說明
使用 VLD 記憶體洩漏檢測工具輔助開發時整理的學習筆記。本篇對 VLD 2.5.1 原始碼做記憶體洩漏檢測的思路進行剖析。同系列文章目錄可見 《記憶體洩漏檢測工具》目錄
1. 原始碼獲取
version 1.0 及之前版本都使用舊的檢測思路:透過 _CrtSetAllocHook 註冊自定義 AllocHook 函式,從而監視程式的記憶體分配事件,詳見本人另一篇部落格 核心原始碼剖析(VLD 1.0),缺陷是隻能檢測由 new 或 malloc 產生的記憶體洩漏,受限於 _CrtSetAllocHook。從 version 1.9 開始,VLD 換用了新的檢測思路,透過修改匯入地址表(Import Address Table)將原先的記憶體操作函式替換為 VLD 自定義的函式,從而可以檢測到更多型別的洩漏。CodeProject-Visual-Leak-Detector 與 百度網盤-vld-1.9d-setup 可以下載 vld 1.9d 的庫及原始碼,注意,這個版本的安裝器有個坑,會清空之前的 Path 系統變數,只留下 VLD 的,需慎用。Github-dmoulding-vld 上有 vld 1.9h 的原始碼。Github-KindDragon-vld 上有 vld 2.5.1 的原始碼,這是目前的最新版本(其他下載途徑詳見 VLD 2.5.1 原始碼下載)。
本篇文章主要對 vld 2.5.1 的原始碼進行剖析。以下資料可能對理解其檢測原理有幫助:
- 部落格園-Visual Leak Detector 2.3 原理剖析。
- 騰訊雲-HOOK技術實戰。
- 部落格園-臨界區(Critical Section)的封裝和使用示例。
- 部落格園-讓Visual Leak Detector使用最新10.0版本的dbghelp.dll。
- StackExchange-How to hook the entry point of a DLL。
- MSDN-DLL 和 Visual C++ 執行時庫行為。
- MSDN-執行庫行為。
- MSDN-Use the C Run-Time。
- 部落格園-inline hook 原理&教程。
2. 原始碼檔案概覽
以下 26 個檔案是 VLD 原始碼的核心檔案,
vld-master\src
callstack.cpp
callstack.h
criticalsection.h
crtmfcpatch.h
dbghelp.h
dllspatches.cpp
loaderlock.h
map.h
ntapi.cpp
ntapi.h
resource.h
set.h
stdafx.cpp
stdafx.h
tree.h
utility.cpp
utility.h
vld.cpp
vld.h
vldallocator.h
vldapi.cpp
vldheap.cpp
vldheap.h
vldint.h
vld_def.h
vld_hooks.cpp
其中有 17 個 .h 檔案、9 個 .cpp 檔案,各檔案用途簡述如下:
-
以下
5個檔案用於定義VLD內部使用的資料結構,set類似於STL set,map類似於STL map,tree為紅黑樹,callstack類似於STL vector。callstack.cpp callstack.h map.h set.h ree.h -
以下
3個檔案用於定義VLD內部使用的記憶體管理函式,供VLD內部使用。vldallocator.h vldheap.cpp vldheap.h -
以下
3幾個檔案用於定義VLD修正後的記憶體管理函式,供VLD外部使用。進一步跟蹤發現,vld_hooks.cpp裡定義的函式在VLD內部也會被呼叫。crtmfcpatch.h dllspatches.cpp vld_hooks.cpp -
以下
11個檔案定義了一些通用的函式、變數、宏等。criticalsection.h dbghelp.h loaderlock.h ntapi.cpp ntapi.h resource.h stdafx.cpp stdafx.h utility.cpp utility.h vldapi.cpp -
以下
2個檔案定義了VisualLeakDetector類的方法,外部API介面的內部實現多在這裡。vld.cpp vldint.h -
以下
2個檔案是VLD對外的包含檔案,裡面宣告瞭VLD的API介面,還有一些配置宏的定義。vld.h vld_def.h
3. 原始碼剖析
vld 2.5.1 自定義了 vld.dll 的入口點函式,核心程式碼如下,詳見 vld.cpp 第 76~307 行。
#define _DECL_DLLMAIN // for _CRT_INIT
#include <process.h> // for _CRT_INIT
#pragma comment(linker, "/entry:DllEntryPoint")
__declspec(noinline)
BOOL WINAPI DllEntryPoint(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpReserved)
{
// Patch/Restore ntdll address that calls the dll entry point
if (fdwReason == DLL_PROCESS_ATTACH) {
NtDllPatch((PBYTE)_ReturnAddress(), patch);
}
if (fdwReason == DLL_PROCESS_ATTACH || fdwReason == DLL_THREAD_ATTACH)
if (!_CRT_INIT(hinstDLL, fdwReason, lpReserved))
return(FALSE);
if (fdwReason == DLL_PROCESS_DETACH || fdwReason == DLL_THREAD_DETACH)
if (!_CRT_INIT(hinstDLL, fdwReason, lpReserved))
return(FALSE);
if (fdwReason == DLL_PROCESS_DETACH) {
NtDllRestore(patch);
}
return(TRUE);
}
並定義了一個很重要的全域性變數,詳見 vld.cpp 第 60~61 行:
// The one and only VisualLeakDetector object instance.
__declspec(dllexport) VisualLeakDetector g_vld;
從入口點函式可知:
(1)載入 vld.dll 時,做了兩件事:先執行 NtDllPatch() 函式、然後執行 VisualLeakDetector 類建構函式(在 _CRT_INIT() 中)。
(2)解除安裝 vld.dll 時,也做了兩件事:先執行 VisualLeakDetector 類解構函式(在 _CRT_INIT() 中)、然後執行 NtDllRestore() 函式。
3.1 透過 inline hook 修補 LdrpCallInitRoutine
這是載入 vld.dll 時做的第一件事,在 NtDllPatch() 函式中進行。由於每次載入/解除安裝 DLL 時,都會進入預設的 LdrpCallInitRoutine() 函式,為了對新載入的 DLL 做記憶體洩漏檢測(如果配置項 ForceIncludeModules 列表包含這個 DLL),VLD 在 NtDllPatch() 函式中使用 inline hook 技術修補了預設的 LdrpCallInitRoutine() 函式,核心程式碼如下,詳見 vld.cpp 第 171~258 行。
BOOL NtDllPatch(const PBYTE pReturnAddress, NTDLL_LDR_PATCH &NtDllPatch)
{
if (NtDllPatch.bState == FALSE) {
...
BYTE ptr[] = { 0xFF, 0x75, 0x08 }; // push [ebp][08h]
BYTE mov[] = { 0x90, 0xB8, '?', '?', '?', '?' }; // mov eax, 0x00000000
BYTE call[] = { 0xFF, 0xD0 }; // call eax
...
BYTE jmp[] = { 0xE9, '?', '?', '?', '?' }; // jmp 0x00000000
...
if (...) {
...
if (VirtualProtect(NtDllPatch.pDetourAddress, NtDllPatch.nDetourSize, PAGE_EXECUTE_READWRITE, &dwProtect)) {
memset(NtDllPatch.pDetourAddress, 0x90, NtDllPatch.nDetourSize);
...
// Push EntryPoint as last parameter
memcpy(&NtDllPatch.pDetourAddress[0], &ptr, _countof(ptr));
// Copy original param instructions
memcpy(&NtDllPatch.pDetourAddress[_countof(ptr)], NtDllPatch.pPatchAddress, nParamSize);
// Move LdrpCallInitRoutine to eax/rax
*(PSIZE_T)(&mov[2]) = (SIZE_T)LdrpCallInitRoutine;
memcpy(&NtDllPatch.pDetourAddress[_countof(ptr) + nParamSize], &mov, _countof(mov));
// Jump to original function
*(DWORD*)(&jmp[1]) = (DWORD)(pReturnAddress - _countof(call) - (NtDllPatch.pDetourAddress + NtDllPatch.nDetourSize));
memcpy(&NtDllPatch.pDetourAddress[_countof(ptr) + nParamSize + _countof(mov)], &jmp, _countof(jmp));
VirtualProtect(NtDllPatch.pDetourAddress, NtDllPatch.nDetourSize, dwProtect, &dwProtect);
if (VirtualProtect(NtDllPatch.pPatchAddress, NtDllPatch.nPatchSize, PAGE_EXECUTE_READWRITE, &dwProtect)) {
memset(NtDllPatch.pPatchAddress, 0x90, NtDllPatch.nPatchSize);
// Jump to detour address
*(DWORD*)(&jmp[1]) = (DWORD)(NtDllPatch.pDetourAddress - (pReturnAddress - _countof(call)));
memcpy(pReturnAddress - _countof(call) - _countof(jmp), &jmp, _countof(jmp));
// Call LdrpCallInitRoutine from eax/rax
memcpy(pReturnAddress - _countof(call), &call, _countof(call));
VirtualProtect(NtDllPatch.pPatchAddress, NtDllPatch.nPatchSize, dwProtect, &dwProtect);
NtDllPatch.bState = TRUE;
}
}
}
}
return NtDllPatch.bState;
}
用於修補的 LdrpCallInitRoutine() 函式如下,詳見 vld.cpp 第 89~99 行。
typedef BOOLEAN(NTAPI *PDLL_INIT_ROUTINE)(IN PVOID DllHandle, IN ULONG Reason, IN PCONTEXT Context OPTIONAL);
BOOLEAN WINAPI LdrpCallInitRoutine(IN PVOID BaseAddress, IN ULONG Reason, IN PVOID Context, IN PDLL_INIT_ROUTINE EntryPoint)
{
LoaderLock ll;
if (Reason == DLL_PROCESS_ATTACH) {
g_vld.RefreshModules();
}
return EntryPoint(BaseAddress, Reason, (PCONTEXT)Context);
}
對預設的 LdrpCallInitRoutine() 函式修補完成後,在程式的後續執行過程中,每次新載入了 DLL 庫,都會自動執行 g_vld.RefreshModules(),重新整理記憶體洩漏檢測的模組列表。外部 API 介面 VLDRefreshModules() 也是對 g_vld.RefreshModules() 的一個簡單封裝(詳見 vldapi.cpp 第 95~98 行)。這個 g_vld.RefreshModules() 的流程可以簡述如下:
(1)使用 dbghelp.h 庫 EnumerateLoadedModulesW64 函式獲得當前程式的所有已載入模組(DLL、EXE),v2.5.1 使用的 dbghelp.dll 版本為 6.11.1.404。
(2)遍歷已載入模組,確保這些模組的符號資訊可用,使用到的 dbghelp.h 庫函式有:SymGetModuleInfoW64、SymUnloadModule64、SymLoadModuleExW。同時使用 IAT hook 技術替換掉這些模組中的記憶體操作函式,達到監控所有記憶體操作的效果。
(3)儲存當前所有已載入模組的狀態及資訊到 g_vld 的 m_loadedModules 變數中,這是一個類似於 STL set 的資料結構,底層實現是紅黑樹。
3.2 透過 IAT hook 替換記憶體操作函式
這是載入 vld.dll 時做的第二件事,在 VisualLeakDetector 類建構函式中進行,詳見 vld.cpp 第 337~518 行,該建構函式的主幹如下。
// Constructor - Initializes private data, loads configuration options, and
// attaches Visual Leak Detector to all other modules loaded into the current
// process.
//
VisualLeakDetector::VisualLeakDetector ()
{
_set_error_mode(_OUT_TO_STDERR);
// Initialize configuration options and related private data.
_wcsnset_s(m_forcedModuleList, MAXMODULELISTLENGTH, '\0', _TRUNCATE);
m_maxDataDump = 0xffffffff;
m_maxTraceFrames = 0xffffffff;
m_options = 0x0;
...
// Load configuration options.
configure();
if (m_options & VLD_OPT_VLDOFF) {
Report(L"Visual Leak Detector is turned off.\n");
return;
}
...
// Initialize global variables.
g_currentProcess = GetCurrentProcess();
g_currentThread = GetCurrentThread();
g_processHeap = GetProcessHeap();
...
// Initialize remaining private data.
m_heapMap = new HeapMap;
m_heapMap->reserve(HEAP_MAP_RESERVE);
m_iMalloc = NULL;
...
// Initialize the symbol handler. We use it for obtaining source file/line
// number information and function names for the memory leak report.
LPWSTR symbolpath = buildSymbolSearchPath();
...
if (!g_DbgHelp.SymInitializeW(g_currentProcess, symbolpath, FALSE)) {
Report(L"WARNING: Visual Leak Detector: The symbol handler failed to initialize (error=%lu).\n"
L" File and function names will probably not be available in call stacks.\n", GetLastError());
}
delete [] symbolpath;
...
// Attach Visual Leak Detector to every module loaded in the process.
...
g_LoadedModules.EnumerateLoadedModulesW64(g_currentProcess, addLoadedModule, newmodules);
attachToLoadedModules(newmodules);
ModuleSet* oldmodules = m_loadedModules;
m_loadedModules = newmodules;
delete oldmodules;
...
Report(L"Visual Leak Detector Version " VLDVERSION L" installed.\n");
if (m_status & VLD_STATUS_FORCE_REPORT_TO_FILE) {
// The report is being forced to a file. Let the human know why.
Report(L"NOTE: Visual Leak Detector: Unicode-encoded reporting has been enabled, but the\n"
L" debugger is the only selected report destination. The debugger cannot display\n"
L" Unicode characters, so the report will also be sent to a file. If no file has\n"
L" been specified, the default file name is \"" VLD_DEFAULT_REPORT_FILE_NAME L"\".\n");
}
reportConfig();
}
重點在上面的第 47~53 行(對應 vld.cpp 第 494~502 行),這幾行的流程與 g_vld.RefreshModules() 的流程一樣,其中 attachToLoadedModules 的函式主幹如下,詳見 vld.cpp 第 769~906 行:
VOID VisualLeakDetector::attachToLoadedModules (ModuleSet *newmodules)
{
...
// Iterate through the supplied set, until all modules have been attached.
for (ModuleSet::Iterator newit = newmodules->begin(); newit != newmodules->end(); ++newit)
{
...
DWORD64 modulebase = (DWORD64) (*newit).addrLow;
...
// increase reference count to module
HMODULE modulelocal = NULL;
if (!GetModuleHandleEx(GET_MODULE_HANDLE_EX_FLAG_FROM_ADDRESS, (LPCTSTR) modulebase, &modulelocal))
continue;
...
// Attach to the module.
PatchModule(modulelocal, m_patchTable, _countof(m_patchTable));
...
}
}
m_patchTable 裡面儲存了需要進行 IAT hook 的記憶體操作函式表,詳見 dllspatches.cpp,下面是一個概覽。
struct moduleentry_t
{
LPCSTR exportModuleName; // The name of the module exporting the patched API.
BOOL reportLeaks; // Patch module to report leaks from it
UINT_PTR moduleBase; // The base address of the exporting module (filled in at runtime when the modules are loaded).
patchentry_t* patchTable;
};
moduleentry_t VisualLeakDetector::m_patchTable [] = {
// Win32 heap APIs.
"kernel32.dll", FALSE, 0x0, m_kernelbasePatch, // we patch this record on Win7 and higher
"kernel32.dll", FALSE, 0x0, m_kernel32Patch,
// MFC new operators (exported by ordinal).
"mfc42.dll", TRUE, 0x0, mfc42Patch,
"mfc42d.dll", TRUE, 0x0, mfc42dPatch,
"mfc42u.dll", TRUE, 0x0, mfc42uPatch,
"mfc42ud.dll", TRUE, 0x0, mfc42udPatch,
...
"mfc140.dll", TRUE, 0x0, mfc140Patch,
"mfc140d.dll", TRUE, 0x0, mfc140dPatch,
"mfc140u.dll", TRUE, 0x0, mfc140uPatch,
"mfc140ud.dll", TRUE, 0x0, mfc140udPatch,
// CRT new operators and heap APIs.
"msvcrt.dll", FALSE, 0x0, msvcrtPatch,
"msvcrtd.dll", FALSE, 0x0, msvcrtdPatch,
"msvcr70.dll", FALSE, 0x0, msvcr70Patch,
"msvcr70d.dll", FALSE, 0x0, msvcr70dPatch,
...
"msvcr120.dll", FALSE, 0x0, msvcr120Patch,
"msvcr120d.dll",FALSE, 0x0, msvcr120dPatch,
"ucrtbase.dll", FALSE, 0x0, ucrtbasePatch,
"ucrtbased.dll",FALSE, 0x0, ucrtbasedPatch,
// NT APIs.
"ntdll.dll", FALSE, 0x0, m_ntdllPatch,
// COM heap APIs.
"ole32.dll", FALSE, 0x0, m_ole32Patch
};
// This structure allows us to build a table of APIs which should be patched
// through to replacement functions provided by VLD.
struct patchentry_t
{
LPCSTR importName; // The name (or ordinal) of the imported API being patched.
LPVOID* original; // Pointer to the original function.
LPCVOID replacement; // Pointer to the function to which the imported API should be patched through to.
};
static patchentry_t ucrtbasedPatch[] = {
"_calloc_dbg", &UCRTd::data.pcrtd__calloc_dbg, UCRTd::crtd__calloc_dbg,
"_malloc_dbg", &UCRTd::data.pcrtd__malloc_dbg, UCRTd::crtd__malloc_dbg,
"_realloc_dbg", &UCRTd::data.pcrtd__realloc_dbg, UCRTd::crtd__realloc_dbg,
...
};
繼續跟蹤,其中 PatchModule 的函式主幹如下,詳見 utility.cpp 第 628~672 行,這個函式對 m_patchTable 中的每個表,都執行 PatchImport:
BOOL PatchModule (HMODULE importmodule, moduleentry_t patchtable [], UINT tablesize)
{
moduleentry_t *entry;
UINT index;
BOOL patched = FALSE;
...
// Loop through the import patch table, individually patching each import
// listed in the table.
...
for (index = 0; index < tablesize; index++) {
entry = &patchtable[index];
if (PatchImport(importmodule, entry)) {
patched = TRUE;
}
}
return patched;
}
繼續跟蹤,到了 PatchImport 函式,詳見 utility.cpp 第 459~626 行,這是 IAT hook 技術的核心函式,正是在這個函式里,透過修改 IAT(匯入地址表)將原先的記憶體操作函式替換為了 VLD 自定義的函式,修改 IAT 的核心程式碼如下,其中 thunk->u1.Function 是 IAT 表中原函式的地址,replacement 是 VLD 自定義函式的地址,VirtualProtect 用於更改對應記憶體區域的讀寫屬性。
DWORD protect;
if (VirtualProtect(&thunk->u1.Function, sizeof(thunk->u1.Function), PAGE_EXECUTE_READWRITE, &protect)) {
thunk->u1.Function = (DWORD_PTR)replacement;
if (VirtualProtect(&thunk->u1.Function, sizeof(thunk->u1.Function), protect, &protect)) {
...
}
}
除了對當前已載入的模組進行 IAT hook 外,VisualLeakDetector 類建構函式還做了以下工作:
- 初始化一系列全域性的
NT APIs函式控制程式碼、全域性變數、私有變數。 - 初始化
VLD的配置資訊,呼叫configure()函式與reportConfig()函式。 - 初始化符號搜尋路徑,呼叫
buildSymbolSearchPath()函式。
3.3 每次記憶體分配時獲取呼叫堆疊資訊
以 CRT 中的 new 函式為例,VLD 會將其替換為以下自定義函式,詳見 crtmfcpatch.h 第 887~906 行:
// crtd_scalar_new - Calls to the CRT's scalar new operator from msvcrXXd.dll
// are patched through to this function.
//
// - size (IN): The size, in bytes, of the memory block to be allocated.
//
// Return Value:
//
// Returns the value returned by the CRT scalar new operator.
//
template<int CRTVersion, bool debug>
void* CrtPatch<CRTVersion, debug>::crtd_scalar_new (size_t size)
{
PRINT_HOOKED_FUNCTION();
new_t pcrtxxd_scalar_new = (new_t)data.pcrtd_scalar_new;
assert(pcrtxxd_scalar_new);
CAPTURE_CONTEXT();
CaptureContext cc((void*)pcrtxxd_scalar_new, context_, debug, (CRTVersion >= 140));
return pcrtxxd_scalar_new(size);
}
CAPTURE_CONTEXT() 宏定義如下,用於捕獲此次分配的指令地址,為後面獲取呼叫堆疊做準備,詳見 utility.h 第 74~97 行。
// Capture current context
#if defined(_M_IX86)
#define CAPTURE_CONTEXT() \
context_t context_; \
{CONTEXT _ctx; \
RtlCaptureContext(&_ctx); \
context_.Ebp = _ctx.Ebp; context_.Esp = _ctx.Esp; context_.Eip = _ctx.Eip; \
context_.fp = (UINT_PTR)_ReturnAddress();}
#define GET_RETURN_ADDRESS(context) (context.fp)
#elif defined(_M_X64)
#define CAPTURE_CONTEXT() \
context_t context_; \
{CONTEXT _ctx; \
RtlCaptureContext(&_ctx); \
context_.Rbp = _ctx.Rbp; context_.Rsp = _ctx.Rsp; context_.Rip = _ctx.Rip; \
context_.fp = (UINT_PTR)_ReturnAddress();}
#define GET_RETURN_ADDRESS(context) (context.fp)
#else
// If you want to retarget Visual Leak Detector to another processor
// architecture then you'll need to provide an architecture-specific macro to
// obtain the frame pointer (or other address) which can be used to obtain the
// return address and stack pointer of the calling frame.
#error "Visual Leak Detector is not supported on this architecture."
#endif // _M_IX86 || _M_X64
CaptureContext 的建構函式與解構函式如下,詳見 vld.cpp 第 2903~2956 行:
CaptureContext::CaptureContext(void* func, context_t& context, BOOL debug, BOOL ucrt) : m_context(context) {
context.func = reinterpret_cast<UINT_PTR>(func);
m_tls = g_vld.getTls();
if (debug) {
m_tls->flags |= VLD_TLS_DEBUGCRTALLOC;
}
if (ucrt) {
m_tls->flags |= VLD_TLS_UCRT;
}
m_bFirst = (GET_RETURN_ADDRESS(m_tls->context) == NULL);
if (m_bFirst) {
// This is the first call to enter VLD for the current allocation.
// Record the current frame pointer.
m_tls->context = m_context;
}
}
CaptureContext::~CaptureContext() {
if (!m_bFirst)
return;
if ((m_tls->blockWithoutGuard) && (!IsExcludedModule())) {
blockinfo_t* pblockInfo = NULL;
if (m_tls->newBlockWithoutGuard == NULL) {
g_vld.mapBlock(m_tls->heap,
m_tls->blockWithoutGuard,
m_tls->size,
(m_tls->flags & VLD_TLS_DEBUGCRTALLOC) != 0,
(m_tls->flags & VLD_TLS_UCRT) != 0,
m_tls->threadId,
pblockInfo);
}
else {
g_vld.remapBlock(m_tls->heap,
m_tls->blockWithoutGuard,
m_tls->newBlockWithoutGuard,
m_tls->size,
(m_tls->flags & VLD_TLS_DEBUGCRTALLOC) != 0,
(m_tls->flags & VLD_TLS_UCRT) != 0,
m_tls->threadId,
pblockInfo, m_tls->context);
}
CallStack* callstack = CallStack::Create();
callstack->getStackTrace(g_vld.m_maxTraceFrames, m_tls->context);
pblockInfo->callStack.reset(callstack);
}
// Reset thread local flags and variables for the next allocation.
Reset();
}
在 CaptureContext 解構函式里,透過呼叫 g_vld.mapBlock() 或 g_vld.remapBlock() 將此次分配的資訊存入 m_heapMap,這是一個類似於 STL map 的資料結構,底層實現是紅黑樹,詳見 vldint.h,這裡面儲存了此次分配的執行緒 ID、分配序號、分配大小、所在堆等資訊。
// Data is collected for every block allocated from any heap in the process.
// The data is stored in this structure and these structures are stored in
// a BlockMap which maps each of these structures to its corresponding memory
// block.
struct blockinfo_t {
std::unique_ptr<CallStack> callStack;
DWORD threadId;
SIZE_T serialNumber;
SIZE_T size;
bool reported;
bool debugCrtAlloc;
bool ucrt;
};
// BlockMaps map memory blocks (via their addresses) to blockinfo_t structures.
typedef Map<LPCVOID, blockinfo_t*> BlockMap;
// Information about each heap in the process is kept in this map. Primarily
// this is used for mapping heaps to all of the blocks allocated from those
// heaps.
struct heapinfo_t {
BlockMap blockMap; // Map of all blocks allocated from this heap.
UINT32 flags; // Heap status flags
};
// HeapMaps map heaps (via their handles) to BlockMaps.
typedef Map<HANDLE, heapinfo_t*> HeapMap;
class VisualLeakDetector : public IMalloc
{
...
private:
...
HeapMap *m_heapMap; // Map of all active heaps in the process.
...
};
此外,CaptureContext 解構函式中還呼叫 getStackTrace() 獲取呼叫堆疊資訊(一系列指令地址),根據使用者的不同配置,獲取堆疊有兩種方法,分別是 fast 模式與 safe 模式(詳見 配置項 StackWalkMethod)。閱讀原始碼可知,詳見 callstack.cpp 第 605~771 行:fast 模式使用 RtlCaptureStackBackTrace 函式來回溯堆疊,快但可能會漏;safe 模式使用 StackWalk64 函式來跟蹤堆疊,慢卻詳細。
VOID FastCallStack::getStackTrace (UINT32 maxdepth, const context_t& context)
{
...
maxframes = RtlCaptureStackBackTrace(0, maxframes, reinterpret_cast<PVOID*>(myFrames), &BackTraceHash);
...
}
VOID SafeCallStack::getStackTrace (UINT32 maxdepth, const context_t& context)
{
...
// Walk the stack.
while (count < maxdepth) {
count++;
...
if (!g_DbgHelp.StackWalk64(architecture, g_currentProcess, g_currentThread, &frame, ¤tContext, NULL,
SymFunctionTableAccess64, SymGetModuleBase64, NULL, locker)) {
// Couldn't trace back through any more frames.
break;
}
if (frame.AddrFrame.Offset == 0) {
// End of stack.
break;
}
// Push this frame's program counter onto the CallStack.
push_back((UINT_PTR)frame.AddrPC.Offset);
}
}
3.4 生成洩漏檢測報告
與 v1.0 舊版本不同的是,新版本可以在執行過程中呼叫外部介面 VLDReportLeaks() 或 VLDReportThreadLeaks() 即刻輸出洩漏報告,不必等到程式退出時。它們分別是 g_vld.ReportLeaks() 與 g_vld.ReportThreadLeaks() 的簡單封裝,詳見 vldapi.cpp 第 65~73 行。對應的函式程式碼如下,詳見 vld.cpp 第 2394~2434 行。
SIZE_T VisualLeakDetector::ReportLeaks( )
{
if (m_options & VLD_OPT_VLDOFF) {
// VLD has been turned off.
return 0;
}
// Generate a memory leak report for each heap in the process.
SIZE_T leaksCount = 0;
CriticalSectionLocker<> cs(g_heapMapLock);
bool firstLeak = true;
Set<blockinfo_t*> aggregatedLeaks;
for (HeapMap::Iterator heapit = m_heapMap->begin(); heapit != m_heapMap->end(); ++heapit) {
HANDLE heap = (*heapit).first;
UNREFERENCED_PARAMETER(heap);
heapinfo_t* heapinfo = (*heapit).second;
leaksCount += reportLeaks(heapinfo, firstLeak, aggregatedLeaks);
}
return leaksCount;
}
SIZE_T VisualLeakDetector::ReportThreadLeaks( DWORD threadId )
{
if (m_options & VLD_OPT_VLDOFF) {
// VLD has been turned off.
return 0;
}
// Generate a memory leak report for each heap in the process.
SIZE_T leaksCount = 0;
CriticalSectionLocker<> cs(g_heapMapLock);
bool firstLeak = true;
Set<blockinfo_t*> aggregatedLeaks;
for (HeapMap::Iterator heapit = m_heapMap->begin(); heapit != m_heapMap->end(); ++heapit) {
HANDLE heap = (*heapit).first;
UNREFERENCED_PARAMETER(heap);
heapinfo_t* heapinfo = (*heapit).second;
leaksCount += reportLeaks(heapinfo, firstLeak, aggregatedLeaks, threadId);
}
return leaksCount;
}
透過上面這段原始碼可知,輸出洩漏報告時,是遍歷 m_heapMap 逐堆(heap)進行輸出的,兩者的差別僅在於呼叫 reportLeaks() 函式時第四個引數值不同,ReportLeaks() 傳的是預設值 threadId = (DWORD)-1 ,而 ReportThreadLeaks() 傳的是目標執行緒的 threadId。繼續跟蹤,到了 reportLeaks() 函式,核心程式碼如下,詳見 vld.cpp 第 1824~1932 行。
SIZE_T VisualLeakDetector::reportLeaks (heapinfo_t* heapinfo, bool &firstLeak, Set<blockinfo_t*> &aggregatedLeaks, DWORD threadId)
{
BlockMap* blockmap = &heapinfo->blockMap;
SIZE_T leaksFound = 0;
for (BlockMap::Iterator blockit = blockmap->begin(); blockit != blockmap->end(); ++blockit)
{
// Found a block which is still in the BlockMap. We've identified a
// potential memory leak.
LPCVOID block = (*blockit).first;
blockinfo_t* info = (*blockit).second;
if (info->reported)
continue;
if (threadId != ((DWORD)-1) && info->threadId != threadId)
continue;
...
// It looks like a real memory leak.
if (firstLeak) { // A confusing way to only display this message once
Report(L"WARNING: Visual Leak Detector detected memory leaks!\n");
firstLeak = false;
}
SIZE_T blockLeaksCount = 1;
Report(L"---------- Block %Iu at " ADDRESSFORMAT L": %Iu bytes ----------\n", info->serialNumber, address, size);
...
DWORD callstackCRC = 0;
if (info->callStack)
callstackCRC = CalculateCRC32(info->size, info->callStack->getHashValue());
Report(L" Leak Hash: 0x%08X, Count: %Iu, Total %Iu bytes\n", callstackCRC, blockLeaksCount, size * blockLeaksCount);
leaksFound += blockLeaksCount;
// Dump the call stack.
if (blockLeaksCount == 1)
Report(L" Call Stack (TID %u):\n", info->threadId);
else
Report(L" Call Stack:\n");
if (info->callStack)
info->callStack->dump(m_options & VLD_OPT_TRACE_INTERNAL_FRAMES);
// Dump the data in the user data section of the memory block.
if (m_maxDataDump != 0) {
Report(L" Data:\n");
if (m_options & VLD_OPT_UNICODE_REPORT) {
DumpMemoryW(address, (m_maxDataDump < size) ? m_maxDataDump : size);
}
else {
DumpMemoryA(address, (m_maxDataDump < size) ? m_maxDataDump : size);
}
}
Report(L"\n\n");
}
return leaksFound;
}
在 reportLeaks() 函式里,又對每個堆的 BlockMap 進行了遍歷(它也是一個類似於 STL map 的資料結構),這裡面儲存了在該堆上分配的所有記憶體塊資訊,記憶體塊地址為 first key,相應的分配資訊結構體為 second value。
(1)Leak Hash 的計算:由以下呼叫方式及函式定義(詳見 utility.cpp 第 1085~1145 行)可知,這個值由洩露塊大小及其呼叫堆疊決定。進一步跟蹤表明,這個值還可能與堆疊獲取方式(fast 還是 safe)有關,因為不同方式下得到的 startValue 不同(進行 CRC 計算的初值不同)。
DWORD CalculateCRC32(UINT_PTR p, UINT startValue)
{
register DWORD hash = startValue;
hash = (hash >> 8) ^ crctab[(hash & 0xff) ^ ((p >> 0) & 0xff)];
hash = (hash >> 8) ^ crctab[(hash & 0xff) ^ ((p >> 8) & 0xff)];
hash = (hash >> 8) ^ crctab[(hash & 0xff) ^ ((p >> 16) & 0xff)];
hash = (hash >> 8) ^ crctab[(hash & 0xff) ^ ((p >> 24) & 0xff)];
#ifdef WIN64
hash = (hash >> 8) ^ crctab[(hash & 0xff) ^ ((p >> 32) & 0xff)];
hash = (hash >> 8) ^ crctab[(hash & 0xff) ^ ((p >> 40) & 0xff)];
hash = (hash >> 8) ^ crctab[(hash & 0xff) ^ ((p >> 48) & 0xff)];
hash = (hash >> 8) ^ crctab[(hash & 0xff) ^ ((p >> 56) & 0xff)];
#endif
return hash;
}
callstackCRC = CalculateCRC32(info->size, info->callStack->getHashValue());
(2)Call Stack 的符號化:透過下面這一行呼叫 dump() 函式。
info->callStack->dump(m_options & VLD_OPT_TRACE_INTERNAL_FRAMES);
在 dump() 函式中,又呼叫 resolve() 函式對呼叫堆疊進行解析,將一系列指令地址轉換為檔名、函式名、行號等資訊,詳見 callstack.cpp 第 345~468 行,其核心程式碼如下。
int CallStack::resolve(BOOL showInternalFrames)
{
...
// Iterate through each frame in the call stack.
for (UINT32 frame = 0; frame < m_size; frame++)
{
// Try to get the source file and line number associated with
// this program counter address.
SIZE_T programCounter = (*this)[frame];
if (GetCallingModule(programCounter) == g_vld.m_vldBase)
continue;
DWORD64 displacement64;
BYTE symbolBuffer[sizeof(SYMBOL_INFO) + MAX_SYMBOL_NAME_SIZE];
LPCWSTR functionName = getFunctionName(programCounter, displacement64, (SYMBOL_INFO*)&symbolBuffer, locker);
...
BOOL foundline = g_DbgHelp.SymGetLineFromAddrW64(g_currentProcess, programCounter, &displacement, &sourceInfo, locker);
...
if (!foundline)
displacement = (DWORD)displacement64;
NumChars = resolveFunction( programCounter, foundline ? &sourceInfo : NULL,
displacement, functionName, stack_line, _countof( stack_line ));
...
} // end for loop
m_status |= CALLSTACK_STATUS_NOTSTARTUPCRT;
return unresolvedFunctionsCount;
}
使用 SymGetLineFromAddrW64 介面獲得原始檔名和行號,在 getFunctionName() 函式中呼叫 SymFromAddrW 介面獲得函式名,這兩點與 v1.0 的做法一致。在 resolveFunction() 中,使用 GetModuleFileName 介面獲得模組名,並對堆疊資訊字串進行了格式化。
(3)Data 的格式化顯示:透過對 DumpMemoryW() 或 DumpMemoryA() 的呼叫來將記憶體中的資料轉換為十六進位制、ASCII 碼或 Unicode 碼,詳見 utility.cpp 第 48~190 行。DumpMemoryA() 中與編碼轉換相關的核心程式碼如下,透過強制型別轉換完成 ((PBYTE)address)[byteIndex],然後根據 isgraph() 函式的返回值來判斷是否能顯示該字元。
VOID DumpMemoryA (LPCVOID address, SIZE_T size)
{
// Each line of output is 16 bytes.
SIZE_T dumpLen;
if ((size % 16) == 0) {
// No padding needed.
dumpLen = size;
}
else {
// We'll need to pad the last line out to 16 bytes.
dumpLen = size + (16 - (size % 16));
}
...
WCHAR ascDump [18] = {0};
...
for (SIZE_T byteIndex = 0; byteIndex < dumpLen; byteIndex++) {
SIZE_T wordIndex = byteIndex % 16;
...
SIZE_T ascIndex = wordIndex + wordIndex / 8;
if (byteIndex < size) {
BYTE byte = ((PBYTE)address)[byteIndex];
...
if (isgraph(byte)) {
ascDump[ascIndex] = (WCHAR)byte;
}
else {
ascDump[ascIndex] = L'.';
}
}
...
}
}
DumpMemoryW() 中與編碼轉換相關的核心程式碼如下,WORD 是 unsigned short 的別名,先透過強制型別轉換將記憶體中的相鄰兩位元組轉為一個 WORD,然後直接將其賦值給 WCHAR 陣列中的單個元素。
VOID DumpMemoryW (LPCVOID address, SIZE_T size)
{
// Each line of output is 16 bytes.
SIZE_T dumpLen;
if ((size % 16) == 0) {
// No padding needed.
dumpLen = size;
}
else {
// We'll need to pad the last line out to 16 bytes.
dumpLen = size + (16 - (size % 16));
}
...
WCHAR unidump [18] = {0};
...
for (SIZE_T byteIndex = 0; byteIndex < dumpLen; byteIndex++) {
...
SIZE_T uniIndex = ((byteIndex / 2) % 8) + ((byteIndex / 2) % 8) / 8;
if (byteIndex < size) {
...
if (((byteIndex % 2) == 0) && ((byteIndex + 1) < dumpLen)) {
// On every even byte, print one character.
WORD word = ((PWORD)address)[byteIndex / 2];
if ((word == 0x0000) || (word == 0x0020)) {
unidump[uniIndex] = L'.';
}
else {
unidump[uniIndex] = word;
}
}
}
...
}
}
(4)輸出洩漏檢測報告:Report() 函式里(詳見 utility.cpp 第 747~774 行),完成字串的格式化後,又接著呼叫 Print() 輸出洩漏報告(詳見 utility.cpp 第 687~745 行),在這裡面會嘗試呼叫使用者自定義的 ReportHook() 函式,若沒有,則 CallReportHook() 預設返回 0。
VOID Print (LPWSTR messagew)
{
if (NULL == messagew)
return;
int hook_retval=0;
if (!CallReportHook(0, messagew, &hook_retval))
{
if (s_reportEncoding == unicode) {
if (s_reportFile != NULL) {
// Send the report to the previously specified file.
fwrite(messagew, sizeof(WCHAR), wcslen(messagew), s_reportFile);
}
if ( s_reportToStdOut )
fputws(messagew, stdout);
}
else {
const size_t MAXMESSAGELENGTH = 5119;
size_t count = 0;
CHAR messagea [MAXMESSAGELENGTH + 1];
if (wcstombs_s(&count, messagea, MAXMESSAGELENGTH + 1, messagew, _TRUNCATE) != 0) {
// Failed to convert the Unicode message to ASCII.
assert(FALSE);
return;
}
messagea[MAXMESSAGELENGTH] = '\0';
if (s_reportFile != NULL) {
// Send the report to the previously specified file.
fwrite(messagea, sizeof(CHAR), strlen(messagea), s_reportFile);
}
if ( s_reportToStdOut )
fputs(messagea, stdout);
}
if (s_reportToDebugger)
OutputDebugStringW(messagew);
}
else if (hook_retval == 1)
__debugbreak();
if (s_reportToDebugger && (s_reportDelay)) {
Sleep(10); // Workaround the Visual Studio 6 bug where debug strings are sometimes lost if they're sent too fast.
}
}
3.5 程式退出時的工作
解除安裝 vld.dll 時,做了兩件事:先執行 VisualLeakDetector 類解構函式(在 _CRT_INIT() 中)、然後執行 NtDllRestore() 函式。首先看 VisualLeakDetector 類解構函式,詳見 vld.cpp 第 610~722 行,其函式主幹如下。
VisualLeakDetector::~VisualLeakDetector ()
{
...
if (m_status & VLD_STATUS_INSTALLED) {
// Detach Visual Leak Detector from all previously attached modules.
...
g_LoadedModules.EnumerateLoadedModulesW64(g_currentProcess, detachFromModule, NULL);
...
BOOL threadsactive = waitForAllVLDThreads();
if (m_status & VLD_STATUS_NEVER_ENABLED) {
// Visual Leak Detector started with leak detection disabled and
// it was never enabled at runtime. A lot of good that does.
Report(L"WARNING: Visual Leak Detector: Memory leak detection was never enabled.\n");
}
else {
// Generate a memory leak report for each heap in the process.
SIZE_T leaks_count = ReportLeaks();
// Show a summary.
if (leaks_count == 0) {
Report(L"No memory leaks detected.\n");
}
else {
Report(L"Visual Leak Detector detected %Iu memory leak", leaks_count);
Report((leaks_count > 1) ? L"s (%Iu bytes).\n" : L" (%Iu bytes).\n", m_curAlloc);
Report(L"Largest number used: %Iu bytes.\n", m_maxAlloc);
Report(L"Total allocations: %Iu bytes.\n", m_totalAlloc);
}
}
// Free resources used by the symbol handler.
DbgTrace(L"dbghelp32.dll %i: SymCleanup\n", GetCurrentThreadId());
if (!g_DbgHelp.SymCleanup(g_currentProcess)) {
Report(L"WARNING: Visual Leak Detector: The symbol handler failed to deallocate resources (error=%lu).\n",
GetLastError());
}
...
if (threadsactive) {
Report(L"WARNING: Visual Leak Detector: Some threads appear to have not terminated normally.\n"
L" This could cause inaccurate leak detection results, including false positives.\n");
}
Report(L"Visual Leak Detector is now exiting.\n");
...
checkInternalMemoryLeaks();
}
else {
...
}
...
}
在解構函式中做了以下幾個工作:
(1)還原 IAT 表,將被替換的函式還原。呼叫堆疊為:EnumerateLoadedModulesW64 -> detachFromModule -> RestoreModule -> RestoreImport,詳見 RestoreImport 函式,在 utility.cpp 第 776~895 行,核心程式碼為 iate->u1.Function = (DWORD_PTR)original。
(2)等待其他執行緒退出。呼叫了 waitForAllVLDThreads() 函式,詳見 vld.cpp 第 520~565 行,如下所示,當有執行緒未退出時,程式可能會等待幾十秒(不大於 90 秒),這也是有些時候關閉程式但很久未輸出報告的原因。
bool VisualLeakDetector::waitForAllVLDThreads()
{
bool threadsactive = false;
DWORD dwCurProcessID = GetCurrentProcessId();
int waitcount = 0;
// See if any threads that have ever entered VLD's code are still active.
CriticalSectionLocker<> cs(m_tlsLock);
for (TlsMap::Iterator tlsit = m_tlsMap->begin(); tlsit != m_tlsMap->end(); ++tlsit) {
if ((*tlsit).second->threadId == GetCurrentThreadId()) {
// Don't wait for the current thread to exit.
continue;
}
HANDLE thread = OpenThread(SYNCHRONIZE | THREAD_QUERY_INFORMATION, FALSE, (*tlsit).second->threadId);
if (thread == NULL) {
// Couldn't query this thread. We'll assume that it exited.
continue; // XXX should we check GetLastError()?
}
if (GetProcessIdOfThread(thread) != dwCurProcessID) {
//The thread ID has been recycled.
CloseHandle(thread);
continue;
}
if (WaitForSingleObject(thread, 10000) == WAIT_TIMEOUT) { // 10 seconds
// There is still at least one other thread running. The CRT
// will stomp it dead when it cleans up, which is not a
// graceful way for a thread to go down. Warn about this,
// and wait until the thread has exited so that we know it
// can't still be off running somewhere in VLD's code.
//
// Since we've been waiting a while, let the human know we are
// still here and alive.
waitcount++;
threadsactive = true;
if (waitcount >= 9) // 90 sec.
{
CloseHandle(thread);
return threadsactive;
}
Report(L"Visual Leak Detector: Waiting for threads to terminate...\n");
}
CloseHandle(thread);
}
return threadsactive;
}
(3)生成洩漏檢測報告。呼叫了 ReportLeaks() 函式,其實現思路詳見本部落格上文。
(4)生成洩漏檢測總結資訊。leaks_count 為本次檢測出的全部洩漏塊總數,m_curAlloc 為本次檢測出的全部洩漏塊總大小,m_maxAlloc 為整個檢測過程中全部洩漏塊總大小的最大值(即 max(m_curAlloc)),m_totalAlloc 為整個檢測過程中在堆上所分配記憶體的總大小。
Report(L"Visual Leak Detector detected %Iu memory leak", leaks_count);
Report((leaks_count > 1) ? L"s (%Iu bytes).\n" : L" (%Iu bytes).\n", m_curAlloc);
Report(L"Largest number used: %Iu bytes.\n", m_maxAlloc);
Report(L"Total allocations: %Iu bytes.\n", m_totalAlloc);
(5)釋放資源。釋放內部成員變數的記憶體,使用 SymCleanup 釋放符號資源。
(6)洩漏自檢。呼叫了 checkInternalMemoryLeaks() 函式,詳見 vld.cpp 第 567~608 行。透過遍歷一個 VLD 自定義雙向連結串列來判斷自身是否產生了記憶體洩漏,這個雙向連結串列的結構與系統自帶的記憶體管理雙向連結串列相類似,可參考本人另一篇部落格 核心原始碼剖析(VLD 1.0)。
析構完畢後,會執行 NtDllRestore() 函式,詳見 vld.cpp 第 261~279 行,還原對預設 LdrpCallInitRoutine() 的更改。
BOOL NtDllRestore(NTDLL_LDR_PATCH &NtDllPatch)
{
// Restore patched bytes
BOOL bResult = FALSE;
if (NtDllPatch.bState && NtDllPatch.nPatchSize && &NtDllPatch.pBackup[0]) {
DWORD dwProtect = 0;
if (VirtualProtect(NtDllPatch.pPatchAddress, NtDllPatch.nPatchSize, PAGE_EXECUTE_READWRITE, &dwProtect)) {
memcpy(NtDllPatch.pPatchAddress, NtDllPatch.pBackup, NtDllPatch.nPatchSize);
VirtualProtect(NtDllPatch.pPatchAddress, NtDllPatch.nPatchSize, dwProtect, &dwProtect);
if (VirtualProtect(NtDllPatch.pDetourAddress, NtDllPatch.nDetourSize, PAGE_EXECUTE_READWRITE, &dwProtect)) {
memset(NtDllPatch.pDetourAddress, 0x00, NtDllPatch.nDetourSize);
VirtualProtect(NtDllPatch.pDetourAddress, NtDllPatch.nDetourSize, dwProtect, &dwProtect);
bResult = TRUE;
}
}
}
return bResult;
}
4. 其他問題
4.1 如何區分分配記憶體的來由
VLD 2.5.1 思路如下:
-
與 核心原始碼剖析(VLD 1.0) 一樣,使用
_CrtMemBlockHeader結構體的nBlockUse成員來判斷是否屬於CRT分配的記憶體,詳見resolveStacks()函式(vld.cpp 第 2861~2862 行)、getLeaksCount()函式(vld.cpp 第 1739~1740 行)、reportLeaks()函式(vld.cpp 第 1854~1855 行)。 -
透過呼叫堆疊中的函式名來判斷是否屬於
CRT啟動程式碼分配的記憶體,詳見isCrtStartupFunction()函式,在 callstack.cpp 第 513~554 行。 -
VLD仿照_CrtMemBlockHeader結構體自定義了一個vldblockheader_t,用來儲存VLD內部的每次分配資訊,詳見 vldheap.h 第 88~99 行。接著過載了內部的new/delete函式(詳見 vldheap.cpp)、自定義繼承了std::allocator(詳見 vldallocator.h),併為VLD開闢了一個專屬堆g_vldHeap。這樣一來,VLD內部每次分配記憶體時都會分配在專屬堆g_vldHeap上,且都加上這個自定義頭,最終形成了一個儲存VLD內部記憶體分配資訊的雙向連結串列,讓一個全域性指標g_vldBlockList指向這個連結串列的頭節點,後續透過這個全域性指標訪問雙向連結串列,即可獲得VLD內部的記憶體分配資訊。// Memory block header structure used internally by VLD. All internally // allocated blocks are allocated from VLD's private heap and have this header // pretended to them. struct vldblockheader_t { struct vldblockheader_t *next; // Pointer to the next block in the list of internally allocated blocks. struct vldblockheader_t *prev; // Pointer to the preceding block in the list of internally allocated blocks. const char *file; // Name of the file where this block was allocated. int line; // Line number within the above file where this block was allocated. size_t size; // The size of this memory block, not including this header. size_t serialNumber; // Each block is assigned a unique serial number, starting from zero. };
4.2 如何實現多執行緒檢測
與 核心原始碼剖析(VLD 1.0) 一樣,v2.5.1 也使用到了執行緒本地儲存(Thread Local Storage),參考 MicroSoft-Using-Thread-Local-Storage。全域性物件 g_vld 有兩個成員變數 m_tlsIndex 與 m_tlsMap,相關定義可見 vldint.h,如下。
// Thread local storage structure. Every thread in the process gets its own copy
// of this structure. Thread specific information, such as the current leak
// detection status (enabled or disabled) and the address that initiated the
// current allocation is stored here.
struct tls_t {
context_t context; // Address of return address at the first call that entered VLD's code for the current allocation.
UINT32 flags; // Thread-local status flags:
#define VLD_TLS_DEBUGCRTALLOC 0x1 // If set, the current allocation is a CRT allocation.
#define VLD_TLS_DISABLED 0x2 // If set, memory leak detection is disabled for the current thread.
#define VLD_TLS_ENABLED 0x4 // If set, memory leak detection is enabled for the current thread.
#define VLD_TLS_UCRT 0x8 // If set, the current allocation is a UCRT allocation.
UINT32 oldFlags; // Thread-local status old flags
DWORD threadId; // Thread ID of the thread that owns this TLS structure.
HANDLE heap;
LPVOID blockWithoutGuard; // Store pointer to block.
LPVOID newBlockWithoutGuard;
SIZE_T size;
};
// The TlsSet allows VLD to keep track of all thread local storage structures
// allocated in the process.
typedef Map<DWORD,tls_t*> TlsMap;
class VisualLeakDetector : public IMalloc
{
...
private:
...
DWORD m_tlsIndex; // Thread-local storage index.
...
TlsMap *m_tlsMap; // Set of all thread-local storage structures for the process.
...
}
m_tlsIndex 用來接收 TlsAlloc() 返回的索引值,初始化成功後(詳見 vld.cpp 第 337~518 行),當前程式的任何執行緒都可以使用這個索引值來儲存和訪問對應執行緒本地的值,不同執行緒間互不影響,訪問獲得的結果也與其他執行緒無關,v2.5.1 用它來儲存一個 tls_t 結構體指標,這個結構體裡與多執行緒檢測控制有關的變數有 flags、oldFlags、threadId 這三個,其餘的被當做每次記憶體操作時的臨時變數。
m_tlsIndex = TlsAlloc();
...
if (m_tlsIndex == TLS_OUT_OF_INDEXES) {
Report(L"ERROR: Visual Leak Detector could not be installed because thread local"
L" storage could not be allocated.");
return;
}
TlsMap 是一個類似於 STL map 的容器,執行緒 ID 為 first key,對應的 tls_t* 為 second value,用它來管理每個執行緒的 tls_t 結構體記憶體。每次進行記憶體分配時,都會進入 enabled() 函式(詳見 vld.cpp 第 1210~1239 行)與 getTls() 函式(詳見 vld.cpp 第 1287~1325 行),這兩個函式都在分配行為所屬的執行緒中執行。
BOOL VisualLeakDetector::enabled ()
{
if (!(m_status & VLD_STATUS_INSTALLED)) {
// Memory leak detection is not yet enabled because VLD is still
// initializing.
return FALSE;
}
tls_t* tls = getTls();
if (!(tls->flags & VLD_TLS_DISABLED) && !(tls->flags & VLD_TLS_ENABLED)) {
// The enabled/disabled state for the current thread has not been
// initialized yet. Use the default state.
if (m_options & VLD_OPT_START_DISABLED) {
tls->flags |= VLD_TLS_DISABLED;
}
else {
tls->flags |= VLD_TLS_ENABLED;
}
}
return ((tls->flags & VLD_TLS_ENABLED) != 0);
}
tls_t* VisualLeakDetector::getTls ()
{
// Get the pointer to this thread's thread local storage structure.
tls_t* tls = (tls_t*)TlsGetValue(m_tlsIndex);
assert(GetLastError() == ERROR_SUCCESS);
if (tls == NULL) {
DWORD threadId = GetCurrentThreadId();
CriticalSectionLocker<> cs(m_tlsLock);
TlsMap::Iterator it = m_tlsMap->find(threadId);
if (it == m_tlsMap->end()) {
// This thread's thread local storage structure has not been allocated.
tls = new tls_t;
// Add this thread's TLS to the TlsSet.
m_tlsMap->insert(threadId, tls);
} else {
// Already had a thread with this ID
tls = (*it).second;
}
ZeroMemory(&tls->context, sizeof(tls->context));
tls->flags = 0x0;
tls->oldFlags = 0x0;
tls->threadId = threadId;
tls->blockWithoutGuard = NULL;
TlsSetValue(m_tlsIndex, tls);
}
return tls;
}
若是第一次進入,會給當前執行緒分配一個 tls_t 結構體,並初始化結構體的成員變數。若使用者設定了 VLD_OPT_START_DISABLED,則當前執行緒初始值 tls->flags |= VLD_TLS_DISABLED,表示 VLD 對當前執行緒關閉,否則 tls->flags |= VLD_TLS_ENABLED,表示 VLD 對當前執行緒開啟。
4.3 如何實現雙擊輸出自動定位到指定行
這個實現起來比較簡單,只要保證這一行輸出中,前面的字串形式為 "檔案路徑(行號)" 就可以。vld 的堆疊輸出形式正好符合這個要求,因此可以自動跳轉,參考 CppBlog - 如何在 vs 中的 Output 視窗雙擊定位程式碼。下面是這個功能的一個演示例:
#include <Windows.h>
int main()
{
OutputDebugString(L" e:\\Cworkspace\\VSDemo\\testDoubleClick\\testDoubleClick\\main.cpp (3).\n");
return 0;
}