#> bzip2 -d valgrind-3.1.0.tar.bz2
Available tools
memcheck | memory checker
addrcheck | same as memcheck except that uninitialised values are not checked, but it runs twice as fast as memcheck
cachegrind | CPU cache profiler
massif | heap profiler
helgrind | detects unlocked memory addresses accessed by several threads
Core options
--tool=[memcheck|addrcheck|…]
select the tool
--help
describe commands of the core and of the selected tool
--help-debug
same as --help, with the addition of the debugging options
--version
return version
--log-file=foobar
log the results in foobar.pid<pid>
--log-file-exactly=foobar
log the results in foobar
--log-file-qualifier=VAR
log the results in the file name defined by the environment variable VAR
--log-socket=1.2.3.4:56789
send log to machine 1.2.3.4 on port 56789 (use valgrind-listener to receive the results)
-q, --quiet
only print error messages
-v, --verbose
display more information
repeating the flag increases the verbosity
--trace-children=[yes|no]
default is to not trace the children
--track-fds=[yes|no]
default is to not list open file descriptors
--demangle=[yes|no]
default is to demangle the C++ names
--num-callers=<number>
default is to backtrace 4 routines
maximum value is 50
--error-limit=[yes|no]
when enabled (this is the default), Valgrind stops reporting errors after 30000 in total, or 300 different ones, have been seen; this keeps the error-tracking machinery from becoming a huge performance overhead in programs with many errors.

- Valgrind does not work with setuid'ed binaries.
Memcheck
Every bit in memory or in the CPU has an associated valid-value (V) bit. For integer registers, the validity of the bits is checked only when they are used to generate a memory address, to decide control flow, or as values of system calls (loading undefined bits into registers and adding them is not an error). For floating-point registers, the check is simpler: it is done at the load instruction (i.e. all bits loaded into a floating-point register must be defined). Once the V bits for a value in the CPU have been checked, they are set to indicate validity. This avoids long chains of errors.
Every byte in memory, but not in the CPU, has an associated valid-address (A) bit.
- When the program starts, all the global data areas are marked as accessible.
- When the program does malloc/new, the A bits for exactly the allocated area, and not a byte more, are marked as accessible.
- Upon freeing the area, the A bits are changed to indicate inaccessibility.
- When the stack pointer register (%esp) moves up or down, A bits are set. The rule is that the area from %esp up to the base of the stack is marked as accessible, and the area below %esp is inaccessible.
- When doing system calls, A bits are changed appropriately. For example, mmap() magically makes files appear in the process's address space, so the A bits must be updated if mmap() succeeds.
--leak-check=[no|summary|full]
default leak check is summary
--show-reachable=[yes|no]
default is to not display the reachable memory blocks
--leak-resolution=[low|med|high]
when doing leak checking, determines how we consider different backtraces to be the same: with low (the default) 2 entries need to match, with med 4, and with high all entries need to match.
A typical command line is
valgrind --tool=memcheck --trace-children=yes --num-callers=20 --log-file=/tmp/vglog --leak-check=full --leak-resolution=high --error-limit=no foobar
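The V-bit and A-bit rules above, as an added example that is not part of the original page: three C functions whose deliberately defective calls in main() each produce one kind of Memcheck report when the program is run in place of foobar in the typical command line. The function names are hypothetical, and the reported read size assumes a 4-byte int.

```c
/* Added example, not from the page; names hypothetical, 4-byte int assumed. */
#include <stdio.h>
#include <stdlib.h>

/* V bits: malloc() makes the block addressable but leaves its value
 * undefined. Copying that value is silent; branching on it is reported as
 * "Conditional jump or move depends on uninitialised value(s)". */
int flag_is_set(int initialise)
{
    int *flag = malloc(sizeof *flag);
    int copy, set = 0;
    if (!flag) return -1;
    if (initialise) *flag = 1;
    copy = *flag;            /* load/store only: V bits travel with the data */
    if (copy) set = 1;       /* control flow decided here: V bits are checked */
    free(flag);
    return set;
}

/* A bits: exactly n ints are addressable. Asking for count > n reads past
 * the block and is reported as "Invalid read of size 4". */
long sum_block(size_t n, size_t count)
{
    int *block = malloc(n * sizeof *block);
    long sum = 0;
    size_t i;
    if (!block) return -1;
    for (i = 0; i < n; i++) block[i] = (int)i;
    for (i = 0; i < count; i++) sum += block[i];
    free(block);
    return sum;
}

/* Leak: with release == 0 the only pointer is dropped, so --leak-check=full
 * lists the block as "definitely lost". */
size_t make_record(size_t size, int release)
{
    char *rec = malloc(size);
    if (!rec) return 0;
    if (release) free(rec);
    return size;
}

int main(void)
{
    /* Deliberately defective calls, meant to be run under Valgrind only. */
    printf("%d %ld %zu\n", flag_is_set(0), sum_block(4, 5), make_record(64, 0));
    return 0;
}
```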
--depth=<number>
default is to list the 3 calling routines for each memory allocation
--format=[text|html]
default is to produce a text file