Trace Analysis Patterns (Part 232)

August 28th, 2023

Most trace and log diagrams we use for analysis pattern illustration are 1-dimensional if we ignore the structure of individual trace messages despite being looking as 2-dimensional. It is, therefore, natural to consider them as periodic and aperiodic tessellations of a line using a set of segments of different lengths and colors. A Trace Tessellation analysis pattern is such an arrangement based on some criteria, for example, a combination of trace and log analysis patterns or simply some A(TID) mapping.

GPT-4 suggests the following outline for 1-dimensional tessellation:

Tessellating a one-dimensional space like a line is fundamentally simpler than tessellating a two-dimensional space. Given that a line segment is the only basic shape you can use to tessellate a line, at first glance, it may seem there isn’t much room for diverse or “interesting” patterns. However, we can introduce variability by considering the following:

Varying Lengths: Instead of using uniform line segments, use segments of varying lengths. For instance, alternating between short and long segments can create a rhythmic pattern.

Color or Texture Variations: Even though it’s a one-dimensional space, you can vary colors or textures. For example, alternate between black and white line segments.

Spacing: While traditional tessellation has no gaps, you could introduce regular or irregular spacing between line segments for a more abstract approach.

Pattern Interruption: Repeating a set pattern and then deliberately interrupting it can be visually interesting. For instance, having three short segments followed by one long segment, and then repeating.

Associative Representation: You can use tessellated patterns on a line to represent data or other concepts. For example, Morse code uses a combination of short (”dots”) and long (”dashes”) signals, essentially tessellating a line with two types of segments to convey information.

Fractals and Recursive Patterns: While not “tessellation” in the traditional sense, you can create patterns on a line using recursive rules. The Cantor set is an example of this, where you take a line segment, remove the middle third, and then repeat the process for the remaining segments ad infinitum.

These are just a few ways to introduce interest and complexity into the “tessellation” of a one-dimensional space. While it’s fundamentally simpler than two-dimensional tessellation, with some creativity, you can still achieve intriguing and meaningful patterns.

- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -

Crash Dump Analysis Patterns (Part 284)

July 1st, 2023

Sometimes, we are interested in Exception Collection from all different memory parts and space types and using different analysis patterns, for example, for the user and managed spaces:

- Stored Exception;

- Exception Stack Traces from Stack Trace Collection from unmanaged space;

- Managed Code Exceptions from CLR Runtime Threads (~*e !pe -nested and !Threads WinDbg commands) including Nested and Mixed Exceptions;

- Recorded heap failures (!heap -s -v) and other Historical Information;

- Hidden Exceptions (unmanaged space) in Execution Residue (unmanaged user space) for all threads;

- Hidden Exceptions (managed space) in Execution Residue (managed space) for all threads.

- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -

Crash Dump Analysis Patterns (Part 283)

April 8th, 2023

Shared Buffer Overwrite may happen via different mechanisms. A virtual address and its underlying physical page may be used by different threads from one process, or if threads from different processes are involved, its underlying physical memory page may be shared between different processes. In the former case, we can check threads’ Execution Residue for the page virtual address range. In the latter case, for example, when we have random crashes in different processes at different virtual addresses, we can compare page frame numbers for problem virtual addresses:

0: kd> !process ffffc38c3010b0c0 0
PROCESS ffffc38c3010b0c0
SessionId: 1 Cid: 1224 Peb: 24fc30b000 ParentCid: 1284
DirBase: 0a953002 ObjectTable: ffffac8a0b2aab40 HandleCount: 184.
Image: conhost.exe

0: kd> !process ffffc38c305e8080 0
PROCESS ffffc38c305e8080
SessionId: 0 Cid: 01c8 Peb: 4acc277000 ParentCid: 0290
DirBase: 10b62b002 ObjectTable: ffffac8a081b33c0 HandleCount: 276.
Image: svchost.exe

0: kd> !pte 00007ffc`884a0000
VA 00007ffc884a0000
PXE at FFFFFB7DBEDF67F8 PPE at FFFFFB7DBECFFF90 PDE at FFFFFB7D9FFF2210 PTE at FFFFFB3FFE442500
contains 8A0000000485F867 contains 0A00000115063867 contains 0A00000009D64867 contains 86000001358EF025
pfn 485f ---DA--UW-V pfn 115063 ---DA--UWEV pfn 9d64 ---DA--UWEV pfn 1358ef —-A–UR-V

0: kd> .process /r /p ffffc38c3010b0c0
Implicit process is now ffffc38c`3010b0c0
Loading User Symbols
.................................

0: kd> .process /r /p ffffc38c305e8080
Implicit process is now ffffc38c`305e8080
Loading User Symbols
..................................

0: kd> !pte 00007ffc`884a0000
VA 00007ffc884a0000
PXE at FFFFFB7DBEDF67F8 PPE at FFFFFB7DBECFFF90 PDE at FFFFFB7D9FFF2210 PTE at FFFFFB3FFE442500
contains 0A00000107137867 contains 0A0000010703A867 contains 0A0000010713B867 contains 81000001358EF005
pfn 107137 ---DA--UWEV pfn 10703a ---DA--UWEV pfn 10713b ---DA--UWEV pfn 1358ef ——-UR-V

We call such an analysis pattern Shared Page.

- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -

Trace Analysis Patterns (Part 231)

April 2nd, 2023

Suppose we are interested in particular message types, which are Message Patterns. We can form a Pattern Vector with values of corresponding Message Pattern occurrences during each fixed time interval corresponding to selected Time Scale. A typical example is illustrated in the following diagram with counted Silent Messages as well:

Each Message Vector component value is the local Statement Current. We can also select Statement Densities instead, especially if we select only Message Patterns from Foreground Components. Other values are possible, for example, from Trace Field.

- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -

Trace Analysis Patterns (Part 230)

March 6th, 2023

Inspired by Laws of Form and works inspired by it including Story and Structure we introduce Iconic Trace symbolic mapping for individual messages, Activity Regions, Motives, and Activity Theatre. A typical example is illustrated in the following diagram:

It is also possible to construct Iconic CoTraces. We will provide different symbolic profiles (with the meaning of various symbols) and examples later in the forthcoming revision of Software Narratology.

- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -

Trace Analysis Patterns (Part 229)

February 25th, 2023

Often, we have Basic Facts but are unsure 100% if particular trace messages are relevant or not. We take the idea of Case Messages analysis pattern from fuzzy sets where we have a degree of membership function. It is illustrated in the following diagram:

In comparison, Message Set analysis pattern is about crisp sets where the degree of membership is either 0 or 1.

- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -

Trace Analysis Patterns (Part 228)

February 19th, 2023

If necessary, for example, for the conversion to Text Trace, individual trace messages may need to be converted to message text form blending various message constituents like ATIDs, Message Invariants, data, and Trace Constants into some textual narrative form. We illustrate it in the following diagram:

We call the resulting message text Denormalized Message. It is the reverse process than finding Features of Activity and constructing structured messages conforming to some Trace Schema.

- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -

Trace Analysis Patterns (Part 227)

February 19th, 2023

In addition to Trace Skeleton, we can insert Silent Messages, treat non-silent messages as instances of some template message, and even take Quotient Trace of them, leaving the position of final non-silent messages intact. This is similar to retraction in topology, so we name this analysis pattern Trace Retract and illustrate it in the following diagram:

 

- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -

Trace Analysis Patterns (Part 226)

February 19th, 2023

When we construct Trace Molecule, we may find that some Message Complex links from different ATIDs point to the same message and Tracemes. In such a case we have Message Bond by analogy with covalent bonds. One such example is illustrated in the following diagram:

 

- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -

Trace Analysis Patterns (Part 225)

February 18th, 2023

Trace Nerve is Thread of Activity or Adjoint Thread of Activity that runs through all Activity Regions. An example is illustrated in the following diagram:

Of course, depending on trace or log, there can be several Trace Nerves. This analysis pattern was inspired by nerve complexes in topology.

- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -

Trace Analysis Patterns (Part 224)

February 18th, 2023

Looking at software traces and logs as 2-categories allows us to consider Whisker Traces (horizontal composition) in addition to vertical composition such as Serial Traces, Trace Mask, and Container Traces. The same ATIDs can be combined, and if there is a time mismatch, additional message copies need to be added (whiskering). The process is illustrated in the following diagram:

- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -

Trace Analysis Patterns (Part 223)

February 17th, 2023

Trace embedding usually happens when some external tracing or logging framework or library is used. In this case, a trace message becomes part of an outer trace message which may have its own uniform Trace Schema. In this case, Embedded Trace analysis pattern is different from Container Trace where outer Trace Schemas may be different.

- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -

Trace Analysis Patterns (Part 222)

February 11th, 2023

Trace Windows, the obvious analysis pattern that was always implicit, is added now due to the proliferation of stream processing nowadays. However, it captures not only horizontal windows but vertical ones, similar to subspaces if we consider messages as vectors. Both types of windows can be combined. This is illustrated in the following diagram:

- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -

Trace Analysis Patterns (Part 221)

February 8th, 2023

There’s some kind of duality between trace data and activity. For example, trace data corresponds to CoData (CoTrace, CoLog), the analysis activity. On the other hand, Regions of Activity (and various Activity-related patterns such Thread of Activity) may contain data that itself may point to some activity (not necessarily the same), CoActivity. For example, some keyboard-related message data may contain values of passwords. This analysis pattern is illustrated schematically in the following diagram:

CoActivity is different from Data Flow, where the same or modified value is passed from one message to another, not necessarily inside the same activity.

- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -

Trace Analysis Patterns (Part 220)

February 7th, 2023

For any Message Complex, we can choose the corresponding Tracemes and assign them to points. If we keep ourselves only to line segments, we call these arrangements Trace Molecules. One example is illustrated in the following diagram:

This molecular approach was inspired by semic molecules in semic analysis. On the other hand, ultimately, the whole trace is one giant molecule similar to the traces and logs as proteins metaphor. This approach differs from the earlier artificial chemistry approach to trace and log analysis where molecules are patterns.

- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -

Trace Analysis Patterns (Part 219)

February 6th, 2023

Consider the following trace message:

object: 0x77F468AB100 ref: 2

It contains several Tracemes, the smallest units of tracing (trace meaning, by analogy with semes), corresponding to Message Invariants and their data: //object memory address//, and //reference count//. However, they are structurally higher in the semantic hierarchy when compared with sememesTraceme is pronounced /tɹeɪˈsiːm/ and can also be interpreted as trace me.

- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -

Trace Analysis Patterns (Part 218)

February 5th, 2023

Message Complex takes inspiration from simplicial complexes. We select a message, choose TID or ATID, and connect to the nearest messages having the same TID or ATID. This procedure can be repeated for newly connected messages. Then we select another ATID and repeat the procedure. Three connected messages with the same ATID may form a triangle and may also intersect another triangle with a different ATID if they share the same message. A very simple example is illustrated in the following diagram:

Message Complex is more structural and geometric compared to Message Context, which is just a set of surrounding messages regardless of their TID or ATID based on some relationship criteria.

- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -

Trace Analysis Patterns (Part 217)

February 4th, 2023

(Adjoint) Threads of Activity can be interpreted as braids (multibraiding). This braid analogy assumes that all (adjoint) threads implicitly start and end outside of the trace boundaries. However, some (adjoint) threads may start after the beginning of the tracing or end before the finishing of the tracing. Such modified braids are called braidoids. There can be several braidoids per trace based on the chosen (A)TIDs. We call this analysis pattern Trace Braidoids and one, based on TID, is illustrated in the following diagram:

We added arc crossings when a different TID becomes current. Please also compare these crossings with other analysis patterns such as Braid Group and Braid of Activity.

- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -

Trace Analysis Patterns (Part 216)

February 2nd, 2023

Message data may point to other messages in the same trace (see the example of Linked Messages) or in the other trace (see the Data Selector example). But similar data in other messages may not point to any other messages in the same or other, perhaps Truncated, traces and logs collected at the same time - similar to invalid pointers, for example, kernel addresses in process memory dumps or user space addresses in kernel memory dumps. We call this analysis pattern Null Reference (also notice the analogy with foreign key values in data tables where Null is not a value). Another analogy here is referential failure. This is illustrated in the following diagram adapted from Linked Messages analysis pattern diagram.

This analysis pattern is different from Missing Data where the reference is itself missing.

These Null References can be remediated by longer supplemental traces, Fiber Bundle, and Adjoint Spaces.

- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -

Trace Analysis Patterns (Part 215)

February 1st, 2023

When we disregard the length of message blocks having the same attribute (ATID), we get Quotient Trace. But when we disregard the content of these message blocks (and replace each message with the same “empty” non-Silent Message) but preserve their length, we get Trace Skeleton.

Different Trace Shapes may have different Trace Skeletons but we can generate similar shapes from one skeleton.

We can also apply a music metaphor and consider it as Trace Rhythm:

- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -