0. 机器环境
- centos7
- gcc (GCC) 4.8.5 20150623 (Red Hat 4.8.5-11)
1. 安装libasan(安装过忽略此条)
yum install libasan
yum install llvm
2. 使用AddressSanitizer
gcc -fsanitize=address -fno-omit-frame-pointer -O1 -g -o main main.cpp
需要在使用 GCC 或 Clang 编译链接程序时加上 -fsanitize=address 开关(性能慢一半)。为了获得合理的性能,可以加上 -O1 或更高。为了在错误信息中获得更友好的栈追踪信息可以加上 -fno-omit-frame-pointer。为了获得完美的栈追踪信息,还可以禁用内联(使用 -O1)和尾调用消除(-fno-optimize-sibling-calls),-g可以换成-ggdb更有益gdb调试。
可能遇到编译错误:undefined reference to `__asan_report_store8'
在编译选项和连接选项里都添加-fsanitize=address
3. 运行
ASAN_SYMBOLIZER_PATH=$(which llvm-symbolizer) ./main
- 单独运行 ./main 可能出现 WARNING: invalid path to external symbolizer!导致看不到具体文件符号,错误在哪行代码;
- 如果ASAN_SYMBOLIZER_PATH失败的话换成MSAN_SYMBOLIZER_PATH;
4. AddressSanitizer内存错误类型
- Use after free:访问堆上已经被释放的内存
- Heap buffer overflow:堆上缓冲区访问溢出
- Stack buffer overflow:栈上缓冲区访问溢出
- Global buffer overflow:全局缓冲区访问溢出
- Use after return:访问栈上已被释放的内存
- Use after scope:栈对象使用超过定义范围
- Initialization order bugs:初始化命令错误
- Memory leaks:内存泄漏
5. 错误类型示例
(1) heap-buffer-overflow
int main(int argc, char **argv)
{
//int a[9];
int *a = new int(9);
a[11] ++;
return a[11];
}
=================================================================
==6515== ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60040000e01c at pc 0x400881 bp 0x7ffd91a90a10 sp 0x7ffd91a90a00
READ of size 4 at 0x60040000e01c thread T0
#0 0x400880 in main /home/work/test/main.cpp:5
#1 0x7f70a3f40b34 in __libc_start_main (/lib64/libc.so.6+0x21b34)
#2 0x400748 in _start (/home/work/test/main+0x400748)
0x60040000e01c is located 12 bytes to the right of 0-byte region [0x60040000e010,0x60040000e010)
==6515== AddressSanitizer CHECK failed: ../../../../libsanitizer/asan/asan_allocator2.cc:216 "((id)) != (0)" (0x0, 0x0)
#0 0x7f70a4b13b9a (/lib64/libasan.so.0+0x12b9a)
#1 0x7f70a4b1ae03 (/lib64/libasan.so.0+0x19e03)
#2 0x7f70a4b06426 (/lib64/libasan.so.0+0x5426)
#3 0x7f70a4b189ff (/lib64/libasan.so.0+0x179ff)
#4 0x7f70a4b19be1 (/lib64/libasan.so.0+0x18be1)
#5 0x7f70a4b13fc2 (/lib64/libasan.so.0+0x12fc2)
#6 0x400880 in main /home/work/test/main.cpp:6
#7 0x7f70a3f40b34 in __libc_start_main (/lib64/libc.so.6+0x21b34)
#8 0x400748 in _start (/home/work/test/main+0x400748)
(2) stack-buffer-overflow
int main(int argc, char **argv)
{
int a[9];
//int *a = new int(9);
a[11] ++;
return a[11];
}
=================================================================
==6605== ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffdc56432ac at pc 0x4007d9 bp 0x7ffdc5643240 sp 0x7ffdc5643230
READ of size 4 at 0x7ffdc56432ac thread T0
#0 0x4007d8 in main /home/work/test/main.cpp:5
#1 0x7f9010e30b34 in __libc_start_main (/lib64/libc.so.6+0x21b34)
#2 0x400688 in _start (/home/work/test/main+0x400688)
Address 0x7ffdc56432ac is located at offset 76 in frame <main> of T0's stack:
This frame has 1 object(s):
[32, 68) 'a'
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
(longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow /home/work/test/main.cpp:6 main
Shadow bytes around the buggy address:
0x100038ac0600: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100038ac0610: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100038ac0620: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100038ac0630: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100038ac0640: 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1
=>0x100038ac0650: 00 00 00 00 04[f4]f4 f4 f3 f3 f3 f3 00 00 00 00
0x100038ac0660: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100038ac0670: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100038ac0680: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100038ac0690: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100038ac06a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap righ redzone: fb
Freed Heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
ASan internal: fe
==6605== ABORTING
6. 参考:
[1]如何排查大型C程序中的内存写越界导致的coredump?
[2]应用 AddressSanitizer 发现程序内存错误
[3]Linux 下的 AddressSanitizer
[4]从segmentfault段错误谈起-(1)
[5]踩内存专题分析
[6]How to use AddressSanitizer with GCC?
网友评论