Dr.memory
Posted 莫水千流
tags:
篇首语:本文由小常识网(cha138.com)小编为大家整理,主要介绍了Dr.memory相关的知识,希望对你有一定的参考价值。
Run Dr.memory on visual c++ 2013
Title: Dr. Memory Command: C:\Program Files (x86)\Dr. Memory\bin\drmemory.exe Arguments: -visual_studio -- $(TargetPath) Initial Directory: $(TargetDir)
set arguments
-light -no_midchunk_inheritance_ok -no_check_gdi -no_check_handle_leaks -visual_studio -- $(TargetPath)
command option reference.
详细检查项目
Dr. Memory‘s behavior can be controlled through options passed to drmemory prior to the "--" delimiter. Boolean options can be disabled using a "-no_" prefix. Here is a list of options along with their default values and descriptions:
-version
default: false
Display Dr. Memory version
#NAME?
default: false
Display the full option list
-dr <string>
default: ""
The path to the DynamoRIO installation to use. Not needed when using a released Dr. Memory package.
-drmemory <string>
default: ""
The path to the base of the Dr. Memory installation. Not needed when invoking Dr. Memory from an unmodified installation tree.
-top_stats
default: false
Primarily for use by developers of the tool. Shows time taken and memory usage of the whole process at the end of the run
-fetch_symbols
default: false
Fetch missing symbol files at the end of the run. While fetching of arbitrary symbols is off by default, auto-fetching of C library symbols is enabled unless -no_fetch_symbols is explicitly requested.
-follow_children
default: true
Monitor child processes by following across execve on Linux or CreateProcess on Windows. On Linux, monitoring always continues across a fork.
-nudge <int>
default: 0 (minimum: 0, maximum: UINT_MAX)
Use this option to ‘nudge‘ an already-running process in order to request leak checking and other Dr. Memory actions that normally only occur when the process exits. Not currently available on MacOS.
-v
default: false
Display verbose information in the Dr. Memory front end
-light
default: false true
This option enables a lightweight mode that detects unaddressable accesses, free/delete/delete[] mismatches, and GDI API usage errors in Windows, but not uninitialized reads or memory leaks.
-brief
default: false
Show simplified and easier-to-read error reports that hide STL and CRT source paths, remove executable path prefixes from source files, omit absolute addresses, omit instruction disassembly, and omit thread timestamps. Also enables -delay_frees_stack and disables -callstack_use_top_fp, trading off performance for better error reports.
-visual_studio true
default: false
Produce output suitable for a Visual Studio external tool. Enables -prefix_style 2, -callstack_style 0x820, -batch, and -brief. Windows-only.
-logdir <string>
default: "<install>/logs"
Destination base directory for result files and the symbol cache (unless -symcache_dir is specified). A subdirectory inside this base directory is created for each process that is run, along with a single shared symbol cache directory. If you specify a separate base directory for every run, you will lose the benefits of symbol caching, unless you also specify a separate shared cache directory with the -symcache_dir option.
-verbose <int>
default: 1 (minimum: 0, maximum: 32)
Verbosity level in log files: 0=none, 1=warnings, 2+=diagnostic. Primarily for debugging of Dr. Memory itself.
-quiet
default: false
Suppress stderr messages and, on Windows, popup messages. Overrides -results_to_stderr and -summary.
-results_to_stderr
default: true
Print error reports to stderr in addition to results.txt, interleaving them with the application output. The output will be prefixed by ~~Dr.M~~ for the main thread and by the thread id for other threads. This interleaving can make it easier to see which part of an application run raised an error.
-prefix_style <int>
default: 0 (minimum: 0, maximum: 2)
For -results_to_stderr, controls the per-line prefix:
0 = Default prefix: ~~Dr.M~~ for the main thread and the thread id for other threads.
1 = No prefix.
2 = Use blank spaces. This makes the output compatible with Visual Studio file and line number parsing.
-log_suppressed_errors
default: false
Log suppressed error reports for postprocessing. Enabling this option will increase the logfile size, but will allow users to re-process suppressed reports with alternate suppressions or additional symbols.
-ignore_asserts
default: false
Display, but do not abort, on asserts in debug build (in release build asserts are automatically disabled).
-exit_code_if_errors <int>
default: 0 (minimum: INT_MIN, maximum: INT_MAX)
If non-zero, the app‘s exit code is changed to this code if any errors are found.
-pause_at_error
default: false
Dr. Memory pauses at the point of each error that is identified. On Windows, this pause is a popup window. On Linux, the pause involves waiting for a keystroke, which may not work well if the application reads from stdin. In that case consider -pause_via_loop as an additional option.
-pause_at_unaddressable
default: false
Dr. Memory pauses at the point of each unaddressable access error that is identified. On Windows, this pause is a popup window. On Linux, the pause involves waiting for a keystroke, which may not work well if the application reads from stdin. In that case consider -pause_via_loop as an additional option.
-pause_at_uninitialized
default: false
Identical to -pause_at_unaddressable, but applies to uninitialized access errors.
-pause_at_exit
default: false
Pauses at exit, using the same mechanism described in -pause_at_unaddressable. Meant for examining leaks in the debugger.
-pause_at_assert
default: false
Dr. Memory pauses at the point of each debug-build assert. On Windows, this pause is a popup window. On Linux, the pause involves waiting for a keystroke, which may not work well if the application reads from stdin. In that case consider -pause_via_loop as an additional option.
-pause_via_loop
default: false
Used in conjunction with -pause_at_uninitialized and -pause_at_uninitialized on Linux, this option causes Dr. Memory to pause via an infinite loop instead of waiting for stdin. Dr. Memory will not continue beyond the first such error found.
-crash_at_unaddressable
default: false
Dr. Memory terminates the process in a crash at the point of the first unaddressable access error that is identified.
-crash_at_error
default: false
Dr. Memory terminates the process in a crash at the point of the first error that is identified.
-dump_at_error_mask <int>
default: 0 (minimum: 0, maximum: 0x2f)
At each reported unique error selected by the mask value, a memory dump file is created. This option is a work-in-progress and is currently experimental, using the DynamoRIO livedump format which is not yet publicly documented. The mask takes the following bitfields:
0x0001 = unaddressable access
0x0002 = uninitialized read
0x0004 = invalid heap argument
0x0008 = GDI usage error
0x0020 = warning
-dump_at_unaddressable
default: false
Equivalent to -dump_at_error_mask 1.
-callstack_max_frames <int>
default: 20 (minimum: 0, maximum: 4096)
How many call stack frames to record for each non-leak error report. A larger maximum will ensure that no call stack is truncated, but can use more memory and slow down the tool if there are many error reports with large callstacks. This option must be larger than the largest suppression supplied to -suppress. The separate option -malloc_max_frames controls the callstack size for leak reports, while -free_max_frames controls the callstack size for freed memory overlap reports from -delay_frees_stack.
-malloc_max_frames <int>
default: 12 (minimum: 0, maximum: 4096)
How many call stack frames to record on each malloc, for use in leak error reports as well as alloc/free mismatch error reports (unless leaks are disabled (via -no_count_leaks or -light) and -malloc_callstacks is also disabled). A larger maximum will ensure that no call stack is truncated, but can use more memory and slow down the tool.
-free_max_frames <int>
default: 6 (minimum: 0, maximum: 4096)
If -delay_frees_stack is enabled, this controls how many call stack frames to record for each use-after-free informational report. A larger maximum will ensure that no call stack is truncated, but can use more memory and slow down the tool.
-callstack_style <int>
default: 0x0301 (minimum: 0, maximum: 0x1fff)
Set of flags that controls the callstack printing style:
0x0001 = show frame numbers
0x0002 = show absolute address
0x0004 = show offset from library base
0x0008 = show offset from symbol start: "library!symbol+offs"
0x0010 = show offset from line start: "foo.c:44+0x8"
0x0020 = "file:line" on separate line
0x0040 = "file @ line" instead of "file:line"
0x0080 = "symbol library" instead of "library!symbol"
0x0100 = put fields in aligned columns
0x0200 = show symbol and module offset when symbols are missing
0x0400 = print unique module id
0x0800 = show "file(line):" instead of "file:line"d
0x1000 = expand template parameters (from "<>") for PDB symbols
-callstack_truncate_below <string>
default: "main,wmain,WinMain,wWinMain,*RtlUserThreadStart,_threadstartex,BaseThreadInitThunk"
Callstacks will be truncated at any frame that matches any of these ,-separated function names. The function names can contain * or ? wildcards.
-callstack_modname_hide <string>
default: "*drmemory*"
Callstack frames will not list module names matching any of these ,-separated patterns. The names can contain * or ? wildcards. The module name will be displayed whenever the function name is uknown, however. The module name will only be hidden for error display purposes: it will still be included when considering suppressions, and it will be included in the generated suppression callstacks.
-callstack_exe_hide
default: true
Callstack frames will not list the executable name. The executable name will be displayed whenever the function name is uknown, however. The executable name will only be hidden for error display purposes: it will still be included when considering suppressions, and it will be included in the generated suppression callstacks.
-callstack_srcfile_hide <string>
default: ""
Callstack frames will not list source file paths matching any of these ,-separated patterns. The paths can contain * or ? wildcards.
-callstack_srcfile_prefix <string>
default: ""
Callstack frame source paths that match any of these ,-separated prefixes will be printed without the leading portion up to and including the match.
-lib_blacklist <string>
default: ""
Error reports whose top N frames‘ module paths match any of these ,-separated patterns will be separated by default as merely potential errors, where N is -lib_blacklist_frames. These errors are reported to potential_errors.txt rather than results.txt. This feature is disabled if -lib_blacklist_frames is 0. The -lib_whitelist takes priority over this blacklist: i.e., if any top frame matches the whitelist, the error will be reported normally, even if all frames also match the blacklist. Each pattern can use * and ? wildcards (which have the same semantics as in suppression files) and is matched against the full path of each module. The default on Windows is set to $SYSTEMROOT*.d?? if not otherwise specified.
-lib_blacklist_frames <int>
default: 4 (minimum: 0, maximum: 4096)
The number of frames, starting from the top, that must match -lib_blacklist in a callstack in order for an error report to be separated from the regularly reported errors. Setting this value to 0 disables blacklist-based error separation. If the top frame is a system call or a replace_* Dr. Memory routine, it is ignored and matching starts from the second frame.
-lib_whitelist <string>
default: ""
Error reports where not a single one of the top N frames‘ module paths match any of these ,-separated patterns will be separated by default as merely potential errors, where N is -lib_whitelist_frames. These errors are reported to potential_errors.txt rather than results.txt. This feature is disabled if -lib_whitelist_frames is 0 or if -lib_whitelist is empty. This whitelist takes priority over -lib_blacklist: i.e., if any top frame matches the whitelist, the error will be reported normally, even if all frames also match the blacklist. Each pattern can use * and ? wildcards (which have the same semantics as in suppression files) and is matched against the full path of each module.
-lib_whitelist_frames <int>
default: 4 (minimum: 0, maximum: 4096)
The number of frames, starting from the top, that must not match -lib_whitelist in a callstack in order for an error report to be separated from the regularly reported errors. Setting this value to 0 disables -lib_whitelist-based error separation. If the top frame is a system call or a replace_* Dr. Memory routine, it is ignored and matching starts from the second frame.
-src_whitelist <string>
default: ""
Error reports where not a single one of the top N frames‘ source file paths match any of these ,-separated patterns will be separated by default as merely potential errors, where N is -src_whitelist_frames. These errors are reported to potential_errors.txt rather than results.txt. This feature is disabled if -src_whitelist_frames is 0 or if -src_whitelist is empty. This whitelist takes priority over -lib_blacklist: i.e., if any top frame matches the whitelist, the error will be reported normally, even if all frames also match the blacklist. If combined with -lib_whitelist, the -lib_whitelist will perform its check first, followed by -src_whitelist. Each pattern can use * and ? wildcards (which have the same semantics as in suppression files) and is matched against the full path of each source file.
-src_whitelist_frames <int>
default: 4 (minimum: 0, maximum: 4096)
The number of frames, starting from the top, that must not match -src_whitelist in a callstack in order for an error report to be separated from the regularly reported errors. Setting this value to 0 disables -src_whitelist-based error separation. If the top frame is a system call or a replace_* Dr. Memory routine, it is ignored and matching starts from the second frame.
-check_uninit_blacklist <string>
default: ""
For each library or executable basename on this list, Dr. Memory suspends checking of uninitialized reads. Instead Dr. Memory marks all memory written by such modules as defined. This is a more efficient way to ignore all errors from a module than suppressing them or adding to the lib_blacklist option. Dr. Memory does automatically turn a whole-module suppression consisting of a single frame of the form ‘modulename!*‘ into an entry on this list. The entries on this list can contain wildcards.
-callstack_use_top_fp
default: true
Whether to trust the top-level ebp/rbp register to hold the next frame pointer. If enabled, overridden when -callstack_use_top_fp_selectively is enabled. Normally trusting the register is correct. However, if a frameless function is on top of the stack, using the ebp register can cause a callstack to skip the next function. If this option is set to false, the callstack walk will perform a stack scan at the top of every callstack. This adds additional overhead in exchange for more accuracy, although in -light mode the additional accuracy has some tradeoffs and can result in incorrect frames. It should not be necessary to disable this option normally, unless an application or one of its static libraries is built with optimizations that omit frame pointers.
-callstack_use_top_fp_selectively
default: true
Whether to trust the top-level ebp/rbp register to hold the next frame pointer in certain situations. When enabled, this overrides -callstack_use_top_fp if it is enabled; but if -callstack_use_top_fp is disabled then the top fp is never used. When this option is enabled, in full or -leaks_only modes then the top fp is not used for all non-leak errors, while in -light mode the top fp is only not used for non-leak errors where the top frame is in an application module. See the -callstack_use_top_fp option for further information about the top frame pointer.
-callstack_use_fp
default: true
Whether to use frame pointers at all. The -callstack_use_top_fp and -callstack_use_top_fp_selectively options control whether to use the top frame pointer. This option controls whether to continue walking the frame pointer chain. Turning this off may be necessary if a mixture of frame pointer optimized code and un-optimized code is in use in the application, to avoid skipping interior callstack frames.
-callstack_conservative
default: false
By default, callstack walking is tuned for performance. It is possible to miss some frames when application code is optimized. Enabling this option causes extra checks to be performed to attempt to create more accurate callstacks. These checks add extra overhead.
-callstack_max_scan <int>
default: 2048 (minimum: 0, maximum: 16384)
How far to scan to locate the first stack frame when starting in a frameless function, or to locate the next stack frame when crossing loader or glue stub thunks or a signal or exception frame. Increasing this can produce better callstacks but may incur noticeable overhead for applications that make many allocation calls.
-callstack_bad_fp_list <string>
default: ""
When walking frame pointers and transitioning from any module on this list to a frame not in the same module, the frame pointer chain is assumed to be suspect and a stack scan is performed. Use this option to avoid missing frames in your application‘s code that are skipped due to frame pointer optimizations in other libraries.
-check_leaks
default: true
Whether to list details of each individual memory leak. If this option is disabled and -count_leaks is enabled, leaks will still be detected, but only the count of leaks will be shown.
-count_leaks
default: true
Whether to detect memory leaks. Whether details on each leak are shown is controlled by the -check_leaks option. Disabling this option can reduce execution overhead as less information must be kept internally, while disabling -check_leaks will not affect execution overhead.
-symbol_offsets
default: false
Deprecated: use -callstack_style flag 0x4
-ignore_early_leaks
default: true
Whether to ignore leaks from memory allocated by system code prior to Dr. Memory taking over.
-check_leaks_on_destroy
default: true
If enabled, when a heap is destroyed (HeapDestroy on Windows), report any live allocations inside it as possible leaks.
-possible_leaks
default: true
Whether to list possibly-reachable allocations when leak checking. Requires -check_leaks.
-check_encoded_pointers
default: true
Check for encoded pointers to eliminate false positives from pointers kept in encoded form.
-midchunk_size_ok
default: true
Consider allocations reached by a mid-allocation pointer that points past a size field at the head of the allocation to be reachable instead of possibly leaked. Currently this option looks for a very specific pattern. If your application‘s header is slightly different please contact the authors about generalizing this check.
-midchunk_new_ok
default: true
Consider allocations reached by a mid-allocation pointer that points past a size field at the head of the allocation that looks like a new[] header to be reachable instead of possibly leaked. A heuristic is used for this identification that is not perfect.
-midchunk_inheritance_ok
default: true
Consider allocations reached by a mid-allocation pointer that points to a parent class instantiation to be reachable instead of possibly leaked. A heuristic is used for this identification that is not perfect.
-midchunk_string_ok
default: true
Consider allocations reached by a mid-allocation pointer that points to a char array inside an instance of a std::string representation to be reachable instead of possibly leaked. A heuristic is used for this identification that is not perfect.
-scan_read_only_files
default: false
Whether the leak scan should scan read-only file-mapped memory when looking for pointers to the heap. The leak scan does not track whether pages have been read-only since they were mapped, so it‘s possible for the application to store heap pointers in a file-mapped region and then mark it read-only. If your application does so, you may want to turn on this option.
-strings_vs_pointers
default: true
Use heuristics to rule out sub-strings as leak scan pointers, preventing strings from anchoring heap objects and resulting in false negatives.
-show_reachable
default: false
Whether to list reachable allocations when leak checking. Requires -check_leaks.
-suppress <string>
default: ""
File containing errors to suppress. May be repeated. See Suppressing Errors.
-default_suppress
default: true
Use the set of default suppressions that come with Dr. Memory. See Suppressing Errors.
-gen_suppress_offs
default: true
Generate mod+offs suppressions in addition to mod!sym suppressions in the output suppress file
-gen_suppress_syms
default: true
Generate mod!syms suppressions in addition to mod+offs suppressions in the output suppress file
-show_threads
default: true
Whether to print the callstack of each thread creation point referenced in an error report to the global logfile, which can be useful to identify which thread was involved in the error report. Look for ‘NEW THREAD‘ in the global.pid.log file in the log directory where the results.txt file is found.
-show_all_threads
default: false
Whether to print the callstack of each thread creation point (whether referenced in an error report or not) to the global logfile. This can be useful to identify which thread was involved in error reports, as well as general diagnostics for what threads were present during a run. Look for ‘NEW THREAD‘ in the global.pid.log file in the log directory where the results.txt file is found.
-conservative
default: false
Be conservative whenever reading application memory and when assuming registeres are dead. When this option is disabled, Dr. Memory may read return addresses and arguments passed to functions without fault-handling code, which gains performance but can sacrifice robustness when running hand-crafted assembly code. Additionally, with this option disabled, register liveness does not consider faults.
-check_uninit_cmps
default: true
Report definedness errors on compares instead of waiting for conditional jmps.
-check_uninit_non_moves
default: false
Report definedness errors on any instruction that is not a move. Note: turning this option on may result in false positives, but can also help diagnose errors through earlier error reporting.
-check_uninit_all
default: false
Report definedness errors on any instruction, rather than the default of waiting until something meaningful is done, which reduces false positives. Note: turning this option on may result in false positives, but can also help diagnose errors through earlier error reporting.
-strict_bitops
default: false
Currently, Dr. Memory‘s definedness granularity is per-byte. This can lead to false positives on code that uses bitfields. By default, Dr. Memory relaxes its uninitialized checking on certain bit operations that are typically only used with bitfields, to avoid these false positives. However, this can lead to false negatives. Turning this option on will eliminate all false negatives (at the cost of potential false positives). Eventually Dr. Memory will have bit-level granularity and this option will go away.
-check_pc
default: true
Check the program counter on each instruction to ensure it is executing from valid memory.
-stack_swap_threshold <int>
default: 0x9000 (minimum: 256, maximum: INT_MAX)
Stack change amount to consider a swap instead of an allocation or de-allocation on the same stack. Dr. Memory attempts to dynamically tune this value unless it is changed from its default.
-redzone_size <int>
default: 16 (minimum: 0, maximum: 32*1024)
Buffer on either side of each malloc. This should be a multiple of 8.
-report_max <int>
default: 20000 (minimum: -1, maximum: INT_MAX)
Maximum non-leak errors to report (-1=no limit). This includes ‘potential‘ errors listed separately.
-report_leak_max <int>
default: 10000 (minimum: -1, maximum: INT_MAX)
Maximum leaks to report (-1=no limit). This includes ‘potential‘ leaks listed separately.
-report_write_to_read_only
default: true
Report writes to read-only memory as unaddressable errors.
-show_duplicates
default: false
Print details on each duplicate error rather than only showing unique error details
-batch
default: false
Do not launch notepad with the results file at application exit.
-summary
default: true
Display process startup information and a summary of errors to stderr at app exit.
-use_symcache
default: true
Cache results of symbol lookups to speed up future runs
-symcache_dir <string>
default: "<install>/logs/symcache"
Destination for symbol cache files. When using a unique log directory for each run, symbols will not be shared across runs because the default cache location is inside the log directory. Use this option to set a shared directory.
-symcache_minsize <int>
default: 1000 (minimum: 0, maximum: UINT_MAX)
Minimum module size to cache symbols for. Note that there‘s little downside to caching and it is pretty much always better to cache.
-use_symcache_postcall
default: true
Cache post-call sites to speed up future runs. Requires -use_symcache to be true.
-preload_symbols
default: false
Preload debug symbols on module load. Debug symbols cannot be loaded during leak reporting on Vista, so this option is on by default on Vista. This option may cause excess memory usage from unneeded debugging symbols.
-skip_msvc_importers
default: true
Do not search for alloc routines in modules that import from msvc*
-warn_null_ptr
default: false
Whether to warn when NULL is passed to free() or realloc().
-delay_frees <int>
default: 2000 (minimum: 0, maximum: UINT_MAX)
Frees to delay before committing. The larger this number, the greater the likelihood that Dr. Memory will identify use-after-free errors. However, the larger this number, the more memory will be used. This value is separate for each set of allocation routines and each Windows Heap.
-delay_frees_maxsz <int>
default: 20000000 (minimum: 0, maximum: UINT_MAX)
Maximum size of frees to delay before committing. The larger this number, the greater the likelihood that Dr. Memory will identify use-after-free errors. However, the larger this number, the more memory will be used. This value is separate for each set of allocation routines and each Windows Heap.
-delay_frees_stack
default: true
Record callstacks on free to use when reporting use-after-free or other errors that overlap with freed objects. There is a slight performance hit incurred by this feature for malloc-intensive applications. The callstack size is controlled by -free_max_frames.
-leaks_only
default: false
Puts Dr. Memory into a leak-check-only mode that has lower overhead but does not detect other types of errors other than invalid frees.
-handle_leaks_only
default: false
Puts Dr. Memory into a handle-leak-check-only mode that has lower overhead but does not detect other types of errors other than handle leaks in Windows.
-check_uninitialized
default: IF_ARM_ELSE(false, IF_X64_ELSE(false, true))
Check for uninitialized read errors. When disabled, puts Dr. Memory into a mode that has lower overhead but does not detect definedness errors. Furthermore, the lack of definedness information reduces accuracy of leak identification, resulting in potentially failing to identify some leaks.
-check_stack_bounds
default: false
Only applies for -no_check_uninitialized. Determines whether to check for beyond-top-of-stack accesses.
-check_stack_access
default: false
Only applies for -no_check_uninitialized. Determines whether to check for errors on memory references that use esp or ebp as a base. These are normally local variable and function parameter references only, but for optimized or unusual code they could point elsewhere in memory. Checking these incurs additional overhead.
-check_alignment
default: false
Only applies for -no_check_uninitialized. Determines whether to incur additional overhead in order to handle memory accesses that are not aligned to their size. With this option off, the tool may miss bounds overflows that involve unaligned memory references.
-fault_to_slowpath
default: true
Only applies for -no_check_uninitialized. Determines whether to use faulting instructions rather than explicit jump-and-link to exit from fastpath to slowpath.
-check_gdi
default: true
Check for GDI API usage errors. Any errors detected will be reported as errors of type GDI USAGE ERROR.
-check_gdi_multithread
default: false
Check for GDI API usage error of one DC used by multiple threads. Some system libraries violate this guideline, however, resulting in potential false positives.
-check_handle_leaks
default: true
Check for handle leak errors. Any errors detected will be reported as errors of type HANDLE LEAK. This is currently an experimental option and is very conservative, placing any error it is not sure about in potential_errors.txt rather than reporting in the main set of errors found.
-check_heap_mismatch
default: IF_X64_ELSE(false, true)
Whether to check for Windows API vs C library mismatches
-check_delete_mismatch
default: true
Whether to check for free/delete/delete[] mismatches
-check_prefetch
default: true
Whether to report unaddressable prefetches as warnings
-malloc_callstacks
default: false
Record callstacks on allocations to use when reporting alloc/free mismatches. If leaks are enabled (i.e., -count_leaks is on), this option is always enabled. The callstack size is controlled by -malloc_max_frames. When enabled in light mode, this option incurs additional overhead, particularly on malloc-intensive applications.
-prctl_whitelist <string>
default: ""
If this list is non-empty, when Dr. Memory sees prctl(PR_SET_NAME) and the name is not on the list, then Dr. Memory will disable its instrumentation for the rest of the process and for all of its child processes. The list is ,-separated.
-auxlib <string>
default: ""
This option should specify the basename of an auxiliary system call handling library found in the same directory as the Dr. Memory client library.
-analyze_unknown_syscalls
default: true
For unknown syscalls use memory comparison to find output params
-syscall_dword_granularity
default: true
For unknown syscall comparisons (-analyze_unknown_syscalls), when changes are detected, consider the containing dword to have changed
-syscall_sentinels
default: false
Use sentinels to detect writes on unknown syscalls and reduce false positives, in particular for uninitialized reads. Can potentially result in incorrect behavior if definedness information is incorrect or application threads read syscall parameter info simultaneously. This option requires -analyze_unknown_syscalls to be enabled.
-prefer_msize
default: true
Prefer _msize to malloc_usable_size when both are present
-perturb
default: false
Adds random delays to thread synchronization and other operations to try and increase the chances of catching race conditions.
-perturb_only
default: false
Adds random delays to thread synchronization and other operations to try and increase the chances of catching race conditions, but disables all memory checking to create a low-overhead tool that executes significantly faster. However, without memory checking race conditions will only be detected if they result in an actual crash or other externally visible change in behavior. When this option is enabled, Dr. Memory will not produce an error summary or results.txt.
-perturb_max <int>
default: 50 (minimum: 0, maximum: UINT_MAX)
This option sets the maximum delay added by -perturb, in milliseconds for thread operations and in custom units for instruction-level operations. Delays added will be randomly selected from 0 up to -perturb_max.
-perturb_seed <int>
default: 0 (minimum: 0, maximum: UINT_MAX)
To reproduce the random delays added by -perturb, pass the seed from the logfile from the target run to this option. There may still be non-determinism in the rest of the system, however.
-unaddr_only
default: false
This option enables a lightweight mode that only detects critical errors of unaddressable accesses on heap data. This option cannot be used with ‘light‘ or ‘check_uninitialized‘.
-pattern <int>
default: IF_ARM_ELSE(DEFAULT_PATTERN, IF_X64_ELSE(DEFAULT_PATTERN, 0)) (minimum: 0, maximum: USHRT_MAX)
Use sentinels to detect accesses on unaddressable regions around allocated heap objects. When this option is enabled, checks for uninitialized read errors will be disabled. The value passed as the pattern must be a non-zero 2-byte value.
-persist_code
default: false
Cache instrumented code to speed up future runs. For short-running applications, this can provide a performance boost. It may not be worth enabling for long-running applications. Currently, this option is only supported with -light or -no_check_uninitialized. It also currently fails to re-use randomized libraries on Windows, resulting in less of a performance boost for applications that use many libraries with ASLR enabled.
-persist_dir <string>
default: "<install>/logs/codecache"
Destination for code cache files. When using a unique log directory for each run, symbols will not be shared across runs because the default cache location is inside the log directory. Use this option to set a shared directory.
-soft_kills
default: true
Ensure external processes terminated by this one exit cleanly. Often applications forcibly terminate child processes, which can prevent proper leak checking and error and suppression summarization as well as generation of symbol and code cache files needed for performance. When this option is enabled, every termination call to another process will be replaced with a directive to the Dr. Memory running in that process to perform a clean shutdown. If there is no DynamoRIO-based tool in the target process, the regular termination call will be carried out.
-coverage
default: false
Measure code coverage during application execution. The resulting data is written to a separate file named with a ‘drcov‘ prefix in the same directory as Dr. Memory‘s other results files. The raw data can be turned into a human-readable format using the drcov2lcov utility.
-fuzz
default: false
Enable fuzzing by Dr. Memory. See the other fuzz_* options for all of the different fuzzing options.
-fuzz_module <string>
default: ""
The fuzz target module name. The application main executable is used by default.
-fuzz_function <string>
default: "DrMemFuzzFunc"
The fuzz target function symbol name. DrMemFuzzFunc is used by default.
-fuzz_offset <int>
default: 0 (minimum: 0, maximum: UINT_MAX)
The fuzz target function offset in the module.
-fuzz_num_args <int>
default: 2 (minimum: 0, maximum: 32)
The number of arguments passed to the fuzz target function. For vararg functions this must match the actual number of arguments passed by the caller.
-fuzz_data_idx <int>
default: 0 (minimum: 0, maximum: 31)
The fuzz data argument index.
-fuzz_size_idx <int>
default: 1 (minimum: 0, maximum: 31)
The fuzz data size argument index.
-fuzz_num_iters <int>
default: 100 (minimum: 0, maximum: INT_MAX)
The number of times to repeat executing the target function. Use 0 for no repeat and no mutation, and -1 to repeat until the mutator is exhausted.
-fuzz_replace_buffer
default: false
Replace the input data buffer with separately allocated memory. This can be used for fuzzing functions whose input data is stored in read-only memory, or for fuzzing functions with different input data sizes, e.g., loading data via -fuzz_input_file. Note: this may cause problems if other pointers point to the original buffer, or the replaced buffer is used after the fuzzing iterations.
-fuzz_call_convention <string>
default: ""
The calling convention used by the fuzz target function. It can be specified using one of the following codes:
arm32 = ARM32
amd64 = AMD64
fastcall = fastcall
ms64 = Microsoft x64 (Visual Studio)
stdcall = cdecl or stdcall
thiscall = thiscall
If no calling convention is specified, the most common calling convention on the platform is used:
32-bit ARM: arm32
32-bit Unix: stdcall
32-bit Windows: stdcall
64-bit Unix: amd64
64-bit Windows: ms64
-fuzz_dump_on_error
default: true
Dump the current fuzz input to current log directory on an error report. The file name can be found in the error report summary.
-fuzz_input_file <string>
default: ""
Load data from specified file as fuzz input. It can be used with -fuzz_num_iters 0 to reproduce an error from the input generated by -fuzz_dump_on_error. The data might be truncated if the data size is larger than the input buffer size. Use -fuzz_replace_buffer to replace the input buffer with a separately allocated buffer.
-fuzz_corpus <string>
default: ""
Load a corpus of input data files from the specified directory, perform coverage based fuzzing, and dump input data that causes more coverage.
-fuzz_corpus_out <string>
default: ""
Create the minimized corpus inputs from -fuzz_corpus and dump them to the directory specified by -fuzz_corpus_out.
-fuzz_bbcov
default: false
Enable basic block coverage guided fuzzing. Not yet implemented.
-fuzz_target <string>
default: ""
Fuzz test the target program according to the specified descriptor, which should have the format:
<target>|<arg-count>|<buffer-index>|<size-index>|<repeat-count>[|<calling-convention>]
where <target> has one of two formats:
<module>!<symbol>
<module>+<offset>
Here, <module> refers to a single binary image file such as a library (.so or .dll) or an application executable (.exe on Windows). The <offset> specifies the entry point of the target function as a hexadecimal offset (e.g. ‘0xf7d4‘) from the start of the module that contains it (i.e., the library or executable image). The <symbol> may be either a plain C function name, a mangled C++ symbol, or (Windows only) a de-mangled C++ symbol of the form returned by the Symbol Query Tool. The option -fuzz_mangled_names is required for using mangled names in Windows, and the mangled name must have every ‘@‘ character escaped by substituting a ‘-‘ in its place. The module alias <main> may be used to refer to the main module of the process, which is the program executable.
The <arg-count> specifies the number of arguments to the function (for vararg functions this must match the actual number of arguments passed by the app). The <*-index> arguments specify the index of the corresponding parameter in the target function. The <repeat-count> indicates the number of times to repeat the target function (use 0 to repeat until the mutator is exhuasted). The optional <calling-convention> can be specified using one of the following codes:
1 = AMD64
2 = Microsoft x64 (Visual Studio)
3 = ARM32
4 = cdecl or stdcall
5 = fastcall
6 = thiscall
-fuzz_mutator_lib <string>
default: ""
Specify a custom third-party mutator library to use instead of the default mutator library provided by Dr. Fuzz.
-fuzz_mutator_ops <string>
default: ""
Specify options to pass to either the default mutator library or to the custom third-party mutator library named in -fuzz_mutator_lib.
-fuzz_mutator_alg <string>
default: "ordered"
Specify the mutator algorithm as one of these strings:
random = random selection of bits or numbers.
ordered = ordered sequence of bits or numbers.
See also Dr. Fuzz Mutators.
-fuzz_mutator_unit <string>
default: "bits"
Specify the mutator unit of operation as one of these strings:
bits = mutation by bit flipping.
num = mutation by random number generation.
token = mutation by inserting tokens from -fuzz_dictionary.
See also Dr. Fuzz Mutators.
-fuzz_mutator_flags <int>
default: 1 (minimum: 0, maximum: UINT_MAX)
Specify flags controlling mutator operation:
0x1 = reset to the original buffer value passed by the app before each mutation.
0x2 = seed the mutator‘s random number generator with the current clock time.
See also Dr. Fuzz Mutators.
-fuzz_mutator_sparsity <int>
default: 1 (minimum: 0, maximum: UINT_MAX)
Specifies a number of values to skip between mutations. See also Dr. Fuzz Mutators.
-fuzz_mutator_max_value <int>
default: 0 (minimum: 0, maximum: ULLONG_MAX)
For buffers of size 8 bytes or smaller, specifies the maximum mutation value. Use value 0 to disable the maximum value (i.e., limit only by the buffer capacity). See also Dr. Fuzz Mutators.
-fuzz_mutator_random_seed <int>
default: 0x5a8390e9a31dc65fULL (minimum: 0, maximum: ULLONG_MAX)
Randomization seed for -fuzz_mutator_alg random. The default random seed is arbitrary, selected to have an equal number of 0 and 1 bits. See also Dr. Fuzz Mutators.
-fuzz_dictionary <string>
default: ""
Specify a dictionary file listing tokens to use for mutation by insertion into the input buffer. The file must be a text file with one double-quote-delimited token per line. Specifying this option automatically selects -fuzz_mutator_unit token.
-fuzz_one_input <string>
default: ""
Specify one fuzz input value to test. The value is a hexadecimal byte sequence using the printed byte order (i.e., non-endian), for example ‘7f392a‘ represents byte array { 0x7f, 0x39, 0x2a }. If the value length does not match the fuzz target buffer length, it will be truncated or zero-padded to fit.
-fuzz_buffer_fixed_size <int>
default: 0 (minimum: 0, maximum: UINT_MAX)
Use this option to ignore the size of the buffer argument and instead mutate a fixed span of bytes. If the actual buffer size is smaller than the specified fixed size, the actual size will be used instead.
-fuzz_buffer_offset <int>
default: 0 (minimum: 0, maximum: UINT_MAX)
Use this option to constrain mutation to a subset of buffer bytes starting at the specified offset from the buffer start.
-fuzz_skip_initial <int>
default: 0 (minimum: 0, maximum: UINT_MAX)
Skip fuzzing for the specified number of target invocations.
-fuzz_stat_freq <int>
default: 0 (minimum: 0, maximum: UINT_MAX)
Specify the fuzzer status log frequency in number of fuzz iterations (no status is logged when this option is not set).
-fuzz_mangled_names
default: false
By default, fuzz targets on Windows must use demangled names. Use this option to enabled mangled names. It is required to escape every ‘@‘ character by replacing it with a ‘-‘ in the mangled name (due to delimiter conflicts over ‘@‘ in the toolchain).
以上是关于Dr.memory的主要内容,如果未能解决你的问题,请参考以下文章
INVALID HEAP ARGUMENT:用 operator new[] 分配,用 operator delete 释放