This is the mail archive of the gcc-patches@gcc.gnu.org mailing list for the GCC project.



Re: [RFC] Implement Undefined Behavior Sanitizer


On Wed, 5 Jun 2013, Marek Polacek wrote:

> It works by creating a COMPOUND_EXPR around original expression, so e.g.
> it creates:
> 
> if (b < 0 || (b > 31 || a < 0))
>   {
>     __builtin___ubsan_handle_shift_out_of_bounds ();
>   }
> else
>   {
>     0
>   }, a << b;
> 
> from original "a <<= b;".

For the "a < 0" here, and signed left shift of a positive value shifting a 
1 into or past the sign bit, I think it should be possible to control the 
checks separately from other checks on shifts - both because those cases 
were implementation-defined in C90, only undefined in C99/C11, and because 
they are widely used in practice.

> There is of course a lot of stuff that needs to be done, more
> specifically:

5) Testcases (or if applicable, running existing testcases coming with the 
library).

6) Map -ftrapv onto an appropriate subset of this option that handles the 
cases -ftrapv was meant to handle (so arithmetic overflow, which I'd say 
should include INT_MIN / -1).

>   4) and of course, more instrumentation (C/C++ FE, gimple level)
>      What comes to mind is:
>      - float/double to integer conversions,

Under Annex F, these return an unspecified value rather than being 
undefined behavior.

>      - integer overflows (a long list of various cases here),

Strictly, including INT_MIN % -1 (both / and % are undefined if the result 
of either is unrepresentable) - it appears you've already got that.  Of 
course INT_MIN % -1 and INT_MIN / -1 should *work* reliably with -fwrapv, 
which is another bug (30484).

>      - invalid conversions of int to bool,

What do you mean?  Conversion to bool is just a comparison != 0.

>      - VLAs size (e.g. negative size),

Or the multiplication used to compute the size in bytes overflows (really, 
there should be some code generated expanding the stack bit by bit to 
avoid it accidentally overflowing into another allocated area of memory, I 
suppose).

> +@item -fsanitize=undefined
> +Enable UndefinedBehaviorSanitizer, a fast undefined behavior detector
> +Various computations will be instrumented to detect
> +undefined behavior, e.g. division by zero or various overflows.
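Review bot: The first sentence of the @item body is missing its terminating punctuation: `+Enable UndefinedBehaviorSanitizer, a fast undefined behavior detector` runs straight into `+Various computations will be instrumented to detect`; end it with a period (`detector.`) so the two sentences are separated in the generated manual.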

e.g.@:

-- 
Joseph S. Myers
joseph@codesourcery.com
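As an added illustration (not part of the patch under discussion, and not GCC's instrumentation or libubsan), the following C code writes out the run-time checks discussed in this thread as ordinary functions: the shift check from the COMPOUND_EXPR example (negative count, count too large, negative left operand), the extra case Joseph raises of a positive value shifting a 1 bit into or past the sign bit, a separate switch for the two signed-operand cases so they can be controlled independently of the count checks, and the INT_MIN / -1 and INT_MIN % -1 overflow check. The enum names, the `strict_signed` flag, and `handler_calls` are this example's own inventions; a 32-bit int is assumed for the constants in the comments, while the width itself is computed.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>

/* Constructed example: what the sanitizer's inserted checks amount to,
   as plain functions.  Names below are illustrative, not GCC's. */

enum shift_problem {
    SHIFT_OK = 0,
    SHIFT_NEGATIVE_COUNT,    /* b < 0 */
    SHIFT_COUNT_TOO_LARGE,   /* b >= width of int (b > 31 on 32-bit int) */
    SHIFT_NEGATIVE_VALUE,    /* a < 0: undefined in C99/C11 */
    SHIFT_SIGN_BIT_OVERFLOW  /* a >= 0 but a << b shifts a 1 into/past the sign bit */
};

/* Check "a << b" before evaluating it.  The count checks always apply;
   the two checks on the signed left operand are gated by strict_signed,
   since those cases were implementation-defined in C90 and are widely
   relied on in practice. */
enum shift_problem check_left_shift(int a, int b, bool strict_signed)
{
    const int width = (int)(sizeof(int) * CHAR_BIT);

    if (b < 0)
        return SHIFT_NEGATIVE_COUNT;
    if (b >= width)
        return SHIFT_COUNT_TOO_LARGE;
    if (!strict_signed)
        return SHIFT_OK;
    if (a < 0)
        return SHIFT_NEGATIVE_VALUE;
    /* For a >= 0, a << b is representable iff a <= INT_MAX >> b.
       INT_MAX >> b is well-defined here because 0 <= b < width. */
    if (a > (INT_MAX >> b))
        return SHIFT_SIGN_BIT_OVERFLOW;
    return SHIFT_OK;
}

enum div_problem { DIV_OK = 0, DIV_BY_ZERO, DIV_OVERFLOW };

/* Check "a / b" and "a % b" for signed int.  Besides division by zero,
   INT_MIN / -1 has the unrepresentable quotient -INT_MIN, and both / and
   % are undefined when the quotient is unrepresentable. */
enum div_problem check_signed_div(int a, int b)
{
    if (b == 0)
        return DIV_BY_ZERO;
    if (a == INT_MIN && b == -1)
        return DIV_OVERFLOW;
    return DIV_OK;
}

/* Stand-in for the libubsan handler call the instrumented code makes. */
static int handler_calls = 0;

/* Mirrors the shape of the patch's COMPOUND_EXPR: run the check, call
   the handler when it fails, then produce the shift result.  Unlike the
   instrumented tree, this returns 0 rather than evaluating an undefined
   shift, so the example itself stays well-defined. */
int instrumented_shl(int a, int b, bool strict_signed)
{
    if (check_left_shift(a, b, strict_signed) != SHIFT_OK) {
        handler_calls++;
        return 0;
    }
    return a << b;
}

int main(void)
{
    printf("1 << 31 (strict):  %d\n", check_left_shift(1, 31, true));
    printf("1 << 31 (lenient): %d\n", check_left_shift(1, 31, false));
    printf("-1 << 1 (strict):  %d\n", check_left_shift(-1, 1, true));
    printf("1 << 32:           %d\n", check_left_shift(1, 32, false));
    printf("INT_MIN / -1:      %d\n", check_signed_div(INT_MIN, -1));
    printf("3 << 4 = %d, handler calls = %d\n",
           instrumented_shl(3, 4, true), handler_calls);
    return 0;
}
```

With `strict_signed` false the function reports only the count checks, which is the split Joseph asks for; with it true, `1 << 31` and `0x40000000 << 1` are both flagged because the shifted-in 1 lands on the sign bit, while `0x3FFFFFFF << 1` passes.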

