Re: [Qemu-trivial] [Qemu-devel] [PATCH v2] scripts: add sample model file for Coverity Scan

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Paolo Bonzini <pbonzini@redhat.com>
To: Markus Armbruster <armbru@redhat.com>
Cc: qemu-trivial@nongnu.org, Eric Blake <eblake@redhat.com>,
	qemu-devel@nongnu.org
Subject: Re: [Qemu-trivial] [Qemu-devel] [PATCH v2] scripts: add sample model file for Coverity Scan
Date: Thu, 20 Mar 2014 14:01:18 +0100	[thread overview]
Message-ID: <532AE69E.4070502@redhat.com> (raw)
In-Reply-To: <874n2tgw9h.fsf@blackfin.pond.sub.org>

Il 20/03/2014 08:32, Markus Armbruster ha scritto:
>>>> +static void __write(uint8_t *buf, int len)
>>>
>>> Will the fact that you used 'int len' instead of 'size_t' bite us on 32-
>>> vs. 64-bit?  Same for __read.
>>
>> Yeah, I copied this from address_space_rw.  I'll change to ssize_t to
>> catch negative values.
>
> Change the real address_space_rw(), or the model's __write()?

__read and __write for now (hard freeze etc. etc.).

>> +    if (is_write) __write(buf, len); else __read(buf, len);
>> +
>> +    return result;
>> +}
>
> I'm curious: could you give me a rough idea on how modelling
> address_space_rw() affects results?

Sure!  The problematic code is this one:

             if (!memory_access_is_direct(mr, is_write)) {
                 l = memory_access_size(mr, l, addr1);
                 /* XXX: could force current_cpu to NULL to avoid
                    potential bugs */
                 switch (l) {
                 case 8:
                     /* 64 bit write access */
                     val = ldq_p(buf);
                     error |= io_mem_write(mr, addr1, val, 8);
                     break;

Coverity doesn't understand that memory_access_size return a value that 
is less than l, and thus thinks that address_space_rw can do an 8-byte 
access.  So it flags cases where we use it to read into an int or a 
similarly small char[].

It's actually fairly common, it occurs ~20 times.

>> +static int get_keysym(const name2keysym_t *table,
>> +                      const char *name)
>
> Curious again: is this just insurance, or did you observe scanning
> improvements?

It fixes exactly one error.  All of the "tainted value" can be 
considered false positives, but I wanted to have an example on how to 
shut them up.

> This claims g_malloc(0) returns a non-null pointer to a block of size 1.
> Could we say it returns a non-null pointer to a block of size 0?

Not sure of the semantics of __coverity_alloc__(0).  Leave it to further 
future improvements?

>     if (success) {
>         void* tmp = __coverity_alloc__(size);
>         if (tmp) __coverity_mark_as_uninitialized_buffer__(tmp);
>         __coverity_mark_as_afm_allocated__(tmp, AFM_free);
>         return tmp;
>     } else {
>         __coverity_panic__ ();
>     }

Is the "if" needed at all?  The "else" path is killed altogether by 
__coverity_panic__().

Paolo

WARNING: multiple messages have this Message-ID (diff)

From: Paolo Bonzini <pbonzini@redhat.com>
To: Markus Armbruster <armbru@redhat.com>
Cc: qemu-trivial@nongnu.org, qemu-devel@nongnu.org
Subject: Re: [Qemu-devel] [PATCH v2] scripts: add sample model file for Coverity Scan
Date: Thu, 20 Mar 2014 14:01:18 +0100	[thread overview]
Message-ID: <532AE69E.4070502@redhat.com> (raw)
In-Reply-To: <874n2tgw9h.fsf@blackfin.pond.sub.org>

Il 20/03/2014 08:32, Markus Armbruster ha scritto:
>>>> +static void __write(uint8_t *buf, int len)
>>>
>>> Will the fact that you used 'int len' instead of 'size_t' bite us on 32-
>>> vs. 64-bit?  Same for __read.
>>
>> Yeah, I copied this from address_space_rw.  I'll change to ssize_t to
>> catch negative values.
>
> Change the real address_space_rw(), or the model's __write()?

__read and __write for now (hard freeze etc. etc.).

>> +    if (is_write) __write(buf, len); else __read(buf, len);
>> +
>> +    return result;
>> +}
>
> I'm curious: could you give me a rough idea on how modelling
> address_space_rw() affects results?

Sure!  The problematic code is this one:

             if (!memory_access_is_direct(mr, is_write)) {
                 l = memory_access_size(mr, l, addr1);
                 /* XXX: could force current_cpu to NULL to avoid
                    potential bugs */
                 switch (l) {
                 case 8:
                     /* 64 bit write access */
                     val = ldq_p(buf);
                     error |= io_mem_write(mr, addr1, val, 8);
                     break;

Coverity doesn't understand that memory_access_size return a value that 
is less than l, and thus thinks that address_space_rw can do an 8-byte 
access.  So it flags cases where we use it to read into an int or a 
similarly small char[].

It's actually fairly common, it occurs ~20 times.

>> +static int get_keysym(const name2keysym_t *table,
>> +                      const char *name)
>
> Curious again: is this just insurance, or did you observe scanning
> improvements?

It fixes exactly one error.  All of the "tainted value" can be 
considered false positives, but I wanted to have an example on how to 
shut them up.

> This claims g_malloc(0) returns a non-null pointer to a block of size 1.
> Could we say it returns a non-null pointer to a block of size 0?

Not sure of the semantics of __coverity_alloc__(0).  Leave it to further 
future improvements?

>     if (success) {
>         void* tmp = __coverity_alloc__(size);
>         if (tmp) __coverity_mark_as_uninitialized_buffer__(tmp);
>         __coverity_mark_as_afm_allocated__(tmp, AFM_free);
>         return tmp;
>     } else {
>         __coverity_panic__ ();
>     }

Is the "if" needed at all?  The "else" path is killed altogether by 
__coverity_panic__().

Paolo

next prev parent reply	other threads:[~2014-03-20 13:01 UTC|newest]

Thread overview: 14+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2014-03-19 16:52 [Qemu-trivial] [PATCH v2] scripts: add sample model file for Coverity Scan Paolo Bonzini
2014-03-19 16:52 ` [Qemu-devel] " Paolo Bonzini
2014-03-19 17:32 ` [Qemu-trivial] " Eric Blake
2014-03-19 17:32   ` Eric Blake
2014-03-19 19:46   ` [Qemu-trivial] " Paolo Bonzini
2014-03-19 19:46     ` Paolo Bonzini
2014-03-20  7:32     ` [Qemu-trivial] " Markus Armbruster
2014-03-20  7:32       ` Markus Armbruster
2014-03-20 13:01       ` Paolo Bonzini [this message]
2014-03-20 13:01         ` Paolo Bonzini
2014-03-26 15:37         ` [Qemu-trivial] " Markus Armbruster
2014-03-26 15:37           ` Markus Armbruster
2014-03-20  8:26 ` [Qemu-trivial] " Markus Armbruster
2014-03-20  8:26   ` Markus Armbruster

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=532AE69E.4070502@redhat.com \
    --to=pbonzini@redhat.com \
    --cc=armbru@redhat.com \
    --cc=eblake@redhat.com \
    --cc=qemu-devel@nongnu.org \
    --cc=qemu-trivial@nongnu.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.