bug-gnulib

Re: checking against signed integer overflow


From: Jeffrey Walton
Subject: Re: checking against signed integer overflow
Date: Sat, 5 Dec 2020 11:43:44 -0500

On Sat, Dec 5, 2020 at 10:04 AM Bruno Haible <bruno@clisp.org> wrote:
>
> ...
> Now, let me ask the question "What compiler options would a distro have to
> provide, in order to globally enable signed integer overflow checks?"
> (like -D_FORTIFY_SOURCE=2, which many distro vendors now use).
>
> Through some experiments (below), I conclude that the appropriate options
> would be '-fsanitize=signed-integer-overflow -fsanitize-undefined-trap-on-error'.

You might also check out an overflow library. For the C language,
safe_iop is available. Android uses safe_iop. For C++, LeBlanc's
SafeInt is a good choice. SafeInt is used internally by Microsoft.

I also have some GCC inline assembly one-liners that I use on
occasion. The good thing about inline assembly is that ASM does not
suffer C's undefined behavior. You are free to subtract two numbers that
overflow and there is no undefined behavior because ASM is not bound
by C rules.

Maybe GNU needs to provide something similar.

> Would it make sense to tell the GCC people that
>   - the '-fsanitize=signed-integer-overflow -fno-sanitize-recover=signed-integer-overflow'
>     options are practically useless when they force a dependency towards libstdc++,
>   - the 'ftrapv' option is useless when it does not work in combination with
>     '-O2' ?

-ftrapv is for defective programs. A program using -ftrapv is still
defective and should be fixed. -ftrapv will cause a program to fail a
security audit. Also see .

Jeff
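
An added example, not part of the mail above and not code from safe_iop or SafeInt: a small C file showing two ways a program can detect signed overflow on its own, so the check does not depend on -ftrapv or on a sanitizer being enabled at build time. The first is a portable pre-check that never evaluates the overflowing expression (the approach an overflow library takes, written here from scratch); the second uses the GCC/Clang `__builtin_*_overflow` builtins in place of inline assembly. The function names and the sample values are this example's own.

```c
/*
 * Added example (not from the mail above, nor from safe_iop/SafeInt):
 * detecting signed overflow in C without relying on -ftrapv or a sanitizer.
 *
 * Nothing here performs an overflowing signed operation, so building with
 *   gcc -O2 -fsanitize=signed-integer-overflow -fsanitize-undefined-trap-on-error
 * stays silent; a plain "a + b" on the same inputs would trap.
 */
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Portable pre-check: a + b fits in int only if a <= INT_MAX - b (for b > 0)
   and a >= INT_MIN - b (for b < 0). Each bound is computed without overflow
   because the sign of b is known on that branch. */
static bool checked_add_int(int a, int b, int *out)
{
    if ((b > 0 && a > INT_MAX - b) || (b < 0 && a < INT_MIN - b))
        return false;
    *out = a + b;
    return true;
}

/* Subtraction: a - b overflows upward when b < 0 and a > INT_MAX + b,
   and downward when b > 0 and a < INT_MIN + b. */
static bool checked_sub_int(int a, int b, int *out)
{
    if ((b < 0 && a > INT_MAX + b) || (b > 0 && a < INT_MIN + b))
        return false;
    *out = a - b;
    return true;
}

/* Multiplication pre-checks are easy to get wrong (four sign cases plus the
   INT_MIN * -1 corner), so use the compiler builtin: it computes the exact
   product and returns true when the truncated result does not match. */
static bool checked_mul_int(int a, int b, int *out)
{
    return !__builtin_mul_overflow(a, b, out);
}

/* The builtins are type-generic, so one macro serves every integer type,
   including the size_t arithmetic that precedes an allocation. */
#define CHECKED_MUL(a, b, out) (!__builtin_mul_overflow((a), (b), (out)))

/* Bytes needed for n elements of width w, or false if the size would wrap.
   Checking this before malloc() is the classic use of an overflow library. */
static bool alloc_size(size_t n, size_t w, size_t *bytes)
{
    return CHECKED_MUL(n, w, bytes);
}

int main(void)
{
    int r;
    size_t sz;

    printf("INT_MAX + 1     -> %s\n",
           checked_add_int(INT_MAX, 1, &r) ? "ok" : "overflow");
    printf("INT_MIN - 1     -> %s\n",
           checked_sub_int(INT_MIN, 1, &r) ? "ok" : "overflow");
    if (checked_mul_int(46340, 46340, &r))
        printf("46340 * 46340   -> ok (%d)\n", r);
    printf("46341 * 46341   -> %s\n",
           checked_mul_int(46341, 46341, &r) ? "ok" : "overflow");
    printf("SIZE_MAX/2 * 3  -> %s\n",
           alloc_size(SIZE_MAX / 2, 3, &sz) ? "ok" : "overflow");
    return 0;
}
```

The pre-check form is what you would reach for when the code must also compile with a compiler that lacks the builtins; where GCC or Clang is guaranteed, the builtins are shorter, type-generic and usually compile to the same flag test an inline-assembly one-liner would.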


