1 <?xml version="1.0"?> <!-- -*- sgml -*- --> 2 <!DOCTYPE chapter PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN" 3 "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"> 4 5 6 <chapter id="mc-manual" xreflabel="Memcheck: a memory error detector"> 7 <title>Memcheck: a memory error detector</title> 8 9 <para>To use this tool, you may specify <option>--tool=memcheck</option> 10 on the Valgrind command line. You don't have to, though, since Memcheck 11 is the default tool.</para> 12 13 14 <sect1 id="mc-manual.overview" xreflabel="Overview"> 15 <title>Overview</title> 16 17 <para>Memcheck is a memory error detector. It can detect the following 18 problems that are common in C and C++ programs.</para> 19 20 <itemizedlist> 21 <listitem> 22 <para>Accessing memory you shouldn't, e.g. overrunning and underrunning 23 heap blocks, overrunning the top of the stack, and accessing memory after 24 it has been freed.</para> 25 </listitem> 26 27 <listitem> 28 <para>Using undefined values, i.e. values that have not been initialised, 29 or that have been derived from other undefined values.</para> 30 </listitem> 31 32 <listitem> 33 <para>Incorrect freeing of heap memory, such as double-freeing heap 34 blocks, or mismatched use of 35 <function>malloc</function>/<computeroutput>new</computeroutput>/<computeroutput>new[]</computeroutput> 36 versus 37 <function>free</function>/<computeroutput>delete</computeroutput>/<computeroutput>delete[]</computeroutput></para> 38 </listitem> 39 40 <listitem> 41 <para>Overlapping <computeroutput>src</computeroutput> and 42 <computeroutput>dst</computeroutput> pointers in 43 <computeroutput>memcpy</computeroutput> and related 44 functions.</para> 45 </listitem> 46 47 <listitem> 48 <para>Passing a fishy (presumably negative) value to the 49 <computeroutput>size</computeroutput> parameter of a memory 50 allocation function.</para> 51 </listitem> 52 53 <listitem> 54 <para>Memory leaks.</para> 55 </listitem> 56 </itemizedlist> 57 58 <para>Problems like these can be difficult to find by other means, 59 often remaining undetected for long periods, then causing occasional, 60 difficult-to-diagnose crashes.</para> 61 62 </sect1> 63 64 65 66 <sect1 id="mc-manual.errormsgs" 67 xreflabel="Explanation of error messages from Memcheck"> 68 <title>Explanation of error messages from Memcheck</title> 69 70 <para>Memcheck issues a range of error messages. This section presents a 71 quick summary of what error messages mean. The precise behaviour of the 72 error-checking machinery is described in <xref 73 linkend="mc-manual.machine"/>.</para> 74 75 76 <sect2 id="mc-manual.badrw" 77 xreflabel="Illegal read / Illegal write errors"> 78 <title>Illegal read / Illegal write errors</title> 79 80 <para>For example:</para> 81 <programlisting><![CDATA[ 82 Invalid read of size 4 83 at 0x40F6BBCC: (within /usr/lib/libpng.so.2.1.0.9) 84 by 0x40F6B804: (within /usr/lib/libpng.so.2.1.0.9) 85 by 0x40B07FF4: read_png_image(QImageIO *) (kernel/qpngio.cpp:326) 86 by 0x40AC751B: QImageIO::read() (kernel/qimage.cpp:3621) 87 Address 0xBFFFF0E0 is not stack'd, malloc'd or free'd 88 ]]></programlisting> 89 90 <para>This happens when your program reads or writes memory at a place 91 which Memcheck reckons it shouldn't. In this example, the program did a 92 4-byte read at address 0xBFFFF0E0, somewhere within the system-supplied 93 library libpng.so.2.1.0.9, which was called from somewhere else in the 94 same library, called from line 326 of <filename>qpngio.cpp</filename>, 95 and so on.</para> 96 97 <para>Memcheck tries to establish what the illegal address might relate 98 to, since that's often useful. So, if it points into a block of memory 99 which has already been freed, you'll be informed of this, and also where 100 the block was freed. Likewise, if it should turn out to be just off 101 the end of a heap block, a common result of off-by-one-errors in 102 array subscripting, you'll be informed of this fact, and also where the 103 block was allocated. If you use the <option><xref 104 linkend="opt.read-var-info"/></option> option Memcheck will run more slowly 105 but may give a more detailed description of any illegal address.</para> 106 107 <para>In this example, Memcheck can't identify the address. Actually 108 the address is on the stack, but, for some reason, this is not a valid 109 stack address -- it is below the stack pointer and that isn't allowed. 110 In this particular case it's probably caused by GCC generating invalid 111 code, a known bug in some ancient versions of GCC.</para> 112 113 <para>Note that Memcheck only tells you that your program is about to 114 access memory at an illegal address. It can't stop the access from 115 happening. So, if your program makes an access which normally would 116 result in a segmentation fault, you program will still suffer the same 117 fate -- but you will get a message from Memcheck immediately prior to 118 this. In this particular example, reading junk on the stack is 119 non-fatal, and the program stays alive.</para> 120 121 </sect2> 122 123 124 125 <sect2 id="mc-manual.uninitvals" 126 xreflabel="Use of uninitialised values"> 127 <title>Use of uninitialised values</title> 128 129 <para>For example:</para> 130 <programlisting><![CDATA[ 131 Conditional jump or move depends on uninitialised value(s) 132 at 0x402DFA94: _IO_vfprintf (_itoa.h:49) 133 by 0x402E8476: _IO_printf (printf.c:36) 134 by 0x8048472: main (tests/manuel1.c:8) 135 ]]></programlisting> 136 137 <para>An uninitialised-value use error is reported when your program 138 uses a value which hasn't been initialised -- in other words, is 139 undefined. Here, the undefined value is used somewhere inside the 140 <function>printf</function> machinery of the C library. This error was 141 reported when running the following small program:</para> 142 <programlisting><![CDATA[ 143 int main() 144 { 145 int x; 146 printf ("x = %d\n", x); 147 }]]></programlisting> 148 149 <para>It is important to understand that your program can copy around 150 junk (uninitialised) data as much as it likes. Memcheck observes this 151 and keeps track of the data, but does not complain. A complaint is 152 issued only when your program attempts to make use of uninitialised 153 data in a way that might affect your program's externally-visible behaviour. 154 In this example, <varname>x</varname> is uninitialised. Memcheck observes 155 the value being passed to <function>_IO_printf</function> and thence to 156 <function>_IO_vfprintf</function>, but makes no comment. However, 157 <function>_IO_vfprintf</function> has to examine the value of 158 <varname>x</varname> so it can turn it into the corresponding ASCII string, 159 and it is at this point that Memcheck complains.</para> 160 161 <para>Sources of uninitialised data tend to be:</para> 162 <itemizedlist> 163 <listitem> 164 <para>Local variables in procedures which have not been initialised, 165 as in the example above.</para> 166 </listitem> 167 <listitem> 168 <para>The contents of heap blocks (allocated with 169 <function>malloc</function>, <function>new</function>, or a similar 170 function) before you (or a constructor) write something there. 171 </para> 172 </listitem> 173 </itemizedlist> 174 175 <para>To see information on the sources of uninitialised data in your 176 program, use the <option>--track-origins=yes</option> option. This 177 makes Memcheck run more slowly, but can make it much easier to track down 178 the root causes of uninitialised value errors.</para> 179 180 </sect2> 181 182 183 184 <sect2 id="mc-manual.bad-syscall-args" 185 xreflabel="Use of uninitialised or unaddressable values in system 186 calls"> 187 <title>Use of uninitialised or unaddressable values in system 188 calls</title> 189 190 <para>Memcheck checks all parameters to system calls: 191 <itemizedlist> 192 <listitem> 193 <para>It checks all the direct parameters themselves, whether they are 194 initialised.</para> 195 </listitem> 196 <listitem> 197 <para>Also, if a system call needs to read from a buffer provided by 198 your program, Memcheck checks that the entire buffer is addressable 199 and its contents are initialised.</para> 200 </listitem> 201 <listitem> 202 <para>Also, if the system call needs to write to a user-supplied 203 buffer, Memcheck checks that the buffer is addressable.</para> 204 </listitem> 205 </itemizedlist> 206 </para> 207 208 <para>After the system call, Memcheck updates its tracked information to 209 precisely reflect any changes in memory state caused by the system 210 call.</para> 211 212 <para>Here's an example of two system calls with invalid parameters:</para> 213 <programlisting><![CDATA[ 214 #include <stdlib.h> 215 #include <unistd.h> 216 int main( void ) 217 { 218 char* arr = malloc(10); 219 int* arr2 = malloc(sizeof(int)); 220 write( 1 /* stdout */, arr, 10 ); 221 exit(arr2[0]); 222 } 223 ]]></programlisting> 224 225 <para>You get these complaints ...</para> 226 <programlisting><![CDATA[ 227 Syscall param write(buf) points to uninitialised byte(s) 228 at 0x25A48723: __write_nocancel (in /lib/tls/libc-2.3.3.so) 229 by 0x259AFAD3: __libc_start_main (in /lib/tls/libc-2.3.3.so) 230 by 0x8048348: (within /auto/homes/njn25/grind/head4/a.out) 231 Address 0x25AB8028 is 0 bytes inside a block of size 10 alloc'd 232 at 0x259852B0: malloc (vg_replace_malloc.c:130) 233 by 0x80483F1: main (a.c:5) 234 235 Syscall param exit(error_code) contains uninitialised byte(s) 236 at 0x25A21B44: __GI__exit (in /lib/tls/libc-2.3.3.so) 237 by 0x8048426: main (a.c:8) 238 ]]></programlisting> 239 240 <para>... because the program has (a) written uninitialised junk 241 from the heap block to the standard output, and (b) passed an 242 uninitialised value to <function>exit</function>. Note that the first 243 error refers to the memory pointed to by 244 <computeroutput>buf</computeroutput> (not 245 <computeroutput>buf</computeroutput> itself), but the second error 246 refers directly to <computeroutput>exit</computeroutput>'s argument 247 <computeroutput>arr2[0]</computeroutput>.</para> 248 249 </sect2> 250 251 252 <sect2 id="mc-manual.badfrees" xreflabel="Illegal frees"> 253 <title>Illegal frees</title> 254 255 <para>For example:</para> 256 <programlisting><![CDATA[ 257 Invalid free() 258 at 0x4004FFDF: free (vg_clientmalloc.c:577) 259 by 0x80484C7: main (tests/doublefree.c:10) 260 Address 0x3807F7B4 is 0 bytes inside a block of size 177 free'd 261 at 0x4004FFDF: free (vg_clientmalloc.c:577) 262 by 0x80484C7: main (tests/doublefree.c:10) 263 ]]></programlisting> 264 265 <para>Memcheck keeps track of the blocks allocated by your program 266 with <function>malloc</function>/<computeroutput>new</computeroutput>, 267 so it can know exactly whether or not the argument to 268 <function>free</function>/<computeroutput>delete</computeroutput> is 269 legitimate or not. Here, this test program has freed the same block 270 twice. As with the illegal read/write errors, Memcheck attempts to 271 make sense of the address freed. If, as here, the address is one 272 which has previously been freed, you wil be told that -- making 273 duplicate frees of the same block easy to spot. You will also get this 274 message if you try to free a pointer that doesn't point to the start of a 275 heap block.</para> 276 277 </sect2> 278 279 280 <sect2 id="mc-manual.rudefn" 281 xreflabel="When a heap block is freed with an inappropriate deallocation 282 function"> 283 <title>When a heap block is freed with an inappropriate deallocation 284 function</title> 285 286 <para>In the following example, a block allocated with 287 <function>new[]</function> has wrongly been deallocated with 288 <function>free</function>:</para> 289 <programlisting><![CDATA[ 290 Mismatched free() / delete / delete [] 291 at 0x40043249: free (vg_clientfuncs.c:171) 292 by 0x4102BB4E: QGArray::~QGArray(void) (tools/qgarray.cpp:149) 293 by 0x4C261C41: PptDoc::~PptDoc(void) (include/qmemarray.h:60) 294 by 0x4C261F0E: PptXml::~PptXml(void) (pptxml.cc:44) 295 Address 0x4BB292A8 is 0 bytes inside a block of size 64 alloc'd 296 at 0x4004318C: operator new[](unsigned int) (vg_clientfuncs.c:152) 297 by 0x4C21BC15: KLaola::readSBStream(int) const (klaola.cc:314) 298 by 0x4C21C155: KLaola::stream(KLaola::OLENode const *) (klaola.cc:416) 299 by 0x4C21788F: OLEFilter::convert(QCString const &) (olefilter.cc:272) 300 ]]></programlisting> 301 302 <para>In <literal>C++</literal> it's important to deallocate memory in a 303 way compatible with how it was allocated. The deal is:</para> 304 <itemizedlist> 305 <listitem> 306 <para>If allocated with 307 <function>malloc</function>, 308 <function>calloc</function>, 309 <function>realloc</function>, 310 <function>valloc</function> or 311 <function>memalign</function>, you must 312 deallocate with <function>free</function>.</para> 313 </listitem> 314 <listitem> 315 <para>If allocated with <function>new</function>, you must deallocate 316 with <function>delete</function>.</para> 317 </listitem> 318 <listitem> 319 <para>If allocated with <function>new[]</function>, you must 320 deallocate with <function>delete[]</function>.</para> 321 </listitem> 322 </itemizedlist> 323 324 <para>The worst thing is that on Linux apparently it doesn't matter if 325 you do mix these up, but the same program may then crash on a 326 different platform, Solaris for example. So it's best to fix it 327 properly. According to the KDE folks "it's amazing how many C++ 328 programmers don't know this".</para> 329 330 <para>The reason behind the requirement is as follows. In some C++ 331 implementations, <function>delete[]</function> must be used for 332 objects allocated by <function>new[]</function> because the compiler 333 stores the size of the array and the pointer-to-member to the 334 destructor of the array's content just before the pointer actually 335 returned. <function>delete</function> doesn't account for this and will get 336 confused, possibly corrupting the heap.</para> 337 338 </sect2> 339 340 341 342 <sect2 id="mc-manual.overlap" 343 xreflabel="Overlapping source and destination blocks"> 344 <title>Overlapping source and destination blocks</title> 345 346 <para>The following C library functions copy some data from one 347 memory block to another (or something similar): 348 <function>memcpy</function>, 349 <function>strcpy</function>, 350 <function>strncpy</function>, 351 <function>strcat</function>, 352 <function>strncat</function>. 353 The blocks pointed to by their <computeroutput>src</computeroutput> and 354 <computeroutput>dst</computeroutput> pointers aren't allowed to overlap. 355 The POSIX standards have wording along the lines "If copying takes place 356 between objects that overlap, the behavior is undefined." Therefore, 357 Memcheck checks for this. 358 </para> 359 360 <para>For example:</para> 361 <programlisting><![CDATA[ 362 ==27492== Source and destination overlap in memcpy(0xbffff294, 0xbffff280, 21) 363 ==27492== at 0x40026CDC: memcpy (mc_replace_strmem.c:71) 364 ==27492== by 0x804865A: main (overlap.c:40) 365 ]]></programlisting> 366 367 <para>You don't want the two blocks to overlap because one of them could 368 get partially overwritten by the copying.</para> 369 370 <para>You might think that Memcheck is being overly pedantic reporting 371 this in the case where <computeroutput>dst</computeroutput> is less than 372 <computeroutput>src</computeroutput>. For example, the obvious way to 373 implement <function>memcpy</function> is by copying from the first 374 byte to the last. However, the optimisation guides of some 375 architectures recommend copying from the last byte down to the first. 376 Also, some implementations of <function>memcpy</function> zero 377 <computeroutput>dst</computeroutput> before copying, because zeroing the 378 destination's cache line(s) can improve performance.</para> 379 380 <para>The moral of the story is: if you want to write truly portable 381 code, don't make any assumptions about the language 382 implementation.</para> 383 384 </sect2> 385 386 387 <sect2 id="mc-manual.fishyvalue" 388 xreflabel="Fishy argument values"> 389 <title>Fishy argument values</title> 390 391 <para>All memory allocation functions take an argument specifying the 392 size of the memory block that should be allocated. Clearly, the requested 393 size should be a non-negative value and is typically not excessively large. 394 For instance, it is extremely unlikly that the size of an allocation 395 request exceeds 2**63 bytes on a 64-bit machine. It is much more likely that 396 such a value is the result of an erroneous size calculation and is in effect 397 a negative value (that just happens to appear excessively large because 398 the bit pattern is interpreted as an unsigned integer). 399 Such a value is called a "fishy value". 400 401 The <varname>size</varname> argument of the following allocation functions 402 is checked for being fishy: 403 <function>malloc</function>, 404 <function>calloc</function>, 405 <function>realloc</function>, 406 <function>memalign</function>, 407 <function>new</function>, 408 <function>new []</function>. 409 <function>__builtin_new</function>, 410 <function>__builtin_vec_new</function>, 411 For <function>calloc</function> both arguments are being checked. 412 </para> 413 414 <para>For example:</para> 415 <programlisting><![CDATA[ 416 ==32233== Argument 'size' of function malloc has a fishy (possibly negative) value: -3 417 ==32233== at 0x4C2CFA7: malloc (vg_replace_malloc.c:298) 418 ==32233== by 0x400555: foo (fishy.c:15) 419 ==32233== by 0x400583: main (fishy.c:23) 420 ]]></programlisting> 421 422 <para>In earlier Valgrind versions those values were being referred to 423 as "silly arguments" and no back-trace was included. 424 </para> 425 426 </sect2> 427 428 429 <sect2 id="mc-manual.leaks" xreflabel="Memory leak detection"> 430 <title>Memory leak detection</title> 431 432 <para>Memcheck keeps track of all heap blocks issued in response to 433 calls to 434 <function>malloc</function>/<function>new</function> et al. 435 So when the program exits, it knows which blocks have not been freed. 436 </para> 437 438 <para>If <option>--leak-check</option> is set appropriately, for each 439 remaining block, Memcheck determines if the block is reachable from pointers 440 within the root-set. The root-set consists of (a) general purpose registers 441 of all threads, and (b) initialised, aligned, pointer-sized data words in 442 accessible client memory, including stacks.</para> 443 444 <para>There are two ways a block can be reached. The first is with a 445 "start-pointer", i.e. a pointer to the start of the block. The second is with 446 an "interior-pointer", i.e. a pointer to the middle of the block. There are 447 several ways we know of that an interior-pointer can occur:</para> 448 449 <itemizedlist> 450 <listitem> 451 <para>The pointer might have originally been a start-pointer and have been 452 moved along deliberately (or not deliberately) by the program. In 453 particular, this can happen if your program uses tagged pointers, i.e. 454 if it uses the bottom one, two or three bits of a pointer, which are 455 normally always zero due to alignment, in order to store extra 456 information.</para> 457 </listitem> 458 459 <listitem> 460 <para>It might be a random junk value in memory, entirely unrelated, just 461 a coincidence.</para> 462 </listitem> 463 464 <listitem> 465 <para>It might be a pointer to the inner char array of a C++ 466 <computeroutput>std::string</computeroutput>. For example, some 467 compilers add 3 words at the beginning of the std::string to 468 store the length, the capacity and a reference count before the 469 memory containing the array of characters. They return a pointer 470 just after these 3 words, pointing at the char array.</para> 471 </listitem> 472 473 <listitem> 474 <para>Some code might allocate a block of memory, and use the first 8 475 bytes to store (block size - 8) as a 64bit number. 476 <computeroutput>sqlite3MemMalloc</computeroutput> does this.</para> 477 </listitem> 478 479 <listitem> 480 <para>It might be a pointer to an array of C++ objects (which possess 481 destructors) allocated with <computeroutput>new[]</computeroutput>. In 482 this case, some compilers store a "magic cookie" containing the array 483 length at the start of the allocated block, and return a pointer to just 484 past that magic cookie, i.e. an interior-pointer. 485 See <ulink url="http://theory.uwinnipeg.ca/gnu/gcc/gxxint_14.html">this 486 page</ulink> for more information.</para> 487 </listitem> 488 489 <listitem> 490 <para>It might be a pointer to an inner part of a C++ object using 491 multiple inheritance. </para> 492 </listitem> 493 </itemizedlist> 494 495 <para>You can optionally activate heuristics to use during the leak 496 search to detect the interior pointers corresponding to 497 the <computeroutput>stdstring</computeroutput>, 498 <computeroutput>length64</computeroutput>, 499 <computeroutput>newarray</computeroutput> 500 and <computeroutput>multipleinheritance</computeroutput> cases. If the 501 heuristic detects that an interior pointer corresponds to such a case, 502 the block will be considered as reachable by the interior 503 pointer. In other words, the interior pointer will be treated 504 as if it were a start pointer.</para> 505 506 507 <para>With that in mind, consider the nine possible cases described by the 508 following figure.</para> 509 510 <programlisting><![CDATA[ 511 Pointer chain AAA Leak Case BBB Leak Case 512 ------------- ------------- ------------- 513 (1) RRR ------------> BBB DR 514 (2) RRR ---> AAA ---> BBB DR IR 515 (3) RRR BBB DL 516 (4) RRR AAA ---> BBB DL IL 517 (5) RRR ------?-----> BBB (y)DR, (n)DL 518 (6) RRR ---> AAA -?-> BBB DR (y)IR, (n)DL 519 (7) RRR -?-> AAA ---> BBB (y)DR, (n)DL (y)IR, (n)IL 520 (8) RRR -?-> AAA -?-> BBB (y)DR, (n)DL (y,y)IR, (n,y)IL, (_,n)DL 521 (9) RRR AAA -?-> BBB DL (y)IL, (n)DL 522 523 Pointer chain legend: 524 - RRR: a root set node or DR block 525 - AAA, BBB: heap blocks 526 - --->: a start-pointer 527 - -?->: an interior-pointer 528 529 Leak Case legend: 530 - DR: Directly reachable 531 - IR: Indirectly reachable 532 - DL: Directly lost 533 - IL: Indirectly lost 534 - (y)XY: it's XY if the interior-pointer is a real pointer 535 - (n)XY: it's XY if the interior-pointer is not a real pointer 536 - (_)XY: it's XY in either case 537 ]]></programlisting> 538 539 <para>Every possible case can be reduced to one of the above nine. Memcheck 540 merges some of these cases in its output, resulting in the following four 541 leak kinds.</para> 542 543 544 <itemizedlist> 545 546 <listitem> 547 <para>"Still reachable". This covers cases 1 and 2 (for the BBB blocks) 548 above. A start-pointer or chain of start-pointers to the block is 549 found. Since the block is still pointed at, the programmer could, at 550 least in principle, have freed it before program exit. "Still reachable" 551 blocks are very common and arguably not a problem. So, by default, 552 Memcheck won't report such blocks individually.</para> 553 </listitem> 554 555 <listitem> 556 <para>"Definitely lost". This covers case 3 (for the BBB blocks) above. 557 This means that no pointer to the block can be found. The block is 558 classified as "lost", because the programmer could not possibly have 559 freed it at program exit, since no pointer to it exists. This is likely 560 a symptom of having lost the pointer at some earlier point in the 561 program. Such cases should be fixed by the programmer.</para> 562 </listitem> 563 564 <listitem> 565 <para>"Indirectly lost". This covers cases 4 and 9 (for the BBB blocks) 566 above. This means that the block is lost, not because there are no 567 pointers to it, but rather because all the blocks that point to it are 568 themselves lost. For example, if you have a binary tree and the root 569 node is lost, all its children nodes will be indirectly lost. Because 570 the problem will disappear if the definitely lost block that caused the 571 indirect leak is fixed, Memcheck won't report such blocks individually 572 by default.</para> 573 </listitem> 574 575 <listitem> 576 <para>"Possibly lost". This covers cases 5--8 (for the BBB blocks) 577 above. This means that a chain of one or more pointers to the block has 578 been found, but at least one of the pointers is an interior-pointer. 579 This could just be a random value in memory that happens to point into a 580 block, and so you shouldn't consider this ok unless you know you have 581 interior-pointers.</para> 582 </listitem> 583 584 </itemizedlist> 585 586 <para>(Note: This mapping of the nine possible cases onto four leak kinds is 587 not necessarily the best way that leaks could be reported; in particular, 588 interior-pointers are treated inconsistently. It is possible the 589 categorisation may be improved in the future.)</para> 590 591 <para>Furthermore, if suppressions exists for a block, it will be reported 592 as "suppressed" no matter what which of the above four kinds it belongs 593 to.</para> 594 595 596 <para>The following is an example leak summary.</para> 597 598 <programlisting><![CDATA[ 599 LEAK SUMMARY: 600 definitely lost: 48 bytes in 3 blocks. 601 indirectly lost: 32 bytes in 2 blocks. 602 possibly lost: 96 bytes in 6 blocks. 603 still reachable: 64 bytes in 4 blocks. 604 suppressed: 0 bytes in 0 blocks. 605 ]]></programlisting> 606 607 <para>If heuristics have been used to consider some blocks as 608 reachable, the leak summary details the heuristically reachable subset 609 of 'still reachable:' per heuristic. In the below example, of the 95 610 bytes still reachable, 87 bytes (56+7+8+16) have been considered 611 heuristically reachable. 612 </para> 613 614 <programlisting><![CDATA[ 615 LEAK SUMMARY: 616 definitely lost: 4 bytes in 1 blocks 617 indirectly lost: 0 bytes in 0 blocks 618 possibly lost: 0 bytes in 0 blocks 619 still reachable: 95 bytes in 6 blocks 620 of which reachable via heuristic: 621 stdstring : 56 bytes in 2 blocks 622 length64 : 16 bytes in 1 blocks 623 newarray : 7 bytes in 1 blocks 624 multipleinheritance: 8 bytes in 1 blocks 625 suppressed: 0 bytes in 0 blocks 626 ]]></programlisting> 627 628 <para>If <option>--leak-check=full</option> is specified, 629 Memcheck will give details for each definitely lost or possibly lost block, 630 including where it was allocated. (Actually, it merges results for all 631 blocks that have the same leak kind and sufficiently similar stack traces 632 into a single "loss record". The 633 <option>--leak-resolution</option> lets you control the 634 meaning of "sufficiently similar".) It cannot tell you when or how or why 635 the pointer to a leaked block was lost; you have to work that out for 636 yourself. In general, you should attempt to ensure your programs do not 637 have any definitely lost or possibly lost blocks at exit.</para> 638 639 <para>For example:</para> 640 <programlisting><![CDATA[ 641 8 bytes in 1 blocks are definitely lost in loss record 1 of 14 642 at 0x........: malloc (vg_replace_malloc.c:...) 643 by 0x........: mk (leak-tree.c:11) 644 by 0x........: main (leak-tree.c:39) 645 646 88 (8 direct, 80 indirect) bytes in 1 blocks are definitely lost in loss record 13 of 14 647 at 0x........: malloc (vg_replace_malloc.c:...) 648 by 0x........: mk (leak-tree.c:11) 649 by 0x........: main (leak-tree.c:25) 650 ]]></programlisting> 651 652 <para>The first message describes a simple case of a single 8 byte block 653 that has been definitely lost. The second case mentions another 8 byte 654 block that has been definitely lost; the difference is that a further 80 655 bytes in other blocks are indirectly lost because of this lost block. 656 The loss records are not presented in any notable order, so the loss record 657 numbers aren't particularly meaningful. The loss record numbers can be used 658 in the Valgrind gdbserver to list the addresses of the leaked blocks and/or give 659 more details about how a block is still reachable.</para> 660 661 <para>The option <option>--show-leak-kinds=<set></option> 662 controls the set of leak kinds to show 663 when <option>--leak-check=full</option> is specified. </para> 664 665 <para>The <option><set></option> of leak kinds is specified 666 in one of the following ways: 667 668 <itemizedlist> 669 <listitem><para>a comma separated list of one or more of 670 <option>definite indirect possible reachable</option>.</para> 671 </listitem> 672 673 <listitem><para><option>all</option> to specify the complete set (all leak kinds).</para> 674 </listitem> 675 676 <listitem><para><option>none</option> for the empty set.</para> 677 </listitem> 678 </itemizedlist> 679 680 </para> 681 682 <para> The default value for the leak kinds to show is 683 <option>--show-leak-kinds=definite,possible</option>. 684 </para> 685 686 <para>To also show the reachable and indirectly lost blocks in 687 addition to the definitely and possibly lost blocks, you can 688 use <option>--show-leak-kinds=all</option>. To only show the 689 reachable and indirectly lost blocks, use 690 <option>--show-leak-kinds=indirect,reachable</option>. The reachable 691 and indirectly lost blocks will then be presented as shown in 692 the following two examples.</para> 693 694 <programlisting><![CDATA[ 695 64 bytes in 4 blocks are still reachable in loss record 2 of 4 696 at 0x........: malloc (vg_replace_malloc.c:177) 697 by 0x........: mk (leak-cases.c:52) 698 by 0x........: main (leak-cases.c:74) 699 700 32 bytes in 2 blocks are indirectly lost in loss record 1 of 4 701 at 0x........: malloc (vg_replace_malloc.c:177) 702 by 0x........: mk (leak-cases.c:52) 703 by 0x........: main (leak-cases.c:80) 704 ]]></programlisting> 705 706 <para>Because there are different kinds of leaks with different 707 severities, an interesting question is: which leaks should be 708 counted as true "errors" and which should not? 709 </para> 710 711 <para> The answer to this question affects the numbers printed in 712 the <computeroutput>ERROR SUMMARY</computeroutput> line, and also the 713 effect of the <option>--error-exitcode</option> option. First, a leak 714 is only counted as a true "error" 715 if <option>--leak-check=full</option> is specified. Then, the 716 option <option>--errors-for-leak-kinds=<set></option> controls 717 the set of leak kinds to consider as errors. The default value 718 is <option>--errors-for-leak-kinds=definite,possible</option> 719 </para> 720 721 </sect2> 722 723 </sect1> 724 725 726 727 <sect1 id="mc-manual.options" 728 xreflabel="Memcheck Command-Line Options"> 729 <title>Memcheck Command-Line Options</title> 730 731 <!-- start of xi:include in the manpage --> 732 <variablelist id="mc.opts.list"> 733 734 <varlistentry id="opt.leak-check" xreflabel="--leak-check"> 735 <term> 736 <option><![CDATA[--leak-check=<no|summary|yes|full> [default: summary] ]]></option> 737 </term> 738 <listitem> 739 <para>When enabled, search for memory leaks when the client 740 program finishes. If set to <varname>summary</varname>, it says how 741 many leaks occurred. If set to <varname>full</varname> or 742 <varname>yes</varname>, each individual leak will be shown 743 in detail and/or counted as an error, as specified by the options 744 <option>--show-leak-kinds</option> and 745 <option>--errors-for-leak-kinds</option>. </para> 746 </listitem> 747 </varlistentry> 748 749 <varlistentry id="opt.leak-resolution" xreflabel="--leak-resolution"> 750 <term> 751 <option><![CDATA[--leak-resolution=<low|med|high> [default: high] ]]></option> 752 </term> 753 <listitem> 754 <para>When doing leak checking, determines how willing 755 Memcheck is to consider different backtraces to 756 be the same for the purposes of merging multiple leaks into a single 757 leak report. When set to <varname>low</varname>, only the first 758 two entries need match. When <varname>med</varname>, four entries 759 have to match. When <varname>high</varname>, all entries need to 760 match.</para> 761 762 <para>For hardcore leak debugging, you probably want to use 763 <option>--leak-resolution=high</option> together with 764 <option>--num-callers=40</option> or some such large number. 765 </para> 766 767 <para>Note that the <option>--leak-resolution</option> setting 768 does not affect Memcheck's ability to find 769 leaks. It only changes how the results are presented.</para> 770 </listitem> 771 </varlistentry> 772 773 <varlistentry id="opt.show-leak-kinds" xreflabel="--show-leak-kinds"> 774 <term> 775 <option><![CDATA[--show-leak-kinds=<set> [default: definite,possible] ]]></option> 776 </term> 777 <listitem> 778 <para>Specifies the leak kinds to show in a <varname>full</varname> 779 leak search, in one of the following ways: </para> 780 781 <itemizedlist> 782 <listitem><para>a comma separated list of one or more of 783 <option>definite indirect possible reachable</option>.</para> 784 </listitem> 785 786 <listitem><para><option>all</option> to specify the complete set (all leak kinds). 787 It is equivalent to 788 <option>--show-leak-kinds=definite,indirect,possible,reachable</option>.</para> 789 </listitem> 790 791 <listitem><para><option>none</option> for the empty set.</para> 792 </listitem> 793 </itemizedlist> 794 </listitem> 795 </varlistentry> 796 797 798 <varlistentry id="opt.errors-for-leak-kinds" xreflabel="--errors-for-leak-kinds"> 799 <term> 800 <option><![CDATA[--errors-for-leak-kinds=<set> [default: definite,possible] ]]></option> 801 </term> 802 <listitem> 803 <para>Specifies the leak kinds to count as errors in a 804 <varname>full</varname> leak search. The 805 <option><![CDATA[<set>]]></option> is specified similarly to 806 <option>--show-leak-kinds</option> 807 </para> 808 </listitem> 809 </varlistentry> 810 811 812 <varlistentry id="opt.leak-check-heuristics" xreflabel="--leak-check-heuristics"> 813 <term> 814 <option><![CDATA[--leak-check-heuristics=<set> [default: all] ]]></option> 815 </term> 816 <listitem> 817 <para>Specifies the set of leak check heuristics to be used 818 during leak searches. The heuristics control which interior pointers 819 to a block cause it to be considered as reachable. 820 The heuristic set is specified in one of the following ways:</para> 821 822 <itemizedlist> 823 <listitem><para>a comma separated list of one or more of 824 <option>stdstring length64 newarray multipleinheritance</option>.</para> 825 </listitem> 826 827 <listitem><para><option>all</option> to activate the complete set of 828 heuristics. 829 It is equivalent to 830 <option>--leak-check-heuristics=stdstring,length64,newarray,multipleinheritance</option>.</para> 831 </listitem> 832 833 <listitem><para><option>none</option> for the empty set.</para> 834 </listitem> 835 </itemizedlist> 836 </listitem> 837 838 <para>Note that these heuristics are dependent on the layout of the objects 839 produced by the C++ compiler. They have been tested with some gcc versions 840 (e.g. 4.4 and 4.7). They might not work properly with other C++ compilers. 841 </para> 842 </varlistentry> 843 844 845 <varlistentry id="opt.show-reachable" xreflabel="--show-reachable"> 846 <term> 847 <option><![CDATA[--show-reachable=<yes|no> ]]></option> 848 </term> 849 <term> 850 <option><![CDATA[--show-possibly-lost=<yes|no> ]]></option> 851 </term> 852 <listitem> 853 <para>These options provide an alternative way to specify the leak kinds to show: 854 </para> 855 <itemizedlist> 856 <listitem> 857 <para> 858 <option>--show-reachable=no --show-possibly-lost=yes</option> is equivalent to 859 <option>--show-leak-kinds=definite,possible</option>. 860 </para> 861 </listitem> 862 <listitem> 863 <para> 864 <option>--show-reachable=no --show-possibly-lost=no</option> is equivalent to 865 <option>--show-leak-kinds=definite</option>. 866 </para> 867 </listitem> 868 <listitem> 869 <para> 870 <option>--show-reachable=yes</option> is equivalent to 871 <option>--show-leak-kinds=all</option>. 872 </para> 873 </listitem> 874 </itemizedlist> 875 </listitem> 876 <para> Note that <option>--show-possibly-lost=no</option> has no effect 877 if <option>--show-reachable=yes</option> is specified.</para> 878 </varlistentry> 879 880 <varlistentry id="opt.undef-value-errors" xreflabel="--undef-value-errors"> 881 <term> 882 <option><![CDATA[--undef-value-errors=<yes|no> [default: yes] ]]></option> 883 </term> 884 <listitem> 885 <para>Controls whether Memcheck reports 886 uses of undefined value errors. Set this to 887 <varname>no</varname> if you don't want to see undefined value 888 errors. It also has the side effect of speeding up 889 Memcheck somewhat. 890 </para> 891 </listitem> 892 </varlistentry> 893 894 <varlistentry id="opt.track-origins" xreflabel="--track-origins"> 895 <term> 896 <option><![CDATA[--track-origins=<yes|no> [default: no] ]]></option> 897 </term> 898 <listitem> 899 <para>Controls whether Memcheck tracks 900 the origin of uninitialised values. By default, it does not, 901 which means that although it can tell you that an 902 uninitialised value is being used in a dangerous way, it 903 cannot tell you where the uninitialised value came from. This 904 often makes it difficult to track down the root problem. 905 </para> 906 <para>When set 907 to <varname>yes</varname>, Memcheck keeps 908 track of the origins of all uninitialised values. Then, when 909 an uninitialised value error is 910 reported, Memcheck will try to show the 911 origin of the value. An origin can be one of the following 912 four places: a heap block, a stack allocation, a client 913 request, or miscellaneous other sources (eg, a call 914 to <varname>brk</varname>). 915 </para> 916 <para>For uninitialised values originating from a heap 917 block, Memcheck shows where the block was 918 allocated. For uninitialised values originating from a stack 919 allocation, Memcheck can tell you which 920 function allocated the value, but no more than that -- typically 921 it shows you the source location of the opening brace of the 922 function. So you should carefully check that all of the 923 function's local variables are initialised properly. 924 </para> 925 <para>Performance overhead: origin tracking is expensive. It 926 halves Memcheck's speed and increases 927 memory use by a minimum of 100MB, and possibly more. 928 Nevertheless it can drastically reduce the effort required to 929 identify the root cause of uninitialised value errors, and so 930 is often a programmer productivity win, despite running 931 more slowly. 932 </para> 933 <para>Accuracy: Memcheck tracks origins 934 quite accurately. To avoid very large space and time 935 overheads, some approximations are made. It is possible, 936 although unlikely, that Memcheck will report an incorrect origin, or 937 not be able to identify any origin. 938 </para> 939 <para>Note that the combination 940 <option>--track-origins=yes</option> 941 and <option>--undef-value-errors=no</option> is 942 nonsensical. Memcheck checks for and 943 rejects this combination at startup. 944 </para> 945 </listitem> 946 </varlistentry> 947 948 <varlistentry id="opt.partial-loads-ok" xreflabel="--partial-loads-ok"> 949 <term> 950 <option><![CDATA[--partial-loads-ok=<yes|no> [default: yes] ]]></option> 951 </term> 952 <listitem> 953 <para>Controls how Memcheck handles 32-, 64-, 128- and 256-bit 954 naturally aligned loads from addresses for which some bytes are 955 addressable and others are not. When <varname>yes</varname>, such 956 loads do not produce an address error. Instead, loaded bytes 957 originating from illegal addresses are marked as uninitialised, and 958 those corresponding to legal addresses are handled in the normal 959 way.</para> 960 961 <para>When <varname>no</varname>, loads from partially invalid 962 addresses are treated the same as loads from completely invalid 963 addresses: an illegal-address error is issued, and the resulting 964 bytes are marked as initialised.</para> 965 966 <para>Note that code that behaves in this way is in violation of 967 the ISO C/C++ standards, and should be considered broken. If 968 at all possible, such code should be fixed.</para> 969 </listitem> 970 </varlistentry> 971 972 <varlistentry id="opt.expensive-definedness-checks" xreflabel="--expensive-definedness-checks"> 973 <term> 974 <option><![CDATA[--expensive-definedness-checks=<yes|no> [default: no] ]]></option> 975 </term> 976 <listitem> 977 <para>Controls whether Memcheck should employ more precise but also more 978 expensive (time consuming) algorithms when checking the definedness of a 979 value. The default setting is not to do that and it is usually 980 sufficient. However, for highly optimised code valgrind may sometimes 981 incorrectly complain. 982 Invoking valgrind with <option>--expensive-definedness-checks=yes</option> 983 helps but comes at a performance cost. Runtime degradation of 984 25% have been observed but the extra cost depends a lot on the 985 application at hand. 986 </para> 987 </listitem> 988 </varlistentry> 989 990 <varlistentry id="opt.keep-stacktraces" xreflabel="--keep-stacktraces"> 991 <term> 992 <option><![CDATA[--keep-stacktraces=alloc|free|alloc-and-free|alloc-then-free|none [default: alloc-and-free] ]]></option> 993 </term> 994 <listitem> 995 <para>Controls which stack trace(s) to keep for malloc'd and/or 996 free'd blocks. 997 </para> 998 999 <para>With <varname>alloc-then-free</varname>, a stack trace is 1000 recorded at allocation time, and is associated with the block. 1001 When the block is freed, a second stack trace is recorded, and 1002 this replaces the allocation stack trace. As a result, any "use 1003 after free" errors relating to this block can only show a stack 1004 trace for where the block was freed. 1005 </para> 1006 1007 <para>With <varname>alloc-and-free</varname>, both allocation 1008 and the deallocation stack traces for the block are stored. 1009 Hence a "use after free" error will 1010 show both, which may make the error easier to diagnose. 1011 Compared to <varname>alloc-then-free</varname>, this setting 1012 slightly increases Valgrind's memory use as the block contains two 1013 references instead of one. 1014 </para> 1015 1016 <para>With <varname>alloc</varname>, only the allocation stack 1017 trace is recorded (and reported). With <varname>free</varname>, 1018 only the deallocation stack trace is recorded (and reported). 1019 These values somewhat decrease Valgrind's memory and cpu usage. 1020 They can be useful depending on the error types you are 1021 searching for and the level of detail you need to analyse 1022 them. For example, if you are only interested in memory leak 1023 errors, it is sufficient to record the allocation stack traces. 1024 </para> 1025 1026 <para>With <varname>none</varname>, no stack traces are recorded 1027 for malloc and free operations. If your program allocates a lot 1028 of blocks and/or allocates/frees from many different stack 1029 traces, this can significantly decrease cpu and/or memory 1030 required. Of course, few details will be reported for errors 1031 related to heap blocks. 1032 </para> 1033 1034 <para>Note that once a stack trace is recorded, Valgrind keeps 1035 the stack trace in memory even if it is not referenced by any 1036 block. Some programs (for example, recursive algorithms) can 1037 generate a huge number of stack traces. If Valgrind uses too 1038 much memory in such circumstances, you can reduce the memory 1039 required with the options <varname>--keep-stacktraces</varname> 1040 and/or by using a smaller value for the 1041 option <varname>--num-callers</varname>. 1042 </para> 1043 </listitem> 1044 </varlistentry> 1045 1046 <varlistentry id="opt.freelist-vol" xreflabel="--freelist-vol"> 1047 <term> 1048 <option><![CDATA[--freelist-vol=<number> [default: 20000000] ]]></option> 1049 </term> 1050 <listitem> 1051 <para>When the client program releases memory using 1052 <function>free</function> (in <literal>C</literal>) or 1053 <computeroutput>delete</computeroutput> 1054 (<literal>C++</literal>), that memory is not immediately made 1055 available for re-allocation. Instead, it is marked inaccessible 1056 and placed in a queue of freed blocks. The purpose is to defer as 1057 long as possible the point at which freed-up memory comes back 1058 into circulation. This increases the chance that 1059 Memcheck will be able to detect invalid 1060 accesses to blocks for some significant period of time after they 1061 have been freed.</para> 1062 1063 <para>This option specifies the maximum total size, in bytes, of the 1064 blocks in the queue. The default value is twenty million bytes. 1065 Increasing this increases the total amount of memory used by 1066 Memcheck but may detect invalid uses of freed 1067 blocks which would otherwise go undetected.</para> 1068 </listitem> 1069 </varlistentry> 1070 1071 <varlistentry id="opt.freelist-big-blocks" xreflabel="--freelist-big-blocks"> 1072 <term> 1073 <option><![CDATA[--freelist-big-blocks=<number> [default: 1000000] ]]></option> 1074 </term> 1075 <listitem> 1076 <para>When making blocks from the queue of freed blocks available 1077 for re-allocation, Memcheck will in priority re-circulate the blocks 1078 with a size greater or equal to <option>--freelist-big-blocks</option>. 1079 This ensures that freeing big blocks (in particular freeing blocks bigger than 1080 <option>--freelist-vol</option>) does not immediately lead to a re-circulation 1081 of all (or a lot of) the small blocks in the free list. In other words, 1082 this option increases the likelihood to discover dangling pointers 1083 for the "small" blocks, even when big blocks are freed.</para> 1084 <para>Setting a value of 0 means that all the blocks are re-circulated 1085 in a FIFO order. </para> 1086 </listitem> 1087 </varlistentry> 1088 1089 <varlistentry id="opt.workaround-gcc296-bugs" xreflabel="--workaround-gcc296-bugs"> 1090 <term> 1091 <option><![CDATA[--workaround-gcc296-bugs=<yes|no> [default: no] ]]></option> 1092 </term> 1093 <listitem> 1094 <para>When enabled, assume that reads and writes some small 1095 distance below the stack pointer are due to bugs in GCC 2.96, and 1096 does not report them. The "small distance" is 256 bytes by 1097 default. Note that GCC 2.96 is the default compiler on some ancient 1098 Linux distributions (RedHat 7.X) and so you may need to use this 1099 option. Do not use it if you do not have to, as it can cause real 1100 errors to be overlooked. A better alternative is to use a more 1101 recent GCC in which this bug is fixed.</para> 1102 1103 <para>You may also need to use this option when working with 1104 GCC 3.X or 4.X on 32-bit PowerPC Linux. This is because 1105 GCC generates code which occasionally accesses below the 1106 stack pointer, particularly for floating-point to/from integer 1107 conversions. This is in violation of the 32-bit PowerPC ELF 1108 specification, which makes no provision for locations below the 1109 stack pointer to be accessible.</para> 1110 </listitem> 1111 </varlistentry> 1112 1113 <varlistentry id="opt.show-mismatched-frees" 1114 xreflabel="--show-mismatched-frees"> 1115 <term> 1116 <option><![CDATA[--show-mismatched-frees=<yes|no> [default: yes] ]]></option> 1117 </term> 1118 <listitem> 1119 <para>When enabled, Memcheck checks that heap blocks are 1120 deallocated using a function that matches the allocating 1121 function. That is, it expects <varname>free</varname> to be 1122 used to deallocate blocks allocated 1123 by <varname>malloc</varname>, <varname>delete</varname> for 1124 blocks allocated by <varname>new</varname>, 1125 and <varname>delete[]</varname> for blocks allocated 1126 by <varname>new[]</varname>. If a mismatch is detected, an 1127 error is reported. This is in general important because in some 1128 environments, freeing with a non-matching function can cause 1129 crashes.</para> 1130 1131 <para>There is however a scenario where such mismatches cannot 1132 be avoided. That is when the user provides implementations of 1133 <varname>new</varname>/<varname>new[]</varname> that 1134 call <varname>malloc</varname> and 1135 of <varname>delete</varname>/<varname>delete[]</varname> that 1136 call <varname>free</varname>, and these functions are 1137 asymmetrically inlined. For example, imagine 1138 that <varname>delete[]</varname> is inlined 1139 but <varname>new[]</varname> is not. The result is that 1140 Memcheck "sees" all <varname>delete[]</varname> calls as direct 1141 calls to <varname>free</varname>, even when the program source 1142 contains no mismatched calls.</para> 1143 1144 <para>This causes a lot of confusing and irrelevant error 1145 reports. <varname>--show-mismatched-frees=no</varname> disables 1146 these checks. It is not generally advisable to disable them, 1147 though, because you may miss real errors as a result.</para> 1148 </listitem> 1149 </varlistentry> 1150 1151 <varlistentry id="opt.ignore-ranges" xreflabel="--ignore-ranges"> 1152 <term> 1153 <option><![CDATA[--ignore-ranges=0xPP-0xQQ[,0xRR-0xSS] ]]></option> 1154 </term> 1155 <listitem> 1156 <para>Any ranges listed in this option (and multiple ranges can be 1157 specified, separated by commas) will be ignored by Memcheck's 1158 addressability checking.</para> 1159 </listitem> 1160 </varlistentry> 1161 1162 <varlistentry id="opt.malloc-fill" xreflabel="--malloc-fill"> 1163 <term> 1164 <option><![CDATA[--malloc-fill=<hexnumber> ]]></option> 1165 </term> 1166 <listitem> 1167 <para>Fills blocks allocated 1168 by <computeroutput>malloc</computeroutput>, 1169 <computeroutput>new</computeroutput>, etc, but not 1170 by <computeroutput>calloc</computeroutput>, with the specified 1171 byte. This can be useful when trying to shake out obscure 1172 memory corruption problems. The allocated area is still 1173 regarded by Memcheck as undefined -- this option only affects its 1174 contents. Note that <option>--malloc-fill</option> does not 1175 affect a block of memory when it is used as argument 1176 to client requests VALGRIND_MEMPOOL_ALLOC or 1177 VALGRIND_MALLOCLIKE_BLOCK. 1178 </para> 1179 </listitem> 1180 </varlistentry> 1181 1182 <varlistentry id="opt.free-fill" xreflabel="--free-fill"> 1183 <term> 1184 <option><![CDATA[--free-fill=<hexnumber> ]]></option> 1185 </term> 1186 <listitem> 1187 <para>Fills blocks freed 1188 by <computeroutput>free</computeroutput>, 1189 <computeroutput>delete</computeroutput>, etc, with the 1190 specified byte value. This can be useful when trying to shake out 1191 obscure memory corruption problems. The freed area is still 1192 regarded by Memcheck as not valid for access -- this option only 1193 affects its contents. Note that <option>--free-fill</option> does not 1194 affect a block of memory when it is used as argument to 1195 client requests VALGRIND_MEMPOOL_FREE or VALGRIND_FREELIKE_BLOCK. 1196 </para> 1197 </listitem> 1198 </varlistentry> 1199 1200 </variablelist> 1201 <!-- end of xi:include in the manpage --> 1202 1203 </sect1> 1204 1205 1206 <sect1 id="mc-manual.suppfiles" xreflabel="Writing suppression files"> 1207 <title>Writing suppression files</title> 1208 1209 <para>The basic suppression format is described in 1210 <xref linkend="manual-core.suppress"/>.</para> 1211 1212 <para>The suppression-type (second) line should have the form:</para> 1213 <programlisting><![CDATA[ 1214 Memcheck:suppression_type]]></programlisting> 1215 1216 <para>The Memcheck suppression types are as follows:</para> 1217 1218 <itemizedlist> 1219 <listitem> 1220 <para><varname>Value1</varname>, 1221 <varname>Value2</varname>, 1222 <varname>Value4</varname>, 1223 <varname>Value8</varname>, 1224 <varname>Value16</varname>, 1225 meaning an uninitialised-value error when 1226 using a value of 1, 2, 4, 8 or 16 bytes.</para> 1227 </listitem> 1228 1229 <listitem> 1230 <para><varname>Cond</varname> (or its old 1231 name, <varname>Value0</varname>), meaning use 1232 of an uninitialised CPU condition code.</para> 1233 </listitem> 1234 1235 <listitem> 1236 <para><varname>Addr1</varname>, 1237 <varname>Addr2</varname>, 1238 <varname>Addr4</varname>, 1239 <varname>Addr8</varname>, 1240 <varname>Addr16</varname>, 1241 meaning an invalid address during a 1242 memory access of 1, 2, 4, 8 or 16 bytes respectively.</para> 1243 </listitem> 1244 1245 <listitem> 1246 <para><varname>Jump</varname>, meaning an 1247 jump to an unaddressable location error.</para> 1248 </listitem> 1249 1250 <listitem> 1251 <para><varname>Param</varname>, meaning an 1252 invalid system call parameter error.</para> 1253 </listitem> 1254 1255 <listitem> 1256 <para><varname>Free</varname>, meaning an 1257 invalid or mismatching free.</para> 1258 </listitem> 1259 1260 <listitem> 1261 <para><varname>Overlap</varname>, meaning a 1262 <computeroutput>src</computeroutput> / 1263 <computeroutput>dst</computeroutput> overlap in 1264 <function>memcpy</function> or a similar function.</para> 1265 </listitem> 1266 1267 <listitem> 1268 <para><varname>Leak</varname>, meaning 1269 a memory leak.</para> 1270 </listitem> 1271 1272 </itemizedlist> 1273 1274 <para><computeroutput>Param</computeroutput> errors have a mandatory extra 1275 information line at this point, which is the name of the offending 1276 system call parameter. </para> 1277 1278 <para><computeroutput>Leak</computeroutput> errors have an optional 1279 extra information line, with the following format:</para> 1280 <programlisting><![CDATA[ 1281 match-leak-kinds:<set>]]></programlisting> 1282 <para>where <computeroutput><set></computeroutput> specifies which 1283 leak kinds are matched by this suppression entry. 1284 <computeroutput><set></computeroutput> is specified in the 1285 same way as with the option <option>--show-leak-kinds</option>, that is, 1286 one of the following:</para> 1287 <itemizedlist> 1288 <listitem>a comma separated list of one or more of 1289 <option>definite indirect possible reachable</option>. 1290 </listitem> 1291 1292 <listitem><option>all</option> to specify the complete set (all leak kinds). 1293 </listitem> 1294 1295 <listitem><option>none</option> for the empty set. 1296 </listitem> 1297 </itemizedlist> 1298 <para>If this optional extra line is not present, the suppression 1299 entry will match all leak kinds.</para> 1300 1301 <para>Be aware that leak suppressions that are created using 1302 <option>--gen-suppressions</option> will contain this optional extra 1303 line, and therefore may match fewer leaks than you expect. You may 1304 want to remove the line before using the generated 1305 suppressions.</para> 1306 1307 <para>The other Memcheck error kinds do not have extra lines.</para> 1308 1309 <para> 1310 If you give the <option>-v</option> option, Valgrind will print 1311 the list of used suppressions at the end of execution. 1312 For a leak suppression, this output gives the number of different 1313 loss records that match the suppression, and the number of bytes 1314 and blocks suppressed by the suppression. 1315 If the run contains multiple leak checks, the number of bytes and blocks 1316 are reset to zero before each new leak check. Note that the number of different 1317 loss records is not reset to zero.</para> 1318 <para>In the example below, in the last leak search, 7 blocks and 96 bytes have 1319 been suppressed by a suppression with the name 1320 <option>some_leak_suppression</option>:</para> 1321 <programlisting><![CDATA[ 1322 --21041-- used_suppression: 10 some_other_leak_suppression s.supp:14 suppressed: 12,400 bytes in 1 blocks 1323 --21041-- used_suppression: 39 some_leak_suppression s.supp:2 suppressed: 96 bytes in 7 blocks 1324 ]]></programlisting> 1325 1326 <para>For <varname>ValueN</varname> and <varname>AddrN</varname> 1327 errors, the first line of the calling context is either the name of 1328 the function in which the error occurred, or, failing that, the full 1329 path of the <filename>.so</filename> file or executable containing the 1330 error location. For <varname>Free</varname> errors, the first line is 1331 the name of the function doing the freeing (eg, 1332 <function>free</function>, <function>__builtin_vec_delete</function>, 1333 etc). For <varname>Overlap</varname> errors, the first line is the name of the 1334 function with the overlapping arguments (eg. 1335 <function>memcpy</function>, <function>strcpy</function>, etc).</para> 1336 1337 <para>The last part of any suppression specifies the rest of the 1338 calling context that needs to be matched.</para> 1339 1340 </sect1> 1341 1342 1343 1344 <sect1 id="mc-manual.machine" 1345 xreflabel="Details of Memcheck's checking machinery"> 1346 <title>Details of Memcheck's checking machinery</title> 1347 1348 <para>Read this section if you want to know, in detail, exactly 1349 what and how Memcheck is checking.</para> 1350 1351 1352 <sect2 id="mc-manual.value" xreflabel="Valid-value (V) bit"> 1353 <title>Valid-value (V) bits</title> 1354 1355 <para>It is simplest to think of Memcheck implementing a synthetic CPU 1356 which is identical to a real CPU, except for one crucial detail. Every 1357 bit (literally) of data processed, stored and handled by the real CPU 1358 has, in the synthetic CPU, an associated "valid-value" bit, which says 1359 whether or not the accompanying bit has a legitimate value. In the 1360 discussions which follow, this bit is referred to as the V (valid-value) 1361 bit.</para> 1362 1363 <para>Each byte in the system therefore has a 8 V bits which follow it 1364 wherever it goes. For example, when the CPU loads a word-size item (4 1365 bytes) from memory, it also loads the corresponding 32 V bits from a 1366 bitmap which stores the V bits for the process' entire address space. 1367 If the CPU should later write the whole or some part of that value to 1368 memory at a different address, the relevant V bits will be stored back 1369 in the V-bit bitmap.</para> 1370 1371 <para>In short, each bit in the system has (conceptually) an associated V 1372 bit, which follows it around everywhere, even inside the CPU. Yes, all the 1373 CPU's registers (integer, floating point, vector and condition registers) 1374 have their own V bit vectors. For this to work, Memcheck uses a great deal 1375 of compression to represent the V bits compactly.</para> 1376 1377 <para>Copying values around does not cause Memcheck to check for, or 1378 report on, errors. However, when a value is used in a way which might 1379 conceivably affect your program's externally-visible behaviour, 1380 the associated V bits are immediately checked. If any of these indicate 1381 that the value is undefined (even partially), an error is reported.</para> 1382 1383 <para>Here's an (admittedly nonsensical) example:</para> 1384 <programlisting><![CDATA[ 1385 int i, j; 1386 int a[10], b[10]; 1387 for ( i = 0; i < 10; i++ ) { 1388 j = a[i]; 1389 b[i] = j; 1390 }]]></programlisting> 1391 1392 <para>Memcheck emits no complaints about this, since it merely copies 1393 uninitialised values from <varname>a[]</varname> into 1394 <varname>b[]</varname>, and doesn't use them in a way which could 1395 affect the behaviour of the program. However, if 1396 the loop is changed to:</para> 1397 <programlisting><![CDATA[ 1398 for ( i = 0; i < 10; i++ ) { 1399 j += a[i]; 1400 } 1401 if ( j == 77 ) 1402 printf("hello there\n"); 1403 ]]></programlisting> 1404 1405 <para>then Memcheck will complain, at the 1406 <computeroutput>if</computeroutput>, that the condition depends on 1407 uninitialised values. Note that it <command>doesn't</command> complain 1408 at the <varname>j += a[i];</varname>, since at that point the 1409 undefinedness is not "observable". It's only when a decision has to be 1410 made as to whether or not to do the <function>printf</function> -- an 1411 observable action of your program -- that Memcheck complains.</para> 1412 1413 <para>Most low level operations, such as adds, cause Memcheck to use the 1414 V bits for the operands to calculate the V bits for the result. Even if 1415 the result is partially or wholly undefined, it does not 1416 complain.</para> 1417 1418 <para>Checks on definedness only occur in three places: when a value is 1419 used to generate a memory address, when control flow decision needs to 1420 be made, and when a system call is detected, Memcheck checks definedness 1421 of parameters as required.</para> 1422 1423 <para>If a check should detect undefinedness, an error message is 1424 issued. The resulting value is subsequently regarded as well-defined. 1425 To do otherwise would give long chains of error messages. In other 1426 words, once Memcheck reports an undefined value error, it tries to 1427 avoid reporting further errors derived from that same undefined 1428 value.</para> 1429 1430 <para>This sounds overcomplicated. Why not just check all reads from 1431 memory, and complain if an undefined value is loaded into a CPU 1432 register? Well, that doesn't work well, because perfectly legitimate C 1433 programs routinely copy uninitialised values around in memory, and we 1434 don't want endless complaints about that. Here's the canonical example. 1435 Consider a struct like this:</para> 1436 <programlisting><![CDATA[ 1437 struct S { int x; char c; }; 1438 struct S s1, s2; 1439 s1.x = 42; 1440 s1.c = 'z'; 1441 s2 = s1; 1442 ]]></programlisting> 1443 1444 <para>The question to ask is: how large is <varname>struct S</varname>, 1445 in bytes? An <varname>int</varname> is 4 bytes and a 1446 <varname>char</varname> one byte, so perhaps a <varname>struct 1447 S</varname> occupies 5 bytes? Wrong. All non-toy compilers we know 1448 of will round the size of <varname>struct S</varname> up to a whole 1449 number of words, in this case 8 bytes. Not doing this forces compilers 1450 to generate truly appalling code for accessing arrays of 1451 <varname>struct S</varname>'s on some architectures.</para> 1452 1453 <para>So <varname>s1</varname> occupies 8 bytes, yet only 5 of them will 1454 be initialised. For the assignment <varname>s2 = s1</varname>, GCC 1455 generates code to copy all 8 bytes wholesale into <varname>s2</varname> 1456 without regard for their meaning. If Memcheck simply checked values as 1457 they came out of memory, it would yelp every time a structure assignment 1458 like this happened. So the more complicated behaviour described above 1459 is necessary. This allows GCC to copy 1460 <varname>s1</varname> into <varname>s2</varname> any way it likes, and a 1461 warning will only be emitted if the uninitialised values are later 1462 used.</para> 1463 1464 </sect2> 1465 1466 1467 <sect2 id="mc-manual.vaddress" xreflabel=" Valid-address (A) bits"> 1468 <title>Valid-address (A) bits</title> 1469 1470 <para>Notice that the previous subsection describes how the validity of 1471 values is established and maintained without having to say whether the 1472 program does or does not have the right to access any particular memory 1473 location. We now consider the latter question.</para> 1474 1475 <para>As described above, every bit in memory or in the CPU has an 1476 associated valid-value (V) bit. In addition, all bytes in memory, but 1477 not in the CPU, have an associated valid-address (A) bit. This 1478 indicates whether or not the program can legitimately read or write that 1479 location. It does not give any indication of the validity of the data 1480 at that location -- that's the job of the V bits -- only whether or not 1481 the location may be accessed.</para> 1482 1483 <para>Every time your program reads or writes memory, Memcheck checks 1484 the A bits associated with the address. If any of them indicate an 1485 invalid address, an error is emitted. Note that the reads and writes 1486 themselves do not change the A bits, only consult them.</para> 1487 1488 <para>So how do the A bits get set/cleared? Like this:</para> 1489 1490 <itemizedlist> 1491 <listitem> 1492 <para>When the program starts, all the global data areas are 1493 marked as accessible.</para> 1494 </listitem> 1495 1496 <listitem> 1497 <para>When the program does 1498 <function>malloc</function>/<computeroutput>new</computeroutput>, 1499 the A bits for exactly the area allocated, and not a byte more, 1500 are marked as accessible. Upon freeing the area the A bits are 1501 changed to indicate inaccessibility.</para> 1502 </listitem> 1503 1504 <listitem> 1505 <para>When the stack pointer register (<literal>SP</literal>) moves 1506 up or down, A bits are set. The rule is that the area from 1507 <literal>SP</literal> up to the base of the stack is marked as 1508 accessible, and below <literal>SP</literal> is inaccessible. (If 1509 that sounds illogical, bear in mind that the stack grows down, not 1510 up, on almost all Unix systems, including GNU/Linux.) Tracking 1511 <literal>SP</literal> like this has the useful side-effect that the 1512 section of stack used by a function for local variables etc is 1513 automatically marked accessible on function entry and inaccessible 1514 on exit.</para> 1515 </listitem> 1516 1517 <listitem> 1518 <para>When doing system calls, A bits are changed appropriately. 1519 For example, <literal>mmap</literal> 1520 magically makes files appear in the process' 1521 address space, so the A bits must be updated if <literal>mmap</literal> 1522 succeeds.</para> 1523 </listitem> 1524 1525 <listitem> 1526 <para>Optionally, your program can tell Memcheck about such changes 1527 explicitly, using the client request mechanism described 1528 above.</para> 1529 </listitem> 1530 1531 </itemizedlist> 1532 1533 </sect2> 1534 1535 1536 <sect2 id="mc-manual.together" xreflabel="Putting it all together"> 1537 <title>Putting it all together</title> 1538 1539 <para>Memcheck's checking machinery can be summarised as 1540 follows:</para> 1541 1542 <itemizedlist> 1543 <listitem> 1544 <para>Each byte in memory has 8 associated V (valid-value) bits, 1545 saying whether or not the byte has a defined value, and a single A 1546 (valid-address) bit, saying whether or not the program currently has 1547 the right to read/write that address. As mentioned above, heavy 1548 use of compression means the overhead is typically around 25%.</para> 1549 </listitem> 1550 1551 <listitem> 1552 <para>When memory is read or written, the relevant A bits are 1553 consulted. If they indicate an invalid address, Memcheck emits an 1554 Invalid read or Invalid write error.</para> 1555 </listitem> 1556 1557 <listitem> 1558 <para>When memory is read into the CPU's registers, the relevant V 1559 bits are fetched from memory and stored in the simulated CPU. They 1560 are not consulted.</para> 1561 </listitem> 1562 1563 <listitem> 1564 <para>When a register is written out to memory, the V bits for that 1565 register are written back to memory too.</para> 1566 </listitem> 1567 1568 <listitem> 1569 <para>When values in CPU registers are used to generate a memory 1570 address, or to determine the outcome of a conditional branch, the V 1571 bits for those values are checked, and an error emitted if any of 1572 them are undefined.</para> 1573 </listitem> 1574 1575 <listitem> 1576 <para>When values in CPU registers are used for any other purpose, 1577 Memcheck computes the V bits for the result, but does not check 1578 them.</para> 1579 </listitem> 1580 1581 <listitem> 1582 <para>Once the V bits for a value in the CPU have been checked, they 1583 are then set to indicate validity. This avoids long chains of 1584 errors.</para> 1585 </listitem> 1586 1587 <listitem> 1588 <para>When values are loaded from memory, Memcheck checks the A bits 1589 for that location and issues an illegal-address warning if needed. 1590 In that case, the V bits loaded are forced to indicate Valid, 1591 despite the location being invalid.</para> 1592 1593 <para>This apparently strange choice reduces the amount of confusing 1594 information presented to the user. It avoids the unpleasant 1595 phenomenon in which memory is read from a place which is both 1596 unaddressable and contains invalid values, and, as a result, you get 1597 not only an invalid-address (read/write) error, but also a 1598 potentially large set of uninitialised-value errors, one for every 1599 time the value is used.</para> 1600 1601 <para>There is a hazy boundary case to do with multi-byte loads from 1602 addresses which are partially valid and partially invalid. See 1603 details of the option <option>--partial-loads-ok</option> for details. 1604 </para> 1605 </listitem> 1606 1607 </itemizedlist> 1608 1609 1610 <para>Memcheck intercepts calls to <function>malloc</function>, 1611 <function>calloc</function>, <function>realloc</function>, 1612 <function>valloc</function>, <function>memalign</function>, 1613 <function>free</function>, <computeroutput>new</computeroutput>, 1614 <computeroutput>new[]</computeroutput>, 1615 <computeroutput>delete</computeroutput> and 1616 <computeroutput>delete[]</computeroutput>. The behaviour you get 1617 is:</para> 1618 1619 <itemizedlist> 1620 1621 <listitem> 1622 <para><function>malloc</function>/<function>new</function>/<computeroutput>new[]</computeroutput>: 1623 the returned memory is marked as addressable but not having valid 1624 values. This means you have to write to it before you can read 1625 it.</para> 1626 </listitem> 1627 1628 <listitem> 1629 <para><function>calloc</function>: returned memory is marked both 1630 addressable and valid, since <function>calloc</function> clears 1631 the area to zero.</para> 1632 </listitem> 1633 1634 <listitem> 1635 <para><function>realloc</function>: if the new size is larger than 1636 the old, the new section is addressable but invalid, as with 1637 <function>malloc</function>. If the new size is smaller, the 1638 dropped-off section is marked as unaddressable. You may only pass to 1639 <function>realloc</function> a pointer previously issued to you by 1640 <function>malloc</function>/<function>calloc</function>/<function>realloc</function>.</para> 1641 </listitem> 1642 1643 <listitem> 1644 <para><function>free</function>/<computeroutput>delete</computeroutput>/<computeroutput>delete[]</computeroutput>: 1645 you may only pass to these functions a pointer previously issued 1646 to you by the corresponding allocation function. Otherwise, 1647 Memcheck complains. If the pointer is indeed valid, Memcheck 1648 marks the entire area it points at as unaddressable, and places 1649 the block in the freed-blocks-queue. The aim is to defer as long 1650 as possible reallocation of this block. Until that happens, all 1651 attempts to access it will elicit an invalid-address error, as you 1652 would hope.</para> 1653 </listitem> 1654 1655 </itemizedlist> 1656 1657 </sect2> 1658 </sect1> 1659 1660 <sect1 id="mc-manual.monitor-commands" xreflabel="Memcheck Monitor Commands"> 1661 <title>Memcheck Monitor Commands</title> 1662 <para>The Memcheck tool provides monitor commands handled by Valgrind's 1663 built-in gdbserver (see <xref linkend="manual-core-adv.gdbserver-commandhandling"/>). 1664 </para> 1665 1666 <itemizedlist> 1667 <listitem> 1668 <para><varname>xb <addr> [<len>]</varname> 1669 shows the definedness (V) bits and values for <len> (default 1) 1670 bytes starting at <addr>. 1671 For each 8 bytes, two lines are output. 1672 </para> 1673 <para> 1674 The first line shows the validity bits for 8 bytes. 1675 The definedness of each byte in the range is given using two hexadecimal 1676 digits. These hexadecimal digits encode the validity of each bit of the 1677 corresponding byte, 1678 using 0 if the bit is defined and 1 if the bit is undefined. 1679 If a byte is not addressable, its validity bits are replaced 1680 by <varname>__</varname> (a double underscore). 1681 </para> 1682 <para> 1683 The second line shows the values of the bytes below the corresponding 1684 validity bits. The format used to show the bytes data is similar to the 1685 GDB command 'x /<len>xb <addr>'. The value for a non 1686 addressable bytes is shown as ?? (two question marks). 1687 </para> 1688 <para> 1689 In the following example, <varname>string10</varname> is an array 1690 of 10 characters, in which the even numbered bytes are 1691 undefined. In the below example, the byte corresponding 1692 to <varname>string10[5]</varname> is not addressable. 1693 </para> 1694 <programlisting><![CDATA[ 1695 (gdb) p &string10 1696 $4 = (char (*)[10]) 0x804a2f0 1697 (gdb) mo xb 0x804a2f0 10 1698 ff 00 ff 00 ff __ ff 00 1699 0x804A2F0: 0x3f 0x6e 0x3f 0x65 0x3f 0x?? 0x3f 0x65 1700 ff 00 1701 0x804A2F8: 0x3f 0x00 1702 Address 0x804A2F0 len 10 has 1 bytes unaddressable 1703 (gdb) 1704 ]]></programlisting> 1705 1706 <para> The command xb cannot be used with registers. To get 1707 the validity bits of a register, you must start Valgrind with the 1708 option <option>--vgdb-shadow-registers=yes</option>. The validity 1709 bits of a register can then be obtained by printing the 'shadow 1' 1710 corresponding register. In the below x86 example, the register 1711 eax has all its bits undefined, while the register ebx is fully 1712 defined. 1713 </para> 1714 <programlisting><![CDATA[ 1715 (gdb) p /x $eaxs1 1716 $9 = 0xffffffff 1717 (gdb) p /x $ebxs1 1718 $10 = 0x0 1719 (gdb) 1720 ]]></programlisting> 1721 1722 </listitem> 1723 1724 <listitem> 1725 <para><varname>get_vbits <addr> [<len>]</varname> 1726 shows the definedness (V) bits for <len> (default 1) bytes 1727 starting at <addr> using the same convention as the 1728 <varname>xb</varname> command. <varname>get_vbits</varname> only 1729 shows the V bits (grouped by 4 bytes). It does not show the values. 1730 If you want to associate V bits with the corresponding byte values, the 1731 <varname>xb</varname> command will be easier to use, in particular 1732 on little endian computers when associating undefined parts of an integer 1733 with their V bits values. 1734 </para> 1735 <para> 1736 The following example shows the result of <varname>get_vibts</varname> 1737 on the <varname>string10</varname> used in the <varname>xb</varname> 1738 command explanation. 1739 </para> 1740 <programlisting><![CDATA[ 1741 (gdb) monitor get_vbits 0x804a2f0 10 1742 ff00ff00 ff__ff00 ff00 1743 Address 0x804A2F0 len 10 has 1 bytes unaddressable 1744 (gdb) 1745 ]]></programlisting> 1746 1747 </listitem> 1748 1749 <listitem> 1750 <para><varname>make_memory 1751 [noaccess|undefined|defined|Definedifaddressable] <addr> 1752 [<len>]</varname> marks the range of <len> (default 1) 1753 bytes at <addr> as having the given status. Parameter 1754 <varname>noaccess</varname> marks the range as non-accessible, so 1755 Memcheck will report an error on any access to it. 1756 <varname>undefined</varname> or <varname>defined</varname> mark 1757 the area as accessible, but Memcheck regards the bytes in it 1758 respectively as having undefined or defined values. 1759 <varname>Definedifaddressable</varname> marks as defined, bytes in 1760 the range which are already addressible, but makes no change to 1761 the status of bytes in the range which are not addressible. Note 1762 that the first letter of <varname>Definedifaddressable</varname> 1763 is an uppercase D to avoid confusion with <varname>defined</varname>. 1764 </para> 1765 1766 <para> 1767 In the following example, the first byte of the 1768 <varname>string10</varname> is marked as defined: 1769 </para> 1770 <programlisting><![CDATA[ 1771 (gdb) monitor make_memory defined 0x8049e28 1 1772 (gdb) monitor get_vbits 0x8049e28 10 1773 0000ff00 ff00ff00 ff00 1774 (gdb) 1775 ]]></programlisting> 1776 </listitem> 1777 1778 <listitem> 1779 <para><varname>check_memory [addressable|defined] <addr> 1780 [<len>]</varname> checks that the range of <len> 1781 (default 1) bytes at <addr> has the specified accessibility. 1782 It then outputs a description of <addr>. In the following 1783 example, a detailed description is available because the 1784 option <option>--read-var-info=yes</option> was given at Valgrind 1785 startup: 1786 </para> 1787 <programlisting><![CDATA[ 1788 (gdb) monitor check_memory defined 0x8049e28 1 1789 Address 0x8049E28 len 1 defined 1790 ==14698== Location 0x8049e28 is 0 bytes inside string10[0], 1791 ==14698== declared at prog.c:10, in frame #0 of thread 1 1792 (gdb) 1793 ]]></programlisting> 1794 </listitem> 1795 1796 <listitem> 1797 <para><varname>leak_check [full*|summary] 1798 [kinds <set>|reachable|possibleleak*|definiteleak] 1799 [heuristics heur1,heur2,...] 1800 [increased*|changed|any] 1801 [unlimited*|limited <max_loss_records_output>] 1802 </varname> 1803 performs a leak check. The <varname>*</varname> in the arguments 1804 indicates the default values. </para> 1805 1806 <para> If the <varname>[full*|summary]</varname> argument is 1807 <varname>summary</varname>, only a summary of the leak search is given; 1808 otherwise a full leak report is produced. A full leak report gives 1809 detailed information for each leak: the stack trace where the leaked blocks 1810 were allocated, the number of blocks leaked and their total size. When a 1811 full report is requested, the next two arguments further specify what 1812 kind of leaks to report. A leak's details are shown if they match 1813 both the second and third argument. A full leak report might 1814 output detailed information for many leaks. The nr of leaks for 1815 which information is output can be controlled using 1816 the <varname>limited</varname> argument followed by the maximum nr 1817 of leak records to output. If this maximum is reached, the leak 1818 search outputs the records with the biggest number of bytes. 1819 </para> 1820 1821 <para>The <varname>kinds</varname> argument controls what kind of blocks 1822 are shown for a <varname>full</varname> leak search. The set of leak kinds 1823 to show can be specified using a <varname><set></varname> similarly 1824 to the command line option <option>--show-leak-kinds</option>. 1825 Alternatively, the value <varname>definiteleak</varname> 1826 is equivalent to <varname>kinds definite</varname>, the 1827 value <varname>possibleleak</varname> is equivalent to 1828 <varname>kinds definite,possible</varname> : it will also show 1829 possibly leaked blocks, .i.e those for which only an interior 1830 pointer was found. The value <varname>reachable</varname> will 1831 show all block categories (i.e. is equivalent to <varname>kinds 1832 all</varname>). 1833 </para> 1834 1835 <para>The <varname>heuristics</varname> argument controls the heuristics 1836 used during the leak search. The set of heuristics to use can be specified 1837 using a <varname><set></varname> similarly 1838 to the command line option <option>--leak-check-heuristics</option>. 1839 The default value for the <varname>heuristics</varname> argument is 1840 <varname>heuristics none</varname>. 1841 </para> 1842 1843 <para>The <varname>[increased*|changed|any]</varname> argument controls what 1844 kinds of changes are shown for a <varname>full</varname> leak search. The 1845 value <varname>increased</varname> specifies that only block 1846 allocation stacks with an increased number of leaked bytes or 1847 blocks since the previous leak check should be shown. The 1848 value <varname>changed</varname> specifies that allocation stacks 1849 with any change since the previous leak check should be shown. 1850 The value <varname>any</varname> specifies that all leak entries 1851 should be shown, regardless of any increase or decrease. When 1852 If <varname>increased</varname> or <varname>changed</varname> are 1853 specified, the leak report entries will show the delta relative to 1854 the previous leak report. 1855 </para> 1856 1857 <para>The following example shows usage of the 1858 <varname>leak_check</varname> monitor command on 1859 the <varname>memcheck/tests/leak-cases.c</varname> regression 1860 test. The first command outputs one entry having an increase in 1861 the leaked bytes. The second command is the same as the first 1862 command, but uses the abbreviated forms accepted by GDB and the 1863 Valgrind gdbserver. It only outputs the summary information, as 1864 there was no increase since the previous leak search.</para> 1865 <programlisting><![CDATA[ 1866 (gdb) monitor leak_check full possibleleak increased 1867 ==19520== 16 (+16) bytes in 1 (+1) blocks are possibly lost in loss record 9 of 12 1868 ==19520== at 0x40070B4: malloc (vg_replace_malloc.c:263) 1869 ==19520== by 0x80484D5: mk (leak-cases.c:52) 1870 ==19520== by 0x804855F: f (leak-cases.c:81) 1871 ==19520== by 0x80488E0: main (leak-cases.c:107) 1872 ==19520== 1873 ==19520== LEAK SUMMARY: 1874 ==19520== definitely lost: 32 (+0) bytes in 2 (+0) blocks 1875 ==19520== indirectly lost: 16 (+0) bytes in 1 (+0) blocks 1876 ==19520== possibly lost: 32 (+16) bytes in 2 (+1) blocks 1877 ==19520== still reachable: 96 (+16) bytes in 6 (+1) blocks 1878 ==19520== suppressed: 0 (+0) bytes in 0 (+0) blocks 1879 ==19520== Reachable blocks (those to which a pointer was found) are not shown. 1880 ==19520== To see them, add 'reachable any' args to leak_check 1881 ==19520== 1882 (gdb) mo l 1883 ==19520== LEAK SUMMARY: 1884 ==19520== definitely lost: 32 (+0) bytes in 2 (+0) blocks 1885 ==19520== indirectly lost: 16 (+0) bytes in 1 (+0) blocks 1886 ==19520== possibly lost: 32 (+0) bytes in 2 (+0) blocks 1887 ==19520== still reachable: 96 (+0) bytes in 6 (+0) blocks 1888 ==19520== suppressed: 0 (+0) bytes in 0 (+0) blocks 1889 ==19520== Reachable blocks (those to which a pointer was found) are not shown. 1890 ==19520== To see them, add 'reachable any' args to leak_check 1891 ==19520== 1892 (gdb) 1893 ]]></programlisting> 1894 <para>Note that when using Valgrind's gdbserver, it is not 1895 necessary to rerun 1896 with <option>--leak-check=full</option> 1897 <option>--show-reachable=yes</option> to see the reachable 1898 blocks. You can obtain the same information without rerunning by 1899 using the GDB command <computeroutput>monitor leak_check full 1900 reachable any</computeroutput> (or, using 1901 abbreviation: <computeroutput>mo l f r a</computeroutput>). 1902 </para> 1903 </listitem> 1904 1905 <listitem> 1906 <para><varname>block_list <loss_record_nr>|<loss_record_nr_from>..<loss_record_nr_to> 1907 [unlimited*|limited <max_blocks>] 1908 [heuristics heur1,heur2,...] 1909 </varname> 1910 shows the list of blocks belonging to 1911 <varname><loss_record_nr></varname> (or to the loss records range 1912 <varname><loss_record_nr_from>..<loss_record_nr_to></varname>). 1913 The nr of blocks to print can be controlled using the 1914 <varname>limited</varname> argument followed by the maximum nr 1915 of blocks to output. 1916 If one or more heuristics are given, only prints the loss records 1917 and blocks found via one of the given <varname>heur1,heur2,...</varname> 1918 heuristics. 1919 </para> 1920 1921 <para> A leak search merges the allocated blocks in loss records : 1922 a loss record re-groups all blocks having the same state (for 1923 example, Definitely Lost) and the same allocation backtrace. 1924 Each loss record is identified in the leak search result 1925 by a loss record number. 1926 The <varname>block_list</varname> command shows the loss record information 1927 followed by the addresses and sizes of the blocks which have been 1928 merged in the loss record. If a block was found using an heuristic, the block size 1929 is followed by the heuristic. 1930 </para> 1931 1932 <para> If a directly lost block causes some other blocks to be indirectly 1933 lost, the block_list command will also show these indirectly lost blocks. 1934 The indirectly lost blocks will be indented according to the level of indirection 1935 between the directly lost block and the indirectly lost block(s). 1936 Each indirectly lost block is followed by the reference of its loss record. 1937 </para> 1938 1939 <para> The block_list command can be used on the results of a leak search as long 1940 as no block has been freed after this leak search: as soon as the program frees 1941 a block, a new leak search is needed before block_list can be used again. 1942 </para> 1943 1944 <para> 1945 In the below example, the program leaks a tree structure by losing the pointer to 1946 the block A (top of the tree). 1947 So, the block A is directly lost, causing an indirect 1948 loss of blocks B to G. The first block_list command shows the loss record of A 1949 (a definitely lost block with address 0x4028028, size 16). The addresses and sizes 1950 of the indirectly lost blocks due to block A are shown below the block A. 1951 The second command shows the details of one of the indirect loss records output 1952 by the first command. 1953 </para> 1954 <programlisting><![CDATA[ 1955 A 1956 / \ 1957 B C 1958 / \ / \ 1959 D E F G 1960 ]]></programlisting> 1961 1962 <programlisting><![CDATA[ 1963 (gdb) bt 1964 #0 main () at leak-tree.c:69 1965 (gdb) monitor leak_check full any 1966 ==19552== 112 (16 direct, 96 indirect) bytes in 1 blocks are definitely lost in loss record 7 of 7 1967 ==19552== at 0x40070B4: malloc (vg_replace_malloc.c:263) 1968 ==19552== by 0x80484D5: mk (leak-tree.c:28) 1969 ==19552== by 0x80484FC: f (leak-tree.c:41) 1970 ==19552== by 0x8048856: main (leak-tree.c:63) 1971 ==19552== 1972 ==19552== LEAK SUMMARY: 1973 ==19552== definitely lost: 16 bytes in 1 blocks 1974 ==19552== indirectly lost: 96 bytes in 6 blocks 1975 ==19552== possibly lost: 0 bytes in 0 blocks 1976 ==19552== still reachable: 0 bytes in 0 blocks 1977 ==19552== suppressed: 0 bytes in 0 blocks 1978 ==19552== 1979 (gdb) monitor block_list 7 1980 ==19552== 112 (16 direct, 96 indirect) bytes in 1 blocks are definitely lost in loss record 7 of 7 1981 ==19552== at 0x40070B4: malloc (vg_replace_malloc.c:263) 1982 ==19552== by 0x80484D5: mk (leak-tree.c:28) 1983 ==19552== by 0x80484FC: f (leak-tree.c:41) 1984 ==19552== by 0x8048856: main (leak-tree.c:63) 1985 ==19552== 0x4028028[16] 1986 ==19552== 0x4028068[16] indirect loss record 1 1987 ==19552== 0x40280E8[16] indirect loss record 3 1988 ==19552== 0x4028128[16] indirect loss record 4 1989 ==19552== 0x40280A8[16] indirect loss record 2 1990 ==19552== 0x4028168[16] indirect loss record 5 1991 ==19552== 0x40281A8[16] indirect loss record 6 1992 (gdb) mo b 2 1993 ==19552== 16 bytes in 1 blocks are indirectly lost in loss record 2 of 7 1994 ==19552== at 0x40070B4: malloc (vg_replace_malloc.c:263) 1995 ==19552== by 0x80484D5: mk (leak-tree.c:28) 1996 ==19552== by 0x8048519: f (leak-tree.c:43) 1997 ==19552== by 0x8048856: main (leak-tree.c:63) 1998 ==19552== 0x40280A8[16] 1999 ==19552== 0x4028168[16] indirect loss record 5 2000 ==19552== 0x40281A8[16] indirect loss record 6 2001 (gdb) 2002 2003 ]]></programlisting> 2004 2005 </listitem> 2006 2007 <listitem> 2008 <para><varname>who_points_at <addr> [<len>]</varname> 2009 shows all the locations where a pointer to addr is found. 2010 If len is equal to 1, the command only shows the locations pointing 2011 exactly at addr (i.e. the "start pointers" to addr). 2012 If len is > 1, "interior pointers" pointing at the len first bytes 2013 will also be shown. 2014 </para> 2015 2016 <para>The locations searched for are the same as the locations 2017 used in the leak search. So, <varname>who_points_at</varname> can a.o. 2018 be used to show why the leak search still can reach a block, or can 2019 search for dangling pointers to a freed block. 2020 Each location pointing at addr (or pointing inside addr if interior pointers 2021 are being searched for) will be described. 2022 </para> 2023 2024 <para>In the below example, the pointers to the 'tree block A' (see example 2025 in command <varname>block_list</varname>) is shown before the tree was leaked. 2026 The descriptions are detailed as the option <option>--read-var-info=yes</option> 2027 was given at Valgrind startup. The second call shows the pointers (start and interior 2028 pointers) to block G. The block G (0x40281A8) is reachable via block C (0x40280a8) 2029 and register ECX of tid 1 (tid is the Valgrind thread id). 2030 It is "interior reachable" via the register EBX. 2031 </para> 2032 2033 <programlisting><![CDATA[ 2034 (gdb) monitor who_points_at 0x4028028 2035 ==20852== Searching for pointers to 0x4028028 2036 ==20852== *0x8049e20 points at 0x4028028 2037 ==20852== Location 0x8049e20 is 0 bytes inside global var "t" 2038 ==20852== declared at leak-tree.c:35 2039 (gdb) monitor who_points_at 0x40281A8 16 2040 ==20852== Searching for pointers pointing in 16 bytes from 0x40281a8 2041 ==20852== *0x40280ac points at 0x40281a8 2042 ==20852== Address 0x40280ac is 4 bytes inside a block of size 16 alloc'd 2043 ==20852== at 0x40070B4: malloc (vg_replace_malloc.c:263) 2044 ==20852== by 0x80484D5: mk (leak-tree.c:28) 2045 ==20852== by 0x8048519: f (leak-tree.c:43) 2046 ==20852== by 0x8048856: main (leak-tree.c:63) 2047 ==20852== tid 1 register ECX points at 0x40281a8 2048 ==20852== tid 1 register EBX interior points at 2 bytes inside 0x40281a8 2049 (gdb) 2050 ]]></programlisting> 2051 2052 <para> When <varname>who_points_at</varname> finds an interior pointer, 2053 it will report the heuristic(s) with which this interior pointer 2054 will be considered as reachable. Note that this is done independently 2055 of the value of the option <option>--leak-check-heuristics</option>. 2056 In the below example, the loss record 6 indicates a possibly lost 2057 block. <varname>who_points_at</varname> reports that there is an interior 2058 pointer pointing in this block, and that the block can be considered 2059 reachable using the heuristic 2060 <computeroutput>multipleinheritance</computeroutput>. 2061 </para> 2062 2063 <programlisting><![CDATA[ 2064 (gdb) monitor block_list 6 2065 ==3748== 8 bytes in 1 blocks are possibly lost in loss record 6 of 7 2066 ==3748== at 0x4007D77: operator new(unsigned int) (vg_replace_malloc.c:313) 2067 ==3748== by 0x8048954: main (leak_cpp_interior.cpp:43) 2068 ==3748== 0x402A0E0[8] 2069 (gdb) monitor who_points_at 0x402A0E0 8 2070 ==3748== Searching for pointers pointing in 8 bytes from 0x402a0e0 2071 ==3748== *0xbe8ee078 interior points at 4 bytes inside 0x402a0e0 2072 ==3748== Address 0xbe8ee078 is on thread 1's stack 2073 ==3748== block at 0x402a0e0 considered reachable by ptr 0x402a0e4 using multipleinheritance heuristic 2074 (gdb) 2075 ]]></programlisting> 2076 2077 </listitem> 2078 2079 </itemizedlist> 2080 2081 </sect1> 2082 2083 <sect1 id="mc-manual.clientreqs" xreflabel="Client requests"> 2084 <title>Client Requests</title> 2085 2086 <para>The following client requests are defined in 2087 <filename>memcheck.h</filename>. 2088 See <filename>memcheck.h</filename> for exact details of their 2089 arguments.</para> 2090 2091 <itemizedlist> 2092 2093 <listitem> 2094 <para><varname>VALGRIND_MAKE_MEM_NOACCESS</varname>, 2095 <varname>VALGRIND_MAKE_MEM_UNDEFINED</varname> and 2096 <varname>VALGRIND_MAKE_MEM_DEFINED</varname>. 2097 These mark address ranges as completely inaccessible, 2098 accessible but containing undefined data, and accessible and 2099 containing defined data, respectively. They return -1, when 2100 run on Valgrind and 0 otherwise.</para> 2101 </listitem> 2102 2103 <listitem> 2104 <para><varname>VALGRIND_MAKE_MEM_DEFINED_IF_ADDRESSABLE</varname>. 2105 This is just like <varname>VALGRIND_MAKE_MEM_DEFINED</varname> but only 2106 affects those bytes that are already addressable.</para> 2107 </listitem> 2108 2109 <listitem> 2110 <para><varname>VALGRIND_CHECK_MEM_IS_ADDRESSABLE</varname> and 2111 <varname>VALGRIND_CHECK_MEM_IS_DEFINED</varname>: check immediately 2112 whether or not the given address range has the relevant property, 2113 and if not, print an error message. Also, for the convenience of 2114 the client, returns zero if the relevant property holds; otherwise, 2115 the returned value is the address of the first byte for which the 2116 property is not true. Always returns 0 when not run on 2117 Valgrind.</para> 2118 </listitem> 2119 2120 <listitem> 2121 <para><varname>VALGRIND_CHECK_VALUE_IS_DEFINED</varname>: a quick and easy 2122 way to find out whether Valgrind thinks a particular value 2123 (lvalue, to be precise) is addressable and defined. Prints an error 2124 message if not. It has no return value.</para> 2125 </listitem> 2126 2127 <listitem> 2128 <para><varname>VALGRIND_DO_LEAK_CHECK</varname>: does a full memory leak 2129 check (like <option>--leak-check=full</option>) right now. 2130 This is useful for incrementally checking for leaks between arbitrary 2131 places in the program's execution. It has no return value.</para> 2132 </listitem> 2133 2134 <listitem> 2135 <para><varname>VALGRIND_DO_ADDED_LEAK_CHECK</varname>: same as 2136 <varname> VALGRIND_DO_LEAK_CHECK</varname> but only shows the 2137 entries for which there was an increase in leaked bytes or leaked 2138 number of blocks since the previous leak search. It has no return 2139 value.</para> 2140 </listitem> 2141 2142 <listitem> 2143 <para><varname>VALGRIND_DO_CHANGED_LEAK_CHECK</varname>: same as 2144 <varname>VALGRIND_DO_LEAK_CHECK</varname> but only shows the 2145 entries for which there was an increase or decrease in leaked 2146 bytes or leaked number of blocks since the previous leak search. It 2147 has no return value.</para> 2148 </listitem> 2149 2150 <listitem> 2151 <para><varname>VALGRIND_DO_QUICK_LEAK_CHECK</varname>: like 2152 <varname>VALGRIND_DO_LEAK_CHECK</varname>, except it produces only a leak 2153 summary (like <option>--leak-check=summary</option>). 2154 It has no return value.</para> 2155 </listitem> 2156 2157 <listitem> 2158 <para><varname>VALGRIND_COUNT_LEAKS</varname>: fills in the four 2159 arguments with the number of bytes of memory found by the previous 2160 leak check to be leaked (i.e. the sum of direct leaks and indirect leaks), 2161 dubious, reachable and suppressed. This is useful in test harness code, 2162 after calling <varname>VALGRIND_DO_LEAK_CHECK</varname> or 2163 <varname>VALGRIND_DO_QUICK_LEAK_CHECK</varname>.</para> 2164 </listitem> 2165 2166 <listitem> 2167 <para><varname>VALGRIND_COUNT_LEAK_BLOCKS</varname>: identical to 2168 <varname>VALGRIND_COUNT_LEAKS</varname> except that it returns the 2169 number of blocks rather than the number of bytes in each 2170 category.</para> 2171 </listitem> 2172 2173 <listitem> 2174 <para><varname>VALGRIND_GET_VBITS</varname> and 2175 <varname>VALGRIND_SET_VBITS</varname>: allow you to get and set the 2176 V (validity) bits for an address range. You should probably only 2177 set V bits that you have got with 2178 <varname>VALGRIND_GET_VBITS</varname>. Only for those who really 2179 know what they are doing.</para> 2180 </listitem> 2181 2182 <listitem> 2183 <para><varname>VALGRIND_CREATE_BLOCK</varname> and 2184 <varname>VALGRIND_DISCARD</varname>. <varname>VALGRIND_CREATE_BLOCK</varname> 2185 takes an address, a number of bytes and a character string. The 2186 specified address range is then associated with that string. When 2187 Memcheck reports an invalid access to an address in the range, it 2188 will describe it in terms of this block rather than in terms of 2189 any other block it knows about. Note that the use of this macro 2190 does not actually change the state of memory in any way -- it 2191 merely gives a name for the range. 2192 </para> 2193 2194 <para>At some point you may want Memcheck to stop reporting errors 2195 in terms of the block named 2196 by <varname>VALGRIND_CREATE_BLOCK</varname>. To make this 2197 possible, <varname>VALGRIND_CREATE_BLOCK</varname> returns a 2198 "block handle", which is a C <varname>int</varname> value. You 2199 can pass this block handle to <varname>VALGRIND_DISCARD</varname>. 2200 After doing so, Valgrind will no longer relate addressing errors 2201 in the specified range to the block. Passing invalid handles to 2202 <varname>VALGRIND_DISCARD</varname> is harmless. 2203 </para> 2204 </listitem> 2205 2206 </itemizedlist> 2207 2208 </sect1> 2209 2210 2211 2212 2213 <sect1 id="mc-manual.mempools" xreflabel="Memory Pools"> 2214 <title>Memory Pools: describing and working with custom allocators</title> 2215 2216 <para>Some programs use custom memory allocators, often for performance 2217 reasons. Left to itself, Memcheck is unable to understand the 2218 behaviour of custom allocation schemes as well as it understands the 2219 standard allocators, and so may miss errors and leaks in your program. What 2220 this section describes is a way to give Memcheck enough of a description of 2221 your custom allocator that it can make at least some sense of what is 2222 happening.</para> 2223 2224 <para>There are many different sorts of custom allocator, so Memcheck 2225 attempts to reason about them using a loose, abstract model. We 2226 use the following terminology when describing custom allocation 2227 systems:</para> 2228 2229 <itemizedlist> 2230 <listitem> 2231 <para>Custom allocation involves a set of independent "memory pools". 2232 </para> 2233 </listitem> 2234 <listitem> 2235 <para>Memcheck's notion of a a memory pool consists of a single "anchor 2236 address" and a set of non-overlapping "chunks" associated with the 2237 anchor address.</para> 2238 </listitem> 2239 <listitem> 2240 <para>Typically a pool's anchor address is the address of a 2241 book-keeping "header" structure.</para> 2242 </listitem> 2243 <listitem> 2244 <para>Typically the pool's chunks are drawn from a contiguous 2245 "superblock" acquired through the system 2246 <function>malloc</function> or 2247 <function>mmap</function>.</para> 2248 </listitem> 2249 2250 </itemizedlist> 2251 2252 <para>Keep in mind that the last two points above say "typically": the 2253 Valgrind mempool client request API is intentionally vague about the 2254 exact structure of a mempool. There is no specific mention made of 2255 headers or superblocks. Nevertheless, the following picture may help 2256 elucidate the intention of the terms in the API:</para> 2257 2258 <programlisting><![CDATA[ 2259 "pool" 2260 (anchor address) 2261 | 2262 v 2263 +--------+---+ 2264 | header | o | 2265 +--------+-|-+ 2266 | 2267 v superblock 2268 +------+---+--------------+---+------------------+ 2269 | |rzB| allocation |rzB| | 2270 +------+---+--------------+---+------------------+ 2271 ^ ^ 2272 | | 2273 "addr" "addr"+"size" 2274 ]]></programlisting> 2275 2276 <para> 2277 Note that the header and the superblock may be contiguous or 2278 discontiguous, and there may be multiple superblocks associated with a 2279 single header; such variations are opaque to Memcheck. The API 2280 only requires that your allocation scheme can present sensible values 2281 of "pool", "addr" and "size".</para> 2282 2283 <para> 2284 Typically, before making client requests related to mempools, a client 2285 program will have allocated such a header and superblock for their 2286 mempool, and marked the superblock NOACCESS using the 2287 <varname>VALGRIND_MAKE_MEM_NOACCESS</varname> client request.</para> 2288 2289 <para> 2290 When dealing with mempools, the goal is to maintain a particular 2291 invariant condition: that Memcheck believes the unallocated portions 2292 of the pool's superblock (including redzones) are NOACCESS. To 2293 maintain this invariant, the client program must ensure that the 2294 superblock starts out in that state; Memcheck cannot make it so, since 2295 Memcheck never explicitly learns about the superblock of a pool, only 2296 the allocated chunks within the pool.</para> 2297 2298 <para> 2299 Once the header and superblock for a pool are established and properly 2300 marked, there are a number of client requests programs can use to 2301 inform Memcheck about changes to the state of a mempool:</para> 2302 2303 <itemizedlist> 2304 2305 <listitem> 2306 <para> 2307 <varname>VALGRIND_CREATE_MEMPOOL(pool, rzB, is_zeroed)</varname>: 2308 This request registers the address <varname>pool</varname> as the anchor 2309 address for a memory pool. It also provides a size 2310 <varname>rzB</varname>, specifying how large the redzones placed around 2311 chunks allocated from the pool should be. Finally, it provides an 2312 <varname>is_zeroed</varname> argument that specifies whether the pool's 2313 chunks are zeroed (more precisely: defined) when allocated. 2314 </para> 2315 <para> 2316 Upon completion of this request, no chunks are associated with the 2317 pool. The request simply tells Memcheck that the pool exists, so that 2318 subsequent calls can refer to it as a pool. 2319 </para> 2320 </listitem> 2321 2322 <listitem> 2323 <para><varname>VALGRIND_DESTROY_MEMPOOL(pool)</varname>: 2324 This request tells Memcheck that a pool is being torn down. Memcheck 2325 then removes all records of chunks associated with the pool, as well 2326 as its record of the pool's existence. While destroying its records of 2327 a mempool, Memcheck resets the redzones of any live chunks in the pool 2328 to NOACCESS. 2329 </para> 2330 </listitem> 2331 2332 <listitem> 2333 <para><varname>VALGRIND_MEMPOOL_ALLOC(pool, addr, size)</varname>: 2334 This request informs Memcheck that a <varname>size</varname>-byte chunk 2335 has been allocated at <varname>addr</varname>, and associates the chunk with the 2336 specified 2337 <varname>pool</varname>. If the pool was created with nonzero 2338 <varname>rzB</varname> redzones, Memcheck will mark the 2339 <varname>rzB</varname> bytes before and after the chunk as NOACCESS. If 2340 the pool was created with the <varname>is_zeroed</varname> argument set, 2341 Memcheck will mark the chunk as DEFINED, otherwise Memcheck will mark 2342 the chunk as UNDEFINED. 2343 </para> 2344 </listitem> 2345 2346 <listitem> 2347 <para><varname>VALGRIND_MEMPOOL_FREE(pool, addr)</varname>: 2348 This request informs Memcheck that the chunk at <varname>addr</varname> 2349 should no longer be considered allocated. Memcheck will mark the chunk 2350 associated with <varname>addr</varname> as NOACCESS, and delete its 2351 record of the chunk's existence. 2352 </para> 2353 </listitem> 2354 2355 <listitem> 2356 <para><varname>VALGRIND_MEMPOOL_TRIM(pool, addr, size)</varname>: 2357 This request trims the chunks associated with <varname>pool</varname>. 2358 The request only operates on chunks associated with 2359 <varname>pool</varname>. Trimming is formally defined as:</para> 2360 <itemizedlist> 2361 <listitem> 2362 <para> All chunks entirely inside the range 2363 <varname>addr..(addr+size-1)</varname> are preserved.</para> 2364 </listitem> 2365 <listitem> 2366 <para>All chunks entirely outside the range 2367 <varname>addr..(addr+size-1)</varname> are discarded, as though 2368 <varname>VALGRIND_MEMPOOL_FREE</varname> was called on them. </para> 2369 </listitem> 2370 <listitem> 2371 <para>All other chunks must intersect with the range 2372 <varname>addr..(addr+size-1)</varname>; areas outside the 2373 intersection are marked as NOACCESS, as though they had been 2374 independently freed with 2375 <varname>VALGRIND_MEMPOOL_FREE</varname>.</para> 2376 </listitem> 2377 </itemizedlist> 2378 <para>This is a somewhat rare request, but can be useful in 2379 implementing the type of mass-free operations common in custom 2380 LIFO allocators.</para> 2381 </listitem> 2382 2383 <listitem> 2384 <para><varname>VALGRIND_MOVE_MEMPOOL(poolA, poolB)</varname>: This 2385 request informs Memcheck that the pool previously anchored at 2386 address <varname>poolA</varname> has moved to anchor address 2387 <varname>poolB</varname>. This is a rare request, typically only needed 2388 if you <function>realloc</function> the header of a mempool.</para> 2389 <para>No memory-status bits are altered by this request.</para> 2390 </listitem> 2391 2392 <listitem> 2393 <para> 2394 <varname>VALGRIND_MEMPOOL_CHANGE(pool, addrA, addrB, 2395 size)</varname>: This request informs Memcheck that the chunk 2396 previously allocated at address <varname>addrA</varname> within 2397 <varname>pool</varname> has been moved and/or resized, and should be 2398 changed to cover the region <varname>addrB..(addrB+size-1)</varname>. This 2399 is a rare request, typically only needed if you 2400 <function>realloc</function> a superblock or wish to extend a chunk 2401 without changing its memory-status bits. 2402 </para> 2403 <para>No memory-status bits are altered by this request. 2404 </para> 2405 </listitem> 2406 2407 <listitem> 2408 <para><varname>VALGRIND_MEMPOOL_EXISTS(pool)</varname>: 2409 This request informs the caller whether or not Memcheck is currently 2410 tracking a mempool at anchor address <varname>pool</varname>. It 2411 evaluates to 1 when there is a mempool associated with that address, 0 2412 otherwise. This is a rare request, only useful in circumstances when 2413 client code might have lost track of the set of active mempools. 2414 </para> 2415 </listitem> 2416 2417 </itemizedlist> 2418 2419 </sect1> 2420 2421 2422 2423 2424 2425 2426 2427 <sect1 id="mc-manual.mpiwrap" xreflabel="MPI Wrappers"> 2428 <title>Debugging MPI Parallel Programs with Valgrind</title> 2429 2430 <para>Memcheck supports debugging of distributed-memory applications 2431 which use the MPI message passing standard. This support consists of a 2432 library of wrapper functions for the 2433 <computeroutput>PMPI_*</computeroutput> interface. When incorporated 2434 into the application's address space, either by direct linking or by 2435 <computeroutput>LD_PRELOAD</computeroutput>, the wrappers intercept 2436 calls to <computeroutput>PMPI_Send</computeroutput>, 2437 <computeroutput>PMPI_Recv</computeroutput>, etc. They then 2438 use client requests to inform Memcheck of memory state changes caused 2439 by the function being wrapped. This reduces the number of false 2440 positives that Memcheck otherwise typically reports for MPI 2441 applications.</para> 2442 2443 <para>The wrappers also take the opportunity to carefully check 2444 size and definedness of buffers passed as arguments to MPI functions, hence 2445 detecting errors such as passing undefined data to 2446 <computeroutput>PMPI_Send</computeroutput>, or receiving data into a 2447 buffer which is too small.</para> 2448 2449 <para>Unlike most of the rest of Valgrind, the wrapper library is subject to a 2450 BSD-style license, so you can link it into any code base you like. 2451 See the top of <computeroutput>mpi/libmpiwrap.c</computeroutput> 2452 for license details.</para> 2453 2454 2455 <sect2 id="mc-manual.mpiwrap.build" xreflabel="Building MPI Wrappers"> 2456 <title>Building and installing the wrappers</title> 2457 2458 <para> The wrapper library will be built automatically if possible. 2459 Valgrind's configure script will look for a suitable 2460 <computeroutput>mpicc</computeroutput> to build it with. This must be 2461 the same <computeroutput>mpicc</computeroutput> you use to build the 2462 MPI application you want to debug. By default, Valgrind tries 2463 <computeroutput>mpicc</computeroutput>, but you can specify a 2464 different one by using the configure-time option 2465 <option>--with-mpicc</option>. Currently the 2466 wrappers are only buildable with 2467 <computeroutput>mpicc</computeroutput>s which are based on GNU 2468 GCC or Intel's C++ Compiler.</para> 2469 2470 <para>Check that the configure script prints a line like this:</para> 2471 2472 <programlisting><![CDATA[ 2473 checking for usable MPI2-compliant mpicc and mpi.h... yes, mpicc 2474 ]]></programlisting> 2475 2476 <para>If it says <computeroutput>... no</computeroutput>, your 2477 <computeroutput>mpicc</computeroutput> has failed to compile and link 2478 a test MPI2 program.</para> 2479 2480 <para>If the configure test succeeds, continue in the usual way with 2481 <computeroutput>make</computeroutput> and <computeroutput>make 2482 install</computeroutput>. The final install tree should then contain 2483 <computeroutput>libmpiwrap-<platform>.so</computeroutput>. 2484 </para> 2485 2486 <para>Compile up a test MPI program (eg, MPI hello-world) and try 2487 this:</para> 2488 2489 <programlisting><![CDATA[ 2490 LD_PRELOAD=$prefix/lib/valgrind/libmpiwrap-<platform>.so \ 2491 mpirun [args] $prefix/bin/valgrind ./hello 2492 ]]></programlisting> 2493 2494 <para>You should see something similar to the following</para> 2495 2496 <programlisting><![CDATA[ 2497 valgrind MPI wrappers 31901: Active for pid 31901 2498 valgrind MPI wrappers 31901: Try MPIWRAP_DEBUG=help for possible options 2499 ]]></programlisting> 2500 2501 <para>repeated for every process in the group. If you do not see 2502 these, there is an build/installation problem of some kind.</para> 2503 2504 <para> The MPI functions to be wrapped are assumed to be in an ELF 2505 shared object with soname matching 2506 <computeroutput>libmpi.so*</computeroutput>. This is known to be 2507 correct at least for Open MPI and Quadrics MPI, and can easily be 2508 changed if required.</para> 2509 </sect2> 2510 2511 2512 <sect2 id="mc-manual.mpiwrap.gettingstarted" 2513 xreflabel="Getting started with MPI Wrappers"> 2514 <title>Getting started</title> 2515 2516 <para>Compile your MPI application as usual, taking care to link it 2517 using the same <computeroutput>mpicc</computeroutput> that your 2518 Valgrind build was configured with.</para> 2519 2520 <para> 2521 Use the following basic scheme to run your application on Valgrind with 2522 the wrappers engaged:</para> 2523 2524 <programlisting><![CDATA[ 2525 MPIWRAP_DEBUG=[wrapper-args] \ 2526 LD_PRELOAD=$prefix/lib/valgrind/libmpiwrap-<platform>.so \ 2527 mpirun [mpirun-args] \ 2528 $prefix/bin/valgrind [valgrind-args] \ 2529 [application] [app-args] 2530 ]]></programlisting> 2531 2532 <para>As an alternative to 2533 <computeroutput>LD_PRELOAD</computeroutput>ing 2534 <computeroutput>libmpiwrap-<platform>.so</computeroutput>, you can 2535 simply link it to your application if desired. This should not disturb 2536 native behaviour of your application in any way.</para> 2537 </sect2> 2538 2539 2540 <sect2 id="mc-manual.mpiwrap.controlling" 2541 xreflabel="Controlling the MPI Wrappers"> 2542 <title>Controlling the wrapper library</title> 2543 2544 <para>Environment variable 2545 <computeroutput>MPIWRAP_DEBUG</computeroutput> is consulted at 2546 startup. The default behaviour is to print a starting banner</para> 2547 2548 <programlisting><![CDATA[ 2549 valgrind MPI wrappers 16386: Active for pid 16386 2550 valgrind MPI wrappers 16386: Try MPIWRAP_DEBUG=help for possible options 2551 ]]></programlisting> 2552 2553 <para> and then be relatively quiet.</para> 2554 2555 <para>You can give a list of comma-separated options in 2556 <computeroutput>MPIWRAP_DEBUG</computeroutput>. These are</para> 2557 2558 <itemizedlist> 2559 <listitem> 2560 <para><computeroutput>verbose</computeroutput>: 2561 show entries/exits of all wrappers. Also show extra 2562 debugging info, such as the status of outstanding 2563 <computeroutput>MPI_Request</computeroutput>s resulting 2564 from uncompleted <computeroutput>MPI_Irecv</computeroutput>s.</para> 2565 </listitem> 2566 <listitem> 2567 <para><computeroutput>quiet</computeroutput>: 2568 opposite of <computeroutput>verbose</computeroutput>, only print 2569 anything when the wrappers want 2570 to report a detected programming error, or in case of catastrophic 2571 failure of the wrappers.</para> 2572 </listitem> 2573 <listitem> 2574 <para><computeroutput>warn</computeroutput>: 2575 by default, functions which lack proper wrappers 2576 are not commented on, just silently 2577 ignored. This causes a warning to be printed for each unwrapped 2578 function used, up to a maximum of three warnings per function.</para> 2579 </listitem> 2580 <listitem> 2581 <para><computeroutput>strict</computeroutput>: 2582 print an error message and abort the program if 2583 a function lacking a wrapper is used.</para> 2584 </listitem> 2585 </itemizedlist> 2586 2587 <para> If you want to use Valgrind's XML output facility 2588 (<option>--xml=yes</option>), you should pass 2589 <computeroutput>quiet</computeroutput> in 2590 <computeroutput>MPIWRAP_DEBUG</computeroutput> so as to get rid of any 2591 extraneous printing from the wrappers.</para> 2592 2593 </sect2> 2594 2595 2596 <sect2 id="mc-manual.mpiwrap.limitations.functions" 2597 xreflabel="Functions: Abilities and Limitations"> 2598 <title>Functions</title> 2599 2600 <para>All MPI2 functions except 2601 <computeroutput>MPI_Wtick</computeroutput>, 2602 <computeroutput>MPI_Wtime</computeroutput> and 2603 <computeroutput>MPI_Pcontrol</computeroutput> have wrappers. The 2604 first two are not wrapped because they return a 2605 <computeroutput>double</computeroutput>, which Valgrind's 2606 function-wrap mechanism cannot handle (but it could easily be 2607 extended to do so). <computeroutput>MPI_Pcontrol</computeroutput> cannot be 2608 wrapped as it has variable arity: 2609 <computeroutput>int MPI_Pcontrol(const int level, ...)</computeroutput></para> 2610 2611 <para>Most functions are wrapped with a default wrapper which does 2612 nothing except complain or abort if it is called, depending on 2613 settings in <computeroutput>MPIWRAP_DEBUG</computeroutput> listed 2614 above. The following functions have "real", do-something-useful 2615 wrappers:</para> 2616 2617 <programlisting><![CDATA[ 2618 PMPI_Send PMPI_Bsend PMPI_Ssend PMPI_Rsend 2619 2620 PMPI_Recv PMPI_Get_count 2621 2622 PMPI_Isend PMPI_Ibsend PMPI_Issend PMPI_Irsend 2623 2624 PMPI_Irecv 2625 PMPI_Wait PMPI_Waitall 2626 PMPI_Test PMPI_Testall 2627 2628 PMPI_Iprobe PMPI_Probe 2629 2630 PMPI_Cancel 2631 2632 PMPI_Sendrecv 2633 2634 PMPI_Type_commit PMPI_Type_free 2635 2636 PMPI_Pack PMPI_Unpack 2637 2638 PMPI_Bcast PMPI_Gather PMPI_Scatter PMPI_Alltoall 2639 PMPI_Reduce PMPI_Allreduce PMPI_Op_create 2640 2641 PMPI_Comm_create PMPI_Comm_dup PMPI_Comm_free PMPI_Comm_rank PMPI_Comm_size 2642 2643 PMPI_Error_string 2644 PMPI_Init PMPI_Initialized PMPI_Finalize 2645 ]]></programlisting> 2646 2647 <para> A few functions such as 2648 <computeroutput>PMPI_Address</computeroutput> are listed as 2649 <computeroutput>HAS_NO_WRAPPER</computeroutput>. They have no wrapper 2650 at all as there is nothing worth checking, and giving a no-op wrapper 2651 would reduce performance for no reason.</para> 2652 2653 <para> Note that the wrapper library itself can itself generate large 2654 numbers of calls to the MPI implementation, especially when walking 2655 complex types. The most common functions called are 2656 <computeroutput>PMPI_Extent</computeroutput>, 2657 <computeroutput>PMPI_Type_get_envelope</computeroutput>, 2658 <computeroutput>PMPI_Type_get_contents</computeroutput>, and 2659 <computeroutput>PMPI_Type_free</computeroutput>. </para> 2660 </sect2> 2661 2662 <sect2 id="mc-manual.mpiwrap.limitations.types" 2663 xreflabel="Types: Abilities and Limitations"> 2664 <title>Types</title> 2665 2666 <para> MPI-1.1 structured types are supported, and walked exactly. 2667 The currently supported combiners are 2668 <computeroutput>MPI_COMBINER_NAMED</computeroutput>, 2669 <computeroutput>MPI_COMBINER_CONTIGUOUS</computeroutput>, 2670 <computeroutput>MPI_COMBINER_VECTOR</computeroutput>, 2671 <computeroutput>MPI_COMBINER_HVECTOR</computeroutput> 2672 <computeroutput>MPI_COMBINER_INDEXED</computeroutput>, 2673 <computeroutput>MPI_COMBINER_HINDEXED</computeroutput> and 2674 <computeroutput>MPI_COMBINER_STRUCT</computeroutput>. This should 2675 cover all MPI-1.1 types. The mechanism (function 2676 <computeroutput>walk_type</computeroutput>) should extend easily to 2677 cover MPI2 combiners.</para> 2678 2679 <para>MPI defines some named structured types 2680 (<computeroutput>MPI_FLOAT_INT</computeroutput>, 2681 <computeroutput>MPI_DOUBLE_INT</computeroutput>, 2682 <computeroutput>MPI_LONG_INT</computeroutput>, 2683 <computeroutput>MPI_2INT</computeroutput>, 2684 <computeroutput>MPI_SHORT_INT</computeroutput>, 2685 <computeroutput>MPI_LONG_DOUBLE_INT</computeroutput>) which are pairs 2686 of some basic type and a C <computeroutput>int</computeroutput>. 2687 Unfortunately the MPI specification makes it impossible to look inside 2688 these types and see where the fields are. Therefore these wrappers 2689 assume the types are laid out as <computeroutput>struct { float val; 2690 int loc; }</computeroutput> (for 2691 <computeroutput>MPI_FLOAT_INT</computeroutput>), etc, and act 2692 accordingly. This appears to be correct at least for Open MPI 1.0.2 2693 and for Quadrics MPI.</para> 2694 2695 <para>If <computeroutput>strict</computeroutput> is an option specified 2696 in <computeroutput>MPIWRAP_DEBUG</computeroutput>, the application 2697 will abort if an unhandled type is encountered. Otherwise, the 2698 application will print a warning message and continue.</para> 2699 2700 <para>Some effort is made to mark/check memory ranges corresponding to 2701 arrays of values in a single pass. This is important for performance 2702 since asking Valgrind to mark/check any range, no matter how small, 2703 carries quite a large constant cost. This optimisation is applied to 2704 arrays of primitive types (<computeroutput>double</computeroutput>, 2705 <computeroutput>float</computeroutput>, 2706 <computeroutput>int</computeroutput>, 2707 <computeroutput>long</computeroutput>, <computeroutput>long 2708 long</computeroutput>, <computeroutput>short</computeroutput>, 2709 <computeroutput>char</computeroutput>, and <computeroutput>long 2710 double</computeroutput> on platforms where <computeroutput>sizeof(long 2711 double) == 8</computeroutput>). For arrays of all other types, the 2712 wrappers handle each element individually and so there can be a very 2713 large performance cost.</para> 2714 2715 </sect2> 2716 2717 2718 <sect2 id="mc-manual.mpiwrap.writingwrappers" 2719 xreflabel="Writing new MPI Wrappers"> 2720 <title>Writing new wrappers</title> 2721 2722 <para> 2723 For the most part the wrappers are straightforward. The only 2724 significant complexity arises with nonblocking receives.</para> 2725 2726 <para>The issue is that <computeroutput>MPI_Irecv</computeroutput> 2727 states the recv buffer and returns immediately, giving a handle 2728 (<computeroutput>MPI_Request</computeroutput>) for the transaction. 2729 Later the user will have to poll for completion with 2730 <computeroutput>MPI_Wait</computeroutput> etc, and when the 2731 transaction completes successfully, the wrappers have to paint the 2732 recv buffer. But the recv buffer details are not presented to 2733 <computeroutput>MPI_Wait</computeroutput> -- only the handle is. The 2734 library therefore maintains a shadow table which associates 2735 uncompleted <computeroutput>MPI_Request</computeroutput>s with the 2736 corresponding buffer address/count/type. When an operation completes, 2737 the table is searched for the associated address/count/type info, and 2738 memory is marked accordingly.</para> 2739 2740 <para>Access to the table is guarded by a (POSIX pthreads) lock, so as 2741 to make the library thread-safe.</para> 2742 2743 <para>The table is allocated with 2744 <computeroutput>malloc</computeroutput> and never 2745 <computeroutput>free</computeroutput>d, so it will show up in leak 2746 checks.</para> 2747 2748 <para>Writing new wrappers should be fairly easy. The source file is 2749 <computeroutput>mpi/libmpiwrap.c</computeroutput>. If possible, 2750 find an existing wrapper for a function of similar behaviour to the 2751 one you want to wrap, and use it as a starting point. The wrappers 2752 are organised in sections in the same order as the MPI 1.1 spec, to 2753 aid navigation. When adding a wrapper, remember to comment out the 2754 definition of the default wrapper in the long list of defaults at the 2755 bottom of the file (do not remove it, just comment it out).</para> 2756 </sect2> 2757 2758 <sect2 id="mc-manual.mpiwrap.whattoexpect" 2759 xreflabel="What to expect with MPI Wrappers"> 2760 <title>What to expect when using the wrappers</title> 2761 2762 <para>The wrappers should reduce Memcheck's false-error rate on MPI 2763 applications. Because the wrapping is done at the MPI interface, 2764 there will still potentially be a large number of errors reported in 2765 the MPI implementation below the interface. The best you can do is 2766 try to suppress them.</para> 2767 2768 <para>You may also find that the input-side (buffer 2769 length/definedness) checks find errors in your MPI use, for example 2770 passing too short a buffer to 2771 <computeroutput>MPI_Recv</computeroutput>.</para> 2772 2773 <para>Functions which are not wrapped may increase the false 2774 error rate. A possible approach is to run with 2775 <computeroutput>MPI_DEBUG</computeroutput> containing 2776 <computeroutput>warn</computeroutput>. This will show you functions 2777 which lack proper wrappers but which are nevertheless used. You can 2778 then write wrappers for them. 2779 </para> 2780 2781 <para>A known source of potential false errors are the 2782 <computeroutput>PMPI_Reduce</computeroutput> family of functions, when 2783 using a custom (user-defined) reduction function. In a reduction 2784 operation, each node notionally sends data to a "central point" which 2785 uses the specified reduction function to merge the data items into a 2786 single item. Hence, in general, data is passed between nodes and fed 2787 to the reduction function, but the wrapper library cannot mark the 2788 transferred data as initialised before it is handed to the reduction 2789 function, because all that happens "inside" the 2790 <computeroutput>PMPI_Reduce</computeroutput> call. As a result you 2791 may see false positives reported in your reduction function.</para> 2792 2793 </sect2> 2794 2795 </sect1> 2796 2797 2798 2799 2800 2801 </chapter> 2802
