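Invocation: valgrind [valgrind-options] your-prog [your-prog-options]
--gen-suppressions=yes  When Valgrind reports errors in system library functions, generates suppression entries so that such errors can be suppressed
-v, --verbose  Print more detailed information
Valgrind must be run on the real executable, not on a shell or Perl script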
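Valgrind can send its output to three kinds of destination:
(1) By default, output goes to file descriptor 2 (stderr); a different descriptor can be chosen with --log-fd=9
(2) Output to a file: --log-file=filename
(3) Output to a network socket: --log-socket=192.168.0.1:12345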
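-q, --quiet  Run quietly and print only error messages
--trace-children=<yes|no> [default: no]  Trace child processes started through exec calls
--xml=<yes|no> [default: no]  Write the log in XML format
--error-limit=<yes|no> [default: yes]  With the default yes, Valgrind stops reporting errors once the total reaches 10,000,000 or 1,000 different errors have been seen. Set to no to remove the limit.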
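4. Memcheck memory checking tool
4.1 Overview
Kinds of problems Memcheck can detect:
Accessing memory illegally
Using undefined values
Freeing heap memory incorrectly
Calling memcpy or related functions with overlapping source and destination pointers
Memory leaks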
4.2 Explanation of error messages
4.2.1 Illegal read / write errors
Invalid read of size 4
   at 0x40F6BBCC: (within /usr/lib/libpng.so.2.1.0.9)
   by 0x40F6B804: (within /usr/lib/libpng.so.2.1.0.9)
   by 0x40B07FF4: read_png_image(QImageIO *) (kernel/qpngio.cpp:326)
   by 0x40AC751B: QImageIO::read() (kernel/qimage.cpp:3621)
 Address 0xBFFFF0E0 is not stack'd, malloc'd or free'd
4.2.2 Use of uninitialised values
Conditional jump or move depends on uninitialised value(s)
   at 0x402DFA94: _IO_vfprintf (_itoa.h:49)
   by 0x402E8476: _IO_printf (printf.c:36)
   by 0x8048472: main (tests/manuel1.c:8)
--track-origins=yes  Show detailed information about where the uninitialised value came from
4.2.3 Use of uninitialised or unaddressable values in system calls
#include <stdlib.h>
#include <unistd.h>
int main( void )
{
  char* arr  = malloc(10);            /* 10 bytes, never initialised */
  int*  arr2 = malloc(sizeof(int));   /* one int, never initialised */
  write( 1 /* stdout */, arr, 10 );   /* passes uninitialised bytes to write() */
  exit(arr2[0]);                      /* uses an uninitialised value as the exit code */
}
Error messages:
Syscall param write(buf) points to uninitialised byte(s)
   at 0x25A48723: __write_nocancel (in /lib/tls/libc-2.3.3.so)
   by 0x259AFAD3: __libc_start_main (in /lib/tls/libc-2.3.3.so)
   by 0x8048348: (within /auto/homes/njn25/grind/head4/a.out)
 Address 0x25AB8028 is 0 bytes inside a block of size 10 alloc'd
   at 0x259852B0: malloc (vg_replace_malloc.c:130)
   by 0x80483F1: main (a.c:5)

Syscall param exit(error_code) contains uninitialised byte(s)
   at 0x25A21B44: __GI__exit (in /lib/tls/libc-2.3.3.so)
   by 0x8048426: main (a.c:8)
4.2.4 Illegal frees
Invalid free()
   at 0x4004FFDF: free (vg_clientmalloc.c:577)
   by 0x80484C7: main (tests/doublefree.c:10)
 Address 0x3807F7B4 is 0 bytes inside a block of size 177 free'd
   at 0x4004FFDF: free (vg_clientmalloc.c:577)
   by 0x80484C7: main (tests/doublefree.c:10)
4.2.5 Heap memory released with an inappropriate function
Memory is allocated with new[] and released with free
Mismatched free() / delete / delete []
   at 0x40043249: free (vg_clientfuncs.c:171)
   by 0x4102BB4E: QGArray::~QGArray(void) (tools/qgarray.cpp:149)
   by 0x4C261C41: PptDoc::~PptDoc(void) (include/qmemarray.h:60)
   by 0x4C261F0E: PptXml::~PptXml(void) (pptxml.cc:44)
 Address 0x4BB292A8 is 0 bytes inside a block of size 64 alloc'd
   at 0x4004318C: operator new[](unsigned int) (vg_clientfuncs.c:152)
   by 0x4C21BC15: KLaola::readSBStream(int) const (klaola.cc:314)
   by 0x4C21C155: KLaola::stream(KLaola::OLENode const *) (klaola.cc:416)
   by 0x4C21788F: OLEFilter::convert(QCString const &) (olefilter.cc:272)
4.2.6 Overlapping source and destination addresses
Can occur when using memcpy, strcpy, strncpy, strcat or strncat
==27492== Source and destination overlap in memcpy(0xbffff294, 0xbffff280, 21)
==27492==    at 0x40026CDC: memcpy (mc_replace_strmem.c:71)
==27492==    by 0x804865A: main (overlap.c:40)
4.2.7 Memory leak detection
Use --leak-check
There are 9 possible cases:
     Pointer chain            AAA Category    BBB Category
     -------------            ------------    ------------
(1)  RRR ------------> BBB                    DR
(2)  RRR ---> AAA ---> BBB    DR              IR
(3)  RRR               BBB                    DL
(4)  RRR      AAA ---> BBB    DL              IL
(5)  RRR ------?-----> BBB                    (y)DR, (n)DL
(6)  RRR ---> AAA -?-> BBB    DR              (y)IR, (n)DL
(7)  RRR -?-> AAA ---> BBB    (y)DR, (n)DL    (y)IR, (n)IL
(8)  RRR -?-> AAA -?-> BBB    (y)DR, (n)DL    (y,y)IR, (n,y)IL, (_,n)DL
(9)  RRR      AAA -?-> BBB    DL              (y)IL, (n)DL

Pointer chain legend:
- RRR: a root set node or DR block
- AAA, BBB: heap blocks
- --->: a start-pointer
- -?->: an interior-pointer

Category legend:
- DR: Directly reachable
- IR: Indirectly reachable
- DL: Directly lost
- IL: Indirectly lost
- (y)XY: it's XY if the interior-pointer is a real pointer
- (n)XY: it's XY if the interior-pointer is not a real pointer
- (_)XY: it's XY in either case

"Still reachable". This covers cases 1 and 2
"Definitely lost". This covers case 3
"Indirectly lost". This covers cases 4 and 9
"Possibly lost". This covers cases 5--8 (need not be considered)
4.3 Command-line options
--leak-check=<no|summary|yes|full> [default: summary]  Setting full or yes gives detailed memory leak reports
--show-possibly-lost=<yes|no> [default: yes]  When disabled, "possibly lost" results are not shown
--track-origins=<yes|no> [default: no]  Track where uninitialised values originate
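
Added example (not part of the original notes): a small C program that builds the pointer chains of cases 1 to 5 from the table in 4.2.7, so the predicted categories can be compared with Memcheck's LEAK SUMMARY. The names node, expect, build_leak_cases and root_* are made up for illustration; it assumes a build with -g -O0 so the compiler does not remove the unused allocations.

```c
/* Added example (constructed): heap layouts for leak cases 1-5 of the table. */
#include <stdio.h>
#include <stdlib.h>

struct node { struct node *next; char payload[24]; };  /* an AAA/BBB heap block */
struct expect { int reachable, definite, indirect, possible; };  /* block counts */

/* Non-static globals: part of the root set (RRR) and live until exit. */
struct node *root_direct, *root_chain;
char *root_interior;

static struct node *new_node(struct node *next) {
    struct node *n = calloc(1, sizeof *n);
    if (!n) abort();
    n->next = next;
    return n;
}

/* Builds the layouts; returns how many blocks each category should contain. */
struct expect build_leak_cases(void) {
    struct expect e = {0, 0, 0, 0};
    root_direct = new_node(NULL);           /* (1) RRR ---> BBB: DR */
    e.reachable += 1;
    root_chain = new_node(new_node(NULL));  /* (2) RRR ---> AAA ---> BBB: DR, IR */
    e.reachable += 2;
    (void)new_node(NULL);                   /* (3) nothing points to BBB: DL */
    e.definite += 1;
    (void)new_node(new_node(NULL));         /* (4) AAA ---> BBB, AAA unreferenced: DL, IL */
    e.definite += 1;
    e.indirect += 1;
    /* (5) RRR -?-> BBB: only an interior pointer survives, "possibly lost" */
    root_interior = new_node(NULL)->payload + 4;
    e.possible += 1;
    return e;
}

int main(void) {
    struct expect e = build_leak_cases();
    size_t sz = sizeof(struct node);
    printf("expected blocks (bytes) per category in LEAK SUMMARY:\n");
    printf("  definitely lost: %d (%zu)\n", e.definite, e.definite * sz);
    printf("  indirectly lost: %d (%zu)\n", e.indirect, e.indirect * sz);
    printf("  possibly lost:   %d (%zu)\n", e.possible, e.possible * sz);
    printf("  still reachable: %d (%zu)\n", e.reachable, e.reachable * sz);
    return 0;
}
```

Run it as valgrind --leak-check=full --show-reachable=yes ./a.out and compare the LEAK SUMMARY with the printed expectations; a stale copy of a pointer left in a register can occasionally make a lost block look reachable.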