Debugging Effective Leak Detection with the Debug CRT and Application Verifier

Programming memory leaks in C or C++ is easy. Even careful programming often cannot avoid the little mistakes that finally end up in your program having a memory leak. Thankfully, however, there are plenty of helpful tools that assist in finding leaks as early as possible.

One especially helpful tool for leak detection is the debug CRT. Although the leak detection facilities provided by the debug CRT are not as far-reaching as those of, say, UMDH, using the debug CRT is probably the most friction-less way of identifying leaks.

Of course, the debug CRT will only track allocations of the CRT heap. That is, allocations performed using malloc or, in case of C++, the default operator new.

So how to enable allocation tracking? As it turns out, it is already enabled by default for the debug heap – so changing the CRT flags using _CrtSetDbgFlag usually is not even neccessary. All there is to do is to call _CrtDumpMemoryLeaks() at the end of the program.

When exactly is “the end of the program”? That depends on which CRT you use. Each CRT uses a separate heap and thus, must have its resources be tracked separately. If your application EXE and your DLLs all link against the DLL version of the CRT, the right moment to call _CrtDumpMemoryLeaks() is at the end of main(). If you use the static CRT, the right moment is when the respective module is about to unload – for an EXE, this is the end of main() again (atexit is another option). For a DLL, however, this is DllMain (in the DLL_PROCESS_DETACH case).

To illustrate how to make use of this CRT feature, consider the following leaky code:

    #include <crtdbg.h>
    
    class Widget
    {
    private:
      int a;
    
    public:
      Widget() : a( 0 )
      {
      }
    };
    
    void UseWidget( Widget* w )
    {
    }
    
    int __cdecl wmain()
    {
      Widget* w = new Widget();
      UseWidget( w );
    
      _CrtDumpMemoryLeaks();
      return 0;
    }
    

Running the debug build (i.e. a build using the debug CRT) of this program will yield the following output in the debugger:

    Detected memory leaks!
    Dumping objects ->
    {124} normal block at 0x008C2880, 4 bytes long.
     Data:  00 00 00 00 
    Object dump complete.
    

So we have a memory leak – allocation #124 is not freed. The default procedure to locate the leak now is to include a call to _CrtSetBreakAlloc( 124 ) in the program and run it in the debugger – it will break when allocation #124 is performed. While this practice is ok for smaller programs, it will fail as soon as your program is not fully deterministic any more – most likely because it uses multiple threads. So for many programs, this technique is pretty much worthless.

But before continueing on the topic of how to find the culprit, there is another catch to discuss. Let’s include this snippet of code into our program:

    class WidgetHolder
    {
    private:
      Widget* w;
    
    public:
      WidgetHolder() : w( new Widget() )
      {}
    
      ~WidgetHolder()
      {
        delete w;
      }
    };
    
    WidgetHolder widgetHolder;
    

No leak here – we are properly cleaning up. But let’s see what the debugger window tells:

    Detected memory leaks!
    Dumping objects ->
    {125} normal block at 0x000328C0, 4 bytes long.
     Data:  00 00 00 00 
    {124} normal block at 0x00032880, 4 bytes long.
     Data:  00 00 00 00 
    Object dump complete.
    

Urgh. But the reason should be obvious – when main() is about to return, ~WidgetHolder has not run yet. As a consequence, WidgetHolder’s allocation has not been freed yet and _CrtDumpMemoryLeaks will treat this as a leak. Unfortunately, there is no good way to avoid such false positives. Of course, this only holds for C++. For C, this problem does not exist.

Ok, back to the problem of locating the leak. We know that allocation #124 is the problem, but assuming our program does more than the simplistic example, breaking on #124 during the next runs is likely to lead us to ever changing locations. So this information is worthless. That leaves the address of the leaked memory – 0x008C2880.

At this point, we can leverage the fact that the CRT heap is not really a heap but just a wrapper around the RTL heap. Therefore, we can use the incredibly powerful debugging facilities of the RTL heap to help us out.

In order to fix a leak, it is usually extremely helpful to locate the code having conducted the allocation. Once you have this information, it is often trivial to spot the missing free operation. As it turns out, the the RTL heap’s page heap feature offers this capability.

Open Application Verifier and enable Heap Checks for our application. By default, this enables the full page heap, but the normal page heap is enough for our case.

Note that for the following discussion, I assume you are using the Visual Studio debugger.

Set a breakpoint on the statement immediately following the _CrtDumpMemoryLeaks() statement and run the application until it breaks there. This time, the locations 0x02CDFFA0 and 0x02CDFF40 are reported as being leaked. Do not continue execution yet.

Rather, open WinDBG and attach noninvasively to the debugged process. VisualStudio is already attached, so we cannot perform a real attach, but a noninvasive attach does the trick.

In WinDBG, we now use the !heap extension to query page heap information:

    0:000!heap -p -a 0x02CDFF40
        address 02cdff40 found in
        _HEAP @ 2cd0000
          HEAP_ENTRY Size Prev Flags    UserPtr UserSize - state
            02cdfef8 000c 0000  [00]   02cdff20    00028 - (busy)
            Trace: 02dc
            776380d8 ntdll!RtlDebugAllocateHeap+0x00000030
    [...]
            6a2fab29 MSVCR80D!malloc+0x00000019
            6a34908f MSVCR80D!operator new+0x0000000f
            4115c9 Leak!WidgetHolder::WidgetHolder+0x00000049
            415808 Leak!`dynamic initializer for 'widgetHolder''+0x00000028
            6a2e246a MSVCR80D!_initterm+0x0000001a
            411d33 Leak!__tmainCRTStartup+0x00000103
            411c1d Leak!wmainCRTStartup+0x0000000d
            767b19f1 kernel32!BaseThreadInitThunk+0x0000000e
            7764d109 ntdll!_RtlUserThreadStart+0x00000023
    
    0:000!heap -p -a 0x02CDFFA0
        address 02cdffa0 found in
        _HEAP @ 2cd0000
          HEAP_ENTRY Size Prev Flags    UserPtr UserSize - state
            02cdff58 000c 0000  [00]   02cdff80    00028 - (busy)
            Trace: 02e0
            776380d8 ntdll!RtlDebugAllocateHeap+0x00000030
    [...]
            6a2fab29 MSVCR80D!malloc+0x00000019
            6a34908f MSVCR80D!operator new+0x0000000f
            411464 Leak!wmain+0x00000044
            411dd6 Leak!__tmainCRTStartup+0x000001a6
            411c1d Leak!wmainCRTStartup+0x0000000d
            767b19f1 kernel32!BaseThreadInitThunk+0x0000000e
            7764d109 ntdll!_RtlUserThreadStart+0x00000023
            
    

Aha, stack traces! The remaining analysis is almost trivial: 0x02CDFF40 has been allocated on behalf of WidgetHolder::WidgetHolder. WidgetHolder::WidgetHolder, however, is not indirectly invoked by wmain, but rather by MSVCR80D!_initterm! That is a strong indication for this being a global object that can be ignored in this analysis.

0x02CDFFA0, in turn, is allocated by wmain, so this is a real leak. But which allocation is it, exactly? lsa will tell us:

    0:000lsa Leak!wmain+0x00000044
        33: }
        34: 
        35: int __cdecl wmain()
        36: {
      37: 	Widget* w = new Widget();
        38: 	UseWidget( w );
        39: 
        40: 	_CrtDumpMemoryLeaks();
        41: 	return 0;
        42: }
    

There you go, we have found the culprit.

Although simple, I have found this technique to be very effective in practice, as it enables you to find leaks as you develop your code. As Application Verifier should be enabled anyway for any application you are developing on, the technique also turns out to be a lot less laborious than it may seem. It almost certainly is a lot more convenient than routinely doing UMDH runs. To be fair, however, UMDH is able to catch more leaks (non CRT-leaks), so additionally using UMDH remains being a good idea.

Any opinions expressed on this blog are Johannes' own. Refer to the respective vendor’s product documentation for authoritative information.
« Back to home