
[PATCH v2] misra: consider conversion from UL or (void*) to function pointer as safe


  • To: "xen-devel@xxxxxxxxxxxxxxxxxxxx" <xen-devel@xxxxxxxxxxxxxxxxxxxx>
  • From: Dmytro Prokopchuk1 <dmytro_prokopchuk1@xxxxxxxx>
  • Date: Thu, 25 Sep 2025 08:04:01 +0000
  • Accept-language: en-US, uk-UA, ru-RU
  • Cc: Dmytro Prokopchuk1 <dmytro_prokopchuk1@xxxxxxxx>, Nicola Vetrini <nicola.vetrini@xxxxxxxxxxx>, Doug Goldstein <cardoe@xxxxxxxxxx>, Stefano Stabellini <sstabellini@xxxxxxxxxx>, Andrew Cooper <andrew.cooper3@xxxxxxxxxx>, Anthony PERARD <anthony.perard@xxxxxxxxxx>, Michal Orzel <michal.orzel@xxxxxxx>, Jan Beulich <jbeulich@xxxxxxxx>, Julien Grall <julien@xxxxxxx>, Roger Pau Monné <roger.pau@xxxxxxxxxx>
  • Delivery-date: Thu, 25 Sep 2025 08:04:08 +0000
  • List-id: Xen developer discussion <xen-devel.lists.xenproject.org>
  • Thread-topic: [PATCH v2] misra: consider conversion from UL or (void*) to function pointer as safe

Rule 11.1 states the following: "Conversions shall not be performed
between a pointer to a function and any other type."

This deviation from Rule 11.1 relies on both ABI definitions and compiler
implementations supported by Xen. The System V x86_64 ABI and the AArch64
ELF ABI define consistent and compatible representations (i.e., having
the same size and memory layout) for (void *), unsigned long, and function
pointers, enabling safe conversions between these types without data loss
or corruption. Additionally, GCC and Clang faithfully implement the ABI
specifications, ensuring that the generated machine code conforms to these
guarantees. Developers must note that this behavior is not universal and
depends on platform-specific ABIs and compiler implementations.

Configure Eclair to avoid reporting violations for conversions from
unsigned long or (void *) to a function pointer.

Add a compile-time assertion into the file 'xen/common/version.c' to
confirm this conversion compatibility across all target platforms
(assuming this file is common for all platforms).

References:
- System V x86_64 ABI: https://gitlab.com/x86-psABIs/x86-64-ABI/-/jobs/artifacts/master/raw/x86-64-ABI/abi.pdf?job=build
- AArch64 ELF ABI: https://github.com/ARM-software/abi-aa/releases
- GCC: https://gcc.gnu.org/onlinedocs/gcc/ARM-Options.html
- Clang: https://clang.llvm.org/docs/CrossCompilation.html

Signed-off-by: Dmytro Prokopchuk <dmytro_prokopchuk1@xxxxxxxx>
Reviewed-by: Nicola Vetrini <nicola.vetrini@xxxxxxxxxxx>
---
Changes in v2:
- updated commit message and deviation wording
- added Nicola's tag
- replaced "(void \*)" by a quoted form in one place

Link to v1:
https://patchew.org/Xen/9e5e4ff2c7ba0a90a6ac403e2de9318e18949274.1755628705.git.dmytro._5Fprokopchuk1@xxxxxxxx/
---
 automation/eclair_analysis/ECLAIR/deviations.ecl | 10 ++++++++++
 docs/misra/deviations.rst                        | 13 ++++++++++++-
 docs/misra/rules.rst                             |  7 ++++++-
 xen/common/version.c                             | 11 +++++++++++
 4 files changed, 39 insertions(+), 2 deletions(-)

diff --git a/automation/eclair_analysis/ECLAIR/deviations.ecl 
b/automation/eclair_analysis/ECLAIR/deviations.ecl
index 7f3fd35a33..432a68ae5a 100644
--- a/automation/eclair_analysis/ECLAIR/deviations.ecl
+++ b/automation/eclair_analysis/ECLAIR/deviations.ecl
@@ -375,6 +375,16 @@ constant expressions are required.\""
 }
 -doc_end
 
+-doc_begin="The conversion from unsigned long or (void *) to a function 
pointer is safe because it relies on both ABI definitions and compiler 
implementations supported by Xen
+which define consistent and compatible representations (i.e., having the same 
size and memory layout) for (void *), unsigned long, and function pointers, 
enabling safe
+conversions between these types without data loss or corruption."
+-config=MC3A2.R11.1,casts+={safe,
+  "from(type(canonical(builtin(unsigned long)||pointer(builtin(void)))))
+   &&to(type(canonical(__function_pointer_types)))
+   &&relation(definitely_preserves_value)"
+}
+-doc_end
+
 -doc_begin="The conversion from a function pointer to a boolean has a 
well-known semantics that do not lead to unexpected behaviour."
 -config=MC3A2.R11.1,casts+={safe,
   "from(type(canonical(__function_pointer_types)))
diff --git a/docs/misra/deviations.rst b/docs/misra/deviations.rst
index 3271317206..565e65a6a3 100644
--- a/docs/misra/deviations.rst
+++ b/docs/misra/deviations.rst
@@ -366,11 +366,22 @@ Deviations related to MISRA C:2012 Rules:
      - Tagged as `safe` for ECLAIR.
 
    * - R11.1
-     - The conversion from a function pointer to unsigned long or (void \*) 
does
+     - The conversion from a function pointer to unsigned long or '(void *)' 
does
        not lose any information, provided that the target type has enough bits
        to store it.
      - Tagged as `safe` for ECLAIR.
 
+   * - R11.1
+     - The conversion from unsigned long or '(void *)' to a function pointer is
+       safe because it relies on both ABI definitions and compiler 
implementations
+       supported by Xen which define consistent and compatible representations
+       (i.e., having the same size and memory layout) for '(void *)', unsigned
+       long, and function pointers, enabling safe conversions between these 
types
+       without data loss or corruption. The compile-time assertions 
(BUILD_BUG_ON
+       macro) is integrated into 'xen/common/version.c' to confirm conversions
+       compatibility across all target platforms.
+     - Tagged as `safe` for ECLAIR.
+
    * - R11.1
      - The conversion from a function pointer to a boolean has a well-known
        semantics that do not lead to unexpected behaviour.
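Review bot: "The compile-time assertions (BUILD_BUG_ON macro) is integrated" mixes plural and singular; suggest "Compile-time assertions (BUILD_BUG_ON) in 'xen/common/version.c' confirm ...". Also, the assertions added in version.c compare only sizeof() of the three types, whereas this paragraph says they confirm "conversions compatibility" and the rationale speaks of "same size and memory layout"; stating that the assertions check size equality, with the representation guarantee coming from the ABIs, keeps the text from promising more than the build actually verifies.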
diff --git a/docs/misra/rules.rst b/docs/misra/rules.rst
index 4388010ec9..4e94251887 100644
--- a/docs/misra/rules.rst
+++ b/docs/misra/rules.rst
@@ -431,7 +431,12 @@ maintainers if you want to suggest a change.
      - All conversions to integer types are permitted if the destination
        type has enough bits to hold the entire value. Conversions to bool
        and void* are permitted. Conversions from 'void noreturn (*)(...)'
-       to 'void (*)(...)' are permitted.
+       to 'void (*)(...)' are permitted. Conversions from unsigned long or
+       '(void *)' to a function pointer are permitted.
+       Example::
+
+           unsigned long func_addr = (unsigned long)&some_function;
+           void (*restored_func)(void) = (void (*)(void))func_addr;
 
    * - `Rule 11.2 
<https://gitlab.com/MISRA/MISRA-C/MISRA-C-2012/Example-Suite/-/blob/master/R_11_02.c>`_
      - Required
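Review bot: the first example line, `(unsigned long)&some_function`, is the already-permitted direction (function pointer to unsigned long); only the second line exercises the permission this hunk adds, and a short comment marking that would avoid confusion. Since the sentence also permits '(void *)' as the source type, a second line converting a `void *` back to `void (*)(void)` would make the example cover both cases. The rules.rst text also drops the ABI-dependence caveat carried by the deviations.rst entry; a clause such as "relying on the ABI guarantees documented in deviations.rst" would stop readers taking the permission as unconditional.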
diff --git a/xen/common/version.c b/xen/common/version.c
index 553b97ba9b..7091a6d440 100644
--- a/xen/common/version.c
+++ b/xen/common/version.c
@@ -217,6 +217,17 @@ void __init xen_build_init(void)
 #endif /* CONFIG_X86 */
 }
 #endif /* BUILD_ID */
+
+static void __init __maybe_unused build_assertions(void)
+{
+    /*
+     * To confirm conversion compatibility between unsigned long, (void *)
+     * and function pointers for all supported architectures.
+     */
+    BUILD_BUG_ON(sizeof(unsigned long) != sizeof(void (*)(void)));
+    BUILD_BUG_ON(sizeof(void *) != sizeof(void (*)(void)));
+}
+
 /*
  * Local variables:
  * mode: C
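Review bot: the comment says the checks "confirm conversion compatibility", but a BUILD_BUG_ON on sizeof() establishes only equal width, not that the value survives the cast; rephrasing to "confirm that unsigned long and (void *) have the same size as a function pointer" matches what is actually checked. The assertion tests a single function pointer type, `void (*)(void)`, while the ECLAIR configuration deviates all of `__function_pointer_types`; a one-line comment that all function pointer types share one representation under the supported ABIs would justify checking only one. Placing the function after `#endif /* BUILD_ID */` makes it unconditional, which matches the intent of covering every configuration.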
-- 
2.43.0
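As an added example (not part of this patch or of Xen), a stand-alone C program that mirrors both halves of the rationale above: compile-time size equality, as the BUILD_BUG_ON()s in version.c do, plus a runtime round trip through unsigned long and void * that shows the value preservation ECLAIR's relation(definitely_preserves_value) stands for. The binop_t type and the add/sub functions are constructed for the example; it holds only on ABIs such as System V x86_64 and AArch64 ELF where the widths match.

```c
#include <stddef.h>

/*
 * Added example, not Xen code. The two _Static_assert()s correspond to
 * the BUILD_BUG_ON()s the patch adds to xen/common/version.c; the round
 * trips below check what a size comparison alone cannot: that converting
 * a function pointer through unsigned long or void * and back yields the
 * same callee. Only valid where the ABI gives the three types one width.
 */
typedef int (*binop_t)(int, int);   /* constructed for the example */

_Static_assert(sizeof(unsigned long) == sizeof(void (*)(void)),
               "unsigned long must be as wide as a function pointer");
_Static_assert(sizeof(void *) == sizeof(void (*)(void)),
               "void * must be as wide as a function pointer");

static int add(int a, int b) { return a + b; }
static int sub(int a, int b) { return a - b; }

/* Round trip via unsigned long: the new direction is the second cast. */
static binop_t via_ulong(binop_t fn)
{
    unsigned long addr = (unsigned long)fn;  /* existing deviation */
    return (binop_t)addr;                    /* deviation added by the patch */
}

/* Round trip via void *, the second source type the deviation covers. */
static binop_t via_voidptr(binop_t fn)
{
    void *p = (void *)fn;                    /* existing deviation */
    return (binop_t)p;                       /* deviation added by the patch */
}

/*
 * Returns 1 when both round trips hand back the original pointer and the
 * restored pointer calls the same function; 0 on any mismatch.
 */
int roundtrip_preserves_value(void)
{
    binop_t table[] = { add, sub };
    for (size_t i = 0; i < sizeof(table) / sizeof(table[0]); i++) {
        binop_t a = via_ulong(table[i]);
        binop_t b = via_voidptr(table[i]);
        if (a != table[i] || b != table[i])
            return 0;
        if (a(7, 3) != table[i](7, 3) || b(7, 3) != table[i](7, 3))
            return 0;
    }
    return 1;
}
```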



 

