Introduction to Sanitizers
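Sanitizers are memory-error detection tools open-sourced by Google. They include AddressSanitizer, MemorySanitizer, ThreadSanitizer and LeakSanitizer. Sanitizers are part of LLVM. gcc 4.8 supports Address and Thread Sanitizer. gcc 4.9 supports Leak Sanitizer and UBSanitizer.
Note: gcc does not support MemorySanitizer.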
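
Memory problems that can be detected
1. heap use after free: heap memory is used after it has been freed
2. stack use after return: stack memory is used after the function has returned
3. stack use after scope: stack memory is used outside its scope
4. heap buffer overflow: out-of-bounds access to heap memory
5. stack buffer overflow: out-of-bounds access to stack memory
6. global buffer overflow: out-of-bounds access to global memory
7. memory leaks: allocated memory is never freed
8. double free: heap memory is freed twice
9. initialization order bugs: errors in initialization order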
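
Compile flags for each problem
1-6: -fsanitize=address
7: -fsanitize=address or -fsanitize=leak
8: -fsanitize=address
9: -fsanitize=memory

The -fsanitize compile flag selects which sanitizer is enabled:
-fsanitize=address enables AddressSanitizer (ASan), which includes LeakSanitizer (LSan); it detects out-of-bounds accesses and memory leaks.
-fsanitize=leak enables LeakSanitizer (LSan); it detects memory leaks.
Both -fsanitize=address and -fsanitize=leak can detect memory leaks.
-fsanitize=thread enables ThreadSanitizer (TSan); it detects data races and deadlocks.
-fsanitize=undefined enables UndefinedBehaviorSanitizer (UBSan); it detects undefined behavior.
-fsanitize=memory enables MemorySanitizer (MSan); it detects uninitialized-memory problems. (gcc does not support MemorySanitizer.)
-fno-omit-frame-pointer prints the function call stack when a memory error is detected; always pass this flag.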

Detection examples
Compiler: gcc/g++

1. heap use after free: heap memory is used after it has been freed

#include <stdio.h>
int main (int argc, char* argv[]) {
    int* p = new int[100];
    delete [] p;
    int num = p[0];  // read through p after delete[]
    return 0;
}

Compile command: g++ -o out main.cpp -g -fsanitize=address -fno-omit-frame-pointer
Run command: ./out

==10606==ERROR: AddressSanitizer: heap-use-after-free on address 0x61400000fe40 at pc 0x00000040075d bp 0x7ffe7a4adfe0 sp 0x7ffe7a4adfd8
READ of size 4 at 0x61400000fe40 thread T0
    #0 0x40075c in main /home/code/main.cpp:5
    #1 0x7efec0def504 in __libc_start_main (/lib64/libc.so.6+0x22504)
    #2 0x400628 (/home/code/out+0x400628)

0x61400000fe40 is located 0 bytes inside of 400-byte region [0x61400000fe40,0x61400000ffd0)
freed by thread T0 here:
    #0 0x7efec1ac1f2a in operator delete[](void*) ../../../../libsanitizer/asan/asan_new_delete.cc:96
    #1 0x400725 in main /home/code/main.cpp:4
    #2 0x7efec0def504 in __libc_start_main (/lib64/libc.so.6+0x22504)

previously allocated by thread T0 here:
    #0 0x7efec1ac19ea in operator new[](unsigned long) ../../../../libsanitizer/asan/asan_new_delete.cc:62
    #1 0x40070e in main /home/code/main.cpp:3
    #2 0x7efec0def504 in __libc_start_main (/lib64/libc.so.6+0x22504)

SUMMARY: AddressSanitizer: heap-use-after-free /home/code/main.cpp:5 main
Shadow bytes around the buggy address:
  0x0c287fff9f70: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c287fff9f80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c287fff9f90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c287fff9fa0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c287fff9fb0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c287fff9fc0: fa fa fa fa fa fa fa fa[fd]fd fd fd fd fd fd fd
  0x0c287fff9fd0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c287fff9fe0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c287fff9ff0: fd fd fd fd fd fd fd fd fd fd fa fa fa fa fa fa
  0x0c287fffa000: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c287fffa010: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
==10606==ABORTING

2. stack use after return: stack memory is used after the function has returned

#include <stdio.h>
int* p = NULL;
void fun() {
    int a[10];
    p = a; // or p = &a[0];
}
int main(int argc, char* argv[]) {
    fun();
    int num = p[0];  // a[] no longer exists once fun() has returned
    return 0;
}

Compile command: g++ -o out main.cpp -g -fsanitize=address -fno-omit-frame-pointer
Run command: ASAN_OPTIONS=detect_stack_use_after_return=1 ./out
Note: this check is not enabled by default and has to be turned on at run time.

==18619==ERROR: AddressSanitizer: stack-use-after-return on address 0x7f4f81500020 at pc 0x0000004008ea bp 0x7fffb49f6700 sp 0x7fffb49f66f8
WRITE of size 4 at 0x7f4f81500020 thread T0
    #0 0x4008e9 in main /home/code/main.cpp:9
    #1 0x7f4f84a7a504 in __libc_start_main (/lib64/libc.so.6+0x22504)
    #2 0x400708 (/home/code/out+0x400708)

Address 0x7f4f81500020 is located in stack of thread T0 at offset 32 in frame
    #0 0x4007e5 in fun() /home/code/main.cpp:3

  This frame has 1 object(s):
    [32, 72) 'a' <== Memory access at offset 32 is inside this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-use-after-return /home/code/main.cpp:9 main
==18619==ABORTING

3. stack use after scope: stack memory is used outside its scope
No sample that gets detected has been found so far.
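
A sample for case 3, added here and not part of the original page: it assumes GCC 7 or later (or a recent Clang), where -fsanitize=address also checks scope exits; the gcc 4.8/4.9 releases mentioned above do not perform this check. The file name, function names and variables are hypothetical.

```cpp
// scope.cpp (added example, hypothetical names)
// Build: g++ -o out scope.cpp -g -fsanitize=address -fno-omit-frame-pointer
// Assumes GCC >= 7 or a recent Clang, where use-after-scope checking
// is part of -fsanitize=address.
#include <cstdio>

// volatile pointer object: keeps the compiler from folding the
// dangling access away.
static int* volatile g_p = nullptr;

// Buggy form. When touch_after_scope is true, the function reads
// `local` through g_p after the block that declared it has ended.
int sum_with_dangling_pointer(bool touch_after_scope) {
    int total = 0;
    {
        int local = 42;
        g_p = &local;   // the address escapes the block
        total += *g_p;  // fine: local is still in scope
    }                   // instrumented builds poison local's slot here
    if (touch_after_scope)
        total += *g_p;  // stack-use-after-scope: read of a dead variable
    return total;
}

// Corrected form: copy the value out while the variable is alive
// instead of keeping a pointer to it.
int sum_with_copy() {
    int total = 0;
    int saved = 0;
    {
        int local = 42;
        saved = local;
        total += local;
    }
    total += saved;
    return total;
}

int main() {
    std::printf("fixed: %d\n", sum_with_copy());
    // With the build line above, ASan stops the program inside this call.
    std::printf("buggy: %d\n", sum_with_dangling_pointer(true));
    return 0;
}
```

Without the sanitizer the buggy call usually returns a plausible value, which is why this class of bug goes unnoticed in ordinary test runs.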

4. heap buffer overflow: out-of-bounds access to heap memory

#include <stdio.h>
int main (int argc, char* argv[]) {
    int* p = new int[100];
    int num = p[100];  // index 100 is one past the last element
    delete [] p;
    return 0;
}

Compile command: g++ -o out main.cpp -g -fsanitize=address -fno-omit-frame-pointer
Run command: ./out

==9226==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61400000ffd0 at pc 0x000000400750 bp 0x7ffef70c5d80 sp 0x7ffef70c5d78
READ of size 4 at 0x61400000ffd0 thread T0
    #0 0x40074f in main /home/code/main.cpp:4
    #1 0x7f12e7482504 in __libc_start_main (/lib64/libc.so.6+0x22504)
    #2 0x400628 (/home/code/out+0x400628)

0x61400000ffd0 is located 0 bytes to the right of 400-byte region [0x61400000fe40,0x61400000ffd0)
allocated by thread T0 here:
    #0 0x7f12e81549ea in operator new[](unsigned long) ../../../../libsanitizer/asan/asan_new_delete.cc:62
    #1 0x40070e in main /home/code/main.cpp:3
    #2 0x7f12e7482504 in __libc_start_main (/lib64/libc.so.6+0x22504)

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/code/main.cpp:4 main
==9226==ABORTING

5. stack buffer overflow: out-of-bounds access to stack memory

#include <stdio.h>
int main(int argc, char* argv[]) {
    int a[2] = {100,200};
    int num = a[2];  // a has only indices 0 and 1
    return 0;
}

Compile command: g++ -o out main.cpp -g -fsanitize=address -fno-omit-frame-pointer
Run command: ./out

==787==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffcade3daa8 at pc 0x0000004007df bp 0x7ffcade3da50 sp 0x7ffcade3da48
READ of size 4 at 0x7ffcade3daa8 thread T0
    #0 0x4007de in main /home/code/main.cpp:4
    #1 0x7f8c39562504 in __libc_start_main (/lib64/libc.so.6+0x22504)
    #2 0x400648 (/home/code/out+0x400648)

Address 0x7ffcade3daa8 is located in stack of thread T0 at offset 40 in frame
    #0 0x400725 in main /home/code/main.cpp:2

  This frame has 1 object(s):
    [32, 40) 'a' <== Memory access at offset 40 overflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow /home/code/main.cpp:4 main
==787==ABORTING

6. global buffer overflow: out-of-bounds access to global memory

#include <stdio.h>
int a[100];
int main(int argc, char* argv[]) {
    int num = a[100];  // one past the end of the global array
    return 0;
}

Compile command: g++ -o out main.cpp -g -fsanitize=address -fno-omit-frame-pointer
Run command: ./out

==9628==ERROR: AddressSanitizer: global-buffer-overflow on address 0x000000601270 at pc 0x000000400755 bp 0x7ffd15bcd0d0 sp 0x7ffd15bcd0c8
READ of size 4 at 0x000000601270 thread T0
    #0 0x400754 in main /home/code/main.cpp:4
    #1 0x7fc3d46e9504 in __libc_start_main (/lib64/libc.so.6+0x22504)
    #2 0x400648 (/home/code/out+0x400648)

0x000000601270 is located 0 bytes to the right of global variable 'array' defined in 'main.cpp:2:5' (0x6010e0) of size 400
SUMMARY: AddressSanitizer: global-buffer-overflow /home/code/main.cpp:4 main
==9628==ABORTING

7. memory leaks: allocated memory is never freed

#include <stdlib.h>
int main(int argc, char *argv[]) {
    int* p = (int*)malloc(10 * sizeof(int));  // allocated and never freed
    return 0;
}

Compile command: g++ -o out main.cpp -g -fsanitize=address -fno-omit-frame-pointer or g++ -o out main.cpp -g -fsanitize=leak -fno-omit-frame-pointer
Run command: ./out

==12458==ERROR: LeakSanitizer: detected memory leaks

Direct leak of 40 byte(s) in 1 object(s) allocated from:
    #0 0x7f36642dc5e6 in __interceptor_malloc ../../../../libsanitizer/lsan/lsan_interceptors.cc:51
    #1 0x400611 in main /home/code/main.cpp:3
    #2 0x7f3663692504 in __libc_start_main (/lib64/libc.so.6+0x22504)

SUMMARY: LeakSanitizer: 40 byte(s) leaked in 1 allocation(s).

8. double free: heap memory is freed twice

#include <stdio.h>
int main(int argc, char* argv[]) {
    int* p = new int[10];
    delete [] p;
    delete [] p;  // second delete[] of the same pointer
    return 0;
}

Compile command: g++ -o out main.cpp -g -fsanitize=address -fno-omit-frame-pointer
Run command: ./out

==31497==ERROR: AddressSanitizer: attempting double-free on 0x60400000dfd0 in thread T0:
    #0 0x7fa32a746f2a in operator delete[](void*) ../../../../libsanitizer/asan/asan_new_delete.cc:96
    #1 0x4006d8 in main /home/code/main.cpp:5
    #2 0x7fa329a74504 in __libc_start_main (/lib64/libc.so.6+0x22504)
    #3 0x4005c8 (/home/code/out+0x4005c8)

0x60400000dfd0 is located 0 bytes inside of 40-byte region [0x60400000dfd0,0x60400000dff8)
freed by thread T0 here:
    #0 0x7fa32a746f2a in operator delete[](void*) ../../../../libsanitizer/asan/asan_new_delete.cc:96
    #1 0x4006c5 in main /home/code/main.cpp:4
    #2 0x7fa329a74504 in __libc_start_main (/lib64/libc.so.6+0x22504)

previously allocated by thread T0 here:
    #0 0x7fa32a7469ea in operator new[](unsigned long) ../../../../libsanitizer/asan/asan_new_delete.cc:62
    #1 0x4006ae in main /home/code/main.cpp:3
    #2 0x7fa329a74504 in __libc_start_main (/lib64/libc.so.6+0x22504)

SUMMARY: AddressSanitizer: double-free ../../../../libsanitizer/asan/asan_new_delete.cc:96 operator delete[](void*)
==31497==ABORTING

9. initialization order bugs: errors in initialization order
No sample that gets detected has been found so far.