Xen project Mailing List

Re: [PATCH] xen/arm64: sysreg.h: Fix MISRA C 2012 Rule 20.7 violation

Date: Wed, 3 Aug 2022 08:10:44 +0200

Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=suse.com; dmarc=pass action=none header.from=suse.com; dkim=pass header.d=suse.com; arc=none

Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=N0/EfWY5CI1823DjxDrE0eqB3qfVwrqfOeDZjs9dr2Y=; b=iePDVNG7syk7DXMpo94PwdjHBgRl6/BwfCEZcbawreFOqeYtDIOqUi4Xr7UlEjBlqn1JAE0hh09xO42oB8uyBrQ2jgMFzLlY+oxYOYrLdfkoylAw3pP04g5R+43CeFDnGcgzk/gcMG7V3vZlzBrSbfGbccAp/o/XFIpVWbj7B8sWcdzzUOUeiRWqcCvoHyevVH0kFBmrZ2uvBD90mCdi5waEOkapMkVPQbjJqEaeHjLTO3joq2h2ePoxyWlAiGZTA/14VsPxArKOC+PENYvwjHavHkmNyb0rUzhqXv/AE57ykFqT6fXywfeP3n1kZdUqHfWalgDU0hjz7WyG/Btqww==

Arc-seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=iAgoidF0m8Y86VmSGolboq4tXEMi59gxzkVYiQ9y4EhzC06umWW0ibUeW5RjCfipu8yTc+N4gYJql7Q8hw+uLmViWa1QmUTR/jvEmRSp1lyyWhR6YGUfPJEPmXBombQmnfswWlFQcDPj/XCHFJgqXqB2aPToNChyk5Y+RfSrNI+hPtoqdTnkNdD2tcRQ0l02D5Qq8eWVbS7e4BrqD+UEQ47xcs+0Ghu1pIyCvWH5GnIWCSkyvnyYCYowkUNysa/rO5p7UGlpQfWDshAhP2eaJR5UlP4fVR8wlcNV0djr2tQ+c/Wg1eLsAUOf2Qu7bw5oKS6xfl7Jz0saDJMKtSD8ng==

Authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=suse.com;

Cc: Bertrand Marquis <bertrand.marquis@xxxxxxx>, Volodymyr Babchuk <Volodymyr_Babchuk@xxxxxxxx>, xen-devel@xxxxxxxxxxxxxxxxxxxx, Stefano Stabellini <sstabellini@xxxxxxxxxx>, Xenia Ragiadakou <burzalodowa@xxxxxxxxx>

Delivery-date: Wed, 03 Aug 2022 06:10:54 +0000

List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

On 02.08.2022 19:32, Julien Grall wrote: > Hi Jan, > > On 29/07/2022 08:22, Jan Beulich wrote: >> On 29.07.2022 09:01, Xenia Ragiadakou wrote: >>> On 7/29/22 09:16, Jan Beulich wrote: >>>> On 29.07.2022 07:23, Xenia Ragiadakou wrote: >>>>> On 7/29/22 01:56, Stefano Stabellini wrote: >>>>>> On Thu, 28 Jul 2022, Julien Grall wrote: >>>>>>> On 28/07/2022 15:20, Jan Beulich wrote: >>>>>>>> On 28.07.2022 15:56, Julien Grall wrote: >>>>>>>>> On 28/07/2022 14:49, Xenia Ragiadakou wrote: >>>>>>>>>> --- a/xen/arch/arm/include/asm/arm64/sysregs.h >>>>>>>>>> +++ b/xen/arch/arm/include/asm/arm64/sysregs.h >>>>>>>>>> @@ -461,7 +461,7 @@ >>>>>>>>>> /* Access to system registers */ >>>>>>>>>> #define WRITE_SYSREG64(v, name) do { \ >>>>>>>>>> - uint64_t _r = v; \ >>>>>>>>>> + uint64_t _r = (v); >>>>>>>>>> \ >>>>>>>>> >>>>>>>>> I am failing to see why the parentheses are necessary here. Could you >>>>>>>>> give an example where the lack of them would end up to different code? >>>>>>>> >>>>>>>> I think it is merely good practice to parenthesize the right sides of >>>>>>>> =. >>>>>>>> Indeed with assignment operators having second to lowest precedence, >>>>>>>> and >>>>>>>> with comma (the lowest precedence one) requiring parenthesization at >>>>>>>> the >>>>>>>> macro invocation site, there should be no real need for parentheses >>>>>>>> here. >>>>>>> >>>>>>> I am not really happy with adding those parentheses because they are >>>>>>> pointless. But if there are a consensus to use it, then the commit >>>>>>> message >>>>>>> should be updated to clarify this is just here to please MISRA (to me >>>>>>> "need" >>>>>>> implies it would be bug). >>>>>> >>>>>> Let me premise that I don't know if this counts as a MISRA violation or >>>>>> not. (Also I haven't checked if cppcheck/eclair report it as violation.) >>>>>> >>>>>> But I think the reason for making the change would be to follow our >>>>>> coding style / coding practices. It makes the code simpler to figure out >>>>>> that it is correct, to review and maintain if we always add the >>>>>> parenthesis even in cases like this one where they are not strictly >>>>>> necessary. We are going to save our future selves some mental cycles. >>>>>> >>>>>> So the explanation on the commit message could be along those lines. >>>>> >>>>> First, the rule 20.7 states "Expressions resulting from the expansion of >>>>> macro parameters shall >>>>> be enclosed in parentheses". So, here it is a clear violation of the >>>>> rule because the right side of the assignment operator is an expression. >>>>> >>>>> Second, as I stated in a previous email, if v is not enclosed in >>>>> parentheses, I could write the story of my life in there and compile it >>>>> :) So, it would be a bug. >>>>> >>>>> So, I recommend the title and the explanation i.e >>>>> "xen/arm64: sysreg.h: Fix MISRA C 2012 Rule 20.7 violation >>>>> >>>>> The macro parameter 'v' is used as an expression and needs to be enclosed >>>>> in >>>>> parentheses." >>>>> to remain as is because they are accurate. >>>> >>>> I'm afraid you're following the MISRA wording too much to the latter. >>>> Earlier on you agreed that when macro parameters are used as function >>>> arguments, the parentheses can be omitted. Yet by what you say above >>>> those are also expressions. >>> >>> Yes, those are also expressions (that's why I added parentheses >>> initially) and I agreed with you that the parentheses there may not be >>> necessary because I could not think of an example that will produce >>> different behaviors with and without the parentheses. This will need a >>> formal deviation I imagine or maybe a MISRA C expert could provide a >>> justification regarding why parentheses are needed around function >>> arguments that we may have not think of. >>> >>>> As indicated before - I think parentheses >>>> are wanted here, but it's strictly "wanted", and hence the title >>>> better wouldn't say "fix" (but e.g. "improve") and the description >>>> also should be "softened". >>>> >>> >>> Regarding the latter, are you saying that the parentheses are not needed? >>> In my opinion they are needed to prevent the bug described in the >>> previous email i.e passing multiple statements to the macro. >> >> Any such use would be rejected during review, I'm sure. >> >> However I think there's another case which might indeed make this >> more than just a "want" (and then responses further down are to be >> viewed only in the context of earlier discussion): >> >> #define wr(v) ({ \ >> unsigned r_ = v; \ >> asm("" :: "r" (r_)); \ >> }) >> >> #define M x, y >> >> void test(unsigned x) { >> wr(M); >> } > > Interesting. I would have expected the pre-processor to first expand M > and then consider wr() is called with 2 parameters. > >> >> While this would result in an unused variable warning, > > FWIW, in our case, the compiler is going to throw an error. > >> it's surely >> misleading (and less certain to be noticed during review) - which > My expectation is we would notice that M is missing the parentheses. If > it is really wanted, the name of the macro should be obvious. > >> is what Misra wants to avoid. Let's see what Julien thinks. > I am struggling to see how this is different from: > > #define wr(v) printf("%u\n", v) > > If I am not mistaken, you have been arguing against adding the > parentheses here. Yes - not the least because we actually use such in our code (at the very least in hvmloader, see PRIllx_arg()). > So, AFAIU, this means we will need to rely on the > compiler to notice the extra parameters. > > Anyway, I am not against adding the parentheses in your example. > However, I think we should be consistent how we use them. Indeed I, too, am all for consistency. Jan

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.