[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [XEN PATCH 07/11] xen: address MISRA C:2012 Rule 2.1

To: Jan Beulich <jbeulich@xxxxxxxx>
From: Nicola Vetrini <nicola.vetrini@xxxxxxxxxxx>
Date: Wed, 16 Aug 2023 12:01:04 +0200
Cc: Stefano Stabellini <sstabellini@xxxxxxxxxx>, michal.orzel@xxxxxxx, xenia.ragiadakou@xxxxxxx, ayan.kumar.halder@xxxxxxx, consulting@xxxxxxxxxxx, Andrew Cooper <andrew.cooper3@xxxxxxxxxx>, George Dunlap <george.dunlap@xxxxxxxxxx>, Julien Grall <julien@xxxxxxx>, Wei Liu <wl@xxxxxxx>, xen-devel@xxxxxxxxxxxxxxxxxxxx
Delivery-date: Wed, 16 Aug 2023 10:01:17 +0000
List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

Hi,

On 08/08/2023 11:03, Nicola Vetrini wrote:

On 04/08/2023 08:42, Jan Beulich wrote:

On 04.08.2023 01:50, Stefano Stabellini wrote:

On Thu, 3 Aug 2023, Jan Beulich wrote:

On 02.08.2023 16:38, Nicola Vetrini wrote:

Rule 2.1 states: "A project shall not contain unreachable code".

The functions
- machine_halt
- maybe_reboot
- machine_restart
are not supposed to return, hence the following break statement

is marked as intentionally unreachable with theASSERT_UNREACHABLE()

macro to justify the violation of the rule.


During the discussion it was mentioned that this won't help with
release builds, where right now ASSERT_UNREACHABLE() expands to
effectively nothing. You want to clarify here how release builds
are to be taken care of, as those are what eventual certification
will be run against.


Something along these lines:

ASSERT_UNREACHABLE(), not only is used in non-release builds toactually

assert and detect errors, but it is also used as a marker to tag

unreachable code. In release builds ASSERT_UNREACHABLE() doesn'tresolve

into an assert, but retains its role of a code marker.

Does it work?


Well, it states what is happening, but I'm not convinced it satisfies
rule 2.1. There's then still code there which isn't reachable, and
which a scanner will spot and report.

Jan


It's not clear to me whether you dislike the patch itself or the commit
message. If it's the latter, how about:
"ASSERT_UNREACHABLE() is used as a marker for intentionally
unreachable code, which

constitutes a motivated deviation from Rule 2.1. Additionally, innon-release

builds, this macro performs a failing assertion to detect errors."

Any feedback on this (with one edit: s/a failing assertion/anassertion/)


--
Nicola Vetrini, BSc
Software Engineer, BUGSENG srl (https://bugseng.com)

Follow-Ups:
- Re: [XEN PATCH 07/11] xen: address MISRA C:2012 Rule 2.1
  - From: Jan Beulich

References:
- [XEN PATCH 00/11] xen: address MISRA C:2012 Rule 2.1
  - From: Nicola Vetrini
- [XEN PATCH 07/11] xen: address MISRA C:2012 Rule 2.1
  - From: Nicola Vetrini
- Re: [XEN PATCH 07/11] xen: address MISRA C:2012 Rule 2.1
  - From: Jan Beulich
- Re: [XEN PATCH 07/11] xen: address MISRA C:2012 Rule 2.1
  - From: Stefano Stabellini
- Re: [XEN PATCH 07/11] xen: address MISRA C:2012 Rule 2.1
  - From: Jan Beulich
- Re: [XEN PATCH 07/11] xen: address MISRA C:2012 Rule 2.1
  - From: Nicola Vetrini

Prev by Date: Re: [PATCH v3 02/10] xen/version: Introduce non-truncating deterministically-signed XENVER_* subops
Next by Date: [xen-unstable test] 182342: tolerable FAIL - PUSHED
Previous by thread: Re: [XEN PATCH 07/11] xen: address MISRA C:2012 Rule 2.1
Next by thread: Re: [XEN PATCH 07/11] xen: address MISRA C:2012 Rule 2.1
Index(es):
- Date
- Thread

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.