by amelius 1076 days ago
Is anyone using Valgrind even anymore these days?

I've noticed that using Valgrind on Python systems is almost impossible because most modules have not been built with Valgrind in mind and thus you get swamped in noise.

I suppose the same is true for any large system that uses many different third party libraries.

4 comments

ASan is better for finding memory corruption afaik

I use valgrind regularly, and prefer it over asan. asan will result in a faster executable which is nice, but I far prefer valgrind's output to asan's (this might be preference, but I find it to be clearer), and various things break when building with asan so I never make it default. Being able to valgrind stuff without recompiling is very convenient.

I'm also not sure if asan has an equivalent to --leak-check=full

Ok. But I'm guessing it has the same problems. I.e., if half your libraries/modules have never seen it, then you'll get a lot of noise. Happy to be proved wrong.

The compiler can't add checks into code it hasn't compiled. External modules, unless they are doing weird things which you do want to know about, should not generate ASan reports... on Linux.

Absolutely. I enable Valgrind on every default debug build of mine. It's my favorite tool.

I have even made it recognize my custom allocators and report bugs with them too.

When combined with my second favorite tool, AFL++, I have a good shot at eliminating most memory bugs. AFL++ finds paths through the software, and I run every single one of those paths through Valgrind. It's beautiful.
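A sketch of the workflow described in the comment above, added here as an example and not the commenter's own script: replay every input in an AFL++ queue directory under Valgrind and keep the logs of the ones that produce errors. It assumes the target takes the test-case path as its only argument and that queue files use AFL++'s `id:` naming; the function name, the `CHECKER` variable and the exit code 99 are choices made for this example.

```shell
#!/bin/sh
# Added example: replay an AFL++ corpus through Valgrind.
# Usage: replay.sh <afl-out>/default/queue <report-dir> ./target

# Exit status Valgrind should use when it reported errors (arbitrary choice).
VG_ERR=99

# Command prefix used to run the target. Overridable so the loop can be
# exercised with another checker; the default needs valgrind installed.
: "${CHECKER:=valgrind --quiet --error-exitcode=$VG_ERR --leak-check=full}"

# replay_queue QUEUE_DIR REPORT_DIR TARGET
# Runs TARGET on every queue entry and prints how many inputs failed.
# The body is a subshell, so its variables do not leak into the caller.
replay_queue() (
    queue=$1 reports=$2 target=$3 bad=0
    mkdir -p "$reports" || exit 2
    for input in "$queue"/id:*; do
        [ -f "$input" ] || continue          # skip .state/ and unmatched glob
        name=$(basename "$input")
        rc=0
        # $CHECKER is split on purpose: it holds a command plus its flags.
        $CHECKER "$target" "$input" >"$reports/$name.log" 2>&1 </dev/null || rc=$?
        # VG_ERR: Valgrind reported errors. >=128: killed by a signal.
        if [ "$rc" -eq "$VG_ERR" ] || [ "$rc" -ge 128 ]; then
            bad=$((bad + 1))
            echo "$rc $input" >>"$reports/failing.txt"
        else
            rm -f "$reports/$name.log"       # keep logs only for failures
        fi
    done
    echo "$bad"
)

# Run directly when called with the three arguments shown in the usage line.
if [ "$#" -eq 3 ]; then
    replay_queue "$@"
fi
```

Without `--error-exitcode`, Valgrind exits with the target's own status, so a loop like this would not notice reported errors.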

It is useful but quite limited by itself for security bugs - it's dynamic instrumentation so you'd need to test with the input triggering the vulnerability. (But useful in combination with fuzzing, similarly to the compiler sanitizer options)

Valgrind, ASAN and AFL are my holy trinity when it comes to bug squashing. I'm surprised that you have a problem with python modules - I use Valgrind specifically when I need to test executables without recompiling.