- Counting to 4 Billion Really Fast
Before teaching today I wrote a silly program to make sure that the bitwise complement of any 32-bit value is equal to one less than the two’s complement negation of that value: When the program terminated without any perceptible delay, I figured there was a bug, but nope: the code is good. It turns out…
- C-Reduce 2.1
Over the weekend we released a new version of C-Reduce, a tool for turning a large C/C++ program into a small one that still meets some criterion such as triggering a compiler bug. There are two major improvements since the last release about a year ago: We are now able to run “interestingness tests” in…
- Finding Undefined Behavior Bugs by Finding Dead Code
Here’s a draft of a very cool paper by Xi Wang and others at MIT; it is going to appear at the next SOSP. The idea is to look for code that becomes dead when a C/C++ compiler is smart about exploiting undefined behavior. The classic example of this class of error was found in…
- What Other Dynamic Checkers for C/C++ are Needed?
Detectors for memory-related undefined behaviors in C/C++, while being imperfect, are at least something that smart people have spent a lot of time thinking about. Integer-related undefined behaviors have received much less attention, but then again they are a lot simpler than memory unsafety. Today’s question is: What other checkers should we create? Here are…
- Integer Undefined Behavior Detection using Clang 3.3
Undefined behaviors in C/C++ are harmful to developers: there are many kinds of undefined behavior; they can be hard to understand; their effect changes depending on which compiler version you use and which compiler options you use, and they get worse every time an optimizer gets smarter; plenty of them aren’t reliably detected by any tool…
- Type Punning, Strict Aliasing, and Optimization
One of the basic jobs of a low-level programming language like C or C++ is to make it easy to peek and poke at data representations, as opposed to providing opaque high-level abstractions. Access to representations supports grungy tasks such as JIT compiling, setting up page tables, driving peripherals, and communicating with machines that use…
- Crashy Compiler Flags
This post is for fun, no deep thoughts will be presented. For a research project that’s not yet ready to write up, I needed a bunch of real programs (as opposed to, for example, programs generated by Csmith) that cause compilers to crash. So I built a few hundred randomly chosen revisions of GCC and LLVM/Clang…
- Memory Safe C/C++: Time to Flip the Switch
For a number of years I’ve been asking: If the cost of memory safety bugs in C/C++ codes is significant, and if solutions are available, why aren’t we using them in production systems? Here’s a previous blog post on the subject and a quick summary of the possible answers to my question: The cost of…
- Fuzzers Need Taming
[This post explains a paper that we recently made available; it’s going to be presented at PLDI 2013.] Random testing tools, or fuzzers, are excellent at finding bugs that human testers miss. A particularly important use case for fuzzing is finding exploitable bugs, and companies such as Google use clusters to do high-throughput fuzzing. Whether…
- Stochastic Superoptimization
“Stochastic Superoptimization” is a fancy way to say “randomized search for fast machine code.” It is also the title of a nice paper that was presented recently at ASPLOS. Before getting into the details, let’s look at some background. At first glance the term “superoptimization” sounds like nonsense because the optimum point is already the best one.…