This repository has been archived by the owner on Mar 30, 2021. It is now read-only.

Memcached XTU Analysis

Whisperity edited this page Jan 26, 2017 · 8 revisions

Baseline:

Memcached without XTU - clang 4.0: http://cc.elte.hu:8080/#run=3

Memcached with XTU - clang 4.0: http://cc.elte.hu:8080/#run=4

### Summary

| Analyzed project | All Non-CTU Findings (baseline) | All CTU Findings | New CTU findings | Disappeared findings | Successfully analyzed | Failed to analyze | Analysis Time (baseline) [s] | Analysis Time XTU (1st Phase + 2nd Phase) [s] | Median of bug path length (BPL) in baseline | Median of BPL CTU | Median of BPL of new findings | Median of BPL of disappeared findings |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Curl | 17 | 30 | 14 | 3 | 35 files | 0 files | 26.91 | 42.82 | 9.5 | 8 | 8.5 | 58 |

| Checker ID | Number of new findings |
|---|---|
| core.CallAndMessage | 2 |
| core.DivideZero | 1 |
| core.NonNullParamChecker | 2 |
| core.NullDereference | 2 |
| core.uninitialized.Assign | 3 |
| unix.Malloc | 4 |

Resolved false positives:

Remaining false positives:

Lost true positives:

In the last-but-one version there were lost true positives, but this version performed much better in this respect.

Remaining true positives:

### New true positives

  • MOST IMPORTANT XTU-SPECIFIC finding: memcached.c, core.DivideZero (http://cc.elte.hu:8080/#run=62&report=6833): safe_strtol sets the output C string to null, and if a range overflow error happens (or str == endptr, see line 126 in util.c), it remains null.
  • items.c, core.uninitialized.Assign: if allocation fails, there is a branch where a -= operator is applied with an uninitialized value on the left side.
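
The core.DivideZero finding above, reduced to a constructed single-file C sketch with the unchecked caller beside a checked one. This is an added example, not memcached's source or the analyzer's report. The names `parse_i32`, `divisor_if_unchecked`, `per_item_unchecked` and `per_item_checked` are hypothetical, and it assumes the helper's output is an integer that is zeroed on entry. In the reported case the helper and its caller are in different translation units, which is why only the XTU run sees the path.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical helper: fails on a range error or when str == endptr.
 * Assumption: the output is an integer that is zeroed on entry. */
static bool parse_i32(const char *str, int32_t *out) {
    char *endptr;
    errno = 0;
    *out = 0;
    long l = strtol(str, &endptr, 10);
    if (errno == ERANGE || str == endptr)
        return false;                   /* *out is still 0 here */
    if (*endptr != '\0' || l < INT32_MIN || l > INT32_MAX)
        return false;
    *out = (int32_t)l;
    return true;
}

/* What a caller that ignores the return value is left holding. */
int32_t divisor_if_unchecked(const char *arg) {
    int32_t n;
    (void)parse_i32(arg, &n);
    return n;
}

/* BEFORE: the shape core.DivideZero flags; only safe for valid input. */
int32_t per_item_unchecked(int32_t total, const char *arg) {
    return total / divisor_if_unchecked(arg);   /* 0 after a failed parse */
}

/* AFTER: reject failed parses and non-positive divisors (-1 = rejected). */
int32_t per_item_checked(int32_t total, const char *arg) {
    int32_t n;
    if (!parse_i32(arg, &n) || n <= 0)
        return -1;
    return total / n;
}

int main(void) {
    /* Constructed inputs: valid, non-numeric, out of range, empty. */
    const char *args[] = { "8", "abc", "99999999999999999999", "" };
    for (size_t i = 0; i < sizeof args / sizeof args[0]; i++)
        printf("%-22s divisor=%d checked=%d\n", args[i],
               (int)divisor_if_unchecked(args[i]),
               (int)per_item_checked(1024, args[i]));
    return 0;
}
```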