/home/stefan/src/qemu/qemu.org/qemu/hw/arm/realview.c

Bug Summary

File:	hw/arm/realview.c
Location:	line 156, column 13
Description:	Function call argument is an uninitialized value

Annotated Source Code

* ARM RealView Baseboard System emulation.

* Written by Paul Brook

* This code is licensed under the GPL.

#include "hw/sysbus.h"

#include "hw/arm/arm.h"

#include "hw/arm/primecell.h"

#include "hw/devices.h"

#include "hw/pci/pci.h"

#include "net/net.h"

#include "sysemu/sysemu.h"

#include "hw/boards.h"

#include "hw/i2c/i2c.h"

#include "sysemu/blockdev.h"

#include "exec/address-spaces.h"

#define SMP_BOOT_ADDR0xe0000000 0xe0000000

#define SMP_BOOTREG_ADDR0x10000030 0x10000030

/* Board init. */

static struct arm_boot_info realview_binfo = {

.smp_loader_start = SMP_BOOT_ADDR0xe0000000,

.smp_bootreg_addr = SMP_BOOTREG_ADDR0x10000030,

};

/* The following two lists must be consistent. */

enum realview_board_type {

BOARD_EB,

BOARD_EB_MPCORE,

BOARD_PB_A8,

BOARD_PBX_A9,

};

static const int realview_board_id[] = {

0x33b,

0x769,

0x76d

};

static void realview_init(QEMUMachineInitArgs *args,

enum realview_board_type board_type)

{

ARMCPU *cpu = NULL((void*)0);

CPUARMState *env;

MemoryRegion *sysmem = get_system_memory();

MemoryRegion *ram_lo = g_new(MemoryRegion, 1)((MemoryRegion *) g_malloc_n ((1), sizeof (MemoryRegion)));

MemoryRegion *ram_hi = g_new(MemoryRegion, 1)((MemoryRegion *) g_malloc_n ((1), sizeof (MemoryRegion)));

MemoryRegion *ram_alias = g_new(MemoryRegion, 1)((MemoryRegion *) g_malloc_n ((1), sizeof (MemoryRegion)));

MemoryRegion *ram_hack = g_new(MemoryRegion, 1)((MemoryRegion *) g_malloc_n ((1), sizeof (MemoryRegion)));

DeviceState *dev, *sysctl, *gpio2, *pl041;

SysBusDevice *busdev;

qemu_irq pic[64];

qemu_irq mmc_irq[2];

PCIBus *pci_bus = NULL((void*)0);

NICInfo *nd;

i2c_bus *i2c;

int n;

int done_nic = 0;

qemu_irq cpu_irq[4];

int is_mpcore = 0;

int is_pb = 0;

uint32_t proc_id = 0;

uint32_t sys_id;

ram_addr_t low_ram_size;

ram_addr_t ram_size = args->ram_size;

switch (board_type) {

Control jumps to 'case BOARD_EB_MPCORE:' at line 77

→

case BOARD_EB:

break;

case BOARD_EB_MPCORE:

is_mpcore = 1;

break;

←

Execution continues on line 88

→

case BOARD_PB_A8:

is_pb = 1;

break;

case BOARD_PBX_A9:

is_mpcore = 1;

is_pb = 1;

break;

}

for (n = 0; n < smp_cpus; n++) {

←

Assuming 'n' is < 'smp_cpus'

→

←

Loop condition is true. Entering loop body

→

←

Assuming 'n' is >= 'smp_cpus'

→

←

Loop condition is false. Execution continues on line 96

→

cpu = cpu_arm_init(args->cpu_model);

if (!cpu) {

←

Assuming 'cpu' is non-null

→

←

Taking false branch

→

fprintf(stderrstderr, "Unable to find CPU definition\n");

exit(1);

}

cpu_irq[n] = qdev_get_gpio_in(DEVICE(cpu)((DeviceState *)object_dynamic_cast_assert(((Object *)((cpu))
), ("device"), "/home/stefan/src/qemu/qemu.org/qemu/hw/arm/realview.c"
, 94, __func__)), ARM_CPU_IRQ0);

}

env = &cpu->env;

if (arm_feature(env, ARM_FEATURE_V7)) {

Taking true branch

if (is_mpcore) {

Taking true branch

proc_id = 0x0c000000;

100

} else {

101

proc_id = 0x0e000000;

102

}

103

} else if (arm_feature(env, ARM_FEATURE_V6K)) {

104

proc_id = 0x06000000;

105

} else if (arm_feature(env, ARM_FEATURE_V6)) {

106

proc_id = 0x04000000;

107

} else {

108

proc_id = 0x02000000;

109

}

110

111

if (is_pb && ram_size > 0x20000000) {

112

/* Core tile RAM. */

113

low_ram_size = ram_size - 0x20000000;

114

ram_size = 0x20000000;

115

memory_region_init_ram(ram_lo, NULL((void*)0), "realview.lowmem", low_ram_size);

116

vmstate_register_ram_global(ram_lo);

117

memory_region_add_subregion(sysmem, 0x20000000, ram_lo);

118

}

119

120

memory_region_init_ram(ram_hi, NULL((void*)0), "realview.highmem", ram_size);

121

vmstate_register_ram_global(ram_hi);

122

low_ram_size = ram_size;

123

if (low_ram_size > 0x10000000)

←

Assuming 'low_ram_size' is <= 268435456

→

←

Taking false branch

→

124

low_ram_size = 0x10000000;

125

/* SDRAM at address zero. */

126

memory_region_init_alias(ram_alias, NULL((void*)0), "realview.alias",

127

ram_hi, 0, low_ram_size);

128

memory_region_add_subregion(sysmem, 0, ram_alias);

129

if (is_pb) {

←

Taking false branch

→

130

/* And again at a high address. */

131

memory_region_add_subregion(sysmem, 0x70000000, ram_hi);

132

} else {

133

ram_size = low_ram_size;

134

}

135

136

sys_id = is_pb ? 0x01780500 : 0xc1400400;

←

'?' condition is false

→

137

sysctl = qdev_create(NULL((void*)0), "realview_sysctl");

138

qdev_prop_set_uint32(sysctl, "sys_id", sys_id);

139

qdev_prop_set_uint32(sysctl, "proc_id", proc_id);

140

qdev_init_nofail(sysctl);

141

sysbus_mmio_map(SYS_BUS_DEVICE(sysctl)((SysBusDevice *)object_dynamic_cast_assert(((Object *)((sysctl
))), ("sys-bus-device"), "/home/stefan/src/qemu/qemu.org/qemu/hw/arm/realview.c"
, 141, __func__)), 0, 0x10000000);

142

143

if (is_mpcore) {

←

Taking true branch

→

144

hwaddr periphbase;

145

dev = qdev_create(NULL((void*)0), is_pb ? "a9mpcore_priv": "realview_mpcore");

←

'?' condition is false

→

146

qdev_prop_set_uint32(dev, "num-cpu", smp_cpus);

147

qdev_init_nofail(dev);

148

busdev = SYS_BUS_DEVICE(dev)((SysBusDevice *)object_dynamic_cast_assert(((Object *)((dev)
)), ("sys-bus-device"), "/home/stefan/src/qemu/qemu.org/qemu/hw/arm/realview.c"
, 148, __func__));

149

if (is_pb) {

←

Taking false branch

→

150

periphbase = 0x1f000000;

151

} else {

152

periphbase = 0x10100000;

153

}

154

sysbus_mmio_map(busdev, 0, periphbase);

155

for (n = 0; n < smp_cpus; n++) {

←

Assuming 'n' is < 'smp_cpus'

→

←

Loop condition is true. Entering loop body

→

←

Assuming 'n' is < 'smp_cpus'

→

←

Loop condition is true. Entering loop body

→

156

sysbus_connect_irq(busdev, n, cpu_irq[n]);

←

Function call argument is an uninitialized value

157

}

158

sysbus_create_varargs("l2x0", periphbase + 0x2000, NULL((void*)0));

159

/* Both A9 and 11MPCore put the GIC CPU i/f at base + 0x100 */

160

realview_binfo.gic_cpu_if_addr = periphbase + 0x100;

161

} else {

162

uint32_t gic_addr = is_pb ? 0x1e000000 : 0x10040000;

163

/* For now just create the nIRQ GIC, and ignore the others. */

164

dev = sysbus_create_simple("realview_gic", gic_addr, cpu_irq[0]);

165

}

166

for (n = 0; n < 64; n++) {

167

pic[n] = qdev_get_gpio_in(dev, n);

168

}

169

170

pl041 = qdev_create(NULL((void*)0), "pl041");

171

qdev_prop_set_uint32(pl041, "nc_fifo_depth", 512);

172

qdev_init_nofail(pl041);

173

sysbus_mmio_map(SYS_BUS_DEVICE(pl041)((SysBusDevice *)object_dynamic_cast_assert(((Object *)((pl041
))), ("sys-bus-device"), "/home/stefan/src/qemu/qemu.org/qemu/hw/arm/realview.c"
, 173, __func__)), 0, 0x10004000);

174

sysbus_connect_irq(SYS_BUS_DEVICE(pl041)((SysBusDevice *)object_dynamic_cast_assert(((Object *)((pl041
))), ("sys-bus-device"), "/home/stefan/src/qemu/qemu.org/qemu/hw/arm/realview.c"
, 174, __func__)), 0, pic[19]);

175

176

sysbus_create_simple("pl050_keyboard", 0x10006000, pic[20]);

177

sysbus_create_simple("pl050_mouse", 0x10007000, pic[21]);

178

179

sysbus_create_simple("pl011", 0x10009000, pic[12]);

180

sysbus_create_simple("pl011", 0x1000a000, pic[13]);

181

sysbus_create_simple("pl011", 0x1000b000, pic[14]);

182

sysbus_create_simple("pl011", 0x1000c000, pic[15]);

183

184

/* DMA controller is optional, apparently. */

185

sysbus_create_simple("pl081", 0x10030000, pic[24]);

186

187

sysbus_create_simple("sp804", 0x10011000, pic[4]);

188

sysbus_create_simple("sp804", 0x10012000, pic[5]);

189

190

sysbus_create_simple("pl061", 0x10013000, pic[6]);

191

sysbus_create_simple("pl061", 0x10014000, pic[7]);

192

gpio2 = sysbus_create_simple("pl061", 0x10015000, pic[8]);

193

194

sysbus_create_simple("pl111", 0x10020000, pic[23]);

195

196

dev = sysbus_create_varargs("pl181", 0x10005000, pic[17], pic[18], NULL((void*)0));

197

/* Wire up MMC card detect and read-only signals. These have

198

* to go to both the PL061 GPIO and the sysctl register.

199

* Note that the PL181 orders these lines (readonly,inserted)

200

* and the PL061 has them the other way about. Also the card

201

* detect line is inverted.

202

203

mmc_irq[0] = qemu_irq_split(

204

qdev_get_gpio_in(sysctl, ARM_SYSCTL_GPIO_MMC_WPROT0),

205

qdev_get_gpio_in(gpio2, 1));

206

mmc_irq[1] = qemu_irq_split(

207

qdev_get_gpio_in(sysctl, ARM_SYSCTL_GPIO_MMC_CARDIN1),

208

qemu_irq_invert(qdev_get_gpio_in(gpio2, 0)));

209

qdev_connect_gpio_out(dev, 0, mmc_irq[0]);

210

qdev_connect_gpio_out(dev, 1, mmc_irq[1]);

211

212

sysbus_create_simple("pl031", 0x10017000, pic[10]);

213

214

if (!is_pb) {

215

dev = qdev_create(NULL((void*)0), "realview_pci");

216

busdev = SYS_BUS_DEVICE(dev)((SysBusDevice *)object_dynamic_cast_assert(((Object *)((dev)
)), ("sys-bus-device"), "/home/stefan/src/qemu/qemu.org/qemu/hw/arm/realview.c"
, 216, __func__));

217

qdev_init_nofail(dev);

218

sysbus_mmio_map(busdev, 0, 0x10019000); /* PCI controller registers */

219

sysbus_mmio_map(busdev, 1, 0x60000000); /* PCI self-config */

220

sysbus_mmio_map(busdev, 2, 0x61000000); /* PCI config */

221

sysbus_mmio_map(busdev, 3, 0x62000000); /* PCI I/O */

222

sysbus_mmio_map(busdev, 4, 0x63000000); /* PCI memory window 1 */

223

sysbus_mmio_map(busdev, 5, 0x64000000); /* PCI memory window 2 */

224

sysbus_mmio_map(busdev, 6, 0x68000000); /* PCI memory window 3 */

225

sysbus_connect_irq(busdev, 0, pic[48]);

226

sysbus_connect_irq(busdev, 1, pic[49]);

227

sysbus_connect_irq(busdev, 2, pic[50]);

228

sysbus_connect_irq(busdev, 3, pic[51]);

229

pci_bus = (PCIBus *)qdev_get_child_bus(dev, "pci");

230

if (usb_enabled(false0)) {

231

pci_create_simple(pci_bus, -1, "pci-ohci");

232

}

233

n = drive_get_max_bus(IF_SCSI);

234

while (n >= 0) {

235

pci_create_simple(pci_bus, -1, "lsi53c895a");

236

n--;

237

}

238

}

239

for(n = 0; n < nb_nics; n++) {

240

nd = &nd_table[n];

241

242

if (!done_nic && (!nd->model ||

243

strcmp(nd->model, is_pb ? "lan9118" : "smc91c111") == 0)) {

244

if (is_pb) {

245

lan9118_init(nd, 0x4e000000, pic[28]);

246

} else {

247

smc91c111_init(nd, 0x4e000000, pic[28]);

248

}

249

done_nic = 1;

250

} else {

251

if (pci_bus) {

252

pci_nic_init_nofail(nd, pci_bus, "rtl8139", NULL((void*)0));

253

}

254

}

255

}

256

257

dev = sysbus_create_simple("versatile_i2c", 0x10002000, NULL((void*)0));

258

i2c = (i2c_bus *)qdev_get_child_bus(dev, "i2c");

259

i2c_create_slave(i2c, "ds1338", 0x68);

260

261

/* Memory map for RealView Emulation Baseboard: */

262

/* 0x10000000 System registers. */

263

/* 0x10001000 System controller. */

264

/* 0x10002000 Two-Wire Serial Bus. */

265

/* 0x10003000 Reserved. */

266

/* 0x10004000 AACI. */

267

/* 0x10005000 MCI. */

268

/* 0x10006000 KMI0. */

269

/* 0x10007000 KMI1. */

270

/* 0x10008000 Character LCD. (EB) */

271

/* 0x10009000 UART0. */

272

/* 0x1000a000 UART1. */

273

/* 0x1000b000 UART2. */

274

/* 0x1000c000 UART3. */

275

/* 0x1000d000 SSPI. */

276

/* 0x1000e000 SCI. */

277

/* 0x1000f000 Reserved. */

278

/* 0x10010000 Watchdog. */

279

/* 0x10011000 Timer 0+1. */

280

/* 0x10012000 Timer 2+3. */

281

/* 0x10013000 GPIO 0. */

282

/* 0x10014000 GPIO 1. */

283

/* 0x10015000 GPIO 2. */

284

/* 0x10002000 Two-Wire Serial Bus - DVI. (PB) */

285

/* 0x10017000 RTC. */

286

/* 0x10018000 DMC. */

287

/* 0x10019000 PCI controller config. */

288

/* 0x10020000 CLCD. */

289

/* 0x10030000 DMA Controller. */

290

/* 0x10040000 GIC1. (EB) */

291

/* 0x10050000 GIC2. (EB) */

292

/* 0x10060000 GIC3. (EB) */

293

/* 0x10070000 GIC4. (EB) */

294

/* 0x10080000 SMC. */

295

/* 0x1e000000 GIC1. (PB) */

296

/* 0x1e001000 GIC2. (PB) */

297

/* 0x1e002000 GIC3. (PB) */

298

/* 0x1e003000 GIC4. (PB) */

299

/* 0x40000000 NOR flash. */

300

/* 0x44000000 DoC flash. */

301

/* 0x48000000 SRAM. */

302

/* 0x4c000000 Configuration flash. */

303

/* 0x4e000000 Ethernet. */

304

/* 0x4f000000 USB. */

305

/* 0x50000000 PISMO. */

306

/* 0x54000000 PISMO. */

307

/* 0x58000000 PISMO. */

308

/* 0x5c000000 PISMO. */

309

/* 0x60000000 PCI. */

310

/* 0x60000000 PCI Self Config. */

311

/* 0x61000000 PCI Config. */

312

/* 0x62000000 PCI IO. */

313

/* 0x63000000 PCI mem 0. */

314

/* 0x64000000 PCI mem 1. */

315

/* 0x68000000 PCI mem 2. */

316

317

/* ??? Hack to map an additional page of ram for the secondary CPU

318

startup code. I guess this works on real hardware because the

319

BootROM happens to be in ROM/flash or in memory that isn't clobbered

320

until after Linux boots the secondary CPUs. */

321

memory_region_init_ram(ram_hack, NULL((void*)0), "realview.hack", 0x1000);

322

vmstate_register_ram_global(ram_hack);

323

memory_region_add_subregion(sysmem, SMP_BOOT_ADDR0xe0000000, ram_hack);

324

325

realview_binfo.ram_size = ram_size;

326

realview_binfo.kernel_filename = args->kernel_filename;

327

realview_binfo.kernel_cmdline = args->kernel_cmdline;

328

realview_binfo.initrd_filename = args->initrd_filename;

329

realview_binfo.nb_cpus = smp_cpus;

330

realview_binfo.board_id = realview_board_id[board_type];

331

realview_binfo.loader_start = (board_type == BOARD_PB_A8 ? 0x70000000 : 0);

332

arm_load_kernel(ARM_CPU(first_cpu)((ARMCPU *)object_dynamic_cast_assert(((Object *)((((&cpus
)->tqh_first)))), ("arm-cpu"), "/home/stefan/src/qemu/qemu.org/qemu/hw/arm/realview.c"
, 332, __func__)), &realview_binfo);

333

}

334

335

static void realview_eb_init(QEMUMachineInitArgs *args)

336

{

337

if (!args->cpu_model) {

338

args->cpu_model = "arm926";

339

}

340

realview_init(args, BOARD_EB);

341

}

342

343

static void realview_eb_mpcore_init(QEMUMachineInitArgs *args)

344

{

345

if (!args->cpu_model) {

346

args->cpu_model = "arm11mpcore";

347

}

348

realview_init(args, BOARD_EB_MPCORE);

349

}

350

351

static void realview_pb_a8_init(QEMUMachineInitArgs *args)

352

{

353

if (!args->cpu_model) {

354

args->cpu_model = "cortex-a8";

355

}

356

realview_init(args, BOARD_PB_A8);

357

}

358

359

static void realview_pbx_a9_init(QEMUMachineInitArgs *args)

360

{

361

if (!args->cpu_model) {

362

args->cpu_model = "cortex-a9";

363

}

364

realview_init(args, BOARD_PBX_A9);

365

}

366

367

static QEMUMachine realview_eb_machine = {

368

.name = "realview-eb",

369

.desc = "ARM RealView Emulation Baseboard (ARM926EJ-S)",

370

.init = realview_eb_init,

371

.block_default_type = IF_SCSI,

372

};

373

374

static QEMUMachine realview_eb_mpcore_machine = {

375

.name = "realview-eb-mpcore",

376

.desc = "ARM RealView Emulation Baseboard (ARM11MPCore)",

377

.init = realview_eb_mpcore_init,

378

.block_default_type = IF_SCSI,

379

.max_cpus = 4,

380

};

381

382

static QEMUMachine realview_pb_a8_machine = {

383

.name = "realview-pb-a8",

384

.desc = "ARM RealView Platform Baseboard for Cortex-A8",

385

.init = realview_pb_a8_init,

386

};

387

388

static QEMUMachine realview_pbx_a9_machine = {

389

.name = "realview-pbx-a9",

390

.desc = "ARM RealView Platform Baseboard Explore for Cortex-A9",

391

.init = realview_pbx_a9_init,

392

.block_default_type = IF_SCSI,

393

.max_cpus = 4,

394

};

395

396

static void realview_machine_init(void)

397

{

398

qemu_register_machine(&realview_eb_machine);

399

qemu_register_machine(&realview_eb_mpcore_machine);

400

qemu_register_machine(&realview_pb_a8_machine);

401

qemu_register_machine(&realview_pbx_a9_machine);

402

}

403

404

machine_init(realview_machine_init)static void __attribute__((constructor)) do_qemu_init_realview_machine_init
(void) { register_module_init(realview_machine_init, MODULE_INIT_MACHINE
); };