[Top] [All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[xen master] misra: allow discarding 'noreturn' during conversions

commit b5497ad4a4a2b9a97100ca002cc82b573b198071
Author:     Dmytro Prokopchuk <dmytro_prokopchuk1@xxxxxxxx>
AuthorDate: Tue Aug 5 14:04:34 2025 +0200
Commit:     Jan Beulich <jbeulich@xxxxxxxx>
CommitDate: Tue Aug 5 14:04:34 2025 +0200

    misra: allow discarding 'noreturn' during conversions
    
    The conversion from a function pointer with the 'noreturn' attribute
    ('void noreturn (*)(...)') to a function pointer type ('void (*)(...)'
    causes type incompatibility according to MISRA C Rule 11.1, which
    forbids conversions between incompatible function pointer types.
    
    The violation occurs at the call site:
        smp_call_function(halt_this_cpu, NULL, 0);
    where 'halt_this_cpu' with type 'void noreturn (*)(void *)' is passed to
    'smp_call_function' expecting function pointer of type 'void (*)(void *)'.
    
    The 'noreturn' attribute does not change the function calling convention
    or parameter handling at runtime, making the conversion safe.
    
    For now, configure Eclair to just treat implicit conversions that lose
    the "noreturn" attribute on a function 'void (*)(void*)' as safe.
    
    Signed-off-by: Dmytro Prokopchuk <dmytro_prokopchuk1@xxxxxxxx>
    Acked-by: Jan Beulich <jbeulich@xxxxxxxx> # docs
    Reviewed-by: Nicola Vetrini <nicola.vetrini@xxxxxxxxxxx> # ECLAIR
---
 automation/eclair_analysis/ECLAIR/deviations.ecl | 7 +++++++
 docs/misra/deviations.rst                        | 7 +++++++
 docs/misra/rules.rst                             | 9 +++++----
 3 files changed, 19 insertions(+), 4 deletions(-)

diff --git a/automation/eclair_analysis/ECLAIR/deviations.ecl 
b/automation/eclair_analysis/ECLAIR/deviations.ecl
index ceecd0093b..ebce1ceab9 100644
--- a/automation/eclair_analysis/ECLAIR/deviations.ecl
+++ b/automation/eclair_analysis/ECLAIR/deviations.ecl
@@ -372,6 +372,13 @@ constant expressions are required.\""
 }
 -doc_end
 
+-doc_begin="The conversion from 'void noreturn (*)(void *)' to 'void (*)(void 
*)' is safe
+because the semantics of the 'noreturn' attribute do not alter the calling 
convention or behavior of the resulting code."
+-config=MC3A2.R11.1,casts+={safe,
+  "kind(bitcast)&&to(type(pointer(inner(return(builtin(void))&&all_param(1, 
pointer(builtin(void)))))))&&from(expr(skip(!syntactic(),
+   ref(property(noreturn)))))"} 
+-doc_end
+
 -doc_begin="The conversion from a pointer to an incomplete type to unsigned 
long does not lose any information, provided that the target type has enough 
bits to store it."
 -config=MC3A2.R11.2,casts+={safe,
   "from(type(any()))
diff --git a/docs/misra/deviations.rst b/docs/misra/deviations.rst
index af7a17f96c..3c46a1e47a 100644
--- a/docs/misra/deviations.rst
+++ b/docs/misra/deviations.rst
@@ -353,6 +353,13 @@ Deviations related to MISRA C:2012 Rules:
        semantics that do not lead to unexpected behaviour.
      - Tagged as `safe` for ECLAIR.
 
+   * - R11.1
+     - The conversion from 'void noreturn (*)(...)' to 'void (*)(...)' is safe
+       because the semantics of the 'noreturn' attribute do not alter the 
calling
+       convention or behavior of the resulting code, parameters handling remain
+       consistent.
+     - Tagged as `safe` for ECLAIR.
+
    * - R11.2
      - The conversion from a pointer to an incomplete type to unsigned long
        does not lose any information, provided that the target type has enough
diff --git a/docs/misra/rules.rst b/docs/misra/rules.rst
index d9fd92160b..6812eb7e8a 100644
--- a/docs/misra/rules.rst
+++ b/docs/misra/rules.rst
@@ -409,11 +409,12 @@ maintainers if you want to suggest a change.
 
    * - `Rule 11.1 
<https://gitlab.com/MISRA/MISRA-C/MISRA-C-2012/Example-Suite/-/blob/master/R_11_01.c>`_
      - Required
-     - Conversions shall not be performed between a pointer to a
-       function and any other type
+     - Conversions shall not be performed between a pointer to a function
+       and any other type
      - All conversions to integer types are permitted if the destination
-       type has enough bits to hold the entire value. Conversions to
-       bool and void* are permitted.
+       type has enough bits to hold the entire value. Conversions to bool
+       and void* are permitted. Conversions from 'void noreturn (*)(...)'
+       to 'void (*)(...)' are permitted.
 
    * - `Rule 11.2 
<https://gitlab.com/MISRA/MISRA-C/MISRA-C-2012/Example-Suite/-/blob/master/R_11_02.c>`_
      - Required
--
generated by git-patchbot for /home/xen/git/xen.git#master

 

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.

Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.