Hi Richard, all,

It's so nice of you to help out. Now we understand better what we should do
to reduce the number of false positives. Thanks a lot.

I'm sorry to bother you again. But it would be great if you could provide
some feedback on the new error trace returned by our tool.

Basically, the error trace indicates that `sqlite3SrcListAppend` can return
a null pointer in the presence of OOM and this return value can
propagate to somewhere in the program, resulting in a null pointer
dereference. For instance, `targetSrcList` calls `sqlite3SrcListAppend` and
returns a null pointer if its callee does it, too. `codeTriggerProgram`
calls `sqlite3Insert` with a call expression to `targetSrcList` as its
second argument, which can be a null pointer following the deduction
before. Finally, its second argument `pTabList` gets dereferenced without a
null test.

I tried to do a dummy experiment by setting the return value of
`sqlite3DbMallocRawNN` inside `sqlite3SrcListAppend` to null and running the
regression tests. A number of them failed with a segmentation fault. I don't
know if this experiment is meaningful or not.

Please let me know if it makes sense. Thanks for your time and I am looking
forward to your reply.

Shaobo
Richard Hipp <[email protected]> wrote on Tue, Jan 31, 2017 at 9:41 PM:

> On 1/31/17, Shaobo He <[email protected]> wrote:
> > Hi there,
> >
> > My name is Shaobo He and I am a graduate student at University of Utah. I
> > am applying a couple of static analysis tools to C projects. The tools I
> > am using report a few partial error traces about null pointer
> > dereferences. I was wondering if you could help me to identify whether
> > they (described below) were true bugs or just false positives. Your
> > feedback is really appreciated.
>
> They are both false-positives.
>
> >
> > 1) In function `statGet`, `sqlite3_value_blob` can return a null pointer.
> > One possible case is that `ExpandBlob(p)` returns `SQLITE_OK` and the
> > condition expression `p->n ? p->z : 0;` evaluates to null given `p->n ==
> > 0`. I tried to figure out if `p->n` can be 0 by adding an assertion
> > before the call site to `sqlite3_value_blob` and running all regression
> > tests. It seems it cannot be for these test cases. My question is that if
> > the case described above can happen. Moreover, function `statPush` has a
> > similar error trace.
>
> The first parameter to statGet() and statPush() will always be a
> sizeof(void*)-byte blob that is in fact a pointer to an object.  So
> sqlite3_value_blob() will never return NULL there.
>
> >
> > 2) In function `walCleanupHash`, `aHash` is initialized to null and is
> > probably updated by function `walHashGet`. However, the update may not
> > happen if `walIndexPage` returns a status not equal to `SQLITE_OK`. So
> > `aHash` remains null and got dereferenced.
>
> In walCleanupHash(), the pages of the -shm file that contains the hash
> have already been allocated and initialized - otherwise
> walCleanupHash() would have never been called.  But if the -shm file
> has already been allocated and initialized, then there is no way for
> walHashGet() to fail and leave aHash uninitialized.
>
> --
> D. Richard Hipp
> [email protected]
> _______________________________________________
> sqlite-users mailing list
> [email protected]
> http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users
>
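The OOM-propagation chain and the "dummy experiment" discussed above, as an added illustration that is not SQLite's code: `db_malloc`, `src_list_append`, `target_src_list` and `insert_into` are hypothetical stand-ins for `sqlite3DbMallocRawNN`, `sqlite3SrcListAppend`, `targetSrcList` and the `pTabList` consumer, and the `g_malloc_failed` flag is an assumed analogue of a database-wide allocation-failure flag that later code consults before dereferencing results.

```c
#include <stdlib.h>

/* Constructed stand-in for SrcList: a fixed-capacity list of table names. */
typedef struct SrcList { int nSrc; const char *zName[4]; } SrcList;

/* Fault-injection knobs for the experiment: when g_fail_next_alloc > 0 the
 * next allocation fails, simulating OOM; g_malloc_failed records that an OOM
 * has happened (assumed analogue of a db->mallocFailed-style flag). */
static int g_fail_next_alloc = 0;
static int g_malloc_failed = 0;

/* Stand-in for sqlite3DbMallocRawNN: returns NULL when a fault is injected. */
static void *db_malloc(size_t n) {
    if (g_fail_next_alloc > 0) { g_fail_next_alloc--; g_malloc_failed = 1; return NULL; }
    return calloc(1, n);
}

/* Stand-in for sqlite3SrcListAppend: propagates OOM as a NULL return. */
static SrcList *src_list_append(SrcList *pList, const char *zName) {
    if (pList == NULL) {
        pList = db_malloc(sizeof(*pList));
        if (pList == NULL) return NULL;          /* OOM: caller receives NULL */
    }
    if (pList->nSrc < 4) pList->zName[pList->nSrc++] = zName;
    return pList;
}

/* Stand-in for targetSrcList: forwards whatever the callee returned. */
static SrcList *target_src_list(const char *zTab) {
    return src_list_append(NULL, zTab);
}

/* Stand-in for the pTabList consumer. Returns 1 when it could proceed and
 * 0 when it bailed out; the bail-out test is what separates a real null
 * dereference from a false positive in the trace. */
static int insert_into(SrcList *pTabList) {
    if (g_malloc_failed || pTabList == NULL) return 0;   /* do not touch pTabList */
    return pTabList->nSrc > 0 ? 1 : 0;
}

/* The experiment: run the chain with or without an injected OOM and report
 * whether the consumer proceeded (1) or bailed out safely (0). */
int run_chain(int inject_oom) {
    g_fail_next_alloc = inject_oom ? 1 : 0;
    g_malloc_failed = 0;
    SrcList *p = target_src_list("t1");
    int rc = insert_into(p);
    free(p);                                   /* free(NULL) is a no-op */
    return rc;
}
```

Removing the guard in `insert_into` and running `run_chain(1)` reproduces the segmentation fault the experiment above observed, which is the behaviour to look for when deciding whether a reported trace is a true bug.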