3

I'm in a safety critical embedded C project and there's a discussion about detecting memory corruptions (e.g. buffer overflows) in boolean variables. As everyone knows, in C, the "boolean" type is actually an N-bit integer and that means it has potentially 2N-2 invalid values. E.g. if you declare FALSE as 0 and TRUE as 1 (by macros, constants or enums), then it is possible to say that <0 (in case of signed type) or >1 are consequences of memory corruption (or a bug).

So theoretically it should be possible construct such fault capture code blocks:

if (b == TRUE)       { /* Good, do something               */ }
else if (b == FALSE) { /* Good, but don't do anything      */ }
else                 { /* Memory corruption. Deal with it. */ }

Or do it with switch-case. It is mandatory to have for state variables and other enum types, but doing it for booleans certainly adds a lot of code and my question is - is it worth the effort?

Mikk L.
  • 161
  • 2
  • 9
  • 3
    Considering that memory corruption could also overwrite `b` with precisely 0 or 1 I doubt this is really worth it. There's better ways of trying to detect memory overwrites that don't require programmers to add code to every single check they perform – UnholySheep May 18 '20 at 14:08
  • 1
    How do you detect corruption in variables of other types, e.g., `int`? Wouldn't they be just as critical, or even more so? – Fred Larson May 18 '20 at 14:10
  • [What is the benefit of terminating if … else if constructs with an else clause?](https://stackoverflow.com/questions/35053371/what-is-the-benefit-of-terminating-if-else-if-constructs-with-an-else-clause) might answer the question. I gave an example with bool in my answer. All safety-critical (and MISRA-C compatible) programs need to implement defensive programming. That includes, terminating all `else if` with `else`, as well as terminating all `switch` with `default`. – Lundin May 18 '20 at 14:16
  • 1
    A better question might be why you are still using C90 in safety-related software. It contains a lot of hazards that C99 solved: "implicit int", "the struct hack", reliable integer division etc. – Lundin May 18 '20 at 14:17
  • It's close to impossible to do this using a purely software approach in a single controller. A critical embedded project will have redundant hardware, error-correcting memory, hardware watchdogs and similar higher level supervisors. And if you used `stdbool.h` here instead, an optimizing compiler would simply optimize away the third path in this case, and this would likely happen with other "impossible" checks you try to implement. – vgru May 18 '20 at 14:35
  • 1
    There is no reason in the C standard to believe the code shown would suffice to detect invalid bit patterns, if `b` is declared as a `_Bool`. The C standard does not say what happens if, when reading a `_Bool` object, the bits in memory are other than those used for the values 0 or 1. To detect invalid bit patterns, you should examine the contents of memory using a pointer to `unsigned char`. If `b` is some integer type other than `_Bool`, then that code might work (although the C standard still permits padding bits and trap representations). – Eric Postpischil May 18 '20 at 14:47
  • On some old codebases, before a `bool` (`_Bool`) type was standardized and widely used, regular integers were used as booleans. Every time I have to work in one of those I hate it. What is the type of `b`? If it is a `bool` or `_Bool`, you're not going to get far trying to do what you're doing. You get into some weird behavior pretty quickly. This example: https://godbolt.org/z/Chcd7M returns the value `56` from a function returning `bool`. – Thomas Jager May 18 '20 at 14:58
  • 1
    If the `b` in your example code has type `_Bool` (or `bool`), it would be interesting to see which of your three branches is taken if it has a value other than 0 or 1. The behavior is probably undefined. So if you really need to check for things like this, it is probably better to avoid using `_Bool` (or `bool`) as the type of such objects altogether. – Ian Abbott May 18 '20 at 15:19
  • I would say @Lundin answered my question. I know about that MISRA else-if termination rule, which means it's about automotive safety topic, but I could find if MISRA tells about undetermined state of boolean (I guess not). Anyway, that link to another question answer gives me confidence that this scenario has been used out there. – Mikk L. May 18 '20 at 16:25
  • @FredLarson - integer values can have range checks. E.g. PWM duty cycle range can be 0 to 100 (in percentages). – Mikk L. May 18 '20 at 16:58
  • @Groo - there's one MCU, but it's safety MCU with ECC, WD and other features. But those features don't protect against internal SW caused corruptions. MPU protects, but it has it's own downsides. Anyway, this boolean thing is just one potential option to help detecting corruption. – Mikk L. May 18 '20 at 17:06
  • @UnholySheep - true, it won't be a single effective countermeasure, but having plenty of run-time sanity checks, asserts and other (hardware) features increases the likelyness of capturing corruption early. On the other hand increased code complexity also increases likelyness of bugs, so that's why there's probably some balance point... – Mikk L. May 18 '20 at 17:15
  • @MikkL. Safety-related design is all about minimizing the probability of failures. So you should have defensive programming _and_ ECC _and_ safety MCU _and_ wdog... and so on. Many safety features overlap each other, which is great, because if one of them isn't working for whatever reason, another will. – Lundin May 19 '20 at 07:08
  • Btw it actually doesn't matter if the bool type is a home-made enum or the type defined by the language. See this: https://stackoverflow.com/questions/52163870/bool-type-and-strict-aliasing. My evil, intentional UB access of the _Bool in that example could as well have been caused by runaway code or other memory corruption. – Lundin May 19 '20 at 07:31
  • @ThomasJager: [the example you have shown](https://godbolt.org/z/Chcd7M) is the result of an undefined behavior, and as such demonstrates a successful demonstration of purposefully confusing the compiler. You are only allowed to alias a pointer with char* for reading the contents of the memory, not for writing arbitrary values into memory and then using the previously aliased object afterwards, especially purposefully using values not representable using the aliased type. You may as well ask [why these two functions return different results](https://godbolt.org/z/q-2czB). – vgru May 19 '20 at 10:41
  • @Groo That was the point. – Thomas Jager May 19 '20 at 12:07

1 Answers1

0

Depends on the safety class you try to reach. The above example is not very safe when considering that the memory corruption also could mean a change in bit0 which would make a TRUE to FALSE or vice versa.

Therefore I have seen much more wrapping to secure critican variables.

such as storing each variable in a struct consisting of the variable itself and its complement as copy.

struct tag_intvar{
    int variable;
    int complement;
};

and then working with getter/setter functions to grant atomic access and and perform consistensy checking/handling.

int setintvalue(tag_intvar* var, int val){
    if(isconsistent(var)){
        var.variable = val;
        var.complement = ~val;
        return TRUE;
    }
    //... inconsistent... handler
    return FALSE;
}

while 

int isconsistent(tag_intvar* var){
   return (var.variable == ~var.complement)?TRUE:FALSE;
}
sbo
  • 23
  • 6
  • 1
    And then... the memory gets corrupted after line 4 in `setintvalue`. – vgru May 18 '20 at 14:37
  • yes, there are serveral levels of safety. Maybe Mikk clarifies the class of safety he is looking for. this is coming from the low end (white goods, like dishwashers). this is not as high as medical, automotive, aviation or even space. – sbo May 18 '20 at 14:42
  • @sbo - In fact I was thinking about something like that, but probably those getters/setters should be called from uninterrupted section (interrupts disabled). On the other hand it would be quite large update to existing code. – Mikk L. May 18 '20 at 16:33
  • yes, it needs to be as atomic as possible, therefore disable interrupt for line 3 and 4. But as @Groo mentioned, the disturbtion coud still happen in between line 3 and 4. but this would then be recognized by the getter, that has to check as well. – sbo May 18 '20 at 17:01
  • The corruption could take place in `setintvalue()`, however the likelihood of it happening at exactly this location is low. So you have significantly reduced the probability of a bit flip. Bit flips can often occur when higher power devices are used. Often the probability of an error is important in these standards. Safety is different in this aspect from *security* (and reliability). – artless noise Feb 28 '22 at 03:21