Archive for the ‘Software Trace Analysis’ Category
Thursday, February 17th, 2011
This is the ultimate multi- and cross-platform debugging reference project dubbed internally as “Memory Dump of Debugging”. Useful for years to come, this encyclopedia would cover all aspects of debugging with articles from leading experts from both industry and academia. Preliminary product information:
- Title: Encyclopedia of Debugging
- Editor: Dmitry Vostokov
- Hardcover: 1200 pages
- Publisher: OpenTask (March 2014)
- ISBN-13: 978-1-908043-12-2
The title is a successor to both Encyclopedia of Crash Dump Analysis Patterns (ISBN: 978-1906717216) and Dictionary of Debugging (ISBN: 978-1906717353), which the publisher plans to release in the meantime.
- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -
Tuesday, February 8th, 2011
This pattern has a funny name: Gossip. I originally thought of calling it Duplicated Message but gave it the new name, allowing for the possibility that the semantics of the same message are distorted in subsequent trace messages from different adjoint threads. A typical ETW / CDF trace example (distortion-free) of the same message content seen in different modules (some columns, such as Date and Time, are omitted):
# Module PID TID Message
[...]
26875 ModuleA 2172 5284 LoadImageEvent: ImageName(\Device\HarddiskVolume2\Windows\System32\notepad.exe) ProcessId(0x000000000000087C)
26876 ModuleB 2172 5284 LoadImageEvent: ImageName(\Device\HarddiskVolume2\Windows\System32\notepad.exe), ProcessId(2172)
26877 ModuleC 2172 5284 ImageLoad: fileName=notepad.exe, pid: 000000000000087C
[...]
In such cases, when constructing Event Sequence Order, it is recommended to choose messages from one source instead of mixing events from different sources, for example:
# Module PID TID Message
[...]
26875 ModuleA 2172 5284 LoadImageEvent: ImageName(\Device\HarddiskVolume2\Windows\System32\notepad.exe) ProcessId(0x000000000000087C)
[...]
33132 ModuleA 4180 2130 LoadImageEvent: ImageName(\Device\HarddiskVolume2\Windows\System32\calc.exe) ProcessId(0x0000000000001054)
[...]
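The following Python is an added example, not code from the original post: it groups Gossip messages (same thread, same image and process ID, different modules) and then builds the event sequence from a single source. The sample rows are constructed from the trace layout above; the ModuleC calc.exe row and the rule for telling hexadecimal from decimal process IDs are assumptions.

```python
import ntpath
import re
from collections import defaultdict

# Constructed sample in the "# Module PID TID Message" layout shown above.
TRACE = r"""
26875 ModuleA 2172 5284 LoadImageEvent: ImageName(\Device\HarddiskVolume2\Windows\System32\notepad.exe) ProcessId(0x000000000000087C)
26876 ModuleB 2172 5284 LoadImageEvent: ImageName(\Device\HarddiskVolume2\Windows\System32\notepad.exe), ProcessId(2172)
26877 ModuleC 2172 5284 ImageLoad: fileName=notepad.exe, pid: 000000000000087C
33132 ModuleA 4180 2130 LoadImageEvent: ImageName(\Device\HarddiskVolume2\Windows\System32\calc.exe) ProcessId(0x0000000000001054)
33133 ModuleC 4180 2130 ImageLoad: fileName=calc.exe, pid: 0000000000001054
"""

ROW = re.compile(r"^(\d+)\s+(\S+)\s+(\d+)\s+(\d+)\s+(.+)$")
IMAGE = re.compile(r"(?:ImageName\(|fileName=)([^),]+)")
PROC = re.compile(r"(?:ProcessId\(|pid:\s*)(0x)?([0-9A-Fa-f]+)")


def parse(trace):
    """Split trace text into row dicts; lines that are not trace rows are skipped."""
    rows = []
    for line in trace.splitlines():
        m = ROW.match(line.strip())
        if m:
            no, module, pid, tid, msg = m.groups()
            rows.append({"no": int(no), "module": module, "pid": int(pid),
                         "tid": int(tid), "msg": msg})
    return rows


def content_key(msg):
    """Reduce a message to (image file name, process id), or None if either is missing."""
    image, proc = IMAGE.search(msg), PROC.search(msg)
    if not (image and proc):
        return None
    prefix, digits = proc.groups()
    # Assumption: a 0x prefix, a zero-padded 16-digit field, or any A-F digit
    # means the module logged the process id in hexadecimal.
    is_hex = bool(prefix) or len(digits) == 16 or re.search(r"[A-Fa-f]", digits)
    return ntpath.basename(image.group(1)).lower(), int(digits, 16 if is_hex else 10)


def find_gossip(rows):
    """Group rows with the same content on the same thread that come from different modules."""
    groups = defaultdict(list)
    for row in rows:
        key = content_key(row["msg"])
        if key:
            groups[(row["pid"], row["tid"], key)].append(row)
    gossip = []
    for (_pid, _tid, key), members in groups.items():
        modules = sorted({r["module"] for r in members})
        if len(modules) > 1:
            gossip.append({"content": key, "modules": modules,
                           "rows": [r["no"] for r in members]})
    return gossip


def event_sequence(rows, source):
    """Event Sequence Order built from one source module only."""
    sequence = []
    for row in rows:
        key = content_key(row["msg"])
        if row["module"] == source and key:
            sequence.append((row["no"], *key))
    return sequence


if __name__ == "__main__":
    parsed = parse(TRACE)
    for group in find_gossip(parsed):
        print(group)
    print(event_sequence(parsed, "ModuleA"))
```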
Sunday, January 30th, 2011
When reading and analyzing software traces, we always compare them to a Master Trace. Another name for this pattern, borrowed from narrative theory, is Archetype. When looking at a software trace from a system, we either know the correct sequence of Activity Regions and expect certain Background and Foreground Components and Event Sequence Order, or we mentally construct a model based on our experience and Implementation Discourse. For the latter, software engineers internalize software master narratives when they construct code and write tracing code for supportability. For the former, it is important to have a repository of traces corresponding to master traces. This helps in finding deviations after a Bifurcation Point. Consider such comparisons similar to regression testing, where we check the computation output against the expected prerecorded sequence.
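The comparison described above can be automated as follows; this Python is an added example, not code from the original post. It masks volatile fields, diffs an observed trace against a stored master trace and reports the index of the first deviation as the Bifurcation Point. Both message lists are constructed, and the masking rule (hexadecimal and decimal numbers) is an assumption.

```python
import re
from difflib import SequenceMatcher

# Constructed master trace and observed trace (message column only).
MASTER = [
    "Session 3 logon started",
    "LoadImageEvent: ImageName(notepad.exe) ProcessId(0x87C)",
    "Profile loaded for user 1001",
    "Shell started",
    "Logon completed in 1200 ms",
]
OBSERVED = [
    "Session 7 logon started",
    "LoadImageEvent: ImageName(notepad.exe) ProcessId(0x1054)",
    "Profile load failed, status 0x5",
    "Retrying profile load",
    "Shell started",
]

# Assumption: hex and decimal numbers (PIDs, session ids, durations) vary from
# run to run and must not count as deviations from the master trace.
VOLATILE = re.compile(r"0x[0-9A-Fa-f]+|\b\d+\b")


def template(message):
    """Replace volatile values so that two runs of one scenario compare equal."""
    return VOLATILE.sub("<n>", message)


def compare_to_master(master, observed):
    """Return (bifurcation_index, deviations).

    bifurcation_index is the position in `observed` where it first departs
    from the master trace, or None when the two traces agree.
    """
    a = [template(m) for m in master]
    b = [template(m) for m in observed]
    deviations = []
    for tag, i1, i2, j1, j2 in SequenceMatcher(a=a, b=b, autojunk=False).get_opcodes():
        if tag != "equal":
            deviations.append({"kind": tag, "at": j1,
                               "expected": master[i1:i2],
                               "observed": observed[j1:j2]})
    bifurcation = deviations[0]["at"] if deviations else None
    return bifurcation, deviations


if __name__ == "__main__":
    point, found = compare_to_master(MASTER, OBSERVED)
    print("bifurcation point at message index", point)
    for deviation in found:
        print(deviation)
```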
Tuesday, January 25th, 2011
This is the 3rd revision of memory map visualization tools list where I include IDA Pro and a visualizer from Debug Analyzer.NET (every category is presented in chronological order of my encounter with links):
1. Synthetic
2. Natural
a. Static
b. Semi-dynamic
c. Dynamic
Please let me know any other approaches or links you know.
Saturday, January 22nd, 2011
Pre-analysis - Avoiding crash dump analysis anti-patterns like wrong dump or zippocricy. Sometimes it goes with wild explanation no one asked for. Checking whether a software trace is empty before sending it.
Examples: He is always doing !locks pre-analysis before sending any dump.
Saturday, January 22nd, 2011
Software trace analysis is difficult, and it is very common to hear “couldn’t see anything …”. One of the advantages of software trace analysis patterns is that we can use that pattern language to write analysis reports. Here I provide an example of an analysis of a CDF trace from a Citrix XenApp server. Instead of replying “didn’t find anything suspicious …”, an engineer identified the following patterns:
With the list of patterns, it was much easier to ask questions to aid further troubleshooting.
Wednesday, January 19th, 2011
A memory dump “analysis is never finished, it is only abandoned”
Paul Valéry
Saturday, January 15th, 2011
Stack Trace is a general pattern, and fine-grained patterns can always be found in stack traces as well. Here we discuss the general category of such stack trace patterns, called Technology-Specific Subtrace (TSST), and give examples related to COM technology.
Consider this trace:
1: kd> k250
ChildEBP RetAddr
8d5d2808 82a7eb15 nt!KiSwapContext+0x26
8d5d2840 82a7d403 nt!KiSwapThread+0x266
8d5d2868 82a772cf nt!KiCommitThreadWait+0x1df
8d5d28e0 82550d75 nt!KeWaitForSingleObject+0x393
8d5d293c 82550e10 win32k!xxxRealSleepThread+0x1d7
8d5d2958 824ff4b0 win32k!xxxSleepThread+0x2d
8d5d29cc 825547e8 win32k!xxxInterSendMsgEx+0xb1c
8d5d2a1c 825546a4 win32k!xxxSendMessageTimeout+0x13b
8d5d2a44 82533843 win32k!xxxSendMessage+0x28
8d5d2b08 824fd865 win32k!xxxCalcValidRects+0xf7
8d5d2b64 82502c98 win32k!xxxEndDeferWindowPosEx+0x100
8d5d2b84 825170c9 win32k!xxxSetWindowPos+0xf6
8d5d2c08 82517701 win32k!xxxActivateThisWindow+0x2b1
8d5d2c38 82517537 win32k!xxxActivateWindow+0x144
8d5d2c4c 824fd9dd win32k!xxxSwpActivate+0x44
8d5d2ca4 82502c98 win32k!xxxEndDeferWindowPosEx+0x278
8d5d2cc4 824fff82 win32k!xxxSetWindowPos+0xf6
8d5d2d10 82a5342a win32k!NtUserSetWindowPos+0x140
8d5d2d10 76ee64f4 nt!KiFastCallEntry+0x12a (TrapFrame @ 8d5d2d34)
01e2cea0 7621358d ntdll!KiFastSystemCallRet
01e2cea4 6a8fa0eb USER32!NtUserSetWindowPos+0xc
01e2cf14 6a894b13 IEFRAME!SHToggleDialogExpando+0x15a
01e2cf28 6a894d5d IEFRAME!EleDlg::ToggleExpando+0x20
01e2d74c 6a895254 IEFRAME!EleDlg::OnInitDlg+0x229
01e2d7b8 762186ef IEFRAME!EleDlg::DlgProcEx+0x189
01e2d7e4 76209eb2 USER32!InternalCallWinProc+0x23
01e2d860 7620b98b USER32!UserCallDlgProcCheckWow+0xd6
01e2d8a8 7620bb7b USER32!DefDlgProcWorker+0xa8
01e2d8c4 762186ef USER32!DefDlgProcW+0x22
01e2d8f0 76218876 USER32!InternalCallWinProc+0x23
01e2d968 76217631 USER32!UserCallWinProcCheckWow+0x14b
01e2d9a8 76209b1d USER32!SendMessageWorker+0x4d0
01e2da64 76235500 USER32!InternalCreateDialog+0xb0d
01e2da94 76235553 USER32!InternalDialogBox+0xa7
01e2dab4 76235689 USER32!DialogBoxIndirectParamAorW+0x37
01e2dad8 6a5d4952 USER32!DialogBoxParamW+0x3f
01e2db00 6a5d5024 IEFRAME!Detour_DialogBoxParamW+0x47
01e2db24 6a8956df IEFRAME!SHFusionDialogBoxParam+0x32
01e2db58 6a8957bb IEFRAME!EleDlg::ShowDialog+0x398
01e2e638 6a8959d3 IEFRAME!ShowDialogBox+0xb6
01e2eb9c 6a9013ed IEFRAME!ShowElevationPrompt+0x1dd
01e2f010 7669fc8f IEFRAME!CIEUserBrokerObject::BrokerCoCreateInstance+0x202
01e2f040 76704c53 RPCRT4!Invoke+0x2a
01e2f448 76d9d936 RPCRT4!NdrStubCall2+0x2d6
01e2f490 76d9d9c6 ole32!CStdStubBuffer_Invoke+0xb6
01e2f4d8 76d9df1f ole32!SyncStubInvoke+0x3c
01e2f524 76cb213c ole32!StubInvoke+0xb9
01e2f600 76cb2031 ole32!CCtxComChnl::ContextInvoke+0xfa
01e2f61c 76d9a754 ole32!MTAInvoke+0x1a
01e2f64c 76d9dcbb ole32!AppInvoke+0xab
01e2f72c 76d9a773 ole32!ComInvokeWithLockAndIPID+0x372
01e2f778 7669f34a ole32!ThreadInvoke+0x302
01e2f7b4 7669f4da RPCRT4!DispatchToStubInCNoAvrf+0x4a
01e2f80c 7669f3c6 RPCRT4!RPC_INTERFACE::DispatchToStubWorker+0x16c
01e2f834 766a0cef RPCRT4!RPC_INTERFACE::DispatchToStub+0x8b
01e2f86c 7669f882 RPCRT4!RPC_INTERFACE::DispatchToStubWithObject+0xb2
01e2f8b8 7669f7a4 RPCRT4!LRPC_SCALL::DispatchRequest+0x23b
01e2f8d8 7669f763 RPCRT4!LRPC_SCALL::QueueOrDispatchCall+0xbd
01e2f8f4 7669f5ff RPCRT4!LRPC_SCALL::HandleRequest+0x34f
01e2f928 7669f573 RPCRT4!LRPC_SASSOCIATION::HandleRequest+0x144
01e2f960 7669ee4f RPCRT4!LRPC_ADDRESS::HandleRequest+0xbd
01e2f9dc 7669ece7 RPCRT4!LRPC_ADDRESS::ProcessIO+0x50a
01e2f9e8 766a1357 RPCRT4!LrpcServerIoHandler+0x16
01e2f9f8 76ecd3a3 RPCRT4!LrpcIoComplete+0x16
01e2fa20 76ed0748 ntdll!TppAlpcpExecuteCallback+0x1c5
01e2fb88 76e11174 ntdll!TppWorkerThread+0x5a4
01e2fb94 76efb3f5 kernel32!BaseThreadInitThunk+0xe
01e2fbd4 76efb3c8 ntdll!__RtlUserThreadStart+0x70
01e2fbec 00000000 ntdll!_RtlUserThreadStart+0x1b
In the middle of the stack trace we see a COM interface invocation in the IEFRAME module. A similar stack trace fragment can be found in the following stack trace, where the COM IRemUnknown interface implementation resides in the .NET CLR mscorwks module:
0:000> kL
ChildEBP RetAddr
0018a924 68b5f8f0 mscorwks!SafeReleaseHelper+0x77
0018a958 68b04a99 mscorwks!SafeRelease+0x2f
0018a98c 68b04860 mscorwks!IUnkEntry::Free+0x68
0018a9a0 68b049b5 mscorwks!RCW::ReleaseAllInterfaces+0x18
0018a9d0 68b049e1 mscorwks!RCW::ReleaseAllInterfacesCallBack+0xbd
0018aa00 68c0a108 mscorwks!RCW::Cleanup+0x22
0018aa0c 68c0a570 mscorwks!RCWCleanupList::ReleaseRCWListRaw+0x16
0018aa3c 68bd4b3d mscorwks!RCWCleanupList::ReleaseRCWListInCorrectCtx+0xdf
0018aa4c 75dd8c2e mscorwks!CtxEntry::EnterContextCallback+0x89
0018aa68 763c586c ole32!CRemoteUnknown::DoCallback+0x7a
0018aa84 764405f1 rpcrt4!Invoke+0x2a
0018ae88 75efd936 rpcrt4!NdrStubCall2+0x2ea
0018aed0 75efd9c6 ole32!CStdStubBuffer_Invoke+0xb6
0018af18 75efdf1f ole32!SyncStubInvoke+0x3c
0018af64 75e1223c ole32!StubInvoke+0xb9
0018b040 75e12131 ole32!CCtxComChnl::ContextInvoke+0xfa
0018b05c 75e130fa ole32!MTAInvoke+0x1a
0018b088 75efde47 ole32!STAInvoke+0x46
0018b0bc 75efdcbb ole32!AppInvoke+0xab
0018b19c 75efe34c ole32!ComInvokeWithLockAndIPID+0x372
0018b1c4 75e12ed2 ole32!ComInvoke+0xc5
0018b1d8 75e12e91 ole32!ThreadDispatch+0x23
0018b21c 75a06238 ole32!ThreadWndProc+0x161
0018b248 75a068ea user32!InternalCallWinProc+0x23
0018b2c0 75a07d31 user32!UserCallWinProcCheckWow+0x109
0018b320 75a07dfa user32!DispatchMessageWorker+0x3bc
0018b330 75ddd6be user32!DispatchMessageW+0xf
0018b360 75ddd66d ole32!CCliModalLoop::PeekRPCAndDDEMessage+0x4c
0018b390 75ddd57e ole32!CCliModalLoop::FindMessage+0x30
0018b3f0 75ddd633 ole32!CCliModalLoop::HandleWakeForMsg+0x41
0018b408 75dd1117 ole32!CCliModalLoop::BlockFn+0xc3
0018b488 68a6c905 ole32!CoWaitForMultipleHandles+0xcd
0018b4a8 68a6c866 mscorwks!NT5WaitRoutine+0x51
0018b514 68a6c7ca mscorwks!MsgWaitHelper+0xa5
0018b534 68b5fbe4 mscorwks!Thread::DoAppropriateAptStateWait+0x28
0018b5b8 68b5fc79 mscorwks!Thread::DoAppropriateWaitWorker+0x13c
0018b608 68b5fdf9 mscorwks!Thread::DoAppropriateWait+0x40
0018b664 68a1c5b6 mscorwks!CLREvent::WaitEx+0xf7
0018b678 68b1adb4 mscorwks!CLREvent::Wait+0x17
0018b6c8 68b1ab2a mscorwks!WKS::GCHeap::FinalizerThreadWait+0xfb
0018b764 08fa12c1 mscorwks!GCInterface::RunFinalizers+0x99
[…]
A TSST usually spans several modules. In any stack trace we can also find several TSSTs that may overlap. For example, in the first stack trace above we can discern fragments of COM, RPC, LPC, GUI Dialog, Window Management, and Window Messaging subtraces. In the second trace we can also see GC, Modal Loop, COM Wrapper, and Interface Management stack frames.
The closest software trace analysis pattern here is Implementation Discourse.
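The shared COM invocation fragment can be located mechanically. The Python below is an added example, not code from the original post: it parses 32-bit `k` output, ignores offsets and letter case, and returns the contiguous frame runs common to two stacks together with the modules each run spans. The two inputs are excerpts of the stack traces above; the function names and the two-frame minimum are assumptions.

```python
import re
from difflib import SequenceMatcher

# Excerpts of the two `k` listings above (frames around the COM invocation).
IE_STACK = """
ChildEBP RetAddr
01e2eb9c 6a9013ed IEFRAME!ShowElevationPrompt+0x1dd
01e2f010 7669fc8f IEFRAME!CIEUserBrokerObject::BrokerCoCreateInstance+0x202
01e2f040 76704c53 RPCRT4!Invoke+0x2a
01e2f448 76d9d936 RPCRT4!NdrStubCall2+0x2d6
01e2f490 76d9d9c6 ole32!CStdStubBuffer_Invoke+0xb6
01e2f4d8 76d9df1f ole32!SyncStubInvoke+0x3c
01e2f524 76cb213c ole32!StubInvoke+0xb9
01e2f600 76cb2031 ole32!CCtxComChnl::ContextInvoke+0xfa
01e2f61c 76d9a754 ole32!MTAInvoke+0x1a
01e2f64c 76d9dcbb ole32!AppInvoke+0xab
01e2f72c 76d9a773 ole32!ComInvokeWithLockAndIPID+0x372
01e2f778 7669f34a ole32!ThreadInvoke+0x302
01e2f7b4 7669f4da RPCRT4!DispatchToStubInCNoAvrf+0x4a
"""

CLR_STACK = """
ChildEBP RetAddr
0018aa4c 75dd8c2e mscorwks!CtxEntry::EnterContextCallback+0x89
0018aa68 763c586c ole32!CRemoteUnknown::DoCallback+0x7a
0018aa84 764405f1 rpcrt4!Invoke+0x2a
0018ae88 75efd936 rpcrt4!NdrStubCall2+0x2ea
0018aed0 75efd9c6 ole32!CStdStubBuffer_Invoke+0xb6
0018af18 75efdf1f ole32!SyncStubInvoke+0x3c
0018af64 75e1223c ole32!StubInvoke+0xb9
0018b040 75e12131 ole32!CCtxComChnl::ContextInvoke+0xfa
0018b05c 75e130fa ole32!MTAInvoke+0x1a
0018b088 75efde47 ole32!STAInvoke+0x46
0018b0bc 75efdcbb ole32!AppInvoke+0xab
0018b19c 75efe34c ole32!ComInvokeWithLockAndIPID+0x372
0018b1c4 75e12ed2 ole32!ComInvoke+0xc5
"""

# ChildEBP, RetAddr, module!symbol, optional +offset (32-bit layout only).
# The offset also accepts the typographic "×" that web rendering sometimes
# substitutes for "x" in pasted traces.
FRAME = re.compile(
    r"^[0-9a-fA-F]{8}\s+[0-9a-fA-F]{8}\s+([^!\s]+)!(\S+?)"
    r"(?:\+0[x×][0-9a-fA-F]+)?(?:\s.*)?$"
)


def parse_stack(text):
    """Return frames as lowercase 'module!symbol'; headers and prompts are skipped."""
    frames = []
    for line in text.splitlines():
        m = FRAME.match(line.strip())
        if m:
            frames.append(f"{m.group(1)}!{m.group(2)}".lower())
    return frames


def shared_subtraces(stack_a, stack_b, min_frames=2):
    """Contiguous frame runs present in both stacks, in stack order of stack_a."""
    a, b = parse_stack(stack_a), parse_stack(stack_b)
    matcher = SequenceMatcher(a=a, b=b, autojunk=False)
    found = []
    for block in matcher.get_matching_blocks():
        if block.size >= min_frames:
            frames = a[block.a:block.a + block.size]
            modules = sorted({frame.split("!")[0] for frame in frames})
            found.append({"frames": frames, "modules": modules})
    return found


if __name__ == "__main__":
    for subtrace in shared_subtraces(IE_STACK, CLR_STACK):
        print(subtrace["modules"], subtrace["frames"])
```

The first run returned covers the frames from Invoke through MTAInvoke in both rpcrt4 and ole32; the STAInvoke frame present only in the second trace splits off a second, shorter run.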
Friday, January 14th, 2011
The Year of Dump Analysis, 0x7DA, was another remarkable year for DumpAnalysis.org. Here is the list of major achievements to report:
- Proposed software narratological framework
- Extended the concept of multithreading with adjoint threading
- After recognizing victimware as a counterpart to crimeware established Victimware.org (currently points to Memory Dump, Software Trace, Debugging and Malware Analysis Portal)
- Established the Dublin School of Security
- Proposed using category theory for memory dump analysis as an alternative to set-theoretical frameworks
- Secured the first Memory Dump Analysis Audit Service and its subsidiary Tool Objects: Unified Troubleshooting and Debugging to become portal sponsors
- Completely redesigned Debugging Experts Magazine Online
- Contributed to two issues of Debugged! MZ/PE magazine: Multithreading and Tools for Software Problem Solving
- Published the 4th volume of Memory Dump Analysis Anthology with color supplement
- Prepared material for the 5th volume of Memory Dump Analysis Anthology (to be published in January, 2011)
- Organized the first Debugging Jokes Competition and the first Tell Your Windows Debugging Story Competition
- Established the Metaphysical Society of Ireland to promote memory dump worldview
- Helped to deliver Fundamentals of Complete Crash and Hang Memory Dump Analysis webinar
- Established the Museum of Debugging and Memory Dumps (the 1st exhibition opens in 2011)
- Introduced Unified Debugging patterns, Workaround patterns and Structural Memory Analysis patterns
- Proposed and organized the first Memory Analysts and Debuggers Day (to be celebrated annually)
- Continued working on CARE research project and published its reference architecture
- Unified memory dump and software trace analysis patterns as software behavior patterns
- Memory Dump Analysis Anthology got international recognition when Korean translation of 1st volume was published
… and much more including many new memory dump and software trace analysis patterns, pattern icons, pattern models, and pattern-driven analysis case studies.
Sunday, January 9th, 2011
According to Google Analytics the number of visits / year increased by 0.7% since 2009 with almost 156,000 unique visitors (1% increase) from 184 countries (183 in 2009) and more than 33% of them are coming back. 1,322 visits were via 12 mobile operating systems (512% increase). Here are the top 100 network locations out of 28,612 (1% increase):
| Service Provider | Visits |
| microsoft corp | 6298 |
| comcast cable communications inc. | 4144 |
| road runner holdco llc | 3579 |
| internet service provider | 3106 |
| verizon internet services inc. | 2589 |
| comite gestor da internet no brasil | 2418 |
| hewlett-packard company | 2324 |
| japan network information center | 2199 |
| deutsche telekom ag | 2145 |
| reliance communications ltd | 1985 |
| network of citrix systems inc | 1698 |
| eircom | 1602 |
| chunghwa telecom data communication business group | 1560 |
| nib (national internet backbone) | 1458 |
| charter communications | 1325 |
| symantec corporation | 1261 |
| proxad / free sas | 1252 |
| samtel | 1121 |
| uunet non-portable customer assignment | 1087 |
| at&t internet services | 1084 |
| intel corporation | 1083 |
| cox communications | 1067 |
| abts (karnataka) | 1060 |
| qwest communications company llc | 957 |
| comcast cable communications holdings inc | 940 |
| korea telecom | 900 |
| chtd chunghwa telecom co. ltd. | 859 |
| comcast business communications inc. | 829 |
| chinanet guangdong province network | 817 |
| ip pools | 802 |
| xo communications | 802 |
| china unicom beijing province network | 799 |
| microsoft | 771 |
| data general corporation | 765 |
| shaw communications inc. | 761 |
| comcast cable communications | 746 |
| tw telecom holdings inc. | 697 |
| unknown | 684 |
| citrix systems inc. | 681 |
| telefonica de espana sau | 674 |
| psinet inc. | 661 |
| telstra internet | 647 |
| chinanet shanghai province network | 637 |
| arcor ag | 622 |
| krnic | 621 |
| cox communications inc. | 595 |
| bellsouth.net inc. | 576 |
| optimum online (cablevision systems) | 559 |
| starhub cable vision ltd | 539 |
| ntt communications corporation | 521 |
| dell computer corporation | 519 |
| computer associates international | 497 |
| comcast cable communications ip services | 481 |
| cisco systems inc. | 463 |
| research in motion limited | 459 |
| sympatico hse | 456 |
| abts delhi | 425 |
| eset s.r.o. | 425 |
| telus communications inc. | 416 |
| comstar-direct cjsc | 413 |
| customers ie | 411 |
| emc corporation | 408 |
| abts tamilnadu | 398 |
| iinet limited | 381 |
| lg dacom corporation | 376 |
| rcs & rds s.a. | 376 |
| opal telecom dsl | 372 |
| network of ign arch. and design gb | 367 |
| kaspersky lab internet | 362 |
| easynet ltd | 356 |
| honeywell international inc. | 347 |
| dynamic ip pool for broadband customers | 343 |
| dynamic pools | 336 |
| siemens ag | 335 |
| global crossing | 333 |
| provider local registry | 332 |
| tpg internet pty ltd. | 328 |
| ojsc north-west telecom | 326 |
| telia network services | 326 |
| ipg | 312 |
| information management group | 310 |
| chinanet jiangsu province network | 307 |
| bharti infotel ltd. | 305 |
| wipro technologies | 302 |
| t-com croatia internet network | 291 |
| pt telkom indonesia | 289 |
| telecom italia s.p.a. tin easy lite | 288 |
| neostrada plus | 285 |
| singnet pte ltd | 285 |
| multiprotocol service provider to other isp s and end users | 282 |
| ibm india private limited | 278 |
| microsoft corporation | 266 |
| ekk catv plovdiv | 262 |
| alice dsl | 260 |
| level 3 communications inc. | 257 |
| telekom malaysia berhad | 257 |
| ukrtelecom ip network | 254 |
| comcast cable communications inc | 251 |
| appense | 250 |
| uecomm | 250 |
Almost 71,000 Google search keywords pointed to the portal and this blog with 100 most frequent (some are in Russian):
| Keyword | Visits |
| crash dump | 2776 |
| crash dump analysis | 2463 |
| kifastsystemcallret | 2451 |
| adplus | 916 |
| ntdll!kifastsystemcallret | 905 |
| dump analysis | 865 |
| win32 error 0n2 | 693 |
| dumpanalysis.org | 595 |
| memory dump analysis | 530 |
| windows 7 crash dump | 516 |
| windbg commands | 513 |
| bugcheck system_service_exception | 487 |
| дамп памяти | 473 |
| crash dump windows 7 | 451 |
| windbg | 437 |
| fnodobfm | 431 |
| bugcheck 3b | 406 |
| crashdump | 404 |
| crash dumps | 385 |
| minidump analysis | 383 |
| windbg crash dump analysis | 382 |
| crash dump analyzer | 381 |
| windbg cheat sheet | 343 |
| adplus download | 330 |
| анализ дампа памяти | 325 |
| dmitry vostokov | 311 |
| dump analyzer | 311 |
| windbg analyze | 308 |
| warning: frame ip not in any known module. following frames may be wrong. | 290 |
| the stored exception information can be accessed via .ecxr. | 278 |
| core dump analysis | 268 |
| symbol file could not be found | 267 |
| frame ip not in any known module | 263 |
| bugcheck kmode_exception_not_handled | 256 |
| dumpanalysis | 250 |
| the stored exception information can be accessed via .ecxr | 242 |
| memory dump analysis anthology | 238 |
| ntkrnlmp.exe crash dump | 233 |
| system_thread_exception_not_handled | 225 |
| kiuserexceptiondispatcher | 222 |
| getcontextstate failed, 0x80070026 | 210 |
| 0eedfade | 207 |
| kisystemservicecopyend | 204 |
| windbg crash dump | 203 |
| kernel_mode_exception_not_handled | 202 |
| rtlplowfragheapfree | 202 |
| windows crash dump analysis | 202 |
| crash dump analysis tool | 196 |
| exception_double_fault | 195 |
| trap frame | 189 |
| ntdll kifastsystemcallret | 183 |
| nt!kebugcheckex | 178 |
| tppworkerthread | 178 |
| vista kmode_exception_not_handled | 177 |
| dump artefact trace artefact | 170 |
| dump file analyzer | 168 |
| adplus tutorial | 165 |
| pool corruption | 160 |
| rtldispatchexception wine | 155 |
| termdd!icacallnextdriver | 155 |
| application_fault_status_breakpoint | 153 |
| ntdll.dll!kifastsystemcallret | 153 |
| basethreadinitthunk | 152 |
| bugcheck 7e | 151 |
| analyze crash dump | 150 |
| windbg script | 149 |
| memory dump analysis tool | 146 |
| warning: stack unwind information not available. following frames may be wrong. | 146 |
| error: symbol file could not be found | 145 |
| free special np | 145 |
| rtluserthreadstart | 141 |
| download adplus | 140 |
| мещанина никифора никитина | 140 |
| failure_bucket_id | 131 |
| application_hang_blockedon_fileio | 129 |
| how to use windbg for crash dump analysis | 123 |
| windows dump analyzer | 123 |
| getcontextstate failed, 0xd0000147 | 122 |
| stack_text | 121 |
| minidump analyzer | 120 |
| time travel debugging | 120 |
| windbg dump analysis | 120 |
| __dyn_tls_init_callback | 118 |
| localdumps | 118 |
| system_service_exception 3b | 118 |
| windbg scripts | 118 |
| getcontextstate failed | 114 |
| unable to load image win32 error 0n2 | 114 |
| windbg hang | 114 |
| windows crash dump | 114 |
| crash dump vista | 112 |
| debug_flr_image_timestamp | 110 |
| ntdll.kifastsystemcallret | 107 |
| system_service_exception | 107 |
| system_thread_exception_not_handled (7e) | 107 |
| анализ дампов памяти | 107 |
| bugcheck c2 | 106 |
| kifastcallentry | 106 |
| ldrpsnapthunk | 106 |
| nmi_hardware_failure | 104 |
Special thanks to more than 1,100 web sites that mention the portal and this blog with the first top 100:
| Source | Visits |
| google.com | 3955 |
| windbg.org | 2190 |
| windbg.dumpanalysis.org | 2178 |
| google.co.in | 1366 |
| twitter.com | 1295 |
| blog.codeimproved.net | 1158 |
| stackoverflow.com | 1075 |
| facebook.com | 780 |
| winvistaclub.com | 751 |
| blogs.msdn.com | 741 |
| dumpanalysis.com | 680 |
| reddit.com | 618 |
| dumpanalysis.org | 586 |
| images.google.com | 522 |
| google.co.uk | 456 |
| bytetalk.net | 398 |
| google.de | 359 |
| itdatabase.com | 351 |
| advancedwindowsdebugging.com | 291 |
| en.wikipedia.org | 283 |
| google.ca | 280 |
| analyze-v.com | 254 |
| advanceddotnetdebugging.com | 246 |
| google.com.au | 220 |
| serverfault.com | 201 |
| community.citrix.com | 199 |
| google.ru | 180 |
| nynaeve.net | 170 |
| jasonhaley.com | 167 |
| blog.miniasp.com | 166 |
| google.fr | 166 |
| google.es | 165 |
| google.com.br | 158 |
| google.co.kr | 152 |
| reconstructer.org | 151 |
| blogs.microsoft.co.il | 148 |
| blog.naver.com | 143 |
| forum.sysinternals.com | 141 |
| google.com.ua | 133 |
| netfxharmonics.com | 133 |
| google.it | 126 |
| google.nl | 126 |
| debuggingexperts.com | 124 |
| blog.not-a-kernel-guy.com | 119 |
| images.google.co.in | 107 |
| citrixblogger.org | 104 |
| opentask.com | 103 |
| google.pl | 102 |
| images.google.co.uk | 98 |
| delicious.com | 97 |
| support.citrix.com | 88 |
| isisaka.com | 85 |
| linkedin.com | 83 |
| google.com.ar | 81 |
| google.com.tr | 81 |
| j00ru.vexillium.org | 81 |
| google.com.tw | 79 |
| pchelpforum.com | 78 |
| social.technet.microsoft.com | 78 |
| debuggingexperts.dumpanalysis.org | 77 |
| google.se | 77 |
| codemachine.com | 73 |
| google.com.ph | 73 |
| rfvicente.spaces.live.com | 70 |
| advdbg.org | 68 |
| google.co.il | 68 |
| google.co.za | 68 |
| techsupportforum.com | 68 |
| otvety.google.ru | 67 |
| google.com.sg | 66 |
| jinaida.egloos.com | 65 |
| google.ie | 64 |
| google.be | 63 |
| voneinem-windbg.blogspot.com | 62 |
| images.google.de | 60 |
| saygoodnight.com | 59 |
| caloni.com.br | 57 |
| google.at | 57 |
| google.ro | 56 |
| msuiche.net | 56 |
| driverentry.com.br | 55 |
| google.ch | 55 |
| google.com.pk | 54 |
| mitbbs.com | 54 |
| google.com.my | 53 |
| serious-code.net | 53 |
| bugswar.blogspot.com | 51 |
| google.com.mx | 51 |
| iconfactory.com | 51 |
| advdbg.com | 49 |
| managementbits.com | 49 |
| rsdn.ru | 48 |
| techradar.com | 48 |
| blog.48bits.com | 47 |
| cs.rochester.edu | 47 |
| dogpile.com | 47 |
| images.google.ca | 47 |
| evilcodecave.wordpress.com | 46 |
| google.pt | 46 |
Top 25 visiting countries:
| Country/Territory | Visits |
| United States | 69610 |
| India | 19007 |
| United Kingdom | 16399 |
| Russia | 12497 |
| Germany | 10027 |
| China | 7942 |
| Canada | 7277 |
| Japan | 5393 |
| France | 5260 |
| South Korea | 4551 |
| Australia | 4305 |
| Taiwan | 3882 |
| Ireland | 3361 |
| Netherlands | 3152 |
| Spain | 3045 |
| Ukraine | 2981 |
| Italy | 2774 |
| Israel | 2720 |
| Brazil | 2592 |
| Poland | 2519 |
| Sweden | 2495 |
| Singapore | 2367 |
| Romania | 1990 |
| Czech Republic | 1784 |
| Belgium | 1481 |
More than 9,000 portal and blog pages were viewed a total of almost 387,000 times with top 100 content pages:
| Page | Pageviews |
| / | 45061 |
| /blog/ | 35363 |
| /blog/index.php/2008/01/10/what-is-kifastsystemcallret/ | 6673 |
| /blog/index.php/2007/06/20/crash-dump-analysis-checklist/ | 6212 |
| /blog/index.php/category/windbg-tips-and-tricks/ | 6151 |
| /ru/blog/ | 4929 |
| /blog/index.php/2008/09/12/adplus-in-21-seconds-and-13-steps/ | 3554 |
| /Tools | 3442 |
| /blog/index.php/2007/07/20/crash-dump-analysis-patterns-part-17/ | 3311 |
| /blog/index.php/category/windows-7/ | 3267 |
| /Crash+Dump+Analysis+for+System+Administrators | 2904 |
| /blog/index.php/category/minidump-analysis/ | 2612 |
| /blog/index.php/2007/09/06/minidump-analysis-part-2/ | 2604 |
| /blog/index.php/2006/10/31/crash-dump-analysis-patterns-part-2/ | 2443 |
| /blog/index.php/2007/04/03/crash-dump-analysis-patterns-part-11/ | 2366 |
| /blog/index.php/2006/10/30/crash-dump-analysis-patterns-part-1/ | 2314 |
| /blog/index.php/category/windbg-scripts/ | 2286 |
| /blog/index.php/2008/03/12/bug-check-frequencies/ | 2220 |
| /blog/index.php/2008/03/13/crash-dump-analysis-patterns-part-2b/ | 2113 |
| /blog/index.php/2008/06/12/crash-dump-analysis-patterns-part-59b/ | 2104 |
| /WinDbg+reference | 2076 |
| /Forthcoming+Windows+Debugging+Notebook | 2054 |
| /blog/index.php/2008/04/22/bugchecks-system_service_exception/ | 2048 |
| /blog/index.php/about/ | 2038 |
| /blog/index.php/2007/10/11/minidump-analysis-part-4/ | 1868 |
| /blog/index.php/category/windows-server-2008/ | 1741 |
| /blog/index.php/2007/09/11/crash-dump-analysis-patterns-part-26/ | 1736 |
| /blog/index.php/2008/01/24/crash-dump-analysis-patterns-part-43/ | 1661 |
| /blog/index.php/2007/12/17/crash-dump-analysis-patterns-part-41b/ | 1640 |
| /blog/index.php/2007/10/17/crash-dump-analysis-patterns-part-31/ | 1631 |
| /blog/index.php/2007/02/02/crash-dump-analysis-patterns-part-8/ | 1618 |
| /blog/index.php/2007/05/19/resurrecting-dr-watson-on-vista/ | 1590 |
| /blog/index.php/2006/12/09/clipboard-issues-explained/ | 1553 |
| /Memory+Dump+Analysis+Anthology+Volume+1 | 1548 |
| /blog/index.php/2007/09/17/resolving-symbol-file-could-not-be-found/ | 1524 |
| /blog/index.php/2007/02/09/crash-dump-analysis-patterns-part-9a/ | 1516 |
| /blog/index.php/2007/08/06/crash-dump-analysis-patterns-part-20a/ | 1445 |
| /Memory+Dump+Analysis+Anthology+Volume+3 | 1423 |
| /blog/index.php/2007/07/15/interrupts-and-exceptions-explained-part-4/ | 1422 |
| /blog/index.php/crash-dump-analysis-patterns/ | 1368 |
| /blog/index.php/2008/05/09/windbg-cheat-sheet-for-crash-dump-analysis/ | 1324 |
| /Debugged+Magazine | 1307 |
| /ru/blog/index.php/category/komandy-otladchika-windbg/ | 1302 |
| /blog/index.php/2007/03/04/windbg-tips-and-tricks-analyzing-hangs-faster/ | 1295 |
| /blog/index.php/2007/04/25/bugchecks-system_thread_exception_not_handled/ | 1281 |
| /blog/index.php/2007/08/29/minidump-analysis-part-1/ | 1267 |
| /blog/index.php/category/windbg-tips-and-tricks/page/6/ | 1251 |
| /ru/blog/index.php/page/2/ | 1251 |
| /blog/index.php/2007/03/03/windbg-tips-and-tricks-hypertext-commands/ | 1203 |
| /blog/index.php/category/gdb-for-windbg-users/ | 1193 |
| /blog/index.php/basic-windows-crash-dump-analysis/ | 1191 |
| /blog/index.php/2007/06/21/crash-dump-analysis-patterns-part-16a/ | 1151 |
| /care | 1151 |
| /blog/index.php/category/bugchecks-depicted/ | 1143 |
| /blog/index.php/2008/04/03/crash-dump-analysis-patterns-part-57/ | 1134 |
| /museum-debugging | 1103 |
| /blog/index.php/category/bugchecks-depicted/page/2/ | 1099 |
| /blog/index.php/2010/01/08/live-kernel-debugging-of-a-system-freeze-case-study/ | 1096 |
| /arts-photography-links | 1062 |
| /blog/index.php/2007/09/ | 1022 |
| /blog/index.php/2008/10/15/crash-dump-analysis-patterns-part-1b/ | 953 |
| /blog/index.php/2007/08/04/visualizing-memory-dumps/ | 940 |
| /blog/index.php/2007/11/02/crash-dump-analysis-patterns-part-13c/ | 932 |
| /blog/index.php/category/dump-analysis/ | 921 |
| /blog/index.php/crash-dump-examples/ | 912 |
| /blog/index.php/2007/10/01/windows-service-crash-dumps-on-vista/ | 911 |
| /blog/index.php/2007/02/10/crash-dump-analysis-in-visual-studio-2005/ | 904 |
| /Forthcoming+Memory+Dump+Analysis+Anthology+Volume+2 | 902 |
| /blog/index.php/category/windbg-scripts/page/2/ | 880 |
| /blog/index.php/2006/10/ | 833 |
| /blog/index.php/2008/06/26/heuristic-stack-trace-in-windbg-693113/ | 820 |
| /blog/index.php/2008/01/02/how-to-distinguish-between-1st-and-2nd-chances/ | 813 |
| /blog/index.php/2006/11/01/crash-dump-analysis-patterns-part-3/ | 790 |
| /MDAA-color-supplement-vol1-3 | 783 |
| /Forthcoming+Windows+Debugging:+Practical+Foundations | 779 |
| /blog/index.php/automated-analysis/ | 774 |
| /blog/index.php/2007/05/20/custom-postmortem-debuggers-on-vista/ | 773 |
| /contact | 772 |
| /blog/index.php/memory-dump-analysis-interview-questions/ | 763 |
| /blog/index.php/2007/07/25/reconstructing-stack-trace-manually/ | 762 |
| /blog/index.php/2007/09/14/crash-dump-analysis-patterns-part-27/ | 761 |
| /training | 760 |
| /blog/index.php/category/net-debugging/ | 752 |
| /blog/index.php/category/windbg-tips-and-tricks/page/2/ | 732 |
| /blog/index.php/2007/04/25/bugchecks-kmode_exception_not_handled/ | 731 |
| /blog/index.php/2007/07/01/gdb-for-windbg-users-part-5/ | 729 |
| /blog/index.php/2009/04/28/trace-analysis-patterns-part-1/ | 729 |
| /FCMDA-book | 721 |
| /blog/index.php/2007/06/21/repair-clipboard-chain-201/ | 720 |
| /blog/index.php/category/cartoons/ | 706 |
| /CDAPF-book | 690 |
| /blog/index.php/2008/03/08/time-travel-debugging/ | 690 |
| /blog/index.php/2006/10/14/dumps-for-dummies-part-2/ | 679 |
| /blog/index.php/2008/04/28/crash-dump-analysis-patterns-part-6a/ | 672 |
| /blog/index.php/dumps-for-dummies/ | 672 |
| /blog/index.php/2007/05/19/inside-vista-error-reporting-part-1/ | 661 |
| /Links | 640 |
| /blog/index.php/2008/03/18/crash-dump-analysis-patterns-part-13e/ | 640 |
| /blog/index.php/2008/05/28/net-managed-code-analysis-in-complete-memory-dumps/ | 635 |
| /blog/index.php/foundations-of-debugging-x86/ | 635 |
Monday, January 3rd, 2011
Resolution rush - The rush of software technical support and maintenance engineers to provide the resolution to a suddenly escalated incident.
Examples: After it crashed 3 times in a row at the customer site our VP was called and we all got the resolution rush.
Sunday, January 2nd, 2011
Working for more than 7 years in a technical support environment I found that many support incidents were resolved more easily by abductive reasoning than by induction and deduction practiced by Sherlock Holmes and observed by Dr. Watson. Abduction as a way to build an incident theory to advance in problem resolution was practiced by a USA colleague of Holmes: Philip Marlowe. Because technical support is less detached from customers (“the world”) when compared to software engineering departments, I see the way of Marlowe as more natural. Of course, from time to time the way of Holmes is also appropriate. All depends on a support case. I found that abductive reasoning is also appropriate for memory dump and software trace analysis where “leaps of faith” are necessary because of insufficient information. Such leaps of abduction actually happen all the time when analysts give troubleshooting advice based on patterns.
I plan to write more about the 3rd way of reasoning after I finish reading two of Raymond Chandler’s novels and a few other inference, causality and explanation books I mention later: The Big Sleep & Farewell, My Lovely (Modern Library).
I’m grateful to Clive Gamble for pointing this way out in his book Archaeology: The Basics.
Saturday, January 1st, 2011
With the new year starts the new initiative to integrate traditional multidisciplinary debugging approaches and methodologies with multiplatform pattern-driven software problem solving, unified debugging patterns, best practices in memory dump analysis and software tracing, computer security, economics, and the new emerging trends I’m going to write about during this year.
Wednesday, December 29th, 2010
In this post series we are going to discuss the best practices for software tracing implementation, including appropriate patterns and their links to software trace analysis patterns. The first one is called Period Timestamp, where the start and the end time (and the date if necessary) are recorded in the trace file. This helps in Inter-Correlation and News Value analysis between several different trace types. For example, in one scenario, we had WindowHistory and MessageHistory logs. We identified a problem in the former log as happening at this time:
Handle: 00010196 Class: "ClassA" Title: "TitleA"
Captured at: 13:36:30:533
[…]
However, when we looked at the latter trace to search for specific window messages posted or sent before that time we saw that the recording started later than the former event:
Start time: 13:36:35:830
Period timestamps are necessary to distinguish Incomplete History from Truncated Trace: in the former case the absence of an expected trace message is due to some problem.
From a unified debugging patterns perspective we have this sequence fragment:
Implementation Patterns: Period Timestamp
Usage Patterns: Trace Simultaneously
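The check described above, as an added example that is not part of the original post: it reads the period timestamps of one trace and decides whether a missing message around an event from another trace is a Truncated Trace or an Incomplete History. The `End time:` label, the sample message line and the function names are assumptions; only the start time and the event time come from the post.

```python
from datetime import timedelta

def parse_time(text):
    """Parse the HH:MM:SS:mmm time-of-day form both logs in the post use."""
    h, m, s, ms = (int(part) for part in text.strip().split(":"))
    return timedelta(hours=h, minutes=m, seconds=s, milliseconds=ms)

def read_period(trace_text):
    """Return (start, end) from the period timestamp lines; None where missing."""
    period = {"Start time": None, "End time": None}
    for line in trace_text.splitlines():
        key, sep, value = line.partition(": ")
        if sep and key in period:
            period[key] = parse_time(value)
    return period["Start time"], period["End time"]

def classify_absence(trace_text, event_time):
    """Say why a trace holds no messages around event_time (same day assumed)."""
    start, end = read_period(trace_text)
    event = parse_time(event_time)
    one_ms = timedelta(milliseconds=1)
    if start is None:
        return ("Undecidable: no period timestamp", None)
    if event < start:
        return ("Truncated Trace: started after the event", (start - event) // one_ms)
    if end is not None and event > end:
        return ("Truncated Trace: ended before the event", (event - end) // one_ms)
    return ("Incomplete History: period covers the event", 0)

# Constructed sample: the start time is the one quoted above; the end time,
# its label and the message line are invented for the example.
MESSAGE_HISTORY = """Start time: 13:36:35:830
13:36:36:002 WM_PAINT posted to 00010196
End time: 13:41:02:114
"""

if __name__ == "__main__":
    print(classify_absence(MESSAGE_HISTORY, "13:36:30:533"))
    print(classify_absence(MESSAGE_HISTORY, "13:38:00:000"))
```

The second element of the result is the gap in milliseconds between the event and the recorded period, which tells how much earlier the second trace would have had to start.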
Friday, December 24th, 2010
News Value is a pattern that assigns relative importance to software traces for problem solving purposes especially when related to problem description, recent incidents and timestamps of other supporting artifacts (memory dumps, other traces, etc.). For example, in one scenario, an ETW trace was provided with 3 additional log files:
# Source PID TID Date Time Message
0 Header 1260 1728 12/14/2010 06:48:56.289 ?????
[…]
215301 Unknown 640 808 12/14/2010 07:22:57.508 ????? Unknown( 16): GUID=[…] (No Format Information found).
// LogA
05/11/10 18:28:15.1562 : Service() - entry
[...]
14/12/10 10:31:58.0381 : Notification: sleep
* Start of new log *
14/12/10 10:34:38.4687 : Service() - entry
[…]
14/12/10 11:53:35.2729 : Service.CleanUp complete
* Start of new log *
14/12/10 11:56:11.7031 : Service() - entry
[…]
14/12/10 15:25:23.3004 : Notification: sleep
// LogB
[ 1] 12/14 10:34:29:890 Entry: ctor
[…]
[ 2] 12/14 11:53:30:866 Exit: COMServer.Server.DeleteObject
// LogC
[ 1] 12/14 11:56:03:359 Entry: ctor
[…]
[ 20] 12/14 15:30:20:110 Exit: Kernel32.Buffer.Release
From the description of the problem we expected LogB and LogC to be logs from two subsequent process executions where the first launch fails (LogB) and the second launch succeeds (LogC). Looking at their start and end times we see that they make sense from the problem description perspective, but we have to dismiss the ETW trace and most of LogA as recorded earlier and having no value for Inter-Correlation analysis of the more recent logs. We also see that portions of LogA overlap with LogB and LogC and therefore have analysis value for us.
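The comparison above can be made mechanical. The following added example (not code from the original post) normalizes the first and last timestamps quoted for each artifact and measures how many seconds each one shares with the reference logs LogB and LogC. The format strings are inferred from the quoted lines (LogA must be day-first because of `14/12/10`), the year 2010 for LogB and LogC is an assumption, and all names are hypothetical.

```python
from datetime import datetime

ASSUMED_YEAR = "2010"  # LogB/LogC lines carry no year; taken from the other artifacts

# Constructed from the lines quoted in the post: (name, format, first, last).
# LogA is split at its "Start of new log" markers.
ARTIFACTS = [
    ("ETW",    "%m/%d/%Y %H:%M:%S.%f", "12/14/2010 06:48:56.289", "12/14/2010 07:22:57.508"),
    ("LogA#1", "%d/%m/%y %H:%M:%S.%f", "05/11/10 18:28:15.1562", "14/12/10 10:31:58.0381"),
    ("LogA#2", "%d/%m/%y %H:%M:%S.%f", "14/12/10 10:34:38.4687", "14/12/10 11:53:35.2729"),
    ("LogA#3", "%d/%m/%y %H:%M:%S.%f", "14/12/10 11:56:11.7031", "14/12/10 15:25:23.3004"),
    ("LogB",   "%m/%d %H:%M:%S:%f",    "12/14 10:34:29:890",     "12/14 11:53:30:866"),
    ("LogC",   "%m/%d %H:%M:%S:%f",    "12/14 11:56:03:359",     "12/14 15:30:20:110"),
]

def parse(stamp, fmt):
    """Parse one timestamp, supplying the assumed year when the format has none."""
    if "%y" not in fmt.lower():
        stamp, fmt = f"{ASSUMED_YEAR} {stamp}", "%Y " + fmt
    return datetime.strptime(stamp, fmt)

def periods(artifacts):
    """Map each artifact name to its (start, end) on one common time axis."""
    return {name: (parse(a, fmt), parse(b, fmt)) for name, fmt, a, b in artifacts}

def overlap_seconds(p, q):
    """Length in seconds of the intersection of two periods (0 if disjoint)."""
    start, end = max(p[0], q[0]), min(p[1], q[1])
    return max((end - start).total_seconds(), 0.0)

def news_value(artifacts, reference):
    """Seconds each non-reference artifact shares with the reference logs."""
    spans = periods(artifacts)
    refs = [spans[name] for name in reference]
    return {name: sum(overlap_seconds(span, ref) for ref in refs)
            for name, span in spans.items() if name not in reference}

if __name__ == "__main__":
    for name, seconds in news_value(ARTIFACTS, ("LogB", "LogC")).items():
        print(f"{name:7} {seconds:10.1f} s shared with LogB/LogC")
```

An artifact with zero shared seconds was recorded entirely outside the problem window; mixing month-first and day-first sources without normalizing them first would place the opening LogA line in May instead of November.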
Friday, December 17th, 2010
As the new decade is approaching (2011-2020) we would like to make a few previews and predictions:
- Increased complexity of software will bring more methods from biological, social sciences and humanities in addition to existing methods of automated debugging and computer science techniques
- Focus on first fault software problem solving (when aspect)
- Focus on pattern-driven software problem solving (how aspect)
- Fusion of debugging and malware analysis into a unified structural and behavioral pattern framework
- Visual debugging, memory and software trace visualization techniques
- Software maintenance certification
- Focus on domain-driven troubleshooting and debugging tools as a service (debugware TaaS)
- Focus on security issues related to memory dumps and software traces
- New scripting languages and programming language extensions for debugging
- The maturation of the science of memory snapshots and software traces (memoretics)
Imagining is not limited to the above; there is more to come and explain in the forthcoming parts.
Tuesday, December 7th, 2010
If we look at any non-trivial trace we would see different Implementation Discourses. Components are written in different languages and adhere to different runtime environments, binary models and interface frameworks. All these implementation variations influence the structure, syntax and semantics of trace messages. For example, .NET debugging traces differ from file system driver or COM debugging messages. Therefore we establish the new field of Software Trace Linguistics as a science of software trace languages. Some parallels can be drawn here towards software linguistics (the science of software languages) although we came to that conclusion independently while thinking about applying “ethnography of speaking” to software trace narration. More on this in the following posts.
Friday, December 3rd, 2010
We now start unifying software behavior analysis patterns with debugging architecture, design, implementation and usage. This is analogous to software construction where a problem analysis leads to various software engineering phases. The important difference here is the addition of debugging usage patterns. Let’s look at an example (we discuss suggested patterns later):
- Analysis Patterns
Shared Buffer Overwrite
- Architectural Patterns
Debug Event Subscription / Notification
- Design Patterns
Punctuated Execution
- Implementation Patterns
Breakpoint (software and hardware)
- Usage Patterns
Kernel vs. user space breakpoints
To differentiate this systematic approach from the various published ad hoc debugging patterns we call it Unified Debugging Pattern Language. ADI parts can also correspond to various DebugWare patterns, for which we provide a mapping later.
Tuesday, November 30th, 2010
MAaaS includes 2 complementary DA+TA services:
1. Dump Analysis as a Service (DAaaS)
2. Trace Analysis as a Service (TAaaS)
Memory Dump Analysis Services is the first organization to provide such a service at audit and certification levels.