Kernel Debugger: Viewing the Stack Trace and Trap Frame
ID: Q148661
The information in this article applies to:
- Microsoft Windows NT Workstation versions 3.5, 3.51
- Microsoft Windows NT Server versions 3.5, 3.51
SUMMARY
This article explains how to view a stack trace and display the trap frame
using the Kernel Debugger (KD).
MORE INFORMATION
I386KD Commands
The KD debugging utility suite is an excellent tool for analyzing a
MEMORY.DMP file. The KD utilities have many commands that are used
during debugging to take advantage of the debugger's ability to parse a
MEMORY.DMP file. This article briefly describes the commonly used commands;
it does not provide an in-depth description of the many commands that are
available.
When you select the Help option in the debugger, the following list is
displayed. There are many commands available to the user for analyzing a
MEMORY.DMP file:
?                       - Displays this list
bugdump                 - Display bug check dump data
calldata <table name>   - Dump call data hash table
db <physical address>   - Display physical memory
dd <physical address>   - Display physical memory
devobj <device address> - Dump the device object and Irp queue
drvobj <driver address> - Dump the driver object and related information
drivers [options]       - Display information about all loaded system modules
eb <physical address> <byte> <byte, byte ,...>
                        - modify physical memory
ed <physical address> <dword> <dword,dword,...>
                        - modify physical memory
errlog                  - Dump the error log contents
exr <address>           - Dump exception record at specified address
filecache               - Dumps information about the file system cache
frag [flags]            - Kernel mode pool fragmentation
                          Flags: 1 - List all fragment information
                                 2 - List allocation information
                                 3 - both
handle <addr> <flags> <process> <TypeName>
                        - Dumps handle for a process
                          Flags: -2 - Dump non-paged object
heap <addr> [flags]     - Dumps heap for a process
                          Flags: -v Verbose
                                 -f Free List entries
                                 -a All entries
                                 -s Summary
                                 -x Force a dump even if the data is bad
                          address: desired heap to dump or 0 for all
help                    - Displays this list
ib <port>               - Read a byte from an I\O port
id <port>               - Read a double-word from an I\O port
iw <port>               - Read a word from an I\O port
irp <address>           - Dump Irp at specified address
irpzone                 - Walk the Irp zones looking for active Irps
locks [-v] <address>    - Dump kernel mode resource locks
lpc                     - Dump lpc ports and messages
memusage                - Dumps the page frame database table
ob <port>               - Write a byte to an I\O port
obja <TypeName>         - Dumps an object manager object's attributes
object <TypeName>       - Dumps an object manager object
od <port>               - Write a double-word to an I\O port
ow <port>               - Write a word to an I\O port
pfn                     - Dumps the page frame database entry for the physical page
pool <address> [detail] - Dump kernel mode heap
                          Address: 0 or blank - Only the process heap
                                   -1         - All heaps in the process
                                   Otherwise for the heap address listed
                          detail:  0 - Summary Information
                                   1 - Above + location\size of regions
                                   3 - Above + allocated\free blocks in committed regions
                                   4 - Above + free lists
poolfind Tag [pooltype] - Finds occurrences of the specified Tag. Tag is a 4
                          character tag; * and ? are wild cards. Pooltype is 0
                          for nonpaged (default) and 1 for paged. NOTE: This can
                          take a long time.
poolused [flags]        - Dump usage by pool tag
                          Flags: 1 Verbose
                          Flags: 2 Sort by NonPagedPool Usage
                          Flags: 4 Sort by PagedPool Usage
process [flags]         - Dumps process at specified address
processfields           - Show offsets to all fields in a process
ready                   - Dumps state of all READY system threads
regkcb                  - Dump registry key-control-blocks
regpool [s|r]           - Dump registry allocated paged pool
                          s - Save list of registry pages to temporary file
                          r - Restore list of registry pages from temp. file
srb <address>           - Dump Srb at specified address
sysptes                 - Dumps the system PTEs
thread [flags]          - Dump thread at specified address
threadfields            - Show offsets to all fields in a thread
time                    - Reports PerformanceCounterRate and TimerDifference
timer                   - Dumps timer tree
token [flags]           - Dump token at specified address
tokenfields             - Show offsets to all fields in a token
trap <address>          - Dump a trap frame
vad                     - Dumps VADs
version                 - Version of extension dll
vm                      - Dumps virtual management values
X86-specific:
apic [base]             - Dump local apic
cxr                     - Dump context record at specified address
ioapic [base]           - Dump io apic
npx [base]              - Dumps NPX save area
pcr                     - Dumps the PCR
pte                     - Dumps the corresponding PDE and PTE for the entered address
sel [selector]          - Examine selector values
trap [base]             - Dump trap frame
tss [register]          - Dump TSS
Viewing The Stack Trace And Trap Frame
The "k" commands and the !trap command are usually the first set of commands
used whenever a debug session starts. They give the user a very good
starting point for establishing the cause of a system failure.
The k command is a simple stack walk. It displays functions in the order
that they were called. For each frame it displays the base pointer for the
function followed by the return address; the text is the resolved function
name. Notice in the example below that "NT!_MmAccessFault" is the function
name, preceded by "NT!". This prefix indicates the system file that spawned
the function; in this case, "NT!_MmAccessFault" is located in NTOSKRNL.EXE.
The hexadecimal number following the function name is the offset into that
function for the frame shown on the stack trace.
k
ChildEBP RetAddr
fe29bd28 8013bb3b NT!_MmAccessFault+0x294
fe29bd28 804044c0 NT!_KiTrap0E+0xa7
fe29bdac 80110c5c hal!KfAcquireSpinLock
fe29be20 8039ced3 NT!_FsRtlPrivateLock+0xb2
fe29be84 fbe5f92b Ntfs!_NtfsFastLock+0x9f
fe29bf00 fbe51525 srv!_SrvSmbLockingAndX+0x293
fe29bf0c fbe51483 srv!_SrvProcessSmb+0x18
fe29bf20 fbe62185 srv!_SrvRestartReceive+0x90
fe29bf40 fbe6210b srv!_DequeueAndProcessWorkItem+0x31
fe29bf4c 80132910 srv!_WorkerThread+0x24
fe29bf7c 8013cf4e NT!_PspSystemThreadStartup+0x40
00000000 00000000 NT!_KiThreadStartup+0x16
KB
kb - This command displays all the information contained in the previous
command, plus the first three parameters passed to the child function,
under the column "Args to Child."
kb
ChildEBP RetAddr Args to Child
fe29bd28 8013bb3b 00000000 dfdff024 00000000 NT!_MmAccessFault+0x294
fe29bd28 804044c0 00000000 dfdff024 00000000 NT!_KiTrap0E+0xa7
fe29bdac 80110c5c e1479008 fe395a68 fe44a8a0 hal!KfAcquireSpinLock
fe29be20 8039ced3 fe3bc248 fe395a68 fe29becc NT!_FsRtlPrivateLock+0xb2
fe29be84 fbe5f92b fe395a68 fe29becc fe29bec4 Ntfs!_NtfsFastLock+0x9f
**Contents Deleted**
KV
kv - This command is the verbose stack trace. It contains all available
information: everything displayed by the kb command plus any other
information available, including the Trap Frame and Frame Pointer
Optimization (FPO) information.
kv
ChildEBP RetAddr Args to Child
**Parameters Deleted** NT!_MmAccessFault+0x294
**Parameters Deleted** NT!_KiTrap0E+0xa7(FPO: [0,0] TrapFrame@fe29bd3c)
**Parameters Deleted** hal!KfAcquireSpinLock (FPO: [0,0,0])
**Parameters Deleted** NT!_FsRtlPrivateLock+0xb2
**Parameters Deleted** Ntfs!_NtfsFastLock+0x9f
**Parameters Deleted** srv!_SrvSmbLockingAndX+0x293
**Parameters Deleted** srv!_SrvProcessSmb+0x18 (FPO: [1,0,1])
**Parameters Deleted** srv!_SrvRestartReceive+0x90 (FPO: [1,0,3])
**Parameters Deleted** srv!_DequeueAndProcessWorkItem+0x31(FPO:[1,2,4])
**Parameters Deleted** srv!_WorkerThread+0x24 (FPO: [1,0,1])
**Parameters Deleted** NT!_PspSystemThreadStartup+0x40
**Parameters Deleted** NT!_KiThreadStartup+0x16
!trap
!trap - When a system trap occurs and Windows NT has the time to shut down
gracefully from a fatal error, Windows NT creates a Trap Frame. This is a
record of the state of the processor's registers at the time of the system
failure. To display the Trap Frame, call the !trap command with the address
of the trap frame. If a Trap Frame is available, its address is displayed
by the kv command. In this case, the Trap Frame is at address fe29bd3c.
kv
ChildEBP RetAddr Args to Child
**Parameters Deleted** NT!_MmAccessFault+0x294
**Parameters Deleted** NT!_KiTrap0E+0xa7(FPO: [0,0] TrapFrame@fe29bd3c)
**Parameters Deleted** hal!KfAcquireSpinLock (FPO: [0,0,0])
**Parameters Deleted** NT!_FsRtlPrivateLock+0xb2
**Parameters Deleted** Ntfs!_NtfsFastLock+0x9f
**Parameters Deleted** srv!_SrvSmbLockingAndX+0x293
**Parameters Deleted** srv!_SrvProcessSmb+0x18 (FPO: [1,0,1])
**Parameters Deleted** srv!_SrvRestartReceive+0x90 (FPO: [1,0,3])
**Parameters Deleted** srv!_DequeueAndProcessWorkItem+0x31(FPO:[1,2,4])
**Parameters Deleted** srv!_WorkerThread+0x24 (FPO: [1,0,1])
**Parameters Deleted** NT!_PspSystemThreadStartup+0x40
**Parameters Deleted** NT!_KiThreadStartup+0x16
!trap fe29bd3c
eax=fe3ceed4 ebx=fe44a801 ecx=fe3ceed4 edx=080242a1 esi=804044c0
edi=e1479008 eip=804044c0 esp=fe29bdb0 ebp=fe29be20 iopl=0
nv up ei ng nz ac po nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010296
ErrCode = 00000000
804044c0 a024f0dfff mov al,[ffdff024]
!KB
!kb - This command is used in conjunction with the Trap Frame information.
It displays the stack in the context of the system failure. In addition,
the !kv command produces verbose output in the context of the failure.
Use this command once the Trap Frame has been located: execute the kv
command, then execute !trap on the Trap Frame address, and then execute the
!kb command. In the example below, note that the stack trace displayed is
not the same as the initial stack trace; the final stack trace is in the
context of the system failure.
Example
kv
ChildEBP RetAddr Args to Child
**Parameters Deleted** NT!_MmAccessFault+0x294
**Parameters Deleted** NT!_KiTrap0E+0xa7(FPO: [0,0] TrapFrame@fe29bd3c)
**Parameters Deleted** hal!KfAcquireSpinLock (FPO: [0,0,0])
**Parameters Deleted** NT!_FsRtlPrivateLock+0xb2
**Parameters Deleted** Ntfs!_NtfsFastLock+0x9f
**Parameters Deleted** srv!_SrvSmbLockingAndX+0x293
**Parameters Deleted** srv!_SrvProcessSmb+0x18 (FPO: [1,0,1])
**Parameters Deleted** srv!_SrvRestartReceive+0x90 (FPO: [1,0,3])
**Parameters Deleted** srv!_DequeueAndProcessWorkItem+0x31(FPO:[1,2,4])
**Parameters Deleted** srv!_WorkerThread+0x24 (FPO: [1,0,1])
**Parameters Deleted** NT!_PspSystemThreadStartup+0x40
**Parameters Deleted** NT!_KiThreadStartup+0x16
!trap fe29bd3c
eax=fe3ceed4 ebx=fe44a801 ecx=fe3ceed4 edx=080242a1 esi=804044c0
edi=e1479008 eip=804044c0 esp=fe29bdb0 ebp=fe29be20 iopl=0
nv up ei ng nz ac po nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010296
ErrCode = 00000000
804044c0 a024f0dfff mov al,[ffdff024]
!kb
ChildEBP RetAddr Args to Child
fe29bdac Parm1 Parm2 Parm3 hal!KfAcquireSpinLock
fe29be20 Parm1 Parm2 Parm3 NT!_FsRtlPrivateLock+0xb2
fe29be84 Parm1 Parm2 Parm3 Ntfs!_NtfsFastLock+0x9f
fe29bf00 Parm1 Parm2 Parm3 srv!_SrvSmbLockingAndX+0x293
fe29bf0c Parm1 Parm2 Parm3 srv!_SrvProcessSmb+0x18
fe29bf20 Parm1 Parm2 Parm3 srv!_SrvRestartReceive+0x90
fe29bf40 Parm1 Parm2 Parm3 srv!_DequeueAndProcessWorkItem+0x31
fe29bf4c Parm1 Parm2 Parm3 srv!_WorkerThread+0x24
fe29bf7c Parm1 Parm2 Parm3 NT!_PspSystemThreadStartup+0x40
00000000 Parm1 Parm2 Parm3 NT!_KiThreadStartup+0x16
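The kv, !trap, !kb sequence above is easy to repeat by hand but tedious to apply to a pile of saved debugger logs. The following Python script is an added example (it is not code from this article or from Microsoft's debugger tools) that parses the frame lines printed by k, kb, kv and !kb, pulls the TrapFrame@ address out of a kv listing, parses the register dump that !trap prints, and cross-checks the trap-context stack from !kb against the kv listing. The regular expressions, the function names (parse_frame, analyze and so on) and the assumption that the output format is stable are mine; the sample strings are constructed from this article's own listings, truncated after a few frames and keeping the article's placeholder tokens.

```python
import re

# Patterns for the text i386kd prints (assumed stable across k, kb, kv and !kb).
SYMBOL_RE = re.compile(r'(?P<mod>[A-Za-z0-9_]+)!(?P<func>[A-Za-z0-9_@]+)(?:\+0x(?P<off>[0-9a-fA-F]+))?')
FPO_RE = re.compile(r'FPO:\s*\[(?P<fpo>[^\]]*)\](?:\s*TrapFrame@(?P<tf>[0-9a-fA-F]{8}))?')
HEX8_RE = re.compile(r'^[0-9a-fA-F]{8}$')
REG_RE = re.compile(r'\b([a-z]{2,4})=([0-9a-fA-F]{1,8})\b')
DISASM_RE = re.compile(r'^\s*([0-9a-fA-F]{8})\s+[0-9a-fA-F]+\s+(\S.*)$')

def parse_frame(line):
    """One k/kb/kv/!kb line -> dict, or None for header and non-frame lines.
    Leading 8-digit hex tokens are ChildEBP, RetAddr and up to three args;
    the article's 'Parm1' / '**Parameters Deleted**' placeholders are skipped."""
    sym = SYMBOL_RE.search(line)
    if not sym:
        return None
    hexes = [int(t, 16) for t in line[:sym.start()].split() if HEX8_RE.match(t)]
    fpo = FPO_RE.search(line, sym.end())
    return {
        'module': sym.group('mod'), 'function': sym.group('func'),
        'offset': int(sym.group('off') or '0', 16),
        'child_ebp': hexes[0] if hexes else None,
        'ret_addr': hexes[1] if len(hexes) > 1 else None,
        'args': hexes[2:5],
        'fpo': fpo.group('fpo') if fpo else None,
        'trap_frame': int(fpo.group('tf'), 16) if fpo and fpo.group('tf') else None,
    }

def parse_stack(text):
    return [f for f in map(parse_frame, text.splitlines()) if f]

def find_trap_frame(frames):
    """(index, address) of the first frame annotated TrapFrame@, else None."""
    for i, f in enumerate(frames):
        if f['trap_frame'] is not None:
            return i, f['trap_frame']
    return None

def parse_trap_dump(text):
    """Registers, ErrCode and the disassembled instruction from !trap output."""
    out = {'regs': {}, 'errcode': None, 'instr_addr': None, 'instruction': None}
    for line in text.splitlines():
        m = re.match(r'\s*ErrCode\s*=\s*([0-9a-fA-F]+)', line)
        if m:
            out['errcode'] = int(m.group(1), 16)
            continue
        m = DISASM_RE.match(line)
        if m:
            out['instr_addr'], out['instruction'] = int(m.group(1), 16), m.group(2).strip()
            continue
        out['regs'].update({n: int(v, 16) for n, v in REG_RE.findall(line)})
    return out

def name(f):
    return '%s!%s' % (f['module'], f['function'])

def analyze(kv_text, trap_text, kb_text):
    """Walk the three listings in the article's order and cross-check them."""
    kv, kb = parse_stack(kv_text), parse_stack(kb_text)
    found = find_trap_frame(kv)
    if found is None:
        return {'trap_frame': None}  # nothing to hand to !trap
    idx, tf_addr = found
    dump = parse_trap_dump(trap_text)
    regs = dump['regs']
    ebp_owner = next((f for f in kb if f['child_ebp'] == regs.get('ebp')), None)
    return {
        'trap_frame': tf_addr,
        'handler': name(kv[idx]),
        # frames down to and including the trap handler are the fault path;
        # !kb run after !trap should list exactly the frames below them
        'fault_path': [name(f) for f in kv[:idx + 1]],
        'trap_context_matches_kv': [name(f) for f in kb] == [name(f) for f in kv[idx + 1:]],
        'eip': regs.get('eip'),
        'instruction': dump['instruction'],
        'eip_matches_disasm': regs.get('eip') == dump['instr_addr'],  # !trap disassembles at eip
        'errcode': dump['errcode'],
        'ebp_frame': ebp_owner['function'] if ebp_owner else None,  # !kb frame whose ChildEBP equals the trap-frame ebp
    }

# Constructed samples: the first frames of the article's kv and !kb listings
# and its !trap output, with the article's own placeholder tokens.
KV_OUTPUT = """ChildEBP RetAddr Args to Child
**Parameters Deleted** NT!_MmAccessFault+0x294
**Parameters Deleted** NT!_KiTrap0E+0xa7(FPO: [0,0] TrapFrame@fe29bd3c)
**Parameters Deleted** hal!KfAcquireSpinLock (FPO: [0,0,0])
**Parameters Deleted** NT!_FsRtlPrivateLock+0xb2
**Parameters Deleted** Ntfs!_NtfsFastLock+0x9f
**Parameters Deleted** srv!_SrvSmbLockingAndX+0x293
"""
TRAP_OUTPUT = """eax=fe3ceed4 ebx=fe44a801 ecx=fe3ceed4 edx=080242a1 esi=804044c0
edi=e1479008 eip=804044c0 esp=fe29bdb0 ebp=fe29be20 iopl=0
nv up ei ng nz ac po nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010296
ErrCode = 00000000
804044c0 a024f0dfff mov al,[ffdff024]
"""
KB_OUTPUT = """ChildEBP RetAddr Args to Child
fe29bdac Parm1 Parm2 Parm3 hal!KfAcquireSpinLock
fe29be20 Parm1 Parm2 Parm3 NT!_FsRtlPrivateLock+0xb2
fe29be84 Parm1 Parm2 Parm3 Ntfs!_NtfsFastLock+0x9f
fe29bf00 Parm1 Parm2 Parm3 srv!_SrvSmbLockingAndX+0x293
"""

if __name__ == '__main__':
    for key, val in analyze(KV_OUTPUT, TRAP_OUTPUT, KB_OUTPUT).items():
        print('%-24s %s' % (key, hex(val) if type(val) is int else val))
```

The script only reads text; the address it recovers from the kv listing is the one you would type after !trap, and the two boolean fields are the sanity checks worth making before trusting a saved log: the !kb listing should be the kv listing with the fault-handling frames removed, and the eip in the trap frame should be the address the debugger disassembled.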
For more information on Windows NT debugging, query on the following word
here in the Microsoft Knowledge Base:
debugref
Additional query words:
prodnt
Keywords : ntstop
Version : 3.50 3.51
Platform : WINDOWS
Issue type :