https://gcc.gnu.org/bugzilla/show_bug.cgi?id=108674
Bug ID: 108674 Summary: [wish] *Please* silence *intentional* (non-UB!) unsigned overflow in an libstdc++ header Product: gcc Version: unknown Status: UNCONFIRMED Severity: normal Priority: P3 Component: libstdc++ Assignee: unassigned at gcc dot gnu.org Reporter: lebedev.ri at gmail dot com Target Milestone: --- Dear maintainer. As everyone knows, unsigned integer overflow is well-defined in C and C++. However, there are situations where you *know* that a particular code should not have any overflows. To catch them, there's Integer Sanitizer in clang (`-fsanitize=integer`). Unfortunately as one would expect, while some might want to have no unsigned overflows, others may very well depend on the defined behavior. As is the case, the GCC, and in particular libstdc++ fall into the latter category. I believe in the version 12, a new instance of such intentional wraparound was introduced into libstdc++: https://godbolt.org/z/rq153fxKW Running this on a debian machine, we get: ``` /usr/lib/gcc/x86_64-linux-gnu/12/../../../../include/c++/12/bits/basic_string.h:483:51: runtime error: unsigned integer overflow: 4 - 6 cannot be represented in type 'size_type' (aka 'unsigned long') #0 0x55e69e5b6818 in std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>::_S_compare(unsigned long, unsigned long) /usr/lib/gcc/x86_64-linux-gnu/12/../../../../include/c++/12/bits/basic_string.h:483:51 #1 0x55e69e5b6818 in std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>::compare(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> const&) const /usr/lib/gcc/x86_64-linux-gnu/12/../../../../include/c++/12/bits/basic_string.h:3150:10 <...> ``` I understand that there is no UB there. I understand that you are doing this intentionally. The problem is that it is happening in a header, so it's effectively dictating everyone that they should not use that sanitizer. Silencing this kind of thing from user side is possible, but it's somewhat cumbersome: it requires compiling with `-fsanitize-recover=integer`, and supplying a run-time suppressions file. On the other hand, suppressing this in-source is trivial: https://godbolt.org/z/E7sEnvvrT ... all it would take is applying `__attribute__((no_sanitize("unsigned-integer-overflow")))` to `_S_compare` on line 483 in `basic_string.h`. I have tried that locally, and it works, but it seems it needs to be wrapped into `#if defined(__clang__)` preprocessor check: https://godbolt.org/z/5a7ox4EWv Forwarded from https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1029970