Memory leak detection
Linked lists
Now retrieve the program linkedlist.c, add it to the Makefile, and compile it as before.
Take some time to study the program and understand what it does.
Exercise 3.a: this program is affected by (at least) two memory-related bugs this time, but of a different nature than before. Identify both of them, explain what the consequences might be, and how to fix them.
Exercise 3.b: try linting/static analysis with Clang-Tidy on this program, as you did before.
Does it detect the (right) issues? (Tip: beware of false positives!)
Exercise 3.c: try source code instrumentation with LLVM sanitizers on this program, as you did before.
Do they detect the issues?
In both cases feel free to speculate about why the used approaches did or did not identify the memory issues affecting this program.
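As a point of comparison while you hunt for the bugs in linkedlist.c, here is an added example (not the course's linkedlist.c, and not a solution to it) of a small singly linked list written with explicit ownership rules: every allocation has exactly one owner, nodes are unlinked before they are freed, and `list_free` reads `next` before releasing the node. Compiled with `-fsanitize=address` (which enables LeakSanitizer at exit), it runs clean; the comments point out the single lines whose removal would turn it into a leak or a use-after-free, which is the kind of report you should expect the sanitizers to give on the real program. The names `list_push`, `list_remove`, `list_length`, `list_free` and `demo` are this example's own.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not the course's linkedlist.c. */
struct node {
    char *text;          /* owned by the node, released only in list_free()/list_remove() */
    struct node *next;
};

/* Heap copy of a C string (portable stand-in for strdup()). */
static char *copy_string(const char *s)
{
    size_t n = strlen(s) + 1;
    char *p = malloc(n);
    if (p != NULL)
        memcpy(p, s, n);
    return p;
}

/* Push a copy of `text` at the head. Returns 0 on success, -1 on allocation
 * failure, in which case the existing list is left untouched. */
int list_push(struct node **head, const char *text)
{
    struct node *n = malloc(sizeof *n);
    if (n == NULL)
        return -1;
    n->text = copy_string(text);
    if (n->text == NULL) {
        free(n);         /* without this, a failed push leaks the node */
        return -1;
    }
    n->next = *head;
    *head = n;
    return 0;
}

/* Remove the first node whose text equals `text`. Returns 1 if a node was
 * removed, 0 if none matched. Node and string are freed exactly once. */
int list_remove(struct node **head, const char *text)
{
    struct node **link = head;
    while (*link != NULL) {
        struct node *cur = *link;
        if (strcmp(cur->text, text) == 0) {
            *link = cur->next;   /* unlink first: no dangling pointer stays in the list */
            free(cur->text);
            free(cur);
            return 1;
        }
        link = &cur->next;
    }
    return 0;
}

size_t list_length(const struct node *head)
{
    size_t n = 0;
    for (; head != NULL; head = head->next)
        n++;
    return n;
}

/* Free every node. `next` is read BEFORE free(head): reading head->next
 * afterwards is a use-after-free that AddressSanitizer reports. */
void list_free(struct node *head)
{
    while (head != NULL) {
        struct node *next = head->next;
        free(head->text);
        free(head);
        head = next;
    }
}

/* Build a three-element list, remove one element, tear the list down, and
 * return the length observed after the removal. */
size_t demo(void)
{
    struct node *head = NULL;
    list_push(&head, "alpha");
    list_push(&head, "beta");
    list_push(&head, "gamma");
    list_remove(&head, "beta");
    size_t len = list_length(head);
    list_free(head);     /* drop this call and LeakSanitizer reports 2 nodes + 2 strings leaked */
    return len;
}

int main(void)
{
    printf("length after removal: %zu\n", demo());
    return 0;
}
```

Build it the same way as the course programs, once with plain `clang` and once with `-fsanitize=address`, then try commenting out the `list_free(head)` line or swapping the two statements in `list_free` to see what each tool reports.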
String parsing
You know the drill!
The next program is bracket-parser.c, which extracts a "substring [within brackets]" from a larger string.
Exercise 4.a: read the program, find the memory problem with it, try Clang-Tidy and LLVM sanitizers on it, explaining what you are seeing.
Exercise 4.b: on most inputs the LLVM sanitizers will not detect a memory issue.
Based on your understanding of the bug and your reading of the code (= white-box inspection), can you craft a specific input for bracket-parser that will make the LLVM sanitizer spot the bug at runtime?
(And while we are at it: what does this tell you about the reliability of dynamic analysis to detect memory issues?)
Fuzzing with LibFuzzer
Let's now see if fuzzing can help us find, automatically, both the memory issue affecting bracket-parser and a test input that proves the issue is there.
Read the introductory documentation of LibFuzzer.
Make sure to understand how to add fuzz targets to your code, what the required API is, and the fact that you should not have a main function when using LibFuzzer (because it adds its own main).
Exercise 4.c: add a fuzz target to your code that allows you to fuzz the input of the parse function of bracket-parser.c.
Tip: you can take inspiration from the example seen in lecture, but remember that in this case you should pass well-formed C strings (trailing \0!) to avoid triggering bugs other than the one you are looking for.
Exercise 4.d: build the fuzzer (adding fuzzer to the list of -fsanitize=... sanitizers) and run it.
Does it find the issue?
Does it produce a test case with a sample input that proves the issue is there?
Explain why.
(Pretty cool, huh?)
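The fuzz-target pattern that exercises 4.c and 4.d ask for, as an added example that is not the course's bracket-parser.c and does not contain its bug. Because the real parse function is not reproduced here, `extract_bracketed` is a hypothetical, bounds-checked stand-in with an assumed signature (input string, output buffer, output capacity); in your own harness you would call the course's parse function instead. The part worth copying is `LLVMFuzzerTestOneInput`: LibFuzzer hands the target `size` arbitrary bytes with no terminating NUL, so the harness copies them into a buffer of `size + 1` bytes and terminates it before calling any string function, exactly as the tip above requires. The file defines no `main`, since LibFuzzer supplies its own.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not the course's code. Hypothetical stand-in for the parse
 * function of bracket-parser.c: copies the text between the first '[' and
 * the next ']' of the NUL-terminated string `s` into `out` (capacity
 * `out_size`), always NUL-terminates `out`, truncating rather than
 * overflowing, and returns the number of characters copied, or -1 if the
 * input has no complete bracket pair. */
int extract_bracketed(const char *s, char *out, size_t out_size)
{
    if (out_size == 0)
        return -1;
    const char *open = strchr(s, '[');
    if (open == NULL)
        return -1;
    const char *close = strchr(open + 1, ']');
    if (close == NULL)
        return -1;
    size_t len = (size_t)(close - open - 1);
    if (len >= out_size)
        len = out_size - 1;          /* keep room for the terminator */
    memcpy(out, open + 1, len);
    out[len] = '\0';
    return (int)len;
}

/* LibFuzzer entry point. `data` is NOT NUL-terminated: copy it into a buffer
 * one byte larger and terminate it, otherwise strchr() would read past the
 * end of `data` and AddressSanitizer would flag the harness, not the parser
 * under test (the "bugs other than the one you are looking for"). */
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
{
    char *input = malloc(size + 1);
    if (input == NULL)
        return 0;
    memcpy(input, data, size);
    input[size] = '\0';

    char out[64];
    (void)extract_bracketed(input, out, sizeof out);

    free(input);                     /* the harness must not leak either */
    return 0;                        /* LibFuzzer requires 0; other values are reserved */
}
```

Build with `clang -g -O1 -fsanitize=fuzzer,address fuzz-target.c -o fuzz-target` and run `./fuzz-target`; when a sanitizer fires, LibFuzzer writes the offending bytes to a `crash-<hash>` file in the working directory, and re-running the binary with that file as its only argument replays the input once, which is the reproducing test case exercise 4.d asks about.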