From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from [140.186.70.92] (port=43937 helo=eggs.gnu.org)
	by lists.gnu.org with esmtp (Exim 4.43) id 1Ofwss-0006YE-Ip
	for qemu-devel@nongnu.org; Mon, 02 Aug 2010 11:24:59 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.69)
	(envelope-from <jschopp@austin.ibm.com>) id 1Ofwsq-0008J5-BS
	for qemu-devel@nongnu.org; Mon, 02 Aug 2010 11:24:58 -0400
Received: from e2.ny.us.ibm.com ([32.97.182.142]:58575)
	by eggs.gnu.org with esmtp (Exim 4.69)
	(envelope-from <jschopp@austin.ibm.com>) id 1Ofwsq-0007vY-98
	for qemu-devel@nongnu.org; Mon, 02 Aug 2010 11:24:56 -0400
Received: from d01relay05.pok.ibm.com (d01relay05.pok.ibm.com [9.56.227.237])
	by e2.ny.us.ibm.com (8.14.4/8.13.1) with ESMTP id o72F9bR0002000
	for <qemu-devel@nongnu.org>; Mon, 2 Aug 2010 11:09:37 -0400
Received: from d01av01.pok.ibm.com (d01av01.pok.ibm.com [9.56.224.215])
	by d01relay05.pok.ibm.com (8.13.8/8.13.8/NCO v10.0) with ESMTP id
	o72FNO6Z105924
	for <qemu-devel@nongnu.org>; Mon, 2 Aug 2010 11:23:24 -0400
Received: from d01av01.pok.ibm.com (loopback [127.0.0.1])
	by d01av01.pok.ibm.com (8.14.4/8.13.1/NCO v10.0 AVout) with ESMTP id
	o72FNNPK002158
	for <qemu-devel@nongnu.org>; Mon, 2 Aug 2010 11:23:23 -0400
Message-ID: <4C56E2E9.1000309@austin.ibm.com>
Date: Mon, 02 Aug 2010 10:23:21 -0500
From: Joel Schopp <jschopp@austin.ibm.com>
MIME-Version: 1.0
Subject: Re: [Qemu-devel] [PATCH 0/3] Fix broken if statements
References: <1279742717-10804-1-git-send-email-jschopp@austin.ibm.com>
	<4C486F66.7000303@mail.berlios.de>
	<0E21255B-6066-4F5A-B68C-3425E6F1102C@web.de>
	<4C55D716.9030805@mail.berlios.de>
In-Reply-To: <4C55D716.9030805@mail.berlios.de>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
List-Id: qemu-devel.nongnu.org
List-Unsubscribe: <http://lists.nongnu.org/mailman/listinfo/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=unsubscribe>
List-Archive: <http://lists.nongnu.org/archive/html/qemu-devel>
List-Post: <mailto:qemu-devel@nongnu.org>
List-Help: <mailto:qemu-devel-request@nongnu.org?subject=help>
List-Subscribe: <http://lists.nongnu.org/mailman/listinfo/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=subscribe>
To: Stefan Weil <weil@mail.berlios.de>
Cc: =?ISO-8859-1?Q?Andreas_F=E4rber?= <andreas.faerber@web.de>, qemu-devel@nongnu.org

 > Is there some magic (= tool) which detected these "broken windows"
 > in hw/loader.c, qemu-io.c and vl.c, or was it just a manual code
 > review or luck?

I used a proprietary static analysis tool called BEAM.  
http://domino.research.ibm.com/comm/research.nsf/pages/r.da.beam.html
It found pages of potential errors, about 80% of which seem valid.  
Fixing the bugs with obvious fixes seems like a good way for me to learn 
the qemu code while providing a useful service at the same time.  If 
anybody wants to see the output of the tool (plenty of bugs to go 
around) please email me off list.  Some of the bugs it found, I'm 
thinking of out of bound array accesses and returning pointers to stack 
variables, probably have security implications so I'd like to not share 
those publicly until there are patches to fix them.