WWDC2015 Advanced Debugging and the Address Sanitizer

When a global breakpoint is hit, the console does not print the exception.
You can print it by entering po $arg1.

What Is Address Sanitizer

Similar to Guard Malloc and Valgrind
Finds memory corruption at runtime
Less overhead
Integrated into Debug Navigator
Works on OS X and iOS (simulator and device)

Analyze Memory Corruption

Use after free
Heap buffer overflow
Stack buffer overflow
Global variable overflow
Overflows in C++ containers
Use after return

Compiler Optimization Level

None [-O0] is recommended
Fast [-O1] is supported
Higher optimization levels are not supported

How Address Sanitizer Works

clang -fsanitize=address
At runtime the instrumented binary links against an ASan runtime dylib that contains even more checks; the instrumentation requires that dylib.

Every memory access is instrumented with a check:

*p = 0xb00

--->

if (IsPoisoned(p)) Crash();
*p = 0xb00;

Shadow Mapping

IsPoisoned needs to be fast
Shadow memory takes 1/8 of the address space
mmap'd at launch

bool IsPoisoned(Addr) {
  Shadow = (Addr >> 3) + Offset   // one shadow byte per 8-byte granule
  return (*Shadow) != 0           // 0 means all 8 bytes are addressable
}

Heap

Changes how malloc works: instead of the default contiguous allocation, allocations are separated by gaps.

Custom Malloc Implementation

Inserts poisoned "red zones" around allocations: catches heap underflows/overflows
Delays reuse of freed memory: catches use-after-free and double free
Collects stack traces for allocations and frees: enables comprehensive error reports
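A toy model of the shadow mapping and red-zone allocator described in the two sections above, as an added example (not code from the session or from LLVM's runtime). It assumes a 512-byte arena standing in for the address space and folds Offset into the shadow array's base, and it goes beyond the slide's `!= 0` check by implementing the real shadow-byte encoding, where a value k in 1..7 marks a granule whose first k bytes are addressable and a negative value marks a fully poisoned granule (tag values and sizes are constructed).

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed model of ASan's shadow mapping: "addresses" are offsets into
 * a small arena, and one shadow byte covers each 8-byte granule. */
#define ARENA_SIZE 512
#define GRANULE 8
#define REDZONE 16                   /* red-zone bytes on each side of a block */
#define SHADOW_REDZONE (-6)          /* constructed tag for red zones */
#define SHADOW_FREED   (-3)          /* constructed tag for freed (quarantined) memory */

static int8_t shadow[ARENA_SIZE / GRANULE]; /* all 0 = fully addressable, like fresh mmap */
static size_t bump;                          /* next unused offset in the arena */

/* Shadow = (Addr >> 3) + Offset; Offset is the shadow array's base here. */
bool is_poisoned(size_t addr) {
    int8_t s = shadow[addr >> 3];
    if (s == 0) return false;                 /* all 8 bytes addressable */
    if (s < 0) return true;                   /* whole granule poisoned */
    return (int)(addr & (GRANULE - 1)) >= s;  /* only the first s bytes addressable */
}

/* Poison a granule-aligned range with a tag. */
static void poison(size_t addr, size_t len, int8_t tag) {
    memset(&shadow[addr >> 3], (unsigned char)tag, len / GRANULE);
}

/* Allocate n bytes with red zones on both sides; returns the offset or (size_t)-1. */
size_t toy_malloc(size_t n) {
    size_t body = (n + GRANULE - 1) & ~(size_t)(GRANULE - 1);  /* round up to granules */
    if (bump + REDZONE + body + REDZONE > ARENA_SIZE) return (size_t)-1;
    size_t addr = bump + REDZONE;
    poison(bump, REDZONE, SHADOW_REDZONE);                   /* left red zone */
    memset(&shadow[addr >> 3], 0, body / GRANULE);           /* body is addressable */
    if (n % GRANULE)                                         /* partial last granule */
        shadow[(addr + body - GRANULE) >> 3] = (int8_t)(n % GRANULE);
    poison(addr + body, REDZONE, SHADOW_REDZONE);            /* right red zone */
    bump = addr + body + REDZONE;                            /* never reuse: delayed reuse */
    return addr;
}

/* Free poisons the block so any later access to it is reported as use-after-free. */
void toy_free(size_t addr, size_t n) {
    size_t body = (n + GRANULE - 1) & ~(size_t)(GRANULE - 1);
    poison(addr, body, SHADOW_FREED);
}
```

Each access an instrumented program makes would call `is_poisoned` first and crash with a report when it returns true; off-by-one reads past a 13-byte block, reads into the red zones, and reads after free are all caught here.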

Slides comparing the other tools (images not reproduced here):
Guard Malloc
NSZombie
Malloc Scribble
