Debugging Memory Errors
The memory verifier debugger extension
The virtual space operation log tracks every routine that modifies the virtual address space of a process in any way, including VirtualAlloc, VirtualFree, MapViewOfFile, and UnmapViewOfFile. Because each record carries the calling thread and a stack trace, the log lets you trace an access violation at a given address back to the allocation, commit, decommit or release that last touched that address.
You can use the !avrf -vs Length extension command to display the last several records; Length specifies the number of records, and the most recent record is printed first.
You can use !avrf -vs -a Address to display all virtual space operations that affected the specified Address. For an allocation, it is sufficient that Address be contained in the allocated block. For a free, the exact address of the beginning of the region must be given.
For each entry in the log, the following information is displayed:
The function called
The thread ID of the thread that called the routine
The address involved in the call: the address that was returned by an allocation routine or that was passed to a free routine
The size of the region involved in the call
The type of memory operation (the AllocationType parameter), shown in hexadecimal as op: and built from the MEM_* flags: 0x1000 is MEM_COMMIT, 0x2000 is MEM_RESERVE, 0x4000 is MEM_DECOMMIT and 0x8000 is MEM_RELEASE
The type of protection requested, shown as prot: and built from the PAGE_* constants (for example 0x4 is PAGE_READWRITE); frees carry prot:0
The stack trace of the call
Examples
The most recent entries are displayed first.
In the following example, the two most recent entries are displayed:
0:001> !avrf -vs 2
VirtualFree (tid: 0xB4): addr:04bb0000 sz:00400000 op:8000 prot:0
        00aa1ac2: verifier!VsLogCall+0x42
        00aa19c1: verifier!AVrfpNtFreeVirtualMemory+0x30
        68925d17: kernel32!VirtualFreeEx+0x35
        6892611c: kernel32!VirtualFree+0x13
        75ef6525: mshtml+0x116525
        75ef68af: mshtml+0x1168AF
        6a20787c: ntdll!LdrpCallInitRoutine+0x14
        6a211c6f: ntdll!LdrUnloadDll+0x39A
        689275c1: kernel32!FreeLibrary+0x3B
        77b22d69: ole32!CoQueryReleaseObject+0x1E6
        77b02bd2: ole32!SetErrorInfo+0x1ED
VirtualFree (tid: 0xB4): addr:04bb0000 sz:00001000 op:4000 prot:0
        00aa1ac2: verifier!VsLogCall+0x42
        00aa19c1: verifier!AVrfpNtFreeVirtualMemory+0x30
        68925d17: kernel32!VirtualFreeEx+0x35
        6892611c: kernel32!VirtualFree+0x13
        75ef65ae: mshtml+0x1165AE
        75ef68af: mshtml+0x1168AF
        6a20787c: ntdll!LdrpCallInitRoutine+0x14
        6a211c6f: ntdll!LdrUnloadDll+0x39A
        689275c1: kernel32!FreeLibrary+0x3B
        77b22d69: ole32!CoQueryReleaseObject+0x1E6
        77b02bd2: ole32!SetErrorInfo+0x1ED
Reading the two entries from the older one (printed second) to the newer one (printed first): thread 0xB4 first decommitted a single 4 KB page (op:4000, MEM_DECOMMIT, sz:00001000) and then released the entire 4 MB virtual region (op:8000, MEM_RELEASE, sz:00400000). Both calls came from the same DLL-unload path, visible in the stack traces as FreeLibrary -> LdrUnloadDll -> mshtml -> VirtualFree.
Here is a display of all operations affecting the address 0x4BB1000:
0:001> !avrf -vs -a 4bb1000
Searching in vspace log for address 04bb1000 ...
VirtualFree (tid: 0xB4): addr:04bb0000 sz:00400000 op:8000 prot:0
        00aa1ac2: verifier!VsLogCall+0x42
        00aa19c1: verifier!AVrfpNtFreeVirtualMemory+0x30
        68925d17: kernel32!VirtualFreeEx+0x35
        6892611c: kernel32!VirtualFree+0x13
        75ef6525: mshtml+0x116525
        75ef68af: mshtml+0x1168AF
        6a20787c: ntdll!LdrpCallInitRoutine+0x14
        6a211c6f: ntdll!LdrUnloadDll+0x39A
        689275c1: kernel32!FreeLibrary+0x3B
        77b22d69: ole32!CoQueryReleaseObject+0x1E6
        77b02bd2: ole32!SetErrorInfo+0x1ED
VirtualFree (tid: 0xB4): addr:04bb1000 sz:00001000 op:4000 prot:0
        00aa1ac2: verifier!VsLogCall+0x42
        00aa19c1: verifier!AVrfpNtFreeVirtualMemory+0x30
        68925d17: kernel32!VirtualFreeEx+0x35
        6892611c: kernel32!VirtualFree+0x13
        75ef65ae: mshtml+0x1165AE
        75ef68af: mshtml+0x1168AF
        6a20787c: ntdll!LdrpCallInitRoutine+0x14
        6a211c6f: ntdll!LdrUnloadDll+0x39A
        689275c1: kernel32!FreeLibrary+0x3B
        77b22d69: ole32!CoQueryReleaseObject+0x1E6
        77b02bd2: ole32!SetErrorInfo+0x1ED
VirtualAlloc (tid: 0xB4): addr:04bb0000 sz:00010000 op:1000 prot:4
        00aa1ac2: verifier!VsLogCall+0x42
        00aa1988: verifier!AVrfpNtAllocateVirtualMemory+0x37
        68925ca3: kernel32!VirtualAllocEx+0x61
        68926105: kernel32!VirtualAlloc+0x16
        75ef63f3: mshtml+0x1163F3
VirtualAlloc (tid: 0xB4): addr:04bb0000 sz:00400000 op:2000 prot:4
        00aa1ac2: verifier!VsLogCall+0x42
        00aa1988: verifier!AVrfpNtAllocateVirtualMemory+0x37
        68925ca3: kernel32!VirtualAllocEx+0x61
        68926105: kernel32!VirtualAlloc+0x16
        75ef63d9: mshtml+0x1163D9
To read this, remember that the entries are dumped starting with the most recent one, so the history of the address runs from the bottom of the output to the top. Thread 0xB4 first reserved a 4 MB region at 0x04BB0000 (op:2000, MEM_RESERVE, prot:4 PAGE_READWRITE), then committed the first 64 KB of it (op:1000, MEM_COMMIT, sz:00010000), which is why the search for 0x04BB1000 matches both allocations even though neither returned that exact address. Later it decommitted the single page at 0x04BB1000 (op:4000, MEM_DECOMMIT), and finally released the entire region (op:8000, MEM_RELEASE). If the process afterwards faults while touching 0x04BB1000, this is the record you want: the stack trace on the release entry identifies the code that gave the memory back while something still referenced it, which is the usual starting point for a use-after-free or wild-pointer investigation.
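The record layout described above and the way the two example listings are read (most recent first, match by address) are easy to automate when a log has hundreds of entries. The following Python script is an added example, not part of the original page or of Application Verifier; it parses text in the `!avrf -vs` format into structured records, decodes the op: and prot: fields with the MEM_* and PAGE_* values from winnt.h, and reconstructs the life cycle of one address. The sample log embedded in it is constructed from the page's second example with the stacks shortened. One assumption to note: the script matches an entry when the address falls inside the [addr, addr+sz) range the entry logged, which reproduces the page's -a output for 0x04BB1000; the extension's own matching rule for frees is the one stated earlier on this page and is not claimed to be identical.

```python
"""Parse `!avrf -vs` output and reconstruct the history of one address.

Added example; the log below is constructed from the page's example output
(stack traces shortened), not captured from a live session.
"""
import re
from dataclasses import dataclass, field

# AllocationType (op:) and protection (prot:) values from <winnt.h>.
MEM_FLAGS = {0x1000: "MEM_COMMIT", 0x2000: "MEM_RESERVE",
             0x4000: "MEM_DECOMMIT", 0x8000: "MEM_RELEASE"}
PAGE_FLAGS = {0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
              0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
              0x40: "PAGE_EXECUTE_READWRITE"}

# One record header, e.g. "VirtualFree (tid: 0xB4): addr:04bb0000 sz:00400000 op:8000 prot:0"
HEADER_RE = re.compile(
    r"^(?P<func>\w+) \(tid: (?P<tid>0x[0-9A-Fa-f]+)\): addr:(?P<addr>[0-9a-fA-F]+) "
    r"sz:(?P<sz>[0-9a-fA-F]+) op:(?P<op>[0-9a-fA-F]+) prot:(?P<prot>[0-9a-fA-F]+)$")
# One stack frame, e.g. "00aa1ac2: verifier!VsLogCall+0x42"
FRAME_RE = re.compile(r"^[0-9a-fA-F]{8}: \S+$")

SAMPLE_LOG = """\
0:001> !avrf -vs -a 4bb1000
Searching in vspace log for address 04bb1000 ...
VirtualFree (tid: 0xB4): addr:04bb0000 sz:00400000 op:8000 prot:0
        00aa1ac2: verifier!VsLogCall+0x42
        00aa19c1: verifier!AVrfpNtFreeVirtualMemory+0x30
        6892611c: kernel32!VirtualFree+0x13
        75ef6525: mshtml+0x116525
VirtualFree (tid: 0xB4): addr:04bb1000 sz:00001000 op:4000 prot:0
        00aa1ac2: verifier!VsLogCall+0x42
        6892611c: kernel32!VirtualFree+0x13
VirtualAlloc (tid: 0xB4): addr:04bb0000 sz:00010000 op:1000 prot:4
        00aa1ac2: verifier!VsLogCall+0x42
        68926105: kernel32!VirtualAlloc+0x16
VirtualAlloc (tid: 0xB4): addr:04bb0000 sz:00400000 op:2000 prot:4
        00aa1ac2: verifier!VsLogCall+0x42
        68926105: kernel32!VirtualAlloc+0x16
"""


@dataclass
class VsEntry:
    func: str
    tid: int
    addr: int
    size: int
    op: int
    prot: int
    stack: list = field(default_factory=list)

    def covers(self, address: int) -> bool:
        """True if `address` lies inside the region this record logged."""
        return self.addr <= address < self.addr + self.size


def decode_flags(value: int, table: dict) -> str:
    """Render a MEM_*/PAGE_* bit mask as 'A|B'; unknown bits are kept as hex."""
    names = [name for bit, name in sorted(table.items()) if value & bit]
    rest = value & ~sum(table)
    if rest:
        names.append(hex(rest))
    return "|".join(names) if names else "0"


def parse_vs_log(text: str) -> list:
    """Return the records in the order printed by the extension (newest first)."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER_RE.match(line)
        if m:
            entries.append(VsEntry(m["func"], int(m["tid"], 16), int(m["addr"], 16),
                                   int(m["sz"], 16), int(m["op"], 16), int(m["prot"], 16)))
        elif entries and FRAME_RE.match(line):
            entries[-1].stack.append(line)
        # prompt echo, "Searching ..." banner and blank lines are skipped
    return entries


def history(entries: list, address: int) -> list:
    """All records touching `address`, oldest first (the reverse of the dump order)."""
    return [e for e in reversed(entries) if e.covers(address)]


def last_free(entries: list, address: int):
    """Most recent VirtualFree-style record covering `address`, or None."""
    return next((e for e in entries if e.func.endswith("Free") and e.covers(address)), None)


def explain(entries: list, address: int) -> str:
    """One-line triage answer: who last freed `address`, and from where."""
    e = last_free(entries, address)
    if e is None:
        return "no free recorded for %#x" % address
    # Skip the verifier's own frames so the first line names the caller.
    callers = [f for f in e.stack if not f.split(": ", 1)[1].startswith("verifier!")]
    top = callers[0] if callers else "<no stack>"
    return "%#x was %s by thread %#x via %s; first caller frame: %s" % (
        address, decode_flags(e.op, MEM_FLAGS), e.tid, e.func, top)


if __name__ == "__main__":
    recs = parse_vs_log(SAMPLE_LOG)
    for rec in history(recs, 0x4bb1000):
        print("%-12s tid=%#x addr=%08x sz=%08x %s %s" % (
            rec.func, rec.tid, rec.addr, rec.size,
            decode_flags(rec.op, MEM_FLAGS), decode_flags(rec.prot, PAGE_FLAGS)))
    print(explain(recs, 0x4bb1000))
```

Run against a pasted `!avrf -vs` dump, `history()` gives the reserve -> commit -> decommit -> release sequence the page walks through by hand, and `explain()` answers the first question in a crash triage: which thread and which caller released the faulting address. Decoding op: with `decode_flags` also makes combined requests such as op:3000 (MEM_COMMIT|MEM_RESERVE in a single VirtualAlloc call) readable at a glance.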