[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [XEN PATCH 3/4] xen/include: add pure and const attributes



On 23/10/23 15:34, Jan Beulich wrote:
On 18.10.2023 16:18, Simone Ballarin wrote:
Add const and pure attributes to address reports
of MISRA C:2012 Rule 13.1: Initializer lists shall
not contain persistent side effects

Add pure attribute to function pdx_to_pfn.
Add const attribute to functions generated by TYPE_SAFE.

These functions are used in initializer lists: adding
the attributes ensures that no effect will be performed
by them.

Adding the attribute does, according to my understanding, ensure nothing
The compiler may (but isn't required to) diagnose wrong uses of the
attributes, but it may also make use of the attributes (on the
declaration) without regard to the attribute potentially being wrongly
applied. Since further for inline functions the compiler commonly infers
attributes from the expanded code (discarding the attribute), the only
thing achieved here is a documentation aspect, I think.

Yes, you're right. I will rephrase the commit message.



--- a/xen/include/xen/pdx.h
+++ b/xen/include/xen/pdx.h
@@ -164,7 +164,7 @@ static inline unsigned long pfn_to_pdx(unsigned long pfn)
   * @param pdx Page index
   * @return Obtained pfn after decompressing the pdx
   */
-static inline unsigned long pdx_to_pfn(unsigned long pdx)
+static inline __attribute_pure__ unsigned long pdx_to_pfn(unsigned long pdx)
  {
      return (pdx & pfn_pdx_bottom_mask) |
             ((pdx << pfn_pdx_hole_shift) & pfn_top_mask);

Taking this as an example for what I've said above: The compiler can't
know that the globals used by the functions won't change value. Even
within Xen it is only by convention that these variables are assigned
their values during boot, and then aren't changed anymore. Which makes
me wonder: Did you check carefully that around the time the variables
have their values established, no calls to the functions exist (which
might then be subject to folding)?

There is no need to check that, the GCC documentation explicitly says:

However, functions declared with the pure attribute *can safely read any non-volatile objects*, and modify the value of objects in a way that does not affect their return value or the observable state of the program.

https://gcc.gnu.org/onlinedocs/gcc/Common-Function-Attributes.html

Additionally - what about the sibling function pfn_to_pdx()?

Jan

I will add the attribute also to the sibling.

--
Simone Ballarin, M.Sc.

Field Application Engineer, BUGSENG (https://bugseng.com)




 


Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.