Question
I want some tool to diagnose use-after-free bugs and uninitialized bugs. I am considering Sanitizer (Memory and/or Address) and Valgrind. But I have very little idea about their advantages and disadvantages. Can anyone tell the main features, differences and pros/cons of Sanitizer and Valgrind?
Edit: I found some comparisons like: Valgrind uses DBI (dynamic binary instrumentation) and Sanitizer uses CTI (compile-time instrumentation). Valgrind makes the program much slower (20x) whereas Sanitizer runs much faster than Valgrind (2x). If anyone can give me some more important points to consider, it will be a great help.
Answer 1:
I think you'll find this wiki useful.
TLDR main advantages of sanitizers are
- much smaller CPU overheads (Lsan is practically free, UBsan is 1.25x, Asan and Msan are 2-4x for computationally intensive tasks and 1.05-1.1x for GUIs, Tsan is 5-15x)
- wider class of detected errors (stack and global overflows, use-after-return)
- full support of multi-threaded apps (Valgrind support for multi-threading is a joke)
Disadvantages are
- significant memory overhead (up to 2x for Asan, up to 3x for Msan, up to 10x for Tsan) which may be a limiting factor for resource limited environments (e.g. phones); it's still way better than Valgrind
- more complicated integration (you need to teach your build system to understand Asan and sometimes work around limitations/bugs in Asan itself, you also need to use a relatively recent compiler)
- MemorySanitizer is not reall^W easily usable at the moment as it requires one to rebuild all dependencies under Msan (including all standard libraries e.g. libstdc++); this means that casual users can only use Valgrind for detecting uninitialized errors
- sanitizers typically can not be combined with each other (the only supported combination is Asan+UBsan+Lsan) which means that you'll have to do separate QA runs to catch all types of bugs
Answer 2:
One big difference is that the LLVM-included memory and thread sanitizers implicitly map huge swathes of address space (e.g., by calling mmap(X, Y, 0, MAP_NORESERVE|MAP_ANONYMOUS|MAP_FIXED|MAP_PRIVATE, -1, 0) across terabytes of address space in the x86_64 environment). Even though they don't necessarily allocate that memory, the mapping can play havoc with restrictive environments (e.g., ones with reasonable settings for ulimit values).
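The effect described in Answer 2 can be checked before a sanitizer build is deployed into a restricted environment. The following is an added example, not code from the question or the answers: it reserves address space the same way the quoted mmap call does (without MAP_FIXED, so it cannot replace existing mappings) and reports whether an RLIMIT_AS limit, which is what `ulimit -v` sets, rejects it. The helper name `probe_reserve` and the 1 TiB / 1 GiB sizes are constructed for illustration.

```c
#define _DEFAULT_SOURCE
#include <errno.h>
#include <stdio.h>
#include <sys/mman.h>
#include <sys/resource.h>
#include <sys/wait.h>
#include <unistd.h>

/* Try to reserve `bytes` of address space in a child process, optionally
 * after lowering RLIMIT_AS to `as_limit` bytes (0 = keep current limits).
 * Returns 0 if the mapping succeeded, 1 on ENOMEM, 2 on any other failure. */
int probe_reserve(size_t bytes, rlim_t as_limit)
{
    pid_t pid = fork();
    if (pid < 0)
        return 2;
    if (pid == 0) {
        if (as_limit != 0) {
            struct rlimit rl;
            if (getrlimit(RLIMIT_AS, &rl) != 0)
                _exit(2);
            /* Change only the soft limit; never try to raise the hard one. */
            if (rl.rlim_max == RLIM_INFINITY || as_limit < rl.rlim_max)
                rl.rlim_cur = as_limit;
            else
                rl.rlim_cur = rl.rlim_max;
            if (setrlimit(RLIMIT_AS, &rl) != 0)
                _exit(2);
        }
        /* PROT_NONE + MAP_NORESERVE: address space only, no memory committed. */
        void *p = mmap(NULL, bytes, PROT_NONE,
                       MAP_NORESERVE | MAP_ANONYMOUS | MAP_PRIVATE, -1, 0);
        if (p == MAP_FAILED)
            _exit(errno == ENOMEM ? 1 : 2);
        munmap(p, bytes);
        _exit(0);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return 2;
    return WEXITSTATUS(status);
}

int main(void)
{
    size_t tib = (size_t)1 << 40; /* constructed size: 1 TiB */
    printf("1 TiB reservation, current limits: %d\n", probe_reserve(tib, 0));
    printf("1 TiB reservation, 1 GiB RLIMIT_AS: %d\n",
           probe_reserve(tib, (rlim_t)1 << 30));
    return 0;
}
```

A result of 1 under the limits your service actually runs with means a sanitizer's shadow-memory reservation would be refused there as well, so the address-space limit has to be lifted for sanitizer runs.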
Source: https://stackoverflow.com/questions/47251533/memory-address-sanitizer-vs-valgrind