windows - poolmon负数是什么意思？

Question

我正在使用 Win 10 SDK 中的 poolmon 来分析内存泄漏，我在卸载驱动程序后立即运行它。我的命令行是

poolmon.exe -s -e -g -r -n poolmondump.txt

来自 poolmon/? 的参数定义

-s                  Display session pool
-n [Logfile]        Take a pool snapshot
                    Logfile maybe specified, default is poolsnap.log
-g [PoolTagFile]    Display driver information using PoolTagFile
                    If PoolTagFile is not specified
                    use 'pooltag.txt' from current directory
-e                  Display totals
-r                  Print memory summary information

一段输出是

 Tag  Type     Allocs         Frees    Diff   Bytes    Per Alloc    Mapped_Driver
  SIFP Paged 245366784   2359304  243007480      -1         17       [MyDriver.sys]
  SIFP Nonp          7         7         0       -1         -1       [MyDriver.sys]

有时会有负的Diff

 Tag  Type     Allocs         Frees    Diff   Bytes    Per Alloc    Mapped_Driver
 NweN Paged    529879   4784171  -4254292      -1          1        [MyDriver.sys]
 PBDN Paged        43        66       -23       1          0        [MyDriver.sys]

这个怎么理解？如何处理？我正在尝试重命名标签，但每天都有新的东西。
这仅发生在测试设置中使用的一个虚拟机上。

Answer 1

PoolMan Windows 中存在驱动程序，它:

displays data that the operating system collects about memory allocations from the system paged and nonpaged kernel pools, and the memory pools used for Terminal Services sessions. The data is grouped by pool allocation tag.

Driver developers and testers often use PoolMon to detect memory leaks when they create a new driver, change the driver code, or stress the driver. You can also use PoolMon in each stage of testing to view the driver's patterns of allocation and free operations, and to reveal how much pool memory the driver is using at any given time.

以下是命令:

 poolmon [/iTag] [/xTag] [/c [LocalTagFile]] [/g [PoolTagFile]] [/s[TSSessionID]] [ /p | /p /p ] [/e] [/( | /)]  [/t | /a| /f| /d | /b| /m] [/l] [/n [File]] [/? | /h]

解释:

Parameters

/i Displays only the allocations with the specified pool tag. You can have multiple /i parameters in a PoolMon command. Do not type a space between the /i and the Tag argument.

/x Excludes allocations with the specified tag from the display. You can have multiple /x parameters in a PoolMon command. Do not type a space between the /x and the Tag argument.

Tag Specifies a pool tag or pool tag pattern. Pool tags are case-sensitive. The Tag argument can include an asterisk () to represent zero or more instances of any character, or a question mark (?*) to represent one instance of any character. Do not begin a tag with an asterisk.

/c Adds a column to the display (Mapped_Driver) listing the drivers on the local computer that use each pool tag. This feature is supported only on 32-bit versions of Windows.

LocalTagFile Specifies the path and file name of a local tag file, a formatted text file that contains a list of the drivers on the local computer, and the tag values that they assign. This file is the data source for the Mapped_Driver column that appears when you use the /c parameter. The default is localtag.txt.

If you use the /c parameter, but do not specify a value for LocalTagFile, and PoolMon does not find a localtag.txt file in the current directory, PoolMon generates a localtag.txt file by scanning the drivers on the local computer (%SystemRoot%\System32\Drivers*.sys) .

/g Adds a column to the display (Mapped_Driver) listing Windows components and commonly used drivers that assign each tag.

PoolTagFile Specifies the path and file name of a formatted text file that lists the names of Windows components and commonly used drivers and the tag values they assign. This file is the data source for the Mapped_Driver column that appears when you use the /g parameter.

The default is pooltag.txt, a file provided by Microsoft. Pooltag.txt is included in the Tools\Other subdirectory of the Windows Driver Kit (WDK).

/s Displays allocations from the Terminal Services session pools.

TSSessionID Displays only allocations from the specified session pool. Do not type a space between the /s parameter and the TSSessionID argument.

/p Displays only allocations from the nonpaged pool.

/p /p Displays only allocations from the paged pool.

/e Displays pool totals. The totals appear at the bottom of the display.

/( or /) Turns on the sort-by-change mode. With /( or /), PoolMon sorts by the change in a value (allocation, free operations, and bytes), instead of the value. The change in each value is displayed in a parentheses after the value.

Use with /a, /f, /b or /m. For example, poolmon /a sorts the display by number of allocations, while poolmon /( /a sorts the display by the change in the number of allocations.

The left parenthesis and right parenthesis characters have the same effect and can be used interchangeably.

/t Sorts alphabetically by tag name. This is the default.

/a Sorts tags by the number of allocations.

/f Sorts tags by the number of free operations.

/d Sorts tags by the difference between bytes allocations and bytes freed.

/b Sorts tags by bytes used.

/m Sorts tags by bytes-per-allocation.

/l Turns highlighting off. By default, PoolMon highlights values that have changed since the last update.

/n Saves a snapshot of the PoolMon output to a file, instead of displaying it in a command window. You can include other command-line parameters to configure the output.

Because the snapshot data is static, the columns that show the change in values in the PoolMon display do not appear in a snapshot file.

File Specifies the name and location of the snapshot file. The default is poolsnap.log.

/? or /h Displays command-line syntax. The /? and /h parameters have the same effect and can be used interchangeably.