vadflags.MemCommit?

Hello,

What does MemCommit flag in vad->u.vadflags represent? I am dumping the VAD
of committed memory location and observed MemCommit flag is not set.
VirtualQuery indeed returned state of the location as committed. Is this
flag used with any other field in MMVAD structure to differentiate reserved
or committed memory?

/Pd

Have you tried using !vad?

Good luck,

mm


Yes. For e.g. memory @ 0x360000 is committed and o/p of !vad is as follows;

kd> !vad 82440970 1

VAD @ 82440970
Start VPN 360 End VPN 361 Control Area 00000000
FirstProtoPte 00000000 LastPte 00000000 Commit Charge 2 (2.)
Secured.Flink 0 Blink 0 Banked/Extend 0
File Offset 0
ViewUnmap PrivateMemory NO_ACCESS

kd> dt -b _MMVAD 82440970
nt!_MMVAD
+0x000 StartingVpn : 0x360
+0x004 EndingVpn : 0x361
+0x008 Parent : 0x822962e0
+0x00c LeftChild : (null)
+0x010 RightChild : (null)
+0x014 u : __unnamed
+0x000 LongFlags : 0x98000002
+0x000 VadFlags : _MMVAD_FLAGS
+0x000 CommitCharge : 0y0000000000000000010 (0x2)
+0x000 PhysicalMapping : 0y0
+0x000 ImageMap : 0y0
+0x000 UserPhysicalPages : 0y0
+0x000 NoChange : 0y0
+0x000 WriteWatch : 0y0
+0x000 Protection : 0y11000 (0x18)
+0x000 LargePages : 0y0
+0x000 MemCommit : 0y0
+0x000 PrivateMemory : 0y1
+0x018 ControlArea : 0x1a070004
+0x01c FirstPrototypePte : 0x81f55da0
+0x020 LastContiguousPte : 0x00300012
+0x024 u2 : __unnamed
+0x000 LongFlags2 : 0x8208b690
+0x000 VadFlags2 : _MMVAD_FLAGS2
+0x000 FileOffset : 0y000010001011011010010000 (0x8b690)
+0x000 SecNoChange : 0y0
+0x000 OneSecured : 0y1
+0x000 MultipleSecured : 0y0
+0x000 ReadOnly : 0y0
+0x000 LongVad : 0y0
+0x000 ExtendableFile : 0y0
+0x000 Inherit : 0y0
+0x000 CopyOnWrite : 0y1

So, is there any way I can determine if allocated memory is reserved or
committed?

/Pd

-----Original Message-----
From: xxxxx@lists.osr.com [mailto:
xxxxx@lists.osr.com] On Behalf Of Martin O’Brien
Sent: Saturday, October 18, 2008 1:14 PM
To: Kernel Debugging Interest List
Subject: Re:[windbg] vadflags.MemCommit?

Have you tried using !vad?

Good luck,

mm


> So, is there any way I can determine if allocated memory is reserved or
> committed?

VadFlags.MemCommit = 0 means the VAD was created as reserved
(without MEM_COMMIT flag). Individual pages might later be
committed using VirtualAlloc(MEM_COMMIT), so you need
to examine each page using !pte to see if it is committed or not.


This posting is provided “AS IS” with no warranties, and confers no
rights.
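
The point made in this reply, as an added example that is not part of the original thread: the `LongFlags` word from the dump above, decoded with the field order and widths that `dt -b _MMVAD` printed there. The type and function names are hypothetical, the bit positions hold only for the build shown in the thread, and `0xC6000001` is a constructed sample.

```c
#include <stdint.h>
#include <stdio.h>

/* Bit positions follow the dt -b _MMVAD listing in this thread (32-bit build). */
typedef struct {
    uint32_t commit_charge;   /* bits 0-18: CommitCharge */
    uint32_t protection;      /* bits 24-28: Protection */
    int mem_commit;           /* bit 30: MemCommit */
    int private_memory;       /* bit 31: PrivateMemory */
} vad_flags;

typedef enum {
    VAD_NOT_PRIVATE,        /* mapped or image VAD: the hint does not apply */
    VAD_CREATED_COMMITTED,  /* allocated with MEM_COMMIT */
    VAD_COMMITTED_LATER,    /* reserved first, pages committed afterwards */
    VAD_RESERVED_ONLY       /* reserved, no page charged yet */
} vad_hint;

static vad_flags decode_vad_flags(uint32_t long_flags)
{
    vad_flags f;
    f.commit_charge  = long_flags & 0x7FFFFu;
    f.protection     = (long_flags >> 24) & 0x1Fu;
    f.mem_commit     = (int)((long_flags >> 30) & 1u);
    f.private_memory = (int)((long_flags >> 31) & 1u);
    return f;
}

/* MemCommit only records how the VAD was created, so a clear bit with a
 * non-zero commit charge means the individual pages still need checking. */
static vad_hint classify_vad(uint32_t long_flags)
{
    vad_flags f = decode_vad_flags(long_flags);
    if (!f.private_memory) return VAD_NOT_PRIVATE;
    if (f.mem_commit)      return VAD_CREATED_COMMITTED;
    return f.commit_charge ? VAD_COMMITTED_LATER : VAD_RESERVED_ONLY;
}

int main(void)
{
    /* 0x98000002 is the LongFlags value from the thread; 0xC6000001 is constructed. */
    const uint32_t samples[] = { 0x98000002u, 0xC6000001u };
    for (size_t i = 0; i < 2; i++) {
        vad_flags f = decode_vad_flags(samples[i]);
        printf("%08x charge=%u MemCommit=%d hint=%d\n", (unsigned)samples[i],
               (unsigned)f.commit_charge, f.mem_commit, (int)classify_vad(samples[i]));
    }
    return 0;
}
```

For the VAD at 82440970 this reports a commit charge of 2 with MemCommit clear, which is the "reserved, then committed page by page" case the reply describes.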

MemCommit takes two flags as far as I have noticed, 0 and 1:
0 means just reserved without committing
1 means reserved and committed

#include <stdio.h>
#include <windows.h>

int main(void)
{
    char *IunkCommit;
    char *IunkReserve;

    /* Reserved and committed in one call. */
    IunkCommit = (char *)VirtualAlloc(NULL, 0x1000, MEM_COMMIT | MEM_RESERVE,
                                      PAGE_EXECUTE_READWRITE);
    /* Reserved only. */
    IunkReserve = (char *)VirtualAlloc(NULL, 0x1000, MEM_RESERVE,
                                       PAGE_EXECUTE_READWRITE);
    /* Block here so the process can be inspected from WinDbg. */
    MessageBox(NULL, "LOOPER", "Looping Till i Windbg", MB_OK);
    /* MEM_RELEASE requires dwSize to be 0. */
    VirtualFree(IunkCommit, 0, MEM_RELEASE);
    VirtualFree(IunkReserve, 0, MEM_RELEASE);
    return 0;
}

lkd> !process 0 7 IunkVirtual.exe
PROCESS 85aaab88 SessionId: 0 Cid: 0ad8 Peb: 7ffdc000 ParentCid: 0668
DirBase: 0f2c03a0 ObjectTable: e2defea8 HandleCount: 29.
Image: IunkVirtual.exe
VadRoot 85cc79a0 Vads 43 Clone 0 Private 81. Modified 78. Locked 0.
DeviceMap e2678dd0
Token e2fab708
ElapsedTime 00:29:13.750
UserTime 00:00:00.015
KernelTime 00:00:00.015
QuotaPoolUsage[PagedPool] 34004
QuotaPoolUsage[NonPagedPool] 1720
Working Set Sizes (now,min,max) (151, 50, 345) (604KB, 200KB, 1380KB)
PeakWorkingSetSize 497
VirtualSize 20 Mb
PeakVirtualSize 20 Mb
PageFaultCount 641
MemoryPriority BACKGROUND
BasePriority 8
CommitCharge 122

THREAD 85aaa910 Cid 0ad8.01ac Teb: 7ffdf000 Win32Thread:
e1446008 WAIT: (WrUserRequest) UserMode Non-Alertable
85b309b0 SynchronizationEvent
Not impersonating
DeviceMap e2678dd0
Owning Process 85aaab88 Image: IunkVirtual.exe
Attached Process N/A Image: N/A
Wait Start TickCount 1365131 Ticks: 111395 (0:00:29:00.546)
Context Switch Count 242 LargeStack
UserTime 00:00:00.000
KernelTime 00:00:00.015
Win32 Start Address 0x00401000
Start Address 0x7c810867
Stack Init a8a27000 Current a8a26cb0 Base a8a27000 Limit a8a22000 Call 0
Priority 12 BasePriority 8 PriorityDecrement 2 DecrementCount 16
Kernel stack not resident.

lkd> !vad 85cc79a0
VAD level start end commit
8646bcf0 ( 2) 10 10 1 Private READWRITE
85ad4510 ( 3) 20 20 1 Private READWRITE
85b1d448 ( 4) 30 12f 4 Private READWRITE
85aeea68 ( 5) 130 132 0 Mapped READONLY
85b1d5a0 ( 6) 140 23f 16 Private READWRITE
85b462d0 ( 7) 240 24f 6 Private READWRITE
85b1d530 ( 8) 250 25f 0 Mapped READWRITE
85b3b908 ( 9) 260 275 0 Mapped READONLY
85be19b8 (10) 280 2bc 0 Mapped READONLY
85b47fd8 (11) 2c0 300 0 Mapped READONLY
85ac2200 (12) 310 315 0 Mapped READONLY
85b4e758 (13) 320 3e7 0 Mapped EXECUTE_READ
85b163a0 (14) 3f0 3f0 1 Private READWRITE
85b4e788 ( 1) 400 411 5 Mapped Exe EXECUTE_WRITECOPY
85acdd18 ( 3) 420 522 0 Mapped READONLY
85b1d560 ( 2) 530 82f 0 Mapped EXECUTE_READ
85b4f178 ( 4) 830 830 1 Private READWRITE
85b27ab8 ( 3) 840 c3f 16 Private NO_ACCESS
85b1db30 ( 5) c40 c40 1 Private EXECUTE_READWRITE
85b275a0 ( 4) c50 c50 0 Private EXECUTE_READWRITE
85b27f68 ( 6) c60 c6f 5 Private READWRITE
85b25220 ( 7) c70 c72 0 Mapped READONLY
86276e58 ( 5) c80 ccf 0 Mapped READONLY
85ae9db8 ( 7) cd0 cd0 0 Mapped READWRITE
85b35308 ( 8) ce0 d1f 0 Mapped READWRITE
85ade4f0 ( 9) d20 d5f 0 Mapped READWRITE
85cabb10 (10) d70 def 0 Mapped READWRITE
85adc230 ( 6) 5ad70 5ada7 2 Mapped Exe EXECUTE_WRITECOPY
85af7c00 ( 9) 605d0 605d8 2 Mapped Exe EXECUTE_WRITECOPY
85ac2300 ( 8) 74720 7476a 3 Mapped Exe EXECUTE_WRITECOPY
85b0e198 ( 9) 77120 771ab 4 Mapped Exe EXECUTE_WRITECOPY
85b40c38 (10) 774e0 7761b 8 Mapped Exe EXECUTE_WRITECOPY
85b20258 ( 7) 77c10 77c67 7 Mapped Exe EXECUTE_WRITECOPY
85cc79a0 ( 0) 77d40 77dcf 2 Mapped Exe EXECUTE_WRITECOPY
85ae9128 ( 4) 77dd0 77e6a 5 Mapped Exe EXECUTE_WRITECOPY
85b1a6f0 ( 5) 77e70 77f00 1 Mapped Exe EXECUTE_WRITECOPY
85cb3cf0 ( 3) 77f10 77f55 1 Mapped Exe EXECUTE_WRITECOPY
85ad12d0 ( 2) 7c800 7c8f3 5 Mapped Exe EXECUTE_WRITECOPY
85b1da90 ( 1) 7c900 7c9af 5 Mapped Exe EXECUTE_WRITECOPY
85acc170 ( 3) 7f6f0 7f7ef 0 Mapped EXECUTE_READ
85ac8928 ( 2) 7ffb0 7ffd3 0 Mapped READONLY
85be3e18 ( 3) 7ffdc 7ffdc 1 Private READWRITE
85b16e70 ( 4) 7ffdf 7ffdf 1 Private READWRITE

Total VADs: 43 average level: 6 maximum depth: 14
lkd> !vad 85b1db30 1

VAD @ 85b1db30
Start VPN c40 End VPN c40 Control Area 00000000
FirstProtoPte 00000000 LastPte 00000000 Commit Charge 1 (1.)
Secured.Flink 0 Blink 0 Banked/Extend 0
File Offset 0
ViewUnmap MemCommit PrivateMemory EXECUTE_READWRITE

lkd> !vad 85b275a0 1

VAD @ 85b275a0
Start VPN c50 End VPN c50 Control Area 00000000
FirstProtoPte 00000000 LastPte 00000000 Commit Charge 0 (0.)
Secured.Flink 0 Blink 0 Banked/Extend 0
File Offset 0
ViewUnmap PrivateMemory EXECUTE_READWRITE

lkd> dt -b nt!_MMVAD u.VadFlags.MemCommit 85b1db30
+0x014 u :
+0x000 VadFlags :
+0x000 MemCommit : 0y1
lkd> dt -b nt!_MMVAD u.VadFlags.MemCommit 85b275a0
+0x014 u :
+0x000 VadFlags :
+0x000 MemCommit : 0y0

BaseAddress: 00c40000
RegionSize: 00001000
State: 00001000 MEM_COMMIT
Protect: 00000040 PAGE_EXECUTE_READWRITE
Type: 00020000 MEM_PRIVATE

BaseAddress: 00c41000
RegionSize: 0000f000
State: 00010000 MEM_FREE
Protect: 00000001 PAGE_NOACCESS

BaseAddress: 00c50000
RegionSize: 00001000
State: 00002000 MEM_RESERVE
Type: 00020000 MEM_PRIVATE

BaseAddress: 00c51000
RegionSize: 0000f000
State: 00010000 MEM_FREE
Protect: 00000001 PAGE_NOACCESS

regards

raj_r

On 10/19/08, IUnknown wrote:
> So, is there any way I can determine if allocated memory is reserved or
> committed?