I just built LLVM/Clang compiler-rt and tried the -fsanitize option. But strangely, linking fails because it cannot find libclang_rt.san-x86_64.a:
/usr/bin/ld: cannot find /home/hongxu/RESEARCH/llvm-git/obj/bin/../lib/clang/3.7.0/lib/linux/libclang_rt.san-x86_64.a: No such file or directory
clang-3.7: error: linker command failed with exit code 1 (use -v to see invocation)
When I go into the directory /home/hongxu/RESEARCH/llvm-git/obj/bin/../lib/clang/3.7.0/lib/linux/, I find that there are other library files:
# AddressSanitizer
libclang_rt.asan_cxx-x86_64.a
libclang_rt.asan-preinit-x86_64.a
libclang_rt.asan-x86_64.a
# DataFlowSanitizer
libclang_rt.dfsan-libc-x86_64.a
libclang_rt.dfsan-x86_64.a
# LeakSanitizer
libclang_rt.lsan-x86_64.a
# MemorySanitizer
libclang_rt.msan-x86_64.a
# ThreadSanitizer
libclang_rt.tsan-x86_64.a
# UndefinedBehaviorSanitizer
libclang_rt.ubsan_cxx-x86_64.a
libclang_rt.ubsan_standalone_cxx-x86_64.a
libclang_rt.ubsan_standalone-x86_64.a
libclang_rt.ubsan-x86_64.a
I can guess what they do from their names, based on the compiler-rt page. But what is libclang_rt.san-x86_64.a? And how can I get it?
But strangely, linking fails because it cannot find libclang_rt.san-x86_64.a.

Yes, make install does not install some of the things you need. Other times, it installs them in non-standard locations.

Other things it does not install include asan_symbolize.py, which is used to symbolize the dumps from Address Sanitizer (ASan).

But what is libclang_rt.san-x86_64.a? How can I get it?

It is one of the sanitizer libraries. You probably have it; you just don't realize it because it lives in a non-standard location. For example, on my system (I build LLVM/Clang myself):
$ find /usr -name libclang_rt.san-x86_64.a 2>/dev/null
/usr/local/lib/clang/3.5.0/lib/linux/libclang_rt.san-x86_64.a
So what you need to do is use LD_LIBRARY_PATH (Linux) or DYLD_LIBRARY_PATH (OS X) to make sure the compiler driver can find it. You should never have to add the various sanitizer libraries by hand; the compiler driver should always add them for you.

For completeness, Clang 3.4 installs the sanitizer libraries in /usr/local/lib/clang/3.4/lib/linux/ on Linux, and Clang 3.3 installs them in /usr/local/lib/clang/3.3/lib/darwin/ on OS X.

You can actually change the search directories in the source, and the compiler driver will pick them up automatically. I think I had to change the actual source because I could not find a configuration option to add a location such as /usr/local/lib/clang/<version>/lib/linux/. Take a look at tools/clang/lib/Frontend/InitHeaderSearch.cpp and friends. That is where paths like .../include/c++/4.2.1 come from.

By the way, here is how to use Address Sanitizer and asan_symbolize.py. First, run 2to3 on asan_symbolize.py to fix the basic I/O related breakage the Python folks introduced:
$ find Clang-3.5/ -name asan_symbolize.py
Clang-3.5/llvm/projects/compiler-rt/lib/asan/scripts/asan_symbolize.py
2to3 -w Clang-3.5/llvm/projects/compiler-rt/lib/asan/scripts/asan_symbolize.py
echo "" | Clang-3.5/llvm/projects/compiler-rt/lib/asan/scripts/asan_symbolize.py
# Fix errors 2to3 missed
Then copy it to a well-known location (or put it on your PATH):
sudo cp Clang-3.5/llvm/projects/compiler-rt/lib/asan/scripts/asan_symbolize.py /usr/local/bin
Then, for your project:
export CPPFLAGS="-fsanitize=undefined -fsanitize=address"
export CFLAGS="-fsanitize=undefined -fsanitize=address"
export CXXFLAGS="-fsanitize=undefined -fsanitize=address -fno-sanitize=vptr"
export CC=/usr/local/bin/clang
export CXX=/usr/local/bin/clang++
export LD_LIBRARY_PATH=/usr/local/lib/clang/3.5.0/lib/linux
./configure
make
make check 2>&1 | asan_symbolize.py
CPPFLAGS is actually important for Autotools projects. Otherwise, you get the dreaded "C compiler cannot create executables" error.

When you hit an ASan error, you will see something like:
make test 2>&1 | asan_symbolize.py
...
/usr/local/bin/clang -fsanitize=address -Xlinker -export-dynamic
-o python Modules/python.o libpython3.3m.a -ldl -lutil
/usr/local/ssl/lib/libssl.a /usr/local/ssl/lib/libcrypto.a -lm
./python -E -S -m sysconfig --generate-posix-vars
=================================================================
==24064==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x619000004020 at pc 0x4ed4b2 bp 0x7fff80fff010 sp 0x7fff80fff008
READ of size 4 at 0x619000004020 thread T0
#0 0x4ed4b1 in PyObject_Free Python-3.3.5/./Objects/obmalloc.c:987
#1 0x7a2141 in code_dealloc Python-3.3.5/./Objects/codeobject.c:359
#2 0x620c00 in PyImport_ImportFrozenModuleObject
Python-3.3.5/./Python/import.c:1098
#3 0x620d5c in PyImport_ImportFrozenModule
Python-3.3.5/./Python/import.c:1114
#4 0x63fd07 in import_init Python-3.3.5/./Python/pythonrun.c:206
#5 0x63f636 in _Py_InitializeEx_Private
Python-3.3.5/./Python/pythonrun.c:369
#6 0x681d77 in Py_Main Python-3.3.5/./Modules/main.c:648
#7 0x4e6894 in main Python-3.3.5/././Modules/python.c:62
#8 0x2abf9a525eac in __libc_start_main
/home/aurel32/eglibc/eglibc-2.13/csu/libc-start.c:244
#9 0x4e664c in _start (Python-3.3.5/./python+0x4e664c)
AddressSanitizer can not describe address in more detail (wild
memory access suspected).
SUMMARY: AddressSanitizer: heap-buffer-overflow
Python-3.3.5/./Objects/obmalloc.c:987 PyObject_Free
Shadow bytes around the buggy address:
0x0c327fff87b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c327fff87c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c327fff87d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c327fff87e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c327fff87f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c327fff8800: fa fa fa fa[fa]fa fa fa fa fa fa fa fa fa fa fa
0x0c327fff8810: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c327fff8820: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c327fff8830: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c327fff8840: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c327fff8850: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
ASan internal: fe
==24064==ABORTING
make: *** [pybuilddir.txt] Error 1
There is a more complete write-up of the LLVM/Clang build process and of using the sanitizers in Dynamic Analysis with Clang for Python. I wrote it a while ago, so the versions and recipes are stale, but the concepts are the same.
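The report above ends with ASan's shadow-byte legend ("one shadow byte represents 8 application bytes"). The C program below is an added example, not code from the question, the answer, or compiler-rt: it models the shadow encoding the legend describes and the check ASan instruments in front of every load and store, using the legend's values (00 addressable, 01..07 partially addressable, fa/fb heap redzones, fd freed heap region). The fixed arena, the 16-byte redzone size, and the helper names (toy_malloc, toy_free, is_addressable, classify) are assumptions made for the illustration, not ASan's real allocator.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Toy model of AddressSanitizer's shadow memory (assumption: a simplified
 * illustration written for this page, not compiler-rt's runtime).
 * Shadow values come from the legend printed in the ASan report above.
 * One shadow byte describes one 8-byte granule of application memory.
 */
#define GRANULE           8
#define SH_ADDRESSABLE    0x00
#define SH_HEAP_LEFT_RZ   0xfa
#define SH_HEAP_RIGHT_RZ  0xfb
#define SH_HEAP_FREED     0xfd

/* A small arena with its own shadow array (constructed for the example). */
#define ARENA_BYTES 256
#define REDZONE     16   /* bytes on each side of an allocation (assumed size) */
static unsigned char g_shadow[ARENA_BYTES / GRANULE];

/* Set the shadow byte of every granule in [lo, hi); lo and hi are multiples of 8. */
static void poison_range(size_t lo, size_t hi, unsigned char value) {
    for (size_t off = lo; off < hi; off += GRANULE)
        g_shadow[off / GRANULE] = value;
}

unsigned char shadow_at(size_t off) { return g_shadow[off / GRANULE]; }

/* "Allocate" size bytes at arena offset start (multiple of 8) with a left and a
   right redzone. Returns the arena offset of the user-visible memory. */
size_t toy_malloc(size_t start, size_t size) {
    size_t user  = start + REDZONE;
    size_t whole = user + (size / GRANULE) * GRANULE; /* fully addressable granules */
    size_t tail  = size % GRANULE;                    /* bytes in the last, partial granule */
    size_t right = whole;

    poison_range(start, user, SH_HEAP_LEFT_RZ);
    poison_range(user, whole, SH_ADDRESSABLE);
    if (tail) {
        g_shadow[whole / GRANULE] = (unsigned char)tail; /* "Partially addressable: 01..07" */
        right += GRANULE;
    }
    poison_range(right, right + REDZONE, SH_HEAP_RIGHT_RZ);
    return user;
}

/* "Free" the allocation: every granule of the user region becomes a freed heap region. */
void toy_free(size_t user, size_t size) {
    size_t end = (user + size + GRANULE - 1) / GRANULE * GRANULE;
    poison_range(user, end, SH_HEAP_FREED);
}

/* The check instrumented before each 1..8-byte access: shadow byte k == 0 means
   the whole granule is addressable; otherwise the access is fine only if it ends
   before byte k of the granule. Poison values (0xfa, 0xfb, 0xfd, ...) are negative
   as int8_t, so any access into them fails. */
int is_addressable(size_t off, size_t access_size) {
    int8_t k = (int8_t)g_shadow[off / GRANULE];
    if (k == 0)
        return 1;
    long last = (long)(off % GRANULE) + (long)access_size - 1;
    return last < (long)k;
}

/* Map the shadow byte behind a bad access to the bug class ASan prints. As in
   ASan, a partially addressable granule (01..07) means the overflow runs into the
   next granule, so that granule's shadow byte is the one that describes it. */
const char *classify(size_t off) {
    unsigned char k = g_shadow[off / GRANULE];
    if (k >= 1 && k <= 7)
        k = g_shadow[off / GRANULE + 1];
    switch (k) {
    case SH_HEAP_LEFT_RZ:
    case SH_HEAP_RIGHT_RZ: return "heap-buffer-overflow";
    case SH_HEAP_FREED:    return "heap-use-after-free";
    default:               return "ok";
    }
}

int main(void) {
    size_t p = toy_malloc(0, 13); /* 13-byte object: one full granule + 5 bytes */
    printf("user memory at arena offset %zu\n", p);
    printf("read 4 @ %zu: %s\n", p,      is_addressable(p, 4)      ? "ok" : classify(p));
    printf("read 1 @ %zu: %s\n", p + 12, is_addressable(p + 12, 1) ? "ok" : classify(p + 12));
    printf("read 4 @ %zu: %s\n", p + 12, is_addressable(p + 12, 4) ? "ok" : classify(p + 12));
    printf("read 4 @ %zu: %s\n", p + 16, is_addressable(p + 16, 4) ? "ok" : classify(p + 16));
    toy_free(p, 13);
    printf("read 4 @ %zu after free: %s\n", p, is_addressable(p, 4) ? "ok" : classify(p));
    return 0;
}
```

Build it with a plain `cc -std=c99` (no -fsanitize needed, since it only models the runtime). Reading the report above with this model in mind: every shadow byte near the faulting address is fa, so ASan classifies the access as a heap-buffer-overflow but has no nearby allocation to describe, which is why it prints "wild memory access suspected".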