0

I've profiled Internet Explorer 11 to find out why does it consume lots of CPU in kernel-mode. The hottest path (that was present in 85% of samples) was the following stack:

  • NtAllocateVirtualMemory
  • whNtAllocateVirtualMemory
  • Wow64SystemServiceEx
  • ServiceNoTurbo
  • RunCpuSimulation
  • Wow64LdrpInitialize
  • _LdrInitialize
  • LdrInitializeThunk
  • _NtAllocateVirtualMemory@24
  • RtlIpv6AddressToStringW (85% of samples!)
  • _RtlpLfhBucketIndexMap
  • RtlpLowFragHeapAllocFromContext
  • RtlpAllocateUserBlockFromHeap
  • @RtlpLowFragHeapAllocateFromZone@8
  • _RtlpLfhBucketIndexMap
  • RtlAllocateHeap

How can a call to RtlAllocateHeap result in a call to RtlIpv6AddressToStringW?

Ark-kun
  • 6,358
  • 2
  • 34
  • 70
  • It can't. Mapping code addresses to function names in optimized code is an imperfect art. Heap allocation can certainly be on the hot path. Nothing you can do about it, you didn't write this code. – Hans Passant Dec 01 '13 at 11:53
  • IMO its most likely that some of the pointers are just left over from previously-used but now cleaned-up up stack frames (meaning they are unrelated to the other calls), how exactly is this trace being collected? through call profiling or stack frame inspection? – Necrolis Dec 01 '13 at 12:24
  • THE HOT PATH DOESN'T TELL YOU MUCH :-) What you need to look at is actual stack samples, including (if possible) those taken during I/O. [*This video shows why.*](https://www.youtube.com/watch?v=xPg3sRpdW1U) For example, WHY is virtual memory being allocated? All that trace tells you is that it is, and doing it in a clumsy way, and not telling you how much time is spent doing it. – Mike Dunlavey Dec 01 '13 at 13:57
  • @Necrolis I'm using the profiler included in Visual Studio 2013. – Ark-kun Dec 04 '13 at 01:21

0 Answers0