new features in addresssanitizer
play

New features in AddressSanitizer LLVM developer meeting Nov 7, - PowerPoint PPT Presentation

Mar 31, 2023 •21 likes •301 views

New features in AddressSanitizer LLVM developer meeting Nov 7, 2013 Alexey Samsonov, Kostya Serebryany Agenda AddressSanitizer (ASan): a quick reminder New features: Initialization-order-fiasco Stack-use-after-scope

  1. New features in AddressSanitizer LLVM developer meeting Nov 7, 2013 Alexey Samsonov, Kostya Serebryany

  2. Agenda ● AddressSanitizer (ASan): a quick reminder ● New features: ○ Initialization-order-fiasco ○ Stack-use-after-scope ○ Stack-use-after-return ○ Leaks ● ASan for Linux Kernel ● Misc: compile time, MPX, ASM, libs ● BOF at 2:00pm today

  3. ASan: a quick reminder ● Dynamic testing tool, finds memory bugs ○ Buffer overflows, use-after-free ○ Found 5000+ bugs everywhere, including LLVM ● Compiler instrumentation + run-time library ● ~2x slowdown ● In LLVM since 3.1 ● Siblings: ○ ThreadSanitizer (TSan): data races ○ MemorySanitizer (MSan): uses of uninitialized memory

  4. ASan: a quick reminder (cont.) ● Every 8 bytes of application memory are associated with 1 byte of “shadow” memory ● Redzones are created around buffers; freed memory is put into quarantine ● Shadow of redzones and freed memory is “poisoned” ● On every memory access compiler-injected code checks if shadow is poisoned

  5. ASan report example: heap-use-after-free int main(int argc, char **argv) { int *array = new int[100]; delete [] array ; return array[argc] ; // BOOM } % clang++ -O1 -g -fsanitize=address a.cc && ./a.out ==30226== ERROR: AddressSanitizer heap-use-after-free READ of size 4 at 0x7faa07fce084 thread T0 #0 0x40433c in main a.cc:4 0x7faa07fce084 is located 4 bytes inside of 400-byte region freed by thread T0 here: #0 0x4058fd in operator delete[](void*) _asan_rtl_ #1 0x404303 in main a.cc:3 previously allocated by thread T0 here: #0 0x405579 in operator new[](unsigned long) _asan_rtl_ #1 0x4042f3 in main a.cc:2

  6. New Features

  7. ASan report example: init-order-fiasco // i1.cc // i2.cc extern int B; #include <stdlib.h> int A = B; int B = atoi("123"); int main() { return A; } % clang -g -fsanitize=address i1.cc i2.cc % ASAN_OPTIONS=check_initialization_order=1 ./a.out ==19504==ERROR: AddressSanitizer: initialization-order-fiasco READ of size 4 at 0x000001aaff60 thread T0 #0 0x414fa3 in __cxx_global_var_init i1.cc:2 #1 0x415015 in global constructors keyed to a i1.cc:5 0x000001aaff60 is located 0 bytes inside of global variable 'B' from 'i2.cc' (0x1aaff60) of size 4

  8. Detecting init-order-fiasco ● Frontend knows which globals are dynamically initialized ● Instrumented code registers globals struct __asan_global { void *address; size_t size; <...> const char *module_name; bool has_dynamic_initializer; } // asan.module_ctor has the highest priority. asan.module_ctor() { <...> __asan_register_globals(globals, n); }

  9. Detecting init-order-fiasco (cont.) // All globals from the translation unit are // initialized here. _GLOBAL__I_a() { // Poison shadow memory for {uninitialized, all} // globals in another TUs. __asan_before_dynamic_init(module_name); __cxx_global_var_init1(); <...> __cxx_global_var_initN(); // Unpoison shadow memory for all the globals. __asan_after_dynamic_init(); }

  10. Init-order fiasco detector modes // Poison shadow memory for {uninitialized [1], all [2]} // globals in another TUs. __asan_before_dynamic_init(module_name); [1] ASAN_OPTIONS=check_initialization_order=true [2] ASAN_OPTIONS=strict_init_order=true (has false positives). struct Foo { Foo() { if (!initialized) value = get_value(); } int get() { if (!initialized) value = get_value(); return value; } int value; static bool initialized; };

  11. Init-order fiasco status ● Works on Linux. ● OFF by default :( May bark on globals with no-op constructors, user has to blacklist them. ● Still worth using: ○ Strict mode ON by default for Google code, hundreds of errors are fixed. ○ Good for large code bases, which are difficult to be made -Wglobal-constructors -clean. ○ Finds potentials errors (LTO).

  12. ASan report example: stack-use-after-scope int main() { int *p; { int x = 0; p = &x; } return *p ; } % clang -g -fsanitize=address,use-after-scope a.cc ; ./a. out ==15839==ERROR: AddressSanitizer: stack-use-after-scope READ of size 4 at 0x7fffe06c20a0 thread T0 #0 0x46103d in main a.cc:4 Address is located in stack of thread T0 at offset 160 in frame #0 0x460daf in main a.cc:1 This frame has 4 object(s): [96, 104) 'p' [160, 164) 'x' <== Memory access at offset 160 is inside this variable

  13. Detecting stack-use-after-scope Use llvm.lifetime intrinsics to generate calls to ASan runtime: llvm.lifetime.start(size, ptr) -> __asan_unpoison_stack_memory(ptr, size) llvm.lifetime.end(size, ptr) -> __asan_poison_stack_memory(ptr, size)

  14. Stack-use-after-scope status ● Still at a prototype stage. ● Clang doesn’t yet emit llvm.lifetime intrinsics for temporaries: const char *s = FunctionReturningStdString().c_str(); char c = s[0]; // BOOM. ● Need to optimize redundant calls to ASan runtime (static analysis). ● Stack-use-after-scope will be bundled with stack-use- after-return (discussed further).

  15. ASan report example: stack-use-after-return int *g; int main() { void LeakLocal() { LeakLocal(); int local ; return *g ; g = &local; } } % clang -g -fsanitize=address a.cc % ASAN_OPTIONS=detect_stack_use_after_return=1 ./a.out ==19177==ERROR: AddressSanitizer: stack-use-after-return READ of size 4 at 0x7f473d0000a0 thread T0 #0 0x461ccf in main a.cc:8 Address is located in stack of thread T0 at offset 32 in frame #0 0x461a5f in LeakLocal() a.cc:2 This frame has 1 object(s): [32, 36) 'local' <== Memory access at offset 32

  16. Stack-use-after-return instrumentation // Function entry char frame[N]; char *fake_frame = &frame[0]; if (__asan_option_detect_stack_uar) fake_frame = asan_stack_malloc (N, frame); … // Function exit if (fake_frame != frame) asan_stack_free (fake_frame, N) ;

  17. Stack-use-after-return allocator char *asan_stack_malloc( size_t N, char *real_frame); void asan_stack_free( char *fake_frame, size_t N); ● Fast thread-local malloc-like allocator ● Has quarantine for freed chunks ● Uses a fixed size mmap-ed buffer ● If allocation fails, returns the original frame

  18. ASan report example: memory leak int *g = new int ; int main() { g = 0; // Lost the pointer. } % clang -g -fsanitize=address a.cc % ASAN_OPTIONS=detect_leaks=1 ./a.out ==19894==ERROR: AddressSanitizer: detected memory leaks Direct leak of 4 byte(s) in 1 object(s) allocated from: #0 0x44a3b1 in operator new(unsigned long) #1 0x414f66 in __cxx_global_var_init leak.cc:1

  19. LeakSanitizer (ASan’s leak detector) ● Similar to other tools: tcmalloc, valgrind, etc ● Faster than any of those ○ No extra overhead on top of ASan at run-time ○ Small overhead at shutdown ● Based on the ASan/MSan/TSan allocator ● Can be bundled with ASan/MSan/TSan or used as a standalone tool ○ Currently, supported only in ASan or standalone ● Requires StopTheWorld() -- today Linux only

  20. ASan/TSan/MSan allocator ● Full malloc/free API ○ thread-local caches, similar to tcmalloc ● Extra features for the tool: ○ Associate metadata with every heap chunk: ■ Stack trace of malloc/free ■ Other tool-specific metadata ○ ASan keeps metadata in the redzone ○ TSan/MSan: metadata is not adjacent to the chunk ○ Fast mapping “address => chunk => metadata”

  21. ASan/TSan/MSan allocator (cont.) (invalid) SizeClass0 SizeClass1 16-byte Chunk1 16-byte Chunk2 ... MetaData2 MetaData1 ... 64Kb Chunk1 64Kb Chunk2 ... MetaData2 MetaData1 SizeClass48 ... ● Memory is allocated from a fixed addr. range ○ ASan: [0x600000000000, 0x640000000000) -- 4Tb ● 64 regions; each allocates its own size class ○ Chunks are allocated left to right. Metadata: right to left. ● Fast “address=>chunk=>metadata” ○ Simple arithmetic ○ Lock-free

  22. MISC

  23. ASan for Linux Kernel ● … has nothing to do with LLVM :( ○ Our early prototype uses GCC’s TSan module ○ Instrumentation is a bit different ○ Run-time is different (inside the kernel) ● Found 12 bugs already, 5 fixed! ● Want to use Clang for better instrumentation ○ Clang issues are resolved (?) ○ Still some issues in the Kernel code ● Want to test another kernel? Talk to us!

  24. Intel MPX ● Intel MPX: Memory Protection Extensions ○ Published on July’13, HW available in ~ 2 years ○ Additional instructions to find buffer overflows ○ Expensive instructions touch two cache lines ○ Requires lots of memory ○ Slow for programs with graphs, lists and trees. ○ Does not detect use-after-free ○ Has false positives ○ *Biased* comparison against ASan: goo.gl/RrhZIz ● Still worth supporting in LLVM! ○ Finds intra-object buffer overflows ○ Very fast for long loops that traverse simple arrays

  25. Compile time with ASan ● ASan and MSan create more control flow ● Some LLVM passes downstream explode ● Example: PR17409 (quadratic?) ○ llvm::SpillPlacement::addLinks ○ InlineSpiller::propagateSiblingValue

  26. Why instrument all libs? ● ASan: stack unwinding with frame pointers ● TSan: catching synchronization via atomics ● MSan: avoid false positives ● All tools: more coverage ● Status: can build 50+ libs used by Chromium on Linux ● Help is welcome!

  27. We also want to instrument ASM! ● MSan: avoid false positives ○ Ex.: FD_ZERO on Linux is inline asm ○ Ex.: optimized libraries (openssl, libjpeg_turbo) ● All tools: more coverage (same as libs) Ideas ● Pattern matching for simple cases ● An MC Pass ● Use MCLayer

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

AddressSanitizer for Windows Timur Iskhodzhanov Google AddressSanitizer (a.k.a. ASan) High

AddressSanitizer for Windows Timur Iskhodzhanov Google AddressSanitizer (a.k.a. ASan) High

AddressSanitizer for Windows Timur Iskhodzhanov Google AddressSanitizer (a.k.a. ASan) High performance Uses compile-time instrumentation Lightweight algorithm Multi-threaded Focuses on severe bugs buffer

533 views • 19 slides
AddressSanitizer/ThreadSanitizer for Linux Kernel and userspace. Konstantin Serebryany, Dmitry

AddressSanitizer/ThreadSanitizer for Linux Kernel and userspace. Konstantin Serebryany, Dmitry

AddressSanitizer/ThreadSanitizer for Linux Kernel and userspace. Konstantin Serebryany, Dmitry Vyukov Linux Collaboration Summit 15 April 2013 Agenda AddressSanitizer, a memory error detector (userspace) ThreadSanitizer, a data race

1.18k views • 69 slides
Supervised Learning Given: a set of inputs features X 1 , . . . , X n a set of target features Y 1

Supervised Learning Given: a set of inputs features X 1 , . . . , X n a set of target features Y 1

Supervised Learning Given: a set of inputs features X 1 , . . . , X n a set of target features Y 1 , . . . , Y k a set of training examples where the values for the input features and the target features are given for each example a new

323 views • 18 slides
Efficient visual search of local features Cordelia Schmid Bag-of-features

Efficient visual search of local features Cordelia Schmid Bag-of-features

Efficient visual search of local features Cordelia Schmid Bag-of-features [Sivic&amp;Zisserman03] Query Set of SIFT centroids image descriptors (visual words) sparse frequency vector Bag-of-features Harris-Hessian-Laplace processing

574 views • 33 slides
New Features of Net-FM v. 3.3 &amp; 3.3.1 ICC 2016 ICC 2016 New Features of Net-FM v. 3.3 &amp;

New Features of Net-FM v. 3.3 &amp; 3.3.1 ICC 2016 ICC 2016 New Features of Net-FM v. 3.3 &amp;

New Features of Net-FM v. 3.3 &amp; 3.3.1 ICC 2016 ICC 2016 New Features of Net-FM v. 3.3 &amp; 3.3.1 presented by Anthony J. Bunker Software QA &amp; Documentation Manager October 20, 2016 Slide 1 Introduction ICC 2016 ICC 2016 At

374 views • 15 slides
Image Features: Detection, Description, and Matching and their Applications Image

Image Features: Detection, Description, and Matching and their Applications Image

Image Features: Detection, Description, and Matching and their Applications Image Representation: Global Versus Local Features Features/ keypoints/ interset points are interesting locations in the image. Features serve to give a new

235 views • 22 slides
reliable innovation Main features Main features Lower part detachment Concept advantages

reliable innovation Main features Main features Lower part detachment Concept advantages

SIRE-NN Chocolate enrobing reliable innovation Main features Main features Lower part detachment Concept advantages Cantilever design for easy access (cleaning and maintenance) Detail features Detail features Pilot plant Compact

600 views • 13 slides
SI485i : NLP Set 12 Features and Prediction What is NLP, really? Many of our tasks boil down

SI485i : NLP Set 12 Features and Prediction What is NLP, really? Many of our tasks boil down

SI485i : NLP Set 12 Features and Prediction What is NLP, really? Many of our tasks boil down to finding intelligent features of language. We do lots of machine learning over features NLP researchers also use linguistic insights, deep

326 views • 18 slides
Image Features Sanja Fidler CSC420: Intro to Image Understanding 1 / 64 Image Features Image

Image Features Sanja Fidler CSC420: Intro to Image Understanding 1 / 64 Image Features Image

Image Features Sanja Fidler CSC420: Intro to Image Understanding 1 / 64 Image Features Image features are useful descriptions of local or global image properties designed to accomplish a certain task You may want to choose different features

1.09k views • 71 slides
Mark Pagel pags@cray.com New features in XT MPT 3.1 and MPT 3.2 Features as a result of

Mark Pagel pags@cray.com New features in XT MPT 3.1 and MPT 3.2 Features as a result of

Mark Pagel pags@cray.com New features in XT MPT 3.1 and MPT 3.2 Features as a result of scaling to 150K MPI ranks MPI-IO Improvements(MPT 3.1 and MPT 3.2) SMP aware collective improvements(MPT 3.2) Misc Features (MPT 3.1)

694 views • 33 slides
Considered ELA Features Sunday, July 15, 2018 9 / 20 Considered ELA Features Meta-Model

Considered ELA Features Sunday, July 15, 2018 9 / 20 Considered ELA Features Meta-Model

Considered ELA Features Sunday, July 15, 2018 9 / 20 Considered ELA Features Meta-Model Features: fits linear and quadratic models (with and without pairwise interaction e ff ects) to the data extracts information from these models, such as

436 views • 7 slides
The e-Application Form Main features Main features ENI CBC Med Programme - Managing Authority

The e-Application Form Main features Main features ENI CBC Med Programme - Managing Authority

The e-Application Form Main features Main features ENI CBC Med Programme - Managing Authority Regione Autonoma della Sardegna 1 Intro Focus on the online Application Form (eAF) main features namely: Result based management applied to the ENI

562 views • 23 slides
http://cs246.stanford.edu Input features: N features: X 1 , X 2 , X N A Each X j

http://cs246.stanford.edu Input features: N features: X 1 , X 2 , X N A Each X j

CS246: Mining Massive Datasets Jure Leskovec, Stanford University http://cs246.stanford.edu Input features: N features: X 1 , X 2 , X N A Each X j has domain D j X 1 &lt;v 1 Categorical: C Y= 0.42 D j = {red, blue} X 2

508 views • 40 slides
Part I Georgia Milestones: Unique Features ***Some disabilities ***All schools MUST Features

Part I Georgia Milestones: Unique Features ***Some disabilities ***All schools MUST Features

Part I Georgia Milestones: Unique Features ***Some disabilities ***All schools MUST Features include: test some can be tested pencil- paper. students online. inclusion of constructed-response items in ELA and mathematics, in

784 views • 24 slides
Image Features Sanja Fidler CSC420: Intro to Image Understanding 1 / 1 Image Features Image

Image Features Sanja Fidler CSC420: Intro to Image Understanding 1 / 1 Image Features Image

Image Features Sanja Fidler CSC420: Intro to Image Understanding 1 / 1 Image Features Image features are useful descriptions of local or global image properties designed (or learned!) to accomplish a certain task You may want to choose di ff

941 views • 70 slides
FACULTY MODULE This power point will guide you through the features and their usage Features:

FACULTY MODULE This power point will guide you through the features and their usage Features:

Student Accessibility and Accommodation FACULTY MODULE This power point will guide you through the features and their usage Features: 1. Electronically sign decision letters 2. You will be able to see students who have approved

744 views • 17 slides
HOW TO APPROACH COVID-19 Best Practices for Now and Key Ways to Prepare for the Future

HOW TO APPROACH COVID-19 Best Practices for Now and Key Ways to Prepare for the Future

HOW TO APPROACH COVID-19 Best Practices for Now and Key Ways to Prepare for the Future INTRODUCTIONS Samantha Osborne - Marketing Strategist Terry Salo - Sr. HR Consultant AGENDA Introduction to Families First Coronavirus Response Act

374 views • 22 slides
What Does the CARES Act Mean for my Small Business? Answering your Questions with Congressman

What Does the CARES Act Mean for my Small Business? Answering your Questions with Congressman

What Does the CARES Act Mean for my Small Business? Answering your Questions with Congressman Paul Mitchell This webinar was conducted on March 31, 2020. Please visit our website for the most up to date information. Questions?

202 views • 18 slides
COVID-19: Focus on Emerging Constitutional Challenges April 15, 2020 Co-sponsored by: 1 How

COVID-19: Focus on Emerging Constitutional Challenges April 15, 2020 Co-sponsored by: 1 How

COVID-19: Focus on Emerging Constitutional Challenges April 15, 2020 Co-sponsored by: 1 How to Use WebEx Q &amp; A 1. Open the Q&amp;A panel 2. Select All Panelists 3. Type your question 4. Click Send 2 Moderator Kayleen

660 views • 39 slides
The webinar will begin shortly COVID-19 Update Homeless Services Division &amp; Continuum of

The webinar will begin shortly COVID-19 Update Homeless Services Division &amp; Continuum of

For audio via telephone Dial-in number: (425) 436-6371 Access Code: 432873# If line is busy, please wait a few minutes and try again. The webinar will begin shortly COVID-19 Update Homeless Services Division &amp; Continuum of Care

788 views • 39 slides
ICFS MISSION Matthew 28:18 - 20 Jesus said, 18 All authority in heaven and on earth has been

ICFS MISSION Matthew 28:18 - 20 Jesus said, 18 All authority in heaven and on earth has been

On Mission during Quarantine and Beyond ACTS 1:1 - 11 A disciple is a learning, loyal, loving, lifelong follower of Jesus. A witness is someone who tells what they know to be true and what they have experienced. ICFS MISSION Matthew

455 views • 16 slides
TOPICS for TODAY + Superfund Enforcement Program, Process under Current Administration

TOPICS for TODAY + Superfund Enforcement Program, Process under Current Administration

TOPICS for TODAY + Superfund Enforcement Program, Process under Current Administration + Enforcement during COVID-19 + Environmental Justice Superfund Enforcement Superfund Process Overview of Superfund Enforcement

432 views • 31 slides
San Francisco Labor Laws Under COVID-19 July 29, 2020 Office of Labor Standards Enforcement 1

San Francisco Labor Laws Under COVID-19 July 29, 2020 Office of Labor Standards Enforcement 1

San Francisco Labor Laws Under COVID-19 July 29, 2020 Office of Labor Standards Enforcement 1 Webinar Ho Housek ekeep eeping You should see a control panel like this on the right side of your screen The panel should minimize

881 views • 55 slides
Rumliche und netzw erkbasierte Modelle zur Interventionsplanung bei direkt bertragenen

Rumliche und netzw erkbasierte Modelle zur Interventionsplanung bei direkt bertragenen

Rumliche und netzw erkbasierte Modelle zur Interventionsplanung bei direkt bertragenen Krankheiten Markus Schw ehm &amp; Martin Eichner Institut fr Medizinische Biometrie, Tbingen Influenzadynamik [image removed] The InfluSim

206 views • 19 slides

More recommend