From: Andrew Cooper <andrew.cooper3@citrix.com>
To: Xen-devel <xen-devel@lists.xen.org>
Cc: George Dunlap <george.dunlap@eu.citrix.com>,
Andrew Cooper <andrew.cooper3@citrix.com>,
Tim Deegan <tim@xen.org>, Jan Beulich <JBeulich@suse.com>,
Tamas K Lengyel <tamas.lengyel@zentific.com>
Subject: [PATCH v2 2/2] x86/mm: Annotate gfn_get_* helpers as requiring non-NULL parameters
Date: Mon, 1 Aug 2016 17:59:36 +0100
Message-ID: <1470070776-19018-1-git-send-email-andrew.cooper3@citrix.com>
In-Reply-To: <721651f7-8dc1-5c7d-5f26-11902905e2e2@citrix.com>
Introduce and use the nonnull attribute to help the compiler catch NULL
parameters being passed to functions which require their parameters not to be
NULL. Experimentally, GCC 4.9 on Debian Jessie only warns of non-NULL-ness
from immediate callers, so propagate the attributes out to all helpers.

A sample error looks like:

    mem_sharing.c: In function ‘mem_sharing_nominate_page’:
    mem_sharing.c:884:13: error: null argument where non-null required (argument 3) [-Werror=nonnull]
    amfn = get_gfn_type_access(ap2m, gfn, NULL, &ap2ma, 0, NULL);
    ^

As part of this, replace the get_gfn_type_access() macro with an equivalent
static inline function for extra type safety, and the ability to be annotated.

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
---
CC: Jan Beulich <JBeulich@suse.com>
CC: Tim Deegan <tim@xen.org>
CC: George Dunlap <george.dunlap@eu.citrix.com>
CC: Tamas K Lengyel <tamas.lengyel@zentific.com>
v2:
* s/nonnull/__nonnull__/
* Tolerate the p2m parameter being NULL
---
xen/include/asm-x86/p2m.h | 19 +++++++++++--------
xen/include/xen/compiler.h | 1 +
2 files changed, 12 insertions(+), 8 deletions(-)
diff --git a/xen/include/asm-x86/p2m.h b/xen/include/asm-x86/p2m.h
index 194020e..035ca92 100644
--- a/xen/include/asm-x86/p2m.h
+++ b/xen/include/asm-x86/p2m.h
@@ -380,9 +380,9 @@ void p2m_unlock_and_tlb_flush(struct p2m_domain *p2m);
* After calling any of the variants below, caller needs to use
* put_gfn. ****/
-mfn_t __get_gfn_type_access(struct p2m_domain *p2m, unsigned long gfn,
- p2m_type_t *t, p2m_access_t *a, p2m_query_t q,
- unsigned int *page_order, bool_t locked);
+mfn_t __nonnull(3, 4) __get_gfn_type_access(
+ struct p2m_domain *p2m, unsigned long gfn, p2m_type_t *t,
+ p2m_access_t *a, p2m_query_t q, unsigned int *page_order, bool_t locked);
/* Read a particular P2M table, mapping pages as we go. Most callers
* should _not_ call this directly; use the other get_gfn* functions
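Review bot: The comment block above __get_gfn_type_access() does not say which pointer parameters the new __nonnull(3, 4) covers. The indices are positional (t and a here), so a later change that inserts a parameter ahead of t would silently move the annotation onto the wrong arguments. Consider adding a line to the comment stating that t and a must not be NULL while p2m and page_order may be, so the contract is readable without counting arguments.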
@@ -391,13 +391,16 @@ mfn_t __get_gfn_type_access(struct p2m_domain *p2m, unsigned long gfn,
* If the lookup succeeds, the return value is != INVALID_MFN and
* *page_order is filled in with the order of the superpage (if any) that
* the entry was found in. */
-#define get_gfn_type_access(p, g, t, a, q, o) \
- __get_gfn_type_access((p), (g), (t), (a), (q), (o), 1)
+static inline mfn_t __nonnull(3, 4) get_gfn_type_access(
+ struct p2m_domain *p2m, unsigned long gfn, p2m_type_t *t,
+ p2m_access_t *a, p2m_query_t q, unsigned int *page_order)
+{
+ return __get_gfn_type_access(p2m, gfn, t, a, q, page_order, true);
+}
/* General conversion function from gfn to mfn */
-static inline mfn_t get_gfn_type(struct domain *d,
- unsigned long gfn, p2m_type_t *t,
- p2m_query_t q)
+static inline mfn_t __nonnull(3) get_gfn_type(
+ struct domain *d, unsigned long gfn, p2m_type_t *t, p2m_query_t q)
{
p2m_access_t a;
return get_gfn_type_access(p2m_get_hostp2m(d), gfn, t, &a, q, NULL);
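Review bot: The new get_gfn_type_access() inline passes true for the bool_t locked argument where the macro it replaces passed 1. Nothing in this hunk shows that true is defined wherever p2m.h gets included, so either keep 1 to match the old macro and the bool_t type, or confirm the definition is in scope. It would also help to note in the comment that page_order may still be NULL, since get_gfn_type() below depends on that.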
diff --git a/xen/include/xen/compiler.h b/xen/include/xen/compiler.h
index 892455b..f3e8d95 100644
--- a/xen/include/xen/compiler.h
+++ b/xen/include/xen/compiler.h
@@ -61,6 +61,7 @@
#define __maybe_unused __attribute__((__unused__))
#define __must_check __attribute__((__warn_unused_result__))
+#define __nonnull(...) __attribute__((__nonnull__(__VA_ARGS__)))
#define offsetof(a,b) __builtin_offsetof(a,b)
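Review bot: The __nonnull() definition is added without a comment, and two things about it are easy to get wrong at the use sites. The argument indices are 1-based, and GCC uses the attribute as an optimisation hint as well as a diagnostic, so NULL checks on annotated parameters inside the callee may be dropped. A short comment above the #define saying both would help, together with a reminder that only arguments the compiler can prove are NULL get diagnosed, so a pointer that is NULL only at run time produces no warning.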
--
2.1.4
_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
https://lists.xen.org/xen-devel