!heap -p -a VS !heap -x
I have for years used !heap -p -a for various tasks. Now I'm starting to debug on Win8 using the WinDbg 6.2.9200 found in the latest Win8 SDK.

Here I have found that !heap -p -a does not always work, and that the output from !address "advertises" usage of !heap -x (see below).

After reading !heap -?, I can't understand the difference! Does anyone know the difference?

Which command do you use to see the details of a heap block?

0:008> !address 335168f8 
<cut cut>

 Usage:                  Heap
 Base Address:           32b43000
 End Address:            33540000
 Region Size:            009fd000
 State:                  00001000   MEM_COMMIT
 Protect:                00000004   PAGE_READWRITE
 Type:                   00020000   MEM_PRIVATE
 Allocation Base:        32570000
 Allocation Protect:     00000004   PAGE_READWRITE
 More info:              heap owning the address: !heap 0xa80000
 More info:              heap segment
 More info:              heap entry containing the address: !heap -x 0x335168f8


0:008> !heap -x 0x335168f8
Entry     User      Heap      Segment       Size  PrevSize  Unused    Flags
-----------------------------------------------------------------------------
335168f0  335168f8  00a80000  32570000        30        30        1c  busy extra fill 

0:008> !heap -p -a 0x335168f8

0:008> .echo "nothing !!"
nothing !!
Footbridge answered 10/9, 2013 at 12:14

Treacy: Doesn't the "-p" ask for page heap info? I think page heaps must be enabled first (before starting the process in question) with something like gflags.

Footbridge: Yes, I agree that -p sounds like page heap, but "-p -a" has always worked even if page heap is not enabled. Also, it's much faster than -x. Anyway, if -x is the way, I have to cope with it.

Propylene: 6.2.9200 doesn't output on my machine either. Neither does 6.12.2. What was your old version? I have many versions available, so I could give it a try.

Footbridge: @Thomas W. I have used 6.2.9200 and 6.3.9600. The problem with -x is that it takes several hours on a 3 GB dump :-(

Windbg uses a different mechanism for looking up the heap information depending on which flag you use.

The -p flag tells it that you have enabled Page Heap via gflags.exe or similar. When Page Heap is enabled, Windows keeps a separate set of structures (_DPH_HEAP_ROOT and co.) for tracking allocations. If Page Heap is not on, there won't be any such structures, so you will get no output. I also expect that -p -a will just search backward from the address to try to find the _DPH_HEAP_BLOCK which describes the allocation.

The -x flag tells Windbg to walk the _HEAP/_HEAP_ENTRY structures which Windows uses for keeping track of allocations. This set of structures describes all active allocations which have gone through the standard allocators (e.g., malloc, new, LocalAlloc, HeapAlloc, etc.).

There are a few great papers on the internals of Windows' heap allocators. I really like the paper Chris Valasek (@nudehaberdasher) did a few years ago on the Low Fragmentation Heap which was implemented in Windows 7 (and the principles still apply in Win8).

Halland answered 19/6, 2014 at 17:13
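As an added example (not code from the question or the answer), a small Python helper that parses the !heap -x table quoted in the question, picks up the follow-up command that !address suggests, and checks that the queried address falls inside the reported entry. The sample text is the debugger output quoted above; an empty table, like the one !heap -p -a printed, parses to no rows, which is the "Page Heap not enabled" case the answer describes.

```python
import re

# Constructed sample: the `!heap -x 0x335168f8` output quoted in the question.
HEAP_X_OUTPUT = """\
Entry     User      Heap      Segment       Size  PrevSize  Unused    Flags
-----------------------------------------------------------------------------
335168f0  335168f8  00a80000  32570000        30        30        1c  busy extra fill
"""

# Constructed sample: the "More info" line from the `!address` output above.
ADDRESS_OUTPUT = " More info:  heap entry containing the address: !heap -x 0x335168f8\n"

COLUMNS = ("entry", "user", "heap", "segment", "size", "prev_size", "unused")


def is_hex(token):
    return re.fullmatch(r"[0-9a-fA-F]+", token) is not None


def parse_heap_x(text):
    """Parse the `!heap -x` table into dicts; numeric columns are unprefixed hex.

    Header, separator and blank lines are skipped, so text with no table
    (what `!heap -p -a` prints without Page Heap) yields an empty list.
    """
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 7 or not all(is_hex(p) for p in parts[:7]):
            continue
        row = dict(zip(COLUMNS, (int(p, 16) for p in parts[:7])))
        row["flags"] = parts[7:]  # free-form, e.g. ["busy", "extra", "fill"]
        rows.append(row)
    return rows


def heap_x_hint(address_output):
    """Return the `!heap -x ...` command that `!address` recommends, if any."""
    m = re.search(r"heap entry containing the address:\s*(!heap -x 0x[0-9a-fA-F]+)",
                  address_output)
    return m.group(1) if m else None


def locate(addr, rows):
    """Find the entry whose [Entry, Entry+Size) range contains addr."""
    for row in rows:
        end = row["entry"] + row["size"]
        if row["entry"] <= addr < end:
            return {"header_bytes": row["user"] - row["entry"],  # 8 on the x86 NT heap
                    "offset_in_user": addr - row["user"],
                    "busy": "busy" in row["flags"],
                    "end": end}
    return None  # no entry covers addr (or the table was empty)
```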
