Potential Bug in MLK Bug Detection Logic

[Feng-Jay]

Hi! @chengpeng-wang !

While running RepoAudit on MLK bugs, I noticed that it failed to detect a memory leak in a single-function bug, such as this commit.

Specifically, the leak in this line was not reported:
Line#76 at the buggy version:adis->xfer = kcalloc(scan_count + 1, sizeof(*adis->xfer), GFP_KERNEL);

I checked the logs and found that the LLM inference was actually correct. This led me to suspect there might be an issue in the logic of collect potential buggy path

It seems that this line:

if not path_set:

should be:

if not path_set or len(path_set) == 0:

At this line, if the source node meets no sink under the MLK setting, it returns an empty set, which may currently be misinterpreted.

After making this change locally, RepoAudit was able to correctly detect the bug.

Could you help me confirm if this is indeed a bug?
I’ve noticed that the same logic appears in both the artifact branch and the main branch.

Thanks!

[chengpeng-wang]

Hi @Feng-Jay! we also found this buggy logic several days ago. I just merged the PR #21, and I think it can fix the issue.

The fix plan you proposed is also reasonable. However, the empty set will not trigger the validation stage. In our adopted patch, we just regard [src_value] as a path, which can still enable the validation.

@jinyaoguo Could you please also check this issue to see whether your patch can resolve it thoroughly?

[jinyaoguo]

Yes. Originally, the potential_buggy_path is empty for intra-procedural MLK bugs. After applying PR#21, at least we'll have the source in the potential_buggy_path to trigger validation, which reports the bug.

[Feng-Jay]

Great! Thanks for the quick reply and solution! : )