New Defects reported by Coverity Scan for RTEMS
scan-admin at coverity.com
scan-admin at coverity.com
Tue Mar 5 01:50:08 UTC 2024
Hi,
Please find the latest report on new defect(s) introduced to RTEMS found with Coverity Scan.
13 new defect(s) introduced to RTEMS found with Coverity Scan.
2 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan.
New defect(s) Reported-by: Coverity Scan
Showing 13 of 13 defect(s)
** CID 1592935: Memory - corruptions (OVERRUN)
________________________________________________________________________________________________________
*** CID 1592935: Memory - corruptions (OVERRUN)
/cpukit/score/src/objectgetinfoid.c: 48 in _Objects_Get_information_id()
42 #include <rtems/score/objectimpl.h>
43
44 Objects_Information *_Objects_Get_information_id(
45 Objects_Id id
46 )
47 {
>>> CID 1592935: Memory - corruptions (OVERRUN)
>>> Overrunning callee's array of size 4 by passing argument "_Objects_Get_API(id)" (which evaluates to 7) in call to "_Objects_Get_information".
48 return _Objects_Get_information(
49 _Objects_Get_API( id ),
50 _Objects_Get_class( id )
51 );
** CID 1592934: Concurrent data access violations (MISSING_LOCK)
/cpukit/posix/src/aio_misc.c: 90 in rtems_aio_init()
________________________________________________________________________________________________________
*** CID 1592934: Concurrent data access violations (MISSING_LOCK)
/cpukit/posix/src/aio_misc.c: 90 in rtems_aio_init()
84 }
85
86 rtems_chain_initialize_empty (&aio_request_queue.work_req);
87 rtems_chain_initialize_empty (&aio_request_queue.idle_req);
88
89 aio_request_queue.active_threads = 0;
>>> CID 1592934: Concurrent data access violations (MISSING_LOCK)
>>> Accessing "aio_request_queue.idle_threads" without holding lock "rtems_aio_queue.mutex". Elsewhere, "rtems_aio_queue.idle_threads" is written to with "rtems_aio_queue.mutex" held 3 out of 4 times.
90 aio_request_queue.idle_threads = 0;
91 aio_request_queue.initialized = AIO_QUEUE_INITIALIZED;
92
93 return result;
94 }
95
** CID 1592933: Code maintainability issues (UNUSED_VALUE)
/cpukit/libmisc/capture/capture_support.c: 471 in rtems_capture_print_watch_list()
________________________________________________________________________________________________________
*** CID 1592933: Code maintainability issues (UNUSED_VALUE)
/cpukit/libmisc/capture/capture_support.c: 471 in rtems_capture_print_watch_list()
465 {
466 if (rtems_capture_control_by_valid (control, f))
467 {
468 if (lf && ((fshowed % 3) == 0))
469 {
470 fprintf (stdout, "\n");
>>> CID 1592933: Code maintainability issues (UNUSED_VALUE)
>>> Assigning value "0" to "lf" here, but that stored value is overwritten before it can be used.
471 lf = 0;
472 }
473
474 fprintf (stdout, " %2i:", f);
475 rtems_monitor_dump_name (rtems_capture_control_by_name (control, f));
476 fprintf (stdout, "/");
** CID 1592932: Code maintainability issues (UNUSED_VALUE)
/cpukit/libmisc/shell/hexdump-parse.c: 432 in rtems_shell_hexdump_rewrite()
________________________________________________________________________________________________________
*** CID 1592932: Code maintainability issues (UNUSED_VALUE)
/cpukit/libmisc/shell/hexdump-parse.c: 432 in rtems_shell_hexdump_rewrite()
426 if (!fu->bcnt)
427 for (pr = fu->nextpr; pr; pr = pr->nextpr)
428 fu->bcnt += pr->bcnt;
429 }
430 if (pr) {
431 free(pr);
>>> CID 1592932: Code maintainability issues (UNUSED_VALUE)
>>> Assigning value "NULL" to "pr" here, but that stored value is overwritten before it can be used.
432 pr = NULL;
433 }
434 /*
435 * If the format string interprets any data at all, and it's
436 * not the same as the blocksize, and its last format unit
437 * interprets any data at all, and has no iteration count,
** CID 1592931: Resource leaks (RESOURCE_LEAK)
/cpukit/libfs/src/jffs2/src/wbuf.c: 748 in jffs2_flush_wbuf_gc()
________________________________________________________________________________________________________
*** CID 1592931: Resource leaks (RESOURCE_LEAK)
/cpukit/libfs/src/jffs2/src/wbuf.c: 748 in jffs2_flush_wbuf_gc()
742
743 ret = jffs2_garbage_collect_pass(c);
744 if (ret) {
745 /* GC failed. Flush it with padding instead */
746 mutex_lock(&c->alloc_sem);
747 down_write(&c->wbuf_sem);
>>> CID 1592931: Resource leaks (RESOURCE_LEAK)
>>> Overwriting "ret" in "ret = __jffs2_flush_wbuf(c, 2)" leaks the storage that "ret" points to.
748 ret = __jffs2_flush_wbuf(c, PAD_ACCOUNTING);
749 /* retry flushing wbuf in case jffs2_wbuf_recover
750 left some data in the wbuf */
751 if (ret)
752 ret = __jffs2_flush_wbuf(c, PAD_ACCOUNTING);
753 up_write(&c->wbuf_sem);
** CID 1592930: Integer handling issues (NEGATIVE_RETURNS)
________________________________________________________________________________________________________
*** CID 1592930: Integer handling issues (NEGATIVE_RETURNS)
/cpukit/ftpd/ftpd.c: 687 in data_socket()
681 }
682 }
683 }
684 }
685 info->data_socket = s;
686 info->use_default = 1;
>>> CID 1592930: Integer handling issues (NEGATIVE_RETURNS)
>>> "s" is passed to a parameter that cannot be negative.
687 set_socket_timeout(s, info->idle);
688 return s;
689 }
690
691 /*
692 * close_data_socket
** CID 1592929: Error handling issues (CHECKED_RETURN)
/cpukit/mghttpd/mongoose.c: 2883 in remove_directory()
________________________________________________________________________________________________________
*** CID 1592929: Error handling issues (CHECKED_RETURN)
/cpukit/mghttpd/mongoose.c: 2883 in remove_directory()
2877 }
2878 }
2879
2880 }
2881 (void) closedir(dirp);
2882
>>> CID 1592929: Error handling issues (CHECKED_RETURN)
>>> Calling "rmdir" without checking return value (as is done elsewhere 6 out of 7 times).
2883 rmdir(dir);
2884 }
2885
2886 return 1;
2887 }
2888
** CID 1592928: Code maintainability issues (UNUSED_VALUE)
/cpukit/posix/src/psignalclearsignals.c: 110 in _POSIX_signals_Clear_signals()
________________________________________________________________________________________________________
*** CID 1592928: Code maintainability issues (UNUSED_VALUE)
/cpukit/posix/src/psignalclearsignals.c: 110 in _POSIX_signals_Clear_signals()
104 *info = psiginfo->Info;
105 _Chain_Append_unprotected(
106 &_POSIX_signals_Inactive_siginfo,
107 &psiginfo->Node
108 );
109 } else
>>> CID 1592928: Code maintainability issues (UNUSED_VALUE)
>>> Assigning value "false" to "do_callout" here, but that stored value is overwritten before it can be used.
110 do_callout = false;
111 }
112 _POSIX_signals_Clear_process_signals( signo );
113 do_callout = true;
114 }
115 } else {
** CID 1592927: Program hangs (BAD_CHECK_OF_WAIT_COND)
/cpukit/posix/src/aio_misc.c: 525 in rtems_aio_handle()
________________________________________________________________________________________________________
*** CID 1592927: Program hangs (BAD_CHECK_OF_WAIT_COND)
/cpukit/posix/src/aio_misc.c: 525 in rtems_aio_handle()
519
520 if (rtems_chain_is_empty (chain))
521 {
522 clock_gettime (CLOCK_REALTIME, &timeout);
523 timeout.tv_sec += 3;
524 timeout.tv_nsec = 0;
>>> CID 1592927: Program hangs (BAD_CHECK_OF_WAIT_COND)
>>> The wait condition prompting the wait upon "rtems_aio_queue.mutex" is not checked correctly. This code can wait for a condition that has already been satisfied, which can cause a never-ending wait. [Note: The source code implementation of the function has been overridden by a builtin model.]
525 result = pthread_cond_timedwait (&r_chain->cond,
526 &aio_request_queue.mutex,
527 &timeout);
528
529 /* If no requests were added to the chain we delete the fd chain from
530 the queue and start working with idle fd chains */
** CID 1592926: Integer handling issues (NEGATIVE_RETURNS)
________________________________________________________________________________________________________
*** CID 1592926: Integer handling issues (NEGATIVE_RETURNS)
/cpukit/ftpd/ftpd.c: 687 in data_socket()
681 }
682 }
683 }
684 }
685 info->data_socket = s;
686 info->use_default = 1;
>>> CID 1592926: Integer handling issues (NEGATIVE_RETURNS)
>>> "s" is passed to a parameter that cannot be negative.
687 set_socket_timeout(s, info->idle);
688 return s;
689 }
690
691 /*
692 * close_data_socket
** CID 1592925: Resource leaks (RESOURCE_LEAK)
/cpukit/librtemscxx/thread.cpp: 435 in rtems::thread::thread::start_thread(std::unique_ptr<rtems::thread::thread::state_base, std::default_delete<rtems::thread::thread::state_base>>)()
________________________________________________________________________________________________________
*** CID 1592925: Resource leaks (RESOURCE_LEAK)
/cpukit/librtemscxx/thread.cpp: 435 in rtems::thread::thread::start_thread(std::unique_ptr<rtems::thread::thread::state_base, std::default_delete<rtems::thread::thread::state_base>>)()
429 system_error_check(::pthread_setname_np(id_.id_,
430 attr.get_name().c_str()),
431 "setting thread name");
432
433 ::pthread_attr_destroy(&pattr);
434
>>> CID 1592925: Resource leaks (RESOURCE_LEAK)
>>> Ignoring storage allocated by "s.release()" leaks it.
435 s.release();
436 };
437 };
** CID 1592924: Concurrent data access violations (MISSING_LOCK)
/cpukit/posix/src/aio_misc.c: 89 in rtems_aio_init()
________________________________________________________________________________________________________
*** CID 1592924: Concurrent data access violations (MISSING_LOCK)
/cpukit/posix/src/aio_misc.c: 89 in rtems_aio_init()
83 pthread_attr_destroy (&aio_request_queue.attr);
84 }
85
86 rtems_chain_initialize_empty (&aio_request_queue.work_req);
87 rtems_chain_initialize_empty (&aio_request_queue.idle_req);
88
>>> CID 1592924: Concurrent data access violations (MISSING_LOCK)
>>> Accessing "aio_request_queue.active_threads" without holding lock "rtems_aio_queue.mutex". Elsewhere, "rtems_aio_queue.active_threads" is written to with "rtems_aio_queue.mutex" held 3 out of 4 times.
89 aio_request_queue.active_threads = 0;
90 aio_request_queue.idle_threads = 0;
91 aio_request_queue.initialized = AIO_QUEUE_INITIALIZED;
92
93 return result;
94 }
** CID 1592923: Uninitialized variables (UNINIT)
/cpukit/librtemscxx/thread.cpp: 387 in rtems::thread::thread::start_thread(std::unique_ptr<rtems::thread::thread::state_base, std::default_delete<rtems::thread::thread::state_base>>)()
________________________________________________________________________________________________________
*** CID 1592923: Uninitialized variables (UNINIT)
/cpukit/librtemscxx/thread.cpp: 387 in rtems::thread::thread::start_thread(std::unique_ptr<rtems::thread::thread::state_base, std::default_delete<rtems::thread::thread::state_base>>)()
381
382 system_error_check(::pthread_attr_init(&pattr),
383 "attribute init");
384
385 struct sched_param param;
386 param.sched_priority = attr.get_priority();
>>> CID 1592923: Uninitialized variables (UNINIT)
>>> Using uninitialized value "param". Field "param.sched_ss_low_priority" is uninitialized when calling "pthread_attr_setschedparam". [Note: The source code implementation of the function has been overridden by a builtin model.]
387 system_error_check(::pthread_attr_setschedparam(&pattr, &param),
388 "set sched param");
389
390 int spolicy;
391 switch (attr.get_scheduler_policy()) {
392 case attributes::sched_other:
________________________________________________________________________________________________________
To view the defects in Coverity Scan visit, https://u15810271.ct.sendgrid.net/ls/click?upn=u001.AxU2LYlgjL6eX23u9ErQy-2BKADyCpvUKOL6EWmZljiu5GLWnGNEwbhcanGyCDC8W1qxs1XK9M9KkPO5PqDYA-2Faw-3D-3DOTux_hOQomnwXvo7ZPjrovRgF1EWfSixaZuumKeNh4wRoLrkvvPUI9K8EUcrheLwm9ECj76NJOFoKGPfGZKSVsaLFekCZKp8g2rmOdwMWxmRJiJyg0dfI5QTWxprNcai0gnuEEAVw-2FOVPW-2FGxChr0T0-2BX7EVxsdL3-2FsJpgxmvvHS4Pu8LvGzmWhOD2LrF9yPDRiH0uyybPynA4EKkFLhWng-2Fi-2BA-3D-3D