Category: Software Correctness

  • Undefined Behavior Consequences Contest Winners

    The contest that I posted the other day received some very nice entries. I decided to pick multiple winners since the best entries illustrate consequences of several kinds of undefined behavior. First, here’s the runner up, submitted by Octoploid: This program is undefined by C99, where signed left shifts must not push a 1 bit…

  • Contest: Craziest Compiler Output due to Undefined Behavior

    [UPDATE: Winners are here.] The C and C++ standards fail to assign a meaning to a program that overflows a signed integer or performs any of the 190+ other kinds of undefined behavior. In principle, a conforming compiler can turn such a program into a binary that posts lewd messages to Twitter and then formats…

  • Parallelizing Delta Debugging

    Delta debugging is a technique for taking an input to a computer program that causes the program to display a certain behavior (such as crashing) and automatically creating a smaller input that triggers the same behavior. For complex programs that typically process large inputs (compilers, web browsers, etc.) delta debugging is an important part of…

  • When is Undefined Behavior OK?

    Under what circumstances is it acceptable for a programming language to admit undefined behaviors? Here I mean undefined behavior in the C/C++ sense where, for example, “anything can happen” when you use an uninitialized variable. In my opinion, five conditions need to be fulfilled. First, the undefined behavior must provide a significant, robust performance win.…

  • Academic Attention for Undefined Behavior

    Undefined behaviors are like blind spots in a programming language; they are areas where the specification imposes no requirements. In other words, if you write code that executes an operation whose behavior is undefined, the language implementation can do anything it likes. In practice, a few specific undefined behaviors in C and C++ (buffer overflows and…

  • Burning in a Module with Random Unit Testing

    Sometimes a class or subsystem makes us uneasy; when something goes wrong in our software, we’ll immediately suspect the shady module is somehow involved. Often this code needs to be scrapped or at least refactored, but other times it’s just immature and needs to be burned in. Randomized unit testing can help with this burn-in process,…

  • Slightly More Sensible Signed Left-Shifts in C11 and C++11

    Left-shift of signed integers in C99, C11, and C++11 is difficult to use because shifting a 1 bit into or past the sign bit (assuming two’s complement, of course) is an undefined behavior. Many medium and large C and C++ programs do this. For example, many codes use 1<<31 for INT_MIN. IOC can detect this…
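The rule the post describes can be checked mechanically before a shift is performed. The following is an added example, not code from the post or from IOC: it decides whether `x << n` on an `int` is defined under the C99 rule (count in range, `x` nonnegative, and `x * 2^n` representable in `int`, which is exactly the condition that no 1 bit reaches the sign bit) and performs the shift in unsigned arithmetic, where every in-range count is defined. It assumes `int` has no padding bits; the names `shl_defined`, `checked_shl` and `shl_value_or` are mine.

```c
#include <limits.h>
#include <stddef.h>
#include <stdio.h>

/* Width of int in bits; assumes int has no padding bits (true on every mainstream ABI). */
#define INT_WIDTH_BITS ((int)(sizeof(int) * CHAR_BIT))

/* Returns 1 when x << n is defined for int under the C99 rule, 0 when it is undefined:
   the count must lie in [0, width), x must be nonnegative, and x * 2^n must fit in int,
   i.e. no 1 bit may be shifted into or past the sign bit. */
int shl_defined(int x, int n)
{
    if (n < 0 || n >= INT_WIDTH_BITS)
        return 0;                                   /* out-of-range count: undefined for any x */
    if (x < 0)
        return 0;                                   /* negative left operand: undefined */
    return (unsigned)x <= ((unsigned)INT_MAX >> n); /* result would exceed INT_MAX: undefined */
}

/* Checked shift: stores the exact result in *out and returns 1, or returns 0 and leaves *out
   alone when the shift would be undefined. The shift itself is done on unsigned int, where any
   in-range count is defined; the result is known to be <= INT_MAX, so converting back is exact. */
int checked_shl(int x, int n, int *out)
{
    if (!shl_defined(x, n))
        return 0;
    *out = (int)((unsigned)x << n);
    return 1;
}

/* Convenience wrapper: the shifted value, or `fallback` when the shift is undefined. */
int shl_value_or(int x, int n, int fallback)
{
    int r;
    return checked_shl(x, n, &r) ? r : fallback;
}

int main(void)
{
    int r;
    /* 1 << 31 is the common idiom for INT_MIN; with a 32-bit int the shift is undefined. */
    if (checked_shl(1, 31, &r))
        printf("1 << 31 = %d (defined here because int is %d bits wide)\n", r, INT_WIDTH_BITS);
    else
        printf("1 << 31 is undefined for a %d-bit int; write INT_MIN instead\n", INT_WIDTH_BITS);
    printf("3 << 4 = %d\n", shl_value_or(3, 4, -1));
    return 0;
}
```

The check implements the strictest of the three rules, so code that passes it is defined under C99, C11 and C++11 alike; C++11 additionally permits the specific case where the only bit that moves is one shifted into the sign bit (so `1 << 31` yields `INT_MIN` there), but not shifts past it. For existing code, compiling with clang's or gcc's `-fsanitize=shift` reports the undefined cases at run time instead of silently folding them.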

  • The Central Limit Theorem Makes Random Testing Hard

    I believe that the central limit theorem provides a partial explanation for why it can be very difficult to create an effective random tester for a software system. Random testing is carpet bombing for software: the more of the system you can hit, the better it works. The central limit theorem, however, tells us that…
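The effect the central limit theorem predicts can be measured directly. The following is an added example (mine, not code from the post): a toy generator builds each test input from 100 independent coin flips, so the number of heads is approximately normal with mean 50 and standard deviation 5, and an input with 70 or more heads (four standard deviations out, the kind of extreme input that exercises a rare path) almost never appears no matter how many tests are run. A second generator draws the coin's bias afresh for every test, which moves the variation from inside one input to across inputs and makes the tail reachable. The generator, the 70-heads threshold and the PRNG are constructed for this example.

```c
#include <stdint.h>
#include <stdio.h>

/* Deterministic xorshift32 so the experiment is reproducible offline. */
static uint32_t rng_state = 2463534242u;

static uint32_t rng_next(void)
{
    uint32_t x = rng_state;
    x ^= x << 13;
    x ^= x >> 17;
    x ^= x << 5;
    return rng_state = x;
}

/* Uniform double in [0, 1). */
static double rng_unit(void)
{
    return rng_next() / 4294967296.0;
}

#define INPUT_LEN 100   /* each generated input is the outcome of 100 independent choices */
#define TAIL 70         /* "extreme" input: at least 70 of the 100 choices came out 1 */

/* Generate one input: each of INPUT_LEN positions is 1 with probability p.
   Returns how many 1s it got, the property whose distribution the CLT governs. */
static int generate_count(double p)
{
    int ones = 0;
    for (int i = 0; i < INPUT_LEN; i++)
        ones += rng_unit() < p;
    return ones;
}

/* Fraction of generated inputs that land in the tail when every test uses the same fixed bias p.
   For p = 0.5 the count is ~N(50, 5^2), so TAIL = 70 sits four standard deviations out. */
double tail_fraction_fixed(int trials, double p)
{
    int hits = 0;
    for (int t = 0; t < trials; t++)
        hits += generate_count(p) >= TAIL;
    return (double)hits / trials;
}

/* Same, but the bias is itself drawn uniformly in [0, 1) for each test, so different tests
   sit at different points of the input space instead of all clustering around the mean. */
double tail_fraction_varied(int trials)
{
    int hits = 0;
    for (int t = 0; t < trials; t++)
        hits += generate_count(rng_unit()) >= TAIL;
    return (double)hits / trials;
}

int main(void)
{
    printf("fixed bias 0.5:  %.4f of inputs have >= %d ones\n", tail_fraction_fixed(10000, 0.5), TAIL);
    printf("bias per test:   %.4f of inputs have >= %d ones\n", tail_fraction_varied(10000), TAIL);
    return 0;
}
```

With the fixed-bias generator the tail fraction is on the order of 1e-5 (the exact binomial tail), so ten thousand tests typically hit it zero or one time; drawing the bias per test puts roughly a quarter of all inputs there. The same arithmetic applies to any generator whose inputs are sums of many small independent decisions, whether the "count" is the number of a particular token, the nesting depth, or the length of a list.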

  • 1500+ Bugs from One Fuzzer

    This metabug links to all of the defects found in Firefox’s JavaScript engine by jsfunfuzz. The surprise here isn’t that bugs were found, but rather that more than 1500 bugs were found in a single language runtime by a single test case generator. I’m interested in exactly what is going on here. One possibility would be…

  • Announcing C-Reduce: A Better Test-Case Reducer for C/C++ Compiler Debugging

    Test-case reduction means taking a large input to a computer program (for compiler debugging, the input is itself a program) and turning it into a much smaller input that still triggers the bug. It is a very important part of the debugging process. Delta, an excellent open-source implementation of the delta debugging algorithm ddmin, has been the test-case reduction…
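The ddmin algorithm referred to here and in the "Parallelizing Delta Debugging" item above is short enough to show in full. The following is an added example, mine rather than code from Delta or C-Reduce: the complement-only variant of ddmin over a byte string, which repeatedly tries to delete chunks of the current input and keeps every deletion that still makes the interestingness test pass, refining the chunk size until no single byte can be removed. The interestingness test is a stand-in for running the compiler: it is constructed so that the "bug" fires whenever the text still contains both `<<` and `31`. The input string, the predicate and the 256-byte scratch buffer are assumptions of this example; Delta works on lines and C-Reduce on syntax-aware transformations, but the control loop is the same.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* The "interestingness" test: does this candidate input still trigger the bug?
   A real reducer runs the compiler here. */
typedef int (*interesting_fn)(const char *s, size_t len);

static size_t test_calls;   /* how many times the predicate ran: the cost that matters in practice */

/* Constructed stand-in for the compiler: the bug "fires" if both "<<" and "31" survive. */
static int still_triggers(const char *s, size_t len)
{
    char buf[256];          /* ample for this example's constructed input */
    if (len >= sizeof buf)
        return 0;
    memcpy(buf, s, len);
    buf[len] = '\0';
    test_calls++;
    return strstr(buf, "<<") != NULL && strstr(buf, "31") != NULL;
}

/* ddmin, complement-only variant: split the current input into n chunks and try deleting each;
   on success keep the smaller input and coarsen (n-1), on failure refine (2n) until chunks are
   single bytes. Terminates 1-minimal: deleting any one remaining byte makes the test stop
   passing. Writes the result to `out` (which must hold len bytes) and returns its length. */
size_t ddmin(const char *in, size_t len, interesting_fn test, char *out)
{
    char *cur = malloc(len + 1), *cand = malloc(len + 1);
    size_t cur_len = len, n = 2;
    memcpy(cur, in, len);
    while (cur_len >= 2) {
        int reduced = 0;
        for (size_t i = 0; i < n && !reduced; i++) {
            size_t start = cur_len * i / n, end = cur_len * (i + 1) / n;  /* chunk i = [start, end) */
            size_t clen = cur_len - (end - start);
            memcpy(cand, cur, start);                          /* bytes before the chunk */
            memcpy(cand + start, cur + end, cur_len - end);    /* bytes after the chunk */
            if (test(cand, clen)) {
                memcpy(cur, cand, clen);
                cur_len = clen;
                n = n > 2 ? n - 1 : 2;      /* deletion worked: try coarser chunks again */
                reduced = 1;
            }
        }
        if (!reduced) {
            if (n >= cur_len)
                break;                      /* already at single-byte granularity: done */
            n = 2 * n < cur_len ? 2 * n : cur_len;  /* nothing deletable at this size: refine */
        }
    }
    memcpy(out, cur, cur_len);
    free(cur);
    free(cand);
    return cur_len;
}

/* Runs the reduction on a constructed input and returns the NUL-terminated result. */
const char *reduce_demo(void)
{
    static char out[64];
    const char *input = "int x = 1 << 31; foo(); bar();";   /* constructed "failing program" */
    size_t n = ddmin(input, strlen(input), still_triggers, out);
    out[n] = '\0';
    return out;
}

int main(void)
{
    test_calls = 0;
    const char *r = reduce_demo();
    printf("reduced to \"%s\" after %zu interestingness tests\n", r, test_calls);
    return 0;
}
```

The 30-byte input reduces to the four bytes `<<31`, the only 1-minimal subsequence that satisfies the predicate, after a few dozen predicate calls rather than the 2^30 an exhaustive search would need. Each pass over the n chunks is a batch of independent predicate runs, which is the structure the parallelizing post exploits; and in a real setting the predicate must also check that the candidate still fails for the same reason (the same diagnostic, not just any crash), or the reducer will happily hand back a different bug.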