Kernel Debugger: Viewing the Stack Trace and Trap Frame

Last reviewed: May 6, 1996
Article ID: Q148661
The information in this article applies to:
SUMMARY

This article explains how to view a stack trace and display the trap frame using the Kernel Debugger (KD).

MORE INFORMATION

I386KD Commands

The KD debugging utility suite is an excellent tool for analyzing a MEMORY.DMP file. The KD utilities have many commands that take advantage of the debugger's ability to parse a MEMORY.DMP file. This article briefly describes the commonly used commands; it does not provide an in-depth description of the many commands that are available. When you select the Help option in the debugger, the following list of commands available for analyzing a MEMORY.DMP file is displayed:

   ? - Displays this list
   bugdump - Display bug check dump data
   calldata <table name> - Dump call data hash table
   db <physical address> - Display physical memory
   dd <physical address> - Display physical memory
   devobj <device address> - Dump the device object and Irp queue
   drvobj <driver address> - Dump the driver object and related information
   drivers [options] - Display information about all loaded system modules
   eb <physical address> - modify physical memory
      <byte> <byte, byte ,...>
   ed <physical address> - modify physical memory
      <dword> <dword,dword,...>
   errlog - Dump the error log contents
   exr <address> - Dump exception record at specified address
   filecache - Dumps information about the file system cache
   frag [flags] - Kernel mode pool fragmentation
      Flags: 1 - List all fragment information
             2 - List allocation information
             3 - both
   handle <addr> <flags> - Dumps handle for a process
      <process> <TypeName>
      Flags: -2 - Dump non-paged object
   heap <addr> [flags] - Dumps heap for a process
      Flags: -v Verbose
             -f Free List entries
             -a All entries
             -s Summary
             -x Force a dump even if the data is bad
      address: desired heap to dump or 0 for all
   help - Displays this list
   ib <port> - Read a byte from an I\O port
   id <port> - Read a double-word from an I\O port
   iw <port> - Read a word from an I\O port
   irp <address> - Dump Irp at specified address
   irpzone - Walk the Irp zones looking for active Irps
   locks [-v] <address> - Dump kernel mode resource locks
   lpc - Dump lpc ports and messages
   memusage - Dumps the page frame database table
   ob <port> - Write a byte to an I\O port
   obja <TypeName> - Dumps an object manager object's attributes
   object <TypeName> - Dumps an object manager object
   od <port> - Write a double-word to an I\O port
   ow <port> - Write a word to an I\O port
   pfn - Dumps the page frame database entry for the physical page
   pool <address> [detail] - Dump kernel mode heap
      Address: 0 or blank - Only the process heap
               -1 - All heaps in the process
               Otherwise for the heap address listed
      detail: 0 - Sumarry Information
              1 - Above + location\size of regions
              3 - Above + allocated\free blocks in committed regions
              4 - Above + free lists
   poolfind Tag [pooltype] - Finds occurrences of the specified Tag
      Tag is 4 character tag, * and ? are wild cards.
      Pooltype is 0 for nonpaged (default, and 1 for paged.
      NOTE: This can take a long time.
   poolused [flags] - Dump usage by pool tag
      Flags: 1 Verbose
      Flags: 2 Sort by NonPagedPool Usage
      Flags: 4 Sort by PagedPool Usage
   process [flags] - Dumps process at specified address
   processfields - Show offsets to all fields in a process
   ready - Dumps state of all READY system threads
   regkcb - Dump registry key-control-blocks
   regpool [s|r] - Dump registry allocated paged pool
      s - Save list of registry pages to temporary file
      r - Restore list of registry pages from temp. file
   srb <address> - Dump Srb at specified address
   sysptes - Dumps the system PTEs
   thread [flags] - Dump thread at specified address
   threadfields - Show offsets to all fields in a thread
   time - Reports PerformanceCounterRate and TimerDifference
   timer - Dumps timer tree
   token [flags] - Dump token at specified address
   tokenfields - Show offsets to all fields in a token
   trap <address> - Dump a trap frame
   vad - Dumps VADs
   version - Version of extension dll
   vm - Dumps virtual management values

X86-specific:
   apic [base] - Dump local apic
   cxr - Dump context record at specified address
   ioapic [base] - Dump io apic
   npx [base] - Dumps NPX save area
   pcr - Dumps the PCR
   pte - Dumps the corresponding PDE and PTE for the entered address
   sel [selector] - Examine selector values
   trap [base] - Dump trap frame
   tss [register] - Dump TSS

Viewing The Stack Trace And Trap Frame

The "k" commands and the !trap command are usually the first set of commands used whenever a debug session starts. These commands give the user a very good starting point for establishing the cause of a system failure.

The k command is a simple stack walk. It displays functions in the order that they were called. It displays the base pointer for the function followed by the return address. The text is the resolved function name. In the example below, the function name in "NT!_MmAccessFault" is preceded by "NT!", which indicates the system file the function comes from. In this case, "NT!_MmAccessFault" is located in NTOSKRNL.EXE. The hexadecimal number following the function name is the offset into the function for the entry displayed on the stack trace.

   k
   ChildEBP RetAddr
   fe29bd28 8013bb3b NT!_MmAccessFault+0x294
   fe29bd28 804044c0 NT!_KiTrap0E+0xa7
   fe29bdac 80110c5c hal!KfAcquireSpinLock
   fe29be20 8039ced3 NT!_FsRtlPrivateLock+0xb2
   fe29be84 fbe5f92b Ntfs!_NtfsFastLock+0x9f
   fe29bf00 fbe51525 srv!_SrvSmbLockingAndX+0x293
   fe29bf0c fbe51483 srv!_SrvProcessSmb+0x18
   fe29bf20 fbe62185 srv!_SrvRestartReceive+0x90
   fe29bf40 fbe6210b srv!_DequeueAndProcessWorkItem+0x31
   fe29bf4c 80132910 srv!_WorkerThread+0x24
   fe29bf7c 8013cf4e NT!_PspSystemThreadStartup+0x40
   00000000 00000000 NT!_KiThreadStartup+0x16

KB

kb - This command displays all the information shown by the previous command, plus the first three parameters passed to the child function, under the column "Args to Child."

   kb
   ChildEBP RetAddr  Args to Child
   fe29bd28 8013bb3b 00000000 dfdff024 00000000 NT!_MmAccessFault+0x294
   fe29bd28 804044c0 00000000 dfdff024 00000000 NT!_KiTrap0E+0xa7
   fe29bdac 80110c5c e1479008 fe395a68 fe44a8a0 hal!KfAcquireSpinLock
   fe29be20 8039ced3 fe3bc248 fe395a68 fe29becc NT!_FsRtlPrivateLock+0xb2
   fe29be84 fbe5f92b fe395a68 fe29becc fe29bec4 Ntfs!_NtfsFastLock+0x9f
   **Contents Deleted**

KV

kv - This command is the verbose stack trace. It displays everything shown by the kb command plus any other information available, including the Trap Frame and Frame Pointer Optimization (FPO) information.

   kv
   ChildEBP RetAddr Args to Child
   **Parameters Deleted** NT!_MmAccessFault+0x294
   **Parameters Deleted** NT!_KiTrap0E+0xa7(FPO: [0,0] TrapFrame@fe29bd3c)
   **Parameters Deleted** hal!KfAcquireSpinLock (FPO: [0,0,0])
   **Parameters Deleted** NT!_FsRtlPrivateLock+0xb2
   **Parameters Deleted** Ntfs!_NtfsFastLock+0x9f
   **Parameters Deleted** srv!_SrvSmbLockingAndX+0x293
   **Parameters Deleted** srv!_SrvProcessSmb+0x18 (FPO: [1,0,1])
   **Parameters Deleted** srv!_SrvRestartReceive+0x90 (FPO: [1,0,3])
   **Parameters Deleted** srv!_DequeueAndProcessWorkItem+0x31(FPO:[1,2,4])
   **Parameters Deleted** srv!_WorkerThread+0x24 (FPO: [1,0,1])
   **Parameters Deleted** NT!_PspSystemThreadStartup+0x40
   **Parameters Deleted** NT!_KiThreadStartup+0x16

!trap

!trap - When a system trap occurs and Windows NT has the time to shut down gracefully from a fatal error, Windows NT creates a Trap Frame. This is a record of the state of the processor's registers at the time of the system failure. To display the Trap Frame, the !trap command is called with the address of the trap frame. If a Trap Frame is available, its address is displayed by the kv command. The Trap Frame, in this case, is at address fe29bd3c.

   kv
   ChildEBP RetAddr Args to Child
   **Parameters Deleted** NT!_MmAccessFault+0x294
   **Parameters Deleted** NT!_KiTrap0E+0xa7(FPO: [0,0] TrapFrame@fe29bd3c)
   **Parameters Deleted** hal!KfAcquireSpinLock (FPO: [0,0,0])
   **Parameters Deleted** NT!_FsRtlPrivateLock+0xb2
   **Parameters Deleted** Ntfs!_NtfsFastLock+0x9f
   **Parameters Deleted** srv!_SrvSmbLockingAndX+0x293
   **Parameters Deleted** srv!_SrvProcessSmb+0x18 (FPO: [1,0,1])
   **Parameters Deleted** srv!_SrvRestartReceive+0x90 (FPO: [1,0,3])
   **Parameters Deleted** srv!_DequeueAndProcessWorkItem+0x31(FPO:[1,2,4])
   **Parameters Deleted** srv!_WorkerThread+0x24 (FPO: [1,0,1])
   **Parameters Deleted** NT!_PspSystemThreadStartup+0x40
   **Parameters Deleted** NT!_KiThreadStartup+0x16

   !trap fe29bd3c
   eax=fe3ceed4 ebx=fe44a801 ecx=fe3ceed4 edx=080242a1 esi=804044c0 edi=e1479008
   eip=804044c0 esp=fe29bdb0 ebp=fe29be20 iopl=0 nv up ei ng nz ac po nc
   cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010296
   ErrCode = 00000000
   804044c0 a024f0dfff mov al,[ffdff024]

!KB

!kb - This command is used in conjunction with the Trap Frame information. It displays the stack in the context of the system failure. In addition, the !kv command produces verbose output in the context of the failure. Use this command when a Trap Frame such as the following appears. The sequence is to execute the kv command, then execute !trap on the Trap Frame address, and then execute the !kb command. In the example below, note that the final stack trace is not like the initial stack trace. The final stack trace is in the context of the system failure.

Example

   kv
   ChildEBP RetAddr Args to Child
   **Parameters Deleted** NT!_MmAccessFault+0x294
   **Parameters Deleted** NT!_KiTrap0E+0xa7(FPO: [0,0] TrapFrame@fe29bd3c)
   **Parameters Deleted** hal!KfAcquireSpinLock (FPO: [0,0,0])
   **Parameters Deleted** NT!_FsRtlPrivateLock+0xb2
   **Parameters Deleted** Ntfs!_NtfsFastLock+0x9f
   **Parameters Deleted** srv!_SrvSmbLockingAndX+0x293
   **Parameters Deleted** srv!_SrvProcessSmb+0x18 (FPO: [1,0,1])
   **Parameters Deleted** srv!_SrvRestartReceive+0x90 (FPO: [1,0,3])
   **Parameters Deleted** srv!_DequeueAndProcessWorkItem+0x31(FPO:[1,2,4])
   **Parameters Deleted** srv!_WorkerThread+0x24 (FPO: [1,0,1])
   **Parameters Deleted** NT!_PspSystemThreadStartup+0x40
   **Parameters Deleted** NT!_KiThreadStartup+0x16

   !trap fe29bd3c
   eax=fe3ceed4 ebx=fe44a801 ecx=fe3ceed4 edx=080242a1 esi=804044c0 edi=e1479008
   eip=804044c0 esp=fe29bdb0 ebp=fe29be20 iopl=0 nv up ei ng nz ac po nc
   cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010296
   ErrCode = 00000000
   804044c0 a024f0dfff mov al,[ffdff024]

   !kb
   ChildEBP RetAddr Args to Child
   fe29bdac Parm1 Parm2 Parm3 hal!KfAcquireSpinLock
   fe29be20 Parm1 Parm2 Parm3 NT!_FsRtlPrivateLock+0xb2
   fe29be84 Parm1 Parm2 Parm3 Ntfs!_NtfsFastLock+0x9f
   fe29bf00 Parm1 Parm2 Parm3 srv!_SrvSmbLockingAndX+0x293
   fe29bf0c Parm1 Parm2 Parm3 srv!_SrvProcessSmb+0x18
   fe29bf20 Parm1 Parm2 Parm3 srv!_SrvRestartReceive+0x90
   fe29bf40 Parm1 Parm2 Parm3 srv!_DequeueAndProcessWorkItem+0x31
   fe29bf4c Parm1 Parm2 Parm3 srv!_WorkerThread+0x24
   fe29bf7c Parm1 Parm2 Parm3 NT!_PspSystemThreadStartup+0x40
   00000000 Parm1 Parm2 Parm3 NT!_KiThreadStartup+0x16

For more information on Windows NT debugging, query on the following word here in the Microsoft Knowledge Base:

   debugref
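
The kv, !trap sequence described above can be scripted when many dumps have to be triaged. The following Python sketch is an added example, not part of the original article or of the KD tools; it parses listings copied from the article's example, and the function names are hypothetical.

```python
import re

# Debugger output copied from the article's own example.
K_OUTPUT = """\
fe29bd28 8013bb3b NT!_MmAccessFault+0x294
fe29bd28 804044c0 NT!_KiTrap0E+0xa7
fe29bdac 80110c5c hal!KfAcquireSpinLock
fe29be20 8039ced3 NT!_FsRtlPrivateLock+0xb2
"""
KV_OUTPUT = """\
**Parameters Deleted** NT!_MmAccessFault+0x294
**Parameters Deleted** NT!_KiTrap0E+0xa7(FPO: [0,0] TrapFrame@fe29bd3c)
**Parameters Deleted** hal!KfAcquireSpinLock (FPO: [0,0,0])
"""
TRAP_OUTPUT = """\
eax=fe3ceed4 ebx=fe44a801 ecx=fe3ceed4 edx=080242a1 esi=804044c0 edi=e1479008
eip=804044c0 esp=fe29bdb0 ebp=fe29be20 iopl=0 nv up ei ng nz ac po nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010296
"""

def find_trap_frame(kv_text):
    """Return (handler symbol, trap frame address) from kv output, or None."""
    m = re.search(r"(\S+?)\s*\(FPO:[^)]*TrapFrame@([0-9a-fA-F]{8})\)", kv_text)
    return (m.group(1), int(m.group(2), 16)) if m else None

def parse_frames(k_text):
    """Parse 'ChildEBP RetAddr symbol' rows of k output into tuples."""
    rows = re.findall(r"^([0-9a-f]{8}) ([0-9a-f]{8}) (\S+)", k_text, re.M)
    return [(int(ebp, 16), int(ret, 16), sym) for ebp, ret, sym in rows]

def parse_registers(trap_text):
    """Parse the name=hex pairs printed by !trap into a dict of ints."""
    pairs = re.findall(r"\b([a-z]{2,4})=([0-9a-fA-F]+)\b", trap_text)
    return {name: int(value, 16) for name, value in pairs}

def triage(k_text, kv_text, trap_text):
    """Tie the three listings together for the frame that trapped."""
    handler, address = find_trap_frame(kv_text)
    frames = parse_frames(k_text)
    regs = parse_registers(trap_text)
    idx = next(i for i, f in enumerate(frames) if f[2] == handler)
    return {
        "next_command": "!trap %08x" % address,
        "interrupted": frames[idx + 1][2],
        # In the article's data the handler row's RetAddr is the saved eip.
        "eip_is_handler_retaddr": regs["eip"] == frames[idx][1],
    }

if __name__ == "__main__":
    print(triage(K_OUTPUT, KV_OUTPUT, TRAP_OUTPUT))
```

The "interrupted" entry is the same function that heads the !kb listing in the article's example.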
KBCategory: kbtshoot
© 1998 Microsoft Corporation. All rights reserved.