Category: Software Correctness

  • Why Not Mix Signed and Unsigned Values in C/C++?

    Most C/C++ programmers have been told to avoid mixing signed and unsigned values in expressions. However — at least in part because we usually follow this advice — many of us are not totally on top of the underlying issues. This program illustrates what can go wrong: #include <stdio.h> int main (void) {   long…

  • Giving a Talk at the GCC Summit

    Last month I proposed giving a paper presentation at the next GCC Developers’ Summit about our compiler bug finding work. Happily, it was accepted and in late October I’ll head up to Ottawa to tell them what we’ve been doing and what we plan to do. Here’s the abstract: About 60 wrong-code and crash bugs…

  • Static Analysis Fatigue

    My student Peng and I have been submitting lots of bug reports to maintainers of open source software packages. These bugs were found using Peng’s integer undefined behavior detector. We’ve found problems in OpenSSL, BIND, Perl, Python, PHP, GMP, GCC, and many others. As we reported these bugs, I noticed developers doing something funny: in…

  • The Future of Compiler Correctness

    Notes: This piece is mainly about compilers used for safety-critical or otherwise-critical systems. The intersection of formal methods and compilers for scripting languages is the empty set. Readers may be interested in a companion piece The Future of Compiler Optimization. A half-century of experience in developing compilers has not resulted in a body of widely-used…

  • Poll: Do You Want Compiler Bugs to Be Quiet or Loud?

    I’m preparing a longer piece on compiler correctness but thought this idea was worth putting into its own short post. The question is: Which would you choose: A compiler that crashes more often, or one that silently generates incorrect code more often? Of course, all real compilers have bugs, and all real compilers display both…

  • A Guide to Undefined Behavior in C and C++, Part 3

    Also see Part 1 and Part 2. A C or C++ implementation must perform side effecting operations in program order. For example, if a program executes these lines of code: printf ("Hello\n"); printf ("world.\n"); It is impermissible for the implementation to print: world. Hello This is obvious, but keep in mind that other things your…

  • A Guide to Undefined Behavior in C and C++, Part 2

    Also see Part 1 and Part 3. When tools like the bounds checking GCC, Purify, Valgrind, etc. first showed up, it was interesting to run a random UNIX utility under them. The output of the checker showed that these utility programs, despite working perfectly well, executed a ton of memory safety errors such as use…

  • A Guide to Undefined Behavior in C and C++, Part 1

    Also see Part 2 and Part 3. Programming languages typically make a distinction between normal program actions and erroneous actions. For Turing-complete languages we cannot reliably decide offline whether a program has the potential to execute an error; we have to just run it and see. In a safe programming language, errors are trapped as…

  • How to Debug

    One of the painful parts of teaching a lab-based embedded systems course is that over and over I have to watch a team with a relatively simple bug in their code, but who is trying to fix it by repeatedly making random changes. Generally they start with code that’s pretty close to working and break…

  • I Can Solve the World’s Debugging Problems

    Probably 10 times a semester, a student taking one of my courses sends me a mail like this: Dr. Regehr I have this bug I’ve been working on for a long time, I’ve tried everything, I’m going to miss the deadline… and then 15 minutes later, I get another email: Nevermind I figured it out.…