Developers often use the C preprocessor to handle variability and portability. However, many researchers and practitioners criticize the use of preprocessor directives because of their negative effect on code understanding, maintainability, and error proneness. This negative effect may lead to configuration-related code weaknesses, which appear only when we enable or disable certain configuration options. A weakness is a type of mistake in software that, in proper conditions, could contribute to the introduction of vulnerabilities within that software. Configuration-related code weaknesses may be harder to detect and fix than weaknesses that appear in all configurations, because variability increases complexity. To address this problem, we propose a sampling-based white-box technique to detect configuration-related weaknesses in configurable systems. To evaluate our technique, we performed an empirical study with 24 popular highly configurable systems that make heavy use of the C preprocessor, such as Apache Httpd and Libssh. Using our technique, we detected 57 configuration-related weaknesses in 16 systems. In total, we found occurrences of the following five kinds of weaknesses: 30 memory leaks, 10 uninitialized variables, 9 null pointer dereferences, 6 resource leaks, and 2 buffer overflows. The corpus of these weaknesses is a valuable source to better support further research on configuration-related code weaknesses.
Table I: Preprocessor-Related Resource Leaks.
| PROJECT | FILE | TYPE | CONFIGURATION OPTIONS |
| Libssh | src/pki_crypto.c | resource leak | 1 |
| Libssh | tests/torture.c | resource leak | 1 |
| Libxml2 | libxml2/catalog.c | resource leak | 1 |
| Lighttpd | lighttpd/src/mod_dirlisting.c | resource leak | 1 |
| Lua | src/loadlib_rel.c | resource leak | 7 |
| Sylpheed | sylpheed/src/jpilot.c | resource leak | 1 |
Table II: Preprocessor-Related Uninitialized Variables.
| PROJECT | FILE | TYPE | CONFIGURATION OPTIONS |
| Apache | os/unix/unixd.c | uninitialized variable | 1 |
| Apache | modules/slotmem/mod_slotmem_shm.c | uninitialized variable | 2 |
| Apache | server/mpm/prefork/prefork.c | uninitialized variable | 1 |
| Bash | lib/malloc/malloc.c | uninitialized variable | 3 |
| Cherokee | cherokee/main.c | uninitialized variable | 1 |
| Dia | dia/tests/test-boundingbox.c | uninitialized variable | 1 |
| Dia | app/render_eps.c | uninitialized variable | 1 |
| Fvwm | fvwm/events.c | uninitialized variable | 1 |
| Libssh | libssh/sftp.c | Uninitialized Variable | 1 |
| Sylpheed | src/jpilot.c | uninitialized variable | 1 |
Table III: Preprocessor-Related Memory Leaks.
| PROJECT | FILE | TYPE | CONFIGURATION OPTIONS |
| Apache | server/mpm_common.c | memory leak | 1 |
| Cherokee | cherokee/thread.c | memory leak | 1 |
| Cherokee | cherokee/main.c | memory leak | 1 |
| Dia | app/commands.c | memory leak | 3 |
| Fvwm | libs/FlocaleCharset.c | memory leak | 1 |
| Fvwm | fvwm/style.c | memory leak | 1 |
| Fvwm | fvwm/builtins.c | memory leak | 5 |
| Fvwm | fvwm/icons.c | memory leak | 1 |
| Gawk | gawk/regcomp.c | memory leak | 1 |
| Libpng | pngset.c | memory leak | 1 |
| Libpng | contrib/libtests/pngimage.c | memory leak | 1 |
| Libpng | png.c | memory leak | 1 |
| Libssh | libssh/kex.c | memory leak | 1 |
| Libssh | src/ecdh.c | memory leak | 2 |
| Libssh | libssh/auth.c | memory leak | 1 |
| Libssh | libssh/keys.c | memory leak | 1 |
| Libssh | libssh/options.c | memory leak | 1 |
| Libssh | src/messages.c | memory leak | 1 |
| Lighttpd | src/condition.c | memory leak | 1 |
| Lighttpd | lighttpd/src/mod_dirlisting.c | memory leak | 1 |
| M4 | m4/hash.c | memory leak | 1 |
| Sylpheed | libsylph/utils.c | memory leak | 1 |
| Vim | src/if_cscope.c | memory leak | 1 |
| Vim | src/memline.c | memory leak | 2 |
| Vim | src/netbeans.c | memory leak | 1 |
| Vim | src/ops.c | memory leak | 1 |
| Vim | src/hardcopy.c | memory leak | 1 |
| Vim | src/ex_cmds.c | memory leak | 1 |
| Vim | src/eval.c | memory leak | 1 |
| Vim | src/window.c | memory leak | 1 |
Table IV: Preprocessor-Related Null Deferences.
| PROJECT | FILE | TYPE | CONFIGURATION OPTIONS |
| Apache | server/listen.c | null deference | 1 |
| Dia | lib/prop_text.c | null deference | 1 |
| Fvwm | fvwm/virtual.c | null deference | 1 |
| Irssi | src/core/recode.c | null deference | 1 |
| Irssi | src/core/network-openssl.c | null deference | 1 |
| Libssh | src/options.c | null deference | 1 |
| Libssh | src/agent.c | null deference | 1 |
| Libssh | src/pki.c | null deference | 1 |
| Libssh | src/messages.c | null deference | 1 |
Table V: Preprocessor-Related Buffer Overflow.
| PROJECT | FILE | TYPE | CONFIGURATION OPTIONS |
| Bison | data/glr.c | buffer overflow | 1 |
| Vim | src/ex_docmd.c | buffer overflow | 1 |
Table VI: Patches to Fix Preprocessor-Related Bugs.
| PROJECT | FILE | TYPE | STATUS |
| Apache | apache/modules/ssl/ssl_util.c | Null Deference | rejected |
| Apache | apache/os/win32/ap_regkey.c | uninitialized variable | rejected |
| Apache | apache/os/win32/ap_regkey.c | uninitialized variable | rejected |
| Apache | apache/server/mpm/winnt/mpm_winnt.c | memory leak | rejected |
| Dia | dia/tests/test-boundingbox.c | uninitialized variable | fixed |
| Gawk | gawk/regcomp.c | memory leak | fixed |
| Lighttpd | lighttpd/src/mod_dirlisting.c | memory leak | fixed |
| Lighttpd | lighttpd/src/mod_dirlisting.c | resource leak | fixed |
| Libxml2 | libxml2/catalog.c | resource leak | fixed |
| Sqlite | os_win.c | uninitialized variable | rejected |
| Sqlite | test_intarray.c | memory leak | rejected |
| Sylpheed | sylpheed/src/jpilot.c | resource leak | fixed |