Debugging memory leaks

How to turn on refcnt/memory logging

Assuming you have a build with refcnt logging enabled (we'll tell you how to do that next), here's what you have to do to use it. All of the following environment variables can be set to any of these values:

• 1 - log to stdout
• 2 - log to stderr
• filename - write log to a file

The log environment variables are:

XPCOM_MEM_BLOAT_LOG

If this environment variable is set then xpcom will use the "bloat" trackers. The bloat trackers gather data for the BloatView output that occurs when the program exits, when about:bloat is loaded, or a call to nsTraceRefcnt::DumpStatistics is made.

When an addref/release/ctor/dtor call is made, the data is logged and attributed to the particular data type.

By default enabling this environment variable will cause the BloatView software to dump out the entire database of collected data. If all you want to see is that data for objects that leaked, set the environment variable XPCOM_MEM_LEAK_LOG.

XPCOM_MEM_LEAK_LOG

This is basically a subset of XPCOM_MEM_BLOAT_LOG, and only shows classes that had object that were leaked, instead of statistics for all classes.

XPCOM_MEM_REFCNT_LOG

Setting this environment variable enables refcount tracing.
Only enable this for severe pain (unless you are using refcount tracing or leaky, see below). What this does is to enable logging (to stdout) of each and every call to addref/release without discrimination to the types involved. The output includes mapping the call-stacks at the time of the call to symbolic forms (on platforms that support this) and thus will be *very* *VERY* *VERY* slow. Did I say slow? It is not as slow when using XPCOM_MEM_LOG_CLASSES and XPCOM_MEM_LOG_OBJECTS

XPCOM_MEM_COMPTR_LOG

This environment variable enables logging of additions and releases of objects into nsCOMPtrs. This is currently only enabled on Linux.

XPCOM_MEM_ALLOC_LOG

For losing architectures (those that don't have stack-crawl software written for them), xpcom supports logging at the *call site* to AddRef/Release using the usual cpp __FILE__ and __LINE__ number macro expansion hackery. This results in slower code, but at least you get *some* data about where the leaks might be occurring from.

XPCOM_MEM_LEAKY_LOG

For platforms that support leaky, xpcom will endeavor to find at run time the symbols __log_addref and __log_release and if found, instead of doing the slow painful stack crawls at program execution time instead it will pass the buck to the leaky software. This will allow your program to actually run in user friendly real time, but does require that your platform support leaky. Currently only linux supports leaky.

In addition, the following variable may be set to a list of class names:

XPCOM_MEM_LOG_CLASSES

Instead of slowing to a useless halt, instead you can slow to a mere crawl by using this option. When enabled, the xpcom logging software will look for the XPCOM_MEM_LOG_CLASSES environment variable (for platforms that support getenv). The variable contains a comma separated list of names which will be used to compare against the type's of the objects being logged. For example:

 env XPCOM_MEM_LOG_CLASSES=nsWebShell XPCOM_MEM_REFCNT_LOG=1 ./apprunner

will show you just the AddRef/Release calls to instances of nsWebShell while running apprunner. Note that setting XPCOM_MEM_LOG_CLASSES will also list the serial number of each object that leaked in the "bloat log" (that is, the file specified by the XPCOM_MEM_BLOAT_LOG variable). An object's serial number is simply a unique number, starting at one, that is assigned to the object when it is allocated.

You may use an object's serial number with the following variable to further restrict the reference count tracing:

XPCOM_MEM_LOG_OBJECTS

Set this variable to a comma-separated list of object serial number or ranges of serial number, e.g., 1,37-42,73,165 (serial numbers start from 1, not 0). When this is set, along with XPCOM_MEM_LOG_CLASSES and XPCOM_MEM_REFCNT_LOG, a stack track will be generated for only the specific objects that you list. For example,

 env XPCOM_MEM_LOG_CLASSES=nsWebShell XPCOM_MEM_LOG_OBJECTS=2 XPCOM_MEM_REFCNT_LOG=1 ./apprunner

will dump stack traces to the console for the 2nd nsWebShell object that gets allocated, and nothing else.

BloatView

BloatView dumps out per-class statistics on allocations and refcounts, and provides gross numbers on the amount of memory being leaked broken down by class. Here's a sample of the BloatView output:

   BloatView: ALL (cumulative) LEAK AND BLOAT STATISTICS
    |<------Class----->|<-----Bytes------>|<----------------Objects---------------->|<--------------References-------------->|
                         Per-Inst   Leaked    Total      Rem      Mean       StdDev     Total      Rem      Mean       StdDev
  0 TOTAL                     193  2480436   316271    12852 ( 5377.07  /-  5376.38)   410590    16079 ( 2850.93  /-  2849.79)
  1 StyleSetImpl               32        0        8        0 (    3.88  /-     3.15)     6304        0 (    7.18  /-     6.63)
  2 SinkContext                32        0       19        0 (    1.87  /-     1.04)        0        0 (    0.00  /-     0.00)
  3 nsXPCClasses               12        0        2        0 (    1.00  /-     0.71)       41        0 (    5.57  /-     4.98)
  4 NameSpaceURIKey             8       72      158        9 (    8.16  /-     7.62)        0        0 (    0.00  /-     0.00)
  5 nsSupportsArray            36    11304     2581      314 (  477.13  /-   476.53)     9223      314 (  579.23  /-   578.64)
  6 nsView                     96        0       57        0 (   27.64  /-    26.98)        0        0 (    0.00  /-     0.00)
  7 nsEnderDocumentObser       12        0        1        0 (    0.50  /-     0.87)        1        0 (    0.50  /-     0.87)

Here's how you interpret the columns:

• Class - The name of the class in question. (Warning: The class name is truncated to 20 characters.)
• Bytes Per-Inst - The number of bytes returned if you were to write sizeof(Class). Note that this number does not reflect any memory held onto by the class, such as internal buffers, etc. (E.g. for nsStr -- you're seeing the size of the header struct, not the size of the string!)
• Bytes Leaked - The number of bytes per instance times the number of objects leaked (Bytes Per-Inst * Objects Rem). Use this number to look for the worst offenders. (Should be zero!)
• Objects Total - The total count of objects allocated of a given class.
• Objects Rem - The number of objects allocated of a given class that weren't deleted. (Should be zero!)
• Objects Mean - The mean (average) number of objects of a given class across the lifetime of the run. Data points are taken whenever new and delete are called (not at regular intervals).
• Objects StdDev - The standard deviation in the mean number of objects allocated.
• References Total - The total number of AddRefs performed on a given class.
• References Rem - The number of references on a given class that weren't Released. (Should be zero!)
• References Mean - The mean (average) number of references to a given class across the lifetime of the run. Data points are taken whenever AddRef and Release are called (not at regular intervals).
• References StdDev - The standard deviation in the mean number of references

Interesting things to look for:

• Are your classes in the list? - Look! If they aren't, then you're not using the NS_IMPL_ADDREF and NS_IMPL_RELEASE (or NS_IMPL_ISUPPORTS which calls them) for xpcom objects, or MOZ_COUNT_CTOR and MOZ_COUNT_DTOR for non-xpcom objects. Not having your classes in the list is not ok. That means no one is looking at them, and we won't be able to tell if someone introduces a leak. (see [#Instrumenting below] for how to fix this)
• The Bytes Leaked for your classes should be zero! - Need I say more? If it isn't, you should use the other tools to fix it.
• The number of objects remaining might be equal to the total number of objects. This could indicate a hand-written Release method (that doesn't use the NS_LOG_RELEASE macro from nsTraceRefcnt.h), or perhaps you're just not freeing any of the instances you've allocated. These sorts of leaks are easy to fix.
• The total number of objects might be 1. This might indicate a global variable or service. Usually this will have a large number of refcounts.
• The number of refcounts might equal the total number of objects. This class might be a candidate for a non-xpcom object (but be very cautious about changing this if it implements any interfaces besides nsISupports).
• The mean number of objects is much lower than the total. This indicates a few objects of this class are allocated and then freed, as opposed to the opposite case where there's a big build-up of instances that are all freed together (perhaps at the end of the program).

You can also dump out bloat statistics interactively by typing about:bloat in the location bar, or by using the menu items under the QA menu in debug builds. Note that you need to have the XPCOM_MEM_BLOAT_LOG or XPCOM_MEM_LEAK_LOG envirionment variable defined first. You can also type about:bloat?new to get a log since the last time you called it, or about:bloat?clear to clear the current set of statistics completely (use this option with caution as it can result in what look like negative refcounts, etc). Whenever these options are used, the log data is dumped to a file relative to the program's directory:

 bloatlogs/all-1999-10-16-010302.txt (a complete log resulting from the about:bloat command)
 bloatlogs/new-1999-10-16-010423.txt (an incremental log resulting from the about:bloat?new command)

 Bloat/Leak Delta Report
 Current file:  dist/win32_D.OBJ/bin/bloatlogs/all-1999-10-22-133450.txt
 Previous file: dist/win32_D.OBJ/bin/bloatlogs/all-1999-10-16-010302.txt
 --------------------------------------------------------------------------
 CLASS                     LEAKS       delta      BLOAT       delta
 --------------------------------------------------------------------------
 TOTAL                   6113530       2.79%   67064808       9.18%
 StyleContextImpl         265440      81.19%     283584     -26.99%
 CToken                   236500      17.32%     306676      20.64%
 nsStr                    217760      14.94%    5817060       7.63%
 nsXULAttribute           113048     -70.92%     113568     -71.16%
 LiteralImpl               53280      26.62%      75840      19.40%
 nsXULElement              51648       0.00%      51648       0.00%
 nsProfile                 51224       0.00%      51224       0.00%
 nsFrame                   47568     -26.15%      48096     -50.49%
 CSSDeclarationImpl        42984       0.67%      43488       0.67%

Boehm GC Leak Detector

more...

Refcount Tracing

Refcount tracing is used to capture stack traces of AddRef and Release calls to use with the Refcount Balancer. It is best to set the XPCOM_MEM_REFCNT_LOG environment variable to point to a file when using it.

See Refcount Balancer for more information. Also see the tutorial on finding leaks of XPCOM objects.

Trace Malloc

TraceMalloc captures stack traces of all malloc, calloc , realloc, and free calls (this currently covers all operator new and delete calls in Mozilla, too). To enable TraceMalloc in your build, configure with --enable-trace-malloc. Run the resulting mozilla with --trace-malloc filename as an argument, and a binary log of events and callsite relations will be written to filename . If filename is -, nothing is written, but the TraceMalloc machinery keeps track of all live allocations, and builds its tree of callsites to keep book on stack backtraces.

Tools such as bloatblame (tools/trace-malloc/bloatblame.c) can be used to process filename. Try running with the unified output format option, -u. The output is a large HTML file that hyperlinks ancestor and descendent libraries, classes, and functions that call into one another, attributing malloc blame up and down each graph. Bloatblame accumulates allocation counts, and ignores free calls.

If you run with --trace-malloc -, your code can call NS_TraceMallocDumpAllocations(pathname) at opportune times, and a human-readable listing of the current heap, including stack traces for every allocation, will be written to pathname. This file can be post-processed by tools in mozilla/tools/trace-malloc as follows:

• histogram.pl, which produces a type histogram that can be diffed with histogram-diff.sh to produce output that looks like this:
• **

                        ---- Base ----   ---- Incr ----   ----- Difference ----
Type                    Count    Bytes   Count    Bytes   Count    Bytes %Total
TOTAL                   48942  4754774   76136  6566453   27194  1811679 100.00
nsTokenAllocator           17   110007      60   388260      43   278253  15.36
nsImageGTK                476  2197708     341  2366564    -135   168856   9.32
nsMemCacheRecord          843    45767    2328   124767    1485    79000   4.36
nsTextNode                209    11704    1614    90384    1405    78680   4.34
HTMLAttributesImpl        482    14288    2824    88400    2342    74112   4.09
nsScanner                  58    76824      94   146300      36    69476   3.83
nsScriptError             253    25070     842    91548     589    66478   3.67
nsHTMLDocument.mReferrer    177    21550     691    85460     514    63910   3.53
nsHTMLValue               139     7846    1215    68734    1076    60888   3.36
HTMLContentSink             6     4816      12    57782       6    52966   2.92

• uncategorized.pl, which lists all the void* allocations (the ones that couldn't be categorized by type), sorted by size.

Also, your JavaScript can call the following DOM window methods:

• TraceMallocDisable() - turn off tracing, first flushing any buffered log events for all log files.
• TraceMallocEnable() - turn on tracing.
• TraceMallocOpenLogFile(filename) - open a new log file and return its log file descriptor (or -1 on error).
• TraceMallocChangeLogFD(logfd) - change the current log file to the one identified by logfd, returning the previous fd (so you can maintain a number of open files; keep their fds in a JS Array!).wa
• TraceMallocCloseLogFD(logfd) - close the log file identified by logfd, flushing its buffer of any events first. If logfd identifies the current log file, change the current log file to the default log file given by the --trace-malloc command line argument.
• TraceMallocLogTimestamp(caption) - log a timestamp event to the current log file, annotating the log even with the caption string.
• TraceMallocDumpAllocations(pathname) - dump a human-readable listing of all traced, live allocations.

See nsTraceMalloc.h for detailed comments on the log file format.

Leaky

 setenv LD_PRELOAD ../lib/libleaky.so   #assumes you execute apprunner/viewer in the dist/bin directory
 setenv LIBMALLOC_LOG 8                 #tells leaky to log addref/release calls
 setenv XPCOM_MEM_LEAKY_LOG 1           #use leaky
 setenv XPCOM_MEM_LOG_CLASSES "a,b,c"   #the list of types you care about

 nsWebShell      0x81189f8       Release 5
 nsWebShell::Release(void) 0x59
 nsCOMPtr<nsIContentViewerContainer>::~nsCOMPtr(void) 0x34
 nsChannelListener::OnStartRequest(nsIChannel *, nsISupports *) 0x550
 nsFileChannel::OnStartRequest(nsIChannel *, nsISupports *) 0x7b
 nsOnStartRequestEvent::HandleEvent(void) 0x46
 nsStreamListenerEvent::HandlePLEvent(PLEvent *) 0x62
 PL_HandleEvent 0x57
 PL_ProcessPendingEvents 0x90
 nsEventQueueImpl::ProcessPendingEvents(void) 0x1d
 nsAppShell::SetDispatchListener(nsDispatchListener *) 0x3e
 gdk_get_show_events 0xbb
 g_io_add_watch 0xaa
 g_get_current_time 0x136
 g_get_current_time 0x6f1
 g_main_run 0x81
 gtk_main 0xb9
 nsAppShell::Run(void) 0x245
 nsAppShell::Run(void) 0xc7a92ede
 nsAppShell::Run(void) 0xc7a9317c
 __libc_start_main 0xeb

Purify

more...

How to build xpcom with refcnt/memory logging

Built into xpcom is the ability to support the debugging of memory leaks. By default, an optimized build of xpcom has this disabled. Also by default, the debug builds have the logging facilities enabled. You can control either of these options by changing environment variables before you build mozilla:

FORCE_BUILD_REFCNT_LOGGING

If this is defined then regardless of the type of build, refcnt logging (and related memory debugging) will be enabled in the build.

NO_BUILD_REFCNT_LOGGING

If this is defined then regardless of the type of build or of the setting of the FORCE_BUILD_REFCNT_LOGGING, no refcnt logging will be enabled and no memory debugging will be enabled. This variable overrides FORCE_BUILD_REFCNT_LOGGING.

The remaining discussion assumes that one way or another that xpcom has been built with refcnt/memory logging enabled.

How to instrument your objects for refcnt/memory logging

First, if your object is an xpcom object and you use the NS_IMPL_ADDREF and NS_IMPL_RELEASE (or a variation thereof) macro to implement your AddRef and Release methods, then there is nothing you need do. By default, those macros support refcnt logging directly.

If your object is not an xpcom object then some manual editing is in order. The following sample code shows what must be done:

 MyType::MyType()
 {
     MOZ_COUNT_CTOR(MyType);
 }

 MyType::~MyType()
 {
     MOZ_COUNT_DTOR(MyType);
 }

What are those macros doing for me anyway?

NS_IMPL_ADDREF has this additional line in it:

 NS_LOG_ADDREF(this, mRefCnt, #_class, sizeof(*this));

What this is doing is logging the AddRef call using XPCOM's nsTraceRefcnt class. The implementation of that macro is:

 #define NS_LOG_ADDREF(_p, _rc, _type, _size) \
     nsTraceRefcnt::LogAddRef((_p), (_rc), (_type), (PRUint32) (_size))

Which as you can see just passes the buck to nsTraceRefcnt. nsTraceRefcnt implements the logging support and will track addref/release/ctor/dtor calls in a database that it builds up as the program is executing. In a similar manner, NS_IMPL_RELEASE uses NS_LOG_RELEASE which uses nsTraceRefcnt::LogRelease.

For the MOZ_COUNT_CTOR and MOZ_COUNT_DTOR macros the expansion boils down to calls to nsTraceRefcnt::LogCtor and nsTraceRefcnt::LogDtor calls. Again, the type of the object is passed in as well as the sizeof of all the data type.

 #define MOZ_COUNT_CTOR(_type) \
     PR_BEGIN_MACRO \
         nsTraceRefcnt::LogCtor((void*)this, #_type, sizeof(*this)); \
     PR_END_MACRO

 #define MOZ_COUNT_DTOR(_type) \
     PR_BEGIN_MACRO \
         nsTraceRefcnt::LogDtor((void*)this, #_type, sizeof(*this));
     PR_END_MACRO