Address Sanitizer for MSVC Now Generally Available

Augustin Popa

⌚ This post was last updated on March 10th, 2021.

Special thanks to Aaron Gorenstein who provided most of the content for this blog post. Special thanks as well to Kevin Cadieux and Jim Radigan who also made contributions.  

You can check out a demo on this feature in the latest Visual Studio Toolbox episode on YouTube: Visual Studio Toolbox Live – What’s New in Visual Studio 2019 version 16.9? – YouTube

To get started with this experience, check out our documentation.

We’re thrilled to announce that as of Visual Studio 2019 version 16.9, the C++ Address Sanitizer (ASan) for MSVC experience is fully supported. Thanks to all who tried it out while it was experimental in earlier versions of the IDE and filed issues to help make this release all-the-better!


The Address Sanitizer

The Address Sanitizer (ASan) is an immensely valuable technology for finding and fixing memory bugs. Here’s a quick illustration:

Image ASan example

It was originally designed and implemented for the LLVM/Clang compiler. Starting in version 16.1, we brought the technology to Visual Studio 2019 for targeting Linux, then added MSVC support in version 16.4. Now with version 16.9, we have altogether resolved over 50 customer-reported bugs and improved the user experience to the point where we are ready to announce that we are moving the ASan for Windows experience out of experimental state. We consider the feature stable and ready to use for production environments. When we last blogged about the AddressSanitizer for Windows experience with version 16.7, we had announced x64 and Debug target support. Since then, we simplified the compilation model to match LLVM by automatically linking runtime libraries when the /fsanitize=address compiler flag is specified. Now, most users will just need to add that single flag to get ASan, with no additional flags or linker options needed. We also polished the debugging experience by cleaning up runtime-generated exceptions and fixing line number mismatches.

ASan helps catch a variety of memory issues, all of which can have real impact in running your programs. These issues range from the “classics” like use-after-free, to subtler issues like the use of a local variable after it has left scope. We’ve provided documentation on how to get started with ASan with Visual Studio in a variety of build environments (MSBuild, CMake, and the command line), any of which require just a few small changes. Read on to learn more of what ASan is and how it can help you in developing your software.


The Value

We’re grateful that the core ASan technologies and benefits are well-established with LLVM/Clang. It’s been exciting bringing those benefits to MSVC customers and see just how it can help find and investigate a great many bugs. Some examples:

  • To validate our ASan feature, we ran our test suite with the ASan option turned on. The test suite includes Electron, Qt Creator, Eigen, FLAC, postgresql, OpenSSL, and around 30 other projects.
  • We built the MSVC compiler itself with ASan and ran some key tests. This is helping us identify bugs in our C++ toolchain. Furthermore, it is saving us time identifying issues when we investigate MSVC bugs reported by the community.
  • The Windows team is fuzzing their codebase with ASan and OneFuzz and their team has been instrumental in identifying and fixing issues in the ASan for Windows experience.
  • We are expanding efforts to use ASan internally at Microsoft, including in the Windows and Office organization.

We will be saying more about the topics above in some future blog posts. We’ve also been contributing our changes to the ASan components shared between MSVC and Clang upstream to the shared OSS repo. The latest of our PRs has been submitted for review, adding support for tracking allocations made through low-level Windows APIs. We expect with future fixes and enhancements there will be more. Our north star is to always contribute to, and use, the same OSS ASan components.

Moreover, with version 16.9 we have full Visual Studio IDE integration with ASan. Now you can obtain the core value of the fundamental ASan technology in the first-class Visual Studio debugging experience on Windows. In the opening picture you see how Visual Studio points right to the ASan-detected bug, complete with explanatory pop-up, call stack, and all the other debugging information you’d expect. We’ve documented more of the details of the debugger integration, and the text-based ASan report is still available in the Output window for advanced users.

Moving beyond the local dev loop, we also added the ability to save ASan crash dumps, thereby enabling whole new cloud and distributed testing scenarios. A deep dive on this scenario can be found in our documentation.


Getting Started

If you’re eager to jump in and try ASan for yourself, check out our documentation.


The Journey, and Thanks!

Bringing ASan to Visual Studio as a first-class experience took time. Of course, we are grateful for the LLVM/Clang team that created and continues to develop ASan, and we feel exceptionally grateful to the many customers who took our invitation to try out ASan while it was experimental and helped us improve its quality. False positives, those where ASan reports a memory bug that is not truly a memory bug, we treat with highest priority and we strain to fix those as soon as possible. False negatives, where ASan should have reported an issue but didn’t, are intrinsically harder to find but fortunately less disruptive; to maximize the value of ASan we also strive to fix those quickly. We have been heads-down working to address the last, recently-reported issues. While we of course hope that the ASan integration quality satisfies your requirements, we have documented an “escape hatch” to selectively turn off ASan in the rare case you do hit a bug.

We see ASan as just the start of bringing more sanitizer-and-related technology to Visual Studio. If you have thoughts on the future of undefined-behavior-, memory-, thread-, or other-sanitizers, please share them as a suggestion on Developer Community! If you suspect you’ve hit an issue or bug, please also don’t hesitate to open a ticket on Developer Community!

Thanks for reading!