==============
SanitizerStats
==============

.. contents::
   :local:

Introduction
============

The sanitizers support a simple mechanism for gathering profiling statistics
to help understand the overhead associated with sanitizers.

How to build and run
====================

SanitizerStats can currently only be used with :doc:`ControlFlowIntegrity`.
In addition to ``-fsanitize=cfi*``, pass the ``-fsanitize-stats`` flag.
This will cause the program to count the number of times that each control
flow integrity check in the program fires.

At run time, set the ``SANITIZER_STATS_PATH`` environment variable to direct
statistics output to a file. The file will be written on process exit.
The following substitutions will be applied to the environment variable:

  - ``%b`` -- The executable basename.
  - ``%p`` -- The process ID.

You can also send the ``SIGUSR2`` signal to a process to make it write
sanitizer statistics immediately.

The ``sanstats`` program can be used to dump statistics. It takes as a
command line argument the path to a statistics file produced by a program
compiled with ``-fsanitize-stats``.

The output of ``sanstats`` is in four columns, separated by spaces. The first
column is the file and line number of the call site. The second column is
the function name. The third column is the type of statistic gathered (in
this case, the type of control flow integrity check). The fourth column is
the call count.

Example:

.. code-block:: console

    $ cat -n vcall.cc
         1 struct A {
         2   virtual void f() {}
         3 };
         4
         5 __attribute__((noinline)) void g(A *a) {
         6   a->f();
         7 }
         8
         9 int main() {
        10   A a;
        11   g(&a);
        12 }
    $ clang++ -fsanitize=cfi -flto -fuse-ld=gold vcall.cc -fsanitize-stats -g
    $ SANITIZER_STATS_PATH=a.stats ./a.out
    $ sanstats a.stats
    vcall.cc:6 _Z1gP1A cfi-vcall 1
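
As an added example (not part of the original documentation or the LLVM project's code), the following Python script post-processes the four-column ``sanstats`` output described above, totalling call counts per check type and ranking the hottest call sites. The sample rows are constructed, the names ``parse_sanstats`` and ``summarize`` are hypothetical, and rows are split from the right on the assumption that only the file path may contain spaces.

```python
from collections import Counter

# Constructed sample in the four-column format that sanstats prints
# (call site, function, check type, call count); not real program output.
SAMPLE = """\
vcall.cc:6 _Z1gP1A cfi-vcall 1
src/render loop.cc:41 _ZN6Render4tickEv cfi-vcall 120000
src/plugin.cc:88 _Z8dispatchPFvvE cfi-icall 3500
src/shape.cc:17 _Z6as_boxP5Shape cfi-derived-cast 42
src/render loop.cc:41 _ZN6Render4tickEv cfi-vcall 30000
"""

def parse_sanstats(text):
    """Yield (file, line, function, check, count) for each well-formed row."""
    for row in text.splitlines():
        # Assumption: only the path can contain spaces, so split from the right.
        fields = row.rsplit(None, 3)
        if len(fields) != 4:
            continue  # blank or truncated row
        site, func, check, count = fields
        path, _, lineno = site.rpartition(":")
        if not path or not lineno.isdigit() or not count.isdigit():
            continue  # call site is not file:line, or count is not a number
        yield path, int(lineno), func, check, int(count)

def summarize(text, top=3):
    """Return (call count per check type, the `top` hottest call sites)."""
    by_check, by_site = Counter(), Counter()
    for path, lineno, func, check, count in parse_sanstats(text):
        by_check[check] += count
        # Rows for the same site (e.g. merged dumps from several runs) are summed.
        by_site[(path, lineno, func, check)] += count
    return dict(by_check), by_site.most_common(top)

if __name__ == "__main__":
    by_check, hottest = summarize(SAMPLE)
    for check, total in sorted(by_check.items(), key=lambda kv: -kv[1]):
        print(f"{check:18} {total}")
    for (path, lineno, func, check), total in hottest:
        print(f"{total:>8}  {path}:{lineno}  {func}  {check}")
```

To use it on real data, pass the captured text of ``sanstats a.stats`` to ``summarize`` in place of ``SAMPLE``.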