[Bug libstdc++/108674] New: [wish] *Please* silence *intentional* (non-UB!) unsigned overflow in an libstdc++ header

Sat, 04 Feb 2023 15:29:49 -0800 

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=108674

            Bug ID: 108674
           Summary: [wish] *Please* silence *intentional* (non-UB!)
                    unsigned overflow in an libstdc++ header
           Product: gcc
           Version: unknown
            Status: UNCONFIRMED
          Severity: normal
          Priority: P3
         Component: libstdc++
          Assignee: unassigned at gcc dot gnu.org
          Reporter: lebedev.ri at gmail dot com
  Target Milestone: ---

Dear maintainer.

As everyone knows, unsigned integer overflow is well-defined in C and C++.
However, there are situations where you *know* that a particular code
should not have any overflows. To catch them, there's Integer Sanitizer
in clang (`-fsanitize=integer`). 

Unfortunately as one would expect, while some might want to have no
unsigned overflows, others may very well depend on the defined behavior.
As is the case, the GCC, and in particular libstdc++ fall into the
latter category.

I believe in the version 12, a new instance of such intentional wraparound
was introduced into libstdc++: https://godbolt.org/z/rq153fxKW
Running this on a debian machine, we get:
```
/usr/lib/gcc/x86_64-linux-gnu/12/../../../../include/c++/12/bits/basic_string.h:483:51:
runtime error: unsigned integer overflow: 4 - 6 cannot be represented in type
'size_type' (aka 'unsigned long')
    #0 0x55e69e5b6818 in std::__cxx11::basic_string<char,
std::char_traits<char>, std::allocator<char>>::_S_compare(unsigned long,
unsigned long)
/usr/lib/gcc/x86_64-linux-gnu/12/../../../../include/c++/12/bits/basic_string.h:483:51
    #1 0x55e69e5b6818 in std::__cxx11::basic_string<char,
std::char_traits<char>,
std::allocator<char>>::compare(std::__cxx11::basic_string<char,
std::char_traits<char>, std::allocator<char>> const&) const
/usr/lib/gcc/x86_64-linux-gnu/12/../../../../include/c++/12/bits/basic_string.h:3150:10
<...>
```

I understand that there is no UB there.
I understand that you are doing this intentionally.
The problem is that it is happening in a header,
so it's effectively dictating everyone
that they should not use that sanitizer.

Silencing this kind of thing from user side is possible,
but it's somewhat cumbersome: it requires compiling with
`-fsanitize-recover=integer`, and supplying a run-time suppressions file.

On the other hand, suppressing this in-source is trivial:
https://godbolt.org/z/E7sEnvvrT
... all it would take is applying
`__attribute__((no_sanitize("unsigned-integer-overflow")))`
to `_S_compare` on line 483 in `basic_string.h`.

I have tried that locally, and it works, but it seems it needs to be
wrapped into `#if defined(__clang__)` preprocessor check:
https://godbolt.org/z/5a7ox4EWv

Forwarded from https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1029970

Reply via email to