How does -fsanitize=address work under the hood?

Hi,

I am trying to see what -fsanitize=address does using the following
example. I see a number of _asan function and variables. But it is
still not clear how the original program is transformed so that memory
error will be catched. Could anybody help explain how it works?
Thanks.

Also, many functions (like __asan_report_load16) are not used. Why are
they declared? Thanks.

$ diff <(clang -Wno-array-bounds -S -emit-llvm -x c -o - - <<< 'int
main() { int a[2] = {1, 0}; int b=a[2]; return 0; }') <(clang
-Wno-array-bounds -fsanitize=address -S -emit-llvm -x c -o - -<<< 'int
main() { int a[2] = {1, 0}; int b=a[2]; return 0; }')
< @__const.main.a = private unnamed_addr constant [2 x i32] [i32 1,
i32 0], align 4
< ; Function Attrs: noinline nounwind optnone ssp uwtable

I recommend reading Address Sanitizer's paper:
https://static.googleusercontent.com/media/research.google.com/en//pubs/archive/37752.pdf

It's an easy and quite interesting read.

Cheers,
Victor.

We also have a Wiki page explaining the basics of the algorithm: https://github.com/google/sanitizers/wiki/AddressSanitizerAlgorithm