2. SŁAWEK ZBOROWSKI
WROCŁAW, POLAND
C++ Engineer @
Opinions expressed are solely my own and do not express the
views or opinions of my employer.
2 of 74
31. 2 = 1
a = b
a² = ab
a² − b² = ab − b²
(a − b)(a + b) = b(a − b)
a + b = b
b + b = b
2 = 1
dividing both sides by (a − b), which is zero, invalidates all subsequent operations
in C++ it is even worse!
45. UB IN C/C++
"is undefined": 130 occurrences in the standard
some sources report more than 190 UBs
draft sources are available online, so created an "ub extractor" over them
49. UNDEF MATH OPS
    // wrapped in a function for completeness; the slide shows only the body.
    // Nothing here is undefined: the compiler evaluates the whole loop at
    // compile time and emits only the constant.
    int sum_down() {
        int ret = 0;
        for (int i = 100; i > 0; --i) {
            ret += i;
        }
        return ret;
    }
movl $5050, %eax
    // same for floating point: 1 / 10! * 1e7 ≈ 2.76, truncated to 2
    int scaled_inverse_factorial() {
        float ret = 1;
        for (int i = 10; i > 1; --i) {
            ret /= i;
        }
        return static_cast<int>(ret * 1e7);
    }
movl $2, %eax
50. UNDEFINED MATH OPS
    int globalVar;

    void foo(int x, int y) {
        for (int i = 0; i < 100; ++i) {
            globalVar += i * (y / (x - 2));   // x == 2 divides by zero: undefined
        }
    }
51. UNDEFINED MATH OPS
    int globalVar;

    void foo(int x, int y) {
        // the division is loop-invariant, so the optimizer may hoist it out
        // of the loop like this; the fault then happens before the loop
        // rather than inside it (the slide names the temporary _X, which is
        // an identifier reserved for the implementation, so it is renamed here)
        int quotient = y / (x - 2);
        for (int i = 0; i < 100; ++i) {
            globalVar += i * quotient;
        }
    }
TRAVELLING BUG PROBLEM
52. INT OVERFLOW
example taken from http://www.airs.com/blog/archives/120
    int foo(int i) {
        int k = 0;
        for (int j = i; j < i + 10; ++j, ++k) {}   // i + 10 overflows for i > INT_MAX - 10: undefined
        return k;
    }
foo(30);   // 10
§5[expr]/4
foo(INT_MAX-1); // Oops! the compiler may assume i + 10 cannot overflow and return 10 unconditionally; if the addition wraps at run time instead, the loop never runs and k is 0
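Checked versions of the operations from slides 50 to 52, as an added example (not code from the deck): the zero divisor and INT_MIN / -1 are rejected before dividing, the limit i + 10 is computed with an overflow test on the operands, and the divisor of the loop is validated once, before the loop, so there is nothing left for the optimizer to hoist into a crash. The Checked/Accumulated structs, the function names and the replacement of globalVar by a returned sum are assumptions made for the example.

```cpp
#include <climits>

// Result of a checked int operation: ok == false means the operation would
// have been undefined (or would not fit in int); value is then meaningless.
struct Checked {
    bool ok;
    int value;
};

// Division that refuses both undefined cases: a zero divisor, and
// INT_MIN / -1, whose mathematical result does not fit in int.
Checked checked_div(int y, int d) {
    if (d == 0) return {false, 0};
    if (y == INT_MIN && d == -1) return {false, 0};
    return {true, y / d};
}

// Addition with the overflow test done on the operands, before the add,
// so the add itself never leaves the range of int.
Checked checked_add(int a, int b) {
    if (b > 0 && a > INT_MAX - b) return {false, 0};
    if (b < 0 && a < INT_MIN - b) return {false, 0};
    return {true, a + b};
}

// The loop from slide 52 with the limit i + 10 computed through checked_add;
// returns -1 when the limit would overflow instead of leaving the result to
// whatever the compiler assumes. j never exceeds limit.value <= INT_MAX.
int foo_checked(int i) {
    Checked limit = checked_add(i, 10);
    if (!limit.ok) return -1;
    int k = 0;
    for (int j = i; j < limit.value; ++j, ++k) {}
    return k;
}

// Result of the loop from slide 50: globalVar is replaced by a returned sum
// (assumption), widened to long long so the accumulation cannot overflow.
struct Accumulated {
    bool ok;
    long long value;
};

// The divisor x - 2 and the division y / (x - 2) are validated exactly once,
// before the loop. A bad x is reported here, at a line the programmer can
// see, instead of at an instruction the optimizer chose.
Accumulated accumulate(int x, int y) {
    Checked divisor = checked_add(x, -2);
    if (!divisor.ok) return {false, 0};
    Checked q = checked_div(y, divisor.value);
    if (!q.ok) return {false, 0};
    long long sum = 0;
    for (int i = 0; i < 100; ++i) {
        sum += static_cast<long long>(i) * q.value;
    }
    return {true, sum};
}
```

The pattern is the same in every function: decide whether the operation is defined using only comparisons that are themselves defined, then perform it. UBSan will confirm the guarded code is clean, but the guards are what make it clean without a sanitizer present.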
53. LEFT SHIFT
taken from Chromium bug #3905
    void
    RelocIterator::AdvanceReadPosition() {
      int x = 0;
      for (int i = 0; i < kIntSize; i++) {
        // with i == 3 a byte >= 0x80 is shifted by 24 and the result no
        // longer fits in int: undefined
        x |= static_cast<int>(*--pos_) << i * kBitsPerByte;
      }
      last_position_ += x;
      rinfo_.data_ = last_position_;
    }
§5.8[expr.shift]/2
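The same backwards byte read done with unsigned arithmetic, as an added example that is not V8's code: shifting a uint32_t is defined for every byte value, including 0x80..0xFF shifted by 24, and the final reinterpretation as int32_t goes through memcpy, which is well defined on every two's-complement target (a plain static_cast of an out-of-range unsigned value is implementation-defined before C++20). kIntSize = 4, kBitsPerByte = 8, the function name and the sample byte arrays are assumptions; the bytes are constructed input, not data from the Chromium bug.

```cpp
#include <cstdint>
#include <cstring>

// Assumed constants, matching the names used in the V8 loop.
constexpr int kIntSize = 4;
constexpr int kBitsPerByte = 8;

// Decodes the kIntSize bytes that END at `end`, reading backwards exactly
// like the original (*--pos_): the byte just before `end` is the least
// significant one. Accumulating in uint32_t keeps every shift defined.
int32_t read_int_backwards(const uint8_t* end) {
    const uint8_t* pos = end;
    uint32_t x = 0;
    for (int i = 0; i < kIntSize; i++) {
        x |= static_cast<uint32_t>(*--pos) << (i * kBitsPerByte);
    }
    int32_t result;
    std::memcpy(&result, &x, sizeof result);   // defined: reinterpret the bit pattern
    return result;
}

// Constructed sample input: most significant byte first, because the
// backwards read takes the last byte as the least significant one.
const uint8_t kPositive[kIntSize] = {0x12, 0x34, 0x56, 0x78};   // decodes to 0x12345678
const uint8_t kNegative[kIntSize] = {0xFF, 0xFF, 0xFF, 0xFE};   // decodes to -2
```

The second sample is the case that was undefined in the original: its first byte read is 0xFE and its last is 0xFF, which is shifted by 24. Note that the caller's `last_position_ += x` is a signed addition that can still overflow; it needs the same kind of range check as slide 52.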
54. FLOATING POINT → INT
    void bar(int value);

    void foo(float user_data) {
        bar(user_data);   // implicit float → int conversion; undefined when the truncated value does not fit in int
    }
(approx) int range (x86-64): ±2^31 ≈ ±2.15·10^9
float range (IEEE 754): ±3.4·10^38
Oops!
§4.10[conv.fpint]/1
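A range-checked conversion for the case above, as an added example rather than code from the deck: the float is tested against the two bounds that are exactly representable as float, ±2^31, and NaN is rejected explicitly because it fails every comparison; only then is the conversion performed. The IntResult struct and the function name are assumptions.

```cpp
#include <climits>
#include <cmath>

// Result of a checked conversion: ok == false means the float could not be
// represented as an int and no conversion was performed.
struct IntResult {
    bool ok;
    int value;
};

// Converts a float to int only when the truncated value fits. The bounds are
// the floats -2^31 and 2^31 (INT_MAX itself is not representable as a float,
// 2^31 is): anything below -2^31 or at or above 2^31 truncates to a value
// outside int, which is exactly the undefined case of [conv.fpint].
IntResult float_to_int(float f) {
    if (std::isnan(f)) return {false, 0};
    const float lower = -2147483648.0f;   // -2^31, exactly representable, maps to INT_MIN
    const float upper = 2147483648.0f;    //  2^31, exactly representable, first value that does not fit
    if (f < lower || f >= upper) return {false, 0};
    return {true, static_cast<int>(f)};   // truncation toward zero, defined for this range
}
```

Infinities fall out of the range test, so no separate check is needed for them. The same two-bound test works for double with the same literals, since both bounds are powers of two.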
55. INT → ENUM
    // an unscoped enum without a fixed underlying type: converting an int
    // outside the enumeration's range to it is undefined. (With `enum class`,
    // which always has a fixed underlying type, int by default, the
    // conversion is well defined but can yield a Color that names no
    // enumerator; the check below is still needed then, only before the cast.)
    enum Color {
        Red,
        Blue,
        // ...
        Green,

        Invalid
    };

    void foo(int user_data) {
        if (static_cast<Color>(user_data) > Color::Invalid) {   // the cast happens before any range check: undefined for out-of-range user_data
            // ...
        }
        // ...
    }
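The validated form of that conversion, as an added example that is not the deck's code: the integer is range-checked against the enumerators first and only then converted, so the cast never sees an out-of-range value, whether the enum is scoped or not. The enumerator list (the slide elides some with "// ..."), the use of Invalid as the upper bound and the function names are assumptions.

```cpp
// Constructed enumeration: every valid Color lies in [Red, Invalid), and
// Invalid doubles as the "no such color" result (assumption).
enum class Color { Red, Blue, Green, Invalid };

// Range check on the integer, done before it is ever converted to Color.
bool is_valid_color(int v) {
    return v >= static_cast<int>(Color::Red) && v < static_cast<int>(Color::Invalid);
}

// Converts untrusted input to Color, or to Color::Invalid when it matches no
// enumerator. The static_cast is reached only for values inside the range,
// which is the defined case for scoped and unscoped enums alike.
Color to_color(int user_data) {
    return is_valid_color(user_data) ? static_cast<Color>(user_data) : Color::Invalid;
}
```

If new enumerators are added, they must stay before Invalid, or the bound in is_valid_color silently excludes them; a static_assert on the position of Invalid is a cheap way to enforce that.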
64. USING UBSAN
just add the -fsanitize=undefined compiler flag
can specify what happens upon UB, per check (div by zero, int overflow, array bounds, …):
print & continue (the default), print & exit (-fno-sanitize-recover=…), or trap (-fsanitize-trap=… in Clang)
65. ACHTUNG!
not all HW architectures / OSes are supported out-of-the-box!
it doesn't find everything
72. DISCLAIMERS
ISO C++ standard used: N4606 (2016-07-12)
Compiler used for hunting: Clang 4.0
no animals were harmed in the making of this presentation
73. WRAP UP
UB is dangerous
UB exists because of high performance needs
UB can be fought with UB sanitizer