Linaro, profile picture
Uploaded byLinaro
PDF, PPTX2,000 views

BKK16-503 Undefined Behavior and Compiler Optimizations – Why Your Program Stopped Working With A Newer Compiler

The document discusses undefined behavior in C/C++ programming, highlighting its definitions, examples, and implications for compiler optimization. It outlines various cases of undefined behavior, such as signed integer overflow and divide by zero, and emphasizes the importance of detecting these issues through compiler warnings and the Undefined Behavior Sanitizer (ubsan). The conclusion reiterates that undefined behavior can lead to subtle bugs and security vulnerabilities, urging programmers to be vigilant in their coding practices.

Technology
In this document
Powered by AI

Introductory slides on undefined behavior and its outline.

Discussion on loop iteration, compiler assumptions, and legal pointer behavior.

Definition and examples of undefined behavior in programming, its existence, and types.

Examples include signed integer overflow, NULL pointer dereference, compiler detection methods.

Case examples exploring signed integer overflow behavior and compiler output differences.

Discusses security vulnerabilities arising from undefined behavior and validation.

Examples of undefined behavior related to bit shifts and divide-by-zero errors.

Examples of pointer arithmetic and the implications of wrapping in undefined behavior.

Examples include dereferencing NULL pointers and reading uninitialized variables.

Summary on the importance of avoiding undefined behavior and tools for detection.

Additional resources for understanding and investigating undefined behavior in programming.

Download as PDF, PPTX
Presented by Date Event Undefined Behavior and Compiler Optimization Why Your Program Stopped Working With A Newer Compiler Kugan Vivekanandarajah and Yvan Roux BKK16-503 March 11, 2016 Linaro Connect BKK16
Outline ● What is undefined behavior ● Examples for undefined behavior ● Detecting undefined behavior ● Conclusion
How many times does this loop iterate ? int d[16]; int SATD (void) { int satd = 0, dd, k; for (dd = d[k = 0]; k<16; dd = d[++k]) { satd += (dd < 0 ? -dd : dd); } return satd; }
How many times does this loop iterate ? Infinite loop generated on non-infinite code (?) ● 464.h264ref goes into infinite loop for gcc 4.8 ● https://gcc.gnu.org/PR53073 int d[16]; int SATD (void) { int satd = 0, dd, k; for (dd = d[k = 0]; k<16; dd = d[++k]) { satd += (dd < 0 ? -dd : dd); } return satd; }
How many times does this loop iterate ? ● C standard says: ○ It is legal for a pointer to point to one element past the end ○ Accessing that location is undefined ● Compiler can therefore assume that the “k” can never be 16 at the point of k < 16 int d[16]; int SATD (void) { int satd = 0, dd, k; for (dd = d[k = 0]; k<16; dd = d[++k]) { satd += (dd < 0 ? -dd : dd); } return satd; }
What is undefined behavior ● ISO Standard definition: “behavior, upon use of a nonportable or erroneous program construct or of erroneous data, for which this International Standard imposes no requirements” ● C FAQ definition: “Anything at all can happens; the Standard imposes no requirements. The program may fail to compile, or it may execute incorrectly (either crashing or silently generating incorrect results), or it may fortuitously do exactly what the programmer intended” ● They may lead to very subtle bugs or have critical impact on security ○ Must be avoided by programmers
Why undefined behavior exists ? ● C/C++ is designed to be an efficient low-level programming language ● Offers compiler writers freedom to optimize ● Safe languages like Java have few undefined behavior ○ Safe and reproducible behavior across implementations ○ At the expense of performance X*2/2 X Optimized if no overflow Example:
Other kinds of behavior ● Implementation-defined behavior: unspecified behavior where each implementation documents how the choice is made
Other kinds of behavior ● Implementation-defined behavior: unspecified behavior where each implementation documents how the choice is made ● Unspecified behavior: use of an unspecified value, or other behavior where this International Standard provides two or more possibilities and imposes no further requirements on which is chosen in any instance
Other kinds of behavior ● Implementation-defined behavior: unspecified behavior where each implementation documents how the choice is made ● Unspecified behavior: use of an unspecified value, or other behavior where this International Standard provides two or more possibilities and imposes no further requirements on which is chosen in any instance ● Locale-specific behavior: behavior that depends on local conventions of nationality, culture, and language that each implementation documents
Examples for undefined behavior ● Signed integer overflow ● Shifting an n-bit integer by n or more bits ● Divide by zero ● Dereferencing a NULL pointer ● Pointer arithmetic that wraps ● Two pointers of different types that alias ● Reading an uninitialized variable
How to detect undefined behavior ● Compiler warnings ○ The compiler can issue a warning at compile time when it can statically detect some kind of wrongdoing ● Undefined Behavior Sanitizer - ubsan ○ GCC gained ubsan support from version 4.9 ■ Run-time checker for the C and C++ languages ○ Some undefined uses will not be obvious ■ Input might come from user / other modules and statically not detectable ■ Ubsan can help here with right input
What will be the output when int is 32 bit ? #include <stdio.h> int foo (int a) { if (a + 100 > a) printf ("%d GT %dn", a + 100, a); else printf ("%d LT %dn", a + 100, a); return 0; } int main () { foo (100); foo (0x7fffffff); return 0; }
Signed integer overflow - PR30475 ● Output At -O0 200 GT 100 -2147483549 LT 2147483647 ● Output At -O2 200 GT 100 -2147483549 GT 2147483647 #include <stdio.h> int foo (int a) { if (a + 100 > a) printf ("%d GT %dn", a + 100, a); else printf ("%d LT %dn", a + 100, a); return 0; } int main () { foo (100); foo (0x7fffffff); return 0; }
Signed integer overflow - PR30475 ● According to C and C++ language standards overflow of a signed value is undefined behavior ○ A correct (standard conforming) C/C++ program must never generate signed overflow ● (int + 100 > int) in example is always true ● -fno-strict-overflow /-fwrapv disables it gcc -O2 t.c -Wstrict-overflow t.c: In function ‘foo’: t.c:4:5: warning: assuming signed overflow does not occur when assuming that (X + c) >= X is always true [-Wstrict-overflow] gcc -O2 t.c -fsanitize=undefined ; ./a.out 200 GT 100 t.c:5:7: runtime error: signed integer overflow: 2147483647 + 100 cannot be represented in type 'int' -2147483549 GT 2147483647
Signed integer overflow and security implications ● Defence against many software security problems is validating input ● If the validating code is undefined, code can be vulnerable ● An axample from https://lwn. net/Articles/278137/ ○ If the “len” comes from user, then it can be used to overflow the buffer (and exploit) ● Some of these overflow checks are used as common idioms to prevent buffer overflows in security sensitive code if (buffer + len >= buffer_end || buffer + len < buffer) die_a_gory_death ("len is out of rangen"); if (buffer + len >= buffer_end) die_a_gory_death ("len is out of rangen"); Will be optimized into:
What will be the output for this ? #include <stdio.h> int foo (int x, int y) { x >>= (sizeof (int) << y); return x; } int main () { printf ("%dn", foo (1000, 3)); return 0; }
Shifting n-bit integer by n or more bits undefined - PR48418 gcc t.c -O0; ./a.out 1000 gcc t.c -O2; ./a.out 0 gcc -O2 t.c -fsanitize=undefined ; ./a.out t.c:5:4: runtime error: shift exponent 32 is too large for 32-bit type 'int' 1000 #include <stdio.h> int foo (int x, int y) { x >>= (sizeof (int) << y); return x; } int main () { printf ("%dn", foo (1000, 3)); return 0; }
What will be the output for this ? #include <stdio.h> int testdiv (int i, int k) { if (k == 0) printf ("found divide by zeron"); return (i / k); } int main() { int i = testdiv (1, 0); return (i); }
Divide by zero - PR29968 ● Divide by zero is undefined ● Based on error found with PostgreSQL 8.1.5 on Solaris 9 sparc with gcc-4.1 ● Since k is divisor, compiler assumed “k” cannot be zero ○ print statement is optimized away #include <stdio.h> int testdiv (int i, int k) { if (k == 0) printf ("found divide by zeron"); return (i / k); } int main() { int i = testdiv (1, 0); return (i); }
if (!msize) msize = 1 / msize; /* provoke a signal */ Divide by zero - PR29968 ● Divide by zero is undefined ● Based on error found with PostgreSQL 8.1.5 on Solaris 9 sparc with gcc-4.1 ● Since k is divisor, compiler assumed “k” cannot be zero ○ print statement is optimized away An example from Linux : (http://www.spinics.net/linux/fedora/linux-security-module/msg12814.html) #include <stdio.h> int testdiv (int i, int k) { if (k == 0) printf ("found divide by zeron"); return (i / k); } int main() { int i = testdiv (1, 0); return (i); }
What will be the output for this ? unsigned char* addr = (unsigned char*)0xfffffffe; unsigned len = 4; if (addr + len < addr) { printf( "wrapsn"); } else { printf( "no wrapn"); }
Pointer arithmetic that wraps - PR54365 (for ARM) gcc -O2 t.c; ./a.out no wrap gcc t.c; ./a.out wraps ● Current version of ubsan does not model this ○ No errors flagged ○ Not all the undefined behaviours are modelled in ubsan / as compiler warnings unsigned char* addr = (unsigned char*)0xfffffffe; unsigned len = 4; if (addr + len < addr) { printf( "wrapsn"); } else { printf( "no wrapn"); }
static unsigned int tun_chr_poll (struct file *file, poll_table * wait) { struct tun_file *tfile = file->private_data; struct tun_struct *tun = __tun_get(tfile); struct sock *sk = tun->sk; unsigned int mask = 0; if (!tun) return POLLERR; …. } Dereferencing a NULL pointer ● Example from Linux Kernel (https://lwn. net/Articles/342330/)
Calling a NULL Object - PR68853 ● gcc-6 exposes undefined behavior in Chromium v8 garbage collector ○ Calling a NULL object is undefined ○ -fno-delete-null-pointer-checks gets this to work
Reading an uninitialized variable ● Reading an uninitialized variable is undefined behavior ○ Compiler can assign any value to the variable and expressions derived from the variable ● http://kqueue. org/blog/2012/06/25/more- randomness-or-less/ ○ When compiled with a version of LLVM, entire seed computation is optimized away ○ Results of gettimeofday () and getpid () are not used at all ○ srandom () is called with some garbage value. struct timeval tv; unsigned long junk; gettimeofday (&tv, NULL); srandom ((getpid() << 16) ^ tv.tv_sec ^ tv. tv_usec ^ junk);
Conclusion ● Undefined behavior means standard non conforming code ○ Compilers will assume that undefined behavior is not present in the code while optimizing ● Undefined behavior can be subtle and not always obvious ● Use compiler warnings and ubsan to detect them ○ Unfortunately, not all the undefined behavior are modelled in ubsan ○ Know the compiler flags (if any) to disable optimization that might be relying on undefined behavior
Useful Links: ● http://blog.regehr.org/archives/213 ● http://blog.llvm.org/2011/05/what-every-c-programmer-should-know.html ● http://developerblog.redhat.com/2014/10/16/gcc-undefined-behavior-sanitizer-ubsan ● http://www.open-std.org/ ● https://gcc.gnu.org/onlinedocs/gcc/Standards.html ● http://www.open-std.org/jtc1/sc22/wg14/www/docs/n1124.pdf

More Related Content

PDF
Q2.12: Debugging with GDB
byLinaro
 
PDF
Interpreter, Compiler, JIT from scratch
byNational Cheng Kung University
 
PDF
Address/Thread/Memory Sanitizer
byPlatonov Sergey
 
PDF
How A Compiler Works: GNU Toolchain
byNational Cheng Kung University
 
PPT
Introduction to gdb
byOwen Hsu
 
PDF
LLVM 總是打開你的心:從電玩模擬器看編譯器應用實例
byNational Cheng Kung University
 
PDF
GDB Rocks!
byKent Chen
 
PDF
用十分鐘 向jserv學習作業系統設計
by鍾誠 陳鍾誠
 
Q2.12: Debugging with GDB
byLinaro
 
Interpreter, Compiler, JIT from scratch
byNational Cheng Kung University
 
Address/Thread/Memory Sanitizer
byPlatonov Sergey
 
How A Compiler Works: GNU Toolchain
byNational Cheng Kung University
 
Introduction to gdb
byOwen Hsu
 
LLVM 總是打開你的心:從電玩模擬器看編譯器應用實例
byNational Cheng Kung University
 
GDB Rocks!
byKent Chen
 
用十分鐘 向jserv學習作業系統設計
by鍾誠 陳鍾誠
 

What's hot

PPT
Debugging Applications with GNU Debugger
byPriyank Kapadia
 
PDF
C Programming - Refresher - Part I
byEmertxe Information Technologies Pvt Ltd
 
PDF
Launch the First Process in Linux System
byJian-Hong Pan
 
PDF
What Can Compilers Do for Us?
byNational Cheng Kung University
 
PDF
The Internals of "Hello World" Program
byNational Cheng Kung University
 
PDF
ARM and SoC Traning Part II - System
byNational Cheng Kung University
 
PDF
Constexpr 中3女子テクニック
byGenya Murakami
 
PDF
Linux Porting
byChamp Yen
 
PPTX
Python programming introduction
bySiddique Ibrahim
 
PPTX
为啥别读HotSpot VM的源码(2012-03-03)
byKris Mok
 
PDF
Vim Rocks!
byKent Chen
 
PPT
Python ppt
byMohita Pandey
 
PPT
3 algorithm-and-flowchart
byRohit Shrivastava
 
PPT
Unit 3-pipelining &amp; vector processing
byvishal choudhary
 
PDF
ctfで学ぼうリバースエンジニアリング
byjunk_coken
 
PDF
Develop Your Own Operating System
byNational Cheng Kung University
 
PDF
系統程式 - 附錄
by鍾誠 陳鍾誠
 
PDF
QEMUでARM64bitベアメタルプログラミング
byYuma Ohgami
 
PDF
CRC-32
by7shi
 
PPTX
Debuggers in system software
bygayathri ravi
 
Debugging Applications with GNU Debugger
byPriyank Kapadia
 
C Programming - Refresher - Part I
byEmertxe Information Technologies Pvt Ltd
 
Launch the First Process in Linux System
byJian-Hong Pan
 
What Can Compilers Do for Us?
byNational Cheng Kung University
 
The Internals of "Hello World" Program
byNational Cheng Kung University
 
ARM and SoC Traning Part II - System
byNational Cheng Kung University
 
Constexpr 中3女子テクニック
byGenya Murakami
 
Linux Porting
byChamp Yen
 
Python programming introduction
bySiddique Ibrahim
 
为啥别读HotSpot VM的源码(2012-03-03)
byKris Mok
 
Vim Rocks!
byKent Chen
 
Python ppt
byMohita Pandey
 
3 algorithm-and-flowchart
byRohit Shrivastava
 
Unit 3-pipelining &amp; vector processing
byvishal choudhary
 
ctfで学ぼうリバースエンジニアリング
byjunk_coken
 
Develop Your Own Operating System
byNational Cheng Kung University
 
系統程式 - 附錄
by鍾誠 陳鍾誠
 
QEMUでARM64bitベアメタルプログラミング
byYuma Ohgami
 
CRC-32
by7shi
 
Debuggers in system software
bygayathri ravi
 

Similar to BKK16-503 Undefined Behavior and Compiler Optimizations – Why Your Program Stopped Working With A Newer Compiler

PPTX
Understand more about C
byYi-Hsiu Hsu
 
PDF
2014-06-26 - A guide to undefined behavior in c and c++
byChen-Han Hsiao
 
PDF
C++ integer arithmetic
byarvidn
 
PDF
Lesson 11. Pattern 3. Shift operations
byPVS-Studio
 
PDF
C++ The Principles of Most Surprise
byPatricia Aas
 
PDF
Undefined Behavior: Overview with Examples
byKangjun Heo
 
PDF
C++ Undefined Behavior (Code::Dive 2016)
bySławomir Zborowski
 
PDF
A nice 64-bit error in C
byPVS-Studio
 
PDF
GC in C++0x [eng]
byyak1ex
 
PDF
Lesson 13. Pattern 5. Address arithmetic
byPVS-Studio
 
PDF
C++11 and 64-bit Issues
byAndrey Karpov
 
PDF
Undefined Behavior and Compiler Optimizations (NDC Oslo 2018)
byPatricia Aas
 
PDF
Secure Programming Practices in C++ (NDC Oslo 2018)
byPatricia Aas
 
PDF
Lesson 9. Pattern 1. Magic numbers
byPVS-Studio
 
PDF
Undefined behavior is closer than you think
byAndrey Karpov
 
PDF
A collection of examples of 64 bit errors in real programs
byMichael Scovetta
 
PDF
Safety of 64-bit code
byPVS-Studio
 
PDF
Development of a static code analyzer for detecting errors of porting program...
byPVS-Studio
 
PDF
Wade not in unknown waters. Part three.
byPVS-Studio
 
PDF
13 Jo P Jan 08
byGanesh Samarthyam
 
Understand more about C
byYi-Hsiu Hsu
 
2014-06-26 - A guide to undefined behavior in c and c++
byChen-Han Hsiao
 
C++ integer arithmetic
byarvidn
 
Lesson 11. Pattern 3. Shift operations
byPVS-Studio
 
C++ The Principles of Most Surprise
byPatricia Aas
 
Undefined Behavior: Overview with Examples
byKangjun Heo
 
C++ Undefined Behavior (Code::Dive 2016)
bySławomir Zborowski
 
A nice 64-bit error in C
byPVS-Studio
 
GC in C++0x [eng]
byyak1ex
 
Lesson 13. Pattern 5. Address arithmetic
byPVS-Studio
 
C++11 and 64-bit Issues
byAndrey Karpov
 
Undefined Behavior and Compiler Optimizations (NDC Oslo 2018)
byPatricia Aas
 
Secure Programming Practices in C++ (NDC Oslo 2018)
byPatricia Aas
 
Lesson 9. Pattern 1. Magic numbers
byPVS-Studio
 
Undefined behavior is closer than you think
byAndrey Karpov
 
A collection of examples of 64 bit errors in real programs
byMichael Scovetta
 
Safety of 64-bit code
byPVS-Studio
 
Development of a static code analyzer for detecting errors of porting program...
byPVS-Studio
 
Wade not in unknown waters. Part three.
byPVS-Studio
 
13 Jo P Jan 08
byGanesh Samarthyam
 

More from Linaro

PDF
HKG18-318 - OpenAMP Workshop
byLinaro
 
PPTX
HKG18-120 - Devicetree Schema Documentation and Validation
byLinaro
 
PPTX
HKG18-223 - Trusted FirmwareM: Trusted boot
byLinaro
 
PDF
HKG18-TR08 - Upstreaming SVE in QEMU
byLinaro
 
PDF
HKG18-113- Secure Data Path work with i.MX8M
byLinaro
 
PDF
Deep Learning Neural Network Acceleration at the Edge - Andrea Gallo
byLinaro
 
PDF
HKG18- 115 - Partitioning ARM Systems with the Jailhouse Hypervisor
byLinaro
 
PDF
OpenHPC Automation with Ansible - Renato Golin - Linaro Arm HPC Workshop 2018
byLinaro
 
PDF
Andrew J Younge - Vanguard Astra - Petascale Arm Platform for U.S. DOE/ASC Su...
byLinaro
 
PDF
Bud17 113: distribution ci using qemu and open qa
byLinaro
 
PDF
Arm Architecture HPC Workshop Santa Clara 2018 - Kanta Vekaria
byLinaro
 
PDF
HKG18-501 - EAS on Common Kernel 4.14 and getting (much) closer to mainline
byLinaro
 
PDF
Intelligent Interconnect Architecture to Enable Next Generation HPC - Linaro ...
byLinaro
 
PDF
Huawei’s requirements for the ARM based HPC solution readiness - Joshua Mora
byLinaro
 
PDF
HKG18-100K1 - George Grey: Opening Keynote
byLinaro
 
PDF
Yutaka Ishikawa - Post-K and Arm HPC Ecosystem - Linaro Arm HPC Workshop Sant...
byLinaro
 
PDF
HKG18-501 - EAS on Common Kernel 4.14 and getting (much) closer to mainline
byLinaro
 
PDF
HPC network stack on ARM - Linaro HPC Workshop 2018
byLinaro
 
PDF
HKG18-315 - Why the ecosystem is a wonderful thing, warts and all
byLinaro
 
PDF
It just keeps getting better - SUSE enablement for Arm - Linaro HPC Workshop ...
byLinaro
 
HKG18-318 - OpenAMP Workshop
byLinaro
 
HKG18-120 - Devicetree Schema Documentation and Validation
byLinaro
 
HKG18-223 - Trusted FirmwareM: Trusted boot
byLinaro
 
HKG18-TR08 - Upstreaming SVE in QEMU
byLinaro
 
HKG18-113- Secure Data Path work with i.MX8M
byLinaro
 
Deep Learning Neural Network Acceleration at the Edge - Andrea Gallo
byLinaro
 
HKG18- 115 - Partitioning ARM Systems with the Jailhouse Hypervisor
byLinaro
 
OpenHPC Automation with Ansible - Renato Golin - Linaro Arm HPC Workshop 2018
byLinaro
 
Andrew J Younge - Vanguard Astra - Petascale Arm Platform for U.S. DOE/ASC Su...
byLinaro
 
Bud17 113: distribution ci using qemu and open qa
byLinaro
 
Arm Architecture HPC Workshop Santa Clara 2018 - Kanta Vekaria
byLinaro
 
HKG18-501 - EAS on Common Kernel 4.14 and getting (much) closer to mainline
byLinaro
 
Intelligent Interconnect Architecture to Enable Next Generation HPC - Linaro ...
byLinaro
 
Huawei’s requirements for the ARM based HPC solution readiness - Joshua Mora
byLinaro
 
HKG18-100K1 - George Grey: Opening Keynote
byLinaro
 
Yutaka Ishikawa - Post-K and Arm HPC Ecosystem - Linaro Arm HPC Workshop Sant...
byLinaro
 
HKG18-501 - EAS on Common Kernel 4.14 and getting (much) closer to mainline
byLinaro
 
HPC network stack on ARM - Linaro HPC Workshop 2018
byLinaro
 
HKG18-315 - Why the ecosystem is a wonderful thing, warts and all
byLinaro
 
It just keeps getting better - SUSE enablement for Arm - Linaro HPC Workshop ...
byLinaro
 

Recently uploaded

PDF
Log-based anomaly detection using BiLSTM-Autoencoder
byMohammed BEKKOUCHE
 
PDF
AWS Community Day Indonesia 2025 - Attack the Cloud Before Attackers Do Build...
byMuhammad Yuga Nugraha
 
PDF
Devfest Harare 2025 Slides [GDG Harare] - Combined Slide Deck
byGoogle Developer Group - Harare
 
PDF
n8n - Next Generation Workflow Automation with Open Source
byDaisuke Masuda
 
PDF
Session 7 Specialized AI Associate Series: UiPath Communications Mining Overview
byDianaGray10
 
PDF
Immer vorne mit dabei sein - Roaming leicht gemacht
bypanagenda
 
PDF
Build Agentic AI Applications with Oracle AI Database Private Agent Factory -...
bySandesh Rao
 
PDF
AI Demands More: Help Ensure Network Readiness With ThousandEyes
byThousandEyes
 
PDF
AI64 - Mapping the Next Generation of Enterprise Software | Redpoint Ventures
byRazin Mustafiz
 
PDF
Session 8 Specialized AI Associate Series: Fundamentals of Model Training
byDianaGray10
 
PDF
API Days Australia - API Management in the AI Era
byNilesh Gule
 
PDF
SQL Server BI Modeling Designing Data for Success with SqlDBM.pdf
bySQL DBM
 
PDF
How does a computer vision development company help retailers decode consumer...
byNextbrain Technologies
 
DOCX
Formula 3 - MACO using general limit.docx
byMarkus Janssen
 
PDF
The State of Adventure Capital - Grant Gregory | Cantos
byRazin Mustafiz
 
PDF
Embedding sustainability: Tips for ebook and print production - Tech Forum 2025
byBookNet Canada
 
PDF
Spec Driven Development with Kiro: Ensuring Quality and Traceability in the A...
byHaim Michael
 
PDF
GDG Cloud Southlake #47: Bala Desikan: Build Autonomous Agentic AI Apps on GCP
byJames Anderson
 
PPTX
Building Smarter Integrations with MuleSoft_ MCP Server and Cursor in Action ...
byKunal Gupta
 
PDF
UiPath Community Day UNI - Nuevos productos de UiPath.pdf
byfelixluen
 
Log-based anomaly detection using BiLSTM-Autoencoder
byMohammed BEKKOUCHE
 
AWS Community Day Indonesia 2025 - Attack the Cloud Before Attackers Do Build...
byMuhammad Yuga Nugraha
 
Devfest Harare 2025 Slides [GDG Harare] - Combined Slide Deck
byGoogle Developer Group - Harare
 
n8n - Next Generation Workflow Automation with Open Source
byDaisuke Masuda
 
Session 7 Specialized AI Associate Series: UiPath Communications Mining Overview
byDianaGray10
 
Immer vorne mit dabei sein - Roaming leicht gemacht
bypanagenda
 
Build Agentic AI Applications with Oracle AI Database Private Agent Factory -...
bySandesh Rao
 
AI Demands More: Help Ensure Network Readiness With ThousandEyes
byThousandEyes
 
AI64 - Mapping the Next Generation of Enterprise Software | Redpoint Ventures
byRazin Mustafiz
 
Session 8 Specialized AI Associate Series: Fundamentals of Model Training
byDianaGray10
 
API Days Australia - API Management in the AI Era
byNilesh Gule
 
SQL Server BI Modeling Designing Data for Success with SqlDBM.pdf
bySQL DBM
 
How does a computer vision development company help retailers decode consumer...
byNextbrain Technologies
 
Formula 3 - MACO using general limit.docx
byMarkus Janssen
 
The State of Adventure Capital - Grant Gregory | Cantos
byRazin Mustafiz
 
Embedding sustainability: Tips for ebook and print production - Tech Forum 2025
byBookNet Canada
 
Spec Driven Development with Kiro: Ensuring Quality and Traceability in the A...
byHaim Michael
 
GDG Cloud Southlake #47: Bala Desikan: Build Autonomous Agentic AI Apps on GCP
byJames Anderson
 
Building Smarter Integrations with MuleSoft_ MCP Server and Cursor in Action ...
byKunal Gupta
 
UiPath Community Day UNI - Nuevos productos de UiPath.pdf
byfelixluen
 

BKK16-503 Undefined Behavior and Compiler Optimizations – Why Your Program Stopped Working With A Newer Compiler

  • 1.
    Presented by Date Event Undefined Behaviorand Compiler Optimization Why Your Program Stopped Working With A Newer Compiler Kugan Vivekanandarajah and Yvan Roux BKK16-503 March 11, 2016 Linaro Connect BKK16
  • 2.
    Outline ● What isundefined behavior ● Examples for undefined behavior ● Detecting undefined behavior ● Conclusion
  • 3.
    How many timesdoes this loop iterate ? int d[16]; int SATD (void) { int satd = 0, dd, k; for (dd = d[k = 0]; k<16; dd = d[++k]) { satd += (dd < 0 ? -dd : dd); } return satd; }
  • 4.
    How many timesdoes this loop iterate ? Infinite loop generated on non-infinite code (?) ● 464.h264ref goes into infinite loop for gcc 4.8 ● https://gcc.gnu.org/PR53073 int d[16]; int SATD (void) { int satd = 0, dd, k; for (dd = d[k = 0]; k<16; dd = d[++k]) { satd += (dd < 0 ? -dd : dd); } return satd; }
  • 5.
    How many timesdoes this loop iterate ? ● C standard says: ○ It is legal for a pointer to point to one element past the end ○ Accessing that location is undefined ● Compiler can therefore assume that the “k” can never be 16 at the point of k < 16 int d[16]; int SATD (void) { int satd = 0, dd, k; for (dd = d[k = 0]; k<16; dd = d[++k]) { satd += (dd < 0 ? -dd : dd); } return satd; }
  • 6.
    What is undefinedbehavior ● ISO Standard definition: “behavior, upon use of a nonportable or erroneous program construct or of erroneous data, for which this International Standard imposes no requirements” ● C FAQ definition: “Anything at all can happens; the Standard imposes no requirements. The program may fail to compile, or it may execute incorrectly (either crashing or silently generating incorrect results), or it may fortuitously do exactly what the programmer intended” ● They may lead to very subtle bugs or have critical impact on security ○ Must be avoided by programmers
  • 7.
    Why undefined behaviorexists ? ● C/C++ is designed to be an efficient low-level programming language ● Offers compiler writers freedom to optimize ● Safe languages like Java have few undefined behavior ○ Safe and reproducible behavior across implementations ○ At the expense of performance X*2/2 X Optimized if no overflow Example:
  • 8.
    Other kinds ofbehavior ● Implementation-defined behavior: unspecified behavior where each implementation documents how the choice is made
  • 9.
    Other kinds ofbehavior ● Implementation-defined behavior: unspecified behavior where each implementation documents how the choice is made ● Unspecified behavior: use of an unspecified value, or other behavior where this International Standard provides two or more possibilities and imposes no further requirements on which is chosen in any instance
  • 10.
    Other kinds ofbehavior ● Implementation-defined behavior: unspecified behavior where each implementation documents how the choice is made ● Unspecified behavior: use of an unspecified value, or other behavior where this International Standard provides two or more possibilities and imposes no further requirements on which is chosen in any instance ● Locale-specific behavior: behavior that depends on local conventions of nationality, culture, and language that each implementation documents
  • 11.
    Examples for undefinedbehavior ● Signed integer overflow ● Shifting an n-bit integer by n or more bits ● Divide by zero ● Dereferencing a NULL pointer ● Pointer arithmetic that wraps ● Two pointers of different types that alias ● Reading an uninitialized variable
  • 12.
    How to detectundefined behavior ● Compiler warnings ○ The compiler can issue a warning at compile time when it can statically detect some kind of wrongdoing ● Undefined Behavior Sanitizer - ubsan ○ GCC gained ubsan support from version 4.9 ■ Run-time checker for the C and C++ languages ○ Some undefined uses will not be obvious ■ Input might come from user / other modules and statically not detectable ■ Ubsan can help here with right input
  • 13.
    What will bethe output when int is 32 bit ? #include <stdio.h> int foo (int a) { if (a + 100 > a) printf ("%d GT %dn", a + 100, a); else printf ("%d LT %dn", a + 100, a); return 0; } int main () { foo (100); foo (0x7fffffff); return 0; }
  • 14.
    Signed integer overflow- PR30475 ● Output At -O0 200 GT 100 -2147483549 LT 2147483647 ● Output At -O2 200 GT 100 -2147483549 GT 2147483647 #include <stdio.h> int foo (int a) { if (a + 100 > a) printf ("%d GT %dn", a + 100, a); else printf ("%d LT %dn", a + 100, a); return 0; } int main () { foo (100); foo (0x7fffffff); return 0; }
  • 15.
    Signed integer overflow- PR30475 ● According to C and C++ language standards overflow of a signed value is undefined behavior ○ A correct (standard conforming) C/C++ program must never generate signed overflow ● (int + 100 > int) in example is always true ● -fno-strict-overflow /-fwrapv disables it gcc -O2 t.c -Wstrict-overflow t.c: In function ‘foo’: t.c:4:5: warning: assuming signed overflow does not occur when assuming that (X + c) >= X is always true [-Wstrict-overflow] gcc -O2 t.c -fsanitize=undefined ; ./a.out 200 GT 100 t.c:5:7: runtime error: signed integer overflow: 2147483647 + 100 cannot be represented in type 'int' -2147483549 GT 2147483647
  • 16.
    Signed integer overflowand security implications ● Defence against many software security problems is validating input ● If the validating code is undefined, code can be vulnerable ● An axample from https://lwn. net/Articles/278137/ ○ If the “len” comes from user, then it can be used to overflow the buffer (and exploit) ● Some of these overflow checks are used as common idioms to prevent buffer overflows in security sensitive code if (buffer + len >= buffer_end || buffer + len < buffer) die_a_gory_death ("len is out of rangen"); if (buffer + len >= buffer_end) die_a_gory_death ("len is out of rangen"); Will be optimized into:
  • 17.
    What will bethe output for this ? #include <stdio.h> int foo (int x, int y) { x >>= (sizeof (int) << y); return x; } int main () { printf ("%dn", foo (1000, 3)); return 0; }
  • 18.
    Shifting n-bit integerby n or more bits undefined - PR48418 gcc t.c -O0; ./a.out 1000 gcc t.c -O2; ./a.out 0 gcc -O2 t.c -fsanitize=undefined ; ./a.out t.c:5:4: runtime error: shift exponent 32 is too large for 32-bit type 'int' 1000 #include <stdio.h> int foo (int x, int y) { x >>= (sizeof (int) << y); return x; } int main () { printf ("%dn", foo (1000, 3)); return 0; }
  • 19.
    What will bethe output for this ? #include <stdio.h> int testdiv (int i, int k) { if (k == 0) printf ("found divide by zeron"); return (i / k); } int main() { int i = testdiv (1, 0); return (i); }
  • 20.
    Divide by zero- PR29968 ● Divide by zero is undefined ● Based on error found with PostgreSQL 8.1.5 on Solaris 9 sparc with gcc-4.1 ● Since k is divisor, compiler assumed “k” cannot be zero ○ print statement is optimized away #include <stdio.h> int testdiv (int i, int k) { if (k == 0) printf ("found divide by zeron"); return (i / k); } int main() { int i = testdiv (1, 0); return (i); }
  • 21.
    if (!msize) msize= 1 / msize; /* provoke a signal */ Divide by zero - PR29968 ● Divide by zero is undefined ● Based on error found with PostgreSQL 8.1.5 on Solaris 9 sparc with gcc-4.1 ● Since k is divisor, compiler assumed “k” cannot be zero ○ print statement is optimized away An example from Linux : (http://www.spinics.net/linux/fedora/linux-security-module/msg12814.html) #include <stdio.h> int testdiv (int i, int k) { if (k == 0) printf ("found divide by zeron"); return (i / k); } int main() { int i = testdiv (1, 0); return (i); }
  • 22.
    What will bethe output for this ? unsigned char* addr = (unsigned char*)0xfffffffe; unsigned len = 4; if (addr + len < addr) { printf( "wrapsn"); } else { printf( "no wrapn"); }
  • 23.
    Pointer arithmetic thatwraps - PR54365 (for ARM) gcc -O2 t.c; ./a.out no wrap gcc t.c; ./a.out wraps ● Current version of ubsan does not model this ○ No errors flagged ○ Not all the undefined behaviours are modelled in ubsan / as compiler warnings unsigned char* addr = (unsigned char*)0xfffffffe; unsigned len = 4; if (addr + len < addr) { printf( "wrapsn"); } else { printf( "no wrapn"); }
  • 24.
    static unsigned inttun_chr_poll (struct file *file, poll_table * wait) { struct tun_file *tfile = file->private_data; struct tun_struct *tun = __tun_get(tfile); struct sock *sk = tun->sk; unsigned int mask = 0; if (!tun) return POLLERR; …. } Dereferencing a NULL pointer ● Example from Linux Kernel (https://lwn. net/Articles/342330/)
  • 25.
    Calling a NULLObject - PR68853 ● gcc-6 exposes undefined behavior in Chromium v8 garbage collector ○ Calling a NULL object is undefined ○ -fno-delete-null-pointer-checks gets this to work
  • 26.
    Reading an uninitializedvariable ● Reading an uninitialized variable is undefined behavior ○ Compiler can assign any value to the variable and expressions derived from the variable ● http://kqueue. org/blog/2012/06/25/more- randomness-or-less/ ○ When compiled with a version of LLVM, entire seed computation is optimized away ○ Results of gettimeofday () and getpid () are not used at all ○ srandom () is called with some garbage value. struct timeval tv; unsigned long junk; gettimeofday (&tv, NULL); srandom ((getpid() << 16) ^ tv.tv_sec ^ tv. tv_usec ^ junk);
  • 27.
    Conclusion ● Undefined behaviormeans standard non conforming code ○ Compilers will assume that undefined behavior is not present in the code while optimizing ● Undefined behavior can be subtle and not always obvious ● Use compiler warnings and ubsan to detect them ○ Unfortunately, not all the undefined behavior are modelled in ubsan ○ Know the compiler flags (if any) to disable optimization that might be relying on undefined behavior
  • 28.
    Useful Links: ● http://blog.regehr.org/archives/213 ●http://blog.llvm.org/2011/05/what-every-c-programmer-should-know.html ● http://developerblog.redhat.com/2014/10/16/gcc-undefined-behavior-sanitizer-ubsan ● http://www.open-std.org/ ● https://gcc.gnu.org/onlinedocs/gcc/Standards.html ● http://www.open-std.org/jtc1/sc22/wg14/www/docs/n1124.pdf