Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

!heap –p –a VS !heap –x

Tags:

windbg

I have for years used the !heap –p –a for various tasks. Now I’m starting to debug on Win8 using the WinDbg 6.2.9200 found in the latest Win8 sdk.

Here I have found that the !heap –p –a does not always work, and that the output from !address “advertise” usage of !heap –x (see below) .

After reading the !heap -? , I can’t understand the difference! Anyone who knows the difference?

Which command do you use to see the details of a heap block ?

0:008> !address 335168f8 
<cut cut>

 Usage:                  Heap
 Base Address:           32b43000
 End Address:            33540000
 Region Size:            009fd000
 State:                  00001000   MEM_COMMIT
 Protect:                00000004   PAGE_READWRITE
 Type:                   00020000   MEM_PRIVATE
 Allocation Base:        32570000
 Allocation Protect:     00000004   PAGE_READWRITE
 More info:              heap owning the address: !heap 0xa80000
 More info:              heap segment
 More info:              heap entry containing the address: !heap -x 0x335168f8


0:008> !heap -x 0x335168f8
Entry     User      Heap      Segment       Size  PrevSize  Unused    Flags
-----------------------------------------------------------------------------
335168f0  335168f8  00a80000  32570000        30        30        1c  busy extra fill 

0:008> !heap -p -a 0x335168f8

0:008> .echo "nothing !!"
nothing !!
like image 874
Kjell Gunnar Avatar asked Sep 10 '13 12:09

Kjell Gunnar

1 Answers

Windbg uses a different mechanism for looking up the heap information depending on which flag you use.

The -p flag tells it that you have enabled Page Heap via gflags.exe or similar. When Page Heap is enabled, Windows keeps a separate set of structures (_DPH_HEAP_ROOT and co) for tracking allocations. If PageHeap is not on, there won't be any such structures, so you will get no output. I also expect that -p -a will just search backward from the address to try to find the _DPH_HEAP_BLOCK which describes the allocation.

The -x flag tells Windbg to walk the the _HEAP/_HEAP_ENTRY structures which Windows uses for keeping track of allocations. This set of structures describe all active allocations which have gone through the standard allocators (e.g., malloc, new, LocalAlloc,HeapAlloc`, etc).

There are a few great papers on the internals of Windows' heap allocators. I really like the paper Chris Valasek (@nudehaberdasher) did a few years ago on the Low Fragmentation Heap which was implemented in Windows 7 (and the principles still apply in Win8).

like image 65
Zach Riggle Avatar answered Oct 17 '22 17:10

Zach Riggle
Sign in to Comment

Related questions

Symbols (pdb) for native dll are not loaded due to post build step
windbg: private pdb symbols
In windbg, How to set breakpoint on all functions in kernel32.dll?
in windbg how to save byte array to the file
inspect field on all instances in memory dump
Why psscor4 command will not run
Are there more secure alternatives to the .Net SQLConnection class?
Windbg: Unable to walk the managed stack
Is CreateProcessW deprecated?
How to use WinDBG to track down .net out of memory exceptions?
Unable to verify checksum for exe
What can "Pin" an object in memory in Silverlight?
VS2010: "No matching binary found" when trying to load symbols for crashdump
Heap extension command fails: failed to initialize the extention
Find memory leaks with WinDbg when lots of objects are present in Gen2
Trapping HANDLE creation in WOW64
WinDbg remote debugger protocol

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!