How to find Memory leak ?

Dear all,

I am doing HCT on my USB driver.
In driver verifier test, I got error and dumped memory.dmp file.

I analyzed this memory.dmp with dumpchk tool.
With this dump, I found that, I am not freeing one non-paged memory
allocation (BugCheckParameter4 is 1).

Is there any way to found which function is allocating this memory?
And what is the address of this memory?

Bottom I am attaching the dump analysis.

Regards,
RD

DUMP_HEADER32:
MajorVersion 0000000f
MinorVersion 00000a28
DirectoryTableBase 002ec000
PfnDataBase 81000000
PsLoadedModuleList 805531a0
PsActiveProcessHead 80559258
MachineImageType 0000014c
NumberProcessors 00000001
BugCheckCode 000000c4
BugCheckParameter1 00000060
BugCheckParameter2 00000000
BugCheckParameter3 00000020
BugCheckParameter4 00000001
PaeEnabled 00000001
KdDebuggerDataBlock 80544ce0

There are several ways to find errant memory allocation.
One of the trivial ones is to replace the memory allocation and freeing
routines with a macro. For simplicity I’m using malloc and free here.

— File: Mymem.h
#define malloc(x) myMalloc(x, LINE, FILE)
#define free(x) myFree(x, LINE, FILE)

–File: Mymem.c

struct memAccount {
struct memAccount *link;
char *who;
long where;
size_t size;
};

static struct memAccount *list = NULL;

void *myMalloc(size_t size, long line, char *file)
{
struct memAccount *p;
p = malloc(size + sizeof(struct memAccount));
if (p == NULL) return NULL; // You may want to have a
warning/error here.
p->who = file;
p->where = line;
p->link = list;
p->size = size;
list = p;
return (void *)&p[1];
}

void myFree(void *p)
{
struct memAccount *pp;
struct memAccount *q, *qq;

pp = (struct memAccount *)p;
pp–; // move back one struct-size.
for(qq = NULL, q = list; q; qq = q, q = q->link)
{
if (q == pp)
break;
}
if (q != pp)
{
/// Big ERROR. Someone tried to free memory that we don’t know
of…
return;
}
if (qq) // Something before this link.
{
qq->link = pp->link;
}
else
{
list = pp->link;
}
free(pp);
}

void ListAllocatedMemory(void)
{
struct memAccount *p;

for(p = list; p; p = p->link)
{
printf(“Memory at %p of %d bytes allocated from %s:%d”, &p[1],
p->size, p->who, p->where);
}
}

If you call ListAllocatedMemory at times, you can see what is allocated.
It’s obviously best to do this when you think the number of allocations are
low.

The above code is just hacked into this mail, so it will probably not
compile… :wink: But I think it’s good enough to show the principle.


Mats

xxxxx@lists.osr.com wrote on 04/21/2005 12:13:02 PM:

Dear all,

I am doing HCT on my USB driver.
In driver verifier test, I got error and dumped memory.dmp file.

I analyzed this memory.dmp with dumpchk tool.
With this dump, I found that, I am not freeing one non-paged memory
allocation (BugCheckParameter4 is 1).

Is there any way to found which function is allocating this memory?
And what is the address of this memory?

Bottom I am attaching the dump analysis.

Regards,
RD

DUMP_HEADER32:
MajorVersion 0000000f
MinorVersion 00000a28
DirectoryTableBase 002ec000
PfnDataBase 81000000
PsLoadedModuleList 805531a0
PsActiveProcessHead 80559258
MachineImageType 0000014c
NumberProcessors 00000001
BugCheckCode 000000c4
BugCheckParameter1 00000060
BugCheckParameter2 00000000
BugCheckParameter3 00000020
BugCheckParameter4 00000001
PaeEnabled 00000001
KdDebuggerDataBlock 80544ce0


Questions? First check the Kernel Driver FAQ at http://www.
osronline.com/article.cfm?id=256

You are currently subscribed to ntdev as: unknown lmsubst tag argument:
‘’
To unsubscribe send a blank email to xxxxx@lists.osr.com

ForwardSourceID:NT00011252

Ramya Desai wrote:

Is there any way to found which function is allocating this memory?
And what is the address of this memory?

While Matts’ approach is very useful (we actually do something similar
here at OSR), there’s a simpler solution you could try if you haven’t
done it yet: I hate to state the obvious but this is precisely the
purpose of using pool tagging.

For example, if your driver is the Foo driver, have the first two
characters of the pool tag represent your driver name and the last two
represent the type of structure you’re allocating and/or where you’re
allocating it.

Verifier will report the tag(s) you are leaking, and you’ll instantly
know where you’re leaking it from.

Not only that, but if you watch the allocs/frees of all the pool tags in
your driver (using a program like the PoolTag GUI in the DDK), you can
see which tags are “hot” allocations, and then perhaps implement a
“look-aside” algorithm for allocating these hot structures.

Peter
OSR

Further, if you use “!verifier 3” in WinDBG it will tell you your
allocations and the locations within your driver (by return address)
that actually performed the allocation. So even if you decide that (for
some perverse reason) you really LIKE using the tag "Ddk " in your
driver you can still find out where your outstanding allocations are
coming from.

Regards,

Tony

Tony Mason
Consulting Partner
OSR Open Systems Resources, Inc.
http://www.osr.com

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Peter G. Viscarola
Sent: Thursday, April 21, 2005 10:18 AM
To: ntdev redirect
Subject: Re:[ntdev] How to find Memory leak ?

Ramya Desai wrote:

Is there any way to found which function is allocating this memory?
And what is the address of this memory?

While Matts’ approach is very useful (we actually do something similar
here at OSR), there’s a simpler solution you could try if you haven’t
done it yet: I hate to state the obvious but this is precisely the
purpose of using pool tagging.

For example, if your driver is the Foo driver, have the first two
characters of the pool tag represent your driver name and the last two
represent the type of structure you’re allocating and/or where you’re
allocating it.

Verifier will report the tag(s) you are leaking, and you’ll instantly
know where you’re leaking it from.

Not only that, but if you watch the allocs/frees of all the pool tags in

your driver (using a program like the PoolTag GUI in the DDK), you can
see which tags are “hot” allocations, and then perhaps implement a
“look-aside” algorithm for allocating these hot structures.

Peter
OSR


Questions? First check the Kernel Driver FAQ at
http://www.osronline.com/article.cfm?id=256

You are currently subscribed to ntdev as: xxxxx@osr.com
To unsubscribe send a blank email to xxxxx@lists.osr.com

Hi,
Thank you for your replies.
I am little bit confused using “!verifier 3” to detect the memory leak.
I am explaining two scenarios to run “!verifier 3”.
Could you please suggest me that which scenario is correct to run
“!verifier 3”. ?

Scenario 1:

  1. I connect target system (Where Driver is loaded and HCT is running) with
    debug system (Where WinDBG is running) through serial or 1394 cable.

  2. I reboot target system in debug mode.

  3. I run driver verifier in HCT and debug.

  4. After completion of HCT (of course it fails!!) I run the command
    “!verifier 3” in KD prompt of debug system.

  5. This gives the result of allocations.

Scenario 2:

  1. Here I am using one system only

  2. I boot the system in debug mode and run the WinDBG in the same system.

  3. In KD I type “!verifier 3 mydriver.sys” (Here I am not running HCT)

  4. This will give the details of memory allocations.

Regards,
Ramya.

On 4/21/05, Tony Mason wrote:
> Further, if you use “!verifier 3” in WinDBG it will tell you your
> allocations and the locations within your driver (by return address)
> that actually performed the allocation. So even if you decide that (for
> some perverse reason) you really LIKE using the tag "Ddk " in your
> driver you can still find out where your outstanding allocations are
> coming from.
>
> Regards,
>
> Tony
>
> Tony Mason
> Consulting Partner
> OSR Open Systems Resources, Inc.
> http://www.osr.com
>
> -----Original Message-----
> From: xxxxx@lists.osr.com
> [mailto:xxxxx@lists.osr.com] On Behalf Of Peter G. Viscarola
> Sent: Thursday, April 21, 2005 10:18 AM
> To: ntdev redirect
> Subject: Re:[ntdev] How to find Memory leak ?
>
> Ramya Desai wrote:
> >
> > Is there any way to found which function is allocating this memory?
> > And what is the address of this memory?
> >
>
> While Matts’ approach is very useful (we actually do something similar
> here at OSR), there’s a simpler solution you could try if you haven’t
> done it yet: I hate to state the obvious but this is precisely the
> purpose of using pool tagging.
>
> For example, if your driver is the Foo driver, have the first two
> characters of the pool tag represent your driver name and the last two
> represent the type of structure you’re allocating and/or where you’re
> allocating it.
>
> Verifier will report the tag(s) you are leaking, and you’ll instantly
> know where you’re leaking it from.
>
> Not only that, but if you watch the allocs/frees of all the pool tags in
>
> your driver (using a program like the PoolTag GUI in the DDK), you can
> see which tags are “hot” allocations, and then perhaps implement a
> “look-aside” algorithm for allocating these hot structures.
>
> Peter
> OSR
>
> —
> Questions? First check the Kernel Driver FAQ at
> http://www.osronline.com/article.cfm?id=256
>
> You are currently subscribed to ntdev as: xxxxx@osr.com
> To unsubscribe send a blank email to xxxxx@lists.osr.com
>
> —
> Questions? First check the Kernel Driver FAQ at http://www.osronline.com/article.cfm?id=256
>
> You are currently subscribed to ntdev as: unknown lmsubst tag argument: ‘’
> To unsubscribe send a blank email to xxxxx@lists.osr.com
>

This is what I was going to recommend. You can scope the results to
your driver by !verifier 3 <driver.sys>. This is by far the easiest
first step to take, no changing of code, pool tags, or recompile needed.
Just enable verifier and pool tracking for your driver.

d

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Tony Mason
Sent: Thursday, April 21, 2005 7:31 AM
To: Windows System Software Devs Interest List
Subject: RE: [ntdev] How to find Memory leak ?

Further, if you use “!verifier 3” in WinDBG it will tell you your
allocations and the locations within your driver (by return address)
that actually performed the allocation. So even if you decide that (for
some perverse reason) you really LIKE using the tag "Ddk " in your
driver you can still find out where your outstanding allocations are
coming from.

Regards,

Tony

Tony Mason
Consulting Partner
OSR Open Systems Resources, Inc.
http://www.osr.com

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Peter G. Viscarola
Sent: Thursday, April 21, 2005 10:18 AM
To: ntdev redirect
Subject: Re:[ntdev] How to find Memory leak ?

Ramya Desai wrote:
>
> Is there any way to found which function is allocating this memory?
> And what is the address of this memory?
>

While Matts’ approach is very useful (we actually do something similar
here at OSR), there’s a simpler solution you could try if you haven’t
done it yet: I hate to state the obvious but this is precisely the
purpose of using pool tagging.

For example, if your driver is the Foo driver, have the first two
characters of the pool tag represent your driver name and the last two
represent the type of structure you’re allocating and/or where you’re
allocating it.

Verifier will report the tag(s) you are leaking, and you’ll instantly
know where you’re leaking it from.

Not only that, but if you watch the allocs/frees of all the pool tags in

your driver (using a program like the PoolTag GUI in the DDK), you can
see which tags are “hot” allocations, and then perhaps implement a
“look-aside” algorithm for allocating these hot structures.

Peter
OSR


Questions? First check the Kernel Driver FAQ at
http://www.osronline.com/article.cfm?id=256

You are currently subscribed to ntdev as: xxxxx@osr.com
To unsubscribe send a blank email to xxxxx@lists.osr.com


Questions? First check the Kernel Driver FAQ at
http://www.osronline.com/article.cfm?id=256

You are currently subscribed to ntdev as: unknown lmsubst tag argument:
‘’
To unsubscribe send a blank email to xxxxx@lists.osr.com</driver.sys>

Dear doron,
Then this looks good to use “!verifier 3 <driver.sys>”.
But how ?..Could you please tell me from my previous mail that which
Scenario is to be applied to test “!verifier 3 <driver.sys>” ?.

Regards,
R

On 4/21/05, Doron Holan wrote:
> This is what I was going to recommend. You can scope the results to
> your driver by !verifier 3 <driver.sys>. This is by far the easiest
> first step to take, no changing of code, pool tags, or recompile needed.
> Just enable verifier and pool tracking for your driver.
>
> d
>
> -----Original Message-----
> From: xxxxx@lists.osr.com
> [mailto:xxxxx@lists.osr.com] On Behalf Of Tony Mason
> Sent: Thursday, April 21, 2005 7:31 AM
> To: Windows System Software Devs Interest List
> Subject: RE: [ntdev] How to find Memory leak ?
>
> Further, if you use “!verifier 3” in WinDBG it will tell you your
> allocations and the locations within your driver (by return address)
> that actually performed the allocation. So even if you decide that (for
> some perverse reason) you really LIKE using the tag "Ddk " in your
> driver you can still find out where your outstanding allocations are
> coming from.
>
> Regards,
>
> Tony
>
> Tony Mason
> Consulting Partner
> OSR Open Systems Resources, Inc.
> http://www.osr.com
>
> -----Original Message-----
> From: xxxxx@lists.osr.com
> [mailto:xxxxx@lists.osr.com] On Behalf Of Peter G. Viscarola
> Sent: Thursday, April 21, 2005 10:18 AM
> To: ntdev redirect
> Subject: Re:[ntdev] How to find Memory leak ?
>
> Ramya Desai wrote:
> >
> > Is there any way to found which function is allocating this memory?
> > And what is the address of this memory?
> >
>
> While Matts’ approach is very useful (we actually do something similar
> here at OSR), there’s a simpler solution you could try if you haven’t
> done it yet: I hate to state the obvious but this is precisely the
> purpose of using pool tagging.
>
> For example, if your driver is the Foo driver, have the first two
> characters of the pool tag represent your driver name and the last two
> represent the type of structure you’re allocating and/or where you’re
> allocating it.
>
> Verifier will report the tag(s) you are leaking, and you’ll instantly
> know where you’re leaking it from.
>
> Not only that, but if you watch the allocs/frees of all the pool tags in
>
> your driver (using a program like the PoolTag GUI in the DDK), you can
> see which tags are “hot” allocations, and then perhaps implement a
> “look-aside” algorithm for allocating these hot structures.
>
> Peter
> OSR
>
> —
> Questions? First check the Kernel Driver FAQ at
> http://www.osronline.com/article.cfm?id=256
>
> You are currently subscribed to ntdev as: xxxxx@osr.com
> To unsubscribe send a blank email to xxxxx@lists.osr.com
>
> —
> Questions? First check the Kernel Driver FAQ at
> http://www.osronline.com/article.cfm?id=256
>
> You are currently subscribed to ntdev as: unknown lmsubst tag argument:
> ‘’
> To unsubscribe send a blank email to xxxxx@lists.osr.com
>
> —
> Questions? First check the Kernel Driver FAQ at http://www.osronline.com/article.cfm?id=256
>
> You are currently subscribed to ntdev as: unknown lmsubst tag argument: ‘’
> To unsubscribe send a blank email to xxxxx@lists.osr.com
></driver.sys></driver.sys></driver.sys>

Ramya Desai wrote:

Dear doron,
Then this looks good to use “!verifier 3 <driver.sys>”.
> But how ?..Could you please tell me from my previous mail that which
> Scenario is to be applied to test “!verifier 3 <driver.sys>” ?.
>

You type “!verifier 3 xxx.sys” (wheere xxx is the name of your driver)
into the debugger (such as Windbg).

You might wanna actually READ the debugger documentation.

Peter
OSR</driver.sys></driver.sys>

You should run !verifier 3 <driver.sys> when you get the bugcheck for
leaked memory. Do this when you are using a 2 machine debug setup
(since kd cannot run on the same machine that just bugchecked…)

d

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Peter Viscarola
(OSR)
Sent: Thursday, April 21, 2005 9:17 AM
To: Windows System Software Devs Interest List
Subject: Re:[ntdev] How to find Memory leak ?

Ramya Desai wrote:
> Dear doron,
> Then this looks good to use “!verifier 3 <driver.sys>”.
> But how ?..Could you please tell me from my previous mail that which
> Scenario is to be applied to test “!verifier 3 <driver.sys>” ?.
>

You type “!verifier 3 xxx.sys” (wheere xxx is the name of your driver)
into the debugger (such as Windbg).

You might wanna actually READ the debugger documentation.

Peter
OSR


Questions? First check the Kernel Driver FAQ at
http://www.osronline.com/article.cfm?id=256

You are currently subscribed to ntdev as: xxxxx@windows.microsoft.com
To unsubscribe send a blank email to xxxxx@lists.osr.com</driver.sys></driver.sys></driver.sys>