MATF-Software-Verification
diff --git a/‎ProjectAnalysisReport.md
Lines changed: 368 additions & 4 deletions b/‎ProjectAnalysisReport.md
Lines changed: 368 additions & 4 deletions
diff --git a/‎patches/memleak_demo_initial.patch
Lines changed: 34 additions & 0 deletions b/‎patches/memleak_demo_initial.patch
Lines changed: 34 additions & 0 deletions
diff --git a/‎patches/memleak_demo_no_optimize.patch
Lines changed: 45 additions & 0 deletions b/‎patches/memleak_demo_no_optimize.patch
Lines changed: 45 additions & 0 deletions
diff --git a/‎patches/userchan_fix_uninit_access.patch
Lines changed: 55 additions & 0 deletions b/‎patches/userchan_fix_uninit_access.patch
Lines changed: 55 additions & 0 deletions
diff --git a/‎valgrind/README.md renamed to ‎valgrind/memcheck/README.md
Lines changed: 6 additions & 2 deletions b/‎valgrind/README.md renamed to ‎valgrind/memcheck/README.md
Lines changed: 6 additions & 2 deletions
diff --git a/‎valgrind/memcheck/memcheck_beacon/run_beacon_valgrind.sh
Lines changed: 69 additions & 0 deletions b/‎valgrind/memcheck/memcheck_beacon/run_beacon_valgrind.sh
Lines changed: 69 additions & 0 deletions
diff --git a/‎valgrind/memcheck/memcheck_beacon/valgrind_20250209_115049_initial.log
Lines changed: 146 additions & 0 deletions b/‎valgrind/memcheck/memcheck_beacon/valgrind_20250209_115049_initial.log
Lines changed: 146 additions & 0 deletions
@@ -0,0 +1,34 @@
+diff --git a/samples/bluetooth/beacon/src/main.c b/samples/bluetooth/beacon/src/main.c
+index 484b6e94c8f..1cedb95bdd2 100644
+--- a/samples/bluetooth/beacon/src/main.c
++++ b/samples/bluetooth/beacon/src/main.c
+@@ -40,6 +40,18 @@ static const struct bt_data sd[] = {
+ 	BT_DATA(BT_DATA_NAME_COMPLETE, DEVICE_NAME, DEVICE_NAME_LEN),
+ };
+ 
++void mem_leak(){
++	printk("mem_leak()\n");
++	void *ptr = malloc(100);
++}
++
++void use_uninitialized_mem(){
++	printk("use_uninitialized_mem()\n");
++	int *ptr = malloc(sizeof(int));
++	int value = *ptr;
++	free(ptr);
++}
++
+ static void bt_ready(int err)
+ {
+ 	char addr_s[BT_ADDR_LE_STR_LEN];
+@@ -80,6 +92,10 @@ int main(void)
+ 
+ 	printk("Starting Beacon Demo\n");
+ 
++	printk("Calling memleak functions\n");
++	mem_leak();
++	use_uninitialized_mem();
++
+ 	/* Initialize the Bluetooth Subsystem */
+ 	err = bt_enable(bt_ready);
+ 	if (err) {
@@ -0,0 +1,45 @@
+diff --git a/samples/bluetooth/beacon/prj.conf b/samples/bluetooth/beacon/prj.conf
+index 045c5c5f61d..dad48c73103 100644
+--- a/samples/bluetooth/beacon/prj.conf
++++ b/samples/bluetooth/beacon/prj.conf
+@@ -1,3 +1,5 @@
+ CONFIG_BT=y
+ CONFIG_LOG=y
+ CONFIG_BT_DEVICE_NAME="Test beacon"
++CONFIG_DEBUG=y
++CONFIG_NO_OPTIMIZATIONS=y
+\ No newline at end of file
+diff --git a/samples/bluetooth/beacon/src/main.c b/samples/bluetooth/beacon/src/main.c
+index 484b6e94c8f..1cedb95bdd2 100644
+--- a/samples/bluetooth/beacon/src/main.c
++++ b/samples/bluetooth/beacon/src/main.c
+@@ -40,6 +40,18 @@ static const struct bt_data sd[] = {
+ 	BT_DATA(BT_DATA_NAME_COMPLETE, DEVICE_NAME, DEVICE_NAME_LEN),
+ };
+ 
++void mem_leak(){
++	printk("mem_leak()\n");
++	void *ptr = malloc(100);
++}
++
++void use_uninitialized_mem(){
++	printk("use_uninitialized_mem()\n");
++	int *ptr = malloc(sizeof(int));
++	int value = *ptr;
++	free(ptr);
++}
++
+ static void bt_ready(int err)
+ {
+ 	char addr_s[BT_ADDR_LE_STR_LEN];
+@@ -80,6 +92,10 @@ int main(void)
+ 
+ 	printk("Starting Beacon Demo\n");
+ 
++	printk("Calling memleak functions\n");
++	mem_leak();
++	use_uninitialized_mem();
++
+ 	/* Initialize the Bluetooth Subsystem */
+ 	err = bt_enable(bt_ready);
+ 	if (err) {
@@ -0,0 +1,55 @@
+diff --git a/drivers/bluetooth/hci/userchan.c b/drivers/bluetooth/hci/userchan.c
+index 50c3165809d..4ad0e8a3c16 100644
+--- a/drivers/bluetooth/hci/userchan.c
++++ b/drivers/bluetooth/hci/userchan.c
+@@ -58,7 +58,7 @@ static K_KERNEL_STACK_DEFINE(rx_thread_stack,
+ 			     CONFIG_ARCH_POSIX_RECOMMENDED_STACK_SIZE);
+ static struct k_thread rx_thread_data;
+ 
+-static unsigned short bt_dev_index;
++static unsigned short bt_dev_index = 0;
+ 
+ #define TCP_ADDR_BUFF_SIZE 16
+ static bool hci_socket;
+@@ -328,7 +328,9 @@ static int user_chan_open(void)
+ 	int fd;
+ 
+ 	if (hci_socket) {
+-		struct sockaddr_hci addr;
++		// struct sockaddr_hci addr = {0};
++		struct sockaddr addr;
++		struct sockaddr_hci *hci_addr = (struct sockaddr_hci *)&addr;
+ 
+ 		fd = socket(PF_BLUETOOTH, SOCK_RAW | SOCK_CLOEXEC | SOCK_NONBLOCK,
+ 			    BTPROTO_HCI);
+@@ -337,9 +339,19 @@ static int user_chan_open(void)
+ 		}
+ 
+ 		(void)memset(&addr, 0, sizeof(addr));
+-		addr.hci_family = AF_BLUETOOTH;
+-		addr.hci_dev = bt_dev_index;
+-		addr.hci_channel = HCI_CHANNEL_USER;
++		// addr.hci_family = AF_BLUETOOTH;
++		// addr.hci_dev = bt_dev_index;
++		// addr.hci_channel = HCI_CHANNEL_USER;
++		hci_addr->hci_family = AF_BLUETOOTH;
++		hci_addr->hci_dev = bt_dev_index;
++		hci_addr->hci_channel = HCI_CHANNEL_USER;
++
++		LOG_ERR("sizeof(sockaddr_hci) = %zu\n", sizeof(struct sockaddr_hci));
++		LOG_ERR("sizeof(sockaddr_rc) = %zu\n", sizeof(struct sockaddr));
++
++
++		LOG_ERR("before BIND -------------- %d", bt_dev_index);
++		LOG_ERR("before BIND -------------- %d", HCI_CHANNEL_USER);
+ 
+ 		if (bind(fd, (struct sockaddr *)&addr, sizeof(addr)) < 0) {
+ 			int err = -errno;
+@@ -380,6 +392,7 @@ static int uc_open(const struct device *dev, bt_hci_recv_t recv)
+ 	struct uc_data *uc = dev->data;
+ 
+ 	if (hci_socket) {
++		LOG_ERR("TESTSSSSSSSSSSSS________________________%d", bt_dev_index);
+ 		LOG_DBG("hci%d", bt_dev_index);
+ 	} else {
+ 		LOG_DBG("hci %s:%d", ip_addr, port);
@@ -50,12 +50,16 @@ export BSIM_COMPONENTS_PATH=${BSIM_OUT_PATH}/components/
 
 #### Running the sample utilizing BabbleSim
 
-The process for running the sample with BabbleSim is similar to running it as a native app. In order to do so, you can transfer (and rename) the built `zephyr.exe` to the location where you installed BabbleSim (using the instructions above). Now you need to run a simulated physical link (for example `bs_2G4_phy_v1`), supply the custom test name, the number of devices PHY link should expect and chain executables, connecting them to the same name of test, while also providing the unique device numbers. It's easier to explain with an example:
+The process for running the sample with BabbleSim is similar to running it as a native app. The main difference is that the app should be build with the bsim board. Supported boards are listed [here](https://docs.zephyrproject.org/latest/boards/native/doc/bsim_boards_design.html). In order to build the sample targeting the bsim board, following command can be used:
+
+`west build -p always -b nrf52_bsim`
+
+After you build the app, you can transfer (and rename) the built `zephyr.exe` to the location where you installed BabbleSim (using the instructions above). Now you need to run a simulated physical link (for example `bs_2G4_phy_v1`), supply the custom test name, the number of devices PHY link should expect and chain executables, connecting them to the same name of test, while also providing the unique device numbers. It's easier to explain with an example:
 
 ```
 cd <path_to_bablesim>/bin
 
-/bs_2G4_phy_v1 -s=sample_test -D=1 & ./zephyr.exe -s=sample_test -d=0
+/bs_2G4_phy_v1 -s=sample_test -D=1 & ./<zephyr_executable> -s=sample_test -d=0
 ```
 
 Where `-s=sample_test` uniquely names the test, `-D=1` indicates that there will be a single device connected to the PHY, and `-d=0` uniquely identifies a device that'll connect to the physical layer.
 
@@ -0,0 +1,69 @@
+#!/bin/bash
+
+usage() {
+	echo "Usage $0 [-h] [d HCI_DEVICE] [-t TIMEOUT]"
+	echo " -d HCI_DEVICE Specify the BLE capable hci device. Default: hci0"
+	echo " -t TIMEOUT Specify the timeout in seconds. Default: 0 (no timeout)"
+    echo " -c y|n Specify if cleanup is needed. Default: n (no cleanup)"
+    echo " -s y|n Specify whether the suppression file for valgrind is to be used"
+	echo " -h Show help message"
+	exit 1
+}
+
+PROJECT_BASE=$HOME/2023_Analysis_zephyr/
+
+source $PROJECT_BASE/zephyr/zephyr-env.sh
+
+HCI_DEVICE=hci0
+CLEAN="n"
+TIMEOUT=0
+delay=5
+SUPPRESSION="n"
+SUPPRESSION_FILE=$PROJECT_BASE/zephyr/scripts/valgrind.supp
+SUPPRESSION_FLAG=""
+
+while getopts "d:t:c:s:h" opt; do
+	case $opt in
+		d) HCI_DEVICE="$OPTARG" ;;
+		t) TIMEOUT="$OPTARG" ;;
+        c) CLEAN="$OPTARG" ;;
+        s) SUPPRESSION="$OPTARG" ;;
+		h) usage ;;
+		*) echo "Invalid option: -$OPTARG" >&2; usage ;;
+	esac
+done
+
+# build the application
+west build -p auto -b native_posix $ZEPHYR_BASE/samples/bluetooth/beacon
+
+# Bring down hci to avoid EBUSY errors
+bring_down_hci() {
+	echo "Bringing down HCI interface: $HCI_DEVICE"
+	sudo hciconfig $HCI_DEVICE down
+	if [ $? -ne 0 ]; then
+		echo "Failed to bring down HCI interface. Exiting."
+		exit 1
+	fi
+}
+
+valgrind_output_dir=.
+
+bring_down_hci
+
+if [ "$SUPPRESSION" == "y" ]; then
+    SUPPRESSION_FLAG="--suppressions=$SUPPRESSION_FILE"
+    echo "Using supression - $SUPPRESSION_FLAG"
+fi
+
+sudo valgrind $SUPPRESSION_FLAG --tool=memcheck --leak-check=full --log-file="$valgrind_output_dir/valgrind_$(date +%Y%m%d_%H%M%S).log" --show-leak-kinds=all --track-origins=yes ./build/zephyr/zephyr.exe --bt-dev="$HCI_DEVICE" > "$valgrind_output_dir/valgrind_stdout_$(date +%Y%m%d_%H%M%S).log" 2>&1 &
+VALGRIND_PID=$!
+sleep $TIMEOUT
+
+sudo kill $VALGRIND_PID
+
+if [ "$CLEAN" == "y" ]; then
+    echo "Cleaning up ..."
+    rm -rf ./build
+fi
+
+reset
@@ -0,0 +1,146 @@
+==87752== Memcheck, a memory error detector
+==87752== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
+==87752== Using Valgrind-3.18.1 and LibVEX; rerun with -h for copyright info
+==87752== Command: ./build/zephyr/zephyr.exe --bt-dev=hci0
+==87752== Parent PID: 87751
+==87752== 
+==87752== Thread 3:
+==87752== Syscall param socketcall.bind(my_addr.rc_bdaddr) points to uninitialised byte(s)
+==87752==    at 0x42924B2: bind (bind.c:32)
+==87752==    by 0x80508D6: user_chan_open (userchan.c:344)
+==87752==    by 0x80508D6: uc_open (userchan.c:388)
+==87752==    by 0x804F5AE: bt_hci_open (bluetooth.h:127)
+==87752==    by 0x804F5AE: bt_enable (hci_core.c:4360)
+==87752==    by 0x8049B34: _posix_zephyr_main (main.c:105)
+==87752==    by 0x80514F7: bg_thread_main (init.c:564)
+==87752==    by 0x804A615: z_thread_entry (thread_entry.c:48)
+==87752==    by 0x804BB21: posix_arch_thread_entry (thread.c:96)
+==87752==    by 0x804BE4D: nct_thread_starter (nct.c:366)
+==87752==    by 0x41F4C00: start_thread (pthread_create.c:442)
+==87752==    by 0x428F309: clone (clone.S:107)
+==87752==  Address 0x57a620c is on thread 3's stack
+==87752==  in frame #1, created by uc_open (userchan.c:379)
+==87752==  Uninitialised value was created by a stack allocation
+==87752==    at 0x8050879: uc_open (userchan.c:379)
+==87752== 
+==87752== Syscall param socketcall.bind(my_addr.rc_channel) points to uninitialised byte(s)
+==87752==    at 0x42924B2: bind (bind.c:32)
+==87752==    by 0x80508D6: user_chan_open (userchan.c:344)
+==87752==    by 0x80508D6: uc_open (userchan.c:388)
+==87752==    by 0x804F5AE: bt_hci_open (bluetooth.h:127)
+==87752==    by 0x804F5AE: bt_enable (hci_core.c:4360)
+==87752==    by 0x8049B34: _posix_zephyr_main (main.c:105)
+==87752==    by 0x80514F7: bg_thread_main (init.c:564)
+==87752==    by 0x804A615: z_thread_entry (thread_entry.c:48)
+==87752==    by 0x804BB21: posix_arch_thread_entry (thread.c:96)
+==87752==    by 0x804BE4D: nct_thread_starter (nct.c:366)
+==87752==    by 0x41F4C00: start_thread (pthread_create.c:442)
+==87752==    by 0x428F309: clone (clone.S:107)
+==87752==  Address 0x57a620e is on thread 3's stack
+==87752==  in frame #1, created by uc_open (userchan.c:379)
+==87752==  Uninitialised value was created by a stack allocation
+==87752==    at 0x8050879: uc_open (userchan.c:379)
+==87752== 
+==87752== 
+==87752== HEAP SUMMARY:
+==87752==     in use at exit: 2,768 bytes in 7 blocks
+==87752==   total heap usage: 18 allocs, 11 frees, 14,278 bytes allocated
+==87752== 
+==87752== Thread 1:
+==87752== 80 bytes in 1 blocks are still reachable in loss record 1 of 7
+==87752==    at 0x4048354: calloc (in /usr/libexec/valgrind/vgpreload_memcheck-x86-linux.so)
+==87752==    by 0x804C208: nce_init (nce.c:60)
+==87752==    by 0x804C8B1: posix_boot_cpu (soc.c:124)
+==87752==    by 0x804D762: posix_init (main.c:80)
+==87752==    by 0x804D78F: main (main.c:112)
+==87752== 
+==87752== 96 bytes in 1 blocks are still reachable in loss record 2 of 7
+==87752==    at 0x4048354: calloc (in /usr/libexec/valgrind/vgpreload_memcheck-x86-linux.so)
+==87752==    by 0x804C018: nct_init (nct.c:512)
+==87752==    by 0x804BBB5: posix_arch_init (posix_core_nsi.c:23)
+==87752==    by 0x804C8BB: posix_boot_cpu (soc.c:125)
+==87752==    by 0x804D762: posix_init (main.c:80)
+==87752==    by 0x804D78F: main (main.c:112)
+==87752== 
+==87752== 136 bytes in 1 blocks are possibly lost in loss record 3 of 7
+==87752==    at 0x4048354: calloc (in /usr/libexec/valgrind/vgpreload_memcheck-x86-linux.so)
+==87752==    by 0x4011D66: calloc (rtld-malloc.h:44)
+==87752==    by 0x4011D66: allocate_dtv (dl-tls.c:375)
+==87752==    by 0x4012823: _dl_allocate_tls (dl-tls.c:634)
+==87752==    by 0x41F57F9: allocate_stack (allocatestack.c:430)
+==87752==    by 0x41F57F9: pthread_create@@GLIBC_2.34 (pthread_create.c:647)
+==87752==    by 0x804C322: nce_boot_cpu (nce.c:209)
+==87752==    by 0x804C8CD: posix_boot_cpu (soc.c:126)
+==87752==    by 0x804D762: posix_init (main.c:80)
+==87752==    by 0x804D78F: main (main.c:112)
+==87752== 
+==87752== 136 bytes in 1 blocks are possibly lost in loss record 4 of 7
+==87752==    at 0x4048354: calloc (in /usr/libexec/valgrind/vgpreload_memcheck-x86-linux.so)
+==87752==    by 0x4011D66: calloc (rtld-malloc.h:44)
+==87752==    by 0x4011D66: allocate_dtv (dl-tls.c:375)
+==87752==    by 0x4012823: _dl_allocate_tls (dl-tls.c:634)
+==87752==    by 0x41F57F9: allocate_stack (allocatestack.c:430)
+==87752==    by 0x41F57F9: pthread_create@@GLIBC_2.34 (pthread_create.c:647)
+==87752==    by 0x804BFEF: nct_new_thread (nct.c:476)
+==87752==    by 0x804BC19: posix_new_thread (posix_core_nsi.c:48)
+==87752==    by 0x804BAF9: arch_new_thread (thread.c:55)
+==87752==    by 0x80521BC: z_setup_new_thread (thread.c:564)
+==87752==    by 0x805154A: init_idle_thread (init.c:597)
+==87752==    by 0x805154A: z_init_cpu (init.c:610)
+==87752==    by 0x805160D: prepare_multithreading (init.c:681)
+==87752==    by 0x805160D: z_cstart (init.c:795)
+==87752==    by 0x804C17B: sw_wrapper (nce.c:184)
+==87752==    by 0x41F4C00: start_thread (pthread_create.c:442)
+==87752== 
+==87752== 136 bytes in 1 blocks are possibly lost in loss record 5 of 7
+==87752==    at 0x4048354: calloc (in /usr/libexec/valgrind/vgpreload_memcheck-x86-linux.so)
+==87752==    by 0x4011D66: calloc (rtld-malloc.h:44)
+==87752==    by 0x4011D66: allocate_dtv (dl-tls.c:375)
+==87752==    by 0x4012823: _dl_allocate_tls (dl-tls.c:634)
+==87752==    by 0x41F57F9: allocate_stack (allocatestack.c:430)
+==87752==    by 0x41F57F9: pthread_create@@GLIBC_2.34 (pthread_create.c:647)
+==87752==    by 0x804BFEF: nct_new_thread (nct.c:476)
+==87752==    by 0x804BC19: posix_new_thread (posix_core_nsi.c:48)
+==87752==    by 0x804BAF9: arch_new_thread (thread.c:55)
+==87752==    by 0x80521BC: z_setup_new_thread (thread.c:564)
+==87752==    by 0x8052210: z_impl_k_thread_create (thread.c:659)
+==87752==    by 0x805202C: k_thread_create (kernel.h:85)
+==87752==    by 0x805202C: k_work_queue_start (work.c:752)
+==87752==    by 0x8051B71: k_sys_work_q_init (system_work_q.c:30)
+==87752==    by 0x805142B: z_sys_init_run_level (init.c:371)
+==87752== 
+==87752== 136 bytes in 1 blocks are possibly lost in loss record 6 of 7
+==87752==    at 0x4048354: calloc (in /usr/libexec/valgrind/vgpreload_memcheck-x86-linux.so)
+==87752==    by 0x4011D66: calloc (rtld-malloc.h:44)
+==87752==    by 0x4011D66: allocate_dtv (dl-tls.c:375)
+==87752==    by 0x4012823: _dl_allocate_tls (dl-tls.c:634)
+==87752==    by 0x41F57F9: allocate_stack (allocatestack.c:430)
+==87752==    by 0x41F57F9: pthread_create@@GLIBC_2.34 (pthread_create.c:647)
+==87752==    by 0x804BFEF: nct_new_thread (nct.c:476)
+==87752==    by 0x804BC19: posix_new_thread (posix_core_nsi.c:48)
+==87752==    by 0x804BAF9: arch_new_thread (thread.c:55)
+==87752==    by 0x80521BC: z_setup_new_thread (thread.c:564)
+==87752==    by 0x8052210: z_impl_k_thread_create (thread.c:659)
+==87752==    by 0x8050986: k_thread_create (kernel.h:85)
+==87752==    by 0x8050986: uc_open (userchan.c:397)
+==87752==    by 0x804F5AE: bt_hci_open (bluetooth.h:127)
+==87752==    by 0x804F5AE: bt_enable (hci_core.c:4360)
+==87752==    by 0x8049B34: _posix_zephyr_main (main.c:105)
+==87752== 
+==87752== 2,048 bytes in 1 blocks are still reachable in loss record 7 of 7
+==87752==    at 0x4048354: calloc (in /usr/libexec/valgrind/vgpreload_memcheck-x86-linux.so)
+==87752==    by 0x804C084: nct_init (nct.c:524)
+==87752==    by 0x804BBB5: posix_arch_init (posix_core_nsi.c:23)
+==87752==    by 0x804C8BB: posix_boot_cpu (soc.c:125)
+==87752==    by 0x804D762: posix_init (main.c:80)
+==87752==    by 0x804D78F: main (main.c:112)
+==87752== 
+==87752== LEAK SUMMARY:
+==87752==    definitely lost: 0 bytes in 0 blocks
+==87752==    indirectly lost: 0 bytes in 0 blocks
+==87752==      possibly lost: 544 bytes in 4 blocks
+==87752==    still reachable: 2,224 bytes in 3 blocks
+==87752==         suppressed: 0 bytes in 0 blocks
+==87752== 
+==87752== For lists of detected and suppressed errors, rerun with: -s
+==87752== ERROR SUMMARY: 6 errors from 6 contexts (suppressed: 0 from 0)