airbus-seclab / c-compiler-security

Security-related flags and options for C compilers
https://airbus-seclab.github.io/c-compiler-security/
Creative Commons Attribution Share Alike 4.0 International

Warn about -fsanitize=integer for unsigned integers #19

Closed rben-dev closed 3 years ago

rben-dev commented 3 years ago

First of all, great work! Thanks for compiling all this very useful information :-)

Regarding clang's -fsanitize=integer option, the sanitizer might be a little picky when it comes to unsigned integer arithmetic and left shift operations. According to 6.2.5.9 of ISO C99, unsigned integers "can never overflow" (https://frama-c.com/download/frama-c-rte-manual.pdf), while the sanitizer will trigger a "runtime error" whenever a left shift on an unsigned integer overflows the size of a primitive unsigned integer type, or when an arithmetic operation does so. Nonetheless, such operations are quite common, e.g. when developing big int or cryptographic libraries.

It might be useful to document the ways of explicitly deactivating such errors (especially if the integer sanitizer is used for production) while keeping the other undefined behaviour checks, using -fno-sanitize=unsigned-integer-overflow -fno-sanitize=unsigned-shift-base.

Regards,

trou commented 3 years ago

Thanks for the report! I've actually suggested using attributes to limit the deactivation to specific functions, rather than globally.
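As an added illustration of both comments (not code from the project or from either commenter): a constructed hash step and rotate whose unsigned wraparound and discarded shift bits are intended, with the two clang checks the issue names disabled for just those functions via `no_sanitize`, so the rest of `-fsanitize=integer` stays active. The `NO_UNSIGNED_WRAP_CHECK` macro name is an assumption.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed example. Unsigned wraparound and left shifts that drop bits are
 * well defined in C, but `clang -fsanitize=integer` still reports them as
 * "unsigned-integer-overflow" and "unsigned-shift-base" runtime errors.
 * Global opt-out (as proposed in the issue):
 *   clang -fsanitize=integer -fno-sanitize=unsigned-integer-overflow \
 *         -fno-sanitize=unsigned-shift-base example.c
 * Per-function opt-out (as suggested in the reply): the attribute below.
 * The attribute is clang-specific, hence the guard (macro name is assumed). */
#if defined(__clang__)
#define NO_UNSIGNED_WRAP_CHECK \
    __attribute__((no_sanitize("unsigned-integer-overflow", "unsigned-shift-base")))
#else
#define NO_UNSIGNED_WRAP_CHECK
#endif

/* Rotate left: the `x << n` deliberately discards the top n bits. */
NO_UNSIGNED_WRAP_CHECK
static uint32_t rotl32(uint32_t x, unsigned n)
{
    n &= 31;                       /* keep the shift count in range */
    if (n == 0)
        return x;                  /* avoid the undefined `x >> 32` */
    return (x << n) | (x >> (32 - n));
}

/* FNV-1a 32-bit: the multiply is meant to wrap modulo 2^32. */
NO_UNSIGNED_WRAP_CHECK
static uint32_t fnv1a32(const char *data, size_t len)
{
    uint32_t h = 0x811c9dc5u;      /* FNV offset basis */
    for (size_t i = 0; i < len; i++) {
        h ^= (uint8_t)data[i];
        h *= 0x01000193u;          /* FNV prime; wraps by design */
    }
    return h;
}

/* No attribute here: a wrap in a size computation is a real bug, and the
 * sanitizer should keep reporting it (used > cap wraps to a huge value). */
static size_t remaining(size_t cap, size_t used)
{
    return cap - used;
}

int main(void)
{
    printf("fnv1a32(\"a\") = 0x%08x\n", fnv1a32("a", 1));   /* 0xe40c292c */
    printf("rotl32(0x80000001, 1) = 0x%08x\n", rotl32(0x80000001u, 1));
    printf("remaining = %zu\n", remaining(16, 4));
    return 0;
}
```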