1 ========================== 2 UndefinedBehaviorSanitizer 3 ========================== 4 5 .. contents:: 6 :local: 7 8 Introduction 9 ============ 10 11 UndefinedBehaviorSanitizer (UBSan) is a fast undefined behavior detector. 12 UBSan modifies the program at compile-time to catch various kinds of undefined 13 behavior during program execution, for example: 14 15 * Using misaligned or null pointer 16 * Signed integer overflow 17 * Conversion to, from, or between floating-point types which would 18 overflow the destination 19 20 See the full list of available :ref:`checks <ubsan-checks>` below. 21 22 UBSan has an optional run-time library which provides better error reporting. 23 The checks have small runtime cost and no impact on address space layout or ABI. 24 25 How to build 26 ============ 27 28 Build LLVM/Clang with `CMake <http://llvm.org/docs/CMake.html>`_. 29 30 Usage 31 ===== 32 33 Use ``clang++`` to compile and link your program with ``-fsanitize=undefined`` 34 flag. Make sure to use ``clang++`` (not ``ld``) as a linker, so that your 35 executable is linked with proper UBSan runtime libraries. You can use ``clang`` 36 instead of ``clang++`` if you're compiling/linking C code. 37 38 .. code-block:: console 39 40 % cat test.cc 41 int main(int argc, char **argv) { 42 int k = 0x7fffffff; 43 k += argc; 44 return 0; 45 } 46 % clang++ -fsanitize=undefined test.cc 47 % ./a.out 48 test.cc:3:5: runtime error: signed integer overflow: 2147483647 + 1 cannot be represented in type 'int' 49 50 You can enable only a subset of :ref:`checks <ubsan-checks>` offered by UBSan, 51 and define the desired behavior for each kind of check: 52 53 * print a verbose error report and continue execution (default); 54 * print a verbose error report and exit the program; 55 * execute a trap instruction (doesn't require UBSan run-time support). 56 57 For example if you compile/link your program as: 58 59 .. code-block:: console 60 61 % clang++ -fsanitize=signed-integer-overflow,null,alignment -fno-sanitize-recover=null -fsanitize-trap=alignment 62 63 the program will continue execution after signed integer overflows, exit after 64 the first invalid use of a null pointer, and trap after the first use of misaligned 65 pointer. 66 67 .. _ubsan-checks: 68 69 Availablle checks 70 ================= 71 72 Available checks are: 73 74 - ``-fsanitize=alignment``: Use of a misaligned pointer or creation 75 of a misaligned reference. 76 - ``-fsanitize=bool``: Load of a ``bool`` value which is neither 77 ``true`` nor ``false``. 78 - ``-fsanitize=bounds``: Out of bounds array indexing, in cases 79 where the array bound can be statically determined. 80 - ``-fsanitize=enum``: Load of a value of an enumerated type which 81 is not in the range of representable values for that enumerated 82 type. 83 - ``-fsanitize=float-cast-overflow``: Conversion to, from, or 84 between floating-point types which would overflow the 85 destination. 86 - ``-fsanitize=float-divide-by-zero``: Floating point division by 87 zero. 88 - ``-fsanitize=function``: Indirect call of a function through a 89 function pointer of the wrong type (Linux, C++ and x86/x86_64 only). 90 - ``-fsanitize=integer-divide-by-zero``: Integer division by zero. 91 - ``-fsanitize=nonnull-attribute``: Passing null pointer as a function 92 parameter which is declared to never be null. 93 - ``-fsanitize=null``: Use of a null pointer or creation of a null 94 reference. 95 - ``-fsanitize=object-size``: An attempt to potentially use bytes which 96 the optimizer can determine are not part of the object being accessed. 97 This will also detect some types of undefined behavior that may not 98 directly access memory, but are provably incorrect given the size of 99 the objects involved, such as invalid downcasts and calling methods on 100 invalid pointers. These checks are made in terms of 101 ``__builtin_object_size``, and consequently may be able to detect more 102 problems at higher optimization levels. 103 - ``-fsanitize=return``: In C++, reaching the end of a 104 value-returning function without returning a value. 105 - ``-fsanitize=returns-nonnull-attribute``: Returning null pointer 106 from a function which is declared to never return null. 107 - ``-fsanitize=shift``: Shift operators where the amount shifted is 108 greater or equal to the promoted bit-width of the left hand side 109 or less than zero, or where the left hand side is negative. For a 110 signed left shift, also checks for signed overflow in C, and for 111 unsigned overflow in C++. You can use ``-fsanitize=shift-base`` or 112 ``-fsanitize=shift-exponent`` to check only left-hand side or 113 right-hand side of shift operation, respectively. 114 - ``-fsanitize=signed-integer-overflow``: Signed integer overflow, 115 including all the checks added by ``-ftrapv``, and checking for 116 overflow in signed division (``INT_MIN / -1``). 117 - ``-fsanitize=unreachable``: If control flow reaches 118 ``__builtin_unreachable``. 119 - ``-fsanitize=unsigned-integer-overflow``: Unsigned integer 120 overflows. 121 - ``-fsanitize=vla-bound``: A variable-length array whose bound 122 does not evaluate to a positive value. 123 - ``-fsanitize=vptr``: Use of an object whose vptr indicates that 124 it is of the wrong dynamic type, or that its lifetime has not 125 begun or has ended. Incompatible with ``-fno-rtti``. Link must 126 be performed by ``clang++``, not ``clang``, to make sure C++-specific 127 parts of the runtime library and C++ standard libraries are present. 128 129 You can also use the following check groups: 130 - ``-fsanitize=undefined``: All of the checks listed above other than 131 ``unsigned-integer-overflow``. 132 - ``-fsanitize=undefined-trap``: Deprecated alias of 133 ``-fsanitize=undefined``. 134 - ``-fsanitize=integer``: Checks for undefined or suspicious integer 135 behavior (e.g. unsigned integer overflow). 136 137 Stack traces and report symbolization 138 ===================================== 139 If you want UBSan to print symbolized stack trace for each error report, you 140 will need to: 141 142 #. Compile with ``-g`` and ``-fno-omit-frame-pointer`` to get proper debug 143 information in your binary. 144 #. Run your program with environment variable 145 ``UBSAN_OPTIONS=print_stacktrace=1``. 146 #. Make sure ``llvm-symbolizer`` binary is in ``PATH``. 147 148 Issue Suppression 149 ================= 150 151 UndefinedBehaviorSanitizer is not expected to produce false positives. 152 If you see one, look again; most likely it is a true positive! 153 154 Disabling Instrumentation with ``__attribute__((no_sanitize("undefined")))`` 155 ---------------------------------------------------------------------------- 156 157 You disable UBSan checks for particular functions with 158 ``__attribute__((no_sanitize("undefined")))``. You can use all values of 159 ``-fsanitize=`` flag in this attribute, e.g. if your function deliberately 160 contains possible signed integer overflow, you can use 161 ``__attribute__((no_sanitize("signed-integer-overflow")))``. 162 163 This attribute may not be 164 supported by other compilers, so consider using it together with 165 ``#if defined(__clang__)``. 166 167 Suppressing Errors in Recompiled Code (Blacklist) 168 ------------------------------------------------- 169 170 UndefinedBehaviorSanitizer supports ``src`` and ``fun`` entity types in 171 :doc:`SanitizerSpecialCaseList`, that can be used to suppress error reports 172 in the specified source files or functions. 173 174 Runtime suppressions 175 -------------------- 176 177 Sometimes you can suppress UBSan error reports for specific files, functions, 178 or libraries without recompiling the code. You need to pass a path to 179 suppression file in a ``UBSAN_OPTIONS`` environment variable. 180 181 .. code-block:: bash 182 183 UBSAN_OPTIONS=suppressions=MyUBSan.supp 184 185 You need to specify a :ref:`check <ubsan-checks>` you are suppressing and the 186 bug location. For example: 187 188 .. code-block:: bash 189 190 signed-integer-overflow:file-with-known-overflow.cpp 191 alignment:function_doing_unaligned_access 192 vptr:shared_object_with_vptr_failures.so 193 194 There are several limitations: 195 196 * Sometimes your binary must have enough debug info and/or symbol table, so 197 that the runtime could figure out source file or function name to match 198 against the suppression. 199 * It is only possible to suppress recoverable checks. For the example above, 200 you can additionally pass 201 ``-fsanitize-recover=signed-integer-overflow,alignment,vptr``, although 202 most of UBSan checks are recoverable by default. 203 * Check groups (like ``undefined``) can't be used in suppressions file, only 204 fine-grained checks are supported. 205 206 Supported Platforms 207 =================== 208 209 UndefinedBehaviorSanitizer is supported on the following OS: 210 211 * Android 212 * Linux 213 * FreeBSD 214 * OS X 10.6 onwards 215 216 and for the following architectures: 217 218 * i386/x86\_64 219 * ARM 220 * AArch64 221 * PowerPC64 222 * MIPS/MIPS64 223 224 Current Status 225 ============== 226 227 UndefinedBehaviorSanitizer is available on selected platforms starting from LLVM 228 3.3. The test suite is integrated into the CMake build and can be run with 229 ``check-ubsan`` command. 230 231 Additional Configuration 232 ======================== 233 234 UndefinedBehaviorSanitizer adds static check data for each check unless it is 235 in trap mode. This check data includes the full file name. The option 236 ``-fsanitize-undefined-strip-path-components=N`` can be used to trim this 237 information. If ``N`` is positive, file information emitted by 238 UndefinedBehaviorSanitizer will drop the first ``N`` components from the file 239 path. If ``N`` is negative, the last ``N`` components will be kept. 240 241 Example 242 ------- 243 244 For a file called ``/code/library/file.cpp``, here is what would be emitted: 245 * Default (No flag, or ``-fsanitize-undefined-strip-path-components=0``): ``/code/library/file.cpp`` 246 * ``-fsanitize-undefined-strip-path-components=1``: ``code/library/file.cpp`` 247 * ``-fsanitize-undefined-strip-path-components=2``: ``library/file.cpp`` 248 * ``-fsanitize-undefined-strip-path-components=-1``: ``file.cpp`` 249 * ``-fsanitize-undefined-strip-path-components=-2``: ``library/file.cpp`` 250 251 More Information 252 ================ 253 254 * From LLVM project blog: 255 `What Every C Programmer Should Know About Undefined Behavior 256 <http://blog.llvm.org/2011/05/what-every-c-programmer-should-know.html>`_ 257 * From John Regehr's *Embedded in Academia* blog: 258 `A Guide to Undefined Behavior in C and C++ 259 <http://blog.regehr.org/archives/213>`_ 260