A Bug in _CrtMemCheckpoint
|
Home |
 |
Back To Tips Page |
|
A Bug in _CrtMemCheckpoint |
|
A memory leak is a really tedious set of problems to address. But it is not helped by the fact that one of the tools which allegedly might help find a memory leak is in fact buggy.
You might expect, based on the description of _CrtMemCheckpoint and the associated _CrtMemState structure, that this might be useful in helping you find memory leaks. For example, you might be led to suspect that if you did
_CrtMemState ms; ...do stuff here to set up _CrtMemCheckpoint(&ms); UINT start = ms.lTotalCount; ...do stuff whose expected net consumption is 0 _CrtMemCheckpoint(&ms); ASSERT(start == ms.lTotalCount); // net consumption not zero!
that you would detect if there was a memory leak between the two calls.
Unfortunately, this won't work. There is a serious bug in the dbgheap.c logic, or its documentation, that means that the number for lTotalCount is irrelevant.
This bug is present in all versions of VS from at least VS6 through VS2005.
The documentation for _CrtMemState says:
To capture a summary snapshot of the state of the heap at a given time, use
the _CrtMemState structure defined in CRTDBG.H:
typedef struct _CrtMemState
{
// Pointer to the most recently allocated block:
struct _CrtMemBlockHeader * pBlockHeader;
// A counter for each of the 5 types of block:
size_t lCounts[_MAX_BLOCKS];
// Total bytes allocated in each block type:
size_t lSizes[_MAX_BLOCKS];
// The most bytes allocated at a time up to now:
size_t lHighWaterCount;
// The total bytes allocated at present:
size_t lTotalCount;
} _CrtMemState;
You would suspect from this description that lTotalCount represents the total bytes currently allocated at present.
Unfortunately, you would be wrong.
A simple examination of the code of dbgheap.c shows the following manipulation of the variable that is used to hold lTotalCount:
| Version |
Line |
Function | Code |
| VS6 | 61 | (module-level declaration) |
static unsigned long _lTotalAlloc; /*Grand total - sum of all allocations */ |
| 398 | _heap_alloc_debug | _lTotalAlloc += nSize; | |
| 664 | realloc_help | _lTotalAlloc -= pNewBlock->nDataSize; | |
| 665 | _lTotalAlloc += nNewSize; | ||
| 1850 | _CrtMemCheckpoint | state->lTotalCount = _lTotalAlloc; | |
| VS.NET 2003 | 70 | (module-level declaration) |
static unsigned long _lTotalAlloc; /*Grand total - sum of all allocations */ |
| 420 | _heap_alloc_debug | _lTotalAlloc += nSize; | |
| 715 | realloc_help | _lTotalAlloc -= pNewBlock->nDataSize; | |
| 716 | _lTotalAlloc += nNewSize; | ||
| 1986 | _CrtMemCheckpoint | state->lTotalCount = _lTotalAlloc; | |
| VS2005 | 81 | (module-level declaration) |
static unsigned long _lTotalAlloc; /*Grand total - sum of all allocations */ |
| 434 | _heap_alloc_debug | _lTotalAlloc += nSize; | |
| 753 | realloc_help | _lTotalAlloc -= pNewBlock->nDataSize; | |
| 754 | _lTotalAlloc += nNewSize; | ||
| 2174 | _CrtMemCheckpoint | state->lTotalCount = _lTotalAlloc; |
This appears to be an error caused by someone misreading the code or misunderstanding what it meant. The result is that the documentation produced for end-user consumption would indicate that this number is the total current allocation, but in fact it is, as indicated in the comment, the sum of all allocations throughout the history of the execution. For example, a loop that allocates and frees 20 bytes would appear to be leaking 20 bytes on each iteration, when in fact there is no net loss of storage.
The particular example was prompted by a question in the newsgroup, where the code given was in support of the claim that GetTextExtent did not free the CString that was being created. A slight adaptation of the code is shown here
_CrtMemState ms;
CClientDC dc(this);
for(int i = 0; i < 1000; i++)
{ /* use storage */
CSize sz = dc.GetTextExtent(_T("abcdefg"));
_CrtMemCheckpoint(&ms);
TRACE("%Total space allocated: %i\n", ms.lTotalCount);
} /* use storage */
and a piece of the observed output was
Total space allocated: 9249 Total space allocated: 9269 Total space allocated: 9289 Total space allocated: 9309 Total space allocated: 9329
However, if you write a function that actually counts the number of allocated blocks in the heap, such as this one
/****************************************************************************
* CountWalk
* Result: UINT
* Amount of space allocated as revealed by _heapwalk
****************************************************************************/
UINT CountWalk()
{
int HeapStatus;
BOOL running = TRUE;
_HEAPINFO info;
info._pentry = NULL;
UINT UsedBytes = 0;
while(running)
{ /* scan heap */
HeapStatus = _heapwalk(&info);
switch(HeapStatus)
{ /* check status */
case _HEAPOK:
break;
case _HEAPEND:
running = FALSE;
break;
default:
ASSERT(FALSE);
running = FALSE;
continue;
} /* check status */
if(info._useflag == _USEDENTRY)
{ /* used block */
UsedBytes += info._size;
} /* used block */
} /* scan heap */
return UsedBytes;
} // CountWalk
and the code is modified as shown below
for(int i = 0; i < 1000; i++)
{ /* use storage */
CSize sz = dc.GetTextExtent(_T("abcdefg"));
_CrtMemCheckpoint(&ms);
TRACE("%4d: Total space allocated (_CrtMemCheckpoint): %i\n", i, ms.lTotalCount);
TRACE("%4d: Total space allocated (_heapwalk): %i\n", i, CountWalk());
} /* use storage */
then the new output is
0: Total space allocated (_CrtMemCheckpoint): 9249 0: Total space allocated (_heapwalk): 17424 1: Total space allocated (_CrtMemCheckpoint): 9269 1: Total space allocated (_heapwalk): 17424 2: Total space allocated (_CrtMemCheckpoint): 9289 2: Total space allocated (_heapwalk): 17424 3: Total space allocated (_CrtMemCheckpoint): 9309 3: Total space allocated (_heapwalk): 17424 4: Total space allocated (_CrtMemCheckpoint): 9329 4: Total space allocated (_heapwalk): 17424 ... 195: Total space allocated (_CrtMemCheckpoint): 13149 195: Total space allocated (_heapwalk): 17424 196: Total space allocated (_CrtMemCheckpoint): 13169 196: Total space allocated (_heapwalk): 17424 197: Total space allocated (_CrtMemCheckpoint): 13189 ... 473: Total space allocated (_CrtMemCheckpoint): 18709 473: Total space allocated (_heapwalk): 17424 474: Total space allocated (_CrtMemCheckpoint): 18729 474: Total space allocated (_heapwalk): 17424 475: Total space allocated (_CrtMemCheckpoint): 18749 475: Total space allocated (_heapwalk): 17424 ... 931: Total space allocated (_CrtMemCheckpoint): 27869 931: Total space allocated (_heapwalk): 17424 932: Total space allocated (_CrtMemCheckpoint): 27889 932: Total space allocated (_heapwalk): 17424 933: Total space allocated (_CrtMemCheckpoint): 27909 933: Total space allocated (_heapwalk): 17424 934: Total space allocated (_CrtMemCheckpoint): 27929 934: Total space allocated (_heapwalk): 17424 935: Total space allocated (_CrtMemCheckpoint): 27949 935: Total space allocated (_heapwalk): 17424 ...
Note that while the _CrtMemCheckpoint value keeps going up, the actual count of bytes allocated remains constant.
Back when I used to do lectures on such topics, one of the things I would do is hand out a set of rulers (that had been printed on transparencies) and a piece of paper with two points on it. I hand these out myself, one at a time, by walking along between the students, or, in other contexts, I have a student assistant do this. The points were deliberately created to be 1/4" in diameter. The question is "How far apart are these dots?" That's the whole question. The answer was specified as needing to be accurate to 1/32". The students had to measure the distance, write it down, and then we compared the answers. The rule was that there was to be no talking to each other during the experiment, no communication at all, and I would answer no questions. (The dots were exactly two inches apart, center-to-center).
I handed out a set of rulers that were largely erroneous. They were identified by letters. Each ruler is four inches long. I can no longer find the file I used to create these, but you can assume that something like this was true
| Ruler | Characteristic |
| A | Marks are 1/16" apart. There are only inch marks and 1/16" marks. There are 15 marks per inch. |
| B | Marks are 1/16" apart. There are only inch marks and 1/16" marks. There are 16 marks per inch. One inch on the ruler is 15/16 of a standard inch. |
| C | Marks are 1/16" apart. There are only inch marks and 1/16" marks. There are 16 marks per inch. One inch on the ruler is 11/16" of a standard inch. |
| D | Same as B, but one inch on the ruler is 7/8 of a standard inch. |
| E | Same as C, but one inch on the ruler is 11/8 of a standard inch. |
| F | Same as B, except the first inch is 31/32", the second inch is , the third inch is 29/32", the fourth inch is 7/8". |
| G | Marks are 1/16" apart. There are only inch marks and 1/16" marks. The first inch has only 15 marks. |
I poll the students for their results and write them down. The results were wonderful. No two people got the same result!
The protocol was that all they could say when asked was the measurement they got; the experiment was not over yet.
Next, I asked the people on the left to exchange their rulers with the people on the right, and measure again. I then write down the results of the second set of measurements.
Now they're allowed to talk.
First, one of the questions was "did you want the distance between the dots, or the center-to-center distance, or the edge-to-edge distance?" Of course, this is a valid question, and I carefully avoided stating it. The importance of this question is that you first have to be able to specify what you are measuring! Lacking that specification, all answers are meaningless. So the first important question is:
1. What are you measuring?
But the real problem is that there is no real calibration of the rulers. There is no guarantee that they are actually measuring an inch. This gets back to the question of calibration of the measuring device. This is the second important question:
2. What are you measuring with?
I note that everyone made exactly one measurement by which they arrived at their conclusion. I'm not sure what validity this has. In a course I used to teach to 11-14-year-olds, we had to measure the height of the Museum ceiling, which was three stories about the floor. The way we did this was to take a laser pointer and place it in a block of wood, which I had carefully drilled so the hole was as precisely vertical as I could manage, and the laser pointer fit snugly into it. Then a pair of students would take another laser pointer and a protractor, measure out 20 feet from the vertical laser, and point the second laser so that the two dots were as close as they could get. They would then write down the angle.
When we got back to the classroom, they would plot, on graph paper, the vertical, the horizontal, and the angle. The intercept of the angle line with the vertical is the height of the ceiling. Of course, we got a large number of results. The ceiling was anywhere from 48 to 72 feet high! I use this to teach them that science is never precise; we work out the standard error, and no competent scientist would say "The answer is precisely x" but would say "based on a series of measurements, the answer is x, ±e". And that's the lesson. This is the third important question:
3. How accurate are your measurements?
So when I see a result that looks wrong, I go looking for independent verification of the behavior. My first approach was to simply examine the relevant code generated by the compiler. To make sure I was reading the right code, I actually looked at the generated code.
The original poster had used VS6, so this is the code from VS6. The argument was that it appeared to happen in debug mode, not in release mode, so I examined the code from both:
CSize sz = dc.GetTextExtent(_T("ABCDEF"));
VS6 DEBUG 00401991 68 D4 53 41 00 push offset string "ABCDEF" (004153d4) 00401996 8D 4D C8 lea ecx,[ebp-38h] 00401999 E8 4A 05 00 00 call CString::CString (00401ee8) 0040199E C6 45 FC 02 mov byte ptr [ebp-4],2 004019A2 8D 45 C8 lea eax,[ebp-38h] 004019A5 50 push eax 004019A6 8D 4D C0 lea ecx,[ebp-40h] 004019A9 51 push ecx 004019AA 8D 4D D4 lea ecx,[ebp-2Ch] 004019AD E8 30 05 00 00 call CDC::GetTextExtent (00401ee2) 004019B2 8B 10 mov edx,dword ptr [eax] 004019B4 8B 40 04 mov eax,dword ptr [eax+4] 004019B7 89 55 CC mov dword ptr [ebp-34h],edx 004019BA 89 45 D0 mov dword ptr [ebp-30h],eax 004019BD C6 45 FC 01 mov byte ptr [ebp-4],1 004019C1 8D 4D C8 lea ecx,[ebp-38h] 004019C4 E8 37 05 00 00 call CString::~CString (00401f00) VS6 RELEASE: 00401379 68 20 30 40 00 push offset string "ABCDEF" (00403020) 0040137E 8D 4C 24 10 lea ecx,[esp+10h] 00401382 C7 44 24 38 01 00 00 mov dword ptr [esp+38h],1 0040138A E8 95 03 00 00 call CString::CString (00401724) 0040138F 8B 44 24 0C mov eax,dword ptr [esp+0Ch] 00401393 8D 54 24 10 lea edx,[esp+10h] 00401397 52 push edx 00401398 8B 48 F8 mov ecx,dword ptr [eax-8] 0040139B 51 push ecx 0040139C 50 push eax 0040139D 8B 44 24 2C mov eax,dword ptr [esp+2Ch] 004013A1 50 push eax 004013A2 FF 15 00 20 40 00 call dword ptr [__imp__GetTextExtentPoint32A@16 (00402000)] 004013A8 8D 4C 24 0C lea ecx,[esp+0Ch] 004013AC E8 7F 03 00 00 call CString::~CString (00401730)
The code seems completely obvious: a temporary CString object is created, used, and freed. So there should be no storage leak.
I posted this, and the argument was made that CString::~CString obviously wasn't releasing the storage. Now, this seemed very unlikely to me. Any bug this egregious would have been fixed a decade ago.
Of course, my immediate question was to ask what the basis for this allegation was (What are you measuring? What are you measuring with?)
The answer was the code shown above that uses _CrtMemCheckpoint. Now, this didn't make any sense. If you believe the specification, at least. So it meant that there was either something very deeply wrong, or the results were a lie. So I just single-stepped into the code and watched the _CrtMemCheckpoint code execute. I saw what variable it was storing. That variable was clearly incrementing. So I next watched the creation of the string, and saw the line of code that incremented _lTotalAlloc. Then I watched the code that freed the string, and saw no line of code that decremented _lTotalAlloc.
So next, I wrote the WalkCount function to enumerate the blocks of storage and count the allocations. It gave a correct value that did not increase.
End of story. The lTotalCount field is simply wrong.
But the key when making any measurement is simply to make sure that the measurement is measuring what you think it is measuring, and that it is measuring it correctly, and reporting it correctly.
![[Dividing Line Image]](div.gif){kind=small}
The views expressed in these essays are those of the author, and in no way represent, nor are they endorsed by, Microsoft.