37. Out-of-bounds access

int main(int argc, char **argv) {
  int stack_array[100];
  stack_array[1] = 0;
  return stack_array[argc + 100]; // BOOM: index 101+ reads past the end of stack_array
}
=================================================================
==28706==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fff61e1f344 at pc 0x4a5dfb bp 0x7fff61e1f170 sp 0
READ of size 4 at 0x7fff61e1f344 thread T0
#0 0x4a5dfa in main /home/kito/test.cpp:4
#1 0x7ff11a8a1d64 in __libc_start_main (/lib64/libc.so.6+0x21d64)
#2 0x404c98 (/home/kito/a.out+0x404c98)
Address 0x7fff61e1f344 is located in stack of thread T0 at offset 436 in frame
#0 0x4a5d29 in main /home/kito/test.cpp:1
This frame has 1 object(s):
[32, 432) 'stack_array' <== Memory access at offset 436 overflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
(longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow /home/kito/test.cpp:4 main
Shadow bytes around the buggy address:
0x10006c3bbe10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
...
=>0x10006c3bbe60: 00 00 00 00 00 00 00 00[f4]f4 f3 f3 f3 f3 00 00
...
0x10006c3bbeb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
...
38. Use after free

==12254==ERROR: AddressSanitizer: heap-use-after-free on address 0x60200000eff0 at pc 0x4a5db4 bp 0x7fff3ff57520 sp 0x7fff3ff57518
READ of size 4 at 0x60200000eff0 thread T0
#0 0x4a5db3 in main /home/kito/coscup2014/use-after-free.c:6
#1 0x3c52221d64 in __libc_start_main (/lib64/libc.so.6+0x3c52221d64)
#2 0x404c98 (/home/kito/coscup2014/a.out+0x404c98)
0x60200000eff0 is located 0 bytes inside of 4-byte region [0x60200000eff0,0x60200000eff4)
freed by thread T0 here:
#0 0x476c79 in __interceptor_free /home/kito/gcc/gcc-src/libsanitizer/asan/asan_malloc_linux.cc:63
#1 0x4a5d7c in main /home/kito/coscup2014/use-after-free.c:5
#2 0x3c52221d64 in __libc_start_main (/lib64/libc.so.6+0x3c52221d64)
previously allocated by thread T0 here:
#0 0x476f19 in __interceptor_malloc /home/kito/gcc/gcc-src/libsanitizer/asan/asan_malloc_linux.cc:73
#1 0x4a5d2b in main /home/kito/coscup2014/use-after-free.c:3
#2 0x3c52221d64 in __libc_start_main (/lib64/libc.so.6+0x3c52221d64)
#include <malloc.h>
int main() {
  int *a = malloc(sizeof(int));
  *a = 100;
  free(a);
  return *a; // reads the freed block: heap-use-after-free
}
39. Mismatched free/delete/delete[]

int main() {
  int *arr = new int[10];
  delete arr; // allocated with new[], so this should be delete[]
  return 0;
}
=================================================================
==12421==ERROR: AddressSanitizer: alloc-dealloc-mismatch (operator new [] vs operator delete) on 0x60400000dfd0
#0 0x478219 in operator delete(void*) /home/kito/gcc/gcc-src/libsanitizer/asan/asan_new_delete.cc:85
#1 0x4a5efb in main /home/kito/coscup2014/mismatch-delete.cpp:3
#2 0x3c52221d64 in __libc_start_main (/lib64/libc.so.6+0x3c52221d64)
#3 0x404e58 (/home/kito/coscup2014/a.out+0x404e58)
0x60400000dfd0 is located 0 bytes inside of 40-byte region [0x60400000dfd0,0x60400000dff8)
allocated by thread T0 here:
#0 0x477e29 in operator new[](unsigned long) /home/kito/gcc/gcc-src/libsanitizer/asan/asan_new_delete.cc:55
#1 0x4a5eeb in main /home/kito/coscup2014/mismatch-delete.cpp:2
#2 0x3c52221d64 in __libc_start_main (/lib64/libc.so.6+0x3c52221d64)
46. Divide by 0

int main(int argc, const char *argv[]){
  return argc/0;
}

div0.cpp:2:14: runtime error: division by zero
Floating point exception
47. Dereference null pointer

int main(int argc, const char *argv[]){
  int *a = nullptr;
  return *a;
}

derefnull.cpp:3:11: runtime error: load of null pointer of type 'int'
Segmentation fault
48. Shift

int main(int argc, const char *argv[]){
  return argc >> 32;
}

shift.cpp:2:15: runtime error: shift exponent 32 is too large for 32-bit type 'int'
49. Signed integer overflow

#include <limits.h>
int main(int argc, const char *argv[]){
  int a = INT_MAX;
  return a + argc;
}

overflow.cpp:4:14: runtime error: signed integer overflow: 2147483647 + 1 cannot be represented in type 'int'
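Each of the slide-37 and slide-46 to 49 programs triggers the sanitizer because the operation has no runtime guard. The following is an added example, not code from the slides, showing the explicit checks that make those same operations well-defined; the `checked_*` function names are assumptions, and `__builtin_add_overflow` is the GCC/Clang builtin.

```c
/* Added example: runtime guards for the sanitizer cases shown on the slides.
 * Each function returns false instead of performing the undefined operation. */
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>

/* Slide 37: stack_array[argc + 100] reads past the end of the array.
 * Check the index against the array length before the access. */
bool checked_index(const int *arr, size_t len, long idx, int *out) {
    if (arr == NULL || idx < 0 || (size_t)idx >= len)
        return false;
    *out = arr[idx];
    return true;
}

/* Slide 46: argc / 0. Division by zero is undefined, and so is
 * INT_MIN / -1 (the quotient does not fit in an int). */
bool checked_div(int a, int b, int *out) {
    if (b == 0 || (a == INT_MIN && b == -1))
        return false;
    *out = a / b;
    return true;
}

/* Slide 48: argc >> 32. A shift count >= the width of int is undefined;
 * a negative left operand is implementation-defined, so reject both. */
bool checked_shr(int a, unsigned count, int *out) {
    if (a < 0 || count >= sizeof(int) * CHAR_BIT)
        return false;
    *out = a >> count;
    return true;
}

/* Slide 49: INT_MAX + argc. The GCC/Clang builtin reports wraparound
 * instead of silently producing an undefined result. */
bool checked_add(int a, int b, int *out) {
    return !__builtin_add_overflow(a, b, out);
}

/* Slide 47: *a where a is nullptr. Refuse to load through a null pointer. */
bool checked_load(const int *p, int *out) {
    if (p == NULL)
        return false;
    *out = *p;
    return true;
}
```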
57. Improved error diagnostics

class T {
public:
  int a;
}
#include <vector>

Missing a semicolon after the class definition.
In file included from /home/kito/gcc-workspace/native-4.4/lib/gcc/x86_64-unknown-linux-gnu/4.4.7/../../../../include/c++/4.4.7/cstddef:44,
from /home/kito/gcc-workspace/native-4.4/lib/gcc/x86_64-unknown-linux-gnu/4.4.7/../../../../include/c++/4.4.7/bits/stl_algobase.h:61,
from /home/kito/gcc-workspace/native-4.4/lib/gcc/x86_64-unknown-linux-gnu/4.4.7/../../../../include/c++/4.4.7/vector:61,
from test.cpp:5:
/home/kito/gcc-workspace/native-4.4/lib/gcc/x86_64-unknown-linux-gnu/4.4.7/include/stddef.h:149: error: two or more data types in declaration of ‘ptrdiff_t’
...
/home/kito/gcc-workspace/native-4.4/lib/gcc/x86_64-unknown-linux-gnu/4.4.7/../../../../include/c++/4.4.7/bits/vector.tcc:629: error: there are no arguments to ‘difference_type’ that depend on a template parameter, so a declaration of ‘difference_type’ must be available

Fed into gcc 4.4, this spews 132 lines of error messages XD
58. Improved error diagnostics

class T {
public:
  int a;
}
#include <vector>

Missing a semicolon after the class definition.
Fed into gcc 4.9:
test.cpp:4:1: error: expected ‘;’ after class definition
}
^
So thoughtful: not only is the output colour-coded, it also points out exactly where the error is.
(I hear clang has had this feature for a long time?)
72. OpenMP Support

• A long-awaited feature
• A great tool for quickly parallelizing programs

// Build with -fopenmp; without it the pragma is ignored and the loop runs serially.
int main(int argc, char *argv[]) {
  const int N = 100000;
  int i, a[N];
#pragma omp parallel for
  for (i = 0; i < N; i++)
    a[i] = 2 * i;
  return 0;
}
87. GCC and LLVM collaboration

• GNU Tools Cauldron 2014
  – July 18-20, 2014 at Cambridge
88. GCC and LLVM collaboration

With LLVM mature enough to feature as the default toolchain
in some Unix distributions, and with the inherent (and
profitable) share of solutions, ideas and code between the
two, we need to start talking at a more profound level. There
will always be problems that can't be included in any
standard (language, extension, or machine-specific) and
are intrinsic to the compilation infrastructure. For those,
and other common problems, we need common solutions to at
least both LLVM and GCC, but ideally any open source (and
even closed source) toolchain. In this BoF session, we shall
discuss to what extent this collaboration can take us, how we
should start and what are the next steps to make this happen.