@Copilot Copilot AI commented Sep 25, 2025

This PR implements comprehensive TTD (Time Travel Debugging) heap analysis functionality as requested in the issue, providing the ability to query and display @$curprocess.TTD.Heap objects with full UI and Python API integration.

Overview

The implementation adds complete support for analyzing heap operations in TTD traces, following the same architectural patterns established by the existing TTD.Memory and TTD.Calls features. This enables developers to track memory allocations, deallocations, and other heap operations throughout the execution of a traced program.

Key Features

Core API Implementation

  • TTDHeapEvent Structure: Comprehensive data structure capturing all heap properties from the TTD.Heap specification including Action, Heap handle, Address information, Size data, Flags, Result codes, and timing information
  • DbgEng Integration: Uses Windows Data Model APIs to query @$cursession.TTD.Data.Heap() with robust COM interface handling and error management
  • Complete API Stack: Methods implemented across all layers (DebuggerController, DebugAdapter, DbgEngTTDAdapter) with proper inheritance and default implementations

UI Widget

  • Professional Interface: New TTD Heap sidebar widget following Binary Ninja's established design patterns
  • 18 Data Columns: All heap properties including Action, Heap, Address, Previous Address, Size, Base Address, Flags, Result, Reserve Size, Commit Size, Make Read Only, Thread information, and Parameters
  • Interactive Features:
    • Double-click TimeStart/TimeEnd columns to navigate to specific positions in the TTD trace
    • Sortable columns with proper numerical sorting for addresses and sizes
    • Customizable column visibility with show/hide options
    • Context menus for data export (copy cell, row, or entire table)
    • Tabbed interface supporting multiple heap analysis sessions

Python API Integration

  • TTDHeapEvent Class: Complete Python binding with all heap operation properties
  • get_ttd_heap_objects() Method: Direct programmatic access for automated analysis and scripting
  • Comprehensive Documentation: Usage examples, heap analysis patterns, and memory leak detection techniques

Supported Heap Operations

The implementation handles all heap actions specified in the TTD.Heap documentation:

  • Alloc: Memory allocation operations with size and address tracking
  • ReAlloc: Memory reallocation with previous address preservation
  • Free: Memory deallocation operations
  • Create: Heap creation with reserve and commit size information
  • Protect: Heap protection changes with read-only flags
  • Lock/Unlock: Heap synchronization operations
  • Destroy: Heap destruction operations

Usage Examples

UI Usage

  1. Open TTD trace in Binary Ninja debugger
  2. Navigate to TTD Heap widget in sidebar
  3. Click "Query Heap Objects" to analyze all heap operations
  4. Double-click time columns to navigate to specific heap operations
  5. Use column visibility dialog to customize display

Python API Usage

```python
# Get all heap operations in the trace
heap_events = dbg.get_ttd_heap_objects()

# Analyze allocation patterns
allocs = [e for e in heap_events if e.action == "Alloc"]
frees = [e for e in heap_events if e.action == "Free"]
print(f"Potential leaks: {len(allocs) - len(frees)} allocations")

# Navigate to specific heap operation
if heap_events:
    dbg.set_ttd_position(heap_events[0].time_start)
```

Technical Implementation

  • Memory Management: Proper string and array allocation/deallocation in C FFI layer
  • Error Handling: Comprehensive exception handling with detailed logging
  • Performance: Efficient batch processing of heap objects from TTD data model
  • Integration: Seamless integration with existing TTD infrastructure and Binary Ninja's debugger architecture

This implementation provides a complete solution for heap analysis in TTD traces, enabling developers to identify memory leaks, analyze allocation patterns, and debug heap-related issues with the same level of sophistication as the existing TTD Memory and Calls analysis tools.

Original prompt

This section details the original issue you should resolve

<issue_title>Query and display TTD.Heap object</issue_title>
<issue_description>1. Add API and implementation for querying @$curprocess.TTD.Heap . Add a dumb base implementation in DebugAdapter and override it in the dbgeng TTD adapter to provide the actual implementation
2. Add a new UI widget that is similar to the TTD.Calls/Memory widget
3. Provide Python API access to the events

Description

TTD Heap objects are used to give information about heap calls that occur over the course of a trace.
Properties

Every heap object will have these properties.

| Property | Description |
| --- | --- |
| Action | Describes the action that occurred. Possible values are: Alloc, ReAlloc, Free, Create, Protect, Lock, Unlock, Destroy. |
| Heap | The handle for the Win32 heap. |

Conditional properties

Depending on the heap object, it may have some of the properties below.

| Property | Description |
| --- | --- |
| Address | The address of the allocated object. |
| PreviousAddress | The address of the allocated object before it was reallocated. If Address is not the same as PreviousAddress then the reallocation caused the memory to move. |
| Size | The size and/or requested size of an allocated object. |
| BaseAddress | The address of an allocated object in the heap. It can represent the address which will be freed (Free) or the address of the object before it is reallocated (ReAlloc.) |
| Flags | Meaning depends on the API. |
| Result | The result of the heap API call. Non-zero means success and zero means failure. |
| ReserveSize | Amount of memory to reserve for the heap. |
| CommitSize | Initial committed size for the heap. |
| MakeReadOnly | A non-zero value indicates a request to make the heap read-only; A zero value indicates the heap should be read-write. |

Children

| Object | Description |
| --- | --- |
| TimeStart | A position object that describes the position at the start of the allocation. |
| TimeEnd | A position object that describes the position at the end of the allocation. |

Example Usage

Use this dx (Display Debugger Object Model Expression) command to display the heap memory in a grid using the -g option.
```dbgcmd
0:0:000> dx -g @$cursession.TTD.Data.Heap()
=======================================================================================================================================================
=                          = Action     = Heap          = Address       = Size      = Flags  = (+) TimeStart = (+) TimeEnd = Result = PreviousAddress =
=======================================================================================================================================================
= [0x0] : [object Object]  - Alloc      - 0xaf0000      - 0xb0cfd0      - 0x4c      - 0x0    - FAB:17B1      - FAD:40      -        -                 =
= [0x1] : [object Object]  - Alloc      - 0xaf0000      - 0xb07210      - 0x34      - 0x8    - FB1:9         - FB3:74      -        -                 =
= [0x2] : [object Object]  - Alloc      - 0xaf0000      - 0xb256d8      - 0x3c      - 0x8    - E525:174      - E526:E1     -        -                 =
```

The output can be described as “normalized data” because there is a chosen set of APIs that represent heap operations. The data that is extracted from the appropriate parameters is presented in a uniform manner.

Clicking on TimeStart or TimeEnd will navigate you to that point in the trace.

Click on the parameters field next to a specific entry, to display available parameter information.
```dbgcmd
dx -r1 @$cursession.TTD.Data.Heap()[2].@"Parameters"
@$cursession.TTD.Data.Heap()[2].@"Parameters"                
    [0x0]            : 0x16c7d780000
    [0x1]            : 0x280000
    [0x2]            : 0x20
    [0x3]            : 0x0
...    
```

Increase the recursion -r value to display additional information.
```</issue_description>

## Comments on the Issue (you are @copilot in this section)

<comments>
</comments>

Fixes #863
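
An added example, not part of this PR or the Binary Ninja code base: rather than comparing Alloc and Free counts, it replays the heap events in trace order and pairs each Free and ReAlloc with the block it releases, reporting blocks still live at the end and frees of blocks that are not live. `HeapEvent` is a stand-in for the PR's `TTDHeapEvent`; apart from `action` and `time_start`, its field names are assumptions modelled on the TTD.Heap properties, and the sample events are constructed.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class HeapEvent:
    """Stand-in for TTDHeapEvent; field names other than action/time_start are assumed."""
    action: str
    heap: int
    time_start: str
    address: Optional[int] = None        # Alloc / ReAlloc: block returned
    base_address: Optional[int] = None   # Free / ReAlloc: block passed in
    result: int = 1                      # Free: non-zero means success

def audit_heap(events):
    """Replay events in trace order; return (unfreed, suspicious_frees)."""
    live = {}        # (heap, address) -> event that produced the live block
    suspicious = []  # Free events whose block was not live when freed
    for e in events:
        if e.action == "Alloc" and e.address:
            live[(e.heap, e.address)] = e
        elif e.action == "ReAlloc" and e.address:
            # A failed ReAlloc returns no address and leaves the old block live.
            live.pop((e.heap, e.base_address), None)
            live[(e.heap, e.address)] = e
        elif e.action == "Free" and e.base_address:
            key = (e.heap, e.base_address)
            if key not in live:
                suspicious.append(e)     # double free, or block predates the trace
            elif e.result:
                del live[key]
        elif e.action == "Destroy":
            # Destroying a heap releases every block that still belongs to it.
            for key in [k for k in live if k[0] == e.heap]:
                del live[key]
    return list(live.values()), suspicious

# Constructed sample events (not taken from a real trace).
SAMPLE = [
    HeapEvent("Alloc", 0xaf0000, "FAB:17B1", address=0xb0cfd0),
    HeapEvent("Alloc", 0xaf0000, "FB1:9", address=0xb07210),
    HeapEvent("ReAlloc", 0xaf0000, "FC0:10", address=0xb30000, base_address=0xb07210),
    HeapEvent("Free", 0xaf0000, "FD2:4", base_address=0xb30000),
    HeapEvent("Free", 0xaf0000, "FD9:2", base_address=0xb30000),  # second free
    HeapEvent("Alloc", 0xaf0000, "E525:174", address=0xb256d8),
]

if __name__ == "__main__":
    unfreed, suspicious = audit_heap(SAMPLE)
    for e in unfreed:
        print(f"unfreed    {e.address:#x} allocated at {e.time_start}")
    for e in suspicious:
        print(f"suspicious free of {e.base_address:#x} at {e.time_start}")
```

A trace that starts after process launch does not contain the earlier allocations, so a flagged free is a lead to inspect at its `time_start`, not proof of a double free.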


@CLAassistant

CLA assistant check
Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.
You have signed the CLA already but the status is still pending? Let us recheck it.

@Copilot Copilot AI changed the title from "[WIP] Query and display TTD.Heap object" to "Implement TTD.Heap object query and display functionality" Sep 25, 2025
@Copilot Copilot AI requested a review from xusheng6 September 25, 2025 07:28
Copilot finished work on behalf of xusheng6 September 25, 2025 07:28