From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: by sourceware.org (Postfix, from userid 48) id F2F0E3858407; Tue, 14 Sep 2021 15:57:28 +0000 (GMT) DKIM-Filter: OpenDKIM Filter v2.11.0 sourceware.org F2F0E3858407 From: "kees at outflux dot net" To: gcc-bugs@gcc.gnu.org Subject: [Bug sanitizer/102317] signed integer overflow sanitizer cannot work well with -fno-strict-overflow Date: Tue, 14 Sep 2021 15:57:28 +0000 X-Bugzilla-Reason: CC X-Bugzilla-Type: changed X-Bugzilla-Watch-Reason: None X-Bugzilla-Product: gcc X-Bugzilla-Component: sanitizer X-Bugzilla-Version: 12.0 X-Bugzilla-Keywords: X-Bugzilla-Severity: normal X-Bugzilla-Who: kees at outflux dot net X-Bugzilla-Status: RESOLVED X-Bugzilla-Resolution: INVALID X-Bugzilla-Priority: P3 X-Bugzilla-Assigned-To: unassigned at gcc dot gnu.org X-Bugzilla-Target-Milestone: --- X-Bugzilla-Flags: X-Bugzilla-Changed-Fields: Message-ID: In-Reply-To: References: Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable X-Bugzilla-URL: http://gcc.gnu.org/bugzilla/ Auto-Submitted: auto-generated MIME-Version: 1.0 X-BeenThere: gcc-bugs@gcc.gnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: Gcc-bugs mailing list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 14 Sep 2021 15:57:29 -0000 https://gcc.gnu.org/bugzilla/show_bug.cgi?id=3D102317 --- Comment #7 from Kees Cook --- The problem the kernel needs to solve is basically having our cake and eati= ng it too. :) In _most_ situations, we want signed overflows to trap (i.e. get caught by "-fsanitize=3Dsigned-integer-overflow"). In some limited situations, we want to be able to depend on 2s-complement wrap-around on overflow -- and we would create a helper function to do this work, marked with __attribute__((no_sanitize("signed-integer-overflow"))). = (We need this most for our atomic_t/refcount_t code, as well as all the open-co= ded bounds checks -- see details below.) For the latter case (wrap-around), the kernel must depend on the effects of "-fwrapv-pointer" and "-fwrapv" because otherwise some cases end up being elided due to being classified as undefined behavior. (In reply to Jakub Jelinek from comment #6) > That doesn't make sense. -fsanitize=3Dsigned-integer-overflow also remov= es > that undefined behavior by defining what happens on signed integer overfl= ow, > one can choose whether to get a non-fatal runtime diagnostic + wrapv > behavior, or fatal runtime diagnostic, or just abort. There doesn't appear to be a way to remove the UB _and_ the diagnostic on a case-by-case basis. The matrix of behaviors: code generation: UB, no UB (2s-complement wrap-around) diagnostics: no diagnostic, warn or trap -fno-strict-overflow provides "no UB", and "no diagnostic". ("warn or trap"= are not available.) -fsanitize=3Dsigned-integer-overflow provides "no UB" and "warn or trap". (= "no diagnostic" is not available; using __attribute__((no_sanitize("signed-integer-overflow"))) also removes "no UB= ") So, on a per-function basis, we need to _either_ catch overflow _or_ deterministically perform 2s-complement wrap-around. If there's a way to achieve this already, I would be very grateful, as I've= not been able to find the correct combination. Background on the kernel's use of -fno-strict-overflow: https://git.kernel.org/linus/a137802ee839ace40079bebde24cfb416f73208a and (earlier) -fwrapv: https://git.kernel.org/linus/68df3755e383e6fecf2354a67b08f92f18536594 An example of wanting no-UB without diagnostic: https://git.kernel.org/linus/adb03115f4590baa280ddc440a8eff08a6be0cb7 which ultimately had to be reverted: https://git.kernel.org/linus/a6211caa634da39d861a47437ffcda8b38ef421b and all of UBSAN integer overflow support was removed: https://git.kernel.org/linus/6aaa31aeb9cf260e1b7155cc11ec864f052db5ec=