If a thread has an associated I/O Request Packet (IRP), we may see another type of stack trace that we call I/O Request Stack Trace. It also grows bottom-up, as can be seen in diagram #3 (Volume 1, page 701). We can see this stack trace by using the !irp WinDbg command:
0: kd> !thread fffffa801827a4c0 3f
THREAD fffffa801827a4c0  Cid 06c0.50cc  Teb: 000007ffffec8000 Win32Thread: fffff900c1c64010 WAIT: (Executive) KernelMode Alertable
    fffffa8016f64028  SynchronizationEvent
IRP List:
    fffffa80162aa230: (0006,03a0) Flags: 00000884  Mdl: 00000000
[...]
nt!KiSwapContext+0x7a
nt!KiCommitThreadWait+0x1d2
nt!KeWaitForSingleObject+0x19f
nt!FsRtlCancellableWaitForMultipleObjects+0x5e
nt!FsRtlCancellableWaitForSingleObject+0x27
fltmgr! ?? ::FNODOBFM::`string'+0x2bfa
fltmgr!FltpCreate+0x2a9
nt!IopParseDevice+0x14d3
nt!ObpLookupObjectName+0x588
nt!ObOpenObjectByName+0x306
nt!IopCreateFile+0x2bc
nt!NtCreateFile+0x78
nt!KiSystemServiceCopyEnd+0x13
ntdll!NtCreateFile+0xa
[...]

0: kd> !irp fffffa80162aa230
Irp is active with 10 stacks 10 is current (= 0xfffffa80162aa588)
 No Mdl: No System Buffer: Thread fffffa801827a4c0:  Irp stack trace.
     cmd  flg cl Device   File     Completion-Context
 [  0, 0]   0  0 00000000 00000000 00000000-00000000
            Args: 00000000 00000000 00000000 00000000
 [  0, 0]   0  0 00000000 00000000 00000000-00000000
            Args: 00000000 00000000 00000000 00000000
 [  0, 0]   0  0 00000000 00000000 00000000-00000000
            Args: 00000000 00000000 00000000 00000000
 [  0, 0]   0  0 00000000 00000000 00000000-00000000
            Args: 00000000 00000000 00000000 00000000
 [  0, 0]   0  0 00000000 00000000 00000000-00000000
            Args: 00000000 00000000 00000000 00000000
 [  0, 0]   0  0 00000000 00000000 00000000-00000000
            Args: 00000000 00000000 00000000 00000000
 [  0, 0]   0  0 00000000 00000000 00000000-00000000
            Args: 00000000 00000000 00000000 00000000
 [  0, 0]   0  0 00000000 00000000 00000000-00000000
            Args: 00000000 00000000 00000000 00000000
 [  0, 0]   0  0 fffffa800cb28030 00000000 fffff880012048f0-fffffa8016f64010
           \FileSystem\Ntfs   fltmgr!FltpSynchronizedOperationCompletion
            Args: 00000000 00000000 00000000 00000000
>[  0, 0]   0  1 fffffa800ca00890 fffffa801060d070 00000000-00000000    pending
           \FileSystem\FltMgr
            Args: fffff88014450868 02000060 00000006 00000000
We see that the current stack trace pointer points to the bottom I/O stack location (the line marked with >). Non-empty top locations are analogous to Past Stack Trace (page 43). Further exploration of the Device and File column information may suggest further troubleshooting directions, as in the Blocking File (Volume 6, page 105) pattern example.
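An added example, not part of the original text: a Python parser for the numeric !irp layout shown above that returns the current I/O stack location, the non-empty locations printed above it, and the Device and File addresses to examine next. The names parse_irp, triage and the returned field names are hypothetical; SAMPLE is the page's own listing with whitespace and the driver-name backslashes reconstructed.

```python
import re

# Stack-location header in the numeric !irp layout shown above: optional '>'
# (current), [major, minor], flg, cl, Device, File, Completion-Context, state.
LOC = re.compile(
    r"(?P<cur>>?)\s*\[\s*(?P<major>[0-9a-f]+),\s*(?P<minor>[0-9a-f]+)\]\s+"
    r"(?P<flg>[0-9a-f]+)\s+(?P<cl>[0-9a-f]+)\s+(?P<device>[0-9a-f]+)\s+"
    r"(?P<file>[0-9a-f]+)\s+(?P<routine>[0-9a-f]+)-(?P<context>[0-9a-f]+)"
    r"(?:\s+(?P<state>\S.*))?", re.I)

# The page's listing; whitespace and driver-name backslashes are reconstructed.
EMPTY = (" [  0, 0]   0  0 00000000 00000000 00000000-00000000\n"
         "\t\t\tArgs: 00000000 00000000 00000000 00000000\n")
SAMPLE = (
    "Irp is active with 10 stacks 10 is current (= 0xfffffa80162aa588)\n"
    "     cmd  flg cl Device   File     Completion-Context\n"
    + EMPTY * 8 +
    " [  0, 0]   0  0 fffffa800cb28030 00000000 fffff880012048f0-fffffa8016f64010\n"
    "\t       \\FileSystem\\Ntfs\tfltmgr!FltpSynchronizedOperationCompletion\n"
    "\t\t\tArgs: 00000000 00000000 00000000 00000000\n"
    ">[  0, 0]   0  1 fffffa800ca00890 fffffa801060d070 00000000-00000000    pending\n"
    "\t       \\FileSystem\\FltMgr\n"
    "\t\t\tArgs: fffff88014450868 02000060 00000006 00000000\n")

def parse_irp(text):
    """Return the I/O stack locations of one !irp listing, in printed order."""
    locs = []
    for line in map(str.strip, text.splitlines()):
        if m := LOC.fullmatch(line):
            loc = m.groupdict()
            loc["current"] = loc.pop("cur") == ">"
            loc.update(driver=None, completion=None, args=[])
            locs.append(loc)
        elif locs and line.startswith("\\"):   # driver name [completion routine]
            parts = line.split()
            locs[-1]["driver"], locs[-1]["completion"] = parts[0], " ".join(parts[1:]) or None
        elif locs and line.startswith("Args:"):
            locs[-1]["args"] = line.split()[1:]
    return locs

def triage(text):
    """Current location, non-empty locations printed above it, follow-up addresses."""
    locs = parse_irp(text)
    cur = next((i for i, l in enumerate(locs) if l["current"]), None)
    used = lambda l: any(int(l[k], 16) for k in ("device", "file", "routine"))
    above = [l for i, l in enumerate(locs) if used(l) and (cur is None or i < cur)]
    here = locs[cur] if cur is not None else {}
    return {"stacks": len(locs), "current": None if cur is None else cur + 1,
            "above": above, "pending": "pending" in (here.get("state") or ""),
            "device": here.get("device"), "file": here.get("file")}
```

The device and file values returned for the current location are the addresses from the Device and File columns, which can be passed to !devobj and !fileobj.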
By analogy with the Stack Trace Collection (Volume 1, page 409) pattern, which dumps stack traces from all threads depending on the memory dump type, there is also the I/O Stack Trace Collection (Volume 7, page 101) pattern, which dumps I/O request stack traces from all IRPs that could be found.