Copyright 1988, 1989 Hans-J. Boehm, Alan J. Demers Copyright (c) 1991, 1992 by Xerox Corporation. All rights reserved. THIS MATERIAL IS PROVIDED AS IS, WITH ABSOLUTELY NO WARRANTY EXPRESSED OR IMPLIED. ANY USE IS AT YOUR OWN RISK. Permission is hereby granted to copy this garbage collector for any purpose, provided the above notices are retained on all copies. This is version 2.6. Note that functions were renamed since version 1.9 to make naming consistent with PCR collectors. HISTORY - Early versions of this collector were developed as a part of research projects supported in part by the National Science Foundation and the Defense Advance Research Projects Agency. The SPARC specific code was contributed by Mark Weiser (weiser@parc.xerox.com). The Encore Multimax modifications were supplied by Kevin Kenny (kenny@m.cs.uiuc.edu). The adaptation to the RT is largely due to Vernon Lee (scorpion@rice.edu), on machines made available by IBM. Much of the HP specific code and a number of good suggestions for improving the generic code are due to Walter Underwood (wunder@hp-ses.sde.hp.com). Robert Brazile (brazile@diamond.bbn.com) originally supplied the ULTRIX code. Al Dosser (dosser@src.dec.com) and Regis Cridlig (Regis.Cridlig@cl.cam.ac.uk) subsequently provided updates and information on variation between ULTRIX systems. Parag Patel (parag@netcom.com) supplied the A/UX code. Bill Janssen (janssen@parc.xerox.com) supplied the SunOS dynamic loader specific code. Manuel Serrano (serrano@cornas.inria.fr) supplied linux and Sony News specific code. (Blame for misinstallation of those modifications goes to the first author, however.) Some of the improvements incorporated in this version were suggested by David Chase, then at Olivetti Research. Much of the code was rewritten by Hans-J. Boehm at Xerox PARC. This is intended to be a general purpose, garbage collecting storage allocator. The algorithms used are described in: Boehm, H., and M. Weiser, "Garbage Collection in an Uncooperative Environment", Software Practice & Experience, September 1988, pp. 807-820. Some of the ideas underlying the collector have previously been explored by others. (Doug McIlroy wrote a vaguely similar collector that is part of version 8 UNIX (tm).) However none of this work appears to have been widely disseminated. This collector includes numerous refinements not described in the above paper. Rudimentary tools for use of the collector as a leak detector are included. GENERAL DESCRIPTION This is a garbage colecting storage allocator that is intended to be used as a plug-in replacement for C's malloc. Since the collector does not require pointers to be tagged, it does not attempt to ensure that all inaccessible storage is reclaimed. However, in our experience, it is typically more successful at reclaiming unused memory than most C programs using explicit deallocation. Unlike manually introduced leaks, the amount of unreclaimed memory typically stays bounded. In the following, an "object" is defined to be a region of memory allocated by the routines described below. Any objects not intended to be collected must be pointed to either from other such accessible objects, or from the registers, stack, data, or statically allocated bss segments. Pointers from the stack or registers may point to anywhere inside an object. However, it is usually assumed that all pointers originating in the heap point to the beginning of an object. (This does not disallow interior pointers; it simply requires that there must be a pointer to the beginning of every accessible object, in addition to any interior pointers.) There are two facilities for altering this behavior. The macro ALL←INTERIOR←POINTERS may be defined in gc←private.h to cause any pointer into an object to retain the object. A routine GC←register←displacement is provided to allow for more controlled interior pointer use in the heap. Defining ALL←INTERIOR←POINTERS is somewhat dangerous. See gc←private.h for details. The routine GC←register←displacement is described in gc.h. Note that pointers inside memory allocated by the standard "malloc" are not seen by the garbage collector. Thus objects pointed to only from such a region may be prematurely deallocated. It is thus suggested that the standard "malloc" be used only for memory regions, such as I/O buffers, that are guaranteed not to contain pointers. Pointers in C language automatic, static, or register variables, are correctly recognized. The collector does not generally know how to find pointers in data areas that are associated with dynamic libraries. This is easy to remedy IF you know how to find those data areas on your operating system (see GC←add←roots). Code for doing this under SunOS4.X only is included (see dynamic←load.c). (Note that it includes a special version of dlopen, GC←dlopen, that should be called instead of the standard one. By default, this is not compiled in, since it requires the -ldl library.) Note that the garbage collector does not need to be informed of shared read-only data. However if the shared library mechanism can introduce discontiguous data areas that may contain pointers, then the collector does need to be informed. Signal processing for most signals is normally deferred during collection, and during uninterruptible parts of the allocation process. Unlike standard ANSI C mallocs, it is intended to be safe to invoke malloc from a signal handler while another malloc is in progress, provided the original malloc is not restarted. (Empirically, many UNIX applications already asssume this.) The allocator/collector can also be configured for thread-safe operation. (Full signal safety can also be acheived, but only at the cost of two system calls per malloc, which is usually unacceptable.) INSTALLATION AND PORTABILITY As distributed, the macro SILENT is defined at the top of gc←private.h. In the event of problems, this can be removed to obtain a moderate amount of descriptive output for each collection. (The given statistics exhibit a few peculiarities. Things don't appear to add up for a variety of reasons, most notably fragmentation losses. These are probably much more significant for the contrived program "test.c" than for your application.) Note that typing "make test" will automatically build the collector and then run setjmp←test and gctest. Setjmp←test will give you information about configuring the collector, which is useful primarily if you have a machine that's not already supported. Gctest is a somewhat superficial test of collector functionality. Failure is indicated by a core dump or a message to the effect that the collector is broken. Gctest takes about 20 seconds to run on a SPARCstation 2. On a slower machine, expect it to take a while. It may use up to 8 MB of memory. (The multi-threaded version will use more.) The Makefile will generate a library gc.a which you should link against. It is suggested that if you need to replace a piece of the collector (e.g. GC←mark←roots.c) you simply list your version ahead of gc.a on the ld command line, rather than replacing the one in gc.a. (This will generate numerous warnings under some versions of AIX, but it still works.) The collector currently is designed to run essentially unmodified on the following machines: Sun 3 Sun 4 under SunOS 4.X or Solaris2.X Vax under 4.3BSD, Ultrix Intel 386 or 486 under OS/2 (no threads) or linux. Sequent Symmetry (no concurrency) Encore Multimax (no concurrency) MIPS M/120 (and presumably M/2000) (RISC/os 4.0 with BSD libraries) IBM PC/RT (Berkeley UNIX) IBM RS/6000 HP9000/300 HP9000/700 DECstations under Ultrix SGI workstations under IRIX Sony News Apple MacIntosh under A/UX For these machines you should check the beginning of gc.h to verify that the machine type is correctly defined. On nonSun machines, you may also need to make changes to the Makefile, as described by comments there. Dynamic libraries are completely supported only under SunOS4.X (and even that support is not functional on the last Sun 3 release). On other machines we recommend that you do one of the following: 1) Add dynamic library support (and send us the code). 2) Use static versions of the libraries. 3) Arrange for dynamic libraries to use the standard malloc. This is still dangerous if the library stores a pointer to a garbage collected object. But nearly all standard interfaces prohibit this, because they deal correctly with pointers to stack allocated objects. (Strtok is an exception. Don't use it.) In all cases we assume that pointer alignment is consistent with that enforced by the standard C compilers. If you use a nonstandard compiler you may have to adjust the alignment parameters defined in gc←private.h. A port to a machine that is not byte addressed, or does not use 32 bit addresses will require a major effort. (Parts of the code try to anticipate 64 bit addresses. Others will need to be rewritten, since different data structures are needed.) A port to MSDOS is hopeless, unless you are willing to assume an 80386 or better, and that only flat 32 bit pointers will ever be used. For machines not already mentioned, or for nonstandard compilers, the following are likely to require change: 1. The parameters at the top of gc←private.h. The parameters that will usually require adjustment are STACKBOTTOM, ALIGNMENT and DATASTART. Setjmp←test prints its guesses of the first two. DATASTART should be an expression for computing the address of the beginning of the data segment. This can often be &etext. But some memory management units require that there be some unmapped space between the text and the data segment. Thus it may be more complicated. On UNIX systems, this is rarely documented. But the adb "$m" command may be helpful. (Note that DATASTART will usually be a function of &etext. Thus a single experiment is usually insufficient.) STACKBOTTOM is used to initialize GC←stackbottom, which should be a sufficient approximation to the coldest stack address. On some machines, it is difficult to obtain such a value that is valid across a variety of MMUs, OS releases, etc. A number of alternatives exist for using the collector in spite of this. See the discussion in gc←private.h immediately preceding the various definitions of STACKBOTTOM. 2. mach←dep.c. The most important routine here is one to mark from registers. The distributed file includes a generic hack (based on setjmp) that happens to work on many machines, and may work on yours. Try compiling and running setjmp←test.c to see whether it has a chance of working. (This is not correct C, so don't blame your compiler if it doesn't work. Based on limited experience, register window machines are likely to cause trouble. If your version of setjmp claims that all accessible variables, including registers, have the value they had at the time of the longjmp, it also will not work. Vanilla 4.2 BSD makes such a claim. SunOS does not.) If your compiler does not allow in-line assembly code, or if you prefer not to use such a facility, mach←dep.c may be replaced by a .s file (as we did for the MIPS machine and the PC/RT). 3. mark←roots.c. These are the top level mark routines that determine which sections of memory the collector should mark from. This is normally not architecture specific (aside from the macros defined in gc←private.h and referenced here), but it can be programming language and compiler specific. The supplied routine should work for most C compilers running under UNIX. Calls to GC←add←roots may sometimes be used for similar effect. 4. The sigsetmask call does not appear to exist under early system V UNIX. It is used by the collector to block and unblock signals at times at which an asynchronous allocation inside a signal handler could not be tolerated. Under system V, it is possible to remove these calls, provided no storage allocation is done by signal handlers. The alternative is to issue a sequence of system V system calls, one per signal that is actually used. This may be a bit slow. For a different versions of Berkeley UN*X or different machines using the Motorola 68000, Vax, SPARC, 80386, NS 32000, PC/RT, or MIPS architecture, it should frequently suffice to change definitions in gc←private.h. THE C INTERFACE TO THE ALLOCATOR The following routines are intended to be directly called by the user. Note that usually only GC←malloc is necessary. GC←clear←roots and GC←add←roots calls may be required if the collector has to trace from nonstandard places (e.g. from dynamic library data areas on a machine on which the collector doesn't already understand them.) On some machines, it may be desirable to set GC←stacktop to a good approximation of the stack base. (This enhances code portability on HP PA machines, since there is no good way for the collector to compute this value.) Client code may include "gc.h", which defines all of the following, plus a few others. 1) GC←malloc(nbytes) - allocate an object of size nbytes. Unlike malloc, the object is cleared before being returned to the user. Gc←malloc will invoke the garbage collector when it determines this to be appropriate. GC←malloc may return 0 if it is unable to acquire sufficient space from the operating system. This is the most probable consequence of running out of space. Other possible consequences are that a function call will fail due to lack of stack space, or that the collector will fail in other ways because it cannot maintain its internal data structures, or that a crucial system process will fail and take down the machine. Most of these possibilities are independent of the malloc implementation. 2) GC←malloc←atomic(nbytes) - allocate an object of size nbytes that is guaranteed not to contain any pointers. The returned object is not guaranteed to be cleeared. (Can always be replaced by GC←malloc, but results in faster collection times. The collector will probably run faster if large character arrays, etc. are allocated with GC←malloc←atomic than if they are statically allocated.) 3) GC←realloc(object, new←size) - change the size of object to be new←size. Returns a pointer to the new object, which may, or may not, be the same as the pointer to the old object. The new object is taken to be atomic iff the old one was. If the new object is composite and larger than the original object, then the newly added bytes are cleared (we hope). This is very likely to allocate a new object, unless MERGE←SIZES is defined in gc←private.h. Even then, it is likely to recycle the old object only if the object is grown in small additive increments (which, we claim, is generally bad coding practice.) 4) GC←free(object) - explicitly deallocate an object returned by GC←malloc or GC←malloc←atomic. Not necessary, but can be used to minimize collections if performance is critical. 5) GC←expand←hp(number←of←4K←blocks) - Explicitly increase the heap size. (This is normally done automatically if a garbage collection failed to GC←reclaim enough memory. Explicit calls to GC←expand←hp may prevent unnecessarily frequent collections at program startup.) 6) GC←clear←roots() - Reset the collectors idea of where static variables containing pointers may be located to the empty set of locations. No statically allocated variables will be traced from after this call, unless there are intervening GC←add←roots calls. The collector will still trace from registers and the program stack. 7) GC←add←roots(low←address, high←address←plus←1) - Add [low←address, high←address) as an area that may contain root pointers and should be traced by the collector. The static data and bss segments are considered by default, and should not be added unless GC←clear←roots has been called. The number of root areas is currently limited to 50. This is intended as a way to register data areas for dynamic libraries, or to replace the entire data ans bss segments by smaller areas that are known to contain all the roots. 8) Several routines to allow for registration of finalization code. User supplied finalization code may be invoked when an object becomes unreachable. To call (*f)(obj, x) when obj becomes inaccessible, use GC←register←finalizer(obj, f, x, 0, 0); For more sophisticated uses, and for finalization ordering issues, see gc.h. The global variable GC←free←space←divisor may be adjusted up from its default value of 4 to use less space and more collection time, or down for the opposite effect. Setting it to 1 or 0 will effectively disable collections and cause all allocations to simply grow the heap. The variable GC←non←gc←bytes, which is normally 0, may be changed to reflect the amount of memory allocated by the above routines that should not be considered as a candidate for collection. Collections are inhibited if this exceeds a given fraction (currently 3/4) of the total heap size. The heap is simply expanded instead. Careless use may, of course, result in excessive memory consumption. Some additional tuning is possible through the parameters defined near the top of gc←private.h. If only GC←malloc is intended to be used, it might be appropriate to define: #define malloc(n) GC←malloc(n) #define calloc(m,n) GC←malloc((m)*(n)) For small pieces of VERY allocation intensive code, gc←inline.h includes some allocation macros that may be used in place of GC←malloc and friends. Somewhat different emulations of the standard C allocation routines are contained and described in "interface.c" (contributed by David Chase, but subsequently mangled by Hans Boehm). These are appropriate for mixed systems, where part of the system uses explicit deallocation, and does not leak. Exclusive use of interface.c routines can result in needless fragmentation, since certain kinds of object coalescing are only done by the collector. All externally visible names in the garbage collector start with "GC←". To avoid name conflicts, client code should avoid this prefix, except when accessing garbage collector routines or variables. The internals of the collector understand different object "kinds" (sometimes called "regions"). By default, the only two kinds are ATOMIC and NORMAL. Its should be possible to add others, e.g. for data types for which layout information is known. The allocation routine "GC←generic←malloc" takes an explicit kind argument. (You will probably want to add faster kind-specific routines as well.) You will need to add another kind descriptor, including your own mark routine to add a new object kind. This requires a fairly detailed understanding of at least GC←mark. USE AS LEAK DETECTOR: The collector may be used to track down leaks in C programs that are intended to run with malloc/free (e.g. code with extreme real-time or portability constraints). To do so define FIND←LEAK somewhere in gc←private.h. This will cause the collector to invoke the report←leak routine defined near the top of reclaim.c whenever an inaccessible object is found that has not been explicitly freed. Productive use of this facility normally involves redefining report←leak to do something more intelligent. This typically requires annotating objects with additional information (e.g. creation time stack trace) that identifies their origin. Such code is typically not very portable, and is not included here. If all objects are allocated with GC←DEBUG←MALLOC (see next section), then the default version of report←leak will report the source file and line number at which the leaked object was allocated. This may sometimes be sufficient. DEBUGGING FACILITIES: The routines GC←debug←malloc, GC←debug←malloc←atomic, GC←debug←realloc, and GC←debug←free provide an alternate interface to the collector, which provides some help with memory overwrite errors, and the like. Objects allocated in this way are annotated with additional information. Some of this information is checked during garbage collections, and detected inconsistencies are reported to stderr. Simple cases of writing past the end of an allocated object should be caught if the object is explicitly deallocated, or if the collector is invoked while the object is live. The first deallocation of an object will clear the debugging info associated with an object, so accidentally repeated calls to GC←debug←free will report the deallocation of an object without debugging information. Out of memory errors will be reported to stderr, in addition to returning NIL. GC←debug←malloc checking during garbage collection is enabled with the first call to GC←debug←malloc. This will result in some slowdown during collections. If frequent heap checks are desired, this can be acheived by explicitly invoking GC←gcollect, e.g. from the debugger. GC←debug←malloc allocated objects should not be passed to GC←realloc or GC←free, and conversely. It is however acceptable to allocate only some objects with GC←debug←malloc, and to use GC←malloc for other objects, provided the two pools are kept distinct. In this case, there is a very low probablility that GC←malloc allocated objects may be misidentified as having been overwritten. This should happen with probability at most one in 2**32. This probability is zero if GC←debug←malloc is never called. GC←debug←malloc, GC←malloc←atomic, and GC←debug←realloc take two additional trailing arguments, a string and an integer. These are not interpreted by the allocator. They are stored in the object (the string is not copied). If an error involving the object is detected, they are printed. The macros GC←MALLOC, GC←MALLOC←ATOMIC, GC←REALLOC, GC←FREE, and GC←REGISTER←FINALIZER are also provided. These require the same arguments as the corresponding (nondebugging) routines. If gc.h is included with GC←DEBUG defined, they call the debugging versions of these functions, passing the current file name and line number as the two extra arguments, where appropriate. If gc.h is included without GC←DEBUG defined, then all these macros will instead be defined to their nondebugging equivalents. (GC←REGISTER←FINALIZER is necessary, since pointers to objects with debugging information are really pointers to a displacement of 16 bytes form the object beginning, and some translation is necessary when finalization routines are invoked. For details, about what's stored in the header, see the definition of the type oh in debug←malloc.c) BUGS: Any memory that does not have a recognizable pointer to it will be reclaimed. Exclusive-or'ing forward and backward links in a list doesn't cut it. Some C optimizers may lose the last undisguised pointer to a memory object as a consequence of clever optimizations. This has almost never been observed in practice. Send mail to boehm@parc.xerox.com for suggestions on how to fix your compiler. This is not a real-time collector. In the standard configuration, percentage of time required for collection should be constant across heap sizes. But collection pauses will increase for larger heaps. (On SPARCstation 2s collection times will be on the order of 300 msecs per MB of accessible memory that needs to be scanned. Your mileage may vary.) Much better real-time behavior would be possible if we had a portable way to identify sections of memory that were recently modified. Experience with PCR indicates that 100 msec pause times are probably possible, almost independent of heap size. RECENT VERSIONS: Version 1.3 and immediately preceding versions contained spurious assembly language assignments to TMP←SP. Only the assignment in the PC/RT code is necessary. On other machines, with certain compiler options, the assignments can lead to an unsaved register being overwritten. Known to cause problems under SunOS 3.5 WITHOUT the -O option. (With -O the compiler recognizes it as dead code. It probably shouldn't, but that's another story.) Version 1.4 and earlier versions used compile time determined values for the stack base. This no longer works on Sun 3s, since Sun 3/80s use a different stack base. We now use a straightforward heuristic on all machines on which it is known to work (incl. Sun 3s) and compile-time determined values for the rest. There should really be library calls to determine such values. Version 1.5 and earlier did not ensure 8 byte alignment for objects allocated on a sparc based machine. Please address bug reports to boehm@xerox.com. If you are contemplating a major addition, you might also send mail to ask whether it's already been done. Version 1.8 added ULTRIX support in gc←private.h. Version 1.9 fixed a major bug in gc←realloc. Version 2.0 introduced a consistent naming convention for collector routines and added support for registering dynamic library data segments in the standard mark←roots.c. Most of the data structures were revamped. The treatment of interior pointers was completely changed. Finalization was added. Support for locking was added. Object kinds were added. We added a black listing facility to avoid allocating at addresses known to occur as integers somewhere in the address space. Much of this was accomplished by adapting ideas and code from the PCR collector. The test program was changed and expanded. Version 2.1 was the first stable version since 1.9, and added support for PPCR. Version 2.2 added debugging allocation, and fixed various bugs. Among them: - GC←realloc could fail to extend the size of the object for certain large object sizes. - A blatant subscript range error in GC←printf, which unfortunately wasn't excercised on machines with sufficient stack alignment constraints. - GC←register←displacement did the wrong thing if it was called after any allocation had taken place. - The leak finding code would eventually break after 2048 byte byte objects leaked. - interface.c didn't compile. - The heap size remained much too small for large stacks. - The stack clearing code behaved badly for large stacks, and perhaps on HP/PA machines. Version 2.3 added ALL←INTERIOR←POINTERS and fixed the following bugs: - Missing declaration of etext in the A/UX version. - Some PCR root-finding problems. - Blacklisting was not 100% effective, because the plausible future heap bounds were being miscalculated. - GC←realloc didn't handle out-of-memory correctly. - GC←base could return a nonzero value for addresses inside free blocks. - test.c wasn't really thread safe, and could erroneously report failure in a multithreaded environment. (The locking primitives need to be replaced for other threads packages.) - GC←CONS was thoroughly broken. - On a SPARC with dynamic linking, signals stayed diabled while the client code was running. (Thanks to Manuel Serrano at INRIA for reporting the last two.) Version 2.4 added GC←free←space←divisor as a tuning knob, added support for OS/2 and linux, and fixed the following bugs: - On machines with unaligned pointers (e.g. Sun 3), every 128th word could fail to be considered for marking. - Dynamic←load.c erroneously added 4 bytes to the length of the data and bss sections of the dynamic library. This could result in a bad memory reference if the actual length was a multiple of a page. (Observed on Sun 3. Can probably also happen on a Sun 4.) (Thanks to Robert Brazile for pointing out that the Sun 3 version was broken. Dynamic library handling is still broken on Sun 3s under 4.1.1U1, but apparently not 4.1.1. If you have such a machine, use -Bstatic.) Version 2.5 added Solaris dynamic libary support, Solaris/Intel support, and fixed the following bugs: - Removed an explicit call to exit(1) - Fixed calls to GC←printf and GC←err←printf, so the correct number of arguments are always supplied. The OS/2 C compiler gets confused if the number of actuals and the number of formals differ. (ANSI C doesn't require this to work. The ANSI sanctioned way of doing things causes too many compatibility problems.) Version 2.6 fixed a bug diagnosed by Al Dosser at DEC. The marker could lose some pointers in the event of a mark stack overflow, a case it was intended to handle correctly. (He also pointed out a performance bug that was tickled under the same circumstances.)