Linking with libcxx built with asan reports container-overflow error

greenb · October 24, 2025, 6:51pm

Is it possible to use a sanitized libc++ in LLVM 21.1.3? When I do that, ASAN always reports a container-overflow. When I do not link with a sanitized libc++, then ASAN does not report any error.

I am upgrading from LLVM 14.0.6 where this used to work.

My test program is:

#include <vector>
#include <string>

int main() {
  std::string test = "hello";
  std::vector<std::string> strs;
  strs.push_back(test);
  test = "hello again";
  strs.push_back(test);
  return 0;
}

I’m trying to build the sanitized libc++ like this (though I’ve tried a few variations like this)

/usr/bin/cmake ${src_dir}/runtimes                                  \
    -DLLVM_USE_SANITIZER=Address                                    \
    -DCMAKE_INSTALL_PREFIX=${install_dir}/libcxx-asan               \
    -DCMAKE_C_COMPILER=${install_dir}/bin/clang                     \
    -DCMAKE_CXX_COMPILER=${install_dir}/bin/clang++                 \
    -DCMAKE_BUILD_TYPE=Release                                      \
    -DCMAKE_POSITION_INDEPENDENT_CODE=ON                            \
    -DLLVM_ENABLE_RUNTIMES="libcxx;libcxxabi;libunwind;compiler-rt" \
    -DLLVM_INCLUDE_TESTS=OFF                                        \
    -DLIBCXX_HAS_ATOMIC_LIB=NO                                      \
    -DLIBCXXABI_USE_COMPILER_RT=ON                                  \
    -DLIBCXX_USE_COMPILER_RT=ON                                     \
    -DLIBCXX_ENABLE_STATIC_ABI_LIBRARY=ON                           \
    -DLIBCXX_STATICALLY_LINK_ABI_IN_SHARED_LIBRARY=OFF

make -j$(nproc) install

And I’m compiling my test program like this:

/opt/llvm-21.1.3/bin/clang++ -fsanitize=address test.cpp -L/opt/llvm-21.1.3/libcxx-asan/lib/ -static-libstdc++ -static-libgcc

Running it I get a container-overflow error

==166788==ERROR: AddressSanitizer: container-overflow on address 0x7bc086160017 at pc 0x5577299ad04b bp 0x7fff3795dc80 sp 0x7fff3795d440

(fwiw, it reports a container overflow whether I static link or not)

However if I do not link with the sanitized libc++, then there is no error.

/opt/llvm-21.1.3/bin/clang++ -fsanitize=address test.cpp -static-libstdc++ -static-libgcc

Is it possible to use a sanitized libc++ with asan anymore? Has anyone done this recently?

I’ve tried to look at the CMake builds within the LLVM source tree, but I haven’t been successful trying out similar options in my own build.

I can of course not link with the sanitized libc++ anymore, but I’ve been doing that to try to get the most sanitization possible with asan and tsan

greenb · October 30, 2025, 11:37pm

I figured this out! It turned out to be this:

github.com/llvm/llvm-project

[ASan][libc++] std::basic_string annotations

main ← trail-of-forks:string-annotations-base

opened 04:58PM - 17 Nov 23 UTC

AdvenamTacet

+862 -64

This commit introduces basic annotations for `std::basic_string`, mirroring the …approach used in `std::vector` and `std::deque`. Initially, only long strings with the default allocator will be annotated. Short strings (_SSO - short string optimization_) and strings with non-default allocators will be annotated in the near future, with separate commits dedicated to enabling them. The process will be similar to the workflow employed for enabling annotations in `std::deque`. **Please note**: these annotations function effectively only when libc++ and libc++abi dylibs are instrumented (with ASan). This aligns with the prevailing behavior of Memory Sanitizer. To avoid breaking everything, this commit also appends `_LIBCPP_INSTRUMENTED_WITH_ASAN` to `__config_site` whenever libc++ is compiled with ASan. If this macro is not defined, string annotations are not enabled. However, linking a binary that does **not** annotate strings with a dynamic library that annotates strings, is not permitted. Originally proposed here: https://reviews.llvm.org/D132769 Related patches on Phabricator: - Turning on annotations for short strings: https://reviews.llvm.org/D147680 - Turning on annotations for all allocators: https://reviews.llvm.org/D146214 This PR is a part of a series of patches extending AddressSanitizer C++ container overflow detection capabilities by adding annotations, similar to those existing in `std::vector` and `std::deque` collections. These enhancements empower ASan to effectively detect instances where the instrumented program attempts to access memory within a collection's internal allocation that remains unused. This includes cases where access occurs before or after the stored elements in `std::deque`, or between the `std::basic_string`'s size (including the null terminator) and capacity bounds. The introduction of these annotations was spurred by a real-world software bug discovered by Trail of Bits, involving an out-of-bounds memory access during the comparison of two strings using the `std::equals` function. This function was taking iterators (`iter1_begin`, `iter1_end`, `iter2_begin`) to perform the comparison, using a custom comparison function. When the `iter1` object exceeded the length of `iter2`, an out-of-bounds read could occur on the `iter2` object. Container sanitization, upon enabling these annotations, would effectively identify and flag this potential vulnerability. This Pull Request introduces basic annotations for `std::basic_string`. Long strings exhibit structural similarities to `std::vector` and will be annotated accordingly. Short strings are already implemented, but will be turned on separately in a forthcoming commit. Look at [a comment](https://github.com/llvm/llvm-project/pull/72677#issuecomment-1850554465) below to read about SSO issues at current moment. Due to the functionality introduced in [D132522](https://github.com/llvm/llvm-project/commit/dd1b7b797a116eed588fd752fbe61d34deeb24e4), the `__sanitizer_annotate_contiguous_container` function now offers compatibility with all allocators. However, enabling this support will be done in a subsequent commit. For the time being, only strings with the default allocator will be annotated. If you have any questions, please email: - advenam.tacet@trailofbits.com - disconnect3d@trailofbits.com

Which just means that I needed to use the headers from the sanitized libc++ when compiling.

So my example works when compiling like this:

/opt/llvm-21.1.3/bin/clang++ -fsanitize=address test.cpp -nostdinc++ -isystem /opt/llvm-21.1.3/libcxx-asan/include -isystem /opt/llvm-21.1.3/libcxx-asan/include/c++/v1 -L/opt/llvm-21.1.3/libcxx-asan/lib/ -static-libstdc++ -static-libgcc

Previously this didn’t matter since the sanitized libc++ includes used to be identical to the normal ones, but that’s no longer true.

Topic		Replies	Views
What the current state of Asan/Container Overflow detection? LLVM Dev List Archives	1	106	September 6, 2017
annotating libc++ to catch buffer overflows in vector/string with asan Clang Frontend	9	164	February 21, 2014
Using ASAN suppressions in mixed-instrumented environments LLVM Dev List Archives	0	106	October 2, 2019
linker warnings in Linking CXX executable Debug/AsanTest LLVM Dev List Archives	5	142	November 3, 2012
Making MSAN Easier to Use: Providing a Sanitized Libc++ Clang Frontend	24	277	August 17, 2016

Linking with libcxx built with asan reports container-overflow error

Related topics