Xen project Mailing List

Re: [PATCH v2] misra: consider conversion from UL or (void*) to function pointer as safe

From: Dmytro Prokopchuk1 <dmytro_prokopchuk1@xxxxxxxx>

Date: Thu, 25 Sep 2025 18:37:21 +0000

Accept-language: en-US, uk-UA, ru-RU

Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=epam.com; dmarc=pass action=none header.from=epam.com; dkim=pass header.d=epam.com; arc=none

Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector10001; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=WFghAQKEJC3l/KiXFTMy1qzVHRKCyUkDxx/3I9yy3Yc=; b=pC/aN7ZeM9Kbz6OlD1MyjttG1EQGNa+HGM4NCw74qntAbaIGgEaqhXV/M2IBpUsUmlQUYPSWdIW7AgWVPIw1W+sF4X0OzWZoy4QiEgOzQEAtU70bTV9CRNA1lpTWIc+Zf/Rq2uB276x48+DN+QVMPJEJxUMuK1Wt2+ed1bCUqQ1FRxLAPULJdjRX/MIUWFG5eOSdjWmZ4UM0eG9dhEB2FkyFHBs9tD2/43SYxIOKiStflIlwVmlbJtrnKkIXIs2zhr9dGFTcTCRp8XFFALrm2ZZcN6i8Ea/xhqeQg8gFlHGQUDDaVHA3Bs4gu5X0qw4oDBwZhf2PywHn0Dy74CTnqQ==

Arc-seal: i=1; a=rsa-sha256; s=arcselector10001; d=microsoft.com; cv=none; b=U+5HYgaRbNz9sFCJq58tEMH0T4M2pOgq04OV2T/ApPVrmbFT5D20MD8PKJJm8NGU3pjCDOpReHsXKtR0zaYUlSc1zRUCVK7Ah7y9TFR+9gg6+IK9bGmb3hSSKM94dXhWyKydJ9HZUHfx4CCUSs12dsvalVh4GdRkuBFU2jysOLJ14PWDqM87LX+4/vokXqMr90DV+4cXQL4NhrgsAirJoH5O5wfaZHhmx2u9aKknZu46EKcteUPli98UHr1MSxS7eIJu87FWnIkIhvdicToUaxir4FFbcZ7RU9EIhPV7dbE5fi9uNwZweFMRq1nFRJU2CQNg6T6l6DEDArWthbTKuA==

Authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=epam.com;

Cc: Nicola Vetrini <nicola.vetrini@xxxxxxxxxxx>, Doug Goldstein <cardoe@xxxxxxxxxx>, Stefano Stabellini <sstabellini@xxxxxxxxxx>, Andrew Cooper <andrew.cooper3@xxxxxxxxxx>, Anthony PERARD <anthony.perard@xxxxxxxxxx>, Michal Orzel <michal.orzel@xxxxxxx>, Julien Grall <julien@xxxxxxx>, Roger Pau Monné <roger.pau@xxxxxxxxxx>, "xen-devel@xxxxxxxxxxxxxxxxxxxx" <xen-devel@xxxxxxxxxxxxxxxxxxxx>

Delivery-date: Thu, 25 Sep 2025 18:37:45 +0000

List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

Thread-index: AQHcLfLzOeq7/eyxK0Kcj9l07Fl9X7Sj4/SAgABXAYA=

Thread-topic: [PATCH v2] misra: consider conversion from UL or (void*) to function pointer as safe

On 9/25/25 16:25, Jan Beulich wrote: > On 25.09.2025 10:04, Dmytro Prokopchuk1 wrote: >> --- a/docs/misra/deviations.rst >> +++ b/docs/misra/deviations.rst >> @@ -366,11 +366,22 @@ Deviations related to MISRA C:2012 Rules: >> - Tagged as `safe` for ECLAIR. >> >> * - R11.1 >> - - The conversion from a function pointer to unsigned long or (void \*) >> does >> + - The conversion from a function pointer to unsigned long or '(void >> *)' does >> not lose any information, provided that the target type has enough >> bits >> to store it. >> - Tagged as `safe` for ECLAIR. >> >> + * - R11.1 >> + - The conversion from unsigned long or '(void *)' to a function >> pointer is >> + safe because it relies on both ABI definitions and compiler >> implementations >> + supported by Xen which define consistent and compatible >> representations >> + (i.e., having the same size and memory layout) for '(void *)', >> unsigned >> + long, and function pointers, enabling safe conversions between these >> types >> + without data loss or corruption. The compile-time assertions >> (BUILD_BUG_ON >> + macro) is integrated into 'xen/common/version.c' to confirm >> conversions >> + compatibility across all target platforms. > > As you use (and mean) plural, s/is/are/ ? I also think the "The" at the start > of the sentence wants dropping. Ok. > > Further, why this very dissimilar wording compared to what's said about > conversions _from_ function pointer types? Do you mean the following wording should be placed instead (to be similar with previous one)? "Conversions from unsigned long or (void *) to a function pointer do not lose any information, provided that the source type has enough bits to restore it." And wording about "ABI, compiler..." should be only in commit message? > > And then ... > >> --- a/xen/common/version.c >> +++ b/xen/common/version.c >> @@ -217,6 +217,17 @@ void __init xen_build_init(void) >> #endif /* CONFIG_X86 */ >> } >> #endif /* BUILD_ID */ >> + >> +static void __init __maybe_unused build_assertions(void) >> +{ >> + /* >> + * To confirm conversion compatibility between unsigned long, (void *) >> + * and function pointers for all supported architectures. >> + */ >> + BUILD_BUG_ON(sizeof(unsigned long) != sizeof(void (*)(void))); >> + BUILD_BUG_ON(sizeof(void *) != sizeof(void (*)(void))); >> +} > > ... I'm unconvinced checking merely the sizes is sufficient. On architectures > involving function descriptors (e.g. ia64) converting in this direction is > safe only if earlier on the value was obtained as the result of a conversion > in the opposite direction (and all of this within a single component, which > of course is guaranteed for Xen). As I know mainline Xen doesn't support IA-64 currently (this support was dropped). Why we still need to mention about IA-64 here? Anyway... Yes, this deviation wouldn't work with architectures where the representation of a function involves more than just its address (e.g. IA-64). If not proved that such conversion is symmetric. Probably, additional guard may be added below to exclude such architectures (e.g. IA-64): static void __init __maybe_unused build_assertions(void) { #if defined (__IA64__) || defined (__ia64__) #error "Conversions to function pointer isn't safe - architecture uses function descriptors." #endif BUILD_BUG_ON(sizeof(unsigned long) != sizeof(void (*)(void))); BUILD_BUG_ON(sizeof(void *) != sizeof(void (*)(void))); } But if someone really will try to run Xen on such platform, the build will fail. Or just mention explicitly that other architectures (e.g., IA-64) might not be safe for such conversions? Dmytro.> > Jan

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.