Trace Analysis Patterns (Part 39)

Adjoint Thread invariants such as PID can be reused, giving rise to curious CDF (ETW) traces where two separate execution entities are glued together in one trace. For example, in one trace we see AppA and AppB sharing the same PID:

#      Module  PID  TID   Time         Message
[…]
242583 ProcMon 5492 9476  11:04:33.398 LoadImageEvent for ImageName: …\AppA.exe PID: 5492
256222 ProcMon 5492 9476  11:04:50.036 ProcessDestroyEvent for PPID: 12168 PID: 5492 
274887 ProcMon 5492 10288 11:05:18.235 LoadImageEvent for ImageName: …\AppB.exe PID: 5492 
[…]

Other similar examples might include different instances of components sharing the same name or source code, or even, in general, periodic tracing sessions appended to the end of the same trace file, although we think the latter should be a separate pattern. We named this pattern Glued Activity by analogy with different thread strings glued together (in general, manifolds glued along their boundaries). Another name might be along the lines of adjoint thread ID reuse (ATID Reuse).
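
One way to unglue such a trace, shown as an added example that is not part of the original post: the script splits each PID adjoint thread into separate process lifetimes at every ProcessDestroyEvent and reports PIDs that carry more than one lifetime. It assumes the column layout of the excerpt above and that a ProcessDestroyEvent ends the lifetime of its PID; the function names and the fourth sample line are constructed for illustration.

```python
import re

# First three lines are the excerpt above; the fourth is constructed as a control.
SAMPLE = r"""
242583 ProcMon 5492 9476  11:04:33.398 LoadImageEvent for ImageName: …\AppA.exe PID: 5492
256222 ProcMon 5492 9476  11:04:50.036 ProcessDestroyEvent for PPID: 12168 PID: 5492
274887 ProcMon 5492 10288 11:05:18.235 LoadImageEvent for ImageName: …\AppB.exe PID: 5492
274901 ProcMon 7120 3344  11:05:18.301 LoadImageEvent for ImageName: …\AppC.exe PID: 7120
"""

# Columns: #, Module, PID, TID, Time, Message
LINE = re.compile(r"^(\d+)\s+(\S+)\s+(\d+)\s+(\d+)\s+(\S+)\s+(.*)$")
IMAGE = re.compile(r"LoadImageEvent for ImageName: (.*?\.exe) PID: (\d+)", re.I)
DESTROY = re.compile(r"ProcessDestroyEvent\b.*\bPID: (\d+)\s*$")

def split_glued(trace):
    """Return {pid: [lifetime, ...]}; each lifetime records the first and last
    message numbers it spans and the .exe images loaded within it."""
    lifetimes, closed = {}, set()
    for raw in trace.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # header, blank line or "[…]" elision
        num, pid, msg = int(m.group(1)), int(m.group(3)), m.group(6)
        # A message for a PID already seen destroyed starts a new lifetime.
        if pid in closed or pid not in lifetimes:
            closed.discard(pid)
            lifetimes.setdefault(pid, []).append(
                {"first": num, "last": num, "images": []})
        cur = lifetimes[pid][-1]
        cur["last"] = num
        img = IMAGE.search(msg)
        if img and int(img.group(2)) == pid:
            cur["images"].append(img.group(1).rsplit("\\", 1)[-1])
        end = DESTROY.search(msg)
        if end and int(end.group(1)) == pid:
            closed.add(pid)
    return lifetimes

def glued_pids(trace):
    """PIDs whose adjoint thread contains more than one process lifetime."""
    return {p: l for p, l in split_glued(trace).items() if len(l) > 1}

if __name__ == "__main__":
    for pid, parts in glued_pids(SAMPLE).items():
        for i, part in enumerate(parts, 1):
            print(pid, i, part["first"], part["last"], part["images"])
```

Messages logged by the old process after its destroy event would be attributed to the next lifetime, so boundaries near a ProcessDestroyEvent deserve a manual look.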

- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -
