Analysis of computer memory snapshots (memory dumps) and their evolution is the domain of memoretics. Computer memory semiotics (memiotics or memosemiotics) is the branch of memoretics that studies the interpretation of computer memory, its meaning, signs and symbols.
- Dmitry Vostokov @ DumpAnalysis.org -
Looking at computer memory visual images combined with listening to the incredible nostalgic music composed by Oystein Sevag is highly recommended to relieve stress while immersing yourself in the vast depths of memory hierarchy. I really like “Painful Love” tracks. Is love and passion for programming painful?…
- Dmitry Vostokov @ DumpAnalysis.org -
Looking at memory dumps every day and writing about them has an unfortunate implication: every state of the world looks like a gigantic memory dump to me. Everything is memory and every state is memory dump. The current state of the world is an infinite (or an immense) number of memuons*. Infinite can be any cardinal number greater or equal to that of natural numbers. In any case we can say it is N bits where this number is either finite or ∞. Therefore we have 2N possible memory states (S). The set of possible transitions between them (S -> S) has the number of 2N ^ 2N elements. Which is the memory itself and we have transitions between its states too. Ad infinitum we have a limiting process from which arises the perceived flow of events. Anyway there is much to elaborate here. I’ll come back to this later.
(*) Memuon is an indivisible entity similar to a bit of information.
This is my current philosophy 
I’m dead serious.
- Dmitry Vostokov @ DumpAnalysis.org -
If you remember I promised to review this CD:
The first Memory Analysis CD album
Finally it arrived by post and here it is:
I’ve just finished listening to it. It is wonderful! Clearly belongs to my Music for Debugging collection. Here is my commentary (italics) on track titles:
1. Chameleon
It crashes then hangs then spikes then leaks. You never know what happens next…
2. Silence Before The Storm
Waiting for the problem to start dumping memory
3. Appearances
Multiple occurrences of the issue ease crash dump collection
4. Memory Analysis
Memory dump analysis activity
5. Voices From Heaven
It’s my blog full of crash dump analysis patterns
6. Figure In The Fog
It’s that DLL! I see it clearly!!!
7. Diamond Tear
Customer is happy
8. The Toy Soldier
WinDbg
9. Tears In Dragon’s Eyes
Operating system vendor is happy too
10. Forgotten Song
No pasaran (bugs)
11. Skies
We are debugging gods!
Enjoy :-)
- Dmitry Vostokov @ DumpAnalysis.org -
Crash dump analysis is a support activity. Therefore understanding software support business is important. I recently started abbreviating book titles for my personal book reading accounting purposes and here accidentally emerges the ASS abbreviation that reminds me every time that support guys cover “asses” of software engineers designing and developing software and expose their own “asses” when talking to customers :-)
I’m sorry if I offended someone here…
The book was on my shelf for 4 years and only today I got the message :-)
- Dmitry Vostokov @ DumpAnalysis.org -
More books to come in 2009. One of them is full-color book illustrated with beautiful visual images emerging from inherent modularized structure of modern operating systems and applications. Preliminary product details:
- Dmitry Vostokov @ DumpAnalysis.org -
Full-color special edition is available now. PART 6: Fun with Crash Dumps that features memory dump visualization pictures is the most impressive there. All screenshots and diagrams are color too. The book is thicker, heavier and much more expensive. Print on demand color books are very pricey. It is only available on Lulu because my Ingram distributor, Lightning Source, doesn’t print color books with more than 480 pages:
Memory Dump Analysis Anthology Collector’s Edition, Volume 1
- Dmitry Vostokov @ DumpAnalysis.org -
Just discovered this album from Polish band Gutter Sirens on Amazon:
I haven’t listened to it yet. Will post a review as soon as it arrives
- Dmitry Vostokov @ DumpAnalysis.org -
Just discovered that priority goes to Mikel Lasa
Memory Dump: 1960-1990 (Poesía vasca, hoy)
- Dmitry Vostokov @ DumpAnalysis.org -
In the article about memory dump analysis as forensic science CSI was proposed to mean “Crashed Server Investigation”. I’m interested in general forensic science as well and I’ve almost finished reading the book about the emergence of forensic science in 19th and 20th centuries:
As a result, yesterday I was rethinking CSI again and found these similar meanings:
- Crashed Software Investigation
- Crashed System Investigation
Any more suggestions? :-)
- Dmitry Vostokov @ DumpAnalysis.org -
This is a picture from PubForum event gallery. I’m on the left and Rich Crusco, MVP, Citrix Technical Evangelist for Application Delivery and Virtualization technologies, is on the right. Visitors often think that these books are just on crash dumps… Click on it to enlarge:
More pictures can be found on here.
- Dmitry Vostokov @ DumpAnalysis.org -
PubForum pictures are available where you can see me selling Crash Dump Tools to the audience and explaining broken clipboard chains:
All presentations from that event are available here:
My presentation is also available here:
Citrix Tools: PubForum Presentation
- Dmitry Vostokov @ DumpAnalysis.org -
Due to demand from people that prefer ebooks I published Memory Dump Analysis Anthology, Volume 1 in a digital format that can be purchased in Crash Dump Analysis Store. This format has color pictures inside.
- Dmitry Vostokov @ DumpAnalysis.org -
In the past two hours I noticed visitors from this URL:
http://finance.google.com/finance?q=AAPL
Checked it and found that my previous post with secondary bugcheck callback data from my Mac Mini running Windows Vista hit complex RSS feed triggers. I saved the picture of this historic moment. Click on it to enlarge:
Has anyone studied the influence of crash dumps on stock market volatility and crashes? Perhaps there is some similarity between OS thread exceptions and share price trends and it is possible to metaphorically map crash dump analysis patterns to finance domain like I’m doing for Project Failure Analysis.
- Dmitry Vostokov @ DumpAnalysis.org -
Similar to radiometric dating using isotopes we can use memory visualization techniques to see distribution of allocated buffers and their retention over time. The key is to allocate colored memory. For example, to append a red buffer that contains RGBA values 0xFF000000 to specific allocations. I call these colored memory marks isomemotopes.
We can either inject a different isomemotope for a different data or change the isomemotope over time to mark specific allocation times. I created a test program that allocates buffers marked by a different amount of different isomemotopes every time:
#include "stdafx.h"
#include <stdlib.h>
#include <memory.h>
#include <windows.h>
typedef unsigned int ISOMEMOTOPE;
void *alloc_and_mark_with_isomemotope(size_t size,
ISOMEMOTOPE color,
size_t amount)
{
char *p = (char *)malloc(size+amount);
for (char *isop = p+size;
p && isop < p+size+amount;
isop+=sizeof(ISOMEMOTOPE))
{
*(ISOMEMOTOPE *)isop=color;
}
return p;
}
int _tmain(int argc, _TCHAR* argv[])
{
alloc_and_mark_with_isomemotope(0x1000,
0xFF000000, // red
0x10000);
alloc_and_mark_with_isomemotope(0x1000,
0x00FF0000, // green
0x20000);
alloc_and_mark_with_isomemotope(0x1000,
0x0000FF00, // blue
0x30000);
alloc_and_mark_with_isomemotope(0x1000,
0xFFFFFF00, // white
0x40000);
alloc_and_mark_with_isomemotope(0x1000,
0xFFFF0000, // yellow
0x50000);
DebugBreak();
return 0;
}
Corresponding Dump2Picture image is this (0×00000000 address is at the bottom):
- Dmitry Vostokov @ DumpAnalysis.org -
I’m very proud to announce that it is finally available in both paperback and hardback. Why have I made available both editions? Because I personally prefer hardcover books. You can order the book today and it will be printed in 3-5 days (paperback) or 5-10 days (hardcover) and sent to you:
Memory Dump Analysis Anthology, Volume 1
Note: although listed on Amazon and other online bookstores it is not immediately available at these stores at the moment due to the late submission. I apologize for this. However, I expect that in a few weeks pre-orders taken there will be eventually fulfilled. In the mean time, if you want the book now, you can use the link above.
- Dmitry Vostokov @ DumpAnalysis.org -
Although the first volume has not been published yet (scheduled for 15th of April, 2008) the planning for the second volume has already begun. Preliminary information is:
Hardcover version is also planned. PDF version will be available for download too.
(*) subject to change
- Dmitry Vostokov @ DumpAnalysis.org -
I read science fiction from time to time now (I was a big fan of it back to school and university days) but I cannot recall memory dumps mentioned explicitly in such books. I’ve just finished reading Dan Simmons’s The Fall of Hyperion book (the sequel to Hyperion book that I read previously) and I recall in chapter 33 on page 303 a poetic description of a process crash (italics are mine):
“Johnny twists a second in the AI’s massive grip (fault injection?), and then his analog - Keats’s small but beautiful body (GUI?) - is torn, compacted, smashed into an unrecognizable mass (corrupt dump?) which Ummon sets against his megalith flesh (private bytes?), absorbing the analogs’s remains (overwriting discarded pages?) back into the orange-and-red depths of itself (working set?).”
PS: Hyperion and The Fall of Hyperion is the best science fiction I have ever read and highly recommend:
I continue looking for crash dumps in Dan Simmons’s Endymion and Rise of Endymion books which are on my lunch time reading list as soon as I finish Global Conspiracy book I’m reading now.
- Dmitry Vostokov @ DumpAnalysis.org -
Q. Every time you open the specific Microsoft Word 2007 document on Vista WER error message box appears on the screen (click on the picture to enlarge):
What might be the cause of it?
You can find the correct answer in the comments to this post.
- Dmitry Vostokov @ DumpAnalysis.org -
Since the first release of Dump2Wave I was under pressure to publish its source code and today I released it under GPL. I have to apologize that it doesn’t always use secure string manipulation functions, error handling is copy/pasted several times and there are no comments. I promise better code in the next version. 
If you plan to make changes and improvements please let me know so I could enjoy your versions of memory sounds too. I used ancient Visual C++ 6.0 to compile and build the project.
// Dump2Wave version 1.2.1 (c) Dmitry Vostokov
// GNU GENERAL PUBLIC LICENSE
// http://www.gnu.org/licenses/gpl-3.0.txt
#include <iostream>
#include <process.h>
#include <windows.h>
#pragma pack(1)
typedef struct {
unsigned int riff; // 'RIFF'
unsigned int length; // dump size + sizeof(WAVEFILEHDR) - 8
unsigned int wave; // 'WAVE'
unsigned int fmt; // 'fmt '
unsigned int fmtlen; // 16
unsigned short code; // 1
unsigned short channels; // 2
unsigned int sps; // 44100
unsigned int avgbps; // sps*channels*(sbits/8)
unsigned short alignment; // 4
unsigned short sbits; // 16
unsigned int data; // 'data'
unsigned int datalen;
} WAVEFILEHDR;
#pragma pack()
WAVEFILEHDR hdr = {'FFIR', sizeof(WAVEFILEHDR) - 8, 'EVAW',
' tmf', 16, 1, 2, 44100, 44100*4, 4, 16, 'atad', 0};
void DisplayError (LPCSTR szPrefix)
{
LPSTR errMsg;
CHAR szMsg[256];
strncpy(szMsg, szPrefix, 128);
DWORD gle = GetLastError();
if (gle && FormatMessage(FORMAT_MESSAGE_ALLOCATE_BUFFER|
FORMAT_MESSAGE_FROM_SYSTEM, NULL, gle, 0,
(LPSTR)&errMsg, 0, NULL))
{
strcat(szMsg, ": ");
strncat(szMsg, errMsg, 120);
}
std::cout << szMsg << std::endl;
LocalFree(errMsg);
}
int main(int argc, char* argv[])
{
std::cout << std::endl << "Dump2Wave version 1.2.1" <<
std::endl << "Written by Dmitry Vostokov, 2006" <<
std::endl << std::endl;
if (argc < 3)
{
std::cout << "Usage: Dump2Wave dumpfile wavefile [44100|22050|11025|8000 16|8 2|1]" << std::endl;
return -1;
}
HANDLE hFile = CreateFile(argv[1],
GENERIC_READ, FILE_SHARE_READ, NULL,
OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
if (hFile == INVALID_HANDLE_VALUE)
{
DisplayError("Cannot read dump file");
return -1;
}
DWORD dwDumpSizeHigh = 0;
DWORD dwDumpSizeLow = GetFileSize(hFile, &dwDumpSizeHigh);
CloseHandle(hFile);
if (dwDumpSizeHigh)
{
std::cout << "The dump file must be less than 4Gb" <<
std::endl;
return -1;
}
if (argc == 6)
{
hdr.channels = atoi(argv[5]);
hdr.sps = atoi(argv[3]);
hdr.sbits = atoi(argv[4]);
hdr.avgbps = hdr.sps*hdr.channels*(hdr.sbits/8);
hdr.alignment = hdr.channels*(hdr.sbits/8);
}
dwDumpSizeLow = (dwDumpSizeLow/hdr.alignment)*(hdr.alignment);
hdr.length += dwDumpSizeLow;
hdr.datalen = dwDumpSizeLow;
hFile = CreateFile(argv[2], GENERIC_WRITE, 0,
NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL);
if (hFile == INVALID_HANDLE_VALUE)
{
DisplayError("Cannot create wave header file");
return -1;
}
DWORD dwWritten;
if (!WriteFile(hFile, &hdr, sizeof(hdr), &dwWritten, NULL))
{
DisplayError("Cannot write wave header file");
CloseHandle(hFile);
return -1;
}
CloseHandle(hFile);
std::string str = "copy \"";
str += argv[2];
str += "\" /B + \"";
str += argv[1];
str += "\" /B \"";
str += argv[2];
str += "\" /B";
system(str.c_str());
return 0;
}
- Dmitry Vostokov @ DumpAnalysis.org -
