Stack Trace (I/O Request)

If a thread has an associated I/O Request Packet (IRP), we may see another type of stack trace that we call an I/O Request Stack Trace. It also grows bottom-up, as can be seen in diagram #3 (Volume 1, page 701). We can see this stack trace by using the !irp WinDbg command:

0: kd> !thread fffffa801827a4c0 3f
THREAD fffffa801827a4c0 Cid 06c0.50cc Teb: 000007ffffec8000
Win32Thread: fffff900c1c64010 WAIT: (Executive) KernelMode Alertable
fffffa8016f64028 SynchronizationEvent
IRP List:
fffffa80162aa230: (0006,03a0) Flags: 00000884 Mdl: 00000000
[...]
nt!KiSwapContext+0x7a
nt!KiCommitThreadWait+0x1d2
nt!KeWaitForSingleObject+0x19f
nt!FsRtlCancellableWaitForMultipleObjects+0x5e
nt!FsRtlCancellableWaitForSingleObject+0x27
fltmgr! ?? ::FNODOBFM::`string'+0x2bfa
fltmgr!FltpCreate+0x2a9
nt!IopParseDevice+0x14d3
nt!ObpLookupObjectName+0x588
nt!ObOpenObjectByName+0x306
nt!IopCreateFile+0x2bc
nt!NtCreateFile+0x78
nt!KiSystemServiceCopyEnd+0x13
ntdll!NtCreateFile+0xa
[...]


0: kd> !irp fffffa80162aa230
Irp is active with 10 stacks 10 is current (= 0xfffffa80162aa588)
No Mdl: No System Buffer: Thread fffffa801827a4c0: Irp stack trace.
cmd flg cl Device File Completion-Context
[ 0, 0] 0 0 00000000 00000000 00000000-00000000

Args: 00000000 00000000 00000000 00000000
[ 0, 0] 0 0 00000000 00000000 00000000-00000000

Args: 00000000 00000000 00000000 00000000
[ 0, 0] 0 0 00000000 00000000 00000000-00000000

Args: 00000000 00000000 00000000 00000000
[ 0, 0] 0 0 00000000 00000000 00000000-00000000

Args: 00000000 00000000 00000000 00000000
[ 0, 0] 0 0 00000000 00000000 00000000-00000000

Args: 00000000 00000000 00000000 00000000
[ 0, 0] 0 0 00000000 00000000 00000000-00000000

Args: 00000000 00000000 00000000 00000000
[ 0, 0] 0 0 00000000 00000000 00000000-00000000

Args: 00000000 00000000 00000000 00000000
[ 0, 0] 0 0 00000000 00000000 00000000-00000000

Args: 00000000 00000000 00000000 00000000
[ 0, 0] 0 0 fffffa800cb28030 00000000 fffff880012048f0-fffffa8016f64010
\FileSystem\Ntfs fltmgr!FltpSynchronizedOperationCompletion
Args: 00000000 00000000 00000000 00000000
>[ 0, 0] 0 1 fffffa800ca00890 fffffa801060d070 00000000-00000000 pending
\FileSystem\FltMgr
Args: fffff88014450868 02000060 00000006 00000000

We see that the current stack trace pointer points to the bottom I/O stack location (the line marked with >). Non-empty top locations are analogous to Past Stack Trace (page 43). Further exploration of the Device and File column information may point to further troubleshooting directions, such as the Blocking File (Volume 6, page 105) pattern example.

By analogy with the Stack Trace Collection (Volume 1, page 409) pattern, which dumps stack traces from all threads based on the memory dump type, there is also the I/O Stack Trace Collection (Volume 7, page 101) pattern, which dumps I/O request stack traces from all IRPs that were possible to find.
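Added example (not from the book): a Python parser for the !irp text layout shown above. It reports the driver at the current location, whether that location is pending, the non-empty locations listed above it, and the !devobj and !fileobj commands to run next on the Device and File columns. SAMPLE is the listing above with seven of the eight empty locations trimmed and driver names written as \FileSystem\...; the function names are this example's own.

```python
import re

# One I/O stack location line: [major, minor] flg cl Device File Routine-Context [state]
LOC = re.compile(
    r"^\s*(?P<cur>>?)\s*\[\s*\w+,\s*\w+\]\s+\w+\s+\w+\s+(?P<device>[0-9a-f`]+)\s+"
    r"(?P<file>[0-9a-f`]+)\s+[0-9a-f`]+-[0-9a-f`]+\s*(?P<state>.*)$", re.I)

def _hex(s):
    return int(s.replace("`", ""), 16)  # tolerate the fffffa80`162aa230 form

def parse_irp(text):
    """Return the I/O stack locations of one !irp listing, in listing order."""
    locs = []
    for line in text.splitlines():
        m = LOC.match(line)
        if m:
            locs.append({"current": m["cur"] == ">", "device": _hex(m["device"]),
                         "file": _hex(m["file"]), "state": m["state"].split(),
                         "driver": None, "completion": None, "args": None})
        elif locs and line.strip().startswith("Args:"):
            locs[-1]["args"] = line.split()[1:]
        elif locs and line.strip() and locs[-1]["args"] is None:
            parts = line.split()  # driver name, then optional completion routine
            locs[-1]["driver"] = parts[0]
            locs[-1]["completion"] = parts[1] if len(parts) > 1 else None
    return locs

def triage(locs):
    """Summarize the current location and the non-empty locations listed above it."""
    idx = next((i for i, l in enumerate(locs) if l["current"]), None)
    if idx is None:
        return None  # no line marked with '>'
    cur = locs[idx]
    return {"current_driver": cur["driver"], "pending": "pending" in cur["state"],
            "past_drivers": [l["driver"] for l in locs[:idx] if l["device"]],
            "next_commands": [f"!devobj {cur['device']:x}", f"!fileobj {cur['file']:x}"]}

# Trimmed copy of the listing above (sample input for this example only)
SAMPLE = r"""
Irp is active with 10 stacks 10 is current (= 0xfffffa80162aa588)
 No Mdl: No System Buffer: Thread fffffa801827a4c0:  Irp stack trace.
     cmd  flg cl Device   File     Completion-Context
 [  0, 0]   0  0 00000000 00000000 00000000-00000000

            Args: 00000000 00000000 00000000 00000000
 [  0, 0]   0  0 fffffa800cb28030 00000000 fffff880012048f0-fffffa8016f64010
           \FileSystem\Ntfs    fltmgr!FltpSynchronizedOperationCompletion
            Args: 00000000 00000000 00000000 00000000
>[  0, 0]   0  1 fffffa800ca00890 fffffa801060d070 00000000-00000000    pending
           \FileSystem\FltMgr
            Args: fffff88014450868 02000060 00000006 00000000
"""
```

Running the same two functions over every IRP address found in a dump yields one summary per IRP, which is the idea behind the I/O Stack Trace Collection pattern.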
