
Re: [PATCH v3] misra: consider conversion from UL or (void*) to function pointer as safe


  • To: Jan Beulich <jbeulich@xxxxxxxx>
  • From: Dmytro Prokopchuk1 <dmytro_prokopchuk1@xxxxxxxx>
  • Date: Thu, 23 Oct 2025 16:01:21 +0000
  • Cc: Doug Goldstein <cardoe@xxxxxxxxxx>, Stefano Stabellini <sstabellini@xxxxxxxxxx>, Andrew Cooper <andrew.cooper3@xxxxxxxxxx>, Anthony PERARD <anthony.perard@xxxxxxxxxx>, Michal Orzel <michal.orzel@xxxxxxx>, Julien Grall <julien@xxxxxxx>, Roger Pau Monné <roger.pau@xxxxxxxxxx>, "xen-devel@xxxxxxxxxxxxxxxxxxxx" <xen-devel@xxxxxxxxxxxxxxxxxxxx>, Nicola Vetrini <nicola.vetrini@xxxxxxxxxxx>
  • Delivery-date: Thu, 23 Oct 2025 16:01:36 +0000
  • List-id: Xen developer discussion <xen-devel.lists.xenproject.org>
  • Thread-topic: [PATCH v3] misra: consider conversion from UL or (void*) to function pointer as safe


On 10/23/25 17:41, Jan Beulich wrote:
> On 23.10.2025 15:57, Dmytro Prokopchuk1 wrote:
>>
>>
>> On 10/23/25 13:23, Jan Beulich wrote:
>>> On 23.10.2025 12:00, Dmytro Prokopchuk1 wrote:
>>>> On 10/17/25 10:09, Nicola Vetrini wrote:
>>>>> On 2025-10-15 08:20, Jan Beulich wrote:
>>>>>> On 14.10.2025 18:16, Dmytro Prokopchuk1 wrote:
>>>>>>> --- a/xen/common/version.c
>>>>>>> +++ b/xen/common/version.c
>>>>>>> @@ -217,6 +217,20 @@ void __init xen_build_init(void)
>>>>>>>    #endif /* CONFIG_X86 */
>>>>>>>    }
>>>>>>>    #endif /* BUILD_ID */
>>>>>>> +
>>>>>>> +#if defined(__i386__) || defined(__x86_64__) || defined(__arm__) ||
>>>>>>> defined(__aarch64__)
>>>>>>
>>>>>> Why __i386__? Also (nit): Line too long.
>>>>
>>>> Well, I copied this line from Xen codebase,
>>>> but yeah, __i386__ is outdated now.
>>>> I'll remove it.
>>>>
>>>>>>
>>>>>> And why this restriction without any comment here or ...
>>>>>>
>>>>>>> +static void __init __maybe_unused build_assertions(void)
>>>>>>> +{
>>>>>>> +    /*
>>>>>>> +     * To confirm conversion compatibility between unsigned long,
>>>>>>> (void *)
>>>>>>> +     * and function pointers for X86 and ARM architectures only.
>>>>>>
>>>>>> ... explanation here? More generally - how would people know to update
>>>>>> the condition if another port was to be certified?
>>>>>>
>>>>>> Finally, with the v3 addition here, is Nicola's R-b really still
>>>>>> applicable?
>>>>>>
>>>>>
>>>>> I agree with the point you make about i386 (e.g., C-language-
>>>>> toolchain.rst may be mentioned to provide some context about the
>>>>> preprocessor guard); that said, my R-by can be retained
>>>>>
>>>>>> Jan
>>>>>>
>>>>>>> +     */
>>>>>>> +
>>>>>>> +    BUILD_BUG_ON(sizeof(unsigned long) != sizeof(void (*)(void)));
>>>>>>> +    BUILD_BUG_ON(sizeof(void *) != sizeof(void (*)(void)));
>>>>>>> +}
>>>>>>> +#endif
>>>>>>> +
>>>>>>>    /*
>>>>>>>     * Local variables:
>>>>>>>     * mode: C
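Review bot: the `#if defined(__i386__) || ... defined(__aarch64__)` guard around `build_assertions()` hides the two `BUILD_BUG_ON`s on exactly the ports where the size relationship has not been verified, so a new or unlisted architecture compiles cleanly without the check ever running; keep the checks unconditional and exclude only a specific architecture where the relationship is known not to hold, with a comment naming it. The comment inside the function should also state why the conversion is considered safe (`sizeof(unsigned long)` and `sizeof(void *)` equal to the function-pointer size) rather than only which architectures are covered, and the `#if` line exceeds the line-length limit and wants wrapping.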
>>>>>
>>>>
>>>> And probably v4 can have the following wording:
>>>>
>>>> /*
>>>>  * This assertion checks compatibility between 'unsigned long', 'void *',
>>>>  * and function pointers. This is true for X86 (x86_64) and ARM (arm, aarch64)
>>>>  * architectures, which is why the check is restricted to these.
>>>>  *
>>>>  * For more context on architecture-specific preprocessor guards, see
>>>>  * docs/misc/C-language-toolchain.rst.
>>>>  *
>>>>  * If Xen is ported to a new architecture, verify that this compatibility holds
>>>>  * before adding its macro to the condition below. If the compatibility does not
>>>>  * hold, this assertion may need to be revised or removed for that architecture.
>>>>  */
>>>
>>> Except that this doesn't address my concern. Imo the checks want to be there
>>> unconditionally, and ports where they're _not_ applicable would then need
>>> excluding (with suitable commentary and/or alternative checks).
>>>
>>> Jan
>>
>> Ok, below is the updated logic:
>>
>> /*
>>  * This assertion checks compatibility between 'unsigned long', 'void *',
>>  * and function pointers. This is true for most supported architectures,
>>  * including X86 (x86_64) and ARM (arm, aarch64).
>>  *
>>  * For more context on architecture-specific preprocessor guards, see
>>  * docs/misc/C-language-toolchain.rst.
>>  *
>>  * If porting Xen to a new architecture where this compatibility does not hold,
>>  * exclude that architecture from these checks and provide suitable commentary
>>  * and/or alternative checks as appropriate.
>>  */
>> static void __init __maybe_unused build_assertions(void)
>> {
>>     /*
>>      * Exclude architectures where function pointers are larger than data pointers:
>>      * - IA-64: uses 'fat' function pointers (code address + global pointer)
>>      */
>> #if !defined(__ia64__)
>>     BUILD_BUG_ON(sizeof(unsigned long) != sizeof(void (*)(void)));
>>     BUILD_BUG_ON(sizeof(void *) != sizeof(void (*)(void)));
>> #endif
>> }
> 
> I would omit architectures we don't support, though. I gave IA-64 as an
> example where things are more complicated (albeit iirc the checks would still
> succeed there). However, I didn't expect any trace of it to be added to the
> code base (again).
> 
> Jan

Well, it looks like only __powerpc__ matches these criteria.
At least, I see it in 'xen/arch'.

But this assertion didn't cause the build to fail when I ran CI:
https://gitlab.com/xen-project/people/dimaprkp4k/xen/-/jobs/11822940884
because the PPC64 pointer size is 64 bits (according to
C-language-toolchain.rst).

In any case, __powerpc__ is out of scope of certification, so this
architecture should be excluded.

Dmytro.
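As an added illustration of what the thread's two `BUILD_BUG_ON`s protect (this is example code, not the patch or Xen's own code): a stand-alone C11 program with an unconditional compile-time size check and the two round trips the MISRA deviation covers, function pointer to `unsigned long` and back, and function pointer to `void *` and back. `LOCAL_BUILD_BUG_ON`, `add_one`, `call_via_ulong`, `call_via_voidptr` and the `roundtrip_*_demo` helpers are names chosen here, not Xen identifiers; `LOCAL_BUILD_BUG_ON` only models Xen's `BUILD_BUG_ON` semantics (fail the build when the condition is true).

```c
/*
 * Added example, not part of the Xen patch under discussion: a stand-alone
 * model of the two build-time size checks, plus the conversions the MISRA
 * deviation covers (function pointer <-> unsigned long, function pointer
 * <-> void *). LOCAL_BUILD_BUG_ON, add_one, call_via_ulong and
 * call_via_voidptr are names chosen for this example, not Xen's.
 */
#include <stdio.h>

/* Stand-in for Xen's BUILD_BUG_ON(): fails the build when cond is true. */
#define LOCAL_BUILD_BUG_ON(cond) \
    _Static_assert(!(cond), "build assertion failed: " #cond)

/*
 * The two checks from the patch, kept unconditional: on every target this
 * file is compiled for, a function pointer must fit losslessly in an
 * unsigned long and in a void *. If that is ever false, compilation stops
 * here instead of the conversions below silently truncating an address.
 */
LOCAL_BUILD_BUG_ON(sizeof(unsigned long) != sizeof(void (*)(void)));
LOCAL_BUILD_BUG_ON(sizeof(void *) != sizeof(void (*)(void)));

typedef int (*int_fn_t)(int);

static int add_one(int x)
{
    return x + 1;
}

/*
 * Store a function pointer in an unsigned long (as a symbol address held in
 * an integer would be), convert it back and call through it. This is the
 * integer -> function-pointer conversion the deviation treats as safe once
 * the size check above holds.
 */
int call_via_ulong(int_fn_t fn, int arg)
{
    unsigned long raw = (unsigned long)fn;
    int_fn_t back = (int_fn_t)raw;

    return back(arg);
}

/*
 * Same round trip through void *. ISO C leaves object-pointer <->
 * function-pointer conversion implementation-defined; GCC and Clang support
 * it as an extension, which is why the size check is needed.
 */
int call_via_voidptr(int_fn_t fn, int arg)
{
    void *raw = (void *)fn;
    int_fn_t back = (int_fn_t)raw;

    return back(arg);
}

/* Entry points that bind add_one so the round trips can be exercised. */
int roundtrip_ulong_demo(int arg)
{
    return call_via_ulong(add_one, arg);
}

int roundtrip_voidptr_demo(int arg)
{
    return call_via_voidptr(add_one, arg);
}

int main(void)
{
    printf("sizeof(unsigned long)=%zu sizeof(void *)=%zu sizeof(fnptr)=%zu\n",
           sizeof(unsigned long), sizeof(void *), sizeof(void (*)(void)));
    printf("via unsigned long: %d, via void *: %d\n",
           roundtrip_ulong_demo(41), roundtrip_voidptr_demo(41));
    return 0;
}
```

Because the `_Static_assert` sits at file scope it is evaluated for every translation unit that includes it, whatever the architecture macros say; the conversions in `call_via_ulong()` and `call_via_voidptr()` are therefore only ever compiled on targets where the three sizes agree, which is the property the deviation relies on.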

