Thanks! I will look into fixing it within the next 3 weeks.

Kaisen

John Regehr wrote:
> Hi Kaisen-
> 
> Peng is testing a tool that is designed to stress TinyOS applications to 
> make these sorts of problems reveal themselves prior to deployment.
> 
> The real answer to your question is something like: yes, it looks like 
> these bugs happen during actual execution.  On the other hand it would 
> be strong to say they caused something to break since we are out looking 
> for trouble.
> 
> I haven't followed the logic for the OOB array access but for the NULL 
> pointer access, it seems completely obvious that the code is wrong and 
> should be fixed.
> 
> John Regehr
> 
> 
> 
> On Thu, 2 Jul 2009, Kaisen Lin wrote:
> 
>> Hi Peng,
>>
>> Have these two "bugs" actually caused something to break, or are you
>> just suspicious of them?
>>
>> Kaisen
>>
>> li peng wrote:
>>> Hi There
>>>
>>> I have been testing the Dip Protocol, and believe I found two suspicious
>>> bugs.
>>>
>>> The first bug is in the command DipDecision.send() of component
>>> DipSummaryP.nc, there exists the problem in the following snippet of code:
>>>
>>>     dip_msg_t* dmsg;
>>>     dip_summary_msg_t* dsmsg;
>>>     dmsg = (dip_msg_t*) call SummarySend.getPayloadPtr();
>>>     dmsg->type = ID_DIP_SUMMARY;
>>>
>>> getPayloadPtr() may return NULL, and since the send() function fails to
>>> check for full, in the next line it will dereference the NULL pointer.
>>>
>>>
>>> The second one is array access out-of-bound error, which is in
>>> findRangeShadow() method of DipSummaryP.nc component. Since compared with
>>> the first bug, this bug is relatively more complicated to fix, I will just
>>> describe how this bug was triggered.
>>>
>>>    for(i = LBound ; i + len <= RBound; i++) {
>>>       est1 = shadowEstimates[i];
>>>       // when the RBound is violated, this access is out-of-bound
>>>       est2 = shadowEstimates[i + len];
>>>
>>>       /******* I evict the following code **********/
>>>    }
>>>
>>> Actually, this bug is caused by the defective value of RBound. In my test,
>>> shadowEstimates is an array with UQCOUNT_DIP (128) elements,
>>>
>>> there occur following two cases:
>>> 1. len: 128, LBound = RBound = 128 (highIndex:0)
>>> 2. len: 8, LBound: 114, RBound: 129 (highIndex:121)
>>> In addition, I still got the case with RBound is 130, where highIndex, not
>>> shown in the above snippet of code, is a variable used to compute RBound.
>>>
>>> Symptom: In all these cases listed above, RBound is all greater than the
>>> upper bound of array 127, hence, there occurs the array access out-of-bound
>>> error.
>>>
>>>
>>> Regards
>>>
>>>
>>> Peng
>>>
>>>
>>>
>>> ------------------------------------------------------------------------
>>>
>>> _______________________________________________
>>> Tinyos-help mailing list
>>> [email protected]
>>> https://www.millennium.berkeley.edu/cgi-bin/mailman/listinfo/tinyos-help
>>
>>
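
The loop bound from the report, worked through for the second reported case (len 8, LBound 114, RBound 129), as an added example that is not part of the thread and not the project's code. The element type, the function names and the choice to cap RBound are assumptions made for illustration; capping is a defensive guard, not a fix for how RBound is computed.

```c
#include <stddef.h>
#include <stdint.h>

#define UQCOUNT_DIP 128   /* array size quoted in the report */

/* Constructed stand-in for the component's array; element type assumed. */
static uint8_t shadowEstimates[UQCOUNT_DIP];

/* Highest index the reported loop would read for these bounds,
 * or -1 when the loop body never runs. No memory is touched. */
int highest_index_read(int LBound, int RBound, int len)
{
    int i, hi = -1;
    for (i = LBound; i + len <= RBound; i++)
        hi = i + len;                 /* index used for est2 */
    return hi;
}

/* Guarded form (hypothetical helper): cap RBound at the last valid
 * index before looping. Returns the number of (est1, est2) pairs read
 * and stores the highest index read in *hi (-1 if none). */
int scan_guarded(int LBound, int RBound, int len, int *hi)
{
    int i, pairs = 0;
    uint8_t est1, est2;

    *hi = -1;
    if (LBound < 0 || len < 0)
        return 0;                     /* reject bounds below the array */
    if (RBound > UQCOUNT_DIP - 1)
        RBound = UQCOUNT_DIP - 1;     /* 127 is the last valid index */
    for (i = LBound; i + len <= RBound; i++) {
        est1 = shadowEstimates[i];
        est2 = shadowEstimates[i + len];
        (void)est1; (void)est2;       /* comparison logic is omitted in the report */
        *hi = i + len;
        pairs++;
    }
    return pairs;
}
```

With RBound 129 the unguarded loop reaches index 129, two past the end; the guarded form stops at 127 after six pairs.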
