Software Diagnostics Library

Sometimes we don’t have symbols (No Component Symbols pattern) or have only a restricted set that we call No Data Types pattern. For example, in a base OS we have data types:

0:016> dt ntdll!*
          ntdll!LIST_ENTRY64
          ntdll!LIST_ENTRY32
          ntdll!_KUSER_SHARED_DATA
          ntdll!_KSYSTEM_TIME
          ntdll!_KSYSTEM_TIME
          ntdll!_NT_PRODUCT_TYPE
[...]

In the “private” version we don’t have them although the symbol file exists:

0:015> dt ntdll!*
0:015> !lmi ntdll
Loaded Module Info: [ntdll]
         Module: ntdll
   Base Address: 0000000076de0000
     Image Name: ntdll.dll
   Machine Type: 34404 (X64)
     Time Stamp: 4dcd9861 Fri May 13 21:45:21 2011
           Size: 17f000
       CheckSum: 188814
Characteristics: 2022  perf
Debug Data Dirs: Type  Size     VA  Pointer
             CODEVIEW    22, f72a8,   f66a8 RSDS - GUID: {05A648A7-625D-42E7-B736-7816F0CA1E0C}
               Age: 2, Pdb: ntdll.pdb
                CLSID     8, f72a0,   f66a0 [Data not mapped]
     Image Type: MEMORY   - Image read successfully from loaded memory.
    Symbol Type: PDB      - Symbols loaded successfully from symbol server.
                 c:\mss\ntdll.pdb\05A648A7625D42E7B7367816F0CA1E0C2\ntdll.pdb
    Load Report: public symbols , not source indexed
                 c:\mss\ntdll.pdb\05A648A7625D42E7B7367816F0CA1E0C2\ntdll.pdb

In such cases manually loading a proximate module might help: Coping with missing symbolic information (although I haven’t yet tested it on x64 systems). I also thought of naming the pattern as Private Modification but that would not cover many other cases where types were missing from the very beginning.

- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -

This entry was posted on Sunday, June 12th, 2011 at 10:55 pm and is filed under Crash Dump Analysis, Crash Dump Patterns, Debugging. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.