nt!KiDeferredReadyThread函数分析之插入DispatcherReadyListHead列表的一个例子-编程阁

nt!KiDeferredReadyThread函数分析之插入DispatcherReadyListHead列表的一个例子

1: kd> p
eax=00000000 ebx=0000000e ecx=00000003 edx=0000000e esi=89555268 edi=80a059f8
eip=80a41fbc esp=f75f6814 ebp=f75f6834 iopl=0 nv up ei pl zr na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000246
nt!KiDeferredReadyThread+0x394:
80a41fbc a1806eb180 mov eax,dword ptr [nt!_KiIdleSummary (80b16e80)] ds:0023:80b16e80=00000000
1: kd> p
eax=00000000 ebx=0000000e ecx=00000003 edx=0000000e esi=89555268 edi=80a059f8
eip=80a421d6 esp=f75f6814 ebp=f75f6834 iopl=0 nv up ei pl zr na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000246
nt!KiDeferredReadyThread+0x5ae:
80a421d6 0f85effdffff jne nt!KiDeferredReadyThread+0x3a3 (80a41fcb) [br=0]
1: kd> dv IdleSet
IdleSet = 0
1: kd> p
eax=00000000 ebx=0000000e ecx=00000003 edx=0000000e esi=89555268 edi=80a059f8
eip=80a421dc esp=f75f6814 ebp=f75f6834 iopl=0 nv up ei pl zr na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000246
nt!KiDeferredReadyThread+0x5b4:
80a421dc 8b45f4 mov eax,dword ptr [ebp-0Ch] ss:0010:f75f6828=00000000
1: kd> kc
#
00 nt!KiDeferredReadyThread
01 nt!KiProcessDeferredReadyList
02 nt!KiExitDispatcher
03 nt!KeSetEvent
04 win32k!QueueMouseEvent
05 win32k!ProcessMouseInput
06 win32k!InputApc
07 nt!KiDeliverApc
08 nt!KiSwapThread
09 nt!KeWaitForMultipleObjects
0a win32k!xxxMsgWaitForMultipleObjects
0b win32k!xxxDesktopThread
0c win32k!xxxCreateSystemThreads
0d win32k!NtUserCallOneParam
0e nt!_KiSystemService

//
// Select the ideal processor as the processor to preempt, if possible.
//

TargetPrcb = KiProcessorBlock[Processor];

1: kd> dv Processor
Processor = 0

ThreadPriority = Thread->Priority;

1: kd> p
eax=ffdff9bc ebx=ffdff120 ecx=00000000 edx=00000001 esi=89555268 edi=80a059f8
eip=80a4226e esp=f75f6814 ebp=f75f6834 iopl=0 nv up ei pl zr na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000246
nt!KiDeferredReadyThread+0x646:
80a4226e 0fbe4e5b movsx ecx,byte ptr [esi+5Bh] ds:0023:895552c3=0e

1: kd> dt kthread 89555268
CSRSRV!KTHREAD
+0x000 Header : _DISPATCHER_HEADER
+0x010 MutantListHead : _LIST_ENTRY [ 0x89555278 - 0x89555278 ]
+0x018 InitialStack : 0xf75d7000 Void
+0x01c StackLimit : 0xf75d4000 Void
+0x020 KernelStack : 0xf75d6a18 Void
+0x024 ThreadLock : 0
+0x028 ContextSwitches : 0xa10
+0x02c State : 0x7 ''
+0x02d NpxState : 0xa ''
+0x02e WaitIrql : 0 ''
+0x02f WaitMode : 0 ''
+0x030 Teb : 0x7ffd9000 Void
+0x034 ApcState : _KAPC_STATE
+0x04c ApcQueueLock : 0
+0x050 WaitStatus : 0n1
+0x054 WaitBlockList : 0x898a5488 _KWAIT_BLOCK
+0x058 Alertable : 0x1 ''
+0x059 WaitNext : 0 ''
+0x05a WaitReason : 0xd ''
+0x05b Priority : 14 ''

if (((KiIdleSummary & TargetPrcb->SetMember) == 0) &&
(Thread->IdealProcessor == Processor)) {

1: kd> x nt!KiIdleSummary
80b16e80 nt!KiIdleSummary = 0

Thread->NextProcessor = (UCHAR)Processor;

1: kd> dv Processor
Processor = 0

1: kd> dx -id 0,0,89831250 -r1 ((basesrv!_KTHREAD *)0x895f2a78)
((basesrv!_KTHREAD *)0x895f2a78) : 0x895f2a78 [Type: _KTHREAD *]
[+0x000] Header [Type: _DISPATCHER_HEADER]
[+0x010] MutantListHead [Type: _LIST_ENTRY]
[+0x018] InitialStack : 0xba1b1000 [Type: void *]
[+0x01c] StackLimit : 0xba1ad000 [Type: void *]
[+0x020] KernelStack : 0xba1b0c5c [Type: void *]
[+0x024] ThreadLock : 0x0 [Type: unsigned long]
[+0x028] ContextSwitches : 0x470 [Type: unsigned long]
[+0x02c] State : 0x2 [Type: unsigned char]
[+0x02d] NpxState : 0xa [Type: unsigned char]
[+0x02e] WaitIrql : 0x0 [Type: unsigned char]
[+0x02f] WaitMode : 1 [Type: char]
[+0x030] Teb : 0x7ffd5000 [Type: void *]
[+0x034] ApcState [Type: _KAPC_STATE]
[+0x04c] ApcQueueLock : 0x0 [Type: unsigned long]
[+0x050] WaitStatus : 258 [Type: long]
[+0x054] WaitBlockList : 0x895f2b18 [Type: _KWAIT_BLOCK *]
[+0x058] Alertable : 0x0 [Type: unsigned char]
[+0x059] WaitNext : 0x0 [Type: unsigned char]
[+0x05a] WaitReason : 0x6 [Type: unsigned char]
[+0x05b] Priority : 15 [Type: char]

Thread->NextProcessor = (UCHAR)Processor;
if ((Thread1 = TargetPrcb->NextThread) != NULL) { 目标处理器下一个线程是否可以抢占

ASSERT(Thread1->State == Standby);

if (ThreadPriority > Thread1->Priority) {
Thread1->Preempted = TRUE;
Thread->State = Standby;
TargetPrcb->NextThread = Thread;
Thread1->State = DeferredReady;
Thread1->DeferredProcessor = CurrentPrcb->Number;
KiReleaseTwoPrcbLocks(CurrentPrcb, TargetPrcb);
KiDeferredReadyThread(Thread1);
return;
}

} else {
Thread1 = TargetPrcb->CurrentThread; 目标处理器当前线程是否可以抢占
if (ThreadPriority > Thread1->Priority) {
Thread1->Preempted = TRUE;
Thread->State = Standby;
TargetPrcb->NextThread = Thread; 抢占的含义是赋值为NextThread！！！
KiReleaseTwoPrcbLocks(CurrentPrcb, TargetPrcb);
KiRequestDispatchInterrupt(Thread->NextProcessor);
return;
}
}

[+0x05b] Priority : 15 不可抢占！！！

1: kd> dv ThreadPriority
ThreadPriority = 0n14

不可抢占，插入DispatcherReadyListHead列表

Thread->State = Ready;
Thread->WaitTime = KiQueryLowTickCount();
if (Preempted != FALSE) {
InsertHeadList(&TargetPrcb->DispatcherReadyListHead[ThreadPriority],
&Thread->WaitListEntry);

} else {
InsertTailList(&TargetPrcb->DispatcherReadyListHead[ThreadPriority],
&Thread->WaitListEntry);
}

TargetPrcb->ReadySummary |= PRIORITY_MASK(ThreadPriority);

1: kd> dv Preempted
Preempted = 0x00 ''

[+0x928] ReadySummary : 0x0 [Type: unsigned long]
[+0x92c] SelectNextLast : 0x0 [Type: unsigned long]
[+0x930] DispatcherReadyListHead [Type: _LIST_ENTRY [32]]

[14] [Type: _LIST_ENTRY]

1: kd> dx -id 0,0,89831250 -r1 (*((basesrv!_LIST_ENTRY *)0xffdffac0))
(*((basesrv!_LIST_ENTRY *)0xffdffac0)) [Type: _LIST_ENTRY]
[+0x000] Flink : 0xffdffac0 [Type: _LIST_ENTRY *]
[+0x004] Blink : 0xffdffac0 [Type: _LIST_ENTRY *]

} else {
InsertTailList(&TargetPrcb->DispatcherReadyListHead[ThreadPriority],
&Thread->WaitListEntry);
}

1: kd> dx -id 0,0,89831250 -r1 (*((basesrv!_LIST_ENTRY *)0xffdffac0))
(*((basesrv!_LIST_ENTRY *)0xffdffac0)) [Type: _LIST_ENTRY]
[+0x000]Flink : 0x895552c8[Type: _LIST_ENTRY *]
[+0x004] Blink : 0x895552c8 [Type: _LIST_ENTRY *]

TargetPrcb->ReadySummary |= PRIORITY_MASK(ThreadPriority);

#define PRIORITY_MASK(n) (KiMask32Array[n])

1: kd> x nt!KiMask32Array
80a05eb0 nt!KiMask32Array = unsigned long []
80a05eb0 nt!KiMask32Array = unsigned long [32]
80a05eb0 nt!KiMask32Array = unsigned long []
1: kd> dx -r1 (*((ntkrnlmp!unsigned long (*)[32])0x80a05eb0))
(*((ntkrnlmp!unsigned long (*)[32])0x80a05eb0)) [Type: unsigned long [32]]
[0] : 0x1 [Type: unsigned long]
[1] : 0x2 [Type: unsigned long]
[2] : 0x4 [Type: unsigned long]
[3] : 0x8 [Type: unsigned long]
[4] : 0x10 [Type: unsigned long]
[5] : 0x20 [Type: unsigned long]
[6] : 0x40 [Type: unsigned long]
[7] : 0x80 [Type: unsigned long]
[8] : 0x100 [Type: unsigned long]
[9] : 0x200 [Type: unsigned long]
[10] : 0x400 [Type: unsigned long]
[11] : 0x800 [Type: unsigned long]
[12] : 0x1000 [Type: unsigned long]
[13] : 0x2000 [Type: unsigned long]
[14] : 0x4000 [Type: unsigned long]

100 0000 0000 0000 14个0，第14位。

[+0x928]ReadySummary : 0x4000[Type: unsigned long] 准备大概位为0x4000
[+0x92c] SelectNextLast : 0x0 [Type: unsigned long]
[+0x930] DispatcherReadyListHead [Type: _LIST_ENTRY [32]]

第二部分：g之后，1号处理器需要KiSwapThread

nt!KiSwapThread函数分析之nt!KiFindReadyThread

1: kd> g
Breakpoint 30 hit
eax=ffdff120 ebx=f7737120 ecx=00000001 edx=ffdff120 esi=00000000 edi=80a059f8
eip=80a429d8 esp=f75f6948 ebp=f75f697c iopl=0 nv up ei pl nz na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000206
nt!KiFindReadyThread:
80a429d8 55 push ebp
1: kd> kc
#
00 nt!KiFindReadyThread
01 nt!KiSwapThread
02 nt!KeWaitForMultipleObjects
03 win32k!xxxMsgWaitForMultipleObjects
04 win32k!xxxDesktopThread
05 win32k!xxxCreateSystemThreads
06 win32k!NtUserCallOneParam
07 nt!_KiSystemService
08 SharedUserData!SystemCallStub
09 winsrv!NtUserCallOneParam
1: kd> !pcr
KPCR for Processor 1 at f7737000:

1: kd> dt KPCR f7737000
basesrv!KPCR
+0x000 NtTib : _NT_TIB
+0x000 Used_ExceptionList : 0xf75f6260 _EXCEPTION_REGISTRATION_RECORD
+0x004 Used_StackBase : (null)
+0x008 PerfGlobalGroupMask : (null)
+0x00c TssCopy : 0xf7737ef0 Void
+0x010 ContextSwitches : 0x8a1e
+0x014 SetMemberCopy : 2
+0x018 Used_Self : 0x7ffd8000 Void
+0x01c SelfPcr : 0xf7737000 _KPCR
+0x020 Prcb : 0xf7737120 _KPRCB

1: kd> dx -id 0,0,89831250 -r1 ((basesrv!_KPRCB *)0xf7737120)
((basesrv!_KPRCB *)0xf7737120) : 0xf7737120 [Type: _KPRCB *]
[+0x000] MinorVersion : 0x1 [Type: unsigned short]
[+0x002] MajorVersion : 0x1 [Type: unsigned short]
[+0x004] CurrentThread : 0x89804020 [Type: _KTHREAD *]
[+0x008] NextThread : 0x0 [Type: _KTHREAD *]

[+0x928] ReadySummary : 0x0 [Type: unsigned long]
[+0x92c] SelectNextLast : 0x0 [Type: unsigned long]
[+0x930] DispatcherReadyListHead [Type: _LIST_ENTRY [32]]
[+0xa30] DeferredReadyListHead [Type: _SINGLE_LIST_ENTRY]
[+0xa34] PrcbPad72 [Type: unsigned long [11]]
[+0xa60] ChainedInterruptList : 0x0 [Type: void *]
[+0xa64] LookasideIrpFloat : 32720 [Type: long]
[+0xa68] SpareFields0 [Type: unsigned long [4]]
[+0xa78] VendorString [Type: unsigned char [13]]
[+0xa85] InitialApicId : 0x1 [Type: unsigned char]
[+0xa86] LogicalProcessorsPerPhysicalProcessor : 0x2 [Type: unsigned char]
[+0xa88] MHz : 0xe0f [Type: unsigned long]
[+0xa8c] FeatureBits : 0x33fff [Type: unsigned long]
[+0xa90] UpdateSignature : {876173328384} [Type: _LARGE_INTEGER]
[+0xa98] IsrTime : 0x0 [Type: unsigned __int64]
[+0xaa0] NpxSaveArea [Type: _FX_SAVE_AREA]
[+0xcb0] PowerState [Type: _PROCESSOR_POWER_STATE]
1: kd> kv
# ChildEBP RetAddr Args to Child
00 f75f6944 80a43dd9 f7737120 89804020 89804080 nt!KiFindReadyThread (FPO: [Non-Fpo]) (CONV: fastcall) [d:\srv03rtm\base\ntos\ke\thredsup.c @ 722]
01 f75f697c 80a358c7 00000000 e1639460 00000002 nt!KiSwapThread+0x315 (FPO: [Non-Fpo]) (CONV: fastcall) [d:\srv03rtm\base\ntos\ke\thredsup.c @ 1854]
02 f75f69b4 bf8a4685 00000003 89804b50 00000001 nt!KeWaitForMultipleObjects+0x3b5 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\base\ntos\ke\wait.c @ 816]
03 f75f6a04 bf8b123e 00000002 89804b50 bf8fe215 win32k!xxxMsgWaitForMultipleObjects+0xeb (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\windows\core\ntuser\kernel\queue.c @ 4540]
04 f75f6d1c bf8b21ba bfa70aa0 00000001 f75f6d48 win32k!xxxDesktopThread+0x437 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\windows\core\ntuser\kernel\desktop.c @ 594]
05 f75f6d2c bf806d52 bfa70aa0 f75f6d58 008cfff4 win32k!xxxCreateSystemThreads+0x9c (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\windows\core\ntuser\kernel\desktop.c @ 347]
06 f75f6d48 80afbcb2 00000000 00000022 80afb956 win32k!NtUserCallOneParam+0xa0 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\windows\core\ntuser\kernel\ntstubs.c @ 4789]
07 f75f6d48 7ffe0304 00000000 00000022 80afb956 nt!_KiSystemService+0x13f (FPO: [0,3] TrapFrame @ f75f6d64) (CONV: cdecl) [d:\srv03rtm\base\ntos\ke\i386\trap.asm @ 1328]
08 008cffe0 75340774 75318a89 00000000 00000022 SharedUserData!SystemCallStub+0x4 (FPO: [0,0,0])
09 008cffe8 00000000 00000022 00000004 00000000 winsrv!NtUserCallOneParam+0xc (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\windows\core\umode\daytona\obj\i386\usrstubs.c @ 2683]
windbg> .open -a ffffffff80a43dd9

1: kd> dx -id 0,0,89831250 -r1 ((basesrv!_KPRCB *)0xffdff120)
((basesrv!_KPRCB *)0xffdff120) : 0xffdff120 [Type: _KPRCB *]
[+0x000] MinorVersion : 0x1 [Type: unsigned short]
[+0x002] MajorVersion : 0x1 [Type: unsigned short]
[+0x004] CurrentThread : 0x895f2a78 [Type: _KTHREAD *]
[+0x008] NextThread : 0x0 [Type: _KTHREAD *]

[+0x928] ReadySummary : 0x4000 [Type: unsigned long]
[+0x92c] SelectNextLast : 0x0 [Type: unsigned long]
[+0x930] DispatcherReadyListHead [Type: _LIST_ENTRY [32]]

1: kd> dx -id 0,0,89831250 -r1 (*((basesrv!_LIST_ENTRY (*)[32])0xffdffa50))
(*((basesrv!_LIST_ENTRY (*)[32])0xffdffa50)) [Type: _LIST_ENTRY [32]]

[14] [Type: _LIST_ENTRY]

1: kd> dx -id 0,0,89831250 -r1 (*((basesrv!_LIST_ENTRY *)0xffdffac0))
(*((basesrv!_LIST_ENTRY *)0xffdffac0)) [Type: _LIST_ENTRY]
[+0x000] Flink : 0x895552c8 [Type: _LIST_ENTRY *]
[+0x004] Blink : 0x895552c8 [Type: _LIST_ENTRY *]