[cfe-dev] Unsigned Integer Wrap and -fsanitize=integer

John McCall rjmccall at apple.com
Tue Jul 30 09:56:21 PDT 2013


On Jul 30, 2013, at 7:46 AM, Sean McBride <sean at rogue-research.com> wrote:
> On Tue, 30 Jul 2013 07:00:52 -0400, Jeffrey Walton said:
>> I'm testing a crypto library under the sanitizers. Crypto libraries
>> are notorious for doing clever (and sometimes undefined) things to
>> integers.
>> 
>> I'm catching a number of errors similar to below. Is (or should)
>> unsigned wrap be an error condition? I thought it was implementation
>> defined. Or is -fsanitize=integer catching signed integer overflow
>> (which is undefined behavior) and incorrectly reporting it?
> 
> Unsigned wrapping is well-defined.  See here: 
> <http://clang.llvm.org/docs/UsersManual.html#controlling-code-generation>
> 
> Notice for "-fsanitize=integer" they say "Enables checks for undefined or suspicious integer behavior."  The 'suspicious' part refers to unsigned overflow, which, though well-defined, is often unexpected (though probably not in a crypto lib).

Right.  Specifically, the class of security bugs where the calculation of an
allocation size overflows overwhelmingly involves unsigned overflow.
But of course there are also many reasonable calculations, like hash
functions, that should ignore unsigned overflow.  So it’s important for
the user to provide direction here.

John.
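The distinction John draws (an allocation-size product that silently wraps versus a hash that wraps on purpose) is easy to see in code. The following is an added example, not code from this thread or from clang: it contrasts a naive `count * elem_size` calculation with one guarded by the GCC/clang `__builtin_mul_overflow` builtin, and marks an FNV-1a hash with clang's `no_sanitize("unsigned-integer-overflow")` attribute so that `-fsanitize=integer` does not report its deliberate wrap. The function names, the `#if defined(__clang__)` guard and the sample inputs are my own assumptions; the FNV-1a constants are the published ones.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Naive allocation-size calculation: well-defined in C, but a huge
 * count wraps the product to a small number, which is exactly the bug
 * class -fsanitize=integer exists to flag. */
size_t naive_alloc_size(size_t count, size_t elem_size)
{
    return count * elem_size;
}

/* Checked variant: reports whether count * elem_size fits in size_t.
 * __builtin_mul_overflow is available in GCC >= 5 and clang >= 3.8
 * (assumption: the compiler used here provides it). */
bool checked_alloc_size(size_t count, size_t elem_size, size_t *out)
{
    return !__builtin_mul_overflow(count, elem_size, out);
}

/* Allocation helper that refuses to allocate when the size wraps. */
void *alloc_array(size_t count, size_t elem_size)
{
    size_t bytes;
    if (!checked_alloc_size(count, elem_size, &bytes))
        return NULL;            /* reject instead of undersizing the buffer */
    return malloc(bytes);
}

/* FNV-1a 32-bit hash: modular wrap is part of the algorithm, so the
 * sanitizer check is switched off for this one function only. The
 * attribute is clang-specific, hence the guard. */
#if defined(__clang__)
__attribute__((no_sanitize("unsigned-integer-overflow")))
#endif
uint32_t fnv1a32(const unsigned char *data, size_t len)
{
    uint32_t h = 2166136261u;               /* FNV offset basis */
    for (size_t i = 0; i < len; i++) {
        h ^= data[i];
        h *= 16777619u;                      /* FNV prime; wraps by design */
    }
    return h;
}

int main(void)
{
    /* Constructed input: a count just large enough that count * 2 wraps to 0. */
    size_t big = SIZE_MAX / 2 + 1;
    size_t bytes;

    printf("naive size for %zu * 2 = %zu\n", big, naive_alloc_size(big, 2));
    printf("checked size fits: %s\n",
           checked_alloc_size(big, 2, &bytes) ? "yes" : "no");

    void *p = alloc_array(big, 2);
    printf("alloc_array(big, 2) -> %s\n", p ? "non-NULL" : "NULL");
    free(p);

    const unsigned char a[] = { 'a' };
    printf("fnv1a32(\"a\") = 0x%08x\n", fnv1a32(a, 1));
    return 0;
}
```

Compiling the block with `clang -fsanitize=integer` reports the wrap inside `naive_alloc_size` at run time while `fnv1a32` stays silent; `checked_alloc_size` never wraps at all, so it is clean under the sanitizer without any annotation, which is the preferable shape for size arithmetic.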