
stack walk translated, when I already have the stack trace

Jun 11, 2010 at 10:33 AM

I work at my company on a project that involves getting stack traces from processes that are currently running.
We use Event Tracing for Windows (ETW) and make kernel traces of the system calls; for Windows Vista we also enable the stack walk flag, so we get the stack trace of the calling thread when that event happened.
We get a stack walk that looks something like this:

TimeStamp: 255010986
ProcessId: 0xbd4
ThreadId: 5404
Stack1: 0x82a837db
Stack2: 0x77be5e4c
Stack3: 0x75d76872
Stack4: 0x76b5f12a
Stack5: 0x614a4108
Stack6: 0x72ab29bb
Stack7: 0x72ab2a47
Stack8: 0x77bfb3f5
Stack9: 0x77bfb3c8
Stack10: 0x0
Stack11: 0xc0100002
Stack12: 0xf330014
Stack13: 0xeffbe2ba
Stack14: 0x5
Stack15: 0x99c31d87
Stack16: 0x0
Stack17: 0xc0100002
Stack18: 0x18200030
Stack19: 0xeffbe2bc
Stack20: 0x5
Stack21: 0xeffbe2ba
Stack22: 0x5
Stack23: 0x1438
Stack24: 0x147c
Stack25: 0x82a837db
Stack26: 0x76c8914b
Stack27: 0x76c89180
Stack28: 0x76c892a9
Stack29: 0xc0100002
Stack30: 0xf340014
Stack31: 0xeffbe2c0
Stack32: 0x5

This is the way xperf generates its stack walk info from the ETL file.
I wanted to ask you how I can resolve these addresses for each thread to look like something your library generates:
ntdll!NtCreateFile for example.
This is the stack walk event structure that I receive in my callback function, from which I generate what I showed you earlier: http://msdn.microsoft.com/en-us/library/dd392323%28v=VS.85%29.aspx

Thank you.

Jun 11, 2010 at 11:11 AM

Are you aware of this?

http://blogs.msdn.com/b/pigscanfly/archive/2009/08/06/stack-walking-in-xperf.aspx

http://blogs.msdn.com/b/ntdebugging/archive/2010/06/08/hidden-etw-stack-trace-feature-get-stacks-all-over-the-place.aspx

Jun 11, 2010 at 12:04 PM

Yes I am.

I have read that. But I need to do what xperf does programmatically.

If I give xperf my log file it will generate the stack walk, but I want to do it inside my program, not analyze it later.

As I said, I can generate the stack, as I showed you above.

How do I turn that into readable nt!NtCreateFile? That was my question.

Jun 11, 2010 at 12:08 PM

This is not very easy... The problem is: the base address of each module in a process can vary from start to start... and with "address randomization" (starting with Vista) it will never be the same on different computers. So to solve this problem you need at least the module (DLL) list of all loaded modules with the correct base addresses at runtime. Also you need to have the timestamp for each module (DLL), so that you can find the _correct_ module. If you have all these infos, you can use the normal "Sym-functions" (like in my project) to get the symbols for each entry... But I would suggest using the built-in function; the other solution is too complex... you also do not have the module/base/timestamp list....

Jun 11, 2010 at 12:24 PM

I can make events that trace the loading of a DLL, and I can get the time stamp and base address of the load.

Actually this is what info I can get:

uint32 ImageBase;
uint32 ImageSize;
uint32 ProcessId; - in which the dll is loaded
uint32 ImageCheckSum;
uint32 TimeDateStamp;
uint32 Reserved0;
uint32 DefaultBase;
uint32 Reserved1;
uint32 Reserved2;
uint32 Reserved3;
uint32 Reserved4;
string FileName;

Is this enough to make the stack processing happen?

Jun 11, 2010 at 1:17 PM

It might be enough...

Jun 11, 2010 at 1:39 PM

The problem is that this is the first time I work with thread stacks this way, and symbols, and the Sym-functions and dbghelp, and I find them pretty counterintuitive at first.

Well, let's say for this stack trace:

ProcessId: 0xbd4
ThreadId: 5404
Stack1: 0x82a837db
Stack2: 0x77be5e4c
Stack3: 0x75d76872

I have:

uint32 ImageBase;
uint32 ImageSize;
uint32 ProcessId; - in which the dll is loaded
uint32 ImageCheckSum;
uint32 TimeDateStamp;
uint32 Reserved0;
uint32 DefaultBase;
uint32 Reserved1;
uint32 Reserved2;
uint32 Reserved3;
uint32 Reserved4;
string FileName;

how do I use the sym functions and dbghelp functions to make the stack look like:

ntdll!NtCreateFile
nt!IoCreateFile
nt!IopCreateFile


for example.

 

Sep 16, 2014 at 1:21 PM

You can use StackWalker to walk a stack from a text file... you need to use the documented Sym-functions. For more details, see the MSDN documentation. Of course, you can use StackWalker to get an idea how to use the Sym-functions.

Marked as answer by jkalmbach on 9/16/2014 at 5:21 AM
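The answer above leaves the first half of the job to the reader, and that half needs no dbghelp at all: parse the xperf-style dump, pick the image-load record that covers each frame for that process (the poster's worry about picking the _correct_ module is exactly why the record, with its TimeDateStamp, is kept rather than just the file name), and turn the frame into module + offset. The following is an added example written for this thread; it is not StackWalker code and not from any poster. It assumes the text format shown in the thread, an ImageLoad record with the fields the poster listed, and, as a modelling assumption, that kernel images are recorded with ProcessId 0 and are visible to every process. All bases, sizes and timestamps are constructed.

```python
"""Map raw ETW StackWalk frames to module + offset using ImageLoad records.

Added example for the thread; not StackWalker's code. Assumptions:
  * the dump is the text form xperf prints ("Stack1: 0x...", "ProcessId: 0xbd4"),
  * ImageLoad records carry the fields listed in the thread,
  * records with ProcessId 0 are kernel images visible to every process.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

KERNEL_PID = 0  # assumption: system-wide (kernel) images are recorded under ProcessId 0


@dataclass(frozen=True)
class ImageLoad:
    """Subset of the ImageLoad event fields from the thread."""
    image_base: int
    image_size: int
    process_id: int
    time_date_stamp: int  # kept so the caller can match the right PE/PDB later
    file_name: str

    def contains(self, addr: int) -> bool:
        return self.image_base <= addr < self.image_base + self.image_size


# Constructed records: bases, sizes and timestamps are made up for the example.
SAMPLE_IMAGE_LOADS: List[ImageLoad] = [
    ImageLoad(0x82A00000, 0x00400000, KERNEL_PID, 0x4A5BC007, "ntoskrnl.exe"),
    ImageLoad(0x77BD0000, 0x0013C000, 0xBD4, 0x4A5BDADB, "ntdll.dll"),
    ImageLoad(0x75D30000, 0x000D4000, 0xBD4, 0x4A5BDAA1, "kernel32.dll"),
    # Same range in another process: must not match lookups for pid 0xbd4.
    ImageLoad(0x75D30000, 0x00020000, 0x1A2C, 0x4A5BE000, "other.dll"),
]

# Constructed dump in the format shown in the thread (first frames of the poster's sample).
SAMPLE_DUMP = """\
TimeStamp: 255010986
ProcessId: 0xbd4
ThreadId: 5404
Stack1: 0x82a837db
Stack2: 0x77be5e4c
Stack3: 0x75d76872
Stack4: 0x0
"""

FIELD = re.compile(r"^(\w+):\s*(\S+)\s*$")
FRAME = re.compile(r"^Stack(\d+)$")


def parse_stack_dump(text: str) -> Tuple[int, int, List[int]]:
    """Return (process_id, thread_id, frames) from an xperf-style text dump."""
    pid = tid = None
    frames: List[Tuple[int, int]] = []  # (StackN index, address)
    for line in text.splitlines():
        m = FIELD.match(line.strip())
        if not m:
            continue  # blank or unrelated line
        key, value = m.group(1), int(m.group(2), 0)  # base 0 accepts 0x... and decimal
        fm = FRAME.match(key)
        if fm:
            frames.append((int(fm.group(1)), value))
        elif key == "ProcessId":
            pid = value
        elif key == "ThreadId":
            tid = value
    if pid is None or tid is None:
        raise ValueError("dump lacks ProcessId/ThreadId")
    frames.sort()  # preserve StackN order even if lines were reordered
    return pid, tid, [addr for _, addr in frames]


def find_module(addr: int, pid: int, loads: List[ImageLoad]) -> Optional[ImageLoad]:
    """Pick the image containing addr in this process, or a kernel image."""
    for rec in loads:
        if rec.process_id in (pid, KERNEL_PID) and rec.contains(addr):
            return rec
    return None


def resolve_frames(text: str, loads: List[ImageLoad]) -> List[str]:
    """Render each frame as module+offset; frames outside any image stay unresolved."""
    pid, _tid, frames = parse_stack_dump(text)
    out = []
    for addr in frames:
        rec = find_module(addr, pid, loads)
        if rec is None:
            out.append(f"0x{addr:08x} <unresolved>")
        else:
            out.append(f"{rec.file_name}+0x{addr - rec.image_base:x}")
    return out


if __name__ == "__main__":
    for line in resolve_frames(SAMPLE_DUMP, SAMPLE_IMAGE_LOADS):
        print(line)
```

The matched ImageLoad record is what the dbghelp side needs: after SymInitialize with fInvadeProcess set to FALSE (so dbghelp does not enumerate the live process, which would be pointless for a trace recorded earlier), each record's file name, image base and image size go to SymLoadModuleEx, and SymFromAddr on the raw address then yields the module!Function form the poster asked for. Frames that land in no image (the 0x0, 0x5 and similar values in the poster's dump) are reported as unresolved rather than handed to the symbol engine.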