Crash Dump Analysis Patterns (Part 34)

Although crash dumps are static in nature they contain Historical Information about past system dynamics that might give clues to a problem and help with troubleshooting and debugging.

For example, IRP flow between user processes and drivers is readily available in any kernel or complete memory dump. WinDbg !irpfind command will show the list of currently present I/O request packets. !irp command will give individual packet details. 

Recent Driver Verifier improvements in Vista and Windows Server 2008 allow to embed stack traces associated with IRP allocation, completion and cancellation. For information please look at the following document:

http://www.microsoft.com/whdc/devtools/tools/vistaverifier.mspx

Other information that can be included in process, kernel and complete memory dumps may reveal some history of function calls beyond the current snapshot of thread stacks:

- Dmitry Vostokov @ DumpAnalysis.org -

8 Responses to “Crash Dump Analysis Patterns (Part 34)”

  1. Dmitry Vostokov Says:

    Unloaded module list (lm) is another example of Historical Information pattern

  2. Crash Dump Analysis » Blog Archive » Crash Dump Analysis Patterns (Part 60) Says:

    […] In the pattern about NULL code pointer I created a simple program that crashes when we pass a NULL thread procedure pointer to CreateThread function. We might expect to see little in the raw stack data because there was no user-supplied thread code. In reality, if we dump it we would see lots of symbolic information for code and data including ASCII and UNICODE fragments that I call Execution Residue patterns and one of them is Exception Handling Residue we can use to check for hidden exceptions and differentiate between 1st and 2nd chance exceptions. Code residues are very powerful in reconstructing stack traces manually or looking for partial stack traces and historical information. […]

  3. Dmitry Vostokov Says:

    Also last error values for all threads make another good example of historical info

  4. Crash Dump Analysis » Blog Archive » Blocked thread, historical information, execution residue, hidden exception, dynamic memory corruption, incorrect stack trace and not my version: pattern cooperation Says:

    […] and the last thread was blocked in a destructor of MyPrinter class. However we see some historical information, faultrep.dll unloaded, and this means that some exception happened prior to the process […]

  5. Crash Dump Analysis » Blog Archive » Trace Analysis Patterns (Part 1) Says:

    […] traces and their collections are specializations of the more general traces. Another example is Historical Information in memory dump files especially when it is somehow […]

  6. Dmitry Vostokov Says:

    !obtrace monitors more than !htrace (Windows Internals, 5th edition, p. 156)

  7. Crash Dump Analysis » Blog Archive » Icons for Memory Dump Analysis Patterns (Part 56) Says:

    […] we introduce an icon for Historical Information […]

  8. Dmitry Vostokov Says:

    Debugging TV Frames episode 0×29 shows an example for notepad.exe http://www.debugging.tv

Leave a Reply

You must be logged in to post a comment.