An Alarm Classification Using Shovel

'_prologue_' is an imaginary function that initialize argc, argv

Solid arrow means call edge

Dotted arrow means return edge

Green arrow means branch (pair of call & return)
(For details, see II-A.'Backbone-Branch Decomposition' section of our paper)

Alarm #1

+ Taint Source : rpng-x.c:164 (_prologue_)
+ Sink (Allocation) : zutil.c:310 (zcalloc)

path 1

(User Feedback)

Path should NOT include a call edge from 'updatewindow' to 'zcalloc' in backbone, because tainted data cannot flow along the edge

path 2

(User Feedback)

Path should NOT include a call edge from 'inflateInit2_' to 'zcalloc' in backbone, because tainted data cannot flow along the edge

UNSAT (False Alarm)

Alarm #2

+ Taint Source : rpng-x.c:164 (_prologue_)
+ Sink (Allocation) : zutil.c:310 (zcalloc)

path 1

(User Feedback)

Path should NOT include a call edge from 'updatewindow' to 'zcalloc' in backbone, because tainted data cannot flow along the edge

path 2

(User Feedback)

Path should NOT include a call edge from 'inflateInit2_' to 'zcalloc' in backbone, because tainted data cannot flow along the edge

UNSAT (False Alarm)

Alarm #3

+ Taint Source : rpng-x.c:229 (main)
+ Sink (Allocation) : zutil.c:310 (zcalloc)

path 1

(User Feedback)

Path should NOT include a call edge from 'updatewindow' to 'zcalloc' in backbone, because tainted data cannot flow along the edge

path 2

(User Feedback)

Path should NOT include a call edge from 'inflateInit2_' to 'zcalloc' in backbone, because tainted data cannot flow along the edge

UNSAT (False Alarm)

Alarm #4

+ Taint Source : rpng-x.c:229 (main)
+ Sink (Allocation) : zutil.c:310 (zcalloc)

path 1

(User Feedback)

Path should NOT include a call edge from 'updatewindow' to 'zcalloc' in backbone, because tainted data cannot flow along the edge

path 2

(User Feedback)

Path should NOT include a call edge from 'inflateInit2_' to 'zcalloc' in backbone, because tainted data cannot flow along the edge

UNSAT (False Alarm)

Alarm #5

+ Taint Source : pngrio.c:60 (png_default_read_data)
+ Sink (Allocation) : readpng.c:267 (readpng_get_image)

path 1

(User Feedback)

Path should visit 'png_set_IHDR', to define a necessary variable used in the sink

path 2

(User Feedback)

Path should include a return edge from 'png_crc_read' to 'png_handle_IHDR' either in backbone or branch, for the correct taint propagation toward the sink

path 3

(User Feedback)

'readpng_get_image' cannot return from 'png_read_end' and then call alloc(), since 'readpng_get_image' always calls alloc() before calling 'png_read_end'

Found Bug (True Alarm)

Alarm #6

+ Taint Source : pngrio.c:60 (png_default_read_data)
+ Sink (Allocation) : readpng.c:271 (readpng_get_image)

path 1

(User Feedback)

Path should visit 'png_set_IHDR', to define a necessary variable used in the sink

path 2

(User Feedback)

Path should include a return edge from 'png_crc_read' to 'png_handle_IHDR' either in backbone or branch, for the correct taint propagation toward the sink

path 3

(User Feedback)

'readpng_get_image' cannot return from 'png_read_end' and then call alloc(), since 'readpng_get_image' always calls alloc() before calling 'png_read_end'

path 4

(User Feedback)

Path should NOT include a return-call sequence of 'readpng_init'--(R)-->'main'--(C)-->'readpng_get_image' in backbone, because there is a sanitization logic along the nodes

path 5

(User Feedback)

'main' cannot return from 'readpng_get_image' and then call 'readpng_get_image', since 'main' calls 'readpng_get_image' only once

UNSAT (False Alarm)

Alarm #7

+ Taint Source : pngrio.c:60 (png_default_read_data)
+ Sink (Allocation) : rpng-x.c:651 (rpng_x_create_window)

path 1

(User Feedback)

Path should visit 'png_set_IHDR', to define a necessary variable used in the sink

Found Bug (True Alarm)

Alarm #8

+ Taint Source : pngrio.c:60 (png_default_read_data)
+ Sink (Allocation) : rpng-x.c:651 (rpng_x_create_window)

path 1

(User Feedback)

Path should visit 'png_set_IHDR', to define a necessary variable used in the sink

Found Bug (True Alarm)

Alarm #9

+ Taint Source : pngrio.c:60 (png_default_read_data)
+ Sink (Allocation) : rpng-x.c:654 (rpng_x_create_window)

path 1

(User Feedback)

Path should visit 'png_set_IHDR', to define a necessary variable used in the sink

Found Bug (True Alarm)

Alarm #10

+ Taint Source : pngrio.c:60 (png_default_read_data)
+ Sink (Allocation) : rpng-x.c:657 (rpng_x_create_window)

path 1

(User Feedback)

Path should visit 'png_set_IHDR', to define a necessary variable used in the sink

Found Bug (True Alarm)

Alarm #11

+ Taint Source : pngrio.c:60 (png_default_read_data)
+ Sink (Allocation) : zutil.c:310 (zcalloc)

path 1

(User Feedback)

Path should NOT include a call edge from 'updatewindow' to 'zcalloc' in backbone, because tainted data cannot flow along the edge

path 2

(User Feedback)

Path should NOT include a call edge from 'inflateInit2_' to 'zcalloc' in backbone, because tainted data cannot flow along the edge

UNSAT (False Alarm)

Alarm #12

+ Taint Source : pngrio.c:60 (png_default_read_data)
+ Sink (Allocation) : zutil.c:310 (zcalloc)

path 1

(User Feedback)

Path should NOT include a call edge from 'updatewindow' to 'zcalloc' in backbone, because tainted data cannot flow along the edge

path 2

(User Feedback)

Path should NOT include a call edge from 'inflateInit2_' to 'zcalloc' in backbone, because tainted data cannot flow along the edge

UNSAT (False Alarm)