[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [XEN PATCH] xen/arm: optee: provide an initialization for struct arm_smccc_res

To: Julien Grall <julien@xxxxxxx>, xen-devel@xxxxxxxxxxxxxxxxxxxx
From: Nicola Vetrini <nicola.vetrini@xxxxxxxxxxx>
Date: Fri, 21 Jul 2023 09:28:19 +0200
Cc: sstabellini@xxxxxxxxxx, michal.orzel@xxxxxxx, xenia.ragiadakou@xxxxxxx, ayan.kumar.halder@xxxxxxx, consulting@xxxxxxxxxxx, Volodymyr Babchuk <volodymyr_babchuk@xxxxxxxx>, Bertrand Marquis <bertrand.marquis@xxxxxxx>
Delivery-date: Fri, 21 Jul 2023 07:28:43 +0000
List-id: Xen developer discussion <xen-devel.lists.xenproject.org>



On 20/07/23 17:54, Julien Grall wrote:

Hi Nicola,

On 20/07/2023 15:29, Nicola Vetrini wrote:
The local variables with type 'struct arm_smccc_res' are initialized
just after the declaration to avoid any possible read usage prior
to any write usage, which would constitute a violation of
MISRA C:2012 Rule 9.1.

This is already prevented by suitable checks in the code,
but the correctness of this approach is difficult to prove and
reason about.
So I looked at the implementation of arm_smccc_smc(). For arm64, it is(simplified):
if ( cpus_have_const_cap(ARM_SMCCC_1_1) )
    arm_smccc_1_1_smc(__VA_ARGS__);
else
    arm_smccc_1_0_smc(_VA_ARGS__);

In arm_smccc_1_1_smc(), we will explicitly initialize __res:

if ( ___res )
   *___res = (typeof(*___res)) {r0, r1, r2, r3};
Whereas for arm_smccc_1_0_smc(), we would call assembly function. Iassuming this is the problem?
I think this is similar to the discussion we had on set_interrupts() anddt_set_cells(). If so, couldn't we tell ECLAIR that__arm_smccc_1_0_smc() will always initialize *res?

This is slightly different because of the chained variadic macroexpansions of arm_smccc_smc. I could have stated that arm_smccc_smcinitializes its args, but because it's variadic I can't narrow it downto a specific index, therefore the property is not correct, because theinput arguments are instead expected to be read by the macro. The samereasoning applies for all variadic macros that have some input andoutput parameters, not just this one.

In the end, if these were fixed-argument functions or macros we can aimfor that, and that would obsolete this patch.


Regards,

--
Nicola Vetrini, BSc
Software Engineer, BUGSENG srl (https://bugseng.com)

Follow-Ups:
- Re: [XEN PATCH] xen/arm: optee: provide an initialization for struct arm_smccc_res
  - From: Julien Grall

References:
- [XEN PATCH] xen/arm: optee: provide an initialization for struct arm_smccc_res
  - From: Nicola Vetrini
- Re: [XEN PATCH] xen/arm: optee: provide an initialization for struct arm_smccc_res
  - From: Julien Grall

Prev by Date: Re: [XEN PATCH v10 04/24] xen/arm: tee: add a primitive FF-A mediator
Next by Date: Re: [PATCH v8 02/13] vpci: use per-domain PCI lock to protect vpci structure
Previous by thread: Re: [XEN PATCH] xen/arm: optee: provide an initialization for struct arm_smccc_res
Next by thread: Re: [XEN PATCH] xen/arm: optee: provide an initialization for struct arm_smccc_res
Index(es):
- Date
- Thread

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.