A customer asked for help with a longstanding but low-frequency hang that they have never been able to figure out. From what they could tell, their UI thread was calling into the kernel, and the call simply hung for no apparent reason. Unfortunately, the kernel dump couldn’t show a stack from user mode because the stack had been paged out. (Which makes sense, because a hung thread isn’t using its stack, so once the system is under some memory pressure, that stack gets paged out.)<\/p>\n
0: kd> !thread 0xffffd18b976ec080 7\r\nTHREAD ffffd18b976ec080 Cid 79a0.7f18 Teb: 0000003d7ca28000\r\n Win32Thread: ffffd18b89a8f170 WAIT: (Suspended) KernelMode Non-Alertable\r\nSuspendCount 1\r\n ffffd18b976ec360 NotificationEvent\r\nNot impersonating\r\nDeviceMap ffffad897944d640\r\nOwning Process ffffd18bcf9ec080 Image: contoso.exe\r\nAttached Process N\/A Image: N\/A\r\nWait Start TickCount 14112735 Ticks: 1235580 (0:05:21:45.937)\r\nContext Switch Count 1442664 IdealProcessor: 2 \r\nUserTime 00:02:46.015\r\nKernelTime 00:01:11.515\r\n\r\n nt!KiSwapContext+0x76\r\n nt!KiSwapThread+0x928\r\n nt!KiCommitThreadWait+0x370\r\n nt!KeWaitForSingleObject+0x7a4\r\n nt!KiSchedulerApc+0xec\r\n nt!KiDeliverApc+0x5f9\r\n nt!KiCheckForKernelApcDelivery+0x34\r\n nt!MiUnlockAndDereferenceVad+0x8d\r\n nt!MmProtectVirtualMemory+0x312\r\n nt!NtProtectVirtualMemory+0x1d9\r\n nt!KiSystemServiceCopyEnd+0x25 (TrapFrame @ ffff8707`a9bef3a0)\r\n ntdll!ZwProtectVirtualMemory+0x14\r\n [end of stack trace]\r\n<\/pre>\nAlthough we couldn’t see what the code was doing in user mode, there was something unusual in the information that was present.<\/p>\n
Observe that the offending thread is Suspended<\/i>. And it appears to have been suspended for over five hours.<\/p>\n
THREAD ffffd18b976ec080 Cid 79a0.7f18 Teb: 0000003d7ca28000\r\n Win32Thread: ffffd18b89a8f170 WAIT: (Suspended<\/span>) KernelMode Non-Alertable\r\nSuspendCount 1\r\n ffffd18b976ec360 NotificationEvent\r\nNot impersonating\r\nDeviceMap ffffad897944d640\r\nOwning Process ffffd18bcf9ec080 Image: contoso.exe\r\nAttached Process N\/A Image: N\/A\r\nWait Start TickCount 14112735 Ticks: 1235580 (0:05:21:45.937<\/span>)\r\n<\/pre>\nNaturally, a suspended UI thread is going to manifest itself as a hang.<\/p>\n
Functions like
Suspend\u00adThread<\/code> exist primarily for debuggers to use, so we asked them if they had a debugger attached to the process when they captured the kernel dump. They said that they did not.<\/p>\nSo who suspended the thread, and why?<\/p>\n
The customer then realized that they had a watchdog thread which monitors the UI thread for responsiveness, and every so often, it suspends the UI thread, captures a stack trace, and then resumes the UI thread. And in the dump file, they were able to observe their watchdog thread in the middle of its stack trace capturing code. But why was the stack trace capture taking five hours?<\/p>\n
The stack of the watchdog thread looks like this:<\/p>\n
ntdll!ZwWaitForAlertByThreadId(void)+0x14\r\nntdll!RtlpAcquireSRWLockSharedContended+0x15a\r\nntdll!RtlpxLookupFunctionTable+0x180\r\nntdll!RtlLookupFunctionEntry+0x4d\r\ncontoso!GetStackTrace+0x72\r\ncontoso!GetStackTraceOfUIThread+0x127\r\n...\r\n<\/pre>\nOkay, so we see that the watchdog thread is trying to get a stack trace of the UI thread, but it’s hung inside
Rtl\u00adLookup\u00adFunction\u00adEntry<\/code> which is waiting for a lock.<\/p>\nYou know who I bet holds the lock?<\/p>\n
The UI thread.<\/p>\n
Which is suspended.<\/p>\n
The UI thread is probably trying to dispatch an exception, which means that it is walking the stack looking for an exception handler. But in the middle of this search, it got suspended by the watchdog thread. Then the watchdog thread tries to walk the stack of the UI thread, but it can’t do that yet because the function table is locked by the UI thread’s stack walk.<\/p>\n