Preview
Open Original
post, Jan 15, 2026, on Mitja Felicijan’s blog
What -fsanitize=address does
- Enables AddressSanitizer (ASan): a compile and link time instrumentation plus runtime library that detects memory errors.
- Detects: out-of-bounds accesses (heap, stack, globals), use-after-free, some use-after-return, double/invalid free, and (on some platforms) leaks.
- How it works: instrumented memory accesses are checked against a shadow memory; violations produce an error report with a stack trace and abort the program.
- Trade-offs: ~2x runtime slowdown (varies), higher memory use, large virtual address space reservation on 64-bit, and requires linking the ASan runtime (not suitable for production builds).
- Usage: compile and link with
-fsanitize=address...
post, Jan 15, 2026, on Mitja Felicijan’s blog
What -fsanitize=address does
- Enables AddressSanitizer (ASan): a compile and link time instrumentation plus runtime library that detects memory errors.
- Detects: out-of-bounds accesses (heap, stack, globals), use-after-free, some use-after-return, double/invalid free, and (on some platforms) leaks.
- How it works: instrumented memory accesses are checked against a shadow memory; violations produce an error report with a stack trace and abort the program.
- Trade-offs: ~2x runtime slowdown (varies), higher memory use, large virtual address space reservation on 64-bit, and requires linking the ASan runtime (not suitable for production builds).
- Usage: compile and link with
-fsanitize=address(and typically-gand-O0). Runtime behavior can be tuned viaASAN_OPTIONSand symbolization via llvm-symbolizer.
More about ASan on https://clang.llvm.org/docs/AddressSanitizer.html.
An example how to use it
#include <stdlib.h>
#include <stdio.h>
#include <string.h>
int main(void) {
char *p = malloc(10);
if (!p) return 1;
// Out-of-bounds write (heap buffer overflow).
strcpy(p, "This string is way too long for the buffer");
// Use-after-free (unreachable if program aborts on previous error).
free(p);
p[0] = 'x';
return 0;
}
Now let’s compile with proper flags with clang -O0 -g -fsanitize=address -o main main.c.
If you run the binary it should trigger ASan. You can also specify what to show with ASAN_OPTIONS=detect_leaks=1:verbosity=1:symbolize=1 ./main and you should see something like this.
MemToShadow(shadow): 0x00008fff7000 0x000091ff6dff 0x004091ff6e00 0x02008fff6fff
redzone=16
max_redzone=2048
quarantine_size_mb=256M
thread_local_quarantine_size_kb=1024K
malloc_context_size=30
SHADOW_SCALE: 3
SHADOW_GRANULARITY: 8
SHADOW_OFFSET: 0x00007fff8000
==28825==Installed the sigaction for signal 11
==28825==Installed the sigaction for signal 7
==28825==Installed the sigaction for signal 8
==28825==T0: FakeStack created: 0x7be4d10f7000 -- 0x7be4d1c00000 stack_size_log: 20; mmapped 11300K, noreserve=0
==28825==T0: stack [0x7ffcf551c000,0x7ffcf5d1c000) size 0x800000; local=0x7ffcf5d1a664
==28825==AddressSanitizer Init done
=================================================================
==28825==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7c04d25e001a at pc 0x5653c583826a bp 0x7ffcf5d1a5f0 sp 0x7ffcf5d19da8
WRITE of size 43 at 0x7c04d25e001a thread T0
#0 0x5653c5838269 in strcpy (/home/m/Junk/fsanitize/main+0xb7269) (BuildId: 69a0723cc8e27d59eb584f6cc902f6f12915111a)
#1 0x5653c5894e13 in main /home/m/Junk/fsanitize/main.c:10:5
#2 0x7fe4d328bbfb in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
#3 0x7fe4d328bcb4 in __libc_start_main@GLIBC_2.2.5 csu/../csu/libc-start.c:360:3
#4 0x5653c57ad360 in _start /builddir/glibc-2.41/csu/../sysdeps/x86_64/start.S:115
0x7c04d25e001a is located 0 bytes after 10-byte region [0x7c04d25e0010,0x7c04d25e001a)
allocated by thread T0 here:
#0 0x5653c5851ca4 in malloc (/home/m/Junk/fsanitize/main+0xd0ca4) (BuildId: 69a0723cc8e27d59eb584f6cc902f6f12915111a)
#1 0x5653c5894de8 in main /home/m/Junk/fsanitize/main.c:6:15
#2 0x7fe4d328bbfb in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
SUMMARY: AddressSanitizer: heap-buffer-overflow (/home/m/Junk/fsanitize/main+0xb7269) (BuildId: 69a0723cc8e27d59eb584f6cc902f6f12915111a) in strcpy
Shadow bytes around the buggy address:
0x7c04d25dfd80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x7c04d25dfe00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x7c04d25dfe80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x7c04d25dff00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x7c04d25dff80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x7c04d25e0000: fa fa 00[02]fa fa fa fa fa fa fa fa fa fa fa fa
0x7c04d25e0080: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x7c04d25e0100: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x7c04d25e0180: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x7c04d25e0200: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x7c04d25e0280: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==28825==ABORTING