
ASAN Snippets


This page outlines various parts of ASAN instrumentation.

Constructor and Initialization

ASAN registers a new constructor in .init_array; below are the contents of the initialization function it registers.

	.align	16, 0x90
	.type	asan.module_ctor,@function
#-----------------------------------------------------------------------
# void asan.module_ctor(void)
# Compiler-emitted ASan module constructor, run from .init_array.
# ABI:   SysV AMD64 (GAS, AT&T syntax)
# In:    nothing
# Out:   nothing (rax is pushed/popped around the body, so it is
#        restored, but the function returns void)
# Calls: __asan_init
#        __asan_version_mismatch_check_v6
#        __asan_register_globals(&__unnamed_1, 3)
# Stack: one 8-byte push; rsp is 16-byte aligned at every callq below
#-----------------------------------------------------------------------
asan.module_ctor:                       # @asan.module_ctor
	.cfi_startproc
# BB#0:
	pushq	%rax                    # alignment pad, not a save: rsp%16 == 8 on entry, == 0 after this
.Ltmp11:
	.cfi_def_cfa_offset 16
	callq	__asan_init@PLT         # bring up the ASan runtime before any globals are registered
	callq	__asan_version_mismatch_check_v6@PLT  # presumably refuses to continue if the runtime's interface version != v6 (the version this object was compiled against) -- confirm against the runtime
	leaq	__unnamed_1(%rip), %rdi # arg0: globals = &__unnamed_1 (RIP-relative, PIC-safe)
	movl	$3, %eax
	movl	%eax, %esi              # arg1: n = 3, the number of __asan_global records in __unnamed_1
	callq	__asan_register_globals@PLT
	popq	%rax                    # drop the alignment pad
	retq
.Lfunc_end3:
	.size	asan.module_ctor, .Lfunc_end3-asan.module_ctor
	.cfi_endproc

Destructor and Deinitialization

ASAN registers a new destructor in .fini_array; below are the contents of the deinitialization function it registers.

	.align	16, 0x90
	.type	asan.module_dtor,@function
#-----------------------------------------------------------------------
# void asan.module_dtor(void)
# Compiler-emitted ASan module destructor, run from .fini_array.
# Mirrors asan.module_ctor: the same table and the same count are
# handed back to the runtime for unregistration.
# ABI:   SysV AMD64 (GAS, AT&T syntax)
# In:    nothing
# Out:   nothing (rax pushed/popped around the body)
# Calls: __asan_unregister_globals(&__unnamed_1, 3)
# Stack: one 8-byte push; rsp is 16-byte aligned at the callq
#-----------------------------------------------------------------------
asan.module_dtor:                       # @asan.module_dtor
	.cfi_startproc
# BB#0:
	pushq	%rax                    # alignment pad, not a save: rsp%16 == 8 on entry, == 0 after this
.Ltmp12:
	.cfi_def_cfa_offset 16
	leaq	__unnamed_1(%rip), %rdi # arg0: globals = &__unnamed_1 (RIP-relative, PIC-safe)
	movl	$3, %eax
	movl	%eax, %esi              # arg1: n = 3, must match the count given to __asan_register_globals
	callq	__asan_unregister_globals@PLT
	popq	%rax                    # drop the alignment pad
	retq
.Lfunc_end4:
	.size	asan.module_dtor, .Lfunc_end4-asan.module_dtor
	.cfi_endproc

Notes on __asan_(de)register_globals

Function Prototype: void __asan_register_globals(__asan_global *globals, uptr n)

Where, __asan_global is defined in lib/asan/asan_interface_internal.h:

  // This structure describes an instrumented global variable.
  // One record per global; __asan_register_globals receives an array of
  // n of them. uptr is a pointer-sized unsigned integer, so on x86-64
  // every field is 8 bytes (one .quad in the assembly listing).
  struct __asan_global {
    uptr beg;                // The address of the global.
    uptr size;               // The original size of the global.
    uptr size_with_redzone;  // The size with the redzone.
    const char *name;        // Name as a C string.
    const char *module_name; // Module name as a C string. This pointer is a
                             // unique identifier of a module.
    uptr has_dynamic_init;   // Non-zero if the global has dynamic initializer.
    __asan_global_source_location *location;  // Source location of a global,
                                              // or NULL if it is unknown.
    uptr odr_indicator;      // The address of the ODR indicator symbol.
                             // Not present in the 7-quad records of the
                             // __unnamed_1 listing on this page.
  };

Equivalently, this is how that structure is laid out in the data section of the assembly. Note that the listing below holds seven .quad fields per global (168 bytes / 3 globals = 56 bytes each), so each record ends at `location` and does not carry the `odr_indicator` field from the header above; the two snippets presumably come from different compiler/runtime versions.

	.type	__unnamed_1,@object     # @0
	.data
	.align	16
# __asan_global __unnamed_1[3]: the table passed to __asan_register_globals
# and __asan_unregister_globals with n = 3.
# Each record is seven .quad fields (56 bytes; .size 168 == 3 * 56), i.e.
# beg, size, size_with_redzone, name, module_name, has_dynamic_init, location.
# No odr_indicator quad is emitted here. The table sits in .data, so it is
# writable at run time.
__unnamed_1:
	.quad	KEY                     # [0].beg
	.quad	72                      # 0x48  [0].size
	.quad	128                     # 0x80  [0].size_with_redzone
	.quad	.L__asan_gen_.3         # [0].name
	.quad	.L__asan_gen_.2         # [0].module_name (same string for all three records)
	.quad	0                       # 0x0   [0].has_dynamic_init
	.quad	.L__asan_gen_.5         # [0].location
	.quad	BAR                     # [1].beg
	.quad	72                      # 0x48  [1].size
	.quad	128                     # 0x80  [1].size_with_redzone
	.quad	.L__asan_gen_.6         # [1].name
	.quad	.L__asan_gen_.2         # [1].module_name
	.quad	0                       # 0x0   [1].has_dynamic_init
	.quad	.L__asan_gen_.8         # [1].location
	.quad	.str                    # [2].beg (presumably a string literal -- 3 bytes, see size)
	.quad	3                       # 0x3   [2].size
	.quad	64                      # 0x40  [2].size_with_redzone
	.quad	.L__asan_gen_.9         # [2].name
	.quad	.L__asan_gen_.2         # [2].module_name
	.quad	0                       # 0x0   [2].has_dynamic_init
	.quad	.L__asan_gen_.11        # [2].location
	.size	__unnamed_1, 168

Safety Checks

See AsanAlg for more details; this section is a condensed summary of it, meant as a quick reference when implementing.