Jeffrey Walton wrote: > I prefer to run a release > build with diagnostics. Something like '-g2 -O3 -DNDEBUG > -fsanitize=asan', install it, and then use it long term. > > One of the [many] reasons this is important is, it provides additional > coverage beyond the test cases. In the wild I may encounter an > attacker supplied input that tickles a problem, like a buffer > overflow. Or I may encounter an otherwise benign input that tickles a > problem.
Excellent point. So, basically you run a hardened system. (Probably you also have MALLOC_PERTURB_ permanently set?) And you would like to set ASAN_OPTIONS=detect_leaks=1 and have most programs succeed? Let's see what you need to attain that goal, assuming the developers follow the approach with 'valgrind --show-reachable=yes' and suppressions files. 1) You would need a suppressions file for every executable that you install. This means, the suppressions file should better be distributed in the tarball. Right? 2) You would need the suppressions file in ASAN syntax, not in valgrind syntax. Do you have a converter for the suppressions files? 3) The suppressions files that you use would not need to (but could still) contain the suppressions for leaks through global and static variables. 4) You would also need to set the environment variable CLEANUP_BEFORE_EXIT and hope that as many programs as possible obey it. Right? Anything else? Bruno
