oss-sec mailing list archives

Re: How serious is undefined behavior?


From: John Haxby <john.haxby () oracle com>
Date: Mon, 6 Jul 2015 19:17:03 +0100


On 6 Jul 2015, at 17:17, Hanno Böck <hanno () hboeck de> wrote:

> However I wonder how practically relevant these issues are and also
> how much focus should be given to them. Do people have good examples
> where e.g. an invalid shift operation caused a real, severe security
> issue?
> Would people think it's a wise idea to put a lot of effort into testing
> applications with ubsan enabled and reporting all the bugs that pop up?
> (that would mean a lot of bugreports) Or would this be perceived as an
> annoying "that's a theoretical C language nitpick issue and not a real
> bug".

I don't have the example any more, but some years ago(*) we did have a problem because undefined behaviour on one 
compiler showed up differently on another.  In our case it was a hard-to-track-down bug because it wasn't particularly 
obvious that it was undefined.   We were similarly bitten when a new compiler changed the implementation of something 
else undefined.

And of course, the classic foo(a++, bar(a++)) crops up in one form or another on a regular basis.  It may have been 
that that changed from one release to another: one compiler evaluated all the arguments right to left, another one 
evaluated the first few left to right (to go into registers) and the later ones right to left.  I forget, sorry.

Of course, most of the time these just result in peculiar bugs rather than exploitable security issues, but it's not 
too hard to come up with plausible cases that would lead to a failing security check.

jch

(*) OpenMail, if anyone wonders or cares.
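The foo(a++, bar(a++)) shape and the invalid-shift question from the quoted mail, as an added C illustration that is not code from the thread or from OpenMail: a constructed two-byte length prefix read with two unsequenced side effects (the form a compiler may order either way) beside the well-defined rewrite, and a checked left shift that refuses the cases C leaves undefined. `sample_msg`, `make_len`, `has_full_payload` and `shl_checked` are assumed names.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed message: 2-byte big-endian payload length, then payload. */
static const unsigned char sample_msg[] = { 0x00, 0x03, 'a', 'b', 'c' };

static unsigned make_len(unsigned hi, unsigned lo) { return hi << 8 | lo; }
static unsigned low_byte(unsigned b) { return b & 0xffu; }

/* UNDEFINED BEHAVIOUR, the foo(a++, bar(a++)) shape: *pos is modified twice
 * with no sequence point between the two argument evaluations. One compiler
 * may take byte 0 as the high byte, another byte 1, so any bounds check built
 * on the result differs between builds. Kept only to show the pattern. */
static unsigned length_undefined(const unsigned char *buf, size_t *pos) {
    return make_len(buf[(*pos)++], low_byte(buf[(*pos)++]));
}

/* Well defined: each side effect sits in its own full expression. */
static unsigned length_defined(const unsigned char *buf, size_t *pos) {
    unsigned hi = buf[(*pos)++];
    unsigned lo = low_byte(buf[(*pos)++]);
    return make_len(hi, lo);
}

/* Bounds check on top of the defined form: 1 if the buffer holds the
 * whole payload announced by the prefix, 0 otherwise. */
static int has_full_payload(const unsigned char *buf, size_t buflen) {
    size_t pos = 0;
    if (buflen < 2) return 0;
    unsigned len = length_defined(buf, &pos);
    return buflen - pos >= len;
}

/* Checked signed left shift. C makes x << n undefined when n is negative or
 * not less than the width of x, when x is negative, or when the result does
 * not fit; return -1 instead of letting the compiler pick an outcome. */
static int shl_checked(int32_t x, unsigned n, int32_t *out) {
    if (n >= 32 || x < 0) return -1;
    if (n != 0 && x > (INT32_MAX >> n)) return -1; /* result would overflow */
    *out = (int32_t)((uint32_t)x << n);
    return 0;
}
```

Building with `-fsanitize=undefined` flags the `length_undefined` path at run time, which is the kind of report the quoted mail asks about.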
