I have a Silverlight 3 application which seems to be leaking DispatcherTimer objects. At least, over time when the application runs I find more of them on the heap:
!dumpheap -type DispatcherTimer
returns an increating number of them.
I'd like to find the Tick event handler method for these so I can identify where they're created in my code.
When I try dumping one of these in windbg, I get something like:
!do 098b9980
Name: System.Windows.Threading.DispatcherTimer
MethodTable: 0bfd4ba0
EEClass: 0bc98d18
Size: 20(0x14) bytes
File: C:\Program Files (x86)\Microsoft Silverlight\4.0.50524.0\System.Windows.dll
Fields:
MT Field Offset Type VT Attr Value Name
0bfd1538 40008be 4 ...eObjectSafeHandle 0 instance 098b9994 m_nativePtr
0bfd3d0c 40008bf 8 ...reTypeEventHelper 0 instance 098b99ac _coreTypeEventHelper
506a07e4 40008c0 c System.Boolean 1 instance 1 _isEnabled
0bfd3c68 40008c1 cec ...ependencyProperty 0 shared static IntervalProperty
>> Domain:Value 086d3f38:NotInit 086daeb8:098b99b8 <<
But from here, I don't know how to find the method handling the Tick event. I suspect it's something to do with _coreTypeEventHelper, but when I dump that, I get:
!do 098b99ac
Name: MS.Internal.CoreTypeEventHelper
MethodTable: 0bfd3d0c
EEClass: 0bc98420
Size: 12(0xc) bytes
File: C:\Program Files (x86)\Microsoft Silverlight\4.0.50524.0\System.Windows.dll
Fields:
MT Field Offset Type VT Attr Value Name
00000000 40009f5 4 0 instance 098b9ae4 _eventAndDelegateTable
506a0e94 40009f4 514 System.Int32 1 shared static _nextAvailableTableIndex
>> Domain:Value 086d3f38:NotInit 086daeb8:669 <<
then I dump the _eventAndDelegateTable:
Name: System.Collections.Generic.Dictionary`2[[System.Int32, mscorlib],[MS.Internal.CoreTypeEventHelper+EventAndDelegate, System.Windows]]
MethodTable: 0bfcc0a0
EEClass: 5026c744
Size: 52(0x34) bytes
File: C:\Program Files (x86)\Microsoft Silverlight\4.0.50524.0\mscorlib.dll
Fields:
MT Field Offset Type VT Attr Value Name
5068f2d0 4000648 4 System.Int32[] 0 instance 098b9b18 buckets
50691060 4000649 8 ...non, mscorlib]][] 0 instance 098b9b30 entries
506a0e94 400064a 20 System.Int32 1 instance 1 count
506a0e94 400064b 24 System.Int32 1 instance 1 version
506a0e94 400064c 28 System.Int32 1 instance -1 freeList
506a0e94 400064d 2c System.Int32 1 instance 0 freeCount
50697f08 400064e c ...Int32, mscorlib]] 0 instance 098b9650 comparer
506ccfb0 400064f 10 ...Canon, mscorlib]] 0 instance 00000000 keys
506ceaac 4000650 14 ...Canon, mscorlib]] 0 instance 00000000 values
506a02e4 4000651 18 System.Object 0 instance 00000000 _syncRoot
506895d8 4000652 1c ...SerializationInfo 0 instance 00000000 m_siInfo
And then I'm kind of lost!
Before attempting to find the relevant event handler, you could also search for the source of the leak by investigating why the DispatcherTimer instances doesn't get released.
After you have the output of the !dumpheap -type DispatcherTimer, execute the !gcroot command on a couple of instances of DispatcherTimer. You should be able to see which object holds a reference to the timer.
Also, you could place appropriate breakpoints (using !bpmd), in order to obtain helpful stacktraces.
Related
These are my assignments:
Write a program to find the number of address lines in an n Kbytes of memory. Assume that n is always to the power of 2.
Sample input: 2
Sample output: 11
I don't need specific coding help, but I don't know the relation between address lines and memory.
To express in very easy terms, without any bus-multiplexing, the number of bits required to address a memory is the number of lines (address or data) required to access that memory.
Quoting from the Wikipedia article,
a system with a 32-bit address bus can address 232 (4,294,967,296) memory locations.
for a simple example, consider this, you have 3 address lines (A, B, C), so the values which can be formed using 3 bits are
A B C
0 0 0
0 0 1
0 1 0
0 1 1
1 0 0
1 0 1
1 1 0
1 1 1
Total 8 values. So using ABC, you can access any of those eight values, i.e., you can reach any of those memory addresses.
So, TL;DR, the simple relationship is, with n number of lines, we can represent 2n number of addresses.
An address line usually refers to a physical connection between a CPU/chipset and memory. They specify which address to access in the memory. So the task is to find out how many bits are required to pass the input number as an address.
In your example, the input is 2 kilobytes = 2048 = 2^11, hence the answer 11. If your input is 64 kilobytes, the answer is 16 (65536 = 2^16).
I'm having problem to form the field section's structure into xfd files after analyse by issuing commnad "vutil32.exe -i -kx pogl.dad". I hope somebody could help me out how to form out field structure as highlighted in below. I've uploaded sample of my file known as "pglc.dad" i hope soneone could guide me how to form .xfd file from his expert skills and guide me.Thanks
Result from vutil32.exe
file size: 250880
record size (min/max): 121/1024 compressed(80%)
# of keys: 4
key size: 16:02 31:03 56:03 15
key offset: 0 0 0 1
duplicates okay: N N N N
block size: 512
blocks per granule: 1
tree height: 4/2/2.7
# of nodes: 200
# of deleted nodes: 1
total node space: 101800
node space used: 67463 (66%)
user count: 0
Key Dups Seg-1 Seg-2 Seg-3 Seg-4 Seg-5 Seg-6
(sz/of) (sz/of) (sz/of) (sz/of) (sz/of) (sz/of)
0 N 1/0 15/1
1 N 1/0 15/66 15/1
2 N 1/0 40/81 15/1
3 N 15/1
Here is my further construction of .xfd file.
XFD,02,PGLC,PGLC
00300,00041,004
1,0,013,00000
01
PGSTAT
3,0,004,00004,020,00021,004,00000
3
PGSTAT
PGDESC
PGLINE
3,0,004,00004,008,00013,004,00000
03
PGSTAT
PGDESC
PGLINE
1,0,012,00021
01
PGSTAT
000
0150,00150,00003 =================>> How can i form this field section.
00000,00013,16,00016,+00,000,000,PGSTAT
00000,00001,16,00001,+00,000,000,PGDESC
00001,00015,16,00015,+00,000,000,PGLINE
here is the link for my pglc.dad : http://files.engineering.com/getfile.aspx?folder=080fdad6-b1d5-4a37-8dd0-b89f9a985c69&file=PGLC.DAD
Thanks appopriate to someone could helps.
I know the XFD format intimately as I have written a couple of parsers of this file format in both Perl and Cobol.
Having said that, I would strongly recommend that you do not try to hand craft an XFD file from scratch.
If you have an AcuCobol (MicroFocus) compiler, and the source of the file's SELECT and FD definitions, then you can create a very small Cobol program that has just the SELECT and FD definitions and then compile the program using:
ccbl32.exe -Fx <program>
That will create an XFD file for the indexed file definition. Note, you can specify a directory for the created XFD file using the -Fo <directory> option.
If you don't have the source of the file definitions, then you are just going to be guessing what and where the fields are. The indexed file by itself will not tell you that information. I can see from extracting the data in your file (using the vutil -e option) that the file contains binary data as well as text, so without knowing exactly what PICture those fields are (COMP-?) you will be struggling to figure out the structure of those fields.
Hi I am trying to understand whether it is possible to take instruction opcodes and 'poke' them into memory or smehow convert them to a binary program. I have found an abandoned lisp project here: http://common-lisp.net/viewvc/cl-x86-asm/cl-x86-asm/ which takes x86 asm instructions and converts them into opcodes (please see example below). The project does not go further to actually complete the creation of the binary executable. Hence I would need to do that 'manually' Any ideas can help me. Thanks.
;; assemble some code in it
(cl-x86-asm::assemble-forms
'((.Entry :PUSH :EAX)
(:SUB :EAX #XFFFEA)
(:MOV :EAX :EBX)
(:POP :EAX)
(:PUSH :EAX)
(.Exit :RET))
Processing...
;; print the assembled segment
(cl-x86-asm::print-segment)
* Segment type DATA-SEGMENT
Segment size 0000000C bytes
50 81 05 00 0F FF EA 89
03 58 50 C3
Clozure Common Lisp for example has this built-in. This is usually called LAP, Lisp Assembly Program.
See defx86lapfunction.
Example:
(defx86lapfunction fast-mod ((number arg_y) (divisor arg_z))
(xorq (% imm1) (% imm1))
(mov (% number) (% imm0))
(div (% divisor))
(mov (% imm1) (% arg_z))
(single-value-return))
SBCL can do some similar with VOP (Virtual Operations).
http://g000001.cddddr.org/2011-12-08
I learned that it can be done using CFFI/FFI for example the very simple asm code:
(:movl 12 :eax)
(:ret)
This will be converted to the following sequence of octets: #(184 12 0 0 0 195) which in hex it is: #(B8 C 0 0 0 C3). The next step is to send it to a location in memory as such:
(defparameter pointer (cffi:foreign-alloc :unsigned-char :initial-contents #(184 12 0 0 0 195)))
;; and then execute it as such to return the integer 12:
(cffi:foreign-funcall-pointer pointer () :int)
=> result: 12
Thanks to the experts in #lisp (freenode irc channel) for helping out with this solution.
How can I obtain the ID of a CGPDFObject?
I have this dictionary in my PDF:
3 0 obj
<< /Type /Pages /MediaBox [0 0 612 792] /Count 5 /Kids [ 2 0 R 9 0 R 15 0 R
21 0 R 27 0 R ] >>
endobj
which I obtain using:
CGPDFDictionaryRef pdfPagesObjectRef;
CGPDFDictionaryGetDictionary(pdfCatalogueRef, "Pages", &pdfPagesObjectRef);
Now I am aware of the CGPDFDictionaryApplyFunctionto get the key/value pairs inside the dictionary. But how can I get the own object ID and generation Number? (In this case 3 and 0).
EDIT:
Why I need these information? I am trying to add text annotations to the file. In my understanding, there is no "high level" way to do this in iOS. You have to append a new section (xref table, overridden objects, trailer etc.) by hand.
Therefore it is inevitable to get the IDs and generation numbers of the objects I want to override, and for those referenced in objects I override (eg. /Resources, /Contents in an overridden page).
I was reading the following paper on buffer overflow : http://www1.telhai.ac.il/sources/private/academic/cs/557/2659/Materials/Smashing.pdf
According to the examples in the paper, the attacker injects code in the buffer which is overflowed and modifies the return address to point to the address of the buffer. Since, the injected code and the local variables both lie on the stack , shouldn't the attacker make sure that she/he has left enough space for local variables before overflowing the buffer with the code? In broad sense, I m confused how stack would be maintained when both the code and local variables are there on the stack ....are there chances of local variables overwriting the injected code ???
One solution is to not use any local variables. This isn't necessarily a big constraint on code that is going to be small and do its work by calling into something else anyway. (Very relative on saying its not a big constraint, it's beyond me tbh but since this isn't the easiest code to write, its not a big constraint in that context).
That's not even necessary though. A stack will look something like:
Function A Arg 2
Function A Arg 1
Function A Arg 0
Return Address into caller
Function A Local 1
Function A Local 0
Function B Arg 1
Function B Arg 0
Return Address into place in Function A's executable code.
Function B Local 2
Function B Local 1
Function B Local 0
Function C Arg 0
Return Address into place in Function B's executable code.
Function C Local 3
Function C Local 2
Function C Local 1
Function C Local 0
...
A buffer overflow tricks it into looking like:
Function A Arg 2
Function A Arg 1
Function A Arg 0
Return Address into caller
Function A Local 1
NastyCode bytes 0-3
NastyCode bytes 4-7
NastyCode bytes 8-B
NastyCode bytes C-E
NastyCode bytes F-10
NastyCode bytes 10-13
NastyCode bytes 14-17
NastyCode bytes 18-1B
NastyCode bytes 1F-20
...
NastyCode arg 0 (etc.)
Return Address (of NastyCode [may not even be valid, may return to original caller, or may jump into something it'll set up]).
NastyCode Local 2
NastyCode Local 1
NastyCode Local 0
Return Address (should be of Function F, into a point in Function E but it's changed to point to byte 0 of NastyCode)
Function F Local 2
Function F Local 1
Function F Local 0
So the executable code written into the stack can be away from the local varaibles of that code.