Memory Bugs Unit 3 Memory Layout and Allocation. system level programming Software College Northeastern University 2 Several Uses of Memory Static Allocation.

Memory Bugs

Unit 3

Memory Layout and Allocation

system level progrsystem level programmingamming

Software College Northeastern University2

Several Uses of Memory

Static Allocation Dynamic Allocation Explicit and Implicit Program Memory Layout



Static Allocation

static refers to things that happen at compile time and link time

In C++, when we declare a variable outside of any function or class definition, the compiler allocates space for it in memory

The variable will exist at a fixed address throughout the execution of the program.



Static Allocation:Example int my_var[128]; // a statically allocated variable int my_fn(int x) { for (int i = 0; i < 128; i++) my_var[i] = 0; } 6: my_var[i] = 0;

00401053 mov ecx,dword ptr [ebp-4]00401056 mov dword ptr [ecx*4+4225C4h],000401061 jmp my_fn+21h (00401041)

Fixed Address



Static Allocation vs. C++ static Declarations

A C or C++ variable declared as static is allocated statically and, in addition, the variable is visible only to functions defined within the same file .



static Declaration:Exampleint my_var[128]; // a statically allocated variablestatic bool my_var_initialized = false;

int my_fn(int x) { if (my_var_initialized) return; my_var_initialized = true;for (int i = 0; i < 128; i++) my_var[i] = 0; }

be visible globally Accessed only from Local

file



static Declaration:Exampleint my_var[128]; // a statically allocated variableint my_fn(int x) { static bool my_var_initialized = false;

if (my_var_initialized) return; my_var_initialized = true;for (int i = 0; i < 128; i++) my_var[i] = 0; }

statically allocated Visible with in the function



Precautions For Static Allocation

Statically allocated data uses memory for the lifetime of the program, and it must be of a fixed size

- It is better to wait until run time and allocate only what you need.



Dynamic Allocation

Limitations of Static Allocation Stack Allocation A Function Call Using the Stack Returning From a Function Call Stack Allocation For Local Variables Heap (Explicit) Allocation



Limitations of Static Allocation

naming gets to be a problem. - two function with the same variable nameprograms do not always know how much

storage until run time. - be waste to allocate too muchstatic allocation reserves memory for the

duration of the program - can not be reused by other each instance of a function has its own copy

of parameters and local variables.



Stack Allocation

Stack - stack-based allocation or called the run-time stack support recursion and dynamic allocation very eff

iciently. An Example

int foo() { int b; b = bar(); return b; } int bar() { int b = 0; b = baz(b); return b; } int baz(int b) {

if (b < 1) return baz(b + 1); else return b; }



A Function Call Using the Stack

The information for one function is called an activation record or stack frame

At any time, the stack will contain information for all the functions that have been invoked but have not yet been completed

TOS is the top of the stack Frame is the base of the current activation rec

ord Program counter (also known as PC)holds the

address of the next instruction



Call Chain Example

foo(…){

int b;•b=bar();••

}

bar(…){ int b=0;

• • •b=baz();• • •

} baz(int b){

••baz(b+1);•return b;

}

foo

bar

baz(0)

baz(1)

baz(2)

Call Chain

Function baz recursive



StackPointer%esp

bfoo

•••

FramePointer%ebp

Stack Operation

foo

Call Chainfoo(…){

int b • b=bar(); • •

}

On Pentium processors, the stack "grows" toward lower memory addresses



StackPointer%esp

byoo

b=0bar

•••

FramePointer%ebp

Stack Operation

foo

bar

Call Chainbar(…){ int b=0;

• • •baz();• • •

}



StackPointer%esp

bfoo

b=0bar

b=0baz

•••

FramePointer%ebp

Stack Operation

foo

bho

baz

Call Chainbaz(int b){

••baz(b+1);••

}



StackPointer%esp

bfoo

b=0bar

b=0baz

•••

FramePointer%ebp

Stack Operation

foo

bar

baz


••baz(b+1);••

}b=1baz

baz



StackPointer%esp

bfoo

b=0bar

b=0baz

•••

FramePointer%ebp

Stack Operation

foo

bar

baz


••baz(b+1);••

}b=1baz

baz

bazb=2baz



StackPointer%esp

bfoo

bbar

bbaz

•••

FramePointer%ebp

Stack Operation

foo

bar

baz

Call Chainbaz(…){

••baz();••

}

bbaz

baz

baz



StackPointer%esp

foo

bar

baz

•••

FramePointer%ebp

Stack Operation

foo

bar

baz

Call Chainbaz(…){

••baz();••

}

baz

baz



StackPointer%esp

foo

bar

•••

FramePointer%ebp

Stack Operation

foo

bar

Call Chainbar(…){ int b=0;

• • •baz();• • •

}baz

baz

baz



foo(…){

••bar();••

}

StackPointer%esp

foo

•••

FramePointer%ebp

Stack Operation

foo

bar

Call Chain

baz

baz

baz



Activation Record

Parameters. The return address. A pointer to the caller's activation record. Saved machine registers. Local variables.



Activation Record:Detailsint find(char *str, char *pat) { int i, j, str_max, pat_max; pat_max = strlen(pat); str_max = strlen(str) - pat_max; for (i = 0; i < str_max; i++) { for (j = 0; j < pat_max; j++) { if (str[i + j] != pat[j]) break; } // Did loop complete? If so, we found a match. if

(j == pat_max) return i; } return -1; }



Stack Allocation For Local Variables

Call stack in VC++ IDE - a list of the current activation records

find(char * 0x00420078 `string', char * 0x0042008c `string') line 10

main() line 24 + 15 bytesmainCRTStartup() line 206 + 25 bytesKERNEL32! 7c816fd7()



Stack Allocation For Local Variables

Variables declared within a function are allocated on the stack

EIP = 00401059 ESP = 0012FEC4 EBP = 0012FF20 EFL = 00000206



ESP 0x0012FEC4 Saved Registers

Filled with0xCCCCCCCC

0x0012FF10 pat_max

0x0012FF14 str_max

0x0012FF18 j

0x0012FF1C i

EBP 0x0012FF20 Prev.frame

Return address

str

pat



Stack Allocation:Problem

For all practical purposes, local variables disappear when their function returns

Never return the address of a local variable!!

int * Err_return(int *a,int n){ int sum; for(int i=0;i<n;i++) sum += *(a+i); return ∑ }



Dynamic Stack Allocation:summary

Advantages: Allows recursion Reuses space

Disadvantages: Run-time overhead of allocation and deallocation

on stack Local variables cannot be history sensitive Inefficient references (indirect addressing)



Heap (Explicit) Allocation The heap is just a chunk of memory, usually large, tha

t programs use to store data. Explicit - Allocated and deallocated by explicit directives at arb

itrary times, specified by the programmer In C++ - You allocate memory from the heap by calling malloc

or new, and you can return memory to the heap by calling free or delete.

Lifetime -The time interval between creation and destruction



Heap (Explicit) Allocation ( 显示 )

int *make_array(int n){ int *array = (int *) malloc(sizeof(int) * n); for (int i = 0; i < n; i++) array[i] = -1; return array;} int *my_array = make_array(100);

// allocate an array of -1... // use my_array as long as you wantfree(my_array); // release my_array's memory



Heap (Explicit) Allocation

What is the most important ? Pointer to allocated chunk memory leak The associated heap memory is "lost" until the pro

gram terminates(The memory is recovered by the operating system)

P




dangling pointer problem you have a pointer to some memory, but the mem

ory has been deallocated and perhaps reused for something else

pp = new int ;……r = p ;delete r ; r




Advantage: Provides on-demand dynamic storage

managementDisadvantage:

Requires an expensive and complex storage management algorithm



Dynamic Heap Allocation:Implicit Implicit heap-based allocation

Allocation and deallocation are implicit (transparent for the programmer)

Advantage: Flexibility, ease of use

Disadvantage: Possible inefficiency

if the programmer knows that there will be N elements in a list, it would be better to explicitly allocate space for them all at once



Dynamic Heap Allocation

Allocation is made in a memory region called heap

Principal concerns in heap management are speed and space



Dynamic Heap Allocation Space issues:

Internal fragmentationwhen allocating a block larger than

required to hold a given object the extra space in the block is unused

External fragmentationwhen allocated blocks are scattered

through the heap, making the free space extremely fragmented

there may be a lot of free space, but no piece is large enough for some future request




External fragmentation:

Shaded blocks – in use Clear blocks – free



Dynamic Heap Allocation Dealing with external fragmentation

cannot totally avoid it ability of the heap to satisfy requests may

degrade over time The solution:

Why is this difficult?

compact the heap by moving already allocated blocks

need to find all pointers that refer to the moved blocks, and update their values




Implementation

Maintain a single linked list of heap blocks that are not currently used (the free list)

Strategies:

First fit – select the first block in the list that is large enough to satisfy the allocation request

Best fit – select the smallest block in the list that is large enough to satisfy the allocation request




First fit Faster, tends to produce internal

fragmentation Best fit

Slower (searches the entire list), less internal fragmentation




Using a single linked list makes the allocation time linear in the number of free blocks

To reduce it to constant time:

Implementation:

separate lists for blocks of different sizes

Strategies:

Buddy system

Fibonacci heap



Dynamic Heap Allocation Buddy system:

Block sizes are powers of 2 Allocation:

a request for a block of size 2k comes inif a block of size 2k is available, take itif not, split a block of size 2k+1 in two halves (2k each), us

e half for allocation, and place the other in the 2k free list

Deallocation: merge the block with its "buddy" (the other half) if it is f

ree

free list

2k

2k+1




Fibonacci system – similar, but uses Fibonacci numbers instead of

powers of 2free list

F(k)F(k+1)



Explicit vs. Implicit

C and C++ leave everything up to the programmer. We call this explicit memory management

The other approach, which we will call implicit memory management, still requires the programmer to allocate memory as needed, but it relies on the run-time system to free memory.

Implicit memory management makes programming easier overall, and the run-time penalty is often insignificant



Memory Bugs

Review of Pointers in C Making and Using Bad References Overwriting Memory Twice free Memory Leaks Exterminating Memory Bugs Garbage Collection



Review of Pointers in C

A pointer in C holds the memory address of some data object.

The unary & operator applied to a data object returns the address of that object,

The unary * operator returns the data object at the address provided by a pointer.



Some examples follow:

// take the address of a variableint var; // declare the variableint *var_ptr; // declare the pointervar_ptr = &var; // take the address of var*var_ptr = 3; // stores 3 into var// access variable pointed to by var_ptrif (var == *var_ptr) printf("ok\n");

Review of Pointers in C:Example



Some examples follow:

// allocate an integer with malloc// the result must be coerced into an (int *):var_ptr = (int *) malloc(sizeof(int));*var_ptr = 4;

// free the memoryfree(var_ptr);




// declare a structuretypedef struct { int int_field; double dbl_field;} my_struct_type;

// allocate a structure on the heapmy_struct_type *s;s = (my_struct_type *) malloc(sizeof(my_struct_type));// initialize fields of ss->int_field = 0;s->dbl_field = 0.0;


systems-level prosystems-level programminggramming


Making and Using Bad References

A common bug is to dereference a pointer that does not point where you want it to point.

In this situation, the best thing that can happen is that the pointer ends up pointing to some invalid memory location.




The worst thing that can happen is that some random memory location is modified and the program keeps running.

- return address

- other variables Eventually, the program may crash without a

hint as to what went wrong: the final program location and the corrupted data may be completely unrelated to the bug.

- difficult to debug



Where do bad pointers come from? - One source is uninitialized data. pointer could hav

e any value.

int sum(int a[], int n){ int *p; int sum = 0; for (int i = 0; i < n; i++) sum += *p++;}




A common bug is to pass a variable rather than an address to scanf(), a function that reads ASCII data and converts it to various common data formats:

// read an integer and a double from standard input:

int i; double d; scanf("%d %g", i, d); // wrong!!! What will happ

en ? // here is the correct call: scanf("%d %g", &i, &d);




Overwriting Memory

Sometimes pointers are initially correct, but the programmer performs pointer arithmetic and manages to address memory incorrectly.

#define array_size 100 int *a = (int *) malloc(sizeof(int *) * array_size); for (int i = 0; i <= array_size; i++)

a[i] = NULL;This might corrupt the heap or overwrite

some other data in the program.



Sometimes, programmers forget that strings are terminated by a zero byte.

char *heapify_string(char *s) { int len = strlen(s); char *new_s = (char *) malloc(len); strcpy(new_s, s); return new_s; }

Overwriting Memory



There are many ways to construct pointers to the wrong memory address or to write data beyond the last address of a data object.

These errors are especially easy to make in C, and they can lead to hard-to-find bugs if corrupted data is not discovered until much later in the program execution.

Summary



Twice free

Most memory allocators assume that you call free once (eventually) for each block of memory allocated.

- If you free a pointer to something that is not in the heap or something that is already free, bad things can happen to the heap.

memory allocation time can be critical to program performance, so few if any checks are made at run time.



Twice free

The following program accidentally frees the same pointer twice:

void my_write(x) { ... use x ... free(x); } int *x = (int *) malloc(sizeof(int*) * N); ... my_read(x); ... my_write(x); free(x); //oops, x is freed in my_write()!



Always make sure allocated memory blocks are freed once and only once,

If a pointer is copied, you must make sure that no copy of the pointer will be used again after you free the block.

Twice free:Summary



It’s all right for programs that perform a specific task and then exit

- allocate but do not free Programs that run for long periods of time will

allocate more and more memory until either memory is exhausted or performance is so bad that the program must be terminated.

- Operating systems - Web servers

Memory Leaks



The failure to deallocate a block of memory when it is no longer needed is often called a memory leak.

memory leaks cause memory blocks to "disappear" from the address space.

void my_function(char *msg) { // allocate space for a string char *full_msg = (char *) malloc(strlen(msg) + 100); strcpy(full_msg, "The following error was encountered: "); strcat(full_msg, msg); if (!display(full_msg)) return; ... free(full_msg); }

Memory Leaks



Memory leaks can cause programs to grow in size until they no longer function. Memory leaks occur when:

Programmers simply forget to free memory.

Error or unusual returns skip the code that was intended to free memory.

Only top-level parts of a nested structure are freed.

Memory Leaks:Summary



Memory Allocators as Debugging Tools debuggers are good for is where a program t

ries to use a NULL pointer. dereferencing a NULL pointer generates a n

on-existent memory error. A debugger can tell you where the error occ

urred and what pointer variable was used.

Memory Allocators as Debugging Tools



There are a number of memory allocators designed to detect memory allocation bugs.

By recording extra information about blocks and to check that information for consistency whenever a block is allocated or freed.




The extra information may include:

The file name and line number where the allocation occurred.

The status: whether the block is allocated or free.

Padding before and after the block. Links to other blocks. An allocation sequence number.




uses a macro to redefine malloc. - Redefining procedures using macros is a handy techni

que

#define malloc(size) my_malloc(size, __FILE__, __LINE__)




many compilers come with libraries that assist with debugging.

Microsoft's Visual C++ 6.0, includes special debugging support in the debug version of the C++ libraries.

extra bookkeeping information includes: A pointer to the previously allocated block, A pointer to the next allocated block, The source file name and line number where

the allocation originated, An allocation sequence number, A buffer filled with the constant 0xFD to catch

overwrites.




This information can be used to detect memory leaks and other problems.

The programmer can call _CrtCheckMemory() to check the integrity of the debug heap.

The heap can be checked automatically at every allocation operation by setting the _CRTDBG_CHECK_ALWAYS_DF flag using the _CrtSetDbgFlag function.

This will slow down execution, so it is normally disabled. See the Visual C++ documentation for details on using these functions.




Debugging versions of malloc and commercial run-time error detection systems can be much more powerful

If you use your own memory allocator, you can build a debugging version to help find memory bugs.

If you use the built-in memory allocator, you can probably benefit from one of the commercial run-time error detection systems.

Summary



Garbage Collection

Mark Sweep Garbage Collection

Copying Garbage Collection

Reference Counting

Summary



One reason there are memory allocation errors is that memory allocation requires the programmer to obey( 服从 ) certain rules: allocate memory before using it, free memory eventually but only once, and do not read or write except to allocated m

emory.

Garbage Collection





Mark Sweep Garbage Collectionfollow pointers from global variables, from the stack, and

Now within this initial set of reachable blocks of memory, there may be pointers to more blocks.

These pointers are also followed and any new blocks found are added to the "reachable" set.

finally, all pointers in the "reachable" set point to blocks in the "reachable" set.




the Mark Sweep garbage collection algorithm: Find the set of processor registers and global

variables that store pointers to the heap. For each pointer found, mark the block pointed to (set the mark bit), and put the block on a list of blocks to be processed.

Remove a block from this list of blocks. For each pointer inside the block, find the block pointed to. If that block is not already marked, set its mark bit and put that block on the list of blocks to be processed.

Repeat the previous step until there are no more blocks on the list. Now, every block that is reachable has its mark bit set.




Mark Sweep



Sweep phase:

For each block in the heap, inspect the mark bit. If the bit is set, clear the bit. If the bit is not set and the block is not free, free the block and clear the bit.

all unreachable blocks have been freed, and all mark bits are cleared.




Divided Heap two parts; Copy one part to another part in sometime.

Copying Garbage Collection



every block of memory includes an integer reference count that records the number of pointers that directly point to the block.

Reference counts are set to one when a block is allocated.

If the pointer is copied from one memory location to another, the reference count is incremented.

If a pointer to a block is overwritten with another pointer or NULL, the reference count of the block is decremented.

If a reference count is zero, then there are no remaining pointers to the block, so it is freed.

When a block is freed, all pointers within the block become unallocated memory, so you must decrement the counts of blocks that these pointers point to.

Reference Counting



Garbage collection automatically reclaims memory that can no longer be referenced by the program. Languages with garbage collection are generally restrictive in terms of what can be done with pointers and types. On the other hand, it is generally faster to program in these languages than in C or C++.

The most basic garbage collector is the Mark Sweep Collector, where pointers are followed to discover which blocks are reachable, and then nonreachable blocks are freed.

Reference Counting is perhaps even simpler: a counter keeps track of how many pointers reference a block, and when the count goes to zero, the block is freed. Reference counting implementations are error-prone because it is easy to forget to update a reference.

summary



1.Which of the following are true about statically allocated data in C programs?

I. Its location is chosen by the compiler. II. Its location may change during execution if more

memory is required. III. Its location is not known directly but can be

found in a static symbol table. (a) I only.

(b) III only.(c) II and III only.(d) I and II only.

Quiz



2.In C, local variables allocated inside functions are allocated

(a) in the heap(b) on the stack(c) in static storage(d) in a fifo

Quiz



3.Suppose a compiler uses static storage to store all variables, function parameters, saved registers, and return addresses. Which of the following language features can this compiler support?

I. Local variables. II. Function calls.

III. Recursion. (a) II only

(b) I, II, and III(c) I and II only(d) I only

Quiz



4.Which of the following features apply to standard heap allocation in C?

I. The size of heap objects must be known at compile time.

II. Heap memory must be explicitly allocated. III. Heap memory is deallocated when a function retur

ns. (a) I and II only.

(b) I only.(c) II only.(d) I and III.

Quiz



5.The key feature of implicit memory management is that memory is freed automatically. Which of the following features of C make(s) it difficult to add support for implicit memory management in C?

I. Pointers are not always initialized. II. Type casting makes it impossible to know when a value

could be a pointer. III. C programs can allocate memory at runtime. (a) III only

(b) II only(c) I and II only(d) I only

Quiz

Memory Bugs Unit 3 Memory Layout and Allocation. system level programming Software College Northeastern University 2 Several Uses of Memory Static Allocation.

Documents

int b b

based allocation

variable int

int bazint b

stack frame

int bar

false int

truefor int