Valgrind Detailed Tutorial (1): Memcheck
2022-07-19 01:51:00 【tissar】
1. Introduction
Memcheck is Valgrind's flagship tool. It detects memory errors in C/C++ programs:
- Invalid memory access (heap, stack, segmentation faults)
- Use of uninitialized variables
- Invalid frees (double free, a release that does not match the allocation)
- Memory overlap errors
- Memory leaks
- Incorrect memory requests
In addition, Memcheck can also be used for memory tree analysis.
2. Invalid memory access
2.1 Code
```c
int main( void )
{
    int *ptr = 0;
    *ptr = 0;
    return 0;
}
```
2.2 Run
```
$ gcc test.c -g
$ ./a.out
Segmentation fault (core dumped)
```
2.3 Debugging
```
$ valgrind ./a.out
···
==2681== Invalid write of size 4
==2681==    at 0x10860A: main (test.c:4)
==2681==  Address 0x0 is not stack'd, malloc'd or (recently) free'd
==2681==
==2681==
==2681== Process terminating with default action of signal 11 (SIGSEGV)
==2681==  Access not within mapped region at address 0x0
==2681==    at 0x10860A: main (test.c:4)
==2681==  If you believe this happened as a result of a stack
==2681==  overflow in your program's main thread (unlikely but
==2681==  possible), you can try to increase the size of the
==2681==  main thread stack using the --main-stacksize= flag.
==2681==  The main thread stack size used in this run was 8388608.
···
```
Line 4 of test.c: an illegal access to a variable at address 0x0. This error causes the program to be terminated by the signal SIGSEGV.
Note:
- Debugging options (-g) are required at compile time
- Because Memcheck is the default tool, the --tool=memcheck option is omitted
3. Use of uninitialized variables
3.1 Code (1)
```c
#include <stdio.h>

int main( void )
{
    int x;
    printf("x = %d\n", x);
    return 0;
}
```
3.2 Debugging (1)
```
$ valgrind ./a.out
···
==2698== Conditional jump or move depends on uninitialised value(s)
==2698==    at 0x4E988DA: vfprintf (vfprintf.c:1642)
==2698==    by 0x4EA0F25: printf (printf.c:33)
==2698==    by 0x108667: main (test.c:6)
==2698==
==2698== Use of uninitialised value of size 8
==2698==    at 0x4E9486B: _itoa_word (_itoa.c:179)
==2698==    by 0x4E97F0D: vfprintf (vfprintf.c:1642)
==2698==    by 0x4EA0F25: printf (printf.c:33)
==2698==    by 0x108667: main (test.c:6)
···
```
Line 6 of test.c: an uninitialized variable is accessed in the function printf().
3.3 Code (2)
```c
#include <stdlib.h>

int main( void )
{
    int *arr = malloc(sizeof(int));
    exit(arr[0]);
    return 0;
}
```
3.4 Debugging (2)
```
$ valgrind ./a.out
···
==2707== Syscall param exit_group(status) contains uninitialised byte(s)
==2707==    at 0x4F20E06: _Exit (_exit.c:31)
==2707==    by 0x4E7F111: __run_exit_handlers (exit.c:132)
==2707==    by 0x4E7F139: exit (exit.c:139)
==2707==    by 0x1086AC: main (test.c:6)
···
```
Line 6 of test.c: an uninitialized variable is accessed in the system call exit().
4. Invalid frees
4.1 Code (1)
```c
#include <stdlib.h>

int main( void )
{
    int *ptr = malloc(10);
    free(ptr);
    free(ptr);
    return 0;
}
```
4.2 Debugging (1)
```
$ valgrind ./a.out
···
==2715== Invalid free() / delete / delete[] / realloc()
==2715==    at 0x4C30D3B: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==2715==    by 0x1086B7: main (test.c:7)
==2715==  Address 0x522d040 is 0 bytes inside a block of size 10 free'd
==2715==    at 0x4C30D3B: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==2715==    by 0x1086AB: main (test.c:6)
==2715==  Block was alloc'd at
==2715==    at 0x4C2FB0F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==2715==    by 0x10869B: main (test.c:5)
···
```
The memory is allocated on line 5 of test.c, released correctly on line 6, and released illegally on line 7.
4.3 Code (2)
```cpp
#include <cstdlib>

int main(void)
{
    int *ptr = (int*)malloc(10);
    delete ptr;
    return 0;
}
```
4.4 Debugging (2)
```
$ valgrind ./a.out
···
==2265== Mismatched free() / delete / delete []
==2265==    at 0x4C3123B: operator delete(void*) (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==2265==    by 0x1086F0: main (test.cpp:6)
==2265==  Address 0x5b7dc80 is 0 bytes inside a block of size 10 alloc'd
==2265==    at 0x4C2FB0F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==2265==    by 0x1086DB: main (test.cpp:5)
···
```
The memory is allocated on line 5 of test.c (malloc) and released illegally on line 6 (free).
5. Memory overlap error
5.1 Code
```c
#include <stdio.h>
#include <string.h>

/* Naive forward byte copy: deliberately does not handle overlapping regions. */
void *memcpy(void *dest, const void *src, size_t n)
{
    char *d = dest;
    const char *s = src;
    for (size_t i = 0; i < n; ++i) {
        d[i] = s[i];
    }
    return dest;   /* memcpy returns the destination pointer */
}

int main(void)
{
    char arr[16];
    memset(arr, 0, sizeof(arr));
    strcpy(arr, "overlap");
    printf("%s\n", arr);
    memcpy(arr + 3, arr, strlen(arr));   /* source and destination overlap */
    printf("%s\n", arr);
    return 0;
}
```
5.2 Expected output
```
overlap
oveoverlap
```
5.3 Output when the memory overlap occurs
```
overlap
oveoveoveo
```
5.4 Example Valgrind output
```
==27492== Source and destination overlap in memcpy(0xbffff294, 0xbffff280, 21)
==27492==    at 0x40026CDC: memcpy (mc_replace_strmem.c:71)
==27492==    by 0x804865A: main (overlap.c:40)
```
5.5 Fix
Change the memcpy function to the following code:
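```c
/* Requires #include <stdlib.h> for malloc() and free(). */
void *memcpy(void *dest, const void *src, size_t n)
{
    char *arr;
    char *d = dest;
    const char *s = src;
    if (n == 0) {
        return dest;   /* nothing to copy */
    }
    arr = malloc(n);   /* temporary copy of src */
    if (arr == NULL) {
        return NULL;   /* allocation failed, nothing copied */
    }
    for (size_t i = 0; i < n; ++i) {
        arr[i] = s[i];
    }
    for (size_t i = 0; i < n; ++i) {
        d[i] = arr[i];
    }
    free(arr);   /* release the temporary buffer */
    return dest;
}
```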
Making a copy of src first prevents the source bytes from being overwritten during the copy.
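An alternative to the temporary buffer, shown as an added example that is not part of the original page: the copy direction is chosen from the pointer order, so overlapping regions are handled without any allocation. The names regions_overlap, copy_overlap_safe and demo_overlap are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Returns 1 if [a, a+n) and [b, b+n) share at least one byte. */
int regions_overlap(const void *a, const void *b, size_t n)
{
    uintptr_t pa = (uintptr_t)a, pb = (uintptr_t)b;
    if (n == 0)
        return 0;
    return pa < pb ? (pb - pa) < n : (pa - pb) < n;
}

/* Hypothetical helper: copies n bytes correctly even if the regions overlap. */
void *copy_overlap_safe(void *dest, const void *src, size_t n)
{
    unsigned char *d = dest;
    const unsigned char *s = src;

    if ((uintptr_t)d > (uintptr_t)s && regions_overlap(d, s, n)) {
        /* dest starts inside src: copy backward so unread source bytes
           are never overwritten. */
        for (size_t i = n; i > 0; --i)
            d[i - 1] = s[i - 1];
    } else {
        /* Disjoint, or dest below src: a forward copy is safe. */
        for (size_t i = 0; i < n; ++i)
            d[i] = s[i];
    }
    return dest;
}

/* Replays the test case from section 5.1 into out (at least 16 bytes). */
const char *demo_overlap(char *out)
{
    memset(out, 0, 16);
    strcpy(out, "overlap");
    copy_overlap_safe(out + 3, out, strlen(out));
    return out;
}

int main(void)
{
    char arr[16];
    printf("%s\n", demo_overlap(arr));
    return 0;
}
```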
6. Memory leak
6.1 Code
```c
#include <stdlib.h>

int main( void )
{
    char *ptr = malloc(100);
    ptr = malloc(50);
    free(ptr);
    return 0;
}
```
6.2 Debugging
```
$ valgrind --tool=memcheck --leak-check=full ./a.out
···
==2646== HEAP SUMMARY:
==2646==     in use at exit: 100 bytes in 1 blocks
==2646==   total heap usage: 2 allocs, 1 frees, 150 bytes allocated
==2646==
==2646== 100 bytes in 1 blocks are definitely lost in loss record 1 of 1
==2646==    at 0x4C2FB0F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==2646==    by 0x10869B: main (test.c:5)
==2646==
==2646== LEAK SUMMARY:
==2646==    definitely lost: 100 bytes in 1 blocks
==2646==    indirectly lost: 0 bytes in 0 blocks
==2646==      possibly lost: 0 bytes in 0 blocks
==2646==    still reachable: 0 bytes in 0 blocks
==2646==         suppressed: 0 bytes in 0 blocks
···
```
Line 5: the memory requested by malloc() is leaked. Clearly, there are two malloc() calls but only one corresponding free().
Meaning of the LEAK SUMMARY entries:
| Type | Meaning |
|---|---|
| definitely lost | Definitely leaked |
| indirectly lost | Indirectly leaked |
| possibly lost | Possibly leaked |
| still reachable | Not freed, but still referenced |
7. Incorrect memory requests
7.1 Code
```c
#include <stdio.h>
#include <stdlib.h>

int main( void )
{
    int val = -1;
    char *ptr = malloc(val);
    printf("ptr = %p \n", ptr);
    if( ptr != 0 ) free(ptr);
    return 0;
}
```
7.2 Debugging
```
$ valgrind ./a.out
···
==2885== Argument 'size' of function malloc has a fishy (possibly negative) value: -1
==2885==    at 0x4C2FB0F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==2885==    by 0x1086F2: main (test.c:8)
==2885==
ptr = (nil)
···
```
Line 6: requesting a negative amount of memory from the system is unwise. Here malloc() returns a null pointer. Therefore, it is necessary to check the pointer returned by malloc()! Likewise, it is also necessary to check the argument passed to malloc()!
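One way to check both the argument and the return value, as an added example that is not part of the original page. checked_alloc and negative_request_rejected are hypothetical names, not libc or Valgrind APIs, and treating a zero-sized request as an error is a design choice made here.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical wrapper: validates the request before it reaches malloc().
   count is signed on purpose, so a negative value is caught before it
   converts to a huge size_t. */
void *checked_alloc(long long count, size_t elem_size)
{
    if (count <= 0 || elem_size == 0)
        return NULL;                    /* negative or empty request */
    if ((unsigned long long)count > SIZE_MAX / elem_size)
        return NULL;                    /* count * elem_size would wrap */
    return malloc((size_t)count * elem_size);
}

/* Returns 1 when the request from section 7.1 (val = -1) is rejected by the
   argument check, and confirms what malloc() would otherwise have received. */
int negative_request_rejected(void)
{
    int val = -1;
    return checked_alloc(val, sizeof(char)) == NULL
        && (size_t)val == SIZE_MAX;     /* -1 converts to the largest size_t */
}

int main(void)
{
    int *items = checked_alloc(10, sizeof *items);
    if (items == NULL) {                /* always check the returned pointer */
        fprintf(stderr, "allocation rejected or failed\n");
        return 1;
    }
    items[0] = 42;
    printf("items[0] = %d, negative request rejected: %d\n",
           items[0], negative_request_rejected());
    free(items);
    return 0;
}
```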