{"id":110800,"date":"2025-01-23T07:00:00","date_gmt":"2025-01-23T15:00:00","guid":{"rendered":"https:\/\/devblogs.microsoft.com\/oldnewthing\/?p=110800"},"modified":"2025-01-23T08:04:02","modified_gmt":"2025-01-23T16:04:02","slug":"20250123-00","status":"publish","type":"post","link":"https:\/\/devblogs.microsoft.com\/oldnewthing\/20250123-00\/?p=110800","title":{"rendered":"Memory corruption from outside the process looks like space aliens"},"content":{"rendered":"

Chasing down memory corruption is one of the more frustrating parts of debugging. You can use debugger write breakpoints and tools like Address Sanitizer<\/a> (ASAN), Valgrind<\/a>, Application Verifier<\/a> (AppVerifier), and Page heap<\/a> to try to identify memory corruption bugs in real time. And you can use tools like rr<\/a>, and Time Travel Debugging<\/a> (TTD) to record the execution of a program and replay it. But all of these tools can only track writes that were issued by the program being debugged.<\/p>\n

If the offending write comes from outside the process, then all your program sees is a mysterious change in the value even though the program never modified it. (As far as you can determine, it was changed by space aliens<\/a>.)<\/p>\n

You can use this knowledge to your advantage: If you see a memory change that is not detected by a write breakpoint or Time Travel Debugging, then you can add to the list of scenarios the possibility that the memory is being updated from outside the process, say by kernel mode (example 1<\/a>, example 2<\/a>), or more rarely, by another process doing Write\u00adProcess\u00adMemory<\/code> as some crude form of interprocess communication (not recommended<\/a>).<\/p>\n

Next time, I’ll do a quick comparison of some of these diagnostic tools I mentioned above.<\/p>\n","protected":false},"excerpt":{"rendered":"

The write isn’t visible to your process, just the effect of the write.<\/p>\n","protected":false},"author":1069,"featured_media":111744,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1],"tags":[25],"class_list":["post-110800","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-oldnewthing","tag-code"],"acf":[],"blog_post_summary":"

The write isn’t visible to your process, just the effect of the write.<\/p>\n","_links":{"self":[{"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/posts\/110800","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/users\/1069"}],"replies":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/comments?post=110800"}],"version-history":[{"count":0,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/posts\/110800\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/media\/111744"}],"wp:attachment":[{"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/media?parent=110800"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/categories?post=110800"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/tags?post=110800"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}