問題描述
當我在調試模式下使用 VisualStudio 編譯程序運行我的程序時,有時我會得到
<塊引用>調試斷言失敗!表達式:_CrtIsValidHeapPointer(block)
或
<塊引用>調試斷言失敗!表達式:is_block_type_valid(header->_block_use)
(或兩個相繼)斷言.
什么意思?如何找到并修復此類問題的根源?
這些斷言表明,應該釋放的指針無效(或不再有效)(_CrtIsValidHeapPointer-assertion)或堆在程序運行期間的某個時間點被破壞 (is_block_type_valid(header->_block_use)-assertion aka _Block_Type_Is_Valid (pHead->nBlockUse)-assertion在早期版本中).
從堆中獲取內存時,malloc/free 函數不直接與操作系統通信,而是與內存管理器通信,通常由相應的內存管理器提供C-運行時.VisualStudio/Windows SDK 為調試構建提供了一個特殊的堆內存管理器,它在運行時執行額外的健全性檢查.
_CrtIsValidHeapPointer 只是一個啟發式,但是無效指針的情況已經足夠多,這個函數可以報告問題.
1._CrtIsValidHeapPointer-斷言何時觸發?
有一些最常見的場景:
A.指針不指向從堆開始的內存:
char *mem = 不在堆上!";免費(內存);這里的文字沒有存儲在堆上,因此可以/不應該被釋放.
B.指針的值不是malloc/calloc返回的原始地址:
unsigned char *mem = (unsigned char*)malloc(100);內存++;免費(內存);//mem地址錯誤!由于 mem 的值在增量后不再是 64byte 對齊的,所以通過完整性檢查可以很容易地看出它不能是堆指針!
一個稍微復雜但并不罕見的 C++ 示例(不匹配 new[] 和 delete):
struct A {int a = 0;~A() {//析構函數不是微不足道的!std::cout <<<<
";}};A *mem = 新 A[10];刪除內存;當new A[n]被調用時,實際上sizeof(size_t)+n*sizeof(A)字節內存是通過malloc (當A類的析構函數不是平凡時),數組中元素的個數保存在分配內存的開頭,返回的指針mem指向的不是到 malloc 返回的原始地址,但是到地址+偏移量 (sizeof(size_t)).然而,delete 對這個偏移量一無所知,并試圖刪除地址錯誤的指針(delete [] 會做正確的事情).
C.雙重免費:
unsigned char *mem = (unsigned char*)malloc(10);免費(內存);免費(內存);# 指針已經被釋放C++ 中一個很常見的原因是 3 的規則/5 沒有得到遵守,例如:
struct A {//bad: 不遵守三規則int* ptr;A(int i): ptr(new int(i)){}~A() { 刪除指針;}};{A(0);a b = a;//a 和 b 共享指針:a.ptr == b.ptr}//這里 b 和 a 的析構函數被調用 =>問題//首先 b.ptr 被刪除//刪除(已經刪除)a.ptr 現在會導致 UB/error.D.來自另一個運行時/內存管理器的指針
Windows 程序能夠同時使用多個運行時:每個使用的 dll 都可能有自己的運行時/內存管理器/堆,因為它是靜態鏈接的,或者因為它們有不同的版本.因此,在一個 dll 中分配的內存在另一個 dll 中釋放時可能會失敗,該 dll 使用不同的堆(參見例如這個 SO-question 或這個 SO 問題).
2.is_block_type_valid(header->_block_use)-assertion 何時觸發?
在上述情況 A. 和 B. 中,另外 is_block_type_valid(header->_block_use) 也會觸發.在 _CrtIsValidHeapPointer 斷言之后,free 函數(更精確的 free_dbg_nolock)在塊頭(由調試堆,稍后會提供更多信息)并檢查塊類型是否有效.但是,由于指針完全是偽造的,因此 nBlockUse 預期在內存中的位置是一些隨機值.
但是,在某些情況下,當 is_block_type_valid(header->_block_use) 在沒有先前的 _CrtIsValidHeapPointer-assertion 的情況下觸發時.
A._CrtIsValidHeapPointer 不檢測無效指針
這是一個例子:
unsigned char *mem = (unsigned char*)malloc(100);內存+=64;免費(內存);因為 debug-heap 用 0xCD 填充分配的內存,我們可以肯定訪問 nBlockUse 會產生錯誤的類型,從而導致上述斷言.>
B.堆損壞
大多數時候,當 is_block_type_valid(header->_block_use) 在沒有 _CrtIsValidHeapPointer 的情況下觸發時,這意味著堆由于某些超出范圍而損壞寫.
所以如果我們精致"(并且不要覆蓋無人區"-稍后會詳細介紹):
unsigned char *mem = (unsigned char*)malloc(100);*(mem-17)=64;//顛簸 _block_use.免費(內存);僅導致 is_block_type_valid(header->_block_use).
在上述所有情況下,可以通過跟蹤內存分配來找到潛在的問題,但了解更多關于調試堆的結構會有很大幫助.
可以找到有關調試堆的概述,例如在文檔中,或者所有的實現細節都可以在相應的Windows Kit中找到,(例如C:Program Files (x86)Windows Kits10Source10.0.16299.0ucrtheapdebug_heap.cpp).
簡而言之:當在調試堆上分配內存時,分配的內存比需要的多,因此無人區"之類的附加結構將被分配.和附加信息,例如 _block_use,可以存儲在真實"旁邊.記憶.實際的內存布局是:
-------------------------------------------------------------------------|區塊頭+無人區|真實"記憶|無人區| 高分辨率照片| CLIPARTO----------------------------------------------------------------------|32 字節 + 4 字節 |?字節 |4 字節 |-----------------------------------------------------------------無人區"中的每一個字節在末尾和開頭設置為一個特殊值 (0xFD),因此一旦它被覆蓋,我們就可以注冊越界寫訪問(只要它們最多關閉 4 個字節)).
比如在new[]-delete-mismatch的情況下,我們可以分析一下指針之前的內存,看看這是否是無人區(這里作為代碼,但通常在調試器中完成):
A *mem = 新 A[10];...//代替//刪除內存;//調查內存:unsigned char* ch = reinterpret_cast(mem);for (int i = 0; i <16; i++) {std::cout <<(int)(*(ch - i)) <<"";} 我們得到:
0 0 0 0 0 0 0 0 10 253 253 253 253 0 0 52即前 8 個字節用于元素數 (10),而不是我們看到的無人區".(0xFD=253) 然后是其他信息.很容易看出,出了什么問題 - 如果指針正確,前 4 個值在 253.
當調試堆釋放內存時,它會用一個特殊的字節值覆蓋它:0xDD,即221.還可以通過設置標志_CRTDBG_DELAY_FREE_MEM_DF來限制曾經使用和釋放的內存的重用,因此內存不僅在free調用之后直接保持標記,而且在整個運行過程中保持標記的程序.所以當我們第二次嘗試釋放同一個指針時,調試堆可以看到,內存已經被釋放一次并觸發斷言.
因此,通過分析指針周圍的值,也很容易看出問題是雙重釋放的:
unsigned char *mem = (unsigned char*)malloc(10);免費(內存);for (int i = 0; i <16; i++) {printf("%d", (int)(*(mem - i)));}免費(內存);//第二個空閑印刷品
221 221 221 221 221 221 221 221 221 221 221 221 221 221 221 221內存,即內存已經被釋放一次.
關于檢測堆損壞:
無人區的目的是檢測超出范圍的寫入,但這僅適用于在任一方向關閉 4 個字節,例如:
unsigned char *mem = (unsigned char*)malloc(100);*(mem-1)=64;//擊敗無人區免費(內存);導致
檢測到堆損壞:在正常塊 (#13266) 之前 0x0000025C6CC21050.CRT 檢測到應用程序在開始堆緩沖區之前寫入內存.查找堆損壞的一個好方法是使用 _CrtSetDbgFlag(_CRTDBG_CHECK_ALWAYS_DF) 或 ASSERT(_CrtCheckMemory());(請參閱此 SO-post).但是,這有點間接 - 使用 gflags 的更直接方式,如本 SO-post<中所述/a>(gflags 需要大約 30 倍的內存并且慢大約 10 倍,這并不罕見).
順便說一句,_CrtMemBlockHeader 的定義隨著時間的推移而改變,不再是 在線幫助,但是:
struct _CrtMemBlockHeader{_CrtMemBlockHeader* _block_header_next;_CrtMemBlockHeader* _block_header_prev;字符常量* _file_name;int_line_number;int_block_use;size_t _data_size;長_request_number;無符號字符_gap [no_mans_land_size];//其次是://無符號字符 _data[_data_size];//unsigned char _another_gap[no_mans_land_size];};When I run my with VisualStudio compiled programs in debug-mode, sometimes I get
Debug assertion failed! Expression:
_CrtIsValidHeapPointer(block)
or
Debug assertion failed! Expression:
is_block_type_valid(header->_block_use)
(or both after each other) assertions.
What does it mean? How can I find and fix the origin of such problems?
These assertions show that either the pointer, which should be freed is not (or no longer) valid (_CrtIsValidHeapPointer-assertion) or that the heap was corrupted at some point during the run of the program (is_block_type_valid(header->_block_use)-assertion aka _Block_Type_Is_Valid (pHead->nBlockUse)-assertion in earlier versions).
When acquiring memory from the heap, functions malloc/free don't communicate directly with the OS, but with a memory manager, which is usually provided by the corresponding C-runtime. VisualStudio/Windows SDK provide a special heap-memory manager for debug-builds, which performs additional sanity checks during the run time.
_CrtIsValidHeapPointer is just a heuristic, but there are enough cases of invalid pointers, for which this function can report a problem.
1. When does _CrtIsValidHeapPointer-assertion fire?
There are some of the most usual scenarios:
A. Pointer doesn't point to a memory from the heap to begin with:
char *mem = "not on the heap!";
free(mem);
here the literal isn't stored on the heap and thus can/should not be freed.
B. The value of the pointer isn't the original address returned by malloc/calloc:
unsigned char *mem = (unsigned char*)malloc(100);
mem++;
free(mem); // mem has wrong address!
As value of mem is no longer 64byte aligned after the increment, the sanity check can easily see that it cannot be a heap-pointer!
A slightly more complex, but not unusual C++-example (mismatch new[] and delete):
struct A {
int a = 0;
~A() {// destructor is not trivial!
std::cout << a << "
";
}
};
A *mem = new A[10];
delete mem;
When new A[n] is called, actually sizeof(size_t)+n*sizeof(A)bytes memory are allocated via malloc (when the destructor of the class A is not trivial), the number of elements in array is saved at the beginning of the allocated memory and the returned pointer mem points not to the original address returned by malloc, but to address+offset (sizeof(size_t)). However, delete knows nothing about this offset and tries to delete the pointer with wrong address (delete [] would do the right thing).
C. double-free:
unsigned char *mem = (unsigned char*)malloc(10);
free(mem);
free(mem); # the pointer is already freed
A very common reason in C++ that rule of three/five isn't adhered to, e.g:
struct A {// bad: doesn't adhere to rule of three
int* ptr;
A(int i): ptr(new int(i)){}
~A() { delete ptr; }
};
{
A a(0);
A b = a; // a and b share pointer: a.ptr == b.ptr
} // here destructors of b and a called => problem
// at first b.ptr gets deleted
// deleting (already deleted) a.ptr leads now to UB/error.
D. pointer from another runtime/memory manager
Windows programs have the ability to use multiple runtimes at once: every used dll could potentially have its own runtime/memory manager/heap, because it was linked statically or because they have different versions. Thus, a memory allocated in one dll, could fail when freed in another dll, which uses a different heap (see for example this SO-question or this SO-question).
2. When does is_block_type_valid(header->_block_use)-assertion fire?
In the above cases A. and B., in addition also is_block_type_valid(header->_block_use) will fire. After _CrtIsValidHeapPointer-assertion, the free-function (more precise free_dbg_nolock) looks for info in the block-header (a special data structure used by debug-heap, more information about it later on) and checks that the block type is valid. However, because the pointer is completely bogus, the place in the memory, where nBlockUse is expected to be, is some random value.
However, there are some scenarios, when is_block_type_valid(header->_block_use) fires without previous _CrtIsValidHeapPointer-assertion.
A. _CrtIsValidHeapPointer doesn't detect invalid pointer
Here is an example:
unsigned char *mem = (unsigned char*)malloc(100);
mem+=64;
free(mem);
Because debug-heap fills the allocated memory with 0xCD, we can be sure that accessing nBlockUse will yield a wrong type, thus leading to the above assertion.
B. Corruption of the heap
Most of the time, when is_block_type_valid(header->_block_use) fires without _CrtIsValidHeapPointer it means, that the heap was corrupted due to some out-of-range writes.
So if we "delicate" (and don't overwrite "no man's land"-more on that later):
unsigned char *mem = (unsigned char*)malloc(100);
*(mem-17)=64; // thrashes _block_use.
free(mem);
leads only to is_block_type_valid(header->_block_use).
In all above cases, it is possible to find the underlying issue by following memory allocations, but knowing more about the structure of debug-heap helps a lot.
An overview about debug-heap can be found e.g. in documentation, alternatively all details of the implementation can be found in the corresponding Windows Kit,(e.g. C:Program Files (x86)Windows Kits10Source10.0.16299.0ucrtheapdebug_heap.cpp).
In a nutshell: When a memory is allocated on a debug heap, more memory than needed is allocated, so additional structures such as "no man's land" and additional info, such as _block_use, can be stored next to the "real" memory. The actual memory layout is:
------------------------------------------------------------------------
| header of the block + no man's land | "real" memory | no man's land |
----------------------------------------------------------------------
| 32 bytes + 4bytes | ? bytes | 4 bytes |
------------------------------------------------------------------------
Every byte in "no man's land" at the end and at the beginning are set to a special value (0xFD), so once it is overwritten we can register out-of-bounds write access (as long as they are at most 4 bytes off).
For example in the case of new[]-delete-mismatch we can analyze memory before the pointer, to see whether this is no man's land or not (here as code, but normally done in debugger):
A *mem = new A[10];
...
// instead of
//delete mem;
// investigate memory:
unsigned char* ch = reinterpret_cast<unsigned char*>(mem);
for (int i = 0; i < 16; i++) {
std::cout << (int)(*(ch - i)) << " ";
}
we get:
0 0 0 0 0 0 0 0 10 253 253 253 253 0 0 52
i.e. the first 8 bytes are used for the number of elements (10), than we see "no man's land" (0xFD=253) and then other information. It is easy to see, what is going wrong - if the pointer where correct, the first 4 values where 253.
When Debug-heap frees memory it overwrites it with a special byte value: 0xDD, i.e. 221. One also can restrict the reuse of once used and freed memory by setting flag _CRTDBG_DELAY_FREE_MEM_DF, thus the memory stays marked not only directly after the free-call, but during the whole run of the program. So when we try to free the same pointer a second time, debug-heap can see, taht the memory was already freed once and fire the assertion.
Thus, it is also easy to see, that the problem is a double-free, by analyzing the values around pointer:
unsigned char *mem = (unsigned char*)malloc(10);
free(mem);
for (int i = 0; i < 16; i++) {
printf("%d ", (int)(*(mem - i)));
}
free(mem); //second free
prints
221 221 221 221 221 221 221 221 221 221 221 221 221 221 221 221
the memory, i.e. the memory was already freed once.
On the detection of heap-corruption:
The purpose of no-man's land is to detect out-of-range writes, this however works only for being off for 4 bytes in either direction, e.g.:
unsigned char *mem = (unsigned char*)malloc(100);
*(mem-1)=64; // thrashes no-man's land
free(mem);
leads to
HEAP CORRUPTION DETECTED: before Normal block (#13266) at 0x0000025C6CC21050.
CRT detected that the application wrote to memory before start of heap buffer.
A good way to find heap corruption is to use _CrtSetDbgFlag(_CRTDBG_CHECK_ALWAYS_DF) or ASSERT(_CrtCheckMemory());(see this SO-post). However, this is somewhat indirect - a more direct way it to use gflags as explained in this SO-post (it is not unusual that gflags needs about 30 times more memory and is about 10 times slower).
Btw, the definition of _CrtMemBlockHeader changed over the time and no longer the one shown in online-help, but:
struct _CrtMemBlockHeader
{
_CrtMemBlockHeader* _block_header_next;
_CrtMemBlockHeader* _block_header_prev;
char const* _file_name;
int _line_number;
int _block_use;
size_t _data_size;
long _request_number;
unsigned char _gap[no_mans_land_size];
// Followed by:
// unsigned char _data[_data_size];
// unsigned char _another_gap[no_mans_land_size];
};
這篇關于為什么我會得到 _CrtIsValidHeapPointer(block) 和/或 is_block_type_valid(header->_block_use) 斷言?的文章就介紹到這了,希望我們推薦的答案對大家有所幫助,也希望大家多多支持html5模板網!