Crash Dump Analysis Patterns (Part 207)

The pattern called Small Value deals with easily recognizable values such as handles, timeouts, mouse pointer coordinates, enumeration values, window messages, etc. There is another kind of value that we call Design Values, for example, 256 (+/- 1) or some other round value. Here we can also add regular patterns in hex representation, such as window handles or flags, for example, 0x10008000. Such design values may also fall into some module range, the so-called Coincidental Symbolic Information pattern. If we see a design value in the output of WinDbg commands, especially in relation to abnormal behaviour patterns and not necessarily as a stack trace parameter (which can be False), then it might point to some design limitation that was reached. For example, Blocked ALPC Queue may have a limitation on the I/O Completion Port when we have ALPC Wait Chains in an unresponsive system:

0: kd> !alpc /p <port_address>
[...]
512 thread(s) are registered with port IO completion object:
[…]
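
A triage helper for the pattern described above, added here as an example and not code from the original post: it scans saved debugger output for numbers that look like Design Values. The three heuristics, the MIN_VALUE threshold and every sample line except the `512 thread(s)` excerpt are assumptions made for illustration.

```python
import re

# Constructed sample: the page's excerpt plus two made-up lines for contrast.
SAMPLE = """\
0: kd> !alpc /p <port_address>
512 thread(s) are registered with port IO completion object:
Flags: 0x10008000
17 message(s) queued, timeout 30000 ms
"""

# Decimal or 0x-prefixed hex tokens; the lookbehind skips digits inside identifiers.
TOKEN = re.compile(r"(?<![\w.])(0x[0-9a-fA-F]+|\d+)\b")

MIN_VALUE = 64  # assumption: smaller numbers are too common to be informative


def classify(value, is_hex):
    """Return a reason string if value looks like a Design Value, else None."""
    if value < MIN_VALUE:
        return None
    # 256 (+/- 1) generalised to any power of two, plus or minus one.
    for candidate in (value - 1, value, value + 1):
        if candidate & (candidate - 1) == 0:
            delta = value - candidate
            exp = candidate.bit_length() - 1
            return f"2^{exp}" + (f"{delta:+d}" if delta else "")
    # Regular hex patterns such as flags: only a few bits set (assumed <= 3).
    if is_hex and bin(value).count("1") <= 3:
        return "sparse bit pattern (flag-like)"
    # "Some other round value": assumed here to mean a multiple of 1000.
    if not is_hex and value % 1000 == 0:
        return "round decimal"
    return None


def find_design_values(text):
    """Return (line_no, token, reason) for each flagged number in the output."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for m in TOKEN.finditer(line):
            tok = m.group(1)
            is_hex = tok.lower().startswith("0x")
            reason = classify(int(tok, 16 if is_hex else 10), is_hex)
            if reason:
                hits.append((line_no, tok, reason))
    return hits


if __name__ == "__main__":
    for hit in find_design_values(SAMPLE):
        print(hit)
```

A hit is only a prompt to check whether a limit was reached; the same value can be coincidental, as the paragraph above notes for module ranges.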

- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -
