2. Sun Memory Error Discovery Tool (Discover)
Requirements for Using Discover
Binaries Must Be Prepared Correctly
Binaries That Use Preloading or Auditing Cannot Be Used
Binaries That Redefine Standard Memory Allocation Functions Can Be Used
Instrumenting a Prepared Binary
Instrumenting Shared Libraries
SUNW_DISCOVER_OPTIONS Environment Variable
SUNW_DISCOVER_FOLLOW_FORK_MODE Environment Variable
Running an Instrumented Binary
Interpreting Discover Error Messages
Limitations When Using Discover
Only Annotated Code is Instrumented
Machine Instruction Might Differ From Source Code
Compiler Options Affect the Generated Code
System Libraries Can Affect the Errors Reported
Custom Memory Management Can Affect the Accuracy of the Data
Out of Bounds Errors for Static and Automatic Arrays Cannot Be Detected
Discover detects and reports many memory access errors, as well as warning you about accesses that might be errors.
Discover detects the following memory access errors:
ABR: beyond array bounds read
ABW: beyond array bounds write
BFM: freeing the wrong memory block
BRP: bad realloc address parameter
CGB: corrupted array guard block
DFM: double freeing memory
FMR: freed memory read
FMW: freed memory write
FRP: freed realloc parameter
IMR: invalid memory read
IMW: invalid memory write
PIR: partially initialized read
SBR: beyond stack frame bounds read
SBW: beyond stack frame bounds write
UAR: unallocated memory read
UAW: unallocated memory write
UMR: unitialized memory read
The following sections list some simple sample programs that will produce some of these errors.
#include <stdio.h> #include <stdlib.h> int main() { // ABR: reading memory beyond array bounds at address 0x%1x (%d byte%s)" int *a = (int*) malloc(sizeof(int[5])); printf("a[5] = %d\n",a[5]); )
#include <stdlib.h> int main() { // ABW: writing to memory beyond array bounds int *a = (int*) malloc(sizeof(int[5])); a[5] = 5; }
#include <stdlib.h> int main() { // BFM: freeing wrong memory block int *p = (int*) malloc(sizeof(int)); free(p+1); }
#include <stdlib.h> int main() { // BRP is "bad address parameter for realloc 0x%1x" int *p = (int*) realloc(0,sizeof(int)); int *q = (int*) realloc(p+20,sizeof(int[2])); }
#include <stdlib.h> int main() { // DFM is "double freeing memory" int *p = (int*) malloc(sizeof(int)); free(p); free(p);' }
#includ <stdio.h> #include <stdlib.h> int main() { // FMR is "reading from freed memory at address 0x%1x (%d byte%s)" int *p = (int*) malloc(sizeof(int)); free(p); printf("p = 0x%h\n",p); }
#include <stdlib.h> int main() { // FMW is "writing to freed memory at address 0x%1x (%d byte%s)" int *p = (int*) malloc(sizeof(int)); free(p); *p = 1; }
#include <stdlib.h> int main() { // FRP: freed pointer passed to realloc int *p = (int*) malloc(sizeof(int)); free(0); int *q = (int*) realloc(p,sizeof(int[2])); }
#include <stdlib.h> int main() { // IMR: read from invalid memory address int *p = 0; int i = *p; // generates Signal 11... }
#include <stdlib.h> int main() { // IMW: write to invalide memory address int *p = 0; *p = 1; // generates Signal 11... }
#include <stdio.h> #include <stdlib.h> int main() { // PIR: accessing partially initialized data int *p = (int*) malloc(sizeof(int)); *((char*)p) = 'c'; printf("*(p = %d\n",*(p+1)); }
#include <stdio.h> #include <stdlib> int main() { // UAR is "reading from unallocated memory" int *p = (int*) malloc(sizeof(int)); printf("*(p+1) = %d\n",*(p+1)); }
#include <stdio.h> #include <stdlib.h> int main() { // UAW is "writing to unallocated memory" int *p = (int*) malloc(sizeof(int)); *(p+1) = 1; }
#include <stdio.h> #include <stdlib.h> int main() { // UMR is "accessing uninitialized data from address 0x%1x (A%d byte%s)" int *p = (int*) malloc(sizeof(int)); printf("*p = %d\n",*p); }
Discover reports the following memory access warnings:
AZS: allocating zero size
NAR: non-annotated read
NAW: non-annotated write
SMR: speculative memory read
SMW: speculative memory write
UFR: unknown stack frame read
UFW: unknown stack frame write
USR: unknown status while reading
USW: unknown status while writing
The following section lists a simple example program that will produce an AZS warning.
#include <stdlib.h> int main() { // AZS: allocating zero size memory block int *p = malloc(); }