On Fri, 10 Oct 2025 at 14:05, Peter Maydell <[email protected]> wrote:
>
> From: Richard Henderson <[email protected]>
>
> Reviewed-by: Pierrick Bouvier <[email protected]>
> Signed-off-by: Richard Henderson <[email protected]>
> Message-id: [email protected]
> Signed-off-by: Peter Maydell <[email protected]>
> ---
> /* > - * Fix the number of mmu modes to 16. > + * Fix the number of mmu modes across all targets. > + * Current maximum is target/arm/. > */ > -#define NB_MMU_MODES 16 > +#define NB_MMU_MODES 22 > -#define ARM_MMU_IDX_COREIDX_MASK 0xf > +#define ARM_MMU_IDX_COREIDX_MASK 0x1f

This change makes Coverity complain about a potential array overrun when we use arm_to_core_mmu_idx(something) as an MMU index that eventually gets used as an array index into the CPUTLB struct arrays. It used to be the case that (mmu_idx & ARM_MMU_IDX_COREIDX_MASK) could never be larger than NB_MMU_MODES, but now it can be.

This is a false positive because we won't try to pass a bogus mmu_idx and all our real ARMMMUIdx_* values have in-range values for the COREIDX_MASK bits. But is it worth adding an assert() to arm_to_core_mmu_idx() that its return value is less than NB_MMU_MODES? It might catch future bugs where we forget to bump NB_MMU_MODES.

thanks
-- PMM
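Review bot: the two new values no longer bound each other: `+#define ARM_MMU_IDX_COREIDX_MASK 0x1f` admits masked values up to 31, while `+#define NB_MMU_MODES 22` only allows indexes 0 to 21, whereas the old pair (0xf and 16) kept every masked value in range by construction. Since the mask alone no longer guarantees a valid index into anything sized by NB_MMU_MODES, the invariant should be made explicit, either with an assertion at the point where the mask is applied or with a build-time check that the highest core index in use stays below NB_MMU_MODES. The new comment line "Current maximum is target/arm/." would also be more useful if it named what has to be kept in sync, so that whoever adds the next index knows to bump the count.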
