Description
Hello,
I've performed a simple test case of launching cmd.exe in a bat file and killing it with taskkill; after 1-5 minutes of running the case, the machine seems to be experiencing a soft deadlock.
My test case is the following:
1. Create a bat file test.bat with the following content:

@echo off
cls
:start
start cmd.exe
taskkill /im cmd.exe
goto start

2. Attach WinDbg
3. Launch test.bat using Far Manager in ReactOS
4. Wait 1-5 minutes; at some point the OS will freeze.
During the freeze I see the following stack traces:
kd> !stacks 2
Proc.Thread  .Thread  Ticks    ThreadState Blocker

Max cache size is       : 1048576 bytes (0x400 KB)
Total memory in cache   : 0 bytes (0 KB)
Number of regions cached: 0
0 full reads broken into 0 partial reads
counts: 0 cached/0 uncached, 0.00% cached
bytes : 0 cached/0 uncached, 0.00% cached
** Prototype PTEs are implicitly decoded

[...]

   4.00004c  b25a5a50  0000031 Blocked    nt!KiSwapContext+0x19
                                           nt!KeWaitForMultipleObjects+0x71b
                                           tcpip!sys_arch_mbox_fetch+0x69
                                           tcpip!sys_timeouts_mbox_fetch+0x4d
                                           tcpip!tcpip_thread+0x3b
                                           tcpip!LwipThreadMain+0x33
                                           nt!PspSystemThreadStartup+0x64
                                           nt!KiThreadStartup+0x42
                                           nt!PspCreateThread+0xa5f
                                           tcpip!malloc+0x1f
                                           +0xb2614228
                                           +0x8ec83ec
                                           +0x8908458b
                                           +0x5068f845
                                           +0x8bf77e94
                                           +0xc283f855
                                           +0x9448b90c
                                           +0x15fff77e
                                           tcpip!_imp_ExfInterlockedInsertHeadList
                                           +0x8bf84d8b
                                           nt!RtlRaiseStatus+0x85
                                           nt!RtlAreBitsSet+0x5f
                                           nt!RtlClearBit+0x3f
                                           nt!RtlClearBits+0xdf
                                           nt!RtlFindSetBitsAndClear+0x3f
                                           nt!RtlSetBit+0x3f
                                           nt!RtlSetAllBits+0x3f
                                           nt!KeIsWaitListEmpty+0x2f
                                           nt!KxUnwaitThreadForEvent+0xbf
                                           nt!Kii386SpinOnSpinLock+0x2f
                                           nt!NtOpenThread+0x33f
                                           nt!PsTerminateProcess+0x1f
                                           nt!_alldiv
                                           nt!_allmul
                                           nt!_aulldiv
                                           nt!RtlGetCallersAddress+0x8f
                                           nt!KeReadStateEvent+0x5f
                                           nt!RtlFreeOemString+0x3f
                                           nt!KeWaitForMultipleObjects+0x89f
                                           nt!KeResetEvent+0xbf
                                           nt!KeClearEvent+0x5f
                                           nt!_stricmp+0x7f
                                           nt!memcpy+0xaf
                                           nt!RtlInitializeSListHead+0x1f
                                           nt!IofCallDriver+0xbf
                                           nt!IoFileObjectType

   4.000050  b25a1958  0002b9e Blocked    nt!KiSwapContext+0x19
                                           nt!KeWaitForSingleObject+0x48f
                                           acpi!acpi_bus_receive_event+0x3f
                                           acpi!ButtonWaitThread+0x17
                                           nt!PspSystemThreadStartup+0x64
                                           nt!KiThreadStartup+0x42
                                           nt!PspCreateThread+0xa5f
                                           acpi!AcpiRegQueryValue+0x17f
                                           +0xb2694f00
                                           +0x38ec83ec
                                           +0x8908458b
                                           +0x4d8dfc45
                                           +0x19e851c8
                                           +0x83ffffae
                                           +0x458904c4
                                           +0xf47d83f4
                                           +0x810b7500
                                           +0x80ec7d
                                           +0x2740000
                                           +0x7d83e0eb
                                           +0xc7400f4
                                           +0xc7fc558b
                                           +0x11842
                                           +0x6cebc000
                                           +0xb758d468
                                           +0xe4458df7
                                           +0x9a92e850
                                           +0xc4830002
                                           +0x74c08508
                                           +0xf845c709

                            [b2345d88 cmd.exe]
 344.000348  b2344d30  0000eca Blocked    nt!KiSwapContext+0x19
                                           nt!KeWaitForSingleObject+0x48f
                                           nt!NtRequestWaitReplyPort+0x91b
                                           nt!KiSystemCallTrampoline+0x1b
                                           nt!KiSystemServiceHandler+0x22f
                                           nt!KiFastCallEntry+0x8c
                                           +0x7c92c8fe

                            [b2337188 cmd.exe]
 5e4.------                                NOTHREADS

Threads Processed: 111

Max cache size is       : 1048576 bytes (0x400 KB)
Total memory in cache   : 0 bytes (0 KB)
Number of regions cached: 0
0 full reads broken into 0 partial reads
counts: 0 cached/0 uncached, 0.00% cached
bytes : 0 cached/0 uncached, 0.00% cached
** Transition PTEs are implicitly decoded
** Prototype PTEs are implicitly decoded
As you can see, there is a cmd.exe instance without any threads created ([b2337188 cmd.exe]), which most likely indicates a race condition around the creation of a process thread.
I've checked some other threads that seem to be around PsCreateThread, but there is no indication of an obvious race condition:
kd> .thread b25a1958
Implicit thread is now b25a1958
kd> kv
*** Stack trace for last set context - .thread/.cxr resets it
 # ChildEBP RetAddr  Args to Child
00 f7788cb8 8048b21f cccccccc cccccccc cccccccc nt!KiSwapContext+0x19
01 f7788d24 f7b35b0f f7b7bca0 00000000 00000000 nt!KeWaitForSingleObject+0x48f (FPO: [Non-Fpo]) (CONV: stdcall) [e:\sources\reactos\ntoskrnl\ke\wait.c @ 547]
02 f7788d48 f7b3acb7 f7788d54 cccccccc cccccccc acpi!acpi_bus_receive_event+0x3f (FPO: [Non-Fpo]) (CONV: cdecl) [e:\sources\reactos\drivers\bus\acpi\busmgr\bus.c @ 533]
03 f7788d8c 804ec464 b2694f00 00000000 8001003b acpi!ButtonWaitThread+0x17 (FPO: [Non-Fpo]) (CONV: stdcall) [e:\sources\reactos\drivers\bus\acpi\main.c @ 201]
04 f7788dc0 80505cc2 f7b3aca0 b2694f00 f7788df0 nt!PspSystemThreadStartup+0x64 (FPO: [Non-Fpo]) (CONV: stdcall) [e:\sources\reactos\ntoskrnl\ps\thread.c @ 158]
05 f7788ddc 804ec3ff f7b3aca0 b2694f00 cccccc00 nt!KiThreadStartup+0x42 (FPO: [Non-Fpo]) (CONV: stdcall) [e:\sources\reactos\ntoskrnl\ke\i386\thrdini.c @ 81]
06 f7788de0 f7b3ac9f b2694f00 cccccc00 0000027f nt!PspCreateThread+0xa5f (CONV: stdcall)
07 f7788de4 b2694f00 cccccc00 0000027f 00000000 acpi!AcpiRegQueryValue+0x17f (CONV: cdecl)
WARNING: Frame IP not in any known module. Following frames may be wrong.
08 f7b3aca0 38ec83ec 8908458b 4d8dfc45 19e851c8 0xb2694f00
09 f7b3aca4 8908458b 4d8dfc45 19e851c8 83ffffae 0x38ec83ec