Compiling with AddressSanitizer: Difference between revisions
Paul Wouters (talk | contribs) (Created page with " AddressSanitizer (or ASAN) is a programming tool that detects memory corruption bugs such as buffer overflows or accesses to a dangling pointer (use-after-free). AddressSanit...") |
Paul Wouters (talk | contribs) No edit summary |
||
Line 25: | Line 25: | ||
The ASAN messages will now appear on the terminal you started pluto on. | The ASAN messages will now appear on the terminal you started pluto on. | ||
Note that you should <b>not</b> enable --leak-detective and not link against ElectricFence, because those mechanisms try to do similar things and you will just make it harder to debug any ASAN messages you will get, |
Revision as of 00:06, 24 May 2015
AddressSanitizer (or ASAN) is a programming tool that detects memory corruption bugs such as buffer overflows or accesses to a dangling pointer (use-after-free). AddressSanitizer is based on compiler instrumentation and directly-mapped shadow memory. For more information see the [Wikipedia Page https://en.wikipedia.org/wiki/AddressSanitizer] page and the [Google ASAN https://code.google.com/p/address-sanitizer/wiki/] page.
To enable ASAN (which requires clang or gcc >= 4.8) for libreswan, you need to change the linking flags. This can be done by setting the USERLINK environment variable, or setting this variable in the file Makefile.inc.local. See also the USERLINK setting in mk/config.mk.
export USERLINK="-Wl,-z,relro,-z,now -g -pie -fsanitize=address"
You will also need to install libasan (using yum, dnf or apt-get)
Enabling ASAN will cause it to throw leak reports to stdout. Since the addconn binary has some leaks, this will confuse the startup scripts when using addconn to determine the protostack. So to start libreswan, use:
ipsec stop ASAN_OPTIONS=detect_leaks=0 ipsec _stackmanager start ipsec pluto --config /etc/ipsec.conf --nofork --stderrlog
In another terminal, run the tests you want to add with adding/upping/removing any connections. When done run:
ipsec whack --shutdown
The ASAN messages will now appear on the terminal you started pluto on.
Note that you should not enable --leak-detective and not link against ElectricFence, because those mechanisms try to do similar things and you will just make it harder to debug any ASAN messages you will get,