Hi There
I have been testing the Dip Protocol, and believe I found two suspicious
bugs.
The first bug is in the command DipDecision.send() of component
DipSummaryP.nc, there exists the problem in the following snippet of code:
dip_msg_t* dmsg;
dip_summary_msg_t* dsmsg;
dmsg = (dip_msg_t*) call SummarySend.getPayloadPtr();
dmsg->type = ID_DIP_SUMMARY;
getPayloadPtr() may return NULL, and since the send() function fails to
check for full, in the next line it will dereference the NULL pointer.
The second one is array access out-of-bound error, which is in
findRangeShadow() method of DipSummaryP.nc component. Since compared with
the first bug, this bug is relatively more complicated to fix, I will just
describe how this bug was triggered.
for(i = LBound ; i + len <= RBound; i++) {
est1 = shadowEstimates[i];
// when the RBound is violated, this access is out-of-bound
est2 = shadowEstimates[i + len];
/******* I evict the following code **********/
}
Actually, this bug is caused by the defective value of RBound. In my test,
shadowEstimates is a array with UQCOUNT_DIP (128) elements,
there occur following two cases:
1. len: 128, LBound = RBound = 128 (highIndex:0)
2. len: 8, LBound: 114, RBound: 129 (highIndex:121)
In addition, I still got the case with RBound is 130. where, highIndex, not
shown in the above snippet of code, is a variable used to compute RBound.
Symptom: In all these cases listed above, RBound is all greater than the
upper bound of array 127, hence, there occurs the array access out-of-bound
error.
Regards
Peng
_______________________________________________
Tinyos-help mailing list
[email protected]
https://www.millennium.berkeley.edu/cgi-bin/mailman/listinfo/tinyos-help
