Meaningful stack traces for address sanitizer in GCC

主宰稳场 提交于 2019-12-28 05:31:11

问题


I just tried compiling with GCC and the -fsanitize=address flag. When I run my program, the address sanitizer finds a flaw, but the stack trace is not helpful. How can I configure this so that it points to the source code locations I need to look at?

=================================================================
==32415== ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6006004b38a0 at pc 0x10b136d5c bp 0x7fff54b8e5d0 sp 0x7fff54b8e5c8
WRITE of size 8 at 0x6006004b38a0 thread T0
    #0 0x10b136d5b (/Users/cls/workspace/NetworKit/./NetworKit-Tests-D+0x1000c6d5b)
    #1 0x10b136e0c (/Users/cls/workspace/NetworKit/./NetworKit-Tests-D+0x1000c6e0c)
    #2 0x10b138ef5 (/Users/cls/workspace/NetworKit/./NetworKit-Tests-D+0x1000c8ef5)
    #3 0x10b137a2e (/Users/cls/workspace/NetworKit/./NetworKit-Tests-D+0x1000c7a2e)
    #4 0x10b13acf2 (/Users/cls/workspace/NetworKit/./NetworKit-Tests-D+0x1000cacf2)
    #5 0x10b253647 (/Users/cls/workspace/NetworKit/./NetworKit-Tests-D+0x1001e3647)
    #6 0x10b24ee55 (/Users/cls/workspace/NetworKit/./NetworKit-Tests-D+0x1001dee55)
    #7 0x10b237108 (/Users/cls/workspace/NetworKit/./NetworKit-Tests-D+0x1001c7108)
    #8 0x10b237c17 (/Users/cls/workspace/NetworKit/./NetworKit-Tests-D+0x1001c7c17)
    #9 0x10b2385c9 (/Users/cls/workspace/NetworKit/./NetworKit-Tests-D+0x1001c85c9)
    #10 0x10b23f659 (/Users/cls/workspace/NetworKit/./NetworKit-Tests-D+0x1001cf659)
    #11 0x10b254951 (/Users/cls/workspace/NetworKit/./NetworKit-Tests-D+0x1001e4951)
    #12 0x10b24fbeb (/Users/cls/workspace/NetworKit/./NetworKit-Tests-D+0x1001dfbeb)
    #13 0x10b23dc38 (/Users/cls/workspace/NetworKit/./NetworKit-Tests-D+0x1001cdc38)
    #14 0x10b229d28 (/Users/cls/workspace/NetworKit/./NetworKit-Tests-D+0x1001b9d28)
    #15 0x10b229bda (/Users/cls/workspace/NetworKit/./NetworKit-Tests-D+0x1001b9bda)
    #16 0x7fff8b7785fc (/usr/lib/system/libdyld.dylib+0x35fc)
    #17 0x2
0x6006004b38a0 is located 0 bytes to the right of 32-byte region [0x6006004b3880,0x6006004b38a0)
allocated by thread T0 here:
    #0 0x10b8bb63a (/usr/local/lib/gcc/x86_64-apple-darwin13.0.0/4.8.2/libasan.0.dylib+0xe63a)
    #1 0x10b0777c6 (/Users/cls/workspace/NetworKit/./NetworKit-Tests-D+0x1000077c6)
    #2 0x10b07701e (/Users/cls/workspace/NetworKit/./NetworKit-Tests-D+0x10000701e)
    #3 0x10b09cd1b (/Users/cls/workspace/NetworKit/./NetworKit-Tests-D+0x10002cd1b)
    #4 0x10b09c6ef (/Users/cls/workspace/NetworKit/./NetworKit-Tests-D+0x10002c6ef)
    #5 0x10b09960e (/Users/cls/workspace/NetworKit/./NetworKit-Tests-D+0x10002960e)
    #6 0x10b137844 (/Users/cls/workspace/NetworKit/./NetworKit-Tests-D+0x1000c7844)
    #7 0x10b13acf2 (/Users/cls/workspace/NetworKit/./NetworKit-Tests-D+0x1000cacf2)
    #8 0x10b253647 (/Users/cls/workspace/NetworKit/./NetworKit-Tests-D+0x1001e3647)
    #9 0x10b24ee55 (/Users/cls/workspace/NetworKit/./NetworKit-Tests-D+0x1001dee55)
    #10 0x10b237108 (/Users/cls/workspace/NetworKit/./NetworKit-Tests-D+0x1001c7108)
    #11 0x10b237c17 (/Users/cls/workspace/NetworKit/./NetworKit-Tests-D+0x1001c7c17)
    #12 0x10b2385c9 (/Users/cls/workspace/NetworKit/./NetworKit-Tests-D+0x1001c85c9)
    #13 0x10b23f659 (/Users/cls/workspace/NetworKit/./NetworKit-Tests-D+0x1001cf659)
    #14 0x10b254951 (/Users/cls/workspace/NetworKit/./NetworKit-Tests-D+0x1001e4951)
    #15 0x10b24fbeb (/Users/cls/workspace/NetworKit/./NetworKit-Tests-D+0x1001dfbeb)
    #16 0x10b23dc38 (/Users/cls/workspace/NetworKit/./NetworKit-Tests-D+0x1001cdc38)
    #17 0x10b229d28 (/Users/cls/workspace/NetworKit/./NetworKit-Tests-D+0x1001b9d28)
    #18 0x10b229bda (/Users/cls/workspace/NetworKit/./NetworKit-Tests-D+0x1001b9bda)
    #19 0x7fff8b7785fc (/usr/lib/system/libdyld.dylib+0x35fc)
    #20 0x2
Shadow bytes around the buggy address:
  0x1c00c00966c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x1c00c00966d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x1c00c00966e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x1c00c00966f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x1c00c0096700: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x1c00c0096710: 00 00 00 00[fa]fa fd fd fd fd fa fa fd fd fd fa
  0x1c00c0096720: fa fa fd fd fd fa fa fa 00 00 00 07 fa fa 00 00
  0x1c00c0096730: 00 04 fa fa fd fd fd fd fa fa fd fd fd fd fa fa
  0x1c00c0096740: fd fd fd fa fa fa fd fd fd fa fa fa 00 00 00 07
  0x1c00c0096750: fa fa 00 00 00 00 fa fa 00 00 00 04 fa fa fd fd
  0x1c00c0096760: fd fd fa fa fd fd fd fd fa fa fd fd fd fd fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:     fa
  Heap righ redzone:     fb
  Freed Heap region:     fd
  Stack left redzone:    f1
  Stack mid redzone:     f2
  Stack right redzone:   f3
  Stack partial redzone: f4
  Stack after return:    f5
  Stack use after scope: f8
  Global redzone:        f9
  Global init order:     f6
  Poisoned by user:      f7
  ASan internal:         fe
==32415== ABORTING

回答1:


This is what is working for me:

  • Make sure you have installed llvm (including llvm-symbolizer).
  • Export the following variable

    export ASAN_SYMBOLIZER_PATH=/usr/bin/llvm-symbolizer

    (replace with your correct path to the llvm-symbolizer command).

  • Now run your executable (a.out for now) as

    ASAN_OPTIONS=symbolize=1 a.out



回答2:


=================================================================
==32415== ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6006004b38a0 at pc 0x10b136d5c bp 0x7fff54b8e5d0 sp 0x7fff54b8e5c8
WRITE of size 8 at 0x6006004b38a0 thread T0
    #0 0x10b136d5b (/Users/cls/workspace/NetworKit/./NetworKit-Tests-D+0x1000c6d5b)
    #1 0x10b136e0c (/Users/cls/workspace/NetworKit/./NetworKit-Tests-D+0x1000c6e0c)
    #2 0x10b138ef5 (/Users/cls/workspace/NetworKit/./NetworKit-Tests-D+0x1000c8ef5)
    #3 0x10b137a2e (/Users/cls/workspace/NetworKit/./NetworKit-Tests-D+0x1000c7a2e)
    #4 0x10b13acf2 (/Users/cls/workspace/NetworKit/./NetworKit-Tests-D+0x1000cacf2)
    #5 0x10b253647 (/Users/cls/workspace/NetworKit/./NetworKit-Tests-D+0x1001e3647)
    #6 0x10b24ee55 (/Users/cls/workspace/NetworKit/./NetworKit-Tests-D+0x1001dee55)
    #7 0x10b237108 (/Users/cls/workspace/NetworKit/./NetworKit-Tests-D+0x1001c7108)
    #8 0x10b237c17 (/Users/cls/workspace/NetworKit/./NetworKit-Tests-D+0x1001c7c17)
    #9 0x10b2385c9 (/Users/cls/workspace/NetworKit/./NetworKit-Tests-D+0x1001c85c9)
    #10 0x10b23f659 (/Users/cls/workspace/NetworKit/./NetworKit-Tests-D+0x1001cf659)
    #11 0x10b254951 (/Users/cls/workspace/NetworKit/./NetworKit-Tests-D+0x1001e4951)
    #12 0x10b24fbeb (/Users/cls/workspace/NetworKit/./NetworKit-Tests-D+0x1001dfbeb)
    #13 0x10b23dc38 (/Users/cls/workspace/NetworKit/./NetworKit-Tests-D+0x1001cdc38)
    #14 0x10b229d28 (/Users/cls/workspace/NetworKit/./NetworKit-Tests-D+0x1001b9d28)
    #15 0x10b229bda (/Users/cls/workspace/NetworKit/./NetworKit-Tests-D+0x1001b9bda)
    #16 0x7fff8b7785fc (/usr/lib/system/libdyld.dylib+0x35fc)
    #17 0x2

As an alternative, this is what I have been doing for years under Clang. Pipe your output through asan_symbolize to get the symbols. So you should do something like:

./test.exe 2>&1 | asan_symbolize

I have asan_symbolize in both /usr/bin and /usr/local/bin:

$ find /usr/ -name asan*
/usr/bin/asan_symbolize
/usr/lib/llvm-3.4/lib/clang/3.4/include/sanitizer/asan_interface.h
/usr/local/bin/asan_symbolize.py
/usr/local/lib/clang/3.5.0/include/sanitizer/asan_interface.h

I have two copies because one was installed with Clang via apt-get (/usr/bin/asan_symbolize), and I build Clang from sources on occasion (/usr/local/bin/asan_symbolize.py).

If you have no copies, then I believe you can fetch it from address-sanitizer on Google Code.


Once you start using asan_symbolize, you might encounter a situation where asan_symbolize cannot find the symbols due to a path change (for example, a program or library was copied from its build location to a destination directory). For that, see Specify Symbol Path to asan_symbolize? on the Asan mailing list.

In kcc's answer, he meant to do something like:

./test.exe 2>&1 | sed "s/<old path>/<new path>/g" | asan_symbolize

(I think that's what I had to do when testing Postgres).


Python has a crash course in Clang and its sanitizers at Dynamic Analysis with Clang. It discusses topics like getting stack traces. (I wrote the page for the the Python project to help them add Clang and its sanitizers to its release engineering process. Its a few years old now, but I believe all the information still applies).




回答3:


GCC 4.9.3 above does not require separate symbolizer.

Check How to compile with GCC with static options



来源:https://stackoverflow.com/questions/21163828/meaningful-stack-traces-for-address-sanitizer-in-gcc

易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!