Implement address sanitizer (ASAN) support

[steveklabnik]

Issue by bstrie
Wednesday Dec 03, 2014 at 19:58 GMT

For earlier discussion, see rust-lang/rust#19504

This issue was labelled with: A-an-interesting-project, A-llvm, E-hard in the Rust repository

---

Backstory: being Valgrind-clean is a blocker for 1.0 (#13217). But Valgrind gives us tons of false positives (#5856) because of a specific tactic used by LLVM to generate optimized code (http://llvm.org/bugs/show_bug.cgi?id=12319). Neither LLVM nor Valgrind are incorrect here, so this is unlikely to ever be resolved (rust-lang/rust#5856 (comment)). And the overall volume of false positives is so great that we often succumb to just turning off Valgrind entirely to get any work done (rust-lang/rust#13217 (comment)).

There is an alternative: ASAN, which is integrated into LLVM and designed to produce no false positives in addition to being relatively low on runtime overhead (https://address-sanitizer.googlecode.com/files/address_sanity_checker.pdf). It is sponsored by Google and used in Chromium to great effect. But adding support is nontrivial:

This really needs to be refiled as "implement address sanitizer support" which is a huge project. It's not useful without frontend support, and IMO it's too much complexity to add to librustc in the current state it's in. Sanitizers would need to be added for all the unsafe intrinsics along with unsafe pointer dereferencing. It's not going to map well to the sanitizers used by Clang, since Rust does everything in the libraries with the basic compiler intrinsics. It doesn't have a language feature for unsafe indexing of arrays, etc.

rust-lang/rust#749 (comment)

Not only would ASAN support be a tremendous task, it would also ideally never generate any hits for Rust code. However, unsafe code exists, and developers can (and will (and have (we just don't know it yet))) get it wrong. More lines of defense are always valuable.

If you're looking for a very challenging and long-term but (IMO) very important Rust-related project to test your skills, this is the project for you.

[gnzlbg]

Memory Sanitizer and Thread Sanitizer would also be very useful.

[kmcallister]

This is a high priority for me. Among other reasons, it makes afl much more powerful.

I had a quick poke around the llvm/clang sources. It looks like almost all of ASan is in compiler-rt and llvm, which we can reuse. I'm sure we will run into some of the complications discussed on rust-lang/rust#749. I also would not be surprised if some of what strcat said turns out to be FUD.

Anyway I would love to see someone jump in and make progress on ASan support, even if it's not glitch-free. I can mentor with the rustc side (not so much the LLVM side).

unsafe code exists, and developers can (and will (and have (we just don't know it yet))) get it wrong

lol, I can give you plenty of examples, from my code and others. :)

[vks]

Also see rust-lang/rust#31605.

[burdges]

As an aside, Nick Matheson's Tor bug retrospective makes interesting reading and suggests that this matters.

[Manishearth]

This merged with rust-lang/rust#38699