From: David Hildenbrand <david@redhat.com>
To: Vladimir Sementsov-Ogievskiy <vsementsov@yandex-team.ru>,
qemu-devel@nongnu.org
Cc: philmd@linaro.org, peterx@redhat.com, pbonzini@redhat.com,
peter.maydell@linaro.org, armbru@redhat.com
Subject: Re: [PATCH] coverity: physmem: use simple assertions instead of modelling
Date: Mon, 23 Jan 2023 12:05:36 +0100 [thread overview]
Message-ID: <03656161-1299-c362-89c3-3af7ccc1c691@redhat.com> (raw)
In-Reply-To: <20221226220351.754204-1-vsementsov@yandex-team.ru>
On 26.12.22 23:03, Vladimir Sementsov-Ogievskiy wrote:
> Unfortunately Coverity doesn't follow the logic aroung "len" and "l"
> variables in stacks finishing with flatview_{read,write}_continue() and
> generate a lot of OVERRUN false-positives. When small buffer (2 or 4
> bytes) is passed to mem read/write path, Coverity assumes the worst
> case of sz=8 in stn_he_p()/ldn_he_p() (defined in
> include/qemu/bswap.h), and reports buffer overrun.
>
> To silence these false-positives we have model functions, which hide
> real logic from Coverity.
>
> However, it turned out that these new two assertions are enough to
> quiet Coverity.
>
> Assertions are better than hiding the logic, so let's drop the
> modelling and move to assertions for memory r/w call stacks.
>
> After patch, the sequence
>
> cov-make-library --output-file /tmp/master.xmldb \
> scripts/coverity-scan/model.c
> cov-build --dir ~/covtmp/master make -j9
> cov-analyze --user-model-file /tmp/master.xmldb \
> --dir ~/covtmp/master --all --strip-path "$(pwd)
> cov-format-errors --dir ~/covtmp/master \
> --html-output ~/covtmp/master_html_report
>
> Generate for me the same big set of CIDs excepept for 6 disappeared (so
> it becomes even better).
>
> Signed-off-by: Vladimir Sementsov-Ogievskiy <vsementsov@yandex-team.ru>
> ---
> scripts/coverity-scan/model.c | 88 -----------------------------------
> softmmu/physmem.c | 18 +++++++
> 2 files changed, 18 insertions(+), 88 deletions(-)
>
> diff --git a/scripts/coverity-scan/model.c b/scripts/coverity-scan/model.c
> index 686d1a3008..a064d84084 100644
> --- a/scripts/coverity-scan/model.c
> +++ b/scripts/coverity-scan/model.c
> @@ -42,94 +42,6 @@ typedef _Bool bool;
>
> typedef struct va_list_str *va_list;
>
> -/* exec.c */
> -
> -typedef struct AddressSpace AddressSpace;
> -typedef struct MemoryRegionCache MemoryRegionCache;
> -typedef uint64_t hwaddr;
> -typedef uint32_t MemTxResult;
> -typedef struct MemTxAttrs {} MemTxAttrs;
> -
> -static void __bufwrite(uint8_t *buf, ssize_t len)
> -{
> - int first, last;
> - __coverity_negative_sink__(len);
> - if (len == 0) return;
> - buf[0] = first;
> - buf[len-1] = last;
> - __coverity_writeall__(buf);
> -}
> -
> -static void __bufread(uint8_t *buf, ssize_t len)
> -{
> - __coverity_negative_sink__(len);
> - if (len == 0) return;
> - int first = buf[0];
> - int last = buf[len-1];
> -}
> -
> -MemTxResult address_space_read_cached(MemoryRegionCache *cache, hwaddr addr,
> - MemTxAttrs attrs,
> - void *buf, int len)
> -{
> - MemTxResult result;
> - // TODO: investigate impact of treating reads as producing
> - // tainted data, with __coverity_tainted_data_argument__(buf).
> - __bufwrite(buf, len);
> - return result;
> -}
> -
> -MemTxResult address_space_write_cached(MemoryRegionCache *cache, hwaddr addr,
> - MemTxAttrs attrs,
> - const void *buf, int len)
> -{
> - MemTxResult result;
> - __bufread(buf, len);
> - return result;
> -}
> -
> -MemTxResult address_space_rw_cached(MemoryRegionCache *cache, hwaddr addr,
> - MemTxAttrs attrs,
> - void *buf, int len, bool is_write)
> -{
> - if (is_write) {
> - return address_space_write_cached(cache, addr, attrs, buf, len);
> - } else {
> - return address_space_read_cached(cache, addr, attrs, buf, len);
> - }
> -}
> -
> -MemTxResult address_space_read(AddressSpace *as, hwaddr addr,
> - MemTxAttrs attrs,
> - void *buf, int len)
> -{
> - MemTxResult result;
> - // TODO: investigate impact of treating reads as producing
> - // tainted data, with __coverity_tainted_data_argument__(buf).
> - __bufwrite(buf, len);
> - return result;
> -}
> -
> -MemTxResult address_space_write(AddressSpace *as, hwaddr addr,
> - MemTxAttrs attrs,
> - const void *buf, int len)
> -{
> - MemTxResult result;
> - __bufread(buf, len);
> - return result;
> -}
> -
> -MemTxResult address_space_rw(AddressSpace *as, hwaddr addr,
> - MemTxAttrs attrs,
> - void *buf, int len, bool is_write)
> -{
> - if (is_write) {
> - return address_space_write(as, addr, attrs, buf, len);
> - } else {
> - return address_space_read(as, addr, attrs, buf, len);
> - }
> -}
> -
> /* Tainting */
>
> typedef struct {} name2keysym_t;
> diff --git a/softmmu/physmem.c b/softmmu/physmem.c
> index edec095c7a..24571002b3 100644
> --- a/softmmu/physmem.c
> +++ b/softmmu/physmem.c
> @@ -2821,6 +2821,15 @@ static MemTxResult flatview_write_continue(FlatView *fv, hwaddr addr,
> l = memory_access_size(mr, l, addr1);
> /* XXX: could force current_cpu to NULL to avoid
> potential bugs */
> +
> + /*
> + * Assure Coverity (and ourselves) that we are not going to OVERRUN
> + * the buffer by following ldn_he_p().
> + */
> + assert((l == 1 && len >= 1) ||
> + (l == 2 && len >= 2) ||
> + (l == 4 && len >= 4) ||
> + (l == 8 && len >= 8));
> val = ldn_he_p(buf, l);
> result |= memory_region_dispatch_write(mr, addr1, val,
> size_memop(l), attrs);
> @@ -2891,6 +2900,15 @@ MemTxResult flatview_read_continue(FlatView *fv, hwaddr addr,
> l = memory_access_size(mr, l, addr1);
> result |= memory_region_dispatch_read(mr, addr1, &val,
> size_memop(l), attrs);
> +
> + /*
> + * Assure Coverity (and ourselves) that we are not going to OVERRUN
> + * the buffer by following stn_he_p().
> + */
> + assert((l == 1 && len >= 1) ||
> + (l == 2 && len >= 2) ||
> + (l == 4 && len >= 4) ||
> + (l == 8 && len >= 8));
> stn_he_p(buf, l, val);
> } else {
> /* RAM case */
I'm no coverity expert, but if it gets the job done reliably
Acked-by: David Hildenbrand <david@redhat.com>
--
Thanks,
David / dhildenb
next prev parent reply other threads:[~2023-01-23 11:06 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-12-26 22:03 [PATCH] coverity: physmem: use simple assertions instead of modelling Vladimir Sementsov-Ogievskiy
2023-01-09 13:37 ` Vladimir Sementsov-Ogievskiy
2023-01-23 11:05 ` David Hildenbrand [this message]
2023-02-15 20:20 ` Vladimir Sementsov-Ogievskiy
2023-02-22 14:18 ` Stefan Hajnoczi
2023-02-22 15:57 ` Peter Maydell
2023-03-15 14:28 ` Vladimir Sementsov-Ogievskiy
2023-03-15 21:22 ` Paolo Bonzini
2023-04-20 19:06 ` Vladimir Sementsov-Ogievskiy
2023-06-09 13:25 ` Vladimir Sementsov-Ogievskiy
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=03656161-1299-c362-89c3-3af7ccc1c691@redhat.com \
--to=david@redhat.com \
--cc=armbru@redhat.com \
--cc=pbonzini@redhat.com \
--cc=peter.maydell@linaro.org \
--cc=peterx@redhat.com \
--cc=philmd@linaro.org \
--cc=qemu-devel@nongnu.org \
--cc=vsementsov@yandex-team.ru \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).