Posted on 2009-04-01 13:35
S.l.e!ep.¢% 阅读(1707)
评论(3) 编辑 收藏 引用 所属分类:
WinDbg
内存崩溃的BUG
内存崩溃的BUG (2)
在昨天的调试中,感谢
-----------------------------------------------------------------------------------------------------
地址段034bd000 - 00007000没法访问。
看调用栈0012e50c 0042ffc3 00000400 034c0fec 00000001 ws2_32!WSASend+0x61
WSASend的第二个参数为034c0fec很不幸的落在这个区间内。看WSASend的原型
int WSASend(
__in SOCKET s,
__in LPWSABUF lpBuffers,
__in DWORD dwBufferCount,
__out LPDWORD lpNumberOfBytesSent,
__in DWORD dwFlags,
__in LPWSAOVERLAPPED lpOverlapped,
__in LPWSAOVERLAPPED_COMPLETION_ROUTINE lpCompletionRoutine
);
显然第二个参数lpBuffers的地址非法。
call stack frame往上就是你的代码了:
0012f580 0040e577 0012f5bc 00000014 0012f58c xxx.exe+xxx-function
你需要在这里确认一下为什么传出的lpBuffers指向一个错误的地址
-------------------------------------------------------------------------------------------------------
传入 WSASend 的第二个参数 lpBuffers 确实指向了一个错误的地址,
用 knL + .frame + x
查看了 xxx.exe+xxx-function 的局部变量,发现
-------------------------------------------------------------------------------------------------------
PER_IO_CONTEXT* overlappedEx=new PER_IO_CONTEXT; 发现 overlappedEx 这个指针已经指向的内存是不对的
overlappedEx->IOOperation= WRITE;
overlappedEx->wsabuf.buf= (char *)malloc( nLen );
if( NULL == overlappedEx->wsabuf.buf )
{
delete overlappedEx;
return -1;
}
if(WSASend(m_socket,&(overlappedEx->wsabuf), 0x01,
&(overlappedEx->dwBytes), overlappedEx->dwFlags,
&(overlappedEx->Overlapped), NULL ) == SOCKET_ERROR)
{
在IOCP通知后,会 delete overlappedEx
-------------------------------------------------------------------------------------------------------
怀疑是不是 overlappedEx 这个指针的值被其它地方修改了?
于是在局数变量中定义了多一个变量,在 WSASend 调用前,加多这个语句,
PER_IO_CONTEXT* p = overlappedEx;
等了几个小时,再次重现问题,
用 knL + .frame + x
查看了 xxx.exe+xxx-function 的局部变量,发现
p 的值跟 overlappedEx 还是相等的, 但它们指向的内存却是
0366fe8c p = 0x03443fd8
0:010> !address 0x03443fd8
03442000 : 03442000 - 00007000
Type 00000000
Protect 00000001 PAGE_NOACCESS
State 00010000 MEM_FREE
Usage RegionUsageFree
0:010> dd 0x03443fd8
03443fd8 ???????? ???????? ???????? ????????
03443fe8 ???????? ???????? ???????? ????????
03443ff8 ???????? ???????? ???????? ????????
03444008 ???????? ???????? ???????? ????????
03444018 ???????? ???????? ???????? ????????
03444028 ???????? ???????? ???????? ????????
03444038 ???????? ???????? ???????? ????????
03444048 ???????? ???????? ???????? ????????
0:010> KB
ChildEBP RetAddr Args to Child
0366edac 71a26294 00000668 03443fec 00000001 mswsock!WSPSend+0x243
0366ede8 00430027 00000668 03443fec 00000001 ws2_32!WSASend+0x77
初步结论是: 在执行到 mswsock!WSPSend+0x243 ,在 WSASend 上一层 new 出来的 PER_IO_CONTEXT 已经被 delete 了