* [Bug sanitizer/60275] [UBSAN] Add -f[no-]sanitize-recover/-fsanitize-undefined-trap-on-error to make UBSAN's runtime errors fatal
2014-02-19 14:04 [Bug sanitizer/60275] New: [UBSAN] Add -f[no-]sanitize-recover/-fsanitize-undefined-trap-on-error to make UBSAN's runtime errors fatal burnus at gcc dot gnu.org
@ 2014-02-19 14:08 ` mpolacek at gcc dot gnu.org
2014-03-28 15:57 ` burnus at gcc dot gnu.org
` (5 subsequent siblings)
6 siblings, 0 replies; 8+ messages in thread
From: mpolacek at gcc dot gnu.org @ 2014-02-19 14:08 UTC (permalink / raw)
To: gcc-bugs
http://gcc.gnu.org/bugzilla/show_bug.cgi?id=60275
Marek Polacek <mpolacek at gcc dot gnu.org> changed:
           What    |Removed                       |Added
----------------------------------------------------------------------------
             Status|UNCONFIRMED                   |ASSIGNED
   Last reconfirmed|                              |2014-02-19
           Assignee|unassigned at gcc dot gnu.org  |mpolacek at gcc dot gnu.org
     Ever confirmed|0                             |1
--- Comment #1 from Marek Polacek <mpolacek at gcc dot gnu.org> ---
Mine. I think this is 5.0 material.
From: burnus at gcc dot gnu.org @ 2014-03-28 15:57 UTC (permalink / raw)
To: gcc-bugs
http://gcc.gnu.org/bugzilla/show_bug.cgi?id=60275
--- Comment #2 from Tobias Burnus <burnus at gcc dot gnu.org> ---
Post script: CLANG has:
'-fsanitize=undefined' not allowed with '-fsanitize-undefined-trap-on-error'
And regarding the function call: With -fno-sanitize-recover one simply appends
an "_abort" to the function call, i.e. __ubsan_handle_add_overflow becomes
__ubsan_handle_add_overflow_abort. [For all functions but
__ubsan_handle_builtin_unreachable and __ubsan_handle_missing_return, which
always abort / Die() themselves.]
From: jakub at gcc dot gnu.org @ 2014-03-28 16:31 UTC (permalink / raw)
To: gcc-bugs
http://gcc.gnu.org/bugzilla/show_bug.cgi?id=60275
--- Comment #3 from Jakub Jelinek <jakub at gcc dot gnu.org> ---
I guess we shouldn't copy the design mistakes clang makes. What action to take
on detected undefined behavior should be orthogonal to how to report it
(runtime error message with recovery, fatal runtime error message or abort
without error message).
From: burnus at gcc dot gnu.org @ 2014-03-28 16:48 UTC (permalink / raw)
To: gcc-bugs
http://gcc.gnu.org/bugzilla/show_bug.cgi?id=60275
--- Comment #4 from Tobias Burnus <burnus at gcc dot gnu.org> ---
(In reply to Jakub Jelinek from comment #3)
> I guess we shouldn't copy the design mistakes clang makes. What action to
> take on detected undefined behavior should be orthogonal to how to report it
> (runtime error message with recovery, fatal runtime error message or abort
> without error message).
The question is how to implement this properly. One way is using environment
variables such as ASAN and TSAN do, which have environment variables, e.g. ASAN
has https://code.google.com/p/address-sanitizer/wiki/Flags#Run-time_flags ,
which permits:
  ASAN_OPTIONS=
    abort_on_error (default 0)
    exitcode (default 1)
    etc.
It would be also nice to have a back trace. (I had an always inlined add
function, which overflows and there pointing to the header file does not help
much.)
Still, it is also nice to be able to tell at compile time that failures should
be fatal as one can easily forget to set the environment variable. If one does
not want to go the route of Clang, I wonder how to handle it instead as one
does not have one initializing call to the library.
From: jakub at gcc dot gnu.org @ 2014-04-14 18:34 UTC (permalink / raw)
To: gcc-bugs
http://gcc.gnu.org/bugzilla/show_bug.cgi?id=60275
--- Comment #5 from Jakub Jelinek <jakub at gcc dot gnu.org> ---
Created attachment 32597
--> http://gcc.gnu.org/bugzilla/attachment.cgi?id=32597&action=edit
gcc410-pr60275.patch
Untested fix. Marek, sorry for hacking this up, but I'd like to backport it to
4.9-RH soon, some people complained about the lack of these features. I'll
leave all other ubsan hacking to you.
From: jakub at gcc dot gnu.org @ 2014-04-23 8:20 UTC (permalink / raw)
To: gcc-bugs
http://gcc.gnu.org/bugzilla/show_bug.cgi?id=60275
--- Comment #6 from Jakub Jelinek <jakub at gcc dot gnu.org> ---
Author: jakub
Date: Wed Apr 23 08:20:12 2014
New Revision: 209672
URL: http://gcc.gnu.org/viewcvs?rev=209672&root=gcc&view=rev
Log:
PR sanitizer/60275
* common.opt (fsanitize-recover, fsanitize-undefined-trap-on-error):
New options.
* gcc.c (sanitize_spec_function): Don't return "" for "undefined"
if flag_sanitize_undefined_trap_on_error.
* sanitizer.def (BUILT_IN_UBSAN_HANDLE_DIVREM_OVERFLOW_ABORT,
BUILT_IN_UBSAN_HANDLE_SHIFT_OUT_OF_BOUNDS_ABORT,
BUILT_IN_UBSAN_HANDLE_VLA_BOUND_NOT_POSITIVE_ABORT,
BUILT_IN_UBSAN_HANDLE_TYPE_MISMATCH_ABORT,
BUILT_IN_UBSAN_HANDLE_ADD_OVERFLOW_ABORT,
BUILT_IN_UBSAN_HANDLE_SUB_OVERFLOW_ABORT,
BUILT_IN_UBSAN_HANDLE_MUL_OVERFLOW_ABORT,
BUILT_IN_UBSAN_HANDLE_NEGATE_OVERFLOW_ABORT,
BUILT_IN_UBSAN_HANDLE_LOAD_INVALID_VALUE_ABORT): New builtins.
* ubsan.c (ubsan_instrument_unreachable): Return
__builtin_trap () if flag_sanitize_undefined_trap_on_error.
(ubsan_expand_null_ifn): Emit __builtin_trap ()
if flag_sanitize_undefined_trap_on_error and
__ubsan_handle_type_mismatch_abort if !flag_sanitize_recover.
(ubsan_expand_null_ifn, ubsan_build_overflow_builtin,
instrument_bool_enum_load): Emit __builtin_trap () if
flag_sanitize_undefined_trap_on_error and
__builtin_handle_*_abort () if !flag_sanitize_recover.
* doc/invoke.texi (-fsanitize-recover,
-fsanitize-undefined-trap-on-error): Document.
c-family/
* c-ubsan.c (ubsan_instrument_return): Return __builtin_trap ()
if flag_sanitize_undefined_trap_on_error.
(ubsan_instrument_division, ubsan_instrument_shift,
ubsan_instrument_vla): Likewise. Use __ubsan_handle_*_abort ()
if !flag_sanitize_recover.
testsuite/
* g++.dg/ubsan/return-2.C: Revert 2014-03-24 changes, add
-fno-sanitize-recover to dg-options.
* g++.dg/ubsan/cxx11-shift-1.C: Remove c++11 target restriction,
add -std=c++11 to dg-options.
* g++.dg/ubsan/cxx11-shift-2.C: Likewise.
* g++.dg/ubsan/cxx1y-vla.C: Remove c++1y target restriction,
add -std=c++1y to dg-options.
* c-c++-common/ubsan/undefined-1.c: Revert 2014-03-24 changes, add
-fno-sanitize-recover to dg-options.
* c-c++-common/ubsan/overflow-sub-1.c: Likewise.
* c-c++-common/ubsan/vla-4.c: Likewise.
* c-c++-common/ubsan/pr59503.c: Likewise.
* c-c++-common/ubsan/vla-3.c: Likewise.
* c-c++-common/ubsan/save-expr-1.c: Likewise.
* c-c++-common/ubsan/overflow-add-1.c: Likewise.
* c-c++-common/ubsan/shift-3.c: Likewise.
* c-c++-common/ubsan/overflow-1.c: Likewise.
* c-c++-common/ubsan/overflow-negate-2.c: Likewise.
* c-c++-common/ubsan/vla-2.c: Likewise.
* c-c++-common/ubsan/overflow-mul-1.c: Likewise.
* c-c++-common/ubsan/pr60613-1.c: Likewise.
* c-c++-common/ubsan/shift-6.c: Likewise.
* c-c++-common/ubsan/overflow-mul-3.c: Likewise.
* c-c++-common/ubsan/overflow-add-3.c: New test.
* c-c++-common/ubsan/overflow-add-4.c: New test.
* c-c++-common/ubsan/div-by-zero-6.c: New test.
* c-c++-common/ubsan/div-by-zero-7.c: New test.
Added:
trunk/gcc/testsuite/c-c++-common/ubsan/div-by-zero-6.c
trunk/gcc/testsuite/c-c++-common/ubsan/div-by-zero-7.c
trunk/gcc/testsuite/c-c++-common/ubsan/overflow-add-3.c
trunk/gcc/testsuite/c-c++-common/ubsan/overflow-add-4.c
Modified:
trunk/gcc/ChangeLog
trunk/gcc/c-family/ChangeLog
trunk/gcc/c-family/c-ubsan.c
trunk/gcc/common.opt
trunk/gcc/doc/invoke.texi
trunk/gcc/gcc.c
trunk/gcc/sanitizer.def
trunk/gcc/testsuite/ChangeLog
trunk/gcc/testsuite/c-c++-common/ubsan/overflow-1.c
trunk/gcc/testsuite/c-c++-common/ubsan/overflow-add-1.c
trunk/gcc/testsuite/c-c++-common/ubsan/overflow-mul-1.c
trunk/gcc/testsuite/c-c++-common/ubsan/overflow-mul-3.c
trunk/gcc/testsuite/c-c++-common/ubsan/overflow-negate-2.c
trunk/gcc/testsuite/c-c++-common/ubsan/overflow-sub-1.c
trunk/gcc/testsuite/c-c++-common/ubsan/pr59503.c
trunk/gcc/testsuite/c-c++-common/ubsan/pr60613-1.c
trunk/gcc/testsuite/c-c++-common/ubsan/save-expr-1.c
trunk/gcc/testsuite/c-c++-common/ubsan/shift-3.c
trunk/gcc/testsuite/c-c++-common/ubsan/shift-6.c
trunk/gcc/testsuite/c-c++-common/ubsan/undefined-1.c
trunk/gcc/testsuite/c-c++-common/ubsan/vla-2.c
trunk/gcc/testsuite/c-c++-common/ubsan/vla-3.c
trunk/gcc/testsuite/c-c++-common/ubsan/vla-4.c
trunk/gcc/testsuite/g++.dg/ubsan/cxx11-shift-1.C
trunk/gcc/testsuite/g++.dg/ubsan/cxx11-shift-2.C
trunk/gcc/testsuite/g++.dg/ubsan/cxx1y-vla.C
trunk/gcc/testsuite/g++.dg/ubsan/return-2.C
trunk/gcc/ubsan.c
From: jakub at gcc dot gnu.org @ 2014-04-23 8:46 UTC (permalink / raw)
To: gcc-bugs
http://gcc.gnu.org/bugzilla/show_bug.cgi?id=60275
Jakub Jelinek <jakub at gcc dot gnu.org> changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|ASSIGNED                    |RESOLVED
         Resolution|---                         |FIXED
--- Comment #7 from Jakub Jelinek <jakub at gcc dot gnu.org> ---
Implemented now.
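The three behaviours discussed in this thread (a recoverable report, a fatal report through the `_abort` handlers, and `__builtin_trap ()`) can be told apart by how the process ends. The harness below is an added example, not part of the thread or of the GCC commit: it runs a signed overflow in a child process and classifies the result. The names `classify`, `run_isolated` and `add_overflow` are hypothetical, and the mapping from exit status and signal to mode is an assumption about the runtime and target.

```c
/* Added example. Build three ways with the flags from this thread:
 *   gcc -fsanitize=undefined demo.c                                     report, continue
 *   gcc -fsanitize=undefined -fno-sanitize-recover demo.c               report, then die
 *   gcc -fsanitize=undefined -fsanitize-undefined-trap-on-error demo.c  trap, no report
 */
#include <limits.h>
#include <signal.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

typedef enum { RECOVERED, FATAL, TRAPPED, UNKNOWN } outcome_t;

/* Map a waitpid() status to the reporting mode it indicates (assumed mapping). */
outcome_t classify(int status) {
    if (WIFEXITED(status))
        return WEXITSTATUS(status) == 0 ? RECOVERED : FATAL;
    if (WIFSIGNALED(status)) {
        int sig = WTERMSIG(status);
        if (sig == SIGILL || sig == SIGTRAP) return TRAPPED; /* typical trap signals */
        if (sig == SIGABRT) return FATAL;
    }
    return UNKNOWN;
}

/* Run fn in a child so a fatal report or trap cannot take the harness down. */
outcome_t run_isolated(void (*fn)(void)) {
    int status;
    fflush(NULL);                      /* avoid duplicated buffered output */
    pid_t pid = fork();
    if (pid < 0) return UNKNOWN;
    if (pid == 0) { fn(); _exit(0); }  /* reached only if execution continued */
    if (waitpid(pid, &status, 0) != pid) return UNKNOWN;
    return classify(status);
}

/* Signed overflow; volatile keeps the addition from being folded away. */
void add_overflow(void) {
    volatile int a = INT_MAX, b = 1;
    volatile int sum = a + b;
    (void)sum;
}

int main(void) {
    static const char *names[] = { "recovered", "fatal", "trapped", "unknown" };
    printf("signed overflow outcome: %s\n", names[run_isolated(add_overflow)]);
    return 0;
}
```

Only the two fatal modes give a test harness or fuzzer a failing status to act on; in recover mode the diagnostic goes to stderr and the exit status stays 0.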