Linaro, profile picture
Uploaded byLinaro
PDF, PPTX2,004 views

BKK16-503 Undefined Behavior and Compiler Optimizations – Why Your Program Stopped Working With A Newer Compiler

The document discusses undefined behavior in C/C++ programming, highlighting its definitions, examples, and implications for compiler optimization. It outlines various cases of undefined behavior, such as signed integer overflow and divide by zero, and emphasizes the importance of detecting these issues through compiler warnings and the Undefined Behavior Sanitizer (ubsan). The conclusion reiterates that undefined behavior can lead to subtle bugs and security vulnerabilities, urging programmers to be vigilant in their coding practices.

Embed presentation

Download as PDF, PPTX
Presented by Date Event Undefined Behavior and Compiler Optimization Why Your Program Stopped Working With A Newer Compiler Kugan Vivekanandarajah and Yvan Roux BKK16-503 March 11, 2016 Linaro Connect BKK16
Outline ● What is undefined behavior ● Examples for undefined behavior ● Detecting undefined behavior ● Conclusion
How many times does this loop iterate ? int d[16]; int SATD (void) { int satd = 0, dd, k; for (dd = d[k = 0]; k<16; dd = d[++k]) { satd += (dd < 0 ? -dd : dd); } return satd; }
How many times does this loop iterate ? Infinite loop generated on non-infinite code (?) ● 464.h264ref goes into infinite loop for gcc 4.8 ● https://gcc.gnu.org/PR53073 int d[16]; int SATD (void) { int satd = 0, dd, k; for (dd = d[k = 0]; k<16; dd = d[++k]) { satd += (dd < 0 ? -dd : dd); } return satd; }
How many times does this loop iterate ? ● C standard says: ○ It is legal for a pointer to point to one element past the end ○ Accessing that location is undefined ● Compiler can therefore assume that the “k” can never be 16 at the point of k < 16 int d[16]; int SATD (void) { int satd = 0, dd, k; for (dd = d[k = 0]; k<16; dd = d[++k]) { satd += (dd < 0 ? -dd : dd); } return satd; }
What is undefined behavior ● ISO Standard definition: “behavior, upon use of a nonportable or erroneous program construct or of erroneous data, for which this International Standard imposes no requirements” ● C FAQ definition: “Anything at all can happens; the Standard imposes no requirements. The program may fail to compile, or it may execute incorrectly (either crashing or silently generating incorrect results), or it may fortuitously do exactly what the programmer intended” ● They may lead to very subtle bugs or have critical impact on security ○ Must be avoided by programmers
Why undefined behavior exists ? ● C/C++ is designed to be an efficient low-level programming language ● Offers compiler writers freedom to optimize ● Safe languages like Java have few undefined behavior ○ Safe and reproducible behavior across implementations ○ At the expense of performance X*2/2 X Optimized if no overflow Example:
Other kinds of behavior ● Implementation-defined behavior: unspecified behavior where each implementation documents how the choice is made
Other kinds of behavior ● Implementation-defined behavior: unspecified behavior where each implementation documents how the choice is made ● Unspecified behavior: use of an unspecified value, or other behavior where this International Standard provides two or more possibilities and imposes no further requirements on which is chosen in any instance
Other kinds of behavior ● Implementation-defined behavior: unspecified behavior where each implementation documents how the choice is made ● Unspecified behavior: use of an unspecified value, or other behavior where this International Standard provides two or more possibilities and imposes no further requirements on which is chosen in any instance ● Locale-specific behavior: behavior that depends on local conventions of nationality, culture, and language that each implementation documents
Examples for undefined behavior ● Signed integer overflow ● Shifting an n-bit integer by n or more bits ● Divide by zero ● Dereferencing a NULL pointer ● Pointer arithmetic that wraps ● Two pointers of different types that alias ● Reading an uninitialized variable
How to detect undefined behavior ● Compiler warnings ○ The compiler can issue a warning at compile time when it can statically detect some kind of wrongdoing ● Undefined Behavior Sanitizer - ubsan ○ GCC gained ubsan support from version 4.9 ■ Run-time checker for the C and C++ languages ○ Some undefined uses will not be obvious ■ Input might come from user / other modules and statically not detectable ■ Ubsan can help here with right input
What will be the output when int is 32 bit ? #include <stdio.h> int foo (int a) { if (a + 100 > a) printf ("%d GT %dn", a + 100, a); else printf ("%d LT %dn", a + 100, a); return 0; } int main () { foo (100); foo (0x7fffffff); return 0; }
Signed integer overflow - PR30475 ● Output At -O0 200 GT 100 -2147483549 LT 2147483647 ● Output At -O2 200 GT 100 -2147483549 GT 2147483647 #include <stdio.h> int foo (int a) { if (a + 100 > a) printf ("%d GT %dn", a + 100, a); else printf ("%d LT %dn", a + 100, a); return 0; } int main () { foo (100); foo (0x7fffffff); return 0; }
Signed integer overflow - PR30475 ● According to C and C++ language standards overflow of a signed value is undefined behavior ○ A correct (standard conforming) C/C++ program must never generate signed overflow ● (int + 100 > int) in example is always true ● -fno-strict-overflow /-fwrapv disables it gcc -O2 t.c -Wstrict-overflow t.c: In function ‘foo’: t.c:4:5: warning: assuming signed overflow does not occur when assuming that (X + c) >= X is always true [-Wstrict-overflow] gcc -O2 t.c -fsanitize=undefined ; ./a.out 200 GT 100 t.c:5:7: runtime error: signed integer overflow: 2147483647 + 100 cannot be represented in type 'int' -2147483549 GT 2147483647
Signed integer overflow and security implications ● Defence against many software security problems is validating input ● If the validating code is undefined, code can be vulnerable ● An axample from https://lwn. net/Articles/278137/ ○ If the “len” comes from user, then it can be used to overflow the buffer (and exploit) ● Some of these overflow checks are used as common idioms to prevent buffer overflows in security sensitive code if (buffer + len >= buffer_end || buffer + len < buffer) die_a_gory_death ("len is out of rangen"); if (buffer + len >= buffer_end) die_a_gory_death ("len is out of rangen"); Will be optimized into:
What will be the output for this ? #include <stdio.h> int foo (int x, int y) { x >>= (sizeof (int) << y); return x; } int main () { printf ("%dn", foo (1000, 3)); return 0; }
Shifting n-bit integer by n or more bits undefined - PR48418 gcc t.c -O0; ./a.out 1000 gcc t.c -O2; ./a.out 0 gcc -O2 t.c -fsanitize=undefined ; ./a.out t.c:5:4: runtime error: shift exponent 32 is too large for 32-bit type 'int' 1000 #include <stdio.h> int foo (int x, int y) { x >>= (sizeof (int) << y); return x; } int main () { printf ("%dn", foo (1000, 3)); return 0; }
What will be the output for this ? #include <stdio.h> int testdiv (int i, int k) { if (k == 0) printf ("found divide by zeron"); return (i / k); } int main() { int i = testdiv (1, 0); return (i); }
Divide by zero - PR29968 ● Divide by zero is undefined ● Based on error found with PostgreSQL 8.1.5 on Solaris 9 sparc with gcc-4.1 ● Since k is divisor, compiler assumed “k” cannot be zero ○ print statement is optimized away #include <stdio.h> int testdiv (int i, int k) { if (k == 0) printf ("found divide by zeron"); return (i / k); } int main() { int i = testdiv (1, 0); return (i); }
if (!msize) msize = 1 / msize; /* provoke a signal */ Divide by zero - PR29968 ● Divide by zero is undefined ● Based on error found with PostgreSQL 8.1.5 on Solaris 9 sparc with gcc-4.1 ● Since k is divisor, compiler assumed “k” cannot be zero ○ print statement is optimized away An example from Linux : (http://www.spinics.net/linux/fedora/linux-security-module/msg12814.html) #include <stdio.h> int testdiv (int i, int k) { if (k == 0) printf ("found divide by zeron"); return (i / k); } int main() { int i = testdiv (1, 0); return (i); }
What will be the output for this ? unsigned char* addr = (unsigned char*)0xfffffffe; unsigned len = 4; if (addr + len < addr) { printf( "wrapsn"); } else { printf( "no wrapn"); }
Pointer arithmetic that wraps - PR54365 (for ARM) gcc -O2 t.c; ./a.out no wrap gcc t.c; ./a.out wraps ● Current version of ubsan does not model this ○ No errors flagged ○ Not all the undefined behaviours are modelled in ubsan / as compiler warnings unsigned char* addr = (unsigned char*)0xfffffffe; unsigned len = 4; if (addr + len < addr) { printf( "wrapsn"); } else { printf( "no wrapn"); }
static unsigned int tun_chr_poll (struct file *file, poll_table * wait) { struct tun_file *tfile = file->private_data; struct tun_struct *tun = __tun_get(tfile); struct sock *sk = tun->sk; unsigned int mask = 0; if (!tun) return POLLERR; …. } Dereferencing a NULL pointer ● Example from Linux Kernel (https://lwn. net/Articles/342330/)
Calling a NULL Object - PR68853 ● gcc-6 exposes undefined behavior in Chromium v8 garbage collector ○ Calling a NULL object is undefined ○ -fno-delete-null-pointer-checks gets this to work
Reading an uninitialized variable ● Reading an uninitialized variable is undefined behavior ○ Compiler can assign any value to the variable and expressions derived from the variable ● http://kqueue. org/blog/2012/06/25/more- randomness-or-less/ ○ When compiled with a version of LLVM, entire seed computation is optimized away ○ Results of gettimeofday () and getpid () are not used at all ○ srandom () is called with some garbage value. struct timeval tv; unsigned long junk; gettimeofday (&tv, NULL); srandom ((getpid() << 16) ^ tv.tv_sec ^ tv. tv_usec ^ junk);
Conclusion ● Undefined behavior means standard non conforming code ○ Compilers will assume that undefined behavior is not present in the code while optimizing ● Undefined behavior can be subtle and not always obvious ● Use compiler warnings and ubsan to detect them ○ Unfortunately, not all the undefined behavior are modelled in ubsan ○ Know the compiler flags (if any) to disable optimization that might be relying on undefined behavior
Useful Links: ● http://blog.regehr.org/archives/213 ● http://blog.llvm.org/2011/05/what-every-c-programmer-should-know.html ● http://developerblog.redhat.com/2014/10/16/gcc-undefined-behavior-sanitizer-ubsan ● http://www.open-std.org/ ● https://gcc.gnu.org/onlinedocs/gcc/Standards.html ● http://www.open-std.org/jtc1/sc22/wg14/www/docs/n1124.pdf

More Related Content

PDF
Interpreter, Compiler, JIT from scratch
byNational Cheng Kung University
 
PDF
Q2.12: Debugging with GDB
byLinaro
 
PDF
BPF Internals (eBPF)
byBrendan Gregg
 
PDF
x86とコンテキストスイッチ
byMasami Ichikawa
 
PPTX
x86x64 SSE4.2 POPCNT
bytakesako
 
PPTX
Linux Kernel Booting Process (2) - For NLKB
byshimosawa
 
PPTX
GCC RTL and Machine Description
byPriyatham Bollimpalli
 
PDF
MySQL 8.0で憶えておいてほしいこと
byyoku0825
 
Interpreter, Compiler, JIT from scratch
byNational Cheng Kung University
 
Q2.12: Debugging with GDB
byLinaro
 
BPF Internals (eBPF)
byBrendan Gregg
 
x86とコンテキストスイッチ
byMasami Ichikawa
 
x86x64 SSE4.2 POPCNT
bytakesako
 
Linux Kernel Booting Process (2) - For NLKB
byshimosawa
 
GCC RTL and Machine Description
byPriyatham Bollimpalli
 
MySQL 8.0で憶えておいてほしいこと
byyoku0825
 

What's hot

PDF
Handling inline assembly in Clang and LLVM
byMin-Yih Hsu
 
PDF
用十分鐘 向jserv學習作業系統設計
by鍾誠 陳鍾誠
 
PDF
PowerShellが苦手だった男がPowerShellを愛するようになるまで
byKazuhiro Matsushima
 
PDF
Linux Performance Profiling and Monitoring
byGeorg Schönberger
 
PDF
LLVM Register Allocation (2nd Version)
byWang Hsiangkai
 
PPT
Introduction to gdb
byOwen Hsu
 
PDF
malloc & vmalloc in Linux
byAdrian Huang
 
PDF
Memory Management with Page Folios
byAdrian Huang
 
PDF
How A Compiler Works: GNU Toolchain
byNational Cheng Kung University
 
PDF
不揮発メモリ(NVDIMM)とLinuxの対応動向について
byYasunori Goto
 
PPT
Linux Crash Dump Capture and Analysis
byPaul V. Novarese
 
PDF
イマドキC++erのモテカワリソース管理術
byKohsuke Yuasa
 
PDF
Vmlinux: anatomy of bzimage and how x86 64 processor is booted
byAdrian Huang
 
PDF
続・モジュール / Introduction to C++ modules (part 2)
byTetsuroMatsumura
 
PDF
速習!論理レプリケーション ~基礎から最新動向まで~(PostgreSQL Conference Japan 2022 発表資料)
byNTT DATA Technology & Innovation
 
PDF
Javaコードが速く実⾏される秘密 - JITコンパイラ⼊⾨(JJUG CCC 2020 Fall講演資料)
byNTT DATA Technology & Innovation
 
PPTX
Verilator勉強会 2021/05/29
byryuz88
 
PDF
GDB Rocks!
byKent Chen
 
PDF
Linux Performance Analysis: New Tools and Old Secrets
byBrendan Gregg
 
PPTX
C#とILとネイティブと
by信之 岩永
 
Handling inline assembly in Clang and LLVM
byMin-Yih Hsu
 
用十分鐘 向jserv學習作業系統設計
by鍾誠 陳鍾誠
 
PowerShellが苦手だった男がPowerShellを愛するようになるまで
byKazuhiro Matsushima
 
Linux Performance Profiling and Monitoring
byGeorg Schönberger
 
LLVM Register Allocation (2nd Version)
byWang Hsiangkai
 
Introduction to gdb
byOwen Hsu
 
malloc & vmalloc in Linux
byAdrian Huang
 
Memory Management with Page Folios
byAdrian Huang
 
How A Compiler Works: GNU Toolchain
byNational Cheng Kung University
 
不揮発メモリ(NVDIMM)とLinuxの対応動向について
byYasunori Goto
 
Linux Crash Dump Capture and Analysis
byPaul V. Novarese
 
イマドキC++erのモテカワリソース管理術
byKohsuke Yuasa
 
Vmlinux: anatomy of bzimage and how x86 64 processor is booted
byAdrian Huang
 
続・モジュール / Introduction to C++ modules (part 2)
byTetsuroMatsumura
 
速習!論理レプリケーション ~基礎から最新動向まで~(PostgreSQL Conference Japan 2022 発表資料)
byNTT DATA Technology & Innovation
 
Javaコードが速く実⾏される秘密 - JITコンパイラ⼊⾨(JJUG CCC 2020 Fall講演資料)
byNTT DATA Technology & Innovation
 
Verilator勉強会 2021/05/29
byryuz88
 
GDB Rocks!
byKent Chen
 
Linux Performance Analysis: New Tools and Old Secrets
byBrendan Gregg
 
C#とILとネイティブと
by信之 岩永
 

Similar to BKK16-503 Undefined Behavior and Compiler Optimizations – Why Your Program Stopped Working With A Newer Compiler

PDF
2014-06-26 - A guide to undefined behavior in c and c++
byChen-Han Hsiao
 
PDF
C++ integer arithmetic
byarvidn
 
PDF
Undefined Behavior: Overview with Examples
byKangjun Heo
 
PDF
C++ The Principles of Most Surprise
byPatricia Aas
 
PDF
Lesson 11. Pattern 3. Shift operations
byPVS-Studio
 
PDF
C++ Undefined Behavior (Code::Dive 2016)
bySławomir Zborowski
 
PPTX
Understand more about C
byYi-Hsiu Hsu
 
PDF
GC in C++0x [eng]
byyak1ex
 
PDF
C++11 and 64-bit Issues
byAndrey Karpov
 
PDF
Lesson 13. Pattern 5. Address arithmetic
byPVS-Studio
 
PDF
A nice 64-bit error in C
byPVS-Studio
 
PDF
Undefined Behavior and Compiler Optimizations (NDC Oslo 2018)
byPatricia Aas
 
PDF
Secure Programming Practices in C++ (NDC Oslo 2018)
byPatricia Aas
 
PDF
Lesson 9. Pattern 1. Magic numbers
byPVS-Studio
 
PDF
Undefined behavior is closer than you think
byAndrey Karpov
 
PDF
A collection of examples of 64 bit errors in real programs
byMichael Scovetta
 
PDF
Development of a static code analyzer for detecting errors of porting program...
byPVS-Studio
 
PDF
Safety of 64-bit code
byPVS-Studio
 
PDF
Wade not in unknown waters. Part three.
byPVS-Studio
 
PDF
13 Jo P Jan 08
byGanesh Samarthyam
 
2014-06-26 - A guide to undefined behavior in c and c++
byChen-Han Hsiao
 
C++ integer arithmetic
byarvidn
 
Undefined Behavior: Overview with Examples
byKangjun Heo
 
C++ The Principles of Most Surprise
byPatricia Aas
 
Lesson 11. Pattern 3. Shift operations
byPVS-Studio
 
C++ Undefined Behavior (Code::Dive 2016)
bySławomir Zborowski
 
Understand more about C
byYi-Hsiu Hsu
 
GC in C++0x [eng]
byyak1ex
 
C++11 and 64-bit Issues
byAndrey Karpov
 
Lesson 13. Pattern 5. Address arithmetic
byPVS-Studio
 
A nice 64-bit error in C
byPVS-Studio
 
Undefined Behavior and Compiler Optimizations (NDC Oslo 2018)
byPatricia Aas
 
Secure Programming Practices in C++ (NDC Oslo 2018)
byPatricia Aas
 
Lesson 9. Pattern 1. Magic numbers
byPVS-Studio
 
Undefined behavior is closer than you think
byAndrey Karpov
 
A collection of examples of 64 bit errors in real programs
byMichael Scovetta
 
Development of a static code analyzer for detecting errors of porting program...
byPVS-Studio
 
Safety of 64-bit code
byPVS-Studio
 
Wade not in unknown waters. Part three.
byPVS-Studio
 
13 Jo P Jan 08
byGanesh Samarthyam
 

More from Linaro

PDF
HKG18-318 - OpenAMP Workshop
byLinaro
 
PDF
HKG18- 115 - Partitioning ARM Systems with the Jailhouse Hypervisor
byLinaro
 
PPTX
HKG18-120 - Devicetree Schema Documentation and Validation
byLinaro
 
PPTX
HKG18-223 - Trusted FirmwareM: Trusted boot
byLinaro
 
PDF
HKG18-TR08 - Upstreaming SVE in QEMU
byLinaro
 
PDF
HKG18-113- Secure Data Path work with i.MX8M
byLinaro
 
PDF
Deep Learning Neural Network Acceleration at the Edge - Andrea Gallo
byLinaro
 
PDF
HKG18-501 - EAS on Common Kernel 4.14 and getting (much) closer to mainline
byLinaro
 
PDF
Arm Architecture HPC Workshop Santa Clara 2018 - Kanta Vekaria
byLinaro
 
PDF
OpenHPC Automation with Ansible - Renato Golin - Linaro Arm HPC Workshop 2018
byLinaro
 
PDF
Huawei’s requirements for the ARM based HPC solution readiness - Joshua Mora
byLinaro
 
PDF
Intelligent Interconnect Architecture to Enable Next Generation HPC - Linaro ...
byLinaro
 
PDF
HKG18-100K1 - George Grey: Opening Keynote
byLinaro
 
PDF
Andrew J Younge - Vanguard Astra - Petascale Arm Platform for U.S. DOE/ASC Su...
byLinaro
 
PDF
Yutaka Ishikawa - Post-K and Arm HPC Ecosystem - Linaro Arm HPC Workshop Sant...
byLinaro
 
PDF
Bud17 113: distribution ci using qemu and open qa
byLinaro
 
PDF
HKG18-501 - EAS on Common Kernel 4.14 and getting (much) closer to mainline
byLinaro
 
PDF
HPC network stack on ARM - Linaro HPC Workshop 2018
byLinaro
 
PDF
HKG18-315 - Why the ecosystem is a wonderful thing, warts and all
byLinaro
 
PDF
It just keeps getting better - SUSE enablement for Arm - Linaro HPC Workshop ...
byLinaro
 
HKG18-318 - OpenAMP Workshop
byLinaro
 
HKG18- 115 - Partitioning ARM Systems with the Jailhouse Hypervisor
byLinaro
 
HKG18-120 - Devicetree Schema Documentation and Validation
byLinaro
 
HKG18-223 - Trusted FirmwareM: Trusted boot
byLinaro
 
HKG18-TR08 - Upstreaming SVE in QEMU
byLinaro
 
HKG18-113- Secure Data Path work with i.MX8M
byLinaro
 
Deep Learning Neural Network Acceleration at the Edge - Andrea Gallo
byLinaro
 
HKG18-501 - EAS on Common Kernel 4.14 and getting (much) closer to mainline
byLinaro
 
Arm Architecture HPC Workshop Santa Clara 2018 - Kanta Vekaria
byLinaro
 
OpenHPC Automation with Ansible - Renato Golin - Linaro Arm HPC Workshop 2018
byLinaro
 
Huawei’s requirements for the ARM based HPC solution readiness - Joshua Mora
byLinaro
 
Intelligent Interconnect Architecture to Enable Next Generation HPC - Linaro ...
byLinaro
 
HKG18-100K1 - George Grey: Opening Keynote
byLinaro
 
Andrew J Younge - Vanguard Astra - Petascale Arm Platform for U.S. DOE/ASC Su...
byLinaro
 
Yutaka Ishikawa - Post-K and Arm HPC Ecosystem - Linaro Arm HPC Workshop Sant...
byLinaro
 
Bud17 113: distribution ci using qemu and open qa
byLinaro
 
HKG18-501 - EAS on Common Kernel 4.14 and getting (much) closer to mainline
byLinaro
 
HPC network stack on ARM - Linaro HPC Workshop 2018
byLinaro
 
HKG18-315 - Why the ecosystem is a wonderful thing, warts and all
byLinaro
 
It just keeps getting better - SUSE enablement for Arm - Linaro HPC Workshop ...
byLinaro
 

Recently uploaded

PPTX
Coded Agents – with UiPath SDK + LlamaIndex.pptx
bysuhanisingh58689
 
PDF
Kubernetes Cloud Native Indonesia Meetup - January 2026
byPrasta Maha
 
PDF
Getting the Best of TrueDEM – January News & Updates
bypanagenda
 
PPTX
Apache Kafka 101 for Techies in IT dep.pptx
byamulyareddyk97
 
PPTX
Achieve enterprise automation with SAP BTP solutions and SAP Signavio
bydarrellkiwi
 
PDF
Enterprise Data Services_ A Development Guide with Use Cases, Trends and Impl...
by2601harsh23
 
PPTX
apidays Australia 2025 | Building AI RAG Applications with No Code.pptx
byapidays
 
PDF
MINDCTI Revenue Release Quarter 3 2025 - Financial Presentation
byMIND CTI
 
PPTX
Understanding-Search-Algorithms_09-12-25.pptx
byshaikmahammedtauheed
 
PPTX
Storage-and-HCI-Positioning-update-sales.pptx
byhungungphu123
 
PDF
How to Build a Crypto Wallet that Excels in 2026.pdf
byimoliviabennett
 
PDF
Azure DevOps Managed Services: Driving Speed, Security, and Business Growth
byjohncarterjn
 
PDF
Computer Science Conferences 2026 | Research by SAI Conference
byHealth Conference 2026
 
PDF
10 Best AI Tools for Fashion Brands in 2026
bymockitseo
 
PDF
apidays Australia 2025 | The Strategic Role of APIs in Digital Transformation
byapidays
 
DOCX
Best Web to Learn About Buying Verified Skrill Accounts (Los Angeles).docx
byhttps://topsellerit.com/product/buy-verified-binance-accounts/
 
PDF
Ethical AI applied to publishing: Presenting wâsikan kisewâtisiwin, an AI too...
byBookNet Canada
 
PPTX
Strategic Shelf Planning for the New Year Turning Resolutions into Revenue .pptx
byAnoop Ashok
 
PPTX
CRM for the Insurance Industry Lessons for Insurance CIOs and Digital Leaders...
byKerry Millar
 
PPTX
Spacecraft Guidance Quick Research Guide by Arthur Morgan
byArthur Morgan
 
Coded Agents – with UiPath SDK + LlamaIndex.pptx
bysuhanisingh58689
 
Kubernetes Cloud Native Indonesia Meetup - January 2026
byPrasta Maha
 
Getting the Best of TrueDEM – January News & Updates
bypanagenda
 
Apache Kafka 101 for Techies in IT dep.pptx
byamulyareddyk97
 
Achieve enterprise automation with SAP BTP solutions and SAP Signavio
bydarrellkiwi
 
Enterprise Data Services_ A Development Guide with Use Cases, Trends and Impl...
by2601harsh23
 
apidays Australia 2025 | Building AI RAG Applications with No Code.pptx
byapidays
 
MINDCTI Revenue Release Quarter 3 2025 - Financial Presentation
byMIND CTI
 
Understanding-Search-Algorithms_09-12-25.pptx
byshaikmahammedtauheed
 
Storage-and-HCI-Positioning-update-sales.pptx
byhungungphu123
 
How to Build a Crypto Wallet that Excels in 2026.pdf
byimoliviabennett
 
Azure DevOps Managed Services: Driving Speed, Security, and Business Growth
byjohncarterjn
 
Computer Science Conferences 2026 | Research by SAI Conference
byHealth Conference 2026
 
10 Best AI Tools for Fashion Brands in 2026
bymockitseo
 
apidays Australia 2025 | The Strategic Role of APIs in Digital Transformation
byapidays
 
Best Web to Learn About Buying Verified Skrill Accounts (Los Angeles).docx
byhttps://topsellerit.com/product/buy-verified-binance-accounts/
 
Ethical AI applied to publishing: Presenting wâsikan kisewâtisiwin, an AI too...
byBookNet Canada
 
Strategic Shelf Planning for the New Year Turning Resolutions into Revenue .pptx
byAnoop Ashok
 
CRM for the Insurance Industry Lessons for Insurance CIOs and Digital Leaders...
byKerry Millar
 
Spacecraft Guidance Quick Research Guide by Arthur Morgan
byArthur Morgan
 

BKK16-503 Undefined Behavior and Compiler Optimizations – Why Your Program Stopped Working With A Newer Compiler

  • 1.
    Presented by Date Event Undefined Behaviorand Compiler Optimization Why Your Program Stopped Working With A Newer Compiler Kugan Vivekanandarajah and Yvan Roux BKK16-503 March 11, 2016 Linaro Connect BKK16
  • 2.
    Outline ● What isundefined behavior ● Examples for undefined behavior ● Detecting undefined behavior ● Conclusion
  • 3.
    How many timesdoes this loop iterate ? int d[16]; int SATD (void) { int satd = 0, dd, k; for (dd = d[k = 0]; k<16; dd = d[++k]) { satd += (dd < 0 ? -dd : dd); } return satd; }
  • 4.
    How many timesdoes this loop iterate ? Infinite loop generated on non-infinite code (?) ● 464.h264ref goes into infinite loop for gcc 4.8 ● https://gcc.gnu.org/PR53073 int d[16]; int SATD (void) { int satd = 0, dd, k; for (dd = d[k = 0]; k<16; dd = d[++k]) { satd += (dd < 0 ? -dd : dd); } return satd; }
  • 5.
    How many timesdoes this loop iterate ? ● C standard says: ○ It is legal for a pointer to point to one element past the end ○ Accessing that location is undefined ● Compiler can therefore assume that the “k” can never be 16 at the point of k < 16 int d[16]; int SATD (void) { int satd = 0, dd, k; for (dd = d[k = 0]; k<16; dd = d[++k]) { satd += (dd < 0 ? -dd : dd); } return satd; }
  • 6.
    What is undefinedbehavior ● ISO Standard definition: “behavior, upon use of a nonportable or erroneous program construct or of erroneous data, for which this International Standard imposes no requirements” ● C FAQ definition: “Anything at all can happens; the Standard imposes no requirements. The program may fail to compile, or it may execute incorrectly (either crashing or silently generating incorrect results), or it may fortuitously do exactly what the programmer intended” ● They may lead to very subtle bugs or have critical impact on security ○ Must be avoided by programmers
  • 7.
    Why undefined behaviorexists ? ● C/C++ is designed to be an efficient low-level programming language ● Offers compiler writers freedom to optimize ● Safe languages like Java have few undefined behavior ○ Safe and reproducible behavior across implementations ○ At the expense of performance X*2/2 X Optimized if no overflow Example:
  • 8.
    Other kinds ofbehavior ● Implementation-defined behavior: unspecified behavior where each implementation documents how the choice is made
  • 9.
    Other kinds ofbehavior ● Implementation-defined behavior: unspecified behavior where each implementation documents how the choice is made ● Unspecified behavior: use of an unspecified value, or other behavior where this International Standard provides two or more possibilities and imposes no further requirements on which is chosen in any instance
  • 10.
    Other kinds ofbehavior ● Implementation-defined behavior: unspecified behavior where each implementation documents how the choice is made ● Unspecified behavior: use of an unspecified value, or other behavior where this International Standard provides two or more possibilities and imposes no further requirements on which is chosen in any instance ● Locale-specific behavior: behavior that depends on local conventions of nationality, culture, and language that each implementation documents
  • 11.
    Examples for undefinedbehavior ● Signed integer overflow ● Shifting an n-bit integer by n or more bits ● Divide by zero ● Dereferencing a NULL pointer ● Pointer arithmetic that wraps ● Two pointers of different types that alias ● Reading an uninitialized variable
  • 12.
    How to detectundefined behavior ● Compiler warnings ○ The compiler can issue a warning at compile time when it can statically detect some kind of wrongdoing ● Undefined Behavior Sanitizer - ubsan ○ GCC gained ubsan support from version 4.9 ■ Run-time checker for the C and C++ languages ○ Some undefined uses will not be obvious ■ Input might come from user / other modules and statically not detectable ■ Ubsan can help here with right input
  • 13.
    What will bethe output when int is 32 bit ? #include <stdio.h> int foo (int a) { if (a + 100 > a) printf ("%d GT %dn", a + 100, a); else printf ("%d LT %dn", a + 100, a); return 0; } int main () { foo (100); foo (0x7fffffff); return 0; }
  • 14.
    Signed integer overflow- PR30475 ● Output At -O0 200 GT 100 -2147483549 LT 2147483647 ● Output At -O2 200 GT 100 -2147483549 GT 2147483647 #include <stdio.h> int foo (int a) { if (a + 100 > a) printf ("%d GT %dn", a + 100, a); else printf ("%d LT %dn", a + 100, a); return 0; } int main () { foo (100); foo (0x7fffffff); return 0; }
  • 15.
    Signed integer overflow- PR30475 ● According to C and C++ language standards overflow of a signed value is undefined behavior ○ A correct (standard conforming) C/C++ program must never generate signed overflow ● (int + 100 > int) in example is always true ● -fno-strict-overflow /-fwrapv disables it gcc -O2 t.c -Wstrict-overflow t.c: In function ‘foo’: t.c:4:5: warning: assuming signed overflow does not occur when assuming that (X + c) >= X is always true [-Wstrict-overflow] gcc -O2 t.c -fsanitize=undefined ; ./a.out 200 GT 100 t.c:5:7: runtime error: signed integer overflow: 2147483647 + 100 cannot be represented in type 'int' -2147483549 GT 2147483647
  • 16.
    Signed integer overflowand security implications ● Defence against many software security problems is validating input ● If the validating code is undefined, code can be vulnerable ● An axample from https://lwn. net/Articles/278137/ ○ If the “len” comes from user, then it can be used to overflow the buffer (and exploit) ● Some of these overflow checks are used as common idioms to prevent buffer overflows in security sensitive code if (buffer + len >= buffer_end || buffer + len < buffer) die_a_gory_death ("len is out of rangen"); if (buffer + len >= buffer_end) die_a_gory_death ("len is out of rangen"); Will be optimized into:
  • 17.
    What will bethe output for this ? #include <stdio.h> int foo (int x, int y) { x >>= (sizeof (int) << y); return x; } int main () { printf ("%dn", foo (1000, 3)); return 0; }
  • 18.
    Shifting n-bit integerby n or more bits undefined - PR48418 gcc t.c -O0; ./a.out 1000 gcc t.c -O2; ./a.out 0 gcc -O2 t.c -fsanitize=undefined ; ./a.out t.c:5:4: runtime error: shift exponent 32 is too large for 32-bit type 'int' 1000 #include <stdio.h> int foo (int x, int y) { x >>= (sizeof (int) << y); return x; } int main () { printf ("%dn", foo (1000, 3)); return 0; }
  • 19.
    What will bethe output for this ? #include <stdio.h> int testdiv (int i, int k) { if (k == 0) printf ("found divide by zeron"); return (i / k); } int main() { int i = testdiv (1, 0); return (i); }
  • 20.
    Divide by zero- PR29968 ● Divide by zero is undefined ● Based on error found with PostgreSQL 8.1.5 on Solaris 9 sparc with gcc-4.1 ● Since k is divisor, compiler assumed “k” cannot be zero ○ print statement is optimized away #include <stdio.h> int testdiv (int i, int k) { if (k == 0) printf ("found divide by zeron"); return (i / k); } int main() { int i = testdiv (1, 0); return (i); }
  • 21.
    if (!msize) msize= 1 / msize; /* provoke a signal */ Divide by zero - PR29968 ● Divide by zero is undefined ● Based on error found with PostgreSQL 8.1.5 on Solaris 9 sparc with gcc-4.1 ● Since k is divisor, compiler assumed “k” cannot be zero ○ print statement is optimized away An example from Linux : (http://www.spinics.net/linux/fedora/linux-security-module/msg12814.html) #include <stdio.h> int testdiv (int i, int k) { if (k == 0) printf ("found divide by zeron"); return (i / k); } int main() { int i = testdiv (1, 0); return (i); }
  • 22.
    What will bethe output for this ? unsigned char* addr = (unsigned char*)0xfffffffe; unsigned len = 4; if (addr + len < addr) { printf( "wrapsn"); } else { printf( "no wrapn"); }
  • 23.
    Pointer arithmetic thatwraps - PR54365 (for ARM) gcc -O2 t.c; ./a.out no wrap gcc t.c; ./a.out wraps ● Current version of ubsan does not model this ○ No errors flagged ○ Not all the undefined behaviours are modelled in ubsan / as compiler warnings unsigned char* addr = (unsigned char*)0xfffffffe; unsigned len = 4; if (addr + len < addr) { printf( "wrapsn"); } else { printf( "no wrapn"); }
  • 24.
    static unsigned inttun_chr_poll (struct file *file, poll_table * wait) { struct tun_file *tfile = file->private_data; struct tun_struct *tun = __tun_get(tfile); struct sock *sk = tun->sk; unsigned int mask = 0; if (!tun) return POLLERR; …. } Dereferencing a NULL pointer ● Example from Linux Kernel (https://lwn. net/Articles/342330/)
  • 25.
    Calling a NULLObject - PR68853 ● gcc-6 exposes undefined behavior in Chromium v8 garbage collector ○ Calling a NULL object is undefined ○ -fno-delete-null-pointer-checks gets this to work
  • 26.
    Reading an uninitializedvariable ● Reading an uninitialized variable is undefined behavior ○ Compiler can assign any value to the variable and expressions derived from the variable ● http://kqueue. org/blog/2012/06/25/more- randomness-or-less/ ○ When compiled with a version of LLVM, entire seed computation is optimized away ○ Results of gettimeofday () and getpid () are not used at all ○ srandom () is called with some garbage value. struct timeval tv; unsigned long junk; gettimeofday (&tv, NULL); srandom ((getpid() << 16) ^ tv.tv_sec ^ tv. tv_usec ^ junk);
  • 27.
    Conclusion ● Undefined behaviormeans standard non conforming code ○ Compilers will assume that undefined behavior is not present in the code while optimizing ● Undefined behavior can be subtle and not always obvious ● Use compiler warnings and ubsan to detect them ○ Unfortunately, not all the undefined behavior are modelled in ubsan ○ Know the compiler flags (if any) to disable optimization that might be relying on undefined behavior
  • 28.
    Useful Links: ● http://blog.regehr.org/archives/213 ●http://blog.llvm.org/2011/05/what-every-c-programmer-should-know.html ● http://developerblog.redhat.com/2014/10/16/gcc-undefined-behavior-sanitizer-ubsan ● http://www.open-std.org/ ● https://gcc.gnu.org/onlinedocs/gcc/Standards.html ● http://www.open-std.org/jtc1/sc22/wg14/www/docs/n1124.pdf