[WIP][PATCH] "pointer-overflow" sanitizer

Will Dietz wdietz2 at illinois.edu
Mon Oct 28 17:56:16 PDT 2013


Glad there's some interest.

I have no test coverage of anything other than the Driver component;
that will be included.
I also need to do some plumbing work to support adding checks to
struct indexing.

I've tried this on:
* LLVM/Clang
* ImageMagick
* binutils
* curl
* ffmpeg (w/FATE samples)
* openldap
* openssh
* pcre
* postgresql
* sqlite

And the programs seem to build and at least pass their own non-trivial
test-suites.

So far detected bugs in:
* binutils (what inspired this sanitizer)
* clang (reported earlier today)
* curl (unreported)
* pcre (unreported)
* ffmpeg (unreported)

With a single bug location per software so far :).

I also expect this to work particularly well with fuzz testing.

~Will


On Mon, Oct 28, 2013 at 5:44 PM, Richard Smith <richard at metafoo.co.uk> wrote:
> Seems like a nice idea to me. (Your test coverage is pretty weak, though.)
> Have you tried this much on large codebases? Does this find many bugs? (I
> can imagine it would be effective when combined with fuzz testing...)
>
>
> On Mon, Oct 28, 2013 at 3:39 PM, Will Dietz <wdietz2 at illinois.edu> wrote:
>>
>> Hi all,
>>
>> Recently I thought it would be useful to have a sanitizer for
>> detecting overflows in pointer expressions.  Such overflows are
>> undefined behavior and are pretty much always bugs.  While it's true
>> that if such an overflowed pointer is dereferenced a tool such as ASan
>> will catch the error, detection of these bugs when they occur helps fix
>> them without requiring an input that triggers a crash.
>>
>> Two examples of this in the wild:
>>
>> * binutils undefined behavior bug that leads to segfault when built
>> with clang[1]
>> * ASTVector bug I just submitted patch for, discovered using this
>> sanitizer[2]
>>
>> Attached are patches for clang and compiler-rt that implement this
>> sanitizer and seem to work well in my testing so far.
>>
>> There is some work to do yet:
>>
>> * Adding lit tests to clang/compiler-rt
>> * Finalizing what constructs are useful/worth checking (iterative
>> process, I imagine)
>> * More testing/benchmarking
>>
>> Before tackling the above, I was hoping to get some early feedback:
>>
>> * Is this something the community is interested in/would find useful?
>> * Code review (the current implementation should be complete in terms
>> of the checking code itself)
>>
>> Thank you for your time, here's to finding even more bugs! :)
>>
>> ~Will
>>
>> [1] http://wdtz.org/undefined-behavior-in-binutils-causes-segfault.html
>> [2]
>> http://lists.cs.uiuc.edu/pipermail/cfe-commits/Week-of-Mon-20131028/091878.html
>>
>> _______________________________________________
>> cfe-commits mailing list
>> cfe-commits at cs.uiuc.edu
>> http://lists.cs.uiuc.edu/mailman/listinfo/cfe-commits
>>
>

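To make concrete what "overflow in a pointer expression" means in the original post, here is an added example in C. It is not code from the thread or from the patches; the function names and the constructed buffer are mine. The first function shows the common bounds-check idiom the sanitizer is aimed at: it forms `p + len` first and only then compares, so the overflowed pointer already exists (undefined behaviour, and a compiler may fold the `q >= p` test away, which is how an "impossible" segfault like the binutils one arises). The second is the hardened form that compares lengths and never forms the out-of-range pointer. The third spells out, in defined `uintptr_t` arithmetic, the wrap check that instrumentation of this kind inserts on a forward pointer addition (this check later shipped in clang as `-fsanitize=pointer-overflow`).

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Check-after-overflow idiom (the bug pattern). Forming `p + len` when len
 * runs past the object is undefined behaviour, so the compiler is free to
 * assume q >= p always holds and drop the test. Only ever call this with
 * in-range len here; the point is to show the shape, not to trigger UB. */
static bool in_bounds_ub(const char *p, size_t len, const char *end) {
    const char *q = p + len;          /* UB if p + len leaves the object */
    return q >= p && q <= end;
}

/* Hardened form: compare lengths, never form the out-of-range pointer.
 * Requires p <= end, which holds for any [p, end) slice of one object. */
static bool in_bounds_safe(const char *p, size_t len, const char *end) {
    return len <= (size_t)(end - p);
}

/* The wrap check a pointer-overflow sanitizer emits for `base + off` with a
 * non-negative byte offset: the resulting address must not be below base.
 * Done in uintptr_t so this check is itself well defined. */
static bool ptr_add_would_wrap(const void *base, size_t off) {
    uintptr_t b = (uintptr_t)base;
    return b + off < b;               /* unsigned wrap is defined */
}

int main(void) {
    static char buf[16];              /* constructed sample object */
    const char *end = buf + sizeof buf;

    printf("in-range (ub idiom): %d\n", in_bounds_ub(buf + 4, 12, end));
    printf("in-range (safe):     %d\n", in_bounds_safe(buf + 4, 12, end));
    printf("huge len (safe):     %d\n", in_bounds_safe(buf, SIZE_MAX, end));
    printf("wraps for SIZE_MAX:  %d\n", ptr_add_would_wrap(buf, SIZE_MAX));
    return 0;
}
```

Note that `in_bounds_safe` is the fix to apply in the audited code; `ptr_add_would_wrap` is only a model of what the instrumentation checks at runtime and is not something to hand-write at every pointer addition.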