PEP: 445 Title: Add new APIs to customize memory allocators Version: $Revision$ Last-Modified: $Date$ Author: Victor Stinner Status: Draft Type: Standards Track Content-Type: text/x-rst Created: 15-june-2013 Python-Version: 3.4 Abstract ======== Add new APIs to customize memory allocators. Rationale ========= Use cases: * Application embedding Python may want to isolate Python memory from the memory of the application, or may want to different memory allocator optimized for its Python usage * Python running on embedded devices with low memory and slow CPU. A custom memory allocator may be required to use efficiently the memory and/or to be able to use all the memory of the device. * Debug tool to: - track memory usage (memory leaks) - get the Python filename and line number where an object was allocated - detect buffer underflow, buffer overflow and detect misuse of Python allocator APIs (builtin Python debug hooks) - force allocation to fail to test handling of ``MemoryError`` exception Proposal ======== API changes ----------- * Add new GIL-free (no need to hold the GIL) memory allocator functions: - ``void* PyMem_RawMalloc(size_t size)`` - ``void* PyMem_RawRealloc(void *ptr, size_t new_size)`` - ``void PyMem_RawFree(void *ptr)`` - the behaviour of requesting zero bytes is not defined: return *NULL* or a distinct non-*NULL* pointer depending on the platform. * Add a new ``PyMemBlockAllocator`` structure:: typedef struct { /* user context passed as the first argument to the 3 functions */ void *ctx; /* allocate a memory block */ void* (*malloc) (void *ctx, size_t size); /* allocate or resize a memory block */ void* (*realloc) (void *ctx, void *ptr, size_t new_size); /* release a memory block */ void (*free) (void *ctx, void *ptr); } PyMemBlockAllocator; * Add new functions to get and set internal functions of ``PyMem_RawMalloc()``, ``PyMem_RawRealloc()`` and ``PyMem_RawFree()``: - ``void PyMem_GetRawAllocator(PyMemBlockAllocator *allocator)`` - ``void PyMem_SetRawAllocator(PyMemBlockAllocator *allocator)`` * Add new functions to get and set internal functions of ``PyMem_Malloc()``, ``PyMem_Realloc()`` and ``PyMem_Free()``: - ``void PyMem_GetAllocator(PyMemBlockAllocator *allocator)`` - ``void PyMem_SetAllocator(PyMemBlockAllocator *allocator)`` - ``malloc(ctx, 0)`` and ``realloc(ctx, ptr, 0)`` must not return *NULL*: it would be treated as an error. * Add new functions to get and set internal functions of ``PyObject_Malloc()``,, ``PyObject_Realloc()`` and ``PyObject_Free()``: - ``void PyObject_GetAllocator(PyMemBlockAllocator *allocator)`` - ``void PyObject_SetAllocator(PyMemBlockAllocator *allocator)`` - ``malloc(ctx, 0)`` and ``realloc(ctx, ptr, 0)`` must not return *NULL*: it would be treated as an error. * Add a new ``PyMemMappingAllocator`` structure:: typedef struct { /* user context passed as the first argument to the 2 functions */ void *ctx; /* allocate a memory mapping */ void* (*alloc) (void *ctx, size_t size); /* release a memory mapping */ void (*free) (void *ctx, void *ptr, size_t size); } PyMemMappingAllocator; * Add a new function to get and set memory mapping allocator: - ``void PyMem_GetMappingAllocator(PyMemMappingAllocator *allocator)`` - ``void PyMem_SetMappingAllocator(PyMemMappingAllocator *allocator)`` - Currently, this allocator is only used internally by *pymalloc* to allocate arenas. * Add a new function to setup the builtin Python debug hooks when memory allocators are replaced: - ``void PyMem_SetupDebugHooks(void)`` * The following memory allocators always returns *NULL* if size is greater than ``PY_SSIZE_T_MAX``: ``PyMem_RawMalloc()``, ``PyMem_RawRealloc()``, ``PyMem_Malloc()``, ``PyMem_Realloc()``, ``PyObject_Malloc()``, ``PyObject_Realloc()``. The builtin Python debug hooks were introduced in Python 2.3 and implement the following checks: * Newly allocated memory is filled with the byte ``0xCB``, freed memory is filled with the byte ``0xDB``. * Detect API violations, ex: ``PyObject_Free()`` called on a memory block allocated by ``PyMem_Malloc()`` * Detect write before the start of the buffer (buffer underflow) * Detect write after the end of the buffer (buffer overflow) The *pymalloc* allocator is used by default for: ``PyObject_Malloc()``, ``PyObject_Realloc()`` and ``PyObject_Free()``. Make usage of these new APIs ---------------------------- * ``PyMem_Malloc()`` and ``PyMem_Realloc()`` always call ``malloc()`` and ``realloc()``, instead of calling ``PyObject_Malloc()`` and ``PyObject_Realloc()`` in debug mode * ``PyObject_Malloc()`` falls back on ``PyMem_Malloc()`` instead of ``malloc()`` if size is greater or equal than ``SMALL_REQUEST_THRESHOLD`` (512 bytes), and ``PyObject_Realloc()`` falls back on ``PyMem_Realloc()`` instead of ``realloc()`` * Replace direct calls to ``malloc()`` with ``PyMem_Malloc()``, or ``PyMem_RawMalloc()`` if the GIL is not held * Configure external libraries like zlib or OpenSSL to allocate memory using ``PyMem_RawMalloc()`` Examples ======== Use case 1: Replace Memory Allocator, keep pymalloc ---------------------------------------------------- Dummy example wasting 2 bytes per allocation, and 10 bytes per arena:: #include int alloc_padding = 2; int arena_padding = 10; void* my_malloc(void *ctx, size_t size) { int padding = *(int *)ctx; return malloc(size + padding); } void* my_realloc(void *ctx, void *ptr, size_t new_size) { int padding = *(int *)ctx; return realloc(ptr, new_size + padding); } void my_free(void *ctx, void *ptr) { free(ptr); } void* my_alloc_arena(void *ctx, size_t size) { int padding = *(int *)ctx; return malloc(size + padding); } void my_free_arena(void *ctx, void *ptr, size_t size) { free(ptr); } void setup_custom_allocator(void) { PyMemBlockAllocator block; PyMemMappingAllocator mapping; block.ctx = &alloc_padding; block.malloc = my_malloc; block.realloc = my_realloc; block.free = my_free; PyMem_SetRawAllocator(&block); PyMem_SetAllocator(&block); mapping.ctx = &arena_padding; mapping.alloc = my_alloc_arena; mapping.free = my_free_arena; PyMem_SetMappingAllocator(mapping); PyMem_SetupDebugHooks(); } .. warning:: Remove the call ``PyMem_SetRawAllocator(&alloc)`` if the new allocator are not thread-safe. Use case 2: Replace Memory Allocator, override pymalloc -------------------------------------------------------- If your allocator is optimized for allocation of small objects (less than 512 bytes) with a short lifetime, pymalloc can be overriden: replace ``PyObject_Malloc()``. Dummy Example wasting 2 bytes per allocation:: #include int padding = 2; void* my_malloc(void *ctx, size_t size) { int padding = *(int *)ctx; return malloc(size + padding); } void* my_realloc(void *ctx, void *ptr, size_t new_size) { int padding = *(int *)ctx; return realloc(ptr, new_size + padding); } void my_free(void *ctx, void *ptr) { free(ptr); } void setup_custom_allocator(void) { PyMemBlockAllocator alloc; alloc.ctx = &padding; alloc.malloc = my_malloc; alloc.realloc = my_realloc; alloc.free = my_free; PyMem_SetRawAllocator(&alloc); PyMem_SetAllocator(&alloc); PyObject_SetAllocator(&alloc); PyMem_SetupDebugHooks(); } .. warning:: Remove the call ``PyMem_SetRawAllocator(&alloc)`` if the new allocator are not thread-safe. Use case 3: Setup Allocator Hooks --------------------------------- Example to setup hooks on all memory allocators:: struct { PyMemBlockAllocator raw; PyMemBlockAllocator mem; PyMemBlockAllocator obj; /* ... */ } hook; static void* hook_malloc(void *ctx, size_t size) { PyMemBlockAllocator *alloc = (PyMemBlockAllocator *)ctx; /* ... */ ptr = alloc->malloc(alloc->ctx, size); /* ... */ return ptr; } static void* hook_realloc(void *ctx, void *ptr, size_t new_size) { PyMemBlockAllocator *alloc = (PyMemBlockAllocator *)ctx; void *ptr2; /* ... */ ptr2 = alloc->realloc(alloc->ctx, ptr, new_size); /* ... */ return ptr2; } static void hook_free(void *ctx, void *ptr) { PyMemBlockAllocator *alloc = (PyMemBlockAllocator *)ctx; /* ... */ alloc->free(alloc->ctx, ptr); /* ... */ } void setup_hooks(void) { PyMemBlockAllocator alloc; static int installed = 0; if (installed) return; installed = 1; alloc.malloc = hook_malloc; alloc.realloc = hook_realloc; alloc.free = hook_free; PyMem_GetRawAllocator(&hook.raw); alloc.ctx = &hook.raw; PyMem_SetRawAllocator(&alloc); PyMem_GetAllocator(&hook.mem); alloc.ctx = &hook.mem; PyMem_SetAllocator(&alloc); PyObject_GetAllocator(&hook.obj); alloc.ctx = &hook.obj; PyObject_SetAllocator(&alloc); } .. warning:: Remove the call ``PyMem_SetRawAllocator(&alloc)`` if hooks are not thread-safe. .. note:: ``PyMem_SetupDebugHooks()`` does not need to be called: Python debug hooks are installed automatically at startup. Performances ============ Results of the `Python benchmarks suite `_ (-b 2n3): some tests are 1.04x faster, some tests are 1.04 slower, significant is between 115 and -191. I don't understand these output, but I guess that the overhead cannot be seen with such test. Results of pybench benchmark: "+0.1%" slower globally (diff between -4.9% and +5.6%). The full reports are attached to the issue #3329. Alternatives ============ Only have one generic get/set function -------------------------------------- Replace the 6 functions: * ``PyMem_GetRawAllocator(PyMemBlockAllocator *allocator)`` * ``PyMem_GetAllocator(PyMemBlockAllocator *allocator)`` * ``PyObject_GetAllocator(PyMemBlockAllocator *allocator)`` * ``PyMem_SetRawAllocator(allocator)`` * ``PyMem_SetAllocator(PyMemBlockAllocator *allocator)`` * ``PyObject_SetAllocator(PyMemBlockAllocator *allocator)`` with 2 functions with an additional *domain* argument: * ``int PyMem_GetBlockAllocator(int domain, PyMemBlockAllocator *allocator)`` * ``int PyMem_SetBlockAllocator(int domain, PyMemBlockAllocator *allocator)`` These functions return 0 on success, or -1 if the domain is unknown. where domain is one of these values: * ``PYALLOC_PYMEM`` * ``PYALLOC_PYMEM_RAW`` * ``PYALLOC_PYOBJECT`` Drawback: the caller has to check if the result is 0, or handle the error. PyMem_Malloc() reuses PyMem_RawMalloc() by default -------------------------------------------------- ``PyMem_Malloc()`` should call ``PyMem_RawMalloc()`` by default. So calling ``PyMem_SetRawAllocator()`` would also also patch ``PyMem_Malloc()`` indirectly. .. note:: In the implementation of this PEP (issue #3329), ``PyMem_RawMalloc(0)`` calls ``malloc(0)``, whereas ``PyMem_Malloc(0)`` calls ``malloc(1)``. Add a new PYDEBUGMALLOC environment variable -------------------------------------------- To be able to use the Python builtin debug hooks even when a custom memory allocator replaces the default Python allocator, an environment variable ``PYDEBUGMALLOC`` can be added to setup these debug function hooks, instead of adding the new function ``PyMem_SetupDebugHooks()``. If the environment variable is present, ``PyMem_SetRawAllocator()``, ``PyMem_SetAllocator()`` and ``PyObject_SetAllocator()`` will reinstall automatically the hook on top of the new allocator. An new environment variable would make the Python initialization even more complex. The `PEP 432 `_ tries to simply the CPython startup sequence. Use macros to get customizable allocators ----------------------------------------- To have no overhead in the default configuration, customizable allocators would be an optional feature enabled by a configuration option or by macros. Not having to recompile Python makes debug hooks easier to use in practice. Extensions modules don't have to be recompiled with macros. Pass the C filename and line number ----------------------------------- Define allocator functions using macros and use ``__FILE__`` and ``__LINE__`` to get the C filename and line number of a memory allocation. Example:: typedef struct { /* user context passed as the first argument to the 3 functions */ void *ctx; /* allocate a memory block */ void* (*malloc) (void *ctx, const char *filename, int lineno, size_t size); /* allocate or resize a memory block */ void* (*realloc) (void *ctx, const char *filename, int lineno, void *ptr, size_t new_size); /* release a memory block */ void (*free) (void *ctx, const char *filename, int lineno, void *ptr); } PyMemBlockAllocator; void* _PyMem_MallocTrace(const char *filename, int lineno, size_t size); /* need also a function for the Python stable ABI */ void* PyMem_Malloc(size_t size); #define PyMem_Malloc(size) _PyMem_MallocTrace(__FILE__, __LINE__, size) Passing a filename and a line number to each allocator makes the API more complex: pass 3 new arguments, instead of just a context argument, to each allocator function. The GC allocator functions should also be patched. For example, ``_PyObject_GC_Malloc()`` is used in many C functions and so objects of differenet types would have the same allocation location. Such changes add too much complexity for a little gain. GIL-free PyMem_Malloc() ----------------------- When Python is compiled in debug mode, ``PyMem_Malloc()`` calls indirectly ``PyObject_Malloc()`` which requires the GIL to be held. That's why ``PyMem_Malloc()`` must be called with the GIL held. This PEP proposes to "fix" ``PyMem_Malloc()`` to make it always call ``malloc()``. So the "GIL must be held" restriction may be removed from ``PyMem_Malloc()``. Allowing to call ``PyMem_Malloc()`` without holding the GIL might break applications which setup their own allocators or allocator hooks. Holding the GIL is convinient to develop a custom allocator: no need to care of other threads. It is also convinient for a debug allocator hook: Python internal objects can be safetly inspected. Calling ``PyGILState_Ensure()`` in a memory allocator may have unexpected behaviour, especially at Python startup and at creation of a new Python thread state. Don't add PyMem_RawMalloc() --------------------------- Replace ``malloc()`` with ``PyMem_Malloc()``, but only if the GIL is held. Otherwise, keep ``malloc()`` unchanged. The ``PyMem_Malloc()`` is used without the GIL held in some Python functions. For example, the ``main()`` and ``Py_Main()`` functions of Python call ``PyMem_Malloc()`` whereas the GIL do not exist yet. In this case, ``PyMem_Malloc()`` should be replaced with ``malloc()`` (or ``PyMem_RawMalloc()``). If an hook is used to the track memory usage, the ``malloc()`` memory will not be seen. Remaining ``malloc()`` may allocate a lot of memory and so would be missed in reports. Use existing debug tools to analyze the memory ---------------------------------------------- There are many existing debug tools to analyze the memory. Some examples: `Valgrind `_, `Purify `_, `Clang AddressSanitizer `_, `failmalloc `_, etc. The problem is to retrieve the Python object related to a memory pointer to read its type and/or content. Another issue is to retrieve the location of the memory allocation: the C backtrace is usually useless (same reasoning than macros using ``__FILE__`` and ``__LINE__``), the Python filename and line number (or even the Python traceback) is more useful. Classic tools are unable to introspect Python internals to collect such information. Being able to setup a hook on allocators called with the GIL held allow to collect a lot of useful data from Python internals. Add msize() ----------- Add another field to ``PyMemBlockAllocator`` and ``PyMemMappingAllocator``:: size_t msize(void *ptr); This function returns the size of a memory block or a memory mapping. Return (size_t)-1 if the function is not implemented or if the pointer is unknown (ex: NULL pointer). On Windows, this function can be implemented using ``_msize()`` and ``VirtualQuery()``. No context argument ------------------- Simplify the signature of allocator functions, remove the context argument: * ``void* malloc(size_t size)`` * ``void* realloc(void *ptr, size_t new_size)`` * ``void free(void *ptr)`` It is likely for an allocator hook to be reused for ``PyMem_SetAllocator()`` and ``PyObject_SetAllocator()``, or even ``PyMem_SetRawAllocator()``, but the hook must call a different function depending on the allocator. The context is a convenient way to reuse the same custom allocator or hook for different Python allocators. External libraries ================== Python should try to reuse the same prototypes for allocator functions than other libraries. Libraries used by Python: * OpenSSL: `CRYPTO_set_mem_functions() `_ to set memory management functions globally * expat: `parserCreate() `_ has a per-instance memory handler Other libraries: * glib: `g_mem_set_vtable() `_ * libxml2: `xmlGcMemSetup() `_, global See also the `GNU libc: Memory Allocation Hooks `_. Memory allocators ================= The C standard library provides the well known ``malloc()`` function. Its implementation depends on the platform and of the C library. The GNU C library uses a modified ptmalloc2, based on "Doug Lea's Malloc" (dlmalloc). FreeBSD uses `jemalloc `_. Google provides tcmalloc which is part of `gperftools `_. ``malloc()`` uses two kinds of memory: heap and memory mappings. Memory mappings are usually used for large allocations (ex: larger than 256 KB), whereas the heap is used for small allocations. On UNIX, the heap is handled by ``brk()`` and ``sbrk()`` system calls on Linux, and it is contiguous. On Windows, the heap is handled by ``HeapAlloc()`` and may be discontiguous. Memory mappings are handled by ``mmap()`` on UNIX and ``VirtualAlloc()`` on Windows, they may be discontiguous. Releasing a memory mapping gives back immediatly the memory to the system. On UNIX, heap memory is only given back to the system if it is at the end of the heap. Otherwise, the memory will only be given back to the system when all the memory located after the released memory are also released. To allocate memory in the heap, the allocator tries to reuse free space. If there is no contiguous space big enough, the heap must be increased, even if we have more free space than required size. This issue is called the "memory fragmentation": the memory usage seen by the system may be much higher than real usage. On Windows, ``HeapAlloc()`` creates a new memory mapping with ``VirtualAlloc()`` if there is not enough free contiguous memory. CPython has a *pymalloc* allocator for allocations smaller than 512 bytes. This allocator is optimized for small objects with a short lifetime. It uses memory mappings called "arenas" with a fixed size of 256 KB. Other allocators: * Windows provides a `Low-fragmentation Heap `_. * The Linux kernel uses `slab allocation `_. * The glib library has a `Memory Slice API `_: efficient way to allocate groups of equal-sized chunks of memory Links ===== CPython issues related to memory allocation: * `Issue #3329: Add new APIs to customize memory allocators `_ * `Issue #13483: Use VirtualAlloc to allocate memory arenas `_ * `Issue #16742: PyOS_Readline drops GIL and calls PyOS_StdioReadline, which isn't thread safe `_ * `Issue #18203: Replace calls to malloc() with PyMem_Malloc() or PyMem_RawMalloc() `_ * `Issue #18227: Use Python memory allocators in external libraries like zlib or OpenSSL `_ Projects analyzing the memory usage of Python applications: * `pytracemalloc `_ * `Meliae: Python Memory Usage Analyzer `_ * `Guppy-PE: umbrella package combining Heapy and GSL `_ * `PySizer (developed for Python 2.4) `_