[clang] Add flag to disable container overflow checks at compile time.

Add a compiler flag to allow library developers to support disabling
AddressSanitizer's container overflow detection in template code at
compile time.

The primary motivation is to reduce false positives in environments where
libraries and frameworks that cannot be recompiled with sanitizers enabled
are called from application code.  This supports disabling checks when the
runtime environment cannot be reliably controlled to use ASAN_OPTIONS.

Key changes:
- Add -fsanitize-address-disable-container-overflow driver flag
- Add __has_feature(sanitize_address_disable_container_overflow) feature test
- Connect flag through LangOptions and CodeGenOptions
- Update compiler-rt test to conditionally use container annotations
- Add comprehensive test coverage for driver flag and feature macro
- Update documentation in AddressSanitizer.rst and UsersManual.rst

The recommended usage pattern is:
This provides backward compatibility with compilers that don't support
the new feature test macro.

The flag is marked experimental.

Author: padriff

clang/docs/AddressSanitizer.rst

@@ -18,6 +18,7 @@ following types of bugs:
     * Enable with: ``ASAN_OPTIONS=detect_stack_use_after_return=1`` (already enabled on Linux).
     * Disable with: ``ASAN_OPTIONS=detect_stack_use_after_return=0``.
 * Use-after-scope (clang flag ``-fsanitize-address-use-after-scope``)
+* Container overflow detection (clang flag ``-fsanitize-address-disable-container-overflow`` to disable (experimental))
 * Double-free, invalid free
 * Memory leaks (experimental)
 
@@ -164,6 +165,23 @@ To summarize: ``-fsanitize-address-use-after-return=<mode>``
   * ``always``: Enables detection of UAR errors in all cases. (reduces code
     size, but not as much as ``never``).
 
+Container Overflow Detection
+----------------------------
+
+AddressSanitizer can detect overflows in containers with custom allocators
+(such as std::vector) where the Library developers have added calls into the
+AddressSanitizer runtime to indicate which memory is poisoned etc.
+
+In environments where not all the process binaries can be recompiled with 
+AddressSanitizer enabled, these checks can cause false positives.
+
+These checks can be disabled at runtime using
+``ASAN_OPTIONS=detect_container_overflow=0``
+
+``-fsanitize-address-disable-container-overflow`` can be used at compile time
+to disable container overflow checks if both the container and compiler support
+the flag (experimental).
+
 Memory leak detection
 ---------------------
 
@@ -242,6 +260,32 @@ AddressSanitizer also supports
 works similar to ``__attribute__((no_sanitize("address")))``, but it also
 prevents instrumentation performed by other sanitizers.
 
+Disabling container overflow checks with ``__has_feature(sanitize_address_disable_container_overflow)``
+-------------------------------------------------------------------------------------------------------
+
+Library developers may use this feature test in conjunction with the
+AddressSanitizer feature test to conditionally include container overflow
+related code compiled into user code:
+
+The recommended form is
+
+.. code-block:: c
+
+    #if __has_feature(address_sanitizer) && !__has_feature(sanitize_address_disable_container_overflow)
+    // Container overflow detection enabled - include annotations
+    __sanitizer_annotate_contiguous_container(beg, end, old_mid, new_mid);
+    #endif
+
+This pattern ensures that:
+
+* Container overflow annotations are only included when AddressSanitizer is
+  enabled
+* Container overflow detection can be disabled by 
+  ``-fsanitize-address-disable-container-overflow``
+* Code compiles correctly with older compilers that don't support the 
+  ``sanitize_address_disable_container_overflow`` feature test (defaulting to
+  enabled container overflow checks)
+
 Suppressing Errors in Recompiled Code (Ignorelist)
 --------------------------------------------------
 

clang/docs/UsersManual.rst

@@ -5125,6 +5125,8 @@ Execute ``clang-cl /?`` to see a list of supported options:
                               Select the mode of detecting stack use-after-return in AddressSanitizer: never | runtime (default) | always
       -fsanitize-address-use-after-scope
                               Enable use-after-scope detection in AddressSanitizer
+      -fsanitize-address-disable-container-overflow
+                              Disable container overflow detection at compile time in AddressSanitizer (experimental)
       -fsanitize-address-use-odr-indicator
                               Enable ODR indicator globals to avoid false ODR violation reports in partially sanitized programs at the cost of an increase in binary size
       -fsanitize-ignorelist=<value>

clang/include/clang/Basic/CodeGenOptions.def

@@ -245,6 +245,8 @@ CODEGENOPT(NewStructPathTBAA , 1, 0, Benign) ///< Whether or not to use enhanced
 CODEGENOPT(SaveTempLabels    , 1, 0, Benign) ///< Save temporary labels.
 CODEGENOPT(SanitizeAddressUseAfterScope , 1, 0, Benign) ///< Enable use-after-scope detection
                                                         ///< in AddressSanitizer
+CODEGENOPT(SanitizeAddressDisableContainerOverflow, 1, 0, Benign) ///< Disable container overflow checks 
+                                                                  ///< in AddressSanitizer
 ENUM_CODEGENOPT(SanitizeAddressUseAfterReturn,
                 AsanDetectStackUseAfterReturnMode, 2,
                 AsanDetectStackUseAfterReturnMode::Runtime,

clang/include/clang/Basic/Features.def

@@ -40,6 +40,8 @@ FEATURE(speculative_load_hardening, LangOpts.SpeculativeLoadHardening)
 FEATURE(address_sanitizer,
         LangOpts.Sanitize.hasOneOf(SanitizerKind::Address |
                                    SanitizerKind::KernelAddress))
+FEATURE(sanitize_address_disable_container_overflow, 
+        LangOpts.SanitizeAddressDisableContainerOverflow)
 FEATURE(leak_sanitizer,
         LangOpts.Sanitize.has(SanitizerKind::Leak))
 FEATURE(hwaddress_sanitizer,

clang/include/clang/Basic/LangOptions.def

@@ -499,6 +499,9 @@ LANGOPT(EnableLifetimeSafety, 1, 0, NotCompatible, "Experimental lifetime safety
 
 LANGOPT(PreserveVec3Type, 1, 0, NotCompatible, "Preserve 3-component vector type")
 
+LANGOPT(SanitizeAddressDisableContainerOverflow, 1, 0, NotCompatible,
+        "Disable container overflow checks in AddressSanitizer (experimental)")
+
 #undef LANGOPT
 #undef ENUM_LANGOPT
 #undef VALUE_LANGOPT

clang/include/clang/Driver/Options.td

@@ -2512,6 +2512,12 @@ An operator new\[\] is "custom" if it is not one of the allocation functions
 provided by the C++ standard library. Array cookies from non-custom allocation
 functions are always poisoned.}]>,
   Group<f_clang_Group>;
+defm sanitize_address_disable_container_overflow : BoolOption<"f", "sanitize-address-disable-container-overflow",
+  CodeGenOpts<"SanitizeAddressDisableContainerOverflow">, DefaultFalse,
+  PosFlag<SetTrue, [], [ClangOption], "Disable">,
+  NegFlag<SetFalse, [], [ClangOption], "Enable">,
+  BothFlags<[], [ClangOption], " container overflow checks in AddressSanitizer (experimental)">>,
+  Group<f_clang_Group>;
 defm sanitize_address_globals_dead_stripping : BoolOption<"f", "sanitize-address-globals-dead-stripping",
   CodeGenOpts<"SanitizeAddressGlobalsDeadStripping">, DefaultFalse,
   PosFlag<SetTrue, [], [ClangOption], "Enable linker dead stripping of globals in AddressSanitizer">,

clang/include/clang/Driver/SanitizerArgs.h

@@ -50,6 +50,7 @@ class SanitizerArgs {
   bool SharedRuntime = false;
   bool StableABI = false;
   bool AsanUseAfterScope = true;
+  bool AsanDisableContainerOverflow = false;
   bool AsanPoisonCustomArrayCookie = false;
   bool AsanGlobalsDeadStripping = false;
   bool AsanUseOdrIndicator = false;

clang/lib/Driver/SanitizerArgs.cpp

@@ -1131,8 +1131,13 @@ SanitizerArgs::SanitizerArgs(const ToolChain &TC,
     AsanUseAfterScope = Args.hasFlag(
         options::OPT_fsanitize_address_use_after_scope,
         options::OPT_fno_sanitize_address_use_after_scope, AsanUseAfterScope);
+    AsanDisableContainerOverflow = Args.hasFlag(
+        options::OPT_fsanitize_address_disable_container_overflow,
+        options::OPT_fno_sanitize_address_disable_container_overflow,
+        AsanDisableContainerOverflow);
   } else {
     AsanUseAfterScope = false;
+    AsanDisableContainerOverflow = false;
   }
 
   if (AllAddedKinds & SanitizerKind::HWAddress) {
@@ -1459,6 +1464,9 @@ void SanitizerArgs::addArgs(const ToolChain &TC, const llvm::opt::ArgList &Args,
   if (AsanUseAfterScope)
     CmdArgs.push_back("-fsanitize-address-use-after-scope");
 
+  if (AsanDisableContainerOverflow)
+    CmdArgs.push_back("-fsanitize-address-disable-container-overflow");
+
   if (AsanPoisonCustomArrayCookie)
     CmdArgs.push_back("-fsanitize-address-poison-custom-array-cookie");
 

clang/lib/Frontend/CompilerInvocation.cpp

@@ -586,6 +586,8 @@ static bool FixupInvocation(CompilerInvocation &Invocation,
   LangOpts.ForceEmitVTables = CodeGenOpts.ForceEmitVTables;
   LangOpts.SpeculativeLoadHardening = CodeGenOpts.SpeculativeLoadHardening;
   LangOpts.CurrentModule = LangOpts.ModuleName;
+  LangOpts.SanitizeAddressDisableContainerOverflow =
+      CodeGenOpts.SanitizeAddressDisableContainerOverflow;
 
   llvm::Triple T(TargetOpts.Triple);
   llvm::Triple::ArchType Arch = T.getArch();

clang/test/Driver/fsanitize-address-disable-container-overflow.c

@@ -0,0 +1,34 @@
+// Test the -fsanitize-address-disable-container-overflow option
+
+// RUN: %clang -target x86_64-linux-gnu -fsanitize=address %s \
+// RUN:   -### 2>&1 | \
+// RUN:   FileCheck %s --check-prefix=CHECK-DEFAULT
+// CHECK-DEFAULT-NOT: -fsanitize-address-disable-container-overflow
+
+// RUN: %clang -target x86_64-linux-gnu -fsanitize=address \
+// RUN:   -fsanitize-address-disable-container-overflow %s -### 2>&1 | \
+// RUN:   FileCheck -check-prefix=CHECK-ENABLE %s
+// CHECK-ENABLE: "-fsanitize-address-disable-container-overflow"
+
+// RUN: %clang -target x86_64-linux-gnu -fsanitize=address \
+// RUN:   -fno-sanitize-address-disable-container-overflow %s -### 2>&1 | \
+// RUN:   FileCheck -check-prefix=CHECK-DISABLE %s
+// CHECK-DISABLE-NOT: -fsanitize-address-disable-container-overflow
+
+// RUN: %clang -target x86_64-linux-gnu -fsanitize=address \
+// RUN:   -fsanitize-address-disable-container-overflow \
+// RUN:   -fno-sanitize-address-disable-container-overflow %s -### 2>&1 | \
+// RUN:   FileCheck -check-prefix=CHECK-OVERRIDE %s
+// CHECK-OVERRIDE-NOT: -fsanitize-address-disable-container-overflow
+
+// Test that the flag generates unused warning without address sanitizer
+// RUN: %clang -target x86_64-linux-gnu -fsanitize-address-disable-container-overflow %s \
+// RUN:   -### 2>&1 | \
+// RUN:   FileCheck -check-prefix=CHECK-NO-ASAN %s
+// CHECK-NO-ASAN: warning: argument unused during compilation: '-fsanitize-address-disable-container-overflow'
+
+// Test with kernel address sanitizer
+// RUN: %clang -target x86_64-linux-gnu -fsanitize=kernel-address \
+// RUN:   -fsanitize-address-disable-container-overflow %s -### 2>&1 | \
+// RUN:   FileCheck -check-prefix=CHECK-KERNEL-ASAN %s  
+// CHECK-KERNEL-ASAN: "-fsanitize-address-disable-container-overflow"