Re: [PATCH 4/6] coverity-model: clean up the models for array allocation

qemu-devel

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [PATCH 4/6] coverity-model: clean up the models for array allocation

From:	Peter Maydell
Subject:	Re: [PATCH 4/6] coverity-model: clean up the models for array allocation functions
Date:	Wed, 4 Aug 2021 09:43:44 +0100

On Wed, 4 Aug 2021 at 09:35, Markus Armbruster <armbru@redhat.com> wrote:
>
> Paolo Bonzini <pbonzini@redhat.com> writes:
>
> > On 02/08/21 14:36, Peter Maydell wrote:
> >> Reviewed-by: Peter Maydell<peter.maydell@linaro.org>
> >> The real g_malloc_n() returns failure if the multiplication
> >> would overflow;
>
> Really?  Its documentation:
>
>     This function is similar to g_malloc(), allocating (n_blocks *
>     n_block_bytes) bytes, but care is taken to detect possible overflow
>     during multiplication.
>
> There's also g_try_malloc_n():
>
>     This function is similar to g_try_malloc(), allocating (n_blocks *
>     n_block_bytes) bytes, but care is taken to detect possible overflow
>     during multiplication.
>
> I read this as g_malloc_n() can return null only for zero size, and
> crashes on error, just like g_malloc_n().  g_try_malloc_n() behaves like
> g_try_malloc_n(), i.e. it returns null on failure.

Yeah, I misspoke -- I just meant to say "treats multiply overflow
like an allocation failure", not that it returns NULL.

> >>                 I guess Coverity currently doesn't have any
> >> warnings it generates as a result of assuming overflow
> >> might happen?
> >
> > I couldn't find any Coverity-specific way to detect overflow, but
>
> Does it need one?
>
> Quick peek at Coverity 2012.12 Checker Reference:
>
>     4.188. INTEGER_OVERFLOW

> The example that follows shows a memory allocation where the size is
> computed like TAINTED * sizeof(MUMBLE), where TAINTED is a "tainted
> source", and the allocation's size is a "tainted sink".

My point was that we *don't* want Coverity to report INTEGER_OVERFLOW
errors based on the way our g_malloc_n() model is written like this:
  __coverity_alloc__(nmemb * size)
That expression in our model *can* overflow. We know the real g_malloc_n()
cannot overflow, but we don't do anything to tell Coverity that, so it's
possible that (maybe in future) it will report false positives to us
based on analysis that assumes possible overflows in the multiplication.

thanks
-- PMM

[Prev in Thread]

Current Thread

[Next in Thread]

Re: [PATCH 4/6] coverity-model: clean up the models for array allocation functions, Peter Maydell, 2021/08/02
- Re: [PATCH 4/6] coverity-model: clean up the models for array allocation functions, Paolo Bonzini, 2021/08/02
  - Re: [PATCH 4/6] coverity-model: clean up the models for array allocation functions, Markus Armbruster, 2021/08/04
    - Re: [PATCH 4/6] coverity-model: clean up the models for array allocation functions, Peter Maydell <=

Prev by Date: Re: [PATCH] util: fix abstract socket path copy
Next by Date: Re: [PATCH 0/3] docs: convert qapi-code-gen.txt to qapi-code-gen.rst
Previous by thread: Re: [PATCH 4/6] coverity-model: clean up the models for array allocation functions
Next by thread: Re: [PATCH 5/6] coverity-model: constrain g_malloc/g_malloc0/g_realloc as never returning NULL
Index(es):
- Date
- Thread