内存问题的排查工具和方法– Clang的AddressSanitizer

1 概述

Valgrind可以有效地监测处大多数内存问题，你肯定忍不住会想，既然c/c++的内存问题这么常见，为什么不在编译器中加入内存问题检测的功能呢？很可惜，GCC中还目前还不支持内存检测，可喜的是，clang支持。这里我们看看如何用clang发现内存问题

2 clang

clang 是一个C、C++、Objective-C编程语言的编译器前端。它采用了底层虚拟机作为其后端。它的目标是提供一个GNU编译器套装（GCC）的替代品，作者是克里斯·拉特纳，在苹果公司的赞助下进行开发。

3 内存泄漏监测

AddressSanitizer是clang中的一个内存错误检测器，它可以检测到以下问题：

Out-of-bounds accesses to heap, stack and globals
Use-after-free
Use-after-return (to some extent)
Double-free, invalid free
Memory leaks (experimental)

使用clang编译代码时用-fsanitize=address就能打开AddressSanitizer工具，为了在检测到内存错误时打印出您的程序调用栈，需要在编译时加上选项 -fno-omit-frame-pointer选项，同时为了得出更清晰的调用栈信息，请用-O1选项编译程序。

4 示例代码

下面我用clang3.4做一个示例

 1:  int main()

 2:  {

 3:      char *p = malloc(sizeof(char) * 10);

 4:      if (p == NULL) {

 5:          return 0;

 6:      }

 7:

 8:      struct elem *e = malloc(sizeof(struct elem));

 9:      if (e == NULL) {

10:          free(p);

11:          return 0;

12:      }

13:

14:      e->a = 10;

15:      e->b = 10.10;

16:      e->c = p;

17:

18:      double *xx = &e->b;

19:

20:      printf("%f\n", *xx);

21:

22:      free(e);

23:

24:      printf("%f\n", *xx);

25:

26:      return 0;

27:  }

上面的代码中有两处问题，一是p未被释放，导致了内存泄漏；二是xx指向了一块被释放了的内存。我们看看怎么用clang检测这两个问题

4.1 编译它

1:  clang -O1 -g -fsanitize=address -fno-omit-frame-pointer -o core core.c

4.2 用AddressSanitizer监测进程的内存泄漏

直接运行core文件，它就会自动打印出检测到的内存错误

 1:  [cobbliu@kftest25 test]$ ./core

 2:  10.100000

 3:  =================================================================

 4:  ==11254==ERROR: AddressSanitizer: heap-use-after-free on address 0x60300000efe8 at pc 0x48211a bp 0x7fff2c776450 sp 0x7fff2c776448

 5:  READ of size 8 at 0x60300000efe8 thread T0

 6:      #0 0x482119 in main /home/cobbliu/test/core.c:35

 7:      #1 0x36a101ecdc in __libc_start_main (/lib64/libc.so.6+0x36a101ecdc)

 8:      #2 0x481f3c in _start (/home/cobbliu/test/core+0x481f3c)

 9:

10:  0x60300000efe8 is located 8 bytes inside of 24-byte region [0x60300000efe0,0x60300000eff8)

11:  freed by thread T0 here:

12:      #0 0x46bca9 in __interceptor_free /home/ads/build23_6u0_x64/workspace/t-coresystem-clang/label/build23_6u0_x64/t-coresystem-clang/llvm-3.4/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:64

13:      #1 0x4820c0 in main /home/cobbliu/test/core.c:32

14:      #2 0x36a101ecdc in __libc_start_main (/lib64/libc.so.6+0x36a101ecdc)

15:

16:  previously allocated by thread T0 here:

17:      #0 0x46be29 in malloc /home/ads/build23_6u0_x64/workspace/t-coresystem-clang/label/build23_6u0_x64/t-coresystem-clang/llvm-3.4/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:74

18:      #1 0x48202a in main /home/cobbliu/test/core.c:18

19:      #2 0x36a101ecdc in __libc_start_main (/lib64/libc.so.6+0x36a101ecdc)

20:

21:  SUMMARY: AddressSanitizer: heap-use-after-free /home/cobbliu/test/core.c:35 main

22:  Shadow bytes around the buggy address:

23:    0x0c067fff9da0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa

24:    0x0c067fff9db0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa

25:    0x0c067fff9dc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa

26:    0x0c067fff9dd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa

27:    0x0c067fff9de0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa

28:  =>0x0c067fff9df0: fa fa fa fa fa fa fa fa fa fa fa fa fd[fd]fd fa

29:    0x0c067fff9e00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa

30:    0x0c067fff9e10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa

31:    0x0c067fff9e20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa

32:    0x0c067fff9e30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa

33:    0x0c067fff9e40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa

34:  Shadow byte legend (one shadow byte represents 8 application bytes):

35:    Addressable:           00

36:    Partially addressable: 01 02 03 04 05 06 07

37:    Heap left redzone:     fa

38:    Heap right redzone:    fb

39:    Freed heap region:     fd

40:    Stack left redzone:    f1

41:    Stack mid redzone:     f2

42:    Stack right redzone:   f3

43:    Stack partial redzone: f4

44:    Stack after return:    f5

45:    Stack use after scope: f8

46:    Global redzone:        f9

47:    Global init order:     f6

48:    Poisoned by user:      f7

49:    ASan internal:         fe

50:  ==11254==ABORTING

可以看到，程序在提示core.c的第35行有个heap-use-after-free的错误，而且在最后还有个summary，把出错的代码位置和相应的栈信息打了出来。

5 示例代码2

上面的代码做一些小修改，我们看看它对double-free问题的检测

1:  /...

2:      struct elem *e2 = e;

3:      free(e);

4:      free(e2);

5:  /...

6:  }

按照上面相同的方法编译并运行后，提示信息如下：

 1:  [cobbliu@kftest25 test]$ ./core

 2:  10.100000

 3:  =================================================================

 4:  ==11952==ERROR: AddressSanitizer: attempting double-free on 0x60300000efe0 in thread T0:

 5:      #0 0x46bca9 in __interceptor_free /home/ads/build23_6u0_x64/workspace/t-coresystem-clang/label/build23_6u0_x64/t-coresystem-clang/llvm-3.4/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:64

 6:      #1 0x4820bd in main /home/cobbliu/test/core.c:34

 7:      #2 0x36a101ecdc in __libc_start_main (/lib64/libc.so.6+0x36a101ecdc)

 8:      #3 0x481f3c in _start (/home/cobbliu/test/core+0x481f3c)

 9:

10:  0x60300000efe0 is located 0 bytes inside of 24-byte region [0x60300000efe0,0x60300000eff8)

11:  freed by thread T0 here:

12:      #0 0x46bca9 in __interceptor_free /home/ads/build23_6u0_x64/workspace/t-coresystem-clang/label/build23_6u0_x64/t-coresystem-clang/llvm-3.4/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:64

13:      #1 0x4820b0 in main /home/cobbliu/test/core.c:33

14:      #2 0x36a101ecdc in __libc_start_main (/lib64/libc.so.6+0x36a101ecdc)

15:

16:  previously allocated by thread T0 here:

17:      #0 0x46be29 in malloc /home/ads/build23_6u0_x64/workspace/t-coresystem-clang/label/build23_6u0_x64/t-coresystem-clang/llvm-3.4/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:74

18:      #1 0x482026 in main /home/cobbliu/test/core.c:18

19:      #2 0x36a101ecdc in __libc_start_main (/lib64/libc.so.6+0x36a101ecdc)

20:

21:  SUMMARY: AddressSanitizer: double-free /home/ads/build23_6u0_x64/workspace/t-coresystem-clang/label/build23_6u0_x64/t-coresystem-clang/llvm-3.4/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:64 __interceptor_free

22:  ==11952==ABORTING

可以看到，AddressSanitizer报错，说core.c的34行有一个double-free的错误

6 示例代码3

上面的代码做一些小修改，把释放e的代码注释掉，看看它对内存泄漏的检测

1:  /...

2:      //free(e);

3:  /...

4:  }

按照上面相同的方法编译并运行后，提示信息如下：

1:  [cobbliu@kftest25 test]$ ./core

2:  10.100000

可以看到，对内存泄漏，AddressSanitizer无法检测出来 clang中有一个工具叫LeakSanitizer，它的设计目标是用来检测内存泄漏。直到3.7版，LeakSanitizer也是在实验阶段。

7 AddressSanitizer的缺陷

AddressSanitizer工具编译的程序的堆栈和栈占用比原生程序的大。
AddressSanitizer不支持静态编译

更新：gcc4.8版本之后，有了对AddressSanitizer的支持！

Date: 2015-04-16T21:24+0800

Author: Cobbliu

Org version 7.9.3f with Emacs version 24

Validate XHTML 1.0