[all-commits] [llvm/llvm-project] 295fe0: [Clang] Re-land Overflow Pattern Exclusions (#104889)

Justin Stitt via All-commits all-commits at lists.llvm.org
Tue Aug 20 13:14:06 PDT 2024 

  Branch: refs/heads/main
  Home:   https://github.com/llvm/llvm-project
  Commit: 295fe0bd438209831071ffbacf003c4941f31b90
      https://github.com/llvm/llvm-project/commit/295fe0bd438209831071ffbacf003c4941f31b90
  Author: Justin Stitt <justinstitt at google.com>
  Date:   2024-08-20 (Tue, 20 Aug 2024)

  Changed paths:
    M clang/docs/ReleaseNotes.rst
    M clang/docs/UndefinedBehaviorSanitizer.rst
    M clang/include/clang/AST/Expr.h
    M clang/include/clang/AST/Stmt.h
    M clang/include/clang/Basic/LangOptions.h
    M clang/include/clang/Driver/Options.td
    M clang/include/clang/Driver/SanitizerArgs.h
    M clang/lib/AST/Expr.cpp
    M clang/lib/CodeGen/CGExprScalar.cpp
    M clang/lib/Driver/SanitizerArgs.cpp
    M clang/lib/Driver/ToolChains/Clang.cpp
    M clang/lib/Frontend/CompilerInvocation.cpp
    M clang/lib/Serialization/ASTReaderStmt.cpp
    M clang/lib/Serialization/ASTWriterStmt.cpp
    A clang/test/CodeGen/ignore-overflow-pattern-false-pos.c
    A clang/test/CodeGen/ignore-overflow-pattern.c

  Log Message:
  -----------
  [Clang] Re-land Overflow Pattern Exclusions (#104889)

Introduce "-fsanitize-undefined-ignore-overflow-pattern=" which can
be used to disable sanitizer instrumentation for common overflow-dependent
code patterns.

For a wide selection of projects, proper overflow sanitization could
help catch bugs and solve security vulnerabilities. Unfortunately, in
some cases the integer overflow sanitizers are too noisy for their users
and are often left disabled. Providing users with a method to disable
sanitizer instrumentation of common patterns could mean more projects
actually utilize the sanitizers in the first place.

One such project that has opted to not use integer overflow (or
truncation) sanitizers is the Linux Kernel. There has been some
discussion[1] recently concerning mitigation strategies for unexpected
arithmetic overflow. This discussion is still ongoing and a succinct
article[2] accurately sums up the discussion. In summary, many Kernel
developers do not want to introduce more arithmetic wrappers when
most developers understand the code patterns as they are.

Patterns like:

  if (base + offset < base) { ... }

or

  while (i--) { ... }

or

  #define SOME -1UL

are extremely common in a code base like the Linux Kernel. It is
perhaps too much to ask of kernel developers to use arithmetic wrappers
in these cases. For example:

  while (wrapping_post_dec(i)) { ... }

which wraps some builtin would not fly. This would incur too many
changes to existing code; the code churn would be too much, at least too
much to justify turning on overflow sanitizers.

Currently, this commit tackles three pervasive idioms:

1. "if (a + b < a)" or some logically-equivalent re-ordering like "if (a > b + a)"
2. "while (i--)" (for unsigned) a post-decrement always overflows here
3. "-1UL, -2UL, etc" negation of unsigned constants will always overflow

The patterns that are excluded can be chosen from the following list:

- add-overflow-test
- post-decr-while
- negated-unsigned-const

These can be enabled with a comma-separated list:

  -fsanitize-undefined-ignore-overflow-pattern=add-overflow-test,negated-unsigned-const

"all" or "none" may also be used to specify that all patterns should be
excluded or that none should be.

[1] https://lore.kernel.org/all/202404291502.612E0A10@keescook/
[2] https://lwn.net/Articles/979747/

CCs: @efriedma-quic @kees @jyknight @fmayer @vitalybuka
Signed-off-by: Justin Stitt <justinstitt at google.com>
Co-authored-by: Bill Wendling <morbo at google.com>



To unsubscribe from these emails, change your notification settings at https://github.com/llvm/llvm-project/settings/notifications

More information about the All-commits mailing list