SlideShare ist ein Scribd-Unternehmen logo

20140531 serebryany lecture02_find_scary_cpp_bugs

Computer Science Club
Computer Science Club
1 von 55
Downloaden Sie, um offline zu lesen
[1/2] Fantastic C++ Bugs and Where to Find Them [2/2] Find scary C++ bugs before they find you Konstantin Serebryany, Google May 2014 @compsciclub.ru
● AddressSanitizer (aka ASan) ○ detects use-after-free and buffer overflows (C++) ● ThreadSanitizer (aka TSan) ○ detects data races (C++ & Go) ● MemorySanitizer (aka MSan) ○ detects uninitialized memory reads (C++) ● Related research areas Agenda
AddressSanitizer addressability bugs
AddressSanitizer overview ● Finds ○ buffer overflows (stack, heap, globals) ○ heap-use-after-free, stack-use-after-return ○ some more ● Compiler module (LLVM, GCC) ○ instruments all loads/stores ○ inserts redzones around stack and global Variables ● Run-time library ○ malloc replacement (redzones, quarantine) ○ Bookkeeping for error messages
int global_array[100] = {-1}; int main(int argc, char **argv) { return global_array[argc + 100]; // BOOM } % clang++ -O1 -fsanitize=address a.cc ; ./a.out ==10538== ERROR: AddressSanitizer global-buffer-overflow READ of size 4 at 0x000000415354 thread T0 #0 0x402481 in main a.cc:3 #1 0x7f0a1c295c4d in __libc_start_main ??:0 #2 0x402379 in _start ??:0 0x000000415354 is located 4 bytes to the right of global variable 'global_array' (0x4151c0) of size 400 ASan report example: global-buffer-overflow
int main(int argc, char **argv) { int stack_array[100]; stack_array[1] = 0; return stack_array[argc + 100]; // BOOM } % clang++ -O1 -fsanitize=address a.cc; ./a.out ==10589== ERROR: AddressSanitizer stack-buffer-overflow READ of size 4 at 0x7f5620d981b4 thread T0 #0 0x4024e8 in main a.cc:4 Address 0x7f5620d981b4 is located at offset 436 in frame <main> of T0's stack: This frame has 1 object(s): [32, 432) 'stack_array' ASan report example: stack-buffer-overflow
int main(int argc, char **argv) { int *array = new int[100]; int res = array[argc + 100]; // BOOM delete [] array; return res; } % clang++ -O1 -fsanitize=address a.cc; ./a.out ==10565== ERROR: AddressSanitizer heap-buffer-overflow READ of size 4 at 0x7fe4b0c76214 thread T0 #0 0x40246f in main a.cc:3 0x7fe4b0c76214 is located 4 bytes to the right of 400- byte region [0x7fe..., 0x7fe...) allocated by thread T0 here: #0 0x402c36 in operator new[](unsigned long) #1 0x402422 in main a.cc:2 ASan report example: heap-buffer-overflow
ASan report example: use-after-free int main(int argc, char **argv) { int *array = new int[100]; delete [] array; return array[argc]; // BOOM } % clang++ -O1 -fsanitize=address a.cc && ./a.out ==30226== ERROR: AddressSanitizer heap-use-after-free READ of size 4 at 0x7faa07fce084 thread T0 #0 0x40433c in main a.cc:4 0x7faa07fce084 is located 4 bytes inside of 400-byte region freed by thread T0 here: #0 0x4058fd in operator delete[](void*) _asan_rtl_ #1 0x404303 in main a.cc:3 previously allocated by thread T0 here: #0 0x405579 in operator new[](unsigned long) _asan_rtl_ #1 0x4042f3 in main a.cc:2
% clang -g -fsanitize=address a.cc % ASAN_OPTIONS=detect_stack_use_after_return=1 ./a.out ==19177==ERROR: AddressSanitizer: stack-use-after-return READ of size 4 at 0x7f473d0000a0 thread T0 #0 0x461ccf in main a.cc:8 Address is located in stack of thread T0 at offset 32 in frame #0 0x461a5f in LeakLocal() a.cc:2 This frame has 1 object(s): [32, 36) 'local' <== Memory access at offset 32 ASan report example: stack-use-after-return int *g; void LeakLocal() { int local; g = &local; } int main() { LeakLocal(); return *g; }
Any aligned 8 bytes may have 9 states: N good bytes and 8 - N bad (0<=N<=8) 0 7 6 5 4 3 2 1 -1 Good byte Bad byte Shadow value ASan shadow byte
ASan virtual address space 0xffffffff 0x20000000 0x1fffffff 0x04000000 0x03ffffff 0x00000000 Application Shadow mprotect-ed
ASan instrumentation: 8-byte access char *shadow = a >> 3; if (*shadow) ReportError(a); *a = ... *a = ...
ASan instrumentation: N-byte access (1, 2, 4) char *shadow = a >> 3; if (*shadow && *shadow <= ((a&7)+N-1)) ReportError(a); *a = ... *a = ...
Instrumentation example (x86_64) mov %rdi,%rax shr $0x3,%rax # shift by 3 cmpb $0x0,0x7fff8000(%rax) # load shadow je 1f <foo+0x1f> ud2a # generate SIGILL* movq $0x1234,(%rdi) # original store * May use call instead of UD2
Instrumenting stack frames void foo() { char a[328]; <------------- CODE -------------> }
Instrumenting stack frames void foo() { char rz1[32]; // 32-byte aligned char a[328]; char rz2[24]; char rz3[32]; int *shadow = (&rz1 >> 3) + kOffset; shadow[0] = 0xffffffff; // poison rz1 shadow[11] = 0xffffff00; // poison rz2 shadow[12] = 0xffffffff; // poison rz3 <------------- CODE -------------> shadow[0] = shadow[11] = shadow[12] = 0; }
Instrumenting globals int a; struct { int original; char redzone[60]; } a; // 32-aligned
Malloc replacement ● Insert redzones around every allocation ○ poison redzones on malloc ● Delay the reuse of freed memory ○ poison entire memory region on free ● Collect stack traces for every malloc/free
● 2x slowdown (Valgrind: 20x and more) ● 1.5x-3x memory overhead ● 2000+ bugs found in Chrome in 3 years ● 2000+ bugs found in Google server software ● 1000+ bugs everywhere else ○ Firefox, FreeType, FFmpeg, WebRTC, libjpeg-turbo, Perl, Vim, LLVM, GCC, MySQL ASan marketing slide
ASan and Chrome ● Chrome was the first ASan user (May 2011) ● Now all existing tests are running with ASan ● Fuzzing at massive scale (ClusterFuzz), 2000+ cores ○ Generate test cases, minimize, de-duplicate ○ Find regression ranges, verify fixes ● Over 2000 security bugs found in 2.5 years ○ External researchers found 100+ bugs ○ Most active: Oulu University (Finland)
ThreadSanitizer data races
ThreadSanitizer ● Detects data races ● Compile-time instrumentation (LLVM, GCC) ○ Intercepts all reads/writes ● Run-time library ○ Malloc replacement ○ Intercepts all synchronization ○ Handles reads/writes
TSan report example: data race void Thread1() { Global = 42; } int main() { pthread_create(&t, 0, Thread1, 0); Global = 43; ... % clang -fsanitize=thread -g a.c && ./a.out WARNING: ThreadSanitizer: data race (pid=20373) Write of size 4 at 0x7f... by thread 1: #0 Thread1 a.c:1 Previous write of size 4 at 0x7f... by main thread: #0 main a.c:4 Thread 1 (tid=20374, running) created at: #0 pthread_create ??:0 #1 main a.c:3
Compiler instrumentation void foo(int *p) { *p = 42; } void foo(int *p) { __tsan_func_entry(__builtin_return_address(0)); __tsan_write4(p); *p = 42; __tsan_func_exit() }
Direct shadow mapping (64-bit Linux) Application 0x7fffffffffff 0x7f0000000000 Protected 0x7effffffffff 0x200000000000 Shadow 0x1fffffffffff 0x180000000000 Protected 0x17ffffffffff 0x000000000000 Shadow = 4 * (Addr & kMask);
Shadow cell An 8-byte shadow cell represents one memory access: ○ ~16 bits: TID (thread ID) ○ ~42 bits: Epoch (scalar clock) ○ 5 bits: position/size in 8-byte word ○ 1 bit: IsWrite Full information (no more dereferences) TID Epo Pos IsW
4 shadow cells per 8 app. bytes TID Epo Pos IsW TID Epo Pos IsW TID Epo Pos IsW TID Epo Pos IsW
Example: first access T1 E1 0:2 W Write in thread T1
Example: second access T1 E1 0:2 W T2 E2 4:8 R Read in thread T2
Example: third access T1 E1 0:2 W T3 E3 0:4 R T2 E2 4:8 R Read in thread T3
Example: race? T1 E1 0:2 W T3 E3 0:4 R T2 E2 4:8 R Race if E1 does not "happen-before" E3
Fast happens-before ● Constant-time operation ○ Get TID and Epoch from the shadow cell ○ 1 load from thread-local storage ○ 1 comparison ● Somewhat similar to FastTrack (PLDI'09)
Stack trace for previous access ● Important to understand the report ● Per-thread cyclic buffer of events ○ 64 bits per event (type + PC) ○ Events: memory access, function entry/exit ○ Information will be lost after some time ○ Buffer size is configurable ● Replay the event buffer on report ○ Unlimited number of frames
TSan overhead ● CPU: 4x-10x ● RAM: 5x-8x
Trophies ● 500+ races in Google server-side apps (C++) ○ Scales to huge apps ● 100+ races in Go programs ○ 25+ bugs in Go stdlib ● 100+ races in Chrome
Key advantages ● Speed ○ > 10x faster than other tools ● Native support for atomics ○ Hard or impossible to implement with binary translation (Helgrind, Intel Inspector)
Limitations ● Only 64-bit Linux ○ Relies on atomic 64-bit load/store ○ Requires lots of RAM ● Does not instrument (yet): ○ pre-built libraries ○ inline assembly
MemorySanitizer uninitialized memory reads (UMR)
MSan report example: UMR int main(int argc, char **argv) { int x[10]; x[0] = 1; if (x[argc]) return 1; ... % clang -fsanitize=memory a.c -g; ./a.out WARNING: MemorySanitizer: UMR (uninitialized-memory-read) #0 0x7ff6b05d9ca7 in main stack_umr.c:4 ORIGIN: stack allocation: x@main
Shadow memory ● Bit to bit shadow mapping ○ 1 means 'poisoned' (uninitialized) ● Uninitialized memory: ○ Returned by malloc ○ Local stack objects (poisoned at function entry) ● Shadow is unpoisoned when constants are stored
Shadow propagation Reporting every load of uninitialized data is too noisy. struct { char x; // 3-byte padding int y; } It's OK to copy uninitialized data around. Uninit calculations are OK, too, as long as the result is discarded. People do it.
Shadow propagation A = B << C: A' = B' << C A = B & C: A' = (B' & C') | (B & C') | (B' & C) A = B + C: A' = B' | C' (approx.) Report errors only on some uses: conditional branch, syscall argument (visible side-effect).
Tracking origins ● Where was the poisoned memory allocated? a = malloc() ... b = malloc() ... c = *a + *b ... if (c) ... // UMR. Is 'a' guilty or 'b'? ● Valgrind --track-origins: propagate the origin of the poisoned memory alongside the shadow ● MemorySanitizer: secondary shadow ○ Origin-ID is 4 bytes, 1:1 mapping ○ 2x additional slowdown
Shadow mapping Application 0x7fffffffffff 0x600000000000 Origin 0x5fffffffffff 0x400000000000 Shadow 0x3fffffffffff 0x200000000000 Protected 0x1fffffffffff 0x000000000000 Shadow = Addr - 0x400000000000; Origin = Addr - 0x200000000000;
● Without origins: ○ CPU: 3x ○ RAM: 2x ● With origins: ○ CPU: 6x ○ RAM: 3x MSan overhead
Tricky part :( Missing any write causes false reports. ● Libc ○ Solution: function wrappers ● Inline assembly ○ Openssl, libjpeg_turbo, etc ● JITs (e.g. V8)
MSan trophies ● Proprietary console app, 1.3 MLOC in C++ ○ Not tested with Valgrind previously ○ 20+ unique bugs in < 2 hours ○ Valgrind finds the same bugs in 24+ hours ○ MSan gives better reports for stack memory ● 20+ in LLVM ○ Regressions caught by regular LLVM bootstrap ● 300+ bugs in Google server-side code
What’s next? You can help
Faster ● Use hardware features ○ Or even create them (!) ● Static analysis: eliminate redundant checks ○ Many attempts were made; not trivial! ○ How to test it??
More bugs ● Instrument assembler & binaries ○ SyzyASAN: instruments binaries statically, Win32 ● Instrument JIT-ed code & JIT’s heap ● More types of bugs ○ Intra-object overflows ○ Annotations in STL, e.g. std::vector<> ● Intel MPX ● Other languages (e.g. races in Java)
More environments ● Microsoft Windows ● Mobile, embedded ● OS Kernel (Linux and others) ● Production ○ Crowdsourcing bug detection?
Q&A http://code.google.com/p/address-sanitizer/ http://code.google.com/p/thread-sanitizer/ http://code.google.com/p/memory-sanitizer/
● AddressSanitizer (memory corruption) ○ Linux, OSX, CrOS, Android, iOS ○ i386, x86_64, ARM, PowerPC ○ WIP: Windows, *BSD (?) ○ Clang 3.1+ and GCC 4.8+ ● ThreadSanitizer (races) ○ A "must use" if you have threads (C++, Go) ○ Only x86_64 Linux; Clang 3.2+ and GCC 4.8+ ● MemorySanitizer (uses of uninitialized data) ○ WIP, usable for "console" apps (C++) ○ Only x86_64 Linux; Clang 3.3 Supported platforms
ASan/MSan vs Valgrind (Memcheck) Valgrind ASan MSan Heap out-of-bounds YES YES NO Stack out-of-bounds NO YES NO Global out-of-bounds NO YES NO Use-after-free YES YES NO Use-after-return NO Sometimes NO Uninitialized reads YES NO YES CPU Overhead 10x-300x 1.5x-3x 3x
● Slowdowns will add up ○ Bad for interactive or network apps ● Memory overheads will multiply ○ ASan redzone vs TSan/MSan large shadow ● Not trivial to implement Why not a single tool?

Empfohlen

20140531 serebryany lecture01_fantastic_cpp_bugs
20140531 serebryany lecture01_fantastic_cpp_bugs20140531 serebryany lecture01_fantastic_cpp_bugs
20140531 serebryany lecture01_fantastic_cpp_bugsComputer Science Club
 
C Programming Training in Ambala ! Batra Computer Centre
C Programming Training in Ambala ! Batra Computer CentreC Programming Training in Ambala ! Batra Computer Centre
C Programming Training in Ambala ! Batra Computer Centrejatin batra
 
Egor Bogatov - .NET Core intrinsics and other micro-optimizations
Egor Bogatov - .NET Core intrinsics and other micro-optimizationsEgor Bogatov - .NET Core intrinsics and other micro-optimizations
Egor Bogatov - .NET Core intrinsics and other micro-optimizationsEgor Bogatov
 
Yurii Shevtsov "V8 + libuv = Node.js. Under the hood"
Yurii Shevtsov "V8 + libuv = Node.js. Under the hood"Yurii Shevtsov "V8 + libuv = Node.js. Under the hood"
Yurii Shevtsov "V8 + libuv = Node.js. Under the hood"OdessaJS Conf
 
Bartosz Milewski, “Re-discovering Monads in C++”
Bartosz Milewski, “Re-discovering Monads in C++”Bartosz Milewski, “Re-discovering Monads in C++”
Bartosz Milewski, “Re-discovering Monads in C++”Platonov Sergey
 
Devirtualizing FinSpy
Devirtualizing FinSpyDevirtualizing FinSpy
Devirtualizing FinSpyjduart
 
Timur Shemsedinov "Пишу на колбеках, а что... (Асинхронное программирование)"
Timur Shemsedinov "Пишу на колбеках, а что... (Асинхронное программирование)"Timur Shemsedinov "Пишу на колбеках, а что... (Асинхронное программирование)"
Timur Shemsedinov "Пишу на колбеках, а что... (Асинхронное программирование)"OdessaJS Conf
 
Modern C++ Concurrency API
Modern C++ Concurrency APIModern C++ Concurrency API
Modern C++ Concurrency APISeok-joon Yun
 

Empfohlen

20140531 serebryany lecture01_fantastic_cpp_bugs
20140531 serebryany lecture01_fantastic_cpp_bugs20140531 serebryany lecture01_fantastic_cpp_bugs
20140531 serebryany lecture01_fantastic_cpp_bugsComputer Science Club
 
C Programming Training in Ambala ! Batra Computer Centre
C Programming Training in Ambala ! Batra Computer CentreC Programming Training in Ambala ! Batra Computer Centre
C Programming Training in Ambala ! Batra Computer Centrejatin batra
 
Egor Bogatov - .NET Core intrinsics and other micro-optimizations
Egor Bogatov - .NET Core intrinsics and other micro-optimizationsEgor Bogatov - .NET Core intrinsics and other micro-optimizations
Egor Bogatov - .NET Core intrinsics and other micro-optimizationsEgor Bogatov
 
Yurii Shevtsov "V8 + libuv = Node.js. Under the hood"
Yurii Shevtsov "V8 + libuv = Node.js. Under the hood"Yurii Shevtsov "V8 + libuv = Node.js. Under the hood"
Yurii Shevtsov "V8 + libuv = Node.js. Under the hood"OdessaJS Conf
 
Bartosz Milewski, “Re-discovering Monads in C++”
Bartosz Milewski, “Re-discovering Monads in C++”Bartosz Milewski, “Re-discovering Monads in C++”
Bartosz Milewski, “Re-discovering Monads in C++”Platonov Sergey
 
Devirtualizing FinSpy
Devirtualizing FinSpyDevirtualizing FinSpy
Devirtualizing FinSpyjduart
 
Timur Shemsedinov "Пишу на колбеках, а что... (Асинхронное программирование)"
Timur Shemsedinov "Пишу на колбеках, а что... (Асинхронное программирование)"Timur Shemsedinov "Пишу на колбеках, а что... (Асинхронное программирование)"
Timur Shemsedinov "Пишу на колбеках, а что... (Асинхронное программирование)"OdessaJS Conf
 
Modern C++ Concurrency API
Modern C++ Concurrency APIModern C++ Concurrency API
Modern C++ Concurrency APISeok-joon Yun
 
Advance features of C++
Advance features of C++Advance features of C++
Advance features of C++vidyamittal
 
DATASTRUCTURES PPTS PREPARED BY M V BRAHMANANDA REDDY
DATASTRUCTURES PPTS PREPARED BY M V BRAHMANANDA REDDYDATASTRUCTURES PPTS PREPARED BY M V BRAHMANANDA REDDY
DATASTRUCTURES PPTS PREPARED BY M V BRAHMANANDA REDDYMalikireddy Bramhananda Reddy
 
Александр Гранин, Функциональная 'Жизнь': параллельные клеточные автоматы и к...
Александр Гранин, Функциональная 'Жизнь': параллельные клеточные автоматы и к...Александр Гранин, Функциональная 'Жизнь': параллельные клеточные автоматы и к...
Александр Гранин, Функциональная 'Жизнь': параллельные клеточные автоматы и к...Sergey Platonov
 
AA-sort with SSE4.1
AA-sort with SSE4.1AA-sort with SSE4.1
AA-sort with SSE4.1MITSUNARI Shigeo
 
ExperiencesSharingOnEmbeddedSystemDevelopment_20160321
ExperiencesSharingOnEmbeddedSystemDevelopment_20160321ExperiencesSharingOnEmbeddedSystemDevelopment_20160321
ExperiencesSharingOnEmbeddedSystemDevelopment_20160321Teddy Hsiung
 
Whats new in_csharp4
Whats new in_csharp4Whats new in_csharp4
Whats new in_csharp4Abed Bukhari
 
Rainer Grimm, “Functional Programming in C++11”
Rainer Grimm, “Functional Programming in C++11”Rainer Grimm, “Functional Programming in C++11”
Rainer Grimm, “Functional Programming in C++11”Platonov Sergey
 
Evgeniy Muralev, Mark Vince, Working with the compiler, not against it
Evgeniy Muralev, Mark Vince, Working with the compiler, not against itEvgeniy Muralev, Mark Vince, Working with the compiler, not against it
Evgeniy Muralev, Mark Vince, Working with the compiler, not against itSergey Platonov
 
WebAssembly向け多倍長演算の実装
WebAssembly向け多倍長演算の実装WebAssembly向け多倍長演算の実装
WebAssembly向け多倍長演算の実装MITSUNARI Shigeo
 
Антон Бикинеев, Writing good std::future&lt; C++ >
Антон Бикинеев, Writing good std::future&lt; C++ >Антон Бикинеев, Writing good std::future&lt; C++ >
Антон Бикинеев, Writing good std::future&lt; C++ >Sergey Platonov
 
Some examples of the 64-bit code errors
Some examples of the 64-bit code errorsSome examples of the 64-bit code errors
Some examples of the 64-bit code errorsPVS-Studio
 
Let’s talk about microbenchmarking
Let’s talk about microbenchmarkingLet’s talk about microbenchmarking
Let’s talk about microbenchmarkingAndrey Akinshin
 
Clang tidy
Clang tidyClang tidy
Clang tidyYury Yafimachau
 
GPU Programming on CPU - Using C++AMP
GPU Programming on CPU - Using C++AMPGPU Programming on CPU - Using C++AMP
GPU Programming on CPU - Using C++AMPMiller Lee
 
Mintz q207
Mintz q207Mintz q207
Mintz q207Obsidian Software
 
Алексей Кутумов, Coroutines everywhere
Алексей Кутумов, Coroutines everywhereАлексей Кутумов, Coroutines everywhere
Алексей Кутумов, Coroutines everywhereSergey Platonov
 
Roberto Gallea: Workshop Arduino, giorno #2 Arduino + Processing
Roberto Gallea: Workshop Arduino, giorno #2 Arduino + ProcessingRoberto Gallea: Workshop Arduino, giorno #2 Arduino + Processing
Roberto Gallea: Workshop Arduino, giorno #2 Arduino + ProcessingDemetrio Siragusa
 
Hacking Go Compiler Internals / GoCon 2014 Autumn
Hacking Go Compiler Internals / GoCon 2014 AutumnHacking Go Compiler Internals / GoCon 2014 Autumn
Hacking Go Compiler Internals / GoCon 2014 AutumnMoriyoshi Koizumi
 
PVS-Studio, a solution for resource intensive applications development
PVS-Studio, a solution for resource intensive applications developmentPVS-Studio, a solution for resource intensive applications development
PVS-Studio, a solution for resource intensive applications developmentOOO "Program Verification Systems"
 
Ds 2 cycle
Ds 2 cycleDs 2 cycle
Ds 2 cycleChaitanya Kn
 
20140531 serebryany lecture01_fantastic_cpp_bugs
20140531 serebryany lecture01_fantastic_cpp_bugs20140531 serebryany lecture01_fantastic_cpp_bugs
20140531 serebryany lecture01_fantastic_cpp_bugsComputer Science Club
 
20140427 parallel programming_zlobin_lecture11
20140427 parallel programming_zlobin_lecture1120140427 parallel programming_zlobin_lecture11
20140427 parallel programming_zlobin_lecture11Computer Science Club
 

Weitere ähnliche Inhalte

Was ist angesagt?

Advance features of C++
Advance features of C++Advance features of C++
Advance features of C++vidyamittal
 
DATASTRUCTURES PPTS PREPARED BY M V BRAHMANANDA REDDY
DATASTRUCTURES PPTS PREPARED BY M V BRAHMANANDA REDDYDATASTRUCTURES PPTS PREPARED BY M V BRAHMANANDA REDDY
DATASTRUCTURES PPTS PREPARED BY M V BRAHMANANDA REDDYMalikireddy Bramhananda Reddy
 
Александр Гранин, Функциональная 'Жизнь': параллельные клеточные автоматы и к...
Александр Гранин, Функциональная 'Жизнь': параллельные клеточные автоматы и к...Александр Гранин, Функциональная 'Жизнь': параллельные клеточные автоматы и к...
Александр Гранин, Функциональная 'Жизнь': параллельные клеточные автоматы и к...Sergey Platonov
 
ExperiencesSharingOnEmbeddedSystemDevelopment_20160321
ExperiencesSharingOnEmbeddedSystemDevelopment_20160321ExperiencesSharingOnEmbeddedSystemDevelopment_20160321
ExperiencesSharingOnEmbeddedSystemDevelopment_20160321Teddy Hsiung
 
Whats new in_csharp4
Whats new in_csharp4Whats new in_csharp4
Whats new in_csharp4Abed Bukhari
 
Rainer Grimm, “Functional Programming in C++11”
Rainer Grimm, “Functional Programming in C++11”Rainer Grimm, “Functional Programming in C++11”
Rainer Grimm, “Functional Programming in C++11”Platonov Sergey
 
Evgeniy Muralev, Mark Vince, Working with the compiler, not against it
Evgeniy Muralev, Mark Vince, Working with the compiler, not against itEvgeniy Muralev, Mark Vince, Working with the compiler, not against it
Evgeniy Muralev, Mark Vince, Working with the compiler, not against itSergey Platonov
 
WebAssembly向け多倍長演算の実装
WebAssembly向け多倍長演算の実装WebAssembly向け多倍長演算の実装
WebAssembly向け多倍長演算の実装MITSUNARI Shigeo
 
Антон Бикинеев, Writing good std::future&lt; C++ >
Антон Бикинеев, Writing good std::future&lt; C++ >Антон Бикинеев, Writing good std::future&lt; C++ >
Антон Бикинеев, Writing good std::future&lt; C++ >Sergey Platonov
 
Some examples of the 64-bit code errors
Some examples of the 64-bit code errorsSome examples of the 64-bit code errors
Some examples of the 64-bit code errorsPVS-Studio
 
Let’s talk about microbenchmarking
Let’s talk about microbenchmarkingLet’s talk about microbenchmarking
Let’s talk about microbenchmarkingAndrey Akinshin
 
GPU Programming on CPU - Using C++AMP
GPU Programming on CPU - Using C++AMPGPU Programming on CPU - Using C++AMP
GPU Programming on CPU - Using C++AMPMiller Lee
 
Алексей Кутумов, Coroutines everywhere
Алексей Кутумов, Coroutines everywhereАлексей Кутумов, Coroutines everywhere
Алексей Кутумов, Coroutines everywhereSergey Platonov
 
Roberto Gallea: Workshop Arduino, giorno #2 Arduino + Processing
Roberto Gallea: Workshop Arduino, giorno #2 Arduino + ProcessingRoberto Gallea: Workshop Arduino, giorno #2 Arduino + Processing
Roberto Gallea: Workshop Arduino, giorno #2 Arduino + ProcessingDemetrio Siragusa
 
Hacking Go Compiler Internals / GoCon 2014 Autumn
Hacking Go Compiler Internals / GoCon 2014 AutumnHacking Go Compiler Internals / GoCon 2014 Autumn
Hacking Go Compiler Internals / GoCon 2014 AutumnMoriyoshi Koizumi
 
PVS-Studio, a solution for resource intensive applications development
PVS-Studio, a solution for resource intensive applications developmentPVS-Studio, a solution for resource intensive applications development
PVS-Studio, a solution for resource intensive applications developmentOOO "Program Verification Systems"
 

Was ist angesagt? (20)

Advance features of C++
Advance features of C++Advance features of C++
Advance features of C++
 
DATASTRUCTURES PPTS PREPARED BY M V BRAHMANANDA REDDY
DATASTRUCTURES PPTS PREPARED BY M V BRAHMANANDA REDDYDATASTRUCTURES PPTS PREPARED BY M V BRAHMANANDA REDDY
DATASTRUCTURES PPTS PREPARED BY M V BRAHMANANDA REDDY
 
Александр Гранин, Функциональная 'Жизнь': параллельные клеточные автоматы и к...
Александр Гранин, Функциональная 'Жизнь': параллельные клеточные автоматы и к...Александр Гранин, Функциональная 'Жизнь': параллельные клеточные автоматы и к...
Александр Гранин, Функциональная 'Жизнь': параллельные клеточные автоматы и к...
 
AA-sort with SSE4.1
AA-sort with SSE4.1AA-sort with SSE4.1
AA-sort with SSE4.1
 
ExperiencesSharingOnEmbeddedSystemDevelopment_20160321
ExperiencesSharingOnEmbeddedSystemDevelopment_20160321ExperiencesSharingOnEmbeddedSystemDevelopment_20160321
ExperiencesSharingOnEmbeddedSystemDevelopment_20160321
 
Whats new in_csharp4
Whats new in_csharp4Whats new in_csharp4
Whats new in_csharp4
 
Rainer Grimm, “Functional Programming in C++11”
Rainer Grimm, “Functional Programming in C++11”Rainer Grimm, “Functional Programming in C++11”
Rainer Grimm, “Functional Programming in C++11”
 
Evgeniy Muralev, Mark Vince, Working with the compiler, not against it
Evgeniy Muralev, Mark Vince, Working with the compiler, not against itEvgeniy Muralev, Mark Vince, Working with the compiler, not against it
Evgeniy Muralev, Mark Vince, Working with the compiler, not against it
 
WebAssembly向け多倍長演算の実装
WebAssembly向け多倍長演算の実装WebAssembly向け多倍長演算の実装
WebAssembly向け多倍長演算の実装
 
Антон Бикинеев, Writing good std::future&lt; C++ >
Антон Бикинеев, Writing good std::future&lt; C++ >Антон Бикинеев, Writing good std::future&lt; C++ >
Антон Бикинеев, Writing good std::future&lt; C++ >
 
Some examples of the 64-bit code errors
Some examples of the 64-bit code errorsSome examples of the 64-bit code errors
Some examples of the 64-bit code errors
 
Let’s talk about microbenchmarking
Let’s talk about microbenchmarkingLet’s talk about microbenchmarking
Let’s talk about microbenchmarking
 
Clang tidy
Clang tidyClang tidy
Clang tidy
 
GPU Programming on CPU - Using C++AMP
GPU Programming on CPU - Using C++AMPGPU Programming on CPU - Using C++AMP
GPU Programming on CPU - Using C++AMP
 
Mintz q207
Mintz q207Mintz q207
Mintz q207
 
Алексей Кутумов, Coroutines everywhere
Алексей Кутумов, Coroutines everywhereАлексей Кутумов, Coroutines everywhere
Алексей Кутумов, Coroutines everywhere
 
Roberto Gallea: Workshop Arduino, giorno #2 Arduino + Processing
Roberto Gallea: Workshop Arduino, giorno #2 Arduino + ProcessingRoberto Gallea: Workshop Arduino, giorno #2 Arduino + Processing
Roberto Gallea: Workshop Arduino, giorno #2 Arduino + Processing
 
Hacking Go Compiler Internals / GoCon 2014 Autumn
Hacking Go Compiler Internals / GoCon 2014 AutumnHacking Go Compiler Internals / GoCon 2014 Autumn
Hacking Go Compiler Internals / GoCon 2014 Autumn
 
PVS-Studio, a solution for resource intensive applications development
PVS-Studio, a solution for resource intensive applications developmentPVS-Studio, a solution for resource intensive applications development
PVS-Studio, a solution for resource intensive applications development
 
Ds 2 cycle
Ds 2 cycleDs 2 cycle
Ds 2 cycle
 

Andere mochten auch

20140531 serebryany lecture01_fantastic_cpp_bugs
20140531 serebryany lecture01_fantastic_cpp_bugs20140531 serebryany lecture01_fantastic_cpp_bugs
20140531 serebryany lecture01_fantastic_cpp_bugsComputer Science Club
 
20140427 parallel programming_zlobin_lecture11
20140427 parallel programming_zlobin_lecture1120140427 parallel programming_zlobin_lecture11
20140427 parallel programming_zlobin_lecture11Computer Science Club
 
20140511 parallel programming_kalishenko_lecture12
20140511 parallel programming_kalishenko_lecture1220140511 parallel programming_kalishenko_lecture12
20140511 parallel programming_kalishenko_lecture12Computer Science Club
 
20140420 parallel programming_kalishenko_lecture10
20140420 parallel programming_kalishenko_lecture1020140420 parallel programming_kalishenko_lecture10
20140420 parallel programming_kalishenko_lecture10Computer Science Club
 
20120413 videorecognition konushin_lecture01
20120413 videorecognition konushin_lecture0120120413 videorecognition konushin_lecture01
20120413 videorecognition konushin_lecture01Computer Science Club
 
20140216 parallel programming_kalishenko_lecture01
20140216 parallel programming_kalishenko_lecture0120140216 parallel programming_kalishenko_lecture01
20140216 parallel programming_kalishenko_lecture01Computer Science Club
 
2012 03 14_parallel_programming_lecture05
2012 03 14_parallel_programming_lecture052012 03 14_parallel_programming_lecture05
2012 03 14_parallel_programming_lecture05Computer Science Club
 

Andere mochten auch (10)

20140531 serebryany lecture01_fantastic_cpp_bugs
20140531 serebryany lecture01_fantastic_cpp_bugs20140531 serebryany lecture01_fantastic_cpp_bugs
20140531 serebryany lecture01_fantastic_cpp_bugs
 
20140427 parallel programming_zlobin_lecture11
20140427 parallel programming_zlobin_lecture1120140427 parallel programming_zlobin_lecture11
20140427 parallel programming_zlobin_lecture11
 
Computer Vision
Computer VisionComputer Vision
Computer Vision
 
20141223 kuznetsov distributed
20141223 kuznetsov distributed20141223 kuznetsov distributed
20141223 kuznetsov distributed
 
20140511 parallel programming_kalishenko_lecture12
20140511 parallel programming_kalishenko_lecture1220140511 parallel programming_kalishenko_lecture12
20140511 parallel programming_kalishenko_lecture12
 
20140420 parallel programming_kalishenko_lecture10
20140420 parallel programming_kalishenko_lecture1020140420 parallel programming_kalishenko_lecture10
20140420 parallel programming_kalishenko_lecture10
 
20120413 videorecognition konushin_lecture01
20120413 videorecognition konushin_lecture0120120413 videorecognition konushin_lecture01
20120413 videorecognition konushin_lecture01
 
20140216 parallel programming_kalishenko_lecture01
20140216 parallel programming_kalishenko_lecture0120140216 parallel programming_kalishenko_lecture01
20140216 parallel programming_kalishenko_lecture01
 
2012 03 14_parallel_programming_lecture05
2012 03 14_parallel_programming_lecture052012 03 14_parallel_programming_lecture05
2012 03 14_parallel_programming_lecture05
 
Quimica
QuimicaQuimica
Quimica
 

Ähnlich wie 20140531 serebryany lecture02_find_scary_cpp_bugs

Address/Thread/Memory Sanitizer
Address/Thread/Memory SanitizerAddress/Thread/Memory Sanitizer
Address/Thread/Memory SanitizerPlatonov Sergey
 
Yandex may 2013 a san-tsan_msan
Yandex may 2013 a san-tsan_msanYandex may 2013 a san-tsan_msan
Yandex may 2013 a san-tsan_msanYandex
 
Yandex may 2013 a san-tsan_msan
Yandex may 2013 a san-tsan_msanYandex may 2013 a san-tsan_msan
Yandex may 2013 a san-tsan_msanYandex
 
Yandex may 2013 a san-tsan_msan
Yandex may 2013 a san-tsan_msanYandex may 2013 a san-tsan_msan
Yandex may 2013 a san-tsan_msanYandex
 
Potapenko, vyukov forewarned is forearmed. a san and tsan
Potapenko, vyukov forewarned is forearmed. a san and tsanPotapenko, vyukov forewarned is forearmed. a san and tsan
Potapenko, vyukov forewarned is forearmed. a san and tsanDefconRussia
 
Windbg랑 친해지기
Windbg랑 친해지기Windbg랑 친해지기
Windbg랑 친해지기Ji Hun Kim
 
A Speculative Technique for Auto-Memoization Processor with Multithreading
A Speculative Technique for Auto-Memoization Processor with MultithreadingA Speculative Technique for Auto-Memoization Processor with Multithreading
A Speculative Technique for Auto-Memoization Processor with MultithreadingMatsuo and Tsumura lab.
 
Spectre(v1%2 fv2%2fv4) v.s. meltdown(v3)
Spectre(v1%2 fv2%2fv4) v.s. meltdown(v3)Spectre(v1%2 fv2%2fv4) v.s. meltdown(v3)
Spectre(v1%2 fv2%2fv4) v.s. meltdown(v3)Gavin Guo
 
rrxv6 Build a Riscv xv6 Kernel in Rust.pdf
rrxv6 Build a Riscv xv6 Kernel in Rust.pdfrrxv6 Build a Riscv xv6 Kernel in Rust.pdf
rrxv6 Build a Riscv xv6 Kernel in Rust.pdfYodalee
 
Tema3_Introduction_to_CUDA_C.pdf
Tema3_Introduction_to_CUDA_C.pdfTema3_Introduction_to_CUDA_C.pdf
Tema3_Introduction_to_CUDA_C.pdfpepe464163
 
bpftrace - Tracing Summit 2018
bpftrace - Tracing Summit 2018bpftrace - Tracing Summit 2018
bpftrace - Tracing Summit 2018AlastairRobertson9
 
Embedded systemsproject_2020
Embedded systemsproject_2020Embedded systemsproject_2020
Embedded systemsproject_2020Nikos Mouzakitis
 
Scale17x buffer overflows
Scale17x buffer overflowsScale17x buffer overflows
Scale17x buffer overflowsjohseg
 
Linux Initialization Process (1)
Linux Initialization Process (1)Linux Initialization Process (1)
Linux Initialization Process (1)shimosawa
 
Happy To Use SIMD
Happy To Use SIMDHappy To Use SIMD
Happy To Use SIMDWei-Ta Wang
 
Productive OpenCL Programming An Introduction to OpenCL Libraries with Array...
Productive OpenCL Programming An Introduction to OpenCL Libraries with Array...Productive OpenCL Programming An Introduction to OpenCL Libraries with Array...
Productive OpenCL Programming An Introduction to OpenCL Libraries with Array...AMD Developer Central
 

Ähnlich wie 20140531 serebryany lecture02_find_scary_cpp_bugs (20)

Address/Thread/Memory Sanitizer
Address/Thread/Memory SanitizerAddress/Thread/Memory Sanitizer
Address/Thread/Memory Sanitizer
 
Yandex may 2013 a san-tsan_msan
Yandex may 2013 a san-tsan_msanYandex may 2013 a san-tsan_msan
Yandex may 2013 a san-tsan_msan
 
Yandex may 2013 a san-tsan_msan
Yandex may 2013 a san-tsan_msanYandex may 2013 a san-tsan_msan
Yandex may 2013 a san-tsan_msan
 
Yandex may 2013 a san-tsan_msan
Yandex may 2013 a san-tsan_msanYandex may 2013 a san-tsan_msan
Yandex may 2013 a san-tsan_msan
 
Potapenko, vyukov forewarned is forearmed. a san and tsan
Potapenko, vyukov forewarned is forearmed. a san and tsanPotapenko, vyukov forewarned is forearmed. a san and tsan
Potapenko, vyukov forewarned is forearmed. a san and tsan
 
Windbg랑 친해지기
Windbg랑 친해지기Windbg랑 친해지기
Windbg랑 친해지기
 
A Speculative Technique for Auto-Memoization Processor with Multithreading
A Speculative Technique for Auto-Memoization Processor with MultithreadingA Speculative Technique for Auto-Memoization Processor with Multithreading
A Speculative Technique for Auto-Memoization Processor with Multithreading
 
Spectre(v1%2 fv2%2fv4) v.s. meltdown(v3)
Spectre(v1%2 fv2%2fv4) v.s. meltdown(v3)Spectre(v1%2 fv2%2fv4) v.s. meltdown(v3)
Spectre(v1%2 fv2%2fv4) v.s. meltdown(v3)
 
rrxv6 Build a Riscv xv6 Kernel in Rust.pdf
rrxv6 Build a Riscv xv6 Kernel in Rust.pdfrrxv6 Build a Riscv xv6 Kernel in Rust.pdf
rrxv6 Build a Riscv xv6 Kernel in Rust.pdf
 
Why learn Internals?
Why learn Internals?Why learn Internals?
Why learn Internals?
 
Faster Python, FOSDEM
Faster Python, FOSDEMFaster Python, FOSDEM
Faster Python, FOSDEM
 
Tema3_Introduction_to_CUDA_C.pdf
Tema3_Introduction_to_CUDA_C.pdfTema3_Introduction_to_CUDA_C.pdf
Tema3_Introduction_to_CUDA_C.pdf
 
bpftrace - Tracing Summit 2018
bpftrace - Tracing Summit 2018bpftrace - Tracing Summit 2018
bpftrace - Tracing Summit 2018
 
Embedded systemsproject_2020
Embedded systemsproject_2020Embedded systemsproject_2020
Embedded systemsproject_2020
 
Scale17x buffer overflows
Scale17x buffer overflowsScale17x buffer overflows
Scale17x buffer overflows
 
Linux Initialization Process (1)
Linux Initialization Process (1)Linux Initialization Process (1)
Linux Initialization Process (1)
 
Valgrind
ValgrindValgrind
Valgrind
 
Quiz 9
Quiz 9Quiz 9
Quiz 9
 
Happy To Use SIMD
Happy To Use SIMDHappy To Use SIMD
Happy To Use SIMD
 
Productive OpenCL Programming An Introduction to OpenCL Libraries with Array...
Productive OpenCL Programming An Introduction to OpenCL Libraries with Array...Productive OpenCL Programming An Introduction to OpenCL Libraries with Array...
Productive OpenCL Programming An Introduction to OpenCL Libraries with Array...
 

Mehr von Computer Science Club

20140413 parallel programming_kalishenko_lecture09
20140413 parallel programming_kalishenko_lecture0920140413 parallel programming_kalishenko_lecture09
20140413 parallel programming_kalishenko_lecture09Computer Science Club
 
20140329 graph drawing_dainiak_lecture02
20140329 graph drawing_dainiak_lecture0220140329 graph drawing_dainiak_lecture02
20140329 graph drawing_dainiak_lecture02Computer Science Club
 
20140329 graph drawing_dainiak_lecture01
20140329 graph drawing_dainiak_lecture0120140329 graph drawing_dainiak_lecture01
20140329 graph drawing_dainiak_lecture01Computer Science Club
 
20140310 parallel programming_kalishenko_lecture03-04
20140310 parallel programming_kalishenko_lecture03-0420140310 parallel programming_kalishenko_lecture03-04
20140310 parallel programming_kalishenko_lecture03-04Computer Science Club
 
20130928 automated theorem_proving_harrison
20130928 automated theorem_proving_harrison20130928 automated theorem_proving_harrison
20130928 automated theorem_proving_harrisonComputer Science Club
 
20130915 lecture1 2-tarski_matiyasevich
20130915 lecture1 2-tarski_matiyasevich20130915 lecture1 2-tarski_matiyasevich
20130915 lecture1 2-tarski_matiyasevichComputer Science Club
 
20130420 mathematics and_internet-advertizing_in_internet-viktor_lobachev
20130420 mathematics and_internet-advertizing_in_internet-viktor_lobachev20130420 mathematics and_internet-advertizing_in_internet-viktor_lobachev
20130420 mathematics and_internet-advertizing_in_internet-viktor_lobachevComputer Science Club
 
20130429 dynamic c_c++_program_analysis-alexey_samsonov
20130429 dynamic c_c++_program_analysis-alexey_samsonov20130429 dynamic c_c++_program_analysis-alexey_samsonov
20130429 dynamic c_c++_program_analysis-alexey_samsonovComputer Science Club
 
20130407 csseminar ulanov_sentiment_analysis
20130407 csseminar ulanov_sentiment_analysis20130407 csseminar ulanov_sentiment_analysis
20130407 csseminar ulanov_sentiment_analysisComputer Science Club
 

Mehr von Computer Science Club (20)

20140413 parallel programming_kalishenko_lecture09
20140413 parallel programming_kalishenko_lecture0920140413 parallel programming_kalishenko_lecture09
20140413 parallel programming_kalishenko_lecture09
 
20140329 graph drawing_dainiak_lecture02
20140329 graph drawing_dainiak_lecture0220140329 graph drawing_dainiak_lecture02
20140329 graph drawing_dainiak_lecture02
 
20140329 graph drawing_dainiak_lecture01
20140329 graph drawing_dainiak_lecture0120140329 graph drawing_dainiak_lecture01
20140329 graph drawing_dainiak_lecture01
 
20140310 parallel programming_kalishenko_lecture03-04
20140310 parallel programming_kalishenko_lecture03-0420140310 parallel programming_kalishenko_lecture03-04
20140310 parallel programming_kalishenko_lecture03-04
 
20140223-SuffixTrees-lecture01-03
20140223-SuffixTrees-lecture01-0320140223-SuffixTrees-lecture01-03
20140223-SuffixTrees-lecture01-03
 
20131106 h10 lecture6_matiyasevich
20131106 h10 lecture6_matiyasevich20131106 h10 lecture6_matiyasevich
20131106 h10 lecture6_matiyasevich
 
20131027 h10 lecture5_matiyasevich
20131027 h10 lecture5_matiyasevich20131027 h10 lecture5_matiyasevich
20131027 h10 lecture5_matiyasevich
 
20131027 h10 lecture5_matiyasevich
20131027 h10 lecture5_matiyasevich20131027 h10 lecture5_matiyasevich
20131027 h10 lecture5_matiyasevich
 
20131013 h10 lecture4_matiyasevich
20131013 h10 lecture4_matiyasevich20131013 h10 lecture4_matiyasevich
20131013 h10 lecture4_matiyasevich
 
20131006 h10 lecture3_matiyasevich
20131006 h10 lecture3_matiyasevich20131006 h10 lecture3_matiyasevich
20131006 h10 lecture3_matiyasevich
 
20131006 h10 lecture3_matiyasevich
20131006 h10 lecture3_matiyasevich20131006 h10 lecture3_matiyasevich
20131006 h10 lecture3_matiyasevich
 
20131006 h10 lecture2_matiyasevich
20131006 h10 lecture2_matiyasevich20131006 h10 lecture2_matiyasevich
20131006 h10 lecture2_matiyasevich
 
20130922 h10 lecture1_matiyasevich
20130922 h10 lecture1_matiyasevich20130922 h10 lecture1_matiyasevich
20130922 h10 lecture1_matiyasevich
 
20130928 automated theorem_proving_harrison
20130928 automated theorem_proving_harrison20130928 automated theorem_proving_harrison
20130928 automated theorem_proving_harrison
 
20130922 lecture3 matiyasevich
20130922 lecture3 matiyasevich20130922 lecture3 matiyasevich
20130922 lecture3 matiyasevich
 
20130915 lecture1 2-tarski_matiyasevich
20130915 lecture1 2-tarski_matiyasevich20130915 lecture1 2-tarski_matiyasevich
20130915 lecture1 2-tarski_matiyasevich
 
20130420 mathematics and_internet-advertizing_in_internet-viktor_lobachev
20130420 mathematics and_internet-advertizing_in_internet-viktor_lobachev20130420 mathematics and_internet-advertizing_in_internet-viktor_lobachev
20130420 mathematics and_internet-advertizing_in_internet-viktor_lobachev
 
20130429 dynamic c_c++_program_analysis-alexey_samsonov
20130429 dynamic c_c++_program_analysis-alexey_samsonov20130429 dynamic c_c++_program_analysis-alexey_samsonov
20130429 dynamic c_c++_program_analysis-alexey_samsonov
 
20130407 csseminar ulanov_sentiment_analysis
20130407 csseminar ulanov_sentiment_analysis20130407 csseminar ulanov_sentiment_analysis
20130407 csseminar ulanov_sentiment_analysis
 
20120321 csseminar ulanov_duplicate
20120321 csseminar ulanov_duplicate20120321 csseminar ulanov_duplicate
20120321 csseminar ulanov_duplicate
 

20140531 serebryany lecture02_find_scary_cpp_bugs

  • 1. [1/2] Fantastic C++ Bugs and Where to Find Them [2/2] Find scary C++ bugs before they find you Konstantin Serebryany, Google May 2014 @compsciclub.ru
  • 2. ● AddressSanitizer (aka ASan) ○ detects use-after-free and buffer overflows (C++) ● ThreadSanitizer (aka TSan) ○ detects data races (C++ & Go) ● MemorySanitizer (aka MSan) ○ detects uninitialized memory reads (C++) ● Related research areas Agenda
  • 4. AddressSanitizer overview ● Finds ○ buffer overflows (stack, heap, globals) ○ heap-use-after-free, stack-use-after-return ○ some more ● Compiler module (LLVM, GCC) ○ instruments all loads/stores ○ inserts redzones around stack and global Variables ● Run-time library ○ malloc replacement (redzones, quarantine) ○ Bookkeeping for error messages
  • 5. int global_array[100] = {-1}; int main(int argc, char **argv) { return global_array[argc + 100]; // BOOM } % clang++ -O1 -fsanitize=address a.cc ; ./a.out ==10538== ERROR: AddressSanitizer global-buffer-overflow READ of size 4 at 0x000000415354 thread T0 #0 0x402481 in main a.cc:3 #1 0x7f0a1c295c4d in __libc_start_main ??:0 #2 0x402379 in _start ??:0 0x000000415354 is located 4 bytes to the right of global variable 'global_array' (0x4151c0) of size 400 ASan report example: global-buffer-overflow
  • 6. int main(int argc, char **argv) { int stack_array[100]; stack_array[1] = 0; return stack_array[argc + 100]; // BOOM } % clang++ -O1 -fsanitize=address a.cc; ./a.out ==10589== ERROR: AddressSanitizer stack-buffer-overflow READ of size 4 at 0x7f5620d981b4 thread T0 #0 0x4024e8 in main a.cc:4 Address 0x7f5620d981b4 is located at offset 436 in frame <main> of T0's stack: This frame has 1 object(s): [32, 432) 'stack_array' ASan report example: stack-buffer-overflow
  • 7. int main(int argc, char **argv) { int *array = new int[100]; int res = array[argc + 100]; // BOOM delete [] array; return res; } % clang++ -O1 -fsanitize=address a.cc; ./a.out ==10565== ERROR: AddressSanitizer heap-buffer-overflow READ of size 4 at 0x7fe4b0c76214 thread T0 #0 0x40246f in main a.cc:3 0x7fe4b0c76214 is located 4 bytes to the right of 400- byte region [0x7fe..., 0x7fe...) allocated by thread T0 here: #0 0x402c36 in operator new[](unsigned long) #1 0x402422 in main a.cc:2 ASan report example: heap-buffer-overflow
  • 8. ASan report example: use-after-free int main(int argc, char **argv) { int *array = new int[100]; delete [] array; return array[argc]; // BOOM } % clang++ -O1 -fsanitize=address a.cc && ./a.out ==30226== ERROR: AddressSanitizer heap-use-after-free READ of size 4 at 0x7faa07fce084 thread T0 #0 0x40433c in main a.cc:4 0x7faa07fce084 is located 4 bytes inside of 400-byte region freed by thread T0 here: #0 0x4058fd in operator delete[](void*) _asan_rtl_ #1 0x404303 in main a.cc:3 previously allocated by thread T0 here: #0 0x405579 in operator new[](unsigned long) _asan_rtl_ #1 0x4042f3 in main a.cc:2
  • 9. % clang -g -fsanitize=address a.cc % ASAN_OPTIONS=detect_stack_use_after_return=1 ./a.out ==19177==ERROR: AddressSanitizer: stack-use-after-return READ of size 4 at 0x7f473d0000a0 thread T0 #0 0x461ccf in main a.cc:8 Address is located in stack of thread T0 at offset 32 in frame #0 0x461a5f in LeakLocal() a.cc:2 This frame has 1 object(s): [32, 36) 'local' <== Memory access at offset 32 ASan report example: stack-use-after-return int *g; void LeakLocal() { int local; g = &local; } int main() { LeakLocal(); return *g; }
  • 10. Any aligned 8 bytes may have 9 states: N good bytes and 8 - N bad (0<=N<=8) 0 7 6 5 4 3 2 1 -1 Good byte Bad byte Shadow value ASan shadow byte
  • 11. ASan virtual address space 0xffffffff 0x20000000 0x1fffffff 0x04000000 0x03ffffff 0x00000000 Application Shadow mprotect-ed
  • 12. ASan instrumentation: 8-byte access char *shadow = a >> 3; if (*shadow) ReportError(a); *a = ... *a = ...
  • 13. ASan instrumentation: N-byte access (1, 2, 4) char *shadow = a >> 3; if (*shadow && *shadow <= ((a&7)+N-1)) ReportError(a); *a = ... *a = ...
  • 14. Instrumentation example (x86_64) mov %rdi,%rax shr $0x3,%rax # shift by 3 cmpb $0x0,0x7fff8000(%rax) # load shadow je 1f <foo+0x1f> ud2a # generate SIGILL* movq $0x1234,(%rdi) # original store * May use call instead of UD2
  • 15. Instrumenting stack frames void foo() { char a[328]; <------------- CODE -------------> }
  • 16. Instrumenting stack frames void foo() { char rz1[32]; // 32-byte aligned char a[328]; char rz2[24]; char rz3[32]; int *shadow = (&rz1 >> 3) + kOffset; shadow[0] = 0xffffffff; // poison rz1 shadow[11] = 0xffffff00; // poison rz2 shadow[12] = 0xffffffff; // poison rz3 <------------- CODE -------------> shadow[0] = shadow[11] = shadow[12] = 0; }
  • 17. Instrumenting globals int a; struct { int original; char redzone[60]; } a; // 32-aligned
  • 18. Malloc replacement ● Insert redzones around every allocation ○ poison redzones on malloc ● Delay the reuse of freed memory ○ poison entire memory region on free ● Collect stack traces for every malloc/free
  • 19. ● 2x slowdown (Valgrind: 20x and more) ● 1.5x-3x memory overhead ● 2000+ bugs found in Chrome in 3 years ● 2000+ bugs found in Google server software ● 1000+ bugs everywhere else ○ Firefox, FreeType, FFmpeg, WebRTC, libjpeg-turbo, Perl, Vim, LLVM, GCC, MySQL ASan marketing slide
  • 20. ASan and Chrome ● Chrome was the first ASan user (May 2011) ● Now all existing tests are running with ASan ● Fuzzing at massive scale (ClusterFuzz), 2000+ cores ○ Generate test cases, minimize, de-duplicate ○ Find regression ranges, verify fixes ● Over 2000 security bugs found in 2.5 years ○ External researchers found 100+ bugs ○ Most active: Oulu University (Finland)
  • 22. ThreadSanitizer ● Detects data races ● Compile-time instrumentation (LLVM, GCC) ○ Intercepts all reads/writes ● Run-time library ○ Malloc replacement ○ Intercepts all synchronization ○ Handles reads/writes
  • 23. TSan report example: data race void Thread1() { Global = 42; } int main() { pthread_create(&t, 0, Thread1, 0); Global = 43; ... % clang -fsanitize=thread -g a.c && ./a.out WARNING: ThreadSanitizer: data race (pid=20373) Write of size 4 at 0x7f... by thread 1: #0 Thread1 a.c:1 Previous write of size 4 at 0x7f... by main thread: #0 main a.c:4 Thread 1 (tid=20374, running) created at: #0 pthread_create ??:0 #1 main a.c:3
  • 24. Compiler instrumentation void foo(int *p) { *p = 42; } void foo(int *p) { __tsan_func_entry(__builtin_return_address(0)); __tsan_write4(p); *p = 42; __tsan_func_exit() }
  • 25. Direct shadow mapping (64-bit Linux) Application 0x7fffffffffff 0x7f0000000000 Protected 0x7effffffffff 0x200000000000 Shadow 0x1fffffffffff 0x180000000000 Protected 0x17ffffffffff 0x000000000000 Shadow = 4 * (Addr & kMask);
  • 26. Shadow cell An 8-byte shadow cell represents one memory access: ○ ~16 bits: TID (thread ID) ○ ~42 bits: Epoch (scalar clock) ○ 5 bits: position/size in 8-byte word ○ 1 bit: IsWrite Full information (no more dereferences) TID Epo Pos IsW
  • 27. 4 shadow cells per 8 app. bytes TID Epo Pos IsW TID Epo Pos IsW TID Epo Pos IsW TID Epo Pos IsW
  • 32. Fast happens-before ● Constant-time operation ○ Get TID and Epoch from the shadow cell ○ 1 load from thread-local storage ○ 1 comparison ● Somewhat similar to FastTrack (PLDI'09)
  • 33. Stack trace for previous access ● Important to understand the report ● Per-thread cyclic buffer of events ○ 64 bits per event (type + PC) ○ Events: memory access, function entry/exit ○ Information will be lost after some time ○ Buffer size is configurable ● Replay the event buffer on report ○ Unlimited number of frames
  • 34. TSan overhead ● CPU: 4x-10x ● RAM: 5x-8x
  • 35. Trophies ● 500+ races in Google server-side apps (C++) ○ Scales to huge apps ● 100+ races in Go programs ○ 25+ bugs in Go stdlib ● 100+ races in Chrome
  • 36. Key advantages ● Speed ○ > 10x faster than other tools ● Native support for atomics ○ Hard or impossible to implement with binary translation (Helgrind, Intel Inspector)
  • 37. Limitations ● Only 64-bit Linux ○ Relies on atomic 64-bit load/store ○ Requires lots of RAM ● Does not instrument (yet): ○ pre-built libraries ○ inline assembly
  • 39. MSan report example: UMR int main(int argc, char **argv) { int x[10]; x[0] = 1; if (x[argc]) return 1; ... % clang -fsanitize=memory a.c -g; ./a.out WARNING: MemorySanitizer: UMR (uninitialized-memory-read) #0 0x7ff6b05d9ca7 in main stack_umr.c:4 ORIGIN: stack allocation: x@main
  • 40. Shadow memory ● Bit to bit shadow mapping ○ 1 means 'poisoned' (uninitialized) ● Uninitialized memory: ○ Returned by malloc ○ Local stack objects (poisoned at function entry) ● Shadow is unpoisoned when constants are stored
  • 41. Shadow propagation Reporting every load of uninitialized data is too noisy. struct { char x; // 3-byte padding int y; } It's OK to copy uninitialized data around. Uninit calculations are OK, too, as long as the result is discarded. People do it.
  • 42. Shadow propagation A = B << C: A' = B' << C A = B & C: A' = (B' & C') | (B & C') | (B' & C) A = B + C: A' = B' | C' (approx.) Report errors only on some uses: conditional branch, syscall argument (visible side-effect).
  • 43. Tracking origins ● Where was the poisoned memory allocated? a = malloc() ... b = malloc() ... c = *a + *b ... if (c) ... // UMR. Is 'a' guilty or 'b'? ● Valgrind --track-origins: propagate the origin of the poisoned memory alongside the shadow ● MemorySanitizer: secondary shadow ○ Origin-ID is 4 bytes, 1:1 mapping ○ 2x additional slowdown
  • 45. ● Without origins: ○ CPU: 3x ○ RAM: 2x ● With origins: ○ CPU: 6x ○ RAM: 3x MSan overhead
  • 46. Tricky part :( Missing any write causes false reports. ● Libc ○ Solution: function wrappers ● Inline assembly ○ Openssl, libjpeg_turbo, etc ● JITs (e.g. V8)
  • 47. MSan trophies ● Proprietary console app, 1.3 MLOC in C++ ○ Not tested with Valgrind previously ○ 20+ unique bugs in < 2 hours ○ Valgrind finds the same bugs in 24+ hours ○ MSan gives better reports for stack memory ● 20+ in LLVM ○ Regressions caught by regular LLVM bootstrap ● 300+ bugs in Google server-side code
  • 49. Faster ● Use hardware features ○ Or even create them (!) ● Static analysis: eliminate redundant checks ○ Many attempts were made; not trivial! ○ How to test it??
  • 50. More bugs ● Instrument assembler & binaries ○ SyzyASAN: instruments binaries statically, Win32 ● Instrument JIT-ed code & JIT’s heap ● More types of bugs ○ Intra-object overflows ○ Annotations in STL, e.g. std::vector<> ● Intel MPX ● Other languages (e.g. races in Java)
  • 51. More environments ● Microsoft Windows ● Mobile, embedded ● OS Kernel (Linux and others) ● Production ○ Crowdsourcing bug detection?
  • 53. ● AddressSanitizer (memory corruption) ○ Linux, OSX, CrOS, Android, iOS ○ i386, x86_64, ARM, PowerPC ○ WIP: Windows, *BSD (?) ○ Clang 3.1+ and GCC 4.8+ ● ThreadSanitizer (races) ○ A "must use" if you have threads (C++, Go) ○ Only x86_64 Linux; Clang 3.2+ and GCC 4.8+ ● MemorySanitizer (uses of uninitialized data) ○ WIP, usable for "console" apps (C++) ○ Only x86_64 Linux; Clang 3.3 Supported platforms
  • 54. ASan/MSan vs Valgrind (Memcheck) Valgrind ASan MSan Heap out-of-bounds YES YES NO Stack out-of-bounds NO YES NO Global out-of-bounds NO YES NO Use-after-free YES YES NO Use-after-return NO Sometimes NO Uninitialized reads YES NO YES CPU Overhead 10x-300x 1.5x-3x 3x
  • 55. ● Slowdowns will add up ○ Bad for interactive or network apps ● Memory overheads will multiply ○ ASan redzone vs TSan/MSan large shadow ● Not trivial to implement Why not a single tool?