Valgrind

Building valgrind

valgrind is built using the standard ./configure, make, make install trilogoy.

Building and running target program

Options with which the targetted program should (or might) be built include:

-g
-fno-inline (or alternatively using the valgrind option --read-inline-info=yes)
-O0 or -O (except when using cachegrind (and callgrind?))

Otherwise, the target program does not need to be linked to special valgrind libraries.

The target program can then be analyzed with

valgrind [valgrind-options] the-executable [options of the-executable]

the-executable is then executed on a synthetic CPU (i. e. every instruction is simulated).

Valgrind Core and Tools

The Valgrind core offers a set of low-level functionality which are used by the valgrind tools depending on the tools' focus.

The functionality of the Valgrind core includes

JIT compiler
Memory manager
Signal handling
Thread scheduler
Support for error recording
Support for replacing malloc (and other memory related functions?).

Selecting a tool

When executing valgrind, the --tool option allows to select a tool (memcheck being the default).

Tools include:

memcheck	Intercepts calls to `malloc`, `new`, `free` and `delete`, and generally checks all reads and writes of memory.
cachegrind	A cache and prediction profiler. It simulates the CPU's I1, D1 and L2 caches and is used to make programs faster. (It seems that the simulation of the cache hierarchy is turned off by default and apparantly, `perf` that accesses hardeware counters is the better tool for such things)
callgrind	An extension to cachegrind (call-graph generation). The collected data can be visualized with KCachegrind.
massif	A heap profiler helping to reduce memory usage.
helgrind	A thread debugger.
drd	Detect errors in POSIX-multithreaded C/C++ programs, similar to helgrind.
dhat	Examine how programs use heap allocations
lackey and nulgrind	Used for testing and demonstration purposes.
bbv	A bbv is a basic block vector and refers to a linear section of code with an entry point and an exit point. BBV is an experimental (SimPoint basic block vector generator) tool (also referred to as exp-bbv).
SGCheck	Find overruns of arrays.

Writing a tool

Valgrinds allows to write one's own tool.

As per the documentation, at least the following four functions must be implemented:

pre_clo_init() (registereed with the VG_DETERMINE_INTERFACE_VERSION macro)
post_clo_init()
instrument()
fini()

The last three functions are registered with VG_(basic_tool_funcs) function (coregrind/m_tooliface.c).

clo stands for command line options.

Simple example

prog.c

#include <stdlib.h>

int main() {

    char *mem_1 = malloc(100);
    char *mem_2 = malloc(200);

    free(mem_1); // Note: mem_1 is freed twice, but
    free(mem_1); // mem_2 is not freed at all.

}

Github repository about-Valgrind, path: /first/prog.c

Makefile

valgrind.out: prog
	valgrind --log-file=valgrind.out prog 

prog: prog.c
	gcc -g prog.c -o prog

Github repository about-Valgrind, path: /first/Makefile

Callgrind Output Format

callgrind writes an ASCII file. The format of this ASCII file is a superset of the format written by cachegrind.

The file written by callgrind can be read by parsers such as callgrind_annotate or KCachegrind.

TODO

Callgrind

The command line option -d increases the log level.

The additional logging seems to be written to STDOUT.

VEX IR

VEX IR is Valgrind's RISC-like intermediate language.

This language is somewhat commented in the source code file VEX/pub/libvex_ir.h.

instrument() instruments the VEX IR.

The tool Lackey (lackey/lk_main.c) offers a simple example how the VEX IR can be instrumented with calls to c functions when «things happen».

Source code

include/pub_tool_*.h (notably include/pub_tool_basics.h) contains the necessary types, macros, functions etc. a tool might need.

include/pub_tool_basics_asm.h defines the VG(…) macro.

Another important include file is VEX/pub/libvex_basictypes.h.

pub_tool_libc*.h. contains a subset of the C library.

docs/internals/