Yeh static analysis nahi hai (yeh compile time pe tumhara code reason nahi karta) aur Valgrind ki tarah ek alag VM bhi nahi hai. Balki compiler tumhare loads aur stores ke aas-paas extra check code inject karta hai, aur ek runtime library malloc/free ko replace karti hai.
C/C++ tumhe raw pointers deta hai bina kisi bounds checking ke. Yeh fast hai lekin dangerous hai:
int a[4];a[4] = 42; // writes 1 element past the end — undefined behaviour
Plain execution often kaam karta dikh-ta hai (tum bas kuch adjacent memory smash kar dete ho), phir 10,000 lines baad mysteriously crash ho jaata hai. Aise bugs ~70% security CVEs ka karan hain. Humein kuch chahiye jo loudly, immediately, exact line pe fail kare.
Humein ek quick tarika chahiye yeh poochne ka ki "kya address A valid hai?". Har application byte ke liye ek byte of metadata store karna memory double kar deta. Isliye ASan ek key observation use karta hai:
Application memory 8-byte granules mein aligned hoti hai. Ek granule ke andar, pehle k bytes usually valid hote hain aur baaki poisoned.
To ek shadow byte 8 application bytes describe karta hai. Mapping ek simple affine function hai:
Shadow byte values encode karta hai ki 8 bytes mein se kitne bytes addressable hain:
ASan ki runtime malloc(n) ko actually n + dono taraf redzones allocate karati hai, aur un redzone shadow bytes ko poison karti hai. Yahi stack arrays (compiler-inserted) aur globals ke liye bhi hota hai. To a[4] ek red strip mein land karta hai aur check fire ho jaata hai.
Fuzzing (libFuzzer / AFL) — ASan ke saath pair karo taaki buggy paths tak pahuncho
Recall Feynman: ek 12-saal ke bacche ko explain karo
Socho tumhare khilone ek box ke andar rehne chahiye. ASan har box ke aas-paas "do-not-touch" floor ki ek patli red border paint karta hai. Yeh ek choti si cheat-sheet bhi rakhta hai (8 floor tiles per ek note) jo batati hai ki kaunsi tiles safe hain. Jab bhi tumhara robot hand floor pe reach karta hai, woh pehle cheat-sheet dekhta hai. Green floor pe kadam rakho → theek hai. Red border pe kadam rakho → robot STOP chillata hai aur tumhe exactly batata hai ki tum kis toy box ke paas se nikal gaye. Isi tarah yeh tumhe tumhare box ke bahar pahunchte waqt usi waqt pakad leta hai, baad mein nahi jab sab kuch mess ho chuka ho.
Recall Active recall — quick self-test
Kaunsa formula ek address ko uske shadow byte pe map karta hai?
Ek shadow byte 8 application bytes kyun cover karta hai?
ASan specifically use-after-free kaise detect karta hai?
Ek aise overflow ka naam batao jise ASan miss kar sakta hai.
AddressSanitizer enable karne wala compiler flag kya hai?
-fsanitize=address (GCC aur Clang mein)
ASan mein shadow-address mapping formula kya hai?
Shadow(A)=(A≫3)+Offset
Ek shadow byte 8 application bytes kyun describe karta hai?
Memory ko 8-byte aligned granules mein track kiya jaata hai; shadow byte store karta hai ki un 8 bytes mein se kitne addressable hain (0=saare, k=pehle k, negative=koi nahi).
Shadow value 0 ka matlab kya hai vs negative value?
Poisoned padding jo har buffer (heap, stack, global) ke pehle/baad insert ki jaati hai taaki adjacent overflows poisoned shadow se takraayein aur report hon.
ASan use-after-free kaise pakadta hai?
free() par woh block ki shadow ko poison karta hai aur use quarantine karta hai (reuse delay karta hai), to baad ka access poisoned shadow padhta hai → reported.
A par N-byte access ke liye, report trigger karne wali condition kya hai?
shadow ≠ 0 AND ((A & 7) + N − 1) ≥ shadow, yaani accessed byte poisoned part mein pahunch jaata hai.
Ek aisi OOB bug class batao jo ASan MISS kar sakta hai.
Ek wild pointer jo object se door hai aur kisi doosre valid (green) object ki memory mein land ho jaata hai — beech mein koi redzone nahi.
ASan static hai ya runtime detection?
Runtime — yeh compile time pe loads/stores ko instrument karta hai lekin checks execution ke dauran un paths par run hote hain jo tum actually execute karte ho.
Typical ASan overhead kya hai?
Roughly 2× CPU slowdown aur 2–3× memory use (shadow + redzones + quarantine); yeh ek debug/test tool hai, production ke liye nahi.
ASan ko fuzzing ke saath kyun pair karo?
ASan sirf executed paths par bugs dhundta hai; fuzzing aisi inputs generate karta hai jo zyada paths tak pahunchti hain taaki redzone checks actually fire hon.