Bounds Check Hoisting for AddressSanitizer

  • Simon Moll
  • Henrique Nazaré
  • Gustavo Vieira Machado
  • Raphael Ernani Rodrigues
Part of the Lecture Notes in Computer Science book series (LNCS, volume 8771)


The C programming language is not memory safe, that is to say that the semantics of out-of-bounds memory accesses are undefined. There are tools that make certain guarantees about memory safety for C programs. Amongst these are SAFECode and AddressSanitizer. The latter instruments C programs with runtime checks to guarantee that no invalid memory accesses are allowed to execute. As is to be expected, this incurs in a notable performance decrease in instrumented programs. Our work consists in hoisting these checks out of loops in such a way that we maintain AddressSanitizer’s semantics, but, by providing increased locality of access and by increasing the stride of bounds checks, we make said checks notably cheaper. Unlike previous approaches to bounds check hoisting, we use a parametric interval analysis to bound the index ranges used in array accesses. We evaluated our method on a collection of benchmarks from Polybench and from the domain of scientific computing. The optimization recovers 60.6 % of the overhead introduced by AddressSanitizer on average. Since energy performance is a crucial factor on mobile systems, we have also evaluated our proposed solution on embedded systems in this regard. We observed a 31.7 % reduction in energy consumption in programs instrumented with AddressSanitizer.


Memory Access Iteration Variable Loop Nest Benchmark Suite Runtime Error 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Akritidis, P., Costa, M., Castro, M., Hand, S.: Baggy bounds checking: An efficient and backwards-compatible defense against out-of-bounds errors. In: Proceedings of the 18th Conference on USENIX Security Symposium, SSYM 2009, pp. 51–66. USENIX Association, Berkeley (2009), Google Scholar
  2. 2.
    Bodik, R., Gupta, R., Sarkar, V.: ABCD: eliminating array bounds checks on demand. In: PLDI, pp. 321–333. ACM (2000)Google Scholar
  3. 3.
    Burke, M.G., Choi, J.D., Fink, S., Grove, D., Hind, M., Sarkar, V., Serrano, M.J., Sreedhar, V.C., Srinivasan, H., Whaley, J.: The jalapeno dynamic optimizing compiler for java. In: Proceedings of the ACM 1999 Conference on Java Grande, JAVA 1999, pp. 129–141. ACM, New York (1999), CrossRefGoogle Scholar
  4. 4.
    Cousot, P., Cousot, R.: Abstract interpretation: a unified lattice model for static analysis of programs by construction or approximation of fixpoints. In: POPL, pp. 238–252. ACM (1977)Google Scholar
  5. 5.
    Cousot, P., Cousot, R., Feret, J., Mauborgne, L., Miné, A., Monniaux, D., Rival, X.: The ASTREÉ analyzer. In: Sagiv, M. (ed.) ESOP 2005. LNCS, vol. 3444, pp. 21–30. Springer, Heidelberg (2005)Google Scholar
  6. 6.
    Dhurjati, D., Kowshik, S., Adve, V.: Safecode: enforcing alias analysis for weakly typed languages. In: PLDI 2006: Proceedings of the 2006 ACM SIGPLAN Conference on Programming Language Design and Implementation, pp. 144–157. ACM, New York (2006)Google Scholar
  7. 7.
    Eichin, M.W., Rochlis, J.A.: With microscope and tweezers: An analysis of the internet virus of november 1988. In: Proceedings of 1989 IEEE Symposium on Research in Security and Privacy (1988)Google Scholar
  8. 8.
    Lattner, C., Adve, V.S.: LLVM: A compilation framework for lifelong program analysis & transformation. In: CGO, pp. 75–88. IEEE (2004)Google Scholar
  9. 9.
    Logozzo, F., Fähndrich, M.: Pentagons: A weakly relational abstract domain for the efficient validation of array accesses. Sci. Comput. Program. 75(9), 796–807 (2010)CrossRefzbMATHGoogle Scholar
  10. 10.
    Nagarakatte, S., Zhao, J., Martin, M.M., Zdancewic, S.: Softbound: Highly compatible and complete spatial safety for C. In: Proceedings of the 2009 ACM SIGPLAN Conference on Programming Language Design and Implementation (June 2009)Google Scholar
  11. 11.
    National Instruments Corporation: User Guide and Specifications NI USB-6008/6009: Bus-powered multifunction DAQ USB device (2004)Google Scholar
  12. 12.
    Nazaré, H., Maffra, I., Santos, W., Barbosa, L., Pereira, F., Gonnord, L.: Validation of memory accesses through symbolic analyses. In: Proceedings of the 2014 ACM SIGPLAN International Conference on Object Oriented Programming Systems Languages & Applications, OOPSLA 2014. ACM (to appear, 2014), Invited paper with publication expected for 2014 Google Scholar
  13. 13.
    Nethercote, N., Seward, J.: Valgrind: A framework for heavyweight dynamic binary instrumentation. SIGPLAN Not. 42(6), 89–100 (2007), CrossRefGoogle Scholar
  14. 14.
    Noorman, J., Nikiforakis, N., Piessens, F.: There is safety in numbers: Preventing control-flow hijacking by duplication. In: Jøsang, A., Carlsson, B. (eds.) NordSec 2012. LNCS, vol. 7617, pp. 105–120. Springer, Heidelberg (2012)CrossRefGoogle Scholar
  15. 15.
    Pearce, D.J., Kelly, P.H., Hankin, C.: Efficient field-sensitive pointer analysis of C. ACM Transactions on Programming Languages and Systems (TOPLAS) 30(1), 4 (2007)Google Scholar
  16. 16.
    Pouchet, L.N.: PolyBench: The Polyhedral Benchmark suiteGoogle Scholar
  17. 17.
    Rugina, R., Rinard, M.: Symbolic bounds analysis of pointers, array indices, and accessed memory regions. SIGPLAN Not. 35(5), 182–195 (2000)CrossRefGoogle Scholar
  18. 18.
    Ruwase, O., Lam, M.S.: A practical dynamic buffer overflow detector. In: Proceedings of the 11th Annual Network and Distributed System Security Symposium, pp. 159–169 (2004)Google Scholar
  19. 19.
    Serebryany, K., Bruening, D., Potapenko, A., Vyukov, D.: Addresssanitizer: A fast address sanity checker. In: Proceedings of the 2012 USENIX Conference on Annual Technical Conference, USENIX ATC 2012, p. 28. USENIX Association, Berkeley (2012), Google Scholar

Copyright information

© Springer International Publishing Switzerland 2014

Authors and Affiliations

  • Simon Moll
    • 1
  • Henrique Nazaré
    • 2
  • Gustavo Vieira Machado
    • 2
  • Raphael Ernani Rodrigues
    • 2
  1. 1.Saarland UniversityGermany
  2. 2.Universidade Federal de Minas GeraisBrazil

Personalised recommendations