GNU C Library 可以根据环境变量MALLOC_CHECK_来决定是否在运行时可检测程序中的内存问题。而内存问题有时候表现得非常古怪,比如random crash, crash的点又经常变,甚至coredump中也没什么栈信息。这时候可以用这个方法来验证一下。知识还没办法打印出错点对应的地址,有些遗憾。
下面是一个内存越界的例子:
|
运行结果:
$ g++ test.cpp -o test
malloc: using debugging hooks
malloc: using debugging hooks
malloc: using debugging hooks
malloc: using debugging hooks
malloc: using debugging hooks
malloc: using debugging hooks
$ ./test
malloc: using debugging hooks
buf1: [9b7f050]
free(): invalid pointer 0x9b7f050!
malloc: top chunk is corrupt
buf: [9ba0008]
0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
$ export MALLOC_CHECK_=2
$ ./test
buf1: [a01d050]
Aborted
$ export MALLOC_CHECK_=0
$ ./test
buf1: [9e12050]
buf: [9e33008]
0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
$ unset MALLOC_CHECK_
$ ./test
buf1: [9062050]
buf: [9062050]
0 0 0 0 63 63 63 63 63 63 63 63 63 63 63 63 63 63 63 63 63 63 63 63 63 63 63 63 63 63 63 63
通 过比较两次分配的指针地址可以看出,当使用MALLOC_CHECK_时,如果检测到memory corrupt时,有问题的memory将被特殊处理,而不是像正常情况一样被分配给新的request. 因此有可能出现使用了此环境变量之后,原本可能发生crash的程序反而工作正常了。
对于double free, 会给出类似下面的输出:
free(): invalid pointer 0x9186050!
遗憾的是此方法没能检测到读越界。
附info malloc 中对此环境变量的说明:
Recent versions of Linux libc (later than 5.4.23) and GNU libc (2.x)
include a malloc implementation which is tunable via environment vari-
ables. When MALLOC_CHECK_ is set, a special (less efficient) implemen-
tation is used which is designed to be tolerant against simple errors,
such as double calls of free() with the same argument, or overruns of a
single byte (off-by-one bugs). Not all such errors can be protected
against, however, and memory leaks can result. If MALLOC_CHECK_ is set
to 0, any detected heap corruption is silently ignored; if set to 1, a
diagnostic is printed on stderr; if set to 2, abort() is called immedi-
ately. This can be useful because otherwise a crash may happen much
later, and the true cause for the problem is then very hard to track
down.