[WIP][PATCH] "pointer-overflow" sanitizer

Will Dietz wdietz2 at illinois.edu
Mon Nov 18 21:13:29 PST 2013


Attached are updated patches, please take a look :).

For now not checking struct indexing as doing so caught no additional bugs
on my test programs and doing so requires a fair bit of plumbing to get
the SourceLocation down into the struct indexing helpers.

That said, this has been useful in catching bugs in LLVM and
elsewhere, as previously reported.

Thanks!

~Will

On Mon, Oct 28, 2013 at 7:56 PM, Will Dietz <wdietz2 at illinois.edu> wrote:
> Glad there's some interest.
>
> I have no test coverage of anything other than the Driver component,
> that will be included.
> I also need to do some plumbing work to support adding checks to
> struct indexing.
>
> I've tried this on:
> * LLVM/Clang
> * ImageMagick
> * binutils
> * curl
> * ffmpeg (w/FATE samples)
> * openldap
> * openssh
> * pcre
> * postgresql
> * sqlite
>
> And the programs seem to build and at least pass their own non-trivial
> test-suites.
>
> So far detected bugs in:
> * binutils (what inspired this sanitizer)
> * clang (reported earlier today)
> * curl (unreported)
> * pcre (unreported)
> * ffmpeg (unreported)
>
> With a single bug location per software so far :).
>
> I also expect this to work particularly well with fuzz testing.
>
> ~Will
>
>
> On Mon, Oct 28, 2013 at 5:44 PM, Richard Smith <richard at metafoo.co.uk> wrote:
>> Seems like a nice idea to me. (Your test coverage is pretty weak, though.)
>> Have you tried this much on large codebases? Does this find many bugs? (I
>> can imagine it would be effective when combined with fuzz testing...)
>>
>>
>> On Mon, Oct 28, 2013 at 3:39 PM, Will Dietz <wdietz2 at illinois.edu> wrote:
>>>
>>> Hi all,
>>>
>>> Recently I thought it would be useful to have a sanitizer for
>>> detecting overflows in pointer expressions.  Such overflows are
>>> undefined behavior and are pretty much always bugs.  While it's true
>>> that if such an overflowed pointer is dereferenced a tool such as ASan
>>> will catch the error, detection of these bugs when they occur helps fix
>>> them without requiring an input that triggers a crash.
>>>
>>> Two examples of this in the wild:
>>>
>>> * binutils undefined behavior bug that leads to segfault when built
>>> with clang[1]
>>> * ASTVector bug I just submitted patch for, discovered using this
>>> sanitizer[2]
>>>
>>> Attached are patches for clang and compiler-rt that implement this
>>> sanitizer and seem to work well in my testing so far.
>>>
>>> There is some work to do yet:
>>>
>>> * Adding lit tests to clang/compiler-rt
>>> * Finalizing what constructs are useful/worth checking (iterative
>>> process, I imagine)
>>> * More testing/benchmarking
>>>
>>> Before tackling the above, I was hoping to get some early feedback:
>>>
>>> * Is this something the community is interested in/would find useful?
>>> * Code review (the current implementation should be complete in terms
>>> of the checking code itself)
>>>
>>> Thank you for your time, here's to finding even more bugs! :)
>>>
>>> ~Will
>>>
>>> [1] http://wdtz.org/undefined-behavior-in-binutils-causes-segfault.html
>>> [2] http://lists.cs.uiuc.edu/pipermail/cfe-commits/Week-of-Mon-20131028/091878.html
>>>
>>> _______________________________________________
>>> cfe-commits mailing list
>>> cfe-commits at cs.uiuc.edu
>>> http://lists.cs.uiuc.edu/mailman/listinfo/cfe-commits
>>>
>>
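The thread above describes the bug class but not the check itself, so here is a small added example (written for this page, not code from Will's patches) of the kind of runtime test a pointer-overflow sanitizer performs, and of why it matters: a bounds check written as `p + len <= end` silently passes once `p + len` wraps around the address space. Function names (`ptr_add_overflows_signed`, `ptr_add_overflows_unsigned`, `bounds_check_fragile`, `bounds_check_robust`, `checked_char_add`) and the diagnostic format are assumptions of this example; all arithmetic in the checks is done on `uintptr_t` so that the example never forms an invalid pointer itself.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Model of the sanitizer check for `p + off` with a signed index:
 * compute the new address with wrapping unsigned arithmetic and flag the
 * case where a forward step landed behind the base (wrapped past the top
 * of the address space) or a backward step landed ahead of it (wrapped
 * below zero). Either case is undefined behaviour in the C source. */
bool ptr_add_overflows_signed(uintptr_t base, intptr_t off)
{
    uintptr_t result = base + (uintptr_t)off;  /* unsigned wrap is defined */
    return off >= 0 ? result < base : result > base;
}

/* Same check for an unsigned index (size_t): only forward wrap is possible. */
bool ptr_add_overflows_unsigned(uintptr_t base, uintptr_t off)
{
    return base + off < base;
}

/* The classic bounds check as it appears in real code. Modelled on
 * integers here because evaluating `p + len` in C would itself be the
 * bug: once p + len wraps, the comparison passes for a huge len. */
bool bounds_check_fragile(const char *p, size_t len, const char *end)
{
    return (uintptr_t)p + len <= (uintptr_t)end;
}

/* Robust form: compare lengths, never a pointer that may not exist.
 * end - p is always a valid difference within one object. */
bool bounds_check_robust(const char *p, size_t len, const char *end)
{
    return len <= (size_t)(end - p);
}

/* Instrumented `p + n`: report like a sanitizer would (diagnostic text is
 * this example's own, not clang's) and refuse to form the pointer. */
char *checked_char_add(char *p, intptr_t n, const char *file, int line)
{
    if (ptr_add_overflows_signed((uintptr_t)p, n)) {
        fprintf(stderr, "%s:%d: runtime error: pointer %p + %lld overflows\n",
                file, line, (void *)p, (long long)n);
        return NULL;
    }
    return p + n;
}

int main(void)
{
    char buf[16];                      /* constructed sample buffer */
    const char *end = buf + sizeof buf;
    size_t bad_len = SIZE_MAX;         /* e.g. a length field from untrusted input */

    printf("fragile check accepts SIZE_MAX: %d\n", bounds_check_fragile(buf, bad_len, end));
    printf("robust check accepts SIZE_MAX:  %d\n", bounds_check_robust(buf, bad_len, end));
    printf("sanitizer flags p + SIZE_MAX:   %d\n",
           ptr_add_overflows_unsigned((uintptr_t)buf, bad_len));

    char *q = checked_char_add(buf, 3, __FILE__, __LINE__);   /* fine */
    printf("buf + 3 ok: %d\n", q == buf + 3);
    return 0;
}
```

The fragile check is the shape of the binutils bug the thread refers to: the overflowed pointer is never dereferenced at the comparison, so ASan stays silent, while a check at the point of the arithmetic reports it immediately.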
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Add-pointer-overflow-sanitizer-for-undefined-overflo.patch
Type: text/x-patch
Size: 20718 bytes
Desc: not available
URL: <http://lists.llvm.org/pipermail/cfe-commits/attachments/20131118/db7aeb3e/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Add-handler-for-pointer-overflow-sanitizer.patch
Type: text/x-patch
Size: 2919 bytes
Desc: not available
URL: <http://lists.llvm.org/pipermail/cfe-commits/attachments/20131118/db7aeb3e/attachment-0001.bin>
