Inside CRT: Debug Heap Management

2024-01-25 08:32
文章标签 debug heap management inside crt

本文主要是介绍Inside CRT: Debug Heap Management,希望对大家解决编程问题提供一定的参考价值,需要的开发者们随着小编来一起学习吧!

转一篇好文,关于VC CRT Debug状态下的Heap管理;你将理解内存地址值为0xCC,0xCD,0xDD,0xFD到底代表着什么,e文的。

Inside CRT: Debug Heap Management


When you compile a debug build of your program with Visual Studio and run it in debugger, you can see that the memory allocated or deallocated has funny values, such as 0xCDCDCDCD or 0xDDDDDDDD. This is the result of the work Microsoft has put in to detect memory corruption and leaks in the Win32 platform. In this article, I will explain how memory allocation/deallocation is done via new/delete or malloc/free.

First, I will explain what all these values that you see, like CD, DD, and so forth, mean.

ValueNameDescription
0xCDC lean MemoryAllocated memory via malloc or new but never written by the application.
0xDDD ead MemoryMemory that has been released with delete or free. It is used to detect writing through dangling pointers.
0xFDF ence MemoryAlso known as "no mans land." This is used to wrap the allocated memory (like surrounding it with fences) and is used to detect indexing arrays out of bounds.
0xAB(A llocated B lock?)Memory allocated by LocalAlloc().
0xBAADF00DBad FoodMemory allocated by LocalAlloc() with LMEM_FIXED, but not yet written to.
0xCC When the code is compiled with the /GZ option, uninitialized variables are automatically assigned to this value (at byte level).

If you take a look at DBGHEAP.C , you can see how some of these values are defined:



<script type="text/javascript"> </script>

Before going any further, take a look at the memory management function that I will refer in this article.

FunctionDescription
mallocC/C++ function that allocates a block of memory from the heap. The implementation of the C++ operator new is based on malloc.
_malloc_dbgDebug version of malloc; only available in the debug versions of the run-time libraries. _malloc_dbg is a debug version of the malloc function. When _DEBUG is not defined, each call to _malloc_dbg is reduced to a call to malloc. Both malloc and _malloc_dbg allocate a block of memory in the base heap, but _malloc_dbg offers several debugging features: buffers on either side of the user portion of the block to test for leaks, a block type parameter to track specific allocation types, and filename /linenumber information to determine the origin of allocation requests.
freeC/C++ function that frees an allocated block. The implementation of C++ operator delete is based on free.
_free_dbgDebug version of free; only available in the debug versions of the run-time libraries. The _free_dbg function is a debug version of the free function. When _DEBUG is not defined, each call to _free_dbg is reduced to a call to free. Both free and _free_dbg free a memory block in the base heap, but _free_dbg accommodates two debugging features: the ability to keep freed blocks in the heap's linked list to simulate low memory conditions and a block type parameter to free specific allocation types.
LocalAlloc
GlobalAlloc
Win32 API to allocate the specified number of bytes from the heap. Windows memory management does not provide a separate local heap and global heap.
LocalFree
GlobalFree
Win32 API free the specified local memory object and invalidates its handle.
HeapAllocWin32 API allocates a block of memory from a heap. The allocated memory is not movable.
HeapFreeWin32 API frees a memory block allocated from a heap by the HeapAlloc or HeapReAlloc function.

There are many other functions that deal with memory management. For a complete view please refer to MSDN.

Note : Because this article is about memory management in a debug build, all the references to malloc and free in the following are actually references to their debug versions, _malloc_dbg and _free_dbg.

Compile the following code and run it in the debugger, walking step by step into it to see how memory is allocated and deallocated.



Here, 12 bytes are dynamically allocated, but the CRT allocates more than that by wrapping the allocated block with bookkeeping information. For each allocated block, the CRT keeps information in a structure called _CrtMemBlockHeader , which is declared in DBGINT.H :



It stores the following information:

FieldDescription
pBlockHeaderNextA pointer to the next block allocated, but next means the previous allocated block because the list is seen as a stack, with the latest allocated block at the top.
pBlockHeaderPrevA pointer to the previous block allocated; this means the block that was allocated after the current block.
szFileNameA pointer to the name of the file in which the call to malloc was made, if known.
nLineThe line in the source file indicated by szFileName at which the call to malloc was made, if known.
nDataSizeNumber of bytes requested
nBlockUse 0 - Freed block, but not released back to the Win32 heap
1 - Normal block (allocated with new/malloc)
2 - CRT blocks, allocated by CRT for its own use
lRequestCounter incremented with each allocation
gapA zone of 4 bytes (in the current implementation) filled with 0xFD, fencing the data block, of nDataSize bytes. Another block filled with 0xFD of the same size follows the data.

Most of the work of heap block allocation and deallocation are made by HeapAlloc () and HeapFree (). When you request 12 bytes to be allocated on the heap, malloc() will call HeapAlloc(), requesting 36 more bytes.

blockSize = sizeof(_CrtMemBlockHeader) + nSize + nNoMansLandSize;

malloc requests space for the 12 bytes we need (nSize), plus 32 bytes for the _CrtMemBlockHeader structure and another nNoMansLandSize bytes (4 bytes) to fence the data zone and close the gap.

But, HeapAlloc() will allocate even more bytes: 8 bytes below the requested block (that is, at a lower address) and 32 above it (that is, at a bigger address). It also initializes the requested block to 0xBAADF00D (bad food).

Then, malloc() fills the _CrtMemBlockHeader block with information and initializes the data block with 0xCD and no mans land with 0xFD.

Here is a table that shows how memory looks after the call to HeapAlloc() and after malloc() returns. For a complete situation, see the last table. (Note: All values are in hex.)

Addressafter HeapAlloc()after malloc()
00320FD8
00320FDC
00320FE0
00320FE4
00320FE8
00320FEC
00320FF0
00320FF4
00320FF8
00320FFC
00321000
00321004
00321008
0032100C
00321010
00321014
00321018
0032101C
00321020
00321024
00321028
0032102C
09 00 09 01
E8 07 18 00
0D F0 AD BA
0D F0 AD BA
0D F0 AD BA
0D F0 AD BA
0D F0 AD BA
0D F0 AD BA
0D F0 AD BA
0D F0 AD BA
0D F0 AD BA
0D F0 AD BA
0D F0 AD BA
0D F0 AD BA
AB AB AB AB
AB AB AB AB
00 00 00 00
00 00 00 00
79 00 09 00
EE 04 EE 00
40 05 32 00
40 05 32 00
09 00 09 01
E8 07 18 00
98 07 32 00
00 00 00 00
00 00 00 00
00 00 00 00
0C 00 00 00
01 00 00 00
2E 00 00 00
FD FD FD FD
CD CD CD CD
CD CD CD CD
CD CD CD CD
FD FD FD FD
AB AB AB AB
AB AB AB AB
00 00 00 00
00 00 00 00
79 00 09 00
EE 04 EE 00
40 05 32 00
40 05 32 00

Colors:

  • Green: win32 bookkeeping info
  • Blue: block size requested by malloc and filled with bad food
  • Magenta: _CrtMemBlockHeader block
  • Red: no mans land
  • Black: requested data block

In this example, after the call to malloc() returns, buffer will point to memory address 0x00321000.

When you call delete/free, the CRT will set the block it requested from HeapAlloc() to 0xDD, indicating this is a free zone. Normally after this, free() will call HeapFree() to give back the block to the Win32 heap, in which case the block will be overwritten with 0xFEEEEEEE, to indicate Win32 heap free memory.

You can avoid this by using the CRTDBG_DELAY_FREE_MEM_DF flag to _CrtSetDbgFlag (). It prevents memory from actually being freed, as for simulating low-memory conditions. When this bit is on, freed blocks are kept in the debug heap's linked list but are marked as _FREE_BLOCK . This is useful if you want to detect dangling pointers errors, which can be done by verifying if the freed block is written with 0xDD pattern or something else. Use _CrtCheckMemory () to verify the heap.s integrity.

The next table shows how the memory looks during the free(), before HeapFree() is called and afterwards.

AddressBefore HeapFree()After HeapFree()
00320FD8
00320FDC
00320FE0
00320FE4
00320FE8
00320FEC
00320FF0
00320FF4
00320FF8
00320FFC
00321000
00321004
00321008
0032100C
00321010
00321014
00321018
0032101C
00321020
00321024
00321028
0032102C
09 00 09 01
5E 07 18 00
DD DD DD DD
DD DD DD DD
DD DD DD DD
DD DD DD DD
DD DD DD DD
DD DD DD DD
DD DD DD DD
DD DD DD DD
DD DD DD DD
DD DD DD DD
DD DD DD DD
DD DD DD DD
AB AB AB AB
AB AB AB AB
00 00 00 00
00 00 00 00
79 00 09 00
EE 04 EE 00
40 05 32 00
40 05 32 00
82 00 09 01
5E 04 18 00
E0 2B 32 00
78 01 32 00
EE FE EE FE
EE FE EE FE
EE FE EE FE
EE FE EE FE
EE FE EE FE
EE FE EE FE
EE FE EE FE
EE FE EE FE
EE FE EE FE
EE FE EE FE
EE FE EE FE
EE FE EE FE
EE FE EE FE
EE FE EE FE
EE FE EE FE
EE FE EE FE
EE FE EE FE
EE FE EE FE

Colors:

  • Green: win32 bookkeeping info
  • Blue: CRT block filled with dead memory
  • Gray: memory given back to win32 heap

The two tables above are put in a single, more detailed, table below:

Address (hex)OffsetHeapAllocmallocFree before HeapFreeFree after HeapFreeDescription
00320FD8 -40 01090009 01090009 01090009 01090082 Win32 Heap info
00320FDC -36 001807E8 001807E8 0018075E 0018045E Win32 Heap info
00320FE0 -32 BAADF00D 00320798 DDDDDDDD 00322BE0 pBlockHeaderNext
00320FE4 -28 BAADF00D 00000000 DDDDDDDD 00320178 pBlockHeaderPrev
00320FE8 -24 BAADF00D 00000000 DDDDDDDD FEEEEEEE szFileName
00320FEC -20 BAADF00D 00000000 DDDDDDDD FEEEEEEE nLine
00320FF0 -16 BAADF00D 0000000C DDDDDDDD FEEEEEEE nDataSize
00320FF4 -12 BAADF00D 00000001 DDDDDDDD FEEEEEEE nBlockUse
00320FF8 -8 BAADF00D 0000002E DDDDDDDD FEEEEEEE lRequest
00320FFC -4 BAADF00D FDFDFDFD DDDDDDDD FEEEEEEE gap (no mans land)
00321000 0 BAADF00D CDCDCDCD DDDDDDDD FEEEEEEE Data requested
00321004 +4 BAADF00D CDCDCDCD DDDDDDDD FEEEEEEE Data requested
00321008 +8 BAADF00D CDCDCDCD DDDDDDDD FEEEEEEE Data requested
0032100C +12 BAADF00D FDFDFDFD DDDDDDDD FEEEEEEE No mans land
00321010 +16 ABABABAB ABABABAB ABABABAB FEEEEEEE Win32 Heap info
00321014 +20 ABABABAB ABABABAB ABABABAB FEEEEEEE Win32 Heap info
00321018 +24 00000000 00000000 00000000 FEEEEEEE Win32 Heap info
0032101C +28 00000000 00000000 00000000 FEEEEEEE Win32 Heap info
00321020 +32 00090079 00090079 00090079 FEEEEEEE Win32 Heap info
00321024 +36 00EE04EE 00EE04EE 00EE04EE FEEEEEEE Win32 Heap info
00321028 +40 00320540 00320540 00320540 FEEEEEEE Win32 Heap info
0032102C +44 00320540 00320540 00320540 FEEEEEEE Win32 Heap info

这篇关于Inside CRT: Debug Heap Management的文章就介绍到这儿,希望我们推荐的文章对编程师们有所帮助!



http://www.chinasem.cn/article/642675

相关文章

安装SQL2005后SQL Server Management Studio 没有出来的解决方案

一种情况,在安装 sqlServer2005 时 居然出现两个警告: 1 Com+ 目录要求 2 Edition change check 郁闷!网上说出现两个警告,是肯定装不成功的!我抱着侥幸的态度试了下,成功了。 安装成功后,正准备 “ 仅工具、联机丛书和示例(T)” 但是安装不了,他提示我“工作站组件”安装过了对现有组件无法更新或升级。 解决办法: 1 打开“控

Nn criterions don’t compute the gradient w.r.t. targets error「pytorch」 (debug笔记)

Nn criterions don’t compute the gradient w.r.t. targets error「pytorch」 ##一、 缘由及解决方法 把这个pytorch-ddpg|github搬到jupyter notebook上运行时,出现错误Nn criterions don’t compute the gradient w.r.t. targets error。注:我用

SIGMOD-24概览Part7: Industry Session (Graph Data Management)

👇BG3: A Cost Effective and I/O Efficient Graph Database in ByteDance 🏛机构:字节 ➡️领域: Information systems → Data management systemsStorage management 📚摘要:介绍了字节新提出的ByteGraph 3.0(BG3)模型,用来处理大规模图结构数据 背景

idea 怎么调试debug

1、这里以一个web工程为例,点击图中按钮开始运行web工程。 2、设置断点 3、使用postman发送http请求 4、请求发送之后会自动跳到断点处,并且在断点之前会有数据结果显示 5、按F8 在 Debug 模式下,进入下一步,如果当前行断点是一个方法,则不进入当前方法体内,跳到下一条执行语句。 6、按F7在 Debug 模式下,进入下一步,如果当

02 Shell Script注释和debug

Shell Script注释和debug 一、ShellScript注释 ​ # 代表不解释不执行 ​ 语法:# # 创建myshell.sh文件[root@localhost ~]# vi myshell.sh # 写入内容#!/bin/bash# 打印hello world(正确)echo "hello world"echo "hello 2" # 注释2(正确)echo

Tomcat怎样用Debug模式启动

在加装了Tomcat插件的Eclipse中可以设置用Debug模式启动Tomcat,此时Tomcat以及Web应用中的日志都以最详细的级别输出。 但如果直接从命令行用“starup.sh”启动,则只有INFO和更高级别的日志被输出,其他的都过滤掉了。 怎样才能在命令行里以Debug模式启动Tomcat?         你可以用配置Tomcat支持

WebStorm用Debug模式调试Vue等前端项目

问题说明 开发前端时,一直很苦恼调试前端代码的麻烦。 简单的内容可以通过console.log()在控制台打印变量值,来验证预期结果。 涉及到稍复杂的逻辑,就需要在代码中侵入增加debugger,或者在浏览器中找到js文件,再手动添加断点。 非常的麻烦,而且浏览器中对变量的追踪功能也有限,同时我也一直好奇WebStorm中Debug启动方式的作用,今天研究了一下,果然WebStorm提供了更简

【SqlServer】SQL Server Management Studio (SSMS) 下载、安装、配置使用及卸载——保姆级教程

超详细的 SQL Server Management Studio (SSMS) 下载、安装、连接数据库配置及卸载教程 SQL Server Management Studio (SSMS) 是微软提供的图形化管理工具,主要用于连接、管理和开发 SQL Server 数据库。以下是详细的 SSMS 下载、安装、连接数据库以及卸载的完整教程。 一、SSMS 下载与安装 1.1 下载 SSM

The `XXXUITests [Debug]` target overrides the `ALWAYS_EMBED_SWIFT_STANDARD_LIBRARIES` build......

出现的警告: [!] The `ColorInHeartUITests [Debug]` target overrides the `ALWAYS_EMBED_SWIFT_STANDARD_LIBRARIES` build setting defined in `Pods/Target Support Files/Pods-ColorInHeart-ColorInHeartUITests/Po

#error: Building MFC application with /MD[d] (CRT dll version) requires MFC shared dll version

昨天编译文件时出现了Building MFC application with /MD[d] (CRT dll version)requires MFC shared dll version~~~~的错误。   在网上很容易找到了解决的方案,公布如下:   对着你的项目点击右键,依次选择:属性、配置属性、常规,然后右边有个“项目默认值”,下面有个MFC的使用,选择“在共享 DLL 中使