C++ Undefined Behavior (Code::Dive 2016)
0 likes419 views
This document discusses undefined behavior in C/C++ programming and introduces the Undefined Behavior Sanitizer (UBSan) tool. It defines undefined behavior as anything that can result from invalid operations according to the language specification. Examples of undefined behavior in C/C++ include array out of bounds access, integer overflow, null pointer dereferencing, and type punning. UBSan is a compiler-based tool that detects undefined behavior at runtime by instrumenting the compiled binary. It provides a way for developers to find and fix undefined behaviors in their code.
![UNRTF STORYUNRTF STORY
1 from subprocess import Popen, PIPE
2
3 # ...
4
5 p = Popen(["unrtf"], stdin=PIPE, stdout=PIPE, stderr=PIPE)
6
7 r = p.communicate(input_data)
13 of 74](https://image.slidesharecdn.com/cd2016-170327130650/85/C-Undefined-Behavior-Code-Dive-2016-13-320.jpg)
![UNRTF STORYUNRTF STORY
1 from subprocess import Popen, PIPE
2
3 # ...
4
5 p = Popen(["unrtf"], stdin=PIPE, stdout=PIPE, stderr=PIPE)
6
7 r = p.communicate(input_data)
http://ci.memecdn.com/53/5397053.jpg
14 of 74](https://image.slidesharecdn.com/cd2016-170327130650/85/C-Undefined-Behavior-Code-Dive-2016-14-320.jpg)
![arr[i] = i++; // you think it's safe?
43 of 74](https://image.slidesharecdn.com/cd2016-170327130650/85/C-Undefined-Behavior-Code-Dive-2016-43-320.jpg)
![MODIFYING CONSTSMODIFYING CONSTS
1 char * PREFERRED_PROTOCOL_VERSION = "2.0";
2
3 void foo(Environment const& environment) {
4 if (environment.get("PROTO_V1")) {
5 PREFERRED_PROTOCOL_VERSION[0] = '1'; // KABOOM
6 }
7 }
§7.1.7.1[dcl.type.cv]/4
48 of 74](https://image.slidesharecdn.com/cd2016-170327130650/85/C-Undefined-Behavior-Code-Dive-2016-48-320.jpg)
![INT OVERFLOWINT OVERFLOW
example taken from http://www.airs.com/blog/archives/120
1 int foo(int i) {
2 int k = 0;
3 for (int j = i; j < i + 10; ++j, ++k);
4 return k;
5 }
foo(30);
§5[expr]/4
foo(INT_MAX-1); // Oops!
52 of 74](https://image.slidesharecdn.com/cd2016-170327130650/85/C-Undefined-Behavior-Code-Dive-2016-52-320.jpg)
![taken from
LEFT SHIFTLEFT SHIFT
Chromium bug #3905
1 void
2 RelocIterator::AdvanceReadPosition() {
3 int x = 0;
4 for (int i = 0; i < kIntSize; i++) {
5 x |= static_cast<int>(*--pos_) << i * kBitsPerByte;
6 }
7 last_position_ += x;
8 rinfo_.data_ = last_position_;
9 }
§5.8[expr.shi�]/2
53 of 74](https://image.slidesharecdn.com/cd2016-170327130650/85/C-Undefined-Behavior-Code-Dive-2016-53-320.jpg)
![FLOATING POINT → INTFLOATING POINT → INT
1 void bar(int value);
2
3 void foo(float user_data) {
4 bar(user_data);
5 }
(approx) int range (x86-64): ±231 ±2.15·109
float range (iee754): ±3.4·1038
Oops!
§4.10[conv.fpint]/1
54 of 74](https://image.slidesharecdn.com/cd2016-170327130650/85/C-Undefined-Behavior-Code-Dive-2016-54-320.jpg)
![BOOL ∉ {TRUE,FALSE}BOOL ∉ {TRUE,FALSE}
§3.9.1[basic.fundamental]/6
56 of 74](https://image.slidesharecdn.com/cd2016-170327130650/85/C-Undefined-Behavior-Code-Dive-2016-56-320.jpg)
![DANGEROUS DESTRUCTORSDANGEROUS DESTRUCTORS
1 struct A;
2 void foo(A * a) {
3 delete a;
4 }
§5.3.5[expr.delete]/5
BTW — compilers are more verbose nowadays
58 of 74](https://image.slidesharecdn.com/cd2016-170327130650/85/C-Undefined-Behavior-Code-Dive-2016-58-320.jpg)
![DANGEROUS DESTRUCTORSDANGEROUS DESTRUCTORS
1 struct A {};
2 struct B : public A { std::string foo = "foo"; };
3
4 void foo() {
5 A * b = new B;
6 delete b;
7 }
§5.3.5[expr.delete]/3
59 of 74](https://image.slidesharecdn.com/cd2016-170327130650/85/C-Undefined-Behavior-Code-Dive-2016-59-320.jpg)
C++ Undefined Behavior (Code::Dive 2016)
- 1. UNDEFINED BEHAVIORUNDEFINED BEHAVIOR SŁAWOMIR ZBOROWSKISŁAWOMIR ZBOROWSKI CODE::DIVE V3.0 (2016), WROCŁAW, PLCODE::DIVE V3.0 (2016), WROCŁAW, PL http://www.krschannel.com/blackhole.jpg 1 of 74
- 2. SŁAWEK ZBOROWSKISŁAWEK ZBOROWSKI WROCŁAW, POLANDWROCŁAW, POLAND C++ Engineer @ Opinions expressed are solely my own and do not express the views or opinions of my employer. 2 of 74
- 3. TARGET AUDIENCETARGET AUDIENCE 3 of 74
- 4. OUTLINEOUTLINE low level = danger perils of undefined behavior undefined behavior what, where & why? UB in C/C++ list, examples ub sanitizer motivation, usage, ubsan in action 4 of 74
- 5. OUTLINEOUTLINE low level = danger perils of undefined behavior undefined behavior what, where & why? UB in C/C++ list, examples ub sanitizer motivation, usage, ubsan in action 5 of 74
- 6. UNRTF STORYUNRTF STORY 6 of 74
- 8. UNRTF STORYUNRTF STORY 8 of 74
- 9. UNRTF STORYUNRTF STORY 9 of 74
- 13. UNRTF STORYUNRTF STORY 1 from subprocess import Popen, PIPE 2 3 # ... 4 5 p = Popen(["unrtf"], stdin=PIPE, stdout=PIPE, stderr=PIPE) 6 7 r = p.communicate(input_data) 13 of 74
- 14. UNRTF STORYUNRTF STORY 1 from subprocess import Popen, PIPE 2 3 # ... 4 5 p = Popen(["unrtf"], stdin=PIPE, stdout=PIPE, stderr=PIPE) 6 7 r = p.communicate(input_data) http://ci.memecdn.com/53/5397053.jpg 14 of 74
- 16. C++C++ 10X FASTER10X FASTER 16 of 74
- 17. UNRTF STORYUNRTF STORY 17 of 74
- 18. UNRTF STORYUNRTF STORY 18 of 74
- 19. UNRTF STORYUNRTF STORY 19 of 74
- 20. UNRTF STORYUNRTF STORY global-buffer-overflow @ font entry table 20 of 74
- 23. OUTLINEOUTLINE low level = danger perils of undefined behavior undefined behavior what, where & why? UB in C/C++ list, examples ub sanitizer motivation, usage, ubsan in action 23 of 74
- 24. THE DEFINITONTHE DEFINITON 24 of 74
- 25. BUT WHAT DOES IT MEAN?BUT WHAT DOES IT MEAN? actually anything and this is the most frightening thing… 25 of 74
- 26. UB CAN EXHIBITUB CAN EXHIBIT - SIMPLY NOTHING- SIMPLY NOTHING you don't want this 26 of 74
- 27. UB CAN EXHIBITUB CAN EXHIBIT - WEIRD BEHAVIOR- WEIRD BEHAVIOR a little bit better, but still not preferred 27 of 74
- 28. UB CAN EXHIBITUB CAN EXHIBIT - A CRASH- A CRASH https://i.imgur.com/YxjYp.jpg this is what you want 28 of 74
- 29. UB OUTSIDE C/C++UB OUTSIDE C/C++ C++ is not the only one: Fortran … Go Rust (Unsafe Rust) 29 of 74
- 31. 2 = 12 = 1 a = b a2 = ab a2 – b2 = ab – b2 (a – b)(a + b) = b(a – b) a + b = b b + b = b 2 = 1 division by zero invalidates all subsequent operations in C++ it is even worse! 31 of 74
- 36. WHY NOT AVOID UB AT ALL?WHY NOT AVOID UB AT ALL? 36 of 74
- 37. 37 of 74
- 38. Is bounds checking in C or C++ expensive? 38 of 74
- 39. 39 of 74
- 40. 40 of 74
- 41. OUTLINEOUTLINE low level = danger perils of undefined behavior undefined behavior what, where & why? UB in C/C++ list, examples ub sanitizer motivation, usage, ubsan in action 41 of 74
- 42. , ACCU 2016 the more complicated the code, the higher chance it contains UB J. Daniel Garcia 42 of 74
- 43. arr[i] = i++; // you think it's safe? 43 of 74
- 44. 44 of 74
- 45. UB IN C/C++UB IN C/C++ "is undefined" - 130 occurences in the standard report more than 190 UBs available online, so created some sources dra� sources "ub extractor" 45 of 74
- 46. UB EXTRACTORUB EXTRACTOR 46 of 74
- 47. ARRAY BOUNDARIESARRAY BOUNDARIES 47 of 74
- 48. MODIFYING CONSTSMODIFYING CONSTS 1 char * PREFERRED_PROTOCOL_VERSION = "2.0"; 2 3 void foo(Environment const& environment) { 4 if (environment.get("PROTO_V1")) { 5 PREFERRED_PROTOCOL_VERSION[0] = '1'; // KABOOM 6 } 7 } §7.1.7.1[dcl.type.cv]/4 48 of 74
- 49. UNDEF MATH OPSUNDEF MATH OPS 1 int ret = 0; 2 for (int i = 100; i > 0; --i) { 3 ret += i; 4 } 5 return ret; movl $5050, %eax 1 float ret = 1; 2 for (int i = 10; i > 1; --i) { 3 ret /= i; 4 } 5 return static_cast<int>(ret * 1e7); movl $2, %eax 49 of 74
- 50. UNDEFINED MATH OPSUNDEFINED MATH OPS 1 void foo(int x, int y) { 2 for (int i = 0; i < 100; ++i) { 3 globalVar += i * (y / (x - 2)); 4 } 5 } 50 of 74
- 51. UNDEFINED MATH OPSUNDEFINED MATH OPS 1 void foo(int x, int y) { 2 int _X = y / (x - 2); 3 for (int i = 0; i < 100; ++i) { 4 globalVar += i * _X; 5 } 6 } TRAVELLING BUG PROBLEMTRAVELLING BUG PROBLEM 51 of 74
- 52. INT OVERFLOWINT OVERFLOW example taken from http://www.airs.com/blog/archives/120 1 int foo(int i) { 2 int k = 0; 3 for (int j = i; j < i + 10; ++j, ++k); 4 return k; 5 } foo(30); §5[expr]/4 foo(INT_MAX-1); // Oops! 52 of 74
- 53. taken from LEFT SHIFTLEFT SHIFT Chromium bug #3905 1 void 2 RelocIterator::AdvanceReadPosition() { 3 int x = 0; 4 for (int i = 0; i < kIntSize; i++) { 5 x |= static_cast<int>(*--pos_) << i * kBitsPerByte; 6 } 7 last_position_ += x; 8 rinfo_.data_ = last_position_; 9 } §5.8[expr.shi�]/2 53 of 74
- 54. FLOATING POINT → INTFLOATING POINT → INT 1 void bar(int value); 2 3 void foo(float user_data) { 4 bar(user_data); 5 } (approx) int range (x86-64): ±231 ±2.15·109 float range (iee754): ±3.4·1038 Oops! §4.10[conv.fpint]/1 54 of 74
- 55. INT → ENUMINT → ENUM 1 enum class Color { 2 Red, 3 Blue, 4 // ... 5 Green, 6 7 Invalid 8 }; 9 10 void foo(int user_data) { 11 if (static_cast<Color>(user_data) > Color::Invalid) { 12 // ... 13 } 14 // ... 15 } 55 of 74
- 56. BOOL ∉ {TRUE,FALSE}BOOL ∉ {TRUE,FALSE} §3.9.1[basic.fundamental]/6 56 of 74
- 57. DANGEROUS CONSTRUCTORSDANGEROUS CONSTRUCTORS 1 struct Screen : ScreenBase { 2 ScreenResolution getResolution(VideoMode const&) override { 3 return {}; 4 } 5 6 explicit Screen(VideoMode const& vm) 7 : ScreenBase(getResolution(vm)) { 8 } 9 }; 57 of 74
- 58. DANGEROUS DESTRUCTORSDANGEROUS DESTRUCTORS 1 struct A; 2 void foo(A * a) { 3 delete a; 4 } §5.3.5[expr.delete]/5 BTW — compilers are more verbose nowadays 58 of 74
- 59. DANGEROUS DESTRUCTORSDANGEROUS DESTRUCTORS 1 struct A {}; 2 struct B : public A { std::string foo = "foo"; }; 3 4 void foo() { 5 A * b = new B; 6 delete b; 7 } §5.3.5[expr.delete]/3 59 of 74
- 60. BESIDES UBBESIDES UB conditionally-supported behavior unspecified behavior implementation-defined behavior locale-specific behavior https://www.flickr.com/photos/andrew_jian/475479747 60 of 74
- 61. OUTLINEOUTLINE low level = danger perils of undefined behavior undefined behavior what, where & why? UB in C/C++ list, examples ub sanitizer motivation, usage, ubsan in action 61 of 74
- 62. UBSANUBSAN Undefined Behavior Sanitizer compiler-generated instrumentalization for detecting UB at runtime sibling of ASan, TSan, etc. 62 of 74
- 63. WHY COMPILER-GENERATED?WHY COMPILER-GENERATED? static analysis — no way valgrind-like — too slow separate tool — support for multiple targets needed 63 of 74
- 64. USING UBSANUSING UBSAN just add -fsanitize=undefined compiler flag can specify what happens upon UB print & continue print & exit trap div by zero x int overflow x array bounds x … 64 of 74
- 65. ACHTUNG!ACHTUNG! not all HW architectures / OSes are supported out-of- the-box! it doesn't find everything 65 of 74
- 66. HUNTING FOR UBHUNTING FOR UB vs no UB spotted 66 of 74
- 67. HUNTING FOR UBHUNTING FOR UB vs 67 of 74
- 68. HUNTING FOR UBHUNTING FOR UB https://static.ylilauta.org/files/ke/orig/99tjgpx9/knallil%C3%B6tk%C3%B6tin.jpg 68 of 74
- 69. HUNTING FOR UBHUNTING FOR UB 69 of 74
- 70. HUNTING FOR UBHUNTING FOR UB vs zero UBs 70 of 74
- 71. GOING FURTHER?GOING FURTHER? American Fuzzy Lop (or other) LFS VM/QEMU 71 of 74
- 72. DISCLAIMERSDISCLAIMERS ISO C++ standard used: N4606 (2016-07-12) Compiler used for hunting: Clang 4.0 no animals were harmed in the making of this presentation 72 of 74
- 73. WRAP UPWRAP UP UB is dangerous UB exists because of high performance needs UB can be fought with UB sanitizer 73 of 74