nus-apr / CrashRepair

Security Vulnerability Repair via Concolic Execution and Code Mutations

Duplicate/conflicting fix locations are produced by analysis #47

Open ChrisTimperley opened 1 year ago

ChrisTimperley commented 1 year ago

@rshariffdeen Heads up that some fix locations are being reported twice, leading to duplicate candidate patches. For example, libxml2/CVE-2016-1838. Below is a snippet from the report.json for that bug scenario:

    "fix-locations": [
      {
        "constraint": "((@var(integer, tlen) < 16388) && (0 <= @var(integer, tlen)))",
        "location": "/data/vulnloc/libxml2/CVE-2016-1838/src/parser.c:9836:5",
        "values-file": "/data/vulnloc/libxml2/CVE-2016-1838/analysis/values/#data#vulnloc#libxml2#CVE-2016-1838#src#parser.c:9836:5.csv",
        "variables": [
          {
            "column": 13,
            "line": 9837,
            "name": "ctxt->input->cur[tlen]",
            "type": "integer"
          },
          {
            "column": 13,
            "line": 9837,
            "name": "ctxt",
            "type": "integer"
          },
          {
            "column": 13,
            "line": 9837,
            "name": "ctxt->input->cur[tlen]",
            "type": "pointer"
          },
          {
            "column": 13,
            "line": 9837,
            "name": "ctxt",
            "type": "pointer"
          },
          {
            "column": 30,
            "line": 9837,
            "name": "tlen",
            "type": "integer"
          },
          {
            "column": 26,
            "line": 9837,
            "name": "ctxt->input->cur",
            "type": "pointer"
          },
          {
            "column": 19,
            "line": 9837,
            "name": "ctxt->input",
            "type": "pointer"
          }
        ]
      },
      {
        "constraint": "((@var(integer, tlen) < 16388) && (0 <= @var(integer, tlen)))",
        "location": "/data/vulnloc/libxml2/CVE-2016-1838/src/parser.c:9836:5",
        "values-file": "/data/vulnloc/libxml2/CVE-2016-1838/analysis/values/#data#vulnloc#libxml2#CVE-2016-1838#src#parser.c:9836:24.csv",
        "variables": []
      }
    ]
ChrisTimperley commented 1 year ago

@rshariffdeen It looks like this is still an issue. Below is an excerpt from the localization.json for tests/program-features/switch-case:

[
  {
    "constraint": "((@var(integer, b) - 6) != 0)",
    "distance": 1,
    "location": "/CrashRepair/tests/program-features/switch-case/src/test.c:19:5",
    "values-file": "/CrashRepair/tests/program-features/switch-case/analysis/values/#CrashRepair#tests#program-features#switch-case#src#test.c:21:13.csv",
    "variables": []
  },
  {
    "constraint": "((@var(integer, b) - 6) != 0)",
    "distance": 5,
    "location": "/CrashRepair/tests/program-features/switch-case/src/test.c:19:5",
    "values-file": "/CrashRepair/tests/program-features/switch-case/analysis/values/#CrashRepair#tests#program-features#switch-case#src#test.c:20:9.csv",
    "variables": [
      {
        "column": 13,
        "line": 20,
        "name": "a",
        "type": "integer"
      }
    ]
  }
]

Notice that we have two entries for the same location but those entries have conflicting distances and variable information. The value files for each of them also look wrong.
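
As an added example (not part of this issue thread or of the CrashRepair code base), here is a small Python checker that flags the two symptoms described above: the same `location` reported more than once with conflicting `distance`/`variables`/`constraint` fields, and a `values-file` whose `#`-mangled name does not encode the location it is attached to. It assumes the file-naming convention visible in the excerpts (path separators replaced by `#`, `.csv` appended) and runs on a constructed copy of the two switch-case entries; the function and variable names are mine, not the project's.

```python
import json
import sys
from collections import defaultdict

# Constructed sample with the shape of the localization.json excerpt above
# (two entries for test.c:19:5). Embedded test data, not the repository's file.
SAMPLE_LOCALIZATION = """
[
  {"constraint": "((@var(integer, b) - 6) != 0)", "distance": 1,
   "location": "/CrashRepair/tests/program-features/switch-case/src/test.c:19:5",
   "values-file": "/CrashRepair/tests/program-features/switch-case/analysis/values/#CrashRepair#tests#program-features#switch-case#src#test.c:21:13.csv",
   "variables": []},
  {"constraint": "((@var(integer, b) - 6) != 0)", "distance": 5,
   "location": "/CrashRepair/tests/program-features/switch-case/src/test.c:19:5",
   "values-file": "/CrashRepair/tests/program-features/switch-case/analysis/values/#CrashRepair#tests#program-features#switch-case#src#test.c:20:9.csv",
   "variables": [{"column": 13, "line": 20, "name": "a", "type": "integer"}]}
]
"""


def load_entries(doc):
    """Accept either the bare list of localization.json or the object form of
    report.json, which keeps the list under the "fix-locations" key."""
    if isinstance(doc, dict):
        return doc["fix-locations"]
    return doc


def location_from_values_file(values_file):
    """Recover the 'path:line:col' a values-file name was derived from.

    Assumption: the analysis names value files by replacing '/' in the source
    location with '#' and appending '.csv', as the excerpts in this issue show.
    """
    name = values_file.rsplit("/", 1)[-1]
    if name.endswith(".csv"):
        name = name[:-4]
    return name.replace("#", "/")


def check_fix_locations(entries):
    """Return a list of (location, problem) pairs for duplicate or inconsistent
    fix-location entries. An empty list means the report is clean."""
    problems = []
    by_location = defaultdict(list)
    for entry in entries:
        by_location[entry["location"]].append(entry)
        derived = location_from_values_file(entry["values-file"])
        if derived != entry["location"]:
            problems.append((entry["location"], "values-file encodes " + derived))
    for loc, group in by_location.items():
        if len(group) < 2:
            continue
        problems.append((loc, "reported %d times" % len(group)))
        # A missing field (e.g. no "distance" in report.json) compares as None,
        # so entries that all lack it are not reported as conflicting.
        for field in ("constraint", "distance", "variables"):
            seen = {json.dumps(e.get(field), sort_keys=True) for e in group}
            if len(seen) > 1:
                problems.append((loc, "conflicting %r across duplicates" % field))
    return problems


if __name__ == "__main__":
    # Usage: python check_fix_locations.py [report.json | localization.json]
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            doc = json.load(fh)
    else:
        doc = json.loads(SAMPLE_LOCALIZATION)
    for loc, problem in check_fix_locations(load_entries(doc)):
        print("%s: %s" % (loc, problem))
```

Run against the constructed sample it reports the two mismatched value files (21:13 and 20:9 against location 19:5), the duplicate location, and the conflicting `distance` and `variables` fields; the shared constraint is not flagged.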

rshariffdeen commented 1 year ago

I am not able to reproduce this. Which commit was used for this, @ChrisTimperley? Actually, I don't see any location on line 19 being localized after commit 9b2d69f.