Skip to content

AddressSanitizerFlags

Alexander Potapenko edited this page Aug 31, 2015 · 25 revisions

Compiler flags

flag default description
-fsanitize=address Enable AddressSanitizer
-fno-omit-frame-pointer Leave frame pointers. Allows the fast unwinder to function properly.
-fsanitize-blacklist=path Pass a blacklist file
-fno-common Do not treat global variable in C as common variables (allows ASan to instrument them)

ASan-specific compile-time flags are passed via clang flag -mllvm <flag>. In most cases you don't need them.

flag default description
-asan-stack 1 Detect overflow/underflow for stack objects
-asan-globals 1 Detect overflow/underflow for global objects

Run-time flags

Most run-time flags are passed to AddressSanitizer via ASAN_OPTIONS environment variable like this:

ASAN_OPTIONS=verbosity=1:malloc_context_size=20 ./a.out

Note that below list may (and probably is) incomplete. Also older versions of ASan may not support some of the listed flags. To get the idea of what's supported in your version, run

ASAN_OPTIONS=help=1 ./a.out
Flag Default value Description
verbosity 0 Be more verbose (mostly for testing the tool itself)
malloc_context_size 30 Number of frames in malloc/free stack traces. Valid values are 0...256.
redzone 16 Size of the minimal redzone. Since LLVM 3.3 asan uses adaptive redzones for heap, i.e. for large heap allocations the redzones are larger.
log_path (none) Path to the log files. If log_path=PATH is given, every process will write error reports to PATH.PID. By default all reports are written to stderr.
sleep_before_dying 0 Sleep for this number of seconds before exiting the process on failure.
quarantine_size_mb 256 Size of quarantine (in Mb) for finding use-after-free errors. Lower values save memory but increase false negatives rate.
quarantine_size 0 Deprecated since r225337, use quarantine_size_mb
fast_unwind_on_fatal 0 Use fast unwinder when found a bug. The fast one relies on frame pointers, while slow one does not. See also AddressSanitizerCallStack
fast_unwind_on_malloc 1 Same as fast_unwind_on_fatal, but control unwinding inside malloc/free, i.e. performance critical. See also AddressSanitizerCallStack
exitcode 1 Call _exit(exitcode) on error.
abort_on_error 0 If 1, call abort() instead of _exit(exitcode) on error.
allow_user_poisoning 1 Allow/disallow AddressSanitizerManualPoisoning
strict_memcmp 1 When set to 1 (default), memcmp("foo", "bar", 100) is treated as a bug
allocator_may_return_null 0 If false, the allocator will crash instead of returning 0 on out-of-memory.
alloc_dealloc_mismatch 1 When set to 1, checks for malloc()/new/new.md vs. free()/delete/delete.md mismatches. Default: 0 on Mac and Windows, 1 otherwise
detect_stack_use_after_return 0 If 1, will try to detect AddressSanitizerUseAfterReturn errors
min_uar_stack_size_log 16 Controls the size of Fake Stack for AddressSanitizerUseAfterReturn detector
max_uar_stack_size_log 20 Controls the size of Fake Stack for AddressSanitizerUseAfterReturn detector
debug 0 If set, prints some debugging information and does additional checks.
disable_core 0/1 Disable the core dumper. Since asan consumes many terabytes of virtual memory on 64-bit, dumping core is unwise. Default: 0 on 32-bit and 1 on 64-bit.
use_madv_dontdump 1 Instructs kernel to not store the (huge) shadow in core file.
handle_segv 1 When set to 1, AddressSanitizer installs its own handler for SIGSEGV
full_address_space 0/1 Sanitize complete address space; by default kernel area on 32-bit platforms will not be sanitized.
allow_user_segv_handler 0 When set to 1, allows user to override SIGSEGV handler installed by ASan
check_initialization_order 0 When set to 1, detect existing InitOrderFiasco problems.
report_globals 1 Controls the way to handle globals (0 - don't detect buffer overflow on globals, 1 - detect buffer overflow, 2 - print data about registered globals).
start_deactivated 0 If true, ASan tweaks a bunch of other flags (quarantine, redzone, heap poisoning) to reduce memory consumption as much as possible, and restores them to original values when the first instrumented module is loaded into the process. This is mainly intended to be used on Android.
strict_init_order 0 When set to 1, InitOrderFiasco also finds potential init order problems.
strip_path_prefix "" When strip_path_prefix=PREFIX the substring .*PREFIX will be removed from the reported file names.
detect_leaks 1 If 1, enables memory leak detection. See LeakSanitizer (Linux/x86_64-only).
use_sigaltstack 1 If 1, sigaltstack is called at start up time. This will provide verbose reports in case of stack overflow.
color auto Print reports in color. Possible values: auto
coverage 0 Enables coverage collection. See AddressSanitizerCoverage.
coverage_dir ./ Controls the path at which coverage is saved.
coverage_direct 0 Enables writing coverage directly to a memory-mapped file (compared to once at the end of the program). See AddressSanitizerCoverage.
coverage_pcs 1 If 1, will dump the coverage as PCs. See AddressSanitizerCoverage.
coverage_bitset 0 If 1, will dump the coverage as bitset. See AddressSanitizerCoverage.
detect_odr_violation 2 If > 0, detect ODR Violations
stack_frame_format "DEFAULT" Format of the stackframe. Placeholders in user-provided string are replaced with actual data. See sanitizer_stacktrace_printer.h for format description.
mmap_limit_mb 0 If > 0, abort if more than this number of megabytes were mmap-ed by user. Experimental, may change in future!
hard_rss_limit_mb 0 Experimental. Hard RSS limit in Mb. If non-zero, a background thread is spawned at startup which periodically reads RSS and aborts the process if the limit is reached
soft_rss_limit_mb 0 Experimental. Soft RSS limit in Mb. If non-zero, a background thread is spawned at startup which periodically reads RSS. If the limit is reached all subsequent malloc/new calls will fail or return NULL (depending on the value of allocator_may_return_null) until the RSS goes below the soft limit. This limit does not affect memory allocations other than malloc/new.
include (none) Parse more flags from the file at a given path. File contents are parsed exactly as if they replaced the include=/path flag. This flag can be used multiple times. Nested includes are supported as well.
Clone this wiki locally