[Top] [All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: struct mctelem_cookie missing definition

  • To: Stefano Stabellini <sstabellini@xxxxxxxxxx>
  • From: Nicola Vetrini <nicola.vetrini@xxxxxxxxxxx>
  • Date: Sat, 15 Feb 2025 09:59:03 +0100
  • Arc-authentication-results: i=1; bugseng.com; arc=none smtp.remote-ip=162.55.131.47
  • Arc-message-signature: i=1; d=bugseng.com; s=openarc; a=rsa-sha256; c=relaxed/relaxed; t=1739609943; h=DKIM-Signature:MIME-Version:Date:From:To:Cc:Subject:In-Reply-To: References:Message-ID:X-Sender:Organization:Content-Type: Content-Transfer-Encoding; bh=lkY8kyDQzyQeMpy3rpBkmNJE+hjbxpHlAu41cDMfb68=; b=LW+wRkWVV6Eg7GImfRHP0EVNhIZ0Et/7r2HfEfiG8OIf84ZDydraulW9ReKQNIZCP7El RJYW2qoRN0Kn4030oIkbSwQMHNaRwwG5i6K26+I9mnEZX2cjVgL/mGofz6yRPmqOlzUM+ jwwf5FdAn/n84FuSrKILEjJBksY270uxhZ0k7/fxAJKOKPWaIIeBnLIFhZdKoqYzuRpmf yXeowjDxspP8GKU8KmKFt/bX8tCE50b9PnAKPf+aq/HE0PkEr2p5Q0/rpfuhwtGOUX8mg dI8uefEIjK0Bh7GGY0wdp7n62wLRFDhSnR8Hmq8FAYEMer0kncm3shtTLC+lQOgsiLBQB 4+9cP/t0pWGhang1aHbtLyE5I5JFE8OlbIfTMh8NC7xNDfBowT+H1iFZgcORzrlZKIeC3 iGR7ea92O/j0lEVpANIrBhNitYO+UGMb+xetrx5bBRFQhfmsTSQLHT3hLThvmJ9Lr/oW1 hfa51RC40DKDtVr3IU/GExanWnK3A6ATDjdT9EYFyXzcKt+k664aJkY/kzaftw12Fi8br p/S6sZ3OlPBo19jzCJk2+NiXUYQTBhc7K4mU72ehdia+OYdzOE23a5387aILm0MEvpJ2h Zjwy1H9oJ62H10qcxzugdEPslELx7FnhdavudvtWP53OUI8OKpwuG5LUdECrads=
  • Arc-seal: i=1; d=bugseng.com; s=openarc; a=rsa-sha256; cv=none; t=1739609943; b=Y0i6CLCunPXEOwEW+Trs0zDsLnUH90Hml09Vye0P6yh0fLViPtqq1in5HkCCZPIzErzb 55ZNz0X3TU0q7zs8vw2/okxTI3aozt+0x62FM3ZsHxweY4LReDwCIwSaIQbETZmhp8tq+ 5eZF9Yio8yoXPwmPiR4rkmU5XZyDeOuMKcOz4PfUaHGDjTSN8AdIzo2C17vHWo7HsHLDQ FrsaGrreBFXOOHMk26BCep/CMIn2LrTP3Hgz+GMeEsdTiAH+AQKvzkBvqrZ9VlWrM3Fvb zfg7ovzgVZQcc18PSb0OvhVyNFNJuc5S6r9OH1O/kdwZCWltza4OrozezVor+n2fmPlbA jNpSLQCgPub6DS4KiPwv1kpBJIdnMiOdnKqf/W5piH7C8lEbh8EYXFC6qC4g2I3oIN0pe H4SqM2BDONO93iALACtlw+Jna0s03YSPkF5j+LfinhLNAyXiKw/dGxWs1LTuYr/4tmmEf TrSu32NzBMw7H1TJn3mzScuFUzpBvBvue5v/TD9/OH6m1jUhJDFfQ7CoEy4Z7behMf1iB oacUT8Ub+m/U8erGHYWCmCBXBcFHq6ojmZCDAqCqeo+HC5q+5s9MzKCvShIddfaYvwEV/ Cp3ynCcsf+HyQPCB7nEUav+BFU0ys/8X+JZifgmfirYhGR60PkM5nbrohpxvQ4I=
  • Authentication-results: bugseng.com; arc=none smtp.remote-ip=162.55.131.47
  • Cc: Jan Beulich <jbeulich@xxxxxxxx>, Andrew Cooper <andrew.cooper3@xxxxxxxxxx>, xen-devel@xxxxxxxxxxxxxxxxxxxx, Roger Pau Monné <roger.pau@xxxxxxxxxx>
  • Delivery-date: Sat, 15 Feb 2025 08:59:31 +0000
  • List-id: Xen developer discussion <xen-devel.lists.xenproject.org>
On 2025-02-15 00:04, Stefano Stabellini wrote:

On Fri, 14 Feb 2025, Jan Beulich wrote:

> Would deviating macros "COOKIE2MCTE" and "MCTE2COOKIE" work?
If it did, COOKIE2ID and ID2COOKIE would likely need including as well. 

I wrote this patch. Nicola, can you please check the changes to
deviations.ecl, this is the first time I try to write the deviation
myself :-)

---
misra: add 11.2 deviation for incomplete types

struct mctelem_cookie* is used exactly because it is an incomplete type
so the pointer cannot be dereferenced. This is deliberate. So add a
deviation for it.
In deviations.ecl, add the list of macros that do the conversions to and 
from struct mctelem_cookie*.

Signed-off-by: Stefano Stabellini <stefano.stabellini@xxxxxxx>
diff --git a/automation/eclair_analysis/ECLAIR/deviations.ecl b/automation/eclair_analysis/ECLAIR/deviations.ecl 
index a28eb0ae76..87bfd2160c 100644
--- a/automation/eclair_analysis/ECLAIR/deviations.ecl
+++ b/automation/eclair_analysis/ECLAIR/deviations.ecl
@@ -366,6 +366,14 @@ constant expressions are required.\""
 }
 -doc_end
+-doc_begin="Certain pointers point to incomplete types purposely so that they are impossible to dereference." +-config=MC3A2.R11.2,reports+={deliberate, "any_area(any_loc(any_exp(macro(^COOKIE2MCTE$))))"} +-config=MC3A2.R11.2,reports+={deliberate, "any_area(any_loc(any_exp(macro(^MCTE2COOKIE$))))"} +-config=MC3A2.R11.2,reports+={deliberate, "any_area(any_loc(any_exp(macro(^COOKIE2ID$))))"} +-config=MC3A2.R11.2,reports+={deliberate, "any_area(any_loc(any_exp(macro(^ID2COOKIE$))))"} 
+}
-config=MC3A2.R11.2,reports+={deliberate, "any_area(any_loc(any_exp(macro(name(COOKIE2MCTE||MCTE2COOKIE||COOKIE2ID||ID2COOKIE)))))"} 

Note however that there is also this deviation in place
-doc_begin="The conversion from a pointer to an incomplete type to unsigned long does not lose any information, provided that the target type has enough bits to store it." 
-config=MC3A2.R11.2,casts+={safe,
  "from(type(any()))
   &&to(type(canonical(builtin(unsigned long))))
   &&relation(definitely_preserves_value)"
}
-doc_end
I was a bit confused by Jan's remark, which seemed correct, but I couldn't see any violations in the report, so I dug a bit deeper. ID2COOKIE and COOKIE2ID, which operate to/from unsigned long are already excluded due to being safe. If you envision those macros to be used with other types, then your deviation should mention them, otherwise they are already handled. 


+-doc_end
+
-doc_begin="Conversions to object pointers that have a pointee type with a smaller (i.e., less strict) alignment requirement are safe." 
 -config=MC3A2.R11.3,casts+={safe,
   "!relation(more_aligned_pointee)"
diff --git a/docs/misra/deviations.rst b/docs/misra/deviations.rst
index fe0b1e10a2..f3004d6023 100644
--- a/docs/misra/deviations.rst
+++ b/docs/misra/deviations.rst
@@ -324,6 +324,12 @@ Deviations related to MISRA C:2012 Rules:
        semantics that do not lead to unexpected behaviour.
      - Tagged as `safe` for ECLAIR.

+   * - R11.2
+ - Certain pointers point to incomplete types purposely so that they 
+       are impossible to dereference.
+     - Tagged as `deliberate` for ECLAIR. Such pointer is struct
+       mctelem_cookie \*.
+
I think here (or above in the deviation text) the concern raised by the rationale of the rule should be addressed; namely, the rule states: "Conversions shall not be performed between a pointer to an incomplete type and any other type" because the resulting pointer might be misaligned, therefore there should be an argument as to why such thing is not possible. 


    * - R11.2
- The conversion from a pointer to an incomplete type to unsigned long does not lose any information, provided that the target type has enough 

Thanks,
 Nicola

--
Nicola Vetrini, B.Sc.
Software Engineer
BUGSENG (https://bugseng.com)
LinkedIn: https://www.linkedin.com/in/nicola-vetrini-a42471253

 

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.

Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.