5.3.13 · HinglishBuild Systems & Toolchain

Undefined Behavior Sanitizer (UBSan)

2,023 words9 min readRead in English

5.3.13 · Coding › Build Systems & Toolchain


WHAT is Undefined Behavior?

UB exist kyun karta hai? Taaki compilers har jagah defensive checks daale bina fast code generate kar sakein. Standard kehta hai "agar programmer X likhta hai, toh hum assume karte hain ki woh kabhi bad case trigger nahi karega, isliye hum optimize karne ke liye free hain." Woh freedom speed ke liye great hai — aur jab tum actually trigger karte ho toh correctness ke liye nightmare.


WHAT is UBSan (the mechanism)?

Tum ise kaise use karte ho:

clang -fsanitize=undefined -fno-sanitize-recover=all -g file.c -o prog
./prog
# Pehle UB par: print karta hai e.g.
# file.c:12:9: runtime error: signed integer overflow:
#   2147483647 + 1 cannot be represented in type 'int'
  • -g → debug info rakho taaki line numbers print ho sakein.
  • -fno-sanitize-recover=all → pehli error par abort karo (warna UBSan report karta hai aur continue karta hai, jo "pehla" cause hide kar sakta hai).
  • Aksar combine kiya jaata hai: -fsanitize=undefined,address UB + memory errors ke liye.

WHY ek check possible hai: overflow test ko first principles se derive karna

Signed integer overflow lo 32-bit int ke liye. Representable range hai

Yeh bounds kyun? bits ke saath Two's complement: most significant bit ka weight hota hai, baaki positive weights add karte hain up to . Toh:

Addition-overflow condition derive karna. True mathematical sum compute karo (unbounded integers mein). Overflow = " representable nahi hai":

Yeh step kyun? UBSan unbounded integers mein cheaply compute nahi kar sakta, isliye yeh ek hardware fact use karta hai: do same-sign numbers ko add karna sirf usi sign ki taraf overflow kar sakta hai. Formally, overflow tab hota hai jab a aur b ka same sign ho aur result ka sign alag ho:


Worked examples


Figure — Undefined Behavior Sanitizer (UBSan)

UBSan vs its siblings


Active recall

Recall Pehle forecast karo phir verify karo (answers cover karo!)
  • UBSan kaunsa flag enable karta hai? ⇒ -fsanitize=undefined
  • -fno-sanitize-recover=all kyun add karo? ⇒ pehli error par abort karo taaki true root cause dikhe
  • -g kyun add karo? ⇒ taaki reports file:line dikhayein
  • Kya signed overflow UB hai? Kya unsigned overflow UB hai? ⇒ signed = UB; unsigned = well-defined (wraps mod )
  • n << 32 "kaam" kaise kar sakta hai phir bhi UB kyun hai? ⇒ x86 shift ko & 31 se mask karta hai, deta hai galat-lekin-crash-na-karne-wala result
Recall Feynman: ek 12-saal ke bachche ko explain karo

Socho language mein kuch "forbidden moves" hain — jaise apne calculator pe dikhayi dene wale sabse bade number se aage count karna. Agar tum ek forbidden move karo, toh rulebook kehta hai "kuch bhi ho sakta hai" aur machine shayad ek weird answer de, ya crash kar jaaye, ya theek lagta rahe aur baad mein betray kare. UBSan ek referee ki tarah hai jo game dekh raha hai aur jaise hi tum forbidden move karo, usi waqt whistle bajata hai, exact line point karta hai: "Yahan! Tumne maximum se zyada add karne ki koshish ki!" Toh ek spooky bug jo randomly agle mahine dikhe uski jagah, tum immediately pakde jaate ho.


Flashcards

UBSan ka full form kya hai aur yeh kya detect karta hai?
Undefined Behavior Sanitizer; ek compiler runtime checker jo undefined behavior ke liye hai (signed overflow, bad shifts, null/misaligned pointers, INT_MIN/-1, etc.).
UBSan enable karne wala compiler flag kaunsa hai?
-fsanitize=undefined.
UBSan ke saath -fno-sanitize-recover=all kyun combine karo?
Taaki program pehle violation par abort kare report karke continue karne ki jagah, true root cause reveal ho.
Kya C mein unsigned integer overflow UB hai?
Nahi — unsigned arithmetic modulo wrap karne ke liye defined hai. Sirf signed overflow UB hai.
32-bit int ki two's-complement range kya hai aur kyun?
; top bit ka weight hota hai, baaki bits tak add hoti hain.
Signed addition overflow kab hota hai (single-bit test)?
Jab dono operands sign bit share karein lekin wrapped result ka sign bit alag ho — exactly CPU overflow flag.
INT_MIN / -1 undefined kyun hai?
Result hai jo INT_MAX () se zyada hai; division overflow karta hai aur trap bhi ho sakta hai.
n << 32 x86 par silently galat answer kyun de sakta hai?
Hardware shift count ko & 31 se mask karta hai, toh n << 0 compute hota hai; standard phir bhi ise UB kehta hai.
Kya clean UBSan run prove karta hai ki program UB-free hai?
Nahi — yeh sirf executed paths check karta hai aur har UB category cover nahi karta; ASan/MSan/TSan aur static analysis ke saath pair karo.
UBSan vs ASan — ek line each.
UBSan = logic/arithmetic/pointer UB (sasta); ASan = memory errors jaise buffer overflow aur use-after-free (~2× slower).
Standard mein UB exist kyun karta hai?
Taaki compilers aggressively optimize kar sakein bina defensive checks daale, assume karke ki programmers kabhi bad cases trigger nahi karte.

Connections

  • AddressSanitizer (ASan) — memory-error counterpart
  • Compiler Optimization Levels — kyun UB -O2/-O3 par zyada kaata hai
  • Two's Complement Representation — overflow test ka basis
  • Integer Overflow & Wraparound
  • Static Analysis vs Dynamic Analysis
  • GCC and Clang Toolchains
  • Debugging with -g and Debug Info

Concept Map

imposes no requirements

enables

invisibly triggers

catches at runtime

enables

works via

inserts

on violation calls

prints file line

halts on first error

often combined with

Undefined Behavior

ISO C/C++ Standard

Fast Optimized Code

Ran fine so correct

UBSan Runtime Checker

-fsanitize=undefined

Compile-time Instrumentation

Check-then-report Code

libubsan Report

-fno-sanitize-recover=all

ASan Memory Errors