[LLVMdev] LLVM-based address sanity checker

Kostya Serebryany kcc at google.com
Thu Jun 16 12:14:47 PDT 2011


On Thu, Jun 16, 2011 at 11:00 PM, Chris Lattner <clattner at apple.com> wrote:

>
> On Jun 16, 2011, at 1:27 AM, Kostya Serebryany wrote:
>
> Hello again,
>
> The tool we announced 1.5 months ago has matured quite a bit.
> In addition to heap out-of-bound and use-after-free bugs it also finds
> stack overruns/underruns.
> AddressSanitizer is being actively used by the Chromium developers and
> already found over 20 bugs:
> http://blog.chromium.org/2011/06/testing-chromium-addresssanitizer-fast.html
>
> Question to the LLVM developers: would you consider adding the AddressSanitizer
> code to the LLVM trunk?
>
>
> Having functionality like this in mainline would be really interesting.  I
> haven't looked at your code yet, what are the major components, what impact
> does it have on the codebase?
>

LLVM:
  - The instrumentation pass:
    http://code.google.com/p/address-sanitizer/source/browse/trunk/llvm/AddressSanitizer.cpp
    It instruments all memory accesses and inserts redzones around stack objects
    (around globals too, but this is unfinished).
  - Tiny patch to actually insert the instrumentation pass and to handle the
    "-fasan" flag in the driver:
    http://code.google.com/p/address-sanitizer/source/browse/trunk/llvm/clang.patch
    This patch is a bit outdated (applies to r130919).
  - The 'ignore' machinery is taken from the ThreadSanitizer project. This
    is basically a whitelist/blacklist by function name, file name or module
    name:
    http://code.google.com/p/data-race-test/source/browse/trunk/tsan/ignore.h
    If LLVM has its own whitelist/blacklist functionality, we could use that
    instead.

This is my first code in LLVM, so it definitely needs cleanup to meet the
LLVM guidelines.

Run time library (could be used with any other compiler):
  - Almost everything is in one file:
    http://code.google.com/p/address-sanitizer/source/browse/trunk/asan/asan_rtl.cc
    This library replaces malloc, tracks thread stacks, replaces SIGILL and
    SIGSEGV handlers, and reports warnings. Linux x86/x86_64 and ChromiumOS are fully
    functional; MacOS is in flight.

Tests:
http://code.google.com/p/address-sanitizer/source/browse/trunk/asan/asan_test.cc

--kcc


> -Chris
>
>
>
> Thanks,
>
> --kcc
>
> On Tue, May 3, 2011 at 10:52 PM, Kostya Serebryany <kcc at google.com> wrote:
>
>> Hello,
>>
>> We've just released the first version of our LLVM-based address sanity
>> checker: AddressSanitizer (http://code.google.com/p/address-sanitizer/).
>> The tool finds out-of-bound and use-after-free bugs (the subset of bugs
>> detectable by Valgrind/Memcheck);
>> it consists of an LLVM compiler plugin which performs simple code
>> instrumentation and a malloc replacement library.
>> The main advantage of the new tool is high speed: the slowdown is usually
>> within 2x-2.5x.
>> A detailed description of the algorithm is found here:
>> http://code.google.com/p/address-sanitizer/wiki/AddressSanitizerAlgorithm
>> The tool is young, but it already can run the Chromium browser
>> (interactively!) and find bugs in it.
>>
>> Would the LLVM community be interested in adopting this code into the LLVM
>> trunk?
>> The instrumentation pass is ~350 LOC
>> (http://code.google.com/p/address-sanitizer/source/browse/trunk/llvm/AddressSanitizer.cpp),
>> but may grow over time as we add optimizations.
>> The run-time library (malloc replacement,
>> http://code.google.com/p/address-sanitizer/source/browse/trunk/asan/asan_rtl.cc)
>> is ~1500 LOC.
>>
>> Thanks,
>>
>> --kcc
>>
>
> _______________________________________________
> LLVM Developers mailing list
> LLVMdev at cs.uiuc.edu         http://llvm.cs.uiuc.edu
> http://lists.cs.uiuc.edu/mailman/listinfo/llvmdev
>
>
>
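The thread above describes the tool in three parts: a compiler pass that instruments every memory access, a malloc replacement that surrounds blocks with redzones, and a runtime that reports the bad access. The toy model below is an added illustration written for this page, not code from the AddressSanitizer project or from anyone in the thread. It assumes a small fixed arena (ARENA_SIZE, REDZONE and the `toy_` function names are made up for the example) and a one-shadow-byte-per-application-byte map, whereas the real tool maps 8 application bytes to one shadow byte and has the compiler emit the check; here the "instrumentation" is an explicit `check_access()` call placed before the access.

```c
/* Toy model of the check an address sanity checker performs.
 * Added illustration, not code from the AddressSanitizer project. It models
 * three ideas from the thread: a malloc replacement with redzones, a shadow
 * map consulted on every instrumented access, and no reuse of freed memory
 * so that use-after-free is caught. Real ASan uses one shadow byte per 8
 * application bytes and a compiler pass to emit the checks; here the check
 * is an explicit call to check_access(). */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define ARENA_SIZE 4096   /* constructed: a small fixed heap for the demo */
#define REDZONE 16        /* poisoned padding on each side of a block */

enum { ADDRESSABLE = 0, REDZONE_BYTE = 1, FREED_BYTE = 2, OUT_OF_ARENA = -1 };

static unsigned char arena[ARENA_SIZE];
static unsigned char shadow[ARENA_SIZE]; /* one shadow byte per arena byte */
static size_t arena_top;

/* Reset the heap; everything not yet handed out counts as a redzone. */
void toy_reset(void) {
    memset(shadow, REDZONE_BYTE, sizeof shadow);
    arena_top = 0;
}

/* Malloc replacement: returns a block with a redzone before and after it,
 * or NULL when the arena is exhausted. Blocks are never recycled. */
void *toy_malloc(size_t n) {
    if (arena_top + 2 * REDZONE > ARENA_SIZE ||
        n > ARENA_SIZE - arena_top - 2 * REDZONE)
        return NULL;
    arena_top += REDZONE;                        /* left redzone stays poisoned */
    unsigned char *p = arena + arena_top;
    memset(shadow + arena_top, ADDRESSABLE, n);  /* unpoison the user bytes */
    arena_top += n + REDZONE;                    /* skip the right redzone */
    return p;
}

/* Free: poison the block and never hand it out again (a simple quarantine),
 * so any later access through the dangling pointer is reported. */
void toy_free(void *p, size_t n) {
    memset(shadow + ((unsigned char *)p - arena), FREED_BYTE, n);
}

/* The check the instrumentation pass would emit before a load or store:
 * returns ADDRESSABLE (0) if all n bytes may be touched, otherwise the
 * shadow value of the first bad byte, or OUT_OF_ARENA for a wild address. */
int check_access(const void *p, size_t n) {
    uintptr_t a = (uintptr_t)p, base = (uintptr_t)arena;
    if (a < base || a + n > base + ARENA_SIZE) return OUT_OF_ARENA;
    for (size_t i = 0; i < n; i++)
        if (shadow[a - base + i] != ADDRESSABLE) return shadow[a - base + i];
    return ADDRESSABLE;
}

/* Runs the check and prints a warning the way the runtime would. */
int checked_access(const void *p, size_t n, const char *what) {
    int r = check_access(p, n);
    if (r != ADDRESSABLE)
        fprintf(stderr, "WARNING: %s of %zu byte(s) at %p: %s\n", what, n, p,
                r == REDZONE_BYTE ? "heap-buffer-overflow (redzone)" :
                r == FREED_BYTE   ? "heap-use-after-free"            :
                                    "wild address outside the heap");
    return r;
}

int main(void) {
    toy_reset();
    unsigned char *buf = toy_malloc(10);
    checked_access(buf, 10, "WRITE");      /* in bounds: silent */
    checked_access(buf + 10, 1, "READ");   /* one past the end: overflow */
    checked_access(buf - 1, 1, "READ");    /* one before the start: underflow */
    toy_free(buf, 10);
    checked_access(buf, 1, "READ");        /* dangling pointer: use-after-free */
    return 0;
}
```

The three things this makes concrete are the cost model and the two detection mechanisms the thread mentions: every access costs one shadow lookup (which is why the slowdown stays in the 2x range rather than Valgrind's), out-of-bounds accesses are caught because they land in a redzone, and use-after-free is caught because freed memory is poisoned and not recycled. Fixed-size redzones mean an access that jumps far past a block into another live block is not detected; that limitation is shared with the real tool.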