Xen project Mailing List

Re: [XEN PATCH v2 05/13] x86/traps: address violations of MISRA C Rule 16.3

To: Stefano Stabellini <sstabellini@xxxxxxxxxx>

Date: Wed, 26 Jun 2024 10:11:04 +0200

Autocrypt: addr=jbeulich@xxxxxxxx; keydata= xsDiBFk3nEQRBADAEaSw6zC/EJkiwGPXbWtPxl2xCdSoeepS07jW8UgcHNurfHvUzogEq5xk hu507c3BarVjyWCJOylMNR98Yd8VqD9UfmX0Hb8/BrA+Hl6/DB/eqGptrf4BSRwcZQM32aZK 7Pj2XbGWIUrZrd70x1eAP9QE3P79Y2oLrsCgbZJfEwCgvz9JjGmQqQkRiTVzlZVCJYcyGGsD /0tbFCzD2h20ahe8rC1gbb3K3qk+LpBtvjBu1RY9drYk0NymiGbJWZgab6t1jM7sk2vuf0Py O9Hf9XBmK0uE9IgMaiCpc32XV9oASz6UJebwkX+zF2jG5I1BfnO9g7KlotcA/v5ClMjgo6Gl MDY4HxoSRu3i1cqqSDtVlt+AOVBJBACrZcnHAUSuCXBPy0jOlBhxPqRWv6ND4c9PH1xjQ3NP nxJuMBS8rnNg22uyfAgmBKNLpLgAGVRMZGaGoJObGf72s6TeIqKJo/LtggAS9qAUiuKVnygo 3wjfkS9A3DRO+SpU7JqWdsveeIQyeyEJ/8PTowmSQLakF+3fote9ybzd880fSmFuIEJldWxp Y2ggPGpiZXVsaWNoQHN1c2UuY29tPsJgBBMRAgAgBQJZN5xEAhsDBgsJCAcDAgQVAggDBBYC AwECHgECF4AACgkQoDSui/t3IH4J+wCfQ5jHdEjCRHj23O/5ttg9r9OIruwAn3103WUITZee e7Sbg12UgcQ5lv7SzsFNBFk3nEQQCACCuTjCjFOUdi5Nm244F+78kLghRcin/awv+IrTcIWF hUpSs1Y91iQQ7KItirz5uwCPlwejSJDQJLIS+QtJHaXDXeV6NI0Uef1hP20+y8qydDiVkv6l IreXjTb7DvksRgJNvCkWtYnlS3mYvQ9NzS9PhyALWbXnH6sIJd2O9lKS1Mrfq+y0IXCP10eS FFGg+Av3IQeFatkJAyju0PPthyTqxSI4lZYuJVPknzgaeuJv/2NccrPvmeDg6Coe7ZIeQ8Yj t0ARxu2xytAkkLCel1Lz1WLmwLstV30g80nkgZf/wr+/BXJW/oIvRlonUkxv+IbBM3dX2OV8 AmRv1ySWPTP7AAMFB/9PQK/VtlNUJvg8GXj9ootzrteGfVZVVT4XBJkfwBcpC/XcPzldjv+3 HYudvpdNK3lLujXeA5fLOH+Z/G9WBc5pFVSMocI71I8bT8lIAzreg0WvkWg5V2WZsUMlnDL9 mpwIGFhlbM3gfDMs7MPMu8YQRFVdUvtSpaAs8OFfGQ0ia3LGZcjA6Ik2+xcqscEJzNH+qh8V m5jjp28yZgaqTaRbg3M/+MTbMpicpZuqF4rnB0AQD12/3BNWDR6bmh+EkYSMcEIpQmBM51qM EKYTQGybRCjpnKHGOxG0rfFY1085mBDZCH5Kx0cl0HVJuQKC+dV2ZY5AqjcKwAxpE75MLFkr wkkEGBECAAkFAlk3nEQCGwwACgkQoDSui/t3IH7nnwCfcJWUDUFKdCsBH/E5d+0ZnMQi+G0A nAuWpQkjM1ASeQwSHEeAWPgskBQL

Cc: xen-devel@xxxxxxxxxxxxxxxxxxxx, consulting@xxxxxxxxxxx, Andrew Cooper <andrew.cooper3@xxxxxxxxxx>, Roger Pau Monné <roger.pau@xxxxxxxxxx>, Federico Serafini <federico.serafini@xxxxxxxxxxx>

Delivery-date: Wed, 26 Jun 2024 08:11:24 +0000

List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

On 26.06.2024 03:11, Stefano Stabellini wrote: > On Tue, 25 Jun 2024, Jan Beulich wrote: >> On 25.06.2024 02:54, Stefano Stabellini wrote: >>> On Mon, 24 Jun 2024, Federico Serafini wrote: >>>> Add break or pseudo keyword fallthrough to address violations of >>>> MISRA C Rule 16.3: "An unconditional `break' statement shall terminate >>>> every switch-clause". >>>> >>>> No functional change. >>>> >>>> Signed-off-by: Federico Serafini <federico.serafini@xxxxxxxxxxx> >>>> --- >>>> xen/arch/x86/traps.c | 3 +++ >>>> 1 file changed, 3 insertions(+) >>>> >>>> diff --git a/xen/arch/x86/traps.c b/xen/arch/x86/traps.c >>>> index 9906e874d5..cbcec3fafb 100644 >>>> --- a/xen/arch/x86/traps.c >>>> +++ b/xen/arch/x86/traps.c >>>> @@ -1186,6 +1186,7 @@ void cpuid_hypervisor_leaves(const struct vcpu *v, >>>> uint32_t leaf, >>>> >>>> default: >>>> ASSERT_UNREACHABLE(); >>>> + break; >>> >>> Please add ASSERT_UNREACHABLE to the list of "unconditional flow control >>> statements" that can terminate a case, in addition to break. >> >> Why? Exactly the opposite is part of the subject of a recent patch, iirc. >> Simply because of the rules needing to cover both debug and release builds. > > The reason is that ASSERT_UNREACHABLE() might disappear from the release > build but it can still be used as a marker during static analysis. In > my view, ASSERT_UNREACHABLE() is equivalent to a noreturn function call > which has an empty implementation in release builds. > > The only reason I can think of to require a break; after an > ASSERT_UNREACHABLE() would be if we think the unreachability only apply > to debug build, not release build: > > - debug build: it is unreachable > - release build: it is reachable > > I don't think that is meant to be possible so I think we can use > ASSERT_UNREACHABLE() as a marker. Well. For one such an assumption takes as a prereq that a debug build will be run through full coverage testing, i.e. all reachable paths proven to be taken. I understand that this prereq is intended to somehow be met, even if I'm having difficulty seeing how such a final proof would look like: Full coverage would, to me, mean that _every_ line is reachable. Yet clearly any ASSERT_UNREACHABLE() must never be reached. And then not covering for such cases takes the further assumption that debug and release builds are functionally identical. I'm afraid this would be a wrong assumption to make: 1) We may screw up somewhere, with code wrongly enabled only in one of the two build modes. 2) The compiler may screw up, in particular with optimization. Jan

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.