Login | Register For Free | Help
Search for: (Advanced)

Mailing List Archive: Apache: Dev

bugs/inappropriate coding practice discovered by interprocedural code analysis for version 2.2.8 of Apache

  

 
Apache dev RSS feed   Index | Next | Previous | View Threaded


boya.sun at case

May 14, 2008, 11:44 AM

Post #1 of 11 (317 views)
Permalink
bugs/inappropriate coding practice discovered by interprocedural code analysis for version 2.2.8 of Apache
Dear Apache-HTTPD developers,

I am a Ph.D student in the Software Engineering Research Group of EECS department in Case Western Reserve University, under the instruction of Prof. Andy Podgurski. In our very recent research, we applied inter-procedural code analysis and data mining technique on the version 2.2.8 of Apache project, and we have found 6 potential bugs, as indicated at the end of this email. The reason why we did not submit these bugs to the bug tracking system is that these potential bugs have not triggered any failure, and we cannot be sure whether these potential bugs are real bugs or just bad coding practice. We hope that these potential bugs can help you recognize some real bugs or inappropriate coding practice. It would also be greately appreciated if you can reply to this email after you have gone over the bugs and tell us whether you have confirmed any of them, since these information are really valuable for us for testing our current method.

The 6 bugs can be categorized into the following 2 groups:

Category-1: missing of a check of the return value of a function
A function may return an error code such as 0, -1 or NULL to indicate that an error occured inside of a function. We've found several potential bugs where a check of the return value is likely to be missing for certain functions.
Category-2: missing of a function call
This normally happens when a function call is missing in a set of function calls that always need to be invoked together, for example, malloc() and free().

The detailed information of each potential bug is as followed:
Category-1 or 2
File Name-the file where the bug occurs
Function Name-the function where the bug occurs
Buggy Code-exact line numbers of the buggy code
Description-description of the bug

Some of the potential bugs are inter-procedural, which cross many functions. These potential bugs are normally hard to be discovered by manual effort, and if they are real bugs, it should be valuable to developers since they are hard to be recognized. Note that for interprocedural potential bugs, there are several code segments involved. The info of some code segment is titled "Code" instead of "Buggy Code". This indicates that the code is not buggy, but is the inter-procedural environment of the real location of the bug. Some of the code segments are titled "Correct Code" to show an example of the correct coding practice.

Our previous work with intra-procedural analysis, which is mainly implemented by Ray-yaung Chang, are published in the following two papers:

[1] R. Chang, A. Podgurski, J. Yang,ˇ°Finding WhatˇŻs Not There: A New Approach to Revealing Neglected Conditions in Softwareˇ±, Proceedings of the 2007 International Symposium on Software Testing and Analysis, London, UK, July 2007, pp. 163-173.(Best Paper Reward)
[2] R. Chang, A. Podgurski, J. Yang, "Discovering Neglected Conditions in Software by Mining Dependence Graphs,", IEEE Transactions on Software Engineering, 14 Apr 2008 (preprint), IEEE Computer Society, http://doi.ieeecomputersociety.org/10.1109/TSE.2008.24.

If you have any further informations, please contact any of us:

Andy Podgurski(andy[at]case.edu)
Ray-yaung Chang(ray-yaung.chang[at]case.edu)
Boya Sun(boya.sun[at]case.edu)

Thanks!

Boya
------------------------------------------------------------------------------------------------------------------------------------------------
BUG#1
Category: 1
File Name: /httpd-2.2.8/support/ab.c
Function Name: open_postfile()
Buggy Code:
1901: apr_file_info_get(&finfo, APR_FINFO_NORM, postfd);
1902: postlen = (apr_size_t)finfo.size;
Description: An error might occur if the output of the function apr_file_info_get() is not APR_SUCCESS. The above code does not check the return value of the function.

=====================================================================
BUG#2
Category: 1
File Name: / httpd-2.2.8/srclib/apr/file_io/unix/seek.c
Function Name: apr_file_seek()
Correct Code:
126: apr_status_t rv = apr_file_flush_locked(thefile);
127: if (rv != APR_SUCCESS)
128: return rv;


File Name: /httpd-2.2.8/srclib/apr/file_io/unix/readwrite.c
Function Name: apr_file_flush()
Code:
330: APR_DECLARE(apr_status_t) apr_file_flush(apr_file_t *thefile)
ˇ­ˇ­
336: rv = apr_file_flush_locked(thefile);
ˇ­ˇ­
342: return rv;

File Name: / httpd-2.2.8/server/log.c
Function Name: As follows
Buggy Code:
229: apr_file_flush(ˇ­); // file:/server/log.c Function Name: ap_replace_stderr_log()

424: apr_file_flush(ˇ­); // file:/server/log.c Function Name: ap_open_logs()

683: apr_file_flush(ˇ­); // file:/server/log.c Function Name: log_error_core()
901: apr_file_flush(ˇ­); // file:/src/mod_cgi.c Function Name: cgi_handler()

123: apr_file_flush(ˇ­); // file:/src/open.c Function Name: apr_file_close()


Description: As shown in the first code fragment (apr_file_seek()), the output of apr_file_flush_locked() should be checked to determine if it is APR_SUCESS. By inspecting the source code of apr_file_flush(), we infer that the output of apr_file_flush() should be checked to determine if it is APR_SUCCESS also. However, the output of apr_file_flush() is not checked in the third code fragment.


=====================================================================
BUG#3
Category: 1
File Name: /httpd-2.2.8/support/htcacheclean.c
Function Name: process_dir()
Buggy Code:
534: apr_file_read_full(fd, &expires, len, &len);

Description: We found a rule requiring checking if the output of apr_file_read_full() is APR_SUCCESS. However, the above code ignores this check.

=====================================================================
BUG#4
Category: 2
File Name: /httpd-2.2.8/modules/filters/mod_include.c
Function Name: handle_include
Buggy Code
1714: else {
1715: rr = ap_sub_req_lookup_uri(parsed_string, r, f->next);
1716: }


Description: We found a potential rule requiring that the ap_destroy_sub_req() be executed to release the object returned by ap_sub_req_lookup_uri(). However, ap_destroy_sub_req() is not called in the above code.

=====================================================================
BUG#5
Category: 2
File Name: /httpd-2.2.8/modules/http/http_request.c
Function Name: ap_internal_fast_redirect()
Buggy Code:
449: ap_remove_output_filter(r->output_filters);
450: r->output_filters = r->output_filters->next;
451: }

Description: We found a potential rule requiring that ap_pass_brigade() be called after the execution of ap_remove_output_filter(). However, the above code does not follow this potential rule.

=====================================================================
BUG#6
Category: 1
File Name: /httpd-2.2.8/srclib/srclib/apr-util/xml/expat/lib/xmlparse.c
Function Name: doProlog()
Buggy Code:
2670: ENTITY *entity = (ENTITY *)lookup(&dtd.paramEntities,
2671: externalSubsetName,
2672: 0);
2673: if (!externalEntityRefHandler(externalEntityRefHandlerArg,
2674: 0,
2675: entity->base,
2676: entity->systemId,
2677: entity->publicId))

Description: The function lookup() might return NULL. In the above code, the fields of the variable entity, returned by look(), are accessed without checking if it is NULL.



BOYA SUN
Computer Science Division
Electrical Engineering & Computer Science Department
513 Olin Building
Case Western Reserve University
10900 Euclid Avenue
Clevelnd, OH 44106
boya.sun[at]case.edu
2008-05-13


chip at force-elite

May 14, 2008, 1:19 PM

Post #2 of 11 (304 views)
Permalink
Re: bugs/inappropriate coding practice discovered by interprocedural code analysis for version 2.2.8 of Apache [In reply to]
BOYA SUN wrote:
> Dear Apache-HTTPD developers,
>
> I am a Ph.D student in the Software Engineering Research Group of EECS
> department in Case Western Reserve University, under the instruction of
> Prof. Andy Podgurski. In our very recent research, we applied
> inter-procedural code analysis and data mining technique on the
> version 2.2.8 of Apache project, and we have found 6 potential bugs, as
> indicated at the end of this email. The reason why we did not submit
> these bugs to the bug tracking system is that these potential bugs have
> not triggered any failure, and we cannot be sure whether these
> potential bugs are real bugs or just bad coding practice. We hope that
> these potential bugs can help you recognize some real bugs or
> inappropriate coding practice. *It would also be greately appreciated if
> you can reply to this email after you have gone over the bugs and tell
> us whether you have confirmed any of them*, since these information are
> really valuable for us for testing our current method.

Compared to previous automated code checking systems, the issues you
highlighted have a surprisingly high correctness rate.

Note that it is also generally best to work against trunk when reporting
bugs, if possible:
<https://svn.apache.org/repos/asf/httpd/httpd/trunk/>

> *BUG#1*
> *Category: 1*
> *File Name:* /httpd-2.2.8/support/ab.c
> *Function Name:* open_postfile()
> *Buggy Code:*
> 1901: apr_file_info_get(&finfo, APR_FINFO_NORM, postfd);
> 1902: postlen = (apr_size_t)finfo.size;
>
> *Description:* An error might occur if the output of the function
> apr_file_info_get() is not APR_SUCCESS. The above code does not check
> the return value of the function.


I agree, its a bug.

Fixed in r656400:
https://svn.apache.org/viewvc?view=rev&revision=656400

(Rudger, you hit commit 30 seconds before me, and then I got a conflict
when trying to commit!)


> *BUG#2*
> *Category: 1 *
> *File Name:* / httpd-2.2.8/srclib/apr/file_io/unix/seek.c
> *Function Name:* apr_file_seek()
> *Correct Code:*
.....
> *Function Name:* As follows
> *Buggy Code:*
> 229: apr_file_flush(…); // file:/server/log.c *Function Name:* ap_replace_stderr_log()
> 424: apr_file_flush(…); // file:/server/log.c *Function Name:* ap_open_logs()
> 683: apr_file_flush(…); // file:/server/log.c *Function Name:* log_error_core()
> 901: apr_file_flush(…); // file:/src/mod_cgi.c *Function Name:* cgi_handler()
> 123: apr_file_flush(…); // file:/src/open.c *Function Name:* apr_file_close()
> *Description:* As shown in the first code fragment (apr_file_seek()), the output of apr_file_flush_locked() should be checked to determine if it is APR_SUCESS. By inspecting the source code of apr_file_flush(), we infer that the output of apr_file_flush() should be checked to determine if it is APR_SUCCESS also. However, the output of apr_file_flush() is not checked in the third code fragment.

Yup, these are all bugs.

And no, its not okay if flush fails, because APR's 'flush' call will
call write() if you are using buffered file IO.

> *BUG#3*
> *Category: 1*
> *File Name:* /httpd-2.2.8/support/htcacheclean.c
> *Function Name:* process_dir()
> *Buggy Code:
> 534: apr_file_read_full(fd, &expires, len, &len);
> *Description:* We found a rule requiring checking if the output of
> apr_file_read_full() is APR_SUCCESS. However, the above code ignores
> this check.


Bug. Fixed in r656401:
https://svn.apache.org/viewvc?view=rev&revision=656401


> *BUG#4*
> *Category: 2*
> *File Name:* /httpd-2.2.8/modules/filters/mod_include.c
> *Function Name:* handle_include
> *Buggy Code
> 1714: else {
> 1715: rr = ap_sub_req_lookup_uri(parsed_string, r, f->next);
> 1716: }
>
> *Description:* We found a potential rule requiring that the
> ap_destroy_sub_req() be executed to release the object returned by
> ap_sub_req_lookup_uri(). However, ap_destroy_sub_req() is not called in
> the above code.


Ah, your first miss :-)

This one isn't a bug.

While it is potentially non-optimal, due to how Pool cleanups work, we
can 'leak' the rr variable. When the main request finishes, the
sub-pool for RR, created from the main request would be recursively
cleaned up.

> *BUG#5*
> *Category: 2*
> *File Name:* /httpd-2.2.8/modules/http/http_request.c
> *Function Name:* ap_internal_fast_redirect()
> *Buggy Code:*
> 449: ap_remove_output_filter(r->output_filters);
> 450: r->output_filters = r->output_filters->next;
> 451: }
> *Description:* We found a potential rule requiring that
> ap_pass_brigade() be called after the execution of
> ap_remove_output_filter(). However, the above code does not follow this
> potential rule.

Nope, ap_pass_brigade is commonly used in that way, for example when a
filter is done, it removes itself, and then passes the content down the
chain, but they are not dependent on each other.

> *Category: 1*
> *File Name:* /httpd-2.2.8/srclib/srclib/apr-util/xml/expat/lib/xmlparse.c
> *Function Name:* doProlog()
> *Buggy Code:*
> 2670: ENTITY *entity = (ENTITY *)lookup(&dtd.paramEntities,
>
> 2671: externalSubsetName,
> 2672: 0);
> 2673: if (!externalEntityRefHandler(externalEntityRefHandlerArg,
> 2674: 0,
> 2675: entity->base,
> 2676: entity->systemId,
> 2677: entity->publicId))
> *Description:* The function lookup() might return NULL. In the above
> code, the fields of the variable /entity/, returned by look(), are
> accessed without checking if it is NULL.


This one looks like a bug.. but in expat... I guess we should look at
reporting it upstream.

-Paul


boya.sun at case

May 14, 2008, 1:40 PM

Post #3 of 11 (306 views)
Permalink
Re: bugs/inappropriate coding practice discovered by interprocedural code analysis for version 2.2.8 of Apache [In reply to]
Dear Paul,

Thank you so much for replying to the email. It seems that our approach
is accurate in finding bugs of Category 1, but not so accurate for
Category 2 which involves ordering rules. Anyway, it is a big
encouragement of our work, thanks again!

Boya

----- Original Message -----
From: Paul Querna <chip[at]force-elite.com>
Date: Wednesday, May 14, 2008 4:27 pm
Subject: Re: bugs/inappropriate coding practice discovered by
interprocedural code analysis for version 2.2.8 of Apache
To: dev[at]httpd.apache.org

> BOYA SUN wrote:
> > Dear Apache-HTTPD developers,
> >
> > I am a Ph.D student in the Software Engineering Research Group of
> EECS
> > department in Case Western Reserve University, under the
> instruction of
> > Prof. Andy Podgurski. In our very recent research, we applied
> > inter-procedural code analysis and data mining technique on the
> > version 2.2.8 of Apache project, and we have found 6 potential
> bugs, as
> > indicated at the end of this email. The reason why we did not
> submit
> > these bugs to the bug tracking system is that these potential
> bugs have
> > not triggered any failure, and we cannot be sure whether these
> > potential bugs are real bugs or just bad coding practice. We hope
> that
> > these potential bugs can help you recognize some real bugs or
> > inappropriate coding practice. *It would also be greately
> appreciated if
> > you can reply to this email after you have gone over the bugs and
> tell
> > us whether you have confirmed any of them*, since these
> information are
> > really valuable for us for testing our current method.
>
> Compared to previous automated code checking systems, the issues
> you
> highlighted have a surprisingly high correctness rate.
>
> Note that it is also generally best to work against trunk when
> reporting
> bugs, if possible:
> <https://svn.apache.org/repos/asf/httpd/httpd/trunk/>
>
> > *BUG#1*
> > *Category: 1*
> > *File Name:* /httpd-2.2.8/support/ab.c
> > *Function Name:* open_postfile()
> > *Buggy Code:*
> > 1901: apr_file_info_get(&finfo, APR_FINFO_NORM, postfd);
> > 1902: postlen = (apr_size_t)finfo.size;
> >
> > *Description:* An error might occur if the output of the function
> > apr_file_info_get() is not APR_SUCCESS. The above code does not
> check
> > the return value of the function.
>
>
> I agree, its a bug.
>
> Fixed in r656400:
> https://svn.apache.org/viewvc?view=rev&revision=656400
>
> (Rudger, you hit commit 30 seconds before me, and then I got a
> conflict
> when trying to commit!)
>
>
> > *BUG#2*
> > *Category: 1 *
> > *File Name:* / httpd-2.2.8/srclib/apr/file_io/unix/seek.c
> > *Function Name:* apr_file_seek()
> > *Correct Code:*
> .....
> > *Function Name:* As follows
> > *Buggy Code:*
> > 229: apr_file_flush(…); // file:/server/log.c *Function
> Name:* ap_replace_stderr_log()
> > 424: apr_file_flush(…); // file:/server/log.c *Function
> Name:* ap_open_logs()
> > 683: apr_file_flush(…); // file:/server/log.c *Function
> Name:* log_error_core()
> > 901: apr_file_flush(…); // file:/src/mod_cgi.c *Function
> Name:* cgi_handler()
> > 123: apr_file_flush(…); // file:/src/open.c *Function
> Name:* apr_file_close()
> > *Description:* As shown in the first code fragment
> (apr_file_seek()), the output of apr_file_flush_locked() should be
> checked to determine if it is APR_SUCESS. By inspecting the source
> code of apr_file_flush(), we infer that the output of
> apr_file_flush() should be checked to determine if it is
> APR_SUCCESS also. However, the output of apr_file_flush() is not
> checked in the third code fragment.
>
> Yup, these are all bugs.
>
> And no, its not okay if flush fails, because APR's 'flush' call
> will
> call write() if you are using buffered file IO.
>
> > *BUG#3*
> > *Category: 1*
> > *File Name:* /httpd-2.2.8/support/htcacheclean.c
> > *Function Name:* process_dir()
> > *Buggy Code:
> > 534: apr_file_read_full(fd, &expires, len, &len);
> > *Description:* We found a rule requiring checking if the output
> of
> > apr_file_read_full() is APR_SUCCESS. However, the above code
> ignores
> > this check.
>
>
> Bug. Fixed in r656401:
> https://svn.apache.org/viewvc?view=rev&revision=656401
>
>
> > *BUG#4*
> > *Category: 2*
> > *File Name:* /httpd-2.2.8/modules/filters/mod_include.c
> > *Function Name:* handle_include
> > *Buggy Code
> > 1714: else {
> > 1715: rr = ap_sub_req_lookup_uri(parsed_string, r,
> f->next);
> > 1716: }
> >
> > *Description:* We found a potential rule requiring that the
> > ap_destroy_sub_req() be executed to release the object returned
> by
> > ap_sub_req_lookup_uri(). However, ap_destroy_sub_req() is not
> called in
> > the above code.
>
>
> Ah, your first miss :-)
>
> This one isn't a bug.
>
> While it is potentially non-optimal, due to how Pool cleanups work,
> we
> can 'leak' the rr variable. When the main request finishes, the
> sub-pool for RR, created from the main request would be recursively
> cleaned up.
>
> > *BUG#5*
> > *Category: 2*
> > *File Name:* /httpd-2.2.8/modules/http/http_request.c
> > *Function Name:* ap_internal_fast_redirect()
> > *Buggy Code:*
> > 449: ap_remove_output_filter(r->output_filters);
> > 450: r->output_filters = r->output_filters->next;
> > 451: }
> > *Description:* We found a potential rule requiring that
> > ap_pass_brigade() be called after the execution of
> > ap_remove_output_filter(). However, the above code does not
> follow this
> > potential rule.
>
> Nope, ap_pass_brigade is commonly used in that way, for example
> when a
> filter is done, it removes itself, and then passes the content down
> the
> chain, but they are not dependent on each other.
>
> > *Category: 1*
> > *File Name:* /httpd-2.2.8/srclib/srclib/apr-
> util/xml/expat/lib/xmlparse.c
> > *Function Name:* doProlog()
> > *Buggy Code:*
> > 2670: ENTITY *entity = (ENTITY *)lookup(&dtd.paramEntities,
> >
> > 2671:
> externalSubsetName,
> > 2672:
> 0);
> > 2673: if
> (!externalEntityRefHandler(externalEntityRefHandlerArg,> 2674:
>
> 0,
> > 2675:
> entity->base,
> > 2676:
> entity->systemId,
> > 2677:
> entity->publicId))
> > *Description:* The function lookup() might return NULL. In the
> above
> > code, the fields of the variable /entity/, returned by look(),
> are
> > accessed without checking if it is NULL.
>
>
> This one looks like a bug.. but in expat... I guess we should look
> at
> reporting it upstream.
>
> -Paul
>


rpluem at apache

May 14, 2008, 1:43 PM

Post #4 of 11 (306 views)
Permalink
Re: bugs/inappropriate coding practice discovered by interprocedural code analysis for version 2.2.8 of Apache [In reply to]
On 05/14/2008 10:19 PM, Paul Querna wrote:
> BOYA SUN wrote:

>
>> *BUG#1*
>> *Category: 1*
>> *File Name:* /httpd-2.2.8/support/ab.c *Function Name:* open_postfile()
>> *Buggy Code:*
>> 1901: apr_file_info_get(&finfo, APR_FINFO_NORM, postfd);
>> 1902: postlen = (apr_size_t)finfo.size;
>> *Description:* An error might occur if the output of the function
>> apr_file_info_get() is not APR_SUCCESS. The above code does not check
>> the return value of the function.
>
>
> I agree, its a bug.
>
> Fixed in r656400:
> https://svn.apache.org/viewvc?view=rev&revision=656400
>
> (Rudger, you hit commit 30 seconds before me, and then I got a conflict
> when trying to commit!)

The same happened to me in the htcacheclean case but only the other way round :-).

>
>
>> *BUG#2*
>> *Category: 1 *
>> *File Name:* / httpd-2.2.8/srclib/apr/file_io/unix/seek.c
>> *Function Name:* apr_file_seek()
>> *Correct Code:*
> .....
>> *Function Name:* As follows
>> *Buggy Code:*
>> 229: apr_file_flush(…); // file:/server/log.c *Function Name:*
>> ap_replace_stderr_log()
>> 424: apr_file_flush(…); // file:/server/log.c *Function
>> Name:* ap_open_logs() 683: apr_file_flush(…); //
>> file:/server/log.c *Function Name:* log_error_core()
>> 901: apr_file_flush(…); // file:/src/mod_cgi.c *Function Name:*
>> cgi_handler()
>> 123: apr_file_flush(…); // file:/src/open.c *Function Name:*
>> apr_file_close()
>> *Description:* As shown in the first code fragment (apr_file_seek()),
>> the output of apr_file_flush_locked() should be checked to determine
>> if it is APR_SUCESS. By inspecting the source code of
>> apr_file_flush(), we infer that the output of apr_file_flush() should
>> be checked to determine if it is APR_SUCCESS also. However, the output
>> of apr_file_flush() is not checked in the third code fragment.
>
> Yup, these are all bugs.
>
> And no, its not okay if flush fails, because APR's 'flush' call will
> call write() if you are using buffered file IO.

I think nothing really useful can be done in these situations, but ignoring it
if things fail here.
An regarding the one in apr_file_close: The code looks different now in trunk.


>
>> *BUG#4*
>> *Category: 2*
>> *File Name:* /httpd-2.2.8/modules/filters/mod_include.c *Function
>> Name:* handle_include
>> *Buggy Code
>> 1714: else {
>> 1715: rr = ap_sub_req_lookup_uri(parsed_string, r,
>> f->next);
>> 1716: }
> >
>> *Description:* We found a potential rule requiring that the
>> ap_destroy_sub_req() be executed to release the object returned by
>> ap_sub_req_lookup_uri(). However, ap_destroy_sub_req() is not called
>> in the above code.
>
>
> Ah, your first miss :-)
>
> This one isn't a bug.
>
> While it is potentially non-optimal, due to how Pool cleanups work, we
> can 'leak' the rr variable. When the main request finishes, the
> sub-pool for RR, created from the main request would be recursively
> cleaned up.

While it is true that this finally gets cleaned up when r->pool gets cleaned up
it is unfortunate that this happens in a loop. OTOH this problem is well known
(see comment from jorton a few lines later):

/* Do *not* destroy the subrequest here; it may have allocated
* variables in this r->subprocess_env in the subrequest's
* r->pool, so that pool must survive as long as this request.
* Yes, this is a memory leak. */


Regards

RĂĽdiger


boya.sun at case

May 14, 2008, 8:20 PM

Post #5 of 11 (299 views)
Permalink
Re: Re: bugs/inappropriate coding practice discovered by interproceduralcode analysis for version 2.2.8 of Apache [In reply to]
Here is another potential bug we've just discovered, and it seems to be occured in several places. Please also take a look at it if interested, thanks a lot!

Boya
-----------------------
Bug#7

File Name: /httpd-2.2.8/srclib/apr/file_io/unidx/readwrite.c (63)
Function Name: apr_file_puts()
Code:
304: APR_DECLARE(apr_status_t) apr_file_puts(const char *str, apr_file_t *thefile)
305: {
306: return apr_file_write_full(thefile, str, strlen(str), NULL);
307: }

Description: An error occur if apr_file_write_full() returns ˇ°!APR_SUCCESSˇ±. According to the above code, we infer that an error occurs if apr_file_puts() returns ˇ°!APR_SUCCESSˇ±. However, the return values of apr_file_puts() are not checked in the following locations.

\apache\src\log.c(682): apr_file_puts(errstr, logf);
\apache\src\mod_cgi.c(254): apr_file_puts("%request\n", f);
\apache\src\mod_cgi.c(265): apr_file_puts("%response\n", f);
\apache\src\mod_cgi.c(291): apr_file_puts("%stdout\n", f);
\apache\src\mod_cgi.c(295): apr_file_puts("\n", f);
\apache\src\mod_cgi.c(299): apr_file_puts("%stderr\n", f);
\apache\src\mod_cgi.c(300): apr_file_puts(argsbuffer, f);
\apache\src\mod_cgi.c(303): apr_file_puts(argsbuffer, f);
\apache\src\mod_cgi.c(305): apr_file_puts("\n", f);
\apache\src\mod_cgid.c(1029): apr_file_puts("%request\n", f);
\apache\src\mod_cgid.c(1040): apr_file_puts("%response\n", f);
\apache\src\mod_cgid.c(1067): apr_file_puts("%stdout\n", f);
\apache\src\mod_cgid.c(1071): apr_file_puts("\n", f);
\apache\src\mod_cgid.c(1077): apr_file_puts("%stderr\n", f);
\apache\src\mod_cgid.c(1078): apr_file_puts(argsbuffer, f);
\apache\src\mod_cgid.c(1081): apr_file_puts(argsbuffer, f);
\apache\src\mod_cgid.c(1082): apr_file_puts("\n", f);





BOYA SUN
2008-05-14



·˘ĽţČËŁş Ruediger Pluem
·˘ËÍʱĽäŁş 2008-05-14 16:50:30
ĘŐĽţČËŁş dev[at]httpd.apache.org
ł­ËÍŁş
Ö÷Ě⣺ Re: bugs/inappropriate coding practice discovered by interproceduralcode analysis for version 2.2.8 of Apache



On 05/14/2008 10:19 PM, Paul Querna wrote:
> BOYA SUN wrote:

>
> > *BUG#1*
> > *Category: 1*
> > *File Name:* /httpd-2.2.8/support/ab.c *Function Name:* open_postfile()
> > *Buggy Code:*
> > 1901: apr_file_info_get(&finfo, APR_FINFO_NORM, postfd);
> > 1902: postlen = (apr_size_t)finfo.size;
> > *Description:* An error might occur if the output of the function
> > apr_file_info_get() is not APR_SUCCESS. The above code does not check
> > the return value of the function.
>
>
> I agree, its a bug.
>
> Fixed in r656400:
> https://svn.apache.org/viewvc?view=rev&revision=656400
>
> (Rudger, you hit commit 30 seconds before me, and then I got a conflict
> when trying to commit!)

The same happened to me in the htcacheclean case but only the other way round :-).

>
>
> > *BUG#2*
> > *Category: 1 *
> > *File Name:* / httpd-2.2.8/srclib/apr/file_io/unix/seek.c
> > *Function Name:* apr_file_seek()
> > *Correct Code:*
> .....
> > *Function Name:* As follows
> > *Buggy Code:*
> > 229: apr_file_flush(ˇ­); // file:/server/log.c *Function Name:*
> > ap_replace_stderr_log()
> > 424: apr_file_flush(ˇ­); // file:/server/log.c *Function
> > Name:* ap_open_logs() 683: apr_file_flush(ˇ­); //
> > file:/server/log.c *Function Name:* log_error_core()
> > 901: apr_file_flush(ˇ­); // file:/src/mod_cgi.c *Function Name:*
> > cgi_handler()
> > 123: apr_file_flush(ˇ­); // file:/src/open.c *Function Name:*
> > apr_file_close()
> > *Description:* As shown in the first code fragment (apr_file_seek()),
> > the output of apr_file_flush_locked() should be checked to determine
> > if it is APR_SUCESS. By inspecting the source code of
> > apr_file_flush(), we infer that the output of apr_file_flush() should
> > be checked to determine if it is APR_SUCCESS also. However, the output
> > of apr_file_flush() is not checked in the third code fragment.
>
> Yup, these are all bugs.
>
> And no, its not okay if flush fails, because APR's 'flush' call will
> call write() if you are using buffered file IO.

I think nothing really useful can be done in these situations, but ignoring it
if things fail here.
An regarding the one in apr_file_close: The code looks different now in trunk.


>
> > *BUG#4*
> > *Category: 2*
> > *File Name:* /httpd-2.2.8/modules/filters/mod_include.c *Function
> > Name:* handle_include
> > *Buggy Code
> > 1714: else {
> > 1715: rr = ap_sub_req_lookup_uri(parsed_string, r,
> > f- >next);
> > 1716: }
> >
> > *Description:* We found a potential rule requiring that the
> > ap_destroy_sub_req() be executed to release the object returned by
> > ap_sub_req_lookup_uri(). However, ap_destroy_sub_req() is not called
> > in the above code.
>
>
> Ah, your first miss :-)
>
> This one isn't a bug.
>
> While it is potentially non-optimal, due to how Pool cleanups work, we
> can 'leak' the rr variable. When the main request finishes, the
> sub-pool for RR, created from the main request would be recursively
> cleaned up.

While it is true that this finally gets cleaned up when r- >pool gets cleaned up
it is unfortunate that this happens in a loop. OTOH this problem is well known
(see comment from jorton a few lines later):

/* Do *not* destroy the subrequest here; it may have allocated
* variables in this r- >subprocess_env in the subrequest's
* r- >pool, so that pool must survive as long as this request.
* Yes, this is a memory leak. */


Regards

R¨ądiger


rpluem at apache

May 15, 2008, 12:00 PM

Post #6 of 11 (279 views)
Permalink
Re: bugs/inappropriate coding practice discovered by interproceduralcode analysis for version 2.2.8 of Apache [In reply to]
On 05/15/2008 05:29 AM, BOYA SUN wrote:
> Here is another potential bug we've just discovered, and it seems to be occured in several places. Please also take a look at it if interested, thanks a lot!
>
> Boya
> -----------------------
> Bug#7
>
> File Name: /httpd-2.2.8/srclib/apr/file_io/unidx/readwrite.c (63)
> Function Name: apr_file_puts()
> Code:
> 304: APR_DECLARE(apr_status_t) apr_file_puts(const char *str, apr_file_t *thefile)
> 305: {
> 306: return apr_file_write_full(thefile, str, strlen(str), NULL);
> 307: }
>
> Description: An error occur if apr_file_write_full() returns “!APR_SUCCESS”. According to the above code, we infer that an error occurs if apr_file_puts() returns “!APR_SUCCESS”. However, the return values of apr_file_puts() are not checked in the following locations.
>
> \apache\src\log.c(682): apr_file_puts(errstr, logf);

I see nothing reasonable that we can do in this situation but ignoring the error.

> \apache\src\mod_cgi.c(254): apr_file_puts("%request\n", f);
> \apache\src\mod_cgi.c(265): apr_file_puts("%response\n", f);
> \apache\src\mod_cgi.c(291): apr_file_puts("%stdout\n", f);
> \apache\src\mod_cgi.c(295): apr_file_puts("\n", f);
> \apache\src\mod_cgi.c(299): apr_file_puts("%stderr\n", f);
> \apache\src\mod_cgi.c(300): apr_file_puts(argsbuffer, f);
> \apache\src\mod_cgi.c(303): apr_file_puts(argsbuffer, f);
> \apache\src\mod_cgi.c(305): apr_file_puts("\n", f);
> \apache\src\mod_cgid.c(1029): apr_file_puts("%request\n", f);
> \apache\src\mod_cgid.c(1040): apr_file_puts("%response\n", f);
> \apache\src\mod_cgid.c(1067): apr_file_puts("%stdout\n", f);
> \apache\src\mod_cgid.c(1071): apr_file_puts("\n", f);
> \apache\src\mod_cgid.c(1077): apr_file_puts("%stderr\n", f);
> \apache\src\mod_cgid.c(1078): apr_file_puts(argsbuffer, f);
> \apache\src\mod_cgid.c(1081): apr_file_puts(argsbuffer, f);
> \apache\src\mod_cgid.c(1082): apr_file_puts("\n", f);

We might could log an error in all these situations. Somebody eager to fix this :-)?

Regards

RĂĽdiger


henrik at henriknordstrom

May 15, 2008, 12:44 PM

Post #7 of 11 (278 views)
Permalink
Re: bugs/inappropriate coding practice discovered by interproceduralcode analysis for version 2.2.8 of Apache [In reply to]
On tor, 2008-05-15 at 21:00 +0200, Ruediger Pluem wrote:
> > \apache\src\log.c(682): apr_file_puts(errstr, logf);
>
> I see nothing reasonable that we can do in this situation but ignoring the error.

syslog?

Regards
Henrik


rpluem at apache

May 15, 2008, 1:04 PM

Post #8 of 11 (278 views)
Permalink
Re: bugs/inappropriate coding practice discovered by interproceduralcode analysis for version 2.2.8 of Apache [In reply to]
On 05/15/2008 09:44 PM, Henrik Nordstrom wrote:
> On tor, 2008-05-15 at 21:00 +0200, Ruediger Pluem wrote:
>>> \apache\src\log.c(682): apr_file_puts(errstr, logf);
>> I see nothing reasonable that we can do in this situation but ignoring the error.
>
> syslog?

Syslog may not be available and is likely not configured correctly by the user in this
situation. Thus I guess the user also doesn't bother to have a look in the syslog in
this case.

Regards

Rüdiger


john-perl at o-rourke

May 15, 2008, 1:07 PM

Post #9 of 11 (276 views)
Permalink
Re: bugs/inappropriate coding practice discovered by interproceduralcode analysis for version 2.2.8 of Apache [In reply to]
Henrik Nordstrom wrote:
> On tor, 2008-05-15 at 21:00 +0200, Ruediger Pluem wrote:
>
>>> \apache\src\log.c(682): apr_file_puts(errstr, logf);
>>>
>> I see nothing reasonable that we can do in this situation but ignoring the error.
>>
>
> syslog?
>

Please excuse me barging in here but I think it's appropriate to look at
typical use for this one.

This error would typically happen on a busy site with a full log
partition. Writing to syslog is likely to fail for the same reason, and
in a typical setup a full /var partition is going to cause all sorts of
problems. Good log files are very important on busy and/or distributed
sites, and sometimes business critical.

As a sysadmin I would prefer apache to die rather than end up with
corrupt logs, but I think the default should remain as it is, so perhaps
this could be a config file option? LogFaultAction or something.

cheers
John


henrik at henriknordstrom

May 16, 2008, 2:34 AM

Post #10 of 11 (261 views)
Permalink
Re: bugs/inappropriate coding practice discovered by interproceduralcode analysis for version 2.2.8 of Apache [In reply to]
On tor, 2008-05-15 at 21:07 +0100, John ORourke wrote:

> This error would typically happen on a busy site with a full log
> partition. Writing to syslog is likely to fail for the same reason,
> and in a typical setup a full /var partition is going to cause all
> sorts of problems. Good log files are very important on busy and/or
> distributed sites, and sometimes business critical.

Many bigger servers have syslog sent over network to a central
monitoring server.

Regards
Henrik


jim at jaguNET

May 16, 2008, 5:06 AM

Post #11 of 11 (258 views)
Permalink
Re: bugs/inappropriate coding practice discovered by interproceduralcode analysis for version 2.2.8 of Apache [In reply to]
On May 15, 2008, at 3:00 PM, Ruediger Pluem wrote:

>
>
> On 05/15/2008 05:29 AM, BOYA SUN wrote:
>> Here is another potential bug we've just discovered, and it seems
>> to be occured in several places. Please also take a look at it if
>> interested, thanks a lot!
>> Boya
>> -----------------------
>> Bug#7
>> File Name: /httpd-2.2.8/srclib/apr/file_io/unidx/readwrite.c (63)
>> Function Name: apr_file_puts()
>> Code:
>> 304: APR_DECLARE(apr_status_t) apr_file_puts(const char *str,
>> apr_file_t *thefile)
>> 305: {
>> 306: return apr_file_write_full(thefile, str, strlen(str),
>> NULL);
>> 307: }
>> Description: An error occur if apr_file_write_full() returns “!
>> APR_SUCCESS”. According to the above code, we infer that an error
>> occurs if apr_file_puts() returns “!APR_SUCCESS”. However, the
>> return values of apr_file_puts() are not checked in the following
>> locations.
>> \apache\src\log.c(682): apr_file_puts(errstr, logf);
>
> I see nothing reasonable that we can do in this situation but
> ignoring the error.
>

Agreed.

>> \apache\src\mod_cgi.c(254): apr_file_puts("%request\n", f);
>> \apache\src\mod_cgi.c(265): apr_file_puts("%response\n", f);
>> \apache\src\mod_cgi.c(291): apr_file_puts("%stdout\n", f);
>> \apache\src\mod_cgi.c(295): apr_file_puts("\n", f);
>> \apache\src\mod_cgi.c(299): apr_file_puts("%stderr\n", f);
>> \apache\src\mod_cgi.c(300): apr_file_puts(argsbuffer, f);
>> \apache\src\mod_cgi.c(303): apr_file_puts(argsbuffer, f);
>> \apache\src\mod_cgi.c(305): apr_file_puts("\n", f);
>> \apache\src\mod_cgid.c(1029): apr_file_puts("%request\n", f);
>> \apache\src\mod_cgid.c(1040): apr_file_puts("%response\n", f);
>> \apache\src\mod_cgid.c(1067): apr_file_puts("%stdout\n",
>> f);
>> \apache\src\mod_cgid.c(1071): apr_file_puts("\n", f);
>> \apache\src\mod_cgid.c(1077): apr_file_puts("%stderr\n",
>> f);
>> \apache\src\mod_cgid.c(1078): apr_file_puts(argsbuffer,
>> f);
>> \apache\src\mod_cgid.c(1081):
>> apr_file_puts(argsbuffer, f);
>> \apache\src\mod_cgid.c(1082): apr_file_puts("\n", f);
>
> We might could log an error in all these situations. Somebody eager
> to fix this :-)?
>

Well, not in 2.2.9 but once that's out, for trunk and 2.2.10 :)

Apache dev RSS feed   Index | Next | Previous | View Threaded
 
 


Interested in having your list archived? Contact lists@gossamer-threads.com
 
  Web Applications & Managed Hosting Powered by Gossamer Threads Inc.