If qemu supports multi function PCI device, the format of the PCI address passed
to qemu is "bus=pci.0,multifunction=on,addr=slot.function".

If qemu does not support multi function PCI device, the format of the PCI address
passed to qemu is "bus=pci.0,addr=slot".

Hot pluging/unpluging multi PCI device is not supported now. So the function
of hotplugged PCI device must be 0. When we hot unplug it, we should set release
all functions in the slot.

If user does not specify the PCI address, we should auto assign an unused slot.

We will support multi function PCI device. So we should reserve all functions in
the slot if we want to reserve a slot.

We save all used PCI address in the hash table. The key is generated by domain,
bus and slot now. We will support multi function PCI device, so the key should
be generated by domain, bus, slot and function.

We do not support to hot unplug multi function PCI device now. If the device is
one function of multi function PCI device, we shoul not allow to hot unplugg
it.

qemu supports multi function PCI device at least version 0.13.0.

XenAPI session login can fail for a number of reasons, but currently no
specific
reason is displayed to the user, e.g.:

virsh -c XenAPI://citrix-xen.example.com/
Enter username for citrix-xen.example.com: root
Enter root's password for citrix-xen.example.com:
error: authentication failed: (null)
error: failed to connect to the hypervisor

This patch displays the session error description on failure.

s/hostdevwork/hostdev/

The VMware driver works like the OpenVZ driver by using a commandline
tool for management. It dosen't use it's own remote protocol.

Regression introduced in commit 02e86910.

* src/security/virt-aa-helper.c (includes): Reflect move of virRun.

Detected by Coverity.  Commit ef21beda was incomplete; it solved
a leak one one path, but not on the other.

* daemon/libvirtd.c (qemudSetLogging): Avoid leak on success.

As long as I was already touching the function...

* src/qemu/qemu_hotplug.c (qemuDomainChangeGraphics): Line wrap.

Detected by Coverity.  Bug introduced in commit 9d73efdb (v0.8.8).

* src/qemu/qemu_hotplug.c (qemuDomainChangeGraphics): Don't report
error on success.

Coverity complained about these intentional fallthrough cases, but
not about other cases that were explicitly marked with nice comments.

For some reason, Coverity doesn't seem smart enough to parse the
up-front English comment in virsh about intentional fallthrough :)

* tools/virsh.c (cmdVolSize): Mark fallthrough in a more typical
fashion.
* src/conf/nwfilter_conf.c (virNWFilterRuleDefDetailsFormat)
(virNWFilterRuleDetailsParse): Mark explicit fallthrough.

Detected by Coverity.  The beginning of the function already filtered
out NULL objectContentList as invalid.  Further investigation shows:

esxVI_RetrieveProperties is generated and returns a list of objects
that match the given propertyFilterSpec.
esxVI_LookupObjectContentByType then tests whether the result
corresponds to the expected occurrence and reports an error otherwise.
This simplifies the callers of  esxVI_LookupObjectContentByType, but
due to the missing dereference the check was never performed because
the code thought that at least one item was obtained. NULL represents
an empty list. This is a potential segfault fix because callers of
esxVI_LookupObjectContentByType that specified "required" occurrence
assume *objectContentList to be non-NULL when
esxVI_LookupObjectContentByType succeeds.

* src/esx/esx_vi.c (esxVI_LookupObjectContentByType): Check
correct pointer.

Detected by Coverity.  The only ways to get to the cleanup label
were by an early abort (list still unassigned) or after successfully
transferring list to dest, so there is no list to clean up.

* src/secret/secret_driver.c (loadSecrets): Kill dead code.

Detected by Coverity.  All existing callers happen to be in
range, so this isn't too serious.

* src/qemu/qemu_cgroup.c (qemuCgroupControllerActive): Check
bounds before dereference.

Coverity already saw through a NULL dereference without these
annotations, and gcc is still too puny to do good NULL analysis.
But clang still benefits (and is easier to run than coverity),
not to mention that adding this bit of documentation to the code
may help future developers remember the constraints.

* src/util/uuid.h (virGetHostUUID, virUUIDFormat): Document
restrictions, for improved static analysis.

Detected by Coverity.  Commit a98d8f0d tried to make uuid debugging
more robust, but missed some APIs.  And on the APIs that it visited,
the mere act of preparing the debug message ends up dereferencing
uuid prior to the null check.  Which means the APIs which are supposed
to gracefully reject NULL arguments now end up with SIGSEGV.

* src/libvirt.c (VIR_UUID_DEBUG): New macro.
(virDomainLookupByUUID, virDomainLookupByUUIDString)
(virNetworkLookupByUUID, virNetworkLookupByUUIDString)
(virStoragePoolLookupByUUID, virStoragePoolLookupByUUIDString)
(virSecretLookupByUUID, virSecretLookupByUUIDString)
(virNWFilterLookupByUUID, virNWFilterLookupByUUIDString): Avoid
null dereference.

Detected by Coverity.  cpumap was allocated with a value of
(unsigned short)*(int), which is an int computation, and then
promotes to size_t.  On a 64-bit platform, this fails if bit
32 of the product is set (because of sign extension giving
a HUGE value to malloc), even though a naive programmer would
assume that since the first value is unsigned, the product
is also unsigned and at most 4GB would be allocated.

Won't bite in practice (the product should never be that large),
but worth using the right types to begin with, so that we are
now computing (unsigned short)*(size_t).

* python/libvirt-override.c (libvirt_virDomainGetVcpus): Use
correct type.

Similar in nature to commit fd21ecfd, which shut up valgrind.

sigaction is apparently a nasty interface for analyzer tools,
at least for how many false positives it generates.

* src/util/command.c (virExecWithHook): Initialize entire var, since
coverity gripes about the (unused and non-standard) sa_restorer.

Detected by Coverity.  The code was doing math on shifted unsigned
char (which promotes to int), then promoting that to unsigned long
during assignment to size.  On 64-bit platforms, this risks sign
extending values of size > 2GiB.  Bug present since commit
489fd3 (v0.6.0).

I'm not sure if a specially-crafted bogus qcow2 image could
exploit this, although it's probably not possible, since we
were already checking for the computed results being within
range of our fixed-size buffer.

* src/util/storage_file.c (qcowXGetBackingStore): Avoid sign
extension.

Coverity 5.3.0 still outputs lots of COVERITY_* variables, but no
longer modifies COVERITY_BUILD_COMMAND in the environment.  Pick
one that seems likely to stay around.

* configure.ac (STATIC_ANALYSIS): Detect newer Coverity.

API virDomainMigrateSetMaxSpeed was introduced since 0.9.0, but
no command in virsh yet.

Since we can't really get useful error reporting from virCommandExec since
it needs to be the last thing we do.

Otherwise the following virFileMakePath will create the directory for
us and fail further ahead, which probably isn't intended.

Add a handshake with the cloned container process to try and detect
if it fails to start.

Add a simple handshake with the lxc_controller process so we can detect
process startup failures. We do this by adding a new --handshake cli arg
to lxc_controller for passing a file descriptor. If the process fails to
launch, we scrape all output from the logfile and report it to the user.

Arranges things similar to the qemu driver. Will allow us to more easily
report command error output.

We will reuse these shortly, and each use should have a different error
message.

Makes it more likely we get useful error output in the logs

Seems reasonable to have all command wrappers in the same place

v2:
    Dont move SetInherit

v3:
    Comment spelling fix
    Adjust WARN0 comment
    Remove spurious #include movement
    Don't include sys/types.h
    Combine virExec enums
Signed-off-by: NCole Robinson <crobinso@redhat.com>

v2:
    Simplify command building
    Handle command building failure

v3:
    Remove unneeded NULL check
Signed-off-by: NCole Robinson <crobinso@redhat.com>

v3:
    Remove obsolete comment
Signed-off-by: NCole Robinson <crobinso@redhat.com>

v2:
    Have virCommand cleanup intermediate process for us

v3:
    Preserve original FD closing behavior
Signed-off-by: NCole Robinson <crobinso@redhat.com>

Those checks are already performed at the public API level.

For backwards compatibility, if no <video> is set but there is a
<graphics> tag, then we add a default <video> according to the
guest type. Add docs to tell the user about this to not make
them confused. Especially if they remove the video (such as via
"virsh edit"), it will be surprised for them to see the video
element is still in domain XML.