當(dāng)前位置:首頁 > 公眾號(hào)精選 > C語言與CPP編程

C/C 動(dòng)態(tài)檢測(cè)內(nèi)存錯(cuò)誤利器 - ASan

時(shí)間:2021-11-29 15:25:10
關(guān)鍵字: 內(nèi)存   
手機(jī)看文章

掃描二維碼
隨時(shí)隨地手機(jī)看文章

[導(dǎo)讀]來自公眾號(hào):大胖聊編程作者:大胖ASan,即AddressSanitizer,是一個(gè)適用于c/c程序的動(dòng)態(tài)內(nèi)存錯(cuò)誤檢測(cè)器,它由一個(gè)編譯器檢測(cè)模塊(LLVMpass)和一個(gè)替換malloc函數(shù)的運(yùn)行時(shí)庫組成,在性能及檢測(cè)內(nèi)存錯(cuò)誤方面都優(yōu)于Valgrind,你值得擁有。一適用平臺(tái)在L...


來自公眾號(hào):大胖聊編程


作者:大胖


ASan,即Address Sanitizer,是一個(gè)適用于c/c 程序的動(dòng)態(tài)內(nèi)存錯(cuò)誤檢測(cè)器,它由一個(gè)編譯器檢測(cè)模塊(LLVM pass)和一個(gè)替換malloc函數(shù)的運(yùn)行時(shí)庫組成,在性能及檢測(cè)內(nèi)存錯(cuò)誤方面都優(yōu)于Valgrind,你值得擁有。
一適用平臺(tái)在LLVM3.1版之后,ASan就是其的一個(gè)組成部分,所以所有適用LLVM的平臺(tái),且llvm版本大于3.1的,都可以適用ASan來檢查c/c 內(nèi)存錯(cuò)誤。對(duì)于gcc,則是4.8版本之后才加入ASan,但是ASan的完整功能則是要gcc版本在4.9.2以上。



二強(qiáng)大功能ASan作為編譯器內(nèi)置功能,支持檢測(cè)各種內(nèi)存錯(cuò)誤:
  • 緩沖區(qū)溢出
    ① 堆內(nèi)存溢出
    ② 棧上內(nèi)存溢出
    ③ 全局區(qū)緩存溢出
  • 懸空指針(引用)
    ① 使用釋放后的堆上內(nèi)存
    ② 使用返回的棧上內(nèi)存
    ③ 使用退出作用域的變量
  • 非法釋放
    ① 重復(fù)釋放
    ② 無效釋放
  • 內(nèi)存泄漏
  • 初始化順序?qū)е碌膯栴}
ASan和Valgrind對(duì)比如下圖:



三如何使用
  1. 使用ASan時(shí),只需gcc選項(xiàng)加上-fsanitize=address選項(xiàng);
  2. 如果想要在使用asan的時(shí)候獲取更好的性能,可以加上O1或者更高的編譯優(yōu)化選項(xiàng);
  3. 想要在錯(cuò)誤信息中讓棧追溯信息更友好,可以加上-fno-omit-frame-pointer選項(xiàng)。
  4. 本文針對(duì)linux x86-64平臺(tái),gcc編譯器環(huán)境實(shí)驗(yàn)。

本文實(shí)驗(yàn)環(huán)境:
[root@yglocal ~]# lsb_release -aLSB Version: :core-4.1-amd64:core-4.1-noarchDistributor ID: CentOSDescription: CentOS Linux release 8.1.1911 (Core) Release: 8.1.1911Codename: Core[root@yglocal ~]# uname -r4.18.0-147.el8.x86_64[root@yglocal ~]# gcc --versiongcc (GCC) 8.3.1 20190507 (Red Hat 8.3.1-4)Copyright (C) 2018 Free Software Foundation, Inc.This is free software; see the source for copying conditions. There is NOwarranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE
在centos上使用ASan,編譯會(huì)報(bào)如下錯(cuò)誤(gcc 4.8.5):


[root@localhost test]# gcc -g -O2 -fsanitize=address -fno-omit-frame-pointer hello.c /usr/bin/ld: cannot find /usr/lib64/libasan.so.0.0.0collect2: error: ld returned 1 exit status


安裝libasan即可:
[root@localhost test]# yum install libasan


注:ubuntu x86-64系統(tǒng)只需gcc版本高于4.8即可;但是在rhel/centos上使用ASan功能,除了gcc版本大于4.8之外,還需要安裝libasan。
下面針對(duì)內(nèi)存的幾種c/c 常見內(nèi)存錯(cuò)誤,編寫例子,看下ASan的檢測(cè)輸出情況:


1
堆緩沖區(qū)溢出


測(cè)試代碼:
[root@yglocal asan_test]# vi heap_ovf_test.c
#include #include #include

int main(){ char *heap_buf = (char*)malloc(32*sizeof(char)); memcpy(heap_buf 30, "overflow", 8); //在heap_buf的第30個(gè)字節(jié)開始,拷貝8個(gè)字符
 free(heap_buf);
 return 0;}
編譯并運(yùn)行:


[root@yglocal asan_test]# gcc -fsanitize=address -fno-omit-frame-pointer -o heap_ovf_test heap_ovf_test.c [root@yglocal asan_test]# ./heap_ovf_test ===================================================================40602==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x603000000030 at pc 0x7f3de8f91a1d bp 0x7ffd4b4ebb60 sp 0x7ffd4b4eb308WRITE of size 8 at 0x603000000030 thread T0 #0 0x7f3de8f91a1c (/lib64/libasan.so.5 0x40a1c) #1 0x400845 in main (/root/asan_test/heap_ovf_test 0x400845) #2 0x7f3de8bb1872 in __libc_start_main (/lib64/libc.so.6 0x23872) #3 0x40075d in _start (/root/asan_test/heap_ovf_test 0x40075d)
0x603000000030 is located 0 bytes to the right of 32-byte region [0x603000000010,0x603000000030)allocated by thread T0 here: #0 0x7f3de9040ba8 in __interceptor_malloc (/lib64/libasan.so.5 0xefba8) #1 0x400827 in main (/root/asan_test/heap_ovf_test 0x400827) #2 0x7f3de8bb1872 in __libc_start_main (/lib64/libc.so.6 0x23872)
SUMMARY: AddressSanitizer: heap-buffer-overflow (/lib64/libasan.so.5 0x40a1c) Shadow bytes around the buggy address: 0x0c067fff7fb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c067fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c067fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c067fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c067fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00=>0x0c067fff8000: fa fa 00 00 00 00[fa]fa fa fa fa fa fa fa fa fa 0x0c067fff8010: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c067fff8020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c067fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c067fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c067fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa faShadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb==40602==ABORTING[root@yglocal asan_test]#
可以看到asan報(bào)錯(cuò):==40602==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x603000000030 at xxxx,下面也列出了發(fā)生heap-buffer-overflow時(shí)的調(diào)用鏈及heap buffer在哪里申請(qǐng)的。



2
棧緩沖區(qū)溢出


測(cè)試代碼:
[root@yglocal asan_test]# vi stack_ovf_test.c
#include #include
int main(){ char stack_buf[4] = {0}; strcpy(stack_buf, "1234");
 return 0;}
編譯并運(yùn)行:


[root@yglocal asan_test]# ./stack_ovf_test ===================================================================38634==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffcf3d8b8d4 at pc 0x7f8714bbaa1d bp 0x7ffcf3d8b8a0 sp 0x7ffcf3d8b048WRITE of size 5 at 0x7ffcf3d8b8d4 thread T0 #0 0x7f8714bbaa1c (/lib64/libasan.so.5 0x40a1c) #1 0x400949 in main (/root/asan_test/stack_ovf_test 0x400949) #2 0x7f87147da872 in __libc_start_main (/lib64/libc.so.6 0x23872) #3 0x4007cd in _start (/root/asan_test/stack_ovf_test 0x4007cd)
Address 0x7ffcf3d8b8d4 is located in stack of thread T0 at offset 36 in frame #0 0x400895 in main (/root/asan_test/stack_ovf_test 0x400895)
 This frame has 1 object(s): [32, 36) 'stack_buf' <== Memory access at offset 36 overflows this variableHINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext (longjmp and C exceptions *are* supported)SUMMARY: AddressSanitizer: stack-buffer-overflow (/lib64/libasan.so.5 0x40a1c) Shadow bytes around the buggy address: 0x10001e7a96c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x10001e7a96d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x10001e7a96e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x10001e7a96f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x10001e7a9700: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00=>0x10001e7a9710: 00 00 00 00 00 00 f1 f1 f1 f1[04]f2 f2 f2 f3 f3 0x10001e7a9720: f3 f3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x10001e7a9730: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x10001e7a9740: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x10001e7a9750: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x10001e7a9760: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00......


可以看到asan報(bào)錯(cuò):==38634==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffcf3d8b8d4 at xxx,發(fā)生stack buffer overflow時(shí)函數(shù)的調(diào)用鏈信息。


3
使用懸空指針


測(cè)試代碼:
[root@yglocal asan_test]# vi dangling_pointer_test.c
#include #include #include
int main(){ char *p = (char*)malloc(32*sizeof(char)); free(p);
 int a = p[1];
 return 0;} 編譯并運(yùn)行:
[root@yglocal asan_test]# gcc -fsanitize=address -fno-omit-frame-pointer -o dangling_pointer_test dangling_pointer_test.c [root@yglocal asan_test]# ./dangling_pointer_test ===================================================================83532==ERROR: AddressSanitizer: heap-use-after-free on address 0x603000000011 at pc 0x0000004007c4 bp 0x7ffd7f562760 sp 0x7ffd7f562750READ of size 1 at 0x603000000011 thread T0 #0 0x4007c3 in main (/root/asan_test/dangling_pointer_test 0x4007c3) #1 0x7f56196cd872 in __libc_start_main (/lib64/libc.so.6 0x23872) #2 0x4006ad in _start (/root/asan_test/dangling_pointer_test 0x4006ad)
0x603000000011 is located 1 bytes inside of 32-byte region [0x603000000010,0x603000000030)freed by thread T0 here: #0 0x7f5619b5c7e0 in __interceptor_free (/lib64/libasan.so.5 0xef7e0) #1 0x400787 in main (/root/asan_test/dangling_pointer_test 0x400787) #2 0x7f56196cd872 in __libc_start_main (/lib64/libc.so.6 0x23872)
previously allocated by thread T0 here: #0 0x7f5619b5cba8 in __interceptor_malloc (/lib64/libasan.so.5 0xefba8) #1 0x400777 in main (/root/asan_test/dangling_pointer_test 0x400777) #2 0x7f56196cd872 in __libc_start_main (/lib64/libc.so.6 0x23872)
SUMMARY: AddressSanitizer: heap-use-after-free (/root/asan_test/dangling_pointer_test 0x4007c3) in mainShadow bytes around the buggy address: 0x0c067fff7fb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c067fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c067fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c067fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c067fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00=>0x0c067fff8000: fa fa[fd]fd fd fd fa fa fa fa fa fa fa fa fa fa 0x0c067fff8010: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c067fff8020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c067fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c067fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c067fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa faShadow byte legend (one shadow byte represents 8 application bytes):......
4
使用棧上返回的變量


[root@yglocal asan_test]# vi use-after-return.c
#include #include #include int *ptr;void get_pointer(){ int local[10]; ptr =
本站聲明: 本文章由作者或相關(guān)機(jī)構(gòu)授權(quán)發(fā)布,目的在于傳遞更多信息,并不代表本站贊同其觀點(diǎn),本站亦不保證或承諾內(nèi)容真實(shí)性等。需要轉(zhuǎn)載請(qǐng)聯(lián)系該專欄作者,如若文章內(nèi)容侵犯您的權(quán)益,請(qǐng)及時(shí)聯(lián)系本站刪除。
換一批
延伸閱讀

三星宣布,其最新的LPDDR5X內(nèi)存已通過驗(yàn)證,可在驍龍(Snapdragon)移動(dòng)平臺(tái)上使用,該內(nèi)存速度可達(dá)到當(dāng)前業(yè)界最快的8.5 千兆比特每秒(Gbps)。通過優(yōu)化應(yīng)用處理器和存儲(chǔ)器之間的高速信號(hào)環(huán)境,三星超過了自身...

關(guān)鍵字: GBPS 三星 內(nèi)存 LPDDR5

(全球TMT2022年10月18日訊)三星宣布,其最新的LPDDR5X內(nèi)存已通過驗(yàn)證,可在驍龍(Snapdragon)移動(dòng)平臺(tái)上使用,該內(nèi)存速度可達(dá)到當(dāng)前業(yè)界最快的8.5 千兆比特每秒(Gbps)。通過優(yōu)化應(yīng)用處理器和...

關(guān)鍵字: GBPS 三星 亞馬遜 內(nèi)存

在三星 Tech Day 2022 活動(dòng)上,三星電子總裁兼內(nèi)存業(yè)務(wù)負(fù)責(zé)人 Jung-bae Lee 表示,三星 40 多年來共生產(chǎn)了 1 萬億 GB 內(nèi)存,僅在過去三年中就產(chǎn)生了大約一半。

關(guān)鍵字: 三星 內(nèi)存 儲(chǔ)存芯片

擱在四五年前,板載內(nèi)存極大可能會(huì)被用戶視為一臺(tái)輕薄本的缺點(diǎn),其實(shí)這也很好理解,板載內(nèi)存無法擴(kuò)容,而且當(dāng)時(shí)內(nèi)存容量并不大,板載內(nèi)存的頻率也普遍偏低,性能稍差,所以很多朋友選購輕薄本的時(shí)候,都會(huì)避開板載內(nèi)存。

關(guān)鍵字: 板載 內(nèi)存 半導(dǎo)體

繼DDR5 DRAM成為英特爾“Alder Lake”第12代處理器的標(biāo)準(zhǔn)配置之后,AMD近日也宣布其7000系列處理器將支持DDR5內(nèi)存,并在9月27日正式上市。AMD表示,該平臺(tái)將不再支持DDR4,只支持DDR5產(chǎn)品...

關(guān)鍵字: DDR5 內(nèi)存 三星

GRL通過與FuturePlus的合作伙伴關(guān)系,擴(kuò)大了全球七個(gè)實(shí)驗(yàn)室所提供的DDR和LPDDR內(nèi)存測(cè)試服務(wù)組合  加利福尼亞州圣克拉拉市2022年9月15日 /美...

關(guān)鍵字: DDR FUTURE SYSTEMS 內(nèi)存

上海2022年9月1日 /美通社/ -- 瀾起科技宣布在業(yè)界率先推出DDR5第一子代時(shí)鐘驅(qū)動(dòng)器(簡(jiǎn)稱CKD或DDR5CK01)工程樣片,并已送樣給業(yè)界主流內(nèi)存廠商,該產(chǎn)品將用于新一代臺(tái)式機(jī)和筆記本電腦的內(nèi)存。 瀾起科技...

關(guān)鍵字: DDR 驅(qū)動(dòng)器 時(shí)鐘驅(qū)動(dòng) 內(nèi)存

(全球TMT2022年9月1日訊)IMAX中國宣布2022年暑期檔IMAX總票房達(dá)到3.03億元人民幣,較去年同期大幅增長34%。與此同時(shí),2022年全國暑期檔票房達(dá)到92億元,較去年增長24%。目前全國有680家IM...

關(guān)鍵字: 亞馬遜 DDR 內(nèi)存 安集科技

(全球TMT2022年8月23日訊)科大訊飛披露2022年半年度報(bào)告,上半年實(shí)現(xiàn)營業(yè)收入為80.23億元,同比增長26.97%;歸母凈利潤2.78億元,同比下滑33.57%。 云米發(fā)布截至6月30日的20...

關(guān)鍵字: 科大訊飛 內(nèi)存 VR AI

北京2022年8月22日 /美通社/ -- 前言: 在企業(yè)數(shù)字化轉(zhuǎn)型的今天,數(shù)據(jù)已經(jīng)成為企業(yè)賴以生存的基礎(chǔ)。數(shù)據(jù)的丟失或者損壞將會(huì)給企業(yè)帶來無法估量的損失。因此如何進(jìn)行數(shù)據(jù)保護(hù)與保障數(shù)據(jù)一致性成為必須面對(duì)的挑戰(zhàn)...

關(guān)鍵字: 內(nèi)存 虛擬化 OPENSTACK OS

C語言與CPP編程

252 篇文章

關(guān)注

發(fā)布文章

編輯精選

技術(shù)子站

關(guān)閉