8/21/2019 AddressSanitizer is Fully Functional on Supported Platforms Starting From LLVM 3.1
http://slidepdf.com/reader/full/addresssanitizer-is-fully-functional-on-supported-platforms-starting-from-llvm 1/5
Clang 3.7 documentation ADDRESSSANITIZER
AddressSanitizer
• Introduction
• How to build
• Usage
o __has_feature(address_sanitizer)
o __attribute__((no_sanitize_address))
o Initialization order checking
o Blacklist
o Memory leak detection
• Supported Platforms
• Limitations
• Current Status
• More Information
Introduction
AddressSanitizer is a fast memory error detector. It consists of a compiler instrumentation module and a run-time library. The tool can detect the following types of bugs:
• Out-of-bounds accesses to heap, stack and globals
• Use-after-free
• Use-after-return (to some extent)
• Double-free, invalid free
• Memory leaks (experimental)
Typical slowdown introduced by AddressSanitizer is 2x.
How to build
Build LLVM/Clang with CMake.
Usage
Simply compile and link your program with the -fsanitize=address flag. The AddressSanitizer run-time library should be linked to the final executable, so make sure to use clang (not ld) for the final link step. When linking shared libraries, the AddressSanitizer run-time is not linked, so -Wl,-z,defs may cause link errors (don't use it with AddressSanitizer). To get reasonable performance add -O1 or higher. To get nicer stack traces in error messages add -fno-omit-frame-pointer. To get perfect stack traces you may need to disable inlining (just use -O1) and tail call elimination (-fno-optimize-sibling-calls).
% cat example_UseAfterFree.cc
int main(int argc, char **argv) {
  int *array = new int[100];
  delete [] array;
  return array[argc];  // BOOM
}

# Compile and link
% clang -O1 -g -fsanitize=address -fno-omit-frame-pointer example_UseAfterFree.cc

or:

# Compile
% clang -O1 -g -fsanitize=address -fno-omit-frame-pointer -c example_UseAfterFree.cc
# Link
% clang -g -fsanitize=address example_UseAfterFree.o
If a bug is detected, the program will print an error message to stderr and exit with a non-zero exit code. To make AddressSanitizer symbolize its output you need to set the ASAN_SYMBOLIZER_PATH environment variable to point to the llvm-symbolizer binary (or make sure llvm-symbolizer is in your PATH):

% ASAN_SYMBOLIZER_PATH=/usr/local/bin/llvm-symbolizer ./a.out
==9442== ERROR: AddressSanitizer heap-use-after-free on address 0x7f7ddab8c084 at pc 0x403c8c bp 0x7fff87fb82d0 sp 0x7fff87fb82c8
READ of size 4 at 0x7f7ddab8c084 thread T0
    #0 0x403c8c in main example_UseAfterFree.cc:4
    #1 0x7f7ddabcac4d in __libc_start_main ??:0
0x7f7ddab8c084 is located 4 bytes inside of 400-byte region [0x7f7ddab8c080,0x7f7ddab8c210)
freed by thread T0 here:
    #0 0x4024b0 in operator delete[](void*) ??:0
    #1 0x403c27 in main example_UseAfterFree.cc:4
    #2 0x7f7ddabcac4d in __libc_start_main ??:0
previously allocated by thread T0 here:
    #0 0x402c90 in operator new[](unsigned long) ??:0
    #1 0x403c1c in main example_UseAfterFree.cc:3
    #2 0x7f7ddabcac4d in __libc_start_main ??:0
==9442== ABORTING
If that does not work for you (e.g. your process is sandboxed), you can use a separate script to symbolize the result offline (online symbolization can be force disabled by setting ASAN_OPTIONS=symbolize=0):

% ASAN_OPTIONS=symbolize=0 ./a.out 2> log
% projects/compiler-rt/lib/asan/scripts/asan_symbolize.py / < log | c++filt
==9442== ERROR: AddressSanitizer heap-use-after-free on address 0x7f7ddab8c084 at pc 0x403c8c bp 0x7fff87fb82d0 sp 0x7fff87fb82c8
READ of size 4 at 0x7f7ddab8c084 thread T0
    #0 0x403c8c in main example_UseAfterFree.cc:4
    #1 0x7f7ddabcac4d in __libc_start_main ??:0
...
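Both the symbolized report above and the offline-symbolized one share a fixed shape: a header line naming the bug kind and address, an access line, one stack per section (the access, the free, the allocation), a region line and a final ABORTING line. The program below, an added example that is not part of the Clang or compiler-rt sources, parses a report of that shape into a struct, which is the first step of automated crash triage (bucketing a fuzzer's crashes by bug kind and culprit frame). The struct and function names are this example's own, and the embedded sample is the symbolized heap-use-after-free report shown above, constructed here as test input.

```cpp
// Added example (not part of the Clang/ASan docs): parse an AddressSanitizer
// report of the shape shown above into a struct for crash triage.
#include <iostream>
#include <regex>
#include <sstream>
#include <string>
#include <vector>

struct Frame { std::string func; std::string loc; };  // loc: "file:line" or "??:0"

struct AsanReport {
    std::string kind;             // e.g. "heap-use-after-free"
    std::string access;           // "READ" or "WRITE"; empty if the report has no access line
    unsigned long size = 0;       // bytes accessed
    unsigned long long addr = 0;  // faulting address
    unsigned long offset = 0, region_size = 0;  // from the "is located ..." line
    std::vector<Frame> access_stack, free_stack, alloc_stack;
    bool aborted = false;
};

// Lines are matched one at a time, so no multiline regex mode is needed. The
// header regex accepts both the older "AddressSanitizer heap-use-after-free"
// and the newer "AddressSanitizer: heap-use-after-free" spellings.
AsanReport parse_asan_report(const std::string& text) {
    static const std::regex header(R"(^==\d+== ?ERROR: AddressSanitizer:? (\S+) on address 0x([0-9a-fA-F]+))");
    static const std::regex access(R"(^(READ|WRITE) of size (\d+) at 0x[0-9a-fA-F]+)");
    static const std::regex frame(R"(^\s*#\d+ 0x[0-9a-fA-F]+ in (.+) (\S+)$)");
    static const std::regex region(R"(is located (\d+) bytes (inside|to the right|to the left) of (\d+)-byte region)");
    AsanReport r;
    std::vector<Frame>* stack = &r.access_stack;  // which stack the next frames belong to
    std::istringstream in(text);
    std::string line;
    std::smatch m;
    while (std::getline(in, line)) {
        if (std::regex_search(line, m, header)) {
            r.kind = m[1].str();
            r.addr = std::stoull(m[2].str(), nullptr, 16);
        } else if (std::regex_search(line, m, access)) {
            r.access = m[1].str();
            r.size = std::stoul(m[2].str());
        } else if (std::regex_search(line, m, frame)) {
            stack->push_back({m[1].str(), m[2].str()});
        } else if (std::regex_search(line, m, region)) {
            r.offset = std::stoul(m[1].str());
            r.region_size = std::stoul(m[3].str());
        } else if (line.find("freed by thread") != std::string::npos) {
            stack = &r.free_stack;
        } else if (line.find("previously allocated by thread") != std::string::npos) {
            stack = &r.alloc_stack;
        } else if (line.find("ABORTING") != std::string::npos) {
            r.aborted = true;
        }
    }
    return r;
}

// First frame the symbolizer resolved to file:line. Run-time frames such as
// operator delete[] show up as "??:0" (or a bare module+offset in newer
// releases), so this is the frame a triage tool should bucket on.
const Frame* first_located_frame(const std::vector<Frame>& stack) {
    for (const Frame& f : stack)
        if (f.loc.compare(0, 2, "??") != 0 && f.loc.find(':') != std::string::npos) return &f;
    return nullptr;
}

// Constructed sample input: the symbolized report shown earlier on this page.
static const char* const kSampleReport = R"asan(==9442== ERROR: AddressSanitizer heap-use-after-free on address 0x7f7ddab8c084 at pc 0x403c8c bp 0x7fff87fb82d0 sp 0x7fff87fb82c8
READ of size 4 at 0x7f7ddab8c084 thread T0
    #0 0x403c8c in main example_UseAfterFree.cc:4
    #1 0x7f7ddabcac4d in __libc_start_main ??:0
0x7f7ddab8c084 is located 4 bytes inside of 400-byte region [0x7f7ddab8c080,0x7f7ddab8c210)
freed by thread T0 here:
    #0 0x4024b0 in operator delete[](void*) ??:0
    #1 0x403c27 in main example_UseAfterFree.cc:4
    #2 0x7f7ddabcac4d in __libc_start_main ??:0
previously allocated by thread T0 here:
    #0 0x402c90 in operator new[](unsigned long) ??:0
    #1 0x403c1c in main example_UseAfterFree.cc:3
    #2 0x7f7ddabcac4d in __libc_start_main ??:0
==9442== ABORTING
)asan";

int main() {
    AsanReport r = parse_asan_report(kSampleReport);
    std::cout << r.kind << ": " << r.access << " of " << r.size << " bytes, "
              << r.offset << " bytes into a " << r.region_size << "-byte region\n";
    for (auto* s : {&r.access_stack, &r.free_stack, &r.alloc_stack})
        if (const Frame* f = first_located_frame(*s)) std::cout << "  " << f->func << " at " << f->loc << "\n";
    return r.aborted ? 0 : 1;  // no ABORTING line means the report was truncated
}
```

Because the parser keys on the section markers ("freed by thread", "previously allocated by thread") rather than on addresses or frame numbers, the same code handles output from the ASAN_SYMBOLIZER_PATH path and from asan_symbolize.py; unsymbolized frames (??:0) are kept but skipped by first_located_frame, which is what you want when deduplicating crashes from a fuzzing run.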
Note that on OS X you may need to run dsymutil on your binary to have the file:line info in the AddressSanitizer reports.
AddressSanitizer exits on the first detected error. This is by design. One reason: it makes the generated code smaller and faster (both by ~5%). Another reason: this makes fixing bugs unavoidable. With Valgrind, it is often the case that users treat Valgrind warnings as false positives (which they are not) and don't fix them.
__has_feature(address_sanitizer)
In some cases one may need to execute different code depending on whether AddressSanitizer is enabled. __has_feature can be used for this purpose.

#if defined(__has_feature)
#  if __has_feature(address_sanitizer)
// code that builds only under AddressSanitizer
#  endif
#endif
__attribute__((no_sanitize_address))
Some code should not be instrumented by AddressSanitizer. One may use the function attribute no_sanitize_address (or a deprecated synonym no_address_safety_analysis) to disable instrumentation of a particular function. This attribute may not be supported by other compilers, so we suggest to use it together with __has_feature(address_sanitizer).
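One way to follow that suggestion in practice, as an added example that is not from the Clang documentation: a macro that expands to the attribute only when __has_feature reports an AddressSanitizer build, so the same source compiles unchanged on compilers that know neither __has_feature nor the attribute. The macro names, the hash function and its "instrumented twin" are this example's own; the __SANITIZE_ADDRESS__ check is GCC's predefined macro for -fsanitize=address builds and is an addition beyond what the page describes.

```cpp
// Added example (not from the Clang docs): portable wrapper around
// __has_feature(address_sanitizer) and __attribute__((no_sanitize_address)).
#include <cstddef>
#include <cstdint>
#include <cstdio>

// 1. Detect an AddressSanitizer build. Clang exposes this through
//    __has_feature; GCC predefines __SANITIZE_ADDRESS__ instead.
#if defined(__has_feature)
#  if __has_feature(address_sanitizer)
#    define BUILT_WITH_ASAN 1
#  endif
#endif
#if !defined(BUILT_WITH_ASAN) && defined(__SANITIZE_ADDRESS__)
#  define BUILT_WITH_ASAN 1
#endif
#ifndef BUILT_WITH_ASAN
#  define BUILT_WITH_ASAN 0
#endif

// 2. Spell the attribute only when the sanitizer is actually in use, so a
//    compiler that does not know it never sees it.
#if BUILT_WITH_ASAN
#  define ATTRIBUTE_NO_SANITIZE_ADDRESS __attribute__((no_sanitize_address))
#else
#  define ATTRIBUTE_NO_SANITIZE_ADDRESS
#endif

bool asan_enabled() { return BUILT_WITH_ASAN != 0; }

// 3. Apply it as narrowly as possible: every function excluded this way is a
//    blind spot for the detector, so treat each use like any other suppression
//    and keep the excluded body small and reviewable. Here a 32-bit FNV-1a hash
//    is left uninstrumented; all of its accesses are in-bounds, so only
//    coverage is given up, not correctness.
ATTRIBUTE_NO_SANITIZE_ADDRESS
uint32_t fnv1a_uninstrumented(const uint8_t* data, size_t len) {
    uint32_t h = 2166136261u;                      // FNV offset basis
    for (size_t i = 0; i < len; ++i) { h ^= data[i]; h *= 16777619u; }  // FNV prime
    return h;
}

// Instrumented twin with the same body, so the two can be compared under ASan.
uint32_t fnv1a(const uint8_t* data, size_t len) {
    uint32_t h = 2166136261u;
    for (size_t i = 0; i < len; ++i) { h ^= data[i]; h *= 16777619u; }
    return h;
}

int main() {
    const uint8_t msg[] = {'a', 'b', 'c'};
    std::printf("asan=%d fnv1a(\"abc\")=%08x\n", asan_enabled() ? 1 : 0,
                fnv1a_uninstrumented(msg, sizeof msg));
    return fnv1a(msg, sizeof msg) == fnv1a_uninstrumented(msg, sizeof msg) ? 0 : 1;
}
```

Build once with plain clang++ and once with clang++ -fsanitize=address; the attributed function compiles either way, and only the second build reports asan=1. The run-time switch asan_enabled() is the hook for tests that need smaller inputs or longer timeouts under the sanitizer.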
Initialization order checking
AddressSanitizer can optionally detect dynamic initialization order problems, when initialization of globals defined in one translation unit uses globals defined in another translation unit. To enable this check at runtime, you should set the environment variable ASAN_OPTIONS=check_initialization_order=1.
Blacklist
AddressSanitizer supports the src and fun entity types of the Sanitizer special case list, which can be used to suppress error reports in the specified source files or functions. Additionally, AddressSanitizer introduces global and type entity types that can be used to suppress error reports for out-of-bound access to globals with certain names and types (you may only specify class or struct types). You may use an init category to suppress reports about initialization-order problems happening in certain source files or with certain global variables. The list file is passed to clang with -fsanitize-blacklist=<path>; note that every entry in it is a blind spot for the detector, so keep entries narrow and review them like any other suppression.

# Suppress error reports for code in a file or in a function:
src:bad_file.cpp
# Ignore all functions with names containing MyFooBar:
fun:*MyFooBar*
# Disable out-of-bound checks for global:
global:bad_array
# Disable out-of-bound checks for global instances of a given class ...
type:Namespace::BadClassName
# ... or a given struct. Use wildcard to deal with anonymous namespace.
type:Namespace2::*::BadStructName
# Disable initialization-order checks for globals:
global:bad_init_global=init
type:*BadInitClassSubstring*=init
src:bad/init/files/*=init
Memory leak detection
For the experimental memory leak detector in AddressSanitizer, see LeakSanitizer.
Supported Platforms
AddressSanitizer is supported on
• Linux i386/x86_64 (tested on Ubuntu 12.04)
• MacOS 10.6 - 10.9 (i386/x86_64)
• Android ARM
• FreeBSD i386/x86_64 (tested on FreeBSD 11-current)
Ports to various other platforms are in progress.
Limitations
• AddressSanitizer uses more real memory than a native run. Exact overhead depends on the allocation sizes. The smaller the allocations you make, the bigger the overhead is.
• AddressSanitizer uses more stack memory. We have seen up to 3x increase.
• On 64-bit platforms AddressSanitizer maps (but does not reserve) 16+ Terabytes of virtual address space. This means that tools like ulimit may not work as usually expected.
• Static linking is not supported.
Current Status
AddressSanitizer is fully functional on supported platforms starting from LLVM 3.1. The test suite is integrated into the CMake build and can be run with the make check-asan command.
More Information
http://code.google.com/p/address-sanitizer
Copyright 2007-2015, The Clang Team. Created using Sphinx 1.1.3.