Bug 771021

Summary: Coverity scan revealed defects
Product: Red Hat Enterprise Linux 6
Reporter: Alex Jia <ajia>
Component: libvirt
Assignee: Gunannan Ren <gren>
Status: CLOSED ERRATA
QA Contact: Virtualization Bugs <virt-bugs>
Severity: high
Priority: high
Version: 6.3
CC: acathrow, dallan, dyuan, eblake, jdenemar, jyang, mluscon, mzhan, rwu, veillard
Target Milestone: rc
Hardware: x86_64
OS: Linux
Fixed In Version: libvirt-0.9.10-17.el6
Doc Type: Bug Fix
Last Closed: 2012-06-20 06:40:56 UTC
Attachments:
CoverityScan-libvirt-0.9.9-0rc1.el6
CoverityScan-libvirt-0.9.9-1.el6
CoverityScan-libvirt-0.9.9-2.el6
CoverityScan-libvirt-0.9.10-0rc1.el6
CoverityScan-libvirt-0.9.10-1.el6
CoverityScan-libvirt-0.9.10-5.el6
CoverityScan-libvirt-0.9.10-11.el6
CoverityScan-libvirt-0.9.10-13.el6
CoverityScan-libvirt-0.9.10-18.el6
CoverityScan-libvirt-0.9.10-19.el6
CoverityScan-libvirt-0.9.10-20.el6

Description Alex Jia 2011-12-31 08:27:03 UTC
Description of problem:
Coverity detected some issues on libvirt-0.9.9-0rc1.el6:

Analysis summary report:
------------------------
Files analyzed                 : 237
Total LoC input to cov-analyze : 296390
Functions analyzed             : 7262
Paths analyzed                 : 794212
New defects found              : 21 Total
                                  4 CHECKED_RETURN
                                  5 DEADCODE
                                  1 FORWARD_NULL
                                  1 MISSING_RETURN
                                  1 NEGATIVE_RETURNS
                                  1 NULL_RETURNS
                                  3 RESOURCE_LEAK
                                  1 RETURN_LOCAL
                                  1 SIZEOF_MISMATCH
                                  1 UNINIT
                                  2 UNUSED_VALUE


Version-Release number of selected component (if applicable):
# rpm -q libvirt
libvirt-0.9.9-0rc1.el6.x86_64

How reproducible:
always

Steps to Reproduce:
1. coverity scan
Actual results:
Please see attachment.

Expected results:
Fix memory leaks.

Additional info:

Comment 1 Alex Jia 2011-12-31 08:28:11 UTC
Created attachment 550104
CoverityScan-libvirt-0.9.9-0rc1.el6

Comment 3 Alex Jia 2012-01-09 15:23:52 UTC
Coverity detected some issues on libvirt-0.9.9-1.el6:

Analysis summary report:
------------------------
Files analyzed                 : 237
Total LoC input to cov-analyze : 296656
Functions analyzed             : 7265
Paths analyzed                 : 797255
New defects found              : 20 Total
                                  5 CHECKED_RETURN
                                  5 DEADCODE
                                  1 FORWARD_NULL
                                  1 MISSING_RETURN
                                  1 NEGATIVE_RETURNS
                                  1 NULL_RETURNS
                                  2 RESOURCE_LEAK
                                  1 RETURN_LOCAL
                                  1 UNINIT
                                  2 UNUSED_VALUE

Comment 4 Alex Jia 2012-01-09 15:25:52 UTC
Created attachment 551582
CoverityScan-libvirt-0.9.9-1.el6

Comment 5 Alex Jia 2012-01-20 15:49:38 UTC
Coverity detected some issues on libvirt-0.9.9-2.el6:

Analysis summary report:
------------------------
Files analyzed                 : 237
Total LoC input to cov-analyze : 296687
Functions analyzed             : 7265
Paths analyzed                 : 800811
Defect occurrences found       : 38 Total
                                  5 CHECKED_RETURN
                                 15 DEADCODE
                                  1 FORWARD_NULL
                                  1 MISSING_RETURN
                                  1 NEGATIVE_RETURNS
                                  1 NULL_RETURNS
                                  1 OVERRUN_STATIC
                                  9 RESOURCE_LEAK
                                  1 RETURN_LOCAL
                                  1 UNINIT
                                  2 UNUSED_VALUE

Comment 6 Alex Jia 2012-01-20 15:51:18 UTC
Created attachment 556536
CoverityScan-libvirt-0.9.9-2.el6

Comment 7 Gunannan Ren 2012-02-04 02:11:53 UTC
The log is pretty clear; I need to check what each defect is really meant to be.

Comment 8 Alex Jia 2012-02-06 10:39:55 UTC
Created attachment 559606
CoverityScan-libvirt-0.9.10-0rc1.el6

Analysis summary report:
------------------------
Files analyzed                 : 247
Total LoC input to cov-analyze : 303350
Functions analyzed             : 7440
Paths analyzed                 : 827248
Defect occurrences found       : 54 Total
                                  6 CHECKED_RETURN
                                 22 DEADCODE
                                  1 FORWARD_NULL
                                  1 MISSING_RETURN
                                  2 NEGATIVE_RETURNS
                                  1 NO_EFFECT
                                  3 NULL_RETURNS
                                  1 OVERRUN_STATIC
                                 10 RESOURCE_LEAK
                                  1 RETURN_LOCAL
                                  1 SIZEOF_MISMATCH
                                  3 UNINIT
                                  2 UNUSED_VALUE

A new memory leak is introduced; it should be easy to fix:

Error: RESOURCE_LEAK:
/builddir/build/BUILD/libvirt-0.9.10/src/conf/nwfilter_conf.c:363: alloc_fn: Calling allocation function "virNWFilterVarAccessParse".
/builddir/build/BUILD/libvirt-0.9.10/src/conf/nwfilter_params.c:930: alloc_arg: "virAlloc" allocates memory that is stored into "dest".
/builddir/build/BUILD/libvirt-0.9.10/src/util/memory.c:101: alloc_fn: Storage is returned from allocation function "calloc".
/builddir/build/BUILD/libvirt-0.9.10/src/util/memory.c:101: var_assign: Assigning: "*((void **)ptrptr)" = "calloc(1UL, size)".
/builddir/build/BUILD/libvirt-0.9.10/src/conf/nwfilter_params.c:946: return_alloc: Returning allocated memory "dest".
/builddir/build/BUILD/libvirt-0.9.10/src/conf/nwfilter_conf.c:363: var_assign: Assigning: "varAccess" =  storage returned from "virNWFilterVarAccessParse(var)".
/builddir/build/BUILD/libvirt-0.9.10/src/conf/nwfilter_conf.c:369: noescape: Variable "varAccess" is not freed or pointed-to in function "virNWFilterVarAccessEqual".
/builddir/build/BUILD/libvirt-0.9.10/src/conf/nwfilter_params.c:897:57: noescape: "virNWFilterVarAccessEqual" does not free or save its pointer parameter "b".
/builddir/build/BUILD/libvirt-0.9.10/src/conf/nwfilter_conf.c:378: leaked_storage: Variable "varAccess" going out of scope leaks the storage it points to.

Comment 9 Alex Jia 2012-02-08 15:47:55 UTC
libvirt-0.9.10-0rc2.el6 hasn't introduced new issues; the test report is the same as rc1.

Analysis summary report:
------------------------
Files analyzed                 : 247
Total LoC input to cov-analyze : 303342
Functions analyzed             : 7440
Paths analyzed                 : 827727
Defect occurrences found       : 54 Total
                                  6 CHECKED_RETURN
                                 22 DEADCODE
                                  1 FORWARD_NULL
                                  1 MISSING_RETURN
                                  2 NEGATIVE_RETURNS
                                  1 NO_EFFECT
                                  3 NULL_RETURNS
                                  1 OVERRUN_STATIC
                                 10 RESOURCE_LEAK
                                  1 RETURN_LOCAL
                                  1 SIZEOF_MISMATCH
                                  3 UNINIT
                                  2 UNUSED_VALUE

Comment 10 Alex Jia 2012-02-14 06:49:01 UTC
CoverityScan on libvirt-0.9.10-1.el6.

Analysis summary report:
------------------------
Files analyzed                 : 247
Total LoC input to cov-analyze : 303567
Functions analyzed             : 7445
Paths analyzed                 : 827631
Defect occurrences found       : 55 Total
                                  6 CHECKED_RETURN
                                 22 DEADCODE
                                  2 FORWARD_NULL
                                  1 MISSING_RETURN
                                  2 NEGATIVE_RETURNS
                                  1 NO_EFFECT
                                  3 NULL_RETURNS
                                  1 OVERRUN_STATIC
                                 10 RESOURCE_LEAK
                                  1 RETURN_LOCAL
                                  1 SIZEOF_MISMATCH
                                  3 UNINIT
                                  2 UNUSED_VALUE

Comment 11 Alex Jia 2012-02-14 06:50:05 UTC
Created attachment 561770
CoverityScan-libvirt-0.9.10-1.el6

Comment 12 Alex Jia 2012-03-01 11:15:23 UTC
CoverityScan on libvirt-0.9.10-3.el6:

Analysis summary report:
------------------------
Files analyzed                 : 248
Total LoC input to cov-analyze : 303885
Functions analyzed             : 7455
Paths analyzed                 : 828776
Defect occurrences found       : 55 Total
                                  6 CHECKED_RETURN
                                 22 DEADCODE
                                  2 FORWARD_NULL
                                  1 MISSING_RETURN
                                  2 NEGATIVE_RETURNS
                                  1 NO_EFFECT
                                  3 NULL_RETURNS
                                  1 OVERRUN_STATIC
                                 10 RESOURCE_LEAK
                                  1 RETURN_LOCAL
                                  1 SIZEOF_MISMATCH
                                  3 UNINIT
                                  2 UNUSED_VALUE


Note: the test report is the same as for the libvirt-0.9.10-1.el6 version.

Comment 13 Jiri Denemark 2012-03-05 14:35:39 UTC
Commit v0.9.10-17-g2ccc4a6 should fix a 'FORWARD_NULL' error about dereferencing null variable 'host':

commit 2ccc4a607f6e122aff2e3b9d133d6e6b4b661a1e
Author: Jiri Denemark <jdenemar>
Date:   Wed Feb 15 12:18:25 2012 +0100

    qemu: Fix segfault when host CPU is empty
    
    In case libvirtd cannot detect host CPU model (which may happen if it
    runs inside a virtual machine), the daemon is likely to segfault when
    starting a new qemu domain. It segfaults when domain XML asks for host
    (either model or passthrough) CPU or does not ask for any specific CPU
    model at all.

Comment 14 Alex Jia 2012-03-14 10:50:09 UTC
CoverityScan on libvirt-0.9.10-5.el6:

Analysis summary report:
------------------------
Files analyzed                 : 249
Total LoC input to cov-analyze : 306833
Functions analyzed             : 7520
Paths analyzed                 : 849861
Defect occurrences found       : 49 Total
                                  6 CHECKED_RETURN
                                 13 DEADCODE
                                  3 FORWARD_NULL
                                  1 MISSING_RETURN
                                  2 NEGATIVE_RETURNS
                                  1 NO_EFFECT
                                  3 NULL_RETURNS
                                  1 OVERRUN_STATIC
                                 11 RESOURCE_LEAK
                                  1 RETURN_LOCAL
                                  1 REVERSE_INULL
                                  1 SIZEOF_MISMATCH
                                  3 UNINIT
                                  2 UNUSED_VALUE

Defects in patches:

Error: DEADCODE:
/builddir/build/BUILD/libvirt-0.9.10/src/qemu/qemu_command.c:2746: dead_error_condition: On this path, the switch value "netType" cannot be "VIR_DOMAIN_NET_TYPE_HOSTDEV".
/builddir/build/BUILD/libvirt-0.9.10/src/qemu/qemu_command.c:2693: const: After this line, the value of "netType" is equal to 2.
/builddir/build/BUILD/libvirt-0.9.10/src/qemu/qemu_command.c:2693: const: After this line, the value of "netType" is equal to 3.
/builddir/build/BUILD/libvirt-0.9.10/src/qemu/qemu_command.c:2693: const: After this line, the value of "netType" is equal to 4.
/builddir/build/BUILD/libvirt-0.9.10/src/qemu/qemu_command.c:2717: equality_cond: Jumping to case "VIR_DOMAIN_NET_TYPE_CLIENT".
/builddir/build/BUILD/libvirt-0.9.10/src/qemu/qemu_command.c:2719: equality_cond: Jumping to case "VIR_DOMAIN_NET_TYPE_MCAST".
/builddir/build/BUILD/libvirt-0.9.10/src/qemu/qemu_command.c:2718: equality_cond: Jumping to case "VIR_DOMAIN_NET_TYPE_SERVER".
/builddir/build/BUILD/libvirt-0.9.10/src/qemu/qemu_command.c:2746: dead_error_line: Execution cannot reach this statement "case VIR_DOMAIN_NET_TYPE_HO...".

Error: FORWARD_NULL:
/builddir/build/BUILD/libvirt-0.9.10/src/qemu/qemu_hotplug.c:2065: assign_zero: Assigning: "detach" = 0.
/builddir/build/BUILD/libvirt-0.9.10/src/qemu/qemu_hotplug.c:2079: var_deref_model: Passing null variable "detach" to function "virDomainNetGetActualType", which dereferences it.
/builddir/build/BUILD/libvirt-0.9.10/src/conf/domain_conf.c:14284: deref_parm: Directly dereferencing parameter "iface".

Error: MISSING_RETURN:
/tmp/tmpixld3n.c:1: missing_return: Arriving at the end of a function without returning a value.

Error: RESOURCE_LEAK:
/builddir/build/BUILD/libvirt-0.9.10/src/util/virnetlink.c:338: alloc_arg: Calling allocation function "virAlloc" on "srv".
/builddir/build/BUILD/libvirt-0.9.10/src/util/memory.c:101: alloc_fn: Storage is returned from allocation function "calloc".
/builddir/build/BUILD/libvirt-0.9.10/src/util/memory.c:101: var_assign: Assigning: "*((void **)ptrptr)" = "calloc(1UL, size)".
/builddir/build/BUILD/libvirt-0.9.10/src/util/virnetlink.c:343: noescape: Variable "srv" is not freed or pointed-to in function "virMutexInit".
/builddir/build/BUILD/libvirt-0.9.10/src/util/threads-pthread.c:49:30: noescape: "virMutexInit" does not free or save its pointer parameter "m".
/builddir/build/BUILD/libvirt-0.9.10/src/util/virnetlink.c:404: leaked_storage: Variable "srv" going out of scope leaks the storage it points to.

Error: REVERSE_INULL:
/builddir/build/BUILD/libvirt-0.9.10/src/qemu/qemu_hotplug.c:2079: deref_ptr_in_call: Dereferencing pointer "detach".
/builddir/build/BUILD/libvirt-0.9.10/src/conf/domain_conf.c:14284: deref_parm: Directly dereferencing parameter "iface".
/builddir/build/BUILD/libvirt-0.9.10/src/qemu/qemu_hotplug.c:2086: check_after_deref: Dereferencing "detach" before a null check.

Comment 15 Alex Jia 2012-03-14 10:51:19 UTC
Created attachment 569956
CoverityScan-libvirt-0.9.10-5.el6

Comment 16 Alex Jia 2012-03-20 09:23:50 UTC
CoverityScan on libvirt-0.9.10-6.el6:

Analysis summary report:
------------------------
Files analyzed                 : 249
Total LoC input to cov-analyze : 307044
Functions analyzed             : 7523
Paths analyzed                 : 850591
Defect occurrences found       : 49 Total
                                  6 CHECKED_RETURN
                                 13 DEADCODE
                                  1 EVALUATION_ORDER
                                  2 FORWARD_NULL
                                  1 MISSING_RETURN
                                  2 NEGATIVE_RETURNS
                                  1 NO_EFFECT
                                  3 NULL_RETURNS
                                  1 OVERRUN_STATIC
                                 12 RESOURCE_LEAK
                                  1 RETURN_LOCAL
                                  1 SIZEOF_MISMATCH
                                  3 UNINIT
                                  2 UNUSED_VALUE

A new memory leak is introduced:

Error: RESOURCE_LEAK:
/builddir/build/BUILD/libvirt-0.9.10/src/qemu/qemu_process.c:1691: alloc_arg: Calling allocation function "virAllocN" on "cpumap".
/builddir/build/BUILD/libvirt-0.9.10/src/util/memory.c:129: alloc_fn: Storage is returned from allocation function "calloc".
/builddir/build/BUILD/libvirt-0.9.10/src/util/memory.c:129: var_assign: Assigning: "*((void **)ptrptr)" = "calloc(count, size)".
/builddir/build/BUILD/libvirt-0.9.10/src/qemu/qemu_process.c:1702: leaked_storage: Variable "cpumap" going out of scope leaks the storage it points to.

Comment 17 Alex Jia 2012-03-29 02:29:52 UTC
CoverityScan on libvirt-0.9.10-8.el6:

Analysis summary report:
------------------------
Files analyzed                 : 249
Total LoC input to cov-analyze : 308322
Functions analyzed             : 7551
Paths analyzed                 : 856402
Defect occurrences found       : 51 Total
                                  6 CHECKED_RETURN
                                 13 DEADCODE
                                  1 EVALUATION_ORDER
                                  4 FORWARD_NULL
                                  1 MISSING_RETURN
                                  2 NEGATIVE_RETURNS
                                  1 NO_EFFECT
                                  3 NULL_RETURNS
                                  1 OVERRUN_STATIC
                                 12 RESOURCE_LEAK
                                  1 RETURN_LOCAL
                                  1 SIZEOF_MISMATCH
                                  3 UNINIT
                                  2 UNUSED_VALUE

There are 2 new FORWARD_NULL defects introduced in this build:

Error: FORWARD_NULL:
/builddir/build/BUILD/libvirt-0.9.10/src/qemu/qemu_driver.c:9850: assign_zero: Assigning: "driverType" = 0.
/builddir/build/BUILD/libvirt-0.9.10/src/qemu/qemu_driver.c:9907: var_deref_model: Passing null variable "driverType" to function "qemuMonitorDiskSnapshot", which dereferences it.
/builddir/build/BUILD/libvirt-0.9.10/src/qemu/qemu_monitor.c:2632: deref_parm_in_call: Function "__coverity_strcmp" dereferences parameter "format".

Error: FORWARD_NULL:
/builddir/build/BUILD/libvirt-0.9.10/python/libvirt-override.c:392: assign_zero: Assigning: "params" = 0.
/builddir/build/BUILD/libvirt-0.9.10/python/libvirt-override.c:505: var_deref_model: Passing null variable "params" to function "getPyVirTypedParameter", which dereferences it. (The dereference is assumed on the basis of the 'nonnull' parameter attribute.)

Comment 18 Alex Jia 2012-04-12 10:51:12 UTC
CoverityScan on libvirt-0.9.10-11.el6:
Analysis summary report:
------------------------
Files analyzed                 : 249
Total LoC input to cov-analyze : 308611
Functions analyzed             : 7563
Paths analyzed                 : 857338
Defect occurrences found       : 48 Total
                                  6 CHECKED_RETURN
                                 13 DEADCODE
                                  1 EVALUATION_ORDER
                                  2 FORWARD_NULL
                                  1 MISSING_RETURN
                                  2 NEGATIVE_RETURNS
                                  1 NO_EFFECT
                                  3 NULL_RETURNS
                                  1 OVERRUN_STATIC
                                 11 RESOURCE_LEAK
                                  1 RETURN_LOCAL
                                  1 SIZEOF_MISMATCH
                                  3 UNINIT
                                  2 UNUSED_VALUE

New leaks:

Error: RESOURCE_LEAK:
/builddir/build/BUILD/libvirt-0.9.10/src/qemu/qemu_process.c:1733: alloc_arg: Calling allocation function "virAllocN" on "cpumap".
/builddir/build/BUILD/libvirt-0.9.10/src/util/memory.c:129: alloc_fn: Storage is returned from allocation function "calloc".
/builddir/build/BUILD/libvirt-0.9.10/src/util/memory.c:129: var_assign: Assigning: "*((void **)ptrptr)" = "calloc(count, size)".
/builddir/build/BUILD/libvirt-0.9.10/src/qemu/qemu_process.c:1744: leaked_storage: Variable "cpumap" going out of scope leaks the storage it points to.

Error: RESOURCE_LEAK:
/builddir/build/BUILD/libvirt-0.9.10/src/util/virnetlink.c:338: alloc_arg: Calling allocation function "virAlloc" on "srv".
/builddir/build/BUILD/libvirt-0.9.10/src/util/memory.c:101: alloc_fn: Storage is returned from allocation function "calloc".
/builddir/build/BUILD/libvirt-0.9.10/src/util/memory.c:101: var_assign: Assigning: "*((void **)ptrptr)" = "calloc(1UL, size)".
/builddir/build/BUILD/libvirt-0.9.10/src/util/virnetlink.c:343: noescape: Variable "srv" is not freed or pointed-to in function "virMutexInit".
/builddir/build/BUILD/libvirt-0.9.10/src/util/threads-pthread.c:49:30: noescape: "virMutexInit" does not free or save its pointer parameter "m".
/builddir/build/BUILD/libvirt-0.9.10/src/util/virnetlink.c:404: leaked_storage: Variable "srv" going out of scope leaks the storage it points to.

Comment 19 Alex Jia 2012-04-12 10:55:09 UTC
Created attachment 577032
CoverityScan-libvirt-0.9.10-11.el6

Comment 20 Michal Luscon 2012-04-16 09:25:23 UTC
*** Bug 811993 has been marked as a duplicate of this bug. ***

Comment 21 Alex Jia 2012-04-19 07:30:14 UTC
CoverityScan on libvirt-0.9.10-13.el6:

Analysis summary report:
------------------------
Files analyzed                 : 227
Total LoC input to cov-analyze : 380801
Functions analyzed             : 6323
Paths analyzed                 : 447757
Defect occurrences found       : 68 Total
                                  7 CHECKED_RETURN
                                  5 DEADCODE
                                  2 FORWARD_NULL
                                  2 MISSING_BREAK
                                  1 MISSING_RETURN
                                  2 NEGATIVE_RETURNS
                                  4 NULL_RETURNS
                                  1 OVERRUN_STATIC
                                 24 RESOURCE_LEAK
                                  1 RETURN_LOCAL
                                 14 REVERSE_INULL
                                  1 SIGN_EXTENSION
                                  4 UNINIT


Defects in patches:

Error: FORWARD_NULL:
/builddir/build/BUILD/libvirt-0.9.10/python/libvirt-override.c:355: assign_zero: Assigning: "params" = 0.
/builddir/build/BUILD/libvirt-0.9.10/python/libvirt-override.c:458: var_deref_model: Passing null variable "params" to function "getPyVirTypedParameter", which dereferences it. (The dereference is assumed on the basis of the 'nonnull' parameter attribute.)

Error: RESOURCE_LEAK:
/builddir/build/BUILD/libvirt-0.9.10/src/util/virnetlink.c:338: alloc_arg: Calling allocation function "virAlloc" on "srv".
/builddir/build/BUILD/libvirt-0.9.10/src/util/memory.c:101: alloc_fn: Storage is returned from allocation function "calloc".
/builddir/build/BUILD/libvirt-0.9.10/src/util/memory.c:101: var_assign: Assigning: "*((void **)ptrptr)" = "calloc(1UL, size)".
/builddir/build/BUILD/libvirt-0.9.10/src/util/virnetlink.c:343: noescape: Variable "srv" is not freed or pointed-to in function "virMutexInit".
/builddir/build/BUILD/libvirt-0.9.10/src/util/threads-pthread.c:49:30: noescape: "virMutexInit" does not free or save its pointer parameter "m".
/builddir/build/BUILD/libvirt-0.9.10/src/util/virnetlink.c:404: leaked_storage: Variable "srv" going out of scope leaks the storage it points to.

Comment 22 Alex Jia 2012-04-19 07:31:19 UTC
Created attachment 578527
CoverityScan-libvirt-0.9.10-13.el6

Comment 23 Alex Jia 2012-04-25 05:56:54 UTC
CoverityScan on libvirt-0.9.10-14.el6:

Analysis summary report:
------------------------
Files analyzed                 : 227
Total LoC input to cov-analyze : 381431
Functions analyzed             : 6323
Paths analyzed                 : 447675
Defect occurrences found       : 68 Total
                                  7 CHECKED_RETURN
                                  5 DEADCODE
                                  2 FORWARD_NULL
                                  2 MISSING_BREAK
                                  1 MISSING_RETURN
                                  2 NEGATIVE_RETURNS
                                  4 NULL_RETURNS
                                  1 OVERRUN_STATIC
                                 24 RESOURCE_LEAK
                                  1 RETURN_LOCAL
                                 14 REVERSE_INULL
                                  1 SIGN_EXTENSION
                                  4 UNINIT

The -14 test report is the same as -13; no new issues are introduced.

Comment 25 Alex Jia 2012-05-02 07:42:22 UTC
CoverityScan on libvirt-0.9.10-15.el6:

Analysis summary report:
------------------------
Files analyzed                 : 227
Total LoC input to cov-analyze : 381570
Functions analyzed             : 6324
Paths analyzed                 : 447540
Defect occurrences found       : 68 Total
                                  7 CHECKED_RETURN
                                  5 DEADCODE
                                  2 FORWARD_NULL
                                  2 MISSING_BREAK
                                  1 MISSING_RETURN
                                  2 NEGATIVE_RETURNS
                                  4 NULL_RETURNS
                                  1 OVERRUN_STATIC
                                 24 RESOURCE_LEAK
                                  1 RETURN_LOCAL
                                 14 REVERSE_INULL
                                  1 SIGN_EXTENSION
                                  4 UNINIT

The -15 test report is the same as -14; no new issues are introduced.

Comment 26 Alex Jia 2012-05-02 10:33:35 UTC
CoverityScan on libvirt-0.9.10-16.el6:

Analysis summary report:
------------------------
Files analyzed                 : 227
Total LoC input to cov-analyze : 381600
Functions analyzed             : 6324
Paths analyzed                 : 447540
Defect occurrences found       : 68 Total
                                  7 CHECKED_RETURN
                                  5 DEADCODE
                                  2 FORWARD_NULL
                                  2 MISSING_BREAK
                                  1 MISSING_RETURN
                                  2 NEGATIVE_RETURNS
                                  4 NULL_RETURNS
                                  1 OVERRUN_STATIC
                                 24 RESOURCE_LEAK
                                  1 RETURN_LOCAL
                                 14 REVERSE_INULL
                                  1 SIGN_EXTENSION
                                  4 UNINIT

The -16 test report is the same as -15; no new issues are introduced.

Comment 27 Osier Yang 2012-05-02 13:20:25 UTC
Error: RESOURCE_LEAK:
/builddir/build/BUILD/libvirt-0.9.10/src/uml/uml_conf.c:351: open_fn: Calling
opening function "open".
/builddir/build/BUILD/libvirt-0.9.10/src/uml/uml_conf.c:351: var_assign:
Assigning: "fd_out" =  handle returned from "open(def->source.data.file.path,
1089, 432)".
/builddir/build/BUILD/libvirt-0.9.10/src/uml/uml_conf.c:358: noescape: Variable
"fd_out" is not freed or pointed-to in function "virAsprintf".
/builddir/build/BUILD/libvirt-0.9.10/src/uml/uml_conf.c:358: noescape: Variable
"fd_out" is not closed or saved in function "virAsprintf".
/builddir/build/BUILD/libvirt-0.9.10/src/uml/uml_conf.c:363: noescape: Variable
"fd_out" is not closed or saved in function "virCommandTransferFD".
/builddir/build/BUILD/libvirt-0.9.10/src/uml/uml_conf.c:364: leaked_handle:
Handle variable "fd_out" going out of scope leaks the handle.

====
For the above leak, it's not a valid check; virCommandTransferFD will close
the file handle.

Comment 28 Osier Yang 2012-05-02 14:21:36 UTC
(In reply to comment #27)
> Error: RESOURCE_LEAK:
> /builddir/build/BUILD/libvirt-0.9.10/src/uml/uml_conf.c:351: open_fn: Calling
> opening function "open".
> /builddir/build/BUILD/libvirt-0.9.10/src/uml/uml_conf.c:351: var_assign:
> Assigning: "fd_out" =  handle returned from "open(def->source.data.file.path,
> 1089, 432)".
> /builddir/build/BUILD/libvirt-0.9.10/src/uml/uml_conf.c:358: noescape: Variable
> "fd_out" is not freed or pointed-to in function "virAsprintf".
> /builddir/build/BUILD/libvirt-0.9.10/src/uml/uml_conf.c:358: noescape: Variable
> "fd_out" is not closed or saved in function "virAsprintf".
> /builddir/build/BUILD/libvirt-0.9.10/src/uml/uml_conf.c:363: noescape: Variable
> "fd_out" is not closed or saved in function "virCommandTransferFD".
> /builddir/build/BUILD/libvirt-0.9.10/src/uml/uml_conf.c:364: leaked_handle:
> Handle variable "fd_out" going out of scope leaks the handle.
> 
> ====
> For the above leak, it's not a valid check; virCommandTransferFD will close
> the file handle.

Likewise for below:

Error: RESOURCE_LEAK:
/builddir/build/BUILD/libvirt-0.9.10/src/rpc/virnetsocket.c:324: open_fn: Calling opening function "socket".
/builddir/build/BUILD/libvirt-0.9.10/src/rpc/virnetsocket.c:324: var_assign: Assigning: "fd" =  handle returned from "socket(1, 1, 0)".
/builddir/build/BUILD/libvirt-0.9.10/src/rpc/virnetsocket.c:342: noescape: Variable "fd" is not closed or saved in function "bind".
/builddir/build/BUILD/libvirt-0.9.10/src/rpc/virnetsocket.c:361: noescape: Variable "fd" is not closed or saved in function "virNetSocketNew".
/builddir/build/BUILD/libvirt-0.9.10/src/rpc/virnetsocket.c:364: leaked_handle: Handle variable "fd" going out of scope leaks the handle.

The file descriptor will be marked as close-on-exec in virNetSocketNew.

Comment 31 Alex Jia 2012-05-02 15:46:52 UTC
(In reply to comment #27)
> /builddir/build/BUILD/libvirt-0.9.10/src/uml/uml_conf.c:363: noescape: Variable
> "fd_out" is not closed or saved in function "virCommandTransferFD".
> /builddir/build/BUILD/libvirt-0.9.10/src/uml/uml_conf.c:364: leaked_handle:
> Handle variable "fd_out" going out of scope leaks the handle.
> 
> ====
> For the above leak, it's not a valid check; virCommandTransferFD will close
> the file handle.

/*
 * Preserve the specified file descriptor in the child, instead of
 * closing it.  FD must not be one of the three standard streams.  If
 * transfer is true, then fd will be closed in the parent after a call
 * to Run/RunAsync/Free, otherwise caller is still responsible for fd.
 * Returns true if a transferring caller should close FD now, and
 * false if the transfer is successfully recorded.
 */
static bool
virCommandKeepFD(virCommandPtr cmd, int fd, bool transfer)
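
The ownership contract in the comment quoted in Comment 31 is why a local descriptor can go out of scope with no visible close(), the pattern reported as leaked_handle in Comment 27. The following is an added example, not libvirt code and not written by any commenter: `struct demo_cmd` and the `demo_*` functions are hypothetical stand-ins, and the demo closes transferred descriptors only in its free function.

```c
#include <fcntl.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <unistd.h>

#define DEMO_MAX_KEEP 8

/* Hypothetical stand-in for a command object; not libvirt's virCommand. */
struct demo_cmd {
    int keep[DEMO_MAX_KEEP];       /* fds to preserve in the child */
    bool transfer[DEMO_MAX_KEEP];  /* true: the command owns and closes the fd */
    size_t nkeep;
};

/* Probe whether fd still refers to an open descriptor. */
static bool fd_is_open(int fd)
{
    return fcntl(fd, F_GETFD) != -1;
}

/* Same contract as the quoted comment: returns true if a transferring
 * caller should close fd now, false if the fd was recorded. */
static bool demo_cmd_keep_fd(struct demo_cmd *cmd, int fd, bool transfer)
{
    if (fd <= STDERR_FILENO || cmd->nkeep == DEMO_MAX_KEEP)
        return transfer;           /* could not record the fd */
    cmd->keep[cmd->nkeep] = fd;
    cmd->transfer[cmd->nkeep] = transfer;
    cmd->nkeep++;
    return false;
}

/* Hand ownership to the command. The caller must not close fd afterwards. */
static void demo_cmd_transfer_fd(struct demo_cmd *cmd, int fd)
{
    if (demo_cmd_keep_fd(cmd, fd, true))
        close(fd);                 /* recording failed: close now, no leak */
}

/* Release the command and every descriptor it took ownership of. */
static void demo_cmd_free(struct demo_cmd *cmd)
{
    for (size_t i = 0; i < cmd->nkeep; i++)
        if (cmd->transfer[i])
            close(cmd->keep[i]);
    cmd->nkeep = 0;
}

/* Case 1: the flagged shape. fd is opened, transferred, and never closed
 * by the caller; it is closed when the command is freed. */
static int demo_transfer_closes_on_free(void)
{
    struct demo_cmd cmd = {0};
    int fd = open("/dev/null", O_WRONLY);
    if (fd < 0)
        return -1;
    demo_cmd_transfer_fd(&cmd, fd);
    bool open_before = fd_is_open(fd);
    demo_cmd_free(&cmd);
    return open_before && !fd_is_open(fd);
}

/* Case 2: the table is full, so the transfer cannot be recorded and the
 * wrapper closes the fd immediately. */
static int demo_failed_transfer_closes_now(void)
{
    struct demo_cmd cmd = {0};
    cmd.nkeep = DEMO_MAX_KEEP;     /* constructed: simulate a full table */
    int fd = open("/dev/null", O_WRONLY);
    if (fd < 0)
        return -1;
    demo_cmd_transfer_fd(&cmd, fd);
    return !fd_is_open(fd);
}

/* Case 3: transfer == false. The caller stays responsible, so a missing
 * close() here would be a real leak. */
static int demo_keep_leaves_ownership(void)
{
    struct demo_cmd cmd = {0};
    int fd = open("/dev/null", O_WRONLY);
    if (fd < 0)
        return -1;
    demo_cmd_keep_fd(&cmd, fd, false);
    demo_cmd_free(&cmd);
    bool still_open = fd_is_open(fd);
    close(fd);                     /* the caller's own cleanup */
    return still_open;
}

int main(void)
{
    printf("transferred fd closed on free:  %d\n", demo_transfer_closes_on_free());
    printf("failed transfer closed at once: %d\n", demo_failed_transfer_closes_now());
    printf("kept fd still owned by caller:  %d\n", demo_keep_leaves_ownership());
    return 0;
}
```

When triaging a leaked_handle report, the third case is the one to look for: a call that only records the descriptor leaves the caller's missing close() as a genuine leak.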

Comment 35 Alex Jia 2012-05-09 09:18:42 UTC
CoverityScan on libvirt-0.9.10-18.el6:

Analysis summary report:
------------------------
Files analyzed                 : 227
Total LoC input to cov-analyze : 382010
Functions analyzed             : 6329
Paths analyzed                 : 448825
Defect occurrences found       : 61 Total
                                  7 CHECKED_RETURN
                                  5 DEADCODE
                                  2 FORWARD_NULL
                                  2 MISSING_BREAK
                                  1 MISSING_RETURN
                                  2 NEGATIVE_RETURNS
                                  3 NULL_RETURNS
                                  1 OVERRUN_STATIC
                                 18 RESOURCE_LEAK
                                  1 RETURN_LOCAL
                                 14 REVERSE_INULL
                                  1 SIGN_EXTENSION
                                  4 UNINIT

Exceeded path limit of 5000 paths in 0.22% of functions (normally up to 5% of functions encounter this limitation)
Elapsed time: 00:07:16

In addition, a new issue is introduced by patch:

Error: FORWARD_NULL:
/builddir/build/BUILD/libvirt-0.9.10/src/qemu/qemu_process.c:2477: assign_zero: Assigning: "nodemask" = 0.
/builddir/build/BUILD/libvirt-0.9.10/src/qemu/qemu_process.c:2534: var_deref_model: Passing null variable "nodemask" to function "qemuProcessInitCpuAffinity", which dereferences it.
/builddir/build/BUILD/libvirt-0.9.10/src/qemu/qemu_process.c:1754: deref_parm: Directly dereferencing parameter "nodemask".

For the 18 RESOURCE_LEAK defects, please help confirm them, except those from the previous Comments 27-30 (7 leaks); the 14 REVERSE_INULL defects also need to be checked.

Comment 36 Alex Jia 2012-05-09 09:19:29 UTC
Created attachment 583201 [details]
CoverityScan-libvirt-0.9.10-18.el6

Comment 39 Alex Jia 2012-05-15 08:12:44 UTC
CoverityScan on libvirt-0.9.10-19.el6:

Analysis summary report:
------------------------
Files analyzed                 : 227
Total LoC input to cov-analyze : 382017
Functions analyzed             : 6329
Paths analyzed                 : 449426
Defect occurrences found       : 60 Total
                                  7 CHECKED_RETURN
                                  5 DEADCODE
                                  1 FORWARD_NULL
                                  2 MISSING_BREAK
                                  1 MISSING_RETURN
                                  2 NEGATIVE_RETURNS
                                  3 NULL_RETURNS
                                  1 OVERRUN_STATIC
                                 18 RESOURCE_LEAK
                                  1 RETURN_LOCAL
                                 14 REVERSE_INULL
                                  1 SIGN_EXTENSION
                                  4 UNINIT

No new issue is introduced by the patches.

Comment 40 Alex Jia 2012-05-15 10:16:39 UTC
Created attachment 584630 [details]
CoverityScan-libvirt-0.9.10-19.el6

Comment 41 Alex Jia 2012-05-16 07:41:33 UTC
CoverityScan on libvirt-0.9.10-20.el6:

Analysis summary report:
------------------------
Files analyzed                 : 249
Total LoC input to cov-analyze : 310014
Functions analyzed             : 7587
Paths analyzed                 : 868885
Defect occurrences found       : 43 Total
                                  6 CHECKED_RETURN
                                 13 DEADCODE
                                  1 EVALUATION_ORDER
                                  1 FORWARD_NULL
                                  1 MISSING_RETURN
                                  2 NEGATIVE_RETURNS
                                  1 NO_EFFECT
                                  3 NULL_RETURNS
                                  1 OVERRUN_STATIC
                                  7 RESOURCE_LEAK
                                  1 RETURN_LOCAL
                                  1 SIZEOF_MISMATCH
                                  3 UNINIT
                                  2 UNUSED_VALUE

Many issues are fixed by this build, but the following items still need to be confirmed:

1 FORWARD_NULL         if 'from' is NULL, the following code needs to be checked:
<snip>
    if (tree) {
        char indentBuf[INDENT_BUFLEN];
        for (i = 0 ; i < actual ; i++) {
            memset(indentBuf, '\0', sizeof(indentBuf));
            if (ctl->useSnapshotOld ? STREQ(names[i], from) : !parents[i])
</snip>
  
7 RESOURCE_LEAK        (it should be confirmed by Osier)
3 UNINIT               (need to confirm them)

In addition, for the other errors, please also confirm whether they're harmless for libvirt.

Comment 42 Alex Jia 2012-05-16 07:43:43 UTC
Moreover, 2 new issues are introduced by the patches:

Error: DEADCODE:
/builddir/build/BUILD/libvirt-0.9.10/src/qemu/qemu_command.c:2852: dead_error_condition: On this path, the switch value "netType" cannot be "VIR_DOMAIN_NET_TYPE_HOSTDEV".
/builddir/build/BUILD/libvirt-0.9.10/src/qemu/qemu_command.c:2799: const: After this line, the value of "netType" is equal to 2.
/builddir/build/BUILD/libvirt-0.9.10/src/qemu/qemu_command.c:2799: const: After this line, the value of "netType" is equal to 3.
/builddir/build/BUILD/libvirt-0.9.10/src/qemu/qemu_command.c:2799: const: After this line, the value of "netType" is equal to 4.
/builddir/build/BUILD/libvirt-0.9.10/src/qemu/qemu_command.c:2823: equality_cond: Jumping to case "VIR_DOMAIN_NET_TYPE_CLIENT".
/builddir/build/BUILD/libvirt-0.9.10/src/qemu/qemu_command.c:2825: equality_cond: Jumping to case "VIR_DOMAIN_NET_TYPE_MCAST".
/builddir/build/BUILD/libvirt-0.9.10/src/qemu/qemu_command.c:2824: equality_cond: Jumping to case "VIR_DOMAIN_NET_TYPE_SERVER".
/builddir/build/BUILD/libvirt-0.9.10/src/qemu/qemu_command.c:2852: dead_error_line: Execution cannot reach this statement "case VIR_DOMAIN_NET_TYPE_HO...".

Error: EVALUATION_ORDER:
/builddir/build/BUILD/libvirt-0.9.10/src/conf/domain_conf.c:7159: write_write_order: In "disk = disk = def->disks[i]", "disk" is written in "disk" (the assignment left-hand side) and written in "disk = def->disks[i]" but the order in which the side effects take place is undefined because there is no intervening sequence point.

IMHO, they should be harmless for libvirt.
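
Added example (not part of the original bug comments or of libvirt): a small Python script that parses two of the "Analysis summary report" blocks in the format pasted above and reports the per-checker change between the libvirt-0.9.10-19.el6 and libvirt-0.9.10-20.el6 scans. The counts are copied from Comments 39 and 41; the function names are hypothetical.

```python
import re
# Checker counts copied from the summaries in Comments 39 and 41 above.
SCAN_19 = """Defect occurrences found       : 60 Total
  7 CHECKED_RETURN
  5 DEADCODE
  1 FORWARD_NULL
  2 MISSING_BREAK
  1 MISSING_RETURN
  2 NEGATIVE_RETURNS
  3 NULL_RETURNS
  1 OVERRUN_STATIC
 18 RESOURCE_LEAK
  1 RETURN_LOCAL
 14 REVERSE_INULL
  1 SIGN_EXTENSION
  4 UNINIT
"""
SCAN_20 = """Defect occurrences found       : 43 Total
  6 CHECKED_RETURN
 13 DEADCODE
  1 EVALUATION_ORDER
  1 FORWARD_NULL
  1 MISSING_RETURN
  2 NEGATIVE_RETURNS
  1 NO_EFFECT
  3 NULL_RETURNS
  1 OVERRUN_STATIC
  7 RESOURCE_LEAK
  1 RETURN_LOCAL
  1 SIZEOF_MISMATCH
  3 UNINIT
  2 UNUSED_VALUE
"""

def parse_summary(text):
    """Return (stated_total, {checker: count}) from a summary block."""
    total = int(re.search(r"found\s*:\s*(\d+) Total", text).group(1))
    counts = {m[1]: int(m[0]) for m in re.findall(r"^\s*(\d+) ([A-Z_]+)$", text, re.M)}
    return total, counts

def diff_scans(old, new):
    """Per-checker delta (new - old); checkers with no change are omitted."""
    return {k: new.get(k, 0) - old.get(k, 0)
            for k in sorted(set(old) | set(new)) if new.get(k, 0) != old.get(k, 0)}

if __name__ == "__main__":
    (_, old), (_, new) = parse_summary(SCAN_19), parse_summary(SCAN_20)
    for checker, delta in diff_scans(old, new).items():
        print(f"{delta:+4d} {checker}")
```

The two scans analyzed different numbers of files (227 and 249), so a delta marks a checker worth reviewing in the attached reports rather than proving that a patch introduced or fixed a defect.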

Comment 43 Alex Jia 2012-05-16 07:44:19 UTC
Created attachment 584879 [details]
CoverityScan-libvirt-0.9.10-20.el6

Comment 44 Alex Jia 2012-05-29 03:03:41 UTC
Coverity has no new complaints for libvirt-0.9.10-21.el6 except a new "Error: MISSING_RETURN", which is harmless for libvirt.

In addition, some memory leak issues have been fixed, and the NULL pointer dereferencing issues still need to be confirmed. I will close the bug, then file a new bug for 6.4 to track the rest of the Coverity-relevant issues; meanwhile, the bug is a tracking bug for 6.4 like 6.3.

Comment 45 Alex Jia 2012-05-29 03:14:36 UTC
Filed a new bug for 6.4:
https://bugzilla.redhat.com/show_bug.cgi?id=825903

Comment 47 errata-xmlrpc 2012-06-20 06:40:56 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2012-0748.html