xref: /openbmc/qemu/scripts/coverity-scan/model.c (revision 55abfc1f)
1 /* Coverity Scan model
2  *
3  * Copyright (C) 2014 Red Hat, Inc.
4  *
5  * Authors:
6  *  Markus Armbruster <armbru@redhat.com>
7  *  Paolo Bonzini <pbonzini@redhat.com>
8  *
9  * This work is licensed under the terms of the GNU GPL, version 2 or, at your
10  * option, any later version.  See the COPYING file in the top-level directory.
11  */
12 
13 
14 /*
15  * This is the source code for our Coverity user model file.  The
16  * purpose of user models is to increase scanning accuracy by explaining
17  * code Coverity can't see (out of tree libraries) or doesn't
18  * sufficiently understand.  Better accuracy means both fewer false
19  * positives and more true defects.  Memory leaks in particular.
20  *
21  * - A model file can't import any header files.  Some built-in primitives are
22  *   available but not wchar_t, NULL etc.
23  * - Modeling doesn't need full structs and typedefs. Rudimentary structs
24  *   and similar types are sufficient.
25  * - An uninitialized local variable signifies that the variable could be
26  *   any value.
27  *
28  * The model file must be uploaded by an admin in the analysis settings of
29  * http://scan.coverity.com/projects/378
30  */
31 
32 #define NULL ((void *)0)
33 
34 typedef unsigned char uint8_t;
35 typedef char int8_t;
36 typedef unsigned int uint32_t;
37 typedef int int32_t;
38 typedef long ssize_t;
39 typedef unsigned long long uint64_t;
40 typedef long long int64_t;
41 typedef _Bool bool;
42 
43 typedef struct va_list_str *va_list;
44 
45 /* Tainting */
46 
47 typedef struct {} name2keysym_t;
48 static int get_keysym(const name2keysym_t *table,
49                       const char *name)
50 {
51     int result;
52     if (result > 0) {
53         __coverity_tainted_string_sanitize_content__(name);
54         return result;
55     } else {
56         return 0;
57     }
58 }
59 
60 /* Replay data is considered trusted.  */
61 uint8_t replay_get_byte(void)
62 {
63     uint8_t byte;
64     return byte;
65 }
66 
67 
68 /*
69  * GLib memory allocation functions.
70  *
71  * Note that we ignore the fact that g_malloc of 0 bytes returns NULL,
72  * and g_realloc of 0 bytes frees the pointer.
73  *
74  * Modeling this would result in Coverity flagging a lot of memory
75  * allocations as potentially returning NULL, and asking us to check
76  * whether the result of the allocation is NULL or not.  However, the
77  * resulting pointer should never be dereferenced anyway, and in fact
78  * it is not in the vast majority of cases.
79  *
80  * If a dereference did happen, this would suppress a defect report
81  * for an actual null pointer dereference.  But it's too unlikely to
82  * be worth wading through the false positives, and with some luck
83  * we'll get a buffer overflow reported anyway.
84  */
85 
86 /*
87  * Allocation primitives, cannot return NULL
88  * See also Coverity's library/generic/libc/all/all.c
89  */
90 
91 void *g_malloc_n(size_t nmemb, size_t size)
92 {
93     void *ptr;
94 
95     __coverity_negative_sink__(nmemb);
96     __coverity_negative_sink__(size);
97     ptr = __coverity_alloc__(nmemb * size);
98     if (!ptr) {
99         __coverity_panic__();
100     }
101     __coverity_mark_as_uninitialized_buffer__(ptr);
102     __coverity_mark_as_afm_allocated__(ptr, AFM_free);
103     return ptr;
104 }
105 
106 void *g_malloc0_n(size_t nmemb, size_t size)
107 {
108     void *ptr;
109 
110     __coverity_negative_sink__(nmemb);
111     __coverity_negative_sink__(size);
112     ptr = __coverity_alloc__(nmemb * size);
113     if (!ptr) {
114         __coverity_panic__();
115     }
116     __coverity_writeall0__(ptr);
117     __coverity_mark_as_afm_allocated__(ptr, AFM_free);
118     return ptr;
119 }
120 
121 void *g_realloc_n(void *ptr, size_t nmemb, size_t size)
122 {
123     __coverity_negative_sink__(nmemb);
124     __coverity_negative_sink__(size);
125     __coverity_escape__(ptr);
126     ptr = __coverity_alloc__(nmemb * size);
127     if (!ptr) {
128         __coverity_panic__();
129     }
130     /*
131      * Memory beyond the old size isn't actually initialized.  Can't
132      * model that.  See Coverity's realloc() model
133      */
134     __coverity_writeall__(ptr);
135     __coverity_mark_as_afm_allocated__(ptr, AFM_free);
136     return ptr;
137 }
138 
139 void g_free(void *ptr)
140 {
141     __coverity_free__(ptr);
142     __coverity_mark_as_afm_freed__(ptr, AFM_free);
143 }
144 
145 /*
146  * Derive the g_try_FOO_n() from the g_FOO_n() by adding indeterminate
147  * out of memory conditions
148  */
149 
150 void *g_try_malloc_n(size_t nmemb, size_t size)
151 {
152     int nomem;
153 
154     if (nomem) {
155         return NULL;
156     }
157     return g_malloc_n(nmemb, size);
158 }
159 
160 void *g_try_malloc0_n(size_t nmemb, size_t size)
161 {
162     int nomem;
163 
164     if (nomem) {
165         return NULL;
166     }
167     return g_malloc0_n(nmemb, size);
168 }
169 
170 void *g_try_realloc_n(void *ptr, size_t nmemb, size_t size)
171 {
172     int nomem;
173 
174     if (nomem) {
175         return NULL;
176     }
177     return g_realloc_n(ptr, nmemb, size);
178 }
179 
180 /* Derive the g_FOO() from the g_FOO_n() */
181 
182 void *g_malloc(size_t size)
183 {
184     void *ptr;
185 
186     __coverity_negative_sink__(size);
187     ptr = __coverity_alloc__(size);
188     if (!ptr) {
189         __coverity_panic__();
190     }
191     __coverity_mark_as_uninitialized_buffer__(ptr);
192     __coverity_mark_as_afm_allocated__(ptr, AFM_free);
193     return ptr;
194 }
195 
196 void *g_malloc0(size_t size)
197 {
198     void *ptr;
199 
200     __coverity_negative_sink__(size);
201     ptr = __coverity_alloc__(size);
202     if (!ptr) {
203         __coverity_panic__();
204     }
205     __coverity_writeall0__(ptr);
206     __coverity_mark_as_afm_allocated__(ptr, AFM_free);
207     return ptr;
208 }
209 
210 void *g_realloc(void *ptr, size_t size)
211 {
212     __coverity_negative_sink__(size);
213     __coverity_escape__(ptr);
214     ptr = __coverity_alloc__(size);
215     if (!ptr) {
216         __coverity_panic__();
217     }
218     /*
219      * Memory beyond the old size isn't actually initialized.  Can't
220      * model that.  See Coverity's realloc() model
221      */
222     __coverity_writeall__(ptr);
223     __coverity_mark_as_afm_allocated__(ptr, AFM_free);
224     return ptr;
225 }
226 
227 void *g_try_malloc(size_t size)
228 {
229     int nomem;
230 
231     if (nomem) {
232         return NULL;
233     }
234     return g_malloc(size);
235 }
236 
237 void *g_try_malloc0(size_t size)
238 {
239     int nomem;
240 
241     if (nomem) {
242         return NULL;
243     }
244     return g_malloc0(size);
245 }
246 
247 void *g_try_realloc(void *ptr, size_t size)
248 {
249     int nomem;
250 
251     if (nomem) {
252         return NULL;
253     }
254     return g_realloc(ptr, size);
255 }
256 
257 /* Other glib functions */
258 
259 typedef struct pollfd GPollFD;
260 
261 int poll();
262 
263 int g_poll (GPollFD *fds, unsigned nfds, int timeout)
264 {
265     return poll(fds, nfds, timeout);
266 }
267 
268 typedef struct _GIOChannel GIOChannel;
269 GIOChannel *g_io_channel_unix_new(int fd)
270 {
271     /* cannot use incomplete type, the actual struct is roughly this size.  */
272     GIOChannel *c = g_malloc0(20 * sizeof(void *));
273     __coverity_escape__(fd);
274     return c;
275 }
276 
277 void g_assertion_message_expr(const char     *domain,
278                               const char     *file,
279                               int             line,
280                               const char     *func,
281                               const char     *expr)
282 {
283     __coverity_panic__();
284 }
285