个人网站备案 各省,做i网站,做我的世界皮肤壁纸的网站,古腾堡 wordpress1 Asan工具简介
1.1 Asan工具历史背景
AddressSanitizer#xff08;ASan#xff09;最初由Google开发#xff0c;并作为LLVM项目的一部分。ASan的设计目的是帮助开发者检测并修复内存错误#xff0c;如堆栈和全局缓冲区溢出、使用已释放的内存等#xff0c;这些问题可能…1 Asan工具简介
1.1 Asan工具历史背景
AddressSanitizerASan最初由Google开发并作为LLVM项目的一部分。ASan的设计目的是帮助开发者检测并修复内存错误如堆栈和全局缓冲区溢出、使用已释放的内存等这些问题可能会影响程序的正确性和安全性。ASan通过在编译时插入额外的代码来检查每次内存访问并在运行时监控这些访问从而发现错误。
ASan的实现基于shadow memory技术它为程序的内存分配创建了一个影子区域用于跟踪内存的使用情况。当程序试图访问未初始化或已释放的内存时ASan能够检测到这些非法访问并报告错误。这项技术使得ASan能够在不牺牲太多性能的情况下有效地发现难以察觉的内存错误。
随着时间的推移ASan已经成为GCC和Clang编译器的标准组成部分广泛用于提高软件质量特别是在内存安全性方面。此外ASan的集成和易用性也得到了不断改进例如在Visual Studio中从2019版本16.9开始MSVC编译器和IDE支持AddressSanitizer并且提供了与IDE的集成使得开发者可以更容易地在Windows平台上使用ASan。
1.2 Asan工具软件定位
AddressSanitizerASan主要用于C和C程序。它通过在编译时插入额外的检查代码运行时监控程序的内存访问来定位常见的内存错误包括但不限于
堆缓冲区溢出检测堆上分配的内存是否被越界访问。栈缓冲区溢出检测栈上分配的局部变量是否超出其声明的范围。全局变量溢出检测全局或静态变量的内存是否被越界访问。使用已释放的内存检测程序是否尝试访问已经被释放的内存。内存泄漏实验性地检测内存泄漏问题。初始化顺序问题检测由于不正确的初始化顺序导致的问题。内存越界访问检测对内存的读写操作是否超出了其分配的范围。函数返回局部变量检测函数返回局部变量的引用这通常会导致悬挂指针问题。
Asan的工作原理是在编译时对代码进行插桩即在内存访问点周围添加额外的检查代码。运行时Asan的运行时库会接管标准的内存管理函数如malloc和free以跟踪内存分配和释放的状态。当检测到内存错误时Asan会立即报告错误并提供详细的错误信息包括错误类型、发生错误的代码位置、调用栈信息等。
Asan的使用可以显著提高软件的内存安全性帮助开发者在开发阶段就发现并修复潜在的内存问题。然而由于ASan会引入额外的性能开销它通常用于调试和测试阶段而不推荐在生产环境中启用。
总的来说ASan是一个功能强大且广泛使用的内存错误检测工具能够有效地帮助开发者定位和解决C/C程序中的内存问题提高软件的稳定性和安全性。
接下来我们看看如何使用Asan工具。
2 Asan工具使用
2.1 如何使用Asan工具
使用ASan你需要使用支持ASan的编译器。比如Clang或GCC并开启ASan相关的编译选项。
如果使用Clang编译器在终端执行以下命令
$clang -fsanitizeaddress -g hellp.c -o hello
如果使用GCC编译器在终端执行以下命令
$gcc -fsanitizeaddress -g hello.c -o hello
在上述命令中-fsanitizeaddress是ASan的编译选项用于开启ASan。但在大型工程使用makefile方式进行编译中我们一般通过环境变量的方式加入ASan编译选项然后编译额时候需要加上环境变量一般是CFLAGS或者CXXFLAGS。
2.2 -fsanitize选项常见的sanitizer解读
以下是一些常见的sanitizer选项及其含义
-fsanitizeaddress这个选项启用了地址sanitizer它是一个运行时检测工具用于检测C/C程序中的内存错误如缓冲区溢出、使用后释放use-after-free错误等。地址sanitizer会在程序运行时监控内存操作当检测到错误时它会提供详细的错误报告包括错误类型、发生位置和堆栈跟踪信息。-fsanitize-recoveraddress这个选项与-fsanitizeaddress一起使用它告诉地址sanitizer在检测到内存错误时尝试恢复程序的执行而不是立即终止程序。这可以使得程序在检测到某些内存错误后继续运行这对于调试和分析程序的行为非常有用。-fsanitizememoryMemorySanitizerMSan用于检测未初始化的内存读取。它通过为每个值关联一个“起源”来工作如果一个值被读取时其起源是未知的MSAN就会报告一个错误。-fsanitizeundefinedUndefinedBehaviorSanitizerUBSan用于检测未定义行为例如整数溢出、空指针解引用、除以零等问题。-fsanitizethreadThreadSanitizerTSan用于检测多线程程序中的数据竞争和死锁问题。-fsanitizeleak这个选项已经被弃用取而代之的是使用-fsanitizeaddress它现在包含了内存泄漏检测功能。-fsanitizecoverageCoverageSanitizerCovSan用于生成代码覆盖率报告检测程序中哪些部分被执行过。-fsanitizekernel-addressKernel Address SanitizerKASan是AddressSanitizer的一个变种专门用于检测Linux内核中的内存错误。-fsanitizedataflow这个选项允许开发者定义自己的数据流问题并在运行时检测它们。-fsanitizecfiControl Flow IntegrityCFISanitizer用于检测控制流相关的安全问题比如虚拟函数表破坏攻击。-fsanitizesafe-stackSafeStack通过将安全关键的栈数据移动到堆上来保护程序从而防止栈溢出攻击。-fsanitizehwaddressHardware Address SanitizerHWASAN用于检测硬件级别的内存错误比如加载无效的地址。
这些sanitizer工具是查找隐藏bug的利器它们可以帮助开发者在开发和测试阶段发现和修复潜在的错误。需要注意的是这些工具会增加程序的运行时间和内存开销因此主要用于调试和测试阶段不推荐在生产环境中启用。
3 asan部分实战解读
这里给出一些asan的具体使用方法当然限于常用的一些场景。其他场景参考即可。分析问题和解决问题的思路是类似的。
3.1 堆缓冲区溢出Heap Buffer Overflow
案例描述检测对堆分配的缓冲区边界以外的内存写入操作。
参考代码如下
#include stdio.h
#include stdlib.hint main() {char *buffer (char *)malloc(5 * sizeof(char));if (buffer NULL) {fprintf(stderr, Memory allocation failed\n);return 1;}sprintf(buffer, Hello, World!);printf(Buffer contents: %s\n, buffer);free(buffer);return 0;
}
使用以下命令编译程序并启用AddressSanitizer
$gcc -fsanitizeaddress -g -o heap_overflow heap_overflow.c
然后使用gdb运行编译出的程序
$gdb ./heap_overflow
执行后 得到如下调试信息
[Thread debugging using libthread_db enabled]
Using host libthread_db library /lib/x86_64-linux-gnu/libthread_db.so.1.1346454ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000000015 at pc 0x7ffff745f04f bp 0x7fffffffdaf0 sp 0x7fffffffd280
WRITE of size 14 at 0x602000000015 thread T0#0 0x7ffff745f04e in __interceptor_vsprintf ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:1687#1 0x7ffff745f27e in __interceptor_sprintf ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:1730#2 0x5555555552f2 in main /media/wangdaosheng/data/backup/tmp/test2/heap_overflow.c:14#3 0x7ffff7029d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58#4 0x7ffff7029e3f in __libc_start_main_impl ../csu/libc-start.c:392#5 0x5555555551a4 in _start (/media/wangdaosheng/data/backup/tmp/test2/heap_overflow0x11a4)0x602000000015 is located 0 bytes to the right of 5-byte region [0x602000000010,0x602000000015)
allocated by thread T0 here:#0 0x7ffff74b4887 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145#1 0x55555555527e in main /media/wangdaosheng/data/backup/tmp/test2/heap_overflow.c:6#2 0x7ffff7029d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58SUMMARY: AddressSanitizer: heap-buffer-overflow ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:1687 in __interceptor_vsprintf
Shadow bytes around the buggy address:0x0c047fff7fb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 000x0c047fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 000x0c047fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 000x0c047fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 000x0c047fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c047fff8000: fa fa[05]fa fa fa fa fa fa fa fa fa fa fa fa fa0x0c047fff8010: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa0x0c047fff8020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa0x0c047fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa0x0c047fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa0x0c047fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):Addressable: 00Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: faFreed heap region: fdStack left redzone: f1Stack mid redzone: f2Stack right redzone: f3Stack after return: f5Stack use after scope: f8Global redzone: f9Global init order: f6Poisoned by user: f7Container overflow: fcArray cookie: acIntra object redzone: bbASan internal: feLeft alloca redzone: caRight alloca redzone: cbShadow gap: cc
1346454ABORTING
[Inferior 1 (process 1346454) exited with code 01]这个错误信息是由 AddressSanitizerASan提供的。根据提供的信息我们可以分析出以下关键信息 错误类型AddressSanitizer: heap-buffer-overflow 表示发生了堆缓冲区溢出。 错误位置错误发生在地址 0x602000000015这是一个堆内存地址。 出错指令WRITE of size 14 at 0x602000000015 表示在地址 0x602000000015 处尝试写入 14 个字节的数据。 程序计数器PC和基指针BPpc 0x7ffff745f04f 和 bp 0x7fffffffdaf0 提供了出错时的程序计数器和基指针的值这对于调试器来说是有用的。 出错函数错误发生在 __interceptor_vsprintf 函数中这是 ASan 对 vsprintf 函数的拦截实现。 调用栈调用栈显示了错误发生时的函数调用顺序。在这里我们看到 sprintf 函数第2行被 main 函数第3行调用这是错误发生的源头。 内存分配位置出错的内存是在 main 函数的第6行分配的由 __interceptor_malloc 拦截。 Shadow BytesShadow Bytes 是 ASan 使用的一块内存区域用于跟踪实际内存的状态。这里的 Shadow Bytes 显示了出错地址附近的内存状态。 错误摘要SUMMARY: AddressSanitizer: heap-buffer-overflow 再次总结了错误类型。 程序退出1346454ABORTING 表示由于这个严重错误程序被ASan中止执行。
在这个案例中错误是由于 sprintf 写入的数据超出了分配的5字节大小的缓冲区导致堆缓冲区溢出。
3.2 栈缓冲区溢出Stack Buffer Overflow
案例描述检测对栈分配的缓冲区边界以外的内存写入操作。
参考代码如下
#include stdio.h
#include string.hint main() {char buffer[4];strcpy(buffer, Hello);printf(Buffer contents: %s\n, buffer);return 0;
}
使用以下命令编译程序并启用AddressSanitizer
$gcc -fsanitizeaddress -g -o stack_overflow stack_overflow.c
然后使用gdb运行编译出的程序
$gdb ./stack_overflow
执行后 得到如下调试信息
[Thread debugging using libthread_db enabled]
Using host libthread_db library /lib/x86_64-linux-gnu/libthread_db.so.1.1680994ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fffffffdba4 at pc 0x7ffff743a2c3 bp 0x7fffffffdb70 sp 0x7fffffffd318
WRITE of size 6 at 0x7fffffffdba4 thread T0#0 0x7ffff743a2c2 in __interceptor_memcpy ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:827#1 0x5555555552ca in main /media/wangdaosheng/data/backup/tmp/test2/stack_overflow.c:6#2 0x7ffff7029d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58#3 0x7ffff7029e3f in __libc_start_main_impl ../csu/libc-start.c:392#4 0x555555555164 in _start (/media/wangdaosheng/data/backup/tmp/test2/stack_overflow0x1164)Address 0x7fffffffdba4 is located in stack of thread T0 at offset 36 in frame#0 0x555555555238 in main /media/wangdaosheng/data/backup/tmp/test2/stack_overflow.c:4This frame has 1 object(s):[32, 36) buffer (line 5) Memory access at offset 36 overflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork(longjmp and C exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:827 in __interceptor_memcpy
Shadow bytes around the buggy address:0x10007fff7b20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 000x10007fff7b30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 000x10007fff7b40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 000x10007fff7b50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 000x10007fff7b60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10007fff7b70: f1 f1 f1 f1[04]f3 f3 f3 00 00 00 00 00 00 00 000x10007fff7b80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 000x10007fff7b90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 000x10007fff7ba0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 000x10007fff7bb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 000x10007fff7bc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):Addressable: 00Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: faFreed heap region: fdStack left redzone: f1Stack mid redzone: f2Stack right redzone: f3Stack after return: f5Stack use after scope: f8Global redzone: f9Global init order: f6Poisoned by user: f7Container overflow: fcArray cookie: acIntra object redzone: bbASan internal: feLeft alloca redzone: caRight alloca redzone: cbShadow gap: cc
1680994ABORTING
[Inferior 1 (process 1680994) exited with code 01]这个错误信息是由 AddressSanitizerASan提供的。根据提供的信息我们可以分析出以下关键信息
错误类型AddressSanitizer: stack-buffer-overflow 表示发生了栈缓冲区溢出。错误位置错误发生在地址 0x7fffffffdba4这是一个栈内存地址。出错指令WRITE of size 6 at 0x7fffffffdba4 表示在地址 0x7fffffffdba4 处尝试写入 6 个字节的数据。程序计数器PC和基指针BP以及栈指针SPpc 0x7ffff743a2c3, bp 0x7fffffffdb70, sp 0x7fffffffd318 提供了出错时的程序计数器、基指针和栈指针的值这对于调试器来说是有用的。出错函数错误发生在 __interceptor_memcpy 函数中这是 ASan 对 memcpy 函数的拦截实现。调用栈调用栈显示了错误发生时的函数调用顺序。在这里我们看到 memcpy 函数第1行被 main 函数第2行调用这是错误发生的源头。内存分配位置出错的内存是在 main 函数的第4行分配的由栈帧信息指出。Shadow BytesShadow Bytes 是 ASan 使用的一块内存区域用于跟踪实际内存的状态。这里的 Shadow Bytes 显示了出错地址附近的内存状态。错误摘要SUMMARY: AddressSanitizer: stack-buffer-overflow 再次总结了错误类型。程序退出1680994ABORTING 表示由于这个严重错误程序被ASan中止执行。
在这个案例中错误是由于 memcpy 写入的数据超出了分配的缓冲区大小导致栈缓冲区溢出。
3.3 全局缓冲区溢出Global Buffer Overflow
案例描述检测对全局变量边界以外的内存写入操作。
参考代码如下
#include stdio.h
#include string.hchar globalBuffer[5];int main() {strcpy(globalBuffer, Hello, World!);printf(Global Buffer contents: %s\n, globalBuffer);return 0;
}
使用以下命令编译程序并启用AddressSanitizer
$gcc -fsanitizeaddress -g -o global_overflow global_overflow.c
然后运行编译出的程序
$gdb ./global_overflow
执行后 得到如下调试信息
[Thread debugging using libthread_db enabled]
Using host libthread_db library /lib/x86_64-linux-gnu/libthread_db.so.1.1681772ERROR: AddressSanitizer: global-buffer-overflow on address 0x555555558125 at pc 0x7ffff743a2c3 bp 0x7fffffffdbf0 sp 0x7fffffffd398
WRITE of size 14 at 0x555555558125 thread T0#0 0x7ffff743a2c2 in __interceptor_memcpy ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:827#1 0x55555555520e in main /media/wangdaosheng/data/backup/tmp/test2/global_overflow.c:7#2 0x7ffff7029d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58#3 0x7ffff7029e3f in __libc_start_main_impl ../csu/libc-start.c:392#4 0x555555555124 in _start (/media/wangdaosheng/data/backup/tmp/test2/global_overflow0x1124)0x555555558125 is located 0 bytes to the right of global variable globalBuffer defined in global_overflow.c:4:6 (0x555555558120) of size 5
SUMMARY: AddressSanitizer: global-buffer-overflow ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:827 in __interceptor_memcpy
Shadow bytes around the buggy address:0x0aab2aaa2fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 000x0aab2aaa2fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 000x0aab2aaa2ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 000x0aab2aaa3000: 00 00 00 00 00 00 00 00 f9 f9 f9 f9 f9 f9 f9 f90x0aab2aaa3010: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
0x0aab2aaa3020: 00 00 00 00[05]f9 f9 f9 f9 f9 f9 f9 00 00 00 000x0aab2aaa3030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 000x0aab2aaa3040: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 000x0aab2aaa3050: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 000x0aab2aaa3060: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 000x0aab2aaa3070: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):Addressable: 00Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: faFreed heap region: fdStack left redzone: f1Stack mid redzone: f2Stack right redzone: f3Stack after return: f5Stack use after scope: f8Global redzone: f9Global init order: f6Poisoned by user: f7Container overflow: fcArray cookie: acIntra object redzone: bbASan internal: feLeft alloca redzone: caRight alloca redzone: cbShadow gap: cc
1681772ABORTING
[Inferior 1 (process 1681772) exited with code 01]这个错误信息是由 AddressSanitizerASan提供的。根据提供的信息我们可以分析出以下关键信息
错误类型AddressSanitizer: global-buffer-overflow 表示发生了全局缓冲区溢出。错误位置错误发生在地址 0x555555558125这是一个全局变量的地址。出错指令WRITE of size 14 at 0x555555558125 表示在地址 0x555555558125 处尝试写入 14 个字节的数据。程序计数器PC、基指针BP和栈指针SPpc 0x7ffff743a2c3, bp 0x7fffffffdbf0, sp 0x7fffffffd398 提供了出错时的程序计数器、基指针和栈指针的值这对于调试器来说是有用的。出错函数错误发生在 __interceptor_memcpy 函数中这是 ASan 对 memcpy 函数的拦截实现。调用栈调用栈显示了错误发生时的函数调用顺序。在这里我们看到 memcpy 函数第1行被 main 函数第2行调用这是错误发生的源头。内存分配位置出错的内存是全局变量 globalBuffer定义在 global_overlap.c:4:6大小为 5 字节。Shadow BytesShadow Bytes 是 ASan 使用的一块内存区域用于跟踪实际内存的状态。这里的 Shadow Bytes 显示了出错地址附近的内存状态。错误摘要SUMMARY: AddressSanitizer: global-buffer-overflow 再次总结了错误类型。 程序退出1681772ABORTING 表示由于这个严重错误程序被ASan中止执行。
在这个案例中错误是由于 memcpy 写入的数据超出了全局变量 globalBuffer 分配的大小导致全局缓冲区溢出。
3.4 使用后释放Use After Free
案例描述检测已经释放的内存被再次访问的情况。
参考代码如下
#include stdio.h
#include stdlib.hint main() {int *ptr (int *)malloc(sizeof(int));if (ptr NULL) {fprintf(stderr, Memory allocation failed\n);return 1;}*ptr 42;printf(Value at ptr: %d\n, *ptr);free(ptr);printf(Value at ptr after free: %d\n, *ptr);return 0;
}
使用以下命令编译程序并启用AddressSanitizer
$gcc -fsanitizeaddress -g -o use_after_free use_after_free.c
然后运行编译出的程序
$gdb ./use_after_free
执行后 得到如下调试信息
[Thread debugging using libthread_db enabled]
Using host libthread_db library /lib/x86_64-linux-gnu/libthread_db.so.1.
Value at ptr: 421682910ERROR: AddressSanitizer: heap-use-after-free on address 0x602000000010 at pc 0x55555555539b bp 0x7fffffffd7a0 sp 0x7fffffffd790
READ of size 4 at 0x602000000010 thread T0#0 0x55555555539a in main /media/wangdaosheng/data/backup/tmp/test2/use_after_free.c:14#1 0x7ffff7029d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58#2 0x7ffff7029e3f in __libc_start_main_impl ../csu/libc-start.c:392#3 0x5555555551c4 in _start (/media/wangdaosheng/data/backup/tmp/test2/use_after_free0x11c4)0x602000000010 is located 0 bytes inside of 4-byte region [0x602000000010,0x602000000014)
freed by thread T0 here:#0 0x7ffff74b4537 in __interceptor_free ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:127#1 0x555555555363 in main /media/wangdaosheng/data/backup/tmp/test2/use_after_free.c:13#2 0x7ffff7029d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58previously allocated by thread T0 here:#0 0x7ffff74b4887 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145#1 0x55555555529e in main /media/wangdaosheng/data/backup/tmp/test2/use_after_free.c:5#2 0x7ffff7029d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58SUMMARY: AddressSanitizer: heap-use-after-free /media/wangdaosheng/data/backup/tmp/test2/use_after_free.c:14 in main
Shadow bytes around the buggy address:0x0c047fff7fb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 000x0c047fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 000x0c047fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 000x0c047fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 000x0c047fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c047fff8000: fa fa[fd]fa fa fa fa fa fa fa fa fa fa fa fa fa0x0c047fff8010: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa0x0c047fff8020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa0x0c047fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa0x0c047fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa0x0c047fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):Addressable: 00Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: faFreed heap region: fdStack left redzone: f1Stack mid redzone: f2Stack right redzone: f3Stack after return: f5Stack use after scope: f8Global redzone: f9Global init order: f6Poisoned by user: f7Container overflow: fcArray cookie: acIntra object redzone: bbASan internal: feLeft alloca redzone: caRight alloca redzone: cbShadow gap: cc
1682910ABORTING
[Inferior 1 (process 1682910) exited with code 01]
这个错误信息是由 AddressSanitizerASan提供的。根据提供的信息我们可以分析出以下关键信息
错误类型AddressSanitizer: heap-use-after-free 表示发生了堆使用后释放的错误。错误位置错误发生在地址 0x602000000010这是一个堆内存地址。出错指令READ of size 4 at 0x602000000010 表示在地址 0x602000000010 处尝试读取 4 个字节的数据。程序计数器PC、基指针BP和栈指针SPpc 0x55555555539b, bp 0x7fffffffd7a0, sp 0x7fffffffd790 提供了出错时的程序计数器、基指针和栈指针的值这对于调试器来说是有用的。出错函数错误发生在 main 函数的第14行。内存释放位置出错的内存是在 main 函数的第13行被释放的。内存分配位置出错的内存是在 main 函数的第5行被分配的。Shadow BytesShadow Bytes 是 ASan 使用的一块内存区域用于跟踪实际内存的状态。这里的 Shadow Bytes 显示了出错地址附近的内存状态其中 fd 表示已释放的堆内存区域。错误摘要SUMMARY: AddressSanitizer: heap-use-after-free 再次总结了错误类型。程序退出1682910ABORTING 表示由于这个严重错误程序被ASan中止执行。
3.5 多线程数据竞争Data Race
案例描述检测多线程程序中不同线程对同一数据的竞态访问。
参考代码如下
#include stdio.h
#include pthread.hint global_var 0;void* increment(void* arg) {int i;for (i 0; i 100; i) {global_var; // 此处存在数据竞争}return NULL;
}int main() {pthread_t thread1, thread2;pthread_create(thread1, NULL, increment, NULL);pthread_create(thread2, NULL, increment, NULL);pthread_join(thread1, NULL);pthread_join(thread2, NULL);printf(Result: %d\n, global_var);return 0;
}
使用以下命令编译程序并启用AddressSanitizer
$gcc -fsanitizethread -g -o data_race data_race.c -lpthread
然后运行编译出的程序
$gdb ./data_race
执行后 得到如下调试信息
[Thread debugging using libthread_db enabled]
Using host libthread_db library /lib/x86_64-linux-gnu/libthread_db.so.1.
[New Thread 0x7ffff51ff640 (LWP 2156986)]
[New Thread 0x7ffff49fe640 (LWP 2156987)]
[Thread 0x7ffff49fe640 (LWP 2156987) exited]
[New Thread 0x7ffff41fd640 (LWP 2156988)]WARNING: ThreadSanitizer: data race (pid2156978)Read of size 4 at 0x555555558014 by thread T2:#0 increment /media/wangdaosheng/data/backup/tmp/test2/data_race.c:9 (data_race0x129d)Previous write of size 4 at 0x555555558014 by thread T1:#0 increment /media/wangdaosheng/data/backup/tmp/test2/data_race.c:9 (data_race0x12b5)Location is global global_var of size 4 at 0x555555558014 (data_race0x000000004014)Thread T2 (tid2156988, running) created by main thread at:#0 pthread_create ../../../../src/libsanitizer/tsan/tsan_interceptors_posix.cpp:969 (libtsan.so.00x605b8)#1 main /media/wangdaosheng/data/backup/tmp/test2/data_race.c:18 (data_race0x133a)Thread T1 (tid2156987, finished) created by main thread at:#0 pthread_create ../../../../src/libsanitizer/tsan/tsan_interceptors_posix.cpp:969 (libtsan.so.00x605b8)#1 main /media/wangdaosheng/data/backup/tmp/test2/data_race.c:17 (data_race0x131d)SUMMARY: ThreadSanitizer: data race /media/wangdaosheng/data/backup/tmp/test2/data_race.c:9 in incrementResult: 200
ThreadSanitizer: reported 1 warnings
[Thread 0x7ffff41fd640 (LWP 2156988) exited]
[Thread 0x7ffff51ff640 (LWP 2156986) exited]
[Inferior 1 (process 2156978) exited with code 0102]
这个错误信息是由 ThreadSanitizerTSan提供的它帮助检测多线程程序中的数据竞争问题。根据提供的信息我们可以分析出以下关键点
错误类型WARNING: ThreadSanitizer: data race 表示检测到数据竞争。竞争位置数据竞争发生在地址 0x555555558014这是全局变量 global_var 的地址。出错指令Read of size 4 at 0x555555558014 by thread T2 和 Previous write of size 4 at 0x555555558014 by thread T1 表示线程 T2 读取了 global_var而线程 T1 在之前写了 global_var。竞争变量竞争的变量是全局变量 global_var大小为 4 字节。线程信息线程 T2tid2156988和线程 T1tid2156987都参与了这次数据竞争。线程创建两个线程都是由主线程main thread创建的创建位置在 main 函数中。错误摘要SUMMARY: ThreadSanitizer: data race 再次总结了错误类型。程序退出[Inferior 1 (process 2156978) exited with code 0102] 表示程序由于TSan报告的错误而退出。
在这个案例中错误是由于两个线程同时访问和修改全局变量 global_var 导致的。
