Software Diagnostics Library

Bugtation No.14

September 5th, 2008

Crash dump analysis ”is anticipated with” joy, “performed with” eagerness, “and bragged about forever.”

Anonymous

Posted in Bugtations, Crash Dump Analysis, Debugging, Fun with Crash Dumps | No Comments »

The Songs for Remote Debugging

September 4th, 2008

The Songs of Distant Earth is my favorite Mike Oldfield album. Highly recommended to keep optimism when doing remote debugging on different systems.

The Songs of Distant Earth

Here is my alternative track naming:

1. The Decision To Go Remote
2. Let There Be A Connection
3. Super System Crash
4. Connection Established
5. First Break In
6. The Sea Of Threads
7. Setting Breakpoints
8. Prayer For A Match
9. Lament For Users
10. The Kernel
11. Screensaver Starts
12. Tabular Output
13. The Shining Threads
14. Breakpoint Match
15. The Sunken Debugger
16. Contemplating Observations
17. A New Session

- Dmitry Vostokov @ DumpAnalysis.org -

Posted in Debugging, Music for Debugging | No Comments »

WDPF cover

September 4th, 2008

Previously announced Windows Debugging: Practical Foundations book has got its front cover done in classic B/W style. A bit frightening, but shouldn’t stop if someone is determined to learn field debugging

Please let me know what do you think. Table of contents to be published next week.

- Dmitry Vostokov @ DumpAnalysis.org -

Posted in Announcements, Books, Crash Dump Analysis, Crash Dumps for Dummies, Debugging, Publishing, Software Technical Support | No Comments »

Bug Concentration Camp

September 4th, 2008

New cartoon from Narasimha Vedala provides insight on string reversing (click on it to enlarge):

At the Bug Concentration Camp [BCC]
CCB officer decides the fate

I was curious to check if there are any opcodes like BCC or CCB and there are indeed:

BCC - Branch on Carry Clear
CCB - Chip Configuration Byte

- Dmitry Vostokov @ DumpAnalysis.org -

Posted in Cartoons, Debugging | No Comments »

Bugtation No.13

September 4th, 2008

Shakespeare on transitive nature of software defects, where one bug causes another, and so on, until the final effect or when memory corruption causes crash effects.

“… and now remains
That we find out the cause of this effect,
Or rather say, the cause of this defect,
For this effect defective comes by cause.”

William Shakespeare, Hamlet

- Dmitry Vostokov @ DumpAnalysis.org -

Posted in Bugtations, Crash Dump Analysis, Crash Dump Patterns, Debugging, Fun with Crash Dumps | No Comments »

Mother Bug

September 4th, 2008

New cartoon from Narasimha Vedala:

Mother bug explains Morris worm

DBG_MotherBug from Narasimha Vedala

- Dmitry Vostokov @ DumpAnalysis.org -

Posted in Cartoons, Debugging | No Comments »

Bugtation No.12

September 3rd, 2008

“Sir, please believe me, it’s the first time this has ever happened. Have another try, don’t get upset. You know our” Programs “are” TESTED.

Jean-Pierre Petit, Adventures of Archibald Higgins: Euclid Rules O.K.?

- Dmitry Vostokov @ DumpAnalysis.org -

Posted in Bugtations, Debugging, Software Technical Support, Testing | No Comments »

Heap and early crash dump: pattern cooperation

September 2nd, 2008

The following error was reported when launching an application and no configured default postmortem debugger was able to save a crash dump:

The application failed to initialize properly (0x06d007e). Click on OK to terminate the application.

The process memory dump captured manually using userdump.exe when the error message box was displayed didn’t show anything helpful on stack traces:

0:000> ~*kL

. 0 Id: 310.1ab8 Suspend: 1 Teb: 7ffdf000 Unfrozen ChildEBP RetAddr 0012fd14 7c8284c5 ntdll!_LdrpInitialize+0x184 00000000 00000000 ntdll!KiUserApcDispatcher+0x25

1 Id: 310.1ec0 Suspend: 1 Teb: 7ffde000 Unfrozen ChildEBP RetAddr 0820fcb0 7c826f4b ntdll!KiFastSystemCallRet 0820fcb4 7c813b90 ntdll!NtDelayExecution+0xc 0820fd14 7c8284c5 ntdll!_LdrpInitialize+0x19b 00000000 00000000 ntdll!KiUserApcDispatcher+0x25

However, one of last error values was access violation (Last Error Collection pattern):

0:000> !gle -all Last error for thread 0: LastErrorValue: (Win32) 0x3e6 (998) - Invalid access to memory location. LastStatusValue: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx" referenced memory at "0x%08lx". The memory could not be "%s".

Last error for thread 1: LastErrorValue: (Win32) 0 (0) - The operation completed successfully. LastStatusValue: (NTSTATUS) 0 - STATUS_WAIT_0

It was suspected that access violation errors were handled by application exception handlers (Custom Exception Handler pattern) and it was recommended to catch first-chance exception crash dumps (Early Crash Dump pattern) and indeed there was one such exception:

0:000> r eax=00000000 ebx=00000000 ecx=00000000 edx=00157554 esi=00000080 edi=00000000 eip=7c829ffa esp=0012ed48 ebp=0012ef64 iopl=0 nv up ei pl zr na pe nc cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010246 ntdll!RtlAllocateHeap+0x24: 7c829ffa 0b4310 or eax,dword ptr [ebx+10h] ds:0023:00000010=????????

0:000> kL ChildEBP RetAddr 0012ef64 7c3416b3 ntdll!RtlAllocateHeap+0x24 0012efa4 7c3416db msvcr71!_heap_alloc+0xe0 0012efac 7c3416f8 msvcr71!_nh_malloc+0x10 0012efb8 67741c01 msvcr71!malloc+0xf [...]

- Dmitry Vostokov @ DumpAnalysis.org -

Posted in Crash Dump Analysis, Crash Dump Patterns, Debugging | No Comments »

Bugtation No.11

September 2nd, 2008

The crash dump “is the message”.

Marshall McLuhan, The medium is the message

- Dmitry Vostokov @ DumpAnalysis.org -

Posted in Bugtations, Crash Dump Analysis, Crash Dump Patterns, Debugging, Fun with Crash Dumps | No Comments »

Learning Basque

September 1st, 2008

A few months ago I wrote about my discovery of the first memory dump book. It actually arrived but only today I got a chance to take pictures of its front and back covers. The latter explans the title of the book (MEMORY DUMP) albeit in Spanish.