PEP: 445 Title: Add new APIs to customize memory allocators Version: $Revision$ Last-Modified: $Date$ Author: Victor Stinner Status: Draft Type: Standards Track Content-Type: text/x-rst Created: 15-june-2013 Python-Version: 3.4 Abstract ======== Add new APIs to customize memory allocators. Rationale ========= Use cases: * Application embedding Python may want to isolate Python memory from the memory of the application, or may want to different memory allocator optimized for its Python usage * Python running on embedded devices with low memory and slow CPU. A custom memory allocator may be required to use efficiently the memory and/or to be able to use all memory of the device. * Debug tool to: - track memory leaks - get the Python filename and line number where an object was allocated - detect buffer underflow, buffer overflow and detect misuse of Python allocator APIs (builtin Python debug hooks) - force allocation to fail to test handling of ``MemoryError`` exception Proposal ======== API changes ----------- * Add new GIL-free memory allocator functions: - ``void* PyMem_RawMalloc(size_t size)`` - ``void* PyMem_RawRealloc(void *ptr, size_t new_size)`` - ``void PyMem_RawFree(void *ptr)`` - the behaviour of requesting zero bytes is not defined: return *NULL* or a distinct non-*NULL* pointer depending on the platform. * Add a new ``PyMemBlockAllocator`` structure:: typedef struct { /* user context passed as the first argument to the 3 functions */ void *ctx; /* allocate a memory block */ void* (*malloc) (void *ctx, size_t size); /* allocate or resize a memory block */ void* (*realloc) (void *ctx, void *ptr, size_t new_size); /* release a memory block */ void (*free) (void *ctx, void *ptr); } PyMemBlockAllocator; * Add new functions to get and set memory block allocators: - Get/Set internal functions of ``PyMem_RawMalloc()``, ``PyMem_RawRealloc()`` and ``PyMem_RawFree()``: * ``void PyMem_GetRawAllocator(PyMemBlockAllocator *allocator)`` * ``void PyMem_SetRawAllocator(PyMemBlockAllocator *allocator)`` - Get/Set internal functions of ``PyMem_Malloc()``, ``PyMem_Realloc()`` and ``PyMem_Free()``: * ``void PyMem_GetAllocator(PyMemBlockAllocator *allocator)`` * ``void PyMem_SetAllocator(PyMemBlockAllocator *allocator)`` * ``malloc(ctx, 0)`` and ``realloc(ctx, ptr, 0)`` must not return *NULL*: it would be treated as an error. - Get/Set internal functions of ``PyObject_Malloc()``,, ``PyObject_Realloc()`` and ``PyObject_Free()``: * ``void PyObject_GetAllocator(PyMemBlockAllocator *allocator)`` * ``void PyObject_SetAllocator(PyMemBlockAllocator *allocator)`` * Add a new ``PyMemMappingAllocator`` structure:: typedef struct { /* user context passed as the first argument to the 2 functions */ void *ctx; /* allocate a memory mapping */ void* (*malloc) (void *ctx, size_t size); /* release a memory mapping */ void (*free) (void *ctx, void *ptr, size_t size); } PyMemMappingAllocator; * Add a new function to get and set memory mapping allocator: - ``void PyMem_GetMappingAllocator(PyMemMappingAllocator *allocator)`` - ``void PyMem_SetMappingAllocator(PyMemMappingAllocator *allocator)`` - Currently, this allocator is only used internally by *pymalloc* to allocate arenas. * Add a new function to setup the builtin Python debug hooks when memory allocators are replaced: - ``void PyMem_SetupDebugHooks(void)`` The builtin Python debug hooks were introduced in Python 2.3 and implement the following checks: * Newly allocated memory is filled with the byte ``0xCB``, freed memory is filled with the byte ``0xDB``. * Detect API violations, ex: ``PyObject_Free()`` called on a memory block allocated by ``PyMem_Malloc()`` * Detect write before the start of the buffer (buffer underflow) * Detect write after the end of the buffer (buffer overflow) The *pymalloc* allocator is used by default for: ``PyObject_Malloc()``, ``PyObject_Realloc()`` and ``PyObject_Free()``. Make usage of these new APIs ---------------------------- * ``PyMem_Malloc()`` and ``PyMem_Realloc()`` always call ``malloc()`` and ``realloc()``, instead of calling ``PyObject_Malloc()`` and ``PyObject_Realloc()`` in debug mode * ``PyObject_Malloc()`` falls back on ``PyMem_Malloc()`` instead of ``malloc()`` if size is greater or equal than ``SMALL_REQUEST_THRESHOLD`` (512 bytes), and ``PyObject_Realloc()`` falls back on ``PyMem_Realloc()`` instead of ``realloc()`` * Replace direct calls to ``malloc()`` with ``PyMem_Malloc()``, or ``PyMem_RawMalloc()`` if the GIL is not held * Configure external libraries like zlib or OpenSSL to allocate memory using ``PyMem_RawMalloc()`` Examples ======== Use case 1: Replace Memory Allocator, keep pymalloc ---------------------------------------------------- Setup your custom memory allocator, keeping pymalloc. Dummy example wasting 2 bytes per allocation, and 10 bytes per arena:: #include int alloc_padding = 2; int arena_padding = 10; void* my_malloc(void *ctx, size_t size) { int padding = *(int *)ctx; return malloc(size + padding); } void* my_realloc(void *ctx, void *ptr, size_t new_size) { int padding = *(int *)ctx; return realloc(ptr, new_size + padding); } void my_free(void *ctx, void *ptr) { free(ptr); } void* my_alloc_arena(void *ctx, size_t size) { int padding = *(int *)ctx; return malloc(size + padding); } void my_free_arena(void *ctx, void *ptr, size_t size) { free(ptr); } void setup_custom_allocator(void) { PyMemBlockAllocator alloc; alloc.ctx = &alloc_padding; alloc.malloc = my_malloc; alloc.realloc = my_realloc; alloc.free = my_free; PyMem_SetRawAllocator(&alloc); PyMem_SetAllocator(&alloc); _PyObject_SetArenaAllocator(&arena_padding, my_alloc_arena, my_free_arena); PyMem_SetupDebugHooks(); } .. warning:: Remove the call ``PyMem_SetRawAllocator(&alloc)`` if the new allocator are not thread-safe. Use case 2: Replace Memory Allocator, override pymalloc -------------------------------------------------------- If your allocator is optimized for allocation of small objects (less than 512 bytes) with a short lifetime, pymalloc can be overriden: replace ``PyObject_Malloc()``. Dummy Example wasting 2 bytes per allocation:: #include int padding = 2; void* my_malloc(void *ctx, size_t size) { int padding = *(int *)ctx; return malloc(size + padding); } void* my_realloc(void *ctx, void *ptr, size_t new_size) { int padding = *(int *)ctx; return realloc(ptr, new_size + padding); } void my_free(void *ctx, void *ptr) { free(ptr); } void setup_custom_allocator(void) { PyMemBlockAllocator alloc; alloc.ctx = &padding; alloc.malloc = my_malloc; alloc.realloc = my_realloc; alloc.free = my_free; PyMem_SetRawAllocator(&alloc); PyMem_SetAllocator(&alloc); PyObject_SetAllocator(&alloc); PyMem_SetupDebugHooks(); } .. warning:: Remove the call ``PyMem_SetRawAllocator(&alloc)`` if the new allocator are not thread-safe. Use case 3: Setup Allocator Hooks --------------------------------- Example to setup hooks on all memory allocators:: struct { PyMemBlockAllocator pymem; PyMemBlockAllocator pymem_raw; PyMemBlockAllocator pyobj; /* ... */ } hook; static void* hook_malloc(void *ctx, size_t size) { PyMemBlockAllocator *alloc = (PyMemBlockAllocator *)ctx; /* ... */ ptr = alloc->malloc(alloc->ctx, size); /* ... */ return ptr; } static void* hook_realloc(void *ctx, void *ptr, size_t new_size) { PyMemBlockAllocator *alloc = (PyMemBlockAllocator *)ctx; void *ptr2; /* ... */ ptr2 = alloc->realloc(alloc->ctx, ptr, new_size); /* ... */ return ptr2; } static void hook_free(void *ctx, void *ptr) { PyMemBlockAllocator *alloc = (PyMemBlockAllocator *)ctx; /* ... */ alloc->free(alloc->ctx, ptr); /* ... */ } void setup_hooks(void) { PyMemBlockAllocator alloc; static int installed = 0; if (installed) return; installed = 1; alloc.malloc = hook_malloc; alloc.realloc = hook_realloc; alloc.free = hook_free; PyMem_GetRawAllocator(&hook.pymem_raw); alloc.ctx = &hook.pymem_raw; PyMem_SetRawAllocator(&alloc); PyMem_GetAllocator(&hook.pymem); alloc.ctx = &hook.pymem; PyMem_SetAllocator(&alloc); PyObject_GetAllocator(&hook.pyobj); alloc.ctx = &hook.pyobj; PyObject_SetAllocator(&alloc); } .. warning:: Remove the call ``PyMem_SetRawAllocator(&alloc)`` if hooks are not thread-safe. .. note:: ``PyMem_SetupDebugHooks()`` does not need to be called: Python debug hooks are installed automatically at startup. Performances ============ Results of the `Python benchmarks suite `_ (-b 2n3): some tests are 1.04x faster, some tests are 1.04 slower, significant is between 115 and -191. I don't understand these output, but I guess that the overhead cannot be seen with such test. Results of pybench benchmark: "+0.1%" slower globally (diff between -4.9% and +5.6%). The full reports are attached to the issue #3329. Alternatives ============ Only have one generic get/set function -------------------------------------- Replace the 6 functions: * ``PyMem_GetRawAllocator(PyMemBlockAllocator *allocator)`` * ``PyMem_GetAllocator(PyMemBlockAllocator *allocator)`` * ``PyObject_GetAllocator(PyMemBlockAllocator *allocator)`` * ``PyMem_SetRawAllocator(allocator)`` * ``PyMem_SetAllocator(PyMemBlockAllocator *allocator)`` * ``PyObject_SetAllocator(PyMemBlockAllocator *allocator)`` with 2 functions with an additional *domain* argument: * ``int Py_GetAllocator(int domain, PyMemBlockAllocator *allocator)`` * ``int Py_SetAllocator(int domain, PyMemBlockAllocator *allocator)`` These functions return 0 on success, or -1 if the domain is unknown. where domain is one of these values: * ``PYALLOC_PYMEM`` * ``PYALLOC_PYMEM_RAW`` * ``PYALLOC_PYOBJECT`` PyMem_Malloc() reuses PyMem_RawMalloc() by default -------------------------------------------------- ``PyMem_Malloc()`` should call ``PyMem_RawMalloc()`` by default. So calling ``PyMem_SetRawAllocator()`` would also also patch ``PyMem_Malloc()`` indirectly. Such change is less optimal, it adds another level of indirection. In the proposed implementation of this PEP (issue #3329), ``PyMem_RawMalloc()`` calls directly ``malloc()``, whereas ``PyMem_Malloc()`` returns ``NULL`` if size is larger than ``PY_SSIZE_T_MAX``, and the default allocator of ``PyMem_Malloc()`` calls ``malloc(1)`` if the size is zero. Add a new PYDEBUGMALLOC environment variable -------------------------------------------- To be able to use the Python builtin debug hooks even when a custom memory allocator replaces the default Python allocator, an environment variable ``PYDEBUGMALLOC`` can be added to setup these debug function hooks, instead of adding the new function ``PyMem_SetupDebugHooks()``. If the environment variable is present, ``PyMem_SetRawAllocator()``, ``PyMem_SetAllocator()`` and ``PyObject_SetAllocator()`` will reinstall automatically the hook on top of the new allocator. An new environment variable would make the Python initialization even more complex. The `PEP 432 `_ tries to simply the CPython startup sequence. Use macros to get customizable allocators ----------------------------------------- To have no overhead in the default configuration, customizable allocators would be an optional feature enabled by a configuration option or by macros. Not having to recompile Python makes debug hooks easier to use in practice. Extensions modules don't have to be recompiled with macros. Pass the C filename and line number ----------------------------------- Use C macros using ``__FILE__`` and ``__LINE__`` to get the C filename and line number of a memory allocation. Passing a filename and a line number to each allocator makes the API more complex: pass 3 new arguments, instead of just a context argument, to each allocator function. The GC allocator functions should also be patched. ``_PyObject_GC_Malloc()`` is used in many C functions for example and so objects of differenet types would have the same allocation location. Such changes add too much complexity for a little gain. PyMem_Malloc() GIL-free ----------------------- ``PyMem_Malloc()`` must be called with the GIL held because in debug mode, it calls indirectly ``PyObject_Malloc()`` which requires the GIL to be held. This PEP proposes to "fix" ``PyMem_Malloc()`` to make it always call ``malloc()``. So the "GIL must be held" restriction may be removed no ``PyMem_Malloc()``. Allowing to call ``PyMem_Malloc()`` without holding the GIL might break applications which setup their own allocator or their allocator hooks. Holding the GIL is very convinient to develop a custom allocator: no need to care of other threads nor mutexes. It is also convinient for an allocator hook: Python internals can be safetly inspected. Calling ``PyGILState_Ensure()`` in a memory allocator may have unexpected behaviour, especially at Python startup and at creation of a new Python thread state. Don't add PyMem_RawMalloc() --------------------------- Replace ``malloc()`` with ``PyMem_Malloc()``, but only if the GIL is held. Otherwise, keep ``malloc()`` unchanged. The ``PyMem_Malloc()`` is sometimes already misused. For example, the ``main()`` and ``Py_Main()`` functions of Python call ``PyMem_Malloc()`` whereas the GIL do not exist yet. In this case, ``PyMem_Malloc()`` should be replaced with ``malloc()`` (or ``PyMem_RawMalloc()``). If an hook is used to the track memory usage, the ``malloc()`` memory will not be seen. Remaining ``malloc()`` may allocate a lot of memory and so would be missed in reports. Use existing debug tools to analyze the memory ---------------------------------------------- There are many existing debug tools to analyze the memory. Some examples: `Valgrind `_, `Purify `_, `Clang AddressSanitizer `_, `failmalloc `_, etc. The problem is retrieve the Python object related to a memory pointer to read its type and/or content. Another issue is to retrieve the location of the memory allocation: the C backtrace is usually useless (same reasoning than macros using ``__FILE__`` and ``__LINE__``), the Python filename and line number (or even the Python traceback) is more useful. Classic tools are unable to introspect the Python internal to collect such information. Being able to setup a hook on allocators called with the GIL held allow to read a lot of useful data from Python internals. Add msize() ----------- Add another field to ``PyMemBlockAllocator`` and ``PyMemMappingAllocator``:: size_t msize(void *ptr); This function returns the size of a memory block or a memory mapping. Return (size_t)-1 if the function is not implemented or if the pointer is unknown (ex: NULL pointer). On Windows, this function can be implemented using ``_msize()`` and ``VirtualQuery()``. No context argument ------------------- Simplify the signature of allocator functions, remove the context argument: * ``void* malloc(size_t size)`` * ``void* realloc(void *ptr, size_t new_size)`` * ``void free(void *ptr)`` It is likely for an allocator hook to be reused for ``PyMem_SetAllocator()`` and ``PyObject_SetAllocator()``, but the hook must call a different function depending on the allocator. The context is a convenient way to reuse the same allocator or hook for different APIs. External libraries ================== * glib: `g_mem_set_vtable() `_ * OpenSSL: `CRYPTO_set_mem_functions() `_ to set memory management functions globally * expat: `parserCreate() `_ has a per-instance memory handler * libxml2: `xmlGcMemSetup() `_, global See also the `GNU libc: Memory Allocation Hooks `_. Memory allocators ================= The C standard library provides the well known ``malloc()`` function. Its implementation depends on the platform and of the C library. The GNU C library uses a modified ptmalloc2, based on "Doug Lea's Malloc" (dlmalloc). FreeBSD uses `jemalloc `_. Google provides tcmalloc which is part of `gperftools `_. ``malloc()`` uses two kinds of memory: heap and memory mappings. Memory mappings are usually used for large allocations (ex: larger than 256 KB), whereas the heap is used for small allocations. On UNIX, the heap is handled by ``brk()`` and ``sbrk()`` system calls on Linux, and it is contiguous. On Windows, the heap is handled by ``HeapAlloc()`` and may be discontiguous. Memory mappings are handled by ``mmap()`` on UNIX and ``VirtualAlloc()`` on Windows, they may be discontiguous. Releasing a memory mapping gives back immediatly the memory to the system. For the heap, memory is only given back to the system if it is at the end of the heap. Otherwise, the memory will only be given back to the system when all the memory located after the released memory are also released. To allocate memory in the heap, the allocator tries to reuse free space. If there is no contiguous space big enough, the heap must be increased, even if we have more free space than required size. This issue is called the "memory fragmentation": the memory usage seen by the system may be much higher than real usage. On Windows, ``HeapAlloc()`` creates a new memory mapping with ``VirtualAlloc()`` if there is not enough free contiguous memory. CPython has a pymalloc allocator using arenas of 256 KB for allocations smaller than 512 bytes. This allocator is optimized for small objects with a short lifetime. Windows provides a `Low-fragmentation Heap `_. The Linux kernel uses `slab allocation `_. The glib library has a `Memory Slice API `_: efficient way to allocate groups of equal-sized chunks of memory Links ===== CPython issues related to memory allocation: * `Issue #3329: Add new APIs to customize memory allocators `_ * `Issue #13483: Use VirtualAlloc to allocate memory arenas `_ * `Issue #16742: PyOS_Readline drops GIL and calls PyOS_StdioReadline, which isn't thread safe `_ * `Issue #18203: Replace calls to malloc() with PyMem_Malloc() or PyMem_RawMalloc() `_ * `Issue #18227: Use Python memory allocators in external libraries like zlib or OpenSSL `_ Projects analyzing the memory usage of Python applications: * `pytracemalloc `_ * `Meliae: Python Memory Usage Analyzer `_ * `Guppy-PE: umbrella package combining Heapy and GSL `_ * `PySizer (developed for Python 2.4) `_