A Simple AddressSanitizer Tutorial

1. A Simple AddressSanitizer Tutorial

1.1 Installation

yum install libasan

The libasan package only provides the ASan runtime (libasan.so); the instrumentation itself comes with gcc, so gcc must be installed as well, and the libasan version must match the gcc version.

1.2 Demo

#include <stdlib.h>
int main() {
  char *x = (char*)malloc(10 * sizeof(char*));  /* 10 * 8 = 80 bytes on x86_64: the "80-byte region" in the report below */
  free(x);
  return x[5];                                  /* read of freed memory: heap-use-after-free */
}
1.2.1 Compile

gcc -fsanitize=address -fno-omit-frame-pointer -O1 -g use-after-free.cc -o use-after-free

Flag notes:

Compile and link with -fsanitize=address.
Compile with -fno-omit-frame-pointer so the error report contains a usable stack trace (ASan's fast unwinder walks frame pointers).
Add -O1 for reasonable performance; -g keeps file names and line numbers in the report (the use-after-free.cc:5 below).

1.2.2 Run

LD_PRELOAD=/usr/lib64/libasan.so.5.0.0 ./use-after-free

gcc links libasan.so dynamically by default, so the LD_PRELOAD is not strictly needed for a binary built with -fsanitize=address (ldd ./use-after-free | grep libasan shows it is already linked in). Preloading matters when the sanitized code lives in a shared library that is loaded by an uninstrumented executable.

=================================================================
==1949==ERROR: AddressSanitizer: heap-use-after-free on address 0x607000000025 at pc 0x0000004011b4 bp 0x7ffd5bdf1fb0 sp 0x7ffd5bdf1fa0
READ of size 1 at 0x607000000025 thread T0
    #0 0x4011b3 in main /code/test/use-after-free.cc:5
    #1 0x7f3a0d0e06a2 in __libc_start_main (/lib64/libc.so.6+0x236a2)
    #2 0x4010ad in _start (/code/test/use-after-free+0x4010ad)

0x607000000025 is located 5 bytes inside of 80-byte region [0x607000000020,0x607000000070)
freed by thread T0 here:
    #0 0x7f3a0d56e890 in __interceptor_free (/usr/lib64/libasan.so.5.0.0+0xef890)
    #1 0x401183 in main /code/test/use-after-free.cc:4
    #2 0x7f3a0d0e06a2 in __libc_start_main (/lib64/libc.so.6+0x236a2)

previously allocated by thread T0 here:
    #0 0x7f3a0d56ec58 in __interceptor_malloc (/usr/lib64/libasan.so.5.0.0+0xefc58)
    #1 0x401178 in main /code/test/use-after-free.cc:3
    #2 0x7f3a0d0e06a2 in __libc_start_main (/lib64/libc.so.6+0x236a2)

SUMMARY: AddressSanitizer: heap-use-after-free /code/test/use-after-free.cc:5 in main
Shadow bytes around the buggy address:
  0x0c0e7fff7fb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c0e7fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c0e7fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c0e7fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c0e7fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c0e7fff8000: fa fa fa fa[fd]fd fd fd fd fd fd fd fd fd fa fa
  0x0c0e7fff8010: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0e7fff8020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0e7fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0e7fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0e7fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==1949==ABORTING
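The "Shadow bytes around the buggy address" section of the report is worth being able to read by hand. The following is an added example, not code from the tutorial or from the ASan runtime: it reproduces the arithmetic ASan's instrumentation uses, assuming the x86_64 Linux mapping of each 8 application bytes to one shadow byte at (addr >> 3) + 0x7fff8000 (other targets use different offsets). A shadow value of 0 means the whole 8-byte granule is addressable, 1..7 means only the first k bytes are, and any negative value (0xfa heap redzone, 0xfd freed, ...) means the granule is poisoned. The addresses and the shadow row come from the report above.

```c
/* Added example: ASan shadow-memory arithmetic, checked against the report above.
 * Assumption: x86_64 Linux layout (scale 3, offset 0x7fff8000). */
#include <inttypes.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define ASAN_SHADOW_SCALE  3
#define ASAN_SHADOW_OFFSET 0x7fff8000ULL

/* Shadow byte that describes the 8-byte granule containing addr. */
static uint64_t asan_shadow_addr(uint64_t addr) {
    return (addr >> ASAN_SHADOW_SCALE) + ASAN_SHADOW_OFFSET;
}

/* Inverse mapping: first application address covered by a shadow byte. */
static uint64_t asan_app_addr(uint64_t shadow) {
    return (shadow - ASAN_SHADOW_OFFSET) << ASAN_SHADOW_SCALE;
}

/* The check ASan inserts before a load/store of 1..8 bytes that stays inside
 * one granule: returns 1 if the access is allowed, 0 if it must be reported. */
static int asan_access_ok(uint64_t addr, size_t size, int8_t shadow) {
    if (size == 0 || size > 8) return 0;          /* outside this fast path */
    if (shadow == 0) return 1;                    /* fully addressable granule */
    if (shadow < 0) return 0;                     /* redzone, freed, etc. */
    unsigned last = (unsigned)(addr & 7) + (unsigned)size - 1;
    return last < (unsigned)shadow;               /* partially addressable: bytes 0..k-1 */
}

/* Given one 16-byte row of the shadow dump and the index of the marked byte,
 * extend left and right over equal shadow values to recover the application
 * address range of that region, as printed in "is located N bytes inside of". */
static void shadow_region_bounds(uint64_t row_shadow_addr, const uint8_t row[16], int idx,
                                 uint64_t *begin, uint64_t *end) {
    int lo = idx, hi = idx;
    while (lo > 0 && row[lo - 1] == row[idx]) lo--;
    while (hi < 15 && row[hi + 1] == row[idx]) hi++;
    *begin = asan_app_addr(row_shadow_addr + (uint64_t)lo);
    *end   = asan_app_addr(row_shadow_addr + (uint64_t)hi + 1);
}

int main(void) {
    /* Values taken from the heap-use-after-free report on this page. */
    const uint64_t bad = 0x607000000025ULL;
    static const uint8_t row[16] = { 0xfa,0xfa,0xfa,0xfa,0xfd,0xfd,0xfd,0xfd,
                                     0xfd,0xfd,0xfd,0xfd,0xfd,0xfd,0xfa,0xfa };
    uint64_t sh = asan_shadow_addr(bad);
    uint64_t begin, end;

    printf("app %#" PRIx64 " -> shadow %#" PRIx64 " (row %#" PRIx64 ", byte %d)\n",
           bad, sh, sh & ~0xfULL, (int)(sh & 0xf));
    printf("1-byte read allowed with shadow 0xfd? %d\n",
           asan_access_ok(bad, 1, (int8_t)row[sh & 0xf]));
    shadow_region_bounds(sh & ~0xfULL, row, (int)(sh & 0xf), &begin, &end);
    printf("freed region [%#" PRIx64 ",%#" PRIx64 "), %" PRIu64 " bytes\n",
           begin, end, end - begin);
    return 0;
}
```

Running it shows that 0x607000000025 maps to shadow byte 0x0c0e7fff8004, the fifth byte of the row marked with => in the report, and that the run of ten 0xfd bytes around it spans exactly [0x607000000020,0x607000000070): ten granules of 8 bytes, the 80-byte allocation from the demo.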

If you only want to detect memory leaks, -fsanitize=leak alone is enough; -fsanitize=address is not required. (On x86_64 Linux -fsanitize=address already includes LeakSanitizer, so an ASan build such as the demo above also runs a leak check at exit.)

1.3 Detecting memory leaks

1.3.1 Demo

#include <stdlib.h>

void *p;

int main() {
  p = malloc(7);
  p = 0; // The memory is leaked here: the only pointer to the 7-byte block is overwritten.
  return 0;
}
1.3.2 Compile

gcc -fsanitize=leak -fno-omit-frame-pointer -O1 -g memory-leak.cc -o memory-leak

1.3.3 Link error

If linking fails with the following error:

/usr/bin/ld: cannot find /usr/lib64/liblsan.so.0.0.0
collect2: error: ld returned 1 exit status

the LeakSanitizer runtime (liblsan) is missing. Install the package that matches the installed gcc (the one below is for gcc 8.5.0 on CentOS 8):

wget https://vault.centos.org/centos/8/BaseOS/x86_64/os/Packages/liblsan-8.5.0-3.el8.x86_64.rpm

rpm -ivh liblsan-8.5.0-3.el8.x86_64.rpm

1.3.4 Run

./memory-leak

==2136==LeakSanitizer has encountered a fatal error.
==2136==HINT: For debugging, try setting environment variable LSAN_OPTIONS=verbosity=1:log_threads=1
==2136==HINT: LeakSanitizer does not work under ptrace (strace, gdb, etc)

No fix for this had been found when this was written; building with ASan instead and running as below produces the same error:
gcc -fsanitize=address -fno-omit-frame-pointer -O1 -g memory-leak.cc -o memory-leak
LD_PRELOAD=/usr/lib64/libasan.so.5.0.0 ./memory-leak

The message comes from the leak check itself, not from the program under test: at exit LeakSanitizer suspends every thread of the process with ptrace(2) before it scans memory, and it aborts like this when that attach is refused, which is also why the second hint says it cannot run under strace or gdb. A common cause is a container (Docker, for example) whose default seccomp profile or capability set blocks ptrace; starting the container with --cap-add=SYS_PTRACE is the usual remedy. To confirm that the rest of ASan works in the same environment, run the ASan build with ASAN_OPTIONS=detect_leaks=0, which skips the exit-time leak check.
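What the leak check does once the threads are stopped is easy to lose behind that error. The following added example (my code, not the tutorial's and not LeakSanitizer's) models LSan's exit-time algorithm on the demo above: every live chunk is registered, the root set is scanned conservatively for pointer-sized words that land inside a chunk, reachable chunks are scanned in turn, and whatever is left is reported as a "direct leak" (nothing points to it) or an "indirect leak" (only another leaked chunk points to it). The chunk registry, the root set (two globals) and the heap graph are constructed for the demo; real LSan takes them from its allocator and also scans each thread's stack, registers and TLS, which is why the demo keeps its pointers in globals.

```c
/* Added example: a miniature model of LeakSanitizer's leak classification.
 * Assumptions: chunks come from tracked_alloc(), roots are the two globals
 * passed to classify_leaks(); stacks/registers are not scanned. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_CHUNKS 16

enum chunk_state { UNREACHED = 0, REACHABLE, DIRECT_LEAK, INDIRECT_LEAK };

struct chunk { void *base; size_t size; enum chunk_state st; };
struct range { const void *begin; size_t len; };

static struct chunk chunks[MAX_CHUNKS];
static int nchunks;

/* Stand-in for the allocator hook through which LSan learns of every live
 * chunk. Zero-filled so stale bytes cannot masquerade as pointers. */
static void *tracked_alloc(size_t n) {
    void *p = calloc(1, n);
    if (p && nchunks < MAX_CHUNKS) {
        chunks[nchunks].base = p;
        chunks[nchunks].size = n;
        chunks[nchunks].st = UNREACHED;
        nchunks++;
    }
    return p;
}

/* Index of the chunk containing address v (interior pointers count), or -1. */
static int chunk_containing(uintptr_t v) {
    for (int i = 0; i < nchunks; i++) {
        uintptr_t b = (uintptr_t)chunks[i].base;
        if (v >= b && v < b + chunks[i].size) return i;
    }
    return -1;
}

/* Conservative scan of [begin, begin+len): each pointer-sized word that lands
 * inside an unmarked chunk marks it with `st`; with `follow` set the marked
 * chunk is scanned too, which yields reachability from the root set. */
static void scan_range(const void *begin, size_t len, enum chunk_state st, int follow) {
    for (size_t off = 0; off + sizeof(uintptr_t) <= len; off += sizeof(uintptr_t)) {
        uintptr_t v;
        memcpy(&v, (const char *)begin + off, sizeof v);
        int c = chunk_containing(v);
        if (c >= 0 && chunks[c].st == UNREACHED) {
            chunks[c].st = st;
            if (follow) scan_range(chunks[c].base, chunks[c].size, st, 1);
        }
    }
}

/* The exit-time check: mark everything reachable from the roots, then split
 * the remainder into indirect leaks (pointed to by another leaked chunk) and
 * direct leaks (pointed to by nothing at all). */
static void classify_leaks(const struct range *roots, int nroots) {
    for (int i = 0; i < nroots; i++)
        scan_range(roots[i].begin, roots[i].len, REACHABLE, 1);
    for (int i = 0; i < nchunks; i++)
        if (chunks[i].st != REACHABLE)
            scan_range(chunks[i].base, chunks[i].size, INDIRECT_LEAK, 0);
    for (int i = 0; i < nchunks; i++)
        if (chunks[i].st == UNREACHED) chunks[i].st = DIRECT_LEAK;
}

static size_t bytes_in_state(enum chunk_state st) {
    size_t n = 0;
    for (int i = 0; i < nchunks; i++)
        if (chunks[i].st == st) n += chunks[i].size;
    return n;
}

/* Constructed scenario: g_leaked is the page's global p, g_kept stays
 * referenced, and a two-node list is dropped by overwriting its head. */
static void *g_leaked;
static void *g_kept;
struct node { struct node *next; char payload[8]; };

static void build_scenario(void) {
    g_leaked = tracked_alloc(7);                 /* the page's malloc(7) ...          */
    g_leaked = NULL;                             /* ... and p = 0: direct leak, 7 bytes */
    g_kept = tracked_alloc(16);                  /* still reachable at exit: not reported */
    struct node *head = tracked_alloc(sizeof *head);
    head->next = tracked_alloc(sizeof *head);    /* reachable only through head */
    head = NULL;                                 /* head: direct leak; head->next: indirect leak */
}

/* Runs the scenario and the check; out[state] receives the byte total per state. */
static int run_demo(size_t out[4]) {
    build_scenario();
    struct range roots[] = { { &g_leaked, sizeof g_leaked }, { &g_kept, sizeof g_kept } };
    classify_leaks(roots, 2);
    for (int s = 0; s < 4; s++) out[s] = bytes_in_state((enum chunk_state)s);
    return nchunks;
}

int main(void) {
    size_t b[4];
    int n = run_demo(b);
    printf("%d chunk(s) tracked\n", n);
    printf("Direct leak of %zu byte(s)\n", b[DIRECT_LEAK]);     /* mimics LSan's wording */
    printf("Indirect leak of %zu byte(s)\n", b[INDIRECT_LEAK]);
    printf("Still reachable: %zu byte(s) (not reported)\n", b[REACHABLE]);
    return 0;
}
```

The 7-byte block from the page's demo and the list head end up as direct leaks, the second list node as an indirect leak, and the 16-byte block held in g_kept is never reported, which is exactly the distinction a real LSan report draws between "Direct leak of" and "Indirect leak of" lines.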

2. Error types AddressSanitizer can detect

Error type                  Description
(heap) Use after free       access to heap memory that has already been freed
Heap buffer overflow        out-of-bounds access to a heap buffer
Stack buffer overflow       out-of-bounds access to a stack buffer
Global buffer overflow      out-of-bounds access to a global buffer
Use after return            use of a stack object after the function that owns it has returned
Use after scope             use of a stack object outside the scope that defines it
Initialization order bugs   a global initializer reads another global that has not been initialized yet
Memory leaks                heap memory that is no longer reachable when the program exits

Use-after-return and initialization-order checking are off by default in this gcc runtime; enable them at run time with ASAN_OPTIONS=detect_stack_use_after_return=1 and ASAN_OPTIONS=check_initialization_order=1 respectively.