Re: checking against signed integer overflow
From: Bruno Haible
Subject: Re: checking against signed integer overflow
Date: Sun, 06 Dec 2020 17:30:03 +0100
User-agent: KMail/5.1.3 (Linux/4.4.0-193-generic; KDE/5.18.0; x86_64; ; )
Paul Eggert wrote:
> I gave it a shot by installing the attached patches.
Thanks. This could even be moved to the Autoconf manual, if there is
sufficient agreement among GNU developers.
> what Florian said a couple of years ago
> <https://developers.redhat.com/blog/2018/03/21/compiler-and-linker-flags-gcc/>.
This is worth reading; thanks. Note that the option '-mcet' does not actually
exist. I guess it was folded into the '-fcf-protection=...' option before
GCC 8.1 was released. Cf. <https://gcc.gnu.org/bugzilla/show_bug.cgi?id=98162>
> I'm reluctant to recommend -fsanitize=whatever flags for production builds
> because they're ABI-incompatible with future library versions
Florian's post mentions
"the Address Sanitizer interceptors disable ABI compatibility with future
library versions."
This is understandable: a pointer into an array may be passed as 3 words
(array start, array end, and actual pointer value).
But for '-fsanitize=signed-integer-overflow' there is no reason for an
ABI change. It's only the code inside functions which behaves differently.
> > Would it make sense to tell the GCC people that
> > - the '-fsanitize=signed-integer-overflow
> > -fno-sanitize-recover=signed-integer-overflow'
> > options are practically useless when they force a dependency towards
> > libstdc++,
Reported as <https://gcc.gnu.org/bugzilla/show_bug.cgi?id=98165>.
> > - the 'ftrapv' option is useless when it does not work in combination
> > with
> > '-O2' ?
>
> I'm not observing the latter problem with GCC 10.2.1 (Red Hat 10.2.1-9) on
> Fedora 33 x86-64; maybe it's fixed now?
Oops, indeed. My test program could be optimized in a way that the overflow
disappears. Find attached a corrected test program.
So, '-fsanitize=signed-integer-overflow -fsanitize-undefined-trap-on-error' and
'-ftrapv' both work. The former generates better code, whereas the latter has
less surprising behaviour (an abort() is a better response than an illegal
instruction, IMO).
I'll try to use '-ftrapv' globally, to see how this works out.
Bruno
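As an added example (not the foo.c Bruno attached), here is a test program of the kind he describes: the operands live in volatile storage so that -O2 cannot optimize the overflow away, and a checked variant built on __builtin_add_overflow is included for comparison. The file name overflow-test.c in the comments is assumed.

```c
/* Added example, not the foo.c attached to this message: a signed-overflow
   test whose operands come from volatile storage, so -O2 cannot fold the
   addition away, plus a checked variant using __builtin_add_overflow. */
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>

/* Operands kept in volatile variables: the compiler must load them at run
   time, so the overflow below survives optimization. */
static volatile int lhs = INT_MAX;
static volatile int rhs = 1;

/* Plain signed addition.  Overflow here is undefined behaviour; with
   -ftrapv it ends in abort(), and with
   -fsanitize=signed-integer-overflow -fsanitize-undefined-trap-on-error
   it executes a trap instruction (SIGILL on x86). */
int add_unchecked(int a, int b)
{
  return a + b;
}

/* Overflow-checked addition: returns true and leaves *result untouched
   when a + b does not fit in int; otherwise stores the sum and returns
   false.  __builtin_add_overflow (GCC/Clang) computes the result in
   infinite precision, so this never triggers undefined behaviour. */
bool add_overflows(int a, int b, int *result)
{
  int tmp;
  if (__builtin_add_overflow(a, b, &tmp))
    return true;
  *result = tmp;
  return false;
}

int main(void)
{
  int sum;
  if (add_overflows(lhs, rhs, &sum))
    printf("checked: %d + %d overflows int\n", lhs, rhs);
  else
    printf("checked: %d + %d = %d\n", lhs, rhs, sum);

  /* Build with:  gcc -O2 -ftrapv overflow-test.c            (expect abort())
     or:          gcc -O2 -fsanitize=signed-integer-overflow \
                      -fsanitize-undefined-trap-on-error overflow-test.c
                                                            (expect SIGILL) */
  printf("unchecked: %d\n", add_unchecked(lhs, rhs));
  return 0;
}
```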
Attachment: foo.c (Text Data)