Slide 1

Slide 1 text

VMFive Lab Demo: Android Memory Leak Profiling, by Chiu-Hsiang Hsu, Dec 27, 2015

Slide 2

Slide 2 text

Android Memory Leak Profiling. Chiu-Hsiang Hsu (許邱翔), Department of Computer Science, National Chiao Tung University (交通大學). Self-introduction.

Slide 3

Slide 3 text

Programs have a great many memory-related problems. Are there tools that can help check for and avoid them? And what does the memory usage of native programs on Android actually look like? (Android Memory Leak Profiling)

Slide 4

Slide 4 text

Introduction. The programs we write inevitably have bugs, and memory-related bugs make up a large share of them. Are there tools that can check for us? Yes: the most common is Valgrind, and besides it there are Pin, Dr. Memory, the Sanitizers, ...

Slide 5

Slide 5 text

Classes of memory bugs
● Heap OOB (Out of Bounds)
● Stack OOB (Out of Bounds)
● Global OOB (Out of Bounds)
● UAF (Use After Free)
● UAR (Use After Return)
● UMR (Uninitialized Memory Reads)
● Leaks
● Double Free

Slides 6 to 13

Slides 6 to 13 text

(Build steps of the same list as slide 5; each step highlights one class in turn.)

Slide 14

Slide 14 text

Analysis approaches
● Valgrind (Dynamic Binary Instrumentation)
● LLVM Sanitizers (Compile-Time Instrumentation)

Slide 15

Slide 15 text

Dynamic Binary Instrumentation
● Pros
○ The user does not need to recompile or relink; it works on the binary as shipped
○ Run-time information is available to the tool
● Cons
○ Slower

Slide 16

Slide 16 text

Compile-Time Instrumentation
● Pros
○ Faster than DBI (the checks are compiled in ahead of time and the compiler can optimise them)
● Cons
○ Needs compiler support, and the code under test has to be rebuilt; uninstrumented third-party binaries are not checked

Slide 17

Slide 17 text

Valgrind is a Framework

Slide 18

Slide 18 text

Valgrind tools and what each one finds
● Memcheck: Heap OOB, UAF, UMR, Double Free, Leaks
● Cachegrind: simulates the cache and the branch predictor
● Callgrind: generates a call graph
● Helgrind: data races, misuse of the pthreads API, potential deadlocks
● DRD: data races, misuse of the pthreads API, potential deadlocks
● Massif: heap use profiling
● DHAT [EXP]: heap allocation, heap access, heap lifetime, ...
● SGCheck [EXP]: Stack OOB, Global OOB
● BBV [EXP]: basic block vector generation (for SimPoint)

Note that Memcheck does not check stack or global arrays; those Stack OOB and Global OOB classes are only covered by the experimental SGCheck tool.

Slides 19 to 27

Slides 19 to 27 text

(Build steps of slide 18; each step highlights one tool and the bug classes it finds, as listed above.)

Slide 28

Slide 28 text

Cross-Compile for Android ARM: Official SVN Version
[Patch] disable the Elf32_Nhdr definition for android-21 to avoid a redefinition (coregrind/m_coredump/coredump-elf.c)

Slide 29

Slide 29 text

Cross-Compile for Android ARM: AOSP Version

Slide 30

Slide 30 text

Valgrind on Android ARM: Wrapper for the Android Activity Manager

Slide 31

Slide 31 text

Problem on the Emulator: the Valgrind wrapper fails to run on the Android Emulator (not solved yet)

Slide 32

Slide 32 text

Run on a real Android Device: Platform (My Phone) & Compiling Information

Slide 33

Slide 33 text

Problem: Unhandled Instruction
● disInstr(arm)
○ 0xEC510F1E (cond=14(0xE) 27:20=197(0xC5) 4:4=1 3:0=14(0xE))
■ mrrc 15, 1, r0, r1, cr14 (64-bit read of the CP15 c14 generic-timer virtual counter, CNTVCT)
○ 0xEE190F1D (cond=14(0xE) 27:20=225(0xE1) 4:4=1 3:0=13(0xD))
■ mrc 15, 0, r0, cr9, cr13, {0} (read of the CP15 performance-monitor cycle counter, PMCCNTR)
Both are CP15 system-register reads that programs use for high-resolution timing. Valgrind's ARM front end does not translate them, so it reports the instruction as unrecognised and delivers SIGILL to the guest program.

Slide 34

Slide 34 text

Problem: Unhandled Instruction
● disInstr(thumb)
○ 0xDEFF 0xF8DF
■ mrcle 8, 7, APSR_nzcv, cr15, cr15, {6}
○ 0xDEFF 0xF107
■ nrmlee f7, f7
○ 0xDEFF 0x461F
■ mrcle 6, 7, r4, cr15, cr15, {0}
○ 0xDEFF 0x4607
■ cdple 6, 15, cr4, cr15, cr7, {0}
The first halfword, 0xDEFF, is the Thumb UDF #0xff (permanently undefined) encoding; the 32-bit mnemonics shown are the disassembler's reading of each halfword pair as one ARM word and do not correspond to real instructions.

Slide 35

Slide 35 text

Sanitizers and what each one finds
● AddressSanitizer: Heap OOB, Stack OOB, Global OOB, UAF, UAR, Double Free, Leaks (via LeakSanitizer)
● MemorySanitizer: UMR
● LeakSanitizer: Leaks
● UndefinedBehaviorSanitizer: integer overflow, NULL pointer, divide by zero, ...
● ThreadSanitizer: data races

Two caveats a user runs into quickly: ASan's UAR detection is a separate option (detect_stack_use_after_return) rather than part of the basic check, and ASan and MSan cannot be combined in one build. MSan also needs every library linked into the process to be instrumented, otherwise it reports uninitialised reads that are not real.

Slides 36 to 40

Slides 36 to 40 text

(Build steps of slide 35; each step highlights one sanitizer and the bug classes it finds, as listed above.)

Slide 41

Slide 41 text

Sanitizer Android ARM Support: compiler-rt/cmake/config-ix.cmake

Slide 42

Slide 42 text

AddressSanitizer Algorithm: every 8 bytes of memory the program uses map to 1 byte of shadow memory (shadow address = (addr >> 3) + a fixed offset). The shadow byte says how many of the 8 bytes are addressable, and a negative value marks a poisoned granule such as a redzone or a freed chunk.
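The following is an added example, not code from the talk or from LLVM: a small user-space model of the shadow mapping described above, run over a fake 256-byte heap. The 8:1 mapping, the shadow-byte encoding (0, 1..7, negative) and the single-compare fast path are the real ASan scheme; the heap size, the 16-byte redzone width, the bump allocator and the function names are assumptions made to keep the model self-contained.

```c
/* Added example (not from the talk or from LLVM): a user-space model of
 * AddressSanitizer's shadow memory on a fake 256-byte heap. Every 8-byte
 * granule of "application" memory has one shadow byte at shadow[addr >> 3]
 * (real ASan adds a fixed offset). Sizes, redzone width and the bump
 * allocator are assumptions made to keep the model short. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define APP_SIZE    256u                 /* modelled application memory */
#define SHADOW_SIZE (APP_SIZE / 8u)      /* one shadow byte per 8 app bytes */
#define REDZONE     16u                  /* assumed redzone size, multiple of 8 */
#define MAX_ALLOCS  8

/* Shadow byte meaning, as in ASan:
 *   0      all 8 bytes of the granule are addressable
 *   1..7   only the first k bytes are addressable (partial granule)
 *   < 0    the whole granule is poisoned; the value says why */
#define SH_HEAP_REDZONE (-6)   /* real ASan uses 0xfa */
#define SH_FREED        (-3)   /* real ASan uses 0xfd */

static int8_t shadow[SHADOW_SIZE];
static size_t bump;                      /* next free offset in the fake heap */
static struct { size_t addr, n; } allocs[MAX_ALLOCS];
static int n_allocs;

static int8_t *shadow_of(size_t addr) { return &shadow[addr >> 3]; }

/* Mark [addr, addr+len) addressable; addr must be 8-byte aligned. A final
 * partial granule gets k = number of valid leading bytes. */
static void unpoison(size_t addr, size_t len) {
    size_t i = 0;
    for (; i + 8 <= len; i += 8) *shadow_of(addr + i) = 0;
    if (i < len) *shadow_of(addr + i) = (int8_t)(len - i);
}

/* Poison whole granules in [addr, addr+len); addr aligned, len rounded up. */
static void poison(size_t addr, size_t len, int8_t why) {
    for (size_t i = 0; i < len; i += 8) *shadow_of(addr + i) = why;
}

/* The instrumented fast path for an aligned 1/2/4/8-byte access that stays
 * inside one granule: one shadow load and one compare, as ASan emits it. */
static int fast_check(size_t addr, size_t size) {
    int8_t k = *shadow_of(addr);
    if (k == 0) return 1;
    if (k < 0) return 0;
    return (int)((addr & 7u) + size - 1) < k;
}

/* General check: every byte of [addr, addr+size) must be addressable. */
static int is_addressable(size_t addr, size_t size) {
    if (addr + size > APP_SIZE || addr + size < addr) return 0;
    for (size_t a = addr; a < addr + size; a++) {
        int8_t k = *shadow_of(a);
        if (k < 0) return 0;                         /* redzone or freed */
        if (k != 0 && (int8_t)(a & 7u) >= k) return 0; /* past the k valid bytes */
    }
    return 1;
}

/* Model allocator: left redzone, user bytes, right redzone, from a bump
 * pointer that never reuses memory (real ASan quarantines freed chunks for a
 * while, which is what keeps the UAF poison in place). Returns (size_t)-1
 * when the fake heap is exhausted. */
static size_t asan_malloc(size_t n) {
    size_t user = bump + REDZONE;
    size_t end_rounded = (user + n + 7u) & ~(size_t)7u;
    if (n_allocs == MAX_ALLOCS || end_rounded + REDZONE > APP_SIZE) return (size_t)-1;
    poison(bump, REDZONE, SH_HEAP_REDZONE);
    unpoison(user, n);
    poison(end_rounded, REDZONE, SH_HEAP_REDZONE);
    allocs[n_allocs].addr = user; allocs[n_allocs].n = n; n_allocs++;
    bump = end_rounded + REDZONE;
    return user;
}

/* Free: poison the whole user region so later accesses are reported as UAF.
 * Returns 0 for an unknown pointer, which is how a double free shows up. */
static int asan_free(size_t addr) {
    for (int i = 0; i < n_allocs; i++) {
        if (allocs[i].addr != addr) continue;
        poison(addr, (allocs[i].n + 7u) & ~(size_t)7u, SH_FREED);
        allocs[i].addr = (size_t)-1;
        return 1;
    }
    return 0;
}

int main(void) {
    size_t p = asan_malloc(13);          /* one full granule plus k = 5 */
    printf("p+12 readable: %d\n", is_addressable(p + 12, 1));
    printf("p+13 readable: %d (heap OOB)\n", is_addressable(p + 13, 1));
    printf("8-byte load at p+8: %d (OOB)\n", fast_check(p + 8, 8));
    asan_free(p);
    printf("p readable after free: %d (UAF)\n", is_addressable(p, 1));
    printf("second free accepted: %d (double free)\n", asan_free(p));
    return 0;
}
```

The 13-byte allocation is the interesting case: its second granule has shadow value 5, so a one-byte read at offset 12 passes while offset 13 fails, and an 8-byte load at offset 8 fails on the single compare (0 + 8 - 1 >= 5) even though it starts inside the buffer. This is also why ASan rounds allocations to granules and pads with redzones: an overflow by a few bytes always lands on a nonzero shadow byte.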

Slide 43

Slide 43 text

Conclusion. Memory-related problems are always with us, and each of these tools still has plenty of room for improvement. Good instrumentation tools are not enough on their own: they need good testing alongside them, because they only report bugs on the code paths that actually execute.

Slide 44

Slide 44 text

References
● [2004] Dynamic Binary Analysis and Instrumentation
● [2007] Valgrind: A Framework for Heavyweight Dynamic Binary Instrumentation
● [2009] ThreadSanitizer: data race detection in practice
● [2012] AddressSanitizer: A Fast Address Sanity Checker
● [2012] Dynamic Race Detection with LLVM Compiler
● [2014] How Developers Use Data Race Detection Tools
● [2014] C/C++ Thread Safety Analysis
● [2015] MemorySanitizer: fast detector of uninitialized memory use in C++

Slide 45

Slide 45 text

THANK YOU.