2011-11-29 04:51:02 +08:00
|
|
|
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"
|
|
|
|
"http://www.w3.org/TR/html4/strict.dtd">
|
|
|
|
<!-- Material used from: HTML 4.01 specs: http://www.w3.org/TR/html401/ -->
|
|
|
|
<html>
|
|
|
|
<head>
|
|
|
|
<META http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
|
|
|
|
<title>AddressSanitizer, a fast memory error detector</title>
|
|
|
|
<link type="text/css" rel="stylesheet" href="../menu.css">
|
|
|
|
<link type="text/css" rel="stylesheet" href="../content.css">
|
|
|
|
<style type="text/css">
|
|
|
|
td {
|
|
|
|
vertical-align: top;
|
|
|
|
}
|
|
|
|
</style>
|
|
|
|
</head>
|
|
|
|
<body>
|
|
|
|
|
|
|
|
<!--#include virtual="../menu.html.incl"-->
|
|
|
|
|
2011-11-29 06:34:10 +08:00
|
|
|
<div id="content">
|
|
|
|
|
2011-11-29 04:51:02 +08:00
|
|
|
<h1>AddressSanitizer</h1>
|
|
|
|
<ul>
|
2012-04-23 17:05:50 +08:00
|
|
|
<li> <a href="#intro">Introduction</a>
|
|
|
|
<li> <a href="#howtobuild">How to Build</a>
|
|
|
|
<li> <a href="#usage">Usage</a>
|
|
|
|
<ul><li> <a href="#has_feature">__has_feature(address_sanitizer)</a></ul>
|
|
|
|
<ul><li> <a href="#no_address_safety_analysis">
|
|
|
|
__attribute__((no_address_safety_analysis))</a></ul>
|
|
|
|
<li> <a href="#platforms">Supported Platforms</a>
|
|
|
|
<li> <a href="#limitations">Limitations</a>
|
|
|
|
<li> <a href="#status">Current Status</a>
|
|
|
|
<li> <a href="#moreinfo">More Information</a>
|
2011-11-29 04:51:02 +08:00
|
|
|
</ul>
|
|
|
|
|
|
|
|
<h2 id="intro">Introduction</h2>
|
|
|
|
AddressSanitizer is a fast memory error detector.
|
|
|
|
It consists of a compiler instrumentation module and a run-time library.
|
|
|
|
The tool can detect the following types of bugs:
|
2011-12-13 07:22:31 +08:00
|
|
|
<ul> <li> Out-of-bounds accesses to heap, stack and globals
|
2011-11-29 04:51:02 +08:00
|
|
|
<li> Use-after-free
|
|
|
|
<li> Use-after-return (to some extent)
|
2011-12-13 07:22:31 +08:00
|
|
|
<li> Double-free, invalid free
|
2011-11-29 04:51:02 +08:00
|
|
|
</ul>
|
|
|
|
Typical slowdown introduced by AddressSanitizer is <b>2x</b>.
|
|
|
|
|
2011-12-13 07:22:31 +08:00
|
|
|
<h2 id="howtobuild">How to build</h2>
|
2012-03-16 00:20:29 +08:00
|
|
|
Follow the <a href="../get_started.html">clang build instructions</a>. <BR>
|
|
|
|
Note: CMake build does not work yet.
|
2012-03-16 00:22:06 +08:00
|
|
|
See <a href="http://llvm.org/bugs/show_bug.cgi?id=12272">bug 12272</a>.
|
2011-12-13 07:22:31 +08:00
|
|
|
|
2012-01-15 23:26:07 +08:00
|
|
|
<h2 id="usage">Usage</h2>
|
2011-12-13 07:22:31 +08:00
|
|
|
Simply compile and link your program with <tt>-faddress-sanitizer</tt> flag. <BR>
|
|
|
|
To get a reasonable performance add <tt>-O1</tt> or higher. <BR>
|
2012-01-07 01:35:27 +08:00
|
|
|
To get nicer stack traces in error messages add
|
|
|
|
<tt>-fno-omit-frame-pointer</tt>. <BR>
|
2012-01-24 02:50:23 +08:00
|
|
|
To get perfect stack traces you may need to disable inlining (just use <tt>-O1</tt>) and tail call
|
|
|
|
elimination (</tt>-fno-optimize-sibling-calls</tt>).
|
2011-12-13 07:22:31 +08:00
|
|
|
|
|
|
|
<pre>
|
|
|
|
% cat example_UseAfterFree.cc
|
|
|
|
int main(int argc, char **argv) {
|
|
|
|
int *array = new int[100];
|
|
|
|
delete [] array;
|
|
|
|
return array[argc]; // BOOM
|
|
|
|
}
|
|
|
|
</pre>
|
|
|
|
|
|
|
|
<pre>
|
2012-01-07 01:35:27 +08:00
|
|
|
% clang -O1 -g -faddress-sanitizer -fno-omit-frame-pointer example_UseAfterFree.cc
|
2011-12-13 07:22:31 +08:00
|
|
|
</pre>
|
|
|
|
|
|
|
|
If a bug is detected, the program will print an error message to stderr and exit with a
|
2011-12-02 08:24:42 +08:00
|
|
|
non-zero exit code.
|
2011-12-13 07:22:31 +08:00
|
|
|
Currently, AddressSanitizer does not symbolize its output, so you may need to use a
|
|
|
|
separate script to symbolize the result offline (this will be fixed in future).
|
|
|
|
<pre>
|
|
|
|
% ./a.out 2> log
|
|
|
|
% projects/compiler-rt/lib/asan/scripts/asan_symbolize.py / < log | c++filt
|
|
|
|
==9442== ERROR: AddressSanitizer heap-use-after-free on address 0x7f7ddab8c084 at pc 0x403c8c bp 0x7fff87fb82d0 sp 0x7fff87fb82c8
|
|
|
|
READ of size 4 at 0x7f7ddab8c084 thread T0
|
|
|
|
#0 0x403c8c in main example_UseAfterFree.cc:4
|
|
|
|
#1 0x7f7ddabcac4d in __libc_start_main ??:0
|
|
|
|
0x7f7ddab8c084 is located 4 bytes inside of 400-byte region [0x7f7ddab8c080,0x7f7ddab8c210)
|
|
|
|
freed by thread T0 here:
|
|
|
|
#0 0x404704 in operator delete[](void*) ??:0
|
|
|
|
#1 0x403c53 in main example_UseAfterFree.cc:4
|
|
|
|
#2 0x7f7ddabcac4d in __libc_start_main ??:0
|
|
|
|
previously allocated by thread T0 here:
|
|
|
|
#0 0x404544 in operator new[](unsigned long) ??:0
|
|
|
|
#1 0x403c43 in main example_UseAfterFree.cc:2
|
|
|
|
#2 0x7f7ddabcac4d in __libc_start_main ??:0
|
|
|
|
==9442== ABORTING
|
|
|
|
</pre>
|
2011-11-29 04:51:02 +08:00
|
|
|
|
|
|
|
<h3 id="has_feature">__has_feature(address_sanitizer)</h3>
|
|
|
|
In some cases one may need to execute different code depending on whether
|
|
|
|
AddressSanitizer is enabled.
|
|
|
|
<a href="LanguageExtensions.html#__has_feature_extension">__has_feature</a>
|
|
|
|
can be used for this purpose.
|
|
|
|
<pre>
|
2012-01-15 23:26:07 +08:00
|
|
|
#if defined(__has_feature) && __has_feature(address_sanitizer)
|
2011-11-29 04:51:02 +08:00
|
|
|
code that runs only under AddressSanitizer
|
|
|
|
#else
|
|
|
|
code that does not run under AddressSanitizer
|
|
|
|
#endif
|
|
|
|
</pre>
|
|
|
|
|
2012-04-23 17:05:50 +08:00
|
|
|
<h3 id="no_address_safety_analysis">__attribute__((no_address_safety_analysis))</h3>
|
|
|
|
Some code should not be instrumentated by AddressSanitizer.
|
|
|
|
One may use the function attribute
|
|
|
|
<a href="LanguageExtensions.html#address_sanitizer">
|
|
|
|
<tt>no_address_safety_analysis</tt></a>
|
|
|
|
to disable instrumentation of a particular function.
|
|
|
|
Note: currently, this attribute will be lost if the function is inlined.
|
|
|
|
|
2011-11-29 04:51:02 +08:00
|
|
|
<h2 id="platforms">Supported Platforms</h2>
|
2011-12-13 07:22:31 +08:00
|
|
|
AddressSanitizer is supported on
|
|
|
|
<ul><li>Linux x86_64 (tested on Ubuntu 10.04).
|
|
|
|
<li>MacOS 10.6 i386/x86_64.
|
2011-11-29 04:51:02 +08:00
|
|
|
</ul>
|
2012-03-16 00:20:29 +08:00
|
|
|
Support for Linux i386/ARM and MacOS 10.7 is in progress
|
|
|
|
(it may work, but is not guaranteed too).
|
|
|
|
|
2011-11-29 04:51:02 +08:00
|
|
|
|
|
|
|
<h2 id="limitations">Limitations</h2>
|
|
|
|
<ul>
|
2012-04-23 17:05:50 +08:00
|
|
|
<li> AddressSanitizer uses more real memory than a native run.
|
|
|
|
How much -- depends on the allocations sizes. The smaller the
|
|
|
|
allocations you make the bigger the overhead.
|
|
|
|
<li> AddressSanitizer uses more stack memory. We have seen up to 3x increase.
|
|
|
|
<li> On 64-bit platforms AddressSanitizer maps (but not reserves)
|
|
|
|
16+ Terabytes of virtual address space.
|
|
|
|
This means that tools like <tt>ulimit</tt> may not work as usually expected.
|
|
|
|
<li> Static linking is not supported.
|
2011-11-29 04:51:02 +08:00
|
|
|
</ul>
|
|
|
|
|
|
|
|
|
|
|
|
<h2 id="status">Current Status</h2>
|
2012-04-23 18:15:18 +08:00
|
|
|
AddressSanitizer is fully functional on supported platforms starting from LLVM 3.1.
|
2011-12-13 07:22:31 +08:00
|
|
|
However, the test suite is not fully integrated yet and we lack the testing
|
|
|
|
process (buildbots).
|
|
|
|
|
|
|
|
<h2 id="moreinfo">More Information</h2>
|
2011-11-29 04:51:02 +08:00
|
|
|
<a href="http://code.google.com/p/address-sanitizer/">http://code.google.com/p/address-sanitizer</a>.
|
|
|
|
|
|
|
|
|
2011-11-29 06:34:10 +08:00
|
|
|
</div>
|
2011-11-29 04:51:02 +08:00
|
|
|
</body>
|
|
|
|
</html>
|