Presentation is loading. Please wait.

Presentation is loading. Please wait.

Traffic Server Debugging using ASAN / TSAN Brian Geffon.

Published byLoraine Richardson Modified over 9 years ago

Similar presentations

Presentation on theme: "Traffic Server Debugging using ASAN / TSAN Brian Geffon."— Presentation transcript:

1 Traffic Server Debugging using ASAN / TSAN Brian Geffon

2 What exactly is ASAN ASAN : Address Sanitizer – ASAN is a Memory Error Detector for C/C++ – Created by Google https://code.google.com/p/address-sanitizer/

3 What can I use ASAN to find? Use after free (dangling pointer reference) Heap Buffer Overflow

4 What can I use ASAN to find? Stack buffer overflow Global buffer overflow

5 What can I use ASAN to find? Use after return

6 What can I use ASAN to find? Initialization Order Bugs (aka. Static Initialization Order Fiasco)

7 What can I use ASAN to find? Memory Leaks!

8 How does it work? The tool consists of a compiler instrumentation module and a runtime library that replaces malloc / free / new / delete / etc. The memory around the malloc-ed regions (red zones) is poisoned. The free-ed memory is placed in quarantine and also poisoned.

9 How does it work? Before After Not too different from Valgrind or other tools, ASAN is great because it’s FAST. https://code.google.com/p/address-sanitizer/wiki/AddressSanitizerAlgorithm

10 Don’t tools like this slow things down? YES, Yes they do! Valgrind typically introduces a slowdown of 10 to 20x. ASAN introduces a slowdown of roughly 2x

11 Performance of ASAN https://code.google.com/p/address-sanitizer/wiki/PerformanceNumbers

12 Getting / Using ASAN ASAN is included in LLVM versions > 3.1 ASAN is included with GCC versions > 4.8 Unfortunately, you cannot just LD_PRELOAD the library like TCMALLOC or JEMALLOC. You’ll have to recompile.

13 Using ASAN You need to compile and link with the -fsanitize=address switch. To get the best possible stack traces make sure to also include - fno-omit-frame-pointer ASAN will require around 20TB of Virtual Memory (YES, 20TB). So you’ll likely need to enable memory overcommit if you have hard limits: sudo sysctl –w vm.overcommit_memory=1

14 But what about freelists? Given that Traffic Server uses freelist the memory is never out of scope…so once we suspect a memory bug we’ll need to disable freelist + enable ASAN../configure –disable-freelist \ CXXFLAGS=“-fsanitize=address –fno-omit- frame-pointer …”

15 Memory Corruption masked by Freelists These bugs are very difficult to find Because it’s a race condition. It requires the object to be returned to the freelist early and another thread to pick it up and starting using it in such a way that causes one of the two threads to crash. These are almost always dangling encapsulated pointers.

16 When to suspect memory problems w/ Freelists Typically it will look like a random crash, it won’t be entirely clear why memory has become corrupted Frequently you’ll spot an inconsistency between a code path and a variable value.

17 Variable / Codepath Mismatch A common example might be: if (close_connection) { a->boom(); // something weird happens here } (gdb) p close_connection close_connection = false // WTF? It appears the object has been recycled and is being used by two different threads, it’s clearly been reinitalized.

18 Let’s see the power of ASAN This example is based on a REAL bug. I’ll demo what we actually saw in a production environment (using a fake server). What we’ll see from the crash is something that is very very hard to explain…

19 Debug Builds Please consider running your internal integration / unit tests w/ ASAN. This extra coverage might uncover memory corruption bugs. Most plugins rely on malloc / new / etc, so you’ll actually be able to catch plugin bugs too.

20 Debug Production Builds Because ASAN doesn’t hurt performance too much please consider deploying a debug production build to help unmask these type of bugs. Every has a slightly different use case. We found 2 bugs between 5.0 and 5.2 that were of these type. docs.trafficserver.apache.org has an ASAN build: but it simply doesn’t get enough load to uncover most of these race conditions.

21 Using ASAN w/ GDB (gdb) break __asan_report_error Otherwise you’ll exit gdb before you have a chance to inspect the frame

Download ppt "Traffic Server Debugging using ASAN / TSAN Brian Geffon."

Similar presentations

11-Jun-14 The assert statement. 2 About the assert statement The purpose of the assert statement is to give you a way to catch program errors early The.

11-Jun-14 The assert statement. 2 About the assert statement The purpose of the assert statement is to give you a way to catch program errors early The.
Introduction to Memory Management. 2 General Structure of Run-Time Memory.

Introduction to Memory Management. 2 General Structure of Run-Time Memory.
Computer Security: Principles and Practice EECS710: Information Security Professor Hossein Saiedian Fall 2014 Chapter 10: Buffer Overflow.

Computer Security: Principles and Practice EECS710: Information Security Professor Hossein Saiedian Fall 2014 Chapter 10: Buffer Overflow.
Hastings Purify: Fast Detection of Memory Leaks and Access Errors.

Hastings Purify: Fast Detection of Memory Leaks and Access Errors.
Breno de MedeirosFlorida State University Fall 2005 Buffer overflow and stack smashing attacks Principles of application software security.

Breno de MedeirosFlorida State University Fall 2005 Buffer overflow and stack smashing attacks Principles of application software security.
1 CHAPTER 8 BUFFER OVERFLOW. 2 Introduction One of the more advanced attack techniques is the buffer overflow attack Buffer Overflows occurs when software.

1 CHAPTER 8 BUFFER OVERFLOW. 2 Introduction One of the more advanced attack techniques is the buffer overflow attack Buffer Overflows occurs when software.
CS510 Advanced OS Seminar Class 10 A Methodology for Implementing Highly Concurrent Data Objects by Maurice Herlihy.

CS510 Advanced OS Seminar Class 10 A Methodology for Implementing Highly Concurrent Data Objects by Maurice Herlihy.
Honors Compilers Addressing of Local Variables Mar 19 th, 2002.

Honors Compilers Addressing of Local Variables Mar 19 th, 2002.
C and Data Structures Baojian Hua

C and Data Structures Baojian Hua
Microprocessors Frame Pointers and the use of the –fomit-frame-pointer switch Feb 25th, 2002.

Microprocessors Frame Pointers and the use of the –fomit-frame-pointer switch Feb 25th, 2002.
Memory Layout C and Data Structures Baojian Hua

Memory Layout C and Data Structures Baojian Hua
Security Exploiting Overflows. Introduction r See the following link for more info: operating-systems-and-applications-in-

Security Exploiting Overflows. Introduction r See the following link for more info: operating-systems-and-applications-in-
CIS*2450 Seminar I Makefiles Debugging/Design Approaches Exception Handling Library Revision Control Designed by: Terry Moreland Updated by: Tom Crabtree.

CIS*2450 Seminar I Makefiles Debugging/Design Approaches Exception Handling Library Revision Control Designed by: Terry Moreland Updated by: Tom Crabtree.
CS 11 C track: lecture 5 Last week: pointers This week: Pointer arithmetic Arrays and pointers Dynamic memory allocation The stack and the heap.

CS 11 C track: lecture 5 Last week: pointers This week: Pointer arithmetic Arrays and pointers Dynamic memory allocation The stack and the heap.
Outline Midterm results Static variables Memory model

Outline Midterm results Static variables Memory model
Dynamic Memory Allocation Conventional array and other data declarations An incorrect attempt to size memory dynamically Requirement for dynamic allocation.

Dynamic Memory Allocation Conventional array and other data declarations An incorrect attempt to size memory dynamically Requirement for dynamic allocation.
Goals: To gain an understanding of assembly To get your hands dirty in GDB.

Goals: To gain an understanding of assembly To get your hands dirty in GDB.
Computer Science Detecting Memory Access Errors via Illegal Write Monitoring Ongoing Research by Emre Can Sezer.

Computer Science Detecting Memory Access Errors via Illegal Write Monitoring Ongoing Research by Emre Can Sezer.
Computer Science and Software Engineering University of Wisconsin - Platteville 2. Pointer Yan Shi CS/SE2630 Lecture Notes.

Computer Science and Software Engineering University of Wisconsin - Platteville 2. Pointer Yan Shi CS/SE2630 Lecture Notes.
Testing and Debugging Version 1.0. All kinds of things can go wrong when you are developing a program. The compiler discovers syntax errors in your code.

Testing and Debugging Version 1.0. All kinds of things can go wrong when you are developing a program. The compiler discovers syntax errors in your code.

Similar presentations

Ads by Google