[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [PATCH v3] docs/misra: add rule 2.1 exceptions


  • To: Stefano Stabellini <sstabellini@xxxxxxxxxx>
  • From: Bertrand Marquis <Bertrand.Marquis@xxxxxxx>
  • Date: Thu, 28 Sep 2023 09:11:15 +0000
  • Accept-language: en-GB, en-US
  • Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=arm.com; dmarc=pass action=none header.from=arm.com; dkim=pass header.d=arm.com; arc=none
  • Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=iAPzE90dL9OQX53OaVeeCgxM9CGdm/CkDpxDOJlfpuw=; b=UbA8OWJrmhGaunMRWZP3SXha3NdIv+U4Aqw2EcmIgQUliJN/9g79TRtieYp5u1UdYoJaWwo8jOU9aUHJ2wKQLLFt1ohFIGqCXBK0ueDfbx2rX7ciQs0BHs5/smHzpMMV7iPdTCOqiJCMHX6oe/JXUiUsFPN8ZVDiTskTshXie4MmbFTGlJhbblDvBNgQ1pNBzb6p9pwqHrZ1LqJsAm5U6qef5leppDkhpFE+e/kpPjCmHfPJ7T7gqhj5L5GjLkpJzB2Q4KBQ3+jM3yl6BArmt/YImyVJ4kHTqTHJHN1dBn/4MHCxRf4qgMe/XShe7O4uS7tCpngZjUU1rLL2rka5lA==
  • Arc-seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=IpPywE9jYLAb9yFvCIs3pqdhZSAM1HDh9Zs75oS5r7RJjfTYRZ8ekhaq2vEPeA88axb2j3sQIEuk6tg9GBi6paBuU9/ZKJIPKhbSUnyQfMxiG/pcwoZFZdidOdzcEj+FCPcnCFZwwJqD9gJ6Te3h37EtRtccpsVxCsvhiUeeEFihkmqTOKUhA1qzgXwani0oy/9r9wUuLXXH0LOkcG0th5a8/9TSz5LAWW5QW/Em3bwmnP209Xt0j2pP8egX7PB4Axa/8YkIhtBaFYd2OAMm7l17N06UB9EG2GXGuE5YM28fKo+mCCwOonev1Hkrhc179wX9JcNMHZDcotWH2dbF0Q==
  • Authentication-results-original: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=arm.com;
  • Cc: Nicola Vetrini <nicola.vetrini@xxxxxxxxxxx>, Xen-devel <xen-devel@xxxxxxxxxxxxxxxxxxxx>, Jan Beulich <jbeulich@xxxxxxxx>, "andrew.cooper3@xxxxxxxxxx" <andrew.cooper3@xxxxxxxxxx>, "roger.pau@xxxxxxxxxx" <roger.pau@xxxxxxxxxx>, "george.dunlap@xxxxxxxxxx" <george.dunlap@xxxxxxxxxx>, "roberto.bagnara@xxxxxxxxxxx" <roberto.bagnara@xxxxxxxxxxx>, "julien@xxxxxxx" <julien@xxxxxxx>, Stefano Stabellini <stefano.stabellini@xxxxxxx>, Henry Wang <Henry.Wang@xxxxxxx>
  • Delivery-date: Thu, 28 Sep 2023 09:11:36 +0000
  • List-id: Xen developer discussion <xen-devel.lists.xenproject.org>
  • Nodisclaimer: true
  • Original-authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=arm.com;
  • Thread-index: AQHZ4qiwUwH3koR9JUa91LeAyizAArAVxOqAgACZsICAGAuKgIAABdgAgAETh4CAAI6WgA==
  • Thread-topic: [PATCH v3] docs/misra: add rule 2.1 exceptions


> On 28 Sep 2023, at 02:40, Stefano Stabellini <sstabellini@xxxxxxxxxx> wrote:
> 
> On Wed, 27 Sep 2023, Bertrand Marquis wrote:
>>> On 27 Sep 2023, at 09:53, Nicola Vetrini <nicola.vetrini@xxxxxxxxxxx> wrote:
>>> 
>>>>>> diff --git a/xen/arch/arm/psci.c b/xen/arch/arm/psci.c
>>>>>> index 695d2fa1f1..2a8527cacc 100644
>>>>>> --- a/xen/arch/arm/psci.c
>>>>>> +++ b/xen/arch/arm/psci.c
>>>>>> @@ -59,6 +59,7 @@ void call_psci_cpu_off(void)
>>>>>>      }
>>>>>>  }
>>>>>>  +/* SAF-2-safe */
>>>>> I think any use of SAF-2-safe should be accompanied with an attribute...
>>>>>>  void call_psci_system_off(void)
>>>>> ... noreturn for function or ...
>>>>>>  {
>>>>>>      if ( psci_ver > PSCI_VERSION(0, 1) )
>>>>>> diff --git a/xen/arch/x86/shutdown.c b/xen/arch/x86/shutdown.c
>>>>>> index 7619544d14..47e0f59024 100644
>>>>>> --- a/xen/arch/x86/shutdown.c
>>>>>> +++ b/xen/arch/x86/shutdown.c
>>>>>> @@ -118,6 +118,7 @@ static inline void kb_wait(void)
>>>>>>              break;
>>>>>>  }
>>>>>>  +/* SAF-2-safe */
>>>>>>  static void noreturn cf_check __machine_halt(void *unused)
>>>>>>  {
>>>>>>      local_irq_disable();
>>>>>> diff --git a/xen/include/xen/bug.h b/xen/include/xen/bug.h
>>>>>> index e8a4eea71a..d47c54f034 100644
>>>>>> --- a/xen/include/xen/bug.h
>>>>>> +++ b/xen/include/xen/bug.h
>>>>>> @@ -117,6 +117,7 @@ struct bug_frame {
>>>>>>  #endif
>>>>>>    #ifndef BUG
>>>>>> +/* SAF-2-safe */
>>>>>>  #define BUG() do {                                              \
>>>>>>      BUG_FRAME(BUGFRAME_bug,  __LINE__, __FILE__, 0, NULL);      \
>>>>>>      unreachable();                                              \
>>>>> ... unreachable for macros. But the /* SAF-2-safe */ feels a little bit
>>>>> redundant when a function is marked as 'noreturn'.
>>>>> Is there any way to teach eclair about noreturn?
>>>> Actually I had the same thought while writing this patch. If we can
>>>> adopt unreachable and noreturn consistently maybe we don't need
>>>> SAF-2-safe. If the checker can support it.
>>>> Nicola, what do you think?
>>> 
>>> A couple of remarks:
>>> - if you put the noreturn attribute on some functions, then surely the code 
>>> after those is
>>> reported as unreachable. ECLAIR should pick up all forms of noreturn 
>>> automatically; otherwise, a simple configuration can be used.
>>> 
>>> - Note that the cause of unreachability in the vast majority of cases is 
>>> the call to
>>> __builtin_unreachable(), therefore a textual deviation on the definition of 
>>> unreachable, plus
>>> a bit of ECLAIR configuration, can deviate it (to be clear, just the SAF 
>>> comment is not
>>> sufficient, since deviations comments are meant to be applied at the top 
>>> expansion location,
>>> which is not on the macro definition).
>>> This is what it should look like, roughly:
>>> 
>>> -config=MC3R1.R2.1,reports+={deliberate, "any_area(any_loc(text(^<REGEX>$, 
>>> -1)))"}
>>> 
>>> #if (!defined(__clang__) && (__GNUC__ == 4) && (__GNUC_MINOR__ < 5))
>>> /* SAF-2-safe */
>>> #define unreachable() do {} while (1)
>>> #else
>>> /* SAF-2-safe */
>>> #define unreachable() __builtin_unreachable()
>>> #endif
>>> 
>>> where REGEX will match the translation of SAF-2-safe.
>>> 
>>> However, this will then entail that *some* SAF comments are treated 
>>> specially and, moreover,
>>> that some modification to the definition of unreachable won't work
>>> (e.g.
>>> #define M() __builtin_unreachable()
>>> /* SAF-2-safe */
>>> #define unreachable() M()
>>> 
>>> My opinion is that it's far easier for this to be an eclair configuration 
>>> (which has the
>>> advantage not to depend on the exact definition of unreachable) and then 
>>> perhaps a comment
>>> above it explaining the situation.
>> 
>> I agree here and it is easier to make an overall exception where we list the 
>> cases
>> where this is acceptable (ie all flavors of unreacheable) and document that 
>> eclair
>> was configured using "xxxx" to handle this.
> 
> In that case it looks like we all agree that we can go ahead with this
> patch with just the changes to docs/misra/rules.rst to add rule 2.1 and
> remove everything else. Which is v2 of this patch:
> https://marc.info/?l=xen-devel&m=169283027729298
> 
> Henry, can I get one more release-ack for v2 of this patch (only changes
> to docs/misra, no code changes)?
> 
> Also Bertrand can you provide a formal Ack for v2?
> 

Done, you just need to handle the comment from Julien for it.

Cheers
Bertrand

> 
> I do think we should have a document to track this kind of deviations
> that are not managed by safe.json or exclude-list.json. But I think for
> now the rules.rst notes and the ECLAIR config file (which is under
> xen.git) will suffice.




 


Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.