Android Memory Leak Profiling - VMFive

Transcript

1. VMFive Lab Demo by Chiu-Hsiang Hsu Android Memory Leak Profiling

   Dec, 27, 2015

2. 2 Android Memory Leak Profiling 許邱翔 交通大學資訊工程學系 自介

3. 3 程式中記憶體相關的問題非常多， 有沒有工具可以幫忙檢查 & 避免？ Android 系統上的 Native 程式的記憶體 使用狀況又是如何呢？

   Android Memory Leak Profiling

4. 4 前言 我們寫程式總免不了會有 bugs， 其中 Memory 相關的 bugs 佔了一大部份， 有工具可以幫我們檢查嗎？

   有的， 最常見的是 Valgrind， 除此之外還有 Pin、Dr. Memory、Sanitizer ...

5. 5 Memory 問題分類 • Heap OOB (Out of Bounds) •

   Stack OOB (Out of Bounds) • Global OOB (Out of Bounds) • UAF (Use After Free) • UAR (Use After Return) • UMR (Uninitialized Memory Reads) • Leaks • Double Free

6. 6 Memory 問題分類 • Heap OOB (Out of Bounds) •

   Stack OOB (Out of Bounds) • Global OOB (Out of Bounds) • UAF (Use After Free) • UAR (Use After Return) • UMR (Uninitialized Memory Reads) • Leaks • Double Free

7. 7 Memory 問題分類 • Heap OOB (Out of Bounds) •

   Stack OOB (Out of Bounds) • Global OOB (Out of Bounds) • UAF (Use After Free) • UAR (Use After Return) • UMR (Uninitialized Memory Reads) • Leaks • Double Free

8. 8 Memory 問題分類 • Heap OOB (Out of Bounds) •

   Stack OOB (Out of Bounds) • Global OOB (Out of Bounds) • UAF (Use After Free) • UAR (Use After Return) • UMR (Uninitialized Memory Reads) • Leaks • Double Free

9. 9 Memory 問題分類 • Heap OOB (Out of Bounds) •

   Stack OOB (Out of Bounds) • Global OOB (Out of Bounds) • UAF (Use After Free) • UAR (Use After Return) • UMR (Uninitialized Memory Reads) • Leaks • Double Free

10. 1 0 Memory 問題分類 • Heap OOB (Out of Bounds)

    • Stack OOB (Out of Bounds) • Global OOB (Out of Bounds) • UAF (Use After Free) • UAR (Use After Return) • UMR (Uninitialized Memory Reads) • Leaks • Double Free

11. 1 1 Memory 問題分類 • Heap OOB (Out of Bounds)

    • Stack OOB (Out of Bounds) • Global OOB (Out of Bounds) • UAF (Use After Free) • UAR (Use After Return) • UMR (Uninitialized Memory Reads) • Leaks • Double Free

12. 1 2 Memory 問題分類 • Heap OOB (Out of Bounds)

    • Stack OOB (Out of Bounds) • Global OOB (Out of Bounds) • UAF (Use After Free) • UAR (Use After Return) • UMR (Uninitialized Memory Reads) • Leaks • Double Free

13. 1 3 Memory 問題分類 • Heap OOB (Out of Bounds)

    • Stack OOB (Out of Bounds) • Global OOB (Out of Bounds) • UAF (Use After Free) • UAR (Use After Return) • UMR (Uninitialized Memory Reads) • Leaks • Double Free

14. 1 4 分析 • Valgrind (Dynamic Binary Instrumentation) • LLVM

    Sanitizer (Compile-Time Instrumentation)

15. 1 5 Dynamic Binary Instrumentation • Pros ◦ 使用者不用重新 compile

    或 link ◦ 可以獲得執行時期的資訊 • Cons ◦ 速度較慢

16. 1 6 Compile-Time Instrumentation • Pros ◦ 速度較 DBI 快

    (事先編譯好 & 可以做更多優化) • Cons ◦ 需要 Compiler 支援

17. 1 7 Valgrind is a Framework

18. 1 8 Valgrind • Memcheck • Cachegrind • Callgrind •

    Helgrind • DRD • Massif • DHAT [EXP] • SGCheck [EXP] • BBV [EXP]

19. 1 9 Valgrind • Memcheck • Cachegrind • Callgrind •

    Helgrind • DRD • Massif • DHAT [EXP] • SGCheck [EXP] • BBV [EXP] • Heap OOB • UAF • UMR • Double Free • Leaks

20. 2 0 Valgrind • Memcheck • Cachegrind • Callgrind •

    Helgrind • DRD • Massif • DHAT [EXP] • SGCheck [EXP] • BBV [EXP] • Simulate Cache • Simulate Branch Predictor

21. 2 1 Valgrind • Memcheck • Cachegrind • Callgrind •

    Helgrind • DRD • Massif • DHAT [EXP] • SGCheck [EXP] • BBV [EXP] • Generate Call Graph

22. 2 2 Valgrind • Memcheck • Cachegrind • Callgrind •

    Helgrind • DRD • Massif • DHAT [EXP] • SGCheck [EXP] • BBV [EXP] • Data Race • Misuse of pthreads API • Potential Deadlocks

23. 2 3 Valgrind • Memcheck • Cachegrind • Callgrind •

    Helgrind • DRD • Massif • DHAT [EXP] • SGCheck [EXP] • BBV [EXP] • Data Race • Misuse of pthreads API • Potential Deadlocks

24. 2 4 Valgrind • Memcheck • Cachegrind • Callgrind •

    Helgrind • DRD • Massif • DHAT [EXP] • SGCheck [EXP] • BBV [EXP] • Heap Use Profiling

25. 2 5 Valgrind • Memcheck • Cachegrind • Callgrind •

    Helgrind • DRD • Massif • DHAT [EXP] • SGCheck [EXP] • BBV [EXP] • Heap Allocation • Heap Access • Heap Lifetime • ...

26. 2 6 Valgrind • Memcheck • Cachegrind • Callgrind •

    Helgrind • DRD • Massif • DHAT [EXP] • SGCheck [EXP] • BBV [EXP] • Stack OOB • Global OOB

27. 2 7 Valgrind • Memcheck • Cachegrind • Callgrind •

    Helgrind • DRD • Massif • DHAT [EXP] • SGCheck [EXP] • BBV [EXP] • Basic Block Vector Generation (for SimPoint)

28. 2 8 Cross-Compile for Android ARM Official SVN Version [Patch]

    disable Elf32_Nhdr definition for android-21 to avoid redefinition (coregrind/m_coredump/coredump-elf.c)

29. 2 9 Cross-Compile for Android ARM AOSP Version

30. 3 0 Valgrind on Android ARM Wrapper for Android Activity

    Manager

31. 3 1 Problem on Emulator Valgrind wrapper fail to run

    on Android Emulator (not solve yet)

32. 3 2 Run on real Android Device Platform (My Phone)

    & Compiling Information

33. 3 3 Problem - Unhandled Instruction • disInstr(arm) ◦ 0xEC510F1E

    (cond=14(0xE) 27:20=197(0xC5) 4: 4=1 3:0=14(0xE)) ▪ mrrc 15, 1, r0, r1, cr14 ◦ 0xEE190F1D (cond=14(0xE) 27:20=225(0xE1) 4: 4=1 3:0=13(0xD)) ▪ mrc 15, 0, r0, cr9, cr13, {0}

34. 3 4 Problem - Unhandled Instruction • disInstr(thumb) ◦ 0xDEFF

    0xF8DF ▪ mrcle 8, 7, APSR_nzcv, cr15, cr15, {6} ◦ 0xDEFF 0xF107 ▪ nrmlee f7, f7 ◦ 0xDEFF 0x461F ▪ mrcle 6, 7, r4, cr15, cr15, {0} ◦ 0xDEFF 0x4607 ▪ cdple 6, 15, cr4, cr15, cr7, {0}

35. 3 5 Sanitizer • AddressSanitizer • MemorySanitizer • LeakSanitizer •

    UndefinedBehaviorSanitizer • ThreadSanitizer

36. 3 6 Sanitizer • AddressSanitizer • MemorySanitizer • LeakSanitizer •

    UndefinedBehaviorSanitizer • ThreadSanitizer • Heap OOB • Stack OOB • Global OOB • UAF • UAR • Double Free • Leaks (LeakSanitizer)

37. 3 7 Sanitizer • AddressSanitizer • MemorySanitizer • LeakSanitizer •

    UndefinedBehaviorSanitizer • ThreadSanitizer • UMR

38. 3 8 Sanitizer • AddressSanitizer • MemorySanitizer • LeakSanitizer •

    UndefinedBehaviorSanitizer • ThreadSanitizer • Leaks

39. 3 9 Sanitizer • AddressSanitizer • MemorySanitizer • LeakSanitizer •

    UndefinedBehaviorSanitizer • ThreadSanitizer • Integer Overflow • NULL Pointer • Divide By Zero • ...

40. 4 0 Sanitizer • AddressSanitizer • MemorySanitizer • LeakSanitizer •

    UndefinedBehaviorSanitizer • ThreadSanitizer • Data Race

41. 4 1 Sanitizer Android ARM Support compiler-rt/cmake/config-ix.cmake

42. 4 2 AddressSanitizer Algorithm 程式使用的 memory 每 8 bytes 對應到

    1 byte 的 shadow memory

43. 4 3 Conclusion 記憶體相關問題始終存在， 各個輔助工具還有很多改進的空間 有了好的 Instrumentation 工具之外， 還需要有好的 Testing

    搭配使用才能抓出問題

44. 4 4 References • [2004] Dynamic Binary Analysis and Instrumentation

    • [2007] Valgrind: A Framework for Heavyweight Dynamic Binary Instrumentation • [2009] ThreadSanitizer: data race detection in practice • [2012] AddressSanitizer: A Fast Address Sanity Checker • [2012] Dynamic Race Detection with LLVM Compiler • [2014] How Developers Use Data Race Detection Tools • [2014] C/C++ Thread Safety Analysis • [2015] MemorySanitizer: fast detector of uninitialized memory use in C++

45. THANK YOU.