On Tuesday, January 26, 2016 at 3:52:40 AM UTC+3, Hanno Böck wrote:
>
> Hi, 
>
> I've been working on this for a while now and finally am able to share 
> it in a reasonably usable way: 
> I have created a Gentoo System with almost everything (except gcc, 
> glibc and a few deps) with asan: 
>
> https://blog.hboeck.de/archives/879-Safer-use-of-C-code-running-Gentoo-with-Address-Sanitizer.html
>  
>
> Some docs in the Gentoo wiki: 
> https://wiki.gentoo.org/wiki/AddressSanitizer 
>
> I hope people find this interesting and want to play with it. 
>

Hi Hanno,

This is great news, thank you for sharing this. I believe that 
sanitization of full distribution and then using them in production would 
allow for many hidden errors in open-source software (AFAIK that was also 
experienced by Google folks). 

I'd also like to share our experience with sanitizing Tizen software 
distribution (which is a typical Linux distro for consumer electronic 
devices). We did this activity last year and got more or less similar 
results (dozens of bugs all over the SW stack and huge performance overheads). 
In our case the situation was a little bit harder because we had to fit the 
resource-limited embedded systems which could not easily tolerate Asan's 2x 
memory increase. Some details (albeit outdated) are available in our paper 
"Fast memory debugger for large software projects" (
http://injoit.org/index.php/j1/article/view/231). 

Also there has been work on enabling ASan in Android 
(https://source.android.com/devices/tech/debug/asan.html) although I'm not 
sure about current status or their experience in general (Evgeny Stepanov 
may want to comment here).

I guess some of the techniques which we used could also be interesting to 
you: 
* rather than relying on CFLAGS/CXXFLAGS (which seem to be ignored by many 
indisciplined packages) we used compiler wrappers which forcedly added ASan 
compilation flags 
* we found that ASan's continue-after-error mode 
(-fsanitize-recover=address) allowed for much longer test runs and 
significantly reduced time to detect bugs (we have added this to Clang 3.7 
and GCC 6); this technique could introduce false positives (although 
unlikely)
* regarding your comment in https://wiki.gentoo.org/wiki/AddressSanitizer : 
"It is not possible to use an application that is not using Address 
Sanitizer with a library that has been compiled with Address Sanitizer" - 
AFAIK this will work if you ensure to add ASan's runtime library to 
/etc/ld.so.preload (this won't work in 100% of cases due to issues with 
library initialization order but may be robust enough for many users) 

Best regards,
Yury Gribov
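
The compiler-wrapper technique from the first two bullets above, sketched as an added example; it is not code from this thread or from the Tizen work. The names `REAL_CC`, `ASAN_WRAP_DISABLE`, `asan_wanted` and `asan_cc` are hypothetical, and the script is assumed to be installed under the compiler's name (for example `gcc`) in a directory placed ahead of the real compiler in `PATH`.

```shell
#!/bin/sh
# Added example: force ASan flags regardless of whether a package's build
# system honours CFLAGS/CXXFLAGS. All names below are hypothetical.

# Assumed location of the real compiler, derived from the wrapper's own name.
REAL_CC=${REAL_CC:-/usr/bin/${0##*/}}
# -fsanitize-recover=address is the continue-after-error mode from the message.
ASAN_FLAGS="-fsanitize=address -fsanitize-recover=address -fno-omit-frame-pointer"

# Print "yes" when ASan flags should be appended to this invocation.
asan_wanted() {
    if [ -n "${ASAN_WRAP_DISABLE:-}" ]; then
        echo no; return      # manual escape hatch for packages that break
    fi
    for arg in "$@"; do
        case $arg in
            -fsanitize=*address*) echo no; return ;;  # already instrumented
            -static) echo no; return ;;  # ASan does not support static executables
        esac
    done
    echo yes
}

# Run the real compiler with the caller's arguments plus the forced flags.
asan_cc() {
    if [ "$(asan_wanted "$@")" = yes ]; then
        # ASAN_FLAGS is intentionally unquoted so it splits into three
        # arguments; the caller's own arguments stay intact, spaces included.
        set -- "$@" $ASAN_FLAGS
    fi
    "$REAL_CC" "$@"
}

# Act as the compiler only when invoked under a compiler name.
case ${0##*/} in
    gcc|g++|cc|c++|clang|clang++) asan_cc "$@" ;;
esac
```

Binaries built this way keep running after the first report only if `ASAN_OPTIONS=halt_on_error=0` is also set at run time.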
