Open marcinguy opened 3 years ago
Ah! It looks like you're encountering the fact that Sys skips code in order to find bugs in really big codebases, potentially leading to FPs. In this case, Sys has determined that it's possible, given no context, to end up with an uninit bug off of ind (if neither of the loops execute). True! But the function is never called in such a buggy way... There are a few approaches here, depending on what your goal is in using Sys:
EDITING TO ADD: one thing we also found very helpful was re-running the tool on debug builds of the browser (builds with assertions). If the bug didn't exist with the assertions turned on, it was likely not a bug they cared about.
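The loop-skipped uninit pattern described above, as an added illustration that is not code from the Sys project or from this issue (`argmax_unsafe`, `argmax_or_neg1` and `kSample` are made-up names and a constructed input); it shows the shape Sys reports beside a form that closes the `n == 0` path:

```c
#include <stddef.h>
#include <stdio.h>

/* Added illustration, not code from the Sys project or from this issue.
 * argmax_unsafe, argmax_or_neg1 and kSample are hypothetical names. */

/* Constructed sample input: the maximum (9) first appears at index 1. */
static const int kSample[] = {3, 9, 2, 9, 5};

/* The shape Sys reports: `ind` is written only inside the loops, so on the
 * n == 0 path neither loop runs and the final `return ind` reads an
 * uninitialized stack slot. Whether n == 0 is ever passed depends on the
 * callers, which Sys deliberately does not examine, so it reports it. */
static size_t argmax_unsafe(const int *v, size_t n) {
    int m;
    size_t ind;
    for (size_t i = 0; i < n; i++)           /* loop 1: maximum value */
        if (i == 0 || v[i] > m) m = v[i];
    for (size_t i = 0; i < n; i++)           /* loop 2: its first index */
        if (v[i] == m) { ind = i; break; }
    return ind;                              /* uninitialized if n == 0 */
}

/* Hardened form: the n == 0 path is closed explicitly and `ind` has an
 * initializer, so the report cannot recur even if a future caller passes
 * an empty array. Returns -1 for an empty input, else the index. */
static long argmax_or_neg1(const int *v, size_t n) {
    if (n == 0) return -1;                   /* precondition made explicit */
    size_t ind = 0;
    int m = v[0];
    for (size_t i = 1; i < n; i++)
        if (v[i] > m) m = v[i];
    for (size_t i = 0; i < n; i++)
        if (v[i] == m) { ind = i; break; }
    return (long)ind;
}

int main(void) {
    size_t n = sizeof kSample / sizeof kSample[0];
    printf("unsafe (n=%zu): %zu\n", n, argmax_unsafe(kSample, n));
    printf("safe   (n=%zu): %ld\n", n, argmax_or_neg1(kSample, n));
    printf("safe   (n=0): %ld\n", argmax_or_neg1(kSample, 0));
    return 0;
}
```

Calling `argmax_unsafe` with `n == 0` is exactly the path Sys warns about; whether it is a real bug is decided by the callers, which is why a debug build with an explicit precondition assertion settles the question quickly.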
Thank you for taking the time to explain it in such detail. It helps to understand the project better.
IMHO the assumption that the loops could be skipped is valid, as `n` could be zero.
That there is no callee that actually calls the function with that value is a hard analysis to tackle.
But still, here is an issue, I think: an assumption was made which results in the identified vulnerability being detected.
If there were no loop, it would not be a false positive.
So the fix should be that if loops etc. are skipped because of non-concrete values, then the message should maybe look like this: `Stack uninit bug (assumption)`, to make it clear that this could be a false positive.
FYI, here seems like another false positive.
Got an uninit bug that `p_quant_data_msb[0]` could be uninitialized in a call to `calc_diff_freq()`; I don't see how, however.
It seems it is properly assigned a value in all conditions (if, else if, else).
Relevant code:
```c
INT fdk_sacenc_ecDataPairEnc(HANDLE_FDK_BITSTREAM strm,
                             SHORT aaInData[][MAXBANDS],
                             SHORT aHistory[MAXBANDS],
                             const DATA_TYPE data_type, const INT setIdx,
                             const INT startBand, const INT dataBands,
                             const INT coarse_flag,
                             const INT independency_flag) {
  ...
  SHORT quant_data_lsb[2][MAXBANDS];
  SHORT quant_data_msb[2][MAXBANDS];
  SHORT quant_data_hist_lsb[MAXBANDS];
  SHORT quant_data_hist_msb[MAXBANDS];
  SHORT data_diff_freq[2][MAXBANDS];
  SHORT data_diff_time[2][MAXBANDS + 2];
  SHORT *p_quant_data_msb[2];
  SHORT *p_quant_data_hist_msb = NULL;
  ...
  /* Split off LSB */
  if (splitLsb_flag) {
    split_lsb(aaInData[setIdx] + startBand, quant_offset, dataBands,
              quant_data_lsb[0], quant_data_msb[0]);
    split_lsb(aaInData[setIdx + 1] + startBand, quant_offset, dataBands,
              quant_data_lsb[1], quant_data_msb[1]);
    p_quant_data_msb[0] = quant_data_msb[0]; /* branch 1 assigns the pointer */
    p_quant_data_msb[1] = quant_data_msb[1];
    num_lsb_bits = 2 * dataBands;
  } else if (quant_offset != 0) {
    for (pb = 0; pb < dataBands; pb++) {
      quant_data_msb[0][pb] = aaInData[setIdx][startBand + pb] + quant_offset;
      quant_data_msb[1][pb] =
          aaInData[setIdx + 1][startBand + pb] + quant_offset;
    }
    p_quant_data_msb[0] = quant_data_msb[0]; /* branch 2 assigns the pointer */
    p_quant_data_msb[1] = quant_data_msb[1];
    num_lsb_bits = 0;
  } else {
    p_quant_data_msb[0] = aaInData[setIdx] + startBand; /* branch 3 assigns the pointer */
    p_quant_data_msb[1] = aaInData[setIdx + 1] + startBand;
    num_lsb_bits = 0;
  }

  if (allowDiffTimeBack_flag) {
    if (splitLsb_flag) {
      split_lsb(aHistory + startBand, quant_offset, dataBands,
                quant_data_hist_lsb, quant_data_hist_msb);
      p_quant_data_hist_msb = quant_data_hist_msb;
    } else if (quant_offset != 0) {
      for (pb = 0; pb < dataBands; pb++) {
        quant_data_hist_msb[pb] = aHistory[startBand + pb] + quant_offset;
      }
      p_quant_data_hist_msb = quant_data_hist_msb;
    } else {
      p_quant_data_hist_msb = aHistory + startBand;
    }
  }

  /* Calculate frequency differences */
  calc_diff_freq(p_quant_data_msb[0], data_diff_freq[0], dataBands);
  calc_diff_freq(p_quant_data_msb[1], data_diff_freq[1], dataBands);
  ...
```
Thanks,
Guessing, right now without looking at the IR, that it's related to #1 (I broke something in the insert/extract operations recently). Would it be possible to see the `.ll` file?
Yes, sure. `.ll` file (with debugs): https://github.com/marcinguy/public/blob/master/sacenc_nlc_enc.o.ll
Sys output
C Code:
here is the bug:
However, `tmp` in the line above is referenced and assigned good values in the for loop.
Any explanation of why Sys flagged it, using static and symbolic execution?
Working on a real project and would like to understand Sys better.
Thanks in advance.
LL for reference: