Using AddressSanitizer in Subzero
=================================

AddressSanitizer is a powerful compile-time instrumentation tool used to detect
and report illegal memory accesses. For a full description of the tool, see the
original `paper
<https://www.usenix.org/system/files/conference/atc12/atc12-final39.pdf>`_.
AddressSanitizer is only supported on native builds of .pexe files and cannot be
used in production.

In Subzero, AddressSanitizer depends on being able to find and instrument calls
to various functions such as malloc() and free(), and as such the .pexe file
being translated must not have had those symbols stripped or inlined. Subzero
will not complain if it is told to translate a .pexe file with its symbols
stripped, but it will not be able to find calls to malloc(), calloc(), free(),
etc., so AddressSanitizer will not work correctly in the final executable.

Furthermore, pnacl-clang automatically inlines some calls to calloc(),
even with inlining turned off, so we provide wrapper scripts,
sz-clang.py and sz-clang++.py, that normally just pass their arguments
through to pnacl-clang or pnacl-clang++, but add instrumentation to
replace calls to calloc() at the source level if they are passed
-fsanitize-address.

These are the steps to compile hello.c to an instrumented object file::

    sz-clang.py -fsanitize-address -o hello.nonfinal.pexe hello.c
    pnacl-finalize --no-strip-syms -o hello.pexe hello.nonfinal.pexe
    pnacl-sz -fsanitize-address -filetype=obj -o hello.o hello.pexe

The resulting object file must be linked with the Subzero-specific
AddressSanitizer runtime to work correctly.

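The three-step build above, wrapped in a script that refuses to translate the
finalized .pexe until it has confirmed the allocator symbols survived
finalization, since pnacl-sz itself does not complain about a stripped input.
This is an added example, not one of Subzero's own pydir scripts. It assumes
pnacl-nm is on PATH and prints BSD-style ``address type name`` lines, and it
checks only malloc, calloc and free; the listing used for the self-check at the
bottom is constructed, not real toolchain output.

```shell
#!/bin/sh
# Added example: ASan build pipeline with a symbol-survival guard.
# Assumptions (not from the Subzero docs): pnacl-nm exists and prints
# "address type name" lines; REQUIRED_SYMS is the set ASan must see.

REQUIRED_SYMS="malloc calloc free"

# Read an nm-style listing on stdin and succeed only if every required
# symbol appears with its own name (any one-letter type column, defined
# or undefined). A stripped pexe has no names, so this fails.
check_alloc_syms() {
    listing=$(cat)
    missing=""
    for sym in $REQUIRED_SYMS; do
        if ! printf '%s\n' "$listing" |
                grep -Eq "(^|[[:space:]])[A-Za-z][[:space:]]+$sym\$"; then
            missing="$missing $sym"
        fi
    done
    if [ -n "$missing" ]; then
        echo "missing allocator symbols:$missing" >&2
        return 1
    fi
    return 0
}

# Compile src.c to src.o with ASan instrumentation. The object still has to
# be linked with the Subzero ASan runtime afterwards (e.g. via
# pydir/szbuild.py --fsanitize-address).
build_instrumented() {
    src=$1
    base=${src%.c}
    sz-clang.py -fsanitize-address -o "$base.nonfinal.pexe" "$src" || return 1
    pnacl-finalize --no-strip-syms -o "$base.pexe" "$base.nonfinal.pexe" || return 1
    # Guard: translating a stripped pexe "succeeds" but ASan then misses
    # every malloc/calloc/free call, so fail loudly here instead.
    pnacl-nm "$base.pexe" | check_alloc_syms || return 1
    pnacl-sz -fsanitize-address -filetype=obj -o "$base.o" "$base.pexe"
}

if [ -n "${1:-}" ]; then
    build_instrumented "$1"
else
    # Self-check on a constructed listing (not real pnacl-nm output);
    # no toolchain call is made in this branch.
    printf '%s\n' '00000000 T main' '00000020 T malloc' \
                  '00000040 T calloc' '00000060 T free' |
        check_alloc_syms && echo "checker ok"
fi
```

Run it as ``./build_asan.sh hello.c``; with no arguments it only exercises the
checker on the constructed listing.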
A .pexe file can also be compiled with AddressSanitizer and properly linked
into a final executable using subzero/pydir/szbuild.py with the
--fsanitize-address flag, for example::

    pydir/szbuild.py --fsanitize-address hello.pexe

Handling Wide Loads
===================

Since AddressSanitizer is implemented only in Subzero, the target .pexe may
already contain loads that LLVM has widened (for example, a one- or two-byte
field fetched as a full word), which would cause false positives. To avoid
reporting such loads as errors, we treat any word-aligned, four-byte load as a
potentially widened load and only check the first byte of the loaded word
against shadow memory.

Building SPEC2000 Benchmark Suite
=================================

Most of the SPEC2000 benchmarks can be built with Subzero and AddressSanitizer;
however, because of the way we work around LLVM's aggressive inlining of
calloc, 300.twolf and 252.eon will not build. AddressSanitizer correctly finds
bugs in 197.parser and 253.perlbmk. 176.gcc crashes for unknown reasons.
Among the benchmarks that do run to completion, the average slowdown introduced
is 4.6x.

To build the benchmarks with AddressSanitizer, some small changes to the
Makefile are needed. They can be found `here
<https://codereview.chromium.org/2266553002/>`_.

Once the Makefile has been patched, build and run with these commands::

    cd native_client/tests/spec2k
    ./run_all.sh BuildBenchmarks 0 SetupPnaclX8632Opt <benchmarks>
    ../../toolchain_build/src/subzero/pydir/szbuild_spec2k.py -v -O2 \
        --fsanitize-address <benchmarks>
    ./run_all.sh RunTimedBenchmarks SetupGccX8632Opt train <benchmarks>
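The first-byte-only rule from the Handling Wide Loads section above, modelled
in C as an added example (this is not code from Subzero's AddressSanitizer
runtime). It assumes the standard shadow encoding from the paper, one shadow
byte per 8 bytes of application memory, where 0 means all 8 bytes are
addressable, k in 1..7 means only the first k bytes are, and a negative value
means the whole word is poisoned; addresses are offsets into a toy heap, and
Subzero's real shadow base and allocator layout are not reproduced. Beyond
showing why the relaxation is needed, it shows the cost of it: an aligned
four-byte load that overruns an object by up to three bytes is not reported.

```c
/* Added example, not Subzero runtime code. Assumed: the paper's 1:8 shadow
 * encoding (0 = all addressable, 1..7 = first k bytes addressable,
 * negative = poisoned) over a toy heap addressed by byte offset. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HEAP_BYTES 64
static int8_t shadow[HEAP_BYTES / 8];

/* Poison the whole toy heap, then make [off, off+len) addressable.
 * off must be 8-byte aligned, as allocator results are. */
static void setup_alloc(size_t off, size_t len) {
    memset(shadow, -1, sizeof shadow);
    for (size_t a = off; a < off + len; a += 8) {
        size_t remaining = off + len - a;
        shadow[a / 8] = remaining >= 8 ? 0 : (int8_t)remaining;
    }
}

/* Is the single byte at addr addressable according to shadow memory? */
static bool byte_ok(size_t addr) {
    int8_t s = shadow[addr / 8];
    if (s == 0) return true;
    if (s < 0) return false;
    return (addr % 8) < (size_t)s;
}

/* Strict check: every byte of [addr, addr+size) must be addressable. */
static bool access_ok_strict(size_t addr, size_t size) {
    for (size_t i = 0; i < size; i++)
        if (!byte_ok(addr + i)) return false;
    return true;
}

/* Subzero's rule: a word-aligned four-byte load may be a widened load, so
 * only its first byte is checked; every other load gets the strict check. */
static bool load_ok_subzero(size_t addr, size_t size) {
    if (size == 4 && addr % 4 == 0) return byte_ok(addr);
    return access_ok_strict(addr, size);
}

int main(void) {
    /* 10-byte object at offset 8: bytes 8..17 valid, 18..23 are redzone. */
    setup_alloc(8, 10);
    /* Widened load: the 2-byte field at 16 is fetched as word 16..19.
     * Strict checking flags it; the relaxed check does not. */
    printf("widened load @16: strict=%d subzero=%d\n",
           access_ok_strict(16, 4), load_ok_subzero(16, 4));
    /* Genuine overflow: an aligned 4-byte load at 20 starts in the redzone. */
    printf("oob load @20: subzero=%d\n", load_ok_subzero(20, 4));
    /* An unaligned 4-byte load at 17 cannot be a widened load, so it stays
     * strict and is reported because byte 18 is poisoned. */
    printf("unaligned load @17: subzero=%d\n", load_ok_subzero(17, 4));
    /* Cost of the relaxation: with a 1-byte object at 16, an aligned 4-byte
     * load at 16 overreads three redzone bytes and is not reported. */
    setup_alloc(16, 1);
    printf("3-byte overread hidden: strict=%d subzero=%d\n",
           access_ok_strict(16, 4), load_ok_subzero(16, 4));
    return 0;
}
```

The loop in setup_alloc is what makes the partial-word case (a shadow value of
2 for bytes 16..17) appear; the last case is the trade-off the rule accepts in
exchange for not reporting LLVM's widened loads.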