This is the mail archive of the gcc-patches@gcc.gnu.org mailing list for the GCC project.
Re: [RFC] Implement Undefined Behavior Sanitizer
- From: "Joseph S. Myers" <joseph at codesourcery dot com>
- To: Marek Polacek <polacek at redhat dot com>
- Cc: GCC Patches <gcc-patches at gcc dot gnu dot org>
- Date: Wed, 5 Jun 2013 19:50:52 +0000
- Subject: Re: [RFC] Implement Undefined Behavior Sanitizer
- References: <20130605175728 dot GD4160 at redhat dot com>
On Wed, 5 Jun 2013, Marek Polacek wrote:
> It works by creating a COMPOUND_EXPR around original expression, so e.g.
> it creates:
>
> if (b < 0 || (b > 31 || a < 0))
>   {
>     __builtin___ubsan_handle_shift_out_of_bounds ();
>   }
> else
>   {
>     0
>   }, a << b;
>
> from original "a <<= b;".
For the "a < 0" here, and signed left shift of a positive value shifting a
1 into or past the sign bit, I think it should be possible to control the
checks separately from other checks on shifts - both because those cases
were implementation-defined in C90, only undefined in C99/C11, and because
they are widely used in practice.
> There is of course a lot of stuff that needs to be done, more
> specifically:
5) Testcases (or if applicable, running existing testcases coming with the
library).
6) Map -ftrapv onto an appropriate subset of this option that handles the
cases -ftrapv was meant to handle (so arithmetic overflow, which I'd say
should include INT_MIN / -1).
> 4) and of course, more instrumentation (C/C++ FE, gimple level)
> What comes to mind is:
> - float/double to integer conversions,
Under Annex F, these return an unspecified value rather than being
undefined behavior.
> - integer overflows (a long list of various cases here),
Strictly, including INT_MIN % -1 (both / and % are undefined if the result
of either is unrepresentable) - it appears you've already got that. Of
course INT_MIN % -1 and INT_MIN / -1 should *work* reliably with -fwrapv,
which is another bug (30484).
> - invalid conversions of int to bool,
What do you mean? Conversion to bool is just a comparison != 0.
> - VLAs size (e.g. negative size),
Or the multiplication used to compute the size in bytes overflows (really,
there should be some code generated expanding the stack bit by bit to
avoid it accidentally overflowing into another allocated area of memory, I
suppose).
> +@item -fsanitize=undefined
> +Enable UndefinedBehaviorSanitizer, a fast undefined behavior detector
> +Various computations will be instrumented to detect
> +undefined behavior, e.g. division by zero or various overflows.
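Review bot: the first sentence of the new @item text has no terminating punctuation, so "+Enable UndefinedBehaviorSanitizer, a fast undefined behavior detector" runs straight into "+Various computations will be instrumented to detect"; add a full stop after "detector". In the last line, Texinfo wants a mid-sentence abbreviation written as `e.g.@:` so the period is not typeset as the end of a sentence, i.e. "undefined behavior, e.g.@: division by zero or various overflows."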
e.g.@:
--
Joseph S. Myers
joseph@codesourcery.com
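The checks discussed in this thread, written out as plain C so the conditions can be read and tested: the shift check quoted from the patch (negative or too-large count, negative left operand) with the C99-only "1 shifted into or past the sign bit" case reported separately as Joseph suggests, the INT_MIN / -1 and INT_MIN % -1 case, and the VLA size check including the byte-size multiplication overflow. This is an added example, not code from GCC or from the patch; it assumes a 32-bit `int` and a `size_t` no narrower than `long`, and the `checked_*` / `*_kind` names and the `ub_kind` enumeration are constructed for illustration.

```c
/* Constructed example (not GCC's instrumentation): each checker reports
   which undefined-behavior condition it found instead of evaluating the
   operation, mirroring what a sanitizer handler would be told. */
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

enum ub_kind {
    UB_NONE = 0,
    UB_SHIFT_EXPONENT,   /* count negative or >= width of the type            */
    UB_SHIFT_NEG_BASE,   /* negative left operand of <<                       */
    UB_SHIFT_OVERFLOW,   /* positive base, a 1 shifted into/past the sign bit */
    UB_DIV_ZERO,         /* x / 0 or x % 0                                    */
    UB_DIV_OVERFLOW,     /* INT_MIN / -1 and INT_MIN % -1                     */
    UB_VLA_SIZE          /* negative element count or byte-size overflow      */
};

#define INT_BITS ((int)(sizeof(int) * CHAR_BIT))   /* 32 on the assumed target */

/* Same conditions as the quoted "b < 0 || (b > 31 || a < 0)" for int, plus the
   C99/C11-only case (a >= 0 but a * 2^b not representable) kept as its own
   kind so it can be enabled or disabled separately from the others. */
enum ub_kind checked_shl(int a, int b, int *out)
{
    if (b < 0 || b >= INT_BITS)
        return UB_SHIFT_EXPONENT;
    if (a < 0)
        return UB_SHIFT_NEG_BASE;
    if (a > (INT_MAX >> b))            /* a * 2^b would not fit in int */
        return UB_SHIFT_OVERFLOW;
    *out = a << b;                      /* only reached when well defined */
    return UB_NONE;
}

/* Both / and % are undefined when the quotient is unrepresentable, so the
   INT_MIN / -1 case is rejected for the remainder as well. */
enum ub_kind checked_div(int a, int b, int *quot, int *rem)
{
    if (b == 0)
        return UB_DIV_ZERO;
    if (a == INT_MIN && b == -1)
        return UB_DIV_OVERFLOW;
    *quot = a / b;
    *rem = a % b;
    return UB_NONE;
}

/* Size check for a VLA declared as T name[n]: n must be non-negative and
   n * sizeof(T) must fit in size_t (the multiplication overflow case). */
enum ub_kind checked_vla_bytes(long n, size_t elem_size, size_t *bytes)
{
    if (n < 0)
        return UB_VLA_SIZE;
    if (elem_size != 0 && (size_t)n > SIZE_MAX / elem_size)
        return UB_VLA_SIZE;
    *bytes = (size_t)n * elem_size;
    return UB_NONE;
}

/* Status-only wrappers: convenient for a handler (or a test) that only needs
   to know whether the operation would have been undefined. */
int shl_kind(int a, int b)   { int v = 0; return checked_shl(a, b, &v); }
int shl_value(int a, int b)  { int v = 0; checked_shl(a, b, &v); return v; }
int div_kind(int a, int b)   { int q = 0, r = 0; return checked_div(a, b, &q, &r); }
int vla_kind(long n, size_t e) { size_t s = 0; return checked_vla_bytes(n, e, &s); }

int main(void)
{
    static const char *const names[] = {
        "ok", "shift exponent", "negative shift base", "shift overflow",
        "division by zero", "division overflow", "vla size"
    };
    printf("1 << 30      : %s\n", names[shl_kind(1, 30)]);
    printf("1 << 31      : %s\n", names[shl_kind(1, 31)]);
    printf("1 << 32      : %s\n", names[shl_kind(1, 32)]);
    printf("-1 << 1      : %s\n", names[shl_kind(-1, 1)]);
    printf("INT_MIN / -1 : %s\n", names[div_kind(INT_MIN, -1)]);
    printf("7 % 0        : %s\n", names[div_kind(7, 0)]);
    printf("int v[-1]    : %s\n", names[vla_kind(-1, sizeof(int))]);
    return 0;
}
```

Note that `1 << 31` is reported as a shift overflow (undefined in C99/C11, implementation-defined in C90) while `1 << 30` passes, which is exactly the split Joseph asks to make controllable on its own.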