Glad there's some interest. I have no test coverage of anything other than the Driver component; that will be included. I also need to do some plumbing work to support adding checks to struct indexing.

I've tried this on:

* LLVM/Clang
* ImageMagick
* binutils
* curl
* ffmpeg (w/FATE samples)
* openldap
* openssh
* pcre
* postgresql
* sqlite

And the programs seem to build and at least pass their own non-trivial test-suites.

So far detected bugs in:

* binutils (what inspired this sanitizer)
* clang (reported earlier today)
* curl (unreported)
* pcre (unreported)
* ffmpeg (unreported)

With a single bug location per software so far :).

I also expect this to work particularly well with fuzz testing.

~Will

On Mon, Oct 28, 2013 at 5:44 PM, Richard Smith <[email protected]> wrote:
> Seems like a nice idea to me. (Your test coverage is pretty weak, though.)
> Have you tried this much on large codebases? Does this find many bugs? (I can imagine it would be effective when combined with fuzz testing...)
>
> On Mon, Oct 28, 2013 at 3:39 PM, Will Dietz <[email protected]> wrote:
>>
>> Hi all,
>>
>> Recently I thought it would be useful to have a sanitizer for detecting overflows in pointer expressions. Such overflows are undefined behavior and are pretty much always bugs. While it's true that if such an overflowed pointer is dereferenced a tool such as ASan will catch the error, detection of these bugs when they occur helps fix them without requiring an input that triggers a crash.
>>
>> Two examples of this in the wild:
>>
>> * binutils undefined behavior bug that leads to segfault when built with clang[1]
>> * ASTVector bug I just submitted a patch for, discovered using this sanitizer[2]
>>
>> Attached are patches for clang and compiler-rt that implement this sanitizer and seem to work well in my testing so far.
>>
>> There is some work to do yet:
>>
>> * Adding lit tests to clang/compiler-rt
>> * Finalizing what constructs are useful/worth checking (iterative process, I imagine)
>> * More testing/benchmarking
>>
>> Before tackling the above, I was hoping to get some early feedback:
>>
>> * Is this something the community is interested in/would find useful?
>> * Code review (the current implementation should be complete in terms of the checking code itself)
>>
>> Thank you for your time, here's to finding even more bugs! :)
>>
>> ~Will
>>
>> [1] http://wdtz.org/undefined-behavior-in-binutils-causes-segfault.html
>> [2] http://lists.cs.uiuc.edu/pipermail/cfe-commits/Week-of-Mon-20131028/091878.html
>>
>> _______________________________________________
>> cfe-commits mailing list
>> [email protected]
>> http://lists.cs.uiuc.edu/mailman/listinfo/cfe-commits
>>
>
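An added example, not code from this thread or from the clang/compiler-rt patches it discusses: the check below models in plain C what a pointer-overflow sanitizer does at the point a pointer expression is formed (redoing base + index in pointer-sized integers and flagging wrap-around), so the bug is reported where the pointer is computed rather than only if it is later dereferenced. The helper `check_ptr_add`, its result enum and the constructed case functions are assumptions for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Outcome of checking one pointer expression of the form base + index. */
typedef enum { PTR_OK, PTR_OFFSET_OVERFLOW, PTR_WRAPPED } ptr_check_t;

/* Hypothetical helper (not the sanitizer's API): redo base + index, with
 * index in units of elem_size bytes, in pointer-sized integers and report
 * whether the arithmetic is well defined. On PTR_OK, *out gets the result.
 * The check runs where the pointer is computed, so it does not depend on
 * the result ever being dereferenced, which is the gap ASan leaves. */
static ptr_check_t check_ptr_add(uintptr_t base, intptr_t index,
                                 size_t elem_size, uintptr_t *out) {
    intptr_t offset;
    /* The scaled byte offset itself must be representable. */
    if (__builtin_mul_overflow(index, (intptr_t)elem_size, &offset))
        return PTR_OFFSET_OVERFLOW;
    uintptr_t result = base + (uintptr_t)offset; /* wraps modulo 2^N */
    /* A non-negative offset must not move the address downward and a
     * negative one must not move it upward; either means a wrap-around. */
    if (offset >= 0 ? result < base : result > base)
        return PTR_WRAPPED;
    *out = result;
    return PTR_OK;
}

/* Constructed cases: a clean in-bounds step, a huge index whose scaled
 * offset overflows, and a negative index that wraps below address zero. */
static ptr_check_t case_in_bounds(uintptr_t *out) {
    return check_ptr_add(0x1000, 3, sizeof(uint32_t), out); /* -> 0x100c */
}
static ptr_check_t case_offset_overflow(uintptr_t *out) {
    return check_ptr_add(0x1000, INTPTR_MAX, sizeof(uint32_t), out);
}
static ptr_check_t case_wrap_below_zero(uintptr_t *out) {
    return check_ptr_add(0x1000, -0x2000, 1, out);
}

int main(void) {
    static const char *names[] = { "ok", "offset overflow", "wrapped" };
    uintptr_t p = 0;
    printf("in bounds:       %s\n", names[case_in_bounds(&p)]);
    printf("offset overflow: %s\n", names[case_offset_overflow(&p)]);
    printf("wrap below zero: %s\n", names[case_wrap_below_zero(&p)]);
    return 0;
}
```

The base addresses are constructed constants rather than real objects so the outcomes are the same on 32- and 64-bit targets.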
