嵌入式 内存泄漏检测工具valgrind以及mtrace

2019-07-12 19:36发布

注意: 1、二进制文件不能strip 2、二进制文件最好使用-g 3、官方文档valgrind:http://valgrind.org/docs/download_docs.html,这是其官方帮助文档,比较全面  valgrind --tool=memcheck --leak-check=full  ./x86_joseph_qrcode

usage

  • x86 平台
  • 先编译你自己的应用程序
  • 命令行:
    • valgrind --log-file=1 --tool=memcheck ./a.out

error specification

一、有malloc,但未free

  • code #include #include void main() { char *p = malloc(20); sprintf(p, "%s", "test"); fprintf(stderr, "p:%s/n", p); }
  • 分析:
    • 文件后部,总体来看,有确定无疑的lost 20字节。如下:==26512== LEAK SUMMARY: ==26512== definitely lost: 20 bytes in 1 blocks.
    • 在文件之前描述的内容,细节可以看出,有1个malloc,但未去free。如下:==26512== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 11 from 1) ==26512== malloc/free: in use at exit: 20 bytes in 1 blocks. ==26512== malloc/free: 1 allocs, 0 frees, 20 bytes allocated.

二、free一个未malloc的指针

  • code void main() { char p[] = "hello"; fprintf(stderr, "p:%s/n", p); free(p); }
  • 分析:
    • 文件后部,总体来看,有1个错误,0个malloc,1个free。如下:==26786== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 11 from 1) ==26786== malloc/free: in use at exit: 0 bytes in 0 blocks. ==26786== malloc/free: 0 allocs, 1 frees, 0 bytes allocated.
    • 在文件之前描述的内容,细节可以看出,有一个无效的free。如下:==26786== Invalid free() / delete / delete[] ==26786== at 0x402265C: free (vg_replace_malloc.c:323) ==26786== by 0x804841F: main (in /home/yutao/test/a.out)

三、stack中,无效的读取,不会提示出错

  • code void main() { char p[8] = "hello"; //p在栈上, "hello"在常量区 fprintf(stderr, "p10:%c/n", p[10]); }
  • 分析:
    • 读取stack栈中的内容,不会提示错误 ==27452== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 11 from 1) ==27452== malloc/free: in use at exit: 0 bytes in 0 blocks. ==27452== malloc/free: 0 allocs, 0 frees, 0 bytes allocated.
  • 其为局部变量,存贮在stack中,由于p[10]未超出栈的长度,所以没提示出错?

四、heap堆中,无效的读取,会提示出错

  • code void main() { char *p = malloc(8); fprintf(stderr, "p10:%c/n", p[10]); free(p); }
  • 分析:
    • 读取heap堆中的内容,会提示错误,提示无效的1个字节的读取,位置是malloc的8字节的后面第2字节==27744== Invalid read of size 1 ==27744== at 0x804842A: main (in /home/yutao/test/a.out) ==27744== Address 0x4190032 is 2 bytes after a block of size 8 alloc'd ==27744== at 0x4022AB8: malloc (vg_replace_malloc.c:207) ==27744== by 0x8048420: main (in /home/yutao/test/a.out) ==27744== ==27744== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 11 from 1) ==27744== malloc/free: in use at exit: 0 bytes in 0 blocks. ==27744== malloc/free: 1 allocs, 1 frees, 8 bytes allocated.
    • malloc的数据在heap堆中。

五、stack上的,无效的写

  • code void main() { char p[8] = "hello"; p[10]='a'; }
  • 分析:
    • 运行时会出错,会打印Backtrace *** stack smashing detected ***: ./a.out terminated ======= Backtrace: ========= /lib/tls/i686/cmov/libc.so.6(__fortify_fail+0x48)[0x412d138] /lib/tls/i686/cmov/libc.so.6(__fortify_fail+0x0)[0x412d0f0] ./a.out[0x80483d6] /lib/tls/i686/cmov/libc.so.6(__libc_start_main+0xe0)[0x4056450] ./a.out[0x8048331] ======= Memory map: ======== 04000000-0401a000 r-xp 00000000 08:06 682589 /lib/ld-2.7.so
    • 总体,会提示有1个错误,内容是5个malloc,0个free==27918== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 13 from 1) ==27918== malloc/free: in use at exit: 892 bytes in 5 blocks. ==27918== malloc/free: 5 allocs, 0 frees, 892 bytes allocated. ==27918== LEAK SUMMARY: ==27918== definitely lost: 0 bytes in 0 blocks. ==27918== possibly lost: 0 bytes in 0 blocks. ==27918== still reachable: 892 bytes in 5 blocks.
    • 文件前面的错误信息是,有一个无效read,读了4个字节。==27918== Invalid read of size 4 ==27918== at 0x40151F3: (within /lib/ld-2.7.so) ==27918== by 0x4005C69: (within /lib/ld-2.7.so) ==27918== by 0x4007A97: (within /lib/ld-2.7.so) ==27918== by 0x4011543: (within /lib/ld-2.7.so) ==27918== by 0x400D5D5: (within /lib/ld-2.7.so) ==27918== by 0x4010F5D: (within /lib/ld-2.7.so) ==27918== by 0x414E291: (within /lib/tls/i686/cmov/libc-2.7.so) ==27918== by 0x400D5D5: (within /lib/ld-2.7.so) ==27918== by 0x414E454: __libc_dlopen_mode (in /lib/tls/i686/cmov/libc-2.7.so) ==27918== by 0x412A4D8: (within /lib/tls/i686/cmov/libc-2.7.so) ==27918== by 0x412A4D8: (within /lib/tls/i686/cmov/libc-2.7.so) ==27918== by 0x412A669: backtrace (in /lib/tls/i686/cmov/libc-2.7.so) ==27918== by 0x40A3B91: (within /lib/tls/i686/cmov/libc-2.7.so) ==27918== Address 0x4190038 is 16 bytes inside a block of size 19 alloc'd
    • 这个提示的错误信息和代码中的信息,没很好的匹配上,但可以知道是已经出错了。

六、heap堆上,无效的写

  • code void main() { char *p = malloc(8); p[10]='a'; free(p); }
  • 分析:
    • 程序运行不会出错
    • 写heap堆中的内容,log会提示错误,提示无效的1个字节的写,位置是malloc的8字节的后面第2字节==28351== Invalid write of size 1 ==28351== at 0x80483CA: main (in /home/yutao/test/a.out) ==28351== Address 0x4190032 is 2 bytes after a block of size 8 alloc'd ==28351== at 0x4022AB8: malloc (vg_replace_malloc.c:207) ==28351== by 0x80483C0: main (in /home/yutao/test/a.out
Valgrind 是一款 Linux下(支持 x86、x86_64和ppc32)程序的内存调试工具,它可以对编译后的二进制程序进行内存使用监测(C语言中的malloc和free,以及C++中的new和delete),找出内存泄漏问题。

  Valgrind 中包含的 Memcheck 工具可以检查以下的程序错误:

  使用未初始化的内存 (Use of uninitialised memory)
  使用已经释放了的内存 (Reading/writing memory after it has been free’d)
  使用超过malloc分配的内存空间(Reading/writing off the end of malloc’d blocks)
  对堆栈的非法访问 (Reading/writing inappropriate areas on the stack)
  申请的空间是否有释放 (Memory leaks – where pointers to malloc’d blocks are lost forever)
  malloc/free/new/delete申请和释放内存的匹配(Mismatched use of malloc/new/new [] vs free/delete/delete [])
  src和dst的重叠(Overlapping src and dst pointers in memcpy() and related functions)
  重复free

  1、编译安装 Valgrind:
wget http://valgrind.org/downloads/valgrind-3.4.1.tar.bz2
tar xvf valgrind-3.4.1.tar.bz2
cd valgrind-3.4.1/
./configure --prefix=/usr/local/webserver/valgrind
make
make install


  2、使用示例:对“ls”程序进程检查,返回结果中的“definitely lost: 0 bytes in 0 blocks.”表示没有内存泄漏。
[root@xoyo42 /]# /usr/local/webserver/valgrind/bin/valgrind --tool=memcheck --leak-check=full ls /
==1157== Memcheck, a memory error detector.
==1157== Copyright (C) 2002-2008, and GNU GPL'd, by Julian Seward et al.
==1157== Using LibVEX rev 1884, a library for dynamic binary translation.
==1157== Copyright (C) 2004-2008, and GNU GPL'd, by OpenWorks LLP.
==1157== Using valgrind-3.4.1, a dynamic binary instrumentation framework.
==1157== Copyright (C) 2000-2008, and GNU GPL'd, by Julian Seward et al.
==1157== For more details, rerun with: -v
==1157==
bin data0 dev home lib64 media mnt opt root selinux sys tcsql.db.idx.pkey.dec ttserver.pid var
boot data1 etc lib lost+found misc net proc sbin srv tcsql.db tmp usr
==1157==
==1157== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 5 from 1)
==1157== malloc/free: in use at exit: 28,471 bytes in 36 blocks.
==1157== malloc/free: 166 allocs, 130 frees, 51,377 bytes allocated.
==1157== For counts of detected errors, rerun with: -v
==1157== searching for pointers to 36 not-freed blocks.
==1157== checked 174,640 bytes.
==1157==
==1157== LEAK SUMMARY:
==1157== definitely lost: 0 bytes in 0 blocks.
==1157== possibly lost: 0 bytes in 0 blocks.
==1157== still reachable: 28,471 bytes in 36 blocks.
==1157== suppressed: 0 bytes in 0 blocks.
==1157== Reachable blocks (those to which a pointer was found) are not shown.
==1157== To see them, rerun with: --leak-check=full --show-reachable=yes


  3、使用示例:对一个使用libevent库编写的“httptest”程序进程检查,返回结果中的“definitely lost: 255 bytes in 5 blocks.”表示发生内存泄漏。
[root@xoyo42 tcsql-0.1]# /usr/local/webserver/valgrind/bin/valgrind --tool=memcheck --leak-check=full ./httptest
==1274== Memcheck, a memory error detector.
==1274== Copyright (C) 2002-2008, and GNU GPL'd, by Julian Seward et al.
==1274== Using LibVEX rev 1884, a library for dynamic binary translation.
==1274== Copyright (C) 2004-2008, and GNU GPL'd, by OpenWorks LLP.
==1274== Using valgrind-3.4.1, a dynamic binary instrumentation framework.
==1274== Copyright (C) 2000-2008, and GNU GPL'd, by Julian Seward et al.
==1274== For more details, rerun with: -v
==1274==
==1274== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 1005 from 2)
==1274== malloc/free: in use at exit: 402,291 bytes in 74 blocks.
==1274== malloc/free: 15,939 allocs, 15,865 frees, 6,281,523 bytes allocated.
==1274== For counts of detected errors, rerun with: -v
==1274== searching for pointers to 74 not-freed blocks.
==1274== checked 682,468,160 bytes.
==1274==
==1274== 255 bytes in 5 blocks are definitely lost in loss record 17 of 32
==1274== at 0x4A05FBB: malloc (vg_replace_malloc.c:207)
==1274== by 0x3C1D809BC6: evhttp_decode_uri (http.c:2105)
==1274== by 0x401C75: tcsql_handler (in /data0/tcsql/cankao/tcsql-0.1/tcsql)
==1274== by 0x3C1D80C88F: evhttp_get_body (http.c:1582)
==1274== by 0x3C1D8065F7: event_base_loop (event.c:392)
==1274== by 0x403E2F: main (in /data0/tcsql/cankao/tcsql-0.1/tcsql)
==1274==
==1274== LEAK SUMMARY:
==1274== definitely lost: 255 bytes in 5 blocks.
==1274== possibly lost: 0 bytes in 0 blocks.
==1274== still reachable: 402,036 bytes in 69 blocks.
==1274== suppressed: 0 bytes in 0 blocks.
==1274== Reachable blocks (those to which a pointer was found) are not shown.
==1274== To see them, rerun with: --leak-check=full --show-reachable=yes


  检查httptest程序,发现有一处“char *decode_uri = evhttp_decode_uri(evhttp_request_uri(req));”中的“decode_uri”没有被free,再程序处理完成后加上“free(decode_uri);”后,再使用Valgrind检查,结果已经是“definitely lost: 0 bytes in 0 blocks.”。
  mtrace:

前言

所有使用动态内存分配(dynamic memory allocation)的程序都有机会遇上内存泄露(memory leakage)问题,在Linux里有三种常用工具来检测内存泄露的情況,包括:
  1. mtrace
  2. dmalloc
  3. memwatch

1. mtrace

mtrace是三款工具之中是最简单易用的,mtrace是一个C函數,在里声明及定义,函数原型为: void mtrace(void);
其实mtrace是类似malloc_hook的 malloc handler,只不过mtrace的handler function已由系统为你写好,但既然如此,系统又怎么知道你想将malloc/free的记录写在哪里呢?为此,调用mtrace()前要先设置 MALLOC_TRACE环境变量: #include
....
setenv("MALLOC_TRACE", "output_file_name", 1);
...

「output_file_name」就是储存检测结果的文件的名称。 但是检测结果的格式是一般人无法理解的,而只要有安装mtrace的话,就会有一名为mtrace的Perl script,在shell输入以下指令: mtrace [binary] output_file_name
就会将output_file_name的內容转化成能被理解的语句,例如「No memory leaks」,「0x12345678 Free 10 was never alloc」诸如此类。 例如以下有一函数:(暂且放下single entry single exit的原则) #include
#include
#include
#include
int main() {
char *hello;

setenv("MALLOC_TRACE", "output", 1);
mtrace();
if ((hello = (char *) malloc(sizeof(char))) == NULL) {
perror("Cannot allocate memory.");
return -1;
}

return 0;
}

执行后,再用mtrace 将结果输出: - 0x08049670 Free 3 was never alloc'd 0x42029acc
- 0x080496f0 Free 4 was never alloc'd 0x420dc9e9
- 0x08049708 Free 5 was never alloc'd 0x420dc9f1
- 0x08049628 Free 6 was never alloc'd 0x42113a22
- 0x08049640 Free 7 was never alloc'd 0x42113a52
- 0x08049658 Free 8 was never alloc'd 0x42113a96

Memory not freed:
-----------------
Address Size Caller
0x08049a90 0x1 at 0x80483fe

最后一行标明有一个大小为1 byte的内存尚未释放,大概是指「hello」吧。 若我们把该段内存释放:
#include
#include
#include
#include
int main() {
char *hello;

setenv("MALLOC_TRACE", "output", 1);
mtrace();
if ((hello = (char *) malloc(sizeof(char))) == NULL) {
perror("Cannot allocate memory.");
return -1;
}

free(hello);
return 0;
}

结果如下: - 0x080496b0 Free 4 was never alloc'd 0x42029acc
- 0x08049730 Free 5 was never alloc'd 0x420dc9e9
- 0x08049748 Free 6 was never alloc'd 0x420dc9f1
- 0x08049668 Free 7 was never alloc'd 0x42113a22
- 0x08049680 Free 8 was never alloc'd 0x42113a52
- 0x08049698 Free 9 was never alloc'd 0x42113a96
No memory leaks.

mtrace的原理是记录每一对malloc-free的执行,若每一个malloc都有相应的free,则代表没有内存泄露,对于任何非malloc/free情況下所发生的内存泄露问题,mtrace并不能找出来。