On Wed, Jun 05, 2013 at 07:50:52PM +0000, Joseph S. Myers wrote:
> On Wed, 5 Jun 2013, Marek Polacek wrote:
> 
> > It works by creating a COMPOUND_EXPR around the original expression, so e.g.
> > it creates:
> > 
> > if (b < 0 || (b > 31 || a < 0))
> >   {
> >     __builtin___ubsan_handle_shift_out_of_bounds ();
> >   }
> > else
> >   {
> >     0
> >   }, a << b;
> > 
> > from original "a <<= b;".
> 
> For the "a < 0" here, and signed left shift of a positive value shifting a
> 1 into or past the sign bit, I think it should be possible to control the
> checks separately from other checks on shifts - both because those cases
> were implementation-defined in C90, only undefined in C99/C11, and because
> they are widely used in practice.
Ok, I see.

> > There is of course a lot of stuff that needs to be done, more
> > specifically:
> > 5) Testcases (or if applicable, running existing testcases coming with the
> > library).

Yeah -- we definitely want to have some testcases; the trouble is that,
like for tsan, we don't have any infrastructure for that yet.  Probably we
could just put new tests into gcc.dg and put -fsanitize=undefined into
dg-options?  Or maybe tweak .exp files and run some testcases also with
-fsanitize=undefined, but the thing is that we can't use dg-do compile
tests, we need dg-do run tests.

> 6) Map -ftrapv onto an appropriate subset of this option that handles the
> cases -ftrapv was meant to handle (so arithmetic overflow, which I'd say
> should include INT_MIN / -1).

Ok, we can look at this maybe later when ubsan is more mature.

> > 4) and of course, more instrumentation (C/C++ FE, gimple level)
> > What comes to mind is:
> > - float/double to integer conversions,
> 
> Under Annex F, these return an unspecified value rather than being
> undefined behavior.

Aha, good to know.  I've mentioned it because clang instruments that.

> > - integer overflows (a long list of various cases here),
> 
> Strictly, including INT_MIN % -1 (both / and % are undefined if the result
> of either is unrepresentable) - it appears you've already got that.  Of
> course INT_MIN % -1 and INT_MIN / -1 should *work* reliably with -fwrapv,
> which is another bug (30484).
> 
> > - invalid conversions of int to bool,
> 
> What do you mean?  Conversion to bool is just a comparison != 0.

Something like e.g.:

unsigned char c = 42;

int
main (void)
{
  _Bool *b = (_Bool *) &c;
  return *b;
}

(clang catches this.)

> > - VLA sizes (e.g. negative size),
> 
> Or the multiplication used to compute the size in bytes overflows (really,
> there should be some code generated expanding the stack bit by bit to
> avoid it accidentally overflowing into another allocated area of memory, I
> suppose).

Yeah, that sounds interesting as well.
> > +@item -fsanitize=undefined
> > +Enable UndefinedBehaviorSanitizer, a fast undefined behavior detector
> > +Various computations will be instrumented to detect
> > +undefined behavior, e.g. division by zero or various overflows.
> 
> e.g.@:

Fixed.  Thanks!

	Marek
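Review bot: the `@item -fsanitize=undefined` text is missing a sentence-ending period after "detector" on the line `+Enable UndefinedBehaviorSanitizer, a fast undefined behavior detector`, so the following `+Various computations will be instrumented to detect` runs on into the previous sentence; suggest `+Enable UndefinedBehaviorSanitizer, a fast undefined behavior detector.` alongside the `e.g.@:` Texinfo fix already requested.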
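The shift check quoted at the top of this mail, written out as a plain C function: this is an added illustration, not code from the patch or from GCC, and the function names, the enum and the `strict_c99` switch are hypothetical. It keeps the `a < 0` case and the "positive value shifted into or past the sign bit" case Joseph mentions as separate classes, so a caller can report them independently of the shift-count checks, and it assumes a 32-bit int as the quoted `b > 31` test does.

```c
#include <limits.h>
#include <stdbool.h>

/* Hypothetical classification of a signed "a << b" (not GCC's code). */
enum shift_ub {
    SHIFT_OK = 0,
    SHIFT_NEGATIVE_COUNT,   /* b < 0 */
    SHIFT_COUNT_TOO_LARGE,  /* b >= width of int (b > 31 in the quoted expansion) */
    SHIFT_NEGATIVE_BASE,    /* a < 0: implementation-defined in C90, undefined in C99/C11 */
    SHIFT_OVERFLOW          /* positive a shifted so a 1 lands in or past the sign bit */
};

/* Classify without performing the shift, so this function itself has no UB.
   The first three tests are exactly the condition in the patch's COMPOUND_EXPR;
   the last is the extra case Joseph raises. */
enum shift_ub classify_shl(int a, int b)
{
    const int width = CHAR_BIT * (int) sizeof (int);  /* 32 on the assumed target */
    if (b < 0)
        return SHIFT_NEGATIVE_COUNT;
    if (b >= width)
        return SHIFT_COUNT_TOO_LARGE;
    if (a < 0)
        return SHIFT_NEGATIVE_BASE;
    /* a << b is representable iff a <= INT_MAX >> b. */
    if (a > (INT_MAX >> b))
        return SHIFT_OVERFLOW;
    return SHIFT_OK;
}

/* Models "control the checks separately": with strict_c99 false, the two
   C90-implementation-defined classes are tolerated and the shift is done
   through unsigned arithmetic; the count checks are always enforced.
   Returns true and stores the result when the shift is accepted, false
   where the instrumented code would call the ubsan handler instead. */
bool shl_is_ok(int a, int b, bool strict_c99, int *out)
{
    enum shift_ub ub = classify_shl(a, b);
    bool tolerated = !strict_c99
                     && (ub == SHIFT_NEGATIVE_BASE || ub == SHIFT_OVERFLOW);
    if (ub != SHIFT_OK && !tolerated)
        return false;
    *out = (int) ((unsigned) a << b);  /* two's-complement wraparound, no UB */
    return true;
}
```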