Valgrind Package Description

Valgrind is a system for debugging and profiling Linux programs. With its tool suite you can automatically detect many memory management and threading bugs, avoiding hours of frustrating bug-hunting and making your programs more stable. You can also perform detailed profiling to help speed up your programs and use Valgrind to build new tools. The Valgrind distribution currently includes six production-quality tools:

  • a memory error detector (Memcheck)
  • two thread error detectors (Helgrind and DRD)
  • a cache and branch-prediction profiler (Cachegrind)
  • a call-graph generating cache and branch-prediction profiler (Callgrind)
  • a heap profiler (Massif)

It also includes three experimental tools:

  • a stack/global array overrun detector (SGCheck)
  • a second heap profiler that examines how heap blocks are used (DHAT)
  • a SimPoint basic block vector generator (BBV)

Source: http://www.valgrind.org/downloads/

  • Author: Julian Seward
  • License: GPLv2

Tools included in the valgrind package

callgrind_annotate – Post-processing tool for Callgrind

root@kali:~# callgrind_annotate -h
usage: callgrind_annotate [options] [callgrind-out-file [source-files...]]

  options for the user, with defaults in [ ], are:
    -h --help             show this message
    --version             show version
    --show=A,B,C          only show figures for events A,B,C [all]
    --sort=A,B,C          sort columns by events A,B,C [event column order]
    --threshold=<0--100>  percentage of counts (of primary sort event) we
                          are interested in [99%]
    --auto=yes|no         annotate all source files containing functions
                          that helped reach the event count threshold [no]
    --context=N           print N lines of context before and after
                          annotated lines [8]
    --inclusive=yes|no    add subroutine costs to functions calls [no]
    --tree=none|caller|   print for each function their callers,
           calling|both   the called functions or both [none]
    -I --include=<dir>    add <dir> to list of directories to search for
                          source files

callgrind_control – Observe and control programs being run by Callgrind

root@kali:~# callgrind_control -h
Observe the status and control currently active callgrind runs.
(C) 2003-2011, Josef Weidendorfer (Josef.Weidendorfer@gmx.de)

Usage: callgrind_control [options] [pid|program-name...]

If no pids/names are given, an action is applied to all currently
active Callgrind runs. Default action is printing short information.

Options:
  -h --help         Show this help text
  --version         Show version
  -s --stat         Show statistics
  -b --back         Show stack/back trace
  -e [<A>,...]      Show event counters for <A>,... (default: all)
  --dump[=<s>]      Request a dump optionally using <s> as description
  -z --zero         Zero all event counters
  -k --kill         Kill
  -i --instr=on|off Switch instrumentation state on/off
Uncommon options:
  --vgdb-prefix=<prefix> Only provide this if the same was given to Valgrind

cg_annotate – Post-processing tool for Cachegrind

root@kali:~# cg_annotate -h
usage: cg_annotate [options] cachegrind-out-file [source-files...]

  options for the user, with defaults in [ ], are:
    -h --help             show this message
    --version             show version
    --show=A,B,C          only show figures for events A,B,C [all]
    --sort=A,B,C          sort columns by events A,B,C [event column order]
    --threshold=<0--20>   a function is shown if it accounts for more than x% of
                          the counts of the primary sort event [0.1]
    --auto=yes|no         annotate all source files containing functions
                          that helped reach the event count threshold [no]
    --context=N           print N lines of context before and after
                          annotated lines [8]
    -I<d> --include=<d>   add <d> to list of directories to search for
                          source files

  cg_annotate is Copyright (C) 2002-2017 Nicholas Nethercote.
  and licensed under the GNU General Public License, version 2.
  Bug reports, feedback, admiration, abuse, etc, to: njn@valgrind.org.

cg_diff – Diffs cachegrind files

root@kali:~# cg_diff -h
usage: cg_diff [options] <cachegrind-out-file1> <cachegrind-out-file2>

  options for the user, with defaults in [ ], are:
    -h --help             show this message
    -v --version          show version
    --mod-filename=<expr> a Perl search-and-replace expression that is applied
                          to filenames, eg. --mod-filename='s/prog[0-9]/projN/'
    --mod-funcname=<expr> like --mod-filename, but applied to function names

  cg_diff is Copyright (C) 2002-2017 Nicholas Nethercote.
  and licensed under the GNU General Public License, version 2.
  Bug reports, feedback, admiration, abuse, etc, to: njn@valgrind.org.

cg_merge – Merges multiple cachegrind output files into one

root@kali:~# cg_merge
cg_merge: Merges multiple cachegrind output files into one
cg_merge: usage: cg_merge [-o outfile] [files-to-merge]

ms_print – Post-processing tool for Massif

root@kali:~# ms_print -h
usage: ms_print [options] massif-out-file

  options for the user, with defaults in [ ], are:
    -h --help             show this message
    --version             show version
    --threshold=<m.n>     significance threshold, in percent [1]
    --x=<4..1000>         graph width, in columns [72]
    --y=<4..1000>         graph height, in rows [20]

  ms_print is Copyright (C) 2007-2017 Nicholas Nethercote.
  and licensed under the GNU General Public License, version 2.
  Bug reports, feedback, admiration, abuse, etc, to: njn@valgrind.org.

valgrind – Suite of tools for debugging and profiling programs

root@kali:~# valgrind -h
usage: valgrind [options] prog-and-args

  tool-selection option, with default in [ ]:
    --tool=<name>             use the Valgrind tool named <name> [memcheck]

  basic user options for all Valgrind tools, with defaults in [ ]:
    -h --help                 show this message
    --help-debug              show this message, plus debugging options
    --version                 show version
    -q --quiet                run silently; only print error msgs
    -v --verbose              be more verbose -- show misc extra info
    --trace-children=no|yes   Valgrind-ise child processes (follow execve)? [no]
    --trace-children-skip=patt1,patt2,...    specifies a list of executables
                              that --trace-children=yes should not trace into
    --trace-children-skip-by-arg=patt1,patt2,...   same as --trace-children-skip=
                              but check the argv[] entries for children, rather
                              than the exe name, to make a follow/no-follow decision
    --child-silent-after-fork=no|yes omit child output between fork & exec? [no]
    --vgdb=no|yes|full        activate gdbserver? [yes]
                              full is slower but provides precise watchpoint/step
    --vgdb-error=<number>     invoke gdbserver after <number> errors [999999999]
                              to get started quickly, use --vgdb-error=0
                              and follow the on-screen directions
    --vgdb-stop-at=event1,event2,... invoke gdbserver for given events [none]
         where event is one of:
           startup exit valgrindabexit all none
    --track-fds=no|yes        track open file descriptors? [no]
    --time-stamp=no|yes       add timestamps to log messages? [no]
    --log-fd=<number>         log messages to file descriptor [2=stderr]
    --log-file=<file>         log messages to <file>
    --log-socket=ipaddr:port  log messages to socket ipaddr:port

  user options for Valgrind tools that report errors:
    --xml=yes                 emit error output in XML (some tools only)
    --xml-fd=<number>         XML output to file descriptor
    --xml-file=<file>         XML output to <file>
    --xml-socket=ipaddr:port  XML output to socket ipaddr:port
    --xml-user-comment=STR    copy STR verbatim into XML output
    --demangle=no|yes         automatically demangle C++ names? [yes]
    --num-callers=<number>    show <number> callers in stack traces [12]
    --error-limit=no|yes      stop showing new errors if too many? [yes]
    --exit-on-first-error=no|yes exit code on the first error found? [no]
    --error-exitcode=<number> exit code to return if errors found [0=disable]
    --error-markers=<begin>,<end> add lines with begin/end markers before/after
                              each error output in plain text mode [none]
    --keep-debuginfo=no|yes   Keep symbols etc for unloaded code [no]
                              This allows saved stack traces (e.g. memory leaks)
                              to include file/line info for code that has been
                              dlclose'd (or similar)
    --show-below-main=no|yes  continue stack traces below main() [no]
    --default-suppressions=yes|no
                              load default suppressions [yes]
    --suppressions=<filename> suppress errors described in <filename>
    --gen-suppressions=no|yes|all    print suppressions for errors? [no]
    --input-fd=<number>       file descriptor for input [0=stdin]
    --dsymutil=no|yes         run dsymutil on Mac OS X when helpful? [yes]
    --max-stackframe=<number> assume stack switch for SP changes larger
                              than <number> bytes [2000000]
    --main-stacksize=<number> set size of main thread's stack (in bytes)
                              [min(max(current 'ulimit' value,1MB),16MB)]

  user options for Valgrind tools that replace malloc:
    --alignment=<number>      set minimum alignment of heap allocations [16]
    --redzone-size=<number>   set minimum size of redzones added before/after
                              heap blocks (in bytes). [16]
    --xtree-memory=none|allocs|full   profile heap memory in an xtree [none]
                              and produces a report at the end of the execution
                              none: no profiling, allocs: current allocated
                              size/blocks, full: profile current and cumulative
                              allocated size/blocks and freed size/blocks.
    --xtree-memory-file=<file>   xtree memory report file [xtmemory.kcg.%p]

  uncommon user options for all Valgrind tools:
    --fullpath-after=         (with nothing after the '=')
                              show full source paths in call stacks
    --fullpath-after=string   like --fullpath-after=, but only show the
                              part of the path after 'string'.  Allows removal
                              of path prefixes.  Use this flag multiple times
                              to specify a set of prefixes to remove.
    --extra-debuginfo-path=path    absolute path to search for additional
                              debug symbols, in addition to existing default
                              well known search paths.
    --debuginfo-server=ipaddr:port    also query this server
                              (valgrind-di-server) for debug symbols
    --allow-mismatched-debuginfo=no|yes  [no]
                              for the above two flags only, accept debuginfo
                              objects that don't "match" the main object
    --smc-check=none|stack|all|all-non-file [all-non-file]
                              checks for self-modifying code: none, only for
                              code found in stacks, for all code, or for all
                              code except that from file-backed mappings
    --read-inline-info=yes|no read debug info about inlined function calls
                              and use it to do better stack traces.  [yes]
                              on Linux/Android/Solaris for Memcheck/Helgrind/DRD
                              only.  [no] for all other tools and platforms.
    --read-var-info=yes|no    read debug info on stack and global variables
                              and use it to print better error messages in
                              tools that make use of it (Memcheck, Helgrind,
                              DRD) [no]
    --vgdb-poll=<number>      gdbserver poll max every <number> basic blocks [5000]
    --vgdb-shadow-registers=no|yes   let gdb see the shadow registers [no]
    --vgdb-prefix=<prefix>    prefix for vgdb FIFOs [/tmp/vgdb-pipe]
    --run-libc-freeres=no|yes free up glibc memory at exit on Linux? [yes]
    --run-cxx-freeres=no|yes  free up libstdc++ memory at exit on Linux
                              and Solaris? [yes]
    --sim-hints=hint1,hint2,...  activate unusual sim behaviours [none]
         where hint is one of:
           lax-ioctls lax-doors fuse-compatible enable-outer
           no-inner-prefix no-nptl-pthread-stackcache fallback-llsc none
    --fair-sched=no|yes|try   schedule threads fairly on multicore systems [no]
    --kernel-variant=variant1,variant2,...
         handle non-standard kernel variants [none]
         where variant is one of:
           bproc android-no-hw-tls
           android-gpu-sgx5xx android-gpu-adreno3xx none
    --merge-recursive-frames=<number>  merge frames between identical
           program counters in max <number> frames) [0]
    --num-transtab-sectors=<number> size of translated code cache [32]
           more sectors may increase performance, but use more memory.
    --avg-transtab-entry-size=<number> avg size in bytes of a translated
           basic block [0, meaning use tool provided default]
    --aspace-minaddr=0xPP     avoid mapping memory below 0xPP [guessed]
    --valgrind-stacksize=<number> size of valgrind (host) thread's stack
                               (in bytes) [1048576]
    --show-emwarns=no|yes     show warnings about emulation limits? [no]
    --require-text-symbol=:sonamepattern:symbolpattern    abort run if the
                              stated shared object doesn't have the stated
                              text symbol.  Patterns can contain ? and *.
    --soname-synonyms=syn1=pattern1,syn2=pattern2,... synonym soname
              specify patterns for function wrapping or replacement.
              To use a non-libc malloc library that is
                  in the main exe:  --soname-synonyms=somalloc=NONE
                  in libxyzzy.so:   --soname-synonyms=somalloc=libxyzzy.so
    --sigill-diagnostics=yes|no  warn about illegal instructions? [yes]
    --unw-stack-scan-thresh=<number>   Enable stack-scan unwind if fewer
                  than <number> good frames found  [0, meaning "disabled"]
                  NOTE: stack scanning is only available on arm-linux.
    --unw-stack-scan-frames=<number>   Max number of frames that can be
                  recovered by stack scanning [5]
    --resync-filter=no|yes|verbose [yes on MacOS, no on other OSes]
              attempt to avoid expensive address-space-resync operations
    --max-threads=<number>    maximum number of threads that valgrind can
                              handle [500]

  user options for Memcheck:
    --leak-check=no|summary|full     search for memory leaks at exit?  [summary]
    --leak-resolution=low|med|high   differentiation of leak stack traces [high]
    --show-leak-kinds=kind1,kind2,.. which leak kinds to show?
                                            [definite,possible]
    --errors-for-leak-kinds=kind1,kind2,..  which leak kinds are errors?
                                            [definite,possible]
        where kind is one of:
          definite indirect possible reachable all none
    --leak-check-heuristics=heur1,heur2,... which heuristics to use for
        improving leak search false positive [all]
        where heur is one of:
          stdstring length64 newarray multipleinheritance all none
    --show-reachable=yes             same as --show-leak-kinds=all
    --show-reachable=no --show-possibly-lost=yes
                                     same as --show-leak-kinds=definite,possible
    --show-reachable=no --show-possibly-lost=no
                                     same as --show-leak-kinds=definite
    --xtree-leak=no|yes              output leak result in xtree format? [no]
    --xtree-leak-file=<file>         xtree leak report file [xtleak.kcg.%p]
    --undef-value-errors=no|yes      check for undefined value errors [yes]
    --track-origins=no|yes           show origins of undefined values? [no]
    --partial-loads-ok=no|yes        too hard to explain here; see manual [yes]
    --expensive-definedness-checks=no|auto|yes
                                     Use extra-precise definedness tracking [auto]
    --freelist-vol=<number>          volume of freed blocks queue     [20000000]
    --freelist-big-blocks=<number>   releases first blocks with size>= [1000000]
    --workaround-gcc296-bugs=no|yes  self explanatory [no].  Deprecated.
                                     Use --ignore-range-below-sp instead.
    --ignore-ranges=0xPP-0xQQ[,0xRR-0xSS]   assume given addresses are OK
    --ignore-range-below-sp=<number>-<number>  do not report errors for
                                     accesses at the given offsets below SP
    --malloc-fill=<hexnumber>        fill malloc'd areas with given value
    --free-fill=<hexnumber>          fill free'd areas with given value
    --keep-stacktraces=alloc|free|alloc-and-free|alloc-then-free|none
        stack trace(s) to keep for malloc'd/free'd areas       [alloc-and-free]
    --show-mismatched-frees=no|yes   show frees that don't match the allocator? [yes]

  Extra options read from ~/.valgrindrc, $VALGRIND_OPTS, ./.valgrindrc

  Memcheck is Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
  Valgrind is Copyright (C) 2000-2017, and GNU GPL'd, by Julian Seward et al.
  LibVEX is Copyright (C) 2004-2017, and GNU GPL'd, by OpenWorks LLP et al.

  Bug reports, feedback, admiration, abuse, etc, to: www.valgrind.org.

valgrind-listener – A simple listener program for valgrind log redirection

root@kali:~# valgrind-listener -h

usage is:

   valgrind-listener [--exit-at-zero|-e] [--max-connect=INT] [port-number]

   where   --exit-at-zero or -e causes the listener to exit
           when the number of connections falls back to zero
           (the default is to keep listening forever)

           --max-connect=INT can be used to increase the maximum
           number of connected processes (default = 50).
           INT must be positive and less than 5000.

           port-number is the default port on which to listen for
           connections.  It must be between 1024 and 65535.
           Current default is 1500.

valgrind-di-server – Debuginfo server for Valgrind

root@kali:~# valgrind-di-server -h

usage is:

   valgrind-di-server [--exit-at-zero|-e] [port-number]

   where   --exit-at-zero or -e causes the listener to exit
           when the number of connections falls back to zero
           (the default is to keep listening forever)

           --max-connect=INT can be used to increase the maximum
           number of connected processes (default = 50).
           INT must be positive and less than 5000.

           port-number is the default port on which to listen for
           connections.  It must be between 1024 and 65535.
           Current default is 1500.

vgdb – Send monitor commands to a Valgrind gdbserver

root@kali:~# vgdb -h
Usage: vgdb [OPTION]... [[-c] COMMAND]...
vgdb (valgrind gdb) has two usages
  1. standalone to send monitor commands to a Valgrind gdbserver.
     The OPTION(s) must be followed by the command to send
     To send more than one command, separate the commands with -c
  2. relay application between gdb and a Valgrind gdbserver.
     Only OPTION(s) can be given.

 OPTIONS are [--pid=<number>] [--vgdb-prefix=<prefix>]
             [--wait=<number>] [--max-invoke-ms=<number>]
             [--port=<portnr>
             [--cmd-time-out=<number>] [-l] [-D] [-d]
             
  --pid arg must be given if multiple Valgrind gdbservers are found.
  --vgdb-prefix arg must be given to both Valgrind and vgdb utility
      if you want to change the prefix (default /tmp/vgdb-pipe) for the FIFOs communication
      between the Valgrind gdbserver and vgdb.
  --wait (default 0) tells vgdb to check during the specified number
      of seconds if a Valgrind gdbserver can be found.
  --max-invoke-ms (default 100) gives the nr of milli-seconds after which vgdb
      will force the invocation of the Valgrind gdbserver (if the Valgrind
         process is blocked in a system call).
  --port instructs vgdb to listen for gdb on the specified port nr.
  --cmd-time-out (default 99999999) tells vgdb to exit if the found Valgrind
     gdbserver has not processed a command after number seconds
  -l  arg tells to show the list of running Valgrind gdbserver and then exit.
  -D  arg tells to show shared mem status and then exit.
  -d  arg tells to show debug info. Multiple -d args for more debug info

  -h --help shows this message
  To get help from the Valgrind gdbserver, use vgdb help

valgrind Usage Example

root@kali:~# valgrind ./issue
==2909== Memcheck, a memory error detector
==2909== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==2909== Using Valgrind-3.14.0 and LibVEX; rerun with -h for copyright info
==2909== Command: ./issue
==2909==
==2909== Invalid free() / delete / delete[] / realloc()
==2909==    at 0x48369AB: free (vg_replace_malloc.c:530)
==2909==    by 0x10916A: main (main.c:6)
==2909==  Address 0x4a2903f is 1 bytes before a block of size 5 alloc'd
==2909==    at 0x483577F: malloc (vg_replace_malloc.c:299)
==2909==    by 0x109156: main (main.c:5)
==2909==
==2909==
==2909== HEAP SUMMARY:
==2909==     in use at exit: 5 bytes in 1 blocks
==2909==   total heap usage: 1 allocs, 1 frees, 5 bytes allocated
==2909==
==2909== LEAK SUMMARY:
==2909==    definitely lost: 5 bytes in 1 blocks
==2909==    indirectly lost: 0 bytes in 0 blocks
==2909==      possibly lost: 0 bytes in 0 blocks
==2909==    still reachable: 0 bytes in 0 blocks
==2909==         suppressed: 0 bytes in 0 blocks
==2909== Rerun with --leak-check=full to see details of leaked memory
==2909==
==2909== For counts of detected and suppressed errors, rerun with: -v
==2909== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)
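
Gating a build on a Memcheck report like the one above, as an added example (not part of the original page or of the Valgrind project). The function names are hypothetical, and the embedded log is a trimmed copy of the report shown in the usage example.

```shell
#!/bin/sh
# Added example (not from the Valgrind project): gate a CI job on a Memcheck log.
# A log like this is produced with flags listed in the help text above, e.g.
#   valgrind --leak-check=full --error-exitcode=1 --log-file=memcheck.log ./issue
# With the default --error-exitcode=0 valgrind exits with the program's own
# status, so a clean exit does not mean a clean report.

# Trimmed copy of the report shown in the usage example on this page.
sample_log() {
cat <<'EOF'
==2909== Command: ./issue
==2909==
==2909== Invalid free() / delete / delete[] / realloc()
==2909==    at 0x48369AB: free (vg_replace_malloc.c:530)
==2909==    by 0x10916A: main (main.c:6)
==2909==  Address 0x4a2903f is 1 bytes before a block of size 5 alloc'd
==2909==    at 0x483577F: malloc (vg_replace_malloc.c:299)
==2909==    by 0x109156: main (main.c:5)
==2909==
==2909== LEAK SUMMARY:
==2909==    definitely lost: 5 bytes in 1 blocks
==2909==    indirectly lost: 0 bytes in 0 blocks
==2909==
==2909== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)
EOF
}

# Sum the number following LABEL over every ==pid== in the log on stdin
# (several processes appear when --trace-children=yes is used).
memcheck_sum() {
    sed -n "s/^==[0-9]*== *$1 \([0-9,]*\) .*/\1/p" | tr -d ',' |
        awk '{ n += $1 } END { print n + 0 }'
}

# Print "<error heading> @ <first frame outside vg_replace_malloc.c>" per error.
memcheck_findings() {
    sed 's/^==[0-9]*== \{0,1\}//' | awk '
        /^   at 0x/ && prev != "" && prev !~ /^ / { heading = prev; want = 1 }
        want && /^   (at|by) 0x/ && $0 !~ /vg_replace_malloc\.c/ {
            frame = $0
            sub(/^   (at|by) 0x[0-9A-Fa-f]+: /, "", frame)
            print heading " @ " frame
            want = 0
        }
        { prev = $0 }'
}

# Succeed only when the log reports no errors and no definitely-lost bytes.
memcheck_gate() {
    errors=$(memcheck_sum 'ERROR SUMMARY:' < "$1")
    lost=$(memcheck_sum 'definitely lost:' < "$1")
    echo "errors=$errors definitely_lost_bytes=$lost"
    [ "$errors" -eq 0 ] && [ "$lost" -eq 0 ]
}

# Demo on the embedded sample log.
log=$(mktemp)
sample_log > "$log"
memcheck_findings < "$log"
memcheck_gate "$log" || echo "memcheck gate: FAIL"
rm -f "$log"
```

In the report above the two findings are one bug: free() at main.c:6 received an address 1 byte before the block allocated at main.c:5, so that block was never released and shows up as 5 bytes definitely lost.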