Trace Malloc Tools
Chris Waterson <waterson@netscape.com>
November 27, 2000
This is a short primer on how to use the `trace malloc' tools
contained in this directory.
WHAT IS TRACE MALLOC?
=====================
Trace malloc is an optional facility that is built in to XPCOM. It
uses `weak linking' to intercept all calls to malloc(), calloc(),
realloc() and free(). It does two things:
1. Writes information about allocations to a filehandle that you
specify. As each call to malloc(), et. al. is made, a record is logged
to the filehandle.
2. Maintains a table of all `live objects' -- that is, objects that
have been allocated by malloc(), calloc() or realloc(), but have not
yet been free()'d. The contents of this table can be called by making
a `secret' call to JavaScript.
MAKING A TRACE MALLOC BUILD
===========================
As of this writing, trace malloc only works on Linux, but work is
underway to port it to Windows.
On Linux, start with a clean tree, and configure your build with the
following flags:
--enable-trace-malloc
--enable-cpp-rtti
Be sure that `--enable-boehm' is *not* set. I don't think that the
values for `--enable-debug' and `--enable-optimize' matter, but I've
typically had debug on and optimize off.
COLLECTING LIVE OBJECT DATA
===========================
To collect `live object' data from `mozilla' using a build that has
trace malloc enabled,
1. Run `mozilla' as follows:
% mozilla --trace-malloc /dev/null
2. Do whatever operations in mozilla you'd like to test.
3. Open the `live-bloat.html' file contained in this directory.
4. Press the button that says `Dump to /tmp/dump.log'
An enormous file (typically 300MB) called `dump.log' will be dropped
in your `/tmp' directory.
To collect live object data from `gtkEmbed' using a build that has
trace malloc enabled:
1. Run `gtkEmbed' as follows:
% gtkEmbed --trace-malloc /dev/null
2. Do whatever operations in gtkEmbed that you'd like to test.
3. Press the `Dump Memory' button at the bottom of gtkEmbed.
The enormous file will be dropped in the current directory, and is
called `allocations.log'.
About Live Object Logs
----------------------
A typical entry from the `live object' dump file will look like:
Address Type Size
| | |
v v v
0x40008080 <nsFooBar> 16
0x00000001 <- Fields
0x40008084
0x80004001
0x00000036
__builtin_new[./libxpcom.so +0x10E9DC] <- Stack at allocation time
nsFooBar::CreateFooBar(nsFooBar **)[./libfoobar.so +0x408C]
main+C7E5AFB5[(null) +0xC7E5AFB5]
One will be printed for each object that was allocated.
TOOLS TO PARSE LIVE OBJECT LOGS
===============================
This directory is meant to house the tools that you can use to parse
live-object logs.
Object Histograms - histogram.pl
--------------------------------
This program parses a `live object' dump and produces a histogram of
the objects, sorted from objects that take the most memory to objects
that take the least. The output of this program is rather spartan: on
each line, it prints the object type, the number of objects of that
type, and the total number of bytes that the objects consume.
There are a two simple programs to `pretty print' the output from
histogram.pl:
1. histogram-pretty.sh takes a single histogram and produces a table
of objects.
Type Count Bytes %Total
TOTAL 67348 4458127 100.00
nsImageGTK 76 679092 15.23
void* 8956 563572 12.64
...
PRLock 732 61488 1.38
OTHER 24419 940235 21.09
2. histogram-diff.sh takes two histograms and computes the difference
between them.
---- Base ---- ---- Incr ---- ----- Difference ----
Type Count Bytes Count Bytes Count Bytes %Total
TOTAL 40241 1940945 73545 5315142 33304 3374197 100.00
nsImageGTK 16 106824 151 832816 135 725992 21.52
PresShell 16 51088 198 340706 182 289618 8.58
...
OTHER 27334 1147033 38623 1493385 11289 346352 10.26
Both of these scripts accept `-c' parameter that specifies how many
rows you'd like to see (by default, twenty). Any rows past the first
`n' rows are lumped into a single `OTHER' row. This allows you to keep
your reports short n' sweet.
Stack-based Type Inference - types.dat
--------------------------------------
Trace malloc uses `speculative RTTI' to determine the types of objects
as it dumps them. Unfortunately, RTTI can only deduce the type name
for C++ objects with a virtual destructor.
This leaves:
. C++ object without a virtual destructor
. array allocated C++ objects, and
. objects allocated with the C runtime function (malloc
and friends)
out in the cold. Trace malloc reports objects allocated this was as
having type `void*'.
The good news is that you can almost always determine the object's
type by looking at the stack trace that's taken at the time the object
is allocated.
The file `types.dat' consists of rules to classify objects based on
stack trace.
Uncategorized Objects - uncategorized.pl
----------------------------------------
Categorizing objects in `types.dat' is sweaty work, and the
`uncategorized.pl' script is a tool that makes it a bit
easier. Specifically, it reads a `live object' dump file and sorts the
stack traces. Stack traces that account for the most uncategorized
objects are placed first.
Using this tool, you can add the `most effective' rules to
`types.dat': rules that account for most of the uncategorized data.