Interpreting App Verifier output: Heap corruption or misinterpreting stack address as heap address?

We have a test case that crashes our big MFC-based app with a heap corruption error.

I turned on the page heap using App Verifier for the DLL in question (turning the heap on for the entire process isn't workable for other reasons, unfortunately.) The verifier didn't give us any more information than we already had; it triggered at the same point as the original crash.

Right now I have two competing theories. Which theory do you think is more likely to be correct, and what would your next steps be?

1. This is indeed heap corruption. The verifier isn't catching the original damage because it's happening in another DLL. We should try to activate the verifier for more DLLs and determine what code is damaging the heap.
2. The heap is fine; the problem is that we are treating a stack address as a heap address. We should study the code in this callstack further to figure out what's going wrong.

I'm leaning #2 because the parameter to free() looks like a stack address, but so far nobody has proposed an explanation for how this is possible.

Here's a snippet of the call stack. MyString is a simple wrapper around CString. MyAppDll is the DLL that's set to use the page heap.

msvcr90.dll!free(void * pBlock=0x000000000012d6e8)  Line 110
mfc90u.dll!ATL::CStringT > >::~CStringT > >()  Line 1011 + 0x1e bytes
MyStringDll.dll!MyString::~MyString()  Line 59
MyAppDll.dll!doStuffWithLotsOfStringInlining(MyClass* input=0x000000000012d6d0)  Line 863 + 0x26 bytes

Here are the registers inside the free() stack frame:

RAX = 0000000000000000 RBX = 000000000012D6E8 RCX = 0000000000000000 
RDX = 0000000000000000 RSI = 000000000012D6D0 RDI = 00000000253C1090 
R8  = 0000开发者_高级运维000000000000 R9  = 0000000000000000 R10 = 0000000000000000 
R11 = 0000000000000000 R12 = 000000000012D7D0 R13 = 000007FFFFC04CE0 
R14 = 0000000025196600 R15 = 0000000000000000 RIP = 00000000725BC7BC 
RSP = 000000000012D570 RBP = 000007FFF3670900 EFL = 00000000 

And here's the app verifier message:

VERIFIER STOP 0000000000000010: pid 0x1778: Corrupted start stamp for heap block. 

    00000000083B1000 : Heap handle used in the call.
    000000006DD394E8 : Heap block involved in the operation.
    54D32858A8747589 : Size of the heap block.
    000000005E33BA8D : Corrupted stamp value.

I think your string or users of it is/are overflowing/underflowing the string's buffer somewhere, probably against a field which is next to the string pointer, which you then try to free.

Your RSP is 12D570, which is 94 quads (ints) away from what you are trying to free, so somewhere between there, something bad is happening with buffers.

Verify that you are not doing any unsafe string ops and that you are correctly reading the documentation for passing buffers/strings into the DLLs you are using.

You probably need more code in your question if you want a more exact answer.