Posted on 2009-04-01 13:35
S.l.e!ep.¢% 閱讀(1727)
評論(3) 編輯 收藏 引用 所屬分類:
WinDbg
內存崩潰的BUG
內存崩潰的BUG (2)
在昨天的調試中,感謝
-----------------------------------------------------------------------------------------------------
地址段034bd000 - 00007000沒法訪問。
看調用棧0012e50c 0042ffc3 00000400 034c0fec 00000001 ws2_32!WSASend+0x61
WSASend的第二個參數(shù)為034c0fec很不幸的落在這個區(qū)間內。看WSASend的原型
int WSASend(
__in SOCKET s,
__in LPWSABUF lpBuffers,
__in DWORD dwBufferCount,
__out LPDWORD lpNumberOfBytesSent,
__in DWORD dwFlags,
__in LPWSAOVERLAPPED lpOverlapped,
__in LPWSAOVERLAPPED_COMPLETION_ROUTINE lpCompletionRoutine
);
顯然第二個參數(shù)lpBuffers的地址非法。
call stack frame往上就是你的代碼了:
0012f580 0040e577 0012f5bc 00000014 0012f58c xxx.exe+xxx-function
你需要在這里確認一下為什么傳出的lpBuffers指向一個錯誤的地址
-------------------------------------------------------------------------------------------------------
傳入 WSASend 的第二個參數(shù) lpBuffers 確實指向了一個錯誤的地址,
用 knL + .frame + x
查看了?? xxx.exe+xxx-function???? 的局部變量,發(fā)現(xiàn)
-------------------------------------------------------------------------------------------------------
PER_IO_CONTEXT* overlappedEx=new PER_IO_CONTEXT;????? 發(fā)現(xiàn)??overlappedEx ?這個指針已經(jīng)指向的內存是不對的
overlappedEx->IOOperation= WRITE;
overlappedEx->wsabuf.buf= (char *)malloc( nLen );
if( NULL == overlappedEx->wsabuf.buf )
{
delete overlappedEx;
return -1;
}
if(WSASend(m_socket,&(overlappedEx->wsabuf), 0x01,
&(overlappedEx->dwBytes), overlappedEx->dwFlags,
&(overlappedEx->Overlapped), NULL ) == SOCKET_ERROR)
{
在IOCP通知后,會 delete overlappedEx
-------------------------------------------------------------------------------------------------------
懷疑是不是 overlappedEx 這個指針的值被其它地方修改了?
于是在局數(shù)變量中定義了多一個變量,在 WSASend 調用前,加多這個語句,
PER_IO_CONTEXT* p? = overlappedEx;
等了幾個小時,再次重現(xiàn)問題,
用 knL + .frame + x
查看了?? xxx.exe+xxx-function???? 的局部變量,發(fā)現(xiàn)
p 的值跟 overlappedEx 還是相等的, 但它們指向的內存卻是
0366fe8c p = 0x03443fd8
0:010> !address 0x03443fd8
??? 03442000 : 03442000 - 00007000
??????????????????? Type???? 00000000
??????????????????? Protect? 00000001 PAGE_NOACCESS
??????????????????? State??? 00010000 MEM_FREE????????????????
??????????????????? Usage??? RegionUsageFree
0:010> dd 0x03443fd8
03443fd8? ???????? ???????? ???????? ????????
03443fe8? ???????? ???????? ???????? ????????
03443ff8? ???????? ???????? ???????? ????????
03444008? ???????? ???????? ???????? ????????
03444018? ???????? ???????? ???????? ????????
03444028? ???????? ???????? ???????? ????????
03444038? ???????? ???????? ???????? ????????
03444048? ???????? ???????? ???????? ????????
0:010> KB
ChildEBP RetAddr? Args to Child?????????????
0366edac 71a26294 00000668 03443fec 00000001 mswsock!WSPSend+0x243
0366ede8 00430027 00000668 03443fec 00000001 ws2_32!WSASend+0x77
初步結論是: 在執(zhí)行到? mswsock!WSPSend+0x243 ,在 WSASend 上一層 new 出來的? PER_IO_CONTEXT 已經(jīng)被 delete 了