2020: The Year of Sanitizers? Victor Ciura Principal Engineer @ciura_victor2 Abstract Clang-tidy is the go-to assistant for most C++ programmers looking to improve their code, whether to modernize @ciura_victor - 2020: The Year of Sanitizers?New venue, same great C++ conference 2019 ~~~~~~45 2020 Victor Ciura | @ciura_victor - 2020: The Year of Sanitizers? New venue, same great C++ conference @ciura_victor - 2020: The Year of Sanitizers? Have a great CppCon week, everyone !7 2020 Victor Ciura | @ciura_victor - 2020: The Year of Sanitizers? ❓ Due to the nature of delivery medium

com/tipi-build/sanitizers-cmakeSanitizers for C++ builds AddressSanitizer (ASan) UndefinedBehaviorSanitizer (UBSsan) ThreadSanitizer (TSan) LeakSanitizer (LSan) MemorySanitizer (MSan)Using LLVM Sanitizers in your your CMake project(safepp) find_package(Sanitizers MODULE REQUIRED) add_executable(use-after-free test/use-after-free.cpp) # enable sanitizers add_sanitizers(use-after-free)So we done ?ASan, TSan, UBSan set(SANITIZE_MEMORY TRUE CACHE BOOL "" FORCE) set(SANITIZE_THREAD TRUE CACHE BOOL "" FORCE)We want to run these Sanitizers on each key strokesThat requires a decent amount of CPU power Let's look at other build systemsLearning

The final piece of advice Use the tools!Part 2So many tools 1. GDB 2. LLDB 3. Valgrind 4. Sanitizers 5. strace & ltrace 6. libc++ debug mode 7. time travelGDB GNU Debugger ● TUI mode ● Python MemorySanitizer (msan) ● Essentially a compiler feature: ○ Much faster runtime ○ Knows more stuffSo many sanitizers… address float-cast-overflow nonnull-attribute returns-nonnull-attribute shift-base thread undefinedSo many sanitizers… address float-cast-overflow nonnull-attribute returns-nonnull-attribute

Allow yourself to go down tangentsKNOW THE TOOLS… AND USE THEM! 1. GDB 2. LLDB 3. Valgrind 4. Sanitizers 5. strace & ltrace 6. libc++ debug mode 7. time travelGDB GNU Debugger ● TUI mode ● Python MemorySanitizer (msan) ● Essentially a compiler feature: ○ Much faster runtime ○ Knows more stuffSO MANY SANITIZERS… address float-cast-overflow nonnull-attribute returns-nonnull-attribute shift-base thread undefinedSO MANY SANITIZERS… address float-cast-overflow nonnull-attribute returns-nonnull-attribute

obsolete C constructs as errorsCompiler Hardening 33 Prioritize Memory, type and thread safety: sanitizers Compiler Flag Supported Since Description -fsanitize=address GCC 4.8.0 Clang 3.1.0 Enables Multi-compiler Build Test Build ASan TSan LSan UBSan MSan RTSan Quality Gate Code Review Merge Sanitizers Static analyzers/QG Use of AI tools Rich IDE ❖ No new bugs are introduced ❖ No new vulnerabilities injection testing Stress testing Reliability testing Regression testing Testing with Sanitizers E2E Tests Integration Tests Unit TestsFrequent Upgrades 36 A superpower ❖ Being enabled to

and Artifactory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 284 14.25 Compiler sanitizers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 285 15 application/json" -T /tmp/build_ ˓→info.json "http://host:8081/artifactory/api/build" 14.25 Compiler sanitizers Sanitizers are tools that can detect bugs such as buffer overflows or accesses, dangling pointer or depending on if you are using clang or gcc, different sanitizers are supported. Here we explain different options on how to model and use sanitizers with your Conan packages. 14.25.1 Adding custom settings

and Artifactory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 291 14.26 Compiler sanitizers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 293 15 ˓→mergedbuildinfo.json You can check the complete conan_build_info reference. 14.26 Compiler sanitizers Sanitizers are tools that can detect bugs such as buffer overflows or accesses, dangling pointer or depending on if you are using clang or gcc, different sanitizers are supported. Here we explain different options on how to model and use sanitizers with your Conan packages. 14.26.1 Adding custom settings

and Artifactory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 291 14.26 Compiler sanitizers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 293 15 ˓→mergedbuildinfo.json You can check the complete conan_build_info reference. 14.26 Compiler sanitizers Sanitizers are tools that can detect bugs such as buffer overflows or accesses, dangling pointer or depending on if you are using clang or gcc, different sanitizers are supported. Here we explain different options on how to model and use sanitizers with your Conan packages. 14.26.1 Adding custom settings

для энтузиастов 9 / 77 Тестирование ClickHouse, которого мы заслуживаем Сборка: санитайзеры Sanitizers – библиотеки из поставки компиляторов, помогают найти проблемы в коде на С++ или Go. Виды: › Address использование неинициализованной памяти Ссылки: › Основной репозиторий: https://github.com/google/sanitizers › Внутри LLVM: http://compiler-rt.llvm.org/ 10 / 77 Тестирование ClickHouse, которого мы заслуживаем

executionDynamic analysis Sanitizers AddressSanitizer (ASan) LeakSanitizer (LSan) ThreadSanitizer (TSan) UndefinedBehaviorSanitizer (UBSan) https://github.com/google/sanitizers/ Available on GCC and Clang