Memcheck: a memory error detector
• When memory is read into the CPU’s registers, the relevant V bits are fetched from memory and stored in the simulated CPU. They are not consulted.
• When a register is written out to memory, the V bits for that register are written back to memory too.
• When values in CPU registers are used to generate a memory address, or to determine the outcome of a conditional branch, the V bits for those values are checked, and an error emitted if any of them are undefined.
• When values in CPU registers are used for any other purpose, Memcheck computes the V bits for the result, but does not check them.
• Once the V bits for a value in the CPU have been checked, they are then set to indicate validity. This avoids long chains of errors.
• When values are loaded from memory, Memcheck checks the A bits for that location and issues an illegal-address warning if needed. In that case, the V bits loaded are forced to indicate Valid, despite the location being invalid. This apparently strange choice reduces the amount of confusing information presented to the user. It avoids the unpleasant phenomenon in which memory is read from a place which is both unaddressable and contains invalid values, and, as a result, you get not only an invalid-address (read/write) error, but also a potentially large set of uninitialised-value errors, one for every time the value is used.
There is a hazy boundary case to do with multi-byte loads from addresses which are partially valid and partially invalid. See the description of the option --partial-loads-ok for details.
Memcheck intercepts calls to malloc, calloc, realloc, valloc, memalign, free, new, new[], delete and delete[]. The behaviour you get is:
• malloc/new/new[]: the returned memory is marked as addressable but not having valid values. This means you have to write to it before you can read it.
• calloc: returned memory is marked both addressable and valid, since calloc clears the area to zero.
• realloc: if the new size is larger than the old, the new section is addressable but invalid, as with malloc. If the new size is smaller, the dropped-off section is marked as unaddressable. You may only pass to realloc a pointer previously issued to you by malloc/calloc/realloc.
• free/delete/delete[]: you may only pass to these functions a pointer previously issued to you by the corresponding allocation function. Otherwise, Memcheck complains. If the pointer is indeed valid, Memcheck marks the entire area it points at as unaddressable, and places the block in the freed-blocks-queue. The aim is to defer as long as possible reallocation of this block. Until that happens, all attempts to access it will elicit an invalid-address error, as you would hope.
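As an added example covering both the V-bit rules above and the allocator behaviour just described (written for this page; not Valgrind's own code), the following C program is meant to be compiled with `-g -O0` and run under `valgrind --tool=memcheck`. Each `_buggy` function provokes exactly one of the reports the text describes while still completing in a normal run; the matching `_ok` function is the corrected form and is silent under Memcheck. The function names and the values 42, 0xAB and 7 are constructed for the example; the message texts quoted in the comments are Memcheck's standard wordings.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* V-bit rule: malloc'd bytes are addressable but undefined. Loading, copying
 * and adding an undefined value are NOT reported; the report appears only when
 * the V bits reach a conditional branch. */
static int uninitialised_branch_buggy(void)
{
    int *p = malloc(sizeof *p);      /* A bits: valid; V bits: undefined */
    int copy = *p;                   /* load: V bits travel with the value, no error */
    int sum = copy + 1;              /* arithmetic: result V bits computed, not checked */
    if (sum > 0)                     /* "Conditional jump or move depends on
                                        uninitialised value(s)" is reported here */
        puts("positive");
    free(p);
    return sum;                      /* unspecified in a normal run */
}

static int uninitialised_branch_ok(void)
{
    int *p = calloc(1, sizeof *p);   /* calloc: addressable AND defined (zeroed) */
    if (!p) return -1;
    int sum = *p + 42;               /* fully defined, so the branch below is silent */
    int result = 0;
    if (sum > 0)
        result = sum;
    free(p);
    return result;                   /* 42 */
}

/* realloc rule: shrinking marks the dropped tail unaddressable; growing leaves
 * the new tail addressable but undefined until it is written. */
static int realloc_shrink_buggy(void)
{
    unsigned char *buf = malloc(16);
    memset(buf, 0xAB, 16);           /* all 16 bytes now defined */
    buf = realloc(buf, 8);           /* bytes 8..15 become unaddressable */
    int v = buf[12];                 /* "Invalid read of size 1" */
    free(buf);
    return v;
}

static int realloc_grow_ok(void)
{
    unsigned char *buf = malloc(8);
    if (!buf) return -1;
    memset(buf, 0xAB, 8);
    unsigned char *grown = realloc(buf, 16);   /* bytes 8..15: addressable, undefined */
    if (!grown) { free(buf); return -1; }
    buf = grown;
    memset(buf + 8, 0, 8);           /* define the new tail before reading it */
    int sum = 0;
    for (int i = 0; i < 16; i++)     /* loop only branches on i, which is defined */
        sum += buf[i];
    free(buf);
    return sum;                      /* 8 * 0xAB = 1368 */
}

/* free rule: the whole block becomes unaddressable and is parked in the
 * freed-blocks queue, so a stale access is reported as an invalid address
 * instead of silently hitting recycled memory. */
static int use_after_free_buggy(void)
{
    int *p = malloc(sizeof *p);
    *p = 7;
    free(p);                         /* A bits cleared, block queued */
    int v = *p;                      /* "Invalid read of size 4 ... inside a block
                                        of size 4 free'd" */
    if (v == 7)                      /* silent: the loaded V bits were forced to
                                        Valid, so there is no second, cascading
                                        uninitialised-value report */
        puts("stale value still there");
    return v;                        /* unspecified: the allocator may have reused it */
}

static int use_after_free_ok(void)
{
    int *p = malloc(sizeof *p);
    if (!p) return -1;
    *p = 7;                          /* write before read: V bits become defined */
    int saved = *p;                  /* copy out what is needed before freeing */
    free(p);
    p = NULL;                        /* a later deref is a clean NULL fault, not a stale read */
    return saved;                    /* 7 */
}

int main(void)
{
    printf("branch on uninitialised: %d\n", uninitialised_branch_buggy());
    printf("read past shrunk realloc: %d\n", realloc_shrink_buggy());
    printf("read after free: %d\n", use_after_free_buggy());
    printf("corrected forms: %d %d %d\n",
           uninitialised_branch_ok(), realloc_grow_ok(), use_after_free_ok());
    return 0;
}
```

Running the binary under Memcheck produces three reports, one per `_buggy` function, and none for the `_ok` functions. Note in particular that `use_after_free_buggy` gets a single invalid-read report: the branch on `v` is not reported a second time, which is the "apparently strange choice" the text explains.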
4.6. Memcheck Monitor Commands
The Memcheck tool provides monitor commands handled by Valgrind’s built-in gdbserver (see Monitor command handling by the Valgrind gdbserver).