Software Diagnostics Library » 2011

Trace Analysis Patterns (Part 36)

Sunday, January 30th, 2011

When reading and analyzing software traces we always compare them to Master Trace. Another name for this pattern borrowed from narrative theory is Archetype. When looking at the software trace from a system we either know the correct sequence of Activity Regions, expect certain Background and Foreground Components, Event Sequence Order or mentally construct a model based on our experience and Implementation Discourse. For the latter example software engineers internalize software master narratives when they construct code and write tracing code for supportability. For the former example it is important to have a repository of traces corresponding to master traces. This helps in finding deviations after Bifurcation Point. Consider such comparisons similar to regression testing when we check the computation output against the expected prerecorded sequence.

- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -

Posted in CDF Analysis Tips and Tricks, Debugging, Software Narratology, Software Trace Analysis, Software Trace Reading, Testing, Trace Analysis Patterns | 2 Comments »

Why Memory Dump Analysis Audit is Good for You

Saturday, January 29th, 2011

Our sponsor, Memory Dump Analysis Services has published common questions and answers regarding their operation and competitive advantage over traditional software support organizations:

http://www.dumpanalysis.com/common-qa

I like their bold statement that they don’t have any competitors because they are one step further by providing an audit. This reminds me the statement I learnt from school: Marxism is all powerful because it is true.

- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -

Posted in Announcements, Crash Dump Analysis, Debugging, Memory Dump Analysis Services, Software Technical Support | No Comments »

Crash Dump Analysis Patterns (Part 128)

Saturday, January 29th, 2011

Similar to Message Box and String Parameter patterns we also have Dialog Box pattern (I’m grateful to Etienne Jeanneau for this suggestion) where we can see dialog window caption and contents when we examine function parameters (I guess this information comes from dialog box template). Although in the examples below we know the dialog purpose from friendly call stack function names for many 3rd-party applications we either don’t have symbols or no such helper functions but we want to know what was on the screen when screenshots were not collected.

The first 2 examples are from notepad and the 3rd is from IE:

0:000> kv ChildEBP RetAddr Args to Child 0017f5c4 777b073f 777c3c9f 000d023c 00000001 ntdll!KiFastSystemCallRet 0017f5c8 777c3c9f 000d023c 00000001 00000000 user32!NtUserWaitMessage+0xc 0017f5fc 777c2dc0 00310778 000d023c 00000001 user32!DialogBox2+0x202 0017f624 777c2eec 76460000 02a6bc60 000d023c user32!InternalDialogBox+0xd0 0017f644 76489a65 76460000 02a6bc60 000d023c user32!DialogBoxIndirectParamAorW+0×37 0017f680 76489ccf 0017f68c 00000001 0017f6d4 comdlg32!ChooseFontX+0×1ba 0017f6bc 006741c7 0017f6d4 00000111 00000000 comdlg32!ChooseFontW+0×2e 0017f734 0067164a 000d023c 00000021 00000000 notepad!NPCommand+0×4c7 0017f758 777afd72 000d023c 00000111 00000021 notepad!NPWndProc+0×4cf 0017f784 777afe4a 0067146c 000d023c 00000111 user32!InternalCallWinProc+0×23 0017f7fc 777b018d 00000000 0067146c 000d023c user32!UserCallWinProcCheckWow+0×14b 0017f860 777b022b 0067146c 00000000 0017f8a4 user32!DispatchMessageWorker+0×322 0017f870 00671465 0017f888 00000000 0067a21c user32!DispatchMessageW+0xf 0017f8a4 0067195d 00670000 00000000 00231cfa notepad!WinMain+0xe3 0017f934 7652d0e9 7ffd9000 0017f980 77b019bb notepad!_initterm_e+0×1a1 0017f940 77b019bb 7ffd9000 78f7b908 00000000 kernel32!BaseThreadInitThunk+0xe 0017f980 77b0198e 006731ed 7ffd9000 00000000 ntdll!__RtlUserThreadStart+0×23 0017f998 00000000 006731ed 7ffd9000 00000000 ntdll!_RtlUserThreadStart+0×1b

0:000> dc 02a6bc60 l50 02a6bc60 80c800c4 00000000 000d0014 011f0036 ............6... 02a6bc70 000000c4 00460000 006e006f 00000074 ......F.o.n.t… 02a6bc80 004d0008 00200053 00680053 006c0065 ..M.S. .S.h.e.l. 02a6bc90 0020006c 006c0044 00000067 50020000 l. .D.l.g……P 02a6bca0 00000000 00070007 00090028 ffff0440 ……..(…@… 02a6bcb0 00260082 006f0046 0074006e 0000003a ..&.F.o.n.t.:… 02a6bcc0 00000000 50210b51 00000000 00100007 ….Q.!P…….. 02a6bcd0 004c0062 ffff0470 00000085 00000000 b.L.p……….. 02a6bce0 50020000 00000000 0007006e 0009002c …P….n…,… 02a6bcf0 ffff0441 00460082 006e006f 00200074 A…..F.o.n.t. . 02a6bd00 00740073 00790026 0065006c 0000003a s.t.&.y.l.e.:… 02a6bd10 00000000 50210041 00000000 0010006e ….A.!P….n… 02a6bd20 004c004a ffff0471 00000085 00000000 J.L.q……….. 02a6bd30 50020000 00000000 000700bd 0009001e …P………… 02a6bd40 ffff0442 00260082 00690053 0065007a B…..&.S.i.z.e. 02a6bd50 0000003a 00000000 50210b51 00000000 :…….Q.!P…. 02a6bd60 001000be 004c0024 ffff0472 00000085 ….$.L.r……. 02a6bd70 00000000 50020007 00000000 00610007 …….P……a. 02a6bd80 00480062 ffff0430 00450080 00660066 b.H.0…..E.f.f. 02a6bd90 00630065 00730074 00000000 50010003 e.c.t.s……..P

0:000> kv ChildEBP RetAddr Args to Child 0017f5a8 777b073f 777c3c9f 000d023c 00000001 ntdll!KiFastSystemCallRet 0017f5ac 777c3c9f 000d023c 00000001 00000000 user32!NtUserWaitMessage+0xc 0017f5e0 777c2dc0 0044034a 000d023c 00000001 user32!DialogBox2+0x202 0017f608 777c2eec 768a0000 029030bc000d023c user32!InternalDialogBox+0xd0 0017f628 777c10ef 768a0000 029030bc 000d023c user32!DialogBoxIndirectParamAorW+0×37 0017f64c 7695d877 768a0000 00003810 000d023c user32!DialogBoxParamW+0×3f 0017f670 76a744dc 768a0000 00003810 000d023c shell32!SHFusionDialogBoxParam+0×32 0017f6b0 00674416 000d023c 002530dc 00672fc4 shell32!ShellAboutW+0×4d 0017f734 0067164a 000d023c 00000041 00000000 notepad!NPCommand+0×718 0017f758 777afd72 000d023c 00000111 00000041 notepad!NPWndProc+0×4cf 0017f784 777afe4a 0067146c 000d023c 00000111 user32!InternalCallWinProc+0×23 0017f7fc 777b018d 00000000 0067146c 000d023c user32!UserCallWinProcCheckWow+0×14b 0017f860 777b022b 0067146c 00000000 0017f8a4 user32!DispatchMessageWorker+0×322 0017f870 00671465 0017f888 00000000 0067a21c user32!DispatchMessageW+0xf 0017f8a4 0067195d 00670000 00000000 00231cfa notepad!WinMain+0xe3 0017f934 7652d0e9 7ffd9000 0017f980 77b019bb notepad!_initterm_e+0×1a1 0017f940 77b019bb 7ffd9000 78f7b908 00000000 kernel32!BaseThreadInitThunk+0xe 0017f980 77b0198e 006731ed 7ffd9000 00000000 ntdll!__RtlUserThreadStart+0×23 0017f998 00000000 006731ed 7ffd9000 00000000 ntdll!_RtlUserThreadStart+0×1b

0:000> dc 029030bc l50 029030bc ffff0001 00000000 00000000 80c800cc ................ 029030cc 0014000c 01130014 000000ee 00410000 ..............A. 029030dc 006f0062 00740075 00250020 00000073 b.o.u.t. .%.s… 029030ec 00000008 004d0000 00200053 00680053 ……M.S. .S.h. 029030fc 006c0065 0020006c 006c0044 00000067 e.l.l. .D.l.g… 0290310c 00000000 00000000 50000043 00370007 ……..C..P..7. 0290311c 00140015 00003009 0082ffff 0000ffff …..0………. 0290312c 00000000 00000000 00000000 5000008c ……………P 0290313c 00370023 000a00c8 00003500 0082ffff #.7……5…… 0290314c 00000000 00000000 00000000 5000008c ……………P 0290315c 00410023 000a00eb 0000350b 0082ffff #.A……5…… 0290316c 00000000 00000000 00000000 50000080 ……………P 0290317c 004b0023 000a00d2 0000350a 0082ffff #.K……5…… 0290318c 00000000 00000000 00000000 50000080 ……………P 0290319c 00550023 002800d2 00003513 0082ffff #.U…(..5…… 029031ac 00680054 00200065 00570025 004e0049 T.h.e. .%.W.I.N. 029031bc 004f0044 00530057 004c005f 004e004f D.O.W.S._.L.O.N. 029031cc 00250047 006f0020 00650070 00610072 G.%. .o.p.e.r.a. 029031dc 00690074 0067006e 00730020 00730079 t.i.n.g. .s.y.s. 029031ec 00650074 0020006d 006e0061 00200064 t.e.m. .a.n.d. .

16 Id: 10fc.124c Suspend: 0 Teb: 7ffd7000 Unfrozen ChildEBP RetAddr Args to Child 053f8098 777b073f 777c3c9f 003d0650 00000001 ntdll!KiFastSystemCallRet 053f809c 777c3c9f 003d0650 00000001 00000000 user32!NtUserWaitMessage+0xc 053f80d0 777c2dc0 002e0378 003d0650 00000001 user32!DialogBox2+0x202 053f80f8 777c2eec 6f270000 03387bd4 003d0650 user32!InternalDialogBox+0xd0 053f8118 777c10ef 6f270000 03387bd4 003d0650 user32!DialogBoxIndirectParamAorW+0×37 053f813c 6f2c5548 6f270000 00005398 003d0650 user32!DialogBoxParamW+0×3f 053f8164 6f2c5743 6f270000 00005398 003d0650 ieframe!Detour_DialogBoxParamW+0×47 053f8188 6f2c56f5 6f270000 00005398 001905ea ieframe!SHFusionDialogBoxParam+0×32 053f9228 6f2c5378 001905ea 053fb540 00000104 ieframe!DoAddToFavDlgEx+0xcf 053fbb5c 6f2c58f9 001905ea 0e69a0c0 053fbff0 ieframe!AddToFavoritesEx+0×349 053fbdb8 6f2c57ee 00000000 053fbff0 00000000 ieframe!CBaseBrowser2::_AddToFavorites+0xe9 053fc0f4 6f2c3e5e 00000000 00000000 00000001 ieframe!CBaseBrowser2::_ExecAddToFavorites+0×123 053fc124 6f39ca4e 6f39c524 00000008 00000001 ieframe!CBaseBrowser2::_ExecExplorer+0xbe 053fc14c 6f39cee8 114ea39c 6f39c524 00000008 ieframe!CBaseBrowser2::Exec+0×12d 053fc17c 6f39cf17 6f39c524 00000008 00000001 ieframe!CShellBrowser2::_Exec_CCommonBrowser+0×80 053fc414 6f498284 114ea39c 6f39c524 00000008 ieframe!CShellBrowser2::Exec+0×626 053fc43c 6f49e5cd 0000a173 00000000 ffffff71 ieframe!CShellBrowser2::_FavoriteOnCommand+0×75 053fc458 6f3c5ea8 0000a173 00000000 00000111 ieframe!CShellBrowser2::_OnDefault+0×3e 053fd6f0 6f394194 0000a173 00000000 0000031a ieframe!CShellBrowser2::v_OnCommand+0xa7b 053fd70c 6f39898d 001905ea 00000111 0000a173 ieframe!CBaseBrowser2::v_WndProc+0×247 053fd770 6f3988db 001905ea 00000111 0000a173 ieframe!CShellBrowser2::v_WndProc+0×3fe 053fd794 777afd72 001905ea 00000111 0000a173 ieframe!CShellBrowser2::s_WndProc+0xfb 053fd7c0 777afe4a 6f39887a 001905ea 00000111 user32!InternalCallWinProc+0×23 053fd838 777b0943 00000000 6f39887a 001905ea user32!UserCallWinProcCheckWow+0×14b 053fd878 777b0b36 00252838 01223dc0 0000a173 user32!SendMessageWorker+0×4b7 053fd898 6f3cf032 001905ea 00000111 0000a173 user32!SendMessageW+0×7c 053fd8d0 6f396ead 0056049c 00000111 0000a173 ieframe!CInternetToolbarHost::v_WndProc+0xf8 053fd8f4 777afd72 0056049c 00000111 0000a173 ieframe!CImpWndProc::s_WndProc+0×65 053fd920 777afe4a 6f396e6e 0056049c 00000111 user32!InternalCallWinProc+0×23 053fd998 777b018d 00000000 6f396e6e 0056049c user32!UserCallWinProcCheckWow+0×14b 053fd9fc 777b022b 6f396e6e 00000000 053ffb14 user32!DispatchMessageWorker+0×322 053fda0c 6f39c1f5 053fda30 00000000 10eec4c0 user32!DispatchMessageW+0xf 053ffb14 6f34337f 0e7c3708 00000000 11bd8dc8 ieframe!CTabWindow::_TabWindowThreadProc+0×54c 053ffbcc 77525179 10eec4c0 00000000 053ffbe8 ieframe!LCIETab_ThreadProc+0×2c1 053ffbdc 7652d0e9 11bd8dc8 053ffc28 77b019bb iertutil!CIsoScope::RegisterThread+0xab 053ffbe8 77b019bb 11bd8dc8 7dd62326 00000000 kernel32!BaseThreadInitThunk+0xe 053ffc28 77b0198e 7752516b 11bd8dc8 00000000 ntdll!__RtlUserThreadStart+0×23 053ffc40 00000000 7752516b 11bd8dc8 00000000 ntdll!_RtlUserThreadStart+0×1b

0:000> dc 03387bd4 l50 03387bd4 ffff0001 00000000 00000000 80c808c0 ................ 03387be4 0000000a 011f0000 00000064 00410000 ........d.....A. 03387bf4 00640064 00610020 00460020 00760061 d.d. .a. .F.a.v. 03387c04 0072006f 00740069 00000065 00000008 o.r.i.t.e……. 03387c14 004d0000 00200053 00680053 006c0065 ..M.S. .S.h.e.l. 03387c24 0020006c 006c0044 00000067 00000000 l. .D.l.g……. 03387c34 00000000 50000003 0007000f 00140015 …….P…….. 03387c44 00009760 0082ffff 00bfffff 00000000 `…………… 03387c54 00000000 00000000 50020000 00070035 ………..P5… 03387c64 000800db 000003f4 0082ffff 00640041 …………A.d. 03387c74 00200064 00200061 00610046 006f0076 d. .a. .F.a.v.o. 03387c84 00690072 00650074 00000000 00000000 r.i.t.e……… 03387c94 00000000 50020000 00110035 001000db …….P5……. 03387ca4 000003f5 0082ffff 00640041 00200064 ……..A.d.d. . 03387cb4 00680074 00730069 00770020 00620065 t.h.i.s. .w.e.b. 03387cc4 00610070 00650067 00610020 00200073 p.a.g.e. .a.s. . 03387cd4 00200061 00610066 006f0076 00690072 a. .f.a.v.o.r.i. 03387ce4 00650074 0020002e 006f0054 00610020 t.e… .T.o. .a. 03387cf4 00630063 00730065 00200073 006f0079 c.c.e.s.s. .y.o. 03387d04 00720075 00660020 00760061 0072006f u.r. .f.a.v.o.r.

Stack traces with DialogBoxIndirectParam call and x64 complicates the picture a bit and are subject of another post. Please also note that a user might not see the dialog box you see on a stack trace due to many reasons like terminal session problems or a process running in a non-interactive session.

- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -

Posted in Crash Dump Analysis, Crash Dump Patterns | 2 Comments »

Memory Visualization Tools

Tuesday, January 25th, 2011

This is the 3rd revision of memory map visualization tools list where I include IDA Pro and a visualizer from Debug Analyzer.NET (every category is presented in chronological order of my encounter with links):

1. Synthetic

Numerous debuggers / disassemblers that show memory maps for easy navigation, for example, IDA Pro
VMMap
KernelMAP v0.0.1
MemSpyy
Virtual memory usage and GC heap usage
Plugin and / or script-driven visualizers: Debug Analyzer.NET

2. Natural

a. Static

Dump2Picture (Windows)
dump2pic (Linux)
2D and 3D visualization using general-purpose tools like ParaView.

b. Semi-dynamic

WinDbg scripts

c. Dynamic

Haywire

Please let me know any other approaches or links you know.

- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -

Posted in .NET Debugging, Crash Dump Analysis, Debugging, Debugging Trends, IDA for WinDbg Users, Memory Visualization, Software Trace Analysis, Tools | 1 Comment »

Icons for Memory Dump Analysis Patterns (Part 88)

Monday, January 24th, 2011

Today we introduce an icon for Blocked Thread (software) pattern:

B/W

Color

- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -

Posted in Crash Dump Analysis, Crash Dump Patterns, Debugging, Pattern Icons, Visual Dump Analysis | No Comments »

The Window of Opportunity (Debugging Slang, Part 23)

Saturday, January 22nd, 2011

The Window of Opportunity - WYSIWYG. Requires scrolling or search to get most of it.

Examples: He opened a log file in notepad and was staring at it with disbelief. There was no error. After some time he closed the window of opportunity.

- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -

Posted in Debugging, Debugging Slang, Fun with Debugging, Fun with Software Traces, Software Trace Reading | No Comments »

Dump (Debugging Slang, Part 22.1)

Saturday, January 22nd, 2011

Dump - The last hope.

Examples: He was so desperate on site to ask whether a complete dump will do.

- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -

Posted in Crash Dump Analysis, Debugging, Debugging Slang, Fun with Crash Dumps, Fun with Debugging | No Comments »

Pre-analysis (Debugging Slang, Part 21)

Saturday, January 22nd, 2011

Pre-analysis - Avoiding crash dump analysis anti-patterns like wrong dump or zippocricy. Sometimes it goes with wild explanation no one asked for. Checking whether a software trace is empty before sending it.

Examples: He is always doing !locks pre-analysis before sending any dump.

- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -

Posted in AntiPatterns, Crash Dump Analysis, Crash Dump De-analysis, Debugging, Debugging Slang, Fun with Crash Dumps, Fun with Debugging, Fun with Software Traces, Software Trace Analysis | No Comments »

No Longer Seeing Nothing: The Advantage of Patterns

Saturday, January 22nd, 2011

Software trace analysis is difficult and it is very common to hear “couldn’t see anything …”. One of advantages of software trace analysis patterns is that we can use that pattern language to write analysis reports. Here I provide an example for an analysis of a CDF trace from Citrix XenApp server. Instead of replying “didn’t find anything suspicious …” an engineer identified the following patterns:

Seeing the list of patterns it was much easier to ask questions to aid in further troubleshooting.

- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -

Posted in CDF Analysis Tips and Tricks, Software Behavior Patterns, Software Trace Analysis, Software Trace Reading, Structural Trace Patterns, Trace Analysis Patterns | No Comments »

Bugtation No.137

Thursday, January 20th, 2011

Debugging is defaulting.

Dmitry Vostokov, “It’s time to stop faulting!” programme from the independent Irish political candidate for the next general election who was writing programs in the past

- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -

Posted in Bugtations, Debugging, Politics | No Comments »

Bugtation No.136

Wednesday, January 19th, 2011

A memory dump “analysis is never finished, it is only abandoned”

Paul Valéry

- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -

Posted in Bugtations, Crash Dump Analysis, Software Trace Analysis | No Comments »

Collaborative Analysis Audit Access System from MDAS

Tuesday, January 18th, 2011

Memory Dump Analysis Services announces the launch of CollaborativeA3System for its new and existing customers:

“… is a way to report and discuss memory dump analysis using using well-known and time-proven iterative and incremental processes. Several corporate users can view, comment on and learn various aspects of an analysis report gradually improving initial preliminary analysis to its final deliverable form.”

Source: http://www.dumpanalysis.com/collaborative-analysis-audit-access-system

- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -

Posted in Announcements, Crash Dump Analysis, Debugging, Debugging Methodology, Memory Dump Analysis Services, Training and Seminars | No Comments »

2010 in Retrospection (Part 2)

Monday, January 17th, 2011

One of the great surprises in 2010 was the popularity of WinDbg.org page. I had never thought it was so popular! Originally forwarded to a subdomain of Crash Dump Analysis Portal when introduced in February, 2008 as a way to quickly download Debugging Tools for Windows and set up symbols it was made a full domain in July, 2010 with corresponding Google Analytics setup. Since then it enjoys 7,000 - 9,000 visits per month with almost 93% return rate with Microsoft, Intel, HP, Road Runner, Dell, Citrix, EMC, CA, Samsung, Cisco, Symantec, AMD, IBM, Oracle, and McAfee among its biggest users. I myself find it very useful in the field when I need to quickly setup debugging components. To the best of my knowledge the page remains the fastest way to that. There will be more useful information linked to it in 2011.

Another trend is the rise of the online version of Debugged! MZ/PE magazine that was completely redesigned in August, 2010 and now approaches 2,000 visitors per month. In 2011 there are some new initiatives coming for this online magazine.

- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -

Posted in Announcements, Debugged! MZ/PE, Debugging, History, WinDbg Tips and Tricks | No Comments »

Crash Dump Analysis Patterns (Part 127)

Saturday, January 15th, 2011

Stack Trace is a general pattern and there can always be found fine-grained patterns in stack traces as well. Here we discuss the general category of such stack trace patterns called Technology-Specific Subtrace (TSST) and give examples related to COM technology.

Consider this trace:

1: kd> k250 ChildEBP RetAddr 8d5d2808 82a7eb15 nt!KiSwapContext+0x26 8d5d2840 82a7d403 nt!KiSwapThread+0x266 8d5d2868 82a772cf nt!KiCommitThreadWait+0x1df 8d5d28e0 82550d75 nt!KeWaitForSingleObject+0x393 8d5d293c 82550e10 win32k!xxxRealSleepThread+0x1d7 8d5d2958 824ff4b0 win32k!xxxSleepThread+0x2d 8d5d29cc 825547e8 win32k!xxxInterSendMsgEx+0xb1c 8d5d2a1c 825546a4 win32k!xxxSendMessageTimeout+0x13b 8d5d2a44 82533843 win32k!xxxSendMessage+0×28 8d5d2b08 824fd865 win32k!xxxCalcValidRects+0xf7 8d5d2b64 82502c98 win32k!xxxEndDeferWindowPosEx+0×100 8d5d2b84 825170c9 win32k!xxxSetWindowPos+0xf6 8d5d2c08 82517701 win32k!xxxActivateThisWindow+0×2b1 8d5d2c38 82517537 win32k!xxxActivateWindow+0×144 8d5d2c4c 824fd9dd win32k!xxxSwpActivate+0×44 8d5d2ca4 82502c98 win32k!xxxEndDeferWindowPosEx+0×278 8d5d2cc4 824fff82 win32k!xxxSetWindowPos+0xf6 8d5d2d10 82a5342a win32k!NtUserSetWindowPos+0×140 8d5d2d10 76ee64f4 nt!KiFastCallEntry+0×12a (TrapFrame @ 8d5d2d34) 01e2cea0 7621358d ntdll!KiFastSystemCallRet 01e2cea4 6a8fa0eb USER32!NtUserSetWindowPos+0xc 01e2cf14 6a894b13 IEFRAME!SHToggleDialogExpando+0×15a 01e2cf28 6a894d5d IEFRAME!EleDlg::ToggleExpando+0×20 01e2d74c 6a895254 IEFRAME!EleDlg::OnInitDlg+0×229 01e2d7b8 762186ef IEFRAME!EleDlg::DlgProcEx+0×189 01e2d7e4 76209eb2 USER32!InternalCallWinProc+0×23 01e2d860 7620b98b USER32!UserCallDlgProcCheckWow+0xd6 01e2d8a8 7620bb7b USER32!DefDlgProcWorker+0xa8 01e2d8c4 762186ef USER32!DefDlgProcW+0×22 01e2d8f0 76218876 USER32!InternalCallWinProc+0×23 01e2d968 76217631 USER32!UserCallWinProcCheckWow+0×14b 01e2d9a8 76209b1d USER32!SendMessageWorker+0×4d0 01e2da64 76235500 USER32!InternalCreateDialog+0xb0d 01e2da94 76235553 USER32!InternalDialogBox+0xa7 01e2dab4 76235689 USER32!DialogBoxIndirectParamAorW+0×37 01e2dad8 6a5d4952 USER32!DialogBoxParamW+0×3f 01e2db00 6a5d5024 IEFRAME!Detour_DialogBoxParamW+0×47 01e2db24 6a8956df IEFRAME!SHFusionDialogBoxParam+0×32 01e2db58 6a8957bb IEFRAME!EleDlg::ShowDialog+0×398 01e2e638 6a8959d3 IEFRAME!ShowDialogBox+0xb6 01e2eb9c 6a9013ed IEFRAME!ShowElevationPrompt+0×1dd 01e2f010 7669fc8f IEFRAME!CIEUserBrokerObject::BrokerCoCreateInstance+0×202 01e2f040 76704c53 RPCRT4!Invoke+0×2a 01e2f448 76d9d936 RPCRT4!NdrStubCall2+0×2d6 01e2f490 76d9d9c6 ole32!CStdStubBuffer_Invoke+0xb6 01e2f4d8 76d9df1f ole32!SyncStubInvoke+0×3c 01e2f524 76cb213c ole32!StubInvoke+0xb9 01e2f600 76cb2031 ole32!CCtxComChnl::ContextInvoke+0xfa 01e2f61c 76d9a754 ole32!MTAInvoke+0×1a 01e2f64c 76d9dcbb ole32!AppInvoke+0xab 01e2f72c 76d9a773 ole32!ComInvokeWithLockAndIPID+0×372 01e2f778 7669f34a ole32!ThreadInvoke+0×302 01e2f7b4 7669f4da RPCRT4!DispatchToStubInCNoAvrf+0×4a 01e2f80c 7669f3c6 RPCRT4!RPC_INTERFACE::DispatchToStubWorker+0×16c 01e2f834 766a0cef RPCRT4!RPC_INTERFACE::DispatchToStub+0×8b 01e2f86c 7669f882 RPCRT4!RPC_INTERFACE::DispatchToStubWithObject+0xb2 01e2f8b8 7669f7a4 RPCRT4!LRPC_SCALL::DispatchRequest+0×23b 01e2f8d8 7669f763 RPCRT4!LRPC_SCALL::QueueOrDispatchCall+0xbd 01e2f8f4 7669f5ff RPCRT4!LRPC_SCALL::HandleRequest+0×34f 01e2f928 7669f573 RPCRT4!LRPC_SASSOCIATION::HandleRequest+0×144 01e2f960 7669ee4f RPCRT4!LRPC_ADDRESS::HandleRequest+0xbd 01e2f9dc 7669ece7 RPCRT4!LRPC_ADDRESS::ProcessIO+0×50a 01e2f9e8 766a1357 RPCRT4!LrpcServerIoHandler+0×16 01e2f9f8 76ecd3a3 RPCRT4!LrpcIoComplete+0×16 01e2fa20 76ed0748 ntdll!TppAlpcpExecuteCallback+0×1c5 01e2fb88 76e11174 ntdll!TppWorkerThread+0×5a4 01e2fb94 76efb3f5 kernel32!BaseThreadInitThunk+0xe 01e2fbd4 76efb3c8 ntdll!__RtlUserThreadStart+0×70 01e2fbec 00000000 ntdll!_RtlUserThreadStart+0×1b

In the middle of the stack trace we see COM interface invocation in IEFRAME module. The similar stack trace fragment can be found in the following stack trace where COM IRemUnknown interface implementation resides in .NET CLR mscorwks module:

0:000> kL ChildEBP RetAddr 0018a924 68b5f8f0 mscorwks!SafeReleaseHelper+0x77 0018a958 68b04a99 mscorwks!SafeRelease+0x2f 0018a98c 68b04860 mscorwks!IUnkEntry::Free+0x68 0018a9a0 68b049b5 mscorwks!RCW::ReleaseAllInterfaces+0x18 0018a9d0 68b049e1 mscorwks!RCW::ReleaseAllInterfacesCallBack+0xbd 0018aa00 68c0a108 mscorwks!RCW::Cleanup+0x22 0018aa0c 68c0a570 mscorwks!RCWCleanupList::ReleaseRCWListRaw+0x16 0018aa3c 68bd4b3d mscorwks!RCWCleanupList::ReleaseRCWListInCorrectCtx+0xdf 0018aa4c 75dd8c2e mscorwks!CtxEntry::EnterContextCallback+0×89 0018aa68 763c586c ole32!CRemoteUnknown::DoCallback+0×7a 0018aa84 764405f1 rpcrt4!Invoke+0×2a 0018ae88 75efd936 rpcrt4!NdrStubCall2+0×2ea 0018aed0 75efd9c6 ole32!CStdStubBuffer_Invoke+0xb6 0018af18 75efdf1f ole32!SyncStubInvoke+0×3c 0018af64 75e1223c ole32!StubInvoke+0xb9 0018b040 75e12131 ole32!CCtxComChnl::ContextInvoke+0xfa 0018b05c 75e130fa ole32!MTAInvoke+0×1a 0018b088 75efde47 ole32!STAInvoke+0×46 0018b0bc 75efdcbb ole32!AppInvoke+0xab 0018b19c 75efe34c ole32!ComInvokeWithLockAndIPID+0×372 0018b1c4 75e12ed2 ole32!ComInvoke+0xc5 0018b1d8 75e12e91 ole32!ThreadDispatch+0×23 0018b21c 75a06238 ole32!ThreadWndProc+0×161 0018b248 75a068ea user32!InternalCallWinProc+0×23 0018b2c0 75a07d31 user32!UserCallWinProcCheckWow+0×109 0018b320 75a07dfa user32!DispatchMessageWorker+0×3bc 0018b330 75ddd6be user32!DispatchMessageW+0xf 0018b360 75ddd66d ole32!CCliModalLoop::PeekRPCAndDDEMessage+0×4c 0018b390 75ddd57e ole32!CCliModalLoop::FindMessage+0×30 0018b3f0 75ddd633 ole32!CCliModalLoop::HandleWakeForMsg+0×41 0018b408 75dd1117 ole32!CCliModalLoop::BlockFn+0xc3 0018b488 68a6c905 ole32!CoWaitForMultipleHandles+0xcd 0018b4a8 68a6c866 mscorwks!NT5WaitRoutine+0×51 0018b514 68a6c7ca mscorwks!MsgWaitHelper+0xa5 0018b534 68b5fbe4 mscorwks!Thread::DoAppropriateAptStateWait+0×28 0018b5b8 68b5fc79 mscorwks!Thread::DoAppropriateWaitWorker+0×13c 0018b608 68b5fdf9 mscorwks!Thread::DoAppropriateWait+0×40 0018b664 68a1c5b6 mscorwks!CLREvent::WaitEx+0xf7 0018b678 68b1adb4 mscorwks!CLREvent::Wait+0×17 0018b6c8 68b1ab2a mscorwks!WKS::GCHeap::FinalizerThreadWait+0xfb 0018b764 08fa12c1 mscorwks!GCInterface::RunFinalizers+0×99 […]

A TSST usually spans several modules. In any stack trace we can also find several TSST that may be overlapping. For example, in the first stack trace above we can discern fragments of COM, RPC, LPC, GUI Dialog, Window Management, and Window Messaging subtraces. In the second trace we can also see GC, Modal Loop, COM Wrapper, and Interface Management stack frames.

The closest software trace analysis pattern here is Implementation Discourse.

- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -

Posted in .NET Debugging, COM Debugging, Crash Dump Analysis, Crash Dump Patterns, Debugging, Software Trace Analysis, Software Trace Reading, Trace Analysis Patterns | 1 Comment »

The Year of Dump Analysis in Retrospection

Friday, January 14th, 2011

The Year of Dump Analysis, 0×7DA, was another remarkable year for DumpAnalysis.org. Here is the list of major achievements to report:

- Proposed software narratological framework

- Extended the concept of multithreading with adjoint threading

- After recognizing victimware as a counterpart to crimeware established Victimware.org (currently points to Memory Dump, Software Trace, Debugging and Malware Analysis Portal)

- Established the Dublin School of Security

- Proposed using category theory for memory dump analysis as an alternative to set-theoretical frameworks

- Secured the first Memory Dump Analysis Audit Service and its subsidiary Tool Objects: Unified Troubleshooting and Debugging to become portal sponsors

- Completely redesigned Debugging Experts Magazine Online

- Contributed to two issues of Debugged! MZ/PE magazine: Multithreading and Tools for Software Problem Solving

- Published the 4th volume of Memory Dump Analysis Anthology with color supplement

- Prepared material for the 5th volume of Memory Dump Analysis Anthology (to be published in January, 2011)

- Organized the first Debugging Jokes Competition and the first Tell Your Windows Debugging Story Competition

- Established the Metaphysical Society of Ireland to promote memory dump worldview

- Helped to deliver Fundamentals of Complete Crash and Hang Memory Dump Analysis webinar

- Established the Museum of Debugging and Memory Dumps (the 1st exhibition opens in 2011)

- Introduced Unified Debugging patterns, Workaround patterns and Structural Memory Analysis patterns

- Proposed and organized the first Memory Analysts and Debuggers Day (to be celebrated annually)

- Continued working on CARE research project and published its reference architecture

- Unified memory dump and software trace analysis patterns as software behavior patterns

- Memory Dump Analysis Anthology got international recognition when Korean translation of 1st volume was published

… and much more including many new memory dump and software trace analysis patterns, pattern icons, pattern models, and pattern-driven analysis case studies.

- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -

Posted in Announcements, Crash Dump Analysis, Debugging, History, Software Trace Analysis | No Comments »

Mad OS and other Publishing Blunders

Tuesday, January 11th, 2011

While thinking about writing an operating system for memory analysis and debugging I decided to check the abbreviation and found this publishing data submission error (I hope that was not intentional) for the book Canvas 5 URW Type Library, Mad OS and Windows by Editor. I put a screenshot just in case it is fixed when you are reading this post:

Further forward thinking led me to design the front cover for a book “Bugs in Publishing” (ISBN: 978-1906717803):

In my journey as a publisher (OpenTask) I did a lot of debugging, for example, my first printed book was without page numbers on pages (but they were present in the table of contents) :-)

Now small print:

Please do not even think that the delayed book is about switching to Mac OS X! It is only about publishing: all other interpretations are products of your wild imagination and a publisher does not assume any responsibility for the damage done…

- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -

Posted in Books, Fun with Debugging, Publishing | No Comments »

2010 in Retrospection (Part 1)

Sunday, January 9th, 2011

According to Google Analytics the number of visits / year increased by 0.7% since 2009 with almost 156,000 unique visitors (1% increase) from 184 countries (183 in 2009) and more than 33% of them are coming back. 1,322 visits were via 12 mobile operating systems (512% increase). Here are the top 100 network locations out of 28,612 (1% increase):

Service Provider	Visits
microsoft corp	6298
comcast cable communications inc.	4144
road runner holdco llc	3579
internet service provider	3106
verizon internet services inc.	2589
comite gestor da internet no brasil	2418
hewlett-packard company	2324
japan network information center	2199
deutsche telekom ag	2145
reliance communications ltd	1985
network of citrix systems inc	1698
eircom	1602
chunghwa telecom data communication business group	1560
nib (national internet backbone)	1458
charter communications	1325
symantec corporation	1261
proxad / free sas	1252
samtel	1121
uunet non-portable customer assignment	1087
at&t internet services	1084
intel corporation	1083
cox communications	1067
abts (karnataka)	1060
qwest communications company llc	957
comcast cable communications holdings inc	940
korea telecom	900
chtd chunghwa telecom co. ltd.	859
comcast business communications inc.	829
chinanet guangdong province network	817
ip pools	802
xo communications	802
china unicom beijing province network	799
microsoft	771
data general corporation	765
shaw communications inc.	761
comcast cable communications	746
tw telecom holdings inc.	697
unknown	684
citrix systems inc.	681
telefonica de espana sau	674
psinet inc.	661
telstra internet	647
chinanet shanghai province network	637
arcor ag	622
krnic	621
cox communications inc.	595
bellsouth.net inc.	576
optimum online (cablevision systems)	559
starhub cable vision ltd	539
ntt communications corporation	521
dell computer corporation	519
computer associates international	497
comcast cable communications ip services	481
cisco systems inc.	463
research in motion limited	459
sympatico hse	456
abts delhi	425
eset s.r.o.	425
telus communications inc.	416
comstar-direct cjsc	413
customers ie	411
emc corporation	408
abts tamilnadu	398
iinet limited	381
lg dacom corporation	376
rcs & rds s.a.	376
opal telecom dsl	372
network of ign arch. and design gb	367
kaspersky lab internet	362
easynet ltd	356
honeywell international inc.	347
dynamic ip pool for broadband customers	343
dynamic pools	336
siemens ag	335
global crossing	333
provider local registry	332
tpg internet pty ltd.	328
ojsc north-west telecom	326
telia network services	326
ipg	312
information management group	310
chinanet jiangsu province network	307
bharti infotel ltd.	305
wipro technologies	302
t-com croatia internet network	291
pt telkom indonesia	289
telecom italia s.p.a. tin easy lite	288
neostrada plus	285
singnet pte ltd	285
multiprotocol service provider to other isp s and end users	282
ibm india private limited	278
microsoft corporation	266
ekk catv plovdiv	262
alice dsl	260
level 3 communications inc.	257
telekom malaysia berhad	257
ukrtelecom ip network	254
comcast cable communications inc	251
appense	250
uecomm	250

Almost 71,000 Google search keywords pointed to the portal and this blog with 100 most frequent (some are in Russian):

Keyword	Visits
crash dump	2776
crash dump analysis	2463
kifastsystemcallret	2451
adplus	916
ntdll!kifastsystemcallret	905
dump analysis	865
win32 error 0n2	693
dumpanalysis.org	595
memory dump analysis	530
windows 7 crash dump	516
windbg commands	513
bugcheck system_service_exception	487
дамп памяти	473
crash dump windows 7	451
windbg	437
fnodobfm	431
bugcheck 3b	406
crashdump	404
crash dumps	385
minidump analysis	383
windbg crash dump analysis	382
crash dump analyzer	381
windbg cheat sheet	343
adplus download	330
анализ дампа памяти	325
dmitry vostokov	311
dump analyzer	311
windbg analyze	308
warning: frame ip not in any known module. following frames may be wrong.	290
the stored exception information can be accessed via .ecxr.	278
core dump analysis	268
symbol file could not be found	267
frame ip not in any known module	263
bugcheck kmode_exception_not_handled	256
dumpanalysis	250
the stored exception information can be accessed via .ecxr	242
memory dump analysis anthology	238
ntkrnlmp.exe crash dump	233
system_thread_exception_not_handled	225
kiuserexceptiondispatcher	222
getcontextstate failed, 0×80070026	210
0eedfade	207
kisystemservicecopyend	204
windbg crash dump	203
kernel_mode_exception_not_handled	202
rtlplowfragheapfree	202
windows crash dump analysis	202
crash dump analysis tool	196
exception_double_fault	195
trap frame	189
ntdll kifastsystemcallret	183
nt!kebugcheckex	178
tppworkerthread	178
vista kmode_exception_not_handled	177
dump artefact trace artefact	170
dump file analyzer	168
adplus tutorial	165
pool corruption	160
rtldispatchexception wine	155
termdd!icacallnextdriver	155
application_fault_status_breakpoint	153
ntdll.dll!kifastsystemcallret	153
basethreadinitthunk	152
bugcheck 7e	151
analyze crash dump	150
windbg script	149
memory dump analysis tool	146
warning: stack unwind information not available. following frames may be wrong.	146
error: symbol file could not be found	145
free special np	145
rtluserthreadstart	141
download adplus	140
мещанина никифора никитина	140
failure_bucket_id	131
application_hang_blockedon_fileio	129
how to use windbg for crash dump analysis	123
windows dump analyzer	123
getcontextstate failed, 0xd0000147	122
stack_text	121
minidump analyzer	120
time travel debugging	120
windbg dump analysis	120
__dyn_tls_init_callback	118
localdumps	118
system_service_exception 3b	118
windbg scripts	118
getcontextstate failed	114
unable to load image win32 error 0n2	114
windbg hang	114
windows crash dump	114
crash dump vista	112
debug_flr_image_timestamp	110
ntdll.kifastsystemcallret	107
system_service_exception	107
system_thread_exception_not_handled (7e)	107
анализ дампов памяти	107
bugcheck c2	106
kifastcallentry	106
ldrpsnapthunk	106
nmi_hardware_failure	104

Special thanks to more than 1,100 web sites that mention the portal and this blog with the first top 100:

Source	Visits
google.com	3955
windbg.org	2190
windbg.dumpanalysis.org	2178
google.co.in	1366
twitter.com	1295
blog.codeimproved.net	1158
stackoverflow.com	1075
facebook.com	780
winvistaclub.com	751
blogs.msdn.com	741
dumpanalysis.com	680
reddit.com	618
dumpanalysis.org	586
images.google.com	522
google.co.uk	456
bytetalk.net	398
google.de	359
itdatabase.com	351
advancedwindowsdebugging.com	291
en.wikipedia.org	283
google.ca	280
analyze-v.com	254
advanceddotnetdebugging.com	246
google.com.au	220
serverfault.com	201
community.citrix.com	199
google.ru	180
nynaeve.net	170
jasonhaley.com	167
blog.miniasp.com	166
google.fr	166
google.es	165
google.com.br	158
google.co.kr	152
reconstructer.org	151
blogs.microsoft.co.il	148
blog.naver.com	143
forum.sysinternals.com	141
google.com.ua	133
netfxharmonics.com	133
google.it	126
google.nl	126
debuggingexperts.com	124
blog.not-a-kernel-guy.com	119
images.google.co.in	107
citrixblogger.org	104
opentask.com	103
google.pl	102
images.google.co.uk	98
delicious.com	97
support.citrix.com	88
isisaka.com	85
linkedin.com	83
google.com.ar	81
google.com.tr	81
j00ru.vexillium.org	81
google.com.tw	79
pchelpforum.com	78
social.technet.microsoft.com	78
debuggingexperts.dumpanalysis.org	77
google.se	77
codemachine.com	73
google.com.ph	73
rfvicente.spaces.live.com	70
advdbg.org	68
google.co.il	68
google.co.za	68
techsupportforum.com	68
otvety.google.ru	67
google.com.sg	66
jinaida.egloos.com	65
google.ie	64
google.be	63
voneinem-windbg.blogspot.com	62
images.google.de	60
saygoodnight.com	59
caloni.com.br	57
google.at	57
google.ro	56
msuiche.net	56
driverentry.com.br	55
google.ch	55
google.com.pk	54
mitbbs.com	54
google.com.my	53
serious-code.net	53
bugswar.blogspot.com	51
google.com.mx	51
iconfactory.com	51
advdbg.com	49
managementbits.com	49
rsdn.ru	48
techradar.com	48
blog.48bits.com	47
cs.rochester.edu	47
dogpile.com	47
images.google.ca	47
evilcodecave.wordpress.com	46
google.pt	46

Top 25 visiting countries:

Country/Territory	Visits
United States	69610
India	19007
United Kingdom	16399
Russia	12497
Germany	10027
China	7942
Canada	7277
Japan	5393
France	5260
South Korea	4551
Australia	4305
Taiwan	3882
Ireland	3361
Netherlands	3152
Spain	3045
Ukraine	2981
Italy	2774
Israel	2720
Brazil	2592
Poland	2519
Sweden	2495
Singapore	2367
Romania	1990
Czech Republic	1784
Belgium	1481

More than 9,000 portal and blog pages were viewed a total of almost 387,000 times with top 100 content pages:

Page	Pageviews
/	45061
/blog/	35363
/blog/index.php/2008/01/10/what-is-kifastsystemcallret/	6673
/blog/index.php/2007/06/20/crash-dump-analysis-checklist/	6212
/blog/index.php/category/windbg-tips-and-tricks/	6151
/ru/blog/	4929
/blog/index.php/2008/09/12/adplus-in-21-seconds-and-13-steps/	3554
/Tools	3442
/blog/index.php/2007/07/20/crash-dump-analysis-patterns-part-17/	3311
/blog/index.php/category/windows-7/	3267
/Crash+Dump+Analysis+for+System+Administrators	2904
/blog/index.php/category/minidump-analysis/	2612
/blog/index.php/2007/09/06/minidump-analysis-part-2/	2604
/blog/index.php/2006/10/31/crash-dump-analysis-patterns-part-2/	2443
/blog/index.php/2007/04/03/crash-dump-analysis-patterns-part-11/	2366
/blog/index.php/2006/10/30/crash-dump-analysis-patterns-part-1/	2314
/blog/index.php/category/windbg-scripts/	2286
/blog/index.php/2008/03/12/bug-check-frequencies/	2220
/blog/index.php/2008/03/13/crash-dump-analysis-patterns-part-2b/	2113
/blog/index.php/2008/06/12/crash-dump-analysis-patterns-part-59b/	2104
/WinDbg+reference	2076
/Forthcoming+Windows+Debugging+Notebook	2054
/blog/index.php/2008/04/22/bugchecks-system_service_exception/	2048
/blog/index.php/about/	2038
/blog/index.php/2007/10/11/minidump-analysis-part-4/	1868
/blog/index.php/category/windows-server-2008/	1741
/blog/index.php/2007/09/11/crash-dump-analysis-patterns-part-26/	1736
/blog/index.php/2008/01/24/crash-dump-analysis-patterns-part-43/	1661
/blog/index.php/2007/12/17/crash-dump-analysis-patterns-part-41b/	1640
/blog/index.php/2007/10/17/crash-dump-analysis-patterns-part-31/	1631
/blog/index.php/2007/02/02/crash-dump-analysis-patterns-part-8/	1618
/blog/index.php/2007/05/19/resurrecting-dr-watson-on-vista/	1590
/blog/index.php/2006/12/09/clipboard-issues-explained/	1553
/Memory+Dump+Analysis+Anthology+Volume+1	1548
/blog/index.php/2007/09/17/resolving-symbol-file-could-not-be-found/	1524
/blog/index.php/2007/02/09/crash-dump-analysis-patterns-part-9a/	1516
/blog/index.php/2007/08/06/crash-dump-analysis-patterns-part-20a/	1445
/Memory+Dump+Analysis+Anthology+Volume+3	1423
/blog/index.php/2007/07/15/interrupts-and-exceptions-explained-part-4/	1422
/blog/index.php/crash-dump-analysis-patterns/	1368
/blog/index.php/2008/05/09/windbg-cheat-sheet-for-crash-dump-analysis/	1324
/Debugged+Magazine	1307
/ru/blog/index.php/category/komandy-otladchika-windbg/	1302
/blog/index.php/2007/03/04/windbg-tips-and-tricks-analyzing-hangs-faster/	1295
/blog/index.php/2007/04/25/bugchecks-system_thread_exception_not_handled/	1281
/blog/index.php/2007/08/29/minidump-analysis-part-1/	1267
/blog/index.php/category/windbg-tips-and-tricks/page/6/	1251
/ru/blog/index.php/page/2/	1251
/blog/index.php/2007/03/03/windbg-tips-and-tricks-hypertext-commands/	1203
/blog/index.php/category/gdb-for-windbg-users/	1193
/blog/index.php/basic-windows-crash-dump-analysis/	1191
/blog/index.php/2007/06/21/crash-dump-analysis-patterns-part-16a/	1151
/care	1151
/blog/index.php/category/bugchecks-depicted/	1143
/blog/index.php/2008/04/03/crash-dump-analysis-patterns-part-57/	1134
/museum-debugging	1103
/blog/index.php/category/bugchecks-depicted/page/2/	1099
/blog/index.php/2010/01/08/live-kernel-debugging-of-a-system-freeze-case-study/	1096
/arts-photography-links	1062
/blog/index.php/2007/09/	1022
/blog/index.php/2008/10/15/crash-dump-analysis-patterns-part-1b/	953
/blog/index.php/2007/08/04/visualizing-memory-dumps/	940
/blog/index.php/2007/11/02/crash-dump-analysis-patterns-part-13c/	932
/blog/index.php/category/dump-analysis/	921
/blog/index.php/crash-dump-examples/	912
/blog/index.php/2007/10/01/windows-service-crash-dumps-on-vista/	911
/blog/index.php/2007/02/10/crash-dump-analysis-in-visual-studio-2005/	904
/Forthcoming+Memory+Dump+Analysis+Anthology+Volume+2	902
/blog/index.php/category/windbg-scripts/page/2/	880
/blog/index.php/2006/10/	833
/blog/index.php/2008/06/26/heuristic-stack-trace-in-windbg-693113/	820
/blog/index.php/2008/01/02/how-to-distinguish-between-1st-and-2nd-chances/	813
/blog/index.php/2006/11/01/crash-dump-analysis-patterns-part-3/	790
/MDAA-color-supplement-vol1-3	783
/Forthcoming+Windows+Debugging:+Practical+Foundations	779
/blog/index.php/automated-analysis/	774
/blog/index.php/2007/05/20/custom-postmortem-debuggers-on-vista/	773
/contact	772
/blog/index.php/memory-dump-analysis-interview-questions/	763
/blog/index.php/2007/07/25/reconstructing-stack-trace-manually/	762
/blog/index.php/2007/09/14/crash-dump-analysis-patterns-part-27/	761
/training	760
/blog/index.php/category/net-debugging/	752
/blog/index.php/category/windbg-tips-and-tricks/page/2/	732
/blog/index.php/2007/04/25/bugchecks-kmode_exception_not_handled/	731
/blog/index.php/2007/07/01/gdb-for-windbg-users-part-5/	729
/blog/index.php/2009/04/28/trace-analysis-patterns-part-1/	729
/FCMDA-book	721
/blog/index.php/2007/06/21/repair-clipboard-chain-201/	720
/blog/index.php/category/cartoons/	706
/CDAPF-book	690
/blog/index.php/2008/03/08/time-travel-debugging/	690
/blog/index.php/2006/10/14/dumps-for-dummies-part-2/	679
/blog/index.php/2008/04/28/crash-dump-analysis-patterns-part-6a/	672
/blog/index.php/dumps-for-dummies/	672
/blog/index.php/2007/05/19/inside-vista-error-reporting-part-1/	661
/Links	640
/blog/index.php/2008/03/18/crash-dump-analysis-patterns-part-13e/	640
/blog/index.php/2008/05/28/net-managed-code-analysis-in-complete-memory-dumps/	635
/blog/index.php/foundations-of-debugging-x86/	635

- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -

Posted in Announcements, Crash Dump Analysis, Debugging, DumpAnalysis.org Statistics, History, Software Trace Analysis | No Comments »

Crash Dump Analysis Patterns (Part 126)

Saturday, January 8th, 2011

Finally I got a few good crash dumps illustrating Livelock pattern when 2 threads are looping while acquiring and releasing a resource but not progressing. We have these signs in selected WinDbg output below:

- high contention patterns or context switch counts

- increased CPU time in user and / or kernel mode

- at least one livelocked thread is scheduled for execution

- one of livelocked threads has unusual priority boost

- the same thread stack trace for both livelocked threads having similar stats like spent time and context switch counts

- zero waiting ticks

1: kd> !locks

Resource @ 0xfffffa8008464528 Exclusively owned Contention Count = 43743004 NumberOfExclusiveWaiters = 1 Threads: fffffa8008315b60-01<*> Threads Waiting On Exclusive Access: fffffa8005769660

41080 total locks, 1 locks currently held

1: kd> !running

Prcbs Current Next 1 fffff88001e68180 fffff88001e72fc0 fffffa8008315b60 …………….

We have these stack traces from stack trace collection:

THREAD fffffa8008315b60 Cid 0724.2a28 Teb: 000007fffff9c000 Win32Thread: 0000000000000000 ???? IRP List: fffffa80082e5990: (0006,0118) Flags: 00060000 Mdl: 00000000 Not impersonating DeviceMap fffff8a009f434e0 Owning Process fffffa8005726360 Image: ProcessA.exe Attached Process N/A Image: N/A Wait Start TickCount 522197 Ticks: 0 Context Switch Count 21665144 UserTime 00:00:40.373 KernelTime 00:02:42.791 Win32 Start Address 0×000007fef6939430 Stack Init fffff88007321db0 Current fffff88007321520 Base fffff88007322000 Limit fffff8800731c000 Call 0 Priority 8 BasePriority 6 UnusualBoost 1 ForegroundBoost 0 IoPriority 2 PagePriority 5 Child-SP RetAddr Call Site fffff880`07321560 fffff800`0168a992 nt!KiSwapContext+0×7a fffff880`073216a0 fffff800`0168ccff nt!KiCommitThreadWait+0×1d2 fffff880`07321730 fffff800`0164c242 nt!KeWaitForSingleObject+0×19f fffff880`073217d0 fffff800`0168b5ac nt!ExpWaitForResource+0xae fffff880`07321840 fffff880`04608d91 nt!ExAcquireResourceExclusiveLite+0×14f fffff880`073218b0 fffff880`04609e4e DriverA!foo+0×42 […] fffff880`07321a10 fffff800`0199ef66 nt!IopXxxControlFile+0×607 fffff880`07321b40 fffff800`01682993 nt!NtDeviceIoControlFile+0×56 fffff880`07321bb0 00000000`76ffff2a nt!KiSystemServiceCopyEnd+0×13 (TrapFrame @ fffff880`07321c20) 00000000`03a1f488 000007fe`fd06b399 ntdll!NtDeviceIoControlFile+0xa 00000000`03a1f490 00000000`76ea610f KERNELBASE!DeviceIoControl+0×75 00000000`03a1f500 000007fe`f74f3d7c kernel32!DeviceIoControlImplementation+0×7f […]

THREAD fffffa8005769660 Cid 0724.10b0 Teb: 000007fffffa6000 Win32Thread: 0000000000000000 WAIT: (WrResource) KernelMode Non-Alertable fffffa8006661f20 SynchronizationEvent IRP List: fffffa8006b1ac10: (0006,0118) Flags: 00060000 Mdl: 00000000 Not impersonating DeviceMap fffff8a009f434e0 Owning Process fffffa8005726360 Image: ProcessA.exe Attached Process N/A Image: N/A Wait Start TickCount 522197 Ticks: 0 Context Switch Count 21601988 UserTime 00:00:30.147 KernelTime 00:02:30.972 Win32 Start Address 0×000007fef6939430 Stack Init fffff880071bbdb0 Current fffff880071bb520 Base fffff880071bc000 Limit fffff880071b6000 Call 0 Priority 7 BasePriority 6 UnusualBoost 0 ForegroundBoost 0 IoPriority 2 PagePriority 5 Child-SP RetAddr Call Site fffff880`071bb560 fffff800`0168a992 nt!KiSwapContext+0×7a fffff880`071bb6a0 fffff800`0168ccff nt!KiCommitThreadWait+0×1d2 fffff880`071bb730 fffff800`0164c242 nt!KeWaitForSingleObject+0×19f fffff880`071bb7d0 fffff800`0168b5ac nt!ExpWaitForResource+0xae fffff880`071bb840 fffff880`04608d91 nt!ExAcquireResourceExclusiveLite+0×14f fffff880`071bb8b0 fffff880`04609e4e DriverA!foo+0×42 […] fffff880`071bba10 fffff800`0199ef66 nt!IopXxxControlFile+0×607 fffff880`071bbb40 fffff800`01682993 nt!NtDeviceIoControlFile+0×56 fffff880`071bbbb0 00000000`76ffff2a nt!KiSystemServiceCopyEnd+0×13 (TrapFrame @ fffff880`071bbc20) 00000000`033bf708 000007fe`fd06b399 ntdll!NtDeviceIoControlFile+0xa 00000000`033bf710 00000000`76ea610f KERNELBASE!DeviceIoControl+0×75 00000000`033bf780 000007fe`f74f3d7c kernel32!DeviceIoControlImplementation+0×7f […]