Compiling with AddressSanitizer: Difference between revisions

From Libreswan
No edit summary
No edit summary
Line 14: Line 14:
<pre>
<pre>
ipsec stop
ipsec stop
SAN_OPTIONS=detect_leaks=0 ipsec _stackmanager start
ASAN_OPTIONS=detect_leaks=0 ipsec _stackmanager start
ipsec pluto --config /etc/ipsec.conf --nofork --stderrlog
ipsec pluto --config /etc/ipsec.conf --nofork --stderrlog
</pre>
</pre>
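Review bot: on the `_stackmanager` line, the `ASAN_OPTIONS=detect_leaks=0` prefix is a per-command assignment, so it does not carry over to the `ipsec pluto` line that follows, which runs with leak detection at its default. If that is intended, a sentence next to the block should say so. The revision also has no edit summary; one noting the `SAN_OPTIONS` to `ASAN_OPTIONS` correction would help readers of the page history.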

Revision as of 00:20, 24 May 2015

AddressSanitizer (or ASAN) is a programming tool that detects memory corruption bugs such as buffer overflows or accesses to a dangling pointer (use-after-free). AddressSanitizer is based on compiler instrumentation and directly-mapped shadow memory. For more information see the Wikipedia page (https://en.wikipedia.org/wiki/AddressSanitizer) and the Google ASAN page (https://code.google.com/p/address-sanitizer/wiki/).

To enable ASAN (which requires clang or gcc >= 4.8) for libreswan, you need to change the linking flags. This can be done by setting the USERLINK environment variable, or setting this variable in the file Makefile.inc.local. See also the USERLINK setting in mk/config.mk.

export USERLINK="-Wl,-z,relro,-z,now -g -pie -fsanitize=address"

You will also need to install libasan (using yum, dnf or apt-get).

Enabling ASAN will cause it to throw reports to stdout. Use libreswan-3.14 or the git master code, which fixes _stackmanager to ignore these. But pluto still emits some leak reports, which confuse some startup systems, such as systemd. The init systems will also redirect these messages elsewhere. So the easiest way to start libreswan and get the ASAN reporting on the console is to use:

ipsec stop
ASAN_OPTIONS=detect_leaks=0 ipsec _stackmanager start
ipsec pluto --config /etc/ipsec.conf --nofork --stderrlog

In another terminal, run the tests you want, adding, upping or removing any connections. When done, run:

ipsec whack --shutdown

The ASAN messages will now appear on the terminal you started pluto on.
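
Once the reports are on the console, a saved copy can be triaged so that leak reports do not bury a real memory error. The script below is an added example, not part of the original page or of libreswan; the log file name, the function names `asan_triage` and `sample_log`, and the sample report are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example. Assumes pluto's console output was saved to a file, e.g. by
# appending "2>&1 | tee pluto-asan.log" to the pluto command (file name assumed).

# asan_triage FILE: print "pid kind detail" for each sanitizer report in FILE.
# Returns 1 if any report is a memory error, 0 if there are only leak reports.
asan_triage() {
    awk '
    /^==[0-9]+==ERROR: (AddressSanitizer|LeakSanitizer):/ {
        split($1, p, "=")                 # "==4242==ERROR:" -> p[3] is the pid
        pid = p[3]; frame = ""; inrep = 1
        if ($2 == "LeakSanitizer:") kind = "leak"
        else { kind = $3; errors++ }      # e.g. heap-use-after-free
        next
    }
    # First frame of the current report: "    #0 0x... in function file:line"
    inrep && frame == "" && $1 == "#0" { frame = $4 " " $5; next }
    # The SUMMARY line ends a report
    inrep && /^SUMMARY: AddressSanitizer: / {
        sub(/^SUMMARY: AddressSanitizer: /, "")
        print pid, kind, (kind == "leak" ? $0 : frame)
        inrep = 0
    }
    END { exit (errors > 0) }
    ' "$1"
}

# Constructed sample (two runs); addresses and function names are placeholders.
sample_log() {
cat <<'EOF'
==4242==ERROR: AddressSanitizer: heap-use-after-free on address 0x60200000eff0 at pc 0x4007d4 bp 0x7ffd0e0 sp 0x7ffd0d8
READ of size 4 at 0x60200000eff0 thread T0
    #0 0x4007d3 in example_use example.c:42
    #1 0x4008a1 in example_main example.c:60
SUMMARY: AddressSanitizer: heap-use-after-free example.c:42 example_use
==4242==ABORTING
==4300==ERROR: LeakSanitizer: detected memory leaks
Direct leak of 64 byte(s) in 1 object(s) allocated from:
    #0 0x7f0000 in malloc (libasan.so+0x0)
    #1 0x400901 in example_alloc example.c:17
SUMMARY: AddressSanitizer: 64 byte(s) leaked in 1 allocation(s).
EOF
}

log=$(mktemp)
sample_log > "$log"
asan_triage "$log" || echo "memory error reported; investigate before leaks"
rm -f "$log"
```

The non-zero return on memory errors lets a test wrapper fail a run on corruption while tolerating leak-only output.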

Note that you should not enable --leak-detective and should not link against ElectricFence, because those mechanisms try to do similar things and will only make any ASAN messages you get harder to debug.