Abstract: Compiler Explorer is a neat tool not just for exploring the assembly output of compiled source code, but also for analyzing the weird bugs that result from compiler optimization and undefined behavior.
Slides from my DC303 talk on Compiler Explorer can be found here:
https://docs.google.com/presentation/d/1Po9820xsBw6P_aZTNxFt8U4qjVOJIL_Y0Mo8WVyKoQw/
The format of this talk relies heavily on audience participation, but the individual examples are all sourced to the original articles for additional context. Examples include:
- a notorious Linux Kernel bug, where one lazy null pointer dereference resulted in a proven exploit
- undefined behavior that really will erase your hard disk (on Linux distributions that don't protect the root directory)
- when clearing buffers fails badly enough to earn its own entry back when CWE ID numbers were still in their teens
- an absentminded ASSERT that just ruins everything (for one particular logging bug)
- that one concurrency bug that Facebook engineers keep making because they forget to type one letter
- when the compiler really thinks that your overflow detection is too paranoid and throws it in the garbage without telling you
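The bullets above refer to three well-known C/C++ patterns: a null check placed after the dereference it is supposed to guard, a signed-overflow check that the optimizer can legally fold away, and a buffer wipe the optimizer can drop as a dead store. The following is an added example (not code from the talk or the slides) showing each pattern next to a form the compiler cannot optimize out; all function names and the `struct packet` type are constructed for this illustration. Compare the two forms of each pair at `-O2` in Compiler Explorer to see which checks survive.

```c
#include <limits.h>
#include <stddef.h>
#include <string.h>

/* Constructed type for the null-check example. */
struct packet { int len; };

/* Pattern 1 (bullet: lazy null pointer dereference).
 * p->len is read before p is tested. If p is NULL that read is undefined
 * behavior, so the compiler may assume p is non-null and delete the check. */
static int unchecked_then_checked(const struct packet *p) {
    int len = p->len;            /* dereference first ...            */
    if (p == NULL) return -1;    /* ... so this test may be removed  */
    return len;
}

/* Hardened: test before touching the pointer. The check is now meaningful
 * and the compiler has to keep it. */
static int checked_then_read(const struct packet *p) {
    if (p == NULL) return -1;
    return p->len;
}

/* Pattern 2 (bullet: overflow detection thrown in the garbage).
 * Signed overflow is undefined, so the compiler may reason that a + b can
 * never wrap and fold `a + b < a` to a constant false. */
static int naive_overflow_check(int a, int b) {
    return a + b < a;            /* may be compiled to `return 0;` */
}

/* Hardened: decide whether the addition would overflow *before* doing it,
 * using only defined comparisons. Returns 1 on overflow, 0 otherwise. */
static int safe_add(int a, int b, int *out) {
    if ((b > 0 && a > INT_MAX - b) || (b < 0 && a < INT_MIN - b))
        return 1;
    *out = a + b;
    return 0;
}

static int add_overflows(int a, int b) {
    int tmp = 0;
    return safe_add(a, b, &tmp);
}

/* Pattern 3 (bullet: clearing buffers fails, CWE-14 style).
 * A memset on a buffer that is never read again is a dead store, and the
 * optimizer is allowed to remove it. */
static void naive_scrub(char *buf, size_t n) {
    memset(buf, 0, n);           /* may be elided if buf is dead after this */
}

/* Hardened: call memset through a volatile function pointer. The compiler
 * cannot prove what the pointer holds at the call, so the store stays. */
static void *(*const volatile memset_fn)(void *, int, size_t) = memset;

static void secure_scrub(void *buf, size_t n) {
    memset_fn(buf, 0, n);
}

/* Returns 1 if secure_scrub left every byte of a filled buffer zeroed. */
static int scrub_is_effective(void) {
    char secret[16];
    memset(secret, 'A', sizeof secret);   /* constructed "sensitive" data */
    secure_scrub(secret, sizeof secret);
    for (size_t i = 0; i < sizeof secret; i++)
        if (secret[i] != 0) return 0;
    return 1;
}

int main(void) {
    struct packet pk = { 42 };
    return (checked_then_read(&pk) == 42 &&
            checked_then_read(NULL) == -1 &&
            add_overflows(INT_MAX, 1) == 1 &&
            !add_overflows(1, 2) &&
            scrub_is_effective()) ? 0 : 1;
}
```

The "naive" functions are kept only so their assembly can be inspected; nothing here calls `unchecked_then_checked` with a null pointer or `naive_overflow_check` with overflowing inputs, since both are undefined behavior and no result they produce is meaningful.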
This talk came about as I was talking about Matthew Butler's course Exploiting Modern C++: Building Highly-Dependable Software at the DC303 meetup. The topic of who should present the next month came up, and others suggested that undefined behavior causing C++ security bugs would be a topic of interest. Matthew Butler was gracious enough to give the green light to present any topic from his 2-day course as a 2-hour talk, so he gets a credit slide.