[WIP][PATCH] "pointer-overflow" sanitizer

Will Dietz wdietz2 at illinois.edu
Tue Oct 28 17:42:34 PDT 2014


Hi all,

Attached are updated patches for adding -fsanitize=pointer-overflow.

Now with quite a bit more thorough testing of various constructs :).

On my blog I wrote a post detailing a few bugs found with this tool[1][2].

At least some developers care:

* LLVM accepted a patch to ASTVector to fix this behavior[3]
    (disclosure: I committed this one, but no one objected O:))
* ffmpeg fixed reported issue[4]

I haven't reported other issues yet, probably will do that soon :).

Anyway, please review and let me know any thoughts you have about this
checker :).

Enjoy!

~Will

[1] http://wdtz.org/catching-pointer-overflow-bugs.html
[2] http://wdtz.org/undefined-behavior-in-binutils-causes-segfault.html
[3] http://llvm.org/viewvc/llvm-project?view=revision&revision=216385
[4] https://trac.ffmpeg.org/ticket/3152

~Will

On Mon, Nov 18, 2013 at 11:13 PM, Will Dietz <wdietz2 at illinois.edu> wrote:
> Attached are updated patches, please take a look :).
>
> For now not checking struct indexing as doing so caught no additional bugs
> on my test programs and doing so requires a fair bit of plumbing to get
> the SourceLocation down into the struct indexing helpers.
>
> That said, this has been useful in catching bugs in LLVM and
> elsewhere, as previously reported.
>
> Thanks!
>
> ~Will
>
> On Mon, Oct 28, 2013 at 7:56 PM, Will Dietz <wdietz2 at illinois.edu> wrote:
>> Glad there's some interest.
>>
>> I have no test coverage of anything other than the Driver component,
>> that will be included.
>> I also need to do some plumbing work to support adding checks to
>> struct indexing.
>>
>> I've tried this on:
>> * LLVM/Clang
>> * ImageMagick
>> * binutils
>> * curl
>> * ffmpeg (w/FATE samples)
>> * openldap
>> * openssh
>> * pcre
>> * postgresql
>> * sqlite
>>
>> And the programs seem to build and at least pass their own non-trivial
>> test-suites.
>>
>> So far detected bugs in:
>> * binutils (what inspired this sanitizer)
>> * clang (reported earlier today)
>> * curl (unreported)
>> * pcre (unreported)
>> * ffmpeg (unreported)
>>
>> With a single bug location per software so far :).
>>
>> I also expect this to work particularly well with fuzz testing.
>>
>> ~Will
>>
>>
>> On Mon, Oct 28, 2013 at 5:44 PM, Richard Smith <richard at metafoo.co.uk> wrote:
>>> Seems like a nice idea to me. (Your test coverage is pretty weak, though.)
>>> Have you tried this much on large codebases? Does this find many bugs? (I
>>> can imagine it would be effective when combined with fuzz testing...)
>>>
>>>
>>> On Mon, Oct 28, 2013 at 3:39 PM, Will Dietz <wdietz2 at illinois.edu> wrote:
>>>>
>>>> Hi all,
>>>>
>>>> Recently I thought it would be useful to have a sanitizer for
>>>> detecting overflows in pointer expressions.  Such overflows are
>>>> undefined behavior and are pretty much always bugs.  While it's true
>>>> that if such an overflowed pointer is dereferenced a tool such as ASan
>>>> will catch the error, detection of these bugs when they occur helps fix
>>>> them without requiring an input that triggers a crash.
>>>>
>>>> Two examples of this in the wild:
>>>>
>>>> * binutils undefined behavior bug that leads to segfault when built
>>>> with clang[1]
>>>> * ASTVector bug I just submitted patch for, discovered using this
>>>> sanitizer[2]
>>>>
>>>> Attached are patches for clang and compiler-rt that implement this
>>>> sanitizer and seem to work well in my testing so far.
>>>>
>>>> There is some work to do yet:
>>>>
>>>> * Adding lit tests to clang/compiler-rt
>>>> * Finalizing what constructs are useful/worth checking (iterative
>>>> process, I imagine)
>>>> * More testing/benchmarking
>>>>
>>>> Before tackling the above, I was hoping to get some early feedback:
>>>>
>>>> * Is this something the community is interested in/would find useful?
>>>> * Code review (the current implementation should be complete in terms
>>>> of the checking code itself)
>>>>
>>>> Thank you for your time, here's to finding even more bugs! :)
>>>>
>>>> ~Will
>>>>
>>>> [1] http://wdtz.org/undefined-behavior-in-binutils-causes-segfault.html
>>>> [2] http://lists.cs.uiuc.edu/pipermail/cfe-commits/Week-of-Mon-20131028/091878.html
>>>>
>>>> _______________________________________________
>>>> cfe-commits mailing list
>>>> cfe-commits at cs.uiuc.edu
>>>> http://lists.cs.uiuc.edu/mailman/listinfo/cfe-commits
>>>>
>>>
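An added illustration of the bug class this sanitizer targets and of the kind of check it conceptually inserts; this is not code from the patches or from any of the projects named above. The function and variable names are assumptions, and the bounds-check idiom is a common instance of the pattern, not a quote of any specific reported bug.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Conceptual form of the check a pointer-overflow sanitizer inserts
 * before evaluating `p + n`: do the arithmetic on uintptr_t, where
 * wrap-around is well defined, and report if the pointer expression
 * itself would have wrapped. (Hypothetical; not the patch's codegen.) */
static int ptr_add_would_wrap(const void *p, size_t n) {
    uintptr_t base = (uintptr_t)p;
    return n > UINTPTR_MAX - base;   /* base + n would wrap the address space */
}

/* Common bounds-check idiom that is itself undefined behaviour: it
 * relies on `p + n` wrapping for large n. The compiler may fold the
 * second comparison to true, and the sanitizer flags the overflowing
 * addition at the moment it happens rather than at a later crash. */
static int has_room_ub(const char *p, const char *end, size_t n) {
    return p + n <= end && p + n >= p;   /* UB when p + n overflows */
}

/* Hardened form: subtract two pointers into the same object to get a
 * plain size_t, then compare integers. No pointer expression can
 * overflow here, so there is nothing for the sanitizer to report. */
static int has_room(const char *p, const char *end, size_t n) {
    if (p > end)
        return 0;
    return n <= (size_t)(end - p);
}

/* Constructed buffer used to exercise the checks. */
static char demo_buf[16];

int main(void) {
    const char *end = demo_buf + sizeof demo_buf;
    printf("has_room(8)           = %d\n", has_room(demo_buf, end, 8));
    printf("has_room(SIZE_MAX)    = %d\n", has_room(demo_buf, end, SIZE_MAX));
    printf("has_room_ub(8)        = %d\n", has_room_ub(demo_buf, end, 8));
    printf("would_wrap(SIZE_MAX)  = %d\n", ptr_add_would_wrap(demo_buf, SIZE_MAX));
    return 0;
}
```

Building the same source with `-fsanitize=pointer-overflow` and calling `has_room_ub` with a large `n` is where the checker reports, while `has_room` stays silent.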
-------------- next part --------------
A non-text attachment was scrubbed...
Name: ptrsan-rt.patch
Type: text/x-patch
Size: 3297 bytes
Desc: not available
URL: <http://lists.llvm.org/pipermail/cfe-commits/attachments/20141028/9c94c996/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: ptrsan-clang.patch
Type: text/x-patch
Size: 22236 bytes
Desc: not available
URL: <http://lists.llvm.org/pipermail/cfe-commits/attachments/20141028/9c94c996/attachment-0001.bin>