[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [XEN PATCH v2 2/3] xen/arm: add SAF deviation for debugging and logging effects


  • To: Simone Ballarin <simone.ballarin@xxxxxxxxxxx>
  • From: Jan Beulich <jbeulich@xxxxxxxx>
  • Date: Tue, 28 Nov 2023 09:42:54 +0100
  • Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=suse.com; dmarc=pass action=none header.from=suse.com; dkim=pass header.d=suse.com; arc=none
  • Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=xSs067g/U8AUue32uACe19Uy8ZzzBUjW5ZDCoo9/bFI=; b=c9V57QXOTj6GIWfrgTvC65ONI3Jd2cryiFyk3BYRcUlOY6gRom/tqMjjbg2daBwK3ZhmMQpKCwMu27PEn2ngEYh4EhWsYk0FYBxcGiZZobB9ItHV/SfHNEnQiQkK5aWhMj1P2Ulm03RbJDg46E0NbIfx2XftSP4pHSCpbHXCin8Bj6FtOmWTgEJuAq91C0ZYs6r3h84/YzIbm8cZlyxzFDgfjWIy3PJ4bd2tk23PtHLf6HkSQhBD29kKr+08e6kmzU5egzO1lUSEVMG+pCY5gvC8urzYc1i8CyRcjaB6jw+wXU9lD0ghGeFhifm1NWFulyVoIPMDXID9J8uxXdbqfQ==
  • Arc-seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=Zx2hOlrh++NtZExKfH1HtXPSyGvtKu1EC0QKg2pyXnDc5kgHGQ/keQroHV8qM5laixAuIu8rQzVSJM31gpl+r86l5+6G7f8xbx+ojVp66wFJcgvj4Hz2uF5wfT18zYctf7/qSVXabRlcCNbGioNLr/fRscb47DezBmnkSOxRn4lELJJ5vKl+a82mDRglIfcdpE71Uf4fafwYCs3SYSYyN7BscRS+gcMGOiOxHsLLIfr7rUNYafIVUribttnwFzvWXhPss72PfIbcWbTBYJDDPkImujEtGteUHW2wpnzPlMv8HXJf2L15QG6t0SxxFb5HMIKnTas8BU2rwe3XSG+4Yw==
  • Authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=suse.com;
  • Autocrypt: addr=jbeulich@xxxxxxxx; keydata= xsDiBFk3nEQRBADAEaSw6zC/EJkiwGPXbWtPxl2xCdSoeepS07jW8UgcHNurfHvUzogEq5xk hu507c3BarVjyWCJOylMNR98Yd8VqD9UfmX0Hb8/BrA+Hl6/DB/eqGptrf4BSRwcZQM32aZK 7Pj2XbGWIUrZrd70x1eAP9QE3P79Y2oLrsCgbZJfEwCgvz9JjGmQqQkRiTVzlZVCJYcyGGsD /0tbFCzD2h20ahe8rC1gbb3K3qk+LpBtvjBu1RY9drYk0NymiGbJWZgab6t1jM7sk2vuf0Py O9Hf9XBmK0uE9IgMaiCpc32XV9oASz6UJebwkX+zF2jG5I1BfnO9g7KlotcA/v5ClMjgo6Gl MDY4HxoSRu3i1cqqSDtVlt+AOVBJBACrZcnHAUSuCXBPy0jOlBhxPqRWv6ND4c9PH1xjQ3NP nxJuMBS8rnNg22uyfAgmBKNLpLgAGVRMZGaGoJObGf72s6TeIqKJo/LtggAS9qAUiuKVnygo 3wjfkS9A3DRO+SpU7JqWdsveeIQyeyEJ/8PTowmSQLakF+3fote9ybzd880fSmFuIEJldWxp Y2ggPGpiZXVsaWNoQHN1c2UuY29tPsJgBBMRAgAgBQJZN5xEAhsDBgsJCAcDAgQVAggDBBYC AwECHgECF4AACgkQoDSui/t3IH4J+wCfQ5jHdEjCRHj23O/5ttg9r9OIruwAn3103WUITZee e7Sbg12UgcQ5lv7SzsFNBFk3nEQQCACCuTjCjFOUdi5Nm244F+78kLghRcin/awv+IrTcIWF hUpSs1Y91iQQ7KItirz5uwCPlwejSJDQJLIS+QtJHaXDXeV6NI0Uef1hP20+y8qydDiVkv6l IreXjTb7DvksRgJNvCkWtYnlS3mYvQ9NzS9PhyALWbXnH6sIJd2O9lKS1Mrfq+y0IXCP10eS FFGg+Av3IQeFatkJAyju0PPthyTqxSI4lZYuJVPknzgaeuJv/2NccrPvmeDg6Coe7ZIeQ8Yj t0ARxu2xytAkkLCel1Lz1WLmwLstV30g80nkgZf/wr+/BXJW/oIvRlonUkxv+IbBM3dX2OV8 AmRv1ySWPTP7AAMFB/9PQK/VtlNUJvg8GXj9ootzrteGfVZVVT4XBJkfwBcpC/XcPzldjv+3 HYudvpdNK3lLujXeA5fLOH+Z/G9WBc5pFVSMocI71I8bT8lIAzreg0WvkWg5V2WZsUMlnDL9 mpwIGFhlbM3gfDMs7MPMu8YQRFVdUvtSpaAs8OFfGQ0ia3LGZcjA6Ik2+xcqscEJzNH+qh8V m5jjp28yZgaqTaRbg3M/+MTbMpicpZuqF4rnB0AQD12/3BNWDR6bmh+EkYSMcEIpQmBM51qM EKYTQGybRCjpnKHGOxG0rfFY1085mBDZCH5Kx0cl0HVJuQKC+dV2ZY5AqjcKwAxpE75MLFkr wkkEGBECAAkFAlk3nEQCGwwACgkQoDSui/t3IH7nnwCfcJWUDUFKdCsBH/E5d+0ZnMQi+G0A nAuWpQkjM1ASeQwSHEeAWPgskBQL
  • Cc: consulting@xxxxxxxxxxx, Andrew Cooper <andrew.cooper3@xxxxxxxxxx>, George Dunlap <george.dunlap@xxxxxxxxxx>, Julien Grall <julien@xxxxxxx>, Stefano Stabellini <sstabellini@xxxxxxxxxx>, Wei Liu <wl@xxxxxxx>, Bertrand Marquis <bertrand.marquis@xxxxxxx>, Michal Orzel <michal.orzel@xxxxxxx>, Volodymyr Babchuk <Volodymyr_Babchuk@xxxxxxxx>, Roger Pau Monné <roger.pau@xxxxxxxxxx>, Dario Faggioli <dfaggioli@xxxxxxxx>, xen-devel@xxxxxxxxxxxxxxxxxxxx
  • Delivery-date: Tue, 28 Nov 2023 08:43:05 +0000
  • List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

On 27.11.2023 18:34, Simone Ballarin wrote:
> On 27/11/23 16:09, Jan Beulich wrote:
>> On 27.11.2023 15:35, Simone Ballarin wrote:
>>> On 27/11/23 11:46, Jan Beulich wrote:
>>>> On 24.11.2023 18:29, Simone Ballarin wrote:
>>>>> --- a/docs/misra/safe.json
>>>>> +++ b/docs/misra/safe.json
>>>>> @@ -28,6 +28,22 @@
>>>>>            },
>>>>>            {
>>>>>                "id": "SAF-3-safe",
>>>>> +            "analyser": {
>>>>> +                "eclair": "MC3R1.R13.1"
>>>>> +            },
>>>>> +            "name": "MC3R1.R13.1: effects for debugging and logging",
>>>>> +            "text": "Effects for debugging and loggings reasons that 
>>>>> crash execution or produce logs are allowed in initializer lists. The 
>>>>> evaluation order in abnormal conditions is not relevant."
>>>>> +        },
>>>>
>>>> I'm wary of this statement. Order may not matter much anymore _after_ an
>>>> abnormal condition was encountered, but in the course of determining 
>>>> whether
>>>> an abnormal condition might have been reached it may very well still 
>>>> matter.
>>>
>>> Do you object to the deviation in general? Or just to the wording?
>>
>> Primarily the wording. Yet the need to adjust the wording also hints at there
>> needing to be care when actually making use of this deviation. Which it turn
>> I'm not convinced is in the spirit of Misra
> 
> The rule is really strict, but imho the only real dangerous situation is
> when an entry performs a persistent side effect that can change the
> behavior of another entry. I.e.:
> 
> int y = 0;
> int x[2] =
> {
>    y=1, /* first element will be always 1 */
>    y    /* second element can be either 0 or 1 */
> };
> 
> Above we have a dependency between the first entry and the second.
> 
> Now let's consider logging effects:
> 
> #define LOG(x) printf("LOG: %s", x);
> 
> int x[2] =
> {
>    ({ LOG("1"); 1; }),
>    ({ LOG("2"); 2; })
> };
> 
> 
> Here the execution can print:
> "LOG: 1LOG: 2" or
> "LOG: 2LOG: 1".
> 
> Do we agree that the evaluation order of prints caused by logging
> functions/macros do not normally cause dependencies between the
> entries? The execution is still non-deterministic, but does it really
> matter?.
> 
> In the case of function that crash execution, no dependencies can exist
> since no further entries will be evaluated.
> 
> In conclusion, I propose the following rewording:
> 
> "text": "Effects that crash execution or produce logs are allowed in 
> initializer lists. Logging effects do not affect the evaluation of 
> subsequent entries. Crash effects are allowed as they represent the
> end of the execution.

Let's assume we have a BUG_ON() (as the "crash effect") the condition of
which depends on where in the sequence of operations it actually executes,
i.e. (potentially) dependent upon another part of the initializer. I hope
we agree that's not something that should be deviated? Yet even the re-
worded statement would - according to my reading - permit doing so.

I guess I should try to remember to bring this up on this afternoon's call.

>>>>> --- a/xen/arch/arm/guestcopy.c
>>>>> +++ b/xen/arch/arm/guestcopy.c
>>>>> @@ -110,18 +110,21 @@ static unsigned long copy_guest(void *buf, uint64_t 
>>>>> addr, unsigned int len,
>>>>>    unsigned long raw_copy_to_guest(void *to, const void *from, unsigned 
>>>>> int len)
>>>>>    {
>>>>>        return copy_guest((void *)from, (vaddr_t)to, len,
>>>>> +                      /* SAF-4-safe No persistent side effects */
>>>>>                          GVA_INFO(current), COPY_to_guest | COPY_linear);
>>>>>    }
>>>>>    
>>>>>    unsigned long raw_copy_to_guest_flush_dcache(void *to, const void 
>>>>> *from,
>>>>>                                                 unsigned int len)
>>>>>    {
>>>>> +    /* SAF-4-safe No persistent side effects */
>>>>>        return copy_guest((void *)from, (vaddr_t)to, len, 
>>>>> GVA_INFO(current),
>>>>>                          COPY_to_guest | COPY_flush_dcache | COPY_linear);
>>>>>    }
>>>>>    
>>>>>    unsigned long raw_clear_guest(void *to, unsigned int len)
>>>>>    {
>>>>> +    /* SAF-4-safe No persistent side effects */
>>>>>        return copy_guest(NULL, (vaddr_t)to, len, GVA_INFO(current),
>>>>>                          COPY_to_guest | COPY_linear);
>>>>>    }
>>>>> @@ -129,6 +132,7 @@ unsigned long raw_clear_guest(void *to, unsigned int 
>>>>> len)
>>>>>    unsigned long raw_copy_from_guest(void *to, const void __user *from,
>>>>>                                      unsigned int len)
>>>>>    {
>>>>> +    /* SAF-4-safe No persistent side effects */
>>>>>        return copy_guest(to, (vaddr_t)from, len, GVA_INFO(current),
>>>>>                          COPY_from_guest | COPY_linear);
>>>>>    }
>>>>
>>>> I can only guess that in all four of these it's the use of "current" which
>>>> requires the comment. Yet imo that either needs making explicit, or such a
>>>> comment shouldn't go on use sites of "current", but on its definition site.
>>>>
>>>
>>> "current" does not contain any violation of R13.1. Its expansion
>>> produces a side-effect, but this is not a problem in itself. The real
>>> problem is that GVA_INFO expands it in an initializer list:
>>> #define GVA_INFO(vcpu) ((copy_info_t) { .gva = { vcpu } })
>>
>> But an initializer list doesn't itself constitute a side effect, does it?
> 
> The side effect should be inside the initializer list. { .gva = 1 } is 
> not a violation.

I'm afraid I don't see what would be constituting a violation here.

Jan



 


Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.