From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: by sourceware.org (Postfix, from userid 48) id 6DD753858D3C; Sun, 27 Nov 2022 21:31:21 +0000 (GMT) DKIM-Filter: OpenDKIM Filter v2.11.0 sourceware.org 6DD753858D3C DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gcc.gnu.org; s=default; t=1669584681; bh=qUzP6CK+b3p0NuspH1YwpmXFvyORBa1d9125gnUtY3E=; h=From:To:Subject:Date:From; b=DeWHMxIqZ4PBIgta66hxsulauz1ewayBeykn1toBdo41t2AyHV88fjsiv0tqo0MJK 14h/3pGiK71rmdRfuOaLolezCkx6BGRSVM1cjUpKMFA/p88SqRttkJyItTy6rROHna n4oHKcp/FRCWh4PnX2vwUBtbrzgRaJQW2sDTpeCY= From: "gcc at pkh dot me" To: gcc-bugs@gcc.gnu.org Subject: [Bug c/107890] New: UB on integer overflow impacts code flow Date: Sun, 27 Nov 2022 21:31:20 +0000 X-Bugzilla-Reason: CC X-Bugzilla-Type: new X-Bugzilla-Watch-Reason: None X-Bugzilla-Product: gcc X-Bugzilla-Component: c X-Bugzilla-Version: 12.2.0 X-Bugzilla-Keywords: X-Bugzilla-Severity: normal X-Bugzilla-Who: gcc at pkh dot me X-Bugzilla-Status: UNCONFIRMED X-Bugzilla-Resolution: X-Bugzilla-Priority: P3 X-Bugzilla-Assigned-To: unassigned at gcc dot gnu.org X-Bugzilla-Target-Milestone: --- X-Bugzilla-Flags: X-Bugzilla-Changed-Fields: bug_id short_desc product version bug_status bug_severity priority component assigned_to reporter target_milestone Message-ID: Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable X-Bugzilla-URL: http://gcc.gnu.org/bugzilla/ Auto-Submitted: auto-generated MIME-Version: 1.0 List-Id: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=3D107890 Bug ID: 107890 Summary: UB on integer overflow impacts code flow Product: gcc Version: 12.2.0 Status: UNCONFIRMED Severity: normal Priority: P3 Component: c Assignee: unassigned at gcc dot gnu.org Reporter: gcc at pkh dot me Target Milestone: --- Following is a code that is sensible to a signed integer overflow. I was un= der the impression that this kind of undefined behavior essentially meant that = the value of that integer could become unreliable. But apparently this is not limited to the value of said integer, it can also dramatically impact the c= ode flow. Here is the pathological code: #include #include #include uint8_t tab[0x1ff + 1]; uint8_t f(int32_t x) { if (x < 0) return 0; int32_t i =3D x * 0x1ff / 0xffff; if (i >=3D 0 && i < sizeof(tab)) { printf("tab[%d] looks safe because %d is between [0;%d[\n", i, = i, (int)sizeof(tab)); return tab[i]; } return 0; } int main(int ac, char **av) { return f(atoi(av[1])); } Triggering an overflow actually enters the printf/dereference scope, violat= ing the protective condition and thus causing a crash: % cc -Wall -O2 overflow.c -o overflow && ./overflow 50000000 tab[62183] looks safe because 62183 is between [0;512[ zsh: segmentation fault (core dumped) ./overflow 50000000 I feel extremely uncomfortable about an integer overflow actually impacting something else than the integer itself. Is it expected or is this a bug?=