-
Finding Undefined Behavior Bugs by Finding Dead Code
Here’s a draft of a very cool paper by Xi Wang and others at MIT; it is going to appear at the next SOSP. The idea is to look for code that becomes dead when a C/C++ compiler is smart about exploiting undefined behavior. The classic example of this class of error was found in…
-
What Other Dynamic Checkers for C/C++ are Needed?
Detectors for memory-related undefined behaviors in C/C++, while being imperfect, are at least something that smart people have spent a lot of time thinking about. Integer-related undefined behaviors have received much less attention, but then again they are a lot simpler than memory unsafety. Today’s question is: What other checkers should we create? Here are…
-
Integer Undefined Behavior Detection using Clang 3.3
Undefined behaviors in C/C++ are harmful to developers: there are many kinds of undefined behavior; they can be hard to understand; their effect changes depending on which compiler version you use, which compiler options you use, and they get worse every time an optimizer gets smarter; plenty of them aren’t reliably detected by any tool…
-
Type Punning, Strict Aliasing, and Optimization
One of the basic jobs of a low-level programming language like C or C++ is to make it easy to peek and poke at data representations, as opposed to providing opaque high-level abstractions. Access to representations supports grungy tasks such as JIT compiling, setting up page tables, driving peripherals, and communicating with machines that use…
-
Crashy Compiler Flags
This post is for fun, no deep thoughts will be presented. For a research project that’s not yet ready to write up, I needed a bunch of real programs (as opposed to, for example, programs generated by Csmith) that cause compilers to crash. So I built a few hundred randomly chosen revisions of GCC and LLVM/Clang…
-
Memory Safe C/C++: Time to Flip the Switch
For a number of years I’ve been asking: If the cost of memory safety bugs in C/C++ codes is significant, and if solutions are available, why aren’t we using them in production systems? Here’s a previous blog post on the subject and a quick summary of the possible answers to my question: The cost of…
-
Fuzzers Need Taming
[This post explains a paper that we recently made available; it’s going to be presented at PLDI 2013.] Random testing tools, or fuzzers, are excellent at finding bugs that human testers miss. A particularly important use case for fuzzing is finding exploitable bugs, and companies such as Google use clusters to do high-throughput fuzzing. Whether…
-
Exhaustive Testing is Not a Proof of Correctness
It is often said that exhaustively testing a piece of software is equivalent to performing a proof of correctness. Although this idea is intuitively appealing—and I’ve said it myself a few times—it is incorrect in a technical sense and also in practice. What’s wrong with exhaustive testing in practice? The problem comes from the question:…
-
Proofs from Tests
An idea that I’ve been interested in for a while is that a good test suite should be able to directly support formal verification. How would this work, given that testing usually misses bugs? The basic insight is that a test case is usually telling us about more than just one execution: it’s telling us…
-
str2long Contest Results Part 1
[NOTE: Reading this post only makes sense if you read and cared about this previous post.] Ok, evaluating the submissions has been more work than I anticipated, and also things have gotten pretty busy at work, so I’m going to split the evaluation of the submissions into two parts. This first part will discuss objective…