taming undefined behavior
play

Taming Undefined Behavior in LLVM Juneyoung Lee Yoonseung Kim - PowerPoint PPT Presentation

Feb 24, 2024 •190 likes •843 views

PLDI 2017 Barcelona Taming Undefined Behavior in LLVM Juneyoung Lee Yoonseung Kim Seoul National Univ. Youngju Song Chung-Kil Hur Sanjoy Das Azul Systems Google David Majnemer University of Utah John Regehr Nuno P. Lopes Microsoft

  1. PLDI 2017 Barcelona Taming Undefined Behavior in LLVM Juneyoung Lee Yoonseung Kim Seoul National Univ. Youngju Song Chung-Kil Hur Sanjoy Das Azul Systems Google David Majnemer University of Utah John Regehr Nuno P. Lopes Microsoft Research

  2. What this talk is about • A compiler IR (Intermediate Representation) can be designed to allow more optimizations by supporting “undefined behaviors (UBs)” • LLVM IR’s UB model - Complicated - Invalidates some textbook optimizations • Our new UB model - Simpler - Can validate textbook optimizations (and more) 2 / 21

  3. Undefined Behavior (UB) & Problems 3 / 21

  4. Motivation for UB Peephole Optimization int* p int a int b IR IR output(p + a > p + b) output(a > b) 4 / 21

  5. Motivation for UB Peephole Optimization int* p int a int b 0xFFFFFF00 IR IR output(p + a > p + b) output(a > b) 0x100 0 0x100 0 4 / 21

  6. Motivation for UB Peephole Optimization int* p int a int b 0xFFFFFF00 IR IR output(p + a > p + b) output(a > b) 0x100 0 0x100 0 0x0 (Overflow!) 4 / 21

  7. Motivation for UB Peephole Optimization int* p int a int b 0xFFFFFF00 IR IR output(p + a > p + b) output(a > b) 0x100 0 0x100 0 0x0 false (Overflow!) 4 / 21

  8. Motivation for UB Peephole Optimization int* p int a int b 0xFFFFFF00 IR IR output(p + a > p + b) output(a > b) 0x100 0 0x100 0 0x0 false true (Overflow!) 4 / 21

  9. Motivation for UB Peephole Optimization Simple UB Model: int* p Pointer Arithmetic Overflow is int a Undefined Behavior int b UB 0xFFFFFF00 IR IR output(p + a > p + b) output(a > b) 0x100 0 0x100 0 0x0 false true (Overflow!) 4 / 21

  10. Problems with UB Loop Invariant Code Motion Simple UB Model: Pointer Arithmetic Overflow is Undefined Behavior IR IR ... q = p + 0x100 for(i=0; i<n; ++i) for(i=0; i<n; ++i) { { a[i] = p + 0x100 a[i] = q } } 5 / 21

  11. Problems with UB Loop Invariant Code Motion Simple UB Model: Pointer Arithmetic Overflow is Undefined Behavior 0xFFFFFF00 IR IR 0 ... q = p + 0x100 for(i=0; i<n; ++i) for(i=0; i<n; ++i) { { 0 a[i] = p + 0x100 a[i] = q } } 0xFFFFFF00 5 / 21

  12. Problems with UB Loop Invariant Code Motion Simple UB Model: Pointer Arithmetic Overflow is Undefined Behavior 0xFFFFFF00 Overflow! IR IR 0 ... q = p + 0x100 for(i=0; i<n; ++i) for(i=0; i<n; ++i) { { 0 a[i] = p + 0x100 a[i] = q } } 0xFFFFFF00 5 / 21

  13. Problems with UB Loop Invariant Code Motion Simple UB Model: Pointer Arithmetic Overflow is Undefined Behavior 0xFFFFFF00 UB Overflow! IR IR 0 ... q = p + 0x100 for(i=0; i<n; ++i) for(i=0; i<n; ++i) { { 0 a[i] = p + 0x100 a[i] = q } } 0xFFFFFF00 5 / 21

  14. Existing Approaches 6 / 21

  15. Poison Value: A Deferred UB Simple UB Model: Pointer Arithmetic Overflow is Undefined Behavior 0xFFFFFF00 Overflow! UB IR IR 0 q = p + 0x100 ... for(i=0; i<n; ++i) for(i=0; i<n; ++i) { { 0 a[i] = q a[i] = p + 0x100 } } 0xFFFFFF00 7 / 21

  16. Poison Value: A Deferred UB LLVM’s UB Model: Simple UB Model: Pointer Arithmetic Overflow is Pointer Arithmetic Overflow is A Poison “Value” Undefined Behavior 0xFFFFFF00 poison Overflow! UB IR IR 0 q = p + 0x100 ... for(i=0; i<n; ++i) for(i=0; i<n; ++i) { { 0 a[i] = q a[i] = p + 0x100 } } 0xFFFFFF00 7 / 21

  17. Poison Value: A Deferred UB LLVM’s UB Model: Simple UB Model: Pointer Arithmetic Overflow is Pointer Arithmetic Overflow is A Poison “Value” Undefined Behavior 0xFFFFFF00 poison Overflow! UB IR IR 0 q = p + 0x100 ... for(i=0; i<n; ++i) for(i=0; i<n; ++i) { { 0 a[i] = q a[i] = p + 0x100 } } 0xFFFFFF00 7 / 21

  18. Poison Value: A Deferred UB LLVM’s UB Model: Pointer Arithmetic Overflow is A Poison “Value” 0xFFFFFF00 UB IR IR output(p + a > p + b) output(a > b) 0x100 0 0x100 0 0x0 (Overflow!) 8 / 21

  19. Poison Value: A Deferred UB LLVM’s UB Model: Pointer Arithmetic Overflow is A Poison “Value” 0xFFFFFF00 UB IR IR output(p + a > p + b) output(a > b) 0x100 0 0x100 0 0x0 Poison (Overflow!) 8 / 21

  20. Poison Value: A Deferred UB LLVM’s UB Model: Pointer Arithmetic Overflow is A Poison “Value” 0xFFFFFF00 UB IR IR output(p + a > p + b) output(a > b) 0x100 0 0x100 0 0x0 Poison (Overflow!) 8 / 21

  21. Poison Value: A Deferred UB LLVM’s UB Model: Pointer Arithmetic Overflow is A Poison “Value” UB 0xFFFFFF00 UB IR IR output(p + a > p + b) output(a > b) 0x100 0 0x100 0 0x0 Poison (Overflow!) 8 / 21

  22. Summary of Poison 0xFFFFFF00 0x100 p a p b + + > output 9 / 21

  23. Summary of Poison 0xFFFFFF00 0x100 p a p b poison + + > output 9 / 21

  24. Summary of Poison 0xFFFFFF00 0x100 p a p b poison + + > poison Propagate output 9 / 21

  25. Summary of Poison 0xFFFFFF00 0x100 p a p b poison + + > poison Propagate Raise UB output UB 9 / 21

  26. Summary of Poison 0xFFFFFF00 0x100 p a p b poison + + “Poison is > poison Propagate Sometimes Too Poisonous” Raise UB output UB 9 / 21

  27. Problems with LLVM’s UB Global Value Numbering (GVN) LLVM’s UB Model: Branching on poison is ??? if (x == y) { if (x == y) { .. use x .. .. use y .. } } 10 / 21

  28. Problems with LLVM’s UB Global Value Numbering (GVN) LLVM’s UB Model: Branching on poison is ??? 0 poison 0 poison if (x == y) { if (x == y) { .. use x .. .. use y .. } } 10 / 21

  29. Problems with LLVM’s UB Global Value Numbering (GVN) LLVM’s UB Model: Branching on poison is ??? poison poison 0 poison 0 poison if (x == y) { if (x == y) { .. use x .. .. use y .. } } 10 / 21

  30. Problems with LLVM’s UB Global Value Numbering (GVN) LLVM’s UB Model: Branching on poison is ??? poison poison 0 poison 0 poison if (x == y) { if (x == y) { .. use x .. .. use y .. } } 10 / 21

  31. Problems with LLVM’s UB Global Value Numbering (GVN) LLVM’s UB Model: Branching on poison is ??? poison poison 0 poison 0 poison if (x == y) { if (x == y) { .. use x .. .. use y .. } } poison 0 10 / 21

  32. Problems with LLVM’s UB Global Value Numbering (GVN) LLVM’s UB Model: Branching on poison is ??? poison poison 0 poison 0 poison UB if (x == y) { if (x == y) { .. use x .. .. use y .. } } poison 0 10 / 21

  33. Problems with LLVM’s UB Global Value Numbering (GVN) LLVM’s UB Model: LLVM’s UB Model: Branching on poison is Branching on poison is Undefined Behavior ??? poison poison 0 poison 0 poison UB if (x == y) { if (x == y) { .. use x .. .. use y .. } } poison 0 10 / 21

  34. Problems with LLVM’s UB Global Value Numbering (GVN) LLVM’s UB Model: LLVM’s UB Model: Branching on poison is Branching on poison is Undefined Behavior ??? poison poison UB UB 0 poison 0 poison if (x == y) { if (x == y) { .. use x .. .. use y .. } } poison 0 10 / 21

  35. Problems with LLVM’s UB Loop Unswitching (LU) LLVM’s UB Model: Branching on poison is Undefined Behavior while (n > 0) { if (cond) if (cond) while (n > 0) A { A } else else B while (n > 0) } { B } 11 / 21

  36. Problems with LLVM’s UB Loop Unswitching (LU) LLVM’s UB Model: Branching on poison is Undefined Behavior 0 poison while (n > 0) { if (cond) if (cond) while (n > 0) A { A } 0 poison else else B while (n > 0) } { B } 11 / 21

  37. Problems with LLVM’s UB Loop Unswitching (LU) LLVM’s UB Model: Branching on poison is Undefined Behavior UB 0 poison while (n > 0) { if (cond) if (cond) while (n > 0) A { A } 0 poison else else B while (n > 0) } { B } 11 / 21

  38. Inconsistency in LLVM • GVN + LU is inconsistent. • We found a miscompilation bug in LLVM due to the inconsistency (LLVM Bugzilla 31652). - It is being discussed in the community - No solution has been found yet 12 / 21

  39. Our Approach 13 / 21

  40. Overview Existing Approaches Complex Inconsistent GVN + LU UB Can’t Control More Defined Poison Poison values Undef. values Defined values 14 / 21

  41. Overview Existing Approaches Our Approach Simpler Complex Inconsistent GVN + LU UB UB Can’t Control More Defined Poison Poison values Poison values 𝒈𝒔𝒇𝒇𝒜𝒇 Undef. values Defined values Defined values 14 / 21

  42. Overview Existing Approaches Our Approach Simpler Complex Inconsistent GVN + LU UB UB Can’t Control More Defined Poison Poison values Poison values Can Control 𝒈𝒔𝒇𝒇𝒜𝒇 Undef. values Poison Defined values Defined values 14 / 21

  43. Overview Existing Approaches Our Approach Simpler Complex Consistent Inconsistent GVN + LU UB UB Can’t Control More Defined Poison Poison values Poison values Can Control 𝒈𝒔𝒇𝒇𝒜𝒇 Undef. values Poison Defined values Defined values 14 / 21

  44. Key Idea: “Freeze” • Introduce a new instruction y = freeze x • Semantics: When x is a defined value: freeze x x 0 1 When x is a poison value: freeze x 2 . . . Nondet. Choice of A Defined Value 15 / 21

Recommend

Undefined, Unspecified, Non-deterministic, and Implementation Defined Behavior in Verifiable Specs

Undefined, Unspecified, Non-deterministic, and Implementation Defined Behavior in Verifiable Specs

Undefined, Unspecified, Non-deterministic, and Implementation Defined Behavior in Verifiable Specs Clifford Wolf Symbiotic EDA 8 th RISC-V Workshop Barcelona 7-10 May, 2018 Why and how to not specify something? It is quite usual for a

604 views • 22 slides
Software Tool Seminar WS1516 - Taming the Snake November 4, 2015 1 Taming the Snake 1.1

Software Tool Seminar WS1516 - Taming the Snake November 4, 2015 1 Taming the Snake 1.1

Software Tool Seminar WS1516 - Taming the Snake November 4, 2015 1 Taming the Snake 1.1 Understanding how Python works in N simple steps (with N still growing) 1.2 Step 0. What this talk is about (and what it isnt) Four basic things you

266 views • 12 slides
Hardware Support for Compiler Speculation Hardware support for preserving exception behavior

Hardware Support for Compiler Speculation Hardware support for preserving exception behavior

Hardware Support for Compiler Speculation Hardware support for preserving exception behavior ignore exception until instruction is no longer speculative handle resumable exceptions return undefined value for terminating exceptions

73 views • 3 slides
Taming Pointers A Symbolic Approach Jianwen Zhu jzhu@eecg.toronto.edu Electrical and Computer

Taming Pointers A Symbolic Approach Jianwen Zhu jzhu@eecg.toronto.edu Electrical and Computer

Taming Pointers A Symbolic Approach Jianwen Zhu jzhu@eecg.toronto.edu Electrical and Computer Engineering University of Toronto 04 p.1/33 J. Zhu c Outline An Old Problem A New Strategy Taming Context Sensitivity Result and

1.43k views • 100 slides
Taming Effects in a Dependent World Pierre-Marie Pdrot Max Planck Institute for Software

Taming Effects in a Dependent World Pierre-Marie Pdrot Max Planck Institute for Software

. . . . . . . . . . . . . . . Taming Effects in a Dependent World Pierre-Marie Pdrot Max Planck Institute for Software Systems Journes Nationales Gocal-LAC 14th November 2017 P.-M. Pdrot (MPI-SWS) Taming efgects in a

1.09k views • 90 slides
Taming Your Dragon: From No QA to Fully Integrated QA

Taming Your Dragon: From No QA to Fully Integrated QA

W7 Test Transformation Wednesday, October 23rd, 2019 11:30 AM Taming Your Dragon: From No QA to Fully Integrated QA Presented

880 views • 51 slides
Euclidean Geometry Introduction Undefined Terms A point is like a dot, only smaller. It has a

Euclidean Geometry Introduction Undefined Terms A point is like a dot, only smaller. It has a

Euclidean Geometry Introduction Undefined Terms A point is like a dot, only smaller. It has a location but no size. A line is like a drawn line, only thinner, straighter and longer. It extends through all space along a specific direction but

784 views • 49 slides
CSE 351 Section 2 C Debugging with GDB http://goo.gl/3dHdz Lab 1 Lab 1 Tips Do a smaller

CSE 351 Section 2 C Debugging with GDB http://goo.gl/3dHdz Lab 1 Lab 1 Tips Do a smaller

CSE 351 Section 2 C Debugging with GDB http://goo.gl/3dHdz Lab 1 Lab 1 Tips Do a smaller version (i.e. 8-bit) on paper If you shift by more than the word size, behavior is undefined 0x01&lt;&lt;32 will not always be 0x00

481 views • 14 slides
ON NSITION By: KENFACK Chrislain Eric I DEAS ABOUT NATURE Nature as an external undefined

ON NSITION By: KENFACK Chrislain Eric I DEAS ABOUT NATURE Nature as an external undefined

C ARBON ON M ARKE TS VE SUS J UST ST KETS VERSU T RANSITI ON NSITION By: KENFACK Chrislain Eric I DEAS ABOUT NATURE Nature as an external undefined entity, associated to the idea of transcendence Williams calls primitive condition before

571 views • 12 slides
TAMING NG T THE C CAVEMAN: STRESS MANAGEMENT FOR THE NEW AGE Diana F. Hott, LCSW CEAP

TAMING NG T THE C CAVEMAN: STRESS MANAGEMENT FOR THE NEW AGE Diana F. Hott, LCSW CEAP

TAMING NG T THE C CAVEMAN: STRESS MANAGEMENT FOR THE NEW AGE Diana F. Hott, LCSW CEAP www.dianafhottlcsw.com (c) 2013 Diana F. Hott LCSW TAMING T THE C CAVEM EMAN (c) 2013 Diana F. Hott LCSW The physical and emotional reaction people

245 views • 13 slides
BEHAVIOR @ HOME Behavior Basics Simple strategies that can make a big difference! Presented by

BEHAVIOR @ HOME Behavior Basics Simple strategies that can make a big difference! Presented by

BEHAVIOR @ HOME Behavior Basics Simple strategies that can make a big difference! Presented by Michelle Heid, MA, BCBA Hosted by Family Focus Resource Center Behavior Basics Behavior as communication ABCs of Behavior Functions of

717 views • 35 slides
Taming the Many Headed Dragon: Collaborative Models and Systems Issues Presentation for Putting

Taming the Many Headed Dragon: Collaborative Models and Systems Issues Presentation for Putting

Taming the Many Headed Dragon: Collaborative Models and Systems Issues Presentation for Putting the Pieces Together for Children and Families September 2011 Taming the Many Headed Dragon: Collaborative Models and Systems Issues Maria

282 views • 27 slides
Taming UTF-8 in pdfTeX Frank Mittelbach TUG 2019, Palo Alto A short history lession part 2

Taming UTF-8 in pdfTeX Frank Mittelbach TUG 2019, Palo Alto A short history lession part 2

Presentation given at the TUG 2019 Conference, Palo Alto 1 file version: August 25, 2019 0:02 Taming UTF-8 in pdfT EX Frank Mittelbach Abstract To understand the concepts in pdfL A T EX for processing UTF-8 encoded files it is helpful to

237 views • 5 slides
MORE C Samira Khan Agenda Pointer vs array Using man page Structure and dynamic

MORE C Samira Khan Agenda Pointer vs array Using man page Structure and dynamic

MORE C Samira Khan Agenda Pointer vs array Using man page Structure and dynamic allocation Undefined behavior Into to instruction set architecture (ISA) Understanding Pointers &amp; Arrays Variable Decl size int A1[3] 12

748 views • 46 slides
Taming the Beast Workshop Bayesian inference of species tree Species &amp; gene trees *BEAST

Taming the Beast Workshop Bayesian inference of species tree Species &amp; gene trees *BEAST

Taming the Beast Taming the Beast Workshop Bayesian inference of species tree Species &amp; gene trees *BEAST Species tree prior Multispecies coalescent Bayesian inference of species tree Molecular clock model Felsenstein likelihood and

205 views • 19 slides
Taming the SOA Beast SOA introduces complexity as well as new organizational impacts. We need to

Taming the SOA Beast SOA introduces complexity as well as new organizational impacts. We need to

Taming the SOA Beast SOA introduces complexity as well as new organizational impacts. We need to re-think the process. December 2008 Why SOA? Business Effectiveness Agility, responsiveness to market/competitive dynamics Business

513 views • 24 slides
Defined and Undefined Roles for Taiwans Legislative Yuan Chung-li Wu Part 1 The Relationship

Defined and Undefined Roles for Taiwans Legislative Yuan Chung-li Wu Part 1 The Relationship

Defined and Undefined Roles for Taiwans Legislative Yuan Chung-li Wu Part 1 The Relationship between the Legislative and the Executive Yuan (1) Consent of Appointment From Article 55 of ROC Constitution The Prime Minister of the

843 views • 28 slides
Foundational Ideas Everyone needs support for behavior. Behavior is communication.

Foundational Ideas Everyone needs support for behavior. Behavior is communication.

Foundational Ideas Everyone needs support for behavior. Behavior is communication. Punishment doesnt work. Respond to the root of the behavior, not the surface. Positive Behavioral Interventions &amp; Support Intensive Supports

489 views • 33 slides
Numbers in C Balance Sheet so far Lost Gained Contracts Preprocessor Safety

Numbers in C Balance Sheet so far Lost Gained Contracts Preprocessor Safety

Numbers in C Balance Sheet so far Lost Gained Contracts Preprocessor Safety Undefined behavior Garbage collection Explicit memory management Memory initialization Separate compilation Well-behaved arrays

826 views • 45 slides
Lion Taming 101 Classroom Management Part 1 Presented By: Debbie Silver, Ed. D.

Lion Taming 101 Classroom Management Part 1 Presented By: Debbie Silver, Ed. D.

Lion Taming 101 Classroom Management Part 1 Presented By: Debbie Silver, Ed. D. &lt;www.debbiesilver.com&gt; The Teacher Concerning a teachers influence, I have come to the frightening conclusion that I am the decisive element in the

299 views • 27 slides
Taming Metadata Storms in Parallel Filesystems with MetaFS Tim Shaffer Motivation A

Taming Metadata Storms in Parallel Filesystems with MetaFS Tim Shaffer Motivation A

Taming Metadata Storms in Parallel Filesystems with MetaFS Tim Shaffer Motivation A (well-meaning) user tried to run a bioinformatics pipeline to analyze a batch of genomic data. MAKER 2 Motivation Shared filesystem performance became

507 views • 35 slides
Behavior Based Saf ety Behavior Based Saf ety PCL INDUSTRIAL CONSTRUCTORS INC. Objectives Upon

Behavior Based Saf ety Behavior Based Saf ety PCL INDUSTRIAL CONSTRUCTORS INC. Objectives Upon

Behavior Based Saf ety Behavior Based Saf ety PCL INDUSTRIAL CONSTRUCTORS INC. Objectives Upon completion of this presentation the participants will: Define activator, behavior, and consequence. Classify consequences to determine their

738 views • 71 slides
Taming Transactions: Towards Hardware-Assisted Control Flow Integrity using Transactional Memory

Taming Transactions: Towards Hardware-Assisted Control Flow Integrity using Transactional Memory

The 19th International Symposium on Research in Attacks, Intrusions and Defenses (RAID 2016) Taming Transactions: Towards Hardware-Assisted Control Flow Integrity using Transactional Memory Marius Muench, Fabio Pagani, Yan Shoshitaishvili,

559 views • 25 slides
Taming the Firehose: Thematically summarizing very large news corpora using topic modeling

Taming the Firehose: Thematically summarizing very large news corpora using topic modeling

Taming the Firehose: Thematically summarizing very large news corpora using topic modeling Philip A. Schrodt Parus Analytics Charlottesville, Virginia, USA schrodt735@gmail.com philipschrodt.org Presentation at PolMeth XXXV: 2018 Conference

532 views • 18 slides

More recommend