Two New eBPF Tools: memleak and argdist

Sunday, February 14, 2016

Warning: This post requires a bit of background. I strongly recommend Brendan Gregg's introduction to eBPF and bcc. With that said, the post below describes two new bcc-based tools, which you can use directly without perusing the implementation details.

A few weeks ago, I started experimenting with eBPF. In a nutshell, eBPF (introduced in Linux kernel 3.19 and further improved in 4.x kernels) allows you to attach verifiably-safe programs to arbitrary functions in the kernel or a user process. These little programs, which execute in kernel mode, can collect performance information, trace diagnostic data, and aggregate statistics that are then...

Wrapping Up DotNext 2015

Saturday, January 2, 2016

A few weeks ago, I had the honor of being invited to speak at DotNext 2015, Russia's only .NET conference and one of the leading developer conferences in the country. As some of my readers probably know already, I was born in the USSR, so I speak Russian with a heavy Israeli accent but can understand both written and spoken Russian very well. The fact it was my wife's birthday and we could elope for a weekend of wintery weather and hardcore CLR internals only added to my resolve. I proposed two talks, and the organizers had such difficulty picking...

Live360! and BuildStuff Talks: SIMD, Visual Studio Diagnostic Hub, and Swift

Wednesday, December 9, 2015

I'm writing this on the plane back home from a week-long trip to Orlando, Vilnius, and Kiev, where I had the chance to speak at Live360! and BuildStuff; I've just counted and it's my tenth flight in three weeks, which is quite insane. But this is my second-to-last trip for 2015 -- the last one is going to be in December to DotNext Moscow.

SIMD

In this talk, we discussed vector registers and instructions that you could use from other languages like FORTRAN and C++ for more than 15 years. Starting from the MMX instruction set extensions in the 1997...

Large Win32 Heap Allocations Go Directly to VirtualAlloc

Friday, October 23, 2015

The Windows heap manager was designed to avoid the overhead of having to allocate virtual memory directly with VirtualAlloc, among other things. If you only need a 20-byte object, it's a waste to call a system service (involving a user-kernel transition) and allocate a full page. The heap manager avoids that overhead by managing large blocks of virtual memory in user mode -- it is implemented in ntdll.dll. However, when you allocate particularly large blocks of memory (>= 512KB at the time of writing), the heap manager doesn't see a reason to interfere, so it just forwards your request to VirtualAlloc. It still knows about...

More on MiniDumper: Getting the Right Memory Pages for .NET Analysis

Wednesday, September 30, 2015

In my previous post on MiniDumper, I promised to explain in more detail how it figures out which memory ranges are required for .NET heap analysis. This is an interesting story, actually, because I tried a couple of approaches that failed before coming up with the final idea. Basically, I knew that a dump with full memory contains way more information than is necessary for .NET dump analysis. Even if you need the entire .NET heap available, you typically don't need a bunch of other memory ranges: executable code, Win32 heaps, unused regions of thread stacks, and so much more. My...

Materials from TechDays Netherlands 2015

Monday, August 31, 2015

Oops! This was sitting in my queue for several months now, and I just noticed it needs to be published. But better late than never I guess. Here goes:

I've been lucky enough to be invited to speak at TechDays Netherlands again this year. This time I was asked to do four talks on some of my favorite subjects -- performance optimization, debugging, and diagnostics. Same as last year, the conference was impeccably organized. I'm really looking forward to next year's TechDays :-) In the meantime, here are the materials from my talks.

Making .NET Applications Faster

My usual favorite on improving...

Creating Smaller, But Still Usable, Dumps of .NET Applications

Wednesday, August 19, 2015

MiniDumper is born. It is an open source library and command-line tool that can generate dump files of .NET processes. However, unlike standard tools such as Procdump, MiniDumper has three modes of operation:

Full memory dumps (analogous to Procdump's -ma option). This is a complete dump of the process' memory, which includes the CLR heap but also a bunch of unnecessary information if you're mostly working with .NET applications. For example, a full memory dump will contain the binary code for all loaded modules, the unmanaged heap data, and a lot more.

Heap-only dumps (no Procdump analog). This is a dump that contains the...

A Neat Stack Corruption, or Reverse P/Invoke Structure Packing with Output Parameters

Tuesday, August 18, 2015

I know, I'm working hard on beating my record for longest post title ever. I also thought of adding a random Win32 API to the title, say CoMarshalInterThreadInterfaceInStream or AccessCheckByTypeResultListAndAuditAlarmByHandle. But I didn't, so here we are. What was I saying? Oh yeah, a neat stack corruption I spent a couple of hours chasing last week. I was doing my usual reverse P/Invoke where I call a Windows API and pass a delegate as a callback. There's a bunch of APIs in Win32 that take callbacks, but for the sake of this post let's take a look at a very simple example...

Obtaining the CoreCLR DAC DLL for Windows Phone

Monday, July 6, 2015

Three years ago I blogged about obtaining SOS.dll and mscordacwks.dll indirectly from the Microsoft KB websites in case you only have a dump from the production system but can't gain access to copy these files over. (Reminder: SOS.dll is a WinDbg extension for debugging .NET processes and dump files. The DAC, or mscordacwks.dll, is a helper library used by SOS to access the inner workings of a specific CLR version's data structures. The DAC is also used by ClrMD, a managed library that provides an API replacement for the SOS extension commands.) It turns out that for Windows Phone applications (using the Windows Phone...

Wrapping Up DevWeek 2015

Thursday, April 2, 2015

Just a couple of months ago, I agreed to deliver eight breakout sessions and a full-day workshop at DevWeek 2015. And no, I don't have any regrets -- but it was definitely a very packed week with lots of room changes and, more importantly, context switches from one topic to another. If you've been to DevWeek this year, I'm sure you enjoyed it: it's getting better year over year, and this is my third one so far. Below you can find the materials for my eight sessions. If you've been to my workshop and haven't got the materials, please contact...