Dr. Memory
|
Dr. Memory Runtime Option Reference
Dr. Memory's behavior can be controlled through options passed to drmemory prior to the "--" delimiter. Boolean options can be disabled using a "-no_" prefix. Here is a list of options along with their default values and descriptions:
- -version
default: false
Display Dr. Memory version - -help
default: false
Display the full option list - -dr <string>
default: ""
The path to the DynamoRIO installation to use. Not needed when using a released Dr. Memory package. - -drmemory <string>
default: ""
The path to the base of the Dr. Memory installation. Not needed when invoking Dr. Memory from an unmodified installation tree. - -follow_children
default: true
Monitor child processes by following across execve on Linux or CreateProcess on Windows. On Linux, monitoring always continues across a fork. - -nudge <int>
default: 0 (minimum: 0, maximum: UINT_MAX)
Use this option to 'nudge' an already-running process in order to request leak checking and other Dr. Memory actions that normally only occur when the process exits. Not currently available on MacOS. - -v
default: false
Display verbose information in the Dr. Memory front end - -light
default: false
This option enables a lightweight mode that detects unaddressable accesses, free/delete/delete[] mismatches, and GDI API usage errors in Windows, but not uninitialized reads or memory leaks. - -brief
default: false
Show simplified and easier-to-read error reports that hide STL and CRT source paths, remove executable path prefixes from source files, omit absolute addresses, omit instruction disassembly, and omit thread timestamps. Also enables -delay_frees_stack and disables -callstack_use_top_fp, trading off performance for better error reports. - -logdir <string>
default: "<install>/logs"
Destination base directory for result files and the symbol cache (unless -symcache_dir is specified). A subdirectory inside this base directory is created for each process that is run, along with a single shared symbol cache directory. If you specify a separate base directory for every run, you will lose the benefits of symbol caching, unless you also specify a separate shared cache directory with the -symcache_dir option. - -verbose <int>
default: 1 (minimum: 0, maximum: 32)
Verbosity level in log files: 0=none, 1=warnings, 2+=diagnostic. Primarily for debugging of Dr. Memory itself. - -quiet
default: false
Suppress stderr messages and, on Windows, popup messages. Overrides -results_to_stderr and -summary. - -results_to_stderr
default: true
Print error reports to stderr in addition to results.txt, interleaving them with the application output. The output will be prefixed byDr.Mfor the main thread and by the thread id for other threads. This interleaving can make it easier to see which part of an application run raised an error. - -prefix_style <int>
default: 0 (minimum: 0, maximum: 2)
For -results_to_stderr, controls the per-line prefix:-
0 = Default prefix:
Dr.Mfor the main thread and the thread id for other threads. - 1 = No prefix.
- 2 = Use blank spaces. This makes the output compatible with Visual Studio file and line number parsing.
-
0 = Default prefix:
- -log_suppressed_errors
default: false
Log suppressed error reports for postprocessing. Enabling this option will increase the logfile size, but will allow users to re-process suppressed reports with alternate suppressions or additional symbols. - -ignore_asserts
default: false
Display, but do not abort, on asserts in debug build (in release build asserts are automatically disabled). - -exit_code_if_errors <int>
default: 0 (minimum: INT_MIN, maximum: INT_MAX)
If non-zero, the app's exit code is changed to this code if any errors are found. - -pause_at_error
default: false
Dr. Memory pauses at the point of each error that is identified. On Windows, this pause is a popup window. On Linux, the pause involves waiting for a keystroke, which may not work well if the application reads from stdin. In that case consider -pause_via_loop as an additional option. - -pause_at_unaddressable
default: false
Dr. Memory pauses at the point of each unaddressable access error that is identified. On Windows, this pause is a popup window. On Linux, the pause involves waiting for a keystroke, which may not work well if the application reads from stdin. In that case consider -pause_via_loop as an additional option. - -pause_at_uninitialized
default: false
Identical to -pause_at_unaddressable, but applies to uninitialized access errors. - -pause_at_exit
default: false
Pauses at exit, using the same mechanism described in -pause_at_unaddressable. Meant for examining leaks in the debugger. - -pause_at_assert
default: false
Dr. Memory pauses at the point of each debug-build assert. On Windows, this pause is a popup window. On Linux, the pause involves waiting for a keystroke, which may not work well if the application reads from stdin. In that case consider -pause_via_loop as an additional option. - -pause_via_loop
default: false
Used in conjunction with -pause_at_uninitialized and -pause_at_uninitialized on Linux, this option causes Dr. Memory to pause via an infinite loop instead of waiting for stdin. Dr. Memory will not continue beyond the first such error found. - -crash_at_unaddressable
default: false
Dr. Memory terminates the process in a crash at the point of the first unaddressable access error that is identified. - -crash_at_error
default: false
Dr. Memory terminates the process in a crash at the point of the first error that is identified. - -callstack_max_frames <int>
default: 20 (minimum: 0, maximum: 4096)
How many call stack frames to record for each non-leak error report. A larger maximum will ensure that no call stack is truncated, but can use more memory and slow down the tool if there are many error reports with large callstacks. This option must be larger than the largest suppression supplied to -suppress. The separate option -malloc_max_frames controls the callstack size for leak reports, while -free_max_frames controls the callstack size for freed memory overlap reports from -delay_frees_stack. - -malloc_max_frames <int>
default: 12 (minimum: 0, maximum: 4096)
How many call stack frames to record on each malloc, for use in leak error reports as well as alloc/free mismatch error reports (unless leaks are disabled (via -no_count_leaks or -light) and -malloc_callstacks is also disabled). A larger maximum will ensure that no call stack is truncated, but can use more memory and slow down the tool. - -free_max_frames <int>
default: 6 (minimum: 0, maximum: 4096)
If -delay_frees_stack is enabled, this controls how many call stack frames to record for each use-after-free informational report. A larger maximum will ensure that no call stack is truncated, but can use more memory and slow down the tool. - -callstack_style <int>
default: 0x0301 (minimum: 0, maximum: 0x1fff)
Set of flags that controls the callstack printing style:- 0x0001 = show frame numbers
- 0x0002 = show absolute address
- 0x0004 = show offset from library base
- 0x0008 = show offset from symbol start: "library!symbol+offs"
- 0x0010 = show offset from line start: "foo.c:44+0x8"
- 0x0020 = "file:line" on separate line
- 0x0040 = "file @ line" instead of "file:line"
- 0x0080 = "symbol library" instead of "library!symbol"
- 0x0100 = put fields in aligned columns
- 0x0200 = show symbol and module offset when symbols are missing
- 0x0400 = print unique module id
- 0x0800 = show "file(line):" instead of "file:line"d
- 0x1000 = expand template parameters (from "<>") for PDB symbols
- -callstack_truncate_below <string>
default: "main,wmain,WinMain,wWinMain,*RtlUserThreadStart,_threadstartex,BaseThreadInitThunk"
Callstacks will be truncated at any frame that matches any of these ,-separated function names. The function names can contain * or ? wildcards. - -callstack_modname_hide <string>
default: "*drmemory*"
Callstack frames will not list module names matching any of these ,-separated patterns. The names can contain * or ? wildcards. The module name will be displayed whenever the function name is uknown, however. The module name will only be hidden for error display purposes: it will still be included when considering suppressions, and it will be included in the generated suppression callstacks. - -callstack_exe_hide
default: true
Callstack frames will not list the executable name. The executable name will be displayed whenever the function name is uknown, however. The executable name will only be hidden for error display purposes: it will still be included when considering suppressions, and it will be included in the generated suppression callstacks. - -callstack_srcfile_hide <string>
default: ""
Callstack frames will not list source file paths matching any of these ,-separated patterns. The paths can contain * or ? wildcards. - -callstack_srcfile_prefix <string>
default: ""
Callstack frame source paths that match any of these ,-separated prefixes will be printed without the leading portion up to and including the match. - -lib_blocklist_default <string>
default: ""
This is the default-filled version of -lib_blocklist; the user is epxected to set -lib_blocklist and not this option. Error reports whose top N frames' module paths all match any of these ,-separated patterns will be separated by default as merely potential errors, where N is -lib_blocklist_frames. Every one of of the top N frames must match something on the list. These errors are then reported to potential_errors.txt rather than results.txt. This feature is disabled if -lib_blocklist_frames is 0. The -lib_allowlist takes priority over this blocklist: i.e., if any top frame matches the allowlist, the error will be reported normally, even if all frames also match the blocklist. Each pattern can use * and ? wildcards (which have the same semantics as in suppression files) and is matched against the full path of each module. The default on Windows, unless the user sets this value, is set to libraries in $SYSTEMROOT and in the 'Microsoft Shared' directories inside $CommonProgramFiles and $CommonProgramFiles(x86). - -lib_blocklist <string>
default: ""
Error reports whose top N frames' module paths all match any of these ,-separated patterns will be separated by default as merely potential errors, where N is -lib_blocklist_frames. Every one of of the top N frames must match something on the list. These errors are then reported to potential_errors.txt rather than results.txt. This feature is disabled if -lib_blocklist_frames is 0. The -lib_allowlist takes priority over this blocklist: i.e., if any top frame matches the allowlist, the error will be reported normally, even if all frames also match the blocklist. Each pattern can use * and ? wildcards (which have the same semantics as in suppression files) and is matched against the full path of each module. This option is combined with -lib_blocklist_default to produce the full blocklist used by the tool. - -lib_blocklist_frames <int>
default: 4 (minimum: 0, maximum: 4096)
The number of frames, starting from the top, that must match -lib_blocklist in a callstack in order for an error report to be separated from the regularly reported errors. Setting this value to 0 disables blocklist-based error separation. If the top frame is a system call or a replace_* Dr. Memory routine, it is ignored and matching starts from the second frame. - -lib_allowlist <string>
default: ""
Error reports where not a single one of the top N frames' module paths match any of these ,-separated patterns will be separated by default as merely potential errors, where N is -lib_allowlist_frames. These errors are reported to potential_errors.txt rather than results.txt. This feature is disabled if -lib_allowlist_frames is 0 or if -lib_allowlist is empty. This allowlist takes priority over -lib_blocklist: i.e., if any top frame matches the allowlist, the error will be reported normally, even if all frames also match the blocklist. Each pattern can use * and ? wildcards (which have the same semantics as in suppression files) and is matched against the full path of each module. - -lib_allowlist_frames <int>
default: 4 (minimum: 0, maximum: 4096)
The number of frames, starting from the top, that must not match -lib_allowlist in a callstack in order for an error report to be separated from the regularly reported errors. Setting this value to 0 disables -lib_allowlist-based error separation. If the top frame is a system call or a replace_* Dr. Memory routine, it is ignored and matching starts from the second frame. - -src_allowlist <string>
default: ""
Error reports where not a single one of the top N frames' source file paths match any of these ,-separated patterns will be separated by default as merely potential errors, where N is -src_allowlist_frames. These errors are reported to potential_errors.txt rather than results.txt. This feature is disabled if -src_allowlist_frames is 0 or if -src_allowlist is empty. This allowlist takes priority over -lib_blocklist: i.e., if any top frame matches the allowlist, the error will be reported normally, even if all frames also match the blocklist. If combined with -lib_allowlist, the -lib_allowlist will perform its check first, followed by -src_allowlist. Each pattern can use * and ? wildcards (which have the same semantics as in suppression files) and is matched against the full path of each source file. - -src_allowlist_frames <int>
default: 4 (minimum: 0, maximum: 4096)
The number of frames, starting from the top, that must not match -src_allowlist in a callstack in order for an error report to be separated from the regularly reported errors. Setting this value to 0 disables -src_allowlist-based error separation. If the top frame is a system call or a replace_* Dr. Memory routine, it is ignored and matching starts from the second frame. - -check_uninit_blocklist <string>
default: ""
For each library or executable basename on this list, Dr. Memory suspends checking of uninitialized reads. Instead Dr. Memory marks all memory written by such modules as defined. This is a more efficient way to ignore all errors from a module than suppressing them or adding to the lib_blocklist option. Dr. Memory does automatically turn a whole-module suppression consisting of a single frame of the form 'modulename!*' into an entry on this list. The entries on this list can contain wildcards. - -callstack_use_unwind
default: IF_LINUX_ELSE(true, false)
Use unwind info rather than stack scanning and frame pointers where available to walk callstacks. When enabled, the other callstack options regarding frame pointers are ignored. - -callstack_use_top_fp
default: true
Whether to trust the top-level ebp/rbp register to hold the next frame pointer. If enabled, overridden when -callstack_use_top_fp_selectively is enabled. Normally trusting the register is correct. However, if a frameless function is on top of the stack, using the ebp register can cause a callstack to skip the next function. If this option is set to false, the callstack walk will perform a stack scan at the top of every callstack. This adds additional overhead in exchange for more accuracy, although in -light mode the additional accuracy has some tradeoffs and can result in incorrect frames. It should not be necessary to disable this option normally, unless an application or one of its static libraries is built with optimizations that omit frame pointers. - -callstack_use_top_fp_selectively
default: true
Whether to trust the top-level ebp/rbp register to hold the next frame pointer in certain situations. When enabled, this overrides -callstack_use_top_fp if it is enabled; but if -callstack_use_top_fp is disabled then the top fp is never used. When this option is enabled, in full or -leaks_only modes then the top fp is not used for all non-leak errors, while in -light mode the top fp is only not used for non-leak errors where the top frame is in an application module. See the -callstack_use_top_fp option for further information about the top frame pointer. - -callstack_use_fp
default: true
Whether to use frame pointers at all. The -callstack_use_top_fp and -callstack_use_top_fp_selectively options control whether to use the top frame pointer. This option controls whether to continue walking the frame pointer chain. Turning this off may be necessary if a mixture of frame pointer optimized code and un-optimized code is in use in the application, to avoid skipping interior callstack frames. - -callstack_conservative
default: false
By default, callstack walking is tuned for performance. It is possible to miss some frames when application code is optimized. Enabling this option causes extra checks to be performed to attempt to create more accurate callstacks. These checks add extra overhead. - -callstack_max_scan <int>
default: 4096 (minimum: 0, maximum: 16384)
How far to scan to locate the first stack frame when starting in a frameless function, or to locate the next stack frame when crossing loader or glue stub thunks or a signal or exception frame. Increasing this can produce better callstacks but may incur noticeable overhead for applications that make many allocation calls. - -callstack_bad_fp_list <string>
default: "libstdc++*"
When walking frame pointers and transitioning from any module on this list to a frame not in the same module, the frame pointer chain is assumed to be suspect and a stack scan is performed. Use this option to avoid missing frames in your application's code that are skipped due to frame pointer optimizations in other libraries. - -check_leaks
default: true
Whether to list details of each individual memory leak. If this option is disabled and -count_leaks is enabled, leaks will still be detected, but only the count of leaks will be shown. - -count_leaks
default: true
Whether to detect memory leaks. Whether details on each leak are shown is controlled by the -check_leaks option. Disabling this option can reduce execution overhead as less information must be kept internally, while disabling -check_leaks will not affect execution overhead. - -symbol_offsets
default: false
Deprecated: use -callstack_style flag 0x4 - -ignore_early_leaks
default: true
Whether to ignore leaks from memory allocated by system code prior to Dr. Memory taking over. - -check_leaks_on_destroy
default: true
If enabled, when a heap is destroyed (HeapDestroy on Windows), report any live allocations inside it as possible leaks. - -possible_leaks
default: true
Whether to list possibly-reachable allocations when leak checking. Requires -check_leaks. - -midchunk_size_ok
default: true
Consider allocations reached by a mid-allocation pointer that points past a size field at the head of the allocation to be reachable instead of possibly leaked. Currently this option looks for a very specific pattern. If your application's header is slightly different please contact the authors about generalizing this check. - -midchunk_new_ok
default: true
Consider allocations reached by a mid-allocation pointer that points past a size field at the head of the allocation that looks like a new[] header to be reachable instead of possibly leaked. A heuristic is used for this identification that is not perfect. - -midchunk_inheritance_ok
default: true
Consider allocations reached by a mid-allocation pointer that points to a parent class instantiation to be reachable instead of possibly leaked. A heuristic is used for this identification that is not perfect. - -midchunk_string_ok
default: true
Consider allocations reached by a mid-allocation pointer that points to a char array inside an instance of a std::string representation to be reachable instead of possibly leaked. A heuristic is used for this identification that is not perfect. - -scan_read_only_files
default: false
Whether the leak scan should scan read-only file-mapped memory when looking for pointers to the heap. The leak scan does not track whether pages have been read-only since they were mapped, so it's possible for the application to store heap pointers in a file-mapped region and then mark it read-only. If your application does so, you may want to turn on this option. - -strings_vs_pointers
default: true
Use heuristics to rule out sub-strings as leak scan pointers, preventing strings from anchoring heap objects and resulting in false negatives. - -show_reachable
default: false
Whether to list reachable allocations when leak checking. Requires -check_leaks. - -suppress <string>
default: ""
File containing errors to suppress. May be repeated. See Suppressing Errors. - -default_suppress
default: true
Use the set of default suppressions that come with Dr. Memory. See Suppressing Errors. - -gen_suppress_offs
default: true
Generate mod+offs suppressions in addition to mod!sym suppressions in the output suppress file - -gen_suppress_syms
default: true
Generate mod!syms suppressions in addition to mod+offs suppressions in the output suppress file - -show_threads
default: true
Whether to print the callstack of each thread creation point referenced in an error report to the global logfile, which can be useful to identify which thread was involved in the error report. Look for 'NEW THREAD' in the global.pid.log file in the log directory where the results.txt file is found. - -show_all_threads
default: false
Whether to print the callstack of each thread creation point (whether referenced in an error report or not) to the global logfile. This can be useful to identify which thread was involved in error reports, as well as general diagnostics for what threads were present during a run. Look for 'NEW THREAD' in the global.pid.log file in the log directory where the results.txt file is found. - -conservative
default: false
Be conservative whenever reading application memory and when assuming registeres are dead. When this option is disabled, Dr. Memory may read return addresses and arguments passed to functions without fault-handling code, which gains performance but can sacrifice robustness when running hand-crafted assembly code. Additionally, with this option disabled, register liveness does not consider faults. - -check_uninit_cmps
default: true
Report definedness errors on compares instead of waiting for conditional jmps. - -check_uninit_non_moves
default: false
Report definedness errors on any instruction that is not a move. Note: turning this option on may result in false positives, but can also help diagnose errors through earlier error reporting. - -check_uninit_all
default: false
Report definedness errors on any instruction, rather than the default of waiting until something meaningful is done, which reduces false positives. Note: turning this option on may result in false positives, but can also help diagnose errors through earlier error reporting. - -strict_bitops
default: false
Currently, Dr. Memory's definedness granularity is per-byte. This can lead to false positives on code that uses bitfields. By default, Dr. Memory relaxes its uninitialized checking on certain bit operations that are typically only used with bitfields, to avoid these false positives. However, this can lead to false negatives. Turning this option on will eliminate all false negatives (at the cost of potential false positives). Eventually Dr. Memory will have bit-level granularity and this option will go away. - -check_pc
default: true
Check the program counter on each instruction to ensure it is executing from valid memory. - -stack_swap_threshold <int>
default: 0x9000 (minimum: 256, maximum: INT_MAX)
Stack change amount to consider a swap instead of an allocation or de-allocation on the same stack. Dr. Memory attempts to dynamically tune this value unless it is changed from its default. - -redzone_size <int>
default: 16 (minimum: 0, maximum: 32*1024)
Buffer on either side of each malloc. This should be a multiple of 8 for 32-bit and 16 for 64-bit. - -report_max <int>
default: 20000 (minimum: -1, maximum: INT_MAX)
Maximum non-leak errors to report (-1=no limit). This includes 'potential' errors listed separately. - -report_leak_max <int>
default: 10000 (minimum: -1, maximum: INT_MAX)
Maximum leaks to report (-1=no limit). This includes 'potential' leaks listed separately. - -report_write_to_read_only
default: true
Report writes to read-only memory as unaddressable errors. - -show_duplicates
default: false
Print details on each duplicate error rather than only showing unique error details - -batch
default: false
Do not launch notepad with the results file at application exit. - -summary
default: true
Display process startup information and a summary of errors to stderr at app exit. - -use_symcache
default: true
Cache results of symbol lookups to speed up future runs - -symcache_dir <string>
default: "<install>/logs/symcache"
Destination for symbol cache files. When using a unique log directory for each run, symbols will not be shared across runs because the default cache location is inside the log directory. Use this option to set a shared directory. - -symcache_minsize <int>
default: 1000 (minimum: 0, maximum: UINT_MAX)
Minimum module size to cache symbols for. Note that there's little downside to caching and it is pretty much always better to cache. - -use_symcache_postcall
default: true
Cache post-call sites to speed up future runs. Requires -use_symcache to be true. - -warn_null_ptr
default: false
Whether to warn when NULL is passed to free() or realloc(). - -delay_frees <int>
default: 2000 (minimum: 0, maximum: UINT_MAX)
Frees to delay before committing. The larger this number, the greater the likelihood that Dr. Memory will identify use-after-free errors. However, the larger this number, the more memory will be used. This value is separate for each set of allocation routines and each Windows Heap. - -delay_frees_maxsz <int>
default: 20000000 (minimum: 0, maximum: UINT_MAX)
Maximum size of frees to delay before committing. The larger this number, the greater the likelihood that Dr. Memory will identify use-after-free errors. However, the larger this number, the more memory will be used. This value is separate for each set of allocation routines and each Windows Heap. - -delay_frees_stack
default: true
Record callstacks on free to use when reporting use-after-free or other errors that overlap with freed objects. There is a slight performance hit incurred by this feature for malloc-intensive applications. The callstack size is controlled by -free_max_frames. - -leaks_only
default: false
Puts Dr. Memory into a leak-check-only mode that has lower overhead but does not detect other types of errors other than invalid frees. - -check_uninitialized
default: IF_ARM_ELSE(false, true)
Check for uninitialized read errors. When disabled, puts Dr. Memory into a mode that has lower overhead but does not detect definedness errors. Furthermore, the lack of definedness information reduces accuracy of leak identification, resulting in potentially failing to identify some leaks. - -check_stack_bounds
default: false
Only applies for -no_check_uninitialized. Determines whether to check for beyond-top-of-stack accesses. - -check_stack_access
default: false
Only applies for -no_check_uninitialized. Determines whether to check for errors on memory references that use esp or ebp as a base. These are normally local variable and function parameter references only, but for optimized or unusual code they could point elsewhere in memory. Checking these incurs additional overhead. - -check_alignment
default: false
Only applies for -no_check_uninitialized. Determines whether to incur additional overhead in order to handle memory accesses that are not aligned to their size. With this option off, the tool may miss bounds overflows that involve unaligned memory references. - -fault_to_slowpath
default: true
Only applies for -no_check_uninitialized. Determines whether to use faulting instructions rather than explicit jump-and-link to exit from fastpath to slowpath. - -check_delete_mismatch
default: true
Whether to check for free/delete/delete[] mismatches - -check_prefetch
default: true
Whether to report unaddressable prefetches as warnings - -malloc_callstacks
default: false
Record callstacks on allocations to use when reporting alloc/free mismatches. If leaks are enabled (i.e., -count_leaks is on), this option is always enabled. The callstack size is controlled by -malloc_max_frames. When enabled in light mode, this option incurs additional overhead, particularly on malloc-intensive applications. - -prctl_allowlist <string>
default: ""
If this list is non-empty, when Dr. Memory sees prctl(PR_SET_NAME) and the name is not on the list, then Dr. Memory will disable its instrumentation for the rest of the process and for all of its child processes. The list is ,-separated. - -auxlib <string>
default: ""
This option should specify the basename of an auxiliary system call handling library found in the same directory as the Dr. Memory client library. - -analyze_unknown_syscalls
default: true
For unknown syscalls use memory comparison to find output params - -syscall_dword_granularity
default: true
For unknown syscall comparisons (-analyze_unknown_syscalls), when changes are detected, consider the containing dword to have changed - -syscall_sentinels
default: false
Use sentinels to detect writes on unknown syscalls and reduce false positives, in particular for uninitialized reads. Can potentially result in incorrect behavior if definedness information is incorrect or application threads read syscall parameter info simultaneously. This option requires -analyze_unknown_syscalls to be enabled. - -prefer_msize
default: false
Prefer _msize to malloc_usable_size when both are present - -perturb
default: false
Adds random delays to thread synchronization and other operations to try and increase the chances of catching race conditions. - -perturb_only
default: false
Adds random delays to thread synchronization and other operations to try and increase the chances of catching race conditions, but disables all memory checking to create a low-overhead tool that executes significantly faster. However, without memory checking race conditions will only be detected if they result in an actual crash or other externally visible change in behavior. When this option is enabled, Dr. Memory will not produce an error summary or results.txt. - -perturb_max <int>
default: 50 (minimum: 0, maximum: UINT_MAX)
This option sets the maximum delay added by -perturb, in milliseconds for thread operations and in custom units for instruction-level operations. Delays added will be randomly selected from 0 up to -perturb_max. - -perturb_seed <int>
default: 0 (minimum: 0, maximum: UINT_MAX)
To reproduce the random delays added by -perturb, pass the seed from the logfile from the target run to this option. There may still be non-determinism in the rest of the system, however. - -unaddr_only
default: false
This option enables a lightweight mode that only detects critical errors of unaddressable accesses on heap data. This option cannot be used with 'light' or 'check_uninitialized'. - -pattern <int>
default: IF_ARM_ELSE(DEFAULT_PATTERN, 0) (minimum: 0, maximum: USHRT_MAX)
Use sentinels to detect accesses on unaddressable regions around allocated heap objects. When this option is enabled, checks for uninitialized read errors will be disabled. The value passed as the pattern must be a non-zero 2-byte value. - -persist_code
default: false
Cache instrumented code to speed up future runs. For short-running applications, this can provide a performance boost. It may not be worth enabling for long-running applications. Currently, this option is only supported with -light or -no_check_uninitialized. It also currently fails to re-use randomized libraries on Windows, resulting in less of a performance boost for applications that use many libraries with ASLR enabled. - -persist_dir <string>
default: "<install>/logs/codecache"
Destination for code cache files. When using a unique log directory for each run, symbols will not be shared across runs because the default cache location is inside the log directory. Use this option to set a shared directory. - -soft_kills
default: true
Ensure external processes terminated by this one exit cleanly. Often applications forcibly terminate child processes, which can prevent proper leak checking and error and suppression summarization as well as generation of symbol and code cache files needed for performance. When this option is enabled, every termination call to another process will be replaced with a directive to the Dr. Memory running in that process to perform a clean shutdown. If there is no DynamoRIO-based tool in the target process, the regular termination call will be carried out. - -ignore_kernel
default: false
Continue past the normally-fatal usage error of running on an unsupported kernel version. This risks false positives and potential tool failure due to unknown system call behavior. - -use_syscall_tables
default: true
On by default, this allows disabling the use of Dr. Memory's own syscall tables, in case the check for whether they match the underlying kernel is inaccurate. - -syscall_number_path <string>
default: ""
When running on an operating system version that this version of Dr. Memory does not have direct support for, a system call number file can be used to provide needed operating system information. These files are named syscalls_{x86,wow64,x64}.txt. This parameter should point at the directory containing the file. By default these are located in -symcache_dir. - -coverage
default: false
Measure code coverage during application execution. The resulting data is written to a separate file named with a 'drcov' prefix in the same directory as Dr. Memory's other results files. The raw data can be turned into a human-readable format using the drcov2lcov utility. - -fuzz
default: false
Enable fuzzing by Dr. Memory. See the other fuzz_* options for all of the different fuzzing options. - -fuzz_module <string>
default: ""
The fuzz target module name. The application main executable is used by default. - -fuzz_function <string>
default: "DrMemFuzzFunc"
The fuzz target function symbol name. DrMemFuzzFunc is used by default. - -fuzz_offset <int>
default: 0 (minimum: 0, maximum: UINT_MAX)
The fuzz target function offset in the module. - -fuzz_num_args <int>
default: 2 (minimum: 0, maximum: 32)
The number of arguments passed to the fuzz target function. For vararg functions this must match the actual number of arguments passed by the caller. - -fuzz_data_idx <int>
default: 0 (minimum: 0, maximum: 31)
The fuzz data argument index. - -fuzz_size_idx <int>
default: 1 (minimum: 0, maximum: 31)
The fuzz data size argument index. - -fuzz_num_iters <int>
default: 100 (minimum: 0, maximum: INT_MAX)
The number of times to repeat executing the target function. Use 0 for no repeat and no mutation, and -1 to repeat until the mutator is exhausted. - -fuzz_replace_buffer
default: false
Replace the input data buffer with separately allocated memory. This can be used for fuzzing functions whose input data is stored in read-only memory, or for fuzzing functions with different input data sizes, e.g., loading data via -fuzz_input_file. Note: this may cause problems if other pointers point to the original buffer, or the replaced buffer is used after the fuzzing iterations. - -fuzz_call_convention <string>
default: ""
The calling convention used by the fuzz target function. It can be specified using one of the following codes:arm32 = ARM32
amd64 = AMD64
fastcall = fastcall
ms64 = Microsoft x64 (Visual Studio)
stdcall = cdecl or stdcall
thiscall = thiscall
32-bit ARM: arm32
32-bit Unix: stdcall
32-bit Windows: stdcall
64-bit Unix: amd64
64-bit Windows: ms64
- -fuzz_dump_on_error
default: true
Dump the current fuzz input to current log directory on an error report. The file name can be found in the error report summary. - -fuzz_input_file <string>
default: ""
Load data from specified file as fuzz input. It can be used with -fuzz_num_iters 0 to reproduce an error from the input generated by -fuzz_dump_on_error. The data might be truncated if the data size is larger than the input buffer size. Use -fuzz_replace_buffer to replace the input buffer with a separately allocated buffer. - -fuzz_corpus <string>
default: ""
Load a corpus of input data files from the specified directory, perform coverage based fuzzing, and dump input data that causes more coverage. - -fuzz_corpus_out <string>
default: ""
Create the minimized corpus inputs from -fuzz_corpus and dump them to the directory specified by -fuzz_corpus_out. - -fuzz_coverage
default: false
Enable basic block coverage guided fuzzing for the default bit-flip based mutator. A custom mutator that implements drfuzz_mutator_feedback must use this option to enable the coverage feedback guided mutation. - -fuzz_target <string>
default: ""
Fuzz test the target program according to the specified descriptor, which should have the format:<target>|<arg-count>|<buffer-index>|<size-index>|<repeat-count>[|<calling-convention>]
<target>
has one of two formats:<module>!<symbol>
<module>+<offset>
<module>
refers to a single binary image file such as a library (.so or .dll) or an application executable (.exe on Windows). The<offset>
specifies the entry point of the target function as a hexadecimal offset (e.g. '0xf7d4') from the start of the module that contains it (i.e., the library or executable image). The<symbol>
may be either a plain C function name, a mangled C++ symbol, or (Windows only) a de-mangled C++ symbol of the form returned by the Symbol Query Tool. The option-fuzz_mangled_names
is required for using mangled names in Windows, and the mangled name must have every '@' character escaped by substituting a '-' in its place. The module alias <main> may be used to refer to the main module of the process, which is the program executable.
The <arg-count> specifies the number of arguments to the function (for vararg functions this must match the actual number of arguments passed by the app). The <*-index> arguments specify the index of the corresponding parameter in the target function. The <repeat-count> indicates the number of times to repeat the target function (use 0 to repeat until the mutator is exhuasted). The optional <calling-convention> can be specified using one of the following codes:1 = AMD64
2 = Microsoft x64 (Visual Studio)
3 = ARM32
4 = cdecl or stdcall
5 = fastcall
6 = thiscall
- -fuzz_mutator_lib <string>
default: ""
Specify a custom third-party mutator library to use instead of the default mutator library provided by Dr. Fuzz. - -fuzz_mutator_ops <string>
default: ""
Specify options to pass to either the default mutator library or to the custom third-party mutator library named in -fuzz_mutator_lib. - -fuzz_mutator_alg <string>
default: "ordered"
Specify the mutator algorithm as one of these strings:- random = random selection of bits or numbers.
- ordered = ordered sequence of bits or numbers.
- -fuzz_mutator_unit <string>
default: "bits"
Specify the mutator unit of operation as one of these strings:- bits = mutation by bit flipping.
- num = mutation by random number generation.
- token = mutation by inserting tokens from -fuzz_dictionary.
- -fuzz_mutator_flags <int>
default: 1 (minimum: 0, maximum: UINT_MAX)
Specify flags controlling mutator operation:- 0x1 = reset to the original buffer value passed by the app before each mutation.
- 0x2 = seed the mutator's random number generator with the current clock time.
- -fuzz_mutator_sparsity <int>
default: 1 (minimum: 0, maximum: UINT_MAX)
Specifies a number of values to skip between mutations. See also Dr. Fuzz Mutators. - -fuzz_mutator_max_value <int>
default: 0 (minimum: 0, maximum: ULLONG_MAX)
For buffers of size 8 bytes or smaller, specifies the maximum mutation value. Use value 0 to disable the maximum value (i.e., limit only by the buffer capacity). See also Dr. Fuzz Mutators. - -fuzz_mutator_random_seed <int>
default: 0x5a8390e9a31dc65fULL (minimum: 0, maximum: ULLONG_MAX)
Randomization seed for -fuzz_mutator_alg random. The default random seed is arbitrary, selected to have an equal number of 0 and 1 bits. See also Dr. Fuzz Mutators. - -fuzz_dictionary <string>
default: ""
Specify a dictionary file listing tokens to use for mutation by insertion into the input buffer. The file must be a text file with one double-quote-delimited token per line. Specifying this option automatically selects -fuzz_mutator_unit token. - -fuzz_one_input <string>
default: ""
Specify one fuzz input value to test. The value is a hexadecimal byte sequence using the printed byte order (i.e., non-endian), for example '7f392a' represents byte array { 0x7f, 0x39, 0x2a }. If the value length does not match the fuzz target buffer length, it will be truncated or zero-padded to fit. - -fuzz_buffer_fixed_size <int>
default: 0 (minimum: 0, maximum: UINT_MAX)
Use this option to ignore the size of the buffer argument and instead mutate a fixed span of bytes. If the actual buffer size is smaller than the specified fixed size, the actual size will be used instead. - -fuzz_buffer_offset <int>
default: 0 (minimum: 0, maximum: UINT_MAX)
Use this option to constrain mutation to a subset of buffer bytes starting at the specified offset from the buffer start. - -fuzz_skip_initial <int>
default: 0 (minimum: 0, maximum: UINT_MAX)
Skip fuzzing for the specified number of target invocations. - -fuzz_stat_freq <int>
default: 0 (minimum: 0, maximum: UINT_MAX)
Specify the fuzzer status log frequency in number of fuzz iterations (no status is logged when this option is not set).