njn | 3e986b2 | 2004-11-30 10:43:45 +0000 | [diff] [blame] | 1 | <?xml version="1.0"?> <!-- -*- sgml -*- --> |
| 2 | <!DOCTYPE chapter PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN" |
de | 03e0e7c | 2005-12-03 23:02:33 +0000 | [diff] [blame] | 3 | "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"> |
| 4 | |
njn | 3e986b2 | 2004-11-30 10:43:45 +0000 | [diff] [blame] | 5 | |
| 6 | <chapter id="mc-manual" xreflabel="Memcheck: a heavyweight memory checker"> |
| 7 | <title>Memcheck: a heavyweight memory checker</title> |
| 8 | |
de | 03e0e7c | 2005-12-03 23:02:33 +0000 | [diff] [blame] | 9 | <para>To use this tool, you may specify <option>--tool=memcheck</option> |
| 10 | on the Valgrind command line. You don't have to, though, since Memcheck |
| 11 | is the default tool.</para> |
njn | 3e986b2 | 2004-11-30 10:43:45 +0000 | [diff] [blame] | 12 | |
| 13 | |
| 14 | <sect1 id="mc-manual.bugs" |
| 15 | xreflabel="Kinds of bugs that Memcheck can find"> |
| 16 | <title>Kinds of bugs that Memcheck can find</title> |
| 17 | |
de | 03e0e7c | 2005-12-03 23:02:33 +0000 | [diff] [blame] | 18 | <para>Memcheck is Valgrind's heavyweight memory checking tool. All |
| 19 | reads and writes of memory are checked, and calls to |
| 20 | malloc/new/free/delete are intercepted. As a result, Memcheck can detect |
| 21 | the following problems:</para> |
njn | 3e986b2 | 2004-11-30 10:43:45 +0000 | [diff] [blame] | 22 | |
| 23 | <itemizedlist> |
| 24 | <listitem> |
| 25 | <para>Use of uninitialised memory</para> |
| 26 | </listitem> |
| 27 | <listitem> |
| 28 | <para>Reading/writing memory after it has been free'd</para> |
| 29 | </listitem> |
| 30 | <listitem> |
| 31 | <para>Reading/writing off the end of malloc'd blocks</para> |
| 32 | </listitem> |
| 33 | <listitem> |
| 34 | <para>Reading/writing inappropriate areas on the stack</para> |
| 35 | </listitem> |
| 36 | <listitem> |
de | 03e0e7c | 2005-12-03 23:02:33 +0000 | [diff] [blame] | 37 | <para>Memory leaks - where pointers to malloc'd blocks are |
njn | 3e986b2 | 2004-11-30 10:43:45 +0000 | [diff] [blame] | 38 | lost forever</para> |
| 39 | </listitem> |
| 40 | <listitem> |
| 41 | <para>Mismatched use of malloc/new/new [] vs |
| 42 | free/delete/delete []</para> |
| 43 | </listitem> |
| 44 | <listitem> |
| 45 | <para>Overlapping <computeroutput>src</computeroutput> and |
| 46 | <computeroutput>dst</computeroutput> pointers in |
de | 03e0e7c | 2005-12-03 23:02:33 +0000 | [diff] [blame] | 47 | <function>memcpy()</function> and related |
njn | 3e986b2 | 2004-11-30 10:43:45 +0000 | [diff] [blame] | 48 | functions</para> |
| 49 | </listitem> |
njn | 3e986b2 | 2004-11-30 10:43:45 +0000 | [diff] [blame] | 50 | </itemizedlist> |
| 51 | |
| 52 | </sect1> |
| 53 | |
| 54 | |
| 55 | |
| 56 | <sect1 id="mc-manual.flags" |
njn | 779a2d6 | 2005-07-25 00:12:19 +0000 | [diff] [blame] | 57 | xreflabel="Command-line flags specific to Memcheck"> |
| 58 | <title>Command-line flags specific to Memcheck</title> |
njn | 3e986b2 | 2004-11-30 10:43:45 +0000 | [diff] [blame] | 59 | |
de | 03e0e7c | 2005-12-03 23:02:33 +0000 | [diff] [blame] | 60 | <!-- start of xi:include in the manpage --> |
| 61 | <variablelist id="mc.opts.list"> |
njn | 5127298 | 2005-07-25 23:18:44 +0000 | [diff] [blame] | 62 | |
de | 03e0e7c | 2005-12-03 23:02:33 +0000 | [diff] [blame] | 63 | <varlistentry id="opt.leak-check" xreflabel="--leak-check"> |
| 64 | <term> |
| 65 | <option><![CDATA[--leak-check=<no|summary|yes|full> [default: summary] ]]></option> |
| 66 | </term> |
| 67 | <listitem> |
| 68 | <para>When enabled, search for memory leaks when the client |
| 69 | program finishes. A memory leak means a malloc'd block, which has |
| 70 | not yet been free'd, but to which no pointer can be found. Such a |
| 71 | block can never be free'd by the program, since no pointer to it |
| 72 | exists. If set to <varname>summary</varname>, it says how many |
| 73 | leaks occurred. If set to <varname>full</varname> or |
| 74 | <varname>yes</varname>, it gives details of each individual |
| 75 | leak.</para> |
| 76 | </listitem> |
| 77 | </varlistentry> |
njn | 3e986b2 | 2004-11-30 10:43:45 +0000 | [diff] [blame] | 78 | |
de | 03e0e7c | 2005-12-03 23:02:33 +0000 | [diff] [blame] | 79 | <varlistentry id="opt.show-reachable" xreflabel="--show-reachable"> |
| 80 | <term> |
| 81 | <option><![CDATA[--show-reachable=<yes|no> [default: no] ]]></option> |
| 82 | </term> |
| 83 | <listitem> |
| 84 | <para>When disabled, the memory leak detector only shows blocks |
| 85 | for which it cannot find a pointer to at all, or it can only find |
| 86 | a pointer to the middle of. These blocks are prime candidates for |
| 87 | memory leaks. When enabled, the leak detector also reports on |
| 88 | blocks which it could find a pointer to. Your program could, at |
| 89 | least in principle, have freed such blocks before exit. Contrast |
| 90 | this to blocks for which no pointer, or only an interior pointer |
| 91 | could be found: they are more likely to indicate memory leaks, |
| 92 | because you do not actually have a pointer to the start of the |
| 93 | block which you can hand to <function>free</function>, even if you |
| 94 | wanted to.</para> |
| 95 | </listitem> |
| 96 | </varlistentry> |
njn | 3e986b2 | 2004-11-30 10:43:45 +0000 | [diff] [blame] | 97 | |
de | 03e0e7c | 2005-12-03 23:02:33 +0000 | [diff] [blame] | 98 | <varlistentry id="opt.leak-resolution" xreflabel="--leak-resolution"> |
| 99 | <term> |
| 100 | <option><![CDATA[--leak-resolution=<low|med|high> [default: low] ]]></option> |
| 101 | </term> |
| 102 | <listitem> |
| 103 | <para>When doing leak checking, determines how willing |
| 104 | <constant>memcheck</constant> is to consider different backtraces to |
| 105 | be the same. When set to <varname>low</varname>, only the first |
| 106 | two entries need match. When <varname>med</varname>, four entries |
| 107 | have to match. When <varname>high</varname>, all entries need to |
| 108 | match.</para> |
njn | 3e986b2 | 2004-11-30 10:43:45 +0000 | [diff] [blame] | 109 | |
de | 03e0e7c | 2005-12-03 23:02:33 +0000 | [diff] [blame] | 110 | <para>For hardcore leak debugging, you probably want to use |
| 111 | <option>--leak-resolution=high</option> together with |
| 112 | <option>--num-callers=40</option> or some such large number. Note |
| 113 | however that this can give an overwhelming amount of information, |
| 114 | which is why the defaults are 4 callers and low-resolution |
| 115 | matching.</para> |
njn | 3e986b2 | 2004-11-30 10:43:45 +0000 | [diff] [blame] | 116 | |
de | 03e0e7c | 2005-12-03 23:02:33 +0000 | [diff] [blame] | 117 | <para>Note that the <option>--leak-resolution=</option> setting |
| 118 | does not affect <constant>memcheck's</constant> ability to find |
| 119 | leaks. It only changes how the results are presented.</para> |
| 120 | </listitem> |
| 121 | </varlistentry> |
njn | 3e986b2 | 2004-11-30 10:43:45 +0000 | [diff] [blame] | 122 | |
de | 03e0e7c | 2005-12-03 23:02:33 +0000 | [diff] [blame] | 123 | <varlistentry id="opt.freelist-vol" xreflabel="--freelist-vol"> |
| 124 | <term> |
| 125 | <option><![CDATA[--freelist-vol=<number> [default: 5000000] ]]></option> |
| 126 | </term> |
| 127 | <listitem> |
| 128 | <para>When the client program releases memory using |
| 129 | <function>free</function> (in <literal>C</literal>) or delete |
| 130 | (<literal>C++</literal>), that memory is not immediately made |
| 131 | available for re-allocation. Instead, it is marked inaccessible |
| 132 | and placed in a queue of freed blocks. The purpose is to defer as |
| 133 | long as possible the point at which freed-up memory comes back |
| 134 | into circulation. This increases the chance that |
| 135 | <constant>memcheck</constant> will be able to detect invalid |
| 136 | accesses to blocks for some significant period of time after they |
| 137 | have been freed.</para> |
njn | 3e986b2 | 2004-11-30 10:43:45 +0000 | [diff] [blame] | 138 | |
de | 03e0e7c | 2005-12-03 23:02:33 +0000 | [diff] [blame] | 139 | <para>This flag specifies the maximum total size, in bytes, of the |
| 140 | blocks in the queue. The default value is five million bytes. |
| 141 | Increasing this increases the total amount of memory used by |
| 142 | <constant>memcheck</constant> but may detect invalid uses of freed |
| 143 | blocks which would otherwise go undetected.</para> |
| 144 | </listitem> |
| 145 | </varlistentry> |
| 146 | |
| 147 | <varlistentry id="opt.workaround-gcc296-bugs" xreflabel="--workaround-gcc296-bugs"> |
| 148 | <term> |
| 149 | <option><![CDATA[--workaround-gcc296-bugs=<yes|no> [default: no] ]]></option> |
| 150 | </term> |
| 151 | <listitem> |
| 152 | <para>When enabled, assume that reads and writes some small |
| 153 | distance below the stack pointer are due to bugs in gcc 2.96, and |
| 154 | does not report them. The "small distance" is 256 bytes by |
| 155 | default. Note that gcc 2.96 is the default compiler on some older |
| 156 | Linux distributions (RedHat 7.X) and so you may need to use this |
| 157 | flag. Do not use it if you do not have to, as it can cause real |
| 158 | errors to be overlooked. A better alternative is to use a more |
| 159 | recent gcc/g++ in which this bug is fixed.</para> |
| 160 | </listitem> |
| 161 | </varlistentry> |
| 162 | |
| 163 | <varlistentry id="opt.partial-loads-ok" xreflabel="--partial-loads-ok"> |
| 164 | <term> |
| 165 | <option><![CDATA[--partial-loads-ok=<yes|no> [default: no] ]]></option> |
| 166 | </term> |
| 167 | <listitem> |
| 168 | <para>Controls how <constant>memcheck</constant> handles word-sized, |
| 169 | word-aligned loads from addresses for which some bytes are |
| 170 | addressible and others are not. When <varname>yes</varname>, such |
| 171 | loads do not elicit an address error. Instead, the loaded V bytes |
| 172 | corresponding to the illegal addresses indicate Undefined, and |
| 173 | those corresponding to legal addresses are loaded from shadow |
| 174 | memory, as usual.</para> |
| 175 | |
| 176 | <para>When <varname>no</varname>, loads from partially invalid |
| 177 | addresses are treated the same as loads from completely invalid |
| 178 | addresses: an illegal-address error is issued, and the resulting V |
| 179 | bytes indicate valid data.</para> |
| 180 | |
| 181 | <para>Note that code that behaves in this way is in violation of |
| 182 | the the ISO C/C++ standards, and should be considered broken. If |
| 183 | at all possible, such code should be fixed. This flag should be |
| 184 | used only as a last resort.</para> |
| 185 | </listitem> |
| 186 | </varlistentry> |
| 187 | |
njn | 1d0825f | 2006-03-27 11:37:07 +0000 | [diff] [blame] | 188 | <varlistentry id="opt.undef-value-errors" xreflabel="--undef-value-errors"> |
| 189 | <term> |
| 190 | <option><![CDATA[--undef-value-errors=<yes|no> [default: yes] ]]></option> |
| 191 | </term> |
| 192 | <listitem> |
| 193 | <para>Controls whether <constant>memcheck</constant> detects |
| 194 | dangerous uses of undefined value errors. When |
| 195 | <varname>yes</varname>, Memcheck behaves like Addrcheck, a lightweight |
| 196 | memory-checking tool that used to be part of Valgrind, which didn't |
| 197 | detect undefined value errors. Use this option if you don't like |
| 198 | seeing undefined value errors. |
| 199 | </para> |
| 200 | </listitem> |
| 201 | </varlistentry> |
| 202 | |
de | 03e0e7c | 2005-12-03 23:02:33 +0000 | [diff] [blame] | 203 | </variablelist> |
| 204 | <!-- end of xi:include in the manpage --> |
| 205 | |
njn | 3e986b2 | 2004-11-30 10:43:45 +0000 | [diff] [blame] | 206 | </sect1> |
| 207 | |
| 208 | |
| 209 | <sect1 id="mc-manual.errormsgs" |
| 210 | xreflabel="Explanation of error messages from Memcheck"> |
| 211 | <title>Explanation of error messages from Memcheck</title> |
| 212 | |
de | 03e0e7c | 2005-12-03 23:02:33 +0000 | [diff] [blame] | 213 | <para>Despite considerable sophistication under the hood, Memcheck can |
| 214 | only really detect two kinds of errors: use of illegal addresses, and |
| 215 | use of undefined values. Nevertheless, this is enough to help you |
| 216 | discover all sorts of memory-management nasties in your code. This |
| 217 | section presents a quick summary of what error messages mean. The |
| 218 | precise behaviour of the error-checking machinery is described in |
| 219 | <xref linkend="mc-manual.machine"/>.</para> |
njn | 3e986b2 | 2004-11-30 10:43:45 +0000 | [diff] [blame] | 220 | |
| 221 | |
| 222 | <sect2 id="mc-manual.badrw" |
| 223 | xreflabel="Illegal read / Illegal write errors"> |
| 224 | <title>Illegal read / Illegal write errors</title> |
| 225 | |
| 226 | <para>For example:</para> |
| 227 | <programlisting><![CDATA[ |
| 228 | Invalid read of size 4 |
| 229 | at 0x40F6BBCC: (within /usr/lib/libpng.so.2.1.0.9) |
| 230 | by 0x40F6B804: (within /usr/lib/libpng.so.2.1.0.9) |
| 231 | by 0x40B07FF4: read_png_image__FP8QImageIO (kernel/qpngio.cpp:326) |
| 232 | by 0x40AC751B: QImageIO::read() (kernel/qimage.cpp:3621) |
njn | 21f9195 | 2005-03-12 22:14:42 +0000 | [diff] [blame] | 233 | Address 0xBFFFF0E0 is not stack'd, malloc'd or free'd |
njn | 3e986b2 | 2004-11-30 10:43:45 +0000 | [diff] [blame] | 234 | ]]></programlisting> |
| 235 | |
de | 03e0e7c | 2005-12-03 23:02:33 +0000 | [diff] [blame] | 236 | <para>This happens when your program reads or writes memory at a place |
| 237 | which Memcheck reckons it shouldn't. In this example, the program did a |
| 238 | 4-byte read at address 0xBFFFF0E0, somewhere within the system-supplied |
| 239 | library libpng.so.2.1.0.9, which was called from somewhere else in the |
| 240 | same library, called from line 326 of <filename>qpngio.cpp</filename>, |
| 241 | and so on.</para> |
njn | 3e986b2 | 2004-11-30 10:43:45 +0000 | [diff] [blame] | 242 | |
de | 03e0e7c | 2005-12-03 23:02:33 +0000 | [diff] [blame] | 243 | <para>Memcheck tries to establish what the illegal address might relate |
| 244 | to, since that's often useful. So, if it points into a block of memory |
| 245 | which has already been freed, you'll be informed of this, and also where |
| 246 | the block was free'd at. Likewise, if it should turn out to be just off |
| 247 | the end of a malloc'd block, a common result of off-by-one-errors in |
| 248 | array subscripting, you'll be informed of this fact, and also where the |
| 249 | block was malloc'd.</para> |
njn | 3e986b2 | 2004-11-30 10:43:45 +0000 | [diff] [blame] | 250 | |
de | 03e0e7c | 2005-12-03 23:02:33 +0000 | [diff] [blame] | 251 | <para>In this example, Memcheck can't identify the address. Actually |
| 252 | the address is on the stack, but, for some reason, this is not a valid |
| 253 | stack address -- it is below the stack pointer and that isn't allowed. |
| 254 | In this particular case it's probably caused by gcc generating invalid |
sewardj | 8d9fec5 | 2005-11-15 20:56:23 +0000 | [diff] [blame] | 255 | code, a known bug in some ancient versions of gcc.</para> |
njn | 3e986b2 | 2004-11-30 10:43:45 +0000 | [diff] [blame] | 256 | |
de | 03e0e7c | 2005-12-03 23:02:33 +0000 | [diff] [blame] | 257 | <para>Note that Memcheck only tells you that your program is about to |
| 258 | access memory at an illegal address. It can't stop the access from |
| 259 | happening. So, if your program makes an access which normally would |
| 260 | result in a segmentation fault, you program will still suffer the same |
| 261 | fate -- but you will get a message from Memcheck immediately prior to |
| 262 | this. In this particular example, reading junk on the stack is |
| 263 | non-fatal, and the program stays alive.</para> |
njn | 3e986b2 | 2004-11-30 10:43:45 +0000 | [diff] [blame] | 264 | |
| 265 | </sect2> |
| 266 | |
| 267 | |
| 268 | |
| 269 | <sect2 id="mc-manual.uninitvals" |
| 270 | xreflabel="Use of uninitialised values"> |
| 271 | <title>Use of uninitialised values</title> |
| 272 | |
| 273 | <para>For example:</para> |
| 274 | <programlisting><![CDATA[ |
| 275 | Conditional jump or move depends on uninitialised value(s) |
| 276 | at 0x402DFA94: _IO_vfprintf (_itoa.h:49) |
| 277 | by 0x402E8476: _IO_printf (printf.c:36) |
| 278 | by 0x8048472: main (tests/manuel1.c:8) |
njn | 3e986b2 | 2004-11-30 10:43:45 +0000 | [diff] [blame] | 279 | ]]></programlisting> |
| 280 | |
de | 03e0e7c | 2005-12-03 23:02:33 +0000 | [diff] [blame] | 281 | <para>An uninitialised-value use error is reported when your program |
| 282 | uses a value which hasn't been initialised -- in other words, is |
| 283 | undefined. Here, the undefined value is used somewhere inside the |
| 284 | printf() machinery of the C library. This error was reported when |
| 285 | running the following small program:</para> |
njn | 3e986b2 | 2004-11-30 10:43:45 +0000 | [diff] [blame] | 286 | <programlisting><![CDATA[ |
| 287 | int main() |
| 288 | { |
| 289 | int x; |
| 290 | printf ("x = %d\n", x); |
| 291 | }]]></programlisting> |
| 292 | |
de | 03e0e7c | 2005-12-03 23:02:33 +0000 | [diff] [blame] | 293 | <para>It is important to understand that your program can copy around |
| 294 | junk (uninitialised) data as much as it likes. Memcheck observes this |
| 295 | and keeps track of the data, but does not complain. A complaint is |
| 296 | issued only when your program attempts to make use of uninitialised |
| 297 | data. In this example, x is uninitialised. Memcheck observes the value |
| 298 | being passed to <literal>_IO_printf</literal> and thence to |
njn | 3e986b2 | 2004-11-30 10:43:45 +0000 | [diff] [blame] | 299 | <literal>_IO_vfprintf</literal>, but makes no comment. However, |
de | 03e0e7c | 2005-12-03 23:02:33 +0000 | [diff] [blame] | 300 | _IO_vfprintf has to examine the value of x so it can turn it into the |
| 301 | corresponding ASCII string, and it is at this point that Memcheck |
| 302 | complains.</para> |
njn | 3e986b2 | 2004-11-30 10:43:45 +0000 | [diff] [blame] | 303 | |
| 304 | <para>Sources of uninitialised data tend to be:</para> |
| 305 | <itemizedlist> |
| 306 | <listitem> |
de | 03e0e7c | 2005-12-03 23:02:33 +0000 | [diff] [blame] | 307 | <para>Local variables in procedures which have not been initialised, |
| 308 | as in the example above.</para> |
njn | 3e986b2 | 2004-11-30 10:43:45 +0000 | [diff] [blame] | 309 | </listitem> |
| 310 | <listitem> |
de | 03e0e7c | 2005-12-03 23:02:33 +0000 | [diff] [blame] | 311 | <para>The contents of malloc'd blocks, before you write something |
| 312 | there. In C++, the new operator is a wrapper round malloc, so if |
| 313 | you create an object with new, its fields will be uninitialised |
| 314 | until you (or the constructor) fill them in, which is only Right and |
| 315 | Proper.</para> |
njn | 3e986b2 | 2004-11-30 10:43:45 +0000 | [diff] [blame] | 316 | </listitem> |
| 317 | </itemizedlist> |
| 318 | |
| 319 | </sect2> |
| 320 | |
| 321 | |
| 322 | |
| 323 | <sect2 id="mc-manual.badfrees" xreflabel="Illegal frees"> |
| 324 | <title>Illegal frees</title> |
| 325 | |
| 326 | <para>For example:</para> |
| 327 | <programlisting><![CDATA[ |
| 328 | Invalid free() |
| 329 | at 0x4004FFDF: free (vg_clientmalloc.c:577) |
| 330 | by 0x80484C7: main (tests/doublefree.c:10) |
njn | 21f9195 | 2005-03-12 22:14:42 +0000 | [diff] [blame] | 331 | Address 0x3807F7B4 is 0 bytes inside a block of size 177 free'd |
njn | 3e986b2 | 2004-11-30 10:43:45 +0000 | [diff] [blame] | 332 | at 0x4004FFDF: free (vg_clientmalloc.c:577) |
| 333 | by 0x80484C7: main (tests/doublefree.c:10) |
njn | 3e986b2 | 2004-11-30 10:43:45 +0000 | [diff] [blame] | 334 | ]]></programlisting> |
| 335 | |
de | 03e0e7c | 2005-12-03 23:02:33 +0000 | [diff] [blame] | 336 | <para>Memcheck keeps track of the blocks allocated by your program with |
| 337 | malloc/new, so it can know exactly whether or not the argument to |
| 338 | free/delete is legitimate or not. Here, this test program has freed the |
| 339 | same block twice. As with the illegal read/write errors, Memcheck |
| 340 | attempts to make sense of the address free'd. If, as here, the address |
| 341 | is one which has previously been freed, you wil be told that -- making |
| 342 | duplicate frees of the same block easy to spot.</para> |
njn | 3e986b2 | 2004-11-30 10:43:45 +0000 | [diff] [blame] | 343 | |
| 344 | </sect2> |
| 345 | |
| 346 | |
| 347 | <sect2 id="mc-manual.rudefn" |
| 348 | xreflabel="When a block is freed with an inappropriate deallocation |
| 349 | function"> |
| 350 | <title>When a block is freed with an inappropriate deallocation |
| 351 | function</title> |
| 352 | |
| 353 | <para>In the following example, a block allocated with |
de | 03e0e7c | 2005-12-03 23:02:33 +0000 | [diff] [blame] | 354 | <function>new[]</function> has wrongly been deallocated with |
| 355 | <function>free</function>:</para> |
njn | 3e986b2 | 2004-11-30 10:43:45 +0000 | [diff] [blame] | 356 | <programlisting><![CDATA[ |
| 357 | Mismatched free() / delete / delete [] |
| 358 | at 0x40043249: free (vg_clientfuncs.c:171) |
| 359 | by 0x4102BB4E: QGArray::~QGArray(void) (tools/qgarray.cpp:149) |
| 360 | by 0x4C261C41: PptDoc::~PptDoc(void) (include/qmemarray.h:60) |
| 361 | by 0x4C261F0E: PptXml::~PptXml(void) (pptxml.cc:44) |
njn | 21f9195 | 2005-03-12 22:14:42 +0000 | [diff] [blame] | 362 | Address 0x4BB292A8 is 0 bytes inside a block of size 64 alloc'd |
njn | 3e986b2 | 2004-11-30 10:43:45 +0000 | [diff] [blame] | 363 | at 0x4004318C: __builtin_vec_new (vg_clientfuncs.c:152) |
| 364 | by 0x4C21BC15: KLaola::readSBStream(int) const (klaola.cc:314) |
| 365 | by 0x4C21C155: KLaola::stream(KLaola::OLENode const *) (klaola.cc:416) |
| 366 | by 0x4C21788F: OLEFilter::convert(QCString const &) (olefilter.cc:272) |
| 367 | ]]></programlisting> |
| 368 | |
de | 03e0e7c | 2005-12-03 23:02:33 +0000 | [diff] [blame] | 369 | <para>In <literal>C++</literal> it's important to deallocate memory in a |
| 370 | way compatible with how it was allocated. The deal is:</para> |
njn | 3e986b2 | 2004-11-30 10:43:45 +0000 | [diff] [blame] | 371 | <itemizedlist> |
| 372 | <listitem> |
| 373 | <para>If allocated with |
de | 03e0e7c | 2005-12-03 23:02:33 +0000 | [diff] [blame] | 374 | <function>malloc</function>, |
| 375 | <function>calloc</function>, |
| 376 | <function>realloc</function>, |
| 377 | <function>valloc</function> or |
| 378 | <function>memalign</function>, you must |
| 379 | deallocate with <function>free</function>.</para> |
njn | 3e986b2 | 2004-11-30 10:43:45 +0000 | [diff] [blame] | 380 | </listitem> |
| 381 | <listitem> |
de | 03e0e7c | 2005-12-03 23:02:33 +0000 | [diff] [blame] | 382 | <para>If allocated with <function>new[]</function>, you must |
| 383 | deallocate with <function>delete[]</function>.</para> |
njn | 3e986b2 | 2004-11-30 10:43:45 +0000 | [diff] [blame] | 384 | </listitem> |
| 385 | <listitem> |
de | 03e0e7c | 2005-12-03 23:02:33 +0000 | [diff] [blame] | 386 | <para>If allocated with <function>new</function>, you must deallocate |
| 387 | with <function>delete</function>.</para> |
njn | 3e986b2 | 2004-11-30 10:43:45 +0000 | [diff] [blame] | 388 | </listitem> |
| 389 | </itemizedlist> |
| 390 | |
de | 03e0e7c | 2005-12-03 23:02:33 +0000 | [diff] [blame] | 391 | <para>The worst thing is that on Linux apparently it doesn't matter if |
| 392 | you do muddle these up, and it all seems to work ok, but the same |
| 393 | program may then crash on a different platform, Solaris for example. So |
| 394 | it's best to fix it properly. According to the KDE folks "it's amazing |
| 395 | how many C++ programmers don't know this".</para> |
njn | 3e986b2 | 2004-11-30 10:43:45 +0000 | [diff] [blame] | 396 | |
| 397 | <para>Pascal Massimino adds the following clarification: |
de | 03e0e7c | 2005-12-03 23:02:33 +0000 | [diff] [blame] | 398 | <function>delete[]</function> must be used for objects allocated by |
| 399 | <function>new[]</function> because the compiler stores the size of the |
| 400 | array and the pointer-to-member to the destructor of the array's content |
| 401 | just before the pointer actually returned. This implies a |
| 402 | variable-sized overhead in what's returned by <function>new</function> |
| 403 | or <function>new[]</function>.</para> |
| 404 | |
njn | 3e986b2 | 2004-11-30 10:43:45 +0000 | [diff] [blame] | 405 | </sect2> |
| 406 | |
| 407 | |
| 408 | |
| 409 | <sect2 id="mc-manual.badperm" |
| 410 | xreflabel="Passing system call parameters with |
| 411 | inadequate read/write permissions"> |
| 412 | <title>Passing system call parameters with inadequate read/write |
| 413 | permissions</title> |
| 414 | |
sewardj | 8d9fec5 | 2005-11-15 20:56:23 +0000 | [diff] [blame] | 415 | <para>Memcheck checks all parameters to system calls: |
njn | c4fcca3 | 2004-12-01 00:02:36 +0000 | [diff] [blame] | 416 | <itemizedlist> |
de | 03e0e7c | 2005-12-03 23:02:33 +0000 | [diff] [blame] | 417 | <listitem> |
| 418 | <para>It checks all the direct parameters themselves.</para> |
| 419 | </listitem> |
| 420 | <listitem> |
| 421 | <para>Also, if a system call needs to read from a buffer provided by |
| 422 | your program, Memcheck checks that the entire buffer is addressible |
| 423 | and has valid data, ie, it is readable.</para> |
| 424 | </listitem> |
| 425 | <listitem> |
| 426 | <para>Also, if the system call needs to write to a user-supplied |
| 427 | buffer, Memcheck checks that the buffer is addressible.</para> |
| 428 | </listitem> |
njn | c4fcca3 | 2004-12-01 00:02:36 +0000 | [diff] [blame] | 429 | </itemizedlist> |
| 430 | </para> |
njn | 3e986b2 | 2004-11-30 10:43:45 +0000 | [diff] [blame] | 431 | |
njn | c4fcca3 | 2004-12-01 00:02:36 +0000 | [diff] [blame] | 432 | <para>After the system call, Memcheck updates its tracked information to |
de | 03e0e7c | 2005-12-03 23:02:33 +0000 | [diff] [blame] | 433 | precisely reflect any changes in memory permissions caused by the system |
| 434 | call.</para> |
njn | 3e986b2 | 2004-11-30 10:43:45 +0000 | [diff] [blame] | 435 | |
njn | c4fcca3 | 2004-12-01 00:02:36 +0000 | [diff] [blame] | 436 | <para>Here's an example of two system calls with invalid parameters:</para> |
njn | 3e986b2 | 2004-11-30 10:43:45 +0000 | [diff] [blame] | 437 | <programlisting><![CDATA[ |
njn | 62ad73d | 2005-08-15 04:26:13 +0000 | [diff] [blame] | 438 | #include <stdlib.h> |
| 439 | #include <unistd.h> |
njn | c4fcca3 | 2004-12-01 00:02:36 +0000 | [diff] [blame] | 440 | int main( void ) |
| 441 | { |
| 442 | char* arr = malloc(10); |
| 443 | int* arr2 = malloc(sizeof(int)); |
| 444 | write( 1 /* stdout */, arr, 10 ); |
| 445 | exit(arr2[0]); |
| 446 | } |
njn | 3e986b2 | 2004-11-30 10:43:45 +0000 | [diff] [blame] | 447 | ]]></programlisting> |
| 448 | |
njn | c4fcca3 | 2004-12-01 00:02:36 +0000 | [diff] [blame] | 449 | <para>You get these complaints ...</para> |
| 450 | <programlisting><![CDATA[ |
| 451 | Syscall param write(buf) points to uninitialised byte(s) |
| 452 | at 0x25A48723: __write_nocancel (in /lib/tls/libc-2.3.3.so) |
| 453 | by 0x259AFAD3: __libc_start_main (in /lib/tls/libc-2.3.3.so) |
| 454 | by 0x8048348: (within /auto/homes/njn25/grind/head4/a.out) |
| 455 | Address 0x25AB8028 is 0 bytes inside a block of size 10 alloc'd |
| 456 | at 0x259852B0: malloc (vg_replace_malloc.c:130) |
| 457 | by 0x80483F1: main (a.c:5) |
| 458 | |
| 459 | Syscall param exit(error_code) contains uninitialised byte(s) |
| 460 | at 0x25A21B44: __GI__exit (in /lib/tls/libc-2.3.3.so) |
| 461 | by 0x8048426: main (a.c:8) |
| 462 | ]]></programlisting> |
| 463 | |
de | 03e0e7c | 2005-12-03 23:02:33 +0000 | [diff] [blame] | 464 | <para>... because the program has (a) tried to write uninitialised junk |
| 465 | from the malloc'd block to the standard output, and (b) passed an |
| 466 | uninitialised value to <function>exit</function>. Note that the first |
| 467 | error refers to the memory pointed to by |
| 468 | <computeroutput>buf</computeroutput> (not |
| 469 | <computeroutput>buf</computeroutput> itself), but the second error |
| 470 | refers to the argument <computeroutput>error_code</computeroutput> |
| 471 | itself.</para> |
njn | 3e986b2 | 2004-11-30 10:43:45 +0000 | [diff] [blame] | 472 | |
| 473 | </sect2> |
| 474 | |
| 475 | |
| 476 | <sect2 id="mc-manual.overlap" |
| 477 | xreflabel="Overlapping source and destination blocks"> |
| 478 | <title>Overlapping source and destination blocks</title> |
| 479 | |
| 480 | <para>The following C library functions copy some data from one |
| 481 | memory block to another (or something similar): |
de | 03e0e7c | 2005-12-03 23:02:33 +0000 | [diff] [blame] | 482 | <function>memcpy()</function>, |
| 483 | <function>strcpy()</function>, |
| 484 | <function>strncpy()</function>, |
| 485 | <function>strcat()</function>, |
| 486 | <function>strncat()</function>. |
| 487 | The blocks pointed to by their <computeroutput>src</computeroutput> and |
| 488 | <computeroutput>dst</computeroutput> pointers aren't allowed to overlap. |
| 489 | Memcheck checks for this.</para> |
njn | 3e986b2 | 2004-11-30 10:43:45 +0000 | [diff] [blame] | 490 | |
| 491 | <para>For example:</para> |
| 492 | <programlisting><![CDATA[ |
| 493 | ==27492== Source and destination overlap in memcpy(0xbffff294, 0xbffff280, 21) |
| 494 | ==27492== at 0x40026CDC: memcpy (mc_replace_strmem.c:71) |
| 495 | ==27492== by 0x804865A: main (overlap.c:40) |
njn | 3e986b2 | 2004-11-30 10:43:45 +0000 | [diff] [blame] | 496 | ==27492== |
| 497 | ]]></programlisting> |
| 498 | |
de | 03e0e7c | 2005-12-03 23:02:33 +0000 | [diff] [blame] | 499 | <para>You don't want the two blocks to overlap because one of them could |
| 500 | get partially trashed by the copying.</para> |
njn | 3e986b2 | 2004-11-30 10:43:45 +0000 | [diff] [blame] | 501 | |
njn | ccad0b8 | 2005-07-19 00:48:55 +0000 | [diff] [blame] | 502 | <para>You might think that Memcheck is being overly pedantic reporting |
de | 03e0e7c | 2005-12-03 23:02:33 +0000 | [diff] [blame] | 503 | this in the case where <computeroutput>dst</computeroutput> is less than |
| 504 | <computeroutput>src</computeroutput>. For example, the obvious way to |
| 505 | implement <function>memcpy()</function> is by copying from the first |
| 506 | byte to the last. However, the optimisation guides of some |
| 507 | architectures recommend copying from the last byte down to the first. |
| 508 | Also, some implementations of <function>memcpy()</function> zero |
| 509 | <computeroutput>dst</computeroutput> before copying, because zeroing the |
| 510 | destination's cache line(s) can improve performance.</para> |
njn | ccad0b8 | 2005-07-19 00:48:55 +0000 | [diff] [blame] | 511 | |
de | 03e0e7c | 2005-12-03 23:02:33 +0000 | [diff] [blame] | 512 | <para>The moral of the story is: if you want to write truly portable |
| 513 | code, don't make any assumptions about the language |
| 514 | implementation.</para> |
njn | ccad0b8 | 2005-07-19 00:48:55 +0000 | [diff] [blame] | 515 | |
njn | 3e986b2 | 2004-11-30 10:43:45 +0000 | [diff] [blame] | 516 | </sect2> |
| 517 | |
| 518 | |
njn | ab5b714 | 2005-08-16 02:20:17 +0000 | [diff] [blame] | 519 | <sect2 id="mc-manual.leaks" xreflabel="Memory leak detection"> |
| 520 | <title>Memory leak detection</title> |
| 521 | |
de | 03e0e7c | 2005-12-03 23:02:33 +0000 | [diff] [blame] | 522 | <para>Memcheck keeps track of all memory blocks issued in response to |
| 523 | calls to malloc/calloc/realloc/new. So when the program exits, it knows |
| 524 | which blocks have not been freed. |
njn | ab5b714 | 2005-08-16 02:20:17 +0000 | [diff] [blame] | 525 | </para> |
| 526 | |
de | 03e0e7c | 2005-12-03 23:02:33 +0000 | [diff] [blame] | 527 | <para>If <option>--leak-check</option> is set appropriately, for each |
| 528 | remaining block, Memcheck scans the entire address space of the process, |
| 529 | looking for pointers to the block. Each block fits into one of the |
| 530 | three following categories.</para> |
njn | ab5b714 | 2005-08-16 02:20:17 +0000 | [diff] [blame] | 531 | |
| 532 | <itemizedlist> |
| 533 | |
| 534 | <listitem> |
de | 03e0e7c | 2005-12-03 23:02:33 +0000 | [diff] [blame] | 535 | <para>Still reachable: A pointer to the start of the block is found. |
| 536 | This usually indicates programming sloppiness. Since the block is |
| 537 | still pointed at, the programmer could, at least in principle, free |
| 538 | it before program exit. Because these are very common and arguably |
njn | ab5b714 | 2005-08-16 02:20:17 +0000 | [diff] [blame] | 539 | not a problem, Memcheck won't report such blocks unless |
de | 03e0e7c | 2005-12-03 23:02:33 +0000 | [diff] [blame] | 540 | <option>--show-reachable=yes</option> is specified.</para> |
njn | ab5b714 | 2005-08-16 02:20:17 +0000 | [diff] [blame] | 541 | </listitem> |
| 542 | |
| 543 | <listitem> |
de | 03e0e7c | 2005-12-03 23:02:33 +0000 | [diff] [blame] | 544 | <para>Possibly lost, or "dubious": A pointer to the interior of the |
| 545 | block is found. The pointer might originally have pointed to the |
| 546 | start and have been moved along, or it might be entirely unrelated. |
| 547 | Memcheck deems such a block as "dubious", because it's unclear |
| 548 | whether or not a pointer to it still exists.</para> |
njn | ab5b714 | 2005-08-16 02:20:17 +0000 | [diff] [blame] | 549 | </listitem> |
| 550 | |
| 551 | <listitem> |
de | 03e0e7c | 2005-12-03 23:02:33 +0000 | [diff] [blame] | 552 | <para>Definitely lost, or "leaked": The worst outcome is that no |
| 553 | pointer to the block can be found. The block is classified as |
| 554 | "leaked", because the programmer could not possibly have freed it at |
| 555 | program exit, since no pointer to it exists. This is likely a |
| 556 | symptom of having lost the pointer at some earlier point in the |
| 557 | program.</para> |
njn | ab5b714 | 2005-08-16 02:20:17 +0000 | [diff] [blame] | 558 | </listitem> |
| 559 | |
| 560 | </itemizedlist> |
| 561 | |
de | 03e0e7c | 2005-12-03 23:02:33 +0000 | [diff] [blame] | 562 | <para>For each block mentioned, Memcheck will also tell you where the |
| 563 | block was allocated. It cannot tell you how or why the pointer to a |
| 564 | leaked block has been lost; you have to work that out for yourself. In |
| 565 | general, you should attempt to ensure your programs do not have any |
| 566 | leaked or dubious blocks at exit.</para> |
njn | ab5b714 | 2005-08-16 02:20:17 +0000 | [diff] [blame] | 567 | |
| 568 | <para>For example:</para> |
| 569 | <programlisting><![CDATA[ |
| 570 | 8 bytes in 1 blocks are definitely lost in loss record 1 of 14 |
| 571 | at 0x........: malloc (vg_replace_malloc.c:...) |
| 572 | by 0x........: mk (leak-tree.c:11) |
| 573 | by 0x........: main (leak-tree.c:39) |
| 574 | |
sewardj | 8d9fec5 | 2005-11-15 20:56:23 +0000 | [diff] [blame] | 575 | 88 (8 direct, 80 indirect) bytes in 1 blocks are definitely lost |
| 576 | in loss record 13 of 14 |
njn | ab5b714 | 2005-08-16 02:20:17 +0000 | [diff] [blame] | 577 | at 0x........: malloc (vg_replace_malloc.c:...) |
| 578 | by 0x........: mk (leak-tree.c:11) |
| 579 | by 0x........: main (leak-tree.c:25) |
| 580 | ]]></programlisting> |
| 581 | |
de | 03e0e7c | 2005-12-03 23:02:33 +0000 | [diff] [blame] | 582 | <para>The first message describes a simple case of a single 8 byte block |
| 583 | that has been definitely lost. The second case mentions both "direct" |
| 584 | and "indirect" leaks. The distinction is that a direct leak is a block |
| 585 | which has no pointers to it. An indirect leak is a block which is only |
| 586 | pointed to by other leaked blocks. Both kinds of leak are bad.</para> |
njn | ab5b714 | 2005-08-16 02:20:17 +0000 | [diff] [blame] | 587 | |
de | 03e0e7c | 2005-12-03 23:02:33 +0000 | [diff] [blame] | 588 | <para>The precise area of memory in which Memcheck searches for pointers |
| 589 | is: all naturally-aligned machine-word-sized words for which all A bits |
| 590 | indicate addressibility and all V bits indicated that the stored value |
| 591 | is actually valid.</para> |
njn | ab5b714 | 2005-08-16 02:20:17 +0000 | [diff] [blame] | 592 | |
| 593 | </sect2> |
| 594 | |
njn | 3e986b2 | 2004-11-30 10:43:45 +0000 | [diff] [blame] | 595 | </sect1> |
| 596 | |
| 597 | |
| 598 | |
njn | 62ad73d | 2005-08-15 04:26:13 +0000 | [diff] [blame] | 599 | <sect1 id="mc-manual.suppfiles" xreflabel="Writing suppression files"> |
| 600 | <title>Writing suppression files</title> |
njn | 3e986b2 | 2004-11-30 10:43:45 +0000 | [diff] [blame] | 601 | |
| 602 | <para>The basic suppression format is described in |
| 603 | <xref linkend="manual-core.suppress"/>.</para> |
| 604 | |
| 605 | <para>The suppression (2nd) line should have the form:</para> |
| 606 | <programlisting><![CDATA[ |
| 607 | Memcheck:suppression_type]]></programlisting> |
| 608 | |
njn | 3e986b2 | 2004-11-30 10:43:45 +0000 | [diff] [blame] | 609 | <para>The Memcheck suppression types are as follows:</para> |
| 610 | |
| 611 | <itemizedlist> |
| 612 | <listitem> |
de | 03e0e7c | 2005-12-03 23:02:33 +0000 | [diff] [blame] | 613 | <para><varname>Value1</varname>, |
| 614 | <varname>Value2</varname>, |
| 615 | <varname>Value4</varname>, |
| 616 | <varname>Value8</varname>, |
| 617 | <varname>Value16</varname>, |
njn | 3e986b2 | 2004-11-30 10:43:45 +0000 | [diff] [blame] | 618 | meaning an uninitialised-value error when |
| 619 | using a value of 1, 2, 4, 8 or 16 bytes.</para> |
| 620 | </listitem> |
| 621 | |
| 622 | <listitem> |
de | 03e0e7c | 2005-12-03 23:02:33 +0000 | [diff] [blame] | 623 | <para>Or: <varname>Cond</varname> (or its old |
| 624 | name, <varname>Value0</varname>), meaning use |
njn | 3e986b2 | 2004-11-30 10:43:45 +0000 | [diff] [blame] | 625 | of an uninitialised CPU condition code.</para> |
| 626 | </listitem> |
| 627 | |
| 628 | <listitem> |
de | 03e0e7c | 2005-12-03 23:02:33 +0000 | [diff] [blame] | 629 | <para>Or: <varname>Addr1</varname>, |
| 630 | <varname>Addr2</varname>, |
| 631 | <varname>Addr4</varname>, |
| 632 | <varname>Addr8</varname>, |
| 633 | <varname>Addr16</varname>, |
njn | 3e986b2 | 2004-11-30 10:43:45 +0000 | [diff] [blame] | 634 | meaning an invalid address during a |
| 635 | memory access of 1, 2, 4, 8 or 16 bytes respectively.</para> |
| 636 | </listitem> |
| 637 | |
| 638 | <listitem> |
de | 03e0e7c | 2005-12-03 23:02:33 +0000 | [diff] [blame] | 639 | <para>Or: <varname>Param</varname>, meaning an |
njn | 3e986b2 | 2004-11-30 10:43:45 +0000 | [diff] [blame] | 640 | invalid system call parameter error.</para> |
| 641 | </listitem> |
| 642 | |
| 643 | <listitem> |
de | 03e0e7c | 2005-12-03 23:02:33 +0000 | [diff] [blame] | 644 | <para>Or: <varname>Free</varname>, meaning an |
njn | 3e986b2 | 2004-11-30 10:43:45 +0000 | [diff] [blame] | 645 | invalid or mismatching free.</para> |
| 646 | </listitem> |
| 647 | |
| 648 | <listitem> |
de | 03e0e7c | 2005-12-03 23:02:33 +0000 | [diff] [blame] | 649 | <para>Or: <varname>Overlap</varname>, meaning a |
njn | 3e986b2 | 2004-11-30 10:43:45 +0000 | [diff] [blame] | 650 | <computeroutput>src</computeroutput> / |
| 651 | <computeroutput>dst</computeroutput> overlap in |
de | 03e0e7c | 2005-12-03 23:02:33 +0000 | [diff] [blame] | 652 | <function>memcpy()</function> or a similar function.</para> |
njn | 3e986b2 | 2004-11-30 10:43:45 +0000 | [diff] [blame] | 653 | </listitem> |
| 654 | |
| 655 | <listitem> |
de | 03e0e7c | 2005-12-03 23:02:33 +0000 | [diff] [blame] | 656 | <para>Or: <varname>Leak</varname>, meaning |
njn | 62ad73d | 2005-08-15 04:26:13 +0000 | [diff] [blame] | 657 | a memory leak.</para> |
njn | 3e986b2 | 2004-11-30 10:43:45 +0000 | [diff] [blame] | 658 | </listitem> |
| 659 | |
| 660 | </itemizedlist> |
| 661 | |
de | 03e0e7c | 2005-12-03 23:02:33 +0000 | [diff] [blame] | 662 | <para>The extra information line: for Param errors, is the name of the |
| 663 | offending system call parameter. No other error kinds have this extra |
| 664 | line.</para> |
njn | 3e986b2 | 2004-11-30 10:43:45 +0000 | [diff] [blame] | 665 | |
de | 03e0e7c | 2005-12-03 23:02:33 +0000 | [diff] [blame] | 666 | <para>The first line of the calling context: for Value and Addr errors, |
| 667 | it is either the name of the function in which the error occurred, or, |
| 668 | failing that, the full path of the .so file or executable containing the |
| 669 | error location. For Free errors, is the name of the function doing the |
| 670 | freeing (eg, <function>free</function>, |
| 671 | <function>__builtin_vec_delete</function>, etc). For Overlap errors, is |
| 672 | the name of the function with the overlapping arguments (eg. |
| 673 | <function>memcpy()</function>, <function>strcpy()</function>, |
| 674 | etc).</para> |
njn | 3e986b2 | 2004-11-30 10:43:45 +0000 | [diff] [blame] | 675 | |
| 676 | <para>Lastly, there's the rest of the calling context.</para> |
| 677 | |
| 678 | </sect1> |
| 679 | |
| 680 | |
| 681 | |
| 682 | <sect1 id="mc-manual.machine" |
| 683 | xreflabel="Details of Memcheck's checking machinery"> |
| 684 | <title>Details of Memcheck's checking machinery</title> |
| 685 | |
| 686 | <para>Read this section if you want to know, in detail, exactly |
| 687 | what and how Memcheck is checking.</para> |
| 688 | |
| 689 | |
| 690 | <sect2 id="mc-manual.value" xreflabel="Valid-value (V) bit"> |
| 691 | <title>Valid-value (V) bits</title> |
| 692 | |
de | 03e0e7c | 2005-12-03 23:02:33 +0000 | [diff] [blame] | 693 | <para>It is simplest to think of Memcheck implementing a synthetic CPU |
| 694 | which is identical to a real CPU, except for one crucial detail. Every |
| 695 | bit (literally) of data processed, stored and handled by the real CPU |
| 696 | has, in the synthetic CPU, an associated "valid-value" bit, which says |
| 697 | whether or not the accompanying bit has a legitimate value. In the |
| 698 | discussions which follow, this bit is referred to as the V (valid-value) |
njn | 3e986b2 | 2004-11-30 10:43:45 +0000 | [diff] [blame] | 699 | bit.</para> |
| 700 | |
de | 03e0e7c | 2005-12-03 23:02:33 +0000 | [diff] [blame] | 701 | <para>Each byte in the system therefore has a 8 V bits which follow it |
| 702 | wherever it goes. For example, when the CPU loads a word-size item (4 |
| 703 | bytes) from memory, it also loads the corresponding 32 V bits from a |
| 704 | bitmap which stores the V bits for the process' entire address space. |
| 705 | If the CPU should later write the whole or some part of that value to |
| 706 | memory at a different address, the relevant V bits will be stored back |
| 707 | in the V-bit bitmap.</para> |
njn | 3e986b2 | 2004-11-30 10:43:45 +0000 | [diff] [blame] | 708 | |
de | 03e0e7c | 2005-12-03 23:02:33 +0000 | [diff] [blame] | 709 | <para>In short, each bit in the system has an associated V bit, which |
| 710 | follows it around everywhere, even inside the CPU. Yes, all the CPU's |
| 711 | registers (integer, floating point, vector and condition registers) have |
| 712 | their own V bit vectors.</para> |
njn | 3e986b2 | 2004-11-30 10:43:45 +0000 | [diff] [blame] | 713 | |
de | 03e0e7c | 2005-12-03 23:02:33 +0000 | [diff] [blame] | 714 | <para>Copying values around does not cause Memcheck to check for, or |
| 715 | report on, errors. However, when a value is used in a way which might |
| 716 | conceivably affect the outcome of your program's computation, the |
| 717 | associated V bits are immediately checked. If any of these indicate |
| 718 | that the value is undefined, an error is reported.</para> |
njn | 3e986b2 | 2004-11-30 10:43:45 +0000 | [diff] [blame] | 719 | |
| 720 | <para>Here's an (admittedly nonsensical) example:</para> |
| 721 | <programlisting><![CDATA[ |
| 722 | int i, j; |
| 723 | int a[10], b[10]; |
| 724 | for ( i = 0; i < 10; i++ ) { |
| 725 | j = a[i]; |
| 726 | b[i] = j; |
| 727 | }]]></programlisting> |
| 728 | |
de | 03e0e7c | 2005-12-03 23:02:33 +0000 | [diff] [blame] | 729 | <para>Memcheck emits no complaints about this, since it merely copies |
| 730 | uninitialised values from <varname>a[]</varname> into |
| 731 | <varname>b[]</varname>, and doesn't use them in any way. However, if |
| 732 | the loop is changed to:</para> |
njn | 3e986b2 | 2004-11-30 10:43:45 +0000 | [diff] [blame] | 733 | <programlisting><![CDATA[ |
| 734 | for ( i = 0; i < 10; i++ ) { |
| 735 | j += a[i]; |
| 736 | } |
| 737 | if ( j == 77 ) |
| 738 | printf("hello there\n"); |
| 739 | ]]></programlisting> |
| 740 | |
| 741 | <para>then Valgrind will complain, at the |
de | 03e0e7c | 2005-12-03 23:02:33 +0000 | [diff] [blame] | 742 | <computeroutput>if</computeroutput>, that the condition depends on |
| 743 | uninitialised values. Note that it <command>doesn't</command> complain |
| 744 | at the <varname>j += a[i];</varname>, since at that point the |
| 745 | undefinedness is not "observable". It's only when a decision has to be |
| 746 | made as to whether or not to do the <function>printf</function> -- an |
| 747 | observable action of your program -- that Memcheck complains.</para> |
njn | 3e986b2 | 2004-11-30 10:43:45 +0000 | [diff] [blame] | 748 | |
de | 03e0e7c | 2005-12-03 23:02:33 +0000 | [diff] [blame] | 749 | <para>Most low level operations, such as adds, cause Memcheck to use the |
| 750 | V bits for the operands to calculate the V bits for the result. Even if |
| 751 | the result is partially or wholly undefined, it does not |
njn | 62ad73d | 2005-08-15 04:26:13 +0000 | [diff] [blame] | 752 | complain.</para> |
njn | 3e986b2 | 2004-11-30 10:43:45 +0000 | [diff] [blame] | 753 | |
de | 03e0e7c | 2005-12-03 23:02:33 +0000 | [diff] [blame] | 754 | <para>Checks on definedness only occur in three places: when a value is |
| 755 | used to generate a memory address, when control flow decision needs to |
| 756 | be made, and when a system call is detected, Valgrind checks definedness |
| 757 | of parameters as required.</para> |
njn | 3e986b2 | 2004-11-30 10:43:45 +0000 | [diff] [blame] | 758 | |
| 759 | <para>If a check should detect undefinedness, an error message is |
de | 03e0e7c | 2005-12-03 23:02:33 +0000 | [diff] [blame] | 760 | issued. The resulting value is subsequently regarded as well-defined. |
| 761 | To do otherwise would give long chains of error messages. In effect, we |
| 762 | say that undefined values are non-infectious.</para> |
njn | 3e986b2 | 2004-11-30 10:43:45 +0000 | [diff] [blame] | 763 | |
de | 03e0e7c | 2005-12-03 23:02:33 +0000 | [diff] [blame] | 764 | <para>This sounds overcomplicated. Why not just check all reads from |
| 765 | memory, and complain if an undefined value is loaded into a CPU |
| 766 | register? Well, that doesn't work well, because perfectly legitimate C |
| 767 | programs routinely copy uninitialised values around in memory, and we |
| 768 | don't want endless complaints about that. Here's the canonical example. |
| 769 | Consider a struct like this:</para> |
njn | 3e986b2 | 2004-11-30 10:43:45 +0000 | [diff] [blame] | 770 | <programlisting><![CDATA[ |
| 771 | struct S { int x; char c; }; |
| 772 | struct S s1, s2; |
| 773 | s1.x = 42; |
| 774 | s1.c = 'z'; |
| 775 | s2 = s1; |
| 776 | ]]></programlisting> |
| 777 | |
de | 03e0e7c | 2005-12-03 23:02:33 +0000 | [diff] [blame] | 778 | <para>The question to ask is: how large is <varname>struct S</varname>, |
| 779 | in bytes? An <varname>int</varname> is 4 bytes and a |
| 780 | <varname>char</varname> one byte, so perhaps a <varname>struct |
| 781 | S</varname> occupies 5 bytes? Wrong. All (non-toy) compilers we know |
| 782 | of will round the size of <varname>struct S</varname> up to a whole |
| 783 | number of words, in this case 8 bytes. Not doing this forces compilers |
| 784 | to generate truly appalling code for subscripting arrays of |
| 785 | <varname>struct S</varname>'s.</para> |
njn | 3e986b2 | 2004-11-30 10:43:45 +0000 | [diff] [blame] | 786 | |
de | 03e0e7c | 2005-12-03 23:02:33 +0000 | [diff] [blame] | 787 | <para>So <varname>s1</varname> occupies 8 bytes, yet only 5 of them will |
| 788 | be initialised. For the assignment <varname>s2 = s1</varname>, gcc |
| 789 | generates code to copy all 8 bytes wholesale into <varname>s2</varname> |
| 790 | without regard for their meaning. If Memcheck simply checked values as |
| 791 | they came out of memory, it would yelp every time a structure assignment |
| 792 | like this happened. So the more complicated semantics described above |
| 793 | is necessary. This allows <literal>gcc</literal> to copy |
| 794 | <varname>s1</varname> into <varname>s2</varname> any way it likes, and a |
| 795 | warning will only be emitted if the uninitialised values are later |
| 796 | used.</para> |
njn | 3e986b2 | 2004-11-30 10:43:45 +0000 | [diff] [blame] | 797 | |
njn | 3e986b2 | 2004-11-30 10:43:45 +0000 | [diff] [blame] | 798 | </sect2> |
| 799 | |
| 800 | |
| 801 | <sect2 id="mc-manual.vaddress" xreflabel=" Valid-address (A) bits"> |
| 802 | <title>Valid-address (A) bits</title> |
| 803 | |
de | 03e0e7c | 2005-12-03 23:02:33 +0000 | [diff] [blame] | 804 | <para>Notice that the previous subsection describes how the validity of |
| 805 | values is established and maintained without having to say whether the |
| 806 | program does or does not have the right to access any particular memory |
| 807 | location. We now consider the latter issue.</para> |
njn | 3e986b2 | 2004-11-30 10:43:45 +0000 | [diff] [blame] | 808 | |
de | 03e0e7c | 2005-12-03 23:02:33 +0000 | [diff] [blame] | 809 | <para>As described above, every bit in memory or in the CPU has an |
| 810 | associated valid-value (V) bit. In addition, all bytes in memory, but |
| 811 | not in the CPU, have an associated valid-address (A) bit. This |
| 812 | indicates whether or not the program can legitimately read or write that |
| 813 | location. It does not give any indication of the validity or the data |
| 814 | at that location -- that's the job of the V bits -- only whether or not |
| 815 | the location may be accessed.</para> |
njn | 3e986b2 | 2004-11-30 10:43:45 +0000 | [diff] [blame] | 816 | |
de | 03e0e7c | 2005-12-03 23:02:33 +0000 | [diff] [blame] | 817 | <para>Every time your program reads or writes memory, Memcheck checks |
| 818 | the A bits associated with the address. If any of them indicate an |
| 819 | invalid address, an error is emitted. Note that the reads and writes |
| 820 | themselves do not change the A bits, only consult them.</para> |
njn | 3e986b2 | 2004-11-30 10:43:45 +0000 | [diff] [blame] | 821 | |
njn | 62ad73d | 2005-08-15 04:26:13 +0000 | [diff] [blame] | 822 | <para>So how do the A bits get set/cleared? Like this:</para> |
njn | 3e986b2 | 2004-11-30 10:43:45 +0000 | [diff] [blame] | 823 | |
| 824 | <itemizedlist> |
| 825 | <listitem> |
| 826 | <para>When the program starts, all the global data areas are |
| 827 | marked as accessible.</para> |
| 828 | </listitem> |
| 829 | |
| 830 | <listitem> |
de | 03e0e7c | 2005-12-03 23:02:33 +0000 | [diff] [blame] | 831 | <para>When the program does malloc/new, the A bits for exactly the |
| 832 | area allocated, and not a byte more, are marked as accessible. Upon |
| 833 | freeing the area the A bits are changed to indicate |
| 834 | inaccessibility.</para> |
njn | 3e986b2 | 2004-11-30 10:43:45 +0000 | [diff] [blame] | 835 | </listitem> |
| 836 | |
| 837 | <listitem> |
de | 03e0e7c | 2005-12-03 23:02:33 +0000 | [diff] [blame] | 838 | <para>When the stack pointer register (<literal>SP</literal>) moves |
| 839 | up or down, A bits are set. The rule is that the area from |
| 840 | <literal>SP</literal> up to the base of the stack is marked as |
| 841 | accessible, and below <literal>SP</literal> is inaccessible. (If |
| 842 | that sounds illogical, bear in mind that the stack grows down, not |
| 843 | up, on almost all Unix systems, including GNU/Linux.) Tracking |
| 844 | <literal>SP</literal> like this has the useful side-effect that the |
| 845 | section of stack used by a function for local variables etc is |
| 846 | automatically marked accessible on function entry and inaccessible |
| 847 | on exit.</para> |
njn | 3e986b2 | 2004-11-30 10:43:45 +0000 | [diff] [blame] | 848 | </listitem> |
| 849 | |
| 850 | <listitem> |
de | 03e0e7c | 2005-12-03 23:02:33 +0000 | [diff] [blame] | 851 | <para>When doing system calls, A bits are changed appropriately. |
| 852 | For example, mmap() magically makes files appear in the process' |
| 853 | address space, so the A bits must be updated if mmap() |
| 854 | succeeds.</para> |
njn | 3e986b2 | 2004-11-30 10:43:45 +0000 | [diff] [blame] | 855 | </listitem> |
| 856 | |
| 857 | <listitem> |
de | 03e0e7c | 2005-12-03 23:02:33 +0000 | [diff] [blame] | 858 | <para>Optionally, your program can tell Valgrind about such changes |
| 859 | explicitly, using the client request mechanism described |
| 860 | above.</para> |
njn | 3e986b2 | 2004-11-30 10:43:45 +0000 | [diff] [blame] | 861 | </listitem> |
| 862 | |
| 863 | </itemizedlist> |
| 864 | |
| 865 | </sect2> |
| 866 | |
| 867 | |
| 868 | <sect2 id="mc-manual.together" xreflabel="Putting it all together"> |
| 869 | <title>Putting it all together</title> |
| 870 | |
| 871 | <para>Memcheck's checking machinery can be summarised as |
| 872 | follows:</para> |
| 873 | |
| 874 | <itemizedlist> |
| 875 | <listitem> |
de | 03e0e7c | 2005-12-03 23:02:33 +0000 | [diff] [blame] | 876 | <para>Each byte in memory has 8 associated V (valid-value) bits, |
| 877 | saying whether or not the byte has a defined value, and a single A |
| 878 | (valid-address) bit, saying whether or not the program currently has |
| 879 | the right to read/write that address.</para> |
njn | 3e986b2 | 2004-11-30 10:43:45 +0000 | [diff] [blame] | 880 | </listitem> |
| 881 | |
| 882 | <listitem> |
de | 03e0e7c | 2005-12-03 23:02:33 +0000 | [diff] [blame] | 883 | <para>When memory is read or written, the relevant A bits are |
| 884 | consulted. If they indicate an invalid address, Valgrind emits an |
| 885 | Invalid read or Invalid write error.</para> |
njn | 3e986b2 | 2004-11-30 10:43:45 +0000 | [diff] [blame] | 886 | </listitem> |
| 887 | |
| 888 | <listitem> |
de | 03e0e7c | 2005-12-03 23:02:33 +0000 | [diff] [blame] | 889 | <para>When memory is read into the CPU's registers, the relevant V |
| 890 | bits are fetched from memory and stored in the simulated CPU. They |
| 891 | are not consulted.</para> |
njn | 3e986b2 | 2004-11-30 10:43:45 +0000 | [diff] [blame] | 892 | </listitem> |
| 893 | |
| 894 | <listitem> |
de | 03e0e7c | 2005-12-03 23:02:33 +0000 | [diff] [blame] | 895 | <para>When a register is written out to memory, the V bits for that |
| 896 | register are written back to memory too.</para> |
njn | 3e986b2 | 2004-11-30 10:43:45 +0000 | [diff] [blame] | 897 | </listitem> |
| 898 | |
| 899 | <listitem> |
de | 03e0e7c | 2005-12-03 23:02:33 +0000 | [diff] [blame] | 900 | <para>When values in CPU registers are used to generate a memory |
| 901 | address, or to determine the outcome of a conditional branch, the V |
| 902 | bits for those values are checked, and an error emitted if any of |
| 903 | them are undefined.</para> |
njn | 3e986b2 | 2004-11-30 10:43:45 +0000 | [diff] [blame] | 904 | </listitem> |
| 905 | |
| 906 | <listitem> |
de | 03e0e7c | 2005-12-03 23:02:33 +0000 | [diff] [blame] | 907 | <para>When values in CPU registers are used for any other purpose, |
| 908 | Valgrind computes the V bits for the result, but does not check |
| 909 | them.</para> |
njn | 3e986b2 | 2004-11-30 10:43:45 +0000 | [diff] [blame] | 910 | </listitem> |
| 911 | |
| 912 | <listitem> |
de | 03e0e7c | 2005-12-03 23:02:33 +0000 | [diff] [blame] | 913 | <para>One the V bits for a value in the CPU have been checked, they |
| 914 | are then set to indicate validity. This avoids long chains of |
| 915 | errors.</para> |
njn | 3e986b2 | 2004-11-30 10:43:45 +0000 | [diff] [blame] | 916 | </listitem> |
| 917 | |
| 918 | <listitem> |
de | 03e0e7c | 2005-12-03 23:02:33 +0000 | [diff] [blame] | 919 | <para>When values are loaded from memory, valgrind checks the A bits |
| 920 | for that location and issues an illegal-address warning if needed. |
| 921 | In that case, the V bits loaded are forced to indicate Valid, |
| 922 | despite the location being invalid.</para> |
| 923 | |
| 924 | <para>This apparently strange choice reduces the amount of confusing |
| 925 | information presented to the user. It avoids the unpleasant |
| 926 | phenomenon in which memory is read from a place which is both |
| 927 | unaddressible and contains invalid values, and, as a result, you get |
| 928 | not only an invalid-address (read/write) error, but also a |
| 929 | potentially large set of uninitialised-value errors, one for every |
| 930 | time the value is used.</para> |
| 931 | |
| 932 | <para>There is a hazy boundary case to do with multi-byte loads from |
| 933 | addresses which are partially valid and partially invalid. See |
| 934 | details of the flag <option>--partial-loads-ok</option> for details. |
| 935 | </para> |
njn | 3e986b2 | 2004-11-30 10:43:45 +0000 | [diff] [blame] | 936 | </listitem> |
| 937 | |
| 938 | </itemizedlist> |
| 939 | |
| 940 | |
de | 03e0e7c | 2005-12-03 23:02:33 +0000 | [diff] [blame] | 941 | <para>Memcheck intercepts calls to malloc, calloc, realloc, valloc, |
| 942 | memalign, free, new, new[], delete and delete[]. The behaviour you get |
njn | 3e986b2 | 2004-11-30 10:43:45 +0000 | [diff] [blame] | 943 | is:</para> |
| 944 | |
| 945 | <itemizedlist> |
| 946 | |
| 947 | <listitem> |
de | 03e0e7c | 2005-12-03 23:02:33 +0000 | [diff] [blame] | 948 | <para>malloc/new/new[]: the returned memory is marked as addressible |
| 949 | but not having valid values. This means you have to write on it |
| 950 | before you can read it.</para> |
njn | 3e986b2 | 2004-11-30 10:43:45 +0000 | [diff] [blame] | 951 | </listitem> |
| 952 | |
| 953 | <listitem> |
de | 03e0e7c | 2005-12-03 23:02:33 +0000 | [diff] [blame] | 954 | <para>calloc: returned memory is marked both addressible and valid, |
| 955 | since calloc() clears the area to zero.</para> |
njn | 3e986b2 | 2004-11-30 10:43:45 +0000 | [diff] [blame] | 956 | </listitem> |
| 957 | |
| 958 | <listitem> |
de | 03e0e7c | 2005-12-03 23:02:33 +0000 | [diff] [blame] | 959 | <para>realloc: if the new size is larger than the old, the new |
| 960 | section is addressible but invalid, as with malloc.</para> |
njn | 3e986b2 | 2004-11-30 10:43:45 +0000 | [diff] [blame] | 961 | </listitem> |
| 962 | |
| 963 | <listitem> |
de | 03e0e7c | 2005-12-03 23:02:33 +0000 | [diff] [blame] | 964 | <para>If the new size is smaller, the dropped-off section is marked |
| 965 | as unaddressible. You may only pass to realloc a pointer previously |
| 966 | issued to you by malloc/calloc/realloc.</para> |
njn | 3e986b2 | 2004-11-30 10:43:45 +0000 | [diff] [blame] | 967 | </listitem> |
| 968 | |
| 969 | <listitem> |
de | 03e0e7c | 2005-12-03 23:02:33 +0000 | [diff] [blame] | 970 | <para>free/delete/delete[]: you may only pass to these functions a |
| 971 | pointer previously issued to you by the corresponding allocation |
| 972 | function. Otherwise, Valgrind complains. If the pointer is indeed |
| 973 | valid, Valgrind marks the entire area it points at as unaddressible, |
| 974 | and places the block in the freed-blocks-queue. The aim is to defer |
| 975 | as long as possible reallocation of this block. Until that happens, |
| 976 | all attempts to access it will elicit an invalid-address error, as |
| 977 | you would hope.</para> |
njn | 3e986b2 | 2004-11-30 10:43:45 +0000 | [diff] [blame] | 978 | </listitem> |
| 979 | |
| 980 | </itemizedlist> |
| 981 | |
| 982 | </sect2> |
| 983 | </sect1> |
| 984 | |
| 985 | |
| 986 | |
njn | 3e986b2 | 2004-11-30 10:43:45 +0000 | [diff] [blame] | 987 | <sect1 id="mc-manual.clientreqs" xreflabel="Client requests"> |
| 988 | <title>Client Requests</title> |
| 989 | |
| 990 | <para>The following client requests are defined in |
njn | 1d0825f | 2006-03-27 11:37:07 +0000 | [diff] [blame] | 991 | <filename>memcheck.h</filename>. |
njn | 3e986b2 | 2004-11-30 10:43:45 +0000 | [diff] [blame] | 992 | See <filename>memcheck.h</filename> for exact details of their |
| 993 | arguments.</para> |
| 994 | |
| 995 | <itemizedlist> |
| 996 | |
| 997 | <listitem> |
njn | dbf7ca7 | 2006-03-31 11:57:59 +0000 | [diff] [blame^] | 998 | <para><varname>VALGRIND_MAKE_MEM_NOACCESS</varname>, |
| 999 | <varname>VALGRIND_MAKE_MEM_UNDEFINED</varname> and |
| 1000 | <varname>VALGRIND_MAKE_MEM_DEFINED</varname>. |
njn | 3e986b2 | 2004-11-30 10:43:45 +0000 | [diff] [blame] | 1001 | These mark address ranges as completely inaccessible, |
| 1002 | accessible but containing undefined data, and accessible and |
| 1003 | containing defined data, respectively. Subsequent errors may |
| 1004 | have their faulting addresses described in terms of these |
| 1005 | blocks. Returns a "block handle". Returns zero when not run |
| 1006 | on Valgrind.</para> |
| 1007 | </listitem> |
| 1008 | |
| 1009 | <listitem> |
njn | dbf7ca7 | 2006-03-31 11:57:59 +0000 | [diff] [blame^] | 1010 | <para><varname>VALGRIND_MAKE_MEM_DEFINED_IF_ADDRESSABLE</varname>. |
| 1011 | This is just like <varname>VALGRIND_MAKE_MEM_DEFINED</varname> but only |
| 1012 | affects those bytes that are already addressable.</para> |
| 1013 | </listitem> |
| 1014 | |
| 1015 | <listitem> |
de | 03e0e7c | 2005-12-03 23:02:33 +0000 | [diff] [blame] | 1016 | <para><varname>VALGRIND_DISCARD</varname>: At some point you may |
| 1017 | want Valgrind to stop reporting errors in terms of the blocks |
| 1018 | defined by the previous three macros. To do this, the above macros |
| 1019 | return a small-integer "block handle". You can pass this block |
| 1020 | handle to <varname>VALGRIND_DISCARD</varname>. After doing so, |
| 1021 | Valgrind will no longer be able to relate addressing errors to the |
| 1022 | user-defined block associated with the handle. The permissions |
| 1023 | settings associated with the handle remain in place; this just |
| 1024 | affects how errors are reported, not whether they are reported. |
| 1025 | Returns 1 for an invalid handle and 0 for a valid handle (although |
| 1026 | passing invalid handles is harmless). Always returns 0 when not run |
njn | 3e986b2 | 2004-11-30 10:43:45 +0000 | [diff] [blame] | 1027 | on Valgrind.</para> |
| 1028 | </listitem> |
| 1029 | |
| 1030 | <listitem> |
njn | dbf7ca7 | 2006-03-31 11:57:59 +0000 | [diff] [blame^] | 1031 | <para><varname>VALGRIND_CHECK_MEM_IS_ADDRESSABLE</varname> and |
| 1032 | <varname>VALGRIND_CHECK_MEM_IS_DEFINED</varname>: check immediately |
de | 03e0e7c | 2005-12-03 23:02:33 +0000 | [diff] [blame] | 1033 | whether or not the given address range has the relevant property, |
| 1034 | and if not, print an error message. Also, for the convenience of |
| 1035 | the client, returns zero if the relevant property holds; otherwise, |
| 1036 | the returned value is the address of the first byte for which the |
| 1037 | property is not true. Always returns 0 when not run on |
| 1038 | Valgrind.</para> |
njn | 3e986b2 | 2004-11-30 10:43:45 +0000 | [diff] [blame] | 1039 | </listitem> |
| 1040 | |
| 1041 | <listitem> |
njn | dbf7ca7 | 2006-03-31 11:57:59 +0000 | [diff] [blame^] | 1042 | <para><varname>VALGRIND_CHECK_VALUE_IS_DEFINED</varname>: a quick and easy |
| 1043 | way to find out whether Valgrind thinks a particular value |
| 1044 | (lvalue, to be precise) is addressable and defined. Prints an error |
de | 03e0e7c | 2005-12-03 23:02:33 +0000 | [diff] [blame] | 1045 | message if not. Returns no value.</para> |
njn | 3e986b2 | 2004-11-30 10:43:45 +0000 | [diff] [blame] | 1046 | </listitem> |
| 1047 | |
| 1048 | <listitem> |
de | 03e0e7c | 2005-12-03 23:02:33 +0000 | [diff] [blame] | 1049 | <para><varname>VALGRIND_DO_LEAK_CHECK</varname>: run the memory leak |
| 1050 | detector right now. Returns no value. I guess this could be used |
| 1051 | to incrementally check for leaks between arbitrary places in the |
| 1052 | program's execution. Warning: not properly tested!</para> |
njn | 3e986b2 | 2004-11-30 10:43:45 +0000 | [diff] [blame] | 1053 | </listitem> |
| 1054 | |
| 1055 | <listitem> |
de | 03e0e7c | 2005-12-03 23:02:33 +0000 | [diff] [blame] | 1056 | <para><varname>VALGRIND_COUNT_LEAKS</varname>: fills in the four |
| 1057 | arguments with the number of bytes of memory found by the previous |
| 1058 | leak check to be leaked, dubious, reachable and suppressed. Again, |
| 1059 | useful in test harness code, after calling |
| 1060 | <varname>VALGRIND_DO_LEAK_CHECK</varname>.</para> |
njn | 3e986b2 | 2004-11-30 10:43:45 +0000 | [diff] [blame] | 1061 | </listitem> |
| 1062 | |
| 1063 | <listitem> |
de | 03e0e7c | 2005-12-03 23:02:33 +0000 | [diff] [blame] | 1064 | <para><varname>VALGRIND_GET_VBITS</varname> and |
| 1065 | <varname>VALGRIND_SET_VBITS</varname>: allow you to get and set the |
| 1066 | V (validity) bits for an address range. You should probably only |
| 1067 | set V bits that you have got with |
| 1068 | <varname>VALGRIND_GET_VBITS</varname>. Only for those who really |
njn | 1d0825f | 2006-03-27 11:37:07 +0000 | [diff] [blame] | 1069 | know what they are doing.</para> |
njn | 3e986b2 | 2004-11-30 10:43:45 +0000 | [diff] [blame] | 1070 | </listitem> |
| 1071 | |
| 1072 | </itemizedlist> |
| 1073 | |
| 1074 | </sect1> |
| 1075 | </chapter> |