Linux 是否有任何静态代码分析器可以捕获此内存泄漏?
这样的泄漏对肉眼来说太微不足道了,我认为静态代码分析工具应该能够找到它们Linux 是否有任何静态代码分析器可以捕获此内存泄漏?,linux,memory-leaks,linux-kernel,coverity,Linux,Memory Leaks,Linux Kernel,Coverity,这样的泄漏对肉眼来说太微不足道了,我认为静态代码分析工具应该能够找到它们 Ex1: void foo(void) { u32 *ptr = kmalloc(512, GFP_KERNEL); ptr = (u32 *)0xffffffff; kfree(ptr); } 我知道Coverity可以发现如下漏洞,但不确定是否存在上述漏洞:有人能告诉我这是否会在Coverity或类似Sparse的工具中被检测到吗 Ex2: void foo(void) { km
Ex1:
void foo(void) {
u32 *ptr = kmalloc(512, GFP_KERNEL);
ptr = (u32 *)0xffffffff;
kfree(ptr);
}
CoverityCoveritySparseEx2:
void foo(void) {
kmalloc(512, GFP_KERNEL);
}
Ex3:
void foo(void) {
void * ptr = kmalloc(512, GFP_KERNEL);
if (true)
return;
kfree(ptr)
}
可用于检测Ex1中提到的内存泄漏
e.g.
#include<stdio.h>
void foo(void) {
int *ptr = (int *)malloc(512);
ptr = (int *)0xffffffff;
free(ptr);
}
int main(){
foo();
return 1;
}
Valigrind Output:
[test@myhost /tmp]# valgrind --tool=memcheck --leak-check=full ./Ex1
==23780== Memcheck, a memory error detector
==23780== Copyright (C) 2002-2009, and GNU GPL'd, by Julian Seward et al.
==23780== Using Valgrind-3.5.0 and LibVEX; rerun with -h for copyright info
==23780== Command: ./Ex1
==23780==
==23780== Invalid free() / delete / delete[]
==23780== at 0x4A05A31: free (vg_replace_malloc.c:325)
==23780== by 0x400509: foo (in /tmp/Ex1)
==23780== by 0x400514: main (in /tmp/Ex1)
==23780== Address 0xffffffff is not stack'd, malloc'd or (recently) free'd
==23780==
==23780==
==23780== HEAP SUMMARY:
==23780== in use at exit: 512 bytes in 1 blocks
==23780== total heap usage: 1 allocs, 1 frees, 512 bytes allocated
==23780==
==23780== 512 bytes in 1 blocks are definitely lost in loss record 1 of 1
==23780== at 0x4A05E1C: malloc (vg_replace_malloc.c:195)
==23780== by 0x4004E9: foo (in /tmp/Ex1)
==23780== by 0x400514: main (in /tmp/Ex1)
==23780==
==23780== LEAK SUMMARY:
==23780== definitely lost: 512 bytes in 1 blocks
==23780== indirectly lost: 0 bytes in 0 blocks
==23780== possibly lost: 0 bytes in 0 blocks
==23780== still reachable: 0 bytes in 0 blocks
==23780== suppressed: 0 bytes in 0 blocks
==23780==
==23780== For counts of detected and suppressed errors, rerun with: -v
==23780== ERROR SUMMARY: 2 errors from 2 contexts (suppressed: 4 from 4)
例如。
#包括
无效foo(无效){
int*ptr=(int*)malloc(512);
ptr=(int*)0xffffffff;
免费(ptr);
}
int main(){
foo();
返回1;
}
有效研磨输出:
[test@myhost/tmp]#valgrind--tool=memcheck--leak check=full./Ex1
==23780==Memcheck,内存错误检测器
==23780==2002-2009年版权(C)和GNU GPL'd,由Julian Seward等人。
==23780==使用Valgrind-3.5.0和LibVEX;使用-h重新运行以获取版权信息
==23780==命令:./Ex1
==23780==
==23780==无效的free()/delete/delete[]
==23780==at 0x4A05A31:自由(vg\U替换\U malloc.c:325)
==23780==by0x400509:foo(在/tmp/Ex1中)
==23780==by 0x400514:main(在/tmp/Ex1中)
==23780==地址0xffffffff不是堆栈、malloc或(最近)空闲
==23780==
==23780==
==23780==堆摘要:
==23780==在出口处使用:1个块中有512字节
==23780==总堆使用率:1个allocs,1个free,分配512字节
==23780==
==23780==1个块中的512字节在丢失记录1(共1个)中肯定丢失
==23780==0x4A05E1C:malloc(vg_替换_malloc.c:195)
==23780==by 0x4004E9:foo(在/tmp/Ex1中)
==23780==by 0x400514:main(在/tmp/Ex1中)
==23780==
==23780==泄漏汇总:
==23780==肯定丢失:1个块中有512字节
==23780==间接丢失:0个块中有0个字节
==23780==可能丢失:0块中的0字节
==23780==仍然可访问:0个块中有0个字节
==23780==抑制:0个块中有0个字节
==23780==
==23780==对于检测到的和抑制的错误计数,请使用:-v重新运行
==23780==错误摘要:来自2个上下文的2个错误(抑制:来自4个)
kmallocmalloc如果确实存在问题,您可以提供一个kmalloc函数的用户模型,该模型仅围绕malloc函数,以便Coverity知道如何处理该函数。但Valgrind不是静态代码分析器(他们只是“查看”源代码)。Valgrind执行代码!我是多布特。!!请注意,正如我提到的
kmalloc()ValgrindCovery/Sparsesparseu32*ptr=kmalloc(512,GFP_内核)它将报告类型分配错误警告
。但是对于这个ptr=(u32*)0xffffffff不会报告任何警告,因为类型转换正在使警告静音。那么Sparse
如何检测内存泄漏?如果我错了,请纠正我。他们跟踪“参考资料”。“malloc”类型函数必须存储在某些变量中。如果检查器/编译器看到“引用”变为零,则表示存在泄漏。malloc/free必须被注释(识别)为源/汇;与kmalloc
和kfree
或您使用的任何分配相同。执行ptr=xxx
时,如果看到对kmalloc
内存的唯一引用为零/无效,则会发出警告。请参阅:,和。这就是编译器的工作方式。您只需要知道“kmalloc()的返回值”是否无用;处理这个简单的案件。如果你需要完整的细节,答案是非常复杂的。