[Bug sanitizer/102515] UBSAN misses signed division instrumentation

Fri Oct 1 12:36:30 GMT 2021

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=102515

--- Comment #8 from CVS Commits <cvs-commit at gcc dot gnu.org> ---
The master branch has been updated by Jakub Jelinek <jakub@gcc.gnu.org>:

https://gcc.gnu.org/g:9c1a633d96926357155d4702b66f8a0ec856a81f

commit r12-4042-g9c1a633d96926357155d4702b66f8a0ec856a81f
Author: Jakub Jelinek <jakub@redhat.com>
Date:   Fri Oct 1 14:27:32 2021 +0200

    ubsan: Move INT_MIN / -1 instrumentation from
-fsanitize=integer-divide-by-zero to -fsanitize=signed-integer-overflow
[PR102515]

    As noted by Richi, in clang INT_MIN / -1 is instrumented under
    -fsanitize=signed-integer-overflow rather than
    -fsanitize=integer-divide-by-zero as we did and doing it in the former
    makes more sense, as it is overflow during division rather than division
    by zero.
    I've verified on godbolt that clang behaved that way since 3.2-ish times or
    so when sanitizers were added.
    Furthermore, we've been using
    -f{,no-}sanitize-recover=integer-divide-by-zero to decide on the float
    -fsanitize=float-divide-by-zero instrumentation _abort suffix.
    The case where INT_MIN / -1 is instrumented by one sanitizer and
    x / 0 by another one when both are enabled is slightly harder if
    the
-f{,no-}sanitize-recover={integer-divide-by-zero,signed-integer-overflow}
    flags differ, then we need to emit both __ubsan_handle_divrem_overflow
    and __ubsan_handle_divrem_overflow_abort calls guarded by their respective
    checks rather than one guarded by check1 || check2.

    2021-10-01  Jakub Jelinek  <jakub@redhat.com>
                Richard Biener  <rguenther@suse.de>

            PR sanitizer/102515
    gcc/
            * doc/invoke.texi (-fsanitize=integer-divide-by-zero): Remove
            INT_MIN / -1 division detection from here ...
            (-fsanitize=signed-integer-overflow): ... and add it here.
    gcc/c-family/
            * c-ubsan.c (ubsan_instrument_division): Check the right
            flag_sanitize_recover bit, depending on which sanitization
            is done.  Sanitize INT_MIN / -1 under SANITIZE_SI_OVERFLOW
            rather than SANITIZE_DIVIDE.  If both SANITIZE_SI_OVERFLOW
            and SANITIZE_DIVIDE is enabled, neither check is known
            to be false and flag_sanitize_recover bits for those two
            aren't the same, emit both __ubsan_handle_divrem_overflow
            and __ubsan_handle_divrem_overflow_abort calls.
    gcc/c/
            * c-typeck.c (build_binary_op): Call ubsan_instrument_division
            for division even for SANITIZE_SI_OVERFLOW.
    gcc/cp/
            * typeck.c (cp_build_binary_op): Call ubsan_instrument_division
            for division even for SANITIZE_SI_OVERFLOW.
    gcc/testsuite/
            * c-c++-common/ubsan/div-by-zero-3.c: Use
            -fsanitize=signed-integer-overflow instead of
            -fsanitize=integer-divide-by-zero.
            * c-c++-common/ubsan/div-by-zero-5.c: Likewise.
            * c-c++-common/ubsan/div-by-zero-4.c: Likewise.  Add
            -fsanitize-undefined-trap-on-error.
            * c-c++-common/ubsan/float-div-by-zero-2.c: New test.
            * c-c++-common/ubsan/overflow-div-1.c: New test.
            * c-c++-common/ubsan/overflow-div-2.c: New test.
            * c-c++-common/ubsan/overflow-div-3.c: New test.