
How to interpret the result of !heap -l from Windbg

I have a 3.5Gb dump file from a process which I suspect has a memory leak. I used WinDbg to analyze the dump file, and the specific command I used was !heap -l (for leak detection). The result showed that 807258 potential unreachable blocks were detected. However, I don't know how to use the analysis result. The report has the following format:

Entry | User | Heap | Segment | Size | PrevSize | Unused | Flags

00000000002e4190 | 00000000002e41a0 | 0000000000260000 | 0000000000260000 | 210 | 60 | 10 | busy

......(the rest of the 807258 rows)

My understanding is that the Heap column tells you which heap the leak is coming from, but what do Entry and User stand for? I couldn't find any explanation in Microsoft's online documentation. Can someone help me understand what each of these columns means?

Optimus Prime asked Oct 25 '25 17:10

1 Answer

Entry is the address of the HEAP_ENTRY for that heap allocation. It's undocumented, but looks something like this.

You can see how it looks on your system using dt nt!_HEAP_ENTRY or even look at that specific heap entry using dt nt!_HEAP_ENTRY 00000000002e4190.

Here's the layout of nt!_HEAP_ENTRY on my system:

0:007> dt nt!_HEAP_ENTRY
ntdll!_HEAP_ENTRY
   +0x000 UnpackedEntry    : _HEAP_UNPACKED_ENTRY
   +0x000 PreviousBlockPrivateData : Ptr64 Void
   +0x008 Size             : Uint2B
   +0x00a Flags            : UChar
   +0x00b SmallTagIndex    : UChar
   +0x008 SubSegmentCode   : Uint4B
   +0x00c PreviousSize     : Uint2B
   +0x00e SegmentOffset    : UChar
   +0x00e LFHFlags         : UChar
   +0x00f UnusedBytes      : UChar
   +0x008 CompactHeader    : Uint8B
   +0x000 ExtendedEntry    : _HEAP_EXTENDED_ENTRY
   +0x000 Reserved         : Ptr64 Void
   +0x008 FunctionIndex    : Uint2B
   +0x00a ContextValue     : Uint2B
   +0x008 InterceptorValue : Uint4B
   +0x00c UnusedBytesLength : Uint2B
   +0x00e EntryOffset      : UChar
   +0x00f ExtendedBlockSignature : UChar
   +0x000 ReservedForAlignment : Ptr64 Void
   +0x008 Code1            : Uint4B
   +0x00c Code2            : Uint2B
   +0x00e Code3            : UChar
   +0x00f Code4            : UChar
   +0x00c Code234          : Uint4B
   +0x008 AgregateCode     : Uint8B

User is simply the start of the allocation as returned by RtlAllocateHeap() or HeapAlloc().

It's usually equal to the Entry address plus sizeof(_HEAP_ENTRY).

Sean Cline answered Oct 29 '25 08:10
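
A listing of 807258 rows only becomes usable once it is aggregated. The following is an added example, not part of the original question or answer: a Python script that parses !heap -l rows in the column layout quoted in the question, counts candidates per (Heap, Size) pair, and tallies User minus Entry to check the header-offset relation the answer describes. It assumes the numeric columns are hexadecimal; every sample row except the first is constructed, and the function names are hypothetical.

```python
import re
from collections import Counter

COLUMNS = ("entry", "user", "heap", "segment", "size", "prev_size", "unused")

# Constructed sample: only the first data row comes from the question.
# Rows appear both pipe-separated (as quoted above) and whitespace-separated.
SAMPLE = """\
Entry | User | Heap | Segment | Size | PrevSize | Unused | Flags
00000000002e4190 | 00000000002e41a0 | 0000000000260000 | 0000000000260000 | 210 | 60 | 10 | busy
00000000002e43a0 00000000002e43b0 0000000000260000 0000000000260000 210 210 10 busy
00000000002e45b0 00000000002e45c0 0000000000260000 0000000000260000 210 210 10 busy
0000000000a51230 0000000000a51240 0000000000a50000 0000000000a50000 40 30 8 busy
807258 potential unreachable blocks were detected.
"""

def parse_rows(text):
    """Return one dict per data row; headers and summary lines are skipped."""
    rows = []
    for line in text.splitlines():
        # Accept '|' or whitespace as separator; drop the ` some builds put in addresses.
        fields = [f for f in re.split(r"[|\s]+", line.replace("`", "")) if f]
        if len(fields) < 8:
            continue
        try:
            nums = [int(f, 16) for f in fields[:7]]  # assumption: columns are hex
        except ValueError:
            continue  # header row or other non-data text
        row = dict(zip(COLUMNS, nums))
        row["flags"] = " ".join(fields[7:])
        rows.append(row)
    return rows

def summarize(rows):
    """Count rows per (heap, size) and per (User - Entry) offset."""
    by_heap_size = Counter((r["heap"], r["size"]) for r in rows)
    user_minus_entry = Counter(r["user"] - r["entry"] for r in rows)
    return by_heap_size, user_minus_entry

if __name__ == "__main__":
    by_heap_size, offsets = summarize(parse_rows(SAMPLE))
    for (heap, size), count in by_heap_size.most_common():
        print(f"heap {heap:#x}  size {size:#x}  blocks {count}")
    print("User - Entry offsets:", {hex(k): v for k, v in offsets.items()})
```

The (Heap, Size) pair with the highest count is the first place to look, since a leak of one object type tends to repeat the same allocation size in the same heap.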


