分析求助：鼠标有反应，别的没有反应。

Windows内核调试

分析求助：鼠标有反应，别的没有反应。

correy 2012-11-11, 18:47 下午

文件压缩后有10mb左右，上传出现问题，放到了：
https://skydrive.live.com/redir?resid=8A2ED4A2F09E9B3!89592
敬请下载。

一下是简单的分析，请各位高手给出正确的分析方法和结果。

0: kd> !locks
**** DUMP OF ALL RESOURCE OBJECTS ****
KD: Scanning for held locks.......

Resource @ Ntfs!NtfsData (0xf7b6d5b0) Shared 1 owning threads
Threads: 8b1a68d0-01<*>
KD: Scanning for held locks.........................................

Resource @ 0x879bdc2c    Shared 1 owning threads
    Contention Count = 7856
    NumberOfSharedWaiters = 18
    NumberOfExclusiveWaiters = 1
     Threads: 8acf2020-01    8ace13f0-01    89d4c440-01<*> 8aa60a98-01
              8b1a63f0-01    88e32020-01    8ab04020-01    8866ea60-01
              8866e020-01    8a194b78-01    89d50508-01    8ac96b08-01
              8866f958-01    87e5f300-01    8aa796f8-01    88672d08-01
              8866e7f0-01    88654020-01    8ac76020-01
     Threads Waiting On Exclusive Access:
              8b1a6b40

KD: Scanning for held locks.

Resource @ 0x8ac04378    Exclusively owned
    Contention Count = 91
    NumberOfSharedWaiters = 2
     Threads: 89d4c440-01<*> 8b1a6db0-01    8b1a7738-01
KD: Scanning for held locks.

Resource @ 0x8abfcf58    Shared 1 owning threads
    Contention Count = 7
    NumberOfSharedWaiters = 1
    NumberOfExclusiveWaiters = 1
     Threads: 8b1a63f0-01<*> 8b1a68d0-01
     Threads Waiting On Exclusive Access:
              89d4c440

KD: Scanning for held locks.........................

Resource @ 0x894ac888 Exclusively owned
Threads: 89d4c440-01<*>

Resource @ 0x894acda8    Exclusively owned
    Contention Count = 2
    NumberOfSharedWaiters = 1
     Threads: 89d4c440-01<*> 8b1a79a8-01
KD: Scanning for held locks.....

Resource @ 0x883d0bc0    Shared 1 owning threads
    Contention Count = 24547
     Threads: 89d4c440-03<*>
KD: Scanning for held locks....................

Resource @ 0x889e2ae0 Exclusively owned
Threads: 8b1a63f0-01<*>

Resource @ 0x894af688 Exclusively owned
Threads: 8b1a63f0-01<*>

Resource @ 0x8ae07eb8 Exclusively owned
Threads: 8b1a63f0-01<*>

Resource @ 0x8acc6598 Exclusively owned
Threads: 8b1a63f0-01<*>

Resource @ 0x8ac969c8 Exclusively owned
Threads: 8b1a63f0-01<*>
KD: Scanning for held locks.

Resource @ 0x8ace8e08 Exclusively owned
Threads: 8b1a63f0-01<*>
KD: Scanning for held locks.

Resource @ 0x892138e8 Exclusively owned
Threads: 8b1a63f0-01<*>

Resource @ 0x8aa601e8 Exclusively owned
Threads: 8b1a63f0-01<*>

Resource @ 0x88efc580 Exclusively owned
Threads: 8b1a63f0-01<*>

Resource @ 0x879bbdf0 Exclusively owned
Threads: 8b1a63f0-01<*>

Resource @ 0x884c1618 Exclusively owned
Threads: 8b1a63f0-01<*>

Resource @ 0x8acc5758 Exclusively owned
Threads: 8b1a63f0-01<*>

Resource @ 0x89365318 Exclusively owned
Threads: 8b1a63f0-01<*>

Resource @ 0x8a18d3b0 Exclusively owned
Threads: 8b1a63f0-01<*>

Resource @ 0x879c5318 Exclusively owned
Threads: 8b1a63f0-01<*>

Resource @ 0x884c5ad8 Exclusively owned
Threads: 8b1a63f0-01<*>
KD: Scanning for held locks.......
3329 total locks, 23 locks currently held

0: kd> !thread 8b1a63f0
THREAD 8b1a63f0 Cid 0004.0030 Teb: 00000000 Win32Thread: 00000000 WAIT: (Unknown) KernelMode Non-Alertable
    8b2e80b0 Semaphore Limit 0x7fffffff
    8b1a6468 NotificationTimer
Not impersonating
DeviceMap                 e10018f0
Owning Process            8b1a89e8       Image:         System
Attached Process          N/A            Image:         N/A
Wait Start TickCount      18959          Ticks: 186 (0:00:00:02.906)
Context Switch Count      5288
UserTime                  00:00:00.000
KernelTime                00:00:01.343
Start Address nt!ExpWorkerThread (0x80880356)
Stack Init f78d7000 Current f78d6430 Base f78d7000 Limit f78d4000 Call 0
Priority 14 BasePriority 13 PriorityDecrement 1
ChildEBP RetAddr Args to Child
f78d6448 80833465 8b1a63f0 8b1a6498 00000001 nt!KiSwapContext+0x26 (FPO: [Uses EBP] [0,0,4])
f78d6474 80829a62 8b1a63f0 879bdc2c 00000000 nt!KiSwapThread+0x2e5 (FPO: [0,7,0])
f78d64bc 8087cbed 8b2e80b0 0000001b 00000000 nt!KeWaitForSingleObject+0x346 (FPO: [5,13,4])
f78d64f8 8087d02f f78d6890 f78d6608 f78d6608 nt!ExpWaitForResource+0xd5 (FPO: [0,5,4])
f78d6518 f7b9107d 879bdc2c 00000001 00000006 nt!ExAcquireResourceSharedLite+0xf5 (FPO: [2,3,4])
f78d652c f7b78290 f78d6608 879bd7f8 00000001 Ntfs!NtfsAcquireSharedVcb+0x23 (FPO: [3,0,4])
f78d6590 f7b8aff6 f78d6608 8851d4d0 80a5bf00 Ntfs!NtfsCommonQueryInformation+0xd2 (FPO: [SEH])
f78d65f4 f7b8b02f f78d6608 8851d4d0 00000001 Ntfs!NtfsFsdDispatchSwitch+0x12a (FPO: [SEH])
f78d6710 809b550c 879bd718 8851d4d0 89d79270 Ntfs!NtfsFsdDispatchWait+0x1c (FPO: [2,66,0])
f78d6740 8081df33 f7272c45 f78d6774 f7272c45 nt!IovCallDriver+0x112 (FPO: [1,5,0])
f78d674c f7272c45 89d79270 80a5bf00 ffffffff nt!IofCallDriver+0x13 (FPO: [0,0,0])
f78d6774 809b550c 89d79270 8851d4d0 b5e7bab8 fltMgr!FltpDispatch+0x6f (FPO: [2,6,0])
f78d67a4 8081df33 b5e7472e f78d67d8 b5e7472e nt!IovCallDriver+0x112 (FPO: [1,5,0])
f78d67b0 b5e7472e 8851d4d0 80a5c456 00000000 nt!IofCallDriver+0x13 (FPO: [0,0,0])
f78d67d8 b5e74aef 89d79270 88bbd038 00000006 xxx!FilemonQueryFile+0xce (FPO: [Non-Fpo]) (CONV: stdcall) [d:\xxx\client\filemon\filemon\filemon.c @ 845]
f78d68d8 b5e7812a 00000000 88bbd038 87895f18 xxx!FilemonGetFullPath+0x23f (FPO: [Non-Fpo]) (CONV: stdcall) [d:\xxx\client\filemon\filemon\filemon.c @ 939]
f78d6ab0 b5e7964f 87895e60 8aaf8208 8aaf8208 xxx!FilemonHookRoutine+0x1da (FPO: [Non-Fpo]) (CONV: stdcall) [d:\xxx\client\filemon\filemon\filemon.c @ 2279]
f78d6ac4 809b550c 87895e60 8aaf8208 88bbd038 xxx!FilemonDispatch+0x2f (FPO: [Non-Fpo]) (CONV: stdcall) [d:\xxx\client\filemon\filemon\filemon.c @ 2736]
f78d6af4 8081df33 8081e67f f78d6b14 8081e67f nt!IovCallDriver+0x112 (FPO: [1,5,0])
f78d6b00 8081e67f 00000000 f78d6b3c 8ac24ac8 nt!IofCallDriver+0x13 (FPO: [0,0,0])
f78d6b14 80836426 88bbd00b f78d6b3c f78d6c04 nt!IoSynchronousPageWrite+0xaf (FPO: [5,0,4])
f78d6c30 8083780b e3ebb430 e3ebb4b0 8ac24ac8 nt!MiFlushSectionInternal+0x6ba (FPO: [6,61,4])
f78d6c74 8080f8de 8ac24a90 f78d6c00 00010000 nt!MmFlushSection+0x211 (FPO: [5,6,0])
f78d6cfc 8080fc57 00010000 00000000 00000001 nt!CcFlushCache+0x3a6 (FPO: [4,24,4])
f78d6d40 808127a2 8b1a63f0 808ae5c0 8b19d190 nt!CcWriteBehind+0x11b (FPO: [0,8,4])
f78d6d80 80880441 8b19d190 00000000 8b1a63f0 nt!CcWorkerThread+0x15a (FPO: [SEH])
f78d6dac 80949b7c 8b19d190 00000000 00000000 nt!ExpWorkerThread+0xeb (FPO: [1,5,0])
f78d6ddc 8088e062 80880356 00000000 00000000 nt!PspSystemThreadStartup+0x2e (FPO: [SEH])
00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16

0: kd> !thread 89d4c440
THREAD 89d4c440 Cid 0b9c.0ba0 Teb: 7ffdd000 Win32Thread: e118c610 WAIT: (Unknown) KernelMode Non-Alertable
    8acf4428 SynchronizationEvent
    89d4c4b8 NotificationTimer
IRP List:
    89d5c878: (0006,01fc) Flags: 40000404 Mdl: 00000000
Not impersonating
DeviceMap                 e32abaf8
Owning Process            89d4c020       Image:         cmd.exe
Attached Process          N/A            Image:         N/A
Wait Start TickCount      18959          Ticks: 186 (0:00:00:02.906)
Context Switch Count      178844                 LargeStack
UserTime                  00:00:00.250
KernelTime                00:00:03.640
Win32 Start Address 0x4ad07670
Start Address 0x7c8217f8
Stack Init b663d000 Current b663c49c Base b663d000 Limit b6639000 Call 0
Priority 14 BasePriority 8 PriorityDecrement 1
ChildEBP RetAddr Args to Child
b663c4b4 80833465 89d4c440 89d4c4e8 00000001 nt!KiSwapContext+0x26 (FPO: [Uses EBP] [0,0,4])
b663c4e0 80829a62 89d4c440 8abfcf58 00000000 nt!KiSwapThread+0x2e5 (FPO: [0,7,0])
b663c528 8087cbed 8acf4428 0000001b 00000000 nt!KeWaitForSingleObject+0x346 (FPO: [5,13,4])
b663c564 8087ce07 00000000 e2188008 b663c870 nt!ExpWaitForResource+0xd5 (FPO: [0,5,4])
b663c584 f7b515b4 8abfcf58 b663c801 b663c5b8 nt!ExAcquireResourceExclusiveLite+0x8d (FPO: [2,3,0])
b663c594 f7b8e3b1 b663c870 e2188008 b663c801 Ntfs!NtfsAcquireResourceExclusive+0x20 (FPO: [3,0,0])
b663c5b8 f7b90d9d b663c801 e2188008 e21880d0 Ntfs!NtfsAcquireExclusiveFcb+0x42 (FPO: [4,1,4])
b663c5d4 f7b7bfce b663c870 e21880d0 e31c29a8 Ntfs!NtfsAcquireExclusiveScb+0x17 (FPO: [2,0,4])
b663c658 f7b9e8fa b663c870 00000000 b663c978 Ntfs!NtfsWriteUsnJournalChanges+0x71 (FPO: [SEH])
b663c854 f7b928d9 b663c870 89d5c878 80a5bf00 Ntfs!NtfsCommonCleanup+0x21ff (FPO: [SEH])
b663c9c4 809b550c 879bd718 89d5c878 89d79270 Ntfs!NtfsFsdCleanup+0xcf (FPO: [SEH])
b663c9f4 8081df33 f7272c45 b663ca28 f7272c45 nt!IovCallDriver+0x112 (FPO: [1,5,0])
b663ca00 f7272c45 89d79270 80a5bf00 ffffffff nt!IofCallDriver+0x13 (FPO: [0,0,0])
b663ca28 809b550c 89d79270 89d5c878 89d5ca50 fltMgr!FltpDispatch+0x6f (FPO: [2,6,0])
b663ca58 8081df33 b5e792e0 b663cc2c b5e792e0 nt!IovCallDriver+0x112 (FPO: [1,5,0])
b663ca64 b5e792e0 80a5bf00 87895e60 ffffffff nt!IofCallDriver+0x13 (FPO: [0,0,0])
b663cc2c b5e7964f 87895e60 89d5c878 89d5c878 xxx!FilemonHookRoutine+0x1390 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\xxx\client\filemon\filemon\filemon.c @ 2663]
b663cc40 809b550c 87895e60 89d5c878 88b07318 xxx!FilemonDispatch+0x2f (FPO: [Non-Fpo]) (CONV: stdcall) [d:\xxx\client\filemon\filemon\filemon.c @ 2736]
b663cc70 8081df33 808f9732 b663ccac 808f9732 nt!IovCallDriver+0x112 (FPO: [1,5,0])
b663cc7c 808f9732 88b07300 8b18f730 88b07318 nt!IofCallDriver+0x13 (FPO: [0,0,0])
b663ccac 80934bac 89d4c020 87895e60 00120196 nt!IopCloseFile+0x2ae (FPO: [5,7,0])
b663ccdc 809344ad 89d4c020 00000001 8b18f730 nt!ObpDecrementHandleCount+0xcc (FPO: [4,2,4])
b663cd04 80934546 e32a9a58 88b07318 00000018 nt!ObpCloseHandleTableEntry+0x131 (FPO: [5,1,0])
b663cd48 80934663 00000018 00000001 b663cd64 nt!ObpCloseHandle+0x82 (FPO: [2,7,4])
b663cd58 8088978c 00000018 0012fafc 7c9585ec nt!NtClose+0x1b (FPO: [1,0,0])
b663cd58 7c9585ec 00000018 0012fafc 7c9585ec nt!KiFastCallEntry+0xfc (FPO: [0,0] TrapFrame @ b663cd64)
WARNING: Stack unwind information not available. Following frames may be wrong.
0012fafc 00000000 00000000 00000000 00000000 ntdll+0x285ec

能说下是那个资源引起的死锁吗？
我查了下：
Threads: 8b1a63f0 拥有17个，其中15个是Exclusively
Threads: 89d4c440 拥有6个，其中两个是Shared 类型的。
而我们模块的地址是：
b5e72000 b5ea8000 xxx (private pdb symbols) d:\xxx\client\filemon\filemon\objchk_wnet_x86\i386\xxx.pdb
那些Resource的地址都不在我们的驱动模块里面？

0: kd> !irp 89d5c878
Irp is active with 11 stacks 9 is current (= 0x89d5ca08)
No Mdl: No System Buffer: Thread 89d4c440: Irp stack trace.
cmd flg cl Device File Completion-Context
[ 0, 0] 0 0 00000000 00000000 00000000-00000000

Args: 00000000 00000000 00000000 00000000
[ 0, 0] 0 0 00000000 00000000 00000000-00000000

Args: 00000000 00000000 00000000 00000000
[ 0, 0] 0 10 00000000 00000000 00000000-00000000

Args: 00000000 00000000 00000000 00000000
>[ 12, 0]   0 e0 879bd718 88b07318 809c7ef4-89d5ca2c Success Error Cancel
      \FileSystem\Ntfs nt!IovpInternalCompletionTrap
Args: 00000000 00000000 00000000 00000000
[ 12, 0]   0 0 89d79270 88b07318 b5e77a40-00000000
      \FileSystem\FltMgr xxx
Args: 00000000 00000000 00000000 00000000
[ 12, 0]   0 0 87895e60 88b07318 00000000-00000000
      \Driver\xxx
Args: 00000000 00000000 00000000 00000000
0: kd> !devobj 879bd718
Device object (879bd718) is for:
\FileSystem\Ntfs DriverObject 8b1c03e0
Current Irp 00000000 RefCount 0 Type 00000008 Flags 00000000
DevExt 879bd7d0 DevObjExt 879bdfd0
ExtensionFlags (0xc0000000) DOE_BOTTOM_OF_FDO_STACK, DOE_DESIGNATED_FDO
AttachedDevice (Upper) 89d79270 \FileSystem\FltMgr
Device queue is not busy.
0: kd> !irp 88b07318
IRP signature does not match, probably not an IRP
0: kd> dt nt!_file_object 88b07318
   +0x000 Type             : 5
   +0x002 Size             : 112
   +0x004 DeviceObject     : 0x8b1c7630 _DEVICE_OBJECT
   +0x008 Vpb              : 0x8b1c75a8 _VPB
   +0x00c FsContext        : 0xe31c2a70
   +0x010 FsContext2       : 0xe31c2bb8
   +0x014 SectionObjectPointer : 0x8aa60fec _SECTION_OBJECT_POINTERS
   +0x018 PrivateCacheMap : (null)
   +0x01c FinalStatus      : 0
   +0x020 RelatedFileObject : 0x896050f8 _FILE_OBJECT
   +0x024 LockOperation    : 0 ''
   +0x025 DeletePending    : 0 ''
   +0x026 ReadAccess       : 0 ''
   +0x027 WriteAccess      : 0x1 ''
   +0x028 DeleteAccess     : 0 ''
   +0x029 SharedRead       : 0x1 ''
   +0x02a SharedWrite      : 0 ''
   +0x02b SharedDelete     : 0 ''
   +0x02c Flags            : 0x44042
   +0x030 FileName         : _UNICODE_STRING "\www\addtest.txt"
   +0x038 CurrentByteOffset : _LARGE_INTEGER 0x7
   +0x040 Waiters          : 0
   +0x044 Busy             : 1
   +0x048 LastLock         : (null)
   +0x04c Lock             : _KEVENT
   +0x05c Event            : _KEVENT
   +0x06c CompletionContext : (null)
0: kd> !fileobj 88b07318

\www\addtest.txt

Related File Object: 0x896050f8

Device Object: 0x8b1c7630 \Driver\Ftdisk
Vpb: 0x8b1c75a8
Access: Write SharedRead

Flags: 0x44042
Synchronous IO
Cache Supported
Cleanup Complete
Handle Created

File Object is currently busy and has 0 waiters.

FsContext: 0xe31c2a70 FsContext2: 0xe31c2bb8
CurrentByteOffset: 7
Cache Data:
Section Object Pointers: 8aa60fec
Shared Cache Map: 88e32810 File Offset: 7 in VACB number 0
Vacb: 8b192df0
Your data is at: c3c00007

诚心求解答，第一次分析这。

email:kouleguan@gmail.com
QQ:112426112

希望张老师等大牛出现回答。

Re: 分析求助：鼠标有反应，别的没有反应。

格蠹老雷 2012-11-12, 23:13 下午

典型的死锁：

- CC线程8b1a63f0想获取Cmd线程89d4c440拥有的0x879bdc2c

- Cmd线程89d4c440想获取CC线程8b1a63f0拥有的0x8abfcf58

通过搜索内核池可以看到0x8abfcf58是NTFS创建的，根据栈回溯，与FCB（File Control Block）关联

!pool 0x8abfcf58

*8abfcf50 size: 40 previous size: 8 (Allocated) *Ntfr

Pooltag Ntfr : ERESOURCE, Binary : ntfs.sys

NtfR - ntfs.sys - READ_AHEAD_THREAD

类似的0x879bdc2c与设备对象和VCB （Volume Control Block）关联

如此看来，CC线程拿到了FCB，想要VCB，Cmd线程拿到了VCB，想要FCB...

Re: 分析求助：鼠标有反应，别的没有反应。

correy 2012-11-13, 13:45 下午
感谢老张的分析。

如何解决呢？

痛苦的思索中。

说明：自己的驱动代码中没有处理FCB和VCB内容，倒是用了3个ERESOURCE。

不足之处，请继续指教。

可能是因为两个!pool命令的内容太多，导致回复失败。看看能不能再补上。

Re: 分析求助：鼠标有反应，别的没有反应。

correy 2012-11-13, 13:50 下午
回复的内容及返回的错误页面。

Re: 分析求助：鼠标有反应，别的没有反应。

correy 2012-11-24, 22:48 下午
感谢张老师的来信。

问题可能已经解决，按照理论上也解决了。

开始的时候出现一两次死机，可能是别的原因，以后想出现都没有出现。

经过这么多天的测试，没有出现问题，断定解决了。