Comments on: Crash Dump Analysis Patterns (Part 20a)

By: Dmitry Vostokov

Dmitry Vostokov — Sat, 29 Jul 2017 06:43:20 +0000

There are 2 heap types in Windows 10: segment and NT

Two different heaps in Edge:

0:031> !heap
Heap Address NT/Segment Heap

2beae60000 Segment Heap
2beab10000 NT Heap
2beb4f0000 Segment Heap
2beadc0000 Segment Heap
2beae40000 Segment Heap
33ef7b0000 Segment Heap
33f15f0000 Segment Heap
2b88c50000 NT Heap
2ba2a50000 Segment Heap
2b9f940000 Segment Heap
2bac9f0000 Segment Heap
2bac9c0000 Segment Heap
2b9c9e0000 NT Heap
2b985d0000 NT Heap
2b823f0000 NT Heap

0:031> !heap -s

Process Total Total
Global Heap Reserved Committed
Heap Address Signature Flags List Bytes Bytes
Index (K) (K)

2beae60000 ddeeddee 0 1 94260 81524
2beb4f0000 ddeeddee 0 3 85044 69756
2beadc0000 ddeeddee 0 4 1076 80
2beae40000 ddeeddee 0 5 52 4
33ef7b0000 ddeeddee 0 6 1076 168
33f15f0000 ddeeddee 0 7 1076 36
2ba2a50000 ddeeddee 0 9 1076 144
2b9f940000 ddeeddee 0 10 1076 20
2bac9f0000 ddeeddee 0 11 3124 1856
2bac9c0000 ddeeddee 0 12 12340 8332

***********************************************************
NT HEAP STATS BELOW
***********************************************************
LFH Key : 0xd5b760accf32da62
Termination on corruption : ENABLED
Heap Flags Reserv Commit Virt Free List UCR Virt Lock Fast
(k) (k) (k) (k) length blocks cont. heap
————————————————————————————-
0000002beab10000 00008000 64 4 64 2 1 1 0 0
0000002b88c50000 00000001 16 16 16 13 1 1 0 N/A
0000002b9c9e0000 00000001 16 16 16 13 2 1 0 N/A
0000002b985d0000 00000001 16 16 16 13 1 1 0 N/A
0000002b823f0000 00000001 16 16 16 8 4 1 0 N/A
————————————————————————————-

https://www.blackhat.com/docs/us-16/materials/us-16-Yason-Windows-10-Segment-Heap-Internals.pdf

By: Dmitry Vostokov

Dmitry Vostokov — Fri, 03 May 2013 10:01:14 +0000

We can get distribution stats for different block sizes and then filter all stack traces based on the specific size we are interested in:

0:001> !heap -stat -h 06a00000
heap @ 06a00000
group-by: TOTSIZE max-display: 20
size #blocks total ( %) (percent of total busy bytes)
240 13eb9 - 31cce80 (40.67)
48 2a813 - bf4558 (9.76)
88 14213 - ab1a18 (8.73)
28 2a6a1 - 6a0928 (5.41)
4 187062 - 61c188 (4.99)
30 1e140 - 5a3c00 (4.61)
53218d 1 - 53218d (4.24)
50 fa85 - 4e4990 (4.00)
39d2d4 1 - 39d2d4 (2.95)
c 3592b - 282e04 (2.05)
3c 9591 - 230dfc (1.79)
b8 2b2b - 1f06e8 (1.58)
9c 31a9 - 1e42fc (1.54)
70 3592 - 176fe0 (1.20)
3ec 5dc - 16fad0 (1.17)
33c 5dc - 12f390 (0.97)
14 b4d5 - e20a4 (0.72)
20 6101 - c2020 (0.62)
6c 135e - 82ba8 (0.42)
60 1082 - 630c0 (0.32)

0:001> !heap -flt s 240
[…]
1c6c0db8 0055 0055 [00] 1c6c0dd0 00240 - (busy)
? ModuleA!DllUnregisterServer+272c7c
1c6c1060 0055 0055 [00] 1c6c1078 00240 - (busy)
? ModuleA!DllUnregisterServer+272c7c
1c6c1308 0055 0055 [00] 1c6c1320 00240 - (busy)
? ModuleA!DllUnregisterServer+272c7c
1c6c15b0 0055 0055 [00] 1c6c15c8 00240 - (busy)
? ModuleA!DllUnregisterServer+272c7c
1c6c1858 0055 0055 [00] 1c6c1870 00240 - (busy)
[…]

By: Crash Dump Analysis » Blog Archive » Icons for Memory Dump Analysis Patterns (Part 37)

Wed, 12 May 2010 10:39:47 +0000

[…] we introduce an icon for Memory Leak (process heap) […]

By: Crash Dump Analysis » Blog Archive » Crash Dump Analysis Patterns (Part 94a)

Mon, 30 Nov 2009 16:47:38 +0000

[…] all about deviations and of them is Size Deviation (a super pattern), be it a handle table size, a heap size, a number of contended locks, time spent in kernel, and so on. Every system or process property […]

By: Crash Dump Analysis » Blog Archive » Memory leak, spiking threads, wait chain, high critical section contention and module variety: pattern cooperation

Mon, 19 Oct 2009 21:10:19 +0000

[…] I noticed yesterday that my home Vista computer suddenly became slower than usual so I brought Task Manager, sorted processes by CPU usage and discovered an instance of IE7 with 50% - 60% of CPU consumption. Dumping processes in Vista is easier than ever, so I did the right click on that process and selected Create Dump File menu option. The dump was saved and I killed the process. The size of the dump file was 1.2Gb and that definitely indicated a memory leak. Examining process heap showed large heap segments amounting to 800Mb and therefore pointing to the possible heap leak: […]

By: Crash Dump Analysis » Blog Archive » Stack trace collection, message box, hidden exception, nested offender, insufficient memory, C++ exception, heap leak and ubiquitous component: pattern cooperation

Tue, 06 Oct 2009 22:02:14 +0000

[…] Apart from that, the size of the memory dump, almost 1.8Gb, suggested a memory leak and we clearly see expanded heaps that also suggest the case of a heap leak: […]

By: Say Goodnight » WTF? “tail fill – unable to read heap entry extra”

Tue, 04 Aug 2009 01:09:23 +0000

[…] was tracking down a memory leak using DMP files using a method outlined here. Windbg is great for this kind of memory leak debugging because you don’t have to worry about […]

By: Crash Dump Analysis » Blog Archive » Comparative Memory Dump Analysis: CPU Spikes

Fri, 22 May 2009 22:34:39 +0000

[…] see similarities and differences. Most often this technique is used for memory leaks, for example, process heap leaks. Here we see another example related to CPU […]

By: Crash Dump Analysis » Blog Archive » Looking for abnormal: case study

Crash Dump Analysis » Blog Archive » Looking for abnormal: case study — Mon, 27 Apr 2009 10:22:29 +0000

[…] to take a few consecutive memory dumps of the growing memory and analyze it later as described in a heap leak pattern. This can also be a .NET leak too if unmanaged AppA.exe happened to load any managed […]

By: Software Generalist » Blog Archive » Reading Notebook: 13-Jan-09

Software Generalist » Blog Archive » Reading Notebook: 13-Jan-09 — Tue, 13 Jan 2009 22:05:05 +0000

[…] Memory profilers: Massif, AQtime and mpatrol (pp. 53 - 54) - On Windows you can use Gflags and select user mode stack trace database and then use WinDbg: http://www.dumpanalysis.org/blog/index.php/2007/08/06/crash-dump-analysis-patterns-part-20a/ […]