SlideShare a Scribd company logo

Session - Debugging memory stomps and other atrocities - Stefan Reinalter - Technology

Download as PPTX, PDF
Expert Insight
Expert Insight

The document discusses common memory-related bugs in games such as memory leaks, stack overflows, and memory overwrites. It provides examples of each bug and recommends remedies like using bounds checking, static code analysis tools, and memory tracking to debug issues. Debugging optimized builds is also discussed, emphasizing the importance of understanding compiler optimizations and assembly code. Hardware breakpoints and page protection are presented as techniques for finding random memory overwrites.

Technology
1 of 43
Game Connection 2012 Debugging memory stomps and molecular-matters.com other atrocities
molecular-matters.com Motivation  People make mistakes  In relation to memory allocations, mistakes can be fatal
molecular-matters.com Common mistakes  Forgetting to initialize class members  Code then relies on garbage or stale values  Writing out-of-bounds  Reading out-of-bounds  Memory leaks
molecular-matters.com Common mistakes (cont'd)  Stack overflows  Seldom in main thread  More often in other threads  Memory overwrites  Off-by-one  Wrong casting  Reference & pointer to temporary  Dangling pointers
molecular-matters.com Possible outcomes  From best to worst  Compile error, warning  Analysis tool error, warning  Assertion  Consistent crash or corruption  Random, unpredictable crash  Crashes after N hours of gameplay  Seemingly works, crashes at certification
molecular-matters.com Class member initialization  Non-initialized members get garbage  Whatever the memory content is  Lucky case  Leads to a crash later  Unlucky case  Works, but not as intended  Subtle bugs N frames later
Class member initialization (cont'd) molecular-matters.com  Extra painful with pool allocators  Most recently freed entry is re-used  Members point to stale data  Remedy  Crank up compiler warning level  Fill memory with distinct pattern when allocating  Fill memory with distinct pattern when freeing  Use static code analysis tools
molecular-matters.com Fill patterns  If you can, do not fill with zero  Hides bugs and uninitialized pointer members  E.g. delete 0 still works, but pointer was never initialized  Often not possible when dealing with legacy code  Fill with „uncommon“ values  Numerically odd  Unused address range  E.g. 0xCD, 0xFD, 0xAB
molecular-matters.com Writing out-of-bounds  Could stomp unrelated data  Could stomp allocator book-keeping data  Could write to non-committed memory  Lucky case  Immediate crash  Unlucky case  Weird behaviour N frames later
molecular-matters.com Writing out-of-bounds (cont'd)  Remedy  Bounds checking  Insert guard bytes at the front and back of each allocation  Use static code analysis tools  Use page access protection
molecular-matters.com Reading out-of-bounds  Reads garbage data  Garbage could lead to crash later  Read operation itself could also crash  Very rare, reading from protected page  Worst case  Goes unnoticed for months  Seldomly crashes
Reading out-of-bounds (cont'd) molecular-matters.com  Remedy  Bounds checking, somewhat insufficient  At least the garbage read is always the same  Use static code analysis tools  Use page access protection
molecular-matters.com Memory leaks  Lead to out-of-memory conditions after hours of playing the game  Can go unnoticed for weeks  Different kinds of leaks  „User-code“ leaks  API leaks  System memory leaks  Logical leaks
molecular-matters.com Memory leaks (cont'd)  Remedy  Memory tracking  Override global new & delete  Or build DIY functions  Hook low-level functions  Disassemble & patch (PC)  Weak functions (consoles)  Compiler-specific wrapping (consoles)  Linker-specific wrapping (--wrap, GCC)  Soak tests
molecular-matters.com Stack overflows  An overflow can stomp single bytes, not just big blocks  Thread stack memory comes from heap  Stomps completely unrelated data  Often lead to immediate crash upon writing  E.g. in function prologue
molecular-matters.com Stack overflows (cont'd)  Debugging help  Find stack start & end  Highly platform-specific  Linker-defined symbols for executable  Fill stack with pattern  Check for pattern at start & end  Each frame  In offending functions
molecular-matters.com Stack overflows (cont'd)
molecular-matters.com Memory overwrites  Off-by-one  Write past the end of an array  0-based vs. 1-based  Debugging tools  Bounds checking  Finds those cases rather quick  Static code analysis tools
molecular-matters.com Memory overwrites (cont'd)  Wrong casting  Multiple inheritance  Implicit conversions to void*  No offsets added  reinterpret_cast  No offsets added  static_cast & dynamic_cast  Correct offsets
molecular-matters.com Memory overwrites (cont'd)  Reference & pointer to temporary  Most compilers will warn  Crank up the warning level  Compilers are tricked easily  Reference vs. const reference  Reference to temp. = illegal  Const ref. to temp. = legal
molecular-matters.com Memory overwrites (cont'd)  Dangling pointers  Point to already freed allocation  Lucky case  Memory page has been decommited  Immediate crash upon access  Unlucky case  Other allocation sits at the same address
molecular-matters.com Debugging optimized builds  Debug builds  printf(), assert(), etc. slow down the application  Hides data races  Crashes in optimized builds  Local variables mostly gone  Not on stack, but in registers (PowerPC!)  Memory window is your friend  Never lies!
Debugging optimized builds (cont‘d) molecular-matters.com  Knowing stack frame layout helps  Parameter passing  Dedicated vs. volatile vs. non-volatile registers  Knowing assembly helps  Knowing class layout helps  V-table pointer, padding, alignment, …  Verify your assumptions!
Debugging optimized builds (cont‘d) molecular-matters.com  Familiarize yourself with  Function prologue  Function epilogue  Function calls  Virtual function calls  Different address ranges  Heap, stack, code, write-combined, …  Study compiler-generated code
Debugging optimized builds (cont‘d) molecular-matters.com  Help from the debugger  Cast any address to pointer-type in watch window  Cast zero into any instance  Work out member offsets  Pseudo variables  @eax, @r1, @err, platform-specific ones  Going back in time  „Set next instruction“
Debugging optimized builds (cont‘d) molecular-matters.com
Debugging optimized builds (cont‘d) molecular-matters.com  Help from the debugger (cont'd)  Crash dumps  Registers  Work backwards from point of crash  Find offsets using debugger  Find this-pointer (+offset) in register, cast in debugger  Memory contents  On-the-fly coding  Nop'ing out instructions  Changing branches
Debugging optimized builds (cont‘d) molecular-matters.com
molecular-matters.com Debugging overwrites  Hardware breakpoints  Supported by debuggers  Supported by all major platforms  x86: Debug registers (DR0-DR7)  PowerPC: Data Access Breakpoint Register (DABR)  Help finding reads & writes  Setting from code helps finding random stomps  CPU only  GPU/SPU/DMA/IO access doesn't trigger
molecular-matters.com Debugging overwrites (cont‘d)  Page protection  Move allocations in question to the start or end of a page  Restrict access to surrounding pages  Needs a lot more memory  Protect free pages  Walk allocations upon freeing memory  Don't re-use recently freed allocations
molecular-matters.com Debugging overwrites (cont'd)  Page protection (cont'd)  Needs virtual memory system  If not available, most platforms offer similar features
molecular-matters.com If all else fails...  Go home, get some sleep  Let your brain do the work  Grab a colleague  Pair debugging  Fresh pair of eyes  Talk to somebody  Non-programmers, other team members  Your family, rubber ducks, ...
molecular-matters.com Yes, rubber ducks!
molecular-matters.com Yes, rubber ducks!
molecular-matters.com That's it! Questions? Contact: stefan.reinalter@molecular-matters. com
molecular-matters.com Bonus slides Memory tracking
molecular-matters.com Memory tracking  Two possibilities  Allocate & free memory with new & delete only  Override global new and delete operators  Static initialization order fiasco  Memory tracker must be instantiated first  Platform-specific tricks needed  Still need to hook other functions  malloc & free  Weak functions or linker function wrapping  Problems with 3rd party libraries doing the same
molecular-matters.com Memory tracking (cont'd)  Static initialization order  Top to bottom in a translation unit  Undefined across translation units  Platform-specific tricks  #pragma init_seg(compiler/lib/user) (MSVC)  __attribute__ ((init_priority (101))) (GCC)  Custom code/linker sections
molecular-matters.com Memory tracking (cont'd)  Other possibility  Disallow new & delete completely  Use custom functions instead  Allows more fine-grained tracking in allocators  Demand explicit startup & shutdown  Harder to do with legacy codebase  Need to hook platform-specific functions  Easier on consoles  Code-patching on PC
molecular-matters.com Memory tracking (cont'd)  Hooking functions  Weak functions (if supported)  Implemented at compiler-level  XMemAlloc (Xbox360)  Function wrapping at linker-level  --wrap (GCC)  __wrap_* & __real_*  Code-patching (Windows)  Disassemble & patch at run-time
molecular-matters.com Memory tracking (cont'd)  Storing allocations  Intrusive  In-place linked list  Changes memory layout  Cannot use debug memory on consoles  External  Associative container, e.g. hash map  Same memory layout as with tracking disabled  Can use debug memory on consoles
molecular-matters.com Memory tracking (cont'd)  Levels of sophistication  Simple counter  File & line & function, size  Full callstack, ID, allocator name, size, …  Tracking granularity  Global, e.g. #ifdef/#endif  Per allocator  More on that later
molecular-matters.com Memory tracking (cont'd)  Finding logical leaks  Snapshot functionality  Capture all live allocations  Compare snapshots e.g. upon level start  Report snapshot differences

Recommended

6.Temp & Rand
6.Temp & Rand6.Temp & Rand
6.Temp & Randphanleson
 
Defcon 22-paul-mcmillan-attacking-the-iot-using-timing-attac
Defcon 22-paul-mcmillan-attacking-the-iot-using-timing-attacDefcon 22-paul-mcmillan-attacking-the-iot-using-timing-attac
Defcon 22-paul-mcmillan-attacking-the-iot-using-timing-attacPriyanka Aash
 
Search for Vulnerabilities Using Static Code Analysis
Search for Vulnerabilities Using Static Code AnalysisSearch for Vulnerabilities Using Static Code Analysis
Search for Vulnerabilities Using Static Code AnalysisAndrey Karpov
 
Defcon 22-colby-moore-patrick-wardle-synack-drop cam
Defcon 22-colby-moore-patrick-wardle-synack-drop camDefcon 22-colby-moore-patrick-wardle-synack-drop cam
Defcon 22-colby-moore-patrick-wardle-synack-drop camPriyanka Aash
 
.Net debugging 2017
.Net debugging 2017.Net debugging 2017
.Net debugging 2017Tess Ferrandez
 
Common asp.net production issues rev
Common asp.net production issues revCommon asp.net production issues rev
Common asp.net production issues revTess Ferrandez
 
Debugging performance issues, memory issues and crashes in .net applications rev
Debugging performance issues, memory issues and crashes in .net applications revDebugging performance issues, memory issues and crashes in .net applications rev
Debugging performance issues, memory issues and crashes in .net applications revTess Ferrandez
 
Anatomy of a Buffer Overflow Attack
Anatomy of a Buffer Overflow AttackAnatomy of a Buffer Overflow Attack
Anatomy of a Buffer Overflow AttackRob Gillen
 

Recommended

6.Temp & Rand
6.Temp & Rand6.Temp & Rand
6.Temp & Randphanleson
 
Defcon 22-paul-mcmillan-attacking-the-iot-using-timing-attac
Defcon 22-paul-mcmillan-attacking-the-iot-using-timing-attacDefcon 22-paul-mcmillan-attacking-the-iot-using-timing-attac
Defcon 22-paul-mcmillan-attacking-the-iot-using-timing-attacPriyanka Aash
 
Search for Vulnerabilities Using Static Code Analysis
Search for Vulnerabilities Using Static Code AnalysisSearch for Vulnerabilities Using Static Code Analysis
Search for Vulnerabilities Using Static Code AnalysisAndrey Karpov
 
Defcon 22-colby-moore-patrick-wardle-synack-drop cam
Defcon 22-colby-moore-patrick-wardle-synack-drop camDefcon 22-colby-moore-patrick-wardle-synack-drop cam
Defcon 22-colby-moore-patrick-wardle-synack-drop camPriyanka Aash
 
.Net debugging 2017
.Net debugging 2017.Net debugging 2017
.Net debugging 2017Tess Ferrandez
 
Common asp.net production issues rev
Common asp.net production issues revCommon asp.net production issues rev
Common asp.net production issues revTess Ferrandez
 
Debugging performance issues, memory issues and crashes in .net applications rev
Debugging performance issues, memory issues and crashes in .net applications revDebugging performance issues, memory issues and crashes in .net applications rev
Debugging performance issues, memory issues and crashes in .net applications revTess Ferrandez
 
Anatomy of a Buffer Overflow Attack
Anatomy of a Buffer Overflow AttackAnatomy of a Buffer Overflow Attack
Anatomy of a Buffer Overflow AttackRob Gillen
 
Session - Debugging memory stomps and other atrocities - Stefan Reinalter - T...
Session - Debugging memory stomps and other atrocities - Stefan Reinalter - T...Session - Debugging memory stomps and other atrocities - Stefan Reinalter - T...
Session - Debugging memory stomps and other atrocities - Stefan Reinalter - T...Mary Chan
 
A Life of breakpoint
A Life of breakpointA Life of breakpoint
A Life of breakpointHajime Morrita
 
.Net Debugging Techniques
.Net Debugging Techniques.Net Debugging Techniques
.Net Debugging TechniquesBala Subra
 
.NET Debugging Tips and Techniques
.NET Debugging Tips and Techniques.NET Debugging Tips and Techniques
.NET Debugging Tips and TechniquesBala Subra
 
Coding for multiple cores
Coding for multiple coresCoding for multiple cores
Coding for multiple coresLee Hanxue
 
Driver Debugging Basics
Driver Debugging BasicsDriver Debugging Basics
Driver Debugging BasicsBala Subra
 
Good++
Good++Good++
Good++Jade Ritchie Annand
 
Chelberg ptcuser 2010
Chelberg ptcuser 2010Chelberg ptcuser 2010
Chelberg ptcuser 2010Clay Helberg
 
Exploring .NET memory management - JetBrains webinar
Exploring .NET memory management - JetBrains webinarExploring .NET memory management - JetBrains webinar
Exploring .NET memory management - JetBrains webinarMaarten Balliauw
 
Java Tools and Techniques for Solving Tricky Problem
Java Tools and Techniques for Solving Tricky ProblemJava Tools and Techniques for Solving Tricky Problem
Java Tools and Techniques for Solving Tricky ProblemWill Iverson
 
Everyone loves PHP
Everyone loves PHPEveryone loves PHP
Everyone loves PHPAbhijit Das
 
How to Build a Pure Evil Magento Module
How to Build a Pure Evil Magento ModuleHow to Build a Pure Evil Magento Module
How to Build a Pure Evil Magento ModuleAOE
 
.NET Fest 2018. Maarten Balliauw. Let’s refresh our memory! Memory management...
.NET Fest 2018. Maarten Balliauw. Let’s refresh our memory! Memory management....NET Fest 2018. Maarten Balliauw. Let’s refresh our memory! Memory management...
.NET Fest 2018. Maarten Balliauw. Let’s refresh our memory! Memory management...NETFest
 
Peyton jones-2011-parallel haskell-the_future
Peyton jones-2011-parallel haskell-the_futurePeyton jones-2011-parallel haskell-the_future
Peyton jones-2011-parallel haskell-the_futureTakayuki Muranushi
 
Simon Peyton Jones: Managing parallelism
Simon Peyton Jones: Managing parallelismSimon Peyton Jones: Managing parallelism
Simon Peyton Jones: Managing parallelismSkills Matter
 
DotNetFest - Let’s refresh our memory! Memory management in .NET
DotNetFest - Let’s refresh our memory! Memory management in .NETDotNetFest - Let’s refresh our memory! Memory management in .NET
DotNetFest - Let’s refresh our memory! Memory management in .NETMaarten Balliauw
 
Big Java Chapter 1
Big Java Chapter 1Big Java Chapter 1
Big Java Chapter 1Maria Joslin
 
Parallel Programming: Beyond the Critical Section
Parallel Programming: Beyond the Critical SectionParallel Programming: Beyond the Critical Section
Parallel Programming: Beyond the Critical SectionTony Albrecht
 
Cassandra as Memcache
Cassandra as MemcacheCassandra as Memcache
Cassandra as MemcacheEdward Capriolo
 
JetBrains Day Seoul - Exploring .NET’s memory management – a trip down memory...
JetBrains Day Seoul - Exploring .NET’s memory management – a trip down memory...JetBrains Day Seoul - Exploring .NET’s memory management – a trip down memory...
JetBrains Day Seoul - Exploring .NET’s memory management – a trip down memory...Maarten Balliauw
 
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfRising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfOrbitshub
 
Platformless Horizons for Digital Adaptability
Platformless Horizons for Digital AdaptabilityPlatformless Horizons for Digital Adaptability
Platformless Horizons for Digital AdaptabilityWSO2
 

More Related Content

Similar to Session - Debugging memory stomps and other atrocities - Stefan Reinalter - Technology

Session - Debugging memory stomps and other atrocities - Stefan Reinalter - T...
Session - Debugging memory stomps and other atrocities - Stefan Reinalter - T...Session - Debugging memory stomps and other atrocities - Stefan Reinalter - T...
Session - Debugging memory stomps and other atrocities - Stefan Reinalter - T...Mary Chan
 
.Net Debugging Techniques
.Net Debugging Techniques.Net Debugging Techniques
.Net Debugging TechniquesBala Subra
 
.NET Debugging Tips and Techniques
.NET Debugging Tips and Techniques.NET Debugging Tips and Techniques
.NET Debugging Tips and TechniquesBala Subra
 
Coding for multiple cores
Coding for multiple coresCoding for multiple cores
Coding for multiple coresLee Hanxue
 
Driver Debugging Basics
Driver Debugging BasicsDriver Debugging Basics
Driver Debugging BasicsBala Subra
 
Chelberg ptcuser 2010
Chelberg ptcuser 2010Chelberg ptcuser 2010
Chelberg ptcuser 2010Clay Helberg
 
Exploring .NET memory management - JetBrains webinar
Exploring .NET memory management - JetBrains webinarExploring .NET memory management - JetBrains webinar
Exploring .NET memory management - JetBrains webinarMaarten Balliauw
 
Java Tools and Techniques for Solving Tricky Problem
Java Tools and Techniques for Solving Tricky ProblemJava Tools and Techniques for Solving Tricky Problem
Java Tools and Techniques for Solving Tricky ProblemWill Iverson
 
Everyone loves PHP
Everyone loves PHPEveryone loves PHP
Everyone loves PHPAbhijit Das
 
How to Build a Pure Evil Magento Module
How to Build a Pure Evil Magento ModuleHow to Build a Pure Evil Magento Module
How to Build a Pure Evil Magento ModuleAOE
 
.NET Fest 2018. Maarten Balliauw. Let’s refresh our memory! Memory management...
.NET Fest 2018. Maarten Balliauw. Let’s refresh our memory! Memory management....NET Fest 2018. Maarten Balliauw. Let’s refresh our memory! Memory management...
.NET Fest 2018. Maarten Balliauw. Let’s refresh our memory! Memory management...NETFest
 
Peyton jones-2011-parallel haskell-the_future
Peyton jones-2011-parallel haskell-the_futurePeyton jones-2011-parallel haskell-the_future
Peyton jones-2011-parallel haskell-the_futureTakayuki Muranushi
 
Simon Peyton Jones: Managing parallelism
Simon Peyton Jones: Managing parallelismSimon Peyton Jones: Managing parallelism
Simon Peyton Jones: Managing parallelismSkills Matter
 
DotNetFest - Let’s refresh our memory! Memory management in .NET
DotNetFest - Let’s refresh our memory! Memory management in .NETDotNetFest - Let’s refresh our memory! Memory management in .NET
DotNetFest - Let’s refresh our memory! Memory management in .NETMaarten Balliauw
 
Big Java Chapter 1
Big Java Chapter 1Big Java Chapter 1
Big Java Chapter 1Maria Joslin
 
Parallel Programming: Beyond the Critical Section
Parallel Programming: Beyond the Critical SectionParallel Programming: Beyond the Critical Section
Parallel Programming: Beyond the Critical SectionTony Albrecht
 
JetBrains Day Seoul - Exploring .NET’s memory management – a trip down memory...
JetBrains Day Seoul - Exploring .NET’s memory management – a trip down memory...JetBrains Day Seoul - Exploring .NET’s memory management – a trip down memory...
JetBrains Day Seoul - Exploring .NET’s memory management – a trip down memory...Maarten Balliauw
 

Similar to Session - Debugging memory stomps and other atrocities - Stefan Reinalter - Technology (20)

Session - Debugging memory stomps and other atrocities - Stefan Reinalter - T...
Session - Debugging memory stomps and other atrocities - Stefan Reinalter - T...Session - Debugging memory stomps and other atrocities - Stefan Reinalter - T...
Session - Debugging memory stomps and other atrocities - Stefan Reinalter - T...
 
A Life of breakpoint
A Life of breakpointA Life of breakpoint
A Life of breakpoint
 
.Net Debugging Techniques
.Net Debugging Techniques.Net Debugging Techniques
.Net Debugging Techniques
 
.NET Debugging Tips and Techniques
.NET Debugging Tips and Techniques.NET Debugging Tips and Techniques
.NET Debugging Tips and Techniques
 
Coding for multiple cores
Coding for multiple coresCoding for multiple cores
Coding for multiple cores
 
Driver Debugging Basics
Driver Debugging BasicsDriver Debugging Basics
Driver Debugging Basics
 
Good++
Good++Good++
Good++
 
Chelberg ptcuser 2010
Chelberg ptcuser 2010Chelberg ptcuser 2010
Chelberg ptcuser 2010
 
Exploring .NET memory management - JetBrains webinar
Exploring .NET memory management - JetBrains webinarExploring .NET memory management - JetBrains webinar
Exploring .NET memory management - JetBrains webinar
 
Java Tools and Techniques for Solving Tricky Problem
Java Tools and Techniques for Solving Tricky ProblemJava Tools and Techniques for Solving Tricky Problem
Java Tools and Techniques for Solving Tricky Problem
 
Everyone loves PHP
Everyone loves PHPEveryone loves PHP
Everyone loves PHP
 
How to Build a Pure Evil Magento Module
How to Build a Pure Evil Magento ModuleHow to Build a Pure Evil Magento Module
How to Build a Pure Evil Magento Module
 
.NET Fest 2018. Maarten Balliauw. Let’s refresh our memory! Memory management...
.NET Fest 2018. Maarten Balliauw. Let’s refresh our memory! Memory management....NET Fest 2018. Maarten Balliauw. Let’s refresh our memory! Memory management...
.NET Fest 2018. Maarten Balliauw. Let’s refresh our memory! Memory management...
 
Peyton jones-2011-parallel haskell-the_future
Peyton jones-2011-parallel haskell-the_futurePeyton jones-2011-parallel haskell-the_future
Peyton jones-2011-parallel haskell-the_future
 
Simon Peyton Jones: Managing parallelism
Simon Peyton Jones: Managing parallelismSimon Peyton Jones: Managing parallelism
Simon Peyton Jones: Managing parallelism
 
DotNetFest - Let’s refresh our memory! Memory management in .NET
DotNetFest - Let’s refresh our memory! Memory management in .NETDotNetFest - Let’s refresh our memory! Memory management in .NET
DotNetFest - Let’s refresh our memory! Memory management in .NET
 
Big Java Chapter 1
Big Java Chapter 1Big Java Chapter 1
Big Java Chapter 1
 
Parallel Programming: Beyond the Critical Section
Parallel Programming: Beyond the Critical SectionParallel Programming: Beyond the Critical Section
Parallel Programming: Beyond the Critical Section
 
Cassandra as Memcache
Cassandra as MemcacheCassandra as Memcache
Cassandra as Memcache
 
JetBrains Day Seoul - Exploring .NET’s memory management – a trip down memory...
JetBrains Day Seoul - Exploring .NET’s memory management – a trip down memory...JetBrains Day Seoul - Exploring .NET’s memory management – a trip down memory...
JetBrains Day Seoul - Exploring .NET’s memory management – a trip down memory...
 

Recently uploaded

Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfRising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfOrbitshub
 
Platformless Horizons for Digital Adaptability
Platformless Horizons for Digital AdaptabilityPlatformless Horizons for Digital Adaptability
Platformless Horizons for Digital AdaptabilityWSO2
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businesspanagenda
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxRustici Software
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Victor Rentea
 
WSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering DevelopersWSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering DevelopersWSO2
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherRemote DBA Services
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc
 
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...apidays
 
Exploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusExploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusZilliz
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyKhushali Kathiriya
 
[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdfSandro Moreira
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MIND CTI
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century educationjfdjdjcjdnsjd
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProduct Anonymous
 
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Angeliki Cooney
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoffsammart93
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodJuan lago vázquez
 
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesrafiqahmad00786416
 
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...apidays
 

Recently uploaded (20)

Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfRising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
 
Platformless Horizons for Digital Adaptability
Platformless Horizons for Digital AdaptabilityPlatformless Horizons for Digital Adaptability
Platformless Horizons for Digital Adaptability
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptx
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
 
WSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering DevelopersWSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering Developers
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
 
Exploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusExploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with Milvus
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 
[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
 
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challenges
 
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
 

Session - Debugging memory stomps and other atrocities - Stefan Reinalter - Technology

  • 1. Game Connection 2012 Debugging memory stomps and molecular-matters.com other atrocities
  • 2. molecular-matters.com Motivation  People make mistakes  In relation to memory allocations, mistakes can be fatal
  • 3. molecular-matters.com Common mistakes  Forgetting to initialize class members  Code then relies on garbage or stale values  Writing out-of-bounds  Reading out-of-bounds  Memory leaks
  • 4. molecular-matters.com Common mistakes (cont'd)  Stack overflows  Seldom in main thread  More often in other threads  Memory overwrites  Off-by-one  Wrong casting  Reference & pointer to temporary  Dangling pointers
  • 5. molecular-matters.com Possible outcomes  From best to worst  Compile error, warning  Analysis tool error, warning  Assertion  Consistent crash or corruption  Random, unpredictable crash  Crashes after N hours of gameplay  Seemingly works, crashes at certification
  • 6. molecular-matters.com Class member initialization  Non-initialized members get garbage  Whatever the memory content is  Lucky case  Leads to a crash later  Unlucky case  Works, but not as intended  Subtle bugs N frames later
  • 7. Class member initialization (cont'd) molecular-matters.com  Extra painful with pool allocators  Most recently freed entry is re-used  Members point to stale data  Remedy  Crank up compiler warning level  Fill memory with distinct pattern when allocating  Fill memory with distinct pattern when freeing  Use static code analysis tools
  • 8. molecular-matters.com Fill patterns  If you can, do not fill with zero  Hides bugs and uninitialized pointer members  E.g. delete 0 still works, but pointer was never initialized  Often not possible when dealing with legacy code  Fill with „uncommon“ values  Numerically odd  Unused address range  E.g. 0xCD, 0xFD, 0xAB
  • 9. molecular-matters.com Writing out-of-bounds  Could stomp unrelated data  Could stomp allocator book-keeping data  Could write to non-committed memory  Lucky case  Immediate crash  Unlucky case  Weird behaviour N frames later
  • 10. molecular-matters.com Writing out-of-bounds (cont'd)  Remedy  Bounds checking  Insert guard bytes at the front and back of each allocation  Use static code analysis tools  Use page access protection
  • 11. molecular-matters.com Reading out-of-bounds  Reads garbage data  Garbage could lead to crash later  Read operation itself could also crash  Very rare, reading from protected page  Worst case  Goes unnoticed for months  Seldomly crashes
  • 12. Reading out-of-bounds (cont'd) molecular-matters.com  Remedy  Bounds checking, somewhat insufficient  At least the garbage read is always the same  Use static code analysis tools  Use page access protection
  • 13. molecular-matters.com Memory leaks  Lead to out-of-memory conditions after hours of playing the game  Can go unnoticed for weeks  Different kinds of leaks  „User-code“ leaks  API leaks  System memory leaks  Logical leaks
  • 14. molecular-matters.com Memory leaks (cont'd)  Remedy  Memory tracking  Override global new & delete  Or build DIY functions  Hook low-level functions  Disassemble & patch (PC)  Weak functions (consoles)  Compiler-specific wrapping (consoles)  Linker-specific wrapping (--wrap, GCC)  Soak tests
  • 15. molecular-matters.com Stack overflows  An overflow can stomp single bytes, not just big blocks  Thread stack memory comes from heap  Stomps completely unrelated data  Often lead to immediate crash upon writing  E.g. in function prologue
  • 16. molecular-matters.com Stack overflows (cont'd)  Debugging help  Find stack start & end  Highly platform-specific  Linker-defined symbols for executable  Fill stack with pattern  Check for pattern at start & end  Each frame  In offending functions
  • 18. molecular-matters.com Memory overwrites  Off-by-one  Write past the end of an array  0-based vs. 1-based  Debugging tools  Bounds checking  Finds those cases rather quick  Static code analysis tools
  • 19. molecular-matters.com Memory overwrites (cont'd)  Wrong casting  Multiple inheritance  Implicit conversions to void*  No offsets added  reinterpret_cast  No offsets added  static_cast & dynamic_cast  Correct offsets
  • 20. molecular-matters.com Memory overwrites (cont'd)  Reference & pointer to temporary  Most compilers will warn  Crank up the warning level  Compilers are tricked easily  Reference vs. const reference  Reference to temp. = illegal  Const ref. to temp. = legal
  • 21. molecular-matters.com Memory overwrites (cont'd)  Dangling pointers  Point to already freed allocation  Lucky case  Memory page has been decommited  Immediate crash upon access  Unlucky case  Other allocation sits at the same address
  • 22. molecular-matters.com Debugging optimized builds  Debug builds  printf(), assert(), etc. slow down the application  Hides data races  Crashes in optimized builds  Local variables mostly gone  Not on stack, but in registers (PowerPC!)  Memory window is your friend  Never lies!
  • 23. Debugging optimized builds (cont‘d) molecular-matters.com  Knowing stack frame layout helps  Parameter passing  Dedicated vs. volatile vs. non-volatile registers  Knowing assembly helps  Knowing class layout helps  V-table pointer, padding, alignment, …  Verify your assumptions!
  • 24. Debugging optimized builds (cont‘d) molecular-matters.com  Familiarize yourself with  Function prologue  Function epilogue  Function calls  Virtual function calls  Different address ranges  Heap, stack, code, write-combined, …  Study compiler-generated code
  • 25. Debugging optimized builds (cont‘d) molecular-matters.com  Help from the debugger  Cast any address to pointer-type in watch window  Cast zero into any instance  Work out member offsets  Pseudo variables  @eax, @r1, @err, platform-specific ones  Going back in time  „Set next instruction“
  • 26. Debugging optimized builds (cont‘d) molecular-matters.com
  • 27. Debugging optimized builds (cont‘d) molecular-matters.com  Help from the debugger (cont'd)  Crash dumps  Registers  Work backwards from point of crash  Find offsets using debugger  Find this-pointer (+offset) in register, cast in debugger  Memory contents  On-the-fly coding  Nop'ing out instructions  Changing branches
  • 28. Debugging optimized builds (cont‘d) molecular-matters.com
  • 29. molecular-matters.com Debugging overwrites  Hardware breakpoints  Supported by debuggers  Supported by all major platforms  x86: Debug registers (DR0-DR7)  PowerPC: Data Access Breakpoint Register (DABR)  Help finding reads & writes  Setting from code helps finding random stomps  CPU only  GPU/SPU/DMA/IO access doesn't trigger
  • 30. molecular-matters.com Debugging overwrites (cont‘d)  Page protection  Move allocations in question to the start or end of a page  Restrict access to surrounding pages  Needs a lot more memory  Protect free pages  Walk allocations upon freeing memory  Don't re-use recently freed allocations
  • 31. molecular-matters.com Debugging overwrites (cont'd)  Page protection (cont'd)  Needs virtual memory system  If not available, most platforms offer similar features
  • 32. molecular-matters.com If all else fails...  Go home, get some sleep  Let your brain do the work  Grab a colleague  Pair debugging  Fresh pair of eyes  Talk to somebody  Non-programmers, other team members  Your family, rubber ducks, ...
  • 35. molecular-matters.com That's it! Questions? Contact: stefan.reinalter@molecular-matters. com
  • 37. molecular-matters.com Memory tracking  Two possibilities  Allocate & free memory with new & delete only  Override global new and delete operators  Static initialization order fiasco  Memory tracker must be instantiated first  Platform-specific tricks needed  Still need to hook other functions  malloc & free  Weak functions or linker function wrapping  Problems with 3rd party libraries doing the same
  • 38. molecular-matters.com Memory tracking (cont'd)  Static initialization order  Top to bottom in a translation unit  Undefined across translation units  Platform-specific tricks  #pragma init_seg(compiler/lib/user) (MSVC)  __attribute__ ((init_priority (101))) (GCC)  Custom code/linker sections
  • 39. molecular-matters.com Memory tracking (cont'd)  Other possibility  Disallow new & delete completely  Use custom functions instead  Allows more fine-grained tracking in allocators  Demand explicit startup & shutdown  Harder to do with legacy codebase  Need to hook platform-specific functions  Easier on consoles  Code-patching on PC
  • 40. molecular-matters.com Memory tracking (cont'd)  Hooking functions  Weak functions (if supported)  Implemented at compiler-level  XMemAlloc (Xbox360)  Function wrapping at linker-level  --wrap (GCC)  __wrap_* & __real_*  Code-patching (Windows)  Disassemble & patch at run-time
  • 41. molecular-matters.com Memory tracking (cont'd)  Storing allocations  Intrusive  In-place linked list  Changes memory layout  Cannot use debug memory on consoles  External  Associative container, e.g. hash map  Same memory layout as with tracking disabled  Can use debug memory on consoles
  • 42. molecular-matters.com Memory tracking (cont'd)  Levels of sophistication  Simple counter  File & line & function, size  Full callstack, ID, allocator name, size, …  Tracking granularity  Global, e.g. #ifdef/#endif  Per allocator  More on that later
  • 43. molecular-matters.com Memory tracking (cont'd)  Finding logical leaks  Snapshot functionality  Capture all live allocations  Compare snapshots e.g. upon level start  Report snapshot differences