runtime: enable address sanitizer in Go

[zhangfannie]

The address sanitizer (Asan) is a memory error detector, it finds a number of memory access errors that can occur in C, such as out-of-bounds accesses to heap, stack and global objects, and use-after-free. In general, these issues do not occur in the pure Go code, unless people intentionally use the unsafe package. However, people can use cgo to pass memory back and forth between C and Go, which will cause memory access problems.

Please refer to the following cases.
In this case (case-1) https://play.golang.org/p/eE_8k4poelj, C passes Go an invalid pointer, causing the Go code to have use-after-free errors. In this case (case-2) https://play.golang.org/p/wtHjV-4xuiL, Go passes C a pointer, the C code has out-of-bounds access to heap objects errors. In this case (case-3) https://play.golang.org/p/rOyEo7I7vTY, Go passes C a pointer, the C code has out-of-bounds access to global objects errors.

Integrating Asan with Go would detect the above memory errors. So it is useful. In addition, Asan can help to detect some memory errors that MSan cannot. For example, use-after-free memory error case https://play.golang.org/p/eE_8k4poelj, MSan cannot detect writes on uninitialized memory, while ASan can.

And we can instrument ASan in exactly the same way as MSan. As with the -msan option, if we do not run with -asan option, it has no effect on code execution, if you use it, it may find some memory errors.

Although the above cases are not real world cases. However, on the other hand, when debugging a memory error access in a Go program that calls C code, it is really good to be able to use Asan to ensure that code is correct. Obviously, this will require more code to be maintained in the toolchain, but since almost all of the code is next to the existing MSan code, this is quite limited.

Besides, Arm has a hardware feature MTE (Memory Tagging Extension), it aims to further mitigate these memory safety bugs by enabling us to detect them with low overhead. If ASan will be proven to be useful, we may consider enabling MTE for ASan. In this way, ASan even be enabled in the production environment to help to detect memory errors with low overhead. I saw a blog that introduces enable MTE in Android to detect the most common classes of memory safety bugs. Please refer to the document https://security.googleblog.com/2019/08/adopting-arm-memory-tagging-extension.html.

Thank you.

[zhangfannie]

I have updated the CLs for address sanitizer support, The implementation is divided into some smaller CLs 298610, 298611, 298612, 298613, 298614 for review. And with the current implementation, the -asan option can check for error memory access to heap objects. Thank you.

[AZ-X]

I care about size of binary. Can you compare both size including small samples(<5M) and big samples(>10M)?

[zhangfannie]

@AZ-X If you run the go program without the -asan option, the size of binary will not change. Generally, we only enable the address sanitizer in the test environment to help detect memory access issues, so I think the size of binary is not important. Thank you.

[zhangfannie]

@AZ-X Regarding your question, my answer above seems too one-sided. I wrote a test case to compare the size of binary, and the size of binary with -asan is almost 10% larger than that without -asan. Please refer to the following results.

func main() {
        var overall [][]int
        var m runtime.MemStats
        s := 2*1024*1024                 //  >10M big samples
        //s := 10*1024                     // <1M small samples
        for i := 0; i < 10; i++ {
                a := make([]int, 0, 10*s)
                overall = append(overall, a)
        }
        runtime.ReadMemStats(&m)
        fmt.Printf("Alloc = %v MB", bToMb(m.Alloc))
}
func bToMb(b uint64) uint64 {
        return b / 1024 / 1024
}

// the binay size:

  size           binary
2154616   big_asan               // build with -asan and big samples
1950161   big_noasan           // build without -asan and big samples  
2154624   small_asan            // build with -asan and small samples
1950161   small_noasan        // build without -asan and small samples
1940941   big_main              // build with master go and big samples
1940949   small_main           // build with master go and small samples

From the above result, the size of binary is bigger. But as I mentioned above, we don't recommend opening the asan option in a production environment. The factors to consider are not only size, but also performance. The good news is that ARM64 has a new feature of MTE, which is designed to detect error memory accesses with lower overhead. If ASan with MTE is enabled in Go in the future, the impact on performance and the size of the binary will be relatively small. Thank you.

[dvyukov]

If ASan with MTE is enabled in Go in the future

Do we need any support for this at all?
I would assume this will be done by just exporting some env var to enable MTE in the system malloc, e.g.:
https://sourceware.org/pipermail/libc-alpha/attachments/20200615/c8ef9e4e/attachment-0001.bin
https://patchwork.ozlabs.org/project/glibc/patch/8306e032-f980-a409-5239-74629e79d041@arm.com/
Or maybe in future it will be the default, so one doesn't need to do anything at all.

Though it can make sense to support MTE in Go runtime:
https://groups.google.com/g/golang-dev/c/ACKO07YeeW8/m/DX61CERlAwAJ

[zhangfannie]

Or maybe in future it will be the default, so one doesn't need to do anything at all.

In fact, we need to do something. Because Go has its own memory allocator, see https://golang.org/src/runtime/malloc.go, we may follow the implementaion in glic, refactor Go memory allcator (regarding the implementation details, I haven't done in-depth research. 🙂), setup memory tagging support if the hardware support it and if the user has requested it. Thank you.

[dvyukov]

Yes, that's what I mean by "support MTE in Go runtime". But we don't need anything related to asan (linking asan, asan hooks, etc)

[zhangfannie]

Yes, that's what I mean by "support MTE in Go runtime". But we don't need anything related to asan (linking asan, asan hooks, etc)

Yes, you are right. With MTE, all load and store instructions, except for with SP base register and immediate offset, do check tags. Here https://github.com/google/sanitizers/wiki/Stack-instrumentation-with-ARM-Memory-Tagging-Extension-(MTE) introduces how MTE works for stack. Thank you.

[gopherbot]

Change https://golang.org/cl/298610 mentions this issue: cmd/link: add -asan option

[gopherbot]

Change https://golang.org/cl/298611 mentions this issue: cmd/compile: add -asan option

[gopherbot]

Change https://golang.org/cl/298612 mentions this issue: cmd/go: add -asan option

[gopherbot]

Change https://golang.org/cl/298613 mentions this issue: runtime, runtime/asan: add asan runtime support