
Leakpoint: Pinpointing the Causes of Memory Leaks (ICSE 2010)


Leakpoint: Pinpointing the Causes of Memory Leaks (ICSE 2010)

  1. 1. LEAKPOINT: Pinpointing the Causes of Memory Leaks. Georgia Institute of Technology. James Clause and Alessandro Orso. Supported in part by NSF and IBM Research.
  2. 2. Memory leak classificationvoid *p = malloc(100);
  3. 3. Memory leak classificationvoid *p = malloc(100); M
  4. 4. Memory leak classificationLost memory Forgotten memoryM becomes unreachablebefore being deallocatedM is reachable, but is neveraccessed or deallocatedvoid *p = malloc(100); M
  5. 5. Memory leak classificationLost memory Forgotten memoryM becomes unreachablebefore being deallocatedM is reachable, but is neveraccessed or deallocatedvoid *p = malloc(100); M
  6. 6. Memory leak classification. Lost memory: M becomes unreachable before being deallocated. Forgotten memory: M is reachable, but is never accessed or deallocated. void *p = malloc(100); M • common • difficult to manually detect • high impact
  7. 7. Existing techniques. Publications: M. Bond and K. McKinley ‘06; R. Hastings and B. Joyce ‘92; M. Hauswirth and T. Chilimbi ‘04; D. Heine and M. Lam ‘03; D. Heine and M. Lam ‘06; M. Jump and K. McKinley ‘07; J. Maebe, M. Ronsse, and K. D. Bosschere ‘04; N. Mitchell and G. Sevitsky ‘03; G. Novark, E. D. Berger, and B. G. Zorn ‘09; M. Orlovich and R. Rugina ‘06; F. Qin, S. Lu, and Y. Zhou ‘05; Y. Xie and A. Aiken ‘05; G. Xu and A. Rountev ‘08; S. Cherem, L. Princehouse, and R. Rugina ‘06; W. DePauw and G. Sevitsky ’99. Tools: mtrace, leaks, MemCheck, purify.
  8. 8. addhash(char hname[]) {35. int i;36. HASHPTR hptr;37. unsigned int hsum = 0;38. for(i = 0 ; i < strlen(hname) ; i++) {39. sum += (unsigned int) hname[i];40. }41. hsum %= 3001;42. if((hptr = hashtab[hsum]) == (HASHPTR) NULL) {43. hptr = hashtab[hsum] = (HASHPTR) malloc(sizeof(HASHBOX));44. hptr->hnext = (HASHPTR) NULL;45. hptr->hnum = ++netctr;46. hptr->hname = (char *) malloc((strlen(hname) + 1) *! ! ! ! ! ! ! ! ! ! sizeof(char));47. sprintf(hptr->hname , "%s" , hname);48. return(1);49. } else {! ...67. }}Detecting leaks is easy
  9. 9. addhash(char hname[]) {35. int i;36. HASHPTR hptr;37. unsigned int hsum = 0;38. for(i = 0 ; i < strlen(hname) ; i++) {39. sum += (unsigned int) hname[i];40. }41. hsum %= 3001;42. if((hptr = hashtab[hsum]) == (HASHPTR) NULL) {43. hptr = hashtab[hsum] = (HASHPTR) malloc(sizeof(HASHBOX));44. hptr->hnext = (HASHPTR) NULL;45. hptr->hnum = ++netctr;46. hptr->hname = (char *) malloc((strlen(hname) + 1) *! ! ! ! ! ! ! ! ! ! sizeof(char));47. sprintf(hptr->hname , "%s" , hname);48. return(1);49. } else {! ...67. }}Detecting leaks is easy
  10. 10. addhash(char hname[]) {35. int i;36. HASHPTR hptr;37. unsigned int hsum = 0;38. for(i = 0 ; i < strlen(hname) ; i++) {39. sum += (unsigned int) hname[i];40. }41. hsum %= 3001;42. if((hptr = hashtab[hsum]) == (HASHPTR) NULL) {43. hptr = hashtab[hsum] = (HASHPTR) malloc(sizeof(HASHBOX));44. hptr->hnext = (HASHPTR) NULL;45. hptr->hnum = ++netctr;46. hptr->hname = (char *) malloc((strlen(hname) + 1) *! ! ! ! ! ! ! ! ! ! sizeof(char));47. sprintf(hptr->hname , "%s" , hname);48. return(1);49. } else {! ...67. }}Detecting leaks is easy; fixing them is not
  11. 11. Overview
  12. 12. Overview
  13. 13. Overview
  14. 14. OverviewLeak locations are close to whereleaks should be fixed.
  15. 15. Overview1 TaintingpointersLeak locations are close to whereleaks should be fixed.
  16. 16. Overview1 TaintingpointersLeak locations are close to whereleaks should be fixed.
  17. 17. Overview1 Taintingpointers2 Propagatingtaint marksLeak locations are close to whereleaks should be fixed.
  18. 18. Overview1 Taintingpointers2 Propagatingtaint marksLeak locations are close to whereleaks should be fixed.
  19. 19. Overview1 Taintingpointers2 Propagatingtaint marks3 Identifyingwhen leaksoccurLeak locations are close to whereleaks should be fixed.
  20. 20. Overview. 1. Tainting pointers. 2. Propagating taint marks. 3. Identifying when leaks occur. Leak locations are close to where leaks should be fixed.
  21. 21. addhash(char hname[]) {35. int i;36. HASHPTR hptr;37. unsigned int hsum = 0;38. for(i = 0 ; i < strlen(hname) ; i++) {39. sum += (unsigned int) hname[i];40. }41. hsum %= 3001;42. if((hptr = hashtab[hsum]) == (HASHPTR) NULL) {43. hptr = hashtab[hsum] = (HASHPTR) malloc(sizeof(HASHBOX));44. hptr->hnext = (HASHPTR) NULL;45. hptr->hnum = ++netctr;46. hptr->hname = (char *) malloc((strlen(hname) + 1) *! ! ! ! ! ! ! ! ! ! sizeof(char));47. sprintf(hptr->hname , "%s" , hname);48. return(1);49. } else {! ...67. }}Detecting leaks is easy
  22. 22. 46. hptr->hname = (char *) malloc((strlen(hname) + 1) *! ! ! ! ! ! ! ! ! ! sizeof(char));delHtab() {15. int i;16. HASHPTR hptr , zapptr;17. for(i = 0; i < 3001; i++) {18. hptr = hashtab[i];19. if(hptr != (HASHPTR) NULL) {20. zapptr = hptr ;21. while(hptr->hnext != (HASHPTR) NULL) {22.! ! hptr = hptr->hnext;23.! ! free(zapptr);24.! ! zapptr = hptr ;25.! ! }26.! ! free(hptr);27.! }28. }!29. free(hashtab);30. return;}Detecting leaks is easy
  23. 23. 46. hptr->hname = (char *) malloc((strlen(hname) + 1) *! ! ! ! ! ! ! ! ! ! sizeof(char));Detecting leaks is easy; fixing them is toodelHtab() {15. int i;16. HASHPTR hptr , zapptr;17. for(i = 0; i < 3001; i++) {18. hptr = hashtab[i];19. if(hptr != (HASHPTR) NULL) {20. zapptr = hptr ;21. while(hptr->hnext != (HASHPTR) NULL) {22.! ! hptr = hptr->hnext;23.! ! free(zapptr);24.! ! zapptr = hptr ;25.! ! }26.! ! free(hptr);27.! }28. }!29. free(hashtab);30. return;}
  24. 24. 46. hptr->hname = (char *) malloc((strlen(hname) + 1) *! ! ! ! ! ! ! ! ! ! sizeof(char));Detecting leaks is easy; fixing them is toodelHtab() {15. int i;16. HASHPTR hptr , zapptr;17. for(i = 0; i < 3001; i++) {18. hptr = hashtab[i];19. if(hptr != (HASHPTR) NULL) {20. zapptr = hptr ;21. while(hptr->hnext != (HASHPTR) NULL) {22.! ! hptr = hptr->hnext;23.! ! free(zapptr);24.! ! zapptr = hptr ;25.! ! }26.! ! free(hptr);27.! }28. }!29. free(hashtab);30. return;}free(hptr->hname);
  25. 25. Outline • Our technique • Tainting pointers • Tracking pointers • Checking for leaks • Implementation • Evaluation • Conclusions and future work
  26. 26. 1.Tainting pointersAssign a taint mark to pointers returned fromallocation functions (e.g., malloc)
  27. 27. 1.Tainting pointersAssign a taint mark to pointers returned fromallocation functions (e.g., malloc)
  28. 28. 1.Tainting pointersLast use locationAllocation locationAllocation sizeDeallocated indicatorPointer countAssign a taint mark to pointers returned fromallocation functions (e.g., malloc)Metadata
  29. 29. 1. Tainting pointers. Assign a taint mark to pointers returned from allocation functions (e.g., malloc). Metadata (initialized to): Last use location (current location); Allocation location (current location); Allocation size (size of the memory area); Deallocated indicator (false); Pointer count (1).
  30. 30. 2. Propagating taint marks
  31. 31. 2. Propagating taint marks1.Track the flow of pointers throughout the execution
  32. 32. 2. Propagating taint marks1.Track the flow of pointers throughout the execution
  33. 33. 2. Propagating taint marks1.Track the flow of pointers throughout the execution
  34. 34. 2. Propagating taint marks. 1. Track the flow of pointers throughout the execution. 2. Update taint marks’ mutable metadata.
  35. 35. Tracking pointersassignmentadditionsubtractionandmultiplicationdivisionmodulusor, xor,shift, notcomparison
  36. 36. p2 = p1 ➔ p2p2 = p1 ➔ p2p2 = p2 ± 1 ➔ p2p3 = p2 ± p1 ➔ p3p2 = p2 & 0xffff ➔ p2not taintedTracking pointersassignmentadditionsubtractionandmultiplicationdivisionmodulusor, xor,shift, notcomparison
  37. 37. p2 = p1 ➔ p2p2 = p1 ➔ p2p2 = p2 ± 1 ➔ p2p3 = p2 ± p1 ➔ p3p2 = p2 & 0xffff ➔ p2not taintedTracking pointersassignmentadditionsubtractionandmultiplicationdivisionmodulusor, xor,shift, notcomparison
  38. 38. p2 = p1 ➔ p2p2 = p1 ➔ p2p2 = p2 ± 1 ➔ p2p3 = p2 ± p1 ➔ p3p2 = p2 & 0xffff ➔ p2not taintedTracking pointersassignmentadditionsubtractionandmultiplicationdivisionmodulusor, xor,shift, notcomparison
  39. 39. p2 = p1 ➔ p2p2 = p1 ➔ p2p2 = p2 ± 1 ➔ p2p3 = p2 ± p1 ➔ p3p2 = p2 & 0xffff ➔ p2not taintedTracking pointersassignmentadditionsubtractionandmultiplicationdivisionmodulusor, xor,shift, notcomparison
  40. 40. p2 = p1 ➔ p2p2 = p1 ➔ p2p2 = p2 ± 1 ➔ p2p3 = p2 ± p1 ➔ p3p2 = p2 & 0xffff ➔ p2not taintedTracking pointersassignmentadditionsubtractionandmultiplicationdivisionmodulusor, xor,shift, notcomparison
  41. 41. p2 = p1 ➔ p2p2 = p1 ➔ p2p2 = p2 ± 1 ➔ p2p3 = p2 ± p1 ➔ p3p2 = p2 & 0xffff ➔ p2not taintedTracking pointersassignmentadditionsubtractionandmultiplicationdivisionmodulusor, xor,shift, notcomparison
  42. 42. p2 = p1 ➔ p2; p2 = p1 ➔ p2; p2 = p2 ± 1 ➔ p2; p3 = p2 ± p1 ➔ p3; p2 = p2 & 0xffff ➔ p2; not tainted. Tracking pointers. Based on domain knowledge and expertise. assignment; addition; subtraction; and; multiplication; division; modulus; or, xor, shift, not; comparison
  43. 43. Update metadata (1)
  44. 44. Pointer CountsUpdate metadata (1)
  45. 45. Pointer Counts• Assignment: increment the count of the pointer thatis copied, decrement the count of the pointer that isoverwrittenUpdate metadata (1)
  46. 46. Pointer Counts• Assignment: increment the count of the pointer thatis copied, decrement the count of the pointer that isoverwrittenUpdate metadata (1)ptr3 = ptr1 ➔ ptr3 , ptr11 2 2ptr1 = NULL ➔ ptr1 , ptr32 1
  47. 47. Pointer Counts• Assignment: increment the count of the pointer thatis copied, decrement the count of the pointer that isoverwritten• Function return: decrement the count of pointersstored in local variablesUpdate metadata (1)ptr3 = ptr1 ➔ ptr3 , ptr11 2 2ptr1 = NULL ➔ ptr1 , ptr32 1
  48. 48. Pointer Counts • Assignment: increment the count of the pointer that is copied, decrement the count of the pointer that is overwritten • Function return: decrement the count of pointers stored in local variables • Memory deallocation: decrement the count of pointers reachable from the deallocated memory. Update metadata (1). ptr3 = ptr1 ➔ ptr3 , ptr1 1 2 2; ptr1 = NULL ➔ ptr1 , ptr3 2 1
  49. 49. Update metadata (2)
  50. 50. Deallocation indicatorUpdate metadata (2)
  51. 51. Deallocation indicator• Set to true when a pointer is passed to a deallocationfunction (e.g., free)Update metadata (2)
  52. 52. Deallocation indicator• Set to true when a pointer is passed to a deallocationfunction (e.g., free)Last use locationUpdate metadata (2)
  53. 53. Deallocation indicator • Set to true when a pointer is passed to a deallocation function (e.g., free). Last use location • Set to the current location whenever a pointer is - propagated - passed as a function argument - returned from a function - used to access memory. Update metadata (2)
  54. 54. 3. Identifying when leaks occur
  55. 55. 3. Identifying when leaks occurLost memory Forgotten memoryIf a taint mark’s pointer countis zero and it’s deallocatedindicator is falseIf, at the end of execution, ataint mark’s deallocatedindicator is false
  56. 56. 3. Identifying when leaks occurLost memory Forgotten memoryIf a taint mark’s pointer countis zero and it’s deallocatedindicator is falseIf, at the end of execution, ataint mark’s deallocatedindicator is false
  57. 57. 3. Identifying when leaks occurLost memory Forgotten memoryIf a taint mark’s pointer countis zero and it’s deallocatedindicator is falseIf, at the end of execution, ataint mark’s deallocatedindicator is false(Checks are recursive)
  58. 58. 3. Identifying when leaks occurLost memory Forgotten memoryIf a taint mark’s pointer countis zero and it’s deallocatedindicator is falseIf, at the end of execution, ataint mark’s deallocatedindicator is falseGenerate a leak report:• allocation location, allocation size, and last use location(Checks are recursive)
  59. 59. 3. Identifying when leaks occur. Lost memory: if a taint mark’s pointer count is zero and its deallocated indicator is false. Forgotten memory: if, at the end of execution, a taint mark’s deallocated indicator is false. Generate a leak report: • allocation location, allocation size, and last use location. Merge leak reports: • combine reports with identical allocation and last use locations, add allocation sizes. (Checks are recursive)
  60. 60. Prototype toolImplemented usingValgrind
  61. 61. Prototype toolImplemented usingValgrind30–100x overheads
  62. 62. Prototype tool16 bytes of memoryallocated:  at malloc  by addhash (hash.c:50)by parser (parser.c:210)by readcell (parser.c:34)  by main (main.c:98)  was leaked:   at free   by delHtab (hash.c:28)   by grdcell(grdcell.c:354)   by main (main.c:227)Implemented usingValgrind
  63. 63. Prototype tool16 bytes of memoryallocated:  at malloc  by addhash (hash.c:50)by parser (parser.c:210)by readcell (parser.c:34)  by main (main.c:98)  was leaked:   at free   by delHtab (hash.c:28)   by grdcell(grdcell.c:354)   by main (main.c:227)Implemented usingValgrind
  64. 64. Prototype tool16 bytes of memoryallocated:  at malloc  by addhash (hash.c:50)by parser (parser.c:210)by readcell (parser.c:34)  by main (main.c:98)  was leaked:   at free   by delHtab (hash.c:28)   by grdcell(grdcell.c:354)   by main (main.c:227)Implemented usingValgrind
  65. 65. Prototype tool. 16 bytes of memory allocated: at malloc, by addhash (hash.c:50), by parser (parser.c:210), by readcell (parser.c:34), by main (main.c:98); was leaked: at free, by delHtab (hash.c:28), by grdcell (grdcell.c:354), by main (main.c:227). Implemented using Valgrind. Can be used to prioritize debugging effort.
  66. 66. Evaluation. How does Leakpoint’s ability to detect memory leaks compare to existing tools? How effective is Leakpoint at guiding developers to the locations where memory leaks may be fixed?
  67. 67. RQ1: Comparison with existing tools
  68. 68. Subjects164.gzip 4 1 4 4175.vpr 47 0 47 47176.gcc 1121 406 (1415) 1121 1121181.mcf 0 0 0 0186.crafty 37 0 37 37197.parser 2 0 2 2252.eon 380 380 380 380253.perlbmk 3481 0 (2) 3481 536254.gap 2 0 (2) 2 2255.vortex 15 1 15 15256.bzip2 10 1 10 10300.twolf 1403 68 (3) 1403 1403RQ1: Comparison with existing tools
  69. 69. Subjects164.gzip 4 1 4 4175.vpr 47 0 47 47176.gcc 1121 406 (1415) 1121 1121181.mcf 0 0 0 0186.crafty 37 0 37 37197.parser 2 0 2 2252.eon 380 380 380 380253.perlbmk 3481 0 (2) 3481 536254.gap 2 0 (2) 2 2255.vortex 15 1 15 15256.bzip2 10 1 10 10300.twolf 1403 68 (3) 1403 1403RQ1: Comparison with existing toolsLeakpoint
  70. 70. Subjects164.gzip 4 1 4 4175.vpr 47 0 47 47176.gcc 1121 406 (1415) 1121 1121181.mcf 0 0 0 0186.crafty 37 0 37 37197.parser 2 0 2 2252.eon 380 380 380 380253.perlbmk 3481 0 (2) 3481 536254.gap 2 0 (2) 2 2255.vortex 15 1 15 15256.bzip2 10 1 10 10300.twolf 1403 68 (3) 1403 1403RQ1: Comparison with existing toolsomegaLeakpoint
  71. 71. Subjects164.gzip 4 1 4 4175.vpr 47 0 47 47176.gcc 1121 406 (1415) 1121 1121181.mcf 0 0 0 0186.crafty 37 0 37 37197.parser 2 0 2 2252.eon 380 380 380 380253.perlbmk 3481 0 (2) 3481 536254.gap 2 0 (2) 2 2255.vortex 15 1 15 15256.bzip2 10 1 10 10300.twolf 1403 68 (3) 1403 1403RQ1: Comparison with existing toolsomega MemCheckLeakpoint
  72. 72. Subjects164.gzip 4 1 4 4175.vpr 47 0 47 47176.gcc 1121 406 (1415) 1121 1121181.mcf 0 0 0 0186.crafty 37 0 37 37197.parser 2 0 2 2252.eon 380 380 380 380253.perlbmk 3481 0 (2) 3481 536254.gap 2 0 (2) 2 2255.vortex 15 1 15 15256.bzip2 10 1 10 10300.twolf 1403 68 (3) 1403 1403RQ1: Comparison with existing toolsmtraceomega MemCheckLeakpoint
  73. 73. Leak detectionLeak identificationSubjects164.gzip 4 1 4 4175.vpr 47 0 47 47176.gcc 1121 406 (1415) 1121 1121181.mcf 0 0 0 0186.crafty 37 0 37 37197.parser 2 0 2 2252.eon 380 380 380 380253.perlbmk 3481 0 (2) 3481 536254.gap 2 0 (2) 2 2255.vortex 15 1 15 15256.bzip2 10 1 10 10300.twolf 1403 68 (3) 1403 1403RQ1: Comparison with existing toolsmtraceomega MemCheckLeakpoint
  74. 74. Subjects164.gzip 4 1 4 4175.vpr 47 0 47 47176.gcc 1121 406 (1415) 1121 1121181.mcf 0 0 0 0186.crafty 37 0 37 37197.parser 2 0 2 2252.eon 380 380 380 380253.perlbmk 3481 0 (2) 3481 536254.gap 2 0 (2) 2 2255.vortex 15 1 15 15256.bzip2 10 1 10 10300.twolf 1403 68 (3) 1403 1403RQ1: Comparison with existing toolsmtraceomega MemCheckLeakpoint
  75. 75. # Detected memory leaks (# false positives)Subjects164.gzip 4 1 4 4175.vpr 47 0 47 47176.gcc 1121 406 (1415) 1121 1121181.mcf 0 0 0 0186.crafty 37 0 37 37197.parser 2 0 2 2252.eon 380 380 380 380253.perlbmk 3481 0 (2) 3481 536254.gap 2 0 (2) 2 2255.vortex 15 1 15 15256.bzip2 10 1 10 10300.twolf 1403 68 (3) 1403 1403RQ1: Comparison with existing toolsmtraceomega MemCheckLeakpoint
  76. 76. # Detected memory leaks (# false positives)Subjects164.gzip 4 1 4 4175.vpr 47 0 47 47176.gcc 1121 406 (1415) 1121 1121181.mcf 0 0 0 0186.crafty 37 0 37 37197.parser 2 0 2 2252.eon 380 380 380 380253.perlbmk 3481 0 (2) 3481 536254.gap 2 0 (2) 2 2255.vortex 15 1 15 15256.bzip2 10 1 10 10300.twolf 1403 68 (3) 1403 1403RQ1: Comparison with existing toolsmtraceomega MemCheckLeakpoint
  77. 77. # Detected memory leaks (# false positives)Subjects164.gzip 4 1 4 4175.vpr 47 0 47 47176.gcc 1121 406 (1415) 1121 1121181.mcf 0 0 0 0186.crafty 37 0 37 37197.parser 2 0 2 2252.eon 380 380 380 380253.perlbmk 3481 0 (2) 3481 536254.gap 2 0 (2) 2 2255.vortex 15 1 15 15256.bzip2 10 1 10 10300.twolf 1403 68 (3) 1403 1403RQ1: Comparison with existing toolsmtraceomega MemCheckLeakpoint
  78. 78. # Detected memory leaks (# false positives)Subjects164.gzip 4 1 4 4175.vpr 47 0 47 47176.gcc 1121 406 (1415) 1121 1121181.mcf 0 0 0 0186.crafty 37 0 37 37197.parser 2 0 2 2252.eon 380 380 380 380253.perlbmk 3481 0 (2) 3481 536254.gap 2 0 (2) 2 2255.vortex 15 1 15 15256.bzip2 10 1 10 10300.twolf 1403 68 (3) 1403 1403RQ1: Comparison with existing toolsmtraceomega MemCheckLeakpoint
  79. 79. # Detected memory leaks (# false positives). Subjects: 164.gzip 4 1 4 4; 175.vpr 47 0 47 47; 176.gcc 1121 406 (1415) 1121 1121; 181.mcf 0 0 0 0; 186.crafty 37 0 37 37; 197.parser 2 0 2 2; 252.eon 380 380 380 380; 253.perlbmk 3481 0 (2) 3481 536; 254.gap 2 0 (2) 2 2; 255.vortex 15 1 15 15; 256.bzip2 10 1 10 10; 300.twolf 1403 68 (3) 1403 1403. RQ1: Comparison with existing tools [tool columns: mtrace, omega, MemCheck, Leakpoint — the transcript does not preserve which column belongs to which tool]. Leakpoint is at least as effective as existing tools at detecting memory leaks.
  80. 80. RQ2: Effectiveness at guiding developersCompare the leak locations identified by Leakpointwith the locations where the leaks were fixed bythe original application developers.
  81. 81. RQ2: Effectiveness at guiding developersCompare the leak locations identified by Leakpointwith the locations where the leaks were fixed bythe original application developers.Transmission
  82. 82. RQ2: Effectiveness at guiding developersCompare the leak locations identified by Leakpointwith the locations where the leaks were fixed bythe original application developers.Transmission
  83. 83. RQ2: Effectiveness at guiding developersCompare the leak locations identified by Leakpointwith the locations where the leaks were fixed bythe original application developers.Transmission
  84. 84. RQ2: Effectiveness at guiding developers. Compare the leak locations identified by Leakpoint with the locations where the leaks were fixed by the original application developers. Transmission: 4 memory leaks total.
  85. 85. static void processCompletedTasks(tr_web *web) {...task->done_func(web->session, ..., task->done_func_user_data);...evbuffer_free(task->response);tr_free(task->url);tr_free(task);...}Transmissionstatic void invokeRequest(void * vreq) {...hash = tr_new0(uint8_t, SHA_DIGEST_LENGTH);memcpy(hash, req->torrent_hash, SHA_DIGEST_LENGTH);tr_webRun(req->session, req->url, req->done_func, hash);...}
  86. 86. static void processCompletedTasks(tr_web *web) {...task->done_func(web->session, ..., task->done_func_user_data);...evbuffer_free(task->response);tr_free(task->url);tr_free(task);...}Transmissionstatic void invokeRequest(void * vreq) {...hash = tr_new0(uint8_t, SHA_DIGEST_LENGTH);memcpy(hash, req->torrent_hash, SHA_DIGEST_LENGTH);tr_webRun(req->session, req->url, req->done_func, hash);...}static void onStoppedResponse(tr_session *session, ..., void *torrent_hash) {dbgmsg(NULL, "got a response ... message");onReqDone(session);}// tr_free(torrent_hash);
  87. 87. static void processCompletedTasks(tr_web *web) {...task->done_func(web->session, ..., task->done_func_user_data);...evbuffer_free(task->response);tr_free(task->url);tr_free(task);...}Transmissionstatic void invokeRequest(void * vreq) {...hash = tr_new0(uint8_t, SHA_DIGEST_LENGTH);memcpy(hash, req->torrent_hash, SHA_DIGEST_LENGTH);tr_webRun(req->session, req->url, req->done_func, hash);...}static void onStoppedResponse(tr_session *session, ..., void *torrent_hash) {dbgmsg(NULL, "got a response ... message");onReqDone(session);}// tr_free(torrent_hash);Distance: 6 statements
  88. 88. URIHANDLER_FUNC(mod_rewrite_uri_handler) {...hctx = handler_ctx_init();con->plugin_ctx[p->id] = hctx;...}Lighttpd 1
  89. 89. URIHANDLER_FUNC(mod_rewrite_uri_handler) {...hctx = handler_ctx_init();con->plugin_ctx[p->id] = hctx;...}Lighttpd 1// if(con->plugin_ctx[p->id] == NULL) {// }// else {// hctx = con->plugin_ctx[p->id];// }
  90. 90. URIHANDLER_FUNC(mod_rewrite_uri_handler) {...hctx = handler_ctx_init();con->plugin_ctx[p->id] = hctx;...}Lighttpd 1// if(con->plugin_ctx[p->id] == NULL) {// }// else {// hctx = con->plugin_ctx[p->id];// }Distance: overlapping
  91. 91. int http_request_parse(server *srv, connection *con) {...if(NULL == (ds = (data_string *)array_get_unused_element(con->request.headers, TYPE_STRING))) {ds = data_string_init();}...else if (cmp > 0 &&0 == (cmp = buffer_caseless_compare(CONST_BUF_LEN(ds->key),CONST_STR_LEN("Content-Length")))) {char *errunsigned long int r;size_t jif (con_length_set) {con->http_status = 400;con->keep_alive = 0;if(srv->srvconf.log_request_header_on_error) {log_error_write(srv, __FILE__, __LINE__, "s", "duplicate ...");log_error_write(srv, __FILE__, __LINE__, "Sb", "request-header:n",con->request.request);}return 0;}...}Lighttpd 2
  92. 92. int http_request_parse(server *srv, connection *con) {...if(NULL == (ds = (data_string *)array_get_unused_element(con->request.headers, TYPE_STRING))) {ds = data_string_init();}...else if (cmp > 0 &&0 == (cmp = buffer_caseless_compare(CONST_BUF_LEN(ds->key),CONST_STR_LEN("Content-Length")))) {char *errunsigned long int r;size_t jif (con_length_set) {con->http_status = 400;con->keep_alive = 0;if(srv->srvconf.log_request_header_on_error) {log_error_write(srv, __FILE__, __LINE__, "s", "duplicate ...");log_error_write(srv, __FILE__, __LINE__, "Sb", "request-header:n",con->request.request);}return 0;}...}Lighttpd 2// array_insert_unique(con->request.headers, (data_unset *)ds);
  93. 93. int http_request_parse(server *srv, connection *con) {...if(NULL == (ds = (data_string *)array_get_unused_element(con->request.headers, TYPE_STRING))) {ds = data_string_init();}...else if (cmp > 0 &&0 == (cmp = buffer_caseless_compare(CONST_BUF_LEN(ds->key),CONST_STR_LEN("Content-Length")))) {char *errunsigned long int r;size_t jif (con_length_set) {con->http_status = 400;con->keep_alive = 0;if(srv->srvconf.log_request_header_on_error) {log_error_write(srv, __FILE__, __LINE__, "s", "duplicate ...");log_error_write(srv, __FILE__, __LINE__, "Sb", "request-header:n",con->request.request);}return 0;}...}Lighttpd 2// array_insert_unique(con->request.headers, (data_unset *)ds);Distance: 1 statement
  94. 94. static struct spelling *spelling_base;static void push_string(char *string) {...spelling_base = xmalloc(spelling_size * sizeof(struct spelling));...}void finish_init() {...constructor_decl = p->decl;...spelling_base = p->spelling_base;...}GCC
  95. 95. static struct spelling *spelling_base;static void push_string(char *string) {...spelling_base = xmalloc(spelling_size * sizeof(struct spelling));...}void finish_init() {...constructor_decl = p->decl;...spelling_base = p->spelling_base;...}GCC// free(spelling_base);
  96. 96. static struct spelling *spelling_base;static void push_string(char *string) {...spelling_base = xmalloc(spelling_size * sizeof(struct spelling));...}void finish_init() {...constructor_decl = p->decl;...spelling_base = p->spelling_base;...}GCC// free(spelling_base);Distance: 10 statements*
  97. 97. Summary • A new technique for identifying where memory leaks occur • at least as effective as existing techniques at detecting memory leaks • helpful in guiding developers to the locations where memory leaks should be fixed
  98. 98. Future work
  99. 99. Future workImprovedimplementation
  100. 100. Future workAdditionalexperimentationImprovedimplementation
  101. 101. Future work: additional experimentation; user studies; improved implementation.
  102. 102. Questions? 1. Tainting pointers. 2. Propagating taint marks. 3. Identifying when leaks occur.
