Index: lib/ubsan/ubsan_checks.inc =================================================================== --- lib/ubsan/ubsan_checks.inc +++ lib/ubsan/ubsan_checks.inc @@ -19,6 +19,7 @@ UBSAN_CHECK(GenericUB, "undefined-behavior", "undefined") UBSAN_CHECK(NullPointerUse, "null-pointer-use", "null") +UBSAN_CHECK(PointerOverflow, "pointer-overflow", "pointer-overflow") UBSAN_CHECK(MisalignedPointerUse, "misaligned-pointer-use", "alignment") UBSAN_CHECK(InsufficientObjectSize, "insufficient-object-size", "object-size") UBSAN_CHECK(SignedIntegerOverflow, "signed-integer-overflow", Index: lib/ubsan/ubsan_handlers.h =================================================================== --- lib/ubsan/ubsan_handlers.h +++ lib/ubsan/ubsan_handlers.h @@ -148,6 +148,13 @@ /// \brief Handle passing null pointer to function with nonnull attribute. RECOVERABLE(nonnull_arg, NonNullArgData *Data) +struct PointerOverflowData { + SourceLocation Loc; +}; + +RECOVERABLE(pointer_overflow, PointerOverflowData *Data, ValueHandle Base, + ValueHandle Result) + /// \brief Known CFI check kinds. /// Keep in sync with the enum of the same name in CodeGenFunction.h enum CFITypeCheckKind : unsigned char { Index: lib/ubsan/ubsan_handlers.cc =================================================================== --- lib/ubsan/ubsan_handlers.cc +++ lib/ubsan/ubsan_handlers.cc @@ -523,6 +523,37 @@ Die(); } +static void handlePointerOverflowImpl(PointerOverflowData *Data, + ValueHandle Base, + ValueHandle Result, + ReportOptions Opts) { + SourceLocation Loc = Data->Loc.acquire(); + ErrorType ET = ErrorType::PointerOverflow; + + if (ignoreReport(Loc, Opts, ET)) + return; + + ScopedReport R(Opts, Loc, ET); + + Diag(Loc, DL_Error, "pointer index expression with base %0 overflowed to %1") + << (void *)Base << (void*)Result; +} + +void __ubsan::__ubsan_handle_pointer_overflow(PointerOverflowData *Data, + ValueHandle Base, + ValueHandle Result) { + GET_REPORT_OPTIONS(false); + handlePointerOverflowImpl(Data, Base, Result, Opts); +} + +void __ubsan::__ubsan_handle_pointer_overflow_abort(PointerOverflowData *Data, + ValueHandle Base, + ValueHandle Result) { + GET_REPORT_OPTIONS(true); + handlePointerOverflowImpl(Data, Base, Result, Opts); + Die(); +} + static void handleCFIBadIcall(CFICheckFailData *Data, ValueHandle Function, ReportOptions Opts) { if (Data->CheckKind != CFITCK_ICall) Index: test/ubsan/TestCases/Pointer/index-overflow.cpp =================================================================== --- test/ubsan/TestCases/Pointer/index-overflow.cpp +++ test/ubsan/TestCases/Pointer/index-overflow.cpp @@ -0,0 +1,54 @@ +// RUN: %clangxx -fsanitize=pointer-overflow %s -o %t +// RUN: %t 0 2>&1 | FileCheck %s --check-prefix=SAFE +// RUN: %t 1 2>&1 | FileCheck %s --check-prefix=ERR +// RUN: %t -1 2>&1 | FileCheck %s --check-prefix=SAFE + + +#include +#include +#include + +int main(int argc, char *argv[]) { + // SAFE-NOT: runtime error + // ERR: runtime error: pointer index expression with base {{.*}} overflowed to + uintptr_t p = (uintptr_t)argv[0] + atoi(argv[1]); + printf("%p\n", argv[0] - p); + + return 0; +} +// RUN: %clangxx -fsanitize=pointer-overflow %s -o %t +// RUN: %t 0 2>&1 | FileCheck %s --check-prefix=SAFE +// RUN: %t 1 2>&1 | FileCheck %s --check-prefix=ERR +// RUN: %t -1 2>&1 | FileCheck %s --check-prefix=SAFE + + +#include +#include +#include + +int main(int argc, char *argv[]) { + // SAFE-NOT: runtime error + // ERR: runtime error: pointer index expression with base {{.*}} overflowed to + uintptr_t p = (uintptr_t)argv[0] + atoi(argv[1]); + printf("%p\n", argv[0] - p); + + return 0; +} +// RUN: %clangxx -fsanitize=pointer-overflow %s -o %t +// RUN: %t 0 2>&1 | FileCheck %s --check-prefix=SAFE +// RUN: %t 1 2>&1 | FileCheck %s --check-prefix=ERR +// RUN: %t -1 2>&1 | FileCheck %s --check-prefix=SAFE + + +#include +#include +#include + +int main(int argc, char *argv[]) { + // SAFE-NOT: runtime error + // ERR: runtime error: pointer index expression with base {{.*}} overflowed to + uintptr_t p = (uintptr_t)argv[0] + atoi(argv[1]); + printf("%p\n", argv[0] - p); + + return 0; +}