AddressSanitizer 能够报出哪里分配的内存没有被释放

User after free 是指访问释放的内存，针对 use after free 错误，AddressSanitizer 能够报出使用释放地址的代码栈，地址分配的代码栈，地址释放的代码栈。比如：https://github.com/apache/doris/issues/9525中，使用释放地址的代码栈如下：

82849==ERROR: AddressSanitizer: heap-use-after-free on address 0x60300074c420 at pc 0x56510f61a4f0 bp 0x7f48079d89a0 sp 0x7f48079d8990
READ of size 1 at 0x60300074c420 thread T94 (MemTableFlushTh)

#0 0x56510f61a4ef in doris::faststring::append(void const*, unsigned long) /mnt/ssd01/tjp/incubator-doris/be/src/util/faststring.h:120

// 更详细的代码栈请前往https://github.com/apache/doris/issues/9525查看
1
2
3
4
此地址初次分配的代码栈如下：

previously allocated by thread T94 (MemTableFlushTh) here:

#0 0x56510e9b74b7 in __interceptor_malloc (/mnt/ssd01/tjp/regression_test/be/lib/palo_be+0x536a4b7)
#1 0x56510ee77745 in Allocator<false, false>::alloc_no_track(unsigned long, unsigned long) /mnt/ssd01/tjp/incubator-doris/be/src/vec/common/allocator.h:223
#2 0x56510ee68520 in Allocator<false, false>::alloc(unsigned long, unsigned long) /mnt/ssd01/tjp/incubator-doris/be/src/vec/common/allocator.h:104

1
2
3
4
地址释放的代码栈如下：

0x60300074c420 is located 16 bytes inside of 32-byte region [0x60300074c410,0x60300074c430)
freed by thread T94 (MemTableFlushTh) here:

#0 0x56510e9b7868 in realloc (/mnt/ssd01/tjp/regression_test/be/lib/palo_be+0x536a868)
#1 0x56510ee8b913 in Allocator<false, false>::realloc(void*, unsigned long, unsigned long, unsigned long) /mnt/ssd01/tjp/incubator-doris/be/src/vec/common/allocator.h:125
#2 0x56510ee814bb in void doris::vectorized::PODArrayBase<1ul, 4096ul, Allocator<false, false>, 15ul, 16ul>::realloc<>(unsigned long) /mnt/ssd01/tjp/incubator-doris/be/src/vec/common/pod_array.h:147

1
2
3
4
5
有了详细的非法访问地址代码栈、分配代码栈、释放代码栈，问题定位就会非常容易。

说明：限于文章篇幅，示例中的栈展示不全，完整代码栈可以前往对应 Issue 中进行查看。

heap buffer overflow
AddressSanitizer 能够报出 heap buffer overflow 的代码栈。

比如https://github.com/apache/doris/issues/5951 里的，结合运行时生成的 Core Dump 文件就可以快速定位问题。

==3930==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60c000000878 at pc 0x000000ae00ce bp 0x7ffeb16aa660 sp 0x7ffeb16aa658
READ of size 8 at 0x60c000000878 thread T0

#0 0xae00cd in doris::StringFunctions::substring(doris_udf::FunctionContext*, doris_udf::StringVal const&, doris_udf::IntVal const&, doris_udf::IntVal const&) ../src/exprs/string_functions.cpp:98

1
2
3
memory leak
AddressSanitizer 能够报出哪里分配的内存没有被释放，就可以快速的分析出泄露原因。
————————————————