Volatiles Are Miscompiled, and What to Do about It Eric Eide and John Regehr University of Utah EMSOFT 2008 / October 22, 2008.

Slides:



Advertisements
Similar presentations
Code Optimization and Performance Chapter 5 CS 105 Tour of the Black Holes of Computing.
Advertisements

Overview of programming in C C is a fast, efficient, flexible programming language Paradigm: C is procedural (like Fortran, Pascal), not object oriented.
Intermediate Code Generation
Making Choices in C if/else statement logical operators break and continue statements switch statement the conditional operator.
Click to add text © IBM Corporation Optimization Issues in SSE/AVX-compatible functions on PowerPC Ian McIntosh November 5, 2014.
Dec 5, 2007University of Virginia1 Efficient Dynamic Tainting using Multiple Cores Yan Huang University of Virginia Dec
Type Checking Compiler Design Lecture (02/25/98) Computer Science Rensselaer Polytechnic.
Type Checking.
Compiler Construction
Homework Starting Chapter 2 K&R. Read ahead. Questions?
IntroductionIntroduction  Computer program: an ordered sequence of statements whose objective is to accomplish a task.  Programming: process of planning.
ECE 353: Lab C Pointers and Structs. Basics A pointer holds an address to some variable Notation: – Dereferencing operator: * int *x is a declaration.
TaintCheck and LockSet LBA Reading Group Presentation by Shimin Chen.
Inline Assembly Section 1: Recitation 7. In the early days of computing, most programs were written in assembly code. –Unmanageable because No type checking,
1 Homework Turn in HW2 at start of next class. Starting Chapter 2 K&R. Read ahead. HW3 is on line. –Due: class 9, but a lot to do! –You may want to get.
1 HOIST: A System for Automatically Deriving Static Analyzers for Embedded Systems John Regehr Alastair Reid School of Computing, University of Utah.
Introduction to Computers and Programming Lecture 4: Mathematical Operators New York University.
Lecture 22 Code Generation Topics Arrays Code Generation Readings: 9 April 10, 2006 CSCE 531 Compiler Construction.
1 Assembly Language: Overview. 2 If you’re a computer, What’s the fastest way to multiply by 5? What’s the fastest way to divide by 5?
1 Homework Reading –PAL, pp Machine Projects –MP2 due at start of Class 12 Labs –Continue labs with your assigned section.
C Programming for Embedded Systems. fig_06_00 Computer Layers Low-level hardware to high-level software (4GL: “domain-specific”, report-driven, e.g.)
Handouts Software Testing and Quality Assurance Theory and Practice Chapter 5 Data Flow Testing
ITEC 352 Lecture 11 ISA - CPU. ISA (2) Review Questions? HW 2 due on Friday ISA –Machine language –Buses –Memory.
Prof. amr Goneid, AUC1 CSCE 110 PROGRAMMING FUNDAMENTALS WITH C++ Prof. Amr Goneid AUC Part 10. Pointers & Dynamic Data Structures.
CSC3315 (Spring 2009)1 CSC 3315 Programming Languages Hamid Harroud School of Science and Engineering, Akhawayn University
Assembly Questions תרגול 12.
DEPARTMENT OF COMPUTER SCIENCE & TECHNOLOGY FACULTY OF SCIENCE & TECHNOLOGY UNIVERSITY OF UWA WELLASSA 1 CST 221 OBJECT ORIENTED PROGRAMMING(OOP) ( 2 CREDITS.
Goals: To gain an understanding of assembly To get your hands dirty in GDB.
Computer Science Detecting Memory Access Errors via Illegal Write Monitoring Ongoing Research by Emre Can Sezer.
8-1 Embedded Systems Fixed-Point Math and Other Optimizations.
Hello.java Program Output 1 public class Hello { 2 public static void main( String [] args ) 3 { 4 System.out.println( “Hello!" ); 5 } // end method main.
Summary of what we learned yesterday Basics of C++ Format of a program Syntax of literals, keywords, symbols, variables Simple data types and arithmetic.
UniMAP Sem1-07/08EKT120: Computer Programming1 Week2.
16 October Reminder Types of Testing: Purpose  Functional testing  Usability testing  Conformance testing  Performance testing  Acceptance.
1 Compiler 3.2 A Level computing. 2 So, Sir what is a compiler?
University of Amsterdam Computer Systems – optimizing program performance Arnoud Visser 1 Computer Systems Optimizing program performance.
Towards Beautiful Test Cases for Compiler Bugs John Regehr University of Utah.
Buffer Overflow Proofing of Code Binaries By Ramya Reguramalingam Graduate Student, Computer Science Advisor: Dr. Gopal Gupta.
Computer Organization II Topics: Theme Five great realities of computer systems How this fits within CS curriculum CS 2733.
COIT29222 Structured Programming 1 COIT29222-Structured Programming Lecture Week 02  Reading: Textbook(4 th Ed.), Chapter 2 Textbook (6 th Ed.), Chapters.
1 Becoming More Effective with C++ … Day Two Stanley B. Lippman
University of Washington Today Lab 3 out  Buffer overflow! Finish-up data structures 1.
By Anand George SourceLens.org Copyright. All rights reserved. Content Owner - Meera R (meera at sourcelens.org)
CSE 332: C++ expressions Expressions: Operators and Operands Operators obey arity, associativity, and precedence int result = 2 * 3 + 5; // assigns 11.
Announcements Assignment 2 Out Today Quiz today - so I need to shut up at 4:25 1.
Introduction to Algorithmic Processes CMPSC 201C Fall 2000.
Finding and Understanding Bugs in C Compilers Xuejun Yang Yang Chen Eric Eide John Regehr University of Utah.
Fundamental Programming Fundamental Programming Data Processing and Expressions.
INTRODUCTION TO PROGRAMING System Development Mansoura October 2015.
Automatic program generation for detecting vulnerabilities and errors in compilers and interpretersAutomatic program generation for detecting vulnerabilities.
1Object-Oriented Program Development Using C++ Built-in Data Types Data type –Range of values –Set of operations on those values Literal: refers to acceptable.
7-Nov Fall 2001: copyright ©T. Pearce, D. Hutchinson, L. Marshall Oct lecture23-24-hll-interrupts 1 High Level Language vs. Assembly.
Windows Programming Lecture 03. Pointers and Arrays.
Bitwise Operations C includes operators that permit working with the bit-level representation of a value. You can: - shift the bits of a value to the left.
Dynamic Allocation in C
Chapter 9: Value-Returning Functions
Homework Reading Labs PAL, pp
Instructor: David Ferry
Chapter 2 Assignment and Interactive Input
Volatiles Are Miscompiled, and What to Do about It
Character Set The character set of C represents alphabet, digit or any symbol used to represent information. Types Character Set Uppercase Alphabets A,
Comp Integers Spring 2015 Topics Numeric Encodings
C Prog. To Object Code text text binary binary Code in files p1.c p2.c
C Operators, Operands, Expressions & Statements
Homework Reading Machine Projects Labs PAL, pp
C structures and Compilation to IA32
Summary of what we learned yesterday
02/02/10 20:53 Assembly Questions תרגול 12 1.
C Language B. DHIVYA 17PCA140 II MCA.
Software Testing and QA Theory and Practice (Chapter 5: Data Flow Testing) © Naik & Tripathy 1 Software Testing and Quality Assurance Theory and Practice.
Presentation transcript:

Volatiles Are Miscompiled, and What to Do about It Eric Eide and John Regehr University of Utah EMSOFT 2008 / October 22, 2008

int get_time() { // … } void set_led() { // … } int get_time() { // … } void set_led() { // … } Code Meets World 2 volatile int TIME; volatile int LED; volatile int TIME; volatile int LED; int get_time() { return TIME; } void set_led() { LED = 1; } int get_time() { return TIME; } void set_led() { LED = 1; } 70F1 0001

Volatile Semantics compiled program must “do” what the source program says i.e., volatile side-effects must occur 3 volatile int WATCHDOG; void reset_watchdog() { WATCHDOG = WATCHDOG; } volatile int WATCHDOG; void reset_watchdog() { WATCHDOG = WATCHDOG; } reset_watchdog: movl WATCHDOG, %eax movl %eax, WATCHDOG ret reset_watchdog: movl WATCHDOG, %eax movl %eax, WATCHDOG ret reset_watchdog: ret reset_watchdog: ret GCC / IA32GCC / MSP430

Our Contributions performed study of volatile bugs developed automated testing framework –“careful” random program generator –access summary testing found defects in all compilers we tested evaluated a workaround for volatile errors helped to make one compiler “10,000× better” 4

Talk Outline examine error rates evaluate workaround investigate compiler defects help make compiler better 5 random program gen..c randprogcompiler access summary testing exe checker

Generating Good Test Cases our test cases are C programs a good test case has a “right answer” an “answer” for us is an executable we judge “rightness” by inspecting its output –the computed result and the trail of side-effects  we must generate C programs that have predictable behaviors –independent of compiler, compiler options, … 6

Our Test Programs randprog creates programs that compute over integer variables –signed/unsigned; 8/16/32 bits –some globals declared volatile –functions take and return integer values –assignments, for-loops, arithmetic & logical operators –no pointers, arrays, structs, or unions 7.c randprog

Test Program I/O no input (“closed”) two outputs –a checksum over global variables –a sequence of accesses to volatile variables now we must… –…ensure that every test has a “right answer” not just the checksum, but also the volatile invariant –…figure out what that answer is 8

Strictly Conforming avoid creating programs whose output depends on –unspecified behavior — e.g., evaluation order –impl.-defined behavior — e.g., range of int –undefined behavior — e.g., division by zero …according to the C standard enforce statically & dynamically 9

Evaluation Order ensure that expression value is independent of evaluation order track read/write effect of expressions as they are built –may-read set –may-write set –volatile-access flag sequence point 10 volatile int vol_1; int glo_2; int func_3(void) { vol_1 = glo_2; return 7; } void func_4() { int loc_5 = …; int loc_6 = func_3() + ???; } volatile int vol_1; int glo_2; int func_3(void) { vol_1 = glo_2; return 7; } void func_4() { int loc_5 = …; int loc_6 = func_3() + ???; }

Dealing with Integers avoid most problematic behaviors, e.g. –integer range issues — avoid statically –signed shifts, div-by-zero — avoid dynamically but still there are issues… –signed integer overflow & underflow –arithmetic & logical operators in combination –integer promotions these do not matter in practice for us so, “nearly strictly conforming” programs 11

Evaluating Test Cases 12 random program gen.access summary testing.c exe randprogcompilerchecker

Access Summary Testing compile the test case run executable in instrumented environment map memory accesses to volatile variables create an access summary compare to the correct access summary 13.c exe compilerchecker ✔/✖✔/✖ ✔/✖✔/✖

Access Summary Implementation two instrumented environments –volcheck — binary rewriting for IA32 (Valgrind) –Avrora — an AVR platform simulator –each outputs a log of memory accesses creating the summary –scan source & object code  volatile variables –count total # of loads & stores to each volatile –effective: compact & sufficiently precise 14

Is It Right? 15.c exe compilerchecker ✔/✖✔/✖ ✔/✖✔/✖ exe ✔ ? identical checksum & summaries ? yes ✔ no ✖ ✖

From Errors to Defects volatile error –volatile-access summary differs across the executables functional error –output checksum differs across the executables a single test case can be both 16

Experimental Results …and what to do about them 17

Methodology examined 13 production-quality C compilers –IA32GCC (×5), LLVM-GCC, Intel, Sun –AVRGCC (×3) –ColdfireCodeWarrior –MSP430GCC all: handwritten tests + manual inspection 9: random tests + access summary testing –250,000 test programs 18

Access Summary Results 19

Work Around Volatile Errors idea: “protect” volatile accesses from overeager compilers via helper functions 20 int vol_read_int(volatile int *vp) { return *vp; } volatile int *vol_id_int(volatile int *vp) { return vp; } int vol_read_int(volatile int *vp) { return *vp; } volatile int *vol_id_int(volatile int *vp) { return vp; } x = vol_read_int(vol_1); *vol_id_int(&vol_1) = 0; x = vol_read_int(vol_1); *vol_id_int(&vol_1) = 0; x = vol_1; vol_1 = 0; x = vol_1; vol_1 = 0; opaque

Volatile Helper Results 21

Sample GCC Bug (#1) 22 const volatile int x; volatile int y; void foo(void) { for (y=0; y>10; y++) { int z = x; } const volatile int x; volatile int y; void foo(void) { for (y=0; y>10; y++) { int z = x; } foo: movl $0, y movl x, %eax jmp.L3.L2: movl y, %eax incl %eax movl %eax, y.L3: movl y, %eax cmpl $10, %eax jg.L3 ret foo: movl $0, y movl x, %eax jmp.L3.L2: movl y, %eax incl %eax movl %eax, y.L3: movl y, %eax cmpl $10, %eax jg.L3 ret GCC / IA32 / -Os

Sample LLVM-GCC Bug 23 volatile int a; void baz(void) { int i; for (i=0; i<3; i++) { a += 7; } volatile int a; void baz(void) { int i; for (i=0; i<3; i++) { a += 7; } baz: movl a, %eax leal 7(%eax), %ecx movl %ecx, a leal 14(%eax), %ecx movl %ecx, a addl $21, %eax movl %eax, a ret baz: movl a, %eax leal 7(%eax), %ecx movl %ecx, a leal 14(%eax), %ecx movl %ecx, a addl $21, %eax movl %eax, a ret LLVM-GCC 2.2 / IA32 / -O2

Toward Zero Volatile Bugs we distilled random-program errors into bug reports against LLVM-GCC –Mar–Jul 2008: 5 volatile + 8 functional bugs fixed over our 250,000 test programs: 24 10,000× improvement

Summary we developed an automated and effective framework for discovering volatile-related defects in C compilers –“careful” random program generation –access summary testing –first published study of volatile bugs that we know of the miscompilation of volatiles is disturbingly common –serious consequences for critical & embedded software what to do about it? –a simple workaround can avoid 96% of volatile errors –report bugs to compiler writers –give advice to developers & compiler writers (in paper) 25

Thank you! questions? 26

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.