scripts/coverity-model.c

   1 /* Coverity Scan model
   2  *
   3  * Copyright (C) 2014 Red Hat, Inc.
   4  *
   5  * Authors:
   6  *  Markus Armbruster <armbru@redhat.com>
   7  *  Paolo Bonzini <pbonzini@redhat.com>
   8  *
   9  * This work is licensed under the terms of the GNU GPL, version 2 or, at your
  10  * option, any later version.  See the COPYING file in the top-level directory.
  11  */
  12
  13
  14 /*
  15  * This is the source code for our Coverity user model file.  The
  16  * purpose of user models is to increase scanning accuracy by explaining
  17  * code Coverity can't see (out of tree libraries) or doesn't
  18  * sufficiently understand.  Better accuracy means both fewer false
  19  * positives and more true defects.  Memory leaks in particular.
  20  *
  21  * - A model file can't import any header files.  Some built-in primitives are
  22  *   available but not wchar_t, NULL etc.
  23  * - Modeling doesn't need full structs and typedefs. Rudimentary structs
  24  *   and similar types are sufficient.
  25  * - An uninitialized local variable signifies that the variable could be
  26  *   any value.
  27  *
  28  * The model file must be uploaded by an admin in the analysis settings of
  29  * http://scan.coverity.com/projects/378
  30  */
  31
  32 #define NULL ((void *)0)
  33
  34 typedef unsigned char uint8_t;
  35 typedef char int8_t;
  36 typedef unsigned int uint32_t;
  37 typedef int int32_t;
  38 typedef long ssize_t;
  39 typedef unsigned long long uint64_t;
  40 typedef long long int64_t;
  41 typedef _Bool bool;
  42
  43 typedef struct va_list_str *va_list;
  44
  45 /* exec.c */
  46
  47 typedef struct AddressSpace AddressSpace;
  48 typedef uint64_t hwaddr;
  49
  50 static void __write(uint8_t *buf, ssize_t len)
  51 {
  52     int first, last;
  53     __coverity_negative_sink__(len);
  54     if (len == 0) return;
  55     buf[0] = first;
  56     buf[len-1] = last;
  57     __coverity_writeall__(buf);
  58 }
  59
  60 static void __read(uint8_t *buf, ssize_t len)
  61 {
  62     __coverity_negative_sink__(len);
  63     if (len == 0) return;
  64     int first = buf[0];
  65     int last = buf[len-1];
  66 }
  67
  68 bool address_space_rw(AddressSpace *as, hwaddr addr, uint8_t *buf,
  69                       int len, bool is_write)
  70 {
  71     bool result;
  72
  73     // TODO: investigate impact of treating reads as producing
  74     // tainted data, with __coverity_tainted_data_argument__(buf).
  75     if (is_write) __write(buf, len); else __read(buf, len);
  76
  77     return result;
  78 }
  79
  80 /* Tainting */
  81
  82 typedef struct {} name2keysym_t;
  83 static int get_keysym(const name2keysym_t *table,
  84                       const char *name)
  85 {
  86     int result;
  87     if (result > 0) {
  88         __coverity_tainted_string_sanitize_content__(name);
  89         return result;
  90     } else {
  91         return 0;
  92     }
  93 }
  94
  95 /*
  96  * GLib memory allocation functions.
  97  *
  98  * Note that we ignore the fact that g_malloc of 0 bytes returns NULL,
  99  * and g_realloc of 0 bytes frees the pointer.
 100  *
 101  * Modeling this would result in Coverity flagging a lot of memory
 102  * allocations as potentially returning NULL, and asking us to check
 103  * whether the result of the allocation is NULL or not.  However, the
 104  * resulting pointer should never be dereferenced anyway, and in fact
 105  * it is not in the vast majority of cases.
 106  *
 107  * If a dereference did happen, this would suppress a defect report
 108  * for an actual null pointer dereference.  But it's too unlikely to
 109  * be worth wading through the false positives, and with some luck
 110  * we'll get a buffer overflow reported anyway.
 111  */
 112
 113 /*
 114  * Allocation primitives, cannot return NULL
 115  * See also Coverity's library/generic/libc/all/all.c
 116  */
 117
 118 void *g_malloc_n(size_t nmemb, size_t size)
 119 {
 120     size_t sz;
 121     void *ptr;
 122
 123     __coverity_negative_sink__(nmemb);
 124     __coverity_negative_sink__(size);
 125     sz = nmemb * size;
 126     ptr = __coverity_alloc__(size);
 127     __coverity_mark_as_uninitialized_buffer__(ptr);
 128     __coverity_mark_as_afm_allocated__(ptr, AFM_free);
 129     return ptr;
 130 }
 131
 132 void *g_malloc0_n(size_t nmemb, size_t size)
 133 {
 134     size_t sz;
 135     void *ptr;
 136
 137     __coverity_negative_sink__(nmemb);
 138     __coverity_negative_sink__(size);
 139     sz = nmemb * size;
 140     ptr = __coverity_alloc__(size);
 141     __coverity_writeall0__(ptr);
 142     __coverity_mark_as_afm_allocated__(ptr, AFM_free);
 143     return ptr;
 144 }
 145
 146 void *g_realloc_n(void *ptr, size_t nmemb, size_t size)
 147 {
 148     size_t sz;
 149
 150     __coverity_negative_sink__(nmemb);
 151     __coverity_negative_sink__(size);
 152     sz = nmemb * size;
 153     __coverity_escape__(ptr);
 154     ptr = __coverity_alloc__(size);
 155     /*
 156      * Memory beyond the old size isn't actually initialized.  Can't
 157      * model that.  See Coverity's realloc() model
 158      */
 159     __coverity_writeall__(ptr);
 160     __coverity_mark_as_afm_allocated__(ptr, AFM_free);
 161     return ptr;
 162 }
 163
 164 void g_free(void *ptr)
 165 {
 166     __coverity_free__(ptr);
 167     __coverity_mark_as_afm_freed__(ptr, AFM_free);
 168 }
 169
 170 /*
 171  * Derive the g_try_FOO_n() from the g_FOO_n() by adding indeterminate
 172  * out of memory conditions
 173  */
 174
 175 void *g_try_malloc_n(size_t nmemb, size_t size)
 176 {
 177     int nomem;
 178
 179     if (nomem) {
 180         return NULL;
 181     }
 182     return g_malloc_n(nmemb, size);
 183 }
 184
 185 void *g_try_malloc0_n(size_t nmemb, size_t size)
 186 {
 187     int nomem;
 188
 189     if (nomem) {
 190         return NULL;
 191     }
 192     return g_malloc0_n(nmemb, size);
 193 }
 194
 195 void *g_try_realloc_n(void *ptr, size_t nmemb, size_t size)
 196 {
 197     int nomem;
 198
 199     if (nomem) {
 200         return NULL;
 201     }
 202     return g_realloc_n(ptr, nmemb, size);
 203 }
 204
 205 /* Trivially derive the g_FOO() from the g_FOO_n() */
 206
 207 void *g_malloc(size_t size)
 208 {
 209     return g_malloc_n(1, size);
 210 }
 211
 212 void *g_malloc0(size_t size)
 213 {
 214     return g_malloc0_n(1, size);
 215 }
 216
 217 void *g_realloc(void *ptr, size_t size)
 218 {
 219     return g_realloc_n(ptr, 1, size);
 220 }
 221
 222 void *g_try_malloc(size_t size)
 223 {
 224     return g_try_malloc_n(1, size);
 225 }
 226
 227 void *g_try_malloc0(size_t size)
 228 {
 229     return g_try_malloc0_n(1, size);
 230 }
 231
 232 void *g_try_realloc(void *ptr, size_t size)
 233 {
 234     return g_try_realloc_n(ptr, 1, size);
 235 }
 236
 237 /*
 238  * GLib string allocation functions
 239  */
 240
 241 char *g_strdup(const char *s)
 242 {
 243     char *dup;
 244     size_t i;
 245
 246     if (!s) {
 247         return NULL;
 248     }
 249
 250     __coverity_string_null_sink__(s);
 251     __coverity_string_size_sink__(s);
 252     dup = __coverity_alloc_nosize__();
 253     __coverity_mark_as_afm_allocated__(dup, AFM_free);
 254     for (i = 0; (dup[i] = s[i]); i++) ;
 255     return dup;
 256 }
 257
 258 char *g_strndup(const char *s, size_t n)
 259 {
 260     char *dup;
 261     size_t i;
 262
 263     __coverity_negative_sink__(n);
 264
 265     if (!s) {
 266         return NULL;
 267     }
 268
 269     dup = g_malloc(n + 1);
 270     for (i = 0; i < n && (dup[i] = s[i]); i++) ;
 271     dup[i] = 0;
 272     return dup;
 273 }
 274
 275 char *g_strdup_printf(const char *format, ...)
 276 {
 277     char ch, *s;
 278     size_t len;
 279
 280     __coverity_string_null_sink__(format);
 281     __coverity_string_size_sink__(format);
 282
 283     ch = *format;
 284
 285     s = __coverity_alloc_nosize__();
 286     __coverity_writeall__(s);
 287     __coverity_mark_as_afm_allocated__(s, AFM_free);
 288     return s;
 289 }
 290
 291 char *g_strdup_vprintf(const char *format, va_list ap)
 292 {
 293     char ch, *s;
 294     size_t len;
 295
 296     __coverity_string_null_sink__(format);
 297     __coverity_string_size_sink__(format);
 298
 299     ch = *format;
 300     ch = *(char *)ap;
 301
 302     s = __coverity_alloc_nosize__();
 303     __coverity_writeall__(s);
 304     __coverity_mark_as_afm_allocated__(s, AFM_free);
 305
 306     return len;
 307 }
 308
 309 char *g_strconcat(const char *s, ...)
 310 {
 311     char *s;
 312
 313     /*
 314      * Can't model: last argument must be null, the others
 315      * null-terminated strings
 316      */
 317
 318     s = __coverity_alloc_nosize__();
 319     __coverity_writeall__(s);
 320     __coverity_mark_as_afm_allocated__(s, AFM_free);
 321     return s;
 322 }
 323
 324 /* Other glib functions */
 325
 326 typedef struct _GIOChannel GIOChannel;
 327 GIOChannel *g_io_channel_unix_new(int fd)
 328 {
 329     GIOChannel *c = g_malloc0(sizeof(GIOChannel));
 330     __coverity_escape__(fd);
 331     return c;
 332 }
 333
 334 void g_assertion_message_expr(const char     *domain,
 335                               const char     *file,
 336                               int             line,
 337                               const char     *func,
 338                               const char     *expr)
 339 {
 340     __coverity_panic__();
 341 }