What features does gcc-4.9 Undefined Behavior Sanitizer have?
In gcc-4.9 changes it says:

UndefinedBehaviorSanitizer (ubsan), a fast undefined behavior detector, has been added and can be enabled via -fsanitize=undefined. Various computations will be instrumented to detect undefined behavior at runtime. UndefinedBehaviorSanitizer is currently available for the C and C++ languages.

I looked at this question (A C++ implementation that detects undefined behavior?) but it seems fairly outdated.

This link (http://gcc.gnu.org/ml/gcc-patches/2013-06/msg00264.html) has some information on it, but it's several months old.

This is an attempt to add the Undefined Behavior Sanitizer to GCC. Note that it's very alpha version; so far it doesn't do that much, at the moment it should handle division by zero cases, INT_MIN / -1, and various shift cases (shifting by a negative value, shifting when second operand is >= than TYPE_PRECISION (first_operand) and suchlike. (On integer types, so far.)

From what I've read it's being ported to gcc from LLVM.

I've tried it with (5 / 0) and the only difference seems to be this output:

main.cpp:5:19: runtime error: division by zero

Does anyone have any more information on it or what features it has?

Givens answered 23/12, 2013 at 6:38

It seems like a lot of the ground work for this work would have to have been done in order to support detecting undefined behavior in constant expressions. (comment by Raising)
This is more a framework for adding such checks than an attempt to detect all forms of undefined behavior (which is almost certainly impossible in the "halting problem" sense).

The GCC documentation lists these as the currently supported checks:

-fsanitize=undefined Enable UndefinedBehaviorSanitizer, a fast undefined behavior detector. Various computations will be instrumented to detect undefined behavior at runtime. Current suboptions are:

-fsanitize=shift This option enables checking that the result of a shift operation is not undefined. Note that what exactly is considered undefined differs slightly between C and C++, as well as between ISO C90 and C99, etc.

-fsanitize=integer-divide-by-zero Detect integer division by zero as well as INT_MIN / -1 division.

-fsanitize=unreachable With this option, the compiler will turn the __builtin_unreachable call into a diagnostics message call instead. When reaching the __builtin_unreachable call, the behavior is undefined.

-fsanitize=vla-bound This option instructs the compiler to check that the size of a variable length array is positive. This option does not have any effect in -std=c++1y mode, as the standard requires the exception be thrown instead.

-fsanitize=null This option enables pointer checking. Particularly, the application built with this option turned on will issue an error message when it tries to dereference a NULL pointer, or if a reference (possibly an rvalue reference) is bound to a NULL pointer.

-fsanitize=return This option enables return statement checking. Programs built with this option turned on will issue an error message when the end of a non-void function is reached without actually returning a value. This option works in C++ only.

-fsanitize=signed-integer-overflow This option enables signed integer overflow checking. We check that the result of +, *, and both unary and binary - does not overflow in the signed arithmetics. Note, integer promotion rules must be taken into account. That is, the following is not an overflow:

signed char a = SCHAR_MAX;
a++;

While -ftrapv causes traps for signed overflows to be emitted, -fsanitize=undefined gives a diagnostic message. This currently works only for the C family of languages.

Basilica answered 23/12, 2013 at 7:13

It seems this text disappeared from the documentation page (as of 2016-01), any idea what's up? (comment by Larcener)

@IgorSkochinsky: Thanks. I have fixed the link to something (maybe) more permanent. Now the text does not quite match my excerpt, but I do not have time to fix it at the moment... (comment by Basilica)

Does -fsanitize=undefined by itself enable all those sub-options or do I have to also pass them? (comment by Oceania)

I was told on IRC -fsanitize=undefined enables all those sub-options. (comment by Oceania)

Great answers +1 - I am trying to figure out if you need to enable all the sub-options to make this feature useful... I can't find information if these are all enabled by default. Do you know about that? (comment by Factfinding)
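The answer above quotes the rules that the original gcc-4.9 suboptions enforce. The following C program is an added example (not from the question, the answer, or GCC itself) that spells out three of those rules as ordinary predicates, so you can see exactly which operand combinations -fsanitize=integer-divide-by-zero, -fsanitize=shift (C99 rules for int) and -fsanitize=signed-integer-overflow will report, and why the integer-promotion case from the documentation (signed char a = SCHAR_MAX; a++;) is not reported. The function names are constructed for this example; the main function optionally performs a real division by zero so that a build with gcc -fsanitize=undefined shows the same "runtime error: division by zero" message the question mentions.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>

/* Predicates constructed for this example: each one states, in plain C, the
   rule that the corresponding -fsanitize=undefined suboption checks at
   runtime. They are not GCC's own instrumentation. */

/* -fsanitize=integer-divide-by-zero: a / b is undefined when b == 0 and
   when a == INT_MIN and b == -1 (the quotient INT_MAX + 1 is not representable). */
bool int_div_is_defined(int a, int b)
{
    if (b == 0)
        return false;
    if (a == INT_MIN && b == -1)
        return false;
    return true;
}

/* -fsanitize=shift, using the C99 rules for int: the shift count must lie in
   [0, width), a negative value must not be shifted left, and the result of
   the left shift must be representable in int. */
bool int_shl_is_defined(int v, int n)
{
    const int width = (int)(sizeof(int) * CHAR_BIT);
    if (n < 0 || n >= width)
        return false;
    if (v < 0)
        return false;
    /* v << n is representable exactly when v <= INT_MAX >> n. */
    return v <= (INT_MAX >> n);
}

/* -fsanitize=signed-integer-overflow: a + b must stay within the range of int.
   Written with comparisons so that the check itself never overflows. */
bool int_add_is_defined(int a, int b)
{
    if (b > 0 && a > INT_MAX - b)
        return false;
    if (b < 0 && a < INT_MIN - b)
        return false;
    return true;
}

/* The integer-promotion caveat from the documentation: with
   signed char a = SCHAR_MAX; a++; the addition happens in int (127 + 1 = 128),
   so there is no signed overflow to report. Only the narrowing back to
   signed char is implementation-defined, and that is not what the sanitizer checks. */
int promoted_increment(signed char a)
{
    return a + 1;  /* evaluated in int after promotion; 128 for SCHAR_MAX */
}

int main(int argc, char **argv)
{
    (void)argv;
    printf("5 / 0 defined: %d\n", int_div_is_defined(5, 0));
    printf("INT_MIN / -1 defined: %d\n", int_div_is_defined(INT_MIN, -1));
    printf("1 << 31 defined: %d\n", int_shl_is_defined(1, 31));
    printf("INT_MAX + 1 defined: %d\n", int_add_is_defined(INT_MAX, 1));
    printf("SCHAR_MAX + 1 in int: %d\n", promoted_increment(SCHAR_MAX));

    /* Pass any argument to execute an actual division by zero. Built with
       gcc -fsanitize=undefined this prints "runtime error: division by zero"
       (the message the question shows); built without it, it is plain
       undefined behavior. The volatile keeps GCC from folding it at compile time. */
    if (argc > 1) {
        volatile int zero = 0;
        return 5 / zero;
    }
    return 0;
}
```

Compile once with plain gcc and once with gcc -fsanitize=undefined and run with an argument to compare the behaviour; only the instrumented build reports the division. Note that the shift predicate follows the C99 rules, so it treats 1 << 31 as undefined for a 32-bit int, which matches the documentation's remark that C and C++ (and C90 versus C99) differ slightly on what counts as undefined here.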
Complete list of options listed in UndefinedBehaviorSanitizer

Latest GCC 5.0 additions, extracted from GCC 5 Release Series: Changes, New Features, and Fixes, are listed below:

UndefinedBehaviorSanitizer gained a few new sanitization options:

-fsanitize=float-divide-by-zero: detect floating-point division by zero;
-fsanitize=float-cast-overflow: check that the result of floating-point type to integer conversions do not overflow;
-fsanitize=bounds: enable instrumentation of array bounds and detect out-of-bounds accesses;
-fsanitize=alignment: enable alignment checking, detect various misaligned objects;
-fsanitize=object-size: enable object size checking, detect various out-of-bounds accesses.
-fsanitize=vptr: enable checking of C++ member function calls, member accesses and some conversions between pointers to base and derived classes, detect if the referenced object does not have the correct dynamic type.
Forbidden answered 28/3, 2016 at 7:7
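The GCC 5 list above names the new checks but not the exact rule each one applies. The C program below is an added example (not part of this answer or of GCC) that writes out the rule behind three of them as plain predicates: -fsanitize=float-cast-overflow (the converted value, truncated toward zero, must fit in int, and NaN never does), -fsanitize=bounds (an index into an array of known size must be in range) and -fsanitize=alignment (an int must be accessed through a suitably aligned pointer). The function names and the sample table are constructed for this example, and sizeof(int) is assumed to be the alignment requirement of int, which holds on mainstream targets.

```c
#include <limits.h>
#include <math.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Predicates constructed for this example; they spell out the rules that
   three of the GCC 5 suboptions enforce at runtime and are not GCC's own code. */

/* -fsanitize=float-cast-overflow: converting a double to int is defined only
   when the value, truncated toward zero, fits in int. Testing the open
   interval (INT_MIN - 1, INT_MAX + 1) accounts for the fractional part; both
   bounds are exactly representable in double. Every comparison with NaN is
   false, so NaN is reported as undefined as well. */
bool double_to_int_is_defined(double d)
{
    const double lo = (double)INT_MIN - 1.0;  /* -2147483649.0 for 32-bit int */
    const double hi = (double)INT_MAX + 1.0;  /*  2147483648.0 for 32-bit int */
    return d > lo && d < hi;
}

/* -fsanitize=bounds: an index into an array of known size must be in range.
   The table holds constructed sample data; out-of-range lookups return
   the caller's fallback instead of reading past the array. */
static const int table[4] = { 10, 20, 30, 40 };

int table_get_or(int idx, int fallback)
{
    if (idx < 0 || idx >= (int)(sizeof table / sizeof table[0]))
        return fallback;
    return table[idx];
}

/* -fsanitize=alignment: dereferencing an int through a pointer that is not
   suitably aligned for int is undefined. sizeof(int) stands in for the
   alignment requirement here (an assumption that holds on mainstream targets). */
bool int_ptr_is_aligned(const void *p)
{
    return ((uintptr_t)p % sizeof(int)) == 0;
}

/* Correctly aligned storage used to show an aligned and a misaligned pointer. */
static int sample_ints[2] = { 1, 2 };

int main(void)
{
    printf("(int)2147483647.0 defined: %d\n", double_to_int_is_defined(2147483647.0));
    printf("(int)2147483648.0 defined: %d\n", double_to_int_is_defined(2147483648.0));
    printf("(int)NAN defined: %d\n", double_to_int_is_defined(NAN));
    printf("table[3] = %d\n", table_get_or(3, -1));
    printf("table[4] in bounds: %d\n", table_get_or(4, -1) != -1);
    printf("sample_ints aligned for int: %d\n", int_ptr_is_aligned(sample_ints));
    printf("sample_ints + 1 byte aligned for int: %d\n",
           int_ptr_is_aligned((const char *)sample_ints + 1));
    return 0;
}
```

The float-cast rule is the one most often misjudged in practice: 2147483647.9 converts fine (it truncates to INT_MAX), while 2147483648.0 and any NaN do not, and that is exactly the boundary the instrumented build checks.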