Crash Dump Analysis Patterns (Part 20e)
The set of memory dumps that prompted to introduce Insufficient Memory pattern for stack trace database also prompted to include a variant of Memory Leak pattern related to regions of virtual memory address space. We created this simple modeling application:
int _tmain(int argc, _TCHAR* argv[])
{
int i,j; for (i = 1; i < 1000; ++i)
{
for (j = 1; j < 1000; ++j)
{
VirtualAlloc(NULL, 0x10000, MEM_RESERVE,
PAGE_EXECUTE_READWRITE);
}
getc(stdin);
}
return 0;
}We allocated only reserved memory regions. Committing them would probably at some stage manifest Insufficient Memory patterns for committed memory and physical memory. So we took a few consecutive memory dumps and see the ever increasing number of regions allocated at greater and greater virtual addresses:
0:000> !address
[...]
* 0`04070000 0`04080000 0`00010000 MEM_PRIVATE MEM_RESERVE <unclassified>
* 0`04080000 0`04090000 0`00010000 MEM_PRIVATE MEM_RESERVE <unclassified>
* 0`04090000 0`040a0000 0`00010000 MEM_PRIVATE MEM_RESERVE <unclassified>
* 0`040a0000 0`040b0000 0`00010000 MEM_PRIVATE MEM_RESERVE <unclassified>
* 0`040b0000 0`040c0000 0`00010000 MEM_PRIVATE MEM_RESERVE <unclassified>
* 0`040c0000 0`040d0000 0`00010000 MEM_PRIVATE MEM_RESERVE <unclassified>
* 0`040d0000 0`040e0000 0`00010000 MEM_PRIVATE MEM_RESERVE <unclassified>
* 0`040e0000 0`040f0000 0`00010000 MEM_PRIVATE MEM_RESERVE <unclassified>
* 0`040f0000 0`04100000 0`00010000 MEM_PRIVATE MEM_RESERVE <unclassified>
* 0`04100000 0`04110000 0`00010000 MEM_PRIVATE MEM_RESERVE <unclassified>
* 0`04110000 0`04120000 0`00010000 MEM_PRIVATE MEM_RESERVE <unclassified>
* 0`04120000 0`04130000 0`00010000 MEM_PRIVATE MEM_RESERVE <unclassified>
* 0`04130000 0`04140000 0`00010000 MEM_PRIVATE MEM_RESERVE <unclassified>
* 0`04140000 0`04260000 0`00120000 MEM_FREE PAGE_NOACCESS Free
[...]
0:000> !address
[...]
* 0`2eec0000 0`2eed0000 0`00010000 MEM_PRIVATE MEM_RESERVE <unclassified>
* 0`2eed0000 0`2eee0000 0`00010000 MEM_PRIVATE MEM_RESERVE <unclassified>
* 0`2eee0000 0`2eef0000 0`00010000 MEM_PRIVATE MEM_RESERVE <unclassified>
* 0`2eef0000 0`2ef00000 0`00010000 MEM_PRIVATE MEM_RESERVE <unclassified>
* 0`2ef00000 0`2ef10000 0`00010000 MEM_PRIVATE MEM_RESERVE <unclassified>
* 0`2ef10000 0`2ef20000 0`00010000 MEM_PRIVATE MEM_RESERVE <unclassified>
* 0`2ef20000 0`2ef30000 0`00010000 MEM_PRIVATE MEM_RESERVE <unclassified>
* 0`2ef30000 0`2ef40000 0`00010000 MEM_PRIVATE MEM_RESERVE <unclassified>
* 0`2ef40000 0`2ef50000 0`00010000 MEM_PRIVATE MEM_RESERVE <unclassified>
* 0`2ef50000 0`2ef60000 0`00010000 MEM_PRIVATE MEM_RESERVE <unclassified>
* 0`2ef60000 0`2ef70000 0`00010000 MEM_PRIVATE MEM_RESERVE <unclassified>
* 0`2ef70000 0`2ef80000 0`00010000 MEM_PRIVATE MEM_RESERVE <unclassified>
* 0`2ef80000 0`2ef90000 0`00010000 MEM_PRIVATE MEM_RESERVE <unclassified>
* 0`2ef90000 0`2efa0000 0`00010000 MEM_PRIVATE MEM_RESERVE <unclassified>
* 0`2efa0000 0`2efb0000 0`00010000 MEM_PRIVATE MEM_RESERVE <unclassified>
* 0`2efb0000 0`2efc0000 0`00010000 MEM_PRIVATE MEM_RESERVE <unclassified>
* 0`2efc0000 0`2efd0000 0`00010000 MEM_PRIVATE MEM_RESERVE <unclassified>
* 0`2efd0000 0`2efe0000 0`00010000 MEM_PRIVATE MEM_RESERVE <unclassified>
* 0`2efe0000 0`2eff0000 0`00010000 MEM_PRIVATE MEM_RESERVE <unclassified>
* 0`2eff0000 0`2f000000 0`00010000 MEM_PRIVATE MEM_RESERVE <unclassified>
* 0`2f000000 0`2f010000 0`00010000 MEM_PRIVATE MEM_RESERVE <unclassified>
* 0`2f010000 0`2f170000 0`00160000 MEM_FREE PAGE_NOACCESS Free
[...]
0:000> !address
[...]
* 0`697f0000 0`69800000 0`00010000 MEM_PRIVATE MEM_RESERVE <unclassified>
* 0`69800000 0`69810000 0`00010000 MEM_PRIVATE MEM_RESERVE <unclassified>
* 0`69810000 0`69820000 0`00010000 MEM_PRIVATE MEM_RESERVE <unclassified>
* 0`69820000 0`69830000 0`00010000 MEM_PRIVATE MEM_RESERVE <unclassified>
* 0`69830000 0`69840000 0`00010000 MEM_PRIVATE MEM_RESERVE <unclassified>
* 0`69840000 0`69850000 0`00010000 MEM_PRIVATE MEM_RESERVE <unclassified>
* 0`69850000 0`69860000 0`00010000 MEM_PRIVATE MEM_RESERVE <unclassified>
* 0`69860000 0`69870000 0`00010000 MEM_PRIVATE MEM_RESERVE <unclassified>
* 0`69870000 0`69880000 0`00010000 MEM_PRIVATE MEM_RESERVE <unclassified>
* 0`69880000 0`69890000 0`00010000 MEM_PRIVATE MEM_RESERVE <unclassified>
* 0`69890000 0`698a0000 0`00010000 MEM_PRIVATE MEM_RESERVE <unclassified>
* 0`698a0000 0`699e0000 0`00140000 MEM_FREE PAGE_NOACCESS Free
[...]
0:000> !address
[...]
* 0`c08c0000 0`c08d0000 0`00010000 MEM_PRIVATE MEM_RESERVE <unclassified>
* 0`c08d0000 0`c08e0000 0`00010000 MEM_PRIVATE MEM_RESERVE <unclassified>
* 0`c08e0000 0`c08f0000 0`00010000 MEM_PRIVATE MEM_RESERVE <unclassified>
* 0`c08f0000 0`c0900000 0`00010000 MEM_PRIVATE MEM_RESERVE <unclassified>
* 0`c0900000 0`c0910000 0`00010000 MEM_PRIVATE MEM_RESERVE <unclassified>
* 0`c0910000 0`c0920000 0`00010000 MEM_PRIVATE MEM_RESERVE <unclassified>
* 0`c0920000 0`c0930000 0`00010000 MEM_PRIVATE MEM_RESERVE <unclassified>
* 0`c0930000 0`c0960000 0`00030000 MEM_FREE PAGE_NOACCESS Free
[...]
0:000> !address
[...]
* 1`3d6a0000 1`3d6b0000 0`00010000 MEM_PRIVATE MEM_RESERVE <unclassified>
* 1`3d6b0000 1`3d6c0000 0`00010000 MEM_PRIVATE MEM_RESERVE <unclassified>
* 1`3d6c0000 1`3d6d0000 0`00010000 MEM_PRIVATE MEM_RESERVE <unclassified>
* 1`3d6d0000 1`3d6e0000 0`00010000 MEM_PRIVATE MEM_RESERVE <unclassified>
* 1`3d6e0000 1`3d6f0000 0`00010000 MEM_PRIVATE MEM_RESERVE <unclassified>
* 1`3d6f0000 1`3d700000 0`00010000 MEM_PRIVATE MEM_RESERVE <unclassified>
* 1`3d700000 1`3d710000 0`00010000 MEM_PRIVATE MEM_RESERVE <unclassified>
* 1`3d710000 1`3d720000 0`00010000 MEM_PRIVATE MEM_RESERVE <unclassified>
* 1`3d720000 1`3d730000 0`00010000 MEM_PRIVATE MEM_RESERVE <unclassified>
* 1`3d730000 1`3d7a0000 0`00070000 MEM_FREE PAGE_NOACCESS Free
[...]
0:000> !address -summary
--- Usage Summary ---------------- RgnCount ———– Total Size ——– %ofBusy %ofTotal
Free 15 7fe`c275e000 ( 7.995 Tb) 99.94%
<unclassified> 80928 1`3d193000 ( 4.955 Gb) 99.86% 0.06%
Image 28 0`0034b000 ( 3.293 Mb) 0.06% 0.00%
Stack 6 0`00200000 ( 2.000 Mb) 0.04% 0.00%
MemoryMappedFile 8 0`001af000 ( 1.684 Mb) 0.03% 0.00%
TEB 2 0`00004000 ( 16.000 kb) 0.00% 0.00%
PEB 1 0`00001000 ( 4.000 kb) 0.00% 0.00%
--- Type Summary (for busy) ------ RgnCount ----------- Total Size -------- %ofBusy %ofTotal
MEM_PRIVATE 80936 1`3d397000 ( 4.957 Gb) 99.90% 0.06%
MEM_IMAGE 29 0`0034c000 ( 3.297 Mb) 0.06% 0.00%
MEM_MAPPED 8 0`001af000 ( 1.684 Mb) 0.03% 0.00%
--- State Summary ---------------- RgnCount ----------- Total Size -------- %ofBusy %ofTotal
MEM_FREE 15 7fe`c275e000 ( 7.995 Tb) 99.94%
MEM_RESERVE 80926 1`3d438000 ( 4.957 Gb) 99.91% 0.06%
MEM_COMMIT 47 0`0045a000 ( 4.352 Mb) 0.09% 0.00%
--- Protect Summary (for commit) - RgnCount ----------- Total Size -------- %ofBusy %ofTotal
PAGE_EXECUTE_READ 4 0`001ef000 ( 1.934 Mb) 0.04% 0.00%
PAGE_READONLY 19 0`001de000 ( 1.867 Mb) 0.04% 0.00%
PAGE_READWRITE 17 0`00080000 ( 512.000 kb) 0.01% 0.00%
PAGE_WRITECOPY 5 0`00008000 ( 32.000 kb) 0.00% 0.00%
PAGE_READWRITE|PAGE_GUARD 2 0`00005000 ( 20.000 kb) 0.00% 0.00%
--- Largest Region by Usage ----------- Base Address -------- Region Size ----------
Free 1`3fac7000 7fd`bdc79000 ( 7.991 Tb)
<unclassified> 0`7f0e0000 0`00f00000 ( 15.000 Mb)
Image 0`77831000 0`00102000 ( 1.008 Mb)
Stack 0`00170000 0`000fb000 (1004.000 kb)
MemoryMappedFile 0`7efe5000 0`000fb000 (1004.000 kb)
TEB 7ff`fffdc000 0`00002000 ( 8.000 kb)
PEB 7ff`fffd3000 0`00001000 ( 4.000 kb)
Examination of such regions for Execution Residue such as Module Hint may point into further troubleshooting directions especially if live debugging is not possible.
- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -