使用valgrind检测Android native程序的内存

下载http://valgrind.org/downloads/valgrind-3.7.0.tar.bz2，使用ndk toolchain，按照代码中的README.android编译Android版本的valgrind，push到/data分区，这里笔者push到了/data/local/valgrind/，同时把VALGRIND_LIB 环境变量设置为/data/local/valgrind/lib/valgrind

编写一个有很多内存错误的程序：

main() { { int x; printf ("x = %d\n", x); } { char* arr = malloc(10); int* arr2 = malloc(sizeof(int)); write( 1 /* stdout */, arr, 10 ); } { char a[100]; memcpy(a, a + 20, 40); } { char *q; q = malloc(1024*1024); q[1] = 1024; } { char *p; p = malloc(1024*1024); p[0] = p[0]; p[1] = 1024; free(p); free(p); } }
使用valgrind运行之：

/data/local/valgrind/bin/valgrind --leak-check=full --track-origins=yes /data/check

得到如下结果：

==965== Copyright (C) 2002-2011, and GNU GPL'd, by Julian Seward et al. ==965== Using Valgrind-3.7.0 and LibVEX; rerun with -h for copyright info ==965== Command: /data/check ==965== ==965== Conditional jump or move depends on uninitialised value(s) ==965== at 0xAFD1AF6A: vfprintf (in /system/lib/libc.so) ==965== Uninitialised value was created by a stack allocation ==965== at 0x83D8: main (check.c:2) ==965== ==965== Conditional jump or move depends on uninitialised value(s) ==965== at 0xAFD1B3FA: vfprintf (in /system/lib/libc.so) ==965== Uninitialised value was created by a stack allocation ==965== at 0x83D8: main (check.c:2) ==965== ==965== Conditional jump or move depends on uninitialised value(s) ==965== at 0xAFD1B3FE: vfprintf (in /system/lib/libc.so) ==965== Uninitialised value was created by a stack allocation ==965== at 0x83D8: main (check.c:2) ==965== ==965== Conditional jump or move depends on uninitialised value(s) ==965== at 0xAFD1B478: vfprintf (in /system/lib/libc.so) ==965== Uninitialised value was created by a stack allocation ==965== at 0x83D8: main (check.c:2) ==965== ==965== Conditional jump or move depends on uninitialised value(s) ==965== at 0xAFD1B47E: vfprintf (in /system/lib/libc.so) ==965== Uninitialised value was created by a stack allocation ==965== at 0x83D8: main (check.c:2) ==965== ==965== Conditional jump or move depends on uninitialised value(s) ==965== at 0xAFD0FE00: __udivdi3 (in /system/lib/libc.so) ==965== Uninitialised value was created by a stack allocation ==965== at 0x83D8: main (check.c:2) ==965== ==965== Conditional jump or move depends on uninitialised value(s) ==965== at 0xAFD0D230: __udivsi3 (in /system/lib/libc.so) ==965== Uninitialised value was created by a stack allocation ==965== at 0x83D8: main (check.c:2) ==965== ==965== Conditional jump or move depends on uninitialised value(s) ==965== at 0xAFD0D294: __udivsi3 (in /system/lib/libc.so) ==965== Uninitialised value was created by a stack allocation ==965== at 0x83D8: main (check.c:2) ==965== ==965== Conditional jump or move depends on uninitialised value(s) ==965== at 0xAFD0FE5C: __udivdi3 (in /system/lib/libc.so) ==965== Uninitialised value was created by a stack allocation ==965== at 0x83D8: main (check.c:2) ==965== ==965== Conditional jump or move depends on uninitialised value(s) ==965== at 0xAFD0FEAC: __udivdi3 (in /system/lib/libc.so) ==965== Uninitialised value was created by a stack allocation ==965== at 0x83D8: main (check.c:2) ==965== ==965== Syscall param write(buf) points to uninitialised byte(s) ==965== at 0xAFD0B47C: write (in /system/lib/libc.so) ==965== Address 0x480a058 is 0 bytes inside a block of size 10 alloc'd ==965== at 0x80103318: malloc (vg_replace_malloc.c:263) ==965== by 0x83F7: main (check.c:8) ==965== Uninitialised value was created by a heap allocation ==965== at 0x80103318: malloc (vg_replace_malloc.c:263) ==965== by 0x83F7: main (check.c:8) ==965== ==965== Source and destination overlap in memcpy(0xbde6b908, 0xbde6b91c, 40) ==965== at 0x80106A64: memcpy (mc_replace_strmem.c:838) ==965== by 0x843B: main (check.c:14) ==965== ==965== Invalid free() / delete / delete[] / realloc() ==965== at 0x80102E1C: free (vg_replace_malloc.c:427) ==965== by 0x849B: main (check.c:30) ==965== Address 0x490a100 is 0 bytes inside a block of size 1,048,576 free'd ==965== at 0x80102E1C: free (vg_replace_malloc.c:427) ==965== by 0x8493: main (check.c:29) ==965== ==965== ==965== HEAP SUMMARY: ==965== in use at exit: 1,052,686 bytes in 4 blocks ==965== total heap usage: 5 allocs, 2 frees, 2,101,262 bytes allocated ==965== ==965== 4 bytes in 1 blocks are definitely lost in loss record 1 of 4 ==965== at 0x80103318: malloc (vg_replace_malloc.c:263) ==965== by 0x8407: main (check.c:9) ==965== ==965== 10 bytes in 1 blocks are definitely lost in loss record 2 of 4 ==965== at 0x80103318: malloc (vg_replace_malloc.c:263) ==965== by 0x83F7: main (check.c:8) ==965== ==965== 1,048,576 bytes in 1 blocks are definitely lost in loss record 4 of 4 ==965== at 0x80103318: malloc (vg_replace_malloc.c:263) ==965== by 0x8443: main (check.c:18) ==965== ==965== LEAK SUMMARY: ==965== definitely lost: 1,048,590 bytes in 3 blocks ==965== indirectly lost: 0 bytes in 0 blocks ==965== possibly lost: 0 bytes in 0 blocks ==965== still reachable: 4,096 bytes in 1 blocks ==965== suppressed: 0 bytes in 0 blocks ==965== Reachable blocks (those to which a pointer was found) are not shown. ==965== To see them, rerun with: --leak-check=full --show-reachable=yes ==965== ==965== For counts of detected and suppressed errors, rerun with: -v ==965== ERROR SUMMARY: 275 errors from 16 contexts (suppressed: 0 from 0)
这些错误可以分为如下几类：

1. Illegal read / Illegal write errors
2. Use of uninitialised values
3. Use of uninitialised or unaddressable values in system calls
4. Illegal frees
5. When a heap block is freed with an inappropriate deallocation function
6. Overlapping source and destination blocks
7. Memory leak detection