
GCC undefined behaviors are getting wild

Happy with my recent breakthrough in understanding C integer divisions after weeks of struggle, I was minding my own business having fun writing integer arithmetic code. Life was good, when … zsh: segmentation fault (core dumped).

That code wasn't messing with memory much, so it was more likely to be a side effect of an overflow or something. Using -fsanitize=undefined quickly identified the issue, which confirmed the presence of an integer overflow. The fix was easy, but something felt off. I was under the impression my code was robust enough against that kind of honest mistake. Turns out, the protecting condition I had in place should indeed have been enough, so I tried to extract a minimal reproducible case:

```c
#include <stdio.h>
#include <stdint.h>
#include <stdlib.h>

uint8_t tab[0x1ff + 1];

uint8_t f(int32_t x)
{
    if (x < 0)
        return 0;
    int32_t i = x * 0x1ff / 0xffff;   /* signed overflow possible here */
    if (i >= 0 && i < sizeof(tab)) {  /* the guard that should catch it */
        printf("tab[%d] looks safe because %d is between [0;%d[\n", i, i, (int)sizeof(tab));
        return tab[i];
    }
    return 0;
}

int main(int ac, char **av)
{
    return f(atoi(av[1]));
}
```

The overflow can happen on the i assignment. Since an integer overflow is undefined, GCC assumes that it cannot happen, ever. In practice, in this case it does, but the i >= 0 && i < sizeof(tab) condition should be enough to handle it, whatever crazy value it becomes, right? Well, I have bad news:

```
% cc -Wall -O2 overflow.c -o overflow && ./overflow 50000000
tab[62183] looks safe because 62183 is between [0;512[
zsh: segmentation fault (core dumped)  ./overflow 50000000
```

Note: this is GCC 12.2.0 on x86-64.

We have i=62183 as the result of the overflow, and nevertheless the execution violates the gate condition, spouts a nonsensical lie, goes straight into dereferencing tab and dies miserably.

Let's see what GCC is doing here. Firing up Ghidra, we observe the following decompiled code:

```c
uint8_t f(int x)
{
  int tmp;

  if (-1 < x) {
    tmp = x * 0x1ff / 0xffff;
    if (tmp < 0x200) {   /* the i >= 0 half of the guard is gone */
      printf("tab[%d] looks safe because %d is between [0;%d[\n", tmp, tmp, 0x200);
      return tab[tmp];
    }
  }
  return 0;
}
```

When I said GCC assumes that it cannot happen, this is what I meant: tmp is not supposed to overflow, so part of the condition I had in place was simply removed.
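The guard written so that the overflow cannot occur in the first place, as an added example that is not the post's code: f_checked uses GCC's __builtin_mul_overflow builtin, f_widened does the arithmetic in int64_t, and wrapped_index computes the defined unsigned wrap of the same expression to show where a value like 62183 can come from. The table, the -1 sentinel and the function names are constructed for this illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
/* Constructed table with the same size as in the post (512 entries). */
static uint8_t tab[0x1ff + 1];

/* Overflow-checked rewrite of f(): the product goes through GCC's
 * __builtin_mul_overflow, so x * 0x1ff is never an overflowing signed
 * expression and the compiler has no UB to reason from. Returns the table
 * entry, or -1 when the product does not fit int32_t or the index is out of range. */
int f_checked(int32_t x)
{
    int32_t prod;
    if (x < 0)
        return -1;
    if (__builtin_mul_overflow(x, 0x1ff, &prod))
        return -1;                      /* reject instead of inviting UB */
    int32_t i = prod / 0xffff;
    if (i < 0 || (size_t)i >= sizeof(tab))
        return -1;
    return tab[i];                      /* 0..255; tab is zero-initialised */
}

/* Same guard by widening: int64_t holds any int32_t * 0x1ff exactly. */
int f_widened(int32_t x)
{
    if (x < 0)
        return -1;
    int64_t i = (int64_t)x * 0x1ff / 0xffff;
    if (i < 0 || i >= (int64_t)sizeof(tab))
        return -1;
    return tab[i];
}

/* Defined unsigned wrap-around of the same expression. For x = 50000000 it
 * yields 62183, the value printed in the post; this shows where such a
 * value can come from, not what GCC is guaranteed to compute. */
uint32_t wrapped_index(int32_t x)
{
    return ((uint32_t)x * 0x1ffu) / 0xffffu;
}

int main(int ac, char **av)
{
    int32_t x = ac > 1 ? atoi(av[1]) : 50000000;
    printf("checked=%d widened=%d wrapped=%u\n",
           f_checked(x), f_widened(x), wrapped_index(x));
    return 0;
}
```

Building the original program with -fwrapv makes the multiplication wrap as two's complement instead of being undefined, and -fsanitize=undefined (as used in the post) traps it at runtime; the rewrite above removes the dependency on either flag.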

I reported that particular issue to GCC to make sure it wasn't a bug, and it was indeed confirmed to me that the undefined behaviour of an integer overflow is not limited in scope to whatever insane value it could take: it is apparently perfectly acceptable to mess up the code flow entirely.

While I understand how attractive it can be from an optimization point of view, the paranoid developer in me is straight up terrified by the prospect of a single integer overflow removing a security protection and causing such havoc. I've worked several years on a project where integer overflows were (and probably still are) legion. Identifying and fixing all of them is likely a lifetime mission for several opinionated individuals.

I'm expecting this article to make the Rust crew go on a crusade again, and I think I'd be with them this time.

Edit: it was made clear to me while reading Predrag's blog that the key to my misunderstanding boils down to this: "Undefined behavior is not the same as implementation-defined behavior". While I was indeed talking about undefined behaviour, subconsciously I was thinking that the behaviour of an overflow on a multiplication would be "implementation-defined behaviour". This is not the case: it is indeed undefined behaviour, and yes, the compiler is free to do whatever it wants because it is compliant with the specification. It's my mistake of course, but in my defense, despite the arrogant comments I read, this confusion happens a lot. This happens, I think, because it violates the Principle of least astonishment. To illustrate this, take this interesting old OpenBSD developer blog post, which is concerned with the result of the multiplication rather than with the invalidation of any state regarding what is going to happen to the execution flow (before and after). This is not unusual and in my opinion perfectly understandable.
