nt!KeWaitForSingleObject without Args


Problem description

I'm currently trying to debug a system deadlock and I'm having a hard time understanding this.

Child-SP          RetAddr           : Args to Child                                                           : Call Site
fffff880`035cb760 fffff800`02ecef72 : 00000000`00000002 fffffa80`066e8b50 00000000`00000000 fffffa80`066a16e0 : nt!KiSwapContext+0x7a
fffff880`035cb8a0 fffff800`02ee039f : fffffa80`0b9256b0 00000000`000007ff 00000000`00000000 00000000`00000000 : nt!KiCommitThreadWait+0x1d2
fffff880`035cb930 fffff880`0312a5e4 : 00000000`00000000 fffff800`00000000 fffffa80`079a3c00 00000000`00000000 : nt!KeWaitForSingleObject+0x19

Why would the first argument for KeWaitForSingleObject be null?

Unless I'm misunderstanding, isn't the first argument the object being waited on? Is the deadlock simply that this thread is waiting on nothing, or is this ordinary behavior?

Additionally, I see another process (services.exe) showing a similar stack trace:

1: kd> .thread fffffa800d406b50
Implicit thread is now fffffa80`0d406b50
1: kd> kv
  *** Stack trace for last set context - .thread/.cxr resets it
Child-SP          RetAddr           : Args to Child                                                           : Call Site
fffff880`09ed4800 fffff800`02ecef72 : fffffa80`0d406b50 fffffa80`0d406b50 00000000`00000000 fffff8a0`00000000 : nt!KiSwapContext+0x7a
fffff880`09ed4940 fffff800`02ee039f : 00000000`000000b4 fffffa80`0b1df7f0 00000000`0000005e fffff800`031ae5e7 : nt!KiCommitThreadWait+0x1d2
fffff880`09ed49d0 fffff800`031d1e3e : fffffa80`0d406b00 00000000`00000006 00000000`00000001 00000000`093bf000 : nt!KeWaitForSingleObject+0x19f
fffff880`09ed4a70 fffff800`02ed87d3 : fffffa80`0d406b50 00000000`77502410 fffff880`09ed4ab8 fffffa80`0b171a50 : nt!NtWaitForSingleObject+0xde

Is this thread waiting on itself essentially?

Recommended answer

You're debugging a 64-bit process.

Remember the x64 calling convention, which is explained here. The first 4 arguments are passed in registers. After that, arguments are pushed onto the stack.

Unfortunately, kv blindly displays the stack arguments. In fact, it would be quite difficult (and sometimes impossible) for it to determine what the first 4 arguments actually were at the time of the call since they may not have been stored anywhere that can ever be recovered.

So, you are looking at the 5th argument to nt!NtWaitForSingleObject, where a nullptr is a pretty typical argument for a Timeout.

Luckily for us debugging types, all is not lost! There is a windbg extension which does its best to reconstruct the arguments when the function was called. The extension is called CMKD. You can place the extension DLL in your winext folder and call it like so:

0:000> !cmkd.stack -p
Call Stack : 7 frames
## Stack-Pointer    Return-Address   Call-Site       
00 000000a408c7fb28 00007ffda95b1148 ntdll!NtWaitForSingleObject+a 
    Parameter[0] = 0000000000000034
    Parameter[1] = 0000000000000000
    Parameter[2] = 0000000000000000
    Parameter[3] = (unknown)       
01 000000a408c7fb30 00007ff7e44c13f1 KERNELBASE!WaitForSingleObjectEx+98 
    Parameter[0] = 0000000000000034
    Parameter[1] = 00000000ffffffff
    Parameter[2] = 0000000000000000
    Parameter[3] = 00007ff7e44cba28
02 000000a408c7fbd0 00007ff7e44c3fed ConsoleApplication2!main+41 
    Parameter[0] = (unknown)       
    Parameter[1] = (unknown)       
    Parameter[2] = (unknown)       
    Parameter[3] = (unknown)       

Notice that it does not always succeed at finding the argument, as some of them are (unknown). But, it does a pretty good job and can be an invaluable tool when debugging 64-bit code.
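To make the answer's point concrete, here is an added example (not from the question, the answer, or the CMKD project): a small parser for the `kv` frame format that reads the first trace from the question and, for the two wait routines whose parameter counts are known (KeWaitForSingleObject takes 5, NtWaitForSingleObject takes 3), works out how many of those parameters could ever have been on the stack under the x64 convention. The sample text is the question's own listing, embedded as a constructed input; the parameter table and helper names are this example's own.

```python
import re
from dataclasses import dataclass

# Constructed sample input: the first `kv` listing quoted in the question.
SAMPLE_KV = """\
Child-SP          RetAddr           : Args to Child                                                           : Call Site
fffff880`035cb760 fffff800`02ecef72 : 00000000`00000002 fffffa80`066e8b50 00000000`00000000 fffffa80`066a16e0 : nt!KiSwapContext+0x7a
fffff880`035cb8a0 fffff800`02ee039f : fffffa80`0b9256b0 00000000`000007ff 00000000`00000000 00000000`00000000 : nt!KiCommitThreadWait+0x1d2
fffff880`035cb930 fffff880`0312a5e4 : 00000000`00000000 fffff800`00000000 fffffa80`079a3c00 00000000`00000000 : nt!KeWaitForSingleObject+0x19
"""
QW = r"[0-9a-f]{8}`[0-9a-f]{8}"  # one 64-bit value as WinDbg prints it
FRAME_RE = re.compile(rf"^({QW})\s+({QW})\s+:\s+((?:{QW}\s*){{4}}):\s+(\S+)$")
SITE_RE = re.compile(r"^(?P<module>[^!]+)!(?P<function>[^+]+)(?:\+0x(?P<offset>[0-9a-f]+))?$", re.I)
# Parameter counts of the documented wait routines in the traces. On x64 the first
# four parameters travel in rcx/rdx/r8/r9; only the rest ever live on the stack.
PARAM_COUNTS = {"KeWaitForSingleObject": 5, "NtWaitForSingleObject": 3}
REG_ARGS = 4

@dataclass
class Frame:
    child_sp: int
    ret_addr: int
    slots: tuple  # the four raw stack values that kv labels "Args to Child"
    module: str
    function: str
    offset: int

def qword(text: str) -> int:
    return int(text.replace("`", ""), 16)

def parse_kv(text: str) -> list:
    """Parse `kv` output into frames, skipping prompts, headers and notes."""
    frames = []
    for line in text.splitlines():
        m = FRAME_RE.match(line.strip())
        site = SITE_RE.match(m.group(4)) if m else None
        if not site:
            continue
        frames.append(Frame(qword(m.group(1)), qword(m.group(2)),
                            tuple(qword(s) for s in m.group(3).split()),
                            site["module"], site["function"],
                            int(site["offset"] or "0", 16)))
    return frames

def stack_passed_args(function: str):
    """Parameters of `function` that went via the stack on x64, or None if not tabled.
    Whatever kv shows in its slots, args 1-4 were in registers, so a 0 in the first
    slot of a KeWaitForSingleObject frame does not mean Object was NULL."""
    n = PARAM_COUNTS.get(function)
    return None if n is None else max(0, n - REG_ARGS)
```

For KeWaitForSingleObject the helper reports exactly one stack-passed parameter, the Timeout, which is what the answer says the displayed null most likely is.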
