2010-07-25



1. 内存泄露




1.1 如何检测内存泄露

    正常情况下,我们通过Virtual Studio 生成的程序,除MFC以外是不会报告内存泄露的,即使你确实泄露了。那么为什么是除MFC应用程序以外呢?这个问题就说到了MFC应用程序向导都为我们生成了些什么。

#ifdef _DEBUG
#define new DEBUG_NEW

如果你细心的话,应该会在你的项目里找到这么一段话。这段话的意思是,如果是DEBUG版本,则将 new 替换成 DEBUG_NEW。



#define DEBUG_NEW new(THIS_FILE, __LINE__)

它只是在new后面加了两个参数 THIS_FILE, __LINE__


那么new 怎么会有参数的呢?

秘密在于MFC重载了 operator new。当然所有的内存分配最后都会调用crt的malloc进行内存分配。

void* __cdecl operator new(size_t nSize, LPCSTR lpszFileName, int nLine)
return ::operator new(nSize, _NORMAL_BLOCK, lpszFileName, nLine);

void* __cdecl operator new[](size_t nSize, LPCSTR lpszFileName, int nLine)
return ::operator new[](nSize, _NORMAL_BLOCK, lpszFileName, nLine);

void __cdecl operator delete(void* pData, LPCSTR /* lpszFileName */,
int /* nLine */)
::operator delete(pData);

void __cdecl operator delete[](void* pData, LPCSTR /* lpszFileName */,
int /* nLine */)
::operator delete(pData);



#include <crtdbg.h>


Detected memory leaks!
Dumping objects ->
{91} normal block at 0x00725BB0, 256 bytes long.
Data: <                > CD CD CD CD CD CD CD CD CD CD CD CD CD CD CD CD
Object dump complete.









new(_NORMAL_BLOCK, __FILE__, __LINE__) char[256]


Detected memory leaks!
Dumping objects ->
d:/developed/directxlearn/directxlearn/directxlearn.cpp(21) : {91} normal block at 0x002B5BB0, 256 bytes long.
Data: <                > CD CD CD CD CD CD CD CD CD CD CD CD CD CD CD CD
Object dump complete.


3. 更深入的讨论


我们先看一下反汇编以后的new 代码

mov         eax,dword ptr [`wWinMain'::`2'::__LINE__Var (2D801Ch)]
add         eax,3
push        eax
push        offset string "d://developed//directxlearn//direct"... (2D6960h)
push        1
push        100h
call        operator new[] (2D12EEh)
add         esp,10h
mov         dword ptr [ebp-0F8h],eax

从反汇编出来的代码中我们可以看到,文件名和行号都是存储在程序数据段中的,传入operator new 的只是文件名的地址而已。跟踪进入call operator new[] 我们可以看到如下代码

void *__CRTDECL operator new[](
size_t cb,
int nBlockUse,
const char * szFileName,
int nLine
_THROW1(_STD bad_alloc)
void *res = operator new(cb, nBlockUse, szFileName, nLine );

RTCCALLBACK(_RTC_Allocate_hook, (res, cb, 0));

return res;

 operator new 的代码如下

void *__CRTDECL operator new(
size_t cb,
int nBlockUse,
const char * szFileName,
int nLine
_THROW1(_STD bad_alloc)
/* _nh_malloc_dbg already calls _heap_alloc_dbg in a loop and calls _callnewh
if the allocation fails. If _callnewh returns (very likely because no
new handlers have been installed by the user), _nh_malloc_dbg returns NULL.
void *res = _nh_malloc_dbg( cb, 1, nBlockUse, szFileName, nLine );

RTCCALLBACK(_RTC_Allocate_hook, (res, cb, 0));

/* if the allocation fails, we throw std::bad_alloc */
if (res == 0)
static const std::bad_alloc nomem;

return res;

可以看到,最终还是调用了_nh_malloc_dbg.如果我们继续跟踪下去的话会找到真正分配内存的地方,这里我着重讲一下CRT的内存结构。和很多内存池一样,CRT也在分配内存的前后加入了一些标记和内容。其中最重要的就是一个_CrtMemBlockHeader 的结构。

typedef struct _CrtMemBlockHeader
struct _CrtMemBlockHeader * pBlockHeaderNext;
struct _CrtMemBlockHeader * pBlockHeaderPrev;
char *                      szFileName;
int                         nLine;
#ifdef _WIN64
/* These items are reversed on Win64 to eliminate gaps in the struct
* and ensure that sizeof(struct)%16 == 0, so 16-byte alignment is
* maintained in the debug heap.
int                         nBlockUse;
size_t                      nDataSize;
#else  /* _WIN64 */
size_t                      nDataSize;
int                         nBlockUse;
#endif  /* _WIN64 */
long                        lRequest;
unsigned char               gap[nNoMansLandSize];
/* followed by:
*  unsigned char           data[nDataSize];
*  unsigned char           anotherGap[nNoMansLandSize];
} _CrtMemBlockHeader;


blockSize = sizeof(_CrtMemBlockHeader) + nSize + nNoMansLandSize;



pHead->pBlockHeaderNext = _pFirstBlock;
pHead->pBlockHeaderPrev = NULL;
pHead->szFileName = (char *)szFileName;
pHead->nLine = nLine;
pHead->nDataSize = nSize;
pHead->nBlockUse = nBlockUse;
pHead->lRequest = lRequest;
/* link blocks together */
_pFirstBlock = pHead;

/* fill in gap before and after real block */
memset((void *)pHead->gap, _bNoMansLandFill, nNoMansLandSize);
memset((void *)(pbData(pHead) + nSize), _bNoMansLandFill, nNoMansLandSize);
/* fill data with silly value (but non-zero) */
memset((void *)pbData(pHead), _bCleanLandFill, nSize);


4. CRT的缺陷


首先,是你new的时候或者malloc的时候不可能都是用特殊版本的函数调用,只能通过定义宏来实现。宏这个东西我比较讨厌,因为在来来回回的包含中你不能确定哪些new 被替换了。所以一旦有没有被宏替换过的new那么你的报告就会出现一些没有地址和行号的内存泄露报告。





5. Virutal Leak Detected



当主程序加载DLL到自己的进程地址空间之前,操作系统首先要将整个DLL文件载入到内存中,然后根据需要重新映射动态链接库的地址,之后调整导出符号表中入口函数的地址,使之指向正确的函数入口。如果你跟踪汇编代码的话,会发现你Call 一个DLL的导出函数或者类函数的时候其实是先到了一个全是jmp指令的地方,然后才到达正确的代码地址。这个全是jmp指令的地方就是导出函数表。如果我们修改了表中的跳转地址的话,当你去call 的时候就会跳转到一个你指定的地方,比如说一个钩子函数。但是,这种修改跳转表的方法只对当前程序实例有效。




There are a several configuration options that control specific aspects of VLD's operation. These configuration options are stored in the vld.ini configuration file. By default, the configuration file should be in the Visual Leak Detector installation directory. However, the configuration file can be copied to the program's working directory, in which case the configuration settings in that copy of vld.ini will apply only when debugging that one program.

This option acts as a master on/off switch. By default, this option is set to "on". To completely disable Visual Leak Detector at runtime, set this option to "off". When VLD is turned off using this option, it will do nothing but print a message to the debugger indicating that it has been turned off.

Normally, VLD displays each individual leaked block in detail. Setting this option to "yes" will make VLD aggregate all leaks that share the same size and call stack under a single entry in the memory leak report. Only the first leaked block will be reported in detail. No other identical leaks will be displayed. Instead, a tally showing the total number of leaks matching that size and call stack will be shown. This can be useful if there are only a few sources of leaks, but those few sources are repeatedly leaking a very large number of memory blocks.

In some rare cases, it may be necessary to include a module in leak detection, but it may not be possible to include vld.h in any of the module's sources. In such cases, this option can be used to force VLD to include those modules in leak detection. List the names of the modules (DLLs) to be forcefully included in leak detection. If you do use this option, it's advisable to also add vld.lib to the list of library modules in the linker options of your project's settings.

Caution: Use this option only when absolutely necessary. In some situations, use of this option may result in unpredictable behavior including false leak reports and/or crashes. It's best to stay away from this option unless you are sure you understand what you are doing.

Set this option to an integer value to limit the amount of data displayed in memory block data dumps. When this number of bytes of data have been dumped, the dump will stop. This can be useful if any of the leaked blocks are very large and the debugger's output window becomes too cluttered. You can set this option to 0 (zero) if you want to suppress data dumps altogether.

By default, VLD will trace the call stack for each allocated block as far back as possible. Each frame traced adds additional overhead (in both CPU time and memory usage) to your debug executable. If you'd like to limit this overhead, you can define this macro to an integer value. The stack trace will stop when it has traced this number of frames. The frame count may include some of the "internal" frames which, by default, are not displayed in the debugger's output window (see TraceInternalFrames below). In some cases there may be about three or four "internal" frames at the beginning of the call stack. Keep this in mind when using this macro, or you may not see the number of frames you expect.

When the memory leak report is saved to a file, the report may optionally be Unicode encoded instead of using the default ASCII encoding. This might be useful if the data contained in leaked blocks is likely to consist of Unicode text. Set this option to "unicode" to generate a Unicode encoded report.

Use this option to specify the name and location of the file in which to save the memory leak report when using a file as the report destination, as specified by the ReportTo option. If no file is specified here, then VLD will save the report in a file named "memory_leak_report.txt" in the working directory of the program.

The memory leak report may be sent to a file in addition to, or instead of, the debugger. Use this option to specify which type of destination to use. Specify one of "debugger" (the default), "file", or "both".

VLD has the ability to check itself for memory leaks. This feature is always active. Every time you run VLD, in addition to checking your own program for memory leaks, it is also checking itself for leaks. Setting this option to "on" forces VLD to intentionally leak a small amount of memory: a 21-character block filled with the text "Memory Leak Self-Test". This provides a way to test VLD's ability to check itself for memory leaks and verify that this capability is working correctly. This option is usually only useful for debugging VLD itself.

If enabled, this option causes Visual Leak Detector to write the memory leak report to the debugger's output window at a slower than normal rate. This option is specifically designed to work around a known issue with some older versions of Visual Studio where some data sent to the output window might be lost if it is sent too quickly. If you notice that some information seems to be missing from the memory leak report, try turning this on.

Selects the method to be used for walking the stack to obtain call stacks for allocated memory blocks. The default "fast" method may not always be able to successfully trace completely through all call stacks. In such cases, the "safe" method may prove to be more reliable in obtaining the full stack trace. The disadvantage with the "safe" method is that it is significantly slower than the "fast" method and will probably result in very noticeable performance degradation of the program being debugged. In most cases it should be okay to leave this option set to "fast". If you experience problems getting VLD to show call stacks, you can try setting this option to "safe".

If you do use the "safe" method, and notice a significant performance decrease, you may want to consider using the MaxTraceFrames option to limit the number of frames traced to a relatively small number. This can reduce the amount of time spent tracing the stack by a very large amount.

Set this option to "yes" to disable memory leak detection initially. This can be useful if you need to be able to selectively enable memory leak detection from runtime, without needing to rebuild the executable; however, this option should be used with caution. Any memory leaks that may occur before memory leak detection is enabled at runtime will go undetected. For example, if the constructor of some global variable allocates memory before execution reaches a subsequent call to VLDEnable, then VLD will not be able to detect if the memory allocated by the global variable is never freed. Refer to the following section on controlling leak detection at runtime for details on using the runtime APIs which can be useful in conjunction with this option.

This option determines whether or not all frames of the call stack, including frames internal to the heap, are traced. There will always be a number of frames on the call stack which are internal to Visual Leak Detector and C/C++ or Win32 heap APIs that aren't generally useful for determining the cause of a leak. Normally these frames are skipped during the stack trace, which somewhat reduces the time spent tracing and amount of data collected and stored in memory. Including all frames in the stack trace, all the way down into VLD's own code can, however, be useful for debugging VLD itself.


我们先看一下VLD的初始化过程,这有助于我们加深对VLD工作机制的理解。我这里使用的是vld 1.9h的版本,支持VS2008及以下的编译器。最新的2.0a版本已经可以支持vs2010


6. 非泄露内存增长



6.1 UMDH简介

 UMDH 是windows debug tools 下的一款命令行工具,它的全名是User-Mode Dump Heap 这个工具会分析当前进程在堆上分配的内存,并有两种模式

1. 进程分析模式,这个模式会对进程分配的每一块内存做记录,其中包含分配的内存大小;内存分配地址;内存分配时的函数调用堆栈等。

2. 日志分析模式,该模式会比较几个不同的日志,找出内存增长的地方。



gflags /i ImageName +ust


其次,安装windows 的 symbol文件。如果不需要的话可以不用安装。






之后我们通过命令行 umdh -p:2230  -f:dump_allocations.txt 对进程进行分析。

其中-p后面的数字是进程号, -f 后面跟的是日志文件的文件名。


之后我们重复以上步骤几次,最好给文件名编个号。比如 dump1.txt dump2.txt



umdh -v dump1.txt dump2.txt > memleak.txt



+ 5320 (f110 - 9df0) 3a allocs BackTrace00053 
Total increase == 5320
MyApp!operator new+0x0000000E
