From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from eggs.gnu.org ([208.118.235.92]:58681)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <jan.kiszka@siemens.com>) id 1T2NGN-0006et-NV
	for qemu-devel@nongnu.org; Fri, 17 Aug 2012 10:11:00 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <jan.kiszka@siemens.com>) id 1T2NGM-0007PY-Cv
	for qemu-devel@nongnu.org; Fri, 17 Aug 2012 10:10:59 -0400
Received: from thoth.sbs.de ([192.35.17.2]:26579)
	by eggs.gnu.org with esmtp (Exim 4.71)
	(envelope-from <jan.kiszka@siemens.com>) id 1T2NGM-0007PN-2w
	for qemu-devel@nongnu.org; Fri, 17 Aug 2012 10:10:58 -0400
Message-ID: <502E50EF.7060707@siemens.com>
Date: Fri, 17 Aug 2012 16:10:55 +0200
From: Jan Kiszka <jan.kiszka@siemens.com>
MIME-Version: 1.0
References: <1345211444-5002-1-git-send-email-sw@weilnetz.de>
In-Reply-To: <1345211444-5002-1-git-send-email-sw@weilnetz.de>
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Subject: Re: [Qemu-devel] [PATCH for 1.2] console: Fix warning from clang
 (and potential crash)
List-Id: <qemu-devel.nongnu.org>
List-Unsubscribe: <https://lists.nongnu.org/mailman/options/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=unsubscribe>
List-Archive: <http://lists.nongnu.org/archive/html/qemu-devel>
List-Post: <mailto:qemu-devel@nongnu.org>
List-Help: <mailto:qemu-devel-request@nongnu.org?subject=help>
List-Subscribe: <https://lists.nongnu.org/mailman/listinfo/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=subscribe>
To: Stefan Weil <sw@weilnetz.de>
Cc: Anthony Liguori <aliguori@us.ibm.com>, "qemu-devel@nongnu.org" <qemu-devel@nongnu.org>

On 2012-08-17 15:50, Stefan Weil wrote:
> ccc-analyzer reports this warning:
> 
> console.c:1090:29: warning: Dereference of null pointer
>         if (active_console->cursor_timer) {
>                             ^
> 
> Function console_select allows active_console to be NULL,
> but would crash when accessing cursor_timer. Fix this.
> 
> Signed-off-by: Stefan Weil <sw@weilnetz.de>
> ---
> 
> Please note that I don't have a test case which triggers the crash.
> 
> Regards,
> Stefan Weil
> 
>  console.c |    2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/console.c b/console.c
> index 4525cc7..f5e8814 100644
> --- a/console.c
> +++ b/console.c
> @@ -1087,7 +1087,7 @@ void console_select(unsigned int index)
>      if (s) {
>          DisplayState *ds = s->ds;
>  
> -        if (active_console->cursor_timer) {
> +        if (active_console && active_console->cursor_timer) {
>              qemu_del_timer(active_console->cursor_timer);
>          }
>          active_console = s;
> 

The only path that could trigger this is console_select() in the absence
of any console. Not sure if that is possible, but the above is surely
consistent with existing code.

Reviewed-by: Jan Kiszka <jan.kiszka@siemens.com>

Jan

-- 
Siemens AG, Corporate Technology, CT RTC ITP SDP-DE
Corporate Competence Center Embedded Linux