SlideShare una empresa de Scribd logo

Leakpoint: Pinpointing the Causes of Memory Leaks (ICSE 2010)

James Clause
James Clause
Tecnología
1 de 102
Descargar para leer sin conexión
LEAKPOINT: Pinpointing the Causes of Memory Leaks Georgia Institute of Technology James Clause and Alessandro Orso Supported in part by NSF and IBM Research
Memory leak classification void *p = malloc(100);
Memory leak classification void *p = malloc(100); M
Memory leak classification Lost memory Forgotten memory M becomes unreachable before being deallocated M is reachable, but is never accessed or deallocated void *p = malloc(100); M
Memory leak classification Lost memory Forgotten memory M becomes unreachable before being deallocated M is reachable, but is never accessed or deallocated void *p = malloc(100); M
Memory leak classification Lost memory Forgotten memory M becomes unreachable before being deallocated M is reachable, but is never accessed or deallocated void *p = malloc(100); M • common • difficult to manually detect • high impact
Existing techniques mtrace M. Bond and K. McKinley ‘06 R. Hastings and B. Joyce ‘92 M. Hauswirth and T. Chilimbi. ‘04 D.Heine and M.Lam ‘03 D. Heine and M. Lam ‘06 M. Jump and K. McKinley ‘07 leaks J. Maebe, M. Ronsse, and K. D. Bosschere ‘04 N. Mitchell and G. Sevitsky ‘03 G. Novark, E. D. Berger, and B. G. Zorn ‘09 M. Orlovich and R. Rugina ‘06 F. Qin, S. Lu, and Y. Zhou ‘05 MemCheck Y. Xie and A. Aiken ‘05 G. Xu and A. Rountev ‘08 S. Cherem, L. Princehouse, and R. Rugina ‘06 W. DePauw and G. Sevitsky ’99 purify Publications Tools
addhash(char hname[]) { 35. int i; 36. HASHPTR hptr; 37. unsigned int hsum = 0; 38. for(i = 0 ; i < strlen(hname) ; i++) { 39. sum += (unsigned int) hname[i]; 40. } 41. hsum %= 3001; 42. if((hptr = hashtab[hsum]) == (HASHPTR) NULL) { 43. hptr = hashtab[hsum] = (HASHPTR) malloc(sizeof(HASHBOX)); 44. hptr->hnext = (HASHPTR) NULL; 45. hptr->hnum = ++netctr; 46. hptr->hname = (char *) malloc((strlen(hname) + 1) * ! ! ! ! ! ! ! ! ! ! sizeof(char)); 47. sprintf(hptr->hname , "%s" , hname); 48. return(1); 49. } else { ! ... 67. } } Detecting leaks is easy
addhash(char hname[]) { 35. int i; 36. HASHPTR hptr; 37. unsigned int hsum = 0; 38. for(i = 0 ; i < strlen(hname) ; i++) { 39. sum += (unsigned int) hname[i]; 40. } 41. hsum %= 3001; 42. if((hptr = hashtab[hsum]) == (HASHPTR) NULL) { 43. hptr = hashtab[hsum] = (HASHPTR) malloc(sizeof(HASHBOX)); 44. hptr->hnext = (HASHPTR) NULL; 45. hptr->hnum = ++netctr; 46. hptr->hname = (char *) malloc((strlen(hname) + 1) * ! ! ! ! ! ! ! ! ! ! sizeof(char)); 47. sprintf(hptr->hname , "%s" , hname); 48. return(1); 49. } else { ! ... 67. } } Detecting leaks is easy
addhash(char hname[]) { 35. int i; 36. HASHPTR hptr; 37. unsigned int hsum = 0; 38. for(i = 0 ; i < strlen(hname) ; i++) { 39. sum += (unsigned int) hname[i]; 40. } 41. hsum %= 3001; 42. if((hptr = hashtab[hsum]) == (HASHPTR) NULL) { 43. hptr = hashtab[hsum] = (HASHPTR) malloc(sizeof(HASHBOX)); 44. hptr->hnext = (HASHPTR) NULL; 45. hptr->hnum = ++netctr; 46. hptr->hname = (char *) malloc((strlen(hname) + 1) * ! ! ! ! ! ! ! ! ! ! sizeof(char)); 47. sprintf(hptr->hname , "%s" , hname); 48. return(1); 49. } else { ! ... 67. } } Detecting leaks is easy; fixing them is not
Overview
Overview
Overview
Overview Leak locations are close to where leaks should be fixed.
Overview 1 Tainting pointers Leak locations are close to where leaks should be fixed.
Overview 1 Tainting pointers Leak locations are close to where leaks should be fixed.
Overview 1 Tainting pointers 2 Propagating taint marks Leak locations are close to where leaks should be fixed.
Overview 1 Tainting pointers 2 Propagating taint marks Leak locations are close to where leaks should be fixed.
Overview 1 Tainting pointers 2 Propagating taint marks 3 Identifying when leaks occur Leak locations are close to where leaks should be fixed.
Overview 1 Tainting pointers 2 Propagating taint marks 3 Identifying when leaks occur Leak locations are close to where leaks should be fixed.
addhash(char hname[]) { 35. int i; 36. HASHPTR hptr; 37. unsigned int hsum = 0; 38. for(i = 0 ; i < strlen(hname) ; i++) { 39. sum += (unsigned int) hname[i]; 40. } 41. hsum %= 3001; 42. if((hptr = hashtab[hsum]) == (HASHPTR) NULL) { 43. hptr = hashtab[hsum] = (HASHPTR) malloc(sizeof(HASHBOX)); 44. hptr->hnext = (HASHPTR) NULL; 45. hptr->hnum = ++netctr; 46. hptr->hname = (char *) malloc((strlen(hname) + 1) * ! ! ! ! ! ! ! ! ! ! sizeof(char)); 47. sprintf(hptr->hname , "%s" , hname); 48. return(1); 49. } else { ! ... 67. } } Detecting leaks is easy
46. hptr->hname = (char *) malloc((strlen(hname) + 1) * ! ! ! ! ! ! ! ! ! ! sizeof(char)); delHtab() { 15. int i; 16. HASHPTR hptr , zapptr; 17. for(i = 0; i < 3001; i++) { 18. hptr = hashtab[i]; 19. if(hptr != (HASHPTR) NULL) { 20. zapptr = hptr ; 21. while(hptr->hnext != (HASHPTR) NULL) { 22.! ! hptr = hptr->hnext; 23.! ! free(zapptr); 24.! ! zapptr = hptr ; 25.! ! } 26.! ! free(hptr); 27.! } 28. }! 29. free(hashtab); 30. return; } Detecting leaks is easy
46. hptr->hname = (char *) malloc((strlen(hname) + 1) * ! ! ! ! ! ! ! ! ! ! sizeof(char)); Detecting leaks is easy; fixing them is too delHtab() { 15. int i; 16. HASHPTR hptr , zapptr; 17. for(i = 0; i < 3001; i++) { 18. hptr = hashtab[i]; 19. if(hptr != (HASHPTR) NULL) { 20. zapptr = hptr ; 21. while(hptr->hnext != (HASHPTR) NULL) { 22.! ! hptr = hptr->hnext; 23.! ! free(zapptr); 24.! ! zapptr = hptr ; 25.! ! } 26.! ! free(hptr); 27.! } 28. }! 29. free(hashtab); 30. return; }
46. hptr->hname = (char *) malloc((strlen(hname) + 1) * ! ! ! ! ! ! ! ! ! ! sizeof(char)); Detecting leaks is easy; fixing them is too delHtab() { 15. int i; 16. HASHPTR hptr , zapptr; 17. for(i = 0; i < 3001; i++) { 18. hptr = hashtab[i]; 19. if(hptr != (HASHPTR) NULL) { 20. zapptr = hptr ; 21. while(hptr->hnext != (HASHPTR) NULL) { 22.! ! hptr = hptr->hnext; 23.! ! free(zapptr); 24.! ! zapptr = hptr ; 25.! ! } 26.! ! free(hptr); 27.! } 28. }! 29. free(hashtab); 30. return; } free(hptr->hname);
Outline • Our technique • Tainting pointers • Tracking pointers • Checking for leaks • Implementation • Evaluation • Conclusions and future work
1.Tainting pointers Assign a taint mark to pointers returned from allocation functions (e.g., malloc)
1.Tainting pointers Assign a taint mark to pointers returned from allocation functions (e.g., malloc)
1.Tainting pointers Last use location Allocation location Allocation size Deallocated indicator Pointer count Assign a taint mark to pointers returned from allocation functions (e.g., malloc) Metadata
1.Tainting pointers Last use location Allocation location Allocation size Deallocated indicator Pointer count Assign a taint mark to pointers returned from allocation functions (e.g., malloc) current location current location false size of the memory area 1 Metadata Initialized to
2. Propagating taint marks
2. Propagating taint marks 1.Track the flow of pointers throughout the execution
2. Propagating taint marks 1.Track the flow of pointers throughout the execution
2. Propagating taint marks 1.Track the flow of pointers throughout the execution
2. Propagating taint marks 1.Track the flow of pointers throughout the execution 2. Update taint marks’ mutable metadata
Tracking pointers assignment addition subtraction and multiplication division modulus or, xor, shift, not comparison
p2 = p1 ➔ p2 p2 = p1 ➔ p2 p2 = p2 ± 1 ➔ p2 p3 = p2 ± p1 ➔ p3 p2 = p2 & 0xffff ➔ p2 not tainted Tracking pointers assignment addition subtraction and multiplication division modulus or, xor, shift, not comparison
p2 = p1 ➔ p2 p2 = p1 ➔ p2 p2 = p2 ± 1 ➔ p2 p3 = p2 ± p1 ➔ p3 p2 = p2 & 0xffff ➔ p2 not tainted Tracking pointers assignment addition subtraction and multiplication division modulus or, xor, shift, not comparison
p2 = p1 ➔ p2 p2 = p1 ➔ p2 p2 = p2 ± 1 ➔ p2 p3 = p2 ± p1 ➔ p3 p2 = p2 & 0xffff ➔ p2 not tainted Tracking pointers assignment addition subtraction and multiplication division modulus or, xor, shift, not comparison
p2 = p1 ➔ p2 p2 = p1 ➔ p2 p2 = p2 ± 1 ➔ p2 p3 = p2 ± p1 ➔ p3 p2 = p2 & 0xffff ➔ p2 not tainted Tracking pointers assignment addition subtraction and multiplication division modulus or, xor, shift, not comparison
p2 = p1 ➔ p2 p2 = p1 ➔ p2 p2 = p2 ± 1 ➔ p2 p3 = p2 ± p1 ➔ p3 p2 = p2 & 0xffff ➔ p2 not tainted Tracking pointers assignment addition subtraction and multiplication division modulus or, xor, shift, not comparison
p2 = p1 ➔ p2 p2 = p1 ➔ p2 p2 = p2 ± 1 ➔ p2 p3 = p2 ± p1 ➔ p3 p2 = p2 & 0xffff ➔ p2 not tainted Tracking pointers assignment addition subtraction and multiplication division modulus or, xor, shift, not comparison
p2 = p1 ➔ p2 p2 = p1 ➔ p2 p2 = p2 ± 1 ➔ p2 p3 = p2 ± p1 ➔ p3 p2 = p2 & 0xffff ➔ p2 not tainted Tracking pointers Based on domain knowledge and expertise assignment addition subtraction and multiplication division modulus or, xor, shift, not comparison
Update metadata (1)
Pointer Counts Update metadata (1)
Pointer Counts • Assignment: increment the count of the pointer that is copied, decrement the count of the pointer that is overwritten Update metadata (1)
Pointer Counts • Assignment: increment the count of the pointer that is copied, decrement the count of the pointer that is overwritten Update metadata (1) ptr3 = ptr1 ➔ ptr3 , ptr11 2 2 ptr1 = NULL ➔ ptr1 , ptr32 1
Pointer Counts • Assignment: increment the count of the pointer that is copied, decrement the count of the pointer that is overwritten • Function return: decrement the count of pointers stored in local variables Update metadata (1) ptr3 = ptr1 ➔ ptr3 , ptr11 2 2 ptr1 = NULL ➔ ptr1 , ptr32 1
Pointer Counts • Assignment: increment the count of the pointer that is copied, decrement the count of the pointer that is overwritten • Function return: decrement the count of pointers stored in local variables • Memory deallocation: decrement the count of pointers reachable from the deallocated memory Update metadata (1) ptr3 = ptr1 ➔ ptr3 , ptr11 2 2 ptr1 = NULL ➔ ptr1 , ptr32 1
Update metadata (2)
Deallocation indicator Update metadata (2)
Deallocation indicator • Set to true when a pointer is passed to a deallocation function (e.g., free) Update metadata (2)
Deallocation indicator • Set to true when a pointer is passed to a deallocation function (e.g., free) Last use location Update metadata (2)
Deallocation indicator • Set to true when a pointer is passed to a deallocation function (e.g., free) Last use location • Set to the current location whenever a pointer is - propagated - passed as a function argument - returned from a function - used to access memory Update metadata (2)
3. Identifying when leaks occur
3. Identifying when leaks occur Lost memory Forgotten memory If a taint mark’s pointer count is zero and it’s deallocated indicator is false If, at the end of execution, a taint mark’s deallocated indicator is false
3. Identifying when leaks occur Lost memory Forgotten memory If a taint mark’s pointer count is zero and it’s deallocated indicator is false If, at the end of execution, a taint mark’s deallocated indicator is false
3. Identifying when leaks occur Lost memory Forgotten memory If a taint mark’s pointer count is zero and it’s deallocated indicator is false If, at the end of execution, a taint mark’s deallocated indicator is false (Checks are recursive)
3. Identifying when leaks occur Lost memory Forgotten memory If a taint mark’s pointer count is zero and it’s deallocated indicator is false If, at the end of execution, a taint mark’s deallocated indicator is false Generate a leak report: • allocation location, allocation size, and last use location (Checks are recursive)
3. Identifying when leaks occur Lost memory Forgotten memory If a taint mark’s pointer count is zero and it’s deallocated indicator is false If, at the end of execution, a taint mark’s deallocated indicator is false Generate a leak report: • allocation location, allocation size, and last use location Merge leak reports: • combine reports with identical allocation and last use locations, add allocation sizes (Checks are recursive)
Prototype tool Implemented usingValgrind
Prototype tool Implemented usingValgrind 30–100x overheads
Prototype tool 16 bytes of memory allocated:   at malloc   by addhash (hash.c:50) by parser (parser.c:210) by readcell (parser.c:34)   by main (main.c:98)   was leaked:    at free    by delHtab (hash.c:28)    by grdcell(grdcell.c:354)    by main (main.c:227) Implemented usingValgrind
Prototype tool 16 bytes of memory allocated:   at malloc   by addhash (hash.c:50) by parser (parser.c:210) by readcell (parser.c:34)   by main (main.c:98)   was leaked:    at free    by delHtab (hash.c:28)    by grdcell(grdcell.c:354)    by main (main.c:227) Implemented usingValgrind
Prototype tool 16 bytes of memory allocated:   at malloc   by addhash (hash.c:50) by parser (parser.c:210) by readcell (parser.c:34)   by main (main.c:98)   was leaked:    at free    by delHtab (hash.c:28)    by grdcell(grdcell.c:354)    by main (main.c:227) Implemented usingValgrind
Prototype tool 16 bytes of memory allocated:   at malloc   by addhash (hash.c:50) by parser (parser.c:210) by readcell (parser.c:34)   by main (main.c:98)   was leaked:    at free    by delHtab (hash.c:28)    by grdcell(grdcell.c:354)    by main (main.c:227) Implemented usingValgrind Can be used to prioritize debugging effort
Evaluation How does Leakpoint’s ability to detect memory leaks compare to existing tools? How effective is Leakpoint at guiding developers to the locations where memory leaks may be fixed?
RQ1: Comparison with existing tools
Subjects 164.gzip 4 1 4 4 175.vpr 47 0 47 47 176.gcc 1121 406 (1415) 1121 1121 181.mcf 0 0 0 0 186.crafty 37 0 37 37 197.parser 2 0 2 2 252.eon 380 380 380 380 253.perlbmk 3481 0 (2) 3481 536 254.gap 2 0 (2) 2 2 255.vortex 15 1 15 15 256.bzip2 10 1 10 10 300.twolf 1403 68 (3) 1403 1403 RQ1: Comparison with existing tools
Subjects 164.gzip 4 1 4 4 175.vpr 47 0 47 47 176.gcc 1121 406 (1415) 1121 1121 181.mcf 0 0 0 0 186.crafty 37 0 37 37 197.parser 2 0 2 2 252.eon 380 380 380 380 253.perlbmk 3481 0 (2) 3481 536 254.gap 2 0 (2) 2 2 255.vortex 15 1 15 15 256.bzip2 10 1 10 10 300.twolf 1403 68 (3) 1403 1403 RQ1: Comparison with existing tools Leakpoint
Subjects 164.gzip 4 1 4 4 175.vpr 47 0 47 47 176.gcc 1121 406 (1415) 1121 1121 181.mcf 0 0 0 0 186.crafty 37 0 37 37 197.parser 2 0 2 2 252.eon 380 380 380 380 253.perlbmk 3481 0 (2) 3481 536 254.gap 2 0 (2) 2 2 255.vortex 15 1 15 15 256.bzip2 10 1 10 10 300.twolf 1403 68 (3) 1403 1403 RQ1: Comparison with existing tools omegaLeakpoint
Subjects 164.gzip 4 1 4 4 175.vpr 47 0 47 47 176.gcc 1121 406 (1415) 1121 1121 181.mcf 0 0 0 0 186.crafty 37 0 37 37 197.parser 2 0 2 2 252.eon 380 380 380 380 253.perlbmk 3481 0 (2) 3481 536 254.gap 2 0 (2) 2 2 255.vortex 15 1 15 15 256.bzip2 10 1 10 10 300.twolf 1403 68 (3) 1403 1403 RQ1: Comparison with existing tools omega MemCheckLeakpoint
Subjects 164.gzip 4 1 4 4 175.vpr 47 0 47 47 176.gcc 1121 406 (1415) 1121 1121 181.mcf 0 0 0 0 186.crafty 37 0 37 37 197.parser 2 0 2 2 252.eon 380 380 380 380 253.perlbmk 3481 0 (2) 3481 536 254.gap 2 0 (2) 2 2 255.vortex 15 1 15 15 256.bzip2 10 1 10 10 300.twolf 1403 68 (3) 1403 1403 RQ1: Comparison with existing tools mtraceomega MemCheckLeakpoint
Leak detectionLeak identificationSubjects 164.gzip 4 1 4 4 175.vpr 47 0 47 47 176.gcc 1121 406 (1415) 1121 1121 181.mcf 0 0 0 0 186.crafty 37 0 37 37 197.parser 2 0 2 2 252.eon 380 380 380 380 253.perlbmk 3481 0 (2) 3481 536 254.gap 2 0 (2) 2 2 255.vortex 15 1 15 15 256.bzip2 10 1 10 10 300.twolf 1403 68 (3) 1403 1403 RQ1: Comparison with existing tools mtraceomega MemCheckLeakpoint
Subjects 164.gzip 4 1 4 4 175.vpr 47 0 47 47 176.gcc 1121 406 (1415) 1121 1121 181.mcf 0 0 0 0 186.crafty 37 0 37 37 197.parser 2 0 2 2 252.eon 380 380 380 380 253.perlbmk 3481 0 (2) 3481 536 254.gap 2 0 (2) 2 2 255.vortex 15 1 15 15 256.bzip2 10 1 10 10 300.twolf 1403 68 (3) 1403 1403 RQ1: Comparison with existing tools mtraceomega MemCheckLeakpoint
# Detected memory leaks (# false positives)Subjects 164.gzip 4 1 4 4 175.vpr 47 0 47 47 176.gcc 1121 406 (1415) 1121 1121 181.mcf 0 0 0 0 186.crafty 37 0 37 37 197.parser 2 0 2 2 252.eon 380 380 380 380 253.perlbmk 3481 0 (2) 3481 536 254.gap 2 0 (2) 2 2 255.vortex 15 1 15 15 256.bzip2 10 1 10 10 300.twolf 1403 68 (3) 1403 1403 RQ1: Comparison with existing tools mtraceomega MemCheckLeakpoint
# Detected memory leaks (# false positives)Subjects 164.gzip 4 1 4 4 175.vpr 47 0 47 47 176.gcc 1121 406 (1415) 1121 1121 181.mcf 0 0 0 0 186.crafty 37 0 37 37 197.parser 2 0 2 2 252.eon 380 380 380 380 253.perlbmk 3481 0 (2) 3481 536 254.gap 2 0 (2) 2 2 255.vortex 15 1 15 15 256.bzip2 10 1 10 10 300.twolf 1403 68 (3) 1403 1403 RQ1: Comparison with existing tools mtraceomega MemCheckLeakpoint
# Detected memory leaks (# false positives)Subjects 164.gzip 4 1 4 4 175.vpr 47 0 47 47 176.gcc 1121 406 (1415) 1121 1121 181.mcf 0 0 0 0 186.crafty 37 0 37 37 197.parser 2 0 2 2 252.eon 380 380 380 380 253.perlbmk 3481 0 (2) 3481 536 254.gap 2 0 (2) 2 2 255.vortex 15 1 15 15 256.bzip2 10 1 10 10 300.twolf 1403 68 (3) 1403 1403 RQ1: Comparison with existing tools mtraceomega MemCheckLeakpoint
# Detected memory leaks (# false positives)Subjects 164.gzip 4 1 4 4 175.vpr 47 0 47 47 176.gcc 1121 406 (1415) 1121 1121 181.mcf 0 0 0 0 186.crafty 37 0 37 37 197.parser 2 0 2 2 252.eon 380 380 380 380 253.perlbmk 3481 0 (2) 3481 536 254.gap 2 0 (2) 2 2 255.vortex 15 1 15 15 256.bzip2 10 1 10 10 300.twolf 1403 68 (3) 1403 1403 RQ1: Comparison with existing tools mtraceomega MemCheckLeakpoint
# Detected memory leaks (# false positives)Subjects 164.gzip 4 1 4 4 175.vpr 47 0 47 47 176.gcc 1121 406 (1415) 1121 1121 181.mcf 0 0 0 0 186.crafty 37 0 37 37 197.parser 2 0 2 2 252.eon 380 380 380 380 253.perlbmk 3481 0 (2) 3481 536 254.gap 2 0 (2) 2 2 255.vortex 15 1 15 15 256.bzip2 10 1 10 10 300.twolf 1403 68 (3) 1403 1403 RQ1: Comparison with existing tools mtraceomega MemCheckLeakpoint Leakpoint is at least as effective as existing tools at detecting memory leaks
RQ2: Effectiveness at guiding developers Compare the leak locations identified by Leakpoint with the locations where the leaks were fixed by the original application developers.
RQ2: Effectiveness at guiding developers Compare the leak locations identified by Leakpoint with the locations where the leaks were fixed by the original application developers. Transmission
RQ2: Effectiveness at guiding developers Compare the leak locations identified by Leakpoint with the locations where the leaks were fixed by the original application developers. Transmission
RQ2: Effectiveness at guiding developers Compare the leak locations identified by Leakpoint with the locations where the leaks were fixed by the original application developers. Transmission
RQ2: Effectiveness at guiding developers Compare the leak locations identified by Leakpoint with the locations where the leaks were fixed by the original application developers. Transmission 4 memory leaks total
static void processCompletedTasks(tr_web *web) { ... task->done_func(web->session, ..., task->done_func_user_data); ... evbuffer_free(task->response); tr_free(task->url); tr_free(task); ... } Transmission static void invokeRequest(void * vreq) { ... hash = tr_new0(uint8_t, SHA_DIGEST_LENGTH); memcpy(hash, req->torrent_hash, SHA_DIGEST_LENGTH); tr_webRun(req->session, req->url, req->done_func, hash); ... }
static void processCompletedTasks(tr_web *web) { ... task->done_func(web->session, ..., task->done_func_user_data); ... evbuffer_free(task->response); tr_free(task->url); tr_free(task); ... } Transmission static void invokeRequest(void * vreq) { ... hash = tr_new0(uint8_t, SHA_DIGEST_LENGTH); memcpy(hash, req->torrent_hash, SHA_DIGEST_LENGTH); tr_webRun(req->session, req->url, req->done_func, hash); ... } static void onStoppedResponse(tr_session *session, ..., void *torrent_hash) { dbgmsg(NULL, "got a response ... message"); onReqDone(session); } // tr_free(torrent_hash);
static void processCompletedTasks(tr_web *web) { ... task->done_func(web->session, ..., task->done_func_user_data); ... evbuffer_free(task->response); tr_free(task->url); tr_free(task); ... } Transmission static void invokeRequest(void * vreq) { ... hash = tr_new0(uint8_t, SHA_DIGEST_LENGTH); memcpy(hash, req->torrent_hash, SHA_DIGEST_LENGTH); tr_webRun(req->session, req->url, req->done_func, hash); ... } static void onStoppedResponse(tr_session *session, ..., void *torrent_hash) { dbgmsg(NULL, "got a response ... message"); onReqDone(session); } // tr_free(torrent_hash); Distance: 6 statements
URIHANDLER_FUNC(mod_rewrite_uri_handler) { ... hctx = handler_ctx_init(); con->plugin_ctx[p->id] = hctx; ... } Lighttpd 1
URIHANDLER_FUNC(mod_rewrite_uri_handler) { ... hctx = handler_ctx_init(); con->plugin_ctx[p->id] = hctx; ... } Lighttpd 1 // if(con->plugin_ctx[p->id] == NULL) { // } // else { // hctx = con->plugin_ctx[p->id]; // }
URIHANDLER_FUNC(mod_rewrite_uri_handler) { ... hctx = handler_ctx_init(); con->plugin_ctx[p->id] = hctx; ... } Lighttpd 1 // if(con->plugin_ctx[p->id] == NULL) { // } // else { // hctx = con->plugin_ctx[p->id]; // } Distance: overlapping
int http_request_parse(server *srv, connection *con) { ... if(NULL == (ds = (data_string *)array_get_unused_element( con->request.headers, TYPE_STRING))) { ds = data_string_init(); } ... else if (cmp > 0 && 0 == (cmp = buffer_caseless_compare(CONST_BUF_LEN(ds->key), CONST_STR_LEN("Content-Length")))) { char *err unsigned long int r; size_t j if (con_length_set) { con->http_status = 400; con->keep_alive = 0; if(srv->srvconf.log_request_header_on_error) { log_error_write(srv, __FILE__, __LINE__, "s", "duplicate ..."); log_error_write(srv, __FILE__, __LINE__, "Sb", "request-header:n", con->request.request); } return 0; } ... } Lighttpd 2
int http_request_parse(server *srv, connection *con) { ... if(NULL == (ds = (data_string *)array_get_unused_element( con->request.headers, TYPE_STRING))) { ds = data_string_init(); } ... else if (cmp > 0 && 0 == (cmp = buffer_caseless_compare(CONST_BUF_LEN(ds->key), CONST_STR_LEN("Content-Length")))) { char *err unsigned long int r; size_t j if (con_length_set) { con->http_status = 400; con->keep_alive = 0; if(srv->srvconf.log_request_header_on_error) { log_error_write(srv, __FILE__, __LINE__, "s", "duplicate ..."); log_error_write(srv, __FILE__, __LINE__, "Sb", "request-header:n", con->request.request); } return 0; } ... } Lighttpd 2 // array_insert_unique(con->request.headers, (data_unset *)ds);
int http_request_parse(server *srv, connection *con) { ... if(NULL == (ds = (data_string *)array_get_unused_element( con->request.headers, TYPE_STRING))) { ds = data_string_init(); } ... else if (cmp > 0 && 0 == (cmp = buffer_caseless_compare(CONST_BUF_LEN(ds->key), CONST_STR_LEN("Content-Length")))) { char *err unsigned long int r; size_t j if (con_length_set) { con->http_status = 400; con->keep_alive = 0; if(srv->srvconf.log_request_header_on_error) { log_error_write(srv, __FILE__, __LINE__, "s", "duplicate ..."); log_error_write(srv, __FILE__, __LINE__, "Sb", "request-header:n", con->request.request); } return 0; } ... } Lighttpd 2 // array_insert_unique(con->request.headers, (data_unset *)ds); Distance: 1 statement
static struct spelling *spelling_base; static void push_string(char *string) { ... spelling_base = xmalloc(spelling_size * sizeof(struct spelling)); ... } void finish_init() { ... constructor_decl = p->decl; ... spelling_base = p->spelling_base; ... } GCC
static struct spelling *spelling_base; static void push_string(char *string) { ... spelling_base = xmalloc(spelling_size * sizeof(struct spelling)); ... } void finish_init() { ... constructor_decl = p->decl; ... spelling_base = p->spelling_base; ... } GCC // free(spelling_base);
static struct spelling *spelling_base; static void push_string(char *string) { ... spelling_base = xmalloc(spelling_size * sizeof(struct spelling)); ... } void finish_init() { ... constructor_decl = p->decl; ... spelling_base = p->spelling_base; ... } GCC // free(spelling_base); Distance: 10 statements*
Summary • A new technique for identifying where memory leaks occur • at least as effective as existing techniques at detecting memory leaks • helpful in guiding developers to the locations where memory leaks should be fixed
Future work
Future work Improved implementation
Future work Additional experimentation Improved implementation
Future work Additional experimentation User Studies Improved implementation
Questions? 1 Tainting pointers 2 Propagating taint marks 3 Identifying when leaks occur

Recomendados

Taint-based Dynamic Analysis (CoC Research Day 2009)
Taint-based Dynamic Analysis (CoC Research Day 2009)Taint-based Dynamic Analysis (CoC Research Day 2009)
Taint-based Dynamic Analysis (CoC Research Day 2009)James Clause
 
Torturing the PHP interpreter
Torturing the PHP interpreterTorturing the PHP interpreter
Torturing the PHP interpreterLogicaltrust pl
 
zk-SNARKsの仕組みについて
zk-SNARKsの仕組みについてzk-SNARKsの仕組みについて
zk-SNARKsの仕組みについてts21
 
Php radomize
Php radomizePhp radomize
Php radomizedo_aki
 
Clean Coders Hate What Happens To Your Code When You Use These Enterprise Pro...
Clean Coders Hate What Happens To Your Code When You Use These Enterprise Pro...Clean Coders Hate What Happens To Your Code When You Use These Enterprise Pro...
Clean Coders Hate What Happens To Your Code When You Use These Enterprise Pro...Kevlin Henney
 
Basic C++ 11/14 for Python Programmers
Basic C++ 11/14 for Python ProgrammersBasic C++ 11/14 for Python Programmers
Basic C++ 11/14 for Python ProgrammersAppier
 
Data monsters probablistic data structures
Data monsters probablistic data structuresData monsters probablistic data structures
Data monsters probablistic data structuresGreenM
 
Get Kata
Get KataGet Kata
Get KataKevlin Henney
 

Recomendados

Taint-based Dynamic Analysis (CoC Research Day 2009)
Taint-based Dynamic Analysis (CoC Research Day 2009)Taint-based Dynamic Analysis (CoC Research Day 2009)
Taint-based Dynamic Analysis (CoC Research Day 2009)James Clause
 
Torturing the PHP interpreter
Torturing the PHP interpreterTorturing the PHP interpreter
Torturing the PHP interpreterLogicaltrust pl
 
zk-SNARKsの仕組みについて
zk-SNARKsの仕組みについてzk-SNARKsの仕組みについて
zk-SNARKsの仕組みについてts21
 
Php radomize
Php radomizePhp radomize
Php radomizedo_aki
 
Clean Coders Hate What Happens To Your Code When You Use These Enterprise Pro...
Clean Coders Hate What Happens To Your Code When You Use These Enterprise Pro...Clean Coders Hate What Happens To Your Code When You Use These Enterprise Pro...
Clean Coders Hate What Happens To Your Code When You Use These Enterprise Pro...Kevlin Henney
 
Basic C++ 11/14 for Python Programmers
Basic C++ 11/14 for Python ProgrammersBasic C++ 11/14 for Python Programmers
Basic C++ 11/14 for Python ProgrammersAppier
 
Data monsters probablistic data structures
Data monsters probablistic data structuresData monsters probablistic data structures
Data monsters probablistic data structuresGreenM
 
Get Kata
Get KataGet Kata
Get KataKevlin Henney
 
Bai Giang 11
Bai Giang 11Bai Giang 11
Bai Giang 11nbb3i
 
Code obfuscation, php shells & more
Code obfuscation, php shells & moreCode obfuscation, php shells & more
Code obfuscation, php shells & moreMattias Geniar
 
CBSE, Grade12, Computer Science, Random Numbers - Notes
CBSE, Grade12, Computer Science, Random Numbers - NotesCBSE, Grade12, Computer Science, Random Numbers - Notes
CBSE, Grade12, Computer Science, Random Numbers - NotesMalathi Senthil
 
The Anatomy of an Exploit
The Anatomy of an ExploitThe Anatomy of an Exploit
The Anatomy of an ExploitPatricia Aas
 
MongoDB Analytics
MongoDB AnalyticsMongoDB Analytics
MongoDB Analyticsdatablend
 
Evgeniy Muralev, Mark Vince, Working with the compiler, not against it
Evgeniy Muralev, Mark Vince, Working with the compiler, not against itEvgeniy Muralev, Mark Vince, Working with the compiler, not against it
Evgeniy Muralev, Mark Vince, Working with the compiler, not against itSergey Platonov
 
Hangman Game Programming in C (coding)
Hangman Game Programming in C (coding)Hangman Game Programming in C (coding)
Hangman Game Programming in C (coding)hasan0812
 
The Anatomy of an Exploit (NDC TechTown 2019)
The Anatomy of an Exploit (NDC TechTown 2019)The Anatomy of an Exploit (NDC TechTown 2019)
The Anatomy of an Exploit (NDC TechTown 2019)Patricia Aas
 
PyData Paris 2015 - Track 3.2 Serge Guelton et Pierrick Brunet
PyData Paris 2015 - Track 3.2 Serge Guelton et Pierrick Brunet PyData Paris 2015 - Track 3.2 Serge Guelton et Pierrick Brunet
PyData Paris 2015 - Track 3.2 Serge Guelton et Pierrick Brunet Pôle Systematic Paris-Region
 
Programming with GUTs
Programming with GUTsProgramming with GUTs
Programming with GUTsKevlin Henney
 
Java, Up to Date Sources
Java, Up to Date SourcesJava, Up to Date Sources
Java, Up to Date Sources輝 子安
 
The Art Of Parsing @ Devoxx France 2014
The Art Of Parsing @ Devoxx France 2014The Art Of Parsing @ Devoxx France 2014
The Art Of Parsing @ Devoxx France 2014Dinesh Bolkensteyn
 
Information Security Hands-On Breakout Session
Information Security Hands-On Breakout SessionInformation Security Hands-On Breakout Session
Information Security Hands-On Breakout SessionSplunk
 
A simple snake game project
A simple snake game projectA simple snake game project
A simple snake game projectAmit Kumar
 
TMPA-2017: Predicate Abstraction Based Configurable Method for Data Race Dete...
TMPA-2017: Predicate Abstraction Based Configurable Method for Data Race Dete...TMPA-2017: Predicate Abstraction Based Configurable Method for Data Race Dete...
TMPA-2017: Predicate Abstraction Based Configurable Method for Data Race Dete...Iosif Itkin
 
Ping pong game
Ping pong gamePing pong game
Ping pong gameAmit Kumar
 
Dalembert
DalembertDalembert
DalembertRichard Gill
 
E-Commerce Security - Application attacks - Server Attacks
E-Commerce Security - Application attacks - Server AttacksE-Commerce Security - Application attacks - Server Attacks
E-Commerce Security - Application attacks - Server Attacksphanleson
 
Down the rabbit hole, profiling in Django
Down the rabbit hole, profiling in DjangoDown the rabbit hole, profiling in Django
Down the rabbit hole, profiling in DjangoRemco Wendt
 
Software Exploits
Software ExploitsSoftware Exploits
Software ExploitsKevinCSmallwood
 
Advice For Design Students... From A Few Years Out
Advice For Design Students... From A Few Years OutAdvice For Design Students... From A Few Years Out
Advice For Design Students... From A Few Years OutJohn Hanawalt
 
18 B E I N PÅ T U R
18 B E I N PÅ T U R18 B E I N PÅ T U R
18 B E I N PÅ T U RKnutstad
 

Más contenido relacionado

La actualidad más candente

Bai Giang 11
Bai Giang 11Bai Giang 11
Bai Giang 11nbb3i
 
Code obfuscation, php shells & more
Code obfuscation, php shells & moreCode obfuscation, php shells & more
Code obfuscation, php shells & moreMattias Geniar
 
CBSE, Grade12, Computer Science, Random Numbers - Notes
CBSE, Grade12, Computer Science, Random Numbers - NotesCBSE, Grade12, Computer Science, Random Numbers - Notes
CBSE, Grade12, Computer Science, Random Numbers - NotesMalathi Senthil
 
The Anatomy of an Exploit
The Anatomy of an ExploitThe Anatomy of an Exploit
The Anatomy of an ExploitPatricia Aas
 
MongoDB Analytics
MongoDB AnalyticsMongoDB Analytics
MongoDB Analyticsdatablend
 
Evgeniy Muralev, Mark Vince, Working with the compiler, not against it
Evgeniy Muralev, Mark Vince, Working with the compiler, not against itEvgeniy Muralev, Mark Vince, Working with the compiler, not against it
Evgeniy Muralev, Mark Vince, Working with the compiler, not against itSergey Platonov
 
Hangman Game Programming in C (coding)
Hangman Game Programming in C (coding)Hangman Game Programming in C (coding)
Hangman Game Programming in C (coding)hasan0812
 
The Anatomy of an Exploit (NDC TechTown 2019)
The Anatomy of an Exploit (NDC TechTown 2019)The Anatomy of an Exploit (NDC TechTown 2019)
The Anatomy of an Exploit (NDC TechTown 2019)Patricia Aas
 
PyData Paris 2015 - Track 3.2 Serge Guelton et Pierrick Brunet
PyData Paris 2015 - Track 3.2 Serge Guelton et Pierrick Brunet PyData Paris 2015 - Track 3.2 Serge Guelton et Pierrick Brunet
PyData Paris 2015 - Track 3.2 Serge Guelton et Pierrick Brunet Pôle Systematic Paris-Region
 
Programming with GUTs
Programming with GUTsProgramming with GUTs
Programming with GUTsKevlin Henney
 
Java, Up to Date Sources
Java, Up to Date SourcesJava, Up to Date Sources
Java, Up to Date Sources輝 子安
 
The Art Of Parsing @ Devoxx France 2014
The Art Of Parsing @ Devoxx France 2014The Art Of Parsing @ Devoxx France 2014
The Art Of Parsing @ Devoxx France 2014Dinesh Bolkensteyn
 
Information Security Hands-On Breakout Session
Information Security Hands-On Breakout SessionInformation Security Hands-On Breakout Session
Information Security Hands-On Breakout SessionSplunk
 
A simple snake game project
A simple snake game projectA simple snake game project
A simple snake game projectAmit Kumar
 
TMPA-2017: Predicate Abstraction Based Configurable Method for Data Race Dete...
TMPA-2017: Predicate Abstraction Based Configurable Method for Data Race Dete...TMPA-2017: Predicate Abstraction Based Configurable Method for Data Race Dete...
TMPA-2017: Predicate Abstraction Based Configurable Method for Data Race Dete...Iosif Itkin
 
Ping pong game
Ping pong gamePing pong game
Ping pong gameAmit Kumar
 
E-Commerce Security - Application attacks - Server Attacks
E-Commerce Security - Application attacks - Server AttacksE-Commerce Security - Application attacks - Server Attacks
E-Commerce Security - Application attacks - Server Attacksphanleson
 
Down the rabbit hole, profiling in Django
Down the rabbit hole, profiling in DjangoDown the rabbit hole, profiling in Django
Down the rabbit hole, profiling in DjangoRemco Wendt
 

La actualidad más candente (20)

Bai Giang 11
Bai Giang 11Bai Giang 11
Bai Giang 11
 
Code obfuscation, php shells & more
Code obfuscation, php shells & moreCode obfuscation, php shells & more
Code obfuscation, php shells & more
 
CBSE, Grade12, Computer Science, Random Numbers - Notes
CBSE, Grade12, Computer Science, Random Numbers - NotesCBSE, Grade12, Computer Science, Random Numbers - Notes
CBSE, Grade12, Computer Science, Random Numbers - Notes
 
The Anatomy of an Exploit
The Anatomy of an ExploitThe Anatomy of an Exploit
The Anatomy of an Exploit
 
MongoDB Analytics
MongoDB AnalyticsMongoDB Analytics
MongoDB Analytics
 
Evgeniy Muralev, Mark Vince, Working with the compiler, not against it
Evgeniy Muralev, Mark Vince, Working with the compiler, not against itEvgeniy Muralev, Mark Vince, Working with the compiler, not against it
Evgeniy Muralev, Mark Vince, Working with the compiler, not against it
 
Hangman Game Programming in C (coding)
Hangman Game Programming in C (coding)Hangman Game Programming in C (coding)
Hangman Game Programming in C (coding)
 
The Anatomy of an Exploit (NDC TechTown 2019)
The Anatomy of an Exploit (NDC TechTown 2019)The Anatomy of an Exploit (NDC TechTown 2019)
The Anatomy of an Exploit (NDC TechTown 2019)
 
PyData Paris 2015 - Track 3.2 Serge Guelton et Pierrick Brunet
PyData Paris 2015 - Track 3.2 Serge Guelton et Pierrick Brunet PyData Paris 2015 - Track 3.2 Serge Guelton et Pierrick Brunet
PyData Paris 2015 - Track 3.2 Serge Guelton et Pierrick Brunet
 
Programming with GUTs
Programming with GUTsProgramming with GUTs
Programming with GUTs
 
Java, Up to Date Sources
Java, Up to Date SourcesJava, Up to Date Sources
Java, Up to Date Sources
 
The Art Of Parsing @ Devoxx France 2014
The Art Of Parsing @ Devoxx France 2014The Art Of Parsing @ Devoxx France 2014
The Art Of Parsing @ Devoxx France 2014
 
Information Security Hands-On Breakout Session
Information Security Hands-On Breakout SessionInformation Security Hands-On Breakout Session
Information Security Hands-On Breakout Session
 
A simple snake game project
A simple snake game projectA simple snake game project
A simple snake game project
 
TMPA-2017: Predicate Abstraction Based Configurable Method for Data Race Dete...
TMPA-2017: Predicate Abstraction Based Configurable Method for Data Race Dete...TMPA-2017: Predicate Abstraction Based Configurable Method for Data Race Dete...
TMPA-2017: Predicate Abstraction Based Configurable Method for Data Race Dete...
 
Ping pong game
Ping pong gamePing pong game
Ping pong game
 
Dalembert
DalembertDalembert
Dalembert
 
E-Commerce Security - Application attacks - Server Attacks
E-Commerce Security - Application attacks - Server AttacksE-Commerce Security - Application attacks - Server Attacks
E-Commerce Security - Application attacks - Server Attacks
 
Down the rabbit hole, profiling in Django
Down the rabbit hole, profiling in DjangoDown the rabbit hole, profiling in Django
Down the rabbit hole, profiling in Django
 
Software Exploits
Software ExploitsSoftware Exploits
Software Exploits
 

Destacado

Advice For Design Students... From A Few Years Out
Advice For Design Students... From A Few Years OutAdvice For Design Students... From A Few Years Out
Advice For Design Students... From A Few Years OutJohn Hanawalt
 
18 B E I N PÅ T U R
18 B E I N PÅ T U R18 B E I N PÅ T U R
18 B E I N PÅ T U RKnutstad
 
Computing powerpoint
Computing powerpointComputing powerpoint
Computing powerpointxbenzi
 
AIESEC UK Summer Opportunities
AIESEC UK Summer OpportunitiesAIESEC UK Summer Opportunities
AIESEC UK Summer OpportunitiesAdomas Baltagalvis
 
Demand-Driven Structural Testing with Dynamic Instrumentation (ICSE 2005)
Demand-Driven Structural Testing with Dynamic Instrumentation (ICSE 2005)Demand-Driven Structural Testing with Dynamic Instrumentation (ICSE 2005)
Demand-Driven Structural Testing with Dynamic Instrumentation (ICSE 2005)James Clause
 
Energy-directed Test Suite Optimization (GREENS 2013)
Energy-directed Test Suite Optimization (GREENS 2013)Energy-directed Test Suite Optimization (GREENS 2013)
Energy-directed Test Suite Optimization (GREENS 2013)James Clause
 
Digital Photography
Digital PhotographyDigital Photography
Digital Photographymrsmelissa
 
Effective Memory Protection Using Dynamic Tainting (ASE 2007)
Effective Memory Protection Using Dynamic Tainting (ASE 2007)Effective Memory Protection Using Dynamic Tainting (ASE 2007)
Effective Memory Protection Using Dynamic Tainting (ASE 2007)James Clause
 
SaugumasManPatinka.lt - Kaip kovoti su patyčiomis internete? - 27 lapkričio, ...
SaugumasManPatinka.lt - Kaip kovoti su patyčiomis internete? - 27 lapkričio, ...SaugumasManPatinka.lt - Kaip kovoti su patyčiomis internete? - 27 lapkričio, ...
SaugumasManPatinka.lt - Kaip kovoti su patyčiomis internete? - 27 lapkričio, ...Adomas Baltagalvis
 
Debugging Field Failures by Minimizing Captured Executions (ICSE 2009: NIER e...
Debugging Field Failures by Minimizing Captured Executions (ICSE 2009: NIER e...Debugging Field Failures by Minimizing Captured Executions (ICSE 2009: NIER e...
Debugging Field Failures by Minimizing Captured Executions (ICSE 2009: NIER e...James Clause
 
Investigating the Impacts of Web Servers on Web Application Energy Usage (GRE...
Investigating the Impacts of Web Servers on Web Application Energy Usage (GRE...Investigating the Impacts of Web Servers on Web Application Energy Usage (GRE...
Investigating the Impacts of Web Servers on Web Application Energy Usage (GRE...James Clause
 
Brand Engagement & Its Importance
Brand Engagement & Its ImportanceBrand Engagement & Its Importance
Brand Engagement & Its ImportanceJeffklein Glodove
 
Effective AIESEC info sessions
Effective AIESEC info sessionsEffective AIESEC info sessions
Effective AIESEC info sessionsAdomas Baltagalvis
 
How to Create Multi-Product Ads With Facebook Power Editor
How to Create Multi-Product Ads With Facebook Power EditorHow to Create Multi-Product Ads With Facebook Power Editor
How to Create Multi-Product Ads With Facebook Power EditorAdomas Baltagalvis
 
Event Management Company Profile
Event Management Company ProfileEvent Management Company Profile
Event Management Company ProfileShaikh Shoaib
 

Destacado (19)

Advice For Design Students... From A Few Years Out
Advice For Design Students... From A Few Years OutAdvice For Design Students... From A Few Years Out
Advice For Design Students... From A Few Years Out
 
18 B E I N PÅ T U R
18 B E I N PÅ T U R18 B E I N PÅ T U R
18 B E I N PÅ T U R
 
Computing powerpoint
Computing powerpointComputing powerpoint
Computing powerpoint
 
The Art of Customer Service
The Art of Customer ServiceThe Art of Customer Service
The Art of Customer Service
 
AIESEC UK Summer Opportunities
AIESEC UK Summer OpportunitiesAIESEC UK Summer Opportunities
AIESEC UK Summer Opportunities
 
Demand-Driven Structural Testing with Dynamic Instrumentation (ICSE 2005)
Demand-Driven Structural Testing with Dynamic Instrumentation (ICSE 2005)Demand-Driven Structural Testing with Dynamic Instrumentation (ICSE 2005)
Demand-Driven Structural Testing with Dynamic Instrumentation (ICSE 2005)
 
Powerful Presentations
Powerful PresentationsPowerful Presentations
Powerful Presentations
 
Energy-directed Test Suite Optimization (GREENS 2013)
Energy-directed Test Suite Optimization (GREENS 2013)Energy-directed Test Suite Optimization (GREENS 2013)
Energy-directed Test Suite Optimization (GREENS 2013)
 
Digital Photography
Digital PhotographyDigital Photography
Digital Photography
 
Effective Memory Protection Using Dynamic Tainting (ASE 2007)
Effective Memory Protection Using Dynamic Tainting (ASE 2007)Effective Memory Protection Using Dynamic Tainting (ASE 2007)
Effective Memory Protection Using Dynamic Tainting (ASE 2007)
 
SaugumasManPatinka.lt - Kaip kovoti su patyčiomis internete? - 27 lapkričio, ...
SaugumasManPatinka.lt - Kaip kovoti su patyčiomis internete? - 27 lapkričio, ...SaugumasManPatinka.lt - Kaip kovoti su patyčiomis internete? - 27 lapkričio, ...
SaugumasManPatinka.lt - Kaip kovoti su patyčiomis internete? - 27 lapkričio, ...
 
Debugging Field Failures by Minimizing Captured Executions (ICSE 2009: NIER e...
Debugging Field Failures by Minimizing Captured Executions (ICSE 2009: NIER e...Debugging Field Failures by Minimizing Captured Executions (ICSE 2009: NIER e...
Debugging Field Failures by Minimizing Captured Executions (ICSE 2009: NIER e...
 
Investigating the Impacts of Web Servers on Web Application Energy Usage (GRE...
Investigating the Impacts of Web Servers on Web Application Energy Usage (GRE...Investigating the Impacts of Web Servers on Web Application Energy Usage (GRE...
Investigating the Impacts of Web Servers on Web Application Energy Usage (GRE...
 
Brand Engagement & Its Importance
Brand Engagement & Its ImportanceBrand Engagement & Its Importance
Brand Engagement & Its Importance
 
Easy vpn
Easy vpnEasy vpn
Easy vpn
 
Effective AIESEC info sessions
Effective AIESEC info sessionsEffective AIESEC info sessions
Effective AIESEC info sessions
 
AIESEC Reintegration process
AIESEC Reintegration processAIESEC Reintegration process
AIESEC Reintegration process
 
How to Create Multi-Product Ads With Facebook Power Editor
How to Create Multi-Product Ads With Facebook Power EditorHow to Create Multi-Product Ads With Facebook Power Editor
How to Create Multi-Product Ads With Facebook Power Editor
 
Event Management Company Profile
Event Management Company ProfileEvent Management Company Profile
Event Management Company Profile
 

Similar a Leakpoint: Pinpointing the Causes of Memory Leaks (ICSE 2010)

NSC #2 - D2 06 - Richard Johnson - SAGEly Advice
NSC #2 - D2 06 - Richard Johnson - SAGEly AdviceNSC #2 - D2 06 - Richard Johnson - SAGEly Advice
NSC #2 - D2 06 - Richard Johnson - SAGEly AdviceNoSuchCon
 
Assignment on Numerical Method C Code
Assignment on Numerical Method C CodeAssignment on Numerical Method C Code
Assignment on Numerical Method C CodeSyed Ahmed Zaki
 
ภาษาซี
ภาษาซีภาษาซี
ภาษาซีkramsri
 
ภาษาซี
ภาษาซีภาษาซี
ภาษาซีkramsri
 
Python for Scientific Computing
Python for Scientific ComputingPython for Scientific Computing
Python for Scientific ComputingAlbert DeFusco
 
Rust concurrency tutorial 2015 12-02
Rust concurrency tutorial 2015 12-02Rust concurrency tutorial 2015 12-02
Rust concurrency tutorial 2015 12-02nikomatsakis
 
Distributed algorithms for big data @ GeeCon
Distributed algorithms for big data @ GeeConDistributed algorithms for big data @ GeeCon
Distributed algorithms for big data @ GeeConDuyhai Doan
 
Classical programming interview questions
Classical programming interview questionsClassical programming interview questions
Classical programming interview questionsGradeup
 
Unit 3 Input Output.pptx
Unit 3 Input Output.pptxUnit 3 Input Output.pptx
Unit 3 Input Output.pptxPrecise Mya
 
Static analysis and writing C/C++ of high quality code for embedded systems
Static analysis and writing C/C++ of high quality code for embedded systemsStatic analysis and writing C/C++ of high quality code for embedded systems
Static analysis and writing C/C++ of high quality code for embedded systemsAndrey Karpov
 
software-vulnerability-detectionPresentation
software-vulnerability-detectionPresentationsoftware-vulnerability-detectionPresentation
software-vulnerability-detectionPresentationClaude Goubet
 
Tokyo APAC Groundbreakers tour - The Complete Java Developer
Tokyo APAC Groundbreakers tour - The Complete Java DeveloperTokyo APAC Groundbreakers tour - The Complete Java Developer
Tokyo APAC Groundbreakers tour - The Complete Java DeveloperConnor McDonald
 
Basic c++ 11/14 for python programmers
Basic c++ 11/14 for python programmersBasic c++ 11/14 for python programmers
Basic c++ 11/14 for python programmersJen Yee Hong
 
Practical File of C Language
Practical File of C LanguagePractical File of C Language
Practical File of C LanguageRAJWANT KAUR
 

Similar a Leakpoint: Pinpointing the Causes of Memory Leaks (ICSE 2010) (20)

NSC #2 - D2 06 - Richard Johnson - SAGEly Advice
NSC #2 - D2 06 - Richard Johnson - SAGEly AdviceNSC #2 - D2 06 - Richard Johnson - SAGEly Advice
NSC #2 - D2 06 - Richard Johnson - SAGEly Advice
 
Assignment on Numerical Method C Code
Assignment on Numerical Method C CodeAssignment on Numerical Method C Code
Assignment on Numerical Method C Code
 
ภาษาซี
ภาษาซีภาษาซี
ภาษาซี
 
Marat-Slides
Marat-SlidesMarat-Slides
Marat-Slides
 
3
33
3
 
ภาษาซี
ภาษาซีภาษาซี
ภาษาซี
 
Python for Scientific Computing
Python for Scientific ComputingPython for Scientific Computing
Python for Scientific Computing
 
Rust concurrency tutorial 2015 12-02
Rust concurrency tutorial 2015 12-02Rust concurrency tutorial 2015 12-02
Rust concurrency tutorial 2015 12-02
 
Distributed algorithms for big data @ GeeCon
Distributed algorithms for big data @ GeeConDistributed algorithms for big data @ GeeCon
Distributed algorithms for big data @ GeeCon
 
Classical programming interview questions
Classical programming interview questionsClassical programming interview questions
Classical programming interview questions
 
Unit 3 Input Output.pptx
Unit 3 Input Output.pptxUnit 3 Input Output.pptx
Unit 3 Input Output.pptx
 
numdoc
numdocnumdoc
numdoc
 
Buffer OverFlow
Buffer OverFlowBuffer OverFlow
Buffer OverFlow
 
Static analysis and writing C/C++ of high quality code for embedded systems
Static analysis and writing C/C++ of high quality code for embedded systemsStatic analysis and writing C/C++ of high quality code for embedded systems
Static analysis and writing C/C++ of high quality code for embedded systems
 
C lab manaual
C lab manaualC lab manaual
C lab manaual
 
software-vulnerability-detectionPresentation
software-vulnerability-detectionPresentationsoftware-vulnerability-detectionPresentation
software-vulnerability-detectionPresentation
 
Tokyo APAC Groundbreakers tour - The Complete Java Developer
Tokyo APAC Groundbreakers tour - The Complete Java DeveloperTokyo APAC Groundbreakers tour - The Complete Java Developer
Tokyo APAC Groundbreakers tour - The Complete Java Developer
 
Basic c++ 11/14 for python programmers
Basic c++ 11/14 for python programmersBasic c++ 11/14 for python programmers
Basic c++ 11/14 for python programmers
 
3. chapter ii
3. chapter ii3. chapter ii
3. chapter ii
 
Practical File of C Language
Practical File of C LanguagePractical File of C Language
Practical File of C Language
 

Más de James Clause

Enabling and Supporting the Debugging of Field Failures (Job Talk)
Enabling and Supporting the Debugging of Field Failures (Job Talk)Enabling and Supporting the Debugging of Field Failures (Job Talk)
Enabling and Supporting the Debugging of Field Failures (Job Talk)James Clause
 
A Technique for Enabling and Supporting Debugging of Field Failures (ICSE 2007)
A Technique for Enabling and Supporting Debugging of Field Failures (ICSE 2007)A Technique for Enabling and Supporting Debugging of Field Failures (ICSE 2007)
A Technique for Enabling and Supporting Debugging of Field Failures (ICSE 2007)James Clause
 
Initial Explorations on Design Pattern Energy Usage (GREENS 12)
Initial Explorations on Design Pattern Energy Usage (GREENS 12)Initial Explorations on Design Pattern Energy Usage (GREENS 12)
Initial Explorations on Design Pattern Energy Usage (GREENS 12)James Clause
 
Enabling and Supporting the Debugging of Software Failures (PhD Defense)
Enabling and Supporting the Debugging of Software Failures (PhD Defense)Enabling and Supporting the Debugging of Software Failures (PhD Defense)
Enabling and Supporting the Debugging of Software Failures (PhD Defense)James Clause
 
Advanced Dynamic Analysis for Leak Detection (Apple Internship 2008)
Advanced Dynamic Analysis for Leak Detection (Apple Internship 2008)Advanced Dynamic Analysis for Leak Detection (Apple Internship 2008)
Advanced Dynamic Analysis for Leak Detection (Apple Internship 2008)James Clause
 
Penumbra: Automatically Identifying Failure-Relevant Inputs (ISSTA 2009)
Penumbra: Automatically Identifying Failure-Relevant Inputs (ISSTA 2009)Penumbra: Automatically Identifying Failure-Relevant Inputs (ISSTA 2009)
Penumbra: Automatically Identifying Failure-Relevant Inputs (ISSTA 2009)James Clause
 
Dytan: A Generic Dynamic Taint Analysis Framework (ISSTA 2007)
Dytan: A Generic Dynamic Taint Analysis Framework (ISSTA 2007)Dytan: A Generic Dynamic Taint Analysis Framework (ISSTA 2007)
Dytan: A Generic Dynamic Taint Analysis Framework (ISSTA 2007)James Clause
 
Camouflage: Automated Anonymization of Field Data (ICSE 2011)
Camouflage: Automated Anonymization of Field Data (ICSE 2011)Camouflage: Automated Anonymization of Field Data (ICSE 2011)
Camouflage: Automated Anonymization of Field Data (ICSE 2011)James Clause
 

Más de James Clause (8)

Enabling and Supporting the Debugging of Field Failures (Job Talk)
Enabling and Supporting the Debugging of Field Failures (Job Talk)Enabling and Supporting the Debugging of Field Failures (Job Talk)
Enabling and Supporting the Debugging of Field Failures (Job Talk)
 
A Technique for Enabling and Supporting Debugging of Field Failures (ICSE 2007)
A Technique for Enabling and Supporting Debugging of Field Failures (ICSE 2007)A Technique for Enabling and Supporting Debugging of Field Failures (ICSE 2007)
A Technique for Enabling and Supporting Debugging of Field Failures (ICSE 2007)
 
Initial Explorations on Design Pattern Energy Usage (GREENS 12)
Initial Explorations on Design Pattern Energy Usage (GREENS 12)Initial Explorations on Design Pattern Energy Usage (GREENS 12)
Initial Explorations on Design Pattern Energy Usage (GREENS 12)
 
Enabling and Supporting the Debugging of Software Failures (PhD Defense)
Enabling and Supporting the Debugging of Software Failures (PhD Defense)Enabling and Supporting the Debugging of Software Failures (PhD Defense)
Enabling and Supporting the Debugging of Software Failures (PhD Defense)
 
Advanced Dynamic Analysis for Leak Detection (Apple Internship 2008)
Advanced Dynamic Analysis for Leak Detection (Apple Internship 2008)Advanced Dynamic Analysis for Leak Detection (Apple Internship 2008)
Advanced Dynamic Analysis for Leak Detection (Apple Internship 2008)
 
Penumbra: Automatically Identifying Failure-Relevant Inputs (ISSTA 2009)
Penumbra: Automatically Identifying Failure-Relevant Inputs (ISSTA 2009)Penumbra: Automatically Identifying Failure-Relevant Inputs (ISSTA 2009)
Penumbra: Automatically Identifying Failure-Relevant Inputs (ISSTA 2009)
 
Dytan: A Generic Dynamic Taint Analysis Framework (ISSTA 2007)
Dytan: A Generic Dynamic Taint Analysis Framework (ISSTA 2007)Dytan: A Generic Dynamic Taint Analysis Framework (ISSTA 2007)
Dytan: A Generic Dynamic Taint Analysis Framework (ISSTA 2007)
 
Camouflage: Automated Anonymization of Field Data (ICSE 2011)
Camouflage: Automated Anonymization of Field Data (ICSE 2011)Camouflage: Automated Anonymization of Field Data (ICSE 2011)
Camouflage: Automated Anonymization of Field Data (ICSE 2011)
 

Último

Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Manik S Magar
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupFlorian Wilhelm
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenHervé Boutemy
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsMiki Katsuragi
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationSlibray Presentation
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxLoriGlavin3
 
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo DayH2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo DaySri Ambati
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningLars Bell
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024Lonnie McRorey
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLScyllaDB
 
Search Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfSearch Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfRankYa
 
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfHyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfPrecisely
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024Lorenzo Miniero
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Mattias Andersson
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Scott Keck-Warren
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfAlex Barbosa Coqueiro
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...Fwdays
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteDianaGray10
 

Último (20)

Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache Maven
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering Tips
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
 
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo DayH2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine Tuning
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 
Search Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfSearch Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdf
 
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfHyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
DMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special EditionDMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special Edition
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test Suite
 

Leakpoint: Pinpointing the Causes of Memory Leaks (ICSE 2010)

  • 1. LEAKPOINT: Pinpointing the Causes of Memory Leaks Georgia Institute of Technology James Clause and Alessandro Orso Supported in part by NSF and IBM Research
  • 3. Memory leak classification void *p = malloc(100); M
  • 4. Memory leak classification Lost memory Forgotten memory M becomes unreachable before being deallocated M is reachable, but is never accessed or deallocated void *p = malloc(100); M
  • 5. Memory leak classification Lost memory Forgotten memory M becomes unreachable before being deallocated M is reachable, but is never accessed or deallocated void *p = malloc(100); M
  • 6. Memory leak classification Lost memory Forgotten memory M becomes unreachable before being deallocated M is reachable, but is never accessed or deallocated void *p = malloc(100); M • common • difficult to manually detect • high impact
  • 7. Existing techniques mtrace M. Bond and K. McKinley ‘06 R. Hastings and B. Joyce ‘92 M. Hauswirth and T. Chilimbi. ‘04 D.Heine and M.Lam ‘03 D. Heine and M. Lam ‘06 M. Jump and K. McKinley ‘07 leaks J. Maebe, M. Ronsse, and K. D. Bosschere ‘04 N. Mitchell and G. Sevitsky ‘03 G. Novark, E. D. Berger, and B. G. Zorn ‘09 M. Orlovich and R. Rugina ‘06 F. Qin, S. Lu, and Y. Zhou ‘05 MemCheck Y. Xie and A. Aiken ‘05 G. Xu and A. Rountev ‘08 S. Cherem, L. Princehouse, and R. Rugina ‘06 W. DePauw and G. Sevitsky ’99 purify Publications Tools
  • 8. addhash(char hname[]) { 35. int i; 36. HASHPTR hptr; 37. unsigned int hsum = 0; 38. for(i = 0 ; i < strlen(hname) ; i++) { 39. sum += (unsigned int) hname[i]; 40. } 41. hsum %= 3001; 42. if((hptr = hashtab[hsum]) == (HASHPTR) NULL) { 43. hptr = hashtab[hsum] = (HASHPTR) malloc(sizeof(HASHBOX)); 44. hptr->hnext = (HASHPTR) NULL; 45. hptr->hnum = ++netctr; 46. hptr->hname = (char *) malloc((strlen(hname) + 1) * ! ! ! ! ! ! ! ! ! ! sizeof(char)); 47. sprintf(hptr->hname , "%s" , hname); 48. return(1); 49. } else { ! ... 67. } } Detecting leaks is easy
  • 9. addhash(char hname[]) { 35. int i; 36. HASHPTR hptr; 37. unsigned int hsum = 0; 38. for(i = 0 ; i < strlen(hname) ; i++) { 39. sum += (unsigned int) hname[i]; 40. } 41. hsum %= 3001; 42. if((hptr = hashtab[hsum]) == (HASHPTR) NULL) { 43. hptr = hashtab[hsum] = (HASHPTR) malloc(sizeof(HASHBOX)); 44. hptr->hnext = (HASHPTR) NULL; 45. hptr->hnum = ++netctr; 46. hptr->hname = (char *) malloc((strlen(hname) + 1) * ! ! ! ! ! ! ! ! ! ! sizeof(char)); 47. sprintf(hptr->hname , "%s" , hname); 48. return(1); 49. } else { ! ... 67. } } Detecting leaks is easy
  • 10. addhash(char hname[]) { 35. int i; 36. HASHPTR hptr; 37. unsigned int hsum = 0; 38. for(i = 0 ; i < strlen(hname) ; i++) { 39. sum += (unsigned int) hname[i]; 40. } 41. hsum %= 3001; 42. if((hptr = hashtab[hsum]) == (HASHPTR) NULL) { 43. hptr = hashtab[hsum] = (HASHPTR) malloc(sizeof(HASHBOX)); 44. hptr->hnext = (HASHPTR) NULL; 45. hptr->hnum = ++netctr; 46. hptr->hname = (char *) malloc((strlen(hname) + 1) * ! ! ! ! ! ! ! ! ! ! sizeof(char)); 47. sprintf(hptr->hname , "%s" , hname); 48. return(1); 49. } else { ! ... 67. } } Detecting leaks is easy; fixing them is not
  • 14. Overview Leak locations are close to where leaks should be fixed.
  • 15. Overview 1 Tainting pointers Leak locations are close to where leaks should be fixed.
  • 16. Overview 1 Tainting pointers Leak locations are close to where leaks should be fixed.
  • 17. Overview 1 Tainting pointers 2 Propagating taint marks Leak locations are close to where leaks should be fixed.
  • 18. Overview 1 Tainting pointers 2 Propagating taint marks Leak locations are close to where leaks should be fixed.
  • 19. Overview 1 Tainting pointers 2 Propagating taint marks 3 Identifying when leaks occur Leak locations are close to where leaks should be fixed.
  • 20. Overview 1 Tainting pointers 2 Propagating taint marks 3 Identifying when leaks occur Leak locations are close to where leaks should be fixed.
  • 21. addhash(char hname[]) { 35. int i; 36. HASHPTR hptr; 37. unsigned int hsum = 0; 38. for(i = 0 ; i < strlen(hname) ; i++) { 39. sum += (unsigned int) hname[i]; 40. } 41. hsum %= 3001; 42. if((hptr = hashtab[hsum]) == (HASHPTR) NULL) { 43. hptr = hashtab[hsum] = (HASHPTR) malloc(sizeof(HASHBOX)); 44. hptr->hnext = (HASHPTR) NULL; 45. hptr->hnum = ++netctr; 46. hptr->hname = (char *) malloc((strlen(hname) + 1) * ! ! ! ! ! ! ! ! ! ! sizeof(char)); 47. sprintf(hptr->hname , "%s" , hname); 48. return(1); 49. } else { ! ... 67. } } Detecting leaks is easy
  • 22. 46. hptr->hname = (char *) malloc((strlen(hname) + 1) * ! ! ! ! ! ! ! ! ! ! sizeof(char)); delHtab() { 15. int i; 16. HASHPTR hptr , zapptr; 17. for(i = 0; i < 3001; i++) { 18. hptr = hashtab[i]; 19. if(hptr != (HASHPTR) NULL) { 20. zapptr = hptr ; 21. while(hptr->hnext != (HASHPTR) NULL) { 22.! ! hptr = hptr->hnext; 23.! ! free(zapptr); 24.! ! zapptr = hptr ; 25.! ! } 26.! ! free(hptr); 27.! } 28. }! 29. free(hashtab); 30. return; } Detecting leaks is easy
  • 23. 46. hptr->hname = (char *) malloc((strlen(hname) + 1) * ! ! ! ! ! ! ! ! ! ! sizeof(char)); Detecting leaks is easy; fixing them is too delHtab() { 15. int i; 16. HASHPTR hptr , zapptr; 17. for(i = 0; i < 3001; i++) { 18. hptr = hashtab[i]; 19. if(hptr != (HASHPTR) NULL) { 20. zapptr = hptr ; 21. while(hptr->hnext != (HASHPTR) NULL) { 22.! ! hptr = hptr->hnext; 23.! ! free(zapptr); 24.! ! zapptr = hptr ; 25.! ! } 26.! ! free(hptr); 27.! } 28. }! 29. free(hashtab); 30. return; }
  • 24. 46. hptr->hname = (char *) malloc((strlen(hname) + 1) * ! ! ! ! ! ! ! ! ! ! sizeof(char)); Detecting leaks is easy; fixing them is too delHtab() { 15. int i; 16. HASHPTR hptr , zapptr; 17. for(i = 0; i < 3001; i++) { 18. hptr = hashtab[i]; 19. if(hptr != (HASHPTR) NULL) { 20. zapptr = hptr ; 21. while(hptr->hnext != (HASHPTR) NULL) { 22.! ! hptr = hptr->hnext; 23.! ! free(zapptr); 24.! ! zapptr = hptr ; 25.! ! } 26.! ! free(hptr); 27.! } 28. }! 29. free(hashtab); 30. return; } free(hptr->hname);
  • 25. Outline • Our technique • Tainting pointers • Tracking pointers • Checking for leaks • Implementation • Evaluation • Conclusions and future work
  • 26. 1.Tainting pointers Assign a taint mark to pointers returned from allocation functions (e.g., malloc)
  • 27. 1.Tainting pointers Assign a taint mark to pointers returned from allocation functions (e.g., malloc)
  • 28. 1.Tainting pointers Last use location Allocation location Allocation size Deallocated indicator Pointer count Assign a taint mark to pointers returned from allocation functions (e.g., malloc) Metadata
  • 29. 1.Tainting pointers Last use location Allocation location Allocation size Deallocated indicator Pointer count Assign a taint mark to pointers returned from allocation functions (e.g., malloc) current location current location false size of the memory area 1 Metadata Initialized to
  • 31. 2. Propagating taint marks 1.Track the flow of pointers throughout the execution
  • 32. 2. Propagating taint marks 1.Track the flow of pointers throughout the execution
  • 33. 2. Propagating taint marks 1.Track the flow of pointers throughout the execution
  • 34. 2. Propagating taint marks 1.Track the flow of pointers throughout the execution 2. Update taint marks’ mutable metadata
  • 36. p2 = p1 ➔ p2 p2 = p1 ➔ p2 p2 = p2 ± 1 ➔ p2 p3 = p2 ± p1 ➔ p3 p2 = p2 & 0xffff ➔ p2 not tainted Tracking pointers assignment addition subtraction and multiplication division modulus or, xor, shift, not comparison
  • 37. p2 = p1 ➔ p2 p2 = p1 ➔ p2 p2 = p2 ± 1 ➔ p2 p3 = p2 ± p1 ➔ p3 p2 = p2 & 0xffff ➔ p2 not tainted Tracking pointers assignment addition subtraction and multiplication division modulus or, xor, shift, not comparison
  • 38. p2 = p1 ➔ p2 p2 = p1 ➔ p2 p2 = p2 ± 1 ➔ p2 p3 = p2 ± p1 ➔ p3 p2 = p2 & 0xffff ➔ p2 not tainted Tracking pointers assignment addition subtraction and multiplication division modulus or, xor, shift, not comparison
  • 39. p2 = p1 ➔ p2 p2 = p1 ➔ p2 p2 = p2 ± 1 ➔ p2 p3 = p2 ± p1 ➔ p3 p2 = p2 & 0xffff ➔ p2 not tainted Tracking pointers assignment addition subtraction and multiplication division modulus or, xor, shift, not comparison
  • 40. p2 = p1 ➔ p2 p2 = p1 ➔ p2 p2 = p2 ± 1 ➔ p2 p3 = p2 ± p1 ➔ p3 p2 = p2 & 0xffff ➔ p2 not tainted Tracking pointers assignment addition subtraction and multiplication division modulus or, xor, shift, not comparison
  • 41. p2 = p1 ➔ p2 p2 = p1 ➔ p2 p2 = p2 ± 1 ➔ p2 p3 = p2 ± p1 ➔ p3 p2 = p2 & 0xffff ➔ p2 not tainted Tracking pointers assignment addition subtraction and multiplication division modulus or, xor, shift, not comparison
  • 42. p2 = p1 ➔ p2 p2 = p1 ➔ p2 p2 = p2 ± 1 ➔ p2 p3 = p2 ± p1 ➔ p3 p2 = p2 & 0xffff ➔ p2 not tainted Tracking pointers Based on domain knowledge and expertise assignment addition subtraction and multiplication division modulus or, xor, shift, not comparison
  • 45. Pointer Counts • Assignment: increment the count of the pointer that is copied, decrement the count of the pointer that is overwritten Update metadata (1)
  • 46. Pointer Counts • Assignment: increment the count of the pointer that is copied, decrement the count of the pointer that is overwritten Update metadata (1) ptr3 = ptr1 ➔ ptr3 , ptr11 2 2 ptr1 = NULL ➔ ptr1 , ptr32 1
  • 47. Pointer Counts • Assignment: increment the count of the pointer that is copied, decrement the count of the pointer that is overwritten • Function return: decrement the count of pointers stored in local variables Update metadata (1) ptr3 = ptr1 ➔ ptr3 , ptr11 2 2 ptr1 = NULL ➔ ptr1 , ptr32 1
  • 48. Pointer Counts • Assignment: increment the count of the pointer that is copied, decrement the count of the pointer that is overwritten • Function return: decrement the count of pointers stored in local variables • Memory deallocation: decrement the count of pointers reachable from the deallocated memory Update metadata (1) ptr3 = ptr1 ➔ ptr3 , ptr11 2 2 ptr1 = NULL ➔ ptr1 , ptr32 1
  • 51. Deallocation indicator • Set to true when a pointer is passed to a deallocation function (e.g., free) Update metadata (2)
  • 52. Deallocation indicator • Set to true when a pointer is passed to a deallocation function (e.g., free) Last use location Update metadata (2)
  • 53. Deallocation indicator • Set to true when a pointer is passed to a deallocation function (e.g., free) Last use location • Set to the current location whenever a pointer is - propagated - passed as a function argument - returned from a function - used to access memory Update metadata (2)
  • 54. 3. Identifying when leaks occur
  • 55. 3. Identifying when leaks occur Lost memory Forgotten memory If a taint mark’s pointer count is zero and it’s deallocated indicator is false If, at the end of execution, a taint mark’s deallocated indicator is false
  • 56. 3. Identifying when leaks occur Lost memory Forgotten memory If a taint mark’s pointer count is zero and it’s deallocated indicator is false If, at the end of execution, a taint mark’s deallocated indicator is false
  • 57. 3. Identifying when leaks occur Lost memory Forgotten memory If a taint mark’s pointer count is zero and it’s deallocated indicator is false If, at the end of execution, a taint mark’s deallocated indicator is false (Checks are recursive)
  • 58. 3. Identifying when leaks occur Lost memory Forgotten memory If a taint mark’s pointer count is zero and it’s deallocated indicator is false If, at the end of execution, a taint mark’s deallocated indicator is false Generate a leak report: • allocation location, allocation size, and last use location (Checks are recursive)
  • 59. 3. Identifying when leaks occur Lost memory Forgotten memory If a taint mark’s pointer count is zero and it’s deallocated indicator is false If, at the end of execution, a taint mark’s deallocated indicator is false Generate a leak report: • allocation location, allocation size, and last use location Merge leak reports: • combine reports with identical allocation and last use locations, add allocation sizes (Checks are recursive)
  • 62. Prototype tool 16 bytes of memory allocated:   at malloc   by addhash (hash.c:50) by parser (parser.c:210) by readcell (parser.c:34)   by main (main.c:98)   was leaked:    at free    by delHtab (hash.c:28)    by grdcell(grdcell.c:354)    by main (main.c:227) Implemented usingValgrind
  • 63. Prototype tool 16 bytes of memory allocated:   at malloc   by addhash (hash.c:50) by parser (parser.c:210) by readcell (parser.c:34)   by main (main.c:98)   was leaked:    at free    by delHtab (hash.c:28)    by grdcell(grdcell.c:354)    by main (main.c:227) Implemented usingValgrind
  • 64. Prototype tool 16 bytes of memory allocated:   at malloc   by addhash (hash.c:50) by parser (parser.c:210) by readcell (parser.c:34)   by main (main.c:98)   was leaked:    at free    by delHtab (hash.c:28)    by grdcell(grdcell.c:354)    by main (main.c:227) Implemented usingValgrind
  • 65. Prototype tool 16 bytes of memory allocated:   at malloc   by addhash (hash.c:50) by parser (parser.c:210) by readcell (parser.c:34)   by main (main.c:98)   was leaked:    at free    by delHtab (hash.c:28)    by grdcell(grdcell.c:354)    by main (main.c:227) Implemented usingValgrind Can be used to prioritize debugging effort
  • 66. Evaluation How does Leakpoint’s ability to detect memory leaks compare to existing tools? How effective is Leakpoint at guiding developers to the locations where memory leaks may be fixed?
  • 67. RQ1: Comparison with existing tools
  • 68. Subjects 164.gzip 4 1 4 4 175.vpr 47 0 47 47 176.gcc 1121 406 (1415) 1121 1121 181.mcf 0 0 0 0 186.crafty 37 0 37 37 197.parser 2 0 2 2 252.eon 380 380 380 380 253.perlbmk 3481 0 (2) 3481 536 254.gap 2 0 (2) 2 2 255.vortex 15 1 15 15 256.bzip2 10 1 10 10 300.twolf 1403 68 (3) 1403 1403 RQ1: Comparison with existing tools
  • 69. Subjects 164.gzip 4 1 4 4 175.vpr 47 0 47 47 176.gcc 1121 406 (1415) 1121 1121 181.mcf 0 0 0 0 186.crafty 37 0 37 37 197.parser 2 0 2 2 252.eon 380 380 380 380 253.perlbmk 3481 0 (2) 3481 536 254.gap 2 0 (2) 2 2 255.vortex 15 1 15 15 256.bzip2 10 1 10 10 300.twolf 1403 68 (3) 1403 1403 RQ1: Comparison with existing tools Leakpoint
  • 70. Subjects 164.gzip 4 1 4 4 175.vpr 47 0 47 47 176.gcc 1121 406 (1415) 1121 1121 181.mcf 0 0 0 0 186.crafty 37 0 37 37 197.parser 2 0 2 2 252.eon 380 380 380 380 253.perlbmk 3481 0 (2) 3481 536 254.gap 2 0 (2) 2 2 255.vortex 15 1 15 15 256.bzip2 10 1 10 10 300.twolf 1403 68 (3) 1403 1403 RQ1: Comparison with existing tools omegaLeakpoint
  • 71. Subjects 164.gzip 4 1 4 4 175.vpr 47 0 47 47 176.gcc 1121 406 (1415) 1121 1121 181.mcf 0 0 0 0 186.crafty 37 0 37 37 197.parser 2 0 2 2 252.eon 380 380 380 380 253.perlbmk 3481 0 (2) 3481 536 254.gap 2 0 (2) 2 2 255.vortex 15 1 15 15 256.bzip2 10 1 10 10 300.twolf 1403 68 (3) 1403 1403 RQ1: Comparison with existing tools omega MemCheckLeakpoint
  • 72. Subjects 164.gzip 4 1 4 4 175.vpr 47 0 47 47 176.gcc 1121 406 (1415) 1121 1121 181.mcf 0 0 0 0 186.crafty 37 0 37 37 197.parser 2 0 2 2 252.eon 380 380 380 380 253.perlbmk 3481 0 (2) 3481 536 254.gap 2 0 (2) 2 2 255.vortex 15 1 15 15 256.bzip2 10 1 10 10 300.twolf 1403 68 (3) 1403 1403 RQ1: Comparison with existing tools mtraceomega MemCheckLeakpoint
  • 73. Leak detectionLeak identificationSubjects 164.gzip 4 1 4 4 175.vpr 47 0 47 47 176.gcc 1121 406 (1415) 1121 1121 181.mcf 0 0 0 0 186.crafty 37 0 37 37 197.parser 2 0 2 2 252.eon 380 380 380 380 253.perlbmk 3481 0 (2) 3481 536 254.gap 2 0 (2) 2 2 255.vortex 15 1 15 15 256.bzip2 10 1 10 10 300.twolf 1403 68 (3) 1403 1403 RQ1: Comparison with existing tools mtraceomega MemCheckLeakpoint
  • 74. Subjects 164.gzip 4 1 4 4 175.vpr 47 0 47 47 176.gcc 1121 406 (1415) 1121 1121 181.mcf 0 0 0 0 186.crafty 37 0 37 37 197.parser 2 0 2 2 252.eon 380 380 380 380 253.perlbmk 3481 0 (2) 3481 536 254.gap 2 0 (2) 2 2 255.vortex 15 1 15 15 256.bzip2 10 1 10 10 300.twolf 1403 68 (3) 1403 1403 RQ1: Comparison with existing tools mtraceomega MemCheckLeakpoint
  • 75. # Detected memory leaks (# false positives)Subjects 164.gzip 4 1 4 4 175.vpr 47 0 47 47 176.gcc 1121 406 (1415) 1121 1121 181.mcf 0 0 0 0 186.crafty 37 0 37 37 197.parser 2 0 2 2 252.eon 380 380 380 380 253.perlbmk 3481 0 (2) 3481 536 254.gap 2 0 (2) 2 2 255.vortex 15 1 15 15 256.bzip2 10 1 10 10 300.twolf 1403 68 (3) 1403 1403 RQ1: Comparison with existing tools mtraceomega MemCheckLeakpoint
  • 76. # Detected memory leaks (# false positives)Subjects 164.gzip 4 1 4 4 175.vpr 47 0 47 47 176.gcc 1121 406 (1415) 1121 1121 181.mcf 0 0 0 0 186.crafty 37 0 37 37 197.parser 2 0 2 2 252.eon 380 380 380 380 253.perlbmk 3481 0 (2) 3481 536 254.gap 2 0 (2) 2 2 255.vortex 15 1 15 15 256.bzip2 10 1 10 10 300.twolf 1403 68 (3) 1403 1403 RQ1: Comparison with existing tools mtraceomega MemCheckLeakpoint
  • 77. # Detected memory leaks (# false positives)Subjects 164.gzip 4 1 4 4 175.vpr 47 0 47 47 176.gcc 1121 406 (1415) 1121 1121 181.mcf 0 0 0 0 186.crafty 37 0 37 37 197.parser 2 0 2 2 252.eon 380 380 380 380 253.perlbmk 3481 0 (2) 3481 536 254.gap 2 0 (2) 2 2 255.vortex 15 1 15 15 256.bzip2 10 1 10 10 300.twolf 1403 68 (3) 1403 1403 RQ1: Comparison with existing tools mtraceomega MemCheckLeakpoint
  • 78. # Detected memory leaks (# false positives)Subjects 164.gzip 4 1 4 4 175.vpr 47 0 47 47 176.gcc 1121 406 (1415) 1121 1121 181.mcf 0 0 0 0 186.crafty 37 0 37 37 197.parser 2 0 2 2 252.eon 380 380 380 380 253.perlbmk 3481 0 (2) 3481 536 254.gap 2 0 (2) 2 2 255.vortex 15 1 15 15 256.bzip2 10 1 10 10 300.twolf 1403 68 (3) 1403 1403 RQ1: Comparison with existing tools mtraceomega MemCheckLeakpoint
  • 79. # Detected memory leaks (# false positives)Subjects 164.gzip 4 1 4 4 175.vpr 47 0 47 47 176.gcc 1121 406 (1415) 1121 1121 181.mcf 0 0 0 0 186.crafty 37 0 37 37 197.parser 2 0 2 2 252.eon 380 380 380 380 253.perlbmk 3481 0 (2) 3481 536 254.gap 2 0 (2) 2 2 255.vortex 15 1 15 15 256.bzip2 10 1 10 10 300.twolf 1403 68 (3) 1403 1403 RQ1: Comparison with existing tools mtraceomega MemCheckLeakpoint Leakpoint is at least as effective as existing tools at detecting memory leaks
  • 80. RQ2: Effectiveness at guiding developers Compare the leak locations identified by Leakpoint with the locations where the leaks were fixed by the original application developers.
  • 81. RQ2: Effectiveness at guiding developers Compare the leak locations identified by Leakpoint with the locations where the leaks were fixed by the original application developers. Transmission
  • 82. RQ2: Effectiveness at guiding developers Compare the leak locations identified by Leakpoint with the locations where the leaks were fixed by the original application developers. Transmission
  • 83. RQ2: Effectiveness at guiding developers Compare the leak locations identified by Leakpoint with the locations where the leaks were fixed by the original application developers. Transmission
  • 84. RQ2: Effectiveness at guiding developers Compare the leak locations identified by Leakpoint with the locations where the leaks were fixed by the original application developers. Transmission 4 memory leaks total
  • 85. static void processCompletedTasks(tr_web *web) { ... task->done_func(web->session, ..., task->done_func_user_data); ... evbuffer_free(task->response); tr_free(task->url); tr_free(task); ... } Transmission static void invokeRequest(void * vreq) { ... hash = tr_new0(uint8_t, SHA_DIGEST_LENGTH); memcpy(hash, req->torrent_hash, SHA_DIGEST_LENGTH); tr_webRun(req->session, req->url, req->done_func, hash); ... }
  • 86. static void processCompletedTasks(tr_web *web) { ... task->done_func(web->session, ..., task->done_func_user_data); ... evbuffer_free(task->response); tr_free(task->url); tr_free(task); ... } Transmission static void invokeRequest(void * vreq) { ... hash = tr_new0(uint8_t, SHA_DIGEST_LENGTH); memcpy(hash, req->torrent_hash, SHA_DIGEST_LENGTH); tr_webRun(req->session, req->url, req->done_func, hash); ... } static void onStoppedResponse(tr_session *session, ..., void *torrent_hash) { dbgmsg(NULL, "got a response ... message"); onReqDone(session); } // tr_free(torrent_hash);
  • 87. static void processCompletedTasks(tr_web *web) { ... task->done_func(web->session, ..., task->done_func_user_data); ... evbuffer_free(task->response); tr_free(task->url); tr_free(task); ... } Transmission static void invokeRequest(void * vreq) { ... hash = tr_new0(uint8_t, SHA_DIGEST_LENGTH); memcpy(hash, req->torrent_hash, SHA_DIGEST_LENGTH); tr_webRun(req->session, req->url, req->done_func, hash); ... } static void onStoppedResponse(tr_session *session, ..., void *torrent_hash) { dbgmsg(NULL, "got a response ... message"); onReqDone(session); } // tr_free(torrent_hash); Distance: 6 statements
  • 88. URIHANDLER_FUNC(mod_rewrite_uri_handler) { ... hctx = handler_ctx_init(); con->plugin_ctx[p->id] = hctx; ... } Lighttpd 1
  • 89. URIHANDLER_FUNC(mod_rewrite_uri_handler) { ... hctx = handler_ctx_init(); con->plugin_ctx[p->id] = hctx; ... } Lighttpd 1 // if(con->plugin_ctx[p->id] == NULL) { // } // else { // hctx = con->plugin_ctx[p->id]; // }
  • 90. URIHANDLER_FUNC(mod_rewrite_uri_handler) { ... hctx = handler_ctx_init(); con->plugin_ctx[p->id] = hctx; ... } Lighttpd 1 // if(con->plugin_ctx[p->id] == NULL) { // } // else { // hctx = con->plugin_ctx[p->id]; // } Distance: overlapping
  • 91. int http_request_parse(server *srv, connection *con) { ... if(NULL == (ds = (data_string *)array_get_unused_element( con->request.headers, TYPE_STRING))) { ds = data_string_init(); } ... else if (cmp > 0 && 0 == (cmp = buffer_caseless_compare(CONST_BUF_LEN(ds->key), CONST_STR_LEN("Content-Length")))) { char *err unsigned long int r; size_t j if (con_length_set) { con->http_status = 400; con->keep_alive = 0; if(srv->srvconf.log_request_header_on_error) { log_error_write(srv, __FILE__, __LINE__, "s", "duplicate ..."); log_error_write(srv, __FILE__, __LINE__, "Sb", "request-header:n", con->request.request); } return 0; } ... } Lighttpd 2
  • 92. int http_request_parse(server *srv, connection *con) { ... if(NULL == (ds = (data_string *)array_get_unused_element( con->request.headers, TYPE_STRING))) { ds = data_string_init(); } ... else if (cmp > 0 && 0 == (cmp = buffer_caseless_compare(CONST_BUF_LEN(ds->key), CONST_STR_LEN("Content-Length")))) { char *err unsigned long int r; size_t j if (con_length_set) { con->http_status = 400; con->keep_alive = 0; if(srv->srvconf.log_request_header_on_error) { log_error_write(srv, __FILE__, __LINE__, "s", "duplicate ..."); log_error_write(srv, __FILE__, __LINE__, "Sb", "request-header:n", con->request.request); } return 0; } ... } Lighttpd 2 // array_insert_unique(con->request.headers, (data_unset *)ds);
  • 93. int http_request_parse(server *srv, connection *con) { ... if(NULL == (ds = (data_string *)array_get_unused_element( con->request.headers, TYPE_STRING))) { ds = data_string_init(); } ... else if (cmp > 0 && 0 == (cmp = buffer_caseless_compare(CONST_BUF_LEN(ds->key), CONST_STR_LEN("Content-Length")))) { char *err unsigned long int r; size_t j if (con_length_set) { con->http_status = 400; con->keep_alive = 0; if(srv->srvconf.log_request_header_on_error) { log_error_write(srv, __FILE__, __LINE__, "s", "duplicate ..."); log_error_write(srv, __FILE__, __LINE__, "Sb", "request-header:n", con->request.request); } return 0; } ... } Lighttpd 2 // array_insert_unique(con->request.headers, (data_unset *)ds); Distance: 1 statement
  • 94. static struct spelling *spelling_base; static void push_string(char *string) { ... spelling_base = xmalloc(spelling_size * sizeof(struct spelling)); ... } void finish_init() { ... constructor_decl = p->decl; ... spelling_base = p->spelling_base; ... } GCC
  • 95. static struct spelling *spelling_base; static void push_string(char *string) { ... spelling_base = xmalloc(spelling_size * sizeof(struct spelling)); ... } void finish_init() { ... constructor_decl = p->decl; ... spelling_base = p->spelling_base; ... } GCC // free(spelling_base);
  • 96. static struct spelling *spelling_base; static void push_string(char *string) { ... spelling_base = xmalloc(spelling_size * sizeof(struct spelling)); ... } void finish_init() { ... constructor_decl = p->decl; ... spelling_base = p->spelling_base; ... } GCC // free(spelling_base); Distance: 10 statements*
  • 97. Summary • A new technique for identifying where memory leaks occur • at least as effective as existing techniques at detecting memory leaks • helpful in guiding developers to the locations where memory leaks should be fixed
  • 102. Questions? 1 Tainting pointers 2 Propagating taint marks 3 Identifying when leaks occur