Trace Malloc Tools
              Chris Waterson <waterson@netscape.com>
                      November 27, 2000

This is a short primer on how to use the `trace malloc' tools
contained in this directory.


WHAT IS TRACE MALLOC?
=====================

Trace malloc is an optional facility that is built in to XPCOM. It
uses `weak linking' to intercept all calls to malloc(), calloc(),
realloc() and free(). It does two things:

1. Writes information about allocations to a filehandle that you
specify. As each call to malloc(), et. al. is made, a record is logged
to the filehandle.

2. Maintains a table of all `live objects' -- that is, objects that
have been allocated by malloc(), calloc() or realloc(), but have not
yet been free()'d. The contents of this table can be called by making
a `secret' call to JavaScript.


MAKING A TRACE MALLOC BUILD
===========================

As of this writing, trace malloc only works on Linux, but work is
underway to port it to Windows.

On Linux, start with a clean tree, and configure your build with the
following flags:

  --enable-trace-malloc
  --enable-cpp-rtti

Be sure that `--enable-boehm' is *not* set. I don't think that the
values for `--enable-debug' and `--enable-optimize' matter, but I've
typically had debug on and optimize off.


COLLECTING LIVE OBJECT DATA
===========================

To collect `live object' data from `mozilla' using a build that has
trace malloc enabled,

  1. Run `mozilla' as follows:

     % mozilla --trace-malloc /dev/null

  2. Do whatever operations in mozilla you'd like to test.

  3. Open the `live-bloat.html' file contained in this directory.

  4. Press the button that says `Dump to /tmp/dump.log'

An enormous file (typically 300MB) called `dump.log' will be dropped
in your `/tmp' directory.

To collect live object data from `gtkEmbed' using a build that has
trace malloc enabled:

  1. Run `gtkEmbed' as follows:

     % gtkEmbed --trace-malloc /dev/null

  2. Do whatever operations in gtkEmbed that you'd like to test.

  3. Press the `Dump Memory' button at the bottom of gtkEmbed.

The enormous file will be dropped in the current directory, and is
called `allocations.log'.


About Live Object Logs
----------------------

A typical entry from the `live object' dump file will look like:

  Address     Type      Size
  |           |         |
  v           v         v
  0x40008080 <nsFooBar> 16
        0x00000001 <- Fields
        0x40008084
        0x80004001
        0x00000036
  __builtin_new[./libxpcom.so +0x10E9DC]  <- Stack at allocation time
  nsFooBar::CreateFooBar(nsFooBar **)[./libfoobar.so +0x408C]
  main+C7E5AFB5[(null) +0xC7E5AFB5]

One will be printed for each object that was allocated.


TOOLS TO PARSE LIVE OBJECT LOGS
===============================

This directory is meant to house the tools that you can use to parse
live-object logs.

Object Histograms - histogram.pl
--------------------------------

This program parses a `live object' dump and produces a histogram of
the objects, sorted from objects that take the most memory to objects
that take the least. The output of this program is rather spartan: on
each line, it prints the object type, the number of objects of that
type, and the total number of bytes that the objects consume.

There are a two simple programs to `pretty print' the output from
histogram.pl:

  1. histogram-pretty.sh takes a single histogram and produces a table
     of objects.

       Type                    Count    Bytes %Total
       TOTAL                   67348  4458127 100.00
       nsImageGTK                 76   679092  15.23
       void*                    8956   563572  12.64
       ...
       PRLock                    732    61488   1.38
       OTHER                   24419   940235  21.09

  2. histogram-diff.sh takes two histograms and computes the difference
     between them.

                  ---- Base ----   ---- Incr ----   ----- Difference ----
       Type       Count    Bytes   Count    Bytes   Count    Bytes %Total
       TOTAL      40241  1940945   73545  5315142   33304  3374197 100.00
       nsImageGTK    16   106824     151   832816     135   725992  21.52
       PresShell     16    51088     198   340706     182   289618   8.58
       ...
       OTHER      27334  1147033   38623  1493385   11289   346352  10.26

Both of these scripts accept `-c' parameter that specifies how many
rows you'd like to see (by default, twenty). Any rows past the first
`n' rows are lumped into a single `OTHER' row. This allows you to keep
your reports short n' sweet.

Stack-based Type Inference - types.dat
--------------------------------------

Trace malloc uses `speculative RTTI' to determine the types of objects
as it dumps them. Unfortunately, RTTI can only deduce the type name
for C++ objects with a virtual destructor.

This leaves:

 . C++ object without a virtual destructor
 . array allocated C++ objects, and
 . objects allocated with the C runtime function (malloc
   and friends)

out in the cold. Trace malloc reports objects allocated this was as
having type `void*'.

The good news is that you can almost always determine the object's
type by looking at the stack trace that's taken at the time the object
is allocated.

The file `types.dat' consists of rules to classify objects based on
stack trace.


Uncategorized Objects - uncategorized.pl
----------------------------------------

Categorizing objects in `types.dat' is sweaty work, and the
`uncategorized.pl' script is a tool that makes it a bit
easier. Specifically, it reads a `live object' dump file and sorts the
stack traces. Stack traces that account for the most uncategorized
objects are placed first.

Using this tool, you can add the `most effective' rules to
`types.dat': rules that account for most of the uncategorized data.