Menu
Home
People
Places
Arts
History
Plants & Animals
Science
Life & Culture
Technology
Reference.org
Code sanitizer
open-in-new
<h2 id="addresssanitizer">AddressSanitizer</h2> <p>Google's ASan, introduced in 2012, uses a <a href="/facts/Shadow_memory/nqheas9z">shadow memory</a> scheme to detect memory bugs. It is available in: </p> <ul><li><a href="/facts/Clang/MH7cjC67">Clang</a> (starting from version 3.1<a class="footnote-ref" id="fnref:1" href="#fn:1"><sup>1</sup></a>)</li> <li><a href="/facts/GNU_Compiler_Collection/t07jh01k">GCC</a> (starting from version 4.8<a class="footnote-ref" id="fnref:2" href="#fn:2"><sup>2</sup></a>)</li> <li><a href="/facts/Xcode/glURdIVT">Xcode</a> (starting from version 7.0<a class="footnote-ref" id="fnref:3" href="#fn:3"><sup>3</sup></a>)</li> <li><a href="/facts/MSVC/RM3sbYw5">MSVC</a> (widely available starting from version 16.9<a class="footnote-ref" id="fnref:4" href="#fn:4"><sup>4</sup></a>).</li></ul> <p>On average, the instrumentation increases processing time by about 73% and memory usage by 240%.<a class="footnote-ref" id="fnref:5" href="#fn:5"><sup>5</sup></a> There is a hardware-accelerated ASan called HWAsan available for AArch64 and (in a limited fashion) x86_64.<a class="footnote-ref" id="fnref:6" href="#fn:6"><sup>6</sup></a> </p><p>AddressSanitizer does not detect any uninitialized memory reads (but this is detected by MemorySanitizer<a class="footnote-ref" id="fnref:7" href="#fn:7"><sup>7</sup></a>), and only detects some use-after-return bugs.<a class="footnote-ref" id="fnref:8" href="#fn:8"><sup>8</sup></a> It is also not capable of detecting all arbitrary memory corruption bugs, nor all arbitrary write bugs due to integer underflow/overflows (when the integer with undefined behavior is used to calculate memory address offsets). Adjacent buffers in structs and classes are not protected from overflow, in part to prevent breaking backwards compatibility.<a class="footnote-ref" id="fnref:9" href="#fn:9"><sup>9</sup></a> </p> <h3>KernelAddressSanitizer</h3> <p>The KernelAddressSanitizer (KASan) detects dynamic memory errors in the Linux kernel.<a class="footnote-ref" id="fnref:10" href="#fn:10"><sup>10</sup></a> Kernel instrumentation requires a special feature in the compiler supplying the -fsanitize=kernel-address command line option, since kernels do not use the same address space as normal programs.<a class="footnote-ref" id="fnref:11" href="#fn:11"><sup>11</sup></a><a class="footnote-ref" id="fnref:12" href="#fn:12"><sup>12</sup></a> </p><p>KASan is also available for use with Windows kernel drivers beginning in Windows 11 22H2 and above.<a class="footnote-ref" id="fnref:13" href="#fn:13"><sup>13</sup></a> Similarly to Linux, compiling a Windows driver with KASAN requires passing the /fsanitize=kernel-address command line option to the MSVC compiler. </p> <h2 id="other-sanitizers">Other sanitizers</h2> <p>Google also produced LeakSanitizer (LSan, <a href="/facts/Memory_leak/JzufAL28">memory leaks</a>), ThreadSanitizer (TSan, <a href="/facts/Data_race/bvNpgy4F">data races</a> and <a href="/facts/Deadlock_(computer_science)/YDpdfnPP">deadlocks</a>), MemorySanitizer (MSan, <a href="/facts/Uninitialized_memory/WDFuGI3X">uninitialized memory</a>), and UndefinedBehaviorSanitizer (UBSan, <a href="/facts/Undefined_behavior/awUm2vGd">undefined behaviors</a>, with fine-grained control).<a class="footnote-ref" id="fnref:14" href="#fn:14"><sup>14</sup></a> These tools are generally available in Clang/LLVM and GCC.<a class="footnote-ref" id="fnref:15" href="#fn:15"><sup>15</sup></a><a class="footnote-ref" id="fnref:16" href="#fn:16"><sup>16</sup></a><a class="footnote-ref" id="fnref:17" href="#fn:17"><sup>17</sup></a> Similar to KASan, there are kernel-specific versions of LSan, MSan, TSan, as well as completely original kernel sanitizers such as KFENCE and KCSan.<a class="footnote-ref" id="fnref:18" href="#fn:18"><sup>18</sup></a> </p><p>Additional sanitizer tools (grouped by compilers under -fsanitize or a similar flag) include:<a class="footnote-ref" id="fnref:19" href="#fn:19"><sup>19</sup></a><a class="footnote-ref" id="fnref:20" href="#fn:20"><sup>20</sup></a><a class="footnote-ref" id="fnref:21" href="#fn:21"><sup>21</sup></a> </p> <ul><li>LLVM <a href="/facts/Control-flow_integrity/wsP7s8pr">control-flow integrity</a> and its kernel counterpart, which checks <a href="/facts/Virtual_table/rFISodUl">virtual tables</a> and type casts for forward-edge CFI</li> <li>MemTagSanitizer, an ASan-like tool that uses Armv8.5-A features for very low overhead</li> <li>ShadowCallStack, an AArch64 tool that provides a <a href="/facts/Shadow_stack/mnQMEvou">shadow stack</a> protection</li> <li>Scudo Hardened Allocator, an alternative memory allocator that includes GWP-ASan, a probabilistic ASan analogue with low overhead<a class="footnote-ref" id="fnref:22" href="#fn:22"><sup>22</sup></a></li> <li>libFuzzer, an LLVM tool that adds code coverage to fuzzing<a class="footnote-ref" id="fnref:23" href="#fn:23"><sup>23</sup></a></li></ul> <h2 id="usage">Usage</h2> <p>A code sanitizer detects suspicious behavior as the program runs. One common way to use a sanitizer is to combine it with <a href="/facts/Fuzzing/I1GK5kxr">fuzzing</a>, which generates inputs likely to trigger bugs.<a class="footnote-ref" id="fnref:24" href="#fn:24"><sup>24</sup></a> </p> <h2 id="users">Users</h2> <p><a href="/facts/Chromium_(web_browser)/F1S8sAEt">Chromium</a> and <a href="/facts/Firefox/xez2zv8H">Firefox</a> developers are active users of AddressSanitizer;<a class="footnote-ref" id="fnref:25" href="#fn:25"><sup>25</sup></a><a class="footnote-ref" id="fnref:26" href="#fn:26"><sup>26</sup></a> the tool has found hundreds of bugs in these web browsers.<a class="footnote-ref" id="fnref:27" href="#fn:27"><sup>27</sup></a> A number of bugs were found in <a href="/facts/FFmpeg/85yf3kHI">FFmpeg</a><a class="footnote-ref" id="fnref:28" href="#fn:28"><sup>28</sup></a> and <a href="/facts/FreeType/tCw3bSxv">FreeType</a>.<a class="footnote-ref" id="fnref:29" href="#fn:29"><sup>29</sup></a> The <a href="/facts/Linux_kernel/dlkduHuA">Linux kernel</a> has enabled the AddressSanitizer for the <a href="/facts/X86-64/cyWvUFlP">x86-64</a> architecture as of Linux version 4.0. </p> <h2 id="examples">Examples</h2> <h3>ASan: Heap-use-after-free</h3> // To compile: g++ -O -g -fsanitize=address heap-use-after-free.cc int main(int argc, char **argv) { int *array = new int[100]; delete [] array; return array[argc]; // BOOM } $ ./a.out ==5587==ERROR: AddressSanitizer: heap-use-after-free on address 0x61400000fe44 at pc 0x47b55f bp 0x7ffc36b28200 sp 0x7ffc36b281f8 READ of size 4 at 0x61400000fe44 thread T0 #0 0x47b55e in main /home/test/example_UseAfterFree.cc:5 #1 0x7f15cfe71b14 in __libc_start_main (/lib64/libc.so.6+0x21b14) #2 0x47b44c in _start (/root/a.out+0x47b44c) 0x61400000fe44 is located 4 bytes inside of 400-byte region [0x61400000fe40,0x61400000ffd0) freed by thread T0 here: #0 0x465da9 in operator delete[](void*) (/root/a.out+0x465da9) #1 0x47b529 in main /home/test/example_UseAfterFree.cc:4 previously allocated by thread T0 here: #0 0x465aa9 in operator new[](unsigned long) (/root/a.out+0x465aa9) #1 0x47b51e in main /home/test/example_UseAfterFree.cc:3 SUMMARY: AddressSanitizer: heap-use-after-free /home/test/example_UseAfterFree.cc:5 main Shadow bytes around the buggy address: [...] 0x0c287fff9fb0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa =>0x0c287fff9fc0: fa fa fa fa fa fa fa fa[fd]fd fd fd fd fd fd fd 0x0c287fff9fd0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd [...] Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Heap right redzone: fb Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack partial redzone: f4 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 ASan internal: fe ==5587==ABORTING <h3>ASan: Heap-buffer-overflow</h3> // RUN: clang++ -O -g -fsanitize=address heap-buf-of.cc && ./a.out int main(int argc, char **argv) { int *array = new int[100]; array[0] = 0; int res = array[argc + 100]; // BOOM delete [] array; return res; } ==25372==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61400000ffd4 at pc 0x0000004ddb59 bp 0x7fffea6005a0 sp 0x7fffea600598 READ of size 4 at 0x61400000ffd4 thread T0 #0 0x46bfee in main /tmp/main.cpp:4:13 0x61400000ffd4 is located 4 bytes to the right of 400-byte region [0x61400000fe40,0x61400000ffd0) allocated by thread T0 here: #0 0x4536e1 in operator delete[](void*) #1 0x46bfb9 in main /tmp/main.cpp:2:16 <h3>ASan: Stack-buffer-overflow</h3> // RUN: clang -O -g -fsanitize=address stack-buf-of.cc && ./a.out int main(int argc, char **argv) { int stack_array[100]; stack_array[1] = 0; return stack_array[argc + 100]; // BOOM } ==7405==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fff64740634 at pc 0x46c103 bp 0x7fff64740470 sp 0x7fff64740468 READ of size 4 at 0x7fff64740634 thread T0 #0 0x46c102 in main /tmp/example_StackOutOfBounds.cc:5 Address 0x7fff64740634 is located in stack of thread T0 at offset 436 in frame #0 0x46bfaf in main /tmp/example_StackOutOfBounds.cc:2 This frame has 1 object(s): [32, 432) 'stack_array' <== Memory access at offset 436 overflows this variable <h3>ASan: Global-buffer-overflow</h3> // RUN: clang -O -g -fsanitize=address global-buf-of.cc && ./a.out int global_array[100] = {-1}; int main(int argc, char **argv) { return global_array[argc + 100]; // BOOM } ==7455==ERROR: AddressSanitizer: global-buffer-overflow on address 0x000000689b54 at pc 0x46bfd8 bp 0x7fff515e5ba0 sp 0x7fff515e5b98 READ of size 4 at 0x000000689b54 thread T0 #0 0x46bfd7 in main /tmp/example_GlobalOutOfBounds.cc:4 0x000000689b54 is located 4 bytes to the right of global variable 'global_array' from 'example_GlobalOutOfBounds.cc' (0x6899c0) of size 400 <h3>UBSan: nullptr-dereference</h3> // RUN: g++ -O -g -fsanitize=null null-dereference.c && ./a.out int main(int argc, char **argv) { const char * ptr = nullptr; return *ptr; // BOOM } null-dereference.c:4:10: runtime error: load of null pointer of type 'const char' Segmentation fault (core dumped) <h2 id="see-also">See also</h2> <ul><li><a href="/facts/Intel_MPX/GI1a54M2">Intel MPX</a></li> <li>The Application Verifier (AppVerif.exe) in <a href="/facts/Microsoft_Windows_SDK/8otR4u2w">Microsoft Windows SDK</a></li> <li><a href="/facts/Valgrind/XDJA4Es2">Valgrind</a>, a memory debugging tool</li></ul> <h2 id="external-links">External links</h2> <ul><li><a href="https://groups.google.com/g/address-sanitizer">AddressSanitizer Google Group</a> (no mailing list)</li> <li><a href="https://github.com/google/sanitizers">AddressSanitizer project page</a></li> <li><a href="http://clang.llvm.org/docs/AddressSanitizer.html">AddressSanitizer documentation (Clang)</a></li></ul> <h2 id="references">References</h2> <ol> <li id="fn:1"><p>"LLVM 3.1 Release Notes". LLVM. Retrieved 8 February 2014. <a href="http://llvm.org/releases/3.1/docs/ReleaseNotes.html#whatsnew" target="_blank">http://llvm.org/releases/3.1/docs/ReleaseNotes.html#whatsnew</a> <a href="#fnref:1" class="footnote-back-ref">↩</a></p></li> <li id="fn:2"><p>"GCC 4.8 Release Notes". GCC. Retrieved 8 February 2014. <a href="https://gcc.gnu.org/gcc-4.8/changes.html" target="_blank">https://gcc.gnu.org/gcc-4.8/changes.html</a> <a href="#fnref:2" class="footnote-back-ref">↩</a></p></li> <li id="fn:3"><p>"Address Sanitizer | Apple Developer Documentation". <a href="https://developer.apple.com/documentation/code_diagnostics/address_sanitizer" target="_blank">https://developer.apple.com/documentation/code_diagnostics/address_sanitizer</a> <a href="#fnref:3" class="footnote-back-ref">↩</a></p></li> <li id="fn:4"><p>"Visual Studio 2019 version 16.9 Release Notes". Microsoft. Retrieved 5 March 2021. <a href="https://docs.microsoft.com/en-us/visualstudio/releases/2019/release-notes#16.9.0" target="_blank">https://docs.microsoft.com/en-us/visualstudio/releases/2019/release-notes#16.9.0</a> <a href="#fnref:4" class="footnote-back-ref">↩</a></p></li> <li id="fn:5"><p>Konstantin Serebryany; Derek Bruening; Alexander Potapenko; Dmitry Vyukov. "AddressSanitizer: a fast address sanity checker" (PDF). Proceedings of the 2012 USENIX conference on Annual Technical Conference. <a href="https://www.usenix.org/system/files/conference/atc12/atc12-final39.pdf" target="_blank">https://www.usenix.org/system/files/conference/atc12/atc12-final39.pdf</a> <a href="#fnref:5" class="footnote-back-ref">↩</a></p></li> <li id="fn:6"><p>"Hardware-assisted AddressSanitizer Design Documentation — Clang 17.0.0git documentation". clang.llvm.org. <a href="https://clang.llvm.org/docs/HardwareAssistedAddressSanitizerDesign.html" target="_blank">https://clang.llvm.org/docs/HardwareAssistedAddressSanitizerDesign.html</a> <a href="#fnref:6" class="footnote-back-ref">↩</a></p></li> <li id="fn:7"><p>"MemorySanitizer". GitHub. <a href="https://github.com/google/sanitizers/wiki/MemorySanitizer" target="_blank">https://github.com/google/sanitizers/wiki/MemorySanitizer</a> <a href="#fnref:7" class="footnote-back-ref">↩</a></p></li> <li id="fn:8"><p>"ComparisonOfMemoryTools". AddressSanitizer Wiki. Retrieved 1 December 2017. <a href="https://github.com/google/sanitizers/wiki/AddressSanitizerComparisonOfMemoryTools" target="_blank">https://github.com/google/sanitizers/wiki/AddressSanitizerComparisonOfMemoryTools</a> <a href="#fnref:8" class="footnote-back-ref">↩</a></p></li> <li id="fn:9"><p>"Bypassing AddressSanitizer" (PDF). Eric Wimberley. Retrieved 1 July 2014. <a href="http://dl.packetstormsecurity.net/papers/general/BreakingAddressSanitizer.pdf" target="_blank">http://dl.packetstormsecurity.net/papers/general/BreakingAddressSanitizer.pdf</a> <a href="#fnref:9" class="footnote-back-ref">↩</a></p></li> <li id="fn:10"><p>"KernelAddressSanitizer (KASAN)". Archived from the original on 2015-09-15. <a href="https://web.archive.org/web/20150915180313/http://lxr.free-electrons.com/source/Documentation/kasan.txt" target="_blank">https://web.archive.org/web/20150915180313/http://lxr.free-electrons.com/source/Documentation/kasan.txt</a> <a href="#fnref:10" class="footnote-back-ref">↩</a></p></li> <li id="fn:11"><p>Jake Edge. "The kernel address sanitizer". <a href="https://lwn.net/Articles/612153/" target="_blank">https://lwn.net/Articles/612153/</a> <a href="#fnref:11" class="footnote-back-ref">↩</a></p></li> <li id="fn:12"><p>Jonathan Corbet. "3.20 merge window part 2". <a href="https://lwn.net/Articles/633096/" target="_blank">https://lwn.net/Articles/633096/</a> <a href="#fnref:12" class="footnote-back-ref">↩</a></p></li> <li id="fn:13"><p>"Kernel Address Sanitizer (KASAN)". Archived from the original on 2024-11-04. <a href="https://web.archive.org/web/20241104171917/https://learn.microsoft.com/en-us/windows-hardware/drivers/devtest/kasan" target="_blank">https://web.archive.org/web/20241104171917/https://learn.microsoft.com/en-us/windows-hardware/drivers/devtest/kasan</a> <a href="#fnref:13" class="footnote-back-ref">↩</a></p></li> <li id="fn:14"><p>Google (2 March 2023). "sanitizers: This project is the home for Sanitizers: AddressSanitizer, MemorySanitizer, ThreadSanitizer, LeakSanitizer, and more". GitHub. Google. {{cite web}}: |last1= has generic name (help) <a href="https://github.com/google/sanitizers" target="_blank">https://github.com/google/sanitizers</a> <a href="#fnref:14" class="footnote-back-ref">↩</a></p></li> <li id="fn:15"><p>"sanitizer - The Rust Unstable Book". doc.rust-lang.org. This feature allows for use of one of following sanitizers: [...] ControlFlowIntegrity LLVM Control Flow Integrity <a href="https://doc.rust-lang.org/beta/unstable-book/compiler-flags/sanitizer.html" target="_blank">https://doc.rust-lang.org/beta/unstable-book/compiler-flags/sanitizer.html</a> <a href="#fnref:15" class="footnote-back-ref">↩</a></p></li> <li id="fn:16"><p>"Clang Compiler User's Manual — Clang 17.0.0git documentation". clang.llvm.org. -f[no-]sanitize=check1,check2,... Turn on runtime checks for various forms of undefined or suspicious behavior <a href="https://clang.llvm.org/docs/UsersManual.html#cmdoption-f-no-sanitize" target="_blank">https://clang.llvm.org/docs/UsersManual.html#cmdoption-f-no-sanitize</a> <a href="#fnref:16" class="footnote-back-ref">↩</a></p></li> <li id="fn:17"><p>"Instrumentation Options (Using the GNU Compiler Collection (GCC))". gcc.gnu.org. <a href="https://gcc.gnu.org/onlinedocs/gcc/Instrumentation-Options.html" target="_blank">https://gcc.gnu.org/onlinedocs/gcc/Instrumentation-Options.html</a> <a href="#fnref:17" class="footnote-back-ref">↩</a></p></li> <li id="fn:18"><p>"Linux Kernel Sanitizers". Google. 2 March 2023. <a href="https://github.com/google/kernel-sanitizers" target="_blank">https://github.com/google/kernel-sanitizers</a> <a href="#fnref:18" class="footnote-back-ref">↩</a></p></li> <li id="fn:19"><p>"sanitizer - The Rust Unstable Book". doc.rust-lang.org. This feature allows for use of one of following sanitizers: [...] ControlFlowIntegrity LLVM Control Flow Integrity <a href="https://doc.rust-lang.org/beta/unstable-book/compiler-flags/sanitizer.html" target="_blank">https://doc.rust-lang.org/beta/unstable-book/compiler-flags/sanitizer.html</a> <a href="#fnref:19" class="footnote-back-ref">↩</a></p></li> <li id="fn:20"><p>"Clang Compiler User's Manual — Clang 17.0.0git documentation". clang.llvm.org. -f[no-]sanitize=check1,check2,... Turn on runtime checks for various forms of undefined or suspicious behavior <a href="https://clang.llvm.org/docs/UsersManual.html#cmdoption-f-no-sanitize" target="_blank">https://clang.llvm.org/docs/UsersManual.html#cmdoption-f-no-sanitize</a> <a href="#fnref:20" class="footnote-back-ref">↩</a></p></li> <li id="fn:21"><p>"Instrumentation Options (Using the GNU Compiler Collection (GCC))". gcc.gnu.org. <a href="https://gcc.gnu.org/onlinedocs/gcc/Instrumentation-Options.html" target="_blank">https://gcc.gnu.org/onlinedocs/gcc/Instrumentation-Options.html</a> <a href="#fnref:21" class="footnote-back-ref">↩</a></p></li> <li id="fn:22"><p>"GWP-ASan — LLVM 17.0.0git documentation". llvm.org. <a href="https://llvm.org/docs/GwpAsan.html" target="_blank">https://llvm.org/docs/GwpAsan.html</a> <a href="#fnref:22" class="footnote-back-ref">↩</a></p></li> <li id="fn:23"><p>"libFuzzer – a library for coverage-guided fuzz testing. — LLVM 17.0.0git documentation". llvm.org. <a href="https://llvm.org/docs/LibFuzzer.html?highlight=fsanitize" target="_blank">https://llvm.org/docs/LibFuzzer.html?highlight=fsanitize</a> <a href="#fnref:23" class="footnote-back-ref">↩</a></p></li> <li id="fn:24"><p>Abhishek Arya; Cris Neckar; Chrome Security Team. "Fuzzing for Security". <a href="https://blog.chromium.org/2012/04/fuzzing-for-security.html" target="_blank">https://blog.chromium.org/2012/04/fuzzing-for-security.html</a> <a href="#fnref:24" class="footnote-back-ref">↩</a></p></li> <li id="fn:25"><p>Abhishek Arya; Cris Neckar; Chrome Security Team. "Fuzzing for Security". <a href="https://blog.chromium.org/2012/04/fuzzing-for-security.html" target="_blank">https://blog.chromium.org/2012/04/fuzzing-for-security.html</a> <a href="#fnref:25" class="footnote-back-ref">↩</a></p></li> <li id="fn:26"><p>"Securing Firefox: Trying new code analysis techniques". Archived from the original on 2016-03-07. Retrieved 2018-06-18. <a href="https://web.archive.org/web/20160307095743/https://blog.mozilla.org/decoder/2012/01/27/trying-new-code-analysis-techniques/#more-14" target="_blank">https://web.archive.org/web/20160307095743/https://blog.mozilla.org/decoder/2012/01/27/trying-new-code-analysis-techniques/#more-14</a> <a href="#fnref:26" class="footnote-back-ref">↩</a></p></li> <li id="fn:27"><p>"Some of the bugs found by AddressSanitizer". GitHub. <a href="https://github.com/google/sanitizers/wiki/AddressSanitizerFoundBugs" target="_blank">https://github.com/google/sanitizers/wiki/AddressSanitizerFoundBugs</a> <a href="#fnref:27" class="footnote-back-ref">↩</a></p></li> <li id="fn:28"><p>Mateusz Jurczyk; Gynvael Coldwind (2014-01-10). "FFmpeg and a thousand fixes". J00Ru-Vx Tech Blog. <a href="http://j00ru.vexillium.org/?p=2211" target="_blank">http://j00ru.vexillium.org/?p=2211</a> <a href="#fnref:28" class="footnote-back-ref">↩</a></p></li> <li id="fn:29"><p>"Search results for AddressSanitizer in FreeType Bugs". <a href="http://savannah.nongnu.org/search/?words=AddressSanitizer&type_of_search=bugs&Search=Search&exact=1#options" target="_blank">http://savannah.nongnu.org/search/?words=AddressSanitizer&type_of_search=bugs&Search=Search&exact=1#options</a> <a href="#fnref:29" class="footnote-back-ref">↩</a></p></li> </ol>