diff options
| author | Vedant Kumar <vsk@apple.com> | 2017-06-01 19:22:18 +0000 |
|---|---|---|
| committer | Vedant Kumar <vsk@apple.com> | 2017-06-01 19:22:18 +0000 |
| commit | 10aee78afb384ad8c70cb9e9183ff39c032e8caf (patch) | |
| tree | e555e5c224a55551a45f72c1fbf7d5c01fae2c84 /include/clang/Basic/Sanitizers.def | |
| parent | e397992a6204455301c7d67d25025422eeec98a0 (diff) | |
[ubsan] Add a check for pointer overflow UB
Check pointer arithmetic for overflow.
For some more background on this check, see:
https://wdtz.org/catching-pointer-overflow-bugs.html
https://reviews.llvm.org/D20322
Patch by Will Dietz and John Regehr!
This version of the patch is different from the original in a few ways:
- It introduces the EmitCheckedInBoundsGEP utility which inserts
checks when the pointer overflow check is enabled.
- It does some constant-folding to reduce instrumentation overhead.
- It does not check some GEPs in CGExprCXX. I'm not sure that
inserting checks here, or in CGClass, would catch many bugs.
Possible future directions for this check:
- Introduce CGF.EmitCheckedStructGEP, to detect overflows when
accessing structures.
Testing: Apart from the added lit test, I ran check-llvm and check-clang
with a stage2, ubsan-instrumented clang. Will and John have also done
extensive testing on numerous open source projects.
Differential Revision: https://reviews.llvm.org/D33305
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@304459 91177308-0d34-0410-b5e6-96231b3b80d8
Diffstat (limited to 'include/clang/Basic/Sanitizers.def')
| -rw-r--r-- | include/clang/Basic/Sanitizers.def | 7 |
1 files changed, 4 insertions, 3 deletions
diff --git a/include/clang/Basic/Sanitizers.def b/include/clang/Basic/Sanitizers.def index f20d326e08..71b11974db 100644 --- a/include/clang/Basic/Sanitizers.def +++ b/include/clang/Basic/Sanitizers.def @@ -73,6 +73,7 @@ SANITIZER("nullability-return", NullabilityReturn) SANITIZER_GROUP("nullability", Nullability, NullabilityArg | NullabilityAssign | NullabilityReturn) SANITIZER("object-size", ObjectSize) +SANITIZER("pointer-overflow", PointerOverflow) SANITIZER("return", Return) SANITIZER("returns-nonnull-attribute", ReturnsNonnullAttribute) SANITIZER("shift-base", ShiftBase) @@ -108,9 +109,9 @@ SANITIZER("safe-stack", SafeStack) SANITIZER_GROUP("undefined", Undefined, Alignment | Bool | ArrayBounds | Enum | FloatCastOverflow | FloatDivideByZero | IntegerDivideByZero | NonnullAttribute | - Null | ObjectSize | Return | ReturnsNonnullAttribute | - Shift | SignedIntegerOverflow | Unreachable | VLABound | - Function | Vptr) + Null | ObjectSize | PointerOverflow | Return | + ReturnsNonnullAttribute | Shift | SignedIntegerOverflow | + Unreachable | VLABound | Function | Vptr) // -fsanitize=undefined-trap is an alias for -fsanitize=undefined. SANITIZER_GROUP("undefined-trap", UndefinedTrap, Undefined) |