@@ -58,6 +58,29 @@ code bases.
58 | 58 | containing strict-aliasing violations. The new default behavior can be |
59 | 59 | disabled using ``-fno-pointer-tbaa``. |
60 | 60 | |
| 61 | +- Clang will now more aggressively use undefined behavior on pointer addition |
| 62 | + overflow for optimization purposes. For example, a check like |
| 63 | + ``ptr + unsigned_offset < ptr`` will now optimize to ``false``, because |
| 64 | + ``ptr + unsigned_offset`` will cause undefined behavior if it overflows (or |
| 65 | + advances past the end of the object). |
| 66 | + |
| 67 | + Previously, ``ptr + unsigned_offset < ptr`` was optimized (by both Clang and |
| 68 | + GCC) to ``(ssize_t)unsigned_offset < 0``. This also results in an incorrect |
| 69 | + overflow check, but in a way that is less apparent when only testing with |
| 70 | + pointers in the low half of the address space. |
| 71 | + |
| 72 | + To avoid pointer addition overflow, it is necessary to perform the addition |
| 73 | + on integers, for example using |
| 74 | + ``(uintptr_t)ptr + unsigned_offset < (uintptr_t)ptr``. Sometimes, it is also |
| 75 | + possible to rewrite checks by only comparing the offset. For example, |
| 76 | + ``ptr + offset < end_ptr && ptr + offset >= ptr`` can be written as |
| 77 | + ``offset < (uintptr_t)(end_ptr - ptr)``. |
| 78 | + |
| 79 | + Undefined behavior due to pointer addition overflow can be reliably detected |
| 80 | + using ``-fsanitize=pointer-overflow``. It is also possible to use |
| 81 | + ``-fno-strict-overflow`` to opt-in to a language dialect where signed integer |
| 82 | + and pointer overflow are well-defined. |
| 83 | + |
61 | 84 | C/C++ Language Potentially Breaking Changes |
62 | 85 | ------------------------------------------- |
63 | 86 | |
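Review bot: The rewrite on lines 76-77, ``offset < (uintptr_t)(end_ptr - ptr)``, is only equivalent to the original check when ``ptr <= end_ptr`` and ``offset`` is unsigned; if ``end_ptr`` precedes ``ptr`` the negative difference converts to a very large ``uintptr_t`` and any offset passes, so the text should state that precondition. The ``(uintptr_t)ptr + unsigned_offset < (uintptr_t)ptr`` check on line 74 likewise only detects address-space wraparound, not the "advances past the end of the object" case named on line 65, which remains undefined; a sentence saying the integer comparison guards wraparound and that a bounds check against the object is still required would stop readers from treating it as a complete fix. Minor: on line 81 "opt-in" is used as a verb, so it should read "opt in to a language dialect".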