{"type":"doc","content":[{"type":"heading","attrs":{"align":null,"level":2},"content":[{"type":"text","text":"摘要"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"Raphael [1]是西瓜視頻基礎技術團隊開發的一款 native 內存泄漏檢測工具,廣泛用於字節跳動旗下各大 App 的 native 內存泄漏治理,收益顯著。工具現已開源,本文將通過原理、方案和實踐來剖析 Raphael 的相關細節。"}]},{"type":"heading","attrs":{"align":null,"level":2},"content":[{"type":"text","text":"背景"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"Android 平臺上的內存問題一直是性能優化和穩定性治理的焦點和痛點,Java 堆內存因爲有比較成熟的工具和方法論,加上 hprof 快照作爲補充,定位和治理都很方便。而 native 內存問題一直缺乏穩定、高效的工具,僅有的 malloc debug [6]不僅性能和穩定性難以滿足需要,還存在 Android 版本兼容的問題。"}]},{"type":"heading","attrs":{"align":null,"level":2},"content":[{"type":"text","text":"現狀"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"事實上,native 內存泄漏治理一直不乏優秀的工具,已知的可用於調查 native 內存泄漏問題的工具主要有:LeakTracer、MTrace、MemWatch、Valgrind-memcheck、TCMalloc、LeakSanitizer 等。但由於 Android 平臺的特殊性,這些工具要麼不兼容,要麼接入成本過高,很難在 Android 平臺上落地。這些工具的原理基本都是:先代理內存分配\/釋放相關的函數(如:malloc\/calloc\/realloc\/memalign\/free),再通過 unwind 回溯調用堆棧,最後藉助緩存管理過濾出未釋放的內存分配記錄。因此,這些工具的主要差異也就體現在代理實現、棧回溯和緩存管理三個方面。根據這些工具代理實現的差異,大致可以分爲 hook 和 LD_PRELOAD 兩大類,典型的如 malloc debug [5] 和 LeakTracer。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"image","attrs":{"src":"https:\/\/static001.geekbang.org\/infoq\/c2\/c2ae99ef5328e3cc3eb0e404fcdbf620.png","alt":"圖片","title":null,"style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},{"type":"heading","attrs":{"align":null,"level":3},"content":[{"type":"text","text":"malloc debug"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"malloc debug 是 Android 系統自帶的內存調試工具(官方 Native 內存調試 有相關介紹 "},{"type":"text","marks":[{"type":"strong"}],"text":")"},{"type":"text","text":" ,雖然沒有額外的接入代碼,但開啓方式和核心功能等都受 Android 版本限制。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"image","attrs":{"src":"https:\/\/static001.geekbang.org\/infoq\/27\/27e4aed6efca2d594c038a03ab6dffbc.png","alt":"圖片","title":null,"style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"我們在線下嘗試使用 malloc debug 監控西瓜視頻 App(配置 wrap.sh)時發現,正常啓動時間小於 1s 的機型(Pixel 2 & Android 10),其冷啓動時間被拉長到了 11s+。而且在正常使用過程中滑動時的卡頓感非常明顯,頁面切換時耗時難以接受,監控過程中應用的使用體驗極差。不僅如此,西瓜視頻在 malloc debug 監控過程中還會遇到必現的棧回溯 crash(堆棧如下,《libunwind llvm 編年史》[8] 有相關分析)。"}]},{"type":"image","attrs":{"src":"https:\/\/static001.geekbang.org\/infoq\/3f\/3fdf67759d1574324b7d9f0d8798e7be.png","alt":"圖片","title":null,"style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},{"type":"heading","attrs":{"align":null,"level":3},"content":[{"type":"text","text":"LeakTracer"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"LeakTracer 是另一個比較知名的內存泄漏監控工具,其原理是:通過 LD_PRELOAD 機制搶先加載一個定義了 malloc\/calloc\/realloc\/memalign\/free 等同名函數的代理庫,這樣就全局代理了應用層內存的分配和釋放,通過 unwind 回溯調用棧並過濾出疑似的內存泄漏信息。Android 平臺上的 LD_PRELOAD 是被嚴格限制的,因爲其沒有獨立的 unwind 實現,依賴系統的 unwind 能力,也會遇到 malloc debug 遇到的棧幀兼容問題;如果把 LeakTracer 集成到目標 so 裏通過 override 方式實現代理,只能攔截到本 so 裏顯式的內存分配\/釋放,無法攔截到其他 so 和跨 so 調用的內存分配\/釋放。通過 native 插樁的方式也是如此,只能監控局部單純的內存泄漏,無法全局監控內存使用。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"綜合以上分析和接入體驗,我們不難發現,這些內存泄漏監控工具在 Android 平臺上實際接入時基本都存在以下三個比較典型的問題:"}]},{"type":"bulletedlist","content":[{"type":"listitem","attrs":{"listStyle":null},"content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","marks":[{"type":"strong"}],"text":"流程繁瑣"},{"type":"text","text":":需要配置 wrap.sh\/root permission\/setprop 等,受 Android 版本限制"}]}]},{"type":"listitem","attrs":{"listStyle":null},"content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","marks":[{"type":"strong"}],"text":"兼容問題"},{"type":"text","text":":unwind 庫存在嚴重的兼容性問題,libunwind_llvm 無法正確回溯 GNU 編譯的棧幀"}]}]},{"type":"listitem","attrs":{"listStyle":null},"content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","marks":[{"type":"strong"}],"text":"性能問題"},{"type":"text","text":":官方的 malloc debug 性能數據是損失 10 倍以上,實測西瓜開啓後在中高端機上不可用"}]}]}]},{"type":"heading","attrs":{"align":null,"level":2},"content":[{"type":"text","text":"我們的需求"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"西瓜視頻 App 是一個彙集了視頻播放、特效拍攝、視頻剪輯輯、P2P 加速等 native 代碼非常多的中大型應用,每個 native 代碼相關的模塊背後都有一個專業團隊在高速迭代,加上日人均使用時長超過 100 分鐘的影響,西瓜視頻 App 的 native 內存問題治理難度非常大。事實上,單純的內存泄漏問題相對較少,更多的是因爲業務邏輯不合理帶來的內存使用問題,需要工具滲透到 App 運行的過程中進行監控,無形中提高了對工具性能和穩定性的要求。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"線上 native 內存問題基本都是以虛擬內存觸頂的形式暴露出來的。在西瓜視頻 App 裏,虛擬內存的消耗除了上述幾大模塊外,還有其他幾個消耗大戶,如線程、webview、Flutter、硬件加速、顯存等。事實上,malloc\/calloc\/realloc\/memalign 等相對於 mmap\/mmap64 直接分配出的內存在整個虛擬內存空間中通常佔比比較小。因爲內存問題通常以虛擬內存耗盡的形式表現出來,只有儘可能多的收集各種內存消耗來無限逼近虛擬內存上限,才能準確找出虛擬內存耗盡的原因。因此,像 malloc debug 這樣只監控 malloc\/calloc\/realloc\/memalign\/free 等根本無法滿足內存治理需要,覆蓋 mmap\/mmap64\/munmap 等儘可能多的內存分配形式是監控工具必須要做的。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"綜合上面的分析可以得出,西瓜視頻 App 乃至整個字節跳動旗下其他 App, 對於一個通用的 native 內存泄漏監控工具的訴求主要有以下幾個方面:"}]},{"type":"bulletedlist","content":[{"type":"listitem","attrs":{"listStyle":null},"content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"接入層面:不依賴 Android 版本,無需 root,對業務滲透儘可能低"}]}]},{"type":"listitem","attrs":{"listStyle":null},"content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"穩定性:不存在影響業務的穩定性問題,可以滿足線上使用的訴求"}]}]},{"type":"listitem","attrs":{"listStyle":null},"content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"性能層面:沒有明顯的性能問題,達到可線上使用的標準"}]}]},{"type":"listitem","attrs":{"listStyle":null},"content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"監控範圍:不侷限於 malloc\/calloc\/realloc\/memalign\/free,至少還能覆蓋 mmap\/mmap64\/munmap"}]}]}]},{"type":"heading","attrs":{"align":null,"level":2},"content":[{"type":"text","text":"Raphael 核心設計"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"通過前面的分析可以知道,一個完整的 native 內存泄漏監控工具主要包含三部分:代理實現、棧回溯和緩存管理。代理實現是解決 Android 平臺上接入問題的關鍵,棧回溯是性能和穩定性的核心,緩存邏輯在一定程度上也會直接影響性能和穩定性。接下來我們會從四個方面介紹 Raphael 的核心設計。"}]},{"type":"heading","attrs":{"align":null,"level":3},"content":[{"type":"text","text":"代理實現"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"鑑於 wrap.sh 和 LD_PRELOAD 在 Android 平臺上不具有通用性,首先被排除。又因 malloc hook 只能代理 malloc\/calloc\/realloc\/free,無法覆蓋 mmap\/mmap64\/munmap,也被放棄。但受 malloc hook 實現方式的啓發,藉助於 inline hook \/ PLT hook 工具我們可以實現同樣的代理效果,這其中比較有代表性的工具主要有 Android-Inline-Hook[3] 和 xHook[1]。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"image","attrs":{"src":"https:\/\/static001.geekbang.org\/infoq\/0f\/0f0976b9b1e9ba996f78136c0078e2f9.png","alt":"圖片","title":null,"style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"xHook 是比較優秀的 PLT hook 工具代表,其穩定性可以達到上線標準。因其實現依賴正則,同時 hook 的 so 或函數比較多時,hook 耗時會比較明顯。此外,其原生實現只能 hook 當前已經加載的 so,對於未加載的沒做特殊處理,如果用來做長時間的進程級監控,需要解決增量 so hook 問題。不過這種 hook 方式非常適合做 so 定向監控。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"與 PLT hook 原理不同,inline hook 則是在目標函數的頭部直接插入跳轉指令,其 hook 的是最終的函數實現,不存在增量 so hook 問題,hook 效率高效直接。但 inline hook 在 hook 那些可能正在執行的函數後,需要掛起相關線程進行指令修正,這個是 inline hook 的痛點,現有 hook 實現很多沒有做指令修復,或者在指令修復時或多或少都存在一些問題。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"Raphael 在早期的驗證版本里採用 xHook 來實現代理接入。後續爲了實現長時間進程級監控,以覆蓋更多的業務場景,Raphael 又通過 Android-Inline-Hook 解決增量 so hook 問題,通過 xHook 實現定向監控。爲了進一步提升工具的性能和穩定性, Raphael 內部最新版本已切換到了 bytehook(字節跳動自研的 PLT hook 工具,可自動處理增量 so hook 問題)。"}]},{"type":"heading","attrs":{"align":null,"level":3},"content":[{"type":"text","text":"棧回溯"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"定位一個對象或者一段內存通常可以通過引用\/依賴關係,也可以通過創建\/分配時的堆棧。Java 堆內存因爲有明確的組織形式和清晰的依賴關係,可以通過依賴關係靜態分析內存泄漏問題。但 native 堆內存依賴\/引用比較隱晦,也沒有 Java 堆內存那樣明確的組織格式,無法通過依賴\/引用關係進行靜態分析,只能通過分配時的堆棧來輔助定位。棧回溯(unwind)是 native 層獲取調用堆棧的通用方式,是 native 內存泄漏監控工具不可或缺的核心,同時也是工具性能和穩定性的瓶頸所在。接下來本文將從棧回溯工具選取、限制棧回溯頻次、減少無用棧回溯三個方面介紹 Raphael 在棧回溯上所做的工作。"}]},{"type":"heading","attrs":{"align":null,"level":4},"content":[{"type":"text","text":"棧回溯工具選取"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"Android 平臺上常用的 32 位棧回溯庫主要有:libunwind_llvm、libunwind (nongnu)、libgcc_s、libudf、libbacktrace、libunwindstack 等,實踐證實這些工具或多或少都存在一些問題,以下是我們基於三個主流的棧回溯庫做的簡單對比分析(平臺:Pixel 2 & Android 10,性能:Demo 裏統計 16 層棧幀回溯的總耗時;兼容性:字節跳動旗下多個應用長時間的優化治理實踐)"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"image","attrs":{"src":"https:\/\/static001.geekbang.org\/infoq\/eb\/eb643acc80eae8ecda20861a784dcf5e.png","alt":"圖片","title":null,"style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"棧回溯涉及到的東西比較多,想要自己短時間內實現一個在穩定性、回溯性能、回溯成功率等方面都表現優異的 32 位棧回溯工具難度非常大。爲了快速驗證並解決實際機問題,Raphael 在早期版本里採用的是 libunwind_llvm,隨後切換到 libunwind_llvm & libunwind (nongnu),通過 libunwind_llvm 保證回溯性能,在回溯深度低於 2 層時切換到 libunwind (nongnu),以保證回溯成功率。最新版本里則採用的是 libudf,兼具了性能和回溯成功率。相對而言,64 位下基於 FP 的棧回溯實現性能和穩定性基本都能滿足需求,這裏不做過多介紹。Rapahel 同時也在設計時做了充分的擴展考慮,可以輕鬆切換到其他更優秀的棧回溯實現。"}]},{"type":"heading","attrs":{"align":null,"level":4},"content":[{"type":"text","text":"限制棧回溯頻次"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"即便是 libudf 實現,其在 demo 裏回溯 16 層棧幀的平均耗時也需要 0.6ms,監控工具實際運行時對 App 性能的影響是很明顯的。提升監控性能的途徑除了直接優化棧回溯性能外,減少回溯頻次也是十分有效的手段。我們在西瓜視頻 App 的優化治理實踐中發現,多數場景小於 1024 byte 的內存分配其頻率約佔 70% 以上,但線上遇到的 native 內存觸頂問題,卻很少是由小內存泄漏引發的,監控小內存泄漏對於解決線上 native 內存觸頂問題沒有實質效果。即便真的是由小內存引發的,這個需要高頻和必現的場景才能達到,這類問題通常在線下單測(定向監控)場景是完全可以覆蓋到的。基於此,Raphael 通過設定內存閾值來控制棧回溯頻次,可以大幅降低棧回溯的性能損耗。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"image","attrs":{"src":"https:\/\/static001.geekbang.org\/infoq\/d6\/d67d6dfad4e561d27011f437df95cbfb.png","alt":"圖片","title":null,"style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},{"type":"heading","attrs":{"align":null,"level":4},"content":[{"type":"text","text":"減少無用棧回溯"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"受限於代理流程和棧回溯實現機制,從代理函數入口到回溯開始的路徑上會存在幾層跟分配堆棧無關的函數調用,這幾層調用最終會體現在最後回溯成功的堆棧上(下圖的紅色部分),每次內存分配都回溯這幾層無用的調用鏈是十分損耗性能的。解決這種問題的直觀方法就是減少甚至完全規避這種無關的棧回溯,體現在代碼層面就是減少代理入口到回溯開啓函數之間的調用層級。inline 是一種簡單直接的實現方式,也可以直接在代理入口處提前構建回溯的 context 數據。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"image","attrs":{"src":"https:\/\/static001.geekbang.org\/infoq\/96\/96818685935b80a7293a3ee2bd7ef52e.png","alt":"圖片","title":null,"style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},{"type":"heading","attrs":{"align":null,"level":3},"content":[{"type":"text","text":"緩存管理"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"緩存管理作爲 native 內存監控的重要一環,對整個監控工具性能的影響至關重要。以 malloc debug 和LeakTracer 爲例,它們都是通過分配後的內存地址作爲 key 來計算 hash 後散列存儲的,並通過一個全局鎖來同步緩存更新的時序。兩者不同的是,malloc debug 會通過堆棧聚合調用鏈完全相同的內存分配記錄,其緩存的存儲單元通過 malloc 動態分配;而 LeakTracer 則不會根據堆棧聚合,其存儲單元會預先分配一部分,緩存不足時也會動態申請。通過以上分析和實測可以發現,malloc debug 的實際性能比LeakTracer 低很多,原因主要體現在堆棧聚合和緩存動態分配上。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"image","attrs":{"src":"https:\/\/static001.geekbang.org\/infoq\/f0\/f0f51f332d2bcbbc9bdde76e413b8a5a.png","alt":"圖片","title":null,"style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"對比 malloc debug 和 LeakTracer 的源碼也可以發現:運行時的堆棧聚合是完全沒有必要的;如果限制內存監控的閾值,緩存空間和緩存單元的上限都可以控制在一定範圍內的,不需要動態申請,可以減少動態分配的性能損耗;此外,由於 native 內存分配和釋放頻率比較高,全局鎖一定程序上會影響整體性能,通過 key 計算 hash 後再散列存儲時不需要全局鎖。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"Raphael 是預先分配固定大小的緩存空間,除了發生內存觸頂導致的 crash 外,緩存單元提前耗完也認爲存在內存泄漏問題。這主要是因爲:對於 32 位進程,其虛擬內存的上限通常是 4G,正常運行時相對比較容易觸達上限,而 64 位進程的虛擬地址空間非常大,實際很難遇到虛擬內存觸頂的 case,但遇到物理內存不足的概率則要大很多,這與 32 位進程基本相反。通過控制 vmPeak 閾值和緩存單元餘量可以有效捕捉到內存泄漏數據,最終實現穩定可靠的全自動內存泄漏監控及消費流程"}]},{"type":"image","attrs":{"src":"https:\/\/static001.geekbang.org\/infoq\/6c\/6c070c153dda4537933dec8c303c2407.png","alt":"圖片","title":null,"style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"image","attrs":{"src":"https:\/\/static001.geekbang.org\/infoq\/6c\/6cd9c02d0eaae12158c2c705d4e7fedb.png","alt":"圖片","title":null,"style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},{"type":"heading","attrs":{"align":null,"level":3},"content":[{"type":"text","text":"監控範圍"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"通過前面的分析可以知道,只監控 malloc\/calloc\/realloc\/memalign\/free 是無法滿足治理需求的,這主要是因爲 malloc\/calloc\/realloc\/memalign\/free 等分配出的內存通常在整個虛擬內存空間裏佔比較小,常見的內存消耗大戶 Thread、webview、Flutter、硬件加速、顯存等,都不是通過這些函數分配出的。爲了能夠對 Android 平臺上的 native 內存觸頂問題精準歸因,監控需要無限逼近虛擬內存的上限,這就需要監控儘可能多的內存分配形式。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"Android 上的內存操作主要是 malloc\/calloc\/realloc\/memalign\/free 和 mmap\/mmap64\/munmap,同監控 malloc\/calloc\/realloc\/memalign\/free 相比,監控 mmap\/mmap64\/munmap 有兩點不同:一個是線程棧的釋放問題,雖然創建線程時是通過 mmap\/mmap64 分配的棧內存,但棧內存的釋放並不一定是通過顯式調用 munmap 實現的;另一個是監控重入問題,當通過 malloc\/calloc\/realloc\/memalign 等分配大內存時,底層通常是通過 mmap\/mmap64 實現的,兩類接口同時監控時會存在重入問題。"}]},{"type":"heading","attrs":{"align":null,"level":4},"content":[{"type":"text","text":"棧內存釋放"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"線程的棧內存又分爲信號棧和執行棧,信號棧在調用"},{"type":"text","marks":[{"type":"strong"}],"text":"void pthread_exit(void *return_value)"},{"type":"text","text":" 接口時會通過 munmap 即刻釋放,而執行棧的釋放則有兩種形式:"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"bulletedlist","content":[{"type":"listitem","attrs":{"listStyle":null},"content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"void pthread_exit(void "},{"type":"text","marks":[{"type":"italic"}],"text":"return_value) 函數體裏,當線程狀態爲 THREAD_DETACHED 時會直接通過 void _exit_with_stack_teardown(void"},{"type":"text","text":"stack, size_t sz) 釋放"}]}]}]},{"type":"image","attrs":{"src":"https:\/\/static001.geekbang.org\/infoq\/69\/6968ff9682de60af41adc9e3ee576c18.png","alt":"圖片","title":null,"style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"image","attrs":{"src":"https:\/\/static001.geekbang.org\/infoq\/a3\/a3e97a3eb2d93e52f3464616b2b45e8a.png","alt":"圖片","title":null,"style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},{"type":"bulletedlist","content":[{"type":"listitem","attrs":{"listStyle":null},"content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"int pthread_join(pthread_t t, void** return_value) 裏通過 "},{"type":"text","marks":[{"type":"strong"}],"text":"pthread_internal_remove_and_free,最終在"},{"type":"text","text":"pthread_internal_free 裏通過 munmap 釋放"}]}]}]},{"type":"image","attrs":{"src":"https:\/\/static001.geekbang.org\/infoq\/86\/86180777711e03a662a38115a5751af5.png","alt":"圖片","title":null,"style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"image","attrs":{"src":"https:\/\/static001.geekbang.org\/infoq\/a1\/a17edb1687615bde771af3d2010db7fd.png","alt":"圖片","title":null,"style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"綜上,最終通過 munmap 釋放的內存都可以被監控到,而通過_exit_with_stack_teardown 釋放的內存則無法攔截到。我們針對這種情況做了特殊處理:在 Raphael 裏代理攔截了 void pthread_exit(void *) ,並判斷此時線程狀態是否爲 THREAD_DETACHED,如果是則在監控裏直接移除相關記錄,否則不移除。"}]},{"type":"heading","attrs":{"align":null,"level":4},"content":[{"type":"text","text":"重入問題"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"下圖是一個典型的重入現場,其上層的 malloc 函數最終調用到了 mmap 函數,同時監控兩類內存接口時就會遇到此類問題。重入問題帶來的一個挑戰是緩存如何管理,同一個緩存裏只能維護一個記錄,維護兩個記錄的邏輯和性能過於複雜。此外,從 malloc 到 mmap 的堆棧是固定的,這幾層堆棧對分析內存泄漏完全沒用,因爲這個時候關注的是 malloc 之上的堆棧。"}]},{"type":"image","attrs":{"src":"https:\/\/static001.geekbang.org\/infoq\/6a\/6a3ebbfc9a0bc45d83a9d19e1a417c08.png","alt":"圖片","title":null,"style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"解決重入問題的方案很直接,在檢測到 mmap\/mmap64 之上有 malloc\/calloc\/realloc 等棧幀時,忽略本次分配。這樣不僅解決了重入問題,也避免了不必要的棧回溯。因爲 Android 平臺不支持 thread local storage(TLS),只能通過 pthread_setspecific 和 pthread_getspecific 實現。"}]},{"type":"image","attrs":{"src":"https:\/\/static001.geekbang.org\/infoq\/78\/786c4f7fe2b9ecc7a036735a48ce76dd.png","alt":"圖片","title":null,"style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},{"type":"heading","attrs":{"align":null,"level":2},"content":[{"type":"text","text":"綜合評估"}]},{"type":"heading","attrs":{"align":null,"level":3},"content":[{"type":"text","text":"功能"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"相對於 malloc debug 和 LeakTracer,Raphael 不僅支持 malloc\/calloc\/realloc\/memalign\/free,也支持監控 mmap\/mmap64\/munmap 等,使監控範圍擴展到了線程、webview、Flutter、顯存等,基本完全覆蓋了 Android 平臺上的 native 內存使用場景。"}]},{"type":"heading","attrs":{"align":null,"level":3},"content":[{"type":"text","text":"性能"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"Android 平臺上的 native 內存泄漏檢測通常都是在程序運行過程中進行的,棧回溯和緩存管理會消耗部分 CPU 和內存,帶來一定的性能損失。Raphael 可配置的監控能力有很大的伸縮性,性能影響可以限制在可接受範圍內,以下數據基於西瓜視頻 App 32 位模式評測(中高端機型和 64 位下的性能更高):"}]},{"type":"bulletedlist","content":[{"type":"listitem","attrs":{"listStyle":null},"content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"CPU:32 位模式 & ≥1024 的監控閾值下,在低端機上 CPU 消耗< 3%"}]}]},{"type":"listitem","attrs":{"listStyle":null},"content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"內存:32 位模式下默認會有約 16M 的虛擬內存消耗"}]}]},{"type":"listitem","attrs":{"listStyle":null},"content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"幀率:32 位模式 & ≥1024 的監控閾值下,低端機上幀率沒有明顯變化"}]}]}]},{"type":"heading","attrs":{"align":null,"level":3},"content":[{"type":"text","text":"穩定性"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"已開源的版本是基於開源 inline hook 實現的,在部分 Android 6 機型上存在卡死問題,除此之外暫未發現其他穩定性問題。此外,字節跳動這邊早期的治理實踐集中在線下,並基於 Raphael 建設完善了線下的防治體系,更爲穩定的版本可以滿足線上的監控需求,我們會在後續迭代開源。"}]},{"type":"heading","attrs":{"align":null,"level":2},"content":[{"type":"text","text":"治理實踐"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"Raphael 在字節跳動內部使用非常廣泛,是字節跳動 native 協會指定的 native 內存泄漏檢測工具。在治理實踐中,Raphael 覆蓋了幾乎所有的 native 內存使用場景,輔助解決了大量的 native 內存泄漏和內存使用不合理的問題。接下來通過四個典型的案例簡單介紹下 Raphael 的監控能力和基於 Raphael 的數據分析方法(應用自身的,Java 層的,webview 的,系統層的)。"}]},{"type":"heading","attrs":{"align":null,"level":3},"content":[{"type":"text","text":"案例 1"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"下圖是西瓜視頻裏兩個比較典型的 native 內存問題現場,既有嚴格意義上的內存泄漏(用完之後未釋放),也有更爲廣泛的內存不合理使用的問題(短暫泄漏、局部場景問題、上層業務邏輯問題等)。針對內存泄漏問題,在明確了相關內存的生命週期之後,可以相對輕鬆的快速定位到。對於內存使用不合理的問題,則需要儘可能多的蒐集未釋放的內存,來綜合評估影響。"}]},{"type":"image","attrs":{"src":"https:\/\/static001.geekbang.org\/infoq\/d3\/d33d6b7f3584b0501e9404f38d15b994.png","alt":"圖片","title":null,"style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"早期在分析數據時,我們也會通過 maps 來驗證 Raphael 的數據。通常通過分析 maps 可以大致知道內存觸頂的原因,下圖是一個典型的運行時通過 malloc\/calloc\/realloc\/memalign 和 mmap\/mmap64 分配的內存過多導致的 OOM 現場。"}]},{"type":"image","attrs":{"src":"https:\/\/static001.geekbang.org\/infoq\/08\/08dffb5acc93886237266b935a82a9f9.png","alt":"圖片","title":null,"style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},{"type":"heading","attrs":{"align":null,"level":3},"content":[{"type":"text","text":"案例 2"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"下圖是字節跳動內部一個業務遇到的 native 內存問題現場,未接入 Raphael 前雖能輕鬆復現 native 內存增長的問題,但無法定位內存增長的原因。在接入 Raphael 後,雖然攔截到的內存並不多,但問題暴露的非常明顯。排名第一個的堆棧是 Java 層創建 bitmap 對象時調用到 native 層堆棧(Android 8 以後 Bitmap 的數據是存儲在 native 層),該問題的調查最終轉移到了 Java 層。"}]},{"type":"image","attrs":{"src":"https:\/\/static001.geekbang.org\/infoq\/95\/956ef6fe2ddf3aaea48542b553e32d06.png","alt":"圖片","title":null,"style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"基於以上分析,我們可以斷定 Java 層的堆內存裏一定存在大量的 Bitmap 對象。因爲該問題是線下可復現的,我們可以很容易的通過 Java 堆內存快照驗證並定位到問題原因(如下圖所示)。如果是線上,我們需要抓取異常現場的快照才能最終定位,這也正是 "},{"type":"link","attrs":{"href":"https:\/\/mp.weixin.qq.com\/s?__biz=MzI1MzYzMjE0MQ==&mid=2247487203&idx=1&sn=182584b69910c843ae95f60e74127249&scene=21#wechat_redirect","title":null,"type":null},"content":[{"type":"text","text":"西瓜視頻穩定性治理體系建設一:Tailor 原理及實踐"}],"marks":[{"type":"strong"}]},{"type":"text","text":" 裏所提到的通用異常數據蒐集建設。"}]},{"type":"image","attrs":{"src":"https:\/\/static001.geekbang.org\/infoq\/6c\/6c903ec280f4903c31b832a50d136385.png","alt":"圖片","title":null,"style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},{"type":"heading","attrs":{"align":null,"level":3},"content":[{"type":"text","text":"案例 3"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"一直以來 Android 設備上 webview 消耗的內存很少被重視,隨着前端業務場景增多,webview 導致的內存問題也越來越明顯、越來越頻繁。下圖是 Raphael 在西瓜視頻 App 裏監控到的一個前端活動頁導致的內存問題現場。由於系統 webview 自身的原因,工具無法回溯出完整的調用棧,無法直觀定位到問題原因。最終我們通過定向分析內存數據,定位到這些內存基本都是前端頁面裏緩存的圖片資源,在對該頁面的圖片緩存策略進行優化之後,相關的內存觸頂的異常大幅降低。"}]},{"type":"image","attrs":{"src":"https:\/\/static001.geekbang.org\/infoq\/e1\/e19f999b05563a1bb0c8e50ed71f8cfd.png","alt":"圖片","title":null,"style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},{"type":"heading","attrs":{"align":null,"level":3},"content":[{"type":"text","text":"案例 4"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"下圖是 Android 系統上長期存在的一類 Camera 內存泄漏現場。通過分析源碼可知,Camera 在拍攝過程中會在 native 層持續構造 CameraMetadata 實例,而每個 CameraMetadata 對象都會指向一塊不小的 native 內存,這塊 native 內存的釋放依賴 Java 層的 CameraMetadataNative 對象執行 finalize 函數。這個邏輯最終導致這部分 native 內存的回收間接依賴 Java 層的 GC。如果一段時間內 Java 層沒有 GC ,這部分 native 內存就會因爲沒有及時釋放而堆積,進而在觸頂後引發各種因 native 內存不足而導致的異常。"},{"type":"link","attrs":{"href":"https:\/\/mp.weixin.qq.com\/s?__biz=MzI1MzYzMjE0MQ==&mid=2247486499&idx=1&sn=1f38a8dd301d6fe1d0b62f7e027113de&scene=21#wechat_redirect","title":null,"type":null},"content":[{"type":"text","text":"《Android Camera 內存問題剖析》"}],"marks":[{"type":"strong"}]},{"type":"text","text":"裏有詳細的分析過程,《ART 視角 | 如何讓 GC 同步回收 native 內存》針對此類問題也同步給出了方案,通過溝通 Android 團隊表示會在後續版本里徹底修復此問題。"}]},{"type":"image","attrs":{"src":"https:\/\/static001.geekbang.org\/infoq\/4f\/4fff3acf2226a4c00e24cb6fd4b8072e.png","alt":"圖片","title":null,"style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},{"type":"heading","attrs":{"align":null,"level":2},"content":[{"type":"text","text":"後續規劃"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"Native 內存泄漏監控的原理相對簡單,但想要做到完美通用卻很困難,最主要的考驗當屬性能和穩定性問題,例如 32 位棧回溯的性能和穩定性、緩存管理的性能等。前期我們在調研和開發 Raphael 時,基於快速落地和解決緊迫問題的目的,複用了大量第三方代碼,並簡化了很多邏輯。經過長期的治理實踐,工具自身也暴露出一些問題和後續可以優化的方向。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"就代理邏輯而言,Android-Inline-Hook 和 And64InlineHook 雖然都是比較優秀的 inline hook 工具,但實際使用時仍然存在兼容和卡死的問題。雖然 xHook 在兼容性和性能上都可以達到上線標準,但不具有通用性,很難將 native 內存泄漏監控擴展到其他有上限的資源上(如 JNI Reference Table)。我們也在調研優化 inline hook,探索更爲穩定高效的 hook 方案。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"棧回溯和緩存管理是 native 內存泄漏監控性能和穩定性的瓶頸。相對而言,基於 FP 的 64 位棧回溯方案已經到了極致,但 32 位下目前仍沒有完美理想的方案。在 32 位下,Raphael 通過限制棧回溯深度和控制監控範圍來規避頻繁棧回溯帶來的性能影響,雖然可以大幅提升性能,但也存在漏報問題。因此,32 位棧回溯性能也是我們後續的優化方向。此外,Raphael 已開源的版本其緩存管理仍然是通過全局鎖來實現同步的,會有一定的性能損失,這個我們也會在後續的開源迭代裏同步最新的優化。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"衆所周知,物理內存、虛擬內存、Thread、FD、JNI Reference Table 等都是典型的有上限的資源,不合理使用都會造成常規手段難以調查的穩定性問題。顯而易見,內存泄漏的監控邏輯, 同樣適用於其他這些有上限的資源。甚至於那些雖然沒有明確上限的(如 Binder、流量、耗時等),我們也可以構造出相應的上限來實現監控和溯源。基於 Raphael 擴展其他的監控能力是我們後續要高優完善的。"}]},{"type":"heading","attrs":{"align":null,"level":2},"content":[{"type":"text","text":"總結"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"Android native 內存泄漏話題由來已久,在此之前業界一直沒有穩定可靠的工具可用,得益於 AOSP 和其他優秀的開源項目(Android-Inline-Hook、And64InlineHook、xHook、xDL),使得我們有機會進行相關的嘗試。Raphael 是西瓜視頻基礎技術團隊的初步探索和嘗試,在字節跳動內部衆多 App (如西瓜、抖音、頭條)長期的治理實踐中,不僅解決了大量疑難問題,也進一步完善了工具和方法論。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"雖然基於 Raphael 的 native 內存泄漏監控方案目前已經足夠成熟和穩定,但其監控過程畢竟滲透到了 App 的運行過程,會有一定程度的性能損失和穩定性風險。我們倡導的方案是基於此來建設完善線下的內存泄漏防治體系,謹慎帶到線上。由於內部迭代的 Raphael 版本比較多,且涉及其他未開源的項目,本次開源我們只能選擇其中一個穩定可用的版本,其他優化會在後續逐步開源。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"Raphael 只是邁開了其中的一小步,方案還有很大的優化空間。開源不是終點,我們希望集思廣益、共同探索完善,在 Android 穩定性治理上走的更快更遠。"}]},{"type":"heading","attrs":{"align":null,"level":2},"content":[{"type":"text","text":"相關資料"}]},{"type":"numberedlist","attrs":{"start":null,"normalizeStart":1},"content":[{"type":"listitem","attrs":{"listStyle":null},"content":[{"type":"paragraph","attrs":{"indent":0,"number":1,"align":null,"origin":null},"content":[{"type":"text","marks":[{"type":"strong"}],"text":"Raphael 開源地址:"}]},{"type":"paragraph","attrs":{"indent":0,"number":2,"align":null,"origin":null},"content":[{"type":"text","text":"https:\/\/github.com\/bytedance\/memory-leak-detector"}]}]},{"type":"listitem","attrs":{"listStyle":null},"content":[{"type":"paragraph","attrs":{"indent":0,"number":3,"align":null,"origin":null},"content":[{"type":"text","marks":[{"type":"strong"}],"text":"xHook 鏈接:"}]},{"type":"paragraph","attrs":{"indent":0,"number":4,"align":null,"origin":null},"content":[{"type":"text","text":"https:\/\/github.com\/iqiyi\/xHook"}]}]},{"type":"listitem","attrs":{"listStyle":null},"content":[{"type":"paragraph","attrs":{"indent":0,"number":5,"align":null,"origin":null},"content":[{"type":"text","marks":[{"type":"strong"}],"text":"xDL 鏈接:"}]},{"type":"paragraph","attrs":{"indent":0,"number":6,"align":null,"origin":null},"content":[{"type":"text","text":"https:\/\/github.com\/hexhacking\/xDL"}]}]},{"type":"listitem","attrs":{"listStyle":null},"content":[{"type":"paragraph","attrs":{"indent":0,"number":7,"align":null,"origin":null},"content":[{"type":"text","marks":[{"type":"strong"}],"text":"Android-Inline-Hook 鏈接:"}]},{"type":"paragraph","attrs":{"indent":0,"number":8,"align":null,"origin":null},"content":[{"type":"text","text":"https:\/\/github.com\/ele7enxxh\/Android-Inline-Hook"}]}]},{"type":"listitem","attrs":{"listStyle":null},"content":[{"type":"paragraph","attrs":{"indent":0,"number":9,"align":null,"origin":null},"content":[{"type":"text","marks":[{"type":"strong"}],"text":"And64InlineHook 鏈接:"}]},{"type":"paragraph","attrs":{"indent":0,"number":10,"align":null,"origin":null},"content":[{"type":"text","text":"https:\/\/github.com\/Rprop\/And64InlineHook"}]}]},{"type":"listitem","attrs":{"listStyle":null},"content":[{"type":"paragraph","attrs":{"indent":0,"number":11,"align":null,"origin":null},"content":[{"type":"text","marks":[{"type":"strong"}],"text":"malloc debug 鏈接:"},{"type":"text","text":"https:\/\/android.googlesource.com\/platform\/bionic\/+\/master\/libc\/malloc_debug\/README.md"}]}]},{"type":"listitem","attrs":{"listStyle":null},"content":[{"type":"paragraph","attrs":{"indent":0,"number":12,"align":null,"origin":null},"content":[{"type":"text","marks":[{"type":"strong"}],"text":"LeakTracer 鏈接:"}]},{"type":"paragraph","attrs":{"indent":0,"number":13,"align":null,"origin":null},"content":[{"type":"text","text":"http:\/\/www.andreasen.org\/LeakTracer\/"}]}]},{"type":"listitem","attrs":{"listStyle":null},"content":[{"type":"paragraph","attrs":{"indent":0,"number":14,"align":null,"origin":null},"content":[{"type":"link","attrs":{"href":"http:\/\/mp.weixin.qq.com\/s?__biz=MzI1MzYzMjE0MQ==&mid=2247486499&idx=1&sn=1f38a8dd301d6fe1d0b62f7e027113de&chksm=e9d0c7c1dea74ed70621fb46b1f081626177610d98e1fbb4c4867099eb43edc051f61f1a2371&scene=21#wechat_redirect","title":null,"type":null},"content":[{"type":"text","text":" Android Camera內存問題剖析"}]}]}]},{"type":"listitem","attrs":{"listStyle":null},"content":[{"type":"paragraph","attrs":{"indent":0,"number":15,"align":null,"origin":null},"content":[{"type":"text","text":" "},{"type":"text","marks":[{"type":"strong"}],"text":"libunwind llvm 編年史:"}]}]}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":" https:\/\/zhuanlan.zhihu.com\/p\/33937283"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":" 10. "},{"type":"text","marks":[{"type":"strong"}],"text":"ART 視角 | 如何讓 GC 同步回收 native 內存:"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":" https:\/\/juejin.cn\/post\/6894153239907237902"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"本文轉載自:字節跳動技術團隊(ID:toutiaotechblog)"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"原文鏈接:"},{"type":"link","attrs":{"href":"https:\/\/mp.weixin.qq.com\/s\/RF3m9_v5bYTYbwY-d1RloQ","title":"xxx","type":null},"content":[{"type":"text","text":"西瓜視頻穩定性治理體系建設二:Raphael 原理及實踐"}]}]}]}
西瓜視頻穩定性治理體系建設二:Raphael 原理及實踐
{"type":"doc","content":[{"type":"heading","attrs":{"align":null,"level":2},"content":[{"type":"text","text":"摘要"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"Raphael [1]是西瓜視頻基礎技術團隊開發的一款 native 內存泄漏檢測工具,廣泛用於字節跳動旗下各大 App 的 native 內存泄漏治理,收益顯著。工具現已開源,本文將通過原理、方案和實踐來剖析 Raphael 的相關細節。"}]},{"type":"heading","attrs":{"align":null,"level":2},"content":[{"type":"text","text":"背景"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"Android 平臺上的內存問題一直是性能優化和穩定性治理的焦點和痛點,Java 堆內存因爲有比較成熟的工具和方法論,加上 hprof 快照作爲補充,定位和治理都很方便。而 native 內存問題一直缺乏穩定、高效的工具,僅有的 malloc debug [6]不僅性能和穩定性難以滿足需要,還存在 Android 版本兼容的問題。"}]},{"type":"heading","attrs":{"align":null,"level":2},"content":[{"type":"text","text":"現狀"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"事實上,native 內存泄漏治理一直不乏優秀的工具,已知的可用於調查 native 內存泄漏問題的工具主要有:LeakTracer、MTrace、MemWatch、Valgrind-memcheck、TCMalloc、LeakSanitizer 等。但由於 Android 平臺的特殊性,這些工具要麼不兼容,要麼接入成本過高,很難在 Android 平臺上落地。這些工具的原理基本都是:先代理內存分配\/釋放相關的函數(如:malloc\/calloc\/realloc\/memalign\/free),再通過 unwind 回溯調用堆棧,最後藉助緩存管理過濾出未釋放的內存分配記錄。因此,這些工具的主要差異也就體現在代理實現、棧回溯和緩存管理三個方面。根據這些工具代理實現的差異,大致可以分爲 hook 和 LD_PRELOAD 兩大類,典型的如 malloc debug [5] 和 LeakTracer。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"image","attrs":{"src":"https:\/\/static001.geekbang.org\/infoq\/c2\/c2ae99ef5328e3cc3eb0e404fcdbf620.png","alt":"圖片","title":null,"style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},{"type":"heading","attrs":{"align":null,"level":3},"content":[{"type":"text","text":"malloc debug"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"malloc debug 是 Android 系統自帶的內存調試工具(官方 Native 內存調試 有相關介紹 "},{"type":"text","marks":[{"type":"strong"}],"text":")"},{"type":"text","text":" ,雖然沒有額外的接入代碼,但開啓方式和核心功能等都受 Android 版本限制。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"image","attrs":{"src":"https:\/\/static001.geekbang.org\/infoq\/27\/27e4aed6efca2d594c038a03ab6dffbc.png","alt":"圖片","title":null,"style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"我們在線下嘗試使用 malloc debug 監控西瓜視頻 App(配置 wrap.sh)時發現,正常啓動時間小於 1s 的機型(Pixel 2 & Android 10),其冷啓動時間被拉長到了 11s+。而且在正常使用過程中滑動時的卡頓感非常明顯,頁面切換時耗時難以接受,監控過程中應用的使用體驗極差。不僅如此,西瓜視頻在 malloc debug 監控過程中還會遇到必現的棧回溯 crash(堆棧如下,《libunwind llvm 編年史》[8] 有相關分析)。"}]},{"type":"image","attrs":{"src":"https:\/\/static001.geekbang.org\/infoq\/3f\/3fdf67759d1574324b7d9f0d8798e7be.png","alt":"圖片","title":null,"style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},{"type":"heading","attrs":{"align":null,"level":3},"content":[{"type":"text","text":"LeakTracer"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"LeakTracer 是另一個比較知名的內存泄漏監控工具,其原理是:通過 LD_PRELOAD 機制搶先加載一個定義了 malloc\/calloc\/realloc\/memalign\/free 等同名函數的代理庫,這樣就全局代理了應用層內存的分配和釋放,通過 unwind 回溯調用棧並過濾出疑似的內存泄漏信息。Android 平臺上的 LD_PRELOAD 是被嚴格限制的,因爲其沒有獨立的 unwind 實現,依賴系統的 unwind 能力,也會遇到 malloc debug 遇到的棧幀兼容問題;如果把 LeakTracer 集成到目標 so 裏通過 override 方式實現代理,只能攔截到本 so 裏顯式的內存分配\/釋放,無法攔截到其他 so 和跨 so 調用的內存分配\/釋放。通過 native 插樁的方式也是如此,只能監控局部單純的內存泄漏,無法全局監控內存使用。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"綜合以上分析和接入體驗,我們不難發現,這些內存泄漏監控工具在 Android 平臺上實際接入時基本都存在以下三個比較典型的問題:"}]},{"type":"bulletedlist","content":[{"type":"listitem","attrs":{"listStyle":null},"content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","marks":[{"type":"strong"}],"text":"流程繁瑣"},{"type":"text","text":":需要配置 wrap.sh\/root permission\/setprop 等,受 Android 版本限制"}]}]},{"type":"listitem","attrs":{"listStyle":null},"content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","marks":[{"type":"strong"}],"text":"兼容問題"},{"type":"text","text":":unwind 庫存在嚴重的兼容性問題,libunwind_llvm 無法正確回溯 GNU 編譯的棧幀"}]}]},{"type":"listitem","attrs":{"listStyle":null},"content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","marks":[{"type":"strong"}],"text":"性能問題"},{"type":"text","text":":官方的 malloc debug 性能數據是損失 10 倍以上,實測西瓜開啓後在中高端機上不可用"}]}]}]},{"type":"heading","attrs":{"align":null,"level":2},"content":[{"type":"text","text":"我們的需求"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"西瓜視頻 App 是一個彙集了視頻播放、特效拍攝、視頻剪輯輯、P2P 加速等 native 代碼非常多的中大型應用,每個 native 代碼相關的模塊背後都有一個專業團隊在高速迭代,加上日人均使用時長超過 100 分鐘的影響,西瓜視頻 App 的 native 內存問題治理難度非常大。事實上,單純的內存泄漏問題相對較少,更多的是因爲業務邏輯不合理帶來的內存使用問題,需要工具滲透到 App 運行的過程中進行監控,無形中提高了對工具性能和穩定性的要求。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"線上 native 內存問題基本都是以虛擬內存觸頂的形式暴露出來的。在西瓜視頻 App 裏,虛擬內存的消耗除了上述幾大模塊外,還有其他幾個消耗大戶,如線程、webview、Flutter、硬件加速、顯存等。事實上,malloc\/calloc\/realloc\/memalign 等相對於 mmap\/mmap64 直接分配出的內存在整個虛擬內存空間中通常佔比比較小。因爲內存問題通常以虛擬內存耗盡的形式表現出來,只有儘可能多的收集各種內存消耗來無限逼近虛擬內存上限,才能準確找出虛擬內存耗盡的原因。因此,像 malloc debug 這樣只監控 malloc\/calloc\/realloc\/memalign\/free 等根本無法滿足內存治理需要,覆蓋 mmap\/mmap64\/munmap 等儘可能多的內存分配形式是監控工具必須要做的。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"綜合上面的分析可以得出,西瓜視頻 App 乃至整個字節跳動旗下其他 App, 對於一個通用的 native 內存泄漏監控工具的訴求主要有以下幾個方面:"}]},{"type":"bulletedlist","content":[{"type":"listitem","attrs":{"listStyle":null},"content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"接入層面:不依賴 Android 版本,無需 root,對業務滲透儘可能低"}]}]},{"type":"listitem","attrs":{"listStyle":null},"content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"穩定性:不存在影響業務的穩定性問題,可以滿足線上使用的訴求"}]}]},{"type":"listitem","attrs":{"listStyle":null},"content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"性能層面:沒有明顯的性能問題,達到可線上使用的標準"}]}]},{"type":"listitem","attrs":{"listStyle":null},"content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"監控範圍:不侷限於 malloc\/calloc\/realloc\/memalign\/free,至少還能覆蓋 mmap\/mmap64\/munmap"}]}]}]},{"type":"heading","attrs":{"align":null,"level":2},"content":[{"type":"text","text":"Raphael 核心設計"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"通過前面的分析可以知道,一個完整的 native 內存泄漏監控工具主要包含三部分:代理實現、棧回溯和緩存管理。代理實現是解決 Android 平臺上接入問題的關鍵,棧回溯是性能和穩定性的核心,緩存邏輯在一定程度上也會直接影響性能和穩定性。接下來我們會從四個方面介紹 Raphael 的核心設計。"}]},{"type":"heading","attrs":{"align":null,"level":3},"content":[{"type":"text","text":"代理實現"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"鑑於 wrap.sh 和 LD_PRELOAD 在 Android 平臺上不具有通用性,首先被排除。又因 malloc hook 只能代理 malloc\/calloc\/realloc\/free,無法覆蓋 mmap\/mmap64\/munmap,也被放棄。但受 malloc hook 實現方式的啓發,藉助於 inline hook \/ PLT hook 工具我們可以實現同樣的代理效果,這其中比較有代表性的工具主要有 Android-Inline-Hook[3] 和 xHook[1]。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"image","attrs":{"src":"https:\/\/static001.geekbang.org\/infoq\/0f\/0f0976b9b1e9ba996f78136c0078e2f9.png","alt":"圖片","title":null,"style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"xHook 是比較優秀的 PLT hook 工具代表,其穩定性可以達到上線標準。因其實現依賴正則,同時 hook 的 so 或函數比較多時,hook 耗時會比較明顯。此外,其原生實現只能 hook 當前已經加載的 so,對於未加載的沒做特殊處理,如果用來做長時間的進程級監控,需要解決增量 so hook 問題。不過這種 hook 方式非常適合做 so 定向監控。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"與 PLT hook 原理不同,inline hook 則是在目標函數的頭部直接插入跳轉指令,其 hook 的是最終的函數實現,不存在增量 so hook 問題,hook 效率高效直接。但 inline hook 在 hook 那些可能正在執行的函數後,需要掛起相關線程進行指令修正,這個是 inline hook 的痛點,現有 hook 實現很多沒有做指令修復,或者在指令修復時或多或少都存在一些問題。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"Raphael 在早期的驗證版本里採用 xHook 來實現代理接入。後續爲了實現長時間進程級監控,以覆蓋更多的業務場景,Raphael 又通過 Android-Inline-Hook 解決增量 so hook 問題,通過 xHook 實現定向監控。爲了進一步提升工具的性能和穩定性, Raphael 內部最新版本已切換到了 bytehook(字節跳動自研的 PLT hook 工具,可自動處理增量 so hook 問題)。"}]},{"type":"heading","attrs":{"align":null,"level":3},"content":[{"type":"text","text":"棧回溯"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"定位一個對象或者一段內存通常可以通過引用\/依賴關係,也可以通過創建\/分配時的堆棧。Java 堆內存因爲有明確的組織形式和清晰的依賴關係,可以通過依賴關係靜態分析內存泄漏問題。但 native 堆內存依賴\/引用比較隱晦,也沒有 Java 堆內存那樣明確的組織格式,無法通過依賴\/引用關係進行靜態分析,只能通過分配時的堆棧來輔助定位。棧回溯(unwind)是 native 層獲取調用堆棧的通用方式,是 native 內存泄漏監控工具不可或缺的核心,同時也是工具性能和穩定性的瓶頸所在。接下來本文將從棧回溯工具選取、限制棧回溯頻次、減少無用棧回溯三個方面介紹 Raphael 在棧回溯上所做的工作。"}]},{"type":"heading","attrs":{"align":null,"level":4},"content":[{"type":"text","text":"棧回溯工具選取"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"Android 平臺上常用的 32 位棧回溯庫主要有:libunwind_llvm、libunwind (nongnu)、libgcc_s、libudf、libbacktrace、libunwindstack 等,實踐證實這些工具或多或少都存在一些問題,以下是我們基於三個主流的棧回溯庫做的簡單對比分析(平臺:Pixel 2 & Android 10,性能:Demo 裏統計 16 層棧幀回溯的總耗時;兼容性:字節跳動旗下多個應用長時間的優化治理實踐)"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"image","attrs":{"src":"https:\/\/static001.geekbang.org\/infoq\/eb\/eb643acc80eae8ecda20861a784dcf5e.png","alt":"圖片","title":null,"style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"棧回溯涉及到的東西比較多,想要自己短時間內實現一個在穩定性、回溯性能、回溯成功率等方面都表現優異的 32 位棧回溯工具難度非常大。爲了快速驗證並解決實際機問題,Raphael 在早期版本里採用的是 libunwind_llvm,隨後切換到 libunwind_llvm & libunwind (nongnu),通過 libunwind_llvm 保證回溯性能,在回溯深度低於 2 層時切換到 libunwind (nongnu),以保證回溯成功率。最新版本里則採用的是 libudf,兼具了性能和回溯成功率。相對而言,64 位下基於 FP 的棧回溯實現性能和穩定性基本都能滿足需求,這裏不做過多介紹。Rapahel 同時也在設計時做了充分的擴展考慮,可以輕鬆切換到其他更優秀的棧回溯實現。"}]},{"type":"heading","attrs":{"align":null,"level":4},"content":[{"type":"text","text":"限制棧回溯頻次"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"即便是 libudf 實現,其在 demo 裏回溯 16 層棧幀的平均耗時也需要 0.6ms,監控工具實際運行時對 App 性能的影響是很明顯的。提升監控性能的途徑除了直接優化棧回溯性能外,減少回溯頻次也是十分有效的手段。我們在西瓜視頻 App 的優化治理實踐中發現,多數場景小於 1024 byte 的內存分配其頻率約佔 70% 以上,但線上遇到的 native 內存觸頂問題,卻很少是由小內存泄漏引發的,監控小內存泄漏對於解決線上 native 內存觸頂問題沒有實質效果。即便真的是由小內存引發的,這個需要高頻和必現的場景才能達到,這類問題通常在線下單測(定向監控)場景是完全可以覆蓋到的。基於此,Raphael 通過設定內存閾值來控制棧回溯頻次,可以大幅降低棧回溯的性能損耗。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"image","attrs":{"src":"https:\/\/static001.geekbang.org\/infoq\/d6\/d67d6dfad4e561d27011f437df95cbfb.png","alt":"圖片","title":null,"style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},{"type":"heading","attrs":{"align":null,"level":4},"content":[{"type":"text","text":"減少無用棧回溯"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"受限於代理流程和棧回溯實現機制,從代理函數入口到回溯開始的路徑上會存在幾層跟分配堆棧無關的函數調用,這幾層調用最終會體現在最後回溯成功的堆棧上(下圖的紅色部分),每次內存分配都回溯這幾層無用的調用鏈是十分損耗性能的。解決這種問題的直觀方法就是減少甚至完全規避這種無關的棧回溯,體現在代碼層面就是減少代理入口到回溯開啓函數之間的調用層級。inline 是一種簡單直接的實現方式,也可以直接在代理入口處提前構建回溯的 context 數據。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"image","attrs":{"src":"https:\/\/static001.geekbang.org\/infoq\/96\/96818685935b80a7293a3ee2bd7ef52e.png","alt":"圖片","title":null,"style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},{"type":"heading","attrs":{"align":null,"level":3},"content":[{"type":"text","text":"緩存管理"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"緩存管理作爲 native 內存監控的重要一環,對整個監控工具性能的影響至關重要。以 malloc debug 和LeakTracer 爲例,它們都是通過分配後的內存地址作爲 key 來計算 hash 後散列存儲的,並通過一個全局鎖來同步緩存更新的時序。兩者不同的是,malloc debug 會通過堆棧聚合調用鏈完全相同的內存分配記錄,其緩存的存儲單元通過 malloc 動態分配;而 LeakTracer 則不會根據堆棧聚合,其存儲單元會預先分配一部分,緩存不足時也會動態申請。通過以上分析和實測可以發現,malloc debug 的實際性能比LeakTracer 低很多,原因主要體現在堆棧聚合和緩存動態分配上。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"image","attrs":{"src":"https:\/\/static001.geekbang.org\/infoq\/f0\/f0f51f332d2bcbbc9bdde76e413b8a5a.png","alt":"圖片","title":null,"style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"對比 malloc debug 和 LeakTracer 的源碼也可以發現:運行時的堆棧聚合是完全沒有必要的;如果限制內存監控的閾值,緩存空間和緩存單元的上限都可以控制在一定範圍內的,不需要動態申請,可以減少動態分配的性能損耗;此外,由於 native 內存分配和釋放頻率比較高,全局鎖一定程序上會影響整體性能,通過 key 計算 hash 後再散列存儲時不需要全局鎖。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"Raphael 是預先分配固定大小的緩存空間,除了發生內存觸頂導致的 crash 外,緩存單元提前耗完也認爲存在內存泄漏問題。這主要是因爲:對於 32 位進程,其虛擬內存的上限通常是 4G,正常運行時相對比較容易觸達上限,而 64 位進程的虛擬地址空間非常大,實際很難遇到虛擬內存觸頂的 case,但遇到物理內存不足的概率則要大很多,這與 32 位進程基本相反。通過控制 vmPeak 閾值和緩存單元餘量可以有效捕捉到內存泄漏數據,最終實現穩定可靠的全自動內存泄漏監控及消費流程"}]},{"type":"image","attrs":{"src":"https:\/\/static001.geekbang.org\/infoq\/6c\/6c070c153dda4537933dec8c303c2407.png","alt":"圖片","title":null,"style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"image","attrs":{"src":"https:\/\/static001.geekbang.org\/infoq\/6c\/6cd9c02d0eaae12158c2c705d4e7fedb.png","alt":"圖片","title":null,"style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},{"type":"heading","attrs":{"align":null,"level":3},"content":[{"type":"text","text":"監控範圍"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"通過前面的分析可以知道,只監控 malloc\/calloc\/realloc\/memalign\/free 是無法滿足治理需求的,這主要是因爲 malloc\/calloc\/realloc\/memalign\/free 等分配出的內存通常在整個虛擬內存空間裏佔比較小,常見的內存消耗大戶 Thread、webview、Flutter、硬件加速、顯存等,都不是通過這些函數分配出的。爲了能夠對 Android 平臺上的 native 內存觸頂問題精準歸因,監控需要無限逼近虛擬內存的上限,這就需要監控儘可能多的內存分配形式。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"Android 上的內存操作主要是 malloc\/calloc\/realloc\/memalign\/free 和 mmap\/mmap64\/munmap,同監控 malloc\/calloc\/realloc\/memalign\/free 相比,監控 mmap\/mmap64\/munmap 有兩點不同:一個是線程棧的釋放問題,雖然創建線程時是通過 mmap\/mmap64 分配的棧內存,但棧內存的釋放並不一定是通過顯式調用 munmap 實現的;另一個是監控重入問題,當通過 malloc\/calloc\/realloc\/memalign 等分配大內存時,底層通常是通過 mmap\/mmap64 實現的,兩類接口同時監控時會存在重入問題。"}]},{"type":"heading","attrs":{"align":null,"level":4},"content":[{"type":"text","text":"棧內存釋放"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"線程的棧內存又分爲信號棧和執行棧,信號棧在調用"},{"type":"text","marks":[{"type":"strong"}],"text":"void pthread_exit(void *return_value)"},{"type":"text","text":" 接口時會通過 munmap 即刻釋放,而執行棧的釋放則有兩種形式:"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"bulletedlist","content":[{"type":"listitem","attrs":{"listStyle":null},"content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"void pthread_exit(void "},{"type":"text","marks":[{"type":"italic"}],"text":"return_value) 函數體裏,當線程狀態爲 THREAD_DETACHED 時會直接通過 void _exit_with_stack_teardown(void"},{"type":"text","text":"stack, size_t sz) 釋放"}]}]}]},{"type":"image","attrs":{"src":"https:\/\/static001.geekbang.org\/infoq\/69\/6968ff9682de60af41adc9e3ee576c18.png","alt":"圖片","title":null,"style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"image","attrs":{"src":"https:\/\/static001.geekbang.org\/infoq\/a3\/a3e97a3eb2d93e52f3464616b2b45e8a.png","alt":"圖片","title":null,"style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},{"type":"bulletedlist","content":[{"type":"listitem","attrs":{"listStyle":null},"content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"int pthread_join(pthread_t t, void** return_value) 裏通過 "},{"type":"text","marks":[{"type":"strong"}],"text":"pthread_internal_remove_and_free,最終在"},{"type":"text","text":"pthread_internal_free 裏通過 munmap 釋放"}]}]}]},{"type":"image","attrs":{"src":"https:\/\/static001.geekbang.org\/infoq\/86\/86180777711e03a662a38115a5751af5.png","alt":"圖片","title":null,"style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"image","attrs":{"src":"https:\/\/static001.geekbang.org\/infoq\/a1\/a17edb1687615bde771af3d2010db7fd.png","alt":"圖片","title":null,"style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"綜上,最終通過 munmap 釋放的內存都可以被監控到,而通過_exit_with_stack_teardown 釋放的內存則無法攔截到。我們針對這種情況做了特殊處理:在 Raphael 裏代理攔截了 void pthread_exit(void *) ,並判斷此時線程狀態是否爲 THREAD_DETACHED,如果是則在監控裏直接移除相關記錄,否則不移除。"}]},{"type":"heading","attrs":{"align":null,"level":4},"content":[{"type":"text","text":"重入問題"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"下圖是一個典型的重入現場,其上層的 malloc 函數最終調用到了 mmap 函數,同時監控兩類內存接口時就會遇到此類問題。重入問題帶來的一個挑戰是緩存如何管理,同一個緩存裏只能維護一個記錄,維護兩個記錄的邏輯和性能過於複雜。此外,從 malloc 到 mmap 的堆棧是固定的,這幾層堆棧對分析內存泄漏完全沒用,因爲這個時候關注的是 malloc 之上的堆棧。"}]},{"type":"image","attrs":{"src":"https:\/\/static001.geekbang.org\/infoq\/6a\/6a3ebbfc9a0bc45d83a9d19e1a417c08.png","alt":"圖片","title":null,"style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"解決重入問題的方案很直接,在檢測到 mmap\/mmap64 之上有 malloc\/calloc\/realloc 等棧幀時,忽略本次分配。這樣不僅解決了重入問題,也避免了不必要的棧回溯。因爲 Android 平臺不支持 thread local storage(TLS),只能通過 pthread_setspecific 和 pthread_getspecific 實現。"}]},{"type":"image","attrs":{"src":"https:\/\/static001.geekbang.org\/infoq\/78\/786c4f7fe2b9ecc7a036735a48ce76dd.png","alt":"圖片","title":null,"style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},{"type":"heading","attrs":{"align":null,"level":2},"content":[{"type":"text","text":"綜合評估"}]},{"type":"heading","attrs":{"align":null,"level":3},"content":[{"type":"text","text":"功能"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"相對於 malloc debug 和 LeakTracer,Raphael 不僅支持 malloc\/calloc\/realloc\/memalign\/free,也支持監控 mmap\/mmap64\/munmap 等,使監控範圍擴展到了線程、webview、Flutter、顯存等,基本完全覆蓋了 Android 平臺上的 native 內存使用場景。"}]},{"type":"heading","attrs":{"align":null,"level":3},"content":[{"type":"text","text":"性能"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"Android 平臺上的 native 內存泄漏檢測通常都是在程序運行過程中進行的,棧回溯和緩存管理會消耗部分 CPU 和內存,帶來一定的性能損失。Raphael 可配置的監控能力有很大的伸縮性,性能影響可以限制在可接受範圍內,以下數據基於西瓜視頻 App 32 位模式評測(中高端機型和 64 位下的性能更高):"}]},{"type":"bulletedlist","content":[{"type":"listitem","attrs":{"listStyle":null},"content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"CPU:32 位模式 & ≥1024 的監控閾值下,在低端機上 CPU 消耗< 3%"}]}]},{"type":"listitem","attrs":{"listStyle":null},"content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"內存:32 位模式下默認會有約 16M 的虛擬內存消耗"}]}]},{"type":"listitem","attrs":{"listStyle":null},"content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"幀率:32 位模式 & ≥1024 的監控閾值下,低端機上幀率沒有明顯變化"}]}]}]},{"type":"heading","attrs":{"align":null,"level":3},"content":[{"type":"text","text":"穩定性"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"已開源的版本是基於開源 inline hook 實現的,在部分 Android 6 機型上存在卡死問題,除此之外暫未發現其他穩定性問題。此外,字節跳動這邊早期的治理實踐集中在線下,並基於 Raphael 建設完善了線下的防治體系,更爲穩定的版本可以滿足線上的監控需求,我們會在後續迭代開源。"}]},{"type":"heading","attrs":{"align":null,"level":2},"content":[{"type":"text","text":"治理實踐"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"Raphael 在字節跳動內部使用非常廣泛,是字節跳動 native 協會指定的 native 內存泄漏檢測工具。在治理實踐中,Raphael 覆蓋了幾乎所有的 native 內存使用場景,輔助解決了大量的 native 內存泄漏和內存使用不合理的問題。接下來通過四個典型的案例簡單介紹下 Raphael 的監控能力和基於 Raphael 的數據分析方法(應用自身的,Java 層的,webview 的,系統層的)。"}]},{"type":"heading","attrs":{"align":null,"level":3},"content":[{"type":"text","text":"案例 1"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"下圖是西瓜視頻裏兩個比較典型的 native 內存問題現場,既有嚴格意義上的內存泄漏(用完之後未釋放),也有更爲廣泛的內存不合理使用的問題(短暫泄漏、局部場景問題、上層業務邏輯問題等)。針對內存泄漏問題,在明確了相關內存的生命週期之後,可以相對輕鬆的快速定位到。對於內存使用不合理的問題,則需要儘可能多的蒐集未釋放的內存,來綜合評估影響。"}]},{"type":"image","attrs":{"src":"https:\/\/static001.geekbang.org\/infoq\/d3\/d33d6b7f3584b0501e9404f38d15b994.png","alt":"圖片","title":null,"style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"早期在分析數據時,我們也會通過 maps 來驗證 Raphael 的數據。通常通過分析 maps 可以大致知道內存觸頂的原因,下圖是一個典型的運行時通過 malloc\/calloc\/realloc\/memalign 和 mmap\/mmap64 分配的內存過多導致的 OOM 現場。"}]},{"type":"image","attrs":{"src":"https:\/\/static001.geekbang.org\/infoq\/08\/08dffb5acc93886237266b935a82a9f9.png","alt":"圖片","title":null,"style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},{"type":"heading","attrs":{"align":null,"level":3},"content":[{"type":"text","text":"案例 2"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"下圖是字節跳動內部一個業務遇到的 native 內存問題現場,未接入 Raphael 前雖能輕鬆復現 native 內存增長的問題,但無法定位內存增長的原因。在接入 Raphael 後,雖然攔截到的內存並不多,但問題暴露的非常明顯。排名第一個的堆棧是 Java 層創建 bitmap 對象時調用到 native 層堆棧(Android 8 以後 Bitmap 的數據是存儲在 native 層),該問題的調查最終轉移到了 Java 層。"}]},{"type":"image","attrs":{"src":"https:\/\/static001.geekbang.org\/infoq\/95\/956ef6fe2ddf3aaea48542b553e32d06.png","alt":"圖片","title":null,"style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"基於以上分析,我們可以斷定 Java 層的堆內存裏一定存在大量的 Bitmap 對象。因爲該問題是線下可復現的,我們可以很容易的通過 Java 堆內存快照驗證並定位到問題原因(如下圖所示)。如果是線上,我們需要抓取異常現場的快照才能最終定位,這也正是 "},{"type":"link","attrs":{"href":"https:\/\/mp.weixin.qq.com\/s?__biz=MzI1MzYzMjE0MQ==&mid=2247487203&idx=1&sn=182584b69910c843ae95f60e74127249&scene=21#wechat_redirect","title":null,"type":null},"content":[{"type":"text","text":"西瓜視頻穩定性治理體系建設一:Tailor 原理及實踐"}],"marks":[{"type":"strong"}]},{"type":"text","text":" 裏所提到的通用異常數據蒐集建設。"}]},{"type":"image","attrs":{"src":"https:\/\/static001.geekbang.org\/infoq\/6c\/6c903ec280f4903c31b832a50d136385.png","alt":"圖片","title":null,"style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},{"type":"heading","attrs":{"align":null,"level":3},"content":[{"type":"text","text":"案例 3"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"一直以來 Android 設備上 webview 消耗的內存很少被重視,隨着前端業務場景增多,webview 導致的內存問題也越來越明顯、越來越頻繁。下圖是 Raphael 在西瓜視頻 App 裏監控到的一個前端活動頁導致的內存問題現場。由於系統 webview 自身的原因,工具無法回溯出完整的調用棧,無法直觀定位到問題原因。最終我們通過定向分析內存數據,定位到這些內存基本都是前端頁面裏緩存的圖片資源,在對該頁面的圖片緩存策略進行優化之後,相關的內存觸頂的異常大幅降低。"}]},{"type":"image","attrs":{"src":"https:\/\/static001.geekbang.org\/infoq\/e1\/e19f999b05563a1bb0c8e50ed71f8cfd.png","alt":"圖片","title":null,"style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},{"type":"heading","attrs":{"align":null,"level":3},"content":[{"type":"text","text":"案例 4"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"下圖是 Android 系統上長期存在的一類 Camera 內存泄漏現場。通過分析源碼可知,Camera 在拍攝過程中會在 native 層持續構造 CameraMetadata 實例,而每個 CameraMetadata 對象都會指向一塊不小的 native 內存,這塊 native 內存的釋放依賴 Java 層的 CameraMetadataNative 對象執行 finalize 函數。這個邏輯最終導致這部分 native 內存的回收間接依賴 Java 層的 GC。如果一段時間內 Java 層沒有 GC ,這部分 native 內存就會因爲沒有及時釋放而堆積,進而在觸頂後引發各種因 native 內存不足而導致的異常。"},{"type":"link","attrs":{"href":"https:\/\/mp.weixin.qq.com\/s?__biz=MzI1MzYzMjE0MQ==&mid=2247486499&idx=1&sn=1f38a8dd301d6fe1d0b62f7e027113de&scene=21#wechat_redirect","title":null,"type":null},"content":[{"type":"text","text":"《Android Camera 內存問題剖析》"}],"marks":[{"type":"strong"}]},{"type":"text","text":"裏有詳細的分析過程,《ART 視角 | 如何讓 GC 同步回收 native 內存》針對此類問題也同步給出了方案,通過溝通 Android 團隊表示會在後續版本里徹底修復此問題。"}]},{"type":"image","attrs":{"src":"https:\/\/static001.geekbang.org\/infoq\/4f\/4fff3acf2226a4c00e24cb6fd4b8072e.png","alt":"圖片","title":null,"style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},{"type":"heading","attrs":{"align":null,"level":2},"content":[{"type":"text","text":"後續規劃"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"Native 內存泄漏監控的原理相對簡單,但想要做到完美通用卻很困難,最主要的考驗當屬性能和穩定性問題,例如 32 位棧回溯的性能和穩定性、緩存管理的性能等。前期我們在調研和開發 Raphael 時,基於快速落地和解決緊迫問題的目的,複用了大量第三方代碼,並簡化了很多邏輯。經過長期的治理實踐,工具自身也暴露出一些問題和後續可以優化的方向。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"就代理邏輯而言,Android-Inline-Hook 和 And64InlineHook 雖然都是比較優秀的 inline hook 工具,但實際使用時仍然存在兼容和卡死的問題。雖然 xHook 在兼容性和性能上都可以達到上線標準,但不具有通用性,很難將 native 內存泄漏監控擴展到其他有上限的資源上(如 JNI Reference Table)。我們也在調研優化 inline hook,探索更爲穩定高效的 hook 方案。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"棧回溯和緩存管理是 native 內存泄漏監控性能和穩定性的瓶頸。相對而言,基於 FP 的 64 位棧回溯方案已經到了極致,但 32 位下目前仍沒有完美理想的方案。在 32 位下,Raphael 通過限制棧回溯深度和控制監控範圍來規避頻繁棧回溯帶來的性能影響,雖然可以大幅提升性能,但也存在漏報問題。因此,32 位棧回溯性能也是我們後續的優化方向。此外,Raphael 已開源的版本其緩存管理仍然是通過全局鎖來實現同步的,會有一定的性能損失,這個我們也會在後續的開源迭代裏同步最新的優化。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"衆所周知,物理內存、虛擬內存、Thread、FD、JNI Reference Table 等都是典型的有上限的資源,不合理使用都會造成常規手段難以調查的穩定性問題。顯而易見,內存泄漏的監控邏輯, 同樣適用於其他這些有上限的資源。甚至於那些雖然沒有明確上限的(如 Binder、流量、耗時等),我們也可以構造出相應的上限來實現監控和溯源。基於 Raphael 擴展其他的監控能力是我們後續要高優完善的。"}]},{"type":"heading","attrs":{"align":null,"level":2},"content":[{"type":"text","text":"總結"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"Android native 內存泄漏話題由來已久,在此之前業界一直沒有穩定可靠的工具可用,得益於 AOSP 和其他優秀的開源項目(Android-Inline-Hook、And64InlineHook、xHook、xDL),使得我們有機會進行相關的嘗試。Raphael 是西瓜視頻基礎技術團隊的初步探索和嘗試,在字節跳動內部衆多 App (如西瓜、抖音、頭條)長期的治理實踐中,不僅解決了大量疑難問題,也進一步完善了工具和方法論。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"雖然基於 Raphael 的 native 內存泄漏監控方案目前已經足夠成熟和穩定,但其監控過程畢竟滲透到了 App 的運行過程,會有一定程度的性能損失和穩定性風險。我們倡導的方案是基於此來建設完善線下的內存泄漏防治體系,謹慎帶到線上。由於內部迭代的 Raphael 版本比較多,且涉及其他未開源的項目,本次開源我們只能選擇其中一個穩定可用的版本,其他優化會在後續逐步開源。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"Raphael 只是邁開了其中的一小步,方案還有很大的優化空間。開源不是終點,我們希望集思廣益、共同探索完善,在 Android 穩定性治理上走的更快更遠。"}]},{"type":"heading","attrs":{"align":null,"level":2},"content":[{"type":"text","text":"相關資料"}]},{"type":"numberedlist","attrs":{"start":null,"normalizeStart":1},"content":[{"type":"listitem","attrs":{"listStyle":null},"content":[{"type":"paragraph","attrs":{"indent":0,"number":1,"align":null,"origin":null},"content":[{"type":"text","marks":[{"type":"strong"}],"text":"Raphael 開源地址:"}]},{"type":"paragraph","attrs":{"indent":0,"number":2,"align":null,"origin":null},"content":[{"type":"text","text":"https:\/\/github.com\/bytedance\/memory-leak-detector"}]}]},{"type":"listitem","attrs":{"listStyle":null},"content":[{"type":"paragraph","attrs":{"indent":0,"number":3,"align":null,"origin":null},"content":[{"type":"text","marks":[{"type":"strong"}],"text":"xHook 鏈接:"}]},{"type":"paragraph","attrs":{"indent":0,"number":4,"align":null,"origin":null},"content":[{"type":"text","text":"https:\/\/github.com\/iqiyi\/xHook"}]}]},{"type":"listitem","attrs":{"listStyle":null},"content":[{"type":"paragraph","attrs":{"indent":0,"number":5,"align":null,"origin":null},"content":[{"type":"text","marks":[{"type":"strong"}],"text":"xDL 鏈接:"}]},{"type":"paragraph","attrs":{"indent":0,"number":6,"align":null,"origin":null},"content":[{"type":"text","text":"https:\/\/github.com\/hexhacking\/xDL"}]}]},{"type":"listitem","attrs":{"listStyle":null},"content":[{"type":"paragraph","attrs":{"indent":0,"number":7,"align":null,"origin":null},"content":[{"type":"text","marks":[{"type":"strong"}],"text":"Android-Inline-Hook 鏈接:"}]},{"type":"paragraph","attrs":{"indent":0,"number":8,"align":null,"origin":null},"content":[{"type":"text","text":"https:\/\/github.com\/ele7enxxh\/Android-Inline-Hook"}]}]},{"type":"listitem","attrs":{"listStyle":null},"content":[{"type":"paragraph","attrs":{"indent":0,"number":9,"align":null,"origin":null},"content":[{"type":"text","marks":[{"type":"strong"}],"text":"And64InlineHook 鏈接:"}]},{"type":"paragraph","attrs":{"indent":0,"number":10,"align":null,"origin":null},"content":[{"type":"text","text":"https:\/\/github.com\/Rprop\/And64InlineHook"}]}]},{"type":"listitem","attrs":{"listStyle":null},"content":[{"type":"paragraph","attrs":{"indent":0,"number":11,"align":null,"origin":null},"content":[{"type":"text","marks":[{"type":"strong"}],"text":"malloc debug 鏈接:"},{"type":"text","text":"https:\/\/android.googlesource.com\/platform\/bionic\/+\/master\/libc\/malloc_debug\/README.md"}]}]},{"type":"listitem","attrs":{"listStyle":null},"content":[{"type":"paragraph","attrs":{"indent":0,"number":12,"align":null,"origin":null},"content":[{"type":"text","marks":[{"type":"strong"}],"text":"LeakTracer 鏈接:"}]},{"type":"paragraph","attrs":{"indent":0,"number":13,"align":null,"origin":null},"content":[{"type":"text","text":"http:\/\/www.andreasen.org\/LeakTracer\/"}]}]},{"type":"listitem","attrs":{"listStyle":null},"content":[{"type":"paragraph","attrs":{"indent":0,"number":14,"align":null,"origin":null},"content":[{"type":"link","attrs":{"href":"http:\/\/mp.weixin.qq.com\/s?__biz=MzI1MzYzMjE0MQ==&mid=2247486499&idx=1&sn=1f38a8dd301d6fe1d0b62f7e027113de&chksm=e9d0c7c1dea74ed70621fb46b1f081626177610d98e1fbb4c4867099eb43edc051f61f1a2371&scene=21#wechat_redirect","title":null,"type":null},"content":[{"type":"text","text":" Android Camera內存問題剖析"}]}]}]},{"type":"listitem","attrs":{"listStyle":null},"content":[{"type":"paragraph","attrs":{"indent":0,"number":15,"align":null,"origin":null},"content":[{"type":"text","text":" "},{"type":"text","marks":[{"type":"strong"}],"text":"libunwind llvm 編年史:"}]}]}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":" https:\/\/zhuanlan.zhihu.com\/p\/33937283"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":" 10. "},{"type":"text","marks":[{"type":"strong"}],"text":"ART 視角 | 如何讓 GC 同步回收 native 內存:"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":" https:\/\/juejin.cn\/post\/6894153239907237902"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"本文轉載自:字節跳動技術團隊(ID:toutiaotechblog)"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"原文鏈接:"},{"type":"link","attrs":{"href":"https:\/\/mp.weixin.qq.com\/s\/RF3m9_v5bYTYbwY-d1RloQ","title":"xxx","type":null},"content":[{"type":"text","text":"西瓜視頻穩定性治理體系建設二:Raphael 原理及實踐"}]}]}]}
發表評論
所有評論
還沒有人評論,想成為第一個評論的人麼? 請在上方評論欄輸入並且點擊發布.
相關文章