Static Analysis Fatigue

My student Peng and I have been submitting lots of bug reports to maintainers of open source software packages. These bugs were found using Peng’s integer undefined behavior detector. We’ve found problems in OpenSSL, BIND, Perl, Python, PHP, GMP, GCC, and many others. As we reported these bugs, I noticed developers doing something funny: in […]

The Future of Compiler Correctness

Notes: This piece is mainly about compilers used for safety-critical or otherwise-critical systems. The intersection of formal methods and compilers for scripting languages is the empty set. Readers may be interested in a companion piece The Future of Compiler Optimization. A half-century of experience in developing compilers has not resulted in a body of widely-used […]

Poll: Do You Want Compiler Bugs to Be Quiet or Loud?

I’m preparing a longer piece on compiler correctness but thought this idea was worth putting into its own short post. The question is: Which would you choose: A compiler that crashes more often, or one that silently generates incorrect code more often? Of course, all real compilers have bugs, and all real compilers display both […]

A Guide to Undefined Behavior in C and C++, Part 3

Also see Part 1 and Part 2. A C or C++ implementation must perform side-effecting operations in program order. For example, if a program executes these lines of code: printf("Hello\n"); printf("world.\n"); It is impermissible for the implementation to print: world. Hello This is obvious, but keep in mind that other things your […]

A Guide to Undefined Behavior in C and C++, Part 2

Also see Part 1 and Part 3. When tools like the bounds checking GCC, Purify, Valgrind, etc. first showed up, it was interesting to run a random UNIX utility under them. The output of the checker showed that these utility programs, despite working perfectly well, executed a ton of memory safety errors such as use […]

A Guide to Undefined Behavior in C and C++, Part 1

Also see Part 2 and Part 3. Programming languages typically make a distinction between normal program actions and erroneous actions. For Turing-complete languages we cannot reliably decide offline whether a program has the potential to execute an error; we have to just run it and see. In a safe programming language, errors are trapped as […]