Archive for the ‘Debugging’ Category

Trace Analysis Patterns (Part 36)

Sunday, January 30th, 2011

When reading and analyzing software traces we always compare them to a Master Trace. Another name for this pattern, borrowed from narrative theory, is Archetype. When looking at a software trace from a system we either already know the correct sequence of Activity Regions and expect certain Background and Foreground Components and an Event Sequence Order, or we mentally construct a model based on our experience and Implementation Discourse. In the latter case software engineers internalize software master narratives when they construct code and write tracing code for supportability. In the former case it is important to have a repository of traces corresponding to master traces. This helps in finding deviations after a Bifurcation Point. Consider such comparisons similar to regression testing, where we check the computation output against the expected prerecorded sequence.
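As an added example (not part of the original post), here is a small Python comparator that does the regression-style check described above: it normalizes two traces, strips the fields that legitimately differ between runs (timestamp, PID/TID, handles), and reports the Bifurcation Point and the deviating events. The two traces, the line layout and the field names are constructed assumptions.

```python
import difflib
import re
from typing import List, Optional, Tuple

# Constructed sample traces (not from the original post). MASTER_TRACE is the
# expected, prerecorded sequence; NEW_TRACE is what a failing run produced.
MASTER_TRACE = """\
00:00:01.000 [0724.1a2c] ServiceMain: start
00:00:01.010 [0724.1a2c] Config: loaded 12 keys
00:00:01.020 [0724.1a2c] Worker: thread created tid=0x1b30
00:00:01.030 [0724.1b30] Worker: open device \\\\.\\DriverA handle=0x000001f4
00:00:01.040 [0724.1b30] Worker: ioctl 0x222004 status=0x00000000
00:00:01.050 [0724.1b30] Worker: close handle=0x000001f4
00:00:01.060 [0724.1a2c] ServiceMain: stop
"""

NEW_TRACE = """\
09:12:44.100 [0a10.0ff8] ServiceMain: start
09:12:44.112 [0a10.0ff8] Config: loaded 12 keys
09:12:44.120 [0a10.0ff8] Worker: thread created tid=0x2e44
09:12:44.131 [0a10.2e44] Worker: open device \\\\.\\DriverA handle=0x00000210
09:12:44.140 [0a10.2e44] Worker: ioctl 0x222004 status=0xc0000022
09:12:44.141 [0a10.2e44] Worker: retry ioctl 0x222004 status=0xc0000022
09:12:44.160 [0a10.0ff8] ServiceMain: stop
"""

# Assumed line layout: "hh:mm:ss.mmm [pid.tid] Component: message".
PREFIX_RE = re.compile(r"^\d{2}:\d{2}:\d{2}\.\d{3}\s+\[[0-9a-f]+\.[0-9a-f]+\]\s+")
# Run-specific values that differ between runs and must not count as
# deviations; status codes are deliberately kept because they carry meaning.
VOLATILE_RE = re.compile(r"\b(handle|tid)=0x[0-9a-fA-F]+")


def normalize(line: str) -> str:
    """Strip the timestamp/PID/TID prefix and mask run-specific handles and ids."""
    return VOLATILE_RE.sub(r"\1=<n>", PREFIX_RE.sub("", line.strip()))


def parse_trace(text: str) -> List[str]:
    return [normalize(line) for line in text.splitlines() if line.strip()]


def bifurcation_point(master: List[str], trace: List[str]) -> Optional[int]:
    """Index of the first event at which the trace departs from the master,
    or None when the trace follows the master exactly."""
    for i, (expected, actual) in enumerate(zip(master, trace)):
        if expected != actual:
            return i
    return None if len(master) == len(trace) else min(len(master), len(trace))


def deviations(master: List[str], trace: List[str]) -> List[Tuple[str, str]]:
    """Events missing from, or extra in, the trace relative to the master."""
    matcher = difflib.SequenceMatcher(None, master, trace, autojunk=False)
    out: List[Tuple[str, str]] = []
    for tag, i1, i2, j1, j2 in matcher.get_opcodes():
        if tag == "equal":
            continue
        out.extend(("missing", ev) for ev in master[i1:i2])
        out.extend(("extra", ev) for ev in trace[j1:j2])
    return out


if __name__ == "__main__":
    master, trace = parse_trace(MASTER_TRACE), parse_trace(NEW_TRACE)
    print("bifurcation point:", bifurcation_point(master, trace))
    for kind, event in deviations(master, trace):
        print(f"{kind:8} {event}")
```

The normalization step is what makes a repository of master traces usable: without masking the volatile fields every run would "deviate" at its first timestamp. Which fields to mask is a per-trace-format decision; here the status code is kept on purpose, so the failed ioctl shows up as the bifurcation point.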

- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -

Why Memory Dump Analysis Audit is Good for You

Saturday, January 29th, 2011

Our sponsor, Memory Dump Analysis Services, has published common questions and answers regarding their operation and competitive advantage over traditional software support organizations:

http://www.dumpanalysis.com/common-qa 

I like their bold statement that they don’t have any competitors because they are one step further by providing an audit. This reminds me of the statement I learnt at school: Marxism is all-powerful because it is true.

- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -

Memory Visualization Tools

Tuesday, January 25th, 2011

This is the 3rd revision of the memory map visualization tools list, where I include IDA Pro and a visualizer from Debug Analyzer.NET (every category is presented in chronological order of my encounter with the links):

1. Synthetic

2. Natural

a. Static

b. Semi-dynamic

c. Dynamic

Please let me know any other approaches or links you know.

- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -

Icons for Memory Dump Analysis Patterns (Part 88)

Monday, January 24th, 2011

Today we introduce an icon for the Blocked Thread (software) pattern, in B/W and Color versions (icon images).

- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -

The Window of Opportunity (Debugging Slang, Part 23)

Saturday, January 22nd, 2011

The Window of Opportunity - WYSIWYG. Requires scrolling or search to get most of it.

Examples: He opened a log file in Notepad and was staring at it in disbelief. There was no error. After some time he closed the window of opportunity.

- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -

Dump (Debugging Slang, Part 22.1)

Saturday, January 22nd, 2011

Dump - The last hope.

Examples: He was so desperate on site that he asked whether a complete dump would do.

- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -

Pre-analysis (Debugging Slang, Part 21)

Saturday, January 22nd, 2011

Pre-analysis - Avoiding crash dump analysis anti-patterns like a wrong dump or zippocricy. Sometimes it comes with a wild explanation no one asked for. Also, checking whether a software trace is empty before sending it.

Examples: He is always doing !locks pre-analysis before sending any dump.

- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -

Bugtation No.137

Thursday, January 20th, 2011

Debugging is defaulting.

Dmitry Vostokov, “It’s time to stop faulting!” programme from the independent Irish political candidate for the next general election who was writing programs in the past

- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -

Collaborative Analysis Audit Access System from MDAS

Tuesday, January 18th, 2011

Memory Dump Analysis Services announces the launch of CollaborativeA3System for its new and existing customers:

“… is a way to report and discuss memory dump analysis using well-known and time-proven iterative and incremental processes. Several corporate users can view, comment on and learn various aspects of an analysis report gradually improving initial preliminary analysis to its final deliverable form.”

Source: http://www.dumpanalysis.com/collaborative-analysis-audit-access-system

- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -

2010 in Retrospection (Part 2)

Monday, January 17th, 2011

One of the great surprises in 2010 was the popularity of the WinDbg.org page. I had never thought it was so popular! Originally forwarded to a subdomain of the Crash Dump Analysis Portal when introduced in February 2008 as a way to quickly download Debugging Tools for Windows and set up symbols, it was made a full domain in July 2010 with a corresponding Google Analytics setup. Since then it enjoys 7,000 - 9,000 visits per month with an almost 93% return rate, with Microsoft, Intel, HP, Road Runner, Dell, Citrix, EMC, CA, Samsung, Cisco, Symantec, AMD, IBM, Oracle, and McAfee among its biggest users. I myself find it very useful in the field when I need to quickly set up debugging components. To the best of my knowledge the page remains the fastest way to do that. There will be more useful information linked to it in 2011.

Another trend is the rise of the online version of Debugged! MZ/PE magazine that was completely redesigned in August, 2010 and now approaches 2,000 visitors per month. In 2011 there are some new initiatives coming for this online magazine.

- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -

Crash Dump Analysis Patterns (Part 127)

Saturday, January 15th, 2011

Stack Trace is a general pattern, and finer-grained patterns can always be found inside stack traces as well. Here we discuss a general category of such stack trace patterns called Technology-Specific Subtrace (TSST) and give examples related to COM technology.

Consider this trace:

1: kd> k250
ChildEBP RetAddr
8d5d2808 82a7eb15 nt!KiSwapContext+0x26
8d5d2840 82a7d403 nt!KiSwapThread+0x266
8d5d2868 82a772cf nt!KiCommitThreadWait+0x1df
8d5d28e0 82550d75 nt!KeWaitForSingleObject+0x393
8d5d293c 82550e10 win32k!xxxRealSleepThread+0x1d7
8d5d2958 824ff4b0 win32k!xxxSleepThread+0x2d
8d5d29cc 825547e8 win32k!xxxInterSendMsgEx+0xb1c
8d5d2a1c 825546a4 win32k!xxxSendMessageTimeout+0x13b
8d5d2a44 82533843 win32k!xxxSendMessage+0x28
8d5d2b08 824fd865 win32k!xxxCalcValidRects+0xf7
8d5d2b64 82502c98 win32k!xxxEndDeferWindowPosEx+0x100
8d5d2b84 825170c9 win32k!xxxSetWindowPos+0xf6
8d5d2c08 82517701 win32k!xxxActivateThisWindow+0x2b1
8d5d2c38 82517537 win32k!xxxActivateWindow+0x144
8d5d2c4c 824fd9dd win32k!xxxSwpActivate+0x44
8d5d2ca4 82502c98 win32k!xxxEndDeferWindowPosEx+0x278
8d5d2cc4 824fff82 win32k!xxxSetWindowPos+0xf6
8d5d2d10 82a5342a win32k!NtUserSetWindowPos+0x140
8d5d2d10 76ee64f4 nt!KiFastCallEntry+0x12a (TrapFrame @ 8d5d2d34)
01e2cea0 7621358d ntdll!KiFastSystemCallRet
01e2cea4 6a8fa0eb USER32!NtUserSetWindowPos+0xc
01e2cf14 6a894b13 IEFRAME!SHToggleDialogExpando+0x15a
01e2cf28 6a894d5d IEFRAME!EleDlg::ToggleExpando+0x20
01e2d74c 6a895254 IEFRAME!EleDlg::OnInitDlg+0x229
01e2d7b8 762186ef IEFRAME!EleDlg::DlgProcEx+0x189
01e2d7e4 76209eb2 USER32!InternalCallWinProc+0x23
01e2d860 7620b98b USER32!UserCallDlgProcCheckWow+0xd6
01e2d8a8 7620bb7b USER32!DefDlgProcWorker+0xa8
01e2d8c4 762186ef USER32!DefDlgProcW+0x22
01e2d8f0 76218876 USER32!InternalCallWinProc+0x23
01e2d968 76217631 USER32!UserCallWinProcCheckWow+0x14b
01e2d9a8 76209b1d USER32!SendMessageWorker+0x4d0
01e2da64 76235500 USER32!InternalCreateDialog+0xb0d
01e2da94 76235553 USER32!InternalDialogBox+0xa7
01e2dab4 76235689 USER32!DialogBoxIndirectParamAorW+0x37
01e2dad8 6a5d4952 USER32!DialogBoxParamW+0x3f
01e2db00 6a5d5024 IEFRAME!Detour_DialogBoxParamW+0x47
01e2db24 6a8956df IEFRAME!SHFusionDialogBoxParam+0x32
01e2db58 6a8957bb IEFRAME!EleDlg::ShowDialog+0x398
01e2e638 6a8959d3 IEFRAME!ShowDialogBox+0xb6
01e2eb9c 6a9013ed IEFRAME!ShowElevationPrompt+0x1dd
01e2f010 7669fc8f IEFRAME!CIEUserBrokerObject::BrokerCoCreateInstance+0x202
01e2f040 76704c53 RPCRT4!Invoke+0x2a
01e2f448 76d9d936 RPCRT4!NdrStubCall2+0x2d6
01e2f490 76d9d9c6 ole32!CStdStubBuffer_Invoke+0xb6
01e2f4d8 76d9df1f ole32!SyncStubInvoke+0x3c
01e2f524 76cb213c ole32!StubInvoke+0xb9
01e2f600 76cb2031 ole32!CCtxComChnl::ContextInvoke+0xfa
01e2f61c 76d9a754 ole32!MTAInvoke+0x1a
01e2f64c 76d9dcbb ole32!AppInvoke+0xab
01e2f72c 76d9a773 ole32!ComInvokeWithLockAndIPID+0x372
01e2f778 7669f34a ole32!ThreadInvoke+0x302
01e2f7b4 7669f4da RPCRT4!DispatchToStubInCNoAvrf+0x4a
01e2f80c 7669f3c6 RPCRT4!RPC_INTERFACE::DispatchToStubWorker+0x16c
01e2f834 766a0cef RPCRT4!RPC_INTERFACE::DispatchToStub+0x8b
01e2f86c 7669f882 RPCRT4!RPC_INTERFACE::DispatchToStubWithObject+0xb2
01e2f8b8 7669f7a4 RPCRT4!LRPC_SCALL::DispatchRequest+0x23b
01e2f8d8 7669f763 RPCRT4!LRPC_SCALL::QueueOrDispatchCall+0xbd
01e2f8f4 7669f5ff RPCRT4!LRPC_SCALL::HandleRequest+0x34f
01e2f928 7669f573 RPCRT4!LRPC_SASSOCIATION::HandleRequest+0x144
01e2f960 7669ee4f RPCRT4!LRPC_ADDRESS::HandleRequest+0xbd
01e2f9dc 7669ece7 RPCRT4!LRPC_ADDRESS::ProcessIO+0x50a
01e2f9e8 766a1357 RPCRT4!LrpcServerIoHandler+0x16
01e2f9f8 76ecd3a3 RPCRT4!LrpcIoComplete+0x16
01e2fa20 76ed0748 ntdll!TppAlpcpExecuteCallback+0x1c5
01e2fb88 76e11174 ntdll!TppWorkerThread+0x5a4
01e2fb94 76efb3f5 kernel32!BaseThreadInitThunk+0xe
01e2fbd4 76efb3c8 ntdll!__RtlUserThreadStart+0x70
01e2fbec 00000000 ntdll!_RtlUserThreadStart+0x1b

In the middle of the stack trace we see a COM interface invocation in the IEFRAME module. A similar stack trace fragment can be found in the following stack trace, where the COM IRemUnknown callback (ole32!CRemoteUnknown::DoCallback) dispatches into the .NET CLR mscorwks module:

0:000> kL
ChildEBP RetAddr
0018a924 68b5f8f0 mscorwks!SafeReleaseHelper+0x77
0018a958 68b04a99 mscorwks!SafeRelease+0x2f
0018a98c 68b04860 mscorwks!IUnkEntry::Free+0x68
0018a9a0 68b049b5 mscorwks!RCW::ReleaseAllInterfaces+0x18
0018a9d0 68b049e1 mscorwks!RCW::ReleaseAllInterfacesCallBack+0xbd
0018aa00 68c0a108 mscorwks!RCW::Cleanup+0x22
0018aa0c 68c0a570 mscorwks!RCWCleanupList::ReleaseRCWListRaw+0x16
0018aa3c 68bd4b3d mscorwks!RCWCleanupList::ReleaseRCWListInCorrectCtx+0xdf
0018aa4c 75dd8c2e mscorwks!CtxEntry::EnterContextCallback+0x89
0018aa68 763c586c ole32!CRemoteUnknown::DoCallback+0x7a
0018aa84 764405f1 rpcrt4!Invoke+0x2a
0018ae88 75efd936 rpcrt4!NdrStubCall2+0x2ea
0018aed0 75efd9c6 ole32!CStdStubBuffer_Invoke+0xb6
0018af18 75efdf1f ole32!SyncStubInvoke+0x3c
0018af64 75e1223c ole32!StubInvoke+0xb9
0018b040 75e12131 ole32!CCtxComChnl::ContextInvoke+0xfa
0018b05c 75e130fa ole32!MTAInvoke+0x1a
0018b088 75efde47 ole32!STAInvoke+0x46
0018b0bc 75efdcbb ole32!AppInvoke+0xab
0018b19c 75efe34c ole32!ComInvokeWithLockAndIPID+0x372
0018b1c4 75e12ed2 ole32!ComInvoke+0xc5
0018b1d8 75e12e91 ole32!ThreadDispatch+0x23
0018b21c 75a06238 ole32!ThreadWndProc+0x161
0018b248 75a068ea user32!InternalCallWinProc+0x23
0018b2c0 75a07d31 user32!UserCallWinProcCheckWow+0x109
0018b320 75a07dfa user32!DispatchMessageWorker+0x3bc
0018b330 75ddd6be user32!DispatchMessageW+0xf
0018b360 75ddd66d ole32!CCliModalLoop::PeekRPCAndDDEMessage+0x4c
0018b390 75ddd57e ole32!CCliModalLoop::FindMessage+0x30
0018b3f0 75ddd633 ole32!CCliModalLoop::HandleWakeForMsg+0x41
0018b408 75dd1117 ole32!CCliModalLoop::BlockFn+0xc3
0018b488 68a6c905 ole32!CoWaitForMultipleHandles+0xcd
0018b4a8 68a6c866 mscorwks!NT5WaitRoutine+0x51
0018b514 68a6c7ca mscorwks!MsgWaitHelper+0xa5
0018b534 68b5fbe4 mscorwks!Thread::DoAppropriateAptStateWait+0x28
0018b5b8 68b5fc79 mscorwks!Thread::DoAppropriateWaitWorker+0x13c
0018b608 68b5fdf9 mscorwks!Thread::DoAppropriateWait+0x40
0018b664 68a1c5b6 mscorwks!CLREvent::WaitEx+0xf7
0018b678 68b1adb4 mscorwks!CLREvent::Wait+0x17
0018b6c8 68b1ab2a mscorwks!WKS::GCHeap::FinalizerThreadWait+0xfb
0018b764 08fa12c1 mscorwks!GCInterface::RunFinalizers+0x99
[…]

A TSST usually spans several modules. In any stack trace we can also find several TSSTs, and they may overlap. For example, in the first stack trace above we can discern fragments of COM, RPC, LPC, GUI Dialog, Window Management, and Window Messaging subtraces. In the second trace we can also see GC, Modal Loop, COM Wrapper (RCW), and Interface Management stack frames.

The closest software trace analysis pattern here is Implementation Discourse.
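As an added example (not code from the original post), the Python below mechanizes the TSST recognition described above: it parses WinDbg k output, labels each frame with a technology from a rule table keyed on module and symbol, and collapses consecutive frames with the same label into subtraces, so the RPC/COM/RPC/LPC sandwich of a stub dispatch becomes visible at a glance. The rule table and the technology names are this example's own assumptions, not a WinDbg feature; the sample input is an excerpt (with frames omitted) of the first trace above.

```python
import re
from typing import List, Optional, Tuple

# Excerpt (frames omitted) of the first k250 output in the post. The prompt
# and column header are kept to show that non-frame lines are skipped.
SAMPLE_STACK = """\
1: kd> k250
ChildEBP RetAddr
01e2dab4 76235689 USER32!DialogBoxIndirectParamAorW+0x37
01e2dad8 6a5d4952 USER32!DialogBoxParamW+0x3f
01e2db00 6a5d5024 IEFRAME!Detour_DialogBoxParamW+0x47
01e2eb9c 6a9013ed IEFRAME!ShowElevationPrompt+0x1dd
01e2f010 7669fc8f IEFRAME!CIEUserBrokerObject::BrokerCoCreateInstance+0x202
01e2f040 76704c53 RPCRT4!Invoke+0x2a
01e2f448 76d9d936 RPCRT4!NdrStubCall2+0x2d6
01e2f490 76d9d9c6 ole32!CStdStubBuffer_Invoke+0xb6
01e2f4d8 76d9df1f ole32!SyncStubInvoke+0x3c
01e2f72c 76d9a773 ole32!ComInvokeWithLockAndIPID+0x372
01e2f778 7669f34a ole32!ThreadInvoke+0x302
01e2f7b4 7669f4da RPCRT4!DispatchToStubInCNoAvrf+0x4a
01e2f834 766a0cef RPCRT4!RPC_INTERFACE::DispatchToStub+0x8b
01e2f8b8 7669f7a4 RPCRT4!LRPC_SCALL::DispatchRequest+0x23b
01e2f960 7669ee4f RPCRT4!LRPC_ADDRESS::HandleRequest+0xbd
01e2f9f8 76ecd3a3 RPCRT4!LrpcIoComplete+0x16
01e2fa20 76ed0748 ntdll!TppAlpcpExecuteCallback+0x1c5
01e2fb94 76efb3f5 kernel32!BaseThreadInitThunk+0xe
"""

# A frame line: ChildEBP/Child-SP, RetAddr, then module!symbol[+offset].
FRAME_RE = re.compile(
    r"^[0-9a-f`]+\s+[0-9a-f`]+\s+(?P<module>[^!\s]+)!(?P<symbol>[^+\s]+)")

# Classification rules, first match wins: (module in lower case, or None for
# any module; regex over the symbol; technology label). Assumed heuristics.
RULES: List[Tuple[Optional[str], str, str]] = [
    ("ole32", r"CCliModalLoop", "Modal Loop"),
    ("ole32", r".", "COM"),
    ("rpcrt4", r"LRPC_|Lrpc", "LPC"),
    ("rpcrt4", r".", "RPC"),
    ("user32", r"Dialog|DlgProc", "GUI Dialog"),
    ("user32", r"Message|WinProc", "Window Messaging"),
    ("user32", r"NtUser", "Window Management"),
    ("win32k", r"SendMessage|SendMsg|SleepThread", "Window Messaging"),
    ("win32k", r".", "Window Management"),
    ("mscorwks", r"RCW|IUnkEntry|SafeRelease|CtxEntry", "COM Wrapper"),
    ("mscorwks", r"GC|Finalizer", "GC"),
    (None, r"Dialog|DlgProc", "GUI Dialog"),
    (None, r"CoCreateInstance|QueryInterface", "COM"),
]


def parse_frames(text: str) -> List[Tuple[str, str]]:
    """Return (module, symbol) per frame line, skipping prompts and headers."""
    frames = []
    for line in text.splitlines():
        m = FRAME_RE.match(line)
        if m:
            frames.append((m.group("module"), m.group("symbol")))
    return frames


def classify(frames: List[Tuple[str, str]]) -> List[str]:
    """Technology label for each frame; 'Other' when no rule applies."""
    labels = []
    for module, symbol in frames:
        label = "Other"
        for rule_module, pattern, tech in RULES:
            if (rule_module is None or rule_module == module.lower()) and re.search(pattern, symbol):
                label = tech
                break
        labels.append(label)
    return labels


def subtraces(labels: List[str]) -> List[Tuple[str, int, int]]:
    """Collapse consecutive same-technology frames into (technology, first, last) runs."""
    runs: List[Tuple[str, int, int]] = []
    for i, label in enumerate(labels):
        if runs and runs[-1][0] == label:
            runs[-1] = (label, runs[-1][1], i)
        else:
            runs.append((label, i, i))
    return runs


if __name__ == "__main__":
    frames = parse_frames(SAMPLE_STACK)
    for tech, first, last in subtraces(classify(frames)):
        print(f"{tech:18} frames {first:2}-{last:2}  {frames[first][0]}!{frames[first][1]} ...")
```

Rule order matters: module-specific rules come before the generic ones so that RPCRT4!Invoke is labelled RPC while IEFRAME!...BrokerCoCreateInstance is labelled COM by the generic CoCreateInstance rule. Frames that match nothing stay Other, which is the honest answer for a module the table does not know.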

- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -

The Year of Dump Analysis in Retrospection

Friday, January 14th, 2011

The Year of Dump Analysis, 0x7DA, was another remarkable year for DumpAnalysis.org. Here is the list of major achievements to report:

- Proposed software narratological framework

- Extended the concept of multithreading with adjoint threading

- After recognizing victimware as a counterpart to crimeware, established Victimware.org (currently points to Memory Dump, Software Trace, Debugging and Malware Analysis Portal)

- Established the Dublin School of Security

- Proposed using category theory for memory dump analysis as an alternative to set-theoretical frameworks

- Secured the first Memory Dump Analysis Audit Service and its subsidiary Tool Objects: Unified Troubleshooting and Debugging to become portal sponsors

- Completely redesigned Debugging Experts Magazine Online

- Contributed to two issues of Debugged! MZ/PE magazine: Multithreading and Tools for Software Problem Solving

- Published the 4th volume of Memory Dump Analysis Anthology with color supplement

- Prepared material for the 5th volume of Memory Dump Analysis Anthology (to be published in January, 2011)

- Organized the first Debugging Jokes Competition and the first Tell Your Windows Debugging Story Competition

- Established the Metaphysical Society of Ireland to promote memory dump worldview

- Helped to deliver Fundamentals of Complete Crash and Hang Memory Dump Analysis webinar

- Established the Museum of Debugging and Memory Dumps (the 1st exhibition opens in 2011)

- Introduced Unified Debugging patterns, Workaround patterns and Structural Memory Analysis patterns

- Proposed and organized the first Memory Analysts and Debuggers Day (to be celebrated annually)

- Continued working on CARE research project and published its reference architecture

- Unified memory dump and software trace analysis patterns as software behavior patterns

- Memory Dump Analysis Anthology got international recognition when the Korean translation of the 1st volume was published

… and much more including many new memory dump and software trace analysis patterns, pattern icons, pattern models, and pattern-driven analysis case studies.

- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -

2010 in Retrospection (Part 1)

Sunday, January 9th, 2011

According to Google Analytics the number of visits per year increased by 0.7% since 2009, with almost 156,000 unique visitors (a 1% increase) from 184 countries (183 in 2009), and more than 33% of them are returning visitors. 1,322 visits came via 12 mobile operating systems (a 512% increase). Here are the top 100 network locations out of 28,612 (a 1% increase):

Service Provider | Visits
microsoft corp | 6298
comcast cable communications inc. | 4144
road runner holdco llc | 3579
internet service provider | 3106
verizon internet services inc. | 2589
comite gestor da internet no brasil | 2418
hewlett-packard company | 2324
japan network information center | 2199
deutsche telekom ag | 2145
reliance communications ltd | 1985
network of citrix systems inc | 1698
eircom | 1602
chunghwa telecom data communication business group | 1560
nib (national internet backbone) | 1458
charter communications | 1325
symantec corporation | 1261
proxad / free sas | 1252
samtel | 1121
uunet non-portable customer assignment | 1087
at&t internet services | 1084
intel corporation | 1083
cox communications | 1067
abts (karnataka) | 1060
qwest communications company llc | 957
comcast cable communications holdings inc | 940
korea telecom | 900
chtd chunghwa telecom co. ltd. | 859
comcast business communications inc. | 829
chinanet guangdong province network | 817
ip pools | 802
xo communications | 802
china unicom beijing province network | 799
microsoft | 771
data general corporation | 765
shaw communications inc. | 761
comcast cable communications | 746
tw telecom holdings inc. | 697
unknown | 684
citrix systems inc. | 681
telefonica de espana sau | 674
psinet inc. | 661
telstra internet | 647
chinanet shanghai province network | 637
arcor ag | 622
krnic | 621
cox communications inc. | 595
bellsouth.net inc. | 576
optimum online (cablevision systems) | 559
starhub cable vision ltd | 539
ntt communications corporation | 521
dell computer corporation | 519
computer associates international | 497
comcast cable communications ip services | 481
cisco systems inc. | 463
research in motion limited | 459
sympatico hse | 456
abts delhi | 425
eset s.r.o. | 425
telus communications inc. | 416
comstar-direct cjsc | 413
customers ie | 411
emc corporation | 408
abts tamilnadu | 398
iinet limited | 381
lg dacom corporation | 376
rcs & rds s.a. | 376
opal telecom dsl | 372
network of ign arch. and design gb | 367
kaspersky lab internet | 362
easynet ltd | 356
honeywell international inc. | 347
dynamic ip pool for broadband customers | 343
dynamic pools | 336
siemens ag | 335
global crossing | 333
provider local registry | 332
tpg internet pty ltd. | 328
ojsc north-west telecom | 326
telia network services | 326
ipg | 312
information management group | 310
chinanet jiangsu province network | 307
bharti infotel ltd. | 305
wipro technologies | 302
t-com croatia internet network | 291
pt telkom indonesia | 289
telecom italia s.p.a. tin easy lite | 288
neostrada plus | 285
singnet pte ltd | 285
multiprotocol service provider to other isp s and end users | 282
ibm india private limited | 278
microsoft corporation | 266
ekk catv plovdiv | 262
alice dsl | 260
level 3 communications inc. | 257
telekom malaysia berhad | 257
ukrtelecom ip network | 254
comcast cable communications inc | 251
appense | 250
uecomm | 250

Almost 71,000 Google search keywords pointed to the portal and this blog; the 100 most frequent are listed here (some are in Russian):

Keyword | Visits
crash dump | 2776
crash dump analysis | 2463
kifastsystemcallret | 2451
adplus | 916
ntdll!kifastsystemcallret | 905
dump analysis | 865
win32 error 0n2 | 693
dumpanalysis.org | 595
memory dump analysis | 530
windows 7 crash dump | 516
windbg commands | 513
bugcheck system_service_exception | 487
дамп памяти [memory dump] | 473
crash dump windows 7 | 451
windbg | 437
fnodobfm | 431
bugcheck 3b | 406
crashdump | 404
crash dumps | 385
minidump analysis | 383
windbg crash dump analysis | 382
crash dump analyzer | 381
windbg cheat sheet | 343
adplus download | 330
анализ дампа памяти [memory dump analysis] | 325
dmitry vostokov | 311
dump analyzer | 311
windbg analyze | 308
warning: frame ip not in any known module. following frames may be wrong. | 290
the stored exception information can be accessed via .ecxr. | 278
core dump analysis | 268
symbol file could not be found | 267
frame ip not in any known module | 263
bugcheck kmode_exception_not_handled | 256
dumpanalysis | 250
the stored exception information can be accessed via .ecxr | 242
memory dump analysis anthology | 238
ntkrnlmp.exe crash dump | 233
system_thread_exception_not_handled | 225
kiuserexceptiondispatcher | 222
getcontextstate failed, 0x80070026 | 210
0eedfade | 207
kisystemservicecopyend | 204
windbg crash dump | 203
kernel_mode_exception_not_handled | 202
rtlplowfragheapfree | 202
windows crash dump analysis | 202
crash dump analysis tool | 196
exception_double_fault | 195
trap frame | 189
ntdll kifastsystemcallret | 183
nt!kebugcheckex | 178
tppworkerthread | 178
vista kmode_exception_not_handled | 177
dump artefact trace artefact | 170
dump file analyzer | 168
adplus tutorial | 165
pool corruption | 160
rtldispatchexception wine | 155
termdd!icacallnextdriver | 155
application_fault_status_breakpoint | 153
ntdll.dll!kifastsystemcallret | 153
basethreadinitthunk | 152
bugcheck 7e | 151
analyze crash dump | 150
windbg script | 149
memory dump analysis tool | 146
warning: stack unwind information not available. following frames may be wrong. | 146
error: symbol file could not be found | 145
free special np | 145
rtluserthreadstart | 141
download adplus | 140
мещанина никифора никитина [tradesman Nikifor Nikitin] | 140
failure_bucket_id | 131
application_hang_blockedon_fileio | 129
how to use windbg for crash dump analysis | 123
windows dump analyzer | 123
getcontextstate failed, 0xd0000147 | 122
stack_text | 121
minidump analyzer | 120
time travel debugging | 120
windbg dump analysis | 120
__dyn_tls_init_callback | 118
localdumps | 118
system_service_exception 3b | 118
windbg scripts | 118
getcontextstate failed | 114
unable to load image win32 error 0n2 | 114
windbg hang | 114
windows crash dump | 114
crash dump vista | 112
debug_flr_image_timestamp | 110
ntdll.kifastsystemcallret | 107
system_service_exception | 107
system_thread_exception_not_handled (7e) | 107
анализ дампов памяти [memory dumps analysis] | 107
bugcheck c2 | 106
kifastcallentry | 106
ldrpsnapthunk | 106
nmi_hardware_failure | 104

Special thanks to more than 1,100 web sites that mention the portal and this blog; the top 100 are listed here:

Source | Visits
google.com | 3955
windbg.org | 2190
windbg.dumpanalysis.org | 2178
google.co.in | 1366
twitter.com | 1295
blog.codeimproved.net | 1158
stackoverflow.com | 1075
facebook.com | 780
winvistaclub.com | 751
blogs.msdn.com | 741
dumpanalysis.com | 680
reddit.com | 618
dumpanalysis.org | 586
images.google.com | 522
google.co.uk | 456
bytetalk.net | 398
google.de | 359
itdatabase.com | 351
advancedwindowsdebugging.com | 291
en.wikipedia.org | 283
google.ca | 280
analyze-v.com | 254
advanceddotnetdebugging.com | 246
google.com.au | 220
serverfault.com | 201
community.citrix.com | 199
google.ru | 180
nynaeve.net | 170
jasonhaley.com | 167
blog.miniasp.com | 166
google.fr | 166
google.es | 165
google.com.br | 158
google.co.kr | 152
reconstructer.org | 151
blogs.microsoft.co.il | 148
blog.naver.com | 143
forum.sysinternals.com | 141
google.com.ua | 133
netfxharmonics.com | 133
google.it | 126
google.nl | 126
debuggingexperts.com | 124
blog.not-a-kernel-guy.com | 119
images.google.co.in | 107
citrixblogger.org | 104
opentask.com | 103
google.pl | 102
images.google.co.uk | 98
delicious.com | 97
support.citrix.com | 88
isisaka.com | 85
linkedin.com | 83
google.com.ar | 81
google.com.tr | 81
j00ru.vexillium.org | 81
google.com.tw | 79
pchelpforum.com | 78
social.technet.microsoft.com | 78
debuggingexperts.dumpanalysis.org | 77
google.se | 77
codemachine.com | 73
google.com.ph | 73
rfvicente.spaces.live.com | 70
advdbg.org | 68
google.co.il | 68
google.co.za | 68
techsupportforum.com | 68
otvety.google.ru | 67
google.com.sg | 66
jinaida.egloos.com | 65
google.ie | 64
google.be | 63
voneinem-windbg.blogspot.com | 62
images.google.de | 60
saygoodnight.com | 59
caloni.com.br | 57
google.at | 57
google.ro | 56
msuiche.net | 56
driverentry.com.br | 55
google.ch | 55
google.com.pk | 54
mitbbs.com | 54
google.com.my | 53
serious-code.net | 53
bugswar.blogspot.com | 51
google.com.mx | 51
iconfactory.com | 51
advdbg.com | 49
managementbits.com | 49
rsdn.ru | 48
techradar.com | 48
blog.48bits.com | 47
cs.rochester.edu | 47
dogpile.com | 47
images.google.ca | 47
evilcodecave.wordpress.com | 46
google.pt | 46

Top 25 visiting countries:

Country/Territory | Visits
United States | 69610
India | 19007
United Kingdom | 16399
Russia | 12497
Germany | 10027
China | 7942
Canada | 7277
Japan | 5393
France | 5260
South Korea | 4551
Australia | 4305
Taiwan | 3882
Ireland | 3361
Netherlands | 3152
Spain | 3045
Ukraine | 2981
Italy | 2774
Israel | 2720
Brazil | 2592
Poland | 2519
Sweden | 2495
Singapore | 2367
Romania | 1990
Czech Republic | 1784
Belgium | 1481

More than 9,000 portal and blog pages were viewed a total of almost 387,000 times; the top 100 content pages:

Page | Pageviews
/ | 45061
/blog/ | 35363
/blog/index.php/2008/01/10/what-is-kifastsystemcallret/ | 6673
/blog/index.php/2007/06/20/crash-dump-analysis-checklist/ | 6212
/blog/index.php/category/windbg-tips-and-tricks/ | 6151
/ru/blog/ | 4929
/blog/index.php/2008/09/12/adplus-in-21-seconds-and-13-steps/ | 3554
/Tools | 3442
/blog/index.php/2007/07/20/crash-dump-analysis-patterns-part-17/ | 3311
/blog/index.php/category/windows-7/ | 3267
/Crash+Dump+Analysis+for+System+Administrators | 2904
/blog/index.php/category/minidump-analysis/ | 2612
/blog/index.php/2007/09/06/minidump-analysis-part-2/ | 2604
/blog/index.php/2006/10/31/crash-dump-analysis-patterns-part-2/ | 2443
/blog/index.php/2007/04/03/crash-dump-analysis-patterns-part-11/ | 2366
/blog/index.php/2006/10/30/crash-dump-analysis-patterns-part-1/ | 2314
/blog/index.php/category/windbg-scripts/ | 2286
/blog/index.php/2008/03/12/bug-check-frequencies/ | 2220
/blog/index.php/2008/03/13/crash-dump-analysis-patterns-part-2b/ | 2113
/blog/index.php/2008/06/12/crash-dump-analysis-patterns-part-59b/ | 2104
/WinDbg+reference | 2076
/Forthcoming+Windows+Debugging+Notebook | 2054
/blog/index.php/2008/04/22/bugchecks-system_service_exception/ | 2048
/blog/index.php/about/ | 2038
/blog/index.php/2007/10/11/minidump-analysis-part-4/ | 1868
/blog/index.php/category/windows-server-2008/ | 1741
/blog/index.php/2007/09/11/crash-dump-analysis-patterns-part-26/ | 1736
/blog/index.php/2008/01/24/crash-dump-analysis-patterns-part-43/ | 1661
/blog/index.php/2007/12/17/crash-dump-analysis-patterns-part-41b/ | 1640
/blog/index.php/2007/10/17/crash-dump-analysis-patterns-part-31/ | 1631
/blog/index.php/2007/02/02/crash-dump-analysis-patterns-part-8/ | 1618
/blog/index.php/2007/05/19/resurrecting-dr-watson-on-vista/ | 1590
/blog/index.php/2006/12/09/clipboard-issues-explained/ | 1553
/Memory+Dump+Analysis+Anthology+Volume+1 | 1548
/blog/index.php/2007/09/17/resolving-symbol-file-could-not-be-found/ | 1524
/blog/index.php/2007/02/09/crash-dump-analysis-patterns-part-9a/ | 1516
/blog/index.php/2007/08/06/crash-dump-analysis-patterns-part-20a/ | 1445
/Memory+Dump+Analysis+Anthology+Volume+3 | 1423
/blog/index.php/2007/07/15/interrupts-and-exceptions-explained-part-4/ | 1422
/blog/index.php/crash-dump-analysis-patterns/ | 1368
/blog/index.php/2008/05/09/windbg-cheat-sheet-for-crash-dump-analysis/ | 1324
/Debugged+Magazine | 1307
/ru/blog/index.php/category/komandy-otladchika-windbg/ | 1302
/blog/index.php/2007/03/04/windbg-tips-and-tricks-analyzing-hangs-faster/ | 1295
/blog/index.php/2007/04/25/bugchecks-system_thread_exception_not_handled/ | 1281
/blog/index.php/2007/08/29/minidump-analysis-part-1/ | 1267
/blog/index.php/category/windbg-tips-and-tricks/page/6/ | 1251
/ru/blog/index.php/page/2/ | 1251
/blog/index.php/2007/03/03/windbg-tips-and-tricks-hypertext-commands/ | 1203
/blog/index.php/category/gdb-for-windbg-users/ | 1193
/blog/index.php/basic-windows-crash-dump-analysis/ | 1191
/blog/index.php/2007/06/21/crash-dump-analysis-patterns-part-16a/ | 1151
/care | 1151
/blog/index.php/category/bugchecks-depicted/ | 1143
/blog/index.php/2008/04/03/crash-dump-analysis-patterns-part-57/ | 1134
/museum-debugging | 1103
/blog/index.php/category/bugchecks-depicted/page/2/ | 1099
/blog/index.php/2010/01/08/live-kernel-debugging-of-a-system-freeze-case-study/ | 1096
/arts-photography-links | 1062
/blog/index.php/2007/09/ | 1022
/blog/index.php/2008/10/15/crash-dump-analysis-patterns-part-1b/ | 953
/blog/index.php/2007/08/04/visualizing-memory-dumps/ | 940
/blog/index.php/2007/11/02/crash-dump-analysis-patterns-part-13c/ | 932
/blog/index.php/category/dump-analysis/ | 921
/blog/index.php/crash-dump-examples/ | 912
/blog/index.php/2007/10/01/windows-service-crash-dumps-on-vista/ | 911
/blog/index.php/2007/02/10/crash-dump-analysis-in-visual-studio-2005/ | 904
/Forthcoming+Memory+Dump+Analysis+Anthology+Volume+2 | 902
/blog/index.php/category/windbg-scripts/page/2/ | 880
/blog/index.php/2006/10/ | 833
/blog/index.php/2008/06/26/heuristic-stack-trace-in-windbg-693113/ | 820
/blog/index.php/2008/01/02/how-to-distinguish-between-1st-and-2nd-chances/ | 813
/blog/index.php/2006/11/01/crash-dump-analysis-patterns-part-3/ | 790
/MDAA-color-supplement-vol1-3 | 783
/Forthcoming+Windows+Debugging:+Practical+Foundations | 779
/blog/index.php/automated-analysis/ | 774
/blog/index.php/2007/05/20/custom-postmortem-debuggers-on-vista/ | 773
/contact | 772
/blog/index.php/memory-dump-analysis-interview-questions/ | 763
/blog/index.php/2007/07/25/reconstructing-stack-trace-manually/ | 762
/blog/index.php/2007/09/14/crash-dump-analysis-patterns-part-27/ | 761
/training | 760
/blog/index.php/category/net-debugging/ | 752
/blog/index.php/category/windbg-tips-and-tricks/page/2/ | 732
/blog/index.php/2007/04/25/bugchecks-kmode_exception_not_handled/ | 731
/blog/index.php/2007/07/01/gdb-for-windbg-users-part-5/ | 729
/blog/index.php/2009/04/28/trace-analysis-patterns-part-1/ | 729
/FCMDA-book | 721
/blog/index.php/2007/06/21/repair-clipboard-chain-201/ | 720
/blog/index.php/category/cartoons/ | 706
/CDAPF-book | 690
/blog/index.php/2008/03/08/time-travel-debugging/ | 690
/blog/index.php/2006/10/14/dumps-for-dummies-part-2/ | 679
/blog/index.php/2008/04/28/crash-dump-analysis-patterns-part-6a/ | 672
/blog/index.php/dumps-for-dummies/ | 672
/blog/index.php/2007/05/19/inside-vista-error-reporting-part-1/ | 661
/Links | 640
/blog/index.php/2008/03/18/crash-dump-analysis-patterns-part-13e/ | 640
/blog/index.php/2008/05/28/net-managed-code-analysis-in-complete-memory-dumps/ | 635
/blog/index.php/foundations-of-debugging-x86/ | 635

- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -

Crash Dump Analysis Patterns (Part 126)

Saturday, January 8th, 2011

Finally I got a few good crash dumps illustrating the Livelock pattern, where two threads keep looping while acquiring and releasing a resource but never make progress. We have these signs in the selected WinDbg output below:

- a high contention count and high context switch counts

- increased CPU time in user and / or kernel mode

- at least one livelocked thread is scheduled for execution

- one of the livelocked threads has an unusual priority boost

- the same stack trace for both livelocked threads, with similar statistics such as time spent and context switch counts

- zero waiting ticks

1: kd> !locks

Resource @ 0xfffffa8008464528    Exclusively owned
    Contention Count = 43743004
    NumberOfExclusiveWaiters = 1
     Threads: fffffa8008315b60-01<*>
     Threads Waiting On Exclusive Access:
              fffffa8005769660

41080 total locks, 1 locks currently held

1: kd> !running

Prcbs  Current           Next            
  1    fffff88001e68180  fffff88001e72fc0  fffffa8008315b60  …………….

We have these two threads from the stack trace collection:

THREAD fffffa8008315b60  Cid 0724.2a28  Teb: 000007fffff9c000 Win32Thread: 0000000000000000 ????
IRP List:
    fffffa80082e5990: (0006,0118) Flags: 00060000  Mdl: 00000000
Not impersonating
DeviceMap                 fffff8a009f434e0
Owning Process            fffffa8005726360       Image:         ProcessA.exe
Attached Process          N/A            Image:         N/A
Wait Start TickCount      522197         Ticks: 0
Context Switch Count      21665144
UserTime                  00:00:40.373
KernelTime                00:02:42.791
Win32 Start Address 0x000007fef6939430
Stack Init fffff88007321db0 Current fffff88007321520
Base fffff88007322000 Limit fffff8800731c000 Call 0
Priority 8 BasePriority 6 UnusualBoost 1 ForegroundBoost 0 IoPriority 2 PagePriority 5
Child-SP          RetAddr           Call Site
fffff880`07321560 fffff800`0168a992 nt!KiSwapContext+0x7a
fffff880`073216a0 fffff800`0168ccff nt!KiCommitThreadWait+0x1d2
fffff880`07321730 fffff800`0164c242 nt!KeWaitForSingleObject+0x19f
fffff880`073217d0 fffff800`0168b5ac nt!ExpWaitForResource+0xae
fffff880`07321840 fffff880`04608d91 nt!ExAcquireResourceExclusiveLite+0x14f
fffff880`073218b0 fffff880`04609e4e DriverA!foo+0x42
[…]
fffff880`07321a10 fffff800`0199ef66 nt!IopXxxControlFile+0x607
fffff880`07321b40 fffff800`01682993 nt!NtDeviceIoControlFile+0x56
fffff880`07321bb0 00000000`76ffff2a nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ fffff880`07321c20)
00000000`03a1f488 000007fe`fd06b399 ntdll!NtDeviceIoControlFile+0xa
00000000`03a1f490 00000000`76ea610f KERNELBASE!DeviceIoControl+0x75
00000000`03a1f500 000007fe`f74f3d7c kernel32!DeviceIoControlImplementation+0x7f
[…]

THREAD fffffa8005769660  Cid 0724.10b0  Teb: 000007fffffa6000 Win32Thread: 0000000000000000 WAIT: (WrResource) KernelMode Non-Alertable
    fffffa8006661f20  SynchronizationEvent
IRP List:
    fffffa8006b1ac10: (0006,0118) Flags: 00060000  Mdl: 00000000
Not impersonating
DeviceMap                 fffff8a009f434e0
Owning Process            fffffa8005726360       Image:         ProcessA.exe
Attached Process          N/A            Image:         N/A
Wait Start TickCount      522197         Ticks: 0
Context Switch Count      21601988           
UserTime                  00:00:30.147
KernelTime                00:02:30.972
Win32 Start Address 0x000007fef6939430
Stack Init fffff880071bbdb0 Current fffff880071bb520
Base fffff880071bc000 Limit fffff880071b6000 Call 0
Priority 7 BasePriority 6 UnusualBoost 0 ForegroundBoost 0 IoPriority 2 PagePriority 5
Child-SP          RetAddr           Call Site
fffff880`071bb560 fffff800`0168a992 nt!KiSwapContext+0x7a
fffff880`071bb6a0 fffff800`0168ccff nt!KiCommitThreadWait+0x1d2
fffff880`071bb730 fffff800`0164c242 nt!KeWaitForSingleObject+0x19f
fffff880`071bb7d0 fffff800`0168b5ac nt!ExpWaitForResource+0xae
fffff880`071bb840 fffff880`04608d91 nt!ExAcquireResourceExclusiveLite+0x14f
fffff880`071bb8b0 fffff880`04609e4e DriverA!foo+0x42
[…]
fffff880`071bba10 fffff800`0199ef66 nt!IopXxxControlFile+0x607
fffff880`071bbb40 fffff800`01682993 nt!NtDeviceIoControlFile+0x56
fffff880`071bbbb0 00000000`76ffff2a nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ fffff880`071bbc20)
00000000`033bf708 000007fe`fd06b399 ntdll!NtDeviceIoControlFile+0xa
00000000`033bf710 00000000`76ea610f KERNELBASE!DeviceIoControl+0x75
00000000`033bf780 000007fe`f74f3d7c kernel32!DeviceIoControlImplementation+0x7f
[…]

In both traces we have DriverA as Blocking Module.
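The checks listed above (one stack trace shared by both threads, zero waiting ticks, comparable context switch counts, and one of the two threads shown by !locks as owning the resource the other waits on) can be applied mechanically to saved debugger output. The following is an added example and not code from the original post: it parses constructed copies of the !locks entry and the two thread listings above, then reports whether the livelock indicators hold and which module is the Blocking Module. The 5% tolerance on context switch counts and the treatment of `nt` as the only kernel module are my assumptions.

```python
import re

# Constructed from the !locks entry and the two thread listings shown above:
# same values, with the frames the post elides as [...] left out here as well.
LOCKS_TEXT = """\
Resource @ 0xfffffa8008464528    Exclusively owned
    Contention Count = 43743004
     Threads: fffffa8008315b60-01<*>
     Threads Waiting On Exclusive Access:
              fffffa8005769660

41080 total locks, 1 locks currently held
"""

THREADS_TEXT = """\
THREAD fffffa8008315b60  Cid 0724.2a28  Teb: 000007fffff9c000 Win32Thread: 0000000000000000
Wait Start TickCount      522197         Ticks: 0
Context Switch Count      21665144
Child-SP          RetAddr           Call Site
fffff880`07321560 fffff800`0168a992 nt!KiSwapContext+0x7a
fffff880`073216a0 fffff800`0168ccff nt!KiCommitThreadWait+0x1d2
fffff880`07321730 fffff800`0164c242 nt!KeWaitForSingleObject+0x19f
fffff880`073217d0 fffff800`0168b5ac nt!ExpWaitForResource+0xae
fffff880`07321840 fffff880`04608d91 nt!ExAcquireResourceExclusiveLite+0x14f
fffff880`073218b0 fffff880`04609e4e DriverA!foo+0x42

THREAD fffffa8005769660  Cid 0724.10b0  Teb: 000007fffffa6000 Win32Thread: 0000000000000000 WAIT: (WrResource) KernelMode Non-Alertable
Wait Start TickCount      522197         Ticks: 0
Context Switch Count      21601988
Child-SP          RetAddr           Call Site
fffff880`071bb560 fffff800`0168a992 nt!KiSwapContext+0x7a
fffff880`071bb6a0 fffff800`0168ccff nt!KiCommitThreadWait+0x1d2
fffff880`071bb730 fffff800`0164c242 nt!KeWaitForSingleObject+0x19f
fffff880`071bb7d0 fffff800`0168b5ac nt!ExpWaitForResource+0xae
fffff880`071bb840 fffff880`04608d91 nt!ExAcquireResourceExclusiveLite+0x14f
fffff880`071bb8b0 fffff880`04609e4e DriverA!foo+0x42
"""

# One stack frame: Child-SP, RetAddr (both with the 64-bit backtick form), call site.
FRAME_RE = re.compile(r"(?m)^[0-9a-f`]{8,17}\s+[0-9a-f`]{8,17}\s+(\S+)")


def parse_threads(text):
    """Index thread listings by address: waiting ticks, context switch
    count and the call sites of the stack trace (the lines after RetAddr)."""
    threads = {}
    for block in re.split(r"(?m)^(?=THREAD )", text):
        head = re.match(r"THREAD ([0-9a-f]+)", block)
        if not head:
            continue
        ticks = re.search(r"Ticks: (\d+)", block)
        switches = re.search(r"Context Switch Count\s+(\d+)", block)
        stack = block.partition("RetAddr")[2]
        threads[head.group(1)] = {
            "addr": head.group(1),
            "ticks": int(ticks.group(1)) if ticks else None,
            "switches": int(switches.group(1)) if switches else None,
            "frames": [m.group(1) for m in FRAME_RE.finditer(stack)],
        }
    return threads


def parse_locks(text):
    """Owner (marked <*>) and exclusive waiters of a !locks resource entry."""
    owner = re.search(r"Threads:\s+([0-9a-f]+)-\d+<\*>", text)
    waiters = []
    tail = text.partition("Threads Waiting On Exclusive Access:")[2]
    for line in tail.splitlines()[1:]:  # [0] is the rest of the header line
        if not line.strip():
            break
        if re.fullmatch(r"\s*[0-9a-f]{8,16}\s*", line):
            waiters.append(line.strip())
    return {"owner": owner.group(1) if owner else None, "waiters": waiters}


def blocking_module(frames, kernel=("nt",)):
    """Blocking Module: the first module on the stack that is not the kernel."""
    for frame in frames:
        module = frame.split("!")[0]
        if module not in kernel:
            return module
    return None


def find_livelock(threads, lock, tolerance=0.05):
    """Checks from the post: owner and waiters share one stack, all have zero
    waiting ticks, and context switch counts lie within `tolerance` of the
    owner's (the 5% figure is an assumption, not from the post)."""
    owner = threads.get(lock["owner"])
    waiters = [threads[w] for w in lock["waiters"] if w in threads]
    if owner is None or not waiters:
        return None

    def names(t):  # compare function names, ignoring the +offset part
        return [f.split("+")[0] for f in t["frames"]]

    same_stack = all(names(w) == names(owner) for w in waiters)
    zero_ticks = all(t["ticks"] == 0 for t in [owner] + waiters)
    similar = all(abs(w["switches"] - owner["switches"]) <= tolerance * owner["switches"]
                  for w in waiters)
    return {"owner": owner["addr"], "waiters": [w["addr"] for w in waiters],
            "same_stack": same_stack, "zero_ticks": zero_ticks,
            "similar_switches": similar,
            "livelock": same_stack and zero_ticks and similar,
            "blocking_module": blocking_module(owner["frames"])}
```

Running `find_livelock(parse_threads(THREADS_TEXT), parse_locks(LOCKS_TEXT))` on the embedded output flags all three indicators and names DriverA as the Blocking Module; on a genuine wait (non-zero ticks, or the owner running elsewhere) at least one indicator stays false and `livelock` is reported as such.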

- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -

Icons for Memory Dump Analysis Patterns (Part 87)

Friday, January 7th, 2011

Today we introduce an icon for Wait Chain (named pipes) pattern:

B/W

Color

- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -

Beer Time (Debugging Slang, Part 20)

Wednesday, January 5th, 2011

Beer time - Time to socialize and discuss the politics of debugging. For some engineers it is actually the time of debugging.

- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -

Finger Exercise (Debugging Slang, Part 19)

Tuesday, January 4th, 2011

Finger exercise - Repeated application of certain keyboard debugging commands like t (trace).

Examples: Doing 15 minute finger exercise to locate a pointer change.

- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -

GI Index of Memory Dump Analysis

Monday, January 3rd, 2011

GI Index (Google Insights for Search) shows that crash dump analysis and debugging slowly decline in popularity:

GI for memory dump analysis searches coincides with the birth of DumpAnalysis.org in late 2006 (the only mystery for me is the mid 2005 peak):

The birth of memory dump analysis as a discipline probably reinforced the emergence of memory forensics in early 2006:

We also see that malware analysis is on the rise and it is not a surprise that DumpAnalysis.org is moving to MARS:

Perhaps mid 2005 peak for memory dump analysis searches coincides with the interest in malware analysis.

- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -

Crash Dump Analysis Patterns (Part 42i)

Monday, January 3rd, 2011

This is the variant of the general Wait Chain pattern where threads are waiting for named pipes. This is visible when we examine the pending IRP of a blocked thread:

THREAD 88ec9020  Cid 17a0.2034  Teb: 7ffad000 Win32Thread: bc28c6e8 WAIT: (Unknown) UserMode Non-Alertable
    89095f48  Semaphore Limit 0x10000
IRP List:
    89a5a370: (0006,0094) Flags: 00000900  Mdl: 00000000
Not impersonating
DeviceMap                 d6c30c48
Owning Process            88fffd88       Image:         ApplicationA.exe
Attached Process          N/A            Image:         N/A
Wait Start TickCount      5632994        Ticks: 2980 (0:00:00:46.562)
Context Switch Count      2269                 LargeStack
UserTime                  00:00:00.000
KernelTime                00:00:00.000
Win32 Start Address 0x00a262d0
Start Address kernel32!BaseThreadStartThunk (0x77e617ec)
Stack Init b204c000 Current b204bc60 Base b204c000 Limit b2048000 Call 0
Priority 8 BasePriority 8 PriorityDecrement 0
ChildEBP RetAddr 
b204bc78 80833ec5 nt!KiSwapContext+0x26
b204bca4 80829c14 nt!KiSwapThread+0x2e5
b204bcec 8093b174 nt!KeWaitForSingleObject+0x346
b204bd50 8088b41c nt!NtWaitForSingleObject+0x9a
b204bd50 7c82860c nt!KiFastCallEntry+0xfc (TrapFrame @ b204bd64)
058fcabc 7c827d29 ntdll!KiFastSystemCallRet
058fcac0 77e61d1e ntdll!ZwWaitForSingleObject+0xc
058fcb30 77e61c8d kernel32!WaitForSingleObjectEx+0xac
058fcb44 00f98b4a kernel32!WaitForSingleObject+0x12
[…]
058fffec 00000000 kernel32!BaseThreadStart+0x34

0: kd> !irp 89a5a370
Irp is active with 1 stacks 1 is current (= 0x89a5a3e0)
No Mdl: No System Buffer: Thread 88ec9020:  Irp stack trace. 
     cmd  flg cl Device   File     Completion-Context
>[  3, 0]   0  1 89ebee90 891d4f90 00000000-00000000    pending
                 \FileSystem\Npfs
                                   Args: 00000100 00000000 00000000 00000000

0: kd> !fileobj 891d4f90

\ServiceB\SVC

Device Object: 0x89ebee90   \FileSystem\Npfs
Vpb is NULL

Flags:  0x40080
                Named Pipe
                Handle Created

FsContext: 0xdaeca230 FsContext2: 0x8949bdb0
Private Cache Map: 0x00000001
CurrentByteOffset: 0

The pipe chain can also extend from thread to thread and even cross a machine boundary. 
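The same walk (blocked thread, its pending IRP, the current IRP stack location pointing into Npfs, the file object naming the pipe) can be done against saved !irp and !fileobj output. The following is an added example, not code from the original post: it parses constructed copies of the two command outputs above and ties them into one wait chain description. The IRP major function code table holds the standard values from the Windows DDK headers; the helper names are my own.

```python
import re

# Standard IRP major function codes (Windows DDK); !irp prints them in hex.
IRP_MAJOR = {
    0x00: "IRP_MJ_CREATE", 0x01: "IRP_MJ_CREATE_NAMED_PIPE", 0x02: "IRP_MJ_CLOSE",
    0x03: "IRP_MJ_READ", 0x04: "IRP_MJ_WRITE", 0x0e: "IRP_MJ_DEVICE_CONTROL",
    0x0f: "IRP_MJ_INTERNAL_DEVICE_CONTROL", 0x12: "IRP_MJ_CLEANUP",
}

# Constructed copies of the !irp and !fileobj output shown above.
IRP_TEXT = r"""
Irp is active with 1 stacks 1 is current (= 0x89a5a3e0)
No Mdl: No System Buffer: Thread 88ec9020:  Irp stack trace.
     cmd  flg cl Device   File     Completion-Context
>[  3, 0]   0  1 89ebee90 891d4f90 00000000-00000000    pending
                 \FileSystem\Npfs
                                   Args: 00000100 00000000 00000000 00000000
"""

FILEOBJ_TEXT = r"""
\ServiceB\SVC

Device Object: 0x89ebee90   \FileSystem\Npfs
Vpb is NULL

Flags:  0x40080
                Named Pipe
                Handle Created

FsContext: 0xdaeca230 FsContext2: 0x8949bdb0
Private Cache Map: 0x00000001
CurrentByteOffset: 0
"""

# One IRP stack location line; '>' marks the current location, the driver
# name follows on the next line.
STACK_RE = re.compile(
    r"^(?P<cur>>?)\[\s*(?P<major>[0-9a-f]+),\s*(?P<minor>[0-9a-f]+)\]\s+"
    r"[0-9a-f]+\s+[0-9a-f]+\s+(?P<device>[0-9a-f]+)\s+(?P<file>[0-9a-f]+)\s+"
    r"\S+(?P<pending>\s+pending)?")


def parse_irp(text):
    """Owning thread plus the current stack location: major/minor code,
    device and file object addresses, driver name and pending flag."""
    thread = re.search(r"Thread ([0-9a-f]+):", text)
    lines = text.splitlines()
    for i, line in enumerate(lines):
        m = STACK_RE.match(line)
        if not m or not m.group("cur"):
            continue
        major = int(m.group("major"), 16)
        return {
            "thread": thread.group(1) if thread else None,
            "major": major,
            "major_name": IRP_MAJOR.get(major, "IRP_MJ_%#x" % major),
            "minor": int(m.group("minor"), 16),
            "device": m.group("device"),
            "file": m.group("file"),
            "driver": lines[i + 1].strip() if i + 1 < len(lines) else "",
            "pending": bool(m.group("pending")),
        }
    return None


def parse_fileobj(text):
    """Name, device object and decoded flag names from !fileobj output."""
    name = re.search(r"(?m)^(\\\S*)\s*$", text)
    dev = re.search(r"Device Object: 0x([0-9a-f]+)\s+(\S+)", text)
    flags, lines = [], text.splitlines()
    for i, line in enumerate(lines):
        if line.startswith("Flags:"):
            for nxt in lines[i + 1:]:  # indented flag names until blank line
                if not nxt.strip():
                    break
                flags.append(nxt.strip())
    return {"name": name.group(1) if name else None,
            "device": dev.group(1) if dev else None,
            "driver": dev.group(2) if dev else None,
            "flags": flags}


def pipe_wait_chain(irp_text, fileobj_text):
    """Join thread -> pending IRP -> Npfs -> named pipe. Returns None unless
    the current location is pending in Npfs and the file object is a Named
    Pipe on the same device the IRP names (a mismatch means stale output)."""
    irp, fo = parse_irp(irp_text), parse_fileobj(fileobj_text)
    if not irp or not irp["pending"] or not irp["driver"].endswith("\\Npfs"):
        return None
    if "Named Pipe" not in fo["flags"] or fo["device"] != irp["device"]:
        return None
    return {"thread": irp["thread"], "request": irp["major_name"],
            "driver": irp["driver"], "pipe": fo["name"],
            "chain": "thread %s -> %s pending in %s on pipe %s"
                     % (irp["thread"], irp["major_name"], irp["driver"], fo["name"])}
```

For the embedded output `pipe_wait_chain(IRP_TEXT, FILEOBJ_TEXT)["chain"]` reads `thread 88ec9020 -> IRP_MJ_READ pending in \FileSystem\Npfs on pipe \ServiceB\SVC`; the pipe name is what lets the chain be continued on the server side of that pipe, in another process or on another machine.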

- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -

Resolution Rush (Debugging Slang, Part 18)

Monday, January 3rd, 2011

Resolution rush - The rush of software technical support and maintenance engineers to provide the resolution to a suddenly escalated incident.

Examples: After it crashed 3 times in a row at the customer site our VP was called and we all got the resolution rush.

- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -