Memory Dump Analysis Anthology - P11
Memory Dump Analysis Anthology - P11: This is a revised, edited, cross-referenced and thematically organized volume of selected blog posts about crash dump analysis and debugging, written in 2006 - 2007 for software engineers developing and maintaining products on Windows platforms, technical support and escalation engineers dealing with complex software issues, and general Windows users.

No Component Symbols

The No Component Symbols pattern can be easily identified in stack traces by huge function offsets or no exported functions at all:

    STACK_TEXT:
    WARNING: Stack unwind information not available. Following frames may be wrong.
    00b2f42c 091607aa mydll!foo+0x8338
    00b2f4cc 7c83ab9e mydll2+0x8fe3

PART 3: Crash Dump Analysis Patterns

INSUFFICIENT MEMORY (COMMITTED MEMORY)

The Insufficient Memory pattern can be seen in many complete and kernel memory dumps. This condition can cause a system to crash, become slow, hang, or refuse to provide the expected functionality, for example, refuse new terminal server connections. There are many types of memory resources, and we can classify them initially into the following categories:

- Committed memory
- Virtual memory
    - Kernel space
        - Paged pool
        - Non-paged pool
        - Session pool
        - PTE limits
        - Desktop heap
        - GDI limits
    - User space
        - Virtual regions
        - Process heap

What we outline here is committed memory exhaustion. Committed memory is allocated memory backed by some physical memory or by reserved space in the page file(s). The space needs to be reserved in case the OS wants to swap that memory data out to disk when it is not used and there is no physical memory available for other processes. If that data is needed again, the OS brings it back to physical memory. If there is no space in the page file(s), then physical memory is filled up.

If committed memory is exhausted, most likely the system will hang or result in a bugcheck soon, so memory statistics should always be checked when we get a kernel or a complete memory dump. Even access violation bugchecks could result from insufficient memory when some memory allocation operation failed but a kernel mode component didn't check the return value for NULL. Here is an example:

    BugCheck 8E, {c0000005, 809203af, aa647c0c, 0}

    0: kd> !analyze -v
    TRAP_FRAME: aa647c0c -- (.trap ffffffffaa647c0c)
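
For the No Component Symbols pattern described at the top of this page, the following Python script (an added example, not code from the book) flags stack frames that show either symptom: a module-only frame or a huge offset from the nearest function name. The 0x1000 threshold, the function names and the last sample frame are assumptions made for illustration.

```python
import re

# Assumption (not from the page): an offset of 0x1000 or more from the nearest
# resolved name counts as "huge"; tune it for the code base being triaged.
HUGE_OFFSET = 0x1000

# WinDbg frame line: 2 to 5 hex columns (ChildEBP, RetAddr, optional args),
# then module[!function][+0xoffset].
FRAME_RE = re.compile(
    r"^(?:[0-9a-f`]{8,17}\s+){2,5}"
    r"(?P<module>[^\s!+]+)(?:!(?P<func>[^\s+]+))?(?:\+0x(?P<off>[0-9a-f]+))?\s*$",
    re.IGNORECASE,
)

def classify_frame(line):
    """Return (module, verdict) for one frame line, or None if it is not a frame."""
    m = FRAME_RE.match(line.strip())
    if not m:
        return None
    offset = int(m.group("off") or "0", 16)
    if m.group("func") is None:
        verdict = "no-symbol"      # module+offset only: no exported name nearby
    elif offset >= HUGE_OFFSET:
        verdict = "huge-offset"    # nearest export is far away, name is suspect
    else:
        verdict = "ok"
    return m.group("module"), verdict

def modules_missing_symbols(stack_text):
    """Modules whose frames match the pattern, in the order first seen."""
    flagged = []
    for line in stack_text.splitlines():
        result = classify_frame(line)
        if result and result[1] != "ok" and result[0] not in flagged:
            flagged.append(result[0])
    return flagged

# Sample input: the first two frames follow the trace on this page; the
# kernel32 frame is constructed to show a frame that resolves normally.
SAMPLE = """\
WARNING: Stack unwind information not available. Following frames may be wrong.
00b2f42c 091607aa mydll!foo+0x8338
00b2f4cc 7c83ab9e mydll2+0x8fe3
00b2f4f0 7c82482f kernel32!BaseThreadStart+0x34
"""

if __name__ == "__main__":
    for text in SAMPLE.splitlines():
        print(classify_frame(text), "<-", text)
    print("load symbols for:", modules_missing_symbols(SAMPLE))
```

Frames reported here are the ones whose function names and the frames that follow them should not be trusted until symbols for the listed modules are loaded.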