Apologies the Coverity scan was failing in the CI since late January but the issue has been addressed. The below is the results of a manual run so the large number of new issues are for changes between late January and today.

Please review if you have submitted and had merged  patches during that period. 

As mentioned below this is run on https://scan.coverity.com/projects/arm-software-arm-trusted-firmware?tab=overview which is a service offered to opensource projects like TF-A. Unfortunately we only have a limited number of runs each week and we have configured the OpenCI to run daily  which does mean its a test run after the patched merged that day. We would of course like to have run while in review state but the limited number of runs mean we cannot do that.

Joanna



From: scan-admin--- via TF-A <tf-a@lists.trustedfirmware.org>
Date: Thursday, 20 March 2025 at 00:08
To: tf-a@lists.trustedfirmware.org <tf-a@lists.trustedfirmware.org>
Subject: [TF-A] New Defects reported by Coverity Scan for ARM-software/arm-trusted-firmware

Hi,

Please find the latest report on new defect(s) introduced to ARM-software/arm-trusted-firmware found with Coverity Scan.

49 new defect(s) introduced to ARM-software/arm-trusted-firmware found with Coverity Scan.
13 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan.

New defect(s) Reported-by: Coverity Scan
Showing 20 of 49 defect(s)


** CID 457912:  Concurrent data access violations  (MISSING_LOCK)
/services/std_svc/sdei/sdei_event.c: 117 in sdei_get_registered_event_count()


________________________________________________________________________________________________________
*** CID 457912:  Concurrent data access violations  (MISSING_LOCK)
/services/std_svc/sdei/sdei_event.c: 117 in sdei_get_registered_event_count()
111      unsigned int j;
112      int count = 0;
113    
114      /* Add up reg counts for each mapping. */
115      for_each_mapping_type(i, mapping) {
116              iterate_mapping(mapping, j, map) {
>>>     CID 457912:  Concurrent data access violations  (MISSING_LOCK)
>>>     Accessing "map->reg_count" without holding lock "sdei_ev_map.lock". Elsewhere, "sdei_ev_map.reg_count" is written to with "sdei_ev_map.lock" held 2 out of 3 times.
117                      count += map->reg_count;
118              }
119      }
120    
121      return count;

** CID 457911:  Null pointer dereferences  (REVERSE_INULL)
/plat/mediatek/drivers/cpu_pm/cpcv5_4/mt_cpu_pm.c: 801 in cpupm_invoke()


________________________________________________________________________________________________________
*** CID 457911:  Null pointer dereferences  (REVERSE_INULL)
/plat/mediatek/drivers/cpu_pm/cpcv5_4/mt_cpu_pm.c: 801 in cpupm_invoke()
795                      ret = MTK_CPUPM_E_ERR;
796              break;
797     #endif /* CPU_PM_SUSPEND_NOTIFY */
798    
799     #ifdef CPU_PM_PWR_REQ
800      case CPUPM_INVOKE_PWR_REQ_ACTIVE:
>>>     CID 457911:  Null pointer dereferences  (REVERSE_INULL)
>>>     Null-checking "priv" suggests that it may be null, but it has already been dereferenced on all paths leading to the check.
801              if (priv) {
802                      if (req->stat.uid == CPUPM_PWR_REQ_UID_MAGIC)
803                              req->stat.uid = CPUPM_PWR_STAT_REQ_UID_MAGIC;
804                      else
805                              ret = MTK_CPUPM_E_ERR;
806              } else

** CID 457910:  Integer handling issues  (INTEGER_OVERFLOW)
/lib/libc/strtoll.c: 128 in strtoll()


________________________________________________________________________________________________________
*** CID 457910:  Integer handling issues  (INTEGER_OVERFLOW)
/lib/libc/strtoll.c: 128 in strtoll()
122                      any = 1;
123                      acc *= base;
124                      acc += c;
125              }
126      }
127      if (any < 0) {
>>>     CID 457910:  Integer handling issues  (INTEGER_OVERFLOW)
>>>     Expression "acc", where "neg ? -9223372036854775808LL : 9223372036854775807LL" is known to be equal to -9223372036854775808, underflows the type of "acc", which is type "unsigned long long".
128              acc = neg ? LLONG_MIN : LLONG_MAX;
129      } else if (neg)
130              acc = -acc;
131      if (endptr != NULL)
132              *endptr = (char *)(any ? s - 1 : nptr);
133      return (acc);

** CID 457909:    (INTEGER_OVERFLOW)
/drivers/nxp/ddr/nxp-ddr/regs.c: 159 in cal_timing_cfg()
/drivers/nxp/ddr/nxp-ddr/regs.c: 128 in cal_timing_cfg()


________________________________________________________________________________________________________
*** CID 457909:    (INTEGER_OVERFLOW)
/drivers/nxp/ddr/nxp-ddr/regs.c: 159 in cal_timing_cfg()
153      const unsigned int ext_acttopre = picos_to_mclk(clk,
154                                                      pdimm->tras_ps) >> 4U;
155      const unsigned int ext_acttorw = picos_to_mclk(clk,
156                                                     pdimm->trcd_ps) >> 4U;
157      const unsigned int ext_caslat = (2U * cas_latency - 1U) >> 4U;
158      const unsigned int ext_add_lat = additive_latency >> 4U;
>>>     CID 457909:    (INTEGER_OVERFLOW)
>>>     Expression "picos_to_mclk(clk, pdimm->trfc1_ps) - 8U", where "picos_to_mclk(clk, pdimm->trfc1_ps)" is known to be equal to 0, underflows the type of "picos_to_mclk(clk, pdimm->trfc1_ps) - 8U", which is type "unsigned int".
159      const unsigned int ext_refrec = (picos_to_mclk(clk,
160                                             pdimm->trfc1_ps) - 8U) >> 4U;
161      const unsigned int ext_wrrec = (picos_to_mclk(clk, pdimm->twr_ps) +
162                                (popts->otf_burst_chop_en ? 2U : 0U)) >> 4U;
163      const unsigned int rwt_same_cs = 0U;
164      const unsigned int wrt_same_cs = 0U;
/drivers/nxp/ddr/nxp-ddr/regs.c: 128 in cal_timing_cfg()
122      const int acttorw_mclk = picos_to_mclk(clk, pdimm->trcd_ps);
123      const int caslat_ctrl = (cas_latency - 1) << 1;
124      const int trfc1_min = pdimm->die_density >= 0x3 ? 16000 :
125                            (pdimm->die_density == 0x4 ? 26000 :
126                             (pdimm->die_density == 0x5 ? 35000 :
127                              55000));
>>>     CID 457909:    (INTEGER_OVERFLOW)
>>>     Expression "refrec_ctrl", where "picos_to_mclk(clk, pdimm->trfc1_ps) - 8U" is known to be equal to 4294967288, overflows the type of "refrec_ctrl", which is type "int const".
128      const int refrec_ctrl = picos_to_mclk(clk,
129                                                      pdimm->trfc1_ps) - 8;
130      int wrrec_mclk = picos_to_mclk(clk, pdimm->twr_ps);
131      const int acttoact_mclk = max(picos_to_mclk(clk,
132                                                            pdimm->trrds_ps),
133                                              4U);

** CID 457908:    (INTEGER_OVERFLOW)
/drivers/marvell/amb_adec.c: 70 in amb_check_win()
/drivers/marvell/amb_adec.c: 60 in amb_check_win()


________________________________________________________________________________________________________
*** CID 457908:    (INTEGER_OVERFLOW)
/drivers/marvell/amb_adec.c: 70 in amb_check_win()
64       }
65    
66       /* size parameter validity check */
67       if (!IS_POWER_OF_2(win->win_size)) {
68               WARN("Window %d: window size is not power of 2 (0x%" PRIx64 ")\n",
69                      win_num, win->win_size);
>>>     CID 457908:    (INTEGER_OVERFLOW)
>>>     Expression "win->win_size - 1UL", where "win->win_size" is known to be equal to 0, underflows the type of "win->win_size - 1UL", which is type "unsigned long".
70               win->win_size = ROUND_UP_TO_POW_OF_2(win->win_size);
71               WARN("Rounding size to 0x%" PRIx64 "\n", win->win_size);
72       }
73     }
74    
75     static void amb_enable_win(struct addr_map_win *win, uint32_t win_num)
/drivers/marvell/amb_adec.c: 60 in amb_check_win()
54       }
55    
56       base_addr  = win->base_addr << AMB_BASE_OFFSET;
57       /* for AMB The base is always 1M aligned */
58       /* check if address is aligned to 1M */
59       if (IS_NOT_ALIGN(base_addr, AMB_WIN_ALIGNMENT_1M)) {
>>>     CID 457908:    (INTEGER_OVERFLOW)
>>>     Expression "base_addr + 1048576U", where "base_addr" is known to be equal to 4294901760, overflows the type of "base_addr + 1048576U", which is type "unsigned int".
60               win->base_addr = ALIGN_UP(base_addr, AMB_WIN_ALIGNMENT_1M);
61               WARN("Window %d: base address unaligned to 0x%x\n",
62                      win_num, AMB_WIN_ALIGNMENT_1M);
63               WARN("Align up the base address to 0x%" PRIx64 "\n", win->base_addr);
64       }
65    

** CID 457907:  Control flow issues  (DEADCODE)
/plat/mediatek/drivers/spm/mt8196/mt_spm_internal.c: 774 in __spm_set_pcm_wdt()


________________________________________________________________________________________________________
*** CID 457907:  Control flow issues  (DEADCODE)
/plat/mediatek/drivers/spm/mt8196/mt_spm_internal.c: 774 in __spm_set_pcm_wdt()
768      /* Enable PCM WDT (normal mode) to start count if needed */
769      if (en) {
770              mmio_clrsetbits_32(PCM_CON1, REG_PCM_WDT_WAKE_LSB,
771                                 SPM_REGWR_CFG_KEY);
772    
773              if (mmio_read_32(PCM_TIMER_VAL) > PCM_TIMER_MAX)
>>>     CID 457907:  Control flow issues  (DEADCODE)
>>>     Execution cannot reach this statement: "mmio_write_32(469779860UL, ...".
774                      mmio_write_32(PCM_TIMER_VAL, PCM_TIMER_MAX);
775              mmio_write_32(PCM_WDT_VAL, mmio_read_32(PCM_TIMER_VAL) +
776                            PCM_WDT_TIMEOUT);
777              mmio_setbits_32(PCM_CON1, SPM_REGWR_CFG_KEY |
778                              REG_PCM_WDT_EN_LSB);
779      } else {

** CID 457906:  Integer handling issues  (INTEGER_OVERFLOW)
/plat/intel/soc/common/soc/socfpga_reset_manager.c: 1274 in socfpga_cpurstrelease()


________________________________________________________________________________________________________
*** CID 457906:  Integer handling issues  (INTEGER_OVERFLOW)
/plat/intel/soc/common/soc/socfpga_reset_manager.c: 1274 in socfpga_cpurstrelease()
1268                     cpurstrelease_status = mmio_read_32(SOCFPGA_RSTMGR(CPURSTRELEASE));
1269    
1270                     if ((cpurstrelease_status & RSTMGR_CPUSTRELEASE_CPUx) == cpu_id) {
1271                             return RSTMGR_RET_OK;
1272                     }
1273                     udelay(1000);
>>>     CID 457906:  Integer handling issues  (INTEGER_OVERFLOW)
>>>     Expression "timeout--", where "timeout" is known to be equal to 0, underflows the type of "timeout--", which is type "unsigned int".
1274             } while (timeout-- > 0);
1275    
1276             return RSTMGR_RET_ERROR;

** CID 457905:  Parse warnings  (PARSE_ERROR)
/mbedtls/library/common.h: 23 in ()


________________________________________________________________________________________________________
*** CID 457905:  Parse warnings  (PARSE_ERROR)
/mbedtls/library/common.h: 23 in ()
17     #include <assert.h>
18     #include <stddef.h>
19     #include <stdint.h>
20     #include <stddef.h>
21    
22     #if defined(__ARM_NEON)
>>>     CID 457905:  Parse warnings  (PARSE_ERROR)
>>>     cannot open source file "arm_neon.h"
23     #include <arm_neon.h>
24     #define MBEDTLS_HAVE_NEON_INTRINSICS
25     #elif defined(MBEDTLS_PLATFORM_IS_WINDOWS_ON_ARM64)
26     #include <arm64_neon.h>
27     #define MBEDTLS_HAVE_NEON_INTRINSICS
28     #endif

** CID 457904:  Integer handling issues  (OVERFLOW_BEFORE_WIDEN)
/plat/rockchip/rk3576/scmi/rk3576_clk.c: 517 in rk3576_lpll_get_rate()


________________________________________________________________________________________________________
*** CID 457904:  Integer handling issues  (OVERFLOW_BEFORE_WIDEN)
/plat/rockchip/rk3576/scmi/rk3576_clk.c: 517 in rk3576_lpll_get_rate()
511    
512      rate64 *= m;
513      rate64 = rate64 / p;
514    
515      if (k != 0) {
516              /* fractional mode */
>>>     CID 457904:  Integer handling issues  (OVERFLOW_BEFORE_WIDEN)
>>>     Potentially overflowing expression "24000000U * k" with type "unsigned int" (32 bits, unsigned) is evaluated using 32-bit arithmetic, and then used in a context that expects an expression of type "uint64_t" (64 bits, unsigned).
517              uint64_t frac_rate64 = 24000000 * k;
518    
519              postdiv = p * 65536;
520              frac_rate64 = frac_rate64 / postdiv;
521              rate64 += frac_rate64;
522      }

** CID 457903:  Integer handling issues  (INTEGER_OVERFLOW)
/drivers/marvell/mv_ddr/ddr3_training_ip_engine.c: 1905 in mv_ddr_load_dm_pattern_to_odpg()


________________________________________________________________________________________________________
*** CID 457903:  Integer handling issues  (INTEGER_OVERFLOW)
/drivers/marvell/mv_ddr/ddr3_training_ip_engine.c: 1905 in mv_ddr_load_dm_pattern_to_odpg()
1899                             data_low = pattern_table_get_word(0, pattern, (u8)(pattern_len * 2));
1900                             data_high = pattern_table_get_word(0, pattern, (u8)(pattern_len * 2 + 1));
1901                     }
1902    
1903                     /* odpg mbus dm definition is opposite to ddr4 protocol */
1904                     if (dm_dir == DM_DIR_INVERSE)
>>>     CID 457903:  Integer handling issues  (INTEGER_OVERFLOW)
>>>     Expression "dm_data", where "~((data_low & 0xfU) | (data_high & 0xf0U))" is known to be equal to 255, overflows the type of "dm_data", which is type "u8".
1905                             dm_data = ~((data_low & LOW_NIBBLE_BYTE_MASK) | (data_high & HIGH_NIBBLE_BYTE_MASK));
1906                     else
1907                             dm_data = (data_low & LOW_NIBBLE_BYTE_MASK) | (data_high & HIGH_NIBBLE_BYTE_MASK);
1908    
1909                     ddr3_tip_if_write(0, access_type, 0, ODPG_DATA_WR_DATA_LOW_REG, data_low, MASK_ALL_BITS);
1910                     ddr3_tip_if_write(0, access_type, 0, ODPG_DATA_WR_DATA_HIGH_REG, data_high, MASK_ALL_BITS);

** CID 457902:  Insecure data handling  (INTEGER_OVERFLOW)


________________________________________________________________________________________________________
*** CID 457902:  Insecure data handling  (INTEGER_OVERFLOW)
/lib/libfdt/fdt_rw.c: 495 in fdt_pack()
489      int mem_rsv_size;
490    
491      FDT_RW_PROBE(fdt);
492    
493      mem_rsv_size = (fdt_num_mem_rsv(fdt)+1)
494              * sizeof(struct fdt_reserve_entry);
>>>     CID 457902:  Insecure data handling  (INTEGER_OVERFLOW)
>>>     "mem_rsv_size", which might have overflowed, is passed to "fdt_packblocks_(fdt, fdt, mem_rsv_size, fdt32_ld(&((struct fdt_header const *)fdt)->size_dt_struct), fdt32_ld(&((struct fdt_header const *)fdt)->size_dt_strings))".
495      fdt_packblocks_(fdt, fdt, mem_rsv_size, fdt_size_dt_struct(fdt),
496                      fdt_size_dt_strings(fdt));
497      fdt_set_totalsize(fdt, fdt_data_size_(fdt));
498    
499      return 0;

** CID 457901:  Integer handling issues  (INTEGER_OVERFLOW)
/plat/mediatek/drivers/spmi/pmif_common.c: 111 in pmif_spmi_read_cmd()


________________________________________________________________________________________________________
*** CID 457901:  Integer handling issues  (INTEGER_OVERFLOW)
/plat/mediatek/drivers/spmi/pmif_common.c: 111 in pmif_spmi_read_cmd()
105      ret = pmif_check_idle(arb->mstid);
106      if (ret)
107              goto done;
108    
109      /* Send the command. */
110      offset = arb->regs[PMIF_SWINF_3_ACC];
>>>     CID 457901:  Integer handling issues  (INTEGER_OVERFLOW)
>>>     Expression "opc << 30", where "opc" is known to be equal to 2, overflows the type of "opc << 30", which is type "int".
111      mmio_write_32((uintptr_t)(arb->base + offset), PMIF_RW_CMD_SET(opc, 0, sid, bc, addr));
112      /*
113       * Wait for Software Interface FSM state to be WFVLDCLR,
114       * read the data and clear the valid flag.
115       */
116      ret = pmif_check_vldclr(arb->mstid);

** CID 457900:  Integer handling issues  (CONSTANT_EXPRESSION_RESULT)
/lib/extensions/amu/aarch32/amu.c: 51 in amu_enable()


________________________________________________________________________________________________________
*** CID 457900:  Integer handling issues  (CONSTANT_EXPRESSION_RESULT)
/lib/extensions/amu/aarch32/amu.c: 51 in amu_enable()
45       /* Enable all architected counters by default */
46       write_amcntenset0(AMCNTENSET0_Pn_MASK);
47       if (is_feat_amu_aux_supported()) {
48               unsigned int core_pos = plat_my_core_pos();
49    
50               /* Something went wrong if we're trying to write higher bits */
>>>     CID 457900:  Integer handling issues  (CONSTANT_EXPRESSION_RESULT)
>>>     "get_amu_aux_enables(core_pos) & 4294901760U /* ~0xffffU */" is always 0 regardless of the values of its operands. This occurs as a value.
51               assert((get_amu_aux_enables(core_pos) & ~AMCNTENSET1_Pn_MASK) == 0);
52               write_amcntenset1(get_amu_aux_enables(core_pos));
53       }
54    
55       /* Bail out if FEAT_AMUv1p1 features are not present. */
56       if (!is_feat_amuv1p1_supported()) {

** CID 457899:    (INTEGER_OVERFLOW)
/lib/libfdt/fdt_rw.c: 476 in fdt_open_into()


________________________________________________________________________________________________________
*** CID 457899:    (INTEGER_OVERFLOW)
/lib/libfdt/fdt_rw.c: 474 in fdt_open_into()
468              /* Try right after the old tree instead */
469              tmp = (char *)(uintptr_t)fdtend;
470              if ((tmp + newsize) > ((char *)buf + bufsize))
471                      return -FDT_ERR_NOSPACE;
472      }
473    
>>>     CID 457899:    (INTEGER_OVERFLOW)
>>>     "mem_rsv_size", which might have overflowed, is passed to "fdt_packblocks_(fdt, tmp, mem_rsv_size, struct_size, fdt32_ld(&((struct fdt_header const *)fdt)->size_dt_strings))".
474      fdt_packblocks_(fdt, tmp, mem_rsv_size, struct_size,
475                      fdt_size_dt_strings(fdt));
476      memmove(buf, tmp, newsize);
477    
478      fdt_set_magic(buf, FDT_MAGIC);
479      fdt_set_totalsize(buf, bufsize);
/lib/libfdt/fdt_rw.c: 476 in fdt_open_into()
470              if ((tmp + newsize) > ((char *)buf + bufsize))
471                      return -FDT_ERR_NOSPACE;
472      }
473    
474      fdt_packblocks_(fdt, tmp, mem_rsv_size, struct_size,
475                      fdt_size_dt_strings(fdt));
>>>     CID 457899:    (INTEGER_OVERFLOW)
>>>     "newsize", which might have underflowed, is passed to "memmove(buf, tmp, newsize)". [Note: The source code implementation of the function has been overridden by a builtin model.]
476      memmove(buf, tmp, newsize);
477    
478      fdt_set_magic(buf, FDT_MAGIC);
479      fdt_set_totalsize(buf, bufsize);
480      fdt_set_version(buf, 17);
481      fdt_set_last_comp_version(buf, 16);

** CID 457898:  Control flow issues  (UNREACHABLE)
/plat/socionext/synquacer/sq_psci.c: 142 in sq_system_off()


________________________________________________________________________________________________________
*** CID 457898:  Control flow issues  (UNREACHABLE)
/plat/socionext/synquacer/sq_psci.c: 142 in sq_system_off()
136              gpio[1] |= 0x2;         /* set high */
137              dmbst();
138    
139              mdelay(100);
140      }
141    
>>>     CID 457898:  Control flow issues  (UNREACHABLE)
>>>     This code cannot be reached: "wfi();".
142      wfi();
143      ERROR("SQ System Off: operation not handled.\n");
144      panic();
145     #endif
146     }
147    

** CID 457897:  Integer handling issues  (INTEGER_OVERFLOW)
/drivers/marvell/mv_ddr/ddr3_training_ip_engine.c: 640 in ddr3_tip_ip_training()


________________________________________________________________________________________________________
*** CID 457897:  Integer handling issues  (INTEGER_OVERFLOW)
/drivers/marvell/mv_ddr/ddr3_training_ip_engine.c: 640 in ddr3_tip_ip_training()
634      CHECK_STATUS(ddr3_tip_configure_odpg
635                   (dev_num, access_type, interface_num, direction,
636                    pattern_table[pattern].num_of_phases_tx, tx_burst_size,
637                    pattern_table[pattern].num_of_phases_rx,
638                    delay_between_burst, rd_mode, effective_cs, STRESS_NONE,
639                    DURATION_SINGLE));
>>>     CID 457897:  Integer handling issues  (INTEGER_OVERFLOW)
>>>     Expression "reg_data", where "(direction == OPER_READ) ? 0 : -1073741824" is known to be equal to -1073741824, overflows the type of "reg_data", which is type "u32".
640      reg_data = (direction == OPER_READ) ? 0 : (0x3 << 30);
641      reg_data |= (direction == OPER_READ) ? 0x60 : 0xfa;
642      CHECK_STATUS(ddr3_tip_if_write
643                   (dev_num, access_type, interface_num,
644                    ODPG_WR_RD_MODE_ENA_REG, reg_data,
645                    MASK_ALL_BITS));

** CID 457896:  Integer handling issues  (INTEGER_OVERFLOW)
/plat/mediatek/mt8183/drivers/devapc/devapc.c: 69 in set_master_domain_remap_infra()


________________________________________________________________________________________________________
*** CID 457896:  Integer handling issues  (INTEGER_OVERFLOW)
/plat/mediatek/mt8183/drivers/devapc/devapc.c: 69 in set_master_domain_remap_infra()
63               domain_emi_view = domain_emi_view - DOMAIN_11;
64               clr_bit = 0x7 << (domain_emi_view * 3 + 1);
65               set_bit = domain_infra_view << (domain_emi_view * 3 + 1);
66               mmio_clrsetbits_32(base, clr_bit, set_bit);
67       } else {
68               base = DEVAPC_INFRA_DOM_RMP_0;
>>>     CID 457896:  Integer handling issues  (INTEGER_OVERFLOW)
>>>     Expression "clr_bit", where "3 << domain_emi_view * 3U" is known to be equal to -1073741824, overflows the type of "clr_bit", which is type "uint32_t".
69               clr_bit = 0x3 << (domain_emi_view * 3);
70               set_bit = domain_infra_view << (domain_emi_view * 3);
71               mmio_clrsetbits_32(base, clr_bit, set_bit);
72    
73               base = DEVAPC_INFRA_DOM_RMP_1;
74               set_bit = (domain_infra_view & 0x4) >> 2;

** CID 457895:    (DEADCODE)
/drivers/nxp/ddr/phy-gen2/phy.c: 296 in get_cdd_val()
/drivers/nxp/ddr/phy-gen2/phy.c: 241 in get_cdd_val()
/drivers/nxp/ddr/phy-gen2/phy.c: 270 in get_cdd_val()


________________________________________________________________________________________________________
*** CID 457895:    (DEADCODE)
/drivers/nxp/ddr/phy-gen2/phy.c: 296 in get_cdd_val()
290                      }
291    
292                      tmp = rwmax;
293                      c = &cdd[25];
294                      rwmax = findmax(c, 16U);
295                      if (tmp > rwmax) {
>>>     CID 457895:    (DEADCODE)
>>>     Execution cannot reach this statement: "rwmax = tmp;".
296                              rwmax = tmp;
297                      }
298    
299                      wrmax = wwmax;
300    
301                      break;
/drivers/nxp/ddr/phy-gen2/phy.c: 241 in get_cdd_val()
235    
236              switch (rank) {
237              case 1U:
238                      tmp = rwmax;
239                      rwmax = cdd[40];
240                      if (tmp > rwmax) {
>>>     CID 457895:    (DEADCODE)
>>>     Execution cannot reach this statement: "rwmax = tmp;".
241                              rwmax = tmp;
242                      }
243    
244                      break;
245    
246              case 2U:
/drivers/nxp/ddr/phy-gen2/phy.c: 270 in get_cdd_val()
264                      buf[1] = cdd[39];
265                      buf[2] = cdd[36];
266                      buf[3] = cdd[35];
267                      tmp = rwmax;
268                      rwmax = findmax(buf, 4U);
269                      if (tmp > rwmax) {
>>>     CID 457895:    (DEADCODE)
>>>     Execution cannot reach this statement: "rwmax = tmp;".
270                              rwmax = tmp;
271                      }
272    
273                      wrmax = wwmax;
274    
275                      break;

** CID 457894:  Integer handling issues  (INTEGER_OVERFLOW)
/lib/libc/strtol.c: 127 in strtol()


________________________________________________________________________________________________________
*** CID 457894:  Integer handling issues  (INTEGER_OVERFLOW)
/lib/libc/strtol.c: 127 in strtol()
121                      any = 1;
122                      acc *= base;
123                      acc += c;
124              }
125      }
126      if (any < 0) {
>>>     CID 457894:  Integer handling issues  (INTEGER_OVERFLOW)
>>>     Expression "acc", where "neg ? -9223372036854775808L : 9223372036854775807L" is known to be equal to -9223372036854775808, underflows the type of "acc", which is type "unsigned long".
127              acc = neg ? LONG_MIN : LONG_MAX;
128      } else if (neg)
129              acc = -acc;
130      if (endptr != NULL)
131              *endptr = (char *)(any ? s - 1 : nptr);
132      return (acc);

** CID 457893:    (INTEGER_OVERFLOW)
/plat/rockchip/rk3399/drivers/dram/dfs.c: 973 in gen_rk3399_ctl_params_f1()
/plat/rockchip/rk3399/drivers/dram/dfs.c: 976 in gen_rk3399_ctl_params_f1()


________________________________________________________________________________________________________
*** CID 457893:    (INTEGER_OVERFLOW)
/plat/rockchip/rk3399/drivers/dram/dfs.c: 973 in gen_rk3399_ctl_params_f1()
967                              tmp = 0;
968                      else if (tmp1 < 5)
969                              tmp = tmp1 - 1;
970                      else
971                              tmp = tmp1 - 5;
972              } else {
>>>     CID 457893:    (INTEGER_OVERFLOW)
>>>     Expression "tmp1 - 2U", where "tmp1" is known to be equal to 0, underflows the type of "tmp1 - 2U", which is type "unsigned int".
973                      tmp = tmp1 - 2;
974              }
975    
976              mmio_clrsetbits_32(CTL_REG(i, 314), 0xffu << 24, tmp << 24);
977    
978              /* CTL_314 TDFI_RDCSLAT_F1:RW:16:8 */
/plat/rockchip/rk3399/drivers/dram/dfs.c: 976 in gen_rk3399_ctl_params_f1()
970                      else
971                              tmp = tmp1 - 5;
972              } else {
973                      tmp = tmp1 - 2;
974              }
975    
>>>     CID 457893:    (INTEGER_OVERFLOW)
>>>     Expression "tmp << 24", where "tmp" is known to be equal to 4294967294, overflows the type of "tmp << 24", which is type "uint32_t".
976              mmio_clrsetbits_32(CTL_REG(i, 314), 0xffu << 24, tmp << 24);
977    
978              /* CTL_314 TDFI_RDCSLAT_F1:RW:16:8 */
979              if ((timing_config->freq <= TDFI_LAT_THRESHOLD_FREQ) &&
980                  (pdram_timing->cl >= 5))
981                      tmp = pdram_timing->cl - 5;


________________________________________________________________________________________________________
To view the defects in Coverity Scan visit, https://scan.coverity.com/projects/arm-software-arm-trusted-firmware?tab=overview

--
TF-A mailing list -- tf-a@lists.trustedfirmware.org
To unsubscribe send an email to tf-a-leave@lists.trustedfirmware.org