Valgrind Study Notes (Part 1)

I. Memcheck-tools

    1.    Types of errors it can find:
            1) Illegal read or write errors
            --read-var-info=<yes|no> [default: no]: when this option is turned on, the application runs more slowly, but Memcheck can give more detail about each error. For example:
   
            --read-var-info=no
            ==15516== Uninitialised byte(s) found during client check request
            ==15516==    at 0x400633: croak (varinfo1.c:28)
            ==15516==    by 0x4006B2: main (varinfo1.c:55)
            ==15516==  Address 0x60103b is 7 bytes inside data symbol "global_i2"
            ==15516==
            ==15516== Uninitialised byte(s) found during client check request
            ==15516==    at 0x400633: croak (varinfo1.c:28)
            ==15516==    by 0x4006BC: main (varinfo1.c:56)
            ==15516==  Address 0x7fefffefc is on thread 1's stack
           
            --read-var-info=yes:
            ==15522== Uninitialised byte(s) found during client check request
            ==15522==    at 0x400633: croak (varinfo1.c:28)
            ==15522==    by 0x4006B2: main (varinfo1.c:55)
            ==15522==  Location 0x60103b is 0 bytes inside global_i2[7],
            ==15522==  a global variable declared at varinfo1.c:41
            ==15522==
            ==15522== Uninitialised byte(s) found during client check request
            ==15522==    at 0x400633: croak (varinfo1.c:28)
            ==15522==    by 0x4006BC: main (varinfo1.c:56)
            ==15522==  Location 0x7fefffefc is 0 bytes inside local var "local"
            ==15522==  declared at varinfo1.c:46, in frame #1 of thread 1

            2) Use of uninitialized values
            --track-origins=yes gives more detailed error information (especially when uninitialised variables are used).
           
            3) Use of uninitialized or unaddressable values in system calls
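            Code example:
            #include <stdlib.h>   /* malloc, exit */
            #include <unistd.h>   /* write */
            int main( void )
            {
                    char* arr  = malloc(10);            /* 10 uninitialised bytes */
                    int*  arr2 = malloc(sizeof(int));   /* one uninitialised int */
                    write( 1 /* stdout */, arr, 10 );   /* syscall reads the uninitialised buffer */
                    exit(arr2[0]);                      /* uninitialised value passed to exit() */
            }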

            Output from Valgrind:
            Syscall param write(buf) points to uninitialised byte(s)
            at 0x25A48723: __write_nocancel (in /lib/tls/libc-2.3.3.so)
            by 0x259AFAD3: __libc_start_main (in /lib/tls/libc-2.3.3.so)
            by 0x8048348: (within /auto/homes/njn25/grind/head4/a.out)
            Address 0x25AB8028 is 0 bytes inside a block of size 10 alloc'd
            at 0x259852B0: malloc (vg_replace_malloc.c:130)
            by 0x80483F1: main (a.c:5)
       
            Syscall param exit(error_code) contains uninitialised byte(s)
            at 0x25A21B44: __GI__exit (in /lib/tls/libc-2.3.3.so)
            by 0x8048426: main (a.c:8)

            4) Illegal frees
            Valgrind tracks the memory the program allocates with malloc/new, so it knows exactly whether the current free/delete operation is legal. Below is an example of a double free.
            Invalid free()
                at 0x4004FFDF: free (vg_clientmalloc.c:577)
                by 0x80484C7: main (tests/doublefree.c:10)
            Address 0x3807F7B4 is 0 bytes inside a block of size 177 free'd
                at 0x4004FFDF: free (vg_clientmalloc.c:577)
                by 0x80484C7: main (tests/doublefree.c:10)
               
            5) When a heap block is freed with an inappropriate deallocation function
            Below is an example of a block allocated with new[] but released with free:
            Mismatched free() / delete / delete []
                at 0x40043249: free (vg_clientfuncs.c:171)
                by 0x4102BB4E: QGArray::~QGArray(void) (tools/qgarray.cpp:149)
                by 0x4C261C41: PptDoc::~PptDoc(void) (include/qmemarray.h:60)
                by 0x4C261F0E: PptXml::~PptXml(void) (pptxml.cc:44)
            Address 0x4BB292A8 is 0 bytes inside a block of size 64 alloc'd
                at 0x4004318C: operator new[](unsigned int) (vg_clientfuncs.c:152)
                by 0x4C21BC15: KLaola::readSBStream(int) const (klaola.cc:314)
                by 0x4C21C155: KLaola::stream(KLaola::OLENode const *) (klaola.cc:416)
                by 0x4C21788F: OLEFilter::convert(QCString const &) (olefilter.cc:272)

            6) Overlapping source and destination blocks
            ==27492== Source and destination overlap in memcpy(0xbffff294, 0xbffff280, 21)
            ==27492==    at 0x40026CDC: memcpy (mc_replace_strmem.c:71)
            ==27492==    by 0x804865A: main (overlap.c:40)
   
            7) Memory leak detection
            Pointer chain            AAA Category    BBB Category
            -------------            ------------    ------------
            (1)  RRR ------------> BBB                    DR
            (2)  RRR ---> AAA ---> BBB    DR              IR
            (3)  RRR               BBB                    DL
            (4)  RRR      AAA ---> BBB    DL              IL
            (5)  RRR ------?-----> BBB                    (y)DR, (n)DL
            (6)  RRR ---> AAA -?-> BBB    DR              (y)IR, (n)DL
            (7)  RRR -?-> AAA ---> BBB    (y)DR, (n)DL    (y)IR, (n)IL
            (8)  RRR -?-> AAA -?-> BBB    (y)DR, (n)DL    (y,y)IR, (n,y)IL, (_,n)DL
            (9)  RRR      AAA -?-> BBB    DL              (y)IL, (n)DL
           
            Pointer chain legend:
            - RRR: a root set node or DR block
            - AAA, BBB: heap blocks
            - --->: a start-pointer
            - -?->: an interior-pointer
           
            Category legend:
            - DR: Directly reachable
            - IR: Indirectly reachable
            - DL: Directly lost
            - IL: Indirectly lost
            - (y)XY: it's XY if the interior-pointer is a real pointer
            - (n)XY: it's XY if the interior-pointer is not a real pointer
            - (_)XY: it's XY in either case
           
            --show-reachable=yes: only with this setting are cases 1, 2, 4 and 9 reported.
            --leak-check=full: Memcheck gives more detailed information for each definitely lost or possibly lost block, even including where it was allocated.
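
The first five rows of the pointer-chain table as a C program, added here as an illustration and not part of the original notes; the names node, new_node, build_leak_cases and the root_* globals are made up for the example. Build it with -g -O0 and run it under valgrind --leak-check=full --show-reachable=yes to see how Memcheck classifies each block.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Build with -g -O0 so the compiler keeps the deliberately unused allocations. */
struct node {                 /* a heap block that can point at another (AAA ---> BBB) */
    struct node *next;
    char payload[24];
};

/* Root-set pointers (RRR in the table): globals stay live until exit. */
static struct node *root_direct;    /* case 1 */
static struct node *root_chain;     /* case 2 */
static char        *root_interior;  /* case 5 */
static int          live_blocks;    /* blocks allocated and never freed */

static struct node *new_node(struct node *next)
{
    struct node *n = calloc(1, sizeof *n);
    if (n == NULL)
        abort();
    n->next = next;
    live_blocks++;
    return n;
}

/* Builds cases 1-5 of the table; returns how many blocks are left allocated. */
int build_leak_cases(void)
{
    root_direct = new_node(NULL);             /* (1) RRR ---> BBB: BBB is DR */
    root_chain  = new_node(new_node(NULL));   /* (2) RRR ---> AAA ---> BBB: DR, IR */

    struct node *lost = new_node(NULL);       /* (3) RRR      BBB: BBB is DL */
    lost = NULL;                              /*     last pointer overwritten */

    struct node *head = new_node(new_node(NULL)); /* (4) AAA ---> BBB: DL, IL */
    head = NULL;                              /*     AAA unreachable, still points at BBB */

    /* (5) RRR -?-> BBB: only a pointer into the middle of the block survives. */
    root_interior = (char *)new_node(NULL) + offsetof(struct node, payload);

    (void)lost; (void)head;
    return live_blocks;
}

int main(void)
{
    printf("%d blocks left allocated at exit\n", build_leak_cases());
    return 0;
}
```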
           
    2.    Memcheck command-line options:
           1)    --leak-check=<no|summary|yes|full> [default: summary]
                  With summary, only a final summary of the leaks is given; with yes or full, more detailed leak information is given.
                   
           2)    --leak-resolution=<low|med|high> [default: high]
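                  Controls how leak reports are merged by the backtraces they came from. With low, two matching levels are enough to merge; med requires four levels; high requires a complete match. This option does not affect Memcheck's ability to find leaks, only how the results are displayed.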
           
           3)    --show-reachable=<yes|no> [default: no]
                  If set to yes, the complete picture of memory allocations is reported.
                   
           4)    --track-origins=<yes|no> [default: no]
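                  If set to yes, the source of the error for uninitialised variables (from heap or stack) can be located very well, but this also makes the program run more slowly overall and costs more memory.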
                   
           5)    --freelist-vol=<number> [default: 20000000]
                  <number> is counted in bytes; the larger the number, the more likely it is that invalid accesses to freed memory are detected.
           
posted @ 2011-06-05 21:48  OrangeAdmin