The address sanitizer (Asan) is a memory error detector, it finds a number of memory access errors that can occur in C, such as out-of-bounds accesses to heap, stack and global objects, and use-after-free. In general, these issues do not occur in the pure Go code, unless people intentionally use the unsafe package. However, people can use cgo to pass memory back and forth between C and Go, which will cause memory access problems.
Please refer to the following cases.
In this case https://play.golang.org/p/eE_8k4poelj, C passes Go an invalid pointer, causing the Go code to have use-after-free errors.
In this casehttps://play.golang.org/p/wtHjV-4xuiL, Go passes C a pointer, the C code has out-of-bounds access to heap objects errors.
In this case https://play.golang.org/p/rOyEo7I7vTY, Go passes C a pointer, the C code has out-of-bounds access to global objects errors.
Integrating Asan with Go would detect the above memory errors. So it is useful. And we can instrument ASan in exactly the same way as MSan. As with the -msan option, if we do not run with -asan option, it has no effect on code execution, if you use it, it may find some memory errors. In addition, Asan can help to detect some memory errors that MSan cannot. For example, use-after-free memory error case https://play.golang.org/p/eE_8k4poelj, MSan cannot detect writes on uninitialized memory, while ASan can.
Although the above cases are not real world cases. However, on the other hand, when debugging a memory error access in a Go program that calls C code, it is really good to be able to use Asan to ensure that code is correct. Obviously, this will require more code to be maintained in the toolchain, but since almost all of the code is next to the existing MSan code, this is quite limited. Besides, Arm has a hardware feature MTE (Memory Tagging Extension), it aims to further mitigate these memory safety bugs by enabling us to detect them with low overhead. If ASan will be proven to be useful, we may consider enabling MTE for ASan. In this way, ASan even be enabled in the production environment to help to detect memory errors with low overhead. I saw a blog that introduces enable MTE in Android to detect the most common classes of memory safety bugs. Please refer to the document https://security.googleblog.com/2019/08/adopting-arm-memory-tagging-extension.html.
I have updated the CLs for address sanitizer support, The implementation is divided into some smaller CLs 298610, 298611, 298612, 298613, 298614 for review. And with this implementation, the -asan option can check for error memory access to heap objects.
Any opinions? Thank you.
Fannie Zhang
I
think the main change is that "go build" will get a new -asan option.
Thanks.
Ian
On Saturday, March 6, 2021 at 6:45:19 AM UTC+8 Ian Lance Taylor wrote:On Thu, Mar 4, 2021 at 11:37 PM Fannie Zhang <Fannie...@arm.com> wrote:
>
> The address sanitizer (Asan) is a memory error detector, it finds a number of memory access errors that can occur in C, such as out-of-bounds accesses to heap, stack and global objects, and use-after-free. In general, these issues do not occur in the pure Go code, unless people intentionally use the unsafe package. However, people can use cgo to pass memory back and forth between C and Go, which will cause memory access problems.
>
>
>
> Please refer to the following cases.
>
> In this case https://play.golang.org/p/eE_8k4poelj, C passes Go an invalid pointer, causing the Go code to have use-after-free errors.
>
> In this casehttps://play.golang.org/p/wtHjV-4xuiL, Go passes C a pointer, the C code has out-of-bounds access to heap objects errors.
>
> In this case https://play.golang.org/p/rOyEo7I7vTY, Go passes C a pointer, the C code has out-of-bounds access to global objects errors.
>
>
>
> Integrating Asan with Go would detect the above memory errors. So it is useful. And we can instrument ASan in exactly the same way as MSan. As with the -msan option, if we do not run with -asan option, it has no effect on code execution, if you use it, it may find some memory errors. In addition, Asan can help to detect some memory errors that MSan cannot. For example, use-after-free memory error case https://play.golang.org/p/eE_8k4poelj, MSan cannot detect writes on uninitialized memory, while ASan can.
>
>
>
> Although the above cases are not real world cases. However, on the other hand, when debugging a memory error access in a Go program that calls C code, it is really good to be able to use Asan to ensure that code is correct. Obviously, this will require more code to be maintained in the toolchain, but since almost all of the code is next to the existing MSan code, this is quite limited. Besides, Arm has a hardware feature MTE (Memory Tagging Extension), it aims to further mitigate these memory safety bugs by enabling us to detect them with low overhead. If ASan will be proven to be useful, we may consider enabling MTE for ASan. In this way, ASan even be enabled in the production environment to help to detect memory errors with low overhead. I saw a blog that introduces enable MTE in Android to detect the most common classes of memory safety bugs. Please refer to the document https://security.googleblog.com/2019/08/adopting-arm-memory-tagging-extension.html.
>
>
>
> I have updated the CLs for address sanitizer support, The implementation is divided into some smaller CLs 298610, 298611, 298612, 298613, 298614 for review. And with this implementation, the -asan option can check for error memory access to heap objects.
>
>
>
> Any opinions? Thank you.
Thanks for the explanation. This seems reasonable to me. Can you
open a proposal issue for this? See https://golang.org/s/proposal.Thank you Ian. I will do it right now.
I
think the main change is that "go build" will get a new -asan option.Yes, we need to add this change, but it is not the main.
Ian
On Saturday, March 6, 2021 at 6:45:19 AM UTC+8 Ian Lance Taylor wrote:On Thu, Mar 4, 2021 at 11:37 PM Fannie Zhang <Fannie...@arm.com> wrote:
>
> The address sanitizer (Asan) is a memory error detector, it finds a number of memory access errors that can occur in C, such as out-of-bounds accesses to heap, stack and global objects, and use-after-free. In general, these issues do not occur in the pure Go code, unless people intentionally use the unsafe package. However, people can use cgo to pass memory back and forth between C and Go, which will cause memory access problems.
>
>
>
> Please refer to the following cases.
>
> In this case https://play.golang.org/p/eE_8k4poelj, C passes Go an invalid pointer, causing the Go code to have use-after-free errors.
>
> In this casehttps://play.golang.org/p/wtHjV-4xuiL, Go passes C a pointer, the C code has out-of-bounds access to heap objects errors.
>
> In this case https://play.golang.org/p/rOyEo7I7vTY, Go passes C a pointer, the C code has out-of-bounds access to global objects errors.
>
>
>
> Integrating Asan with Go would detect the above memory errors. So it is useful. And we can instrument ASan in exactly the same way as MSan. As with the -msan option, if we do not run with -asan option, it has no effect on code execution, if you use it, it may find some memory errors. In addition, Asan can help to detect some memory errors that MSan cannot. For example, use-after-free memory error case https://play.golang.org/p/eE_8k4poelj, MSan cannot detect writes on uninitialized memory, while ASan can.
>
>
>
> Although the above cases are not real world cases. However, on the other hand, when debugging a memory error access in a Go program that calls C code, it is really good to be able to use Asan to ensure that code is correct. Obviously, this will require more code to be maintained in the toolchain, but since almost all of the code is next to the existing MSan code, this is quite limited. Besides, Arm has a hardware feature MTE (Memory Tagging Extension), it aims to further mitigate these memory safety bugs by enabling us to detect them with low overhead. If ASan will be proven to be useful, we may consider enabling MTE for ASan. In this way, ASan even be enabled in the production environment to help to detect memory errors with low overhead. I saw a blog that introduces enable MTE in Android to detect the most common classes of memory safety bugs. Please refer to the document https://security.googleblog.com/2019/08/adopting-arm-memory-tagging-extension.html.
>
>
>
> I have updated the CLs for address sanitizer support, The implementation is divided into some smaller CLs 298610, 298611, 298612, 298613, 298614 for review. And with this implementation, the -asan option can check for error memory access to heap objects.
>
>
>
> Any opinions? Thank you.
Thanks for the explanation. This seems reasonable to me. Can you
open a proposal issue for this? See https://golang.org/s/proposal.Thank you Ian. I will do it right now.
Hi Zhang,Great new development! -- definitely can be useful for us as well.One question: do you plan to support detecting memory errors in pure Go code -- caused by sloppy use of unsafe pointers? Or is it purely for C/Go interaction?
вторник, 23 марта 2021 г. в 13:55:16 UTC+3, Fannie...@arm.com:> The current implenmentation of ASan in Go just detect the error memory access to heap objects. So if the pointer is allocated on heap, the ASan can detecte the memory access errors caused by the use of unsafe pointers both in pure Go codes and CGO codes.> The pure Go case: https://play.golang.org/p/W-i_5YC_qjXLet me modify your case a bit: https://play.golang.org/p/nKoBcMA2rjOIt seems that in the modified case (the only difference is stack vs heap for intSlice object) ASan won't detect a memory error, right?
TBH, this is odd. Especially given that Go places objects on stack via escape analysis, that might became better in the future and start placing some previously heap objects on stack, essentially inadvertently removing them from ASan scope.
To clarify, I don't think this is a deal breaker for accepting your development; just a potential point of improvement
вторник, 23 марта 2021 г. в 13:55:16 UTC+3, Fannie...@arm.com:
Ian, Dmitry, do you think that an ASan extension that would add support for stack objects have a chance to be accepted? The crucial difference here is that Fannie presented a valid use case (for heap objects), while the only use case for checking stack objects I can think of is "sloppy usage of unsafe pointers".
It seems that in the modified case (the only difference is stack vs heap for intSlice object) ASan won't detect a memory error, right?The ASan can detect the memory error in the modified case. Because "intSlice" is moved to heap via escape analysis.
In this pure Go case https://play.golang.org/p/wPzqFFLTcoi, the memory error cannot be detected by ASan.
Can you show us an example that Go placing some previously heap objects on stack via escape analysis? Thank you.
On Thu, Mar 25, 2021 at 8:35 AM Fannie...@arm.com <Fannie...@arm.com> wrote:
As we discussed above, we currently have no good ideas and no plan to implement it. Thank you.