[WIP][PATCH] "pointer-overflow" sanitizer

Will Dietz wdietz2 at illinois.edu
Mon Oct 28 15:39:12 PDT 2013

Hi all,

Recently I thought it would be useful to have a sanitizer for
detecting overflows in pointer expressions.  Such overflows are
undefined behavior and are pretty much always bugs.  While it's true
that if such an overflowed pointer is dereferenced a tool such as ASan
will catch the error, detection of these bugs when the occur helps fix
them without requiring an input that triggers a crash.

Two examples of this in the wild:

* binutils undefined behavior bug that leads to segfault when built
with clang[1]
* ASTVector bug I just submitted patch for, discovered using this sanitizer[2]

Attached are patches for clang and compiler-rt that implement this
sanitizer and seem to work well in my testing so far.

There is some work to do yet:

* Adding lit tests to clang/compiler-rt
* Finalizing what constructs are useful/worth checking (iterative
process, I imagine)
* More testing/benchmarking

Before tackling the above, I was hoping to get some early feedback:

* Is this something the community is interested in/would find useful?
* Code review (the current implementation should be complete in terms
of the checking code itself)

Thank you for your time, here's to finding even more bugs! :)


[1] http://wdtz.org/undefined-behavior-in-binutils-causes-segfault.html
[2] http://lists.cs.uiuc.edu/pipermail/cfe-commits/Week-of-Mon-20131028/091878.html
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Add-handler-for-pointer-overflow-sanitizer.patch
Type: text/x-patch
Size: 1894 bytes
Desc: not available
URL: <http://lists.llvm.org/pipermail/cfe-commits/attachments/20131028/55f177b0/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Add-pointer-overflow-sanitizer-for-undefined-overflo.patch
Type: text/x-patch
Size: 18829 bytes
Desc: not available
URL: <http://lists.llvm.org/pipermail/cfe-commits/attachments/20131028/55f177b0/attachment-0001.bin>

More information about the cfe-commits mailing list