Valgrind用户手册（二）

启动方式:     valgrind [valgrind-options] your-prog [your-prog-options]

--gen-suppressions=yes 当Valgrind检测到系统库函数错误时，屏蔽此类错误
-v ，--verbose获得详细信息
必须调用Valgrind执行真正的可执行文件，而非shell或Perl的脚本文件
Valgrind输出三种方式：
（1）默认输出到2（stderr），可通过--log-fd=9指定
（2）指定输出到文件--log-file=filename
（3）指定输出到网络端口--log-socket=192.168.0.1:12345
-q,--quiet 安静执行，只打印错误信息
--trace-children=<yes|no> [default: no] 跟踪exec调用执行的子进程
--xml=<yes|no> [default: no] 用xml格式输出日志
--error-limit=<yes|no> [default: yes]  默认yes，在总量达到10,000,000，或者1,000个不同的错误，Valgrind停止报告错误。设置为no，则不限制。



4、Memcheck内存检测工具



4.1概述
Memcheck能够检测的几类问题：
获得非法内存
使用未定义的值
错误的释放堆内存
使用memcpy或相关函数，源和目的指针重叠
内存泄露



4.2错误信息解释



4.2.1非法的读写错误

Invalid read of size 4
at 0x40F6BBCC: (within /usr/lib/libpng.so.2.1.0.9)
by 0x40F6B804: (within /usr/lib/libpng.so.2.1.0.9)
by 0x40B07FF4: read_png_image(QImageIO *) (kernel/qpngio.cpp:326)
by 0x40AC751B: QImageIO::read() (kernel/qimage.cpp:3621)
Address 0xBFFFF0E0 is not stack’d, malloc’d or free’d




4.2.2 使用未初始化的值

Conditional jump or move depends on uninitialised value(s)
at 0x402DFA94: _IO_vfprintf (_itoa.h:49)
by 0x402E8476: _IO_printf (printf.c:36)
by 0x8048472: main (tests/manuel1.c:8)


--track-origins=yes 查看详细未初始化信息



4.2.3在系统调用中，使用未初始化的或不可寻址值

#include <stdlib.h>
#include <unistd.h>
int main( void )
{
char* arr = malloc(10);
int* arr2 = malloc(sizeof(int));
write( 1 /* stdout */, arr, 10 );
exit(arr2[0]);
}


错误信息

Syscall param write(buf) points to uninitialised byte(s)
at 0x25A48723: __write_nocancel (in /lib/tls/libc-2.3.3.so)
by 0x259AFAD3: __libc_start_main (in /lib/tls/libc-2.3.3.so)
by 0x8048348: (within /auto/homes/njn25/grind/head4/a.out)
Address 0x25AB8028 is 0 bytes inside a block of size 10 alloc’d
at 0x259852B0: malloc (vg_replace_malloc.c:130)
by 0x80483F1: main (a.c:5)
Syscall param exit(error_code) contains uninitialised byte(s)
at 0x25A21B44: __GI__exit (in /lib/tls/libc-2.3.3.so)
by 0x8048426: main (a.c:8)


4.2.4非法释放

Invalid free()
at 0x4004FFDF: free (vg_clientmalloc.c:577)
by 0x80484C7: main (tests/doublefree.c:10)
Address 0x3807F7B4 is 0 bytes inside a block of size 177 free’d
at 0x4004FFDF: free (vg_clientmalloc.c:577)
by 0x80484C7: main (tests/doublefree.c:10)




4.2.5堆空间不恰当释放
使用new【】分配空间，free释放

Mismatched free() / delete / delete []
at 0x40043249: free (vg_clientfuncs.c:171)
by 0x4102BB4E: QGArray::~QGArray(void) (tools/qgarray.cpp:149)
by 0x4C261C41: PptDoc::~PptDoc(void) (include/qmemarray.h:60)
by 0x4C261F0E: PptXml::~PptXml(void) (pptxml.cc:44)
Address 0x4BB292A8 is 0 bytes inside a block of size 64 alloc’d
at 0x4004318C: operator new[](unsigned int) (vg_clientfuncs.c:152)
by 0x4C21BC15: KLaola::readSBStream(int) const (klaola.cc:314)
by 0x4C21C155: KLaola::stream(KLaola::OLENode const *) (klaola.cc:416)
by 0x4C21788F: OLEFilter::convert(QCString const &) (olefilter.cc:272)




4.2.6源地址和目的地址有重叠
使用memcpy,strcpy, strncpy, strcat, strncat这些函数可能出现

==27492== Source and destination overlap in memcpy(0xbffff294, 0xbffff280, 21)
==27492== at 0x40026CDC: memcpy (mc_replace_strmem.c:71)
==27492== by 0x804865A: main (overlap.c:40)


4.2.7内存泄露检测
使用--leak-check 
9种可能出现的情况

Pointer chain          AAA Category         BBB Category
-------------          ------------         ------------
(1) RRR ------------> BBB                    DR
(2) RRR ---> AAA ---> BBB DR                 IR
(3) RRR               BBB              DL
(4) RRR AAA ---> BBB DL IL
(5) RRR ------?-----> BBB                  (y)DR, (n)DL
(6) RRR ---> AAA -?-> BBB DR               (y)IR, (n)DL
(7) RRR -?-> AAA ---> BBB (y)DR, (n)DL     (y)IR, (n)IL
(8) RRR -?-> AAA -?-> BBB (y)DR, (n)DL     (y,y)IR, (n,y)IL, (_,n)DL
(9) RRR AAA -?-> BBB DL                    (y)IL, (n)DL
Pointer chain legend:
- RRR: a root set node or DR block
- AAA, BBB: heap blocks
- --->: a start-pointer
- -?->: an interior-pointer
Category legend:
- DR: Directly reachable
- IR: Indirectly reachable
- DL: Directly lost
- IL: Indirectly lost
- (y)XY: it’s XY if the interior-pointer is a real pointer
- (n)XY: it’s XY if the interior-pointer is not a real pointer
- (_)XY: it’s XY in either case
"Still reachable". This covers cases 1 and 2

"Definitely lost". This covers case 3 

"Indirectly lost". This covers cases 4 and 9
"Possibly lost". This covers cases 5--8 不需要考虑
4.3命令行选项
--leak-check=<no|summary|yes|full> [default: summary]       设置为full或yes将给出详细内存泄露检测


--show-possibly-lost=<yes|no> [default: yes]    设置为disabled将不显示 "possibly lost"结果
--track-origins=<yes|no> [default: no]       跟踪未初始化值产生根源