[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [PATCH v2] misra: add deviation for MISRA C Rule 11.3

To: Dmytro Prokopchuk1 <dmytro_prokopchuk1@xxxxxxxx>
From: Nicola Vetrini <nicola.vetrini@xxxxxxxxxxx>
Date: Fri, 26 Sep 2025 09:49:08 +0200
Arc-authentication-results: i=1; bugseng.com; arc=none smtp.remote-ip=162.55.131.47
Arc-message-signature: i=1; d=bugseng.com; s=openarc; a=rsa-sha256; c=relaxed/relaxed; t=1758872948; h=DKIM-Signature:MIME-Version:Date:From:To:Cc:Subject:In-Reply-To: References:Message-ID:X-Sender:Organization:Content-Type: Content-Transfer-Encoding; bh=hOX7BXjqXFIc87ZFW5RPol29CzZmaqU6Ty3bcp9Rj24=; b=pG0eS/YCx5btoq7YWTFj8h7cDTnrFfyrb1XNBwuNUzrx4bVhbOLeYkSQfldUr/iD8VMy 0PTLWn930BfE1jGupF7wEqAX/f8Cto8CxA4J7hxha8vXO4jEwNLGQaMCxr3glScnp4Mpf 8kzDobdo1fdJdxa68dDTGxE4ljeqLQp6Va/YyFw2pmNcJbZ7cu3xpG95UK5EbPthtmdVx Gh3/caTsFboDevKMCNPGoWNO3whDJuZrWVgdWLp8taazo7X4zfdVbylJT8+W9wjtxFHwI zHNWH/1GdHvNVRbDetcBhawLgdx930RPmU7q2Q9AWKlJkAkZrarDKQ4woAffnz133gPON etMWvSEUPaJlVbHb3VAUVbCI7kzR1OLWgL87sZz21zlhbMNhJxWTaPu1XAeogi5C4D06R 7nfvxTjbY//sE5DzcywVxdm3MCCZuwKBcxY8F+h0mas6j5hfLAd+/Zb0yHdAoxfiCdOy9 cauuI6nmKMqXmpHG47mqvz4k3nCkXU5bm2zPOeKQHfJifIv5hG6hdB5mveo2HhQvT1lIt CTa8InMXFW3rB/Brp2EQbCmQy82hOm7wjeucVkkCL7L8QW+R/fur12KMtWCzZOr5/m3ds J6YQUQazJ0NptmqJTjVGKcLDcKpQHIl2JzbSi/JvxljlhAxXJBrnkSnFC/5lFXc=
Arc-seal: i=1; d=bugseng.com; s=openarc; a=rsa-sha256; cv=none; t=1758872948; b=hxFbrJg0HD1mrPZrjhJEMHtfhfDkKhaIP4pFSe8syEAicIOsWZEJUvbUPXAn+7nUraXB JaC29VkOzt0h2NV6FWdN5NJRh+HdwOPxYky6nsCoTJCZ+XX3vvqODkfk8rr6NsOcjflqz ls9s36ZmQZ6uUlns5PBtOoGSk7hTK4daNJxxQSuym/CWHaDAvBILvt0Xcbs68eTQe4UOR 4zm/FmNopRKooKo9nbP/J4PzoxXAin9nmFkgc5bKc5ES66X1ahRYnCkAlLIbrbr/nxp3I +z8Z5mmgGoXwbTRrdwGSXKMW7P9fpcEUT7X36txafnWhlvNZ35y/e+KK0fNR+1R3WvGiy 95ofcW9xTWb3WXRbpHdEFwbA7lFinsju8D8i/DkjQP+itHCxvUjad4t8ItkRyZ1bneoP+ QLoC2ExL4YPfRBrAl1gJoLnhKMUKmpMr90LgRxZrzCtRDkn2WRtA4rwi/bqr23DLFrKEH hMGeUQ7H8zfQZ/otN4+Ig6UAwgLRtoehjbR0WKTZvuURpbOkt0+u/Qa4AO6VP3i181hbc lRzl6H8L2JOTNY+wB7ddHt+hfSYBx0yDHRC7iTezvN7DP83cMDaYglngAIQwfadxH+5OA tm5UwmeInxQ1jvZWp+YeInUORXPOhNw3Ou25CTrOU/Q+WR2V/p8PSAFMlpyJ/ls=
Authentication-results: bugseng.com; arc=none smtp.remote-ip=162.55.131.47
Cc: Stefano Stabellini <sstabellini@xxxxxxxxxx>, Doug Goldstein <cardoe@xxxxxxxxxx>, Andrew Cooper <andrew.cooper3@xxxxxxxxxx>, Anthony PERARD <anthony.perard@xxxxxxxxxx>, Michal Orzel <michal.orzel@xxxxxxx>, Julien Grall <julien@xxxxxxx>, Roger Pau Monné <roger.pau@xxxxxxxxxx>, xen-devel@xxxxxxxxxxxxxxxxxxxx, Jan Beulich <jbeulich@xxxxxxxx>
Delivery-date: Fri, 26 Sep 2025 07:49:21 +0000
List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

On 2025-09-25 21:11, Dmytro Prokopchuk1 wrote:

On 8/25/25 13:23, Jan Beulich wrote:
On 24.08.2025 19:27, Dmytro Prokopchuk1 wrote:
MISRA C Rule 11.3 states: "A cast shall not be performed between apointer
to object type and a pointer to a different object type."
Violations of this rule arise due to the 'container_of()' macro,which casts
a member of a structure to its containing structure:
     container_of(ptr, type, member) ({                             \
            typeof_field(type, member) *__mptr = (ptr);             \
            (type *)( (char *)__mptr - offsetof(type,member) );})
The 'container_of()' macro is safe because it relies on thestandardized andwell-defined 'offsetof()' macro to calculate the memory address ofthe
containing structure, while assuming proper alignment and ensuring no
undefined behavior, provided that the input pointer is valid andpoints to
the specified member.
I may have said so before: This all reads okay to me, just that I'munsureit would actually be convincing to an assessor. The "provided that..." isa pretty strong requirement, which isn't overly hard to get wrong.Stefano,
Nicola - what's your take here?

Jan
Stefano, Nicola,

gentle reminder.

Dmytro.

The fact that you can't guarantee that the pointer you receive isaligned was the main reason why I didn't already introduce such adeviation in the first place. Now, as Stefano pointed out unalignedaccessed are largely ok on ARM and x86, with the exception on MMIOpointers (hard fault) and some niche cases in x86 which probably don'tmatter for Xen dealing with vectorized data types. So the crucial point(not just for this specific deviation) is ensuring that pointer areproperly aligned when it matters, which in this case is the same asmaking sure that "ptr" indeed points to a struct member. What might be aconvincing argument is to have sufficient testing and sanitizers (ASANmostly helps here) to show that this assumption is met with some degreeof confidence.


--
Nicola Vetrini, B.Sc.
Software Engineer
BUGSENG (https://bugseng.com)
LinkedIn: https://www.linkedin.com/in/nicola-vetrini-a42471253

References:
- Re: [PATCH v2] misra: add deviation for MISRA C Rule 11.3
  - From: Dmytro Prokopchuk1

Prev by Date: Re: [PATCH v4 01/18] xen/riscv: detect and initialize G-stage mode
Next by Date: [PATCH v12 0/3] Support hiding capability when its initialization fails
Previous by thread: Re: [PATCH v2] misra: add deviation for MISRA C Rule 11.3
Next by thread: [XEN][PATCH] x86/hvm: mem_sharing: add dependency from CONFIG_INTEL_VMX
Index(es):
- Date
- Thread

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.