Svadev mailing list

["Sean McBride" <sean AT rogue-research.com>]

On Wed, 21 Dec 2011 16:55:49 -0600, John Criswell said:

>We've run SAFECode on GNU flex, GNU zip, GNU tar, Bonjour, and the 
>DotGNU C# compiler (which is about 300,000 source lines of code).  It 
>found an unknown buffer overflow in Bonjour (which we reported to Apple) 
>and two invalid strcpy() calls in one of the DotGNU utilities.
>
>We compiled these programs using our libLTO extension which performs 
>whole-program, inter-procedural points-to analysis and makes the 
>run-time checks more stringent (i.e., they can catch more errors).  
>There is still some work to do to make the points-to analysis consume 
>less memory (which is why the install directions don't mention libLTO at 
>present), but hopefully we'll get that fixed soon.

Very cool!

>Hrm.  How do you create the out-of-bounds pointer?  Do you dereference 
>the out of bounds pointer, or do you merely create it?  SAFECode permits 
>pointers to go out-of-bounds; it only creates an error alert if the 
>out-of-bounds pointer is used in a load or store.

Like this:

        char* foo = malloc(100);
        for (unsigned i = 0; i < 1000; i++)
                foo[i] = 0;

It catches it if stick this in a simple test.c and do everything on the 
command line.  But added into my actual Cocoa app I don't see anything 
logged.  I'm sure the code runs.  Can SAFECode be made to assert(0) in 
addition to logging?

Cheers,

-- 
____________________________________________________________
Sean McBride, B. Eng                 
sean AT rogue-research.com
Rogue Research                        www.rogue-research.com 
Mac Software Developer              Montréal, Québec, Canada