[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [XEN PATCH 1/4] xen/arm: address violations of MISRA C:2012 Rule 13.1

To: Julien Grall <julien@xxxxxxx>, xen-devel@xxxxxxxxxxxxxxxxxxxx
From: Simone Ballarin <simone.ballarin@xxxxxxxxxxx>
Date: Thu, 19 Oct 2023 13:10:21 +0200
Cc: consulting@xxxxxxxxxxx, sstabellini@xxxxxxxxxx, Bertrand Marquis <bertrand.marquis@xxxxxxx>, Volodymyr Babchuk <Volodymyr_Babchuk@xxxxxxxx>
Delivery-date: Thu, 19 Oct 2023 11:10:26 +0000
List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

On 19/10/23 12:11, Julien Grall wrote:

Hi,

On 19/10/2023 09:43, Simone Ballarin wrote:
On 19/10/23 10:19, Julien Grall wrote:
Hi Simone,

On 19/10/2023 08:34, Simone Ballarin wrote:
On 18/10/23 17:03, Julien Grall wrote:
Hi,

On 18/10/2023 15:18, Simone Ballarin wrote:
Rule 13.1: Initializer lists shall not contain persistent sideeffects
This patch moves expressions with side-effects into new variablesbefore
the initializer lists.
Looking at the code, I feel the commit message should be a bit moreverbose because they are no apparent side-effects.
Function calls do not necessarily have side-effects, in thesecases the
GCC pure or const attributes are added when possible.
You are only adding pure in this patch.
No functional changes.

Signed-off-by: Simone Ballarin <simone.ballarin@xxxxxxxxxxx>

---
Function attributes pure and const do not need to be added as GCC
attributes, they can be added using ECLAIR configurations.
---
  xen/arch/arm/device.c              |  6 +++---
  xen/arch/arm/guestcopy.c           | 12 ++++++++----
  xen/arch/arm/include/asm/current.h |  2 +-
  3 files changed, 12 insertions(+), 8 deletions(-)

diff --git a/xen/arch/arm/device.c b/xen/arch/arm/device.c
index 1f631d3274..e9be078415 100644
--- a/xen/arch/arm/device.c
+++ b/xen/arch/arm/device.c
@@ -319,6 +319,8 @@ int handle_device(struct domain *d, structdt_device_node *dev, p2m_type_t p2mt,
      int res;
      paddr_t addr, size;
      bool own_device = !dt_device_for_passthrough(dev);
+    bool dev_is_hostbridge = is_pci_passthrough_enabled() &&
+ device_get_class(dev) ==DEVICE_PCI_HOSTBRIDGE;
The commit message suggests that the code is moved because thereare side-effects. But none of them should have any side-effects.
device_get_class contains an 'ASSERT(dev != NULL)' which is definitely
a side-effect.
Just to confirm my understanding, the side-effect here would be thefact that it traps and then panic(). IOW, if the trap washypothetically replaced by a while (1), then it would not be anissue. is it correct? >
No, it isn't. A infinite loop is a side effect.
I am not sure why. There are no change of state here.
I can see two solutions:
1) Remove the ASSERT(). It is only here to make the NULLdereference obvious in debug build. That said, the stack trace for aNULL dereference would still be as clear.
Removing the ASSERT just to make MISRA happy does not sound good to me.
I didn't suggest the ASSERT() just ot make MISRA happy. I suggested itbecause it has no value here (we still have stack track if there are anyissue).
2) Replace the ASSERT with a proper check if ( !dev ) returnDEVICE_UNKONWN. AFAIU, we would not be able to add aASSERT_UNREACHABLE() because this would be again a perceivedside-effect.
Replacing it with a proper check can be a solution, but I still preferto add a deviation or move the invocation outside the initializer list.
In general, I am not in favor of adding deviation if we can avoid thembecause the code can changed and therefore either moot the deviation orhide any other issue.


Ok, I will proceed with option 1.

[...]

Yes, sorry I was looking to the wrong definition.
In ARM the problem is the presence of a *volatile* ASM.
Please take a look here:

https://saas.eclairit.com:3787/fs/var/local/eclair/XEN.ecdf/ECLAIR_normal/arm/for-4.19/ARM64-Set2/latest/PROJECT.ecd;/by_service/MC3R1.R13.1.html#{"select":true,"selection":{"hiddenAreaKinds":[],"hiddenSubareaKinds":[],"show":true,"selector":{"enabled":true,"negated":false,"kind":0,"domain":"fingerprint","inputs":[{"enabled":true,"text":"0da7f0c9aea5491eba343618f965c81f5d7aed3c"}]}}}

Ok. So the problem is the READ_SYSREG(...). Is there a way we canencapsulate the call so we don't need to use your propose trick ordeviate at every use of 'current'?


The point is that we need to move "READ_SYSREG(TPIDR_EL2)" outside
the initializer (there are no advantages in wrapping it on a function
if the function cannot be declared pure).

The proposed solution seems to me the cleanest way do to it. I do notsee any other acceptable solutions.

Cheers,


--
Simone Ballarin, M.Sc.

Field Application Engineer, BUGSENG (https://bugseng.com)

Follow-Ups:
- Re: [XEN PATCH 1/4] xen/arm: address violations of MISRA C:2012 Rule 13.1
  - From: Julien Grall

References:
- [XEN PATCH 0/4][for-4.19] xen: address violations of Rule 13.1
  - From: Simone Ballarin
- [XEN PATCH 1/4] xen/arm: address violations of MISRA C:2012 Rule 13.1
  - From: Simone Ballarin
- Re: [XEN PATCH 1/4] xen/arm: address violations of MISRA C:2012 Rule 13.1
  - From: Julien Grall
- Re: [XEN PATCH 1/4] xen/arm: address violations of MISRA C:2012 Rule 13.1
  - From: Simone Ballarin
- Re: [XEN PATCH 1/4] xen/arm: address violations of MISRA C:2012 Rule 13.1
  - From: Julien Grall
- Re: [XEN PATCH 1/4] xen/arm: address violations of MISRA C:2012 Rule 13.1
  - From: Simone Ballarin
- Re: [XEN PATCH 1/4] xen/arm: address violations of MISRA C:2012 Rule 13.1
  - From: Julien Grall

Prev by Date: Re: [PATCH v1 04/29] xen/asm-generic: introduce stub header device.h
Next by Date: Re: [PATCH v1 20/29] xen/asm-generic: introduce stub header div64.h
Previous by thread: Re: [XEN PATCH 1/4] xen/arm: address violations of MISRA C:2012 Rule 13.1
Next by thread: Re: [XEN PATCH 1/4] xen/arm: address violations of MISRA C:2012 Rule 13.1
Index(es):
- Date
- Thread

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.