0. 機器環境

• centos7
• gcc (GCC) 4.8.5 20150623 (Red Hat 4.8.5-11)

1. 安裝libasan（安裝過忽略此條）

yum install libasan
yum install llvm

2. 使用AddressSanitizer

gcc -fsanitize=address -fno-omit-frame-pointer -O1 -g -o main main.cpp

需要在使用 GCC 或 Clang 編譯鏈接程序時加上 -fsanitize=address 開關（性能慢一半）。為了獲得合理的性能，可以加上 -O1 或更高。為了在錯誤信息中獲得更友好的棧追蹤信息可以加上 -fno-omit-frame-pointer。為了獲得完美的棧追蹤信息，還可以禁用內聯（使用 -O1）和尾調用消除（-fno-optimize-sibling-calls），-g可以換成-ggdb更有益gdb調試。

可能遇到編譯錯誤：undefined reference to `__asan_report_store8'
在編譯選項和連接選項里都添加-fsanitize=address

3. 運行

ASAN_SYMBOLIZER_PATH=$(which llvm-symbolizer) ./main

• 單獨運行 ./main 可能出現 WARNING: invalid path to external symbolizer!導致看不到具體文件符號，錯誤在哪行代碼；
• 如果ASAN_SYMBOLIZER_PATH失敗的話換成MSAN_SYMBOLIZER_PATH；

4. AddressSanitizer內存錯誤類型

• Use after free：訪問堆上已經被釋放的內存
• Heap buffer overflow：堆上緩沖區訪問溢出
• Stack buffer overflow：棧上緩沖區訪問溢出
• Global buffer overflow：全局緩沖區訪問溢出
• Use after return：訪問棧上已被釋放的內存
• Use after scope：棧對象使用超過定義范圍
• Initialization order bugs：初始化命令錯誤
• Memory leaks：內存泄漏

5. 錯誤類型示例

(1) heap-buffer-overflow

int main(int argc, char **argv)
{
    //int a[9];
    int *a = new int(9);
    a[11] ++;
    return a[11];
}

=================================================================
==6515== ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60040000e01c at pc 0x400881 bp 0x7ffd91a90a10 sp 0x7ffd91a90a00
READ of size 4 at 0x60040000e01c thread T0
    #0 0x400880 in main /home/work/test/main.cpp:5
    #1 0x7f70a3f40b34 in __libc_start_main (/lib64/libc.so.6+0x21b34)
    #2 0x400748 in _start (/home/work/test/main+0x400748)
0x60040000e01c is located 12 bytes to the right of 0-byte region [0x60040000e010,0x60040000e010)
==6515== AddressSanitizer CHECK failed: ../../../../libsanitizer/asan/asan_allocator2.cc:216 "((id)) != (0)" (0x0, 0x0)
    #0 0x7f70a4b13b9a (/lib64/libasan.so.0+0x12b9a)
    #1 0x7f70a4b1ae03 (/lib64/libasan.so.0+0x19e03)
    #2 0x7f70a4b06426 (/lib64/libasan.so.0+0x5426)
    #3 0x7f70a4b189ff (/lib64/libasan.so.0+0x179ff)
    #4 0x7f70a4b19be1 (/lib64/libasan.so.0+0x18be1)
    #5 0x7f70a4b13fc2 (/lib64/libasan.so.0+0x12fc2)
    #6 0x400880 in main /home/work/test/main.cpp:6
    #7 0x7f70a3f40b34 in __libc_start_main (/lib64/libc.so.6+0x21b34)
    #8 0x400748 in _start (/home/work/test/main+0x400748)

(2) stack-buffer-overflow

int main(int argc, char **argv)
{
    int a[9];
    //int *a = new int(9);
    a[11] ++;
    return a[11];
}

=================================================================
==6605== ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffdc56432ac at pc 0x4007d9 bp 0x7ffdc5643240 sp 0x7ffdc5643230
READ of size 4 at 0x7ffdc56432ac thread T0
    #0 0x4007d8 in main /home/work/test/main.cpp:5
    #1 0x7f9010e30b34 in __libc_start_main (/lib64/libc.so.6+0x21b34)
    #2 0x400688 in _start (/home/work/test/main+0x400688)
Address 0x7ffdc56432ac is located at offset 76 in frame <main> of T0's stack:
  This frame has 1 object(s):
    [32, 68) 'a'
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow /home/work/test/main.cpp:6 main
Shadow bytes around the buggy address:
  0x100038ac0600: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100038ac0610: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100038ac0620: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100038ac0630: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100038ac0640: 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1
=>0x100038ac0650: 00 00 00 00 04[f4]f4 f4 f3 f3 f3 f3 00 00 00 00
  0x100038ac0660: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100038ac0670: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100038ac0680: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100038ac0690: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100038ac06a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:     fa
  Heap righ redzone:     fb
  Freed Heap region:     fd
  Stack left redzone:    f1
  Stack mid redzone:     f2
  Stack right redzone:   f3
  Stack partial redzone: f4
  Stack after return:    f5
  Stack use after scope: f8
  Global redzone:        f9
  Global init order:     f6
  Poisoned by user:      f7
  ASan internal:         fe
==6605== ABORTING

6. 參考：

[1]如何排查大型C程序中的內存寫越界導致的coredump？
[2]應用 AddressSanitizer 發現程序內存錯誤
[3]Linux 下的 AddressSanitizer
[4]從segmentfault段錯誤談起-(1)
[5]踩內存專題分析
[6]How to use AddressSanitizer with GCC?