[cfe-dev] Traps for signed arithmetic overflow

Roman Lebedev via cfe-dev cfe-dev at lists.llvm.org
Sat Nov 24 05:45:33 PST 2018 

On Sat, Nov 24, 2018 at 4:34 PM Liu Hao via cfe-dev
<cfe-dev at lists.llvm.org> wrote:
>
> 在 2018/11/24 5:36, Marc Glisse 写道:
> > On Fri, 23 Nov 2018, Helmut Eller wrote:
> >
> >> On Fri, Nov 23 2018, Marc Glisse wrote:
> >>
> >>> On Fri, 23 Nov 2018, Helmut Eller wrote:
> >>>
> >>>> when compiling this example with gcc -O2 -ftrapv:
> >>>> [...]
> >>> Try with "-fsanitize=undefined
> >>> -fsanitize-undefined-trap-on-error". -ftrapv is quite broken and not
> >>> really maintained. I think fixing it would mean making it an alias for
> >>> the sanitizer version.
> >>
> >> Thanks for the quick reply.  That does indeed produce exactly the code I
> >> want.
> >>
> >> It doesn't seem so detect overflow for short or char types, though:
> >
> > That's because there is no overflow. Read about integer promotion.
>
> I think I had better say something about this.
>
> You are right; there is no overflow. But who needs such apparently
> deficient (if not incomplete at all) behavior? People could start
> arguing that integer promotion is mandated by the C standard and is what
> 'portable' code might rely on. Yes you are right, totally right about a
> _very_ poor excuse: The so-called 'portable' code should not rely on the `int`
> -> `short` conversion either, which is implementation-defined and not so
> portable after all. It is a shame for C to have integer promotion.

> It is a flaw for UBSan to discriminate overflows on `short`.
It is not an ubsan flaw.
There is no overflow happening, therefore it has nothing to report.

First, the sub-int types are promoted to int-sized types, then
those promoted values are added (and this addition is what the ubsan sanitizes),
and then the result is implicitly cast back to the original type.

Naturally, sometimes that is lossy. That is indeed an issue.
There are several bugs about this:
https://bugs.llvm.org/show_bug.cgi?id=21530
https://github.com/google/sanitizers/issues/940

If you look at the release notes, you may see that clang-7 has
gained -fsanitize=implicit-conversion (https://reviews.llvm.org/D48958),
which *does* detect just *this* kind of issues. Yay.

TBN, the version in clang-7 is *very* partial (only detects lossy
truncations), so if you want to use that,
you should use trunk, in which more cases are now detected - sign
changes (https://reviews.llvm.org/D50250)
compound assignment operations (https://reviews.llvm.org/D53949).

Though trunk still does not catch everything - i still need to look
into unary inc/dec, bitfields; atomics.

> --
> Best regards,
> LH_Mouse
Roman.

> _______________________________________________
> cfe-dev mailing list
> cfe-dev at lists.llvm.org
> http://lists.llvm.org/cgi-bin/mailman/listinfo/cfe-dev

More information about the cfe-dev mailing list