嵌入式 内存泄漏检测工具valgrind以及mtrace

注意：

1、二进制文件不能strip

2、二进制文件最好使用-g

3、官方文档valgrind:http://valgrind.org/docs/download_docs.html，这是其官方帮助文档，比较全面

 valgrind --tool=memcheck --leak-check=full  ./x86_joseph_qrcode

usage

• x86 平台
• 先编译你自己的应用程序
• 命令行：
  • valgrind --log-file=1 --tool=memcheck ./a.out

error specification

一、有malloc，但未free

• code

  <span style="font-family:Courier New;font-size:10px;">#include <stdio.h>#include <stdlib.h>void main(){        char *p = malloc(20);        sprintf(p, "%s", "test");        fprintf(stderr, "p:%s/n", p);}</span>

• 分析：
  • 文件后部，总体来看，有确定无疑的lost 20字节。如下：

    <span style="font-family:Courier New;font-size:10px;">==26512== LEAK SUMMARY:==26512==    definitely lost: 20 bytes in 1 blocks.</span>

  • 在文件之前描述的内容，细节可以看出，有1个malloc，但未去free。如下：

    <span style="font-family:Courier New;font-size:10px;">==26512== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 11 from 1)==26512== malloc/free: in use at exit: 20 bytes in 1 blocks.==26512== malloc/free: 1 allocs, 0 frees, 20 bytes allocated.</span>

二、free一个未malloc的指针

• code

  <span style="font-family:Courier New;font-size:10px;">void main(){        char p[] = "hello";        fprintf(stderr, "p:%s/n", p);        free(p);}</span>

• 分析：
  • 文件后部，总体来看，有1个错误，0个malloc，1个free。如下：

    <span style="font-family:Courier New;font-size:10px;">==26786== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 11 from 1)==26786== malloc/free: in use at exit: 0 bytes in 0 blocks.==26786== malloc/free: 0 allocs, 1 frees, 0 bytes allocated.</span>

  • 在文件之前描述的内容，细节可以看出，有一个无效的free。如下：

    <span style="font-family:Courier New;font-size:10px;">==26786== Invalid free() / delete / delete[]==26786==    at 0x402265C: free (vg_replace_malloc.c:323)==26786==    by 0x804841F: main (in /home/yutao/test/a.out)</span>

三、stack中，无效的读取，不会提示出错

• code

  <span style="font-family:Courier New;font-size:10px;">void main(){        char p[8] = "hello"; //p在栈上， "hello"在常量区        fprintf(stderr, "p10:%c/n", p[10]);}</span>

• 分析：
  • 读取stack栈中的内容，不会提示错误

    <span style="font-family:Courier New;font-size:10px;">==27452== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 11 from 1)==27452== malloc/free: in use at exit: 0 bytes in 0 blocks.==27452== malloc/free: 0 allocs, 0 frees, 0 bytes allocated.</span>

• 其为局部变量，存贮在stack中，由于p[10]未超出栈的长度，所以没提示出错？

四、heap堆中，无效的读取，会提示出错

• code

  <span style="font-family:Courier New;font-size:10px;">void main(){        char *p = malloc(8);        fprintf(stderr, "p10:%c/n", p[10]);        free(p);}</span>

• 分析：
  • 读取heap堆中的内容，会提示错误，提示无效的1个字节的读取，位置是malloc的8字节的后面第2字节

    <span style="font-family:Courier New;font-size:10px;">==27744== Invalid read of size 1==27744==    at 0x804842A: main (in /home/yutao/test/a.out)==27744==  Address 0x4190032 is 2 bytes after a block of size 8 alloc'd==27744==    at 0x4022AB8: malloc (vg_replace_malloc.c:207)==27744==    by 0x8048420: main (in /home/yutao/test/a.out)==27744====27744== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 11 from 1)==27744== malloc/free: in use at exit: 0 bytes in 0 blocks.==27744== malloc/free: 1 allocs, 1 frees, 8 bytes allocated.</span>

  • malloc的数据在heap堆中。

五、stack上的，无效的写

• code

  <span style="font-family:Courier New;font-size:10px;">void main(){        char p[8] = "hello";        p[10]='a';}</span>

• 分析：
  • 运行时会出错，会打印Backtrace

    <span style="font-family:Courier New;font-size:10px;">*** stack smashing detected ***: ./a.out terminated======= Backtrace: =========/lib/tls/i686/cmov/libc.so.6(__fortify_fail+0x48)[0x412d138]/lib/tls/i686/cmov/libc.so.6(__fortify_fail+0x0)[0x412d0f0]./a.out[0x80483d6]/lib/tls/i686/cmov/libc.so.6(__libc_start_main+0xe0)[0x4056450]./a.out[0x8048331]======= Memory map: ========04000000-0401a000 r-xp 00000000 08:06 682589     /lib/ld-2.7.so</span>

  • 总体，会提示有1个错误，内容是5个malloc，0个free

    <span style="font-family:Courier New;font-size:10px;">==27918== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 13 from 1)==27918== malloc/free: in use at exit: 892 bytes in 5 blocks.==27918== malloc/free: 5 allocs, 0 frees, 892 bytes allocated.==27918== LEAK SUMMARY:==27918==    definitely lost: 0 bytes in 0 blocks.==27918==      possibly lost: 0 bytes in 0 blocks.==27918==    still reachable: 892 bytes in 5 blocks.</span>

  • 文件前面的错误信息是，有一个无效read，读了4个字节。

    <span style="font-family:Courier New;font-size:10px;">==27918== Invalid read of size 4==27918==    at 0x40151F3: (within /lib/ld-2.7.so)==27918==    by 0x4005C69: (within /lib/ld-2.7.so)==27918==    by 0x4007A97: (within /lib/ld-2.7.so)==27918==    by 0x4011543: (within /lib/ld-2.7.so)==27918==    by 0x400D5D5: (within /lib/ld-2.7.so)==27918==    by 0x4010F5D: (within /lib/ld-2.7.so)==27918==    by 0x414E291: (within /lib/tls/i686/cmov/libc-2.7.so)==27918==    by 0x400D5D5: (within /lib/ld-2.7.so)==27918==    by 0x414E454: __libc_dlopen_mode (in /lib/tls/i686/cmov/libc-2.7.so)==27918==    by 0x412A4D8: (within /lib/tls/i686/cmov/libc-2.7.so)==27918==    by 0x412A4D8: (within /lib/tls/i686/cmov/libc-2.7.so)==27918==    by 0x412A669: backtrace (in /lib/tls/i686/cmov/libc-2.7.so)==27918==    by 0x40A3B91: (within /lib/tls/i686/cmov/libc-2.7.so)==27918==  Address 0x4190038 is 16 bytes inside a block of size 19 alloc'd</span>

  • 这个提示的错误信息和代码中的信息，没很好的匹配上，但可以知道是已经出错了。

六、heap堆上，无效的写

• code

  <span style="font-family:Courier New;font-size:10px;">void main(){        char *p = malloc(8);        p[10]='a';        free(p);}</span>

• 分析：
  • 程序运行不会出错
  • 写heap堆中的内容，log会提示错误，提示无效的1个字节的写，位置是malloc的8字节的后面第2字节

    <span style="font-family:Courier New;font-size:10px;">==28351== Invalid write of size 1==28351==    at 0x80483CA: main (in /home/yutao/test/a.out)==28351==  Address 0x4190032 is 2 bytes after a block of size 8 alloc'd==28351==    at 0x4022AB8: malloc (vg_replace_malloc.c:207)==28351==    by 0x80483C0: main (in /home/yutao/test/a.out</span>

Valgrind 是一款 Linux下（支持 x86、x86_64和ppc32）程序的内存调试工具，它可以对编译后的二进制程序进行内存使用监测（C语言中的malloc和free，以及C++中的new和delete），找出内存泄漏问题。

　　Valgrind 中包含的 Memcheck 工具可以检查以下的程序错误：

　　使用未初始化的内存 (Use of uninitialised memory)
　　使用已经释放了的内存 (Reading/writing memory after it has been free’d)
　　使用超过malloc分配的内存空间(Reading/writing off the end of malloc’d blocks)
　　对堆栈的非法访问 (Reading/writing inappropriate areas on the stack)
　　申请的空间是否有释放 (Memory leaks – where pointers to malloc’d blocks are lost forever)
　　malloc/free/new/delete申请和释放内存的匹配(Mismatched use of malloc/new/new [] vs free/delete/delete [])
　　src和dst的重叠(Overlapping src and dst pointers in memcpy() and related functions)
　　重复free

　　1、编译安装 Valgrind：

wget http://valgrind.org/downloads/valgrind-3.4.1.tar.bz2
tar xvf valgrind-3.4.1.tar.bz2
cd valgrind-3.4.1/
./configure --prefix=/usr/local/webserver/valgrind
make
make install

　　2、使用示例：对“ls”程序进程检查，返回结果中的“definitely lost: 0 bytes in 0 blocks.”表示没有内存泄漏。

[root@xoyo42 /]# /usr/local/webserver/valgrind/bin/valgrind --tool=memcheck --leak-check=full ls /
==1157== Memcheck, a memory error detector.
==1157== Copyright (C) 2002-2008, and GNU GPL'd, by Julian Seward et al.
==1157== Using LibVEX rev 1884, a library for dynamic binary translation.
==1157== Copyright (C) 2004-2008, and GNU GPL'd, by OpenWorks LLP.
==1157== Using valgrind-3.4.1, a dynamic binary instrumentation framework.
==1157== Copyright (C) 2000-2008, and GNU GPL'd, by Julian Seward et al.
==1157== For more details, rerun with: -v
==1157==
bin data0 dev home lib64 media mnt opt root selinux sys tcsql.db.idx.pkey.dec ttserver.pid var
boot data1 etc lib lost+found misc net proc sbin srv tcsql.db tmp usr
==1157==
==1157== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 5 from 1)
==1157== malloc/free: in use at exit: 28,471 bytes in 36 blocks.
==1157== malloc/free: 166 allocs, 130 frees, 51,377 bytes allocated.
==1157== For counts of detected errors, rerun with: -v
==1157== searching for pointers to 36 not-freed blocks.
==1157== checked 174,640 bytes.
==1157==
==1157== LEAK SUMMARY:
==1157== definitely lost: 0 bytes in 0 blocks.
==1157== possibly lost: 0 bytes in 0 blocks.
==1157== still reachable: 28,471 bytes in 36 blocks.
==1157== suppressed: 0 bytes in 0 blocks.
==1157== Reachable blocks (those to which a pointer was found) are not shown.
==1157== To see them, rerun with: --leak-check=full --show-reachable=yes

　　3、使用示例：对一个使用libevent库编写的“httptest”程序进程检查，返回结果中的“definitely lost: 255 bytes in 5 blocks.”表示发生内存泄漏。

[root@xoyo42 tcsql-0.1]# /usr/local/webserver/valgrind/bin/valgrind --tool=memcheck --leak-check=full ./httptest
==1274== Memcheck, a memory error detector.
==1274== Copyright (C) 2002-2008, and GNU GPL'd, by Julian Seward et al.
==1274== Using LibVEX rev 1884, a library for dynamic binary translation.
==1274== Copyright (C) 2004-2008, and GNU GPL'd, by OpenWorks LLP.
==1274== Using valgrind-3.4.1, a dynamic binary instrumentation framework.
==1274== Copyright (C) 2000-2008, and GNU GPL'd, by Julian Seward et al.
==1274== For more details, rerun with: -v
==1274==
==1274== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 1005 from 2)
==1274== malloc/free: in use at exit: 402,291 bytes in 74 blocks.
==1274== malloc/free: 15,939 allocs, 15,865 frees, 6,281,523 bytes allocated.
==1274== For counts of detected errors, rerun with: -v
==1274== searching for pointers to 74 not-freed blocks.
==1274== checked 682,468,160 bytes.
==1274==
==1274== 255 bytes in 5 blocks are definitely lost in loss record 17 of 32
==1274== at 0x4A05FBB: malloc (vg_replace_malloc.c:207)
==1274== by 0x3C1D809BC6: evhttp_decode_uri (http.c:2105)
==1274== by 0x401C75: tcsql_handler (in /data0/tcsql/cankao/tcsql-0.1/tcsql)
==1274== by 0x3C1D80C88F: evhttp_get_body (http.c:1582)
==1274== by 0x3C1D8065F7: event_base_loop (event.c:392)
==1274== by 0x403E2F: main (in /data0/tcsql/cankao/tcsql-0.1/tcsql)
==1274==
==1274== LEAK SUMMARY:
==1274== definitely lost: 255 bytes in 5 blocks.
==1274== possibly lost: 0 bytes in 0 blocks.
==1274== still reachable: 402,036 bytes in 69 blocks.
==1274== suppressed: 0 bytes in 0 blocks.
==1274== Reachable blocks (those to which a pointer was found) are not shown.
==1274== To see them, rerun with: --leak-check=full --show-reachable=yes

　　检查httptest程序，发现有一处“char *decode_uri = evhttp_decode_uri(evhttp_request_uri(req));”中的“decode_uri”没有被free，再程序处理完成后加上“free(decode_uri);”后，再使用Valgrind检查，结果已经是“definitely lost: 0 bytes in 0 blocks.”。

 

mtrace:

前言

所有使用动态内存分配(dynamic memory allocation)的程序都有机会遇上内存泄露(memory leakage)问题，在Linux里有三种常用工具来检测内存泄露的情況，包括：

1. mtrace
2. dmalloc
3. memwatch

1. mtrace

mtrace是三款工具之中是最简单易用的，mtrace是一个C函數，在<mcheck.h>里声明及定义，函数原型为：

void mtrace(void);

其实mtrace是类似malloc_hook的 malloc handler，只不过mtrace的handler function已由系统为你写好，但既然如此，系统又怎么知道你想将malloc/free的记录写在哪里呢？为此，调用mtrace()前要先设置 MALLOC_TRACE环境变量：

#include <stdlib.h>
....
setenv("MALLOC_TRACE", "output_file_name", 1);
...

「output_file_name」就是储存检测结果的文件的名称。

但是检测结果的格式是一般人无法理解的，而只要有安装mtrace的话，就会有一名为mtrace的Perl script，在shell输入以下指令：

mtrace [binary] output_file_name

就会将output_file_name的內容转化成能被理解的语句，例如「No memory leaks」，「0x12345678 Free 10 was never alloc」诸如此类。

例如以下有一函数：(暂且放下single entry single exit的原则)

#include <stdio.h>
#include <stdlib.h>
#include <errno.h>
#include <mcheck.h>
int main() {
char *hello;

setenv("MALLOC_TRACE", "output", 1);
mtrace();
if ((hello = (char *) malloc(sizeof(char))) == NULL) {
perror("Cannot allocate memory.");
return -1;
}

return 0;
}

执行后，再用mtrace 将结果输出：

- 0x08049670 Free 3 was never alloc'd 0x42029acc
- 0x080496f0 Free 4 was never alloc'd 0x420dc9e9
- 0x08049708 Free 5 was never alloc'd 0x420dc9f1
- 0x08049628 Free 6 was never alloc'd 0x42113a22
- 0x08049640 Free 7 was never alloc'd 0x42113a52
- 0x08049658 Free 8 was never alloc'd 0x42113a96

Memory not freed:
-----------------
Address Size Caller
0x08049a90 0x1 at 0x80483fe

最后一行标明有一个大小为1 byte的内存尚未释放，大概是指「hello」吧。

若我们把该段内存释放：

#include <stdio.h>
#include <stdlib.h>
#include <errno.h>
#include <mcheck.h>
int main() {
char *hello;

setenv("MALLOC_TRACE", "output", 1);
mtrace();
if ((hello = (char *) malloc(sizeof(char))) == NULL) {
perror("Cannot allocate memory.");
return -1;
}

free(hello);
return 0;
}

结果如下：

- 0x080496b0 Free 4 was never alloc'd 0x42029acc
- 0x08049730 Free 5 was never alloc'd 0x420dc9e9
- 0x08049748 Free 6 was never alloc'd 0x420dc9f1
- 0x08049668 Free 7 was never alloc'd 0x42113a22
- 0x08049680 Free 8 was never alloc'd 0x42113a52
- 0x08049698 Free 9 was never alloc'd 0x42113a96
No memory leaks.

mtrace的原理是记录每一对malloc-free的执行，若每一个malloc都有相应的free，则代表没有内存泄露，对于任何非malloc/free情況下所发生的内存泄露问题，mtrace并不能找出来。