Paul Eggert wrote:
> I gave it a shot by installing the attached patches.

Thanks. This could even be moved to the Autoconf manual, if there is
sufficient agreement among GNU developers.

> what Florian said a couple of years ago 
> <https://developers.redhat.com/blog/2018/03/21/compiler-and-linker-flags-gcc/>.

This is worth reading; thanks. Note that the option '-mcet' does not actually
exist. I guess it was folded into the '-fcf-protection=...' option before
GCC 8.1 was released. Cf. <https://gcc.gnu.org/bugzilla/show_bug.cgi?id=98162>

> I'm reluctant to recommend -fsanitize=whatever flags for production builds 
> because they're ABI-incompatible with future library versions

Florian's post mentions
  "the Address Sanitizer interceptors disable ABI compatibility with future
   library versions."
This is understandable: A pointer into an array may be passed as 3 words
(array start, array end, and actual pointer value).

But for '-fsanitize=signed-integer-overflow' there is no reason for an
ABI change. It's only the code inside functions which behaves differently.

> > Would it make sense to tell the GCC people that
> >    - the '-fsanitize=signed-integer-overflow -fno-sanitize-recover=signed-integer-overflow'
> >      options are practically useless when they force a dependency towards libstdc++,

Reported as <https://gcc.gnu.org/bugzilla/show_bug.cgi?id=98165>.

> >    - the 'ftrapv' option is useless when it does not work in combination with
> >      '-O2' ?
> 
> I'm not observing the latter problem with GCC 10.2.1 (Red Hat 10.2.1-9) on 
> Fedora 33 x86-64; maybe it's fixed now?

Oops, indeed. My test program could be optimized in a way that the overflow
disappears. Find attached a corrected test program.

So, '-fsanitize=signed-integer-overflow -fsanitize-undefined-trap-on-error' and
'-ftrapv' both work. The former generates better code, whereas the latter has
less surprising behaviour (an abort() is a better response than an illegal
instruction, IMO).

I'll try to use '-ftrapv' globally, to see how this works out.

Bruno

#include <stdio.h>

/* Unsigned addition wraps around; this is well defined and no overflow
   checker should complain about it. */
unsigned int ua = 0xA0000000;
unsigned int ub = 0x70000000;
unsigned int uc;
/* a + b = 0xB0000000 exceeds INT_MAX, so the signed additions below
   overflow.  Globals keep the compiler from folding the computation
   away at -O2. */
int a = 0x50000000;
int b = 0x60000000;
int c;

int main ()
{
  uc = ua + ub;   /* defined: wraps to 0x10000000 */
  c = a + b;      /* undefined: first signed overflow, a trap fires here */
  c += b;
  c += b;
  c += b;
  printf ("Still there.\n");   /* only reached without overflow checking */
  return 0;
}
