[Top] [All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [PATCH 1/3] xen/keyhandler: add missing noreturn attribute

  • To: Jan Beulich <jbeulich@xxxxxxxx>
  • From: Nicola Vetrini <nicola.vetrini@xxxxxxxxxxx>
  • Date: Thu, 05 Jun 2025 14:26:33 +0200
  • Arc-authentication-results: i=1; bugseng.com; arc=none smtp.remote-ip=162.55.131.47
  • Arc-message-signature: i=1; d=bugseng.com; s=openarc; a=rsa-sha256; c=relaxed/relaxed; t=1749126393; h=DKIM-Signature:MIME-Version:Date:From:To:Cc:Subject:In-Reply-To: References:Message-ID:X-Sender:Organization:Content-Type: Content-Transfer-Encoding; bh=w/F7qlGB2xLSbeYS44ytj6NIbBauJeItuiKWuUtsa20=; b=I9lJhWJpeBEXjOjeX1QJltfQgf1gde3AkUMjAnyxjdTVH5kCZftkYfXQ4BCFMk8LGik2 PlAVCtcGdPqicAJAAiJ5+ZKjHxv/4hSBwytsyOHMS//fudj3k3U59qdt6fYeVDkI6G0VY y/OLNVx410sYsB0IbK8+f5g707DyGmPNx6wN7nTzpbMJXUVYVs7iytUvuDjAeEa6YUZzi x1NevW6Q4WsuSlEwPq5EZlAry9ao6Q57fOcVTW6WJ4a7nMT8aMs1Hd2Ncb2QlfeBOAaFp ywIc+dl0cj5bEvd5qOW7wIrmYIC5XBr/qb8Et37QbSYSmy01hiMsHwoV8a7aRMQO9boO+ 2xBWxduayDFop9DmPGCToJsJK2jCUah2u+XFrK9Z4c9o8hGA0kAtQfUwo9ZFlEZjARzIl W/AobolllF2gfuREAPOdToHXPhKXBJY3C3FPFA4Wr96xl19NfNzhjRYxTG546BqkglIHT YNcRaHP1gzAAJAzRaBmtFkBOanKGsKxvW/XqLNc7OQSWR8CeJ9HS1IdU4FUTJs6nT/S+r 0DLPZfQr33HP4rS/W5N1BmBJSRAXGMOVU3cfem2tS/3soB22Mx+zouMYTxeuVbQ+GjJPE YfPhhgF/z42ZLyuf1Iw+SYnh/yS/Qx6Iesg8/Z8MmcQ/wdsdN46fZX5FpRTQCY8=
  • Arc-seal: i=1; d=bugseng.com; s=openarc; a=rsa-sha256; cv=none; t=1749126393; b=FrhzzpKN32qEut3nuWE7oxDBe8gLbAeKtAq85VTDAZKA5Qk9FeuYUh5av/j0SkIT8c3p zshRYP3Wr81z0LcUtwj5QuFkLk4OLfviGPUAglNg8bWzNMLl7vZfaWWz9e7XqlxZgJTld 5dnwiSTOldxZbewyroakzTjs/H+NPyYTUcg4OY0JRdwsIiBi9X6RW53L8X38zTZtRh8Bb n0siBqYfrL2vNqVtfWHWYVUapktSzbi6Buw7z425yCdqatD+V23e9U9+oI7RJ/l4HeWXf D+xPFL9KT6fKQQAJ5pckIZFbygRXiSD4QPET0Ea+tPBezCsfjo+3921o1+NU6ilVLJ5Tx zksR+ot4AkWY1UgFgAGNJ0RFUJm3JAxMpWecna6D/qLJ83+FVufdBGaHsBMX6GRdoY3RG 9atdHEUpYLQrCTagCCrvVUTfSHNKCQtJxOMQ/cd03sE/Iw0LXW9m/3K2Ljh2+i9Bzx5GH F0ewYJ6EWuN9D32J1OTUhf7YtXsVJ9vZd07QyJWZpKx4KORwota11cbbgTHuqXlcpZQHj ImKGCwOhmieRDxrio77a7xBOAUHorfJfznG7lcmPQyu2C7LCMgA87AYti/XN3Gy6Ag85K hhabuqteNIWBPbuVICIg/Ofy0zRDEhkbGBQRdUHXvvVIq8Ynrxc0AsRbwDJmFFc=
  • Authentication-results: bugseng.com; arc=none smtp.remote-ip=162.55.131.47
  • Cc: victorm.lira@xxxxxxx, Andrew Cooper <andrew.cooper3@xxxxxxxxxx>, Anthony PERARD <anthony.perard@xxxxxxxxxx>, Michal Orzel <michal.orzel@xxxxxxx>, Julien Grall <julien@xxxxxxx>, Roger Pau Monné <roger.pau@xxxxxxxxxx>, Stefano Stabellini <sstabellini@xxxxxxxxxx>, Federico Serafini <federico.serafini@xxxxxxxxxxx>, Bertrand Marquis <bertrand.marquis@xxxxxxx>, xen-devel@xxxxxxxxxxxxxxxxxxxx
  • Delivery-date: Thu, 05 Jun 2025 12:26:43 +0000
  • List-id: Xen developer discussion <xen-devel.lists.xenproject.org>
On 2025-06-05 14:22, Nicola Vetrini wrote:

On 2025-06-05 09:17, Jan Beulich wrote:

On 05.06.2025 01:49, victorm.lira@xxxxxxx wrote:

From: Nicola Vetrini <nicola.vetrini@xxxxxxxxxxx>
Function `reboot_machine' does not return, but lacks the `noreturn' attribute, therefore causing a violation of MISRA C Rule 2.1: "A project shall not contain 
unreachable code".


Is this (uniformly) true? Looking at ...


--- a/xen/common/keyhandler.c
+++ b/xen/common/keyhandler.c
@@ -251,7 +251,7 @@ static void cf_check dump_hwdom_registers(unsigned char key) 
     }
 }

-static void cf_check reboot_machine(unsigned char key, bool unused)
+static void noreturn cf_check reboot_machine(unsigned char key, bool unused) 
 {
     printk("'%c' pressed -> rebooting machine\n", key);
     machine_restart(0);
... generated code here, I can see that the compiler is perfectly able to 
leverage the noreturn that machine_restart() has, resulting in no
unreachable code to be generated. That is - neither in source nor in
binary there is any unreachable code. Therefore I'm having a hard time
seeing what the violation is here.
That said, I certainly don't mind the addition of the (seemingly) missing attribute. Otoh I wonder whether an attribute the removal of which has no effect wouldn't count as "dead code" or alike, violating some other rule.
Inlining does not play a role in this case. Here reboot_machine() is marked as a violation because machine_restart() is noreturn and there is no other path upon which reboot_machine() may return, hence any function calling reboot_machine() could have portions that are inadvertently unreachable (as in never executed due to divergence) by not having the annotation. That said, in such trivial cases compilers are typically able to derive the property automatically, but they are not obliged to and, more importantly, the behavior may even differ with the same compiler using different optimization levels.
Just a note: in later revisions of MISRA C this has become a rule of its own [1], which helps reduce confusion, but up to MISRA C:2012 Amendment 2 (currently used by Xen), this is part of Rule 2.1.
[1] Rule 17.11: "A function that never returns should be declared with a _Noreturn function specifier" 

--
Nicola Vetrini, B.Sc.
Software Engineer
BUGSENG (https://bugseng.com)
LinkedIn: https://www.linkedin.com/in/nicola-vetrini-a42471253

 

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.

Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.