Bug fix sharing : where does bug come from

where does bug come from
Yu Shen
2017.6
1

experiences
2 years
200+ bug fixs
2

bugs can be deadly
if (launch = true)
{
launch_missile();
}
3

bugs can be deadly
a shell script to clean the TMPDIR.
rm ‐rf $TMPDIR/
5

bugs can be deadly
a script to clean the TMPDIR.
rm ‐rf $TMPDIR/*
but when $TMPDIR is empty
6

if you see
core dump
freeze
unexpected error message
software behave in unintended ways
7

There is likey to be a bug...
8

all kinds of bugs
bad programming practice
dangerous C functions: strcmp, strcpy, strcat, sprintf ...
function is not declared before use
forgot to check input arguments
forgot to check function's return code
memory management
buffers overflow
free memory on stack
de‐referencing/accessing NULL pointers
memory leak
9

bugs in catogories
concurrency
without locks
dead locks
TLS ‐ thread local storage
compiler optimization
buggy new features/codes
bad design
10

example1: strcmp
11

strcmp
if (strcmp(te‐>desc, "MATERIALIZED VIEW DATA"))
{
...
click to see on gerrit
12

strcmp
if (strcmp(te‐>desc, "MATERIALIZED VIEW DATA") == 0)
{
...
13

example2: function is not declared before use
14

#0 strlen ()
#1 vfprintf ()
#2 vsnprintf ()
#3 appendStringInfoVA (str=0x7fffb327c000,
fmt=0x3e87260 "table %s is remapped to %s by mapping rule "%s""
#4 elog_finish (elevel=13, fmt=0x4f9de0 "table %s is remapped to %s b
#5 ApplyCatalogMappingRules
15

char *
ApplyCatalogMappingRules(
const char *schema, const char *object)
{
  rewritten_fqname = filter_RE_replace(fqname, li_entry‐>re,  li_entr
  elog(DEBUG2, "table %s is remapped to %s by mapping rule "%s""
(gdb) p rewritten_fqname
$2 = 0xffffffffd53b9d90
    <Address 0xffffffffd53b9d90 out of bounds>
16

(gdb) disas filter_RE_replace
...
<filter_RE_replace+214>: callq 0x45a54a <text_to_cstring>
<filter_RE_replace+219>: cltq
...
17

if the function is not declared before use. the complier will assume
the return type of the function to be int32 which is not enough to
store 64bit memory address. and later use 'cltq' to extend the
int32﴾eax﴿ to int64﴾rax﴿ which is an illegal memory address.
to fix the bug, add declaration before use.
extern char *text_to_cstring(const text *t);
18

example3: forget to check input arguments
19

sword
DCIBindArrayOfStruct(DCIBind *bindp, DCIError *errhp,
ub4 pvskip, ub4 indskip,
ub4 alskip, ub4 rcskip)
{
mylog("[DCIBindArrayOfStruct]: bindp = %p, pvskip = %u, indsk
bindp‐>pvskip = pvskip;
bindp‐>indskip = indskip;
...
20

sword
DCIBindArrayOfStruct(DCIBind *bindp, DCIError *errhp,
ub4 pvskip, ub4 indskip,
ub4 alskip, ub4 rcskip)
{
    if (NULL == bindp ||
    bindp‐>head.handle_type != DCI_HTYPE_BIND)
        return DCI_INVALID_HANDLE;
...
21

example4: forget to check input arguments
22

forget to check input arguments
builder@h1:~/manael/C_INTERFACE/src/odbc$ isql ‐v kingbase_s
[28000][unixODBC]Unexpected protocol character during
authentication or KingbaseES has been closed;
Error while reading to the socket.
[ISQL]ERROR: Could not SQLConnect
23

#define RETRY_TICK  1000000   /* in microseconds */
int
SOCK_wait_for_ready(SocketClass *sock, int retry_count)
{
do {
  struct  timeval  tm;
  if (!no_timeout)
  {
    tm.tv_sec = 0;
    tm.tv_usec = RETRY_TICK;
  }
  ret = select((int)sock‐>socket + 1, ...,  &tm);
} while (ret < 0 && EINTR == SOCK_ERRNO);
  return ret;
}
24

SOCK_wait_for_ready, returned ‐1, errno 22 : Invalid arguments
25

26

memory management
example1: buffers overflow
27

buffers overflow
strcpy(NameStr(*change‐>llogdata‐>schema), schema_name);
strcpy(NameStr(*change‐>llogdata‐>object), object_name);
28

buffers overflow
use strncpy instead of strcpy
strncpy(NameStr(*change‐>llogdata‐>schema),
        schema_name,
        NAMEDATALEN);
strncpy(NameStr(*change‐>llogdata‐>object),
        object_name,
        NAMEDATALEN);
29

memory management
example2: free memory on stack
30

free memory on stack
char
QR_read_tuple(QResultClass *self, char binary)
{
  char tidoidbuf[32];
  if (field_lf >= effective_cols)
    buffer = tidoidbuf;
  else
    buffer = (char *) malloc(len + 1);
...
this_tuplefield[field_lf].value = buffer;
...
void
QR_free_memory(QResultClass *self)
{
free(tuple[lf].value);
...
31

memory management
example3: accessing NULL pointers
32

accessing NULL pointers
else if(errornum == SOCKET_CLOSED)
{
    DBC_set_fullerror(self,
    HYT00_SOCKET_NOTEXPECT_ERROR,
    sock‐>errormsg,
    "08S01");
33

accessing NULL pointers
#define SOCK_get_errmsg(self)
(self ? self‐>errormsg : "socket closed")
...
else if(errornum == SOCKET_CLOSED)
{
DBC_set_fullerror(self,
HYT00_SOCKET_NOTEXPECT_ERROR,
SOCK_get_errmsg(sock),
"08S01");
34

memory management
example4: memory leak
35

memory leak
HeapTuple
BuildTupleFromCStrings(AttInMetadata *attinmeta, char **values)
{
...
  for (i = 0; i < natts; i++)
  {
     dvalues[i] =
     InputFunctionCall(&attinmeta‐>attinfuncs[i],
          values[i],
...
tuple = heap_formtuple(tupdesc, dvalues, nulls);
...
return tuple;
36

memory leak
for (i = 0; i < natts; i++)
{
/*
  * Free the mem allocated in xxx_in to avoid memory leak
  */
  switch(tupdesc‐>attrs[i]‐>atttypid)
  {
  /* Type below are pass by ref, e.g. see numeric_in */
  case NUMERICOID:
  case VARCHAROID:
  case TEXTOID:
  case INT2VECTOROID:
  case TIDOID:
  case OIDVECTOROID:
    if (NULL != dvalues[i])
    {
      pfree((void *)(dvalues[i]));
    }
    break;
click to see on gerrit 37

TLS - thread local storage
ODBCEnv odbcEnvHandle;
38

TLS - thread local storage
MT_LOCAL ODBCEnv odbcEnvHandle = NULL;
39

UCHAR
SOCK_get_next_byte(SocketClass *self)
{
self‐>buffer_filled_in = recv(self‐>socket, (char *) self‐>buffer_in,
if (self‐>buffer_filled_in < 0)
{
...
SocketClass *sc_temp = self; /* remember the pointer value. */
readycode = SOCK_wait_for_ready(self, FALSE, retry_count);
if (NULL == self)
{
if (sc_temp != NULL)
self = sc_temp;
...
41

To avoid compiler optimization:
1. we avoid to use
if (NULL == self)
{
  ... code here will be optimized by gcc ‐O2
  because SOCK_get_next_byte check self != NULL
  if reach here gcc think self must not be NULL
}
2. we have to make self_value and self volatile
42

volatile void * self_value;
/*
* The below C code in asm looks like:
*          ...
* mov    %rbx,0x8(%rsp) ‐‐save self
* callq  595d0 <SOCK_wait_for_ready>
* test   %eax,%eax
* mov    0x8(%rsp),%rbx ‐‐restore self
*          ...
* if you change the code you have to check the asm
* that the self is saved and restored.
*/
self_value = (void *)self; /* remember the pointer value. */
readycode = SOCK_wait_for_ready(self, FALSE, retry_count);
self = (SocketClass *)self_value; /* restore self */
43

buggy new features/codes
dump partation table
45

dump partation table
for (cell = patterns‐>head; cell; cell = cell‐>next)
{
  isparttab = parsePartition(cell‐>val, &maintab, &parttab);
  /* bug24408 add _PRT_oid_ to parttab */
  if (isparttab)
    partitionNameAddOid(maintab, &parttab);
When add new features, do not forget dump/restore, replication...
46

how to avoid bugs
think twice before you type
40% of coments/documentation.
don't ignore compiler warnings
defensive programming: do not coredump in my code!
use tools such as lint/valgrind to find out possible bugs
unit test and regression test: code coverage
47

Bug fix sharing : where does bug come from

More Related Content

What's hot (20)

Similar to Bug fix sharing : where does bug come from (20)

Recently uploaded (20)

Bug fix sharing : where does bug come from