public inbox for gcc-bugs@sourceware.org
* [Bug c++/44786] New: -fcatch-undefined-behavior: Turn on runtime code generation to check for undefined behavior
@ 2010-07-02 16:47 manu at gcc dot gnu dot org
From: manu at gcc dot gnu dot org @ 2010-07-02 16:47 UTC (permalink / raw)
To: gcc-bugs
Clang provides a number of ways to control code generation. The options are
listed below.
-fcatch-undefined-behavior: Turn on runtime code generation to check for
undefined behavior.
This option, which defaults to off, controls whether or not Clang adds
runtime checks for undefined runtime behavior. If the check fails,
__builtin_trap() is used to indicate failure. The checks are:
# Subscripting where the static type of one operand is a variable which is
decayed from an array type and the other operand is greater than the size of
the array or less than zero.
# Shift operators where the amount shifted is greater or equal to the
promoted bit-width of the left-hand-side or less than zero.
# If control flow reaches __builtin_unreachable.
--
Summary: -fcatch-undefined-behavior: Turn on runtime code
generation to check for undefined behavior
Product: gcc
Version: unknown
Status: UNCONFIRMED
Severity: enhancement
Priority: P3
Component: c++
AssignedTo: unassigned at gcc dot gnu dot org
ReportedBy: manu at gcc dot gnu dot org
http://gcc.gnu.org/bugzilla/show_bug.cgi?id=44786
* [Bug c++/44786] -fcatch-undefined-behavior: Turn on runtime code generation to check for undefined behavior
From: pinskia at gcc dot gnu dot org @ 2010-07-05 1:22 UTC (permalink / raw)
To: gcc-bugs
------- Comment #1 from pinskia at gcc dot gnu dot org 2010-07-05 01:21 -------
-ftrapv checks for one undefined behavior which is not mentioned in that list.
Why isn't that listed?
> # Shift operators where the amount shifted is greater or equal to the
> promoted bit-width of the left-hand-side or less than zero.
I think C90 and C99 say slightly different things here.
Really I think this is not a good option. It adds a huge overhead in some
cases and does not fix a security issue. In fact it allows the developer to
feel more safe when in reality they are not.
--
http://gcc.gnu.org/bugzilla/show_bug.cgi?id=44786
* [Bug c++/44786] -fcatch-undefined-behavior: Turn on runtime code generation to check for undefined behavior
From: joseph at codesourcery dot com @ 2010-07-23 20:41 UTC (permalink / raw)
To: gcc-bugs
------- Comment #2 from joseph at codesourcery dot com 2010-07-23 20:41 -------
Subject: Re: -fcatch-undefined-behavior: Turn on runtime code
generation to check for undefined behavior
On Mon, 5 Jul 2010, pinskia at gcc dot gnu dot org wrote:
> -ftrapv checks for one undefined behavior which is not mentioned in that list.
> Why isn't that listed?
>
> > # Shift operators where the amount shifted is greater or equal to the
> > promoted bit-width of the left-hand-side or less than zero.
>
> I think C90 and C99 say slightly different things here.
You may be thinking of the cases of signed left shift that are undefined
only in C99 (and implementation-defined in C90).
I think having options to trap on various detectable cases of undefined
behavior *is* a good idea, but there should be separate options for the
separate cases. Thus we already have -ftrapv (which, if made to work
properly, might have different variants for strict detection of overflow
and for allowing overflows to be folded away) and could add -ftrapv-shift
to detect cases of shift counts out of range (similarly, -fwrapv-shift to
give defined results for such shifts). You might then consider a
catch-all option to enable the various separate options.
The C1x drafts have a woefully underdefined Analyzability annex describing
an option that bounds most kinds of undefined behavior. If this ever gets
better specified than it is at present, there would be various
possibilities for an option to implement that annex, either trapping on
particular undefined behavior or bounding what effects it has.
--
http://gcc.gnu.org/bugzilla/show_bug.cgi?id=44786
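The three Clang checks from the opening report, the signed-overflow case pinskia says -ftrapv covers, and the C90/C99 shift difference Joseph mentions, written out as plain C functions that return a status where an instrumented build would call __builtin_trap(). This is an added example, not code from the thread or from GCC/Clang; the enum, function names and the c99_rules flag are my own naming.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>

/* Outcome of a runtime check. An instrumented build would call
 * __builtin_trap() where this code returns UB_DETECTED. */
enum ub_status { UB_OK = 0, UB_DETECTED = 1 };

/* Clang check 1: subscript on a decayed array with an index that is
 * negative or not less than the array's element count. */
enum ub_status check_subscript(long index, unsigned long count) {
    return (index < 0 || (unsigned long)index >= count) ? UB_DETECTED : UB_OK;
}

/* Clang check 2: shift count negative or >= promoted bit-width of the LHS. */
enum ub_status check_shift_count(int count, unsigned lhs_bits) {
    return (count < 0 || (unsigned)count >= lhs_bits) ? UB_DETECTED : UB_OK;
}

/* The case covered by -ftrapv rather than the Clang list: signed addition
 * overflow, detected here with the GCC/Clang __builtin_add_overflow. */
enum ub_status check_signed_add(int a, int b, int *result) {
    return __builtin_add_overflow(a, b, result) ? UB_DETECTED : UB_OK;
}

/* Left shift with the count check. c99_rules additionally rejects a negative
 * left operand and a result that does not fit in int (undefined in C99,
 * implementation-defined in C90, the difference Joseph points out). */
enum ub_status checked_shl(int x, int count, int *result, bool c99_rules) {
    unsigned bits = sizeof(int) * CHAR_BIT;
    if (check_shift_count(count, bits) == UB_DETECTED)
        return UB_DETECTED;
    if (c99_rules) {
        if (x < 0)
            return UB_DETECTED;
        /* x * 2^count fits in int only if x < 2^(bits - 1 - count) */
        if (count > 0 && x >= (1 << (bits - 1 - count)))
            return UB_DETECTED;
    }
    *result = (int)((unsigned)x << count);  /* bit pattern of the shift */
    return UB_OK;
}

int main(void) {
    int r;
    printf("1 << 31, C90 rules: %s\n", checked_shl(1, 31, &r, false) == UB_OK ? "ok" : "UB");
    printf("1 << 31, C99 rules: %s\n", checked_shl(1, 31, &r, true) == UB_OK ? "ok" : "UB");
    printf("INT_MAX + 1: %s\n", check_signed_add(INT_MAX, 1, &r) == UB_OK ? "ok" : "UB");
    return 0;
}
```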
* [Bug c++/44786] -fcatch-undefined-behavior: Turn on runtime code generation to check for undefined behavior
From: redi at gcc dot gnu.org @ 2012-04-08 14:06 UTC (permalink / raw)
To: gcc-bugs
http://gcc.gnu.org/bugzilla/show_bug.cgi?id=44786
--- Comment #4 from Jonathan Wakely <redi at gcc dot gnu.org> 2012-04-08 14:06:31 UTC ---
Indeed. I think it's meant to be useful for catching some of the problems that
valgrind identifies, and valgrind has even more performance overhead.
That said, although I haven't used it heavily, clang's
-fcatch-undefined-behavior has never caught any problems for me. YMMV.
* [Bug c++/44786] -fcatch-undefined-behavior: Turn on runtime code generation to check for undefined behavior
From: vanyacpp at gmail dot com @ 2012-04-08 12:11 UTC (permalink / raw)
To: gcc-bugs
http://gcc.gnu.org/bugzilla/show_bug.cgi?id=44786
Ivan Sorokin <vanyacpp at gmail dot com> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |vanyacpp at gmail dot com
--- Comment #3 from Ivan Sorokin <vanyacpp at gmail dot com> 2012-04-08 12:11:02 UTC ---
> Really I think this is not a good option. It adds a huge overhead in some
> cases and does not fix a security issue. In fact it allows the developer to
> feel more safe when in reality they are not.
I think the rationale for this checking is not a security issue, but the ease
of debugging. When a program is shipped to end user these checks could be
omitted.