How To Find the Trap Frame If It Is Corrupt (159672)


The information in this article applies to:

  • Microsoft Windows NT Workstation 3.5
  • Microsoft Windows NT Workstation 3.51
  • Microsoft Windows NT Workstation 4.0
  • Microsoft Windows NT Server 3.5
  • Microsoft Windows NT Server 3.51
  • Microsoft Windows NT Server 4.0
This article was previously published under Q159672

SUMMARY

If the trap frame is corrupt or cannot be found when completing a debugging session, use the method detailed below to determine its location.

MORE INFORMATION

Dump the first ChildEBp's address on the stack using the dd command. Continue to dump until you see two 23's back-to-back. After you run into this line of the dump, subtract x30 from the address at the beginning of that line and run a !trap against the results.

For example: 
KD> kb
FramePtr  RetAddr   Param1   Param2   Param3   Function Name
fdfa4d3c  80121022  00000000 00000000 00000000 NT!KiTrap0E+0x252

KDx86> dd fdfa4d3c
0xFDFA4D3C  fef26ba8 fbde3200 00000000 00000000 .k...2..........
0xFDFA4D4C  00000000 00104601 fdfa4d80 80104655 .....F...M..UF..
0xFDFA4D5C  fef26ba8 fef26c08 fef26ba8 fbde3260 .k...l...k..`2..
0xFDFA4D6C  00000000 00000023 00000023 00000400 ....#...#.......

Sequence of 00000000 00000023 00000023 starts at 0xFDFA4D6C.

KD> !trap FDFA4D3C
eax=00326b08 ebx=00022500 ecx=e18f6dc0 edx=00000400 esi=00000000
edi=004f2118
eip=80121022 esp=fdfa4db0 ebp=fdfa4dfc iopl=0         nv up ei pl nz na po
cy
vip=0    vif=0
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000
efl=00010207
ErrCode = 00000000

NOTE: Another way of getting the trap frame is to do a dump on EBP-30 and dump from this address until you get to the sequence of 00000023 00000023. From this point on its just like the first example.
Modification Type:MajorLast Reviewed:5/14/2003
Keywords:kbinfo KB159672
©2002 Microsoft Corporation. All rights reserved.