Using AddressSanitizer in Subzero
=================================

AddressSanitizer is a powerful compile-time tool used to detect and report
illegal memory accesses. For a full description of the tool, see the original
`paper
<https://www.usenix.org/system/files/conference/atc12/atc12-final39.pdf>`_.
AddressSanitizer is only supported on native builds of .pexe files and cannot be
used in production.

In Subzero, AddressSanitizer depends on being able to find and instrument calls
to various functions such as malloc() and free(), and as such the .pexe file
being translated must not have had those symbols stripped or inlined. Subzero
will not complain if it is told to translate a .pexe file with its symbols
stripped, but it will not be able to find calls to malloc(), calloc(), free(),
etc., so AddressSanitizer will not work correctly in the final executable.

Furthermore, pnacl-clang automatically inlines some calls to calloc(),
even with inlining turned off, so we provide wrapper scripts,
sz-clang.py and sz-clang++.py, that normally just pass their arguments
through to pnacl-clang or pnacl-clang++, but add instrumentation to
replace calls to calloc() at the source level if they are passed
-fsanitize-address.

These are the steps to compile hello.c to an instrumented object file::

    sz-clang.py -fsanitize-address -o hello.nonfinal.pexe hello.c
    pnacl-finalize --no-strip-syms -o hello.pexe hello.nonfinal.pexe
    pnacl-sz -fsanitize-address -filetype=obj -o hello.o hello.pexe

The resulting object file must be linked with the Subzero-specific
AddressSanitizer runtime to work correctly. A .pexe file can be compiled with
AddressSanitizer and properly linked into a final executable using
subzero/pydir/szbuild.py with the --fsanitize-address flag, i.e.::

    pydir/szbuild.py --fsanitize-address hello.pexe

Handling Wide Loads
===================

Since AddressSanitizer is implemented only in Subzero, the target .pexe may
contain widened loads that would cause false positives. To avoid reporting such
loads as errors, we treat any word-aligned, four-byte load as a potentially
widened load and only check the first byte of the loaded word against shadow
memory.

Building SPEC2000 Benchmark Suite
=================================

Most of the SPEC2000 benchmarks can be built with Subzero and AddressSanitizer;
however, due to the nature of our solution for LLVM's aggressive inlining of
calloc, 300.twolf and 252.eon will not build. AddressSanitizer correctly finds
bugs in 197.parser and 253.perlbmk. 176.gcc crashes for unknown reasons. Among
the benchmarks that do run to completion, the average slowdown introduced is
4.6x.

To build the benchmarks with AddressSanitizer, some small changes to the
Makefile are needed. They can be found `here
<https://codereview.chromium.org/2266553002/>`_.

Once the Makefile has been patched, build and run with these commands::

    cd native_client/tests/spec2k
    ./run_all.sh BuildBenchmarks 0 SetupPnaclX8632Opt <benchmarks>
    ../../toolchain_build/src/subzero/pydir/szbuild_spec2k.py -v -O2 \
        --fsanitize-address <benchmarks>
    ./run_all.sh RunTimedBenchmarks SetupGccX8632Opt train <benchmarks>
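To make the wide-load rule from the Handling Wide Loads section concrete, here is an added toy model of the shadow check in C (illustrative code, not Subzero's instrumentation) that assumes the standard 8-byte ASan shadow granularity, a constructed 64-byte address region, and hypothetical function names:

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy model of the ASan shadow check, added here; not Subzero's own code.
 * 8-byte granules: shadow byte 0 = all 8 addressable, k in 1..7 = only the
 * first k addressable, negative = whole granule poisoned (redzone). */
#define GRANULE 8
#define SHADOW_BYTES 8              /* models a 64-byte application region */
static int8_t shadow[SHADOW_BYTES];

/* Constructed layout: one allocation of `len` bytes at granule-aligned offset
 * `addr` (kept inside the modeled region), everything else poisoned. */
void layout_allocation(uintptr_t addr, size_t len) {
    memset(shadow, -1, sizeof shadow);
    for (uintptr_t a = addr; a < addr + len; a += GRANULE) {
        size_t remaining = addr + len - a;
        shadow[a / GRANULE] = remaining >= GRANULE ? 0 : (int8_t)remaining;
    }
}

/* Is the single byte at `addr` addressable according to shadow memory? */
bool byte_ok(uintptr_t addr) {
    if (addr / GRANULE >= SHADOW_BYTES) return false;   /* outside the model */
    int8_t s = shadow[addr / GRANULE];
    return s == 0 || (s > 0 && (int8_t)(addr % GRANULE) < s);
}

/* Plain ASan rule: every byte of an access must be addressable. */
bool strict_check(uintptr_t addr, size_t size) {
    for (size_t i = 0; i < size; i++)
        if (!byte_ok(addr + i)) return false;
    return true;
}

/* Subzero's load rule: a word-aligned four-byte load may be a widened load, so
 * only its first byte is checked; every other access is checked strictly. */
bool subzero_load_check(uintptr_t addr, size_t size) {
    if (size == 4 && addr % 4 == 0) return byte_ok(addr);
    return strict_check(addr, size);
}

int main(void) {
    layout_allocation(0, 2);            /* 2-byte object, then redzone */
    printf("widened load at 0: strict=%d subzero=%d\n",
           strict_check(0, 4), subzero_load_check(0, 4));     /* 0 then 1 */
    printf("load from redzone at 8: subzero=%d\n", subzero_load_check(8, 4));
    return 0;
}
```

A four-byte load at offset 12 of a 10-byte object is still caught under the relaxed rule, because its first byte already lies past the object; only loads whose first byte is valid are given the benefit of the doubt.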