Re: Runtime security/memory checks for gcc/gdb
Amos Shapira wrote: 2010/1/13 guy keren c...@actcom.co.il: if you are running on windows - you can use purify - it's a commercial tool, Why the condition of Windows? Purify is available for Linux as well. --Amos i meant (implied) that if he's using windows, he cannot use valgrind there - but instead he can use purify there. or the other way around - if he's using linux, he can use valgrind (depending on the CPU type, of-course) - so there's no need to use purify there. --guy ___ Linux-il mailing list Linux-il@cs.huji.ac.il http://mailman.cs.huji.ac.il/mailman/listinfo/linux-il
Re: Runtime security/memory checks for gcc/gdb
On Wed, Jan 13, 2010 at 10:50 AM, guy keren c...@actcom.co.il wrote: Amos Shapira wrote: 2010/1/13 guy keren c...@actcom.co.il: if you are running on windows - you can use purify - it's a commercial tool, Why the condition of Windows? Purify is available for Linux as well. --Amos i meant (implied) that if he's using windows, he cannot use valgrind there - but instead he can use purify there. or the other way around - if he's using linux, he can use valgrind (depending on the CPU type, of-course) - so there's no need to use purify there. Are you saying that Purify has no (or very few) advantages over valgrind for linux from your experience with both? (I never used purify, so I don't really know). --guy ___ Linux-il mailing list Linux-il@cs.huji.ac.il http://mailman.cs.huji.ac.il/mailman/listinfo/linux-il ___ Linux-il mailing list Linux-il@cs.huji.ac.il http://mailman.cs.huji.ac.il/mailman/listinfo/linux-il
Re: Runtime security/memory checks for gcc/gdb
i never performed a thorough head-to-head comparison between the two. valgrind has a few limitations - i didn't check if purify can overcome them or not. if it can - it could be a reason to use both of them. i think i did once check a program, that had a bug that valgrind didn't manage to identify, with pufiry, and it didn't report anything better then valgrind did for that case. this is of-course still not a good enough test. on one occasion, there was an application that failed to run under purify on windows (it looked like some problem with purify - it's not that purify reported errors in the application) - and after it was ported to linux - valgrind managed to run it there. i know this is comparing apples to oranges plus it being anecdotal evidence,- but it was enough for me to get more assurance with valgrind's abilities. --guy Elazar Leibovich wrote: On Wed, Jan 13, 2010 at 10:50 AM, guy keren c...@actcom.co.il mailto:c...@actcom.co.il wrote: Amos Shapira wrote: 2010/1/13 guy keren c...@actcom.co.il mailto:c...@actcom.co.il: if you are running on windows - you can use purify - it's a commercial tool, Why the condition of Windows? Purify is available for Linux as well. --Amos i meant (implied) that if he's using windows, he cannot use valgrind there - but instead he can use purify there. or the other way around - if he's using linux, he can use valgrind (depending on the CPU type, of-course) - so there's no need to use purify there. Are you saying that Purify has no (or very few) advantages over valgrind for linux from your experience with both? (I never used purify, so I don't really know). --guy ___ Linux-il mailing list Linux-il@cs.huji.ac.il mailto:Linux-il@cs.huji.ac.il http://mailman.cs.huji.ac.il/mailman/listinfo/linux-il ___ Linux-il mailing list Linux-il@cs.huji.ac.il http://mailman.cs.huji.ac.il/mailman/listinfo/linux-il
Re: Runtime security/memory checks for gcc/gdb
Elazar Leibovich wrote: IIRC the problem was using a different library, and tracing which problems are yours and which are of the library. See for instance this rant http://www.mega-nerd.com/erikd/Blog/CodeHacking/house_of_cards.html I haven't really got into this, so maybe the suprresion files does allow you to quickly fix it. The way I see it, a problem in a library you use is still a problem in your product. This is not really a false positive. It's more complex than that. The code currently work on the embedded device. This is a mission critical device, so we cannot make changes to the runtime code without testing it throughly first. I try therefor to fix the problem in the emulation level without touching the actual code. (for instance, overriding a certain problematic function which used an uninitialized variable, and got away with it in the embedded device, but not in the desktop, or, replace the macro which stores a specific memory address (hex number) which is used by a the code, and is obviously relevant only for the embedded device) I'll repeat it again, and then stop, as I don't want it to become a war. The fact it is mission critical is another reason to fix all warnings, not a reason to ignore them. Shachar -- Shachar Shemesh Lingnu Open Source Consulting Ltd. http://www.lingnu.com ___ Linux-il mailing list Linux-il@cs.huji.ac.il http://mailman.cs.huji.ac.il/mailman/listinfo/linux-il
Re: Runtime security/memory checks for gcc/gdb
if you are running on windows - you can use purify - it's a commercial tool, it costs money, but it is worth every cent. it used to have a 2-weeks free evaluation version - so you could check that it works well with your product before you ask management for money. of-course, if you are running on windows - you are asking this question on the wrong forum ;) regarding false positives - from my experience, it's a price worth paying - once you manage to clean them out, you have much easier debugging later on. --guy Elazar Leibovich wrote: I tried using valgrind in a different project. The main problems I've had with valgrind are speed (which is not a problem here) and false positives. Getting gdb to report that during runtime has its advantages. Anyhow, I was hoping to hear about products/valgrind add-ons etc I do not know. The main practical problem with it, is convincing management that getting a linux box or VM and build the code on it is worth our while... On Tue, Jan 12, 2010 at 12:27 AM, guy keren c...@actcom.co.il mailto:c...@actcom.co.il wrote: valgrind will tell you whenever you are using an un-ninitialized variable. it'll do so using runtime analysis. have you tried using valgrind at all? --guy Elazar Leibovich wrote: Just a remark, as some people asked me about it privately. I'm not interested in static analysis (which gcc gives for uninitialized variables). But with runtime analysis of where the uninitialized variable have been actually used when the code was run. This is useful in many situations (for instance, when having 3000 (literally) static warnings, some of similar spirit, and no time to check them all) I didn't find anything parallel to that for gcc. On Mon, Jan 11, 2010 at 11:54 PM, Elazar Leibovich elaz...@gmail.com mailto:elaz...@gmail.com mailto:elaz...@gmail.com mailto:elaz...@gmail.com wrote: We have a big legacy embedded code we need to maintain. Often, we wish to run some functions of the code on the PC with injected input, to test them or to test changes we've done to them without loading the code to the device it should run on. The code is written with C. Obviously, this is not an easy task, it is more difficult because, the code is bug ridden, and many times it works by accident (for example, a NULL pointer added a constant and then derefeced, this worked because the memory address was legal). Since the code is big, our strategy is: compile just the parts you need, debug it enough so that it would run on the PC, and keep the changes. Hopefully, after enough time, all (or most) of the code would be runnable on a PC. We use gcc+gdb to compile and debug the code. In Visual Studio's cl.exe there are some security checks http://msdn.microsoft.com/en-us/library/aa289171(VS.71).aspx at run time. This can really assist debugging. For example knowing when an unintialized variable was used can save you alot of frustration when trying to figure out why you're getting a wrong numberic results. My questions are: 1) Are there parallel (or better) runtime security checks for gcc/gdb? I found the -fstack-protection stack canary switch, but are there more of this type? 2) What other tools are there which offer similar protection? Valgrind of course is the first thing that comes to my mind, but I'll be glad to hear any more ideas. For example, I would love to be able to get a warning whenever a pointer is dereferenced twice, where the first time the pointer points at the memory address of variable x, and the second time it points to variable y. That way I'll get a warning for the following bug: int x[3] = {1,2,3};int y[3] = {4,5,6}; int *p = x; for (int i=0;i=3;i++,p++) (*p) = (*p)++; // note the = 3) We use win32 for regular development, so if anyone knows what is the support for such tests in cygwin/mingw, I'll be glad to hear about it. Thanks Elazar Leibovich ___ Linux-il mailing list Linux-il@cs.huji.ac.il mailto:Linux-il@cs.huji.ac.il http://mailman.cs.huji.ac.il/mailman/listinfo/linux-il ___ Linux-il mailing list Linux-il@cs.huji.ac.il http://mailman.cs.huji.ac.il/mailman/listinfo/linux-il
Re: Runtime security/memory checks for gcc/gdb
Elazar Leibovich wrote: On Tue, Jan 12, 2010 at 8:02 AM, Shachar Shemesh shac...@shemesh.biz mailto:shac...@shemesh.biz wrote: Elazar Leibovich wrote: I tried using valgrind in a different project. The main problems I've had with valgrind are speed Yes, that is known. and false positives. That one is new to me. Can you elaborate? IIRC the problem was using a different library, and tracing which problems are yours and which are of the library. See for instance this rant http://www.mega-nerd.com/erikd/Blog/CodeHacking/house_of_cards.html I haven't really got into this, so maybe the suprresion files does allow you to quickly fix it. suppressions are very easy to generate (after you learn to spell the word ;) - you run valgrind with the flag --gen-suppressions - and every time it hits a problem - it will ask you whether to generage a suppression. if you say yes, it'll print the suppression info on screen. you copy this to a file, edit it a little to your liking (to make it a bit more general - i.e. not depend on the specific part in your code that invoked the problematic 3rd-part library), and it works. by the way - we had real false-positives in valgrind, that were fixed in a later valgrind version. so you will have to check this as well. --guy ___ Linux-il mailing list Linux-il@cs.huji.ac.il http://mailman.cs.huji.ac.il/mailman/listinfo/linux-il
Re: Runtime security/memory checks for gcc/gdb
2010/1/13 guy keren c...@actcom.co.il: if you are running on windows - you can use purify - it's a commercial tool, Why the condition of Windows? Purify is available for Linux as well. --Amos ___ Linux-il mailing list Linux-il@cs.huji.ac.il http://mailman.cs.huji.ac.il/mailman/listinfo/linux-il
Re: Runtime security/memory checks for gcc/gdb
valgrind should be your first tool for the task. use it and fix all the errors it reports. what valgrind does not catch, are: 1. corruptions with global variables. 2. many corruptions on the stack. but it catches a lot of other errors. i use no other tools at work - except for as many of gcc's warnings as possible (and the code is compiled with '-Werror' - so we must fix all warnings, one way or another). --guy Elazar Leibovich wrote: We have a big legacy embedded code we need to maintain. Often, we wish to run some functions of the code on the PC with injected input, to test them or to test changes we've done to them without loading the code to the device it should run on. The code is written with C. Obviously, this is not an easy task, it is more difficult because, the code is bug ridden, and many times it works by accident (for example, a NULL pointer added a constant and then derefeced, this worked because the memory address was legal). Since the code is big, our strategy is: compile just the parts you need, debug it enough so that it would run on the PC, and keep the changes. Hopefully, after enough time, all (or most) of the code would be runnable on a PC. We use gcc+gdb to compile and debug the code. In Visual Studio's cl.exe there are some security checks http://msdn.microsoft.com/en-us/library/aa289171(VS.71).aspx at run time. This can really assist debugging. For example knowing when an unintialized variable was used can save you alot of frustration when trying to figure out why you're getting a wrong numberic results. My questions are: 1) Are there parallel (or better) runtime security checks for gcc/gdb? I found the -fstack-protection stack canary switch, but are there more of this type? 2) What other tools are there which offer similar protection? Valgrind of course is the first thing that comes to my mind, but I'll be glad to hear any more ideas. For example, I would love to be able to get a warning whenever a pointer is dereferenced twice, where the first time the pointer points at the memory address of variable x, and the second time it points to variable y. That way I'll get a warning for the following bug: int x[3] = {1,2,3};int y[3] = {4,5,6}; int *p = x; for (int i=0;i=3;i++,p++) (*p) = (*p)++; // note the = 3) We use win32 for regular development, so if anyone knows what is the support for such tests in cygwin/mingw, I'll be glad to hear about it. Thanks Elazar Leibovich ___ Linux-il mailing list Linux-il@cs.huji.ac.il http://mailman.cs.huji.ac.il/mailman/listinfo/linux-il ___ Linux-il mailing list Linux-il@cs.huji.ac.il http://mailman.cs.huji.ac.il/mailman/listinfo/linux-il
Re: Runtime security/memory checks for gcc/gdb
valgrind will tell you whenever you are using an un-ninitialized variable. it'll do so using runtime analysis. have you tried using valgrind at all? --guy Elazar Leibovich wrote: Just a remark, as some people asked me about it privately. I'm not interested in static analysis (which gcc gives for uninitialized variables). But with runtime analysis of where the uninitialized variable have been actually used when the code was run. This is useful in many situations (for instance, when having 3000 (literally) static warnings, some of similar spirit, and no time to check them all) I didn't find anything parallel to that for gcc. On Mon, Jan 11, 2010 at 11:54 PM, Elazar Leibovich elaz...@gmail.com mailto:elaz...@gmail.com wrote: We have a big legacy embedded code we need to maintain. Often, we wish to run some functions of the code on the PC with injected input, to test them or to test changes we've done to them without loading the code to the device it should run on. The code is written with C. Obviously, this is not an easy task, it is more difficult because, the code is bug ridden, and many times it works by accident (for example, a NULL pointer added a constant and then derefeced, this worked because the memory address was legal). Since the code is big, our strategy is: compile just the parts you need, debug it enough so that it would run on the PC, and keep the changes. Hopefully, after enough time, all (or most) of the code would be runnable on a PC. We use gcc+gdb to compile and debug the code. In Visual Studio's cl.exe there are some security checks http://msdn.microsoft.com/en-us/library/aa289171(VS.71).aspx at run time. This can really assist debugging. For example knowing when an unintialized variable was used can save you alot of frustration when trying to figure out why you're getting a wrong numberic results. My questions are: 1) Are there parallel (or better) runtime security checks for gcc/gdb? I found the -fstack-protection stack canary switch, but are there more of this type? 2) What other tools are there which offer similar protection? Valgrind of course is the first thing that comes to my mind, but I'll be glad to hear any more ideas. For example, I would love to be able to get a warning whenever a pointer is dereferenced twice, where the first time the pointer points at the memory address of variable x, and the second time it points to variable y. That way I'll get a warning for the following bug: int x[3] = {1,2,3};int y[3] = {4,5,6}; int *p = x; for (int i=0;i=3;i++,p++) (*p) = (*p)++; // note the = 3) We use win32 for regular development, so if anyone knows what is the support for such tests in cygwin/mingw, I'll be glad to hear about it. Thanks Elazar Leibovich ___ Linux-il mailing list Linux-il@cs.huji.ac.il http://mailman.cs.huji.ac.il/mailman/listinfo/linux-il ___ Linux-il mailing list Linux-il@cs.huji.ac.il http://mailman.cs.huji.ac.il/mailman/listinfo/linux-il
Re: Runtime security/memory checks for gcc/gdb
Elazar Leibovich elaz...@gmail.com writes: Just a remark, as some people asked me about it privately. I'm not interested in static analysis (which gcc gives for uninitialized variables). But with runtime analysis of where the uninitialized variable have been actually used when the code was run. This is useful in many situations (for instance, when having 3000 (literally) static warnings, some of similar spirit, and no time to check them all) I didn't find anything parallel to that for gcc. Do you insist on gcc (or FOSS)? If you are willing to try a commercial product definitely try Insure++ from ParaSoft. I have not touched it for a while, but I have *very* fond memories. The only drawback I recall was that applications ran slower than with gcc due to all the instrumentation it inserts. But man, does it find bugs!... http://www.parasoft.com (no, I don't own the stock). I have not checked, but they used to have evaluation. -- Oleg Goldshmidt | p...@goldshmidt.org ___ Linux-il mailing list Linux-il@cs.huji.ac.il http://mailman.cs.huji.ac.il/mailman/listinfo/linux-il
Re: Runtime security/memory checks for gcc/gdb
I tried using valgrind in a different project. The main problems I've had with valgrind are speed (which is not a problem here) and false positives. Getting gdb to report that during runtime has its advantages. Anyhow, I was hoping to hear about products/valgrind add-ons etc I do not know. The main practical problem with it, is convincing management that getting a linux box or VM and build the code on it is worth our while... On Tue, Jan 12, 2010 at 12:27 AM, guy keren c...@actcom.co.il wrote: valgrind will tell you whenever you are using an un-ninitialized variable. it'll do so using runtime analysis. have you tried using valgrind at all? --guy Elazar Leibovich wrote: Just a remark, as some people asked me about it privately. I'm not interested in static analysis (which gcc gives for uninitialized variables). But with runtime analysis of where the uninitialized variable have been actually used when the code was run. This is useful in many situations (for instance, when having 3000 (literally) static warnings, some of similar spirit, and no time to check them all) I didn't find anything parallel to that for gcc. On Mon, Jan 11, 2010 at 11:54 PM, Elazar Leibovich elaz...@gmail.commailto: elaz...@gmail.com wrote: We have a big legacy embedded code we need to maintain. Often, we wish to run some functions of the code on the PC with injected input, to test them or to test changes we've done to them without loading the code to the device it should run on. The code is written with C. Obviously, this is not an easy task, it is more difficult because, the code is bug ridden, and many times it works by accident (for example, a NULL pointer added a constant and then derefeced, this worked because the memory address was legal). Since the code is big, our strategy is: compile just the parts you need, debug it enough so that it would run on the PC, and keep the changes. Hopefully, after enough time, all (or most) of the code would be runnable on a PC. We use gcc+gdb to compile and debug the code. In Visual Studio's cl.exe there are some security checks http://msdn.microsoft.com/en-us/library/aa289171(VS.71).aspx at run time. This can really assist debugging. For example knowing when an unintialized variable was used can save you alot of frustration when trying to figure out why you're getting a wrong numberic results. My questions are: 1) Are there parallel (or better) runtime security checks for gcc/gdb? I found the -fstack-protection stack canary switch, but are there more of this type? 2) What other tools are there which offer similar protection? Valgrind of course is the first thing that comes to my mind, but I'll be glad to hear any more ideas. For example, I would love to be able to get a warning whenever a pointer is dereferenced twice, where the first time the pointer points at the memory address of variable x, and the second time it points to variable y. That way I'll get a warning for the following bug: int x[3] = {1,2,3};int y[3] = {4,5,6}; int *p = x; for (int i=0;i=3;i++,p++) (*p) = (*p)++; // note the = 3) We use win32 for regular development, so if anyone knows what is the support for such tests in cygwin/mingw, I'll be glad to hear about it. Thanks Elazar Leibovich ___ Linux-il mailing list Linux-il@cs.huji.ac.il http://mailman.cs.huji.ac.il/mailman/listinfo/linux-il ___ Linux-il mailing list Linux-il@cs.huji.ac.il http://mailman.cs.huji.ac.il/mailman/listinfo/linux-il
Re: Runtime security/memory checks for gcc/gdb
Elazar Leibovich wrote: I tried using valgrind in a different project. The main problems I've had with valgrind are speed Yes, that is known. and false positives. That one is new to me. Can you elaborate? Getting gdb to report that during runtime has its advantages. Anyhow, I was hoping to hear about products/valgrind add-ons etc I do not know. The main practical problem with it, is convincing management that getting a linux box or VM and build the code on it is worth our while... Personally, I think that you should start with gcc. Just because it spews out thousands of warnings does not mean they are not all relevant. Compiler warnings are the easiest to fix, easiest to find, and are often written off for no justifiable reason. I'm not sure at which version this started, but gcc 4.4.2 with -Wextra catches your second example (array bounds problem). Shachar -- Shachar Shemesh Lingnu Open Source Consulting Ltd. http://www.lingnu.com ___ Linux-il mailing list Linux-il@cs.huji.ac.il http://mailman.cs.huji.ac.il/mailman/listinfo/linux-il
Re: Runtime security/memory checks for gcc/gdb
On Tue, Jan 12, 2010 at 8:02 AM, Shachar Shemesh shac...@shemesh.bizwrote: Elazar Leibovich wrote: I tried using valgrind in a different project. The main problems I've had with valgrind are speed Yes, that is known. and false positives. That one is new to me. Can you elaborate? IIRC the problem was using a different library, and tracing which problems are yours and which are of the library. See for instance this rant http://www.mega-nerd.com/erikd/Blog/CodeHacking/house_of_cards.html I haven't really got into this, so maybe the suprresion files does allow you to quickly fix it. Getting gdb to report that during runtime has its advantages. Anyhow, I was hoping to hear about products/valgrind add-ons etc I do not know. The main practical problem with it, is convincing management that getting a linux box or VM and build the code on it is worth our while... Personally, I think that you should start with gcc. Just because it spews out thousands of warnings does not mean they are not all relevant. Compiler warnings are the easiest to fix, easiest to find, and are often written off for no justifiable reason. It's more complex than that. The code currently work on the embedded device. This is a mission critical device, so we cannot make changes to the runtime code without testing it throughly first. I try therefor to fix the problem in the emulation level without touching the actual code. (for instance, overriding a certain problematic function which used an uninitialized variable, and got away with it in the embedded device, but not in the desktop, or, replace the macro which stores a specific memory address (hex number) which is used by a the code, and is obviously relevant only for the embedded device) Having a good runtime error checks (such as valgrind) will help me with recognizing this anomalities. I'm not sure at which version this started, but gcc 4.4.2 with -Wextra catches your second example (array bounds problem). That surprising, more complex instances could be reducable to the halting problem (number of times we advance p might depend on any complex function). Didn't work for me. (Does it check that during runtime? perhaps it doesn't work with mingw). le...@leibo-pc ~ $ cat tmp.c int main(int argc,char **argv) { int x[10],y[10],i=0; int *p = x; for (;i=13;i++,p++) *p = (*p)++; return 0; } le...@leibo-pc ~ $ /cygdrive/c/MinGW/bin/gcc.exe --version gcc.exe (TDM-2 mingw32) 4.4.1 Copyright (C) 2009 Free Software Foundation, Inc. This is free software; see the source for copying conditions. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. le...@leibo-pc ~ $ /cygdrive/c/MinGW/bin/gcc.exe -Wextra -Wall tmp.c tmp.c: In function 'main': tmp.c:2: warning: unused variable 'y' tmp.c:1: warning: unused parameter 'argc' tmp.c:1: warning: unused parameter 'argv' Shachar -- Shachar Shemesh Lingnu Open Source Consulting Ltd.http://www.lingnu.com ___ Linux-il mailing list Linux-il@cs.huji.ac.il http://mailman.cs.huji.ac.il/mailman/listinfo/linux-il
Re: Runtime security/memory checks for gcc/gdb
You can also try: gcc -fmudflap # On Monday 11 January 2010 23:54:09 Elazar Leibovich wrote: We have a big legacy embedded code we need to maintain. Often, we wish to run some functions of the code on the PC with injected input, to test them or to test changes we've done to them without loading the code to the device it should run on. The code is written with C. Obviously, this is not an easy task, it is more difficult because, the code is bug ridden, and many times it works by accident (for example, a NULL pointer added a constant and then derefeced, this worked because the memory address was legal). Since the code is big, our strategy is: compile just the parts you need, debug it enough so that it would run on the PC, and keep the changes. Hopefully, after enough time, all (or most) of the code would be runnable on a PC. We use gcc+gdb to compile and debug the code. In Visual Studio's cl.exe there are some security checkshttp://msdn.microsoft.com/en-us/library/aa289171(VS.71).aspxat run time. This can really assist debugging. For example knowing when an unintialized variable was used can save you alot of frustration when trying to figure out why you're getting a wrong numberic results. My questions are: 1) Are there parallel (or better) runtime security checks for gcc/gdb? I found the -fstack-protection stack canary switch, but are there more of this type? 2) What other tools are there which offer similar protection? Valgrind of course is the first thing that comes to my mind, but I'll be glad to hear any more ideas. For example, I would love to be able to get a warning whenever a pointer is dereferenced twice, where the first time the pointer points at the memory address of variable x, and the second time it points to variable y. That way I'll get a warning for the following bug: int x[3] = {1,2,3};int y[3] = {4,5,6}; int *p = x; for (int i=0;i=3;i++,p++) (*p) = (*p)++; // note the = 3) We use win32 for regular development, so if anyone knows what is the support for such tests in cygwin/mingw, I'll be glad to hear about it. Thanks Elazar Leibovich ___ Linux-il mailing list Linux-il@cs.huji.ac.il http://mailman.cs.huji.ac.il/mailman/listinfo/linux-il