is a flexible program for debugging and profiling Linux executables. It consists of a core, which provides a synthetic CPU in software, and a series of "tools", each of which is a debugging or profiling tool. The architecture is modular, so that new tools can be created easily and without disturbing the existing structure.
This manual page covers only basic usage and options. For more comprehensive information, please see the HTML documentation on your system:
/usr/share/doc/valgrind/html/index.html, or online:
http://www.valgrind.org/docs/manual/index.html.
INVOCATION
Valgrind
is typically invoked as follows:
valgrind program args
This runs
program
(with arguments
args) under Valgrind using the Memcheck tool. Memcheck performs a range of memory-checking functions, including detecting accesses to uninitialised memory, misuse of allocated memory (double frees, access after free, etc.) and detecting memory leaks.
To use a different tool, use the
--tool
option:
valgrind --tool=toolname program args
The following tools are available:
*
cachegrind
is a cache simulator. It can be used to annotate every line of your program with the number of instructions executed and cache misses incurred.
*
callgrind
adds call graph tracing to cachegrind. It can be used to get call counts and inclusive cost for each call happening in your program. In addition to cachegrind, callgrind can annotate threads separatly, and every instruction of disassembler output of your program with the number of instructions executed and cache misses incurred.
*
helgrind
spots potential race conditions in your program.
*
lackey
is a sample tool that can be used as a template for generating your own tools. After the program terminates, it prints out some basic statistics about the program execution.
*
massif
is a heap profiler. It measures how much heap memory your program uses.
*
memcheck
is a fine-grained memory checker.
*
none
performs no function - it simply runs the program under Valgrind. This is typically used for debugging and benchmarking Valgrind.
BASIC OPTIONS
These options work with all tools.
-h --help
Show help for all options, both for the core and for the selected tool.
--help-debug
Same as
--help, but also lists debugging options which usually are only of use to Valgrind's developers.
--version
Show the version number of the Valgrind core. Tools can have their own version numbers. There is a scheme in place to ensure that tools only execute when the core version is one they are known to work with. This was done to minimise the chances of strange problems arising from tool-vs-core version incompatibilities.
-q --quiet
Run silently, and only print error messages. Useful if you are running regression tests or have some other automated test machinery.
-v --verbose
Be more verbose. Gives extra information on various aspects of your program, such as: the shared objects loaded, the suppressions used, the progress of the instrumentation and execution engines, and warnings about unusual behaviour. Repeating the flag increases the verbosity level.
-d
Emit information for debugging Valgrind itself. This is usually only of interest to the Valgrind developers. Repeating the flag produces more detailed output. If you want to send us a bug report, a log of the output generated by
-v -v -d -d
will make your report more useful.
--tool=<toolname> [default: memcheck]
Run the Valgrind tool called
toolname, e.g. Memcheck, Addrcheck, Cachegrind, etc.
--trace-children=<yes|no> [default: no]
When enabled, Valgrind will trace into child processes. This can be confusing and isn't usually what you want, so it is disabled by default.
--track-fds=<yes|no> [default: no]
When enabled, Valgrind will print out a list of open file descriptors on exit. Along with each file descriptor is printed a stack backtrace of where the file was opened and any details relating to the file descriptor such as the file name or socket details.
--time-stamp=<yes|no> [default: no]
When enabled, each message is preceded with an indication of the elapsed wallclock time since startup, expressed as days, hours, minutes, seconds and milliseconds.
--log-fd=<number> [default: 2, stderr]
Specifies that Valgrind should send all of its messages to the specified file descriptor. The default, 2, is the standard error channel (stderr). Note that this may interfere with the client's own use of stderr, as Valgrind's output will be interleaved with any output that the client sends to stderr.
--log-file=<filename>
Specifies that Valgrind should send all of its messages to the specified file. In fact, the file name used is created by concatenating the text
filename, "." and the process ID, (ie. <filename>.<pid>), so as to create a file per process. The specified file name may not be the empty string.
--log-file-exactly=<filename>
Just like
--log-file, but the suffix
".pid"
is not added. If you trace multiple processes with Valgrind when using this option the log file may get all messed up.
--log-file-qualifier=<VAR>
When used in conjunction with
--log-file, causes the log file name to be qualified using the contents of the environment variable
$VAR. This is useful when running MPI programs. For further details, see
Section 2.3 "The Commentary"
in the manual.
--log-socket=<ip-address:port-number>
Specifies that Valgrind should send all of its messages to the specified port at the specified IP address. The port may be omitted, in which case port 1500 is used. If a connection cannot be made to the specified socket, Valgrind falls back to writing output to the standard error (stderr). This option is intended to be used in conjunction with the
valgrind-listener
program. For further details, see
Section 2.3 "The Commentary"
in the manual.
ERROR-RELATED OPTIONS
These options are used by all tools that can report errors, e.g. Memcheck, but not Cachegrind.
--xml=<yes|no> [default: no]
When enabled, output will be in XML format. This is aimed at making life easier for tools that consume Valgrind's output as input, such as GUI front ends. Currently this option only works with Memcheck.
--xml-user-comment=<string>
Embeds an extra user comment string at the start of the XML output. Only works when
--xml=yes
is specified; ignored otherwise.
--demangle=<yes|no> [default: yes]
Enable/disable automatic demangling (decoding) of C++ names. Enabled by default. When enabled, Valgrind will attempt to translate encoded C++ names back to something approaching the original. The demangler handles symbols mangled by g++ versions 2.X, 3.X and 4.X.
An important fact about demangling is that function names mentioned in suppressions files should be in their mangled form. Valgrind does not demangle function names when searching for applicable suppressions, because to do otherwise would make suppressions file contents dependent on the state of Valgrind's demangling machinery, and would also be slow and pointless.
--num-callers=<number> [default: 12]
By default, Valgrind shows twelve levels of function call names to help you identify program locations. You can change that number with this option. This can help in determining the program's location in deeply-nested call chains. Note that errors are commoned up using only the top four function locations (the place in the current function, and that of its three immediate callers). So this doesn't affect the total number of errors reported.
The maximum value for this is 50. Note that higher settings will make Valgrind run a bit more slowly and take a bit more memory, but can be useful when working with programs with deeply-nested call chains.
--error-limit=<yes|no> [default: yes]
When enabled, Valgrind stops reporting errors after 10,000,000 in total, or 1,000 different ones, have been seen. This is to stop the error tracking machinery from becoming a huge performance overhead in programs with many errors.
--error-exitcode=<number> [default: 0]
Specifies an alternative exit code to return if Valgrind reported any errors in the run. When set to the default value (zero), the return value from Valgrind will always be the return value of the process being simulated. When set to a nonzero value, that value is returned instead, if Valgrind detects any errors. This is useful for using Valgrind as part of an automated test suite, since it makes it easy to detect test cases for which Valgrind has reported errors, just by inspecting return codes.
--show-below-main=<yes|no> [default: no]
By default, stack traces for errors do not show any functions that appear beneath
main()
(or similar functions such as glibc's
__libc_start_main(), if
main()
is not present in the stack trace); most of the time it's uninteresting C library stuff. If this option is enabled, those entries below
main()
will be shown.
The prompt's behaviour is the same as for the
--db-attach
option (see below).
If you choose to, Valgrind will print out a suppression for this error. You can then cut and paste it into a suppression file if you don't want to hear about the error in the future.
When set to
all, Valgrind will print a suppression for every reported error, without querying the user.
This option is particularly useful with C++ programs, as it prints out the suppressions with mangled names, as required.
Note that the suppressions printed are as specific as possible. You may want to common up similar ones, eg. by adding wildcards to function names. Also, sometimes two different errors are suppressed by the same suppression, in which case Valgrind will output the suppression more than once, but you only need to have one copy in your suppression file (but having more than one won't cause problems). Also, the suppression name is given as
<insert a suppression name here>; the name doesn't really matter, it's only used with the
-v
option which prints out all used suppression records.
--db-attach=<yes|no> [default: no]
When enabled, Valgrind will pause after every error shown and print the line:
---- Attach to debugger ? --- [Return/N/n/Y/y/C/c] ----
Pressing
Ret, or
N Ret
or
n Ret, causes Valgrind not to start a debugger for this error.
Pressing
Y Ret
or
y Ret
causes Valgrind to start a debugger for the program at this point. When you have finished with the debugger, quit from it, and the program will continue. Trying to continue from inside the debugger doesn't work.
C Ret
or
c Ret
causes Valgrind not to start a debugger, and not to ask again.
Note:--db-attach=yes
conflicts with
--trace-children=yes. You can't use them together. Valgrind refuses to start up in this situation.
May 2002: this is a historical relic which could be easily fixed if it gets in your way. Mail us and complain if this is a problem for you.
Nov 2002: if you're sending output to a logfile or to a network socket, I guess this option doesn't make any sense. Caveat emptor.
--db-command=<command> [default: gdb -nw %f %p]
Specify the debugger to use with the
--db-attach
command. The default debugger is gdb. This option is a template that is expanded by Valgrind at runtime.
%f
is replaced with the executable's file name and
%p
is replaced by the process ID of the executable.
This specifies how Valgrind will invoke the debugger. By default it will use whatever GDB is detected at build time, which is usually
/usr/bin/gdb. Using this command, you can specify some alternative command to invoke the debugger you want to use.
The command string given can include one or instances of the
%p
and
%f
expansions. Each instance of
%p
expands to the PID of the process to be debugged and each instance of
%f
expands to the path to the executable for the process to be debugged.
--input-fd=<number> [default: 0, stdin]
When using
--db-attach=yes
and
--gen-suppressions=yes, Valgrind will stop so as to read keyboard input from you, when each error occurs. By default it reads from the standard input (stdin), which is problematic for programs which close stdin. This option allows you to specify an alternative file descriptor from which to read input.
--max-stackframe=<number> [default: 2000000]
The maximum size of a stack frame - if the stack pointer moves by more than this amount then Valgrind will assume that the program is switching to a different stack.
You may need to use this option if your program has large stack-allocated arrays. Valgrind keeps track of your program's stack pointer. If it changes by more than the threshold amount, Valgrind assumes your program is switching to a different stack, and Memcheck behaves differently than it would for a stack pointer change smaller than the threshold. Usually this heuristic works well. However, if your program allocates large structures on the stack, this heuristic will be fooled, and Memcheck will subsequently report large numbers of invalid stack accesses. This option allows you to change the threshold to a different value.
You should only consider use of this flag if Valgrind's debug output directs you to do so. In that case it will tell you the new threshold you should specify.
In general, allocating large structures on the stack is a bad idea, because (1) you can easily run out of stack space, especially on systems with limited memory or which expect to support large numbers of threads each with a small stack, and (2) because the error checking performed by Memcheck is more effective for heap-allocated data than for stack-allocated data. If you have to use this flag, you may wish to consider rewriting your code to allocate on the heap rather than on the stack.
MALLOC()-RELATED OPTIONS
For tools that use their own version of
malloc()
(e.g. Memcheck and Massif), the following options apply.
--alignment=<number> [default: 8]
By default Valgrind's
malloc(),
realloc(), etc, return 8-byte aligned addresses. This is standard for most processors. However, some programs might assume that
malloc()
et al return 16-byte or more aligned memory. The supplied value must be between 8 and 4096 inclusive, and must be a power of two.
UNCOMMON OPTIONS
These options apply to all tools, as they affect certain obscure workings of the Valgrind core. Most people won't need to use these.
--run-libc-freeres=<yes|no> [default: yes]
The GNU C library (libc.so), which is used by all programs, may allocate memory for its own uses. Usually it doesn't bother to free that memory when the program ends - there would be no point, since the Linux kernel reclaims all process resources when a process exits anyway, so it would just slow things down.
The glibc authors realised that this behaviour causes leak checkers, such as Valgrind, to falsely report leaks in glibc, when a leak check is done at exit. In order to avoid this, they provided a routine called
__libc_freeres
specifically to make glibc release all memory it has allocated. Memcheck therefore tries to run
__libc_freeres
at exit.
Unfortunately, in some versions of glibc,
__libc_freeres
is sufficiently buggy to cause segmentation faults. This is particularly noticeable on Red Hat 7.1. So this flag is provided in order to inhibit the run of
__libc_freeres. If your program seems to run fine on Valgrind, but segfaults at exit, you may find that
--run-libc-freeres=no
fixes that, although at the cost of possibly falsely reporting space leaks in
libc.so.
--sim-hints=hint1,hint2,...
Pass miscellaneous hints to Valgrind which slightly modify the simulated behaviour in nonstandard or dangerous ways, possibly to help the simulation of strange features. By default no hints are enabled. Use with caution! Currently known hints are:
*
lax-ioctls:
Be very lax about ioctl handling; the only assumption is that the size is correct. Doesn't require the full buffer to be initialized when writing. Without this, using some device drivers with a large number of strange ioctl commands becomes very tiresome.
*
enable-inner:
Enable some special magic needed when the program being run is itself Valgrind.
--kernel-variant=variant1,variant2,...
Handle system calls and ioctls arising from minor variants of the default kernel for this platform. This is useful for running on hacked kernels or with kernel modules which support nonstandard ioctls, for example. Use with caution. If you don't understand what this option does then you almost certainly don't need it. Currently known variants are:
*
bproc:
Support the sys_broc system call on x86. This is for running on BProc, which is a minor variant of standard Linux which is sometimes used for building clusters.
--show-emwarns=<yes|no> [default: no]
When enabled, Valgrind will emit warnings about its CPU emulation in certain cases. These are usually not interesting.
--smc-check=<none|stack|all> [default: stack]
This option controls Valgrind's detection of self-modifying code. Valgrind can do no detection, detect self-modifying code on the stack, or detect self-modifying code anywhere. Note that the default option will catch the vast majority of cases, as far as we know. Running with
all
will slow Valgrind down greatly (but running with
none
will rarely speed things up, since very little code gets put on the stack for most programs).
DEBUGGING VALGRIND OPTIONS
There are also some options for debugging Valgrind itself. You shouldn't need to use them in the normal run of things. If you wish to see the list, use the
--help-debug
option.
When enabled, search for memory leaks when the client program finishes. A memory leak means a malloc'd block, which has not yet been free'd, but to which no pointer can be found. Such a block can never be free'd by the program, since no pointer to it exists. If set to
summary, it says how many leaks occurred. If set to
full
or
yes, it gives details of each individual leak.
--show-reachable=<yes|no> [default: no]
When disabled, the memory leak detector only shows blocks for which it cannot find a pointer to at all, or it can only find a pointer to the middle of. These blocks are prime candidates for memory leaks. When enabled, the leak detector also reports on blocks which it could find a pointer to. Your program could, at least in principle, have freed such blocks before exit. Contrast this to blocks for which no pointer, or only an interior pointer could be found: they are more likely to indicate memory leaks, because you do not actually have a pointer to the start of the block which you can hand to
free, even if you wanted to.
--leak-resolution=<low|med|high> [default: low]
When doing leak checking, determines how willing
memcheck
is to consider different backtraces to be the same. When set to
low, only the first two entries need match. When
med, four entries have to match. When
high, all entries need to match.
For hardcore leak debugging, you probably want to use
--leak-resolution=high
together with
--num-callers=40
or some such large number. Note however that this can give an overwhelming amount of information, which is why the defaults are 4 callers and low-resolution matching.
Note that the
--leak-resolution=
setting does not affect
memcheck's
ability to find leaks. It only changes how the results are presented.
--freelist-vol=<number> [default: 5000000]
When the client program releases memory using
free
(in
C) or delete (C++), that memory is not immediately made available for re-allocation. Instead, it is marked inaccessible and placed in a queue of freed blocks. The purpose is to defer as long as possible the point at which freed-up memory comes back into circulation. This increases the chance that
memcheck
will be able to detect invalid accesses to blocks for some significant period of time after they have been freed.
This flag specifies the maximum total size, in bytes, of the blocks in the queue. The default value is five million bytes. Increasing this increases the total amount of memory used by
memcheck
but may detect invalid uses of freed blocks which would otherwise go undetected.
--workaround-gcc296-bugs=<yes|no> [default: no]
When enabled, assume that reads and writes some small distance below the stack pointer are due to bugs in gcc 2.96, and does not report them. The "small distance" is 256 bytes by default. Note that gcc 2.96 is the default compiler on some older Linux distributions (RedHat 7.X) and so you may need to use this flag. Do not use it if you do not have to, as it can cause real errors to be overlooked. A better alternative is to use a more recent gcc/g++ in which this bug is fixed.
--partial-loads-ok=<yes|no> [default: no]
Controls how
memcheck
handles word-sized, word-aligned loads from addresses for which some bytes are addressible and others are not. When
yes, such loads do not elicit an address error. Instead, the loaded V bytes corresponding to the illegal addresses indicate Undefined, and those corresponding to legal addresses are loaded from shadow memory, as usual.
When
no, loads from partially invalid addresses are treated the same as loads from completely invalid addresses: an illegal-address error is issued, and the resulting V bytes indicate valid data.
Note that code that behaves in this way is in violation of the the ISO C/C++ standards, and should be considered broken. If at all possible, such code should be fixed. This flag should be used only as a last resort.
--undef-value-errors=<yes|no> [default: yes]
Controls whether
memcheck
detects dangerous uses of undefined value errors. When
yes, Memcheck behaves like Addrcheck, a lightweight memory-checking tool that used to be part of Valgrind, which didn't detect undefined value errors. Use this option if you don't like seeing undefined value errors.
CACHEGRIND OPTIONS
Manually specifies the I1/D1/L2 cache configuration, where
size
and
line_size
are measured in bytes. The three items must be comma-separated, but with no spaces, eg:
valgrind --tool=cachegrind --I1=65535,2,64
You can specify one, two or three of the I1/D1/L2 caches. Any level not manually specified will be simulated using the configuration found in the normal way (via the CPUID instruction for automagic cache configuration, or failing that, via defaults).
--I1=<size>,<associativity>,<line size>
Specify the size, associativity and line size of the level 1 instruction cache.
--D1=<size>,<associativity>,<line size>
Specify the size, associativity and line size of the level 1 data cache.
--L2=<size>,<associativity>,<line size>
Specify the size, associativity and line size of the level 2 cache.
CALLGRIND OPTIONS
<xi:include></xi:include>.SH "MASSIF OPTIONS"
--heap=<yes|no> [default: yes]
When enabled, profile heap usage in detail. Without it, the
massif.pid.txt
or
massif.pid.html
will be very short.
--heap-admin=<number> [default: 8]
The number of admin bytes per block to use. This can only be an estimate of the average, since it may vary. The allocator used by
glibc
requires somewhere between 4 to 15 bytes per block, depending on various factors. It also requires admin space for freed blocks, although
massif
does not count this.
--stacks=<yes|no> [default: yes]
When enabled, include stack(s) in the profile. Threaded programs can have multiple stacks.
--depth=<number> [default: 3]
Depth of call chains to present in the detailed heap information. Increasing it will give more information, but
massif
will run the program more slowly, using more memory, and produce a bigger
massif.pid.txt
or
massif.pid.hp
file.
--alloc-fn=<name>
Specify a function that allocates memory. This is useful for functions that are wrappers to
malloc(), which can fill up the context information uselessly (and give very uninformative bands on the graph). Functions specified will be ignored in contexts, i.e. treated as though they were
malloc(). This option can be specified multiple times on the command line, to name multiple functions.
--format=<text|html> [default: text]
Produce the detailed heap information in text or HTML format. The file suffix used will be either
.txt
or
.html.