Memory problems with Windows VCR library
First: I am using Microsoft Visual Studio 2005 with debugging libraries turned on, on a Windows XP installation.
I have problems with the debug versions of the memory functions, namely _malloc_dbg and co. The first time I got this problem was when _malloc_dbg returned NULL on a request. That time I traced it back to a stack overflow created through the WndProc with a recursive SendMessage (yes it was a bug). The problem was that I didn't get a stack overflow error. Why is that?
After that it got worse. When I solved that I stumbled upon a second instance when _malloc_dbg returned NULL. That time I found this in the output log (*** is the app name):
First-chance exception at 0x7c926a36 (ntdll.dll) in ***.exe: 0xC0000005: Access violation writing location 0x454d4545.
First-chance exception at 0x7c910f29 (ntdll.dll) in ***.exe: 0xC0000005: Access violation reading location 0x454d4545.
First-chance exception at 0x7c91b3fb (ntdll.dll) in ***.exe: 0xC0000005: Access violation reading location 0x454d4545.
The stack frames for the first write violation (I am too tired to trace the second and third; they didn't seem that important because I though that if the first was solved, the rest would follow) show as:
ntdll.dll!_RtlFreeHeapSlow
ntdll.dll!_RtlDebugFreeHea
ntdll.dll!_RtlFreeHeapSlow
ntdll.dll!_RtlFreeHeap@12(
msvcr80d.dll!_free_base(vo
msvcr80d.dll!_free_dbg_nol
msvcr80d.dll!_free_dbg(voi
***.exe!dbg_safe_free(void
***.exe!AppWindowWmRequest
***.exe!AppWindowWndProc(H
user32.dll!77d48734()
[Frames below may be incorrect and/or missing, no symbols loaded for user32.dll]
user32.dll!77d48816()
user32.dll!77d4b4c0()
user32.dll!77d4b50c()
ntdll.dll!_KiUserCallbackD
user32.dll!77d491be()
user32.dll!77d51082()
***.exe!AppWindowMsgLoop()
***.exe!WinMain(HINSTANCE_
***.exe!__tmainCRTStartup(
***.exe!WinMainCRTStartup(
kernel32.dll!_BaseProcessS
I traced the value 0x454d454d back to the value of pHead->pBlockHeaderNext->p
What's really neat of this is that _free_dbg has a try / catch so that these errors don't actually throw exceptions (that I can see), so that makes it just that much harder to catch this.
Now here we go. I only get this error when I turn on a specific part of the code which is in a secondary thread. It has two modes of operation (an offline for testing and online for retail, but still debug). The notable difference between the offline and retail mode is that the retail mode accesses the internet through libCURL. Now, I've checked this code like a hundred times (it's not that complicated) and I can't find any problems there.
My guess is then that it isn't there, but that's the only thing that changes; how could it be something else?
One last thing. I get the first access error when I free some memory in the main thread allocated in the secondary thread (which isn't in the mentioned block but is also located in the offline version and doesn't throw this error in that instance) and I get the NULL from _malloc_dbg after 6 new message on my WndProc.
I suspect this to be a stack overflow (or corruption) too but I don't know how to test for this.
If ANYBODY has ANY ideas, please throw them at me. I am at a total loss.
I have problems with the debug versions of the memory functions, namely _malloc_dbg and co. The first time I got this problem was when _malloc_dbg returned NULL on a request. That time I traced it back to a stack overflow created through the WndProc with a recursive SendMessage (yes it was a bug). The problem was that I didn't get a stack overflow error. Why is that?
After that it got worse. When I solved that I stumbled upon a second instance when _malloc_dbg returned NULL. That time I found this in the output log (*** is the app name):
First-chance exception at 0x7c926a36 (ntdll.dll) in ***.exe: 0xC0000005: Access violation writing location 0x454d4545.
First-chance exception at 0x7c910f29 (ntdll.dll) in ***.exe: 0xC0000005: Access violation reading location 0x454d4545.
First-chance exception at 0x7c91b3fb (ntdll.dll) in ***.exe: 0xC0000005: Access violation reading location 0x454d4545.
The stack frames for the first write violation (I am too tired to trace the second and third; they didn't seem that important because I though that if the first was solved, the rest would follow) show as:
ntdll.dll!_RtlFreeHeapSlow
ntdll.dll!_RtlDebugFreeHea
ntdll.dll!_RtlFreeHeapSlow
ntdll.dll!_RtlFreeHeap@12(
msvcr80d.dll!_free_base(vo
msvcr80d.dll!_free_dbg_nol
msvcr80d.dll!_free_dbg(voi
***.exe!dbg_safe_free(void
***.exe!AppWindowWmRequest
***.exe!AppWindowWndProc(H
user32.dll!77d48734()
[Frames below may be incorrect and/or missing, no symbols loaded for user32.dll]
user32.dll!77d48816()
user32.dll!77d4b4c0()
user32.dll!77d4b50c()
ntdll.dll!_KiUserCallbackD
user32.dll!77d491be()
user32.dll!77d51082()
***.exe!AppWindowMsgLoop()
***.exe!WinMain(HINSTANCE_
***.exe!__tmainCRTStartup(
***.exe!WinMainCRTStartup(
kernel32.dll!_BaseProcessS
I traced the value 0x454d454d back to the value of pHead->pBlockHeaderNext->p
What's really neat of this is that _free_dbg has a try / catch so that these errors don't actually throw exceptions (that I can see), so that makes it just that much harder to catch this.
Now here we go. I only get this error when I turn on a specific part of the code which is in a secondary thread. It has two modes of operation (an offline for testing and online for retail, but still debug). The notable difference between the offline and retail mode is that the retail mode accesses the internet through libCURL. Now, I've checked this code like a hundred times (it's not that complicated) and I can't find any problems there.
My guess is then that it isn't there, but that's the only thing that changes; how could it be something else?
One last thing. I get the first access error when I free some memory in the main thread allocated in the secondary thread (which isn't in the mentioned block but is also located in the offline version and doesn't throw this error in that instance) and I get the NULL from _malloc_dbg after 6 new message on my WndProc.
I suspect this to be a stack overflow (or corruption) too but I don't know how to test for this.
If ANYBODY has ANY ideas, please throw them at me. I am at a total loss.
>>First-chance exception at 0x7c926a36
There's a misconception and not a problem:
'First-chance exception in xxx...' just means that a function from within the 'xxx' caused an access-violation exception that was handled successfully inside the SEH frame that was active when the exception occurred. You can think of it being the same as if you use code like this:
long l;
__try // set up current SEH frame
{
CopyMemory ( &l, 0, sizeof ( long)); // read from 0x00000000
}
__except( EXCEPTION_EXECUTE_HANDLER)
{
puts ( "We knew that this would go wrong...");
}
(Additional info: MS KB Article Q105675)
The article can be found at http://support.microsoft.com/support/kb/articles/q105/6/75.asp
A first chance exception is called so as it is passed to a debugger before the application 'sees' it. This is done by sending a 'EXCEPTION_DEBUG_EVENT' to the debugger, which can now decide whether it is passed to the apllication to handle it or 'ignore' it (e.g. like an 'EXCEPTION_BREAKPOINT' aka 'int 3'). If the exception isn't handled, it becomes a '2nd chance' exception, the debugger 'sees' it the 2nd time and will usually terminate the program (without using a debugger, these exceptions end up at 'UnhandledExceptionFilter(
In short: This message is only generated by a debugger & you can safely ignore it...
There's a misconception and not a problem:
'First-chance exception in xxx...' just means that a function from within the 'xxx' caused an access-violation exception that was handled successfully inside the SEH frame that was active when the exception occurred. You can think of it being the same as if you use code like this:
long l;
__try // set up current SEH frame
{
CopyMemory ( &l, 0, sizeof ( long)); // read from 0x00000000
}
__except( EXCEPTION_EXECUTE_HANDLER)
{
puts ( "We knew that this would go wrong...");
}
(Additional info: MS KB Article Q105675)
The article can be found at http://support.microsoft.com/support/kb/articles/q105/6/75.asp
A first chance exception is called so as it is passed to a debugger before the application 'sees' it. This is done by sending a 'EXCEPTION_DEBUG_EVENT' to the debugger, which can now decide whether it is passed to the apllication to handle it or 'ignore' it (e.g. like an 'EXCEPTION_BREAKPOINT' aka 'int 3'). If the exception isn't handled, it becomes a '2nd chance' exception, the debugger 'sees' it the 2nd time and will usually terminate the program (without using a debugger, these exceptions end up at 'UnhandledExceptionFilter(
In short: This message is only generated by a debugger & you can safely ignore it...
ASKER
I understand this very well. The thing is though that that exception that is caught in dbgheap.c:353 is the exception that causes _malloc_dbg to return NULL, and is the first-chance exception I refere to.
There is one simple reason why I believe that this must be the cause of _malloc_dbg returning NULL. Exceptions are slow so it cannot be a standard practice of _malloc (well, ntdll.dll!_RtlAllocateHeap
There is one simple reason why I believe that this must be the cause of _malloc_dbg returning NULL. Exceptions are slow so it cannot be a standard practice of _malloc (well, ntdll.dll!_RtlAllocateHeap
ASKER
For people who stumbled upon this question in search of an answer, this is what was wrong:
char * p;
// some code
p = _malloc_dbg(20);
strcat(p, "foo bar");
This currupted the heap in such a way that the effects showed up in a very strange and difficult to debug place. The correct code in this case was:
char * p;
// some code
p = _realloc_dbg(p, 20);
stract(p, "foo bar");
I hope this can help someone some day.
char * p;
// some code
p = _malloc_dbg(20);
strcat(p, "foo bar");
This currupted the heap in such a way that the effects showed up in a very strange and difficult to debug place. The correct code in this case was:
char * p;
// some code
p = _realloc_dbg(p, 20);
stract(p, "foo bar");
I hope this can help someone some day.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
First-chance exception at 0x7c91b3fb (ntdll.dll) in ExpertPoster.exe: 0xC0000005: Access violation reading location 0x454d4545.
This is what directly causes the _malloc_dbg to return NULL. I think this definitely is heap corruption. How do I test for this? I think the _Crt* functions don't cover this.
This time the try / finally is in dbgheap.c:353. Again a stack trace:
ntdll.dll!_RtlAllocateHeap
ntdll.dll!_RtlDebugAllocat
ntdll.dll!_RtlAllocateHeap
ntdll.dll!_RtlAllocateHeap
msvcr80d.dll!_heap_alloc_b
msvcr80d.dll!_heap_alloc_d
msvcr80d.dll!_nh_malloc_db
msvcr80d.dll!_malloc_dbg(u
***.exe!dbg_safe_malloc(un
***.exe!TransferStart(HWND
***.exe!AppWindowSequenceP
***.exe!AppWindowWmRequest
***.exe!AppWindowWndProc(H
user32.dll!77d48734()
[Frames below may be incorrect and/or missing, no symbols loaded for user32.dll]
user32.dll!77d48816()
user32.dll!77d4b4c0()
user32.dll!77d4b50c()
ntdll.dll!_KiUserCallbackD
user32.dll!77d491be()
user32.dll!77d51082()
***.exe!AppWindowMsgLoop()
***.exe!WinMain(HINSTANCE_
***.exe!__tmainCRTStartup(
***.exe!WinMainCRTStartup(
kernel32.dll!_BaseProcessS