Chasing Memory leaks with just a dump

All,

I have an app crash dump (full user mode dump). The crash happens because
the entire 2GB memory space has been consumed by the app; it is a memory
leak situation.

So far I know this:

  1. The app doesn't allocate separate heaps for separate objects, so
    everything goes into the default heap.
  2. The app uses several DLLs etc., and some of those do use their own heaps.
    When I walk the PEB for the number of heaps I see quite a few.

There is no way to repro this as the scenario is inconsistent, so App
Verifier, UMDH etc. are out.

My question is, with this full user memory dump, and that alone, can I make
any progress and if so how?

Thanks in advance

B

See what allocation size is prevailing in the heap.

Thanks grigora… did that already, here is all the output. Strangely, all
the allocations are only done once or twice, but the sizes are huge…

0:004> !heap -s
Heap Flags Reserv Commit Virt Free List UCR Virt Lock Fast
(k) (k) (k) (k) length blocks cont. heap

00150000 00000002 4096 644 1244 74 8 10 0 0 L
00250000 00008000 64 12 12 10 1 1 0 0
007e0000 00001002 64 52 52 5 1 1 0 0 L
00800000 00000002 1024 20 20 3 1 1 0 0 L
00a00000 00001002 4096 2388 2388 13 5 3 0 0 L
Virtual block: 01040000 - 01040000 (size 00000000)
00b00000 00001002 1960256 1960256 1960256 70 0 0 1 7 L
00f30000 00001002 64 28 28 7 4 1 0 0 L
01520000 00001002 64 16 16 4 1 1 0 0 L
06330000 00001002 7232 4060 5824 1077 226 24 0 0 L
External fragmentation 26 % (226 free blocks)
06350000 00001003 1280 220 268 37 7 7 0 N/A
065c0000 00001003 256 4 4 2 1 1 0 N/A
06a90000 00001003 256 4 4 2 1 1 0 N/A
06ad0000 00001003 256 4 4 2 1 1 0 N/A
06b10000 00001003 256 4 4 2 1 1 0 N/A
06390000 00001002 64 16 16 3 1 1 0 0 L

0:004> !heap -stat -h 00b00000
heap @ 00b00000
group-by: TOTSIZE max-display: 20
size #blocks total ( %) (percent of total busy bytes)
70 84a897 - 3a09c210 (53.53)
30 aa8149 - 1ff83db0 (29.49)
60 25da12 - e31c6c0 (13.09)
38 12ecf1 - 423d4b8 (3.82)
a8980 1 - a8980 (0.04)
40 97a - 25e80 (0.01)
200 106 - 20c00 (0.01)
47 3d9 - 1112f (0.00)
18 725 - ab78 (0.00)
d0 80 - 6800 (0.00)
90 96 - 5460 (0.00)
50 fa - 4e20 (0.00)
20 1fa - 3f40 (0.00)
8c 4e - 2aa8 (0.00)
80 54 - 2a00 (0.00)
24 129 - 29c4 (0.00)
78 3e - 1d10 (0.00)
800 3 - 1800 (0.00)
28 74 - 1220 (0.00)
1000 1 - 1000 (0.00)
0:004> !heap flt s
Index Address Name Debugging options enabled
1: 00150000
Segment at 00150000 to 00250000 (0009b000 bytes committed)
Segment at 08380000 to 08480000 (00001000 bytes committed)
Segment at 08480000 to 08680000 (00005000 bytes committed)
2: 00250000
Segment at 00250000 to 00260000 (00003000 bytes committed)
3: 007e0000
Segment at 007e0000 to 007f0000 (0000d000 bytes committed)
4: 00800000
Segment at 00800000 to 00900000 (00005000 bytes committed)
5: 00a00000
Segment at 00a00000 to 00b00000 (000b0000 bytes committed)
Segment at 063c0000 to 064c0000 (000d0000 bytes committed)
Segment at 06600000 to 06800000 (000d5000 bytes committed)
6: 00b00000
Segment at 00b00000 to 00b10000 (00010000 bytes committed)
Segment at 00b10000 to 00c10000 (00100000 bytes committed)
Segment at 01610000 to 01810000 (00200000 bytes committed)
Segment at 01810000 to 01c10000 (00400000 bytes committed)
Segment at 01c10000 to 02410000 (00800000 bytes committed)
Segment at 02c50000 to 03c50000 (01000000 bytes committed)
Segment at 04310000 to 06310000 (02000000 bytes committed)
Segment at 09990000 to 0d990000 (04000000 bytes committed)
Segment at 10020000 to 18020000 (08000000 bytes committed)
Segment at 18020000 to 28020000 (10000000 bytes committed)
Segment at 28020000 to 38020000 (10000000 bytes committed)
Segment at 4a860000 to 56860000 (0c000000 bytes committed)
Segment at 38020000 to 3f820000 (07800000 bytes committed)
Segment at 5f090000 to 67790000 (08700000 bytes committed)
Segment at 430a0000 to 47c90000 (04bf0000 bytes committed)
Segment at 67790000 to 6c83f000 (050af000 bytes committed)
Segment at 3f820000 to 422fd000 (02add000 bytes committed)
Segment at 56860000 to 59494000 (02c34000 bytes committed)
Segment at 5b920000 to 5e6b6000 (02d96000 bytes committed)
Segment at 6d630000 to 70533000 (02f03000 bytes committed)
Segment at 77f50000 to 7afcb000 (0307b000 bytes committed)
Segment at 0d990000 to 0f290000 (01900000 bytes committed)
Segment at 47c90000 to 495f4000 (01964000 bytes committed)
Segment at 72f80000 to 74949000 (019c9000 bytes committed)
Segment at 0f290000 to 0ffa8000 (00d18000 bytes committed)
Segment at 49600000 to 4a333000 (00d33000 bytes committed)
Segment at 594a0000 to 5a1ed000 (00d4d000 bytes committed)
Segment at 5a4d0000 to 5b238000 (00d68000 bytes committed)
Segment at 70540000 to 712c2000 (00d82000 bytes committed)
Segment at 71ca0000 to 72a3d000 (00d9d000 bytes committed)
Segment at 74f10000 to 75cc9000 (00db9000 bytes committed)
Segment at 7afd0000 to 7bda4000 (00dd4000 bytes committed)
Segment at 7e030000 to 7ee20000 (00df0000 bytes committed)
Segment at 42300000 to 42a06000 (00706000 bytes committed)
Segment at 5e6c0000 to 5edcd000 (0070d000 bytes committed)
Segment at 6c840000 to 6cf54000 (00714000 bytes committed)
Segment at 712d0000 to 719eb000 (0071b000 bytes committed)
Segment at 7bdb0000 to 7c4d2000 (00722000 bytes committed)
Segment at 7d280000 to 7d9a9000 (00729000 bytes committed)
Segment at 7ee20000 to 7f551000 (00731000 bytes committed)
Segment at 7f7f0000 to 7ff28000 (00738000 bytes committed)
Segment at 07590000 to 07930000 (003a0000 bytes committed)
Segment at 4a340000 to 4a6e2000 (003a2000 bytes committed)
Segment at 5b240000 to 5b5e3000 (003a3000 bytes committed)
Segment at 6cf60000 to 6d305000 (003a5000 bytes committed)
Segment at 72a40000 to 72de7000 (003a7000 bytes committed)
Segment at 74950000 to 74cf9000 (003a9000 bytes committed)
Segment at 75e60000 to 7620b000 (003ab000 bytes committed)
Segment at 762b0000 to 7665d000 (003ad000 bytes committed)
Segment at 76b80000 to 76f2e000 (003ae000 bytes committed)
Segment at 7d9b0000 to 7dd60000 (003b0000 bytes committed)
Segment at 07a80000 to 07c59000 (001d9000 bytes committed)
Segment at 08080000 to 0825a000 (001da000 bytes committed)
Segment at 42a10000 to 42bea000 (001da000 bytes committed)
Segment at 5a1f0000 to 5a3cb000 (001db000 bytes committed)
Segment at 5b5f0000 to 5b7cb000 (001db000 bytes committed)
Segment at 5edd0000 to 5efac000 (001dc000 bytes committed)
Segment at 6d310000 to 6d4ec000 (001dc000 bytes committed)
Segment at 719f0000 to 71bcd000 (001dd000 bytes committed)
Segment at 76660000 to 7683d000 (001dd000 bytes committed)
Segment at 770e0000 to 772bd000 (001dd000 bytes committed)
Segment at 77980000 to 77b5e000 (001de000 bytes committed)
Segment at 7c4e0000 to 7c6be000 (001de000 bytes committed)
Segment at 7dd60000 to 7df3f000 (001df000 bytes committed)
7: 00f30000
Segment at 00f30000 to 00f40000 (00007000 bytes committed)
8: 01520000
Segment at 01520000 to 01530000 (00004000 bytes committed)
9: 06330000
Segment at 06330000 to 06340000 (00010000 bytes committed)
Segment at 064c0000 to 065c0000 (000fe000 bytes committed)
Segment at 086e0000 to 088e0000 (00152000 bytes committed)
Segment at 088e0000 to 08ce0000 (00197000 bytes committed)
10: 06350000
Segment at 06350000 to 06390000 (0002c000 bytes committed)
Segment at 01410000 to 01510000 (0000b000 bytes committed)
11: 065c0000
Segment at 065c0000 to 06600000 (00001000 bytes committed)
12: 06a90000
Segment at 06a90000 to 06ad0000 (00001000 bytes committed)
13: 06ad0000
Segment at 06ad0000 to 06b10000 (00001000 bytes committed)
14: 06b10000
Segment at 06b10000 to 06b50000 (00001000 bytes committed)
15: 06390000
Segment at 06390000 to 063a0000 (00004000 bytes committed)
0:004> !heap -p -a 7dd60000

0:004> !heap flt s001de000
Index Address Name Debugging options enabled
1: 00150000
Segment at 00150000 to 00250000 (0009b000 bytes committed)
Segment at 08380000 to 08480000 (00001000 bytes committed)
Segment at 08480000 to 08680000 (00005000 bytes committed)
2: 00250000
Segment at 00250000 to 00260000 (00003000 bytes committed)
3: 007e0000
Segment at 007e0000 to 007f0000 (0000d000 bytes committed)
4: 00800000
Segment at 00800000 to 00900000 (00005000 bytes committed)
5: 00a00000
Segment at 00a00000 to 00b00000 (000b0000 bytes committed)
Segment at 063c0000 to 064c0000 (000d0000 bytes committed)
Segment at 06600000 to 06800000 (000d5000 bytes committed)
6: 00b00000
Segment at 00b00000 to 00b10000 (00010000 bytes committed)
Segment at 00b10000 to 00c10000 (00100000 bytes committed)
Segment at 01610000 to 01810000 (00200000 bytes committed)
Segment at 01810000 to 01c10000 (00400000 bytes committed)
Segment at 01c10000 to 02410000 (00800000 bytes committed)
Segment at 02c50000 to 03c50000 (01000000 bytes committed)
Segment at 04310000 to 06310000 (02000000 bytes committed)
Segment at 09990000 to 0d990000 (04000000 bytes committed)
Segment at 10020000 to 18020000 (08000000 bytes committed)
Segment at 18020000 to 28020000 (10000000 bytes committed)
Segment at 28020000 to 38020000 (10000000 bytes committed)
Segment at 4a860000 to 56860000 (0c000000 bytes committed)
Segment at 38020000 to 3f820000 (07800000 bytes committed)
Segment at 5f090000 to 67790000 (08700000 bytes committed)
Segment at 430a0000 to 47c90000 (04bf0000 bytes committed)
Segment at 67790000 to 6c83f000 (050af000 bytes committed)
Segment at 3f820000 to 422fd000 (02add000 bytes committed)
Segment at 56860000 to 59494000 (02c34000 bytes committed)
Segment at 5b920000 to 5e6b6000 (02d96000 bytes committed)
Segment at 6d630000 to 70533000 (02f03000 bytes committed)
Segment at 77f50000 to 7afcb000 (0307b000 bytes committed)
Segment at 0d990000 to 0f290000 (01900000 bytes committed)
Segment at 47c90000 to 495f4000 (01964000 bytes committed)
Segment at 72f80000 to 74949000 (019c9000 bytes committed)
Segment at 0f290000 to 0ffa8000 (00d18000 bytes committed)
Segment at 49600000 to 4a333000 (00d33000 bytes committed)
Segment at 594a0000 to 5a1ed000 (00d4d000 bytes committed)
Segment at 5a4d0000 to 5b238000 (00d68000 bytes committed)
Segment at 70540000 to 712c2000 (00d82000 bytes committed)
Segment at 71ca0000 to 72a3d000 (00d9d000 bytes committed)
Segment at 74f10000 to 75cc9000 (00db9000 bytes committed)
Segment at 7afd0000 to 7bda4000 (00dd4000 bytes committed)
Segment at 7e030000 to 7ee20000 (00df0000 bytes committed)
Segment at 42300000 to 42a06000 (00706000 bytes committed)
Segment at 5e6c0000 to 5edcd000 (0070d000 bytes committed)
Segment at 6c840000 to 6cf54000 (00714000 bytes committed)
Segment at 712d0000 to 719eb000 (0071b000 bytes committed)
Segment at 7bdb0000 to 7c4d2000 (00722000 bytes committed)
Segment at 7d280000 to 7d9a9000 (00729000 bytes committed)
Segment at 7ee20000 to 7f551000 (00731000 bytes committed)
Segment at 7f7f0000 to 7ff28000 (00738000 bytes committed)
Segment at 07590000 to 07930000 (003a0000 bytes committed)
Segment at 4a340000 to 4a6e2000 (003a2000 bytes committed)
Segment at 5b240000 to 5b5e3000 (003a3000 bytes committed)
Segment at 6cf60000 to 6d305000 (003a5000 bytes committed)
Segment at 72a40000 to 72de7000 (003a7000 bytes committed)
Segment at 74950000 to 74cf9000 (003a9000 bytes committed)
Segment at 75e60000 to 7620b000 (003ab000 bytes committed)
Segment at 762b0000 to 7665d000 (003ad000 bytes committed)
Segment at 76b80000 to 76f2e000 (003ae000 bytes committed)
Segment at 7d9b0000 to 7dd60000 (003b0000 bytes committed)
Segment at 07a80000 to 07c59000 (001d9000 bytes committed)
Segment at 08080000 to 0825a000 (001da000 bytes committed)
Segment at 42a10000 to 42bea000 (001da000 bytes committed)
Segment at 5a1f0000 to 5a3cb000 (001db000 bytes committed)
Segment at 5b5f0000 to 5b7cb000 (001db000 bytes committed)
Segment at 5edd0000 to 5efac000 (001dc000 bytes committed)
Segment at 6d310000 to 6d4ec000 (001dc000 bytes committed)
Segment at 719f0000 to 71bcd000 (001dd000 bytes committed)
Segment at 76660000 to 7683d000 (001dd000 bytes committed)
Segment at 770e0000 to 772bd000 (001dd000 bytes committed)
Segment at 77980000 to 77b5e000 (001de000 bytes committed)
Segment at 7c4e0000 to 7c6be000 (001de000 bytes committed)
Segment at 7dd60000 to 7df3f000 (001df000 bytes committed)
7: 00f30000
Segment at 00f30000 to 00f40000 (00007000 bytes committed)
8: 01520000
Segment at 01520000 to 01530000 (00004000 bytes committed)
9: 06330000
Segment at 06330000 to 06340000 (00010000 bytes committed)
Segment at 064c0000 to 065c0000 (000fe000 bytes committed)
Segment at 086e0000 to 088e0000 (00152000 bytes committed)
Segment at 088e0000 to 08ce0000 (00197000 bytes committed)
10: 06350000
Segment at 06350000 to 06390000 (0002c000 bytes committed)
Segment at 01410000 to 01510000 (0000b000 bytes committed)
11: 065c0000
Segment at 065c0000 to 06600000 (00001000 bytes committed)
12: 06a90000
Segment at 06a90000 to 06ad0000 (00001000 bytes committed)
13: 06ad0000
Segment at 06ad0000 to 06b10000 (00001000 bytes committed)
14: 06b10000
Segment at 06b10000 to 06b50000 (00001000 bytes committed)
15: 06390000
Segment at 06390000 to 063a0000 (00004000 bytes committed)
0:004> !heap flt s 001de000
Index Address Name Debugging options enabled

On Wed, Sep 24, 2014 at 7:23 PM, wrote:

> See what allocation size is prevailing in the heap.

Apparently, it’s allocations sized 0x70 that ran away.

Find such blocks in the heap, and see where their first DWORD points. If it’s a C++ object with virtual functions, it will point to a vtable. The vtable symbol name may contain the class name. If it’s not in symbols, check the pointers in the vtable and find what functions they point to.
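
The size triage discussed in the replies above can be done mechanically on saved `!heap -stat -h` output. The following is an added example, not part of the original thread: it parses the rows posted earlier (embedded as a constructed sample), checks that size × #blocks matches the reported total, and lists sizes that dominate the busy bytes. The function names and both thresholds are assumptions chosen for illustration.

```python
import re

# Constructed sample: first rows of the `!heap -stat -h 00b00000` output
# posted in the thread. Columns: size, #blocks, total bytes (all hex), percent.
SAMPLE = """\
size #blocks total ( %) (percent of total busy bytes)
70 84a897 - 3a09c210 (53.53)
30 aa8149 - 1ff83db0 (29.49)
60 25da12 - e31c6c0 (13.09)
38 12ecf1 - 423d4b8 (3.82)
a8980 1 - a8980 (0.04)
40 97a - 25e80 (0.01)
"""

ROW = re.compile(
    r"^\s*([0-9a-f]+)\s+([0-9a-f]+)\s+-\s+([0-9a-f]+)\s+\(\s*([\d.]+)\)\s*$",
    re.IGNORECASE,
)

def parse_heap_stat(text):
    """Return one dict per data row, largest total first."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # header, debugger prompt or wrapped line
        size, blocks, total = (int(m.group(i), 16) for i in (1, 2, 3))
        rows.append({
            "size": size, "blocks": blocks, "total": total,
            "percent": float(m.group(4)),
            # A mismatch here usually means the paste was wrapped or truncated.
            "consistent": size * blocks == total,
        })
    return sorted(rows, key=lambda r: r["total"], reverse=True)

def leak_suspects(rows, min_percent=10.0, min_blocks=1000):
    """Sizes holding a large share of busy bytes across many blocks.

    Both thresholds are hypothetical triage values, not debugger defaults.
    """
    return [r["size"] for r in rows
            if r["percent"] >= min_percent and r["blocks"] >= min_blocks]

if __name__ == "__main__":
    parsed = parse_heap_stat(SAMPLE)
    for r in parsed:
        print(f"size 0x{r['size']:x}: {r['blocks']} blocks, "
              f"{r['total']} bytes ({r['percent']}%), ok={r['consistent']}")
    print("suspect sizes:", [hex(s) for s in leak_suspects(parsed)])
```
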

I found a similar post in a blog explaining the steps you suggest. Just to
make sure those are indeed the steps you said, here is the blog post:

http://jumpdollar.blogspot.in/2014/09/windbg-how-to-debug-memory-leaks-with.html

On Thu, Sep 25, 2014 at 4:42 AM, wrote:

> Apparently, it’s allocations sized 0x70 that ran away.
>
> Find such blocks in the heap, and see where their first DWORD points. If
> it’s a C++ object with virtual functions, it will point to a vtable. The
> vtable symbol name may contain the class name. If it’s not in symbols,
> check the pointers in vtable, find to what functions they point.