Sanitizer `pointer-overflow` does not appear to function

[kees]

Using -fsanitize=pointer-overflow doesn't appear to provide any checking on pointer math. GCC's implementation correctly triggers if NULL is operated on or if a value would wrap around.

https://godbolt.org/z/1c6ec9TTP

#include <stdlib.h>
#include <stdio.h>

/* Using stderr for all output or else godbolt doesn't intermix output. */
int main(int argc, char *argv[]) {
    void *p = NULL;

    fprintf(stderr, "%p (%zu)\n", p, (unsigned long)p);

    /* argc is a stand-in for "1" to avoid optimization */
    p -= argc;

    fprintf(stderr, "%p (%zu)\n", p, (unsigned long)p);

    p += argc;

    fprintf(stderr, "%p (%zu)\n", p, (unsigned long)p);

    return 0;
}

Clang just shows the value wrapping:

(nil) (0)
0xffffffffffffffff (18446744073709551615)
(nil) (0)

But GCC will catch it:

(nil) (0)
/app/example.c:11:7: runtime error: applying non-zero offset 18446744073709551615 to null pointer
0xffffffffffffffff (18446744073709551615)
/app/example.c:15:7: runtime error: applying non-zero offset to non-null pointer 0xffffffffffffffff produced null pointer
(nil) (0)

[llvmbot]

@llvm/issue-subscribers-clang-codegen

Using `-fsanitize=pointer-overflow` doesn't appear to provide any checking on pointer math. GCC's implementation correctly triggers if `NULL` is operated on or if a value would wrap around.

https://godbolt.org/z/1c6ec9TTP

#include <stdlib.h>
#include <stdio.h>

/* Using stderr for all output or else godbolt doesn't intermix output. */
int main(int argc, char *argv[]) {
    void *p = NULL;

    fprintf(stderr, "%p (%zu)\n", p, (unsigned long)p);

    /* argc is a stand-in for "1" to avoid optimization */
    p -= argc;

    fprintf(stderr, "%p (%zu)\n", p, (unsigned long)p);

    p += argc;

    fprintf(stderr, "%p (%zu)\n", p, (unsigned long)p);

    return 0;
}

Clang just shows the value wrapping:

(nil) (0)
0xffffffffffffffff (18446744073709551615)
(nil) (0)

But GCC will catch it:

(nil) (0)
/app/example.c:11:7: runtime error: applying non-zero offset 18446744073709551615 to null pointer
0xffffffffffffffff (18446744073709551615)
/app/example.c:15:7: runtime error: applying non-zero offset to non-null pointer 0xffffffffffffffff produced null pointer
(nil) (0)

[kees]

@dtzWill @regehr @vedantk

[nikic]

It seems like this sanitizer currently only works on pointer arithmetic in the form of &p[x] but not p + x, see https://godbolt.org/z/rG5W81W8q.

[JustinStitt]

@nikic Seems to only be the case for void* and not for other pointer types: https://godbolt.org/z/Ef3Kvqq1x

What is going on here? This is the case from clang5 (when it was introduced) to trunk.

[nikic]

Good point, that makes the cause pretty obvious:

llvm-project/clang/lib/CodeGen/CGExprScalar.cpp

Lines 3723 to 3735 in 3f8d4a8

	// Explicitly handle GNU void* and function pointer arithmetic extensions. The
	// GNU void* casts amount to no-ops since our void* type is i8*, but this is
	// future proof.
	if (elementType->isVoidType() || elementType->isFunctionType())
	return CGF.Builder.CreateGEP(CGF.Int8Ty, pointer, index, "add.ptr");
	llvm::Type *elemTy = CGF.ConvertTypeForMem(elementType);
	if (CGF.getLangOpts().isSignedOverflowDefined())
	return CGF.Builder.CreateGEP(elemTy, pointer, index, "add.ptr");
	return CGF.EmitCheckedInBoundsGEP(
	elemTy, pointer, index, isSigned, isSubtraction, op.E->getExprLoc(),
	"add.ptr");

The void pointer case is handled separately and fails to call EmitCheckedInBoundsGEP.