I've been playing around with -LbrSources:PmcInterrupt -LbrFilters:StackMode data and about ~0.1% of the LBR records are attributed to the wrong process.
In my investigation of these misattributed LBR records, execution is always somewhere in nt!SwapContext.
Even worse, if I try to emit the LBR stacks for ContextSwitch events then these are 100% attributed to the wrong process.
The steps currently taken in SwapContext appear to be:
1. Perform context swap - the LBR stack is now invalid for the current thread
2. Trace context swap - the associated LBR event is always attributed to the wrong thread here
3. Clear LBR stack - the (empty) LBR stack is now valid again

And any PmcInterrupt events occurring between 1 and 3 will be attributed to the wrong thread.
I would have thought that the tracing then clearing would need to occur immediately prior to the context swap:
1. Trace context swap - the LBR stack is still valid here
2. Clear LBR stack
3. Perform context swap
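
The two orderings described in the post above, as an added toy model (not from the original post and not Windows kernel code). The thread ids, function names and the simplification that no new branches are recorded between steps are assumptions made for illustration.

```python
# Toy model (constructed): the LBR stack holds branches of one "owner" thread;
# an event is stamped with whichever thread is current when it is logged.
CURRENT_ORDER = ("swap", "trace", "clear")    # order the post observes
PROPOSED_ORDER = ("trace", "clear", "swap")   # order the post suggests

def run_switch(order, old_tid, new_tid, irq_after=None):
    """Simulate one context switch. A sampling (PMC) interrupt fires after the
    step with 0-based index irq_after, or never if None. Returns logged events."""
    current, lbr_owner, lbr_empty = old_tid, old_tid, False
    events = []

    def log(kind):
        # An empty stack cannot be misattributed; otherwise the owner of the
        # recorded branches must match the thread the event is stamped with.
        wrong = (not lbr_empty) and lbr_owner != current
        events.append({"kind": kind, "stamped_tid": current,
                       "lbr_owner": None if lbr_empty else lbr_owner,
                       "misattributed": wrong})

    for i, step in enumerate(order):
        if step == "swap":
            current = new_tid
        elif step == "trace":
            log("ContextSwitch")
        elif step == "clear":
            lbr_empty = True
        if irq_after == i:
            log("PmcInterrupt")
    return events

def misattribution(order):
    """Place the interrupt after step 1 and after step 2 (the window the post
    describes). Returns (wrong, total) for ContextSwitch and for PmcInterrupt."""
    tally = {"ContextSwitch": [0, 0], "PmcInterrupt": [0, 0]}
    for irq_after in (0, 1):
        for e in run_switch(order, old_tid=100, new_tid=200, irq_after=irq_after):
            tally[e["kind"]][0] += e["misattributed"]
            tally[e["kind"]][1] += 1
    return tuple(tally["ContextSwitch"]), tuple(tally["PmcInterrupt"])

if __name__ == "__main__":
    print("current :", misattribution(CURRENT_ORDER))
    print("proposed:", misattribution(PROPOSED_ORDER))
```
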