Crash Dump Analysis Patterns (Part 53)
We often say that a particular thread is blocked and/or it blocks other threads. At the same time we know that almost all threads are “blocked” to some degree except those currently running on processors. They are either preempted and in the ready lists, voluntary yielded their execution or they are waiting for some synchronization object. Therefore the notion of Blocked Thread is highly context and problem dependent and usually we notice them when comparing current thread stack traces with their expected normal stack traces. Here reference guides are indispensible especially those created for troubleshooting concrete products. Forthcoming Debugger Log Analyzer was partially incepted to address this problem.
To show the diversity of “blocked” threads I propose the following thread classification:
Running threads
Their EIP (RIP) points to some function different from KiSwapContext:
3: kd> !running
System Processors f (affinity mask)
Idle Processors 0
Prcb Current Next
0 ffdff120 a30a9350 ................
1 f7727120 a3186448 ................
2 f772f120 a59a1b40 ................
3 f7737120 a3085888 ................
3: kd> !thread a59a1b40
THREAD a59a1b40 Cid 0004.00b8 Teb: 00000000 Win32Thread: 00000000 RUNNING on processor 2
Not impersonating
DeviceMap e10028b0
Owning Process a59aa648 Image: System
Wait Start TickCount 1450446 Ticks: 1 (0:00:00:00.015)
Context Switch Count 308765
UserTime 00:00:00.000
KernelTime 00:00:01.250
Start Address nt!ExpWorkerThread (0×80880356)
Stack Init f7055000 Current f7054cec Base f7055000 Limit f7052000 Call 0
Priority 12 BasePriority 12 PriorityDecrement 0
ChildEBP RetAddr
f7054bc4 8093c55c nt!ObfReferenceObject+0×1c
f7054ca0 8093d2ae nt!ObpQueryNameString+0×2ba
f7054cbc 808f7d0f nt!ObQueryNameString+0×18
f7054d80 80880441 nt!IopErrorLogThread+0×197
f7054dac 80949b7c nt!ExpWorkerThread+0xeb
f7054ddc 8088e062 nt!PspSystemThreadStartup+0×2e
00000000 00000000 nt!KiThreadStartup+0×16
3: kd> .thread a59a1b40
Implicit thread is now a59a1b40
3: kd> r
Last set context:
eax=00000028 ebx=e1000228 ecx=e1002b30 edx=e1000234 esi=e1002b18 edi=0000001a
eip=8086c73e esp=f7054bc4 ebp=f7054ca0 iopl=0 nv up ei pl nz na po nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000202
nt!ObfReferenceObject+0×1c:
8086c73e 40 inc eax
These threads can also be identified by RUNNING attribute in the output of !process 0 ff command applied for complete and kernel memory dumps.
Ready threads
These threads can be seen in the output of !ready command or identified by READY attribute in the output of !process 0 ff command:
3: kd> !ready
Processor 0: No threads in READY state
Processor 1: Ready Threads at priority 11
THREAD a3790790 Cid 0234.1108 Teb: 7ffab000 Win32Thread: 00000000 READY
THREAD a32799a8 Cid 0234.061c Teb: 7ff83000 Win32Thread: 00000000 READY
THREAD a3961798 Cid 0c04.0c68 Teb: 7ffab000 Win32Thread: bc204ea8 READY
Processor 1: Ready Threads at priority 10
THREAD a32bedb0 Cid 1fc8.1a30 Teb: 7ffad000 Win32Thread: bc804468 READY
Processor 1: Ready Threads at priority 9
THREAD a52dcd48 Cid 0004.04d4 Teb: 00000000 Win32Thread: 00000000 READY
Processor 2: Ready Threads at priority 11
THREAD a37fedb0 Cid 0c04.11f8 Teb: 7ff8e000 Win32Thread: 00000000 READY
Processor 3: Ready Threads at priority 11
THREAD a5683db0 Cid 0234.0274 Teb: 7ffd6000 Win32Thread: 00000000 READY
THREAD a3151b48 Cid 0234.2088 Teb: 7ff88000 Win32Thread: 00000000 READY
THREAD a5099d80 Cid 0ecc.0d60 Teb: 7ffd4000 Win32Thread: 00000000 READY
THREAD a3039498 Cid 0c04.275c Teb: 7ff7d000 Win32Thread: 00000000 READY
If we look at these threads we would see that they were either scheduled to run because of a signaled object they were waiting for:
3: kd> !thread a3039498
THREAD a3039498 Cid 0c04.275c Teb: 7ff7d000 Win32Thread: 00000000 READY
IRP List:
a2feb008: (0006,0094) Flags: 00000870 Mdl: 00000000
Not impersonating
DeviceMap e10028b0
Owning Process a399a770 Image: svchost.exe
Wait Start TickCount 1450447 Ticks: 0
Context Switch Count 1069
UserTime 00:00:00.000
KernelTime 00:00:00.000
Win32 Start Address 0x001e4f22
LPC Server thread working on message Id 1e4f22
Start Address KERNEL32!BaseThreadStartThunk (0x77e617ec)
Stack Init f171b000 Current f171ac60 Base f171b000 Limit f1718000 Call 0
Priority 11 BasePriority 10 PriorityDecrement 0
ChildEBP RetAddr Args to Child
f171ac78 80833465 a3039498 a3039540 e7561930 nt!KiSwapContext+0x26
f171aca4 80829a62 00000000 00000000 00000000 nt!KiSwapThread+0x2e5
f171acec 80938d0c a301cad8 00000006 f171ad01 nt!KeWaitForSingleObject+0×346
f171ad50 8088978c 00000c99 00000000 00000000 nt!NtWaitForSingleObject+0×9a
f171ad50 7c8285ec 00000c99 00000000 00000000 nt!KiFastCallEntry+0xfc
03d9efa8 00000000 00000000 00000000 00000000 ntdll!KiFastSystemCallRet
3: kd> !object a301cad8
Object: a301cad8 Type: (a59a0720) Event
ObjectHeader: a301cac0 (old version)
HandleCount: 1 PointerCount: 3
Or they were boosted in priority:
3: kd> !thread a3790790
THREAD a3790790 Cid 0234.1108 Teb: 7ffab000 Win32Thread: 00000000 READY
IRP List:
a2f8b7f8: (0006,0094) Flags: 00000900 Mdl: 00000000
Not impersonating
DeviceMap e10028b0
Owning Process a554bcc8 Image: lsass.exe
Wait Start TickCount 1450447 Ticks: 0
Context Switch Count 384
UserTime 00:00:00.000
KernelTime 00:00:00.000
Win32 Start Address RPCRT4!ThreadStartRoutine (0x77c7b0f5)
Start Address KERNEL32!BaseThreadStartThunk (0x77e617ec)
Stack Init f3ac1000 Current f3ac0ce8 Base f3ac1000 Limit f3abe000 Call 0
Priority 11 BasePriority 10 PriorityDecrement 0
ChildEBP RetAddr Args to Child
f3ac0d00 80831266 a3790790 a50f1870 a3186448 nt!KiSwapContext+0x26
f3ac0d20 8082833a 00000000 a50f1870 8098b56c nt!KiExitDispatcher+0xf8
f3ac0d3c 8098b5b9 a50f1870 00000000 00f5f8d0 nt!KeSetEventBoostPriority+0×156
f3ac0d58 8088978c a50f1870 00f5f8d4 7c8285ec nt!NtSetEventBoostPriority+0×4d
f3ac0d58 7c8285ec a50f1870 00f5f8d4 7c8285ec nt!KiFastCallEntry+0xfc
00f5f8d4 00000000 00000000 00000000 00000000 ntdll!KiFastSystemCallRet
3: kd> !object a50f1870
Object: a50f1870 Type: (a59a0720) Event
ObjectHeader: a50f1858 (old version)
HandleCount: 1 PointerCount: 15
Or were interrupted and queued to be run again:
3: kd> !thread a5683db0
THREAD a5683db0 Cid 0234.0274 Teb: 7ffd6000 Win32Thread: 00000000 READY
IRP List:
a324d498: (0006,0094) Flags: 00000900 Mdl: 00000000
a2f97a20: (0006,0094) Flags: 00000900 Mdl: 00000000
a50c3e70: (0006,0190) Flags: 00000000 Mdl: a50a22d0
a5167750: (0006,0094) Flags: 00000800 Mdl: 00000000
Not impersonating
DeviceMap e10028b0
Owning Process a554bcc8 Image: lsass.exe
Wait Start TickCount 1450447 Ticks: 0
Context Switch Count 9619
UserTime 00:00:00.156
KernelTime 00:00:00.234
Win32 Start Address RPCRT4!ThreadStartRoutine (0x77c7b0f5)
Start Address KERNEL32!BaseThreadStartThunk (0x77e617ec)
Stack Init f59f3000 Current f59f2d00 Base f59f3000 Limit f59f0000 Call 0
Priority 11 BasePriority 10 PriorityDecrement 0
ChildEBP RetAddr
f59f2d18 80a5c1ae nt!KiDispatchInterrupt+0xb1
f59f2d48 80a5c577 hal!HalpDispatchSoftwareInterrupt+0x5e
f59f2d54 80a59902 hal!HalEndSystemInterrupt+0x67
f59f2d54 77c6928d hal!HalpIpiHandler+0xd2 (TrapFrame @ f59f2d64)
00c5f908 00000000 RPCRT4!OSF_SCALL::GetBuffer+0×37
3: kd> .thread a5683db0
Implicit thread is now a5683db0
3: kd> r
Last set context:
eax=00000000 ebx=00000000 ecx=00000000 edx=00000000 esi=00000000 edi=00000000
eip=8088dba1 esp=f59f2d0c ebp=f59f2d2c iopl=0 nv up di pl nz na po nc
cs=0008 ss=0010 ds=0000 es=0000 fs=0000 gs=0000 efl=00000000
nt!KiDispatchInterrupt+0xb1:
8088dba1 b902000000 mov ecx,2
3: kd> ub
nt!KiDispatchInterrupt+0x8f:
8088db7f mov dword ptr [ebx+124h],esi
8088db85 mov byte ptr [esi+4Ch],2
8088db89 mov byte ptr [edi+5Ah],1Fh
8088db8d mov ecx,edi
8088db8f lea edx,[ebx+120h]
8088db95 call nt!KiQueueReadyThread (80833490)
8088db9a mov cl,1
8088db9c call nt!SwapContext (8088dbd0)
3: kd> u
nt!KiDispatchInterrupt+0xb1:
8088dba1 mov ecx,2
8088dba6 call dword ptr [nt!_imp_KfLowerIrql (80801108)]
8088dbac mov ebp,dword ptr [esp]
8088dbaf mov edi,dword ptr [esp+4]
8088dbb3 mov esi,dword ptr [esp+8]
8088dbb7 add esp,0Ch
8088dbba pop ebx
8088dbbb ret
We can get user space thread stack by using .trap command but we need to switch to its process context first:
3: kd> .process /r /p a554bcc8
Implicit process is now a554bcc8
Loading User Symbols
3: kd> kL
*** Stack trace for last set context - .thread/.cxr resets it
ChildEBP RetAddr
00c5f908 77c7ed60 RPCRT4!OSF_SCALL::GetBuffer+0x37
00c5f924 77c7ed14 RPCRT4!I_RpcGetBufferWithObject+0x7f
00c5f934 77c7f464 RPCRT4!I_RpcGetBuffer+0xf
00c5f944 77ce3470 RPCRT4!NdrGetBuffer+0x2e
00c5fd44 77ce35c4 RPCRT4!NdrStubCall2+0x35c
00c5fd60 77c7ff7a RPCRT4!NdrServerCall2+0x19
00c5fd94 77c8042d RPCRT4!DispatchToStubInCNoAvrf+0x38
00c5fde8 77c80353 RPCRT4!RPC_INTERFACE::DispatchToStubWorker+0x11f
00c5fe0c 77c68e0d RPCRT4!RPC_INTERFACE::DispatchToStub+0xa3
00c5fe40 77c68cb3 RPCRT4!OSF_SCALL::DispatchHelper+0x149
00c5fe54 77c68c2b RPCRT4!OSF_SCALL::DispatchRPCCall+0x10d
00c5fe84 77c68b5e RPCRT4!OSF_SCALL::ProcessReceivedPDU+0x57f
00c5fea4 77c6e8db RPCRT4!OSF_SCALL::BeginRpcCall+0x194
00c5ff04 77c6e7b4 RPCRT4!OSF_SCONNECTION::ProcessReceiveComplete+0x435
00c5ff18 77c7b799 RPCRT4!ProcessConnectionServerReceivedEvent+0x21
00c5ff84 77c7b9b5 RPCRT4!LOADABLE_TRANSPORT::ProcessIOEvents+0x1b8
00c5ff8c 77c8872d RPCRT4!ProcessIOEventsWrapper+0xd
00c5ffac 77c7b110 RPCRT4!BaseCachedThreadRoutine+0x9d
00c5ffb8 77e64829 RPCRT4!ThreadStartRoutine+0x1b
00c5ffec 00000000 kernel32!BaseThreadStart+0x34
Waiting threads (wait originated from user space)
THREAD a34369d0 Cid 1fc8.1e88 Teb: 7ffae000 Win32Thread: bc6d5818 WAIT: (Unknown) UserMode Non-Alertable
a34d9940 SynchronizationEvent
a3436a48 NotificationTimer
Not impersonating
DeviceMap e12256a0
Owning Process a3340a10 Image: IEXPLORE.EXE
Wait Start TickCount 1450409 Ticks: 38 (0:00:00:00.593)
Context Switch Count 7091 LargeStack
UserTime 00:00:01.015
KernelTime 00:00:02.250
Win32 Start Address mshtml!CExecFT::StaticThreadProc (0x7fab1061)
Start Address kernel32!BaseThreadStartThunk (0x77e617ec)
Stack Init f252b000 Current f252ac60 Base f252b000 Limit f2528000 Call 0
Priority 11 BasePriority 10 PriorityDecrement 0
ChildEBP RetAddr
f252ac78 80833465 nt!KiSwapContext+0x26
f252aca4 80829a62 nt!KiSwapThread+0x2e5
f252acec 80938d0c nt!KeWaitForSingleObject+0x346
f252ad50 8088978c nt!NtWaitForSingleObject+0x9a
f252ad50 7c8285ec nt!KiFastCallEntry+0xfc (TrapFrame @ f252ad64)
030dff08 7c827d0b ntdll!KiFastSystemCallRet
030dff0c 77e61d1e ntdll!NtWaitForSingleObject+0xc
030dff7c 77e61c8d kernel32!WaitForSingleObjectEx+0xac
030dff90 7fab08a3 kernel32!WaitForSingleObject+0×12
030dffa8 7fab109c mshtml!CDwnTaskExec::ThreadExec+0xae
030dffb0 7fab106e mshtml!CExecFT::ThreadProc+0×28
030dffb8 77e64829 mshtml!CExecFT::StaticThreadProc+0xd
030dffec 00000000 kernel32!BaseThreadStart+0×34
If we had taken user dump of iexplore.exe we would have seen the following stack trace there:
030dff08 7c827d0b ntdll!KiFastSystemCallRet
030dff0c 77e61d1e ntdll!NtWaitForSingleObject+0xc
030dff7c 77e61c8d kernel32!WaitForSingleObjectEx+0xac
030dff90 7fab08a3 kernel32!WaitForSingleObject+0×12
030dffa8 7fab109c mshtml!CDwnTaskExec::ThreadExec+0xae
030dffb0 7fab106e mshtml!CExecFT::ThreadProc+0×28
030dffb8 77e64829 mshtml!CExecFT::StaticThreadProc+0xd
030dffec 00000000 kernel32!BaseThreadStart+0×34
Another example:
THREAD a31f2438 Cid 1fc8.181c Teb: 7ffaa000 Win32Thread: 00000000 WAIT: (Unknown) UserMode Non-Alertable
a30f8c20 NotificationEvent
a5146720 NotificationEvent
a376fbb0 NotificationEvent
Not impersonating
DeviceMap e12256a0
Owning Process a3340a10 Image: IEXPLORE.EXE
Wait Start TickCount 1419690 Ticks: 30757 (0:00:08:00.578)
Context Switch Count 2
UserTime 00:00:00.000
KernelTime 00:00:00.000
Win32 Start Address USERENV!NotificationThread (0x76929dd9)
Start Address kernel32!BaseThreadStartThunk (0x77e617ec)
Stack Init f5538000 Current f5537900 Base f5538000 Limit f5535000 Call 0
Priority 10 BasePriority 10 PriorityDecrement 0
Kernel stack not resident.
ChildEBP RetAddr
f5537918 80833465 nt!KiSwapContext+0x26
f5537944 80829499 nt!KiSwapThread+0x2e5
f5537978 80938f68 nt!KeWaitForMultipleObjects+0x3d7
f5537bf4 809390ca nt!ObpWaitForMultipleObjects+0x202
f5537d48 8088978c nt!NtWaitForMultipleObjects+0xc8
f5537d48 7c8285ec nt!KiFastCallEntry+0xfc (TrapFrame @ f5537d64)
0851fec0 7c827cfb ntdll!KiFastSystemCallRet
0851fec4 77e6202c ntdll!NtWaitForMultipleObjects+0xc
0851ff6c 77e62fbe kernel32!WaitForMultipleObjectsEx+0x11a
0851ff88 76929e35 kernel32!WaitForMultipleObjects+0×18
0851ffb8 77e64829 USERENV!NotificationThread+0×5f
0851ffec 00000000 kernel32!BaseThreadStart+0×34
Waiting threads (wait originated from kernel space)
Examples include explicit wait as a result from calling potentially blocking API:
THREAD a33a9740 Cid 1980.1960 Teb: 7ffde000 Win32Thread: bc283ea8 WAIT: (Unknown) UserMode Non-Alertable
a35e3168 SynchronizationEvent
Not impersonating
DeviceMap e689f298
Owning Process a342d3a0 Image: explorer.exe
Wait Start TickCount 1369801 Ticks: 80646 (0:00:21:00.093)
Context Switch Count 1667 LargeStack
UserTime 00:00:00.015
KernelTime 00:00:00.093
Win32 Start Address Explorer!ModuleEntry (0x010148a4)
Start Address kernel32!BaseProcessStartThunk (0x77e617f8)
Stack Init f258b000 Current f258ac50 Base f258b000 Limit f2585000 Call 0
Priority 13 BasePriority 10 PriorityDecrement 1
Kernel stack not resident.
ChildEBP RetAddr
f258ac68 80833465 nt!KiSwapContext+0x26
f258ac94 80829a62 nt!KiSwapThread+0x2e5
f258acdc bf89abd3 nt!KeWaitForSingleObject+0×346
f258ad38 bf89da43 win32k!xxxSleepThread+0×1be
f258ad4c bf89e401 win32k!xxxRealWaitMessageEx+0×12
f258ad5c 8088978c win32k!NtUserWaitMessage+0×14
f258ad5c 7c8285ec nt!KiFastCallEntry+0xfc (TrapFrame @ f258ad64)
0007feec 7739bf53 ntdll!KiFastSystemCallRet
0007ff08 7c8fadbd USER32!NtUserWaitMessage+0xc
0007ff14 0100fff1 SHELL32!SHDesktopMessageLoop+0×24
0007ff5c 0101490c Explorer!ExplorerWinMain+0×2c4
0007ffc0 77e6f23b Explorer!ModuleEntry+0×6d
0007fff0 00000000 kernel32!BaseProcessStart+0×23
and implicit wait when a thread yields execution to another thread voluntarily via explicit context swap:
THREAD a3072b68 Cid 1fc8.1d94 Teb: 7ffaf000 Win32Thread: bc1e3c20 WAIT: (Unknown) UserMode Non-Alertable
a37004d8 QueueObject
a3072be0 NotificationTimer
IRP List:
a322be00: (0006,01fc) Flags: 00000000 Mdl: a30b8e30
a30bcc38: (0006,01fc) Flags: 00000000 Mdl: a35bf530
Not impersonating
DeviceMap e12256a0
Owning Process a3340a10 Image: IEXPLORE.EXE
Wait Start TickCount 1447963 Ticks: 2484 (0:00:00:38.812)
Context Switch Count 3972 LargeStack
UserTime 00:00:00.140
KernelTime 00:00:00.250
Win32 Start Address ntdll!RtlpWorkerThread (0x7c839efb)
Start Address kernel32!BaseThreadStartThunk (0x77e617ec)
Stack Init f1cc3000 Current f1cc2c38 Base f1cc3000 Limit f1cbf000 Call 0
Priority 10 BasePriority 10 PriorityDecrement 0
ChildEBP RetAddr
f1cc2c50 80833465 nt!KiSwapContext+0x26
f1cc2c7c 8082b60f nt!KiSwapThread+0x2e5
f1cc2cc4 808ed620 nt!KeRemoveQueue+0×417
f1cc2d48 8088978c nt!NtRemoveIoCompletion+0xdc
f1cc2d48 7c8285ec nt!KiFastCallEntry+0xfc (TrapFrame @ f1cc2d64)
06ceff70 7c8277db ntdll!KiFastSystemCallRet
06ceff74 7c839f38 ntdll!ZwRemoveIoCompletion+0xc
06ceffb8 77e64829 ntdll!RtlpWorkerThread+0×3d
06ceffec 00000000 kernel32!BaseThreadStart+0×34
THREAD a3612020 Cid 1980.1a48 Teb: 7ffd9000 Win32Thread: 00000000 WAIT: (Unknown) UserMode Alertable
a3612098 NotificationTimer
Not impersonating
DeviceMap e689f298
Owning Process a342d3a0 Image: explorer.exe
Wait Start TickCount 1346718 Ticks: 103729 (0:00:27:00.765)
Context Switch Count 4
UserTime 00:00:00.000
KernelTime 00:00:00.000
Win32 Start Address ntdll!RtlpTimerThread (0x7c83d3dd)
Start Address kernel32!BaseThreadStartThunk (0x77e617ec)
Stack Init f2453000 Current f2452c80 Base f2453000 Limit f2450000 Call 0
Priority 10 BasePriority 10 PriorityDecrement 0
Kernel stack not resident.
ChildEBP RetAddr
f2452c98 80833465 nt!KiSwapContext+0x26
f2452cc4 80828f0b nt!KiSwapThread+0x2e5
f2452d0c 80994812 nt!KeDelayExecutionThread+0×2ab
f2452d54 8088978c nt!NtDelayExecution+0×84
f2452d54 7c8285ec nt!KiFastCallEntry+0xfc (TrapFrame @ f2452d64)
0149ff9c 7c826f4b ntdll!KiFastSystemCallRet
0149ffa0 7c83d424 ntdll!NtDelayExecution+0xc
0149ffb8 77e64829 ntdll!RtlpTimerThread+0×47
0149ffec 00000000 kernel32!BaseThreadStart+0×34
Explicit waits in kernel can be originated from GUI threads and their message loops, for example, Main Thread. Blocked GUI Thread pattern can be seen as an example of a genuine Blocked Thread. Some “blocked” threads are just really Passive Threads.
- Dmitry Vostokov @ DumpAnalysis.org -
October 9th, 2008 at 4:41 pm
[…] one such dump also had a clearly blocked thread which was blocking 10 different […]
December 19th, 2008 at 5:42 pm
[…] DebuggingIn one system even Task Manager was hanging and its forced complete memory dump reveals a blocked GUI dialog thread waiting for an LPC […]
February 9th, 2009 at 3:22 pm
[…] 2009 (0×7D9) - The Year of Debugging 2010 (0×7DA) - The Year of Dump Analysis Here is the additional analysis of a memory dump used to illustrate Swarm of Shared Locks pattern. In that dump there were also exclusively held locks with many blocked threads: […]
February 11th, 2009 at 3:17 pm
[…] as iexplore3.dmp. Comparing thread stack traces from both dump files showed one difference: the blocked OLE/RPC thread obviously processing some JavaScript […]
February 26th, 2009 at 12:56 pm
Another example of a blocked thread that is trying to load a library and blocked in kernel:
ntdll!KiFastSystemCallRet
ntdll!NtQueryAttributesFile+0xc)
ntdll!RtlDoesFileExists_UstrEx+0×6b
ntdll!RtlDoesFileExists_UEx+0×27
ntdll!RtlDosSearchPath_U+0×14f
ntdll!LdrpResolveDllName+0×12d
ntdll!LdrpMapDll+0×140
ntdll!LdrpLoadDll+0×1e9
ntdll!LdrLoadDll+0×230
kernel32!LoadLibraryExW+0×18e
kernel32!LoadLibraryExA+0×1f
[…]
WINMM!DrvSendMessage+0×18
MSACM32!IDriverMessageId+0×81
MSACM32!acmFormatSuggest+0×28b
mmdriver!DriverProc+0×8e52
[…]
mmdriver!wodMessage+0×76
WINMM!waveOutOpen+0×2a2
[…]
March 9th, 2009 at 7:13 pm
[…] call the pattern Semantic Split. It is better characterized as partition of a pattern, for example, Blocked Thread, into classes with different semantics, for example, blocked display threads and blocked remote […]
March 14th, 2009 at 8:37 am
[…] #20 is waiting for the critical section 00370608 owned by the thread #17. The latter thread is blockedin an unhandled exception filter raising a hard error message box. Applying the new exception […]
April 23rd, 2009 at 9:59 pm
[…] One application was hanging after printing and its user dump was taken. Inspection of threads reveals only one blocked thread: […]
May 8th, 2009 at 3:07 pm
[…] command detailed output of thread stacks showed that all these suspicious threads were in fact blocked when loading a […]
June 8th, 2009 at 5:35 pm
[…] monitor saved the process memory dump with the following stack trace of the main thread that was blocked by raising a […]
June 9th, 2009 at 11:11 pm
[…] cases I often dump all processes and threads to look for anomalies and indeed we find plenty of blocked threads in several services. For example, ServiceA.exe has blocked threads waiting for critical sections […]
October 3rd, 2009 at 10:05 pm
[…] follow LPC chain to csrss.exe to find out another blocked thread […]
October 9th, 2009 at 2:32 pm
[…] thread 86396db0 (TID 1c64) that blocked more than 50 threads (0×34) was blocked itself sleeping for more than 6 […]
October 20th, 2009 at 8:13 pm
[…] see that the main threads is blocked by sending a synchronous message via SendMessage Win32 API function call. The first argument to it […]
July 14th, 2010 at 3:31 pm
[…] is a specialization of Blocked Thread pattern where a thread is waiting for a hardware I/O response. For example, a frozen system […]
May 28th, 2012 at 10:12 pm
Another example of the blocked thread on a uniprocessor VM:
kd> !running
System Processors: (00000001)
Idle Processors: (00000000)
Prcbs Current Next
0 82944d20 85a575c0 …………….
kd> !thread
THREAD 85a575c0 Cid 0004.00e0 Teb: 00000000 Win32Thread: 00000000 RUNNING on processor 0
Not impersonating
DeviceMap 8a209d68
Owning Process 8523e660 Image: System
Attached Process N/A Image: N/A
Wait Start TickCount 4392621 Ticks: 0
Context Switch Count 414195
UserTime 00:00:00.000
KernelTime 17:59:14.739
Win32 Start Address DriverA (0×8900ab4e)
Stack Init 8d1c0fd0 Current 8d1c0950 Base 8d1c1000 Limit 8d1be000 Call 0
Priority 16 BasePriority 8 UnusualBoost 0 ForegroundBoost 0 IoPriority 2 PagePriority 5
ChildEBP RetAddr Args to Child
8d1c0c48 82c34117 ffd090f0 85a32008 85a5a000 nt!READ_REGISTER_ULONG+0×6 (FPO: [1,0,0])
8d1c0c68 82c347a1 8d1c0c84 82c38b53 8d1c0c7c hal!HalpHpetQueryCount+0×4b (FPO: [Non-Fpo])
8d1c0c70 82c38b53 8d1c0c7c 00da7a64 00000000 hal!HalpHpetQueryPerformanceCounter+0×1d (FPO: [Non-Fpo])
8d1c0c84 89007e52 8d1c0cbc 85a5a0d0 85a5a000 hal!KeQueryPerformanceCounter+0×3d (FPO: [Non-Fpo])
WARNING: Stack unwind information not available. Following frames may be wrong.
8d1c0ce4 89007938 85a5a000 00000000 85a5a000 DriverA+0×7e52
8d1c0cf8 8900ae9a 85a5a000 00000000 00000000 DriverA+0×7938
8d1c0d50 82a23056 85a32008 a9492f18 00000000 DriverA+0xae9a
8d1c0d90 828cb1a9 8900ab4e 85a5a000 00000000 nt!PspSystemThreadStartup+0×9e
00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0×19
kd> !ready
Processor 0: Ready Threads at priority 15
THREAD 861a2590 Cid 0460.0464 Teb: 7ffdf000 Win32Thread: fe9dbb18 ????
THREAD 853cac98 Cid 0460.0670 Teb: 7ffd6000 Win32Thread: 00000000 ????
THREAD 852fda88 Cid 0004.0084 Teb: 00000000 Win32Thread: 00000000 ????
THREAD 8534ad48 Cid 0004.0090 Teb: 00000000 Win32Thread: 00000000 ????
THREAD 852f1d48 Cid 0004.0080 Teb: 00000000 Win32Thread: 00000000 ????
THREAD 852fd4f0 Cid 0004.0088 Teb: 00000000 Win32Thread: 00000000 ????
THREAD 85340020 Cid 0004.008c Teb: 00000000 Win32Thread: 00000000 ????
THREAD 852e67c8 Cid 0004.0078 Teb: 00000000 Win32Thread: 00000000 ????
THREAD 85de77a8 Cid 01e4.026c Teb: 7ffda000 Win32Thread: ffb2c008 ????
THREAD 85da7d48 Cid 01e4.0234 Teb: 7ffdf000 Win32Thread: ffad0d38 ????
THREAD 85a7c678 Cid 0004.00f0 Teb: 00000000 Win32Thread: 00000000 ????
[…]