Gflags tool used to check memory out-of-bounds and wild pointers

Source: Internet
Author: User

Reproduced in: http://blog.csdn.net/zhufangyou/article/details/6563878

 

Enable the check function:
gflags /p /enable ***.exe /full

Disable the check function:
gflags /p /disable ***.exe

List processes that currently have page heap enabled:
gflags /p

1. Case study

Debug and run the program. The program crashes inside a function in ntdll when it exits, and the Output window shows:
Heap: Free heap block xxxxxx modified at xxxxxx after it was freed

At this point there is no quick way to find out where the program performed the illegal memory access.

2. Solution

A. Install Debugging Tools for Windows (that is, WinDbg). After installation, add the installation directory to the PATH environment variable.

B. Run: gflags -p /enable ***.exe /full
"***.exe" is the name of the program to be debugged; the full path is not required.

This command writes debugging parameters to the registry that add a protection mechanism to the program's heap memory. Once a write goes out of bounds or a wild pointer is dereferenced, execution breaks immediately, so you can determine where the problem is.

Configure normal page heap:

"C:\Program Files\Debugging Tools for Windows (x86)\gflags.exe" /p /enable qq.exe

Configure full page heap:

"C:\Program Files\Debugging Tools for Windows (x86)\gflags.exe" /p /enable qq.exe /full

List processes that currently have page heap enabled:

"C:\Program Files\Debugging Tools for Windows (x86)\gflags.exe" /p

Cancel the page heap settings:

"C:\Program Files\Debugging Tools for Windows (x86)\gflags.exe" /p /disable qq.exe


C. Debug and run your own program. Visual C++ now breaks directly at the problematic code.

D. Remove the debugging settings from the registry:
gflags -p /disable ***.exe

What is page heap?

Starting with Windows 2000, the operating system's heap manager includes a "verification layer", the page heap manager. This layer lives in the ntdll.dll module and can verify all dynamic memory operations of the application (reads, writes, allocation, release, and so on).

There are two types of page heap: normal page heap and full page heap.

Full page heap:

When a memory block is allocated, its position is adjusted so that the end of the block is aligned with a page boundary, and an inaccessible page is placed immediately after that boundary as a guard area. The process then crashes as soon as a read or write goes past the end of the block, so out-of-bounds memory access is caught at the moment it happens.

Because every allocation has to be laid out this way, small allocations are especially expensive: even a one-byte allocation consumes a whole memory page plus a reserved virtual memory page for the guard (note that in the current implementation the guard page is reserved but never committed). This consumes a large amount of memory, and it is difficult to estimate how much a process will need, so before enabling page heap make sure the machine has at least 1 GB of virtual memory available.

Normal page heap:

Normal page heap works much like the CRT debug memory allocation functions: a small amount of fill information is placed around each block, and the fill area is checked when the block is released to see whether the memory was corrupted. The advantage of this method is that memory consumption is greatly reduced. The disadvantage is that corruption is detected only when the block is released, which makes it hard to trace back to the faulty code.

Gflags, AppVerifier, pageheap.exe

Gflags, AppVerifier and pageheap.exe are three shell tools that make it convenient to configure the page heap options. The options live in the registry under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\<your executable name>\. When Windows starts a process, it checks this registry key and applies the corresponding page heap options.

pageheap.exe

- The page heap configuration tool for Windows 2000 Professional SP2 and later. It has since been replaced by gflags.

Gflags

- The older page heap configuration tool, with both a command line and a GUI. It is full-featured and ships with the WinDbg debugger installation package. It is also available for Windows 2000 Professional SP2 and later.

AppVerifier

- The newer page heap configuration tool; it requires Windows XP or later. VS2005 has built-in AppVerifier support: use the "Debug" menu > "Start with Application Verifier" to launch the program, and page heap is enabled automatically. Download: http://www.microsoft.com/downloads/details.aspx?Familyid=bd02c19c-1250-433c-8c1b-2619bd93b3a2&displaylang=en#filelist

Some examples of using the gflags command line:

Are these tools required?

As mentioned above, page heap is a function provided by the operating system; these tools merely make it convenient to modify the options in the registry. In practice you can edit the registry directly to enable page heap. This is useful on a customer's machine, since the customer does not need to install any software.

Some special options are described below:

/unaligned

This option can only be used with full page heap. When we allocate memory from the normal heap manager, the block is always 8-byte aligned, and page heap follows the same rule by default. As a result the end of the allocated block is not exactly aligned with the page boundary: there can be a gap of 0 to 7 bytes. Obviously, accesses within that gap are not discovered immediately. More precisely, reads into the gap are never discovered, and writes are only discovered when the block is released and the fill information in the gap is checked. /unaligned fixes this defect: it tells the page heap manager to ignore the 8-byte alignment rule so that the end of the block lands exactly on the page boundary.

Note that some programs, such as IE and QQ, may raise exceptions when this option is enabled.

/backwards

This option can only be used with full page heap. It aligns the start of the allocated block with the page boundary (instead of the end), which makes it possible to catch out-of-bounds accesses before the beginning of the block.

/debug

Starts the process under a debugger. This is a useful option for programs that cannot generate a dump automatically.
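To make the full page heap layout and the /unaligned gap concrete, here is a small constructed model in C (an added example, not ntdll's implementation or code from the original article): on a POSIX system it uses mmap/mprotect to place a block so that it ends at a PROT_NONE guard page, optionally keeps the normal 8-byte alignment to reproduce the 0..7 byte gap described above, and probes whether a read one byte past the block faults. The names ph_alloc, ph_gap and ph_faults_on_read are assumptions for this demonstration.

```c
#define _GNU_SOURCE                                  /* for MAP_ANONYMOUS, sigaction, sysconf */
#include <setjmp.h>
#include <signal.h>
#include <stdint.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Constructed model of one full-page-heap allocation (not ntdll's implementation):
 *   [ user pages, read/write ][ guard page, PROT_NONE ]
 * The block is placed so its last byte ends exactly at the guard page, unless the
 * normal 8-byte alignment rule forces a 0..7 byte gap (the gap /unaligned removes). */
static void *ph_alloc(size_t size, int unaligned) {
    size_t page = (size_t)sysconf(_SC_PAGESIZE);
    size_t user = (size + page - 1) / page * page;   /* whole pages for the block */
    uint8_t *base = mmap(NULL, user + page, PROT_READ | PROT_WRITE,
                         MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (base == MAP_FAILED) return NULL;
    /* The page right after the block is the guard: any access to it must fault. */
    if (mprotect(base + user, page, PROT_NONE) != 0) { munmap(base, user + page); return NULL; }
    uintptr_t p = (uintptr_t)base + user - size;     /* block end flush with the guard */
    if (!unaligned) p &= ~(uintptr_t)7;              /* default 8-byte alignment */
    return (void *)p;
}

/* Bytes between block end and the guard page: 0..7 by default, always 0 with /unaligned. */
static size_t ph_gap(const void *p, size_t size) {
    size_t page = (size_t)sysconf(_SC_PAGESIZE);
    return (page - ((uintptr_t)p + size) % page) % page;
}

static sigjmp_buf jb;
static volatile uint8_t sink;                        /* forces the probe read to happen */
static void on_fault(int sig) { (void)sig; siglongjmp(jb, 1); }
/* Returns 1 if reading *addr faults (it lies in the guard page), 0 otherwise.
 * SIGBUS is handled too because some platforms report PROT_NONE hits that way. */
static int ph_faults_on_read(const volatile uint8_t *addr) {
    struct sigaction sa, old_segv, old_bus;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_fault;
    sigaction(SIGSEGV, &sa, &old_segv);
    sigaction(SIGBUS, &sa, &old_bus);
    volatile int faulted = 0;
    if (sigsetjmp(jb, 1) == 0) sink = *addr;         /* on a fault, control returns here */
    else faulted = 1;
    sigaction(SIGSEGV, &old_segv, NULL);
    sigaction(SIGBUS, &old_bus, NULL);
    return faulted;
}
```

With a 13-byte block, the aligned layout leaves a 3-byte gap that reads silently, while the unaligned layout faults on the very first byte past the block; the model never frees its mappings.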

Scope of page heap verification

Page heap verifies every memory allocation function that ultimately calls the ntdll.dll heap management functions (RtlAllocateHeap and RtlFreeHeap). This includes:

HeapAlloc, HeapFree, HeapReAlloc, LocalAlloc, LocalFree, LocalReAlloc and the other heap management functions provided by kernel32.

CRT memory allocation: malloc, free, realloc, _msize, _expand, operator new, delete, new[], delete[], and so on.

However, page heap cannot verify memory blocks allocated by the virtual memory allocation functions such as VirtualAlloc and VirtualFree.

Error types that page heap can handle:

Error type                                              | Normal page heap                        | Full page heap
--------------------------------------------------------+-----------------------------------------+----------------------------------------
Invalid heap handle                                     | Detected immediately                    | Detected immediately
Invalid heap block pointer                              | Detected immediately                    | Detected immediately
Unsynchronized multi-threaded access to the heap        | Detected immediately                    | Detected immediately
Assuming realloc returns the same address after release | 90%, detected immediately after realloc | 90%, detected immediately after realloc
Double release of a memory block                        | 90%, detected immediately               | 90%, detected immediately
Access to a released memory block                       | 90%, detected after the actual release  | 90%, detected immediately
Access past the end of a block                          | Detected when the block is released     | Detected immediately
Access before the start of a block                      | Detected when the block is released     | Detected immediately
