HeapAlloc Problems

I had developed a GUI application based on WIN API. I have several windows where each contains several controls (EDIT, STATIC, BUTTON, LISTVIEW ...).

My problem is that as my application is growing, it sometimes crashes or gives errors related to HeapAlloc.
I don't know what the reason is, given that every time it crashes at a different stage or action.
Below is a copy of the STACK while debugging:

 ntdll.dll!@RtlpCreateSplitBlock@28()  + 0x36c4 bytes	
 ntdll.dll!@RtlpAllocateHeap@24()  + 0x26e bytes	
 ntdll.dll!_RtlAllocateHeap@12()  + 0x2d0a bytes	
>msvcr90d.dll!_heap_alloc_base(unsigned int size=4132)  Line 105 + 0x28 bytes	C
 msvcr90d.dll!_heap_alloc_dbg_impl(unsigned int nSize=4096, int nBlockUse=2, const char * szFileName=0x5e075cac, int nLine=58, int * errno_tmp=0x0021de08)  Line 427 + 0x9 bytes	C++
 msvcr90d.dll!_nh_malloc_dbg_impl(unsigned int nSize=4096, int nhFlag=0, int nBlockUse=2, const char * szFileName=0x5e075cac, int nLine=58, int * errno_tmp=0x0021de08)  Line 239 + 0x19 bytes	C++
 msvcr90d.dll!_nh_malloc_dbg(unsigned int nSize=4096, int nhFlag=0, int nBlockUse=2, const char * szFileName=0x5e075cac, int nLine=58)  Line 296 + 0x1d bytes	C++
 msvcr90d.dll!_malloc_dbg(unsigned int nSize=4096, int nBlockUse=2, const char * szFileName=0x5e075cac, int nLine=58)  Line 160 + 0x1b bytes	C++
 msvcr90d.dll!_getbuf(_iobuf * str=0x5e181448)  Line 58 + 0x13 bytes	C
 msvcr90d.dll!_flsbuf(int ch=87, _iobuf * str=0x5e181448)  Line 153 + 0x9 bytes	C
 msvcr90d.dll!_fwrite_nolock(const void * buffer=0x0021dff0, unsigned int size=1, unsigned int num=53, _iobuf * stream=0x5e181448)  Line 194 + 0xd bytes	C
 msvcr90d.dll!fwrite(const void * buffer=0x0021dff0, unsigned int size=1, unsigned int count=53, _iobuf * stream=0x5e181448)  Line 83 + 0x15 bytes	C
 BsolAllForms.dll!BsolPrintWindowMessages(unsigned int msg_p=12, char * codeUnit_p=0x01304c30)  Line 614 + 0x25 bytes	C++


In the above debug output, the application crashed upon writing to the LOG file, even though the writing function BsolPrintWindowMessages was working properly.

Some other times, the application crashes upon allocation of a wstring variable. Also, it crashed upon deallocation of the wchar_t* text_v variable using free(text_v);

Your help is highly needed
Regards,
Ahmad
Any update on this topic? I have been stuck on this problem for 5 days and am not able to proceed before having it resolved.

You have corrupted the heap somewhere, the problems you have could be unrelated to what you have posted. So post the code.
The code is really complex and not straightforward. But I have a function that is called from the window procedure. This function opens a stream to a file and writes some debugging messages. The application is producing more than 200 lines in the file before it gets into the heap error.
Modoran:
Can you please tell me how a heap gets corrupted?

In my application, I have only 1 function that writes to a file. This function prints the window messages with the affected control ID. For each control class (EDIT, BUTTON, LISTVIEW, STATIC...) I had done sub-classing, from which I am calling the above-mentioned function. Below is the function code:
 1  char * BsolPrintWindowMessages (UINT msg_p, char * codeUnit_p) {
 2      FILE * fpw = fopen("windows_msgs.log", "ab");
 3  
 4      // Hide the error of an existing file by setting the last error to 0
 5      BsolMSDN_SetLastError(0);
 6  //  BsolIssueMsg_LastError(TEXT("BsolUtilities: fopen"));
 7  
 8      char msgString[256];
 9      if (fpw) {
10          switch(msg_p) {
11              case WM_CREATE: sprintf_s(msgString, 255, "WM_CREATE : <%d>\t\t%s\r\n",WM_CREATE,codeUnit_p); break;
12              case WM_DESTROY: sprintf_s(msgString, 255, "WM_DESTROY : <%d>\t\t%s\r\n",WM_DESTROY,codeUnit_p); break;
13              case WM_MOVE: sprintf_s(msgString, 255, "WM_MOVE : <%d>\t\t%s\r\n",WM_MOVE,codeUnit_p); break;
14              case WM_SIZE: sprintf_s(msgString, 255, "WM_SIZE : <%d>\t\t%s\r\n",WM_SIZE,codeUnit_p); break;
15                .
16                .
17                .
18              default: sprintf_s(msgString, 255, "NO MESSAGE DEFINED: <%d>\t\t%s\r\n",msg_p, codeUnit_p); break;
19          }
20          SetLastError(0);
21  
22          fwrite((const void*)msgString, sizeof(char), strlen(msgString), fpw);
23          BsolIssueMsg_LastError (TEXT("fwrite"));
24  
25          SetLastError(0);
26          fclose(fpw);
27          BsolIssueMsg_LastError (TEXT("fclose"));
28  
29          fpw = NULL;
30      }
31      return msgString;
32  }


I tried to debug the code but I got nowhere.

Regards,
Ahmad
Well, in that code you don't check if fopen() succeeds. If not it will return a NULL pointer, trying to dereference that => your program will crash.

Actually I see that you don't check return values of anything ...
Sorry for the late reply, but I was on a mission (traveling).

Anyway, I would like to draw your attention to the fact that when I debug the application, it runs properly and does not run into the heap crash. However, when I run the application in the normal way, it crashes.

I have checked the return values of fopen(), fwrite() and fclose(); they are successful, but the crash happens while writing the string, i.e. before fwrite() returns.
I am using the same function (i.e. the code of BsolPrintWindowMessages shown above) for writing into the file; it writes more than 2000 lines and then crashes at some point.

Regards,
Ahmad


@line 31 -- return msgString;

this is local data and will be deallocated when the function exits, if you try to use the char* pointer returned from this function it will be pointing at where the string used to exist before it was deallocated.

ergo heap corruption.
Jaybob66:
Thanks for your update. However, can you explain further what causes the heap to be corrupted upon deallocating this local variable?

I am asking this because I faced heap corruption in another function where I am using a wstring variable. But when I deallocated the variable explicitly, the heap corruption caused by this function was resolved.

Thanks in advance.
Regards,
Ahmad
Sorry for this late reply,

it's because deallocated memory can be (and inevitably will be) reused at some point.

Any read actions from the returned char* will potentially show the string corrupted where the memory has been reused behind your back.

Any write actions to the char* returned will then be potentially corrupting new variables that have been allocated in the reused space.

Hi All,

I am in real trouble.
Whenever I fix a heap corruption in a certain function, the application crashes in another one. I don't know what is missing or what the problem in my code is.
Now the application is crashing upon using malloc().

Below is a copy of the STACK while debugging:
 ntdll.dll!@RtlpAllocateHeap@24()  + 0x42f bytes	
 ntdll.dll!_RtlAllocateHeap@12()  + 0x2d0a bytes	
 msvcr90d.dll!_heap_alloc_base(unsigned int size=48)  Line 105 + 0x28 bytes	C
 msvcr90d.dll!_heap_alloc_dbg_impl(unsigned int nSize=12, int nBlockUse=1, const char * szFileName=0x00000000, int nLine=0, int * errno_tmp=0x0030e7f8)  Line 427 + 0x9 bytes	C++
 msvcr90d.dll!_nh_malloc_dbg_impl(unsigned int nSize=12, int nhFlag=0, int nBlockUse=1, const char * szFileName=0x00000000, int nLine=0, int * errno_tmp=0x0030e7f8)  Line 239 + 0x19 bytes	C++
 msvcr90d.dll!_nh_malloc_dbg(unsigned int nSize=12, int nhFlag=0, int nBlockUse=1, const char * szFileName=0x00000000, int nLine=0)  Line 296 + 0x1d bytes	C++
 msvcr90d.dll!malloc(unsigned int nSize=12)  Line 56 + 0x15 bytes	C++
>BsolForm.dll!BsolForm::BsolValidateItem(HWND__ * phWnd_p=0x00030ddc, BsolLinkList * item_p=0x006ea5e8, int ctrlId_p=2311)  Line 474 + 0xc bytes	C++
 BsolForm.dll!BsolFrmOnUserValidateItem(BsolEventHandler::BsolEventArgs * eArgs_p=0x0030ec68)  Line 1077 + 0x16 bytes	C++


and below is the code of function BsolValidateItem:
 1  BOOL BsolForm::BsolValidateItem (HWND phWnd_p, BsolLinkList * item_p, int ctrlId_p) {
 2      LPCWSTR msgTitle_v = TEXT("BsolForm: ValidateItem");
 3      BOOL return_v = true;
 4      BsolDBColumn * dbCol_v;
 5      int size_v;
 6      wstring wsType_v, wsValue_v;
 7      wchar_t * wcValue_v;
 8  
 9      // Get Type
10      wsType_v = item_p->BsolGetType();
11      // If item is EditBox
12      if (wsType_v.compare(TEXT("EDITBOX")) == 0) {
13          // Get DB Column struct
14          dbCol_v = item_p->BsolGetDBData();
15          // Get column size
16          size_v = dbCol_v->dcSize;
17          // Allocate memory
18          wcValue_v = (wchar_t*)malloc(size_v);
19          // Get Text from Control
20          BsolMSDN_GetWindowText (phWnd_p, ctrlId_p, wcValue_v, size_v, msgTitle_v);
21          // Set text to wstring
22          wsValue_v = wcValue_v;
23          // If not empty, validate text: value and format
24          if (!wsValue_v.empty())
25              return_v = this->BsolValidate (item_p, wsValue_v);
26      }
27      return return_v;
28  }

Note: all functions that start with "Bsol" are functions defined by myself.
The application is crashing on wcValue_v = (wchar_t*)malloc(size_v); on line 18 in the above code (it is line 474 in my code file).
Please note that the application executes this function several times without any problem before it crashes. Furthermore, upon debugging the application, it gives no problem at all. All those crashes disappear, as if the application were using another heap or another algorithm.

Regards,
Ahmad
What happens if you do this:
wcValue_v = (wchar_t*)malloc(size_v * sizeof (wchar_t));

However, this is unlikely to fix your problem, but it may fix future bugs in your application :)


And why are you using malloc in a C++ application instead of new operator ?
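An added example, not code from this thread, putting numbers on the two defects discussed above (malloc(size_v) sized in bytes for a wchar_t buffer, and returning a pointer to a local array) and showing the repaired patterns. copyTextBounded is a hypothetical stand-in for the poster's BsolMSDN_GetWindowText wrapper; the rest is standard C++.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cwchar>
#include <string>
#include <vector>

// Bytes malloc() must return to hold `chars` wide characters plus the
// terminating L'\0'. Returns 0 if the multiplication would overflow.
std::size_t wideBufferBytes(std::size_t chars) {
    if (chars > SIZE_MAX / sizeof(wchar_t) - 1) return 0;
    return (chars + 1) * sizeof(wchar_t);
}

// Wide characters that really fit in a buffer of `bytes` bytes. The posted
// malloc(size_v) gives only size_v / sizeof(wchar_t) characters, so a text
// fetch told it has size_v characters of room can write past the end.
std::size_t wideCharsThatFit(std::size_t bytes) {
    return bytes / sizeof(wchar_t);
}

// Hypothetical stand-in for the thread's BsolMSDN_GetWindowText: copies at
// most cchMax-1 characters and always NUL-terminates. Returns chars copied.
std::size_t copyTextBounded(const std::wstring& src, wchar_t* dst, std::size_t cchMax) {
    if (cchMax == 0) return 0;
    std::size_t n = src.size() < cchMax - 1 ? src.size() : cchMax - 1;
    std::wmemcpy(dst, src.data(), n);
    dst[n] = L'\0';
    return n;
}

// BsolValidateItem's buffer handling without malloc: the vector is sized in
// characters, owns its memory, and is freed on every return path.
std::wstring readValue(const std::wstring& controlText, std::size_t columnSize) {
    std::vector<wchar_t> buf(columnSize + 1);
    copyTextBounded(controlText, buf.data(), buf.size());
    return std::wstring(buf.data());
}

// Repair for "return msgString;" in BsolPrintWindowMessages: the text is
// returned by value, so no caller ever holds a pointer into a dead frame.
std::string formatWindowMessage(unsigned msg, const char* codeUnit) {
    char line[256];
    std::snprintf(line, sizeof line, "MSG : <%u>\t\t%s\r\n", msg,
                  codeUnit ? codeUnit : "(null)");
    return std::string(line);
}
```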