What is Clang?¶

Clang is the C, C++ and Objective C front-end for the LLVM compiler. Thefront-end provides access to LLVM’s optimizer and code generator. Thesanitizers - or checkers - are hooks into the code generation phase toinstrument compiled code so suspicious behavior is flagged.

What are sanitizers?¶

Clang sanitizers are runtime checkers used to identify suspicious and undefinedbehavior. The checking occurs at runtime with actual runtime parameters so falsepositives are kept to a minimum.

There are a number of sanitizers available, but two that should be used on aregular basis are the Address Sanitizer (or ASan) and the Undefined BehaviorSanitizer (or UBSan). ASan is invoked with the compiler option-fsanitize=address, and UBSan is invoked with-fsanitize=undefined. Theflags are passed throughCFLAGS andCXXFLAGS, and sometimes throughCC andCXX (in addition to the compiler).

A complete list of sanitizers can be found atControlling Code Generation.

Clang and its sanitizers have strengths (and weaknesses). Its just one tool inthe war chest to uncovering bugs and improving code quality. Clang should beused to complement other methods, including Code Reviews,Valgrind,etc.

Clang/LLVM setup¶

Pre-built Clang builds are available for most platforms:

• On macOS, Clang is the default compiler.

• For mainstream Linux distros, you can install aclang package.In some cases, you also need to installllvm separately, otherwisesome tools are not available.

• On Windows, the installer for Visual Studio (not Code)includes the “C++ clang tools for windows” feature.

You can also buildclang from source; refer tothe clang documentation for details.

The installer does not install all the components needed on occasion. Forexample, you might want to run ascan-build or examine the results withscan-view. If this is your case, you can build Clang from source andcopy tools fromtools/clang/tools to a directory on yourPATH.

Another reason to build from source is to get the latest version of Clang/LLVM,if your platform’s channels don’t provide it yet.Newer versions of Clang/LLVM introduce new sanitizer checks.

Python build setup¶

This portion of the document covers invoking Clang and LLVM with the optionsrequired so the sanitizers analyze Python with under its test suite.

Set the compiler to Clang, in case it’s not the default:

exportCC="clang"

If you want to use additional sanitizer options (found in Clang documentation),add them to theCFLAGS variable.For example, you may want the checked process to exit after the first failure:

exportCFLAGS="-fno-sanitize-recover"

Then, run./configure with the relevant flags:

• ASan:--with-address-sanitizer--without-pymalloc

• UBsan:--with-undefined-behavior-sanitizer

It is OK to specify both sanitizers.

After that, runmake andmaketest as usual.Note thatmake itself may fail with a sanitizer failure,since the just-compiled Python runs during later stages of the build.

# ASanexportCC="clang -fsanitize=address"exportCXX="clang++ -fsanitize=address -fno-sanitize=vptr"

# UBSanexportCC="clang -fsanitize=undefined"exportCXX="clang++ -fsanitize=undefined -fno-sanitize=vptr"

Analyzing the output¶

Sanitizer failures will make the process fail and output a diagnostic,for example:

Objects/longobject.c:39:42: runtime error: index -1 out of bounds    for type 'PyLongObject [262]'Objects/tupleobject.c:188:13: runtime error: member access within    misaligned address 0x2b76be018078 for type 'PyGC_Head' (aka    'union _gc_head'), which requires 16 byte alignment    0x2b76be018078: note: pointer points here    00 00 00 00  40 53 5a b6 76 2b 00 00  60 52 5a b6 ...                 ^...

If you are using the address sanitizer, an additional tool is needed toget good traces. Usually, this happens automatically through thellvm-symbolizer tool. If this tool is not installed on yourPATH,you can setASAN_SYMBOLIZER_PATH to the location of the tool,or pipe test output throughasan_symbolize.py script from theClang distribution. For example, from Issue 20953 duringcompile (formatting added for clarity):

$ make test 2>&1 | asan_symbolize.py.../usr/local/bin/clang -fsanitize=address -Xlinker -export-dynamic    -o python Modules/python.o libpython3.3m.a -ldl -lutil    /usr/local/ssl/lib/libssl.a /usr/local/ssl/lib/libcrypto.a -lm./python -E -S -m sysconfig --generate-posix-vars===================================================================24064==ERROR: AddressSanitizer: heap-buffer-overflow on address0x619000004020 at pc 0x4ed4b2 bp 0x7fff80fff010 sp 0x7fff80fff008READ of size 4 at 0x619000004020 thread T0  #0 0x4ed4b1 in PyObject_Free Python-3.3.5/./Objects/obmalloc.c:987  #1 0x7a2141 in code_dealloc Python-3.3.5/./Objects/codeobject.c:359  #2 0x620c00 in PyImport_ImportFrozenModuleObject       Python-3.3.5/./Python/import.c:1098  #3 0x620d5c in PyImport_ImportFrozenModule       Python-3.3.5/./Python/import.c:1114  #4 0x63fd07 in import_init Python-3.3.5/./Python/pythonrun.c:206  #5 0x63f636 in _Py_InitializeEx_Private       Python-3.3.5/./Python/pythonrun.c:369  #6 0x681d77 in Py_Main Python-3.3.5/./Modules/main.c:648  #7 0x4e6894 in main Python-3.3.5/././Modules/python.c:62  #8 0x2abf9a525eac in __libc_start_main       /home/aurel32/eglibc/eglibc-2.13/csu/libc-start.c:244  #9 0x4e664c in _start (Python-3.3.5/./python+0x4e664c)AddressSanitizer can not describe address in more detail (wildmemory access suspected).SUMMARY: AddressSanitizer: heap-buffer-overflow  Python-3.3.5/./Objects/obmalloc.c:987 PyObject_FreeShadow bytes around the buggy address:  0x0c327fff87b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  0x0c327fff87c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  0x0c327fff87d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  0x0c327fff87e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  0x0c327fff87f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa=>0x0c327fff8800: fa fa fa fa[fa]fa fa fa fa fa fa fa fa fa fa fa  0x0c327fff8810: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  0x0c327fff8820: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  0x0c327fff8830: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  0x0c327fff8840: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  0x0c327fff8850: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa faShadow byte legend (one shadow byte represents 8 application bytes):  Addressable:           00  Partially addressable: 01 02 03 04 05 06 07  Heap left redzone:     fa  Heap right redzone:    fb  Freed heap region:     fd  Stack left redzone:    f1  Stack mid redzone:     f2  Stack right redzone:   f3  Stack partial redzone: f4  Stack after return:    f5  Stack use after scope: f8  Global redzone:        f9  Global init order:     f6  Poisoned by user:      f7  ASan internal:         fe==24064==ABORTINGmake: *** [pybuilddir.txt] Error 1

-fsanitize-ignorelist=my_ignorelist.txt

fun:_Ios_Fmtflags

./Modules/audioop.c:422:11: runtime error: left shift of negative value -1./Modules/audioop.c:446:19: runtime error: left shift of negative value -1./Modules/audioop.c:476:19: runtime error: left shift of negative value -1./Modules/audioop.c:504:16: runtime error: left shift of negative value -1./Modules/audioop.c:533:22: runtime error: left shift of negative value -128./Modules/audioop.c:775:19: runtime error: left shift of negative value -70./Modules/audioop.c:831:19: runtime error: left shift of negative value -70./Modules/audioop.c:881:19: runtime error: left shift of negative value -1./Modules/audioop.c:920:22: runtime error: left shift of negative value -70./Modules/audioop.c:967:23: runtime error: left shift of negative value -70./Modules/audioop.c:968:23: runtime error: left shift of negative value -70...

fun:audioop_getsample_imp

src:Modules/audioop.c