From: Jan Beulich <jbeulich@suse.com>
To: Dmytro Prokopchuk1 <dmytro_prokopchuk1@epam.com>
Cc: "Nicola Vetrini" <nicola.vetrini@bugseng.com>,
"Doug Goldstein" <cardoe@cardoe.com>,
"Stefano Stabellini" <sstabellini@kernel.org>,
"Andrew Cooper" <andrew.cooper3@citrix.com>,
"Anthony PERARD" <anthony.perard@vates.tech>,
"Michal Orzel" <michal.orzel@amd.com>,
"Julien Grall" <julien@xen.org>,
"Roger Pau Monné" <roger.pau@citrix.com>,
"Daniel P. Smith" <dpsmith@apertussolutions.com>,
"Marek Marczykowski-Górecki" <marmarek@invisiblethingslab.com>,
"Dario Faggioli" <dfaggioli@suse.com>,
"Juergen Gross" <jgross@suse.com>,
"George Dunlap" <gwd@xenproject.org>,
"xen-devel@lists.xenproject.org" <xen-devel@lists.xenproject.org>
Subject: Re: [PATCH] misra: address MISRA C Rule 18.3 compliance
Date: Wed, 23 Jul 2025 15:58:24 +0200 [thread overview]
Message-ID: <6c7341a2-fd49-40de-8ad3-e7980d4e9e42@suse.com> (raw)
In-Reply-To: <c9fb095c43edfedfd6174284bac404ec9ae5523d.1753263957.git.dmytro_prokopchuk1@epam.com>
On 23.07.2025 12:12, Dmytro Prokopchuk1 wrote:
> --- a/automation/eclair_analysis/ECLAIR/deviations.ecl
> +++ b/automation/eclair_analysis/ECLAIR/deviations.ecl
> @@ -568,6 +568,14 @@ C99 Undefined Behaviour 45: Pointers that do not point into, or just beyond, the
> -config=MC3A2.R18.2,reports+={safe, "any_area(any_loc(any_exp(macro(^page_to_mfn$))))"}
> -doc_end
>
> +-doc_begin="Consider relational pointer comparisons in kernel-related sections as safe and compliant."
> +-config=MC3R1.R18.3,reports+={safe, "any_area(any_loc(any_exp(macro(name(is_kernel||is_kernel_text||is_kernel_rodata||is_kernel_inittext)))))"}
> +-doc_end
> +
> +-doc_begin="Allow deviations for pointer comparisons in BUG_ON and ASSERT macros, treating them as safe for debugging and validation."
> +-config=MC3R1.R18.3,reports+={safe, "any_area(any_loc(any_exp(macro(name(BUG_ON||ASSERT)))))"}
> +-doc_end
Nit: Drop "deviations for" from the verbal description?
> --- a/xen/arch/x86/efi/efi-boot.h
> +++ b/xen/arch/x86/efi/efi-boot.h
> @@ -461,7 +461,8 @@ static void __init efi_arch_edd(void)
> params->device_path_info_length =
> sizeof(struct edd_device_params) -
> offsetof(struct edd_device_params, key);
> - for ( p = (const u8 *)¶ms->key; p < ¶ms->checksum; ++p )
> + for ( p = (const u8 *)¶ms->key;
> + (uintptr_t)p < (uintptr_t)¶ms->checksum; ++p )
There mere addition of such casts makes code more fragile imo. What about the
alternative of using != instead of < here? I certainly prefer < in such situations,
but functionally != ought to be equivalent (and less constrained by C and Misra).
As mentioned several times when discussing these rules, it's also not easy to see
how "pointers of different objects" could be involved here: It's all within
*params, isn't it?
Finally, when touching such code it would be nice if u<N> was converted to
uint<N>_t.
> --- a/xen/common/sched/core.c
> +++ b/xen/common/sched/core.c
> @@ -360,7 +360,7 @@ static always_inline void sched_spin_lock_double(
> {
> *flags = _spin_lock_irqsave(lock1);
> }
> - else if ( lock1 < lock2 )
> + else if ( (uintptr_t)lock1 < (uintptr_t)lock2 )
Similarly, no matter what C or Misra may have to say here, imo such casts are
simply dangerous. Especially when open-coded.
> --- a/xen/common/virtual_region.c
> +++ b/xen/common/virtual_region.c
> @@ -83,8 +83,8 @@ const struct virtual_region *find_text_region(unsigned long addr)
> rcu_read_lock(&rcu_virtual_region_lock);
> list_for_each_entry_rcu ( iter, &virtual_region_list, list )
> {
> - if ( (void *)addr >= iter->text_start &&
> - (void *)addr < iter->text_end )
> + if ( addr >= (unsigned long)iter->text_start &&
> + addr < (unsigned long)iter->text_end )
Considering further casts to unsigned long of the same struct fields, was it
considered to alter the type of the struct fields instead?
Jan
next prev parent reply other threads:[~2025-07-23 13:58 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-07-23 10:12 [PATCH] misra: address MISRA C Rule 18.3 compliance Dmytro Prokopchuk1
2025-07-23 13:58 ` Jan Beulich [this message]
2025-07-25 21:34 ` Dmytro Prokopchuk1
2025-07-28 8:06 ` Jan Beulich
2025-07-28 16:07 ` Dmytro Prokopchuk1
2025-07-29 22:09 ` Stefano Stabellini
2025-08-20 9:18 ` Dmytro Prokopchuk1
2025-08-20 9:25 ` Juergen Gross
2025-07-24 7:30 ` Nicola Vetrini
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=6c7341a2-fd49-40de-8ad3-e7980d4e9e42@suse.com \
--to=jbeulich@suse.com \
--cc=andrew.cooper3@citrix.com \
--cc=anthony.perard@vates.tech \
--cc=cardoe@cardoe.com \
--cc=dfaggioli@suse.com \
--cc=dmytro_prokopchuk1@epam.com \
--cc=dpsmith@apertussolutions.com \
--cc=gwd@xenproject.org \
--cc=jgross@suse.com \
--cc=julien@xen.org \
--cc=marmarek@invisiblethingslab.com \
--cc=michal.orzel@amd.com \
--cc=nicola.vetrini@bugseng.com \
--cc=roger.pau@citrix.com \
--cc=sstabellini@kernel.org \
--cc=xen-devel@lists.xenproject.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.