/home/stefan/src/qemu/qemu.org/qemu/hw/ppc/mac

Bug Summary

File:	hw/ppc/mac_oldworld.c
Location:	line 251, column 9
Description:	Access to field 'bus_model' results in a dereference of a null pointer (loaded from variable 'env')

Annotated Source Code

* QEMU OldWorld PowerMac (currently ~G3 Beige) hardware System Emulator

* Permission is hereby granted, free of charge, to any person obtaining a copy

* of this software and associated documentation files (the "Software"), to deal

* in the Software without restriction, including without limitation the rights

* to use, copy, modify, merge, publish, distribute, sublicense, and/or sell

* copies of the Software, and to permit persons to whom the Software is

* furnished to do so, subject to the following conditions:

* The above copyright notice and this permission notice shall be included in

* all copies or substantial portions of the Software.

* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR

* IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,

* FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL

* THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER

* LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,

* OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN

* THE SOFTWARE.

#include "hw/hw.h"

#include "hw/ppc/ppc.h"

#include "mac.h"

#include "hw/input/adb.h"

#include "hw/timer/m48t59.h"

#include "sysemu/sysemu.h"

#include "net/net.h"

#include "hw/isa/isa.h"

#include "hw/pci/pci.h"

#include "hw/boards.h"

#include "hw/nvram/fw_cfg.h"

#include "hw/char/escc.h"

#include "hw/ide.h"

#include "hw/loader.h"

#include "elf.h"

#include "sysemu/kvm.h"

#include "kvm_ppc.h"

#include "sysemu/blockdev.h"

#include "exec/address-spaces.h"

#define MAX_IDE_BUS2 2

#define CFG_ADDR0xf0000510 0xf0000510

#define TBFREQ16600000UL 16600000UL

static int fw_cfg_boot_set(void *opaque, const char *boot_device)

{

fw_cfg_add_i16(opaque, FW_CFG_BOOT_DEVICE0x0c, boot_device[0]);

return 0;

}

static uint64_t translate_kernel_address(void *opaque, uint64_t addr)

{

return (addr & 0x0fffffff) + KERNEL_LOAD_ADDR0x01000000;

}

static hwaddr round_page(hwaddr addr)

{

return (addr + TARGET_PAGE_SIZE(1 << 10) - 1) & TARGET_PAGE_MASK~((1 << 10) - 1);

}

static void ppc_heathrow_reset(void *opaque)

{

PowerPCCPU *cpu = opaque;

cpu_reset(CPU(cpu)((CPUState *)object_dynamic_cast_assert(((Object *)((cpu))), (
"cpu"), "/home/stefan/src/qemu/qemu.org/qemu/hw/ppc/mac_oldworld.c"
, 71, __func__)));

}

static void ppc_heathrow_init(QEMUMachineInitArgs *args)

{

ram_addr_t ram_size = args->ram_size;

const char *cpu_model = args->cpu_model;

const char *kernel_filename = args->kernel_filename;

const char *kernel_cmdline = args->kernel_cmdline;

const char *initrd_filename = args->initrd_filename;

const char *boot_device = args->boot_order;

MemoryRegion *sysmem = get_system_memory();

PowerPCCPU *cpu = NULL((void*)0);

CPUPPCState *env = NULL((void*)0);

'env' initialized to a null pointer value

→

char *filename;

qemu_irq *pic, **heathrow_irqs;

int linux_boot, i;

MemoryRegion *ram = g_new(MemoryRegion, 1)((MemoryRegion *) g_malloc_n ((1), sizeof (MemoryRegion)));

MemoryRegion *bios = g_new(MemoryRegion, 1)((MemoryRegion *) g_malloc_n ((1), sizeof (MemoryRegion)));

MemoryRegion *isa = g_new(MemoryRegion, 1)((MemoryRegion *) g_malloc_n ((1), sizeof (MemoryRegion)));

uint32_t kernel_base, initrd_base, cmdline_base = 0;

int32_t kernel_size, initrd_size;

PCIBus *pci_bus;

PCIDevice *macio;

MACIOIDEState *macio_ide;

DeviceState *dev;

BusState *adb_bus;

int bios_size;

MemoryRegion *pic_mem;

100

MemoryRegion *escc_mem, *escc_bar = g_new(MemoryRegion, 1)((MemoryRegion *) g_malloc_n ((1), sizeof (MemoryRegion)));

101

uint16_t ppc_boot_device;

102

DriveInfo *hd[MAX_IDE_BUS2 * MAX_IDE_DEVS2];

103

void *fw_cfg;

104

105

linux_boot = (kernel_filename != NULL((void*)0));

←

Assuming 'kernel_filename' is equal to null

→

106

107

/* init CPUs */

108

if (cpu_model == NULL((void*)0))

←

Assuming 'cpu_model' is not equal to null

→

←

Taking false branch

→

109

cpu_model = "G3";

110

for (i = 0; i < smp_cpus; i++) {

←

Assuming 'i' is >= 'smp_cpus'

→

←

Loop condition is false. Execution continues on line 124

→

111

cpu = cpu_ppc_init(cpu_model);

112

if (cpu == NULL((void*)0)) {

113

fprintf(stderrstderr, "Unable to find PowerPC CPU definition\n");

114

exit(1);

115

}

116

env = &cpu->env;

117

118

/* Set time-base frequency to 16.6 Mhz */

119

cpu_ppc_tb_init(env, TBFREQ16600000UL);

120

qemu_register_reset(ppc_heathrow_reset, cpu);

121

}

122

123

/* allocate RAM */

124

if (ram_size > (2047 << 20)) {

←

Taking false branch

→

125

fprintf(stderrstderr,

126

"qemu: Too much memory for this machine: %d MB, maximum 2047 MB\n",

127

((unsigned int)ram_size / (1 << 20)));

128

exit(1);

129

}

130

131

memory_region_init_ram(ram, NULL((void*)0), "ppc_heathrow.ram", ram_size);

132

vmstate_register_ram_global(ram);

133

memory_region_add_subregion(sysmem, 0, ram);

134

135

/* allocate and load BIOS */

136

memory_region_init_ram(bios, NULL((void*)0), "ppc_heathrow.bios", BIOS_SIZE(1024 * 1024));

137

vmstate_register_ram_global(bios);

138

if (bios_name == NULL((void*)0))

←

Assuming 'bios_name' is not equal to null

→

←

Taking false branch

→

139

bios_name = PROM_FILENAME"openbios-ppc";

140

filename = qemu_find_file(QEMU_FILE_TYPE_BIOS0, bios_name);

141

memory_region_set_readonly(bios, true1);

142

memory_region_add_subregion(sysmem, PROM_ADDR0xfff00000, bios);

143

144

/* Load OpenBIOS (ELF) */

145

if (filename) {

←

Assuming 'filename' is non-null

→

←

Taking true branch

→

146

bios_size = load_elf(filename, 0, NULL((void*)0), NULL((void*)0), NULL((void*)0), NULL((void*)0),

147

1, ELF_MACHINE20, 0);

148

g_free(filename);

149

} else {

150

bios_size = -1;

151

}

152

if (bios_size < 0 || bios_size > BIOS_SIZE(1024 * 1024)) {

←

Assuming 'bios_size' is >= 0

→

←

Taking false branch

→

153

hw_error("qemu: could not load PowerPC bios '%s'\n", bios_name);

154

exit(1);

155

}

156

157

if (linux_boot) {

←

Taking false branch

→

158

uint64_t lowaddr = 0;

159

int bswap_needed;

160

161

#ifdef BSWAP_NEEDED

162

bswap_needed = 1;

163

#else

164

bswap_needed = 0;

165

#endif

166

kernel_base = KERNEL_LOAD_ADDR0x01000000;

167

kernel_size = load_elf(kernel_filename, translate_kernel_address, NULL((void*)0),

168

NULL((void*)0), &lowaddr, NULL((void*)0), 1, ELF_MACHINE20, 0);

169

if (kernel_size < 0)

170

kernel_size = load_aout(kernel_filename, kernel_base,

171

ram_size - kernel_base, bswap_needed,

172

TARGET_PAGE_SIZE(1 << 10));

173

if (kernel_size < 0)

174

kernel_size = load_image_targphys(kernel_filename,

175

kernel_base,

176

ram_size - kernel_base);

177

if (kernel_size < 0) {

178

hw_error("qemu: could not load kernel '%s'\n",

179

kernel_filename);

180

exit(1);

181

}

182

/* load initrd */

183

if (initrd_filename) {

184

initrd_base = round_page(kernel_base + kernel_size + KERNEL_GAP0x00100000);

185

initrd_size = load_image_targphys(initrd_filename, initrd_base,

186

ram_size - initrd_base);

187

if (initrd_size < 0) {

188

hw_error("qemu: could not load initial ram disk '%s'\n",

189

initrd_filename);

190

exit(1);

191

}

192

cmdline_base = round_page(initrd_base + initrd_size);

193

} else {

194

initrd_base = 0;

195

initrd_size = 0;

196

cmdline_base = round_page(kernel_base + kernel_size + KERNEL_GAP0x00100000);

197

}

198

ppc_boot_device = 'm';

199

} else {

200

kernel_base = 0;

201

kernel_size = 0;

202

initrd_base = 0;

203

initrd_size = 0;

204

ppc_boot_device = '\0';

205

for (i = 0; boot_device[i] != '\0'; i++) {

←

Loop condition is true. Entering loop body

→

206

/* TOFIX: for now, the second IDE channel is not properly

207

* used by OHW. The Mac floppy disk are not emulated.

208

* For now, OHW cannot boot from the network.

209

210

#if 0

211

if (boot_device[i] >= 'a' && boot_device[i] <= 'f') {

212

ppc_boot_device = boot_device[i];

213

break;

214

}

215

#else

216

if (boot_device[i] >= 'c' && boot_device[i] <= 'd') {

←

Taking true branch

→

217

ppc_boot_device = boot_device[i];

218

break;

←

Execution continues on line 222

→

219

}

220

#endif

221

}

222

if (ppc_boot_device == '\0') {

←

Taking false branch

→

223

fprintf(stderrstderr, "No valid boot device for G3 Beige machine\n");

224

exit(1);

225

}

226

}

227

228

/* Register 2 MB of ISA IO space */

229

memory_region_init_alias(isa, NULL((void*)0), "isa_mmio",

230

get_system_io(), 0, 0x00200000);

231

memory_region_add_subregion(sysmem, 0xfe000000, isa);

232

233

/* XXX: we register only 1 output pin for heathrow PIC */

234

heathrow_irqs = g_malloc0(smp_cpus * sizeof(qemu_irq *));

235

heathrow_irqs[0] =

236

g_malloc0(smp_cpus * sizeof(qemu_irq) * 1);

237

/* Connect the heathrow PIC outputs to the 6xx bus */

238

for (i = 0; i < smp_cpus; i++) {

←

Assuming 'i' is >= 'smp_cpus'

→

←

Loop condition is false. Execution continues on line 251

→

239

switch (PPC_INPUT(env)(env->bus_model)) {

240

case PPC_FLAGS_INPUT_6xx:

241

heathrow_irqs[i] = heathrow_irqs[0] + (i * 1);

242

heathrow_irqs[i][0] =

243

((qemu_irq *)env->irq_inputs)[PPC6xx_INPUT_INT];

244

break;

245

default:

246

hw_error("Bus model not supported on OldWorld Mac machine\n");

247

}

248

}

249

250

/* init basic PC hardware */

251

if (PPC_INPUT(env)(env->bus_model) != PPC_FLAGS_INPUT_6xx) {

←

Within the expansion of the macro 'PPC_INPUT':

a	Access to field 'bus_model' results in a dereference of a null pointer (loaded from variable 'env')

252

hw_error("Only 6xx bus is supported on heathrow machine\n");

253

}

254

pic = heathrow_pic_init(&pic_mem, 1, heathrow_irqs);

255

pci_bus = pci_grackle_init(0xfec00000, pic,

256

get_system_memory(),

257

get_system_io());

258

pci_vga_init(pci_bus);

259

260

escc_mem = escc_init(0, pic[0x0f], pic[0x10], serial_hds[0],

261

serial_hds[1], ESCC_CLOCK3686400, 4);

262

memory_region_init_alias(escc_bar, NULL((void*)0), "escc-bar",

263

escc_mem, 0, memory_region_size(escc_mem));

264

265

for(i = 0; i < nb_nics; i++)

266

pci_nic_init_nofail(&nd_table[i], pci_bus, "ne2k_pci", NULL((void*)0));

267

268

269

ide_drive_get(hd, MAX_IDE_BUS2);

270

271

macio = pci_create(pci_bus, -1, TYPE_OLDWORLD_MACIO"macio-oldworld");

272

dev = DEVICE(macio)((DeviceState *)object_dynamic_cast_assert(((Object *)((macio
))), ("device"), "/home/stefan/src/qemu/qemu.org/qemu/hw/ppc/mac_oldworld.c"
, 272, __func__));

273

qdev_connect_gpio_out(dev, 0, pic[0x12]); /* CUDA */

274

qdev_connect_gpio_out(dev, 1, pic[0x0D]); /* IDE-0 */

275

qdev_connect_gpio_out(dev, 2, pic[0x02]); /* IDE-0 DMA */

276

qdev_connect_gpio_out(dev, 3, pic[0x0E]); /* IDE-1 */

277

qdev_connect_gpio_out(dev, 4, pic[0x03]); /* IDE-1 DMA */

278

macio_init(macio, pic_mem, escc_bar);

279

280

macio_ide = MACIO_IDE(object_resolve_path_component(OBJECT(macio),((MACIOIDEState *)object_dynamic_cast_assert(((Object *)((object_resolve_path_component
(((Object *)(macio)), "ide[0]")))), ("macio-ide"), "/home/stefan/src/qemu/qemu.org/qemu/hw/ppc/mac_oldworld.c"
, 281, __func__))

281

"ide[0]"))((MACIOIDEState *)object_dynamic_cast_assert(((Object *)((object_resolve_path_component
(((Object *)(macio)), "ide[0]")))), ("macio-ide"), "/home/stefan/src/qemu/qemu.org/qemu/hw/ppc/mac_oldworld.c"
, 281, __func__));

282

macio_ide_init_drives(macio_ide, hd);

283

284

macio_ide = MACIO_IDE(object_resolve_path_component(OBJECT(macio),((MACIOIDEState *)object_dynamic_cast_assert(((Object *)((object_resolve_path_component
(((Object *)(macio)), "ide[1]")))), ("macio-ide"), "/home/stefan/src/qemu/qemu.org/qemu/hw/ppc/mac_oldworld.c"
, 285, __func__))

285

"ide[1]"))((MACIOIDEState *)object_dynamic_cast_assert(((Object *)((object_resolve_path_component
(((Object *)(macio)), "ide[1]")))), ("macio-ide"), "/home/stefan/src/qemu/qemu.org/qemu/hw/ppc/mac_oldworld.c"
, 285, __func__));

286

macio_ide_init_drives(macio_ide, &hd[MAX_IDE_DEVS2]);

287

288

dev = DEVICE(object_resolve_path_component(OBJECT(macio), "cuda"))((DeviceState *)object_dynamic_cast_assert(((Object *)((object_resolve_path_component
(((Object *)(macio)), "cuda")))), ("device"), "/home/stefan/src/qemu/qemu.org/qemu/hw/ppc/mac_oldworld.c"
, 288, __func__));

289

adb_bus = qdev_get_child_bus(dev, "adb.0");

290

dev = qdev_create(adb_bus, TYPE_ADB_KEYBOARD"adb-keyboard");

291

qdev_init_nofail(dev);

292

dev = qdev_create(adb_bus, TYPE_ADB_MOUSE"adb-mouse");

293

qdev_init_nofail(dev);

294

295

if (usb_enabled(false0)) {

296

pci_create_simple(pci_bus, -1, "pci-ohci");

297

}

298

299

if (graphic_depth != 15 && graphic_depth != 32 && graphic_depth != 8)

300

graphic_depth = 15;

301

302

/* No PCI init: the BIOS will do it */

303

304

fw_cfg = fw_cfg_init(0, 0, CFG_ADDR0xf0000510, CFG_ADDR0xf0000510 + 2);

305

fw_cfg_add_i16(fw_cfg, FW_CFG_MAX_CPUS0x0f, (uint16_t)max_cpus);

306

fw_cfg_add_i32(fw_cfg, FW_CFG_ID0x01, 1);

307

fw_cfg_add_i64(fw_cfg, FW_CFG_RAM_SIZE0x03, (uint64_t)ram_size);

308

fw_cfg_add_i16(fw_cfg, FW_CFG_MACHINE_ID0x06, ARCH_HEATHROW);

309

fw_cfg_add_i32(fw_cfg, FW_CFG_KERNEL_ADDR0x07, kernel_base);

310

fw_cfg_add_i32(fw_cfg, FW_CFG_KERNEL_SIZE0x08, kernel_size);

311

if (kernel_cmdline) {

312

fw_cfg_add_i32(fw_cfg, FW_CFG_KERNEL_CMDLINE0x09, cmdline_base);

313

pstrcpy_targphys("cmdline", cmdline_base, TARGET_PAGE_SIZE(1 << 10), kernel_cmdline);

314

} else {

315

fw_cfg_add_i32(fw_cfg, FW_CFG_KERNEL_CMDLINE0x09, 0);

316

}

317

fw_cfg_add_i32(fw_cfg, FW_CFG_INITRD_ADDR0x0a, initrd_base);

318

fw_cfg_add_i32(fw_cfg, FW_CFG_INITRD_SIZE0x0b, initrd_size);

319

fw_cfg_add_i16(fw_cfg, FW_CFG_BOOT_DEVICE0x0c, ppc_boot_device);

320

321

fw_cfg_add_i16(fw_cfg, FW_CFG_PPC_WIDTH(0x8000 + 0x00), graphic_width);

322

fw_cfg_add_i16(fw_cfg, FW_CFG_PPC_HEIGHT(0x8000 + 0x01), graphic_height);

323

fw_cfg_add_i16(fw_cfg, FW_CFG_PPC_DEPTH(0x8000 + 0x02), graphic_depth);

324

325

fw_cfg_add_i32(fw_cfg, FW_CFG_PPC_IS_KVM(0x8000 + 0x05), kvm_enabled()(0));

326

if (kvm_enabled()(0)) {

327

#ifdef CONFIG_KVM

328

uint8_t *hypercall;

329

330

fw_cfg_add_i32(fw_cfg, FW_CFG_PPC_TBFREQ(0x8000 + 0x03), kvmppc_get_tbfreq());

331

hypercall = g_malloc(16);

332

kvmppc_get_hypercall(env, hypercall, 16);

333

fw_cfg_add_bytes(fw_cfg, FW_CFG_PPC_KVM_HC(0x8000 + 0x06), hypercall, 16);

334

fw_cfg_add_i32(fw_cfg, FW_CFG_PPC_KVM_PID(0x8000 + 0x07), getpid());

335

#endif

336

} else {

337

fw_cfg_add_i32(fw_cfg, FW_CFG_PPC_TBFREQ(0x8000 + 0x03), TBFREQ16600000UL);

338

}

339

/* Mac OS X requires a "known good" clock-frequency value; pass it one. */

340

fw_cfg_add_i32(fw_cfg, FW_CFG_PPC_CLOCKFREQ(0x8000 + 0x04), 266000000);

341

342

qemu_register_boot_set(fw_cfg_boot_set, fw_cfg);

343

}

344

345

static QEMUMachine heathrow_machine = {

346

.name = "g3beige",

347

.desc = "Heathrow based PowerMAC",

348

.init = ppc_heathrow_init,

349

.max_cpus = MAX_CPUS1,

350

#ifndef TARGET_PPC64

351

.is_default = 1,

352

#endif

353

.default_boot_order = "cd", /* TOFIX "cad" when Mac floppy is implemented */

354

};

355

356

static void heathrow_machine_init(void)

357

{

358

qemu_register_machine(&heathrow_machine);

359

}

360

361

machine_init(heathrow_machine_init)static void __attribute__((constructor)) do_qemu_init_heathrow_machine_init
(void) { register_module_init(heathrow_machine_init, MODULE_INIT_MACHINE
); };