Bug Summary

File:hw/ppc/mac_oldworld.c
Location:line 239, column 17
Description:Access to field 'bus_model' results in a dereference of a null pointer (loaded from variable 'env')

Annotated Source Code

1
2/*
3 * QEMU OldWorld PowerMac (currently ~G3 Beige) hardware System Emulator
4 *
5 * Copyright (c) 2004-2007 Fabrice Bellard
6 * Copyright (c) 2007 Jocelyn Mayer
7 *
8 * Permission is hereby granted, free of charge, to any person obtaining a copy
9 * of this software and associated documentation files (the "Software"), to deal
10 * in the Software without restriction, including without limitation the rights
11 * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
12 * copies of the Software, and to permit persons to whom the Software is
13 * furnished to do so, subject to the following conditions:
14 *
15 * The above copyright notice and this permission notice shall be included in
16 * all copies or substantial portions of the Software.
17 *
18 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
19 * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
20 * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
21 * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
22 * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
23 * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
24 * THE SOFTWARE.
25 */
26#include "hw/hw.h"
27#include "hw/ppc/ppc.h"
28#include "mac.h"
29#include "hw/input/adb.h"
30#include "hw/timer/m48t59.h"
31#include "sysemu/sysemu.h"
32#include "net/net.h"
33#include "hw/isa/isa.h"
34#include "hw/pci/pci.h"
35#include "hw/boards.h"
36#include "hw/nvram/fw_cfg.h"
37#include "hw/char/escc.h"
38#include "hw/ide.h"
39#include "hw/loader.h"
40#include "elf.h"
41#include "sysemu/kvm.h"
42#include "kvm_ppc.h"
43#include "sysemu/blockdev.h"
44#include "exec/address-spaces.h"
45
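/*
 * Board constants.  The listing had the analyzer's macro-expansion popups
 * fused into the definitions ("MAX_IDE_BUS2 2", "CFG_ADDR0xf0000510 ..."),
 * which names the wrong macro; the real definitions are the plain ones.
 */
#define MAX_IDE_BUS 2              /* two macio IDE channels: "ide[0]" and "ide[1]" */
#define CFG_ADDR    0xf0000510     /* fw_cfg control port; data port is CFG_ADDR + 2 */
#define TBFREQ      16600000UL     /* PowerPC time-base frequency, 16.6 MHz */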
49
/*
 * qemu_register_boot_set() callback: republish the boot device through fw_cfg
 * when the boot order is changed at run time.
 *
 * opaque:      the fw_cfg instance created in ppc_heathrow_init().
 * boot_device: boot order string; only its first character is published.
 *              Assumed non-NULL (the caller owns that guarantee); an empty
 *              string publishes 0.
 * Returns 0 unconditionally.
 */
static int fw_cfg_boot_set(void *opaque, const char *boot_device)
{
    const char first = boot_device[0];

    fw_cfg_add_i16(opaque, FW_CFG_BOOT_DEVICE, first);
    return 0;
}
55
56
/*
 * load_elf() address translation for the kernel image.
 *
 * Keeps the low 28 bits of the ELF address (a 256 MB window) and rebases
 * them at KERNEL_LOAD_ADDR, so whatever virtual layout the kernel was linked
 * for, it lands in RAM just above the load address.  'opaque' is unused.
 */
static uint64_t translate_kernel_address(void *opaque, uint64_t addr)
{
    const uint64_t offset = addr & 0x0fffffff;

    return KERNEL_LOAD_ADDR + offset;
}
61
/*
 * Round 'addr' up to the next TARGET_PAGE_SIZE boundary (unchanged when it is
 * already aligned).  Unsigned arithmetic: an address within one page of the
 * top of the hwaddr range wraps to a small value, same as the original.
 */
static hwaddr round_page(hwaddr addr)
{
    hwaddr bumped = addr + (TARGET_PAGE_SIZE - 1);

    return bumped & TARGET_PAGE_MASK;
}
66
/*
 * System-reset hook registered per CPU by ppc_heathrow_init() via
 * qemu_register_reset(); 'opaque' is the PowerPCCPU that was registered.
 */
static void ppc_heathrow_reset(void *opaque)
{
    PowerPCCPU *ppc = (PowerPCCPU *)opaque;

    cpu_reset(CPU(ppc));
}
73
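/*
 * Machine init for the "g3beige" (Heathrow) OldWorld PowerMac.
 *
 * args carries the RAM size, CPU model, kernel/initrd/cmdline paths and the
 * boot order string from the command line.  Nothing is returned; every
 * unrecoverable problem prints a message and exit()s or hw_error()s, as the
 * rest of this file does.
 *
 * Static-analyzer finding addressed here: 'env' starts out NULL and is only
 * assigned inside the smp_cpus loop, so on a path with smp_cpus == 0 it is
 * still NULL when PPC_INPUT(env) is evaluated (and heathrow_irqs[0] would be
 * written through a zero-length g_malloc0()).  An explicit check after the
 * CPU loop now rejects that configuration.  The two unsigned subtractions
 * 'ram_size - kernel_base' and 'ram_size - initrd_base' are also guarded so
 * they cannot wrap to a huge size bound when the load address is at or past
 * the end of RAM.  The "Too much memory" message used %d for an unsigned
 * argument; it now uses %u.
 */
static void ppc_heathrow_init(QEMUMachineInitArgs *args)
{
    ram_addr_t ram_size = args->ram_size;
    const char *cpu_model = args->cpu_model;
    const char *kernel_filename = args->kernel_filename;
    const char *kernel_cmdline = args->kernel_cmdline;
    const char *initrd_filename = args->initrd_filename;
    const char *boot_device = args->boot_order;
    MemoryRegion *sysmem = get_system_memory();
    PowerPCCPU *cpu = NULL;
    CPUPPCState *env = NULL;
    char *filename;
    qemu_irq *pic, **heathrow_irqs;
    int linux_boot, i;
    MemoryRegion *ram = g_new(MemoryRegion, 1);
    MemoryRegion *bios = g_new(MemoryRegion, 1);
    MemoryRegion *isa = g_new(MemoryRegion, 1);
    uint32_t kernel_base, initrd_base, cmdline_base = 0;
    int32_t kernel_size, initrd_size;
    PCIBus *pci_bus;
    PCIDevice *macio;
    MACIOIDEState *macio_ide;
    DeviceState *dev;
    BusState *adb_bus;
    int bios_size;
    MemoryRegion *pic_mem;
    MemoryRegion *escc_mem, *escc_bar = g_new(MemoryRegion, 1);
    uint16_t ppc_boot_device;
    DriveInfo *hd[MAX_IDE_BUS * MAX_IDE_DEVS];
    void *fw_cfg;

    linux_boot = (kernel_filename != NULL);

    /* init CPUs */
    if (cpu_model == NULL)
        cpu_model = "G3";
    for (i = 0; i < smp_cpus; i++) {
        cpu = cpu_ppc_init(cpu_model);
        if (cpu == NULL) {
            fprintf(stderr, "Unable to find PowerPC CPU definition\n");
            exit(1);
        }
        /* 'env' is left pointing at the last CPU created; the PIC wiring
         * below reads it for every index, which is only correct with a
         * single CPU (this machine's max_cpus is MAX_CPUS). */
        env = &cpu->env;

        /* Set time-base frequency to 16.6 Mhz */
        cpu_ppc_tb_init(env, TBFREQ);
        qemu_register_reset(ppc_heathrow_reset, cpu);
    }

    /* Everything from here on dereferences 'env' and indexes heathrow_irqs[0];
     * both are invalid if the loop above never ran.  Fail loudly instead. */
    if (env == NULL) {
        fprintf(stderr, "qemu: G3 Beige machine needs at least one CPU\n");
        exit(1);
    }

    /* allocate RAM */
    if (ram_size > (2047 << 20)) {
        fprintf(stderr,
                "qemu: Too much memory for this machine: %u MB, maximum 2047 MB\n",
                ((unsigned int)ram_size / (1 << 20)));
        exit(1);
    }

    memory_region_init_ram(ram, NULL, "ppc_heathrow.ram", ram_size);
    vmstate_register_ram_global(ram);
    memory_region_add_subregion(sysmem, 0, ram);

    /* allocate and load BIOS */
    memory_region_init_ram(bios, NULL, "ppc_heathrow.bios", BIOS_SIZE);
    vmstate_register_ram_global(bios);
    if (bios_name == NULL)
        bios_name = PROM_FILENAME;
    filename = qemu_find_file(QEMU_FILE_TYPE_BIOS, bios_name);
    memory_region_set_readonly(bios, true);
    memory_region_add_subregion(sysmem, PROM_ADDR, bios);

    /* Load OpenBIOS (ELF).  The firmware image is operator-supplied, trusted
     * input; note the size check below runs after load_elf() has already
     * placed the image. */
    if (filename) {
        bios_size = load_elf(filename, 0, NULL, NULL, NULL, NULL,
                             1, ELF_MACHINE, 0);
        g_free(filename);
    } else {
        bios_size = -1;
    }
    if (bios_size < 0 || bios_size > BIOS_SIZE) {
        hw_error("qemu: could not load PowerPC bios '%s'\n", bios_name);
        exit(1);
    }

    if (linux_boot) {
        uint64_t lowaddr = 0;
        int bswap_needed;

#ifdef BSWAP_NEEDED
        bswap_needed = 1;
#else
        bswap_needed = 0;
#endif
        kernel_base = KERNEL_LOAD_ADDR;
        /* 'ram_size - kernel_base' below is the space left for the image;
         * with less RAM than the load address it would wrap to a huge bound. */
        if (ram_size <= kernel_base) {
            fprintf(stderr,
                    "qemu: not enough RAM to load a kernel at 0x%x\n",
                    (unsigned int)kernel_base);
            exit(1);
        }
        /* Try ELF first (with the address translation above), then a.out,
         * then a raw image placed at kernel_base. */
        kernel_size = load_elf(kernel_filename, translate_kernel_address, NULL,
                               NULL, &lowaddr, NULL, 1, ELF_MACHINE, 0);
        if (kernel_size < 0)
            kernel_size = load_aout(kernel_filename, kernel_base,
                                    ram_size - kernel_base, bswap_needed,
                                    TARGET_PAGE_SIZE);
        if (kernel_size < 0)
            kernel_size = load_image_targphys(kernel_filename,
                                              kernel_base,
                                              ram_size - kernel_base);
        if (kernel_size < 0) {
            hw_error("qemu: could not load kernel '%s'\n",
                     kernel_filename);
            exit(1);
        }
        /* load initrd */
        if (initrd_filename) {
            initrd_base = round_page(kernel_base + kernel_size + KERNEL_GAP);
            /* Same wrap hazard as above for 'ram_size - initrd_base'. */
            if (initrd_base >= ram_size) {
                fprintf(stderr,
                        "qemu: no room for initial ram disk above the kernel\n");
                exit(1);
            }
            initrd_size = load_image_targphys(initrd_filename, initrd_base,
                                              ram_size - initrd_base);
            if (initrd_size < 0) {
                hw_error("qemu: could not load initial ram disk '%s'\n",
                         initrd_filename);
                exit(1);
            }
            cmdline_base = round_page(initrd_base + initrd_size);
        } else {
            initrd_base = 0;
            initrd_size = 0;
            cmdline_base = round_page(kernel_base + kernel_size + KERNEL_GAP);
        }
        ppc_boot_device = 'm';
    } else {
        kernel_base = 0;
        kernel_size = 0;
        initrd_base = 0;
        initrd_size = 0;
        ppc_boot_device = '\0';
        /* First usable letter of the boot order wins; only 'c'/'d' count. */
        for (i = 0; boot_device[i] != '\0'; i++) {
            /* TOFIX: for now, the second IDE channel is not properly
             * used by OHW. The Mac floppy disk are not emulated.
             * For now, OHW cannot boot from the network.
             */
#if 0
            if (boot_device[i] >= 'a' && boot_device[i] <= 'f') {
                ppc_boot_device = boot_device[i];
                break;
            }
#else
            if (boot_device[i] >= 'c' && boot_device[i] <= 'd') {
                ppc_boot_device = boot_device[i];
                break;
            }
#endif
        }
        if (ppc_boot_device == '\0') {
            fprintf(stderr, "No valid boot device for G3 Beige machine\n");
            exit(1);
        }
    }

    /* Register 2 MB of ISA IO space */
    memory_region_init_alias(isa, NULL, "isa_mmio",
                             get_system_io(), 0, 0x00200000);
    memory_region_add_subregion(sysmem, 0xfe000000, isa);

    /* XXX: we register only 1 output pin for heathrow PIC */
    heathrow_irqs = g_malloc0(smp_cpus * sizeof(qemu_irq *));
    heathrow_irqs[0] =
        g_malloc0(smp_cpus * sizeof(qemu_irq) * 1);
    /* Connect the heathrow PIC outputs to the 6xx bus */
    for (i = 0; i < smp_cpus; i++) {
        switch (PPC_INPUT(env)) {
        case PPC_FLAGS_INPUT_6xx:
            heathrow_irqs[i] = heathrow_irqs[0] + (i * 1);
            heathrow_irqs[i][0] =
                ((qemu_irq *)env->irq_inputs)[PPC6xx_INPUT_INT];
            break;
        default:
            hw_error("Bus model not supported on OldWorld Mac machine\n");
        }
    }

    /* init basic PC hardware */
    if (PPC_INPUT(env) != PPC_FLAGS_INPUT_6xx) {
        hw_error("Only 6xx bus is supported on heathrow machine\n");
    }
    pic = heathrow_pic_init(&pic_mem, 1, heathrow_irqs);
    pci_bus = pci_grackle_init(0xfec00000, pic,
                               get_system_memory(),
                               get_system_io());
    pci_vga_init(pci_bus);

    escc_mem = escc_init(0, pic[0x0f], pic[0x10], serial_hds[0],
                               serial_hds[1], ESCC_CLOCK, 4);
    memory_region_init_alias(escc_bar, NULL, "escc-bar",
                             escc_mem, 0, memory_region_size(escc_mem));

    for(i = 0; i < nb_nics; i++)
        pci_nic_init_nofail(&nd_table[i], pci_bus, "ne2k_pci", NULL);


    ide_drive_get(hd, MAX_IDE_BUS);

    macio = pci_create(pci_bus, -1, TYPE_OLDWORLD_MACIO);
    dev = DEVICE(macio);
    qdev_connect_gpio_out(dev, 0, pic[0x12]); /* CUDA */
    qdev_connect_gpio_out(dev, 1, pic[0x0D]); /* IDE-0 */
    qdev_connect_gpio_out(dev, 2, pic[0x02]); /* IDE-0 DMA */
    qdev_connect_gpio_out(dev, 3, pic[0x0E]); /* IDE-1 */
    qdev_connect_gpio_out(dev, 4, pic[0x03]); /* IDE-1 DMA */
    macio_init(macio, pic_mem, escc_bar);

    /* hd[] is laid out channel-major: ide[0] takes the first MAX_IDE_DEVS
     * entries, ide[1] the next MAX_IDE_DEVS. */
    macio_ide = MACIO_IDE(object_resolve_path_component(OBJECT(macio),
                                                        "ide[0]"));
    macio_ide_init_drives(macio_ide, hd);

    macio_ide = MACIO_IDE(object_resolve_path_component(OBJECT(macio),
                                                        "ide[1]"));
    macio_ide_init_drives(macio_ide, &hd[MAX_IDE_DEVS]);

    dev = DEVICE(object_resolve_path_component(OBJECT(macio), "cuda"));
    adb_bus = qdev_get_child_bus(dev, "adb.0");
    dev = qdev_create(adb_bus, TYPE_ADB_KEYBOARD);
    qdev_init_nofail(dev);
    dev = qdev_create(adb_bus, TYPE_ADB_MOUSE);
    qdev_init_nofail(dev);

    if (usb_enabled(false)) {
        pci_create_simple(pci_bus, -1, "pci-ohci");
    }

    /* Only 8/15/32 bpp are offered to the firmware; anything else becomes 15. */
    if (graphic_depth != 15 && graphic_depth != 32 && graphic_depth != 8)
        graphic_depth = 15;

    /* No PCI init: the BIOS will do it */

    fw_cfg = fw_cfg_init(0, 0, CFG_ADDR, CFG_ADDR + 2);
    fw_cfg_add_i16(fw_cfg, FW_CFG_MAX_CPUS, (uint16_t)max_cpus);
    fw_cfg_add_i32(fw_cfg, FW_CFG_ID, 1);
    fw_cfg_add_i64(fw_cfg, FW_CFG_RAM_SIZE, (uint64_t)ram_size);
    fw_cfg_add_i16(fw_cfg, FW_CFG_MACHINE_ID, ARCH_HEATHROW);
    fw_cfg_add_i32(fw_cfg, FW_CFG_KERNEL_ADDR, kernel_base);
    fw_cfg_add_i32(fw_cfg, FW_CFG_KERNEL_SIZE, kernel_size);
    if (kernel_cmdline) {
        /* The command line is copied into guest RAM, bounded to one target
         * page.  Without a kernel cmdline_base is still 0, i.e. the copy
         * would land at guest address 0; this relies on the caller rejecting
         * -append without -kernel -- NOTE(review): confirm in vl.c. */
        fw_cfg_add_i32(fw_cfg, FW_CFG_KERNEL_CMDLINE, cmdline_base);
        pstrcpy_targphys("cmdline", cmdline_base, TARGET_PAGE_SIZE, kernel_cmdline);
    } else {
        fw_cfg_add_i32(fw_cfg, FW_CFG_KERNEL_CMDLINE, 0);
    }
    fw_cfg_add_i32(fw_cfg, FW_CFG_INITRD_ADDR, initrd_base);
    fw_cfg_add_i32(fw_cfg, FW_CFG_INITRD_SIZE, initrd_size);
    fw_cfg_add_i16(fw_cfg, FW_CFG_BOOT_DEVICE, ppc_boot_device);

    fw_cfg_add_i16(fw_cfg, FW_CFG_PPC_WIDTH, graphic_width);
    fw_cfg_add_i16(fw_cfg, FW_CFG_PPC_HEIGHT, graphic_height);
    fw_cfg_add_i16(fw_cfg, FW_CFG_PPC_DEPTH, graphic_depth);

    fw_cfg_add_i32(fw_cfg, FW_CFG_PPC_IS_KVM, kvm_enabled());
    if (kvm_enabled()) {
#ifdef CONFIG_KVM
        uint8_t *hypercall;

        fw_cfg_add_i32(fw_cfg, FW_CFG_PPC_TBFREQ, kvmppc_get_tbfreq());
        hypercall = g_malloc(16);
        kvmppc_get_hypercall(env, hypercall, 16);
        fw_cfg_add_bytes(fw_cfg, FW_CFG_PPC_KVM_HC, hypercall, 16);
        /* NOTE(review): this publishes the host QEMU process id to the guest
         * through fw_cfg; presumably required by the PPC KVM firmware path,
         * but it is a small host-side information leak worth being aware of. */
        fw_cfg_add_i32(fw_cfg, FW_CFG_PPC_KVM_PID, getpid());
#endif
    } else {
        fw_cfg_add_i32(fw_cfg, FW_CFG_PPC_TBFREQ, TBFREQ);
    }
    /* Mac OS X requires a "known good" clock-frequency value; pass it one. */
    fw_cfg_add_i32(fw_cfg, FW_CFG_PPC_CLOCKFREQ, 266000000);

    qemu_register_boot_set(fw_cfg_boot_set, fw_cfg);
}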
344
/*
 * Machine description registered by heathrow_machine_init().
 * Default boot order is "cd" because the Mac floppy is not emulated
 * (TOFIX: "cad" when Mac floppy is implemented).
 */
static QEMUMachine heathrow_machine = {
    .name               = "g3beige",
    .desc               = "Heathrow based PowerMAC",
    .init               = ppc_heathrow_init,
    .max_cpus           = MAX_CPUS,
    .default_boot_order = "cd",
#ifndef TARGET_PPC64
    /* The 32-bit PowerPC target boots this machine when none is named. */
    .is_default         = 1,
#endif
};
355
/* Module-init hook: make the "g3beige" machine selectable. */
static void heathrow_machine_init(void)
{
    QEMUMachine *machine = &heathrow_machine;

    qemu_register_machine(machine);
}
360
/* Expands to a constructor that queues heathrow_machine_init() for the
 * MODULE_INIT_MACHINE phase (see the expansion shown in the analyzer listing). */
machine_init(heathrow_machine_init);