Crash Dump Analysis Patterns (Part 123)

Dual Stack Trace is the kernel mode and space counterpart to a user mode and space stack trace and vice versa, for example:

  25  Id: e8c.f20 Suspend: 1 Teb: 7ff9c000 Unfrozen
ChildEBP RetAddr 
086acac4 7c90df5a ntdll!KiFastSystemCallRet
086acac8 7c8025db ntdll!ZwWaitForSingleObject+0xc
086acb2c 7c802542 kernel32!WaitForSingleObjectEx+0xa8
086acb40 00fbba3a kernel32!WaitForSingleObject+0×12
WARNING: Stack unwind information not available. Following frames may be wrong.
086ad3c8 00fbc139 ModuleA!DllCanUnloadNow+0×638b4a
086adc38 00faba75 ModuleA!DllCanUnloadNow+0×639249
086ae4c8 00fa0da8 ModuleA!DllCanUnloadNow+0×629b25
086aed60 00a45331 ModuleA!DllCanUnloadNow+0×61ee48
086af6c4 00a44b10 ModuleA!DllCanUnloadNow+0xc6de1
086affb4 7c80b729 ModuleA!DllCanUnloadNow+0xc65c0
086affec 00000000 kernel32!BaseThreadStart+0×37

0: kd> !thread 88ec9020 1f
THREAD 88ec9020  Cid 17a0.2034  Teb: 7ffad000 Win32Thread: bc28c6e8 WAIT: (Unknown) UserMode Non-Alertable
    89095f48  Semaphore Limit 0x10000
IRP List:
    89a5a370: (0006,0094) Flags: 00000900  Mdl: 00000000
Not impersonating
DeviceMap                 d6c30c48
Owning Process            88fffd88       Image:         iexplore.exe
Attached Process          N/A            Image:         N/A
Wait Start TickCount      5632994        Ticks: 2980 (0:00:00:46.562)
Context Switch Count      2269                 LargeStack
UserTime                  00:00:00.000
KernelTime                00:00:00.000
Win32 Start Address 0x00a262d0
Start Address kernel32!BaseThreadStartThunk (0x77e617ec)
Stack Init b204c000 Current b204bc60 Base b204c000 Limit b2048000 Call 0
Priority 8 BasePriority 8 PriorityDecrement 0
ChildEBP RetAddr 
b204bc78 80833ec5 nt!KiSwapContext+0×26
b204bca4 80829c14 nt!KiSwapThread+0×2e5
b204bcec 8093b174 nt!KeWaitForSingleObject+0×346
b204bd50 8088b41c nt!NtWaitForSingleObject+0×9a
b204bd50 7c82860c nt!KiFastCallEntry+0xfc (TrapFrame @ b204bd64)

058fcabc 7c827d29 ntdll!KiFastSystemCallRet
058fcac0 77e61d1e ntdll!ZwWaitForSingleObject+0xc
058fcb30 77e61c8d kernel32!WaitForSingleObjectEx+0xac
058fcb44 00f98b4a kernel32!WaitForSingleObject+0×12
WARNING: Stack unwind information not available. Following frames may be wrong.
058fd3cc 00f99249 ModuleA+0×638b4a
058fdc3c 00f89b25 ModuleA+0×639249
058fe4cc 00f7ee48 ModuleA+0×629b25
058fed64 00a26de1 ModuleA+0×61ee48
058ff6c8 00a265c0 ModuleA+0xc6de1
058fffb8 77e6482f ModuleA+0xc65c0
058fffec 00000000 kernel32!BaseThreadStart+0×34

This pattern is helpful when we have both process user space memory dumps and kernel and complete memory dumps and want to match stack traces of interest between them. See also patterns Stack Trace and Stack Trace Collection.

- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -

Leave a Reply