Leakpoint: Pinpointing the Causes of Memory Leaks (ICSE 2010)
Transcript

  • 1. LEAKPOINT: Pinpointing the Causes of Memory Leaks. James Clause and Alessandro Orso, Georgia Institute of Technology. Supported in part by NSF and IBM Research.
  • 6. Memory leak classification
      void *p = malloc(100);   (memory area M)
      Lost memory: M becomes unreachable before being deallocated
      Forgotten memory: M is reachable, but is never accessed or deallocated
      • common
      • difficult to manually detect
      • high impact
  • 7. Existing techniques
      Publications: M. Bond and K. McKinley ‘06; R. Hastings and B. Joyce ‘92; M. Hauswirth and T. Chilimbi ‘04; D. Heine and M. Lam ‘03; D. Heine and M. Lam ‘06; M. Jump and K. McKinley ‘07; J. Maebe, M. Ronsse, and K. D. Bosschere ‘04; N. Mitchell and G. Sevitsky ‘03; G. Novark, E. D. Berger, and B. G. Zorn ‘09; M. Orlovich and R. Rugina ‘06; F. Qin, S. Lu, and Y. Zhou ‘05; Y. Xie and A. Aiken ‘05; G. Xu and A. Rountev ‘08; S. Cherem, L. Princehouse, and R. Rugina ‘06; W. DePauw and G. Sevitsky ’99
      Tools: mtrace, leaks, MemCheck, purify
  • 10. Detecting leaks is easy; fixing them is not
      addhash(char hname[]) {
          int i;
          HASHPTR hptr;
          unsigned int hsum = 0;
          for (i = 0; i < strlen(hname); i++) {
              hsum += (unsigned int) hname[i];
          }
          hsum %= 3001;
          if ((hptr = hashtab[hsum]) == (HASHPTR) NULL) {
              hptr = hashtab[hsum] = (HASHPTR) malloc(sizeof(HASHBOX));
              hptr->hnext = (HASHPTR) NULL;
              hptr->hnum = ++netctr;
              hptr->hname = (char *) malloc((strlen(hname) + 1) * sizeof(char));
              sprintf(hptr->hname, "%s", hname);
              return(1);
          } else {
              ...
          }
      }
  • 20. Overview
      1. Tainting pointers
      2. Propagating taint marks
      3. Identifying when leaks occur
      Leak locations are close to where leaks should be fixed.
  • 24. Detecting leaks is easy; fixing them is too
      Allocation in addhash:
          hptr->hname = (char *) malloc((strlen(hname) + 1) * sizeof(char));
      delHtab() {
          int i;
          HASHPTR hptr, zapptr;
          for (i = 0; i < 3001; i++) {
              hptr = hashtab[i];
              if (hptr != (HASHPTR) NULL) {
                  zapptr = hptr;
                  while (hptr->hnext != (HASHPTR) NULL) {
                      hptr = hptr->hnext;
                      free(zapptr);
                      zapptr = hptr;
                  }
                  free(hptr);
              }
          }
          free(hashtab);
          return;
      }
      Statement added on this slide: free(hptr->hname);
  • 25. Outline
      • Our technique
      • Tainting pointers
      • Tracking pointers
      • Checking for leaks
      • Implementation
      • Evaluation
      • Conclusions and future work
  • 29. 1. Tainting pointers
      Assign a taint mark to pointers returned from allocation functions (e.g., malloc)
      Metadata                 Initialized to
      Allocation location      current location
      Last use location        current location
      Deallocated indicator    false
      Allocation size          size of the memory area
      Pointer count            1
  • 34. 2. Propagating taint marks
      1. Track the flow of pointers throughout the execution
      2. Update taint marks’ mutable metadata
  • 42. Tracking pointers (based on domain knowledge and expertise)
      Operations: assignment; addition; subtraction; and; multiplication; division; modulus; or, xor, shift, not; comparison
      Examples on the slide:
          p2 = p1 ➔ p2
          p2 = p2 ± 1 ➔ p2
          p3 = p2 ± p1 ➔ p3
          p2 = p2 & 0xffff ➔ p2
      not tainted
  • 48. Update metadata (1): Pointer counts
      • Assignment: increment the count of the pointer that is copied, decrement the count of the pointer that is overwritten
      • Function return: decrement the count of pointers stored in local variables
      • Memory deallocation: decrement the count of pointers reachable from the deallocated memory
      Example:
          ptr3 = ptr1 ➔ ptr3, ptr1 (pointer count 1 ➔ 2)
          ptr1 = NULL ➔ ptr1, ptr3 (pointer count 2 ➔ 1)
  • 53. Update metadata (2)
      Deallocation indicator
      • Set to true when a pointer is passed to a deallocation function (e.g., free)
      Last use location
      • Set to the current location whenever a pointer is
          - propagated
          - passed as a function argument
          - returned from a function
          - used to access memory
  • 59. 3. Identifying when leaks occur
      Lost memory: if a taint mark’s pointer count is zero and its deallocated indicator is false
      Forgotten memory: if, at the end of execution, a taint mark’s deallocated indicator is false
      (Checks are recursive)
      Generate a leak report:
      • allocation location, allocation size, and last use location
      Merge leak reports:
      • combine reports with identical allocation and last use locations, add allocation sizes
  • 61. Prototype tool
      Implemented using Valgrind
      30–100x overheads
  • 65. Prototype tool (implemented using Valgrind)
      16 bytes of memory allocated:
        at malloc
        by addhash (hash.c:50)
        by parser (parser.c:210)
        by readcell (parser.c:34)
        by main (main.c:98)
      was leaked:
        at free
        by delHtab (hash.c:28)
        by grdcell(grdcell.c:354)
        by main (main.c:227)
      Can be used to prioritize debugging effort
  • 66. Evaluation
      RQ1: How does Leakpoint’s ability to detect memory leaks compare to existing tools?
      RQ2: How effective is Leakpoint at guiding developers to the locations where memory leaks may be fixed?
  • 73. RQ1: Comparison with existing tools. Slide labels: "Leak detection", "Leak identification" (table as on slide 79).
  • 79. RQ1: Comparison with existing tools
      # Detected memory leaks (# false positives)
      Subjects       mtrace   omega        MemCheck   Leakpoint
      164.gzip       4        1            4          4
      175.vpr        47       0            47         47
      176.gcc        1121     406 (1415)   1121       1121
      181.mcf        0        0            0          0
      186.crafty     37       0            37         37
      197.parser     2        0            2          2
      252.eon        380      380          380        380
      253.perlbmk    3481     0 (2)        3481       536
      254.gap        2        0 (2)        2          2
      255.vortex     15       1            15         15
      256.bzip2      10       1            10         10
      300.twolf      1403     68 (3)       1403       1403
      Leakpoint is at least as effective as existing tools at detecting memory leaks
  • 84. RQ2: Effectiveness at guiding developers
      Compare the leak locations identified by Leakpoint with the locations where the leaks were fixed by the original application developers.
      Transmission
      4 memory leaks total
  • 87. Transmission (Distance: 6 statements)
      static void processCompletedTasks(tr_web *web) {
          ...
          task->done_func(web->session, ..., task->done_func_user_data);
          ...
          evbuffer_free(task->response);
          tr_free(task->url);
          tr_free(task);
          ...
      }
      static void invokeRequest(void * vreq) {
          ...
          hash = tr_new0(uint8_t, SHA_DIGEST_LENGTH);
          memcpy(hash, req->torrent_hash, SHA_DIGEST_LENGTH);
          tr_webRun(req->session, req->url, req->done_func, hash);
          ...
      }
      static void onStoppedResponse(tr_session *session, ..., void *torrent_hash) {
          dbgmsg(NULL, "got a response ... message");
          onReqDone(session);
      }
      // tr_free(torrent_hash);
  • 90. Lighttpd 1 (Distance: overlapping)
      URIHANDLER_FUNC(mod_rewrite_uri_handler) {
          ...
          hctx = handler_ctx_init();
          con->plugin_ctx[p->id] = hctx;
          ...
      }
      // if(con->plugin_ctx[p->id] == NULL) {
      // }
      // else {
      //     hctx = con->plugin_ctx[p->id];
      // }
  • 93. Lighttpd 2 (Distance: 1 statement)
      int http_request_parse(server *srv, connection *con) {
          ...
          if (NULL == (ds = (data_string *)array_get_unused_element(con->request.headers, TYPE_STRING))) {
              ds = data_string_init();
          }
          ...
          else if (cmp > 0 &&
                   0 == (cmp = buffer_caseless_compare(CONST_BUF_LEN(ds->key),
                                                       CONST_STR_LEN("Content-Length")))) {
              char *err;
              unsigned long int r;
              size_t j;
              if (con_length_set) {
                  con->http_status = 400;
                  con->keep_alive = 0;
                  if (srv->srvconf.log_request_header_on_error) {
                      log_error_write(srv, __FILE__, __LINE__, "s", "duplicate ...");
                      log_error_write(srv, __FILE__, __LINE__, "Sb", "request-header:\n",
                                      con->request.request);
                  }
                  return 0;
              }
              ...
      }
      // array_insert_unique(con->request.headers, (data_unset *)ds);
  • 96. GCC (Distance: 10 statements*)
      static struct spelling *spelling_base;
      static void push_string(char *string) {
          ...
          spelling_base = xmalloc(spelling_size * sizeof(struct spelling));
          ...
      }
      void finish_init() {
          ...
          constructor_decl = p->decl;
          ...
          spelling_base = p->spelling_base;
          ...
      }
      // free(spelling_base);
  • 97. Summary
      • A new technique for identifying where memory leaks occur
      • at least as effective as existing techniques at detecting memory leaks
      • helpful in guiding developers to the locations where memory leaks should be fixed
  • 101. Future work
      • Improved implementation
      • Additional experimentation
      • User studies
  • 102. Questions?
      1. Tainting pointers
      2. Propagating taint marks
      3. Identifying when leaks occur
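
The three steps of the deck (tainting pointers, propagating taint marks with pointer counts, identifying when leaks occur) replayed on its addhash()/delHtab() pair, as an added example that is neither Leakpoint's implementation nor code from the slides. Assumptions: pointers are modelled as integer mark ids instead of instrumenting a real program, each area holds at most one pointer field, and the `lp_*` names, sizes and `function:line` labels are constructed (line numbers follow the slides' listings).

```c
#include <stdio.h>
#include <string.h>
#define MAX_MARKS 16
#define NONE (-1)
typedef struct {            /* taint-mark metadata named on the slides */
    const char *alloc_loc, *last_use;
    size_t size;
    int deallocated, ptr_count, reported;
    int field;              /* mark of the one pointer stored inside this area */
} Mark;
typedef struct { const char *kind, *alloc_loc, *leak_loc; size_t bytes; } Report;
static Mark marks[MAX_MARKS];
static Report reports[MAX_MARKS];
static int n_marks, n_reports;

/* Merge reports with identical allocation and last-use locations, adding sizes. */
static void report(int id, const char *kind) {
    Mark *m = &marks[id];
    m->reported = 1;
    for (int i = 0; i < n_reports; i++)
        if (!strcmp(reports[i].alloc_loc, m->alloc_loc) &&
            !strcmp(reports[i].leak_loc, m->last_use)) {
            reports[i].bytes += m->size;
            return;
        }
    reports[n_reports++] = (Report){kind, m->alloc_loc, m->last_use, m->size};
}

/* One pointer to `id` went away at `loc`. Count zero and not deallocated means
 * lost memory; the pointer stored inside the lost area is then dropped as well. */
static void unref(int id, const char *loc) {
    if (id == NONE) return;
    Mark *m = &marks[id];
    if (--m->ptr_count > 0 || m->deallocated) return;
    m->last_use = loc;      /* assumption: report where the last pointer was lost */
    report(id, "lost");
    unref(m->field, loc);
}

/* dst = malloc(size): new mark, count 1, both locations set to the current one. */
static void lp_malloc(int *dst, size_t size, const char *loc) {
    int old = *dst, id = n_marks++;
    marks[id] = (Mark){loc, loc, size, 0, 1, 0, NONE};
    *dst = id;
    unref(old, loc);
}

/* dst = src: increment the copied pointer's count, decrement the overwritten one's. */
static void lp_assign(int *dst, int src, const char *loc) {
    int old = *dst;
    if (src != NONE) { marks[src].ptr_count++; marks[src].last_use = loc; }
    *dst = src;
    unref(old, loc);
}

/* free(p): set the deallocated indicator, drop the pointer reachable from the area. */
static void lp_free(int p, const char *loc) {
    marks[p].deallocated = 1;
    marks[p].last_use = loc;
    unref(marks[p].field, loc);
}

/* End of execution: whatever is still not deallocated is forgotten memory. */
static void lp_exit(void) {
    for (int id = 0; id < n_marks; id++)
        if (!marks[id].deallocated && !marks[id].reported) report(id, "forgotten");
}

/* Constructed replay of the slides' addhash()/delHtab() pair for two buckets. */
int run_scenario(int with_fix) {
    int hashtab[2] = {NONE, NONE}, hptr = NONE;
    n_marks = n_reports = 0;
    for (int b = 0; b < 2; b++) {                           /* addhash() */
        lp_malloc(&hptr, 24, "addhash:43");                 /* HASHBOX */
        lp_assign(&hashtab[b], hptr, "addhash:43");
        lp_malloc(&marks[hptr].field, 8, "addhash:46");     /* hptr->hname */
        lp_assign(&hptr, NONE, "addhash:48");               /* return drops the local */
    }
    for (int b = 0; b < 2; b++) {                           /* delHtab() */
        lp_assign(&hptr, hashtab[b], "delHtab:18");
        if (with_fix) lp_free(marks[hptr].field, "delHtab:fix"); /* free(hptr->hname) */
        lp_free(hptr, "delHtab:26");                        /* free(hptr) */
    }
    lp_exit();
    return n_reports;
}

int main(void) {
    run_scenario(0);
    printf("%zu bytes %s: allocated at %s, leaked at %s\n", reports[0].bytes,
           reports[0].kind, reports[0].alloc_loc, reports[0].leak_loc);
    printf("reports with free(hptr->hname) added: %d\n", run_scenario(1));
    return 0;
}
```

The two `hname` buffers are reported as one merged lost-memory entry attributed to the `free(hptr)` in delHtab, which is the shape of the sample report on slide 65.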
