ABSTRACT
C's volatile qualifier is intended to provide a reliable link between operations at the source-code level and operations at the memory-system level. We tested thirteen production-quality C compilers and, for each, found situations in which the compiler generated incorrect code for accessing volatile variables. This result is disturbing because it implies that embedded software and operating systems---both typically coded in C, both being bases for many mission-critical and safety-critical applications, and both relying on the correct translation of volatiles---may be miscompiled.
Our contribution is centered on a novel technique for finding volatile bugs and a novel technique for working around them. First, we present access summary testing: an efficient, practical, and automatic way to detect code-generation errors related to the volatile qualifier. We have found a number of compiler bugs by performing access summary testing on randomly generated C programs. Some of these bugs have been confirmed and fixed by compiler developers. Second, we present and evaluate a workaround for the compiler defects we discovered. In 96% of the cases in which one of our randomly generated programs is miscompiled, we can cause the faulty C compiler to produce correctly behaving code by applying a straightforward source-level transformation to the test program.
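The following C program is an added illustration, not code from the paper: it shows what an access summary is (the per-object load and store counts that a correct translation must perform) and models the source-level workaround as routing every volatile access through a small helper function, which is an assumption made here since the abstract does not spell the transformation out. The device registers, their names and IRQ_PENDING are constructed for the example.

```c
#include <stdint.h>

/* Access summary of one volatile object: how many loads and stores a
 * correct translation of the source must perform on it. */
struct access_summary { unsigned loads, stores; };

/* Constructed device: two memory-mapped registers, backed here by ordinary
 * memory so the program runs on a host (hypothetical layout, not a real device). */
#define IRQ_PENDING 0x1u
static volatile uint32_t status_reg = IRQ_PENDING;
static volatile uint32_t data_reg;
static struct access_summary status_sum, data_sum;

/* Modelled workaround: every volatile access goes through a helper that
 * performs exactly one access.  The helper also tallies the access so the
 * summary expected from the source can be checked at run time. */
static uint32_t vol_read_u32(volatile uint32_t *p, struct access_summary *s)
{ s->loads++; return *p; }
static void vol_write_u32(volatile uint32_t *p, uint32_t v, struct access_summary *s)
{ s->stores++; *p = v; }

/* Original style: direct volatile accesses.  The standard requires 2 loads
 * and 1 store on status_reg and 1 store on data_reg here; only the generated
 * machine code, not this source, can show whether the compiler did that. */
uint32_t ack_and_send_direct(uint32_t word)
{
    uint32_t st = status_reg;
    status_reg = st & ~IRQ_PENDING;
    data_reg = word;
    return status_reg;
}

/* Transformed style: the same logic with each access routed through a helper. */
uint32_t ack_and_send_wrapped(uint32_t word)
{
    uint32_t st = vol_read_u32(&status_reg, &status_sum);
    vol_write_u32(&status_reg, st & ~IRQ_PENDING, &status_sum);
    vol_write_u32(&data_reg, word, &data_sum);
    return vol_read_u32(&status_reg, &status_sum);
}

/* Runs the wrapped version once from a known register state and compares the
 * observed tallies with the summary derived from the source: 1 = match, 0 = mismatch. */
int summary_matches(void)
{
    status_sum = (struct access_summary){0, 0};
    data_sum = (struct access_summary){0, 0};
    status_reg = IRQ_PENDING;
    (void)ack_and_send_wrapped(0x1234u);
    return status_sum.loads == 2 && status_sum.stores == 1
        && data_sum.loads == 0 && data_sum.stores == 1;
}
```

The direct and wrapped functions compute the same result; the difference is that the wrapped form exposes the access count to the program, whereas checking the direct form requires inspecting the compiled binary.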
Title: Volatiles are miscompiled, and what to do about it