# Tips for using analyzers on NetBSD # ## Address Sanitizer (+UBsan) (preliminary) ## ASan reports memory violations, and detects many off-by-ones. It seems to produce very high quality reports. It only needs to be compiled on the resulting binary[1]. It cannot compile static objects so requires some fiddling with makefiles to disable those. I've been running it on netbsd tests in the following manner[2]: cd /usr/src/tests/lib/libc env USETOOLS=never MK_SSP=no HAVE_SSP=no CFLAGS="-fno-omit-frame-pointer -O0 -g -ggdb -U_FORTIFY_SOURCE -fsanitize=address -fsanitize=undefined" LDFLAGS="-lasan -lubsan" make -j20 env ASAN_OPTIONS=alloc_dealloc_mismatch=0 LD_PRELOAD="/usr/lib/libasan.so /usr/lib/libubsan.so" atf-run 1. Seems like this is a cause of worse reports, as in-library functions are not intercepted. 2. Not even close to canonical commands, should probably be improved. 3. ASAN_OPTIONS=alloc_dealloc_mismatch=0 is because atf-run itself triggers a bug. Should have a look at it so this option doesn't need to be disabled. Important note: ASan should not be run on production systems. [It can pose a security risk](http://www.openwall.com/lists/oss-security/2016/02/17/9). ## Coverity ## Coverity is a static analyzer. You can see a part of its output in coverity-updates@, and a lot more if you go to the website (sign up with your netbsd email or poke someone for access). A lot of the reports are about strncpy/strcpy or in code that belongs to GCC (in the case of userland), you can tackle this by limiting results to a particular directory (click the folder icon). You can also sort by issue. Some suggestions for things to focus on, as there are many defects reported: - Setuid programs - Anything kernel - Stuff that runs as root - Library or other code you know well already - Drivers for hardware you actually own and can test Future ideas: - GCC could be told to add ASan flags for all shared objects, making it easier to build world with those flags - We could run all of NetBSD with ASan for some real world tests. - ASan for kernel? (subr_kmem.c has some flags which do some of the work, could it do more?) - Fuzzers are cool.