RISC OS Open: Forum: Possible bugs

Sep 11, 2017 6:41pm

Some of these are minor, some issues may not actually exist. These have been found with CPPcheck.

Fixed ~~Apps\Help2\c\main line 235 leaks expanded_string if malloc of buffer fails.~~
https://www.riscosopen.org/viewer/view/castle/RiscOS/Sources/Apps/Help2/c/main?rev=1.7;content-type=text%2Fx-cvsweb-markup#l235

Fixed ~~FileSys\ImageFS\DosFS\c\DOSFS line 1566 .code[] is defined to have 384 elements for loop accesses up to element 480.~~
https://www.riscosopen.org/viewer/view/castle/RiscOS/Sources/FileSys/ImageFS/DOSFS/c/DOSFS?rev=4.28;content-type=text%2Fx-cvsweb-markup#l1566

Fixed ~~FileSys\ImageFS\DosFS\c\DOSFS line 621 dr.dr_discname might be being access beyond the end as I think sprintf might add and extra null terminator.~~
https://www.riscosopen.org/viewer/view/castle/RiscOS/Sources/FileSys/ImageFS/DOSFS/c/DOSFS?rev=4.28;content-type=text%2Fx-cvsweb-markup#l621

Fixed ~~Internat\IntKey\c\keygen line 577 Array uc⁴ is accessed at index 7~~
https://www.riscosopen.org/viewer/view/castle/RiscOS/Sources/Internat/IntKey/c/keygen?rev=1.12;content-type=text%2Fx-cvsweb-markup#l577

Fixed ~~Networking\Omni\Protocols\LanManFS\c\SMB line 887 Array SMB_RxWords¹⁴ is accessed at index 16~~
https://www.riscosopen.org/viewer/view/castle/RiscOS/Sources/Networking/Omni/Protocols/LanManFS/c/SMB?rev=1.23;content-type=text%2Fx-cvsweb-markup#l887

Fixed ~~HWSupport\USB\USBDriver\build\c\usbhal Line 245 Memory leak: softc~~
https://www.riscosopen.org/viewer/view/mixed/RiscOS/Sources/HWSupport/USB/USBDriver/build/c/ohcimodule?rev=1.29;content-type=text%2Fx-cvsweb-markup#l245

Fixed ~~HWSupport\USB\USBDriver\build\c\usbkboard Line 209 Memory leak: softc~~
https://www.riscosopen.org/viewer/view/mixed/RiscOS/Sources/HWSupport/USB/USBDriver/build/c/usbkboard?rev=1.10;content-type=text%2Fx-cvsweb-markup#l209

Fixed ~~HWSupport\VCHIQ\c\vchiq_riscos line 101 Memory leak : thread~~
https://www.riscosopen.org/viewer/view/mixed/RiscOS/Sources/HWSupport/VCHIQ/c/vchiq_riscos?rev=1.2;content-type=text%2Fx-cvsweb-markup#l101

Fixed ~~Video\Render\SprExtend\c\asmcore Line 1013 Array ‘usedregs¹⁵’ accessed at index 15, which is out of bounds.~~
https://www.riscosopen.org/viewer/view/mixed/RiscOS/Sources/Video/Render/SprExtend/c/asmcore?rev=4.7;content-type=text%2Fx-cvsweb-markup#l1013

Sep 11, 2017 9:12pm

Dominic Plunkett (2556) 29 posts

File removed ~~HWSupport\USB\USBDriver\build\c\usbhal line 691 Size of pointer ‘c’ used instead of size of its data. You probably intend to write ‘sizeof(*c)’~~

https://www.riscosopen.org/viewer/view/mixed/RiscOS/Sources/HWSupport/USB/USBDriver/build/c/ohcimodule?rev=1.29;content-type=text%2Fx-cvsweb-markup#l691

Sep 12, 2017 7:38am

Jon Abbott (1421) 2239 posts

You should probably provide links to the source lines in question as the code is frequently updated.

Sep 12, 2017 6:38pm

Dominic Plunkett (2556) 29 posts

Fixed – \BCM2835Dev\mixed\RiscOS\Sources\HWSupport\USB\USBDriver\build\c\ohcimodule Line 741 tok buffer is too small. -

I’ll look into providing links

Sep 13, 2017 4:39pm

Jon Abbott (1421) 2239 posts

I’ll get you started:

mixed/RiscOS/Sources/HWSupport/USB/USBDriver/build/c/ohcimodule line 741

Sep 14, 2017 5:51pm

Dominic Plunkett (2556) 29 posts

links added to original posts

Sep 14, 2017 6:06pm

Dominic Plunkett (2556) 29 posts

Removed from build ~~dbox_name possible access beyond array~~
https://www.riscosopen.org/viewer/view/castle/RiscOS/Sources/Lib/RISC_OSLib/rlib/c/ctl?rev=4.2;content-type=text%2Fx-cvsweb-markup#l814

Not a bug ~~Array ‘bustable⁴’ accessed at index 4, which is out of bounds.~~
https://www.riscosopen.org/viewer/view/castle/RiscOS/Sources/HWSupport/SCSI/SCSISwitch/c/scsi?rev=1.10;content-type=text%2Fx-cvsweb-markup#l1271

Sep 14, 2017 9:46pm

Rick Murray (539) 11225 posts

Array ‘bustable4’ accessed at index 4, which is out of bounds.

Are you sure?

I’ve noticed with examining some of my own code that it can return some rather eccentric results.

In this case it looks like the array index is always counted to be less than BUSCOUNT (which is the size of the array), once in a local loop, and once via a function.

In this case, we have the code you linked to, and we have find_free_bus(). I can’t quote here as my phone badly messes up quoting; suffice to say that how ‘b’ gets to be 4 (which I presume is the value of BUSCOUNT) eludes me.

dbox_name possible access beyond array

Yup. That one is a bug. If your array is 20 bytes, you don’t want a function that picks the smaller of the string length or 20, and pokes a terminull there, as array[20] means the elements go 0…19. ;-)

Sep 14, 2017 10:08pm

Dominic Plunkett (2556) 29 posts

Looking at the code again you are right bustable isn’t accessed at index 4

Sep 14, 2017 10:11pm

Rick Murray (539) 11225 posts

Networking\Omni\Protocols\LanManFS\c\SMB line 887 Array SMB_RxWords14 is accessed at index 16

This depends. The array is 14 if not long names and 17 or so otherwise. The offending code looks to be in a code block “if ( SMB_RxWords[0] >= DIALECT_LM12X002 )”; maybe this is only possible in a long names environment? I don’t know, if it was my code, I would use more #ifdef to only include relevant code so there’s no ambiguity.
That said, the code is ugly. What is array element 16? All these magic numbers all over the place…

Sep 14, 2017 10:21pm

Rick Murray (539) 11225 posts

Internat\IntKey\c\keygen line 577 Array uc4 is accessed at index 7

That entire code block. uc is defined as 4 bytes, then several loops access it like…

for (i=0; i<8; i++)

I’m guessing uc ought to be eight bytes.

HWSupport\VCHIQ\c\vchiq_riscos line 101 Memory leak : thread

The memory leaks that I’ve looked at are the result of bombing out early because something went wrong after having allocated memory for the array, but not having freed it before returning zero…

Dec 24, 2017 9:35pm

Dominic Plunkett (2556) 29 posts

I think some more brackets are needed ~~otherwise one of the terms is 15 != 0~~

Fixed https://www.riscosopen.org/viewer/view/mixed/RiscOS/Sources/Video/Render/SprExtend/c/asmcore?rev=4.8;content-type=text%2Fx-cvsweb-markup#l867

same here too :
https://www.riscosopen.org/viewer/view/castle/RiscOS/Sources/Lib/RISC_OSLib/rlib/c/drawcheck?rev=4.3;content-type=text%2Fx-cvsweb-markup#l178
https://www.riscosopen.org/viewer/view/castle/RiscOS/Sources/Lib/RISC_OSLib/rlib/c/drawfobj?rev=4.4;content-type=text%2Fx-cvsweb-markup#l206

Do we need some {} here :
https://www.riscosopen.org/viewer/view/castle/RiscOS/Sources/Video/UserI/Picker/c/cmyk?rev=4.6;content-type=text%2Fx-cvsweb-markup#l447
https://www.riscosopen.org/viewer/view/castle/RiscOS/Sources/Video/UserI/Picker/c/hsv?rev=4.6;content-type=text%2Fx-cvsweb-markup#l1328
https://www.riscosopen.org/viewer/view/castle/RiscOS/Sources/Video/UserI/Picker/c/rgb?rev=4.7;content-type=text%2Fx-cvsweb-markup#l1247

fixed ~~Code here isn’t executed due to the break instruction just before ?~~
https://www.riscosopen.org/viewer/view/mixed/RiscOS/Sources/SystemRes/Internet/Sources/sysctl/c/SysCtl?rev=1.6;content-type=text%2Fx-cvsweb-markup#l210

Fixed ~~Is this sensible ?~~ : https://www.riscosopen.org/viewer/view/castle/RiscOS/Sources/Toolbox/Gadgets/c/TextArea?rev=1.14;content-type=text%2Fx-cvsweb-markup#l1209
Fixed :https://www.riscosopen.org/viewer/view/castle/RiscOS/Sources/Toolbox/Gadgets/c/ScrollList?rev=1.15;content-type=text%2Fx-cvsweb-markup#l557

Dec 25, 2017 3:33pm

Rick Murray (539) 11225 posts

Is this sensible ? :

Hmm… if (flags | TextArea_DesktopColours == flags).

You’d have thought that C would interpret that as if ((flags | TextArea_DesktopColours) == flags) but it turns out that ‘==’ has a higher precedence than ‘|’, so…

Dec 25, 2017 7:57pm

Dominic Plunkett (2556) 29 posts

given TextArea_DesktopColours = 1<<0

this simplifies to just ‘if (flags)’ is this what the programmer wanted ?

Dec 25, 2017 10:05pm

Dominic Plunkett (2556) 29 posts

fixed ~~This condition always evaluates to true :~~
https://www.riscosopen.org/viewer/view/castle/RiscOS/Sources/Internat/IntKey/c/unicdata?rev=1.5;content-type=text%2Fx-cvsweb-markup#l239

~~not sure about this one :~~
braces added to make code clearer https://www.riscosopen.org/viewer/view/cddl/RiscOS/Sources/HWSupport/SD/SDIODriver/c/swi?rev=1.3;content-type=text%2Fx-cvsweb-markup#l731

Always evaluates to false :
https://www.riscosopen.org/viewer/view/castle/RiscOS/Sources/Lib/RISC_OSLib/rlib/c/txtfile?rev=4.8;content-type=text%2Fx-cvsweb-markup#l307
https://www.riscosopen.org/viewer/view/castle/RiscOS/Sources/Lib/RISC_OSLib/rlib/c/win?rev=4.4;content-type=text%2Fx-cvsweb-markup#l292
https://www.riscosopen.org/viewer/view/mixed/RiscOS/Sources/SystemRes/Internet/Sources/host/c/host?rev=1.3;content-type=text%2Fx-cvsweb-markup#l463

~~some more boolean operators would be nice :~~
Fixed : https://www.riscosopen.org/viewer/view/castle/RiscOS/Sources/Toolbox/Toolbox/c/memory?rev=4.4;content-type=text%2Fx-cvsweb-markup#l376
Fixed : https://www.riscosopen.org/viewer/view/castle/RiscOS/Sources/Video/Render/Fonts/Manager/Utils/!CurveFit/c/Curvefit?rev=4.2;content-type=text%2Fx-cvsweb-markup#l85

Possible bugs

Reply

Search forums

Social

ROOL Store

Donate! Why?

RISC OS IPR

Description

Voices

Options

Sep 11, 2017 6:41pm Dominic Plunkett (2556) 29 posts	Some of these are minor, some issues may not actually exist. These have been found with CPPcheck. Fixed ~~Apps\Help2\c\main line 235 leaks expanded_string if malloc of buffer fails.~~ https://www.riscosopen.org/viewer/view/castle/RiscOS/Sources/Apps/Help2/c/main?rev=1.7;content-type=text%2Fx-cvsweb-markup#l235 Fixed ~~FileSys\ImageFS\DosFS\c\DOSFS line 1566 .code[] is defined to have 384 elements for loop accesses up to element 480.~~ https://www.riscosopen.org/viewer/view/castle/RiscOS/Sources/FileSys/ImageFS/DOSFS/c/DOSFS?rev=4.28;content-type=text%2Fx-cvsweb-markup#l1566 Fixed ~~FileSys\ImageFS\DosFS\c\DOSFS line 621 dr.dr_discname might be being access beyond the end as I think sprintf might add and extra null terminator.~~ https://www.riscosopen.org/viewer/view/castle/RiscOS/Sources/FileSys/ImageFS/DOSFS/c/DOSFS?rev=4.28;content-type=text%2Fx-cvsweb-markup#l621 Fixed ~~Internat\IntKey\c\keygen line 577 Array uc⁴ is accessed at index 7~~ https://www.riscosopen.org/viewer/view/castle/RiscOS/Sources/Internat/IntKey/c/keygen?rev=1.12;content-type=text%2Fx-cvsweb-markup#l577 Fixed ~~Networking\Omni\Protocols\LanManFS\c\SMB line 887 Array SMB_RxWords¹⁴ is accessed at index 16~~ https://www.riscosopen.org/viewer/view/castle/RiscOS/Sources/Networking/Omni/Protocols/LanManFS/c/SMB?rev=1.23;content-type=text%2Fx-cvsweb-markup#l887 Fixed ~~HWSupport\USB\USBDriver\build\c\usbhal Line 245 Memory leak: softc~~ https://www.riscosopen.org/viewer/view/mixed/RiscOS/Sources/HWSupport/USB/USBDriver/build/c/ohcimodule?rev=1.29;content-type=text%2Fx-cvsweb-markup#l245 Fixed ~~HWSupport\USB\USBDriver\build\c\usbkboard Line 209 Memory leak: softc~~ https://www.riscosopen.org/viewer/view/mixed/RiscOS/Sources/HWSupport/USB/USBDriver/build/c/usbkboard?rev=1.10;content-type=text%2Fx-cvsweb-markup#l209 Fixed ~~HWSupport\VCHIQ\c\vchiq_riscos line 101 Memory leak : thread~~ https://www.riscosopen.org/viewer/view/mixed/RiscOS/Sources/HWSupport/VCHIQ/c/vchiq_riscos?rev=1.2;content-type=text%2Fx-cvsweb-markup#l101 Fixed ~~Video\Render\SprExtend\c\asmcore Line 1013 Array ‘usedregs¹⁵’ accessed at index 15, which is out of bounds.~~ https://www.riscosopen.org/viewer/view/mixed/RiscOS/Sources/Video/Render/SprExtend/c/asmcore?rev=4.7;content-type=text%2Fx-cvsweb-markup#l1013

Sep 11, 2017 9:12pm Dominic Plunkett (2556) 29 posts	File removed ~~HWSupport\USB\USBDriver\build\c\usbhal line 691 Size of pointer ‘c’ used instead of size of its data. You probably intend to write ‘sizeof(*c)’~~ https://www.riscosopen.org/viewer/view/mixed/RiscOS/Sources/HWSupport/USB/USBDriver/build/c/ohcimodule?rev=1.29;content-type=text%2Fx-cvsweb-markup#l691

Sep 12, 2017 7:38am Jon Abbott (1421) 2239 posts	You should probably provide links to the source lines in question as the code is frequently updated.

Sep 12, 2017 6:38pm Dominic Plunkett (2556) 29 posts	Fixed – \BCM2835Dev\mixed\RiscOS\Sources\HWSupport\USB\USBDriver\build\c\ohcimodule Line 741 tok buffer is too small. - I’ll look into providing links

Sep 13, 2017 4:39pm Jon Abbott (1421) 2239 posts	I’ll get you started: mixed/RiscOS/Sources/HWSupport/USB/USBDriver/build/c/ohcimodule line 741

Sep 14, 2017 5:51pm Dominic Plunkett (2556) 29 posts	links added to original posts

Sep 14, 2017 6:06pm Dominic Plunkett (2556) 29 posts	Removed from build ~~dbox_name possible access beyond array~~ https://www.riscosopen.org/viewer/view/castle/RiscOS/Sources/Lib/RISC_OSLib/rlib/c/ctl?rev=4.2;content-type=text%2Fx-cvsweb-markup#l814 Not a bug ~~Array ‘bustable⁴’ accessed at index 4, which is out of bounds.~~ https://www.riscosopen.org/viewer/view/castle/RiscOS/Sources/HWSupport/SCSI/SCSISwitch/c/scsi?rev=1.10;content-type=text%2Fx-cvsweb-markup#l1271

Sep 14, 2017 9:46pm Rick Murray (539) 11225 posts	Array ‘bustable4’ accessed at index 4, which is out of bounds. Are you sure? I’ve noticed with examining some of my own code that it can return some rather eccentric results. In this case it looks like the array index is always counted to be less than BUSCOUNT (which is the size of the array), once in a local loop, and once via a function. In this case, we have the code you linked to, and we have find_free_bus(). I can’t quote here as my phone badly messes up quoting; suffice to say that how ‘b’ gets to be 4 (which I presume is the value of BUSCOUNT) eludes me. dbox_name possible access beyond array Yup. That one is a bug. If your array is 20 bytes, you don’t want a function that picks the smaller of the string length or 20, and pokes a terminull there, as array[20] means the elements go 0…19. ;-)

Sep 14, 2017 10:08pm Dominic Plunkett (2556) 29 posts	Looking at the code again you are right bustable isn’t accessed at index 4

Sep 14, 2017 10:11pm Rick Murray (539) 11225 posts	Networking\Omni\Protocols\LanManFS\c\SMB line 887 Array SMB_RxWords14 is accessed at index 16 This depends. The array is 14 if not long names and 17 or so otherwise. The offending code looks to be in a code block “`if ( SMB_RxWords[0] >= DIALECT_LM12X002 )`”; maybe this is only possible in a long names environment? I don’t know, if it was my code, I would use more #ifdef to only include relevant code so there’s no ambiguity. That said, the code is ugly. What is array element 16? All these magic numbers all over the place…

Sep 14, 2017 10:21pm Rick Murray (539) 11225 posts	Internat\IntKey\c\keygen line 577 Array uc4 is accessed at index 7 That entire code block. uc is defined as 4 bytes, then several loops access it like… for (i=0; i<8; i++) I’m guessing uc ought to be eight bytes. HWSupport\VCHIQ\c\vchiq_riscos line 101 Memory leak : thread The memory leaks that I’ve looked at are the result of bombing out early because something went wrong after having allocated memory for the array, but not having freed it before returning zero…

Dec 24, 2017 9:35pm Dominic Plunkett (2556) 29 posts	I think some more brackets are needed ~~otherwise one of the terms is 15 != 0~~ Fixed https://www.riscosopen.org/viewer/view/mixed/RiscOS/Sources/Video/Render/SprExtend/c/asmcore?rev=4.8;content-type=text%2Fx-cvsweb-markup#l867 same here too : https://www.riscosopen.org/viewer/view/castle/RiscOS/Sources/Lib/RISC_OSLib/rlib/c/drawcheck?rev=4.3;content-type=text%2Fx-cvsweb-markup#l178 https://www.riscosopen.org/viewer/view/castle/RiscOS/Sources/Lib/RISC_OSLib/rlib/c/drawfobj?rev=4.4;content-type=text%2Fx-cvsweb-markup#l206 Do we need some {} here : https://www.riscosopen.org/viewer/view/castle/RiscOS/Sources/Video/UserI/Picker/c/cmyk?rev=4.6;content-type=text%2Fx-cvsweb-markup#l447 https://www.riscosopen.org/viewer/view/castle/RiscOS/Sources/Video/UserI/Picker/c/hsv?rev=4.6;content-type=text%2Fx-cvsweb-markup#l1328 https://www.riscosopen.org/viewer/view/castle/RiscOS/Sources/Video/UserI/Picker/c/rgb?rev=4.7;content-type=text%2Fx-cvsweb-markup#l1247 fixed ~~Code here isn’t executed due to the break instruction just before ?~~ https://www.riscosopen.org/viewer/view/mixed/RiscOS/Sources/SystemRes/Internet/Sources/sysctl/c/SysCtl?rev=1.6;content-type=text%2Fx-cvsweb-markup#l210 Fixed ~~Is this sensible ?~~ : https://www.riscosopen.org/viewer/view/castle/RiscOS/Sources/Toolbox/Gadgets/c/TextArea?rev=1.14;content-type=text%2Fx-cvsweb-markup#l1209 Fixed :https://www.riscosopen.org/viewer/view/castle/RiscOS/Sources/Toolbox/Gadgets/c/ScrollList?rev=1.15;content-type=text%2Fx-cvsweb-markup#l557

Dec 25, 2017 3:33pm Rick Murray (539) 11225 posts	Is this sensible ? : Hmm… `if (flags \| TextArea_DesktopColours == flags)`. You’d have thought that C would interpret that as `if ((flags \| TextArea_DesktopColours) == flags)` but it turns out that ‘==’ has a higher precedence than ‘\|’, so…

Dec 25, 2017 7:57pm Dominic Plunkett (2556) 29 posts	given TextArea_DesktopColours = 1<<0 this simplifies to just ‘if (flags)’ is this what the programmer wanted ?

Dec 25, 2017 10:05pm Dominic Plunkett (2556) 29 posts	fixed ~~This condition always evaluates to true :~~ https://www.riscosopen.org/viewer/view/castle/RiscOS/Sources/Internat/IntKey/c/unicdata?rev=1.5;content-type=text%2Fx-cvsweb-markup#l239 ~~not sure about this one :~~ braces added to make code clearer https://www.riscosopen.org/viewer/view/cddl/RiscOS/Sources/HWSupport/SD/SDIODriver/c/swi?rev=1.3;content-type=text%2Fx-cvsweb-markup#l731 Always evaluates to false : https://www.riscosopen.org/viewer/view/castle/RiscOS/Sources/Lib/RISC_OSLib/rlib/c/txtfile?rev=4.8;content-type=text%2Fx-cvsweb-markup#l307 https://www.riscosopen.org/viewer/view/castle/RiscOS/Sources/Lib/RISC_OSLib/rlib/c/win?rev=4.4;content-type=text%2Fx-cvsweb-markup#l292 https://www.riscosopen.org/viewer/view/mixed/RiscOS/Sources/SystemRes/Internet/Sources/host/c/host?rev=1.3;content-type=text%2Fx-cvsweb-markup#l463 ~~some more boolean operators would be nice :~~ Fixed : https://www.riscosopen.org/viewer/view/castle/RiscOS/Sources/Toolbox/Toolbox/c/memory?rev=4.4;content-type=text%2Fx-cvsweb-markup#l376 Fixed : https://www.riscosopen.org/viewer/view/castle/RiscOS/Sources/Video/Render/Fonts/Manager/Utils/!CurveFit/c/Curvefit?rev=4.2;content-type=text%2Fx-cvsweb-markup#l85