On 22.05.2024 11:56, scan-ad...@coverity.com wrote:
> ** CID 1598431:  Memory - corruptions  (OVERRUN)
> 
> 
> ________________________________________________________________________________________________________
> *** CID 1598431:  Memory - corruptions  (OVERRUN)
> /xen/common/trace.c: 798 in trace()
> 792         }
> 793     
> 794         if ( rec_size > bytes_to_wrap )
> 795             insert_wrap_record(buf, rec_size);
> 796     
> 797         /* Write the original record */
>>>>     CID 1598431:  Memory - corruptions  (OVERRUN)
>>>>     Overrunning callee's array of size 28 by passing argument "extra" (which evaluates to 31) in call to "__insert_record".
> 798         __insert_record(buf, event, extra, cycles, rec_size, extra_data);
> 799     
> 800     unlock:
> 801         spin_unlock_irqrestore(&this_cpu(t_lock), flags);
> 802     
> 803         /* Notify trace buffer consumer that we've crossed the high water mark. */

How does the tool conclude "extra" evaluating to 31, when at the top of
the function it is clearly checked to be less than 28?

> ** CID 1598430:  Uninitialized variables  (UNINIT)
> 
> 
> ________________________________________________________________________________________________________
> *** CID 1598430:  Uninitialized variables  (UNINIT)
> /xen/arch/x86/mm/shadow/multi.c: 2109 in trace_shadow_emulate()
> 2103             d.va = va;
> 2104     #if GUEST_PAGING_LEVELS == 3
> 2105             d.emulation_count = this_cpu(trace_extra_emulation_count);
> 2106     #endif
> 2107             d.flags = this_cpu(trace_shadow_path_flags);
> 2108     
>>>>     CID 1598430:  Uninitialized variables  (UNINIT)
>>>>     Using uninitialized value "d". Field "d.emulation_count" is uninitialized when calling "trace".
> 2109             trace(event, sizeof(d), &d);
> 2110         }
> 2111     }
> 2112     #endif /* CONFIG_HVM */
> 2113     
> 2114     
> /**************************************************************************/

This, otoh, looks to be a valid (but long-standing) issue, which I'll make
a patch for.

Jan
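The UNINIT pattern from the second finding, as an added example (this is not Xen code or Jan's patch): a record struct whose emulation_count field is assigned only under one paging-levels configuration, then copied whole into a trace buffer, so the consumer reads whatever the stack held before. The struct, field values and helper names are constructed for illustration, and the 0xAA fill stands in for stale stack contents; zeroing the record before filling it is shown as one mitigation.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Constructed stand-in for the shadow-emulation trace record. */
struct shadow_emulate_rec {
    uint64_t gl1e;
    uint64_t va;
    uint32_t emulation_count;   /* only assigned when paging levels == 3 */
    uint32_t flags;
};

/* Lets the example place the struct over known "stale" bytes. */
union rec_storage {
    struct shadow_emulate_rec r;
    uint8_t raw[sizeof(struct shadow_emulate_rec)];
};

/* Stand-in for trace(): copies sizeof(d) raw bytes into the trace buffer. */
static void trace_copy(uint8_t *buf, size_t len, const void *rec)
{
    memcpy(buf, rec, len);
}

/* Builds the record the way the flagged code does: assigns the fields it
 * knows about and conditionally skips emulation_count. With zero_first set,
 * the record is cleared before being filled (the mitigation). Returns the
 * emulation_count value the trace consumer reads back from the buffer. */
uint32_t count_seen_by_consumer(int guest_paging_levels, int zero_first)
{
    uint8_t trace_buf[sizeof(struct shadow_emulate_rec)];
    union rec_storage u;
    uint32_t seen;

    /* 0xAA simulates whatever a previous stack frame left behind. */
    memset(u.raw, 0xAA, sizeof(u.raw));
    if ( zero_first )
        memset(&u.r, 0, sizeof(u.r));

    u.r.gl1e = 0x1234;
    u.r.va = 0xdead0000;
    if ( guest_paging_levels == 3 )
        u.r.emulation_count = 7;
    u.r.flags = 0x3;

    trace_copy(trace_buf, sizeof(u.r), &u.r);

    /* Read the field back exactly as a consumer parsing the buffer would. */
    memcpy(&seen, trace_buf + offsetof(struct shadow_emulate_rec, emulation_count), sizeof(seen));
    return seen;
}
```

With 2- or 4-level guest paging and no zeroing, the consumer sees 0xAAAAAAAA, i.e. stale stack bytes copied into the trace stream; after zeroing it sees 0.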