[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [PATCH] xen/arm64: sysreg.h: Fix MISRA C 2012 Rule 20.7 violation


  • To: Julien Grall <julien@xxxxxxx>
  • From: Jan Beulich <jbeulich@xxxxxxxx>
  • Date: Wed, 3 Aug 2022 08:10:44 +0200
  • Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=suse.com; dmarc=pass action=none header.from=suse.com; dkim=pass header.d=suse.com; arc=none
  • Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=N0/EfWY5CI1823DjxDrE0eqB3qfVwrqfOeDZjs9dr2Y=; b=iePDVNG7syk7DXMpo94PwdjHBgRl6/BwfCEZcbawreFOqeYtDIOqUi4Xr7UlEjBlqn1JAE0hh09xO42oB8uyBrQ2jgMFzLlY+oxYOYrLdfkoylAw3pP04g5R+43CeFDnGcgzk/gcMG7V3vZlzBrSbfGbccAp/o/XFIpVWbj7B8sWcdzzUOUeiRWqcCvoHyevVH0kFBmrZ2uvBD90mCdi5waEOkapMkVPQbjJqEaeHjLTO3joq2h2ePoxyWlAiGZTA/14VsPxArKOC+PENYvwjHavHkmNyb0rUzhqXv/AE57ykFqT6fXywfeP3n1kZdUqHfWalgDU0hjz7WyG/Btqww==
  • Arc-seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=iAgoidF0m8Y86VmSGolboq4tXEMi59gxzkVYiQ9y4EhzC06umWW0ibUeW5RjCfipu8yTc+N4gYJql7Q8hw+uLmViWa1QmUTR/jvEmRSp1lyyWhR6YGUfPJEPmXBombQmnfswWlFQcDPj/XCHFJgqXqB2aPToNChyk5Y+RfSrNI+hPtoqdTnkNdD2tcRQ0l02D5Qq8eWVbS7e4BrqD+UEQ47xcs+0Ghu1pIyCvWH5GnIWCSkyvnyYCYowkUNysa/rO5p7UGlpQfWDshAhP2eaJR5UlP4fVR8wlcNV0djr2tQ+c/Wg1eLsAUOf2Qu7bw5oKS6xfl7Jz0saDJMKtSD8ng==
  • Authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=suse.com;
  • Cc: Bertrand Marquis <bertrand.marquis@xxxxxxx>, Volodymyr Babchuk <Volodymyr_Babchuk@xxxxxxxx>, xen-devel@xxxxxxxxxxxxxxxxxxxx, Stefano Stabellini <sstabellini@xxxxxxxxxx>, Xenia Ragiadakou <burzalodowa@xxxxxxxxx>
  • Delivery-date: Wed, 03 Aug 2022 06:10:54 +0000
  • List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

On 02.08.2022 19:32, Julien Grall wrote:
> Hi Jan,
> 
> On 29/07/2022 08:22, Jan Beulich wrote:
>> On 29.07.2022 09:01, Xenia Ragiadakou wrote:
>>> On 7/29/22 09:16, Jan Beulich wrote:
>>>> On 29.07.2022 07:23, Xenia Ragiadakou wrote:
>>>>> On 7/29/22 01:56, Stefano Stabellini wrote:
>>>>>> On Thu, 28 Jul 2022, Julien Grall wrote:
>>>>>>> On 28/07/2022 15:20, Jan Beulich wrote:
>>>>>>>> On 28.07.2022 15:56, Julien Grall wrote:
>>>>>>>>> On 28/07/2022 14:49, Xenia Ragiadakou wrote:
>>>>>>>>>> --- a/xen/arch/arm/include/asm/arm64/sysregs.h
>>>>>>>>>> +++ b/xen/arch/arm/include/asm/arm64/sysregs.h
>>>>>>>>>> @@ -461,7 +461,7 @@
>>>>>>>>>>       /* Access to system registers */
>>>>>>>>>>          #define WRITE_SYSREG64(v, name) do {                    \
>>>>>>>>>> -    uint64_t _r = v;                                    \
>>>>>>>>>> +    uint64_t _r = (v);                                              
>>>>>>>>>> \
>>>>>>>>>
>>>>>>>>> I am failing to see why the parentheses are necessary here. Could you
>>>>>>>>> give an example where the lack of them would end up to different code?
>>>>>>>>
>>>>>>>> I think it is merely good practice to parenthesize the right sides of 
>>>>>>>> =.
>>>>>>>> Indeed with assignment operators having second to lowest precedence, 
>>>>>>>> and
>>>>>>>> with comma (the lowest precedence one) requiring parenthesization at 
>>>>>>>> the
>>>>>>>> macro invocation site, there should be no real need for parentheses 
>>>>>>>> here.
>>>>>>>
>>>>>>> I am not really happy with adding those parentheses because they are
>>>>>>> pointless. But if there are a consensus to use it, then the commit 
>>>>>>> message
>>>>>>> should be updated to clarify this is just here to please MISRA (to me 
>>>>>>> "need"
>>>>>>> implies it would be bug).
>>>>>>
>>>>>> Let me premise that I don't know if this counts as a MISRA violation or
>>>>>> not. (Also I haven't checked if cppcheck/eclair report it as violation.)
>>>>>>
>>>>>> But I think the reason for making the change would be to follow our
>>>>>> coding style / coding practices. It makes the code simpler to figure out
>>>>>> that it is correct, to review and maintain if we always add the
>>>>>> parenthesis even in cases like this one where they are not strictly
>>>>>> necessary. We are going to save our future selves some mental cycles.
>>>>>>
>>>>>> So the explanation on the commit message could be along those lines.
>>>>>
>>>>> First, the rule 20.7 states "Expressions resulting from the expansion of
>>>>> macro parameters shall
>>>>>     be enclosed in parentheses". So, here it is a clear violation of the
>>>>> rule because the right side of the assignment operator is an expression.
>>>>>
>>>>> Second, as I stated in a previous email, if v is not enclosed in
>>>>> parentheses, I could write the story of my life in there and compile it
>>>>> :) So, it would be a bug.
>>>>>
>>>>> So, I recommend the title and the explanation i.e
>>>>> "xen/arm64: sysreg.h: Fix MISRA C 2012 Rule 20.7 violation
>>>>>
>>>>> The macro parameter 'v' is used as an expression and needs to be enclosed 
>>>>> in
>>>>>     parentheses."
>>>>> to remain as is because they are accurate.
>>>>
>>>> I'm afraid you're following the MISRA wording too much to the latter.
>>>> Earlier on you agreed that when macro parameters are used as function
>>>> arguments, the parentheses can be omitted. Yet by what you say above
>>>> those are also expressions.
>>>
>>> Yes, those are also expressions (that's why I added parentheses
>>> initially) and I agreed with you that the parentheses there may not be
>>> necessary because I could not think of an example that will produce
>>> different behaviors with and without the parentheses. This will need a
>>> formal deviation I imagine or maybe a MISRA C expert could provide a
>>> justification regarding why parentheses are needed around function
>>> arguments that we may have not think of.
>>>
>>>> As indicated before - I think parentheses
>>>> are wanted here, but it's strictly "wanted", and hence the title
>>>> better wouldn't say "fix" (but e.g. "improve") and the description
>>>> also should be "softened".
>>>>
>>>
>>> Regarding the latter, are you saying that the parentheses are not needed?
>>> In my opinion they are needed to prevent the bug described in the
>>> previous email i.e passing multiple statements to the macro.
>>
>> Any such use would be rejected during review, I'm sure.
>>
>> However I think there's another case which might indeed make this
>> more than just a "want" (and then responses further down are to be
>> viewed only in the context of earlier discussion):
>>
>> #define wr(v) ({ \
>>      unsigned r_ = v; \
>>      asm("" :: "r" (r_)); \
>> })
>>
>> #define M x, y
>>
>> void test(unsigned x) {
>>      wr(M);
>> }
> 
> Interesting. I would have expected the pre-processor to first expand M 
> and then consider wr() is called with 2 parameters.
> 
>>
>> While this would result in an unused variable warning,
> 
> FWIW, in our case, the compiler is going to throw an error.
> 
>> it's surely
>> misleading (and less certain to be noticed during review) - which
> My expectation is we would notice that M is missing the parentheses. If 
> it is really wanted, the name of the macro should be obvious.
> 
>> is what Misra wants to avoid. Let's see what Julien thinks.
> I am struggling to see how this is different from:
> 
> #define wr(v) printf("%u\n", v)
> 
> If I am not mistaken, you have been arguing against adding the 
> parentheses here.

Yes - not the least because we actually use such in our code (at
the very least in hvmloader, see PRIllx_arg()).

> So, AFAIU, this means we will need to rely on the 
> compiler to notice the extra parameters.
> 
> Anyway, I am not against adding the parentheses in your example. 
> However, I think we should be consistent how we use them.

Indeed I, too, am all for consistency.

Jan



 


Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.