Debugged! MZ/PE magazine editorial board has secured a columnist Don T. Quit to write a column “Tips, Bits and Fields”. Don is very eager to offer a (socio- | psycho- | ε) logical advice to debugging community.
Just to remind that a deadline to submit articles for the first issue is set to 15th of February.
- Dmitry Vostokov @ DumpAnalysis.org -
While working on “Computer Memory Visualization” book I noticed this recent title and immediately bought it:
Core Memory: A Visual Survey of Vintage Computers
This is not only a wonderful hardcover coffee table book with stunning photographs of old computers and their memory hardware but also has numerous historical notes. It nicely complements my own DLL List Landscape: The Art from Computer Memory Space book that features virtual memory visual images.
- Dmitry Vostokov @ DumpAnalysis.org -
Originally I paid attention to “Paper is patient” in Social Sciences as Sorcery book. It merits its own bugtation:
Crash dump “is patient.”
- Dmitry Vostokov @ DumpAnalysis.org -
“Everything is in a state of” memory.
- Dmitry Vostokov @ DumpAnalysis.org -
“For it is not enough to have a good” debugger: “one must use it well.”
- Dmitry Vostokov @ DumpAnalysis.org -
Sometimes there is not enough physical memory and the system experiences the so called disk or page file thrashing trying to resolve page faults. This can be seen in some memory dumps coming from frozen environments showing signs of double traps in running threads, the first one is a normal memory access fault (blue) and the other is forced NMI bugcheck to save a memory dump (red):
1: kd> .bugcheck
Bugcheck code 00000080
Arguments 004f4454 00000000 00000000 00000000
1: kd> !thread
THREAD 88939b20 Cid 360.378 Teb: 7ffdb000 Win32Thread: a20a7ac8 RUNNING
IRP List:
86be9e68: (0006,0100) Flags: 00000070 Mdl: 00000000
88939e68: (0006,0100) Flags: 00000070 Mdl: 00000000
88939128: (0006,0100) Flags: 00000070 Mdl: 00000000
Not impersonating
Owning Process 889456e0
Wait Start TickCount 2357431 Elapsed Ticks: 9
Context Switch Count 18267 LargeStack
UserTime 0:00:08.0218
KernelTime 0:12:28.0109
Start Address KERNEL32!BaseThreadStartThunk (0x7c57b740)
Win32 Start Address msafd!SockAsyncThread (0x74fd3113)
Stack Init bef9e000 Current bef9db60 Base bef9e000 Limit bef9b000 Call 0
Priority 11 BasePriority 11 PriorityDecrement 0 DecrementCount 0
ChildEBP RetAddr
8904aff0 80469211 hal!HalHandleNMI+0×193
8904aff0 80438621 nt!KiTrap02+0×41
bef9dc10 8043799a nt!MiTrimWorkingSet+0xa7
bef9dc38 804378ec nt!MiDoReplacement+0×2e
bef9dc50 804453cf nt!MiLocateAndReserveWsle+0×1e
bef9dc68 804444e0 nt!MiAddValidPageToWorkingSet+0×89
bef9dc8c 804443a2 nt!MiCompleteProtoPteFault+0xf6
bef9dcb8 804436e8 nt!MiResolveProtoPteFault+0×160
bef9dcfc 8044ccd0 nt!MiDispatchFault+0xfc
bef9dd4c 8046b063 nt!MmAccessFault+0xd1c
bef9dd4c 74fd31e0 nt!KiTrap0E+0xc7
016effb4 7c57b3bc msafd!SockAsyncThread+0xcd
016effec 00000000 KERNEL32!BaseThreadStart+0×52
If we check virtual memory stats we see the low number of available pages:
1: kd> !vm
*** Virtual Memory Usage ***
Physical Memory: 524165 ( 2096660 Kb)
Page File: \??\C:\pagefile.sys
Current: 4190208Kb Free Space: 3298704Kb
Minimum: 4190208Kb Maximum: 4190208Kb
Page File: \??\E:\pagefile.sys
Current: 4190208Kb Free Space: 3339860Kb
Minimum: 4190208Kb Maximum: 4190208Kb
Available Pages: 1098 ( 4392 Kb)
ResAvail Pages: 410646 ( 1642584 Kb)
Modified Pages: 282384 ( 1129536 Kb)
NonPagedPool Usage: 10046 ( 40184 Kb)
NonPagedPool Max: 68609 ( 274436 Kb)
PagedPool 0 Usage: 15391 ( 61564 Kb)
PagedPool 1 Usage: 1906 ( 7624 Kb)
PagedPool 2 Usage: 1925 ( 7700 Kb)
PagedPool 3 Usage: 1937 ( 7748 Kb)
PagedPool 4 Usage: 1892 ( 7568 Kb)
PagedPool Usage: 23051 ( 92204 Kb)
PagedPool Maximum: 87040 ( 348160 Kb)
Shared Commit: 16867 ( 67468 Kb)
Special Pool: 0 ( 0 Kb)
Free System PTEs: 65288 ( 261152 Kb)
Shared Process: 38655 ( 154620 Kb)
PagedPool Commit: 23051 ( 92204 Kb)
Driver Commit: 1060 ( 4240 Kb)
Committed pages: 1049592 ( 4198368 Kb)
Commit limit: 2580155 (10320620 Kb)
[…]
In W2K dumps we can also see locking on a working set resource (I guess the name from Ws shortcut here):
1: kd> !locks
**** DUMP OF ALL RESOURCE OBJECTS ****
Resource @ nt!MmSystemWsLock (0×804869c0) Exclusively owned
Contention Count = 33083
NumberOfExclusiveWaiters = 237
[…]
and huge number of threads in Ready state for every thread priority.
Looking at the current process owning the running thread shows the large number of page faults and increased kernel CPU time compared to time spent in user mode:
1: kd> !process 889456e0
PROCESS 889456e0 SessionId: 0 Cid: 0360 Peb: 7ffdf000 ParentCid: 01a8
DirBase: 102af000 ObjectTable: 88945c08 TableSize: 622.
Image: Application.EXE
VadRoot 88944468 Clone 0 Private 838. Modified 30691412. Locked 188.
DeviceMap 89049288
Token e28db550
ElapsedTime 10:13:30.0684
UserTime 0:00:12.0578
KernelTime 0:12:38.0625
QuotaPoolUsage[PagedPool] 31568
QuotaPoolUsage[NonPagedPool] 68266
Working Set Sizes (now,min,max) (49, 50, 345) (196KB, 200KB, 1380KB)
PeakWorkingSetSize 1956
VirtualSize 131 Mb
PeakVirtualSize 131 Mb
PageFaultCount 46180598
MemoryPriority BACKGROUND
BasePriority 10
CommitCharge 1247
- Dmitry Vostokov @ DumpAnalysis.org -
Publishing my old CV and salary expectations damaged my memory and yesterday night I experienced a dream where a courier arrived to my office. I opened a packet and saw an A4 plastic card with a cover displaying a VIP job offer from one company the name of which I cannot disclose here. The plastic job offer card also had 2 buttons: accept an offer and decline an offer. To the left of the buttons there was a picture of a tiger: I used to play with 2 x 2 tiger puzzle with my 2 year old son before that night… When I woke up the dream was so real that I searched around for that card 
- Dmitry Vostokov @ DumpAnalysis.org -
I made a beautiful 100 x 18400 slice of pagefile.bmp generated by Dump2Picture using ImageMagick (1.5Mb JPEG image):
Wider 450 x 18400 slice (7Mb JPEG image) is available for viewing here:
Page File Image Slice (7Mb JPEG)
- Dmitry Vostokov @ DumpAnalysis.org -
I was curious about how page file looks like when represented as a bitmap picture image like I previously did with memory dumps and I expected it to look like a picture of a complete memory dump due to its purpose as a backup to physical memory. It looks similar indeed. Here is a picture of a 1.3Gb pagefile.sys from my home computer after running Vista for last 2 weeks, generated by Dump2Picture tool and resized from 18400 x 18400 32-bit bitmap by ImageMagick:
- Dmitry Vostokov @ DumpAnalysis.org -
“Look for” a bug “in everything and you will find it.”
Pierre-Jules Renard, Journal
- Dmitry Vostokov @ DumpAnalysis.org -
… taking into account one second because of slowing Earth rotation. I wish everyone a Happy New Year and successful debugging and memory analysis sessions in virtuality and reality!
Dmitry Vostokov @ 45474150 504d5544 PAGEDUMP....(...
0bc6c000 81000000 8054d030 8054f098 ........0.T...T.
0000014c 00000001 000000e2 00000000 L...............
00000000 00000000 00000000 45474100 .............AGE
45474150 45474150 45474150 45474150 PAGEPAGEPAGEPAGE
45474150 45474150 45474150 45474100 PAGEPAGEPAGE.AGE
8053eee0 00000003 0000f67d 00000001 ..S.....}.......
0000009e 00000100 00000eff 00001000 ................
0000e6e0 45474150 45474150 45474150 ....PAGEPAGEPAGE
45474150 45474150 45474150 45474150 PAGEPAGEPAGEPAGE
45474150 45474150 45474150 45474150 PAGEPAGEPAGEPAGE
45474150 45474150 45474150 45474150 PAGEPAGEPAGEPAGE
45474150 45474150 45474150 45474150 PAGEPAGEPAGEPAGE
45474150 45474150 45474150 45474150 PAGEPAGEPAGEPAGE
45474150 45474150 45474150 45474150 PAGEPAGEPAGEPAGE
45474150 45474150 45474150 45474150 PAGEPAGEPAGEPAGE
45474150 45474150 45474150 45474150 PAGEPAGEPAGEPAGE
45474150 45474150 45474150 45474150 PAGEPAGEPAGEPAGE
45474150 45474150 45474150 45474150 PAGEPAGEPAGEPAGE
45474150 45474150 45474150 45474150 PAGEPAGEPAGEPAGE
45474150 45474150 45474150 45474150 PAGEPAGEPAGEPAGE
45474150 45474150 45474150 45474150 PAGEPAGEPAGEPAGE
45474150 45474150 45474150 45474150 PAGEPAGEPAGEPAGE
45474150 45474150 45474150 45474150 PAGEPAGEPAGEPAGE
45474150 45474150 45474150 45474150 PAGEPAGEPAGEPAGE
45474150 45474150 45474150 45474150 PAGEPAGEPAGEPAGE
45474150 45474150 45474150 45474150 PAGEPAGEPAGEPAGE
45474150 45474150 45474150 45474150 PAGEPAGEPAGEPAGE
45474150 45474150 45474150 45474150 PAGEPAGEPAGEPAGE
45474150 45474150 45474150 45474150 PAGEPAGEPAGEPAGE
45474150 45474150 45474150 45474150 PAGEPAGEPAGEPAGE
45474150 45474150 45474150 45474150 PAGEPAGEPAGEPAGE
45474150 45474150 45474150 45474150 PAGEPAGEPAGEPAGE
45474150 45474150 45474150 45474150 PAGEPAGEPAGEPAGE
45474150 45474150 45474150 45474150 PAGEPAGEPAGEPAGE
45474150 45474150 45474150 45474150 PAGEPAGEPAGEPAGE
45474150 45474150 45474150 45474150 PAGEPAGEPAGEPAGE
45474150 45474150 45474150 45474150 PAGEPAGEPAGEPAGE
45474150 45474150 45474150 45474150 PAGEPAGEPAGEPAGE
45474150 45474150 45474150 45474150 PAGEPAGEPAGEPAGE
45474150 45474150 45474150 45474150 PAGEPAGEPAGEPAGE
45474150 45474150 45474150 45474150 PAGEPAGEPAGEPAGE
45474150 45474150 45474150 45474150 PAGEPAGEPAGEPAGE
45474150 45474150 45474150 45474150 PAGEPAGEPAGEPAGE
45474150 45474150 45474150 45474150 PAGEPAGEPAGEPAGE
45474150 45474150 45474150 45474150 PAGEPAGEPAGEPAGE
45474150 45474150 45474150 45474150 PAGEPAGEPAGEPAGE
45474150 45474150 45474150 45474150 PAGEPAGEPAGEPAGE
45474150 45474150 45474150 45474150 PAGEPAGEPAGEPAGE
45474150 45474150 45474150 45474150 PAGEPAGEPAGEPAGE
00000000 00000000 00000000 00000000 ................
00000000 00000000 00000000 00000000 ................
00000000 00000000 00000000 00000000 ................
00000000 00000000 00000000 00000000 ................
00000000 00000000 00000000 00000000 ................
00000000 00000000 00000000 00000000 ................
00000000 00000000 00000000 00000000 ................
00000000 00000000 00000000 00000000 ................
00000000 00000000 00000000 00000000 ................
[...]
