LockBud False Negative for AtomicityViolation Vulnerability
I encountered a false negative in AtomicityViolation detection when using LockBud. The minimized code example is provided below. Lockbud should report an AtomicityViolation warning because atomic::store in line 15 is dependent on atomic::load in line 8. BTW, I used the cargo lockbud -k all command to run LockBud.
Minimized Code Example
use std::sync::atomic::Ordering;
use std::sync::atomic::{AtomicBool, AtomicI32};
fn gen_rand_val_i32() -> i32 {
    rand::random::<i32>()
}
fn func() {
    let a = AtomicI32::new(gen_rand_val_i32());
    let v = a.load(Ordering::Relaxed); //atomic_reader
    let v3 = v.wrapping_add(1);
    let v4 = match v3 > 10 {
        true => v3.wrapping_add(2),
        false => v3.wrapping_sub(1),
    };
    if v4 > 11 && gen_rand_val_i32() < 12 {
        a.store(10, Ordering::Relaxed); //atomic_writer
    }
    println!("{:?}", a);
}
fn main() {
    func();
}
This is another issue in AtomicityViolation detection. LockBud should report an AtomicityViolation warning because atomic::store (line 15) depends on atomic::load (line 11). However, the root cause appears to be different.
use std::sync::atomic::Ordering;
use std::sync::atomic::{AtomicBool, AtomicI32};
fn gen_rand_val_i32() -> i32 {
    rand::random::<i32>()
}
fn inc_val(v: i32) -> i32 {
    v + 1
}
fn func2() {
    let a = AtomicI32::new(gen_rand_val_i32());
    let v = a.load(Ordering::Relaxed); //atomic_reader
    let v3 = inc_val(v);
    let v4 = if v3 > 10 { v3 + 2 } else { v3 - 1 };
    if v4 > 11 && gen_rand_val_i32() < 12 {
        a.store(10, Ordering::Relaxed); //atomic_writer
    }
    println!("{:?}", a);
}
fn main() {
    func2();
}
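For readers triaging this pattern, here is the load, compute, store dependence from the two reproducers next to a rewrite that closes the window with `compare_exchange`. This is an added example, not code from the issue or from lockbud; `derived`, `reset_racy`, `reset_atomic` and the `interleave` hook (which stands in for a concurrent writer) are hypothetical names, and it uses only `std` with constructed values instead of `rand`.

```rust
use std::sync::atomic::{AtomicI32, Ordering};

// Same data dependence as the reproducers: the value loaded from the
// atomic decides whether the later store runs.
fn derived(v: i32) -> i32 {
    let v3 = v.wrapping_add(1);
    if v3 > 10 { v3.wrapping_add(2) } else { v3.wrapping_sub(1) }
}

// Racy form: load and store are two separate atomic operations, so a
// write that lands between them is overwritten based on a stale decision.
fn reset_racy(a: &AtomicI32, interleave: impl FnOnce(&AtomicI32)) -> bool {
    let v = a.load(Ordering::Relaxed); // atomic_reader
    interleave(a); // hypothetical hook: another thread runs here
    if derived(v) > 11 {
        a.store(10, Ordering::Relaxed); // atomic_writer
        return true;
    }
    false
}

// Atomic form: the write succeeds only if the atomic still holds the value
// the decision was based on; otherwise the decision is re-evaluated.
fn reset_atomic(a: &AtomicI32, interleave: impl FnOnce(&AtomicI32)) -> bool {
    let mut v = a.load(Ordering::Relaxed);
    let mut hook = Some(interleave);
    loop {
        if let Some(f) = hook.take() {
            f(a); // same hypothetical interleaving point, first pass only
        }
        if derived(v) <= 11 {
            return false;
        }
        match a.compare_exchange(v, 10, Ordering::Relaxed, Ordering::Relaxed) {
            Ok(_) => return true,
            Err(current) => v = current, // value changed underneath us: retry
        }
    }
}

fn main() {
    // Constructed scenario: both atomics start at 20, a concurrent writer sets 3.
    let (a, b) = (AtomicI32::new(20), AtomicI32::new(20));
    let r = reset_racy(&a, |x| x.store(3, Ordering::Relaxed));
    let s = reset_atomic(&b, |x| x.store(3, Ordering::Relaxed));
    println!("racy: wrote={} a={:?}; atomic: wrote={} a={:?}", r, a, s, b);
}
```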