C语言 --段错误（核心已转储）

文章原地址：https://blog.csdn.net/qq_29350001/article/details/53780697

参看：Linux下的段错误产生的原因及调试方法

参看：Linux环境下段错误的产生原因及调试方法小结

参看：维基百科--Segmentation fault

参看：LINUX内核段错误调试详细指南精品培训PPT讲义

一、什么是段错误？

一旦一个程序发生了越界访问，cpu 就会产生相应的保护，于是 segmentation fault 就出现了，通过上面的解释，段错误应该就是访问了不可访问的内存，这个内存区要么是不存在的，要么是受到系统保护的，还有可能是缺少文件或者文件损坏。

二、段错误产生的原因

下面是一些典型的段错误的原因:
非关联化空指针——这是特殊情况由内存管理硬件
试图访问一个不存在的内存地址(在进程的地址空间)
试图访问内存的程序没有权利(如内核结构流程上下文)
试图写入只读存储器(如代码段)

1、访问不存在的内存地址

在C代码,分割错误通常发生由于指针的错误使用,特别是在C动态内存分配。非关联化一个空指针总是导致段错误,但野指针和悬空指针指向的内存,可能会或可能不会存在,而且可能或不可能是可读的还是可写的,因此会导致瞬态错误。

#include <stdio.h>

int main (void)
{
    int *ptr = NULL;
    *ptr = 0;
    return 0;
}
输出结果：
段错误（核心已转储）

现在,非关联化这些变量可能导致段错误:非关联化空指针通常会导致段错误,阅读时从野指针可能导致随机数据但没有段错误,和阅读从悬空指针可能导致有效数据,然后随机数据覆盖。

2、访问系统保护的内存地址 

#include <stdio.h>

int main (void)
{
    int *ptr = (int *)0;
    *ptr = 100;
    return 0;
}
输出结果:
段错误（核心已转储）

3、访问只读的内存地址

写入只读存储器提出了一个 segmentation fault,这个发生在程序写入自己的一部分代码段或者是只读的数据段,这些都是由操作系统加载到只读存储器。

#include <stdio.h>
#include <string.h>

int main (void)
{
    char *ptr = "test";
    strcpy (ptr, "TEST");
    return 0;
}
输出结果：
段错误（核心已转储）

#include <stdio.h>

int main (void)
{
    char *ptr = "hello";
    *ptr = 'H';
    return 0;
}
输出结果：
段错误（核心已转储）

上述例子ANSI C代码通常会导致段错误和内存保护平台。它试图修改一个字符串文字,这是根据ANSI C标准未定义的行为。大多数编译器在编译时不会抓,而是编译这个可执行代码,将崩溃。

包含这个代码被编译程序时,字符串“hello”位于rodata部分程序的可执行文件的只读部分数据段。当加载时,操作系统与其他字符串和地方常数只读段的内存中的数据。当执行时,一个变量 ptr 设置为指向字符串的位置,并试图编写一个H字符通过变量进入内存,导致段错误。编译程序的编译器不检查作业的只读的位置在编译时,和运行类unix操作系统产生以下运行时发生 segmentation fault。

可以纠正这个代码使用一个数组而不是一个字符指针,这个栈上分配内存并初始化字符串的值:

#include <stdio.h>

int main (void)
{
    char ptr[] = "hello";
    ptr[0] = 'H';
    return 0;
}

即使不能修改字符串(相反,这在C标准未定义行为),在C char *类型,所以没有隐式转换原始代码,在c++的 const char *类型,因此有一个隐式转换,所以编译器通常会抓住这个特定的错误。

4、空指针废弃

因为是一个很常见的程序错误空指针废弃（读或写在一个空指针，用于C的意思是“没有对象指针”作为一个错误指示器），大多数操作系统内存访问空指针的地址，这样它会导致段错误。

#include <stdio.h>

int main (void)
{
    int *ptr = NULL;
    printf ("%d\n", *ptr);
    return 0;
}
输出结果：
段错误（核心已转储）

这个示例代码创建了一个空指针，然后试图访问它的值（读值）。在运行时在许多操作系统中，这样做会导致段错误。

非关联化一个空指针，然后分配（写一个值到一个不存在的目标）也通常会导致段错误。

#include <stdio.h>

int main (void)
{
    int *ptr = NULL;
    *ptr = 1;
    return 0;
}
输出结果：
段错误（核心已转储）

下面的代码包含一个空指针，但当编译通常不会导致段错误，值是未使用的。因此，废弃通常会被优化掉，死代码消除。

#include <stdio.h>

int main (void)
{
    int *ptr = NULL;
    *ptr;
    return 0;
}

还有，比如malloc 动态分配内存，释放、置空完成后，不可再使用该指针。

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

int main()
{
    char* str=(char* )malloc(100);
    if(*str)
    {
        return;
    }
    strcpy(str,"hello");
    printf("%s\n",str);
    free(str);
    str=NULL;
    strcpy(str,"abcdef");
    return 0;
}
输出结果：
hello
段错误 (核心已转储)

5、堆栈溢出

#include <stdio.h>
#include <string.h>

int main (void)
{
    main ();
    return 0;
}
输出结果：
段错误（核心已转储）

上述例子的无限递归，导致的堆栈溢出会导致段错误，但无线递归未必导致堆栈溢出，优化执行的编译器和代码的确切结构。在这种情况下，遥不可及的代码（返回语句）行为是未定义的。因此，编译器可以消除它，使用尾部调用优化，可能导致没有堆栈使用。其他优化可能包括将递归转换成迭代，给出例子的结构功能永远会导致程序运行，虽然可能不是其他堆栈溢出。

6、内存越界（数组越界，变量类型不一致等）

#include <stdio.h>

int main (void)
{
    char test[10];
    printf ("%c\n", test[100000]);
    return 0;
}
输出结果：
段错误（核心已转储）

三、段错误信息的获取

程序发生段错误时，提示信息很少，下面有几种查看段错误的发生信息的途径。

1、dmesg

dmesg 可以在应用程序崩溃时，显示内存中保存的相关信息。如下所示，通过 dmesg 命令可以查看发生段错误的程序名称、引起段错误发生的内存地址、指令指针地址、堆栈指针地址、错误代码、错误原因等。

root@#dmesg
[ 6357.422282] a.out[3044]: segfault at 806851c ip b75cd668 sp bf8b2100 error 4 in libc-2.15.so[b7559000+19f000]

2、-g

使用gcc编译程序的源码时，加上 -g 参数，这样可以使得生成的二进制文件中加入可以用于 gdb 调试的有用信息。

参看：C语言再学习 -- GCC编译过程

可产生供gdb调试用的可执行文件，大小明显比只用-o选项编译汇编连接后的文件大。

root@ubuntu:/home/tarena/project/c_test# gcc hello.c
root@ubuntu:/home/tarena/project/c_test# ls -la a.out
-rwxr-xr-x 1 root root 7159 Nov 26 23:32 a.out
root@ubuntu:/home/tarena/project/c_test# gcc -g hello.c
root@ubuntu:/home/tarena/project/c_test# ls -la a.out
-rwxr-xr-x 1 root root 8051 Nov 26 23:32 a.out

gdb的简单使用：

(gdb)l  列表（list）
(gdb)r  执行（run）
(gdb)n  下一个（next）
(gdb)q  退出（quit）
(gdb)p  输出（print）
(gdb)c  继续（continue）
(gdb)b 4 设置断点（break）
(gdb)d   删除断点（delete）

root@ubuntu:/home/tarena/project/c_test# gdb a.out
GNU gdb (Ubuntu/Linaro 7.4-2012.02-0ubuntu2) 7.4-2012.02
Copyright (C) 2012 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "i686-linux-gnu".
For bug reporting instructions, please see:
<http://bugs.launchpad.net/gdb-linaro/>...
Reading symbols from /home/tarena/project/c_test/a.out...done.
(gdb) l
1   #include <stdio.h>
2   int main (void)
3   {
4       printf ("hello world!\n");
5       return 0;
6   }
(gdb) r
Starting program: /home/tarena/project/c_test/a.out
hello world!
[Inferior 1 (process 6906) exited normally]
(gdb) q
root@ubuntu:/home/tarena/project/c_test#

3、nm

使用 nm 命令列出二进制文件中符号表，包括符号地址、符号类型、符号名等。这样可以帮助定位在哪里发生了段错误。

root@# nm a.out
08049f28 d _DYNAMIC
08049ff4 d _GLOBAL_OFFSET_TABLE_
080484ac R _IO_stdin_used
         w _Jv_RegisterClasses
08049f18 d __CTOR_END__
08049f14 d __CTOR_LIST__
08049f20 D __DTOR_END__
08049f1c d __DTOR_LIST__
080485a4 r __FRAME_END__
08049f24 d __JCR_END__
08049f24 d __JCR_LIST__
0804a010 A __bss_start
0804a008 D __data_start
08048460 t __do_global_ctors_aux
08048330 t __do_global_dtors_aux
0804a00c D __dso_handle
         w __gmon_start__
08048452 T __i686.get_pc_thunk.bx
08049f14 d __init_array_end
08049f14 d __init_array_start
08048450 T __libc_csu_fini
080483e0 T __libc_csu_init
         U __libc_start_main@@GLIBC_2.0
0804a010 A _edata
0804a018 A _end
0804848c T _fini
080484a8 R _fp_hw
08048294 T _init
08048300 T _start
0804a010 b completed.6159
0804a008 W data_start
0804a014 b dtor_idx.6161
08048390 t frame_dummy
080483b4 T main

4、ldd

使用 ldd 命令查看二进制程序的共享链接库依赖，包括库的名称、起始地址，这样可以确定段错误到底是发生在了自己的程序中还是依赖的共享库中。

root@t# ldd a.out
    linux-gate.so.1 =>  (0xb7765000)
    libc.so.6 => /lib/i386-linux-gnu/libc.so.6 (0xb75ac000)
    /lib/ld-linux.so.2 (0xb7766000)

四、段错误的调试方法

接下来的讲解是围绕下面的代码进行的：

#include <stdio.h>

int main (void)
{
    int *ptr = NULL;
    *ptr = 10;
    return 0;
}
输出结果：
段错误（核心已转储）

1、使用 printf 输出信息

这个是看似最简单，但往往很多情况下十分有效的调试方式，也许可以说是程序员用的最多的调试方式。简单来说，就是在程序的重要代码附近加上像 printf 这类输出信息，这样可以跟踪并打印出段错误在代码中可能出现的位置。

为了方便使用这种方法，可以使用条件编译指令 #define DEBUG 和 #endif 把 printf 函数包起来。这样在程序编译时，如果加上 -DDEBUG 参数就可以查看调试信息；否则不加上参数就不会显示调试信息。

参看：C语言再学习 -- C 预处理器

2、使用 gcc 和 gdb

1）调试步骤

A、为了能够使用 gdb 调试程序，在编译阶段加上 -g 参数。

root@# gcc -g test.c

B、使用 gdb 命令调试程序

root@# gdb a.out
GNU gdb (Ubuntu/Linaro 7.4-2012.02-0ubuntu2) 7.4-2012.02
Copyright (C) 2012 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "i686-linux-gnu".
For bug reporting instructions, please see:
<http://bugs.launchpad.net/gdb-linaro/>...
Reading symbols from /home/tarena/project/c_test/a.out...done.
(gdb)

C、进入 gdb 后，运行程序

(gdb) r
Starting program: /home/tarena/project/c_test/a.out

Program received signal SIGSEGV, Segmentation fault.
0x080483c4 in main () at test.c:6
6       *ptr = 10;
(gdb)

从输出看出，程序收到 SIGSEGV 信号，触发段错误，并提示地址 0x080483c4、创建了一个空指针，然后试图访问它的值（读值）。

可以通过man 7 signal查看SIGSEGV的信息

Signal     Value     Action   Comment
      ──────────────────────────────────────────────────────────────────────
      SIGHUP        1       Term    Hangup detected on controlling terminal
                                    or death of controlling process
      SIGINT        2       Term    Interrupt from keyboard
      SIGQUIT       3       Core    Quit from keyboard
      SIGILL        4       Core    Illegal Instruction
      SIGABRT       6       Core    Abort signal from abort(3)
      SIGFPE        8       Core    Floating point exception
      SIGKILL       9       Term    Kill signal
      SIGSEGV      11       Core    Invalid memory reference
      SIGPIPE      13       Term    Broken pipe: write to pipe with no
                                    readers
      SIGALRM      14       Term    Timer signal from alarm(2)
      SIGTERM      15       Term    Termination signal
      SIGUSR1   30,10,16    Term    User-defined signal 1
      SIGUSR2   31,12,17    Term    User-defined signal 2
      SIGCHLD   20,17,18    Ign     Child stopped or terminated
      SIGCONT   19,18,25    Cont    Continue if stopped
      SIGSTOP   17,19,23    Stop    Stop process
      SIGTSTP   18,20,24    Stop    Stop typed at tty
      SIGTTIN   21,21,26    Stop    tty input for background process
      SIGTTOU   22,22,27    Stop    tty output for background process

      The signals SIGKILL and SIGSTOP cannot be caught, blocked, or ignored.

D、完成调试后，输入 q 命令退出 gdb

(gdb) q
A debugging session is active.

    Inferior 1 [process 3483] will be killed.

Quit anyway? (y or n) y

2）适用场景

A、仅当能确定程序一定会发生段错误的情况下适用。

B、当程序的源码可以获得的情况下，使用 -g 参数编译程序

C、一般用于测试阶段，生产环境下 gdb 会有副作用：使程序运行减慢，运行不够稳定，等等。

D、即使在测试阶段，如果程序过于复杂，gdb 也不能处理。

3、使用 core 文件和 gdb

上面有提到段错误触发SIGSEGV信号，通过man 7 signal，可以看到SIGSEGV默认的处理程序（handler）会打印段错误信息，并产生 core 文件，由此我们可以借助于程序异常退出生成的 core 文件中的调试信息，使用 gdb 工具来调试程序中的段错误。

1）调试步骤

A、在一些Linux版本下，默认是不产生 core 文件的，首先可以查看一下系统 core 文件的大小限制：

root@# ulimit -c
0

B、可以看到默认设置情况下，本机Linux环境下发生段错误不会自动生成 core 文件，下面设置下 core 文件的大小限制（单位为KB）

root@# ulimit -c 1024
root@# ulimit -c
1024

C、运行程序，发生段错误生成的 core 文件

root@# ./a.out
段错误 (核心已转储)

D、加载 core 文件，使用 gdb 工具进行调试

root@ubuntu:/home/tarena/project/c_test# gdb a.out core
GNU gdb (Ubuntu/Linaro 7.4-2012.02-0ubuntu2) 7.4-2012.02
Copyright (C) 2012 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "i686-linux-gnu".
For bug reporting instructions, please see:
<http://bugs.launchpad.net/gdb-linaro/>...
Reading symbols from /home/tarena/project/c_test/a.out...done.
[New LWP 3491]

warning: Can't read pathname for load map: 输入/输出错误.
Core was generated by `./a.out'.
Program terminated with signal 11, Segmentation fault.
#0  0x080483c4 in main () at test.c:6
6       *ptr = 10;
(gdb)

从输出看出，可以显示出异样的段错误信息

E、完成调试后，输入 q 命令退出 gdb

(gdb) q

2）适用场景

A、适合于在实际生成环境下调试程度的段错误（即在不用重新发生段错误的情况下重现段错误）

B、当程序很复杂，core 文件相当大时，该方法不可用

4、使用 objdump

1）调试步骤

A、使用 dmesg 命令，找到最近发生的段错误输入信息

root@# dmesg
[  372.350652] a.out[2712]: segfault at 0 ip 080483c4 sp bfd1f7b8 error 6 in a.out[8048000+1000]

其中，对我们接下来的调试过程有用的是发生段错误的地址 0 和指令指针地址 080483c4。

有时候,“地址引起的错”可以告诉你问题的根源。看到上面的例子,我们可以说，int *ptr = NULL; *ptr = 10;，创建了一个空指针，然后试图访问它的值（读值）。

B、使用 objdump 生成二进制的相关信息，重定向到文件中

root@# objdump -d a.out > a.outDump
root@# ls
a.out  a.outDump  core  test.c

其中，生成的 a.outDump 文件中包含了二进制文件的 a.out 的汇编代码

C、在 a.outDump 文件中查找发生段错误的地址

root@ubuntu:/home/tarena/project/c_test# grep -n -A 10 -B 10 "0" a.outDump
1-
2-a.out:     file format elf32-i386

118:080483b4 <main>:
119: 80483b4:   55                      push   %ebp
120: 80483b5:   89 e5                   mov    %esp,%ebp
121: 80483b7:   83 ec 10                sub    $0x10,%esp
122: 80483ba:   c7 45 fc 00 00 00 00    movl   $0x0,-0x4(%ebp)
123: 80483c1:   8b 45 fc                mov    -0x4(%ebp),%eax
124: 80483c4:   c7 00 0a 00 00 00       movl   $0xa,(%eax)
125: 80483ca:   b8 00 00 00 00          mov    $0x0,%eax
126: 80483cf:   c9                      leave
127: 80483d0:   c3                      ret
128: 80483d1:   90                      nop
129: 80483d2:   90                      nop
130: 80483d3:   90                      nop
131: 80483d4:   90                      nop
132: 80483d5:   90                      nop
133: 80483d6:   90                      nop
134: 80483d7:   90                      nop
135: 80483d8:   90                      nop
136: 80483d9:   90                      nop
137: 80483da:   90                      nop
138: 80483db:   90                      nop
139: 80483dc:   90                      nop
140: 80483dd:   90                      nop
141: 80483de:   90                      nop
142: 80483df:   90                      nop

通过对以上汇编代码分析，得知段错误发生main函数，对应的汇编指令是movl   $0xa,(%eax)，接下来打开程序的源码，找到汇编指令对应的源码，也就定位到段错误了。 

2）适用场景

A、不需要 -g 参数编译，不需要借助于core文件，但需要有一定的汇编语言基础。

B、如果使用 gcc 编译优化参数（-O1，-O2，-O3）的话，生成的汇编指令将会被优化，使得调试过程有些难度。

5、使用catchsegv

catchsegv 命令专门用来补货段错误，它通过动态加载器（ld-linux.so）的预加载机制（PRELOAD）把一个事先写好的 库（/lib/libSegFault.so）加载上，用于捕捉段错误的出错信息。

root@t# catchsegv ./a.out
Segmentation fault (core dumped)
*** Segmentation fault
Register dump:

 EAX: 00000000   EBX: b77a1ff4   ECX: bfd8a0e4   EDX: bfd8a074
 ESI: 00000000   EDI: 00000000   EBP: bfd8a048   ESP: bfd8a038

 EIP: 080483c4   EFLAGS: 00010282

 CS: 0073   DS: 007b   ES: 007b   FS: 0000   GS: 0033   SS: 007b

 Trap: 0000000e   Error: 00000006   OldMask: 00000000
 ESP/signal: bfd8a038   CR2: 00000000

Backtrace:
??:0(main)[0x80483c4]
/lib/i386-linux-gnu/libc.so.6(__libc_start_main+0xf3)[0xb761a4d3]
??:0(_start)[0x8048321]

Memory map:

08048000-08049000 r-xp 00000000 08:01 2102158 /home/tarena/project/c_test/a.out
08049000-0804a000 r--p 00000000 08:01 2102158 /home/tarena/project/c_test/a.out
0804a000-0804b000 rw-p 00001000 08:01 2102158 /home/tarena/project/c_test/a.out
09467000-0948c000 rw-p 00000000 00:00 0 [heap]
b75e1000-b75fd000 r-xp 00000000 08:01 1704884 /lib/i386-linux-gnu/libgcc_s.so.1
b75fd000-b75fe000 r--p 0001b000 08:01 1704884 /lib/i386-linux-gnu/libgcc_s.so.1
b75fe000-b75ff000 rw-p 0001c000 08:01 1704884 /lib/i386-linux-gnu/libgcc_s.so.1
b75ff000-b7601000 rw-p 00000000 00:00 0
b7601000-b77a0000 r-xp 00000000 08:01 1704863 /lib/i386-linux-gnu/libc-2.15.so
b77a0000-b77a2000 r--p 0019f000 08:01 1704863 /lib/i386-linux-gnu/libc-2.15.so
b77a2000-b77a3000 rw-p 001a1000 08:01 1704863 /lib/i386-linux-gnu/libc-2.15.so
b77a3000-b77a6000 rw-p 00000000 00:00 0
b77b8000-b77bb000 r-xp 00000000 08:01 1704847 /lib/i386-linux-gnu/libSegFault.so
b77bb000-b77bc000 r--p 00002000 08:01 1704847 /lib/i386-linux-gnu/libSegFault.so
b77bc000-b77bd000 rw-p 00003000 08:01 1704847 /lib/i386-linux-gnu/libSegFault.so
b77bd000-b77bf000 rw-p 00000000 00:00 0
b77bf000-b77c0000 r-xp 00000000 00:00 0 [vdso]
b77c0000-b77e0000 r-xp 00000000 08:01 1704843 /lib/i386-linux-gnu/ld-2.15.so
b77e0000-b77e1000 r--p 0001f000 08:01 1704843 /lib/i386-linux-gnu/ld-2.15.so
b77e1000-b77e2000 rw-p 00020000 08:01 1704843 /lib/i386-linux-gnu/ld-2.15.so
bfd6b000-bfd8c000 rw-p 00000000 00:00 0 [stack]

五、内存泄漏检测工具Valgrind

参看：Unix下C程序内存泄漏检测工具Valgrind安装与使用

参看：valgrind 的使用简介

Valgrind是一款用于内存调试、内存泄漏检测以及性能分析的软件开发工具。

官网：valgrind

（1）下载安装

下载：https://sourceware.org/pub/valgrind/valgrind-3.13.0.tar.bz2
安装：

#tar xvf valgrind-3.13.0.tar.bz2
#cd valgrind-3.13.0
#./configure --prefix=/usr/local/webserver/valgrind
#make
#make install

添加环境变量：
#vi /etc/profile
PATH=${PATH}:/usr/local/webserver/valgrind/bin
#source /etc/profile

执行 valgrind ls -l 出现如下错误：

# valgrind ls -l
==16243== Memcheck, a memory error detector
==16243== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==16243== Using Valgrind-3.13.0 and LibVEX; rerun with -h for copyright info
==16243== Command: ls -l
==16243==

valgrind:  Fatal error at startup: a function redirection
valgrind:  which is mandatory for this platform-tool combination
valgrind:  cannot be set up.  Details of the redirection are:
valgrind:
valgrind:  A must-be-redirected function
valgrind:  whose name matches the pattern:      strlen
valgrind:  in an object with soname matching:   ld-linux.so.2
valgrind:  was not found whilst processing
valgrind:  symbols from the object with soname: ld-linux.so.2
valgrind:
valgrind:  Possible fixes: (1, short term): install glibc's debuginfo
valgrind:  package on this machine.  (2, longer term): ask the packagers
valgrind:  for your Linux distribution to please in future ship a non-
valgrind:  stripped ld.so (or whatever the dynamic linker .so is called)
valgrind:  that exports the above-named function using the standard
valgrind:  calling conventions for this platform.  The package you need
valgrind:  to install for fix (1) is called
valgrind:
valgrind:    On Debian, Ubuntu:                 libc6-dbg
valgrind:    On SuSE, openSuSE, Fedora, RHEL:   glibc-debuginfo
valgrind:
valgrind:  Note that if you are debugging a 32 bit process on a
valgrind:  64 bit system, you will need a corresponding 32 bit debuginfo
valgrind:  package (e.g. libc6-dbg:i386).
valgrind:
valgrind:  Cannot continue -- exiting now.  Sorry.

 以上错误，是因为在Ubuntu下还需要一个LIB：libc6-dbg
运行：sudo apt-get install libc6-dbg 以安装libc6-dbg

然后再次运行： valgrind ls -l

$ valgrind ls -l
==14297== Memcheck, a memory error detector
==14297== Copyright (C) 2002-2012, and GNU GPL'd, by Julian Seward et al.
==14297== Using Valgrind-3.8.1 and LibVEX; rerun with -h for copyright info
==14297== Command: ls -l
==14297==
总用量 4
-rw-rw-r-- 1 tarena tarena 105  1月 15 10:04 test.c
==14297==
==14297== HEAP SUMMARY:
==14297==     in use at exit: 13,265 bytes in 29 blocks
==14297==   total heap usage: 218 allocs, 189 frees, 73,974 bytes allocated
==14297==
==14297== LEAK SUMMARY:
==14297==    definitely lost: 80 bytes in 2 blocks
==14297==    indirectly lost: 240 bytes in 20 blocks
==14297==      possibly lost: 0 bytes in 0 blocks
==14297==    still reachable: 12,945 bytes in 7 blocks
==14297==         suppressed: 0 bytes in 0 blocks
==14297== Rerun with --leak-check=full to see details of leaked memory
==14297==
==14297== For counts of detected and suppressed errors, rerun with: -v
==14297== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 0 from 0)

（2）选项：

<span style="color:#000000;">#valgrind -h
usage: valgrind [options] prog-and-args

  tool-selection option, with default in [ ]:
    --tool=<name>             use the Valgrind tool named <name> [memcheck]

  basic user options for all Valgrind tools, with defaults in [ ]:
    -h --help                 show this message
    --help-debug              show this message, plus debugging options
    --version                 show version
    -q --quiet                run silently; only print error msgs
    -v --verbose              be more verbose -- show misc extra info
    --trace-children=no|yes   Valgrind-ise child processes (follow execve)? [no]
    --trace-children-skip=patt1,patt2,...    specifies a list of executables
                              that --trace-children=yes should not trace into
    --trace-children-skip-by-arg=patt1,patt2,...   same as --trace-children-skip=
                              but check the argv[] entries for children, rather
                              than the exe name, to make a follow/no-follow decision
    --child-silent-after-fork=no|yes omit child output between fork & exec? [no]
    --vgdb=no|yes|full        activate gdbserver? [yes]
                              full is slower but provides precise watchpoint/step
    --vgdb-error=<number>     invoke gdbserver after <number> errors [999999999]
                              to get started quickly, use --vgdb-error=0
                              and follow the on-screen directions
    --vgdb-stop-at=event1,event2,... invoke gdbserver for given events [none]
         where event is one of:
           startup exit valgrindabexit all none
    --track-fds=no|yes        track open file descriptors? [no]
    --time-stamp=no|yes       add timestamps to log messages? [no]
    --log-fd=<number>         log messages to file descriptor [2=stderr]
    --log-file=<file>         log messages to <file>
    --log-socket=ipaddr:port  log messages to socket ipaddr:port

  user options for Valgrind tools that report errors:
    --xml=yes                 emit error output in XML (some tools only)
    --xml-fd=<number>         XML output to file descriptor
    --xml-file=<file>         XML output to <file>
    --xml-socket=ipaddr:port  XML output to socket ipaddr:port
    --xml-user-comment=STR    copy STR verbatim into XML output
    --demangle=no|yes         automatically demangle C++ names? [yes]
    --num-callers=<number>    show <number> callers in stack traces [12]
    --error-limit=no|yes      stop showing new errors if too many? [yes]
    --error-exitcode=<number> exit code to return if errors found [0=disable]
    --error-markers=<begin>,<end> add lines with begin/end markers before/after
                              each error output in plain text mode [none]
    --show-below-main=no|yes  continue stack traces below main() [no]
    --default-suppressions=yes|no
                              load default suppressions [yes]
    --suppressions=<filename> suppress errors described in <filename>
    --gen-suppressions=no|yes|all    print suppressions for errors? [no]
    --input-fd=<number>       file descriptor for input [0=stdin]
    --dsymutil=no|yes         run dsymutil on Mac OS X when helpful? [yes]
    --max-stackframe=<number> assume stack switch for SP changes larger
                              than <number> bytes [2000000]
    --main-stacksize=<number> set size of main thread's stack (in bytes)
                              [min(max(current 'ulimit' value,1MB),16MB)]

  user options for Valgrind tools that replace malloc:
    --alignment=<number>      set minimum alignment of heap allocations [8]
    --redzone-size=<number>   set minimum size of redzones added before/after
                              heap blocks (in bytes). [16]
    --xtree-memory=none|allocs|full   profile heap memory in an xtree [none]
                              and produces a report at the end of the execution
                              none: no profiling, allocs: current allocated
                              size/blocks, full: profile current and cumulative
                              allocated size/blocks and freed size/blocks.
    --xtree-memory-file=<file>   xtree memory report file [xtmemory.kcg.%p]

  uncommon user options for all Valgrind tools:
    --fullpath-after=         (with nothing after the '=')
                              show full source paths in call stacks
    --fullpath-after=string   like --fullpath-after=, but only show the
                              part of the path after 'string'.  Allows removal
                              of path prefixes.  Use this flag multiple times
                              to specify a set of prefixes to remove.
    --extra-debuginfo-path=path    absolute path to search for additional
                              debug symbols, in addition to existing default
                              well known search paths.
    --debuginfo-server=ipaddr:port    also query this server
                              (valgrind-di-server) for debug symbols
    --allow-mismatched-debuginfo=no|yes  [no]
                              for the above two flags only, accept debuginfo
                              objects that don't "match" the main object
    --smc-check=none|stack|all|all-non-file [all-non-file]
                              checks for self-modifying code: none, only for
                              code found in stacks, for all code, or for all
                              code except that from file-backed mappings
    --read-inline-info=yes|no read debug info about inlined function calls
                              and use it to do better stack traces.  [yes]
                              on Linux/Android/Solaris for Memcheck/Helgrind/DRD
                              only.  [no] for all other tools and platforms.
    --read-var-info=yes|no    read debug info on stack and global variables
                              and use it to print better error messages in
                              tools that make use of it (Memcheck, Helgrind,
                              DRD) [no]
    --vgdb-poll=<number>      gdbserver poll max every <number> basic blocks [5000]
    --vgdb-shadow-registers=no|yes   let gdb see the shadow registers [no]
    --vgdb-prefix=<prefix>    prefix for vgdb FIFOs [/tmp/vgdb-pipe]
    --run-libc-freeres=no|yes free up glibc memory at exit on Linux? [yes]
    --run-cxx-freeres=no|yes  free up libstdc++ memory at exit on Linux
                              and Solaris? [yes]
    --sim-hints=hint1,hint2,...  activate unusual sim behaviours [none]
         where hint is one of:
           lax-ioctls lax-doors fuse-compatible enable-outer
           no-inner-prefix no-nptl-pthread-stackcache fallback-llsc none
    --fair-sched=no|yes|try   schedule threads fairly on multicore systems [no]
    --kernel-variant=variant1,variant2,...
         handle non-standard kernel variants [none]
         where variant is one of:
           bproc android-no-hw-tls
           android-gpu-sgx5xx android-gpu-adreno3xx none
    --merge-recursive-frames=<number>  merge frames between identical
           program counters in max <number> frames) [0]
    --num-transtab-sectors=<number> size of translated code cache [32]
           more sectors may increase performance, but use more memory.
    --avg-transtab-entry-size=<number> avg size in bytes of a translated
           basic block [0, meaning use tool provided default]
    --aspace-minaddr=0xPP     avoid mapping memory below 0xPP [guessed]
    --valgrind-stacksize=<number> size of valgrind (host) thread's stack
                               (in bytes) [1048576]
    --show-emwarns=no|yes     show warnings about emulation limits? [no]
    --require-text-symbol=:sonamepattern:symbolpattern    abort run if the
                              stated shared object doesn't have the stated
                              text symbol.  Patterns can contain ? and *.
    --soname-synonyms=syn1=pattern1,syn2=pattern2,... synonym soname
              specify patterns for function wrapping or replacement.
              To use a non-libc malloc library that is
                  in the main exe:  --soname-synonyms=somalloc=NONE
                  in libxyzzy.so:   --soname-synonyms=somalloc=libxyzzy.so
    --sigill-diagnostics=yes|no  warn about illegal instructions? [yes]
    --unw-stack-scan-thresh=<number>   Enable stack-scan unwind if fewer
                  than <number> good frames found  [0, meaning "disabled"]
                  NOTE: stack scanning is only available on arm-linux.
    --unw-stack-scan-frames=<number>   Max number of frames that can be
                  recovered by stack scanning [5]
    --resync-filter=no|yes|verbose [yes on MacOS, no on other OSes]
              attempt to avoid expensive address-space-resync operations
    --max-threads=<number>    maximum number of threads that valgrind can
                              handle [500]

  user options for Memcheck:
    --leak-check=no|summary|full     search for memory leaks at exit?  [summary]
    --leak-resolution=low|med|high   differentiation of leak stack traces [high]
    --show-leak-kinds=kind1,kind2,.. which leak kinds to show?
                                            [definite,possible]
    --errors-for-leak-kinds=kind1,kind2,..  which leak kinds are errors?
                                            [definite,possible]
        where kind is one of:
          definite indirect possible reachable all none
    --leak-check-heuristics=heur1,heur2,... which heuristics to use for
        improving leak search false positive [all]
        where heur is one of:
          stdstring length64 newarray multipleinheritance all none
    --show-reachable=yes             same as --show-leak-kinds=all
    --show-reachable=no --show-possibly-lost=yes
                                     same as --show-leak-kinds=definite,possible
    --show-reachable=no --show-possibly-lost=no
                                     same as --show-leak-kinds=definite
    --xtree-leak=no|yes              output leak result in xtree format? [no]
    --xtree-leak-file=<file>         xtree leak report file [xtleak.kcg.%p]
    --undef-value-errors=no|yes      check for undefined value errors [yes]
    --track-origins=no|yes           show origins of undefined values? [no]
    --partial-loads-ok=no|yes        too hard to explain here; see manual [yes]
    --expensive-definedness-checks=no|yes
                                     Use extra-precise definedness tracking [no]
    --freelist-vol=<number>          volume of freed blocks queue     [20000000]
    --freelist-big-blocks=<number>   releases first blocks with size>= [1000000]
    --workaround-gcc296-bugs=no|yes  self explanatory [no].  Deprecated.
                                     Use --ignore-range-below-sp instead.
    --ignore-ranges=0xPP-0xQQ[,0xRR-0xSS]   assume given addresses are OK
    --ignore-range-below-sp=<number>-<number>  do not report errors for
                                     accesses at the given offsets below SP
    --malloc-fill=<hexnumber>        fill malloc'd areas with given value
    --free-fill=<hexnumber>          fill free'd areas with given value
    --keep-stacktraces=alloc|free|alloc-and-free|alloc-then-free|none
        stack trace(s) to keep for malloc'd/free'd areas       [alloc-and-free]
    --show-mismatched-frees=no|yes   show frees that don't match the allocator? [yes]

  Extra options read from ~/.valgrindrc, $VALGRIND_OPTS, ./.valgrindrc

  Memcheck is Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
  Valgrind is Copyright (C) 2000-2017, and GNU GPL'd, by Julian Seward et al.
  LibVEX is Copyright (C) 2004-2017, and GNU GPL'd, by OpenWorks LLP et al.

  Bug reports, feedback, admiration, abuse, etc, to: www.valgrind.org.</span><span style="color:#993399;">
</span>

（3）使用

参看：valgrind 的使用简介

1、使用未初始化内存问题

#include<stdio.h>
int main(void)
{

    int a[5];
    int i,s;
    a[0]=a[1]=a[2]=a[3]=a[4]=0;
    s=0;
    for (i =0;i<5;i++)
        s+=a[i];
    if(s==377)
        printf("sum is %d\n",s);
    return 0;
}
执行：
# gcc -Wall test.c -g -o test
# valgrind --tool=memcheck --leak-check=yes ./test

$ valgrind --tool=memcheck --leak-check=yes ./test
==14496== Memcheck, a memory error detector
==14496== Copyright (C) 2002-2012, and GNU GPL'd, by Julian Seward et al.
==14496== Using Valgrind-3.8.1 and LibVEX; rerun with -h for copyright info
==14496== Command: ./test
==14496==
==14496==
==14496== HEAP SUMMARY:
==14496==     in use at exit: 0 bytes in 0 blocks
==14496==   total heap usage: 0 allocs, 0 frees, 0 bytes allocated
==14496==
==14496== All heap blocks were freed -- no leaks are possible
==14496==
==14496== For counts of detected and suppressed errors, rerun with: -v
==14496== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 0 from 0)

2、内存读写越界

#include<stdlib.h>
#include<stdio.h>

int main(int argc,char *argv[])
{
    int len =4;
    int* pt =(int*)malloc(len*sizeof(int));
    int* p=pt;
    int i;
    for(i=0;i<len;i++)
    {
        p++;
    }
    *p=5;
    printf("the value of p equal:%d\n",*p);
    return 0;
}
执行：
# gcc -Wall test.c -g -o test
# valgrind --tool=memcheck --leak-check=yes ./test

$ valgrind --tool=memcheck --leak-check=yes ./test
==14514== Memcheck, a memory error detector
==14514== Copyright (C) 2002-2012, and GNU GPL'd, by Julian Seward et al.
==14514== Using Valgrind-3.8.1 and LibVEX; rerun with -h for copyright info
==14514== Command: ./test
==14514==
==14514== Invalid write of size 4
==14514==    at 0x8048462: main (test.c:14)
==14514==  Address 0x41f4038 is 0 bytes after a block of size 16 alloc'd
==14514==    at 0x402BD74: malloc (vg_replace_malloc.c:270)
==14514==    by 0x8048433: main (test.c:7)
==14514==
==14514== Invalid read of size 4
==14514==    at 0x804846C: main (test.c:15)
==14514==  Address 0x41f4038 is 0 bytes after a block of size 16 alloc'd
==14514==    at 0x402BD74: malloc (vg_replace_malloc.c:270)
==14514==    by 0x8048433: main (test.c:7)
==14514==
the value of p equal:5
==14514==
==14514== HEAP SUMMARY:
==14514==     in use at exit: 16 bytes in 1 blocks
==14514==   total heap usage: 1 allocs, 0 frees, 16 bytes allocated
==14514==
==14514== 16 bytes in 1 blocks are definitely lost in loss record 1 of 1
==14514==    at 0x402BD74: malloc (vg_replace_malloc.c:270)
==14514==    by 0x8048433: main (test.c:7)
==14514==
==14514== LEAK SUMMARY:
==14514==    definitely lost: 16 bytes in 1 blocks
==14514==    indirectly lost: 0 bytes in 0 blocks
==14514==      possibly lost: 0 bytes in 0 blocks
==14514==    still reachable: 0 bytes in 0 blocks
==14514==         suppressed: 0 bytes in 0 blocks
==14514==
==14514== For counts of detected and suppressed errors, rerun with: -v
==14514== ERROR SUMMARY: 3 errors from 3 contexts (suppressed: 0 from 0)

3、内存覆盖

#include<stdio.h>
#include<stdlib.h>
#include<string.h>

int main(int argc, char* argv[])
{
    char x[50];
    int i;
    for(i=0;i<50;i++)
    {
        x[i]=i+1;
    }
    strncpy(x+20,x,20);
    strncpy(x+20,x,21);
    strncpy(x,x+20,20);
    strncpy(x,x+20,21);

    x[39]='\0';
    strcpy(x,x+20);

    x[39]=39;
    x[50]='\0';
    strcpy(x,x+20);

    return 0;
}
执行：
# gcc -Wall test.c -g -o test
# valgrind --tool=memcheck --leak-check=yes ./test

$ valgrind --tool=memcheck --leak-check=yes ./test
==14551== Memcheck, a memory error detector
==14551== Copyright (C) 2002-2012, and GNU GPL'd, by Julian Seward et al.
==14551== Using Valgrind-3.8.1 and LibVEX; rerun with -h for copyright info
==14551== Command: ./test
==14551==
==14551== Source and destination overlap in strncpy(0xbec6a0c3, 0xbec6a0af, 21)
==14551==    at 0x402C860: strncpy (mc_replace_strmem.c:472)
==14551==    by 0x80484E6: main (test.c:14)
==14551==
==14551== Source and destination overlap in strncpy(0xbec6a0af, 0xbec6a0c3, 21)
==14551==    at 0x402C860: strncpy (mc_replace_strmem.c:472)
==14551==    by 0x8048524: main (test.c:16)
==14551==
==14551== Source and destination overlap in strcpy(0xbec6a09a, 0xbec6a0ae)
==14551==    at 0x402C6AB: strcpy (mc_replace_strmem.c:438)
==14551==    by 0x8048561: main (test.c:23)
==14551==
==14551==
==14551== HEAP SUMMARY:
==14551==     in use at exit: 0 bytes in 0 blocks
==14551==   total heap usage: 0 allocs, 0 frees, 0 bytes allocated
==14551==
==14551== All heap blocks were freed -- no leaks are possible
==14551==
==14551== For counts of detected and suppressed errors, rerun with: -v
==14551== ERROR SUMMARY: 3 errors from 3 contexts (suppressed: 0 from 0)

4、动态内存管理错误

#include<stdlib.h>
#include<stdio.h>

int main(int argc,char *argv[])
{
    int i;
    char* p=(char*)malloc(10);
    char* pt=p;
    for(i =0;i<10;i++)
    {
        p[i]='z';
    }
    delete p;

    pt[1]='x';
    free(pt);
    return 0;
}
执行：
# g++ -Wall test.cpp -g -o test
# valgrind --tool=memcheck --leak-check=yes ./test

$ valgrind --tool=memcheck --leak-check=yes ./test
==14607== Memcheck, a memory error detector
==14607== Copyright (C) 2002-2012, and GNU GPL'd, by Julian Seward et al.
==14607== Using Valgrind-3.8.1 and LibVEX; rerun with -h for copyright info
==14607== Command: ./test
==14607==
==14607== Mismatched free() / delete / delete []
==14607==    at 0x402A92A: operator delete(void*) (vg_replace_malloc.c:480)
==14607==    by 0x80484F6: main (test.cpp:13)
==14607==  Address 0x4324028 is 0 bytes inside a block of size 10 alloc'd
==14607==    at 0x402BD74: malloc (vg_replace_malloc.c:270)
==14607==    by 0x80484B8: main (test.cpp:7)
==14607==
==14607== Invalid write of size 1
==14607==    at 0x80484FE: main (test.cpp:15)
==14607==  Address 0x4324029 is 1 bytes inside a block of size 10 free'd
==14607==    at 0x402A92A: operator delete(void*) (vg_replace_malloc.c:480)
==14607==    by 0x80484F6: main (test.cpp:13)
==14607==
==14607== Invalid free() / delete / delete[] / realloc()
==14607==    at 0x402AD3D: free (vg_replace_malloc.c:446)
==14607==    by 0x804850C: main (test.cpp:16)
==14607==  Address 0x4324028 is 0 bytes inside a block of size 10 free'd
==14607==    at 0x402A92A: operator delete(void*) (vg_replace_malloc.c:480)
==14607==    by 0x80484F6: main (test.cpp:13)
==14607==
==14607==
==14607== HEAP SUMMARY:
==14607==     in use at exit: 0 bytes in 0 blocks
==14607==   total heap usage: 1 allocs, 2 frees, 10 bytes allocated
==14607==
==14607== All heap blocks were freed -- no leaks are possible
==14607==
==14607== For counts of detected and suppressed errors, rerun with: -v
==14607== ERROR SUMMARY: 3 errors from 3 contexts (suppressed: 0 from 0)

5、内存泄漏

//tree.h
#ifndef _BADLEAK_
#define _BAD_LEAK_

typedef struct _node{
    struct _node *l;
    struct _node * r;
    char v;
}node;

node *mk( node *l,  node *r, char val);
void nodefr(node *n);
#endif

//tree.cpp
#include <stdio.h>
#include "tree.h"
#include <stdlib.h>

node *mk(node *l, node * r, char val)
{
    node *f=(node* )malloc(sizeof(node));
    f->l=l;
    f->r=r;
    f->v=val;
    return f;
}

void nodefr(node* n)
{
    if(n)
    {
        nodefr(n->l);
        nodefr(n->r);
        free(n);
    }
}

//badleak.cpp
#include <stdio.h>
#include <stdlib.h>
#include "tree.h"

int main()
{
    node* tree1, *tree2, * tree3;
    tree1=mk(mk(mk(0,0,'3'),0,'2'),0,'1');
    tree2=mk(0,mk(0,mk(0,0,'6'),'5'),'4');
    tree3=mk(mk(tree1,tree2,'8'),0,'7');
    //nodefr(tree3);
    return 0;
}

执行：
# g++ -Wall tree.cpp badleak.cpp -g -o badleak
#valgrind --tool=memcheck --leak-check=yes ./badleak

$ valgrind --tool=memcheck --leak-check=yes ./badleak
==14676== Memcheck, a memory error detector
==14676== Copyright (C) 2002-2012, and GNU GPL'd, by Julian Seward et al.
==14676== Using Valgrind-3.8.1 and LibVEX; rerun with -h for copyright info
==14676== Command: ./badleak
==14676==
==14676==
==14676== HEAP SUMMARY:
==14676==     in use at exit: 96 bytes in 8 blocks
==14676==   total heap usage: 8 allocs, 0 frees, 96 bytes allocated
==14676==
==14676== 96 (12 direct, 84 indirect) bytes in 1 blocks are definitely lost in loss record 8 of 8
==14676==    at 0x402BD74: malloc (vg_replace_malloc.c:270)
==14676==    by 0x804842B: mk(_node*, _node*, char) (tree.cpp:7)
==14676==    by 0x8048560: main (badleak.cpp:10)
==14676==
==14676== LEAK SUMMARY:
==14676==    definitely lost: 12 bytes in 1 blocks
==14676==    indirectly lost: 84 bytes in 7 blocks
==14676==      possibly lost: 0 bytes in 0 blocks
==14676==    still reachable: 0 bytes in 0 blocks
==14676==         suppressed: 0 bytes in 0 blocks
==14676==
==14676== For counts of detected and suppressed errors, rerun with: -v
==14676== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)

六、一些注意事项

1）出现段错误时，首先应该想到段错误的定义，从它出发考虑引发错误的原因。

2）在使用指针时，定义了指针后记得初始化指针，在使用的时候记得判断是否为 NULL

3）在使用数组时，注意数组是否被初始化，数组下标是否越界，数组元素是否存在等

4）在访问变量，注意变量所占地址空间是否已经被程序释放掉

5）在处理变量时，注意变量的格式控制是否合理等