Document: Memory Dump Analysis Anthology - P18 (doc)


DOCUMENT INFORMATION

Contents

PART 5: A Bit of Science

WHAT IS A SOFTWARE DEFECT?

Software can be considered as a model of a real or imagined system, which may itself be a model. Any modeling act involves a mapping from the system to the model that preserves causal, ordering and inclusion relationships, and a mapping from the model back to the system that translates emerging relationships and causal structures back to that system. The latter I call modeling expectations, and any observed deviation in structure and behavior between the model and the system I call a software defect, which can be a functional failure, an error message, a crash or a hang (bold line on the diagrams below):

[Diagram: Real or Imagined System (or Model) <-> Software Model]

Consider ATM software as a venerable example. It models an imagined world of ATM transactions, which we call the ATM software requirements. The latter specify ACID (atomic, consistent, isolated and durable) transaction rules. If they are broken by the written software, we have a defect:

[Diagram: ATM software requirements <-> ATM software]

What are software requirements? They are models of real or imagined systems, or they can be models of past causal and relationship experiences. If the requirements are wrong, they do not translate back, and we still consider the software as having a defect:

[Diagram: Real System or Causal Experiences -> Model (Requirements) -> Software Model]

Translating this to the ATM example we have:

[Diagram: User expectations based on fair trading experience -> ATM software requirements model -> ATM software]

Another example, where the perceived absence of failures can be considered a defect, is a program designed to model memory leaks that does not leak because of a defect in its source code.
PART 6: FUN WITH CRASH DUMPS

DUMP ANALYSIS AND VOICE RECOGNITION

"Being so tired of typing endless !analyze -v one day an idea came to me about using Voice Recognition. Taking advantage of spending 7 years in that field starting from 1992 and being the architect and designer/developer of the first pioneer speech recognition systems on Windows platforms (if you remember Covox and Voice Blaster - I was an employee there) VoiceMouse, JustVoice, SpeakingMouse, and recently my own project OpenTask, I seriously consider using this for Dump Analysis. More later…"

This was my first blog post ever, and now you are reading this book!

SENDING SMS MESSAGES VIA DUMPS

The SystemDump tool (page 646) allows you to crash a computer and embed a message in the memory dump. Dump files are becoming a universal medium of discourse between customers and support personnel.

WINDBG AS A BIG CALCULATOR

I noticed one engineer frequently switching between WinDbg and Calc. Now we can forget about using calc.exe during debugging sessions and save valuable time. In other words, we no longer need to multiprocess. We can use the ? and .formats commands:

0:000> ? 2 + 2
Evaluate expression: 4 = 00000004

0:000> .formats 4
Evaluate expression:
  Hex:     00000004
  Decimal: 4
  Octal:   00000000004
  Binary:  00000000 00000000 00000000 00000100
  Chars:
  Time:    Thu Jan 01 00:00:04 1970
  Float:   low 5.60519e-045 high 0
  Double:  1.97626e-323

Now we can do our finance calculations in WinDbg too. The WinDbg Way!

DUMPS, DEBUGGERS AND VIRTUALIZATION

Everyone now speaks about virtualization and its benefits. New horizons spring up here and there.
I would like to add my 2 cents from the memory dump analysis and debugging perspective. Debugging environments are going to get more complex, as my recent experience with WOW64 tells me:

[diagram]

If we generalize this to a virtualization environment, we come up with the following picture:

[diagram]

If we think further, we come up with the following example of the general DDV architecture:

[diagram]

So we need:

- A "Debugger" to debug the "Virtualization layer".
- A "Debugger plugin" to help the "Debugger" understand the "Subject of virtualization".
- Various virtualized "debuggers" debugging their virtualized subjects.

MUSICAL DUMPS

After listening to "An Anthology of Noise and Electronic Music" and remembering that a long time ago I was asked to convert stock charts into sound waves, an idea came to me to convert memory dump files into WAV files by appending an appropriate header in front of them. So, depending on the imposed sampling frequency (Hz), quantization level (bits) and mono/stereo setting, we can enjoy listening to memory dumps.

DEBUGGING THE DEBUGGER

Is it possible to debug a debugger while it debugs a debuggee? Good question. I never asked myself that until one day, when I tried. And it works!
First I tried to attach WinDbg.exe to an instance of WinDbg.exe executing the !analyze -v command and got these stacks:

0:002> ~*kL 100

   0  Id: 1ff0.104c Suspend: 1 Teb: 7ffdf000 Unfrozen
ChildEBP RetAddr
0006df38 7739d02f ntdll!KiFastSystemCallRet
0006ff7c 01055e36 USER32!NtUserWaitMessage+0xc
0006ffc0 77e523e5 windbg!_initterm_e+0x170
0006fff0 00000000 kernel32!BaseProcessStart+0x23

   1  Id: 1ff0.1af8 Suspend: 1 Teb: 7ffde000 Unfrozen
ChildEBP RetAddr
00ac3448 030a5677 dbghelp!CAllPubNameTrav::next+0x1b
00ac345c 0301e16e dbghelp!CDiaEnumTraversalCSymRow::Next+0x48
00ac44fc 0301e452 dbghelp!diaGetGlobals+0x8fe
00ac4524 0304967a dbghelp!diaGetSymbols+0x42
00ac453c 03045ca3 dbghelp!diaEnumSymbols+0x1a
00ac4554 03031e5a dbghelp!modEnumSymbols+0x43
00ac459c 030338a5 dbghelp!ModLoop+0x10a
00ac6570 030391d8 dbghelp!EnumSymbols+0x155
00ac65a0 0220947b dbghelp!SymEnumSymbolsW+0x48
00ac7600 0220a53d dbgeng!FindTypeInfoInMod+0x18b
00aca5cc 0220caa2 dbgeng!TypeInfoFound+0xced
00acb62c 0220c95f dbgeng!SymbolTypeDumpNew+0xa2
00acb654 0220d36b dbgeng!FastSymbolTypeDump+0xef
00acb700 0213c753 dbgeng!SymbolTypeDump+0xbb
00acc25c 0147d632 dbgeng!ExtIoctl+0x1073
00acc2f4 0150e10e ext!GetFieldData+0xe2
00accc14 014f9f00 ext!UaThread::_Extract_UIThread+0x34e
00accc24 014fa1f9 ext!UaThread::CallExtractors+0x20
00accc34 01511126 ext!UaThread::ExtractAttributes+0x99
00accd78 015212e2 ext!UserAnalyze::ExtractAttributes+0x376
00acd02c 01521467 ext!UeFillAnalysis+0x462
00acd10c 01521650 ext!UeAnalyze+0x147
00acd208 0147c90c ext!AnalyzeUserException+0x1a0
00acd23c 02141299 ext!analyze+0x28c
00acd2c8 021414d9 dbgeng!ExtensionInfo::CallA+0x2e9
00acd458 021415a2 dbgeng!ExtensionInfo::Call+0x129
00acd474 0213feb1 dbgeng!ExtensionInfo::CallAny+0x72
00acd8ec 02181698 dbgeng!ParseBangCmd+0x661
00acd9dc 02182b29 dbgeng!ProcessCommands+0x508
00acda20 020c9049 dbgeng!ProcessCommandsAndCatch+0x49
00acdeb8 020c92aa dbgeng!Execute+0x2b9
00acdee8 010283bf dbgeng!DebugClient::ExecuteWide+0x6a
00acdf88 0102883b windbg!ProcessCommand+0xff
00acffa4 0102aabc windbg!ProcessEngineCommands+0x8b
00acffb8 77e6608b windbg!EngineLoop+0x3dc
00acffec 00000000 kernel32!BaseThreadStart+0x34

#  2  Id: 1ff0.116c Suspend: 1 Teb: 7ffdd000 Unfrozen
ChildEBP RetAddr
00fdffc8 7c845ea0 ntdll!DbgBreakPoint
00fdfff4 00000000 ntdll!DbgUiRemoteBreakin+0x36

Next I thought, wait a moment, we are debugging a crash dump analysis session. Can we debug a debugger debugging a running process? So I attached WinDbg.exe to an instance of WinDbg.exe attached to an instance of notepad.exe and got these stacks:

0:002> ~*kL

   0  Id: 11f0.164c Suspend: 1 Teb: 7ffde000 Unfrozen
ChildEBP RetAddr
0006df38 7739d02f ntdll!KiFastSystemCallRet
0006ff7c 01055e36 USER32!NtUserWaitMessage+0xc
0006ffc0 77e523e5 windbg!_initterm_e+0x170
0006fff0 00000000 kernel32!BaseProcessStart+0x23

   1  Id: 11f0.1bb0 Suspend: 1 Teb: 7ffdd000 Unfrozen
ChildEBP RetAddr
00adff0c 7c822124 ntdll!KiFastSystemCallRet
00adff10 77e6bad8 ntdll!NtWaitForSingleObject+0xc
00adff80 020bf8aa kernel32!WaitForSingleObjectEx+0xac
00adffa0 0102aa42 dbgeng!DebugClient::DispatchCallbacks+0x4a
00adffb8 77e6608b windbg!EngineLoop+0x362
00adffec 00000000 kernel32!BaseThreadStart+0x34

#  2  Id: 11f0.100c Suspend: 1 Teb: 7ffdc000 Unfrozen
ChildEBP RetAddr
00beffc8 7c845ea0 ntdll!DbgBreakPoint
00befff4 00000000 ntdll!DbgUiRemoteBreakin+0x36

Given that many functions from dbghelp.dll and dbgeng.dll are described in the WinDbg help, we can quickly reverse engineer WinDbg.exe and its extensions to understand their mechanics from a high-level perspective.

[...]
MUSICAL DUMPS: DUMP2WAVE

The Dump2Wave command line tool is available for free download at http://www.dumpanalysis.org/downloads/Dump2Wave.zip. Simply run it from the command prompt and specify full paths to a dump file and an output WAV file. The dump file will be converted by default into a 44.1KHz 16-bit stereo WAV file...

DUMP TOMOGRAPHY

There is an idea to interpret a process or a system dump as a picture (similar to interpreting it as a giant wave file: Dump2Wave, http://www.dumpanalysis.org/forum/viewtopic.php?t=41). I would like to extend this idea and present it as Dump Tomography - a combination of images taken from a dump when looking at it from different perspectives, for example, memory, resources...

VOICES FROM PROCESS SPACE

... the dump to a CD-quality wave file and saved interesting sound fragments from it (to conserve space - the original wave file was 76Mb). To listen to these fragments you can download wave files from the following location: DumpSounds.zip (8Mb, http://www.dumpanalysis.org/Dump2Wave/DumpSounds.zip). Here is the description of what I heard in these wave files:

- dump1.wav
  violin
  aliens
  train sound
  Hello
- dump2.wav
  electric guitar
  signals from cosmos
- dump3.wav
  Morse code alphabet
- dump4.wav
  helicopter
- dump5.wav
  horn
  some interesting noise and fragments of electronic music

Of course, we can convert kernel memory dumps to wave files and hear voices from kernel space too…

LISTENING TO COMPUTER MEMORY

An alternative to converting memory dumps to sound files is to save a memory range to a binary file and then convert it to a wave file. The latter is better for complete memory dumps, which can be several Gb in size. To save a memory range to a file we can use the WinDbg .writemem command:

.writemem d2w-range.bin ...

VISUALIZING MEMORY DUMPS

As the first step towards Memory Dump Tomography (page 522) I created a small program that interprets a memory dump as a picture. We can visualize crash dumps with it. The tool is available for free download at: http://www.dumpanalysis.org/downloads/Dump2Picture.zip

Simply run it from the command prompt and specify full paths to a dump file and an output BMP file. The memory dump file will be converted by default into a true color, 32 bits-per-pixel bitmap. We can specify other values: 8, 16 and 24.

C:\Dump2Picture>Dump2Picture.exe
Dump2Picture version 1.0
Written by Dmitry Vostokov, 2007

Usage: Dump2Picture dumpfile bmpfile [8|16|24|32]

For example:

C:\Dump2Picture>Dump2Picture.exe MEMORY.DMP MEMORY.BMP 8
Dump2Picture version 1.0
Written by Dmitry Vostokov, 2007

MEMORY.BMP MEMORY.DMP
        1 file(s) copied

Below are some screenshots of bitmap files created by the tool. We can think about them as visualized kernel or user address spaces.

Vista kernel memory dump (8 bits-per-pixel): [image]
Vista kernel memory dump (16 bits-per-pixel): [image]
Vista kernel memory dump (24 bits-per-pixel): [image]
Vista kernel memory dump (32 bits-per-pixel): [image]
Notepad process user memory dump (8 bits-per-pixel): [image]
Notepad process user memory dump (16 bits-per-pixel): [image]
Notepad process user memory dump (24 bits-per-pixel): [image]
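As an added illustration of the Dump2Wave idea from the Musical Dumps sections above (example code written for this page, not the tool's own source), the following wraps arbitrary bytes in the canonical 44-byte PCM RIFF/WAVE header; the sampling rate, bit depth and channel count are the three settings the text names, the stand-in "dump" is constructed random data, and the payload is trimmed to whole sample frames because a dump's size is arbitrary.

```python
"""Wrap raw bytes (a constructed stand-in for a memory dump) in a canonical
44-byte PCM RIFF/WAVE header, the Dump2Wave idea. Added example, not
Dump2Wave's own source; the layout is the standard PCM WAVE format."""
import os
import struct


def wav_header(data_len, rate=44100, bits=16, channels=2):
    """Return the 44-byte header for data_len bytes of PCM payload."""
    if bits not in (8, 16, 24, 32) or channels not in (1, 2):
        raise ValueError("unsupported quantization/channel setting")
    block_align = channels * bits // 8      # bytes per sample frame
    byte_rate = rate * block_align          # bytes per second of audio
    # RIFF size counts everything after the 8-byte RIFF chunk header:
    # "WAVE" (4) + fmt chunk (8 + 16) + data chunk header (8) + payload.
    riff_size = 4 + 24 + 8 + data_len
    return (struct.pack("<4sI4s", b"RIFF", riff_size, b"WAVE")
            + struct.pack("<4sIHHIIHH", b"fmt ", 16, 1, channels,
                          rate, byte_rate, block_align, bits)
            + struct.pack("<4sI", b"data", data_len))


def dump_to_wav(dump, rate=44100, bits=16, channels=2):
    """Prepend a header; drop a trailing partial frame so the data chunk
    holds whole frames (a dump's size is arbitrary)."""
    block_align = channels * bits // 8
    usable = len(dump) - len(dump) % block_align
    return wav_header(usable, rate, bits, channels) + dump[:usable]


def parse_wav_header(buf):
    """Read the header back so a result can be checked without a player."""
    riff, riff_size, wave = struct.unpack_from("<4sI4s", buf, 0)
    (fmt, _, tag, ch, rate, byte_rate,
     align, bits) = struct.unpack_from("<4sIHHIIHH", buf, 12)
    data, data_len = struct.unpack_from("<4sI", buf, 36)
    if (riff, wave, fmt, data, tag) != (b"RIFF", b"WAVE", b"fmt ", b"data", 1):
        raise ValueError("not a canonical PCM WAVE header")
    return {"channels": ch, "rate": rate, "bits": bits, "align": align,
            "data_len": data_len, "riff_size": riff_size,
            "seconds": data_len / byte_rate}


if __name__ == "__main__":
    fake_dump = os.urandom(1024 * 1024 + 3)   # constructed, not a real dump
    wav = dump_to_wav(fake_dump)              # default: 44.1 kHz 16-bit stereo
    print(parse_wav_header(wav))
    # with open("dump.wav", "wb") as f: f.write(wav)  # to actually listen
```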

Posted: 24/12/2013, 18:15
