Xen project Mailing List

Re: [RFC PATCH 2/4] xen/arm64: bitops: justify uninitialized variable inside a macro

To: Nicola Vetrini <nicola.vetrini@xxxxxxxxxxx>

Date: Mon, 17 Jul 2023 17:46:00 +0200

Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=suse.com; dmarc=pass action=none header.from=suse.com; dkim=pass header.d=suse.com; arc=none

Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=NpLexldcu4MmDHL8LiHJAOQH6PDsJ6m6CBOmsX8QNS8=; b=Y39lZmJgeBoedPEc4Nrv8iZTXqDUqpEkyqqfBJsLZ9AQImhgOpg0Uiad/mP7Iva12kmrhzvqw0K07RbwuMv7lgEbY+3vx3Vsrg3s3FGVLXpziu38OU/o4mSQ06iJg0XBrkT+4b33il2d97CmYmrTtMEtEY1JK2lXnd1VjX8yXPu4RPqdltpcB6JfAAusRRdvkDBeomeb35adCYD97ZDA3Zx6tpIt+R2CujhMmh7L4/7CayuEfwRqWJSNQ8sesS/zu4w1tz66HIeuqdKZZEZYbRWyRw40/GR60DRzK9ejqRfHL84nFpumHX/+8Ie5dP6OmwnCAwV7eoZJBro7EQHybg==

Arc-seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=FR3KG2H8uR3HW5K7OV7mF/E7fTF0HW1eTVtl0ZF4bxyCLYKvk0E6SRhdPwxs8vqKcR8RVMqtzw6XfdbE0L56kdN+dpdgVB3xuVO7f80yfPI+gf3nUVcRXS93TXIC4ptOzx8hFn/c60et3OhoMMZhCvYjjUud5hwikQ2xsULcJwrztVzMFbRrn/zOg8RYLCXO8VoZKi3YGoUJwtsvk6kLXMq6OTZIyKGS7W2Q9wKNsRvF+WwpmMe0xUC4A3NDkO1yXSi17WGHaundsPdqeYHq0LTw5bfHpb3tjS/4cLMkjYtfcancHpS5KB1Ce9b5reu63gxSay+jvaHTh76j04AU6Q==

Authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=suse.com;

Cc: Xen-devel <xen-devel@xxxxxxxxxxxxxxxxxxxx>, Stefano Stabellini <sstabellini@xxxxxxxxxx>, "michal.orzel@xxxxxxx" <michal.orzel@xxxxxxx>, "xenia.ragiadakou@xxxxxxx" <xenia.ragiadakou@xxxxxxx>, "ayan.kumar.halder@xxxxxxx" <ayan.kumar.halder@xxxxxxx>, "consulting@xxxxxxxxxxx" <consulting@xxxxxxxxxxx>, Andrew Cooper <andrew.cooper3@xxxxxxxxxx>, George Dunlap <george.dunlap@xxxxxxxxxx>, Julien Grall <julien@xxxxxxx>, Wei Liu <wl@xxxxxxx>, Bertrand Marquis <Bertrand.Marquis@xxxxxxx>, Volodymyr Babchuk <Volodymyr_Babchuk@xxxxxxxx>, Luca Fancellu <Luca.Fancellu@xxxxxxx>

Delivery-date: Mon, 17 Jul 2023 15:46:45 +0000

List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

On 17.07.2023 17:28, Nicola Vetrini wrote: > > > On 17/07/23 15:59, Jan Beulich wrote: >> On 14.07.2023 16:20, Luca Fancellu wrote: >>> >>> >>>> On 14 Jul 2023, at 12:49, Nicola Vetrini <nicola.vetrini@xxxxxxxxxxx> >>>> wrote: >>>> >>>> The macro 'testop' expands to a function that declares the local >>>> variable 'oldbit', which is written before being set, but is such a >>>> way that is not amenable to automatic checking. >>>> >>>> Therefore, a deviation comment, is introduced to document this situation. >>>> >>>> A similar reasoning applies to macro 'guest_testop'. >>>> >>>> Signed-off-by: Nicola Vetrini <nicola.vetrini@xxxxxxxxxxx> >>>> --- >>>> docs/misra/safe.json | 16 ++++++++++++++++ >>>> xen/arch/arm/arm64/lib/bitops.c | 3 +++ >>>> xen/arch/arm/include/asm/guest_atomics.h | 3 +++ >>>> 3 files changed, 22 insertions(+) >>>> >>>> diff --git a/docs/misra/safe.json b/docs/misra/safe.json >>>> index 244001f5be..4cf7cbf57b 100644 >>>> --- a/docs/misra/safe.json >>>> +++ b/docs/misra/safe.json >>>> @@ -20,6 +20,22 @@ >>>> }, >>>> { >>>> "id": "SAF-2-safe", >>>> + "analyser": { >>>> + "eclair": "MC3R1.R9.1" >>>> + }, >>>> + "name": "Rule 9.1: initializer not needed", >>>> + "text": "The following local variables are possibly subject >>>> to being read before being written, but code inspection ensured that the >>>> control flow in the construct where they appear ensures that no such event >>>> may happen." >>>> + }, >>>> + { >>>> + "id": "SAF-3-safe", >>>> + "analyser": { >>>> + "eclair": "MC3R1.R9.1" >>>> + }, >>>> + "name": "Rule 9.1: initializer not needed", >>>> + "text": "The following local variables are possibly subject >>>> to being read before being written, but code inspection ensured that the >>>> control flow in the construct where they appear ensures that no such event >>>> may happen." >>>> + }, >>> >>> Since the rule and the justification are the same, you can declare only >>> once and use the same tag on top of the offending lines, so /* SAF-2-safe >>> MC3R1.R9.1 */, >> >> +1 >> >> I'm puzzled by the wording vs comment placement though: The comments >> are inserted ahead of the macro invocations, so there are no "following >> local variables". Plus does this imply the comment would suppress the >> checking on _all_ of them, rather than just the one that was confirmed >> to be safe? What if another new one was added, that actually introduces >> a problem? >> >>> also, I remember some maintainers not happy about the misra rule being put >>> after the tag, now I don’t recall who >> >> Me, at least. The annotations should be tool-agnostic imo, or else the >> more tools we use, the longer these comments might get. > > No problem for both: Given the earlier remarks by Julien on patch 1/4, I > think we can devise something along the lines of > > /* SAF-x-safe MISRA:C 2012 Rule 9.1 <Justification> */ > int var; > > and then write a generic justification in docs/misra/safe.json, while > <Justification> contains a specific one (e.g., this loop does so and so > to ensure that no access to unset variables happens). But that still mentions the rule. What if a new MISRA:C 2025 appears, with different rule numbers? I don't mind the comment mentioning, in a sufficiently terse way, what problem is circumvented. But I don't think tools or specifications should be referenced here. That's the purpose of the referenced "database" entry. Jan

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.