[x]

Site Alert(s):

Server maintenance Saturday Nov 22, 2008, 12:00 PM - 3:00 PM. The Knowledge Center will be unavailable during this time.

[x]

Site Alert(s):

Server maintenance Saturday Nov 22, 2008, 12:00 PM - 3:00 PM. The Knowledge Center will be unavailable during this time.

Knowledge Center Home
> CTX106209

Rate this Article:

Article Feedback

Print View

Alternate Languages: N/A

Case Study: How to Find the Stack Overflow For Threads Running In Kernel Space

Document ID: CTX106209 / Created On: Apr 25, 2005 / Updated On: Nov 8, 2007

Average Rating: not yet rated

View products this document applies to

Problem Definition

The customer is experiencing intermittent bugchecks on some of the Citrix MetaFrame XP servers.

Environment

Citrix:

Product - MetaFrame XP, Feature Release 3/Service Pack 3

Hotfixes - 078, 082, 100, 119 & 126

Language –English

Clients – 32-bit Windows 6.x, Wyse 2310,2315 with 4.x client built into the firmware

Microsoft:

OS - Windows 2000/2003

Language - English

Troubleshooting Methodology

Find out following details before you start analyzing the systems dumps. All of this information is very important for the dump analysis.

Any recent updates to the systems.

Citrix Related: Did they experience the fatal error after applying any new Citrix patches, hotfixes, or Service Packs? Obtain information about other installed patches, hotfixes and service packs on the faulting server.

Microsoft Related: Did they experience the fatal error after applying any Microsoft related patches? Obtain information about other installed patches, hotfixes and service packs on the faulting server.

Find out information about third party installed applications, such as virus scanners, and any other background tools running such as UPHClean. Find out about any recent changes to these applications.

Find out whether the systems are configured to catch a complete system dump. If not, have the problem server configured to capture complete memory dumps.

Note: Why do we ask for a complete memory dump? Complete memory dumps provide the state of the system that includes both user space and kennel space at the time of fault. Complete memory dumps help analyze and show the faulting components both from the user space and kernel space to complete an accurate and quick turnaround of the issue.

Refer to Overview of memory dump file options for Windows 2000, for Windows XP, and for Windows Server 2003 for more information.

Note: The complete memory dump option is not available on computers with 2 gigabytes (GB) or more of RAM. For additional information, refer to Complete memory dumps not available on computers with 2 or more gigabytes of RAM.

Analyzing the system dump. Assumptions/requirements:

Basic knowledge of using debugging tools from Microsoft, such as windbg.exe.

You need the latest version of the windbg tool from Microsoft installed on the box. The windg tool is available from Microsoft.

Symbols for the third party applications if needed (such as Citrix MetaFrame XP).

Public symbols for Microsoft OS. They can be sourced from the following link and it also provides information on how to configure the windbg to access these public symbols. Debugging Tools and Symbols: Getting Started

Detailed analysis steps:

Load the system dump using the windbg tool. Once the dump loads successfully without any problem issue the !analyze –v command. This command dumps these details about the bug/fault in the following order:

i. General information about the bug check details

ii. State of the microprocessor registers at the time of fault

iii. Stack trace of faulting thread

iv. Faulting module details

Generally I do not rely or use this information to come to the conclusion of the issue.

------------------------------------
0: kd> !analyze –v
*******************************************************************************
* *
*                         Bugcheck Analysis *
* *
*******************************************************************************
UNEXPECTED_KERNEL_MODE_TRAP (7f)
This means a trap occurred in kernel mode, and it's a trap of a kind
that the kernel isn't allowed to have/catch (bound trap) or that
is always instant death (double fault). The first number in the
bugcheck params is the number of the trap (8 = double fault, etc)
Consult an Intel x86 family manual to learn more about what these
traps are. Here is a *portion* of those codes:
If kv shows a taskGate
       use .tss on the part before the colon, then kv.
Else if kv shows a trapframe
       use .trap on that value
Else
       .trap on the appropriate frame will show where the trap was taken
        (on x86, this will be the ebp that goes with the procedure KiTrap)
Endif
kb will then show the corrected stack.
Arguments:
Arg1: 00000008, EXCEPTION_DOUBLE_FAULT
Arg2: 00000000
Arg3: 00000000
Arg4: 00000000
Debugging Details:
------------------*** ERROR: Module load completed but symbols could not be loaded for q57w2k.sys
*** ERROR: Module load completed but symbols could not be loaded for PDRFRAME.SYS
*** ERROR: Module load completed but symbols could not be loaded for pdcrypt1.SYS
*** ERROR: Module load completed but symbols could not be loaded for WDICA.SYSBUGCHECK_STR: 0x7f_8TSS: 00000028 -- (.tss 28)
eax=88f476d0 ebx=00000000 ecx=00000147 edx=88f61000 esi=88f476d0 edi=88f61000
eip=bfcb23e1 esp=b5f16fb0 ebp=b5f173c0 iopl=0        nv up ei ng nz na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000             efl=00010282
q57w2k+0x183e1:
bfcb23e1 53               push    ebx
Resetting default scope
DEFAULT_BUCKET_ID: DRIVER_FAULTSTACK_OVERFLOW: b5f17000BAD_STACK_POINTER: b5f16fb0LAST_CONTROL_TRANSFER: from bfc9d95a to bfcb23e1STACK_TEXT:
WARNING: Stack unwind information not available. Following frames may be wrong.
be2893c0 bfc9d95a 88f5e000 88f46e18 88f62e7c q57w2k+0x183e1
be2896fc bfc9d6f9 00000000 be289764 88f5e000 q57w2k+0x395a
be289714 bfc9dc58 00f5e000 88eba708 88f7f4b0 q57w2k+0x36f9
be289734 bfea35e4 8834c171 00000000 00000000 q57w2k+0x3c58
be289754 bf34e80b 00000000 88ead870 88eba8a8 NDIS!ndisMSendX+0x11d
be28977c bf34e71e 88eba8a8 88ead870 88ebbd28 tcpip!ARPSendData+0x1a1
be2897ac bf34ebfa 88eba800 be28989c 00000001 tcpip!ARPTransmit+0x74
be2898a0 bf35007c bf38da58 88e7d700 88e87888 tcpip!IPTransmit+0x5ef
be289924 bf3501c8 a3e3ea0f be289900 8834c11c tcpip!TCPSend+0x928
be289944 bf350263 be289900 00000000 00000211 tcpip!TdiSend+0x176
be289978 bf34edc2 8834c078 8834c100 88e89130 tcpip!TCPSendData+0x8e
be28998c 8041de73 88e89130 8834c040 877e6a28 tcpip!TCPDispatchInternalDeviceControl+0x4a
be2899a0 eb368ce6 eb368c2e 884876a8 86f33008 nt!IopfCallDriver+0x35
be2899b0 bf077345 877e6a28 be289b20 be289b20 TDTCP!TdRawWrite+0xb8
be2899f0 bf0763f8 884876a8 00000002 be289b20 termdd!_IcaCallSd+0x55
be289a00 eb548348 87bd21fc 00000002 be289b20 termdd!IcaCallNextDriver+0x26
be289a18 eb548a7f 877d8248 be289b20 bf077345 PDRFRAME!DeviceWrite+0x32
be289a24 bf077345 877d8248 be289b20 87790c48 PDRFRAME!PdRawWrite+0x2f
be289a64 bf0763f8 87bd21e8 00000002 be289b20 termdd!_IcaCallSd+0x55
be289a74 eb54e3bc 8700557c 00000002 be289b20 termdd!IcaCallNextDriver+0x26
be289a90 eb54f12d 86f33008 be289b20 bf077345 pdcrypt1!DeviceWrite+0x8c
be289a9c bf077345 86f33008 be289b20 8834c008 pdcrypt1!PdRawWrite+0x2f
be289adc bf0763f8 87005568 00000002 be289b20 termdd!_IcaCallSd+0x55
be289aec be2427cd 88219e1c 00000002 be289b20 termdd!IcaCallNextDriver+0x26
be289b2c be2430f4 88351000 8834c008 00000000 WDICA!_BufferSdWrite+0xb5
be289b58 be243b99 88352428 883512b0 88351000 WDICA!SendPendingPackets+0xcd
be289b74 be2442f9 00000001 be289ba4 00000001 WDICA!SendSomeData+0x1ff
be289b98 be23af3e 00000001 0000000a a215b028 WDICA!IcaBufferAppendVirtualData+0xd2
be289bc4 bf077345 00000030 00000001 87aee9f4 WDICA!TerminalChannelWrite+0x282
be289c04 bf077109 88219e08 00000003 be289c6c termdd!_IcaCallSd+0x55
be289c20 bf0763a7 87aee9e8 00000003 be289c6c termdd!_IcaCallStack+0x55
be289c44 bf07412b 88466728 00000003 be289c6c termdd!IcaCallDriver+0x5f
be289c9c bf07572e 88466728 882b39a8 882b3a18 termdd!IcaWriteChannel+0xcd
be289cac bf07546b 882b39a8 882b3a18 889b8ed0 termdd!IcaWrite+0x3a
be289cc0 8041de73 889b8ed0 882b39a8 873ed248 termdd!IcaDispatch+0xb5
be289cd4 a014a61b 00000030 a20174f8 00000030 nt!IopfCallDriver+0x35
be289cf0 a014a56a 00000004 873ed248 a215b028 win32k+0x14a61b
be289d14 a0108ea8 873ed248 a215b028 00000030 win32k+0x14a56a
be289d38 a07a0e57 873ed248 a215b028 00000030 win32k+0x108ea8
be289d60 a07a15e8 a20174c8 00000030 00000001 vdtw30!Send_Transmit_Buffer+0x123
be289d74 a07a485c 00000000 00000000 00000004 vdtw30!SubmitTWPacket+0xc0
be289ec8 a07b4ce6 a20db020 a20db0f6 be28b57e vdtw30!pgDrvTextOut+0xdd0
be289f10 8043f8e4 8908e4ec c0289101 8043f8ef vdtw30!SendTWCommand+0xd6
be289fc8 8046e474 87be1008 00000465 00000001 nt!MiDeleteSystemPagableVm+0x3a2
00000001 00000000 00000000 00000000 00000000 nt!MiFreePoolPages+0x614FOLLOWUP_IP:
q57w2k+183e1
bfcb23e1 53               push    ebxSYMBOL_STACK_INDEX: 0FOLLOWUP_NAME: wintriagSYMBOL_NAME: q57w2k+183e1MODULE_NAME: q57w2kIMAGE_NAME: q57w2k.sysDEBUG_FLR_IMAGE_TIMESTAMP: 40d4cbc5STACK_COMMAND: .tss 28 ; kbFAILURE_BUCKET_ID: 0x7f_8_q57w2k+183e1BUCKET_ID: 0x7f_8_q57w2k+183e1Followup: wintriag
------------------------------------

The above information provides general pointers, information, and lays the ground for the next course of actions to take. The stack trace suggests that a crashing thread is running through the Citrix module, vdtw30.dll, along with some Microsoft and third party related drivers/dlls. Now based on my experience of dumps analysis and the above information, I would like to see the complete stack trace of the faulting thread. So I issue the following command to dump and list all the function calls starting from the bottom of the stack to the top of the stack of faulting thread.

kv 100 - list all the top 0X100 function calls from the top of the stack trace.

Here is the output of the above command:

0: kd> kv 100
ChildEBP RetAddr Args to Child
WARNING: Stack unwind information not available. Following frames may be wrong.
b5f173c0 bfc9d95a 88f61000 88f476d0 88f65e7c q57w2k+0x183e1 <-Top of the stack
b5f176fc bfc9d6f9 00000000 b5f17764 88f61000 q57w2k+0x395a
b5f17714 bfc9dc58 00f61000 88eb45e8 88f7f9b0 q57w2k+0x36f9
b5f17734 bfea35e4 87142ad1 00000000 00000000 q57w2k+0x3c58
b5f17754 bf34e80b 00000000 88eac384 88eb4668 NDIS!ndisMSendX+0x11d (FPO: [Non-Fpo]) (CONV: stdcall)
b5f1777c bf34e71e 88eb4668 88eac384 886799e8 tcpip!ARPSendData+0x1a1 (FPO: [Non-Fpo]) (CONV: stdcall)
b5f177ac bf34ebfa 88eb4600 b5f1789c 00000001 tcpip!ARPTransmit+0x74 (FPO: [Non-Fpo]) (CONV: stdcall)
b5f178a0 bf35007c bf38da58 88e7dc00 88e89548 tcpip!IPTransmit+0x5ef (FPO: [Non-Fpo]) (CONV: stdcall)
b5f17924 bf3501c8 a9383fe4 b5f17900 87142a7c tcpip!TCPSend+0x928 (FPO: [Non-Fpo]) (CONV: stdcall)
b5f17944 bf350263 b5f17900 00000000 00000211 tcpip!TdiSend+0x176 (FPO: [Non-Fpo]) (CONV: stdcall)
b5f17978 bf34edc2 871429d8 87142a00 88e89ab0 tcpip!TCPSendData+0x8e (FPO: [Non-Fpo]) (CONV: stdcall)
b5f1798c 8041de73 88e89ab0 871429a0 868762c8 tcpip!TCPDispatchInternalDeviceControl+0x4a (FPO: [2,0,2])
b5f179a0 eb3a8ce6 eb3a8c2e 86a13588 87f75608 nt!IopfCallDriver+0x35 (FPO: [0,0,2]) (CONV: fastcall)
b5f179b0 becf0345 868762c8 b5f17b20 b5f17b20 TDTCP!TdRawWrite+0xb8 (FPO: [2,0,3]) (CONV: stdcall)
b5f179f0 becef3f8 86a13588 00000002 b5f17b20 termdd!_IcaCallSd+0x55 (FPO: [Non-Fpo]) (CONV: stdcall)
b5f17a00 eb5a8348 86dd94dc 00000002 b5f17b20 termdd!IcaCallNextDriver+0x26 (FPO: [3,0,0]) (CONV: stdcall)
b5f17a64 becef3f8 86dd94c8 00000002 b5f17b20 PDRFRAME!DeviceWrite+0x32
b5f17a74 eb5263bc 87761c3c 00000002 b5f17b20 termdd!IcaCallNextDriver+0x26 (FPO: [3,0,0]) (CONV: stdcall)
b5f17adc becef3f8 87761c28 00000002 b5f17b20 pdcrypt1!DeviceWrite+0x8c
b5f17aec be2cc7cd 882e249c 00000002 b5f17b20 termdd!IcaCallNextDriver+0x26 (FPO: [3,0,0]) (CONV: stdcall)
b5f17b2c be2cd0f4 8657c000 87142968 00000000 WDICA!_BufferSdWrite+0xb5 (FPO: [Non-Fpo])
b5f17b58 be2cdb99 8657d428 8657c2b0 8657c000 WDICA!SendPendingPackets+0xcd (FPO: [Non-Fpo])
b5f17b74 be2ce2f9 00000001 b5f17ba4 00000001 WDICA!SendSomeData+0x1ff (FPO: [Non-Fpo])
b5f17b98 be2c4f3e 00000001 0000000a a215a028 WDICA!IcaBufferAppendVirtualData+0xd2 (FPO: [Non-Fpo])
b5f17bc4 becf0345 00000052 00000001 868769f4 WDICA!TerminalChannelWrite+0x282 (FPO: [EBP 0xbe2d721e] [2,2,4])
b5f17c04 becf0109 882e2488 00000003 b5f17c6c termdd!_IcaCallSd+0x55 (FPO: [Non-Fpo]) (CONV: stdcall)
b5f17c20 becef3a7 868769e8 00000003 b5f17c6c termdd!_IcaCallStack+0x55 (FPO: [3,0,3]) (CONV: stdcall)
b5f17c44 beced12b 88062748 00000003 b5f17c6c termdd!IcaCallDriver+0x5f (FPO: [Non-Fpo]) (CONV: stdcall)
b5f17c9c becee72e 88062748 8813f188 8813f1f8 termdd!IcaWriteChannel+0xcd (FPO: [Non-Fpo]) (CONV: stdcall)
b5f17cac becee46b 8813f188 8813f1f8 889be8f0 termdd!IcaWrite+0x3a (FPO: [2,0,0]) (CONV: stdcall)
b5f17cc0 8041de73 889be8f0 8813f188 87bceee8 termdd!IcaDispatch+0xb5 (FPO: [2,0,2]) (CONV: stdcall)
b5f17cd4 a014a61b 00000052 a201707a 00000052 nt!IopfCallDriver+0x35 (FPO: [0,0,2]) (CONV: fastcall)
b5f17cf0 a014a56a 00000004 87bceee8 a215a028 win32k!_CtxDoFileIo+0xb3 (FPO: [Non-Fpo]) (CONV: stdcall)
b5f17d14 a0108ea8 87bceee8 a215a028 00000052 win32k!CtxWriteFile+0x1c (FPO: [Non-Fpo]) (CONV: stdcall)
b5f17d38 a07a0e57 87bceee8 a215a028 00000052 win32k!EngFileWrite+0x19 (FPO: [Non-Fpo]) (CONV: stdcall)
b5f17d60 a07a15e8 a2017028 00000052 00000001 vdtw30!Send_Transmit_Buffer+0x123
b5f17d74 a07a485c 00000000 00000000 00000004 vdtw30!SubmitTWPacket+0xc0
b5f17ec8 a07b4ce6 a20da020 a20da108 b5f19590 vdtw30!pgDrvTextOut+0xdd0
b5f17edc a07a3a82 b5f18fe8 b5f19260 a201dcd8 vdtw30!SendTWCommand+0xd6
b5f18f24 a07a5747 00000000 b5f18fdc a2274cf8 vdtw30!DrvTw1TextOut+0x868
b5f18f80 a000eb5b a201dce8 b5f18fdc a2274cf8 vdtw30!DrvTextOut+0xb7
b5f19218 a0068b50 b5f19260 a22aae9c a22aaef0 win32k!GreExtTextOutWLocked+0x108e (FPO: [Non-Fpo]) (CONV: stdcall)
b5f19258 a0068b99 a22aa9d8 0000000e 000000a1 win32k!GreExtTextOutWInternal+0x62 (FPO: [Non-Fpo]) (CONV: stdcall)
b5f19288 a0066b45 070102b5 0000000e 000000a1 win32k!GreExtTextOutW+0x24 (FPO: [Non-Fpo]) (CONV: stdcall)
b5f192b0 a0094255 070102b5 0000000e 000000a1 win32k!_TextOutW+0x1c (FPO: [Non-Fpo]) (CONV: stdcall)
b5f192cc a0094295 070102b5 0000000e 000000a1 win32k!UserTextOutWInternal+0x17 (FPO: [Non-Fpo]) (CONV: stdcall)
b5f192f4 a00942e3 070102b5 0000000e 000000a1 win32k!DT_DrawStr+0x85 (FPO: [Non-Fpo]) (CONV: stdcall)
b5f19328 a00944d1 070102b5 000000a1 b5f19538 win32k!DT_DrawJustifiedLine+0x60 (FPO: [Non-Fpo]) (CONV: stdcall)
b5f19458 a00945ec 070102b5 000000a1 b5f19538 win32k!AddEllipsisAndDrawLine+0xa8 (FPO: [Non-Fpo]) (CONV: stdcall)
b5f194e8 a0094676 070102b5 b5f19538 0000002c win32k!DrawTextExWorker+0x17c (FPO: [Non-Fpo]) (CONV: stdcall)
b5f1950c a005c673 070102b5 b5f19538 0000002c win32k!DrawTextExW+0x1c (FPO: [Non-Fpo]) (CONV: stdcall)
b5f19790 a005c06a 018a0021 070102b5 0000002c win32k!DrawSwitchWndHilite+0x1ba (FPO: [Non-Fpo]) (CONV: stdcall)
b5f197cc a005c155 a0e56ac0 a2193c58 a0e56ac0 win32k!xxxPaintSwitchWindow+0x16c (FPO: [Non-Fpo]) (CONV: stdcall)
b5f197f0 a00643cb a0e56ac0 00000014 130107f5 win32k!xxxSwitchWndProc+0x84 (FPO: [Non-Fpo]) (CONV: stdcall)
b5f19838 a0063ceb a0e56ac0 00000014 130107f5 win32k!xxxSendMessageTimeout+0x18b (FPO: [Non-Fpo]) (CONV: stdcall)
b5f19858 a0016839 a0e56ac0 00000014 130107f5 win32k!xxxSendMessage+0x1a (FPO: [4,0,0]) (CONV: stdcall)
b5f1987c a001557a a0e56ac0 00000000 00000001 win32k!xxxSendEraseBkgnd+0x5a (FPO: [Non-Fpo]) (CONV: stdcall)
b5f19898 a0015626 a0e56ac0 a2193c58 a26ee028 win32k!xxxSimpleDoSyncPaint+0xaf (FPO: [1,0,3]) (CONV: stdcall)
b5f198bc a001569d a0e56ac0 00000004 a2193c58 win32k!xxxInternalDoSyncPaint+0x12 (FPO: [Non-Fpo]) (CONV: stdcall)
b5f198e4 a0014294 a0d706e0 00000004 b5f19954 win32k!xxxInternalDoSyncPaint+0x7b (FPO: [Non-Fpo]) (CONV: stdcall)
b5f198f4 a001399d a0d706e0 00000004 00000000 win32k!xxxDoSyncPaint+0x2b (FPO: [Non-Fpo]) (CONV: stdcall)
b5f19954 a0013b5f 00000001 00000000 a0d11a78 win32k!xxxEndDeferWindowPosEx+0x239 (FPO: [Non-Fpo]) (CONV: stdcall)
b5f19970 a005c4c9 a0e56ac0 ffffffff 000000eb win32k!xxxSetWindowPos+0xb1 (FPO: [Non-Fpo]) (CONV: stdcall)
b5f1999c a004ce1a a0e56ac0 00000000 00000009 win32k!xxxShowSwitchWindow+0x92 (FPO: [1,0,3]) (CONV: stdcall)
b5f199f8 a0095836 a2477bc8 00000009 00000000 win32k!xxxNextWindow+0x303 (FPO: [Non-Fpo]) (CONV: stdcall)
b5f19a50 a009529b 00000009 0000000f 0c244875 win32k!xxxKeyEvent+0x3fc (FPO: [Non-Fpo]) (CONV: stdcall)
b5f19a78 a008ced9 b5f19a09 00000000 00000000 win32k!xxxProcessKeyEvent+0x151 (FPO: [Non-Fpo]) (CONV: stdcall)
b5f19aa4 a0095114 a2193758 8813f1c8 8042fa6b win32k!ProcessKeyboardInput+0x1ad (FPO: [Non-Fpo]) (CONV: stdcall)
b5f19ab0 8042fa6b a2193758 a2193778 00000000 win32k!InputApc+0x3b (FPO: [3,0,1]) (CONV: stdcall)
b5f19ae8 8046b0e0 00000000 00000000 00000000 nt!KiDeliverApc+0xf1 (FPO: [Non-Fpo]) (CONV: stdcall)
b5f19b08 8042c190 804301e0 00000001 00000000 nt!KiSwapThread+0x1e8 (FPO: [EBP 0xb5f19b3c] [0,0,4])
b5f19b3c a00a9e7f 00000006 86c2f718 00000001 nt!KeWaitForMultipleObjects+0x268 (FPO: [Non-Fpo]) (CONV: stdcall)
b5f19da8 80455e9c 00000002 00000000 00000000 win32k!RawInputThread+0x3c2 (FPO: [Non-Fpo]) (CONV: stdcall)
b5f19ddc 8046b5e6 a00a9b59 b57567d0 00000000 nt!PspSystemThreadStartup+0x54 (FPO: [Non-Fpo]) (CONV: stdcall)
00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16 <-Bottom and beginning of the thread

Now if you observer the above complete stack dump closely you will find, 75 function calls in the faulting thread, which definitely raises a red flag.

Most of the time when I unwind the faulting thread completely, I find around 10 to 25 function calls. In this situation, I go directly to the top of the stack and start looking closely at each function call and start verifying the parameters to the functions and if necessary unassemble suspicious functions to look more closely at what’s really going on with the passed parameter and local variable in the function body.

In this case we are not following that above route. We dump the stack one more time with a different command that provides the stack consumption of each function. This command is:

kf 100 – f switch to k causes the distance between adjacent frames to be displayed. This distance is the number of bytes separating the frames on the actual stack.

The stack appears as follows:

0: kd> kf 100
Memory ChildEBP RetAddr Args to Child
WARNING: Stack unwind information not available. Following frames may be wrong. b5f173c0 bfc9d95a q57w2k+0x183e1
33c b5f176fc bfc9d6f9 q57w2k+0x395a
18 b5f17714 bfc9dc58 q57w2k+0x36f9
20 b5f17734 bfea35e4 q57w2k+0x3c58
20 b5f17754 bf34e80b NDIS!ndisMSendX+0x11d (FPO: [Non-Fpo]) (CONV: stdcall)
28 b5f1777c bf34e71e tcpip!ARPSendData+0x1a1 (FPO: [Non-Fpo]) (CONV: stdcall)
30 b5f177ac bf34ebfa tcpip!ARPTransmit+0x74 (FPO: [Non-Fpo]) (CONV: stdcall)
f4 b5f178a0 bf35007c tcpip!IPTransmit+0x5ef (FPO: [Non-Fpo]) (CONV: stdcall)
84 b5f17924 bf3501c8 tcpip!TCPSend+0x928 (FPO: [Non-Fpo]) (CONV: stdcall)
20 b5f17944 bf350263 tcpip!TdiSend+0x176 (FPO: [Non-Fpo]) (CONV: stdcall)
34 b5f17978 bf34edc2 tcpip!TCPSendData+0x8e (FPO: [Non-Fpo]) (CONV: stdcall)
14 b5f1798c 8041de73 tcpip!TCPDispatchInternalDeviceControl+0x4a (FPO: [2,0,2]) (CONV: stdcall)
14 b5f179a0 eb3a8ce6 nt!IopfCallDriver+0x35 (FPO: [0,0,2]) (CONV: fastcall)
10 b5f179b0 becf0345 TDTCP!TdRawWrite+0xb8 (FPO: [2,0,3]) (CONV: stdcall)
40 b5f179f0 becef3f8 termdd!_IcaCallSd+0x55 (FPO: [Non-Fpo]) (CONV: stdcall)
10 b5f17a00 eb5a8348 termdd!IcaCallNextDriver+0x26 (FPO: [3,0,0]) (CONV: stdcall)
64 b5f17a64 becef3f8 PDRFRAME!DeviceWrite+0x32
10 b5f17a74 eb5263bc termdd!IcaCallNextDriver+0x26 (FPO: [3,0,0]) (CONV: stdcall)
68 b5f17adc becef3f8 pdcrypt1!DeviceWrite+0x8c
10 b5f17aec be2cc7cd termdd!IcaCallNextDriver+0x26 (FPO: [3,0,0]) (CONV: stdcall)
40 b5f17b2c be2cd0f4 WDICA!_BufferSdWrite+0xb5 (FPO: [Non-Fpo])
2c b5f17b58 be2cdb99 WDICA!SendPendingPackets+0xcd (FPO: [Non-Fpo])
1c b5f17b74 be2ce2f9 WDICA!SendSomeData+0x1ff (FPO: [Non-Fpo])
24 b5f17b98 be2c4f3e WDICA!IcaBufferAppendVirtualData+0xd2 (FPO: [Non-Fpo])
2c b5f17bc4 becf0345 WDICA!TerminalChannelWrite+0x282 (FPO: [EBP 0xbe2d721e] [2,2,4])
40 b5f17c04 becf0109 termdd!_IcaCallSd+0x55 (FPO: [Non-Fpo]) (CONV: stdcall)
1c b5f17c20 becef3a7 termdd!_IcaCallStack+0x55 (FPO: [3,0,3]) (CONV: stdcall)
24 b5f17c44 beced12b termdd!IcaCallDriver+0x5f (FPO: [Non-Fpo]) (CONV: stdcall)
58 b5f17c9c becee72e termdd!IcaWriteChannel+0xcd (FPO: [Non-Fpo]) (CONV: stdcall)
10 b5f17cac becee46b termdd!IcaWrite+0x3a (FPO: [2,0,0]) (CONV: stdcall)
14 b5f17cc0 8041de73 termdd!IcaDispatch+0xb5 (FPO: [2,0,2]) (CONV: stdcall)
14 b5f17cd4 a014a61b nt!IopfCallDriver+0x35 (FPO: [0,0,2]) (CONV: fastcall)
1c b5f17cf0 a014a56a win32k!_CtxDoFileIo+0xb3 (FPO: [Non-Fpo]) (CONV: stdcall)
24 b5f17d14 a0108ea8 win32k!CtxWriteFile+0x1c (FPO: [Non-Fpo]) (CONV: stdcall)
24 b5f17d38 a07a0e57 win32k!EngFileWrite+0x19 (FPO: [Non-Fpo]) (CONV: stdcall)
28 b5f17d60 a07a15e8 vdtw30!Send_Transmit_Buffer+0x123
14 b5f17d74 a07a485c vdtw30!SubmitTWPacket+0xc0
154 b5f17ec8 a07b4ce6 vdtw30!pgDrvTextOut+0xdd0
14 b5f17edc a07a3a82 vdtw30!SendTWCommand+0xd6
1048 b5f18f24 a07a5747 vdtw30!DrvTw1TextOut+0x868
5c b5f18f80 a000eb5b vdtw30!DrvTextOut+0xb7
298 b5f19218 a0068b50 win32k!GreExtTextOutWLocked+0x108e (FPO: [Non-Fpo]) (CONV: stdcall)
40 b5f19258 a0068b99 win32k!GreExtTextOutWInternal+0x62 (FPO: [Non-Fpo]) (CONV: stdcall)
30 b5f19288 a0066b45 win32k!GreExtTextOutW+0x24 (FPO: [Non-Fpo]) (CONV: stdcall)
28 b5f192b0 a0094255 win32k!_TextOutW+0x1c (FPO: [Non-Fpo]) (CONV: stdcall)
1c b5f192cc a0094295 win32k!UserTextOutWInternal+0x17 (FPO: [Non-Fpo]) (CONV: stdcall)
28 b5f192f4 a00942e3 win32k!DT_DrawStr+0x85 (FPO: [Non-Fpo]) (CONV: stdcall)
34 b5f19328 a00944d1 win32k!DT_DrawJustifiedLine+0x60 (FPO: [Non-Fpo]) (CONV: stdcall)
130 b5f19458 a00945ec win32k!AddEllipsisAndDrawLine+0xa8 (FPO: [Non-Fpo]) (CONV: stdcall)
90 b5f194e8 a0094676 win32k!DrawTextExWorker+0x17c (FPO: [Non-Fpo]) (CONV: stdcall)
24 b5f1950c a005c673 win32k!DrawTextExW+0x1c (FPO: [Non-Fpo]) (CONV: stdcall)
284 b5f19790 a005c06a win32k!DrawSwitchWndHilite+0x1ba (FPO: [Non-Fpo]) (CONV: stdcall)
3c b5f197cc a005c155 win32k!xxxPaintSwitchWindow+0x16c (FPO: [Non-Fpo]) (CONV: stdcall)
24 b5f197f0 a00643cb win32k!xxxSwitchWndProc+0x84 (FPO: [Non-Fpo]) (CONV: stdcall)
48 b5f19838 a0063ceb win32k!xxxSendMessageTimeout+0x18b (FPO: [Non-Fpo]) (CONV: stdcall)
20 b5f19858 a0016839 win32k!xxxSendMessage+0x1a (FPO: [4,0,0]) (CONV: stdcall)
24 b5f1987c a001557a win32k!xxxSendEraseBkgnd+0x5a (FPO: [Non-Fpo]) (CONV: stdcall)
1c b5f19898 a0015626 win32k!xxxSimpleDoSyncPaint+0xaf (FPO: [1,0,3]) (CONV: stdcall)
24 b5f198bc a001569d win32k!xxxInternalDoSyncPaint+0x12 (FPO: [Non-Fpo]) (CONV: stdcall)
28 b5f198e4 a0014294 win32k!xxxInternalDoSyncPaint+0x7b (FPO: [Non-Fpo]) (CONV: stdcall)
10 b5f198f4 a001399d win32k!xxxDoSyncPaint+0x2b (FPO: [Non-Fpo]) (CONV: stdcall)
60 b5f19954 a0013b5f win32k!xxxEndDeferWindowPosEx+0x239 (FPO: [Non-Fpo]) (CONV: stdcall)
1c b5f19970 a005c4c9 win32k!xxxSetWindowPos+0xb1 (FPO: [Non-Fpo]) (CONV: stdcall)
2c b5f1999c a004ce1a win32k!xxxShowSwitchWindow+0x92 (FPO: [1,0,3]) (CONV: stdcall)
5c b5f199f8 a0095836 win32k!xxxNextWindow+0x303 (FPO: [Non-Fpo]) (CONV: stdcall)
58 b5f19a50 a009529b win32k!xxxKeyEvent+0x3fc (FPO: [Non-Fpo]) (CONV: stdcall)
28 b5f19a78 a008ced9 win32k!xxxProcessKeyEvent+0x151 (FPO: [Non-Fpo]) (CONV: stdcall)
2c b5f19aa4 a0095114 win32k!ProcessKeyboardInput+0x1ad (FPO: [Non-Fpo]) (CONV: stdcall)
c b5f19ab0 8042fa6b win32k!InputApc+0x3b (FPO: [3,0,1]) (CONV: stdcall)
38 b5f19ae8 8046b0e0 nt!KiDeliverApc+0xf1 (FPO: [Non-Fpo]) (CONV: stdcall)
20 b5f19b08 8042c190 nt!KiSwapThread+0x1e8 (FPO: [EBP 0xb5f19b3c] [0,0,4])
34 b5f19b3c a00a9e7f nt!KeWaitForMultipleObjects+0x268 (FPO: [Non-Fpo]) (CONV: stdcall)
26c b5f19da8 80455e9c win32k!RawInputThread+0x3c2 (FPO: [Non-Fpo]) (CONV: stdcall)
34 b5f19ddc 8046b5e6 nt!PspSystemThreadStartup+0x54 (FPO: [Non-Fpo]) (CONV: stdcall)
00000000 00000000 nt!KiThreadStartup+0x16

The Microsoft operating system defines/assigns 12k bytes of stack space to each thread running in the Kernel space and it’s enough to store local variables and parameters for functions.

Here is an explanation of the different parts of the function call of the stack.

A typical function call in stack appears as follows:

284 b5f19790 a005c06a win32k!DrawSwitchWndHilite+0x1ba 1 2 3 4 5 6

Total number of bytes consumed/used by the function from the stack space of thread.

EBP pointer of the function, it’s used as a reference pointer to access the local variable and parameters passed to the function.

Return address of the instruction in the function xxxPaintSwitchWindow() that called the function DrawSwitchWndHilite().

example:

b5f19790 a005c06a win32k!DrawSwitchWndHilite+0x1ba (FPO: [Non-Fpo]) (CONV: stdcall)
3c b5f197cc a005c155 win32k!xxxPaintSwitchWindow+0x16c (FPO: [Non-Fpo]) (CONV: stdcall)
a005c06a = win32k!xxxPaintSwitchWindow+0x16c

Module name, which can be exe, dll, or sys file.

Function name.

Offset of the next instruction from the start of the function that needs to be fetched to microprocessors accumulator (also know an ALU, Arithmetic logic unit), for decoding and execution.

Now we have enough information on what to do next. If we add all the bytes used/allocated by each function on the thread stack, we find that it exceeds or is almost equal to the 12k limit. Because we have hit this limit, there is no stack space left for any subsequent function calls and this condition led to the fatal error.

Now we need to identify and list all the function calls in this stack trace that are using very large amounts of stack space. Two of them are as follows:

1048 b5f18f24 a07a5747 vdtw30!DrvTw1TextOut+0x868 <-0x1048 equal 4168 bytes - 30% of 12k
33c b5f176fc bfc9d6f9 q57w2k+0x395a <-0x33c equal 828 bytes

The above two function calls are using the larger stack space. One function call belongs to Citrix module vdtw30.dll and the other one belongs to HP driver q57w2k.sys.

After isolating the Citrix function call, I verified the implementation for function, DrvTw1TextOut() and found one of the local variables in this function, an array to structure, consumed almost 4k of memory.

Resolution

Citrix allocated this array on the system pool and defined the pointer to this array as a local variable that held the address to this array. This implementation reduced the consumption of stack space by this function from 4k bytes to just 4 bytes at the cost of some performance. This made 4k bytes of free space on the thread stack space so that other functions can use this valuable resource.

Additional Information

Windbg Tool Help provides extensive help on how to use the debug tool and the different commands supported by it that help to analyze dumps and conduct live debugging.

This document applies to:

Knowledge Center

Products

XenApp

XenApp Plugins (Clients)

XenServer

XenDesktop

NetScaler Application Delivery

Access Gateway

EdgeSight

Provisioning Server

WANScaler

Password Manager

>> View All Products

Does it work with Citrix? Verify it - introducing the new Citrix Ready Community Verified

Knowledge Resources