Archive for October, 2008
Wednesday, October 8th, 2008
“Some of the greatest advances in” debugging “have been due to the invention of symbols, which it afterwards became necessary to explain;”
Aldous Leonard Huxley, Jesting Pilate
For an explanation of symbols, please read:
Crash Dumps for Dummies: Part 5 - Symbol files explained
- Dmitry Vostokov @ DumpAnalysis.org -
Posted in Bugtations, Crash Dump Analysis, Debugging | No Comments »
Tuesday, October 7th, 2008
Over time I noticed that some troubleshooting and debugging tools show numbers in hex and some in decimal, even for things that are traditionally hex, for example PID and TID. Then, when getting data from one program, I need to convert it to a different base for another tool. So over time I developed a sense of what hex numbers usually look like, even when they don’t have the hexadecimal digits ‘A’-‘F’ in them. For example, in one log I got this output:
Parent changed to 393954
Although this number is a valid hex number as well as a decimal one, I had an intuitive feeling that it was decimal… Checking the source code of the tool revealed that it was indeed output as decimal.
I guess this feeling arose because I had just checked that most window handles I have seen have a zero as their 4th hex digit (counting from the right):
Handle: 2801E6
Handle: 110044
Handle: 10052
Handle: E01B6
Handle: 602E2
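As an added example (not from the original post), here is the heuristic above turned into a small classifier: a token with an ‘A’-‘F’ digit can only be hex; an all-digit token is read both ways and the reading whose hex form has a zero 4th digit is preferred. The enum names and the tie-breaking rule are my own assumptions.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Verdict for a number printed without a base prefix. */
enum base_guess { BASE_INVALID, BASE_HEX_ONLY, BASE_LIKELY_HEX, BASE_LIKELY_DEC, BASE_AMBIGUOUS };

/* Parse the whole token in the given base (10 or 16); 0 if it is not a valid numeral in that base. */
uint32_t parse_as(const char *token, int base) {
    char *end;
    unsigned long v = strtoul(token, &end, base);
    return (*token && *end == '\0') ? (uint32_t)v : 0;
}

/* The post's observation: every handle listed has a zero 4th hex digit,
   i.e. bits 12-15 of the value are clear. */
static int fourth_digit_zero(uint32_t v) {
    return ((v >> 12) & 0xF) == 0;
}

enum base_guess guess_base(const char *token) {
    int letters = 0;
    const char *p;
    for (p = token; *p; p++) {
        if (!isxdigit((unsigned char)*p)) return BASE_INVALID;
        if (!isdigit((unsigned char)*p)) letters = 1;
    }
    if (p == token) return BASE_INVALID;
    if (letters) return BASE_HEX_ONLY;        /* an A-F digit rules out decimal */
    uint32_t as_hex = parse_as(token, 16);    /* the digits read as hex */
    uint32_t as_dec = parse_as(token, 10);    /* the same digits read as decimal */
    int hex_fits = fourth_digit_zero(as_hex);
    int dec_fits = fourth_digit_zero(as_dec); /* is the decimal value handle-shaped once written in hex? */
    if (hex_fits && !dec_fits) return BASE_LIKELY_HEX;
    if (dec_fits && !hex_fits) return BASE_LIKELY_DEC;
    return BASE_AMBIGUOUS;                    /* assumption: no preference when both or neither fit */
}

int main(void) {
    /* Tokens taken from the post; 393954 read as decimal is 0x602E2, the last handle above. */
    static const char *tokens[] = { "393954", "2801E6", "110044", "10052" };
    static const char *names[] = { "invalid", "hex only", "likely hex", "likely decimal", "ambiguous" };
    for (size_t i = 0; i < sizeof tokens / sizeof *tokens; i++)
        printf("%-8s %-14s hex reading 0x%X, decimal reading 0x%X\n", tokens[i],
               names[guess_base(tokens[i])], parse_as(tokens[i], 16), parse_as(tokens[i], 10));
    return 0;
}
```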
Tuesday, October 7th, 2008
Reminiscence on a memory dump as an integer:
“The trouble with” memory dumps “is that we have examined only the very small ones. Maybe all the exciting stuff happens at really big” memory dumps, “ones we can’t even begin to think about in any very definite way. So maybe all the action is really inaccessible and we’re just fiddling around. Our brains have evolved to get us out of the rain, find where the berries are, and keep us from getting killed. Our brains did not evolve to help us grasp really large” memory dumps “or to look at things in a hundred thousand” memory locations.
Ronald Lewis Graham, quoted in “Computers, Pattern, Chaos and Beauty” by Clifford A. Pickover
Tuesday, October 7th, 2008
Sometimes application developers with WinDbg live-debugging and user-dump experience need a quick guide to get started with kernel and complete memory dumps. Familiar stack trace browsing commands no longer work, and here is a preliminary discussion/tutorial on the forum:
http://www.dumpanalysis.org/forum/viewtopic.php?f=10&t=270
If you want to dig deeper, please see the Moving to kernel space (updated references) post for a reading list.
Monday, October 6th, 2008
Most of the time, data alignment manifests itself on Intel platforms from a performance perspective, and as GP faults for some instructions that require a natural boundary for their qword operands. Generally there are no exceptions if we move a dword value from or to an odd memory address when the whole operand fits into one page. However, we need to take the possibility of page boundary spans into account when checking memory addresses for their validity. Consider this exception:
0: kd> .trap 0xffffffffa38df520
ErrCode = 00000002
eax=b6d9220f ebx=b6ab4ffb ecx=00000304 edx=eaf2fdea esi=b6d9214c edi=b6ab8189
eip=bfa10e6e esp=a38df594 ebp=a38df5ac iopl=0 nv up ei ng nz ac po cy
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010293
driver+0x2ae6e:
bfa10e6e 895304 mov dword ptr [ebx+4],edx ds:0023:b6ab4fff=????????
The address seems to be valid:
0: kd> !pte b6ab4fff
VA b6ab4fff
PDE at C0300B68 PTE at C02DAAD0
contains 7F0DD863 contains 426B0863
pfn 7f0dd ---DA--KWEV pfn 426b0 ---DA--KWEV
But careful examination of the instruction reveals that it writes a 32-bit value, so we need to inspect the next byte too, because it is on another page:
0: kd> !pte b6ab4fff+1
VA b6ab5000
PDE at C0300B68 PTE at C02DAAD4
contains 7F0DD863 contains 00000080
pfn 7f0dd ---DA--KWEV not valid
DemandZero
Protect: 4 - ReadWrite
Although the page is demand zero and this should have been satisfied by creating a new page filled with zeroes, my point here is that the page could have been completely invalid or paged out, which at IRQL >= 2 could not have been recovered from.
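The check this post argues for, as an added example (not from the original post): compute every page an operand touches and validate each one, instead of only the page of the starting address. The page validity table is constructed from the two !pte results above (b6ab4000 valid, b6ab5000 not), and the function names are my own.

```c
#include <stdint.h>
#include <stdio.h>

#define PAGE_SIZE 0x1000u
#define PAGE_MASK (~(PAGE_SIZE - 1))

typedef uint32_t va_t;   /* 32-bit x86 virtual address, as in the dump */

/* Pages touched by an access of `size` (>= 1) bytes starting at `va`. */
struct page_span {
    va_t first_page;     /* page containing the first byte of the operand */
    va_t last_page;      /* page containing the last byte of the operand */
    unsigned pages;      /* number of distinct pages touched */
};

struct page_span access_pages(va_t va, uint32_t size) {
    struct page_span s;
    s.first_page = va & PAGE_MASK;
    s.last_page  = (va + size - 1) & PAGE_MASK;
    s.pages = (s.last_page - s.first_page) / PAGE_SIZE + 1;
    return s;
}

/* 1 if the operand crosses a page boundary, so one !pte on `va` is not enough. */
int crosses_page(va_t va, uint32_t size) {
    return access_pages(va, size).pages > 1;
}

/* Constructed validity oracle mirroring the dump: b6ab4000 has a valid PTE,
   b6ab5000 does not (PTE 00000080, demand zero). Not a real PTE walk. */
static int page_is_valid(va_t page) {
    return page == 0xb6ab4000u;
}

/* Every page of the operand must be resident, not just the first one. */
int operand_is_resident(va_t va, uint32_t size) {
    struct page_span s = access_pages(va, size);
    for (va_t p = s.first_page; ; p += PAGE_SIZE) {
        if (!page_is_valid(p)) return 0;
        if (p == s.last_page) break;
    }
    return 1;
}

int main(void) {
    /* mov dword ptr [ebx+4],edx with ebx = b6ab4ffb: a 4-byte store at b6ab4fff */
    va_t target = 0xb6ab4ffbu + 4;
    struct page_span s = access_pages(target, 4);
    printf("store at %08x touches %u page(s) %08x..%08x, resident: %d\n",
           target, s.pages, s.first_page, s.last_page, operand_is_resident(target, 4));
    return 0;
}
```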
Monday, October 6th, 2008
Another variation of the previous bugtation, No. 40:
“Read” code “at whim!”
Randall Jarrell, A Sad Heart at the Supermarket: Essays & Fables
Monday, October 6th, 2008
Debug “at whim!” Debug “at whim!”
Randall Jarrell, A Sad Heart at the Supermarket: Essays & Fables
Monday, October 6th, 2008
Crash dumps “have another hypnotic effect. Because they are not immediately understood, they, like certain jokes, are suspected of holding in some sort of magic embrace the secret of” troubleshooting, “or at least some of its more” difficult “parts.”
Scott Milross Buchanan, Poetry and Mathematics
Friday, October 3rd, 2008
“Everything is memory dump.”
I’m very excited to announce that Volume 2 is available in paperback, hardcover and digital editions:
Memory Dump Analysis Anthology, Volume 2
In one or two weeks the paperback edition should also appear on Amazon and in other bookstores. The Amazon hardcover edition is planned to be available by the end of October.
I’m often asked when Volume 3 will be available, and I currently plan to release it in October - November 2009. In the meantime I’m planning to concentrate on other publishing projects.
Thursday, October 2nd, 2008
Out of 61,500,000 Google hits for “Everything is” X, I couldn’t find X == memory dump, so I presume this quotation is also traced to me:
“Everything is memory dump.”
Dmitry Vostokov
Thursday, October 2nd, 2008
Out of 85,800 Google hits for “In the beginning there was the” X, I couldn’t find X == crash, so I presume this quotation is traced to me:
“In the beginning there was the crash.”
Dmitry Vostokov
Wednesday, October 1st, 2008
The book is nearly finished, and here is the final TOC:
Memory Dump Analysis Anthology, Volume 2: Table of Contents
Wednesday, October 1st, 2008
Exception “is what we see at a glance.”
Blaise Pascal, Pensées