Initial commit — leak-hunt project complete
Five bugs identified and patched in retail Asheron's Call client: - v3b: palette refcount over-increment (3-byte NOP at two sites) - v5: RenderSurface PurgeResource no-op stub (vtable slot 2 thunk) - v11: two dangling-pointer crash guards (NULL-check + reorder) - v14: CEnvCell::Destroy ClipPlaneList leak (18-byte JMP to cleanup thunk) - v22: unpacker stale-pointer SEH guard (whole-function __try/__except) All five ship in leakfix.dll (117 KB, SHA d282f23c…) which is loaded by acclient.exe at process start via PE import table patching by tools/install_leakfix.py. Controlled 15-client fleet soak: unpatched control died at 26h with palette exhaustion; all 14 patched clients survived past that point and reached ≥5-day uptime. Residual ~15 MB/h growth traced to d3d9.dll's internal slab allocator (260KB surface backing buffers retained after Release). See REPORT.md §10 for the full investigation; conclusion is that it's unfixable from outside d3d9. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
commit
57b5e43d0e
199 changed files with 1648333 additions and 0 deletions
63
tools/find_holder.py
Normal file
63
tools/find_holder.py
Normal file
|
|
@ -0,0 +1,63 @@
|
|||
"""find_holder.py <pid> <target_va>
|
||||
Scan all committed private RW memory in process for pointers equal to target_va.
|
||||
Reports addresses where the pointer was found + small context."""
|
||||
import ctypes, ctypes.wintypes as wt, sys, struct
|
||||
|
||||
PROCESS_VM_READ = 0x10
|
||||
PROCESS_QUERY_INFORMATION = 0x400
|
||||
k = ctypes.windll.kernel32
|
||||
k.OpenProcess.argtypes = [wt.DWORD, wt.BOOL, wt.DWORD]; k.OpenProcess.restype = wt.HANDLE
|
||||
k.ReadProcessMemory.argtypes = [wt.HANDLE, wt.LPCVOID, wt.LPVOID, ctypes.c_size_t, ctypes.POINTER(ctypes.c_size_t)]
|
||||
k.ReadProcessMemory.restype = wt.BOOL
|
||||
k.VirtualQueryEx.argtypes = [wt.HANDLE, wt.LPCVOID, ctypes.c_void_p, ctypes.c_size_t]
|
||||
k.VirtualQueryEx.restype = ctypes.c_size_t
|
||||
|
||||
class MBI(ctypes.Structure):
|
||||
_fields_ = [("BaseAddress", ctypes.c_void_p), ("AllocationBase", ctypes.c_void_p),
|
||||
("AllocationProtect", wt.DWORD), ("RegionSize", ctypes.c_size_t),
|
||||
("State", wt.DWORD), ("Protect", wt.DWORD), ("Type", wt.DWORD)]
|
||||
|
||||
def rd(h, va, n):
|
||||
buf = (ctypes.c_ubyte * n)(); sz = ctypes.c_size_t(0)
|
||||
if not k.ReadProcessMemory(h, va, buf, n, ctypes.byref(sz)): return None
|
||||
return bytes(buf[:sz.value])
|
||||
|
||||
pid = int(sys.argv[1])
|
||||
target = int(sys.argv[2], 0)
|
||||
target_bytes = struct.pack('<I', target)
|
||||
|
||||
h = k.OpenProcess(PROCESS_VM_READ | PROCESS_QUERY_INFORMATION, False, pid)
|
||||
if not h: print("OpenProcess fail"); sys.exit(2)
|
||||
|
||||
found = []
|
||||
mbi = MBI()
|
||||
addr = 0
|
||||
while k.VirtualQueryEx(h, addr, ctypes.byref(mbi), ctypes.sizeof(mbi)):
|
||||
base = mbi.BaseAddress or 0
|
||||
sz = mbi.RegionSize
|
||||
if (mbi.State == 0x1000 and mbi.Type == 0x20000 and (mbi.Protect & 0xFF) in (0x04, 0x40)
|
||||
and sz < 64*1024*1024):
|
||||
data = rd(h, base, sz)
|
||||
if data:
|
||||
off = 0
|
||||
while True:
|
||||
off = data.find(target_bytes, off)
|
||||
if off < 0: break
|
||||
if (off & 3) == 0:
|
||||
holder_va = base + off
|
||||
# Read 32 bytes around to see what context
|
||||
ctx = data[max(0, off-16): off+16].hex(' ')
|
||||
found.append((holder_va, ctx))
|
||||
if len(found) >= 20: break
|
||||
off += 4
|
||||
if len(found) >= 20: break
|
||||
next_addr = base + sz
|
||||
if next_addr <= addr: break
|
||||
addr = next_addr
|
||||
if addr >= 0x80000000: break
|
||||
|
||||
k.CloseHandle(h)
|
||||
|
||||
print(f"Pointers to 0x{target:08x} (top {len(found)}):")
|
||||
for holder_va, ctx in found:
|
||||
print(f" @0x{holder_va:08x}: ...{ctx}...")
|
||||
Loading…
Add table
Add a link
Reference in a new issue