Volatiles Are Miscompiled, and What to Do about It
C's volatile qualifier is intended to provide a reliable link between
operations at the source-code level and operations at the memory-system
level. We tested thirteen production-quality C compilers
and, for each, found situations in which the compiler generated
incorrect code for accessing volatile variables. This result is disturbing
because it implies that embedded software and operating
systems—both typically coded in C, both being bases for many
mission-critical and safety-critical applications, and both relying
on the correct translation of volatiles—may be being miscompiled.
Our contribution is centered on a novel technique for finding
volatile bugs and a novel technique for working around them. First,
we present access summary testing: an efficient, practical, and automatic
way to detect code-generation errors related to the volatile
qualifier. We have found a number of compiler bugs by performing
access summary testing on randomly generated C programs. Some
of these bugs have been confirmed and fixed by compiler developers.
Second, we present and evaluate a workaround for the compiler
defects we discovered. In 96% of the cases in which one of
our randomly generated programs is miscompiled, we can cause the
faulty C compiler to produce correctly behaving code by applying
a straightforward source-level transformation to the test program.