Trace Analysis Patterns (Part 38)
Sometimes we look at a trace and say it is an Impossible Trace. For example, this fragment shows that the function foo was called:
# Module PID TID Message
[...]
1001 ModuleA 202 404 foo: start
1002 ModuleA 202 404 foo: end
[...]
However, if we look at the corresponding source code (PLOT), we see that something is missing: the function bar must have been called, with its own set of trace messages that we don't see in the trace:
void foo()
{
    TRACE("foo: start");
    bar();
    TRACE("foo: end");
}

void bar()
{
    TRACE("bar: start");
    // some code ...
    TRACE("bar: end");
}
We suspect that the runtime code was modified, perhaps by patching. In other cases of missing messages we can also suspect thrown exceptions or local buffer overflows that led to a wrong return address, skipping the code with the expected tracing statements. The mismatch between the trace and the source code we are looking at is also possible if the old source code did not call the bar function.
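As an added example (not code from the original post), the following Python checker encodes the caller/callee expectation from the source above as a constructed call map and flags any foo start/end window on a thread where bar's own start/end messages are absent; the column layout and sample lines are constructed to match the fragment.

```python
import re
from collections import defaultdict

# Trace line format used in the post: "# Module PID TID Message".
LINE_RE = re.compile(r"^(\d+)\s+(\S+)\s+(\d+)\s+(\d+)\s+(.*)$")

# From the source code: foo always calls bar between its start and end (constructed).
CALL_MAP = {"foo": ["bar"]}

def parse_trace(text):
    """Return (seq, module, pid, tid, message) tuples; header and '[...]' lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            seq, module, pid, tid, msg = m.groups()
            rows.append((int(seq), module, int(pid), int(tid), msg))
    return rows

def find_impossible(rows, call_map=CALL_MAP):
    """Per thread, find 'caller: start'..'caller: end' windows that lack the
    callee's own start/end messages. Returns (pid, tid, caller, callee, seq)."""
    by_thread = defaultdict(list)
    for seq, _mod, pid, tid, msg in rows:
        by_thread[(pid, tid)].append((seq, msg))
    problems = []
    for (pid, tid), msgs in by_thread.items():
        for i, (seq, msg) in enumerate(msgs):
            for caller, callees in call_map.items():
                if msg != f"{caller}: start":
                    continue
                window = []  # messages on this thread until the matching end
                for _s, m2 in msgs[i + 1:]:
                    if m2 == f"{caller}: end":
                        break
                    window.append(m2)
                for callee in callees:
                    if f"{callee}: start" not in window or f"{callee}: end" not in window:
                        problems.append((pid, tid, caller, callee, seq))
    return problems

# Constructed sample reproducing the post's fragment: bar's messages are absent.
SAMPLE_TRACE = """\
# Module PID TID Message
[...]
1001 ModuleA 202 404 foo: start
1002 ModuleA 202 404 foo: end
"""

print(find_impossible(parse_trace(SAMPLE_TRACE)))  # -> [(202, 404, 'foo', 'bar', 1001)]
```

A non-empty result means the trace contradicts the source code in hand, which is the cue to check for runtime patching, a skipped return path, or a source version mismatch as described above.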
Note: I’m grateful for this pattern idea to Gary Barton.
- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -