[PE] Valgrind tool to detect memory errors, example analysis

### Date: 2017/10/15

### Author: SoaringLee

Valgrind tool to detect memory errors

Valgrind is an open-source tool for detecting memory problems; it can be used to find memory leaks in applications under Linux. It cannot, however, detect out-of-bounds access to a static array (one allocated on the stack); for that class of problem a static checker such as Coverity can be used. Valgrind is very useful for diagnosing memory leaks, and the related cases are collected below.

1. Memory leak

1.1 Error message
   are definitely lost in loss record

1.2 C source code mem_leak.c
#include <stdio.h>
#include <stdlib.h>

void memcheck()
{
  char* p = (char*)malloc(20);  /* allocated but never freed: a definite leak */
}

int main()
{
  memcheck();
  return 0;
}

1.3 Using commands


1.4 Test results


2. File pointer resource leak

2.1 Error message
  FILE DESCRIPTORS: 4 open at exit

2.2 Source code
#include <stdio.h>
#include <stdlib.h>

void fopencheck()
{
  FILE* p = fopen("test.txt","w");  /* opened but never fclose()d: descriptor still open at exit */
}

int main()
{
  fopencheck();
  return 0;
}

2.3 Test Results

3. Dynamic memory out of bounds

3.1 Error message
   Invalid write
3.2 Source code
#include <stdio.h>
#include <stdlib.h>

void memcheck()
{
  char* p = malloc(1);
  *(short*)p = 2;   /* writes 2 bytes into a 1-byte heap block: invalid write */
  free(p);
}

int main()
{
  memcheck();
  return 0;
}

3.3 Test Results

4. Unable to detect array out of bounds

4.1 Error message
   No error is reported: out-of-bounds access to a static array allocated on the stack is not detected

4.2 Source code
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

void memcheck()
{
   char array[3];
   strcpy(array,"hello");  /* copies 6 bytes into a 3-byte stack array; memcheck does not flag this */
}

int main()
{
  memcheck();
  return 0;
}

4.3 Test results

5. The memory is released two or more times

5.1 Error message
  Invalid free()/delete/delete[]/realloc()

5.2 Source code
#include <stdio.h>
#include <stdlib.h>

void memcheck()
{
  char* p = (char*)malloc(20);
  free(p);
  free(p);   /* second free of the same pointer: invalid free() */
}

int main()
{
  memcheck();
  return 0;
}

5.3 Test results

6. Using a wild pointer

6.1 Error message
    Invalid write of size

6.2 Source code
#include <stdio.h>
#include <stdlib.h>

void memcheck()
{
  char* p = (void*)0x80808080;  /* arbitrary address that was never mapped or allocated */
  *p = 10;                      /* invalid write through the wild pointer */
}

int main()
{
  memcheck();
  return 0;
}

6.3 Test results

7. Freeing a wild pointer

7.1 Error message
   Invalid free()/delete/delete[]/realloc()

7.2 Source code
#include <stdio.h>
#include <stdlib.h>

void memcheck()
{
  char* p;    /* never initialized: holds whatever was on the stack */
  free(p);    /* freeing it is an invalid free() */
}

int main()
{
  memcheck();
  return 0;
}


7.3 Test results

8. Main valgrind options

  • -h, --help
Show help for all options, including those of the core and of the selected tool.
  • --help-debug
Same as --help, but also show the debugging options normally used only by valgrind developers.
  • --version
Show the version number of the valgrind core.
  • -q, --quiet
Run quietly, printing only error messages (those concerning the program being debugged).
  • -v, --verbose
Show detailed information.
  • --tool=<toolname> [default: memcheck]
Run the Valgrind tool named by toolname, for example memcheck, addrcheck or cachegrind.
  • --log-file=<file>
Make valgrind write all of its output to the given file.
  • --trace-children=<yes|no> [default: no]
When this option is on, valgrind follows into child processes. This is often confusing and usually not what you want, so it is off by default.


9. Common errors

  • malloc/free: in use at exit - memory not released before exit
  • invalid write of size - illegal memory write, usually an array out of bounds
  • invalid read of size - illegal memory read, usually an array out of bounds
  • definitely lost / possibly lost / still reachable in loss record - memory not freed
  • invalid free()/delete/delete[] - the same pointer freed more than once
  • source and destination overlap - usually caused by strncpy or memcpy
  • syscall param contains uninitialised byte(s) - an uninitialized variable passed to a system call
  • conditional jump or move depends on uninitialised value(s) - a condition evaluated on an uninitialized variable
  • access not within mapped region / stack overflow - stack overflow
  • mismatched free()/delete/delete[] - new/delete mismatched with malloc/free
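The options in section 8 and the messages in section 9 are most useful when a script runs memcheck and then decides pass/fail from the log. The following POSIX sh script is an added example, not code from the original post: it runs a binary with the options discussed above (plus --error-exitcode, which is a real valgrind flag) and greps the log for the three summary lines that correspond to the error classes in this page. The sample log is constructed and abridged; the PID prefix 4242 and the file name mem_oob.c are invented.

```shell
#!/bin/sh
# Constructed, abridged memcheck log in the shape valgrind prints with
# --leak-check=full --track-fds=yes (PID 4242 and mem_oob.c are made up).
SAMPLE_LOG=$(cat <<'EOF'
==4242== Memcheck, a memory error detector
==4242== Invalid write of size 2
==4242==    at 0x10915E: memcheck (mem_oob.c:7)
==4242==
==4242== FILE DESCRIPTORS: 4 open at exit.
==4242==
==4242== HEAP SUMMARY:
==4242==     in use at exit: 20 bytes in 1 blocks
==4242== LEAK SUMMARY:
==4242==    definitely lost: 20 bytes in 1 blocks
==4242==    indirectly lost: 0 bytes in 0 blocks
==4242==      possibly lost: 0 bytes in 0 blocks
==4242==    still reachable: 0 bytes in 0 blocks
==4242== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)
EOF
)

# Run a binary under memcheck with the options from section 8, sending the
# report to its own log file so it is not mixed with the program's output.
run_memcheck() {
    bin=$1; log=$2
    valgrind --tool=memcheck --leak-check=full --track-fds=yes \
             --error-exitcode=99 --log-file="$log" "$bin" >/dev/null 2>&1
}

# Print the counters and return 1 if the log shows any error, any definitely
# lost block, or more than the 3 standard descriptors (0,1,2) open at exit.
check_memcheck_log() {
    log=$1
    errors=$(sed -n 's/^==[0-9]*== ERROR SUMMARY: \([0-9]*\) errors.*/\1/p' "$log")
    lost=$(sed -n 's/^==[0-9]*== *definitely lost: \([0-9]*\) bytes.*/\1/p' "$log")
    fds=$(sed -n 's/^==[0-9]*== FILE DESCRIPTORS: \([0-9]*\) open.*at exit.*/\1/p' "$log")
    errors=${errors:-0}; lost=${lost:-0}; fds=${fds:-3}
    echo "errors=$errors definitely_lost=$lost fds_open=$fds"
    [ "$errors" -eq 0 ] && [ "$lost" -eq 0 ] && [ "$fds" -le 3 ]
}

# Demonstration on the constructed log: prints the counters, then FAIL.
printf '%s\n' "$SAMPLE_LOG" > "${TMPDIR:-/tmp}/memcheck_sample.log"
if check_memcheck_log "${TMPDIR:-/tmp}/memcheck_sample.log"; then echo PASS; else echo FAIL; fi
```

In a build pipeline the two functions are chained, `run_memcheck ./a.out mc.log; check_memcheck_log mc.log || exit 1`, so a leaked block, a leaked descriptor or an invalid access fails the job.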
