Windows heap call allocations - strange call stack

I am trying to analyze a memory dump of a managed managed process, suspect if it is leaking its own memory. To be able to use windbg (and use the heap extension from there), I have activated user mode call stacks for the server process.

I see many blocks of size 68. And among those blocks (the ones I could check manually with! Heap -p -a) there are many form stack calls

 !heap -p -a 000000003ca5cfd0
    address 000000003ca5cfd0 found in
    _HEAP @ 1ea0000
              HEAP_ENTRY Size Prev Flags            UserPtr UserSize - state
        000000003ca5cfa0 0009 0000  [00]   000000003ca5cfd0    00068 - (busy)
        7766bbed ntdll! ?? ::FNODOBFM::`string'+0x000000000001913b
        7fef7b76a57 msvcr120!malloc+0x000000000000005b
        7fef7b76967 msvcr120!operator new+0x000000000000001f
        7fe9a5cdaf8 +0x000007fe9a5cdaf8


Do you have any idea what these allocations are because they take hundreds of megabytes into the dump file?

EDIT lm shows the following around the 7fe9a5cdaf8 area (truncated)

start             end                module name
00000000`773b0000 00000000`774cf000   kernel32   (pdb symbols)
00000000`774d0000 00000000`775ca000   user32     (deferred)
00000000`775d0000 00000000`77779000   ntdll      (pdb symbols)
00000000`77790000 00000000`77797000   psapi      (deferred)
00000000`777a0000 00000000`777a3000   normaliz   (deferred)
00000001`3f810000 00000001`3f818000   ManagedService  (deferred)             
000007fe`dd2d0000 000007fe`de398000   System_Web_ni   (deferred)



source to share

1 answer

I am assuming there was no embedded image for your application (using NGen). In this case, the module (DLL) contains only IL code, which will never be executed. So, internally, there won't be any stacks inside the module.

Instead, the IL code will be JIT compiled to a different location in memory, eg. 7fe9a5cdaf8 in your case. Which is where the real code runs, so you see from the native side.

To return a compiled JIT command to your .NET method descriptor, follow these steps:

0:000> .symfix
0:000> .loadby sos mscorwks ; *** .NET 2
0:000> .loadby sos clr ; *** .NET 4

0:000> !ip2md 7fe9a5cdaf8 


The output should then show the name of the .NET method (example here, since I don't have a dump):

MethodDesc: 000007ff00033450
Method Name: ManagedService.Program.Main()
Class: 000007ff00162438
MethodTable: 000007ff00033460
mdToken: 0600001f
Module: 000007ff00032e30
IsJitted: yes
CodeAddr: 000007ff00170120




All Articles