http://bugs.winehq.org/show_bug.cgi?id=23578
--- Comment #54 from Kfir Itzhak mastertheknife@gmail.com 2010-07-16 07:33:19 ---
Ok, I did read some source code of Wine.
Assuming the problem is VAC scanning memory aggressively like people said, I found two potential problems.
ReadProcessMemory() calls NtReadVirtualMemory(), which sends a read_process_memory request to wineserver. wineserver dynamically allocates a temporary buffer (of the requested size) and calls read_process_memory with that buffer, and that function is the one actually reading from the process's virtual memory. However, it doesn't seem efficient. To read the memory, it seems like it's pausing a thread in the running program, reading the memory and letting the thread continue.
So it can be:
1) read_process_memory in wineserver/ptrace.c being inefficient
2) VAC reads the memory in small chunks; this causes wineserver to allocate memory for every request, and believe me, malloc() can be expensive. I did a test a year ago: malloc'ing 64,000 linked list nodes took over 10 seconds.
I will do a test and replace the memory allocation in the read_process_memory request with a fixed size buffer. The problem is, I'm not sure what the maximum allowed read size for ReadProcessMemory() is and how much memory VAC is trying to read at each call. I think 1MB might be a safe bet for testing without getting VAC banned.
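
Added illustration, not part of the comment above and not wineserver code: a toy C model of the change the comment proposes, serving chunked read requests from a reused fixed-size buffer instead of a per-request malloc(), with a heap fallback for requests larger than that buffer. `target_mem`, `scan_out`, `handle_read_request` and `scan` are hypothetical names, the 1 MB size is the commenter's guess, and the model only counts allocations; it does not measure the cost of the ptrace path.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define FIXED_BUF_SIZE (1u << 20)  /* 1 MB, the size guessed in the comment */
#define TARGET_SIZE    (4u << 20)  /* constructed stand-in for the target's memory */

static unsigned char target_mem[TARGET_SIZE]; /* simulated target address space */
static unsigned char fixed_buf[FIXED_BUF_SIZE];
static unsigned char scan_out[TARGET_SIZE];   /* where the "client" collects replies */
static unsigned long heap_allocs;             /* how often the handler called malloc() */

/* Serve one read request. Oversized requests fall back to the heap, not truncation. */
int handle_read_request(size_t addr, size_t len, unsigned char *reply, int use_fixed)
{
    unsigned char *buf = fixed_buf;
    int heap = !use_fixed || len > FIXED_BUF_SIZE;

    if (addr > TARGET_SIZE || len > TARGET_SIZE - addr) return -1; /* overflow-safe bounds check */
    if (heap) {
        buf = malloc(len ? len : 1);
        if (!buf) return -1;
        heap_allocs++;
    }
    memcpy(buf, target_mem + addr, len); /* stand-in for the server-side copy */
    memcpy(reply, buf, len);             /* reply sent back to the caller */
    if (heap) free(buf);
    return 0;
}

/* Read `total` bytes in `chunk`-sized requests; returns malloc() calls made, -1 on error. */
long scan(size_t total, size_t chunk, int use_fixed)
{
    if (chunk == 0 || total > TARGET_SIZE) return -1;
    heap_allocs = 0;
    for (size_t off = 0; off < total; off += chunk) {
        size_t n = total - off < chunk ? total - off : chunk;
        if (handle_read_request(off, n, scan_out + off, use_fixed)) return -1;
    }
    return (long)heap_allocs;
}

int main(void)
{
    printf("64-byte reads, malloc per request: %ld allocations\n", scan(1u << 20, 64, 0));
    printf("64-byte reads, fixed buffer:       %ld allocations\n", scan(1u << 20, 64, 1));
    return 0;
}
```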