WWDC2015 Advanced Debugging and

Author: Jerrydu96 | Published 2019-08-10 23:36 | Read 0 times

When a global breakpoint is set, the console does not print the exception.
You can print the error by entering po $arg1.

What Is Address Sanitizer

Similar to Guard Malloc and Valgrind
Finds memory corruption at runtime
Less overhead
Integrated into Debug Navigator
Works on OS X, iOS (simulator and device)

Analyze Memory Corruption

Use after free
Heap buffer overflow
Stack buffer overflow
Global variable overflow
Overflows in C++ containers
Use after return

Compiler Optimization Level

None [-O0] is recommended
Fast [-O1] is supported
Higher optimization is not supported

How Address Sanitizer Works

clang -fsanitize=address
At runtime, this binary links with the ASan runtime dylib, which contains even more checks; that dylib is required by the instrumentation.

A check is performed before the memory access:

*p = 0xb00;

--->

if (IsPoisoned(p)) Crash();
*p = 0xb00;

Shadow Mapping

IsPoisoned needs to be fast
1/8 of the address space
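mmap'd at launch

bool IsPoisoned(Addr) {
  // One shadow byte covers 8 bytes of application memory.
  // Parentheses are required: in C, + binds tighter than >>.
  Shadow = (Addr >> 3) + offset;
  return (*Shadow) != 0;
}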

Heap

Changes how malloc allocates memory: instead of the default contiguous allocation, allocations are spaced apart.

Custom Malloc Implementation

Inserts poisoned "red zones" around allocations
Heap underflows/overflows
Delay reuse of freed memory
Use-after-free, double free
Collects stack traces for allocations and frees
Comprehensive error reports
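
The shadow check, red zones and delayed reuse described above, modelled in a small C program. This is an added example, not code from the WWDC session or from ASan's runtime. The arena size, red-zone size, shadow values and all function names are assumptions, and payloads are rounded up to 8 bytes so the simplified "!= 0" check stays exact.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy model, not ASan's runtime: a 1 KiB arena stands in for the address
   space; one shadow byte describes each 8-byte granule (1/8 of the space). */
#define ARENA_SIZE 1024
#define REDZONE    16   /* assumed size; must be a multiple of 8 */
static uint8_t arena[ARENA_SIZE], shadow[ARENA_SIZE >> 3];
static size_t next_free;   /* bump pointer: freed memory is never reused */
static size_t round8(size_t n) { return (n + 7) & ~(size_t)7; }

/* The slide's check: Shadow = (Addr >> 3) + offset; nonzero means poisoned. */
static int is_poisoned(const uint8_t *p) {
    return shadow[(size_t)(p - arena) >> 3] != 0;
}

/* Everything starts poisoned; only live payloads get unpoisoned. */
static void toy_init(void) { memset(shadow, 0xff, sizeof shadow); next_free = 0; }

/* Layout: [red zone][payload, rounded up to 8 bytes][red zone]. */
static uint8_t *toy_malloc(size_t n) {
    size_t size = round8(n), payload = next_free + REDZONE;
    if (payload + size + REDZONE > ARENA_SIZE) return NULL;
    memset(&shadow[payload >> 3], 0, size >> 3);
    next_free = payload + size + REDZONE;
    return &arena[payload];
}

/* Free re-poisons the payload, so a stale pointer still hits poison. */
static void toy_free(uint8_t *p, size_t n) {
    memset(&shadow[(size_t)(p - arena) >> 3], 0xfd, round8(n) >> 3);
}

/* Instrumented store: returns -1 where the real check would crash. */
static int checked_store(uint8_t *p, uint8_t v) {
    if (is_poisoned(p)) return -1;
    *p = v;
    return 0;
}

int main(void) {
    toy_init();
    uint8_t *b = toy_malloc(16);
    int in = checked_store(b + 15, 1), over = checked_store(b + 16, 1);
    int under = checked_store(b - 1, 1);
    toy_free(b, 16);
    printf("in=%d over=%d under=%d uaf=%d\n", in, over, under, checked_store(b, 1));
    return 0;
}
```
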

Guard Malloc, NSZombie, Malloc Scribble
