[Top] [All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Misra R17.1 in Xen

  • To: Nicola Vetrini <nicola.vetrini@xxxxxxxxxxx>
  • From: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
  • Date: Tue, 30 Dec 2025 18:34:36 +0000
  • Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=citrix.com; dmarc=pass action=none header.from=citrix.com; dkim=pass header.d=citrix.com; arc=none
  • Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector10001; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=Zum6t0ZxTIiMX+9dFGcYgY+OxR75MgTnLxZOCThGZFM=; b=Sf3PYi3AJwOxWoas4MRpP40u/55MV1ANO0HPZJvKmIIBbh9LEwSQ5rGRYgh1j4FrXSOUBb8wLH55SMgZ5hclAez0egVkYHz+F0zX11kTex2Dd0M4y2xpKB70GEeNFlCdo+gNtF30GrZvitP50r576IULCG0qEFT1ZDCbFZh8RuOStXW2D5xCBfaHXMJzZv1qzPnKe91eZkdSoP5rywYVWAcAodVFhHLv27F5rE+27ciL5ao/Hl3RKqTTzx9JU0D9z8kDXZ0rwEWhOka1+w4M1KTNwkwvd7S6kzXKBX6pXsocIAQnHMYMImv2p9ZIHVMIAnHfqeJfoQEhGnmcgvhKkg==
  • Arc-seal: i=1; a=rsa-sha256; s=arcselector10001; d=microsoft.com; cv=none; b=JwncIQ0II8rXNestI4op2tdgidrm2+7z000bJCECSxNdBJX4jsTpaxiY5MnZI6lGXMGjWq+wOEKG2/Y8RXlGlm1nqiDWvuZNdk1If/mzV+H1oSfc8XeG/7FQvYZYG19GGNi+fjcdiWMOYBl5k6HdOuZ/2N2kFmV4+t5EDnMGkunZKtys4ioEFxrFctUlNSk4CxU7PF0vUBEXRxN5obSDisftDYnKvIyl9zPUcVFa+l1snG1W/yEfQm1CL3GMBjEXwUnL1RgGtr0f/jpajJen98JJOlLFtAezl40kjADCe9lcEr9pLx/EXwe18CGxH7XnQQnrsmA6vi/Jm9KR1wk48A==
  • Authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=citrix.com;
  • Cc: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>, xen-devel <xen-devel@xxxxxxxxxxxxxxxxxxxx>, Stefano Stabellini <sstabellini@xxxxxxxxxx>, consulting@xxxxxxxxxxx, Jan Beulich <jbeulich@xxxxxxxx>, Roger Pau Monné <roger.pau@xxxxxxxxxx>, Julien Grall <julien@xxxxxxx>, Bertrand Marquis <Bertrand.Marquis@xxxxxxx>, Michal Orzel <michal.orzel@xxxxxxx>
  • Delivery-date: Tue, 30 Dec 2025 18:34:54 +0000
  • List-id: Xen developer discussion <xen-devel.lists.xenproject.org>
On 30/12/2025 6:28 pm, Nicola Vetrini wrote:
> On 2025-12-30 18:34, Nicola Vetrini wrote:
>> On 2025-12-30 18:05, Andrew Cooper wrote:
>>> Hello,
>>>
>>> The x86_64-allcode run highlights one new violation of R17.1,
>>> vmcoreinfo_append_str().  In writing this email, I've found another in
>>> debugtrace_printk() meaning that we're missing some options in the
>>> -allcode configuration.
>>>
>>> In deviations.ecl we have:
>>>
>>> -doc_begin="printf()-like functions are allowed to use the variadic
>>> features provided by stdarg.h."
>>> -config=MC3A2.R17.1,reports+={deliberate,"any_area(^.*va_list.*$&&context(ancestor_or_self(^.*printk\\(.*\\)$)))"}
>>>
>>> -config=MC3A2.R17.1,reports+={deliberate,"any_area(^.*va_list.*$&&context(ancestor_or_self(^.*printf\\(.*\\)$)))"}
>>>
>>> -config=MC3A2.R17.1,reports+={deliberate,"any_area(^.*va_list.*$&&context(ancestor_or_self(name(panic)&&kind(function))))"}
>>>
>>> -config=MC3A2.R17.1,reports+={deliberate,"any_area(^.*va_list.*$&&context(ancestor_or_self(name(elf_call_log_callback)&&kind(function))))"}
>>>
>>> -config=MC3A2.R17.1,reports+={deliberate,"any_area(^.*va_list.*$&&context(ancestor_or_self(name(vprintk_common)&&kind(function))))"}
>>>
>>> -config=MC3A2.R17.1,macros+={hide , "^va_(arg|start|copy|end)$"}
>>> -doc_end
>>>
>>>
>>> First, we have no printf() so that row should be removed.
>>>
>>
>> I think it was for other variants of printf that are present in Xen
>> (e.g. vsnprintf). Perhaps it could be restricted a bit to be more
>> explicit.
>>
>>> But, more importantly this is safe if and only if the function
>>> declaration uses __attribute__((__format__(printf, ...))) to cause the
>>> compiler to perform format typechecking.
>>>
>>> Is it possible to encode this attribute requirement in the Eclair
>>> expression, so that e.g. accidentally dropping the attribute causes a
>>> violation to be reported?  This would also be rather safer than
>>> assuming
>>> that any prefix on printk() is safe.
>>>
>>
>> Well, the UBs associated to that rule (to varargs in general) go
>> beyond the formatting issues, but checking that the function decl has
>> the attribute is a good suggestion to harden these deviations. I'll
>> make some experiments and report back on this thread.
>
> Currently it is possible to match on the presence of the attribute
> "format", not on its arguments. Since "printf" is the only archetype
> used with "format" I don't think this is a big issue currently, but
> I'll let you be the judge on that.

There's scanf as the other option to format, but I suppose for the
specifics of a deviation for va_list, not being able to
match/distinguish format from scanf is fine.

~Andrew

 

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.

Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.