11. SGCheck: an experimental stack and global array overrun detector
To use this tool, you must specify --tool=exp-sgcheck on the Valgrind command line.
11.1. Overview
SGCheck is a tool for finding overruns of stack and global arrays.
It works by using a heuristic approach derived
from an observation about the likely forms of stack and global array accesses.
11.2. SGCheck Command-line Options
There are no SGCheck-specific command-line options at present.
11.3. How SGCheck Works
When a source file is compiled with -g, the compiler attaches DWARF3 debugging information which describes the location of all stack and global arrays in the file. Checking of accesses to such arrays would then be relatively simple, if the compiler could also tell us which array (if any) each memory referencing instruction was supposed to access. Unfortunately the DWARF3 debugging format does not provide a way to represent such information, so we have to resort to a heuristic technique to approximate it.
The key observation is that if a memory referencing instruction accesses inside a stack or global array once, then it is highly likely to always access that same array.
To see how this might be useful, consider the following buggy fragment:
void f(void)
{
    int i, a[10];                 // both are auto vars
    for (i = 0; i <= 10; i++)     // off by one: the 11th store lands past a[9]
        a[i] = 42;
}
At run time we will know the precise address of a[] on the stack, and so we can observe that the first store resulting from a[i] = 42 writes a[], and we will (correctly) assume that that instruction is intended always to access a[]. Then, on the 11th iteration, it accesses somewhere else, possibly a different local, possibly an unaccounted-for area of the stack (e.g., a spill slot), so SGCheck reports an error.
There is an important caveat. Imagine a function such as memcpy, which is used to read and write many different areas of memory over the lifetime of the program. If we insist that the read and write instructions in its memory copying loop only ever access one particular stack or global variable, we will be flooded with errors resulting from calls to memcpy.
To avoid this problem, SGCheck instantiates fresh likely-target records for each entry to a function, and discards them on exit. This allows detection of cases where (e.g.) memcpy overflows its source or destination buffers for any specific call, but does not carry any restriction from one call to the next. Indeed, multiple threads may make multiple simultaneous calls to (e.g.) memcpy without mutual interference.
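The following Python model is an added illustration of the heuristic described above; it is not Valgrind's own code and is deliberately simpler than the real tool (it binds each instruction to the first array it touches and reports any later access outside that array, with one record table per function activation). The array addresses, instruction addresses (PCs), the memcpy instruction pair and the names Block, SGCheckModel, loop_overrun and memcpy_calls are all constructed for the example. It replays both scenarios: the off-by-one loop, where the 11th store is flagged, and two memcpy calls on unrelated buffers, which stay silent because the records are reset on entry, followed by a single over-long memcpy call that is caught.

```python
# Added example (not Valgrind's own code): a simplified model of SGCheck's
# likely-target heuristic, run over a constructed access trace.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Block:
    """A stack or global array, as the DWARF info would locate it (constructed)."""
    name: str
    base: int
    size: int

    def contains(self, addr: int) -> bool:
        return self.base <= addr < self.base + self.size


Error = Tuple[str, int, int, str, Optional[str]]  # (fn, pc, addr, expected, actual)


class SGCheckModel:
    """Each memory-referencing instruction (keyed by PC) is bound to the first
    array it touches; the binding table is created on function entry and
    discarded on exit, so separate calls never constrain each other."""

    def __init__(self, blocks: List[Block]):
        self.blocks = blocks
        self.frames: List[Dict[int, Block]] = []  # one record table per live call
        self.errors: List[Error] = []

    def enter(self) -> None:
        self.frames.append({})

    def leave(self) -> None:
        self.frames.pop()

    def _owner(self, addr: int) -> Optional[Block]:
        for b in self.blocks:
            if b.contains(addr):
                return b
        return None  # spill slot, padding, heap: nothing DWARF told us about

    def access(self, fn: str, pc: int, addr: int) -> None:
        records = self.frames[-1]
        owner = self._owner(addr)
        if pc not in records:
            if owner is not None:
                records[pc] = owner  # first in-array access binds this instruction
            return
        expected = records[pc]
        if owner != expected:
            self.errors.append((fn, pc, addr, expected.name,
                                owner.name if owner else None))


def loop_overrun() -> List[Error]:
    """for (i = 0; i <= 10; i++) a[i] = 42;  -- one store instruction, 11 stores."""
    a = Block("a", 0x1000, 40)           # int a[10], 4-byte ints (assumed layout)
    other = Block("other", 0x1028, 8)    # whatever the compiler placed after a[]
    m = SGCheckModel([a, other])
    STORE = 0x400100                     # constructed PC of the a[i] = 42 store
    m.enter()
    for i in range(11):                  # i <= 10 is the off-by-one
        m.access("f", STORE, 0x1000 + 4 * i)
    m.leave()
    return m.errors


def memcpy_model(m: SGCheckModel, src: int, dst: int, n: int) -> None:
    """A byte-copy loop: one load and one store instruction, fresh records per call."""
    LOAD, STORE = 0x400200, 0x400204     # constructed PCs inside memcpy's loop
    m.enter()
    for k in range(n):
        m.access("memcpy", LOAD, src + k)
        m.access("memcpy", STORE, dst + k)
    m.leave()


def memcpy_calls() -> Tuple[List[Error], List[Error]]:
    bufs = [Block("x", 0x2000, 16), Block("y", 0x2010, 16),
            Block("p", 0x3000, 16), Block("q", 0x3010, 16)]
    m = SGCheckModel(bufs)
    memcpy_model(m, 0x2000, 0x2010, 16)  # x -> y
    memcpy_model(m, 0x3000, 0x3010, 16)  # p -> q: different buffers, no complaint
    after_two_good_calls = list(m.errors)
    memcpy_model(m, 0x3000, 0x3010, 20)  # n too large: 4 bytes past p and past q
    return after_two_good_calls, m.errors


if __name__ == "__main__":
    print(loop_overrun())
    print(memcpy_calls())
```

In the over-long call the load instruction, bound to p, wanders into q and the store instruction, bound to q, runs off into memory no array covers, so both are reported for each of the four excess bytes; the two earlier calls on unrelated buffers report nothing, which is exactly the per-call reset the text describes.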