gcc-4.9 Undefined Behavior Sanitizer

user1508519 picture user1508519 · Dec 23, 2013 · Viewed 15k times · Source

In gcc-4.9 changes it says:

UndefinedBehaviorSanitizer (ubsan), a fast undefined behavior detector, has been added and can be enabled via -fsanitize=undefined. Various computations will be instrumented to detect undefined behavior at runtime. UndefinedBehaviorSanitizer is currently available for the C and C++ languages.

I looked at this question (A C++ implementation that detects undefined behavior?) but it seems fairly outdated.

This link (http://gcc.gnu.org/ml/gcc-patches/2013-06/msg00264.html) has some information on it, but it's several months old.

This is an attempt to add the Undefined Behavior Sanitizer to GCC. Note that it's very alpha version; so far it doesn't do that much, at the moment it should handle division by zero cases, INT_MIN / -1, and various shift cases (shifting by a negative value, shifting when second operand is >= than TYPE_PRECISION (first_operand) and suchlike. (On integer types, so far.)

From what I've read it's being ported to gcc from LLVM.

I've tried it with (5 / 0) and the only difference seems to be this output:

main.cpp:5:19: runtime error: division by zero

Does anyone have any more information on it or what features it has?

Answer

Nemo picture Nemo · Dec 23, 2013

This is more a framework for adding such checks than an attempt to detect all forms of undefined behavior (which is almost certainly impossible in the "halting problem" sense).

The GCC documentation lists these as the currently supported checks:

-fsanitize=undefined Enable UndefinedBehaviorSanitizer, a fast undefined behavior detector. Various computations will be instrumented to detect undefined behavior at runtime. Current suboptions are:

-fsanitize=shift This option enables checking that the result of a shift operation is not undefined. Note that what exactly is considered undefined differs slightly between C and C++, as well as between ISO C90 and C99, etc.

-fsanitize=integer-divide-by-zero Detect integer division by zero as well as INT_MIN / -1 division.

-fsanitize=unreachable With this option, the compiler will turn the __builtin_unreachable call into a diagnostics message call instead. When reaching the __builtin_unreachable call, the behavior is undefined.

-fsanitize=vla-bound This option instructs the compiler to check that the size of a variable length array is positive. This option does not have any effect in -std=c++1y mode, as the standard requires the exception be thrown instead.

-fsanitize=null This option enables pointer checking. Particularly, the application built with this option turned on will issue an error message when it tries to dereference a NULL pointer, or if a reference (possibly an rvalue reference) is bound to a NULL pointer.

-fsanitize=return This option enables return statement checking. Programs built with this option turned on will issue an error message when the end of a non-void function is reached without actually returning a value. This option works in C++ only.

-fsanitize=signed-integer-overflow This option enables signed integer overflow checking. We check that the result of +, *, and both unary and binary - does not overflow in the signed arithmetics. Note, integer promotion rules must be taken into account. That is, the following is not an overflow:

signed char a = SCHAR_MAX;
a++;

While -ftrapv causes traps for signed overflows to be emitted, -fsanitize=undefined gives a diagnostic message. This currently works only for the C family of languages.