[cfe-dev] Why does integer overflow sanitizer exits the program with zero exit code

Riyad Parvez via cfe-dev cfe-dev at lists.llvm.org
Tue Nov 3 15:26:22 PST 2015 

Thanks a lot.

I had decided to detect overflow by SIGABRT. The issue SIGABRT is also
thorwn by when assertion violation occurs. So SIGABRT is not the perfect
indicator of overflow.

I see all the arithmetic operations are performed by
"__ubsan_handle_*_overflow" built-in functions. If I catch SIGABRT,
"__ubsan_handle_*_overflow" functions in the stack, can I safely assume the
program is terminated in overflow?

Thanks,
Riyad

On Fri, Oct 23, 2015 at 3:01 PM, Kostya Serebryany <kcc at google.com> wrote:

>
>
>
> On Fri, Oct 23, 2015 at 11:35 AM, Riyad Parvez <riyad.parvez at uwaterloo.ca>
> wrote:
>
>> Interesting! "UBSAN_OPTIONS=halt_on_error=1:abort_on_error=1" works fine,
>> but just "UBSAN_OPTIONS=abort_on_error=1" doesn't work. Is it by design?
>>
>
>
> sort of.
> by default, ubsan simply does not exit, so it does not care about
> abort_on_error.
>
>
>
>
>>
>> On Fri, Oct 23, 2015 at 2:30 PM, Kostya Serebryany <kcc at google.com>
>> wrote:
>>
>>>
>>>
>>> On Fri, Oct 23, 2015 at 11:27 AM, Riyad Parvez <
>>> riyad.parvez at uwaterloo.ca> wrote:
>>>
>>>> Thanks! It works on the latest version of clang, but I was using clang
>>>> 3.4 where it didn't work.
>>>>
>>>
>>> 3.4 was loooong ago.
>>>
>>>
>>>>
>>>> On a more related note, SIGABRT better indicator of bugs than non-zero
>>>> exit status. So I've tried "ASAN_OPTIONS=abort_on_error=1" option which
>>>> works for address sanitizer where program exists with SIGABRT. But
>>>> "UBSAN_OPTIONS=abort_on_error=1" doesn't exit with SIGABRT. Is there any
>>>> way to make overflow sanitizer exit with SIGABRT similar to address
>>>> sanitizer?
>>>>
>>>
>>> Just checked:
>>>
>>> % clang -fsanitize=address,signed-integer-overflow int-overflow.c &&
>>> UBSAN_OPTIONS=halt_on_error=1:abort_on_error=1 ./a.out ; echo EXIT STATUS:
>>> $?
>>> int-overflow.c:5:5: runtime error: signed integer overflow: 1073741824 +
>>> 1073741824 cannot be represented in type 'int'
>>> SUMMARY: AddressSanitizer: undefined-behavior int-overflow.c:5:5 in
>>> Aborted (core dumped)
>>> EXIT STATUS: 134
>>>
>>>
>>>
>>>>
>>>> On Fri, Oct 23, 2015 at 1:06 PM, Kostya Serebryany <kcc at google.com>
>>>> wrote:
>>>>
>>>>>
>>>>>
>>>>> On Fri, Oct 23, 2015 at 7:08 AM, Riyad Parvez <
>>>>> riyad.parvez at uwaterloo.ca> wrote:
>>>>>
>>>>>> Thanks for the reply.
>>>>>>
>>>>>> I am developing a fuzzer and interested to find overflows.
>>>>>>
>>>>>
>>>>> So am I :)
>>>>> llvm.org/docs/LibFuzzer.html
>>>>>
>>>>>
>>>>>> Is there any way to detect when errors are detected? To explain more,
>>>>>> I have instrumented the binary to see which functions are called in
>>>>>> run-time. What are the functions that are called when overflow is detected?
>>>>>> When these functions are called I will know overflow is detected.
>>>>>>
>>>>>>
>>>>>> On Thu, Oct 22, 2015 at 8:08 PM, Kostya Serebryany <kcc at google.com>
>>>>>> wrote:
>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> On Thu, Oct 22, 2015 at 11:52 AM, Riyad Parvez via cfe-dev <
>>>>>>> cfe-dev at lists.llvm.org> wrote:
>>>>>>>
>>>>>>>> Hi All,
>>>>>>>>
>>>>>>>> With "-fsanitize=integer" flag, when an overflow is detected the
>>>>>>>> program is terminated with zero exit code.
>>>>>>>>
>>>>>>>
>>>>>>> You can change this behavior by using env. var.
>>>>>>> UBSAN_OPTIONS=halt_on_error=1
>>>>>>>
>>>>>>>
>>>>>> I've tried this; didn't work.
>>>>>>
>>>>>
>>>>> What exactly do you run?
>>>>>
>>>>> Here is what works for me:
>>>>>
>>>>> % cat int-overflow.c
>>>>> #include <stdio.h>
>>>>> int x;
>>>>> int main(int argc, char **argv) {
>>>>>   x += 1 << 30;
>>>>>   x += 1 << 30;
>>>>>   printf("%d\n", x);
>>>>>   return 0;
>>>>> }
>>>>>
>>>>>
>>>>> % clang -fsanitize=signed-integer-overflow int-overflow.c && ./a.out ;
>>>>> echo EXIT STATUS: $?
>>>>> int-overflow.c:5:5: runtime error: signed integer overflow: 1073741824
>>>>> + 1073741824 cannot be represented in type 'int'
>>>>> -2147483648
>>>>> EXIT STATUS: 0
>>>>> % clang -fsanitize=signed-integer-overflow int-overflow.c &&
>>>>> UBSAN_OPTIONS=halt_on_error=1 ./a.out ; echo EXIT STATUS: $?
>>>>> int-overflow.c:5:5: runtime error: signed integer overflow: 1073741824
>>>>> + 1073741824 cannot be represented in type 'int'
>>>>> EXIT STATUS: 1
>>>>> %
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>>
>>>>>>
>>>>>>> (Not sure if this is properly documented anywhere. Alexey? )
>>>>>>>
>>>>>>>
>>>>>>>> But with "-fsanitize=address" flag, the program terminates with
>>>>>>>> non-zero exit code. I think the address sanitizer behavior of non-zero exit
>>>>>>>> code is more intuitive since the program did exit in error. Is there any
>>>>>>>> reason integer overflow sanitizer exits the program with zero exit code?
>>>>>>>>
>>>>>>>
>>>>>>> One of the reasons, maybe:
>>>>>>> Programs are more often ubsan-unclean than asan-unclean, and halting
>>>>>>> on every ubsan message makes it harder to deploy the tool.
>>>>>>>
>>>>>>>
>>>>>>>>
>>>>>>>> Thanks,
>>>>>>>> Riyad
>>>>>>>>
>>>>>>>> _______________________________________________
>>>>>>>> cfe-dev mailing list
>>>>>>>> cfe-dev at lists.llvm.org
>>>>>>>> http://lists.llvm.org/cgi-bin/mailman/listinfo/cfe-dev
>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>
>>>>>
>>>>
>>>
>>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.llvm.org/pipermail/cfe-dev/attachments/20151103/a636b677/attachment.html>

More information about the cfe-dev mailing list