malloc_g misunderstanding

Alain_Bonnefoy2 · February 2, 2001, 7:44am

Hi,
I have 2 questions about malloc_g functions.

Because of a bug in my application, I had to use malloc_g library to
track a memory leakage, and I didn’t really understand the result.
My application is a multithreaded resource manager.

I choosed to write the malloc_dump_unreferenced(1, 1) in my
xxx_ocb_free() function.

In my main(), I allocate the thread pool atribute structure, pointed by
a global pointer. Like that:

#ifdef NDEBUG
if ((pool_attr_p = calloc(1, sizeof(thread_pool_attr_t))) == NULL) {

#else
if ((pool_attr_p = debug_calloc(basename(FILE), LINE, 1,
sizeof(thread_pool_attr_t))) == NULL) {
#endif

As I understood, the malloc_g library gives the unreachables memory
area, so why does it give me the memory area pointed by pool_attr_p , a
global pointer, (I verified that this pointer was still good when
malloc_dump_unreferenced() was executed)?

POINTER FILE WHERE LINE ALLOC DATA HEX
DUMP
TO DATA ALLOCATED NUMBER FUNCT LENGTH OF BYTES
1-7

…
804F494 fct_nto.c 27 calloc(1) 68 …
…

What is the number between parenthesis?

My bug was in the following function:

int read_record(record_buffer_t *record_buffer_ptr, data_hash_t
*data_hash) {
int return_value = 0;
char *buffer_read;

#ifdef NDEBUG
buffer_read = malloc(data_hash->record_len+1);
#else
buffer_read = debug_malloc(basename(FILE), LINE,
data_hash->record_len+1);
#endif

if ((status = readblock(fd_database, (size_t) 1,
data_hash->record_offset, data_hash->record_len, buffer_read)) == -1) {
return_value = errno;
log_critical_error("%s, %s, %d: (readblock) %s
%s\n",basename(FILE),LINE, “”, errno);
} else {
buffer_read[data_hash->record_len] = ‘\0’;
split_database_record(&buffer_read_ptr, record_buffer);
}

#ifdef NDEBUG
free(buffer_read);
#else
debug_free(basename(FILE), LINE, buffer_read);
#endif

return (return_value);
}

I didn’t take care about that the function split_database_record()
returned a null pointer.
So, free() couldn’t give the buffer back to the heap.
My question is; as the buffer is allocated by a malloc_g function with
the FILE and LINE macros, why these informations were not given
in the Dump of Unreferenced Heap elements?

Thanks,
Alain.

Steve_Furr · February 6, 2001, 4:06pm

In article <3A7A655A.45700EA3@icbt.com>,
Alain Bonnefoy <alain.bonnefoy@icbt.com> wrote:

--------------F333DCF7D4B324C705DDCA44
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

Hi,
I have 2 questions about malloc_g functions.

Because of a bug in my application, I had to use malloc_g library to
track a memory leakage, and I didn’t really understand the result.
My application is a multithreaded resource manager.

I choosed to write the malloc_dump_unreferenced(1, 1) in my
xxx_ocb_free() function.

In my main(), I allocate the thread pool atribute structure, pointed by
a global pointer. Like that:

#ifdef NDEBUG
if ((pool_attr_p = calloc(1, sizeof(thread_pool_attr_t))) == NULL) {

#else
if ((pool_attr_p = debug_calloc(basename(FILE), LINE, 1,
sizeof(thread_pool_attr_t))) == NULL) {
#endif

As I understood, the malloc_g library gives the unreachables memory
area, so why does it give me the memory area pointed by pool_attr_p , a
global pointer, (I verified that this pointer was still good when
malloc_dump_unreferenced() was executed)?

It’s important to remember that, because of raw pointer access and
the like of compiler assistance, a 100% accurate leak trace isn’t really
possible, so an analysis of the heap dump is recommended. Conservative
pointer estimation is used to ameliorate the effects of inner pointers
and pointers contained in structures.

Before going further, did pool_attr_p actually point to 0x804f494
at the time?

The major thing that would impact your example is the construction of the
root set (since everything must be reachable from the root set).
The determination of the root set is complicated by several factors,
and a situation like this would depend on where pool_attr_p was defined.
Was it a global (extern) or a static variable? Perhaps more importantly,
was it in the executable or a shared library?

To construct the root set, malloc_g consults the dynamic link map
to find all the libraries linked against and looks for the extents
of the _data and _bss sections. After that it adds all the thread stacks.

If yours is in the executable that may explain something, if
the executable itself isn’t included in the link map. Please let me
know.

POINTER FILE WHERE LINE ALLOC DATA HEX
DUMP
TO DATA ALLOCATED NUMBER FUNCT LENGTH OF BYTES
1-7

…
804F494 fct_nto.c 27 calloc(1) 68 …
…

What is the number between parenthesis?

That is a sequence number for allocation requests, indicating which
occurrence of the particular function the request was. i.e. this
was the first calloc() request.

My bug was in the following function:

int read_record(record_buffer_t *record_buffer_ptr, data_hash_t
*data_hash) {
int return_value = 0;
char *buffer_read;

#ifdef NDEBUG
buffer_read = malloc(data_hash->record_len+1);
#else
buffer_read = debug_malloc(basename(FILE), LINE,
data_hash->record_len+1);
#endif

if ((status = readblock(fd_database, (size_t) 1,
data_hash->record_offset, data_hash->record_len, buffer_read)) == -1) {
return_value = errno;
log_critical_error("%s, %s, %d: (readblock) %s
%s\n",basename(FILE),LINE, “”, errno);
} else {
buffer_read[data_hash->record_len] = ‘\0’;
split_database_record(&buffer_read_ptr, record_buffer);
}

#ifdef NDEBUG
free(buffer_read);
#else
debug_free(basename(FILE), LINE, buffer_read);
#endif

return (return_value);
}

I didn’t take care about that the function split_database_record()
returned a null pointer.
So, free() couldn’t give the buffer back to the heap.
My question is; as the buffer is allocated by a malloc_g function with
the FILE and LINE macros, why these informations were not given
in the Dump of Unreferenced Heap elements?

I may be missing something, but I didn’t see any indication of
what was printed in the dump. The file and line information
is kept in the block header after the allocation and isn’t cleared
except by a call to realloc() or free(), unless the program underruns
the block, corrupting the header, or overruns a neighbouring block.

Thanks,
Alain.

--------------F333DCF7D4B324C705DDCA44
Content-Type: text/html; charset=us-ascii
Content-Transfer-Encoding: 7bit

!doctype html public “-//w3c//dtd html 4.0 transitional//en”
html
font face=“Arial,Helvetica”>Hi,I have 2 questions about
malloc_g functions.Because of a bug in my application,
I had to use malloc_g library to track a memory leakage, and I didn’t really
understand the result.My application is a multithreaded
resource manager.I choosed to write the malloc_dump_unreferenced(1,

in my xxx_ocb_free() function.In my main(), I allocate
the thread pool atribute structure, pointed by a global pointer. Like that:#ifdef NDEBUG if
((pool_attr_p = calloc(1, sizeof(thread_pool_attr_t))) == NULL) {#else if
((pool_attr_p = debug_calloc(basename(FILE), LINE, 1, sizeof(thread_pool_attr_t)))
== NULL) {#endifAs I understood, the malloc_g
library gives the unreachables memory area, so why does it give me the
memory area pointed by pool_attr_p , a global pointer, (I verified that
this pointer was still good when malloc_dump_unreferenced() was executed)?POINTER
FILE WHERE LINE ALLOC
DATA HEX DUMPTO DATA
ALLOCATED NUMBER FUNCT
LENGTH OF BYTES 1-7---------- ---------------
-------- ------------ ----------- ---------------…804F494
fct_nto.c
27 calloc(1)
68 ……What is the number between
parenthesis?My bug was in the following
function:int read_record(record_buffer_t
*record_buffer_ptr, data_hash_t *data_hash) { int return_value
= 0; char *buffer_read; #ifdef NDEBUG buffer_read =
malloc(data_hash->record_len+1);#else buffer_read =
debug_malloc(basename(FILE), LINE, data_hash->record_len+1);#endif if ((status =
readblock(fd_database, (size_t) 1, data_hash->record_offset, data_hash->record_len,
buffer_read)) == -1) { return_value
= errno; log_critical_error("%s,
%s, %d: (readblock) %s %s\n",basename(FILE),LINE, “”, errno); } else { buffer_read[data_hash->record_len]
= ‘\0’; split_database_record(&buffer_read_ptr,
record_buffer); } #ifdef NDEBUG free(buffer_read);#else debug_free(basename(FILE),
LINE, buffer_read);#endif return (return_value);}I didn’t take care about
that the function split_database_record() returned a null pointer.So, free() couldn’t give
the buffer back to the heap.My question is; as the buffer
is allocated by a malloc_g function with the FILE and LINE macros,
why these informations were not given in the Dump of Unreferenced Heap
elements?Thanks,Alain.</html

--------------F333DCF7D4B324C705DDCA44–

–

Steve Furr email: furr@qnx.com
QNX Software Systems, Ltd.

Alain_Bonnefoy2 · February 7, 2001, 9:27am

Steve Furr a écrit :

In article <> 3A7A655A.45700EA3@icbt.com> >,
Alain Bonnefoy <> alain.bonnefoy@icbt.com> > wrote:

--------------F333DCF7D4B324C705DDCA44
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

Hi,
I have 2 questions about malloc_g functions.

Because of a bug in my application, I had to use malloc_g library to
track a memory leakage, and I didn’t really understand the result.
My application is a multithreaded resource manager.

I choosed to write the malloc_dump_unreferenced(1, 1) in my
xxx_ocb_free() function.

In my main(), I allocate the thread pool atribute structure, pointed by
a global pointer. Like that:

#ifdef NDEBUG
if ((pool_attr_p = calloc(1, sizeof(thread_pool_attr_t))) == NULL) {

#else
if ((pool_attr_p = debug_calloc(basename(FILE), LINE, 1,
sizeof(thread_pool_attr_t))) == NULL) {
#endif

As I understood, the malloc_g library gives the unreachables memory
area, so why does it give me the memory area pointed by pool_attr_p , a
global pointer, (I verified that this pointer was still good when
malloc_dump_unreferenced() was executed)?

It’s important to remember that, because of raw pointer access and
the like of compiler assistance, a 100% accurate leak trace isn’t really
possible, so an analysis of the heap dump is recommended. Conservative
pointer estimation is used to ameliorate the effects of inner pointers
and pointers contained in structures.

Before going further, did pool_attr_p actually point to 0x804f494
at the time?

Yes, pool_attr_p points to 0x804f494 from its allocation and still points to this address when I call malloc_dump_unreferenced().
It’s strange that malloc_g kept the information about who made the allocation but loose the information about this pointer still exists.

The major thing that would impact your example is the construction of the
root set (since everything must be reachable from the root set).
The determination of the root set is complicated by several factors,
and a situation like this would depend on where pool_attr_p was defined.
Was it a global (extern) or a static variable?

it’s a global variable

Perhaps more importantly,
was it in the executable or a shared library?

Yes it’s allocated by a malloc_g in a function called main() and I call malloc_dump_unreferenced in thread created by a pool.

To construct the root set, malloc_g consults the dynamic link map
to find all the libraries linked against and looks for the extents
of the _data and _bss sections. After that it adds all the thread stacks.

If yours is in the executable that may explain something, if
the executable itself isn’t included in the link map. Please let me
know.

What do you want I verify exactly?

POINTER FILE WHERE LINE ALLOC DATA HEX
DUMP
TO DATA ALLOCATED NUMBER FUNCT LENGTH OF BYTES
1-7

…
804F494 fct_nto.c 27 calloc(1) 68 …
…

What is the number between parenthesis?

That is a sequence number for allocation requests, indicating which
occurrence of the particular function the request was. i.e. this
was the first calloc() request.

My bug was in the following function:

int read_record(record_buffer_t *record_buffer_ptr, data_hash_t
*data_hash) {
int return_value = 0;
char *buffer_read;

#ifdef NDEBUG
buffer_read = malloc(data_hash->record_len+1);
#else
buffer_read = debug_malloc(basename(FILE), LINE,
data_hash->record_len+1);
#endif

if ((status = readblock(fd_database, (size_t) 1,
data_hash->record_offset, data_hash->record_len, buffer_read)) == -1) {
return_value = errno;
log_critical_error("%s, %s, %d: (readblock) %s
%s\n",basename(FILE),LINE, “”, errno);
} else {
buffer_read[data_hash->record_len] = ‘\0’;
split_database_record(&buffer_read_ptr, record_buffer);
}

#ifdef NDEBUG
free(buffer_read);
#else
debug_free(basename(FILE), LINE, buffer_read);
#endif

return (return_value);
}

I didn’t take care about that the function split_database_record()
returned a null pointer.
So, free() couldn’t give the buffer back to the heap.
My question is; as the buffer is allocated by a malloc_g function with
the FILE and LINE macros, why these informations were not given
in the Dump of Unreferenced Heap elements?

I may be missing something, but I didn’t see any indication of
what was printed in the dump. The file and line information
is kept in the block header after the allocation and isn’t cleared
except by a call to realloc() or free(), unless the program underruns
the block, corrupting the header, or overruns a neighbouring block.

Yes, you’re right, the complete dump is:

Dump of Unreferenced Heap Elements
************************ Dump of Leaked Heap Memory *************************

ARENA 804f000, size 16384: