[WIP][PATCH] "pointer-overflow" sanitizer

Will Dietz wdietz2 at illinois.edu
Tue Nov 4 21:10:45 PST 2014


Hi all!

Attached are updated copies of the patches, previous ones no longer
apply cleanly to ToT.
Also cleaned up the clang patch a bit.

Enjoy, feedback/review requested :).

~Will

On Tue, Oct 28, 2014 at 7:42 PM, Will Dietz <wdietz2 at illinois.edu> wrote:
> Hi all,
>
> Attached are updated patches for adding -fsanitize=pointer-overflow.
>
> Now with quite a bit more thorough testing of various constructs :).
>
> On my blog I wrote a post detailing a few bugs found with this tool[1][2].
>
> At least some developers care:
>
> * LLVM accepted a patch to ASTVector to fix this behavior[3]
>     (disclosure: I committed this one, but no one objected O:))
> * ffmpeg fixed reported issue[4]
>
> I haven't reported other issues yet, probably will do that soon :).
>
> Anyway, please review and let me know any thoughts you have about this
> checker :).
>
> Enjoy!
>
> ~Will
>
> [1] http://wdtz.org/catching-pointer-overflow-bugs.html
> [2] http://wdtz.org/undefined-behavior-in-binutils-causes-segfault.html
> [3] http://llvm.org/viewvc/llvm-project?view=revision&revision=216385
> [4] https://trac.ffmpeg.org/ticket/3152
>
> ~Will
>
> On Mon, Nov 18, 2013 at 11:13 PM, Will Dietz <wdietz2 at illinois.edu> wrote:
>> Attached are updated patches, please take a look :).
>>
>> For now not checking struct indexing as doing so caught no additional bugs
>> on my test programs and doing so requires a fair bit of plumbing to get
>> the SourceLocation down into the struct indexing helpers.
>>
>> That said, this has been useful in catching bugs in LLVM and
>> elsewhere, as previously reported.
>>
>> Thanks!
>>
>> ~Will
>>
>> On Mon, Oct 28, 2013 at 7:56 PM, Will Dietz <wdietz2 at illinois.edu> wrote:
>>> Glad there's some interest.
>>>
>>> I have no test coverage of anything other than the Driver component,
>>> that will be included.
>>> I also need to do some plumbing work to support adding checks to
>>> struct indexing.
>>>
>>> I've tried this on:
>>> * LLVM/Clang
>>> * ImageMagick
>>> * binutils
>>> * curl
>>> * ffmpeg (w/FATE samples)
>>> * openldap
>>> * openssh
>>> * pcre
>>> * postgresql
>>> * sqlite
>>>
>>> And the programs seem to build and at least pass their own non-trivial
>>> test-suites.
>>>
>>> So far detected bugs in:
>>> * binutils (what inspired this sanitizer)
>>> * clang (reported earlier today)
>>> * curl (unreported)
>>> * pcre (unreported)
>>> * ffmpeg (unreported)
>>>
>>> With a single bug location per software so far :).
>>>
>>> I also expect this to work particularly well with fuzz testing.
>>>
>>> ~Will
>>>
>>>
>>> On Mon, Oct 28, 2013 at 5:44 PM, Richard Smith <richard at metafoo.co.uk> wrote:
>>>> Seems like a nice idea to me. (Your test coverage is pretty weak, though.)
>>>> Have you tried this much on large codebases? Does this find many bugs? (I
>>>> can imagine it would be effective when combined with fuzz testing...)
>>>>
>>>>
>>>> On Mon, Oct 28, 2013 at 3:39 PM, Will Dietz <wdietz2 at illinois.edu> wrote:
>>>>>
>>>>> Hi all,
>>>>>
>>>>> Recently I thought it would be useful to have a sanitizer for
>>>>> detecting overflows in pointer expressions.  Such overflows are
>>>>> undefined behavior and are pretty much always bugs.  While it's true
>>>>> that if such an overflowed pointer is dereferenced a tool such as ASan
>>>>> will catch the error, detection of these bugs when they occur helps fix
>>>>> them without requiring an input that triggers a crash.
>>>>>
>>>>> Two examples of this in the wild:
>>>>>
>>>>> * binutils undefined behavior bug that leads to segfault when built
>>>>> with clang[1]
>>>>> * ASTVector bug I just submitted patch for, discovered using this
>>>>> sanitizer[2]
>>>>>
>>>>> Attached are patches for clang and compiler-rt that implement this
>>>>> sanitizer and seem to work well in my testing so far.
>>>>>
>>>>> There is some work to do yet:
>>>>>
>>>>> * Adding lit tests to clang/compiler-rt
>>>>> * Finalizing what constructs are useful/worth checking (iterative
>>>>> process, I imagine)
>>>>> * More testing/benchmarking
>>>>>
>>>>> Before tackling the above, I was hoping to get some early feedback:
>>>>>
>>>>> * Is this something the community is interested in/would find useful?
>>>>> * Code review (the current implementation should be complete in terms
>>>>> of the checking code itself)
>>>>>
>>>>> Thank you for your time, here's to finding even more bugs! :)
>>>>>
>>>>> ~Will
>>>>>
>>>>> [1] http://wdtz.org/undefined-behavior-in-binutils-causes-segfault.html
>>>>> [2] http://lists.cs.uiuc.edu/pipermail/cfe-commits/Week-of-Mon-20131028/091878.html
>>>>>
>>>>> _______________________________________________
>>>>> cfe-commits mailing list
>>>>> cfe-commits at cs.uiuc.edu
>>>>> http://lists.cs.uiuc.edu/mailman/listinfo/cfe-commits
>>>>>
>>>>
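As an illustration of the overflow class this sanitizer targets, here is an added C example that is not part of the attached patches: a model of the two checks a pointer-overflow sanitizer would insert before `p + i` (index scaling, then the address addition in wrapping uintptr_t), next to the `cur + len <= end` guard pattern that such overflows silently defeat and its length-based replacement. `demo_buf`, the function names and the `SIZE_MAX - 15` offset are constructed for the demo.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Constructed 16-byte buffer; assumed to live at an address >= 16. */
static char demo_buf[16];

/* Step 1 of the check: scaling the index by the element size must not
 * wrap size_t (models the multiply-overflow test a sanitizer emits for
 * `p + i` on a T*).  Returns true on overflow, else stores the byte count. */
static bool scaled_offset_overflows(size_t elem_size, size_t count, size_t *bytes) {
    if (elem_size != 0 && count > SIZE_MAX / elem_size)
        return true;
    *bytes = elem_size * count;
    return false;
}

/* Step 2: the byte offset is added to the address in uintptr_t, which
 * wraps silently.  Moving forward must not land below base; moving
 * backward (negative index) must not land above it.  Returns true when
 * the addition wrapped, i.e. the pointer expression overflowed. */
static bool ptr_add_overflows(const void *base, size_t bytes, bool negative) {
    uintptr_t b = (uintptr_t)base;
    uintptr_t r = negative ? b - bytes : b + bytes;
    return negative ? r > b : r < b;
}

/* Bug pattern the sanitizer catches: `cur + len <= end` wraps when len is
 * huge, so the guard passes and the caller reads past `end`.  The sum is
 * taken in uintptr_t here only so this demo itself stays defined. */
static bool in_bounds_buggy(const char *cur, const char *end, size_t len) {
    return (uintptr_t)cur + len <= (uintptr_t)end;
}

/* Hardened guard: compare lengths instead of forming the pointer. */
static bool in_bounds_safe(const char *cur, const char *end, size_t len) {
    return len <= (size_t)(end - cur);
}

/* Returns how many of the two guards let an oversized `len` through. */
static int demo(void) {
    const char *end = demo_buf + sizeof demo_buf;
    size_t huge = SIZE_MAX - 15;   /* constructed: wraps cur back by 16 bytes */
    int bad = 0;
    if (in_bounds_buggy(demo_buf, end, huge)) bad++;  /* passes: wrapped */
    if (in_bounds_safe(demo_buf, end, huge)) bad++;   /* rejected */
    return bad;
}
```

The `ptr_add_overflows` call with `SIZE_MAX - 15` is exactly the case the buggy guard misses: the runtime check flags the wrap at the point of the pointer arithmetic, before any dereference that ASan would need to observe.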
-------------- next part --------------
A non-text attachment was scrubbed...
Name: ptrsan-rt.patch
Type: text/x-patch
Size: 3291 bytes
Desc: not available
URL: <http://lists.llvm.org/pipermail/cfe-commits/attachments/20141104/a7171b8b/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: ptrsan-clang.patch
Type: text/x-patch
Size: 22595 bytes
Desc: not available
URL: <http://lists.llvm.org/pipermail/cfe-commits/attachments/20141104/a7171b8b/attachment-0001.bin>

