Implement -fsanitize=null + new sanopt pass

Message ID 20131118161706.GC30062@redhat.com
State New

Commit Message

Marek Polacek Nov. 18, 2013, 4:17 p.m. UTC
On Mon, Nov 18, 2013 at 02:52:34PM +0100, Jakub Jelinek wrote:
> Oh, one more thing, please update gcc/doc/, the -fsanitize= description is
> far from up to date there.

Ok, the following (incremental) hopefully improves the docs.  Joseph, would
you mind having a look at this?  Thanks,

2013-11-18  Marek Polacek  <polacek@redhat.com>

	* doc/invoke.texi: Extend -fsanitize=undefined documentation.


	Marek

Comments

Joseph Myers Nov. 18, 2013, 4:58 p.m. UTC | #1
On Mon, 18 Nov 2013, Marek Polacek wrote:

> +@item @option{-fsanitize=shift}
> +
> +This option enables checking that the result of a shift operation is
> +not undefined.  Note that what exactly is considered undefined differs
> +slightly between C and C++, as well as between ANSI C and C99, etc.

We generally refer to ISO C90, not ANSI C.

> +Detect integer division by zero as well as @code{INT_MIN / -1} division.
> +Note that the latter is only made undefined from C99 onwards.

INT_MIN / -1 is unambiguously undefined in C90 - it's a signed arithmetic 
overflow (result not within the range of its type).  It's INT_MIN % -1 
where there's more ambiguity, but I consider the wording changes in C11 as 
a defect correction that should be applied back to C90.  (A comment on 
what the semantics should be, not on whether the documentation accurately 
reflects the code.)

Patch

--- gcc/doc/invoke.texi.mp3	2013-11-18 15:57:47.104103101 +0100
+++ gcc/doc/invoke.texi	2013-11-18 17:08:51.305594441 +0100
@@ -5260,9 +5260,45 @@  data race bugs.
 See @uref{http://code.google.com/p/data-race-test/wiki/ThreadSanitizer} for more details.
 
 @item -fsanitize=undefined
-Enable UndefinedBehaviorSanitizer, a fast undefined behavior detector
+Enable UndefinedBehaviorSanitizer, a fast undefined behavior detector.
 Various computations will be instrumented to detect undefined behavior
-at runtime, e.g.@: division by zero or various overflows.
+at runtime.  Current suboptions are:
+
+@itemize @bullet
+
+@item @option{-fsanitize=shift}
+
+This option enables checking that the result of a shift operation is
+not undefined.  Note that what exactly is considered undefined differs
+slightly between C and C++, as well as between ANSI C and C99, etc.
+
+@item @option{-fsanitize=integer-divide-by-zero}
+
+Detect integer division by zero as well as @code{INT_MIN / -1} division.
+Note that the latter is only made undefined from C99 onwards.
+
+@item @option{-fsanitize=unreachable}
+
+With this option, the compiler will turn the @code{__builtin_unreachable}
+call into a diagnostics message call instead.  When reaching the
+@code{__builtin_unreachable} call, the behavior is undefined.
+
+@item @option{-fsanitize=vla-bound}
+
+This option instructs the compiler to check that the size of a variable
+length array is positive.  This option does not have any effect in
+@option{-std=c++1y} mode, as the standard requires the exception be thrown
+instead.
+
+@item @option{-fsanitize=null}
+
+This option enables pointer checking.  Particularly, the application
+built with this option turned on will issue an error message when it
+tries to dereference a NULL pointer, or if a reference (possibly an
+rvalue reference) is bound to a NULL pointer.
+
+@end itemize
+
 While @option{-ftrapv} causes traps for signed overflows to be emitted,
 @option{-fsanitize=undefined} gives a diagnostic message.
 This currently works only for the C family of languages.
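Review bot: The sentence `+Note that the latter is only made undefined from C99 onwards.` under @option{-fsanitize=integer-divide-by-zero} is incorrect: INT_MIN / -1 is a signed arithmetic overflow whose result is not representable in the type, so it is already undefined in C90; drop the sentence or reword it to say that the division overflows (the C99-vs-C90 ambiguity, if any, concerns INT_MIN % -1, which this option does not describe). In the same hunk, `+slightly between C and C++, as well as between ANSI C and C99, etc.` should say ISO C90 rather than ANSI C, as the reviewer comment above points out. Two wording fixes: `+call into a diagnostics message call instead.` should read "a diagnostic message", and "as the standard requires the exception be thrown" under @option{-fsanitize=vla-bound} should read "requires an exception to be thrown". Finally, the list is introduced with "Current suboptions are:" but never states that @option{-fsanitize=undefined} enables all of them, nor that each can be passed on its own; one sentence saying so before the @itemize would make the relationship clear.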