--- /dev/null
+<?xml version="1.0"?> <!-- -*- sgml -*- -->
+<!DOCTYPE chapter PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
+ "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
+[ <!ENTITY % vg-entities SYSTEM "../../docs/xml/vg-entities.xml"> %vg-entities; ]>
+
+
+<chapter id="dh-manual"
+ xreflabel="DHAT: a dynamic heap analysis tool">
+ <title>DHAT: a dynamic heap analysis tool</title>
+
+<para>To use this tool, you must specify
+<option>--tool=exp-dhat</option> on the Valgrind
+command line.</para>
+
+
+
+<sect1 id="dh-manual.overview" xreflabel="Overview">
+<title>Overview</title>
+
+<para>DHAT is a tool for examining how programs use their heap
+allocations.</para>
+
+<para>It tracks the allocated blocks, and inspects every memory access
+to find which block, if any, it is to. The following data is
+collected and presented per allocation point (allocation
+stack):</para>
+
+<itemizedlist>
+ <listitem><para>Total allocation (number of bytes and
+ blocks)</para></listitem>
+
+ <listitem><para>maximum live volume (number of bytes and
+ blocks)</para></listitem>
+
+ <listitem><para>average block lifetime (number of instructions
+ between allocation and freeing)</para></listitem>
+
+ <listitem><para>average number of reads and writes to each byte in
+ the block ("access ratios")</para></listitem>
+
+ <listitem><para>for allocation points which always allocate blocks
+ only of one size, and that size is 4096 bytes or less: counts
+ showing how often each byte offset inside the block is
+ accessed.</para></listitem>
+</itemizedlist>
+
+<para>Using these statistics it is possible to identify allocation
+points with the following characteristics:</para>
+
+<itemizedlist>
+
+ <listitem><para>potential process-lifetime leaks: blocks allocated
+ by the point just accumulate, and are freed only at the end of the
+ run.</para></listitem>
+
+ <listitem><para>excessive turnover: points which chew through a lot
+ of heap, even if it is not held onto for very long</para></listitem>
+
+ <listitem><para>excessively transient: points which allocate very
+ short lived blocks</para></listitem>
+
+ <listitem><para>useless or underused allocations: blocks which are
+ allocated but not completely filled in, or are filled in but not
+ subsequently read.</para></listitem>
+
+ <listitem><para>blocks with inefficient layout -- areas never
+ accessed, or with hot fields scattered throughout the
+ block.</para></listitem>
+</itemizedlist>
+
+<para>As with the Massif heap profiler, DHAT measures program progress
+by counting instructions, and so presents all age/time related figures
+as instruction counts. This sounds a little odd at first, but it
+makes runs repeatable in a way which is not possible if CPU time is
+used.</para>
+
+</sect1>
+
+
+
+
+<sect1 id="dh-manual.understanding" xreflabel="Understanding DHAT's output">
+<title>Understanding DHAT's output</title>
+
+
+<para>DHAT provides a lot of useful information on dynamic heap usage.
+Most of the art of using it is in interpretation of the resulting
+numbers. That is best illustrated via a set of examples.</para>
+
+
+<sect2>
+<title>Interpreting the max-live, tot-alloc and deaths fields</title>
+
+<sect3><title>A simple example</title></sect3>
+
+<screen><![CDATA[
+ ======== SUMMARY STATISTICS ========
+
+ guest_insns: 1,045,339,534
+ [...]
+ max-live: 63,490 in 984 blocks
+ tot-alloc: 1,904,700 in 29,520 blocks (avg size 64.52)
+ deaths: 29,520, at avg age 22,227,424
+ acc-ratios: 6.37 rd, 1.14 wr (12,141,526 b-read, 2,174,460 b-written)
+ at 0x4C275B8: malloc (vg_replace_malloc.c:236)
+ by 0x40350E: tcc_malloc (tinycc.c:6712)
+ by 0x404580: tok_alloc_new (tinycc.c:7151)
+ by 0x40870A: next_nomacro1 (tinycc.c:9305)
+]]></screen>
+
+<para>Over the entire run of the program, this stack (allocation
+point) allocated 29,520 blocks in total, containing 1,904,700 bytes in
+total. By looking at the max-live data, we see that not many blocks
+were simultaneously live, though: at the peak, there were 63,490
+allocated bytes in 984 blocks. This tells us that the program is
+steadily freeing such blocks as it runs, rather than hanging on to all
+of them until the end and freeing them all.</para>
+
+<para>The deaths entry tells us that 29,520 blocks allocated by this stack
+died (were freed) during the run of the program. Since 29,520 is
+also the number of blocks allocated in total, that tells us that
+all allocated blocks were freed by the end of the program.</para>
+
+<para>It also tells us that the average age at death was 22,227,424
+instructions. From the summary statistics we see that the program ran
+for 1,045,339,534 instructions, and so the average age at death is
+about 2% of the program's total run time.</para>
+
+<sect3><title>Example of a potential process-lifetime leak</title></sect3>
+
+<para>This next example (from a different program than the above)
+shows a potential process lifetime leak. A process lifetime leak
+occurs when a program keeps allocating data, but only frees the
+data just before it exits. Hence the program's heap grows constantly
+in size, yet Memcheck reports no leak, because the program has
+freed up everything at exit. This is particularly a hazard for
+long running programs.</para>
+
+<screen><![CDATA[
+ ======== SUMMARY STATISTICS ========
+
+ guest_insns: 418,901,537
+ [...]
+ max-live: 32,512 in 254 blocks
+ tot-alloc: 32,512 in 254 blocks (avg size 128.00)
+ deaths: 254, at avg age 300,467,389
+ acc-ratios: 0.26 rd, 0.20 wr (8,756 b-read, 6,604 b-written)
+ at 0x4C275B8: malloc (vg_replace_malloc.c:236)
+ by 0x4C27632: realloc (vg_replace_malloc.c:525)
+ by 0x56FF41D: QtFontStyle::pixelSize(unsigned short, bool) (qfontdatabase.cpp:269)
+ by 0x5700D69: loadFontConfig() (qfontdatabase_x11.cpp:1146)
+]]></screen>
+
+<para>There are two tell-tale signs that this might be a
+process-lifetime leak. Firstly, the max-live and tot-alloc numbers
+are identical. The only way that can happen is if these blocks are
+all allocated and then all deallocated.</para>
+
+<para>Secondly, the average age at death (300 million insns) is 71% of
+the total program lifetime (419 million insns), hence this is not a
+transient allocation-free spike -- rather, it is spread out over a
+large part of the entire run. One interpretation is, roughly, that
+all 254 blocks were allocated in the first half of the run, held onto
+for the second half, and then freed just before exit.</para>
+
+</sect2>
+
+
+<sect2>
+<title>Interpreting the acc-ratios fields</title>
+
+
+<sect3><title>A fairly harmless allocation point record</title></sect3>
+
+<screen><![CDATA[
+ max-live: 49,398 in 808 blocks
+ tot-alloc: 1,481,940 in 24,240 blocks (avg size 61.13)
+ deaths: 24,240, at avg age 34,611,026
+ acc-ratios: 2.13 rd, 0.91 wr (3,166,650 b-read, 1,358,820 b-written)
+ at 0x4C275B8: malloc (vg_replace_malloc.c:236)
+ by 0x40350E: tcc_malloc (tinycc.c:6712)
+ by 0x404580: tok_alloc_new (tinycc.c:7151)
+ by 0x4046C4: tok_alloc (tinycc.c:7190)
+]]></screen>
+
+<para>The acc-ratios field tells us that each byte in the blocks
+allocated here is read an average of 2.13 times before the block is
+deallocated. Given that the blocks have an average age at death of
+34,611,026, that's one read per block per approximately every 15
+million instructions. So from that standpoint the blocks aren't
+"working" very hard.</para>
+
+<para>More interesting is the write ratio: each byte is written an
+average of 0.91 times. This tells us that some parts of the allocated
+blocks are never written, at least 9% on average. To completely
+initialise the block would require writing each byte at least once,
+and that would give a write ratio of 1.0. The fact that some block
+areas are evidently unused might point to data alignment holes or
+other layout inefficiencies.</para>
+
+<para>Well, at least all the blocks are freed (24,240 allocations,
+24,240 deaths).</para>
+
+<para>If all the blocks had been the same size, DHAT would also show
+the access counts by block offset, so we could see where exactly these
+unused areas are. However, that isn't the case: the blocks have
+varying sizes, so DHAT can't perform such an analysis. We can see
+that they must have varying sizes since the average block size, 61.13,
+isn't a whole number.</para>
+
+
+<sect3><title>A more suspicious looking example</title></sect3>
+
+<screen><![CDATA[
+ max-live: 180,224 in 22 blocks
+ tot-alloc: 180,224 in 22 blocks (avg size 8192.00)
+ deaths: none (none of these blocks were freed)
+ acc-ratios: 0.00 rd, 0.00 wr (0 b-read, 0 b-written)
+ at 0x4C275B8: malloc (vg_replace_malloc.c:236)
+ by 0x40350E: tcc_malloc (tinycc.c:6712)
+ by 0x40369C: __sym_malloc (tinycc.c:6787)
+ by 0x403711: sym_malloc (tinycc.c:6805)
+]]></screen>
+
+<para>Here, both the read and write access ratios are zero. Hence
+this point is allocating blocks which are never used, neither read nor
+written. Indeed, they are also not freed ("deaths: none") and are
+simply leaked. So, here is 180k of completely useless allocation that
+could be removed.</para>
+
+<para>Re-running with Memcheck does indeed report the same leak. What
+DHAT can tell us, that Memcheck can't, is that not only are the blocks
+leaked, they are also never used.</para>
+
+<sect3><title>Another suspicious example</title></sect3>
+
+<para>Here's one where blocks are allocated, written to,
+but never read from. We see this immediately from the zero read
+access ratio. They do get freed, though:</para>
+
+<screen><![CDATA[
+ max-live: 54 in 3 blocks
+ tot-alloc: 1,620 in 90 blocks (avg size 18.00)
+ deaths: 90, at avg age 34,558,236
+ acc-ratios: 0.00 rd, 1.11 wr (0 b-read, 1,800 b-written)
+ at 0x4C275B8: malloc (vg_replace_malloc.c:236)
+ by 0x40350E: tcc_malloc (tinycc.c:6712)
+ by 0x4035BD: tcc_strdup (tinycc.c:6750)
+ by 0x41FEBB: tcc_add_sysinclude_path (tinycc.c:20931)
+]]></screen>
+
+<para>In the previous two examples, it is easy to see blocks that are
+never written to, or never read from, or some combination of both.
+Unfortunately, in C++ code, the situation is less clear. That's
+because an object's constructor will write to the underlying block,
+and its destructor will read from it. So the block's read and write
+ratios will be non-zero even if the object, once constructed, is never
+used, but only eventually destructed.</para>
+
+<para>Really, what we want is to measure only memory accesses in
+between the end of an object's construction and the start of its
+destruction. Unfortunately I do not know of a reliable way to
+determine when those transitions are made.</para>
+
+
+</sect2>
+
+<sect2>
+<title>Interpreting "Aggregated access counts by offset" data</title>
+
+<para>For allocation points that always allocate blocks of the same
+size, and which are 4096 bytes or smaller, DHAT counts accesses
+per offset, for example:</para>
+
+<screen><![CDATA[
+ max-live: 317,408 in 5,668 blocks
+ tot-alloc: 317,408 in 5,668 blocks (avg size 56.00)
+ deaths: 5,668, at avg age 622,890,597
+ acc-ratios: 1.03 rd, 1.28 wr (327,642 b-read, 408,172 b-written)
+ at 0x4C275B8: malloc (vg_replace_malloc.c:236)
+ by 0x5440C16: QDesignerPropertySheetPrivate::ensureInfo (qhash.h:515)
+ by 0x544350B: QDesignerPropertySheet::setVisible (qdesigner_propertysh...)
+ by 0x5446232: QDesignerPropertySheet::QDesignerPropertySheet (qdesigne...)
+
+ Aggregated access counts by offset:
+
+ [ 0] 28782 28782 28782 28782 28782 28782 28782 28782
+ [ 8] 20638 20638 20638 20638 0 0 0 0
+ [ 16] 22738 22738 22738 22738 22738 22738 22738 22738
+ [ 24] 6013 6013 6013 6013 6013 6013 6013 6013
+ [ 32] 18883 18883 18883 37422 0 0 0 0
+ [ 36] 5668 11915 5668 5668 11336 11336 11336 11336
+ [ 48] 6166 6166 6166 6166 0 0 0 0
+]]></screen>
+
+<para>This is fairly typical, for C++ code running on a 64-bit
+platform. Here, we have aggregated access statistics for 5668 blocks,
+all of size 56 bytes. Each byte has been accessed at least 5668
+times, except for offsets 12--15, 36--39 and 52--55. These are likely
+to be alignment holes.</para>
+
+<para>Careful interpretation of the numbers reveals useful information.
+Groups of N consecutive identical numbers that begin at an N-aligned
+offset, for N being 2, 4 or 8, are likely to indicate an N-byte object
+in the structure at that point. For example, the first 32 bytes of
+this object are likely to have the layout</para>
+
+<screen><![CDATA[
+ [0 ] 64-bit type
+ [8 ] 32-bit type
+ [12] 32-bit alignment hole
+ [16] 64-bit type
+ [24] 64-bit type
+]]></screen>
+
+<para>As a counterexample, it's also clear that, whatever is at offset 32,
+it is not a 32-bit value. That's because the last number of the group
+(37422) is not the same as the first three (18883 18883 18883).</para>
+
+<para>This example leads one to enquire (by reading the source code)
+whether the zeroes at 12--15 and 52--55 are alignment holes, and
+whether 48--51 is indeed a 32-bit type. If so, it might be possible
+to place what's at 48--51 at 12--15 instead, which would reduce
+the object size from 56 to 48 bytes.</para>
+
+<para>Bear in mind that the above inferences are all only "maybes". That's
+because they are based on dynamic data, not static analysis of the
+object layout. For example, the zeroes might not be alignment
+holes, but rather just parts of the structure which were not used
+at all for this particular run. Experience shows that's unlikely
+to be the case, but it could happen.</para>
+
+</sect2>
+
+</sect1>
+
+
+
+
+
+
+
+<sect1 id="dh-manual.options" xreflabel="DHAT Command-line Options">
+<title>DHAT Command-line Options</title>
+
+<para>DHAT-specific command-line options are:</para>
+
+<!-- start of xi:include in the manpage -->
+<variablelist id="dh.opts.list">
+
+ <varlistentry id="opt.show-top-n" xreflabel="--show-top-n">
+ <term>
+ <option><![CDATA[--show-top-n=<number>
+ [default: 10] ]]></option>
+ </term>
+ <listitem>
+ <para>At the end of the run, DHAT sorts the accumulated
+ allocation points according to some metric, and shows the
+ highest scoring entries. <varname>--show-top-n</varname>
+ controls how many entries are shown. The default of 10 is
+ quite small. For realistic applications you will probably need
+ to set it much higher, at least several hundred.</para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry id="opt.sort-by" xreflabel="--sort-by=string">
+ <term>
+ <option><![CDATA[--sort-by=<string> [default: max-bytes-live] ]]></option>
+ </term>
+ <listitem>
+ <para>At the end of the run, DHAT sorts the accumulated
+ allocation points according to some metric, and shows the
+ highest scoring entries. <varname>--sort-by</varname>
+ selects the metric used for sorting:</para>
+ <para><varname>max-bytes-live </varname> maximum live bytes [default]</para>
+ <para><varname>tot-bytes-allocd </varname> total allocation (turnover)</para>
+ <para><varname>max-blocks-live </varname> maximum live blocks</para>
+ <para>This controls the order in which allocation points are
+ displayed. You can choose to look at allocation points with
+ the highest maximum liveness, or the highest total turnover, or
+ by the highest number of live blocks. These give usefully
+ different pictures of program behaviour. For example, sorting
+ by maximum live blocks tends to show up allocation points
+ creating large numbers of small objects.</para>
+ </listitem>
+ </varlistentry>
+
+</variablelist>
+
+<para>One important point to note is that each allocation stack counts
+as a seperate allocation point. Because stacks by default have 12
+frames, this tends to spread data out over multiple allocation points.
+You may want to use the flag --num-callers=4 or some such small
+number, to reduce the spreading.</para>
+
+<!-- end of xi:include in the manpage -->
+
+</sect1>
+
+</chapter>
projects / thirdparty / valgrind.git / commitdiff
