Using AddressSanitizer in Subzero
=================================

AddressSanitizer is a powerful compile-time tool used to detect and report
illegal memory accesses. For a full description of the tool, see the original
`paper
<https://www.usenix.org/system/files/conference/atc12/atc12-final39.pdf>`_.
AddressSanitizer is only supported on native builds of .pexe files and cannot be
used in production.

In Subzero, AddressSanitizer depends on being able to find and instrument calls
to various functions such as malloc() and free(), and as such the .pexe file
being translated must not have had those symbols stripped or inlined. Subzero
will not complain if it is told to translate a .pexe file with its symbols
stripped, but it will not be able to find calls to malloc(), calloc(), free(),
etc., so AddressSanitizer will not work correctly in the final executable.

Furthermore, pnacl-clang automatically inlines some calls to calloc(),
even with inlining turned off, so we provide wrapper scripts,
sz-clang.py and sz-clang++.py, that normally just pass their arguments
through to pnacl-clang or pnacl-clang++, but add instrumentation to
replace calls to calloc() at the source level if they are passed
-fsanitize-address.

These are the steps to compile hello.c to an instrumented object file::

    sz-clang.py -fsanitize-address -o hello.nonfinal.pexe hello.c
    pnacl-finalize --no-strip-syms -o hello.pexe hello.nonfinal.pexe
    pnacl-sz -fsanitize-address -filetype=obj -o hello.o hello.pexe

The resulting object file must be linked with the Subzero-specific
AddressSanitizer runtime to work correctly. A .pexe file can be compiled with
AddressSanitizer and properly linked into a final executable using
subzero/pydir/szbuild.py with the --fsanitize-address flag, e.g.::

    pydir/szbuild.py --fsanitize-address hello.pexe

Handling Wide Loads
===================

Because AddressSanitizer is implemented only in Subzero, the .pexe being
translated may already contain widened loads that would cause false positives.
To avoid reporting such loads as errors, we treat any word-aligned, four-byte
load as a potentially widened load and only check the first byte of the loaded
word against shadow memory.
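
The following constructed C model, added here as an illustration and not taken from Subzero, contrasts the plain per-byte shadow check with the first-byte-only check applied to word-aligned four-byte loads. It assumes the standard AddressSanitizer shadow encoding (one shadow byte per 8-byte granule: 0 means all eight bytes are addressable, 1..7 means only the first k bytes are, negative means poisoned) and models addresses as offsets into a small fake heap so it runs without real memory.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed toy model, not Subzero code. One shadow byte covers an 8-byte
 * granule: 0 = all 8 bytes addressable, k in 1..7 = only the first k bytes
 * addressable, negative = poisoned (redzone). Addresses are offsets into a
 * small fake heap so the example runs without real memory. */
#define HEAP_SIZE 64
static int8_t shadow[HEAP_SIZE / 8];

/* Poison the whole fake heap as redzone. */
void poison_all(void) { memset(shadow, 0xfa, sizeof shadow); }

/* Mark an allocation [start, start+len) addressable; start is assumed to be
 * 8-byte aligned, as an allocator would guarantee. */
void unpoison(size_t start, size_t len) {
    size_t end = start + len;
    for (size_t a = start; a < end; a += 8) {
        size_t remaining = end - a;
        shadow[a / 8] = remaining >= 8 ? 0 : (int8_t)remaining;
    }
}

/* Is the single byte at addr addressable? */
static bool byte_ok(size_t addr) {
    int8_t k = shadow[addr / 8];
    if (k == 0) return true;
    if (k < 0) return false;
    return (int)(addr & 7) < k;
}

/* Plain check: every byte of the access must be addressable. */
bool access_ok(size_t addr, size_t size) {
    for (size_t i = 0; i < size; i++)
        if (!byte_ok(addr + i)) return false;
    return true;
}

/* Subzero's load rule: a word-aligned four-byte load may be a widened load of
 * a narrower value, so only its first byte is checked. Everything else gets
 * the plain check. */
bool load_ok(size_t addr, size_t size) {
    if (size == 4 && (addr & 3) == 0) return byte_ok(addr);
    return access_ok(addr, size);
}
```

The price of the rule is visible with a 13-byte allocation at offset 0: an aligned four-byte load at offset 12 reads three bytes past the allocation but is accepted, whereas the same load at the unaligned offset 10 is still reported.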

Building SPEC2000 Benchmark Suite
=================================

Most of the SPEC2000 benchmarks can be built with Subzero and AddressSanitizer;
however, because of the nature of our solution for LLVM's aggressive inlining of
calloc, 300.twolf and 252.eon will not build. AddressSanitizer correctly finds
bugs in 197.parser and 253.perlbmk. 176.gcc crashes for unknown reasons. Among
the benchmarks that do run to completion, the average slowdown introduced is
4.6x.

To build the benchmarks with AddressSanitizer, some small changes to the
Makefile are needed. They can be found `here
<https://codereview.chromium.org/2266553002/>`_.

Once the Makefile has been patched, build and run with these commands::

  cd native_client/tests/spec2k
  ./run_all.sh BuildBenchmarks 0 SetupPnaclX8632Opt <benchmarks>
  ../../toolchain_build/src/subzero/pydir/szbuild_spec2k.py -v -O2 \
      --fsanitize-address <benchmarks>
  ./run_all.sh RunTimedBenchmarks SetupGccX8632Opt train <benchmarks>
