I think the closest I ever came to this was when I stumbled into a bug in git.<p>We were asking git to do something utterly trivial, like clone, and it was segfaulting. We installed the debug symbols or something (as I recall you can install these separately in Debian) and started trying to see where the function was crashing. The crash was in a parser, and the code was doing,<p><pre><code> char *foo = strstr(input, "something constant");
</code></pre>
and segfaulting later (but not chasing null!), during the first use of foo. I figured that input must, therefore, be a bad pointer, since the string literal is by definition fine, and the only way to get a bad pointer <i>out</i> of strstr was to give it bad input in the first place.<p>So, in gdb, I print the input point. It's valid. "Damn" I think to myself "we've gotten unlucky, and whatever triggers the cascade of UB hasn't happened this run. Freakin' heisenbug." So, I told gdb to just continue running the program: it crashed. Same backtrace: dereferencing foo triggered a segfault, and not with a null pointer.<p>If the input pointer to strstr is valid, how can the output be a bad pointer? strstr is documented as,<p><pre><code> These functions return a pointer to the beginning of the located
substring, or NULL if the substring is not found.
</code></pre>
So, what gives?<p>I attempted to debug strstr … that was almost a mistake. strstr is, unfortunately heavily optimized. It might have been this one: <a href="https://sourceware.org/git/?p=glibc.git;a=blob;f=sysdeps/x86_64/multiarch/strstr-sse2-unaligned.S;h=c6aa8f45a60d175826c3d4e6eb483495a2cbf424;hb=f2698954ff9c2f9626d4bcb5a30eb5729714e0b0" rel="nofollow">https://sourceware.org/git/?p=glibc.git;a=blob;f=sysdeps/x86...</a><p>I'm okay with a debugger, but I'm not going the be able to follow where vectorized code is going wrong. Almost stupidly, I told strstr to (f)inish the function's execution, at which point gdb printed the return value: it was a valid pointer!<p>"Odd. Is this run going to succeed?" I continue execution: <i>it crashes</i>.<p>I restart the debugging, and run to the completion of strstr: the pointer is correct, but again, crash. <i>How.</i> The segfaulting address isn't the pointer strstr is returning, either, and nothing modifies foo after the strstr.<p>I single step out of strstr, and immediately print foo. The resulting pointer is wrong. strstr is working fine … but what, the assignment operator is broken? At this point, I'm sure I'm crazy. I disassemble the source, and lo and behold, the disassembly is trivially wrong. Forgive me as I can't amd64 unless I'm looking at it, but the disassembly is something like,<p><pre><code> call strstr
cltq
<store foo>
</code></pre>
We look the odd instruction up; it sign extends eax into rax. That's … not a valid operation on a supposed char pointer … there's not even technically a value in eax at this point. strstr returned a pointer in rax. eax is just the lower 32 bits of that pointer, and sign extending that back into rax makes no sense. It's like the compiler thought the return from strstr was a signed int … and that's where it hits me: C is shooting us in the foot again.<p>> <i>and if no declaration is visible for this identifier, the identifier is implicitly declared exactly as if. in the innermost block containing the function call. the declaration</i><p>> <i>extern int identifier();</i><p>> <i>appeared.</i><p>The default return for an undeclared function, in C89, is int. (I'm actually not sure what C11 says about this. The C89 rule appears to be gone, but there doesn't seem to be anything in its place, which is bizarre. "Undeclared" does not appear, except for an unrelated footnote.)<p>Slap in the proper include for strstr, recompile. No segfault, disassembly is correct.<p>Upgrade to latest version, disassemble: disassembly is correct. Someone else fixed the bug, in the meantime. Should have just tried upgrading in the first place…<p>(After typing this up: had to dig up the debugging session. It was strchr, not strstr. Potato, potato. Someday … this should be a blog post…)