C++ Undefined Behavior (Code::Dive 2016)
•
0 gefällt mir•364 views
C++ Undefined Behavior (Code::Dive 2016)
Empfohlen
Empfohlen
Weitere ähnliche Inhalte
Andere mochten auch
Andere mochten auch (12)
Ähnlich wie C++ Undefined Behavior (Code::Dive 2016)
Ähnlich wie C++ Undefined Behavior (Code::Dive 2016) (20)
Mehr von Sławomir Zborowski
Mehr von Sławomir Zborowski (7)
Kürzlich hochgeladen
Kürzlich hochgeladen (20)
C++ Undefined Behavior (Code::Dive 2016)
- 1. UNDEFINED BEHAVIORUNDEFINED BEHAVIOR SŁAWOMIR ZBOROWSKISŁAWOMIR ZBOROWSKI CODE::DIVE V3.0 (2016), WROCŁAW, PLCODE::DIVE V3.0 (2016), WROCŁAW, PL http://www.krschannel.com/blackhole.jpg 1 of 74
- 2. SŁAWEK ZBOROWSKISŁAWEK ZBOROWSKI WROCŁAW, POLANDWROCŁAW, POLAND C++ Engineer @ Opinions expressed are solely my own and do not express the views or opinions of my employer. 2 of 74
- 3. TARGET AUDIENCETARGET AUDIENCE 3 of 74
- 4. OUTLINEOUTLINE low level = danger perils of undefined behavior undefined behavior what, where & why? UB in C/C++ list, examples ub sanitizer motivation, usage, ubsan in action 4 of 74
- 5. OUTLINEOUTLINE low level = danger perils of undefined behavior undefined behavior what, where & why? UB in C/C++ list, examples ub sanitizer motivation, usage, ubsan in action 5 of 74
- 6. UNRTF STORYUNRTF STORY 6 of 74
- 8. UNRTF STORYUNRTF STORY 8 of 74
- 9. UNRTF STORYUNRTF STORY 9 of 74
- 13. UNRTF STORYUNRTF STORY 1 from subprocess import Popen, PIPE 2 3 # ... 4 5 p = Popen(["unrtf"], stdin=PIPE, stdout=PIPE, stderr=PIPE) 6 7 r = p.communicate(input_data) 13 of 74
- 14. UNRTF STORYUNRTF STORY 1 from subprocess import Popen, PIPE 2 3 # ... 4 5 p = Popen(["unrtf"], stdin=PIPE, stdout=PIPE, stderr=PIPE) 6 7 r = p.communicate(input_data) http://ci.memecdn.com/53/5397053.jpg 14 of 74
- 16. C++C++ 10X FASTER10X FASTER 16 of 74
- 17. UNRTF STORYUNRTF STORY 17 of 74
- 18. UNRTF STORYUNRTF STORY 18 of 74
- 19. UNRTF STORYUNRTF STORY 19 of 74
- 20. UNRTF STORYUNRTF STORY global-buffer-overflow @ font entry table 20 of 74
- 23. OUTLINEOUTLINE low level = danger perils of undefined behavior undefined behavior what, where & why? UB in C/C++ list, examples ub sanitizer motivation, usage, ubsan in action 23 of 74
- 24. THE DEFINITONTHE DEFINITON 24 of 74
- 25. BUT WHAT DOES IT MEAN?BUT WHAT DOES IT MEAN? actually anything and this is the most frightening thing… 25 of 74
- 26. UB CAN EXHIBITUB CAN EXHIBIT - SIMPLY NOTHING- SIMPLY NOTHING you don't want this 26 of 74
- 27. UB CAN EXHIBITUB CAN EXHIBIT - WEIRD BEHAVIOR- WEIRD BEHAVIOR a little bit better, but still not preferred 27 of 74
- 28. UB CAN EXHIBITUB CAN EXHIBIT - A CRASH- A CRASH https://i.imgur.com/YxjYp.jpg this is what you want 28 of 74
- 29. UB OUTSIDE C/C++UB OUTSIDE C/C++ C++ is not the only one: Fortran … Go Rust (Unsafe Rust) 29 of 74
- 31. 2 = 12 = 1 a = b a2 = ab a2 – b2 = ab – b2 (a – b)(a + b) = b(a – b) a + b = b b + b = b 2 = 1 division by zero invalidates all subsequent operations in C++ it is even worse! 31 of 74
- 36. WHY NOT AVOID UB AT ALL?WHY NOT AVOID UB AT ALL? 36 of 74
- 37. 37 of 74
- 38. Is bounds checking in C or C++ expensive? 38 of 74
- 39. 39 of 74
- 40. 40 of 74
- 41. OUTLINEOUTLINE low level = danger perils of undefined behavior undefined behavior what, where & why? UB in C/C++ list, examples ub sanitizer motivation, usage, ubsan in action 41 of 74
- 42. , ACCU 2016 the more complicated the code, the higher chance it contains UB J. Daniel Garcia 42 of 74
- 43. arr[i] = i++; // you think it's safe? 43 of 74
- 44. 44 of 74
- 45. UB IN C/C++UB IN C/C++ "is undefined" - 130 occurences in the standard report more than 190 UBs available online, so created some sources dra� sources "ub extractor" 45 of 74
- 46. UB EXTRACTORUB EXTRACTOR 46 of 74
- 47. ARRAY BOUNDARIESARRAY BOUNDARIES 47 of 74
- 48. MODIFYING CONSTSMODIFYING CONSTS 1 char * PREFERRED_PROTOCOL_VERSION = "2.0"; 2 3 void foo(Environment const& environment) { 4 if (environment.get("PROTO_V1")) { 5 PREFERRED_PROTOCOL_VERSION[0] = '1'; // KABOOM 6 } 7 } §7.1.7.1[dcl.type.cv]/4 48 of 74
- 49. UNDEF MATH OPSUNDEF MATH OPS 1 int ret = 0; 2 for (int i = 100; i > 0; --i) { 3 ret += i; 4 } 5 return ret; movl $5050, %eax 1 float ret = 1; 2 for (int i = 10; i > 1; --i) { 3 ret /= i; 4 } 5 return static_cast<int>(ret * 1e7); movl $2, %eax 49 of 74
- 50. UNDEFINED MATH OPSUNDEFINED MATH OPS 1 void foo(int x, int y) { 2 for (int i = 0; i < 100; ++i) { 3 globalVar += i * (y / (x - 2)); 4 } 5 } 50 of 74
- 51. UNDEFINED MATH OPSUNDEFINED MATH OPS 1 void foo(int x, int y) { 2 int _X = y / (x - 2); 3 for (int i = 0; i < 100; ++i) { 4 globalVar += i * _X; 5 } 6 } TRAVELLING BUG PROBLEMTRAVELLING BUG PROBLEM 51 of 74
- 52. INT OVERFLOWINT OVERFLOW example taken from http://www.airs.com/blog/archives/120 1 int foo(int i) { 2 int k = 0; 3 for (int j = i; j < i + 10; ++j, ++k); 4 return k; 5 } foo(30); §5[expr]/4 foo(INT_MAX-1); // Oops! 52 of 74
- 53. taken from LEFT SHIFTLEFT SHIFT Chromium bug #3905 1 void 2 RelocIterator::AdvanceReadPosition() { 3 int x = 0; 4 for (int i = 0; i < kIntSize; i++) { 5 x |= static_cast<int>(*--pos_) << i * kBitsPerByte; 6 } 7 last_position_ += x; 8 rinfo_.data_ = last_position_; 9 } §5.8[expr.shi�]/2 53 of 74
- 54. FLOATING POINT → INTFLOATING POINT → INT 1 void bar(int value); 2 3 void foo(float user_data) { 4 bar(user_data); 5 } (approx) int range (x86-64): ±231 ±2.15·109 float range (iee754): ±3.4·1038 Oops! §4.10[conv.fpint]/1 54 of 74
- 55. INT → ENUMINT → ENUM 1 enum class Color { 2 Red, 3 Blue, 4 // ... 5 Green, 6 7 Invalid 8 }; 9 10 void foo(int user_data) { 11 if (static_cast<Color>(user_data) > Color::Invalid) { 12 // ... 13 } 14 // ... 15 } 55 of 74
- 56. BOOL ∉ {TRUE,FALSE}BOOL ∉ {TRUE,FALSE} §3.9.1[basic.fundamental]/6 56 of 74
- 57. DANGEROUS CONSTRUCTORSDANGEROUS CONSTRUCTORS 1 struct Screen : ScreenBase { 2 ScreenResolution getResolution(VideoMode const&) override { 3 return {}; 4 } 5 6 explicit Screen(VideoMode const& vm) 7 : ScreenBase(getResolution(vm)) { 8 } 9 }; 57 of 74
- 58. DANGEROUS DESTRUCTORSDANGEROUS DESTRUCTORS 1 struct A; 2 void foo(A * a) { 3 delete a; 4 } §5.3.5[expr.delete]/5 BTW — compilers are more verbose nowadays 58 of 74
- 59. DANGEROUS DESTRUCTORSDANGEROUS DESTRUCTORS 1 struct A {}; 2 struct B : public A { std::string foo = "foo"; }; 3 4 void foo() { 5 A * b = new B; 6 delete b; 7 } §5.3.5[expr.delete]/3 59 of 74
- 60. BESIDES UBBESIDES UB conditionally-supported behavior unspecified behavior implementation-defined behavior locale-specific behavior https://www.flickr.com/photos/andrew_jian/475479747 60 of 74
- 61. OUTLINEOUTLINE low level = danger perils of undefined behavior undefined behavior what, where & why? UB in C/C++ list, examples ub sanitizer motivation, usage, ubsan in action 61 of 74
- 62. UBSANUBSAN Undefined Behavior Sanitizer compiler-generated instrumentalization for detecting UB at runtime sibling of ASan, TSan, etc. 62 of 74
- 63. WHY COMPILER-GENERATED?WHY COMPILER-GENERATED? static analysis — no way valgrind-like — too slow separate tool — support for multiple targets needed 63 of 74
- 64. USING UBSANUSING UBSAN just add -fsanitize=undefined compiler flag can specify what happens upon UB print & continue print & exit trap div by zero x int overflow x array bounds x … 64 of 74
- 65. ACHTUNG!ACHTUNG! not all HW architectures / OSes are supported out-of- the-box! it doesn't find everything 65 of 74
- 66. HUNTING FOR UBHUNTING FOR UB vs no UB spotted 66 of 74
- 67. HUNTING FOR UBHUNTING FOR UB vs 67 of 74
- 68. HUNTING FOR UBHUNTING FOR UB https://static.ylilauta.org/files/ke/orig/99tjgpx9/knallil%C3%B6tk%C3%B6tin.jpg 68 of 74
- 69. HUNTING FOR UBHUNTING FOR UB 69 of 74
- 70. HUNTING FOR UBHUNTING FOR UB vs zero UBs 70 of 74
- 71. GOING FURTHER?GOING FURTHER? American Fuzzy Lop (or other) LFS VM/QEMU 71 of 74
- 72. DISCLAIMERSDISCLAIMERS ISO C++ standard used: N4606 (2016-07-12) Compiler used for hunting: Clang 4.0 no animals were harmed in the making of this presentation 72 of 74
- 73. WRAP UPWRAP UP UB is dangerous UB exists because of high performance needs UB can be fought with UB sanitizer 73 of 74