[Bug-gsl] Statically analyze GSL-2.1 with our tool Canalyze
From: address@hidden
Subject: [Bug-gsl] Statically analyze GSL-2.1 with our tool Canalyze
Date: Fri, 19 Aug 2016 16:43:24 +0800
Dear GSL Developers,
We have analyzed GSL-2.1 (also GSL-1.16) with our symbolic execution (static)
tool Canalyze [1] and detected 14 bugs, including the following two kinds:
1) Use of undefined values (3): variables are not initialized and are used
later.
2) Memory leak (11): an allocated pointer is not freed.
We should point out that all the bugs were checked by ourselves, but they may be
false positives, i.e., the bugs will not happen in actuality.
Our reports are very readable and are attached to this email. Each report
depicts one bug detected. We have written a document, within the attachment,
on how to read the reports, which will cost you less than one minute to read.
For each of the bug reports, the developers of other applications analyzed by
our tool gave the feedback of “I gave each bug no more than 2 minutes to check
whether the bug is a real bug or a false positive”.
1. An example of a bug detected
One bug detected is shown as an example below:
In the example above, we analyzed the function “gen_schur_standardize1()” of
the file “gen.c” (which is depicted in the complete report) and detected a bug
at line 1570 of this function: the variable “top” is used but is not
initialized. The “top” should be initialized in the true branch of the “if”
statement at line 1565. However, there is another path that passes through the
false branch, where “w->needtop” is false, and reaches the statement at line
1570. Thus, the bug is triggered.
References
[1] Canalyze, home page, http://lcs.ios.ac.cn/~xuzb/canalyze/index.html
Xingming Wu
Institute of Software, Chinese Academy of Sciences
Beijing, China
Email: address@hidden
Attachment: gsl-2.1-bug-reports.zip (binary data)
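As an added illustration (not GSL's gen.c and not the report's own example, which is not reproduced in this archive), the following constructed C snippet shows the shape of the use-of-undefined-value pattern described in the message, next to a hardened form that defines the variable on every path and guards its use; the workspace type, its fields and compute_top() are hypothetical stand-ins:

```c
#include <stdbool.h>
#include <stddef.h>

/* Constructed example, not GSL code: the workspace type, its fields and
   compute_top() are hypothetical stand-ins for the real gen.c code. */
typedef struct {
    bool   needtop;     /* stands in for the w->needtop flag in the report */
    size_t row_offset;  /* hypothetical input that 'top' is derived from  */
} workspace_t;

static size_t compute_top(const workspace_t *w)
{
    return w->row_offset + 1;   /* hypothetical work of the true branch */
}

/* Shape of the reported defect: 'top' is assigned only on the w->needtop
   branch but read on every path. When needtop is false the read at the
   return statement is undefined behaviour (stack garbage). Compilers may
   warn with -Wall (-Wmaybe-uninitialized at -O1 and above); MemorySanitizer
   (-fsanitize=memory) reports the read at run time. */
size_t standardize_unchecked(const workspace_t *w)
{
    size_t top;
    if (w->needtop)
        top = compute_top(w);
    return top * 2;             /* use of possibly uninitialized 'top' */
}

/* Hardened form: 'top' is definitely initialized, and its use is tied to
   the same condition that produces the value, so the caller is told when
   no result exists instead of receiving garbage. */
bool standardize_checked(const workspace_t *w, size_t *out)
{
    size_t top = 0;             /* definite initialization on every path */
    if (!w->needtop)
        return false;           /* no 'top' was produced: report that */
    top = compute_top(w);
    *out = top * 2;
    return true;
}

/* Wrapper so both cases can be exercised by return value: 0 when the
   checked version declines to produce a result. */
size_t demo_checked(bool needtop, size_t row_offset)
{
    workspace_t w = { needtop, row_offset };
    size_t out = 0;
    return standardize_checked(&w, &out) ? out : 0;
}
```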