一、valgrind介绍
1、valgrind体系结构
(1)valgrind有内核(core)以及基于内核的其他调试工具组成。
(2)内核类似于一个框架(framework),它模拟了一个CPU环境,并提供服务给其他工具。
(3)其他工具则类似于插件(plug-in),利用内核提供的服务完成各种特点的内存调试任务。
2、valgrind工具集
(1)Memcheck:valgrind应用最广泛的工具,一个重量级的内存检查器,能够发现开发中绝大多数内存错误使用情况。
(2)Callgrind:它主要用来检查程序中函数调用过程中出现的问题。
(3)Cachegrind:它主要用来检查程序中缓存使用出现的问题。
(4)Helgrind:它主要用来检查多线程程序中出现的竞争问题。
(5)Massif:它主要用来检查程序中堆栈使用中出现的问题。
(6)Extension:可以利用core提供的功能,自己编写特定的内存调试工具。
二、valgrind内存检查
1、linux程序的内存布局 (1)代码段(.text) 存放的是CPU要执行的指令。代码段是可以共享的,相同的代码在内存中只会有一个拷贝,同时这个段是只读的, 防止程序由于错误而修改自身的指令。 (2)初始化数据段(.data) 存放的是程序中需要明确赋初始值的变量,内核在调用exec函数启动该程序时从源程序文件中读入。int val = 100; (3)未初始化数据段(.bss) 位于这一段中的数据,内核在执行该程序前,将其初始化为0或者null。int sum; (4)堆(Heap) 用于在程序中进行动态内存申请,如malloc,new等函数。 (5)栈(Stack) 函数中的局部变量,在函数调用过程中产生的临时变量。
2、内存检查原理 Memcheck能够检测出内存问题,关键在于其建立了两个全局表。 (1)Valid-Value表 对于进程的整个地址空间中的每一个字节(byte),都有与之对应的8个bits。 对于CPU的每个寄存器,也有一个与之对应的bit向量。 这些bits负责记录该字节或者寄存器值是否具有有效的、已初始化的值。 (2)Valid-Address表 对于进程整个地址空间中的每一个字节(byte),还有与之对应的1个bit, 负责记录该地址是否能够被读写。 (3)当要读写内存中某个字节时,首先检查这个字节对应的A bit。 如果该A bit显示该位置是无效位置,memcheck则报告读写错误。 (4)内核类似于一个虚拟的CPU环境,当内存中的某个字节被加载到真实的CPU中,该字节对应的V bit也被加载到 虚拟的CPU环境中。一旦寄存器中的值,被用来产生内存地址,或者该值能够影响程序输出,则memcheck会检查 对应的V bit,如果该值尚未初始化,则会报告使用未初始化内存错误。
三、valgrind的用法 为了使valgrind发现的错误更精确,建议在编译时加上-g参数,编译优化选项选择O0,虽然这会降低程序的执行效率。
gcc -g -O0 prog.c -o prog
调用valgrind的通用格式为
valgrind [valgrind-options] prog [prog-options]
内存非法使用的检测方法
valgrind --tool=memcheck --leak-check=yes prog
1、检测内存泄漏 // test1.c
#include <stdio.h>
#include <stdlib.h>
int main(void)
{
char *p = malloc(10);
return EXIT_SUCCESS;
}
$ gcc -g -O0 test1.c -o test1
$ valgrind --tool=memcheck --leak-check=yes test1
==37444== Memcheck, a memory error detector
==37444== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
==37444== Using Valgrind-3.11.0 and LibVEX; rerun with -h for copyright info
==37444== Command: test1
==37444==
==37444==
==37444== HEAP SUMMARY:
==37444== in use at exit: 10 bytes in 1 blocks
==37444== total heap usage: 1 allocs, 0 frees, 10 bytes allocated
==37444==
==37444== 10 bytes in 1 blocks are definitely lost in loss record 1 of 1
==37444== at 0x4C2DB8F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==37444== by 0x400537: main (test1.c:6)
==37444==
==37444== LEAK SUMMARY:
==37444== definitely lost: 10 bytes in 1 blocks
==37444== indirectly lost: 0 bytes in 0 blocks
==37444== possibly lost: 0 bytes in 0 blocks
==37444== still reachable: 0 bytes in 0 blocks
==37444== suppressed: 0 bytes in 0 blocks
==37444==
==37444== For counts of detected and suppressed errors, rerun with: -v
==37444== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)
2、检测对非法内存地址的访问 // test2.c
#include <stdio.h>
#include <stdlib.h>
int main(void)
{
char *p = malloc(10);
p[10] = 1;
free(p);
return EXIT_SUCCESS;
}
$ gcc -g -O0 test2.c -o test2
$ valgrind --tool=memcheck --leak-check=yes test2
==37481== Memcheck, a memory error detector
==37481== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
==37481== Using Valgrind-3.11.0 and LibVEX; rerun with -h for copyright info
==37481== Command: test2
==37481==
==37481== Invalid write of size 1
==37481== at 0x400584: main (test2.c:7)
==37481== Address 0x520304a is 0 bytes after a block of size 10 alloc'd
==37481== at 0x4C2DB8F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==37481== by 0x400577: main (test2.c:6)
==37481==
==37481==
==37481== HEAP SUMMARY:
==37481== in use at exit: 0 bytes in 0 blocks
==37481== total heap usage: 1 allocs, 1 frees, 10 bytes allocated
==37481==
==37481== All heap blocks were freed -- no leaks are possible
==37481==
==37481== For counts of detected and suppressed errors, rerun with: -v
==37481== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)
3、读取未初始化区域 // test3.c
#include <stdio.h>
#include <stdlib.h>
int main(void)
{
int *x = malloc(sizeof(int));
int a = *x + 1;
free(x);
return a;
}
$ gcc -g -O0 test3.c -o test3
$ valgrind --tool=memcheck --leak-check=yes test3
==37505== Memcheck, a memory error detector
==37505== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
==37505== Using Valgrind-3.11.0 and LibVEX; rerun with -h for copyright info
==37505== Command: test3
==37505==
==37505== Syscall param exit_group(status) contains uninitialised byte(s)
==37505== at 0x4F05B98: _Exit (_exit.c:31)
==37505== by 0x4E73FAA: __run_exit_handlers (exit.c:97)
==37505== by 0x4E74044: exit (exit.c:104)
==37505== by 0x4E5A836: (below main) (libc-start.c:325)
==37505==
==37505==
==37505== HEAP SUMMARY:
==37505== in use at exit: 0 bytes in 0 blocks
==37505== total heap usage: 1 allocs, 1 frees, 4 bytes allocated
==37505==
==37505== All heap blocks were freed -- no leaks are possible
==37505==
==37505== For counts of detected and suppressed errors, rerun with: -v
==37505== Use --track-origins=yes to see where uninitialised values come from
==37505== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)
4、访问已释放的区域
// test4.c
#include <stdio.h>
#include <stdlib.h>
int main(void)
{
int *x = malloc(sizeof(int));
free(x);
int a = *x + 1;
return a;
}
$ gcc -g -O0 test4.c -o test4
$ valgrind --tool=memcheck --leak-check=yes test4
==37533== Memcheck, a memory error detector
==37533== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
==37533== Using Valgrind-3.11.0 and LibVEX; rerun with -h for copyright info
==37533== Command: test4
==37533==
==37533== Invalid read of size 4
==37533== at 0x40058C: main (test4.c:8)
==37533== Address 0x5203040 is 0 bytes inside a block of size 4 free'd
==37533== at 0x4C2EDEB: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==37533== by 0x400587: main (test4.c:7)
==37533== Block was alloc'd at
==37533== at 0x4C2DB8F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==37533== by 0x400577: main (test4.c:6)
==37533==
==37533==
==37533== HEAP SUMMARY:
==37533== in use at exit: 0 bytes in 0 blocks
==37533== total heap usage: 1 allocs, 1 frees, 4 bytes allocated
==37533==
==37533== All heap blocks were freed -- no leaks are possible
==37533==
==37533== For counts of detected and suppressed errors, rerun with: -v
==37533== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)
5、内存双重释放
// test5.c
#include <stdio.h>
#include <stdlib.h>
int main(void)
{
char *x = malloc(sizeof(int));
free(x);
free(x);
return EXIT_SUCCESS;
}
$ gcc -g -O0 test5.c -o test5
$ valgrind --tool=memcheck --leak-check=yes test5
==37554== Memcheck, a memory error detector
==37554== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
==37554== Using Valgrind-3.11.0 and LibVEX; rerun with -h for copyright info
==37554== Command: test5
==37554==
==37554== Invalid free() / delete / delete[] / realloc()
==37554== at 0x4C2EDEB: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==37554== by 0x400593: main (test5.c:8)
==37554== Address 0x5203040 is 0 bytes inside a block of size 4 free'd
==37554== at 0x4C2EDEB: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==37554== by 0x400587: main (test5.c:7)
==37554== Block was alloc'd at
==37554== at 0x4C2DB8F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==37554== by 0x400577: main (test5.c:6)
==37554==
==37554==
==37554== HEAP SUMMARY:
==37554== in use at exit: 0 bytes in 0 blocks
==37554== total heap usage: 1 allocs, 2 frees, 4 bytes allocated
==37554==
==37554== All heap blocks were freed -- no leaks are possible
==37554==
==37554== For counts of detected and suppressed errors, rerun with: -v
==37554== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)
6、内存覆盖
// test6.c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
int main(int argc, char *argv[])
{
char x[50];
int i;
for(i = 0; i < 50; i++)
{
x[i] = i + 1;
}
strncpy(x+20, x, 20); // ok
strncpy(x+20, x, 21); // overlap
strncpy(x, x+20, 20); // ok
strncpy(x, x+20, 21); // overlap
x[39] = '\0';
strcpy(x, x+20); // ok
x[39] = 39;
x[40] = '\0';
strcpy(x, x+20); // overlap
return 0;
}
$ gcc -g -O0 test6.c -o test6
$ valgrind --tool=memcheck --leak-check=yes test6
==37692== Memcheck, a memory error detector
==37692== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
==37692== Using Valgrind-3.11.0 and LibVEX; rerun with -h for copyright info
==37692== Command: test6
==37692==
==37692== Source and destination overlap in strncpy(0xffefffb49, 0xffefffb35, 21)
==37692== at 0x4C31626: __strncpy_sse2_unaligned (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==37692== by 0x40064F: main (test6.c:14)
==37692==
==37692== Source and destination overlap in strncpy(0xffefffb35, 0xffefffb49, 21)
==37692== at 0x4C31626: __strncpy_sse2_unaligned (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==37692== by 0x400687: main (test6.c:16)
==37692==
==37692== Source and destination overlap in strcpy(0xffefffb20, 0xffefffb34)
==37692== at 0x4C310E6: strcpy (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==37692== by 0x4006C1: main (test6.c:23)
==37692==
==37692==
==37692== HEAP SUMMARY:
==37692== in use at exit: 0 bytes in 0 blocks
==37692== total heap usage: 0 allocs, 0 frees, 0 bytes allocated
==37692==
==37692== All heap blocks were freed -- no leaks are possible
==37692==
==37692== For counts of detected and suppressed errors, rerun with: -v
==37692== ERROR SUMMARY: 3 errors from 3 contexts (suppressed: 0 from 0)
7、valgrind不能检测的错误
valgrind不对静态数组(分配在栈上)进行边界检查
// test7.c
#include <stdio.h>
#include <stdlib.h>
int main(void)
{
char x[10];
x[11] = 'a';
return EXIT_SUCCESS;
}
$ valgrind --vgdb=yes --tool=memcheck --leak-check=yes test7
==37863== Memcheck, a memory error detector
==37863== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
==37863== Using Valgrind-3.11.0 and LibVEX; rerun with -h for copyright info
==37863== Command: test7
==37863==
==37863==
==37863== HEAP SUMMARY:
==37863== in use at exit: 0 bytes in 0 blocks
==37863== total heap usage: 0 allocs, 0 frees, 0 bytes allocated
==37863==
==37863== All heap blocks were freed -- no leaks are possible
==37863==
==37863== For counts of detected and suppressed errors, rerun with: -v
==37863== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 0 from 0)