在Debug 模式下,
VC 会把未初始化的栈内存全部填成0xcc,当字符串看就是 烫烫烫烫……
会把未初始化的堆内存全部填成0xcd,当字符串看就是 屯屯屯屯……
可以让我们方便地看出那些内存没初始化
但是Release 模式下不会有这种附加动作,原来那块内存里是什么就是什么
名字 描述
0xCD Clean Memory 申请的内存由malloc或者new完成
0xDD Dead Memory 释放后的内存,用来检测悬垂指针
0xFD Fence Memory 动态申请后的内存值,没有初始化。用来检测数组的下标界限
0xAB (Allocated Block?) 使用LocalAlloc()分配的内存 0x0DF0ADBA Bad Food 使用LocalAlloc并且参数为LMEM_FIXED,但是还没写入
0xCC 使用了/GZ选项,没有初始化的自动变量在DBGHEAP.C文件中,
Microsoft's memorymanagement functions often initialize memory with special values. The followingarticle describes frequent used variants.
Microsoft Visual C++ Runtime library
C runtime library provides it own debug codes:
0xCD, 0xCDCDCDCD - New objects. New objects are filled with 0xCD when they areallocated.
0xFD, 0xFDFDFDFD - No-man's land memory. Extra bytes that belong to theinternal block allocated, but not the block you requested. They are placedbefore and after requested blocks and used for data bound checking.
0xDD, 0xDDDDDDDD - Freed blocks. The freed blocks kept unused in the debugheap's linked list when the _CRTDBG_DELAY_FREE_MEM_DF flag is set are currentlyfilled with 0xDD. Although in some cases you won't see magic 0xDDDDDDDD value,as it will be overwritten by another debug function (e.g. 0xFEEEFEEE forHeapFree).
These constants are defined in DbgHeap.c file as
static unsigned char _bNoMansLandFill = 0xFD; /* fill no-man's land with this*/
static unsigned char _bDeadLandFill = 0xDD; /* fill free objects with this */
static unsigned char _bCleanLandFill = 0xCD; /* fill new objects with this */
Compiler initialisations
0xCC, 0xCCCCCCCC - The /GX Microsoft Visual C++ compiler option initialises alllocal variables not explicitly initialised by the program. It fills all memoryused by these variables with 0xCC, 0xCCCCCCCC.
Windows NT memory codes
0xABABABAB - Memory following a block allocated by LocalAlloc().
0xBAADF00D - "Bad Food". This is memory allocated via LocalAlloc(LMEM_FIXED, ... ). It is memory that has been allocated but not yet written to.
0xFEEEFEEE - OS fill heap memory, which was marked for usage, but wasn'tallocated by HeapAlloc() or LocalAlloc(). Or that memory just has been freed byHeapFree().
好了,现在来解释一下标题。
未初始化的变量会被系统赋初值为0xCC,超过了ASCII码0-127这个范围,因此这个“字符串”被系统当成了宽字符组成的字符串,即两个字节数据组成一个字符,而0xCCCC表示的宽字符正好是乱码中的那个“烫”字。
烫烫烫烫烫烫烫烫烫烫烫烫烫烫烫烫烫烫烫烫烫烫烫烫烫烫烫
是debug中未初始化的栈变量
屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯
是debug中未初始化的堆变量
举个例子:
|
1
2
3
4
5
|
int
main(
void
)
{
char
x[4];
return
0;
}
|
用断点查看X的值,可以发现,“烫烫”出现了:
x 0x0012ff60 "烫烫烫烫?" char [4]
查看反汇编:
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
|
1:
int
main(
void
)
2: {
004113A0 55 push ebp
004113A1 8B EC mov ebp,esp
004113A3 81 EC CC 00 00 00 sub esp,0CCh
004113A9 53 push ebx
004113AA 56 push esi
004113AB 57 push edi
004113AC 8D BD 34 FF FF FF lea edi,[ebp-0CCh]
004113B2 B9 33 00 00 00 mov ecx,33h
004113B7 B8 CC CC CC CC mov eax,0CCCCCCCCh
004113BC F3 AB rep stos dword ptr es:[edi]
3:
char
x[4];
4:
return
0;
004113BE 33 C0 xor eax,eax
5: }
|
简单解释一下关键句的含义:
004113AC 8D BD 34 FF FF FF lea edi,[ebp-0CCh]
将获得的0CCh大小的栈空间首地址赋给edi
004113B2 B9 33 00 00 00 mov ecx,33h
rep的循环次数为33h
004113B7 B8 CC CC CC CC mov eax,0CCCCCCCCh
eax = 0CCCCCCCCh
004113BC F3 AB rep stos dword ptr es:[edi]
将栈空间的33H个双字节赋值为0CCCCCCCCh
而0xcccc用汉语表示刚好就是“烫”
oxcc正好是中断int 3的指令 起到保护作用
