[rustc.git] / src / doc / rustc-dev-guide / src / sanitizers.md

# Sanitizers Support

The rustc compiler contains support for following sanitizers:

* [AddressSanitizer][clang-asan] a faster memory error detector. Can
  detect out-of-bounds access to heap, stack, and globals, use after free, use
  after return, double free, invalid free, memory leaks.
* [LeakSanitizer][clang-lsan] a run-time memory leak detector.
* [MemorySanitizer][clang-msan] a detector of uninitialized reads.
* [ThreadSanitizer][clang-tsan] a fast data race detector.

## How to use the sanitizers?

To enable a sanitizer compile with `-Z sanitizer=...` option, where value is one
of `address`, `leak`, `memory` or `thread`. For more details how to use
sanitizers please refer to [the unstable book](https://doc.rust-lang.org/unstable-book/).

## How are sanitizers implemented in rustc?

The implementation of sanitizers relies almost entirely on LLVM. The rustc is
an integration point for LLVM compile time instrumentation passes and runtime
libraries. Highlight of the most important aspects of the implementation:

*  The sanitizer runtime libraries are part of the [compiler-rt] project, and
   [will be built on supported targets][sanitizer-build] when enabled in `config.toml`:

   ```toml
   [build]
   sanitizers = true
   ```

   The runtimes are [placed into target libdir][sanitizer-copy].

*  During LLVM code generation, the functions intended for instrumentation are
   [marked][sanitizer-attribute] with appropriate LLVM attribute:
   `SanitizeAddress`, `SanitizeMemory`, or `SanitizeThread`. By default all
   functions are instrumented, but this behaviour can be changed with
   `#[no_sanitize(...)]`.

*  The decision whether to perform instrumentation or not is possible only at a
   function granularity. In the cases were those decision differ between
   functions it might be necessary to inhibit inlining, both at [MIR
   level][inline-mir] and [LLVM level][inline-llvm].

*  The LLVM IR generated by rustc is instrumented by [dedicated LLVM
   passes][sanitizer-pass], different for each sanitizer. Instrumentation
   passes are invoked after optimization passes.

*  When producing an executable, the sanitizer specific runtime library is
   [linked in][sanitizer-link]. The libraries are searched for in target libdir
   relative to default system root, so that this process is not affected
   by sysroot overrides used for example by cargo `-Z build-std` functionality.

[compiler-rt]: https://github.com/llvm/llvm-project/tree/main/compiler-rt
[sanitizer-build]: https://github.com/rust-lang/rust/blob/a29424a2265411dda7d7446516ac5fd7499e2b55/src/bootstrap/native.rs#L566-L624
[sanitizer-copy]: https://github.com/rust-lang/rust/blob/a29424a2265411dda7d7446516ac5fd7499e2b55/src/bootstrap/compile.rs#L270-L304
[sanitizer-attribute]: https://github.com/rust-lang/rust/blob/a29424a2265411dda7d7446516ac5fd7499e2b55/src/librustc_codegen_llvm/attributes.rs#L49-L72
[inline-mir]: https://github.com/rust-lang/rust/blob/a29424a2265411dda7d7446516ac5fd7499e2b55/src/librustc_mir/transform/inline.rs#L232-L252
[inline-llvm]: https://github.com/rust-lang/llvm-project/blob/9330ec5a4c1df5fc1fa62f993ed6a04da68cb040/llvm/include/llvm/IR/Attributes.td#L225-L241
[sanitizer-pass]: https://github.com/rust-lang/rust/blob/a29424a2265411dda7d7446516ac5fd7499e2b55/src/librustc_codegen_llvm/back/write.rs#L454-L475
[sanitizer-link]: https://github.com/rust-lang/rust/blob/a29424a2265411dda7d7446516ac5fd7499e2b55/src/librustc_codegen_ssa/back/link.rs#L748-L787

## Additional Information

* [Sanitizers project page](https://github.com/google/sanitizers/wiki/)
* [AddressSanitizer in Clang][clang-asan]
* [LeakSanitizer in Clang][clang-lsan]
* [MemorySanitizer in Clang][clang-msan]
* [ThreadSanitizer in Clang][clang-tsan]

[clang-asan]: https://clang.llvm.org/docs/AddressSanitizer.html
[clang-lsan]: https://clang.llvm.org/docs/LeakSanitizer.html
[clang-msan]: https://clang.llvm.org/docs/MemorySanitizer.html
[clang-tsan]: https://clang.llvm.org/docs/ThreadSanitizer.html
Commit	Line	Data
74b04a01 XL	1	# Sanitizers Support
	2
	3	The rustc compiler contains support for following sanitizers:
	4
	5	* [AddressSanitizer][clang-asan] a faster memory error detector. Can
	6	detect out-of-bounds access to heap, stack, and globals, use after free, use
	7	after return, double free, invalid free, memory leaks.
	8	* [LeakSanitizer][clang-lsan] a run-time memory leak detector.
	9	* [MemorySanitizer][clang-msan] a detector of uninitialized reads.
	10	* [ThreadSanitizer][clang-tsan] a fast data race detector.
	11
	12	## How to use the sanitizers?
	13
6a06907d	14	To enable a sanitizer compile with `-Z sanitizer=...` option, where value is one
74b04a01 XL	15	of `address`, `leak`, `memory` or `thread`. For more details how to use
	16	sanitizers please refer to [the unstable book](https://doc.rust-lang.org/unstable-book/).
	17
	18	## How are sanitizers implemented in rustc?
	19
	20	The implementation of sanitizers relies almost entirely on LLVM. The rustc is
	21	an integration point for LLVM compile time instrumentation passes and runtime
	22	libraries. Highlight of the most important aspects of the implementation:
	23
	24	* The sanitizer runtime libraries are part of the [compiler-rt] project, and
	25	[will be built on supported targets][sanitizer-build] when enabled in `config.toml`:
	26
	27	```toml
	28	[build]
	29	sanitizers = true
	30	```
	31
	32	The runtimes are [placed into target libdir][sanitizer-copy].
	33
	34	* During LLVM code generation, the functions intended for instrumentation are
	35	[marked][sanitizer-attribute] with appropriate LLVM attribute:
	36	`SanitizeAddress`, `SanitizeMemory`, or `SanitizeThread`. By default all
	37	functions are instrumented, but this behaviour can be changed with
	38	`#[no_sanitize(...)]`.
	39
	40	* The decision whether to perform instrumentation or not is possible only at a
	41	function granularity. In the cases were those decision differ between
	42	functions it might be necessary to inhibit inlining, both at [MIR
	43	level][inline-mir] and [LLVM level][inline-llvm].
	44
	45	* The LLVM IR generated by rustc is instrumented by [dedicated LLVM
	46	passes][sanitizer-pass], different for each sanitizer. Instrumentation
	47	passes are invoked after optimization passes.
	48
	49	* When producing an executable, the sanitizer specific runtime library is
	50	[linked in][sanitizer-link]. The libraries are searched for in target libdir
	51	relative to default system root, so that this process is not affected
6a06907d	52	by sysroot overrides used for example by cargo `-Z build-std` functionality.
74b04a01	53
6a06907d	54	[compiler-rt]: https://github.com/llvm/llvm-project/tree/main/compiler-rt
74b04a01 XL	55	[sanitizer-build]: https://github.com/rust-lang/rust/blob/a29424a2265411dda7d7446516ac5fd7499e2b55/src/bootstrap/native.rs#L566-L624
	56	[sanitizer-copy]: https://github.com/rust-lang/rust/blob/a29424a2265411dda7d7446516ac5fd7499e2b55/src/bootstrap/compile.rs#L270-L304
	57	[sanitizer-attribute]: https://github.com/rust-lang/rust/blob/a29424a2265411dda7d7446516ac5fd7499e2b55/src/librustc_codegen_llvm/attributes.rs#L49-L72
	58	[inline-mir]: https://github.com/rust-lang/rust/blob/a29424a2265411dda7d7446516ac5fd7499e2b55/src/librustc_mir/transform/inline.rs#L232-L252
	59	[inline-llvm]: https://github.com/rust-lang/llvm-project/blob/9330ec5a4c1df5fc1fa62f993ed6a04da68cb040/llvm/include/llvm/IR/Attributes.td#L225-L241
	60	[sanitizer-pass]: https://github.com/rust-lang/rust/blob/a29424a2265411dda7d7446516ac5fd7499e2b55/src/librustc_codegen_llvm/back/write.rs#L454-L475
	61	[sanitizer-link]: https://github.com/rust-lang/rust/blob/a29424a2265411dda7d7446516ac5fd7499e2b55/src/librustc_codegen_ssa/back/link.rs#L748-L787
	62
	63	## Additional Information
	64
	65	* [Sanitizers project page](https://github.com/google/sanitizers/wiki/)
	66	* [AddressSanitizer in Clang][clang-asan]
	67	* [LeakSanitizer in Clang][clang-lsan]
	68	* [MemorySanitizer in Clang][clang-msan]
	69	* [ThreadSanitizer in Clang][clang-tsan]
	70
	71	[clang-asan]: https://clang.llvm.org/docs/AddressSanitizer.html
	72	[clang-lsan]: https://clang.llvm.org/docs/LeakSanitizer.html
	73	[clang-msan]: https://clang.llvm.org/docs/MemorySanitizer.html
	74	[clang-tsan]: https://clang.llvm.org/docs/ThreadSanitizer.html