1 <?xml version="1.0"?> <!-- -*- sgml -*- -->
2 <!DOCTYPE chapter PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
3 "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
4 [ <!ENTITY % vg-entities SYSTEM "vg-entities.xml"> %vg-entities; ]>
7 <chapter id="manual-core" xreflabel="Valgrind's core">
8 <title>Using and understanding the Valgrind core</title>
10 <para>This chapter describes the Valgrind core services, command-line
11 options and behaviours. That means it is relevant regardless of what
12 particular tool you are using. The information should be sufficient for you
13 to make effective day-to-day use of Valgrind. Advanced topics related to
14 the Valgrind core are described in <xref linkend="manual-core-adv"/>.
18 A point of terminology: most references to "Valgrind" in this chapter
19 refer to the Valgrind core services. </para>
23 <sect1 id="manual-core.whatdoes"
24 xreflabel="What Valgrind does with your program">
25 <title>What Valgrind does with your program</title>
27 <para>Valgrind is designed to be as non-intrusive as possible. It works
28 directly with existing executables. You don't need to recompile, relink,
29 or otherwise modify the program to be checked.</para>
31 <para>You invoke Valgrind like this:</para>
32 <programlisting><![CDATA[
33 valgrind [valgrind-options] your-prog [your-prog-options]]]></programlisting>
35 <para>The most important option is <option>--tool</option> which dictates
36 which Valgrind tool to run. For example, if want to run the command
37 <computeroutput>ls -l</computeroutput> using the memory-checking tool
38 Memcheck, issue this command:</para>
40 <programlisting><![CDATA[
41 valgrind --tool=memcheck ls -l]]></programlisting>
43 <para>However, Memcheck is the default, so if you want to use it you can
44 omit the <option>--tool</option> option.</para>
46 <para>Regardless of which tool is in use, Valgrind takes control of your
47 program before it starts. Debugging information is read from the
48 executable and associated libraries, so that error messages and other
49 outputs can be phrased in terms of source code locations, when
52 <para>Your program is then run on a synthetic CPU provided by the
53 Valgrind core. As new code is executed for the first time, the core
54 hands the code to the selected tool. The tool adds its own
55 instrumentation code to this and hands the result back to the core,
56 which coordinates the continued execution of this instrumented
59 <para>The amount of instrumentation code added varies widely between
60 tools. At one end of the scale, Memcheck adds code to check every
61 memory access and every value computed,
62 making it run 10-50 times slower than natively.
63 At the other end of the spectrum, the minimal tool, called Nulgrind,
64 adds no instrumentation at all and causes in total "only" about a 4 times
67 <para>Valgrind simulates every single instruction your program executes.
68 Because of this, the active tool checks, or profiles, not only the code
69 in your application but also in all supporting dynamically-linked libraries,
70 including the C library, graphical libraries, and so on.</para>
72 <para>If you're using an error-detection tool, Valgrind may
73 detect errors in system libraries, for example the GNU C or X11
74 libraries, which you have to use. You might not be interested in these
75 errors, since you probably have no control over that code. Therefore,
76 Valgrind allows you to selectively suppress errors, by recording them in
77 a suppressions file which is read when Valgrind starts up. The build
78 mechanism selects default suppressions which give reasonable
79 behaviour for the OS and libraries detected on your machine.
80 To make it easier to write suppressions, you can use the
81 <option>--gen-suppressions=yes</option> option. This tells Valgrind to
82 print out a suppression for each reported error, which you can then
83 copy into a suppressions file.</para>
85 <para>Different error-checking tools report different kinds of errors.
86 The suppression mechanism therefore allows you to say which tool or
87 tool(s) each suppression applies to.</para>
92 <sect1 id="manual-core.started" xreflabel="Getting started">
93 <title>Getting started</title>
95 <para>First off, consider whether it might be beneficial to recompile
96 your application and supporting libraries with debugging info enabled
97 (the <option>-g</option> option). Without debugging info, the best
98 Valgrind tools will be able to do is guess which function a particular
99 piece of code belongs to, which makes both error messages and profiling
100 output nearly useless. With <option>-g</option>, you'll get
101 messages which point directly to the relevant source code lines.</para>
103 <para>Another option you might like to consider, if you are working with
104 C++, is <option>-fno-inline</option>. That makes it easier to see the
105 function-call chain, which can help reduce confusion when navigating
106 around large C++ apps. For example, debugging
107 OpenOffice.org with Memcheck is a bit easier when using this option. You
108 don't have to do this, but doing so helps Valgrind produce more accurate
109 and less confusing error reports. Chances are you're set up like this
110 already, if you intended to debug your program with GNU GDB, or some
111 other debugger.</para>
113 <para>If you are planning to use Memcheck: On rare
114 occasions, compiler optimisations (at <option>-O2</option>
115 and above, and sometimes <option>-O1</option>) have been
116 observed to generate code which fools Memcheck into wrongly reporting
117 uninitialised value errors, or missing uninitialised value errors. We have
118 looked in detail into fixing this, and unfortunately the result is that
119 doing so would give a further significant slowdown in what is already a slow
120 tool. So the best solution is to turn off optimisation altogether. Since
121 this often makes things unmanageably slow, a reasonable compromise is to use
122 <option>-O</option>. This gets you the majority of the
123 benefits of higher optimisation levels whilst keeping relatively small the
124 chances of false positives or false negatives from Memcheck. Also, you
125 should compile your code with <option>-Wall</option> because
126 it can identify some or all of the problems that Valgrind can miss at the
127 higher optimisation levels. (Using <option>-Wall</option>
128 is also a good idea in general.) All other tools (as far as we know) are
129 unaffected by optimisation level, and for profiling tools like Cachegrind it
130 is better to compile your program at its normal optimisation level.</para>
132 <para>Valgrind understands both the older "stabs" debugging format, used
133 by GCC versions prior to 3.1, and the newer DWARF2/3/4 formats
135 3.1 and later. We continue to develop our debug-info readers,
136 although the majority of effort will naturally enough go into the newer
137 DWARF readers.</para>
139 <para>When you're ready to roll, run Valgrind as described above.
140 Note that you should run the real
141 (machine-code) executable here. If your application is started by, for
142 example, a shell or Perl script, you'll need to modify it to invoke
143 Valgrind on the real executables. Running such scripts directly under
144 Valgrind will result in you getting error reports pertaining to
145 <filename>/bin/sh</filename>,
146 <filename>/usr/bin/perl</filename>, or whatever interpreter
147 you're using. This may not be what you want and can be confusing. You
148 can force the issue by giving the option
149 <option>--trace-children=yes</option>, but confusion is still
155 <sect1 id="manual-core.comment" xreflabel="The Commentary">
156 <title>The Commentary</title>
158 <para>Valgrind tools write a commentary, a stream of text, detailing
159 error reports and other significant events. All lines in the commentary
162 <programlisting><![CDATA[
163 ==12345== some-message-from-Valgrind]]></programlisting>
166 <para>The <computeroutput>12345</computeroutput> is the process ID.
167 This scheme makes it easy to distinguish program output from Valgrind
168 commentary, and also easy to differentiate commentaries from different
169 processes which have become merged together, for whatever reason.</para>
171 <para>By default, Valgrind tools write only essential messages to the
172 commentary, so as to avoid flooding you with information of secondary
173 importance. If you want more information about what is happening,
174 re-run, passing the <option>-v</option> option to Valgrind. A second
175 <option>-v</option> gives yet more detail.
178 <para>You can direct the commentary to three different places:</para>
182 <listitem id="manual-core.out2fd" xreflabel="Directing output to fd">
183 <para>The default: send it to a file descriptor, which is by default
184 2 (stderr). So, if you give the core no options, it will write
185 commentary to the standard error stream. If you want to send it to
186 some other file descriptor, for example number 9, you can specify
187 <option>--log-fd=9</option>.</para>
189 <para>This is the simplest and most common arrangement, but can
190 cause problems when Valgrinding entire trees of processes which
191 expect specific file descriptors, particularly stdin/stdout/stderr,
192 to be available for their own use.</para>
195 <listitem id="manual-core.out2file"
196 xreflabel="Directing output to file"> <para>A less intrusive
197 option is to write the commentary to a file, which you specify by
198 <option>--log-file=filename</option>. There are special format
199 specifiers that can be used to use a process ID or an environment
200 variable name in the log file name. These are useful/necessary if your
201 program invokes multiple processes (especially for MPI programs).
202 See the <link linkend="manual-core.basicopts">basic options section</link>
203 for more details.</para>
206 <listitem id="manual-core.out2socket"
207 xreflabel="Directing output to network socket"> <para>The
208 least intrusive option is to send the commentary to a network
209 socket. The socket is specified as an IP address and port number
210 pair, like this: <option>--log-socket=192.168.0.1:12345</option> if
211 you want to send the output to host IP 192.168.0.1 port 12345
213 have no idea if 12345 is a port of pre-existing significance). You
214 can also omit the port number:
215 <option>--log-socket=192.168.0.1</option>, in which case a default
216 port of 1500 is used. This default is defined by the constant
217 <computeroutput>VG_CLO_DEFAULT_LOGPORT</computeroutput> in the
220 <para>Note, unfortunately, that you have to use an IP address here,
221 rather than a hostname.</para>
223 <para>Writing to a network socket is pointless if you don't
224 have something listening at the other end. We provide a simple
226 <computeroutput>valgrind-listener</computeroutput>, which accepts
227 connections on the specified port and copies whatever it is sent to
228 stdout. Probably someone will tell us this is a horrible security
229 risk. It seems likely that people will write more sophisticated
230 listeners in the fullness of time.</para>
232 <para><computeroutput>valgrind-listener</computeroutput> can accept
233 simultaneous connections from up to 50 Valgrinded processes. In front
234 of each line of output it prints the current number of active
235 connections in round brackets.</para>
237 <para><computeroutput>valgrind-listener</computeroutput> accepts two
238 command-line options:</para>
241 <para><option>-e</option> or <option>--exit-at-zero</option>:
242 when the number of connected processes falls back to zero,
243 exit. Without this, it will run forever, that is, until you
244 send it Control-C.</para>
247 <para><option>portnumber</option>: changes the port it listens
248 on from the default (1500). The specified port must be in the
249 range 1024 to 65535. The same restriction applies to port
250 numbers specified by a <option>--log-socket</option> to
251 Valgrind itself.</para>
255 <para>If a Valgrinded process fails to connect to a listener, for
256 whatever reason (the listener isn't running, invalid or unreachable
257 host or port, etc), Valgrind switches back to writing the commentary
258 to stderr. The same goes for any process which loses an established
259 connection to a listener. In other words, killing the listener
260 doesn't kill the processes sending data to it.</para>
265 <para>Here is an important point about the relationship between the
266 commentary and profiling output from tools. The commentary contains a
267 mix of messages from the Valgrind core and the selected tool. If the
268 tool reports errors, it will report them to the commentary. However, if
269 the tool does profiling, the profile data will be written to a file of
270 some kind, depending on the tool, and independent of what
271 <option>--log-*</option> options are in force. The commentary is
272 intended to be a low-bandwidth, human-readable channel. Profiling data,
273 on the other hand, is usually voluminous and not meaningful without
274 further processing, which is why we have chosen this arrangement.</para>
279 <sect1 id="manual-core.report" xreflabel="Reporting of errors">
280 <title>Reporting of errors</title>
282 <para>When an error-checking tool
283 detects something bad happening in the program, an error
284 message is written to the commentary. Here's an example from Memcheck:</para>
286 <programlisting><![CDATA[
287 ==25832== Invalid read of size 4
288 ==25832== at 0x8048724: BandMatrix::ReSize(int, int, int) (bogon.cpp:45)
289 ==25832== by 0x80487AF: main (bogon.cpp:66)
290 ==25832== Address 0xBFFFF74C is not stack'd, malloc'd or free'd]]></programlisting>
292 <para>This message says that the program did an illegal 4-byte read of
293 address 0xBFFFF74C, which, as far as Memcheck can tell, is not a valid
294 stack address, nor corresponds to any current heap blocks or recently freed
295 heap blocks. The read is happening at line 45 of
296 <filename>bogon.cpp</filename>, called from line 66 of the same file,
297 etc. For errors associated with an identified (current or freed) heap block,
298 for example reading freed memory, Valgrind reports not only the
299 location where the error happened, but also where the associated heap block
300 was allocated/freed.</para>
302 <para>Valgrind remembers all error reports. When an error is detected,
303 it is compared against old reports, to see if it is a duplicate. If so,
304 the error is noted, but no further commentary is emitted. This avoids
305 you being swamped with bazillions of duplicate error reports.</para>
307 <para>If you want to know how many times each error occurred, run with
308 the <option>-v</option> option. When execution finishes, all the
309 reports are printed out, along with, and sorted by, their occurrence
310 counts. This makes it easy to see which errors have occurred most
313 <para>Errors are reported before the associated operation actually
314 happens. For example, if you're using Memcheck and your program attempts to
315 read from address zero, Memcheck will emit a message to this effect, and
316 your program will then likely die with a segmentation fault.</para>
318 <para>In general, you should try and fix errors in the order that they
319 are reported. Not doing so can be confusing. For example, a program
320 which copies uninitialised values to several memory locations, and later
321 uses them, will generate several error messages, when run on Memcheck.
322 The first such error message may well give the most direct clue to the
323 root cause of the problem.</para>
325 <para>The process of detecting duplicate errors is quite an
326 expensive one and can become a significant performance overhead
327 if your program generates huge quantities of errors. To avoid
328 serious problems, Valgrind will simply stop collecting
329 errors after 1,000 different errors have been seen, or 10,000,000 errors
330 in total have been seen. In this situation you might as well
331 stop your program and fix it, because Valgrind won't tell you
332 anything else useful after this. Note that the 1,000/10,000,000 limits
333 apply after suppressed errors are removed. These limits are
334 defined in <filename>m_errormgr.c</filename> and can be increased
337 <para>To avoid this cutoff you can use the
338 <option>--error-limit=no</option> option. Then Valgrind will always show
339 errors, regardless of how many there are. Use this option carefully,
340 since it may have a bad effect on performance.</para>
345 <sect1 id="manual-core.suppress" xreflabel="Suppressing errors">
346 <title>Suppressing errors</title>
348 <para>The error-checking tools detect numerous problems in the system
349 libraries, such as the C library,
350 which come pre-installed with your OS. You can't easily fix
351 these, but you don't want to see these errors (and yes, there are many!)
352 So Valgrind reads a list of errors to suppress at startup. A default
353 suppression file is created by the
354 <computeroutput>./configure</computeroutput> script when the system is
357 <para>You can modify and add to the suppressions file at your leisure,
358 or, better, write your own. Multiple suppression files are allowed.
359 This is useful if part of your project contains errors you can't or
360 don't want to fix, yet you don't want to continuously be reminded of
363 <formalpara><title>Note:</title> <para>By far the easiest way to add
364 suppressions is to use the <option>--gen-suppressions=yes</option> option
365 described in <xref linkend="manual-core.options"/>. This generates
366 suppressions automatically. For best results,
367 though, you may want to edit the output
368 of <option>--gen-suppressions=yes</option> by hand, in which
369 case it would be advisable to read through this section.
373 <para>Each error to be suppressed is described very specifically, to
374 minimise the possibility that a suppression-directive inadvertently
375 suppresses a bunch of similar errors which you did want to see. The
376 suppression mechanism is designed to allow precise yet flexible
377 specification of errors to suppress.</para>
379 <para>If you use the <option>-v</option> option, at the end of execution,
380 Valgrind prints out one line for each used suppression, giving its name
381 and the number of times it got used. Here's the suppressions used by a
382 run of <computeroutput>valgrind --tool=memcheck ls -l</computeroutput>:</para>
384 <programlisting><![CDATA[
385 --27579-- supp: 1 socketcall.connect(serv_addr)/__libc_connect/__nscd_getgrgid_r
386 --27579-- supp: 1 socketcall.connect(serv_addr)/__libc_connect/__nscd_getpwuid_r
387 --27579-- supp: 6 strrchr/_dl_map_object_from_fd/_dl_map_object]]></programlisting>
389 <para>Multiple suppressions files are allowed. By default, Valgrind
390 uses <filename>$PREFIX/lib/valgrind/default.supp</filename>. You can
391 ask to add suppressions from another file, by specifying
392 <option>--suppressions=/path/to/file.supp</option>.
395 <para>If you want to understand more about suppressions, look at an
396 existing suppressions file whilst reading the following documentation.
397 The file <filename>glibc-2.3.supp</filename>, in the source
398 distribution, provides some good examples.</para>
400 <para>Each suppression has the following components:</para>
405 <para>First line: its name. This merely gives a handy name to the
406 suppression, by which it is referred to in the summary of used
407 suppressions printed out when a program finishes. It's not
408 important what the name is; any identifying string will do.</para>
412 <para>Second line: name of the tool(s) that the suppression is for
413 (if more than one, comma-separated), and the name of the suppression
414 itself, separated by a colon (n.b.: no spaces are allowed), eg:</para>
415 <programlisting><![CDATA[
416 tool_name1,tool_name2:suppression_name]]></programlisting>
418 <para>Recall that Valgrind is a modular system, in which
419 different instrumentation tools can observe your program whilst it
420 is running. Since different tools detect different kinds of errors,
421 it is necessary to say which tool(s) the suppression is meaningful
424 <para>Tools will complain, at startup, if a tool does not understand
425 any suppression directed to it. Tools ignore suppressions which are
426 not directed to them. As a result, it is quite practical to put
427 suppressions for all tools into the same suppression file.</para>
431 <para>Next line: a small number of suppression types have extra
432 information after the second line (eg. the <varname>Param</varname>
433 suppression for Memcheck)</para>
437 <para>Remaining lines: This is the calling context for the error --
438 the chain of function calls that led to it. There can be up to 24
439 of these lines.</para>
441 <para>Locations may be names of either shared objects or
442 functions. They begin
443 <computeroutput>obj:</computeroutput> and
444 <computeroutput>fun:</computeroutput> respectively. Function and
445 object names to match against may use the wildcard characters
446 <computeroutput>*</computeroutput> and
447 <computeroutput>?</computeroutput>.</para>
449 <para><command>Important note: </command> C++ function names must be
450 <command>mangled</command>. If you are writing suppressions by
451 hand, use the <option>--demangle=no</option> option to get the
452 mangled names in your error messages. An example of a mangled
453 C++ name is <computeroutput>_ZN9QListView4showEv</computeroutput>.
454 This is the form that the GNU C++ compiler uses internally, and
455 the form that must be used in suppression files. The equivalent
456 demangled name, <computeroutput>QListView::show()</computeroutput>,
457 is what you see at the C++ source code level.
460 <para>A location line may also be
461 simply "<computeroutput>...</computeroutput>" (three dots). This is
462 a frame-level wildcard, which matches zero or more frames. Frame
463 level wildcards are useful because they make it easy to ignore
464 varying numbers of uninteresting frames in between frames of
465 interest. That is often important when writing suppressions which
466 are intended to be robust against variations in the amount of
467 function inlining done by compilers.</para>
471 <para>Finally, the entire suppression must be between curly
472 braces. Each brace must be the first character on its own
478 <para>A suppression only suppresses an error when the error matches all
479 the details in the suppression. Here's an example:</para>
481 <programlisting><![CDATA[
483 __gconv_transform_ascii_internal/__mbrtowc/mbtowc
485 fun:__gconv_transform_ascii_internal
488 }]]></programlisting>
491 <para>What it means is: for Memcheck only, suppress a
492 use-of-uninitialised-value error, when the data size is 4, when it
493 occurs in the function
494 <computeroutput>__gconv_transform_ascii_internal</computeroutput>, when
495 that is called from any function of name matching
496 <computeroutput>__mbr*toc</computeroutput>, when that is called from
497 <computeroutput>mbtowc</computeroutput>. It doesn't apply under any
498 other circumstances. The string by which this suppression is identified
500 <computeroutput>__gconv_transform_ascii_internal/__mbrtowc/mbtowc</computeroutput>.</para>
502 <para>(See <xref linkend="mc-manual.suppfiles"/> for more details
503 on the specifics of Memcheck's suppression kinds.)</para>
505 <para>Another example, again for the Memcheck tool:</para>
507 <programlisting><![CDATA[
509 libX11.so.6.2/libX11.so.6.2/libXaw.so.7.0
511 obj:/usr/X11R6/lib/libX11.so.6.2
512 obj:/usr/X11R6/lib/libX11.so.6.2
513 obj:/usr/X11R6/lib/libXaw.so.7.0
514 }]]></programlisting>
516 <para>This suppresses any size 4 uninitialised-value error which occurs
517 anywhere in <filename>libX11.so.6.2</filename>, when called from
518 anywhere in the same library, when called from anywhere in
519 <filename>libXaw.so.7.0</filename>. The inexact specification of
520 locations is regrettable, but is about all you can hope for, given that
521 the X11 libraries shipped on the Linux distro on which this example
522 was made have had their symbol tables removed.</para>
524 <para>Although the above two examples do not make this clear, you can
525 freely mix <computeroutput>obj:</computeroutput> and
526 <computeroutput>fun:</computeroutput> lines in a suppression.</para>
528 <para>Finally, here's an example using three frame-level wildcards:</para>
530 <programlisting><![CDATA[
543 This suppresses Memcheck memory-leak errors, in the case where
544 the allocation was done by <computeroutput>main</computeroutput>
545 calling (though any number of intermediaries, including zero)
546 <computeroutput>ccc</computeroutput>,
548 <computeroutput>ddd</computeroutput> and eventually
549 to <computeroutput>malloc.</computeroutput>.
553 <sect1 id="manual-core.options"
554 xreflabel="Core Command-line Options">
555 <title>Core Command-line Options</title>
557 <para>As mentioned above, Valgrind's core accepts a common set of options.
558 The tools also accept tool-specific options, which are documented
559 separately for each tool.</para>
561 <para>Valgrind's default settings succeed in giving reasonable behaviour
562 in most cases. We group the available options by rough categories.</para>
564 <sect2 id="manual-core.toolopts" xreflabel="Tool-selection Option">
565 <title>Tool-selection Option</title>
567 <para>The single most important option.</para>
571 <varlistentry id="tool_name" xreflabel="--tool">
573 <option><![CDATA[--tool=<toolname> [default: memcheck] ]]></option>
576 <para>Run the Valgrind tool called <varname>toolname</varname>,
577 e.g. Memcheck, Cachegrind, etc.</para>
587 <sect2 id="manual-core.basicopts" xreflabel="Basic Options">
588 <title>Basic Options</title>
590 <!-- start of xi:include in the manpage -->
591 <para id="basic.opts.para">These options work with all tools.</para>
593 <variablelist id="basic.opts.list">
595 <varlistentry id="opt.help" xreflabel="--help">
596 <term><option>-h --help</option></term>
598 <para>Show help for all options, both for the core and for the
599 selected tool. If the option is repeated it is equivalent to giving
600 <option>--help-debug</option>.</para>
604 <varlistentry id="opt.help-debug" xreflabel="--help-debug">
605 <term><option>--help-debug</option></term>
607 <para>Same as <option>--help</option>, but also lists debugging
608 options which usually are only of use to Valgrind's
613 <varlistentry id="opt.version" xreflabel="--version">
614 <term><option>--version</option></term>
616 <para>Show the version number of the Valgrind core. Tools can have
617 their own version numbers. There is a scheme in place to ensure
618 that tools only execute when the core version is one they are
619 known to work with. This was done to minimise the chances of
620 strange problems arising from tool-vs-core version
621 incompatibilities.</para>
625 <varlistentry id="opt.quiet" xreflabel="--quiet">
626 <term><option>-q</option>, <option>--quiet</option></term>
628 <para>Run silently, and only print error messages. Useful if you
629 are running regression tests or have some other automated test
634 <varlistentry id="opt.verbose" xreflabel="--verbose">
635 <term><option>-v</option>, <option>--verbose</option></term>
637 <para>Be more verbose. Gives extra information on various aspects
638 of your program, such as: the shared objects loaded, the
639 suppressions used, the progress of the instrumentation and
640 execution engines, and warnings about unusual behaviour. Repeating
641 the option increases the verbosity level.</para>
645 <varlistentry id="opt.trace-children" xreflabel="--trace-children">
647 <option><![CDATA[--trace-children=<yes|no> [default: no] ]]></option>
650 <para>When enabled, Valgrind will trace into sub-processes
651 initiated via the <varname>exec</varname> system call. This is
652 necessary for multi-process programs.
654 <para>Note that Valgrind does trace into the child of a
655 <varname>fork</varname> (it would be difficult not to, since
656 <varname>fork</varname> makes an identical copy of a process), so this
657 option is arguably badly named. However, most children of
658 <varname>fork</varname> calls immediately call <varname>exec</varname>
664 <varlistentry id="opt.trace-children-skip" xreflabel="--trace-children-skip">
666 <option><![CDATA[--trace-children-skip=patt1,patt2,... ]]></option>
669 <para>This option only has an effect when
670 <option>--trace-children=yes</option> is specified. It allows
671 for some children to be skipped. The option takes a comma
672 separated list of patterns for the names of child executables
673 that Valgrind should not trace into. Patterns may include the
674 metacharacters <computeroutput>?</computeroutput>
675 and <computeroutput>*</computeroutput>, which have the usual
678 This can be useful for pruning uninteresting branches from a
679 tree of processes being run on Valgrind. But you should be
680 careful when using it. When Valgrind skips tracing into an
681 executable, it doesn't just skip tracing that executable, it
682 also skips tracing any of that executable's child processes.
683 In other words, the flag doesn't merely cause tracing to stop
684 at the specified executables -- it skips tracing of entire
685 process subtrees rooted at any of the specified
690 <varlistentry id="opt.trace-children-skip-by-arg"
691 xreflabel="--trace-children-skip-by-arg">
693 <option><![CDATA[--trace-children-skip-by-arg=patt1,patt2,... ]]></option>
696 <para>This is the same as
697 <option>--trace-children-skip</option>, with one difference:
698 the decision as to whether to trace into a child process is
699 made by examining the arguments to the child process, rather
700 than the name of its executable.</para>
704 <varlistentry id="opt.child-silent-after-fork"
705 xreflabel="--child-silent-after-fork">
707 <option><![CDATA[--child-silent-after-fork=<yes|no> [default: no] ]]></option>
710 <para>When enabled, Valgrind will not show any debugging or
711 logging output for the child process resulting from
712 a <varname>fork</varname> call. This can make the output less
713 confusing (although more misleading) when dealing with processes
714 that create children. It is particularly useful in conjunction
715 with <varname>--trace-children=</varname>. Use of this option is also
716 strongly recommended if you are requesting XML output
717 (<varname>--xml=yes</varname>), since otherwise the XML from child and
718 parent may become mixed up, which usually makes it useless.
723 <varlistentry id="opt.vgdb" xreflabel="--vgdb">
725 <option><![CDATA[--vgdb=<no|yes|full> [default: yes] ]]></option>
728 <para>Valgrind will enable its embedded gdbserver if value yes
729 or full is given. This allows an
730 external <computeroutput>gdb</computeroutput> debuggger to debug
731 your program running under Valgrind. See
732 <xref linkend="manual-core.gdbserver"/> for a detailed
736 <para> If the embedded gdbserver is enabled but no gdb is
737 currently being used, the <xref linkend="manual-core.vgdb"/>
738 command line utility can send "monitor commands" to Valgrind
739 from a shell. The Valgrind core provides a set of
740 <xref linkend="manual-core.valgrind-monitor-commands"/>. A tool
741 can optionally provide tool specific monitor commands, which are
742 documented in the tool specific chapter.
745 <para>The value 'full' has a significant overhead
750 <varlistentry id="opt.vgdb-error" xreflabel="--vgdb-error">
752 <option><![CDATA[--vgdb-error=<number> [default: 999999999] ]]></option>
755 <para> Use this option when the Valgrind gdbserver is enabled with
756 <option>--vgdb</option> yes or full value. Tools that report
757 errors will invoke the embedded gdbserver for each error above
758 number. The value 0 will cause gdbserver to be invoked before
759 executing your program. This is typically used to insert gdb
760 breakpoints before execution, and will also work with tools that
761 do not report errors, such as Massif.
766 <varlistentry id="opt.vgdb" xreflabel="--vgdb">
768 <option><![CDATA[--vgdb=<no|yes|full> [default: yes] ]]></option>
771 <para>Valgrind will enable its embedded gdbserver if value yes
772 or full is given. This allows an
773 external <computeroutput>gdb</computeroutput> debuggger to debug
774 your program running under Valgrind. See
775 <xref linkend="manual-core.gdbserver"/> for a detailed
779 <para> If the embedded gdbserver is enabled but no gdb is
780 currently being used, the <xref linkend="manual-core.vgdb"/>
781 command line utility can send "monitor commands" to Valgrind
782 from a shell. The Valgrind core provides a set of
783 <xref linkend="manual-core.valgrind-monitor-commands"/>. A tool
784 can optionally provide tool specific monitor commands, which are
785 documented in the tool specific chapter.
788 <para>The value 'full' has a significant overhead
793 <varlistentry id="opt.vgdb-error" xreflabel="--vgdb-error">
795 <option><![CDATA[--vgdb-error=<number> [default: 999999999] ]]></option>
798 <para> Use this option when the Valgrind gdbserver is enabled with
799 <option>--vgdb</option> yes or full value. Tools that report
800 errors will invoke the embedded gdbserver for each error above
801 number. The value 0 will cause gdbserver to be invoked before
802 executing your program. This is typically used to insert gdb
803 breakpoints before execution, and will also work with tools that
804 do not report errors, such as Massif.
809 <varlistentry id="opt.track-fds" xreflabel="--track-fds">
811 <option><![CDATA[--track-fds=<yes|no> [default: no] ]]></option>
814 <para>When enabled, Valgrind will print out a list of open file
815 descriptors on exit. Along with each file descriptor is printed a
816 stack backtrace of where the file was opened and any details
817 relating to the file descriptor such as the file name or socket
822 <varlistentry id="opt.time-stamp" xreflabel="--time-stamp">
824 <option><![CDATA[--time-stamp=<yes|no> [default: no] ]]></option>
827 <para>When enabled, each message is preceded with an indication of
828 the elapsed wallclock time since startup, expressed as days,
829 hours, minutes, seconds and milliseconds.</para>
833 <varlistentry id="opt.log-fd" xreflabel="--log-fd">
835 <option><![CDATA[--log-fd=<number> [default: 2, stderr] ]]></option>
838 <para>Specifies that Valgrind should send all of its messages to
839 the specified file descriptor. The default, 2, is the standard
840 error channel (stderr). Note that this may interfere with the
841 client's own use of stderr, as Valgrind's output will be
842 interleaved with any output that the client sends to
847 <varlistentry id="opt.log-file" xreflabel="--log-file">
849 <option><![CDATA[--log-file=<filename> ]]></option>
852 <para>Specifies that Valgrind should send all of its messages to
853 the specified file. If the file name is empty, it causes an abort.
854 There are three special format specifiers that can be used in the file
857 <para><option>%p</option> is replaced with the current process ID.
858 This is very useful for program that invoke multiple processes.
859 WARNING: If you use <option>--trace-children=yes</option> and your
860 program invokes multiple processes OR your program forks without
861 calling exec afterwards, and you don't use this specifier
862 (or the <option>%q</option> specifier below), the Valgrind output from
863 all those processes will go into one file, possibly jumbled up, and
864 possibly incomplete.</para>
866 <para><option>%q{FOO}</option> is replaced with the contents of the
867 environment variable <varname>FOO</varname>. If the
868 <option>{FOO}</option> part is malformed, it causes an abort. This
869 specifier is rarely needed, but very useful in certain circumstances
870 (eg. when running MPI programs). The idea is that you specify a
871 variable which will be set differently for each process in the job,
872 for example <computeroutput>BPROC_RANK</computeroutput> or whatever is
873 applicable in your MPI setup. If the named environment variable is not
874 set, it causes an abort. Note that in some shells, the
875 <option>{</option> and <option>}</option> characters may need to be
876 escaped with a backslash.</para>
878 <para><option>%%</option> is replaced with <option>%</option>.</para>
880 <para>If an <option>%</option> is followed by any other character, it
881 causes an abort.</para>
885 <varlistentry id="opt.log-socket" xreflabel="--log-socket">
887 <option><![CDATA[--log-socket=<ip-address:port-number> ]]></option>
890 <para>Specifies that Valgrind should send all of its messages to
891 the specified port at the specified IP address. The port may be
892 omitted, in which case port 1500 is used. If a connection cannot
893 be made to the specified socket, Valgrind falls back to writing
894 output to the standard error (stderr). This option is intended to
895 be used in conjunction with the
896 <computeroutput>valgrind-listener</computeroutput> program. For
898 <link linkend="manual-core.comment">the commentary</link>
899 in the manual.</para>
904 <!-- end of xi:include in the manpage -->
909 <sect2 id="manual-core.erropts" xreflabel="Error-related Options">
910 <title>Error-related Options</title>
912 <!-- start of xi:include in the manpage -->
913 <para id="error-related.opts.para">These options are used by all tools
914 that can report errors, e.g. Memcheck, but not Cachegrind.</para>
916 <variablelist id="error-related.opts.list">
918 <varlistentry id="opt.xml" xreflabel="--xml">
920 <option><![CDATA[--xml=<yes|no> [default: no] ]]></option>
923 <para>When enabled, the important parts of the output (e.g. tool error
924 messages) will be in XML format rather than plain text. Furthermore,
925 the XML output will be sent to a different output channel than the
926 plain text output. Therefore, you also must use one of
927 <option>--xml-fd</option>, <option>--xml-file</option> or
928 <option>--xml-socket</option> to specify where the XML is to be sent.
931 <para>Less important messages will still be printed in plain text, but
932 because the XML output and plain text output are sent to different
933 output channels (the destination of the plain text output is still
934 controlled by <option>--log-fd</option>, <option>--log-file</option>
935 and <option>--log-socket</option>) this should not cause problems.
938 <para>This option is aimed at making life easier for tools that consume
939 Valgrind's output as input, such as GUI front ends. Currently this
940 option works with Memcheck, Helgrind and Ptrcheck. The output format
941 is specified in the file
942 <computeroutput>docs/internals/xml-output-protocol4.txt</computeroutput>
943 in the source tree for Valgrind 3.5.0 or later.</para>
945 <para>The recommended options for a GUI to pass, when requesting
946 XML output, are: <option>--xml=yes</option> to enable XML output,
947 <option>--xml-file</option> to send the XML output to a (presumably
948 GUI-selected) file, <option>--log-file</option> to send the plain
949 text output to a second GUI-selected file,
950 <option>--child-silent-after-fork=yes</option>, and
951 <option>-q</option> to restrict the plain text output to critical
952 error messages created by Valgrind itself. For example, failure to
953 read a specified suppressions file counts as a critical error message.
954 In this way, for a successful run the text output file will be empty.
955 But if it isn't empty, then it will contain important information
956 which the GUI user should be made aware
961 <varlistentry id="opt.xml-fd" xreflabel="--xml-fd">
963 <option><![CDATA[--xml-fd=<number> [default: -1, disabled] ]]></option>
966 <para>Specifies that Valgrind should send its XML output to the
967 specified file descriptor. It must be used in conjunction with
968 <option>--xml=yes</option>.</para>
972 <varlistentry id="opt.xml-file" xreflabel="--xml-file">
974 <option><![CDATA[--xml-file=<filename> ]]></option>
977 <para>Specifies that Valgrind should send its XML output
978 to the specified file. It must be used in conjunction with
979 <option>--xml=yes</option>. Any <option>%p</option> or
980 <option>%q</option> sequences appearing in the filename are expanded
981 in exactly the same way as they are for <option>--log-file</option>.
982 See the description of <option>--log-file</option> for details.
987 <varlistentry id="opt.xml-socket" xreflabel="--xml-socket">
989 <option><![CDATA[--xml-socket=<ip-address:port-number> ]]></option>
992 <para>Specifies that Valgrind should send its XML output the
993 specified port at the specified IP address. It must be used in
994 conjunction with <option>--xml=yes</option>. The form of the argument
995 is the same as that used by <option>--log-socket</option>.
996 See the description of <option>--log-socket</option>
997 for further details.</para>
1001 <varlistentry id="opt.xml-user-comment" xreflabel="--xml-user-comment">
1003 <option><![CDATA[--xml-user-comment=<string> ]]></option>
1006 <para>Embeds an extra user comment string at the start of the XML
1007 output. Only works when <option>--xml=yes</option> is specified;
1008 ignored otherwise.</para>
1012 <varlistentry id="opt.demangle" xreflabel="--demangle">
1014 <option><![CDATA[--demangle=<yes|no> [default: yes] ]]></option>
1017 <para>Enable/disable automatic demangling (decoding) of C++ names.
1018 Enabled by default. When enabled, Valgrind will attempt to
1019 translate encoded C++ names back to something approaching the
1020 original. The demangler handles symbols mangled by g++ versions
1021 2.X, 3.X and 4.X.</para>
1023 <para>An important fact about demangling is that function names
1024 mentioned in suppressions files should be in their mangled form.
1025 Valgrind does not demangle function names when searching for
1026 applicable suppressions, because to do otherwise would make
1027 suppression file contents dependent on the state of Valgrind's
1028 demangling machinery, and also slow down suppression matching.</para>
1032 <varlistentry id="opt.num-callers" xreflabel="--num-callers">
1034 <option><![CDATA[--num-callers=<number> [default: 12] ]]></option>
1037 <para>Specifies the maximum number of entries shown in stack traces
1038 that identify program locations. Note that errors are commoned up
1039 using only the top four function locations (the place in the current
1040 function, and that of its three immediate callers). So this doesn't
1041 affect the total number of errors reported.</para>
1043 <para>The maximum value for this is 50. Note that higher settings
1044 will make Valgrind run a bit more slowly and take a bit more
1045 memory, but can be useful when working with programs with
1046 deeply-nested call chains.</para>
1050 <varlistentry id="opt.error-limit" xreflabel="--error-limit">
1052 <option><![CDATA[--error-limit=<yes|no> [default: yes] ]]></option>
1055 <para>When enabled, Valgrind stops reporting errors after 10,000,000
1056 in total, or 1,000 different ones, have been seen. This is to
1057 stop the error tracking machinery from becoming a huge performance
1058 overhead in programs with many errors.</para>
1062 <varlistentry id="opt.error-exitcode" xreflabel="--error-exitcode">
1064 <option><![CDATA[--error-exitcode=<number> [default: 0] ]]></option>
1067 <para>Specifies an alternative exit code to return if Valgrind
1068 reported any errors in the run. When set to the default value
1069 (zero), the return value from Valgrind will always be the return
1070 value of the process being simulated. When set to a nonzero value,
1071 that value is returned instead, if Valgrind detects any errors.
1072 This is useful for using Valgrind as part of an automated test
1073 suite, since it makes it easy to detect test cases for which
1074 Valgrind has reported errors, just by inspecting return codes.</para>
1078 <varlistentry id="opt.stack-traces" xreflabel="--show-below-main">
1080 <option><![CDATA[--show-below-main=<yes|no> [default: no] ]]></option>
1083 <para>By default, stack traces for errors do not show any
1084 functions that appear beneath <function>main</function> because
1085 most of the time it's uninteresting C library stuff and/or
1086 gobbledygook. Alternatively, if <function>main</function> is not
1087 present in the stack trace, stack traces will not show any functions
1088 below <function>main</function>-like functions such as glibc's
1089 <function>__libc_start_main</function>. Furthermore, if
1090 <function>main</function>-like functions are present in the trace,
1091 they are normalised as <function>(below main)</function>, in order to
1092 make the output more deterministic.</para>
1094 <para>If this option is enabled, all stack trace entries will be
1095 shown and <function>main</function>-like functions will not be
1100 <varlistentry id="opt.fullpath-after" xreflabel="--fullpath-after">
1102 <option><![CDATA[--fullpath-after=<string>
1103 [default: don't show source paths] ]]></option>
1106 <para>By default Valgrind only shows the filenames in stack
1107 traces, but not full paths to source files. When using Valgrind
1108 in large projects where the sources reside in multiple different
1109 directories, this can be inconvenient.
1110 <option>--fullpath-after</option> provides a flexible solution
1111 to this problem. When this option is present, the path to each
1112 source file is shown, with the following all-important caveat:
1113 if <option>string</option> is found in the path, then the path
1114 up to and including <option>string</option> is omitted, else the
1115 path is shown unmodified. Note that <option>string</option> is
1116 not required to be a prefix of the path.</para>
1118 <para>For example, consider a file named
1119 <computeroutput>/home/janedoe/blah/src/foo/bar/xyzzy.c</computeroutput>.
1120 Specifying <option>--fullpath-after=/home/janedoe/blah/src/</option>
1121 will cause Valgrind to show the name
1122 as <computeroutput>foo/bar/xyzzy.c</computeroutput>.</para>
1124 <para>Because the string is not required to be a prefix,
1125 <option>--fullpath-after=src/</option> will produce the same
1126 output. This is useful when the path contains arbitrary
1127 machine-generated characters. For example, the
1129 <computeroutput>/my/build/dir/C32A1B47/blah/src/foo/xyzzy</computeroutput>
1130 can be pruned to <computeroutput>foo/xyzzy</computeroutput>
1132 <option>--fullpath-after=/blah/src/</option>.</para>
1134 <para>If you simply want to see the full path, just specify an
1135 empty string: <option>--fullpath-after=</option>. This isn't a
1136 special case, merely a logical consequence of the above rules.</para>
1138 <para>Finally, you can use <option>--fullpath-after</option>
1139 multiple times. Any appearance of it causes Valgrind to switch
1140 to producing full paths and applying the above filtering rule.
1141 Each produced path is compared against all
1142 the <option>--fullpath-after</option>-specified strings, in the
1143 order specified. The first string to match causes the path to
1144 be truncated as described above. If none match, the full path
1145 is shown. This facilitates chopping off prefixes when the
1146 sources are drawn from a number of unrelated directories.
1151 <varlistentry id="opt.suppressions" xreflabel="--suppressions">
1153 <option><![CDATA[--suppressions=<filename> [default: $PREFIX/lib/valgrind/default.supp] ]]></option>
1156 <para>Specifies an extra file from which to read descriptions of
1157 errors to suppress. You may use up to 100 extra suppression
1162 <varlistentry id="opt.gen-suppressions" xreflabel="--gen-suppressions">
1164 <option><![CDATA[--gen-suppressions=<yes|no|all> [default: no] ]]></option>
1167 <para>When set to <varname>yes</varname>, Valgrind will pause
1168 after every error shown and print the line:
1169 <literallayout><computeroutput> ---- Print suppression ? --- [Return/N/n/Y/y/C/c] ----</computeroutput></literallayout>
1171 The prompt's behaviour is the same as for the
1172 <option>--db-attach</option> option (see below).</para>
1174 <para>If you choose to, Valgrind will print out a suppression for
1175 this error. You can then cut and paste it into a suppression file
1176 if you don't want to hear about the error in the future.</para>
1178 <para>When set to <varname>all</varname>, Valgrind will print a
1179 suppression for every reported error, without querying the
1182 <para>This option is particularly useful with C++ programs, as it
1183 prints out the suppressions with mangled names, as
1186 <para>Note that the suppressions printed are as specific as
1187 possible. You may want to common up similar ones, by adding
1188 wildcards to function names, and by using frame-level wildcards.
1189 The wildcarding facilities are powerful yet flexible, and with a
1190 bit of careful editing, you may be able to suppress a whole
1191 family of related errors with only a few suppressions.
1192 <!-- commented out because it causes broken links in the man page
1193 For details on how to do this, see
1194 <xref linkend="manual-core.suppress"/>.
1198 <para>Sometimes two different errors
1199 are suppressed by the same suppression, in which case Valgrind
1200 will output the suppression more than once, but you only need to
1201 have one copy in your suppression file (but having more than one
1202 won't cause problems). Also, the suppression name is given as
1203 <computeroutput><insert a suppression name
1204 here></computeroutput>; the name doesn't really matter, it's
1205 only used with the <option>-v</option> option which prints out all
1206 used suppression records.</para>
1210 <varlistentry id="opt.db-attach" xreflabel="--db-attach">
1212 <option><![CDATA[--db-attach=<yes|no> [default: no] ]]></option>
1215 <para>When enabled, Valgrind will pause after every error shown
1217 <literallayout><computeroutput> ---- Attach to debugger ? --- [Return/N/n/Y/y/C/c] ----</computeroutput></literallayout>
1219 Pressing <varname>Ret</varname>, or <varname>N Ret</varname> or
1220 <varname>n Ret</varname>, causes Valgrind not to start a debugger
1221 for this error.</para>
1223 <para>Pressing <varname>Y Ret</varname> or
1224 <varname>y Ret</varname> causes Valgrind to start a debugger for
1225 the program at this point. When you have finished with the
1226 debugger, quit from it, and the program will continue. Trying to
1227 continue from inside the debugger doesn't work.</para>
1230 Note : if you use gdb, a more powerful debugging support is
1231 provided by the <option>--vgdb</option> yes or full value,
1232 allowing among others to insert breakpoints, continue from
1233 inside the debugger, etc.
1237 Note : if you use gdb, a more powerful debugging support is
1238 provided by the <option>--vgdb</option> yes or full value,
1239 allowing among others to insert breakpoints, continue from
1240 inside the debugger, etc.
1243 <para><varname>C Ret</varname> or <varname>c Ret</varname> causes
1244 Valgrind not to start a debugger, and not to ask again.</para>
1248 <varlistentry id="opt.db-command" xreflabel="--db-command">
1250 <option><![CDATA[--db-command=<command> [default: gdb -nw %f %p] ]]></option>
1253 <para>Specify the debugger to use with the
1254 <option>--db-attach</option> command. The default debugger is
1255 GDB. This option is a template that is expanded by Valgrind at
1256 runtime. <literal>%f</literal> is replaced with the executable's
1257 file name and <literal>%p</literal> is replaced by the process ID
1258 of the executable.</para>
1260 <para>This specifies how Valgrind will invoke the debugger. By
1261 default it will use whatever GDB is detected at build time, which
1262 is usually <computeroutput>/usr/bin/gdb</computeroutput>. Using
1263 this command, you can specify some alternative command to invoke
1264 the debugger you want to use.</para>
1266 <para>The command string given can include one or instances of the
1267 <literal>%p</literal> and <literal>%f</literal> expansions. Each
1268 instance of <literal>%p</literal> expands to the PID of the
1269 process to be debugged and each instance of <literal>%f</literal>
1270 expands to the path to the executable for the process to be
1273 <para>Since <computeroutput><command></computeroutput> is likely
1274 to contain spaces, you will need to put this entire option in
1275 quotes to ensure it is correctly handled by the shell.</para>
1279 <varlistentry id="opt.input-fd" xreflabel="--input-fd">
1281 <option><![CDATA[--input-fd=<number> [default: 0, stdin] ]]></option>
1284 <para>When using <option>--db-attach=yes</option> or
1285 <option>--gen-suppressions=yes</option>, Valgrind will stop so as
1286 to read keyboard input from you when each error occurs. By
1287 default it reads from the standard input (stdin), which is
1288 problematic for programs which close stdin. This option allows
1289 you to specify an alternative file descriptor from which to read
1294 <varlistentry id="opt.dsymutil" xreflabel="--dsymutil">
1296 <option><![CDATA[--dsymutil=no|yes [no] ]]></option>
1299 <para>This option is only relevant when running Valgrind on
1302 <para>Mac OS X uses a deferred debug information (debuginfo)
1303 linking scheme. When object files containing debuginfo are
1304 linked into a <computeroutput>.dylib</computeroutput> or an
1305 executable, the debuginfo is not copied into the final file.
1306 Instead, the debuginfo must be linked manually by
1307 running <computeroutput>dsymutil</computeroutput>, a
1308 system-provided utility, on the executable
1309 or <computeroutput>.dylib</computeroutput>. The resulting
1310 combined debuginfo is placed in a directory alongside the
1311 executable or <computeroutput>.dylib</computeroutput>, but with
1312 the extension <computeroutput>.dSYM</computeroutput>.</para>
1314 <para>With <option>--dsymutil=no</option>, Valgrind
1315 will detect cases where the
1316 <computeroutput>.dSYM</computeroutput> directory is either
1317 missing, or is present but does not appear to match the
1318 associated executable or <computeroutput>.dylib</computeroutput>,
1319 most likely because it is out of date. In these cases, Valgrind
1320 will print a warning message but take no further action.</para>
1322 <para>With <option>--dsymutil=yes</option>, Valgrind
1323 will, in such cases, automatically
1324 run <computeroutput>dsymutil</computeroutput> as necessary to
1325 bring the debuginfo up to date. For all practical purposes, if
1326 you always use <option>--dsymutil=yes</option>, then
1327 there is never any need to
1328 run <computeroutput>dsymutil</computeroutput> manually or as part
1329 of your applications's build system, since Valgrind will run it
1330 as necessary.</para>
1332 <para>Valgrind will not attempt to
1333 run <computeroutput>dsymutil</computeroutput> on any
1334 executable or library in
1335 <computeroutput>/usr/</computeroutput>,
1336 <computeroutput>/bin/</computeroutput>,
1337 <computeroutput>/sbin/</computeroutput>,
1338 <computeroutput>/opt/</computeroutput>,
1339 <computeroutput>/sw/</computeroutput>,
1340 <computeroutput>/System/</computeroutput>,
1341 <computeroutput>/Library/</computeroutput> or
1342 <computeroutput>/Applications/</computeroutput>
1343 since <computeroutput>dsymutil</computeroutput> will always fail
1344 in such situations. It fails both because the debuginfo for
1345 such pre-installed system components is not available anywhere,
1346 and also because it would require write privileges in those
1349 <para>Be careful when
1350 using <option>--dsymutil=yes</option>, since it will
1351 cause pre-existing <computeroutput>.dSYM</computeroutput>
1352 directories to be silently deleted and re-created. Also note that
1353 <computeroutput>dsymutil</computeroutput> is quite slow, sometimes
1354 excessively so.</para>
1358 <varlistentry id="opt.max-stackframe" xreflabel="--max-stackframe">
1360 <option><![CDATA[--max-stackframe=<number> [default: 2000000] ]]></option>
1363 <para>The maximum size of a stack frame. If the stack pointer moves by
1364 more than this amount then Valgrind will assume that
1365 the program is switching to a different stack.</para>
1367 <para>You may need to use this option if your program has large
1368 stack-allocated arrays. Valgrind keeps track of your program's
1369 stack pointer. If it changes by more than the threshold amount,
1370 Valgrind assumes your program is switching to a different stack,
1371 and Memcheck behaves differently than it would for a stack pointer
1372 change smaller than the threshold. Usually this heuristic works
1373 well. However, if your program allocates large structures on the
1374 stack, this heuristic will be fooled, and Memcheck will
1375 subsequently report large numbers of invalid stack accesses. This
1376 option allows you to change the threshold to a different
1379 <para>You should only consider use of this option if Valgrind's
1380 debug output directs you to do so. In that case it will tell you
1381 the new threshold you should specify.</para>
1383 <para>In general, allocating large structures on the stack is a
1384 bad idea, because you can easily run out of stack space,
1385 especially on systems with limited memory or which expect to
1386 support large numbers of threads each with a small stack, and also
1387 because the error checking performed by Memcheck is more effective
1388 for heap-allocated data than for stack-allocated data. If you
1389 have to use this option, you may wish to consider rewriting your
1390 code to allocate on the heap rather than on the stack.</para>
1394 <varlistentry id="opt.main-stacksize" xreflabel="--main-stacksize">
1396 <option><![CDATA[--main-stacksize=<number>
1397 [default: use current 'ulimit' value] ]]></option>
1400 <para>Specifies the size of the main thread's stack.</para>
1402 <para>To simplify its memory management, Valgrind reserves all
1403 required space for the main thread's stack at startup. That
1404 means it needs to know the required stack size at
1407 <para>By default, Valgrind uses the current "ulimit" value for
1408 the stack size, or 16 MB, whichever is lower. In many cases
1409 this gives a stack size in the range 8 to 16 MB, which almost
1410 never overflows for most applications.</para>
1412 <para>If you need a larger total stack size,
1413 use <option>--main-stacksize</option> to specify it. Only set
1414 it as high as you need, since reserving far more space than you
1415 need (that is, hundreds of megabytes more than you need)
1416 constrains Valgrind's memory allocators and may reduce the total
1417 amount of memory that Valgrind can use. This is only really of
1418 significance on 32-bit machines.</para>
1420 <para>On Linux, you may request a stack of size up to 2GB.
1421 Valgrind will stop with a diagnostic message if the stack cannot
1422 be allocated. On AIX5 the allowed stack size is restricted to
1425 <para><option>--main-stacksize</option> only affects the stack
1426 size for the program's initial thread. It has no bearing on the
1427 size of thread stacks, as Valgrind does not allocate
1430 <para>You may need to use both <option>--main-stacksize</option>
1431 and <option>--max-stackframe</option> together. It is important
1432 to understand that <option>--main-stacksize</option> sets the
1433 maximum total stack size,
1434 whilst <option>--max-stackframe</option> specifies the largest
1435 size of any one stack frame. You will have to work out
1436 the <option>--main-stacksize</option> value for yourself
1437 (usually, if your applications segfaults). But Valgrind will
1438 tell you the needed <option>--max-stackframe</option> size, if
1441 <para>As discussed further in the description
1442 of <option>--max-stackframe</option>, a requirement for a large
1443 stack is a sign of potential portability problems. You are best
1444 advised to place all large data in heap-allocated memory.</para>
1449 <!-- end of xi:include in the manpage -->
1454 <sect2 id="manual-core.mallocopts" xreflabel="malloc-related Options">
1455 <title>malloc-related Options</title>
1457 <!-- start of xi:include in the manpage -->
1458 <para id="malloc-related.opts.para">For tools that use their own version of
1459 <computeroutput>malloc</computeroutput> (e.g. Memcheck and
1460 Massif), the following options apply.</para>
1462 <variablelist id="malloc-related.opts.list">
1464 <varlistentry id="opt.alignment" xreflabel="--alignment">
1466 <option><![CDATA[--alignment=<number> [default: 8 or 16, depending on the platform] ]]></option>
1469 <para>By default Valgrind's <function>malloc</function>,
1470 <function>realloc</function>, etc, return a block whose starting
1471 address is 8-byte aligned or 16-byte aligned (the value depends on the
1472 platform and matches the platform default). This option allows you to
1473 specify a different alignment. The supplied value must be greater
1474 than or equal to the default, less than or equal to 4096, and must be
1475 a power of two.</para>
1480 <!-- end of xi:include in the manpage -->
1485 <sect2 id="manual-core.rareopts" xreflabel="Uncommon Options">
1486 <title>Uncommon Options</title>
1488 <!-- start of xi:include in the manpage -->
1489 <para id="uncommon.opts.para">These options apply to all tools, as they
1490 affect certain obscure workings of the Valgrind core. Most people won't
1491 need to use these.</para>
1493 <variablelist id="uncommon.opts.list">
1495 <varlistentry id="opt.smc-check" xreflabel="--smc-check">
1497 <option><![CDATA[--smc-check=<none|stack|all> [default: stack] ]]></option>
1500 <para>This option controls Valgrind's detection of self-modifying
1501 code. If no checking is done, if a program executes some code, then
1502 overwrites it with new code, and executes the new code, Valgrind will
1503 continue to execute the translations it made for the old code. This
1504 will likely lead to incorrect behaviour and/or crashes.</para>
1506 <para>Valgrind has three levels of self-modifying code detection:
1507 no detection, detect self-modifying code on the stack (which is used by
1508 GCC to implement nested functions), or detect self-modifying code
1509 everywhere. Note that the default option will catch the vast majority
1510 of cases. The main case it will not catch is programs such as JIT
1511 compilers that dynamically generate code <emphasis>and</emphasis>
1512 subsequently overwrite part or all of it. Running with
1513 <varname>all</varname> will slow Valgrind down noticeably. Running with
1514 <varname>none</varname> will rarely speed things up, since very little
1515 code gets put on the stack for most programs. The
1516 <function>VALGRIND_DISCARD_TRANSLATIONS</function> client request is
1517 an alternative to <option>--smc-check=all</option> that requires more
1518 effort but is much faster.
1519 <!-- commented out because it causes broken links in the man page
1521 linkend="manual-core-adv.clientreq"/> for more details.
1525 <para>Some architectures (including ppc32, ppc64 and ARM) require
1526 programs which create code at runtime to flush the instruction
1527 cache in between code generation and first use. Valgrind
1528 observes and honours such instructions. Hence, on ppc32/Linux,
1529 ppc64/Linux and ARM/Linux, Valgrind always provides complete, transparent
1530 support for self-modifying code. It is only on platforms such as
1531 x86/Linux, AMD64/Linux and x86/Darwin that you need to use this
1536 <varlistentry id="opt.read-var-info" xreflabel="--read-var-info">
1538 <option><![CDATA[--read-var-info=<yes|no> [default: no] ]]></option>
1541 <para>When enabled, Valgrind will read information about
1542 variable types and locations from DWARF3 debug info.
1543 This slows Valgrind down and makes it use more memory, but for
1544 the tools that can take advantage of it (Memcheck, Helgrind,
1545 DRD) it can result in more precise error messages. For example,
1546 here are some standard errors issued by Memcheck:</para>
1547 <programlisting><![CDATA[
1548 ==15516== Uninitialised byte(s) found during client check request
1549 ==15516== at 0x400633: croak (varinfo1.c:28)
1550 ==15516== by 0x4006B2: main (varinfo1.c:55)
1551 ==15516== Address 0x60103b is 7 bytes inside data symbol "global_i2"
1553 ==15516== Uninitialised byte(s) found during client check request
1554 ==15516== at 0x400633: croak (varinfo1.c:28)
1555 ==15516== by 0x4006BC: main (varinfo1.c:56)
1556 ==15516== Address 0x7fefffefc is on thread 1's stack]]></programlisting>
1558 <para>And here are the same errors with
1559 <option>--read-var-info=yes</option>:</para>
1561 <programlisting><![CDATA[
1562 ==15522== Uninitialised byte(s) found during client check request
1563 ==15522== at 0x400633: croak (varinfo1.c:28)
1564 ==15522== by 0x4006B2: main (varinfo1.c:55)
1565 ==15522== Location 0x60103b is 0 bytes inside global_i2[7],
1566 ==15522== a global variable declared at varinfo1.c:41
1568 ==15522== Uninitialised byte(s) found during client check request
1569 ==15522== at 0x400633: croak (varinfo1.c:28)
1570 ==15522== by 0x4006BC: main (varinfo1.c:56)
1571 ==15522== Location 0x7fefffefc is 0 bytes inside local var "local"
1572 ==15522== declared at varinfo1.c:46, in frame #1 of thread 1]]></programlisting>
1576 <varlistentry id="opt.vgdb-poll" xreflabel="--vgdb-poll">
1578 <option><![CDATA[--vgdb-poll=<number> [default: 5000] ]]></option>
1581 <para> As part of its main loop, the Valgrind scheduler will
1582 poll to check if some activity (such as an external command or
1583 some input from a gdb) has to be handled by gdbserver. This
1584 activity poll will be done after having run the given number of
1585 basic blocks (or slightly more than the given number of basic
1586 blocks). This poll is quite cheap so the default value is set
1587 relatively low. You might further decrease this value if vgdb
1588 cannot use ptrace system call to interrupt Valgrind if all
1589 threads are (most of the time) blocked in a system call.
1591 <para> GDBTD??? unclear why we have sometimes slightly more BB:
1592 it seems that from time to time, some BB are run outside of
1593 run_thread_for_a_while. Maybe this is due to block chasing ? I
1594 do not think this is a problem, as I never saw more than a few
1595 additional basic blocks being run without being visible in the
1596 blocks executed by run_thread_for_a_while.
1601 <varlistentry id="opt.vgdb-shadow-registers" xreflabel="--vgdb-shadow-registers">
1603 <option><![CDATA[--vgdb-shadow-registers=no|yes [default: no] ]]></option>
1606 <para> When activated, gdbserver will expose the Valgrind shadow registers
1607 to gdb. With this, the value of the Valgrind shadow registers can be examined
1608 or changed using gdb. Exposing shadows registers only works with a gdb version
1614 <varlistentry id="opt.vgdb-prefix" xreflabel="--vgdb-prefix">
1616 <option><![CDATA[--vgdb-prefix=<prefix> [default: /tmp/vgdb-pipe] ]]></option>
1619 <para> To communicate with gdb/vgdb, the Valgrind gdbserver
1620 creates 3 files (2 named FIFOs and a mmap shared memory
1621 file). The prefix option controls the directory and prefix for
1622 the creation of these files.
1627 <varlistentry id="opt.vgdb-poll" xreflabel="--vgdb-poll">
1629 <option><![CDATA[--vgdb-poll=<number> [default: 5000] ]]></option>
1632 <para> As part of its main loop, the Valgrind scheduler will
1633 poll to check if some activity (such as an external command or
1634 some input from a gdb) has to be handled by gdbserver. This
1635 activity poll will be done after having run the given number of
1636 basic blocks (or slightly more than the given number of basic
1637 blocks). This poll is quite cheap so the default value is set
1638 relatively low. You might further decrease this value if vgdb
1639 cannot use ptrace system call to interrupt Valgrind if all
1640 threads are (most of the time) blocked in a system call.
1642 <para> GDBTD??? unclear why we have sometimes slightly more BB:
1643 it seems that from time to time, some BB are run outside of
1644 run_thread_for_a_while. Maybe this is due to block chasing ? I
1645 do not think this is a problem, as I never saw more than a few
1646 additional basic blocks being run without being visible in the
1647 blocks executed by run_thread_for_a_while.
1652 <varlistentry id="opt.vgdb-shadow-registers" xreflabel="--vgdb-shadow-registers">
1654 <option><![CDATA[--vgdb-shadow-registers=no|yes [default: no] ]]></option>
1657 <para> When activated, gdbserver will expose the Valgrind shadow registers
1658 to gdb. With this, the value of the Valgrind shadow registers can be examined
1659 or changed using gdb. Exposing shadows registers only works with a gdb version
1665 <varlistentry id="opt.vgdb-prefix" xreflabel="--vgdb-prefix">
1667 <option><![CDATA[--vgdb-prefix=<prefix> [default: /tmp/vgdb-pipe] ]]></option>
1670 <para> To communicate with gdb/vgdb, the Valgrind gdbserver
1671 creates 3 files (2 named FIFOs and a mmap shared memory
1672 file). The prefix option controls the directory and prefix for
1673 the creation of these files.
1678 <varlistentry id="opt.run-libc-freeres" xreflabel="--run-libc-freeres">
1680 <option><![CDATA[--run-libc-freeres=<yes|no> [default: yes] ]]></option>
1683 <para>This option is only relevant when running Valgrind on Linux.</para>
1685 <para>The GNU C library (<function>libc.so</function>), which is
1686 used by all programs, may allocate memory for its own uses.
1687 Usually it doesn't bother to free that memory when the program
1688 ends—there would be no point, since the Linux kernel reclaims
1689 all process resources when a process exits anyway, so it would
1690 just slow things down.</para>
1692 <para>The glibc authors realised that this behaviour causes leak
1693 checkers, such as Valgrind, to falsely report leaks in glibc, when
1694 a leak check is done at exit. In order to avoid this, they
1695 provided a routine called <function>__libc_freeres</function>
1696 specifically to make glibc release all memory it has allocated.
1697 Memcheck therefore tries to run
1698 <function>__libc_freeres</function> at exit.</para>
1700 <para>Unfortunately, in some very old versions of glibc,
1701 <function>__libc_freeres</function> is sufficiently buggy to cause
1702 segmentation faults. This was particularly noticeable on Red Hat
1703 7.1. So this option is provided in order to inhibit the run of
1704 <function>__libc_freeres</function>. If your program seems to run
1705 fine on Valgrind, but segfaults at exit, you may find that
1706 <option>--run-libc-freeres=no</option> fixes that, although at the
1707 cost of possibly falsely reporting space leaks in
1708 <filename>libc.so</filename>.</para>
1712 <varlistentry id="opt.sim-hints" xreflabel="--sim-hints">
1714 <option><![CDATA[--sim-hints=hint1,hint2,... ]]></option>
1717 <para>Pass miscellaneous hints to Valgrind which slightly modify
1718 the simulated behaviour in nonstandard or dangerous ways, possibly
1719 to help the simulation of strange features. By default no hints
1720 are enabled. Use with caution! Currently known hints are:</para>
1723 <para><option>lax-ioctls: </option> Be very lax about ioctl
1724 handling; the only assumption is that the size is
1725 correct. Doesn't require the full buffer to be initialized
1726 when writing. Without this, using some device drivers with a
1727 large number of strange ioctl commands becomes very
1731 <para><option>enable-inner: </option> Enable some special
1732 magic needed when the program being run is itself
1739 <varlistentry id="opt.kernel-variant" xreflabel="--kernel-variant">
1741 <option>--kernel-variant=variant1,variant2,...</option>
1744 <para>Handle system calls and ioctls arising from minor variants
1745 of the default kernel for this platform. This is useful for
1746 running on hacked kernels or with kernel modules which support
1747 nonstandard ioctls, for example. Use with caution. If you don't
1748 understand what this option does then you almost certainly don't
1749 need it. Currently known variants are:</para>
1752 <para><option>bproc: </option> Support the
1753 <function>sys_broc</function> system call on x86. This is for
1754 running on BProc, which is a minor variant of standard Linux which
1755 is sometimes used for building clusters.</para>
1761 <varlistentry id="opt.show-emwarns" xreflabel="--show-emwarns">
1763 <option><![CDATA[--show-emwarns=<yes|no> [default: no] ]]></option>
1766 <para>When enabled, Valgrind will emit warnings about its CPU
1767 emulation in certain cases. These are usually not
1772 <varlistentry id="opt.require-text-symbol"
1773 xreflabel="--require-text-symbol">
1775 <option><![CDATA[--require-text-symbol=:sonamepatt:fnnamepatt]]></option>
1778 <para>When a shared object whose soname
1779 matches <varname>sonamepatt</varname> is loaded into the
1780 process, examine all the text symbols it exports. If none of
1781 those match <varname>fnnamepatt</varname>, print an error
1782 message and abandon the run. This makes it possible to ensure
1783 that the run does not continue unless a given shared object
1784 contains a particular function name.
1787 Both <varname>sonamepatt</varname> and
1788 <varname>fnnamepatt</varname> can be written using the usual
1789 <varname>?</varname> and <varname>*</varname> wildcards. For
1790 example: <varname>":*libc.so*:foo?bar"</varname>. You may use
1791 characters other than a colon to separate the two patterns. It
1792 is only important that the first character and the separator
1793 character are the same. For example, the above example could
1794 also be written <varname>"Q*libc.so*Qfoo?bar"</varname>.
1795 Multiple <varname> --require-text-symbol</varname> flags are
1796 allowed, in which case shared objects that are loaded into
1797 the process will be checked against all of them.
1800 The purpose of this is to support reliable usage of marked-up
1801 libraries. For example, suppose we have a version of GCC's
1802 <varname>libgomp.so</varname> which has been marked up with
1803 annotations to support Helgrind. It is only too easy and
1804 confusing to load the wrong, un-annotated
1805 <varname>libgomp.so</varname> into the application. So the idea
1806 is: add a text symbol in the marked-up library, for
1807 example <varname>annotated_for_helgrind_3_6</varname>, and then
1809 <varname>--require-text-symbol=:*libgomp*so*:annotated_for_helgrind_3_6</varname>
1810 so that when <varname>libgomp.so</varname> is loaded, Valgrind
1811 scans its symbol table, and if the symbol isn't present the run
1812 is aborted, rather than continuing silently with the
1813 un-marked-up library. Note that you should put the entire flag
1814 in quotes to stop shells expanding up the <varname>*</varname>
1815 and <varname>?</varname> wildcards.
1822 <!-- end of xi:include in the manpage -->
1827 <sect2 id="manual-core.debugopts" xreflabel="Debugging Options">
1828 <title>Debugging Options</title>
1830 <!-- start of xi:include in the manpage -->
1831 <para id="debug.opts.para">There are also some options for debugging
1832 Valgrind itself. You shouldn't need to use them in the normal run of
1833 things. If you wish to see the list, use the
1834 <option>--help-debug</option> option.</para>
1836 <para>If you wish to debug your program rather than debugging
1837 Valgrind itself, then you should use the options
1838 <option>--vgdb=yes</option> or <option>--vgdb=full</option>
1839 or <option>--db-attach=yes</option>.
1842 <!-- end of xi:include in the manpage -->
1847 <sect2 id="manual-core.defopts" xreflabel="Setting Default Options">
1848 <title>Setting Default Options</title>
1850 <para>Note that Valgrind also reads options from three places:</para>
1854 <para>The file <computeroutput>~/.valgrindrc</computeroutput></para>
1858 <para>The environment variable
1859 <computeroutput>$VALGRIND_OPTS</computeroutput></para>
1863 <para>The file <computeroutput>./.valgrindrc</computeroutput></para>
1867 <para>These are processed in the given order, before the
1868 command-line options. Options processed later override those
1869 processed earlier; for example, options in
1870 <computeroutput>./.valgrindrc</computeroutput> will take
1871 precedence over those in
1872 <computeroutput>~/.valgrindrc</computeroutput>.
1875 <para>Please note that the <computeroutput>./.valgrindrc</computeroutput>
1876 file is ignored if it is marked as world writeable or not owned
1877 by the current user. This is because the
1878 <computeroutput>./.valgrindrc</computeroutput> can contain options that are
1879 potentially harmful or can be used by a local attacker to execute code under
1883 <para>Any tool-specific options put in
1884 <computeroutput>$VALGRIND_OPTS</computeroutput> or the
1885 <computeroutput>.valgrindrc</computeroutput> files should be
1886 prefixed with the tool name and a colon. For example, if you
1887 want Memcheck to always do leak checking, you can put the
1888 following entry in <literal>~/.valgrindrc</literal>:</para>
1890 <programlisting><![CDATA[
1891 --memcheck:leak-check=yes]]></programlisting>
1893 <para>This will be ignored if any tool other than Memcheck is
1894 run. Without the <computeroutput>memcheck:</computeroutput>
1895 part, this will cause problems if you select other tools that
1897 <option>--leak-check=yes</option>.</para>
1904 <sect1 id="manual-core.gdbserver"
1905 xreflabel="Debugging your program using Valgrind gdbserver and gdb">
1906 <title>Debugging your program using Valgrind gdbserver and gdb</title>
1908 <para>A program running under Valgrind is not executed directly by the
1909 CPU. It rather runs on a synthetic CPU provided by Valgrind. This is
1910 why a debugger cannot debug your program under Valgrind the usual way.
1913 This section describes the special way gdb can interact with the
1914 Valgrind gdbserver to provide a fully debuggable program under
1915 Valgrind. Used in this way, gdb also provides an interactive usage of
1916 Valgrind core or tool functionalities (such as incremental leak search
1917 under Memcheck, on-demand Massif snapshot production, ...).
1920 <sect2 id="manual-core.gdbserver-simple"
1921 xreflabel="gdbserver simple example">
1922 <title>Quick Start : debugging in 3 steps</title>
1924 <para>If you want to debug a program with gdb when using Memcheck
1925 tool, start Valgrind the following way:
1927 valgrind --vgdb=yes --vgdb-error=0 prog
1930 <para>In another window, start a gdb the following way:
1935 <para>Then give the following command to gdb:
1937 (gdb) target remote | vgdb
1940 <para>You can now debug your program e.g. by inserting a breakpoint
1941 and then using the gdb 'continue' command.</para>
1943 <para> The above quick start is enough for a basic usage of the
1944 Valgrind gdbserver. Read the sections below to learn about the
1945 advanced functionalities provided by the combination of Valgrind and
1946 gdb. Note that the option --vgdb=yes can be omitted, as this is the
1952 <sect2 id="manual-core.gdbserver-concept"
1953 xreflabel="gdbserver">
1954 <title>Valgrind gdbserver concept</title>
1955 <para>The gdb debugger is typically used to debug a process running on
1956 the same machine : gdb uses system calls to do actions such as read
1957 the values of the process variables or registers. This technique only
1958 allows gdb to debug a program running on the same computer.
1961 <para>Gdb can also debug processes running on a different computer.
1962 For this, gdb defines a protocol (i.e. a set of query and reply
1963 packets) that allows to e.g. fetch the value of memory or registers,
1964 to set breakpoints, etc. A gdbserver is an implementation of this
1965 'gdb remote debugging' protocol. To debug a process running on a
1966 remote computer, a gdbserver (sometimes also called a gdb stub) must
1967 run at the remote computer side.
1970 <para>The Valgrind core integrates an embedded gdbserver
1971 implementation, which is activated using <option>--vgdb=yes</option>
1972 or <option>--vgdb=full</option>. This gdbserver allows the process
1973 running on the Valgrind synthetic CPU to be debugged 'remotely' by gdb
1974 : gdb sends protocol query packets (such as 'get registers values') to
1975 the Valgrind embedded gdbserver. The embedded gdbserver executes the
1976 queries (for example, it will get the registers values of the
1977 synthetic CPU) and give the result back to gdb.
1980 <para> Gdb can use various ways (tcp/ip, serial line, ...) to send and
1981 receive the remote protocol packets to a gdbserver. In the case of the
1982 Valgrind gdbserver, gdb communicates using a pipe and the
1983 <xref linkend="manual-core.vgdb"/> command as a relay application. If
1984 no gdb is currently being used, vgdb can also be used to send monitor
1985 commands to the Valgrind gdbserver from the shell command line.
1990 <sect2 id="manual-core.gdbserver-gdb"
1991 xreflabel="Connecting gdb to a Valgrind gdbserver">
1992 <title>Connecting gdb to a Valgrind gdbserver</title>
1993 <para>To debug a program <filename>prog</filename> running under
1994 Valgrind, ensures that the Valgrind gdbserver is activated
1995 (i.e. --vgdb=yes or --vgdb=full). The option
1996 <![CDATA[--vgdb-error=<number> ]]> can be used to ask an invocation of
1997 the gdbserver for each error above number. A zero value will cause an
1998 invocation of the Valgrind gdbserver at startup, allowing to insert
1999 breakpoints before starting the execution. Example:
2001 valgrind --tool=memcheck --vgdb=yes --vgdb-error=0 ./prog
2004 <para>With the above command, the Valgrind gdbserver is invoked at startup
2005 and indicates it is waiting for a connection from a gdb:</para>
2007 <programlisting><![CDATA[
2008 ==2418== Memcheck, a memory error detector
2009 ==2418== Copyright (C) 2002-2010, and GNU GPL'd, by Julian Seward et al.
2010 ==2418== Using Valgrind-3.7.0.SVN and LibVEX; rerun with -h for copyright info
2011 ==2418== Command: ./prog
2013 ==2418== (action at startup) vgdb me ...
2014 ]]></programlisting>
2017 <para>A gdb in another window can then be connected to the Valgrind gdbserver.
2018 For this, gdb must be started on the program <filename>prog</filename>:
2024 <para>You then indicate to gdb that a remote target debugging is to be done:
2026 (gdb) target remote | vgdb
2028 gdb then starts a vgdb relay application to communicate with the
2029 Valgrind embedded gdbserver:</para>
2031 <programlisting><![CDATA[
2032 (gdb) target remote | vgdb
2033 Remote debugging using | vgdb
2034 relaying data between gdb and process 2418
2035 Reading symbols from /lib/ld-linux.so.2...done.
2036 Reading symbols from /usr/lib/debug/lib/ld-2.11.2.so.debug...done.
2037 Loaded symbols for /lib/ld-linux.so.2
2038 [Switching to Thread 2418]
2039 0x001f2850 in _start () from /lib/ld-linux.so.2
2041 ]]></programlisting>
2043 <para> In case vgdb detects that multiple Valgrind gdbserver can be connected
2044 to, it will exit after reporting the list of the debuggable Valgrind
2045 processes and their PIDs. You can then relaunch the gdb 'target' command, but
2046 specifying the process id of the process you want to debug:
2049 <programlisting><![CDATA[
2050 (gdb) target remote | vgdb
2051 Remote debugging using | vgdb
2052 no --pid= arg given and multiple valgrind pids found:
2053 use --pid=2479 for valgrind --tool=memcheck --vgdb=yes --vgdb-error=0 ./prog
2054 use --pid=2481 for valgrind --tool=memcheck --vgdb=yes --vgdb-error=0 ./prog
2055 use --pid=2483 for valgrind --vgdb=yes --vgdb-error=0 ./another_prog
2056 Remote communication error: Resource temporarily unavailable.
2057 (gdb) target remote | vgdb --pid=2479
2058 Remote debugging using | vgdb --pid=2479
2059 relaying data between gdb and process 2479
2060 Reading symbols from /lib/ld-linux.so.2...done.
2061 Reading symbols from /usr/lib/debug/lib/ld-2.11.2.so.debug...done.
2062 Loaded symbols for /lib/ld-linux.so.2
2063 [Switching to Thread 2479]
2064 0x001f2850 in _start () from /lib/ld-linux.so.2
2066 ]]></programlisting>
2068 <para>Once gdb is connected to the Valgrind gdbserver, gdb can be used
2069 similarly to a native debugging session:</para>
2072 <para> Breakpoints can be inserted or deleted. </para>
2075 <para> Variables and registers values can be examined or modified.
2079 <para> Signal handling can be configured (printing, ignoring, ...).
2083 <para> Execution can be controlled (continue, step, next, stepi, ...).
2087 <para> Program execution can be interrupted using Control-C. </para>
2094 <para> Refer to the gdb user manual for a complete list of gdb functionalities.
2099 <sect2 id="manual-core.gdbserver-commandhandling"
2100 xreflabel="Monitor command handling by the Valgrind gdbserver">
2101 <title>Monitor command handling by the Valgrind gdbserver</title>
2103 <para> The Valgrind gdbserver provides a set of additional specific
2104 functionalities through "monitor commands". Such monitor commands can
2105 be sent from the gdb command line or from the shell command line. See
2106 <xref linkend="manual-core.valgrind-monitor-commands"/> for the list
2107 of the Valgrind core monitor commands.
2110 <para> Each tool can also provide tool specific monitor commands. An
2111 example of a tool specific monitor command is the Memcheck monitor
2112 command <computeroutput>mc.leak_check any full
2113 reachable</computeroutput>. This requests a full reporting of the
2114 allocated memory blocks. To have this leak check executed, use the gdb
2117 (gdb) monitor mc.leak_check any full reachable
2121 <para> gdb will send the mc.leak_check command to the Valgrind gdbserver. The
2122 Valgrind gdbserver will either execute the monitor command itself (if
2123 it recognises a Valgrind core monitor command) or let the tool execute the
2124 tool specific monitor commands:
2126 <programlisting><![CDATA[
2127 (gdb) monitor mc.leak_check any full reachable
2128 ==2418== 100 bytes in 1 blocks are still reachable in loss record 1 of 1
2129 ==2418== at 0x4006E9E: malloc (vg_replace_malloc.c:236)
2130 ==2418== by 0x804884F: main (prog.c:88)
2132 ==2418== LEAK SUMMARY:
2133 ==2418== definitely lost: 0 bytes in 0 blocks
2134 ==2418== indirectly lost: 0 bytes in 0 blocks
2135 ==2418== possibly lost: 0 bytes in 0 blocks
2136 ==2418== still reachable: 100 bytes in 1 blocks
2137 ==2418== suppressed: 0 bytes in 0 blocks
2140 ]]></programlisting>
2142 <para> Like for the gdb commands, the Valgrind gdbserver will accept
2143 abbreviated monitor command names and arguments, as long as the given
2144 abbreviation is non ambiguous. For example, the above mc.leak_check
2145 command can also be typed as:
2150 The letters <computeroutput>mo</computeroutput> are recognised by gdb as being
2151 <computeroutput>monitor</computeroutput>. So, gdb sends the
2152 string <computeroutput>mc.l a f r</computeroutput> to the Valgrind
2153 gdbserver. The letters provided in this string are unambiguous for the
2154 Valgrind gdbserver. So, this will give the same output as the non
2155 abbreviated command and arguments. If the provided abbreviation is
2156 ambiguous, the Valgrind gdbserver will report the list of commands (or
2157 argument values) that can match:
2158 <programlisting><![CDATA[
2160 mc. can match mc.get_vbits mc.leak_check mc.make_memory mc.check_memory
2162 ]]></programlisting>
2165 <para> Instead of sending a monitor command from gdb, you can also
2166 send these from a shell command line. For example, the below command lines
2167 given in a shell will cause the same leak search to be executed by the
2170 vgdb --pid=3145 mc.leak_check any full reachable
2171 vgdb --pid=3145 mc.l a f r
2174 <para>Note that the Valgrind gdbserver automatically continues the
2175 execution of the program after a standalone invocation of
2176 vgdb. Monitor commands sent from gdb do not cause the program to
2177 continue: the program execution is controlled explicitely using gdb
2178 commands such as 'continue' or 'next'.</para>
2182 <sect2 id="manual-core.gdbserver-threads"
2183 xreflabel="Valgrind gdbserver thread info">
2184 <title>Valgrind gdbserver thread info</title>
2186 <para> The Valgrind gdbserver enriches the output of the
2187 gdb <computeroutput>info threads</computeroutput> with Valgrind
2188 specific information. The operating system thread number is followed
2189 by the Valgrind 'tid' and the Valgrind scheduler thread state:</para>
2191 <programlisting><![CDATA[
2193 4 Thread 6239 (tid 4 VgTs_Yielding) 0x001f2832 in _dl_sysinfo_int80 () from /lib/ld-linux.so.2
2194 * 3 Thread 6238 (tid 3 VgTs_Runnable) make_error (s=0x8048b76 "called from London") at prog.c:20
2195 2 Thread 6237 (tid 2 VgTs_WaitSys) 0x001f2832 in _dl_sysinfo_int80 () from /lib/ld-linux.so.2
2196 1 Thread 6234 (tid 1 VgTs_Yielding) main (argc=1, argv=0xbedcc274) at prog.c:105
2198 ]]></programlisting>
2202 <sect2 id="manual-core.gdbserver-shadowregisters"
2203 xreflabel="Examining and modifying Valgrind shadow registers">
2204 <title>Examining and modifying Valgrind shadow registers</title>
2206 <para> When the option <![CDATA[--vgdb-shadow-registers=yes ]]> is
2207 given, the Valgrind gdbserver will let gdb examine and/or modify the
2208 Valgrind shadow registers. A gdb version >= 7.1 is needed for this
2211 <para> For each CPU register, the Valgrind core maintains two
2212 shadow registers. These shadow registers can be accessed from
2213 gdb by giving a postfix s1 or s2 for respectively the first
2214 and second shadow registers. As an example, the x86 register
2215 <computeroutput>eax</computeroutput> and its two shadow
2216 registers can be examined using the following commands:</para>
2218 <programlisting><![CDATA[
2226 ]]></programlisting>
2231 <sect2 id="manual-core.gdbserver-limitations"
2232 xreflabel="Limitations of the Valgrind gdbserver">
2233 <title>Limitations of the Valgrind gdbserver</title>
2235 <para>Debugging with the Valgrind gdbserver is very similar to native
2236 debugging. The implementation of the Valgrind gdbserver is quite
2237 complete, and so provides most of the gdb debugging facilities. There
2238 are however some limitations or particularities described in details
2239 in this section:</para>
2242 <para> Precision of 'stopped at instruction'.</para>
2243 <para>Gdb commands such as 'step', 'next', 'stepi', breakpoints,
2244 watchpoints, ... will stop the execution of the process. With
2245 the option --vgdb=yes, the process might not stop at the exact
2246 instruction needed. Instead, it might continue execution of the
2247 current block and stop at one of the following blocks. This is
2248 linked to the fact that Valgrind gdbserver has to instrument a
2249 block to allow stopping at the exact instruction requested.
2250 Currently, re-instrumenting the current block being executed is
2251 not supported. So, if the action requested by gdb (e.g. single
2252 stepping or inserting a breakpoint) implies to re-instrument the
2253 current block, the gdb action might not be executed precisely.
2255 <para> This limitation will be triggered when the current block
2256 being executed has not (yet) been instrumented for debugging.
2257 This typically happens when the gdbserver is activated due to the
2258 tool reporting an error or to a watchpoint. If the gdbserver
2259 block has been activated following a breakpoint (or if a
2260 breakpoint has been inserted in the block before its execution),
2261 then the block has already been instrumented for debugging.
2263 <para> If you use the option --vgdb=full, then gdb 'stop actions'
2264 will always be obeyed precisely, but this implies that each
2265 instruction will be instrumented with an additional call to a
2266 gdbserver helper function, which implies some overhead compared
2267 to --vgdb=no. Option --vgdb=yes has neglectible overhead compared
2273 <para>Hardware watchpoint support by the Valgrind
2276 <para> The Valgrind gdbserver can simulate hardware watchpoints
2277 (but only if the tool provides the support for this). Currently,
2278 only Memcheck provides hardware watchpoint simulation. The
2279 hardware watchpoint simulation provided by Memcheck is much
2280 faster that gdb software watchpoints (which are implemented by
2281 gdb checking the value of the watched zone(s) after each
2282 instruction). Hardware watchpoint simulation also provides read
2283 watchpoints. The hardware watchpoint simulation by Memcheck has
2284 some limitations compared to the real hardware
2285 watchpoints. However, the number and length of simulated
2286 watchpoints are not limited.
2288 <para> Typically, the number of (real) hardware watchpoint is
2289 limited. For example, the x86 architecture supports a maximum of
2290 4 hardware watchpoints, each watchpoint watching 1, 2, 4 or 8
2291 bytes. The Valgrind gdbserver does not have a limitation on the
2292 number of simulated hardware watchpoints. It also has no
2293 limitation on the length of the memory zone being
2294 watched. However, gdb currently does not (yet) understand that
2295 Valgrind gdbserver watchpoints have no length limit. A gdb patch
2296 providing a command 'set remote hardware-watchpoint-length-limit'
2297 has been developped. The integration of this patch in gdb would
2298 allow to fully use the flexibility of the Valgrind gdbserver
2299 simulated hardware watchpoints (is there a gdb developper reading
2302 <para> Memcheck implements hardware watchpoint simulation by
2303 marking the watched zone(s) as being unaddressable. In case a
2304 hardware watchpoint is removed, the zone is marked as addressable
2305 and defined. Hardware watchpoint simulation of addressable
2306 undefined memory zones will properly work, but will have as a
2307 side effect to mark the zone as defined when the watchpoint is
2309 <para> Write watchpoints might not be reported at the instruction
2310 which is modifying the value unless option --vgdb=full is
2311 given. Read watchpoints will always be reported at the exact
2312 instruction reading the watched memory.</para>
2313 <para> It is better to avoid using hardware watchpoint of not
2314 addressable (yet) memory: in such a case, gdb will fallback to
2315 extremely slow software watchpoints. Also, if you do not quit gdb
2316 between two debugging sessions, the hardware watchpoints of the
2317 previous sessions will be re-inserted as software watchpoints if
2318 the watched memory zone is not addressable at program startup.
2323 <para> Stepping inside shared libraries on ARM.</para>
2324 <para> For a not (yet?) clear reason, stepping inside a shared
2325 library on ARM might fail. The bypass is to use the ldd command
2326 to find the list of shared libraries and their loading address
2327 and inform gdb of the loading address using the gdb command
2328 'add-symbol-file'. Example (for a ./p executable):
2329 <programlisting><![CDATA[
2331 libc.so.6 => /lib/libc.so.6 (0x4002c000)
2332 /lib/ld-linux.so.3 (0x40000000)
2333 (gdb) add-symbol-file /lib/libc.so.6 0x4002c000
2334 add symbol table from file "/lib/libc.so.6" at
2335 .text_addr = 0x4002c000
2337 Reading symbols from /lib/libc.so.6...(no debugging symbols found)...done.
2339 ]]></programlisting>
2344 <para> gdb version needed for ARM and PPC32/64.</para>
2345 <para> You must use a gdb version which is able to read XML
2346 target description sent by gdbserver (this is the standard setup
2347 if the gdb was configured on a computer with the expat
2348 library). If your gdb was not configured with XML support, it
2349 will report an error message when using the target
2350 command. Debugging will not work because gdb will then not be
2351 able to fetch the registers from the Valgrind gdbserver.
2356 <para> Stack unwinding on PPC32/PPC64. </para>
2357 <para> On PPC32/PPC64, stack unwinding for leaf functions
2358 (i.e. functions not calling other functions) does work properly
2359 only with <option>--vex-iropt-precise-memory-exns=yes</option>.
2360 You must also pass this option to have a precise stack when
2361 a signal is trapped by gdb.
2366 <para> Breakpoint encountered multiple times. </para>
2367 <para> Some instructions (e.g. the x86 "rep movsb")
2368 are translated by Valgrind using a loop. If a breakpoint is placed
2369 on such an instruction, the breakpoint will be encountered
2370 multiple times (i.e. once for each step of the "implicit" loop
2371 implementing the instruction).
2376 <para> Execution of Inferior function calls by the Valgrind
2379 <para> gdb allows the user to "call" functions inside the process
2380 being debugged. Such calls are named 'Inferior calls' in the gdb
2381 terminology. A typical usage of an 'Inferior call' is to execute
2382 a function that outputs a readable image of a complex data
2383 structure. To make an Inferior call, use the gdb 'print' command
2384 followed by the function to call and its arguments. As an
2385 example, the following gdb command causes an Inferior call to the
2386 libc printf function to be executed by (and inside) the process
2389 <programlisting><![CDATA[
2390 (gdb) p printf("process being debugged has pid %d\n", getpid())
2393 ]]></programlisting>
2395 <para>The Valgrind gdbserver accepts Inferior function
2396 calls. During Inferior calls, the Valgrind tool will report
2397 errors as usual. If you do not want to have such errors stopping
2398 the execution of the Inferior call, you can use 'vg.set
2399 vgdb-error' to set a big value before the call, and reset the
2400 value after the Inferior call.</para>
2402 <para>To execute Inferior calls, gdb changes registers such as
2403 the program counter, and then continues the execution of the
2404 program. In a multi-thread program, all threads are continued,
2405 not only the thread instructed to make an Inferior call. If
2406 another thread reports an error or encounters a break, the
2407 evaluation of the Inferior call is abandonned.</para>
2409 <para> Note that Inferior function calls is a powerful gdb
2410 functionality but it has to be used with caution. For example, if
2411 the program being debugged is stopped inside the function printf,
2412 'forcing' a recursive call to printf via an Inferior call will
2413 very probably create problems. The Valgrind tool might also add
2414 another level of complexity to Inferior calls, e.g. by reporting
2415 tool errors during the Inferior call or due to the
2416 instrumentation done.
2422 <para>Connecting to or interrupting a Valgrind process blocked in
2423 a system call.</para>
2425 <para> Connecting to or interrupting a Valgrind process blocked
2426 in a system call is depending on ptrace system call, which might
2427 be disabled on your kernel. </para>
2429 <para> At regular interval, after having executed some basic
2430 blocks, the Valgrind scheduler checks if some input is to be
2431 handled by the Valgrind gdbserver. However, this check is only
2432 done if at least one thread of the process is executing (enough)
2433 basic blocks. If all the threads of the process are blocked in a
2434 system call, then no basic blocks are being executed, and the
2435 Valgrind scheduler will not invoke the Valgrind gdbserver. In
2436 such a case, the vgdb relay application will 'force' the Valgrind
2437 gdbserver to be invoked, without the intervention of the Valgrind
2441 <para> Such forced invocation of the Valgrind gdbserver is
2442 implemented by vgdb using ptrace system calls. On a properly
2443 implemented kernel, the ptrace calls done by vgdb will not
2444 influence the behaviour of the program running under Valgrind. In
2445 case of unexpected impact, giving the option --max-invoke-ms=0 to
2446 the vgdb relay application will disable the usage of ptrace
2447 system call. The consequence of disabling ptrace system call in
2448 vgdb is that a Valgrind process blocked in a system call cannot
2449 be waken up or interrupted from gdb till it executes (enough)
2450 basic blocks to let the scheduler poll invoke the gdbserver..
2452 <para>When ptrace is disabled in vgdb, you might increase the
2453 responsiveness of the Valgrind gdbserver to commands or
2454 interrupts by giving a lower value to the option --vgdb-poll: if
2455 your application is most of the time blocked in a system call,
2456 using a very low value for vgdb-poll will cause a faster
2457 invocation of gdbserver. As the gdbserver poll done by the
2458 scheduler is very efficient, the more frequent check by the
2459 scheduler should not cause significant performance degradation.
2461 <para>When ptrace is disabled in vgdb, a query packet sent by gdb
2462 might take a significant time to be handled by the Valgrind
2463 gdbserver. In such a case, gdb might encounter a protocol
2464 timeout. To avoid having gdb encountering such a timeout error,
2465 you can increase the value of this timeout by using the gdb
2466 command 'set remotetimeout'.
2469 <para> Ubuntu version >= 10.10 can also restrict the scope of
2470 ptrace to the children of the process calling ptrace. As the
2471 Valgrind process is not a child of vgdb, such restricted scope
2472 causes ptrace system call to fail. To avoid that, when Valgrind
2473 gdbserver receives the first packet from a vgdb, it calls
2474 prctl(PR_SET_PTRACER, vgdb_pid, 0, 0, 0) to ensure vgdb can use
2475 ptrace. Once vgdb_pid has been set as ptracer, vgdb can then
2476 properly force the invocation of Valgrind gdbserver when
2477 needed. To ensure the vgdb is set as ptracer before the Valgrind
2478 process could be blocked in a system call, connect your gdb to
2479 the Valgrind gdbserver at startup (i.e. use --vgdb-error=0).
2480 Note that this 'set ptracer' is not solving the problem for the
2481 connection of a standalone vgdb: the first command to be sent by
2482 a standalone vgdb must wake up the Valgrind process before
2483 Valgrind gdbserver will set vgdb as ptracer.
2486 <para> Unblocking a process blocked in a system call is
2487 not implemented on Darwin. So, waiting for vgdb on Darwin to
2488 be enhanced, you cannot connect/interrupt a process blocked
2489 in a system call on Darwin.
2495 <para> Changing registers of a thread.</para>
2496 <para> The Valgrind gdbserver only accepts to modify the values
2497 of the registers of a thread when the thread is in status
2498 Runnable or Yielding. In other states (typically, WaitSys), changing
2499 registers values will not be accepted. This among others ensures
2500 that Inferior calls are not executed for a thread which is in a
2501 system call : the Valgrind gdbserver does not implement system
2507 <para> gdb functionalities not supported.</para>
2508 <para> gdb provides an awful lot of debugging functionalities.
2509 At least the following are not supported: reversible debugging,
2515 <para> Unknown limitations or problems.</para>
2516 <para> The combination of gdb, Valgrind and the Valgrind
2517 gdbserver has for sure some still unknown other
2518 limitations/problems but we do not know about these unknown
2519 limitations/problems :). If you encounter such (annoying)
2520 limitations or problems, feel free to report a bug. But first
2521 verify if the limitation or problem is not inherent to gdb or the
2522 gdb remote protocol e.g. by checking the behaviour with the
2523 standard gdbserver part of the gdb package.
2533 <sect1 id="manual-core.vgdb"
2535 <title>vgdb command line options</title>
2536 <para> Usage: vgdb [OPTION]... [[-c] COMMAND]...</para>
2538 <para> vgdb (Valgrind to gdb) has two usages:</para>
2540 <listitem id="manual-core.vgdb-standalone" xreflabel="vgdb standalone">
2541 <para>As a standalone utility, it is used from a shell command
2542 line to send monitor commands to a process running under
2543 Valgrind. For this usage, the vgdb OPTION(s) must be followed by
2544 the monitor command to send. To send more than one command,
2545 separate them with the -c option.
2549 <listitem id="manual-core.vgdb-relay" xreflabel="vgdb relay">
2550 <para>In combination with gdb 'target remote |' command, it is
2551 used as the relay application between gdb and the Valgrind
2552 gdbserver. For this usage, only OPTION(s) can be given, no
2553 command can be given.
2559 <para><computeroutput>vgdb</computeroutput> accepts the following
2563 <para><option>--pid=<number></option>: specifies the pid of
2564 the process to which vgdb must connect to. This option is useful
2565 in case more than one Valgrind gdbserver can be connected to. If
2566 --pid argument is not given and multiple Valgrind gdbserver
2567 processes are running, vgdb will report the list of such processes
2568 and then exit.</para>
2572 <para><option>--vgdb-prefix</option> must be given to both
2573 Valgrind and vgdb utility if you want to change the default prefix
2574 for the FIFOs communication between the Valgrind gdbserver and
2579 <para><option>--max-invoke-ms=<number></option> gives the
2580 number of milli-seconds after which vgdb will force the invocation
2581 of gdbserver embedded in valgrind. Default value is 100
2582 milli-seconds. A value of 0 disables the forced invocation.
2585 <para>If you specify a big value here, you might need to increase
2586 the gdb remote timeout. The default value of the gdb remotetimeout
2587 is 2 seconds. You should ensure that the gdb remotetimeout (in
2588 seconds) is bigger than the max-invoke-ms value. For example, for
2589 a 5000 --max-invoke-ms, the following gdb command will set a value
2592 (gdb) set remotetimeout 6
2598 <para><option>--wait=<number></option> instructs vgdb to
2599 check during the specified number of seconds if a Valgrind
2600 gdbserver can be found. This allows to start a vgdb before the
2601 Valgrind gdbserver is started. This option will be more useful in
2602 combination with a --vgdb-prefix unique for the process you want
2603 to wait for. Also, if you use the --wait argument in the gdb
2604 'target remote' command, you must set the gdb remotetimeout to a
2605 value bigger than the --wait argument value. See option
2606 --max-invoke-ms for an example of setting this remotetimeout
2611 <para><option>-c</option> To give more than one command, separate
2612 the commands by an option -c. Example:
2614 vgdb vg.set log_output -c mc.leak_check any
2619 <para><option>-d</option> instructs vgdb to produce debugging
2620 output. Give multiple -d args for more debug info.</para>
2624 <para><option>-D</option> instructs vgdb to show the state of the
2625 shared memory used by the Valgrind gdbserver. vgdb will exit after
2626 having shown the Valgrind gdbserver shared memory state.</para>
2630 <para><option>-l</option> instructs vgdb to report the list of
2631 the Valgrind gdbserver processes running and then exit.</para>
2638 <sect1 id="manual-core.valgrind-monitor-commands"
2639 xreflabel="Valgrind monitor commands">
2640 <title>Valgrind monitor commands</title>
2642 <para>The Valgrind monitor commands are available whatever the
2643 tool. They can be sent either from a shell command line (using a
2644 standalone vgdb) or from gdb (using the gdb 'monitor' command).</para>
2648 <para><varname>help [debug]</varname> instructs Valgrind gdbserver
2649 to give the list of all monitor commands of the Valgrind core and
2650 of the tool. The optional 'debug' argument tells to also give help
2651 for the monitor commands aimed at Valgrind internals debugging.
2656 <para><varname>vg.info all_errors</varname> shows all errors found
2660 <para><varname>vg.info last_error</varname> shows the last error
2665 <para><varname>vg.info n_errs_found</varname> shows the nr of
2666 errors found so far and the current value of the --vgdb-error
2671 <para><varname>vg.set {gdb_output | log_output |
2672 mixed_output}</varname> allows to redirect the Valgrind output
2673 (e.g. the errors detected by the tool). By default, the setting is
2674 mixed_output. </para>
2676 <para>With mixed_output, the Valgrind output goes to the Valgrind
2677 log (typically stderr) while the output of the interactive gdb
2678 monitor commands (e.g. vg.info last_error) is displayed by
2681 <para>With gdb_output, both the Valgrind output and the
2682 interactive gdb monitor commands output is displayed by
2685 <para>With log_output, both the Valgrind output and the
2686 interactive gdb monitor commands output go to the Valgrind
2691 <para><varname>vg.wait [ms (default 0)]</varname> instructs
2692 Valgrind gdbserver to sleep 'ms' milli-seconds and then
2693 continue. When sent from a standalone vgdb, if this is the last
2694 command, the Valgrind process will continue the execution of the
2695 guest process. The typical usage of this is to use vgdb to send a
2696 "no-op" command to a Valgrind gdbserver so as to continue the
2697 execution of the guess process.
2702 <para><varname>vg.kill;</varname> requests the gdbserver to kill
2703 the process. This can be used from a standalone vgdb to properly
2704 kill a Valgrind process which is currently expecting a vgdb
2709 <para><varname>vg.set vgdb-error <errornr></varname>
2710 dynamically changes the value of the --vgdb-error argument. A
2711 typical usage of this is to start with --vgdb-error=0 on the
2712 command line, then set a few breakpoints, set the vgdb-error value
2713 to a huge value and continue execution.</para>
2718 <para>The below Valgrind monitor commands are useful to investigate
2719 the behaviour of Valgrind or Valgrind gdbserver in case of problem or
2725 <para><varname>vg.info gdbserver_status</varname> shows the
2726 gdbserver status. In case of problem (e.g. of communications),
2727 this gives the value of some relevant Valgrind gdbserver internal
2728 variables. Note that the variables related to breakpoints and
2729 watchpoints (e.g. the nr of gdbserved addresses and the nr of
2730 watchpoints) will be zero, as gdb by default removes all
2731 watchpoints and breakpoints when execution stops, and re-inserts
2732 them when resuming the execution of the debugged process. You can
2733 change this gdb behaviour by using the gdb command 'set breakpoint
2734 always-inserted on'.
2739 <para><varname>vg.info memory</varname> shows the statistics of
2740 the Valgrind heap management. If
2741 option <option>--profile-heap=yes=yes</option> was given, detailed
2742 statistics will be output.
2747 <para><varname>vg.set debuglog <intvalue></varname> sets the
2748 valgrind debug log level to <intvalue>. This allows to
2749 dynamically change the log level of Valgrind e.g. when a problem
2754 <para><varname>vg.translate <address>
2755 [<traceflags>]</varname> traces the translation of the block
2756 containing address with the given trace flags. The traceflags is a
2757 bit pattern similar to the --trace-flags option. It can be given
2758 in hexadecimal (e.g. 0x20) or decimal (e.g. 32) or in binary 1s
2759 and 0s bit (e.g. 0b00100000). The default value of the traceflags
2760 is 0b00100000, corresponding to 'show after instrumentation'. Note
2761 that the output of this command always goes to the Valgrind
2762 log. The additional bit flag 0b100000000 traces in addition the
2763 gdbserver specific instrumentation. Note that bit can only enable
2764 the addition of the gdbserver instrumentation in the trace.
2765 Keeping this flag to 0 will not disable the tracing of the
2766 gdbserver instrumentation if it is active for another reason
2767 (e.g. because there is a breakpoint at this address or because
2768 gdbserver is in single stepping mode). </para>
2775 <sect1 id="manual-core.pthreads" xreflabel="Support for Threads">
2776 <title>Support for Threads</title>
2778 <para>Threaded programs are fully supported.</para>
2780 <para>The main thing to point out with respect to threaded programs is
2781 that your program will use the native threading library, but Valgrind
2782 serialises execution so that only one (kernel) thread is running at a
2783 time. This approach avoids the horrible implementation problems of
2784 implementing a truly multithreaded version of Valgrind, but it does
2785 mean that threaded apps run only on one CPU, even if you have a
2786 multiprocessor or multicore machine.</para>
2788 <para>Valgrind doesn't schedule the threads itself. It merely ensures
2789 that only one thread runs at once, using a simple locking scheme. The
2790 actual thread scheduling remains under control of the OS kernel. What
2791 this does mean, though, is that your program will see very different
2792 scheduling when run on Valgrind than it does when running normally.
2793 This is both because Valgrind is serialising the threads, and because
2794 the code runs so much slower than normal.</para>
2796 <para>This difference in scheduling may cause your program to behave
2797 differently, if you have some kind of concurrency, critical race,
2798 locking, or similar, bugs. In that case you might consider using the
2799 tools Helgrind and/or DRD to track them down.</para>
2801 <para>On Linux, Valgrind also supports direct use of the
2802 <computeroutput>clone</computeroutput> system call,
2803 <computeroutput>futex</computeroutput> and so on.
2804 <computeroutput>clone</computeroutput> is supported where either
2805 everything is shared (a thread) or nothing is shared (fork-like); partial
2812 <sect1 id="manual-core.signals" xreflabel="Handling of Signals">
2813 <title>Handling of Signals</title>
2815 <para>Valgrind has a fairly complete signal implementation. It should be
2816 able to cope with any POSIX-compliant use of signals.</para>
2818 <para>If you're using signals in clever ways (for example, catching
2819 SIGSEGV, modifying page state and restarting the instruction), you're
2820 probably relying on precise exceptions. In this case, you will need
2821 to use <option>--vex-iropt-precise-memory-exns=yes</option>.
2824 <para>If your program dies as a result of a fatal core-dumping signal,
2825 Valgrind will generate its own core file
2826 (<computeroutput>vgcore.NNNNN</computeroutput>) containing your program's
2827 state. You may use this core file for post-mortem debugging with GDB or
2828 similar. (Note: it will not generate a core if your core dump size limit is
2829 0.) At the time of writing the core dumps do not include all the floating
2830 point register information.</para>
2832 <para>In the unlikely event that Valgrind itself crashes, the operating system
2833 will create a core dump in the usual way.</para>
2844 <sect1 id="manual-core.install" xreflabel="Building and Installing">
2845 <title>Building and Installing Valgrind</title>
2847 <para>We use the standard Unix
2848 <computeroutput>./configure</computeroutput>,
2849 <computeroutput>make</computeroutput>, <computeroutput>make
2850 install</computeroutput> mechanism. Once you have completed
2851 <computeroutput>make install</computeroutput> you may then want
2852 to run the regression tests
2853 with <computeroutput>make regtest</computeroutput>.
2856 <para>In addition to the usual
2857 <option>--prefix=/path/to/install/tree</option>, there are three
2858 options which affect how Valgrind is built:
2862 <para><option>--enable-inner</option></para>
2863 <para>This builds Valgrind with some special magic hacks which make
2864 it possible to run it on a standard build of Valgrind (what the
2865 developers call "self-hosting"). Ordinarily you should not use
2866 this option as various kinds of safety checks are disabled.
2871 <para><option>--enable-only64bit</option></para>
2872 <para><option>--enable-only32bit</option></para>
2873 <para>On 64-bit platforms (amd64-linux, ppc64-linux,
2874 amd64-darwin), Valgrind is by default built in such a way that
2875 both 32-bit and 64-bit executables can be run. Sometimes this
2876 cleverness is a problem for a variety of reasons. These two
2877 options allow for single-target builds in this situation. If you
2878 issue both, the configure script will complain. Note they are
2879 ignored on 32-bit-only platforms (x86-linux, ppc32-linux,
2880 arm-linux, x86-darwin).
2887 <para>The <computeroutput>configure</computeroutput> script tests
2888 the version of the X server currently indicated by the current
2889 <computeroutput>$DISPLAY</computeroutput>. This is a known bug.
2890 The intention was to detect the version of the current X
2891 client libraries, so that correct suppressions could be selected
2892 for them, but instead the test checks the server version. This
2893 is just plain wrong.</para>
2895 <para>If you are building a binary package of Valgrind for
2896 distribution, please read <literal>README_PACKAGERS</literal>
2897 <xref linkend="dist.readme-packagers"/>. It contains some
2898 important information.</para>
2900 <para>Apart from that, there's not much excitement here. Let us
2901 know if you have build problems.</para>
2907 <sect1 id="manual-core.problems" xreflabel="If You Have Problems">
2908 <title>If You Have Problems</title>
2910 <para>Contact us at <ulink url="&vg-url;">&vg-url;</ulink>.</para>
2912 <para>See <xref linkend="manual-core.limits"/> for the known
2913 limitations of Valgrind, and for a list of programs which are
2914 known not to work on it.</para>
2916 <para>All parts of the system make heavy use of assertions and
2917 internal self-checks. They are permanently enabled, and we have no
2918 plans to disable them. If one of them breaks, please mail us!</para>
2920 <para>If you get an assertion failure
2921 in <filename>m_mallocfree.c</filename>, this may have happened because
2922 your program wrote off the end of a heap block, or before its
2923 beginning, thus corrupting head metadata. Valgrind hopefully will have
2924 emitted a message to that effect before dying in this way.</para>
2926 <para>Read the <xref linkend="FAQ"/> for more advice about common problems,
2927 crashes, etc.</para>
2933 <sect1 id="manual-core.limits" xreflabel="Limitations">
2934 <title>Limitations</title>
2936 <para>The following list of limitations seems long. However, most
2937 programs actually work fine.</para>
2939 <para>Valgrind will run programs on the supported platforms
2940 subject to the following constraints:</para>
2944 <para>On x86 and amd64, there is no support for 3DNow!
2945 instructions. If the translator encounters these, Valgrind will
2946 generate a SIGILL when the instruction is executed. Apart from
2947 that, on x86 and amd64, essentially all instructions are supported,
2948 up to and including SSE4.2 in 64-bit mode and SSSE3 in 32-bit mode.
2949 Some exceptions: SSE4.2 AES instructions are not supported in
2950 64-bit mode, and 32-bit mode does in fact support the bare minimum
2951 SSE4 instructions to needed to run programs on MacOSX 10.6 on
2957 <para>On ppc32 and ppc64, almost all integer, floating point and
2958 Altivec instructions are supported. Specifically: integer and FP
2959 insns that are mandatory for PowerPC, the "General-purpose
2960 optional" group (fsqrt, fsqrts, stfiwx), the "Graphics optional"
2961 group (fre, fres, frsqrte, frsqrtes), and the Altivec (also known
2962 as VMX) SIMD instruction set, are supported. Also, instructions
2963 from the Power ISA 2.05 specification, as present in POWER6 CPUs,
2964 are supported.</para>
2968 <para>On ARM, essentially the entire ARMv7-A instruction set
2969 is supported, in both ARM and Thumb mode. ThumbEE and Jazelle are
2970 not supported. NEON and VFPv3 support is fairly complete. ARMv6
2971 media instruction support is mostly done but not yet complete.
2976 <para>If your program does its own memory management, rather than
2977 using malloc/new/free/delete, it should still work, but Memcheck's
2978 error checking won't be so effective. If you describe your
2979 program's memory management scheme using "client requests" (see
2980 <xref linkend="manual-core-adv.clientreq"/>), Memcheck can do
2981 better. Nevertheless, using malloc/new and free/delete is still
2982 the best approach.</para>
2986 <para>Valgrind's signal simulation is not as robust as it could be.
2987 Basic POSIX-compliant sigaction and sigprocmask functionality is
2988 supplied, but it's conceivable that things could go badly awry if you
2989 do weird things with signals. Workaround: don't. Programs that do
2990 non-POSIX signal tricks are in any case inherently unportable, so
2991 should be avoided if possible.</para>
2995 <para>Machine instructions, and system calls, have been implemented
2996 on demand. So it's possible, although unlikely, that a program will
2997 fall over with a message to that effect. If this happens, please
2998 report all the details printed out, so we can try and implement the
2999 missing feature.</para>
3003 <para>Memory consumption of your program is majorly increased
3004 whilst running under Valgrind's Memcheck tool. This is due to the
3005 large amount of administrative information maintained behind the
3006 scenes. Another cause is that Valgrind dynamically translates the
3007 original executable. Translated, instrumented code is 12-18 times
3008 larger than the original so you can easily end up with 100+ MB of
3009 translations when running (eg) a web browser.</para>
3013 <para>Valgrind can handle dynamically-generated code just fine. If
3014 you regenerate code over the top of old code (ie. at the same
3015 memory addresses), if the code is on the stack Valgrind will
3016 realise the code has changed, and work correctly. This is
3017 necessary to handle the trampolines GCC uses to implemented nested
3018 functions. If you regenerate code somewhere other than the stack,
3019 and you are running on an 32- or 64-bit x86 CPU, you will need to
3020 use the <option>--smc-check=all</option> option, and Valgrind will
3021 run more slowly than normal. Or you can add client requests that
3022 tell Valgrind when your program has overwritten code.
3024 <para> On other platforms (ARM, PowerPC) Valgrind observes and
3025 honours the cache invalidation hints that programs are obliged to
3026 emit to notify new code, and so self-modifying-code support should
3027 work automatically, without the need
3028 for <option>--smc-check=all</option>.</para>
3032 <para>Valgrind has the following limitations
3033 in its implementation of x86/AMD64 floating point relative to
3036 <para>Precision: There is no support for 80 bit arithmetic.
3037 Internally, Valgrind represents all such "long double" numbers in 64
3038 bits, and so there may be some differences in results. Whether or
3039 not this is critical remains to be seen. Note, the x86/amd64
3040 fldt/fstpt instructions (read/write 80-bit numbers) are correctly
3041 simulated, using conversions to/from 64 bits, so that in-memory
3042 images of 80-bit numbers look correct if anyone wants to see.</para>
3044 <para>The impression observed from many FP regression tests is that
3045 the accuracy differences aren't significant. Generally speaking, if
3046 a program relies on 80-bit precision, there may be difficulties
3047 porting it to non x86/amd64 platforms which only support 64-bit FP
3048 precision. Even on x86/amd64, the program may get different results
3049 depending on whether it is compiled to use SSE2 instructions (64-bits
3050 only), or x87 instructions (80-bit). The net effect is to make FP
3051 programs behave as if they had been run on a machine with 64-bit IEEE
3052 floats, for example PowerPC. On amd64 FP arithmetic is done by
3053 default on SSE2, so amd64 looks more like PowerPC than x86 from an FP
3054 perspective, and there are far fewer noticeable accuracy differences
3055 than with x86.</para>
3057 <para>Rounding: Valgrind does observe the 4 IEEE-mandated rounding
3058 modes (to nearest, to +infinity, to -infinity, to zero) for the
3059 following conversions: float to integer, integer to float where
3060 there is a possibility of loss of precision, and float-to-float
3061 rounding. For all other FP operations, only the IEEE default mode
3062 (round to nearest) is supported.</para>
3064 <para>Numeric exceptions in FP code: IEEE754 defines five types of
3065 numeric exception that can happen: invalid operation (sqrt of
3066 negative number, etc), division by zero, overflow, underflow,
3067 inexact (loss of precision).</para>
3069 <para>For each exception, two courses of action are defined by IEEE754:
3070 either (1) a user-defined exception handler may be called, or (2) a
3071 default action is defined, which "fixes things up" and allows the
3072 computation to proceed without throwing an exception.</para>
3074 <para>Currently Valgrind only supports the default fixup actions.
3075 Again, feedback on the importance of exception support would be
3078 <para>When Valgrind detects that the program is trying to exceed any
3079 of these limitations (setting exception handlers, rounding mode, or
3080 precision control), it can print a message giving a traceback of
3081 where this has happened, and continue execution. This behaviour used
3082 to be the default, but the messages are annoying and so showing them
3083 is now disabled by default. Use <option>--show-emwarns=yes</option> to see
3086 <para>The above limitations define precisely the IEEE754 'default'
3087 behaviour: default fixup on all exceptions, round-to-nearest
3088 operations, and 64-bit precision.</para>
3092 <para>Valgrind has the following limitations in
3093 its implementation of x86/AMD64 SSE2 FP arithmetic, relative to
3096 <para>Essentially the same: no exceptions, and limited observance of
3097 rounding mode. Also, SSE2 has control bits which make it treat
3098 denormalised numbers as zero (DAZ) and a related action, flush
3099 denormals to zero (FTZ). Both of these cause SSE2 arithmetic to be
3100 less accurate than IEEE requires. Valgrind detects, ignores, and can
3101 warn about, attempts to enable either mode.</para>
3105 <para>Valgrind has the following limitations in
3106 its implementation of ARM VFPv3 arithmetic, relative to
3109 <para>Essentially the same: no exceptions, and limited observance
3110 of rounding mode. Also, switching the VFP unit into vector mode
3111 will cause Valgrind to abort the program -- it has no way to
3112 emulate vector uses of VFP at a reasonable performance level. This
3113 is no big deal given that non-scalar uses of VFP instructions are
3114 in any case deprecated.</para>
3118 <para>Valgrind has the following limitations
3119 in its implementation of PPC32 and PPC64 floating point
3120 arithmetic, relative to IEEE754.</para>
3122 <para>Scalar (non-Altivec): Valgrind provides a bit-exact emulation of
3123 all floating point instructions, except for "fre" and "fres", which are
3124 done more precisely than required by the PowerPC architecture specification.
3125 All floating point operations observe the current rounding mode.
3128 <para>However, fpscr[FPRF] is not set after each operation. That could
3129 be done but would give measurable performance overheads, and so far
3130 no need for it has been found.</para>
3132 <para>As on x86/AMD64, IEEE754 exceptions are not supported: all floating
3133 point exceptions are handled using the default IEEE fixup actions.
3134 Valgrind detects, ignores, and can warn about, attempts to unmask
3135 the 5 IEEE FP exception kinds by writing to the floating-point status
3136 and control register (fpscr).
3139 <para>Vector (Altivec, VMX): essentially as with x86/AMD64 SSE/SSE2:
3140 no exceptions, and limited observance of rounding mode.
3141 For Altivec, FP arithmetic
3142 is done in IEEE/Java mode, which is more accurate than the Linux default
3143 setting. "More accurate" means that denormals are handled properly,
3144 rather than simply being flushed to zero.</para>
3148 <para>Programs which are known not to work are:</para>
3151 <para>emacs starts up but immediately concludes it is out of
3152 memory and aborts. It may be that Memcheck does not provide
3153 a good enough emulation of the
3154 <computeroutput>mallinfo</computeroutput> function.
3155 Emacs works fine if you build it to use
3156 the standard malloc/free routines.</para>
3163 <sect1 id="manual-core.example" xreflabel="An Example Run">
3164 <title>An Example Run</title>
3166 <para>This is the log for a run of a small program using Memcheck.
3167 The program is in fact correct, and the reported error is as the
3168 result of a potentially serious code generation bug in GNU g++
3169 (snapshot 20010527).</para>
3171 <programlisting><![CDATA[
3172 sewardj@phoenix:~/newmat10$ ~/Valgrind-6/valgrind -v ./bogon
3173 ==25832== Valgrind 0.10, a memory error detector for x86 RedHat 7.1.
3174 ==25832== Copyright (C) 2000-2001, and GNU GPL'd, by Julian Seward.
3175 ==25832== Startup, with flags:
3176 ==25832== --suppressions=/home/sewardj/Valgrind/redhat71.supp
3177 ==25832== reading syms from /lib/ld-linux.so.2
3178 ==25832== reading syms from /lib/libc.so.6
3179 ==25832== reading syms from /mnt/pima/jrs/Inst/lib/libgcc_s.so.0
3180 ==25832== reading syms from /lib/libm.so.6
3181 ==25832== reading syms from /mnt/pima/jrs/Inst/lib/libstdc++.so.3
3182 ==25832== reading syms from /home/sewardj/Valgrind/valgrind.so
3183 ==25832== reading syms from /proc/self/exe
3185 ==25832== Invalid read of size 4
3186 ==25832== at 0x8048724: BandMatrix::ReSize(int,int,int) (bogon.cpp:45)
3187 ==25832== by 0x80487AF: main (bogon.cpp:66)
3188 ==25832== Address 0xBFFFF74C is not stack'd, malloc'd or free'd
3190 ==25832== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)
3191 ==25832== malloc/free: in use at exit: 0 bytes in 0 blocks.
3192 ==25832== malloc/free: 0 allocs, 0 frees, 0 bytes allocated.
3193 ==25832== For a detailed leak analysis, rerun with: --leak-check=yes
3194 ]]></programlisting>
3196 <para>The GCC folks fixed this about a week before GCC 3.0
3202 <sect1 id="manual-core.warnings" xreflabel="Warning Messages">
3203 <title>Warning Messages You Might See</title>
3205 <para>Some of these only appear if you run in verbose mode
3206 (enabled by <option>-v</option>):</para>
3211 <para><computeroutput>More than 100 errors detected. Subsequent
3212 errors will still be recorded, but in less detail than
3213 before.</computeroutput></para>
3215 <para>After 100 different errors have been shown, Valgrind becomes
3216 more conservative about collecting them. It then requires only the
3217 program counters in the top two stack frames to match when deciding
3218 whether or not two errors are really the same one. Prior to this
3219 point, the PCs in the top four frames are required to match. This
3220 hack has the effect of slowing down the appearance of new errors
3221 after the first 100. The 100 constant can be changed by recompiling
3226 <para><computeroutput>More than 1000 errors detected. I'm not
3227 reporting any more. Final error counts may be inaccurate. Go fix
3228 your program!</computeroutput></para>
3230 <para>After 1000 different errors have been detected, Valgrind
3231 ignores any more. It seems unlikely that collecting even more
3232 different ones would be of practical help to anybody, and it avoids
3233 the danger that Valgrind spends more and more of its time comparing
3234 new errors against an ever-growing collection. As above, the 1000
3235 number is a compile-time constant.</para>
3239 <para><computeroutput>Warning: client switching stacks?</computeroutput></para>
3241 <para>Valgrind spotted such a large change in the stack pointer
3242 that it guesses the client is switching to
3243 a different stack. At this point it makes a kludgey guess where the
3244 base of the new stack is, and sets memory permissions accordingly.
3245 You may get many bogus error messages following this, if Valgrind
3246 guesses wrong. At the moment "large change" is defined as a change
3247 of more that 2000000 in the value of the
3248 stack pointer register.</para>
3252 <para><computeroutput>Warning: client attempted to close Valgrind's
3253 logfile fd <number></computeroutput></para>
3255 <para>Valgrind doesn't allow the client to close the logfile,
3256 because you'd never see any diagnostic information after that point.
3257 If you see this message, you may want to use the
3258 <option>--log-fd=<number></option> option to specify a
3259 different logfile file-descriptor number.</para>
3263 <para><computeroutput>Warning: noted but unhandled ioctl
3264 <number></computeroutput></para>
3266 <para>Valgrind observed a call to one of the vast family of
3267 <computeroutput>ioctl</computeroutput> system calls, but did not
3268 modify its memory status info (because nobody has yet written a
3269 suitable wrapper). The call will still have gone through, but you may get
3270 spurious errors after this as a result of the non-update of the
3275 <para><computeroutput>Warning: set address range perms: large range
3276 <number></computeroutput></para>
3278 <para>Diagnostic message, mostly for benefit of the Valgrind
3279 developers, to do with memory permissions.</para>