c/c++動態檢測記憶體錯誤利器 - ASan(轉)
阿新 • • 發佈:2021-08-10
https://www.extutorial.com/blog/391954
c/c++動態檢測記憶體錯誤利器 - ASan
由Existence提交於週四, 04/15/2021 - 21:44ASan,即Address Sanitizer,是一個適用於c/c++的動態記憶體錯誤檢測器,它由一個編譯器檢測模組(LLVM pass)和一個替換malloc
函式的執行時庫組成,在效能及檢測記憶體錯誤方面都優於Valgrind。
一、適用平臺
在LLVM3.1版之後,ASan就是其的一個組成部分,所以所有適用LLVM的平臺,且llvm版本大於3.1的,都可以適用asan來檢查c/c++記憶體錯誤。
對於gcc,則是4.8版本之後才加入asan,但是asan的完整功能則是要gcc版本在4.9.2以上。
二、強大功能
ASan作為編譯器內建功能,支援檢測各種記憶體錯誤:
- 緩衝區溢位
①、堆記憶體溢位
②、棧上記憶體溢位
③、全域性區快取溢位 - 懸空指標(引用)
①、使用釋放後的堆上記憶體
②、使用返回的棧上記憶體
③、使用退出作用域的變數 - 非法釋放
①、重複釋放
②、無效釋放 - 記憶體洩漏
- 初始化順序導致的問題
ASan和Valgrind對比如下圖:
三、如何使用
1、使用ASan時,只需gcc選項加上-fsanitize=address;
2、如果想要在使用asan的時候獲取更好的效能,可以加上O1或者更高的編譯優化選項;
3、想要在錯誤資訊中讓棧追溯資訊更友好,可以加上-fno-omit-frame-pointer選項。
本文針對linux x86-64平臺,gcc編譯器環境實驗。
本文實驗環境:
[root@yglocal ~]# lsb_release -a
LSB Version: :core-4.1-amd64:core-4.1-noarch
Distributor ID: CentOS
Description: CentOS Linux release 8.1.1911 (Core)
Release: 8.1.1911
Codename: Core
[root@yglocal ~]# uname -r
4.18.0-147.el8.x86_64
[root@yglocal ~]# gcc --version
gcc (GCC) 8.3.1 20190507 (Red Hat 8.3.1-4)
Copyright (C) 2018 Free Software Foundation, Inc.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE
在centos上使用ASan,編譯會報如下錯誤(gcc 4.8.5):
[root@localhost test]# gcc -g -O2 -fsanitize=address -fno-omit-frame-pointer hello.c
/usr/bin/ld: cannot find /usr/lib64/libasan.so.0.0.0
collect2: error: ld returned 1 exit status
安裝libasan即可:
[root@localhost test]# yum install libasan
注:ubuntu x86-64系統只需gcc版本高於4.8即可;但是在rhel/centos上使用ASan功能,除了gcc版本大於4.8之外,還需要安裝libasan。
下面針對記憶體的幾種c/c++常見記憶體錯誤,編寫例子,看下ASan的報錯輸出:
1、堆緩衝區溢位
測試程式碼:
[root@yglocal asan_test]# vi heap_ovf_test.c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
int main()
{
char *heap_buf = (char*)malloc(32*sizeof(char));
memcpy(heap_buf+30, "overflow", 8); //在heap_buf的第30個位元組開始,拷貝8個字元
free(heap_buf);
return 0;
}
編譯並執行:
[root@yglocal asan_test]# gcc -fsanitize=address -fno-omit-frame-pointer -o heap_ovf_test heap_ovf_test.c
[root@yglocal asan_test]# ./heap_ovf_test
=================================================================
==40602==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x603000000030 at pc 0x7f3de8f91a1d bp 0x7ffd4b4ebb60 sp 0x7ffd4b4eb308
WRITE of size 8 at 0x603000000030 thread T0
#0 0x7f3de8f91a1c (/lib64/libasan.so.5+0x40a1c)
#1 0x400845 in main (/root/asan_test/heap_ovf_test+0x400845)
#2 0x7f3de8bb1872 in __libc_start_main (/lib64/libc.so.6+0x23872)
#3 0x40075d in _start (/root/asan_test/heap_ovf_test+0x40075d)
0x603000000030 is located 0 bytes to the right of 32-byte region [0x603000000010,0x603000000030)
allocated by thread T0 here:
#0 0x7f3de9040ba8 in __interceptor_malloc (/lib64/libasan.so.5+0xefba8)
#1 0x400827 in main (/root/asan_test/heap_ovf_test+0x400827)
#2 0x7f3de8bb1872 in __libc_start_main (/lib64/libc.so.6+0x23872)
SUMMARY: AddressSanitizer: heap-buffer-overflow (/lib64/libasan.so.5+0x40a1c)
Shadow bytes around the buggy address:
0x0c067fff7fb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c067fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c067fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c067fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c067fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c067fff8000: fa fa 00 00 00 00[fa]fa fa fa fa fa fa fa fa fa
0x0c067fff8010: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c067fff8020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c067fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c067fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c067fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte