Understanding Valgrind errors (1)
While debugging segmentation faults (crashes) in PHP and its extensions, I often use Valgrind to assist me finding the root cause. Valgrind is an instrumentation framework for building dynamic analysis tools. It contains several tools, and its Memcheck tool is the one that detects memory-management problems. Memcheck is really valuable for C and C++ developers and something you should learn, especially when you write PHP extensions.
Memcheck's error messages can sometimes be difficult to understand, so with this (infrequent series), I hope to shed some light on it.
Let's have a look at the following Valgrind error output, which I encountered while debugging issue PHP-963 of the MongoDB driver for PHP:
==18500== Invalid read of size 8 ==18500== at 0xC5FB7F1: zim_MongoCursor_info (cursor.c:866) ==18500== by 0x9AF93F: execute_internal (zend_execute.c:1480) ==18500== by 0xBF1B8FD: xdebug_execute_internal (xdebug.c:1565) ==18500== by 0x9B0715: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:645) ==18500== by 0x9B0D88: ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER (zend_vm_execute.h:756) ==18500== by 0x9AFCAA: execute (zend_vm_execute.h:410) ==18500== by 0xBF1B47C: xdebug_execute (xdebug.c:1453) ==18500== by 0x976CC6: zend_execute_scripts (zend.c:1315) ==18500== by 0x8F3340: php_execute_script (main.c:2502) ==18500== by 0xA172B9: do_cli (php_cli.c:989) ==18500== by 0xA1825E: main (php_cli.c:1365) ==18500== Address 0x38 is not stack'd, malloc'd or (recently) free'd
An Invalid read means that the memory location that the process was trying to read is outside of the memory addresses that are available to the process. size 8 means that the process was trying to read 8 bytes. On 64-bit platforms this could be a pointer, but also for example a long int.
The last line of the error report says Address 0x38 is not stack'd, malloc'd
or (recently) free'd, which means that the address that the process was trying to read 8 bytes from starts at 0x38. The line also says that the address is unavailable through stack space, heap space (malloc), or that it was recently a valid memory location.
A very low address, such as 0x38 (56 in decimal), combined with size 8 often indicates that you tried to dereference an element of a struct which was pointed to by a NULL pointer.
When I checked line 866 of cursor.c I saw:
add_assoc_string(return_value, "server", cursor->connection->hash, 1);
cursor is a struct of type mongo_cursor which is defined as:
typedef struct {
zend_object std;
/* Connection */
mongo_connection *connection;
…
} mongo_cursor;
The zend_object std; is a general struct that is part of every overloaded object (overloaded in the PHP Internals sense) and contains four pointers that make up the first 32 bytes. This means that connection starts at offset 32.
The connection member is a struct of type mongo_connection that is defined as:
typedef struct _mongo_connection
{
time_t last_ping; // 0
int ping_ms; // 8
int last_ismaster; // 12
int last_reqid; // 16
void *socket; // 24
int connection_type; // 32
int max_bson_size; // 36
int max_message_size; // 40
int tag_count; // 44
char **tags; // 48
char *hash; // 56
mongo_connection_deregister_callback *cleanup_list; // 64
} mongo_connection;
I've added the offsets as they are on a 64-bit platform as comments.
In C the code cursor->connection->hash gets converted to an address as follows:
-
Take the address in
cursor -
Find the offset for the
connectionmember (32) -
Find the address that is stored at offset 32 (In my example, that'd be
NULL) -
Find the offset of
hashin the struct thatconnectionrepresents (56) -
Read the pointer data (8 bytes data) at the address from step 3 plus the offset of step 4.
This reads 8 bytes of data from address 56 (0x38) which is not valid, and hence Valgrind produces the error message, and then kills the process.
In short, an error where Address 0x38 is not stack'd, malloc'd or (recently)
free'd has a low address in the message often means a NULL-pointer dereference.
Comments
Thanks for sharing this insight! I'm new to c and there's something I do not understand about the offsets. I wonder why some mongo_connection members of type int are counted as 4 bytes and others as 8 bytes. How is this possible?
@Jaap: An int is always 4 bytes (on my platform), but offsets also need to be aligned. This means that a data object that is 4 bytes large, needs to start on an address divisible by 4. And if a data object is 8 bytes large(such as a pointer), it needs to start on an address divisible by 8.
last_reqid seems to take up 8 bytes because of this, as the void* for socket is 8 bytes long and hence cannot start on offset 20.
Thanks for pointing that out!
Are all these structs and types (cursor, mongo_cursor etc.) in the same file cursor.c. If not do they belong to the files defined as "by" line in the Valgrind output.
They are not all in the same file. The "by" lines just indicate the current stack, and not where structs live.
Life Line
What the United States and Israel are doing to Iran is undistinguishable from Russia is doing to Ukraine.
Created 8 waste_baskets, 7 benches, and 5 other objects
Updated a pub
Created 3 recyclings, 3 waste_baskets, and 2 other objects
I walked 3.4km in 56m37s
Updates from walk
🐰🥚 Two bunnies lazing about, tired from hiding all the chocolate eggs.
Created a bench; Updated a bus_stop
I walked 1.7km in 28m08s
Updated 2 bus_stops
Created a telephone; Updated a cafe and a toilet; Deleted a kiosk shop and a toilet; Confirmed an atm
Updated a bench
Updated a restaurant
I hiked 17.3km in 3h37m57s
Updated a restaurant
I walked 9.6km in 2h5m58s
I walked 7.2km in 1h10m18s
Updated a pet_grooming shop; Deleted a dry_cleaning shop; Confirmed 2 variety_store shops, a fitness_centre, and a convenience shop
I walked 4.1km in 47m50s
I walked 1.2km in 9m08s
Map new layout of Meanwhile Gardens
I walked 10.4km in 1h45m58s
This is probably the shortest chapter I've ever read in any book. And it'll likely stay like that.
Shortlink
This article has a short URL available: https://drck.me/valgrind1-aum