VALGRIND(1) Release 3.2.1 VALGRIND(1)NAMEvalgrind - a suite of tools for debugging and profiling programs
SYNOPSISvalgrind [[valgrind] [options]] [your-program] [[your-program-options]]
DESCRIPTION
Valgrind is a flexible program for debugging and profiling Linux
executables. It consists of a core, which provides a synthetic CPU in
software, and a series of "tools", each of which is a debugging or
profiling tool. The architecture is modular, so that new tools can be
created easily and without disturbing the existing structure.
This manual page covers only basic usage and options. For more
comprehensive information, please see the HTML documentation on your
system: /usr/share/doc/valgrind/html/index.html, or online:
http://www.valgrind.org/docs/manual/index.html.
INVOCATION
Valgrind is typically invoked as follows:
valgrind program args
This runs program (with arguments args) under Valgrind using the
Memcheck tool. Memcheck performs a range of memory-checking functions,
including detecting accesses to uninitialised memory, misuse of
allocated memory (double frees, access after free, etc.) and detecting
memory leaks.
To use a different tool, use the --tool option:
valgrind --tool=toolname program args
The following tools are available:
· cachegrind is a cache simulator. It can be used to annotate every
line of your program with the number of instructions executed and
cache misses incurred.
· callgrind adds call graph tracing to cachegrind. It can be used to
get call counts and inclusive cost for each call happening in your
program. In addition to cachegrind, callgrind can annotate threads
separatly, and every instruction of disassembler output of your
program with the number of instructions executed and cache misses
incurred.
· helgrind spots potential race conditions in your program.
· lackey is a sample tool that can be used as a template for
generating your own tools. After the program terminates, it prints
out some basic statistics about the program execution.
· massif is a heap profiler. It measures how much heap memory your
program uses.
· memcheck is a fine-grained memory checker.
· none performs no function - it simply runs the program under
Valgrind. This is typically used for debugging and benchmarking
Valgrind.
BASIC OPTIONS
These options work with all tools.
-h --help
Show help for all options, both for the core and for the
selected tool.
--help-debug
Same as --help, but also lists debugging options which usually
are only of use to Valgrind's developers.
--version
Show the version number of the Valgrind core. Tools can have
their own version numbers. There is a scheme in place to ensure
that tools only execute when the core version is one they are
known to work with. This was done to minimise the chances of
strange problems arising from tool-vs-core version
incompatibilities.
-q --quiet
Run silently, and only print error messages. Useful if you are
running regression tests or have some other automated test
machinery.
-v --verbose
Be more verbose. Gives extra information on various aspects of
your program, such as: the shared objects loaded, the
suppressions used, the progress of the instrumentation and
execution engines, and warnings about unusual behaviour.
Repeating the flag increases the verbosity level.
-d Emit information for debugging Valgrind itself. This is usually
only of interest to the Valgrind developers. Repeating the flag
produces more detailed output. If you want to send us a bug
report, a log of the output generated by -v -v -d -d will make
your report more useful.
--tool=<toolname> [default: memcheck]
Run the Valgrind tool called toolname, e.g. Memcheck, Addrcheck,
Cachegrind, etc.
--trace-children=<yes|no> [default: no]
When enabled, Valgrind will trace into child processes. This can
be confusing and isn't usually what you want, so it is disabled
by default.
--track-fds=<yes|no> [default: no]
When enabled, Valgrind will print out a list of open file
descriptors on exit. Along with each file descriptor is printed
a stack backtrace of where the file was opened and any details
relating to the file descriptor such as the file name or socket
details.
--time-stamp=<yes|no> [default: no]
When enabled, each message is preceded with an indication of the
elapsed wallclock time since startup, expressed as days, hours,
minutes, seconds and milliseconds.
--log-fd=<number> [default: 2, stderr]
Specifies that Valgrind should send all of its messages to the
specified file descriptor. The default, 2, is the standard error
channel (stderr). Note that this may interfere with the client's
own use of stderr, as Valgrind's output will be interleaved with
any output that the client sends to stderr.
--log-file=<filename>
Specifies that Valgrind should send all of its messages to the
specified file. In fact, the file name used is created by
concatenating the text filename, "." and the process ID, (ie.
<filename>.<pid>), so as to create a file per process. The
specified file name may not be the empty string.
--log-file-exactly=<filename>
Just like --log-file, but the suffix ".pid" is not added. If you
trace multiple processes with Valgrind when using this option
the log file may get all messed up.
--log-file-qualifier=<VAR>
When used in conjunction with --log-file, causes the log file
name to be qualified using the contents of the environment
variable $VAR. This is useful when running MPI programs. For
further details, see Section 2.3 "The Commentary" in the manual.
--log-socket=<ip-address:port-number>
Specifies that Valgrind should send all of its messages to the
specified port at the specified IP address. The port may be
omitted, in which case port 1500 is used. If a connection cannot
be made to the specified socket, Valgrind falls back to writing
output to the standard error (stderr). This option is intended
to be used in conjunction with the valgrind-listener program.
For further details, see Section 2.3 "The Commentary" in the
manual.
ERROR-RELATED OPTIONS
These options are used by all tools that can report errors, e.g.
Memcheck, but not Cachegrind.
--xml=<yes|no> [default: no]
When enabled, output will be in XML format. This is aimed at
making life easier for tools that consume Valgrind's output as
input, such as GUI front ends. Currently this option only works
with Memcheck.
--xml-user-comment=<string>
Embeds an extra user comment string at the start of the XML
output. Only works when --xml=yes is specified; ignored
otherwise.
--demangle=<yes|no> [default: yes]
Enable/disable automatic demangling (decoding) of C++ names.
Enabled by default. When enabled, Valgrind will attempt to
translate encoded C++ names back to something approaching the
original. The demangler handles symbols mangled by g++ versions
2.X, 3.X and 4.X.
An important fact about demangling is that function names
mentioned in suppressions files should be in their mangled form.
Valgrind does not demangle function names when searching for
applicable suppressions, because to do otherwise would make
suppressions file contents dependent on the state of Valgrind's
demangling machinery, and would also be slow and pointless.
--num-callers=<number> [default: 12]
By default, Valgrind shows twelve levels of function call names
to help you identify program locations. You can change that
number with this option. This can help in determining the
program's location in deeply-nested call chains. Note that
errors are commoned up using only the top four function
locations (the place in the current function, and that of its
three immediate callers). So this doesn't affect the total
number of errors reported.
The maximum value for this is 50. Note that higher settings will
make Valgrind run a bit more slowly and take a bit more memory,
but can be useful when working with programs with deeply-nested
call chains.
--error-limit=<yes|no> [default: yes]
When enabled, Valgrind stops reporting errors after 10,000,000
in total, or 1,000 different ones, have been seen. This is to
stop the error tracking machinery from becoming a huge
performance overhead in programs with many errors.
--error-exitcode=<number> [default: 0]
Specifies an alternative exit code to return if Valgrind
reported any errors in the run. When set to the default value
(zero), the return value from Valgrind will always be the return
value of the process being simulated. When set to a nonzero
value, that value is returned instead, if Valgrind detects any
errors. This is useful for using Valgrind as part of an
automated test suite, since it makes it easy to detect test
cases for which Valgrind has reported errors, just by inspecting
return codes.
--show-below-main=<yes|no> [default: no]
By default, stack traces for errors do not show any functions
that appear beneath main() (or similar functions such as glibc's
__libc_start_main(), if main() is not present in the stack
trace); most of the time it's uninteresting C library stuff. If
this option is enabled, those entries below main() will be
shown.
--suppressions=<filename> [default: $PREFIX/lib/valgrind/default.supp]
Specifies an extra file from which to read descriptions of
errors to suppress. You may use as many extra suppressions files
as you like.
--gen-suppressions=<yes|no|all> [default: no]
When set to yes, Valgrind will pause after every error shown and
print the line:
---- Print suppression ? --- [Return/N/n/Y/y/C/c] ----
The prompt's behaviour is the same as for the --db-attach option
(see below).
If you choose to, Valgrind will print out a suppression for this
error. You can then cut and paste it into a suppression file if
you don't want to hear about the error in the future.
When set to all, Valgrind will print a suppression for every
reported error, without querying the user.
This option is particularly useful with C++ programs, as it
prints out the suppressions with mangled names, as required.
Note that the suppressions printed are as specific as possible.
You may want to common up similar ones, eg. by adding wildcards
to function names. Also, sometimes two different errors are
suppressed by the same suppression, in which case Valgrind will
output the suppression more than once, but you only need to have
one copy in your suppression file (but having more than one
won't cause problems). Also, the suppression name is given as
<insert a suppression name here>; the name doesn't really
matter, it's only used with the -v option which prints out all
used suppression records.
--db-attach=<yes|no> [default: no]
When enabled, Valgrind will pause after every error shown and
print the line:
---- Attach to debugger ? --- [Return/N/n/Y/y/C/c] ----
Pressing Ret, or N Ret or n Ret, causes Valgrind not to start a
debugger for this error.
Pressing Y Ret or y Ret causes Valgrind to start a debugger for
the program at this point. When you have finished with the
debugger, quit from it, and the program will continue. Trying to
continue from inside the debugger doesn't work.
C Ret or c Ret causes Valgrind not to start a debugger, and not
to ask again.
Note: --db-attach=yes conflicts with --trace-children=yes. You
can't use them together. Valgrind refuses to start up in this
situation.
May 2002: this is a historical relic which could be easily fixed
if it gets in your way. Mail us and complain if this is a
problem for you.
Nov 2002: if you're sending output to a logfile or to a network
socket, I guess this option doesn't make any sense. Caveat
emptor.
--db-command=<command> [default: gdb -nw %f %p]
Specify the debugger to use with the --db-attach command. The
default debugger is gdb. This option is a template that is
expanded by Valgrind at runtime. %f is replaced with the
executable's file name and %p is replaced by the process ID of
the executable.
This specifies how Valgrind will invoke the debugger. By default
it will use whatever GDB is detected at build time, which is
usually /usr/bin/gdb. Using this command, you can specify some
alternative command to invoke the debugger you want to use.
The command string given can include one or instances of the %p
and %f expansions. Each instance of %p expands to the PID of the
process to be debugged and each instance of %f expands to the
path to the executable for the process to be debugged.
--input-fd=<number> [default: 0, stdin]
When using --db-attach=yes and --gen-suppressions=yes, Valgrind
will stop so as to read keyboard input from you, when each error
occurs. By default it reads from the standard input (stdin),
which is problematic for programs which close stdin. This option
allows you to specify an alternative file descriptor from which
to read input.
--max-stackframe=<number> [default: 2000000]
The maximum size of a stack frame - if the stack pointer moves
by more than this amount then Valgrind will assume that the
program is switching to a different stack.
You may need to use this option if your program has large
stack-allocated arrays. Valgrind keeps track of your program's
stack pointer. If it changes by more than the threshold amount,
Valgrind assumes your program is switching to a different stack,
and Memcheck behaves differently than it would for a stack
pointer change smaller than the threshold. Usually this
heuristic works well. However, if your program allocates large
structures on the stack, this heuristic will be fooled, and
Memcheck will subsequently report large numbers of invalid stack
accesses. This option allows you to change the threshold to a
different value.
You should only consider use of this flag if Valgrind's debug
output directs you to do so. In that case it will tell you the
new threshold you should specify.
In general, allocating large structures on the stack is a bad
idea, because (1) you can easily run out of stack space,
especially on systems with limited memory or which expect to
support large numbers of threads each with a small stack, and
(2) because the error checking performed by Memcheck is more
effective for heap-allocated data than for stack-allocated data.
If you have to use this flag, you may wish to consider rewriting
your code to allocate on the heap rather than on the stack.
MALLOC()-RELATED OPTIONS
For tools that use their own version of malloc() (e.g. Memcheck and
Massif), the following options apply.
--alignment=<number> [default: 8]
By default Valgrind's malloc(), realloc(), etc, return 8-byte
aligned addresses. This is standard for most processors.
However, some programs might assume that malloc() et al return
16-byte or more aligned memory. The supplied value must be
between 8 and 4096 inclusive, and must be a power of two.
UNCOMMON OPTIONS
These options apply to all tools, as they affect certain obscure
workings of the Valgrind core. Most people won't need to use these.
--run-libc-freeres=<yes|no> [default: yes]
The GNU C library (libc.so), which is used by all programs, may
allocate memory for its own uses. Usually it doesn't bother to
free that memory when the program ends - there would be no
point, since the Linux kernel reclaims all process resources
when a process exits anyway, so it would just slow things down.
The glibc authors realised that this behaviour causes leak
checkers, such as Valgrind, to falsely report leaks in glibc,
when a leak check is done at exit. In order to avoid this, they
provided a routine called __libc_freeres specifically to make
glibc release all memory it has allocated. Memcheck therefore
tries to run __libc_freeres at exit.
Unfortunately, in some versions of glibc, __libc_freeres is
sufficiently buggy to cause segmentation faults. This is
particularly noticeable on Red Hat 7.1. So this flag is provided
in order to inhibit the run of __libc_freeres. If your program
seems to run fine on Valgrind, but segfaults at exit, you may
find that --run-libc-freeres=no fixes that, although at the cost
of possibly falsely reporting space leaks in libc.so.
--sim-hints=hint1,hint2,...
Pass miscellaneous hints to Valgrind which slightly modify the
simulated behaviour in nonstandard or dangerous ways, possibly
to help the simulation of strange features. By default no hints
are enabled. Use with caution! Currently known hints are:
· lax-ioctls: Be very lax about ioctl handling; the only
assumption is that the size is correct. Doesn't require the
full buffer to be initialized when writing. Without this,
using some device drivers with a large number of strange
ioctl commands becomes very tiresome.
· enable-inner: Enable some special magic needed when the
program being run is itself Valgrind.
--kernel-variant=variant1,variant2,...
Handle system calls and ioctls arising from minor variants of
the default kernel for this platform. This is useful for running
on hacked kernels or with kernel modules which support
nonstandard ioctls, for example. Use with caution. If you don't
understand what this option does then you almost certainly don't
need it. Currently known variants are:
· bproc: Support the sys_broc system call on x86. This is for
running on BProc, which is a minor variant of standard Linux
which is sometimes used for building clusters.
--show-emwarns=<yes|no> [default: no]
When enabled, Valgrind will emit warnings about its CPU
emulation in certain cases. These are usually not interesting.
--smc-check=<none|stack|all> [default: stack]
This option controls Valgrind's detection of self-modifying
code. Valgrind can do no detection, detect self-modifying code
on the stack, or detect self-modifying code anywhere. Note that
the default option will catch the vast majority of cases, as far
as we know. Running with all will slow Valgrind down greatly
(but running with none will rarely speed things up, since very
little code gets put on the stack for most programs).
DEBUGGING VALGRIND OPTIONS
There are also some options for debugging Valgrind itself. You
shouldn't need to use them in the normal run of things. If you wish to
see the list, use the --help-debug option.
MEMCHECK OPTIONS
--leak-check=<no|summary|yes|full> [default: summary]
When enabled, search for memory leaks when the client program
finishes. A memory leak means a malloc'd block, which has not
yet been free'd, but to which no pointer can be found. Such a
block can never be free'd by the program, since no pointer to it
exists. If set to summary, it says how many leaks occurred. If
set to full or yes, it gives details of each individual leak.
--show-reachable=<yes|no> [default: no]
When disabled, the memory leak detector only shows blocks for
which it cannot find a pointer to at all, or it can only find a
pointer to the middle of. These blocks are prime candidates for
memory leaks. When enabled, the leak detector also reports on
blocks which it could find a pointer to. Your program could, at
least in principle, have freed such blocks before exit. Contrast
this to blocks for which no pointer, or only an interior pointer
could be found: they are more likely to indicate memory leaks,
because you do not actually have a pointer to the start of the
block which you can hand to free, even if you wanted to.
--leak-resolution=<low|med|high> [default: low]
When doing leak checking, determines how willing memcheck is to
consider different backtraces to be the same. When set to low,
only the first two entries need match. When med, four entries
have to match. When high, all entries need to match.
For hardcore leak debugging, you probably want to use
--leak-resolution=high together with --num-callers=40 or some
such large number. Note however that this can give an
overwhelming amount of information, which is why the defaults
are 4 callers and low-resolution matching.
Note that the --leak-resolution= setting does not affect
memcheck's ability to find leaks. It only changes how the
results are presented.
--freelist-vol=<number> [default: 5000000]
When the client program releases memory using free (in C) or
delete (C++), that memory is not immediately made available for
re-allocation. Instead, it is marked inaccessible and placed in
a queue of freed blocks. The purpose is to defer as long as
possible the point at which freed-up memory comes back into
circulation. This increases the chance that memcheck will be
able to detect invalid accesses to blocks for some significant
period of time after they have been freed.
This flag specifies the maximum total size, in bytes, of the
blocks in the queue. The default value is five million bytes.
Increasing this increases the total amount of memory used by
memcheck but may detect invalid uses of freed blocks which would
otherwise go undetected.
--workaround-gcc296-bugs=<yes|no> [default: no]
When enabled, assume that reads and writes some small distance
below the stack pointer are due to bugs in gcc 2.96, and does
not report them. The "small distance" is 256 bytes by default.
Note that gcc 2.96 is the default compiler on some older Linux
distributions (RedHat 7.X) and so you may need to use this flag.
Do not use it if you do not have to, as it can cause real errors
to be overlooked. A better alternative is to use a more recent
gcc/g++ in which this bug is fixed.
--partial-loads-ok=<yes|no> [default: no]
Controls how memcheck handles word-sized, word-aligned loads
from addresses for which some bytes are addressible and others
are not. When yes, such loads do not elicit an address error.
Instead, the loaded V bytes corresponding to the illegal
addresses indicate Undefined, and those corresponding to legal
addresses are loaded from shadow memory, as usual.
When no, loads from partially invalid addresses are treated the
same as loads from completely invalid addresses: an
illegal-address error is issued, and the resulting V bytes
indicate valid data.
Note that code that behaves in this way is in violation of the
the ISO C/C++ standards, and should be considered broken. If at
all possible, such code should be fixed. This flag should be
used only as a last resort.
--undef-value-errors=<yes|no> [default: yes]
Controls whether memcheck detects dangerous uses of undefined
value errors. When yes, Memcheck behaves like Addrcheck, a
lightweight memory-checking tool that used to be part of
Valgrind, which didn't detect undefined value errors. Use this
option if you don't like seeing undefined value errors.
CACHEGRIND OPTIONS
Manually specifies the I1/D1/L2 cache configuration, where size and
line_size are measured in bytes. The three items must be
comma-separated, but with no spaces, eg:
valgrind --tool=cachegrind --I1=65535,2,64
You can specify one, two or three of the I1/D1/L2 caches. Any level not
manually specified will be simulated using the configuration found in
the normal way (via the CPUID instruction for automagic cache
configuration, or failing that, via defaults).
--I1=<size>,<associativity>,<line size>
Specify the size, associativity and line size of the level 1
instruction cache.
--D1=<size>,<associativity>,<line size>
Specify the size, associativity and line size of the level 1
data cache.
--L2=<size>,<associativity>,<line size>
Specify the size, associativity and line size of the level 2
cache.
CALLGRIND OPTIONS
<xi:include></xi:include>.SH "MASSIF OPTIONS"
--heap=<yes|no> [default: yes]
When enabled, profile heap usage in detail. Without it, the
massif.pid.txt or massif.pid.html will be very short.
--heap-admin=<number> [default: 8]
The number of admin bytes per block to use. This can only be an
estimate of the average, since it may vary. The allocator used
by glibc requires somewhere between 4 to 15 bytes per block,
depending on various factors. It also requires admin space for
freed blocks, although massif does not count this.
--stacks=<yes|no> [default: yes]
When enabled, include stack(s) in the profile. Threaded programs
can have multiple stacks.
--depth=<number> [default: 3]
Depth of call chains to present in the detailed heap
information. Increasing it will give more information, but
massif will run the program more slowly, using more memory, and
produce a bigger massif.pid.txt or massif.pid.hp file.
--alloc-fn=<name>
Specify a function that allocates memory. This is useful for
functions that are wrappers to malloc(), which can fill up the
context information uselessly (and give very uninformative bands
on the graph). Functions specified will be ignored in contexts,
i.e. treated as though they were malloc(). This option can be
specified multiple times on the command line, to name multiple
functions.
--format=<text|html> [default: text]
Produce the detailed heap information in text or HTML format.
The file suffix used will be either .txt or .html.
HELGRIND OPTIONS
--private-stacks=<yes|no> [default: no]
Assume thread stacks are used privately.
--show-last-access=<yes|some|no> [default: no]
Show location of last word access on error.
LACKEY OPTIONS
--fnname=<name> [default: _dl_runtime_resolve()]
Count calls to <name>.
--detailed-counts=<no|yes> [default: no]
Count loads, stores and alu ops.
SEE ALSO
/usr/share/doc/valgrind/html/index.html, and/or
http://www.valgrind.org/docs/manual/index.html.
AUTHOR
This manpage has been written by Andres Roldan <aroldan@debian.org> for
the Debian Project, but can be used for any other distribution.
Updated, rearranged and expanded by Robert Walsh <rjwalsh@durables.org>
for the 2.4.0 release, and by other Valgrind developers subsequently.
Release 3.2.1 09/15/2006 VALGRIND(1)
