Take control of your SAP testing with UiPath Test Suite
Leakpoint: Pinpointing the Causes of Memory Leaks (ICSE 2010)
1. LEAKPOINT: Pinpointing the
Causes of Memory Leaks
Georgia Institute of Technology
James Clause and Alessandro Orso
Supported in part by NSF and IBM Research
4. Memory leak classification
Lost memory Forgotten memory
M becomes unreachable
before being deallocated
M is reachable, but is never
accessed or deallocated
void *p = malloc(100); M
5. Memory leak classification
Lost memory Forgotten memory
M becomes unreachable
before being deallocated
M is reachable, but is never
accessed or deallocated
void *p = malloc(100); M
6. Memory leak classification
Lost memory Forgotten memory
M becomes unreachable
before being deallocated
M is reachable, but is never
accessed or deallocated
void *p = malloc(100); M
• common
• difficult to manually detect
• high impact
7. Existing techniques
mtrace
M. Bond and K. McKinley ‘06
R. Hastings and B. Joyce ‘92
M. Hauswirth and T. Chilimbi. ‘04
D.Heine and M.Lam ‘03
D. Heine and M. Lam ‘06
M. Jump and K. McKinley ‘07
leaks
J. Maebe, M. Ronsse, and K. D. Bosschere ‘04
N. Mitchell and G. Sevitsky ‘03
G. Novark, E. D. Berger, and B. G. Zorn ‘09
M. Orlovich and R. Rugina ‘06
F. Qin, S. Lu, and Y. Zhou ‘05
MemCheck
Y. Xie and A. Aiken ‘05
G. Xu and A. Rountev ‘08
S. Cherem, L. Princehouse, and R. Rugina ‘06
W. DePauw and G. Sevitsky ’99
purify
Publications Tools
28. 1.Tainting pointers
Last use location
Allocation location
Allocation size
Deallocated indicator
Pointer count
Assign a taint mark to pointers returned from
allocation functions (e.g., malloc)
Metadata
29. 1.Tainting pointers
Last use location
Allocation location
Allocation size
Deallocated indicator
Pointer count
Assign a taint mark to pointers returned from
allocation functions (e.g., malloc)
current location
current location
false
size of the memory area
1
Metadata Initialized to
45. Pointer Counts
• Assignment: increment the count of the pointer that
is copied, decrement the count of the pointer that is
overwritten
Update metadata (1)
46. Pointer Counts
• Assignment: increment the count of the pointer that
is copied, decrement the count of the pointer that is
overwritten
Update metadata (1)
ptr3 = ptr1 ➔ ptr3 , ptr11 2 2
ptr1 = NULL ➔ ptr1 , ptr32 1
47. Pointer Counts
• Assignment: increment the count of the pointer that
is copied, decrement the count of the pointer that is
overwritten
• Function return: decrement the count of pointers
stored in local variables
Update metadata (1)
ptr3 = ptr1 ➔ ptr3 , ptr11 2 2
ptr1 = NULL ➔ ptr1 , ptr32 1
48. Pointer Counts
• Assignment: increment the count of the pointer that
is copied, decrement the count of the pointer that is
overwritten
• Function return: decrement the count of pointers
stored in local variables
• Memory deallocation: decrement the count of
pointers reachable from the deallocated memory
Update metadata (1)
ptr3 = ptr1 ➔ ptr3 , ptr11 2 2
ptr1 = NULL ➔ ptr1 , ptr32 1
51. Deallocation indicator
• Set to true when a pointer is passed to a deallocation
function (e.g., free)
Update metadata (2)
52. Deallocation indicator
• Set to true when a pointer is passed to a deallocation
function (e.g., free)
Last use location
Update metadata (2)
53. Deallocation indicator
• Set to true when a pointer is passed to a deallocation
function (e.g., free)
Last use location
• Set to the current location whenever a pointer is
- propagated
- passed as a function argument
- returned from a function
- used to access memory
Update metadata (2)
55. 3. Identifying when leaks occur
Lost memory Forgotten memory
If a taint mark’s pointer count
is zero and it’s deallocated
indicator is false
If, at the end of execution, a
taint mark’s deallocated
indicator is false
56. 3. Identifying when leaks occur
Lost memory Forgotten memory
If a taint mark’s pointer count
is zero and it’s deallocated
indicator is false
If, at the end of execution, a
taint mark’s deallocated
indicator is false
57. 3. Identifying when leaks occur
Lost memory Forgotten memory
If a taint mark’s pointer count
is zero and it’s deallocated
indicator is false
If, at the end of execution, a
taint mark’s deallocated
indicator is false
(Checks are recursive)
58. 3. Identifying when leaks occur
Lost memory Forgotten memory
If a taint mark’s pointer count
is zero and it’s deallocated
indicator is false
If, at the end of execution, a
taint mark’s deallocated
indicator is false
Generate a leak report:
• allocation location, allocation size, and last use location
(Checks are recursive)
59. 3. Identifying when leaks occur
Lost memory Forgotten memory
If a taint mark’s pointer count
is zero and it’s deallocated
indicator is false
If, at the end of execution, a
taint mark’s deallocated
indicator is false
Generate a leak report:
• allocation location, allocation size, and last use location
Merge leak reports:
• combine reports with identical allocation and last use
locations, add allocation sizes
(Checks are recursive)
62. Prototype tool
16 bytes of memory
allocated:
at malloc
by addhash (hash.c:50)
by parser (parser.c:210)
by readcell (parser.c:34)
by main (main.c:98)
was leaked:
at free
by delHtab (hash.c:28)
by grdcell(grdcell.c:354)
by main (main.c:227)
Implemented usingValgrind
63. Prototype tool
16 bytes of memory
allocated:
at malloc
by addhash (hash.c:50)
by parser (parser.c:210)
by readcell (parser.c:34)
by main (main.c:98)
was leaked:
at free
by delHtab (hash.c:28)
by grdcell(grdcell.c:354)
by main (main.c:227)
Implemented usingValgrind
64. Prototype tool
16 bytes of memory
allocated:
at malloc
by addhash (hash.c:50)
by parser (parser.c:210)
by readcell (parser.c:34)
by main (main.c:98)
was leaked:
at free
by delHtab (hash.c:28)
by grdcell(grdcell.c:354)
by main (main.c:227)
Implemented usingValgrind
65. Prototype tool
16 bytes of memory
allocated:
at malloc
by addhash (hash.c:50)
by parser (parser.c:210)
by readcell (parser.c:34)
by main (main.c:98)
was leaked:
at free
by delHtab (hash.c:28)
by grdcell(grdcell.c:354)
by main (main.c:227)
Implemented usingValgrind
Can be used to prioritize
debugging effort
66. Evaluation
How does Leakpoint’s ability to
detect memory leaks compare
to existing tools?
How effective is Leakpoint at
guiding developers to the
locations where memory leaks
may be fixed?
80. RQ2: Effectiveness at guiding developers
Compare the leak locations identified by Leakpoint
with the locations where the leaks were fixed by
the original application developers.
81. RQ2: Effectiveness at guiding developers
Compare the leak locations identified by Leakpoint
with the locations where the leaks were fixed by
the original application developers.
Transmission
82. RQ2: Effectiveness at guiding developers
Compare the leak locations identified by Leakpoint
with the locations where the leaks were fixed by
the original application developers.
Transmission
83. RQ2: Effectiveness at guiding developers
Compare the leak locations identified by Leakpoint
with the locations where the leaks were fixed by
the original application developers.
Transmission
84. RQ2: Effectiveness at guiding developers
Compare the leak locations identified by Leakpoint
with the locations where the leaks were fixed by
the original application developers.
Transmission
4 memory leaks total
97. Summary
• A new technique for identifying where memory
leaks occur
• at least as effective as existing techniques at
detecting memory leaks
• helpful in guiding developers to the locations
where memory leaks should be fixed