[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [XEN PATCH][for-4.19 8/9] xen/types: address Rule 10.1 for DECLARE_BITMAP use

To: Julien Grall <julien@xxxxxxx>
From: Nicola Vetrini <nicola.vetrini@xxxxxxxxxxx>
Date: Mon, 09 Oct 2023 09:44:59 +0200
Cc: xen-devel@xxxxxxxxxxxxxxxxxxxx, sstabellini@xxxxxxxxxx, michal.orzel@xxxxxxx, xenia.ragiadakou@xxxxxxx, ayan.kumar.halder@xxxxxxx, consulting@xxxxxxxxxxx, jbeulich@xxxxxxxx, andrew.cooper3@xxxxxxxxxx, roger.pau@xxxxxxxxxx, Paul Durrant <paul@xxxxxxx>, George Dunlap <george.dunlap@xxxxxxxxxx>, Wei Liu <wl@xxxxxxx>
Delivery-date: Mon, 09 Oct 2023 07:45:10 +0000
List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

On 06/10/2023 16:47, Julien Grall wrote:

Hi Nicola,

On 06/10/2023 11:10, Nicola Vetrini wrote:

On 06/10/2023 11:34, Julien Grall wrote:

Hi Nicola,

On 06/10/2023 09:26, Nicola Vetrini wrote:

Given its use in the declaration
'DECLARE_BITMAP(features, IOMMU_FEAT_count)' the argument
'bits' has essential type 'enum iommu_feature', which is not
allowed by the Rule as an operand to the addition operator
in macro 'BITS_TO_LONGS'.

A comment in BITS_TO_LONGS is added to make it clear that
values passed are meant to be positive.


I am confused. If the value is meant to be positive. Then...


Signed-off-by: Nicola Vetrini <nicola.vetrini@xxxxxxxxxxx>
---
  xen/include/xen/iommu.h | 2 +-
  xen/include/xen/types.h | 1 +
  2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/xen/include/xen/iommu.h b/xen/include/xen/iommu.h
index 0e747b0bbc1c..34aa0b9b5b81 100644
--- a/xen/include/xen/iommu.h
+++ b/xen/include/xen/iommu.h
@@ -360,7 +360,7 @@ struct domain_iommu {
  #endif
        /* Features supported by the IOMMU */
-    DECLARE_BITMAP(features, IOMMU_FEAT_count);
+    DECLARE_BITMAP(features, (int)IOMMU_FEAT_count);


... why do we cast to (int) rather than (unsigned int)? Also, I think
this cast deserve a comment on top because this is not a very obvious
one.

        /* Does the guest share HAP mapping with the IOMMU? */
      bool hap_pt_share;
diff --git a/xen/include/xen/types.h b/xen/include/xen/types.h
index aea259db1ef2..936e83d333a0 100644
--- a/xen/include/xen/types.h
+++ b/xen/include/xen/types.h
@@ -22,6 +22,7 @@ typedef signed long ssize_t;
    typedef __PTRDIFF_TYPE__ ptrdiff_t;
  +/* Users of this macro are expected to pass a positive value */
  #define BITS_TO_LONGS(bits) \
      (((bits)+BITS_PER_LONG-1)/BITS_PER_LONG)
  #define DECLARE_BITMAP(name,bits) \


Cheers,

See [1] for the reason why I did so. I should have mentioned that inthe commit notes, sorry.In short, making BITS_TO_LONGS essentially unsigned would cause acascade of build errors and

possibly other essential type violations.

Can you share some of the errors?

I don't have that build log at hand, but you can reproduce them bydefining


#define BYTES_PER_LONG (_AC(1,U) << LONG_BYTEORDER)
#define BITS_PER_LONG (BYTES_PER_LONG << 3)

#define BITS_TO_LONGS(bits) \
  (((bits)+BITS_PER_LONG-1U)/BITS_PER_LONG)

and then fiddle a bit with the signedness of the constants in
xen/arch/x86/include/asm/page-bits.h.

They are essentially pointer comparison errors in the instances of 'min'and 'max'that involve those macros or macros derived from those, which make thebuild fail because

they (rightfully) trigger a warning from gcc.

If this is to be fixed that way, the effort required
is far greater. Either way, a comment on top of can be added, alongthe lines of:
Leaving this as an enum would violate MISRA C:2012 Rule 10.1


I read this as you are simply trying to silence your tool. I think
this the wrong approach as you are now making the code confusing for
the reader (you pass a signed int to a function that is supposed to
take a positive number).

I appreciate that this will result to more violations at the
beginning. But the whole point of MISRA is to make the code better.

If this is too complex to solve now, then a possible option is to
deviate for the time being.

Cheers,

You have a point in that is sort of hides a deeper issue that isconstituted by thesignedness of the macro, but I'd suggest adding to this patch a commentexplaining whatneeds to be done, rather than a deviation comment that hides theviolations. The reasonis that in the former case, if you put an unsigned argument too big tofit in an integerit will generate a new report, while if a negative argument is used,there is a warning

comment on the macro definition (not an ideal countermeasure, though).

[1]https://lore.kernel.org/xen-devel/6495ba58bda01eae1f4baa46096424eb@xxxxxxxxxxx/


--
Nicola Vetrini, BSc
Software Engineer, BUGSENG srl (https://bugseng.com)

References:
- [XEN PATCH 0/9] address violations of MISRA C:2012 Rule 10.1
  - From: Nicola Vetrini
- [XEN PATCH][for-4.19 8/9] xen/types: address Rule 10.1 for DECLARE_BITMAP use
  - From: Nicola Vetrini
- Re: [XEN PATCH][for-4.19 8/9] xen/types: address Rule 10.1 for DECLARE_BITMAP use
  - From: Julien Grall
- Re: [XEN PATCH][for-4.19 8/9] xen/types: address Rule 10.1 for DECLARE_BITMAP use
  - From: Nicola Vetrini
- Re: [XEN PATCH][for-4.19 8/9] xen/types: address Rule 10.1 for DECLARE_BITMAP use
  - From: Julien Grall

Prev by Date: Re: [XEN PATCH 7/9] x86/mce: Move MC_NCLASSES into the enum mctelem_class
Next by Date: Re: [XEN PATCH][for-4.19 8/9] xen/types: address Rule 10.1 for DECLARE_BITMAP use
Previous by thread: Re: [XEN PATCH][for-4.19 8/9] xen/types: address Rule 10.1 for DECLARE_BITMAP use
Next by thread: [XEN PATCH 9/9] xen/compat: address Rule 10.1 for macros CHECK_SIZE
Index(es):
- Date
- Thread

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.