[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [PATCH] x86: remove memcmp calls non-compliant with Rule 21.16.


  • To: Jan Beulich <jbeulich@xxxxxxxx>
  • From: Nicola Vetrini <nicola.vetrini@xxxxxxxxxxx>
  • Date: Fri, 06 Jun 2025 09:32:52 +0200
  • Arc-authentication-results: i=1; bugseng.com; arc=none smtp.remote-ip=162.55.131.47
  • Arc-message-signature: i=1; d=bugseng.com; s=openarc; a=rsa-sha256; c=relaxed/relaxed; t=1749195172; h=DKIM-Signature:MIME-Version:Date:From:To:Cc:Subject:In-Reply-To: References:Message-ID:X-Sender:Organization:Content-Type: Content-Transfer-Encoding; bh=HgPNedsYlwbOc7cUQmy6ljCINsFGRyE9RhUOFRSvwDE=; b=rayagchkWZa5wJp/ziT8Wd069P2HYSBQdZzEUwyzUDmHcYLvne/jYeXUE4SepzCzzQlC /g2WH5KDgCTiuXUkpXajOa108jQ0Q/CDwKRfxXsn/BIotPEazE5cV4JIA/BsffWcSKNzT 14//7y2IzyafGMNPUJyKMxRotxjp8TgPkwP6SoVG4AAnsAYN/q2CVkGO3me3TpoDMeHsQ Q9Ms6sKlkgLSbcqaTZphB5NMYg/sANp9k9cvpqCbsJeyaeoyS0pUOb4iEo7mgslnXZOuL HV3f49izBXYcRlivPGUFW00TWQssMiEyp1VqkIdIfyqNzimwQMwLGUaEQq6K319Cs132n DBIrLSZrpLkPVU2aDJt+NNX/wezL5yahKOHuyFK1HVKFT4Z91NP7R0M/8tLyvObse+oaM rlTeDXFZFTx0/Qf3gwAw+l1EkrPrf6c4hJfqiJXOxtFYVmYrXXXOLMxieNXeUu7MClGW1 e0HFTXRZgOs1smRY3vyzNoIPa9OciDuQhw6Jx67t92IvhdkuIdNpqv1rxXu4NHncLvVTs TjCqqRBU7BD0t1A7A0Ci/RJkQKxO3wsg+BWwLccjAr8ZkyL0ihOQWmrMxwGOUot2xrovo LRwDK0J4o9nO5JTYtcY3UUpGNM0zoNAkAVIKCX8oFoAWd5H1qp6Jki+5sgwyJcQ=
  • Arc-seal: i=1; d=bugseng.com; s=openarc; a=rsa-sha256; cv=none; t=1749195172; b=OjcHRYvUB2s1PuOMSOma4wzlzxwgkam1pXi3/uhpybt/wG3KIU6cWC9Ey0blJYeJ4zw3 HtZk72AzWvsBozyrkHO8aN8fkb4d3GY5xCrEeAK+omqu2/5tc8qgc/G+lW/EDhlcVCD8D ZO6NoconcRMJNDO/vnhy8IIsBAXw2fDqn7H2MwgRFTdGt6zRxrL7hRXa0xX0wS7lVMD+U qOpHS2gfikqm9y69+puBT5Hl4Deo9BcVz5SFA1EqTe5eJqDt79pfFn3Nl6lItEtwlglKM qtvGIJP2hpwrYjL8bKV5e+LAUw5n9o4RUdP7dGJVuHlL2oSBexxtIV32nnE6WsMZ5H9wq ct8l23CADPQT82WoJLa6T6kg3e4zCEZULfbZoMbj7KeBGS41drnTJhDvClfgppJW1OL/5 gmB/jzVaKOz8/x4nG2JpAOm1FlGiRCUck7585Bh7AcJCoOqfALiYbF/bUvQcoDIPxnNmW k29ThVtDDj8V2A8mfWED5QItZbcI6nWlDUQGzu4zLPUfBCO7dsH9hZUJ+12REwYL3xOv9 lTTbsDTbRM3oCB2DXqAKonsMsMYeqpoi1DgpoP3PeKCnuj1PHOPhcn3dawRVjz0dYkAtQ F1j6XlwvyFcr/UhtCscDDvA9tUWYbK2FVAhhtFmvmdLQC8VL9jv3ZHxXyR/GIRw=
  • Authentication-results: bugseng.com; arc=none smtp.remote-ip=162.55.131.47
  • Cc: Stefano Stabellini <sstabellini@xxxxxxxxxx>, Stefano Stabellini <stefano.stabellini@xxxxxxx>, Andrew Cooper <andrew.cooper3@xxxxxxxxxx>, Roger Pau Monné <roger.pau@xxxxxxxxxx>, Alessandro Zucchelli <alessandro.zucchelli@xxxxxxxxxxx>, xen-devel@xxxxxxxxxxxxxxxxxxxx, federico.serafini@xxxxxxxxxxx
  • Delivery-date: Fri, 06 Jun 2025 07:33:01 +0000
  • List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

On 2025-06-06 09:26, Jan Beulich wrote:
On 06.06.2025 09:12, Nicola Vetrini wrote:
On 2025-06-06 01:39, Stefano Stabellini wrote:
On Thu, 5 Jun 2025, Jan Beulich wrote:
On 05.06.2025 01:35, Stefano Stabellini wrote:
From: Alessandro Zucchelli <alessandro.zucchelli@xxxxxxxxxxx>

MISRA C Rule 21.16 states the following: "The pointer arguments to
the Standard Library function `memcmp' shall point to either a pointer
type, an essentially signed type, an essentially unsigned type, an
essentially Boolean type or an essentially enum type".

Comparing string literals with char arrays is more appropriately
done via strncmp.

More appropriately - maybe. Yet less efficiently. IOW I view ...

No functional change.

... this as at the edge of not being true.


Then our views of what constitutes a functional change clearly differ.
If you are concerned about performance the patch may be dropped, but
then does it make sense to apply the rule at all? An alternative
suggestion might be that of deviating the rule for memcmp applied to
string literals in either the first or second argument, or both).

FTAOD (since Stefano also said it like this) - it's not just "string
literal". The additional requirement is that the last argument passed
must equal sizeof(<string literal>) for the comparison to work
correctly.

Jan


That is due to another (mandatory) rule to prevent UB: Rule 21.18 "The size_t argument passed to any function in <string.h> shall have an appropriate value", which is also true for memcmp

Signed-off-by: Alessandro Zucchelli <alessandro.zucchelli@xxxxxxxxxxx>

Missing your own S-o-b.

Also (nit) may I ask that you drop the full stop from the patch
subject?

I'll add the S-o-B and fix the subject


--- a/xen/arch/x86/dmi_scan.c
+++ b/xen/arch/x86/dmi_scan.c
@@ -233,7 +233,7 @@ void __init dmi_efi_get_table(const void *smbios, const void *smbios3)
        const struct smbios_eps *eps = smbios;
        const struct smbios3_eps *eps3 = smbios3;

-       if (eps3 && memcmp(eps3->anchor, "_SM3_", 5) == 0 &&
+       if (eps3 && strncmp(eps3->anchor, "_SM3_", 5) == 0 &&

Unlike the last example given in the doc, this does not pose the risk
of
false "not equal" returns. Considering there's no example there
exactly
matching this situation, I'm not convinced a change is actually
needed.
(Applies to all other changes here, too.)

If we consider string literals "pointer types", then I think you are
right that this would fall under what is permitted by 21.16. Nicola,
what do you think?


While I agree that the result of the comparison is correct either way in
these cases, the rule is written to be simple to apply (i.e., not
limited only to those cases that may differ), and in particular in the
rationale it is indicated that using memcmp to compare string *may*
indicate a mistake. As written above, deviating the string literal
comparisons is an option, which can be justified with efficiency
concerns, but it goes a bit against the rationale of the rule itself.


@@ -302,7 +302,7 @@ const char *__init dmi_get_table(paddr_t *base, u32 *len)
                                continue;
                        memcpy_fromio(&eps.dmi + 1, q + sizeof(eps.dmi),
                                      sizeof(eps.smbios3) - sizeof(eps.dmi));
-                       if (!memcmp(eps.smbios3.anchor, "_SM3_", 5) &&
+                       if (strncmp(eps.smbios3.anchor, "_SM3_", 5) == 0 &&

Here and below there's a further (style) change, moving from ! to "==
0"
(or from implicit boolean to "!= 0"). As we use the original style in
many
other places, some justification for this extra change would be needed
in
the description (or these extra adjustments be dropped).

The adjustments can be dropped


@@ -720,10 +720,10 @@ static void __init efi_check_config(void)
        __set_fixmap(FIX_EFI_MPF, PFN_DOWN(efi.mps), __PAGE_HYPERVISOR);
        mpf = fix_to_virt(FIX_EFI_MPF) + ((long)efi.mps & (PAGE_SIZE-1));

-       if (memcmp(mpf->mpf_signature, "_MP_", 4) == 0 &&
-           mpf->mpf_length == 1 &&
-           mpf_checksum((void *)mpf, 16) &&
- (mpf->mpf_specification == 1 || mpf->mpf_specification == 4)) {
+       if (strncmp(mpf->mpf_signature, "_MP_", 4) == 0 &&
+            mpf->mpf_length == 1 &&
+            mpf_checksum((void *)mpf, 16) &&
+ (mpf->mpf_specification == 1 || mpf->mpf_specification == 4)) {
                smp_found_config = true;
                printk(KERN_INFO "SMP MP-table at %08lx\n", efi.mps);
                mpf_found = mpf;

There are extra (indentation) changes here which ought to be dropped.

Yes


--
Nicola Vetrini, B.Sc.
Software Engineer
BUGSENG (https://bugseng.com)
LinkedIn: https://www.linkedin.com/in/nicola-vetrini-a42471253



 


Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.