0:000> kb
ChildEBP RetAddr  Args to Child
0013e8a0 716031fa 00430000 078aed08 0fffffec AcLayers!hpFreeSub+0x11
0013e8cc 7160346e 00430000 00000000 00000010 AcLayers!hpCarve+0x9f
0013e8f0 71603a62 00430000 00000010 00000000 AcLayers!HPAlloc+0xe5
0013e904 77bfc3c9 00430000 00000000 00000004 AcLayers!_HeapAlloc+0x3d
0013e944 77bfc3e7 00000004 0013e960 77bfc42e msvcrt!_heap_alloc+0xe0
0013e950 77bfc42e 00000004 00000000 00000004 msvcrt!_nh_malloc+0x13
0013e960 73d34154 00000004 00000001 0013eb0c msvcrt!malloc+0x27
0013e978 73d3729a 00000004 0013eb0c 00000000 mfc42!operator new+0x31
0013e990 73dbe372 00000001 ffffffff 078a639c mfc42!CDWordArray::SetSize+0x44
0013e9a4 73dbf9a9 00000000 078b6b38 00000000 mfc42!CDWordArray::SetAtGrow+0x1a
0013e9b4 73d955a2 078b6b38 00523070 00000000 mfc42!CDWordArray::Add+0x10
0013eae8 062a480e 078a639c 00521158 00521158 mfc42!CDockState::LoadState+0xe5
0013eb58 06286293 0051e7fc 078a639c 06289d77 BCGCB450!CBCGWorkspace::LoadState+0x12e
0013eb64 06289d77 058f13b8 057bf078 000036b2 BCGCB450!CBCGFrameImpl::OnLoadFrame+0x13
0013eb6c 057bf078 000036b2 00cf8000 00000000 BCGCB450!CBCGMDIFrameWnd::LoadFrame+0x37
0013eb98 057bf33a 004e1c48 00518734 000902d8 Dds!CDdsApp::CustomInitlize+0x178 [E:\WorkProject\zddsproject\iCAD9.1\Dds\Main\dds.cpp @ 447]
0013ebcc 04339c4e 00518734 0437d9b8 0013ec00 Dds!AttachStartforDdsCtrl+0x5a [E:\WorkProject\zddsproject\iCAD9.1\Dds\Main\dds.cpp @ 556]
0013ebfc 73d47f2c 000902d8 73d47ac6 73d47a6c GsCard!CGsCardCtrl::EditDrawingBZDDS+0x20e
0013ec74 73d47778 0437ce80 0013ec18 0013eefc mfc42!_AfxDispatchCall+0x12
0013ed04 10b1fd0d 00000001 0000007b 10d9eb30 mfc42!COleDispatchImpl::Invoke+0x38b
Analysis result:
FOLLOWUP_IP: AcLayers!hpFreeSub+11
71602f5c 8b06 mov eax,dword ptr [esi]
--> esi does indeed contain an invalid pointer.
NTGLOBALFLAG: 70
APPLICATION_VERIFIER_FLAGS: 0
FAULTING_THREAD: 00000870
PRIMARY_PROBLEM_CLASS: INVALID_POINTER_READ
BUGCHECK_STR: APPLICATION_FAULT_INVALID_POINTER_READ
LAST_CONTROL_TRANSFER: from 716031fa to 71602f5c
--> esi is indeed an invalid address
0:000> !address esi
14b3b000 : 14b3b000 - 0b4c5000
Type     00000000
Protect  00000001 PAGE_NOACCESS
State    00010000 MEM_FREE
Usage    RegionUsageFree
I really find it strange that the operating system would fail while allocating memory~~~
Related information:
OS: XP SP2, ghost edition
I checked the memory usage and it really isn't large... only about 400MB
0013e978 73d3729a 00000004 0013eb0c 00000000 mfc42!operator new+0x31 --> This line shows clearly that it is allocating a block of only 4 bytes. (It is mainly used to hold a pointer.)
========================================
0013e8a0 716031fa 00430000 078aed08 0fffffec AcLayers!hpFreeSub+0x11
0013e8cc 7160346e 00430000 00000000 00000010 AcLayers!hpCarve+0x9f
0013e8f0 71603a62 00430000 00000010 00000000 AcLayers!HPAlloc+0xe5
I have never seen this kind of memory allocation before, apart from the tiny bit of material I could find in Hou Jie's (侯捷) book 《Windows 95 系統程式設計 大奧秘》.
Very strange! I hope the experts here can offer some pointers.
I think this is an unusual Heap Corrupt problem. It's unusual because the faulting process has "Application Compatibility (AC)" support enabled, and uses AcLayers.DLL to manage the heap the way Windows 95 did. The Win32 heap normally used is implemented in NTDLL.dll.
Heap Corrupt is usually caused by a heap buffer overflow (《软件调试》 (Software Debugging) 23.8.1, p. 670). To debug it you can use heap tail checking (23.8.3) or page heap (23.9)...
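As an added illustration of the heap tail checking the reply mentions (example code, not from this thread and not Windows' own heap implementation): a toy allocator that appends the 0xAB tail pattern after each block and verifies it on free, run against a constructed 4-byte overrun like the operator new(4) block in the stack above. The size header and the 8-byte tail are this example's own assumptions about layout.

```c
#include <stdlib.h>
#include <string.h>
/* Heap tail checking (gflags +htc) appends a fill pattern after each user block and
 * verifies it on free; 0xAB is the byte Windows uses. The 8-byte tail and the size
 * header in front of the block are this example's own layout, not the Windows one. */
#define TAIL_SIZE 8
#define TAIL_FILL 0xAB
typedef struct { size_t user_size; } htc_hdr;

/* Allocate n user bytes with a size header before them and the tail pattern after. */
void *htc_alloc(size_t n) {
    htc_hdr *h = malloc(sizeof *h + n + TAIL_SIZE);
    if (h == NULL) return NULL;
    h->user_size = n;
    unsigned char *user = (unsigned char *)(h + 1);
    memset(user + n, TAIL_FILL, TAIL_SIZE);
    return user;
}

/* 1 if every tail byte still holds the pattern, 0 if something wrote past the block. */
int htc_check(const void *p) {
    const htc_hdr *h = (const htc_hdr *)p - 1;
    const unsigned char *tail = (const unsigned char *)p + h->user_size;
    for (size_t i = 0; i < TAIL_SIZE; i++)
        if (tail[i] != TAIL_FILL) return 0;
    return 1;
}

/* Free the block and report whether its tail was intact (where the debugger breaks). */
int htc_free(void *p) {
    int intact = htc_check(p);
    free((htc_hdr *)p - 1);
    return intact;
}

/* A 4-byte block like the operator new(4) in the stack above, overrun by 3 bytes. The
 * constructed bug stays inside the bytes this allocator reserved, so only the tail is hit. */
int demo_overrun(void) {
    char *buf = htc_alloc(4);
    if (buf == NULL) return -1;
    memcpy(buf, "abcdef", 7);   /* 7 bytes into a 4-byte block */
    return htc_free(buf);       /* 0: tail corrupted */
}

/* Same block written within bounds: the tail survives. */
int demo_clean(void) {
    char *buf = htc_alloc(4);
    if (buf == NULL) return -1;
    memcpy(buf, "abc", 4);
    return htc_free(buf);       /* 1: tail intact */
}
```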