
[PATCH v3] misra: deviate intentionally unreachable code


  • To: "xen-devel@xxxxxxxxxxxxxxxxxxxx" <xen-devel@xxxxxxxxxxxxxxxxxxxx>
  • From: Dmytro Prokopchuk1 <dmytro_prokopchuk1@xxxxxxxx>
  • Date: Thu, 31 Jul 2025 15:58:35 +0000
  • Accept-language: en-US, uk-UA, ru-RU
  • Cc: Nicola Vetrini <nicola.vetrini@xxxxxxxxxxx>, Doug Goldstein <cardoe@xxxxxxxxxx>, Stefano Stabellini <sstabellini@xxxxxxxxxx>, Andrew Cooper <andrew.cooper3@xxxxxxxxxx>, Anthony PERARD <anthony.perard@xxxxxxxxxx>, Michal Orzel <michal.orzel@xxxxxxx>, Jan Beulich <jbeulich@xxxxxxxx>, Julien Grall <julien@xxxxxxx>, Roger Pau Monné <roger.pau@xxxxxxxxxx>, Dmytro Prokopchuk1 <dmytro_prokopchuk1@xxxxxxxx>
  • Delivery-date: Thu, 31 Jul 2025 15:58:45 +0000
  • List-id: Xen developer discussion <xen-devel.lists.xenproject.org>
  • Thread-topic: [PATCH v3] misra: deviate intentionally unreachable code

From: Nicola Vetrini <nicola.vetrini@xxxxxxxxxxx>

MISRA C Rule 2.1 states: "A project shall not contain unreachable code".
Functions that are non-returning and are not explicitly annotated with
the `noreturn' attribute are considered a violation of this rule.

In certain cases, some functions might be non-returning in specific build
configurations (when assertions are enabled, i.e., when `NDEBUG' is not
defined). This is due to calls to `__builtin_unreachable()' in the
expansion of the macro `ASSERT_UNREACHABLE()'.

Conversely, in builds where `NDEBUG' is defined (assertions are disabled),
the macro `ASSERT_UNREACHABLE()' expands to an empty construct
(`do { } while (0)'), which does not affect the execution flow. This allows
such functions to return normally in such builds, avoiding unreachable code.

To account for that in specific builds, the `noreturn` property of
`__builtin_unreachable()` is overridden in the ECLAIR configuration to
deviate these violations.

Signed-off-by: Nicola Vetrini <nicola.vetrini@xxxxxxxxxxx>
Signed-off-by: Dmytro Prokopchuk <dmytro_prokopchuk1@xxxxxxxx>
---
Changes in v3:
- in subject "automation/eclair" replaced with "misra" (to fit in 50 chars)
- fixed formatting (aligned length chars per line)
- "deemed as" replaced with "considered"

Link to v2:
https://patchew.org/Xen/6e47d071ffdb236642c1e9a70118a86d41487aa0.1753909082.git.dmytro._5Fprokopchuk1@xxxxxxxx/
---
 automation/eclair_analysis/ECLAIR/deviations.ecl |  5 +++++
 docs/misra/deviations.rst                        | 11 +++++++++++
 docs/misra/rules.rst                             |  9 +++++++++
 3 files changed, 25 insertions(+)

diff --git a/automation/eclair_analysis/ECLAIR/deviations.ecl 
b/automation/eclair_analysis/ECLAIR/deviations.ecl
index 483507e7b9..ceecd0093b 100644
--- a/automation/eclair_analysis/ECLAIR/deviations.ecl
+++ b/automation/eclair_analysis/ECLAIR/deviations.ecl
@@ -36,6 +36,11 @@ not executable, and therefore it is safe for them to be 
unreachable."
 -config=MC3A2.R2.1,reports+={deliberate, 
"any_area(any_loc(file(C_runtime_failures)))"}
 -doc_end
 
+-doc_begin="Calls to function `__builtin_unreachable()' in the expansion of 
macro
+`ASSERT_UNREACHABLE()' are not considered to have the `noreturn' property."
+-call_properties+={"name(__builtin_unreachable)&&stmt(begin(any_exp(macro(name(ASSERT_UNREACHABLE)))))",
 {"noreturn(false)"}}
+-doc_end
+
 -doc_begin="Proving compliance with respect to Rule 2.2 is generally 
impossible:
 see https://arxiv.org/abs/2212.13933 for details. Moreover, peer review gives 
us
 confidence that no evidence of errors in the program's logic has been missed 
due
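Review bot: the `-call_properties+=` entry has been split across two lines by the mail client, and the continuation `{"noreturn(false)"}}` carries a leading space instead of a `+`, so this hunk will not apply with `git am`; the same wrapping hits the `-doc_begin=` line ("... in the expansion of" / "macro"). Please resend with line wrapping disabled (git send-email, or a plain-text mode that does not wrap), or break the ECL lines yourself so none exceeds the mailer's limit. The selector itself reads correctly: `name(__builtin_unreachable)` is restricted to statements originating from an expansion of the `ASSERT_UNREACHABLE` macro, so `__builtin_unreachable()` calls elsewhere keep their noreturn property.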
diff --git a/docs/misra/deviations.rst b/docs/misra/deviations.rst
index e78179fcb8..af7a17f96c 100644
--- a/docs/misra/deviations.rst
+++ b/docs/misra/deviations.rst
@@ -86,6 +86,17 @@ Deviations related to MISRA C:2012 Rules:
        generate definitions for asm modules.
      - Tagged as `deliberate` for ECLAIR.
 
+   * - R2.1
+     - Calls to the `__builtin_unreachable()` function inside the expansion of
+       the `ASSERT_UNREACHABLE()` macro may cause a function to be marked as
+       non-returning. This behavior occurs only in configurations where
+       assertions are enabled. To address this, the `noreturn` property for
+       `__builtin_unreachable()` is overridden in these contexts, resulting in
+       the absence of reports that do not have an impact on safety, despite
+       being true positives.
+       Xen expects developers to ensure code remains safe and reliable in 
builds,
+       even when debug-only assertions like `ASSERT_UNREACHABLE() are removed.
+
    * - R2.2
      - Proving compliance with respect to Rule 2.2 is generally impossible:
        see `<https://arxiv.org/abs/2212.13933>`_ for details. Moreover, peer
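Review bot: the closing backtick after `ASSERT_UNREACHABLE()` is missing in the last added sentence (`` `ASSERT_UNREACHABLE() are removed. ``), which leaves an unterminated interpreted-text span that docutils will warn about; add the closing backtick. The phrase "resulting in the absence of reports that do not have an impact on safety, despite being true positives" is hard to parse; consider "so that these reports, which are true positives but have no impact on safety, are not emitted". The line "Xen expects developers to ensure code remains safe and reliable in builds," has also been wrapped by the mailer, so this hunk needs resending as well.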
diff --git a/docs/misra/rules.rst b/docs/misra/rules.rst
index 3e014a6298..d9fd92160b 100644
--- a/docs/misra/rules.rst
+++ b/docs/misra/rules.rst
@@ -124,6 +124,15 @@ maintainers if you want to suggest a change.
            they are used to generate definitions for asm modules
          - Declarations without initializer are safe, as they are not
            executed
+         - Functions that are no-return due to calls to the 
`ASSERT_UNREACHABLE()'
+           macro in debug build configurations are not considered violations::
+
+              static inline bool
+              arch_vcpu_ioreq_completion(enum vio_completion completion)
+              {
+                  ASSERT_UNREACHABLE();
+                  return false;
+              }
 
    * - `Rule 2.6 
<https://gitlab.com/MISRA/MISRA-C/MISRA-C-2012/Example-Suite/-/blob/master/R_02_06.c>`_
      - Advisory
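Review bot: the new bullet quotes the macro as `` `ASSERT_UNREACHABLE()' `` (opening backtick, closing apostrophe, the commit-message convention), whereas the deviations.rst hunk of this same patch uses paired backticks; in RST an unmatched opening backtick yields a "start-string without end-string" warning, so write `` `ASSERT_UNREACHABLE()` `` here to match. As in the other hunks, the bullet text ("due to calls to the" / "`ASSERT_UNREACHABLE()'") has been wrapped onto two lines by the mailer and will not apply as posted.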
-- 
2.43.0
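As an added illustration, not part of this patch or of Xen's own headers, the following C models the two expansions the commit message describes and shows why the statement after the macro is dead only in assertion-enabled builds, while in NDEBUG builds it is live and must be a safe fallback. The macro names, the enum values and the function names are constructed for the example.

```c
#include <stdbool.h>

/* Constructed stand-ins for the two expansions the commit message describes
 * (modelled on, not copied from, Xen's ASSERT_UNREACHABLE()): with assertions
 * enabled the macro ends in __builtin_unreachable(); with NDEBUG it is empty. */
#define ASSERT_UNREACHABLE_DEBUG()   do { __builtin_unreachable(); } while (0)
#define ASSERT_UNREACHABLE_RELEASE() do { } while (0)

/* Hypothetical enum, named after the one in the patch's rules.rst example. */
enum vio_completion { VIO_no_completion, VIO_mmio_completion, VIO_pio_completion };

/* Debug-build view: the compiler sees __builtin_unreachable() before the final
 * return, so control can never reach `return false;` and a MISRA C Rule 2.1
 * checker reports it as unreachable. Calling this variant with a value outside
 * the enum is undefined behaviour, so it must never be called that way. */
static bool completion_needs_vcpu_debug(enum vio_completion c)
{
    switch ( c )
    {
    case VIO_mmio_completion:
    case VIO_pio_completion:
        return true;
    case VIO_no_completion:
        return false;
    }
    ASSERT_UNREACHABLE_DEBUG();
    return false;   /* dead in this build; the patch deviates that report */
}

/* Release-build view (NDEBUG): the macro expands to nothing, so the same
 * `return false;` is live and must be a safe fallback, which is what the new
 * deviations.rst text asks developers to guarantee. */
static bool completion_needs_vcpu_release(enum vio_completion c)
{
    switch ( c )
    {
    case VIO_mmio_completion:
    case VIO_pio_completion:
        return true;
    case VIO_no_completion:
        return false;
    }
    ASSERT_UNREACHABLE_RELEASE();
    return false;   /* reachable: conservative answer for a stray value */
}
```

Only the release variant may be exercised with an out-of-range value; for in-range values both variants behave identically.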