## Archive for the ‘Mathematics of Debugging’ Category

Sunday, September 13th, 2020
Several Strands of Activity from different types of ATIDs (Adjoint Threads of Activity) combine into **Cord of Activity**:

Between cord and rope analogies we chose cord as having “ord” (ordinal) in it (and c as cardinal). It is also possible to combine several **Cords of Activity** from different traces (Trace Dimension) to form a “cable-laid rope”. We don’t introduce a separate pattern here since in the resulting Trace Mask we have new **Cord of Activity** due to the additionally created ATID type referencing former separate traces and logs. Data references in messages may provide additional braiding via Braids of Activity.

We started with strands (we got the idea from the discussion of ethnomathematics where strand analysis was mentioned) but then we found the following useful discussion on rope terminology: “Art and Science of Rope“.

- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -

Posted in Log Analysis, Mathematics of Debugging, Software Trace Analysis, Trace Analysis Patterns | No Comments »

Sunday, August 23rd, 2020
Sometimes we may want to **Flag** a message or Activity Region, for example, using Message Annotations. In other cases we may have **Activity Regions** are sorted by their coordinate-wise inclusion. Or we have inclusion of Message Sets. The analysis pattern name is borrowed from flag filtration in mathematics, where we consider subsets of messages and **Activity Regions** as subspaces. Dia|gram pictures of **Flags** may even resemble flags of some countries.

- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -

Posted in Log Analysis, Mathematics of Debugging, Software Trace Analysis, Trace Analysis Patterns | No Comments »

Friday, July 31st, 2020
It is possible to foliate traces into separate traces having the same structure and scale (we also show corresponding Trace Fabric for the original trace):

In the diagram above **Trace Foliation** was done for message type, for example, error and normal messages. The reverse operation of Trace Mask would produce the same original trace.

Correspondingly Trace Fabric can be foliated too giving rise to “orchestra” representation and vice versa via **Trace Mask**:

Bars can be added with the help of Silent Messages.

The name of this analysis pattern was also inspired by foliations in mathematics.

- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -

Posted in Log Analysis, Mathematics of Debugging, Software Trace Analysis, Trace Analysis Patterns, Trace Analysis and Music | No Comments »

Monday, July 20th, 2020
Traces and logs from diverse software systems doing different things may have similar **Trace Shape** despite completely different message content, especially for specific Threads of Activity or Adjoint Threads of Activity:

This may be apparent when we compare **Trace Shape** of Quotient Trace.

- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -

Posted in Log Analysis, Mathematics of Debugging, Software Trace Analysis, Trace Analysis Patterns, Trace Analysis and Geometry, Trace Analysis and Topology | No Comments »

Saturday, July 18th, 2020
Causal History messages (black circles) pass through Activity Regions which can be marked as hollow circles:

We call this analysis pattern **Trace D’Enfant** by analogy with dessin d’enfant in mathematics, a bipartite graph embedded in an oriented surface, so in theory **Traces D’Enfants** can be studied algebraically.

- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -

Posted in Log Analysis, Mathematics of Debugging, Software Trace Analysis, Trace Analysis Patterns | No Comments »

Friday, July 17th, 2020
The relations between Causal History messages (0-chains) can be abstracted as **Causal Chains** (1-chains). Two relations can be linked if an endpoint of one is also a beginning point of another:

The relations of 1-chains can be abstracted as 2-chains and so on (n-chains):

We took the idea of relation spaces and chains from already quoted “Discreet Causal Theory” book. Causal chain terminology is also used in philosophy.

- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -

Posted in Log Analysis, Mathematics of Debugging, Software Trace Analysis, Trace Analysis Patterns, Trace Analysis and Physics | No Comments »

Thursday, July 16th, 2020
When looking at Causal History we can choose **Causal Messages** (not necesseraly the top ones):

**Causal Messages** may not overlap with the trace Defect Group which may not have any causal relevance being only correlation messages.

- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -

Posted in Log Analysis, Mathematics of Debugging, Software Trace Analysis, Trace Analysis Patterns, Trace Analysis and Physics | No Comments »

Wednesday, July 15th, 2020
Trace Paths and Back Traces form **Causal History** of the log where arrows point in the direction of possible causation:

Here we borrow the notion of causal sets from physics and corresponding mathematics. The left diagramming idea was taken from Discrete Causal Theory book and Hasse diagrams (which is inverted in our picture). Also, such graphs are internal to software narratives compared to the more general external space we proposed earlier.

We omit **Time** arrow as it is possible to consider general traces and logs with their causality markers.

- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -

Posted in Log Analysis, Mathematics of Debugging, Software Trace Analysis, Trace Analysis Patterns, Trace Analysis and Physics | No Comments »

Monday, July 13th, 2020
Trace analysis gestures that result in CoTrace also produce **Trace Path** between messages of interest:

Such **Trace Paths** can also be useful for Trace Homotopy analysis. They also provide the basis for Explanation Traces.

Note that **Trace Path** is also a reverse for Back Trace analysis pattern. Both are usually selected from Working Set.

- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -

Posted in Log Analysis, Mathematics of Debugging, Software Trace Analysis, Trace Analysis Patterns | No Comments »

Thursday, July 9th, 2020
**Defect Group** analysis pattern addresses messages related to source code defects (PLOTs), problem descriptions, and Inter-Correlation with wrong configuration files (Small DA+TA). It differs from Message Set analysis pattern as a predicate to group them may not be easily available.

Such **Defect Groups** can be results of previous analyses activities. The name of the analysis pattern came from representation theory defect group of a block but at present, it is only name analogy.

- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -

Posted in Log Analysis, Mathematics of Debugging, Software Narratology, Software Trace Analysis, Trace Analysis Patterns | No Comments »

Sunday, June 14th, 2020
When interpreting a value as a pointer to a memory address we are usually interested in adjacent values pointed to:

`0:000> ? rdx`

Evaluate expression: 982485297288 = 000000e4`c0afe888

`0:000> ? poi(000000e4`c0afe888)`

Evaluate expression: 180 = 00000000`000000b4

`0:000> ? poi(rdx)`

Evaluate expression: 180 = 00000000`000000b4

`0:000> dps rdx-10 rdx+10`

000000e4`c0afe878 000000e4`c0afeac0

000000e4`c0afe880 000000e4`c0971000

000000e4`c0afe888 00000000`000000b4

000000e4`c0afe890 00000000`0000008c

000000e4`c0afe898 00000000`00000088

`0:000> r $t0 = 0`

`0:000> dps rdx-@$t0 rdx+@$t0`

000000e4`c0afe888 00000000`000000b4

`0:000> r $t0 = 20`

`0:000> dps rdx-@$t0 rdx+@$t0`

000000e4`c0afe868 00000000`00000001

000000e4`c0afe870 00001a38`00000001

000000e4`c0afe878 000000e4`c0afeac0

000000e4`c0afe880 000000e4`c0971000

000000e4`c0afe888 00000000`000000b4

000000e4`c0afe890 00000000`0000008c

000000e4`c0afe898 00000000`00000088

000000e4`c0afe8a0 00000000`00000088

000000e4`c0afe8a8 00000000`0000008c

We call this analysis pattern **Pointer Cone** by analogy with cones in category theory and our earlier attempts to use it. The reason for this pattern appearance is that it has been used in many times in other analysis pattern descriptions. We also intend to use this pattern language building block in our next analysis pattern.

- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -

Posted in Categorical Debugging, Crash Dump Analysis, Crash Dump Patterns, Mathematics of Debugging, x64 Windows | No Comments »

Tuesday, July 30th, 2019
**Trace Similarity** analysis pattern uses various similarity measures to assess the closeness of one trace or log to another. Here we provide an illustrative example using Jaccard index. Consider three simple logs where sample sets consist from Activity Regions:

The following table shows calculation of similarity between A and B, A and C, and B and C:

It’s possible to use sample sets consisting of messages instead. For our toy example we get similar index numbers:

We get different indexes though for individual regions and messages, for example:

- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -

Posted in Anomaly Detection, Log Analysis, Mathematics of Debugging, Software Trace Analysis, Trace Analysis Patterns, Trace Analysis and Topology | No Comments »

Saturday, July 27th, 2019
In addition to Declarative Trace we have code statements that may be intercepted by external API tracing tools (CreateFile, CloseHandle):

In the sample code above we have different logs resulted from **Declarative Trace** (DebugLog, OutputDebugString):

In addition, we have a log saved by an external tracing tool (for example, Process Monitor) that includes our API calls:

All such trace-generating source code statements form **Moduli Trace** as soon as they are executed:

Such a trace can also be analyzed using trace and log analysis patterns like other trace types. We took the idea of this analysis pattern from moduli spaces in mathematics that parametrize other spaces.

- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -

Posted in Log Analysis, Mathematics of Debugging, Software Trace Analysis, Trace Analysis Patterns, Trace Analysis and Topology | No Comments »

Tuesday, July 16th, 2019
**Cartesian Trace** analysis pattern has its analogical roots in Cartesian product. It covers a case where we have a long trace and a few Small DA+TA configuration traces (files). The former trace messages are associated with the latter messages (content or content changes) as depicted in the following diagram:

Think about a rectangle as a product of two line fragments or a cylinder as a product of a circle and a line fragment. Both traces are completely independent in comparison to Fiber Bundle, Trace Presheaf, or Trace Extension.

- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -

Posted in Log Analysis, Mathematics of Debugging, Software Trace Analysis, Trace Analysis Patterns | No Comments »

Sunday, July 14th, 2019
Some trace and log messages may have different grammatical structure and content but similar semantics. Therefore, we can create a table listing equivalent messages (using some equivalence relation) and use it to construct simpler traces and logs as depicted in this picture:

One trivial example of **Equivalent Messages** analysis pattern is Quotient Trace. Another example is Inter-Correlational analysis of logs that have different structure and format. In such a case **Equivalent Messages** simplify the analysis of higher Trace Dimensions.

- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -

Posted in Log Analysis, Mathematics of Debugging, Software Trace Analysis, Trace Analysis Patterns, Trace Analysis and Topology | No Comments »

Sunday, April 7th, 2019
If we run software with its default configuration and no interaction (input data) we get its **Minimal Trace**:

Such traces may have their own Master Trace. Also, Minimal Trace is a specific Use Case Trail. Metaphorically, they can be considered as minimal surfaces.

- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -

Posted in Log Analysis, Mathematics of Debugging, Software Trace Analysis, Trace Analysis Patterns, Trace Analysis and Geometry | No Comments »

Tuesday, March 26th, 2019
Based on a mathematical analogy with critical points in topology (Morse theory) we introduce **Critical Points** in trace and log analysis where they signify the change of trace or log “shape” (topological or “geometric” properties) as illustrated in the following diagram:

Such a point may be an individual message, its Message Context, or Activity Region.

**Critical Points** are examples of Intra-Correlation whereas Bifurcation Points are examples of Inter-Correlation.

- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -

Posted in Log Analysis, Mathematics of Debugging, Software Trace Analysis, Trace Analysis Patterns, Trace Analysis and Topology | No Comments »

Saturday, September 22nd, 2018
Sometimes, we ask for a log file to see State and Event pattern, and see it there, only to find that we cannot do Back Trace of State Dumps from some Significant Event for Inter-Correlation analysis because our Data Interval is truncated (Truncated Trace). This highlights the importance of proper tracing intervals that we call **Significant Interval** analysis pattern by analogy with significant digits in scientific measurements. The following diagram illustrate the pattern:

If you find out you get truncated traces and logs often you may want to increase Statement Current for state logging.

- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -

Posted in Log Analysis, Mathematics of Debugging, Software Trace Analysis, Software Trace Analysis Tips and Tricks, Software Tracing Design, Software Tracing Implementation Patterns, Trace Analysis Patterns | No Comments »

Saturday, September 8th, 2018
We can “integrate” trace message stream into another, smaller trace. By analogy with motivic integration in contemporary mathematics we call this analysis pattern **Motivic Trace**. There can be border cases where the whole trace is reduced to one message or every message is associated with a different message (perhaps shorter or a number). Message Sets that are integrated into **Motivic Trace** can be completely different (for example, based on Motives) in comparison with Quotient Trace where we reduce **Message Sets** that have the same common attribute.

- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -

Posted in Log Analysis, Mathematics of Debugging, Software Trace Analysis, Trace Analysis Patterns | No Comments »

Thursday, July 20th, 2017
Certain types of blind SQL injection attacks may leave log messages with just one byte difference. We call with analysis pattern **Ultrasimilar Messages** by analogy with an ultrametric space in mathematics and the interpretation of messages as p-adic numbers. Since, such messages may be scattered in a log we can choose Message Pattern based on some Message Invariant (for example, parts of SQL request) and then analyze its Fiber of Activity (for example, Data Flow of its variable part). A log with two different types of **Ultrasimilar Messages** is shown in the following diagram:

- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -

Posted in Log Analysis, Mathematics of Debugging, Security, Software Trace Analysis, Trace Analysis Patterns | No Comments »