I. problem description
When the memory of a process is abnormally large, there may be a memory leak, or there may be no limit on the length of data structures such as related queues in memory.
II. Solutions
If the problem is easy to appear, it is better to use umdh tool to make judgment. The usage of this tool is detailed in its help manual, and will not be described here.
This article is about another idea. As we all know, the process is divided into code space, data space, stack, heap, etc. The rest of the heap is basically fixed and capped. The space size of the heap is basically unlimited for 64 bit processes, so our idea is to view the contents of the heap.
III. solutions
After using the windbg attach to the process, execute in turn
0:003> !heap -s NtGlobalFlag enables following debugging aids for new heaps: stack back traces LFH Key : 0x0000008f4b2ee335 Termination on corruption : ENABLED Heap Flags Reserv Commit Virt Free List UCR Virt Lock Fast (k) (k) (k) (k) length blocks cont. heap ------------------------------------------------------------------------------------- 0000000002460000 08000002 1024 432 1024 1 6 1 0 0 LFH 0000000000010000 08008000 64 8 64 5 1 1 0 0 0000000000020000 08008000 64 64 64 61 1 1 0 0 00000000001a0000 08001002 1088 256 1088 3 1 2 0 0 LFH 00000000040a0000 08001002 512 28 512 0 2 1 0 0 0000000004080000 08001002 1088 332 1088 6 5 2 0 0 LFH ------------------------------------------------------------------------------------- 0:003> !heap -stat -h 0000000004080000 heap @ 0000000004080000 group-by: TOTSIZE max-display: 20 size #blocks total ( %) (percent of total busy bytes) 6608 1 - 6608 (36.24) 4000 1 - 4000 (22.73) 1000 2 - 2000 (11.37) 1001 1 - 1001 (5.68) b00 1 - b00 (3.91) 2c8 3 - 858 (2.96) 200 4 - 800 (2.84) 401 1 - 401 (1.42) 3ff 1 - 3ff (1.42) 30a 1 - 30a (1.08) 178 2 - 2f0 (1.04) 28 11 - 2a8 (0.94) 38 a - 230 (0.78) 220 1 - 220 (0.75) 100 2 - 200 (0.71) 58 5 - 1b8 (0.61) 160 1 - 160 (0.49) 130 1 - 130 (0.42) 30 6 - 120 (0.40) 48 3 - d8 (0.30) 0:003> !heap -flt s 401(This is a random selection. Of course, in the example I wrote, there is such a big leak.) _HEAP @ 2460000 _HEAP @ 10000 _HEAP @ 20000 _HEAP @ 1a0000 _HEAP @ 40a0000 _HEAP @ 4080000 HEAP_ENTRY Size Prev Flags UserPtr UserSize - state 0000000003f907e0 0043 0000 [00] 0000000003f90810 00401 - (busy) 0:003> !heap -p -a 0000000003f90810 address 0000000003f90810 found in _HEAP @ 4080000 HEAP_ENTRY Size Prev Flags UserPtr UserSize - state 0000000003f907e0 0043 0000 [00] 0000000003f90810 00401 - (busy) 7700cc0d ntdll! ?? ::FNODOBFM::`string'+0x000000000001913b 71048d17 MSVCR100!malloc+0x000000000000005b 71048ddb MSVCR100!operator new+0x000000000000001f 13fa423d7 test!test1+0x0000000000000017 13fa47ed4 test!boost::detail::thread_data<long (__cdecl*)(void)>::run+0x0000000000000014 13fa52e43 test!boost::`anonymous namespace'::thread_start_function+0x0000000000000043 71001d9f MSVCR100!_callthreadstartex+0x0000000000000017 71001e3b MSVCR100!_threadstartex+0x000000000000007f 76e6652d kernel32!BaseThreadInitThunk+0x000000000000000d 76f9c521 ntdll!RtlUserThreadStart+0x000000000000001d
In this way, you can locate the number of lines of code applying for memory (note that you need to set the symbol file and execute gflags.exe /i *.exe +ust)
Four. Postscript
1. Sometimes we may not have time to set gflags. At this time, we can check the memory content in the heap to guess the possible leak.
2. Heap-s can be executed many times to observe the heap address of memory increase for analysis.