"When good compilers go bad, or What you see is not what you execute" by Paul Anderson and Thomas Reps (GrammaTech VP of Engineering and President, respectively) is currently a Featured Design Article at Embedded.com. An excerpt appears below, with a link to the full article.
When good compilers go bad, or What you see is not what you execute
By Paul Anderson and Thomas W. Reps
The source-code representation of computer programs is often thought of as the supreme authoritative, precise, and unambiguous specification of what a software program does when it executes. Of course, plenty of errors can occur in source code, and static-analysis tools that find such errors can be effective in pinpointing where the problems are.
However, tools for analyzing source code have a key weakness: computers don't execute source code; they execute machine-code programs that may be generated from source code. The WYSINWYX phenomenon (What You See Is Not What You eXecute) refers to the mismatch between what the source-code description seems to indicate and what is actually executed by the processor. The consequence of WYSINWYX is that source-code-analysis tools are fundamentally blind to some kinds of code weaknesses--weaknesses that can only be detected by directly analyzing the machine code.
Compilers introduce WYSINWYX effects for several reasons. Sometimes they're created by machine-code optimization. Another reason is that the compiler author may have interpreted the source-language specification in an unexpected way. Some effects can even be maliciously introduced. Finally, compilers are themselves fairly complex programs and as such may have their own bugs.
In this article, we'll describe some of these effects and their consequences with a few real-world examples. The cure for WYSINWYX is to use tools that analyze machine code directly, an approach we've taken in our research. We'll discuss some of the challenges we faced.
See the article on the Embedded.com website.
About GrammaTech
GrammaTech's static-analysis tools are used worldwide by startups, Fortune 500 companies, educational institutions, and government agencies. The staff includes thirteen researchers with PhDs in programming languages and program analysis. More information about GrammaTech can be found at www.grammatech.com.
GrammaTech, Inc.
531 Esty Street
Ithaca, NY 14850 USA
phone: 607-273-7340
fax: 607-273-8752
e-mail: info@grammatech.com