{{+bindTo:partials.standard_nacl_article}}

PNaCl Undefined Behavior

Overview

C and C++ undefined behavior allows efficient mapping of the source language onto hardware, but leads to different behavior on different platforms.

PNaCl exposes undefined behavior in the following ways:

Specification

PNaCl’s goal is that a single pexe should work reliably in the same manner on all architectures, irrespective of runtime parameters and through Chrome updates. This goal is unfortunately not attainable; PNaCl therefore specifies as much as it can and outlines areas for improvement.

One interesting solution is to offer good support for LLVM’s sanitizer tools (including UBSan) at development time, so that developers can test their code against undefined behavior. Shipping code would then still get good performance, and diverging behavior would be rare.

Note that none of these issues are vulnerabilities in PNaCl and Chrome: the NaCl sandboxing still constrains the code through Software Fault Isolation.

Behavior in PNaCl Bitcode

Well-Defined

The following are traditionally undefined behavior in C/C++ but are well defined at the pexe level:

Not Well-Defined

The following are traditionally undefined behavior in C/C++ which also exhibit undefined behavior at the pexe level. Some are easier to fix than others.

Potentially Fixable

Floating-Point

PNaCl offers an IEEE-754 implementation which is as correct as the underlying hardware allows, with a few limitations. These are a few sources of undefined behavior which are believed to be fixable:

SIMD Vectors

SIMD vector instructions aren’t part of the C/C++ standards and as such their behavior isn’t specified at all in C/C++; it is usually left up to the target architecture to specify behavior. Portable Native Client instead exposes Portable SIMD Vectors and offers the same guarantees on these vectors as the guarantees offered by the contained elements. Of notable interest amongst these guarantees are those of alignment for load/store instructions on vectors: a vector load or store has the same alignment restriction as the contained elements, not the (usually larger) natural alignment of the whole vector.
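
The element-alignment guarantee matters in practice because native code frequently assumes a 16-byte vector can only be loaded from a 16-byte aligned address. The following is an added example, not code from the PNaCl documentation or toolchain; it assumes the GCC/Clang `vector_size` extension syntax and uses `memcpy` for the vector loads and stores so that the compiler is told, in standard C, that only element (4-byte) alignment is available. The helper names (`load_v4i_elem_aligned`, `add_arrays`, `sum_of_offset_add`) and the sample buffers are constructed for this illustration.

```c
#include <stdalign.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Portable 4 x int32 vector using the GCC/Clang vector extension
 * (assumption: the same syntax as portable SIMD vectors in C). */
typedef int32_t v4i __attribute__((vector_size(16)));

/* Load a v4i from memory that only guarantees int32_t (4-byte) alignment.
 * memcpy lets the compiler emit whatever unaligned load the target has
 * instead of assuming 16-byte alignment the way *(const v4i *)p would. */
static v4i load_v4i_elem_aligned(const int32_t *p) {
    v4i v;
    memcpy(&v, p, sizeof v);
    return v;
}

/* Store counterpart with the same element-only alignment requirement. */
static void store_v4i_elem_aligned(int32_t *p, v4i v) {
    memcpy(p, &v, sizeof v);
}

/* dst[i] = a[i] + b[i], four lanes at a time, scalar tail for n % 4 != 0. */
static void add_arrays(int32_t *dst, const int32_t *a, const int32_t *b, size_t n) {
    size_t i = 0;
    for (; i + 4 <= n; i += 4) {
        v4i va = load_v4i_elem_aligned(a + i);
        v4i vb = load_v4i_elem_aligned(b + i);
        store_v4i_elem_aligned(dst + i, va + vb);
    }
    for (; i < n; i++) dst[i] = a[i] + b[i];
}

/* Returns 1 if p is aligned to a bytes, else 0. */
static int aligned_to(const void *p, size_t a) {
    return ((uintptr_t)p % a) == 0;
}

/* Constructed check: a 16-byte aligned buffer offset by one element is
 * 4-byte aligned but not 16-byte aligned, i.e. exactly the case where the
 * vector load may rely only on element alignment. */
static int offset_is_element_aligned_only(void) {
    alignas(16) int32_t buf[9] = {0};
    return aligned_to(buf + 1, sizeof buf[0]) && !aligned_to(buf + 1, 16);
}

/* Constructed input: both operands and the output start one element into a
 * 16-byte aligned array, so every vector access is only 4-byte aligned.
 * Returns the sum of the eight results: (1+..+8) + (10+..+80) = 396. */
static int32_t sum_of_offset_add(void) {
    alignas(16) int32_t a[9] = {0, 1, 2, 3, 4, 5, 6, 7, 8};
    alignas(16) int32_t b[9] = {0, 10, 20, 30, 40, 50, 60, 70, 80};
    alignas(16) int32_t out[9] = {0};
    add_arrays(out + 1, a + 1, b + 1, 8);
    int32_t s = 0;
    for (int i = 1; i < 9; i++) s += out[i];
    return s;
}

int main(void) {
    printf("offset buffer element-aligned only: %d\n", offset_is_element_aligned_only());
    printf("sum of vector adds on offset buffers: %d\n", sum_of_offset_add());
    return 0;
}
```

Casting `a + i` to `const v4i *` and dereferencing it would instead promise the compiler 16-byte alignment; on a target that enforces it, that promise is broken on the offset buffers above, which is the behavior difference across architectures that the element-alignment guarantee removes.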

Hard to Fix

{{/partials.standard_nacl_article}}