Fwd: New Defects reported by Coverity Scan for Das U-Boot
Tom Rini
trini at konsulko.com
Fri Jul 25 15:26:45 CEST 2025
Here's the latest report. These aren't newly introduced issues so much as
existing ones that show up now that Coverity is looking at the FPGA code.
---------- Forwarded message ---------
From: <scan-admin at coverity.com>
Date: Thu, Jul 24, 2025 at 8:03 PM
Subject: New Defects reported by Coverity Scan for Das U-Boot
To: <tom.rini at gmail.com>
Hi,
Please find the latest report on new defect(s) introduced to *Das U-Boot*
found with Coverity Scan.
- *New Defects Found:* 8
- 3 defect(s), reported by Coverity Scan earlier, were marked fixed in
the recent build analyzed by Coverity Scan.
- *Defects Shown:* Showing 8 of 8 defect(s)
Defect Details
** CID 583150: Null pointer dereferences (NULL_RETURNS)
/drivers/fpga/xilinx.c: 54 in fpga_loadbitstream()
_____________________________________________________________________________________________
*** CID 583150: Null pointer dereferences (NULL_RETURNS)
/drivers/fpga/xilinx.c: 54 in fpga_loadbitstream()
48 xilinx_desc *xdesc;
49
50 dataptr = (unsigned char *)fpgadata;
51 /* Find out fpga_description */
52 desc = fpga_validate(devnum, dataptr, 0);
53 /* Assign xilinx device description */
>>> CID 583150: Null pointer dereferences (NULL_RETURNS)
>>> Dereferencing "desc", which is known to be "NULL".
54 xdesc = desc->devdesc;
55
56 /* skip the first bytes of the bitsteam, their meaning is unknown */
57 length = (*dataptr << 8) + *(dataptr + 1);
58 dataptr += 2;
59 dataptr += length;
** CID 583149: Control flow issues (DEADCODE)
/drivers/fpga/ACEX1K.c: 226 in ACEX1K_ps_load()
_____________________________________________________________________________________________
*** CID 583149: Control flow issues (DEADCODE)
/drivers/fpga/ACEX1K.c: 226 in ACEX1K_ps_load()
220
221 #ifdef CONFIG_SYS_FPGA_PROG_FEEDBACK
222 if (ret_val == FPGA_SUCCESS) {
223 puts ("Done.\n");
224 }
225 else {
>>> CID 583149: Control flow issues (DEADCODE)
>>> Execution cannot reach this statement: "puts("Fail.\n");".
226 puts ("Fail.\n");
227 }
228 #endif
229 (*fn->post) (cookie);
230
231 } else {
** CID 583148: Control flow issues (DEADCODE)
/drivers/fpga/cyclon2.c: 180 in CYC2_ps_load()
_____________________________________________________________________________________________
*** CID 583148: Control flow issues (DEADCODE)
/drivers/fpga/cyclon2.c: 180 in CYC2_ps_load()
174 ret_val = FPGA_SUCCESS;
175
176 #ifdef CONFIG_SYS_FPGA_PROG_FEEDBACK
177 if (ret_val == FPGA_SUCCESS)
178 puts("Done.\n");
179 else
>>> CID 583148: Control flow issues (DEADCODE)
>>> Execution cannot reach this statement: "puts("Fail.\n");".
180 puts("Fail.\n");
181 #endif
182
183 /*
184 * Run the post configuration function if there is one.
185 */
** CID 583147: Integer handling issues (NEGATIVE_RETURNS)
_____________________________________________________________________________________________
*** CID 583147: Integer handling issues (NEGATIVE_RETURNS)
/cmd/fpga.c: 305 in do_fpga_loadmk()
299 #if defined(CONFIG_GZIP)
300 ulong image_buf = image_get_data(hdr);
301 ulong image_size = ~0UL;
302
303 data = image_get_load(hdr);
304
>>> CID 583147: Integer handling issues (NEGATIVE_RETURNS)
>>> A negative constant "-1" is passed as an argument to a parameter that cannot be negative.
305 if (gunzip((void *)data, ~0U, (void *)image_buf,
306 &image_size) != 0) {
307 log_err("Gunzip error\n");
308 return CMD_RET_FAILURE;
309 }
310 data_size = image_size;
** CID 583146: Control flow issues (DEADCODE)
/drivers/fpga/ivm_core.c: 1306 in ispVMDataCode()
_____________________________________________________________________________________________
*** CID 583146: Control flow issues (DEADCODE)
/drivers/fpga/ivm_core.c: 1306 in ispVMDataCode()
1300 /*
1301 * Encountered invalid opcode.
1302 */
1303
1304 return VME_INVALID_FILE;
1305 } else {
>>> CID 583146: Control flow issues (DEADCODE)
>>> Execution cannot reach this statement: "return 0;".
1306 return 0;
1307 }
1308 }
1309
1310 /*
1311 *
** CID 583145: (INTEGER_OVERFLOW)
/drivers/fpga/ivm_core.c: 1959 in ispVMBitShift()
/drivers/fpga/ivm_core.c: 1974 in ispVMBitShift()
_____________________________________________________________________________________________
*** CID 583145: (INTEGER_OVERFLOW)
/drivers/fpga/ivm_core.c: 1959 in ispVMBitShift()
1953 for (i = 0; i < size; i++) {
1954 if (g_pucInData[i] != 0) {
1955 tmpbits = bits;
1956 while (tmpbits > 0) {
1957 g_pucInData[i] <<= 1;
1958 if (g_pucInData[i] == 0) {
>>> CID 583145: (INTEGER_OVERFLOW)
>>> Expression "i--", where "i" is known to be equal to 0, underflows the type of "i--", which is type "unsigned short".
1959 i--;
1960 g_pucInData[i] = 1;
1961 }
1962 tmpbits--;
1963 }
1964 }
/drivers/fpga/ivm_core.c: 1974 in ispVMBitShift()
1968 for (i = 0; i < size; i++) {
1969 if (g_pucInData[i] != 0) {
1970 tmpbits = bits;
1971 while (tmpbits > 0) {
1972 g_pucInData[i] >>= 1;
1973 if (g_pucInData[i] == 0) {
>>> CID 583145: (INTEGER_OVERFLOW)
>>> Expression "i--", where "i" is known to be equal to 0, underflows the type of "i--", which is type "unsigned short".
1974 i--;
1975 g_pucInData[i] = 8;
1976 }
1977 tmpbits--;
1978 }
1979 }
** CID 583144: Null pointer dereferences (FORWARD_NULL)
/drivers/fpga/ivm_core.c: 2406 in ispVMBypass()
_____________________________________________________________________________________________
*** CID 583144: Null pointer dereferences (FORWARD_NULL)
/drivers/fpga/ivm_core.c: 2406 in ispVMBypass()
2400
2401 iSourceIndex = 0;
2402 cBitState = 0;
2403 for (iIndex = 0; iIndex < Bits - 1; iIndex++) {
2404 /* Scan instruction or bypass register */
2405 if (iIndex % 8 == 0) {
>>> CID 583144: Null pointer dereferences (FORWARD_NULL)
>>> Dereferencing null pointer "pcSource".
2406 cCurByte = pcSource[iSourceIndex++];
2407 }
2408 cBitState = (unsigned char) (((cCurByte << iIndex % 8) & 0x80)
2409 ? 0x01 : 0x00);
2410 writePort(g_ucPinTDI, cBitState);
2411 sclock();
** CID 583143: (OVERRUN)
/drivers/fpga/ivm_core.c: 2455 in ispVMStateMachine()
/drivers/fpga/ivm_core.c: 2458 in ispVMStateMachine()
_____________________________________________________________________________________________
*** CID 583143: (OVERRUN)
/drivers/fpga/ivm_core.c: 2455 in ispVMStateMachine()
2449 g_JTAGTransistions[cStateIndex].NextState)) {
2450 break;
2451 }
2452 }
2453
2454 g_cCurrentJTAGState = cNextJTAGState;
>>> CID 583143: (OVERRUN)
>>> Overrunning array "g_JTAGTransistions" of 25 4-byte elements at element index 25 (byte offset 103) using index "cStateIndex" (which evaluates to 25).
2455 for (cPathIndex = 0;
2456 cPathIndex < g_JTAGTransistions[cStateIndex].Pulses;
2457 cPathIndex++) {
2458 if ((g_JTAGTransistions[cStateIndex].Pattern << cPathIndex)
2459 & 0x80) {
2460 writePort(g_ucPinTMS, (unsigned char) 0x01);
/drivers/fpga/ivm_core.c: 2458 in ispVMStateMachine()
2452 }
2453
2454 g_cCurrentJTAGState = cNextJTAGState;
2455 for (cPathIndex = 0;
2456 cPathIndex < g_JTAGTransistions[cStateIndex].Pulses;
2457 cPathIndex++) {
>>> CID 583143: (OVERRUN)
>>> Overrunning array "g_JTAGTransistions" of 25 4-byte elements at element index 25 (byte offset 103) using index "cStateIndex" (which evaluates to 25).
2458 if ((g_JTAGTransistions[cStateIndex].Pattern << cPathIndex)
2459 & 0x80) {
2460 writePort(g_ucPinTMS, (unsigned char) 0x01);
2461 } else {
2462 writePort(g_ucPinTMS, (unsigned char) 0x00);
2463 }
View Defects in Coverity Scan
<https://scan.coverity.com/projects/das-u-boot?tab=overview>
Best regards,
The Coverity Scan Admin Team
----- End forwarded message -----
--
Tom
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 228 bytes
Desc: not available
URL: <https://lists.denx.de/pipermail/u-boot/attachments/20250725/98902dc2/attachment.sig>