All of lore.kernel.org
 help / color / mirror / Atom feed
From: Nicola Vetrini <nicola.vetrini@bugseng.com>
To: Jan Beulich <jbeulich@suse.com>
Cc: "Dmytro Prokopchuk1" <dmytro_prokopchuk1@epam.com>,
	"Doug Goldstein" <cardoe@cardoe.com>,
	"Stefano Stabellini" <sstabellini@kernel.org>,
	"Andrew Cooper" <andrew.cooper3@citrix.com>,
	"Anthony PERARD" <anthony.perard@vates.tech>,
	"Michal Orzel" <michal.orzel@amd.com>,
	"Julien Grall" <julien@xen.org>,
	"Roger Pau Monné" <roger.pau@citrix.com>,
	xen-devel@lists.xenproject.org
Subject: Re: [PATCH] misra: consider conversion from UL or (void*) to function pointer as safe
Date: Thu, 21 Aug 2025 10:25:34 +0200	[thread overview]
Message-ID: <e1e2abdf0ef8708097aa78440eeb7147@bugseng.com> (raw)
In-Reply-To: <90fb95a3-4b32-4785-a77c-373e5b9da6ed@suse.com>

On 2025-08-21 10:01, Jan Beulich wrote:
> On 19.08.2025 20:55, Dmytro Prokopchuk1 wrote:
>> Rule 11.1 states as following: "Conversions shall not be performed
>> between a pointer to a function and any other type."
>> 
>> The conversion from unsigned long or (void *) to a function pointer
>> is safe in Xen because the architectures it supports (e.g., x86 and
>> ARM) guarantee compatible representations between these types.
> 
> I think we need to be as precise as possible here. The architectures
> guarantee nothing, they only offer necessary fundamentals. In the
> Windows x86 ABI, for example, you can't convert pointers to/from longs
> without losing data. What we build upon is what respective ABIs say,
> possibly in combination of implementation specifics left to compilers.
> 

+1, a mention of the compilers and targets this deviation relies upon is 
needed.

>> --- a/docs/misra/deviations.rst
>> +++ b/docs/misra/deviations.rst
>> @@ -370,6 +370,16 @@ Deviations related to MISRA C:2012 Rules:
>>         to store it.
>>       - Tagged as `safe` for ECLAIR.
>> 
>> +   * - R11.1
>> +     - The conversion from unsigned long or (void \*) to a function 
>> pointer does
>> +       not lose any information or violate type safety assumptions if 
>> unsigned
>> +       long or (void \*) type is guaranteed to be the same bit size 
>> as a
>> +       function pointer. This ensures that the function pointer can 
>> be fully
>> +       represented without truncation or corruption. The macro 
>> BUILD_BUG_ON is
>> +       integrated into xen/common/version.c to confirm conversion 
>> compatibility
>> +       across all target platforms.
>> +     - Tagged as `safe` for ECLAIR.
> 
> Why the escaping of * here, when ...
> 
>> --- a/docs/misra/rules.rst
>> +++ b/docs/misra/rules.rst
>> @@ -431,7 +431,13 @@ maintainers if you want to suggest a change.
>>       - All conversions to integer types are permitted if the 
>> destination
>>         type has enough bits to hold the entire value. Conversions to 
>> bool
>>         and void* are permitted. Conversions from 'void noreturn 
>> (*)(...)'
>> -       to 'void (*)(...)' are permitted.
>> +       to 'void (*)(...)' are permitted. Conversions from unsigned 
>> long or
>> +       (void \*) to a function pointer are permitted if the source 
>> type has
>> +       enough bits to restore function pointer without truncation or 
>> corruption.
>> +       Example::
>> +
>> +           unsigned long func_addr = (unsigned long)&some_function;
>> +           void (*restored_func)(void) = (void (*)(void))func_addr;
> 
> ... context here suggests they work fine un-escaped, and you even add 
> some un-
> escaped instances as well. Perhaps I'm simply unaware of some 
> peculiarity?
> 

This is a literal rst block, while the other is not (* acts as a bullet 
point in rst iirc)

> Jan

-- 
Nicola Vetrini, B.Sc.
Software Engineer
BUGSENG (https://bugseng.com)
LinkedIn: https://www.linkedin.com/in/nicola-vetrini-a42471253


  reply	other threads:[~2025-08-21  8:25 UTC|newest]

Thread overview: 10+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2025-08-19 18:55 [PATCH] misra: consider conversion from UL or (void*) to function pointer as safe Dmytro Prokopchuk1
2025-08-21  8:01 ` Jan Beulich
2025-08-21  8:25   ` Nicola Vetrini [this message]
2025-08-21  8:43     ` Jan Beulich
2025-08-22 16:34     ` Dmytro Prokopchuk1
2025-08-25  8:39       ` Jan Beulich
2025-08-25 12:53       ` Nicola Vetrini
2025-08-25 13:08         ` Nicola Vetrini
2025-08-28 15:54           ` Dmytro Prokopchuk1
2025-08-29  5:43             ` Nicola Vetrini

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=e1e2abdf0ef8708097aa78440eeb7147@bugseng.com \
    --to=nicola.vetrini@bugseng.com \
    --cc=andrew.cooper3@citrix.com \
    --cc=anthony.perard@vates.tech \
    --cc=cardoe@cardoe.com \
    --cc=dmytro_prokopchuk1@epam.com \
    --cc=jbeulich@suse.com \
    --cc=julien@xen.org \
    --cc=michal.orzel@amd.com \
    --cc=roger.pau@citrix.com \
    --cc=sstabellini@kernel.org \
    --cc=xen-devel@lists.xenproject.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.