[Novalug] "NULL pointer dereference" bug

Gregory Maxwell gmaxwell@gmail.com
Sat Jul 18 15:37:03 EDT 2009


On Sat, Jul 18, 2009 at 7:13 AM, Ed James<edjames@greenbelt.com> wrote:
> All,
>
>   I've recently read about a "NULL pointer dereference" bug which
> happens when kernel code is compiled using an optimizer.  It seems
> to be blown out of proportion a bit, IMHO.  However, it brings to
> mind a question...
>
>   In general, should optimization be used when a kernel is compiled?
>
> I've hit "unintended consequences" from optimized code in the past,
> and avoid optimizers because I ... just ... do .... not ... trust them.
> I'm curious how other, more experienced, people feel about this issue
> and why.  My experience is strictly on home machines, rather than big
> commercial systems.   However, the day may come when I'm running with
> the big dawgs, and it helps to know stuff ahead of time.


The description of this bug is incomplete.


The optimizer rightfully removed the check because the variable it was
checking had been previously dereferenced. If not for the crazy ability
to map something at zero the code would simply have crashed prior to
that point. There is nothing wrong with optimization— and in fact
since the code is normally developed with optimization disabled any
optimization dependent bugs are arguably more likely to appear in the
OFF case.


The screwups here are:

(1) that the user could randomly map stuff at zero.

(2) that the test was after the dereference.


Regardless of optimization (2) would have been a crash bug. It was
tested too late. The optimizer isn't at fault here.

(even a fairly simplistic static analysis tool like clang should
be able to whine at you that the check was dead code)
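The "tested too late" shape described above, beside the version that tests first, as an added C example that is not from the thread; the struct layout, function names and event flag values are constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed example (not from the original thread): a character-device
 * poll handler in the shape the mail describes.  The device pointer is
 * NULL when the file was never attached to a device. */
struct device { int readable; int writable; };
struct file   { struct device *dev; };

enum { EV_IN = 1, EV_OUT = 4, EV_ERR = 8 };

/* Bug shape: the pointer is dereferenced first, then tested.  Since the
 * dereference already happened, the compiler may assume 'dev' is non-NULL
 * and delete the check as dead code (GCC's -fdelete-null-pointer-checks,
 * on by default at -O2).  Without the check the NULL case reads address 0. */
int poll_check_too_late(struct file *f)
{
    struct device *dev = f->dev;
    int mask = dev->readable ? EV_IN : 0;    /* dereference first...  */
    if (!dev)                                /* ...then the (dead) test */
        return EV_ERR;
    if (dev->writable)
        mask |= EV_OUT;
    return mask;
}

/* Fix: test before the first dereference.  The check is live at any
 * optimisation level and the NULL path never touches memory via 'dev'. */
int poll_check_first(struct file *f)
{
    struct device *dev = f->dev;
    if (!dev)
        return EV_ERR;
    int mask = dev->readable ? EV_IN : 0;
    if (dev->writable)
        mask |= EV_OUT;
    return mask;
}

int main(void)
{
    struct device d = { 1, 1 };
    struct file attached = { &d }, detached = { NULL };
    printf("attached: %d\n", poll_check_first(&attached));   /* 5 */
    printf("detached: %d\n", poll_check_first(&detached));   /* 8 */
    /* poll_check_too_late(&detached) would read through NULL; not called. */
    return 0;
}
```

Compile with `-O2 -S` and compare the two functions' assembly: the `if (!dev)` branch survives only in `poll_check_first`.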


