Conversation

Nov 23, 2018

Gah, I just managed to convince myself that unsigned integer wraparound being Defined Behavior is bad because it’s often a bug, but not caught by tools...

@jfbastien

what happened to me? I blame you 😂

youtube.com

CppCon 2018: JF Bastien “Signed integers are two's complement”

http://CppCon.org—Presentation Slides, PDFs, Source Code and other presenter materials are available at: https://github.com/CppCon/CppCon2018—There is One Tr...

Replying to

and

Making it undefined won't make it any better... I was about to say that uint wraparound is useful, but then realized all the use-cases that come to my mind are from exploit development...

Replying to

and

Making it undefined at least allows you to trap it. If you want wrap around, be explicit about it.

Replying to

and

Signed Integer Overflow is caught by UBSan and that is actually valuable. Unsigned just fails quietly 😞

This Tweet was deleted by the Tweet author. Learn more

Replying to

It can? How? I want to try this 🤓

This Tweet was deleted by the Tweet author. Learn more

Replying to

You can use __attribute__((no_sanitize("integer"))) To suppress it, so I would just turn it on and suppress it if needed and the suppression acts as self documentation but you should commmet why it is intended too. stackoverflow.com/q/33351891/170

Replying to

Can also suppress it on a case-by-case basis with __builtin_add_overflow, etc. and simply ignoring the result if it's meant to wrap around. Those intrinsics provide well-defined signed overflow if needed too, as long as you don't care about portability beyond Clang and GCC.

Replying to

I prefer to mark it with the overflow intrinsics because it's more self-documenting. Can wrap them into functions defining wrapping operations instead of having the verbosity of the return value and output parameter and then use those in hash functions, etc. as needed.

8:41 PM · Nov 23, 2018Twitter Web Client

Replying to

Google has to work around a large number of non-bugs to keep expanding -fsanitize=integer coverage, and they've often marked non-trivial functions as no_sanitize which isn't great b/c it reduces coverage for other ops too and it's hard to tell which operations are meant to wrap.

Replying to

Signed overflow remains undefined with no_sanitize too. It's not possible to mix -fwrapv with this, although I think it should be. Passing -fsanitize=signed-integer-overflow -fsanitize-trap=signed-integer-overflow -fwrapv doesn't catch any signed overflows due to weird UBSan UX.

Show replies