Finding and Understanding Bugs in C Compilers. Xuejun Yang, Yang Chen, Eric Eide, John Regehr. University of Utah.


1 Finding and Understanding Bugs in C Compilers
Xuejun Yang, Yang Chen, Eric Eide, John Regehr
University of Utah

2 C compilers should be correct
– Part of trusted computing base
– Used to compile OS and safety critical applications
But sometimes compilers are incorrect
– Fail to compile a valid program
– Generate wrong code

3 Contributions
Developed Csmith, a random C program generator that is expressive and generates unambiguous code
Used Csmith to find 382 bugs in widely used C compilers
– Most of the bugs have been fixed

4 [Diagram labels: Random Generator: Csmith; C program; gcc -O0, gcc -O2, clang -Os, …; results; vote; majority; minority]


7 Why Csmith Works
Unambiguous: avoid undefined or unspecified behaviors that create ambiguous meanings of a program
– Integer undefined behavior
– Use without initialization
– Unspecified evaluation order
– Use of dangling pointer
– Null pointer dereference
– OOB array access
Expressiveness: support most commonly used C features
– Integer operations
– Loops (with break/continue)
– Conditionals
– Function calls
– Const and volatile
– Structs and Bitfields
– Pointers and arrays
– Goto


9 Avoiding Undefined/unspecified Behaviors

| Problem | Generation Time Solution | Run Time Solution |
| Integer undefined behaviors | Constant folding/propagation; Algebraic simplification | Safe math wrappers |
| Use without initialization | explicit initializers | |
| OOB array access | Force index within range | Take modulus |
| Null pointer dereference | Inter-procedural points-to analysis | |
| Use of dangling pointers | Inter-procedural points-to analysis | |
| Unspecified evaluation order | Inter-procedural effect analysis | |
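
An added example (not from the slides and not Csmith's own code) of the run-time solutions listed on slide 9: safe math wrappers for integer operations and a modulus on array indices. The function names and the policy of returning the left operand when the operation would be undefined are assumptions made for this example.

```c
#include <stdint.h>
#include <stdio.h>
/* Hypothetical wrapper names for this example, not Csmith's runtime header.
 * Assumed policy: when the operation would be undefined, return the left operand. */
static int32_t safe_add_i32(int32_t a, int32_t b)
{
    /* Signed overflow is undefined, so test the operands before adding. */
    if ((b > 0 && a > INT32_MAX - b) || (b < 0 && a < INT32_MIN - b))
        return a;
    return a + b;
}

static int32_t safe_div_i32(int32_t a, int32_t b)
{
    /* Undefined for b == 0 and for INT32_MIN / -1. */
    if (b == 0 || (a == INT32_MIN && b == -1))
        return a;
    return a / b;
}

static int32_t safe_shl_i32(int32_t a, int n)
{
    /* Undefined for negative a, a count outside [0, 31], or a lost bit. */
    if (a < 0 || n < 0 || n >= 32 || a > (INT32_MAX >> n))
        return a;
    return a << n;
}

#define LEN 8
static int32_t g_arr[LEN] = {1, 2, 3, 4, 5, 6, 7, 8}; /* explicit initializer */

/* OOB array access, run-time solution: take the index modulo the length. */
static int32_t safe_load(uint32_t idx) { return g_arr[idx % LEN]; }

/* Stand-in for a generated program body: no step is undefined, so every
 * compiler and optimization level must produce the same checksum. */
static uint32_t checksum(void)
{
    int32_t x = safe_add_i32(INT32_MAX, safe_load(13)); /* would overflow  */
    int32_t y = safe_div_i32(INT32_MIN, -1);            /* would trap      */
    int32_t z = safe_shl_i32(safe_load(10), 40);        /* bad shift count */
    return (uint32_t)x ^ (uint32_t)y ^ (uint32_t)z;
}

int main(void)
{
    printf("checksum = %08X\n", (unsigned)checksum());
    return 0;
}
```

Because the wrappers remove every undefined case, a checksum that differs between two compilers or optimization levels points at a miscompilation rather than at an ambiguous test program.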

10 Code Generator [diagram labels: assign; LHS; RHS; call func_2; *q; …; Generation Time Analyzer; validate; ok? no]

11 Code Generator [diagram labels: assign; LHS; RHS; call func_2; …; Generation Time Analyzer]

12 Code Generator [diagram labels: assign; LHS; RHS; call func_2; *p; …; Generation Time Analyzer; validate; ok? yes; update facts]

13 From March, 2008 to present:

| Compiler | Bugs reported (fixed) |
| GCC | 104 (86) |
| LLVM | 228 (221) |
| Others (Compcert, icc, armcc, tcc, cil, suncc, open64, etc) | 50 |
| Total | 382 |

GCC: Accounts for 1% total valid GCC bugs reported in the same period
LLVM: Accounts for 3.5% total valid LLVM bugs reported in the same period
Do they matter?
– 25 priority 1 bugs for GCC
– 8 of our bugs were re-reported by others

14 Bug Dist. Across Compiler Stages

| Stage | GCC | LLVM |
| Front end | 1 | 11 |
| Middle end | 71 | 93 |
| Back end | 28 | 78 |
| Unclassified | 4 | 46 |
| Total | 104 | 228 |

15 [Figures: Coverage of GCC; Coverage of LLVM/Clang]

16 Common Compiler Bug Pattern
[Diagram labels: Compiler Optimization; Analysis; Safety Check, if (condition1 && condition2), with Y and N branches; Transformation; annotation: missing safety condition]

17 CompCert Bugs
Certified C compiler
11 bugs reported
– All in the unproved front end or back end
– No bugs in the proved part
Developing compiler optimizations within a proof framework is helpful for compiler correctness

18 Conclusion
By randomly generating expressive and unambiguous test cases, we have found, and continue to find, compiler bugs effectively
Csmith is open source: http://embed.cs.utah.edu/csmith

