Archive for May 10th, 2014

Crash Dump Analysis Patterns (Part 206)

Saturday, May 10th, 2014

Here we introduce another Wait Chain pattern where a client thread makes a request and a created server thread servicing the request makes another request to the client which creates a new client thread to service the server request. The new client thread makes a request to the server again and a new server thread is created which makes a new client request, and so on. We call such a pattern Screwbolt Wait Chain. The additional signs here may be an abnormal number of threads and possibly Handle Leak pattern although the latter may be present only in a client or server process only. Thread Age, Waiting Thread Time, and common Blocking Module patterns may be used to unwind the chain and diagnose the possible problem module and corresponding Module Product Process. The pattern is illustrated on this diagram:

Although we initially found this pattern related to LPC /ALPC IPC we think it not limited to it and can occur in different client-server communication implementations.

- Dmitry Vostokov @ + -