1.默認(rèn)使用工具memcheck
2.輸出到XML文件:valgrind --leak-check=full --xml=yes --log-file="log.xml" myprog arg1 arg2
3.錯(cuò)誤解釋
3.1Illegal read / Illegal write errors
例如:
Invalid read of size 4
at 0x40F6BBCC: (within /usr/lib/libpng.so.2.1.0.9)
by 0x40F6B804: (within /usr/lib/libpng.so.2.1.0.9)
by 0x40B07FF4: read_png_image(QImageIO *) (kernel/qpngio.cpp:326)
by 0x40AC751B: QImageIO::read() (kernel/qimage.cpp:3621)
Address 0xBFFFF0E0 is not stack'd, malloc'd or free'd
這個(gè)錯(cuò)誤的發(fā)生是因?yàn)閷?duì)一些memcheck猜想不應(yīng)該訪問的內(nèi)存進(jìn)行了讀寫。
3.2 Use of uninitialised values
例如:
Conditional jump or move depends on uninitialised value(s)
at 0x402DFA94: _IO_vfprintf (_itoa.h:49)
by 0x402E8476: _IO_printf (printf.c:36)
by 0x8048472: main (tests/manuel1.c:8)
這個(gè)錯(cuò)誤的發(fā)生是因?yàn)槭褂昧宋闯跏蓟臄?shù)據(jù)。一般情況下有兩種情形容易出現(xiàn)這個(gè)錯(cuò)誤:
程序中的局部變量未初始化;
C語言malloc的內(nèi)存未初始化;C++中new的對(duì)象其成員未被初始化。
3.3 Illegal frees
例如:
Invalid free()
at 0x4004FFDF: free (vg_clientmalloc.c:577)
by 0x80484C7: main (tests/doublefree.c:10)
Address 0x3807F7B4 is 0 bytes inside a block of size 177 free'd
at 0x4004FFDF: free (vg_clientmalloc.c:577)
by 0x80484C7: main (tests/doublefree.c:10)
3.4 When a block is freed with an inappropriate deallocation function
例如:
Mismatched free() / delete / delete []
at 0x40043249: free (vg_clientfuncs.c:171)
by 0x4102BB4E: QGArray::~QGArray(void) (tools/qgarray.cpp:149)
by 0x4C261C41: PptDoc::~PptDoc(void) (include/qmemarray.h:60)
by 0x4C261F0E: PptXml::~PptXml(void) (pptxml.cc:44)
Address 0x4BB292A8 is 0 bytes inside a block of size 64 alloc'd
at 0x4004318C: operator new[](unsigned int) (vg_clientfuncs.c:152)
by 0x4C21BC15: KLaola::readSBStream(int) const (klaola.cc:314)
by 0x4C21C155: KLaola::stream(KLaola::OLENode const *) (klaola.cc:416)
by 0x4C21788F: OLEFilter::convert(QCString const &) (olefilter.cc:272)
If allocated with malloc, calloc, realloc, valloc or memalign, you must deallocate with free.
If allocated with new[], you must deallocate with delete[].
If allocated with new, you must deallocate with delete.
linux系統(tǒng)對(duì)上述錯(cuò)誤可能不在意,但是移值到其他平臺(tái)時(shí)卻會(huì)有問題。
3.5 Passing system call parameters with inadequate read/write permissions
例如:
Syscall param write(buf) points to uninitialised byte(s)
at 0x25A48723: __write_nocancel (in /lib/tls/libc-2.3.3.so)
by 0x259AFAD3: __libc_start_main (in /lib/tls/libc-2.3.3.so)
by 0x8048348: (within /auto/homes/njn25/grind/head4/a.out)
Address 0x25AB8028 is 0 bytes inside a block of size 10 alloc'd
at 0x259852B0: malloc (vg_replace_malloc.c:130)
by 0x80483F1: main (a.c:5)
Syscall param exit(error_code) contains uninitialised byte(s)
at 0x25A21B44: __GI__exit (in /lib/tls/libc-2.3.3.so)
by 0x8048426: main (a.c:8)
Memcheck檢查所有的被系統(tǒng)調(diào)用的參數(shù)。
It checks all the direct parameters themselves.
Also, if a system call needs to read from a buffer provided by your program, Memcheck checks that the entire buffer is addressable and has valid data, ie, it is readable.
Also, if the system call needs to write to a user-supplied buffer, Memcheck checks that the buffer is addressable.
例如:
#include <stdlib.h>
#include <unistd.h>
int main( void )
{
char* arr = malloc(10);
int* arr2 = malloc(sizeof(int));
write( 1 /* stdout */, arr, 10 );
exit(arr2[0]);
}
錯(cuò)誤信息:
Syscall param write(buf) points to uninitialised byte(s)
at 0x25A48723: __write_nocancel (in /lib/tls/libc-2.3.3.so)
by 0x259AFAD3: __libc_start_main (in /lib/tls/libc-2.3.3.so)
by 0x8048348: (within /auto/homes/njn25/grind/head4/a.out)
Address 0x25AB8028 is 0 bytes inside a block of size 10 alloc'd
at 0x259852B0: malloc (vg_replace_malloc.c:130)
by 0x80483F1: main (a.c:5)
Syscall param exit(error_code) contains uninitialised byte(s)
at 0x25A21B44: __GI__exit (in /lib/tls/libc-2.3.3.so)
by 0x8048426: main (a.c:8)
傳遞了無效參數(shù)到系統(tǒng)函數(shù)中。
3.6 Overlapping source and destination blocks
C的以下庫函數(shù)拷貝數(shù)據(jù)從一塊內(nèi)存到另一塊內(nèi)存時(shí): memcpy(), strcpy(), strncpy(), strcat(), strncat(). 源和目的都不允許溢出。
例如:
==27492== Source and destination overlap in memcpy(0xbffff294, 0xbffff280, 21)
==27492== at 0x40026CDC: memcpy (mc_replace_strmem.c:71)
==27492== by 0x804865A: main (overlap.c:40)
3.7 Memory leak detection
錯(cuò)誤信息:
Still reachable: A pointer to the start of the block is found. This usually indicates programming sloppiness. Since the block is still pointed at, the programmer could, at least in principle, free it before program exit. Because these are very common and arguably not a problem, Memcheck won't report such blocks unless --show-reachable=yes is specified.
Possibly lost, or "dubious": A pointer to the interior of the block is found. The pointer might originally have pointed to the start and have been moved along, or it might be entirely unrelated. Memcheck deems such a block as "dubious", because it's unclear whether or not a pointer to it still exists.
Definitely lost, or "leaked": The worst outcome is that no pointer to the block can be found. The block is classified as "leaked