
[PATCH] automation/eclair: deviate intentionally unreachable code


  • To: "xen-devel@xxxxxxxxxxxxxxxxxxxx" <xen-devel@xxxxxxxxxxxxxxxxxxxx>
  • From: Dmytro Prokopchuk1 <dmytro_prokopchuk1@xxxxxxxx>
  • Date: Wed, 30 Jul 2025 14:06:40 +0000
  • Cc: Nicola Vetrini <nicola.vetrini@xxxxxxxxxxx>, Doug Goldstein <cardoe@xxxxxxxxxx>, Stefano Stabellini <sstabellini@xxxxxxxxxx>, Andrew Cooper <andrew.cooper3@xxxxxxxxxx>, Anthony PERARD <anthony.perard@xxxxxxxxxx>, Michal Orzel <michal.orzel@xxxxxxx>, Jan Beulich <jbeulich@xxxxxxxx>, Julien Grall <julien@xxxxxxx>, Roger Pau Monné <roger.pau@xxxxxxxxxx>, Dmytro Prokopchuk1 <dmytro_prokopchuk1@xxxxxxxx>
  • Delivery-date: Wed, 30 Jul 2025 14:06:55 +0000
  • List-id: Xen developer discussion <xen-devel.lists.xenproject.org>
  • Thread-topic: [PATCH] automation/eclair: deviate intentionally unreachable code

From: Nicola Vetrini <nicola.vetrini@xxxxxxxxxxx>

MISRA C Rule 2.1 states: "A project shall not contain unreachable code".
Functions that are non-returning and are not explicitly annotated with
the `noreturn' attribute are considered a violation of this rule.

In certain cases, some functions might be non-returning in debug build
configuration (when `NDEBUG' is not defined), due to calls to
`__builtin_unreachable' in the expansion of the macro `ASSERT_UNREACHABLE()'.

Conversely, in non-debug (release) builds (when `NDEBUG' is defined),
the macro `ASSERT_UNREACHABLE()' expands to an empty construct
(`do { } while (0)'), which does not affect the execution flow.
This allows such functions to return normally in release builds,
avoiding unreachable code.

To account for that in debug builds, the `noreturn' property of
`__builtin_unreachable' is overridden in the ECLAIR configuration
to deviate these violations.

Signed-off-by: Nicola Vetrini <nicola.vetrini@xxxxxxxxxxx>
Signed-off-by: Dmytro Prokopchuk <dmytro_prokopchuk1@xxxxxxxx>
---
Test CI pipeline:
https://gitlab.com/xen-project/people/dimaprkp4k/xen/-/pipelines/1957211653
---
 automation/eclair_analysis/ECLAIR/deviations.ecl | 5 +++++
 docs/misra/deviations.rst                        | 8 ++++++++
 docs/misra/rules.rst                             | 9 +++++++++
 3 files changed, 22 insertions(+)

diff --git a/automation/eclair_analysis/ECLAIR/deviations.ecl 
b/automation/eclair_analysis/ECLAIR/deviations.ecl
index 483507e7b9..8a05e17dac 100644
--- a/automation/eclair_analysis/ECLAIR/deviations.ecl
+++ b/automation/eclair_analysis/ECLAIR/deviations.ecl
@@ -36,6 +36,11 @@ not executable, and therefore it is safe for them to be 
unreachable."
 -config=MC3A2.R2.1,reports+={deliberate, 
"any_area(any_loc(file(C_runtime_failures)))"}
 -doc_end
 
+-doc_begin="Calls to function `__builtin_unreachable' in the expansion of macro
+`ASSERT_UNREACHABLE()' are not considered to have the `noreturn' property."
+-call_properties+={"name(__builtin_unreachable)&&stmt(begin(any_exp(macro(name(ASSERT_UNREACHABLE)))))",
 {"noreturn(false)"}}
+-doc_end
+
 -doc_begin="Proving compliance with respect to Rule 2.2 is generally 
impossible:
 see https://arxiv.org/abs/2212.13933 for details. Moreover, peer review gives 
us
 confidence that no evidence of errors in the program's logic has been missed 
due
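Review bot: the patch as posted is line-wrapped by the mail client and will not apply with `git am`: the `diff --git a/... b/...` header is split over two lines, the `@@ -36,6 +36,11 @@` context is broken after "safe for them to be", and the added `-call_properties+=...` line is cut so that its continuation, `{"noreturn(false)"}}`, appears as an unprefixed context line (the hunk header's five added lines only add up if that continuation belongs to the `+` line above it). Please resend with `git send-email` or a mailer configured not to wrap. On the content, the `-doc_begin` text would serve future readers better if it also stated why the override is acceptable, namely that `ASSERT_UNREACHABLE()' only expands to `__builtin_unreachable' when `NDEBUG' is undefined, so the affected functions return normally in release builds, as the commit message and the deviations.rst entry already say.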
diff --git a/docs/misra/deviations.rst b/docs/misra/deviations.rst
index e78179fcb8..fba75be2ee 100644
--- a/docs/misra/deviations.rst
+++ b/docs/misra/deviations.rst
@@ -86,6 +86,14 @@ Deviations related to MISRA C:2012 Rules:
        generate definitions for asm modules.
      - Tagged as `deliberate` for ECLAIR.
 
+   * - R2.1
+     - Calls to the `__builtin_unreachable` function inside the expansion of
+       the `ASSERT_UNREACHABLE()` macro may cause a function to be marked as
+       non-returning. Since this only happens in debug configurations,
+       the `noreturn` property for `__builtin_unreachable` is overridden in
+       these contexts, resulting in the absence of reports that do not have
+       an impact on safety, despite being true positives.
+
    * - R2.2
      - Proving compliance with respect to Rule 2.2 is generally impossible:
        see `<https://arxiv.org/abs/2212.13933>`_ for details. Moreover, peer
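Review bot: the last sentence of the new R2.1 entry, "resulting in the absence of reports that do not have an impact on safety, despite being true positives", is hard to parse; consider "the resulting findings are true positives, but have no impact on safety and are therefore not reported". The neighbouring entries (for example the one ending "Tagged as `deliberate` for ECLAIR." just above) also tell the reader how the deviation is realised in ECLAIR; this one is realised as a `call_properties` override that suppresses the report entirely rather than tagging it, so a closing line such as "Implemented as a property override in ECLAIR; no report is generated." would keep the table consistent and stop readers looking for a `deliberate` tag.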
diff --git a/docs/misra/rules.rst b/docs/misra/rules.rst
index 3e014a6298..74badcb616 100644
--- a/docs/misra/rules.rst
+++ b/docs/misra/rules.rst
@@ -124,6 +124,15 @@ maintainers if you want to suggest a change.
            they are used to generate definitions for asm modules
          - Declarations without initializer are safe, as they are not
            executed
+         - Functions that are noreturn due to calls to `ASSERT_UNREACHABLE`
+           macro in debug build configurations are not reported as violations::
+
+              static inline bool
+              arch_vcpu_ioreq_completion(enum vio_completion completion)
+              {
+                  ASSERT_UNREACHABLE();
+                  return false;
+              }
 
    * - `Rule 2.6 
<https://gitlab.com/MISRA/MISRA-C/MISRA-C-2012/Example-Suite/-/blob/master/R_02_06.c>`_
      - Advisory
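Review bot: the new bullet reads "due to calls to `ASSERT_UNREACHABLE` macro"; make it "due to calls to the `ASSERT_UNREACHABLE()` macro". More importantly, the bullet gives only the debug-build half of the argument: it says these functions are noreturn in debug configurations but not that in release builds (`NDEBUG` defined) the macro expands to an empty statement and the function returns normally, which is what makes the `return false;` in the example legitimate rather than dead code. A half-sentence to that effect after "debug build configurations" would let the rules.rst entry stand on its own without consulting deviations.rst or the commit message.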
-- 
2.43.0
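As an added illustration of the mechanism the commit message describes (written for this archive page; it is not part of the patch and not Xen's own code), the following shows the two expansions of a stand-in `ASSERT_UNREACHABLE()` macro beside a function shaped like the one quoted in `docs/misra/rules.rst`. Xen's real macro definition is not reproduced, and the build selector is a constructed `DEMO_DEBUG` macro rather than `NDEBUG` so that enabling it does not also switch off the `<assert.h>` checks used to exercise the example; the `demo_assert_failed` helper and the `demo_*` function names are hypothetical.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/*
 * Constructed stand-in for Xen's ASSERT_UNREACHABLE(). Xen selects the
 * expansion with NDEBUG; this demo uses DEMO_DEBUG instead so that
 * defining it does not disable the <assert.h> assertions as well.
 */
#ifdef DEMO_DEBUG
/*
 * Debug-style expansion: report the location, then tell the compiler that
 * control never reaches the following statement. Every path through a
 * function that ends in this macro is therefore non-returning, which is
 * what a static analyser picks up as a MISRA C Rule 2.1 finding against
 * the statements that follow the macro.
 */
static void __attribute__((noreturn))
demo_assert_failed(const char *file, int line)
{
    fprintf(stderr, "%s:%d: unreachable code reached\n", file, line);
    abort();
}
#define ASSERT_UNREACHABLE() \
    do { demo_assert_failed(__FILE__, __LINE__); __builtin_unreachable(); } while (0)
#else
/*
 * Release-style expansion: an empty statement, so the code after the
 * macro stays reachable and the function returns normally.
 */
#define ASSERT_UNREACHABLE() do { } while (0)
#endif

/*
 * Same shape as the function quoted in rules.rst: a hook that this build
 * should never call, with a defensive return value after the assertion so
 * that release builds still have a defined result.
 */
static inline bool demo_ioreq_completion(int completion)
{
    (void)completion;
    ASSERT_UNREACHABLE();
    return false;
}

/*
 * Returns 1 when demo_ioreq_completion() actually returned its defensive
 * value, i.e. the macro expanded to the empty statement (release-style
 * configuration). Under DEMO_DEBUG this call never returns.
 */
int demo_release_path_returns(void)
{
    bool result = demo_ioreq_completion(0);
    return result == false;
}

int main(void)
{
#ifdef DEMO_DEBUG
    puts("DEMO_DEBUG set: ASSERT_UNREACHABLE() aborts; the call below does not return");
#else
    puts("DEMO_DEBUG unset: ASSERT_UNREACHABLE() is empty; the function returns normally");
#endif
    printf("demo_ioreq_completion(0) returned %d\n", demo_ioreq_completion(0));
    return 0;
}
```

Compiling without `-DDEMO_DEBUG` gives the release behaviour, where the `return false;` after the macro is ordinary reachable code; compiling with `-DDEMO_DEBUG` gives the debug behaviour in which the `noreturn` helper plus `__builtin_unreachable()` makes the compiler (and an analyser) treat everything after the macro as unreachable, which is precisely the finding the ECLAIR override in the patch deviates.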