Software That Can Result in Undefined or Incorrect Behavior.
Undefined Behaviors in ISO-C: Their Effect on Your Embedded Software Part 1
Optimizing compilers sometimes give you...well, unexpected results. You take probably seen this before, but maybe wasn't certain what happened and why.
This two-part blog is near the undefined behaviors that be in ISO-C, the way optimizing compilers make use of it, which is frequently not well-understood by programmers, and the unpredictable software bugs that result from it and oftentimes show up in code that is attempting security checks.
Although the ISO-C language is widely used to build safety related software, ISO-C is not a "rubber" programming linguistic communication. Errors are not trapped as they happen; instead, they are trapped after executing an erroneous performance. The program continues simply in a silently-faulty fashion that may have observable consequences later on. Furthermore, the ISO-C standard specifies a long list of circumstances, called "undefined behaviors", in which no requirements on the behavior of the program are imposed. Compilers are not required to diagnose undefined behavior, and the compiled programme is non required to do anything meaningful, information technology may crash, silently generate incorrect results, or coincidentally exercise exactly what the programmer intended.
Why does "undefined behavior" exist, and what'due south good nearly it?
Declining to explicitly define the exact behavior of every possible program is not an mistake or weakness in the C linguistic communication specification. Instead it is an important characteristic to underpin the underlying principles of the linguistic communication such as: impose few constraints on the programmer, let low-level admission to the underlying hardware while retaining (some) portability, and enable fast program execution and small lawmaking-size.
Past making the outcome of certain operations intentionally ambiguous dissimilar CPU designs can be supported without sacrificing performance. Considering no specific behavior is required compilers are costless to practice whatever is the nearly efficient for the target platform. For instance, when calculation two signed integers, the compiler does non need to verify and take activeness if the result overflows and becomes negative.
What's bad about undefined behavior?
Undefined behavior, peculiarly in combination with optimizing compilers, as well has a dark side that can cause very subtle bugs that tin can have a critical bear on on rubber and security. Every programmer understands that accessing a null pointer or dividing by zero are erroneous actions that crusade undefined behavior. Writing code to detect and handle such cases seems simple, but information technology is non. Even very experienced programmers are sometimes fooled by the precise meaning of their program when a legalistic interpretation according to the semantics of the ISO-C standard is practical. Compiler developers often base their optimizations on such legalistic estimation of the standard. Sometimes the lawmaking that should notice and handle undefined behaviors is "miraculously", but legally, optimized out of the executable code. I will go deeper into this in Part two.
Other examples of undefined behavior may too be considered as "hands perceived and understood" such as:
- Reading from uninitialized variables
- Signed integer overflow (notice that the beliefs of unsigned integer overflow is divers!)
- Shift equal to or greater than the width of the operand
- Modifying a variable more than once in an expression
- Array / buffer overflow
- Pointer overflow
- Violating type rules
- Modifying a const variable
- Negating INT_MIN
- Modulo operation on a negative signed integer
- Calling a library function without fulfilling the prerequisites
- Information races caused past conflicting actions in different threads
The list is vast, ISO-C11 specifies 203 circumstances that cause undefined behaviors. Due to this large number and the subtleties involved programmers cannot be trusted to reliably avoid undefined behavior, which could event in programs that silently misbehave.
Furthermore, misbehavior due to undefined behavior is non easy to detect using dynamic tests since in most cases the undefined beliefs is exposed for certain inputs but. As a upshot code that contains undefined behaviors may "work" for a while, and then "break" when ported to new hardware, or after upgrading the compiler or irresolute its optimization level.
What do Safety Standards say virtually undefined behavior?
The undefined behavior topic is non explicitly addressed by prophylactic standards such as ISO 26262. Most safety standards refer to other (manufacture) standards that provide rules for safe and secure coding such as MISRA-C and CERT-C. At the SEI CERT website you lot can notice an overview of all undefined behaviors including the coding practices that mitigate the specific case of undefined behavior.
Today some compilers, including all TASKING C/C++ compilers, do discover violations against the MISRA and CERT brash coding practices and warn the programmer accordingly. This ensures that the intentions of the programmer are retained in the compiled program.
In Role 2, I volition show how a compiler can use undefined behavior to optimize the code and potentially outsmart the programmer in his endevour to create safe code.
Source: https://resources.tasking.com/p/undefined-behaviors-iso-c-their-effect-your-embedded-software-part-1
0 Response to "Software That Can Result in Undefined or Incorrect Behavior."
Post a Comment