dynamic memory alloca/on: advanced concepts

Carnegie Mellon

1 BryantandO’Hallaron,ComputerSystems:AProgrammer’sPerspec;ve,ThirdEdi;on

DynamicMemoryAlloca/on:AdvancedConcepts15-213:Introduc;ontoComputerSystems 20thLecture,Nov.5,2015

Instructors:RandalE.BryantandDavidR.O’Hallaron

Carnegie Mellon


Today¢  Explicitfreelists ¢  Segregatedfreelists¢  Garbagecollec/on¢  Memory-relatedperilsandpiBalls

Carnegie Mellon


KeepingTrackofFreeBlocks¢  Method1:Implicitfreelistusinglength—linksallblocks

¢  Method2:Explicitfreelistamongthefreeblocksusingpointers

¢  Method3:Segregatedfreelist

§  Differentfreelistsfordifferentsizeclasses

¢  Method4:Blockssortedbysize§  Canuseabalancedtree(e.g.Red-Blacktree)withpointerswithineach

freeblock,andthelengthusedasakey

5 4 26

5 4 26

Carnegie Mellon


ExplicitFreeLists

¢  Maintainlist(s)offreeblocks,notallblocks§  The“next”freeblockcouldbeanywhere

§  Soweneedtostoreforward/backpointers,notjustsizes§  S;llneedboundarytagsforcoalescing§  Luckilywetrackonlyfreeblocks,sowecanusepayloadarea

Size

Payloadandpadding

a

Size a

Size a

Size a

Next

Prev

Allocated(asbefore) Free

Carnegie Mellon


ExplicitFreeLists¢  Logically:

¢  Physically:blockscanbeinanyorder

A B C

4 4 4 4 66 44 4 4

Forward(next)links

Back(prev)links

A B

C

Carnegie Mellon


Alloca/ngFromExplicitFreeLists

Before

A:er

= malloc(…)

(withspli>ng)

conceptualgraphic

Carnegie Mellon


FreeingWithExplicitFreeLists¢  InserAonpolicy:Whereinthefreelistdoyouputanewly

freedblock?¢  LIFO(last-in-first-out)policy

§  Insertfreedblockatthebeginningofthefreelist§  Pro:simpleandconstant;me§  Con:studiessuggestfragmenta;onisworsethanaddressordered

¢  Address-orderedpolicy§  Insertfreedblockssothatfreelistblocksarealwaysinaddressorder:

addr(prev)<addr(curr)<addr(next)§  Con:requiressearch§  Pro:studiessuggestfragmenta;onislowerthanLIFO

Carnegie Mellon


FreeingWithaLIFOPolicy(Case1)

¢  Insertthefreedblockattherootofthelist

free( )

Root

Root

Before

A:er

conceptualgraphic

Carnegie Mellon



¢  Spliceoutsuccessorblock,coalescebothmemoryblocksandinsertthenewblockattherootofthelist

free( )

Root

Before

Root

A:er

conceptualgraphic

Carnegie Mellon



¢  Spliceoutpredecessorblock,coalescebothmemoryblocks,andinsertthenewblockattherootofthelist

free( )

Root

Root

Before

A:er

conceptualgraphic

Carnegie Mellon



¢  Spliceoutpredecessorandsuccessorblocks,coalesceall3memoryblocksandinsertthenewblockattherootofthelist

free( )

Root

Before

Root

A:er

conceptualgraphic

Carnegie Mellon


ExplicitListSummary¢  Comparisontoimplicitlist:

§  Allocateislinear;meinnumberoffreeblocksinsteadofallblocks§  Muchfasterwhenmostofthememoryisfull

§  Slightlymorecomplicatedallocateandfreesinceneedstospliceblocksinandoutofthelist

§  Someextraspaceforthelinks(2extrawordsneededforeachblock)§  Doesthisincreaseinternalfragmenta;on?

¢  Mostcommonuseoflinkedlistsisinconjunc/onwithsegregatedfreelists§  Keepmul;plelinkedlistsofdifferentsizeclasses,orpossiblyfor

differenttypesofobjects

Carnegie Mellon


KeepingTrackofFreeBlocks¢  Method1:Implicitlistusinglength—linksallblocks

¢  Method2:Explicitlistamongthefreeblocksusingpointers

¢  Method3:Segregatedfreelist

§  Differentfreelistsfordifferentsizeclasses

¢  Method4:Blockssortedbysize§  Canuseabalancedtree(e.g.Red-Blacktree)withpointerswithineach

freeblock,andthelengthusedasakey

5 4 26

5 4 26

Carnegie Mellon



Carnegie Mellon


SegregatedList(Seglist)Allocators¢  Eachsizeclassofblockshasitsownfreelist

¢  O\enhaveseparateclassesforeachsmallsize¢  Forlargersizes:Oneclassforeachtwo-powersize

1-2

3

4

5-8

9-inf

Carnegie Mellon


SeglistAllocator¢  Givenanarrayoffreelists,eachoneforsomesizeclass

¢  Toallocateablockofsizen:§  Searchappropriatefreelistforblockofsizem>n§  Ifanappropriateblockisfound:

§  Splitblockandplacefragmentonappropriatelist(op;onal)§  Ifnoblockisfound,trynextlargerclass§  Repeatun;lblockisfound

¢  Ifnoblockisfound:§  Requestaddi;onalheapmemoryfromOS(usingsbrk())§  Allocateblockofnbytesfromthisnewmemory§  Placeremainderasasinglefreeblockinlargestsizeclass.

Carnegie Mellon


SeglistAllocator(cont.)¢  Tofreeablock:

§  Coalesceandplaceonappropriatelist

¢  Advantagesofseglistallocators§  Higherthroughput

§  log;meforpower-of-twosizeclasses§  Be^ermemoryu;liza;on

§  First-fitsearchofsegregatedfreelistapproximatesabest-fitsearchofen;reheap.

§  Extremecase:Givingeachblockitsownsizeclassisequivalenttobest-fit.

Carnegie Mellon


MoreInfoonAllocators

¢  D.Knuth,“TheArtofComputerProgramming”,2ndedi/on,AddisonWesley,1973§  Theclassicreferenceondynamicstoragealloca;on

¢  Wilsonetal,“DynamicStorageAllocaAon:ASurveyandCriAcalReview”,Proc.1995Int’lWorkshoponMemoryManagement,Kinross,Scotland,Sept,1995.§  Comprehensivesurvey§  AvailablefromCS:APPstudentsite(csapp.cs.cmu.edu)

Carnegie Mellon



Carnegie Mellon


ImplicitMemoryManagement:GarbageCollec/on¢  GarbagecollecAon:automa/creclama/onofheap-allocated

storage—applica/onneverhastofree

¢  Commoninmanydynamiclanguages:§  Python,Ruby,Java,Perl,ML,Lisp,Mathema;ca

¢  Variants(“conserva/ve”garbagecollectors)existforCandC++§  However,cannotnecessarilycollectallgarbage

void foo() { int *p = malloc(128); return; /* p block is now garbage */ }

Carnegie Mellon


GarbageCollec/on¢  Howdoesthememorymanagerknowwhenmemorycanbe

freed?§  Ingeneralwecannotknowwhatisgoingtobeusedinthefuturesinceit

dependsoncondi;onals§  Butwecantellthatcertainblockscannotbeusedifthereareno

pointerstothem

¢  Mustmakecertainassump/onsaboutpointers§  Memorymanagercandis;nguishpointersfromnon-pointers§  Allpointerspointtothestartofablock§  Cannothidepointers

(e.g.,bycoercingthemtoanint,andthenbackagain)

Carnegie Mellon


ClassicalGCAlgorithms¢  Mark-and-sweepcollec/on(McCarthy,1960)

§  Doesnotmoveblocks(unlessyoualso“compact”)

¢  Referencecoun/ng(Collins,1960)§  Doesnotmoveblocks(notdiscussed)

¢  Copyingcollec/on(Minsky,1963)§  Movesblocks(notdiscussed)

¢  Genera/onalCollectors(LiebermanandHewii,1983)§  Collec;onbasedonlife;mes

§  Mostalloca;onsbecomegarbageverysoon§  Sofocusreclama;onworkonzonesofmemoryrecentlyallocated

¢  Formoreinforma/on:JonesandLin,“GarbageCollecAon:AlgorithmsforAutomaAcDynamicMemory”,JohnWiley&Sons,1996.

Carnegie Mellon


MemoryasaGraph¢  Weviewmemoryasadirectedgraph

§  Eachblockisanodeinthegraph§  Eachpointerisanedgeinthegraph§  Loca;onsnotintheheapthatcontainpointersintotheheaparecalled

rootnodes(e.g.registers,loca;onsonthestack,globalvariables)

Rootnodes

Heapnodes

Not-reachable(garbage)

reachable

Anode(block)isreachableifthereisapathfromanyroottothatnode.

Non-reachablenodesaregarbage(cannotbeneededbytheapplica/on)

Carnegie Mellon


MarkandSweepCollec/ng¢  Canbuildontopofmalloc/freepackage

§  Allocateusingmallocun;lyou“runoutofspace”¢  Whenoutofspace:

§  Useextramarkbitintheheadofeachblock§  Mark:Startatrootsandsetmarkbitoneachreachableblock§  Sweep:Scanallblocksandfreeblocksthatarenotmarked

A:ermark Markbitset

A:ersweep freefree

root

Beforemark

Note:arrowsheredenote

memoryrefs,notfreelistptrs.

Carnegie Mellon


Assump/onsForaSimpleImplementa/on¢  Applica/on§  new(n):returnspointertonewblockwithallloca;onscleared§  read(b,i):readloca;oniofblockbintoregister§  write(b,i,v): writevintoloca;oniofblockb

¢  Eachblockwillhaveaheaderword§  addressedasb[-1],forablockb §  Usedfordifferentpurposesindifferentcollectors

¢  Instruc/onsusedbytheGarbageCollector§  is_ptr(p):determineswhetherpisapointer§  length(b):returnsthelengthofblockb,notincludingtheheader§  get_roots():returnsalltheroots

Carnegie Mellon


MarkandSweep(cont.)

ptr mark(ptr p) { if (!is_ptr(p)) return; // do nothing if not pointer if (markBitSet(p)) return; // check if already marked setMarkBit(p); // set the mark bit for (i=0; i < length(p); i++) // call mark on all words mark(p[i]); // in the block return; }

Markusingdepth-firsttraversalofthememorygraph

Sweepusinglengthstofindnextblockptr sweep(ptr p, ptr end) { while (p < end) { if markBitSet(p) clearMarkBit(); else if (allocateBitSet(p)) free(p); p += length(p); }

Carnegie Mellon


Conserva/veMark&SweepinC¢  A“conserva/vegarbagecollector”forCprograms

§  is_ptr()determinesifawordisapointerbycheckingifitpointstoanallocatedblockofmemory

§  But,inCpointerscanpointtothemiddleofablock

¢  Sohowtofindthebeginningoftheblock?§  Canuseabalancedbinarytreetokeeptrackofallallocatedblocks(key

isstart-of-block)§  Balanced-treepointerscanbestoredinheader(usetwoaddi;onal

words)

Headerptr

Head Data

Le\ Right

SizeLe\:smalleraddressesRight:largeraddresses

Carnegie Mellon



Carnegie Mellon


Memory-RelatedPerilsandPiBalls¢  Dereferencingbadpointers¢  Readingunini/alizedmemory¢  Overwri/ngmemory¢  Referencingnonexistentvariables¢  Freeingblocksmul/ple/mes¢  Referencingfreedblocks¢  Failingtofreeblocks

Carnegie Mellon


CoperatorsOperators AssociaAvity() [] -> . ledtoright! ~ ++ -- + - * & (type) sizeof righttoled* / % ledtoright+ - ledtoright<< >> ledtoright< <= > >= ledtoright== != ledtoright& ledtoright^ ledtoright| ledtoright&& ledtoright|| ledtoright?: righttoled= += -= *= /= %= &= ^= != <<= >>= righttoled, ledtoright

¢  ->,(),and[]havehighprecedence,with*and&justbelow¢  Unary+, -,and*havehigherprecedencethanbinaryforms

Source:K&Rpage53

Carnegie Mellon


CPointerDeclara/ons:TestYourself!int *p int *p[13] int *(p[13]) int **p int (*p)[13] int *f() int (*f)() int (*(*f())[13])() int (*(*x[3])())[5]

pisapointertoint

pisanarray[13]ofpointertoint

pisanarray[13]ofpointertoint

pisapointertoapointertoanint

pisapointertoanarray[13]ofint

fisafunc;onreturningapointertoint

fisapointertoafunc;onreturningint

fisafunc;onreturningptrtoanarray[13]ofpointerstofunc;onsreturningint

xisanarray[3]ofpointerstofunc;onsreturningpointerstoarray[5]ofints

Source:K&RSec5.12

Carnegie Mellon


DereferencingBadPointers¢  Theclassicscanfbug

int val; ... scanf(“%d”, val);

Carnegie Mellon


ReadingUnini/alizedMemory¢  Assumingthatheapdataisini/alizedtozero

/* return y = Ax */ int *matvec(int **A, int *x) { int *y = malloc(N*sizeof(int)); int i, j; for (i=0; i<N; i++) for (j=0; j<N; j++) y[i] += A[i][j]*x[j]; return y; }

Carnegie Mellon


Overwri/ngMemory¢  Alloca/ngthe(possibly)wrongsizedobject

int **p; p = malloc(N*sizeof(int)); for (i=0; i<N; i++) { p[i] = malloc(M*sizeof(int)); }

Carnegie Mellon


Overwri/ngMemory¢  Off-by-oneerror

int **p; p = malloc(N*sizeof(int *)); for (i=0; i<=N; i++) { p[i] = malloc(M*sizeof(int)); }

Carnegie Mellon


Overwri/ngMemory¢  Notcheckingthemaxstringsize

¢  Basisforclassicbufferoverflowaiacks

char s[8]; int i; gets(s); /* reads “123456789” from stdin */

Carnegie Mellon


Overwri/ngMemory¢  Misunderstandingpointerarithme/c

int *search(int *p, int val) { while (*p && *p != val) p += sizeof(int); return p; }

Carnegie Mellon


Overwri/ngMemory¢  Referencingapointerinsteadoftheobjectitpointsto

int *BinheapDelete(int **binheap, int *size) { int *packet; packet = binheap[0]; binheap[0] = binheap[*size - 1]; *size--; Heapify(binheap, *size, 0); return(packet); }

Carnegie Mellon


ReferencingNonexistentVariables¢  Forgerngthatlocalvariablesdisappearwhenafunc/on

returns

int *foo () { int val; return &val; }

Carnegie Mellon


FreeingBlocksMul/pleTimes¢  Nasty!

x = malloc(N*sizeof(int)); <manipulate x> free(x); y = malloc(M*sizeof(int)); <manipulate y> free(x);

Carnegie Mellon


ReferencingFreedBlocks¢  Evil!

x = malloc(N*sizeof(int)); <manipulate x> free(x); ... y = malloc(M*sizeof(int)); for (i=0; i<M; i++) y[i] = x[i]++;

Carnegie Mellon


FailingtoFreeBlocks(MemoryLeaks)¢  Slow,long-termkiller!

foo() { int *x = malloc(N*sizeof(int)); ... return; }

Carnegie Mellon


FailingtoFreeBlocks(MemoryLeaks)¢  Freeingonlypartofadatastructure

struct list { int val; struct list *next; }; foo() { struct list *head = malloc(sizeof(struct list)); head->val = 0; head->next = NULL; <create and manipulate the rest of the list> ... free(head); return; }

Carnegie Mellon


DealingWithMemoryBugs¢  Debugger:gdb

§  Goodforfindingbadpointerdereferences§  Hardtodetecttheothermemorybugs

¢  Datastructureconsistencychecker§  Runssilently,printsmessageonlyonerror§  Useasaprobetozeroinonerror

¢  Binarytranslator:valgrind§  Powerfuldebuggingandanalysistechnique§  Rewritestextsec;onofexecutableobjectfile§  Checkseachindividualreferenceatrun;me

§  Badpointers,overwrites,refsoutsideofallocatedblock

¢  glibcmalloccontainscheckingcode§  setenv MALLOC_CHECK_ 3

dynamic memory alloca/on: advanced concepts

Documents