What do the ? XXX!yyyyyyyyyy+zzz mean in the !heap -flt s output

Question

I'm analyzing some user mode memory dumps to try to track down a leak, and I've got some canidates for what is leaking, but I keep on seeing these entries in my dumps when I run the !heap -flt s xx command.

    14a8bd58 0006 0006  [07]   14a8bd60    00018 - (busy)
    14a8bd88 0006 0006  [07]   14a8bd90    00018 - (busy)
    14a8bdf8 0006 0006  [07]   14a8be00    00018 - (busy)
    14a8bf48 0006 0006  [07]   14a8bf50    00018 - (busy)
      ? SomeModule!SomeFunction+1bdf4

I get what the

    14a8bd58 0006 0006  [07]   14a8bd60    00018 - (busy)

lines are, but I'm not really sure what the lines

      ? SomeModule!SomeFunction+1bdf4

really mean. These dumps were captured with the +ust flag for heap traces.

Answer 1

They are just providing symbolic information in order for a reader to more usefully locate the corresponding part of the source.

Under Windows, the virtual address space of a process is populated by a set of modules. Each module consists of a base address and a size. So another way this information is sometimes displayed is Module + Relative Offset.

A module can contain functions. In the cases where symbol tables are intact, it is possible to find the relative offsets (into the module) and sizes of these functions. The dump is simply displaying this information in a more human-readable format.

Answer 2

SomeModule is the name of an executable module.

SomeFunction is the name of a function exported from that module which is being executed.

+1bdf4 is an offset, in hexadecimal, from the beginning of that function.

Offset value is very large in this example, that could mean that symbol table for the module is missing and the offset is shown relative to the closest function with the known name, typically, an exported one.