Microsoft的编译器在调试模式下使用以下方法处理未拥有/未初始化内存的各个部分(支持情况可能因编译器版本而异):
Value Name Description
------ -------- -------------------------
0xCD Clean Memory Allocated memory via malloc or new but never
written by the application.
0xDD Dead Memory Memory that has been released with delete or free.
It is used to detect writing through dangling pointers.
0xED or Aligned Fence 'No man's land' for aligned allocations. Using a
0xBD different value here than 0xFD allows the runtime
to detect not only writing outside the allocation,
but to also identify mixing alignment-specific
allocation/deallocation routines with the regular
ones.
0xFD Fence Memory Also known as "no mans land." This is used to wrap
the allocated memory (surrounding it with a fence)
and is used to detect indexing arrays out of
bounds or other accesses (especially writes) past
the end (or start) of an allocated block.
0xFD or Buffer slack Used to fill slack space in some memory buffers
0xFE (unused parts of `std::string` or the user buffer
passed to `fread()`). 0xFD is used in VS 2005 (maybe
some prior versions, too), 0xFE is used in VS 2008
and later.
0xCC When the code is compiled with the /GZ option,
uninitialized variables are automatically assigned
to this value (at byte level).
// the following magic values are done by the OS, not the C runtime:
0xAB (Allocated Block?) Memory allocated by LocalAlloc().
0xBAADF00D Bad Food Memory allocated by LocalAlloc() with LMEM_FIXED,but
not yet written to.
0xFEEEFEEE OS fill heap memory, which was marked for usage,
but wasn't allocated by HeapAlloc() or LocalAlloc().
Or that memory just has been freed by HeapFree().
免责声明:该表格来源于我手头的一些笔记,可能不是100%正确(或连贯的)。
其中许多值在vc/crt/src/dbgheap.c中定义:
/*
* The following values are non-zero, constant, odd, large, and atypical
* Non-zero values help find bugs assuming zero filled data.
* Constant values are good, so that memory filling is deterministic
* (to help make bugs reproducible). Of course, it is bad if
* the constant filling of weird values masks a bug.
* Mathematically odd numbers are good for finding bugs assuming a cleared
* lower bit.
* Large numbers (byte values at least) are less typical and are good
* at finding bad addresses.
* Atypical values (i.e. not too often) are good since they typically
* cause early detection in code.
* For the case of no man's land and free blocks, if you store to any
* of these locations, the memory integrity checker will detect it.
*
* _bAlignLandFill has been changed from 0xBD to 0xED, to ensure that
* 4 bytes of that (0xEDEDEDED) would give an inaccessible address under 3gb.
*/
static unsigned char _bNoMansLandFill = 0xFD; /* fill no-man's land with this */
static unsigned char _bAlignLandFill = 0xED; /* fill no-man's land for aligned routines */
static unsigned char _bDeadLandFill = 0xDD; /* fill free objects with this */
static unsigned char _bCleanLandFill = 0xCD; /* fill new objects with this */
有些情况下,调试运行时会用已知的值填充缓冲区(或部分缓冲区),例如
std::string
分配的“松散”空间或传递给
fread()
的缓冲区。这些情况使用一个名为
_SECURECRT_FILL_BUFFER_PATTERN
的值(定义在
crtdefs.h
中)。我不确定它是什么时候引入的,但至少在VS 2005(VC++8)的调试运行时中存在。
最初,用于填充这些缓冲区的值是
0xFD
,与无人区使用的相同值。然而,在VS 2008(VC++9)中,该值被更改为
0xFE
。我认为这是因为可能存在填充操作将超出缓冲区末尾的情况,例如,如果调用者传递了一个对于
fread()
来说过大的缓冲区大小。在这种情况下,值
0xFD
可能不会触发检测到这个溢出,因为如果缓冲区大小只大了1个字节,那么填充值将与用于初始化校验码的无人区值相同。无人区的变化意味着溢出不会被注意到。
因此,在VS 2008中更改了填充值,以便这种情况会更改无人区的校验码,并由运行时检测到问题。
正如其他人所指出的,这些值的关键属性之一是,如果解引用带有其中一个值的指针变量,它将导致访问冲突,因为在标准的32位Windows配置中,用户模式地址不会高于0x7fffffff。