Home Explore Blog CI



rustc
1st chunk of `src/sanitizers.md`
01820c5348c1e6256629a02da0fa80c073b92565b81f103c0000000100000988
# Sanitizers Support

The rustc compiler contains support for following sanitizers:

* [AddressSanitizer][clang-asan] a faster memory error detector. Can
  detect out-of-bounds access to heap, stack, and globals, use after free, use
  after return, double free, invalid free, memory leaks.
* [ControlFlowIntegrity][clang-cfi] LLVM Control Flow Integrity (CFI) provides
  forward-edge control flow protection.
* [Hardware-assisted AddressSanitizer][clang-hwasan]  a tool similar to
  AddressSanitizer but based on partial hardware assistance.
* [KernelControlFlowIntegrity][clang-kcfi] LLVM Kernel Control Flow Integrity
  (KCFI) provides forward-edge control flow protection for operating systems
  kernels.
* [LeakSanitizer][clang-lsan] a run-time memory leak detector.
* [MemorySanitizer][clang-msan] a detector of uninitialized reads.
* [ThreadSanitizer][clang-tsan] a fast data race detector.

## How to use the sanitizers?

To enable a sanitizer compile with `-Z sanitizer=...` option, where value is one
of `address`, `cfi`, `hwaddress`, `kcfi`, `leak`, `memory` or `thread`. For more
details on how to use sanitizers please refer to the sanitizer flag in [the
unstable book](https://doc.rust-lang.org/unstable-book/).

## How are sanitizers implemented in rustc?

The implementation of sanitizers (except CFI) relies almost entirely on LLVM.
The rustc is an integration point for LLVM compile time instrumentation passes
and runtime libraries. Highlight of the most important aspects of the
implementation:

*  The sanitizer runtime libraries are part of the [compiler-rt] project, and
   [will be built][sanitizer-build] on [supported targets][sanitizer-targets]
   when enabled in `bootstrap.toml`:

   ```toml
   [build]
   sanitizers = true
   ```

   The runtimes are [placed into target libdir][sanitizer-copy].

*  During LLVM code generation, the functions intended for instrumentation are
   [marked][sanitizer-attribute] with appropriate LLVM attribute:
   `SanitizeAddress`, `SanitizeHWAddress`, `SanitizeMemory`, or
   `SanitizeThread`. By default all functions are instrumented, but this
   behaviour can be changed with `#[no_sanitize(...)]`.

*  The decision whether to perform instrumentation or not is possible only at a
   function granularity. In the cases were those decision differ between
   functions it might be necessary to inhibit inlining, both at [MIR
   level][inline-mir] and [LLVM level][inline-llvm].
Title: Sanitizer Support in Rustc
Summary
The rustc compiler supports various sanitizers for detecting memory errors, control flow integrity issues, and data races. These sanitizers, including AddressSanitizer, ControlFlowIntegrity, Hardware-assisted AddressSanitizer, KernelControlFlowIntegrity, LeakSanitizer, MemorySanitizer, and ThreadSanitizer, can be enabled using the `-Z sanitizer=...` option. The implementation relies heavily on LLVM, with rustc acting as an integration point for compile-time instrumentation and runtime libraries. The sanitizer runtime libraries are built as part of the compiler-rt project and placed into the target libdir. Functions are marked for instrumentation with LLVM attributes, and inlining may be inhibited to ensure correct instrumentation.