What do the ? XXX!yyyyyyyyyy+zzz mean in the !heap -flt s output
02-06-2021
Question
I'm analyzing some user mode memory dumps to try to track down a leak, and I've got some candidates for what is leaking, but I keep on seeing these entries in my dumps when I run the !heap -flt s xx command.
14a8bd58 0006 0006 [07] 14a8bd60 00018 - (busy)
14a8bd88 0006 0006 [07] 14a8bd90 00018 - (busy)
14a8bdf8 0006 0006 [07] 14a8be00 00018 - (busy)
14a8bf48 0006 0006 [07] 14a8bf50 00018 - (busy)
? SomeModule!SomeFunction+1bdf4
I get what the
14a8bd58 0006 0006 [07] 14a8bd60 00018 - (busy)
lines are, but I'm not really sure what the lines
? SomeModule!SomeFunction+1bdf4
really mean. These dumps were captured with the +ust flag for heap traces.
Solution
They are just providing symbolic information in order for a reader to more usefully locate the corresponding part of the source.
Under Windows, the virtual address space of a process is populated by a set of modules. Each module consists of a base address and a size. So another way this information is sometimes displayed is Module + Relative Offset.
A module can contain functions. In the cases where symbol tables are intact, it is possible to find the relative offsets (into the module) and sizes of these functions. The dump is simply displaying this information in a more human-readable format.
Other tips
SomeModule is the name of an executable module.
SomeFunction is the name of a function exported from that module which is being executed.
+1bdf4 is an offset, in hexadecimal, from the beginning of that function.
The offset value is very large in this example; that could mean that the symbol table for the module is missing and the offset is shown relative to the closest function with a known name, typically an exported one.
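The nearest-symbol lookup described in the answers above, as an added example that is not part of the original posts: the same return address is resolved once with only exported names known and once with a full symbol table. The module base, the RVAs and the names OtherExport, InternalHelper and AllocRecord are constructed for illustration.

```python
from bisect import bisect_right

def symbolize(addr, modules, symbols):
    """Render addr as Module!Function+offset using the nearest preceding known symbol.

    modules: list of (name, base, size)
    symbols: {module name: [(rva, function name), ...]}, whatever symbols are available
    """
    for name, base, size in modules:
        if base <= addr < base + size:
            rva = addr - base              # Module + Relative Offset
            table = sorted(symbols.get(name, []))
            i = bisect_right([r for r, _ in table], rva) - 1
            if i < 0:                      # no known symbol at or below this address
                return f"{name}+{rva:x}"
            sym_rva, func = table[i]
            off = rva - sym_rva            # distance from the start of that function
            return f"{name}!{func}+{off:x}" if off else f"{name}!{func}"
    return f"{addr:08x}"                   # address lies outside every loaded module

# Constructed sample data (not taken from the dump in the question).
MODULES = [("SomeModule", 0x10000000, 0x80000)]
EXPORTS_ONLY = {"SomeModule": [(0x1000, "SomeFunction"), (0x40000, "OtherExport")]}
FULL_SYMBOLS = {"SomeModule": EXPORTS_ONLY["SomeModule"] + [
    (0x1A000, "InternalHelper"), (0x1CDE0, "AllocRecord")]}

# A return address as it might appear in a heap stack trace.
RETURN_ADDR = 0x10000000 + 0x1000 + 0x1BDF4

if __name__ == "__main__":
    # Exports only: large offset from the closest exported name.
    print(symbolize(RETURN_ADDR, MODULES, EXPORTS_ONLY))
    # Full symbols: small offset inside the function that actually contains the address.
    print(symbolize(RETURN_ADDR, MODULES, FULL_SYMBOLS))
```

With export-only data the frame is attributed to SomeFunction at a large offset, while the full table places it a few bytes into a different function, which is why a large offset is a hint to load proper symbols before trusting the function name.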