打全局?jǐn)帱c(diǎn)的時(shí)候 控制臺(tái)不會(huì)輸出exception
可以通過輸入 po $arg1 來輸出錯(cuò)誤
What Is Address Sanitizer
Similar to Guard Malloc and Valgrind
Finds memory corruption at runtime
Less overhead
Integrated into Debug Navigator
Works on OS X, iOS(simulator and device)
Analyze Memory Corruption
Use after free
Heap buffer overflow
Stack buffer overflow
Global variable overflow
Overflows in C++ containers
Use after return
Compiler Optimization Level
None [00] is recommended
Fast [01] is supported
Higher optimization is not supported
How Address Sanitizer Works
clang -fsanitize=address
At runtime, this binary links with as an runtime dylib that contains even more checks, and that dylib is required by the instrumentation
會(huì)進(jìn)行一個(gè)檢查
*p = 0xb00
--->
if (IsPoisoned(p)) Crash();
*p = 0xb00;
Shadow Mapping
IsPoisoned needs to be fast
1/8 of the address space
mmap'd at lunch
bool IsPosioned(Addr) {
Shadow = Addr >> 3 + offset
return (*Shadow) != 0
}
Heap
更改Malloc 的方式,從默認(rèn)的連續(xù)分配內(nèi)存改成間隔分配
Custom Malloc Implementation
Inserts poisoned "red zones" around allocations
Heap underflows/overflows
Delay reuse of freed memory
Use-after-free, double free
Collects stack traces for allocations and frees
Comprehensive error reports
