Valgrind学习笔记(一)
一、Memcheck-tools
1. 可查找的错误类型:
1) Illegal read or write errors
--read-var-info=<yes|no> [default:no],如果这个选项被打开,应用程序将运行的更慢,但是能够给出能多的错误细节。如下:
--read-var-info=no
==15516== Uninitialised byte(s) found during client check request
==15516== at 0x400633: croak (varinfo1.c:28)
==15516== by 0x4006B2: main (varinfo1.c:55)
==15516== Address 0x60103b is 7 bytes inside data symbol "global_i2"
==15516==
==15516== Uninitialised byte(s) found during client check request
==15516== at 0x400633: croak (varinfo1.c:28)
==15516== by 0x4006BC: main (varinfo1.c:56)
==15516== Address 0x7fefffefc is on thread 1's stack
--read-var-info=yes:
==15522== Uninitialised byte(s) found during client check request
==15522== at 0x400633: croak (varinfo1.c:28)
==15522== by 0x4006B2: main (varinfo1.c:55)
==15522== Location 0x60103b is 0 bytes inside global_i2[7],
==15522== a global variable declared at varinfo1.c:41
==15522==
==15522== Uninitialised byte(s) found during client check request
==15522== at 0x400633: croak (varinfo1.c:28)
==15522== by 0x4006BC: main (varinfo1.c:56)
==15522== Location 0x7fefffefc is 0 bytes inside local var "local"
==15522== declared at varinfo1.c:46, in frame #1 of thread 1
2) Use of uninitialized values
--track-origins=yes 可以得到更为详细的错误信息(特别针对使用未初始化的变量时)
3) Use of uninitialized or unaddressable values in system calls
Code example:
int main( void )
{
char* arr = malloc(10);
int* arr2 = malloc(sizeof(int));
write( 1 /* stdout */, arr, 10 );
exit(arr2[0]);
}
Valgrind给出的信息:
Syscall param write(buf) points to uninitialised byte(s)
at 0x25A48723: __write_nocancel (in /lib/tls/libc-2.3.3.so)
by 0x259AFAD3: __libc_start_main (in /lib/tls/libc-2.3.3.so)
by 0x8048348: (within /auto/homes/njn25/grind/head4/a.out)
Address 0x25AB8028 is 0 bytes inside a block of size 10 alloc'd
at 0x259852B0: malloc (vg_replace_malloc.c:130)
by 0x80483F1: main (a.c:5)
Syscall param exit(error_code) contains uninitialised byte(s)
at 0x25A21B44: __GI__exit (in /lib/tls/libc-2.3.3.so)
by 0x8048426: main (a.c:8)
4) Illegal frees
Valgrind将会跟踪program通过malloc/new分配的内存,因此他可以确切的指导当前的free/delete操作是否合法。以下是重复free的一个例子。
Invalid free()
at 0x4004FFDF: free (vg_clientmalloc.c:577)
by 0x80484C7: main (tests/doublefree.c:10)
Address 0x3807F7B4 is 0 bytes inside a block of size 177 free'd
at 0x4004FFDF: free (vg_clientmalloc.c:577)
by 0x80484C7: main (tests/doublefree.c:10)
5) When a heap block is freed with an inappropriate deallocation function
下面是一个用new[]分配但是用free释放的code example
Mismatched free() / delete / delete []
at 0x40043249: free (vg_clientfuncs.c:171)
by 0x4102BB4E: QGArray::~QGArray(void) (tools/qgarray.cpp:149)
by 0x4C261C41: PptDoc::~PptDoc(void) (include/qmemarray.h:60)
by 0x4C261F0E: PptXml::~PptXml(void) (pptxml.cc:44)
Address 0x4BB292A8 is 0 bytes inside a block of size 64 alloc'd
at 0x4004318C: operator new[](unsigned int) (vg_clientfuncs.c:152)
by 0x4C21BC15: KLaola::readSBStream(int) const (klaola.cc:314)
by 0x4C21C155: KLaola::stream(KLaola::OLENode const *) (klaola.cc:416)
by 0x4C21788F: OLEFilter::convert(QCString const &) (olefilter.cc:272)
6)Overlapping source and destination blocks
==27492== Source and destination overlap in memcpy(0xbffff294, 0xbffff280, 21)
==27492== at 0x40026CDC: memcpy (mc_replace_strmem.c:71)
==27492== by 0x804865A: main (overlap.c:40)
7)Memory leak detection
Pointer chain AAA Category BBB Category
------------- ------------ ------------
(1) RRR ------------> BBB DR
(2) RRR ---> AAA ---> BBB DR IR
(3) RRR BBB DL
(4) RRR AAA ---> BBB DL IL
(5) RRR ------?-----> BBB (y)DR, (n)DL
(6) RRR ---> AAA -?-> BBB DR (y)IR, (n)DL
(7) RRR -?-> AAA ---> BBB (y)DR, (n)DL (y)IR, (n)IL
(8) RRR -?-> AAA -?-> BBB (y)DR, (n)DL (y,y)IR, (n,y)IL, (_,n)DL
(9) RRR AAA -?-> BBB DL (y)IL, (n)DL
Pointer chain legend:
- RRR: a root set node or DR block
- AAA, BBB: heap blocks
- --->: a start-pointer
- -?->: an interior-pointer
Category legend:
- DR: Directly reachable
- IR: Indirectly reachable
- DL: Directly lost
- IL: Indirectly lost
- (y)XY: it's XY if the interior-pointer is a real pointer
- (n)XY: it's XY if the interior-pointer is not a real pointer
- (_)XY: it's XY in either case
--show-reachable=yes如果这样设置,cases 1,2,4 and 9 才会被定位。
--leak-check=full,memcheck将针对definitely lost or probably lost给出更为详细的信息,甚至包括分配的地点。
2. Memcheck命令行选项:
1) --leak-check=<no|summary|yes|full> [default: summary]
如果是summary,则只是给出最后leak的汇总,如果是yes或者是full的话,将会给出比较详细的leak信息。
2) --leak-resolution=<low|med|high> [default: high]
用于合并leak信息来源的backtraces,如果low,当有两层匹配的时候就可以合并,mid是四层,high要求必须完全比配。该选项不会影响Memcheck查找leak的能力,只会影响结果的显示方式。
3) --show-reachable=<yes|no> [default: no]
如果设置为yes,将获取全部的内存分配状况。
4) --track-origins=<yes|no> [default: no]
如果设置为yes,对于为初始化的变量(from heap or stack)能够非常好的定位到错误源,但是这也将导致程序的整体运行速度变慢和更大的内存开销。
5) --freelist-vol=<number> [default: 20000000]
<number>是按照byte来计算的,这个数字越大,检测出对已释放内存的无效访问的可能性越高。
1. 可查找的错误类型:
1) Illegal read or write errors
--read-var-info=<yes|no> [default:no],如果这个选项被打开,应用程序将运行的更慢,但是能够给出能多的错误细节。如下:
--read-var-info=no
==15516== Uninitialised byte(s) found during client check request
==15516== at 0x400633: croak (varinfo1.c:28)
==15516== by 0x4006B2: main (varinfo1.c:55)
==15516== Address 0x60103b is 7 bytes inside data symbol "global_i2"
==15516==
==15516== Uninitialised byte(s) found during client check request
==15516== at 0x400633: croak (varinfo1.c:28)
==15516== by 0x4006BC: main (varinfo1.c:56)
==15516== Address 0x7fefffefc is on thread 1's stack
--read-var-info=yes:
==15522== Uninitialised byte(s) found during client check request
==15522== at 0x400633: croak (varinfo1.c:28)
==15522== by 0x4006B2: main (varinfo1.c:55)
==15522== Location 0x60103b is 0 bytes inside global_i2[7],
==15522== a global variable declared at varinfo1.c:41
==15522==
==15522== Uninitialised byte(s) found during client check request
==15522== at 0x400633: croak (varinfo1.c:28)
==15522== by 0x4006BC: main (varinfo1.c:56)
==15522== Location 0x7fefffefc is 0 bytes inside local var "local"
==15522== declared at varinfo1.c:46, in frame #1 of thread 1
2) Use of uninitialized values
--track-origins=yes 可以得到更为详细的错误信息(特别针对使用未初始化的变量时)
3) Use of uninitialized or unaddressable values in system calls
Code example:
int main( void )
{
char* arr = malloc(10);
int* arr2 = malloc(sizeof(int));
write( 1 /* stdout */, arr, 10 );
exit(arr2[0]);
}
Valgrind给出的信息:
Syscall param write(buf) points to uninitialised byte(s)
at 0x25A48723: __write_nocancel (in /lib/tls/libc-2.3.3.so)
by 0x259AFAD3: __libc_start_main (in /lib/tls/libc-2.3.3.so)
by 0x8048348: (within /auto/homes/njn25/grind/head4/a.out)
Address 0x25AB8028 is 0 bytes inside a block of size 10 alloc'd
at 0x259852B0: malloc (vg_replace_malloc.c:130)
by 0x80483F1: main (a.c:5)
Syscall param exit(error_code) contains uninitialised byte(s)
at 0x25A21B44: __GI__exit (in /lib/tls/libc-2.3.3.so)
by 0x8048426: main (a.c:8)
4) Illegal frees
Valgrind将会跟踪program通过malloc/new分配的内存,因此他可以确切的指导当前的free/delete操作是否合法。以下是重复free的一个例子。
Invalid free()
at 0x4004FFDF: free (vg_clientmalloc.c:577)
by 0x80484C7: main (tests/doublefree.c:10)
Address 0x3807F7B4 is 0 bytes inside a block of size 177 free'd
at 0x4004FFDF: free (vg_clientmalloc.c:577)
by 0x80484C7: main (tests/doublefree.c:10)
5) When a heap block is freed with an inappropriate deallocation function
下面是一个用new[]分配但是用free释放的code example
Mismatched free() / delete / delete []
at 0x40043249: free (vg_clientfuncs.c:171)
by 0x4102BB4E: QGArray::~QGArray(void) (tools/qgarray.cpp:149)
by 0x4C261C41: PptDoc::~PptDoc(void) (include/qmemarray.h:60)
by 0x4C261F0E: PptXml::~PptXml(void) (pptxml.cc:44)
Address 0x4BB292A8 is 0 bytes inside a block of size 64 alloc'd
at 0x4004318C: operator new[](unsigned int) (vg_clientfuncs.c:152)
by 0x4C21BC15: KLaola::readSBStream(int) const (klaola.cc:314)
by 0x4C21C155: KLaola::stream(KLaola::OLENode const *) (klaola.cc:416)
by 0x4C21788F: OLEFilter::convert(QCString const &) (olefilter.cc:272)
6)Overlapping source and destination blocks
==27492== Source and destination overlap in memcpy(0xbffff294, 0xbffff280, 21)
==27492== at 0x40026CDC: memcpy (mc_replace_strmem.c:71)
==27492== by 0x804865A: main (overlap.c:40)
7)Memory leak detection
Pointer chain AAA Category BBB Category
------------- ------------ ------------
(1) RRR ------------> BBB DR
(2) RRR ---> AAA ---> BBB DR IR
(3) RRR BBB DL
(4) RRR AAA ---> BBB DL IL
(5) RRR ------?-----> BBB (y)DR, (n)DL
(6) RRR ---> AAA -?-> BBB DR (y)IR, (n)DL
(7) RRR -?-> AAA ---> BBB (y)DR, (n)DL (y)IR, (n)IL
(8) RRR -?-> AAA -?-> BBB (y)DR, (n)DL (y,y)IR, (n,y)IL, (_,n)DL
(9) RRR AAA -?-> BBB DL (y)IL, (n)DL
Pointer chain legend:
- RRR: a root set node or DR block
- AAA, BBB: heap blocks
- --->: a start-pointer
- -?->: an interior-pointer
Category legend:
- DR: Directly reachable
- IR: Indirectly reachable
- DL: Directly lost
- IL: Indirectly lost
- (y)XY: it's XY if the interior-pointer is a real pointer
- (n)XY: it's XY if the interior-pointer is not a real pointer
- (_)XY: it's XY in either case
--show-reachable=yes如果这样设置,cases 1,2,4 and 9 才会被定位。
--leak-check=full,memcheck将针对definitely lost or probably lost给出更为详细的信息,甚至包括分配的地点。
2. Memcheck命令行选项:
1) --leak-check=<no|summary|yes|full> [default: summary]
如果是summary,则只是给出最后leak的汇总,如果是yes或者是full的话,将会给出比较详细的leak信息。
2) --leak-resolution=<low|med|high> [default: high]
用于合并leak信息来源的backtraces,如果low,当有两层匹配的时候就可以合并,mid是四层,high要求必须完全比配。该选项不会影响Memcheck查找leak的能力,只会影响结果的显示方式。
3) --show-reachable=<yes|no> [default: no]
如果设置为yes,将获取全部的内存分配状况。
4) --track-origins=<yes|no> [default: no]
如果设置为yes,对于为初始化的变量(from heap or stack)能够非常好的定位到错误源,但是这也将导致程序的整体运行速度变慢和更大的内存开销。
5) --freelist-vol=<number> [default: 20000000]
<number>是按照byte来计算的,这个数字越大,检测出对已释放内存的无效访问的可能性越高。