new features in addresssanitizer
play

New features in AddressSanitizer LLVM developer meeting Nov 7, - PowerPoint PPT Presentation

Mar 31, 2023 •21 likes •301 views

New features in AddressSanitizer LLVM developer meeting Nov 7, 2013 Alexey Samsonov, Kostya Serebryany Agenda AddressSanitizer (ASan): a quick reminder New features: Initialization-order-fiasco Stack-use-after-scope

  1. New features in AddressSanitizer LLVM developer meeting Nov 7, 2013 Alexey Samsonov, Kostya Serebryany

  2. Agenda ● AddressSanitizer (ASan): a quick reminder ● New features: ○ Initialization-order-fiasco ○ Stack-use-after-scope ○ Stack-use-after-return ○ Leaks ● ASan for Linux Kernel ● Misc: compile time, MPX, ASM, libs ● BOF at 2:00pm today

  3. ASan: a quick reminder ● Dynamic testing tool, finds memory bugs ○ Buffer overflows, use-after-free ○ Found 5000+ bugs everywhere, including LLVM ● Compiler instrumentation + run-time library ● ~2x slowdown ● In LLVM since 3.1 ● Siblings: ○ ThreadSanitizer (TSan): data races ○ MemorySanitizer (MSan): uses of uninitialized memory

  4. ASan: a quick reminder (cont.) ● Every 8 bytes of application memory are associated with 1 byte of “shadow” memory ● Redzones are created around buffers; freed memory is put into quarantine ● Shadow of redzones and freed memory is “poisoned” ● On every memory access compiler-injected code checks if shadow is poisoned

  5. ASan report example: heap-use-after-free int main(int argc, char **argv) { int *array = new int[100]; delete [] array ; return array[argc] ; // BOOM } % clang++ -O1 -g -fsanitize=address a.cc && ./a.out ==30226== ERROR: AddressSanitizer heap-use-after-free READ of size 4 at 0x7faa07fce084 thread T0 #0 0x40433c in main a.cc:4 0x7faa07fce084 is located 4 bytes inside of 400-byte region freed by thread T0 here: #0 0x4058fd in operator delete[](void*) _asan_rtl_ #1 0x404303 in main a.cc:3 previously allocated by thread T0 here: #0 0x405579 in operator new[](unsigned long) _asan_rtl_ #1 0x4042f3 in main a.cc:2

  6. New Features

  7. ASan report example: init-order-fiasco // i1.cc // i2.cc extern int B; #include <stdlib.h> int A = B; int B = atoi("123"); int main() { return A; } % clang -g -fsanitize=address i1.cc i2.cc % ASAN_OPTIONS=check_initialization_order=1 ./a.out ==19504==ERROR: AddressSanitizer: initialization-order-fiasco READ of size 4 at 0x000001aaff60 thread T0 #0 0x414fa3 in __cxx_global_var_init i1.cc:2 #1 0x415015 in global constructors keyed to a i1.cc:5 0x000001aaff60 is located 0 bytes inside of global variable 'B' from 'i2.cc' (0x1aaff60) of size 4

  8. Detecting init-order-fiasco ● Frontend knows which globals are dynamically initialized ● Instrumented code registers globals struct __asan_global { void *address; size_t size; <...> const char *module_name; bool has_dynamic_initializer; } // asan.module_ctor has the highest priority. asan.module_ctor() { <...> __asan_register_globals(globals, n); }

  9. Detecting init-order-fiasco (cont.) // All globals from the translation unit are // initialized here. _GLOBAL__I_a() { // Poison shadow memory for {uninitialized, all} // globals in another TUs. __asan_before_dynamic_init(module_name); __cxx_global_var_init1(); <...> __cxx_global_var_initN(); // Unpoison shadow memory for all the globals. __asan_after_dynamic_init(); }

  10. Init-order fiasco detector modes // Poison shadow memory for {uninitialized [1], all [2]} // globals in another TUs. __asan_before_dynamic_init(module_name); [1] ASAN_OPTIONS=check_initialization_order=true [2] ASAN_OPTIONS=strict_init_order=true (has false positives). struct Foo { Foo() { if (!initialized) value = get_value(); } int get() { if (!initialized) value = get_value(); return value; } int value; static bool initialized; };

  11. Init-order fiasco status ● Works on Linux. ● OFF by default :( May bark on globals with no-op constructors, user has to blacklist them. ● Still worth using: ○ Strict mode ON by default for Google code, hundreds of errors are fixed. ○ Good for large code bases, which are difficult to be made -Wglobal-constructors -clean. ○ Finds potentials errors (LTO).

  12. ASan report example: stack-use-after-scope int main() { int *p; { int x = 0; p = &x; } return *p ; } % clang -g -fsanitize=address,use-after-scope a.cc ; ./a. out ==15839==ERROR: AddressSanitizer: stack-use-after-scope READ of size 4 at 0x7fffe06c20a0 thread T0 #0 0x46103d in main a.cc:4 Address is located in stack of thread T0 at offset 160 in frame #0 0x460daf in main a.cc:1 This frame has 4 object(s): [96, 104) 'p' [160, 164) 'x' <== Memory access at offset 160 is inside this variable

  13. Detecting stack-use-after-scope Use llvm.lifetime intrinsics to generate calls to ASan runtime: llvm.lifetime.start(size, ptr) -> __asan_unpoison_stack_memory(ptr, size) llvm.lifetime.end(size, ptr) -> __asan_poison_stack_memory(ptr, size)

  14. Stack-use-after-scope status ● Still at a prototype stage. ● Clang doesn’t yet emit llvm.lifetime intrinsics for temporaries: const char *s = FunctionReturningStdString().c_str(); char c = s[0]; // BOOM. ● Need to optimize redundant calls to ASan runtime (static analysis). ● Stack-use-after-scope will be bundled with stack-use- after-return (discussed further).

  15. ASan report example: stack-use-after-return int *g; int main() { void LeakLocal() { LeakLocal(); int local ; return *g ; g = &local; } } % clang -g -fsanitize=address a.cc % ASAN_OPTIONS=detect_stack_use_after_return=1 ./a.out ==19177==ERROR: AddressSanitizer: stack-use-after-return READ of size 4 at 0x7f473d0000a0 thread T0 #0 0x461ccf in main a.cc:8 Address is located in stack of thread T0 at offset 32 in frame #0 0x461a5f in LeakLocal() a.cc:2 This frame has 1 object(s): [32, 36) 'local' <== Memory access at offset 32

  16. Stack-use-after-return instrumentation // Function entry char frame[N]; char *fake_frame = &frame[0]; if (__asan_option_detect_stack_uar) fake_frame = asan_stack_malloc (N, frame); … // Function exit if (fake_frame != frame) asan_stack_free (fake_frame, N) ;

  17. Stack-use-after-return allocator char *asan_stack_malloc( size_t N, char *real_frame); void asan_stack_free( char *fake_frame, size_t N); ● Fast thread-local malloc-like allocator ● Has quarantine for freed chunks ● Uses a fixed size mmap-ed buffer ● If allocation fails, returns the original frame

  18. ASan report example: memory leak int *g = new int ; int main() { g = 0; // Lost the pointer. } % clang -g -fsanitize=address a.cc % ASAN_OPTIONS=detect_leaks=1 ./a.out ==19894==ERROR: AddressSanitizer: detected memory leaks Direct leak of 4 byte(s) in 1 object(s) allocated from: #0 0x44a3b1 in operator new(unsigned long) #1 0x414f66 in __cxx_global_var_init leak.cc:1

  19. LeakSanitizer (ASan’s leak detector) ● Similar to other tools: tcmalloc, valgrind, etc ● Faster than any of those ○ No extra overhead on top of ASan at run-time ○ Small overhead at shutdown ● Based on the ASan/MSan/TSan allocator ● Can be bundled with ASan/MSan/TSan or used as a standalone tool ○ Currently, supported only in ASan or standalone ● Requires StopTheWorld() -- today Linux only

  20. ASan/TSan/MSan allocator ● Full malloc/free API ○ thread-local caches, similar to tcmalloc ● Extra features for the tool: ○ Associate metadata with every heap chunk: ■ Stack trace of malloc/free ■ Other tool-specific metadata ○ ASan keeps metadata in the redzone ○ TSan/MSan: metadata is not adjacent to the chunk ○ Fast mapping “address => chunk => metadata”

  21. ASan/TSan/MSan allocator (cont.) (invalid) SizeClass0 SizeClass1 16-byte Chunk1 16-byte Chunk2 ... MetaData2 MetaData1 ... 64Kb Chunk1 64Kb Chunk2 ... MetaData2 MetaData1 SizeClass48 ... ● Memory is allocated from a fixed addr. range ○ ASan: [0x600000000000, 0x640000000000) -- 4Tb ● 64 regions; each allocates its own size class ○ Chunks are allocated left to right. Metadata: right to left. ● Fast “address=>chunk=>metadata” ○ Simple arithmetic ○ Lock-free

  22. MISC

  23. ASan for Linux Kernel ● … has nothing to do with LLVM :( ○ Our early prototype uses GCC’s TSan module ○ Instrumentation is a bit different ○ Run-time is different (inside the kernel) ● Found 12 bugs already, 5 fixed! ● Want to use Clang for better instrumentation ○ Clang issues are resolved (?) ○ Still some issues in the Kernel code ● Want to test another kernel? Talk to us!

  24. Intel MPX ● Intel MPX: Memory Protection Extensions ○ Published on July’13, HW available in ~ 2 years ○ Additional instructions to find buffer overflows ○ Expensive instructions touch two cache lines ○ Requires lots of memory ○ Slow for programs with graphs, lists and trees. ○ Does not detect use-after-free ○ Has false positives ○ *Biased* comparison against ASan: goo.gl/RrhZIz ● Still worth supporting in LLVM! ○ Finds intra-object buffer overflows ○ Very fast for long loops that traverse simple arrays

  25. Compile time with ASan ● ASan and MSan create more control flow ● Some LLVM passes downstream explode ● Example: PR17409 (quadratic?) ○ llvm::SpillPlacement::addLinks ○ InlineSpiller::propagateSiblingValue

  26. Why instrument all libs? ● ASan: stack unwinding with frame pointers ● TSan: catching synchronization via atomics ● MSan: avoid false positives ● All tools: more coverage ● Status: can build 50+ libs used by Chromium on Linux ● Help is welcome!

  27. We also want to instrument ASM! ● MSan: avoid false positives ○ Ex.: FD_ZERO on Linux is inline asm ○ Ex.: optimized libraries (openssl, libjpeg_turbo) ● All tools: more coverage (same as libs) Ideas ● Pattern matching for simple cases ● An MC Pass ● Use MCLayer

Recommend

AddressSanitizer for Windows Timur Iskhodzhanov Google AddressSanitizer (a.k.a. ASan) High

AddressSanitizer for Windows Timur Iskhodzhanov Google AddressSanitizer (a.k.a. ASan) High

AddressSanitizer for Windows Timur Iskhodzhanov Google AddressSanitizer (a.k.a. ASan) High performance Uses compile-time instrumentation Lightweight algorithm Multi-threaded Focuses on severe bugs buffer

533 views • 19 slides
AddressSanitizer/ThreadSanitizer for Linux Kernel and userspace. Konstantin Serebryany, Dmitry

AddressSanitizer/ThreadSanitizer for Linux Kernel and userspace. Konstantin Serebryany, Dmitry

AddressSanitizer/ThreadSanitizer for Linux Kernel and userspace. Konstantin Serebryany, Dmitry Vyukov Linux Collaboration Summit 15 April 2013 Agenda AddressSanitizer, a memory error detector (userspace) ThreadSanitizer, a data race

1.18k views • 69 slides
Supervised Learning Given: a set of inputs features X 1 , . . . , X n a set of target features Y 1

Supervised Learning Given: a set of inputs features X 1 , . . . , X n a set of target features Y 1

Supervised Learning Given: a set of inputs features X 1 , . . . , X n a set of target features Y 1 , . . . , Y k a set of training examples where the values for the input features and the target features are given for each example a new

323 views • 18 slides
Efficient visual search of local features Cordelia Schmid Bag-of-features

Efficient visual search of local features Cordelia Schmid Bag-of-features

Efficient visual search of local features Cordelia Schmid Bag-of-features [Sivic&amp;Zisserman03] Query Set of SIFT centroids image descriptors (visual words) sparse frequency vector Bag-of-features Harris-Hessian-Laplace processing

574 views • 33 slides
New Features of Net-FM v. 3.3 &amp; 3.3.1 ICC 2016 ICC 2016 New Features of Net-FM v. 3.3 &amp;

New Features of Net-FM v. 3.3 &amp; 3.3.1 ICC 2016 ICC 2016 New Features of Net-FM v. 3.3 &amp;

New Features of Net-FM v. 3.3 &amp; 3.3.1 ICC 2016 ICC 2016 New Features of Net-FM v. 3.3 &amp; 3.3.1 presented by Anthony J. Bunker Software QA &amp; Documentation Manager October 20, 2016 Slide 1 Introduction ICC 2016 ICC 2016 At

374 views • 15 slides
Image Features: Detection, Description, and Matching and their Applications Image

Image Features: Detection, Description, and Matching and their Applications Image

Image Features: Detection, Description, and Matching and their Applications Image Representation: Global Versus Local Features Features/ keypoints/ interset points are interesting locations in the image. Features serve to give a new

235 views • 22 slides
reliable innovation Main features Main features Lower part detachment Concept advantages

reliable innovation Main features Main features Lower part detachment Concept advantages

SIRE-NN Chocolate enrobing reliable innovation Main features Main features Lower part detachment Concept advantages Cantilever design for easy access (cleaning and maintenance) Detail features Detail features Pilot plant Compact

600 views • 13 slides
SI485i : NLP Set 12 Features and Prediction What is NLP, really? Many of our tasks boil down

SI485i : NLP Set 12 Features and Prediction What is NLP, really? Many of our tasks boil down

SI485i : NLP Set 12 Features and Prediction What is NLP, really? Many of our tasks boil down to finding intelligent features of language. We do lots of machine learning over features NLP researchers also use linguistic insights, deep

326 views • 18 slides
Image Features Sanja Fidler CSC420: Intro to Image Understanding 1 / 64 Image Features Image

Image Features Sanja Fidler CSC420: Intro to Image Understanding 1 / 64 Image Features Image

Image Features Sanja Fidler CSC420: Intro to Image Understanding 1 / 64 Image Features Image features are useful descriptions of local or global image properties designed to accomplish a certain task You may want to choose different features

1.09k views • 71 slides
Mark Pagel pags@cray.com New features in XT MPT 3.1 and MPT 3.2 Features as a result of

Mark Pagel pags@cray.com New features in XT MPT 3.1 and MPT 3.2 Features as a result of

Mark Pagel pags@cray.com New features in XT MPT 3.1 and MPT 3.2 Features as a result of scaling to 150K MPI ranks MPI-IO Improvements(MPT 3.1 and MPT 3.2) SMP aware collective improvements(MPT 3.2) Misc Features (MPT 3.1)

694 views • 33 slides
Considered ELA Features Sunday, July 15, 2018 9 / 20 Considered ELA Features Meta-Model

Considered ELA Features Sunday, July 15, 2018 9 / 20 Considered ELA Features Meta-Model

Considered ELA Features Sunday, July 15, 2018 9 / 20 Considered ELA Features Meta-Model Features: fits linear and quadratic models (with and without pairwise interaction e ff ects) to the data extracts information from these models, such as

436 views • 7 slides
The e-Application Form Main features Main features ENI CBC Med Programme - Managing Authority

The e-Application Form Main features Main features ENI CBC Med Programme - Managing Authority

The e-Application Form Main features Main features ENI CBC Med Programme - Managing Authority Regione Autonoma della Sardegna 1 Intro Focus on the online Application Form (eAF) main features namely: Result based management applied to the ENI

562 views • 23 slides
http://cs246.stanford.edu Input features: N features: X 1 , X 2 , X N A Each X j

http://cs246.stanford.edu Input features: N features: X 1 , X 2 , X N A Each X j

CS246: Mining Massive Datasets Jure Leskovec, Stanford University http://cs246.stanford.edu Input features: N features: X 1 , X 2 , X N A Each X j has domain D j X 1 &lt;v 1 Categorical: C Y= 0.42 D j = {red, blue} X 2

508 views • 40 slides
Part I Georgia Milestones: Unique Features ***Some disabilities ***All schools MUST Features

Part I Georgia Milestones: Unique Features ***Some disabilities ***All schools MUST Features

Part I Georgia Milestones: Unique Features ***Some disabilities ***All schools MUST Features include: test some can be tested pencil- paper. students online. inclusion of constructed-response items in ELA and mathematics, in

784 views • 24 slides
Image Features Sanja Fidler CSC420: Intro to Image Understanding 1 / 1 Image Features Image

Image Features Sanja Fidler CSC420: Intro to Image Understanding 1 / 1 Image Features Image

Image Features Sanja Fidler CSC420: Intro to Image Understanding 1 / 1 Image Features Image features are useful descriptions of local or global image properties designed (or learned!) to accomplish a certain task You may want to choose di ff

941 views • 70 slides
FACULTY MODULE This power point will guide you through the features and their usage Features:

FACULTY MODULE This power point will guide you through the features and their usage Features:

Student Accessibility and Accommodation FACULTY MODULE This power point will guide you through the features and their usage Features: 1. Electronically sign decision letters 2. You will be able to see students who have approved

744 views • 17 slides
New features of 660 MW Units Turbine Maintenance Sipat Super thermal power project New features

New features of 660 MW Units Turbine Maintenance Sipat Super thermal power project New features

New features of 660 MW Units Turbine Maintenance Sipat Super thermal power project New features of 660 MW units Constructional features Operational features Lube oil system Governing system Feed water system Turbine

1.26k views • 98 slides
features and potentialities of the JOREP database features and potential uses in the studies on

features and potentialities of the JOREP database features and potential uses in the studies on

Joint and Open REsearch Programmes: Exploring JoREP 2.0: features and potentialities of the JOREP database features and potential uses in the studies on Europeanisation of research activities CERIS-CNR, Rome November 27-28, 2014 IRCrES-CNR,

303 views • 7 slides
Website Features Focus on Blogs Some Common Features of Websites Information Marketing

Website Features Focus on Blogs Some Common Features of Websites Information Marketing

Website Features Focus on Blogs Some Common Features of Websites Information Marketing messages/brand Benefits Contact Details Specialised interactions Shopping Parcel delivery tracking Blog Social Media

166 views • 14 slides
Advanced Features &amp; Ecommerce Features &amp; Ecommerce Configuration Guide Presented by:

Advanced Features &amp; Ecommerce Features &amp; Ecommerce Configuration Guide Presented by:

Advanced Features &amp; Ecommerce Features &amp; Ecommerce Configuration Guide Presented by: Brian Millward, Business Development Advanced Feature &amp; Ecommerce Configuration Guide Advanced TotalSnap Features. Facebook Marketing

157 views • 11 slides
Tutorial: TF-Ranking for sparse features Tutorial: TF-Ranking for sparse features This tutorial

Tutorial: TF-Ranking for sparse features Tutorial: TF-Ranking for sparse features This tutorial

Tutorial: TF-Ranking for sparse features Tutorial: TF-Ranking for sparse features This tutorial is an end-to-end walkthrough of training a TensorFlow Ranking (TF-Ranking) neural network model which incorporates sparse textual features.

257 views • 24 slides
Introducing Introducing Features &amp; Benefits Features &amp; Benefits Cleaning

Introducing Introducing Features &amp; Benefits Features &amp; Benefits Cleaning

Introducing Introducing Features &amp; Benefits Features &amp; Benefits Cleaning Onboard Rocker Blaster Bumper Blaster Multiple Chemical Wands Intelligence Onboard XPert monitors the entire system. Complete

871 views • 46 slides
SmartBright Panel (RC099V) 1 SmartBright Panel Features and benefits Features : Perfect

SmartBright Panel (RC099V) 1 SmartBright Panel Features and benefits Features : Perfect

SmartBright Panel (RC099V) 1 SmartBright Panel Features and benefits Features : Perfect replacement for Conv. System lumen 2600lm &amp; 3800lm to replace T5(3X14,4X14)/T8(3X18,4X18) troffer Energy saving - system efficacy &gt;90

267 views • 10 slides
New Type Inference &amp; Related Language Features Svetlana Isakova @sveta_isakova Agenda

New Type Inference &amp; Related Language Features Svetlana Isakova @sveta_isakova Agenda

New Type Inference &amp; Related Language Features Svetlana Isakova @sveta_isakova Agenda Experimental features Contracts New type inference Experimental features Experimental features Our goal: to let new features be tried by early

1.05k views • 84 slides

More recommend