Re: [Tinyos-help] Two bugs in Dip Protocol

Thu, 02 Jul 2009 21:57:24 -0700 

Hi Peng,

Have these two "bugs" actually caused something to break, or are you 
just suspicious of them?

Kaisen

li peng wrote:
> Hi There
> 
> I have been testing the Dip Protocol, and believe I found two suspicious
> bugs.
> 
> The first bug is in the command DipDecision.send() of component
> DipSummaryP.nc, there exists the problem in the following snippet of code:
> 
>     dip_msg_t* dmsg;
>     dip_summary_msg_t* dsmsg;
>     dmsg = (dip_msg_t*) call SummarySend.getPayloadPtr();
>     dmsg->type = ID_DIP_SUMMARY;
> 
> getPayloadPtr() may return NULL, and since the send() function fails to
> check for full, in the next line it will dereference the NULL pointer.
> 
> 
> The second one is array access out-of-bound error, which is in
> findRangeShadow() method of DipSummaryP.nc component. Since compared with
> the first bug, this bug is relatively more complicated to fix, I will just
> describe how this bug was triggered.
> 
>    for(i = LBound ; i + len <= RBound; i++) {
>       est1 = shadowEstimates[i];
>       // when the RBound is violated, this access is out-of-bound
>       est2 = shadowEstimates[i + len];
> 
>       /******* I evict the following code **********/
>    }
> 
> Actually, this bug is caused by the defective value of RBound. In my test,
> shadowEstimates is a array with UQCOUNT_DIP (128) elements,
> 
> there occur following two cases:
> 1. len: 128, LBound = RBound = 128 (highIndex:0)
> 2. len: 8, LBound: 114, RBound: 129 (highIndex:121)
> In addition, I still got the case with RBound is 130. where, highIndex, not
> shown in the above snippet of code, is a variable used to compute RBound.
> 
> Symptom: In all these cases listed above, RBound is all greater than the
> upper bound of array 127, hence, there occurs the array access out-of-bound
> error.
> 
> 
> Regards
> 
> 
> Peng
> 
> 
> 
> ------------------------------------------------------------------------
> 
> _______________________________________________
> Tinyos-help mailing list
> [email protected]
> https://www.millennium.berkeley.edu/cgi-bin/mailman/listinfo/tinyos-help

_______________________________________________
Tinyos-help mailing list
[email protected]
https://www.millennium.berkeley.edu/cgi-bin/mailman/listinfo/tinyos-help

Reply via email to