Bug #887883 “Coverity scan revealed defects” : Bugs : QEMU

Revision history for this message

Alex Jia (chuanchang-jia) wrote on 2011-11-09:

#1

qemu-1.0rc1.err Edit (182.6 KiB, text/plain)

Revision history for this message

Alex Jia (chuanchang-jia) wrote on 2011-11-23:

#2

This is latest result on qemu-1.0-rc3, and I notice that 'RESOURCE_LEAK' is 10 now:

Analysis summary report:
------------------------
Files analyzed : 825
Total LoC input to cov-analyze : 576887
Functions analyzed : 20639
Paths analyzed : 896645
Defect occurrences found : 432 Total
                                   2 ARRAY_VS_SINGLETON
                                   4 ATOMICITY
                                  10 CHECKED_RETURN
                                  17 CONSTANT_EXPRESSION_RESULT
                                  62 DEADCODE
                                  42 FORWARD_NULL
                                  10 INFINITE_LOOP
                                  34 MISSING_BREAK
                                   1 MISSING_LOCK
                                  44 NEGATIVE_RETURNS
                                  10 NULL_RETURNS
                                  46 OVERRUN_STATIC
                                  10 RESOURCE_LEAK
                                  78 REVERSE_INULL
                                   1 REVERSE_NEGATIVE
                                  18 SIGN_EXTENSION
                                   7 SIZEOF_MISMATCH
                                  26 UNINIT
                                   5 UNREACHABLE
                                   2 UNUSED_VALUE
                                   3 USE_AFTER_FREE

For details, please see attachment.

Revision history for this message

Alex Jia (chuanchang-jia) wrote on 2011-11-23:

#3

qemu-1.0-rc3.err Edit (169.5 KiB, text/plain)

Revision history for this message

Dr. David Alan Gilbert (davidgil-uk) wrote on 2011-12-30:

#4

Download full text (4.3 KiB)

I believe the ARM ones are bogus (although some could be clearer and simulataneously clear some of the warnings):

Error: DEADCODE: *** IFDEF dependent
hw/arm_gic.c:409:
dead_error_condition: On this path, the condition "irq < 16" cannot be true.
*** ifdef'd - only true if NVIC defined
hw/arm_gic.c:407:
between: After this line, the value of "irq" is between 32 and 95.
hw/arm_gic.c:406:
assignment: Assigning: "irq" = "(offset - 256U) * 8U + 32U".
hw/arm_gic.c:407:
new_values: Noticing condition "irq >= 96".
hw/arm_gic.c:391:
new_values: Noticing condition "offset < 256U".
hw/arm_gic.c:410:
dead_error_line: Execution cannot reach this statement "value = 255U;".

Error: DEADCODE: *** IFDEF dependent on NVIC
hw/arm_gic.c:434:
dead_error_condition: On this path, the condition "irq < 16" cannot be true.
hw/arm_gic.c:432:
between: After this line, the value of "irq" is between 32 and 95.
hw/arm_gic.c:431:
assignment: Assigning: "irq" = "(offset - 384U) * 8U + 32U".
hw/arm_gic.c:432:
new_values: Noticing condition "irq >= 96".
hw/arm_gic.c:391:
new_values: Noticing condition "offset < 256U".
hw/arm_gic.c:435:
dead_error_line: Execution cannot reach this statement "value = 0U;".

Error: DEADCODE: *** IFDEF dependent on NVIC
hw/arm_gic.c:451:
dead_error_condition: On this path, the condition "irq < 16" cannot be true.
hw/arm_gic.c:449:
between: After this line, the value of "irq" is between 32 and 95.
hw/arm_gic.c:448:
assignment: Assigning: "irq" = "(offset - 512U) * 8U + 32U".
hw/arm_gic.c:449:
new_values: Noticing condition "irq >= 96".
hw/arm_gic.c:391:
new_values: Noticing condition "offset < 256U".
hw/arm_gic.c:452:
dead_error_line: Execution cannot reach this statement "irq = 0;".

Error: DEADCODE: *** IFDEF depedent on NVIC
hw/arm_gic.c:480:
dead_error_condition: On this path, the condition "irq < 32" cannot be true.
hw/arm_gic.c:478:
between: After this line, the value of "irq" is between 32 and 95.
hw/arm_gic.c:477:
assignment: Assigning: "irq" = "offset - 1024U + 32U".
hw/arm_gic.c:478:
new_values: Noticing condition "irq >= 96".
hw/arm_gic.c:472:
new_values: Noticing condition "offset < 1024U".
hw/arm_gic.c:481:
dead_error_line: Execution cannot reach this statement "s->priority1[irq][cpu] = va...".

Error: DEADCODE: *** Set in ifdef 0'd path
arm-dis.c:4012:
dead_error_condition: On this path, the condition "is_data" cannot be true.
arm-dis.c:3874:
const: After this line, the value of "is_data" is equal to 0.
arm-dis.c:3874:
assignment: Assigning: "is_data" = "0".
arm-dis.c:4014:
dead_error_begin: Execution cannot reach this statement "int i;".

Error: NEGATIVE_RETURNS: *** I think the -1 value triggers the increment on line 9957 so it isn't -ve as an index
target-arm/translate.c:9873:
var_tested_neg: Assigning: "lj" = a negative value.
target-arm/translate.c:9961:
negative_returns: Using variable "lj" as an index to array "gen_opc_pc".

Error: OVERRUN_STATIC: *** Safe because irq%8 always =0 and GIC_NIRQ divisible by 8 (but would be better to do irq+8 > GIC_NIRQ
hw/arm_gic.c:274:
assignment: Assigning: "irq" = "(offset - 256U) * 8U".
hw/arm_gic.c:277:
assignment: Assigning: "irq" = "irq += 0".
hw/arm_gic.c:282:
overrun-local: Overrun...

I believe the ARM ones are bogus (although some could be clearer and simulataneously clear some of the warnings):

Error: DEADCODE:  *** IFDEF dependent
hw/arm_gic.c:409:
dead_error_condition: On this path, the condition "irq < 16" cannot be true.
    *** ifdef'd - only true if NVIC defined
hw/arm_gic.c:407:
between: After this line, the value of "irq" is between 32 and 95.
hw/arm_gic.c:406:
assignment: Assigning: "irq" = "(offset - 256U) * 8U + 32U".
hw/arm_gic.c:407:
new_values: Noticing condition "irq >= 96".
hw/arm_gic.c:391:
new_values: Noticing condition "offset < 256U".
hw/arm_gic.c:410:
dead_error_line: Execution cannot reach this statement "value = 255U;".

Error: DEADCODE: *** IFDEF dependent on NVIC
hw/arm_gic.c:434:
dead_error_condition: On this path, the condition "irq < 16" cannot be true.
hw/arm_gic.c:432:
between: After this line, the value of "irq" is between 32 and 95.
hw/arm_gic.c:431:
assignment: Assigning: "irq" = "(offset - 384U) * 8U + 32U".
hw/arm_gic.c:432:
new_values: Noticing condition "irq >= 96".
hw/arm_gic.c:391:
new_values: Noticing condition "offset < 256U".
hw/arm_gic.c:435:
dead_error_line: Execution cannot reach this statement "value = 0U;".

Error: DEADCODE: *** IFDEF dependent on NVIC
hw/arm_gic.c:451:
dead_error_condition: On this path, the condition "irq < 16" cannot be true.
hw/arm_gic.c:449:
between: After this line, the value of "irq" is between 32 and 95.
hw/arm_gic.c:448:
assignment: Assigning: "irq" = "(offset - 512U) * 8U + 32U".
hw/arm_gic.c:449:
new_values: Noticing condition "irq >= 96".
hw/arm_gic.c:391:
new_values: Noticing condition "offset < 256U".
hw/arm_gic.c:452:
dead_error_line: Execution cannot reach this statement "irq = 0;".

Error: DEADCODE: *** IFDEF depedent on NVIC
hw/arm_gic.c:480:
dead_error_condition: On this path, the condition "irq < 32" cannot be true.
hw/arm_gic.c:478:
between: After this line, the value of "irq" is between 32 and 95.
hw/arm_gic.c:477:
assignment: Assigning: "irq" = "offset - 1024U + 32U".
hw/arm_gic.c:478:
new_values: Noticing condition "irq >= 96".
hw/arm_gic.c:472:
new_values: Noticing condition "offset < 1024U".
hw/arm_gic.c:481:
dead_error_line: Execution cannot reach this statement "s->priority1[irq][cpu] = va...".

Error: DEADCODE: *** Set in ifdef 0'd path
arm-dis.c:4012:
dead_error_condition: On this path, the condition "is_data" cannot be true.
arm-dis.c:3874:
const: After this line, the value of "is_data" is equal to 0.
arm-dis.c:3874:
assignment: Assigning: "is_data" = "0".
arm-dis.c:4014:
dead_error_begin: Execution cannot reach this statement "int i;".

Error: NEGATIVE_RETURNS: *** I think the -1 value triggers the increment on line 9957 so it isn't -ve as an index
target-arm/translate.c:9873:
var_tested_neg: Assigning: "lj" = a negative value.
target-arm/translate.c:9961:
negative_returns: Using variable "lj" as an index to array "gen_opc_pc".

Error: OVERRUN_STATIC: *** Safe because irq%8 always =0 and GIC_NIRQ divisible by 8 (but would be better to do irq+8 > GIC_NIRQ
hw/arm_gic.c:274:
assignment: Assigning: "irq" = "(offset - 256U) * 8U".
hw/arm_gic.c:277:
assignment: Assigning: "irq" = "irq += 0".
hw/arm_gic.c:282:
overrun-local: Overrunning static array "s->irq_state", with 96 elements, at position 96 with index variable "irq + i".

Error: OVERRUN_STATIC:
hw/arm_gic.c:235: *** Don't think so, at that point we know array value !=1023 and array value == irq, so irq can't be 1023
overrun-local: Overrunning static array "s->last_active", with 96 elements, at position 1023 with index variable "irq".

Error: OVERRUN_STATIC:
hw/arm_gic.c:235:*** Don't think so, at that point we know array value !=1023 and array value == irq, so irq can't be 1023
overrun-local: Overrunning static array "s->last_active", with 96 elements, at position 1023 with index variable "irq".

Error: OVERRUN_STATIC:
hw/arm_gic.c:461: *** Safe because irq%8=0, and GIC_NIRQ divisibly by 8 (again safer to do irq+8 > GIC_NIRQ)
assignment: Assigning: "irq" = "(offset - 640U) * 8U + 0U".
hw/arm_gic.c:469:
overrun-local: Overrunning static array "s->irq_state", with 96 elements, at position 96 with index variable "irq + i".

Error: OVERRUN_STATIC:
hw/arm_gic.c:235: *** Same as case above???
overrun-local: Overrunning static array "s->last_active", with 96 elements, at position 1023 with index variable "irq".

Revision history for this message

Thomas Huth (th-huth) wrote on 2017-01-08:

#5

AFAIK a lot of issues reported by coverity have been addressed in the recent versions of QEMU ... is there still anything left here that needs special attention?

Changed in qemu:
status:	New → Incomplete

Revision history for this message

Launchpad Janitor (janitor) wrote on 2017-03-10:

#6

[Expired for QEMU because there has been no activity for 60 days.]

Changed in qemu:
status:	Incomplete → Expired

QEMU

Coverity scan revealed defects

Bug Description

Other bug subscribers

Bug attachments

Remote bug watches