0. 机器环境

• centos7
• gcc (GCC) 4.8.5 20150623 (Red Hat 4.8.5-11)

1. 安装libasan（安装过忽略此条）

yum install libasan
yum install llvm

2. 使用AddressSanitizer

gcc -fsanitize=address -fno-omit-frame-pointer -O1 -g -o main main.cpp

需要在使用 GCC 或 Clang 编译链接程序时加上 -fsanitize=address 开关（性能慢一半）。为了获得合理的性能，可以加上 -O1 或更高。为了在错误信息中获得更友好的栈追踪信息可以加上 -fno-omit-frame-pointer。为了获得完美的栈追踪信息，还可以禁用内联（使用 -O1）和尾调用消除（-fno-optimize-sibling-calls），-g可以换成-ggdb更有益gdb调试。

可能遇到编译错误：undefined reference to `__asan_report_store8'
在编译选项和连接选项里都添加-fsanitize=address

3. 运行

ASAN_SYMBOLIZER_PATH=$(which llvm-symbolizer) ./main

• 单独运行 ./main 可能出现 WARNING: invalid path to external symbolizer!导致看不到具体文件符号，错误在哪行代码；
• 如果ASAN_SYMBOLIZER_PATH失败的话换成MSAN_SYMBOLIZER_PATH；

4. AddressSanitizer内存错误类型

• Use after free：访问堆上已经被释放的内存
• Heap buffer overflow：堆上缓冲区访问溢出
• Stack buffer overflow：栈上缓冲区访问溢出
• Global buffer overflow：全局缓冲区访问溢出
• Use after return：访问栈上已被释放的内存
• Use after scope：栈对象使用超过定义范围
• Initialization order bugs：初始化命令错误
• Memory leaks：内存泄漏

5. 错误类型示例

(1) heap-buffer-overflow

int main(int argc, char **argv)
{
    //int a[9];
    int *a = new int(9);
    a[11] ++;
    return a[11];
}

=================================================================
==6515== ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60040000e01c at pc 0x400881 bp 0x7ffd91a90a10 sp 0x7ffd91a90a00
READ of size 4 at 0x60040000e01c thread T0
    #0 0x400880 in main /home/work/test/main.cpp:5
    #1 0x7f70a3f40b34 in __libc_start_main (/lib64/libc.so.6+0x21b34)
    #2 0x400748 in _start (/home/work/test/main+0x400748)
0x60040000e01c is located 12 bytes to the right of 0-byte region [0x60040000e010,0x60040000e010)
==6515== AddressSanitizer CHECK failed: ../../../../libsanitizer/asan/asan_allocator2.cc:216 "((id)) != (0)" (0x0, 0x0)
    #0 0x7f70a4b13b9a (/lib64/libasan.so.0+0x12b9a)
    #1 0x7f70a4b1ae03 (/lib64/libasan.so.0+0x19e03)
    #2 0x7f70a4b06426 (/lib64/libasan.so.0+0x5426)
    #3 0x7f70a4b189ff (/lib64/libasan.so.0+0x179ff)
    #4 0x7f70a4b19be1 (/lib64/libasan.so.0+0x18be1)
    #5 0x7f70a4b13fc2 (/lib64/libasan.so.0+0x12fc2)
    #6 0x400880 in main /home/work/test/main.cpp:6
    #7 0x7f70a3f40b34 in __libc_start_main (/lib64/libc.so.6+0x21b34)
    #8 0x400748 in _start (/home/work/test/main+0x400748)

(2) stack-buffer-overflow

int main(int argc, char **argv)
{
    int a[9];
    //int *a = new int(9);
    a[11] ++;
    return a[11];
}

=================================================================
==6605== ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffdc56432ac at pc 0x4007d9 bp 0x7ffdc5643240 sp 0x7ffdc5643230
READ of size 4 at 0x7ffdc56432ac thread T0
    #0 0x4007d8 in main /home/work/test/main.cpp:5
    #1 0x7f9010e30b34 in __libc_start_main (/lib64/libc.so.6+0x21b34)
    #2 0x400688 in _start (/home/work/test/main+0x400688)
Address 0x7ffdc56432ac is located at offset 76 in frame <main> of T0's stack:
  This frame has 1 object(s):
    [32, 68) 'a'
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow /home/work/test/main.cpp:6 main
Shadow bytes around the buggy address:
  0x100038ac0600: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100038ac0610: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100038ac0620: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100038ac0630: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100038ac0640: 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1
=>0x100038ac0650: 00 00 00 00 04[f4]f4 f4 f3 f3 f3 f3 00 00 00 00
  0x100038ac0660: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100038ac0670: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100038ac0680: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100038ac0690: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100038ac06a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:     fa
  Heap righ redzone:     fb
  Freed Heap region:     fd
  Stack left redzone:    f1
  Stack mid redzone:     f2
  Stack right redzone:   f3
  Stack partial redzone: f4
  Stack after return:    f5
  Stack use after scope: f8
  Global redzone:        f9
  Global init order:     f6
  Poisoned by user:      f7
  ASan internal:         fe
==6605== ABORTING

6. 参考：

[1]如何排查大型C程序中的内存写越界导致的coredump？
[2]应用 AddressSanitizer 发现程序内存错误
[3]Linux 下的 AddressSanitizer
[4]从segmentfault段错误谈起-(1)
[5]踩内存专题分析
[6]How to use AddressSanitizer with GCC?