I want some tool to diagnose use-after-free bugs and uninitialized bugs. I am considering Sanitizer(Memory and/or Address) and Valgrind. But I have very little idea about their advantages and disadvantages. Can anyone tell the main features, differences and pros/cons of Sanitizer and Valgrind? Edit: I found some of comparisons like: Valgrind uses DBI(dynamic binary instrumentation) and Sanitizer uses CTI(compile-time instrumentation). Valgrind makes the program much slower(20x) whether Sanitizer runs much faster than Valgrind(2x). If anyone can give me some more important points to consider, it will be a great help.

I think you'll find this wiki useful. TLDR main advantages of sanitizers are <ul> <li>much smaller CPU overheads (Lsan is practically free, UBsan is 1.25x, Asan and Msan are 2-4x for computationally intensive tasks and 1.05-1.1x for GUIs, Tsan is 5-15x)</li> <li>wider class of detected errors (stack and global overflows, use-after-return)</li> <li>full support of multi-threaded apps (Valgrind support for multi-threading is a joke)</li> <li>much smaller memory overhead (up to 2x for Asan, up to 3x for Msan, up to 10x for Tsan which is way better than Valgrind)</li> </ul> Disadvantages are <ul> <li>more complicated integration (you need to teach your build system to understand Asan and sometimes work around limitations/bugs in Asan itself, you also need to use relatively recent compiler)</li> <li>MemorySanitizer is not reall^W easily usable at the moment as it requires one to rebuild all dependencies under Msan (including all standard libraries e.g. libstdc++); this means that casual users can only use Valgrind for detecting uninitialized errors</li> <li>sanitizers typically can not be combined with each other (the only supported combination is Asan+UBsan+Lsan) which means that you'll have to do separate QA runs to catch all types of bugs</li> </ul>

One big difference is that the LLVM-included memory and thread sanitizers implicitly map huge swathes of address space (e.g., by calling <code>mmap(X, Y, 0, MAP_NORESERVE|MAP_ANONYMOUS|MAP_FIXED|MAP_PRIVATE, -1, 0)</code> across terabytes of address space in the x86_64 environment). Even though they don't necessarily allocate that memory, the mapping can play havoc with restrictive environments (e.g., ones with reasonable settings for <code>ulimit</code> values).

Memory/Address Sanitizer vs Valgrind

Tags:

valgrind

address-sanitizer

memory-sanitizer

I want some tool to diagnose use-after-free bugs and uninitialized bugs. I am considering Sanitizer(Memory and/or Address) and Valgrind. But I have very little idea about their advantages and disadvantages. Can anyone tell the main features, differences and pros/cons of Sanitizer and Valgrind?

Edit: I found some of comparisons like: Valgrind uses DBI(dynamic binary instrumentation) and Sanitizer uses CTI(compile-time instrumentation). Valgrind makes the program much slower(20x) whether Sanitizer runs much faster than Valgrind(2x). If anyone can give me some more important points to consider, it will be a great help.

837

asked Nov 12 '17 17:11

kayas

2 Answers

I think you'll find this wiki useful.

TLDR main advantages of sanitizers are

much smaller CPU overheads (Lsan is practically free, UBsan is 1.25x, Asan and Msan are 2-4x for computationally intensive tasks and 1.05-1.1x for GUIs, Tsan is 5-15x)
wider class of detected errors (stack and global overflows, use-after-return)
full support of multi-threaded apps (Valgrind support for multi-threading is a joke)
much smaller memory overhead (up to 2x for Asan, up to 3x for Msan, up to 10x for Tsan which is way better than Valgrind)

Disadvantages are

more complicated integration (you need to teach your build system to understand Asan and sometimes work around limitations/bugs in Asan itself, you also need to use relatively recent compiler)
MemorySanitizer is not reall^W easily usable at the moment as it requires one to rebuild all dependencies under Msan (including all standard libraries e.g. libstdc++); this means that casual users can only use Valgrind for detecting uninitialized errors
sanitizers typically can not be combined with each other (the only supported combination is Asan+UBsan+Lsan) which means that you'll have to do separate QA runs to catch all types of bugs

199

answered Sep 25 '22 14:09

yugr

One big difference is that the LLVM-included memory and thread sanitizers implicitly map huge swathes of address space (e.g., by calling mmap(X, Y, 0, MAP_NORESERVE|MAP_ANONYMOUS|MAP_FIXED|MAP_PRIVATE, -1, 0) across terabytes of address space in the x86_64 environment). Even though they don't necessarily allocate that memory, the mapping can play havoc with restrictive environments (e.g., ones with reasonable settings for ulimit values).

answered Sep 22 '22 14:09

jhfrontz

Related questions
                            
                                valgrind memory leak errors when using pthread_create
                            
                                How do I add valgrind tests to my cmake "test" target
                            
                                How do I make ctest run a program with valgrind without dart?
                            
                                Should I use Helgrind or DRD for thread error detection?
                            
                                Why does this code not result in a memory leak? [duplicate]
                            
                                How to build and install Valgrind on Mac?
                            
                                Valgrind Unrecognised instruction
                            
                                How to install Valgrind on macOS Catalina (10.15) with Homebrew?
                            
                                Error installing valgrind
                            
                                Why does valgrind say basic SDL program is leaking memory?
                            
                                valgrind - Address ---- is 0 bytes after a block of size 8 alloc'd
                            
                                Terminate process running inside valgrind
                            
                                Windows Callgrind results browser, alternative to KCacheGrind [closed]
                            
                                How do you tell Valgrind to completely suppress a particular .so file?
                            
                                How can I use valgrind with Python C++ extensions?
                            
                                Is it overkill to run the unit test with Valgrind?
                            
                                use valgrind to know time(in seconds) spent in each function
                            
                                Valgrind: can possibly lost be treated as definitely lost?
                            
                                Helgrind (Valgrind) and OpenMP (C): avoiding false positives?
                            
                                Are there any alternatives to valgrind on Mac OS X Mountain Lion and Mavericks to detect memory leaks for C/C++ applications? [closed]

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!

Donate Us With