{"id":20473,"date":"2008-10-24T10:00:00","date_gmt":"2008-10-24T10:00:00","guid":{"rendered":"https:\/\/blogs.msdn.microsoft.com\/oldnewthing\/2008\/10\/24\/sucking-the-trap-frame-out-of-a-kernel-mode-stack-trace\/"},"modified":"2008-10-24T10:00:00","modified_gmt":"2008-10-24T10:00:00","slug":"sucking-the-trap-frame-out-of-a-kernel-mode-stack-trace","status":"publish","type":"post","link":"https:\/\/devblogs.microsoft.com\/oldnewthing\/20081024-00\/?p=20473","title":{"rendered":"Sucking the trap frame out of a kernel mode stack trace"},"content":{"rendered":"<p><P>\nIf you are placed in the unfortunate position of having to debug\na user-mode crash from kernel mode,\none of the first things you have to do is get back to the exception\non the user-mode side so you can see what happened.\nWe saw earlier\nhow you can get symbols for operating system binaries to help you\n<A HREF=\"http:\/\/blogs.msdn.com\/oldnewthing\/archive\/2006\/08\/21\/710754.aspx\">\nsuck the exception pointers out of a user-mode stack trace<\/A>;\nhere&#8217;s a corresponding tip for the kernel-mode side.\n<\/P>\n<P>\nYour stack trace will look something like this:\n<\/P>\n<PRE>\nChildEBP RetAddr  Args to Child\n8fc86660 818844e3 83811e00 83811d78 83811e30 nt!KiSwapContext+0x26\n8fc8669c 8184abd2 83811d78 00000000 83811d78 nt!KiSwapThread+0x3d2\n8fc866fc 81a690b1 8fc86740 00000000 00000000 nt!KeWaitForSingleObject+0x414\n8fc8681c 81a6a5aa 90a06108 83811d78 8fc86860 nt!DbgkpQueueMessage+0x283\n8fc86844 819e3cbd 8fc86860 80000003 00000000 nt!DbgkpSendApiMessage+0x44\n8fc86908 8183c542 8fc86cf0 00000001 00000000 nt!DbgkForwardException+0xd0\n8fc86cd4 8184e51a 8fc86cf0 00000000 8fc86d44 nt!KiDispatchException+0x2ee\n8fc86d3c 8184e4ce 063fedc8 75b9b7df badb0d00 nt!CommonDispatchException+0x4a\n8fc86d44 75b9b7df badb0d00 00000000 00000000 nt!KiExceptionExit+0x186\n063fedc8 75b963ea 4eedcfb0 4f370fb0 063ff0bc ABC!Control::Character::OnDestroy+0xbc\n
063ff020 747d3782 4f370fb0 5665cf68 063ff0bc ABC!Control::Character::MessageHandler+0x476\n063ff034 747d3819 063ff0bc 063ff050 747d37f6 DEF!EventGizmo::FireEvent+0xf\n063ff040 747d37f6 063ff0bc 0000000c 063ff0a8 DEF!Gizmo::CallStubEvent+0x1a\n063ff050 747d3842 4f370fb0 063ff0bc c6db9237 DEF!Callback::CallOnEvent+0x19\n063ff0a8 747d6ed0 4f370fb0 063ff0bc 00000001 DEF!Callback::Invoke+0x20\n063ff0d0 747d7708 4f370fb0 00000001 4eedcfb0 DEF!Callback::FireDestroy+0x2a\n063ff0f0 747d728a 3618af68 4eedcfb0 747d7429 DEF!ObjectManager::DestroyAllChildren+0x34\n063ff0fc 747d7429 4a1bff78 4eedcfb0 747d6e9d DEF!ObjectManager::BeginDestroy+0x2e\n063ff108 747d6e9d 4eedcfb0 747d7721 4a1bff78 DEF!ObjectManager::Destroy+0x1a\n<\/PRE>\n<P>\n<A HREF=\"http:\/\/www.wd-3.com\/archive\/registercontext.htm\">\nThe third parameter to\n<CODE>KiDispatchException<\/CODE> is the trap frame<\/A>;\nthe first parameter is the exception record,\nwhich you can dump with <CODE>.exr<\/CODE> as a cross-check.\nMost people who write about\n<CODE>KiDispatchException<\/CODE> do so in the context of driver debugging,\nbut a trap frame is also built on every user-mode-to-kernel-mode transition,\nincluding the one that delivers a user-mode exception,\nso <CODE>.trap<\/CODE> on that pointer restores the user-mode register state\nas it was at the moment of the fault.\n(The <CODE>Args to Child<\/CODE> columns are read straight off the stack,\nwhich is reliable for 32-bit x86 frames like these;\non x64, where the first four arguments travel in registers,\nthose columns cannot be trusted.)\n<\/P>\n<PRE>\n0: kd&gt; .trap 8fc86d44\nErrCode = 00000004\neax=00000001 ebx=00000001 ecx=4e62e594 edx=00000000 esi=5665cf68 edi=5630eff8\neip=75b9b7df esp=063fedb4 ebp=063fedc8 iopl=0         nv up ei pl zr na pe nc\ncs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010246\nABC!Control::Character::OnDestroy+0xbc:\n001b:75b9b7df 8b01            mov     eax,dword ptr [ecx] ds:0023:4e62e594=????????\n<\/PRE>\n<P>\nAnd there you have it,\nthe original exception:\na read through <CODE>ecx<\/CODE> at <CODE>4e62e594<\/CODE>\n(the <CODE>????????<\/CODE> means the debugger could not read that address from this context).\nOn x86, <CODE>ErrCode<\/CODE> is the hardware page-fault error code;\n<CODE>00000004<\/CODE> means a user-mode read of a not-present page.\nNote that <CODE>eip<\/CODE> matches the return address the stack trace showed for\n<CODE>nt!KiExceptionExit<\/CODE>,\nwhich is a quick way to confirm you picked the right trap frame.\n<\/P><\/p>\n","protected":false},"excerpt":{"rendered":"<p>If you are placed in the unfortunate position of having to debug a user-mode crash from kernel mode, one of the first things you have to do is get back to the exception on the user-mode side so you can see what happened. 
We saw earlier how you can get symbols for operating system binaries [&hellip;]<\/p>\n","protected":false},"author":1069,"featured_media":111744,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1],"tags":[25],"class_list":["post-20473","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-oldnewthing","tag-code"],"acf":[],"blog_post_summary":"<p>If you are placed in the unfortunate position of having to debug a user-mode crash from kernel mode, one of the first things you have to do is get back to the exception on the user-mode side so you can see what happened. We saw earlier how you can get symbols for operating system binaries [&hellip;]<\/p>\n","_links":{"self":[{"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/posts\/20473","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/users\/1069"}],"replies":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/comments?post=20473"}],"version-history":[{"count":0,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/posts\/20473\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/media\/111744"}],"wp:attachment":[{"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/media?parent=20473"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/categories?post=20473"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp
\/v2\/tags?post=20473"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
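As an added example (not part of the post above, and not Microsoft's or the debugger's own code), here is a small Python helper that does by script what the post does by eye: parse the 32-bit `k` output, take the exception record and trap frame from the first and third `nt!KiDispatchException` arguments, emit the matching `.exr` and `.trap` commands, and record the `nt!KiExceptionExit` return address so the `eip` that `.trap` prints can be checked against it. The stack text is the one quoted in the post, embedded as a constructed sample. Two things are assumptions of this helper rather than facts from the post: the five-column x86 `k` layout (so x64 output, with different columns and register-passed arguments, deliberately fails the lookup instead of yielding a bogus pointer), and the sanity check that both pointers must fall inside the address span of the `nt!` frames, since the kernel built them on this same kernel stack.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample input: the x86 kernel-mode `k` output quoted in the post,
# trimmed to the frames around the user-to-kernel transition. Header lines,
# `kd>` prompts and blank lines are ignored by the parser.
SAMPLE_STACK = """\
ChildEBP RetAddr  Args to Child
8fc86660 818844e3 83811e00 83811d78 83811e30 nt!KiSwapContext+0x26
8fc8669c 8184abd2 83811d78 00000000 83811d78 nt!KiSwapThread+0x3d2
8fc866fc 81a690b1 8fc86740 00000000 00000000 nt!KeWaitForSingleObject+0x414
8fc8681c 81a6a5aa 90a06108 83811d78 8fc86860 nt!DbgkpQueueMessage+0x283
8fc86844 819e3cbd 8fc86860 80000003 00000000 nt!DbgkpSendApiMessage+0x44
8fc86908 8183c542 8fc86cf0 00000001 00000000 nt!DbgkForwardException+0xd0
8fc86cd4 8184e51a 8fc86cf0 00000000 8fc86d44 nt!KiDispatchException+0x2ee
8fc86d3c 8184e4ce 063fedc8 75b9b7df badb0d00 nt!CommonDispatchException+0x4a
8fc86d44 75b9b7df badb0d00 00000000 00000000 nt!KiExceptionExit+0x186
063fedc8 75b963ea 4eedcfb0 4f370fb0 063ff0bc ABC!Control::Character::OnDestroy+0xbc
063ff020 747d3782 4f370fb0 5665cf68 063ff0bc ABC!Control::Character::MessageHandler+0x476
"""

# One 32-bit `k` frame: ChildEBP, RetAddr, three stack args, symbol.
# Assumption: x86 layout only; x64 lines (16-digit addresses) will not match.
FRAME_RE = re.compile(
    r"^(?P<ebp>[0-9a-f]{8}) (?P<ret>[0-9a-f]{8}) "
    r"(?P<a1>[0-9a-f]{8}) (?P<a2>[0-9a-f]{8}) (?P<a3>[0-9a-f]{8}) "
    r"(?P<sym>\S+)$"
)


@dataclass
class Frame:
    child_ebp: int
    ret_addr: int
    args: tuple          # (arg1, arg2, arg3) as shown under "Args to Child"
    symbol: str


@dataclass
class ExceptionSite:
    exception_record: int        # KiDispatchException arg 1 -> .exr
    trap_frame: int              # KiDispatchException arg 3 -> .trap
    faulting_eip: Optional[int]  # RetAddr of nt!KiExceptionExit, if present
    on_kernel_stack: bool        # both pointers lie within the nt! frames' span

    def commands(self) -> List[str]:
        return [f".trap {self.trap_frame:08x}", f".exr {self.exception_record:08x}"]


def parse_stack(text: str) -> List[Frame]:
    frames = []
    for line in text.splitlines():
        m = FRAME_RE.match(line.strip())
        if not m:
            continue  # header, prompt or blank line: not a frame
        frames.append(Frame(
            child_ebp=int(m["ebp"], 16),
            ret_addr=int(m["ret"], 16),
            args=tuple(int(m[k], 16) for k in ("a1", "a2", "a3")),
            symbol=m["sym"],
        ))
    return frames


def locate_exception(frames: List[Frame]) -> ExceptionSite:
    dispatch = next((i for i, f in enumerate(frames)
                     if f.symbol.startswith("nt!KiDispatchException")), None)
    if dispatch is None:
        raise ValueError("no nt!KiDispatchException frame: not a forwarded exception")
    exr, _exception_frame, trap = frames[dispatch].args

    # The exit frame returns straight to the faulting user-mode instruction,
    # so its RetAddr is what `.trap` should report as eip.
    faulting_eip = next((f.ret_addr for f in frames[dispatch:]
                         if f.symbol.startswith("nt!KiExceptionExit")), None)

    # Sanity check (this helper's own heuristic): structures the kernel built
    # for this exception live on this kernel stack, i.e. among the nt! frames.
    kernel_ebps = [f.child_ebp for f in frames if f.symbol.startswith("nt!")]
    lo, hi = min(kernel_ebps), max(kernel_ebps)
    on_stack = lo <= trap <= hi and lo <= exr <= hi

    return ExceptionSite(exr, trap, faulting_eip, on_stack)


if __name__ == "__main__":
    site = locate_exception(parse_stack(SAMPLE_STACK))
    for cmd in site.commands():
        print(cmd)
    if site.faulting_eip is not None:
        print(f"expect eip={site.faulting_eip:08x} after .trap")
```

Run against the sample it prints `.trap 8fc86d44` and `.exr 8fc86cf0`, which are exactly the values the post reads off the `nt!KiDispatchException` line, and `expect eip=75b9b7df`, which is the `eip` the post's `.trap` output shows. Feed it a `k` listing with no `nt!KiDispatchException` frame and it refuses rather than guessing.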