Hi,
Please find the latest report on new defect(s) introduced to ARM-software/arm-trusted-firmware found with Coverity Scan.
49 new defect(s) introduced to ARM-software/arm-trusted-firmware found with Coverity Scan.
13 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan.
New defect(s) Reported-by: Coverity Scan
Showing 20 of 49 defect(s)
** CID 457912: Concurrent data access violations (MISSING_LOCK)
/services/std_svc/sdei/sdei_event.c: 117 in sdei_get_registered_event_count()
________________________________________________________________________________________________________
*** CID 457912: Concurrent data access violations (MISSING_LOCK)
/services/std_svc/sdei/sdei_event.c: 117 in sdei_get_registered_event_count()
111 unsigned int j;
112 int count = 0;
113
114 /* Add up reg counts for each mapping. */
115 for_each_mapping_type(i, mapping) {
116 iterate_mapping(mapping, j, map) {
>>> CID 457912: Concurrent data access violations (MISSING_LOCK)
>>> Accessing "map->reg_count" without holding lock "sdei_ev_map.lock". Elsewhere, "sdei_ev_map.reg_count" is written to with "sdei_ev_map.lock" held 2 out of 3 times.
117 count += map->reg_count;
118 }
119 }
120
121 return count;
** CID 457911: Null pointer dereferences (REVERSE_INULL)
/plat/mediatek/drivers/cpu_pm/cpcv5_4/mt_cpu_pm.c: 801 in cpupm_invoke()
________________________________________________________________________________________________________
*** CID 457911: Null pointer dereferences (REVERSE_INULL)
/plat/mediatek/drivers/cpu_pm/cpcv5_4/mt_cpu_pm.c: 801 in cpupm_invoke()
795 ret = MTK_CPUPM_E_ERR;
796 break;
797 #endif /* CPU_PM_SUSPEND_NOTIFY */
798
799 #ifdef CPU_PM_PWR_REQ
800 case CPUPM_INVOKE_PWR_REQ_ACTIVE:
>>> CID 457911: Null pointer dereferences (REVERSE_INULL)
>>> Null-checking "priv" suggests that it may be null, but it has already been dereferenced on all paths leading to the check.
801 if (priv) {
802 if (req->stat.uid == CPUPM_PWR_REQ_UID_MAGIC)
803 req->stat.uid = CPUPM_PWR_STAT_REQ_UID_MAGIC;
804 else
805 ret = MTK_CPUPM_E_ERR;
806 } else
** CID 457910: Integer handling issues (INTEGER_OVERFLOW)
/lib/libc/strtoll.c: 128 in strtoll()
________________________________________________________________________________________________________
*** CID 457910: Integer handling issues (INTEGER_OVERFLOW)
/lib/libc/strtoll.c: 128 in strtoll()
122 any = 1;
123 acc *= base;
124 acc += c;
125 }
126 }
127 if (any < 0) {
>>> CID 457910: Integer handling issues (INTEGER_OVERFLOW)
>>> Expression "acc", where "neg ? -9223372036854775808LL : 9223372036854775807LL" is known to be equal to -9223372036854775808, underflows the type of "acc", which is type "unsigned long long".
128 acc = neg ? LLONG_MIN : LLONG_MAX;
129 } else if (neg)
130 acc = -acc;
131 if (endptr != NULL)
132 *endptr = (char *)(any ? s - 1 : nptr);
133 return (acc);
** CID 457909: (INTEGER_OVERFLOW)
/drivers/nxp/ddr/nxp-ddr/regs.c: 159 in cal_timing_cfg()
/drivers/nxp/ddr/nxp-ddr/regs.c: 128 in cal_timing_cfg()
________________________________________________________________________________________________________
*** CID 457909: (INTEGER_OVERFLOW)
/drivers/nxp/ddr/nxp-ddr/regs.c: 159 in cal_timing_cfg()
153 const unsigned int ext_acttopre = picos_to_mclk(clk,
154 pdimm->tras_ps) >> 4U;
155 const unsigned int ext_acttorw = picos_to_mclk(clk,
156 pdimm->trcd_ps) >> 4U;
157 const unsigned int ext_caslat = (2U * cas_latency - 1U) >> 4U;
158 const unsigned int ext_add_lat = additive_latency >> 4U;
>>> CID 457909: (INTEGER_OVERFLOW)
>>> Expression "picos_to_mclk(clk, pdimm->trfc1_ps) - 8U", where "picos_to_mclk(clk, pdimm->trfc1_ps)" is known to be equal to 0, underflows the type of "picos_to_mclk(clk, pdimm->trfc1_ps) - 8U", which is type "unsigned int".
159 const unsigned int ext_refrec = (picos_to_mclk(clk,
160 pdimm->trfc1_ps) - 8U) >> 4U;
161 const unsigned int ext_wrrec = (picos_to_mclk(clk, pdimm->twr_ps) +
162 (popts->otf_burst_chop_en ? 2U : 0U)) >> 4U;
163 const unsigned int rwt_same_cs = 0U;
164 const unsigned int wrt_same_cs = 0U;
/drivers/nxp/ddr/nxp-ddr/regs.c: 128 in cal_timing_cfg()
122 const int acttorw_mclk = picos_to_mclk(clk, pdimm->trcd_ps);
123 const int caslat_ctrl = (cas_latency - 1) << 1;
124 const int trfc1_min = pdimm->die_density >= 0x3 ? 16000 :
125 (pdimm->die_density == 0x4 ? 26000 :
126 (pdimm->die_density == 0x5 ? 35000 :
127 55000));
>>> CID 457909: (INTEGER_OVERFLOW)
>>> Expression "refrec_ctrl", where "picos_to_mclk(clk, pdimm->trfc1_ps) - 8U" is known to be equal to 4294967288, overflows the type of "refrec_ctrl", which is type "int const".
128 const int refrec_ctrl = picos_to_mclk(clk,
129 pdimm->trfc1_ps) - 8;
130 int wrrec_mclk = picos_to_mclk(clk, pdimm->twr_ps);
131 const int acttoact_mclk = max(picos_to_mclk(clk,
132 pdimm->trrds_ps),
133 4U);
** CID 457908: (INTEGER_OVERFLOW)
/drivers/marvell/amb_adec.c: 70 in amb_check_win()
/drivers/marvell/amb_adec.c: 60 in amb_check_win()
________________________________________________________________________________________________________
*** CID 457908: (INTEGER_OVERFLOW)
/drivers/marvell/amb_adec.c: 70 in amb_check_win()
64 }
65
66 /* size parameter validity check */
67 if (!IS_POWER_OF_2(win->win_size)) {
68 WARN("Window %d: window size is not power of 2 (0x%" PRIx64 ")\n",
69 win_num, win->win_size);
>>> CID 457908: (INTEGER_OVERFLOW)
>>> Expression "win->win_size - 1UL", where "win->win_size" is known to be equal to 0, underflows the type of "win->win_size - 1UL", which is type "unsigned long".
70 win->win_size = ROUND_UP_TO_POW_OF_2(win->win_size);
71 WARN("Rounding size to 0x%" PRIx64 "\n", win->win_size);
72 }
73 }
74
75 static void amb_enable_win(struct addr_map_win *win, uint32_t win_num)
/drivers/marvell/amb_adec.c: 60 in amb_check_win()
54 }
55
56 base_addr = win->base_addr << AMB_BASE_OFFSET;
57 /* for AMB The base is always 1M aligned */
58 /* check if address is aligned to 1M */
59 if (IS_NOT_ALIGN(base_addr, AMB_WIN_ALIGNMENT_1M)) {
>>> CID 457908: (INTEGER_OVERFLOW)
>>> Expression "base_addr + 1048576U", where "base_addr" is known to be equal to 4294901760, overflows the type of "base_addr + 1048576U", which is type "unsigned int".
60 win->base_addr = ALIGN_UP(base_addr, AMB_WIN_ALIGNMENT_1M);
61 WARN("Window %d: base address unaligned to 0x%x\n",
62 win_num, AMB_WIN_ALIGNMENT_1M);
63 WARN("Align up the base address to 0x%" PRIx64 "\n", win->base_addr);
64 }
65
** CID 457907: Control flow issues (DEADCODE)
/plat/mediatek/drivers/spm/mt8196/mt_spm_internal.c: 774 in __spm_set_pcm_wdt()
________________________________________________________________________________________________________
*** CID 457907: Control flow issues (DEADCODE)
/plat/mediatek/drivers/spm/mt8196/mt_spm_internal.c: 774 in __spm_set_pcm_wdt()
768 /* Enable PCM WDT (normal mode) to start count if needed */
769 if (en) {
770 mmio_clrsetbits_32(PCM_CON1, REG_PCM_WDT_WAKE_LSB,
771 SPM_REGWR_CFG_KEY);
772
773 if (mmio_read_32(PCM_TIMER_VAL) > PCM_TIMER_MAX)
>>> CID 457907: Control flow issues (DEADCODE)
>>> Execution cannot reach this statement: "mmio_write_32(469779860UL, ...".
774 mmio_write_32(PCM_TIMER_VAL, PCM_TIMER_MAX);
775 mmio_write_32(PCM_WDT_VAL, mmio_read_32(PCM_TIMER_VAL) +
776 PCM_WDT_TIMEOUT);
777 mmio_setbits_32(PCM_CON1, SPM_REGWR_CFG_KEY |
778 REG_PCM_WDT_EN_LSB);
779 } else {
** CID 457906: Integer handling issues (INTEGER_OVERFLOW)
/plat/intel/soc/common/soc/socfpga_reset_manager.c: 1274 in socfpga_cpurstrelease()
________________________________________________________________________________________________________
*** CID 457906: Integer handling issues (INTEGER_OVERFLOW)
/plat/intel/soc/common/soc/socfpga_reset_manager.c: 1274 in socfpga_cpurstrelease()
1268 cpurstrelease_status = mmio_read_32(SOCFPGA_RSTMGR(CPURSTRELEASE));
1269
1270 if ((cpurstrelease_status & RSTMGR_CPUSTRELEASE_CPUx) == cpu_id) {
1271 return RSTMGR_RET_OK;
1272 }
1273 udelay(1000);
>>> CID 457906: Integer handling issues (INTEGER_OVERFLOW)
>>> Expression "timeout--", where "timeout" is known to be equal to 0, underflows the type of "timeout--", which is type "unsigned int".
1274 } while (timeout-- > 0);
1275
1276 return RSTMGR_RET_ERROR;
** CID 457905: Parse warnings (PARSE_ERROR)
/mbedtls/library/common.h: 23 in ()
________________________________________________________________________________________________________
*** CID 457905: Parse warnings (PARSE_ERROR)
/mbedtls/library/common.h: 23 in ()
17 #include <assert.h>
18 #include <stddef.h>
19 #include <stdint.h>
20 #include <stddef.h>
21
22 #if defined(__ARM_NEON)
>>> CID 457905: Parse warnings (PARSE_ERROR)
>>> cannot open source file "arm_neon.h"
23 #include <arm_neon.h>
24 #define MBEDTLS_HAVE_NEON_INTRINSICS
25 #elif defined(MBEDTLS_PLATFORM_IS_WINDOWS_ON_ARM64)
26 #include <arm64_neon.h>
27 #define MBEDTLS_HAVE_NEON_INTRINSICS
28 #endif
** CID 457904: Integer handling issues (OVERFLOW_BEFORE_WIDEN)
/plat/rockchip/rk3576/scmi/rk3576_clk.c: 517 in rk3576_lpll_get_rate()
________________________________________________________________________________________________________
*** CID 457904: Integer handling issues (OVERFLOW_BEFORE_WIDEN)
/plat/rockchip/rk3576/scmi/rk3576_clk.c: 517 in rk3576_lpll_get_rate()
511
512 rate64 *= m;
513 rate64 = rate64 / p;
514
515 if (k != 0) {
516 /* fractional mode */
>>> CID 457904: Integer handling issues (OVERFLOW_BEFORE_WIDEN)
>>> Potentially overflowing expression "24000000U * k" with type "unsigned int" (32 bits, unsigned) is evaluated using 32-bit arithmetic, and then used in a context that expects an expression of type "uint64_t" (64 bits, unsigned).
517 uint64_t frac_rate64 = 24000000 * k;
518
519 postdiv = p * 65536;
520 frac_rate64 = frac_rate64 / postdiv;
521 rate64 += frac_rate64;
522 }
** CID 457903: Integer handling issues (INTEGER_OVERFLOW)
/drivers/marvell/mv_ddr/ddr3_training_ip_engine.c: 1905 in mv_ddr_load_dm_pattern_to_odpg()
________________________________________________________________________________________________________
*** CID 457903: Integer handling issues (INTEGER_OVERFLOW)
/drivers/marvell/mv_ddr/ddr3_training_ip_engine.c: 1905 in mv_ddr_load_dm_pattern_to_odpg()
1899 data_low = pattern_table_get_word(0, pattern, (u8)(pattern_len * 2));
1900 data_high = pattern_table_get_word(0, pattern, (u8)(pattern_len * 2 + 1));
1901 }
1902
1903 /* odpg mbus dm definition is opposite to ddr4 protocol */
1904 if (dm_dir == DM_DIR_INVERSE)
>>> CID 457903: Integer handling issues (INTEGER_OVERFLOW)
>>> Expression "dm_data", where "~((data_low & 0xfU) | (data_high & 0xf0U))" is known to be equal to 255, overflows the type of "dm_data", which is type "u8".
1905 dm_data = ~((data_low & LOW_NIBBLE_BYTE_MASK) | (data_high & HIGH_NIBBLE_BYTE_MASK));
1906 else
1907 dm_data = (data_low & LOW_NIBBLE_BYTE_MASK) | (data_high & HIGH_NIBBLE_BYTE_MASK);
1908
1909 ddr3_tip_if_write(0, access_type, 0, ODPG_DATA_WR_DATA_LOW_REG, data_low, MASK_ALL_BITS);
1910 ddr3_tip_if_write(0, access_type, 0, ODPG_DATA_WR_DATA_HIGH_REG, data_high, MASK_ALL_BITS);
** CID 457902: Insecure data handling (INTEGER_OVERFLOW)
________________________________________________________________________________________________________
*** CID 457902: Insecure data handling (INTEGER_OVERFLOW)
/lib/libfdt/fdt_rw.c: 495 in fdt_pack()
489 int mem_rsv_size;
490
491 FDT_RW_PROBE(fdt);
492
493 mem_rsv_size = (fdt_num_mem_rsv(fdt)+1)
494 * sizeof(struct fdt_reserve_entry);
>>> CID 457902: Insecure data handling (INTEGER_OVERFLOW)
>>> "mem_rsv_size", which might have overflowed, is passed to "fdt_packblocks_(fdt, fdt, mem_rsv_size, fdt32_ld(&((struct fdt_header const *)fdt)->size_dt_struct), fdt32_ld(&((struct fdt_header const *)fdt)->size_dt_strings))".
495 fdt_packblocks_(fdt, fdt, mem_rsv_size, fdt_size_dt_struct(fdt),
496 fdt_size_dt_strings(fdt));
497 fdt_set_totalsize(fdt, fdt_data_size_(fdt));
498
499 return 0;
** CID 457901: Integer handling issues (INTEGER_OVERFLOW)
/plat/mediatek/drivers/spmi/pmif_common.c: 111 in pmif_spmi_read_cmd()
________________________________________________________________________________________________________
*** CID 457901: Integer handling issues (INTEGER_OVERFLOW)
/plat/mediatek/drivers/spmi/pmif_common.c: 111 in pmif_spmi_read_cmd()
105 ret = pmif_check_idle(arb->mstid);
106 if (ret)
107 goto done;
108
109 /* Send the command. */
110 offset = arb->regs[PMIF_SWINF_3_ACC];
>>> CID 457901: Integer handling issues (INTEGER_OVERFLOW)
>>> Expression "opc << 30", where "opc" is known to be equal to 2, overflows the type of "opc << 30", which is type "int".
111 mmio_write_32((uintptr_t)(arb->base + offset), PMIF_RW_CMD_SET(opc, 0, sid, bc, addr));
112 /*
113 * Wait for Software Interface FSM state to be WFVLDCLR,
114 * read the data and clear the valid flag.
115 */
116 ret = pmif_check_vldclr(arb->mstid);
** CID 457900: Integer handling issues (CONSTANT_EXPRESSION_RESULT)
/lib/extensions/amu/aarch32/amu.c: 51 in amu_enable()
________________________________________________________________________________________________________
*** CID 457900: Integer handling issues (CONSTANT_EXPRESSION_RESULT)
/lib/extensions/amu/aarch32/amu.c: 51 in amu_enable()
45 /* Enable all architected counters by default */
46 write_amcntenset0(AMCNTENSET0_Pn_MASK);
47 if (is_feat_amu_aux_supported()) {
48 unsigned int core_pos = plat_my_core_pos();
49
50 /* Something went wrong if we're trying to write higher bits */
>>> CID 457900: Integer handling issues (CONSTANT_EXPRESSION_RESULT)
>>> "get_amu_aux_enables(core_pos) & 4294901760U /* ~0xffffU */" is always 0 regardless of the values of its operands. This occurs as a value.
51 assert((get_amu_aux_enables(core_pos) & ~AMCNTENSET1_Pn_MASK) == 0);
52 write_amcntenset1(get_amu_aux_enables(core_pos));
53 }
54
55 /* Bail out if FEAT_AMUv1p1 features are not present. */
56 if (!is_feat_amuv1p1_supported()) {
** CID 457899: (INTEGER_OVERFLOW)
/lib/libfdt/fdt_rw.c: 476 in fdt_open_into()
________________________________________________________________________________________________________
*** CID 457899: (INTEGER_OVERFLOW)
/lib/libfdt/fdt_rw.c: 474 in fdt_open_into()
468 /* Try right after the old tree instead */
469 tmp = (char *)(uintptr_t)fdtend;
470 if ((tmp + newsize) > ((char *)buf + bufsize))
471 return -FDT_ERR_NOSPACE;
472 }
473
>>> CID 457899: (INTEGER_OVERFLOW)
>>> "mem_rsv_size", which might have overflowed, is passed to "fdt_packblocks_(fdt, tmp, mem_rsv_size, struct_size, fdt32_ld(&((struct fdt_header const *)fdt)->size_dt_strings))".
474 fdt_packblocks_(fdt, tmp, mem_rsv_size, struct_size,
475 fdt_size_dt_strings(fdt));
476 memmove(buf, tmp, newsize);
477
478 fdt_set_magic(buf, FDT_MAGIC);
479 fdt_set_totalsize(buf, bufsize);
/lib/libfdt/fdt_rw.c: 476 in fdt_open_into()
470 if ((tmp + newsize) > ((char *)buf + bufsize))
471 return -FDT_ERR_NOSPACE;
472 }
473
474 fdt_packblocks_(fdt, tmp, mem_rsv_size, struct_size,
475 fdt_size_dt_strings(fdt));
>>> CID 457899: (INTEGER_OVERFLOW)
>>> "newsize", which might have underflowed, is passed to "memmove(buf, tmp, newsize)". [Note: The source code implementation of the function has been overridden by a builtin model.]
476 memmove(buf, tmp, newsize);
477
478 fdt_set_magic(buf, FDT_MAGIC);
479 fdt_set_totalsize(buf, bufsize);
480 fdt_set_version(buf, 17);
481 fdt_set_last_comp_version(buf, 16);
** CID 457898: Control flow issues (UNREACHABLE)
/plat/socionext/synquacer/sq_psci.c: 142 in sq_system_off()
________________________________________________________________________________________________________
*** CID 457898: Control flow issues (UNREACHABLE)
/plat/socionext/synquacer/sq_psci.c: 142 in sq_system_off()
136 gpio[1] |= 0x2; /* set high */
137 dmbst();
138
139 mdelay(100);
140 }
141
>>> CID 457898: Control flow issues (UNREACHABLE)
>>> This code cannot be reached: "wfi();".
142 wfi();
143 ERROR("SQ System Off: operation not handled.\n");
144 panic();
145 #endif
146 }
147
** CID 457897: Integer handling issues (INTEGER_OVERFLOW)
/drivers/marvell/mv_ddr/ddr3_training_ip_engine.c: 640 in ddr3_tip_ip_training()
________________________________________________________________________________________________________
*** CID 457897: Integer handling issues (INTEGER_OVERFLOW)
/drivers/marvell/mv_ddr/ddr3_training_ip_engine.c: 640 in ddr3_tip_ip_training()
634 CHECK_STATUS(ddr3_tip_configure_odpg
635 (dev_num, access_type, interface_num, direction,
636 pattern_table[pattern].num_of_phases_tx, tx_burst_size,
637 pattern_table[pattern].num_of_phases_rx,
638 delay_between_burst, rd_mode, effective_cs, STRESS_NONE,
639 DURATION_SINGLE));
>>> CID 457897: Integer handling issues (INTEGER_OVERFLOW)
>>> Expression "reg_data", where "(direction == OPER_READ) ? 0 : -1073741824" is known to be equal to -1073741824, overflows the type of "reg_data", which is type "u32".
640 reg_data = (direction == OPER_READ) ? 0 : (0x3 << 30);
641 reg_data |= (direction == OPER_READ) ? 0x60 : 0xfa;
642 CHECK_STATUS(ddr3_tip_if_write
643 (dev_num, access_type, interface_num,
644 ODPG_WR_RD_MODE_ENA_REG, reg_data,
645 MASK_ALL_BITS));
** CID 457896: Integer handling issues (INTEGER_OVERFLOW)
/plat/mediatek/mt8183/drivers/devapc/devapc.c: 69 in set_master_domain_remap_infra()
________________________________________________________________________________________________________
*** CID 457896: Integer handling issues (INTEGER_OVERFLOW)
/plat/mediatek/mt8183/drivers/devapc/devapc.c: 69 in set_master_domain_remap_infra()
63 domain_emi_view = domain_emi_view - DOMAIN_11;
64 clr_bit = 0x7 << (domain_emi_view * 3 + 1);
65 set_bit = domain_infra_view << (domain_emi_view * 3 + 1);
66 mmio_clrsetbits_32(base, clr_bit, set_bit);
67 } else {
68 base = DEVAPC_INFRA_DOM_RMP_0;
>>> CID 457896: Integer handling issues (INTEGER_OVERFLOW)
>>> Expression "clr_bit", where "3 << domain_emi_view * 3U" is known to be equal to -1073741824, overflows the type of "clr_bit", which is type "uint32_t".
69 clr_bit = 0x3 << (domain_emi_view * 3);
70 set_bit = domain_infra_view << (domain_emi_view * 3);
71 mmio_clrsetbits_32(base, clr_bit, set_bit);
72
73 base = DEVAPC_INFRA_DOM_RMP_1;
74 set_bit = (domain_infra_view & 0x4) >> 2;
** CID 457895: (DEADCODE)
/drivers/nxp/ddr/phy-gen2/phy.c: 296 in get_cdd_val()
/drivers/nxp/ddr/phy-gen2/phy.c: 241 in get_cdd_val()
/drivers/nxp/ddr/phy-gen2/phy.c: 270 in get_cdd_val()
________________________________________________________________________________________________________
*** CID 457895: (DEADCODE)
/drivers/nxp/ddr/phy-gen2/phy.c: 296 in get_cdd_val()
290 }
291
292 tmp = rwmax;
293 c = &cdd[25];
294 rwmax = findmax(c, 16U);
295 if (tmp > rwmax) {
>>> CID 457895: (DEADCODE)
>>> Execution cannot reach this statement: "rwmax = tmp;".
296 rwmax = tmp;
297 }
298
299 wrmax = wwmax;
300
301 break;
/drivers/nxp/ddr/phy-gen2/phy.c: 241 in get_cdd_val()
235
236 switch (rank) {
237 case 1U:
238 tmp = rwmax;
239 rwmax = cdd[40];
240 if (tmp > rwmax) {
>>> CID 457895: (DEADCODE)
>>> Execution cannot reach this statement: "rwmax = tmp;".
241 rwmax = tmp;
242 }
243
244 break;
245
246 case 2U:
/drivers/nxp/ddr/phy-gen2/phy.c: 270 in get_cdd_val()
264 buf[1] = cdd[39];
265 buf[2] = cdd[36];
266 buf[3] = cdd[35];
267 tmp = rwmax;
268 rwmax = findmax(buf, 4U);
269 if (tmp > rwmax) {
>>> CID 457895: (DEADCODE)
>>> Execution cannot reach this statement: "rwmax = tmp;".
270 rwmax = tmp;
271 }
272
273 wrmax = wwmax;
274
275 break;
** CID 457894: Integer handling issues (INTEGER_OVERFLOW)
/lib/libc/strtol.c: 127 in strtol()
________________________________________________________________________________________________________
*** CID 457894: Integer handling issues (INTEGER_OVERFLOW)
/lib/libc/strtol.c: 127 in strtol()
121 any = 1;
122 acc *= base;
123 acc += c;
124 }
125 }
126 if (any < 0) {
>>> CID 457894: Integer handling issues (INTEGER_OVERFLOW)
>>> Expression "acc", where "neg ? -9223372036854775808L : 9223372036854775807L" is known to be equal to -9223372036854775808, underflows the type of "acc", which is type "unsigned long".
127 acc = neg ? LONG_MIN : LONG_MAX;
128 } else if (neg)
129 acc = -acc;
130 if (endptr != NULL)
131 *endptr = (char *)(any ? s - 1 : nptr);
132 return (acc);
** CID 457893: (INTEGER_OVERFLOW)
/plat/rockchip/rk3399/drivers/dram/dfs.c: 973 in gen_rk3399_ctl_params_f1()
/plat/rockchip/rk3399/drivers/dram/dfs.c: 976 in gen_rk3399_ctl_params_f1()
________________________________________________________________________________________________________
*** CID 457893: (INTEGER_OVERFLOW)
/plat/rockchip/rk3399/drivers/dram/dfs.c: 973 in gen_rk3399_ctl_params_f1()
967 tmp = 0;
968 else if (tmp1 < 5)
969 tmp = tmp1 - 1;
970 else
971 tmp = tmp1 - 5;
972 } else {
>>> CID 457893: (INTEGER_OVERFLOW)
>>> Expression "tmp1 - 2U", where "tmp1" is known to be equal to 0, underflows the type of "tmp1 - 2U", which is type "unsigned int".
973 tmp = tmp1 - 2;
974 }
975
976 mmio_clrsetbits_32(CTL_REG(i, 314), 0xffu << 24, tmp << 24);
977
978 /* CTL_314 TDFI_RDCSLAT_F1:RW:16:8 */
/plat/rockchip/rk3399/drivers/dram/dfs.c: 976 in gen_rk3399_ctl_params_f1()
970 else
971 tmp = tmp1 - 5;
972 } else {
973 tmp = tmp1 - 2;
974 }
975
>>> CID 457893: (INTEGER_OVERFLOW)
>>> Expression "tmp << 24", where "tmp" is known to be equal to 4294967294, overflows the type of "tmp << 24", which is type "uint32_t".
976 mmio_clrsetbits_32(CTL_REG(i, 314), 0xffu << 24, tmp << 24);
977
978 /* CTL_314 TDFI_RDCSLAT_F1:RW:16:8 */
979 if ((timing_config->freq <= TDFI_LAT_THRESHOLD_FREQ) &&
980 (pdram_timing->cl >= 5))
981 tmp = pdram_timing->cl - 5;
________________________________________________________________________________________________________
To view the defects in Coverity Scan visit,
https://scan.coverity.com/projects/arm-software-arm-trusted-firmware?tab=overview
--
TF-A mailing list -- tf-a@lists.trustedfirmware.org
To unsubscribe send an email to tf-a-leave@lists.trustedfirmware.org