Sanitizers do not catch out-of-bounds pointer arithmetic

[davidben]

Pointer arithmetic is required to stay in bounds, even if you don't use the pointer, but (as far as I can tell), Clang has no sanitizer that catches this. See https://godbolt.org/z/PE6P31fcq

I'm guessing ASan would have the easiest time catching this, since it knows where all the allocations are?

[davidben]

Thinking aloud as to how this might be done: the one-past-the-point pointer may be tricky, when two objects happen to be placed next to each other. Unless we want to make ASan start tracking pointer provenance, we can't tell the difference between a + 5 and b + 0 in char a[5], b[5];

Some thoughts:

1. We could make ASan bodge the stack layout so that it never puts two objects right next to each other on the stack.
2. If two objects end up next to each other anyway (does ASan control the malloc implementation?), just treat the pointer to the boundary as being potentially part of either object.

The second rule means we won't catch some issues (unless we can bodge malloc too), but we'll probably catch the most interesting ones. Notably, it would be could to flag whenever people write this:

struct Span { char *begin; char *end; };

bool SkipIncorrect(Span *span, size_t num) {
  if (span->begin + num > span->end) {  // Not a valid bounds check!
    return false;
  }
  span->begin += num;
  return true;
}

bool SkipCorrect(Span *span, size_t num) {
  // The cast is alas needed to avoid signed/unsigned comparison.
  // It is fine as long as span->end >= span->begin, which should
  // be true for any valid span.
  if (num > static_cast<size_t>(span->end - span->begin)) {
    return false;
  }
  span->begin += num;
  return true;
}

-fsanitize=pointer-overflow will flag this if num was so big that it caused span->begin + num to overflow. But perhaps your tests only exercised large nums that weren't quite that big. Checking the actual invariant avoids this problem.

CC @nico since this relates to the pointer overflow stuff. (This is the stronger rule that pointer overflow falls out of.)