> Is there some magic (= tool) which detected these "broken windows"
> in hw/loader.c, qemu-io.c and vl.c, or was it just a manual code
> review or luck?

I used a proprietary static analysis tool called BEAM <http://domino.research.ibm.com/comm/research.nsf/pages/r.da.beam.html>. It found pages of potential errors, about 80% of which seem valid. Fixing the bugs with obvious fixes seems like a good way for me to learn the qemu code while providing a useful service at the same time. If anybody wants to see the output of the tool (plenty of bugs to go around), please email me off-list. Some of the bugs it found, I'm thinking of out-of-bounds array accesses and returning pointers to stack variables, probably have security implications, so I'd like to not share those publicly until there are patches to fix them.
