当前位置: 首页 > news >正文

内存检测工具Sanitizers

news 2025/7/7 22:33:30

Sanitizers介绍

Sanitizers 是谷歌开源的内存检测工具,包括AddressSanitizer、MemorySanitizer、ThreadSanitizer、LeakSanitizer。
Sanitizers是LLVM的一部分。
gcc4.8:支持Address和Thread Sanitizer。
gcc4.9:支持Leak Sanitizer和UBSanitizer。

注意:gcc不支持MemorySanitizer。

可以支持的内存检测问题:

(1)heap use after free 堆内存释放后继续使用

(2)stack use after return 栈内存函数返回后继续使用

(3)stack use after scope 栈内存在作用域范围外继续使用

(4)heap buffer overflow 堆内存溢出

(5)stack buffer overflow 栈内存溢出

(6)global buffer overflow 全局内存溢出

(7)memory leaks 内存泄露

(8)double free 堆内存重复释放

(9)initialization order bugs 初始化命令错误

编译参数:
(1)(2)(3)(4)(5)(6):-fsanitize=address
(7):-fsanitize=address 或者 -fsanitize=leak
(8):-fsanitize=address
(9):-fsanitize=memory

编译参数通过 -fsanitize 决定开启 sanitizer:

-fsanitize=address
开启AddressSanitizer(ASan),包括LeakSanitizer(LSan),检测:地址越界 和 内存泄漏。

-fsanitize=leak
开启LeakSanitizer(LSan),检测:内存泄漏。

-fsanitize=address 和 -fsanitize=leak 都能检测 内存泄漏。

-fsanitize=thread
开启ThreadSanitizer(TSan),检测:数据竞争和死锁。

-fsanitize=undefined
开启UndefinedBehaviorSanitizer(UBSsan),检测:未定义行为。

-fsanitize=memory
开启MemorySanitizer(MSan),检测:未初始化内存问题。(gcc不支持MemorySanitizer)

-fno-omit-frame-pointer
检测到内存错误时打印函数调用栈,这个参数一直都带上。

检测案例

编译器:gcc/g++

(1)heap use after free 堆内存释放后继续使用

#include <stdio.h>
int main (int argc, char* argv[]) {int* p = new int[100];delete [] p;int num = p[0];return 0;
}

编译命令:
g++ -o out main.cpp -g -fsanitize=address -fno-omit-frame-pointer

执行命令:
./out

=================================================================
==10606==ERROR: AddressSanitizer: heap-use-after-free on address 0x61400000fe40 at pc 0x00000040075d bp 0x7ffe7a4adfe0 sp 0x7ffe7a4adfd8
READ of size 4 at 0x61400000fe40 thread T0#0 0x40075c in main /home/code/main.cpp:5#1 0x7efec0def504 in __libc_start_main (/lib64/libc.so.6+0x22504)#2 0x400628  (/home/code/out+0x400628)0x61400000fe40 is located 0 bytes inside of 400-byte region [0x61400000fe40,0x61400000ffd0)
freed by thread T0 here:#0 0x7efec1ac1f2a in operator delete[](void*) ../../../../libsanitizer/asan/asan_new_delete.cc:96#1 0x400725 in main /home/code/main.cpp:4#2 0x7efec0def504 in __libc_start_main (/lib64/libc.so.6+0x22504)previously allocated by thread T0 here:#0 0x7efec1ac19ea in operator new[](unsigned long) ../../../../libsanitizer/asan/asan_new_delete.cc:62#1 0x40070e in main /home/code/main.cpp:3#2 0x7efec0def504 in __libc_start_main (/lib64/libc.so.6+0x22504)SUMMARY: AddressSanitizer: heap-use-after-free /home/code/main.cpp:5 main
Shadow bytes around the buggy address:0x0c287fff9f70: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa0x0c287fff9f80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa0x0c287fff9f90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa0x0c287fff9fa0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa0x0c287fff9fb0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c287fff9fc0: fa fa fa fa fa fa fa fa[fd]fd fd fd fd fd fd fd0x0c287fff9fd0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd0x0c287fff9fe0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd0x0c287fff9ff0: fd fd fd fd fd fd fd fd fd fd fa fa fa fa fa fa0x0c287fffa000: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa0x0c287fffa010: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):Addressable:           00Partially addressable: 01 02 03 04 05 06 07Heap left redzone:       faHeap right redzone:      fbFreed heap region:       fdStack left redzone:      f1Stack mid redzone:       f2Stack right redzone:     f3Stack partial redzone:   f4Stack after return:      f5Stack use after scope:   f8Global redzone:          f9Global init order:       f6Poisoned by user:        f7Container overflow:      fcArray cookie:            acIntra object redzone:    bbASan internal:           fe
==10606==ABORTING

(2)stack use after return 栈内存函数返回后继续使用

#include <stdio.h>
int* p = NULL;
void fun() {int a[10];p = a; // 或者 p = &a[0];
}
int main(int argc, char* argv[]) {fun();int num = p[0];return 0;
}

编译命令:
g++ -o out main.cpp -g -fsanitize=address -fno-omit-frame-pointer

执行命令:
ASAN_OPTIONS=detect_stack_use_after_return=1 ./out

注意: 默认没有开启,需要在运行时开启。

=================================================================
==18619==ERROR: AddressSanitizer: stack-use-after-return on address 0x7f4f81500020 at pc 0x0000004008ea bp 0x7fffb49f6700 sp 0x7fffb49f66f8
WRITE of size 4 at 0x7f4f81500020 thread T0#0 0x4008e9 in main /home/code/main.cpp:9#1 0x7f4f84a7a504 in __libc_start_main (/lib64/libc.so.6+0x22504)#2 0x400708  (/home/code/out+0x400708)Address 0x7f4f81500020 is located in stack of thread T0 at offset 32 in frame#0 0x4007e5 in fun() /home/code/main.cpp:3This frame has 1 object(s):[32, 72) 'a' <== Memory access at offset 32 is inside this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext(longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-use-after-return /home/code/main.cpp:9 main
Shadow bytes around the buggy address:0x0fea70297fb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 000x0fea70297fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 000x0fea70297fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 000x0fea70297fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 000x0fea70297ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0fea70298000: f5 f5 f5 f5[f5]f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f50x0fea70298010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 000x0fea70298020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 000x0fea70298030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 000x0fea70298040: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 000x0fea70298050: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):Addressable:           00Partially addressable: 01 02 03 04 05 06 07Heap left redzone:       faHeap right redzone:      fbFreed heap region:       fdStack left redzone:      f1Stack mid redzone:       f2Stack right redzone:     f3Stack partial redzone:   f4Stack after return:      f5Stack use after scope:   f8Global redzone:          f9Global init order:       f6Poisoned by user:        f7Container overflow:      fcArray cookie:            acIntra object redzone:    bbASan internal:           fe
==18619==ABORTING

(3)stack use after scope 栈内存在作用域范围外继续使用

暂时还没有找到能够检测出来的样例。

(4)heap buffer overflow 堆内存溢出

#include <stdio.h>
int main (int argc, char* argv[]) {int* p = new int[100];int num = p[100];delete [] p;return 0;
}

编译命令:
g++ -o out main.cpp -g -fsanitize=address -fno-omit-frame-pointer

执行命令:
./out

=================================================================
==9226==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61400000ffd0 at pc 0x000000400750 bp 0x7ffef70c5d80 sp 0x7ffef70c5d78
READ of size 4 at 0x61400000ffd0 thread T0#0 0x40074f in main /home/code/main.cpp:4#1 0x7f12e7482504 in __libc_start_main (/lib64/libc.so.6+0x22504)#2 0x400628  (/home/code/out+0x400628)0x61400000ffd0 is located 0 bytes to the right of 400-byte region [0x61400000fe40,0x61400000ffd0)
allocated by thread T0 here:#0 0x7f12e81549ea in operator new[](unsigned long) ../../../../libsanitizer/asan/asan_new_delete.cc:62#1 0x40070e in main /home/code/main.cpp:3#2 0x7f12e7482504 in __libc_start_main (/lib64/libc.so.6+0x22504)SUMMARY: AddressSanitizer: heap-buffer-overflow /home/code/main.cpp:4 main
Shadow bytes around the buggy address:0x0c287fff9fa0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa0x0c287fff9fb0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa0x0c287fff9fc0: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 000x0c287fff9fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 000x0c287fff9fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c287fff9ff0: 00 00 00 00 00 00 00 00 00 00[fa]fa fa fa fa fa0x0c287fffa000: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa0x0c287fffa010: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa0x0c287fffa020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa0x0c287fffa030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa0x0c287fffa040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):Addressable:           00Partially addressable: 01 02 03 04 05 06 07Heap left redzone:       faHeap right redzone:      fbFreed heap region:       fdStack left redzone:      f1Stack mid redzone:       f2Stack right redzone:     f3Stack partial redzone:   f4Stack after return:      f5Stack use after scope:   f8Global redzone:          f9Global init order:       f6Poisoned by user:        f7Container overflow:      fcArray cookie:            acIntra object redzone:    bbASan internal:           fe
==9226==ABORTING

(5)stack buffer overflow 栈内存溢出

#include <stdio.h>
int main(int argc, char* argv[]) {int a[2] = {100,200};int num = a[2];return 0;
}

编译命令:
g++ -o out main.cpp -g -fsanitize=address -fno-omit-frame-pointer

执行命令:
./out

=================================================================
==787==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffcade3daa8 at pc 0x0000004007df bp 0x7ffcade3da50 sp 0x7ffcade3da48
READ of size 4 at 0x7ffcade3daa8 thread T0#0 0x4007de in main /home/code/main.cpp:4#1 0x7f8c39562504 in __libc_start_main (/lib64/libc.so.6+0x22504)#2 0x400648  (/home/code/out+0x400648)Address 0x7ffcade3daa8 is located in stack of thread T0 at offset 40 in frame#0 0x400725 in main /home/code/main.cpp:2This frame has 1 object(s):[32, 40) 'a' <== Memory access at offset 40 overflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext(longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow /home/code/main.cpp:4 main
Shadow bytes around the buggy address:0x100015bbfb00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 000x100015bbfb10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 000x100015bbfb20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 000x100015bbfb30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 000x100015bbfb40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x100015bbfb50: f1 f1 f1 f1 00[f4]f4 f4 f3 f3 f3 f3 00 00 00 000x100015bbfb60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 000x100015bbfb70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 000x100015bbfb80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 000x100015bbfb90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 000x100015bbfba0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):Addressable:           00Partially addressable: 01 02 03 04 05 06 07Heap left redzone:       faHeap right redzone:      fbFreed heap region:       fdStack left redzone:      f1Stack mid redzone:       f2Stack right redzone:     f3Stack partial redzone:   f4Stack after return:      f5Stack use after scope:   f8Global redzone:          f9Global init order:       f6Poisoned by user:        f7Container overflow:      fcArray cookie:            acIntra object redzone:    bbASan internal:           fe
==787==ABORTING

(6)global buffer overflow 全局内存溢出

#include <stdio.h>
int a[100];
int main(int argc, char* argv[]) {int num = a[100];return 0;
}

编译命令:
g++ -o out main.cpp -g -fsanitize=address -fno-omit-frame-pointer

执行命令:
./out

=================================================================
==9628==ERROR: AddressSanitizer: global-buffer-overflow on address 0x000000601270 at pc 0x000000400755 bp 0x7ffd15bcd0d0 sp 0x7ffd15bcd0c8
READ of size 4 at 0x000000601270 thread T0#0 0x400754 in main /home/code/main.cpp:4#1 0x7fc3d46e9504 in __libc_start_main (/lib64/libc.so.6+0x22504)#2 0x400648  (/home/code/out+0x400648)0x000000601270 is located 0 bytes to the right of global variable 'array' defined in 'main.cpp:2:5' (0x6010e0) of size 400
SUMMARY: AddressSanitizer: global-buffer-overflow /home/code/main.cpp:4 main
Shadow bytes around the buggy address:0x0000800b81f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 000x0000800b8200: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 000x0000800b8210: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 000x0000800b8220: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 000x0000800b8230: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0000800b8240: 00 00 00 00 00 00 00 00 00 00 00 00 00 00[f9]f90x0000800b8250: f9 f9 f9 f9 00 00 00 00 00 00 00 00 00 00 00 000x0000800b8260: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 000x0000800b8270: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 000x0000800b8280: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 000x0000800b8290: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):Addressable:           00Partially addressable: 01 02 03 04 05 06 07Heap left redzone:       faHeap right redzone:      fbFreed heap region:       fdStack left redzone:      f1Stack mid redzone:       f2Stack right redzone:     f3Stack partial redzone:   f4Stack after return:      f5Stack use after scope:   f8Global redzone:          f9Global init order:       f6Poisoned by user:        f7Container overflow:      fcArray cookie:            acIntra object redzone:    bbASan internal:           fe
==9628==ABORTING

(7)memory leaks 内存泄露

#include <stdlib.h>
int main(int argc, char *argv[]) {int* p = (int*)malloc(10 * sizeof(int));return 0;
}

编译命令:
g++ -o out main.cpp -g -fsanitize=address -fno-omit-frame-pointer
或者
g++ -o out main.cpp -g -fsanitize=leak -fno-omit-frame-pointer

执行命令:
./out

=================================================================
==12458==ERROR: LeakSanitizer: detected memory leaksDirect leak of 40 byte(s) in 1 object(s) allocated from:#0 0x7f36642dc5e6 in __interceptor_malloc ../../../../libsanitizer/lsan/lsan_interceptors.cc:51#1 0x400611 in main /home/code/main.cpp:3#2 0x7f3663692504 in __libc_start_main (/lib64/libc.so.6+0x22504)SUMMARY: LeakSanitizer: 40 byte(s) leaked in 1 allocation(s).

(8)double free 堆内存重复释放

#include <stdio.h>
int main(int argc, char* argv[]) {int* p = new int[10];delete [] p;delete [] p;return 0;
}

编译命令:
g++ -o out main.cpp -g -fsanitize=address -fno-omit-frame-pointer

执行命令:
./out

=================================================================
==31497==ERROR: AddressSanitizer: attempting double-free on 0x60400000dfd0 in thread T0:#0 0x7fa32a746f2a in operator delete[](void*) ../../../../libsanitizer/asan/asan_new_delete.cc:96#1 0x4006d8 in main /home/code/main.cpp:5#2 0x7fa329a74504 in __libc_start_main (/lib64/libc.so.6+0x22504)#3 0x4005c8  (/home/code/out+0x4005c8)0x60400000dfd0 is located 0 bytes inside of 40-byte region [0x60400000dfd0,0x60400000dff8)
freed by thread T0 here:#0 0x7fa32a746f2a in operator delete[](void*) ../../../../libsanitizer/asan/asan_new_delete.cc:96#1 0x4006c5 in main /home/code/main.cpp:4#2 0x7fa329a74504 in __libc_start_main (/lib64/libc.so.6+0x22504)previously allocated by thread T0 here:#0 0x7fa32a7469ea in operator new[](unsigned long) ../../../../libsanitizer/asan/asan_new_delete.cc:62#1 0x4006ae in main /home/code/main.cpp:3#2 0x7fa329a74504 in __libc_start_main (/lib64/libc.so.6+0x22504)SUMMARY: AddressSanitizer: double-free ../../../../libsanitizer/asan/asan_new_delete.cc:96 operator delete[](void*)
==31497==ABORTING

(9)initialization order bugs 初始化命令错误

暂时还没有找到能够检测出来的样例。

http://www.lryc.cn/news/568.html

相关文章:

  • Triton : OpenAI 开发的用于Gpu开发语言
  • Python文件操作-代码案例
  • 活动目录(Active Directory)管理,AD自动化
  • Allegro如何使用Vertext命令修改丝印线段的形状操作指导
  • Leetcode力扣秋招刷题路-0030
  • 基于Prometheus和k8s搭建监控系统
  • 类和对象(下)
  • 达梦数据库单机部署
  • 从零到一学习Flutter——(二)状态和路由
  • TC358774XBG/TC358775XBG替代方案|CS5518替代TC358774XBG/TC358775XBG设计DSI转LVSD设计资料
  • Linux---Kernal与Shell讲解
  • Thiol-PEG-Acid,HS-PEG-COOH,巯基-聚乙二醇-羧基试剂供应
  • 数据结构与算法基础-学习-09-线性表之栈的理解、初始化顺序栈、判断顺序栈空、获取顺序栈长度的实现
  • 深入Kafka核心设计与实践原理读书笔记第二章
  • 知乎kol投放怎么做?知乎kol资源从哪里找?
  • python设计模式-享元设计模式,抽象工厂设计模式,面向对象设计模式
  • 10条终身受益的Salesforce职业发展建议!
  • 电子科技大学人工智能期末复习笔记(四):概率与贝叶斯网络
  • 码上掘金实现电子木鱼
  • 深度学习_L2正则化
  • 第一章 认识Python
  • 复习0206
  • 小红书如何查看笔记
  • linux001之linux系统部署安装
  • 服务异步通信 RabbitMQ-高级篇
  • 【PR】零基础快速入门教程
  • Matlab 点云迭代加权最小二乘法拟合平面(抑制噪声)
  • 2023 软件测试行业内卷动荡,红利期过去后,何去何从?
  • 【王道数据结构】第六章(下) | 图的应用
  • Leetcode:518. 零钱兑换 II(C++)