heap_checker.html 21 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534
  1. <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML//EN">
  2. <HTML>
  3. <HEAD>
  4. <link rel="stylesheet" href="designstyle.css">
  5. <title>Gperftools Heap Leak Checker</title>
  6. </HEAD>
  7. <BODY>
  8. <p align=right>
  9. <i>Last modified
  10. <script type=text/javascript>
  11. var lm = new Date(document.lastModified);
  12. document.write(lm.toDateString());
  13. </script></i>
  14. </p>
  15. <p>This is the heap checker we use at Google to detect memory leaks in
  16. C++ programs. There are three parts to using it: linking the library
  17. into an application, running the code, and analyzing the output.</p>
  18. <H1>Linking in the Library</H1>
  19. <p>The heap-checker is part of tcmalloc, so to install the heap
  20. checker into your executable, add <code>-ltcmalloc</code> to the
  21. link-time step for your executable. Also, while we don't necessarily
  22. recommend this form of usage, it's possible to add in the profiler at
  23. run-time using <code>LD_PRELOAD</code>:</p>
  24. <pre>% env LD_PRELOAD="/usr/lib/libtcmalloc.so" <binary></pre>
  25. <p>This does <i>not</i> turn on heap checking; it just inserts the
  26. code. For that reason, it's practical to just always link
  27. <code>-ltcmalloc</code> into a binary while developing; that's what we
  28. do at Google. (However, since any user can turn on the profiler by
  29. setting an environment variable, it's not necessarily recommended to
  30. install heapchecker-linked binaries into a production, running
  31. system.) Note that if you wish to use the heap checker, you must
  32. also use the tcmalloc memory-allocation library. There is no way
  33. currently to use the heap checker separate from tcmalloc.</p>
  34. <h1>Running the Code</h1>
  35. <p>Note: For security reasons, heap profiling will not write to a file
  36. -- and is thus not usable -- for setuid programs.</p>
  37. <h2><a name="whole_program">Whole-program Heap Leak Checking</a></h2>
  38. <p>The recommended way to use the heap checker is in "whole program"
  39. mode. In this case, the heap-checker starts tracking memory
  40. allocations before the start of <code>main()</code>, and checks again
  41. at program-exit. If it finds any memory leaks -- that is, any memory
  42. not pointed to by objects that are still "live" at program-exit -- it
  43. aborts the program (via <code>exit(1)</code>) and prints a message
  44. describing how to track down the memory leak (using <A
  45. HREF="heapprofile.html#pprof">pprof</A>).</p>
  46. <p>The heap-checker records the stack trace for each allocation while
  47. it is active. This causes a significant increase in memory usage, in
  48. addition to slowing your program down.</p>
  49. <p>Here's how to run a program with whole-program heap checking:</p>
  50. <ol>
  51. <li> <p>Define the environment variable HEAPCHECK to the <A
  52. HREF="#types">type of heap-checking</A> to do. For instance,
  53. to heap-check
  54. <code>/usr/local/bin/my_binary_compiled_with_tcmalloc</code>:</p>
  55. <pre>% env HEAPCHECK=normal /usr/local/bin/my_binary_compiled_with_tcmalloc</pre>
  56. </ol>
  57. <p>No other action is required.</p>
  58. <p>Note that since the heap-checker uses the heap-profiling framework
  59. internally, it is not possible to run both the heap-checker and <A
  60. HREF="heapprofile.html">heap profiler</A> at the same time.</p>
  61. <h3><a name="types">Flavors of Heap Checking</a></h3>
  62. <p>These are the legal values when running a whole-program heap
  63. check:</p>
  64. <ol>
  65. <li> <code>minimal</code>
  66. <li> <code>normal</code>
  67. <li> <code>strict</code>
  68. <li> <code>draconian</code>
  69. </ol>
  70. <p>"Minimal" heap-checking starts as late as possible in a
  71. initialization, meaning you can leak some memory in your
  72. initialization routines (that run before <code>main()</code>, say),
  73. and not trigger a leak message. If you frequently (and purposefully)
  74. leak data in one-time global initializers, "minimal" mode is useful
  75. for you. Otherwise, you should avoid it for stricter modes.</p>
  76. <p>"Normal" heap-checking tracks <A HREF="#live">live objects</A> and
  77. reports a leak for any data that is not reachable via a live object
  78. when the program exits.</p>
  79. <p>"Strict" heap-checking is much like "normal" but has a few extra
  80. checks that memory isn't lost in global destructors. In particular,
  81. if you have a global variable that allocates memory during program
  82. execution, and then "forgets" about the memory in the global
  83. destructor (say, by setting the pointer to it to NULL) without freeing
  84. it, that will prompt a leak message in "strict" mode, though not in
  85. "normal" mode.</p>
  86. <p>"Draconian" heap-checking is appropriate for those who like to be
  87. very precise about their memory management, and want the heap-checker
  88. to help them enforce it. In "draconian" mode, the heap-checker does
  89. not do "live object" checking at all, so it reports a leak unless
  90. <i>all</i> allocated memory is freed before program exit. (However,
  91. you can use <A HREF="#disable">IgnoreObject()</A> to re-enable
  92. liveness-checking on an object-by-object basis.)</p>
  93. <p>"Normal" mode, as the name implies, is the one used most often at
  94. Google. It's appropriate for everyday heap-checking use.</p>
  95. <p>In addition, there are two other possible modes:</p>
  96. <ul>
  97. <li> <code>as-is</code>
  98. <li> <code>local</code>
  99. </ul>
  100. <p><code>as-is</code> is the most flexible mode; it allows you to
  101. specify the various <A HREF="#options">knobs</A> of the heap checker
  102. explicitly. <code>local</code> activates the <A
  103. HREF="#explicit">explicit heap-check instrumentation</A>, but does not
  104. turn on any whole-program leak checking.</p>
  105. <h3><A NAME="tweaking">Tweaking whole-program checking</A></h3>
  106. <p>In some cases you want to check the whole program for memory leaks,
  107. but waiting for after <code>main()</code> exits to do the first
  108. whole-program leak check is waiting too long: e.g. in a long-running
  109. server one might wish to simply periodically check for leaks while the
  110. server is running. In this case, you can call the static method
  111. <code>HeapLeakChecker::NoGlobalLeaks()</code>, to verify no global leaks have happened
  112. as of that point in the program.</p>
  113. <p>Alternately, doing the check after <code>main()</code> exits might
  114. be too late. Perhaps you have some objects that are known not to
  115. clean up properly at exit. You'd like to do the "at exit" check
  116. before those objects are destroyed (since while they're live, any
  117. memory they point to will not be considered a leak). In that case,
  118. you can call <code>HeapLeakChecker::NoGlobalLeaks()</code> manually, near the end of
  119. <code>main()</code>, and then call <code>HeapLeakChecker::CancelGlobalCheck()</code> to
  120. turn off the automatic post-<code>main()</code> check.</p>
  121. <p>Finally, there's a helper macro for "strict" and "draconian" modes,
  122. which require all global memory to be freed before program exit. This
  123. freeing can be time-consuming and is often unnecessary, since libc
  124. cleans up all memory at program-exit for you. If you want the
  125. benefits of "strict"/"draconian" modes without the cost of all that
  126. freeing, look at <code>REGISTER_HEAPCHECK_CLEANUP</code> (in
  127. <code>heap-checker.h</code>). This macro allows you to mark specific
  128. cleanup code as active only when the heap-checker is turned on.</p>
  129. <h2><a name="explicit">Explicit (Partial-program) Heap Leak Checking</h2>
  130. <p>Instead of whole-program checking, you can check certain parts of your
  131. code to verify they do not have memory leaks. This check verifies that
  132. between two parts of a program, no memory is allocated without being freed.</p>
  133. <p>To use this kind of checking code, bracket the code you want
  134. checked by creating a <code>HeapLeakChecker</code> object at the
  135. beginning of the code segment, and call
  136. <code>NoLeaks()</code> at the end. These functions, and all others
  137. referred to in this file, are declared in
  138. <code>&lt;gperftools/heap-checker.h&gt;</code>.
  139. </p>
  140. <p>Here's an example:</p>
  141. <pre>
  142. HeapLeakChecker heap_checker("test_foo");
  143. {
  144. code that exercises some foo functionality;
  145. this code should not leak memory;
  146. }
  147. if (!heap_checker.NoLeaks()) assert(NULL == "heap memory leak");
  148. </pre>
  149. <p>Note that adding in the <code>HeapLeakChecker</code> object merely
  150. instruments the code for leak-checking. To actually turn on this
  151. leak-checking on a particular run of the executable, you must still
  152. run with the heap-checker turned on:</p>
  153. <pre>% env HEAPCHECK=local /usr/local/bin/my_binary_compiled_with_tcmalloc</pre>
  154. <p>If you want to do whole-program leak checking in addition to this
  155. manual leak checking, you can run in <code>normal</code> or some other
  156. mode instead: they'll run the "local" checks in addition to the
  157. whole-program check.</p>
  158. <h2><a name="disable">Disabling Heap-checking of Known Leaks</a></h2>
  159. <p>Sometimes your code has leaks that you know about and are willing
  160. to accept. You would like the heap checker to ignore them when
  161. checking your program. You can do this by bracketing the code in
  162. question with an appropriate heap-checking construct:</p>
  163. <pre>
  164. ...
  165. {
  166. HeapLeakChecker::Disabler disabler;
  167. &lt;leaky code&gt;
  168. }
  169. ...
  170. </pre>
  171. Any objects allocated by <code>leaky code</code> (including inside any
  172. routines called by <code>leaky code</code>) and any objects reachable
  173. from such objects are not reported as leaks.
  174. <p>Alternately, you can use <code>IgnoreObject()</code>, which takes a
  175. pointer to an object to ignore. That memory, and everything reachable
  176. from it (by following pointers), is ignored for the purposes of leak
  177. checking. You can call <code>UnIgnoreObject()</code> to undo the
  178. effects of <code>IgnoreObject()</code>.</p>
  179. <h2><a name="options">Tuning the Heap Checker</h2>
  180. <p>The heap leak checker has many options, some that trade off running
  181. time and accuracy, and others that increase the sensitivity at the
  182. risk of returning false positives. For most uses, the range covered
  183. by the <A HREF="#types">heap-check flavors</A> is enough, but in
  184. specialized cases more control can be helpful.</p>
  185. <p>
  186. These options are specified via environment varaiables.
  187. </p>
  188. <p>This first set of options controls sensitivity and accuracy. These
  189. options are ignored unless you run the heap checker in <A
  190. HREF="#types">as-is</A> mode.
  191. <table frame=box rules=sides cellpadding=5 width=100%>
  192. <tr valign=top>
  193. <td><code>HEAP_CHECK_AFTER_DESTRUCTORS</code></td>
  194. <td>Default: false</td>
  195. <td>
  196. When true, do the final leak check after all other global
  197. destructors have run. When false, do it after all
  198. <code>REGISTER_HEAPCHECK_CLEANUP</code>, typically much earlier in
  199. the global-destructor process.
  200. </td>
  201. </tr>
  202. <tr valign=top>
  203. <td><code>HEAP_CHECK_IGNORE_THREAD_LIVE</code></td>
  204. <td>Default: true</td>
  205. <td>
  206. If true, ignore objects reachable from thread stacks and registers
  207. (that is, do not report them as leaks).
  208. </td>
  209. </tr>
  210. <tr valign=top>
  211. <td><code>HEAP_CHECK_IGNORE_GLOBAL_LIVE</code></td>
  212. <td>Default: true</td>
  213. <td>
  214. If true, ignore objects reachable from global variables and data
  215. (that is, do not report them as leaks).
  216. </td>
  217. </tr>
  218. </table>
  219. <p>These options modify the behavior of whole-program leak
  220. checking.</p>
  221. <table frame=box rules=sides cellpadding=5 width=100%>
  222. <tr valign=top>
  223. <td><code>HEAP_CHECK_MAX_LEAKS</code></td>
  224. <td>Default: 20</td>
  225. <td>
  226. The maximum number of leaks to be printed to stderr (all leaks are still
  227. emitted to file output for pprof to visualize). If negative or zero,
  228. print all the leaks found.
  229. </td>
  230. </tr>
  231. </table>
  232. <p>These options apply to all types of leak checking.</p>
  233. <table frame=box rules=sides cellpadding=5 width=100%>
  234. <tr valign=top>
  235. <td><code>HEAP_CHECK_IDENTIFY_LEAKS</code></td>
  236. <td>Default: false</td>
  237. <td>
  238. If true, generate the addresses of the leaked objects in the
  239. generated memory leak profile files.
  240. </td>
  241. </tr>
  242. <tr valign=top>
  243. <td><code>HEAP_CHECK_TEST_POINTER_ALIGNMENT</code></td>
  244. <td>Default: false</td>
  245. <td>
  246. If true, check all leaks to see if they might be due to the use
  247. of unaligned pointers.
  248. </td>
  249. </tr>
  250. <tr valign=top>
  251. <td><code>HEAP_CHECK_POINTER_SOURCE_ALIGNMENT</code></td>
  252. <td>Default: sizeof(void*)</td>
  253. <td>
  254. Alignment at which all pointers in memory are supposed to be located.
  255. Use 1 if any alignment is ok.
  256. </td>
  257. </tr>
  258. <tr valign=top>
  259. <td><code>PPROF_PATH</code></td>
  260. <td>Default: pprof</td>
  261. <td>
  262. The location of the <code>pprof</code> executable.
  263. </td>
  264. </tr>
  265. <tr valign=top>
  266. <td><code>HEAP_CHECK_DUMP_DIRECTORY</code></td>
  267. <td>Default: /tmp</td>
  268. <td>
  269. Where the heap-profile files are kept while the program is running.
  270. </td>
  271. </tr>
  272. </table>
  273. <h2>Tips for Handling Detected Leaks</h2>
  274. <p>What do you do when the heap leak checker detects a memory leak?
  275. First, you should run the reported <code>pprof</code> command;
  276. hopefully, that is enough to track down the location where the leak
  277. occurs.</p>
  278. <p>If the leak is a real leak, you should fix it!</p>
  279. <p>If you are sure that the reported leaks are not dangerous and there
  280. is no good way to fix them, then you can use
  281. <code>HeapLeakChecker::Disabler</code> and/or
  282. <code>HeapLeakChecker::IgnoreObject()</code> to disable heap-checking
  283. for certain parts of the codebase.</p>
  284. <p>In "strict" or "draconian" mode, leaks may be due to incomplete
  285. cleanup in the destructors of global variables. If you don't wish to
  286. augment the cleanup routines, but still want to run in "strict" or
  287. "draconian" mode, consider using <A
  288. HREF="#tweaking"><code>REGISTER_HEAPCHECK_CLEANUP</code></A>.</p>
  289. <h2>Hints for Debugging Detected Leaks</h2>
  290. <p>Sometimes it can be useful to not only know the exact code that
  291. allocates the leaked objects, but also the addresses of the leaked objects.
  292. Combining this e.g. with additional logging in the program
  293. one can then track which subset of the allocations
  294. made at a certain spot in the code are leaked.
  295. <br/>
  296. To get the addresses of all leaked objects
  297. define the environment variable <code>HEAP_CHECK_IDENTIFY_LEAKS</code>
  298. to be <code>1</code>.
  299. The object addresses will be reported in the form of addresses
  300. of fake immediate callers of the memory allocation routines.
  301. Note that the performance of doing leak-checking in this mode
  302. can be noticeably worse than the default mode.
  303. </p>
  304. <p>One relatively common class of leaks that don't look real
  305. is the case of multiple initialization.
  306. In such cases the reported leaks are typically things that are
  307. linked from some global objects,
  308. which are initialized and say never modified again.
  309. The non-obvious cause of the leak is frequently the fact that
  310. the initialization code for these objects executes more than once.
  311. <br/>
  312. E.g. if the code of some <code>.cc</code> file is made to be included twice
  313. into the binary, then the constructors for global objects defined in that file
  314. will execute twice thus leaking the things allocated on the first run.
  315. <br/>
  316. Similar problems can occur if object initialization is done more explicitly
  317. e.g. on demand by a slightly buggy code
  318. that does not always ensure only-once initialization.
  319. </p>
  320. <p>
  321. A more rare but even more puzzling problem can be use of not properly
  322. aligned pointers (maybe inside of not properly aligned objects).
  323. Normally such pointers are not followed by the leak checker,
  324. hence the objects reachable only via such pointers are reported as leaks.
  325. If you suspect this case
  326. define the environment variable <code>HEAP_CHECK_TEST_POINTER_ALIGNMENT</code>
  327. to be <code>1</code>
  328. and then look closely at the generated leak report messages.
  329. </p>
  330. <h1>How It Works</h1>
  331. <p>When a <code>HeapLeakChecker</code> object is constructed, it dumps
  332. a memory-usage profile named
  333. <code>&lt;prefix&gt;.&lt;name&gt;-beg.heap</code> to a temporary
  334. directory. When <code>NoLeaks()</code>
  335. is called (for whole-program checking, this happens automatically at
  336. program-exit), it dumps another profile, named
  337. <code>&lt;prefix&gt;.&lt;name&gt;-end.heap</code>.
  338. (<code>&lt;prefix&gt;</code> is typically determined automatically,
  339. and <code>&lt;name&gt;</code> is typically <code>argv[0]</code>.) It
  340. then compares the two profiles. If the second profile shows
  341. more memory use than the first, the
  342. <code>NoLeaks()</code> function will
  343. return false. For "whole program" profiling, this will cause the
  344. executable to abort (via <code>exit(1)</code>). In all cases, it will
  345. print a message on how to process the dumped profiles to locate
  346. leaks.</p>
  347. <h3><A name=live>Detecting Live Objects</A></h3>
  348. <p>At any point during a program's execution, all memory that is
  349. accessible at that time is considered "live." This includes global
  350. variables, and also any memory that is reachable by following pointers
  351. from a global variable. It also includes all memory reachable from
  352. the current stack frame and from current CPU registers (this captures
  353. local variables). Finally, it includes the thread equivalents of
  354. these: thread-local storage and thread heaps, memory reachable from
  355. thread-local storage and thread heaps, and memory reachable from
  356. thread CPU registers.</p>
  357. <p>In all modes except "draconian," live memory is not
  358. considered to be a leak. We detect this by doing a liveness flood,
  359. traversing pointers to heap objects starting from some initial memory
  360. regions we know to potentially contain live pointer data. Note that
  361. this flood might potentially not find some (global) live data region
  362. to start the flood from. If you find such, please file a bug.</p>
  363. <p>The liveness flood attempts to treat any properly aligned byte
  364. sequences as pointers to heap objects and thinks that it found a good
  365. pointer whenever the current heap memory map contains an object with
  366. the address whose byte representation we found. Some pointers into
  367. not-at-start of object will also work here.</p>
  368. <p>As a result of this simple approach, it's possible (though
  369. unlikely) for the flood to be inexact and occasionally result in
  370. leaked objects being erroneously determined to be live. For instance,
  371. random bit patterns can happen to look like pointers to leaked heap
  372. objects. More likely, stale pointer data not corresponding to any
  373. live program variables can be still present in memory regions,
  374. especially in thread stacks. For instance, depending on how the local
  375. <code>malloc</code> is implemented, it may reuse a heap object
  376. address:</p>
  377. <pre>
  378. char* p = new char[1]; // new might return 0x80000000, say.
  379. delete p;
  380. new char[1]; // new might return 0x80000000 again
  381. // This last new is a leak, but doesn't seem it: p looks like it points to it
  382. </pre>
  383. <p>In other words, imprecisions in the liveness flood mean that for
  384. any heap leak check we might miss some memory leaks. This means that
  385. for local leak checks, we might report a memory leak in the local
  386. area, even though the leak actually happened before the
  387. <code>HeapLeakChecker</code> object was constructed. Note that for
  388. whole-program checks, a leak report <i>does</i> always correspond to a
  389. real leak (since there's no "before" to have created a false-live
  390. object).</p>
  391. <p>While this liveness flood approach is not very portable and not
  392. 100% accurate, it works in most cases and saves us from writing a lot
  393. of explicit clean up code and other hassles when dealing with thread
  394. data.</p>
  395. <h3>Visualizing Leak with <code>pprof</code></h3>
  396. <p>
  397. The heap checker automatically prints basic leak info with stack traces of
  398. leaked objects' allocation sites, as well as a pprof command line that can be
  399. used to visualize the call-graph involved in these allocations.
  400. The latter can be much more useful for a human
  401. to see where/why the leaks happened, especially if the leaks are numerous.
  402. </p>
  403. <h3>Leak-checking and Threads</h3>
  404. <p>At the time of HeapLeakChecker's construction and during
  405. <code>NoLeaks()</code> calls, we grab a lock
  406. and then pause all other threads so other threads do not interfere
  407. with recording or analyzing the state of the heap.</p>
  408. <p>In general, leak checking works correctly in the presence of
  409. threads. However, thread stack data liveness determination (via
  410. <code>base/thread_lister.h</code>) does not work when the program is
  411. running under GDB, because the ptrace functionality needed for finding
  412. threads is already hooked to by GDB. Conversely, leak checker's
  413. ptrace attempts might also interfere with GDB. As a result, GDB can
  414. result in potentially false leak reports. For this reason, the
  415. heap-checker turns itself off when running under GDB.</p>
  416. <p>Also, <code>thread_lister</code> only works for Linux pthreads;
  417. leak checking is unlikely to handle other thread implementations
  418. correctly.</p>
  419. <p>As mentioned in the discussion of liveness flooding, thread-stack
  420. liveness determination might mis-classify as reachable objects that
  421. very recently became unreachable (leaked). This can happen when the
  422. pointers to now-logically-unreachable objects are present in the
  423. active thread stack frame. In other words, trivial code like the
  424. following might not produce the expected leak checking outcome
  425. depending on how the compiled code works with the stack:</p>
  426. <pre>
  427. int* foo = new int [20];
  428. HeapLeakChecker check("a_check");
  429. foo = NULL;
  430. // May fail to trigger.
  431. if (!heap_checker.NoLeaks()) assert(NULL == "heap memory leak");
  432. </pre>
  433. <hr>
  434. <address>Maxim Lifantsev<br>
  435. <!-- Created: Tue Dec 19 10:43:14 PST 2000 -->
  436. <!-- hhmts start -->
  437. Last modified: Fri Jul 13 13:14:33 PDT 2007
  438. <!-- hhmts end -->
  439. </address>
  440. </body>
  441. </html>