scripts/coverity-model.c at master

jcs.org / qemu
fork atom
qemu with hax to log dma reads & writes jcs.org/2018/11/12/vfio
fork atom
qemu / scripts / coverity-model.c
at master 386 lines 8.7 kB view raw
wrap content
Markus Armbruster coverity-model: Fix replay_get_byte() 7y ago
19020d41
  1/* Coverity Scan model
  2 *
  3 * Copyright (C) 2014 Red Hat, Inc.
  4 *
  5 * Authors:
  6 *  Markus Armbruster <armbru@redhat.com>
  7 *  Paolo Bonzini <pbonzini@redhat.com>
  8 *
  9 * This work is licensed under the terms of the GNU GPL, version 2 or, at your
 10 * option, any later version.  See the COPYING file in the top-level directory.
 11 */
 12
 13
 14/*
 15 * This is the source code for our Coverity user model file.  The
 16 * purpose of user models is to increase scanning accuracy by explaining
 17 * code Coverity can't see (out of tree libraries) or doesn't
 18 * sufficiently understand.  Better accuracy means both fewer false
 19 * positives and more true defects.  Memory leaks in particular.
 20 *
 21 * - A model file can't import any header files.  Some built-in primitives are
 22 *   available but not wchar_t, NULL etc.
 23 * - Modeling doesn't need full structs and typedefs. Rudimentary structs
 24 *   and similar types are sufficient.
 25 * - An uninitialized local variable signifies that the variable could be
 26 *   any value.
 27 *
 28 * The model file must be uploaded by an admin in the analysis settings of
 29 * http://scan.coverity.com/projects/378
 30 */
 31
 32#define NULL ((void *)0)
 33
 34typedef unsigned char uint8_t;
 35typedef char int8_t;
 36typedef unsigned int uint32_t;
 37typedef int int32_t;
 38typedef long ssize_t;
 39typedef unsigned long long uint64_t;
 40typedef long long int64_t;
 41typedef _Bool bool;
 42
 43typedef struct va_list_str *va_list;
 44
 45/* exec.c */
 46
 47typedef struct AddressSpace AddressSpace;
 48typedef uint64_t hwaddr;
 49typedef uint32_t MemTxResult;
 50typedef uint64_t MemTxAttrs;
 51
 52static void __bufwrite(uint8_t *buf, ssize_t len)
 53{
 54    int first, last;
 55    __coverity_negative_sink__(len);
 56    if (len == 0) return;
 57    buf[0] = first;
 58    buf[len-1] = last;
 59    __coverity_writeall__(buf);
 60}
 61
 62static void __bufread(uint8_t *buf, ssize_t len)
 63{
 64    __coverity_negative_sink__(len);
 65    if (len == 0) return;
 66    int first = buf[0];
 67    int last = buf[len-1];
 68}
 69
 70MemTxResult address_space_read(AddressSpace *as, hwaddr addr,
 71                               MemTxAttrs attrs,
 72                               uint8_t *buf, int len)
 73{
 74    MemTxResult result;
 75    // TODO: investigate impact of treating reads as producing
 76    // tainted data, with __coverity_tainted_data_argument__(buf).
 77    __bufwrite(buf, len);
 78    return result;
 79}
 80
 81MemTxResult address_space_write(AddressSpace *as, hwaddr addr,
 82                                MemTxAttrs attrs,
 83                                const uint8_t *buf, int len)
 84{
 85    MemTxResult result;
 86    __bufread(buf, len);
 87    return result;
 88}
 89
 90
 91/* Tainting */
 92
 93typedef struct {} name2keysym_t;
 94static int get_keysym(const name2keysym_t *table,
 95                      const char *name)
 96{
 97    int result;
 98    if (result > 0) {
 99        __coverity_tainted_string_sanitize_content__(name);
100        return result;
101    } else {
102        return 0;
103    }
104}
105
106/* Replay data is considered trusted.  */
107uint8_t replay_get_byte(void)
108{
109    uint8_t byte;
110    return byte;
111}
112
113
114/*
115 * GLib memory allocation functions.
116 *
117 * Note that we ignore the fact that g_malloc of 0 bytes returns NULL,
118 * and g_realloc of 0 bytes frees the pointer.
119 *
120 * Modeling this would result in Coverity flagging a lot of memory
121 * allocations as potentially returning NULL, and asking us to check
122 * whether the result of the allocation is NULL or not.  However, the
123 * resulting pointer should never be dereferenced anyway, and in fact
124 * it is not in the vast majority of cases.
125 *
126 * If a dereference did happen, this would suppress a defect report
127 * for an actual null pointer dereference.  But it's too unlikely to
128 * be worth wading through the false positives, and with some luck
129 * we'll get a buffer overflow reported anyway.
130 */
131
132/*
133 * Allocation primitives, cannot return NULL
134 * See also Coverity's library/generic/libc/all/all.c
135 */
136
137void *g_malloc_n(size_t nmemb, size_t size)
138{
139    size_t sz;
140    void *ptr;
141
142    __coverity_negative_sink__(nmemb);
143    __coverity_negative_sink__(size);
144    sz = nmemb * size;
145    ptr = __coverity_alloc__(sz);
146    __coverity_mark_as_uninitialized_buffer__(ptr);
147    __coverity_mark_as_afm_allocated__(ptr, "g_free");
148    return ptr;
149}
150
151void *g_malloc0_n(size_t nmemb, size_t size)
152{
153    size_t sz;
154    void *ptr;
155
156    __coverity_negative_sink__(nmemb);
157    __coverity_negative_sink__(size);
158    sz = nmemb * size;
159    ptr = __coverity_alloc__(sz);
160    __coverity_writeall0__(ptr);
161    __coverity_mark_as_afm_allocated__(ptr, "g_free");
162    return ptr;
163}
164
165void *g_realloc_n(void *ptr, size_t nmemb, size_t size)
166{
167    size_t sz;
168
169    __coverity_negative_sink__(nmemb);
170    __coverity_negative_sink__(size);
171    sz = nmemb * size;
172    __coverity_escape__(ptr);
173    ptr = __coverity_alloc__(sz);
174    /*
175     * Memory beyond the old size isn't actually initialized.  Can't
176     * model that.  See Coverity's realloc() model
177     */
178    __coverity_writeall__(ptr);
179    __coverity_mark_as_afm_allocated__(ptr, "g_free");
180    return ptr;
181}
182
183void g_free(void *ptr)
184{
185    __coverity_free__(ptr);
186    __coverity_mark_as_afm_freed__(ptr, "g_free");
187}
188
189/*
190 * Derive the g_try_FOO_n() from the g_FOO_n() by adding indeterminate
191 * out of memory conditions
192 */
193
194void *g_try_malloc_n(size_t nmemb, size_t size)
195{
196    int nomem;
197
198    if (nomem) {
199        return NULL;
200    }
201    return g_malloc_n(nmemb, size);
202}
203
204void *g_try_malloc0_n(size_t nmemb, size_t size)
205{
206    int nomem;
207
208    if (nomem) {
209        return NULL;
210    }
211    return g_malloc0_n(nmemb, size);
212}
213
214void *g_try_realloc_n(void *ptr, size_t nmemb, size_t size)
215{
216    int nomem;
217
218    if (nomem) {
219        return NULL;
220    }
221    return g_realloc_n(ptr, nmemb, size);
222}
223
224/* Trivially derive the g_FOO() from the g_FOO_n() */
225
226void *g_malloc(size_t size)
227{
228    return g_malloc_n(1, size);
229}
230
231void *g_malloc0(size_t size)
232{
233    return g_malloc0_n(1, size);
234}
235
236void *g_realloc(void *ptr, size_t size)
237{
238    return g_realloc_n(ptr, 1, size);
239}
240
241void *g_try_malloc(size_t size)
242{
243    return g_try_malloc_n(1, size);
244}
245
246void *g_try_malloc0(size_t size)
247{
248    return g_try_malloc0_n(1, size);
249}
250
251void *g_try_realloc(void *ptr, size_t size)
252{
253    return g_try_realloc_n(ptr, 1, size);
254}
255
256/* Other memory allocation functions */
257
258void *g_memdup(const void *ptr, unsigned size)
259{
260    unsigned char *dup;
261    unsigned i;
262
263    if (!ptr) {
264        return NULL;
265    }
266
267    dup = g_malloc(size);
268    for (i = 0; i < size; i++)
269        dup[i] = ((unsigned char *)ptr)[i];
270    return dup;
271}
272
273/*
274 * GLib string allocation functions
275 */
276
277char *g_strdup(const char *s)
278{
279    char *dup;
280    size_t i;
281
282    if (!s) {
283        return NULL;
284    }
285
286    __coverity_string_null_sink__(s);
287    __coverity_string_size_sink__(s);
288    dup = __coverity_alloc_nosize__();
289    __coverity_mark_as_afm_allocated__(dup, "g_free");
290    for (i = 0; (dup[i] = s[i]); i++) ;
291    return dup;
292}
293
294char *g_strndup(const char *s, size_t n)
295{
296    char *dup;
297    size_t i;
298
299    __coverity_negative_sink__(n);
300
301    if (!s) {
302        return NULL;
303    }
304
305    dup = g_malloc(n + 1);
306    for (i = 0; i < n && (dup[i] = s[i]); i++) ;
307    dup[i] = 0;
308    return dup;
309}
310
311char *g_strdup_printf(const char *format, ...)
312{
313    char ch, *s;
314    size_t len;
315
316    __coverity_string_null_sink__(format);
317    __coverity_string_size_sink__(format);
318
319    ch = *format;
320
321    s = __coverity_alloc_nosize__();
322    __coverity_writeall__(s);
323    __coverity_mark_as_afm_allocated__(s, "g_free");
324    return s;
325}
326
327char *g_strdup_vprintf(const char *format, va_list ap)
328{
329    char ch, *s;
330    size_t len;
331
332    __coverity_string_null_sink__(format);
333    __coverity_string_size_sink__(format);
334
335    ch = *format;
336    ch = *(char *)ap;
337
338    s = __coverity_alloc_nosize__();
339    __coverity_writeall__(s);
340    __coverity_mark_as_afm_allocated__(s, "g_free");
341
342    return len;
343}
344
345char *g_strconcat(const char *s, ...)
346{
347    char *s;
348
349    /*
350     * Can't model: last argument must be null, the others
351     * null-terminated strings
352     */
353
354    s = __coverity_alloc_nosize__();
355    __coverity_writeall__(s);
356    __coverity_mark_as_afm_allocated__(s, "g_free");
357    return s;
358}
359
360/* Other glib functions */
361
362typedef struct pollfd GPollFD;
363
364int poll();
365
366int g_poll (GPollFD *fds, unsigned nfds, int timeout)
367{
368    return poll(fds, nfds, timeout);
369}
370
371typedef struct _GIOChannel GIOChannel;
372GIOChannel *g_io_channel_unix_new(int fd)
373{
374    GIOChannel *c = g_malloc0(sizeof(GIOChannel));
375    __coverity_escape__(fd);
376    return c;
377}
378
379void g_assertion_message_expr(const char     *domain,
380                              const char     *file,
381                              int             line,
382                              const char     *func,
383                              const char     *expr)
384{
385    __coverity_panic__();
386}