[Top] [All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [PATCH] xen: address violation of MISRA C Rule 11.1

  • To: alessandro.zucchelli@xxxxxxxxxxx
  • From: Jan Beulich <jbeulich@xxxxxxxx>
  • Date: Mon, 16 Dec 2024 08:26:28 +0100
  • Autocrypt: addr=jbeulich@xxxxxxxx; keydata= xsDiBFk3nEQRBADAEaSw6zC/EJkiwGPXbWtPxl2xCdSoeepS07jW8UgcHNurfHvUzogEq5xk hu507c3BarVjyWCJOylMNR98Yd8VqD9UfmX0Hb8/BrA+Hl6/DB/eqGptrf4BSRwcZQM32aZK 7Pj2XbGWIUrZrd70x1eAP9QE3P79Y2oLrsCgbZJfEwCgvz9JjGmQqQkRiTVzlZVCJYcyGGsD /0tbFCzD2h20ahe8rC1gbb3K3qk+LpBtvjBu1RY9drYk0NymiGbJWZgab6t1jM7sk2vuf0Py O9Hf9XBmK0uE9IgMaiCpc32XV9oASz6UJebwkX+zF2jG5I1BfnO9g7KlotcA/v5ClMjgo6Gl MDY4HxoSRu3i1cqqSDtVlt+AOVBJBACrZcnHAUSuCXBPy0jOlBhxPqRWv6ND4c9PH1xjQ3NP nxJuMBS8rnNg22uyfAgmBKNLpLgAGVRMZGaGoJObGf72s6TeIqKJo/LtggAS9qAUiuKVnygo 3wjfkS9A3DRO+SpU7JqWdsveeIQyeyEJ/8PTowmSQLakF+3fote9ybzd880fSmFuIEJldWxp Y2ggPGpiZXVsaWNoQHN1c2UuY29tPsJgBBMRAgAgBQJZN5xEAhsDBgsJCAcDAgQVAggDBBYC AwECHgECF4AACgkQoDSui/t3IH4J+wCfQ5jHdEjCRHj23O/5ttg9r9OIruwAn3103WUITZee e7Sbg12UgcQ5lv7SzsFNBFk3nEQQCACCuTjCjFOUdi5Nm244F+78kLghRcin/awv+IrTcIWF hUpSs1Y91iQQ7KItirz5uwCPlwejSJDQJLIS+QtJHaXDXeV6NI0Uef1hP20+y8qydDiVkv6l IreXjTb7DvksRgJNvCkWtYnlS3mYvQ9NzS9PhyALWbXnH6sIJd2O9lKS1Mrfq+y0IXCP10eS FFGg+Av3IQeFatkJAyju0PPthyTqxSI4lZYuJVPknzgaeuJv/2NccrPvmeDg6Coe7ZIeQ8Yj t0ARxu2xytAkkLCel1Lz1WLmwLstV30g80nkgZf/wr+/BXJW/oIvRlonUkxv+IbBM3dX2OV8 AmRv1ySWPTP7AAMFB/9PQK/VtlNUJvg8GXj9ootzrteGfVZVVT4XBJkfwBcpC/XcPzldjv+3 HYudvpdNK3lLujXeA5fLOH+Z/G9WBc5pFVSMocI71I8bT8lIAzreg0WvkWg5V2WZsUMlnDL9 mpwIGFhlbM3gfDMs7MPMu8YQRFVdUvtSpaAs8OFfGQ0ia3LGZcjA6Ik2+xcqscEJzNH+qh8V m5jjp28yZgaqTaRbg3M/+MTbMpicpZuqF4rnB0AQD12/3BNWDR6bmh+EkYSMcEIpQmBM51qM EKYTQGybRCjpnKHGOxG0rfFY1085mBDZCH5Kx0cl0HVJuQKC+dV2ZY5AqjcKwAxpE75MLFkr wkkEGBECAAkFAlk3nEQCGwwACgkQoDSui/t3IH7nnwCfcJWUDUFKdCsBH/E5d+0ZnMQi+G0A nAuWpQkjM1ASeQwSHEeAWPgskBQL
  • Cc: Stefano Stabellini <sstabellini@xxxxxxxxxx>, consulting@xxxxxxxxxxx, Julien Grall <julien@xxxxxxx>, Bertrand Marquis <bertrand.marquis@xxxxxxx>, Michal Orzel <michal.orzel@xxxxxxx>, Volodymyr Babchuk <Volodymyr_Babchuk@xxxxxxxx>, Andrew Cooper <andrew.cooper3@xxxxxxxxxx>, Roger Pau Monné <roger.pau@xxxxxxxxxx>, xen-devel@xxxxxxxxxxxxxxxxxxxx
  • Delivery-date: Mon, 16 Dec 2024 07:26:38 +0000
  • List-id: Xen developer discussion <xen-devel.lists.xenproject.org>
On 13.12.2024 15:02, Alessandro Zucchelli wrote:
> On 2024-12-13 11:08, Jan Beulich wrote:
>> On 13.12.2024 01:53, Stefano Stabellini wrote:
>>> On Thu, 12 Dec 2024, Jan Beulich wrote:
>>>> On 12.12.2024 03:27, Stefano Stabellini wrote:
>>>>> On Wed, 11 Dec 2024, Jan Beulich wrote:
>>>>>> On 11.12.2024 12:02, Alessandro Zucchelli wrote:
>>>>>>> Rule 11.1 states as following: "Conversions shall not be performed
>>>>>>> between a pointer to a function and any other type".
>>>>>>>
>>>>>>> Functions "__machine_restart" and "__machine_halt" in 
>>>>>>> "x86/shutdown.c"
>>>>>>> and "halt_this_cpu" in "arm/shutdown.c" are defined as noreturn
>>>>>>> functions and subsequently passed as parameters to function calls.
>>>>>>> This violates the rule in Clang, where the "noreturn" attribute is
>>>>>>> considered part of the function"s type.
>>>>>>
>>>>>> I'm unaware of build issues with Clang, hence can you clarify how 
>>>>>> Clang's
>>>>>> view comes into play here? In principle various attributes ought to 
>>>>>> be
>>>>>> part of a function's type; iirc that's also the case for gcc. Yet 
>>>>>> how
>>>>>> that matters to Eclair is still entirely unclear to me.
>>>>>>
>>>>>>> By removing the "noreturn"
>>>>>>> attribbute and replacing it with uses of the ASSERT_UNREACHABLE 
>>>>>>> macro,
>>>>>>> these violations are addressed.
>>>>>>
>>>>>> Papered over, I'd say. What about release builds, for example?
>>>>>>
>>>>>> Deleting the attribute also has a clear downside 
>>>>>> documentation-wise. If
>>>>>> we really mean to remove them from what the compiler gets to see, I 
>>>>>> think
>>>>>> we ought to still retain them in commented-out shape.
>>>>>
>>>>> Another option would be to #define noreturn to nothing for ECLAIR 
>>>>> builds ?
>>>>
>>>> That again would feel like papering over things. Plus I don't know if 
>>>> that's
>>>> an option at all.
>>>
>>> What is "papering over" and what is a "nice solution" is often up to 
>>> the
>>> personal opinions.
>>>
>>> From my point of view, Alessandro's patch doesn't make the code worse.
>>> The ASSERT_UNREACHABLE solution is OK. I do agree with you that it
>>> should not be required for us to remove "noreturn", but I don't think 
>>> we
>>> have used it consistently anyway across the Xen codebase.
>>> ASSERT_UNREACHABLE is also a form of documentation that the function
>>> does not return.
>>>
>>> In conclusion, I think all three options are acceptable:
>>> 1) this patch as is
>>> 2) this patch plus /* noreturn */ as a comment
>>> 3) #define noreturn to nothing just for ECLAIR builds
>>>
>>> I don't mind either way, maybe option 2) is the best compromise.
>>
>> The variant with least impact on what we currently have (generated code
>> wise) is 3), though, which hence would be my preference (well, not 
>> exactly
>> a preference, but the least bad one).
> 
> Another option could be to encapsulate these function pointer casts as 
> follows:
> #define REMOVE_NORETURN(x) (void(*)(void*))(x)
> This approach allows us to retain the noreturn attribute and the 
> associated optimizations;
> note that the encapsulating macro will need to be deviated then.

And then have one such macro for every attribute that may need zapping?
What if there are multiple? Any macro may do, yet which one to use would
be unclear. What if only some attributes need zapping, and some need
retaining?

Jan

 

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.

Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.