Error: ARRAY_VS_SINGLETON:
tcg/tcg.c:1996: address_of: Taking address with "&func_arg" yields a singleton pointer.
tcg/tcg.c:1996: callee_ptr_arith: Passing "&func_arg" to function "tcg_out_op" which uses it as an array. This might corrupt or misinterpret adjacent memory locations.
tcg/i386/tcg-target.c:1490: ptr_arith: Performing pointer arithmetic on "args" in expression "args + 1".

Error: ARRAY_VS_SINGLETON:
block/sheepdog.c:667: address_of: Taking address with "&iov" yields a singleton pointer.
block/sheepdog.c:667: callee_ptr_arith: Passing "&iov" to function "do_readv_writev" which uses it as an array. This might corrupt or misinterpret adjacent memory locations.
block/sheepdog.c:626: callee_ptr_arith: Performing pointer arithmetic on "iov" in callee "do_send_recv".
block/sheepdog.c:531: assign: Assigning: "msg.msg_iov" = "iov".
block/sheepdog.c:539: ptr_arith: Performing pointer arithmetic on "iov" in expression "iov++".

Error: ATOMICITY:
hw/ccid-card-emulated.c:245: lock: Locking "card->vreader_mutex.lock".
hw/ccid-card-emulated.c:249: def: Assigning: "card->guest_apdu_list.sqh_first" = data that might be protected by the lock.
hw/ccid-card-emulated.c:272: unlock: Unlocking "card->vreader_mutex.lock". "card->guest_apdu_list.sqh_first" might now be unreliable because other threads can now change the data that it depends on.
hw/ccid-card-emulated.c:240: unlock: Unlocking "card->handle_apdu_mutex.lock". "card->guest_apdu_list.sqh_first" might now be unreliable because other threads can now change the data that it depends on.
hw/ccid-card-emulated.c:245: lockagain: Locking "card->vreader_mutex.lock" again.
hw/ccid-card-emulated.c:247: use: Using an unreliable value of "card->guest_apdu_list.sqh_first" inside the second locked section. If the data that "card->guest_apdu_list.sqh_first" depends on was changed by another thread, this use might be incorrect.

Error: ATOMICITY:
hw/ccid-card-emulated.c:324: lock: Locking "card->vreader_mutex.lock".
hw/ccid-card-emulated.c:326: def: Assigning: "card->reader" = data that might be protected by the lock.
hw/ccid-card-emulated.c:327: unlock: Unlocking "card->vreader_mutex.lock". "card->reader" might now be unreliable because other threads can now change the data that it depends on.
hw/ccid-card-emulated.c:319: lockagain: Locking "card->vreader_mutex.lock" again.
hw/ccid-card-emulated.c:320: use: Using an unreliable value of "card->reader" inside the second locked section. If the data that "card->reader" depends on was changed by another thread, this use might be incorrect.

Error: ATOMICITY:
hw/ccid-card-emulated.c:324: lock: Locking "card->vreader_mutex.lock".
hw/ccid-card-emulated.c:326: def: Assigning: "card->reader" = data that might be protected by the lock.
hw/ccid-card-emulated.c:327: unlock: Unlocking "card->vreader_mutex.lock". "card->reader" might now be unreliable because other threads can now change the data that it depends on.
hw/ccid-card-emulated.c:333: lockagain: Locking "card->vreader_mutex.lock" again.
hw/ccid-card-emulated.c:334: use: Using an unreliable value of "card->reader" inside the second locked section. If the data that "card->reader" depends on was changed by another thread, this use might be incorrect.

Error: ATOMICITY:
libcacard/vscclient.c:623: lock: Locking "pending_reader_lock.lock".
libcacard/vscclient.c:627: def: Assigning: "pending_reader" = data that might be protected by the lock.
libcacard/vscclient.c:630: unlock: Unlocking "pending_reader_lock.lock". "pending_reader" might now be unreliable because other threads can now change the data that it depends on.
libcacard/vscclient.c:623: lockagain: Locking "pending_reader_lock.lock" again.
libcacard/vscclient.c:625: use: Using an unreliable value of "pending_reader" inside the second locked section. If the data that "pending_reader" depends on was changed by another thread, this use might be incorrect.

Error: CHECKED_RETURN:
audio/audio.c:192: example_checked: "audio_bug("audio_calloc", cond)" has its value checked in "audio_bug("audio_calloc", cond)".
audio/audio_template.h:387: example_checked: "audio_bug(, !card)" has its value checked in "audio_bug(, !card)".
audio/audio.c:438: example_checked: "audio_bug(, !prefix)" has its value checked in "audio_bug(, !prefix)".
audio/audio.c:443: example_checked: "audio_bug(, !opt)" has its value checked in "audio_bug(, !opt)".
audio/audio_template.h:248: example_checked: "audio_bug(, !drv)" has its value checked in "audio_bug(, !drv)".
audio/audio.c:176: check_return: Calling function "audio_bug" without checking return value (as is done elsewhere 24 out of 25 times).
audio/audio.c:176: unchecked_value: No check of the return value of "audio_bug("bits_to_index", 1)".

Error: CHECKED_RETURN:
block/cow.c:111: example_assign: Assigning: "ret" = return value from "bdrv_pwrite_sync(bs->file, offset, &bitmap, 1)".
block/cow.c:112: example_checked: "ret" has its value checked in "ret < 0".
block/qcow.c:260: example_checked: "bdrv_pwrite_sync(bs->file, s->l1_table_offset + l1_index * 8UL, &tmp, 8)" has its value checked in "bdrv_pwrite_sync(bs->file, s->l1_table_offset + l1_index * 8UL, &tmp, 8) < 0".
block/qcow.c:290: example_checked: "bdrv_pwrite_sync(bs->file, l2_offset, l2_table, s->l2_size * 8UL)" has its value checked in "bdrv_pwrite_sync(bs->file, l2_offset, l2_table, s->l2_size * 8UL) < 0".
block/qcow.c:356: example_checked: "bdrv_pwrite_sync(bs->file, l2_offset + l2_index * 8UL, &tmp, 8)" has its value checked in "bdrv_pwrite_sync(bs->file, l2_offset + l2_index * 8UL, &tmp, 8) < 0".
block/qcow.c:710: example_checked: "bdrv_pwrite_sync(bs->file, s->l1_table_offset, s->l1_table, l1_length)" has its value checked in "bdrv_pwrite_sync(bs->file, s->l1_table_offset, s->l1_table, l1_length) < 0".
block/vpc.c:270: check_return: Calling function "bdrv_pwrite_sync" without checking return value (as is done elsewhere 30 out of 32 times).
block/vpc.c:270: unchecked_value: No check of the return value of "bdrv_pwrite_sync(bs->file, bitmap_offset, bitmap, s->bitmap_size)".

Error: CHECKED_RETURN:
block/qcow.c:767: example_assign: Assigning: "ret" = return value from "bdrv_write(bs, sector_num, buf, s->cluster_sectors)".
block/qcow.c:768: example_checked: "ret" has its value checked in "ret < 0".
block/qcow2-cluster.c:370: example_assign: Assigning: "ret" = return value from "bdrv_write(bs->file, (cluster_offset >> 9) + n_start, s->cluster_data, n)".
block/qcow2-cluster.c:372: example_checked: "ret" has its value checked in "ret < 0".
block/qcow2.c:810: example_assign: Assigning: "ret" = return value from "bdrv_write(bs->file, (meta.cluster_offset >> 9) + num - 1UL, buf, 1)".
block/qcow2.c:811: example_checked: "ret" has its value checked in "ret < 0".
block/qcow2.c:1115: example_assign: Assigning: "ret" = return value from "bdrv_write(bs, sector_num, buf, s->cluster_sectors)".
block/qcow2.c:1116: example_checked: "ret" has its value checked in "ret < 0".
block/vmdk.c:696: example_assign: Assigning: "ret" = return value from "bdrv_write(extent->file, cluster_offset, whole_grain, extent->cluster_sectors)".
block/vmdk.c:698: example_checked: "ret" has its value checked in "ret < 0".
hw/pflash_cfi01.c:209: check_return: Calling function "bdrv_write" without checking return value (as is done elsewhere 35 out of 37 times).
hw/pflash_cfi01.c:209: unchecked_value: No check of the return value of "bdrv_write(pfl->bs, offset, pfl->storage + (offset << 9), offset_end - offset)".

Error: CHECKED_RETURN:
block/qcow.c:767: example_assign: Assigning: "ret" = return value from "bdrv_write(bs, sector_num, buf, s->cluster_sectors)".
block/qcow.c:768: example_checked: "ret" has its value checked in "ret < 0".
block/qcow2-cluster.c:370: example_assign: Assigning: "ret" = return value from "bdrv_write(bs->file, (cluster_offset >> 9) + n_start, s->cluster_data, n)".
block/qcow2-cluster.c:372: example_checked: "ret" has its value checked in "ret < 0".
block/qcow2.c:810: example_assign: Assigning: "ret" = return value from "bdrv_write(bs->file, (meta.cluster_offset >> 9) + num - 1UL, buf, 1)".
block/qcow2.c:811: example_checked: "ret" has its value checked in "ret < 0".
block/qcow2.c:1115: example_assign: Assigning: "ret" = return value from "bdrv_write(bs, sector_num, buf, s->cluster_sectors)".
block/qcow2.c:1116: example_checked: "ret" has its value checked in "ret < 0".
block/vmdk.c:696: example_assign: Assigning: "ret" = return value from "bdrv_write(extent->file, cluster_offset, whole_grain, extent->cluster_sectors)".
block/vmdk.c:698: example_checked: "ret" has its value checked in "ret < 0".
hw/pflash_cfi02.c:238: check_return: Calling function "bdrv_write" without checking return value (as is done elsewhere 35 out of 37 times).
hw/pflash_cfi02.c:238: unchecked_value: No check of the return value of "bdrv_write(pfl->bs, offset, pfl->storage + (offset << 9), offset_end - offset)".

Error: CHECKED_RETURN:
block/cow.c:111: example_assign: Assigning: "ret" = return value from "bdrv_pwrite_sync(bs->file, offset, &bitmap, 1)".
block/cow.c:112: example_checked: "ret" has its value checked in "ret < 0".
block/qcow.c:260: example_checked: "bdrv_pwrite_sync(bs->file, s->l1_table_offset + l1_index * 8UL, &tmp, 8)" has its value checked in "bdrv_pwrite_sync(bs->file, s->l1_table_offset + l1_index * 8UL, &tmp, 8) < 0".
block/qcow.c:290: example_checked: "bdrv_pwrite_sync(bs->file, l2_offset, l2_table, s->l2_size * 8UL)" has its value checked in "bdrv_pwrite_sync(bs->file, l2_offset, l2_table, s->l2_size * 8UL) < 0".
block/qcow.c:356: example_checked: "bdrv_pwrite_sync(bs->file, l2_offset + l2_index * 8UL, &tmp, 8)" has its value checked in "bdrv_pwrite_sync(bs->file, l2_offset + l2_index * 8UL, &tmp, 8) < 0".
block/qcow.c:710: example_checked: "bdrv_pwrite_sync(bs->file, s->l1_table_offset, s->l1_table, l1_length)" has its value checked in "bdrv_pwrite_sync(bs->file, s->l1_table_offset, s->l1_table, l1_length) < 0".
block/vpc.c:355: check_return: Calling function "bdrv_pwrite_sync" without checking return value (as is done elsewhere 30 out of 32 times).
block/vpc.c:355: unchecked_value: No check of the return value of "bdrv_pwrite_sync(bs->file, s->free_data_block_offset, bitmap, s->bitmap_size)".

Error: CHECKED_RETURN:
block/raw-posix.c:719: example_checked: "stat(filename, &st)" has its value checked in "stat(filename, &st) >= 0".
block/vvfat.c:734: example_checked: "stat(buffer, &st)" has its value checked in "stat(buffer, &st) < 0".
m68k-semi.c:301: example_assign: Assigning: "result" = return value from "stat(p, &s)".
m68k-semi.c:304: example_checked: "result" has its value checked in "result == 0U".
monitor.c:4210: example_checked: "stat(file, &sb)" has its value checked in "stat(file, &sb) == 0".
slirp/slirp.c:124: example_checked: "stat("/etc/resolv.conf", &dns_addr_stat)" has its value checked in "stat("/etc/resolv.conf", &dns_addr_stat) != 0".
oslib-posix.c:194: check_return: Calling function "stat" without checking return value (as is done elsewhere 7 out of 8 times).
oslib-posix.c:194: unchecked_value: No check of the return value of "stat(path, &st)".

Error: CHECKED_RETURN:
net/slirp.c:374: example_checked: "get_str_sep(buf, 256, &p, 58)" has its value checked in "get_str_sep(buf, 256, &p, 58) < 0".
net/slirp.c:386: example_checked: "get_str_sep(buf, 256, &p, 58)" has its value checked in "get_str_sep(buf, 256, &p, 58) < 0".
net/slirp.c:394: example_checked: "get_str_sep(buf, 256, &p, (legacy_format ? 58 : 45))" has its value checked in "get_str_sep(buf, 256, &p, (legacy_format ? 58 : 45)) < 0".
net/slirp.c:402: example_checked: "get_str_sep(buf, 256, &p, 58)" has its value checked in "get_str_sep(buf, 256, &p, 58) < 0".
net/slirp.c:342: example_checked: "get_str_sep(buf, 256, &p, 58)" has its value checked in "get_str_sep(buf, 256, &p, 58) < 0".
net/slirp.c:332: check_return: Calling function "get_str_sep" without checking return value (as is done elsewhere 5 out of 6 times).
net/slirp.c:332: unchecked_value: No check of the return value of "get_str_sep(buf, 256, &p, 58)".

Error: CHECKED_RETURN:
block/nbd.c:84: example_checked: "strstart(file, "nbd:", &host_spec)" has its value checked in "strstart(file, "nbd:", &host_spec)".
block/nbd.c:89: example_checked: "strstart(host_spec, "unix:", &unixpath)" has its value checked in "strstart(host_spec, "unix:", &unixpath)".
block/raw-posix.c:950: example_checked: "strstart(filename, "/dev/fd", NULL)" has its value checked in "strstart(filename, "/dev/fd", NULL)".
block/raw-posix.c:764: example_checked: "strstart(temp, "/dev/sg", NULL)" has its value checked in "strstart(temp, "/dev/sg", NULL)".
block/raw-posix.c:716: example_checked: "strstart(filename, "/dev/cdrom", NULL)" has its value checked in "strstart(filename, "/dev/cdrom", NULL)".
block/sheepdog.c:1205: check_return: Calling function "strstart" without checking return value (as is done elsewhere 53 out of 55 times).
block/sheepdog.c:1205: unchecked_value: No check of the return value of "strstart(filename, "sheepdog:", (char const **)&filename)".

Error: CHECKED_RETURN:
block/nbd.c:84: example_checked: "strstart(file, "nbd:", &host_spec)" has its value checked in "strstart(file, "nbd:", &host_spec)".
block/nbd.c:89: example_checked: "strstart(host_spec, "unix:", &unixpath)" has its value checked in "strstart(host_spec, "unix:", &unixpath)".
block/raw-posix.c:950: example_checked: "strstart(filename, "/dev/fd", NULL)" has its value checked in "strstart(filename, "/dev/fd", NULL)".
block/raw-posix.c:764: example_checked: "strstart(temp, "/dev/sg", NULL)" has its value checked in "strstart(temp, "/dev/sg", NULL)".
block/raw-posix.c:716: example_checked: "strstart(filename, "/dev/cdrom", NULL)" has its value checked in "strstart(filename, "/dev/cdrom", NULL)".
block/sheepdog.c:1368: check_return: Calling function "strstart" without checking return value (as is done elsewhere 53 out of 55 times).
block/sheepdog.c:1368: unchecked_value: No check of the return value of "strstart(filename, "sheepdog:", &vdiname)".

Error: CHECKED_RETURN:
block/raw-posix.c:976: example_checked: "fd_open(bs)" has its value checked in "fd_open(bs) >= 0".
block/raw-posix.c:836: example_checked: "fd_open(bs)" has its value checked in "fd_open(bs) < 0".
block/raw-posix.c:365: example_checked: "fd_open(bs)" has its value checked in "fd_open(bs) < 0".
block/raw-posix.c:321: example_checked: "fd_open(bs)" has its value checked in "fd_open(bs) < 0".
block/raw-posix.c:537: example_assign: Assigning: "ret" = return value from "fd_open(bs)".
block/raw-posix.c:538: example_checked: "ret" has its value checked in "ret < 0".
block/raw-posix.c:988: check_return: Calling function "fd_open" without checking return value (as is done elsewhere 5 out of 6 times).
block/raw-posix.c:988: unchecked_value: No check of the return value of "fd_open(bs)".

Error: CONSTANT_EXPRESSION_RESULT:
target-sh4/translate.c:1432: result_independent_of_operands: ((ctx->opcode >> 4) & 7) < 8 is always true regardless of the values of its operands. This occurs as the logical first operand of '&&'.

Error: CONSTANT_EXPRESSION_RESULT:
target-sh4/translate.c:1436: result_independent_of_operands: ((ctx->opcode >> 4) & 7) < 8 is always true regardless of the values of its operands. This occurs as the logical first operand of '&&'.

Error: CONSTANT_EXPRESSION_RESULT:
target-sh4/translate.c:1441: result_independent_of_operands: ((ctx->opcode >> 4) & 7) < 8 is always true regardless of the values of its operands. This occurs as the logical first operand of '&&'.

Error: CONSTANT_EXPRESSION_RESULT:
target-sh4/translate.c:1448: result_independent_of_operands: ((ctx->opcode >> 4) & 7) < 8 is always true regardless of the values of its operands. This occurs as the logical first operand of '&&'.

Error: CONSTANT_EXPRESSION_RESULT:
target-sh4/translate.c:1867: result_independent_of_operands: ctx->opcode >> 16 is 0 regardless of the values of its operands. This occurs as the bitwise first operand of '&'.

Error: CONSTANT_EXPRESSION_RESULT:
target-sh4/translate.c:1868: result_independent_of_operands: ctx->opcode >> 18 is 0 regardless of the values of its operands. This occurs as the bitwise first operand of '&'.

Error: CONSTANT_EXPRESSION_RESULT:
target-sh4/translate.c:1880: result_independent_of_operands: ctx->opcode >> 18 is 0 regardless of the values of its operands. This occurs as the bitwise first operand of '&'.

Error: CONSTANT_EXPRESSION_RESULT:
hw/sm501.c:624: result_independent_of_operands: color_reg >> 16 is 0 regardless of the values of its operands. This occurs as the bitwise first operand of '&'.

Error: CONSTANT_EXPRESSION_RESULT:
hw/sun4c_intctl.c:129: result_independent_of_operands: s->reg & 0x80000000U is always 0 regardless of the values of its operands. This occurs as the logical operand of '!'.

Error: CONSTANT_EXPRESSION_RESULT:
hw/max111x.c:73: missing_parentheses: ((value & 4294967279U /* ~(1 << 4) */) >> 2 /* 2 + 0 */) & 4 is always 0 regardless of the values of its operands. This occurs as the bitwise first operand of '|'. Did you intend to apply '&' to 2 /* 2 + 0 */ and 4? If so, parentheses would be required to force this interpretation.

Error: CONSTANT_EXPRESSION_RESULT:
sparc-dis.c:3053: result_independent_of_operands: (unsigned int)((insn >> 14) & 31) < 32 is always true regardless of the values of its operands. This occurs as the logical operand of if.

Error: CONSTANT_EXPRESSION_RESULT:
sparc-dis.c:3061: result_independent_of_operands: (unsigned int)((insn >> 25) & 31) < 32 is always true regardless of the values of its operands. This occurs as the logical operand of if.

Error: CONSTANT_EXPRESSION_RESULT:
target-s390x/op_helper.c:380: result_independent_of_operands: (__uint128_t)env->regs[r1] << 64 is 0 regardless of the values of its operands. This occurs as the bitwise first operand of '|'.

Error: CONSTANT_EXPRESSION_RESULT:
hw/usb-net.c:1305: missing_parentheses: !s->rndis_state == RNDIS_DATA_INITIALIZED is always false regardless of the values of its operands. Did you intend to either negate the entire comparison expression, in which case parentheses would be required around the entire comparison expression to force that interpretation, or negate the sense of the comparison (that is, use '!=' rather than '==')? This occurs as the logical second operand of '&&'.

Error: CONSTANT_EXPRESSION_RESULT:
target-s390x/op_helper.c:359: result_independent_of_operands: res >> 64 is 0 regardless of the values of its operands. This occurs as the non-specific operand of assignment.

Error: CONSTANT_EXPRESSION_RESULT:
hw/usb-net.c:1271: missing_parentheses: !s->rndis_state == RNDIS_DATA_INITIALIZED is always false regardless of the values of its operands. Did you intend to either negate the entire comparison expression, in which case parentheses would be required around the entire comparison expression to force that interpretation, or negate the sense of the comparison (that is, use '!=' rather than '==')? This occurs as the logical operand of if.

Error: CONSTANT_EXPRESSION_RESULT:
buffered_file.c:224: result_independent_of_operands: new_rate > 18446744073709551615UL is always false regardless of the values of its operands. This occurs as the logical operand of if.

Error: DEADCODE:
target-s390x/translate.c:2037: dead_error_condition: On this path, the switch value "op" cannot reach the default case.
target-s390x/translate.c:1981: const: After this line, the value of "op" is equal to 29.
target-s390x/translate.c:2027: equality_cond: Jumping to case "29".
target-s390x/translate.c:2041: dead_error_begin: Execution cannot reach this statement "default:".

Error: DEADCODE:
target-s390x/translate.c:1993: dead_error_condition: On this path, the switch value "op" cannot reach the default case.
target-s390x/translate.c:1981: const: After this line, the value of "op" is equal to 10.
target-s390x/translate.c:1981: const: After this line, the value of "op" is equal to 11.
target-s390x/translate.c:1981: const: After this line, the value of "op" is equal to 12.
target-s390x/translate.c:1981: const: After this line, the value of "op" is equal to 13.
target-s390x/translate.c:1981: const: After this line, the value of "op" is equal to 28.
target-s390x/translate.c:1984: equality_cond: Jumping to case "10".
target-s390x/translate.c:1985: equality_cond: Jumping to case "11".
target-s390x/translate.c:1982: equality_cond: Jumping to case "12".
target-s390x/translate.c:1983: equality_cond: Jumping to case "13".
target-s390x/translate.c:1986: equality_cond: Jumping to case "28".
target-s390x/translate.c:2018: dead_error_begin: Execution cannot reach this statement "default:".

Error: DEADCODE:
target-s390x/translate.c:3722: dead_error_condition: On this path, the switch value "op" cannot reach the default case.
target-s390x/translate.c:3681: const: After this line, the value of "op" is equal to 11.
target-s390x/translate.c:3681: const: After this line, the value of "op" is equal to 13.
target-s390x/translate.c:3681: const: After this line, the value of "op" is equal to 7.
target-s390x/translate.c:3719: equality_cond: Jumping to case "11".
target-s390x/translate.c:3720: equality_cond: Jumping to case "13".
target-s390x/translate.c:3718: equality_cond: Jumping to case "7".
target-s390x/translate.c:3732: dead_error_begin: Execution cannot reach this statement "default:".

Error: DEADCODE:
target-s390x/translate.c:3784: dead_error_condition: On this path, the switch value "op" cannot reach the default case.
target-s390x/translate.c:3778: const: After this line, the value of "op" is equal to 10.
target-s390x/translate.c:3778: const: After this line, the value of "op" is equal to 4.
target-s390x/translate.c:3780: equality_cond: Jumping to case "10".
target-s390x/translate.c:3779: equality_cond: Jumping to case "4".
target-s390x/translate.c:3793: dead_error_begin: Execution cannot reach this statement "default:".

Error: DEADCODE:
target-s390x/translate.c:3806: dead_error_condition: On this path, the switch value "op" cannot reach the default case.
target-s390x/translate.c:3778: const: After this line, the value of "op" is equal to 11.
target-s390x/translate.c:3778: const: After this line, the value of "op" is equal to 5.
target-s390x/translate.c:3802: equality_cond: Jumping to case "11".
target-s390x/translate.c:3801: equality_cond: Jumping to case "5".
target-s390x/translate.c:3815: dead_error_begin: Execution cannot reach this statement "default:".

Error: DEADCODE:
target-s390x/translate.c:3344: dead_error_condition: On this path, the switch value "op" cannot reach the default case.
target-s390x/translate.c:3290: const: After this line, the value of "op" is equal to 10.
target-s390x/translate.c:3290: const: After this line, the value of "op" is equal to 8.
target-s390x/translate.c:3338: equality_cond: Jumping to case "10".
target-s390x/translate.c:3337: equality_cond: Jumping to case "8".
target-s390x/translate.c:3351: dead_error_begin: Execution cannot reach this statement "default:".

Error: DEADCODE:
target-s390x/translate.c:3527: dead_error_condition: On this path, the switch value "op" cannot reach the default case.
target-s390x/translate.c:3290: const: After this line, the value of "op" is equal to 128.
target-s390x/translate.c:3290: const: After this line, the value of "op" is equal to 129.
target-s390x/translate.c:3290: const: After this line, the value of "op" is equal to 130.
target-s390x/translate.c:3522: equality_cond: Jumping to case "128".
target-s390x/translate.c:3523: equality_cond: Jumping to case "129".
target-s390x/translate.c:3524: equality_cond: Jumping to case "130".
target-s390x/translate.c:3537: dead_error_begin: Execution cannot reach this statement "default:".

Error: DEADCODE:
target-s390x/translate.c:3383: dead_error_condition: On this path, the switch value "op" cannot reach the default case.
target-s390x/translate.c:3290: const: After this line, the value of "op" is equal to 11.
target-s390x/translate.c:3363: const: After this line, the value of "op" is equal to 25.
target-s390x/translate.c:3363: const: After this line, the value of "op" is equal to 27.
target-s390x/translate.c:3290: const: After this line, the value of "op" is equal to 9.
target-s390x/translate.c:3359: equality_cond: Jumping to case "11".
target-s390x/translate.c:3361: equality_cond: Jumping to case "25".
target-s390x/translate.c:3370: equality_cond: Jumping to case "25".
target-s390x/translate.c:3360: equality_cond: Jumping to case "27".
target-s390x/translate.c:3364: equality_cond: Jumping to case "27".
target-s390x/translate.c:3358: equality_cond: Jumping to case "9".
target-s390x/translate.c:3392: dead_error_begin: Execution cannot reach this statement "default:".

Error: DEADCODE:
target-s390x/translate.c:1725: dead_error_condition: On this path, the switch value "op" cannot reach the default case.
target-s390x/translate.c:1481: const: After this line, the value of "op" is equal to 90.
target-s390x/translate.c:1481: const: After this line, the value of "op" is equal to 91.
target-s390x/translate.c:1716: equality_cond: Jumping to case "90".
target-s390x/translate.c:1717: equality_cond: Jumping to case "91".
target-s390x/translate.c:1732: dead_error_begin: Execution cannot reach this statement "default:".

Error: DEADCODE:
target-s390x/translate.c:1771: dead_error_condition: On this path, the switch value "op" cannot reach the default case.
target-s390x/translate.c:1481: const: After this line, the value of "op" is equal to 118.
target-s390x/translate.c:1481: const: After this line, the value of "op" is equal to 119.
target-s390x/translate.c:1767: equality_cond: Jumping to case "118".
target-s390x/translate.c:1768: equality_cond: Jumping to case "119".
target-s390x/translate.c:1780: dead_error_begin: Execution cannot reach this statement "default:".

Error: DEADCODE:
target-s390x/translate.c:1736: dead_error_condition: On this path, the switch value "op" cannot reach the default case.
target-s390x/translate.c:1725: const: After this line, the value of "op" is equal to 90.
target-s390x/translate.c:1725: const: After this line, the value of "op" is equal to 91.
target-s390x/translate.c:1716: equality_cond: Jumping to case "90".
target-s390x/translate.c:1726: equality_cond: Jumping to case "90".
target-s390x/translate.c:1717: equality_cond: Jumping to case "91".
target-s390x/translate.c:1729: equality_cond: Jumping to case "91".
target-s390x/translate.c:1743: dead_error_begin: Execution cannot reach this statement "default:".

Error: DEADCODE:
target-s390x/translate.c:1796: dead_error_condition: On this path, the switch value "op" cannot reach the default case.
target-s390x/translate.c:1481: const: After this line, the value of "op" is equal to 128.
target-s390x/translate.c:1481: const: After this line, the value of "op" is equal to 129.
target-s390x/translate.c:1481: const: After this line, the value of "op" is equal to 130.
target-s390x/translate.c:1791: equality_cond: Jumping to case "128".
target-s390x/translate.c:1792: equality_cond: Jumping to case "129".
target-s390x/translate.c:1793: equality_cond: Jumping to case "130".
target-s390x/translate.c:1806: dead_error_begin: Execution cannot reach this statement "default:".

Error: DEADCODE:
target-s390x/translate.c:1649: dead_error_condition: On this path, the switch value "op" cannot reach the default case.
target-s390x/translate.c:1481: const: After this line, the value of "op" is equal to 32.
target-s390x/translate.c:1481: const: After this line, the value of "op" is equal to 33.
target-s390x/translate.c:1481: const: After this line, the value of "op" is equal to 48.
target-s390x/translate.c:1481: const: After this line, the value of "op" is equal to 49.
target-s390x/translate.c:1644: equality_cond: Jumping to case "32".
target-s390x/translate.c:1645: equality_cond: Jumping to case "33".
target-s390x/translate.c:1646: equality_cond: Jumping to case "48".
target-s390x/translate.c:1647: equality_cond: Jumping to case "49".
target-s390x/translate.c:1660: dead_error_begin: Execution cannot reach this statement "default:".

Error: DEADCODE:
target-s390x/translate.c:1546: dead_error_condition: On this path, the switch value "op" cannot reach the default case.
target-s390x/translate.c:1535: const: After this line, the value of "op" is equal to 10.
target-s390x/translate.c:1535: const: After this line, the value of "op" is equal to 24.
target-s390x/translate.c:1532: const: After this line, the value of "op" is equal to 26.
target-s390x/translate.c:1535: const: After this line, the value of "op" is equal to 8.
target-s390x/translate.c:1535: equality_cond: Condition "op == 24" is evaluated as false.
target-s390x/translate.c:1532: equality_cond: Condition "op == 26" is evaluated as false.
target-s390x/translate.c:1529: equality_cond: Jumping to case "10".
target-s390x/translate.c:1530: equality_cond: Jumping to case "24".
target-s390x/translate.c:1531: equality_cond: Jumping to case "26".
target-s390x/translate.c:1528: equality_cond: Jumping to case "8".
target-s390x/translate.c:1535: new_values: Noticing condition "op == 24".
target-s390x/translate.c:1532: new_values: Noticing condition "op == 26".
target-s390x/translate.c:1555: dead_error_begin: Execution cannot reach this statement "default:".

Error: DEADCODE:
target-s390x/translate.c:1578: dead_error_condition: On this path, the switch value "op" cannot reach the default case.
target-s390x/translate.c:1569: const: After this line, the value of "op" is equal to 11.
target-s390x/translate.c:1567: const: After this line, the value of "op" is equal to 25.
target-s390x/translate.c:1569: const: After this line, the value of "op" is equal to 27.
target-s390x/translate.c:1569: const: After this line, the value of "op" is equal to 9.
target-s390x/translate.c:1567: equality_cond: Condition "op == 25" is evaluated as false.
target-s390x/translate.c:1569: equality_cond: Condition "op == 27" is evaluated as false.
target-s390x/translate.c:1563: equality_cond: Jumping to case "11".
target-s390x/translate.c:1564: equality_cond: Jumping to case "25".
target-s390x/translate.c:1565: equality_cond: Jumping to case "27".
target-s390x/translate.c:1562: equality_cond: Jumping to case "9".
target-s390x/translate.c:1567: new_values: Noticing condition "op == 25".
target-s390x/translate.c:1569: new_values: Noticing condition "op == 27".
target-s390x/translate.c:1587: dead_error_begin: Execution cannot reach this statement "default:".

Error: DEADCODE:
target-s390x/translate.c:1663: dead_error_condition: On this path, the switch value "op" cannot reach the default case.
target-s390x/translate.c:1649: const: After this line, the value of "op" is equal to 32.
target-s390x/translate.c:1649: const: After this line, the value of "op" is equal to 33.
target-s390x/translate.c:1649: const: After this line, the value of "op" is equal to 48.
target-s390x/translate.c:1649: const: After this line, the value of "op" is equal to 49.
target-s390x/translate.c:1644: equality_cond: Jumping to case "32".
target-s390x/translate.c:1650: equality_cond: Jumping to case "32".
target-s390x/translate.c:1645: equality_cond: Jumping to case "33".
target-s390x/translate.c:1651: equality_cond: Jumping to case "33".
target-s390x/translate.c:1646: equality_cond: Jumping to case "48".
target-s390x/translate.c:1654: equality_cond: Jumping to case "48".
target-s390x/translate.c:1647: equality_cond: Jumping to case "49".
target-s390x/translate.c:1657: equality_cond: Jumping to case "49".
target-s390x/translate.c:1672: dead_error_begin: Execution cannot reach this statement "default:".

Error: DEADCODE:
target-s390x/translate.c:2361: dead_error_condition: On this path, the switch value "op" cannot reach the default case.
target-s390x/translate.c:2336: const: After this line, the value of "op" is equal to 4.
target-s390x/translate.c:2336: const: After this line, the value of "op" is equal to 8.
target-s390x/translate.c:2357: equality_cond: Jumping to case "4".
target-s390x/translate.c:2358: equality_cond: Jumping to case "8".
target-s390x/translate.c:2371: dead_error_begin: Execution cannot reach this statement "default:".

Error: DEADCODE:
target-s390x/translate.c:2386: dead_error_condition: On this path, the switch value "op" cannot reach the default case.
target-s390x/translate.c:2336: const: After this line, the value of "op" is equal to 5.
target-s390x/translate.c:2336: const: After this line, the value of "op" is equal to 9.
target-s390x/translate.c:2382: equality_cond: Jumping to case "5".
target-s390x/translate.c:2383: equality_cond: Jumping to case "9".
target-s390x/translate.c:2396: dead_error_begin: Execution cannot reach this statement "default:".

Error: DEADCODE:
target-s390x/translate.c:2412: dead_error_condition: On this path, the switch value "op" cannot reach the default case.
target-s390x/translate.c:2336: const: After this line, the value of "op" is equal to 10.
target-s390x/translate.c:2336: const: After this line, the value of "op" is equal to 6.
target-s390x/translate.c:2409: equality_cond: Jumping to case "10".
target-s390x/translate.c:2408: equality_cond: Jumping to case "6".
target-s390x/translate.c:2422: dead_error_begin: Execution cannot reach this statement "default:".

Error: DEADCODE:
target-s390x/translate.c:2438: dead_error_condition: On this path, the switch value "op" cannot reach the default case.
target-s390x/translate.c:2336: const: After this line, the value of "op" is equal to 11.
target-s390x/translate.c:2336: const: After this line, the value of "op" is equal to 7.
target-s390x/translate.c:2435: equality_cond: Jumping to case "11".
target-s390x/translate.c:2434: equality_cond: Jumping to case "7".
target-s390x/translate.c:2447: dead_error_begin: Execution cannot reach this statement "default:".

Error: DEADCODE:
target-s390x/translate.c:3224: dead_error_condition: On this path, the switch value "op" cannot reach the default case.
target-s390x/translate.c:3026: const: After this line, the value of "op" is equal to 164.
target-s390x/translate.c:3026: const: After this line, the value of "op" is equal to 165.
target-s390x/translate.c:3220: equality_cond: Jumping to case "164".
target-s390x/translate.c:3221: equality_cond: Jumping to case "165".
target-s390x/translate.c:3231: dead_error_begin: Execution cannot reach this statement "default:".

Error: DEADCODE:
target-s390x/translate.c:3091: dead_error_condition: On this path, the switch value "op" cannot reach the default case.
target-s390x/translate.c:3026: const: After this line, the value of "op" is equal to 14.
target-s390x/translate.c:3026: const: After this line, the value of "op" is equal to 30.
target-s390x/translate.c:3026: const: After this line, the value of "op" is equal to 31.
target-s390x/translate.c:3084: equality_cond: Jumping to case "14".
target-s390x/translate.c:3085: equality_cond: Jumping to case "30".
target-s390x/translate.c:3086: equality_cond: Jumping to case "31".
target-s390x/translate.c:3101: dead_error_begin: Execution cannot reach this statement "default:".

Error: DEADCODE:
target-s390x/translate.c:3180: dead_error_condition: On this path, the switch value "op" cannot reach the default case.
target-s390x/translate.c:3026: const: After this line, the value of "op" is equal to 148.
target-s390x/translate.c:3026: const: After this line, the value of "op" is equal to 149.
target-s390x/translate.c:3026: const: After this line, the value of "op" is equal to 150.
target-s390x/translate.c:3175: equality_cond: Jumping to case "148".
target-s390x/translate.c:3176: equality_cond: Jumping to case "149".
target-s390x/translate.c:3177: equality_cond: Jumping to case "150".
target-s390x/translate.c:3190: dead_error_begin: Execution cannot reach this statement "default:".

Error: DEADCODE:
target-s390x/translate.c:3202: dead_error_condition: On this path, the switch value "op" cannot reach the default case.
target-s390x/translate.c:3026: const: After this line, the value of "op" is equal to 152.
target-s390x/translate.c:3026: const: After this line, the value of "op" is equal to 153.
target-s390x/translate.c:3026: const: After this line, the value of "op" is equal to 154.
target-s390x/translate.c:3196: equality_cond: Jumping to case "152".
target-s390x/translate.c:3197: equality_cond: Jumping to case "153".
target-s390x/translate.c:3198: equality_cond: Jumping to case "154".
target-s390x/translate.c:3212: dead_error_begin: Execution cannot reach this statement "default:".

Error: DEADCODE:
target-s390x/translate.c:4973: dead_error_condition: On this path, the switch value "opc" cannot reach the default case.
target-s390x/translate.c:3883: const: After this line, the value of "opc" is equal to 192. target-s390x/translate.c:3883: const: After this line, the value of "opc" is equal to 194. target-s390x/translate.c:4967: equality_cond: Jumping to case "192". target-s390x/translate.c:4968: equality_cond: Jumping to case "194". target-s390x/translate.c:4980: dead_error_begin: Execution cannot reach this statement "default:". Error: DEADCODE: target-s390x/translate.c:4250: dead_error_condition: On this path, the switch value "opc" cannot reach the default case. target-s390x/translate.c:3883: const: After this line, the value of "opc" is equal to 74. target-s390x/translate.c:3883: const: After this line, the value of "opc" is equal to 75. target-s390x/translate.c:3883: const: After this line, the value of "opc" is equal to 76. target-s390x/translate.c:4238: equality_cond: Jumping to case "74". target-s390x/translate.c:4239: equality_cond: Jumping to case "75". target-s390x/translate.c:4240: equality_cond: Jumping to case "76". target-s390x/translate.c:4262: dead_error_begin: Execution cannot reach this statement "default:". Error: DEADCODE: target-s390x/translate.c:4573: dead_error_condition: On this path, the switch value "opc" cannot reach the default case. target-s390x/translate.c:3883: const: After this line, the value of "opc" is equal to 136. target-s390x/translate.c:3883: const: After this line, the value of "opc" is equal to 137. target-s390x/translate.c:3883: const: After this line, the value of "opc" is equal to 138. target-s390x/translate.c:4563: equality_cond: Jumping to case "136". target-s390x/translate.c:4564: equality_cond: Jumping to case "137". target-s390x/translate.c:4565: equality_cond: Jumping to case "138". target-s390x/translate.c:4584: dead_error_begin: Execution cannot reach this statement "default:". Error: DEADCODE: target-s390x/translate.c:4673: dead_error_condition: On this path, the switch value "opc" cannot reach the default case. 
target-s390x/translate.c:3883: const: After this line, the value of "opc" is equal to 148. target-s390x/translate.c:3883: const: After this line, the value of "opc" is equal to 150. target-s390x/translate.c:3883: const: After this line, the value of "opc" is equal to 151. target-s390x/translate.c:4666: equality_cond: Jumping to case "148". target-s390x/translate.c:4667: equality_cond: Jumping to case "150". target-s390x/translate.c:4668: equality_cond: Jumping to case "151". target-s390x/translate.c:4683: dead_error_begin: Execution cannot reach this statement "default:". Error: DEADCODE: target-s390x/translate.c:4372: dead_error_condition: On this path, the switch value "opc" cannot reach the default case. target-s390x/translate.c:3883: const: After this line, the value of "opc" is equal to 90. target-s390x/translate.c:3883: const: After this line, the value of "opc" is equal to 91. target-s390x/translate.c:3883: const: After this line, the value of "opc" is equal to 94. target-s390x/translate.c:3883: const: After this line, the value of "opc" is equal to 95. target-s390x/translate.c:4361: equality_cond: Jumping to case "90". target-s390x/translate.c:4362: equality_cond: Jumping to case "91". target-s390x/translate.c:4363: equality_cond: Jumping to case "94". target-s390x/translate.c:4364: equality_cond: Jumping to case "95". target-s390x/translate.c:4381: dead_error_begin: Execution cannot reach this statement "default:". Error: DEADCODE: target-s390x/translate.c:4385: dead_error_condition: On this path, the switch value "opc" cannot reach the default case. target-s390x/translate.c:4372: const: After this line, the value of "opc" is equal to 90. target-s390x/translate.c:4372: const: After this line, the value of "opc" is equal to 91. target-s390x/translate.c:4372: const: After this line, the value of "opc" is equal to 94. target-s390x/translate.c:4372: const: After this line, the value of "opc" is equal to 95. 
target-s390x/translate.c:4361: equality_cond: Jumping to case "90". target-s390x/translate.c:4373: equality_cond: Jumping to case "90". target-s390x/translate.c:4362: equality_cond: Jumping to case "91". target-s390x/translate.c:4377: equality_cond: Jumping to case "91". target-s390x/translate.c:4363: equality_cond: Jumping to case "94". target-s390x/translate.c:4374: equality_cond: Jumping to case "94". target-s390x/translate.c:4364: equality_cond: Jumping to case "95". target-s390x/translate.c:4378: equality_cond: Jumping to case "95". target-s390x/translate.c:4398: dead_error_begin: Execution cannot reach this statement "default:". Error: DEADCODE: target-s390x/translate.c:4999: dead_error_condition: On this path, the switch value "opc" cannot reach the default case. target-s390x/translate.c:3883: const: After this line, the value of "opc" is equal to 210. target-s390x/translate.c:3883: const: After this line, the value of "opc" is equal to 212. target-s390x/translate.c:3883: const: After this line, the value of "opc" is equal to 213. target-s390x/translate.c:3883: const: After this line, the value of "opc" is equal to 214. target-s390x/translate.c:3883: const: After this line, the value of "opc" is equal to 215. target-s390x/translate.c:3883: const: After this line, the value of "opc" is equal to 220. target-s390x/translate.c:3883: const: After this line, the value of "opc" is equal to 243. target-s390x/translate.c:4984: equality_cond: Jumping to case "210". target-s390x/translate.c:4985: equality_cond: Jumping to case "212". target-s390x/translate.c:4986: equality_cond: Jumping to case "213". target-s390x/translate.c:4987: equality_cond: Jumping to case "214". target-s390x/translate.c:4988: equality_cond: Jumping to case "215". target-s390x/translate.c:4989: equality_cond: Jumping to case "220". target-s390x/translate.c:4990: equality_cond: Jumping to case "243". target-s390x/translate.c:5030: dead_error_begin: Execution cannot reach this statement "default:". 
Error: DEADCODE: monitor.c:3444: dead_error_condition: On this path, the switch value "op" cannot reach the default case. monitor.c:3440: const: After this line, the value of "op" is equal to 37. monitor.c:3440: const: After this line, the value of "op" is equal to 42. monitor.c:3440: const: After this line, the value of "op" is equal to 47. monitor.c:3440: equality_cond: Condition "op != 42" is evaluated as true. monitor.c:3440: equality_cond: Condition "op != 47" is evaluated as true. monitor.c:3440: new_values: Noticing condition "op != 37". monitor.c:3440: new_values: Noticing condition "op != 42". monitor.c:3440: new_values: Noticing condition "op != 47". monitor.c:3445: dead_error_line: Execution cannot reach this statement "default:". Error: DEADCODE: slirp/misc.c:151: dead_error_condition: On this path, the condition "do_pty == 2" cannot be true. slirp/misc.c:129: cannot_single: After this line (or expression), the value of "do_pty" cannot be 2. slirp/misc.c:152: dead_error_line: Execution cannot reach this statement "close(master);". Error: DEADCODE: slirp/misc.c:159: dead_error_condition: On this path, the condition "do_pty == 2" cannot be true. slirp/misc.c:129: cannot_single: After this line (or expression), the value of "do_pty" cannot be 2. slirp/misc.c:160: dead_error_begin: Execution cannot reach this statement "(void)close(master);". Error: DEADCODE: slirp/misc.c:213: dead_error_condition: On this path, the condition "do_pty == 2" cannot be true. slirp/misc.c:186: cannot_set: After this line (or expression), the value of "do_pty" cannot be any of { 1 2 }. slirp/misc.c:129: cannot_single: After this line (or expression), the value of "do_pty" cannot be 2. slirp/misc.c:186: const: After this line, the value of "do_pty" is equal to 1. slirp/misc.c:129: equality_cond: Condition "do_pty == 2" is evaluated as false. slirp/misc.c:159: equality_cond: Condition "do_pty == 2" is evaluated as false. 
slirp/misc.c:186: new_values: Noticing condition "do_pty == 1". slirp/misc.c:214: dead_error_begin: Execution cannot reach this statement "close(s);". Error: DEADCODE: monitor.c:3475: dead_error_condition: On this path, the switch value "op" cannot reach the default case. monitor.c:3471: const: After this line, the value of "op" is equal to 124. monitor.c:3471: const: After this line, the value of "op" is equal to 38. monitor.c:3471: const: After this line, the value of "op" is equal to 94. monitor.c:3471: equality_cond: Condition "op != 124" is evaluated as true. monitor.c:3471: equality_cond: Condition "op != 38" is evaluated as true. monitor.c:3471: new_values: Noticing condition "op != 124". monitor.c:3471: new_values: Noticing condition "op != 38". monitor.c:3471: new_values: Noticing condition "op != 94". monitor.c:3476: dead_error_line: Execution cannot reach this statement "default:". Error: DEADCODE: target-mips/translate.c:2874: dead_error_condition: On this path, the switch value "opc" cannot reach the default case. target-mips/translate.c:2719: const: After this line, the value of "opc" is equal to 1342177280. target-mips/translate.c:2719: const: After this line, the value of "opc" is equal to 1409286144. target-mips/translate.c:2719: const: After this line, the value of "opc" is equal to 1476395008. target-mips/translate.c:2719: const: After this line, the value of "opc" is equal to 1543503872. target-mips/translate.c:2719: const: After this line, the value of "opc" is equal to 268435456. target-mips/translate.c:2719: const: After this line, the value of "opc" is equal to 335544320. target-mips/translate.c:2719: const: After this line, the value of "opc" is equal to 402653184. target-mips/translate.c:2719: const: After this line, the value of "opc" is equal to 469762048. target-mips/translate.c:2719: const: After this line, the value of "opc" is equal to 67108864. 
target-mips/translate.c:2719: const: After this line, the value of "opc" is equal to 67174400. target-mips/translate.c:2719: const: After this line, the value of "opc" is equal to 67239936. target-mips/translate.c:2719: const: After this line, the value of "opc" is equal to 67305472. target-mips/translate.c:2719: const: After this line, the value of "opc" is equal to 68157440. target-mips/translate.c:2719: const: After this line, the value of "opc" is equal to 68157445. target-mips/translate.c:2719: const: After this line, the value of "opc" is equal to 68222976. target-mips/translate.c:2719: const: After this line, the value of "opc" is equal to 68222981. target-mips/translate.c:2719: const: After this line, the value of "opc" is equal to 68288512. target-mips/translate.c:2719: const: After this line, the value of "opc" is equal to 68354048. target-mips/translate.c:2721: equality_cond: Jumping to case "1342177280U". target-mips/translate.c:2723: equality_cond: Jumping to case "1409286144U". target-mips/translate.c:2740: equality_cond: Jumping to case "1476395008U". target-mips/translate.c:2738: equality_cond: Jumping to case "1543503872U". target-mips/translate.c:2720: equality_cond: Jumping to case "268435456U". target-mips/translate.c:2722: equality_cond: Jumping to case "335544320U". target-mips/translate.c:2739: equality_cond: Jumping to case "402653184U". target-mips/translate.c:2737: equality_cond: Jumping to case "469762048U". target-mips/translate.c:2741: equality_cond: Jumping to case "67108864U". target-mips/translate.c:2732: equality_cond: Jumping to case "67174400U". target-mips/translate.c:2745: equality_cond: Jumping to case "67239936U". target-mips/translate.c:2736: equality_cond: Jumping to case "67305472U". target-mips/translate.c:2742: equality_cond: Jumping to case "68157440U". target-mips/translate.c:2743: equality_cond: Jumping to case "68157445U". target-mips/translate.c:2733: equality_cond: Jumping to case "68222976U". 
target-mips/translate.c:2734: equality_cond: Jumping to case "68222981U". target-mips/translate.c:2744: equality_cond: Jumping to case "68288512U". target-mips/translate.c:2735: equality_cond: Jumping to case "68354048U". target-mips/translate.c:2959: dead_error_begin: Execution cannot reach this statement "default:". Error: DEADCODE: target-mips/translate.c:2719: const: After this line, the value of "opc" is equal to 1543503872. target-mips/translate.c:2719: const: After this line, the value of "opc" is equal to 1946157056. target-mips/translate.c:2719: const: After this line, the value of "opc" is equal to 1946157061. target-mips/translate.c:2719: const: After this line, the value of "opc" is equal to 201326592. target-mips/translate.c:2719: const: After this line, the value of "opc" is equal to 201326597. target-mips/translate.c:2719: const: After this line, the value of "opc" is equal to 268435456. target-mips/translate.c:2719: const: After this line, the value of "opc" is equal to 329. target-mips/translate.c:2719: const: After this line, the value of "opc" is equal to 335544320. target-mips/translate.c:2719: const: After this line, the value of "opc" is equal to 336. target-mips/translate.c:2719: const: After this line, the value of "opc" is equal to 402653184. target-mips/translate.c:2719: const: After this line, the value of "opc" is equal to 469762048. target-mips/translate.c:2719: const: After this line, the value of "opc" is equal to 67108864. target-mips/translate.c:2719: const: After this line, the value of "opc" is equal to 67174400. target-mips/translate.c:2719: const: After this line, the value of "opc" is equal to 67239936. target-mips/translate.c:2719: const: After this line, the value of "opc" is equal to 67305472. target-mips/translate.c:2719: const: After this line, the value of "opc" is equal to 68157440. target-mips/translate.c:2719: const: After this line, the value of "opc" is equal to 68157445. 
target-mips/translate.c:2719: const: After this line, the value of "opc" is equal to 68222976. target-mips/translate.c:2719: const: After this line, the value of "opc" is equal to 68222981. target-mips/translate.c:2719: const: After this line, the value of "opc" is equal to 68288512. target-mips/translate.c:2719: const: After this line, the value of "opc" is equal to 68354048. target-mips/translate.c:2719: const: After this line, the value of "opc" is equal to 8. target-mips/translate.c:2719: const: After this line, the value of "opc" is equal to 9. target-mips/translate.c:2721: equality_cond: Jumping to case "1342177280U". target-mips/translate.c:2753: equality_cond: Jumping to case "134217728U". target-mips/translate.c:2723: equality_cond: Jumping to case "1409286144U". target-mips/translate.c:2740: equality_cond: Jumping to case "1476395008U". target-mips/translate.c:2738: equality_cond: Jumping to case "1543503872U". target-mips/translate.c:2755: equality_cond: Jumping to case "1946157056U". target-mips/translate.c:2757: equality_cond: Jumping to case "1946157061U". target-mips/translate.c:2754: equality_cond: Jumping to case "201326592U". target-mips/translate.c:2756: equality_cond: Jumping to case "201326597U". target-mips/translate.c:2720: equality_cond: Jumping to case "268435456U". target-mips/translate.c:2763: equality_cond: Jumping to case "329U". target-mips/translate.c:2722: equality_cond: Jumping to case "335544320U". target-mips/translate.c:2764: equality_cond: Jumping to case "336U". target-mips/translate.c:2739: equality_cond: Jumping to case "402653184U". target-mips/translate.c:2737: equality_cond: Jumping to case "469762048U". target-mips/translate.c:2741: equality_cond: Jumping to case "67108864U". target-mips/translate.c:2732: equality_cond: Jumping to case "67174400U". target-mips/translate.c:2745: equality_cond: Jumping to case "67239936U". target-mips/translate.c:2736: equality_cond: Jumping to case "67305472U". 
target-mips/translate.c:2742: equality_cond: Jumping to case "68157440U". target-mips/translate.c:2743: equality_cond: Jumping to case "68157445U". target-mips/translate.c:2733: equality_cond: Jumping to case "68222976U". target-mips/translate.c:2734: equality_cond: Jumping to case "68222981U". target-mips/translate.c:2744: equality_cond: Jumping to case "68288512U". target-mips/translate.c:2735: equality_cond: Jumping to case "68354048U". target-mips/translate.c:2761: equality_cond: Jumping to case "8U". target-mips/translate.c:2762: equality_cond: Jumping to case "9U". target-mips/translate.c:2868: dead_error_begin: Execution cannot reach this statement "default:". Error: DEADCODE: target-mips/translate.c:7730: dead_error_condition: On this path, the switch value "optype" cannot be "CMPOP". target-mips/translate.c:6558: const: After this line, the value of "optype" is equal to 0. target-mips/translate.c:6573: const: After this line, the value of "optype" is equal to 0. target-mips/translate.c:6588: const: After this line, the value of "optype" is equal to 0. target-mips/translate.c:6603: const: After this line, the value of "optype" is equal to 0. target-mips/translate.c:6956: const: After this line, the value of "optype" is equal to 0. target-mips/translate.c:6972: const: After this line, the value of "optype" is equal to 0. target-mips/translate.c:6988: const: After this line, the value of "optype" is equal to 0. target-mips/translate.c:7004: const: After this line, the value of "optype" is equal to 0. target-mips/translate.c:6541: const: After this line, the value of "optype" is equal to 2. target-mips/translate.c:6558: assignment: Assigning: "optype" = "BINOP". target-mips/translate.c:6573: assignment: Assigning: "optype" = "BINOP". target-mips/translate.c:6588: assignment: Assigning: "optype" = "BINOP". target-mips/translate.c:6603: assignment: Assigning: "optype" = "BINOP". target-mips/translate.c:6956: assignment: Assigning: "optype" = "BINOP". 
target-mips/translate.c:6972: assignment: Assigning: "optype" = "BINOP". target-mips/translate.c:6988: assignment: Assigning: "optype" = "BINOP". target-mips/translate.c:7004: assignment: Assigning: "optype" = "BINOP". target-mips/translate.c:6541: assignment: Assigning: "optype" = "OTHEROP". target-mips/translate.c:7730: dead_error_begin: Execution cannot reach this statement "case CMPOP:". Error: DEADCODE: fpu/softfloat-macros.h:171: dead_error_condition: On this path, the condition "count < 64" cannot be true. fpu/softfloat-macros.h:166: at_least: After this line, the value of "count" is at least 64. fpu/softfloat-macros.h:162: equality_cond: Condition "count == 0" is evaluated as false. fpu/softfloat-macros.h:166: new_values: Noticing condition "count < 64". fpu/softfloat-macros.h:171: dead_error_line: Execution cannot reach this expression "a0 >> (count & 0x3f)" inside statement "z1 = ((count < 64) ? a0 >> ...". Error: DEADCODE: bt-host.c:163: dead_error_condition: On this path, the condition "fd < 0" cannot be false. bt-host.c:148: const: After this line, the value of "fd" is equal to -1. bt-host.c:148: assignment: Assigning: "fd" = "-1". bt-host.c:180: dead_error_begin: Execution cannot reach this statement "s = g_malloc0(1096UL);". Error: DEADCODE: linux-user/syscall_defs.h:308: dead_error_condition: On this path, the condition "i < 1" cannot be true. linux-user/syscall_defs.h:308: const: After this line, the value of "i" is equal to 1. linux-user/syscall_defs.h:308: assignment: Assigning: "i" = "1". linux-user/syscall_defs.h:309: dead_error_begin: Execution cannot reach this statement "d->sig[i] = 0UL;". Error: DEADCODE: linux-user/signal.c:195: dead_error_condition: On this path, the condition "i < 1" cannot be true. linux-user/signal.c:195: const: After this line, the value of "i" is equal to 1. linux-user/signal.c:195: assignment: Assigning: "i" = "1". linux-user/signal.c:196: dead_error_begin: Execution cannot reach this statement "d.sig[i] = 0UL;". 
Error: DEADCODE: aes.c:798: dead_error_condition: On this path, the condition "bits == 256" cannot be false. aes.c:776: const: After this line, the value of "bits" is equal to 256. aes.c:745: equality_cond: Condition "bits == 128" is evaluated as false. aes.c:756: equality_cond: Condition "bits == 128" is evaluated as false. aes.c:747: equality_cond: Condition "bits == 192" is evaluated as false. aes.c:776: equality_cond: Condition "bits == 192" is evaluated as false. aes.c:740: equality_cond: Condition "bits != 128" is evaluated as true. aes.c:740: equality_cond: Condition "bits != 192" is evaluated as true. aes.c:740: new_values: Noticing condition "bits != 256". aes.c:826: dead_error_line: Execution cannot reach this statement "return 0;". Error: DEADCODE: target-i386/op_helper.c:1059: dead_error_condition: On this path, the condition "ist != 0" cannot be true. target-i386/op_helper.c:1045: const: After this line, the value of "ist" is equal to 0. target-i386/op_helper.c:1045: new_values: Noticing condition "ist != 0". target-i386/op_helper.c:1060: dead_error_line: Execution cannot reach this statement "esp = get_rsp_from_tss(ist ...". Error: DEADCODE: target-sparc/translate.c:4891: dead_error_condition: On this path, the switch value "xop" cannot reach the default case. target-sparc/translate.c:4887: between: After this line, the value of "xop" is between 32 and 35. target-sparc/translate.c:4675: equality_cond: Condition "xop == 31U" is evaluated as false. target-sparc/translate.c:4660: equality_cond: Condition "xop == 60U" is evaluated as false. target-sparc/translate.c:4675: equality_cond: Condition "xop == 61U" is evaluated as false. target-sparc/translate.c:4660: equality_cond: Condition "xop == 62U" is evaluated as false. target-sparc/translate.c:4675: new_values: Noticing condition "xop < 20U". target-sparc/translate.c:4887: new_values: Noticing condition "xop < 36U". target-sparc/translate.c:4675: new_values: Noticing condition "xop < 4U". 
target-sparc/translate.c:4675: new_values: Noticing condition "xop <= 29U". target-sparc/translate.c:4675: new_values: Noticing condition "xop > 23U". target-sparc/translate.c:4675: new_values: Noticing condition "xop > 44U". target-sparc/translate.c:4675: new_values: Noticing condition "xop > 7U". target-sparc/translate.c:4887: new_values: Noticing condition "xop >= 32U". target-sparc/translate.c:4936: dead_error_begin: Execution cannot reach this statement "default:". Error: DEADCODE: target-sparc/translate.c:5038: dead_error_condition: On this path, the switch value "xop" cannot reach the default case. target-sparc/translate.c:5034: between: After this line, the value of "xop" is between 36 and 39. target-sparc/translate.c:4939: equality_cond: Condition "xop == 14U" is evaluated as false. target-sparc/translate.c:4939: equality_cond: Condition "xop == 30U" is evaluated as false. target-sparc/translate.c:4675: equality_cond: Condition "xop == 31U" is evaluated as false. target-sparc/translate.c:4660: equality_cond: Condition "xop == 60U" is evaluated as false. target-sparc/translate.c:4675: equality_cond: Condition "xop == 61U" is evaluated as false. target-sparc/translate.c:4660: equality_cond: Condition "xop == 62U" is evaluated as false. target-sparc/translate.c:4675: new_values: Noticing condition "xop < 20U". target-sparc/translate.c:4939: new_values: Noticing condition "xop < 24U". target-sparc/translate.c:4887: new_values: Noticing condition "xop < 36U". target-sparc/translate.c:5034: new_values: Noticing condition "xop < 40U". target-sparc/translate.c:4675: new_values: Noticing condition "xop < 4U". target-sparc/translate.c:4939: new_values: Noticing condition "xop < 8U". target-sparc/translate.c:4675: new_values: Noticing condition "xop <= 29U". target-sparc/translate.c:4675: new_values: Noticing condition "xop > 23U". target-sparc/translate.c:5034: new_values: Noticing condition "xop > 35U". 
target-sparc/translate.c:4675: new_values: Noticing condition "xop > 44U". target-sparc/translate.c:4675: new_values: Noticing condition "xop > 7U". target-sparc/translate.c:4939: new_values: Noticing condition "xop >= 20U". target-sparc/translate.c:4887: new_values: Noticing condition "xop >= 32U". target-sparc/translate.c:5089: dead_error_begin: Execution cannot reach this statement "default:". Error: DEADCODE: target-sparc/translate.c:4942: dead_error_condition: On this path, the switch value "xop" cannot reach the default case. target-sparc/translate.c:4939: between: After this line, the value of "xop" is between 20 and 23. target-sparc/translate.c:4939: between: After this line, the value of "xop" is between 4 and 7. target-sparc/translate.c:4939: const: After this line, the value of "xop" is equal to 14. target-sparc/translate.c:4939: const: After this line, the value of "xop" is equal to 30. target-sparc/translate.c:4939: equality_cond: Condition "xop == 14U" is evaluated as false. target-sparc/translate.c:4675: equality_cond: Condition "xop == 31U" is evaluated as false. target-sparc/translate.c:4660: equality_cond: Condition "xop == 60U" is evaluated as false. target-sparc/translate.c:4675: equality_cond: Condition "xop == 61U" is evaluated as false. target-sparc/translate.c:4660: equality_cond: Condition "xop == 62U" is evaluated as false. target-sparc/translate.c:4675: new_values: Noticing condition "xop != 14U". target-sparc/translate.c:4675: new_values: Noticing condition "xop < 20U". target-sparc/translate.c:4939: new_values: Noticing condition "xop < 24U". target-sparc/translate.c:4675: new_values: Noticing condition "xop < 4U". target-sparc/translate.c:4939: new_values: Noticing condition "xop < 8U". target-sparc/translate.c:4675: new_values: Noticing condition "xop <= 29U". target-sparc/translate.c:4939: new_values: Noticing condition "xop == 14U". target-sparc/translate.c:4939: new_values: Noticing condition "xop == 30U". 
target-sparc/translate.c:4675: new_values: Noticing condition "xop > 23U". target-sparc/translate.c:4675: new_values: Noticing condition "xop > 44U". target-sparc/translate.c:4675: new_values: Noticing condition "xop > 7U". target-sparc/translate.c:4939: new_values: Noticing condition "xop >= 20U". target-sparc/translate.c:4887: new_values: Noticing condition "xop >= 32U". target-sparc/translate.c:5031: dead_error_begin: Execution cannot reach this statement "default:". Error: DEADCODE: libcacard/vscclient.c:255: dead_error_condition: On this path, the condition "reader" cannot be false. libcacard/vscclient.c:253: cannot_single: After this line (or expression), the value of "reader" cannot be 0. libcacard/vscclient.c:255: dead_error_line: Execution cannot reach this expression ""invalid reader"" inside statement "printf("insert %s, returned...". Error: DEADCODE: libcacard/vscclient.c:268: dead_error_condition: On this path, the condition "reader" cannot be false. libcacard/vscclient.c:266: cannot_single: After this line (or expression), the value of "reader" cannot be 0. libcacard/vscclient.c:268: dead_error_line: Execution cannot reach this expression ""invalid reader"" inside statement "printf("remove %s, returned...". Error: DEADCODE: hw/ide/core.c:1520: dead_error_condition: On this path, the condition "hob" cannot be true. hw/ide/core.c:1511: const: After this line, the value of "hob" is equal to 0. hw/ide/core.c:1511: assignment: Assigning: "hob" = "0". hw/ide/core.c:1523: dead_error_line: Execution cannot reach this statement "ret = s->hob_feature;". Error: DEADCODE: hw/ide/core.c:1528: dead_error_condition: On this path, the condition "hob" cannot be true. hw/ide/core.c:1511: const: After this line, the value of "hob" is equal to 0. hw/ide/core.c:1511: assignment: Assigning: "hob" = "0". hw/ide/core.c:1531: dead_error_line: Execution cannot reach this statement "ret = s->hob_nsector;". 
Error: DEADCODE: hw/ide/core.c:1536: dead_error_condition: On this path, the condition "hob" cannot be true. hw/ide/core.c:1511: const: After this line, the value of "hob" is equal to 0. hw/ide/core.c:1511: assignment: Assigning: "hob" = "0". hw/ide/core.c:1539: dead_error_line: Execution cannot reach this statement "ret = s->hob_sector;". Error: DEADCODE: hw/ide/core.c:1544: dead_error_condition: On this path, the condition "hob" cannot be true. hw/ide/core.c:1511: const: After this line, the value of "hob" is equal to 0. hw/ide/core.c:1511: assignment: Assigning: "hob" = "0". hw/ide/core.c:1547: dead_error_line: Execution cannot reach this statement "ret = s->hob_lcyl;". Error: DEADCODE: hw/ide/core.c:1552: dead_error_condition: On this path, the condition "hob" cannot be true. hw/ide/core.c:1511: const: After this line, the value of "hob" is equal to 0. hw/ide/core.c:1511: assignment: Assigning: "hob" = "0". hw/ide/core.c:1555: dead_error_line: Execution cannot reach this statement "ret = s->hob_hcyl;". Error: DEADCODE: hw/pci-hotplug.c:202: dead_error_condition: On this path, the switch value "type" cannot reach the default case. hw/pci-hotplug.c:168: const: After this line, the value of "type" is equal to 2. hw/pci-hotplug.c:170: const: After this line, the value of "type" is equal to 7. hw/pci-hotplug.c:168: assignment: Assigning: "type" = "2". hw/pci-hotplug.c:170: assignment: Assigning: "type" = "7". hw/pci-hotplug.c:228: dead_error_begin: Execution cannot reach this statement "default:". Error: DEADCODE: hw/arm_gic.c:409: dead_error_condition: On this path, the condition "irq < 16" cannot be true. hw/arm_gic.c:407: between: After this line, the value of "irq" is between 32 and 95. hw/arm_gic.c:406: assignment: Assigning: "irq" = "(offset - 256U) * 8U + 32U". hw/arm_gic.c:407: new_values: Noticing condition "irq >= 96". hw/arm_gic.c:391: new_values: Noticing condition "offset < 256U". 
hw/arm_gic.c:410: dead_error_line: Execution cannot reach this statement "value = 255U;". Error: DEADCODE: hw/arm_gic.c:434: dead_error_condition: On this path, the condition "irq < 16" cannot be true. hw/arm_gic.c:432: between: After this line, the value of "irq" is between 32 and 95. hw/arm_gic.c:431: assignment: Assigning: "irq" = "(offset - 384U) * 8U + 32U". hw/arm_gic.c:432: new_values: Noticing condition "irq >= 96". hw/arm_gic.c:391: new_values: Noticing condition "offset < 256U". hw/arm_gic.c:435: dead_error_line: Execution cannot reach this statement "value = 0U;". Error: DEADCODE: hw/arm_gic.c:451: dead_error_condition: On this path, the condition "irq < 16" cannot be true. hw/arm_gic.c:449: between: After this line, the value of "irq" is between 32 and 95. hw/arm_gic.c:448: assignment: Assigning: "irq" = "(offset - 512U) * 8U + 32U". hw/arm_gic.c:449: new_values: Noticing condition "irq >= 96". hw/arm_gic.c:391: new_values: Noticing condition "offset < 256U". hw/arm_gic.c:452: dead_error_line: Execution cannot reach this statement "irq = 0;". Error: DEADCODE: hw/arm_gic.c:480: dead_error_condition: On this path, the condition "irq < 32" cannot be true. hw/arm_gic.c:478: between: After this line, the value of "irq" is between 32 and 95. hw/arm_gic.c:477: assignment: Assigning: "irq" = "offset - 1024U + 32U". hw/arm_gic.c:478: new_values: Noticing condition "irq >= 96". hw/arm_gic.c:472: new_values: Noticing condition "offset < 1024U". hw/arm_gic.c:481: dead_error_line: Execution cannot reach this statement "s->priority1[irq][cpu] = va...". Error: DEADCODE: ui/curses.c:181: dead_error_condition: On this path, the condition "nextchr == -1" cannot be false. ui/curses.c:178: const: After this line, the value of "nextchr" is equal to -1. ui/curses.c:181: const: After this line, the value of "nextchr" is equal to -1. ui/curses.c:211: const: After this line, the value of "nextchr" is equal to -1. 
ui/curses.c:215: const: After this line, the value of "nextchr" is equal to -1. ui/curses.c:178: assignment: Assigning: "nextchr" = "-1". ui/curses.c:215: assignment: Assigning: "nextchr" = "-1". ui/curses.c:211: new_values: Noticing condition "nextchr != -1". ui/curses.c:181: new_values: Noticing condition "nextchr == -1". ui/curses.c:184: dead_error_begin: Execution cannot reach this statement "chr = nextchr;". Error: DEADCODE: arm-dis.c:4012: dead_error_condition: On this path, the condition "is_data" cannot be true. arm-dis.c:3874: const: After this line, the value of "is_data" is equal to 0. arm-dis.c:3874: assignment: Assigning: "is_data" = "0". arm-dis.c:4014: dead_error_begin: Execution cannot reach this statement "int i;". Error: FORWARD_NULL: memory.c:651: assign_zero: Assigning: "ioeventfds" = 0. memory.c:670: var_deref_model: Passing null variable "ioeventfds" to function "address_space_add_del_ioeventfds", which dereferences it. memory.c:628: deref_parm: Directly dereferencing parameter "fds_new". Error: FORWARD_NULL: block/qcow2-refcount.c:420: assign_zero: Assigning: "refcount_block" = 0. block/qcow2-refcount.c:472: var_deref_op: Dereferencing null variable "refcount_block". Error: FORWARD_NULL: qapi-visit.c:679: var_compare_op: Comparing "*obj" to null implies that "*obj" might be null. qapi-visit.c:680: var_deref_op: Dereferencing null variable "*obj". Error: FORWARD_NULL: qapi-visit.c:679: var_compare_op: Comparing "obj" to null implies that "obj" might be null. qapi-visit.c:680: var_deref_op: Dereferencing null variable "obj". Error: FORWARD_NULL: qapi-visit.c:717: var_compare_op: Comparing "*obj" to null implies that "*obj" might be null. qapi-visit.c:718: var_deref_op: Dereferencing null variable "*obj". Error: FORWARD_NULL: qapi-visit.c:717: var_compare_op: Comparing "obj" to null implies that "obj" might be null. qapi-visit.c:718: var_deref_op: Dereferencing null variable "obj". 
Error: FORWARD_NULL: slirp/tcp_subr.c:117: var_compare_op: Comparing "tp" to null implies that "tp" might be null. slirp/tcp_subr.c:120: var_deref_op: Dereferencing null variable "tp". Error: FORWARD_NULL: qapi-visit.c:448: var_compare_op: Comparing "*obj" to null implies that "*obj" might be null. qapi-visit.c:449: var_deref_op: Dereferencing null variable "*obj". Error: FORWARD_NULL: qapi-visit.c:448: var_compare_op: Comparing "obj" to null implies that "obj" might be null. qapi-visit.c:449: var_deref_op: Dereferencing null variable "obj". Error: FORWARD_NULL: qapi-visit.c:746: var_compare_op: Comparing "*obj" to null implies that "*obj" might be null. qapi-visit.c:747: var_deref_op: Dereferencing null variable "*obj". Error: FORWARD_NULL: qapi-visit.c:746: var_compare_op: Comparing "obj" to null implies that "obj" might be null. qapi-visit.c:747: var_deref_op: Dereferencing null variable "obj". Error: FORWARD_NULL: qapi-visit.c:315: var_compare_op: Comparing "*obj" to null implies that "*obj" might be null. qapi-visit.c:316: var_deref_op: Dereferencing null variable "*obj". Error: FORWARD_NULL: qapi-visit.c:315: var_compare_op: Comparing "obj" to null implies that "obj" might be null. qapi-visit.c:316: var_deref_op: Dereferencing null variable "obj". Error: FORWARD_NULL: qapi-visit.c:271: var_compare_op: Comparing "*obj" to null implies that "*obj" might be null. qapi-visit.c:272: var_deref_op: Dereferencing null variable "*obj". Error: FORWARD_NULL: qapi-visit.c:271: var_compare_op: Comparing "obj" to null implies that "obj" might be null. qapi-visit.c:272: var_deref_op: Dereferencing null variable "obj". Error: FORWARD_NULL: block.c:948: var_compare_op: Comparing "bs->backing_hd" to null implies that "bs->backing_hd" might be null. block.c:956: var_deref_model: Passing null variable "bs->backing_hd" to function "bdrv_delete", which dereferences it. block.c:748: deref_parm: Directly dereferencing parameter "bs". 
Error: FORWARD_NULL: qapi-visit.c:350: var_compare_op: Comparing "*obj" to null implies that "*obj" might be null. qapi-visit.c:351: var_deref_op: Dereferencing null variable "*obj". Error: FORWARD_NULL: qapi-visit.c:350: var_compare_op: Comparing "obj" to null implies that "obj" might be null. qapi-visit.c:351: var_deref_op: Dereferencing null variable "obj". Error: FORWARD_NULL: qapi-visit.c:479: var_compare_op: Comparing "*obj" to null implies that "*obj" might be null. qapi-visit.c:480: var_deref_op: Dereferencing null variable "*obj". Error: FORWARD_NULL: qapi-visit.c:479: var_compare_op: Comparing "obj" to null implies that "obj" might be null. qapi-visit.c:480: var_deref_op: Dereferencing null variable "obj". Error: FORWARD_NULL: qapi-visit.c:414: var_compare_op: Comparing "*obj" to null implies that "*obj" might be null. qapi-visit.c:415: var_deref_op: Dereferencing null variable "*obj". Error: FORWARD_NULL: qapi-visit.c:414: var_compare_op: Comparing "obj" to null implies that "obj" might be null. qapi-visit.c:415: var_deref_op: Dereferencing null variable "obj". Error: FORWARD_NULL: qapi-visit.c:603: var_compare_op: Comparing "*obj" to null implies that "*obj" might be null. qapi-visit.c:604: var_deref_op: Dereferencing null variable "*obj". Error: FORWARD_NULL: qapi-visit.c:603: var_compare_op: Comparing "obj" to null implies that "obj" might be null. qapi-visit.c:604: var_deref_op: Dereferencing null variable "obj". Error: FORWARD_NULL: qapi-visit.c:21: var_compare_op: Comparing "*obj" to null implies that "*obj" might be null. qapi-visit.c:22: var_deref_op: Dereferencing null variable "*obj". Error: FORWARD_NULL: qapi-visit.c:21: var_compare_op: Comparing "obj" to null implies that "obj" might be null. qapi-visit.c:22: var_deref_op: Dereferencing null variable "obj". Error: FORWARD_NULL: hw/usb-ehci.c:1984: assign_zero: Assigning: "q" = 0. 
hw/usb-ehci.c:2027: var_deref_model: Passing null variable "q" to function "ehci_state_advqueue", which dereferences it. hw/usb-ehci.c:1763: deref_parm: Directly dereferencing parameter "q". hw/usb-ehci.c:2031: var_deref_model: Passing null variable "q" to function "ehci_state_fetchqtd", which dereferences it. hw/usb-ehci.c:1792: deref_parm: Directly dereferencing parameter "q". hw/usb-ehci.c:2035: var_deref_model: Passing null variable "q" to function "ehci_state_horizqh", which dereferences it. hw/usb-ehci.c:1811: deref_parm: Directly dereferencing parameter "q". hw/usb-ehci.c:2040: var_deref_model: Passing null variable "q" to function "ehci_state_execute", which dereferences it. hw/usb-ehci.c:1845: deref_parm_in_call: Function "ehci_qh_do_overlay" dereferences parameter "q". hw/usb-ehci.c:1143: deref_parm: Directly dereferencing parameter "q". Error: FORWARD_NULL: qapi-visit.c:209: var_compare_op: Comparing "*obj" to null implies that "*obj" might be null. qapi-visit.c:210: var_deref_op: Dereferencing null variable "*obj". Error: FORWARD_NULL: qapi-visit.c:209: var_compare_op: Comparing "obj" to null implies that "obj" might be null. qapi-visit.c:210: var_deref_op: Dereferencing null variable "obj". Error: FORWARD_NULL: qapi-visit.c:552: var_compare_op: Comparing "*obj" to null implies that "*obj" might be null. qapi-visit.c:553: var_deref_op: Dereferencing null variable "*obj". Error: FORWARD_NULL: qapi-visit.c:552: var_compare_op: Comparing "obj" to null implies that "obj" might be null. qapi-visit.c:553: var_deref_op: Dereferencing null variable "obj". Error: FORWARD_NULL: libcacard/vcard_emul_nss.c:1144: assign_zero: Assigning: "vreaderOpt" = 0. libcacard/vcard_emul_nss.c:1175: alias_transfer: Assigning null: "vreaderOpt" = "vreaderOpt + opts->vreader_count". libcacard/vcard_emul_nss.c:1176: var_deref_op: Dereferencing null variable "vreaderOpt". Error: FORWARD_NULL: block/qcow2-refcount.c:1000: assign_zero: Assigning: "l1_table" = 0. 
block/qcow2-refcount.c:1012: var_deref_op: Dereferencing null variable "l1_table". Error: FORWARD_NULL: block/qcow2-refcount.c:707: assign_zero: Assigning: "l1_table" = 0. block/qcow2-refcount.c:718: var_deref_model: Passing null variable "l1_table + i" to function "be64_to_cpus", which dereferences it. bswap.h:130: deref_parm: Directly dereferencing parameter "p". Error: FORWARD_NULL: block/qcow2-refcount.c:707: assign_zero: Assigning: "l1_table" = 0. block/qcow2-refcount.c:710: var_deref_model: Passing null variable "l1_table" to function "bdrv_pread", which dereferences it. block.c:1154: deref_parm_in_call: Function "memcpy" dereferences parameter "buf". (The dereference is assumed on the basis of the 'nonnull' parameter attribute.) Error: FORWARD_NULL: i386-dis.c:3826: var_compare_op: Comparing "dp->name" to null implies that "dp->name" might be null. i386-dis.c:3867: var_deref_model: Passing null variable "dp->name" to function "putop", which dereferences it. i386-dis.c:4340: var_assign_parm: Assigning: "p" = "template". i386-dis.c:4340: deref_var: Dereferencing "p" (which is a copy of "template"). Error: FORWARD_NULL: block/qed.c:581: var_compare_op: Comparing "backing_file" to null implies that "backing_file" might be null. block/qed.c:596: var_deref_model: Passing null variable "backing_file" to function "bdrv_pwrite", which dereferences it. block.c:1199: deref_parm_in_call: Function "memcpy" dereferences parameter "buf". (The dereference is assumed on the basis of the 'nonnull' parameter attribute.) Error: FORWARD_NULL: hw/omap_intc.c:475: assign_zero: Assigning: "bank" = 0. hw/omap_intc.c:525: var_deref_op: Dereferencing null variable "bank". hw/omap_intc.c:531: var_deref_op: Dereferencing null variable "bank". hw/omap_intc.c:537: var_deref_op: Dereferencing null variable "bank". hw/omap_intc.c:541: var_deref_op: Dereferencing null variable "bank". hw/omap_intc.c:547: var_deref_op: Dereferencing null variable "bank". 
Error: FORWARD_NULL: hw/ivshmem.c:712: var_compare_op: Comparing "s->shmobj" to null implies that "s->shmobj" might be null. hw/ivshmem.c:720: var_deref_model: Passing null variable "s->shmobj" to function "shm_open", which dereferences it. Error: FORWARD_NULL: hw/scsi-bus.c:225: var_compare_op: Comparing "req->dev" to null implies that "req->dev" might be null. hw/scsi-bus.c:228: var_deref_model: Passing null variable "req->dev" to function "scsi_req_build_sense", which dereferences it. hw/scsi-bus.c:613: deref_parm: Directly dereferencing parameter "req->dev". Error: FORWARD_NULL: usb-linux.c:1870: var_compare_op: Comparing "port" to null implies that "port" might be null. usb-linux.c:1893: var_deref_model: Passing null variable "port" to function "usb_host_open", which dereferences it. usb-linux.c:1266: deref_parm_in_call: Function "strcpy" dereferences parameter "port". (The dereference is assumed on the basis of the 'nonnull' parameter attribute.) Error: FORWARD_NULL: hw/omap_intc.c:394: assign_zero: Assigning: "bank" = 0. hw/omap_intc.c:434: var_deref_op: Dereferencing null variable "bank". hw/omap_intc.c:437: var_deref_op: Dereferencing null variable "bank". hw/omap_intc.c:444: var_deref_op: Dereferencing null variable "bank". hw/omap_intc.c:450: var_deref_op: Dereferencing null variable "bank". hw/omap_intc.c:453: var_deref_op: Dereferencing null variable "bank". Error: INFINITE_LOOP: block.c:1083: loop_top: Top of the loop. block.c:1084: loop_bottom: Bottom of the loop. block.c:1083: loop_condition: "rwco.ret == 2147483647" must remain true for the loop to continue. Error: INFINITE_LOOP: block.c:2872: loop_top: Top of the loop. block.c:2873: loop_bottom: Bottom of the loop. block.c:2872: loop_condition: "rwco.ret == 2147483647" must remain true for the loop to continue. Error: INFINITE_LOOP: block/qed-table.c:300: loop_top: Top of the loop. block/qed-table.c:301: loop_bottom: Bottom of the loop. 
block/qed-table.c:300: loop_condition: "ret == -115" must remain true for the loop to continue. Error: INFINITE_LOOP: block/qed-table.c:205: loop_top: Top of the loop. block/qed-table.c:206: loop_bottom: Bottom of the loop. block/qed-table.c:205: loop_condition: "ret == -115" must remain true for the loop to continue. Error: INFINITE_LOOP: block/qed-table.c:278: loop_top: Top of the loop. block/qed-table.c:279: loop_bottom: Bottom of the loop. block/qed-table.c:278: loop_condition: "ret == -115" must remain true for the loop to continue. Error: INFINITE_LOOP: block.c:2933: loop_top: Top of the loop. block.c:2934: loop_bottom: Bottom of the loop. block.c:2933: loop_condition: "rwco.ret == 2147483647" must remain true for the loop to continue. Error: INFINITE_LOOP: qemu-io.c:255: loop_top: Top of the loop. qemu-io.c:256: loop_bottom: Bottom of the loop. qemu-io.c:255: loop_condition: "async_ret == 2147483647" must remain true for the loop to continue. Error: INFINITE_LOOP: qemu-io.c:274: loop_top: Top of the loop. qemu-io.c:275: loop_bottom: Bottom of the loop. qemu-io.c:274: loop_condition: "async_ret == 2147483647" must remain true for the loop to continue. Error: INFINITE_LOOP: block/qed-table.c:184: loop_top: Top of the loop. block/qed-table.c:185: loop_bottom: Bottom of the loop. block/qed-table.c:184: loop_condition: "ret == -115" must remain true for the loop to continue. Error: INFINITE_LOOP: block/qed.c:689: loop_top: Top of the loop. block/qed.c:690: loop_bottom: Bottom of the loop. block/qed.c:689: loop_condition: "cb.is_allocated == -1" must remain true for the loop to continue. Error: MISSING_BREAK: json-lexer.c:302: unterminated_case: This case (value 104) is not terminated by a 'break' statement. json-lexer.c:304: fallthrough: The above case falls through to this one. Error: MISSING_BREAK: qemu-option.c:222: unterminated_case: This case (value 107) is not terminated by a 'break' statement. 
qemu-option.c:224: fallthrough: The above case falls through to this one. Error: MISSING_BREAK: qemu-option.c:217: unterminated_case: This case (value 71) is not terminated by a 'break' statement. qemu-option.c:219: fallthrough: The above case falls through to this one. Error: MISSING_BREAK: qemu-option.c:219: unterminated_case: This case (value 77) is not terminated by a 'break' statement. qemu-option.c:221: fallthrough: The above case falls through to this one. Error: MISSING_BREAK: qemu-option.c:215: unterminated_case: This case (value 84) is not terminated by a 'break' statement. qemu-option.c:217: fallthrough: The above case falls through to this one. Error: MISSING_BREAK: cutils.c:368: unterminated_case: This case (value 0) is not terminated by a 'break' statement. cutils.c:372: fallthrough: The above case falls through to this one. Error: MISSING_BREAK: console.c:1677: unterminated_case: This case (value 24) is not terminated by a 'break' statement. console.c:1690: fallthrough: The above case falls through to this one. Error: MISSING_BREAK: console.c:981: unterminated_case: This case (value 74) is not terminated by a 'break' statement. console.c:1014: fallthrough: The above case falls through to this one. Error: MISSING_BREAK: target-i386/translate.c:3681: unterminated_case: This case (value 312) is not terminated by a 'break' statement. target-i386/translate.c:3684: fallthrough: The above case falls through to this one. Error: MISSING_BREAK: hw/hid.c:168: unterminated_case: This case (value 224) is not terminated by a 'break' statement. hw/hid.c:173: fallthrough: The above case falls through to this one. Error: MISSING_BREAK: hw/hid.c:173: unterminated_case: This case (value 231) is not terminated by a 'break' statement. hw/hid.c:178: fallthrough: The above case falls through to this one. Error: MISSING_BREAK: hw/pcnet.c:1485: unterminated_case: This case (value 20) is not terminated by a 'break' statement. 
hw/pcnet.c:1508: fallthrough: The above case falls through to this one. Error: MISSING_BREAK: hw/usb-ohci.c:1054: unterminated_case: This case (value -1) is not terminated by a 'break' statement. hw/usb-ohci.c:1056: fallthrough: The above case falls through to this one. Error: MISSING_BREAK: m68k-dis.c:1627: unterminated_case: This case (value 88) is not terminated by a 'break' statement. m68k-dis.c:1629: fallthrough: The above case falls through to this one. Error: MISSING_BREAK: hw/cirrus_vga.c:1305: unterminated_case: This case (value 7) is not terminated by a 'break' statement. hw/cirrus_vga.c:1307: fallthrough: The above case falls through to this one. Error: MISSING_BREAK: target-i386/translate.c:4285: unterminated_case: This case (value 130) is not terminated by a 'break' statement. target-i386/translate.c:4288: fallthrough: The above case falls through to this one. Error: MISSING_BREAK: target-i386/translate.c:7612: unterminated_case: This case (value 271) is not terminated by a 'break' statement. target-i386/translate.c:7615: fallthrough: The above case falls through to this one. Error: MISSING_BREAK: target-sparc/translate.c:4045: unterminated_case: This case (value 46) is not terminated by a 'break' statement. target-sparc/translate.c:4051: fallthrough: The above case falls through to this one. Error: MISSING_BREAK: target-mips/translate.c:12240: unterminated_case: This case (value 1155530752) is not terminated by a 'break' statement. target-mips/translate.c:12242: fallthrough: The above case falls through to this one. Error: MISSING_BREAK: hw/pflash_cfi02.c:144: unterminated_default: The default case is not terminated by a 'break' statement. hw/pflash_cfi02.c:149: fallthrough: The above case falls through to this one. Error: MISSING_BREAK: hw/sh_timer.c:71: unterminated_case: This case (value 3) is not terminated by a 'break' statement. hw/sh_timer.c:74: fallthrough: The above case falls through to this one. 
Error: MISSING_BREAK: hw/twl92230.c:492: unterminated_case: This case (value 19) is not terminated by a 'break' statement. hw/twl92230.c:493: fallthrough: The above case falls through to this one. Error: MISSING_BREAK: hw/omap1.c:534: unterminated_case: This case (value 44) is not terminated by a 'break' statement. hw/omap1.c:536: fallthrough: The above case falls through to this one. Error: MISSING_BREAK: hw/stellaris.c:180: unterminated_case: This case (value 72) is not terminated by a 'break' statement. hw/stellaris.c:183: fallthrough: The above case falls through to this one. Error: MISSING_BREAK: hw/omap1.c:638: unterminated_case: This case (value 44) is not terminated by a 'break' statement. hw/omap1.c:640: fallthrough: The above case falls through to this one. Error: MISSING_BREAK: hw/jazz_led.c:245: unterminated_case: This case (value 16) is not terminated by a 'break' statement. hw/jazz_led.c:248: fallthrough: The above case falls through to this one. Error: MISSING_BREAK: hw/es1370.c:540: unterminated_case: This case (value 40) is not terminated by a 'break' statement. hw/es1370.c:542: fallthrough: The above case falls through to this one. Error: MISSING_BREAK: hw/es1370.c:538: unterminated_case: This case (value 44) is not terminated by a 'break' statement. hw/es1370.c:540: fallthrough: The above case falls through to this one. Error: MISSING_BREAK: hw/pxa2xx.c:463: unterminated_case: This case (value 100) is not terminated by a 'break' statement. hw/pxa2xx.c:467: fallthrough: The above case falls through to this one. Error: MISSING_BREAK: target-ppc/op_helper.c:836: unterminated_case: This case (value 29) is not terminated by a 'break' statement. target-ppc/op_helper.c:840: fallthrough: The above case falls through to this one. Error: MISSING_BREAK: hw/ds1338.c:98: unterminated_case: This case (value 5) is not terminated by a 'break' statement. hw/ds1338.c:100: fallthrough: The above case falls through to this one. 
Error: MISSING_BREAK: hw/usb-ohci.c:1685: unterminated_case: This case (value 24) is not terminated by a 'break' statement. hw/usb-ohci.c:1688: fallthrough: The above case falls through to this one. Error: MISSING_BREAK: bt-host.c:126: unterminated_case: This case (value 3) is not terminated by a 'break' statement. bt-host.c:134: fallthrough: The above case falls through to this one. Error: MISSING_BREAK: qemu-ga.c:362: unterminated_case: This case (value 1) is not terminated by a 'break' statement. qemu-ga.c:365: fallthrough: The above case falls through to this one. Error: MISSING_LOCK: posix-aio-compat.c:376: example_lock: Locking "lock". posix-aio-compat.c:377: example_access: qemu_paiocb.ret is being accessed with lock "lock" held. posix-aio-compat.c:583: example_lock: Locking "lock". posix-aio-compat.c:586: example_access: qemu_paiocb.ret is being accessed with lock "lock" held. posix-aio-compat.c:436: missing_lock: Accessing variable "aiocb->ret" (qemu_paiocb.ret) requires the lock lock. Error: NEGATIVE_RETURNS: slirp/slirp.c:820: var_tested_neg: Variable "so->s" tests negative. slirp/slirp.c:825: negative_returns: "so->s" is passed to a parameter that cannot be negative. Error: NEGATIVE_RETURNS: target-s390x/translate.c:5123: var_tested_neg: Assigning: "lj" = a negative value. target-s390x/translate.c:5168: negative_returns: Using variable "lj" as an index to array "gen_opc_pc". Error: NEGATIVE_RETURNS: gdbstub.c:334: var_tested_neg: Assigning: "s->fd" = a negative value. gdbstub.c:331: negative_returns: "s->fd" is passed to a parameter that cannot be negative. Error: NEGATIVE_RETURNS: slirp/socket.c:628: negative_return_fn: Function "qemu_socket(2, 1, 0)" returns a negative number. osdep.c:137: var_tested_neg: Variable "ret" is negative. osdep.c:138: return_negative_variable: Explicitly returning negative variable "ret". slirp/socket.c:628: var_assign: Assigning: signed variable "s" = "qemu_socket". 
slirp/socket.c:634: negative_returns: "s" is passed to a parameter that cannot be negative. Error: NEGATIVE_RETURNS: slirp/udp.c:356: negative_return_fn: Function "qemu_socket(2, 2, 0)" returns a negative number. osdep.c:137: var_tested_neg: Variable "ret" is negative. osdep.c:138: return_negative_variable: Explicitly returning negative variable "ret". slirp/udp.c:356: var_assign: Assigning: signed variable "so->s" = "qemu_socket". slirp/udp.c:364: negative_returns: "so->s" is passed to a parameter that cannot be negative. Error: NEGATIVE_RETURNS: slirp/misc.c:225: negative_return_fn: Function "accept(s, __SOCKADDR_ARG({ .__sockaddr__ = (struct sockaddr *)&addr}), &addrlen)" returns a negative number. slirp/misc.c:225: var_assign: Assigning: signed variable "so->s" = "accept". slirp/misc.c:229: negative_returns: "so->s" is passed to a parameter that cannot be negative. Error: NEGATIVE_RETURNS: slirp/misc.c:136: negative_return_fn: Function "qemu_socket(2, 1, 0)" returns a negative number. osdep.c:137: var_tested_neg: Variable "ret" is negative. osdep.c:138: return_negative_variable: Explicitly returning negative variable "ret". slirp/misc.c:136: var_assign: Assigning: signed variable "s" = "qemu_socket". slirp/misc.c:140: negative_returns: "s" is passed to a parameter that cannot be negative. Error: NEGATIVE_RETURNS: slirp/misc.c:171: negative_return_fn: Function "qemu_socket(2, 1, 0)" returns a negative number. osdep.c:137: var_tested_neg: Variable "ret" is negative. osdep.c:138: return_negative_variable: Explicitly returning negative variable "ret". slirp/misc.c:171: var_assign: Assigning: signed variable "s" = "qemu_socket". slirp/misc.c:174: negative_returns: "s" is passed to a parameter that cannot be negative. Error: NEGATIVE_RETURNS: hw/pcnet.c:1213: var_tested_neg: Assigning: "s->xmit_pos" = a negative value. hw/pcnet.c:1240: negative_returns: Using variable "s->xmit_pos" as an index to array "s->buffer". 
Error: NEGATIVE_RETURNS: hw/pcnet.c:1263: var_tested_neg: Assigning: "s->xmit_pos" = a negative value. hw/pcnet.c:1240: negative_returns: Using variable "s->xmit_pos" as an index to array "s->buffer". Error: NEGATIVE_RETURNS: hw/loader.c:77: negative_return_fn: Function "lseek(fd, 0L, 2)" returns a negative number. hw/loader.c:77: var_assign: Assigning: signed variable "size" = "lseek". hw/loader.c:79: negative_returns: "size" is passed to a parameter that cannot be negative. Error: NEGATIVE_RETURNS: block.c:293: negative_return_fn: Function "mkstemp(filename)" returns a negative number. block.c:293: var_assign: Assigning: signed variable "fd" = "mkstemp". block.c:294: negative_returns: "fd" is passed to a parameter that cannot be negative. Error: NEGATIVE_RETURNS: hw/loader.c:587: negative_return_fn: Function "lseek(fd, 0L, 2)" returns a negative number. hw/loader.c:587: var_assign: Assigning: unsigned variable "rom->romsize" = "lseek". hw/loader.c:590: negative_returns: "rom->romsize" is passed to a parameter that cannot be negative. Error: NEGATIVE_RETURNS: target-mips/translate.c:10586: negative_returns: Passing negative constant "-1" to a parameter that cannot be negative. target-mips/translate.c:6551: index: Function "gen_load_fpr32" uses "ft" as an array index. target-mips/translate.c:652: index: Indexing "NULL->active_fpu.fpr" with "reg". Error: NEGATIVE_RETURNS: slirp/tcp_subr.c:403: negative_return_fn: Function "accept(inso->s, __SOCKADDR_ARG({ .__sockaddr__ = (struct sockaddr *)&addr}), &addrlen)" returns a negative number. slirp/tcp_subr.c:403: negative_returns: "accept(inso->s, __SOCKADDR_ARG({ .__sockaddr__ = (struct sockaddr *)&addr}), &addrlen)" is passed to a parameter that cannot be negative. Error: NEGATIVE_RETURNS: qemu-sockets.c:530: negative_return_fn: Function "mkstemp(un.sun_path)" returns a negative number. qemu-sockets.c:530: var_assign: Assigning: signed variable "fd" = "mkstemp". 
qemu-sockets.c:530: negative_returns: "fd" is passed to a parameter that cannot be negative. Error: NEGATIVE_RETURNS: hw/pc.c:652: negative_return_fn: Function "ftell(f)" returns a negative number. hw/pc.c:652: var_assign: Assigning: signed variable "where" = "ftell". hw/pc.c:655: negative_returns: "where" is passed to a parameter that cannot be negative. Error: NEGATIVE_RETURNS: linux-user/elfload.c:1147: negative_returns: A negative constant "-1" is passed as an argument to a parameter that cannot be negative. linux-user/mmap.c:428: neg_sink_parm_call: Passing "fd" to "fstat", which cannot accept a negative. Error: NEGATIVE_RETURNS: linux-user/syscall.c:3370: negative_return_fn: Function "thunk_type_size(arg_type, 0)" returns a negative number. thunk.h:114: return_negative_constant: Explicitly returning negative value "-1". linux-user/syscall.c:3370: var_assign: Assigning: signed variable "target_size" = "thunk_type_size". linux-user/syscall.c:3383: negative_returns: "target_size" is passed to a parameter that cannot be negative. linux-user/qemu.h:398: neg_sink_parm_call: Passing "len" to "access_ok", which cannot accept a negative. linux-user/qemu.h:273: neg_sink_parm_call: Passing "size" to "page_check_range", which cannot accept a negative. exec.c:2540: parm_loop_bound: Using unsigned parameter "len" in a loop exit test. linux-user/syscall.c:3392: negative_returns: "target_size" is passed to a parameter that cannot be negative. linux-user/qemu.h:398: neg_sink_parm_call: Passing "len" to "access_ok", which cannot accept a negative. linux-user/qemu.h:273: neg_sink_parm_call: Passing "size" to "page_check_range", which cannot accept a negative. exec.c:2540: parm_loop_bound: Using unsigned parameter "len" in a loop exit test. Error: NEGATIVE_RETURNS: slirp/slirp.c:302: var_tested_neg: Variable "so->s" tests negative. slirp/slirp.c:355: negative_returns: "so->s" is passed to a parameter that cannot be negative. 
slirp/udp.c:318: neg_sink_parm_call: Passing "so->s" to "close", which cannot accept a negative. Error: NEGATIVE_RETURNS: slirp/slirp.c:302: var_tested_neg: Variable "so->s" tests negative. slirp/slirp.c:355: negative_returns: "so->s" is passed to a parameter that cannot be negative. slirp/udp.c:318: neg_sink_parm_call: Passing "so->s" to "close", which cannot accept a negative. slirp/slirp.c:373: var_assign: Assigning: signed variable "nfds" = "so->s". slirp/slirp.c:389: negative_returns: "so->s" is passed to a parameter that cannot be negative. slirp/ip_icmp.c:105: neg_sink_parm_call: Passing "so->s" to "close", which cannot accept a negative. Error: NEGATIVE_RETURNS: slirp/slirp.c:302: var_tested_neg: Variable "so->s" tests negative. slirp/slirp.c:355: negative_returns: "so->s" is passed to a parameter that cannot be negative. slirp/udp.c:318: neg_sink_parm_call: Passing "so->s" to "close", which cannot accept a negative. slirp/slirp.c:373: var_assign: Assigning: signed variable "nfds" = "so->s". slirp/slirp.c:389: negative_returns: "so->s" is passed to a parameter that cannot be negative. slirp/ip_icmp.c:105: neg_sink_parm_call: Passing "so->s" to "close", which cannot accept a negative. slirp/slirp.c:398: var_assign: Assigning: signed variable "nfds" = "so->s". Error: NEGATIVE_RETURNS: hw/openpic.c:860: negative_return_fn: Function "IRQ_get_next(opp, &dst->raised)" returns a negative number. hw/openpic.c:302: var_tested_neg: Variable "q->next" is negative. hw/openpic.c:307: return_negative_variable: Explicitly returning negative variable "q->next". hw/openpic.c:860: var_assign: Assigning: signed variable "n_IRQ" = "IRQ_get_next". hw/openpic.c:861: negative_returns: Using variable "n_IRQ" as an index to array "opp->src". Error: NEGATIVE_RETURNS: qemu-ga.c:281: negative_return_fn: Function "conn_channel_send_payload(s->conn_channel, rsp)" returns a negative number. 
qemu-ga.c:252: negative_return: Calling "conn_channel_send_buf", which might return a negative value. qemu-ga.c:225: return_negative_constant: Explicitly returning negative value "-32". qemu-ga.c:252: var_assign: Assigning: "ret" = "conn_channel_send_buf(channel, buf, strlen(buf))", which might be negative. qemu-ga.c:269: return_negative_variable: Explicitly returning negative variable "ret". qemu-ga.c:281: var_assign: Assigning: signed variable "ret" = "conn_channel_send_payload". qemu-ga.c:283: negative_returns: "ret" is passed to a parameter that cannot be negative. Error: NEGATIVE_RETURNS: target-arm/translate.c:9873: var_tested_neg: Assigning: "lj" = a negative value. target-arm/translate.c:9961: negative_returns: Using variable "lj" as an index to array "gen_opc_pc". Error: NEGATIVE_RETURNS: target-cris/translate.c:3261: var_tested_neg: Assigning: "lj" = a negative value. target-cris/translate.c:3280: negative_returns: Using variable "lj" as an index to array "gen_opc_pc". target-cris/translate.c:3282: negative_returns: Using variable "lj" as an index to array "gen_opc_pc". Error: NEGATIVE_RETURNS: target-lm32/translate.c:334: var_tested_neg: Assigning: "rZ" = a negative value. target-lm32/translate.c:340: negative_returns: Using variable "rZ" as an index to array "cpu_R". Error: NEGATIVE_RETURNS: target-unicore32/translate.c:1883: var_tested_neg: Assigning: "lj" = a negative value. target-unicore32/translate.c:1914: negative_returns: Using variable "lj" as an index to array "gen_opc_pc". Error: NEGATIVE_RETURNS: target-alpha/translate.c:3342: var_tested_neg: Assigning: "lj" = a negative value. target-alpha/translate.c:3387: negative_returns: Using variable "lj" as an index to array "gen_opc_pc". Error: NEGATIVE_RETURNS: target-microblaze/translate.c:1653: var_tested_neg: Assigning: "lj" = a negative value. target-microblaze/translate.c:1677: negative_returns: Using variable "lj" as an index to array "gen_opc_pc". 
Error: NEGATIVE_RETURNS: target-m68k/translate.c:2986: var_tested_neg: Assigning: "lj" = a negative value. target-m68k/translate.c:3014: negative_returns: Using variable "lj" as an index to array "gen_opc_pc". Error: NEGATIVE_RETURNS: target-i386/translate.c:7793: var_tested_neg: Assigning: "lj" = a negative value. target-i386/translate.c:7817: negative_returns: Using variable "lj" as an index to array "gen_opc_pc". Error: NEGATIVE_RETURNS: target-ppc/translate.c:9422: var_tested_neg: Assigning: "lj" = a negative value. target-ppc/translate.c:9483: negative_returns: Using variable "lj" as an index to array "gen_opc_pc". Error: NEGATIVE_RETURNS: target-xtensa/translate.c:2410: var_tested_neg: Assigning: "lj" = a negative value. target-xtensa/translate.c:2455: negative_returns: Using variable "lj" as an index to array "gen_opc_pc". Error: NEGATIVE_RETURNS: linux-user/flatload.c:462: negative_returns: A negative constant "-1" is passed as an argument to a parameter that cannot be negative. linux-user/mmap.c:428: neg_sink_parm_call: Passing "fd" to "fstat", which cannot accept a negative. linux-user/flatload.c:496: negative_returns: A negative constant "-1" is passed as an argument to a parameter that cannot be negative. linux-user/mmap.c:428: neg_sink_parm_call: Passing "fd" to "fstat", which cannot accept a negative. Error: NEGATIVE_RETURNS: target-lm32/translate.c:1048: var_tested_neg: Assigning: "lj" = a negative value. target-lm32/translate.c:1067: negative_returns: Using variable "lj" as an index to array "gen_opc_pc". Error: NEGATIVE_RETURNS: target-mips/translate.c:12386: var_tested_neg: Assigning: "lj" = a negative value. target-mips/translate.c:12438: negative_returns: Using variable "lj" as an index to array "gen_opc_pc". Error: NEGATIVE_RETURNS: target-sh4/translate.c:1962: var_tested_neg: Assigning: "ii" = a negative value. target-sh4/translate.c:1987: negative_returns: Using variable "ii" as an index to array "gen_opc_pc". 
Error: NEGATIVE_RETURNS: block/sheepdog.c:2017: negative_return_fn: Function "connect_to_sdog(s->addr, s->port)" returns a negative number. block/sheepdog.c:587: return_negative_constant: Explicitly returning negative value "-1". block/sheepdog.c:2017: var_assign: Assigning: signed variable "fd" = "connect_to_sdog". block/sheepdog.c:2051: negative_returns: "fd" is passed to a parameter that cannot be negative. Error: NEGATIVE_RETURNS: monitor.c:989: negative_return_fn: Function "monitor_get_fd(mon, fdname)" returns a negative number. monitor.c:2591: return_negative_constant: Explicitly returning negative value "-1". monitor.c:989: var_assign: Assigning: signed variable "fd" = "monitor_get_fd". monitor.c:991: negative_returns: "fd" is passed to a parameter that cannot be negative. ui/vnc.c:2963: neg_sink_parm_call: Passing "csock" to "vnc_connect", which cannot accept a negative. ui/vnc.c:2533: var_assign_parm: Assigning: "vs->csock" = "csock". ui/vnc.c:2557: neg_sink_lv_call: Passing "vs->csock" to "vnc_client_cache_addr", which cannot accept a negative. ui/vnc.c:245: neg_sink_parm_call: Passing "client->csock" to "vnc_qdict_remote_addr", which cannot accept a negative. ui/vnc.c:143: neg_sink_parm_call: Passing "fd" to "getpeername", which cannot accept a negative. Error: NEGATIVE_RETURNS: qemu-ga.c:333: negative_return_fn: Function "conn_channel_send_payload(s->conn_channel, &qdict->base)" returns a negative number. qemu-ga.c:252: negative_return: Calling "conn_channel_send_buf", which might return a negative value. qemu-ga.c:225: return_negative_constant: Explicitly returning negative value "-32". qemu-ga.c:252: var_assign: Assigning: "ret" = "conn_channel_send_buf(channel, buf, strlen(buf))", which might be negative. qemu-ga.c:269: return_negative_variable: Explicitly returning negative variable "ret". qemu-ga.c:333: var_assign: Assigning: signed variable "ret" = "conn_channel_send_payload". 
qemu-ga.c:335: negative_returns: "ret" is passed to a parameter that cannot be negative. Error: NEGATIVE_RETURNS: linux-user/syscall.c:3249: negative_return_fn: Function "thunk_type_size(arg_type, 0)" returns a negative number. thunk.h:114: return_negative_constant: Explicitly returning negative value "-1". linux-user/syscall.c:3249: var_assign: Assigning: signed variable "target_size" = "thunk_type_size". linux-user/syscall.c:3251: negative_returns: "target_size" is passed to a parameter that cannot be negative. linux-user/qemu.h:398: neg_sink_parm_call: Passing "len" to "access_ok", which cannot accept a negative. linux-user/qemu.h:273: neg_sink_parm_call: Passing "size" to "page_check_range", which cannot accept a negative. exec.c:2540: parm_loop_bound: Using unsigned parameter "len" in a loop exit test. Error: NEGATIVE_RETURNS: block/sheepdog.c:1802: negative_return_fn: Function "connect_to_sdog(s->addr, s->port)" returns a negative number. block/sheepdog.c:587: return_negative_constant: Explicitly returning negative value "-1". block/sheepdog.c:1802: var_assign: Assigning: signed variable "fd" = "connect_to_sdog". block/sheepdog.c:1841: negative_returns: "fd" is passed to a parameter that cannot be negative. Error: NEGATIVE_RETURNS: linux-user/syscall.c:3166: negative_return_fn: Function "thunk_type_size(arg_type, 0)" returns a negative number. thunk.h:114: return_negative_constant: Explicitly returning negative value "-1". linux-user/syscall.c:3166: var_assign: Assigning: signed variable "target_size_in" = "thunk_type_size". linux-user/syscall.c:3167: negative_returns: "target_size_in" is passed to a parameter that cannot be negative. linux-user/qemu.h:398: neg_sink_parm_call: Passing "len" to "access_ok", which cannot accept a negative. linux-user/qemu.h:273: neg_sink_parm_call: Passing "size" to "page_check_range", which cannot accept a negative. exec.c:2540: parm_loop_bound: Using unsigned parameter "len" in a loop exit test. 
Error: NULL_RETURNS: hw/acpi.c:114: example_assign: Assigning: "f" = return value from "strtok(NULL, ":")". hw/acpi.c:114: example_checked: "f" has its value checked in "f". hw/acpi.c:114: example_assign: Assigning: "f" = return value from "strtok(buf, ":")". hw/acpi.c:114: example_checked: "f" has its value checked in "f". qemu-timer.c:218: example_assign: Assigning: "name" = return value from "strtok(arg, ",")". qemu-timer.c:219: example_checked: "name" has its value checked in "name". qemu-timer.c:241: example_assign: Assigning: "name" = return value from "strtok(NULL, ",")". qemu-timer.c:219: example_checked: "name" has its value checked in "name". target-i386/cpuid.c:585: example_assign: Assigning: "name" = return value from "strtok(s, ",")". target-i386/cpuid.c:597: example_checked: "name" has its value checked in "name". target-sparc/cpu_init.c:642: returned_null: Function "strtok" returns null (checked 9 out of 10 times). target-sparc/cpu_init.c:642: var_assigned: Assigning: "name" = null return value from "strtok". target-sparc/cpu_init.c:649: dereference: Dereferencing a pointer that might be null "name" when calling "strcasecmp". (The dereference is assumed on the basis of the 'nonnull' parameter attribute.) Error: NULL_RETURNS: cris-dis.c:1872: example_assign: Assigning: "sregp" = return value from "spec_reg_info((insn >> 12) & 0xfU, distype)". cris-dis.c:1876: example_checked: "sregp" has its value checked in "sregp == NULL". cris-dis.c:1693: example_assign: Assigning: "sregp" = return value from "spec_reg_info(spec_reg, disdata->distype)". cris-dis.c:1697: example_checked: "sregp" has its value checked in "sregp". cris-dis.c:1722: example_assign: Assigning: "sregp" = return value from "spec_reg_info((insn >> 12) & 0xfU, disdata->distype)". cris-dis.c:1736: example_checked: "sregp" has its value checked in "sregp != NULL". cris-dis.c:2096: example_assign: Assigning: "sregp" = return value from "spec_reg_info((insn >> 12) & 0xfU, disdata->distype)". 
cris-dis.c:2101: example_checked: "sregp" has its value checked in "sregp == NULL". cris-dis.c:2198: example_assign: Assigning: "sregp" = return value from "spec_reg_info((insn >> 12) & 0xfU, disdata->distype)". cris-dis.c:2202: example_checked: "sregp" has its value checked in "sregp == NULL". cris-dis.c:2525: returned_null: Function "spec_reg_info" returns null (checked 5 out of 6 times). cris-dis.c:1359: return_null: Explicitly returning NULL. cris-dis.c:2525: var_assigned: Assigning: "sregp" = null return value from "spec_reg_info". cris-dis.c:2527: dereference: Dereferencing a null pointer "sregp". Error: NULL_RETURNS: linux-user/strace.c:237: example_checked: "lock_user_string(arg1)" has its value checked in "s = lock_user_string(arg1)". linux-user/strace.c:252: example_checked: "lock_user_string(arg_addr)" has its value checked in "s = lock_user_string(arg_addr)". linux-user/strace.c:613: example_checked: "lock_user_string(addr)" has its value checked in "(s = lock_user_string(addr)) != NULL". linux-user/syscall.c:7855: returned_null: Function "lock_user_string" returns null (checked 3 out of 3 times). linux-user/qemu.h:443: return_null: Explicitly returning NULL. linux-user/syscall.c:7855: var_assigned: Assigning: "p" = null return value from "lock_user_string". linux-user/syscall.c:7858: dereference: Dereferencing a pointer that might be null "p" when calling "mq_open". (The dereference is assumed on the basis of the 'nonnull' parameter attribute.) Error: NULL_RETURNS: linux-user/strace.c:237: example_checked: "lock_user_string(arg1)" has its value checked in "s = lock_user_string(arg1)". linux-user/strace.c:252: example_checked: "lock_user_string(arg_addr)" has its value checked in "s = lock_user_string(arg_addr)". linux-user/strace.c:613: example_checked: "lock_user_string(addr)" has its value checked in "(s = lock_user_string(addr)) != NULL". linux-user/syscall.c:7864: returned_null: Function "lock_user_string" returns null (checked 3 out of 3 times). 
linux-user/qemu.h:443: return_null: Explicitly returning NULL. linux-user/syscall.c:7864: var_assigned: Assigning: "p" = null return value from "lock_user_string". linux-user/syscall.c:7865: dereference: Dereferencing a pointer that might be null "p" when calling "mq_unlink". (The dereference is assumed on the basis of the 'nonnull' parameter attribute.) Error: NULL_RETURNS: linux-user/linuxload.c:104: example_checked: "lock_user(1, __gaddr, 8L, 0)" has its value checked in "__hptr = lock_user(1, __gaddr, 8L, 0)". linux-user/linuxload.c:106: example_checked: "lock_user(1, __gaddr, 8L, 0)" has its value checked in "__hptr = lock_user(1, __gaddr, 8L, 0)". linux-user/linuxload.c:110: example_checked: "lock_user(1, __gaddr, 8L, 0)" has its value checked in "__hptr = lock_user(1, __gaddr, 8L, 0)". exec.c:3872: example_checked: "lock_user(1, addr, l, 0)" has its value checked in "p = lock_user(1, addr, l, 0)". exec.c:3880: example_checked: "lock_user(0, addr, l, 1)" has its value checked in "p = lock_user(0, addr, l, 1)". linux-user/syscall.c:7873: returned_null: Function "lock_user" returns null (checked 164 out of 167 times). linux-user/qemu.h:399: return_null: Explicitly returning NULL. linux-user/syscall.c:7873: var_assigned: Assigning: "p" = null return value from "lock_user". linux-user/syscall.c:7876: dereference: Dereferencing a pointer that might be null "p" when calling "mq_timedsend". (The dereference is assumed on the basis of the 'nonnull' parameter attribute.) linux-user/syscall.c:7880: dereference: Dereferencing a pointer that might be null "p" when calling "mq_send". (The dereference is assumed on the basis of the 'nonnull' parameter attribute.) Error: NULL_RETURNS: linux-user/linuxload.c:104: example_checked: "lock_user(1, __gaddr, 8L, 0)" has its value checked in "__hptr = lock_user(1, __gaddr, 8L, 0)". linux-user/linuxload.c:106: example_checked: "lock_user(1, __gaddr, 8L, 0)" has its value checked in "__hptr = lock_user(1, __gaddr, 8L, 0)". 
linux-user/linuxload.c:110: example_checked: "lock_user(1, __gaddr, 8L, 0)" has its value checked in "__hptr = lock_user(1, __gaddr, 8L, 0)". exec.c:3872: example_checked: "lock_user(1, addr, l, 0)" has its value checked in "p = lock_user(1, addr, l, 0)". exec.c:3880: example_checked: "lock_user(0, addr, l, 1)" has its value checked in "p = lock_user(0, addr, l, 1)". linux-user/syscall.c:7890: returned_null: Function "lock_user" returns null (checked 164 out of 167 times). linux-user/qemu.h:399: return_null: Explicitly returning NULL. linux-user/syscall.c:7890: var_assigned: Assigning: "p" = null return value from "lock_user". linux-user/syscall.c:7893: dereference: Dereferencing a pointer that might be null "p" when calling "mq_timedreceive". (The dereference is assumed on the basis of the 'nonnull' parameter attribute.) linux-user/syscall.c:7897: dereference: Dereferencing a pointer that might be null "p" when calling "mq_receive". (The dereference is assumed on the basis of the 'nonnull' parameter attribute.) Error: NULL_RETURNS: block.c:3214: example_assign: Assigning: "backing_file" = return value from "get_option_parameter(param, "backing_file")". block.c:3215: example_checked: "backing_file" has its value checked in "backing_file". block.c:3224: example_assign: Assigning: "backing_fmt" = return value from "get_option_parameter(param, "backing_fmt")". block.c:3225: example_checked: "backing_fmt" has its value checked in "backing_fmt". block.c:3237: example_assign: Assigning: "size" = return value from "get_option_parameter(param, "size")". block.c:3238: example_checked: "size" has its value checked in "size". qemu-img.c:818: example_assign: Assigning: "out_baseimg_param" = return value from "get_option_parameter(param, "backing_file")". qemu-img.c:819: example_checked: "out_baseimg_param" has its value checked in "out_baseimg_param". qemu-img.c:825: example_assign: Assigning: "encryption" = return value from "get_option_parameter(param, "encryption")". 
qemu-img.c:836: example_checked: "encryption" has its value checked in "encryption". block/vpc.c:538: returned_null: Function "get_option_parameter" returns null (checked 9 out of 11 times). qemu-option.c:168: return_null: Explicitly returning NULL. block/vpc.c:538: dereference: Dereferencing a null pointer "get_option_parameter(options, "size")". Error: NULL_RETURNS: block.c:3214: example_assign: Assigning: "backing_file" = return value from "get_option_parameter(param, "backing_file")". block.c:3215: example_checked: "backing_file" has its value checked in "backing_file". block.c:3224: example_assign: Assigning: "backing_fmt" = return value from "get_option_parameter(param, "backing_fmt")". block.c:3225: example_checked: "backing_fmt" has its value checked in "backing_fmt". block.c:3237: example_assign: Assigning: "size" = return value from "get_option_parameter(param, "size")". block.c:3238: example_checked: "size" has its value checked in "size". qemu-img.c:818: example_assign: Assigning: "out_baseimg_param" = return value from "get_option_parameter(param, "backing_file")". qemu-img.c:819: example_checked: "out_baseimg_param" has its value checked in "out_baseimg_param". qemu-img.c:825: example_assign: Assigning: "encryption" = return value from "get_option_parameter(param, "encryption")". qemu-img.c:836: example_checked: "encryption" has its value checked in "encryption". qemu-img.c:1597: returned_null: Function "get_option_parameter" returns null (checked 9 out of 11 times). qemu-option.c:168: return_null: Explicitly returning NULL. qemu-img.c:1597: dereference: Dereferencing a null pointer "get_option_parameter(param, "size")". Error: NULL_RETURNS: hw/alpha_dp264.c:103: example_assign: Assigning: "palcode_filename" = return value from "qemu_find_file(0, palcode_filename)". hw/alpha_dp264.c:104: example_checked: "palcode_filename" has its value checked in "palcode_filename == NULL". 
hw/fw_cfg.c:154: example_assign: Assigning: "filename" = return value from "qemu_find_file(0, boot_splash_filename)". hw/fw_cfg.c:155: example_checked: "filename" has its value checked in "filename == NULL". hw/milkymist.c:134: example_assign: Assigning: "bios_filename" = return value from "qemu_find_file(0, bios_name)". hw/milkymist.c:136: example_checked: "bios_filename" has its value checked in "bios_filename". hw/mips_fulong2e.c:315: example_assign: Assigning: "filename" = return value from "qemu_find_file(0, bios_name)". hw/mips_fulong2e.c:316: example_checked: "filename" has its value checked in "filename". hw/mips_jazz.c:161: example_assign: Assigning: "filename" = return value from "qemu_find_file(0, bios_name)". hw/mips_jazz.c:162: example_checked: "filename" has its value checked in "filename". hw/leon3.c:158: returned_null: Function "qemu_find_file" returns null (checked 20 out of 23 times). vl.c:1722: return_null: Explicitly returning NULL. hw/leon3.c:158: var_assigned: Assigning: "filename" = null return value from "qemu_find_file". hw/leon3.c:160: dereference: Dereferencing a pointer that might be null "filename" when calling "get_image_size". hw/loader.c:61: deref_parm_in_call: Function "open" dereferences parameter "filename". (The dereference is assumed on the basis of the 'nonnull' parameter attribute.) Error: NULL_RETURNS: hw/alpha_dp264.c:103: example_assign: Assigning: "palcode_filename" = return value from "qemu_find_file(0, palcode_filename)". hw/alpha_dp264.c:104: example_checked: "palcode_filename" has its value checked in "palcode_filename == NULL". hw/fw_cfg.c:154: example_assign: Assigning: "filename" = return value from "qemu_find_file(0, boot_splash_filename)". hw/fw_cfg.c:155: example_checked: "filename" has its value checked in "filename == NULL". hw/milkymist.c:134: example_assign: Assigning: "bios_filename" = return value from "qemu_find_file(0, bios_name)". 
hw/milkymist.c:136: example_checked: "bios_filename" has its value checked in "bios_filename". hw/mips_fulong2e.c:315: example_assign: Assigning: "filename" = return value from "qemu_find_file(0, bios_name)". hw/mips_fulong2e.c:316: example_checked: "filename" has its value checked in "filename". hw/mips_jazz.c:161: example_assign: Assigning: "filename" = return value from "qemu_find_file(0, bios_name)". hw/mips_jazz.c:162: example_checked: "filename" has its value checked in "filename". hw/s390-virtio.c:244: returned_null: Function "qemu_find_file" returns null (checked 20 out of 23 times). vl.c:1722: return_null: Explicitly returning NULL. hw/s390-virtio.c:244: var_assigned: Assigning: "bios_filename" = null return value from "qemu_find_file". hw/s390-virtio.c:245: dereference: Dereferencing a pointer that might be null "bios_filename" when calling "load_image". hw/loader.c:74: deref_parm_in_call: Function "open" dereferences parameter "filename". (The dereference is assumed on the basis of the 'nonnull' parameter attribute.) Error: OVERRUN_STATIC: slirp/socket.c:320: overrun-local: Overrunning static array of size 2048 bytes at byte position 2048 by accessing with pointer "&buff[len]" through dereference in call to "memcpy". (The dereference is assumed on the basis of the 'nonnull' parameter attribute.) slirp/socket.c:320: overrun-local: Note: These bugs are often difficult to see at first glance. Coverity recommends a close inspection of the events leading to this overrun. Error: OVERRUN_STATIC: gdbstub.c:1759: overrun-call: Overrunning callee's array of size 16 at position 50 by passing argument "reg" of value 52 in call to function "cpu_gdb_write_register(env, mem_buf, reg)". gdbstub.c:1479: index_parm: Indexing "env->regs" with "n" minus an offset. Error: OVERRUN_STATIC: target-cris/translate.c:209: overrun-local: Overrunning static array "cpu_PR", with 16 elements, at position 16 with index variable "r". 
Error: OVERRUN_STATIC: gdbstub.c:1744: overrun-call: Overrunning callee's array of size 16 at position 50 by passing argument "reg" of value 52 in call to function "cpu_gdb_read_register(env, mem_buf, reg)". gdbstub.c:1449: index_parm: Indexing "env->regs" with "n" minus an offset. Error: OVERRUN_STATIC: hw/ide/core.c:1383: overrun-local: Overrunning static array "smart_attributes", with 8 elements, at position 29 with index variable "n". Error: OVERRUN_STATIC: target-mips/translate.c:12576: overrun-local: Overrunning static array of size 256 bytes at byte position 256 by indexing pointer "&env->active_fpu.fpr[i]" with index variable "1". target-mips/translate.c:12576: overrun-local: Note: These bugs are often difficult to see at first glance. Coverity recommends a close inspection of the events leading to this overrun. Error: OVERRUN_STATIC: slirp/ip_icmp.c:301: assignment: Assigning: "s_ip_len" = "548U". slirp/ip_icmp.c:312: overrun-buffer-arg: Overrunning struct type struct ip of size 20 bytes by passing it to a function which indexes it with argument "s_ip_len" at byte position 547. Error: OVERRUN_STATIC: block/vvfat.c:445: assignment: Assigning: "offset" = "14 + offset - 10". block/vvfat.c:443: assignment: Assigning: "offset" = "i % 26". block/vvfat.c:448: overrun-local: Overrunning static array "entry->name", with 8 elements, at position 25 with index variable "offset". Error: OVERRUN_STATIC: block/vvfat.c:615: overrun-buffer-arg: Overrunning static array "entry->name" of size 8 bytes by passing it to a function which indexes it with argument "11UL" at byte position 10. Error: OVERRUN_STATIC: block/vvfat.c:630: overrun-buffer-arg: Overrunning static array "entry->name" of size 8 bytes by passing it to a function which indexes it with argument "11UL" at byte position 10. 
Error: OVERRUN_STATIC: block/vvfat.c:653: overrun-buffer-arg: Overrunning static array "entry->name" of size 8 bytes by passing it to a function which indexes it with argument "11UL" at byte position 10. Error: OVERRUN_STATIC: block/vvfat.c:653: overrun-buffer-arg: Overrunning static array "entry1->name" of size 8 bytes by passing it to a function which indexes it with argument "11UL" at byte position 10. Error: OVERRUN_STATIC: block/vvfat.c:639: overrun-local: Overrunning static array "entry->name", with 8 elements, at position 9 with index variable "i". Error: OVERRUN_STATIC: target-cris/translate.c:3470: overrun-local: Overrunning static array "env->sregs", with 4 elements, at position 255 with index variable "srs". Error: OVERRUN_STATIC: target-cris/translate.c:178: overrun-local: Overrunning static array "cpu_R", with 16 elements, at position 16 with index variable "r". Error: OVERRUN_STATIC: hw/arm_gic.c:274: assignment: Assigning: "irq" = "(offset - 256U) * 8U". hw/arm_gic.c:277: assignment: Assigning: "irq" = "irq += 0". hw/arm_gic.c:282: overrun-local: Overrunning static array "s->irq_state", with 96 elements, at position 96 with index variable "irq + i". Error: OVERRUN_STATIC: hw/arm_gic.c:235: overrun-local: Overrunning static array "s->last_active", with 96 elements, at position 1023 with index variable "irq". Error: OVERRUN_STATIC: hw/arm_gic.c:235: overrun-local: Overrunning static array "s->last_active", with 96 elements, at position 1023 with index variable "irq". Error: OVERRUN_STATIC: target-cris/translate.c:226: overrun-local: Overrunning static array "cpu_PR", with 16 elements, at position 16 with index variable "r". Error: OVERRUN_STATIC: readline.c:238: overrun-local: Overrunning static array of size 512 bytes at byte position 512 by accessing with pointer "&rs->history[idx + 1]" through dereference in call to "memmove". (The dereference is assumed on the basis of the 'nonnull' parameter attribute.) 
readline.c:238: overrun-local: Note: These bugs are often difficult to see at first glance. Coverity recommends a close inspection of the events leading to this overrun. Error: OVERRUN_STATIC: hw/arm_gic.c:461: assignment: Assigning: "irq" = "(offset - 640U) * 8U + 0U". hw/arm_gic.c:469: overrun-local: Overrunning static array "s->irq_state", with 96 elements, at position 96 with index variable "irq + i". Error: OVERRUN_STATIC: target-i386/ops_sse.h:1903: assignment: Assigning: "i" = "validd". target-i386/ops_sse.h:1904: overrun-call: Overrunning callee's array of size 8 by passing index "i" of value 14 in call to function "pcmp_val(d, ctrl, i)". target-i386/ops_sse.h:1876: index_parm: Indexing "r->_w" with "i". Error: OVERRUN_STATIC: target-i386/ops_sse.h:1900: assignment: Assigning: "j" = "valids". target-i386/ops_sse.h:1902: overrun-call: Overrunning callee's array of size 8 by passing index "j" of value 14 in call to function "pcmp_val(s, ctrl, j)". target-i386/ops_sse.h:1876: index_parm: Indexing "r->_w" with "i". Error: OVERRUN_STATIC: hw/arm_gic.c:235: overrun-local: Overrunning static array "s->last_active", with 96 elements, at position 1023 with index variable "irq". Error: OVERRUN_STATIC: hw/bt-hci.c:1322: overrun-buffer-arg: Overrunning struct type evt_encrypt_change of size 4 bytes by passing it to a function which indexes it with argument "5" at byte position 4. hw/bt-hci.c:465: access_dbuff_in_call: Calling "memcpy" indexes array "params" with index "len". Error: OVERRUN_STATIC: hw/ccid-card-passthru.c:154: overrun-buffer-arg: Overrunning static array "card->atr" of size 40 bytes by passing it to a function which indexes it with argument "scr_msg_header->length" at byte position 40. Error: OVERRUN_STATIC: check-qjson.c:620: overrun-local: Overrunning static array "", with 4 elements, at position 4 with index variable "@dim0". Error: OVERRUN_STATIC: target-i386/ops_sse.h:208: assignment: Assigning: "i" = "0". 
target-i386/ops_sse.h:209: overrun-local: Overrunning static array "d->_b", with 16 elements, at position 16 with index variable "i + shift". Error: OVERRUN_STATIC: hw/arm_gic.c:461: assignment: Assigning: "irq" = "(offset - 640U) * 8U + 0U". hw/arm_gic.c:469: overrun-local: Overrunning static array "s->irq_state", with 64 elements, at position 64 with index variable "irq + i". Error: OVERRUN_STATIC: hw/arm_gic.c:235: overrun-local: Overrunning static array "s->last_active", with 64 elements, at position 1023 with index variable "irq". Error: OVERRUN_STATIC: hw/arm_gic.c:274: assignment: Assigning: "irq" = "(offset - 256U) * 8U". hw/arm_gic.c:277: assignment: Assigning: "irq" = "irq += 0". hw/arm_gic.c:282: overrun-local: Overrunning static array "s->irq_state", with 96 elements, at position 96 with index variable "irq + i". Error: OVERRUN_STATIC: hw/arm_gic.c:274: assignment: Assigning: "irq" = "(offset - 256U) * 8U". hw/arm_gic.c:277: assignment: Assigning: "irq" = "irq += 32". hw/arm_gic.c:282: overrun-local: Overrunning static array "s->irq_state", with 96 elements, at position 96 with index variable "irq + i". Error: OVERRUN_STATIC: hw/ppc405_uc.c:209: overrun-local: Overrunning static array "pob->besr", with 2 elements, at position 2 with index variable "dcrn - 160". Error: OVERRUN_STATIC: hw/arm_gic.c:406: assignment: Assigning: "irq" = "(offset - 256U) * 8U + 32U". hw/arm_gic.c:416: overrun-local: Overrunning static array "s->irq_state", with 96 elements, at position 96 with index variable "irq + i". Error: OVERRUN_STATIC: target-cris/translate.c:184: overrun-local: Overrunning static array "cpu_R", with 16 elements, at position 16 with index variable "r". Error: OVERRUN_STATIC: ui/curses.c:290: overrun-local: Overrunning static array "curses2qemu", with 511 elements, at position 511 with index variable "chr". 
Error: OVERRUN_STATIC: hw/musicpal.c:354: overrun-local: Overrunning static array "s->tx_queue", with 2 elements, at position 2 with index variable "(offset - 1248U) / 4U". Error: OVERRUN_STATIC: hw/vt82c686.c:90: overrun-local: Overrunning static array "superio_conf->config", with 255 elements, at position 255 with index variable "superio_conf->index". Error: OVERRUN_STATIC: linux-user/syscall.c:3261: overrun-buffer-val: Overrunning static array "ifreq_arg_type" of size 8 bytes by passing it as an argument to a function which indexes it at byte position 8. thunk.h:109: index_const: Pointer "type_ptr" indexed by constant "2" through dereference in call to "thunk_type_size_array". thunk.c:281: deref_parm_in_call: Function "thunk_type_size" dereferences parameter "type_ptr". thunk.h:86: deref_parm: Directly dereferencing parameter "type_ptr". Error: OVERRUN_STATIC: hw/ppc405_uc.c:232: overrun-local: Overrunning static array "pob->besr", with 2 elements, at position 2 with index variable "dcrn - 160". Error: OVERRUN_STATIC: check-qjson.c:488: overrun-local: Overrunning static array "", with 2 elements, at position 2 with index variable "@dim0". Error: OVERRUN_STATIC: linux-user/syscall.c:3159: overrun-buffer-val: Overrunning static array "extent_arg_type" of size 8 bytes by passing it as an argument to a function which indexes it at byte position 8. thunk.h:109: index_const: Pointer "type_ptr" indexed by constant "2" through dereference in call to "thunk_type_size_array". thunk.c:281: deref_parm_in_call: Function "thunk_type_size" dereferences parameter "type_ptr". thunk.h:86: deref_parm: Directly dereferencing parameter "type_ptr". Error: OVERRUN_STATIC: target-sparc/ldst_helper.c:2036: overrun-local: Overrunning static array "env->gregs", with 8 elements, at position 8 with index variable "rd + 1". Error: OVERRUN_STATIC: hw/arm_gic.c:274: assignment: Assigning: "irq" = "(offset - 256U) * 8U". hw/arm_gic.c:277: assignment: Assigning: "irq" = "irq += 0". 
hw/arm_gic.c:282: overrun-local: Overrunning static array "s->irq_state", with 64 elements, at position 64 with index variable "irq + i". Error: OVERRUN_STATIC: hw/arm_gic.c:461: assignment: Assigning: "irq" = "(offset - 640U) * 8U + 0U". hw/arm_gic.c:469: overrun-local: Overrunning static array "s->irq_state", with 96 elements, at position 96 with index variable "irq + i". Error: OVERRUN_STATIC: hw/musicpal.c:300: overrun-local: Overrunning static array "s->tx_queue", with 2 elements, at position 2 with index variable "(offset - 1248U) / 4U". Error: RESOURCE_LEAK: slirp/misc.c:171: open_fn: Calling opening function "qemu_socket". osdep.c:136: open_fn: Returning handle opened by function "socket". osdep.c:136: var_assign: Assigning: "ret" = "socket(domain, type | 0x80000, protocol)". osdep.c:138: return_handle: Returning opened handle "ret". slirp/misc.c:171: var_assign: Assigning: "s" = handle returned from "qemu_socket(2, 1, 0)". slirp/misc.c:174: noescape: Variable "s" is not closed or saved in function "connect". slirp/misc.c:178: noescape: Variable "s" is not closed or saved in function "dup2". slirp/misc.c:179: noescape: Variable "s" is not closed or saved in function "dup2". slirp/misc.c:180: noescape: Variable "s" is not closed or saved in function "dup2". slirp/misc.c:181: overwrite_var: Overwriting handle "s" in call "s = getdtablesize() - 1" leaks the handle. Error: RESOURCE_LEAK: block/vvfat.c:2200: open_fn: Calling opening function "open". block/vvfat.c:2200: var_assign: Assigning: "fd" = handle returned from "open(mapping->path, 66, 438)". block/vvfat.c:2208: noescape: Variable "fd" is not closed or saved in function "lseek". block/vvfat.c:2210: leaked_handle: Handle variable "fd" going out of scope leaks the handle. block/vvfat.c:2230: leaked_handle: Handle variable "fd" going out of scope leaks the handle. block/vvfat.c:2233: noescape: Variable "fd" is not closed or saved in function "write". 
block/vvfat.c:2235: leaked_handle: Handle variable "fd" going out of scope leaks the handle. Error: RESOURCE_LEAK: block/sheepdog.c:597: open_fn: Calling opening function "socket". block/sheepdog.c:597: var_assign: Assigning: "fd" = handle returned from "socket(res->ai_family, res->ai_socktype, res->ai_protocol)". block/sheepdog.c:603: noescape: Variable "fd" is not closed or saved in function "connect". block/sheepdog.c:614: overwrite_var: Overwriting handle "fd" in call "fd = -1" leaks the handle. Error: RESOURCE_LEAK: linux-user/syscall.c:2517: alloc_arg: Calling allocation function "target_to_host_semarray" on "array". linux-user/syscall.c:2452: alloc_fn: Storage is returned from allocation function "malloc". linux-user/syscall.c:2452: var_assign: Assigning: "*host_array" = "malloc(nsems * 2UL)". linux-user/syscall.c:2519: leaked_storage: Variable "array" going out of scope leaks the storage it points to. Error: RESOURCE_LEAK: gdbstub.c:2746: open_fn: Calling opening function "socket". gdbstub.c:2746: var_assign: Assigning: "fd" = handle returned from "socket(2, 1, 0)". gdbstub.c:2752: noescape: Variable "fd" is not closed or saved in function "fcntl". gdbstub.c:2757: noescape: Variable "fd" is not closed or saved in function "setsockopt". gdbstub.c:2762: noescape: Variable "fd" is not closed or saved in function "bind". gdbstub.c:2765: leaked_handle: Handle variable "fd" going out of scope leaks the handle. gdbstub.c:2767: noescape: Variable "fd" is not closed or saved in function "listen". gdbstub.c:2770: leaked_handle: Handle variable "fd" going out of scope leaks the handle. Error: RESOURCE_LEAK: qemu-ga.c:173: open_fn: Calling opening function "open". qemu-ga.c:173: var_assign: Assigning: "pidfd" = handle returned from "open(pidfile, 193, 384)". qemu-ga.c:183: noescape: Variable "pidfd" is not closed or saved in function "write". qemu-ga.c:202: leaked_handle: Handle variable "pidfd" going out of scope leaks the handle. 

Error: RESOURCE_LEAK:
qemu-ga.c:493: open_fn: Calling opening function "qemu_open".
osdep.c:85: open_fn: Returning handle opened by function "open".
osdep.c:85: var_assign: Assigning: "ret" = "open(name, flags | 0x80000, mode)".
osdep.c:93: return_handle: Returning opened handle "ret".
qemu-ga.c:493: var_assign: Assigning: "fd" = handle returned from "qemu_open(s->path, 10242)".
qemu-ga.c:498: noescape: Variable "fd" is not closed or saved in function "conn_channel_add".
qemu-ga.c:547: leaked_handle: Handle variable "fd" going out of scope leaks the handle.

Error: RESOURCE_LEAK:
qemu-ga.c:504: open_fn: Calling opening function "qemu_open".
osdep.c:85: open_fn: Returning handle opened by function "open".
osdep.c:85: var_assign: Assigning: "ret" = "open(name, flags | 0x80000, mode)".
osdep.c:93: return_handle: Returning opened handle "ret".
qemu-ga.c:504: var_assign: Assigning: "fd" = handle returned from "qemu_open(s->path, 258)".
qemu-ga.c:509: noescape: Variable "fd" is not closed or saved in function "tcgetattr".
qemu-ga.c:523: noescape: Variable "fd" is not closed or saved in function "tcflush".
qemu-ga.c:524: noescape: Variable "fd" is not closed or saved in function "tcsetattr".
qemu-ga.c:525: noescape: Variable "fd" is not closed or saved in function "conn_channel_add".
qemu-ga.c:547: leaked_handle: Handle variable "fd" going out of scope leaks the handle.

Error: RESOURCE_LEAK:
net/socket.c:409: open_fn: Calling opening function "qemu_socket".
osdep.c:136: open_fn: Returning handle opened by function "socket".
osdep.c:136: var_assign: Assigning: "ret" = "socket(domain, type | 0x80000, protocol)".
osdep.c:138: return_handle: Returning opened handle "ret".
net/socket.c:409: var_assign: Assigning: "fd" = handle returned from "qemu_socket(2, 1, 0)".
net/socket.c:414: noescape: Variable "fd" is not closed or saved in function "socket_set_nonblock".
net/socket.c:418: noescape: Variable "fd" is not closed or saved in function "setsockopt".
net/socket.c:420: noescape: Variable "fd" is not closed or saved in function "bind".
net/socket.c:423: leaked_handle: Handle variable "fd" going out of scope leaks the handle.
net/socket.c:425: noescape: Variable "fd" is not closed or saved in function "listen".
net/socket.c:428: leaked_handle: Handle variable "fd" going out of scope leaks the handle.

Error: RESOURCE_LEAK:
qemu-nbd.c:206: open_fn: Calling opening function "unix_socket_outgoing".
nbd.c:164: open_fn: Returning handle opened by function "unix_connect".
qemu-sockets.c:621: open_fn: Returning handle opened by function "unix_connect_opts".
qemu-sockets.c:564: open_fn: Returning handle opened by function "qemu_socket".
osdep.c:136: open_fn: Returning handle opened by function "socket".
osdep.c:136: var_assign: Assigning: "ret" = "socket(domain, type | 0x80000, protocol)".
osdep.c:138: return_handle: Returning opened handle "ret".
qemu-sockets.c:564: var_assign: Assigning: "sock" = "qemu_socket(1, 1, 0)".
qemu-sockets.c:573: noescape: Variable "sock" is not closed or saved in function "connect".
qemu-sockets.c:581: return_handle: Returning opened handle "sock".
qemu-sockets.c:621: var_assign: Assigning: "sock" = "unix_connect_opts(opts)".
qemu-sockets.c:623: return_handle: Returning opened handle "sock".
nbd.c:164: return_handle_fn: Directly returning handle opened by "unix_connect".
qemu-nbd.c:206: var_assign: Assigning: "sock" = handle returned from "unix_socket_outgoing(sockpath)".
qemu-nbd.c:212: noescape: Variable "sock" is not closed or saved in function "nbd_receive_negotiate".
qemu-nbd.c:244: leaked_handle: Handle variable "sock" going out of scope leaks the handle.

Error: REVERSE_INULL:
qapi-visit.c:680: deref_ptr: Directly dereferencing pointer "*obj".
qapi-visit.c:681: check_after_deref: Dereferencing "*obj" before a null check.

Error: REVERSE_INULL:
qapi-visit.c:680: deref_ptr: Directly dereferencing pointer "*obj".
qapi-visit.c:684: check_after_deref: Dereferencing "*obj" before a null check.

Error: REVERSE_INULL:
qapi-visit.c:680: deref_ptr: Directly dereferencing pointer "*obj".
qapi-visit.c:686: check_after_deref: Dereferencing "*obj" before a null check.

Error: REVERSE_INULL:
qapi-visit.c:718: deref_ptr: Directly dereferencing pointer "*obj".
qapi-visit.c:719: check_after_deref: Dereferencing "*obj" before a null check.

Error: REVERSE_INULL:
qapi-visit.c:449: deref_ptr: Directly dereferencing pointer "*obj".
qapi-visit.c:450: check_after_deref: Dereferencing "*obj" before a null check.

Error: REVERSE_INULL:
qapi-visit.c:449: deref_ptr: Directly dereferencing pointer "*obj".
qapi-visit.c:453: check_after_deref: Dereferencing "*obj" before a null check.

Error: REVERSE_INULL:
qapi-visit.c:449: deref_ptr: Directly dereferencing pointer "*obj".
qapi-visit.c:455: check_after_deref: Dereferencing "*obj" before a null check.

Error: REVERSE_INULL:
qapi-visit.c:747: deref_ptr: Directly dereferencing pointer "*obj".
qapi-visit.c:748: check_after_deref: Dereferencing "*obj" before a null check.

Error: REVERSE_INULL:
qapi-visit.c:747: deref_ptr: Directly dereferencing pointer "*obj".
qapi-visit.c:751: check_after_deref: Dereferencing "*obj" before a null check.

Error: REVERSE_INULL:
qapi-visit.c:747: deref_ptr: Directly dereferencing pointer "*obj".
qapi-visit.c:754: check_after_deref: Dereferencing "*obj" before a null check.

Error: REVERSE_INULL:
qapi-visit.c:747: deref_ptr: Directly dereferencing pointer "*obj".
qapi-visit.c:755: check_after_deref: Dereferencing "*obj" before a null check.

Error: REVERSE_INULL:
qapi-visit.c:747: deref_ptr: Directly dereferencing pointer "*obj".
qapi-visit.c:757: check_after_deref: Dereferencing "*obj" before a null check.

Error: REVERSE_INULL:
qapi-visit.c:747: deref_ptr: Directly dereferencing pointer "*obj".
qapi-visit.c:759: check_after_deref: Dereferencing "*obj" before a null check.

Error: REVERSE_INULL:
qapi-visit.c:747: deref_ptr: Directly dereferencing pointer "*obj".
qapi-visit.c:762: check_after_deref: Dereferencing "*obj" before a null check.

Error: REVERSE_INULL:
qapi-visit.c:747: deref_ptr: Directly dereferencing pointer "*obj".
qapi-visit.c:763: check_after_deref: Dereferencing "*obj" before a null check.

Error: REVERSE_INULL:
qapi-visit.c:747: deref_ptr: Directly dereferencing pointer "*obj".
qapi-visit.c:765: check_after_deref: Dereferencing "*obj" before a null check.

Error: REVERSE_INULL:
qapi-visit.c:747: deref_ptr: Directly dereferencing pointer "*obj".
qapi-visit.c:768: check_after_deref: Dereferencing "*obj" before a null check.

Error: REVERSE_INULL:
qapi-visit.c:316: deref_ptr: Directly dereferencing pointer "*obj".
qapi-visit.c:317: check_after_deref: Dereferencing "*obj" before a null check.

Error: REVERSE_INULL:
qapi-visit.c:316: deref_ptr: Directly dereferencing pointer "*obj".
qapi-visit.c:320: check_after_deref: Dereferencing "*obj" before a null check.

Error: REVERSE_INULL:
ui/keymaps.c:131: deref_ptr_in_call: Dereferencing pointer "rest". (The dereference is assumed on the basis of the 'nonnull' parameter attribute.)
ui/keymaps.c:133: check_after_deref: Dereferencing "rest" before a null check.

Error: REVERSE_INULL:
qapi-visit.c:272: deref_ptr: Directly dereferencing pointer "*obj".
qapi-visit.c:273: check_after_deref: Dereferencing "*obj" before a null check.

Error: REVERSE_INULL:
qapi-visit.c:272: deref_ptr: Directly dereferencing pointer "*obj".
qapi-visit.c:276: check_after_deref: Dereferencing "*obj" before a null check.

Error: REVERSE_INULL:
qapi-visit.c:272: deref_ptr: Directly dereferencing pointer "*obj".
qapi-visit.c:278: check_after_deref: Dereferencing "*obj" before a null check.

Error: REVERSE_INULL:
qapi-visit.c:272: deref_ptr: Directly dereferencing pointer "*obj".
qapi-visit.c:281: check_after_deref: Dereferencing "*obj" before a null check.

Error: REVERSE_INULL:
qapi-visit.c:272: deref_ptr: Directly dereferencing pointer "*obj".
qapi-visit.c:283: check_after_deref: Dereferencing "*obj" before a null check.

Error: REVERSE_INULL:
qapi-visit.c:272: deref_ptr: Directly dereferencing pointer "*obj".
qapi-visit.c:286: check_after_deref: Dereferencing "*obj" before a null check.

Error: REVERSE_INULL:
qapi-visit.c:272: deref_ptr: Directly dereferencing pointer "*obj".
qapi-visit.c:288: check_after_deref: Dereferencing "*obj" before a null check.

Error: REVERSE_INULL:
qapi-visit.c:272: deref_ptr: Directly dereferencing pointer "*obj".
qapi-visit.c:291: check_after_deref: Dereferencing "*obj" before a null check.

Error: REVERSE_INULL:
qapi-visit.c:351: deref_ptr: Directly dereferencing pointer "*obj".
qapi-visit.c:352: check_after_deref: Dereferencing "*obj" before a null check.

Error: REVERSE_INULL:
qapi-visit.c:351: deref_ptr: Directly dereferencing pointer "*obj".
qapi-visit.c:355: check_after_deref: Dereferencing "*obj" before a null check.

Error: REVERSE_INULL:
qapi-visit.c:351: deref_ptr: Directly dereferencing pointer "*obj".
qapi-visit.c:357: check_after_deref: Dereferencing "*obj" before a null check.

Error: REVERSE_INULL:
qapi-visit.c:351: deref_ptr: Directly dereferencing pointer "*obj".
qapi-visit.c:360: check_after_deref: Dereferencing "*obj" before a null check.

Error: REVERSE_INULL:
qapi-visit.c:351: deref_ptr: Directly dereferencing pointer "*obj".
qapi-visit.c:362: check_after_deref: Dereferencing "*obj" before a null check.

Error: REVERSE_INULL:
qapi-visit.c:480: deref_ptr: Directly dereferencing pointer "*obj".
qapi-visit.c:481: check_after_deref: Dereferencing "*obj" before a null check.

Error: REVERSE_INULL:
qapi-visit.c:480: deref_ptr: Directly dereferencing pointer "*obj".
qapi-visit.c:484: check_after_deref: Dereferencing "*obj" before a null check.

Error: REVERSE_INULL:
qapi-visit.c:480: deref_ptr: Directly dereferencing pointer "*obj".
qapi-visit.c:486: check_after_deref: Dereferencing "*obj" before a null check.

Error: REVERSE_INULL:
qapi-visit.c:480: deref_ptr: Directly dereferencing pointer "*obj".
qapi-visit.c:489: check_after_deref: Dereferencing "*obj" before a null check.

Error: REVERSE_INULL:
qapi-visit.c:480: deref_ptr: Directly dereferencing pointer "*obj".
qapi-visit.c:491: check_after_deref: Dereferencing "*obj" before a null check.

Error: REVERSE_INULL:
qapi-visit.c:480: deref_ptr: Directly dereferencing pointer "*obj".
qapi-visit.c:494: check_after_deref: Dereferencing "*obj" before a null check.

Error: REVERSE_INULL:
qapi-visit.c:480: deref_ptr: Directly dereferencing pointer "*obj".
qapi-visit.c:496: check_after_deref: Dereferencing "*obj" before a null check.

Error: REVERSE_INULL:
qapi-visit.c:480: deref_ptr: Directly dereferencing pointer "*obj".
qapi-visit.c:499: check_after_deref: Dereferencing "*obj" before a null check.

Error: REVERSE_INULL:
qapi-visit.c:480: deref_ptr: Directly dereferencing pointer "*obj".
qapi-visit.c:501: check_after_deref: Dereferencing "*obj" before a null check.

Error: REVERSE_INULL:
qapi-visit.c:415: deref_ptr: Directly dereferencing pointer "*obj".
qapi-visit.c:416: check_after_deref: Dereferencing "*obj" before a null check.

Error: REVERSE_INULL:
qapi-visit.c:415: deref_ptr: Directly dereferencing pointer "*obj".
qapi-visit.c:419: check_after_deref: Dereferencing "*obj" before a null check.

Error: REVERSE_INULL:
qapi-visit.c:415: deref_ptr: Directly dereferencing pointer "*obj".
qapi-visit.c:420: check_after_deref: Dereferencing "*obj" before a null check.

Error: REVERSE_INULL:
qapi-visit.c:415: deref_ptr: Directly dereferencing pointer "*obj".
qapi-visit.c:422: check_after_deref: Dereferencing "*obj" before a null check.

Error: REVERSE_INULL:
qapi-visit.c:604: deref_ptr: Directly dereferencing pointer "*obj".
qapi-visit.c:605: check_after_deref: Dereferencing "*obj" before a null check.

Error: REVERSE_INULL:
qapi-visit.c:604: deref_ptr: Directly dereferencing pointer "*obj".
qapi-visit.c:608: check_after_deref: Dereferencing "*obj" before a null check.

Error: REVERSE_INULL:
qapi-visit.c:604: deref_ptr: Directly dereferencing pointer "*obj".
qapi-visit.c:610: check_after_deref: Dereferencing "*obj" before a null check.

Error: REVERSE_INULL:
qapi-visit.c:604: deref_ptr: Directly dereferencing pointer "*obj".
qapi-visit.c:613: check_after_deref: Dereferencing "*obj" before a null check.

Error: REVERSE_INULL:
qapi-visit.c:604: deref_ptr: Directly dereferencing pointer "*obj".
qapi-visit.c:615: check_after_deref: Dereferencing "*obj" before a null check.

Error: REVERSE_INULL:
qapi-visit.c:604: deref_ptr: Directly dereferencing pointer "*obj".
qapi-visit.c:618: check_after_deref: Dereferencing "*obj" before a null check.

Error: REVERSE_INULL:
qapi-visit.c:604: deref_ptr: Directly dereferencing pointer "*obj".
qapi-visit.c:620: check_after_deref: Dereferencing "*obj" before a null check.

Error: REVERSE_INULL:
qapi-visit.c:604: deref_ptr: Directly dereferencing pointer "*obj".
qapi-visit.c:623: check_after_deref: Dereferencing "*obj" before a null check.

Error: REVERSE_INULL:
qapi-visit.c:604: deref_ptr: Directly dereferencing pointer "*obj".
qapi-visit.c:625: check_after_deref: Dereferencing "*obj" before a null check.

Error: REVERSE_INULL:
qapi-visit.c:604: deref_ptr: Directly dereferencing pointer "*obj".
qapi-visit.c:628: check_after_deref: Dereferencing "*obj" before a null check.

Error: REVERSE_INULL:
qapi-visit.c:604: deref_ptr: Directly dereferencing pointer "*obj".
qapi-visit.c:630: check_after_deref: Dereferencing "*obj" before a null check.

Error: REVERSE_INULL:
qapi-visit.c:22: deref_ptr: Directly dereferencing pointer "*obj".
qapi-visit.c:23: check_after_deref: Dereferencing "*obj" before a null check.

Error: REVERSE_INULL:
qapi-visit.c:210: deref_ptr: Directly dereferencing pointer "*obj".
qapi-visit.c:211: check_after_deref: Dereferencing "*obj" before a null check.

Error: REVERSE_INULL:
qapi-visit.c:210: deref_ptr: Directly dereferencing pointer "*obj".
qapi-visit.c:214: check_after_deref: Dereferencing "*obj" before a null check.

Error: REVERSE_INULL:
qapi-visit.c:210: deref_ptr: Directly dereferencing pointer "*obj".
qapi-visit.c:216: check_after_deref: Dereferencing "*obj" before a null check.

Error: REVERSE_INULL:
qapi-visit.c:210: deref_ptr: Directly dereferencing pointer "*obj".
qapi-visit.c:219: check_after_deref: Dereferencing "*obj" before a null check.

Error: REVERSE_INULL:
qapi-visit.c:210: deref_ptr: Directly dereferencing pointer "*obj".
qapi-visit.c:221: check_after_deref: Dereferencing "*obj" before a null check.

Error: REVERSE_INULL:
qapi-visit.c:553: deref_ptr: Directly dereferencing pointer "*obj".
qapi-visit.c:554: check_after_deref: Dereferencing "*obj" before a null check.

Error: REVERSE_INULL:
qapi-visit.c:553: deref_ptr: Directly dereferencing pointer "*obj".
qapi-visit.c:557: check_after_deref: Dereferencing "*obj" before a null check.

Error: REVERSE_INULL:
qapi-visit.c:553: deref_ptr: Directly dereferencing pointer "*obj".
qapi-visit.c:559: check_after_deref: Dereferencing "*obj" before a null check.

Error: REVERSE_INULL:
qapi-visit.c:553: deref_ptr: Directly dereferencing pointer "*obj".
qapi-visit.c:562: check_after_deref: Dereferencing "*obj" before a null check.

Error: REVERSE_INULL:
qapi-visit.c:553: deref_ptr: Directly dereferencing pointer "*obj".
qapi-visit.c:564: check_after_deref: Dereferencing "*obj" before a null check.

Error: REVERSE_INULL:
qapi-visit.c:553: deref_ptr: Directly dereferencing pointer "*obj".
qapi-visit.c:567: check_after_deref: Dereferencing "*obj" before a null check.

Error: REVERSE_INULL:
qapi-visit.c:553: deref_ptr: Directly dereferencing pointer "*obj".
qapi-visit.c:569: check_after_deref: Dereferencing "*obj" before a null check.

Error: REVERSE_INULL:
qapi-visit.c:553: deref_ptr: Directly dereferencing pointer "*obj".
qapi-visit.c:572: check_after_deref: Dereferencing "*obj" before a null check.

Error: REVERSE_INULL:
qapi-visit.c:553: deref_ptr: Directly dereferencing pointer "*obj".
qapi-visit.c:574: check_after_deref: Dereferencing "*obj" before a null check.

Error: REVERSE_INULL:
qapi-visit.c:553: deref_ptr: Directly dereferencing pointer "*obj".
qapi-visit.c:577: check_after_deref: Dereferencing "*obj" before a null check.

Error: REVERSE_INULL:
qapi-visit.c:553: deref_ptr: Directly dereferencing pointer "*obj".
qapi-visit.c:579: check_after_deref: Dereferencing "*obj" before a null check.

Error: REVERSE_INULL:
qemu-sockets.c:333: deref_ptr: Directly dereferencing pointer "peer".
qemu-sockets.c:399: check_after_deref: Dereferencing "peer" before a null check.

Error: REVERSE_INULL:
hw/usb-msd.c:380: deref_ptr_in_call: Dereferencing pointer "s->req".
hw/scsi-bus.c:628: deref_parm: Directly dereferencing parameter "req".
hw/usb-msd.c:381: check_after_deref: Dereferencing "s->req" before a null check.

Error: REVERSE_INULL:
migration.c:220: deref_ptr_in_call: Dereferencing pointer "s->file".
savevm.c:497: deref_parm: Directly dereferencing parameter "f".
migration.c:221: check_after_deref: Dereferencing "s->file" before a null check.

Error: REVERSE_INULL:
kvm-all.c:709: deref_ptr: Directly dereferencing pointer "s".
kvm-all.c:801: check_after_deref: Dereferencing "s" before a null check.

Error: REVERSE_NEGATIVE:
hw/openpic.c:861: negative_sink: Using "n_IRQ" as index to array "opp->src".
hw/openpic.c:862: check_after_sink: You might be using variable "n_IRQ" before verifying that it is >= 0.

Error: SIGN_EXTENSION:
block.c:1606: sign_extension: Suspicious implicit sign extension: "parse->last_sect" with type "unsigned char" (8 bits, unsigned) is promoted in "(parse->max_head + 1) * parse->max_track * parse->last_sect" to type "int" (32 bits, signed), then sign-extended to type "unsigned long" (64 bits, unsigned). If "(parse->max_head + 1) * parse->max_track * parse->last_sect" is greater than 0x7FFFFFFF, the upper bits of the result will all be 1.

Error: SIGN_EXTENSION:
m68k-dis.c:4693: sign_extension: Suspicious implicit sign extension: "data[cur_byte]" with type "unsigned char" (8 bits, unsigned) is promoted in "data[cur_byte] << cur_bitshift" to type "int" (32 bits, signed), then sign-extended to type "unsigned long" (64 bits, unsigned). If "data[cur_byte] << cur_bitshift" is greater than 0x7FFFFFFF, the upper bits of the result will all be 1.

Error: SIGN_EXTENSION:
hw/dp8393x.c:354: sign_extension: Suspicious implicit sign extension: "s->regs[6]" with type "unsigned short" (16 bits, unsigned) is promoted in "(s->regs[6] << 16) | s->regs[32]" to type "int" (32 bits, signed), then sign-extended to type "unsigned long" (64 bits, unsigned). If "(s->regs[6] << 16) | s->regs[32]" is greater than 0x7FFFFFFF, the upper bits of the result will all be 1.

Error: SIGN_EXTENSION:
hw/dp8393x.c:389: sign_extension: Suspicious implicit sign extension: "s->regs[6]" with type "unsigned short" (16 bits, unsigned) is promoted in "(s->regs[6] << 16) | s->regs[32]" to type "int" (32 bits, signed), then sign-extended to type "unsigned long" (64 bits, unsigned). If "(s->regs[6] << 16) | s->regs[32]" is greater than 0x7FFFFFFF, the upper bits of the result will all be 1.

Error: SIGN_EXTENSION:
hw/dp8393x.c:430: sign_extension: Suspicious implicit sign extension: "s->regs[6]" with type "unsigned short" (16 bits, unsigned) is promoted in "(s->regs[6] << 16) | s->regs[32]" to type "int" (32 bits, signed), then sign-extended to type "unsigned long" (64 bits, unsigned). If "(s->regs[6] << 16) | s->regs[32]" is greater than 0x7FFFFFFF, the upper bits of the result will all be 1.

Error: SIGN_EXTENSION:
cris-dis.c:2136: sign_extension: Suspicious implicit sign extension: "buffer[5]" with type "unsigned char" (8 bits, unsigned) is promoted in "buffer[2] + buffer[3] * 256 + buffer[4] * 65536 + buffer[5] * 16777216" to type "int" (32 bits, signed), then sign-extended to type "long" (64 bits, signed). If "buffer[2] + buffer[3] * 256 + buffer[4] * 65536 + buffer[5] * 16777216" is greater than 0x7FFFFFFF, the upper bits of the result will all be 1.

Error: SIGN_EXTENSION:
cris-dis.c:2353: sign_extension: Suspicious implicit sign extension: "prefix_buffer[5]" with type "unsigned char" (8 bits, unsigned) is promoted in "prefix_buffer[2] + prefix_buffer[3] * 256 + prefix_buffer[4] * 65536 + prefix_buffer[5] * 16777216" to type "int" (32 bits, signed), then sign-extended to type "long" (64 bits, signed). If "prefix_buffer[2] + prefix_buffer[3] * 256 + prefix_buffer[4] * 65536 + prefix_buffer[5] * 16777216" is greater than 0x7FFFFFFF, the upper bits of the result will all be 1.

Error: SIGN_EXTENSION:
cris-dis.c:2047: sign_extension: Suspicious implicit sign extension: "buffer[5]" with type "unsigned char" (8 bits, unsigned) is promoted in "buffer[2] + buffer[3] * 256 + buffer[4] * 65536 + buffer[5] * 16777216" to type "int" (32 bits, signed), then sign-extended to type "unsigned long" (64 bits, unsigned). If "buffer[2] + buffer[3] * 256 + buffer[4] * 65536 + buffer[5] * 16777216" is greater than 0x7FFFFFFF, the upper bits of the result will all be 1.

Error: SIGN_EXTENSION:
cris-dis.c:2239: sign_extension: Suspicious implicit sign extension: "prefix_buffer[5]" with type "unsigned char" (8 bits, unsigned) is promoted in "prefix_buffer[2] + prefix_buffer[3] * 256 + prefix_buffer[4] * 65536 + prefix_buffer[5] * 16777216" to type "int" (32 bits, signed), then sign-extended to type "unsigned long" (64 bits, unsigned). If "prefix_buffer[2] + prefix_buffer[3] * 256 + prefix_buffer[4] * 65536 + prefix_buffer[5] * 16777216" is greater than 0x7FFFFFFF, the upper bits of the result will all be 1.

Error: SIGN_EXTENSION:
microblaze-dis.c:773: sign_extension: Suspicious implicit sign extension: "ibytes[0]" with type "unsigned char" (8 bits, unsigned) is promoted in "(ibytes[0] << 24) | (ibytes[1] << 16) | (ibytes[2] << 8) | ibytes[3]" to type "int" (32 bits, signed), then sign-extended to type "unsigned long" (64 bits, unsigned). If "(ibytes[0] << 24) | (ibytes[1] << 16) | (ibytes[2] << 8) | ibytes[3]" is greater than 0x7FFFFFFF, the upper bits of the result will all be 1.

Error: SIGN_EXTENSION:
microblaze-dis.c:775: sign_extension: Suspicious implicit sign extension: "ibytes[3]" with type "unsigned char" (8 bits, unsigned) is promoted in "(ibytes[3] << 24) | (ibytes[2] << 16) | (ibytes[1] << 8) | ibytes[0]" to type "int" (32 bits, signed), then sign-extended to type "unsigned long" (64 bits, unsigned). If "(ibytes[3] << 24) | (ibytes[2] << 16) | (ibytes[1] << 8) | ibytes[0]" is greater than 0x7FFFFFFF, the upper bits of the result will all be 1.

Error: SIGN_EXTENSION:
hw/omap1.c:2678: sign_extension: Suspicious implicit sign extension: "from_bcd(value)" with type "unsigned char" (8 bits, unsigned) is promoted in "from_bcd(value) * 31536000" to type "int" (32 bits, signed), then sign-extended to type "long" (64 bits, signed). If "from_bcd(value) * 31536000" is greater than 0x7FFFFFFF, the upper bits of the result will all be 1.

Error: SIGN_EXTENSION:
hw/dp8393x.c:754: sign_extension: Suspicious implicit sign extension: "s->regs[13]" with type "unsigned short" (16 bits, unsigned) is promoted in "(s->regs[13] << 16) | s->regs[14]" to type "int" (32 bits, signed), then sign-extended to type "unsigned long" (64 bits, unsigned). If "(s->regs[13] << 16) | s->regs[14]" is greater than 0x7FFFFFFF, the upper bits of the result will all be 1.

Error: SIGN_EXTENSION:
hw/dp8393x.c:812: sign_extension: Suspicious implicit sign extension: "s->regs[13]" with type "unsigned short" (16 bits, unsigned) is promoted in "(s->regs[13] << 16) | s->regs[14]" to type "int" (32 bits, signed), then sign-extended to type "unsigned long" (64 bits, unsigned). If "(s->regs[13] << 16) | s->regs[14]" is greater than 0x7FFFFFFF, the upper bits of the result will all be 1.

Error: SIGN_EXTENSION:
hw/dp8393x.c:821: sign_extension: Suspicious implicit sign extension: "s->regs[13]" with type "unsigned short" (16 bits, unsigned) is promoted in "(s->regs[13] << 16) | s->regs[14]" to type "int" (32 bits, signed), then sign-extended to type "unsigned long" (64 bits, unsigned). If "(s->regs[13] << 16) | s->regs[14]" is greater than 0x7FFFFFFF, the upper bits of the result will all be 1.

Error: SIGN_EXTENSION:
hw/stellaris_enet.c:173: sign_extension: Suspicious implicit sign extension: "s->conf.macaddr.a[3]" with type "unsigned char" (8 bits, unsigned) is promoted in "s->conf.macaddr.a[0] | (s->conf.macaddr.a[1] << 8) | (s->conf.macaddr.a[2] << 16) | (s->conf.macaddr.a[3] << 24)" to type "int" (32 bits, signed), then sign-extended to type "unsigned long" (64 bits, unsigned). If "s->conf.macaddr.a[0] | (s->conf.macaddr.a[1] << 8) | (s->conf.macaddr.a[2] << 16) | (s->conf.macaddr.a[3] << 24)" is greater than 0x7FFFFFFF, the upper bits of the result will all be 1.

Error: SIGN_EXTENSION:
arm-dis.c:4041: sign_extension: Suspicious implicit sign extension: "b[0]" with type "unsigned char" (8 bits, unsigned) is promoted in "b[3] | (b[2] << 8) | (b[1] << 16) | (b[0] << 24)" to type "int" (32 bits, signed), then sign-extended to type "long" (64 bits, signed). If "b[3] | (b[2] << 8) | (b[1] << 16) | (b[0] << 24)" is greater than 0x7FFFFFFF, the upper bits of the result will all be 1.

Error: SIGN_EXTENSION:
arm-dis.c:4039: sign_extension: Suspicious implicit sign extension: "b[3]" with type "unsigned char" (8 bits, unsigned) is promoted in "b[0] | (b[1] << 8) | (b[2] << 16) | (b[3] << 24)" to type "int" (32 bits, signed), then sign-extended to type "long" (64 bits, signed). If "b[0] | (b[1] << 8) | (b[2] << 16) | (b[3] << 24)" is greater than 0x7FFFFFFF, the upper bits of the result will all be 1.

Error: SIZEOF_MISMATCH:
cris-dis.c:1403: suspicious_sizeof: Passing argument "524288UL /* 65536 * sizeof (struct cris_opcode const **) */" to function "g_malloc" and then casting the return value to "struct cris_opcode const **" is suspicious. Did you intend to use "sizeof(struct cris_opcode const *)" instead of "sizeof (struct cris_opcode const **)" ? In this particular case sizeof(struct cris_opcode const **) happens to be equal to sizeof(struct cris_opcode const *), but this is not a portable assumption.

Error: SIZEOF_MISMATCH:
cris-dis.c:1408: suspicious_sizeof: Passing argument "524288UL /* 65536 * sizeof (struct cris_opcode const **) */" to function "g_malloc" and then casting the return value to "struct cris_opcode const **" is suspicious. Did you intend to use "sizeof(struct cris_opcode const *)" instead of "sizeof (struct cris_opcode const **)" ? In this particular case sizeof(struct cris_opcode const **) happens to be equal to sizeof(struct cris_opcode const *), but this is not a portable assumption.

Error: SIZEOF_MISMATCH:
cris-dis.c:1413: suspicious_sizeof: Passing argument "524288UL /* 65536 * sizeof (struct cris_opcode const **) */" to function "g_malloc" and then casting the return value to "struct cris_opcode const **" is suspicious. Did you intend to use "sizeof(struct cris_opcode const *)" instead of "sizeof (struct cris_opcode const **)" ? In this particular case sizeof(struct cris_opcode const **) happens to be equal to sizeof(struct cris_opcode const *), but this is not a portable assumption.

Error: SIZEOF_MISMATCH:
cris-dis.c:1418: suspicious_sizeof: Passing argument "524288UL /* 65536 * sizeof (struct cris_opcode const **) */" to function "g_malloc" and then casting the return value to "struct cris_opcode const **" is suspicious. Did you intend to use "sizeof(struct cris_opcode const *)" instead of "sizeof (struct cris_opcode const **)" ? In this particular case sizeof(struct cris_opcode const **) happens to be equal to sizeof(struct cris_opcode const *), but this is not a portable assumption.

Error: SIZEOF_MISMATCH:
cris-dis.c:1423: suspicious_sizeof: Passing argument "524288UL /* 65536 * sizeof (struct cris_opcode const **) */" to function "g_malloc" and then casting the return value to "struct cris_opcode const **" is suspicious. Did you intend to use "sizeof(struct cris_opcode const *)" instead of "sizeof (struct cris_opcode const **)" ? In this particular case sizeof(struct cris_opcode const **) happens to be equal to sizeof(struct cris_opcode const *), but this is not a portable assumption.

Error: SIZEOF_MISMATCH:
block/vvfat.c:2817: suspicious_sizeof: Passing argument "8UL /* sizeof (void *) */" to function "g_malloc" which returns a value of type "void *" is suspicious.

Error: SIZEOF_MISMATCH:
hw/wm8750.c:566: suspicious_division: Pointer differences, such as "s->rate - wm_rate_table", are automatically scaled down by the size (16 bytes) of the pointed-to type ("WMRate const"). Most likely, the division by "sizeof (*s->rate)" is extraneous and should be eliminated.

Error: UNINIT:
exec.c:1920: var_decl: Declaring variable "act" without initializer.
exec.c:1923: uninit_use_in_call: Using uninitialized value "act": field "act".sa_restorer is uninitialized when calling "sigaction".

Error: UNINIT:
iohandler.c:168: var_decl: Declaring variable "act" without initializer.
iohandler.c:173: uninit_use_in_call: Using uninitialized value "act": field "act".sa_restorer is uninitialized when calling "sigaction".

Error: UNINIT:
hw/scsi-bus.c:474: var_decl: Declaring variable "cmd" without initializer.
hw/scsi-bus.c:476: uninit_use_in_call: Using uninitialized value "cmd.len" when calling "scsi_req_parse".
hw/scsi-bus.c:937: read_parm_fld: Reading a parameter field.
hw/scsi-bus.c:511: uninit_use: Using uninitialized value "cmd": field "cmd".len is uninitialized.

Error: UNINIT:
linux-user/signal.c:372: var_decl: Declaring variable "act" without initializer.
linux-user/signal.c:401: uninit_use_in_call: Using uninitialized value "act": field "act".sa_restorer is uninitialized when calling "sigaction".

Error: UNINIT:
net/socket.c:251: var_decl: Declaring variable "saddr" without initializer.
net/socket.c:293: uninit_use: Using uninitialized value "saddr.sin_port".

Error: UNINIT:
net/socket.c:253: var_decl: Declaring variable "saddr_len" without initializer.
net/socket.c:263: uninit_use_in_call: Using uninitialized value "saddr_len" when calling "getsockname".

Error: UNINIT:
linux-user/signal.c:577: var_decl: Declaring variable "act1" without initializer.
linux-user/signal.c:625: uninit_use_in_call: Using uninitialized value "act1": field "act1".sa_restorer is uninitialized when calling "sigaction".

Error: UNINIT:
slirp/slirp.c:411: var_decl: Declaring variable "ret" without initializer.
slirp/slirp.c:491: uninit_use_in_call: Using uninitialized value "ret" when calling "send".

Error: UNINIT:
linux-user/syscall.c:7910: var_decl: Declaring variable "posix_mq_attr_in" without initializer.
linux-user/syscall.c:7918: uninit_use_in_call: Using uninitialized value "posix_mq_attr_in": field "posix_mq_attr_in".__pad is uninitialized when calling "mq_setattr".

Error: UNINIT:
libcacard/vscclient.c:64: var_decl: Declaring variable "mhHeader" without initializer.
libcacard/vscclient.c:76: uninit_use_in_call: Using uninitialized value "mhHeader": field "mhHeader".data is uninitialized when calling "write".

Error: UNINIT:
target-i386/kvm.c:701: var_decl: Declaring variable "regs" without initializer.
target-i386/kvm.c:711: uninit_use_in_call: Using uninitialized value "regs.rax" when calling "kvm_getput_reg".
target-i386/kvm.c:695: read_parm: Reading a parameter value.
target-i386/kvm.c:712: uninit_use_in_call: Using uninitialized value "regs.rbx" when calling "kvm_getput_reg".
target-i386/kvm.c:695: read_parm: Reading a parameter value.
target-i386/kvm.c:713: uninit_use_in_call: Using uninitialized value "regs.rcx" when calling "kvm_getput_reg".
target-i386/kvm.c:695: read_parm: Reading a parameter value.
target-i386/kvm.c:714: uninit_use_in_call: Using uninitialized value "regs.rdx" when calling "kvm_getput_reg".
target-i386/kvm.c:695: read_parm: Reading a parameter value.
target-i386/kvm.c:715: uninit_use_in_call: Using uninitialized value "regs.rsi" when calling "kvm_getput_reg".
target-i386/kvm.c:695: read_parm: Reading a parameter value.
target-i386/kvm.c:716: uninit_use_in_call: Using uninitialized value "regs.rdi" when calling "kvm_getput_reg".
target-i386/kvm.c:695: read_parm: Reading a parameter value.
target-i386/kvm.c:717: uninit_use_in_call: Using uninitialized value "regs.rsp" when calling "kvm_getput_reg".
target-i386/kvm.c:695: read_parm: Reading a parameter value.
target-i386/kvm.c:718: uninit_use_in_call: Using uninitialized value "regs.rbp" when calling "kvm_getput_reg".
target-i386/kvm.c:695: read_parm: Reading a parameter value.
target-i386/kvm.c:730: uninit_use_in_call: Using uninitialized value "regs.rflags" when calling "kvm_getput_reg".
target-i386/kvm.c:695: read_parm: Reading a parameter value.
target-i386/kvm.c:731: uninit_use_in_call: Using uninitialized value "regs.rip" when calling "kvm_getput_reg".
target-i386/kvm.c:695: read_parm: Reading a parameter value.

Error: UNINIT:
linux-user/arm/nwfpe/extended_cpdo.c:40: var_decl: Declaring variable "rFn" without initializer.
linux-user/arm/nwfpe/extended_cpdo.c:96: uninit_use_in_call: Using uninitialized value "rFn": field "rFn".high is uninitialized when calling "floatx80_add".
fpu/softfloat.c:4662: read_parm: Reading a parameter value.
linux-user/arm/nwfpe/extended_cpdo.c:101: uninit_use_in_call: Using uninitialized value "rFn": field "rFn".high is uninitialized when calling "floatx80_mul".
fpu/softfloat.c:4707: read_parm: Reading a parameter value.
linux-user/arm/nwfpe/extended_cpdo.c:105: uninit_use_in_call: Using uninitialized value "rFn": field "rFn".high is uninitialized when calling "floatx80_sub".
fpu/softfloat.c:4683: read_parm: Reading a parameter value.
linux-user/arm/nwfpe/extended_cpdo.c:109: uninit_use_in_call: Using uninitialized value "rFn": field "rFn".high is uninitialized when calling "floatx80_sub".
fpu/softfloat.c:4684: read_parm: Reading a parameter value.
linux-user/arm/nwfpe/extended_cpdo.c:114: uninit_use_in_call: Using uninitialized value "rFn": field "rFn".high is uninitialized when calling "floatx80_div".
fpu/softfloat.c:4767: read_parm: Reading a parameter value.
linux-user/arm/nwfpe/extended_cpdo.c:119: uninit_use_in_call: Using uninitialized value "rFn": field "rFn".high is uninitialized when calling "floatx80_div".
fpu/softfloat.c:4770: read_parm: Reading a parameter value.
linux-user/arm/nwfpe/extended_cpdo.c:133: uninit_use_in_call: Using uninitialized value "rFn": field "rFn".high is uninitialized when calling "floatx80_rem".
fpu/softfloat.c:4847: read_parm: Reading a parameter value.

Error: UNINIT:
linux-user/arm/nwfpe/double_cpdo.c:40: var_decl: Declaring variable "rFm" without initializer.
linux-user/arm/nwfpe/double_cpdo.c:98: uninit_use_in_call: Using uninitialized value "rFm" when calling "float64_add".
fpu/softfloat.c:3419: read_parm: Reading a parameter value.
linux-user/arm/nwfpe/double_cpdo.c:103: uninit_use_in_call: Using uninitialized value "rFm" when calling "float64_mul".
fpu/softfloat.c:3468: read_parm: Reading a parameter value.
linux-user/arm/nwfpe/double_cpdo.c:107: uninit_use_in_call: Using uninitialized value "rFm" when calling "float64_sub".
fpu/softfloat.c:3442: read_parm: Reading a parameter value.
linux-user/arm/nwfpe/double_cpdo.c:111: uninit_use_in_call: Using uninitialized value "rFm" when calling "float64_sub".
fpu/softfloat.c:3441: read_parm: Reading a parameter value.
linux-user/arm/nwfpe/double_cpdo.c:116: uninit_use_in_call: Using uninitialized value "rFm" when calling "float64_div".
fpu/softfloat.c:3530: read_parm: Reading a parameter value.
linux-user/arm/nwfpe/double_cpdo.c:121: uninit_use_in_call: Using uninitialized value "rFm" when calling "float64_div".
fpu/softfloat.c:3529: read_parm: Reading a parameter value.
linux-user/arm/nwfpe/double_cpdo.c:135: uninit_use_in_call: Using uninitialized value "rFm" when calling "float64_rem".
fpu/softfloat.c:3603: read_parm: Reading a parameter value.
linux-user/arm/nwfpe/double_cpdo.c:146: uninit_use: Using uninitialized value "rFm".
linux-user/arm/nwfpe/double_cpdo.c:175: uninit_use_in_call: Using uninitialized value "rFm" when calling "float64_round_to_int".
fpu/softfloat.c:3196: read_parm: Reading a parameter value.
linux-user/arm/nwfpe/double_cpdo.c:179: uninit_use_in_call: Using uninitialized value "rFm" when calling "float64_sqrt".
fpu/softfloat.c:3906: read_parm: Reading a parameter value.

Error: UNINIT:
hw/sun4m.c:1705: var_decl: Declaring variable "fdc_tc" without initializer.
hw/sun4m.c:1757: uninit_use_in_call: Using uninitialized value "fdc_tc" when calling "slavio_misc_init".
hw/sun4m.c:514: read_parm: Reading a parameter value.

Error: UNINIT:
linux-user/signal.c:307: var_decl: Declaring variable "act" without initializer.
linux-user/signal.c:344: uninit_use_in_call: Using uninitialized value "act": field "act".sa_restorer is uninitialized when calling "sigaction".

Error: UNINIT:
os-posix.c:59: var_decl: Declaring variable "act" without initializer.
os-posix.c:63: uninit_use_in_call: Using uninitialized value "act": field "act".sa_restorer is uninitialized when calling "sigaction". Error: UNINIT: hw/usb-uhci.c:949: var_decl: Declaring variable "qhdb" without initializer. hw/usb-uhci.c:967: uninit_use_in_call: Using uninitialized element of array "qhdb.addr" when calling "qhdb_insert". hw/usb-uhci.c:932: read_parm_fld: Reading a parameter field. Error: UNINIT: hw/sun4m.c:828: var_decl: Declaring variable "fdc_tc" without initializer. hw/sun4m.c:927: uninit_use_in_call: Using uninitialized value "fdc_tc" when calling "slavio_misc_init". hw/sun4m.c:514: read_parm: Reading a parameter value. Error: UNINIT: hw/virtio-serial-bus.c:320: var_decl: Declaring variable "cpkt" without initializer. hw/virtio-serial-bus.c:388: uninit_use_in_call: Using uninitialized value "cpkt": field "cpkt".id is uninitialized when calling "memcpy". Error: UNINIT: vl.c:1039: var_decl: Declaring variable "p" without initializer. vl.c:1058: uninit_use_in_call: Using uninitialized value "p" when calling "hci_init". vl.c:618: read_parm: Reading a parameter value. Error: UNINIT: oslib-posix.c:168: var_decl: Declaring variable "tv_now" without initializer. oslib-posix.c:199: uninit_use: Using uninitialized value "tv_now.tv_sec". oslib-posix.c:200: uninit_use: Using uninitialized value "tv_now.tv_usec". Error: UNINIT: hw/elf_ops.h:80: var_decl: Declaring variable "key" without initializer. hw/elf_ops.h:85: uninit_use_in_call: Using uninitialized value "key": field "key".st_size is uninitialized when calling "bsearch". Error: UNINIT: qemu-timer.c:542: var_decl: Declaring variable "act" without initializer. qemu-timer.c:548: uninit_use_in_call: Using uninitialized value "act": field "act".sa_restorer is uninitialized when calling "sigaction". Error: UNINIT: qemu-timer.c:623: var_decl: Declaring variable "act" without initializer. 
qemu-timer.c:630: uninit_use_in_call: Using uninitialized value "act": field "act".sa_restorer is uninitialized when calling "sigaction". Error: UNINIT: hw/elf_ops.h:80: var_decl: Declaring variable "key" without initializer. hw/elf_ops.h:85: uninit_use_in_call: Using uninitialized value "key": field "key".st_shndx is uninitialized when calling "bsearch". Error: UNINIT: linux-user/elfload.c:1706: var_decl: Declaring variable "key" without initializer. linux-user/elfload.c:1711: uninit_use_in_call: Using uninitialized value "key": field "key".st_size is uninitialized when calling "bsearch". Error: UNREACHABLE: hw/usb-musb.c:573: unreachable: This code cannot be reached: "switch (ttype){ case 0: ...". Error: UNREACHABLE: hw/sd.c:335: unreachable: This code cannot be reached: "return sd_crc7(buffer, 5UL)...". Error: UNREACHABLE: target-s390x/op_helper.c:264: unreachable: This code cannot be reached: "if (dest != src + 1UL){ f...". Error: UNREACHABLE: hw/ide/microdrive.c:273: unreachable: This code cannot be reached: "if (s->cycle)ide_data_write...". Error: UNREACHABLE: hw/ide/microdrive.c:212: unreachable: This code cannot be reached: "if (s->cycle)ret = s->io >>...". Error: UNUSED_VALUE: linux-user/mmap.c:463: returned_pointer: Pointer "p" returned by "mmap((void *)((unsigned long)mmap_start + guest_base), len, prot, flags | 0x10, fd, host_offset)" is never used. Error: UNUSED_VALUE: linux-user/mmap.c:730: returned_pointer: Pointer "host_addr" returned by "mremap((void *)((unsigned long)old_addr + guest_base), new_size, old_size, flags)" is never used. Error: USE_AFTER_FREE: envlist.c:52: alias: Assigning: "entry" = "envlist->el_entries.lh_first". Now both point to the same storage. envlist.c:56: freed_arg: "free" frees "entry". envlist.c:52: use_after_free: Using freed pointer "envlist->el_entries.lh_first". Error: USE_AFTER_FREE: envlist.c:154: alias: Assigning: "entry" = "envlist->el_entries.lh_first". Now both point to the same storage. 
envlist.c:163: freed_arg: "free" frees "entry". envlist.c:174: use_after_free: Using freed pointer "envlist->el_entries.lh_first". Error: USE_AFTER_FREE: audio/wavaudio.c:212: freed_arg: "fclose" frees "wav->f". audio/wavaudio.c:213: pass_freed_arg: Passing freed pointer "wav->f" as an argument to function "dolog".