MSVC AddressSanitizer — enable for debug builds to catch memory errors

Summary

MSVC AddressSanitizer (/fsanitize=address) catches heap overflows, stack overflows, use-after-free, and use-after-scope in debug builds at ~2x runtime cost. It is the most effective runtime tool for finding memory bugs in C++.

Given the number of raw pointer and buffer patterns in this codebase (see REF-010, AUDIT-BUGS.md history), ASan would have caught many of the bugs fixed in the 2026-03-30 hardening pass at development time.

Prerequisite Notes

  • Requires MSVC v143 (already in use).
  • Incompatible with /RTC (runtime checks) — disable /RTC in the ASan configuration.
  • Requires separate ASan DLL (clang_rt.asan_dbg-x86_64.dll) in the output directory or on PATH.

CMake Configuration

# CMakePresets.json — add a dedicated ASan entry to "configurePresets"
# (cmake --build --preset Debug-ASan also needs a "buildPresets" entry of that name)
{
  "name": "Debug-ASan",
  "displayName": "Debug with AddressSanitizer",
  "inherits": "Debug",
  "cacheVariables": {
    "CMAKE_CXX_FLAGS": "/fsanitize=address",
    "CMAKE_MSVC_RUNTIME_LIBRARY": "MultiThreadedDebug"
  }
}

# In CMakeLists.txt — strip /RTC when ASan is active. CMake's default MSVC debug
# flags include /RTC1, which is incompatible with /fsanitize=address.
# CMAKE_MSVC_RUNTIME_LIBRARY only takes effect with policy CMP0091 set to NEW.
if(CMAKE_CXX_FLAGS MATCHES "fsanitize=address")
    string(REPLACE "/RTC1" "" CMAKE_CXX_FLAGS_DEBUG "${CMAKE_CXX_FLAGS_DEBUG}")
endif()

Usage

cmake --preset Debug-ASan
cmake --build --preset Debug-ASan
# Run eMule.exe — ASan reports go to stderr, or to a file when ASAN_OPTIONS=log_path=<prefix> is set

What It Catches

  • Heap buffer overflow (e.g. the packet size underflows fixed by BBUG_001–003)
  • Stack buffer overflow
  • Use-after-free (e.g. delete-this patterns, upload queue lifetime bugs)
  • Use-after-scope (e.g. a dangling pointer or reference to a local that has left its scope)
  • Double-free
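As an added example (not code from this page or from the eMule code base), a smoke test for the Debug-ASan build: the unchecked parser reproduces the packet-size underflow class behind BBUG_001–003 in a constructed toy framing, and the checked parser beside it shows the length validation that prevents it. The framing, function names and the 64-byte destination buffer are assumptions.

```cpp
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <initializer_list>
#include <vector>

// Constructed toy framing (not eMule's real packet layout): 1-byte opcode,
// 2-byte little-endian declared length that includes the header, then payload.
static const size_t kHeader = 3;

// Hardened parser: every length that feeds a copy is validated first.
// Returns the payload length, or -1 if the packet is rejected.
int parse_packet_checked(const uint8_t* buf, size_t buf_len, std::vector<uint8_t>& out) {
    if (buf_len < kHeader) return -1;                          // truncated header
    size_t declared = buf[1] | (static_cast<size_t>(buf[2]) << 8);
    if (declared < kHeader) return -1;                         // would underflow below
    size_t payload = declared - kHeader;
    if (payload > buf_len - kHeader) return -1;                // claims more than received
    out.assign(buf + kHeader, buf + kHeader + payload);
    return static_cast<int>(payload);
}

// Wrapper so a packet can be described inline as a byte list.
int checked_len(std::initializer_list<uint8_t> bytes) {
    std::vector<uint8_t> pkt(bytes), out;
    return parse_packet_checked(pkt.data(), pkt.size(), out);
}

// Unchecked parser, the bug class BBUG_001-003 fixed: a declared length below
// kHeader wraps 'payload' to about 65534 and the copy runs off both buffers.
void parse_packet_unchecked(const uint8_t* buf, uint8_t* dst) {
    uint16_t declared = static_cast<uint16_t>(buf[1] | (buf[2] << 8));
    uint16_t payload = static_cast<uint16_t>(declared - kHeader);   // underflows
    for (size_t i = 0; i < payload; ++i) dst[i] = buf[kHeader + i];
}

// Smoke test for the Debug-ASan build: expect a heap-buffer-overflow READ report
// on stderr at the first iteration of the unchecked copy (buf[3] is past the end).
int main() {
    const uint8_t short_pkt[] = {0x01, 0x01, 0x00};             // declared length 1 < 3
    std::printf("checked parser rejects it: %d\n", checked_len({0x01, 0x01, 0x00}));
    uint8_t* heap_pkt = new uint8_t[sizeof short_pkt];
    std::memcpy(heap_pkt, short_pkt, sizeof short_pkt);
    uint8_t* dst = new uint8_t[64];
    parse_packet_unchecked(heap_pkt, dst);                      // ASan fires here
    delete[] dst;
    delete[] heap_pkt;
    return 0;
}
```

Without ASan the unchecked path is plain undefined behaviour, so run this only in the Debug-ASan configuration; a clean run with no report means the sanitizer runtime is not active.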

Acceptance Criteria

  • [ ] Debug-ASan CMake preset works (CI-001 prerequisite)
  • [ ] ASan build compiles and launches without false positives
  • [ ] At least one CI run per sprint uses the ASan build
  • [ ] Known suppressions documented in asan.supp file

Prerequisite

CI-001 (CMake), CI-003 (MSVC hardening — /RTC conflict must be handled)