[C++知识库]c++使用sanitizer代码分析

sanitizer

Sanitizers(请参考https://github.com/google/Sanitizers )已经成为静态和动态代码分析的非常有用的工具。通过使用适当的标志重新编译代码并链接到必要的库，可以检查内存错误(地址清理器)、未初始化的读取(内存清理器)、线程安全(线程清理器)和未定义的行为(未定义的行为清理器)相关的问题。与同类型分析工具相比，Sanitizers带来的性能损失通常要小得多，而且往往提供关于检测到的问题的更详细的信息。缺点是，代码(可能还有工具链的一部分)需要使用附加的标志重新编译。

sanitizer标志

sanitizer已经被集成到gcc，在使用只需要设置相应的标志位即可：相应标志如下

• 地址错误： -fsanitize=address
• 内存错误： -fsanitize=memory
• 内存泄漏： -fsanitize=leak
• 线程竞速问题： -fsanitize=thread
• 未定义问题： -fsanitize=undefined

为方便回溯可同时添加保留函数指针标志：-fno-omit-frame-pointer

gcc/g++使用sanitizer

gcc/g++编译只需要将sanitizer的标志作为flag设置即可，如下：

gcc/g++ -fsanitize=address -g -fno-omit-frame-pointer test.cpp

CMakeLists使用sanitizer

使用CMAKE_CXX_FLAGS或add_compile_options的配置即可使用，如下：

set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -fsanitize=address -fno-omit-frame-pointer")

或

add_compile_options(-fsanitize=address -fsanitize=memory -fno-omit-frame-pointer)
link_libraries(-fsanitize=address -fsanitize=memory)

使用例子

建立如下名为address_sanitizers.cpp的文件，其中存在越界访问。

#include <iostream>

void f()
{
    int a[2] = {1, 0};
    int b = a[2];
    std::cout << b << std::endl;
}

int main()
{
    f();
    return 0;
}

使用sanitizer进行编译并运行

g++ -g -fsanitize=address address_sanitizers.cpp
./a.out

得到如下错误输出。

=================================================================
==79521==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fff4c428dd8 at pc 0x563deecc541d bp 0x7fff4c428d90 sp 0x7fff4c428d80
READ of size 4 at 0x7fff4c428dd8 thread T0
    #0 0x563deecc541c in f() /home/zmy/test_cpp/sanitizers/address_sanitizers.cpp:6
    #1 0x563deecc54ae in main /home/zmy/test_cpp/sanitizers/address_sanitizers.cpp:12
    #2 0x7f813aa660b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
    #3 0x563deecc522d in _start (/home/zmy/test_cpp/sanitizers/a.out+0x122d)

Address 0x7fff4c428dd8 is located in stack of thread T0 at offset 40 in frame
    #0 0x563deecc52f8 in f() /home/zmy/test_cpp/sanitizers/address_sanitizers.cpp:4

  This frame has 1 object(s):
    [32, 40) 'a' (line 5) <== Memory access at offset 40 overflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow /home/zmy/test_cpp/sanitizers/address_sanitizers.cpp:6 in f()
Shadow bytes around the buggy address:
  0x10006987d160: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10006987d170: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10006987d180: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10006987d190: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10006987d1a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x10006987d1b0: 00 00 00 00 00 00 f1 f1 f1 f1 00[f3]f3 f3 00 00
  0x10006987d1c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10006987d1d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10006987d1e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10006987d1f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10006987d200: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==79521==ABORTING