发表新帖
发表新帖

What do the different columns in the “!heap -flt -s xxxx” windbg command represent

前端 未结
关注
3 1126
滥情空心
滥情空心 2020-12-31 02:05

I\'ve been doing some work on high memory issues, and I\'ve been doing a lot of heap analysis in windbg, and I was curious what the different columns really mean in \"!heap

相关标签:
3条回答
  • 野趣味
    2020-12-31 02:43

    From looking at the !heap documentation in the Debugging Tools for Windows help file and the heap docs on MSDN and a great excerpt from Advanced Windows Debugging, here's what I've been able to put together:

    • HEAP_ENTRY: pointer to entry within the heap. As you found, there is an 8 byte header which contains the data for the HEAP_ENTRY structure. The size of the HEAP_ENTRY structure is 8 bytes which defines the "heap granularity" size. This is used for determining the...
    • SIZE: size of the entry in terms of the granularity (i.e. the allocation size / 8)
    • FLAGS: these are defined in winbase.h with explanations found the in MSDN link.
    • USERPTR: the actual pointer to the allocated (or freed) object
    0 讨论(0)
  • 没有蜡笔的小新
    2020-12-31 02:51

    Well, the main difference between HEAP_ENTRY and UserPtr is the due to the fact that heaps have to be indexed, allocated, filled with metadata (like the allocated length made available to user)... otherwise, how could you free(p) something without providing how many bytes were allocated? Same thing with the two size fields: one thing is how big the structure indexing the heap is, one thing is how big is the memory region made available to the user.

    The FLAGS, in turn, basically specify which properties of the allocated memory block, if it is committed or just reserved, and, I guess, used by the kernel to rearrange or share memory regions if needed (but as nithins specifies they are documented in MSDN).

    The PREV ptr is used to keep track of all the allocated regions and the first pointer is stored in the PEB structure so both user-space and kernel-space code is aware of the allocated heap pools.

    0 讨论(0)
  • 长情又很酷
    2020-12-31 02:54

    HEAP_ENTRY Heaps store allocated blocks in contiguous Segments of memory, each allocated block starts with a 8-bytes header followed by the actual allocated data. The HEAP_ENTRY column is the address of the beginning of the header of the allocated block.

    Size The heap manager handles blocks in multiple of 8 bytes. The column is the number of 8 bytes chunk allocated. In your sample, 0044 means that the block takes 0x220 bytes (0x44*8).

    Prev Multiply per 8 to have the negative offset in bytes to the previous heap block.

    Flags This is a bitmask that encodes the following information

    0x01 - HEAP_ENTRY_BUSY
0x02 - HEAP_ENTRY_EXTRA_PRESENT
0x04 - HEAP_ENTRY_FILL_PATTERN
0x08 - HEAP_ENTRY_VIRTUAL_ALLOC
0x10 - HEAP_ENTRY_LAST_ENTRY

    UserPtr This is the pointer returned to the application by the HeapAlloc (callbed by malloc/new) function. Since the header is always 8 bytes long, it is always HEAP_ENTRY +8.

    UserSize This is the size passed the HeapAlloc function.

    state This is a decoding of the Flags column, telling if the entry is busy, freed, last of its segment, …

    Be aware that in Windows 7/2008 R2, heaps are by default using a front-end named LFH (Low fragmented heap) that uses the default heap manager to allocate chunks in which it dispatched user allocated data. For these heaps, UserPtr and UserSize will not point to real user data. The output of !heap -s displays which heaps are LFH enabled.

    0 讨论(0)
 看不清?
提交回复
热议问题