[Top] [All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[xen master] misra: add deviations of MISRA C Rule 5.5

commit 212f690aee6c83343a85d4f8fb4770ee789e094d
Author:     Dmytro Prokopchuk1 <dmytro_prokopchuk1@xxxxxxxx>
AuthorDate: Thu Jul 31 20:43:48 2025 +0000
Commit:     Stefano Stabellini <stefano.stabellini@xxxxxxx>
CommitDate: Fri Aug 15 12:44:22 2025 -0700

    misra: add deviations of MISRA C Rule 5.5
    
    MISRA C Rule 5.5 states: "Identifiers shall be distinct from macro names".
    
    Update ECLAIR configuration to deviate clashes: specify the macros that
    should be ignored. Update deviations.rst and rules.rst accordingly.
    
    Signed-off-by: Dmytro Prokopchuk <dmytro_prokopchuk1@xxxxxxxx>
    Reviewed-by: Nicola Vetrini <nicola.vetrini@xxxxxxxxxxx>
    Acked-by: Stefano Stabellini <sstabellini@xxxxxxxxxx>
---
 automation/eclair_analysis/ECLAIR/deviations.ecl | 10 ++++++++++
 docs/misra/deviations.rst                        | 22 ++++++++++++++++++++++
 docs/misra/rules.rst                             | 17 +++++++++++++++++
 3 files changed, 49 insertions(+)

diff --git a/automation/eclair_analysis/ECLAIR/deviations.ecl 
b/automation/eclair_analysis/ECLAIR/deviations.ecl
index ebce1ceab9..7f3fd35a33 100644
--- a/automation/eclair_analysis/ECLAIR/deviations.ecl
+++ b/automation/eclair_analysis/ECLAIR/deviations.ecl
@@ -122,6 +122,16 @@ it defines would (in the common case) be already defined. 
Peer reviewed by the c
 -config=MC3A2.R5.5,reports+={deliberate, 
"any_area(decl(kind(function))||any_loc(macro(name(memcpy||memset||memmove))))&&any_area(any_loc(file(^xen/common/libelf/libelf-private\\.h$)))"}
 -doc_end
 
+-doc_begin="Clashes between bitops functions and macro names are deliberate.
+These macros are needed for input validation and error handling."
+-config=MC3A2.R5.5,ignored_macros+="^(__)?(test|set|clear|change|test_and_(set|clear|change))_bit$"
+-doc_end
+
+-doc_begin="Clashes between grant table functions and macro names in 
'xen/common/grant_table.c' are deliberate.
+These macros address differences in argument count during compile-time, 
effectively discarding unused parameters to avoid warnings or errors related to 
them."
+-config=MC3A2.R5.5,ignored_macros+="name(update_gnttab_par||parse_gnttab_limit)&&loc(file(^xen/common/grant_table\\.c$))"
+-doc_end
+
 -doc_begin="The type \"ret_t\" is deliberately defined multiple times,
 depending on the guest."
 -config=MC3A2.R5.6,reports+={deliberate,"any_area(any_loc(text(^.*ret_t.*$)))"}
diff --git a/docs/misra/deviations.rst b/docs/misra/deviations.rst
index 3c46a1e47a..2119066531 100644
--- a/docs/misra/deviations.rst
+++ b/docs/misra/deviations.rst
@@ -153,6 +153,28 @@ Deviations related to MISRA C:2012 Rules:
        memmove.
      - Tagged as `deliberate` for ECLAIR.
 
+   * - R5.5
+     - Clashes between bitops ('__test_and_set_bit', '__test_and_clear_bit',
+       '__test_and_change_bit', 'test_bit', 'set_bit', 'clear_bit', 
'change_bit',
+       'test_and_set_bit', 'test_and_clear_bit', 'test_and_change_bit')
+       functions and macro names are intentional. These are necessary for error
+       handling and input validation to ensure that the size of the object 
being
+       referenced by the memory address (passed as an argument to the macro)
+       meets the minimum requirements for the bit operation. This prevents 
unsafe
+       operations on improperly sized data types that could lead to undefined
+       behavior or memory corruption. The macros encapsulate this conditional
+       logic into a single, reusable form, simplifying the code and avoiding
+       function call overhead. Also this bit operations API was inherited from
+       Linux and should be kept for familiarity.
+     - ECLAIR has been configured to ignore these macros.
+
+   * - R5.5
+     - Clashes between grant table ('update_gnttab_par', 'parse_gnttab_limit')
+       functions and macro names are intentional. These macros address
+       differences in argument count during compile-time, effectively 
discarding
+       unused 2nd and 3rd parameters to avoid warnings or errors related to 
them.
+     - ECLAIR has been configured to ignore these macros.
+
    * - R5.6
      - The type ret_t is deliberately defined multiple times depending on the
        type of guest to service.
diff --git a/docs/misra/rules.rst b/docs/misra/rules.rst
index 6812eb7e8a..a2e4e9f4ff 100644
--- a/docs/misra/rules.rst
+++ b/docs/misra/rules.rst
@@ -205,6 +205,23 @@ maintainers if you want to suggest a change.
            #define f(x, y) f(x, y)
            void f(int x, int y);
 
+       Clashes between bitops functions and macro names are allowed
+       because they are used for input validation and error handling.
+       Example::
+
+           static inline void set_bit(int nr, volatile void *addr)
+           {
+               asm volatile ( "lock btsl %1,%0"
+                              : "+m" (ADDR) : "Ir" (nr) : "memory");
+           }
+           #define set_bit(nr, addr) ({                            \
+               if ( bitop_bad_size(addr) ) __bitop_bad_size();     \
+               set_bit(nr, addr);                                  \
+           })
+
+       Clashes between grant table functions and macro names are allowed
+       because they are used for discarding unused parameters.
+
    * - `Rule 5.6 
<https://gitlab.com/MISRA/MISRA-C/MISRA-C-2012/Example-Suite/-/blob/master/R_05_06.c>`_
      - Required
      - A typedef name shall be a unique identifier
--
generated by git-patchbot for /home/xen/git/xen.git#master

 

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.

Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.