你的浏览器版本过低,可能导致网站不能正常访问!
为了你能正常使用网站功能,请使用这些浏览器。

st-img
chrome st-img
firefox st-img
safari st-img
ie8及以上

如何排查内存泄漏问题?

[复制链接]
gaosmile 发布时间:2020-10-1 16:06
内存泄漏是指由于疏忽或错误造成程序未能释放已经不再使用的内存。内存泄漏并非指内存在物理上的消失,而是应用程序分配某段内存后,由于设计错误,导致在释放该段内存之前就失去了对该段内存的控制,从而造成了内存的浪费。
我们平时开发过程中不可避免的会遇到内存泄漏问题,你是如何排查的呢?估计你是使用下面这几个工具吧?
  • valgrind
  • mtrace
  • dmalloc
  • ccmalloc
  • memwatch
  • debug_new

这里程序喵向大家推荐新的一个排查内存泄漏的工具:AddressSanitizer(ASan),该工具为gcc自带,4.8以上版本都可以使用,支持Linux、OS、Android等多种平台,不止可以检测内存泄漏,它其实是一个内存错误检测工具,可以检测的问题有:
  • 内存泄漏
  • 堆栈和全局内存越界访问
  • free后继续使用
  • 局部内存被外层使用
  • Initialization order bugs(中文不知道怎么翻译才好,后面有代码举例,重要)

使用方法直接看我下面的代码:
检测内存泄漏
内存泄漏代码:

  2. #include <stdlib.h>

  4. void func1() { malloc(7); }

  6. void func2() { malloc(5); }

  8. int main() {
  9.    func1();
  10.    func2();
  11.    return 0;
  12. }
复制代码

编译and输出:

  2. g++ -fsanitize=address -g test_leak.cc && ./a.out

  4. =================================================================
  5. ==103==ERROR: LeakSanitizer: detected memory leaks

  7. Direct leak of 7 byte(s) in 1 object(s) allocated from:
  8.    #0 0x7f95b231eb40 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdeb40)
  9.    #1 0x7f95b36007f7 in func1() /home/wangzhiqiang/test/test_leak.cc:3
  10.    #2 0x7f95b3600814 in main /home/wangzhiqiang/test/test_leak.cc:8
  11.    #3 0x7f95b1e61b96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)

  13. Direct leak of 5 byte(s) in 1 object(s) allocated from:
  14.    #0 0x7f95b231eb40 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdeb40)
  15.    #1 0x7f95b3600808 in func2() /home/wangzhiqiang/test/test_leak.cc:5
  16.    #2 0x7f95b3600819 in main /home/wangzhiqiang/test/test_leak.cc:9
  17.    #3 0x7f95b1e61b96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)

  19. SUMMARY: AddressSanitizer: 12 byte(s) leaked in 2 allocation(s).
复制代码

编译方式很简单,只需要添加-fsanitize=address -g就可以检测出具体产生内存泄漏的位置以及泄漏空间的大小。
检测堆栈内存越界访问
示例:

  2. #include <iostream>

  4. int main() {
  5.    int *array = new int[100];
  6.    array[0] = 0;
  7.    int res = array[100];  // out of bounds
  8.    delete[] array;
  9.    return res;
  10. }
复制代码

编译and输出:

  2. g++ -fsanitize=address -g test_leak.cc && ./a.out
  3.    
  4. =================================================================
  5. ==110==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6140000001d0 at pc 0x7f0e06400d2e bp 0x7ffff5963f10 sp 0x7ffff5963f00
  6. READ of size 4 at 0x6140000001d0 thread T0
  7.    #0 0x7f0e06400d2d in main /home/wangzhiqiang/test/test_leak.cc:6
  8.    #1 0x7f0e048d1b96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
  9.    #2 0x7f0e06400bb9 in _start (/mnt/d/wzq/wzq/util/test/a.out+0xbb9)

  11. 0x6140000001d0 is located 0 bytes to the right of 400-byte region [0x614000000040,0x6140000001d0)
  12. allocated by thread T0 here:
  13.    #0 0x7f0e05120608 in operator new[](unsigned long) (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xe0608)
  14.    #1 0x7f0e06400cab in main /home/wangzhiqiang/test/test_leak.cc:4
  15.    #2 0x7f0e048d1b96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)

  17. SUMMARY: AddressSanitizer: heap-buffer-overflow /home/wangzhiqiang/test/test_leak.cc:6 in main
  18. Shadow bytes around the buggy address:
  19. 0x0c287fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  20. 0x0c287fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  21. 0x0c287fff8000: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  22. 0x0c287fff8010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  23. 0x0c287fff8020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  24. =>0x0c287fff8030: 00 00 00 00 00 00 00 00 00 00[fa]fa fa fa fa fa
  25. 0x0c287fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  26. 0x0c287fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  27. 0x0c287fff8060: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  28. 0x0c287fff8070: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  29. 0x0c287fff8080: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  30. Shadow byte legend (one shadow byte represents 8 application bytes):
  31. Addressable:           00
  32. Partially addressable: 01 02 03 04 05 06 07
  33. Heap left redzone:       fa
  34. Freed heap region:       fd
  35. Stack left redzone:      f1
  36. Stack mid redzone:       f2
  37. Stack right redzone:     f3
  38. Stack after return:      f5
  39. Stack use after scope:   f8
  40. Global redzone:          f9
  41. Global init order:       f6
  42. Poisoned by user:        f7
  43. Container overflow:      fc
  44. Array cookie:            ac
  45. Intra object redzone:    bb
  46. ASan internal:           fe
  47. Left alloca redzone:     ca
  48. Right alloca redzone:    cb
  49. ==110==ABORTING
复制代码

可以方便定位到堆栈内存越界访问的错误。
全局内存越界访问
示例:

  2. #include <iostream>

  4. int global_array[100] = {0};

  6. int main() {
  7.    int res = global_array[100];  // out of bounds
  8.    return 0;
  9. }
复制代码

编译and输出:

  2. g++ -fsanitize=address -g test_leak.cc && ./a.out
  3. =================================================================
  4. ==116==ERROR: AddressSanitizer: global-buffer-overflow on address 0x7f42e6e02310 at pc 0x7f42e6c00c84 bp 0x7fffdda52780 sp 0x7fffdda52770
  5. READ of size 4 at 0x7f42e6e02310 thread T0
  6.    #0 0x7f42e6c00c83 in main /home/wangzhiqiang/test/test_leak.cc:6
  7.    #1 0x7f42e50d1b96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
  8.    #2 0x7f42e6c00b69 in _start (/mnt/d/wzq/wzq/util/test/a.out+0xb69)

  10. 0x7f42e6e02310 is located 0 bytes to the right of global variable 'global_array' defined in 'test_leak.cc:3:5' (0x7f42e6e02180) of size 400
  11. SUMMARY: AddressSanitizer: global-buffer-overflow /home/wangzhiqiang/test/test_leak.cc:6 in main
  12. Shadow bytes around the buggy address:
  13. 0x0fe8dcdb8410: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  14. 0x0fe8dcdb8420: 00 00 00 00 00 00 00 00 01 f9 f9 f9 f9 f9 f9 f9
  15. 0x0fe8dcdb8430: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  16. 0x0fe8dcdb8440: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  17. 0x0fe8dcdb8450: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  18. =>0x0fe8dcdb8460: 00 00[f9]f9 f9 f9 f9 f9 00 00 00 00 00 00 00 00
  19. 0x0fe8dcdb8470: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  20. 0x0fe8dcdb8480: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  21. 0x0fe8dcdb8490: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  22. 0x0fe8dcdb84a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  23. 0x0fe8dcdb84b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  24. Shadow byte legend (one shadow byte represents 8 application bytes):
  25. Addressable:           00
  26. Partially addressable: 01 02 03 04 05 06 07
  27. Heap left redzone:       fa
  28. Freed heap region:       fd
  29. Stack left redzone:      f1
  30. Stack mid redzone:       f2
  31. Stack right redzone:     f3
  32. Stack after return:      f5
  33. Stack use after scope:   f8
  34. Global redzone:          f9
  35. Global init order:       f6
  36. Poisoned by user:        f7
  37. Container overflow:      fc
  38. Array cookie:            ac
  39. Intra object redzone:    bb
  40. ASan internal:           fe
  41. Left alloca redzone:     ca
  42. Right alloca redzone:    cb
  43. ==116==ABORTING
复制代码

局部内存被外层使用
示例:

  2. #include <iostream>

  4. volatile int *p = 0;

  6. int main() {
  7. {
  8.    int x = 0;
  9.    p = &x;
  10. }
  11. *p = 5;
  12. return 0;
  13. }
复制代码

编译and输出:

  2. g++ -fsanitize=address -g test_leak.cc && ./a.out
  3. =================================================================
  4. ==243==ERROR: AddressSanitizer: stack-use-after-scope on address 0x7fffce12a4b0 at pc 0x7f3993e00e7e bp 0x7fffce12a480 sp 0x7fffce12a470
  5. WRITE of size 4 at 0x7fffce12a4b0 thread T0
  6.   #0 0x7f3993e00e7d in main /home/wangzhiqiang/test/test_leak.cc:10
  7.   #1 0x7f39922d1b96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
  8.   #2 0x7f3993e00c89 in _start (/mnt/d/wzq/wzq/util/test/a.out+0xc89)

  10. Address 0x7fffce12a4b0 is located in stack of thread T0 at offset 32 in frame
  11.   #0 0x7f3993e00d79 in main /home/wangzhiqiang/test/test_leak.cc:5

  13. This frame has 1 object(s):
  14.   [32, 36) 'x' <== Memory access at offset 32 is inside this variable
  15. HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
  16.     (longjmp and C++ exceptions *are* supported)
  17. SUMMARY: AddressSanitizer: stack-use-after-scope /home/wangzhiqiang/test/test_leak.cc:10 in main
  18. Shadow bytes around the buggy address:
  19. 0x100079c1d440: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  20. 0x100079c1d450: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  21. 0x100079c1d460: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  22. 0x100079c1d470: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  23. 0x100079c1d480: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  24. =>0x100079c1d490: 00 00 f1 f1 f1 f1[f8]f2 f2 f2 00 00 00 00 00 00
  25. 0x100079c1d4a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  26. 0x100079c1d4b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  27. 0x100079c1d4c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  28. 0x100079c1d4d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  29. 0x100079c1d4e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  30. Shadow byte legend (one shadow byte represents 8 application bytes):
  31. Addressable:           00
  32. Partially addressable: 01 02 03 04 05 06 07
  33. Heap left redzone:       fa
  34. Freed heap region:       fd
  35. Stack left redzone:     f1
  36. Stack mid redzone:       f2
  37. Stack right redzone:     f3
  38. Stack after return:     f5
  39. Stack use after scope:   f8
  40. Global redzone:         f9
  41. Global init order:       f6
  42. Poisoned by user:       f7
  43. Container overflow:     fc
  44. Array cookie:           ac
  45. Intra object redzone:   bb
  46. ASan internal:           fe
  47. Left alloca redzone:     ca
  48. Right alloca redzone:   cb
  49. ==243==ABORTING
复制代码

free后被使用
示例:

  2. #include <iostream>

  4. int main() {
  5.     int *array = new int[100];
  6.     delete[] array;
  7.     int a = array[0];  // error
  8.     return 0;
  9. }
复制代码

编译and输出:

  2. g++ -fsanitize=address -g test_leak.cc && ./a.out
  3. =================================================================
  4. ==282==ERROR: AddressSanitizer: heap-use-after-free on address 0x614000000040 at pc 0x7f209fa00caa bp 0x7ffff2a15020 sp 0x7ffff2a15010
  5. READ of size 4 at 0x614000000040 thread T0
  6.     #0 0x7f209fa00ca9 in main /home/wangzhiqiang/test/test_leak.cc:6
  7.     #1 0x7f209ded1b96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
  8.     #2 0x7f209fa00b69 in _start (/mnt/d/wzq/wzq/util/test/a.out+0xb69)

  10. 0x614000000040 is located 0 bytes inside of 400-byte region [0x614000000040,0x6140000001d0)
  11. freed by thread T0 here:
  12.     #0 0x7f209e721480 in operator delete[](void*) (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xe1480)
  13.     #1 0x7f209fa00c72 in main /home/wangzhiqiang/test/test_leak.cc:5
  14.     #2 0x7f209ded1b96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)

  16. previously allocated by thread T0 here:
  17.     #0 0x7f209e720608 in operator new[](unsigned long) (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xe0608)
  18.     #1 0x7f209fa00c5b in main /home/wangzhiqiang/test/test_leak.cc:4
  19.     #2 0x7f209ded1b96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)

  21. SUMMARY: AddressSanitizer: heap-use-after-free /home/wangzhiqiang/test/test_leak.cc:6 in main
  22. Shadow bytes around the buggy address:
  23.   0x0c287fff7fb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  24.   0x0c287fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  25.   0x0c287fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  26.   0x0c287fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  27.   0x0c287fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  28. =>0x0c287fff8000: fa fa fa fa fa fa fa fa[fd]fd fd fd fd fd fd fd
  29.   0x0c287fff8010: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  30.   0x0c287fff8020: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  31.   0x0c287fff8030: fd fd fd fd fd fd fd fd fd fd fa fa fa fa fa fa
  32.   0x0c287fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  33.   0x0c287fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  34. Shadow byte legend (one shadow byte represents 8 application bytes):
  35.   Addressable:           00
  36.   Partially addressable: 01 02 03 04 05 06 07
  37.   Heap left redzone:       fa
  38.   Freed heap region:       fd
  39.   Stack left redzone:      f1
  40.   Stack mid redzone:       f2
  41.   Stack right redzone:     f3
  42.   Stack after return:      f5
  43.   Stack use after scope:   f8
  44.   Global redzone:          f9
  45.   Global init order:       f6
  46.   Poisoned by user:        f7
  47.   Container overflow:      fc
  48.   Array cookie:            ac
  49.   Intra object redzone:    bb
  50.   ASan internal:           fe
  51.   Left alloca redzone:     ca
  52.   Right alloca redzone:    cb
  53. ==282==ABORTING
复制代码

Initialization order bugs
示例,这里有两个文件:

  2. // test_memory1.cc
  3. #include <stdio.h>

  5. extern int extern_global;
  6. int read_extern_global() { return extern_global; }

  8. int x = read_extern_global() + 1;

  10. int main() {
  11.     printf("%d\n", x);
  12.     return 0;
  13. }
复制代码

  2. // test_memory2.cc

  4. int foo() { return 123; }
  5. int extern_global = foo();
复制代码

第一种编译方式输出如下:

  2. g++ test_memory1.cc test_memory2.cc && ./a.out
  3. 1
复制代码

第二种编译方式输出如下:

  2. g++ test_memory2.cc test_memory1.cc && ./a.out
  3. 124
复制代码

这种问题我们平时编程过程中可以都不会太注意,然而通过ASan可以检测出这种潜在的bug:
编译and输出:

  2. g++ -fsanitize=address -g test_memory1.cc test_memory2.cc

  4. ASAN_OPTIONS=check_initialization_order=true:strict_init_order=true ./a.out
  5. =================================================================
  6. ==419==ERROR: AddressSanitizer: initialization-order-fiasco on address 0x7f46c20021a0 at pc 0x7f46c1e00c28 bp 0x7fffe423d920 sp 0x7fffe423d910
  7. READ of size 4 at 0x7f46c20021a0 thread T0
  8.     #0 0x7f46c1e00c27 in read_extern_global() /home/wangzhiqiang/test/test_memory1.cc:3
  9.     #1 0x7f46c1e00cb3 in __static_initialization_and_destruction_0 /home/wangzhiqiang/test/test_memory1.cc:4
  10.     #2 0x7f46c1e00d0a in _GLOBAL__sub_I__Z18read_extern_globalv /home/wangzhiqiang/test/test_memory1.cc:8
  11.     #3 0x7f46c1e00e5c in __libc_csu_init (/mnt/d/wzq/wzq/util/test/a.out+0xe5c)
  12.     #4 0x7f46c0461b27 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b27)
  13.     #5 0x7f46c1e00b09 in _start (/mnt/d/wzq/wzq/util/test/a.out+0xb09)

  15. 0x7f46c20021a0 is located 0 bytes inside of global variable 'extern_global' defined in 'test_memory2.cc:2:5' (0x7f46c20021a0) of size 4
  16.   registered at:
  17.     #0 0x7f46c08764a8  (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x364a8)
  18.     #1 0x7f46c1e00e0b in _GLOBAL__sub_I_00099_1__Z3foov (/mnt/d/wzq/wzq/util/test/a.out+0xe0b)
  19.     #2 0x7f46c1e00e5c in __libc_csu_init (/mnt/d/wzq/wzq/util/test/a.out+0xe5c)

  21. SUMMARY: AddressSanitizer: initialization-order-fiasco /home/wangzhiqiang/test/test_memory1.cc:3 in read_extern_global()
  22. Shadow bytes around the buggy address:
  23.   0x0fe9583f83e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  24.   0x0fe9583f83f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  25.   0x0fe9583f8400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  26.   0x0fe9583f8410: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  27.   0x0fe9583f8420: 00 00 00 00 00 00 00 00 04 f9 f9 f9 f9 f9 f9 f9
  28. =>0x0fe9583f8430: 00 00 00 00[f6]f6 f6 f6 f6 f6 f6 f6 00 00 00 00
  29.   0x0fe9583f8440: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  30.   0x0fe9583f8450: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  31.   0x0fe9583f8460: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  32.   0x0fe9583f8470: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  33.   0x0fe9583f8480: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  34. Shadow byte legend (one shadow byte represents 8 application bytes):
  35.   Addressable:           00
  36.   Partially addressable: 01 02 03 04 05 06 07
  37.   Heap left redzone:       fa
  38.   Freed heap region:       fd
  39.   Stack left redzone:      f1
  40.   Stack mid redzone:       f2
  41.   Stack right redzone:     f3
  42.   Stack after return:      f5
  43.   Stack use after scope:   f8
  44.   Global redzone:          f9
  45.   Global init order:       f6
  46.   Poisoned by user:        f7
  47.   Container overflow:      fc
  48.   Array cookie:            ac
  49.   Intra object redzone:    bb
  50.   ASan internal:           fe
  51.   Left alloca redzone:     ca
  52.   Right alloca redzone:    cb
  53. ==419==ABORTING
复制代码

注意:这里在运行程序前需要添加环境变量:

  2. ASAN_OPTIONS=check_initialization_order=true:strict_init_order=true
复制代码

小总结
ASan是个很好的检测内存问题的工具,不需要配置环境,使用还方便,编译时只需要-fsanitize=address -g就可以,运行程序时候可以选择添加对应的ASAN_OPTIONS环境变量就可以检测出很多内存问题。它的错误信息也很有用,明确指出当前是什么类型的内存错误,如:
  • detected memory leaks
  • heap-buffer-overflow
  • stack-buffer-overflow
  • global-buffer-overflow
  • heap-use-after-free
  • initialization-order-fiasco


收藏 评论0 发布时间:2020-10-1 16:06

举报

0个回答

所属标签

关于
意法半导体
我们是谁
投资者关系
意法半导体可持续发展举措
创新与技术
意法半导体官网
联系我们
联系ST分支机构
寻找销售人员和分销渠道
社区
媒体中心
活动与培训
隐私策略
隐私策略
Cookies管理
行使您的权利
官方最新发布
STM32N6 AI生态系统
STM32MCU,MPU高性能GUI
ST ACEPACK电源模块
意法半导体生物传感器
STM32Cube扩展软件包
关注我们
st-img 微信公众号
st-img 手机版