[clang] Sanitizer: Support -fwrapv with -fsanitize=signed-integer-overflow (PR #82432)
nikic wrote: > > Shouldn't plain `-fsanitize=undefined` disable this sanitizer by default > > (requiring explicit opt-in)? In `-fwrapv` mode this is not undefined > > behavior, so `-fsanitize=undefined` should not complain about it. > > I was on the fence whether `-fsanitize=undefined` should expand to > signed-integer-overflow: [#80089 > (comment)](https://github.com/llvm/llvm-project/pull/80089#issuecomment-1945202620) > > Perhaps you have run into some convenience issues? #85501 for the > signed-integer-overflow suppresion. I don't use `-fwrapv` myself, so this is more a philosophical consideration. It seems wrong to me for `-fsanitize=undefined` to report something as undefined behavior which is not undefined behavior in the used language dialect. `-fsanitize=undefined` already has a lot of checks that are conditioned on the used language dialect, so excluding the signed overflow case in particular from that general approach it is a bit odd. Thanks for putting up the patch! https://github.com/llvm/llvm-project/pull/82432 ___ cfe-commits mailing list cfe-commits@lists.llvm.org https://lists.llvm.org/cgi-bin/mailman/listinfo/cfe-commits
[clang] Sanitizer: Support -fwrapv with -fsanitize=signed-integer-overflow (PR #82432)
MaskRay wrote: > Shouldn't plain `-fsanitize=undefined` disable this sanitizer by default > (requiring explicit opt-in)? In `-fwrapv` mode this is not undefined > behavior, so `-fsanitize=undefined` should not complain about it. I was on the fence whether `-fsanitize=undefined` should expand to signed-integer-overflow: https://github.com/llvm/llvm-project/pull/80089#issuecomment-1945202620 Perhaps you have run into some convenience issues? #85501 for the signed-integer-overflow suppresion. https://github.com/llvm/llvm-project/pull/82432 ___ cfe-commits mailing list cfe-commits@lists.llvm.org https://lists.llvm.org/cgi-bin/mailman/listinfo/cfe-commits
[clang] Sanitizer: Support -fwrapv with -fsanitize=signed-integer-overflow (PR #82432)
nikic wrote: Shouldn't plain `-fsanitize=undefined` disable this sanitizer by default (requiring explicit opt-in)? In `-fwrapv` mode this is not undefined behavior, so `-fsanitize=undefined` should not complain about it. https://github.com/llvm/llvm-project/pull/82432 ___ cfe-commits mailing list cfe-commits@lists.llvm.org https://lists.llvm.org/cgi-bin/mailman/listinfo/cfe-commits
[clang] Sanitizer: Support -fwrapv with -fsanitize=signed-integer-overflow (PR #82432)
github-actions[bot] wrote: @JustinStitt Congratulations on having your first Pull Request (PR) merged into the LLVM Project! Your changes will be combined with recent changes from other authors, then tested by our [build bots](https://lab.llvm.org/buildbot/). If there is a problem with a build, you may recieve a report in an email or a comment on this PR. Please check whether problems have been caused by your change specifically, as the builds can include changes from many authors. It is not uncommon for your change to be included in a build that fails due to someone else's changes, or infrastructure issues. How to do this, and the rest of the post-merge process, is covered in detail [here](https://llvm.org/docs/MyFirstTypoFix.html#myfirsttypofix-issues-after-landing-your-pr). If your change does cause a problem, it may be reverted, or you can revert it yourself. This is a normal part of [LLVM development](https://llvm.org/docs/DeveloperPolicy.html#patch-reversion-policy). You can fix your changes and open a new PR to merge them again. If you don't get any reports, no action is required from you. Your changes are working as expected, well done! https://github.com/llvm/llvm-project/pull/82432 ___ cfe-commits mailing list cfe-commits@lists.llvm.org https://lists.llvm.org/cgi-bin/mailman/listinfo/cfe-commits
[clang] Sanitizer: Support -fwrapv with -fsanitize=signed-integer-overflow (PR #82432)
https://github.com/bwendling closed https://github.com/llvm/llvm-project/pull/82432 ___ cfe-commits mailing list cfe-commits@lists.llvm.org https://lists.llvm.org/cgi-bin/mailman/listinfo/cfe-commits
[clang] Sanitizer: Support -fwrapv with -fsanitize=signed-integer-overflow (PR #82432)
https://github.com/bwendling approved this pull request. https://github.com/llvm/llvm-project/pull/82432 ___ cfe-commits mailing list cfe-commits@lists.llvm.org https://lists.llvm.org/cgi-bin/mailman/listinfo/cfe-commits
[clang] Sanitizer: Support -fwrapv with -fsanitize=signed-integer-overflow (PR #82432)
https://github.com/kees approved this pull request. Working as expected for me! https://github.com/llvm/llvm-project/pull/82432 ___ cfe-commits mailing list cfe-commits@lists.llvm.org https://lists.llvm.org/cgi-bin/mailman/listinfo/cfe-commits
[clang] Sanitizer: Support -fwrapv with -fsanitize=signed-integer-overflow (PR #82432)
kees wrote: This doesn't seem to do anything for me with the Linux kernel's -next branch (which supports -sio as `CONFIG_UBSAN_SIGNED_WRAP=y`). e.g. I see no behavioral difference with test_ubsan.ko nor the expected atomic overflows. https://github.com/llvm/llvm-project/pull/82432 ___ cfe-commits mailing list cfe-commits@lists.llvm.org https://lists.llvm.org/cgi-bin/mailman/listinfo/cfe-commits
[clang] Sanitizer: Support -fwrapv with -fsanitize=signed-integer-overflow (PR #82432)
https://github.com/MaskRay approved this pull request. https://github.com/llvm/llvm-project/pull/82432 ___ cfe-commits mailing list cfe-commits@lists.llvm.org https://lists.llvm.org/cgi-bin/mailman/listinfo/cfe-commits
[clang] Sanitizer: Support -fwrapv with -fsanitize=signed-integer-overflow (PR #82432)
https://github.com/JustinStitt edited https://github.com/llvm/llvm-project/pull/82432 ___ cfe-commits mailing list cfe-commits@lists.llvm.org https://lists.llvm.org/cgi-bin/mailman/listinfo/cfe-commits
[clang] Sanitizer: Support -fwrapv with -fsanitize=signed-integer-overflow (PR #82432)
@@ -70,6 +77,7 @@ void test1(void) { // WRAPV: add i8 {{.*}}, 1 JustinStitt wrote: How's [1d9cb0a](https://github.com/llvm/llvm-project/pull/82432/commits/1d9cb0aca8985aa1636780b3ff9a863962cc2d57) look? https://github.com/llvm/llvm-project/pull/82432 ___ cfe-commits mailing list cfe-commits@lists.llvm.org https://lists.llvm.org/cgi-bin/mailman/listinfo/cfe-commits
[clang] Sanitizer: Support -fwrapv with -fsanitize=signed-integer-overflow (PR #82432)
https://github.com/JustinStitt updated https://github.com/llvm/llvm-project/pull/82432 >From b02b09b9eb4f9a8ac60dd077d95c67b959db3b70 Mon Sep 17 00:00:00 2001 From: Justin Stitt Date: Tue, 20 Feb 2024 22:21:02 + Subject: [PATCH 1/4] support fwrapv with signed int overflow sanitizer --- clang/docs/ReleaseNotes.rst | 3 +++ clang/docs/UndefinedBehaviorSanitizer.rst | 9 + clang/lib/CodeGen/CGExprScalar.cpp| 16 clang/test/CodeGen/integer-overflow.c | 12 4 files changed, 32 insertions(+), 8 deletions(-) diff --git a/clang/docs/ReleaseNotes.rst b/clang/docs/ReleaseNotes.rst index 5bca2c965c866b..685b19cabeb82c 100644 --- a/clang/docs/ReleaseNotes.rst +++ b/clang/docs/ReleaseNotes.rst @@ -399,6 +399,9 @@ Moved checkers Sanitizers -- +- ``-fsanitize=signed-integer-overflow`` now instruments signed arithmetic even + when ``-fwrapv`` is enabled. Previously, only division checks were enabled. + Python Binding Changes -- diff --git a/clang/docs/UndefinedBehaviorSanitizer.rst b/clang/docs/UndefinedBehaviorSanitizer.rst index b8ad3804f18903..8f58c92bd2a163 100644 --- a/clang/docs/UndefinedBehaviorSanitizer.rst +++ b/clang/docs/UndefinedBehaviorSanitizer.rst @@ -190,10 +190,11 @@ Available checks are: - ``-fsanitize=signed-integer-overflow``: Signed integer overflow, where the result of a signed integer computation cannot be represented in its type. This includes all the checks covered by ``-ftrapv``, as well as checks for - signed division overflow (``INT_MIN/-1``), but not checks for - lossy implicit conversions performed before the computation - (see ``-fsanitize=implicit-conversion``). Both of these two issues are - handled by ``-fsanitize=implicit-conversion`` group of checks. + signed division overflow (``INT_MIN/-1``). Note that checks are still + added even when ``-fwrapv`` is enabled. This sanitizer does not check for + lossy implicit conversions performed before the computation (see + ``-fsanitize=implicit-conversion``). Both of these two issues are handled + by ``-fsanitize=implicit-conversion`` group of checks. - ``-fsanitize=unreachable``: If control flow reaches an unreachable program point. - ``-fsanitize=unsigned-integer-overflow``: Unsigned integer overflow, where diff --git a/clang/lib/CodeGen/CGExprScalar.cpp b/clang/lib/CodeGen/CGExprScalar.cpp index 576734e460b9c1..7621d9bcdec991 100644 --- a/clang/lib/CodeGen/CGExprScalar.cpp +++ b/clang/lib/CodeGen/CGExprScalar.cpp @@ -723,7 +723,9 @@ class ScalarExprEmitter if (Ops.Ty->isSignedIntegerOrEnumerationType()) { switch (CGF.getLangOpts().getSignedOverflowBehavior()) { case LangOptions::SOB_Defined: -return Builder.CreateMul(Ops.LHS, Ops.RHS, "mul"); +if (!CGF.SanOpts.has(SanitizerKind::SignedIntegerOverflow)) + return Builder.CreateMul(Ops.LHS, Ops.RHS, "mul"); +[[fallthrough]]; case LangOptions::SOB_Undefined: if (!CGF.SanOpts.has(SanitizerKind::SignedIntegerOverflow)) return Builder.CreateNSWMul(Ops.LHS, Ops.RHS, "mul"); @@ -2568,7 +2570,9 @@ llvm::Value *ScalarExprEmitter::EmitIncDecConsiderOverflowBehavior( StringRef Name = IsInc ? "inc" : "dec"; switch (CGF.getLangOpts().getSignedOverflowBehavior()) { case LangOptions::SOB_Defined: -return Builder.CreateAdd(InVal, Amount, Name); +if (!CGF.SanOpts.has(SanitizerKind::SignedIntegerOverflow)) +return Builder.CreateAdd(InVal, Amount, Name); +[[fallthrough]]; case LangOptions::SOB_Undefined: if (!CGF.SanOpts.has(SanitizerKind::SignedIntegerOverflow)) return Builder.CreateNSWAdd(InVal, Amount, Name); @@ -3913,7 +3917,9 @@ Value *ScalarExprEmitter::EmitAdd(const BinOpInfo &op) { if (op.Ty->isSignedIntegerOrEnumerationType()) { switch (CGF.getLangOpts().getSignedOverflowBehavior()) { case LangOptions::SOB_Defined: - return Builder.CreateAdd(op.LHS, op.RHS, "add"); + if (!CGF.SanOpts.has(SanitizerKind::SignedIntegerOverflow)) +return Builder.CreateAdd(op.LHS, op.RHS, "add"); + [[fallthrough]]; case LangOptions::SOB_Undefined: if (!CGF.SanOpts.has(SanitizerKind::SignedIntegerOverflow)) return Builder.CreateNSWAdd(op.LHS, op.RHS, "add"); @@ -4067,7 +4073,9 @@ Value *ScalarExprEmitter::EmitSub(const BinOpInfo &op) { if (op.Ty->isSignedIntegerOrEnumerationType()) { switch (CGF.getLangOpts().getSignedOverflowBehavior()) { case LangOptions::SOB_Defined: -return Builder.CreateSub(op.LHS, op.RHS, "sub"); +if (!CGF.SanOpts.has(SanitizerKind::SignedIntegerOverflow)) + return Builder.CreateSub(op.LHS, op.RHS, "sub"); +[[fallthrough]]; case LangOptions::SOB_Undefined: if (!CGF.SanOpts.has(SanitizerKind::SignedIntegerOverflow)) return Builder.CreateNSWSub(op.LHS, op.RHS, "sub"); d
[clang] Sanitizer: Support -fwrapv with -fsanitize=signed-integer-overflow (PR #82432)
@@ -70,6 +77,7 @@ void test1(void) { // WRAPV: add i8 {{.*}}, 1 MaskRay wrote: L72 needs a `// CATCH_WRAP: getelementptr i32, ptr` Actually, since -fsanitize=signed-integer-overflow and -fwrapv -fsanitize=signed-integer-overflow share so many checks. Perhaps share the check prefixes? ``` --check-prefixes=CATCH_UB,CATCH_UB_POINTER --check-prefixes=CATCH_UB,NOCATCH_UB_POINTER ``` https://github.com/llvm/llvm-project/pull/82432 ___ cfe-commits mailing list cfe-commits@lists.llvm.org https://lists.llvm.org/cgi-bin/mailman/listinfo/cfe-commits
[clang] Sanitizer: Support -fwrapv with -fsanitize=signed-integer-overflow (PR #82432)
@@ -399,6 +399,9 @@ Moved checkers Sanitizers -- +- ``-fsanitize=signed-integer-overflow`` now instruments signed arithmetic even + when ``-fwrapv`` is enabled. Previously, only division checks were enabled. JustinStitt wrote: Gotcha, resolved with [0182698](https://github.com/llvm/llvm-project/pull/82432/commits/018269881647673b530b8cb4611c7a380a5a1b5c). Let me know if this is detailed enough 😄 https://github.com/llvm/llvm-project/pull/82432 ___ cfe-commits mailing list cfe-commits@lists.llvm.org https://lists.llvm.org/cgi-bin/mailman/listinfo/cfe-commits
[clang] Sanitizer: Support -fwrapv with -fsanitize=signed-integer-overflow (PR #82432)
https://github.com/JustinStitt updated https://github.com/llvm/llvm-project/pull/82432 >From b02b09b9eb4f9a8ac60dd077d95c67b959db3b70 Mon Sep 17 00:00:00 2001 From: Justin Stitt Date: Tue, 20 Feb 2024 22:21:02 + Subject: [PATCH 1/3] support fwrapv with signed int overflow sanitizer --- clang/docs/ReleaseNotes.rst | 3 +++ clang/docs/UndefinedBehaviorSanitizer.rst | 9 + clang/lib/CodeGen/CGExprScalar.cpp| 16 clang/test/CodeGen/integer-overflow.c | 12 4 files changed, 32 insertions(+), 8 deletions(-) diff --git a/clang/docs/ReleaseNotes.rst b/clang/docs/ReleaseNotes.rst index 5bca2c965c866b..685b19cabeb82c 100644 --- a/clang/docs/ReleaseNotes.rst +++ b/clang/docs/ReleaseNotes.rst @@ -399,6 +399,9 @@ Moved checkers Sanitizers -- +- ``-fsanitize=signed-integer-overflow`` now instruments signed arithmetic even + when ``-fwrapv`` is enabled. Previously, only division checks were enabled. + Python Binding Changes -- diff --git a/clang/docs/UndefinedBehaviorSanitizer.rst b/clang/docs/UndefinedBehaviorSanitizer.rst index b8ad3804f18903..8f58c92bd2a163 100644 --- a/clang/docs/UndefinedBehaviorSanitizer.rst +++ b/clang/docs/UndefinedBehaviorSanitizer.rst @@ -190,10 +190,11 @@ Available checks are: - ``-fsanitize=signed-integer-overflow``: Signed integer overflow, where the result of a signed integer computation cannot be represented in its type. This includes all the checks covered by ``-ftrapv``, as well as checks for - signed division overflow (``INT_MIN/-1``), but not checks for - lossy implicit conversions performed before the computation - (see ``-fsanitize=implicit-conversion``). Both of these two issues are - handled by ``-fsanitize=implicit-conversion`` group of checks. + signed division overflow (``INT_MIN/-1``). Note that checks are still + added even when ``-fwrapv`` is enabled. This sanitizer does not check for + lossy implicit conversions performed before the computation (see + ``-fsanitize=implicit-conversion``). Both of these two issues are handled + by ``-fsanitize=implicit-conversion`` group of checks. - ``-fsanitize=unreachable``: If control flow reaches an unreachable program point. - ``-fsanitize=unsigned-integer-overflow``: Unsigned integer overflow, where diff --git a/clang/lib/CodeGen/CGExprScalar.cpp b/clang/lib/CodeGen/CGExprScalar.cpp index 576734e460b9c1..7621d9bcdec991 100644 --- a/clang/lib/CodeGen/CGExprScalar.cpp +++ b/clang/lib/CodeGen/CGExprScalar.cpp @@ -723,7 +723,9 @@ class ScalarExprEmitter if (Ops.Ty->isSignedIntegerOrEnumerationType()) { switch (CGF.getLangOpts().getSignedOverflowBehavior()) { case LangOptions::SOB_Defined: -return Builder.CreateMul(Ops.LHS, Ops.RHS, "mul"); +if (!CGF.SanOpts.has(SanitizerKind::SignedIntegerOverflow)) + return Builder.CreateMul(Ops.LHS, Ops.RHS, "mul"); +[[fallthrough]]; case LangOptions::SOB_Undefined: if (!CGF.SanOpts.has(SanitizerKind::SignedIntegerOverflow)) return Builder.CreateNSWMul(Ops.LHS, Ops.RHS, "mul"); @@ -2568,7 +2570,9 @@ llvm::Value *ScalarExprEmitter::EmitIncDecConsiderOverflowBehavior( StringRef Name = IsInc ? "inc" : "dec"; switch (CGF.getLangOpts().getSignedOverflowBehavior()) { case LangOptions::SOB_Defined: -return Builder.CreateAdd(InVal, Amount, Name); +if (!CGF.SanOpts.has(SanitizerKind::SignedIntegerOverflow)) +return Builder.CreateAdd(InVal, Amount, Name); +[[fallthrough]]; case LangOptions::SOB_Undefined: if (!CGF.SanOpts.has(SanitizerKind::SignedIntegerOverflow)) return Builder.CreateNSWAdd(InVal, Amount, Name); @@ -3913,7 +3917,9 @@ Value *ScalarExprEmitter::EmitAdd(const BinOpInfo &op) { if (op.Ty->isSignedIntegerOrEnumerationType()) { switch (CGF.getLangOpts().getSignedOverflowBehavior()) { case LangOptions::SOB_Defined: - return Builder.CreateAdd(op.LHS, op.RHS, "add"); + if (!CGF.SanOpts.has(SanitizerKind::SignedIntegerOverflow)) +return Builder.CreateAdd(op.LHS, op.RHS, "add"); + [[fallthrough]]; case LangOptions::SOB_Undefined: if (!CGF.SanOpts.has(SanitizerKind::SignedIntegerOverflow)) return Builder.CreateNSWAdd(op.LHS, op.RHS, "add"); @@ -4067,7 +4073,9 @@ Value *ScalarExprEmitter::EmitSub(const BinOpInfo &op) { if (op.Ty->isSignedIntegerOrEnumerationType()) { switch (CGF.getLangOpts().getSignedOverflowBehavior()) { case LangOptions::SOB_Defined: -return Builder.CreateSub(op.LHS, op.RHS, "sub"); +if (!CGF.SanOpts.has(SanitizerKind::SignedIntegerOverflow)) + return Builder.CreateSub(op.LHS, op.RHS, "sub"); +[[fallthrough]]; case LangOptions::SOB_Undefined: if (!CGF.SanOpts.has(SanitizerKind::SignedIntegerOverflow)) return Builder.CreateNSWSub(op.LHS, op.RHS, "sub"); d
[clang] Sanitizer: Support -fwrapv with -fsanitize=signed-integer-overflow (PR #82432)
vitalybuka wrote: LGTM https://github.com/llvm/llvm-project/pull/82432 ___ cfe-commits mailing list cfe-commits@lists.llvm.org https://lists.llvm.org/cgi-bin/mailman/listinfo/cfe-commits
[clang] Sanitizer: Support -fwrapv with -fsanitize=signed-integer-overflow (PR #82432)
@@ -399,6 +399,9 @@ Moved checkers Sanitizers -- +- ``-fsanitize=signed-integer-overflow`` now instruments signed arithmetic even + when ``-fwrapv`` is enabled. Previously, only division checks were enabled. vitalybuka wrote: It should work, it's about release note As a hint if users who had `-fsanitize=undefined -fwrapv` and not they suddenly see reports. https://github.com/llvm/llvm-project/pull/82432 ___ cfe-commits mailing list cfe-commits@lists.llvm.org https://lists.llvm.org/cgi-bin/mailman/listinfo/cfe-commits
[clang] Sanitizer: Support -fwrapv with -fsanitize=signed-integer-overflow (PR #82432)
@@ -723,7 +723,9 @@ class ScalarExprEmitter if (Ops.Ty->isSignedIntegerOrEnumerationType()) { switch (CGF.getLangOpts().getSignedOverflowBehavior()) { case LangOptions::SOB_Defined: -return Builder.CreateMul(Ops.LHS, Ops.RHS, "mul"); +if (!CGF.SanOpts.has(SanitizerKind::SignedIntegerOverflow)) vitalybuka wrote: not the same https://github.com/llvm/llvm-project/pull/82432 ___ cfe-commits mailing list cfe-commits@lists.llvm.org https://lists.llvm.org/cgi-bin/mailman/listinfo/cfe-commits
[clang] Sanitizer: Support -fwrapv with -fsanitize=signed-integer-overflow (PR #82432)
@@ -399,6 +399,9 @@ Moved checkers Sanitizers -- +- ``-fsanitize=signed-integer-overflow`` now instruments signed arithmetic even + when ``-fwrapv`` is enabled. Previously, only division checks were enabled. JustinStitt wrote: Doesn't `-fno-sanitizer-signed-integer-overflow` already work? I did some [testing in godbolt](https://godbolt.org/z/oWdxvzs4P) and I am able to toggle this sanitizer on/off. https://github.com/llvm/llvm-project/pull/82432 ___ cfe-commits mailing list cfe-commits@lists.llvm.org https://lists.llvm.org/cgi-bin/mailman/listinfo/cfe-commits
[clang] Sanitizer: Support -fwrapv with -fsanitize=signed-integer-overflow (PR #82432)
@@ -723,7 +723,9 @@ class ScalarExprEmitter if (Ops.Ty->isSignedIntegerOrEnumerationType()) { switch (CGF.getLangOpts().getSignedOverflowBehavior()) { case LangOptions::SOB_Defined: -return Builder.CreateMul(Ops.LHS, Ops.RHS, "mul"); +if (!CGF.SanOpts.has(SanitizerKind::SignedIntegerOverflow)) JustinStitt wrote: One creates `CreateMul` and other `CreateNSWMul`. I believe this is useful for optimizations later https://github.com/llvm/llvm-project/pull/82432 ___ cfe-commits mailing list cfe-commits@lists.llvm.org https://lists.llvm.org/cgi-bin/mailman/listinfo/cfe-commits
[clang] Sanitizer: Support -fwrapv with -fsanitize=signed-integer-overflow (PR #82432)
@@ -723,7 +723,9 @@ class ScalarExprEmitter if (Ops.Ty->isSignedIntegerOrEnumerationType()) { switch (CGF.getLangOpts().getSignedOverflowBehavior()) { case LangOptions::SOB_Defined: -return Builder.CreateMul(Ops.LHS, Ops.RHS, "mul"); +if (!CGF.SanOpts.has(SanitizerKind::SignedIntegerOverflow)) vitalybuka wrote: Is'nt the same as: case LangOptions::SOB_Defined: case LangOptions::SOB_Undefined: if (!CGF.SanOpts.has(SanitizerKind::SignedIntegerOverflow)) return Builder.CreateNSWMul(Ops.LHS, Ops.RHS, "mul"); [[fallthrough]]; case LangOptions::SOB_Trapping: ``` https://github.com/llvm/llvm-project/pull/82432 ___ cfe-commits mailing list cfe-commits@lists.llvm.org https://lists.llvm.org/cgi-bin/mailman/listinfo/cfe-commits
[clang] Sanitizer: Support -fwrapv with -fsanitize=signed-integer-overflow (PR #82432)
MaskRay wrote: @efriedma-quic @rjmccall https://github.com/llvm/llvm-project/pull/82432 ___ cfe-commits mailing list cfe-commits@lists.llvm.org https://lists.llvm.org/cgi-bin/mailman/listinfo/cfe-commits
[clang] Sanitizer: Support -fwrapv with -fsanitize=signed-integer-overflow (PR #82432)
MaskRay wrote: Thanks! This does look simpler than `-fsanitize=signed-integer-wrap` https://github.com/llvm/llvm-project/pull/82432 ___ cfe-commits mailing list cfe-commits@lists.llvm.org https://lists.llvm.org/cgi-bin/mailman/listinfo/cfe-commits
[clang] Sanitizer: Support -fwrapv with -fsanitize=signed-integer-overflow (PR #82432)
JustinStitt wrote: > ⚠️ C/C++ code formatter, clang-format found issues in your code. ⚠️ > > You can test this locally with the following command: > View the diff from clang-format here. Fixed in [e5e92e6](https://github.com/llvm/llvm-project/pull/82432/commits/e5e92e6c07a9fbbac698a3b6bb4422f26ea06583) https://github.com/llvm/llvm-project/pull/82432 ___ cfe-commits mailing list cfe-commits@lists.llvm.org https://lists.llvm.org/cgi-bin/mailman/listinfo/cfe-commits
[clang] Sanitizer: Support -fwrapv with -fsanitize=signed-integer-overflow (PR #82432)
@@ -399,6 +399,9 @@ Moved checkers Sanitizers -- +- ``-fsanitize=signed-integer-overflow`` now instruments signed arithmetic even + when ``-fwrapv`` is enabled. Previously, only division checks were enabled. vitalybuka wrote: Maybe suggest to add `-fno-sanitize=signed-integer-overflow` with `-fwrapv` if we users does not care about errors. https://github.com/llvm/llvm-project/pull/82432 ___ cfe-commits mailing list cfe-commits@lists.llvm.org https://lists.llvm.org/cgi-bin/mailman/listinfo/cfe-commits
[clang] Sanitizer: Support -fwrapv with -fsanitize=signed-integer-overflow (PR #82432)
github-actions[bot] wrote: :warning: C/C++ code formatter, clang-format found issues in your code. :warning: You can test this locally with the following command: ``bash git-clang-format --diff 1219214a3bcc51022492928b8bb4ff4bdb75d0cb b02b09b9eb4f9a8ac60dd077d95c67b959db3b70 -- clang/lib/CodeGen/CGExprScalar.cpp clang/test/CodeGen/integer-overflow.c `` View the diff from clang-format here. ``diff diff --git a/clang/lib/CodeGen/CGExprScalar.cpp b/clang/lib/CodeGen/CGExprScalar.cpp index 7621d9bcde..10b7457522 100644 --- a/clang/lib/CodeGen/CGExprScalar.cpp +++ b/clang/lib/CodeGen/CGExprScalar.cpp @@ -724,7 +724,7 @@ public: switch (CGF.getLangOpts().getSignedOverflowBehavior()) { case LangOptions::SOB_Defined: if (!CGF.SanOpts.has(SanitizerKind::SignedIntegerOverflow)) - return Builder.CreateMul(Ops.LHS, Ops.RHS, "mul"); + return Builder.CreateMul(Ops.LHS, Ops.RHS, "mul"); [[fallthrough]]; case LangOptions::SOB_Undefined: if (!CGF.SanOpts.has(SanitizerKind::SignedIntegerOverflow)) @@ -2571,7 +2571,7 @@ llvm::Value *ScalarExprEmitter::EmitIncDecConsiderOverflowBehavior( switch (CGF.getLangOpts().getSignedOverflowBehavior()) { case LangOptions::SOB_Defined: if (!CGF.SanOpts.has(SanitizerKind::SignedIntegerOverflow)) -return Builder.CreateAdd(InVal, Amount, Name); + return Builder.CreateAdd(InVal, Amount, Name); [[fallthrough]]; case LangOptions::SOB_Undefined: if (!CGF.SanOpts.has(SanitizerKind::SignedIntegerOverflow)) `` https://github.com/llvm/llvm-project/pull/82432 ___ cfe-commits mailing list cfe-commits@lists.llvm.org https://lists.llvm.org/cgi-bin/mailman/listinfo/cfe-commits
[clang] Sanitizer: Support -fwrapv with -fsanitize=signed-integer-overflow (PR #82432)
https://github.com/JustinStitt edited https://github.com/llvm/llvm-project/pull/82432 ___ cfe-commits mailing list cfe-commits@lists.llvm.org https://lists.llvm.org/cgi-bin/mailman/listinfo/cfe-commits
[clang] Sanitizer: Support -fwrapv with -fsanitize=signed-integer-overflow (PR #82432)
https://github.com/JustinStitt updated https://github.com/llvm/llvm-project/pull/82432 >From b02b09b9eb4f9a8ac60dd077d95c67b959db3b70 Mon Sep 17 00:00:00 2001 From: Justin Stitt Date: Tue, 20 Feb 2024 22:21:02 + Subject: [PATCH 1/2] support fwrapv with signed int overflow sanitizer --- clang/docs/ReleaseNotes.rst | 3 +++ clang/docs/UndefinedBehaviorSanitizer.rst | 9 + clang/lib/CodeGen/CGExprScalar.cpp| 16 clang/test/CodeGen/integer-overflow.c | 12 4 files changed, 32 insertions(+), 8 deletions(-) diff --git a/clang/docs/ReleaseNotes.rst b/clang/docs/ReleaseNotes.rst index 5bca2c965c866b..685b19cabeb82c 100644 --- a/clang/docs/ReleaseNotes.rst +++ b/clang/docs/ReleaseNotes.rst @@ -399,6 +399,9 @@ Moved checkers Sanitizers -- +- ``-fsanitize=signed-integer-overflow`` now instruments signed arithmetic even + when ``-fwrapv`` is enabled. Previously, only division checks were enabled. + Python Binding Changes -- diff --git a/clang/docs/UndefinedBehaviorSanitizer.rst b/clang/docs/UndefinedBehaviorSanitizer.rst index b8ad3804f18903..8f58c92bd2a163 100644 --- a/clang/docs/UndefinedBehaviorSanitizer.rst +++ b/clang/docs/UndefinedBehaviorSanitizer.rst @@ -190,10 +190,11 @@ Available checks are: - ``-fsanitize=signed-integer-overflow``: Signed integer overflow, where the result of a signed integer computation cannot be represented in its type. This includes all the checks covered by ``-ftrapv``, as well as checks for - signed division overflow (``INT_MIN/-1``), but not checks for - lossy implicit conversions performed before the computation - (see ``-fsanitize=implicit-conversion``). Both of these two issues are - handled by ``-fsanitize=implicit-conversion`` group of checks. + signed division overflow (``INT_MIN/-1``). Note that checks are still + added even when ``-fwrapv`` is enabled. This sanitizer does not check for + lossy implicit conversions performed before the computation (see + ``-fsanitize=implicit-conversion``). Both of these two issues are handled + by ``-fsanitize=implicit-conversion`` group of checks. - ``-fsanitize=unreachable``: If control flow reaches an unreachable program point. - ``-fsanitize=unsigned-integer-overflow``: Unsigned integer overflow, where diff --git a/clang/lib/CodeGen/CGExprScalar.cpp b/clang/lib/CodeGen/CGExprScalar.cpp index 576734e460b9c1..7621d9bcdec991 100644 --- a/clang/lib/CodeGen/CGExprScalar.cpp +++ b/clang/lib/CodeGen/CGExprScalar.cpp @@ -723,7 +723,9 @@ class ScalarExprEmitter if (Ops.Ty->isSignedIntegerOrEnumerationType()) { switch (CGF.getLangOpts().getSignedOverflowBehavior()) { case LangOptions::SOB_Defined: -return Builder.CreateMul(Ops.LHS, Ops.RHS, "mul"); +if (!CGF.SanOpts.has(SanitizerKind::SignedIntegerOverflow)) + return Builder.CreateMul(Ops.LHS, Ops.RHS, "mul"); +[[fallthrough]]; case LangOptions::SOB_Undefined: if (!CGF.SanOpts.has(SanitizerKind::SignedIntegerOverflow)) return Builder.CreateNSWMul(Ops.LHS, Ops.RHS, "mul"); @@ -2568,7 +2570,9 @@ llvm::Value *ScalarExprEmitter::EmitIncDecConsiderOverflowBehavior( StringRef Name = IsInc ? "inc" : "dec"; switch (CGF.getLangOpts().getSignedOverflowBehavior()) { case LangOptions::SOB_Defined: -return Builder.CreateAdd(InVal, Amount, Name); +if (!CGF.SanOpts.has(SanitizerKind::SignedIntegerOverflow)) +return Builder.CreateAdd(InVal, Amount, Name); +[[fallthrough]]; case LangOptions::SOB_Undefined: if (!CGF.SanOpts.has(SanitizerKind::SignedIntegerOverflow)) return Builder.CreateNSWAdd(InVal, Amount, Name); @@ -3913,7 +3917,9 @@ Value *ScalarExprEmitter::EmitAdd(const BinOpInfo &op) { if (op.Ty->isSignedIntegerOrEnumerationType()) { switch (CGF.getLangOpts().getSignedOverflowBehavior()) { case LangOptions::SOB_Defined: - return Builder.CreateAdd(op.LHS, op.RHS, "add"); + if (!CGF.SanOpts.has(SanitizerKind::SignedIntegerOverflow)) +return Builder.CreateAdd(op.LHS, op.RHS, "add"); + [[fallthrough]]; case LangOptions::SOB_Undefined: if (!CGF.SanOpts.has(SanitizerKind::SignedIntegerOverflow)) return Builder.CreateNSWAdd(op.LHS, op.RHS, "add"); @@ -4067,7 +4073,9 @@ Value *ScalarExprEmitter::EmitSub(const BinOpInfo &op) { if (op.Ty->isSignedIntegerOrEnumerationType()) { switch (CGF.getLangOpts().getSignedOverflowBehavior()) { case LangOptions::SOB_Defined: -return Builder.CreateSub(op.LHS, op.RHS, "sub"); +if (!CGF.SanOpts.has(SanitizerKind::SignedIntegerOverflow)) + return Builder.CreateSub(op.LHS, op.RHS, "sub"); +[[fallthrough]]; case LangOptions::SOB_Undefined: if (!CGF.SanOpts.has(SanitizerKind::SignedIntegerOverflow)) return Builder.CreateNSWSub(op.LHS, op.RHS, "sub"); d
[clang] Sanitizer: Support -fwrapv with -fsanitize=signed-integer-overflow (PR #82432)
llvmbot wrote: @llvm/pr-subscribers-clang-codegen Author: Justin Stitt (JustinStitt) Changes **Reasoning** Clang has a `signed-integer-overflow` sanitizer to catch arithmetic overflow; however, most of its instrumentation [fails to apply](https://godbolt.org/z/ee41rE8o6) when `-fwrapv` is enabled; this is by design. The Linux kernel enables `-fno-strict-overflow` which implies `-fwrapv`. This means we are [currently unable to detect signed-integer wrap-around](https://github.com/KSPP/linux/issues/26). All the while, the root cause of many security vulnerabilities in the Linux kernel is [arithmetic overflow](https://cwe.mitre.org/data/definitions/190.html). To work around this and enhance the functionality of `-fsanitize=signed-integer-overflow`, let's instrument signed arithmetic even if the signed overflow behavior is defined. Initially, I created a [new sanitizer @ (pr/80089)](https://github.com/llvm/llvm-project/pull/80089) but simply changing the SIO sanitizer itself may be the better approach as per @MaskRay 's review from that PR. cc: @nickdesaulniers @kees @nathanchance @bwendling @MaskRay --- Full diff: https://github.com/llvm/llvm-project/pull/82432.diff 4 Files Affected: - (modified) clang/docs/ReleaseNotes.rst (+3) - (modified) clang/docs/UndefinedBehaviorSanitizer.rst (+5-4) - (modified) clang/lib/CodeGen/CGExprScalar.cpp (+12-4) - (modified) clang/test/CodeGen/integer-overflow.c (+12) ``diff diff --git a/clang/docs/ReleaseNotes.rst b/clang/docs/ReleaseNotes.rst index 5bca2c965c866b..685b19cabeb82c 100644 --- a/clang/docs/ReleaseNotes.rst +++ b/clang/docs/ReleaseNotes.rst @@ -399,6 +399,9 @@ Moved checkers Sanitizers -- +- ``-fsanitize=signed-integer-overflow`` now instruments signed arithmetic even + when ``-fwrapv`` is enabled. Previously, only division checks were enabled. + Python Binding Changes -- diff --git a/clang/docs/UndefinedBehaviorSanitizer.rst b/clang/docs/UndefinedBehaviorSanitizer.rst index b8ad3804f18903..8f58c92bd2a163 100644 --- a/clang/docs/UndefinedBehaviorSanitizer.rst +++ b/clang/docs/UndefinedBehaviorSanitizer.rst @@ -190,10 +190,11 @@ Available checks are: - ``-fsanitize=signed-integer-overflow``: Signed integer overflow, where the result of a signed integer computation cannot be represented in its type. This includes all the checks covered by ``-ftrapv``, as well as checks for - signed division overflow (``INT_MIN/-1``), but not checks for - lossy implicit conversions performed before the computation - (see ``-fsanitize=implicit-conversion``). Both of these two issues are - handled by ``-fsanitize=implicit-conversion`` group of checks. + signed division overflow (``INT_MIN/-1``). Note that checks are still + added even when ``-fwrapv`` is enabled. This sanitizer does not check for + lossy implicit conversions performed before the computation (see + ``-fsanitize=implicit-conversion``). Both of these two issues are handled + by ``-fsanitize=implicit-conversion`` group of checks. - ``-fsanitize=unreachable``: If control flow reaches an unreachable program point. - ``-fsanitize=unsigned-integer-overflow``: Unsigned integer overflow, where diff --git a/clang/lib/CodeGen/CGExprScalar.cpp b/clang/lib/CodeGen/CGExprScalar.cpp index 576734e460b9c1..7621d9bcdec991 100644 --- a/clang/lib/CodeGen/CGExprScalar.cpp +++ b/clang/lib/CodeGen/CGExprScalar.cpp @@ -723,7 +723,9 @@ class ScalarExprEmitter if (Ops.Ty->isSignedIntegerOrEnumerationType()) { switch (CGF.getLangOpts().getSignedOverflowBehavior()) { case LangOptions::SOB_Defined: -return Builder.CreateMul(Ops.LHS, Ops.RHS, "mul"); +if (!CGF.SanOpts.has(SanitizerKind::SignedIntegerOverflow)) + return Builder.CreateMul(Ops.LHS, Ops.RHS, "mul"); +[[fallthrough]]; case LangOptions::SOB_Undefined: if (!CGF.SanOpts.has(SanitizerKind::SignedIntegerOverflow)) return Builder.CreateNSWMul(Ops.LHS, Ops.RHS, "mul"); @@ -2568,7 +2570,9 @@ llvm::Value *ScalarExprEmitter::EmitIncDecConsiderOverflowBehavior( StringRef Name = IsInc ? "inc" : "dec"; switch (CGF.getLangOpts().getSignedOverflowBehavior()) { case LangOptions::SOB_Defined: -return Builder.CreateAdd(InVal, Amount, Name); +if (!CGF.SanOpts.has(SanitizerKind::SignedIntegerOverflow)) +return Builder.CreateAdd(InVal, Amount, Name); +[[fallthrough]]; case LangOptions::SOB_Undefined: if (!CGF.SanOpts.has(SanitizerKind::SignedIntegerOverflow)) return Builder.CreateNSWAdd(InVal, Amount, Name); @@ -3913,7 +3917,9 @@ Value *ScalarExprEmitter::EmitAdd(const BinOpInfo &op) { if (op.Ty->isSignedIntegerOrEnumerationType()) { switch (CGF.getLangOpts().getSignedOverflowBehavior()) { case LangOptions::SOB_Defined: - return Builder.CreateAdd(op.LHS, op.RHS, "add"); + if (!CGF.SanOpts.has(SanitizerKind::Sign
[clang] Sanitizer: Support -fwrapv with -fsanitize=signed-integer-overflow (PR #82432)
github-actions[bot] wrote: Thank you for submitting a Pull Request (PR) to the LLVM Project! This PR will be automatically labeled and the relevant teams will be notified. If you wish to, you can add reviewers by using the "Reviewers" section on this page. If this is not working for you, it is probably because you do not have write permissions for the repository. In which case you can instead tag reviewers by name in a comment by using `@` followed by their GitHub username. If you have received no comments on your PR for a week, you can request a review by "ping"ing the PR by adding a comment “Ping”. The common courtesy "ping" rate is once a week. Please remember that you are asking for valuable time from other developers. If you have further questions, they may be answered by the [LLVM GitHub User Guide](https://llvm.org/docs/GitHub.html). You can also ask questions in a comment on this PR, on the [LLVM Discord](https://discord.com/invite/xS7Z362) or on the [forums](https://discourse.llvm.org/). https://github.com/llvm/llvm-project/pull/82432 ___ cfe-commits mailing list cfe-commits@lists.llvm.org https://lists.llvm.org/cgi-bin/mailman/listinfo/cfe-commits
[clang] Sanitizer: Support -fwrapv with -fsanitize=signed-integer-overflow (PR #82432)
https://github.com/JustinStitt created https://github.com/llvm/llvm-project/pull/82432 **Reasoning** Clang has a `signed-integer-overflow` sanitizer to catch arithmetic overflow; however, most of its instrumentation [fails to apply](https://godbolt.org/z/ee41rE8o6) when `-fwrapv` is enabled; this is by design. The Linux kernel enables `-fno-strict-overflow` which implies `-fwrapv`. This means we are [currently unable to detect signed-integer wrap-around](https://github.com/KSPP/linux/issues/26). All the while, the root cause of many security vulnerabilities in the Linux kernel is [arithmetic overflow](https://cwe.mitre.org/data/definitions/190.html). To work around this and enhance the functionality of `-fsanitize=signed-integer-overflow`, let's instrument signed arithmetic even if the signed overflow behavior is defined. Initially, I created a [new sanitizer @ (pr/80089)](https://github.com/llvm/llvm-project/pull/80089) but simply changing the SIO sanitizer itself may be the better approach as per @MaskRay 's review from that PR. cc: @nickdesaulniers @kees @nathanchance @bwendling @MaskRay >From b02b09b9eb4f9a8ac60dd077d95c67b959db3b70 Mon Sep 17 00:00:00 2001 From: Justin Stitt Date: Tue, 20 Feb 2024 22:21:02 + Subject: [PATCH] support fwrapv with signed int overflow sanitizer --- clang/docs/ReleaseNotes.rst | 3 +++ clang/docs/UndefinedBehaviorSanitizer.rst | 9 + clang/lib/CodeGen/CGExprScalar.cpp| 16 clang/test/CodeGen/integer-overflow.c | 12 4 files changed, 32 insertions(+), 8 deletions(-) diff --git a/clang/docs/ReleaseNotes.rst b/clang/docs/ReleaseNotes.rst index 5bca2c965c866b..685b19cabeb82c 100644 --- a/clang/docs/ReleaseNotes.rst +++ b/clang/docs/ReleaseNotes.rst @@ -399,6 +399,9 @@ Moved checkers Sanitizers -- +- ``-fsanitize=signed-integer-overflow`` now instruments signed arithmetic even + when ``-fwrapv`` is enabled. Previously, only division checks were enabled. + Python Binding Changes -- diff --git a/clang/docs/UndefinedBehaviorSanitizer.rst b/clang/docs/UndefinedBehaviorSanitizer.rst index b8ad3804f18903..8f58c92bd2a163 100644 --- a/clang/docs/UndefinedBehaviorSanitizer.rst +++ b/clang/docs/UndefinedBehaviorSanitizer.rst @@ -190,10 +190,11 @@ Available checks are: - ``-fsanitize=signed-integer-overflow``: Signed integer overflow, where the result of a signed integer computation cannot be represented in its type. This includes all the checks covered by ``-ftrapv``, as well as checks for - signed division overflow (``INT_MIN/-1``), but not checks for - lossy implicit conversions performed before the computation - (see ``-fsanitize=implicit-conversion``). Both of these two issues are - handled by ``-fsanitize=implicit-conversion`` group of checks. + signed division overflow (``INT_MIN/-1``). Note that checks are still + added even when ``-fwrapv`` is enabled. This sanitizer does not check for + lossy implicit conversions performed before the computation (see + ``-fsanitize=implicit-conversion``). Both of these two issues are handled + by ``-fsanitize=implicit-conversion`` group of checks. - ``-fsanitize=unreachable``: If control flow reaches an unreachable program point. - ``-fsanitize=unsigned-integer-overflow``: Unsigned integer overflow, where diff --git a/clang/lib/CodeGen/CGExprScalar.cpp b/clang/lib/CodeGen/CGExprScalar.cpp index 576734e460b9c1..7621d9bcdec991 100644 --- a/clang/lib/CodeGen/CGExprScalar.cpp +++ b/clang/lib/CodeGen/CGExprScalar.cpp @@ -723,7 +723,9 @@ class ScalarExprEmitter if (Ops.Ty->isSignedIntegerOrEnumerationType()) { switch (CGF.getLangOpts().getSignedOverflowBehavior()) { case LangOptions::SOB_Defined: -return Builder.CreateMul(Ops.LHS, Ops.RHS, "mul"); +if (!CGF.SanOpts.has(SanitizerKind::SignedIntegerOverflow)) + return Builder.CreateMul(Ops.LHS, Ops.RHS, "mul"); +[[fallthrough]]; case LangOptions::SOB_Undefined: if (!CGF.SanOpts.has(SanitizerKind::SignedIntegerOverflow)) return Builder.CreateNSWMul(Ops.LHS, Ops.RHS, "mul"); @@ -2568,7 +2570,9 @@ llvm::Value *ScalarExprEmitter::EmitIncDecConsiderOverflowBehavior( StringRef Name = IsInc ? "inc" : "dec"; switch (CGF.getLangOpts().getSignedOverflowBehavior()) { case LangOptions::SOB_Defined: -return Builder.CreateAdd(InVal, Amount, Name); +if (!CGF.SanOpts.has(SanitizerKind::SignedIntegerOverflow)) +return Builder.CreateAdd(InVal, Amount, Name); +[[fallthrough]]; case LangOptions::SOB_Undefined: if (!CGF.SanOpts.has(SanitizerKind::SignedIntegerOverflow)) return Builder.CreateNSWAdd(InVal, Amount, Name); @@ -3913,7 +3917,9 @@ Value *ScalarExprEmitter::EmitAdd(const BinOpInfo &op) { if (op.Ty->isSignedIntegerOrEnumerationType()) { switch (CGF.getLangOpts().getSignedOverflowBehav