help wanted: SATE6

[Daniel Marjamäki]

SATE6 is now running.

https://samate.nist.gov/SATE6ClassicTrack.html

I will participate with Cppcheck.

Help is wanted!

I would really like to have help with looking at the known bugs. And determine if Cppcheck detects the bugs. How should Cppcheck be configured to detect as many bugs as possible? Are there some simple bugs that Cppcheck does not detect that we could detect with some additional heuristic?

The source code is available in these archives:

https://samate.nist.gov/SATE6/wireshark-1.2-sate6.tar.xz
https://samate.nist.gov/SATE6/cgc-sate6.tar.xz
https://samate.nist.gov/SATE6/sqlite-3.21-sate6.tar.xz

The known bugs are clearly marked. In wireshark they are marked with "BUG". In sqlite "FLAW". And in cgc I think we have to read the readme.

I am looking mostly on sqlite now to start with...

[orbitcowboy]

False negatives, found by looking at wireshark:

uninitalized struct members: https://trac.cppcheck.net/ticket/8825
invalidFree: https://trac.cppcheck.net/ticket/8826
constStatement: https://trac.cppcheck.net/ticket/8827
knownConditionTrueFalse: https://trac.cppcheck.net/ticket/8828
knownConditionTrueFalse: https://trac.cppcheck.net/ticket/8829
uninitStructMember: https://trac.cppcheck.net/ticket/8831
zerodiv: https://trac.cppcheck.net/ticket/8832
checkCastIntToCharAndBack: https://trac.cppcheck.net/ticket/8834

new checks:
https://trac.cppcheck.net/ticket/8830

Recommended settings to get better results for scanning wireshark:
Commandline arguments --library=posix,gnu,zlib,gtk --force

[Daniel Marjamäki]

Thanks! Those are great tickets. In particular 8826 and 8827 should be trivial to add..

[orbitcowboy]

Wild idea: Can we check the SATA6 packages with our donate-cpu script?

[Daniel Marjamäki]

Yes I guess so. It is very good test cases as far as I see!

[versat]

Not sure if that is known:
In the wireshark repository there is a script and files to do a cppcheck analysis in the directory tools/cppcheck. While they use no libraries, which would help a lot i guess, there is a file for the include directories and in the script some other settings can be seen (like --std=c99) which may help.

[Daniel Marjamäki]

great I guess I can use that. If the problems would be detected by some library configuration I would like to use that.

[orbitcowboy]

I am still on it. Our library is missing some configuration:

std.cfg:
- https://trac.cppcheck.net/ticket/8887 (std::string::append())
- std::string::replace, std::sort(),std::stringstream::seekg(),std::istringstream::seekg(),std::stringstream::get(),std::istringstream::get(),std::stringstream::put(), std::vector::erase(), std::ostream::precision(), std::getline(),std::ofstream::open(),std::min_element() ,std::string::assign(),std::rotate(), std::std::rotate_copy() has to be configured as well.

Side note: We have support for all functions mentioned above since https://github.com/danmar/cppcheck/commit/a6e681f71e8998b7e12a3938d97bca81a63e6641

[Daniel Marjamäki]

We need to submit our results now in December so I have to finish this now.

I will run wireshark as you suggested now..

[Daniel Marjamäki]

In the wireshark repository there is a script and files to do a cppcheck analysis in the directory tools/cppcheck

I do not see it. Are you talking about the official source code repository?

[versat]

Yes, the github project:
https://github.com/wireshark/wireshark/tree/master/tools/cppcheck

[Daniel Marjamäki]

Here are some notes about the bug IDs in wireshark:

80690AEF : seems difficult .. GTK stuff
28025470 : GTK
C728B755 : dynamic format string
4257033C : no (tainted input)
36CC316B : no, seems difficult
79A7B3EC : no, seems difficult
2CC07361 : [epan/dissectors/packet-gsm_a_common.c:702]: (error) Uninitialized variable: a_add_string
48FA9911 : no, seems difficult
DE4059F0 : need to know that packet length can be longer than 2^16
85B4530F : assumption of current packet length
220FD7EE : seems difficult, use packet data to calculate ...
256C7C53 : packet length
9B990EFD : global variables num_of_strings and string_offset
C58965E4 : [epan/dissectors/packet-dcerpc-nt.c:494] -> [epan/dissectors/packet-dcerpc-nt.c:501]: (warning) Either the condition 'value==NULL' is redundant or there is possible null pointer dereference: value.
299E59EB : have to know semantics of tvb_get_ptr and tvb_length_remaining
E8EE6FC2 : [epan/dissectors/packet-smb.c:2126]: (warning) Possible null pointer dereference: dialects
4C4FDA1B : too much knowledge is needed
40CB269F : inconclusive - unknown correlations between variables
A64A9234 : [epan/dissectors/packet-smb.c:10486] -> [epan/dissectors/packet-smb.c:10499]: (warning) Either the condition 't2i!=NULL' is redundant or there is possible null pointer dereference: t2i.
D206D57A : no
C75CCA7F : no
B0954EED : no
AD8F584C : no
52CA9094 : [epan/dissectors/packet-dns.c:620]: (error) Uninitialized variable: np
80FA3989 : no
6215DE11 : no, but should be possible with whole program analysis
A751D662 : [epan/dissectors/packet-ntlmssp.c:961]: (error) Uninitialized variable: conv_ntlmssp_info
2AB010E1 : no
8C32D803 : no
1B24CC26 : [epan/dissectors/packet-ipmi-transport.c:938]: (error) Array 'ett[8]' accessed at index 8, which is out of bounds.
9ACE7B07 : no
7169C840 : no
27748E77 : no (would not be too hard to detect; variable size allocation)
8708BE95 : no
BFE3CCB1 : no
E31410C9 : no
ACBA7CD4 : no
4E27A311 : should be possible to detect with better configuration
68DE1B7B : no
92F50CD2 : no
2D623370 : no
2D551C70 : no
8EBE37FF : no
E02CFE60 : no
BE33920B : no
848E3C4E : no
D5F4E690 : no
ABF12F56 : [epan/dissectors/packet-arp.c:442] -> [epan/dissectors/packet-arp.c:492]: (warning) Either the condition 'value!=NULL' is redundant or there is possible null pointer dereference: value.
4E251C0D : no
D5800C2A : no
533440B6 : no
916FD15B : no
28B3BB4B : no
B11C16A5 : no
48FA7F97 : no
B8F041DB : no
61CF9E42 : no
3723B848 : no
16D311E6 : should be possible to detect with --library=gtk
419BD03E : no
8926DD0C : no
F66DF60F : no
80690AEF : no
28025470 : no
245F0BFF : no
7DD70701 : no
6553F682 : no
F0469AF8 : no
97AB29AD : no
8CA9F2B4 : no
5EA75897 : no
8B973D84 : no
3E7D5A5F : no
ED75DEF0 : no
7394F5E6 : no

I used this command line now:

/home/danielmarjamaki/cppcheck/cppcheck -j4 --enable=warning -DDEBUG -D__STDC__ -D__linux__ --platform=unix64 --cppcheck-build-dir=cppcheck-build-dir --library=posix,gnu,zlib -Iepan -Iepan/dissectors -Itools/lemmon -Iui -Iwiretap -i asn1 --std=c99 .

I did not use --library=gtk because I get some strange XML error.

The comment "no" just means that Cppcheck did not find the issue.. I do not know if it can find it with better configuration.

[Daniel Marjamäki]

Here are my comments for sqlite:

There are multiline #error statements in the sqlite code that cppcheck has problem with. I took the liberty to concatenate those into single line statements even though that is "not allowed".

./ext/fts3/fts3_write.c:4859: I see no bug
./ext/fts3/fts3_write.c:5040: I see no bug
./sqlite3.c:104604: I see no bug
./sqlite3.c:105734: I see no bug
./sqlite3.c:108246: I see no bug
./sqlite3.c:111004: false negative! intra-function analysis
./sqlite3.c:114479: [sqlite3.c:114473] -> [sqlite3.c:114471]: (warning) Either the condition 'sqlite3PendingByte>99' is redundant or the array 'buf[100]' is accessed at index 100, which is out of bounds.
./sqlite3.c:124518: [sqlite3.c:124512] -> [sqlite3.c:124510]: (warning) Either the condition 'sqlite3PendingByte>99' is redundant or the array 'buf[100]' is accessed at index 100, which is out of bounds.
./sqlite3.c:142789: false negative! intra-function analysis
./sqlite3.c:144087: false negative! intra-function analysis
./sqlite3.c:162322: I see no bug
./sqlite3.c:162503: I see no bug
./sqlite3.c:20009: false negative! intra-function analysis
./sqlite3.c:25462: [sqlite3.c:25462]: (error) Memory leak: pz
./sqlite3.c:25494: [sqlite3.c:25497]: (error) Memory leak: db
./sqlite3.c:47095: I see no bug
./sqlite3.c:56462: [sqlite3.c:56457] -> [sqlite3.c:56455]: (warning) Either the condition 'sqlite3PendingByte>99' is redundant or the array 'buf[100]' is accessed at index 100, which is out of bounds.
./sqlite3.c:72588: [sqlite3.c:72583] -> [sqlite3.c:72581]: (warning) Either the condition 'sqlite3PendingByte>99' is redundant or the array 'buf[100]' is accessed at index 100, which is out of bounds.
./sqlite3.c:78417: memory leak! [sqlite3.c:78410]: (warning) Assignment of function parameter has no effect outside the function. Did you forget dereferencing it?
./sqlite3.c:90833: I see no bug
./src/build.c:3919: I see no bug
./src/date.c:586: false negative, allocated buffer, array index out of bounds, whole program analysis is needed
./src/delete.c:104: I see no bug
./src/func.c:1701: I see no bug
./src/insert.c:1140: false negative, allocated buffer, array index out of bounds, whole program analysis is needed
./src/main.c:2144: false negative, allocated buffer, array index out of bounds, whole program analysis is needed
./src/main.c:846: false negative, allocated buffer, array index out of bounds, whole program analysis is needed
./src/malloc.c:636: [src/malloc.c:639]: (error) Memory leak: pz
./src/malloc.c:668: [src/malloc.c:674]: (error) Memory leak: db
./src/pragma.c:160: no
./src/resolve.c:554: no
./src/rowset.c:280: no
./src/trigger.c:569: no
./src/vdbeapi.c:1500: no
./src/vdbeaux.c:412: no
./src/wal.c:1358: no
./tsrc/build.c:3919: no
./tsrc/date.c:586: no
./tsrc/delete.c:104: no
./tsrc/fts3_write.c:4859: no
./tsrc/fts3_write.c:5040: no
./tsrc/func.c:1701: no
./tsrc/insert.c:1140: no
./tsrc/main.c:2144: no
./tsrc/main.c:846: no
./tsrc/malloc.c:636: [tsrc/malloc.c:639]: (error) Memory leak: pz
./tsrc/malloc.c:668: [tsrc/malloc.c:674]: (error) Memory leak: db
./tsrc/pragma.c:160: no
./tsrc/resolve.c:554: no
./tsrc/rowset.c:280: no
./tsrc/trigger.c:569: no
./tsrc/vdbeapi.c:1500: no
./tsrc/vdbeaux.c:412: no
./tsrc/wal.c:1358: no

[Daniel Marjamäki]

I will submit the results ASAP.

I see a couple of bugs that I think we should have detected ... so we can try to fix those in the coming cppcheck releases.