Description
C programs have two main options for mutual exclusion of a shared resource in a concurrent setting: the mutex lock and the semaphore. A mutex lock exists in one of two states, locked or unlocked. A semaphore, more specifically a counting semaphore, can instead keep track of an arbitrary number of resources that are available at any given time, allowing access until all of the resources are in use. With a counting semaphore, multiple unlocks cause the semaphore to enter a bad state in which it indicates that more resources are available than there actually are. The semaphore then allows more threads to access the given resource than are permitted, leading to a bad state.

This weakness variant uses a counting semaphore initialized to one unit of the shared resource. For inputs that contain a capital letter, a function is called that requests a resource, acts upon this resource, and releases the resource twice. This causes the semaphore to erroneously increment its number of units to two. Two threads are then spawned, both of which request the resource. The semaphore erroneously allows both to access the resource, and one thread gets a null pointer dereference.

In the benign case, the semaphore allows only one thread to access the resource at a time, and the test case executes safely.
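The effect of the second release on the semaphore count, as an added example that is not the test case's source code: it uses POSIX semaphores, compares a single release, a raw double `sem_post`, and a double release through a guard, and counts how many holders the semaphore would then admit at once. The names `unit_guard`, `guard_acquire`, `guard_release` and `admitted_after_cycle` are hypothetical.

```c
#include <semaphore.h>
#include <stdio.h>

/* Hypothetical guard (not from the test case): records whether a unit is held. */
struct unit_guard { sem_t *sem; int held; };

static int guard_acquire(struct unit_guard *g, sem_t *sem)
{
    if (sem_wait(sem) != 0) return -1;
    g->sem = sem;
    g->held = 1;
    return 0;
}

/* Releases at most once; a repeated call is refused and the count is unchanged. */
static int guard_release(struct unit_guard *g)
{
    if (!g->held) return -1;
    g->held = 0;
    return sem_post(g->sem);
}

/* Runs one acquire/release cycle on a semaphore initialized to 1 and returns
 * how many holders it would then admit at the same time.
 * mode 0: single release, 1: raw double sem_post, 2: double release via guard. */
int admitted_after_cycle(int mode)
{
    sem_t sem;
    struct unit_guard g = {0};
    int admitted = 0;

    if (sem_init(&sem, 0, 1) != 0) return -1;
    if (mode == 2) {
        if (guard_acquire(&g, &sem) != 0) return -1;
        guard_release(&g);
        guard_release(&g);          /* second release is refused */
    } else {
        if (sem_wait(&sem) != 0) return -1;
        sem_post(&sem);
        if (mode == 1) sem_post(&sem);  /* second release: count becomes 2 */
    }
    /* Take units without releasing: each success is one concurrent holder. */
    while (sem_trywait(&sem) == 0) admitted++;
    sem_destroy(&sem);
    return admitted;
}

int main(void)
{
    printf("single=%d double=%d guarded=%d\n", admitted_after_cycle(0),
           admitted_after_cycle(1), admitted_after_cycle(2));
    return 0;
}
```

On older glibc versions, link with `-pthread`.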
Metadata
- Base program: Subversion
- Source Taint: FILE_CONTENTS
- Data Type: ARRAY
- Data Flow: VAR_ARG_LIST
- Control Flow: CALLBACK