490 likes | 685 Vues
SWAT Memory Leak Detection. Matthias Hauswirth. Agenda. Approaches to memory leak detection SWAT infrastructure Heap model Staleness predicates Leak analysis tool. Memory Leaks. alloc. access. free. object1. time. Memory Leaks. alloc. access. free. object1. alloc. access.
E N D
SWATMemory Leak Detection Matthias Hauswirth
Agenda • Approaches to memory leak detection • SWAT infrastructure • Heap model • Staleness predicates • Leak analysis tool
Memory Leaks alloc access free object1 time
Memory Leaks alloc access free object1 alloc access object2 time shutdown
Memory Leaks alloc access free object1 alloc access object2 alloc access object3 reachable unreachable time shutdown
Approaches to Leak Detection • Survivors • Objects surviving until program termination • Unreachables • Objects unreachable at snapshot (GC) • Stales • Objects not recently accessed at snapshot (SWAT)
Survivors: Guess o5 - o4 leak o3 leak o2 leak o1 leak time startup shutdown
Survivors: Reality o5 - o4 leak ? o3 leak o2 leak o1 leak ? time startup shutdown
Unreachables: Guess o5 - o4 alive o3 leak o2 alive o1 - time startup snapshot shutdown
Unreachables: Reality o5 - o4 alive o3 leak o2 alive ? o1 - time startup snapshot shutdown
Stales (SWAT): Guess o5 - o4 alive o3 leak o2 leak o1 - time startup snapshot shutdown
Stales (SWAT): Reality o5 - o4 alive o3 leak o2 leak o1 - time startup snapshot shutdown
SWAT Infrastructure winword.exe settings instrument winword.swat.exe source info swatruntime.dll run snapshots postprocess statistics view
Instrument comp1 proc1
Bursty Tracing:Duplicate Basic Blocks comp1 proc1 prof$proc1
Bursty Tracing:Insert Dispatch Checks comp1 proc1 prof$proc1
Instrumentation:Patch Allocations & Frees comp1 swatruntime.dll xalloc XallocWrapper
Instrumentation:Instrument Loads & Stores comp1 proc1 prof$proc1 swatruntime.dll RecordReference
Bursty TracingDispatch Check OrigSrc ProfSrc Global Counters: cOrig # of StayOrig cProf # of StayProf cOrig==1 DecOrig OrigZero DecProf cOrig>1 cProf==1 cProf>1 cProf==0 StayOrig StartOrig StayProf StartProf OrigTgt ProfTgt
Adaptive Bursty Tracing • Bursty tracing • Sampling rate influences results • Rate chosen at runtime • Adaptive bursty tracing • Different sampling rate by dispatch check point • Start at high rate • Wait until average gets down to requested rate • Start rate, delta & target rate chosen at runtime
Adaptive Bursty TracingDispatch Check OrigSrc ProfSrc Per-Dispatch Check Counter: cOrig[dcid] # of StayOrig Global Counter: cProf # of StayProf dcid cOrig[dcid]==1 DecOrig OrigZero DecProf cOrig[dcid]>1 cProf==1 cProf>1 cProf==0 StayOrig StartOrig StayProf StartProf OrigTgt ProfTgt
SWAT Heap Model • Requirements • AllocateObject(eip, startAddress, size) • FreeObject(eip, startAddress) • FindObject(eip, address) • GetObjectIterator() • Implementations • Hash table (address→objectInfo) • Hash table (startAddress→objectInfo)Hash table (address→offsetToStartAddress) • Address tree
SWAT Heap Model Address: 0101 0 1 0 0 1 1 0 0 0 0 1 1 1 1 0 0 0 0 0 0 0 0 1 1 1 1 1 1 1 1 0000 0100 0101 1000 1100
SWAT Heap Model 0 1 0 0 1 1 0 0 0 0 1 1 1 1 0 0 0 0 0 0 0 0 1 1 1 1 1 1 1 1 0101 8 byte 0000 0100 1000 1100
SWAT Heap Model 0 1 0 0 1 1 0 0 0 0 1 1 1 1 0 0 0 0 0 0 0 0 1 1 1 1 1 1 1 1 0000 0100 1000 1100
SWAT Heap Model 0 1 0 0 1 1 0 0 0 1 1 1 0 0 0 0 0 1 1 1 1 1 0000 0100 1000 1100
SWAT Heap Model 0 1 0 0 1 1 0 0 0 1 1 1 0 0 0 0 0 1 1 1 1 1 0000 0100 1000 1100
SWAT Heap Model 0 1 0 0 1 1 0 0 1 1 0 0 1 1 0000 0100 1000 1100
SWAT Heap Model 0 1 0 0 1 1 0 0 1 1 0 0 1 1 Start address: 0101 Size: 8 Access count: 19 Last access time: 19’000’000 Alloc site: EIP 0x400019 Last access site: EIP 0x400190
SWAT Heap Model • Space Overhead • Address Tree Nodes • 0.03 … 0.35 allocated node bytes / allocated byte • Overall • 0.12 … 3.4 times the allocated memory • Time • FindObject(eip, address) • Log(addressSpaceSize) --- (32 bits = 32 nodes)
Staleness Predicates • Stale = object not needed anymore • Stale, if… • Never accessed • Idle time > t • Idle time > n * active time idle t active idle n*active
Evaluation • Inject leaks • Randomly, at runtime, decide not to execute a free • Variables • Sampling rate • Adaptive or bursty • Predicate • Measurement results per snapshot • List of objects assumed leaked • Some true, some false • List of objects assumed alive • Some true, some false
Lucky Omission Effect Question At time of snapshot, is object a leak? maxIdleTime Injected Leak time [# actual references] snapshot
Lucky Omission Effect Low sampling rate maxIdleTime time [# actual references] snapshot
Lucky Omission Effect Low sampling rate assumed leaked: true maxIdleTime time [# actual references] snapshot
Lucky Omission Effect Low sampling rate assumed leaked: true maxIdleTime High sampling rate time [# actual references] snapshot
Lucky Omission Effect Low sampling rate assumed leaked: true maxIdleTime High sampling rate assumed alive: false time [# actual references] snapshot
Lucky Omission Effect Low sampling rate assumed leaked: true maxIdleTime lucky omission window High sampling rate assumed alive: false time [# actual references] snapshot
Mitigation ofLucky Omission Effect • Reduce chance of leak happening during maxIdleTime • snapshotInterval >> maxIdleTime snapshotInterval maxIdleTime maxIdleTime time [# actual references] snapshot snapshot
Ranking • Sort <alloc site, last access site> pairs • Old rankings: • # of stale objects [currently used] • # of stale bytes • Drag caused by stale objects (bytes*idle time) • New ranking: • # of predicates declaring an object stale
Conclusions • Many ways to leak detection • Predicting leaks by looking at past events: • Important objects might never be used (boxsim) • Lots of stale objects might indicate a space-inefficient algorithm • Leak Analysis Tool • Made it easy to find several statically injected leaks
Future Work • Currently: • Store source info compactly (at instrumentation time) • Snapshots at runtime don’t use source info • Post process snapshots to add source info • This week: • Rank leaks • Update Leak Analysis Tool to use ranking • Run new version on winword.exe and mshtml.dll • Later: • Combine “Unreachables” with “Stales” approach