[cfe-dev] -fsanitize=integer improvements?

Timo Sirainen tss at iki.fi
Sat Feb 23 23:52:42 PST 2013


I was excited to find out about this feature and trying it out on my code.

The first problem was that I had been using -1U instead of UINT_MAX a lot. I think it's pretty obvious that -1U is meant as UINT_MAX instead of overflowing the integer. Anyway, I switched them to UINT_MAX so this isn't really an issue.

The main problem is with code like:

	unsigned int foo = 1000; // always a positive number
	int diff = -1; // positive or negative number that doesn't overflow/underflow foo

	printf("%u\n", foo + diff);

Because diff gets translated to UINT_MAX here, which then overflows the calculation. Couldn't these types of calculations somehow be skipped over? Or alternatively could the compiler give a warning when it's mixing up signed and unsigned integer calculations so these could at least be found easily at compile stage?

I see someone else already asked about disabling the checks for some specific calculations. Will Dietz replied about planning to soon add "safe attributes" to do that. Is this implemented yet? Or can I use some #pragma to remove the checks from md5/sha code files (I'd rather not mess with automake for this). I was also wondering about the possibility of doing this in a somewhat standard way by explicitly using modulo on the result, such as:

printf("%u\n", (UINT_MAX + 5) % UINT_MAX);

or even any modulo:

printf("%u\n", (UINT_MAX + 5) % 2);

I think these make it clear that modulo arithmetic is intended and an overflow can't be a bug.
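As an added illustration (not part of the original post or of clang): under C's usual arithmetic conversions the `foo + diff` above is evaluated as `foo + (unsigned)diff`, so `-1` becomes `UINT_MAX` and the addition wraps, which is exactly what the unsigned-overflow part of `-fsanitize=integer` reports. The helper below expresses the same intent (adjust an unsigned value by a signed delta that is known not to over- or underflow it) with the sign handled explicitly, so no unsigned wraparound happens and a violated precondition is reported instead of silently wrapping; the function names are my own.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>

/* The expression from the post, as the compiler evaluates it: diff is
 * converted to unsigned (-1 becomes UINT_MAX) and the addition wraps
 * modulo UINT_MAX + 1. The result is right, but the wrap is what
 * -fsanitize=unsigned-integer-overflow flags. */
unsigned add_wrapping(unsigned foo, int diff)
{
    return foo + diff;
}

/* Same intent with the sign handled explicitly: no unsigned wraparound
 * occurs as long as the precondition holds (the delta neither overflows
 * nor underflows foo). If it does not hold, return false instead of
 * wrapping. Hypothetical helper, not part of clang or the post. */
bool add_checked(unsigned foo, int diff, unsigned *out)
{
    if (diff >= 0) {
        unsigned mag = (unsigned)diff;
        if (foo > UINT_MAX - mag)
            return false;                  /* would overflow */
        *out = foo + mag;
    } else {
        /* -(diff + 1) cannot overflow even for INT_MIN; + 1u restores |diff| */
        unsigned mag = (unsigned)(-(diff + 1)) + 1u;
        if (foo < mag)
            return false;                  /* would underflow */
        *out = foo - mag;
    }
    return true;
}

int main(void)
{
    unsigned foo = 1000;   /* always a positive number, as in the post */
    int diff = -1;         /* delta that does not over/underflow foo */
    unsigned r;

    printf("%u\n", add_wrapping(foo, diff));     /* 999, via wraparound */
    if (add_checked(foo, diff, &r))
        printf("%u\n", r);                       /* 999, no wraparound */
    if (!add_checked(5, -10, &r))
        printf("5 + -10 would underflow\n");
    if (!add_checked(UINT_MAX, 1, &r))
        printf("UINT_MAX + 1 would overflow\n");
    return 0;
}
```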
