scripts/coverity-scan/model.c

   1 /* Coverity Scan model
   2  *
   3  * Copyright (C) 2014 Red Hat, Inc.
   4  *
   5  * Authors:
   6  *  Markus Armbruster <armbru@redhat.com>
   7  *  Paolo Bonzini <pbonzini@redhat.com>
   8  *
   9  * This work is licensed under the terms of the GNU GPL, version 2 or, at your
  10  * option, any later version.  See the COPYING file in the top-level directory.
  11  */
  12
  13
  14 /*
  15  * This is the source code for our Coverity user model file.  The
  16  * purpose of user models is to increase scanning accuracy by explaining
  17  * code Coverity can't see (out of tree libraries) or doesn't
  18  * sufficiently understand.  Better accuracy means both fewer false
  19  * positives and more true defects.  Memory leaks in particular.
  20  *
  21  * - A model file can't import any header files.  Some built-in primitives are
  22  *   available but not wchar_t, NULL etc.
  23  * - Modeling doesn't need full structs and typedefs. Rudimentary structs
  24  *   and similar types are sufficient.
  25  * - An uninitialized local variable signifies that the variable could be
  26  *   any value.
  27  *
  28  * The model file must be uploaded by an admin in the analysis settings of
  29  * http://scan.coverity.com/projects/378
  30  */
  31
  32 #define NULL ((void *)0)
  33
  34 typedef unsigned char uint8_t;
  35 typedef char int8_t;
  36 typedef unsigned int uint32_t;
  37 typedef int int32_t;
  38 typedef long ssize_t;
  39 typedef unsigned long long uint64_t;
  40 typedef long long int64_t;
  41 typedef _Bool bool;
  42
  43 typedef struct va_list_str *va_list;
  44
  45 /* Tainting */
  46
  47 typedef struct {} name2keysym_t;
  48 static int get_keysym(const name2keysym_t *table,
  49                       const char *name)
  50 {
  51     int result;
  52     if (result > 0) {
  53         __coverity_tainted_string_sanitize_content__(name);
  54         return result;
  55     } else {
  56         return 0;
  57     }
  58 }
  59
  60 /* Replay data is considered trusted.  */
  61 uint8_t replay_get_byte(void)
  62 {
  63     uint8_t byte;
  64     return byte;
  65 }
  66
  67
  68 /*
  69  * GLib memory allocation functions.
  70  *
  71  * Note that we ignore the fact that g_malloc of 0 bytes returns NULL,
  72  * and g_realloc of 0 bytes frees the pointer.
  73  *
  74  * Modeling this would result in Coverity flagging a lot of memory
  75  * allocations as potentially returning NULL, and asking us to check
  76  * whether the result of the allocation is NULL or not.  However, the
  77  * resulting pointer should never be dereferenced anyway, and in fact
  78  * it is not in the vast majority of cases.
  79  *
  80  * If a dereference did happen, this would suppress a defect report
  81  * for an actual null pointer dereference.  But it's too unlikely to
  82  * be worth wading through the false positives, and with some luck
  83  * we'll get a buffer overflow reported anyway.
  84  */
  85
  86 /*
  87  * Allocation primitives, cannot return NULL
  88  * See also Coverity's library/generic/libc/all/all.c
  89  */
  90
  91 void *g_malloc_n(size_t nmemb, size_t size)
  92 {
  93     void *ptr;
  94
  95     __coverity_negative_sink__(nmemb);
  96     __coverity_negative_sink__(size);
  97     ptr = __coverity_alloc__(nmemb * size);
  98     if (!ptr) {
  99         __coverity_panic__();
 100     }
 101     __coverity_mark_as_uninitialized_buffer__(ptr);
 102     __coverity_mark_as_afm_allocated__(ptr, AFM_free);
 103     return ptr;
 104 }
 105
 106 void *g_malloc0_n(size_t nmemb, size_t size)
 107 {
 108     void *ptr;
 109
 110     __coverity_negative_sink__(nmemb);
 111     __coverity_negative_sink__(size);
 112     ptr = __coverity_alloc__(nmemb * size);
 113     if (!ptr) {
 114         __coverity_panic__();
 115     }
 116     __coverity_writeall0__(ptr);
 117     __coverity_mark_as_afm_allocated__(ptr, AFM_free);
 118     return ptr;
 119 }
 120
 121 void *g_realloc_n(void *ptr, size_t nmemb, size_t size)
 122 {
 123     __coverity_negative_sink__(nmemb);
 124     __coverity_negative_sink__(size);
 125     __coverity_escape__(ptr);
 126     ptr = __coverity_alloc__(nmemb * size);
 127     if (!ptr) {
 128         __coverity_panic__();
 129     }
 130     /*
 131      * Memory beyond the old size isn't actually initialized.  Can't
 132      * model that.  See Coverity's realloc() model
 133      */
 134     __coverity_writeall__(ptr);
 135     __coverity_mark_as_afm_allocated__(ptr, AFM_free);
 136     return ptr;
 137 }
 138
 139 void g_free(void *ptr)
 140 {
 141     __coverity_free__(ptr);
 142     __coverity_mark_as_afm_freed__(ptr, AFM_free);
 143 }
 144
 145 /*
 146  * Derive the g_try_FOO_n() from the g_FOO_n() by adding indeterminate
 147  * out of memory conditions
 148  */
 149
 150 void *g_try_malloc_n(size_t nmemb, size_t size)
 151 {
 152     int nomem;
 153
 154     if (nomem) {
 155         return NULL;
 156     }
 157     return g_malloc_n(nmemb, size);
 158 }
 159
 160 void *g_try_malloc0_n(size_t nmemb, size_t size)
 161 {
 162     int nomem;
 163
 164     if (nomem) {
 165         return NULL;
 166     }
 167     return g_malloc0_n(nmemb, size);
 168 }
 169
 170 void *g_try_realloc_n(void *ptr, size_t nmemb, size_t size)
 171 {
 172     int nomem;
 173
 174     if (nomem) {
 175         return NULL;
 176     }
 177     return g_realloc_n(ptr, nmemb, size);
 178 }
 179
 180 /* Derive the g_FOO() from the g_FOO_n() */
 181
 182 void *g_malloc(size_t size)
 183 {
 184     void *ptr;
 185
 186     __coverity_negative_sink__(size);
 187     ptr = __coverity_alloc__(size);
 188     if (!ptr) {
 189         __coverity_panic__();
 190     }
 191     __coverity_mark_as_uninitialized_buffer__(ptr);
 192     __coverity_mark_as_afm_allocated__(ptr, AFM_free);
 193     return ptr;
 194 }
 195
 196 void *g_malloc0(size_t size)
 197 {
 198     void *ptr;
 199
 200     __coverity_negative_sink__(size);
 201     ptr = __coverity_alloc__(size);
 202     if (!ptr) {
 203         __coverity_panic__();
 204     }
 205     __coverity_writeall0__(ptr);
 206     __coverity_mark_as_afm_allocated__(ptr, AFM_free);
 207     return ptr;
 208 }
 209
 210 void *g_realloc(void *ptr, size_t size)
 211 {
 212     __coverity_negative_sink__(size);
 213     __coverity_escape__(ptr);
 214     ptr = __coverity_alloc__(size);
 215     if (!ptr) {
 216         __coverity_panic__();
 217     }
 218     /*
 219      * Memory beyond the old size isn't actually initialized.  Can't
 220      * model that.  See Coverity's realloc() model
 221      */
 222     __coverity_writeall__(ptr);
 223     __coverity_mark_as_afm_allocated__(ptr, AFM_free);
 224     return ptr;
 225 }
 226
 227 void *g_try_malloc(size_t size)
 228 {
 229     int nomem;
 230
 231     if (nomem) {
 232         return NULL;
 233     }
 234     return g_malloc(size);
 235 }
 236
 237 void *g_try_malloc0(size_t size)
 238 {
 239     int nomem;
 240
 241     if (nomem) {
 242         return NULL;
 243     }
 244     return g_malloc0(size);
 245 }
 246
 247 void *g_try_realloc(void *ptr, size_t size)
 248 {
 249     int nomem;
 250
 251     if (nomem) {
 252         return NULL;
 253     }
 254     return g_realloc(ptr, size);
 255 }
 256
 257 /* Other glib functions */
 258
 259 typedef struct pollfd GPollFD;
 260
 261 int poll();
 262
 263 int g_poll (GPollFD *fds, unsigned nfds, int timeout)
 264 {
 265     return poll(fds, nfds, timeout);
 266 }
 267
 268 typedef struct _GIOChannel GIOChannel;
 269 GIOChannel *g_io_channel_unix_new(int fd)
 270 {
 271     /* cannot use incomplete type, the actual struct is roughly this size.  */
 272     GIOChannel *c = g_malloc0(20 * sizeof(void *));
 273     __coverity_escape__(fd);
 274     return c;
 275 }
 276
 277 void g_assertion_message_expr(const char     *domain,
 278                               const char     *file,
 279                               int             line,
 280                               const char     *func,
 281                               const char     *expr)
 282 {
 283     __coverity_panic__();
 284 }