Detect every memory accesses made by a C/C++ program

Question

I am trying to detect every access programs written in C/C++ is making while running, in particular to dynamically allocated memory. In addition, I would like to have some information about where the access was made. The function name that made the access is what I am looking for.

For example, for the following code:

void MemoryAccess(int* my_vector) {
    int x = my_vector[0]; // Read access from 0xFFFF0000.
    my_vector[0] = x + 1; // Write access to 0XFFFF0000.
}

int main(void) {
    // Assume that the address returned by malloc is 0xFFFF0000.
    int* vec = malloc(VEC_SIZE * sizeof(int));
    if (!vec) {
        return MEMORY_ALLOCATION_FAIL;
    }
    MemoryAccess(vec);

    int second_elem = vec[1]; // Read access from 0xFFFF0004.
    v[1] = 10; // Write access to 0xFFFF0004.

    return 0;
}

I would like to record a log file, containing the following: address that have been accessed, the function name that made the access. For the above example, my log should look something like:

{Read}  {MemoryAccess} {0xFFFF0000}
{Write} {MemoryAccess} {0xFFFF0000}
{Read}  {main}         {0xFFFF0004}
{Write} {main}         {0xFFFF0004}

I have been able to do something like this on Windows using Exception Filter and modify the page protection of the monitored memory block. I couldn't get the function name that made the access, only Instruction Pointer value when the exception was raised and I couldn't figure how to use that to get the function name.

Note: My goal is to monitor memory access on a Linux based system (Debian/Ubuntu mostly), not Windows.

Please provide a link to the specification of that "C/C++" language. until then there are only the two **different** languages C and C++. This is not C++. There are like different solutions for your problem in both languages. — too honest for this site, Jan 27 '16 at 14:50
@Angew: I don't think Valgrind will monitor **every** access. — too honest for this site, Jan 27 '16 at 14:52
Please **give your motivations** so **edit your question** to improve it a big lot. — Basile Starynkevitch, Jan 27 '16 at 14:56
Do you care about one particular program (which one?) or are you ambitious enough to seek a more generic solution? Then why do you ask? — Basile Starynkevitch, Jan 27 '16 at 15:02
Question is "by a C/C++ program". Post says "program written in C++" and post is tagged `C`. So it is unclear what language an answer should use. — chux - Reinstate Monica, Jan 27 '16 at 17:33
@BasileStarynkevitch For the moment I am trying to monitor the functions that read/write a chunk of memory, so I can understand better what happens with that data inside a function (maybe one function just read from memory, other may only write to memory, or both). — Florin Avram, Jan 29 '16 at 09:20
@FlorinAvram: if you are struggling with one particular software, you just need GDB watchpoints & `valgrind` — Basile Starynkevitch, Jan 29 '16 at 09:27
@BasileStarynkevitch What I trying to do is similar with what GDB does, but I just want to log access made to a memory zone, applying different test cases to it and then analyze the logs to observe some patterns. That is the main reason why I need those log files. — Florin Avram, Jan 29 '16 at 16:49
But **why do you need this?**, how generic do you want the solution to be, do you accept it to be *very* slow, and how many many years can you invest in implementing it ? What is the software on which you want such instrumentation? Are you willing to spend a dozen of years of work? So please **edit your question** (or ask a much more focused one, explaining much more and giving a lot of details and of source code) — Basile Starynkevitch, Jan 29 '16 at 16:51
1. How generic do you want the solution to be? I want to create a simple API, that let's me modify the source code of a program, recompile it, run a suite of test cases and the have the logs for a chunk of memory that I have selected. For example, if in my source code I will have something like char* buff = malloc(100), free(buff). I want to add a piece of code after malloc that will start monitoring this memory, and one before free, to unmonitor the memory. — Florin Avram, Jan 29 '16 at 16:58
That should go in your question, not in comments. And do you want some generic solution, or simply something for one particular program? I guess using GCC MELT should fit quite well. But your goals are quite ambitious, even if you limit them to your above example. — Basile Starynkevitch, Jan 29 '16 at 18:58

score 2 · Answer 1 · edited May 23 '17 at 11:52

^{(I am focusing on Linux)}

What you want to do will be very slow and need unportable code if done naively. I am supposing that you want a generic solution (working on many C++ programs, not on some particular one).

You could patch some emulator, à la Qemu.

Maybe you just want to use valgrind or GCC debugging options like address sanitizer (search for -fsanitize=address). Or use gdb watchpoints. Notice that recent GDB are scriptable in Python or Guile.

Maybe you could take inspiration from valgrindtricks.

Look also into ptrace(2)

If you don't want disastrous performance (that is, naively interpreting each machine instruction and/or handling a SIGSEGV for every memory access, see this for more) you need to be tricky.

You could consider customizing the GCC compiler (e.g. with MELT) so that some (relevant) loads & stores get instrumented inside the compiler.

If you take a naive approach (sort of interpreting every machine instruction and/or crude SIGSEGV handling), you'll probably slow your program by more than a factor of thousand, and that "semi-naive" approach still needs months of work. And you'll encounter Heisenbugs.

If you want a serious approach, you'll need to modify your GCC compiler (e.g. with MELT) so that some instrumentation code is additionally emitted by the compiler, recompile the program to be instrumented (and all the libraries it is using) and that could probably take you at least a year (unless you are already fluent with GCC internals).

If you are serious, study more computer science (computer architecture, operating systems, compilers), and make your PhD working on that. You'll need several years of hard work.

Detect every memory accesses made by a C/C++ program

1 Answers1