Xen project Mailing List

Re: [PATCH] misra: address MISRA C Rule 18.3 compliance

To: Dmytro Prokopchuk1 <dmytro_prokopchuk1@xxxxxxxx>

Date: Wed, 23 Jul 2025 15:58:24 +0200

Autocrypt: addr=jbeulich@xxxxxxxx; keydata= xsDiBFk3nEQRBADAEaSw6zC/EJkiwGPXbWtPxl2xCdSoeepS07jW8UgcHNurfHvUzogEq5xk hu507c3BarVjyWCJOylMNR98Yd8VqD9UfmX0Hb8/BrA+Hl6/DB/eqGptrf4BSRwcZQM32aZK 7Pj2XbGWIUrZrd70x1eAP9QE3P79Y2oLrsCgbZJfEwCgvz9JjGmQqQkRiTVzlZVCJYcyGGsD /0tbFCzD2h20ahe8rC1gbb3K3qk+LpBtvjBu1RY9drYk0NymiGbJWZgab6t1jM7sk2vuf0Py O9Hf9XBmK0uE9IgMaiCpc32XV9oASz6UJebwkX+zF2jG5I1BfnO9g7KlotcA/v5ClMjgo6Gl MDY4HxoSRu3i1cqqSDtVlt+AOVBJBACrZcnHAUSuCXBPy0jOlBhxPqRWv6ND4c9PH1xjQ3NP nxJuMBS8rnNg22uyfAgmBKNLpLgAGVRMZGaGoJObGf72s6TeIqKJo/LtggAS9qAUiuKVnygo 3wjfkS9A3DRO+SpU7JqWdsveeIQyeyEJ/8PTowmSQLakF+3fote9ybzd880fSmFuIEJldWxp Y2ggPGpiZXVsaWNoQHN1c2UuY29tPsJgBBMRAgAgBQJZN5xEAhsDBgsJCAcDAgQVAggDBBYC AwECHgECF4AACgkQoDSui/t3IH4J+wCfQ5jHdEjCRHj23O/5ttg9r9OIruwAn3103WUITZee e7Sbg12UgcQ5lv7SzsFNBFk3nEQQCACCuTjCjFOUdi5Nm244F+78kLghRcin/awv+IrTcIWF hUpSs1Y91iQQ7KItirz5uwCPlwejSJDQJLIS+QtJHaXDXeV6NI0Uef1hP20+y8qydDiVkv6l IreXjTb7DvksRgJNvCkWtYnlS3mYvQ9NzS9PhyALWbXnH6sIJd2O9lKS1Mrfq+y0IXCP10eS FFGg+Av3IQeFatkJAyju0PPthyTqxSI4lZYuJVPknzgaeuJv/2NccrPvmeDg6Coe7ZIeQ8Yj t0ARxu2xytAkkLCel1Lz1WLmwLstV30g80nkgZf/wr+/BXJW/oIvRlonUkxv+IbBM3dX2OV8 AmRv1ySWPTP7AAMFB/9PQK/VtlNUJvg8GXj9ootzrteGfVZVVT4XBJkfwBcpC/XcPzldjv+3 HYudvpdNK3lLujXeA5fLOH+Z/G9WBc5pFVSMocI71I8bT8lIAzreg0WvkWg5V2WZsUMlnDL9 mpwIGFhlbM3gfDMs7MPMu8YQRFVdUvtSpaAs8OFfGQ0ia3LGZcjA6Ik2+xcqscEJzNH+qh8V m5jjp28yZgaqTaRbg3M/+MTbMpicpZuqF4rnB0AQD12/3BNWDR6bmh+EkYSMcEIpQmBM51qM EKYTQGybRCjpnKHGOxG0rfFY1085mBDZCH5Kx0cl0HVJuQKC+dV2ZY5AqjcKwAxpE75MLFkr wkkEGBECAAkFAlk3nEQCGwwACgkQoDSui/t3IH7nnwCfcJWUDUFKdCsBH/E5d+0ZnMQi+G0A nAuWpQkjM1ASeQwSHEeAWPgskBQL

Cc: Nicola Vetrini <nicola.vetrini@xxxxxxxxxxx>, Doug Goldstein <cardoe@xxxxxxxxxx>, Stefano Stabellini <sstabellini@xxxxxxxxxx>, Andrew Cooper <andrew.cooper3@xxxxxxxxxx>, Anthony PERARD <anthony.perard@xxxxxxxxxx>, Michal Orzel <michal.orzel@xxxxxxx>, Julien Grall <julien@xxxxxxx>, Roger Pau Monné <roger.pau@xxxxxxxxxx>, "Daniel P. Smith" <dpsmith@xxxxxxxxxxxxxxxxxxxx>, Marek Marczykowski-Górecki <marmarek@xxxxxxxxxxxxxxxxxxxxxx>, Dario Faggioli <dfaggioli@xxxxxxxx>, Juergen Gross <jgross@xxxxxxxx>, George Dunlap <gwd@xxxxxxxxxxxxxx>, "xen-devel@xxxxxxxxxxxxxxxxxxxx" <xen-devel@xxxxxxxxxxxxxxxxxxxx>

Delivery-date: Wed, 23 Jul 2025 13:58:43 +0000

List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

On 23.07.2025 12:12, Dmytro Prokopchuk1 wrote: > --- a/automation/eclair_analysis/ECLAIR/deviations.ecl > +++ b/automation/eclair_analysis/ECLAIR/deviations.ecl > @@ -568,6 +568,14 @@ C99 Undefined Behaviour 45: Pointers that do not point > into, or just beyond, the > -config=MC3A2.R18.2,reports+={safe, > "any_area(any_loc(any_exp(macro(^page_to_mfn$))))"} > -doc_end > > +-doc_begin="Consider relational pointer comparisons in kernel-related > sections as safe and compliant." > +-config=MC3R1.R18.3,reports+={safe, > "any_area(any_loc(any_exp(macro(name(is_kernel||is_kernel_text||is_kernel_rodata||is_kernel_inittext)))))"} > +-doc_end > + > +-doc_begin="Allow deviations for pointer comparisons in BUG_ON and ASSERT > macros, treating them as safe for debugging and validation." > +-config=MC3R1.R18.3,reports+={safe, > "any_area(any_loc(any_exp(macro(name(BUG_ON||ASSERT)))))"} > +-doc_end Nit: Drop "deviations for" from the verbal description? > --- a/xen/arch/x86/efi/efi-boot.h > +++ b/xen/arch/x86/efi/efi-boot.h > @@ -461,7 +461,8 @@ static void __init efi_arch_edd(void) > params->device_path_info_length = > sizeof(struct edd_device_params) - > offsetof(struct edd_device_params, key); > - for ( p = (const u8 *)&params->key; p < &params->checksum; > ++p ) > + for ( p = (const u8 *)&params->key; > + (uintptr_t)p < (uintptr_t)&params->checksum; ++p ) There mere addition of such casts makes code more fragile imo. What about the alternative of using != instead of < here? I certainly prefer < in such situations, but functionally != ought to be equivalent (and less constrained by C and Misra). As mentioned several times when discussing these rules, it's also not easy to see how "pointers of different objects" could be involved here: It's all within *params, isn't it? Finally, when touching such code it would be nice if u<N> was converted to uint<N>_t. > --- a/xen/common/sched/core.c > +++ b/xen/common/sched/core.c > @@ -360,7 +360,7 @@ static always_inline void sched_spin_lock_double( > { > *flags = _spin_lock_irqsave(lock1); > } > - else if ( lock1 < lock2 ) > + else if ( (uintptr_t)lock1 < (uintptr_t)lock2 ) Similarly, no matter what C or Misra may have to say here, imo such casts are simply dangerous. Especially when open-coded. > --- a/xen/common/virtual_region.c > +++ b/xen/common/virtual_region.c > @@ -83,8 +83,8 @@ const struct virtual_region *find_text_region(unsigned long > addr) > rcu_read_lock(&rcu_virtual_region_lock); > list_for_each_entry_rcu ( iter, &virtual_region_list, list ) > { > - if ( (void *)addr >= iter->text_start && > - (void *)addr < iter->text_end ) > + if ( addr >= (unsigned long)iter->text_start && > + addr < (unsigned long)iter->text_end ) Considering further casts to unsigned long of the same struct fields, was it considered to alter the type of the struct fields instead? Jan

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.