/home/stefan/src/qemu/qemu.org/qemu/hw/xtensa/xtensa

Bug Summary

File:	hw/xtensa/xtensa_lx60.c
Location:	line 260, column 21
Description:	Access to field 'pc' results in a dereference of a null pointer (loaded from variable 'env')

Annotated Source Code

* Redistribution and use in source and binary forms, with or without

* modification, are permitted provided that the following conditions are met:

* * Redistributions of source code must retain the above copyright

* notice, this list of conditions and the following disclaimer.

* * Redistributions in binary form must reproduce the above copyright

* notice, this list of conditions and the following disclaimer in the

* documentation and/or other materials provided with the distribution.

* * Neither the name of the Open Source and Linux Lab nor the

* names of its contributors may be used to endorse or promote products

* derived from this software without specific prior written permission.

* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"

* AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE

* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE

* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY

* DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES

* (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;

* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND

* ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT

* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS

* SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

#include "sysemu/sysemu.h"

#include "hw/boards.h"

#include "hw/loader.h"

#include "elf.h"

#include "exec/memory.h"

#include "exec/address-spaces.h"

#include "hw/char/serial.h"

#include "net/net.h"

#include "hw/sysbus.h"

#include "hw/block/flash.h"

#include "sysemu/blockdev.h"

#include "sysemu/char.h"

#include "xtensa_bootparam.h"

typedef struct LxBoardDesc {

size_t flash_size;

size_t flash_sector_size;

size_t sram_size;

} LxBoardDesc;

typedef struct Lx60FpgaState {

MemoryRegion iomem;

uint32_t leds;

uint32_t switches;

} Lx60FpgaState;

static void lx60_fpga_reset(void *opaque)

{

Lx60FpgaState *s = opaque;

s->leds = 0;

s->switches = 0;

}

static uint64_t lx60_fpga_read(void *opaque, hwaddr addr,

unsigned size)

{

Lx60FpgaState *s = opaque;

switch (addr) {

case 0x0: /*build date code*/

return 0x09272011;

case 0x4: /*processor clock frequency, Hz*/

return 10000000;

case 0x8: /*LEDs (off = 0, on = 1)*/

return s->leds;

case 0xc: /*DIP switches (off = 0, on = 1)*/

return s->switches;

}

return 0;

}

static void lx60_fpga_write(void *opaque, hwaddr addr,

uint64_t val, unsigned size)

{

Lx60FpgaState *s = opaque;

switch (addr) {

case 0x8: /*LEDs (off = 0, on = 1)*/

s->leds = val;

break;

case 0x10: /*board reset*/

if (val == 0xdead) {

qemu_system_reset_request();

}

break;

}

100

101

static const MemoryRegionOps lx60_fpga_ops = {

102

.read = lx60_fpga_read,

103

.write = lx60_fpga_write,

104

.endianness = DEVICE_NATIVE_ENDIAN,

105

};

106

107

static Lx60FpgaState *lx60_fpga_init(MemoryRegion *address_space,

108

hwaddr base)

109

{

110

Lx60FpgaState *s = g_malloc(sizeof(Lx60FpgaState));

111

112

memory_region_init_io(&s->iomem, NULL((void*)0), &lx60_fpga_ops, s,

113

"lx60.fpga", 0x10000);

114

memory_region_add_subregion(address_space, base, &s->iomem);

115

lx60_fpga_reset(s);

116

qemu_register_reset(lx60_fpga_reset, s);

117

return s;

118

}

119

120

static void lx60_net_init(MemoryRegion *address_space,

121

hwaddr base,

122

hwaddr descriptors,

123

hwaddr buffers,

124

qemu_irq irq, NICInfo *nd)

125

{

126

DeviceState *dev;

127

SysBusDevice *s;

128

MemoryRegion *ram;

129

130

dev = qdev_create(NULL((void*)0), "open_eth");

131

qdev_set_nic_properties(dev, nd);

132

qdev_init_nofail(dev);

133

134

s = SYS_BUS_DEVICE(dev)((SysBusDevice *)object_dynamic_cast_assert(((Object *)((dev)
)), ("sys-bus-device"), "/home/stefan/src/qemu/qemu.org/qemu/hw/xtensa/xtensa_lx60.c"
, 134, __func__));

135

sysbus_connect_irq(s, 0, irq);

136

memory_region_add_subregion(address_space, base,

137

sysbus_mmio_get_region(s, 0));

138

memory_region_add_subregion(address_space, descriptors,

139

sysbus_mmio_get_region(s, 1));

140

141

ram = g_malloc(sizeof(*ram));

142

memory_region_init_ram(ram, OBJECT(s)((Object *)(s)), "open_eth.ram", 16384);

143

vmstate_register_ram_global(ram);

144

memory_region_add_subregion(address_space, buffers, ram);

145

}

146

147

static uint64_t translate_phys_addr(void *opaque, uint64_t addr)

148

{

149

XtensaCPU *cpu = opaque;

150

151

return cpu_get_phys_page_debug(CPU(cpu)((CPUState *)object_dynamic_cast_assert(((Object *)((cpu))), (
"cpu"), "/home/stefan/src/qemu/qemu.org/qemu/hw/xtensa/xtensa_lx60.c"
, 151, __func__)), addr);

152

}

153

154

static void lx60_reset(void *opaque)

155

{

156

XtensaCPU *cpu = opaque;

157

158

cpu_reset(CPU(cpu)((CPUState *)object_dynamic_cast_assert(((Object *)((cpu))), (
"cpu"), "/home/stefan/src/qemu/qemu.org/qemu/hw/xtensa/xtensa_lx60.c"
, 158, __func__)));

159

}

160

161

static void lx_init(const LxBoardDesc *board, QEMUMachineInitArgs *args)

162

{

163

#ifdef TARGET_WORDS_BIGENDIAN1

164

int be = 1;

165

#else

166

int be = 0;

167

#endif

168

MemoryRegion *system_memory = get_system_memory();

169

XtensaCPU *cpu = NULL((void*)0);

170

CPUXtensaState *env = NULL((void*)0);

←

'env' initialized to a null pointer value

→

171

MemoryRegion *ram, *rom, *system_io;

172

DriveInfo *dinfo;

173

pflash_t *flash = NULL((void*)0);

174

const char *cpu_model = args->cpu_model;

175

const char *kernel_filename = args->kernel_filename;

176

const char *kernel_cmdline = args->kernel_cmdline;

177

int n;

178

179

if (!cpu_model) {

←

Assuming 'cpu_model' is non-null

→

←

Taking false branch

→

180

cpu_model = XTENSA_DEFAULT_CPU_MODEL"fsf";

181

}

182

183

for (n = 0; n < smp_cpus; n++) {

←

Assuming 'n' is >= 'smp_cpus'

→

←

Loop condition is false. Execution continues on line 199

→

184

cpu = cpu_xtensa_init(cpu_model);

185

if (cpu == NULL((void*)0)) {

186

fprintf(stderrstderr, "Unable to find CPU definition\n");

187

exit(1);

188

}

189

env = &cpu->env;

190

191

env->sregs[PRID] = n;

192

qemu_register_reset(lx60_reset, cpu);

193

/* Need MMU initialized prior to ELF loading,

194

* so that ELF gets loaded into virtual addresses

195

196

cpu_reset(CPU(cpu)((CPUState *)object_dynamic_cast_assert(((Object *)((cpu))), (
"cpu"), "/home/stefan/src/qemu/qemu.org/qemu/hw/xtensa/xtensa_lx60.c"
, 196, __func__)));

197

}

198

199

ram = g_malloc(sizeof(*ram));

200

memory_region_init_ram(ram, NULL((void*)0), "lx60.dram", args->ram_size);

201

vmstate_register_ram_global(ram);

202

memory_region_add_subregion(system_memory, 0, ram);

203

204

system_io = g_malloc(sizeof(*system_io));

205

memory_region_init(system_io, NULL((void*)0), "lx60.io", 224 * 1024 * 1024);

206

memory_region_add_subregion(system_memory, 0xf0000000, system_io);

207

lx60_fpga_init(system_io, 0x0d020000);

208

if (nd_table[0].used) {

←

Taking false branch

→

209

lx60_net_init(system_io, 0x0d030000, 0x0d030400, 0x0d800000,

210

xtensa_get_extint(env, 1), nd_table);

211

}

212

213

if (!serial_hds[0]) {

←

Taking false branch

→

214

serial_hds[0] = qemu_chr_new("serial0", "null", NULL((void*)0));

215

}

216

217

serial_mm_init(system_io, 0x0d050020, 2, xtensa_get_extint(env, 0),

218

115200, serial_hds[0], DEVICE_NATIVE_ENDIAN);

219

220

dinfo = drive_get(IF_PFLASH, 0, 0);

221

if (dinfo) {

←

Assuming 'dinfo' is null

→

←

Taking false branch

→

222

flash = pflash_cfi01_register(0xf8000000,

223

NULL((void*)0), "lx60.io.flash", board->flash_size,

224

dinfo->bdrv, board->flash_sector_size,

225

board->flash_size / board->flash_sector_size,

226

4, 0x0000, 0x0000, 0x0000, 0x0000, be);

227

if (flash == NULL((void*)0)) {

228

fprintf(stderrstderr, "Unable to mount pflash\n");

229

exit(1);

230

}

231

}

232

233

/* Use presence of kernel file name as 'boot from SRAM' switch. */

234

if (kernel_filename) {

←

Assuming 'kernel_filename' is non-null

→

←

Taking true branch

→

235

rom = g_malloc(sizeof(*rom));

236

memory_region_init_ram(rom, NULL((void*)0), "lx60.sram", board->sram_size);

237

vmstate_register_ram_global(rom);

238

memory_region_add_subregion(system_memory, 0xfe000000, rom);

239

240

/* Put kernel bootparameters to the end of that SRAM */

241

if (kernel_cmdline) {

←

Assuming 'kernel_cmdline' is null

→

←

Taking false branch

→

242

size_t cmdline_size = strlen(kernel_cmdline) + 1;

243

size_t bp_size = sizeof(BpTag[4]) + cmdline_size;

244

uint32_t tagptr = (0xfe000000 + board->sram_size - bp_size) & ~0xff;

245

246

env->regs[2] = tagptr;

247

248

tagptr = put_tag(tagptr, 0x7b0b, 0, NULL((void*)0));

249

if (cmdline_size > 1) {

250

tagptr = put_tag(tagptr, 0x1001,

251

cmdline_size, kernel_cmdline);

252

}

253

tagptr = put_tag(tagptr, 0x7e0b, 0, NULL((void*)0));

254

}

255

uint64_t elf_entry;

256

uint64_t elf_lowaddr;

257

int success = load_elf(kernel_filename, translate_phys_addr, cpu,

258

&elf_entry, &elf_lowaddr, NULL((void*)0), be, ELF_MACHINE94, 0);

259

if (success > 0) {

←

Assuming 'success' is > 0

→

←

Taking true branch

→

260

env->pc = elf_entry;

←

Access to field 'pc' results in a dereference of a null pointer (loaded from variable 'env')

261

}

262

} else {

263

if (flash) {

264

MemoryRegion *flash_mr = pflash_cfi01_get_memory(flash);

265

MemoryRegion *flash_io = g_malloc(sizeof(*flash_io));

266

267

memory_region_init_alias(flash_io, NULL((void*)0), "lx60.flash",

268

flash_mr, 0, board->flash_size);

269

memory_region_add_subregion(system_memory, 0xfe000000,

270

flash_io);

271

}

272

}

273

}

274

275

static void xtensa_lx60_init(QEMUMachineInitArgs *args)

276

{

277

static const LxBoardDesc lx60_board = {

278

.flash_size = 0x400000,

279

.flash_sector_size = 0x10000,

280

.sram_size = 0x20000,

281

};

282

lx_init(&lx60_board, args);

283

}

284

285

static void xtensa_lx200_init(QEMUMachineInitArgs *args)

286

{

287

static const LxBoardDesc lx200_board = {

288

.flash_size = 0x1000000,

289

.flash_sector_size = 0x20000,

290

.sram_size = 0x2000000,

291

};

292

lx_init(&lx200_board, args);

Calling 'lx_init'

→

293

}

294

295

static QEMUMachine xtensa_lx60_machine = {

296

.name = "lx60",

297

.desc = "lx60 EVB (" XTENSA_DEFAULT_CPU_MODEL"fsf" ")",

298

.init = xtensa_lx60_init,

299

.max_cpus = 4,

300

};

301

302

static QEMUMachine xtensa_lx200_machine = {

303

.name = "lx200",

304

.desc = "lx200 EVB (" XTENSA_DEFAULT_CPU_MODEL"fsf" ")",

305

.init = xtensa_lx200_init,

306

.max_cpus = 4,

307

};

308

309

static void xtensa_lx_machines_init(void)

310

{

311

qemu_register_machine(&xtensa_lx60_machine);

312

qemu_register_machine(&xtensa_lx200_machine);

313

}

314

315

machine_init(xtensa_lx_machines_init)static void __attribute__((constructor)) do_qemu_init_xtensa_lx_machines_init
(void) { register_module_init(xtensa_lx_machines_init, MODULE_INIT_MACHINE
); };