
Address Sanitizer-like functionality on MSVC

Coming from Linux/gcc/clang I find myself working more and more on Windows/Visual Studio.

What I am really missing there is the address sanitizer (bounds checking, leaks, use after free,...). I've done some research and also tried a few things but haven't found a replacement that is complete (feature-wise) as well as reliable. I've tried Dr. Memory for example but learned it doesn't work for Qt-based programs (at least not on Windows 10).

So how do I get address sanitizer-like functionality on Windows/MSVC?

asked Dec 08 '17 09:12

Frank Meerkötter


2 Answers

At least ASan and UBSan from clang are supposed to work on Windows, with some limitations. These can be used with MSVC toolchains using clang-cl as a drop-in replacement for cl.exe - Google seems to be working on this, Mozilla too.

Issues that I am aware of (and that kept me from using it myself until now):

  • linking with the required libraries is not automatic. There are two versions of them, depending on how the CRT is linked in your application (/MT means static CRT, /MD means dynamic CRT, the latter is typically used in Qt). To find the required linker parameters, open a Visual Studio command prompt, add the clang bin folder to the path, and compile a simple main.cpp (empty main function) with verbose options with clang-cl like this:

        clang-cl -v /MD -fsanitize=address main.cpp

    The required link.exe command is at the end of the verbose output; extract the required libs for linking from there.

  • only release builds are supported on Windows

  • no support for exceptions on Windows (see this issue)

  • there doesn't seem to be much further work on the Windows port, the wiki e.g. is terribly outdated (last change in 2015), so I doubt that many people are using this productively. So getting help from other users online might be quite hard ...

Talking about other alternatives on Windows, there are:

  • Appverifier (coming with Windows SDK)
  • Dr Memory (currently unmaintained on Windows according to some comments on its issue tracker, meaning that it's e.g. completely unusable for Qt and everybody who uses SSE 4.2 instructions, see here and here)
  • Intel Inspector (commercial).

Sanitizers and Valgrind on Linux IMO are much more advanced and/or have much better performance than these tools, so keeping an application building on Linux seems the best idea, at least when working with a cross-platform toolkit like Qt (as you are mentioning).

answered Nov 06 '22 02:11

FourtyTwo


Microsoft has integrated the Address Sanitizer into Visual Studio 2019 version 16.1 Preview 3 and up. Unfortunately, currently only the Linux build is supported. But at least you can still use your favorite IDE and debug apps in WSL.

Update:

Address Sanitizer for Windows projects is also available since Visual Studio 2019 version 16.4.

We are pleased to announce AddressSanitizer (ASan) support for the MSVC toolset. ASan is a fast memory error detector that can find runtime memory issues such as use-after-free and perform out of bounds checks. Support for sanitizers has been one of our more popular suggestions on Developer Community, and we can now say that we have an experience for ASan on Windows, in addition to our existing support for Linux projects.

AddressSanitizer (ASan) for Windows with MSVC

The latest release 16.7 supports both x86 and x64 (the initial release only supported x86).


In Visual Studio 2019 version 16.1 Preview 3 we have integrated AddressSanitizer (ASan) into Visual Studio for Linux projects. ASan is a runtime memory error detector for C/C++ that catches the following errors:

  • Use after free (dangling pointer reference)
  • Heap buffer overflow
  • Stack buffer overflow
  • Use after return
  • Use after scope
  • Initialization order bugs

[Screenshots: ASAN error example; ASAN option]

AddressSanitizer (ASan) for the Linux Workload in Visual Studio 2019


Note that MSVC itself already has various tools for debugging memory issues, like CRT Debug Heap as mentioned above by Adrian McCarthy, or Control Flow Guard.

There are many tools that try to make your code secure from outside the box: Valgrind and address/thread sanitizers are popular examples. And there are many of these tools on Windows as well, both from Microsoft and other companies. But MSVC features powerful technologies inside the compiler that integrate security with your code. For example, Control Flow Guard is a highly-optimized security feature that combats many memory corruption vulnerabilities. We can’t talk openly about our current security research but we’re always working to make your code (and ours!) safe from increasingly sophisticated attackers.

https://devblogs.microsoft.com/cppblog/msvc-the-best-choice-for-windows/

See also

  • Find memory leaks with the CRT library
  • Measure memory usage in Visual Studio
  • C++ - Native Memory Diagnostics in Visual Studio 2015
  • Finding memory leaks in a C++ application with Visual Studio
answered Nov 06 '22 03:11

phuclv
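
A smoke test for checking that a Windows build is actually instrumented, covering three of the error classes listed in the answer above (heap buffer overflow, stack buffer overflow, use after free). This is an added example, not code from either answer or from Microsoft; the file name, function names and sample values are constructed, and the `/fsanitize=address` switch is MSVC's documented ASan option, which the answers do not spell out.

```c
/* asan_smoke.c: constructed smoke test (added example, not code from the answers).
 * Build from a Visual Studio developer command prompt:
 *   cl /fsanitize=address /Zi /MD asan_smoke.c      (MSVC)
 *   clang-cl /MD -fsanitize=address asan_smoke.c    (plus the runtime libs found
 *                                                    via the -v step in the first answer)
 * Run:  asan_smoke heap 8 | stack 8 | uaf 1   -> instrumented build stops with an ASan report
 *       asan_smoke heap 3 | stack 3 | uaf 0   -> in-bounds control runs
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define N 8

/* Read element `index` of an N-element heap array; index >= N is a heap-buffer-overflow. */
int read_heap(size_t index) {
    int *buf = malloc(N * sizeof *buf);
    if (!buf) return -1;
    for (int i = 0; i < N; i++) buf[i] = i * i;
    int value = buf[index];
    free(buf);
    return value;
}

/* Same for a stack array; index >= N is a stack-buffer-overflow. */
int read_stack(size_t index) {
    volatile int buf[N];
    for (int i = 0; i < N; i++) buf[i] = 100 + i;
    return buf[index];
}

/* With after_free != 0 the value is read after free(): heap-use-after-free. */
int read_freed(int after_free) {
    int *p = malloc(sizeof *p);
    if (!p) return -1;
    *p = 42;
    int value = *p;
    free(p);
    if (after_free) value = *(volatile int *)p;
    return value;
}

int main(int argc, char **argv) {
    const char *mode = argc > 1 ? argv[1] : "heap";
    size_t arg = argc > 2 ? (size_t)strtoul(argv[2], NULL, 10) : 0;
    int value;
    if (strcmp(mode, "stack") == 0)    value = read_stack(arg);
    else if (strcmp(mode, "uaf") == 0) value = read_freed(arg != 0);
    else                               value = read_heap(arg);
    /* Reaching this line on a buggy input means the build is not instrumented. */
    printf("%s %lu -> %d (no sanitizer report)\n", mode, (unsigned long)arg, value);
    return 0;
}
```

Run the control inputs first to confirm the binary works, then the out-of-bounds inputs; a build that prints the final line for `heap 8`, `stack 8` or `uaf 1` was compiled or linked without the sanitizer runtime.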