
Android Memory Leak Profiling - VMFive

dv
December 27, 2015

Introduce tools for memory profiling


Transcript

  1. VMFive Lab Demo by Chiu-Hsiang Hsu: Android Memory Leak Profiling, Dec 27, 2015
  2. Android Memory Leak Profiling. Chiu-Hsiang Hsu (許邱翔), Department of Computer Science, National Chiao Tung University (交通大學). Self-introduction.

  3. Programs have a great many memory-related problems. Are there tools that can help us check for and avoid them? And what does memory usage look like for native programs on Android?
  4. Introduction. We cannot avoid bugs when writing programs, and memory-related bugs make up a large share of them. Are there tools that can check for them for us?

    Yes. The most common is Valgrind; others include Pin, Dr. Memory, the Sanitizers, ...
  5. Memory problem categories:
    • Heap OOB (Out of Bounds)
    • Stack OOB (Out of Bounds)
    • Global OOB (Out of Bounds)
    • UAF (Use After Free)
    • UAR (Use After Return): using a pointer into a stack frame after the function that owned it has returned
    • UMR (Uninitialized Memory Reads)
    • Leaks
    • Double Free
  14. Analysis approaches:
    • Valgrind (Dynamic Binary Instrumentation)
    • LLVM Sanitizers (Compile-Time Instrumentation)
  15. Dynamic Binary Instrumentation
    • Pros: the user does not need to recompile or relink; run-time information is available
    • Cons: slower
  16. Compile-Time Instrumentation
    • Pros: faster than DBI (the instrumentation is compiled in ahead of time, and the compiler can optimize it further)
    • Cons: requires compiler support; only code that was actually compiled with the instrumentation is checked, so accesses made from uninstrumented libraries are invisible to the tool
  17. Valgrind is a Framework

  18. Valgrind tools: Memcheck, Cachegrind, Callgrind, Helgrind, DRD, Massif, DHAT [EXP], SGCheck [EXP], BBV [EXP]

  19-27. What each Valgrind tool finds or produces:
    • Memcheck: Heap OOB, UAF, UMR, Double Free, Leaks
    • Cachegrind: simulates the cache and the branch predictor
    • Callgrind: generates a call graph
    • Helgrind: data races, misuse of the pthreads API, potential deadlocks
    • DRD: data races, misuse of the pthreads API, potential deadlocks
    • Massif: heap use profiling
    • DHAT [EXP]: heap allocation, heap access, heap lifetime, ...
    • SGCheck [EXP]: Stack OOB, Global OOB
    • BBV [EXP]: basic block vector generation (for SimPoint)
  28. Cross-compile for Android ARM, official SVN version [patch]: disable the Elf32_Nhdr definition for android-21 to avoid a redefinition (coregrind/m_coredump/coredump-elf.c)
  29. Cross-compile for Android ARM, AOSP version

  30. Valgrind on Android ARM: a wrapper for the Android Activity Manager
  31. Problem on the emulator: the Valgrind wrapper fails to run on the Android Emulator (not solved yet)
  32. Running on a real Android device: platform (my phone) and compilation information
  33. Problem: unhandled instructions in disInstr(arm). Both are CP15 system-register reads that Valgrind's ARM front end did not decode:
    • 0xEC510F1E (cond=14(0xE) 27:20=197(0xC5) 4:4=1 3:0=14(0xE)): mrrc 15, 1, r0, r1, cr14
    • 0xEE190F1D (cond=14(0xE) 27:20=225(0xE1) 4:4=1 3:0=13(0xD)): mrc 15, 0, r0, cr9, cr13, {0}
  34. Problem: unhandled instructions in disInstr(thumb):
    • 0xDEFF 0xF8DF: mrcle 8, 7, APSR_nzcv, cr15, cr15, {6}
    • 0xDEFF 0xF107: nrmlee f7, f7
    • 0xDEFF 0x461F: mrcle 6, 7, r4, cr15, cr15, {0}
    • 0xDEFF 0x4607: cdple 6, 15, cr4, cr15, cr7, {0}
  35. Sanitizers: AddressSanitizer, MemorySanitizer, LeakSanitizer, UndefinedBehaviorSanitizer, ThreadSanitizer

  36-40. What each sanitizer finds:
    • AddressSanitizer: Heap OOB, Stack OOB, Global OOB, UAF, UAR, Double Free, Leaks (via LeakSanitizer). UAR detection is not on by default; it has to be enabled at run time with ASAN_OPTIONS=detect_stack_use_after_return=1
    • MemorySanitizer: UMR
    • LeakSanitizer: Leaks
    • UndefinedBehaviorSanitizer: integer overflow, NULL pointer dereference, divide by zero, ...
    • ThreadSanitizer: data races
  41. Sanitizer support for Android ARM: compiler-rt/cmake/config-ix.cmake

  42. AddressSanitizer algorithm: every 8 bytes of program memory map to 1 byte of shadow memory. A shadow byte of 0 means all 8 bytes are addressable, k (1..7) means only the first k bytes are, and a negative value means the whole chunk is poisoned. malloc surrounds each block with poisoned redzones and free re-poisons the block, so the check the compiler inserts before every load and store turns a heap OOB or UAF into a report at the faulting instruction.
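The shadow scheme from slide 42, as an added example that is not part of the original deck and not AddressSanitizer's own code: a toy allocator over a fake heap (addresses are offsets, not real pointers, so it runs stand-alone) that keeps ASan's shadow-byte encoding (0, k, or a negative poison value; 0xfa and 0xfd mirror ASan's heap-redzone and freed markers), plus the instrumented-access check that classifies a bad access as heap OOB or UAF and reports a double free. The names sim_malloc, sim_free and sim_check, the redzone size and the heap size are this example's own choices.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy model of AddressSanitizer's shadow memory: 8 application bytes map to
 * 1 shadow byte. Addresses are offsets into a fake heap of MEM_SIZE bytes.
 * Constants and function names are this example's own, not ASan's. */
#define MEM_SIZE     4096u
#define SHADOW_SCALE 3u                       /* 2^3 = 8 app bytes per shadow byte */
#define SHADOW_SIZE  (MEM_SIZE >> SHADOW_SCALE)
#define REDZONE      32u                      /* poisoned padding around each block */
#define MAX_ALLOCS   16

/* Shadow encoding: 0 = all 8 bytes addressable, k in 1..7 = only the first k
 * bytes addressable, negative = poisoned. The two magic values mirror ASan's
 * heap-redzone (0xfa) and freed-memory (0xfd) markers. */
#define SH_REDZONE ((int8_t)0xfa)
#define SH_FREED   ((int8_t)0xfd)

enum { OK = 0, ERR_HEAP_OOB = 1, ERR_UAF = 2, ERR_DOUBLE_FREE = 3, ERR_BAD_FREE = 4 };

static int8_t shadow[SHADOW_SIZE];            /* one byte per 8 bytes of the fake heap */
static size_t bump;                           /* next unused offset in the fake heap */
static int    initialized;
static struct { size_t addr, size; int freed; } allocs[MAX_ALLOCS];
static int    nallocs;

static void sim_init(void) {
    memset(shadow, SH_REDZONE, sizeof shadow); /* nothing is addressable until allocated */
    bump = 0; nallocs = 0; initialized = 1;
}

/* Set the shadow for [addr, addr+n). addr is always 8-byte aligned here, so
 * when unpoisoning, the last chunk gets k = n % 8 if the block ends mid-chunk. */
static void set_shadow(size_t addr, size_t n, int8_t value) {
    size_t first = addr >> SHADOW_SCALE, last = (addr + n - 1) >> SHADOW_SCALE;
    for (size_t i = first; i <= last; i++)
        shadow[i] = value;
    if (value == 0 && (n & 7u) != 0)
        shadow[last] = (int8_t)(n & 7u);
}

/* Bump allocator laying out [REDZONE][n bytes rounded up to 8][REDZONE].
 * Returns the offset of the user region, or (size_t)-1 if the heap is full. */
size_t sim_malloc(size_t n) {
    if (!initialized) sim_init();
    if (n == 0 || nallocs == MAX_ALLOCS) return (size_t)-1;
    size_t rounded = (n + 7u) & ~(size_t)7u;
    if (bump + REDZONE + rounded + REDZONE > MEM_SIZE) return (size_t)-1;
    size_t user = bump + REDZONE;
    bump = user + rounded + REDZONE;          /* redzones keep SH_REDZONE from sim_init */
    set_shadow(user, n, 0);
    allocs[nallocs].addr = user; allocs[nallocs].size = n; allocs[nallocs].freed = 0;
    nallocs++;
    return user;
}

/* free(): re-poison the block so later accesses become UAF, and remember it so
 * a second free is reported as a double free instead of being accepted. */
int sim_free(size_t addr) {
    for (int i = 0; i < nallocs; i++) {
        if (allocs[i].addr != addr) continue;
        if (allocs[i].freed) return ERR_DOUBLE_FREE;
        allocs[i].freed = 1;
        set_shadow(addr, allocs[i].size, SH_FREED);
        return OK;
    }
    return ERR_BAD_FREE;                      /* never returned by sim_malloc */
}

/* The check ASan emits before each load/store: read the shadow byte for the
 * chunk, and if it is partially valid (k > 0), the last accessed byte's offset
 * inside the chunk must be below k. Wider accesses are checked chunk by chunk. */
int sim_check(size_t addr, size_t n) {
    if (!initialized) sim_init();
    if (n == 0 || addr >= MEM_SIZE || n > MEM_SIZE - addr) return ERR_HEAP_OOB;
    while (n > 0) {
        size_t in_chunk = addr & 7u;
        size_t span = n < 8u - in_chunk ? n : 8u - in_chunk;
        int8_t s = shadow[addr >> SHADOW_SCALE];
        if (s < 0)
            return s == SH_FREED ? ERR_UAF : ERR_HEAP_OOB;
        if (s != 0 && in_chunk + span > (size_t)s)
            return ERR_HEAP_OOB;              /* touches bytes past the k valid ones */
        addr += span; n -= span;
    }
    return OK;
}

int main(void) {
    size_t p = sim_malloc(10);
    printf("in-bounds 10-byte read -> %d\n", sim_check(p, 10));     /* 0 (OK) */
    printf("one byte past the end  -> %d\n", sim_check(p + 10, 1)); /* 1 (heap OOB) */
    printf("one byte before start  -> %d\n", sim_check(p - 1, 1));  /* 1 (heap OOB) */
    sim_free(p);
    printf("read after free        -> %d\n", sim_check(p, 4));      /* 2 (UAF) */
    printf("second free            -> %d\n", sim_free(p));          /* 3 (double free) */
    return 0;
}
```

The partial-chunk case is where the 8:1 mapping earns its keep: a 10-byte block occupies one fully valid chunk and one chunk with k = 2, so a 2-byte read at offset 8 passes while a 4-byte read at the same address is caught without any per-byte metadata.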
  43. Conclusion. Memory-related problems are always with us, and every one of these helper tools still has plenty of room for improvement. Beyond a good instrumentation tool, you also need good testing to drive it; only the two together actually catch the bugs.
  44. References
    • [2004] Dynamic Binary Analysis and Instrumentation
    • [2007] Valgrind: A Framework for Heavyweight Dynamic Binary Instrumentation
    • [2009] ThreadSanitizer: Data Race Detection in Practice
    • [2012] AddressSanitizer: A Fast Address Sanity Checker
    • [2012] Dynamic Race Detection with LLVM Compiler
    • [2014] How Developers Use Data Race Detection Tools
    • [2014] C/C++ Thread Safety Analysis
    • [2015] MemorySanitizer: Fast Detector of Uninitialized Memory Use in C++
  45. THANK YOU.