1 / 49

SWAT Memory Leak Detection

SWAT Memory Leak Detection. Matthias Hauswirth. Agenda. Approaches to memory leak detection SWAT infrastructure Heap model Staleness predicates Leak analysis tool. Memory Leaks. alloc. access. free. object1. time. Memory Leaks. alloc. access. free. object1. alloc. access.

tomai
Download Presentation

SWAT Memory Leak Detection

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. SWATMemory Leak Detection Matthias Hauswirth

  2. Agenda • Approaches to memory leak detection • SWAT infrastructure • Heap model • Staleness predicates • Leak analysis tool

  3. Memory Leaks alloc access free object1 time

  4. Memory Leaks alloc access free object1 alloc access object2 time shutdown

  5. Memory Leaks alloc access free object1 alloc access object2 alloc access object3 reachable unreachable time shutdown

  6. Approaches to Leak Detection • Survivors • Objects surviving until program termination • Unreachables • Objects unreachable at snapshot (GC) • Stales • Objects not recently accessed at snapshot (SWAT)

  7. Survivors: Guess o5 - o4 leak o3 leak o2 leak o1 leak time startup shutdown

  8. Survivors: Reality o5 - o4 leak ? o3 leak o2 leak o1 leak ? time startup shutdown

  9. Unreachables: Guess o5 - o4 alive o3 leak o2 alive o1 - time startup snapshot shutdown

  10. Unreachables: Reality o5 - o4 alive o3 leak o2 alive ? o1 - time startup snapshot shutdown

  11. Stales (SWAT): Guess o5 - o4 alive o3 leak o2 leak o1 - time startup snapshot shutdown

  12. Stales (SWAT): Reality o5 - o4 alive o3 leak o2 leak o1 - time startup snapshot shutdown

  13. SWAT Infrastructure winword.exe settings instrument winword.swat.exe source info swatruntime.dll run snapshots postprocess statistics view

  14. Instrument comp1 proc1

  15. Bursty Tracing:Duplicate Basic Blocks comp1 proc1 prof$proc1

  16. Bursty Tracing:Insert Dispatch Checks comp1 proc1 prof$proc1

  17. Instrumentation:Patch Allocations & Frees comp1 swatruntime.dll xalloc XallocWrapper

  18. Instrumentation:Instrument Loads & Stores comp1 proc1 prof$proc1 swatruntime.dll RecordReference

  19. Bursty TracingDispatch Check OrigSrc ProfSrc Global Counters: cOrig # of StayOrig cProf # of StayProf cOrig==1 DecOrig OrigZero DecProf cOrig>1 cProf==1 cProf>1 cProf==0 StayOrig StartOrig StayProf StartProf OrigTgt ProfTgt

  20. Adaptive Bursty Tracing • Bursty tracing • Sampling rate influences results • Rate chosen at runtime • Adaptive bursty tracing • Different sampling rate by dispatch check point • Start at high rate • Wait until average gets down to requested rate • Start rate, delta & target rate chosen at runtime

  21. Why Adaptive Bursty Tracing?

  22. Adaptive Bursty TracingDispatch Check OrigSrc ProfSrc Per-Dispatch Check Counter: cOrig[dcid] # of StayOrig Global Counter: cProf # of StayProf dcid cOrig[dcid]==1 DecOrig OrigZero DecProf cOrig[dcid]>1 cProf==1 cProf>1 cProf==0 StayOrig StartOrig StayProf StartProf OrigTgt ProfTgt

  23. Effect of Adaptive Bursty Tracing on Coverage

  24. SWAT Heap Model • Requirements • AllocateObject(eip, startAddress, size) • FreeObject(eip, startAddress) • FindObject(eip, address) • GetObjectIterator() • Implementations • Hash table (address→objectInfo) • Hash table (startAddress→objectInfo)Hash table (address→offsetToStartAddress) • Address tree

  25. SWAT Heap Model Address: 0101 0 1 0 0 1 1 0 0 0 0 1 1 1 1 0 0 0 0 0 0 0 0 1 1 1 1 1 1 1 1 0000 0100 0101 1000 1100

  26. SWAT Heap Model 0 1 0 0 1 1 0 0 0 0 1 1 1 1 0 0 0 0 0 0 0 0 1 1 1 1 1 1 1 1 0101 8 byte 0000 0100 1000 1100

  27. SWAT Heap Model 0 1 0 0 1 1 0 0 0 0 1 1 1 1 0 0 0 0 0 0 0 0 1 1 1 1 1 1 1 1 0000 0100 1000 1100

  28. SWAT Heap Model 0 1 0 0 1 1 0 0 0 1 1 1 0 0 0 0 0 1 1 1 1 1 0000 0100 1000 1100

  29. SWAT Heap Model 0 1 0 0 1 1 0 0 0 1 1 1 0 0 0 0 0 1 1 1 1 1 0000 0100 1000 1100

  30. SWAT Heap Model 0 1 0 0 1 1 0 0 1 1 0 0 1 1 0000 0100 1000 1100

  31. SWAT Heap Model 0 1 0 0 1 1 0 0 1 1 0 0 1 1 Start address: 0101 Size: 8 Access count: 19 Last access time: 19’000’000 Alloc site: EIP 0x400019 Last access site: EIP 0x400190

  32. SWAT Heap Model • Space Overhead • Address Tree Nodes • 0.03 … 0.35 allocated node bytes / allocated byte • Overall • 0.12 … 3.4 times the allocated memory • Time • FindObject(eip, address) • Log(addressSpaceSize) --- (32 bits = 32 nodes)

  33. Evaluation: Time Overhead

  34. Staleness Predicates • Stale = object not needed anymore • Stale, if… • Never accessed • Idle time > t • Idle time > n * active time idle t active idle n*active

  35. Evaluation • Inject leaks • Randomly, at runtime, decide not to execute a free • Variables • Sampling rate • Adaptive or bursty • Predicate • Measurement results per snapshot • List of objects assumed leaked • Some true, some false • List of objects assumed alive • Some true, some false

  36. Comparing Predicates

  37. Comparing Sampling Rates

  38. Lucky Omission Effect Question At time of snapshot, is object a leak? maxIdleTime Injected Leak time [# actual references] snapshot

  39. Lucky Omission Effect Low sampling rate maxIdleTime time [# actual references] snapshot

  40. Lucky Omission Effect Low sampling rate assumed leaked: true maxIdleTime time [# actual references] snapshot

  41. Lucky Omission Effect Low sampling rate assumed leaked: true maxIdleTime High sampling rate time [# actual references] snapshot

  42. Lucky Omission Effect Low sampling rate assumed leaked: true maxIdleTime High sampling rate assumed alive: false time [# actual references] snapshot

  43. Lucky Omission Effect Low sampling rate assumed leaked: true maxIdleTime lucky omission window High sampling rate assumed alive: false time [# actual references] snapshot

  44. Mitigation ofLucky Omission Effect • Reduce chance of leak happening during maxIdleTime • snapshotInterval >> maxIdleTime snapshotInterval maxIdleTime maxIdleTime time [# actual references] snapshot snapshot

  45. Practical Sampling Rates &Useful Predicates

  46. Leak Analysis Tool

  47. Ranking • Sort <alloc site, last access site> pairs • Old rankings: • # of stale objects [currently used] • # of stale bytes • Drag caused by stale objects (bytes*idle time) • New ranking: • # of predicates declaring an object stale

  48. Conclusions • Many ways to leak detection • Predicting leaks by looking at past events: • Important objects might never be used (boxsim) • Lots of stale objects might indicate a space-inefficient algorithm • Leak Analysis Tool • Made it easy to find several statically injected leaks

  49. Future Work • Currently: • Store source info compactly (at instrumentation time) • Snapshots at runtime don’t use source info • Post process snapshots to add source info • This week: • Rank leaks • Update Leak Analysis Tool to use ranking • Run new version on winword.exe and mshtml.dll • Later: • Combine “Unreachables” with “Stales” approach

More Related