Xen project Mailing List

Re: Violations of mandatory MISRA C:2012 Rule 19.1 in X86_64 build

To: Roberto Bagnara <roberto.bagnara@xxxxxxxxxxx>

Date: Wed, 12 Jul 2023 17:09:14 +0200

Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=suse.com; dmarc=pass action=none header.from=suse.com; dkim=pass header.d=suse.com; arc=none

Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=wm70FUsX5KjiAsWaedna3TwjjujG0aJ9RtEpykIh6i4=; b=fiPhUIHJ3NxIU8Vg4JF8GdHXsrw/dLlsWx6CLeNbkjW4xFhatUW09uTd1JgogDDrf9k8bYpK1PDMwsdussXaTsCei8dO9/XqLlaOz4NaC6Xb+1YMe8afkRcozuDOpWTv2u0lQw1wrJStfNxzTRi0l+slmFWBJQh2L50zOCAkkcXxDgjhrbQ/V7ofKvSsGYyDbROHZocTTPWOv5f4zG/ETFQ081S9qGVK+ntC81CLeUVOU5Z7TQICFuP8tTGN7mOZhR2r0UbEbicUzRUwy73jHC7Mp93SMVigrCeSrHxO5DzArjb6sTdixcTKcn0bbbtyDB6vkCdevAfklH1fTJLRBw==

Arc-seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=jBPmDsZzX+DSJUC/QwnX5jJok1095aEuOiuBf9RcrJWTiYpxrnYrrG86VhivrwXVLZoZYW7k3AH5e9F19wrZWzOkcFT3Cgka/5ZkF/4wOwBpsUuHzH8aRXv9llCkT9ytvTjnX9Vc2cy/uyXYyRhEngfbFmlZjYaAVQNg1Nwm0+7Z2jvHIn4a84L4DA5oi5ajPow476a06IgfpKZTi2x1Fo7p5ernPNNjai4aVcmX7fDESvj4warGJ46nKz13KrnzGggyUAgJx/aYl0hQboI97aNMw7+DmdISF++2sCCjw+EMm1xnLwF4fesCpQUcNYvum3DB9nDcvXrtIvJPTFWvng==

Authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=suse.com;

Cc: xen-devel@xxxxxxxxxxxxxxxxxxxx, Andrew Cooper <andrew.cooper3@xxxxxxxxxx>, Roger Pau Monné <roger.pau@xxxxxxxxxx>

Delivery-date: Wed, 12 Jul 2023 15:09:39 +0000

List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

On 11.07.2023 18:40, Roberto Bagnara wrote: > Mandatory Rule 19.1 (An object shall not be assigned or copied to an > overlapping object) is directly targeted at two undefined behaviors, > one of which is the subject of 6.5.16.1p3, namely: > > If the value being stored in an object is read from another object > that overlaps in any way the storage of the first object, then the > overlap shall be exact and the two objects shall have qualified or > unqualified versions of a compatible type; otherwise, the behavior > is undefined. > > You can see a number of definite violations in the X86_64 build > at this link: > > > https://saas.eclairit.com:3787/fs/var/local/eclair/XEN.ecdf/ECLAIR_normal/origin/staging/X86_64-Set1/149/PROJECT.ecd;/by_service/MC3R1.R19.1.html Just to summarize: Except for one instance, all follow the same pattern of extending in-place a (guest) register value. Sometimes in straight line code (typically eip -> rip), otherwise in get_rep_prefix() (esi -> rsi and edi -> rdi). I continue to think that the way we have it is the best way for it to be written; as per an earlier reply I also can't see how even a "malicious" compiler (still aiming at generating correct code, just not necessarily doing things the "obvious" way) could break those cases. (I understand none of this is going to help, yet I'd like to clarify that sometimes overly strict rules are getting in the way, like here forcing use to e.g. switch to using casts when we'd like to avoid doing so.) The one other instance is in compat multicall handling. There I guess the compiler could indeed do things "the wrong way". Any solution there that I can think of would involve an auxiliary on-stack array, to first copy into and then out of. That's not very efficient, so I wonder what your suggestion would be how to deal with such a case. Jan

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.