From: Peter Maydell Date: Thu, 23 Oct 2025 10:13:39 +0000 (+0100) Subject: target/arm: Add assert to arm_to_core_mmu_idx() X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=ac55e58c05241b50f64a4631a722a01db0af05a9;p=thirdparty%2Fqemu.git target/arm: Add assert to arm_to_core_mmu_idx() Before commit f76cee647c ("target/arm: Introduce mmu indexes for GCS") it was impossible for arm_to_core_mmu_idx() to return an invalid core MMU index, because NB_MMU_MODES was 16 and ARM_MMU_IDX_COREIDX_MASK was 0xf. That commit raises ARM_MMU_IDX_COREIDX_MASK to 0x1f and NB_MMU_MODES to 22, so it's now possible for a bogus Arm mmu index to result in an out of range core mmu index (which can then get used as an array index in the CPUTLB struct arrays). Coverity complains that this might result in an out-of-bounds access. The out-of-bounds access can't happen because we construct all the ARMMMUIdx values we will use for TLBs to have valid core MMU indexes in the COREIDX field. But we can add an assert() so that if we ever do end up operating on a corrupted or wrong ARMMMUIdx value we get an assert rather than silently indexing off the end of an array. This should also make Coverity happier. Coverity: CID 1641404 Signed-off-by: Peter Maydell Reviewed-by: Philippe Mathieu-Daudé Reviewed-by: Richard Henderson Message-id: 20251023101339.1983809-1-peter.maydell@linaro.org --- diff --git a/target/arm/internals.h b/target/arm/internals.h index 6fbf7e1ca4..4c0fa28ef8 100644 --- a/target/arm/internals.h +++ b/target/arm/internals.h @@ -969,7 +969,9 @@ bool arm_cpu_tlb_fill_align(CPUState *cs, CPUTLBEntryFull *out, vaddr addr, static inline int arm_to_core_mmu_idx(ARMMMUIdx mmu_idx) { - return mmu_idx & ARM_MMU_IDX_COREIDX_MASK; + int coreidx = mmu_idx & ARM_MMU_IDX_COREIDX_MASK; + assert(coreidx < NB_MMU_MODES); + return coreidx; } static inline ARMMMUIdx core_to_arm_mmu_idx(CPUARMState *env, int mmu_idx)
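Review bot: the new assert() in arm_to_core_mmu_idx() only checks values that actually reach the function at runtime, while the commit message says the real guarantee comes from how the ARMMMUIdx values are constructed (every TLB-bearing index carries a COREIDX below NB_MMU_MODES). Since the mask (0x1f) now admits 32 values but NB_MMU_MODES is 22, a future enum addition could silently exceed the limit; consider pairing the runtime check with a build-time one on the highest defined core index (e.g. `QEMU_BUILD_BUG_ON(<max core index> >= NB_MMU_MODES)`) so such a mistake fails at compile time rather than on first use. Also worth confirming that internals.h already pulls in assert() through its existing includes, as this hunk is the first use of it in that static inline.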