sanitizer
Sanitizers(请参考https://github.com/google/Sanitizers )已经成为静态和动态代码分析的非常有用的工具。通过使用适当的标志重新编译代码并链接到必要的库,可以检查内存错误(地址清理器)、未初始化的读取(内存清理器)、线程安全(线程清理器)和未定义的行为(未定义的行为清理器)相关的问题。与同类型分析工具相比,Sanitizers带来的性能损失通常要小得多,而且往往提供关于检测到的问题的更详细的信息。缺点是,代码(可能还有工具链的一部分)需要使用附加的标志重新编译。
sanitizer标志
sanitizer已经被集成到gcc,在使用只需要设置相应的标志位即可:相应标志如下
- 地址错误: -fsanitize=address
- 内存错误: -fsanitize=memory
- 内存泄漏: -fsanitize=leak
- 线程竞速问题: -fsanitize=thread
- 未定义问题: -fsanitize=undefined
为方便回溯可同时添加保留函数指针标志:-fno-omit-frame-pointer
gcc/g++使用sanitizer
gcc/g++编译只需要将sanitizer的标志作为flag设置即可,如下:
gcc/g++ -fsanitize=address -g -fno-omit-frame-pointer test.cpp
CMakeLists使用sanitizer
使用CMAKE_CXX_FLAGS或add_compile_options的配置即可使用,如下:
set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -fsanitize=address -fno-omit-frame-pointer")
或
add_compile_options(-fsanitize=address -fsanitize=memory -fno-omit-frame-pointer)
link_libraries(-fsanitize=address -fsanitize=memory)
使用例子
建立如下名为address_sanitizers.cpp的文件,其中存在越界访问。
#include <iostream>
void f()
{
int a[2] = {1, 0};
int b = a[2];
std::cout << b << std::endl;
}
int main()
{
f();
return 0;
}
使用sanitizer进行编译并运行
g++ -g -fsanitize=address address_sanitizers.cpp
./a.out
得到如下错误输出。
=================================================================
==79521==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fff4c428dd8 at pc 0x563deecc541d bp 0x7fff4c428d90 sp 0x7fff4c428d80
READ of size 4 at 0x7fff4c428dd8 thread T0
#0 0x563deecc541c in f() /home/zmy/test_cpp/sanitizers/address_sanitizers.cpp:6
#1 0x563deecc54ae in main /home/zmy/test_cpp/sanitizers/address_sanitizers.cpp:12
#2 0x7f813aa660b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
#3 0x563deecc522d in _start (/home/zmy/test_cpp/sanitizers/a.out+0x122d)
Address 0x7fff4c428dd8 is located in stack of thread T0 at offset 40 in frame
#0 0x563deecc52f8 in f() /home/zmy/test_cpp/sanitizers/address_sanitizers.cpp:4
This frame has 1 object(s):
[32, 40) 'a' (line 5) <== Memory access at offset 40 overflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
(longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow /home/zmy/test_cpp/sanitizers/address_sanitizers.cpp:6 in f()
Shadow bytes around the buggy address:
0x10006987d160: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10006987d170: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10006987d180: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10006987d190: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10006987d1a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x10006987d1b0: 00 00 00 00 00 00 f1 f1 f1 f1 00[f3]f3 f3 00 00
0x10006987d1c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10006987d1d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10006987d1e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10006987d1f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10006987d200: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==79521==ABORTING