Windows heap call allocations - strange call stack
I am trying to analyze a memory dump of a managed managed process, suspect if it is leaking its own memory. To be able to use windbg (and use the heap extension from there), I have activated user mode call stacks for the server process.
I see many blocks of size 68. And among those blocks (the ones I could check manually with! Heap -p -a) there are many form stack calls
!heap -p -a 000000003ca5cfd0 address 000000003ca5cfd0 found in _HEAP @ 1ea0000 HEAP_ENTRY Size Prev Flags UserPtr UserSize - state 000000003ca5cfa0 0009 0000  000000003ca5cfd0 00068 - (busy) 7766bbed ntdll! ?? ::FNODOBFM::`string'+0x000000000001913b 7fef7b76a57 msvcr120!malloc+0x000000000000005b 7fef7b76967 msvcr120!operator new+0x000000000000001f 7fe9a5cdaf8 +0x000007fe9a5cdaf8
Do you have any idea what these allocations are because they take hundreds of megabytes into the dump file?
EDIT lm shows the following around the 7fe9a5cdaf8 area (truncated)
start end module name 00000000`773b0000 00000000`774cf000 kernel32 (pdb symbols) 00000000`774d0000 00000000`775ca000 user32 (deferred) 00000000`775d0000 00000000`77779000 ntdll (pdb symbols) 00000000`77790000 00000000`77797000 psapi (deferred) 00000000`777a0000 00000000`777a3000 normaliz (deferred) 00000001`3f810000 00000001`3f818000 ManagedService (deferred) 000007fe`dd2d0000 000007fe`de398000 System_Web_ni (deferred)
source to share
I am assuming there was no embedded image for your application (using NGen). In this case, the module (DLL) contains only IL code, which will never be executed. So, internally, there won't be any stacks inside the module.
Instead, the IL code will be JIT compiled to a different location in memory, eg. 7fe9a5cdaf8 in your case. Which is where the real code runs, so you see from the native side.
To return a compiled JIT command to your .NET method descriptor, follow these steps:
0:000> .symfix 0:000> .loadby sos mscorwks ; *** .NET 2 0:000> .loadby sos clr ; *** .NET 4 0:000> !ip2md 7fe9a5cdaf8
The output should then show the name of the .NET method (example here, since I don't have a dump):
MethodDesc: 000007ff00033450 Method Name: ManagedService.Program.Main() Class: 000007ff00162438 MethodTable: 000007ff00033460 mdToken: 0600001f Module: 000007ff00032e30 IsJitted: yes CodeAddr: 000007ff00170120
source to share