Microsoft KB Archive/148661

Kernel Debugger: Viewing the Stack Trace and Trap Frame


ID: Q148661

-

The information in this article applies to:


 * Microsoft Windows NT Workstation versions 3.5, 3.51
 * Microsoft Windows NT Server versions 3.5, 3.51

-

SUMMARY
This article explains how to view a stack trace and display the trap frame using the Kernel Debugger (KD).

I386KD Commands
The KD debugging utility suite is an excellent tool for analyzing a MEMORY.DMP file. The KD utilities have many commands that are used during debugging to take advantage of the debugger's ability to parse a MEMORY.DMP file. This article briefly describes the commonly used commands. This article does not provide in-depth description of the many commands that are available.

When you select the Help option in the debugger, the following information is displayed. (There are many commands available to help the user analyze a MEMORY.DMP file.)

  ?                          - Displays this list
  bugdump                    - Display bug check dump data
  calldata                   - Dump call data hash table
  db                         - Display physical memory
  dd                         - Display physical memory
  devobj                     - Dump the device object and Irp queue
  drvobj                     - Dump the driver object and related information
  drivers [options]          - Display information about all loaded system modules
  eb                         - modify physical memory
  ed                         - modify physical memory
  errlog                     - Dump the error log contents
  exr                        - Dump exception record at specified address
  filecache                  - Dumps information about the file system cache
  frag [flags]               - Kernel mode pool fragmentation
                               Flags: 1 - List all fragment information
                                      2 - List allocation information
                                      3 - both
  handle                     - Dumps handle for a process
                               Flags: -2 - Dump non-paged object
  heap [flags]               - Dumps heap for a process
                               Flags: -v Verbose
                                      -f Free List entries
                                      -a All entries
                                      -s Summary
                                      -x Force a dump even if the data is bad
                               address: desired heap to dump or 0 for all
  help                       - Displays this list
  ib                         - Read a byte from an I\O port
  id                         - Read a double-word from an I\O port
  iw                         - Read a word from an I\O port
  irp                        - Dump Irp at specified address
  irpzone                    - Walk the Irp zones looking for active Irps
  locks [-v]                 - Dump kernel mode resource locks
  lpc                        - Dump lpc ports and messages
  memusage                   - Dumps the page frame database table
  ob                         - Write a byte to an I\O port
  obja                       - Dumps an object manager object's attributes
  object                     - Dumps an object manager object
  od                         - Write a double-word to an I\O port
  ow                         - Write a word to an I\O port
  pfn                        - Dumps the page frame database entry for the physical page
  pool [detail]              - Dump kernel mode heap
                               Address: 0 or blank - Only the process heap
                                        -1         - All heaps in the process
                                        Otherwise for the heap address listed
                               detail:  0 - Sumarry Information
                                        1 - Above + location\size of regions
                                        3 - Above + allocated\free blocks in committed regions
                                        4 - Above + free lists
  poolfind Tag [pooltype]    - Finds occurrences of the specified Tag
                               Tag is 4 character tag, * and ? are wild cards.
                               Pooltype is 0 for nonpaged (default, and 1 for paged.
                               NOTE: This can take a long time.
  poolused [flags]           - Dump usage by pool tag
                               Flags:  1 Verbose
                               Flags:  2 Sort by NonPagedPool Usage
                               Flags:  4 Sort by PagedPool Usage
  process [flags]            - Dumps process at specified address
  processfields              - Show offsets to all fields in a process
  ready                      - Dumps state of all READY system threads
  regkcb                     - Dump registry key-control-blocks
  regpool [s|r]              - Dump registry allocated paged pool
                               s - Save list of registry pages to temporary file
                               r - Restore list of registry pages from temp. file
  srb                        - Dump Srb at specified address
  sysptes                    - Dumps the system PTEs
  thread [flags]             - Dump thread at specified address
  threadfields               - Show offsets to all fields in a thread
  time                       - Reports PerformanceCounterRate and TimerDifference
  timer                      - Dumps timer tree
  token [flags]              - Dump token at specified address
  tokenfields                - Show offsets to all fields in a token
  trap                       - Dump a trap frame
  vad                        - Dumps VADs
  version                    - Version of extension dll
  vm                         - Dumps virtual management values

X86-specific:

  apic [base]                - Dump local apic
  cxr                        - Dump context record at specified address
  ioapic [base]              - Dump io apic
  npx [base]                 - Dumps NPX save area
  pcr                        - Dumps the PCR
  pte                        - Dumps the corresponding PDE and PTE for the entered address
  sel [selector]             - Examine selector values
  trap [base]                - Dump trap frame
  tss [register]             - Dump TSS

Viewing The Stack Trace And Trap Frame
The "k" commands and !trap command are usually the first set of commands used whenever a debug session starts. These particular commands give the user a very good starting point for establishing the cause of a system failure.

The k command is a simple stack walk. It displays functions in the order that they were called. It displays the base pointer for the function followed by the return address. The text is the resolved function name.

Notice in the example below that "NT!_MmAccessFault" is the function name, preceded by "NT!". This prefix indicates the system file (module) that contains the function; in this case, "NT!_MmAccessFault" is located in NTOSKRNL.EXE. The hexadecimal number following the function name is the offset into that function at the point shown on the stack trace.

k
ChildEBP RetAddr
fe29bd28 8013bb3b NT!_MmAccessFault+0x294
fe29bd28 804044c0 NT!_KiTrap0E+0xa7
fe29bdac 80110c5c hal!KfAcquireSpinLock
fe29be20 8039ced3 NT!_FsRtlPrivateLock+0xb2
fe29be84 fbe5f92b Ntfs!_NtfsFastLock+0x9f
fe29bf00 fbe51525 srv!_SrvSmbLockingAndX+0x293
fe29bf0c fbe51483 srv!_SrvProcessSmb+0x18
fe29bf20 fbe62185 srv!_SrvRestartReceive+0x90
fe29bf40 fbe6210b srv!_DequeueAndProcessWorkItem+0x31
fe29bf4c 80132910 srv!_WorkerThread+0x24
fe29bf7c 8013cf4e NT!_PspSystemThreadStartup+0x40
00000000 00000000 NT!_KiThreadStartup+0x16

KB
kb - This command displays all the information contained in the previous command, and the first three parameters passed to the child function under the column "Args to Child."

kb
ChildEBP RetAddr  Args to Child
fe29bd28 8013bb3b 00000000 dfdff024 00000000 NT!_MmAccessFault+0x294
fe29bd28 804044c0 00000000 dfdff024 00000000 NT!_KiTrap0E+0xa7
fe29bdac 80110c5c e1479008 fe395a68 fe44a8a0 hal!KfAcquireSpinLock
fe29be20 8039ced3 fe3bc248 fe395a68 fe29becc NT!_FsRtlPrivateLock+0xb2
fe29be84 fbe5f92b fe395a68 fe29becc fe29bec4 Ntfs!_NtfsFastLock+0x9f
**Contents Deleted**

KV
kv - This command is the verbose stack trace. It contains all available information: everything the kb command displays, plus any other information available, including the Trap Frame address and the Frame Pointer Optimization (FPO) information.

kv
ChildEBP RetAddr  Args to Child
**Parameters Deleted** NT!_MmAccessFault+0x294
**Parameters Deleted** NT!_KiTrap0E+0xa7(FPO: [0,0] TrapFrame@fe29bd3c)
**Parameters Deleted** hal!KfAcquireSpinLock (FPO: [0,0,0])
**Parameters Deleted** NT!_FsRtlPrivateLock+0xb2
**Parameters Deleted** Ntfs!_NtfsFastLock+0x9f
**Parameters Deleted** srv!_SrvSmbLockingAndX+0x293
**Parameters Deleted** srv!_SrvProcessSmb+0x18 (FPO: [1,0,1])
**Parameters Deleted** srv!_SrvRestartReceive+0x90 (FPO: [1,0,3])
**Parameters Deleted** srv!_DequeueAndProcessWorkItem+0x31(FPO:[1,2,4])
**Parameters Deleted** srv!_WorkerThread+0x24 (FPO: [1,0,1])
**Parameters Deleted** NT!_PspSystemThreadStartup+0x40
**Parameters Deleted** NT!_KiThreadStartup+0x16

!trap
!trap - When a system trap occurs and Windows NT has the time to shut down gracefully from a fatal error, Windows NT creates a Trap Frame. This is a record of the state of the processor's registers at the time of the system failure. To display the Trap Frame, the !trap command is called with the address of the trap frame. If a Trap Frame is available, its address is shown in the kv command output. The Trap Frame, in this case, is at the address fe29bd3c.

kv
ChildEBP RetAddr  Args to Child
**Parameters Deleted** NT!_MmAccessFault+0x294
**Parameters Deleted** NT!_KiTrap0E+0xa7(FPO: [0,0] TrapFrame@fe29bd3c)
**Parameters Deleted** hal!KfAcquireSpinLock (FPO: [0,0,0])
**Parameters Deleted** NT!_FsRtlPrivateLock+0xb2
**Parameters Deleted** Ntfs!_NtfsFastLock+0x9f
**Parameters Deleted** srv!_SrvSmbLockingAndX+0x293
**Parameters Deleted** srv!_SrvProcessSmb+0x18 (FPO: [1,0,1])
**Parameters Deleted** srv!_SrvRestartReceive+0x90 (FPO: [1,0,3])
**Parameters Deleted** srv!_DequeueAndProcessWorkItem+0x31(FPO:[1,2,4])
**Parameters Deleted** srv!_WorkerThread+0x24 (FPO: [1,0,1])
**Parameters Deleted** NT!_PspSystemThreadStartup+0x40
**Parameters Deleted** NT!_KiThreadStartup+0x16

!trap fe29bd3c
eax=fe3ceed4 ebx=fe44a801 ecx=fe3ceed4 edx=080242a1 esi=804044c0 edi=e1479008
eip=804044c0 esp=fe29bdb0 ebp=fe29be20 iopl=0         nv up ei ng nz ac po nc
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00010296
ErrCode = 00000000
804044c0 a024f0dfff      mov     al,[ffdff024]
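As an added example (not code from the article or from the KD tools), a small Python triage helper that parses the kv stack walk and the !trap register dump shown above: it pulls the TrapFrame address out of the FPO annotation, checks that the trap frame's eip agrees with the RetAddr recorded in the KiTrap0E frame, and returns the first frame beneath the trap handler, which is what !kb reports as the context of the failure. The sample input is constructed from the output quoted in this article; the function and field names are the example's own.

```python
import re
from itertools import takewhile
# Constructed sample: the kb/kv frames and the !trap dump quoted in this article.
KV_OUTPUT = """\
ChildEBP RetAddr  Args to Child
fe29bd28 8013bb3b 00000000 dfdff024 00000000 NT!_MmAccessFault+0x294
fe29bd28 804044c0 00000000 dfdff024 00000000 NT!_KiTrap0E+0xa7(FPO: [0,0] TrapFrame@fe29bd3c)
fe29bdac 80110c5c e1479008 fe395a68 fe44a8a0 hal!KfAcquireSpinLock (FPO: [0,0,0])
fe29be20 8039ced3 fe3bc248 fe395a68 fe29becc NT!_FsRtlPrivateLock+0xb2
"""
TRAP_OUTPUT = """\
eax=fe3ceed4 ebx=fe44a801 ecx=fe3ceed4 edx=080242a1 esi=804044c0 edi=e1479008
eip=804044c0 esp=fe29bdb0 ebp=fe29be20 iopl=0         nv up ei ng nz ac po nc
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00010296
804044c0 a024f0dfff      mov     al,[ffdff024]
"""
HEX8 = re.compile(r"^[0-9a-fA-F]{8}$")
TRAP_RE = re.compile(r"TrapFrame\s*@\s*([0-9a-fA-F]{8})")
REG_RE = re.compile(r"\b([a-z]{2,3})=([0-9a-fA-F]{4,8})\b")

def parse_stack(text):
    """One dict per frame of k/kb/kv output; the header line is skipped."""
    frames = []
    for line in text.splitlines():
        toks = line.split()
        if len(toks) < 3 or not (HEX8.match(toks[0]) and HEX8.match(toks[1])):
            continue
        args = list(takewhile(HEX8.match, toks[2:5]))  # "Args to Child" (kb/kv only)
        sym, _, fpo = " ".join(toks[2 + len(args):]).partition("(")  # symbol vs "(FPO: ...)"
        module, sep, func = sym.strip().partition("!")
        trap = TRAP_RE.search(fpo)
        frames.append({"child_ebp": toks[0], "ret_addr": toks[1], "args": args,
                       "module": module if sep else "", "symbol": func if sep else module,
                       "trap_frame": trap.group(1) if trap else None})
    return frames

def parse_trap(text):
    """Registers from !trap output plus the disassembled faulting instruction."""
    regs = {m.group(1): m.group(2) for m in REG_RE.finditer(text)}
    instr = re.search(r"^[0-9a-fA-F]{8}\s+[0-9a-fA-F]+\s+(.+)$", text, re.M)
    return regs, (" ".join(instr.group(1).split()) if instr else None)

def triage(kv_text, trap_text):
    """Mirror kv -> !trap -> !kb: find the trap frame, then report the faulting context."""
    frames, (regs, instr) = parse_stack(kv_text), parse_trap(trap_text)
    idx = next((i for i, f in enumerate(frames) if f["trap_frame"]), None)
    if idx is None:
        return None  # no trap frame on this walk, so there is nothing for !trap to show
    below = frames[idx + 1:]  # the frames !kb shows: those beneath the trap handler
    return {"trap_frame": frames[idx]["trap_frame"], "eip": regs.get("eip"), "instruction": instr,
            "eip_matches_stack": regs.get("eip") == frames[idx]["ret_addr"],  # trap returns to the faulting EIP
            "faulting_frame": f'{below[0]["module"]}!{below[0]["symbol"]}' if below else None}
```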

!KB
!kb - This command is used in conjunction with the Trap Frame information. It displays the stack in the context of the system failure. In addition, the !kv command produces verbose output in the context of the failure.

Use this command after the Trap Frame has been displayed: execute the kv command, then execute !trap on the Trap Frame address, and then execute the !kb command. In the example below, note that the stack trace displayed is not the same as the initial stack trace; the final stack trace is in the context of the system failure.

Example
kv
ChildEBP RetAddr  Args to Child
**Parameters Deleted** NT!_MmAccessFault+0x294
**Parameters Deleted** NT!_KiTrap0E+0xa7(FPO: [0,0] TrapFrame@fe29bd3c)
**Parameters Deleted** hal!KfAcquireSpinLock (FPO: [0,0,0])
**Parameters Deleted** NT!_FsRtlPrivateLock+0xb2
**Parameters Deleted** Ntfs!_NtfsFastLock+0x9f
**Parameters Deleted** srv!_SrvSmbLockingAndX+0x293
**Parameters Deleted** srv!_SrvProcessSmb+0x18 (FPO: [1,0,1])
**Parameters Deleted** srv!_SrvRestartReceive+0x90 (FPO: [1,0,3])
**Parameters Deleted** srv!_DequeueAndProcessWorkItem+0x31(FPO:[1,2,4])
**Parameters Deleted** srv!_WorkerThread+0x24 (FPO: [1,0,1])
**Parameters Deleted** NT!_PspSystemThreadStartup+0x40
**Parameters Deleted** NT!_KiThreadStartup+0x16

!trap fe29bd3c
eax=fe3ceed4 ebx=fe44a801 ecx=fe3ceed4 edx=080242a1 esi=804044c0 edi=e1479008
eip=804044c0 esp=fe29bdb0 ebp=fe29be20 iopl=0         nv up ei ng nz ac po nc
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00010296
ErrCode = 00000000
804044c0 a024f0dfff      mov     al,[ffdff024]

!kb
ChildEBP RetAddr  Args to Child
fe29bdac Parm1 Parm2 Parm3 hal!KfAcquireSpinLock
fe29be20 Parm1 Parm2 Parm3 NT!_FsRtlPrivateLock+0xb2
fe29be84 Parm1 Parm2 Parm3 Ntfs!_NtfsFastLock+0x9f
fe29bf00 Parm1 Parm2 Parm3 srv!_SrvSmbLockingAndX+0x293
fe29bf0c Parm1 Parm2 Parm3 srv!_SrvProcessSmb+0x18
fe29bf20 Parm1 Parm2 Parm3 srv!_SrvRestartReceive+0x90
fe29bf40 Parm1 Parm2 Parm3 srv!_DequeueAndProcessWorkItem+0x31
fe29bf4c Parm1 Parm2 Parm3 srv!_WorkerThread+0x24
fe29bf7c Parm1 Parm2 Parm3 NT!_PspSystemThreadStartup+0x40
00000000 Parm1 Parm2 Parm3 NT!_KiThreadStartup+0x16

For more information on Windows NT debugging, query on the following word here in the Microsoft Knowledge Base:

"debugref"

Additional query words: prodnt

Keywords : ntstop

Version : 3.50 3.51

Platform : WINDOWS

Issue type :

Technology :