Advanced Debugging and the Address Sanitizer

Size: px

Start display at page:

Download "Advanced Debugging and the Address Sanitizer"

Virginia Jordan
6 years ago
Views:

1 Developer Tools #WWDC15 Advanced Debugging and the Address Sanitizer Finding your undocumented features Session 413 Mike Swingler Xcode UI Infrastructure Anna Zaks LLVM Program Analysis 2015 Apple Inc. All rights reserved. Redistribution or public display not permitted without written permission from Apple.

2 Overview

3 Overview View Debugger

4 Overview View Debugger Advanced Breakpoint Actions

5 Overview View Debugger Advanced Breakpoint Actions Address Sanitizer

6 Overview View Debugger Advanced Breakpoint Actions Address Sanitizer

7 Demo View Debugger and Advanced Breakpoints Mike Swingler Xcode UI Infrastructure

8 Summary

9 Summary View Debugger Focus on troublesome views Visualize your constraints

10 Summary View Debugger Focus on troublesome views Visualize your constraints Advanced Breakpoint Actions Catch exceptions at throw, print message Print expressions without adding clutter

11 Summary View Debugger Focus on troublesome views Visualize your constraints Advanced Breakpoint Actions Catch exceptions at throw, print message Print expressions without adding clutter Address Sanitizer

12 Address Sanitizer Anna Zaks LLVM Program Analysis

13 Memory Corruption

14 Memory Corruption

15 Memory Corruption Is Hard to Debug Hard to consistently reproduce The source of error is often far from its manifestation

16 Language Memory Safety

17 Language Memory Safety Less error prone Swift Objective-C Automatic Reference Counting

18 Language Memory Safety Less error prone Swift Objective-C Automatic Reference Counting More susceptible to memory issues Direct memory manipulation Code that interoperates with C/C++

19 Language Memory Safety Less error prone Swift Objective-C Automatic Reference Counting More susceptible to memory issues Direct memory manipulation Code that interoperates with C/C++

20 What Is Address Sanitizer? Similar to Guard Malloc and Valgrind Finds memory corruption at run time Less overhead Integrated into Debug Navigator Works on OS X, ios (simulator and device)

21 Analyze Memory Corruption Use after free Heap buffer overflow Stack buffer overflow Global variable overflow Overflows in C++ containers Use after return

22 Analyze Memory Corruption Use after free Heap buffer overflow Stack buffer overflow Global variable overflow Overflows in C++ containers Use after return

23 Demo Using Address Sanitizer from Xcode Anna Zaks LLVM Program Analysis

24 Demo Recap 1. Edit Scheme Diagnostics tab 2. Enable Address Sanitizer checkbox 3. Build and Run

25 When to Use Address Sanitizer Investigating memory corruption Manual testing Continuous integration

26 Continuous Integration Enable Sanitization in your non-performance tests In Xcode 1. Edit Scheme Test Diagnostics tab 2. Enable Address Sanitizer checkbox 3. Build and Test

27 Continuous Integration Enable Sanitization in your non-performance tests In Xcode 1. Edit Scheme Test Diagnostics tab 2. Enable Address Sanitizer checkbox 3. Build and Test Command Line $ xcodebuild -scheme "Jogr" test -enableaddresssanitizer YES

28 Compiler Optimization Level None [-O0] is recommended Fast [-O1] is supported Higher optimization is not supported

29 Under the Hood How Address Sanitizer works

30 How Address Sanitizer Works

31 How Address Sanitizer Works clang

32 How Address Sanitizer Works clang

33 How Address Sanitizer Works clang -fsanitize=address

34 How Address Sanitizer Works clang -fsanitize=address

35 How Address Sanitizer Works asan dylib clang -fsanitize=address

36 Shadow Mapping

37 Shadow Mapping Process memory Allocated objects

38 Shadow Mapping Process memory Shadow memory

39 Shadow Mapping Process memory Shadow memory Redzones

40 Shadow Mapping if (IsPoisoned(p)) *p = 0xb00; Crash(); *p = 0xb00;

41 Shadow Mapping if (IsPoisoned(p)) Crash(); *p = 0xb00; Process memory Shadow memory

42 Shadow Mapping if (IsPoisoned(p)) Crash(); *p = 0xb00; Process memory Shadow memory p IsPoisoned(p)

43 Shadow Mapping if (IsPoisoned(p)) Crash(); *p = 0xb00; Process memory Shadow memory p IsPoisoned(p)

44 Shadow Mapping if (IsPoisoned(p)) Crash(); *p = 0xb00; Process memory Shadow memory p IsPoisoned(p) 0xb00

45 Shadow Mapping if (IsPoisoned(p)) Crash(); *p = 0xb00; Process memory Shadow memory

46 Shadow Mapping if (IsPoisoned(p)) Crash(); *p = 0xb00; Process memory Shadow memory p IsPoisoned(p)

47 Shadow Mapping if (IsPoisoned(p)) Crash(); *p = 0xb00; Process memory Shadow memory p IsPoisoned(p)

48 Shadow Mapping 0x7fffffffffff IsPoisoned needs to be fast 1/8 of the address space 0x mmap d at launch 0x1fffffffffff Shadow Region 0x x0fffffffffff 0x

Shadow Mapping 0x7fffffffffff IsPoisoned needs to be fast 1/8 of the address space 0x200000000000 mmap d at launch 0x1fffffffffff

49 Shadow Mapping 0x7fffffffffff IsPoisoned needs to be fast 1/8 of the address space 0x mmap d at launch 0x1fffffffffff Shadow Region bool IsPoisoned(Addr) { Shadow = Addr >> 3 + Offset 0x return (*Shadow)!= 0 0x0fffffffffff } 0x

50 Default Malloc Implementation

51 Default Malloc Implementation allocations

52 Default Malloc Implementation allocations

53 Custom Malloc Implementation

54 Custom Malloc Implementation Valid Poisoned

55 Custom Malloc Implementation Valid Poisoned

56 Custom Malloc Implementation Valid Poisoned

57 Custom Malloc Implementation

58 Custom Malloc Implementation Inserts poisoned red zones around allocations Heap underflows/overflows

59 Custom Malloc Implementation Inserts poisoned red zones around allocations Heap underflows/overflows Delays reuse of freed memory Use-after-free, double free

60 Custom Malloc Implementation Inserts poisoned red zones around allocations Heap underflows/overflows Delays reuse of freed memory Use-after-free, double free Collects stack traces for allocations and frees Comprehensive error reports

61 Compiler Instrumentation of the Stack void foo() { char buffer[16]; int number; buffer } buffer[16] = \0 ; number

62 Compiler Instrumentation of the Stack void foo() { char buffer[16]; int number; if (IsPoisoned(&buffer[16])) Crash(); buffer } buffer[16] = \0 ; number

63 Compiler Instrumentation of Globals int array[] = {1, 2, 3}; void foo() { } int x = array[3];

64 Compiler Instrumentation of Globals char poisoned_redzone1[16]; int array[] = {1, 2, 3}; char poisoned_redzone2[16]; void foo() { if (IsPoisoned(&array[3])) Crash(); int x = array[3]; }

65 Catching C++ Container Overflows std::vector<t> v; v.begin() v.end() v.begin() + v.capacity()

66 Catching C++ Container Overflows std::vector<t> v; v.begin() v.end() v.begin() + v.capacity()

67 Catching C++ Container Overflows std::vector<t> v; v.begin() v.end() v.begin() + v.capacity() std::vector<int> V(8); V.resize(5); return V.data()[5];

68 Catching C++ Container Overflows std::vector<t> v; v.begin() v.end() v.begin() + v.capacity() std::vector<int> V(8); V.resize(5); return V.data()[5]; container-overflow

69 Runtime Function Interposition

70 Runtime Function Interposition Wraps memcpy, memset, strcpy, strlen, fwrite, printf, getline, Extended with extra memory checks These checks work even in non-instrumented code

71 Runtime Function Interposition Wraps memcpy, memset, strcpy, strlen, fwrite, printf, getline, Extended with extra memory checks These checks work even in non-instrumented code wrap_memcpy(dest, src, n) { ASSERT_MEMORY_READABLE(src, n) ASSERT_MEMORY_WRITABLE(dest, n) return orig_memcpy(dest, src, n) }

72 Small Performance Overhead

73 Small Performance Overhead CPU slowdown usually between 2x 5x

74 Small Performance Overhead CPU slowdown usually between 2x 5x Memory overhead 2x 3x

75 Small Performance Overhead CPU slowdown usually between 2x 5x Memory overhead 2x 3x

76 Address Sanitizer

78 Complementary Tools Guard Malloc Finds heap overruns and use-after-free Adds guard pages before and after allocations Does not require recompilation Supported on OS X and in ios simulator Misses some bugs that Address Sanitizer finds

79 Complementary Tools NSZombie Catches Objective-C object over-releases Replaces deallocated objects with zombie objects that trap Enable Zombie Objects in Xcode Zombies Instrument

80 Complementary Tools Malloc Scribble Helps detecting uninitialized variables Fills allocated memory with 0xAA Fills deallocated memory with 0x55

81 Complementary Tools Leaks Instrument Helps detecting leaks Retain cycles Abandoned memory

82 Summary

83 Summary View Debugger

84 Summary View Debugger Advanced Breakpoint Actions

85 Summary View Debugger Advanced Breakpoint Actions Address Sanitizer

86 More Information Documentation Xcode Debugging Address Sanitizer Apple Developer Forums developer.apple.com/forums Stefan Lesser Developer Technologies Evangelist

87 Related Sessions What s New in LLDB Nob Hill Tuesday 2:30PM UI Testing in Xcode Nob Hill Wednesday 11:00AM Implementing UI Designs in Interface Builder Pacific Hights Wednesday 1:30PM Continuous Integration and Code Coverage in Xcode Presidio Thursday 10:00AM Profiling in Depth Mission Thursday 3:30PM

88 Labs Instruments and Debugging Developer Tools Lab B Friday 9:00AM Xcode Open Hours Developer Tools Lab B Friday 1:00PM

Thread Sanitizer and Static Analysis

Developer Tools #WWDC16 Thread Sanitizer and Static Analysis Help with finding bugs in your code Session 412 Anna Zaks Manager, Program Analysis Team Devin Coughlin Engineer, Program Analysis Team 2016