
Why does ulimit -v not work under clang's address sanitizer?

I'm using libFuzzer to fuzz an API. The API is deserializing an array of bits (given by libFuzzer) and converting them into C++ class instantiations.

Due to the serialization format, libFuzzer is able to construct a serialized object that tells the deserializer to reserve large amounts of data (which cannot be met). This is done through calls to std::vector::resize(). The vector throws a std::bad_alloc, and although the problem is caught and safely mitigated, it causes extreme lag in the fuzzer (as mentioned in the following documentation on OOM issues).

In an attempt to lower the amount of memory used when the fuzzer is running, I was hoping to set ulimit -v and adjust the available virtual memory of the process. However, doing so causes

==27609==ERROR: AddressSanitizer failed to allocate 0xdfff0001000 (15392894357504) bytes at address 2008fff7000 (errno: 12)
==27609==ReserveShadowMemoryRange failed while trying to map 0xdfff0001000 bytes. Perhaps you're using ulimit -v

Why can't the address sanitizer work under ulimit -v? I wish it could, then I might be able to fuzz more effectively.

Other information:
My build flags were:

copts = [
    "-fsanitize=address,fuzzer",
    "-fsanitize-trap=undefined,integer",
    "-fsanitize-coverage=trace-pc,trace-cmp,trace-pc-guard",
    "-g",
    "-O0",
    "-fno-omit-frame-pointer",
    "-fno-sanitize=vptr",
],
linkopts = [
    "-fsanitize=address,fuzzer",
    "-fsanitize-trap=undefined,integer",
    "-fno-sanitize=vptr",
    "-fsanitize-link-c++-runtime",
],

I tried turning flags off so I could set ulimit and run the fuzzer:

copts = [
    "-fsanitize=fuzzer",
    "-g",
    "-O0",
    "-fno-omit-frame-pointer",
],
linkopts = [
    "-fsanitize=fuzzer",
],

but this causes an immediate segfault.
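An added example (not from the question or the answer, and not the poster's real API) of the deserializer-side fix that removes the huge resize() regardless of ulimit: a hypothetical length-prefixed record format where the checked parser bounds the declared element count by the bytes actually present, so a fuzzer-chosen count can never drive it into std::bad_alloc. Item, readCount, deserializeNaive and deserializeChecked are assumed names.

```cpp
#include <algorithm>
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <vector>

// Constructed record format for this example: a 4-byte little-endian count
// followed by that many fixed-size items. All names here are hypothetical.
struct Item { uint8_t bytes[16]; };
constexpr size_t kItemSize = sizeof(Item);

static uint32_t readCount(const uint8_t* p) {
    return uint32_t(p[0]) | (uint32_t(p[1]) << 8) | (uint32_t(p[2]) << 16) |
           (uint32_t(p[3]) << 24);
}

// Naive deserializer: trusts the count and hands it straight to resize().
// A fuzzer-chosen prefix such as 0xFFFFFFFF requests 64 GiB, so every such
// input ends in std::bad_alloc (or an ASan allocation failure) and the slow
// path the question describes. Kept only for comparison; not exercised.
bool deserializeNaive(const uint8_t* data, size_t size, std::vector<Item>& out) {
    if (size < 4) return false;
    const uint32_t count = readCount(data);
    out.resize(count);                          // unchecked allocation
    const size_t avail = std::min(size - 4, size_t(count) * kItemSize);
    if (avail) std::memcpy(out.data(), data + 4, avail);
    return true;
}

// Checked deserializer: the declared count may not exceed what the remaining
// bytes can hold, so no allocation larger than the input itself is attempted.
// Under libFuzzer the input length is capped by -max_len, which therefore
// also caps the allocation.
bool deserializeChecked(const uint8_t* data, size_t size, std::vector<Item>& out) {
    if (size < 4) return false;
    const uint32_t count = readCount(data);
    const size_t remaining = size - 4;
    if (count > remaining / kItemSize) return false;   // bounded by input
    out.resize(count);
    if (count) std::memcpy(out.data(), data + 4, size_t(count) * kItemSize);
    return true;
}

// libFuzzer entry point wired to the checked parser.
extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
    std::vector<Item> items;
    deserializeChecked(data, size, items);
    return 0;
}
```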

Asan reserves 1/8-th of process address space for shadow memory at startup to hold status of user data (allocated, freed, etc.). This is by design and there is nothing one can do about it.

Note that you generally don't care about virtual memory but rather the physical one (which is also causing new to fail in your case).
