Welcome to BitCell. Click here to register !
- sudo apt-get install valgrind
Tutorial Valgrind
1. Introducere
Cui i se adreseaza acest tutorial ?
Oricui isi propune sa scrie aplicatii C/C++ ruland pe sisteme Linux.
Ce este Valgrind ?
Valgrind este o suita de programe utilitare, putand fi folosit pentru depanarea problemelor privind utilizarea memoriei, detectarea memory leak-urilor si pentru profiling.
Cum functioneaza ?
Valgrind este, in esenta, o masina virtuala. Atunci cand executam un program folosind Valgrind, acesta este rulat in respectiva masina virtuala. Cu aceasta ocazie, sunt aplicate anumite tehnici si procedee de instrumentare a codului care permit detectia unor categorii de erori de programare.
Valgrind ruleaza doar pe platforme Linux.
Exista programe similare si pentru utilizatorii Windows, dar, de obicei, sunt comerciale. Dintre alternativele valabile pe sisteme Windows, putem enumera: IBM Purify, Parasoft Insure++, etc.
Care sunt categoriile de erori pe care le poate detecta Valgrind ?
Valgrind consta dintr-o suita de programe utilitare.
Proababil cel mai utilizat dintre ele este memcheck, destinat analizei utilizarii memoriei.
Acesta poate detecta erori precum:
- Utilizarea memoriei neinitializate
- Accesarea memoriei dezalocate
- Buffer overflows, pentru buffer-ele alocate pe heap
- Anumite cazuri de accesare incorecta a memoriei pe stiva curenta
- Memory leaks
- Utilizarea incorecta a functiilor de alocare/dezalocare a memoriei
In afara de memcheck, mai exista:
- Callgrind -> util pentru generarea de callgraph-uri (pentru profiling)
- Cachegrind -> util pentru profiling privind utilizarea cache-urilor
- Massif -> util pentru profiling privind utilizarea memoriei alocate dinamic
- Helgrind -> detecteaza greseli tipice in utilizarea thread-urilor POSIX
Cum il instalam ?
Este disponibil aici: http://valgrind.org/
Pe sistemele Debian (sau derivate din Debian, precum Ubuntu), se poate instala executand:
2. Utilizare
2.1. Detectia utilizarii memoriei neinitializate
Avem urmatorul cod (uninit_memory.c):
- #include <stdlib.h>
- #include <stdio.h>
- int main()
- {
- int i;
- /* bug -> uninitialized variable used */
- if (i == 0)
- printf("Is zero\n");
- else
- printf("Non zero\n");
- return EXIT_SUCCESS;
- }
Il compilam:
- gcc -Wall -Wextra -g -O0 uninit_memory.c -o uninit_memory
Ruland folosind utilitarul memcheck:
- valgrind --tool=memcheck ./uninit_memory
obtinem:
- ==8365== Conditional jump or move depends on uninitialised value(s)
- ==8365== at 0x80483D9: main (uninit_memory.c:8)
Precum se poate observa, Valgrind raporteaza o eroare la linia 8 (if (i == 0)), privind utilizarea unei variabile neinitializate.
Detectia functioneaza si in cazul unui array alocat pe stiva (uninit_array.c).
- #include <stdlib.h>
- #include <stdio.h>
- #include <string.h>
- int main()
- {
- char name[256];
- /* bug -> uninitialized array used */
- if (!strcmp(name, "root"))
- printf("Hello superuser\n");
- else
- printf("Hello user\n");
- return EXIT_SUCCESS;
- }
Compilare:
- gcc -Wall -Wextra -g -O0 uninit_array.c -o uninit_array
Executand folosind memcheck:
- valgrind --tool=memcheck ./uninit_array
obtinem:
- ==9104== Conditional jump or move depends on uninitialised value(s)
- ==9104== at 0x40279F3: strcmp (mc_replace_strmem.c:337)
- ==9104== by 0x8048488: main (uninit_array.c:9)
Valgrind raporteaza o eroare la linia if (strcmp(name, "root")), pentru ca array-ul name se foloseste neinitializat.
Sa vedem daca Valgrind detecteaza acest tip de eroare si in cazul utilizarii unui array alocat dinamic (pe heap).
Avem urmatorul cod sursa (uninit_dynamic_array.c):
- #include <stdlib.h>
- #include <stdio.h>
- #include <string.h>
- int main()
- {
- char *name = (char *)malloc(256 * sizeof(char));
- /* bug -> uninitialized array used */
- if (!strcmp(name, "root"))
- printf("Hello superuser\n");
- else
- printf("Hello user\n");
- free(name);
- return EXIT_SUCCESS;
- }
Compilare:
- gcc -Wall -Wextra -g -O0 uninit_dynamic_array.c -o uninit_dynamic_array
Executand folosind memcheck:
- valgrind --tool=memcheck --leak-check=yes ./uninit_dynamic_array
obtinem
- ==9385== Conditional jump or move depends on uninitialised value(s)
- ==9385== at 0x40279F3: strcmp (mc_replace_strmem.c:337)
- ==9385== by 0x8048496: main (uninit_dynamic_array.c:9)
Valgrind continua sa detecteze problema.
Precum se poate observa, fata de situatiile anterioare, am utilizat in plus optiunea --leak-check=yes, pentru a detecta posibilele erori de tip memory leak (pentru ca acum alocam dinamic memorie). In cazul programului de mai sus, nu avem astfel de erori.
2.2. Detectia acceselor la memoria dezalocata
Avem urmatorul cod sursa (deallocated_memory_access.c):
- #include <stdlib.h>
- int main()
- {
- int* p = (int*) malloc(sizeof(int));
- *p = 1;
- free(p);
- /* bug - access to deallocated memory pointed by p */
- *p = 2;
- return EXIT_SUCCESS;
- }
In acest program, se acceseaza memorie dezalocata la urmatoarea linie: *p = 2.
Compilare:
- gcc -Wall -Wextra -g -O0 deallocated_memory_access.c -o deallocated_memory_access
Executand folosind memcheck:
- valgrind --tool=memcheck --leak-check=yes ./deallocated_memory_access
obtinem:
- ==11741== Invalid write of size 4
- ==11741== at 0x804842B: main (deallocated_memory_access.c:9)
- ==11741== Address 0x41b1028 is 0 bytes inside a block of size 4 free'd
- ==11741== at 0x4025DFA: free (vg_replace_malloc.c:323)
- ==11741== by 0x8048427: main (deallocated_memory_access.c:7)
Mesajul oferit de catre Valgrind ne spune urmatoarele lucruri:
- s-a facut un acces invalid la memorie, in mod scriere, pe 4 octeti (dimensiunea tipului int, pe sistemul meu)
- accesul s-a facut la linia 9 in fisierul deallocated_memory_access.c
- adresa la care s-a incercat scrierea a fost 0x41b1028. Aceasta adresa este localizata intr-un bloc de memorie alocat dinamic, de dimensiune 4 octeti (iarasi egal cu dimensiunea int-ului pe sistemul meu), dar care a fost in prealabil dezalocat, la linia 7, in fisierul deallocated_memory_access.c
Utilizatorii limbajului C++ se pot intreba daca detectia functioneaza si in cazul in care memoria este alocata folosind operatorul new si dezalocata folosind operatorul delete.
Avem urmatorul cod C++ (deallocated_memory_access.cpp)
- #include <cstdlib>
- int main()
- {
- int* p = new int;
- *p = 1;
- delete p;
- /* bug - access to deallocated memory pointed by p */
- *p = 2;
- return EXIT_SUCCESS;
- }
Compilare:
- g++ -Wall -Wextra -g -O0 deallocated_memory_access.cpp -o deallocated_memory_access
Executand folosind memcheck:
- valgrind --tool=memcheck --leak-check=yes ./deallocated_memory_access
obtinem:
- ==12503== Invalid write of size 4
- ==12503== at 0x804852B: main (deallocated_memory_access.cpp:9)
- ==12503== Address 0x42d6028 is 0 bytes inside a block of size 4 free'd
- ==12503== at 0x402599A: operator delete(void*) (vg_replace_malloc.c:342)
- ==12503== by 0x8048527: main (deallocated_memory_access.cpp:7)
Precum se poate observa, detectia a fost efectuata si in acest caz.
In continuare, dorim sa vedem daca detectia functioneaza si in cazul unui array, alocat folosind operatorul new[], dezalocat folosind operatorul delete [], apoi accesat (deallocated_array_access.cpp)
- #include <iostream>
- int main()
- {
- int * array = new int[10];
- for (int i = 0; i < 10; ++i)
- array[i] = i;
- delete [] array;
- for (int i = 0; i < 10; ++i)
- std::cout << array[i] << "\n";
- }
Compilare:
- g++ -Wall -Wextra -g -O0 deallocated_array_access.cpp -o deallocated_array_access
Executand folosind memcheck:
- valgrind --tool=memcheck --leak-check=yes ./deallocated_array_access
obtinem:
- ==12842== Invalid read of size 4
- ==12842== at 0x8048766: main (deallocated_array_access.cpp:12)
- ==12842== Address 0x42d6028 is 0 bytes inside a block of size 40 free'd
- ==12842== at 0x402545A: operator delete[](void*) (vg_replace_malloc.c:364)
- ==12842== by 0x8048753: main (deallocated_array_access.cpp:9)
Acest mesaj ne spune urmatoarele lucruri:
- se face un acces invalid la memorie, in mod citire (read), pe 4 octeti
- accesul se face la linia 12, in fisierul deallocated_array_access.cpp (adica la linia std::cout << array[i] << "\n";)
- adresa accesata in mod incorect este 0x42d6028, aflandu-se intr-un block de memorie avand dimensiunea de 40 de octeti, alocat dinamic dar dezalocat in prealabil
- blocul de memorie a fost dezalocat la linia 9, in fisierul deallocated_array_access.cpp (adica delete [] array;)
2.3. Detectia problemelor de tip "memory leak"
Pentru cei nefamiliarizati cu termenul, aceast gen de probleme se refera la situatiile in care un program aloca dinamic memorie, dar nu o mai dezaloca.
Valgrind este un utilitar foarte bun in gasirea acestor tipuri de probleme. Exista si alte utilitare ce pot fi folosite, pe sisteme, Linux, pentru detectia acestor situatii (de exemplu mpatrol).
Urmatorul cod (memory_leaks.cpp) expune acest tip de problema.
- #include <iostream>
- #include <cstdlib>
- int main()
- {
- int i;
- int *c_p = (int *)std::malloc(sizeof(int));
- *c_p = 1;
- int *c_q = (int *)std::malloc(10 * sizeof(int));
- for (i = 0; i < 10; ++i)
- c_q[i] = i;
- for (i = 0; i < 10; ++i)
- std::cout << c_q[i] << "\n";
- int *cpp_p = new int;
- *cpp_p = 1;
- int *cpp_q = new int[10];
- for (i = 0; i < 10; ++i)
- cpp_q[i] = i;
- for (i = 0; i < 10; ++i)
- std::cout << cpp_q[i] << "\n";
- return EXIT_SUCCESS;
- }
Compilare:
- g++ -Wall -Wextra -g -O0 memory_leaks.cpp -o memory_leaks
Executand folosind memcheck:
- valgrind --tool=memcheck --leak-check=yes ./memory_leaks
obtinem:
- ==13843== 4 bytes in 1 blocks are definitely lost in loss record 1 of 4
- ==13843== at 0x40269EE: operator new(unsigned int) (vg_replace_malloc.c:224)
- ==13843== by 0x80487E4: main (memory_leaks.cpp:18)
- ==13843==
- ==13843==
- ==13843== 4 bytes in 1 blocks are definitely lost in loss record 2 of 4
- ==13843== at 0x4026FDE: malloc (vg_replace_malloc.c:207)
- ==13843== by 0x804875C: main (memory_leaks.cpp:8)
- ==13843==
- ==13843==
- ==13843== 40 bytes in 1 blocks are definitely lost in loss record 3 of 4
- ==13843== at 0x402630E: operator new[](unsigned int) (vg_replace_malloc.c:268)
- ==13843== by 0x80487FC: main (memory_leaks.cpp:20)
- ==13843==
- ==13843==
- ==13843== 40 bytes in 1 blocks are definitely lost in loss record 4 of 4
- ==13843== at 0x4026FDE: malloc (vg_replace_malloc.c:207)
- ==13843== by 0x8048774: main (memory_leaks.cpp:10)
- ==13843==
- ==13843== LEAK SUMMARY:
- ==13843== definitely lost: 88 bytes in 4 blocks.
- ==13843== possibly lost: 0 bytes in 0 blocks.
- ==13843== still reachable: 0 bytes in 0 blocks.
- ==13843== suppressed: 0 bytes in 0 blocks.
Observam faptul ca Valgrind raporteaza locatiile in care s-au facut alocari de memorie care au dus la memory leaks (pentru care nu au existat dezalocari):
-> Linia 8: int *c_p = (int *)std::malloc(sizeof(int));
S-au alocat 4 octeti, folosind functia malloc, si nu au mai fost dezalocati
-> Linia 10: int *c_q = (int *)std::malloc(10 * sizeof(int));
S-au alocat 10 x 4 = 40 de octeti, folosind functia malloc, si nu au mai fost dezalocati
->Linia 18: int *cpp_p = new int;
S-au alocat 4 octeti, folosind operatorul new, si nu au mai fost dezalocati
->Linia 20: int *cpp_q = new int[10];
S-au alocat 10 x 4 = 40 de octeti, folosind operatorul new[], si nu au mai fost dezalocati
Avem un memory leak de: 4 + 40 + 4 + 40 = 88 de octeti, lucru specificat si in sectiunea LEAK SUMMARY a raportului oferit de catre Valgrind
Haideti sa rezolvam problemele raportate de catre Valgrind, sa rulam din nou utilitarul si sa vedem cum arata noul raport.
Noul fisier sursa este no_memory_leaks.cpp:
- #include <iostream>
- #include <cstdlib>
- int main()
- {
- int i;
- int *c_p = (int *)std::malloc(sizeof(int));
- *c_p = 1;
- int *c_q = (int *)std::malloc(10 * sizeof(int));
- for (i = 0; i < 10; ++i)
- c_q[i] = i;
- for (i = 0; i < 10; ++i)
- std::cout << c_q[i] << "\n";
- std::free(c_p);
- std::free(c_q);
- int *cpp_p = new int;
- *cpp_p = 1;
- int *cpp_q = new int[10];
- for (i = 0; i < 10; ++i)
- cpp_q[i] = i;
- for (i = 0; i < 10; ++i)
- std::cout << cpp_q[i] << "\n";
- delete cpp_p;
- delete [] cpp_q;
- return EXIT_SUCCESS;
- }
Compilare:
- g++ -Wall -Wextra -g -O0 no_memory_leaks.cpp -o no_memory_leak
Executand folosind memcheck:
- valgrind --tool=memcheck --leak-check=yes ./no_memory_leaks
obtinem:
- ==14663== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 19 from 1)
- ==14663== malloc/free: in use at exit: 0 bytes in 0 blocks.
- ==14663== malloc/free: 4 allocs, 4 frees, 88 bytes allocated.
- ==14663== For counts of detected errors, rerun with: -v
- ==14663== All heap blocks were freed -- no leaks are possible.
Precum se poate observa, Valgrind nu mai raporteaza nici o problema de tip memory leak.
2.4. Utilizarea incorecta a functiilor de alocare/dezalocare a memoriei
O problema destul de frecvent intalnita de catre programatorii C++ incepatori este utilizarea operatorului delete in locul operatorului delete [], pentru a dezaloca un array alocat dinamic.
Haideti sa vedem daca Valgrind detecteaza aceasta situatie (array_delete_missuse.cpp):
- #include <iostream>
- #include <cstdlib>
- int main()
- {
- int i;
- int *p = new int[10];
- for (i = 0; i < 10; ++i)
- p[i] = i;
- for (i = 0; i < 10; ++i)
- std::cout << p[i] << "\n";
- /* bug - should be delete [] p */
- delete p;
- return EXIT_SUCCESS;
- }
Compilare:
- g++ -Wall -Wextra -g -O0 array_delete_missuse.cpp -o array_delete_missuse
Executand folosind memcheck:
- valgrind --tool=memcheck --leak-check=yes ./array_delete_missuse
obtinem:
- ==15289== Mismatched free() / delete / delete []
- ==15289== at 0x402599A: operator delete(void*) (vg_replace_malloc.c:342)
- ==15289== by 0x804878B: main (array_delete_missuse.cpp:15)
- ==15289== Address 0x42d6028 is 0 bytes inside a block of size 40 alloc'd
- ==15289== at 0x402630E: operator new[](unsigned int) (vg_replace_malloc.c:268)
- ==15289== by 0x804871C: main (array_delete_missuse.cpp:7)
Precum se poate observa, Valgrind raporteaza faptul ca s-a incercat eliberarea memoriei intr-un mod incorect, la linia 15 (delete p;), in fisierul array_delete_missuse.cpp
In general, regulile care trebuiesc urmate in privinta dezalocarii memoriei, in C++, sunt urmatoarele:
- memoria alocata folosind functiile malloc()/calloc()/realloc() trebuie sa fie dezalocata folosind functia free()
- memoria alocata folosind operatorul new trebuie dezalocata folosind operatorul delete
- memoria alocata folosind operatorul new [] trebuie dezalocata folosind operatorul delete []
Valgrind va detecta situatiile in care aceasta regula este incalcata (de exemplu in cazul in care se aloca memorie folosind functia malloc(), dar se dezaloca folosind operatorul delete).
O alta posibila problema este incercarea de a dezaloca o zona de memorie care nu a fost alocata dinamic.
Exemplul urmator (invalid_dealloc.c) demonstreaza acest tip de problema.
- #include <stdio.h>
- #include <stdlib.h>
- #define NUMBER_ELEMS 10
- int main()
- {
- int i;
- int array[NUMBER_ELEMS];
- for (i = 0; i < NUMBER_ELEMS; i++)
- {
- array[i] = i;
- printf("array[%d] = %d\n", i, array[i]);
- }
- free(array);
- return EXIT_SUCCESS;
- }
Compilare:
- gcc -Wall -Wextra -g -O0 invalid_dealloc.c -o invalid_dealloc
Executand folosind memcheck:
- valgrind --tool=memcheck --leak-check=yes ./invalid_dealloc
obtinem:
- ==19852== Invalid free() / delete / delete[]
- ==19852== at 0x4025DFA: free (vg_replace_malloc.c:323)
- ==19852== by 0x804844A: main (invalid_dealloc.c:17)
- ==19852== Address 0xbeaacd28 is on thread 1's stack
Mesajul ne spune faptul ca, la linia 17 in fisierul invalid_dealloc.c, am incercat sa dezalocam o zona de memorie alocata pe stiva.
De asemenea, Valgrind este capabil sa detecteze probleme de tip double-free (in care o zona de memorie alocata dinamic este dezalocata de doua sau mai multe ori).
Exemplul urmator demonstreaza acest lucru (double_free_error.c)
- #include <stdio.h>
- #include <stdlib.h>
- int main()
- {
- int* p = (int*)malloc(sizeof(int));
- *p = 5;
- printf("%d\n", *p);
- free(p);
- free(p);
- return EXIT_SUCCESS;
- }
Compilare:
- gcc -Wall -Wextra -g -O0 double_free_error.c -o double_free_error
Executand folosind memcheck:
- valgrind --tool=memcheck --leak-check=yes ./double_free_error
obtinem:
- ==20168== Invalid free() / delete / delete[]
- ==20168== at 0x4025DFA: free (vg_replace_malloc.c:323)
- ==20168== by 0x8048477: main (double_free_error.c:10)
- ==20168== Address 0x41b1028 is 0 bytes inside a block of size 4 free'd
- ==20168== at 0x4025DFA: free (vg_replace_malloc.c:323)
- ==20168== by 0x804846C: main (double_free_error.c:9)
Analizand mesajul, se observa ca a avut loc o operatie invalida de dezalocare, utilizand functia free(), la linia 10 in fisierul double_free_error.c.
2.5. Detectia problemelor de tip buffer-overflow
Problemele de tip buffer-overflow trebuiesc tratate in modul cel mai serios. Ele preprezinta un risc de securitate major, fiind o tinta predilecta a exploit-urilor, putandu-se ajunge chiar la executia de cod arbitrar pe sistemul "victimei", cu drepturi de super-user.
Incepem cu un exemplu simplu de buffer overflow, in cazul unui buffer alocat dinamic (pe heap) (simple_buffer_overflow.c)
- #include <stdio.h>
- #include <stdlib.h>
- #define NUMBER_ELEMS 10
- int main()
- {
- int i;
- int *array = malloc(NUMBER_ELEMS * sizeof(int));
- for (i = 1; i <= NUMBER_ELEMS; i++)
- {
- array[i] = i;
- printf("array[%d] = %d\n", i, array[i]);
- }
- free(array);
- return EXIT_SUCCESS;
- }
Compilare:
- gcc -Wall -Wextra -g -O0 simple_buffer_overflow.c -o simple_buffer_overflow
Daca rulez executabilul (fara sa folosesc Valgrind), obtin urmatorul output pe sistemul meu.
- ./simple_buffer_overflow
- array[1] = 1
- array[2] = 2
- array[3] = 3
- array[4] = 4
- array[5] = 5
- array[6] = 6
- array[7] = 7
- array[8] = 8
- array[9] = 9
- array[10] = 10
Aparent nu e nici o problema, programul nu a "crapat". Dar nu e deloc asa ... programul prezinta un buffer-overflow evident la linia array[i] = i, pentru cazul in care i = NUMBER_ELEMS. Iar daca nu a "crapat" in cazul meu, nu inseamna ca atunci cand va fi rulat din nou (eventual pe un alt sistem) nu se va intampla.
Erorile de acest gen duc la coruperea memoriei, care cauzeaza de obicei un comportament impredictibil al programului.
Sa rulam programul utilizand Valgrind:
- valgrind --tool=memcheck --leak-check=yes ./simple_buffer_overflow
Se obtine:
- ==17295== Invalid write of size 4
- ==17295== at 0x804845B: main (simple_buffer_overflow.c:13)
- ==17295== Address 0x41b1050 is 0 bytes after a block of size 40 alloc'd
- ==17295== at 0x4026FDE: malloc (vg_replace_malloc.c:207)
- ==17295== by 0x8048440: main (simple_buffer_overflow.c:9)
- ==17295==
- ==17295== Invalid read of size 4
- ==17295== at 0x8048466: main (simple_buffer_overflow.c:14)
- ==17295== Address 0x41b1050 is 0 bytes after a block of size 40 alloc'd
- ==17295== at 0x4026FDE: malloc (vg_replace_malloc.c:207)
- ==17295== by 0x8048440: main (simple_buffer_overflow.c:9)
- array[10] = 10
In acest moment devine evident faptul ca programul acceseaza incorect memoria (in afara buffer-ului):
- in mod scriere (la linia 13): array[i] = i;
- in mod citire (la linia 14): printf("array[%d] = %d\n", i, array[i]);
in cazul in care variabila i are valoarea 10.
Sa facem o mica modificare in codul anterior. Buffer-ul nu va mai fi alocat dinamic, ci va fi alocat pe stiva.
Rezulta urmatorul cod (stack_buffer_overflow.c):
- #include <stdio.h>
- #include <stdlib.h>
- #define NUMBER_ELEMS 10
- int main()
- {
- int i;
- int array[NUMBER_ELEMS];
- for (i = 1; i <= NUMBER_ELEMS; i++)
- {
- array[i] = i;
- printf("array[%d] = %d\n", i, array[i]);
- }
- return EXIT_SUCCESS;
- }
Compilare:
- gcc -Wall -Wextra -g -O0 stack_buffer_overflow.c -o stack_buffer_overflow
Ruland folosind mcheck:
- valgrind --tool=memcheck --leak-check=yes ./stack_buffer_overflow
obtinem:
- ==17691== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 13 from 1)
- ==17691== malloc/free: in use at exit: 0 bytes in 0 blocks.
- ==17691== malloc/free: 0 allocs, 0 frees, 0 bytes allocated.
- ==17691== For counts of detected errors, rerun with: -v
- ==17691== All heap blocks were freed -- no leaks are possible.
Precum se poate observa, Valgrind nu a raportat nici o eroare ... Asta inseamna cumva faptul ca codul nu are nici o problema ? Nu, inseamna doar faptul ca Valgrind nu a detectat overflow-ul unui buffer alocat pe stiva.
Pur si simplu Valgrind "nu stie" sa detecteze o astfel de problema.
2.6. Detectia de erori privind utilizarea thread-urilor POSIX
Utilitarul helgrind poate fi folosit pentru a detecta erori tipice privind utilizarea thread-urilor POSIX (pthreads).
2.6.1. Race-condition
In exemplul urmator (race_condition.c), vom utiliza helgrind pentru a detecta o problema de tip race-condtion.
- #include <pthread.h>
- #include <unistd.h>
- #include <stdio.h>
- #include <stdlib.h>
- int g_counter;
- void *increment_counter(void* arg)
- {
- int i;
- for (i = 0; i < 10; i++)
- {
- ++g_counter;
- sleep(1);
- ++g_counter;
- printf("counter = %d\n", g_counter);
- }
- return NULL;
- }
- int main ()
- {
- pthread_t thread1, thread2;
- pthread_create(&thread1, NULL, increment_counter, NULL);
- pthread_create(&thread2, NULL, increment_counter, NULL);
- pthread_join(thread1, NULL);
- pthread_join(thread2, NULL);
- return EXIT_SUCCESS;
- }
In acest exemplu sunt create doua thread-uri: thread1 si thread2.
Cele thread-uri incrementeaza valoarea unei variabile globale, g_counter (fiecare thread incrementeaza g_counter de doua ori, intr-o bucla).
Functia sleep este folosita doar pentru a creste probabilitatea desincronizarii celor doua thread-uri.
Este evident faptul ca cele doua thread-uri sunt in race unul cu celalat, accesul la variabila globala nefiind sincronizat in nici un fel.
Compilare:
- gcc -Wall -Wextra -g -O0 race_condition.c -o race_condition -lpthread
Ruland folosind helgrind:
- valgrind --tool=helgrind ./race_condition
obtinem:
- ==21286== Possible data race during read of size 4 at 0x804a028 by thread #3
- ==21286== at 0x80484F3: increment_counter (race_condition.c:13)
- ==21286== by 0x402A89B: mythread_wrapper (hg_intercepts.c:194)
- ==21286== by 0x40554FE: start_thread (in /lib/tls/i686/cmov/libpthread-2.9.so)
- ==21286== by 0x414C49D: clone (in /lib/tls/i686/cmov/libc-2.9.so)
- ==21286== This conflicts with a previous write of size 4 by thread #2
- ==21286== at 0x80484FB: increment_counter (race_condition.c:13)
- ==21286== by 0x402A89B: mythread_wrapper (hg_intercepts.c:194)
- ==21286== by 0x40554FE: start_thread (in /lib/tls/i686/cmov/libpthread-2.9.so)
- ==21286== by 0x414C49D: clone (in /lib/tls/i686/cmov/libc-2.9.so)
- ==21286==
- ==21286== Possible data race during write of size 4 at 0x804a028 by thread #3
- ==21286== at 0x80484FB: increment_counter (race_condition.c:13)
- ==21286== by 0x402A89B: mythread_wrapper (hg_intercepts.c:194)
- ==21286== by 0x40554FE: start_thread (in /lib/tls/i686/cmov/libpthread-2.9.so)
- ==21286== by 0x414C49D: clone (in /lib/tls/i686/cmov/libc-2.9.so)
- ==21286== This conflicts with a previous write of size 4 by thread #2
- ==21286== at 0x80484FB: increment_counter (race_condition.c:13)
- ==21286== by 0x402A89B: mythread_wrapper (hg_intercepts.c:194)
- ==21286== by 0x40554FE: start_thread (in /lib/tls/i686/cmov/libpthread-2.9.so)
- ==21286== by 0x414C49D: clone (in /lib/tls/i686/cmov/libc-2.9.so)
- ==21286==
- ==21286== Possible data race during read of size 4 at 0x804a028 by thread #2
- ==21286== at 0x804850C: increment_counter (race_condition.c:15)
- ==21286== by 0x402A89B: mythread_wrapper (hg_intercepts.c:194)
- ==21286== by 0x40554FE: start_thread (in /lib/tls/i686/cmov/libpthread-2.9.so)
- ==21286== by 0x414C49D: clone (in /lib/tls/i686/cmov/libc-2.9.so)
- ==21286==
- ==21286== Possible data race during write of size 4 at 0x804a028 by thread #2
- ==21286== at 0x8048514: increment_counter (race_condition.c:15)
- ==21286== by 0x402A89B: mythread_wrapper (hg_intercepts.c:194)
- ==21286== by 0x40554FE: start_thread (in /lib/tls/i686/cmov/libpthread-2.9.so)
- ==21286== by 0x414C49D: clone (in /lib/tls/i686/cmov/libc-2.9.so)
- ==21286== This conflicts with a previous read of size 4 by thread #3
- ==21286== at 0x80484F3: increment_counter (race_condition.c:13)
- ==21286== by 0x402A89B: mythread_wrapper (hg_intercepts.c:194)
- ==21286== by 0x40554FE: start_thread (in /lib/tls/i686/cmov/libpthread-2.9.so)
- ==21286== by 0x414C49D: clone (in /lib/tls/i686/cmov/libc-2.9.so)
- ==21286==
- ==21286== Possible data race during read of size 4 at 0x804a028 by thread #2
- ==21286== at 0x8048519: increment_counter (race_condition.c:16)
- ==21286== by 0x402A89B: mythread_wrapper (hg_intercepts.c:194)
- ==21286== by 0x40554FE: start_thread (in /lib/tls/i686/cmov/libpthread-2.9.so)
- ==21286== by 0x414C49D: clone (in /lib/tls/i686/cmov/libc-2.9.so)
Valgrind raporteaza faptul ca exista o problema de tip race-condition in fisierul race_condition.c, in functia increment_counter(), la liniile 13, 15 si 16 (adica exact acolo unde variabila globala g_counter este citita respectiv modificata).
Pentru a rezolva aceasta problema, putem folosi un mutex, pentru a asigura accesul sincronizat la variabila g_counter. Exemplul urmator ilustreaza acest lucru (no_race_condition.c):
- #include <pthread.h>
- #include <unistd.h>
- #include <stdio.h>
- #include <stdlib.h>
- int g_counter;
- /* mutex used to synchronize access to g_counter */
- pthread_mutex_t mutex;
- void *increment_counter(void* arg)
- {
- int i;
- for (i = 0; i < 10; i++)
- {
- pthread_mutex_lock(&mutex);
- ++g_counter;
- sleep(1);
- ++g_counter;
- printf("counter = %d\n", g_counter);
- pthread_mutex_unlock(&mutex);
- }
- return NULL;
- }
- int main ()
- {
- pthread_t thread1, thread2;
- pthread_mutex_init(&mutex, NULL);
- pthread_create(&thread1, NULL, increment_counter, NULL);
- pthread_create(&thread2, NULL, increment_counter, NULL);
- pthread_join(thread1, NULL);
- pthread_join(thread2, NULL);
- pthread_mutex_destroy(&mutex);
- return EXIT_SUCCESS;
- }
In acest caz, Valgrind nu mai raporteaza nici o problema.
2.6.2. Deadlock
O alta problema des intalnita in dezvoltarea de aplicatii multi-threaded este situatia de deadlock.
Programul de mai jos (deadlock.c) este vulnerabil la aceasta problema.
Se observa aplicarea unuia din cazurile clasice in care se ajunge la deadlock: doua thread-uri achizitioneaza 2 lock-uri (in cazul de fata de tip mutex) in ordine invers.
- #include <pthread.h>
- #include <unistd.h>
- #include <stdio.h>
- #include <stdlib.h>
- int g_counter;
- pthread_mutex_t mutex1;
- pthread_mutex_t mutex2;
- void *func1(void* arg)
- {
- pthread_mutex_lock(&mutex1);
- pthread_mutex_lock(&mutex2);
- ++g_counter;
- sleep(5);
- pthread_mutex_unlock(&mutex2);
- pthread_mutex_unlock(&mutex1);
- return NULL;
- }
- void *func2(void* arg)
- {
- pthread_mutex_lock(&mutex2);
- pthread_mutex_lock(&mutex1);
- ++g_counter;
- sleep(5);
- pthread_mutex_unlock(&mutex1);
- pthread_mutex_unlock(&mutex2);
- return NULL;
- }
- int main ()
- {
- pthread_t thread1, thread2;
- pthread_mutex_init(&mutex1, NULL);
- pthread_mutex_init(&mutex2, NULL);
- pthread_create(&thread1, NULL, func1, NULL);
- pthread_create(&thread2, NULL, func2, NULL);
- pthread_join(thread1, NULL);
- pthread_join(thread2, NULL);
- pthread_mutex_destroy(&mutex1);
- pthread_mutex_destroy(&mutex2);
- return EXIT_SUCCESS;
- }
Compilare:
- gcc -Wall -Wextra -g -O0 deadlock.c -o deadlock -lpthread
Ruland folosind helgrind:
- valgrind --tool=helgrind ./deadlock
obtinem:
- ==22570== Thread #3: lock order "0x804A034 before 0x804A04C" violated
- ==22570== at 0x4027CE7: pthread_mutex_lock (hg_intercepts.c:409)
- ==22570== by 0x8048627: func2 (deadlock.c:24)
- ==22570== by 0x402A89B: mythread_wrapper (hg_intercepts.c:194)
- ==22570== by 0x40554FE: start_thread (in /lib/tls/i686/cmov/libpthread-2.9.so)
- ==22570== by 0x414C49D: clone (in /lib/tls/i686/cmov/libc-2.9.so)
- ==22570== Required order was established by acquisition of lock at 0x804A034
- ==22570== at 0x4027CE7: pthread_mutex_lock (hg_intercepts.c:409)
- ==22570== by 0x80485C5: func1 (deadlock.c:12)
- ==22570== by 0x402A89B: mythread_wrapper (hg_intercepts.c:194)
- ==22570== by 0x40554FE: start_thread (in /lib/tls/i686/cmov/libpthread-2.9.so)
- ==22570== by 0x414C49D: clone (in /lib/tls/i686/cmov/libc-2.9.so)
- ==22570== followed by a later acquisition of lock at 0x804A04C
- ==22570== at 0x4027CE7: pthread_mutex_lock (hg_intercepts.c:409)
- ==22570== by 0x80485D1: func1 (deadlock.c:13)
- ==22570== by 0x402A89B: mythread_wrapper (hg_intercepts.c:194)
- ==22570== by 0x40554FE: start_thread (in /lib/tls/i686/cmov/libpthread-2.9.so)
- ==22570== by 0x414C49D: clone (in /lib/tls/i686/cmov/libc-2.9.so)
- ==22570==
- ==22570== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 60 from 5)
Se observa ca Valgrind a detectat situatia de deadlock, datorata faptului ca lock-urile sunt achizitionate in ordine inversa de catre cele doua thread-uri.
