Re: [PATCH 00/40] Memory allocation profiling

From: Tejun Heo
Date: Wed May 03 2023 - 12:36:04 EST

Next message: Frederic Weisbecker: "Re: [tip: timers/core] timers/nohz: Switch to ONESHOT_STOPPED in the low-res handler when the tick is stopped"
Previous message: Yue Zhao: "[PATCH 1/1][For stable 5.4] mm: migrate: buffer_migrate_page_norefs() fallback migrate not uptodate pages"
In reply to: Steven Rostedt: "Re: [PATCH 00/40] Memory allocation profiling"
Next in thread: Suren Baghdasaryan: "Re: [PATCH 00/40] Memory allocation profiling"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Hello, Kent.

On Wed, May 03, 2023 at 04:05:08AM -0400, Kent Overstreet wrote:
> No, we're still waiting on the tracing people to _demonstrate_, not
> claim, that this is at all possible in a comparable way with tracing.

So, we (meta) happen to do stuff like this all the time in the fleet to hunt
down tricky persistent problems like memory leaks, ref leaks, what-have-you.
In recent kernels, with kprobe and BPF, our ability to debug these sorts of
problems has improved a great deal. Below, I'm attaching a bcc script I used
to hunt down, IIRC, a double vfree. It's not exactly for a leak but leaks
can follow the same pattern.

There are of course some pros and cons to this approach:

Pros:

* The framework doesn't really have any runtime overhead, so we can have it
deployed in the entire fleet and debug wherever problem is.

* It's fully flexible and programmable which enables non-trivial filtering
and summarizing to be done inside kernel w/ BPF as necessary, which is
pretty handy for tracking high frequency events.

* BPF is pretty performant. Dedicated built-in kernel code can do better of
course but BPF's jit compiled code & its data structures are fast enough.
I don't remember any time this was a problem.

Cons:

* BPF has some learning curve. Also the fact that what it provides is a wide
open field rather than something scoped out for a specific problem can
make it seem a bit daunting at the beginning.

* Because tracking starts when the script starts running, it doesn't know
anything which has happened upto that point, so you gotta pay attention to
handling e.g. handling frees which don't match allocs. It's kinda annoying
but not a huge problem usually. There are ways to build in BPF progs into
the kernel and load it early but I haven't experiemnted with it yet
personally.

I'm not necessarily against adding dedicated memory debugging mechanism but
do wonder whether the extra benefits would be enough to justify the code and
maintenance overhead.

Oh, a bit of delta but for anyone who's more interested in debugging
problems like this, while I tend to go for bcc
(https://github.com/iovisor/bcc) for this sort of problems. Others prefer to
write against libbpf directly or use bpftrace
(https://github.com/iovisor/bpftrace).

Thanks.

#!/usr/bin/env bcc-py

import bcc
import time
import datetime
import argparse
import os
import sys
import errno

description = """
Record vmalloc/vfrees and trigger on unmatched vfree
"""

bpf_source = """
#include <uapi/linux/ptrace.h>
#include <linux/vmalloc.h>

struct vmalloc_rec {
unsigned long ptr;
int last_alloc_stkid;
int last_free_stkid;
int this_stkid;
bool allocated;
};

BPF_STACK_TRACE(stacks, 8192);
BPF_HASH(vmallocs, unsigned long, struct vmalloc_rec, 131072);
BPF_ARRAY(dup_free, struct vmalloc_rec, 1);

int kpret_vmalloc_node_range(struct pt_regs *ctx)
{
unsigned long ptr = PT_REGS_RC(ctx);
uint32_t zkey = 0;
struct vmalloc_rec rec_init = { };
struct vmalloc_rec *rec;
int stkid;

if (!ptr)
return 0;

stkid = stacks.get_stackid(ctx, 0);

rec_init.ptr = ptr;
rec_init.last_alloc_stkid = -1;
rec_init.last_free_stkid = -1;
rec_init.this_stkid = -1;

rec = vmallocs.lookup_or_init(&ptr, &rec_init);
rec->allocated = true;
rec->last_alloc_stkid = stkid;
return 0;
}

int kp_vfree(struct pt_regs *ctx, const void *addr)
{
unsigned long ptr = (unsigned long)addr;
uint32_t zkey = 0;
struct vmalloc_rec rec_init = { };
struct vmalloc_rec *rec;
int stkid;

stkid = stacks.get_stackid(ctx, 0);

rec_init.ptr = ptr;
rec_init.last_alloc_stkid = -1;
rec_init.last_free_stkid = -1;
rec_init.this_stkid = -1;

rec = vmallocs.lookup_or_init(&ptr, &rec_init);
if (!rec->allocated && rec->last_alloc_stkid >= 0) {
rec->this_stkid = stkid;
dup_free.update(&zkey, rec);
}

rec->allocated = false;
rec->last_free_stkid = stkid;
return 0;
}
"""

bpf = bcc.BPF(text=bpf_source)
bpf.attach_kretprobe(event="__vmalloc_node_range", fn_name="kpret_vmalloc_node_range");
bpf.attach_kprobe(event="vfree", fn_name="kp_vfree");
bpf.attach_kprobe(event="vfree_atomic", fn_name="kp_vfree");

stacks = bpf["stacks"]
vmallocs = bpf["vmallocs"]
dup_free = bpf["dup_free"]
last_dup_free_ptr = dup_free[0].ptr

def print_stack(stkid):
for addr in stacks.walk(stkid):
sym = bpf.ksym(addr)
print(' {}'.format(sym))

def print_dup(dup):
print('allocated={} ptr={}'.format(dup.allocated, hex(dup.ptr)))
if (dup.last_alloc_stkid >= 0):
print('last_alloc_stack: ')
print_stack(dup.last_alloc_stkid)
if (dup.last_free_stkid >= 0):
print('last_free_stack: ')
print_stack(dup.last_free_stkid)
if (dup.this_stkid >= 0):
print('this_stack: ')
print_stack(dup.this_stkid)

while True:
time.sleep(1)

if dup_free[0].ptr != last_dup_free_ptr:
print('\nDUP_FREE:')
print_dup(dup_free[0])
last_dup_free_ptr = dup_free[0].ptr

Next message: Frederic Weisbecker: "Re: [tip: timers/core] timers/nohz: Switch to ONESHOT_STOPPED in the low-res handler when the tick is stopped"
Previous message: Yue Zhao: "[PATCH 1/1][For stable 5.4] mm: migrate: buffer_migrate_page_norefs() fallback migrate not uptodate pages"
In reply to: Steven Rostedt: "Re: [PATCH 00/40] Memory allocation profiling"
Next in thread: Suren Baghdasaryan: "Re: [PATCH 00/40] Memory allocation profiling"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]