[LLVMdev] LLVM-based address sanity checker

Kostya Serebryany kcc at google.com
Thu Jun 16 12:29:34 PDT 2011


On Thu, Jun 16, 2011 at 11:14 PM, Kostya Serebryany <kcc at google.com> wrote:

>
>
> On Thu, Jun 16, 2011 at 11:00 PM, Chris Lattner <clattner at apple.com>wrote:
>
>>
>> On Jun 16, 2011, at 1:27 AM, Kostya Serebryany wrote:
>>
>> Hello again,
>>
>> The tool we announced 1.5 months ago has matured quite a bit.
>> In addition to heap out-of-bound and use-after-free bugs it also finds
>> stack overruns/underruns.
>> AddressSanitizer is being actively used by the Chromium developers and
>> already found over 20 bugs:
>> http://blog.chromium.org/2011/06/testing-chromium-addresssanitizer-fast.html
>>
>> Question to the LLVM developers: would you consider adding the AddressSanitizer
>> code to the LLVM trunk?
>>
>>
>> Having functionality like this in mainline would be really interesting.  I
>> haven't looked at your code yet, what are the major components, what impact
>> does it have on the codebase?
>>
>
> LLVM:
>   - The instrumentation pass
> http://code.google.com/p/address-sanitizer/source/browse/trunk/llvm/AddressSanitizer.cpp .
> It instruments all memory accesses and inserts redzones around stack objects
> (around globals too, but this is unfinished).
>   - Tiny patch to actually insert the instrumentation pass and to handle
> the "-fasan" flag in the driver.
> http://code.google.com/p/address-sanitizer/source/browse/trunk/llvm/clang.patch This
> patch is a bit outdated (applies to r130919)
>   - The 'ignore' machinery is taken from the ThreadSanitizer project. This
> is basically a whitelist/blacklist by function name, file name or module
> name.
> http://code.google.com/p/data-race-test/source/browse/trunk/tsan/ignore.h.
> If LLVM has its own whitelist/blacklist functionality, we could use that
> instead.
>
> This is my first code in LLVM, so it definitely needs cleanup to meet the
> LLVM guidelines.
>
> Run time library (could be used with any other compiler):
>  - Almost everything is on one file:
> http://code.google.com/p/address-sanitizer/source/browse/trunk/asan/asan_rtl.cc
> This library replaces malloc, tracks thread stacks, replaces SIGILL and
> SIGSEGV handlers, reports warnings. Linux x86/x86_64 and ChromiumOS are fully
> functional, MacOS is in flight.
>
> Tests:
> http://code.google.com/p/address-sanitizer/source/browse/trunk/asan/asan_test.cc
>

One more part is the symbolizer -- when reporting an error we need to
provide function name, file name and line number of every PC in the stack.
There are two options: offline symbolizer (simple python script which uses
addr2line) and in-process symbolizer based on libbfd.
Due to the huge size of dwarf generated by llvm (suspected
http://llvm.org/bugs/show_bug.cgi?id=7554) both options are terribly slow --
up to 1 minute and 7G RAM on chromium per one report.
I don't like either option, please recommend if LLVM has another one.


> --kcc
>
>
>> -Chris
>>
>>
>>
>> Thanks,
>>
>> --kcc
>>
>> On Tue, May 3, 2011 at 10:52 PM, Kostya Serebryany <kcc at google.com>wrote:
>>
>>> Hello,
>>>
>>> We've just released the first version of our LLVM-based address sanity
>>> checker: AddressSanitizer (http://code.google.com/p/address-sanitizer/).
>>> The tool finds out-of-bound and use-after-free bugs (the subset of bugs
>>> detectable by Valgrind/Memcheck);
>>> it consists of a LLVM compiler plugin which performs simple code
>>> instrumentation and a malloc replacement library.
>>> The main advantage of the new tool is high speed: the slowdown is usually
>>> within 2x-2.5x.
>>> Detailed description of the algorithm is found here:
>>> http://code.google.com/p/address-sanitizer/wiki/AddressSanitizerAlgorithm
>>> The tool is young, but it already can run the Chromium browser
>>> (interactively!) and find bugs in it.
>>>
>>> Would the LLVM community be interested in adopting this code into the
>>> LLVM trunk?
>>>  The instrumentation pass is ~350 LOC (
>>> http://code.google.com/p/address-sanitizer/source/browse/trunk/llvm/AddressSanitizer.cpp),
>>> but may grow over time as we add optimizations.
>>> The run-time library (malloc replacement,
>>> http://code.google.com/p/address-sanitizer/source/browse/trunk/asan/asan_rtl.cc)
>>> is ~1500 LOC.
>>>
>>> Thanks,
>>>
>>> --kcc
>>>
>>
>> _______________________________________________
>> LLVM Developers mailing list
>> LLVMdev at cs.uiuc.edu         http://llvm.cs.uiuc.edu
>> http://lists.cs.uiuc.edu/mailman/listinfo/llvmdev
>>
>>
>>
>
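The quoted messages above describe the two halves of the tool: an instrumentation pass that checks every memory access and surrounds objects with redzones, and a malloc replacement that keeps heap blocks inside poisoned redzones so out-of-bound and use-after-free accesses are caught. The following is an added, self-contained model of that scheme written for this thread; it is not AddressSanitizer's own code. It assumes a fixed static heap, one shadow byte per 8-byte granule of that heap, and a bump allocator standing in for the real malloc replacement; the function names (`asan_malloc`, `asan_free`, `asan_check1`) are hypothetical.

```c
/*
 * Added example, not AddressSanitizer's own code: a minimal model of the
 * redzone + shadow-memory scheme discussed in the thread. The allocator
 * surrounds each heap block with poisoned redzones, free() poisons the
 * block again, and asan_check1() is the test an instrumentation pass
 * would insert before every 1-byte load or store.
 * Assumptions: a static 4 KiB "heap", one shadow byte per 8-byte granule,
 * and a bump allocator instead of a real malloc.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define HEAP_SIZE   4096
#define GRANULE     8
#define REDZONE     32                    /* poison bytes on each side of a block */
#define SHADOW_SIZE (HEAP_SIZE / GRANULE)

static uint8_t heap[HEAP_SIZE];
static int8_t  shadow[SHADOW_SIZE];       /*  0: all 8 bytes addressable,
                                             1..7: only the first k bytes addressable,
                                             <0: poisoned (redzone or freed) */
static size_t  heap_top = 0;

enum { SH_HEAP_REDZONE = -1, SH_FREED = -2 };

/* Map an address inside `heap` to the index of its shadow byte. */
static size_t shadow_index(const void *p) {
    return (size_t)((const uint8_t *)p - heap) / GRANULE;
}

/* Poison n bytes (n a multiple of GRANULE) with shadow value v. */
static void poison(void *p, size_t n, int8_t v) {
    size_t i = shadow_index(p);
    for (size_t k = 0; k < n / GRANULE; k++) shadow[i + k] = v;
}

/* Unpoison n bytes: full granules get 0, a trailing partial granule gets its byte count. */
static void unpoison(void *p, size_t n) {
    size_t i = shadow_index(p), k = 0;
    for (; k < n / GRANULE; k++) shadow[i + k] = 0;
    if (n % GRANULE) shadow[i + k] = (int8_t)(n % GRANULE);
}

static size_t round_up(size_t n, size_t a) { return (n + a - 1) / a * a; }

/* Replacement allocator layout: left redzone | user bytes | right redzone. */
void *asan_malloc(size_t n) {
    size_t body = round_up(n, GRANULE);
    size_t need = REDZONE + body + REDZONE;
    if (heap_top + need > HEAP_SIZE) return NULL;
    uint8_t *base = heap + heap_top;
    heap_top += need;
    poison(base, REDZONE, SH_HEAP_REDZONE);             /* left redzone   */
    uint8_t *user = base + REDZONE;
    poison(user, body, SH_HEAP_REDZONE);                /* start poisoned */
    unpoison(user, n);                                  /* open exactly n bytes */
    poison(user + body, REDZONE, SH_HEAP_REDZONE);      /* right redzone  */
    return user;
}

/* On free the whole user region is poisoned, so a later access is reported. */
void asan_free(void *p, size_t n) {
    poison(p, round_up(n, GRANULE), SH_FREED);
}

/* Check a 1-byte access. Returns 0 when valid, the negative shadow value for a
 * redzone/freed hit, or 1 for an overrun into the unused tail of a granule. */
int asan_check1(const void *p) {
    const uint8_t *a = (const uint8_t *)p;
    if (a < heap || a >= heap + HEAP_SIZE) return 0;   /* outside the model heap: unchecked */
    int8_t s = shadow[shadow_index(p)];
    if (s == 0) return 0;
    if (s < 0) return s;
    return ((size_t)(a - heap) % GRANULE) < (size_t)s ? 0 : 1;
}

int main(void) {
    char *p = asan_malloc(13);                 /* constructed sample allocation */
    printf("p[0]   -> %d (valid)\n", asan_check1(p));
    printf("p[12]  -> %d (valid, last byte)\n", asan_check1(p + 12));
    printf("p[13]  -> %d (partial-granule overrun)\n", asan_check1(p + 13));
    printf("p[16]  -> %d (right redzone)\n", asan_check1(p + 16));
    printf("p[-1]  -> %d (left redzone)\n", asan_check1(p - 1));
    asan_free(p, 13);
    printf("p[0] after free -> %d (use-after-free)\n", asan_check1(p));
    return 0;
}
```

The partial-granule case (13 bytes in two 8-byte granules) is why the shadow byte carries a count rather than a single poisoned/unpoisoned bit: it lets the one-byte overrun at `p[13]` be caught even though `p[13]` lies inside the rounded-up block. The real tool adds the same idea for stack objects by inserting redzones between locals, which is what makes stack overruns/underruns detectable.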