prosyslab / DAFL-artifact


Error while running SPARROW on tiffsplit (libtiff-4.0.6) #12

Closed Siyuan-Li201 closed 3 months ago

Siyuan-Li201 commented 3 months ago

Thank you for open-sourcing such meaningful work. However, I met an error when using DAFL to test libtiff for CVE-2016-10095. I followed the README to perform smake analysis, but an error occurred at the Sparrow step. The error message is as follows:

Fatal error: exception Failure ("Error: target not found")

But I set the target line in /benchmark/target/tiffsplit/2016-10095:

tif_dir.c:1056

I dynamically debugged run_sparrow.py and ensured that the executed cmd was as follows (including the target line):

(Pdb) p cmd
['/sparrow/bin/sparrow', '-outdir', '/benchmark/tmp/tiffsplit', '-frontend', 'cli', '-unsound_alloc', '-unsound_const_string', '-unsound_recursion', '-unsound_noreturn_function', '-unsound_skip_global_array_init', '1000', '-skip_main_analysis', '-cut_cyclic_call', '-unwrap_alloc', '-entry_point', 'main', '-max_pre_iter', '10', '-slice', '2016-10095=tif_dir.c:1056', '/benchmark/smake-out/tiffsplit/1c.tif_predict.o.i', '/benchmark/smake-out/tiffsplit/01.tif_aux.o.i', '/benchmark/smake-out/tiffsplit/24.tif_version.o.i', '/benchmark/smake-out/tiffsplit/1b.tif_pixarlog.o.i', '/benchmark/smake-out/tiffsplit/10.tif_getimage.o.i', '/benchmark/smake-out/tiffsplit/21.tif_thunder.o.i', '/benchmark/smake-out/tiffsplit/0c.tif_extension.o.i', '/benchmark/smake-out/tiffsplit/1d.tif_print.o.i', '/benchmark/smake-out/tiffsplit/13.tif_jpeg_12.o.i', '/benchmark/smake-out/tiffsplit/14.tif_luv.o.i', '/benchmark/smake-out/tiffsplit/02.tif_close.o.i', '/benchmark/smake-out/tiffsplit/0d.tif_fax3.o.i', '/benchmark/smake-out/tiffsplit/06.tif_dir.o.i', '/benchmark/smake-out/tiffsplit/04.tif_color.o.i', '/benchmark/smake-out/tiffsplit/23.tif_unix.o.i', '/benchmark/smake-out/tiffsplit/27.tif_zip.o.i', '/benchmark/smake-out/tiffsplit/03.tif_codec.o.i', '/benchmark/smake-out/tiffsplit/0f.tif_flush.o.i', '/benchmark/smake-out/tiffsplit/0e.tif_fax3sm.o.i', '/benchmark/smake-out/tiffsplit/25.tif_warning.o.i', '/benchmark/smake-out/tiffsplit/09.tif_dirwrite.o.i', '/benchmark/smake-out/tiffsplit/05.tif_compress.o.i', '/benchmark/smake-out/tiffsplit/17.tif_next.o.i', '/benchmark/smake-out/tiffsplit/00.tiffsplit.o.i', '/benchmark/smake-out/tiffsplit/08.tif_dirread.o.i', '/benchmark/smake-out/tiffsplit/19.tif_open.o.i', '/benchmark/smake-out/tiffsplit/1a.tif_packbits.o.i', '/benchmark/smake-out/tiffsplit/16.tif_lzw.o.i', '/benchmark/smake-out/tiffsplit/0a.tif_dumpmode.o.i', '/benchmark/smake-out/tiffsplit/11.tif_jbig.o.i', '/benchmark/smake-out/tiffsplit/1e.tif_read.o.i', '/benchmark/smake-out/tiffsplit/28.dummy.o.i', '/benchmark/smake-out/tiffsplit/15.tif_lzma.o.i', '/benchmark/smake-out/tiffsplit/07.tif_dirinfo.o.i', '/benchmark/smake-out/tiffsplit/0b.tif_error.o.i', '/benchmark/smake-out/tiffsplit/1f.tif_strip.o.i', '/benchmark/smake-out/tiffsplit/18.tif_ojpeg.o.i', '/benchmark/smake-out/tiffsplit/26.tif_write.o.i', '/benchmark/smake-out/tiffsplit/22.tif_tile.o.i', '/benchmark/smake-out/tiffsplit/12.tif_jpeg.o.i', '/benchmark/smake-out/tiffsplit/20.tif_swab.o.i']

The complete error message is as follows:

# python3 run_sparrow.py tiffsplit naive
/benchmark/smake-out/tiffsplit/20.tif_swab.o.i /benchmark/smake-out/tiffsplit/12.tif_jpeg.o.i /benchmark/smake-out/tiffsplit/22.tif_tile.o.i /benchmark/smake-out/tiffsplit/26.tif_write.o.i /benchmark/smake-out/tiffsplit/18.tif_ojpeg.o.i /benchmark/smake-out/tiffsplit/1f.tif_strip.o.i /benchmark/smake-out/tiffsplit/0b.tif_error.o.i /benchmark/smake-out/tiffsplit/07.tif_dirinfo.o.i /benchmark/smake-out/tiffsplit/15.tif_lzma.o.i /benchmark/smake-out/tiffsplit/28.dummy.o.i /benchmark/smake-out/tiffsplit/1e.tif_read.o.i /benchmark/smake-out/tiffsplit/11.tif_jbig.o.i /benchmark/smake-out/tiffsplit/0a.tif_dumpmode.o.i /benchmark/smake-out/tiffsplit/16.tif_lzw.o.i /benchmark/smake-out/tiffsplit/1a.tif_packbits.o.i /benchmark/smake-out/tiffsplit/19.tif_open.o.i /benchmark/smake-out/tiffsplit/08.tif_dirread.o.i /benchmark/smake-out/tiffsplit/00.tiffsplit.o.i /benchmark/smake-out/tiffsplit/17.tif_next.o.i /benchmark/smake-out/tiffsplit/05.tif_compress.o.i /benchmark/smake-out/tiffsplit/09.tif_dirwrite.o.i /benchmark/smake-out/tiffsplit/25.tif_warning.o.i /benchmark/smake-out/tiffsplit/0e.tif_fax3sm.o.i /benchmark/smake-out/tiffsplit/0f.tif_flush.o.i /benchmark/smake-out/tiffsplit/03.tif_codec.o.i /benchmark/smake-out/tiffsplit/27.tif_zip.o.i /benchmark/smake-out/tiffsplit/23.tif_unix.o.i /benchmark/smake-out/tiffsplit/04.tif_color.o.i /benchmark/smake-out/tiffsplit/06.tif_dir.o.i /benchmark/smake-out/tiffsplit/0d.tif_fax3.o.i /benchmark/smake-out/tiffsplit/02.tif_close.o.i /benchmark/smake-out/tiffsplit/14.tif_luv.o.i /benchmark/smake-out/tiffsplit/13.tif_jpeg_12.o.i /benchmark/smake-out/tiffsplit/1d.tif_print.o.i /benchmark/smake-out/tiffsplit/0c.tif_extension.o.i /benchmark/smake-out/tiffsplit/21.tif_thunder.o.i /benchmark/smake-out/tiffsplit/10.tif_getimage.o.i /benchmark/smake-out/tiffsplit/1b.tif_pixarlog.o.i /benchmark/smake-out/tiffsplit/24.tif_version.o.i /benchmark/smake-out/tiffsplit/01.tif_aux.o.i /benchmark/smake-out/tiffsplit/1c.tif_predict.o.i

--------------------------------------------------------------------------------
Front-end begins...
--------------------------------------------------------------------------------

Front-end completes: 0.788687
'void*' returning functions: [TIFFClientdata;TIFFGetClientInfo;TIFFSetClientdata;_TIFFCheckMalloc;_TIFFCheckRealloc;_TIFFmalloc;_TIFFrealloc;td_lfind]
'void*' returning fields: []
Unwrapped functions: []
Unwrapped fields: []

--------------------------------------------------------------------------------
Graph construction begins...
--------------------------------------------------------------------------------
WARN: too large global array initialization (4096) @ tif_fax3sm.c:20
WARN: too large global array initialization (8192) @ tif_fax3sm.c:432

#nodes all    : 44132
#unreachable  : 770

Graph construction completes: 0.941140

--------------------------------------------------------------------------------
Pre-processing begins...
--------------------------------------------------------------------------------
#functions all  : 620
#referred       : 444
{ChopUpSingleUncompressedStrip,DumpFixupTags,DumpModeDecode,DumpModeEncode,DumpModeSeek,EstimateStripByteCounts,Fax3BadLength,Fax3Cleanup,Fax3Close,Fax3Decode1D,Fax3Decode2D,Fax3DecodeRLE,Fax3Encode,Fax3Encode1DRow,Fax3Encode2DRow,Fax3Extension,Fax3FixupTags,Fax3PostEncode,Fax3PreDecode,Fax3PreEncode,Fax3PrematureEOF,Fax3PrintDir,Fax3PutBits,Fax3PutEOL,Fax3SetupState,Fax3Unexpected,Fax3VGetField,Fax3VSetField,Fax4Decode,Fax4Encode,Fax4PostEncode,InitCCITTFax3,L16fromY,L16toGry,L16toY,LZWCleanup,LZWDecode,LZWDecodeCompat,LZWEncode,LZWFixupTags,LZWPostEncode,LZWPreDecode,LZWPreEncode,LZWSetupDecode,LZWSetupEncode,LogL10fromY,LogL10toY,LogL16Decode,LogL16Encode,LogL16GuessDataFmt,LogL16InitState,LogL16fromY,LogL16toY,LogLuv24fromXYZ,LogLuv24toXYZ,LogLuv32fromXYZ,LogLuv32toXYZ,LogLuvCleanup,LogLuvClose,LogLuvDecode24,LogLuvDecode32,LogLuvDecodeStrip,LogLuvDecodeTile,LogLuvEncode24,LogLuvEncode32,LogLuvEncodeStrip,LogLuvEncodeTile,LogLuvFixupTags,LogLuvGuessDataFmt,LogLuvInitState,LogLuvSetupDecode,LogLuvSetupEncode,LogLuvVGetField,LogLuvVSetField,Luv24fromLuv48,Luv24fromXYZ,Luv24toLuv48,Luv24toRGB,Luv24toXYZ,Luv32fromLuv48,Luv32fromXYZ,Luv32toLuv48,Luv32toRGB,Luv32toXYZ,MissingRequired,NeXTDecode,NeXTPreDecode,NotConfigured,OkToChangeTag,PackBitsDecode,PackBitsEncode,PackBitsEncodeChunk,PackBitsPostEncode,PackBitsPreEncode,PixarLogCleanup,PixarLogClose,PixarLogDecode,PixarLogEncode,PixarLogFixupTags,PixarLogGuessDataFmt,PixarLogMakeTables,PixarLogPostEncode,PixarLogPreDecode,PixarLogPreEncode,PixarLogSetupDecode,PixarLogSetupEncode,PixarLogVGetField,PixarLogVSetField,PredictorDecodeRow,PredictorDecodeTile,PredictorEncodeRow,PredictorEncodeTile,PredictorPrintDir,PredictorSetup,PredictorSetupDecode,PredictorSetupEncode,PredictorVGetField,PredictorVSetField,TIFFAppendToStrip,TIFFCheckDirOffset,TIFFCheckRead,TIFFCleanup,TIFFClientOpen,TIFFClose,TIFFCreateDirectory,TIFFDataWidth,TIFFDefaultDirectory,TIFFDefaultRefBlackWhite,TIFFDefaultTransferFunction,TIFFErrorExt,TIFFFdOpen
,TIFFFetchDirectory,TIFFFetchNormalTag,TIFFFetchStripThing,TIFFFieldWithTag,TIFFFindCODEC,TIFFFindField,TIFFFlush,TIFFFlushData,TIFFFlushData1,TIFFFreeDirectory,TIFFGetBitRevTable,TIFFGetField,TIFFGetFieldDefaulted,TIFFGetVersion,TIFFGrowStrips,TIFFInitCCITTFax3,TIFFInitCCITTFax4,TIFFInitCCITTRLE,TIFFInitCCITTRLEW,TIFFInitDumpMode,TIFFInitLZW,TIFFInitNeXT,TIFFInitPackBits,TIFFInitPixarLog,TIFFInitSGILog,TIFFInitThunderScan,TIFFInitZIP,TIFFIsBigEndian,TIFFIsTiled,TIFFLinkDirectory,TIFFNoDecode,TIFFNoEncode,TIFFNumberOfStrips,TIFFNumberOfTiles,TIFFOpen,TIFFPredictorCleanup,TIFFPredictorInit,TIFFReadDirEntryArray,TIFFReadDirEntryByte,TIFFReadDirEntryByteArray,TIFFReadDirEntryCheckRangeByteLong,TIFFReadDirEntryCheckRangeByteLong8,TIFFReadDirEntryCheckRangeByteSbyte,TIFFReadDirEntryCheckRangeByteShort,TIFFReadDirEntryCheckRangeByteSlong,TIFFReadDirEntryCheckRangeByteSlong8,TIFFReadDirEntryCheckRangeByteSshort,TIFFReadDirEntryCheckRangeLong8Sbyte,TIFFReadDirEntryCheckRangeLong8Slong,TIFFReadDirEntryCheckRangeLong8Slong8,TIFFReadDirEntryCheckRangeLong8Sshort,TIFFReadDirEntryCheckRangeLongLong8,TIFFReadDirEntryCheckRangeLongSbyte,TIFFReadDirEntryCheckRangeLongSlong,TIFFReadDirEntryCheckRangeLongSlong8,TIFFReadDirEntryCheckRangeLongSshort,TIFFReadDirEntryCheckRangeSbyteByte,TIFFReadDirEntryCheckRangeSbyteLong,TIFFReadDirEntryCheckRangeSbyteLong8,TIFFReadDirEntryCheckRangeSbyteShort,TIFFReadDirEntryCheckRangeSbyteSlong,TIFFReadDirEntryCheckRangeSbyteSlong8,TIFFReadDirEntryCheckRangeSbyteSshort,TIFFReadDirEntryCheckRangeShortLong,TIFFReadDirEntryCheckRangeShortLong8,TIFFReadDirEntryCheckRangeShortSbyte,TIFFReadDirEntryCheckRangeShortSlong,TIFFReadDirEntryCheckRangeShortSlong8,TIFFReadDirEntryCheckRangeShortSshort,TIFFReadDirEntryCheckRangeSlong8Long8,TIFFReadDirEntryCheckRangeSlongLong,TIFFReadDirEntryCheckRangeSlongLong8,TIFFReadDirEntryCheckRangeSlongSlong8,TIFFReadDirEntryCheckRangeSshortLong,TIFFReadDirEntryCheckRangeSshortLong8,TIFFReadDirEntryCheckRangeSshortShort,TIFFRe
adDirEntryCheckRangeSshortSlong,TIFFReadDirEntryCheckRangeSshortSlong8,TIFFReadDirEntryCheckedByte,TIFFReadDirEntryCheckedDouble,TIFFReadDirEntryCheckedFloat,TIFFReadDirEntryCheckedLong,TIFFReadDirEntryCheckedLong8,TIFFReadDirEntryCheckedRational,TIFFReadDirEntryCheckedSbyte,TIFFReadDirEntryCheckedShort,TIFFReadDirEntryCheckedSlong,TIFFReadDirEntryCheckedSlong8,TIFFReadDirEntryCheckedSrational,TIFFReadDirEntryCheckedSshort,TIFFReadDirEntryData,TIFFReadDirEntryDouble,TIFFReadDirEntryDoubleArray,TIFFReadDirEntryFloat,TIFFReadDirEntryFloatArray,TIFFReadDirEntryIfd8,TIFFReadDirEntryIfd8Array,TIFFReadDirEntryLong,TIFFReadDirEntryLong8,TIFFReadDirEntryLong8Array,TIFFReadDirEntryLongArray,TIFFReadDirEntryOutputErr,TIFFReadDirEntryPersampleShort,TIFFReadDirEntrySbyteArray,TIFFReadDirEntryShort,TIFFReadDirEntryShortArray,TIFFReadDirEntrySlong8Array,TIFFReadDirEntrySlongArray,TIFFReadDirEntrySshortArray,TIFFReadDirectory,TIFFReadDirectoryCheckOrder,TIFFReadDirectoryFindEntry,TIFFReadDirectoryFindFieldInfo,TIFFReadRawStrip,TIFFReadRawStrip1,TIFFReadRawTile,TIFFReadRawTile1,TIFFReadUInt64,TIFFReverseBits,TIFFRewriteDirectory,TIFFScanlineSize,TIFFScanlineSize64,TIFFSetCompressionScheme,TIFFSetField,TIFFSetupStrips,TIFFStripSize,TIFFStripSize64,TIFFSwabArrayOfDouble,TIFFSwabArrayOfFloat,TIFFSwabArrayOfLong,TIFFSwabArrayOfLong8,TIFFSwabArrayOfShort,TIFFSwabArrayOfTriples,TIFFSwabLong,TIFFSwabLong8,TIFFSwabShort,TIFFTileRowSize,TIFFTileRowSize64,TIFFTileSize,TIFFTileSize64,TIFFVGetField,TIFFVGetFieldDefaulted,TIFFVSetField,TIFFVStripSize64,TIFFVTileSize64,TIFFWarningExt,TIFFWriteCheck,TIFFWriteDirectory,TIFFWriteDirectorySec,TIFFWriteDirectoryTagAscii,TIFFWriteDirectoryTagByteArray,TIFFWriteDirectoryTagCheckedAscii,TIFFWriteDirectoryTagCheckedByteArray,TIFFWriteDirectoryTagCheckedDoubleArray,TIFFWriteDirectoryTagCheckedFloatArray,TIFFWriteDirectoryTagCheckedIfd8Array,TIFFWriteDirectoryTagCheckedIfdArray,TIFFWriteDirectoryTagCheckedLong,TIFFWriteDirectoryTagCheckedLong8Array,TIFFWri
teDirectoryTagCheckedLongArray,TIFFWriteDirectoryTagCheckedRational,TIFFWriteDirectoryTagCheckedRationalArray,TIFFWriteDirectoryTagCheckedSbyteArray,TIFFWriteDirectoryTagCheckedShort,TIFFWriteDirectoryTagCheckedShortArray,TIFFWriteDirectoryTagCheckedSlong8Array,TIFFWriteDirectoryTagCheckedSlongArray,TIFFWriteDirectoryTagCheckedSrationalArray,TIFFWriteDirectoryTagCheckedSshortArray,TIFFWriteDirectoryTagCheckedUndefinedArray,TIFFWriteDirectoryTagColormap,TIFFWriteDirectoryTagData,TIFFWriteDirectoryTagDoubleArray,TIFFWriteDirectoryTagFloatArray,TIFFWriteDirectoryTagIfdArray,TIFFWriteDirectoryTagIfdIfd8Array,TIFFWriteDirectoryTagLong,TIFFWriteDirectoryTagLong8Array,TIFFWriteDirectoryTagLongArray,TIFFWriteDirectoryTagLongLong8Array,TIFFWriteDirectoryTagRational,TIFFWriteDirectoryTagRationalArray,TIFFWriteDirectoryTagSampleformatArray,TIFFWriteDirectoryTagSbyteArray,TIFFWriteDirectoryTagShort,TIFFWriteDirectoryTagShortArray,TIFFWriteDirectoryTagShortLong,TIFFWriteDirectoryTagShortPerSample,TIFFWriteDirectoryTagSlong8Array,TIFFWriteDirectoryTagSlongArray,TIFFWriteDirectoryTagSrationalArray,TIFFWriteDirectoryTagSshortArray,TIFFWriteDirectoryTagSubifd,TIFFWriteDirectoryTagTransferfunction,TIFFWriteDirectoryTagUndefinedArray,TIFFWriteRawStrip,TIFFWriteRawTile,ThunderDecode,ThunderDecodeRow,ThunderSetupDecode,XYZtoRGB24,ZIPCleanup,ZIPDecode,ZIPEncode,ZIPFixupTags,ZIPPostEncode,ZIPPreDecode,ZIPPreEncode,ZIPSetupDecode,ZIPSetupEncode,ZIPVGetField,ZIPVSetField,_G_,_TIFFCheckMalloc,_TIFFCheckRealloc,_TIFFCreateAnonField,_TIFFDataSize,_TIFFDefaultStripSize,_TIFFDefaultTileSize,_TIFFFax3fillruns,_TIFFFillStriles,_TIFFGetFields,_TIFFMergeFields,_TIFFMultiply32,_TIFFMultiply64,_TIFFNoFixupTags,_TIFFNoPostDecode,_TIFFNoPreCode,_TIFFNoRowDecode,_TIFFNoRowEncode,_TIFFNoSeek,_TIFFNoStripDecode,_TIFFNoStripEncode,_TIFFNoTileDecode,_TIFFNoTileEncode,_TIFFRewriteField,_TIFFSetDefaultCompressionState,_TIFFSetupFields,_TIFFSwab16BitData,_TIFFSwab24BitData,_TIFFSwab32BitData,_TIFFSwab64BitData,
_TIFFVGetField,_TIFFVSetField,_TIFFfree,_TIFFgetMode,_TIFFmalloc,_TIFFmemcmp,_TIFFmemcpy,_TIFFmemset,_TIFFrealloc,_TIFFsetDoubleArray,_TIFFsetFloatArray,_TIFFsetLong8Array,_TIFFsetNString,_TIFFsetShortArray,_TIFFtrue,_TIFFvoid,_logLuvNop,_notConfigured,_tiffCloseProc,_tiffDummyMapProc,_tiffDummyUnmapProc,_tiffMapProc,_tiffReadProc,_tiffSeekProc,_tiffSizeProc,_tiffUnmapProc,_tiffWriteProc,add_ms,checkInkNamesString,cl_hash,codeLoop,cpStrips,cpTiles,find0span,find1span,fpAcc,fpDiff,horAcc16,horAcc32,horAcc8,horDiff16,horDiff32,horDiff8,horizontalAccumulate11,horizontalAccumulate12,horizontalAccumulate16,horizontalAccumulate8,horizontalAccumulate8abgr,horizontalAccumulateF,horizontalDifference16,horizontalDifference8,horizontalDifferenceF,main,multiply_ms,multiply_ms___0,newfilename,oog_encode,putspan,setByteArray,setDoubleArrayOneValue,setExtraSamples,swabHorAcc16,swabHorAcc32,swabHorDiff16,swabHorDiff32,tagCompare,tiffcp,unixErrorHandler,unixWarningHandler,uv_decode,uv_encode}
#unreferred     : 176
{BuildMapBitdepth16To8,BuildMapUaToAa,CheckDirCount,PickContigCase,PickSeparateCase,TIFFAccessTagMethods,TIFFAdvanceDirectory,TIFFCIELabToRGBInit,TIFFCIELabToXYZ,TIFFCheckTile,TIFFCheckpointDirectory,TIFFClientdata,TIFFComputeStrip,TIFFComputeTile,TIFFCreateCustomDirectory,TIFFCreateEXIFDirectory,TIFFCurrentDirOffset,TIFFCurrentDirectory,TIFFCurrentRow,TIFFCurrentStrip,TIFFCurrentTile,TIFFDefaultStripSize,TIFFDefaultTileSize,TIFFError,TIFFFetchSubjectDistance,TIFFFieldDataType,TIFFFieldName,TIFFFieldPassCount,TIFFFieldReadCount,TIFFFieldTag,TIFFFieldWithName,TIFFFieldWriteCount,TIFFFileName,TIFFFileno,TIFFFillStrip,TIFFFillStripPartial,TIFFFillTile,TIFFGetClientInfo,TIFFGetCloseProc,TIFFGetConfiguredCODECs,TIFFGetMapFileProc,TIFFGetMode,TIFFGetReadProc,TIFFGetSeekProc,TIFFGetSizeProc,TIFFGetTagListCount,TIFFGetTagListEntry,TIFFGetUnmapFileProc,TIFFGetWriteProc,TIFFIsByteSwapped,TIFFIsCODECConfigured,TIFFIsMSB2LSB,TIFFIsUpSampled,TIFFLastDirectory,TIFFMergeFieldInfo,TIFFNumberOfDirectories,TIFFPrintDirectory,TIFFRGBAImageBegin,TIFFRGBAImageEnd,TIFFRGBAImageGet,TIFFRGBAImageOK,TIFFRasterScanlineSize,TIFFRasterScanlineSize64,TIFFRawStripSize,TIFFRawStripSize64,TIFFReadBufferSetup,TIFFReadCustomDirectory,TIFFReadEXIFDirectory,TIFFReadEncodedStrip,TIFFReadEncodedTile,TIFFReadRGBAImage,TIFFReadRGBAImageOriented,TIFFReadRGBAStrip,TIFFReadRGBATile,TIFFReadScanline,TIFFReadTile,TIFFRegisterCODEC,TIFFSeek,TIFFSetClientInfo,TIFFSetClientdata,TIFFSetDirectory,TIFFSetErrorHandler,TIFFSetErrorHandlerExt,TIFFSetFileName,TIFFSetFileno,TIFFSetMode,TIFFSetSubDirectory,TIFFSetTagExtender,TIFFSetWarningHandler,TIFFSetWarningHandlerExt,TIFFSetWriteOffset,TIFFStartStrip,TIFFStartTile,TIFFSwabDouble,TIFFSwabFloat,TIFFUnRegisterCODEC,TIFFUnlinkDirectory,TIFFUnsetField,TIFFVStripSize,TIFFVTileSize,TIFFWarning,TIFFWriteBufferSetup,TIFFWriteCustomDirectory,TIFFWriteEncodedStrip,TIFFWriteEncodedTile,TIFFWriteScanline,TIFFWriteTile,TIFFXYZToRGB,TIFFYCbCrToRGBInit,TIFFYCbCrtoRGB,_TIFFFindFieldBy
Name,_TIFFFindOrRegisterField,_TIFFGetExifFields,_TIFFPrettyPrintField,_TIFFPrintField,_TIFFPrintFieldInfo,_TIFFSetGetType,_TIFFUInt64ToDouble,_TIFFUInt64ToFloat,_TIFFprintAscii,_TIFFprintAsciiBounded,_TIFFprintAsciiTag,_TIFFsetByteArray,_TIFFsetLongArray,_TIFFsetString,buildMap,checkcmap,cvtcmap,gtStripContig,gtStripSeparate,gtTileContig,gtTileSeparate,initCIELabConversion,initYCbCrConversion,isCCITTCompression,libport_dummy_function,makebwmap,makecmap,put16bitbwtile,put1bitbwtile,put1bitcmaptile,put2bitbwtile,put2bitcmaptile,put4bitbwtile,put4bitcmaptile,put8bitcmaptile,putCMYKseparate8bittile,putRGBAAcontig16bittile,putRGBAAcontig8bittile,putRGBAAseparate16bittile,putRGBAAseparate8bittile,putRGBUAcontig16bittile,putRGBUAcontig8bittile,putRGBUAseparate16bittile,putRGBUAseparate8bittile,putRGBcontig16bittile,putRGBcontig8bitCMYKMaptile,putRGBcontig8bitCMYKtile,putRGBcontig8bittile,putRGBseparate16bittile,putRGBseparate8bittile,putagreytile,putcontig8bitCIELab,putcontig8bitYCbCr11tile,putcontig8bitYCbCr12tile,putcontig8bitYCbCr21tile,putcontig8bitYCbCr22tile,putcontig8bitYCbCr41tile,putcontig8bitYCbCr42tile,putcontig8bitYCbCr44tile,putgreytile,putseparate8bitYCbCr11tile,setorientation,setupMap,tagNameCompare,td_lfind}
#recursive      : 47
{DumpFixupTags,DumpModeSeek,Fax3FixupTags,Fax3PrintDir,Fax3VGetField,LZWFixupTags,LogLuvClose,LogLuvFixupTags,LogLuvVGetField,Luv32fromLuv48,Luv32toLuv48,NotConfigured,PixarLogClose,PixarLogFixupTags,PixarLogVGetField,PredictorDecodeRow,PredictorDecodeTile,PredictorEncodeRow,PredictorPrintDir,PredictorVGetField,PredictorVSetField,TIFFInitDumpMode,TIFFInitNeXT,TIFFInitPackBits,TIFFInitThunderScan,ZIPFixupTags,ZIPVGetField,_TIFFDefaultTileSize,_TIFFFax3fillruns,_TIFFNoFixupTags,_TIFFNoPostDecode,_TIFFNoPreCode,_TIFFtrue,_TIFFvoid,_logLuvNop,_tiffCloseProc,_tiffDummyMapProc,_tiffDummyUnmapProc,_tiffReadProc,_tiffSeekProc,_tiffUnmapProc,_tiffWriteProc,horAcc8,horDiff8,tagCompare,unixErrorHandler,unixWarningHandler}

Pre-processing completes: 0.091449
To inline : []
Excluded variable-arguments functions : []
Excluded recursive functions : []
Excluded too large functions : []
List of cyclic call edges:

--------------------------------------------------------------------------------
Pre-analysis begins...
--------------------------------------------------------------------------------
iteration : 10#iteration : 10 (unsound)
mem size : 4357

#functions all  : 444
#reachable      : 231
#unreachable    : 213
{DumpFixupTags,DumpModeDecode,DumpModeEncode,DumpModeSeek,Fax3BadLength,Fax3Cleanup,Fax3Close,Fax3Decode1D,Fax3Decode2D,Fax3DecodeRLE,Fax3Encode,Fax3Encode1DRow,Fax3Encode2DRow,Fax3Extension,Fax3FixupTags,Fax3PostEncode,Fax3PreDecode,Fax3PreEncode,Fax3PrematureEOF,Fax3PrintDir,Fax3PutBits,Fax3PutEOL,Fax3SetupState,Fax3Unexpected,Fax3VGetField,Fax3VSetField,Fax4Decode,Fax4Encode,Fax4PostEncode,InitCCITTFax3,L16fromY,L16toGry,L16toY,LZWCleanup,LZWDecode,LZWDecodeCompat,LZWEncode,LZWFixupTags,LZWPostEncode,LZWPreDecode,LZWPreEncode,LZWSetupDecode,LZWSetupEncode,LogL10fromY,LogL10toY,LogL16Decode,LogL16Encode,LogL16GuessDataFmt,LogL16InitState,LogL16fromY,LogL16toY,LogLuv24fromXYZ,LogLuv24toXYZ,LogLuv32fromXYZ,LogLuv32toXYZ,LogLuvCleanup,LogLuvClose,LogLuvDecode24,LogLuvDecode32,LogLuvDecodeStrip,LogLuvDecodeTile,LogLuvEncode24,LogLuvEncode32,LogLuvEncodeStrip,LogLuvEncodeTile,LogLuvFixupTags,LogLuvGuessDataFmt,LogLuvInitState,LogLuvSetupDecode,LogLuvSetupEncode,LogLuvVGetField,LogLuvVSetField,Luv24fromLuv48,Luv24fromXYZ,Luv24toLuv48,Luv24toRGB,Luv24toXYZ,Luv32fromLuv48,Luv32fromXYZ,Luv32toLuv48,Luv32toRGB,Luv32toXYZ,NeXTDecode,NeXTPreDecode,NotConfigured,PackBitsDecode,PackBitsEncode,PackBitsEncodeChunk,PackBitsPostEncode,PackBitsPreEncode,PixarLogCleanup,PixarLogClose,PixarLogDecode,PixarLogEncode,PixarLogFixupTags,PixarLogGuessDataFmt,PixarLogMakeTables,PixarLogPostEncode,PixarLogPreDecode,PixarLogPreEncode,PixarLogSetupDecode,PixarLogSetupEncode,PixarLogVGetField,PixarLogVSetField,PredictorDecodeRow,PredictorDecodeTile,PredictorEncodeRow,PredictorEncodeTile,PredictorPrintDir,PredictorSetup,PredictorSetupDecode,PredictorSetupEncode,PredictorVGetField,PredictorVSetField,TIFFFindCODEC,TIFFGetBitRevTable,TIFFInitCCITTFax3,TIFFInitCCITTFax4,TIFFInitCCITTRLE,TIFFInitCCITTRLEW,TIFFInitDumpMode,TIFFInitLZW,TIFFInitNeXT,TIFFInitPackBits,TIFFInitPixarLog,TIFFInitSGILog,TIFFInitThunderScan,TIFFInitZIP,TIFFNoDecode,TIFFNoEncode,TIFFPredictorCleanup,TIFFPredictorInit,TIFFSetComp
ressionScheme,TIFFSwabArrayOfTriples,TIFFTileRowSize,ThunderDecode,ThunderDecodeRow,ThunderSetupDecode,XYZtoRGB24,ZIPCleanup,ZIPDecode,ZIPEncode,ZIPFixupTags,ZIPPostEncode,ZIPPreDecode,ZIPPreEncode,ZIPSetupDecode,ZIPSetupEncode,ZIPVGetField,ZIPVSetField,_TIFFDataSize,_TIFFDefaultStripSize,_TIFFDefaultTileSize,_TIFFFax3fillruns,_TIFFNoPostDecode,_TIFFNoPreCode,_TIFFNoRowDecode,_TIFFNoRowEncode,_TIFFNoSeek,_TIFFNoStripDecode,_TIFFNoStripEncode,_TIFFNoTileDecode,_TIFFNoTileEncode,_TIFFSwab16BitData,_TIFFSwab24BitData,_TIFFSwab32BitData,_TIFFSwab64BitData,_TIFFVGetField,_TIFFVSetField,_TIFFsetDoubleArray,_TIFFsetFloatArray,_TIFFsetLong8Array,_TIFFsetNString,_TIFFsetShortArray,_logLuvNop,_notConfigured,add_ms,checkInkNamesString,cl_hash,codeLoop,find0span,find1span,fpAcc,fpDiff,horAcc16,horAcc32,horAcc8,horDiff16,horDiff32,horDiff8,horizontalAccumulate11,horizontalAccumulate12,horizontalAccumulate16,horizontalAccumulate8,horizontalAccumulate8abgr,horizontalAccumulateF,horizontalDifference16,horizontalDifference8,horizontalDifferenceF,multiply_ms,multiply_ms___0,oog_encode,putspan,setByteArray,setDoubleArrayOneValue,setExtraSamples,swabHorAcc16,swabHorAcc32,swabHorDiff16,swabHorDiff32,tagCompare,uv_decode,uv_encode}
#recursive      : 0
List of cyclic call edges:

Pre-analysis completes: 1.316622
Fatal error: exception Failure("Error: target not found")
Raised at Stdlib.failwith in file "stdlib.ml", line 29, characters 17-33
Called from SlicingUtils.find_target_node_set in file "src/slicing/slicingUtils.ml", line 71, characters 43-77
Called from SlicingUtils.register_target in file "src/slicing/slicingUtils.ml", line 77, characters 22-58
Called from Stdlib__List.iter in file "list.ml", line 110, characters 12-15
Called from DugSlicer.construct_dug in file "src/slicing/dugSlicer.ml", line 41, characters 2-36
Called from DugSlicer.run in file "src/slicing/dugSlicer.ml", line 301, characters 12-48
Called from Dune__exe__Main.run_slicing in file "src/core/main.ml", line 115, characters 4-24
Called from Dune__exe__Main in file "src/core/main.ml", line 153, characters 8-15
[*] Executing: cp /benchmark/tmp/tiffsplit/2016-10095/slice_func.txt /benchmark/DAFL-input-naive/inst-targ/tiffsplit/2016-10095
[*] Executing: cp /benchmark/tmp/tiffsplit/2016-10095/slice_dfg.txt /benchmark/DAFL-input-naive/dfg/tiffsplit/2016-10095

The SLICE_TARGETS:

'tiffsplit': {
        'frontend':'cli',
        'entry_point':'main',
        'bugs': ['2016-10095']
    },

The output of smake:

/benchmark/smake-out/tiffsplit# ls
00.tiffsplit.o.i  05.tif_compress.o.i  0a.tif_dumpmode.o.i   0f.tif_flush.o.i     14.tif_luv.o.i    19.tif_open.o.i      1e.tif_read.o.i     23.tif_unix.o.i     28.dummy.o.i
01.tif_aux.o.i    06.tif_dir.o.i       0b.tif_error.o.i      10.tif_getimage.o.i  15.tif_lzma.o.i   1a.tif_packbits.o.i  1f.tif_strip.o.i    24.tif_version.o.i
02.tif_close.o.i  07.tif_dirinfo.o.i   0c.tif_extension.o.i  11.tif_jbig.o.i      16.tif_lzw.o.i    1b.tif_pixarlog.o.i  20.tif_swab.o.i     25.tif_warning.o.i
03.tif_codec.o.i  08.tif_dirread.o.i   0d.tif_fax3.o.i       12.tif_jpeg.o.i      17.tif_next.o.i   1c.tif_predict.o.i   21.tif_thunder.o.i  26.tif_write.o.i
04.tif_color.o.i  09.tif_dirwrite.o.i  0e.tif_fax3sm.o.i     13.tif_jpeg_12.o.i   18.tif_ojpeg.o.i  1d.tif_print.o.i     22.tif_tile.o.i     27.tif_zip.o.i

Siyuan-Li201 commented 3 months ago

I have been troubled by this error for a long time. May I ask for your insight on what the issue might be?

goodtaeeun commented 3 months ago

Hi, I am sorry for the inconvenience.

Sparrow converts the given source code into CIL representation before the analysis. Thus, if the CIL interprets the line numbers differently, it may not be visible to the analysis logic. For example, in the CIL representation of the following code, there are no lines 2 and 3, but there is only line 1, where the condition of the if statement begins.

1:  if ( foo() &&
2:       goo() &&
3:       moo() )

If you provide me the +-3 lines of the target line tif_dir.c:1056, I might be able to check if this is the case.

Siyuan-Li201 commented 3 months ago

Thank you very much for your prompt reply. The following is the context of tif_dir.c:1056:

(gdb) list tif_dir.c:1056
1051                        if (fip->field_passcount) {
1052                            if (fip->field_readcount == TIFF_VARIABLE2)
1053                                *va_arg(ap, uint32*) = (uint32)tv->count;
1054                            else  /* Assume TIFF_VARIABLE */
1055                                *va_arg(ap, uint16*) = (uint16)tv->count;
1056                            *va_arg(ap, void **) = tv->value;
1057                            ret_val = 1;
1058                        } else if (fip->field_tag == TIFFTAG_DOTRANGE
1059                               && strcmp(fip->field_name,"DotRange") == 0) {
1060                            /* TODO: This is an evil exception and should not have been

In addition, I debugged the code of sparrow and found that in the comparison with target_node in /sparrow/src/slicing/slicingUtils.ml, the source code lines extracted by static analysis did not include tif_dir.c:1056. It did not even include any code lines between 900-1100. I was going to try using tif_dir.c:824, the starting address of the function where tif_dir.c:1056 is located, which is in the comparison node list of sparrow. The node list is as follows, excluding 1056: nodes_output.txt

goodtaeeun commented 3 months ago

Hmm, that is strange...

In my experience, when Sparrow does not recognize some line, it is either due to CIL representation, or the line residing inside an unreachable function. However, in your case, some lines of the same function are recognized while others are not. I guess giving line tif_dir.c:824 can be an alternative.
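The two explanations above (CIL merging a multi-line statement onto its first line, or the line sitting in a function the analysis never reaches) both end the same way: the requested `file:line` is absent from the node set Sparrow compares the `-slice` target against, and the run aborts with "target not found" only after the front-end and pre-analysis have finished. The pre-flight check below is an added example, not code from DAFL-artifact or Sparrow; it assumes a node dump like the nodes_output.txt mentioned in the thread, with one `file:line` location per line (that format is an assumption), and uses a constructed sample that mirrors the situation here: tif_dir.c:824 present, nothing in the 900-1100 range.

```python
"""Pre-flight check for a Sparrow slice target (added example; not part of the
DAFL-artifact repository or of Sparrow itself).

Given a '<bug-id>=<file>:<line>' target and a dump of the source locations
Sparrow built nodes for, report whether the target will be found and, if not,
the nearest recognized lines in the same file, so a fallback (such as the
first line of the enclosing function, as used in this thread) is chosen
deliberately rather than by trial and error.

Assumption (hypothetical format): the node dump is plain text with one
'file:line' location per line.
"""
import re
from collections import defaultdict

TARGET_RE = re.compile(r"^(?P<bug>[^=]+)=(?P<file>[^:]+):(?P<line>\d+)$")

# Constructed sample node dump (not real Sparrow output). It mimics the
# thread: tif_dir.c:824 is a node, the 900-1100 range is absent.
SAMPLE_NODES = """\
tiffsplit.c:45
tif_dir.c:820
tif_dir.c:824
tif_dir.c:831
tif_dir.c:1120
tif_dir.c:1131
tif_dirread.c:3578
"""


def parse_target(spec):
    """Split '2016-10095=tif_dir.c:1056' into (bug_id, file, line)."""
    m = TARGET_RE.match(spec.strip())
    if not m:
        raise ValueError(f"malformed slice target: {spec!r}")
    return m.group("bug"), m.group("file"), int(m.group("line"))


def parse_nodes(text):
    """Map each file name to the sorted line numbers that have a node."""
    lines = defaultdict(set)
    for raw in text.splitlines():
        raw = raw.strip()
        if not raw or ":" not in raw:
            continue  # skip blank or non-location lines
        fname, _, lineno = raw.rpartition(":")
        if lineno.isdigit():
            lines[fname].add(int(lineno))
    return {f: sorted(ls) for f, ls in lines.items()}


def check_target(spec, nodes_text):
    """Return (found, file, line, nearest_before, nearest_after).

    nearest_before/after are the closest recognized lines in the same file
    (None when the target is found or no such line exists).
    """
    _bug, fname, line = parse_target(spec)
    known = parse_nodes(nodes_text).get(fname, [])
    if line in known:
        return True, fname, line, None, None
    before = max((n for n in known if n < line), default=None)
    after = min((n for n in known if n > line), default=None)
    return False, fname, line, before, after


if __name__ == "__main__":
    import sys

    spec = sys.argv[1] if len(sys.argv) > 1 else "2016-10095=tif_dir.c:1056"
    text = open(sys.argv[2]).read() if len(sys.argv) > 2 else SAMPLE_NODES
    found, fname, line, before, after = check_target(spec, text)
    if found:
        print(f"{fname}:{line} is a recognized node; Sparrow will find it")
    else:
        print(f"{fname}:{line} is not among Sparrow's nodes "
              "(CIL may have merged it, or its function is unreachable)")
        print(f"nearest recognized lines in {fname}: "
              f"before={before}, after={after}")
```

Run it with the real target spec and a node dump as arguments before starting run_sparrow.py; when the target is missing, pick a reported neighbour that still lies inside the intended function.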

Siyuan-Li201 commented 3 months ago

Thanks for your reply. I successfully verified the vulnerability using the alternative line. I will try more to see if this is a common issue. Before that, I will close this issue.