When is a Leak not a Leak? Using Heapshot Analysis to Find Undesirable Memory Growth

The other day, I was in need of a Cocoa application that launches quickly that has a standard document model. At random, I chose the rather awesome Hex Fiend. As I often do, I also had top -u -o pid running in a Terminal window.

And I noticed something odd. As expected, the RPRVT of Hex Fiend was growing on each cmd-n. However, the RPRVT was not decreasing the same amount every time I hit cmd-w.

That ain’t right. Or it might be. Beyond evidence that a memory use problem may exist, top is a horrible tool for determining if a problem is real or what the actual problem might be.

In this case, the issue looks like a simple memory leak. Hex Fiend is allocating and retaining some set of objects, but not releasing them. The easiest first step is to use the leaks command line tool:

% leaks "Hex Fiend"
leaks Report Version:  2.0
Process:         Hex Fiend [3435]
Path:            /Volumes/Data/Applications/Hex Fiend.app/Contents/MacOS/Hex Fiend
Load Address:    0x100000000
Identifier:      com.ridiculousfish.HexFiend
Version:         2.0.0 (200)
Code Type:       X86-64 (Native)
Parent Process:  launchd [122]
Date/Time:       2010-10-16 20:47:09.935 -0700
OS Version:      Mac OS X 10.6.4
Report Version:  7
Process 3435: 22980 nodes malloced for 2600 KB
Process 3435: 0 leaks for 0 total leaked bytes.

OK; whatever the problem is, it isn’t “leaked” memory in the traditional definition of “leaked memory”.

That is, whatever memory is being allocated and never released is still being referenced somewhere. Maybe a circular retain. Maybe something that has a weak reference from the rest of the App’s object graph such that leaks can’t detect.

In other words, this isn’t just a simple memory leak and it will require more advanced tools to fix.

Fortunately, the Allocations Instrument provides exactly the tool we need. It is called Heapshot Analysis and it is brutally effective at deducing these kinds of problems.

To use:

  • Launch Instruments and select the Allocations template under the Memory category.
  • Target the application you want to analyze. It can already be running or you can launch it from Instruments. As well, you can launch it from Xcode via the Run With Performance Tools menu.
  • (10) Do something in the application where you return to the starting state. For Hex Fiend, this particular case is as simple as creating a new document and then closing it. For an optimal application, this activity should effectively cause no memory growth (or very little).
  • In the Allocations Instrument, press the Mark Heap button
  • Goto 10 (and repeat 5 or 6 times).
Step 1.png

I ended up with the data as seen to the left. Each “Heapshot” iteration represents opening, then closing, an untitled window with no data in it.

The “Heap Growth” and “Still Alive” columns provide a summation of all of the objects in that heapshot that still exist in all subsequent samplings of the heap. That is, in Heapshot 3, there were 36.08K of allocations spread across 260 allocation events that continued to exist throughout the rest of the run.

Specifically: the values in those columns represent permanent heap growth.

When creating, then closing, an untitled document there should be, ideally, no heap growth. That there is ~35K per document of permanent heap growth indicates that a leak does exist (regardless of what leaks said above).

Note that as you continue to iterate, you might see the values of previous Heapshot samples decrease. That is because objects allocated in that sample — at that heap mark — have been released. That is, every single object listed in that table — all ~25,000 or so in that screenshot alone — are very much in memory, using resources, and sticking around.

Instruments lets us dive deeper.

Step 2.png

Not only can we expand any given Heapshot iteration to see the inventory of permanent objects allocated in that iteration, but we can dive all the way down to the individual allocations and see a backtrace of exactly where it was allocated.

Looking at many of the allocations, they all seem to be during either the initialize of an instance of MyDocument or during loading of the user interface related with the same.

No surprises there; the inventory of objects is clearly related to the document.

What is surprising, though, is that an instance of MyDocument doesn’t show up on that list! It looks like the instance of MyDocument is correctly being deallocated on window close, but much of the user interface related to the document is not!

While we clearly have enough evidence to suspect MyDocument as being the source of the issue, we can confirm this further within Instruments.

Turn on Record reference counts in the Allocations instrument. When the app isn’t running, hit the little (i) in the Allocations track in Instruments and click the check box. Then run the application and do the same set of samples (or turn this on from the beginning if you didn’t forget like I did).

Now, when you click through any allocation, you’ll see a list of events that includes the point of allocation and all subsequent retain/release events. Clicking through many of the random objects in any given Heapshot sample shows two things. First, all of the objects ended with a retain count of 1 — not 2, not 5, but 1 — this indicates that whatever the problem is, it is likely pretty consistent and we can fix it once and be done with it. Secondly, the non-UI related objects like DataInspector or NSBigMutableString have very few events and they largely come from [MyDocument -init], further confirming our suspicions.

Now it is time to turn to the source.

Which I need to download; all of the above was done against the app without the source.

OK — got it — now — start with MyDocument‘s init method (which doesn’t do the self = [super init]; if (self) {...} return self; dance. Boo.) and compare it to dealloc

The init method looks fairly straightforward; allocate a bunch of stuff, glue it together, return self:

- init {
    [super init];
    lineCountingRepresenter = [[HFLineCountingRepresenter alloc] init];
    hexRepresenter = [[HFHexTextRepresenter alloc] init];
    asciiRepresenter = [[HFStringEncodingTextRepresenter alloc] init];
    scrollRepresenter = [[HFVerticalScrollerRepresenter alloc] init];
    layoutRepresenter = [[HFLayoutRepresenter alloc] init];
    statusBarRepresenter = [[HFStatusBarRepresenter alloc] init];
    dataInspectorRepresenter = [[DataInspectorRepresenter alloc] init];
    ... etc ...

As a matter of fact, pretty much all of those representers are showing up as still in memory per each Heapshot mark!

And, diving into the individual retain/releases, we see that some of the representers are connected to other representers. So, if anyone of those representers is sticking around, it might likely keep others alive with it, too! Or it could be a circular retain issue. But, before we start trying to deduce hard problems, we should exhaust the simple causes first and look at the dealloc method.

The first thing that jumps out at me is that the dealloc method is trying to do something clever. Instead of line-by-line calling release on every object allocated in init, it does:

    [[self representers] makeObjectsPerformSelector:@selector(release)];

OK. So, what does representers look like?

- (NSArray *)representers {
    return [NSArray arrayWithObjects:lineCountingRepresenter, hexRepresenter,
               asciiRepresenter, scrollRepresenter,
               dataInspectorRepresenter, statusBarRepresenter, nil];
}

Waitaminute there…. comparing that array’s contents to the items allocated in init, we see that the layoutRepresenter is missing. Nor is it explicitly released anywhere else in dealloc!

That’d be the leak right there! And leaks won’t detect it because there are enough non-retained relationships that the objects look like they are still reachable from the application’s core object graph!

The naive fix would be to add layoutRepresenter to the array returned by -representers. However, the layoutRepresenter seems to be kinda special in its role and, frankly, I really hate tricky dealloc games like making an array of objects perform release.

So, I replaced the performSelector: in dealloc with:

    [lineCountingRepresenter release];
    [hexRepresenter release];
    [asciiRepresenter release];
    [scrollRepresenter release];
    [layoutRepresenter release];
    [statusBarRepresenter release];
    [dataInspectorRepresenter release];
Step 3.png

Running the heapshot analysis again shows that the # of permanent allocations per iteration has dropped from ~250 to a consistent 8. Vast improvement, but still not perfect.

Looking at the remaining allocations, every single one is allocated in drawLineNumbersWithClipStringDrawing.

In particular, it is the drawing call here that is the source of the remaining leaks (except one):

	    NSString *string = [[NSString alloc] initWithBytesNoCopy:buff
						length:newStringLength
						encoding:NSASCIIStringEncoding freeWhenDone:NO];
            [string drawInRect:textRect withAttributes:textAttributes];
            [string release];

But, wait, how can that be? Well, it could be a bug in the AppKit. Or it could be some kind of a weird cache. As a matter of fact, if you create about 30 documents in Hex Fiend, then close them all, you will see the previous heap marks drop to 7 objects remaining. So, clearly, there is some kind of a size limited cache that is eventually being pruned. Obviously, not a very efficient cache if it is filling with copies of the same objects. I like to call these kinds of caches write only caches. All the benefits of high memory use combined with all the efficiencies of a 100% cache miss rate! FTW!

The one other leak, though, is that the dealloc method in HFLineCountingView is not releasing the textContainer. First, I’ll fix that and re-measure. Done. That removes one object from each Heapshot iteration.

OK — so, looking at the remaining objects, we have a set of objects that look an awful lot like a set of attributes for text; a paragraph style, color, etc…

Sure enough, textAttributes is not being released in dealloc.

Step 4.png

So, where do we stand?

See for yourself!

Not bad! No leaks on many iterations. That 1 4KB malloc seen in some iterations is likely some internal cache in the AppKit. That it doesn’t always appear and eventually goes away indicates that it is both behaving correctly and can be ignored.

The next step would be to do the same kind of testing, only with documents that contain actual data. Then do the testing after making a set of edits and undoing them.


Heapshot analysis has proven to be an incredibly effective tool for identifying and fixing memory use issues in applications. The above style of use where you pick a task that should return state back to the same as it was when you started is the most effective form of this analysis.

However, this same approach can be used for applications that build up or change state over time (think Mail, which has new messages coming in all the time or an application with an accretion of logs or undo state).

Fire up your application under Instruments and periodically hit “Mark Heap” when your app is in a reasonable state. The more Heap Shots you capture, the easier it is to analyze. Look at any given iteration and ask yourself Why do these objects created way back when still exist in memory and is their use of resources justified?. The follow up question is What can I do to make the permanent memory accretion smaller?.



13 Responses to “When is a Leak not a Leak? Using Heapshot Analysis to Find Undesirable Memory Growth”

  1. Marshall says:

    Nice writeup, Bill.
    Thanks for the tips.

  2. Mike Llewellyn says:

    One of e best Instruments walkthroughs I have seen, thanks for sharing that. Instruments for me tomorrow morning now :).

  3. Tom Harrington says:

    Thanks, I’ve been working on leveling up with Instruments and this really helps. Using record reference counts seems like a good suggestion for people who mistakenly expect the -retainCount method to be useful.

  4. ridiculous_fish says:

    Yikes! Thanks for tracking this down, Bill! leaks is not foolproof.

  5. bbum says:

    @Tom Heh — I should add to the article that if you are calling retainCount, you are doing it wrong.

    @Fish — it was a fun puzzle. Hex Fiend is really an awesome, useful, app. Thanks for going through the trouble of open sourcing it!

  6. Iain Delaney says:

    Is that something the static analyzer could catch, or is the coding error too sneaky? I’ve been amazed at the things the analyzer does find.

  7. Core Intuition » Episode 36: I Completely Messed It Up says:

    […] Using heapshot analysis — Bill Bumgarner’s blog post […]

  8. bbum says:

    @Iain The analyzer won’t catch issues that require deep, cross-correlative, analysis of your code. It is limited to a single compilation unit — a single .m file — and won’t catch problems that span compilation units.

  9. iPhone development highlights: January 2011 at Ole Begemann: iOS Development says:

    […] a post from October 2010, Bill Bumgarner introduces the Heapshot Analysis tool in Instruments and how to use it to find memory leaks in your app. If you want to see it in action, I also highly […]

  10. Michael Tsai - Blog - Heapshot Analysis says:

    […] Bill Bumgarner on using Instruments to find memory leaks: Heapshot analysis has proven to be an incredibly effective tool for identifying and fixing memory use issues in applications. The above style of use where you pick a task that should return state back to the same as it was when you started is the most effective form of this analysis. […]

  11. --Nick/ says:

    Thanks — I’ve come across this quite a while after you wrote it, but I’m glad to find it and it’s helping me this evening.

  12. Debugging memory leaks with Instruments and Heapshots | Finalize.com: My journey with iOS and other code adventures says:

    […] When is a Leak not a Leak? Using Heapshot Analysis to Find Undesirable Memory Growth […]

  13. devUA says:

    hey i am using ARC in my project. when i do heapshots then Heaps have some which are not released. And some of these are local NSArray which contains NSNumber with int. so i am unable to find why these NSArray which contains NSNumber unable to release in Heapshots even i exit game ( or class which contains these array is released)…

Leave a Reply

Line and paragraph breaks automatic.
XHTML allowed: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>