PART 2: Crash Dump Analysis Patterns

Design Value

The pattern called Small Value (Volume 7, page 191) deals with easily recognizable values such as handles, timeouts, mouse pointer coordinates, enumeration values, and window messages. There is another kind of value, for example, 256 (+/- 1) or some other round value. Here we can also add regular patterns in hex representation, such as window handles or flags, for example, 0x10008000. Such designed values may fall into some module range, which gives the so-called Coincidental Symbolic Information (Volume 1, page 390) pattern. They are not necessarily stack trace parameters (which can also be False Function Parameters, Volume 2, page 173). If we see a design value in the output of WinDbg commands, especially one related to abnormal behavior patterns, it might point to a design limitation that has been reached. For example, Blocked ALPC Queue (Volume 6, page 34) may have a limitation on I/O completion port (Volume 1, page 653). We observed this when we had ALPC Wait Chains (Volume 3, page 97) in one unresponsive system:

0: kd> !alpc /p <port_address>
[...]
512 thread(s) are registered with port IO completion object:
[...]
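
A rough triage helper for the idea above, as an added example that is not from the book: it scans saved debugger output for numbers that are a power of two (+/- 1), a round decimal, or a sparse hex flag pattern. The thresholds, the function names, and every sample line other than the `!alpc` command and the 512-thread line are assumptions constructed for illustration.

```python
import re

# Assumed heuristics (not from the book): "round" is a judgment call.
MIN_VALUE = 64       # smaller numbers belong to the Small Value pattern
MAX_FLAG_BITS = 2    # hex values with this few set bits look like designed flags

# Standalone decimal or 0x-prefixed tokens only. Bare hex such as
# fffffa80`0c3d2b60 is skipped so addresses are not misread as decimals.
TOKEN = re.compile(r"(?<![\w`])(0x[0-9a-fA-F]+|\d+)(?![\w`])")

def classify(token):
    """Return a reason string if token looks like a design value, else None."""
    is_hex = token.lower().startswith("0x")
    n = int(token, 16 if is_hex else 10)
    if n < MIN_VALUE:
        return None
    # Power of two, allowing the +/- 1 the text mentions (255, 256, 257).
    for off in (0, 1, -1):
        base = n - off
        if base & (base - 1) == 0:
            k = base.bit_length() - 1
            return f"2^{k}{off:+d}" if off else f"2^{k}"
    if is_hex and bin(n).count("1") <= MAX_FLAG_BITS:
        return f"flag-like hex, {bin(n).count('1')} bit(s) set"
    if not is_hex and len(token.rstrip("0")) == 1:
        return "round decimal"
    return None

def scan(output):
    """Return (line number, token, reason) for each design value candidate."""
    hits = []
    for lineno, line in enumerate(output.splitlines(), 1):
        for m in TOKEN.finditer(line):
            reason = classify(m.group(1))
            if reason:
                hits.append((lineno, m.group(1), reason))
    return hits

# First two lines follow the page's output; the rest are constructed samples.
SAMPLE = """\
0: kd> !alpc /p <port_address>
512 thread(s) are registered with port IO completion object:
37 message(s) queued
Flags : 0x10008000
Owner : fffffa80`0c3d2b60
Limit : 257
"""

if __name__ == "__main__":
    for lineno, token, reason in scan(SAMPLE):
        print(f"line {lineno}: {token} ({reason})")
```

A hit is only a prompt to check whether a documented or hard-coded limit exists for that counter; many power-of-two values in a dump are unrelated to the problem.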