Notes on the Win32 Debug CRT Heap (Part 2)
Before saying anything else, two links: one from Microsoft's authoritative MSDN (http://msdn.microsoft.com/zh-cn/library/bebs9zyz.aspx), and one from the blog of Andrew Birkett (http://www.nobugs.org/developer/win32/debug_crt_heap.html).
Currently, the block header structure used to store the debug heap's bookkeeping information is declared as follows in the DBGINT.H header file:
typedef struct _CrtMemBlockHeader
{
    // Pointer to the block allocated just before this one:
    struct _CrtMemBlockHeader *pBlockHeaderNext;
    // Pointer to the block allocated just after this one:
    struct _CrtMemBlockHeader *pBlockHeaderPrev;
    char *szFileName;    // File name
    int nLine;           // Line number
    size_t nDataSize;    // Size of user block
    int nBlockUse;       // Type of block
    long lRequest;       // Allocation number
    // Buffer just before (lower than) the user's memory:
    unsigned char gap[nNoMansLandSize];
} _CrtMemBlockHeader;

/* In an actual memory block in the debug heap,
 * this structure is followed by:
 *    unsigned char data[nDataSize];
 *    unsigned char anotherGap[nNoMansLandSize];
 */
The NoMansLand buffers on either side of the user data area of the block are currently 4 bytes in size, and are filled with a known byte value used by the debug heap routines to verify that the limits of the user's memory block have not been overwritten. The debug heap also fills new memory blocks with a known value. If you elect to keep freed blocks in the heap's linked list as explained below, these freed blocks are also filled with a known value. Currently, the actual byte values used are as follows:
1. 0xFDFDFDFD everywhere I look: our 10 bytes of data are surrounded on both sides by a run of 0xFDFDFDFD, which the text above calls No Man's Land. Is this the legendary "Shutter Island"? :D As the name says, a "no man's land" is a region nobody may enter, so these two areas must never be modified. Now reason backwards: if something does modify these two areas, how did it get there? Without doubt, by writing out of bounds. In other words, once this NoMansLand has been changed, some part of the program has certainly overrun its buffer. Doesn't that make certain heap-overflow bugs very easy to spot? :P

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

int main(int argc, char **argv)
{
    char *p = (char *)malloc(sizeof(char) * 10);   /* 10-byte user block */
    /* "hello,boy!!" is 11 characters plus the terminating NUL: 12 bytes are
     * copied into a 10-byte block, so the last 2 bytes land in the NoMansLand
     * above the block and overwrite two of its 0xFD guard bytes */
    strncpy(p, "hello,boy!!", 12);

    free(p);      /* the debug CRT verifies the guard bytes here */
    p = NULL;

    return 0;
}
2. Look at me and you know how big you are: we allocated 10 bytes, that is 0xA bytes, and the debug heap header has a field that holds exactly 0xA. That's right: those 4 bytes tell you at a glance how much memory we asked for. Convenient as well, isn't it? :)

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

int main(int argc, char **argv)
{
    char *p = (char *)malloc(sizeof(char) * 10);   /* header records nDataSize = 0xA */
    char *q = (char *)malloc(sizeof(char) * 11);   /* header records nDataSize = 0xB */
    strncpy(p, "hello,boy", 10);    /* 9 characters + NUL: fits exactly */
    strncpy(q, "hello,girl", 11);   /* 10 characters + NUL: fits exactly */

    free(p);
    p = NULL;
    /* q is never freed, so its block stays in the debug heap's linked list */

    return 0;
}
    char *szFileName;    // File name
    int nLine;           // Line number
    size_t nDataSize;    // Size of user block
    int nBlockUse;       // Type of block
    long lRequest;       // Allocation number
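As an added example (mine, not code from the post, from MSDN, or from the CRT itself), the following C model reproduces the layout walked through above: a header that records nDataSize and carries a 4-byte NoMansLand gap of 0xFD, the user block, and a trailing 0xFD gap, together with the check the debug heap runs to see whether either guard has been written over. Assumptions: the header keeps only nDataSize and gap from _CrtMemBlockHeader, nDataSize is 32-bit so the gap ends exactly where the user data begins, and 0xCD is the fresh-block fill value of the real debug CRT, which the post does not list.

```c
#include <stdlib.h>
#include <string.h>

/* Cut-down model of the Debug CRT layout described on this page:
 *   [DbgBlockHeader: nDataSize, gap = 0xFD x4] [user data] [anotherGap = 0xFD x4]
 * Assumption: only nDataSize and gap are kept from _CrtMemBlockHeader. */
#define NO_MANS_LAND_SIZE 4
#define NO_MANS_LAND_FILL 0xFD   /* guard value the post shows on both sides of the block */
#define CLEAN_LAND_FILL   0xCD   /* fill the real debug CRT writes into a fresh block */

typedef struct DbgBlockHeader {
    unsigned int  nDataSize;               /* size_t in the real header; 32-bit here so */
    unsigned char gap[NO_MANS_LAND_SIZE];  /* the gap ends exactly where user data starts */
} DbgBlockHeader;

static DbgBlockHeader *hdr_of(void *p) {
    return (DbgBlockHeader *)((unsigned char *)p - sizeof(DbgBlockHeader));
}

/* Allocate like the debug heap: header, user block, trailing guard. */
void *dbg_malloc(unsigned int nDataSize) {
    unsigned char *raw = malloc(sizeof(DbgBlockHeader) + nDataSize + NO_MANS_LAND_SIZE);
    if (!raw) return NULL;
    DbgBlockHeader *hdr = (DbgBlockHeader *)raw;
    unsigned char *data = raw + sizeof(DbgBlockHeader);
    hdr->nDataSize = nDataSize;
    memset(hdr->gap, NO_MANS_LAND_FILL, NO_MANS_LAND_SIZE);
    memset(data, CLEAN_LAND_FILL, nDataSize);
    memset(data + nDataSize, NO_MANS_LAND_FILL, NO_MANS_LAND_SIZE);
    return data;
}

/* Point 2 of the post: the requested size is recoverable from the header. */
unsigned int dbg_size(void *p) { return hdr_of(p)->nDataSize; }

/* Point 1 of the post: a guard byte that is no longer 0xFD means the program wrote
 * outside the block. Bit 1 = guard below damaged, bit 2 = guard above damaged. */
int dbg_check(void *p) {
    DbgBlockHeader *hdr = hdr_of(p);
    unsigned char *above = (unsigned char *)p + hdr->nDataSize;
    int bad = 0;
    for (int i = 0; i < NO_MANS_LAND_SIZE; i++) {
        if (hdr->gap[i] != NO_MANS_LAND_FILL) bad |= 1;
        if (above[i]    != NO_MANS_LAND_FILL) bad |= 2;
    }
    return bad;
}

void dbg_free(void *p) { free(hdr_of(p)); }
```

Running the post's first program against this model, the 12-byte strncpy into a 10-byte block flips bit 2 of dbg_check, which is exactly the condition the real debug CRT reports when the block is freed.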
posted on 2012-09-22 12:09 by coolhysteria; 815 reads, 0 comments