using_sanitizers.rst 8.1 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211
  1. .. _doc_using_sanitizers:
  2. Using sanitizers
  3. ================
  4. What are sanitizers?
  5. --------------------
  6. Sanitizers are static instrumentation tools that help find bugs that traditional
  7. debuggers usually cannot catch. This is particularly useful when combined with
  8. :ref:`doc_unit_testing` in continuous integration.
  9. Sanitizers can be used on Windows, macOS and Linux by using the Clang (LLVM),
  10. GCC or Visual Studio compilers.
  11. :ref:`Certain platforms <doc_using_sanitizers_platform_specific_sanitizers>`
  12. may also have their own sanitizers available.
  13. In situations where a single sanitizer is provided by several different compilers,
  14. remember that their output and behavior will differ slightly.
  15. Using sanitizers on Godot
  16. -------------------------
  17. Sanitizers **require** recompiling the binary. This means you cannot use
  18. official Godot binaries to run sanitizers.
  19. When :ref:`compiling <toc-devel-compiling>` with any of the sanitizers enabled,
  20. the resulting binary will have the ``.san`` suffix added to its name to
  21. distinguish it from a binary without sanitizers.
  22. There is a performance impact as many additional runtime checks need to be
  23. performed. Memory utilization will also increase. It is possible to enable
  24. certain combinations of multiple sanitizers in a single build. Beware of the
  25. performance impact when using multiple sanitizers at once though, as the
  26. resulting binary may be excessively slow.
  27. Certain options can be passed to sanitizers without having to recompile the
  28. binary using environment variables.
  29. .. _doc_using_sanitizers_address_sanitizer:
  30. Address sanitizer (ASAN)
  31. ------------------------
  32. - Available in Clang and GCC.
  33. - **Supported platforms:** Linux, macOS, Windows (Visual Studio), Web
  34. - `Clang ASAN documentation <https://clang.llvm.org/docs/AddressSanitizer.html>`__
  35. The address sanitizer is generally the most frequently used sanitizer. It can
  36. diagnose issues such as buffer overruns and out-of-bounds access. If the engine
  37. crashes with a message such as ``free(): invalid pointer``, this is typically
  38. the result of a buffer overrun. (This message is printed by the C runtime, not
  39. Godot.)
  40. In certain situations (such as detecting uninitialized memory reads),
  41. the address sanitizer doesn't suffice. The :ref:`doc_using_sanitizers_memory_sanitizer`
  42. should be used instead.
  43. It is also possible to detect use-after-return situations by specifying the
  44. ``ASAN_OPTIONS=detect_stack_use_after_return=1`` environment variable before
  45. *running* Godot (not when compiling it). This increases the address sanitizer's
  46. runtime overhead, so only enable this feature when you actually need it.
  47. To enable the address sanitizer in a Godot build, pass the ``use_asan=yes``
  48. SCons option when compiling. Enabling ASAN generally makes the resulting binary
  49. about 2× slower.
  50. .. warning::
  51. Due to a `design decision
  52. <https://stackoverflow.com/questions/36971902/why-cant-clang-enable-all-sanitizers/>`__,
  53. the address, memory and thread sanitizers are mutually exclusive. This means
  54. you can only use one of those sanitizers in a given binary.
  55. Leak sanitizer (LSAN)
  56. ---------------------
  57. - Available in Clang and GCC.
  58. - **Supported platforms:** Linux, Web
  59. - `Clang LSAN documentation <https://clang.llvm.org/docs/LeakSanitizer.html>`__
  60. The leak sanitizer can detect memory leaks, which are situations where memory
  61. that is no longer in use is never freed by the running program. This can
  62. potentially lead to out-of-memory situations if the program runs for long
  63. enough. Since Godot may run on
  64. :ref:`dedicated servers <doc_exporting_for_dedicated_servers>` for months or
  65. even years without a restart, it's important to fix memory leaks when they occur.
  66. To enable the leak sanitizer in a Godot build, pass the ``use_lsan=yes`` SCons
  67. option when compiling. Enabling LSAN only has a small performance overhead, but
  68. the program will be much slower to exit as leak detection occurs when the
  69. program exits.
  70. .. _doc_using_sanitizers_memory_sanitizer:
  71. Memory sanitizer (MSAN)
  72. -----------------------
  73. - Available in Clang only, not GCC.
  74. - **Supported platforms:** Linux
  75. - `Clang MSAN documentation <https://clang.llvm.org/docs/MemorySanitizer.html>`__
  76. The memory sanitizer complements the
  77. :ref:`doc_using_sanitizers_address_sanitizer`. Unlike the address sanitizer,
  78. the memory sanitizer can detect uninitialized memory reads.
  79. To enable the memory sanitizer in a Godot build, pass the ``use_msan=yes``
  80. SCons option when compiling. Enabling MSAN generally makes the resulting binary
  81. about 3× slower.
  82. .. warning::
  83. Due to a `design decision
  84. <https://stackoverflow.com/questions/36971902/why-cant-clang-enable-all-sanitizers/>`__,
  85. the address, memory and thread sanitizers are mutually exclusive. This means
  86. you can only use one of those sanitizers in a given binary.
  87. Thread sanitizer (TSAN)
  88. -----------------------
  89. - Available in Clang and GCC.
  90. - **Supported platforms:** Linux, macOS
  91. - `Clang TSAN documentation <https://clang.llvm.org/docs/ThreadSanitizer.html>`__
  92. The thread sanitizer is used to track down race conditions related to
  93. multithreading. A race condition is when multiple threads try to modify the same
  94. data at the same time. Since thread scheduling can be ordered in any fashion by
  95. the operating system, this leads to incorrect behavior that only occurs
  96. occasionally (and can be difficult to track as a result). To prevent a race
  97. condition, you need to add a lock to ensure only one thread can access the
  98. shared data at a given time.
  99. To enable the thread sanitizer in a Godot build, pass the ``use_tsan=yes`` SCons
  100. option when compiling. Enabling TSAN generally makes the resulting binary 10×
  101. slower, while also multiplying memory usage by an approximately 8× factor.
  102. .. warning::
  103. Due to a `design decision
  104. <https://stackoverflow.com/questions/36971902/why-cant-clang-enable-all-sanitizers/>`__,
  105. the address, memory and thread sanitizers are mutually exclusive. This means
  106. you can only use one of those sanitizers in a given binary.
  107. .. note::
  108. On Linux, if you stumble upon the following error:
  109. ``FATAL: ThreadSanitizer: unexpected memory mapping``
  110. You may need to temporarily lower the Address Space Layout Randomization (ASLR) entropy in your system with:
  111. .. code:: sh
  112. sudo sysctl vm.mmap_rnd_bits=28
  113. Or preferably disable it entirely with:
  114. .. code:: sh
  115. sudo sysctl kernel.randomize_va_space=0
  116. And as soon as you are done with the thread sanitizer, increase the ASLR entropy with:
  117. .. code:: sh
  118. sudo sysctl vm.mmap_rnd_bits=32
  119. Or re-enable ASLR with:
  120. .. code:: sh
  121. sudo sysctl kernel.randomize_va_space=2
  122. Rebooting your machine will also revert the ASLR state to its default values.
  123. It's important to revert the changes as soon as possible because lowering the ASLR entropy or disabling ASLR entirely can be a security risk.
  124. Undefined behavior sanitizer (UBSAN)
  125. ------------------------------------
  126. - Available in Clang and GCC.
  127. - **Supported platforms:** Linux, macOS, Web
  128. - `Clang UBSAN documentation <https://clang.llvm.org/docs/UndefinedBehaviorSanitizer.html>`__
  129. The undefined behavior sanitizer is used to track down situations where the
  130. program exhibits random and unpredictable behavior. This is due to C/C++ code
  131. that is accepted by the compiler, but is not *correct*. Compiling with a
  132. different set of optimizations can also change the observed results of undefined
  133. behavior.
  134. To enable the undefined behavior sanitizer in a Godot build, pass the
  135. ``use_ubsan=yes`` SCons option when compiling. Enabling UBSAN only has a small
  136. performance overhead.
  137. .. _doc_using_sanitizers_platform_specific_sanitizers:
  138. Platform-specific sanitizers
  139. ----------------------------
  140. Web
  141. ^^^
  142. When :ref:`compiling for the Web <doc_compiling_for_web>`,
  143. there are 2 additional sanitizer SCons options available:
  144. - ``use_assertions=yes`` enables runtime Emscripten assertions, which can catch
  145. various issues.
  146. - ``use_safe_heap=yes`` enables `Emscripten's SAFE_HEAP sanitizer <https://emscripten.org/docs/debugging/Sanitizers.html>`__.
  147. It provides similar functionality to ASAN, but it focuses on issues that
  148. are specific to WebAssembly. ``SAFE_HEAP`` is not guaranteed to be compatible
  149. with ASAN and UBSAN in the same binary, so you may have to build it separately.