[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [PATCH] misra: deviate explicit cast for Rule 11.1


  • To: Dmytro Prokopchuk1 <dmytro_prokopchuk1@xxxxxxxx>
  • From: Nicola Vetrini <nicola.vetrini@xxxxxxxxxxx>
  • Date: Mon, 28 Jul 2025 21:17:03 +0200
  • Arc-authentication-results: i=1; bugseng.com; arc=none smtp.remote-ip=162.55.131.47
  • Arc-message-signature: i=1; d=bugseng.com; s=openarc; a=rsa-sha256; c=relaxed/relaxed; t=1753730223; h=DKIM-Signature:MIME-Version:Date:From:To:Cc:Subject:In-Reply-To: References:Message-ID:X-Sender:Organization:Content-Type: Content-Transfer-Encoding; bh=Ft3jutpObgrGvToJX4AsCETiWBHjNg9rGG95Yvcz4rQ=; b=AEl+GVPFT7nq39oaPr0E6dhb1uWvkFKJI01cagcqLvO58tLHG0EjqHXJbv+IrhknbrfA NzMcLn8SMavV2j3Jc9Bhhl7zsiyNjt6oTLVLC8C9Mtfsoj568wBfEdwSKKNw16+jbGz9q 2Oo8D8jCtzs2KE2HmRPcqfwfXxYErB6U5msh5I5cij/QlGGDBwrnBrNduzV/A2v+tarx5 Fq7fowGlOxoqti4T8JKioaHvr+yOWZ6E+57FUKG3P9JDzvhlYWWFyUJi4DMO4H9s4BU1s EM4NkHkU6sWV5yWhuLsx6k09ohmuA9itTBTq4H9HP9uVfP8xpixpIdvXwfOD2rvj5QF7/ aQzII5n3E2l0l/gv9p7qbdXVCfl0hHlsT/DBezYoC88QjkJt7JIeSFBuio5J9RCgOFHNy GQ94vMQQUszAAAEtWRy9dmOI76uGdl2tgtC5DaEvpwfO2zUiThWiDe+LnOh1gPbL5Pf0c iQgybj91Iautdg+CdJn6pr5s6VO0RRMSEHelviN+0LxSUZ5O7VVlW0Cxk4p0c5FwjRZTy Xb7HxlLWzeMZAardPIp7DpaeOejtOqyR8fCF1ynuccKs8fMEQZWR5oPSmcWjrS8+o9iiW MP/UEcpmVLjDSnvYT01NrOaBovYNW/Fe1SUa2qqe3UrKLkjBAdpmQaN+jHD+p5o=
  • Arc-seal: i=1; d=bugseng.com; s=openarc; a=rsa-sha256; cv=none; t=1753730223; b=UNlA7xqCRK0ZhrAkv9jZEllWy49++lX6wKn0Lp2QFA+05HOjvksFXnTXLaoBZzZIdOar L2B6TcmiG+cPT6FTGZWu1EJ7D5zaFthRuBuOYeEfkT0aO04aFf5xr0LBGXdxtAwdvl3LB QDgUFI1jQ+CH5dyUhHlFXsO1tTzHmdgBxDuqQukkeqBlwb3cpUn/hsGKSspLo1tgi27gC X8z2dfgf9chmzPzMwmB2yQ2bAFs96OKjkzuIGgWEwGE4M8g9AjKcoEKUhOXs26fMUguqN dZ4y2G5NkbPdUp5HvO6fBbVOu9zMo7AMZHIKTjhB0YQlWy9W7NAHke92iaDzME2H9+iPK ZJIHsy80Fk9YALhNDRgBH/LPHZWCjWCozTTrPIxrhVPLxIQbfNEwAV5WXdR2j4g7MlXiw ZASLmA+IZffzyjeOQx4dvwIYfS4cRLmimLIqH2wSyutKZzjm/5WEkchSDYdF3YWPxd3DU U9bhYXpdS/Kxu2q9VLaORy1gihtupC5TKpFouGfHSd0zf+2CQzIme7CAvc8mWvvvhmUYh tiOlNGbikVNso+l3P6Bv/r6bjDed+8/qcuIWb5u+eeTFQSPb5k5ksvyK2j/gqE+o2ZUO3 DBFESoDlFMsLVdOY3wiBpaPO9vSR2E+G+IK8eUiPnF6c1fpCukRQ3au7DTUBYqc=
  • Authentication-results: bugseng.com; arc=none smtp.remote-ip=162.55.131.47
  • Cc: Jan Beulich <jbeulich@xxxxxxxx>, consulting@xxxxxxxxxxx, Anthony PERARD <anthony.perard@xxxxxxxxxx>, Michal Orzel <michal.orzel@xxxxxxx>, Julien Grall <julien@xxxxxxx>, Roger Pau Monné <roger.pau@xxxxxxxxxx>, Stefano Stabellini <sstabellini@xxxxxxxxxx>, Bertrand Marquis <bertrand.marquis@xxxxxxx>, Volodymyr Babchuk <Volodymyr_Babchuk@xxxxxxxx>, xen-devel@xxxxxxxxxxxxxxxxxxxx, Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
  • Delivery-date: Mon, 28 Jul 2025 19:17:16 +0000
  • List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

On 2025-07-28 20:58, Dmytro Prokopchuk1 wrote:
On 7/28/25 21:03, Dmytro Prokopchuk wrote:


On 7/28/25 20:43, Nicola Vetrini wrote:
On 2025-07-28 12:49, Andrew Cooper wrote:
On 28/07/2025 10:56 am, Jan Beulich wrote:
On 27.07.2025 22:27, Dmytro Prokopchuk1 wrote:
Explicitly cast 'halt_this_cpu' when passing it
to 'smp_call_function' to match the required
function pointer type '(void (*)(void *info))'.

Document and justify a MISRA C R11.1 deviation
(explicit cast).

Signed-off-by: Dmytro Prokopchuk <dmytro_prokopchuk1@xxxxxxxx>
All you talk about is the rule that you violate by adding a cast.
But what is
the problem you're actually trying to resolve by adding a cast?

--- a/xen/arch/arm/shutdown.c
+++ b/xen/arch/arm/shutdown.c
@@ -25,7 +25,8 @@ void machine_halt(void)
     watchdog_disable();
     console_start_sync();
     local_irq_enable();
-    smp_call_function(halt_this_cpu, NULL, 0);
+    /* SAF-15-safe */
+    smp_call_function((void (*)(void *))halt_this_cpu, NULL, 0);
Now this is the kind of cast that is very dangerous. The function's
signature
changing will go entirely unnoticed (by the compiler) with such a
cast in place.

I agree.  This code is *far* safer in practice without the cast, than
with it.

If Misra / Eclair are unhappy about such an extra (benign here)
attribute, I'd
be interested to know what their suggestion is to deal with the
situation
without making the code worse (as in: more risky). I first thought
about having
a new helper function that then simply chains to halt_this_cpu(),
yet that
would result in a function which can't return, but has no noreturn
attribute.

I guess that Eclair cannot know what an arbitrary attribute does and
whether it impacts the ABI, but it would be lovely if Eclair could be
told "noreturn is a safe attribute to differ on"?


I'm convinced it can do that. Perhaps something like

-config=MC3A2.R11.1,casts+={safe,
"kind(bitcast)&&to(type(pointer(inner(return(builtin(void))&&all_param(1, pointer(builtin(void)))))))&&from(expr(skip(!syntactic(), ref(property(noreturn)))))"}

which is a mess but decodes to that, more or less.

I haven't tested it yet, though, but on a toy example [1] it works.

[1]
void __attribute__((noreturn)) f(void *p) {
   __builtin_abort();
}

void g(int x, void (*fp)(void *p)) {
   if (x < 3) {
     f((void*)x);
   }
}

int main(int argc, char **argv) {
   g(argc, f);
   return 0;
}

Thanks, Nicola.
I will check this.

Dmytro.
It works.
The violation "non-compliant cast: implicit cast from `void(*)(void*)'
to `void(*)(void*)'" is gone.


Great. Now what would be really useful is a way to abstract this more nicely (I was able to write this only by looking at the AST). However noreturn is probably about the only attribute that has a repercussion on the decl and is safe to cast away, unless I'm mistaken.

Thanks,
 Nicola

--
Nicola Vetrini, B.Sc.
Software Engineer
BUGSENG (https://bugseng.com)
LinkedIn: https://www.linkedin.com/in/nicola-vetrini-a42471253



 


Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.