Xen project Mailing List

Re: struct mctelem_cookie missing definition

To: Stefano Stabellini <sstabellini@xxxxxxxxxx>

From: Stefano Stabellini <sstabellini@xxxxxxxxxx>

Date: Thu, 13 Feb 2025 19:00:46 -0800 (PST)

Cc: Jan Beulich <jbeulich@xxxxxxxx>, Andrew Cooper <andrew.cooper3@xxxxxxxxxx>, xen-devel@xxxxxxxxxxxxxxxxxxxx, Roger Pau Monné <roger.pau@xxxxxxxxxx>, nicola.vetrini@xxxxxxxxxxx

Delivery-date: Fri, 14 Feb 2025 03:01:12 +0000

List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

On Thu, 13 Feb 2025, Stefano Stabellini wrote: > > > diff --git a/xen/arch/x86/cpu/mcheck/mctelem.h > > > b/xen/arch/x86/cpu/mcheck/mctelem.h > > > index f4c5ff848d..2ccd490e5d 100644 > > > --- a/xen/arch/x86/cpu/mcheck/mctelem.h > > > +++ b/xen/arch/x86/cpu/mcheck/mctelem.h > > > @@ -52,7 +52,7 @@ > > > * the element from the processing list. > > > */ > > > > > > -typedef struct mctelem_cookie *mctelem_cookie_t; > > > +typedef uint64_t *mctelem_cookie_t; > > > > Yet that makes it possible to de-reference the pointer. Which, as Andrew > > explained, is intended to be impossible. If this could be properly > > replaced (not exactly what Andrew indicated by "file it in /dev/null"), > > fine. Truly purging the code (i.e. as Andrew suggests) may still be an > > option, with appropriate justification. But simply adjusting the type > > and then moving on is too little, imo. Even if you used void * (to make > > de-referencing impossible) I'd view it as largely papering over an issue; > > then converting to other pointers (without explicit cast, and hence > > without making apparent the badness of doing so) would become possible. > > What about converting to uintptr_t (not a pointer)? > > > In general, there are quite a few MISRA rules that we could mark as > blocking (clean) in our GitLab scan with just a few code changes like > this one. My goal is to make these rules blocking as soon as possible. > If I can improve the code in the process, that is even better, but it is > not mandatory. And I would rather spend one more hour marking a second > rule as blocking instead. > > What I mean is that I believe it would be acceptable to make some > compromises and accept non-perfect changes to the code if it helps us > enforce more rules as blocking in GitLab CI. After briefly speaking with Andrew about this, and re-reading Jan's email above, I think it is best to resolve this as a deviation. Would this deviation work for you? Please suggest a better wording if you prefer. Nicola, in reality I think it would be better to use deviations.rst because the SAF comment below would need to be replicated at every call side, if I am not mistaken. diff --git a/docs/misra/safe.json b/docs/misra/safe.json index b8a4f878ea..d9fbe959d1 100644 --- a/docs/misra/safe.json +++ b/docs/misra/safe.json @@ -92,6 +92,14 @@ }, { "id": "SAF-11-safe", + "analyser": { + "eclair": "MC3A2.R11.2" + }, + "name": "Rule 11.2: purposely impossible to dereference", + "text": "Certain pointers points to incomplete types purposely so that they are impossible to dereference." + }, + { + "id": "SAF-12-safe", "analyser": {}, "name": "Sentinel", "text": "Next ID to be used" diff --git a/xen/arch/x86/cpu/mcheck/mctelem.h b/xen/arch/x86/cpu/mcheck/mctelem.h index f4c5ff848d..e845360c7d 100644 --- a/xen/arch/x86/cpu/mcheck/mctelem.h +++ b/xen/arch/x86/cpu/mcheck/mctelem.h @@ -52,6 +52,7 @@ * the element from the processing list. */ +/* SAF-11-safe: impossible to dereference */ typedef struct mctelem_cookie *mctelem_cookie_t; typedef enum mctelem_class {

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.