by jart 1966 days ago
The -fsanitize=address flag is orthogonal to the runtime library. All -fsanitize=address does is this: each time the compiler uses memory at address x, it generates a few extra instructions that check whether a bit is set at the shadow address ((x >> 3) + 0x7fff8000). I use a simplified runtime intended to support just that in a few hundred lines of code. Overlaps aren't possible since no shadow address can exist outside the range 0x7fff8000 ... 0x100080000000. Even if you use the stock runtime, I'm not convinced local escalation is possible through having the ability to write foo.PID files. I don't understand how that clobbers files like /etc/shadow.
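The shadow mapping and the per-access test the comment describes, as an added worked example (not code from the commenter or from the LLVM/GCC ASan projects). It assumes the standard 64-bit x86 mapping (scale 3, offset 0x7fff8000) and models the shadow-byte encoding ASan uses: 0 means all 8 bytes of a granule are addressable, 1..7 means only that many leading bytes are, and a negative value means poisoned. The 64-byte "arena" and its 8 shadow bytes are a constructed toy, not real process memory, so the check can be exercised without an instrumented build.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Shadow mapping constants for 64-bit x86 ASan, as described in the comment
   (assumption: the standard scale of 3, i.e. one shadow byte per 8 bytes). */
#define ASAN_SHADOW_SCALE  3
#define ASAN_SHADOW_OFFSET 0x7fff8000ULL

/* shadow(x) = (x >> 3) + 0x7fff8000 */
uint64_t asan_shadow_address(uint64_t addr)
{
    return (addr >> ASAN_SHADOW_SCALE) + ASAN_SHADOW_OFFSET;
}

/* Toy arena (constructed): 64 simulated bytes at simulated address 0x1000,
   described by 8 shadow bytes. This is not real process memory. */
#define ARENA_BASE   0x1000ULL
#define ARENA_SIZE   64
#define SHADOW_BYTES (ARENA_SIZE / 8)

/* Negative shadow value used here for poisoned granules; the real runtime
   uses several distinct negative values to name different redzone kinds. */
#define TOY_REDZONE ((int8_t)0xfa)

/* Mark an allocation of n bytes at the start of the arena as addressable and
   poison everything after it, the way a malloc() right redzone would be. */
void toy_poison_allocation(int8_t *shadow, size_t n)
{
    size_t i;
    if (n > ARENA_SIZE)
        n = ARENA_SIZE;
    for (i = 0; i < SHADOW_BYTES; i++)
        shadow[i] = TOY_REDZONE;
    for (i = 0; i < n / 8; i++)
        shadow[i] = 0;                      /* whole granule addressable */
    if (n % 8)
        shadow[n / 8] = (int8_t)(n % 8);    /* partial granule: first k bytes */
}

/* The test an instrumented load/store performs, generalised to any size:
   for each 8-byte granule touched, load its shadow byte; zero means OK,
   otherwise the access is bad if its last byte within that granule lies at
   or beyond the addressable prefix (always true for negative shadow values).
   Returns 1 for an invalid access, 0 for a valid one. */
int toy_check_access(const int8_t *shadow, uint64_t addr, size_t size)
{
    uint64_t off;
    if (addr < ARENA_BASE || addr - ARENA_BASE + size > ARENA_SIZE)
        return 1;                           /* outside the toy arena */
    off = addr - ARENA_BASE;
    while (size > 0) {
        int8_t s = shadow[off >> ASAN_SHADOW_SCALE];
        size_t in_granule = off & 7;
        size_t chunk = 8 - in_granule;
        if (chunk > size)
            chunk = size;
        if (s != 0 && (int)(in_granule + chunk - 1) >= (int)s)
            return 1;
        off += chunk;
        size -= chunk;
    }
    return 0;
}

int main(void)
{
    int8_t shadow[SHADOW_BYTES];
    uint64_t p = ARENA_BASE;                /* pretend: p = malloc(13) */
    toy_poison_allocation(shadow, 13);

    printf("shadow(0x%llx) = 0x%llx\n", (unsigned long long)p,
           (unsigned long long)asan_shadow_address(p));
    printf("p[12] 1-byte read: %s\n", toy_check_access(shadow, p + 12, 1) ? "BAD" : "ok");
    printf("p[13] 1-byte read: %s\n", toy_check_access(shadow, p + 13, 1) ? "BAD" : "ok");
    printf("p[8]  8-byte read: %s\n", toy_check_access(shadow, p + 8, 8) ? "BAD" : "ok");
    return 0;
}
```

Two things worth noticing: the mapping function is pure arithmetic, which is why the compiler can inline it at every memory operation independent of whichever runtime provides the shadow region, and the partial-granule byte (5 here, for a 13-byte object) is what makes a one-byte read at p[12] legal while p[13] is caught.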