Without a model, Coverity can't know that the result of g_strdup()
needs to be fed to g_free().

One way to get such a model is to scan GLib, build a derived model
file with cov-collect-models, and use that when scanning QEMU.
Unfortunately, the Coverity Scan service we use doesn't support that.

Thus, we're stuck with the other way: write a user model.  Doing that
for all of GLib is hardly practical.  I'm doing it for the "String
Utility Functions" we actually use that return dynamically allocated
strings.

In a local scan, this flags 20 additional RESOURCE_LEAKs.  The ones I
checked look genuine.

It also loses a NULL_RETURNS about ppce500_init() using
qemu_find_file() without error checking.  I don't understand why.
Signed-off-by: NMarkus Armbruster <armbru@redhat.com>
Acked-by: NPaolo Bonzini <pbonzini@redhat.com>

In current versions of GLib, g_new() may expand into g_malloc_n().
When it does, Coverity can't see the memory allocation, because we
don't model g_malloc_n().  Similarly for g_new0(), g_renew(),
g_try_new(), g_try_new0(), g_try_renew().

Model g_malloc_n(), g_malloc0_n(), g_realloc_n().  Model
g_try_malloc_n(), g_try_malloc0_n(), g_try_realloc_n() by adding
indeterminate out of memory conditions on top.

To avoid undue duplication, replace the existing models for g_malloc()
& friends by trivial wrappers around g_malloc_n() & friends.

In a local scan, this flags four additional RESOURCE_LEAKs and one
NULL_RETURNS.

The NULL_RETURNS is a false positive: Coverity can now see that
g_try_malloc(l1_sz * sizeof(uint64_t)) in
qcow2_check_metadata_overlap() may return NULL, but is too stupid to
recognize that a loop executing l1_sz times won't be entered then.

Three out of the four RESOURCE_LEAKs appear genuine.  The false
positive is in ppce500_prep_device_tree(): the pointer dies, but a
pointer to a struct member escapes, and we get the pointer back for
freeing with container_of().  Too funky for Coverity.
Signed-off-by: NMarkus Armbruster <armbru@redhat.com>
Acked-by: NPaolo Bonzini <pbonzini@redhat.com>

s390 translator bug fixes

# gpg: Signature made Tue 03 Feb 2015 20:39:15 GMT using RSA key ID 4DD0279B
# gpg: Good signature from "Richard Henderson <rth7680@gmail.com>"
# gpg:                 aka "Richard Henderson <rth@redhat.com>"
# gpg:                 aka "Richard Henderson <rth@twiddle.net>"

* remotes/rth/tags/pull-tg-s390-20150203:
  target-s390x: fix and optimize slb* and slbg* computation of carry/borrow flag
  target-s390x: support OC and NC in the EX instruction
  disas/s390.c: Remove unused variables
  target-s390x: Mark check_privileged() as !CONFIG_USER_ONLY
  target-s390: Implement ECAG
  target-s390: Implement LURA, LURAG, STURG
  target-s390: Fix STURA
  target-s390: Fix STIDP
  target-s390: Implement EPSW
  target-s390: Implement SAM specification exception
Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>

This patch fixes the bug with borrow_in being set incorrectly, but it
also simplifies the logic to be much more plain, improving speed.  It
fixes both the 32-bit SLB* and 64-bit SLBG*.

The SLBG* change has been well-tested.  I haven't tested the SLB* change
explicitly, but the code was copy-pasted from the tested code.

The error of these functions' current implementations would not likely
be triggered by compiler-generated code, since the only error was in the
state of the carry/borrow flag.  Compilers rarely generate an
instruction sequence such as carry-set -> carry-set-and-use ->
carry-use.

(With Paolo's fix and mine, there are still a couple of failures from
GMP's testsuite, but they are almost surely due to incorrect code
generation from gcc 4.9.  But since this gcc is running under qemu, it
might be qemu bugs.  I intend to investigate this.)
Signed-off-by: NTorbjorn Granlund <torbjorng@google.com>
Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>
Signed-off-by: NRichard Henderson <rth@twiddle.net>

This is needed to run the GMP testsuite.
Reported-by: NTorbjorn Granlund <torbjorng@google.com>
Tested-by: NTorbjorn Granlund <torbjorng@google.com>
Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>
Signed-off-by: NRichard Henderson <rth@twiddle.net>

The variables s390_opformats and s390_num_opformats are unused and
provoke clang warnings:

disas/s390.c:849:33: warning: variable 's390_opformats' is not needed and will not be emitted [-Wunneeded-internal-declaration]
static const struct s390_opcode s390_opformats[] =
                                ^
disas/s390.c:875:18: warning: unused variable 's390_num_opformats' [-Wunused-const-variable]
static const int s390_num_opformats =
                 ^

Delete them, since QEMU doesn't use them.
Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>
Reviewed-by: NStefan Weil <sw@weilnetz.de>
Message-id: 1419373100-17690-3-git-send-email-peter.maydell@linaro.org
Signed-off-by: NRichard Henderson <rth@twiddle.net>

The function check_privileged() is only used in the softmmu configs;
wrap it in an #ifndef CONFIG_USER_ONLY to avoid clang warnings on the
linux-user builds.

[rth: Remove inline marker too; it was only there to prevent exactly
this warning in GCC.]
Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>
Reviewed-by: NStefan Weil <sw@weilnetz.de>
Message-id: 1419373100-17690-2-git-send-email-peter.maydell@linaro.org
Signed-off-by: NRichard Henderson <rth@twiddle.net>

Signed-off-by: NRichard Henderson <rth@twiddle.net>

Signed-off-by: NRichard Henderson <rth@twiddle.net>

We were storing 16 bits instead of 32.
Signed-off-by: NRichard Henderson <rth@twiddle.net>

The implementation had been incomplete, as we did not store the
machine type.  Note that the machine_type member is still unset
during initialization, so this has no effect yet.
Signed-off-by: NRichard Henderson <rth@twiddle.net>

Signed-off-by: NRichard Henderson <rth@twiddle.net>

Also, these are user-mode instructions; allow their use
in CONFIG_USER_ONLY.
Signed-off-by: NRichard Henderson <rth@twiddle.net>

Some bugfixes and cleanups for s390x, both in the new pci code and
in old code.

# gpg: Signature made Tue 03 Feb 2015 13:01:04 GMT using RSA key ID C6F02FAF
# gpg: Good signature from "Cornelia Huck <huckc@linux.vnet.ibm.com>"
# gpg:                 aka "Cornelia Huck <cornelia.huck@de.ibm.com>"

* remotes/cohuck/tags/s390x-20150203:
  pc-bios/s390-ccw: update binary
  pc-bios/s390-ccw: fix sparse warnings
  s390x/ipl: Improved code indentation in s390_ipl_init()
  s390x/kvm: unknown DIAGNOSE code should give a specification exception
  s390x/kvm: Fix diag-308 register decoding
  s390x/pci: fix dma notifications in rpcit instruction
  s390x/pci: check for invalid function handle
  s390x/pci: avoid sign extension in stpcifc
  s390: Plug memory leak on s390_pci_generate_event() error path
Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>

Signed-off-by: NCornelia Huck <cornelia.huck@de.ibm.com>

Fix some sparse warnings in the s390-ccw bios.
Signed-off-by: NChristian Borntraeger <borntraeger@de.ibm.com>
Signed-off-by: NCornelia Huck <cornelia.huck@de.ibm.com>

The indentation of the code in s390_ipl_init() can be simplified
a little bit by removing superfluous else-statements.
Suggested-by: NMichael Mueller <mimu@linux.vnet.ibm.com>
Signed-off-by: NThomas Huth <thuth@linux.vnet.ibm.com>
Acked-by: NCornelia Huck <cornelia.huck@de.ibm.com>
Signed-off-by: NCornelia Huck <cornelia.huck@de.ibm.com>

As described in CP programming services an unimplemented DIAGNOSE
function should return a specification exception. Today we give the
guest an operation exception.
As both exception types are suppressing and Linux as a guest does not
care about the type of program check in its exception table handler
as long as both types have the same kind of error handling (nullifying,
terminating, suppressing etc.) this was unnoticed.
Reviewed-by: NThomas Huth <thuth@linux.vnet.ibm.com>
Signed-off-by: NChristian Borntraeger <borntraeger@de.ibm.com>
Signed-off-by: NCornelia Huck <cornelia.huck@de.ibm.com>

Fix the decoding of the r1 register number in the diagnose 308 handler.
Signed-off-by: NThomas Huth <thuth@linux.vnet.ibm.com>
Reviewed-by: NMichael Mueller <mimu@linux.vnet.ibm.com>
Signed-off-by: NCornelia Huck <cornelia.huck@de.ibm.com>

The virtual I/O address range passed to rpcit instruction might not
map to consecutive physical guest pages. For this we have to translate
and create mapping notifications for each vioa page separately.
Signed-off-by: NYi Min Zhao <zyimin@cn.ibm.com>
Signed-off-by: NCornelia Huck <cornelia.huck@de.ibm.com>

broken guest may provide 0 (invalid) function handle to zpci
instructions. Since we use function handle 0 to indicate an empty
slot in the PHB we have to add an additional check to spot this
kind of error.
Signed-off-by: NFrank Blaschka <blaschka@linux.vnet.ibm.com>
Signed-off-by: NCornelia Huck <cornelia.huck@de.ibm.com>

This patch avoids sign extension and fixes a data conversion
bug in stpcifc. Both issues where found by Coverity.
Reviewed-by: NMarkus Armbruster <armbru@redhat.com>
Signed-off-by: NFrank Blaschka <blaschka@linux.vnet.ibm.com>
Signed-off-by: NCornelia Huck <cornelia.huck@de.ibm.com>

Signed-off-by: NMarkus Armbruster <armbru@redhat.com>
Signed-off-by: NCornelia Huck <cornelia.huck@de.ibm.com>

The important bits here are the first part of RCU.

v1->v2 changes are the new qemu-thread patch to fix Mac OS X,
and cleaning up warnings.

v2->v3 removed the patch to enable modules by default.

# gpg: Signature made Mon 02 Feb 2015 19:28:03 GMT using RSA key ID 78C7AE83
# gpg: Good signature from "Paolo Bonzini <bonzini@gnu.org>"
# gpg:                 aka "Paolo Bonzini <pbonzini@redhat.com>"
# gpg: WARNING: This key is not certified with sufficiently trusted signatures!
# gpg:          It is not certain that the signature belongs to the owner.
# Primary key fingerprint: 46F5 9FBD 57D6 12E7 BFD4  E2F7 7E15 100C CD36 69B1
#      Subkey fingerprint: F133 3857 4B66 2389 866C  7682 BFFB D25F 78C7 AE83

* remotes/bonzini/tags/for-upstream:
  scsi: Fix scsi_req_cancel_async for no aiocb req
  cpu-exec: simplify init_delay_params
  cpu-exec: simplify align_clocks
  memory: avoid ref/unref in memory_region_find
  memory: protect current_map by RCU
  memory: remove assertion on memory_region_destroy
  rcu: add call_rcu
  rcu: allow nesting of rcu_read_lock/rcu_read_unlock
  rcu: add rcutorture
  rcu: add rcu library
  qemu-thread: fix qemu_event without futexes
Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>

scsi_req_cancel_complete is responsible for releasing the request, so we
shouldn't skip it in any case. This doesn't affect the only existing
caller, virtio-scsi, but is useful for other devices once they use it.
Suggested-by: NPaolo Bonzini <pbonzini@redhat.com>
Signed-off-by: NFam Zheng <famz@redhat.com>
Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>

With the introduction of QEMU_CLOCK_VIRTUAL_RT, the computation of
sc->diff_clk can be simplified nicely:

        qemu_clock_get_ns(QEMU_CLOCK_VIRTUAL) -
        qemu_clock_get_ns(QEMU_CLOCK_REALTIME) +
        cpu_get_clock_offset()

     =  qemu_clock_get_ns(QEMU_CLOCK_VIRTUAL) -
        (qemu_clock_get_ns(QEMU_CLOCK_REALTIME) - cpu_get_clock_offset())

     =  qemu_clock_get_ns(QEMU_CLOCK_VIRTUAL) -
        (qemu_clock_get_ns(QEMU_CLOCK_REALTIME) + timers_state.cpu_clock_offset)

     =  qemu_clock_get_ns(QEMU_CLOCK_VIRTUAL) -
        qemu_clock_get_ns(QEMU_CLOCK_VIRTUAL_RT)

Cc: Sebastian Tanase <sebastian.tanase@openwide.fr>
Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>

sc->diff_clk is already equal to sleep_delay (split in a second and a
nanosecond part).  If you subtract sleep_delay - rem_delay, the result
is exactly rem_delay.

Cc: Sebastian Tanase <sebastian.tanase@openwide.fr>
Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>

Do the entire lookup under RCU, which avoids atomic operations
in flatview_ref and flatview_unref.
Reviewed-by: NFam Zheng <famz@redhat.com>
Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>

Replace the flat_view_mutex with RCU, avoiding futex contention for
dataplane on large systems and many iothreads.
Reviewed-by: NFam Zheng <famz@redhat.com>
Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>

Now that memory_region_destroy can be called from an RCU callback,
checking the BQL-protected global memory_region_transaction_depth
does not make much sense.
Signed-off-by: NJan Kiszka <jan.kiszka@siemens.com>
Reviewed-by: NFam Zheng <famz@redhat.com>
Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>

Asynchronous callbacks provided by call_rcu are particularly important
for QEMU, because the BQL makes it hard to use synchronize_rcu.

In addition, the current RCU implementation is not particularly friendly
to multiple concurrent synchronize_rcu callers, making call_rcu even
more important.
Reviewed-by: NFam Zheng <famz@redhat.com>
Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>

Reviewed-by: NFam Zheng <famz@redhat.com>
Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>

rcutorture is the unit test for rcu.
Reviewed-by: NFam Zheng <famz@redhat.com>
Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>

This includes a (mangled) copy of the liburcu code.  The main changes
are: 1) removing dependencies on many other header files in liburcu; 2)
removing for simplicity the tentative busy waiting in synchronize_rcu,
which has limited performance effects; 3) replacing futexes in
synchronize_rcu with QemuEvents for Win32 portability.  The API is
the same as liburcu, so it should be possible in the future to require
liburcu on POSIX systems for example and use our copy only on Windows.

Among the various versions available I chose urcu-mb, which is the
least invasive implementation even though it does not have the
fastest rcu_read_{lock,unlock} implementation.  The urcu flavor can
be changed later, after benchmarking.
Reviewed-by: NFam Zheng <famz@redhat.com>
Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>

This had a possible deadlock that was visible with rcutorture.

    qemu_event_set                    qemu_event_wait
    ----------------------------------------------------------------
                                      cmpxchg reads FREE, writes BUSY
                                      futex_wait: pthread_mutex_lock
                                      futex_wait: value == BUSY
    xchg reads BUSY, writes SET
    futex_wake: pthread_cond_broadcast
                                      futex_wait: pthread_cond_wait
                                      <deadlock>

The fix is simply to avoid condvar tricks and do the obvious locking
around pthread_cond_broadcast:

    qemu_event_set        qemu_event_wait
    ----------------------------------------------------------------
                                      cmpxchg reads FREE, writes BUSY
                                      futex_wait: pthread_mutex_lock
                                      futex_wait: value == BUSY
    xchg reads BUSY, writes SET
    futex_wake: pthread_mutex_lock
    (blocks)
                                      futex_wait: pthread_cond_wait
    (mutex unlocked)
    futex_wake: pthread_cond_broadcast
    futex_wake: pthread_mutex_unlock
                                      futex_wait: pthread_mutex_unlock

Cc: qemu-stable@nongnu.org
Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>

The code in the softfloat source files is under a mixture of
licenses: the original code and many changes from QEMU contributors
are under the base SoftFloat-2a license; changes from Stefan Weil
and RedHat employees are GPLv2-or-later; changes from Fabrice Bellard
are under the BSD license. Clarify this in the comments at the
top of each affected source file, including a statement about
the assumed licensing for future contributions, so we don't need
to remember to ask patch submitters explicitly to pick a license.
Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>
Acked-by: NAndreas Färber <afaerber@suse.de>
Acked-by: NAurelien Jarno <aurelien@aurel32.net>
Acked-by: NAvi Kivity <avi.kivity@gmail.com>
Acked-by: NBen Taylor <bentaylor.solx86@gmail.com>
Acked-by: NBlue Swirl <blauwirbel@gmail.com>
Acked-by: NChristophe Lyon <christophe.lyon@st.com>
Acked-by: NFabrice Bellard <fabrice@bellard.org>
Acked-by: NGuan Xuetao <gxt@mprc.pku.edu.cn>
Acked-by: NJuan Quintela <quintela@redhat.com>
Acked-by: NMax Filippov <jcmvbkbc@gmail.com>
Acked-by: NPaul Brook <paul@codesourcery.com>
Acked-by: NPaolo Bonzini <pbonzini@redhat.com>
Acked-by: NPeter Maydell <peter.maydell@linaro.org>
Acked-by: NRichard Henderson <rth@twiddle.net>
Acked-by: NRichard Sandiford <rdsandiford@googlemail.com>
Acked-by: NStefan Weil <sw@weilnetz.de>
Reviewed-by: NPaolo Bonzini <pbonzini@redhat.com>
Message-id: 1421073508-23909-5-git-send-email-peter.maydell@linaro.org

Revert the parts of commits b645bb48 and 5a6932d5 which are still
in the codebase and under a SoftFloat-2b license.

Reimplement support for architectures where the most significant bit
in the mantissa is 1 for a signaling NaN rather than a quiet NaN,
by adding handling for SNAN_BIT_IS_ONE being set to the functions
which test values for NaN-ness.

This includes restoring the bugfixes lost in the reversion where
some of the float*_is_quiet_nan() functions were returning true
for both signaling and quiet NaNs.

[This is a mechanical squashing together of two separate "revert"
and "reimplement" patches.]
Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>
Reviewed-by: NPaolo Bonzini <pbonzini@redhat.com>
Message-id: 1421073508-23909-4-git-send-email-peter.maydell@linaro.org

Revert the remaining portions of commits 75d62a58 and 3430b0be
which are under a SoftFloat-2b license, ie the functions
uint64_to_float32() and uint64_to_float64(). (The float64_to_uint64()
and float64_to_uint64_round_to_zero() functions were completely
rewritten in commits fb3ea83a and 0a87a310 so can stay.)

Reimplement from scratch the uint64_to_float64() and uint64_to_float32()
conversion functions.

[This is a mechanical squashing together of two separate "revert"
and "reimplement" patches.]
Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>
Reviewed-by: NPaolo Bonzini <pbonzini@redhat.com>
Message-id: 1421073508-23909-3-git-send-email-peter.maydell@linaro.org

This commit applies the changes to master which correspond to
replacing commit 158142c2 with a set of changes made by:
 * taking the SoftFloat-2a release
 * mechanically transforming the block comment style
 * reapplying Fabrice's original changes from 158142c2

This commit was created by:
 diff -u 158142c2 import-sf-2a
 patch  -p1 --fuzz 10 <../relicense-patch.txt
(where import-sf-2a is the branch resulting from the changes above).
Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>
Reviewed-by: NPaolo Bonzini <pbonzini@redhat.com>
Message-id: 1421073508-23909-2-git-send-email-peter.maydell@linaro.org

linux-user updates since last pull request

# gpg: Signature made Tue 27 Jan 2015 20:52:54 GMT using RSA key ID DE3C9BC0
# gpg: Good signature from "Riku Voipio <riku.voipio@iki.fi>"
# gpg:                 aka "Riku Voipio <riku.voipio@linaro.org>"

* remotes/riku/tags/pull-linux-user-20150127:
  linux-user: support target-to-host SCM_CREDENTIALS
  linux-user: Fix broken m68k signal handling on 64 bit hosts
  mips64-linux-user: Fix definition of struct sigaltstack
  linux-user: Fix ioctl cmd type mismatch on 64-bit targets
  linux-user: translate resource also for prlimit64
  linux-user/signal.c: Remove unnecessary wrapper copy_siginfo_to_user
  linux-user/main.c: Mark end_exclusive() as possibly unused
  linux-user/main.c: Call cpu_exec_start/end on all target archs
  linux-user/arm/nwfpe: Delete unused aCC array
  linux-user/alpha: Add define for NR_shmat to enable shmat syscall
  linux-user/signal.c: Remove current_exec_domain_sig()
Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>