Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Meaningful stack traces for address sanitizer in GCC

I just tried compiling with GCC and the -fsanitize=address flag. When I run my program, the address sanitizer finds a flaw, but the stack trace is not helpful. How can I configure this so that it points to the source code locations I need to look at?

=================================================================
==32415== ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6006004b38a0 at pc 0x10b136d5c bp 0x7fff54b8e5d0 sp 0x7fff54b8e5c8
WRITE of size 8 at 0x6006004b38a0 thread T0
    #0 0x10b136d5b (/Users/cls/workspace/NetworKit/./NetworKit-Tests-D+0x1000c6d5b)
    #1 0x10b136e0c (/Users/cls/workspace/NetworKit/./NetworKit-Tests-D+0x1000c6e0c)
    #2 0x10b138ef5 (/Users/cls/workspace/NetworKit/./NetworKit-Tests-D+0x1000c8ef5)
    #3 0x10b137a2e (/Users/cls/workspace/NetworKit/./NetworKit-Tests-D+0x1000c7a2e)
    #4 0x10b13acf2 (/Users/cls/workspace/NetworKit/./NetworKit-Tests-D+0x1000cacf2)
    #5 0x10b253647 (/Users/cls/workspace/NetworKit/./NetworKit-Tests-D+0x1001e3647)
    #6 0x10b24ee55 (/Users/cls/workspace/NetworKit/./NetworKit-Tests-D+0x1001dee55)
    #7 0x10b237108 (/Users/cls/workspace/NetworKit/./NetworKit-Tests-D+0x1001c7108)
    #8 0x10b237c17 (/Users/cls/workspace/NetworKit/./NetworKit-Tests-D+0x1001c7c17)
    #9 0x10b2385c9 (/Users/cls/workspace/NetworKit/./NetworKit-Tests-D+0x1001c85c9)
    #10 0x10b23f659 (/Users/cls/workspace/NetworKit/./NetworKit-Tests-D+0x1001cf659)
    #11 0x10b254951 (/Users/cls/workspace/NetworKit/./NetworKit-Tests-D+0x1001e4951)
    #12 0x10b24fbeb (/Users/cls/workspace/NetworKit/./NetworKit-Tests-D+0x1001dfbeb)
    #13 0x10b23dc38 (/Users/cls/workspace/NetworKit/./NetworKit-Tests-D+0x1001cdc38)
    #14 0x10b229d28 (/Users/cls/workspace/NetworKit/./NetworKit-Tests-D+0x1001b9d28)
    #15 0x10b229bda (/Users/cls/workspace/NetworKit/./NetworKit-Tests-D+0x1001b9bda)
    #16 0x7fff8b7785fc (/usr/lib/system/libdyld.dylib+0x35fc)
    #17 0x2
0x6006004b38a0 is located 0 bytes to the right of 32-byte region [0x6006004b3880,0x6006004b38a0)
allocated by thread T0 here:
    #0 0x10b8bb63a (/usr/local/lib/gcc/x86_64-apple-darwin13.0.0/4.8.2/libasan.0.dylib+0xe63a)
    #1 0x10b0777c6 (/Users/cls/workspace/NetworKit/./NetworKit-Tests-D+0x1000077c6)
    #2 0x10b07701e (/Users/cls/workspace/NetworKit/./NetworKit-Tests-D+0x10000701e)
    #3 0x10b09cd1b (/Users/cls/workspace/NetworKit/./NetworKit-Tests-D+0x10002cd1b)
    #4 0x10b09c6ef (/Users/cls/workspace/NetworKit/./NetworKit-Tests-D+0x10002c6ef)
    #5 0x10b09960e (/Users/cls/workspace/NetworKit/./NetworKit-Tests-D+0x10002960e)
    #6 0x10b137844 (/Users/cls/workspace/NetworKit/./NetworKit-Tests-D+0x1000c7844)
    #7 0x10b13acf2 (/Users/cls/workspace/NetworKit/./NetworKit-Tests-D+0x1000cacf2)
    #8 0x10b253647 (/Users/cls/workspace/NetworKit/./NetworKit-Tests-D+0x1001e3647)
    #9 0x10b24ee55 (/Users/cls/workspace/NetworKit/./NetworKit-Tests-D+0x1001dee55)
    #10 0x10b237108 (/Users/cls/workspace/NetworKit/./NetworKit-Tests-D+0x1001c7108)
    #11 0x10b237c17 (/Users/cls/workspace/NetworKit/./NetworKit-Tests-D+0x1001c7c17)
    #12 0x10b2385c9 (/Users/cls/workspace/NetworKit/./NetworKit-Tests-D+0x1001c85c9)
    #13 0x10b23f659 (/Users/cls/workspace/NetworKit/./NetworKit-Tests-D+0x1001cf659)
    #14 0x10b254951 (/Users/cls/workspace/NetworKit/./NetworKit-Tests-D+0x1001e4951)
    #15 0x10b24fbeb (/Users/cls/workspace/NetworKit/./NetworKit-Tests-D+0x1001dfbeb)
    #16 0x10b23dc38 (/Users/cls/workspace/NetworKit/./NetworKit-Tests-D+0x1001cdc38)
    #17 0x10b229d28 (/Users/cls/workspace/NetworKit/./NetworKit-Tests-D+0x1001b9d28)
    #18 0x10b229bda (/Users/cls/workspace/NetworKit/./NetworKit-Tests-D+0x1001b9bda)
    #19 0x7fff8b7785fc (/usr/lib/system/libdyld.dylib+0x35fc)
    #20 0x2
Shadow bytes around the buggy address:
  0x1c00c00966c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x1c00c00966d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x1c00c00966e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x1c00c00966f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x1c00c0096700: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x1c00c0096710: 00 00 00 00[fa]fa fd fd fd fd fa fa fd fd fd fa
  0x1c00c0096720: fa fa fd fd fd fa fa fa 00 00 00 07 fa fa 00 00
  0x1c00c0096730: 00 04 fa fa fd fd fd fd fa fa fd fd fd fd fa fa
  0x1c00c0096740: fd fd fd fa fa fa fd fd fd fa fa fa 00 00 00 07
  0x1c00c0096750: fa fa 00 00 00 00 fa fa 00 00 00 04 fa fa fd fd
  0x1c00c0096760: fd fd fa fa fd fd fd fd fa fa fd fd fd fd fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:     fa
  Heap righ redzone:     fb
  Freed Heap region:     fd
  Stack left redzone:    f1
  Stack mid redzone:     f2
  Stack right redzone:   f3
  Stack partial redzone: f4
  Stack after return:    f5
  Stack use after scope: f8
  Global redzone:        f9
  Global init order:     f6
  Poisoned by user:      f7
  ASan internal:         fe
==32415== ABORTING
like image 596
clstaudt Avatar asked Jan 16 '14 13:01

clstaudt


People also ask

What is AddressSanitizer in GCC?

Address Sanitizer is a tool developed by Google detect memory access error such as use-after-free and memory leaks. It is built into GCC versions >= 4.8 and can be used on both C and C++ codes.

How does AddressSanitizer work?

AddressSanitizer dedicates one-eighth of the virtual address space to its shadow memory and uses a direct mapping with a scale and offset to translate an applica- tion address to its corresponding shadow address. Given the application memory address Addr, the address of the shadow byte is computed as (Addr>>3)+Offset.

What is a code sanitizer?

HTML sanitization is the process of examining an HTML document and producing a new HTML document that preserves only whatever tags are designated “safe” and desired. HTML sanitization can be used to protect against cross-site scripting (XSS) attacks by sanitizing any HTML code submitted by a user.


3 Answers

This is what is working for me:

  • Make sure you have installed llvm (including llvm-symbolizer).
  • Export the following variable

    export ASAN_SYMBOLIZER_PATH=/usr/bin/llvm-symbolizer

    (replace with your correct path to the llvm-symbolizer command).

  • Now run your executable (a.out for now) as

    ASAN_OPTIONS=symbolize=1 a.out
like image 84
iluvatar Avatar answered Oct 22 '22 06:10

iluvatar


=================================================================
==32415== ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6006004b38a0 at pc 0x10b136d5c bp 0x7fff54b8e5d0 sp 0x7fff54b8e5c8
WRITE of size 8 at 0x6006004b38a0 thread T0
    #0 0x10b136d5b (/Users/cls/workspace/NetworKit/./NetworKit-Tests-D+0x1000c6d5b)
    #1 0x10b136e0c (/Users/cls/workspace/NetworKit/./NetworKit-Tests-D+0x1000c6e0c)
    #2 0x10b138ef5 (/Users/cls/workspace/NetworKit/./NetworKit-Tests-D+0x1000c8ef5)
    #3 0x10b137a2e (/Users/cls/workspace/NetworKit/./NetworKit-Tests-D+0x1000c7a2e)
    #4 0x10b13acf2 (/Users/cls/workspace/NetworKit/./NetworKit-Tests-D+0x1000cacf2)
    #5 0x10b253647 (/Users/cls/workspace/NetworKit/./NetworKit-Tests-D+0x1001e3647)
    #6 0x10b24ee55 (/Users/cls/workspace/NetworKit/./NetworKit-Tests-D+0x1001dee55)
    #7 0x10b237108 (/Users/cls/workspace/NetworKit/./NetworKit-Tests-D+0x1001c7108)
    #8 0x10b237c17 (/Users/cls/workspace/NetworKit/./NetworKit-Tests-D+0x1001c7c17)
    #9 0x10b2385c9 (/Users/cls/workspace/NetworKit/./NetworKit-Tests-D+0x1001c85c9)
    #10 0x10b23f659 (/Users/cls/workspace/NetworKit/./NetworKit-Tests-D+0x1001cf659)
    #11 0x10b254951 (/Users/cls/workspace/NetworKit/./NetworKit-Tests-D+0x1001e4951)
    #12 0x10b24fbeb (/Users/cls/workspace/NetworKit/./NetworKit-Tests-D+0x1001dfbeb)
    #13 0x10b23dc38 (/Users/cls/workspace/NetworKit/./NetworKit-Tests-D+0x1001cdc38)
    #14 0x10b229d28 (/Users/cls/workspace/NetworKit/./NetworKit-Tests-D+0x1001b9d28)
    #15 0x10b229bda (/Users/cls/workspace/NetworKit/./NetworKit-Tests-D+0x1001b9bda)
    #16 0x7fff8b7785fc (/usr/lib/system/libdyld.dylib+0x35fc)
    #17 0x2

As an alternative, this is what I have been doing for years under Clang. Pipe your output through asan_symbolize to get the symbols. So you should do something like:

./test.exe 2>&1 | asan_symbolize

I have asan_symbolize in both /usr/bin and /usr/local/bin:

$ find /usr/ -name asan*
/usr/bin/asan_symbolize
/usr/lib/llvm-3.4/lib/clang/3.4/include/sanitizer/asan_interface.h
/usr/local/bin/asan_symbolize.py
/usr/local/lib/clang/3.5.0/include/sanitizer/asan_interface.h

I have two copies because one was installed with Clang via apt-get (/usr/bin/asan_symbolize), and I build Clang from sources on occasion (/usr/local/bin/asan_symbolize.py).

If you have no copies, then I believe you can fetch it from address-sanitizer on Google Code.


Once you start using asan_symbolize, you might encounter a situation where asan_symbolize cannot find the symbols due to a path change (for example, a program or library was copied from its build location to a destination directory). For that, see Specify Symbol Path to asan_symbolize? on the Asan mailing list.

In kcc's answer, he meant to do something like:

./test.exe 2>&1 | sed "s/<old path>/<new path>/g" | asan_symbolize

(I think that's what I had to do when testing Postgres).


Python has a crash course in Clang and its sanitizers at Dynamic Analysis with Clang. It discusses topics like getting stack traces. (I wrote the page for the the Python project to help them add Clang and its sanitizers to its release engineering process. Its a few years old now, but I believe all the information still applies).

like image 23
jww Avatar answered Oct 22 '22 06:10

jww


GCC 4.9.3 above does not require separate symbolizer.

Check How to compile with GCC with static options

like image 4
Gayan Pathirage Avatar answered Oct 22 '22 08:10

Gayan Pathirage