path: root/scripts/coverity-model.c
Age  Commit message  [Author]
2018-07-05  coverity-model: Fix replay_get_byte()  [Markus Armbruster]

Coverity 2018.06 chokes on replay_get_byte():

    $ cov-make-library -of scripts/coverity-model.xmldb scripts/coverity-model.c
    output file: scripts/coverity-model.xmldb
    Compiling scripts/coverity-model.c with command /opt/cov-sa-2018.06/bin/cov-emit --dir /tmp/cov-armbru/930a6fb31e5f464fc1a53354b2deb66b/cov-make-library-emit -w --no_error_recovery --emit_header_functions --no_implicit_decl --preinclude /opt/cov-sa-2018.06/library/decls.h --c scripts/coverity-model.c
    "scripts/coverity-model.c", line 110: error #20: identifier "replay_file" is undefined
          if (replay_file) {
              ^

    Emit for file '/work/armbru/qemu/scripts/coverity-model.c' complete.
    [ERROR] 1 error detected in the compilation of "scripts/coverity-model.c".
    ERROR: cov-emit returned with code 1

Broken in commit 04a0afe5285. Fix by dumbing down.

Signed-off-by: Markus Armbruster <armbru@redhat.com>
Message-Id: <20180626085642.4973-1-armbru@redhat.com>
Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
2018-06-13  coverity-model: replay data is considered trusted  [Paolo Bonzini]

Replay data is not considered a possible attack vector; add a model that does not use getc so that "tainted data" warnings are suppressed.

Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Message-Id: <20180514141218.28438-1-pbonzini@redhat.com>
Reviewed-by: Markus Armbruster <armbru@redhat.com>
[Whitespace tweaked]
Signed-off-by: Markus Armbruster <armbru@redhat.com>
2017-03-15  coverity-model: model address_space_read/write  [Paolo Bonzini]

Commit eb7eeb8 ("memory: split address_space_read and address_space_write", 2015-12-17) made address_space_rw dispatch to one of address_space_read or address_space_write, rather than vice versa. For callers of address_space_read and address_space_write this causes false positive defects when Coverity sees a length-8 write in address_space_read and a length-4 (e.g. int*) buffer to read into. As long as the size of the buffer is okay, this is a false positive.

Reflect the code change into the model.

Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Message-Id: <20170315081641.20588-1-pbonzini@redhat.com>
Reviewed-by: Eric Blake <eblake@redhat.com>
Reviewed-by: Markus Armbruster <armbru@redhat.com>
Signed-off-by: Markus Armbruster <armbru@redhat.com>
2015-12-17  coverity: Model g_memdup()  [Markus Armbruster]

We model all the non-deprecated memory allocation functions from https://developer.gnome.org/glib/stable/glib-Memory-Allocation.html except for g_memdup(), g_clear_pointer(), g_steal_pointer(). We don't use the latter two. Model the former.

Coverity now reports an OVERRUN

    vl.c:2317: alloc_strlen: Allocating insufficient memory for the terminating null of the string.

Correct, but we omit the terminating null intentionally there.

Signed-off-by: Markus Armbruster <armbru@redhat.com>
Message-Id: <1448901152-11716-1-git-send-email-armbru@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2015-12-17  coverity: Model g_poll()  [Markus Armbruster]

In my testing, Coverity reported two more CHECKED_RETURN:

* qemu-char.c:1248: fixed in commit c1f2448: "qemu-char: retry g_poll on EINTR".

* migration/qemu-file-unix.c:75: harmless, cleaned up in commit 4e39f57 "migration: Clean up use of g_poll() in socket_writev_buffer()".

Signed-off-by: Markus Armbruster <armbru@redhat.com>
Message-Id: <1450336833-27710-1-git-send-email-armbru@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2015-05-05  coverity: fix address_space_rw model  [Paolo Bonzini]

If the is_write argument is true, address_space_rw writes to memory and thus reads from the buffer. The opposite holds if is_write is false. Fix the model.

Cc: Markus Armbruster <armbru@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Markus Armbruster <armbru@redhat.com>
2015-04-26  exec.c: Make address_space_rw take transaction attributes  [Peter Maydell]

Make address_space_rw take transaction attributes, rather than always using the 'unspecified' attributes.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com>
Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
2015-03-17  coverity: Fix g_malloc_n-like models  [Jan Kiszka]

Allocate the calculated overall size, not only the size of a single element.

Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
2015-02-05  coverity: Model g_free() isn't necessarily free()  [Markus Armbruster]

Memory allocated with GLib needs to be freed with GLib. Freeing it with free() instead of g_free() is a common error. Harmless when g_free() is a trivial wrapper around free(), which is commonly the case. But model the difference anyway.

In a local scan, this flags four ALLOC_FREE_MISMATCH. Requires --enable ALLOC_FREE_MISMATCH, because the checker is still preview.

Signed-off-by: Markus Armbruster <armbru@redhat.com>
Acked-by: Paolo Bonzini <pbonzini@redhat.com>
2015-02-05  coverity: Model GLib string allocation partially  [Markus Armbruster]

Without a model, Coverity can't know that the result of g_strdup() needs to be fed to g_free().

One way to get such a model is to scan GLib, build a derived model file with cov-collect-models, and use that when scanning QEMU. Unfortunately, the Coverity Scan service we use doesn't support that.

Thus, we're stuck with the other way: write a user model. Doing that for all of GLib is hardly practical. I'm doing it for the "String Utility Functions" we actually use that return dynamically allocated strings.

In a local scan, this flags 20 additional RESOURCE_LEAKs. The ones I checked look genuine.

It also loses a NULL_RETURNS about ppce500_init() using qemu_find_file() without error checking. I don't understand why.

Signed-off-by: Markus Armbruster <armbru@redhat.com>
Acked-by: Paolo Bonzini <pbonzini@redhat.com>
2015-02-05  coverity: Improve model for GLib memory allocation  [Markus Armbruster]

In current versions of GLib, g_new() may expand into g_malloc_n(). When it does, Coverity can't see the memory allocation, because we don't model g_malloc_n(). Similarly for g_new0(), g_renew(), g_try_new(), g_try_new0(), g_try_renew().

Model g_malloc_n(), g_malloc0_n(), g_realloc_n(). Model g_try_malloc_n(), g_try_malloc0_n(), g_try_realloc_n() by adding indeterminate out of memory conditions on top.

To avoid undue duplication, replace the existing models for g_malloc() & friends by trivial wrappers around g_malloc_n() & friends.

In a local scan, this flags four additional RESOURCE_LEAKs and one NULL_RETURNS.

The NULL_RETURNS is a false positive: Coverity can now see that g_try_malloc(l1_sz * sizeof(uint64_t)) in qcow2_check_metadata_overlap() may return NULL, but is too stupid to recognize that a loop executing l1_sz times won't be entered then.

Three out of the four RESOURCE_LEAKs appear genuine. The false positive is in ppce500_prep_device_tree(): the pointer dies, but a pointer to a struct member escapes, and we get the pointer back for freeing with container_of(). Too funky for Coverity.

Signed-off-by: Markus Armbruster <armbru@redhat.com>
Acked-by: Paolo Bonzini <pbonzini@redhat.com>
2014-04-18  scripts: add sample model file for Coverity Scan  [Paolo Bonzini]

This is the model file that is being used for the QEMU project's scans on scan.coverity.com. It fixed about 30 false positives (10% of the total) and exposed about 60 new memory leaks.

The file is not automatically used; changes to it must be propagated to the website manually by an admin (right now Markus, Peter and me are admins).

Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Markus Armbruster <armbru@redhat.com>
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>