taming undefined behavior
play

Taming Undefined Behavior in LLVM Juneyoung Lee Yoonseung Kim - PowerPoint PPT Presentation

Feb 24, 2024 •190 likes •843 views

PLDI 2017 Barcelona Taming Undefined Behavior in LLVM Juneyoung Lee Yoonseung Kim Seoul National Univ. Youngju Song Chung-Kil Hur Sanjoy Das Azul Systems Google David Majnemer University of Utah John Regehr Nuno P. Lopes Microsoft

  1. PLDI 2017 Barcelona Taming Undefined Behavior in LLVM Juneyoung Lee Yoonseung Kim Seoul National Univ. Youngju Song Chung-Kil Hur Sanjoy Das Azul Systems Google David Majnemer University of Utah John Regehr Nuno P. Lopes Microsoft Research

  2. What this talk is about • A compiler IR (Intermediate Representation) can be designed to allow more optimizations by supporting “undefined behaviors (UBs)” • LLVM IR’s UB model - Complicated - Invalidates some textbook optimizations • Our new UB model - Simpler - Can validate textbook optimizations (and more) 2 / 21

  3. Undefined Behavior (UB) & Problems 3 / 21

  4. Motivation for UB Peephole Optimization int* p int a int b IR IR output(p + a > p + b) output(a > b) 4 / 21

  5. Motivation for UB Peephole Optimization int* p int a int b 0xFFFFFF00 IR IR output(p + a > p + b) output(a > b) 0x100 0 0x100 0 4 / 21

  6. Motivation for UB Peephole Optimization int* p int a int b 0xFFFFFF00 IR IR output(p + a > p + b) output(a > b) 0x100 0 0x100 0 0x0 (Overflow!) 4 / 21

  7. Motivation for UB Peephole Optimization int* p int a int b 0xFFFFFF00 IR IR output(p + a > p + b) output(a > b) 0x100 0 0x100 0 0x0 false (Overflow!) 4 / 21

  8. Motivation for UB Peephole Optimization int* p int a int b 0xFFFFFF00 IR IR output(p + a > p + b) output(a > b) 0x100 0 0x100 0 0x0 false true (Overflow!) 4 / 21

  9. Motivation for UB Peephole Optimization Simple UB Model: int* p Pointer Arithmetic Overflow is int a Undefined Behavior int b UB 0xFFFFFF00 IR IR output(p + a > p + b) output(a > b) 0x100 0 0x100 0 0x0 false true (Overflow!) 4 / 21

  10. Problems with UB Loop Invariant Code Motion Simple UB Model: Pointer Arithmetic Overflow is Undefined Behavior IR IR ... q = p + 0x100 for(i=0; i<n; ++i) for(i=0; i<n; ++i) { { a[i] = p + 0x100 a[i] = q } } 5 / 21

  11. Problems with UB Loop Invariant Code Motion Simple UB Model: Pointer Arithmetic Overflow is Undefined Behavior 0xFFFFFF00 IR IR 0 ... q = p + 0x100 for(i=0; i<n; ++i) for(i=0; i<n; ++i) { { 0 a[i] = p + 0x100 a[i] = q } } 0xFFFFFF00 5 / 21

  12. Problems with UB Loop Invariant Code Motion Simple UB Model: Pointer Arithmetic Overflow is Undefined Behavior 0xFFFFFF00 Overflow! IR IR 0 ... q = p + 0x100 for(i=0; i<n; ++i) for(i=0; i<n; ++i) { { 0 a[i] = p + 0x100 a[i] = q } } 0xFFFFFF00 5 / 21

  13. Problems with UB Loop Invariant Code Motion Simple UB Model: Pointer Arithmetic Overflow is Undefined Behavior 0xFFFFFF00 UB Overflow! IR IR 0 ... q = p + 0x100 for(i=0; i<n; ++i) for(i=0; i<n; ++i) { { 0 a[i] = p + 0x100 a[i] = q } } 0xFFFFFF00 5 / 21

  14. Existing Approaches 6 / 21

  15. Poison Value: A Deferred UB Simple UB Model: Pointer Arithmetic Overflow is Undefined Behavior 0xFFFFFF00 Overflow! UB IR IR 0 q = p + 0x100 ... for(i=0; i<n; ++i) for(i=0; i<n; ++i) { { 0 a[i] = q a[i] = p + 0x100 } } 0xFFFFFF00 7 / 21

  16. Poison Value: A Deferred UB LLVM’s UB Model: Simple UB Model: Pointer Arithmetic Overflow is Pointer Arithmetic Overflow is A Poison “Value” Undefined Behavior 0xFFFFFF00 poison Overflow! UB IR IR 0 q = p + 0x100 ... for(i=0; i<n; ++i) for(i=0; i<n; ++i) { { 0 a[i] = q a[i] = p + 0x100 } } 0xFFFFFF00 7 / 21

  17. Poison Value: A Deferred UB LLVM’s UB Model: Simple UB Model: Pointer Arithmetic Overflow is Pointer Arithmetic Overflow is A Poison “Value” Undefined Behavior 0xFFFFFF00 poison Overflow! UB IR IR 0 q = p + 0x100 ... for(i=0; i<n; ++i) for(i=0; i<n; ++i) { { 0 a[i] = q a[i] = p + 0x100 } } 0xFFFFFF00 7 / 21

  18. Poison Value: A Deferred UB LLVM’s UB Model: Pointer Arithmetic Overflow is A Poison “Value” 0xFFFFFF00 UB IR IR output(p + a > p + b) output(a > b) 0x100 0 0x100 0 0x0 (Overflow!) 8 / 21

  19. Poison Value: A Deferred UB LLVM’s UB Model: Pointer Arithmetic Overflow is A Poison “Value” 0xFFFFFF00 UB IR IR output(p + a > p + b) output(a > b) 0x100 0 0x100 0 0x0 Poison (Overflow!) 8 / 21

  20. Poison Value: A Deferred UB LLVM’s UB Model: Pointer Arithmetic Overflow is A Poison “Value” 0xFFFFFF00 UB IR IR output(p + a > p + b) output(a > b) 0x100 0 0x100 0 0x0 Poison (Overflow!) 8 / 21

  21. Poison Value: A Deferred UB LLVM’s UB Model: Pointer Arithmetic Overflow is A Poison “Value” UB 0xFFFFFF00 UB IR IR output(p + a > p + b) output(a > b) 0x100 0 0x100 0 0x0 Poison (Overflow!) 8 / 21

  22. Summary of Poison 0xFFFFFF00 0x100 p a p b + + > output 9 / 21

  23. Summary of Poison 0xFFFFFF00 0x100 p a p b poison + + > output 9 / 21

  24. Summary of Poison 0xFFFFFF00 0x100 p a p b poison + + > poison Propagate output 9 / 21

  25. Summary of Poison 0xFFFFFF00 0x100 p a p b poison + + > poison Propagate Raise UB output UB 9 / 21

  26. Summary of Poison 0xFFFFFF00 0x100 p a p b poison + + “Poison is > poison Propagate Sometimes Too Poisonous” Raise UB output UB 9 / 21

  27. Problems with LLVM’s UB Global Value Numbering (GVN) LLVM’s UB Model: Branching on poison is ??? if (x == y) { if (x == y) { .. use x .. .. use y .. } } 10 / 21

  28. Problems with LLVM’s UB Global Value Numbering (GVN) LLVM’s UB Model: Branching on poison is ??? 0 poison 0 poison if (x == y) { if (x == y) { .. use x .. .. use y .. } } 10 / 21

  29. Problems with LLVM’s UB Global Value Numbering (GVN) LLVM’s UB Model: Branching on poison is ??? poison poison 0 poison 0 poison if (x == y) { if (x == y) { .. use x .. .. use y .. } } 10 / 21

  30. Problems with LLVM’s UB Global Value Numbering (GVN) LLVM’s UB Model: Branching on poison is ??? poison poison 0 poison 0 poison if (x == y) { if (x == y) { .. use x .. .. use y .. } } 10 / 21

  31. Problems with LLVM’s UB Global Value Numbering (GVN) LLVM’s UB Model: Branching on poison is ??? poison poison 0 poison 0 poison if (x == y) { if (x == y) { .. use x .. .. use y .. } } poison 0 10 / 21

  32. Problems with LLVM’s UB Global Value Numbering (GVN) LLVM’s UB Model: Branching on poison is ??? poison poison 0 poison 0 poison UB if (x == y) { if (x == y) { .. use x .. .. use y .. } } poison 0 10 / 21

  33. Problems with LLVM’s UB Global Value Numbering (GVN) LLVM’s UB Model: LLVM’s UB Model: Branching on poison is Branching on poison is Undefined Behavior ??? poison poison 0 poison 0 poison UB if (x == y) { if (x == y) { .. use x .. .. use y .. } } poison 0 10 / 21

  34. Problems with LLVM’s UB Global Value Numbering (GVN) LLVM’s UB Model: LLVM’s UB Model: Branching on poison is Branching on poison is Undefined Behavior ??? poison poison UB UB 0 poison 0 poison if (x == y) { if (x == y) { .. use x .. .. use y .. } } poison 0 10 / 21

  35. Problems with LLVM’s UB Loop Unswitching (LU) LLVM’s UB Model: Branching on poison is Undefined Behavior while (n > 0) { if (cond) if (cond) while (n > 0) A { A } else else B while (n > 0) } { B } 11 / 21

  36. Problems with LLVM’s UB Loop Unswitching (LU) LLVM’s UB Model: Branching on poison is Undefined Behavior 0 poison while (n > 0) { if (cond) if (cond) while (n > 0) A { A } 0 poison else else B while (n > 0) } { B } 11 / 21

  37. Problems with LLVM’s UB Loop Unswitching (LU) LLVM’s UB Model: Branching on poison is Undefined Behavior UB 0 poison while (n > 0) { if (cond) if (cond) while (n > 0) A { A } 0 poison else else B while (n > 0) } { B } 11 / 21

  38. Inconsistency in LLVM • GVN + LU is inconsistent. • We found a miscompilation bug in LLVM due to the inconsistency (LLVM Bugzilla 31652). - It is being discussed in the community - No solution has been found yet 12 / 21

  39. Our Approach 13 / 21

  40. Overview Existing Approaches Complex Inconsistent GVN + LU UB Can’t Control More Defined Poison Poison values Undef. values Defined values 14 / 21

  41. Overview Existing Approaches Our Approach Simpler Complex Inconsistent GVN + LU UB UB Can’t Control More Defined Poison Poison values Poison values 𝒈𝒔𝒇𝒇𝒜𝒇 Undef. values Defined values Defined values 14 / 21

  42. Overview Existing Approaches Our Approach Simpler Complex Inconsistent GVN + LU UB UB Can’t Control More Defined Poison Poison values Poison values Can Control 𝒈𝒔𝒇𝒇𝒜𝒇 Undef. values Poison Defined values Defined values 14 / 21

  43. Overview Existing Approaches Our Approach Simpler Complex Consistent Inconsistent GVN + LU UB UB Can’t Control More Defined Poison Poison values Poison values Can Control 𝒈𝒔𝒇𝒇𝒜𝒇 Undef. values Poison Defined values Defined values 14 / 21

  44. Key Idea: “Freeze” • Introduce a new instruction y = freeze x • Semantics: When x is a defined value: freeze x x 0 1 When x is a poison value: freeze x 2 . . . Nondet. Choice of A Defined Value 15 / 21

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Undefined, Unspecified, Non-deterministic, and Implementation Defined Behavior in Verifiable Specs

Undefined, Unspecified, Non-deterministic, and Implementation Defined Behavior in Verifiable Specs

Undefined, Unspecified, Non-deterministic, and Implementation Defined Behavior in Verifiable Specs Clifford Wolf Symbiotic EDA 8 th RISC-V Workshop Barcelona 7-10 May, 2018 Why and how to not specify something? It is quite usual for a

604 views • 22 slides
Software Tool Seminar WS1516 - Taming the Snake November 4, 2015 1 Taming the Snake 1.1

Software Tool Seminar WS1516 - Taming the Snake November 4, 2015 1 Taming the Snake 1.1

Software Tool Seminar WS1516 - Taming the Snake November 4, 2015 1 Taming the Snake 1.1 Understanding how Python works in N simple steps (with N still growing) 1.2 Step 0. What this talk is about (and what it isnt) Four basic things you

266 views • 12 slides
Hardware Support for Compiler Speculation Hardware support for preserving exception behavior

Hardware Support for Compiler Speculation Hardware support for preserving exception behavior

Hardware Support for Compiler Speculation Hardware support for preserving exception behavior ignore exception until instruction is no longer speculative handle resumable exceptions return undefined value for terminating exceptions

73 views • 3 slides
Taming Pointers A Symbolic Approach Jianwen Zhu jzhu@eecg.toronto.edu Electrical and Computer

Taming Pointers A Symbolic Approach Jianwen Zhu jzhu@eecg.toronto.edu Electrical and Computer

Taming Pointers A Symbolic Approach Jianwen Zhu jzhu@eecg.toronto.edu Electrical and Computer Engineering University of Toronto 04 p.1/33 J. Zhu c Outline An Old Problem A New Strategy Taming Context Sensitivity Result and

1.43k views • 100 slides
Taming Effects in a Dependent World Pierre-Marie Pdrot Max Planck Institute for Software

Taming Effects in a Dependent World Pierre-Marie Pdrot Max Planck Institute for Software

. . . . . . . . . . . . . . . Taming Effects in a Dependent World Pierre-Marie Pdrot Max Planck Institute for Software Systems Journes Nationales Gocal-LAC 14th November 2017 P.-M. Pdrot (MPI-SWS) Taming efgects in a

1.09k views • 90 slides
Taming Your Dragon: From No QA to Fully Integrated QA

Taming Your Dragon: From No QA to Fully Integrated QA

W7 Test Transformation Wednesday, October 23rd, 2019 11:30 AM Taming Your Dragon: From No QA to Fully Integrated QA Presented

880 views • 51 slides
Euclidean Geometry Introduction Undefined Terms A point is like a dot, only smaller. It has a

Euclidean Geometry Introduction Undefined Terms A point is like a dot, only smaller. It has a

Euclidean Geometry Introduction Undefined Terms A point is like a dot, only smaller. It has a location but no size. A line is like a drawn line, only thinner, straighter and longer. It extends through all space along a specific direction but

784 views • 49 slides
CSE 351 Section 2 C Debugging with GDB http://goo.gl/3dHdz Lab 1 Lab 1 Tips Do a smaller

CSE 351 Section 2 C Debugging with GDB http://goo.gl/3dHdz Lab 1 Lab 1 Tips Do a smaller

CSE 351 Section 2 C Debugging with GDB http://goo.gl/3dHdz Lab 1 Lab 1 Tips Do a smaller version (i.e. 8-bit) on paper If you shift by more than the word size, behavior is undefined 0x01&lt;&lt;32 will not always be 0x00

481 views • 14 slides
ON NSITION By: KENFACK Chrislain Eric I DEAS ABOUT NATURE Nature as an external undefined

ON NSITION By: KENFACK Chrislain Eric I DEAS ABOUT NATURE Nature as an external undefined

C ARBON ON M ARKE TS VE SUS J UST ST KETS VERSU T RANSITI ON NSITION By: KENFACK Chrislain Eric I DEAS ABOUT NATURE Nature as an external undefined entity, associated to the idea of transcendence Williams calls primitive condition before

571 views • 12 slides
TAMING NG T THE C CAVEMAN: STRESS MANAGEMENT FOR THE NEW AGE Diana F. Hott, LCSW CEAP

TAMING NG T THE C CAVEMAN: STRESS MANAGEMENT FOR THE NEW AGE Diana F. Hott, LCSW CEAP

TAMING NG T THE C CAVEMAN: STRESS MANAGEMENT FOR THE NEW AGE Diana F. Hott, LCSW CEAP www.dianafhottlcsw.com (c) 2013 Diana F. Hott LCSW TAMING T THE C CAVEM EMAN (c) 2013 Diana F. Hott LCSW The physical and emotional reaction people

245 views • 13 slides
BEHAVIOR @ HOME Behavior Basics Simple strategies that can make a big difference! Presented by

BEHAVIOR @ HOME Behavior Basics Simple strategies that can make a big difference! Presented by

BEHAVIOR @ HOME Behavior Basics Simple strategies that can make a big difference! Presented by Michelle Heid, MA, BCBA Hosted by Family Focus Resource Center Behavior Basics Behavior as communication ABCs of Behavior Functions of

717 views • 35 slides
Taming the Many Headed Dragon: Collaborative Models and Systems Issues Presentation for Putting

Taming the Many Headed Dragon: Collaborative Models and Systems Issues Presentation for Putting

Taming the Many Headed Dragon: Collaborative Models and Systems Issues Presentation for Putting the Pieces Together for Children and Families September 2011 Taming the Many Headed Dragon: Collaborative Models and Systems Issues Maria

282 views • 27 slides
Taming UTF-8 in pdfTeX Frank Mittelbach TUG 2019, Palo Alto A short history lession part 2

Taming UTF-8 in pdfTeX Frank Mittelbach TUG 2019, Palo Alto A short history lession part 2

Presentation given at the TUG 2019 Conference, Palo Alto 1 file version: August 25, 2019 0:02 Taming UTF-8 in pdfT EX Frank Mittelbach Abstract To understand the concepts in pdfL A T EX for processing UTF-8 encoded files it is helpful to

237 views • 5 slides
MORE C Samira Khan Agenda Pointer vs array Using man page Structure and dynamic

MORE C Samira Khan Agenda Pointer vs array Using man page Structure and dynamic

MORE C Samira Khan Agenda Pointer vs array Using man page Structure and dynamic allocation Undefined behavior Into to instruction set architecture (ISA) Understanding Pointers &amp; Arrays Variable Decl size int A1[3] 12

748 views • 46 slides
Taming the Beast Workshop Bayesian inference of species tree Species &amp; gene trees *BEAST

Taming the Beast Workshop Bayesian inference of species tree Species &amp; gene trees *BEAST

Taming the Beast Taming the Beast Workshop Bayesian inference of species tree Species &amp; gene trees *BEAST Species tree prior Multispecies coalescent Bayesian inference of species tree Molecular clock model Felsenstein likelihood and

205 views • 19 slides
Taming the SOA Beast SOA introduces complexity as well as new organizational impacts. We need to

Taming the SOA Beast SOA introduces complexity as well as new organizational impacts. We need to

Taming the SOA Beast SOA introduces complexity as well as new organizational impacts. We need to re-think the process. December 2008 Why SOA? Business Effectiveness Agility, responsiveness to market/competitive dynamics Business

513 views • 24 slides
a legal case study The importance of mens rea (Latin: guilty mind) Most crimes require

a legal case study The importance of mens rea (Latin: guilty mind) Most crimes require

Paul: a legal case study The importance of mens rea (Latin: guilty mind) Most crimes require a guilty intent Example: Im in the kitchen putting rat poison into traps I leave to answer a knock at the door My houseguest

853 views • 57 slides
5/3/16 May 2, 2016 Channel Ecology Assignment for Weds, May 4 (Mon lab)/11 (Tues Lab) Pen your

5/3/16 May 2, 2016 Channel Ecology Assignment for Weds, May 4 (Mon lab)/11 (Tues Lab) Pen your

5/3/16 May 2, 2016 Channel Ecology Assignment for Weds, May 4 (Mon lab)/11 (Tues Lab) Pen your poison: http://www.amnh.org/exhibitions/current-exhibitions/the- power-of-poison Power of Poison: an enchanted book- Interactive botanical book

190 views • 5 slides
KernelAddressSanitizer (KASan) a fast memory error detector for the Linux kernel Andrey Konovalov

KernelAddressSanitizer (KASan) a fast memory error detector for the Linux kernel Andrey Konovalov

KernelAddressSanitizer (KASan) a fast memory error detector for the Linux kernel Andrey Konovalov &lt;andreyknvl@google.com&gt;, Google Dmitry Vyukov &lt;dvyukov@google.com&gt;, Google LinuxCon North America 2015 July 18th 2015 Agenda

1.1k views • 49 slides
Chapter 3 Instruction-Level Parallelism and its Exploitation (Part 3) ILP vs. Parallel

Chapter 3 Instruction-Level Parallelism and its Exploitation (Part 3) ILP vs. Parallel

Chapter 3 Instruction-Level Parallelism and its Exploitation (Part 3) ILP vs. Parallel Computers Dynamic Scheduling (Section 3.4, 3.5) Dynamic Branch Prediction (Section 3.3, 3.9, and Appendix C) Hardware Speculation and Precise Interrupts

733 views • 24 slides
Entity-centric Topic Extraction and Exploration: A Network-based Approach Andreas Spitz and

Entity-centric Topic Extraction and Exploration: A Network-based Approach Andreas Spitz and

Entity-centric Topic Extraction and Exploration: A Network-based Approach Andreas Spitz and Michael Gertz March 27, 2018 ECIR 2018, Grenoble Heidelberg University, Germany Database Systems Research Group A Topic From Recent News term

826 views • 40 slides
CS412 Software Security Program Testing Sanitization Mathias Payer EPFL, Spring 2019

CS412 Software Security Program Testing Sanitization Mathias Payer EPFL, Spring 2019

CS412 Software Security Program Testing Sanitization Mathias Payer EPFL, Spring 2019 Mathias Payer CS412 Software Security Why testing? Testing is the process of executing a program to find errors. An error is a deviation between

503 views • 28 slides
Implementing machine learning methods in Stata Austin Nichols 6 September 2018 Austin Nichols

Implementing machine learning methods in Stata Austin Nichols 6 September 2018 Austin Nichols

Introduction Examples Trees and Forests Stata approach References Implementing machine learning methods in Stata Austin Nichols 6 September 2018 Austin Nichols Implementing machine learning methods in Stata Introduction Examples

544 views • 31 slides
A Semantic Framework for Data Analysis in Networked Systems Arun Viswanathan , Alefiya Hussain,

A Semantic Framework for Data Analysis in Networked Systems Arun Viswanathan , Alefiya Hussain,

A Semantic Framework for Data Analysis in Networked Systems Arun Viswanathan , Alefiya Hussain, Jelena Mirkovic, Stephen Schwab, John Wroclawski USC/Information Sciences Institute 1 Data Analysis in Networked Systems Audit Logs Alerts Did

585 views • 19 slides

More recommend