[llvm-dev] Eliminating global memory roots (or not) to help leak checkers

Fangrui Song via llvm-dev llvm-dev at lists.llvm.org
Wed Apr 14 15:22:39 PDT 2021


The motivation in https://reviews.llvm.org/D69428 was a function pointer
example. A function pointer should not point to an allocated object, so
ignoring it for root-set semantics is totally fine.

D69428 extended the function pointer cases to non-function-pointer
cases, which can be problematic.

On 2021-04-14, Nuno Lopes via llvm-dev wrote:
>Most (all?) leak checkers support suppression files. Isn’t that sufficient for your use case?
>
>Marking your leak roots with __attribute__((used)) is also an alternative.
>
>I understand that leaking memory on purpose happens because it’s expensive to clean it up. But reachable memory may well be a true leak. So flagging it as such is useful. None of us has data about the % of reachable memory that is a true leak, so it’s not possible to argue what’s user friendly/hostile.

As is, many code patterns in various projects can be affected by the
aggressive optimization. They may use a global pointer referencing an
allocated object as a replacement for a global variable with a
non-trivial destructor ([[clang::no_destroy]] :). Dynamic destruction is
not ordered across translation units; this can lead to all sorts of
static finalization order fiasco problems. If there are threads not
joined at exit time, some threads may access objects which have been
destructed.

In addition, the leak checker may be registered as an atexit callback
instead of running after all destructors have run.
If the leak checker is registered by atexit, normally it runs before
destructors. Even if you have sophisticated destructors which deallocate
objects properly, if you ignore them as roots, the checker will report
false positives.

>Programs that leak memory on purpose are often sophisticated. And sophisticated devs can handle a little bit of extra effort to hide those smarts I think.
>
>Nuno
>
>P.S.: The original patch went in almost a decade ago when the ecosystem was a bit less developed. It was always meant to be temporary.
>
>From: Sterling Augustine
>Sent: 14 April 2021 17:39
>To: llvm-dev <llvm-dev at lists.llvm.org>
>Subject: [llvm-dev] Eliminating global memory roots (or not) to help leak checkers
>
>[Continuing discussion from https://reviews.llvm.org/D69428]
>
>LLVM is fairly conservative when eliminating global variables (or fields of such) that may point to dynamically allocated memory. This behavior is entirely to help leak checking tools such as Valgrind, Google's HeapLeakChecker, and LSAN, all of which treat memory that is reachable at exit as "not leaked", even though it will never be freed. Without these global variables to hold the pointer, the leak checkers can't determine that it is actually reachable, and will report a leak. Global variables that dynamically allocate memory but don't clean themselves up are fairly common in the wild, and various leak checkers have long not reported errors.
>
>This behavior was added all the way back in 2012 in https://lists.llvm.org/pipermail/llvm-commits/Week-of-Mon-20120625/145646.html.
>
>https://reviews.llvm.org/D69428 removed this behavior, and I subsequently reverted it when many internal Google tests started failing, but I believe many other users who use leak checking will encounter errors when this hits more mainstream releases.
>
>So: What to do?
>
>Preventing a valid transformation (the global variables are never read and can be eliminated) to help the leak checkers leaves some performance and code size on the table. Just how much is unclear.
>
>On the other hand, having leak checkers suddenly start reporting failures where they didn't before also seems suboptimal. Cleaning this somewhat common scenario up is surprisingly difficult at the user level.
>
>Some possibilities:
>
>1. Only do this at high optimization levels, say -O3. This would give aggressive users all the performance we can, but also make leak checkers report leaks sometimes, but not others.
>
>2. Hide it behind a flag or configurable option. Users who care can set it as they prefer. Creates more confusing options, different testing matrices and such, but everyone can get the behaviour that they want.
>
>3. Do it all the time, and users who encounter issues can clean up their code. Users get the most performance they possibly can, but have to clean up code or drop leak checking. Seems a little user hostile.
>
>Other possibilities?:
>

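The exit-time ordering described in the reply above (an atexit-registered checker running before destructors), as an added example that is not part of the original thread. `Cache`, `fake_leak_check` and `exit_order` are hypothetical names, the "checker" is only a stand-in that inspects one pointer, and the code assumes POSIX `fork`/`pipe` and a hook registered after the global has been constructed.

```cpp
// Added illustration (not from the thread): exit-time ordering of an
// atexit-registered checker versus a global object's destructor.
#include <cstdlib>
#include <cstring>
#include <string>
#include <sys/wait.h>
#include <unistd.h>

static int g_report_fd = -1;  // pipe write end; only set in the forked child

static void emit(const char* s) {
    if (g_report_fd >= 0 && write(g_report_fd, s, strlen(s)) < 0) { /* ignore */ }
}

// Hypothetical global whose destructor frees its heap block properly.
struct Cache {
    int* buf = new int[16];
    ~Cache() { delete[] buf; buf = nullptr; emit("dtor:freed;"); }
};
static Cache g_cache;  // constructed before main(); destructor queued then

// Stand-in for a leak checker's exit hook: records whether the block is
// still allocated at the moment the hook runs.
static void fake_leak_check() {
    emit(g_cache.buf ? "check:block-still-live;" : "check:block-freed;");
}

// Runs the exit sequence in a child process and returns the observed order.
std::string exit_order() {
    int fds[2];
    if (pipe(fds) != 0) return "";
    pid_t pid = fork();
    if (pid < 0) return "";
    if (pid == 0) {
        close(fds[0]);
        g_report_fd = fds[1];
        atexit(fake_leak_check);  // registered after g_cache was constructed
        exit(0);                  // handlers run in reverse registration order
    }
    close(fds[1]);
    std::string out;
    char chunk[64];
    ssize_t n;
    while ((n = read(fds[0], chunk, sizeof chunk)) > 0)
        out.append(chunk, static_cast<size_t>(n));
    close(fds[0]);
    waitpid(pid, nullptr, 0);
    return out;
}

int main() { return exit_order() == "check:block-still-live;dtor:freed;" ? 0 : 1; }
```

When the hook runs, the block is still allocated and is referenced only through the global `g_cache`, so a checker that did not count that global as a root would report it even though the destructor frees it moments later.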