| ================ |
| MemorySanitizer |
| ================ |
| |
| .. contents:: |
| :local: |
| |
| Introduction |
| ============ |
| |
| MemorySanitizer is a detector of uninitialized reads. It consists of a |
| compiler instrumentation module and a run-time library. |
| |
| Typical slowdown introduced by MemorySanitizer is **3x**. |
| |
| How to build |
| ============ |
| |
| Build LLVM/Clang with `CMake <https://llvm.org/docs/CMake.html>`_. |
| |
| Usage |
| ===== |
| |
| Simply compile and link your program with ``-fsanitize=memory`` flag. |
| The MemorySanitizer run-time library should be linked to the final |
| executable, so make sure to use ``clang`` (not ``ld``) for the final |
| link step. When linking shared libraries, the MemorySanitizer run-time |
| is not linked, so ``-Wl,-z,defs`` may cause link errors (don't use it |
| with MemorySanitizer). To get a reasonable performance add ``-O1`` or |
| higher. To get meaningful stack traces in error messages add |
| ``-fno-omit-frame-pointer``. To get perfect stack traces you may need |
| to disable inlining (just use ``-O1``) and tail call elimination |
| (``-fno-optimize-sibling-calls``). |
| |
| .. code-block:: console |
| |
| % cat umr.cc |
| #include <stdio.h> |
| |
| int main(int argc, char** argv) { |
| int* a = new int[10]; |
| a[5] = 0; |
| if (a[argc]) |
| printf("xx\n"); |
| return 0; |
| } |
| |
| % clang -fsanitize=memory -fno-omit-frame-pointer -g -O2 umr.cc |
| |
| If a bug is detected, the program will print an error message to |
| stderr and exit with a non-zero exit code. |
| |
| .. code-block:: console |
| |
| % ./a.out |
| WARNING: MemorySanitizer: use-of-uninitialized-value |
| #0 0x7f45944b418a in main umr.cc:6 |
| #1 0x7f45938b676c in __libc_start_main libc-start.c:226 |
| |
| By default, MemorySanitizer exits on the first detected error. If you |
| find the error report hard to understand, try enabling |
| :ref:`origin tracking <msan-origins>`. |
| |
| ``__has_feature(memory_sanitizer)`` |
| ------------------------------------ |
| |
| In some cases one may need to execute different code depending on |
| whether MemorySanitizer is enabled. :ref:`\_\_has\_feature |
| <langext-__has_feature-__has_extension>` can be used for this purpose. |
| |
| .. code-block:: c |
| |
| #if defined(__has_feature) |
| # if __has_feature(memory_sanitizer) |
| // code that builds only under MemorySanitizer |
| # endif |
| #endif |
| |
| ``__attribute__((no_sanitize("memory")))`` |
| ----------------------------------------------- |
| |
| Some code should not be checked by MemorySanitizer. One may use the function |
| attribute ``no_sanitize("memory")`` to disable uninitialized checks in a |
| particular function. MemorySanitizer may still instrument such functions to |
| avoid false positives. This attribute may not be supported by other compilers, |
| so we suggest to use it together with ``__has_feature(memory_sanitizer)``. |
| |
| Blacklist |
| --------- |
| |
| MemorySanitizer supports ``src`` and ``fun`` entity types in |
| :doc:`SanitizerSpecialCaseList`, that can be used to relax MemorySanitizer |
| checks for certain source files and functions. All "Use of uninitialized value" |
| warnings will be suppressed and all values loaded from memory will be |
| considered fully initialized. |
| |
| Report symbolization |
| ==================== |
| |
| MemorySanitizer uses an external symbolizer to print files and line numbers in |
| reports. Make sure that ``llvm-symbolizer`` binary is in ``PATH``, |
| or set environment variable ``MSAN_SYMBOLIZER_PATH`` to point to it. |
| |
| .. _msan-origins: |
| |
| Origin Tracking |
| =============== |
| |
| MemorySanitizer can track origins of uninitialized values, similar to |
| Valgrind's --track-origins option. This feature is enabled by |
| ``-fsanitize-memory-track-origins=2`` (or simply |
| ``-fsanitize-memory-track-origins``) Clang option. With the code from |
| the example above, |
| |
| .. code-block:: console |
| |
| % cat umr2.cc |
| #include <stdio.h> |
| |
| int main(int argc, char** argv) { |
| int* a = new int[10]; |
| a[5] = 0; |
| volatile int b = a[argc]; |
| if (b) |
| printf("xx\n"); |
| return 0; |
| } |
| |
| % clang -fsanitize=memory -fsanitize-memory-track-origins=2 -fno-omit-frame-pointer -g -O2 umr2.cc |
| % ./a.out |
| WARNING: MemorySanitizer: use-of-uninitialized-value |
| #0 0x7f7893912f0b in main umr2.cc:7 |
| #1 0x7f789249b76c in __libc_start_main libc-start.c:226 |
| |
| Uninitialized value was stored to memory at |
| #0 0x7f78938b5c25 in __msan_chain_origin msan.cc:484 |
| #1 0x7f7893912ecd in main umr2.cc:6 |
| |
| Uninitialized value was created by a heap allocation |
| #0 0x7f7893901cbd in operator new[](unsigned long) msan_new_delete.cc:44 |
| #1 0x7f7893912e06 in main umr2.cc:4 |
| |
| By default, MemorySanitizer collects both allocation points and all |
| intermediate stores the uninitialized value went through. Origin |
| tracking has proved to be very useful for debugging MemorySanitizer |
| reports. It slows down program execution by a factor of 1.5x-2x on top |
| of the usual MemorySanitizer slowdown and increases memory overhead. |
| |
| Clang option ``-fsanitize-memory-track-origins=1`` enables a slightly |
| faster mode when MemorySanitizer collects only allocation points but |
| not intermediate stores. |
| |
| Use-after-destruction detection |
| =============================== |
| |
| You can enable experimental use-after-destruction detection in MemorySanitizer. |
| After invocation of the destructor, the object will be considered no longer |
| readable, and using underlying memory will lead to error reports in runtime. |
| |
| This feature is still experimental, in order to enable it at runtime you need |
| to: |
| |
| #. Pass addition Clang option ``-fsanitize-memory-use-after-dtor`` during |
| compilation. |
| #. Set environment variable `MSAN_OPTIONS=poison_in_dtor=1` before running |
| the program. |
| |
| Handling external code |
| ====================== |
| |
| MemorySanitizer requires that all program code is instrumented. This |
| also includes any libraries that the program depends on, even libc. |
| Failing to achieve this may result in false reports. |
| For the same reason you may need to replace all inline assembly code that writes to memory |
| with a pure C/C++ code. |
| |
| Full MemorySanitizer instrumentation is very difficult to achieve. To |
| make it easier, MemorySanitizer runtime library includes 70+ |
| interceptors for the most common libc functions. They make it possible |
| to run MemorySanitizer-instrumented programs linked with |
| uninstrumented libc. For example, the authors were able to bootstrap |
| MemorySanitizer-instrumented Clang compiler by linking it with |
| self-built instrumented libc++ (as a replacement for libstdc++). |
| |
| Supported Platforms |
| =================== |
| |
| MemorySanitizer is supported on the following OS: |
| |
| * Linux |
| * NetBSD |
| * FreeBSD |
| |
| Limitations |
| =========== |
| |
| * MemorySanitizer uses 2x more real memory than a native run, 3x with |
| origin tracking. |
| * MemorySanitizer maps (but not reserves) 64 Terabytes of virtual |
| address space. This means that tools like ``ulimit`` may not work as |
| usually expected. |
| * Static linking is not supported. |
| * Older versions of MSan (LLVM 3.7 and older) didn't work with |
| non-position-independent executables, and could fail on some Linux |
| kernel versions with disabled ASLR. Refer to documentation for older versions |
| for more details. |
| |
| Current Status |
| ============== |
| |
| MemorySanitizer is known to work on large real-world programs |
| (like Clang/LLVM itself) that can be recompiled from source, including all |
| dependent libraries. |
| |
| More Information |
| ================ |
| |
| `<https://github.com/google/sanitizers/wiki/MemorySanitizer>`_ |
