[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [XEN PATCH 10/11] xen/sched: add ASSERT_UNREACHABLE() to address MISRA C:2012 Rule 2.1

To: Jan Beulich <jbeulich@xxxxxxxx>
From: Julien Grall <julien@xxxxxxx>
Date: Tue, 8 Aug 2023 16:44:02 +0100
Cc: sstabellini@xxxxxxxxxx, michal.orzel@xxxxxxx, xenia.ragiadakou@xxxxxxx, ayan.kumar.halder@xxxxxxx, consulting@xxxxxxxxxxx, George Dunlap <george.dunlap@xxxxxxxxxx>, Dario Faggioli <dfaggioli@xxxxxxxx>, Nicola Vetrini <nicola.vetrini@xxxxxxxxxxx>, xen-devel@xxxxxxxxxxxxxxxxxxxx
Delivery-date: Tue, 08 Aug 2023 15:44:14 +0000
List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

Hi,

On 08/08/2023 16:36, Jan Beulich wrote:

On 08.08.2023 17:25, Julien Grall wrote:

On 02/08/2023 15:38, Nicola Vetrini wrote:

The break statement after the return statement is definitely unreachable.
As such, an call to the ASSERT_UNREACHABLE() macro is added to signal
the intentionality of such construct.


How about using unreachable() rather than ASSERT_UNREACHABLE()? The main
difference is the later will hint the compiler that the code cannot be
reached and will not crash Xen in debug build (this could be changed).


Isn't using unreachable() in place of ASSERT_UNREACHABLE() unsafe (not
here but in general)?


Yes it is.

 It'll tell the compiler that (in the extreme case)

it can omit the function epilogue, including the return instruction. In
the resulting build, if the code turns out to be reachable, execution
would fall through into whatever follows.

Right, but the problem is somewhat similar with addingASSERT_UNREACHABLE() without proper error path because there is noguarantee the rest of the code will be correct in the unlikely case itis reachable.


In the case here ...

--- a/xen/common/sched/core.c
+++ b/xen/common/sched/core.c
@@ -2233,6 +2233,7 @@ static bool sched_tasklet_check_cpu(unsigned int cpu)
           /* fallthrough */
       case TASKLET_enqueued|TASKLET_scheduled:
           return true;
+        ASSERT_UNREACHABLE();
           break;
       case TASKLET_scheduled:
           clear_bit(_TASKLET_scheduled, tasklet_work);


... "return" alone already tells the compiler that "break" is
unreachable. You don't need unreachable() for that. As said before,
"break" like this simply want purging (and Misra is wrong to demand
"break" everywhere - it should instead demand no [unannotated]
fall-through, which can also be achieved by return, continue, and
goto).

My suggestion was in the context of this series where we addASSERT_UNREACHABLE() before break. From my understanding, we don't havea lot of leeway here because, from what Nicola wrote, rule 16.3 ismandatory.

So I think using unreachable is better if we every decide to use breakafter return.


Cheers,

--
Julien Grall

Follow-Ups:
- Re: [XEN PATCH 10/11] xen/sched: add ASSERT_UNREACHABLE() to address MISRA C:2012 Rule 2.1
  - From: Nicola Vetrini

References:
- [XEN PATCH 00/11] xen: address MISRA C:2012 Rule 2.1
  - From: Nicola Vetrini
- [XEN PATCH 10/11] xen/sched: add ASSERT_UNREACHABLE() to address MISRA C:2012 Rule 2.1
  - From: Nicola Vetrini
- Re: [XEN PATCH 10/11] xen/sched: add ASSERT_UNREACHABLE() to address MISRA C:2012 Rule 2.1
  - From: Julien Grall
- Re: [XEN PATCH 10/11] xen/sched: add ASSERT_UNREACHABLE() to address MISRA C:2012 Rule 2.1
  - From: Jan Beulich

Prev by Date: Re: [XEN PATCH 10/11] xen/sched: add ASSERT_UNREACHABLE() to address MISRA C:2012 Rule 2.1
Next by Date: Re: [XEN PATCH 10/11] xen/sched: add ASSERT_UNREACHABLE() to address MISRA C:2012 Rule 2.1
Previous by thread: Re: [XEN PATCH 10/11] xen/sched: add ASSERT_UNREACHABLE() to address MISRA C:2012 Rule 2.1
Next by thread: Re: [XEN PATCH 10/11] xen/sched: add ASSERT_UNREACHABLE() to address MISRA C:2012 Rule 2.1
Index(es):
- Date
- Thread

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.