On 2/12/20 10:48 AM, Greg Kurz wrote:
> On Mon, 3 Feb 2020 17:11:22 +1100
> David Gibson <da...@gibson.dropbear.id.au> wrote:
>
>> From: Richard Henderson <richard.hender...@linaro.org>
>>
>> Using probe_write instead of tlb_vaddr_to_host means that we
>> process watchpoints and notdirty pages more efficiently.
>>
>> Signed-off-by: Richard Henderson <richard.hender...@linaro.org>
>> Message-Id: <20200129235040.24022-5-richard.hender...@linaro.org>
>> Tested-by: Howard Spoelstra <hsp.c...@gmail.com>
>> Signed-off-by: David Gibson <da...@gibson.dropbear.id.au>
>> ---
>>  target/ppc/mem_helper.c | 2 +-
>>  1 file changed, 1 insertion(+), 1 deletion(-)
>>
>> diff --git a/target/ppc/mem_helper.c b/target/ppc/mem_helper.c
>> index 0cb78777e7..98f589552b 100644
>> --- a/target/ppc/mem_helper.c
>> +++ b/target/ppc/mem_helper.c
>> @@ -298,7 +298,7 @@ static void dcbz_common(CPUPPCState *env, target_ulong
>> addr,
>>      }
>>
>>      /* Try fast path translate */
>> -    haddr = tlb_vaddr_to_host(env, addr, MMU_DATA_STORE, mmu_idx);
>> +    haddr = probe_write(env, addr, dcbz_size, mmu_idx, retaddr);
>
> Hi Richard,
>
> This one is making coverity unhappy.
>
>
> ** CID 1419390:  Memory - corruptions  (OVERRUN)
>
>
> ______________________________________________________________________________________________________
> *** CID 1419390:  Memory - corruptions  (OVERRUN)
> /target/ppc/mem_helper.c: 301 in dcbz_common()
> 295         /* Check reservation */
> 296         if ((env->reserve_addr & mask) == addr) {
> 297             env->reserve_addr = (target_ulong)-1ULL;
> 298         }
> 299
> 300         /* Try fast path translate */
>>>>     CID 1419390:  Memory - corruptions  (OVERRUN)
>>>>     Overrunning callee's array of size 9 by passing argument "mmu_idx" (which evaluates to 9) in call to "probe_write".
> 301         haddr = probe_write(env, addr, dcbz_size, mmu_idx, retaddr);
> 302         if (haddr) {
> 303             memset(haddr, 0, dcbz_size);
> 304         } else {
> 305             /* Slow path */
> 306             for (i = 0; i < dcbz_size; i += 8) {
>
>
> Can you have a look ?
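Review bot: the commit message should say more than "more efficiently", because the one-line hunk changes the contract of the fast path, not only its speed: tlb_vaddr_to_host(env, addr, MMU_DATA_STORE, mmu_idx) was a lookup of a single address that fell through to the slow path on any miss, while probe_write(env, addr, dcbz_size, mmu_idx, retaddr) is handed the full dcbz_size and a retaddr, so the whole block is checked for writability in one call and the retaddr argument indicates that a fault can now be raised from this call site rather than from the slow-path loop. One sentence stating that the "else" slow path is now reached only for pages that genuinely need it (watchpoints and notdirty pages, as the message hints) would make the behaviour change reviewable. The Coverity OVERRUN on "mmu_idx" quoted above concerns the NB_MMU_MODES-sized table inside probe_write; as the reply in this thread shows, the reported size 9 comes from a different target's header, not from this hunk, so no change to the call is warranted.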
That's a bit of a mystery, given

#define NB_MMU_MODES 10

So I wonder what array is supposed to be of size 9...

Ho hum. False positive.

Expanding everything in the coverity gui shows it's taking the definition from target/xtensa/cpu-param.h.

r~