Hi Kaisen-
Peng is testing a tool that is designed to stress TinyOS applications to
make these sorts of problems reveal themselves prior to deployment.
The real answer to your question is something like: yes, it looks like
these bugs happen during actual execution. On the other hand it would be
strong to say they caused something to break since we are out looking for
trouble.
I haven't followed the logic for the OOB array access but for the NULL
pointer access, it seems completely obvious that the code is wrong and
should be fixed.
John Regehr
On Thu, 2 Jul 2009, Kaisen Lin wrote:
> Hi Peng,
>
> Have these two "bugs" actually caused something to break, or are you
> just suspicious of them?
>
> Kaisen
>
> li peng wrote:
>> Hi There
>>
>> I have been testing the Dip Protocol, and believe I found two suspicious
>> bugs.
>>
>> The first bug is in the command DipDecision.send() of component
>> DipSummaryP.nc; the problem exists in the following snippet of code:
>>
>> dip_msg_t* dmsg;
>> dip_summary_msg_t* dsmsg;
>> dmsg = (dip_msg_t*) call SummarySend.getPayloadPtr();
>> dmsg->type = ID_DIP_SUMMARY;
>>
>> getPayloadPtr() may return NULL, and since the send() function fails to
>> check for NULL, in the next line it will dereference the NULL pointer.
>>
>>
>> The second one is an array access out-of-bounds error, which is in the
>> findRangeShadow() method of the DipSummaryP.nc component. Since, compared with
>> the first bug, this bug is relatively more complicated to fix, I will just
>> describe how this bug was triggered.
>>
>> for(i = LBound ; i + len <= RBound; i++) {
>> est1 = shadowEstimates[i];
>> // when the RBound is violated, this access is out-of-bound
>> est2 = shadowEstimates[i + len];
>>
>> /******* I evict the following code **********/
>> }
>>
>> Actually, this bug is caused by the defective value of RBound. In my test,
>> shadowEstimates is an array with UQCOUNT_DIP (128) elements,
>>
>> and the following two cases occur:
>> 1. len: 128, LBound = RBound = 128 (highIndex:0)
>> 2. len: 8, LBound: 114, RBound: 129 (highIndex:121)
>> In addition, I also got a case where RBound is 130. Here, highIndex, not
>> shown in the above snippet of code, is a variable used to compute RBound.
>>
>> Symptom: In all the cases listed above, RBound is greater than the
>> upper bound of the array, 127; hence the array access out-of-bounds
>> error occurs.
>>
>>
>> Regards
>>
>>
>> Peng
>>
>>
>>
>> ------------------------------------------------------------------------
>>
>> _______________________________________________
>> Tinyos-help mailing list
>> [email protected]
>> https://www.millennium.berkeley.edu/cgi-bin/mailman/listinfo/tinyos-help
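As an added illustration (not code from this thread, nor from the TinyOS or DIP sources): a small C model of the two defects Peng describes, each beside a checked version. The array size UQCOUNT_DIP = 128, the loop shape `for (i = LBound; i + len <= RBound; i++)` and the parameter set len 8 / LBound 114 / RBound 129 come from the report; the names get_payload_ptr, dip_summary_send_checked, max_index_read and scan_shadow_clamped, the ID_DIP_SUMMARY value and the uint16_t element type are constructed for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define UQCOUNT_DIP 128     /* array size stated in the report */
#define ID_DIP_SUMMARY 2    /* constructed value; the real one lives in the DIP headers */

enum { DIP_SUCCESS = 0, DIP_EBUSY = 1 };

/* ---- Bug 1: unchecked getPayloadPtr() ------------------------------------ */

/* Constructed stand-in for SummarySend.getPayloadPtr(): returns NULL when the
 * radio stack cannot hand out a buffer, which is what the report warns about. */
static uint8_t payload_buf[16];
static uint8_t *get_payload_ptr(bool buffer_available) {
    return buffer_available ? payload_buf : NULL;
}

/* Checked counterpart of DipDecision.send(): tests the pointer before the
 * first field write and reports failure instead of faulting. */
int dip_summary_send_checked(bool buffer_available) {
    uint8_t *dmsg = get_payload_ptr(buffer_available);
    if (dmsg == NULL) {
        return DIP_EBUSY;       /* caller retries later; nothing is dereferenced */
    }
    dmsg[0] = ID_DIP_SUMMARY;   /* models dmsg->type = ID_DIP_SUMMARY */
    return DIP_SUCCESS;
}

/* ---- Bug 2: loop bound derived from an oversized RBound ------------------ */

/* Replays the index arithmetic of the quoted findRangeShadow() loop without
 * touching memory: returns the largest index the body would read through
 * shadowEstimates[i + len], or -1 if the loop never executes. */
int max_index_read(int len, int lbound, int rbound) {
    int max = -1;
    for (int i = lbound; i + len <= rbound; i++) {
        if (i + len > max) max = i + len;
    }
    return max;
}

/* True when the quoted loop would read past shadowEstimates[UQCOUNT_DIP - 1]. */
bool loop_reads_out_of_bounds(int len, int lbound, int rbound) {
    return max_index_read(len, lbound, rbound) >= UQCOUNT_DIP;
}

/* Defensive form of the scan: RBound is clamped to the last valid index, so
 * i + len can never exceed it. The loop keeps its shape; only the bound is
 * sanitized. Returns the number of (est1, est2) pairs the body examined. */
static uint16_t shadowEstimates[UQCOUNT_DIP];   /* element type assumed */

int scan_shadow_clamped(int len, int lbound, int rbound) {
    int pairs = 0;
    if (len < 0 || lbound < 0) return 0;          /* reject nonsensical inputs */
    if (rbound > UQCOUNT_DIP - 1) rbound = UQCOUNT_DIP - 1;
    for (int i = lbound; i + len <= rbound; i++) {
        uint16_t est1 = shadowEstimates[i];
        uint16_t est2 = shadowEstimates[i + len];
        (void)est1; (void)est2;   /* the real code compares the two estimates */
        pairs++;
    }
    return pairs;
}

int main(void) {
    /* Parameter set 2 from the report: len 8, LBound 114, RBound 129 */
    printf("max index read by quoted loop: %d (array has %d elements)\n",
           max_index_read(8, 114, 129), UQCOUNT_DIP);
    printf("out of bounds: %s\n", loop_reads_out_of_bounds(8, 114, 129) ? "yes" : "no");
    printf("pairs examined with clamped RBound: %d\n", scan_shadow_clamped(8, 114, 129));
    printf("send with no buffer -> %d, with buffer -> %d\n",
           dip_summary_send_checked(false), dip_summary_send_checked(true));
    return 0;
}
```

With the report's second parameter set the replayed loop reaches index 129, two past the end of a 128-element array; clamping RBound to 127 stops the scan at i = 119 and examines six pairs instead of eight. The replay function is the kind of cheap invariant check a stress tool or an assertion inside findRangeShadow() could evaluate before the loop runs, since the out-of-range RBound is computable from highIndex alone.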