[Bug sanitizer/63806] New: #UBSAN ignores signed char possible overflow

[Bug sanitizer/63806] New: #UBSAN ignores signed char possible overflow

[m.zakirov at samsung dot com]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=63806

            Bug ID: 63806
           Summary: #UBSAN ignores signed char possible overflow
           Product: gcc
           Version: 5.0
            Status: UNCONFIRMED
          Severity: normal
          Priority: P3
         Component: sanitizer
          Assignee: unassigned at gcc dot gnu.org
          Reporter: m.zakirov at samsung dot com
                CC: dodji at gcc dot gnu.org, dvyukov at gcc dot gnu.org,
                    jakub at gcc dot gnu.org, kcc at gcc dot gnu.org

For the following example GCC with ubsan do not constructs UBSAN_ADD_CHECK for
signed char return value.

signed char a;
signed char b;

signed char foo ()
{
   return a + b;
}

Dump after ubsan

foo ()
{
  signed char a.0_2;
  unsigned char a.1_3;
  signed char b.2_4;
  unsigned char b.3_5;
  unsigned char _6;
  signed char _7;

  <bb 2>:
  a.0_2 = a;
  a.1_3 = (unsigned char) a.0_2;
  b.2_4 = b;
  b.3_5 = (unsigned char) b.2_4;
  _6 = a.1_3 + b.3_5;
  _7 = (signed char) _6;
  return _7;

}

Command line to reproduce

gcc -O3 t.c -fsanitize=signed-integer-overflow -fdump-tree-ubsan -S

[Bug sanitizer/63806] #UBSAN ignores signed char possible overflow

[jakub at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=63806

Jakub Jelinek <jakub at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|UNCONFIRMED                 |RESOLVED
         Resolution|---                         |INVALID

--- Comment #1 from Jakub Jelinek <jakub at gcc dot gnu.org> ---
?  That is the correct thing to do, there is no undefined behavior in C/C++ in
that testcase, for any a/b values.
a + b in C is computed on promoted arguments, so (signed char) ((int) a + (int)
b) in this case, so as long as signed char is narrower than int, it is fine.

[Bug sanitizer/63806] #UBSAN ignores signed char possible overflow

[y.gribov at samsung dot com]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=63806

--- Comment #2 from Yury Gribov <y.gribov at samsung dot com> ---
I think Marat meant that narrowing cast from int to char can be undefined and
it makes sense to emit some check for it as well.

[Bug sanitizer/63806] #UBSAN ignores signed char possible overflow

[jakub at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=63806

--- Comment #3 from Jakub Jelinek <jakub at gcc dot gnu.org> ---
No, narrowing conversion is implementation defined, and gcc defines that to the
modulo 2^N wrapping, so this is not undefined behavior, and furthermore,
something you'd complain about in pretty much all the code (there is no
difference between implicit and explicit narrowing cast).

[Bug sanitizer/63806] #UBSAN ignores signed char possible overflow

[y.gribov at samsung dot com]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=63806

--- Comment #4 from Yury Gribov <y.gribov at samsung dot com> ---
Looks like some compilers check integer demotions (e.g. MS checks with their
/RTCc flag).  I wonder if it makes sense to add an optional flag for this
(obviously not enabled under normal -fsanitize=undefined).

[Bug sanitizer/63806] #UBSAN ignores signed char possible overflow

[y.gribov at samsung dot com]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=63806

--- Comment #5 from Yury Gribov <y.gribov at samsung dot com> ---
I've posted feature request upstream:
http://llvm.org/bugs/show_bug.cgi?id=21530