https://gcc.gnu.org/bugzilla/show_bug.cgi?id=87837
Bug ID: 87837
Summary: -O2 -fsanitize=signed-integer-overflow misses
overflows on x86-64
Product: gcc
Version: 8.2.1
Status: UNCONFIRMED
Severity: normal
Priority: P3
Component: sanitizer
Assignee: unassigned at gcc dot gnu.org
Reporter: eggert at cs dot ucla.edu
CC: dodji at gcc dot gnu.org, dvyukov at gcc dot gnu.org,
jakub at gcc dot gnu.org, kcc at gcc dot gnu.org, marxin at
gcc dot gnu.org
Target Milestone: ---
In GCC 8, -O2 -fsanitize=signed-integer-overflow (and -fsanitize=undefined) is
missing signed integer overflows. GCC 7 caught them so this is a regression. I
observed the problem with GCC 8.2.1 20181011 (Red Hat 8.2.1-4) on x86-64.
Consider this function in the file testovf.c:
_Bool
testovf (long n)
{
return n + 9223372036854775807 < n;
}
Compile it with:
gcc -O2 -S -fsanitize=signed-integer-overflow testovf.c
With GCC 7.3.0, an overflow will be detected at runtime if one passes a
positive value to 'testovf', but with GCC 8.2.1 no overflow is detected. This
is because GCC 7.3.0 generates overflow-checking code (e.g., "addq %rdx, %rdp;
jo .L6") whereas GCC 8.2.1 merely generates this:
testovf:
xorl %eax, %eax
ret
Apparently GCC 8 is optimizing away the overflow test on the ground that if
overflow occurs, behavior is undefined so the generated code can do anything.
But when -fsanitize=signed-integer-overflow is used, that's not correct: the
user wants overflows to be diagnosed, not to be optimized away. That is, when
-fsanitize=signed-integer-overflow is used, behavior is not undefined when
signed integer overflow occurs (it is well-defined to trap), so these
optimizations should be inhibited.
