[ASan] Document define to disable container overflow checks at compile time. #163468
Conversation
llvmbot
added
clang
|
@llvm/pr-subscribers-compiler-rt-sanitizer Author: Paddy McDonald (padriff) ChangesDocument a define to allow library developers to support disabling The primary motivation is to reduce false positives in environments where Key changes:
The recommended pattern is: This requires no compiler changes and should be supportable cross compiler toolchains. An RFC has been opened to discuss: https://discourse.llvm.org/t/rfc-add-fsanitize-address-disable-container-overflow-flag-to-addresssanitizer/88349 Full diff: https://github.com/llvm/llvm-project/pull/163468.diff 3 Files Affected:
diff --git a/clang/docs/AddressSanitizer.rst b/clang/docs/AddressSanitizer.rst
index 21e1a3652192e..2fb4d7056296b 100644
--- a/clang/docs/AddressSanitizer.rst
+++ b/clang/docs/AddressSanitizer.rst
@@ -164,6 +164,23 @@ To summarize: ``-fsanitize-address-use-after-return=<mode>``
* ``always``: Enables detection of UAR errors in all cases. (reduces code
size, but not as much as ``never``).
+Container Overflow Detection
+----------------------------
+
+AddressSanitizer can detect overflows in containers with custom allocators
+(such as std::vector) where the Library developers have added calls into the
+AddressSanitizer runtime to indicate which memory is poisoned etc.
+
+In environments where not all the process binaries can be recompiled with
+AddressSanitizer enabled, these checks can cause false positives.
+
+These checks can be disabled at runtime using
+``ASAN_OPTIONS=detect_container_overflow=0``
+
+``-D__ASAN_DISABLE_CONTAINER_OVERFLOW__`` can be used at compile time to
+disable container overflow checks if the container library has added support
+for this define.
+
Memory leak detection
---------------------
@@ -242,6 +259,29 @@ AddressSanitizer also supports
works similar to ``__attribute__((no_sanitize("address")))``, but it also
prevents instrumentation performed by other sanitizers.
+Disabling container overflow checks with ``-D__ASAN_DISABLE_CONTAINER_OVERFLOW__``
+----------------------------------------------------------------------------------
+
+To support a standard way to disable container overflow checks at compile time,
+Library developers should use this definition in conjunction with the
+AddressSanitizer feature test to conditionally include container overflow
+related code compiled into user code:
+
+The recommended form is
+
+.. code-block:: c
+ #if __has_feature(address_sanitizer) && !__ASAN_DISABLE_CONTAINER_OVERFLOW__
+ // Container overflow detection enabled - include annotations
+ __sanitizer_annotate_contiguous_container(beg, end, old_mid, new_mid);
+ #endif
+
+This pattern ensures that:
+
+* Container overflow annotations are only included when AddressSanitizer is
+ enabled
+* Container overflow detection can be disabled by passing
+ ``-D__ASAN_DISABLE_CONTAINER_OVERFLOW__`` to the compiler
+
Suppressing Errors in Recompiled Code (Ignorelist)
--------------------------------------------------
diff --git a/compiler-rt/lib/asan/asan_errors.cpp b/compiler-rt/lib/asan/asan_errors.cpp
index 2a207cd06ccac..5b3d479fbbcd4 100644
--- a/compiler-rt/lib/asan/asan_errors.cpp
+++ b/compiler-rt/lib/asan/asan_errors.cpp
@@ -514,11 +514,15 @@ ErrorGeneric::ErrorGeneric(u32 tid, uptr pc_, uptr bp_, uptr sp_, uptr addr,
}
static void PrintContainerOverflowHint() {
- Printf("HINT: if you don't care about these errors you may set "
- "ASAN_OPTIONS=detect_container_overflow=0.\n"
- "If you suspect a false positive see also: "
- "https://github.com/google/sanitizers/wiki/"
- "AddressSanitizerContainerOverflow.\n");
+ Printf(
+ "HINT: if you don't care about these errors you may set "
+ "ASAN_OPTIONS=detect_container_overflow=0.\n"
+ "If supported by the container library pass "
+ "-D__ASAN_DISABLE_CONTAINER_OVERFLOW__ to the compiler to disable "
+ " instrumentation.\n"
+ "If you suspect a false positive see also: "
+ "https://github.com/google/sanitizers/wiki/"
+ "AddressSanitizerContainerOverflow.\n");
}
static void PrintShadowByte(InternalScopedString *str, const char *before,
diff --git a/compiler-rt/test/asan/TestCases/contiguous_container_crash.cpp b/compiler-rt/test/asan/TestCases/contiguous_container_crash.cpp
index b88e02b84ad67..4661c20d3d792 100644
--- a/compiler-rt/test/asan/TestCases/contiguous_container_crash.cpp
+++ b/compiler-rt/test/asan/TestCases/contiguous_container_crash.cpp
@@ -7,55 +7,72 @@
// RUN: %env_asan_opts=detect_container_overflow=0 %run %t crash
//
// Test crash due to __sanitizer_annotate_contiguous_container.
+//
+// Test with -D__ASAN_DISABLE_CONTAINER_OVERFLOW__ flag - should not crash
+// RUN: %clangxx_asan -D__ASAN_DISABLE_CONTAINER_OVERFLOW__ -O %s -o %t-no-overflow
+// RUN: %run %t-no-overflow crash
+// RUN: %run %t-no-overflow bad-bounds
+// RUN: %run %t-no-overflow unaligned-bad-bounds
+// RUN: %run %t-no-overflow odd-alignment
+// RUN: %run %t-no-overflow odd-alignment-end
+//
+// Test overflow checks can be disabled
#include <assert.h>
#include <string.h>
-extern "C" {
-void __sanitizer_annotate_contiguous_container(const void *beg, const void *end,
- const void *old_mid,
- const void *new_mid);
-} // extern "C"
+// public definition of __sanitizer_annotate_contiguous_container
+#include "sanitizer/common_interface_defs.h"
static volatile int one = 1;
int TestCrash() {
long t[100];
t[60] = 0;
+#if __has_feature(address_sanitizer) && !__ASAN_DISABLE_CONTAINER_OVERFLOW__
__sanitizer_annotate_contiguous_container(&t[0], &t[0] + 100, &t[0] + 100,
&t[0] + 50);
-// CHECK-CRASH: AddressSanitizer: container-overflow
-// CHECK-CRASH: if you don't care about these errors you may set ASAN_OPTIONS=detect_container_overflow=0
- return (int)t[60 * one]; // Touches the poisoned memory.
+#endif
+ // CHECK-CRASH: AddressSanitizer: container-overflow
+ // CHECK-CRASH: if you don't care about these errors you may set ASAN_OPTIONS=detect_container_overflow=0
+ return (int)t[60 * one]; // Touches the poisoned memory.
}
void BadBounds() {
long t[100];
-// CHECK-BAD-BOUNDS: ERROR: AddressSanitizer: bad parameters to __sanitizer_annotate_contiguous_container
+#if __has_feature(address_sanitizer) && !__ASAN_DISABLE_CONTAINER_OVERFLOW__
+ // CHECK-BAD-BOUNDS: ERROR: AddressSanitizer: bad parameters to __sanitizer_annotate_contiguous_container
__sanitizer_annotate_contiguous_container(&t[0], &t[0] + 100, &t[0] + 101,
&t[0] + 50);
+#endif
}
void UnalignedBadBounds() {
char t[100];
+#if __has_feature(address_sanitizer) && !__ASAN_DISABLE_CONTAINER_OVERFLOW__
// CHECK-UNALIGNED-BAD-BOUNDS: ERROR: AddressSanitizer: bad parameters to __sanitizer_annotate_contiguous_container
__sanitizer_annotate_contiguous_container(&t[1], &t[0] + 100, &t[0] + 101,
&t[0] + 50);
+#endif
}
int OddAlignment() {
int t[100];
t[60] = 0;
+#if __has_feature(address_sanitizer) && !__ASAN_DISABLE_CONTAINER_OVERFLOW__
__sanitizer_annotate_contiguous_container(&t[1], &t[0] + 100, &t[0] + 100,
&t[1] + 50);
+#endif
return (int)t[60 * one]; // Touches the poisoned memory.
}
int OddAlignmentEnd() {
int t[99];
t[60] = 0;
+#if __has_feature(address_sanitizer) && !__ASAN_DISABLE_CONTAINER_OVERFLOW__
__sanitizer_annotate_contiguous_container(&t[0], &t[0] + 98, &t[0] + 98,
&t[0] + 50);
+#endif
return (int)t[60 * one]; // Touches the poisoned memory.
}
|
|
@llvm/pr-subscribers-clang Author: Paddy McDonald (padriff) ChangesDocument a define to allow library developers to support disabling The primary motivation is to reduce false positives in environments where Key changes:
The recommended pattern is: This requires no compiler changes and should be supportable cross compiler toolchains. An RFC has been opened to discuss: https://discourse.llvm.org/t/rfc-add-fsanitize-address-disable-container-overflow-flag-to-addresssanitizer/88349 Full diff: https://github.com/llvm/llvm-project/pull/163468.diff 3 Files Affected:
diff --git a/clang/docs/AddressSanitizer.rst b/clang/docs/AddressSanitizer.rst
index 21e1a3652192e..2fb4d7056296b 100644
--- a/clang/docs/AddressSanitizer.rst
+++ b/clang/docs/AddressSanitizer.rst
@@ -164,6 +164,23 @@ To summarize: ``-fsanitize-address-use-after-return=<mode>``
* ``always``: Enables detection of UAR errors in all cases. (reduces code
size, but not as much as ``never``).
+Container Overflow Detection
+----------------------------
+
+AddressSanitizer can detect overflows in containers with custom allocators
+(such as std::vector) where the Library developers have added calls into the
+AddressSanitizer runtime to indicate which memory is poisoned etc.
+
+In environments where not all the process binaries can be recompiled with
+AddressSanitizer enabled, these checks can cause false positives.
+
+These checks can be disabled at runtime using
+``ASAN_OPTIONS=detect_container_overflow=0``
+
+``-D__ASAN_DISABLE_CONTAINER_OVERFLOW__`` can be used at compile time to
+disable container overflow checks if the container library has added support
+for this define.
+
Memory leak detection
---------------------
@@ -242,6 +259,29 @@ AddressSanitizer also supports
works similar to ``__attribute__((no_sanitize("address")))``, but it also
prevents instrumentation performed by other sanitizers.
+Disabling container overflow checks with ``-D__ASAN_DISABLE_CONTAINER_OVERFLOW__``
+----------------------------------------------------------------------------------
+
+To support a standard way to disable container overflow checks at compile time,
+Library developers should use this definition in conjunction with the
+AddressSanitizer feature test to conditionally include container overflow
+related code compiled into user code:
+
+The recommended form is
+
+.. code-block:: c
+ #if __has_feature(address_sanitizer) && !__ASAN_DISABLE_CONTAINER_OVERFLOW__
+ // Container overflow detection enabled - include annotations
+ __sanitizer_annotate_contiguous_container(beg, end, old_mid, new_mid);
+ #endif
+
+This pattern ensures that:
+
+* Container overflow annotations are only included when AddressSanitizer is
+ enabled
+* Container overflow detection can be disabled by passing
+ ``-D__ASAN_DISABLE_CONTAINER_OVERFLOW__`` to the compiler
+
Suppressing Errors in Recompiled Code (Ignorelist)
--------------------------------------------------
diff --git a/compiler-rt/lib/asan/asan_errors.cpp b/compiler-rt/lib/asan/asan_errors.cpp
index 2a207cd06ccac..5b3d479fbbcd4 100644
--- a/compiler-rt/lib/asan/asan_errors.cpp
+++ b/compiler-rt/lib/asan/asan_errors.cpp
@@ -514,11 +514,15 @@ ErrorGeneric::ErrorGeneric(u32 tid, uptr pc_, uptr bp_, uptr sp_, uptr addr,
}
static void PrintContainerOverflowHint() {
- Printf("HINT: if you don't care about these errors you may set "
- "ASAN_OPTIONS=detect_container_overflow=0.\n"
- "If you suspect a false positive see also: "
- "https://github.com/google/sanitizers/wiki/"
- "AddressSanitizerContainerOverflow.\n");
+ Printf(
+ "HINT: if you don't care about these errors you may set "
+ "ASAN_OPTIONS=detect_container_overflow=0.\n"
+ "If supported by the container library pass "
+ "-D__ASAN_DISABLE_CONTAINER_OVERFLOW__ to the compiler to disable "
+ " instrumentation.\n"
+ "If you suspect a false positive see also: "
+ "https://github.com/google/sanitizers/wiki/"
+ "AddressSanitizerContainerOverflow.\n");
}
static void PrintShadowByte(InternalScopedString *str, const char *before,
diff --git a/compiler-rt/test/asan/TestCases/contiguous_container_crash.cpp b/compiler-rt/test/asan/TestCases/contiguous_container_crash.cpp
index b88e02b84ad67..4661c20d3d792 100644
--- a/compiler-rt/test/asan/TestCases/contiguous_container_crash.cpp
+++ b/compiler-rt/test/asan/TestCases/contiguous_container_crash.cpp
@@ -7,55 +7,72 @@
// RUN: %env_asan_opts=detect_container_overflow=0 %run %t crash
//
// Test crash due to __sanitizer_annotate_contiguous_container.
+//
+// Test with -D__ASAN_DISABLE_CONTAINER_OVERFLOW__ flag - should not crash
+// RUN: %clangxx_asan -D__ASAN_DISABLE_CONTAINER_OVERFLOW__ -O %s -o %t-no-overflow
+// RUN: %run %t-no-overflow crash
+// RUN: %run %t-no-overflow bad-bounds
+// RUN: %run %t-no-overflow unaligned-bad-bounds
+// RUN: %run %t-no-overflow odd-alignment
+// RUN: %run %t-no-overflow odd-alignment-end
+//
+// Test overflow checks can be disabled
#include <assert.h>
#include <string.h>
-extern "C" {
-void __sanitizer_annotate_contiguous_container(const void *beg, const void *end,
- const void *old_mid,
- const void *new_mid);
-} // extern "C"
+// public definition of __sanitizer_annotate_contiguous_container
+#include "sanitizer/common_interface_defs.h"
static volatile int one = 1;
int TestCrash() {
long t[100];
t[60] = 0;
+#if __has_feature(address_sanitizer) && !__ASAN_DISABLE_CONTAINER_OVERFLOW__
__sanitizer_annotate_contiguous_container(&t[0], &t[0] + 100, &t[0] + 100,
&t[0] + 50);
-// CHECK-CRASH: AddressSanitizer: container-overflow
-// CHECK-CRASH: if you don't care about these errors you may set ASAN_OPTIONS=detect_container_overflow=0
- return (int)t[60 * one]; // Touches the poisoned memory.
+#endif
+ // CHECK-CRASH: AddressSanitizer: container-overflow
+ // CHECK-CRASH: if you don't care about these errors you may set ASAN_OPTIONS=detect_container_overflow=0
+ return (int)t[60 * one]; // Touches the poisoned memory.
}
void BadBounds() {
long t[100];
-// CHECK-BAD-BOUNDS: ERROR: AddressSanitizer: bad parameters to __sanitizer_annotate_contiguous_container
+#if __has_feature(address_sanitizer) && !__ASAN_DISABLE_CONTAINER_OVERFLOW__
+ // CHECK-BAD-BOUNDS: ERROR: AddressSanitizer: bad parameters to __sanitizer_annotate_contiguous_container
__sanitizer_annotate_contiguous_container(&t[0], &t[0] + 100, &t[0] + 101,
&t[0] + 50);
+#endif
}
void UnalignedBadBounds() {
char t[100];
+#if __has_feature(address_sanitizer) && !__ASAN_DISABLE_CONTAINER_OVERFLOW__
// CHECK-UNALIGNED-BAD-BOUNDS: ERROR: AddressSanitizer: bad parameters to __sanitizer_annotate_contiguous_container
__sanitizer_annotate_contiguous_container(&t[1], &t[0] + 100, &t[0] + 101,
&t[0] + 50);
+#endif
}
int OddAlignment() {
int t[100];
t[60] = 0;
+#if __has_feature(address_sanitizer) && !__ASAN_DISABLE_CONTAINER_OVERFLOW__
__sanitizer_annotate_contiguous_container(&t[1], &t[0] + 100, &t[0] + 100,
&t[1] + 50);
+#endif
return (int)t[60 * one]; // Touches the poisoned memory.
}
int OddAlignmentEnd() {
int t[99];
t[60] = 0;
+#if __has_feature(address_sanitizer) && !__ASAN_DISABLE_CONTAINER_OVERFLOW__
__sanitizer_annotate_contiguous_container(&t[0], &t[0] + 98, &t[0] + 98,
&t[0] + 50);
+#endif
return (int)t[60 * one]; // Touches the poisoned memory.
}
|
padriff
force-pushed
the
eng/padriff/ContainerOverflowDefine
branch
from
4dcf58b to
1755359
Compare
|
✅ With the latest revision this PR passed the C/C++ code formatter. |
padriff
force-pushed
the
eng/padriff/ContainerOverflowDefine
branch
from
1755359 to
78f77f2
Compare
compiler-rt/test/asan/TestCases/disable_container_overflow_checks.cpp
Outdated
Show resolved
Hide resolved
| AddressSanitizer runtime to indicate which memory is poisoned etc. | ||
|
|
||
| In environments where not all the process binaries can be recompiled with | ||
| AddressSanitizer enabled, these checks can cause false positives. |
There was a problem hiding this comment.
ASan's expected behaviour is to output the error and kill the process unless a user explicitly changes this behaviour. This is done using the compiler switch -fsanitize-recover=address and setting the environment variable ASAN_OPTIONS=halt_on_error=false
clang/docs/AddressSanitizer.rst
Outdated
| ``-D__ASAN_DISABLE_CONTAINER_OVERFLOW__`` can be used at compile time to | ||
| disable container overflow checks if the container library has added support | ||
| for this define. |
There was a problem hiding this comment.
Question: is there a reason why we don't make the various __sanitizer_annotate_foo_container functions no-ops (or alternatively not declare them) when __ASAN_DISABLE_CONTAINER_OVERFLOW__ is set?
Sorry if this was already discussed.
There was a problem hiding this comment.
The __sanitizer_annotate_* functions are controllable at runtime using ASAN_OPTIONS=detect_container_overflow=0.
The issue we hit was where users were unable to recompile the entire set of dylibs / dlls to have uniformity of sanitized binaries and were unable to control the runtime environment to disable there.
The request was to allow this instrumentation to be disabled at compile time for the template library code that is instantiated into their application code to simplify the workflows.
There was a problem hiding this comment.
Actually we discussed it with @fmayer or @thurstond offline
and it could be a good idea to guard them in compiler-rt/include/sanitizer/common_interface_defs.h
with ASAN_DISABLE_CONTAINER_OVERFLOW and define empty body if condition is not met.
There was a problem hiding this comment.
Guarding the definitions in the interface defs would require recompiling the runtime to have an effect wouldn't it? To my understanding having the guard in the template definitions would not need this.
There was a problem hiding this comment.
I think I get it, @vitalybuka @fmayer @thurstond is this what you are proposing: DanBlackwell@fcdb4c2 ? e.g.
void SANITIZER_CDECL __sanitizer_annotate_contiguous_container(
const void *beg, const void *end, const void *old_mid, const void *new_mid)
#ifdef __ASAN_DISABLE_CONTAINER_OVERFLOW__
{} // no-op implementation (disabling checks)
#else
; // function declaration, runtime implementation
#endif
There was a problem hiding this comment.
What if we just introduce a new symbols:
void SANITIZER_CDECL __sanitizer_maybe_annotate_contiguous_container(
const void *beg, const void *end, const void *old_mid, const void *new_mid) {
#ifndef __ASAN_DISABLE_CONTAINER_OVERFLOW__
return __sanitizer_maybe_annotate_contiguous_container(...));
#endif
}
but then we need to update libc++ and other users.
Another option to use preprocessor
#ifdef __ASAN_DISABLE_CONTAINER_OVERFLOW__
void SANITIZER_CDECL __sanitizer_maybe_annotate_contiguous_container(
const void *beg, const void *end, const void *old_mid, const void *new_mid);
#else
#define __sanitizer_maybe_annotate_contiguous_container(...) while(false) {} // or what ever nop magic
#endif
}
There was a problem hiding this comment.
Actually the last one can break users who does not use the header and just declare __sanitizer_maybe_annotate_contiguous_container.
And I see @ldionne already suggested against the idea.
conflicts with other definitions are still a problem.
So, how bad is to switch libc++ to __sanitizer_maybe_annotate_contiguous_container ?
There was a problem hiding this comment.
Is there anything stopping libcxx from using the header? (I presume you can just guard it in #if __has_feature(address_sanitizer)) If not then I like the idea of having the functions static and no-ops if the macro is defined, i.e.
#ifdef __ASAN_DISABLE_CONTAINER_OVERFLOW__
static void SANITIZER_CDECL __sanitizer_maybe_annotate_contiguous_container(
const void *beg, const void *end, const void *old_mid, const void *new_mid) { // no-op }
#else
void SANITIZER_CDECL __sanitizer_maybe_annotate_contiguous_container(
const void *beg, const void *end, const void *old_mid, const void *new_mid); // forward declare for runtime
#endif
}
The header has an ifndef SANITIZER_COMMON_INTERFACE_DEFS_H guard, so you wouldn't get multiple definitions even if you include it multiple times, e.g.:
#include <vector>
#include <deque>
That being said I may be missing something wrt linking and ODR here.
There was a problem hiding this comment.
Is there anything stopping libcxx
That plan, we will use the header in libcxx.
The concerns are:
-
if some down stream users already forward declare the symbol e.g. https://github.com/marcov64/Lsd/blob/af565b26c806e678c475303567738735bcaceff9/gnu/include/c%2B%2B/13.2.0/bits/stl_vector.h#L74 They may hit errors like https://godbolt.org/z/oPKE3P8eb
-
Older versions of libcxx, do we need them with a new compiler-rt?
So I see either to do Pure macro stuff, which is OK to me, and simple:
#ifdef __ASAN_DISABLE_CONTAINER_OVERFLOW__
#define SANITIZER_ANNOTATE_CONTIGUOUS_CONTAINER(...) { // no-op in whatever safe way}
#else
#define SANITIZER_ANNOTATE_CONTIGUOUS_CONTAINER(...) { \
__sanitizer_annotate_contiguous_container(...); \
}
#endif
Or if we do "static" then we don't forward declare, just introduce a new symbol,
which either has an empty body, or calls to the existing one.
In either way changing libc++ is needed.
@ldionne WDYT?
There was a problem hiding this comment.
Changing libc++ is not a problem. I think we're happy to include the header, too, as long as compiler-rt headers are guaranteed to be dependency-free.
Personally, I'd just declare __sanitizer_annotate_contiguous_container like this:
#ifdef __ASAN_DISABLE_CONTAINER_OVERFLOW__
__attribute__((__internal_linkage__)) inline
void __sanitizer_annotate_contiguous_container(const void *, const void *, const void *, const void*) { }
#else
void __sanitizer_annotate_contiguous_container(const void *, const void *, const void *, const void*);
#endifNaming-wise, I am not a big fan of __sanitizer_maybe_annotate_contiguous_container, I'd rather just use __sanitizer_annotate_contiguous_container. But whatever, we'll use what you folks provide.
N.B.: You have to make sure to mangle all identifiers in compiler-rt headers, for example parameter names must start with __.
compiler-rt/test/asan/TestCases/disable_container_overflow_checks.cpp
Outdated
Show resolved
Hide resolved
padriff
force-pushed
the
eng/padriff/ContainerOverflowDefine
branch
3 times, most recently
from
f5fcc30 to
45d0d77
Compare
🐧 Linux x64 Test Results
|
padriff
force-pushed
the
eng/padriff/ContainerOverflowDefine
branch
2 times, most recently
from
98726dd to
2001470
Compare
padriff
force-pushed
the
eng/padriff/ContainerOverflowDefine
branch
from
2001470 to
1b21c65
Compare
AddressSanitizer's container overflow detection in template code at compile time. The primary motivation is to reduce false positives in environments where libraries and frameworks that cannot be recompiled with sanitizers enabled are called from application code. This supports disabling checks when the runtime environment cannot be reliably controlled to use ASAN_OPTIONS. Key changes: - Use the define `__SANITIZER_DISABLE_CONTAINER_OVERFLOW__` to disable instrumentation at compile time - Implemented redefining the container overflow APIs in common_interface_defs.h to use define to provide null implementation when define is present - Update documentation in AddressSanitizer.rst to suggest and illustrate use of the define - Add details of the define in PrintContainerOverflowHint() - Add test disable_container_overflow_checks to verify new hints on the error and fill the testing gap that ASAN_OPTIONS=detect_container_overflow=0 works - Add tests demonstrating the issue around closed source libraries and instrumented apps that both modify containers This requires no compiler changes and should be supportable cross compiler toolchains. An RFC has been opened to discuss: https://discourse.llvm.org/t/rfc-add-fsanitize-address-disable-container-overflow-flag-to-addresssanitizer/88349
padriff
force-pushed
the
eng/padriff/ContainerOverflowDefine
branch
from
1b21c65 to
9f2fe70
Compare
|
updated with the suggested approach |
| __attribute__((__internal_linkage__)) inline void SANITIZER_CDECL | ||
| __sanitizer_annotate_contiguous_container(const void *beg, const void *end, | ||
| const void *old_mid, | ||
| const void *new_mid) {}; |
There was a problem hiding this comment.
| const void *new_mid) {}; | |
| const void *new_mid) {} |
Throughout
7 participants
Document a define to allow library developers to support disabling
AddressSanitizer's container overflow detection in template code at
compile time.
The primary motivation is to reduce false positives in environments where
libraries and frameworks that cannot be recompiled with sanitizers enabled
are called from application code. This supports disabling checks when the
runtime environment cannot be reliably controlled to use ASAN_OPTIONS.
Key changes:
__SANITIZER_DISABLE_CONTAINER_OVERFLOW__to disableinstrumentation at compile time
to use define to provide null implementation when define is present
use of the define
error and fill the testing gap that ASAN_OPTIONS=detect_container_overflow=0
works
instrumented apps that both modify containers
This requires no compiler changes and should be supportable cross compiler toolchains.
An RFC has been opened to discuss:
https://discourse.llvm.org/t/rfc-add-fsanitize-address-disable-container-overflow-flag-to-addresssanitizer/88349