[cfe-dev] Unsigned Integer Wrap and -fsanitize=integer

Richard Smith richard at metafoo.co.uk
Tue Jul 30 11:50:02 PDT 2013


On Tue, Jul 30, 2013 at 7:46 AM, Sean McBride <sean at rogue-research.com> wrote:

> On Tue, 30 Jul 2013 07:00:52 -0400, Jeffrey Walton said:
>
> >I'm testing a crypto library under the sanitizers. Crypto libraries
> >are notorious for doing clever (and sometimes undefined) things to
> >integers.
> >
> >I'm catching a number of errors similar to below. Is (or should)
> >unsigned wrap be an error condition? I thought it was implementation
> >defined. Or is -fsanitize=integer catching signed integer overflow
> >(which is undefined behavior) and incorrectly reporting it?
>
> Unsigned wrapping is well-defined.  See here:
> <http://clang.llvm.org/docs/UsersManual.html#controlling-code-generation>
>
> Notice for "-fsanitize=integer" they say "Enables checks for undefined or
> suspicious integer behavior."  The 'suspicious' part refers to unsigned
> overflow, which, though well-defined, is often unexpected (though probably
> not in a crypto lib).
>
> I think you want -fsanitize=undefined.
>
> >Related: is -fsanitize=integer Peng and Regehr's Integer Overflow
> >Checker? I'm very interested in IOC because Intel's ICC is ruthless
> >about removing code with undefined behavior.
>
> It is.


Actually, I would instead say that -fsanitize=integer is the spiritual
successor of IOC. It is Regehr and Peng's idea, it is *not* the IOC
implementation of that idea, but some of the implementation is due to their
group. Here's the story:

-fsanitize=undefined ("UBSan") was inspired by IOC. With John Regehr's
consent, I started with the intention of committing the IOC patches into
upstream Clang. However, the scope of the project got extended to an
attempt to catch a much more comprehensive set of undefined behavior, and
what I ended up with was a near-complete rewrite -- there is essentially no
code in common between UBSan and IOC, and UBSan has a large number of other
sanitizers that were never part of IOC.
-fsanitize=unsigned-integer-overflow is not part of UBSan, since it is not
a check for undefined behavior.

-fsanitize=integer is -fsanitize=undefined's checks for integer undefined
behavior, plus -fsanitize=unsigned-integer-overflow, and its feature set is
similar to that of IOC (but not exactly the same).
-fsanitize=unsigned-integer-overflow was the work of Will Dietz, under (I
believe) the direction of John Regehr, and Will also contributed various
fixes and features to the rest of UBSan (in some cases, adding features
that were present in IOC but not in UBSan).

Hope that clears things up somewhat.
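The following is an added example written for this page, not code from the thread or from Clang/UBSan, illustrating the distinction the thread turns on: unsigned wrap is well-defined (and silent under -fsanitize=undefined, but reported as "suspicious" under -fsanitize=integer, which adds -fsanitize=unsigned-integer-overflow), while signed overflow is undefined behaviour that a library should detect rather than compute. The function names (rotl32, wrapping_add_u32, checked_add_s32, checked_add_u32) are my own; the checked variants use the GCC/Clang __builtin_add_overflow builtin, which is defined for every input.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Typical crypto primitive: a 32-bit rotate. The shift by (32 - r) is
 * masked so r == 0 never produces a shift by 32 (which would be UB). */
uint32_t rotl32(uint32_t x, unsigned r) {
    r &= 31;
    return (x << r) | (x >> ((32 - r) & 31));
}

/* Unsigned arithmetic wraps modulo 2^32 and is well-defined C.
 * -fsanitize=undefined says nothing here; -fsanitize=integer
 * (via -fsanitize=unsigned-integer-overflow) reports the wrap as
 * suspicious, which in a cipher round is a false positive. */
uint32_t wrapping_add_u32(uint32_t a, uint32_t b) {
    return a + b; /* e.g. UINT32_MAX + 1 == 0 */
}

/* Signed overflow is undefined behaviour: the optimizer may assume it
 * never happens and drop the "overflow check" that follows it. Detect
 * it with the builtin instead; the result is only written when no
 * overflow occurred. Returns true on success. */
bool checked_add_s32(int32_t a, int32_t b, int32_t *out) {
    int32_t tmp;
    if (__builtin_add_overflow(a, b, &tmp))
        return false;
    *out = tmp;
    return true;
}

/* The same check for unsigned values where wrap is NOT intended, for
 * example a length or buffer-size computation. Here a wrap really is
 * a bug, which is the case -fsanitize=integer is meant to catch. */
bool checked_add_u32(uint32_t a, uint32_t b, uint32_t *out) {
    uint32_t tmp;
    if (__builtin_add_overflow(a, b, &tmp))
        return false;
    *out = tmp;
    return true;
}

/* Build stand-alone with, e.g.:
 *   clang -fsanitize=undefined example.c   (unsigned wrap below is silent)
 *   clang -fsanitize=integer   example.c   (unsigned wrap below is reported) */
int main(void) {
    int32_t s;
    uint32_t u;

    printf("rotl32(0x80000001, 1) = 0x%08x\n", rotl32(0x80000001u, 1));
    printf("UINT32_MAX + 1 (wrapping) = %u\n", wrapping_add_u32(UINT32_MAX, 1));
    printf("INT32_MAX + 1 checked: %s\n",
           checked_add_s32(INT32_MAX, 1, &s) ? "ok" : "overflow detected");
    printf("UINT32_MAX + 1 checked: %s\n",
           checked_add_u32(UINT32_MAX, 1, &u) ? "ok" : "wrap detected");
    return 0;
}
```

The practical takeaway for a library under test: use -fsanitize=undefined to find the real bugs (signed overflow, oversized shifts), and treat -fsanitize=integer reports as a triage list, since every intentional modular addition in a hash or cipher round will appear in it.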