Starting March 27, 2025, we recommend using android-latest-release instead of aosp-main to build and contribute to AOSP. For more information, see Changes to AOSP.
The sanitizers are a group of dynamic analysis tools that find mistakes in
programs at runtime using additional instrumentation inserted by the
compiler. This includes detecting memory safety issues. Android supports
and strongly recommends using the following sanitizers:
Hardware-assisted AddressSanitizer (HWASan)
HWASan is the main sanitizer for detecting memory safety problems. It
requires ARM64 and can detect:
- Stack and heap buffer overflow or underflow
- Heap use after free
- Stack use after scope
- Stack use after return
- Double free or wild free
Address sanitizer (ASan)
ASan is a tool similar to HWASan. It works on more
platforms, but is unsupported on Android.
KernelAddress sanitizer (KASan)
KASan is the kernel counterpart of the userspace
tools above. It shares the same compiler implementation. KASan and ASan/HWASan
are complementary as one tool applies to the kernel and another to userspace.
We recommend enabling both at the same time to reduce the number of build
configurations and to reduce the testing matrix.
UndefinedBehavior sanitizer (UBSan)
UBSan performs compile-time instrumentation to
check for various types of (non-memory-safety) undefined behavior. This includes
signed and unsigned integer overflow checking (IntSan), bounds checks for
statically sized arrays (BoundsSan), and many other types of undefined
behavior. IntSan and BoundsSan are also suitable for enabling in production as a
security mitigation.
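To make the IntSan and BoundsSan checks concrete, the following added example (not AOSP code) shows the two patterns they target, each next to an explicit check for the same condition the sanitizer traps on. The function names, table contents and sizes are hypothetical, and `__builtin_mul_overflow` is a Clang/GCC builtin.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define TABLE_LEN 8 /* constructed sample data */
static const int table[TABLE_LEN] = {1, 2, 3, 5, 8, 13, 21, 34};

/* Unchecked size calculation: count * size wraps modulo 2^32, so a large
 * count produces a small byte total and an undersized buffer. This
 * multiplication is the operation IntSan instruments. */
uint32_t record_bytes_unchecked(uint32_t count, uint32_t size) {
    return count * size;
}

/* Same calculation with an explicit overflow check; returns false
 * instead of handing back a wrapped total. */
bool record_bytes_checked(uint32_t count, uint32_t size, uint32_t *out) {
    return !__builtin_mul_overflow(count, size, out);
}

/* Index into a statically sized array with the bounds test written out;
 * BoundsSan inserts the equivalent test at each such access. */
bool table_get(size_t idx, int *out) {
    if (idx >= TABLE_LEN)
        return false;
    *out = table[idx];
    return true;
}

int main(void) {
    uint32_t count = 0x10000001u, size = 16, total = 0;
    int value = 0;

    printf("unchecked total: %u bytes\n",
           (unsigned)record_bytes_unchecked(count, size));
    printf("checked total ok: %d\n",
           record_bytes_checked(count, size, &total));
    printf("table_get(7) ok: %d, table_get(8) ok: %d\n",
           table_get(7, &value), table_get(8, &value));
    return 0;
}
```

With the constructed inputs, the unchecked total wraps to 16 bytes for more than 268 million records, which is the kind of silent miscalculation that makes trapping on overflow useful as a production mitigation.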
Last updated 2024-08-26 UTC.