[prof-heap] Fix issues stemming from rb_gc_force_recycle #3366
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
2 tasks
AlexJF
force-pushed
the
alexjf/heap-profiler-force-recycle-fix
branch
from
cb01363
to
2d89d6d
Compare
ivoanjo
reviewed
Jan 8, 2024
AlexJF
force-pushed
the
alexjf/heap-profiler-force-recycle-fix
branch
3 times, most recently
from
a4583e0
to
f80cedf
Compare
[prof-heap] Remove internal include
AlexJF
force-pushed
the
alexjf/heap-profiler-force-recycle-fix
branch
from
f80cedf
to
304c77e
Compare
Codecov ReportAll modified and coverable lines are covered by tests ✅
Additional details and impacted files@@ Coverage Diff @@
## master #3366 +/- ##
========================================
Coverage 98.24% 98.24%
========================================
Files 1254 1254
Lines 73218 73350 +132
Branches 3430 3437 +7
========================================
+ Hits 71931 72064 +133
+ Misses 1287 1286 -1 ☔ View full report in Codecov by Sentry. |
ivoanjo
approved these changes
Jan 9, 2024
ivoanjo
approved these changes
Jan 9, 2024
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
What does this PR do?
When trying our new heap profiler in real applications running in Ruby 2.7 we noticed the profiler quickly shuts down due to detecting duplicate sampling of objects with the same id. This is not supposed to happen since after Ruby 2.7 the object id system was reworked to ensure uniqueness and we rely on this as part of our object liveness tracking.
Turns out Rubies previous to 3.1 support a feature called "force recycling" where an object slot can be manually given back to the heap outside of a GC cycle by calling
rb_gc_force_recycle. However, the implementation of this feature is buggy and fails to clean-up objects ids or finalizers associated with objects that undergo this recycling (in a way that will actually slowly leak map entries over time). This feature also brought enough problems to the management of garbage collection code that it was eventually removed from Ruby 3.1 and later and replaced with a no-op (https://bugs.ruby-lang.org/issues/18290).Therefore, in Rubies < 3.1, if an object we were tracking were recycled and a new object uses its slot, this new object would "inherit" the id of the original and, from the perspective of our profiler, we'd be blind to this behaviour and continue reporting the original object as being alive.
Fortunately, as figured out by @ivoanjo in #3360 (comment), this implementation is buggy in a way that allows us to detect this recycling actually happened. When an object id is requested for an object, that object has the
FL_SEEN_OBJ_IDflag forcibly set. This is supposed to be an invariant as evidenced by the assert in https://github.com/ruby/ruby/blob/4a8d7246d15b2054eacb20f8ab3d29d39a3e7856/gc.c#L4050. However, when a new object uses a force recycled slot, it will inherit the object id from the object that was previously using that slow but will NOT be marked with theFL_SEEN_OBJ_IDflag. Consequently, when we're checking the liveness of a heap tracked object, if we're able to successfully map an id to a reference and then check the flags of that reference, if we don't seeFL_SEEN_OBJ_IDthen we can assume the object we were tracking was implicitly freed and clean its record.We have to be careful though. Since allocations that re-use recycled slots still trigger allocation tracepoints, it is possible that we decide to start tracking an object that was allocated on such a recycled slot. In this event, that object will already be missing the
FL_SEEN_OBJ_IDflag when we start tracking it. If we did nothing, next time we checked liveness using the workaround described in the previous paragraph we'd immediately discard it as dead even though it might very well be alive. Hence, when we detect a missingFL_SEEN_OBJ_IDflag on sampling, we need to force it back in, thus "fixing" the bug in the runtime. This also had the side-effect of reducing the number of map entries leaked in the obj_to_id and id_to_obj objspace tables.Motivation:
Handle problems introduced by
gc_force_recyclein Rubies < 3.1.Additional Notes:
How to test the change?
For Datadog employees:
credentials of any kind, I've requested a review from
@DataDog/security-design-and-guidance.Unsure? Have a question? Request a review!