
[v2,3/6] xen: add deviations for Rule 11.8

Message ID 04cdbf21db915634acd49108edab7d6331df35eb.1702982442.git.maria.celeste.cesario@bugseng.com (mailing list archive)
State New, archived
Series xen: address violations of MISRA C:2012 Rule 11.8

Commit Message

Simone Ballarin Dec. 19, 2023, 11:05 a.m. UTC
From: Maria Celeste Cesario <maria.celeste.cesario@bugseng.com>

The xen sources contain violations of MISRA C:2012 Rule 11.8 whose
headline states:
"A conversion shall not remove any const, volatile or _Atomic qualification
from the type pointed to by a pointer".

The macro 'container_of' violates the Rule because it casts away any
qualifier to do pointer arithmetic, but making the macro definition compliant
would add additional complexity, therefore a deviation is introduced.

Signed-off-by: Maria Celeste Cesario  <maria.celeste.cesario@bugseng.com>
Signed-off-by: Simone Ballarin  <simone.ballarin@bugseng.com>
---
Changes in v2:
- remove deviation for function ERR_CAST;

container_of: Fixing this violation would require the declaration of a new
 macro taking advantage of the return value of the ternary operator ?: :
 its return value preserves qualifiers present on both expressions, hence
 returning void* or qualified void* depending on pointer type, like in this macro:
 '#define same_constness_void_ptr(ptr) ((typeof((false ? (void*) 1 : (ptr)))) (ptr))'
 The result could then be used with a Generic to avoid the cast.
---
 automation/eclair_analysis/ECLAIR/deviations.ecl | 7 +++++++
 docs/misra/deviations.rst                        | 7 +++++++
 2 files changed, 14 insertions(+)
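
As an added illustration (not Xen code and not part of this patch), a container_of-style macro of the assumed usual shape, the `same_constness_void_ptr` trick from the notes above, and a `_Generic` dispatch built on it; `container_of_plain`, `container_of_q`, the struct types and the check functions are all constructed here. Note that the unselected `_Generic` association still contains the qualifier-dropping cast in the source text, so this shows the mechanism rather than a tool-verified Rule 11.8 fix.

```c
#include <stdbool.h>
#include <stddef.h>
/* Constructed types for the demonstration (not from Xen). */
struct node { int payload; };
struct item { int id; struct node link; };

/* Assumed container_of shape (the Xen definition is not on this page): the
 * (char *) cast strips const from ptr, which is what Rule 11.8 reports, and
 * the final (type *) cast returns an unqualified pointer for a const input. */
#define container_of_plain(ptr, type, member) \
    ((type *)((char *)(ptr) - offsetof(type, member)))

/* The ?: trick from the cover letter: the conditional operator yields a
 * pointer to "appropriately qualified void", so a const ptr gives const void *.
 * __typeof__ is the typeof spelling accepted in strict ISO modes of GCC/Clang. */
#define same_constness_void_ptr(ptr) \
    ((__typeof__((false ? (void *)1 : (ptr)))) (ptr))

/* _Generic dispatches on that type so the selected arithmetic path never
 * drops a qualifier; ptr is evaluated more than once, so pass a plain lvalue. */
#define container_of_q(ptr, type, member)                                      \
    _Generic(same_constness_void_ptr(ptr),                                     \
        const void *: (const type *)((const char *)(ptr) - offsetof(type, member)), \
        void *:       (type *)((char *)(ptr) - offsetof(type, member)))

/* 1 if the plain macro hands back a mutable pointer for a const input. */
static int plain_drops_const(void)
{
    static const struct item it = { .id = 7, .link = { .payload = 42 } };
    const struct node *np = &it.link;
    return _Generic(container_of_plain(np, struct item, link),
                    struct item *: 1, default: 0);
}

/* 1 if the qualifier-aware macro keeps const for a const input. */
static int q_keeps_const(void)
{
    static const struct item it = { .id = 7, .link = { .payload = 42 } };
    const struct node *np = &it.link;
    return _Generic(container_of_q(np, struct item, link),
                    const struct item *: 1, default: 0);
}

/* The qualifier-aware macro still recovers the enclosing object: returns its id. */
static int q_roundtrip_id(void)
{
    struct item it = { .id = 7, .link = { .payload = 42 } };
    struct node *np = &it.link;
    return container_of_q(np, struct item, link)->id;
}
```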

Comments

Stefano Stabellini Dec. 20, 2023, 1:04 a.m. UTC | #1
On Tue, 19 Dec 2023, Simone Ballarin wrote:
> From: Maria Celeste Cesario <maria.celeste.cesario@bugseng.com>
> 
> The xen sources contain violations of MISRA C:2012 Rule 11.8 whose
> headline states:
> "A conversion shall not remove any const, volatile or _Atomic qualification
> from the type pointed to by a pointer".
> 
> The macro 'container_of' violates the Rule because it casts away any
> qualifier to do pointer arithmetic, but making the macro definition compliant
> would add additional complexity, therefore a deviation is introduced.
> 
> Signed-off-by: Maria Celeste Cesario  <maria.celeste.cesario@bugseng.com>
> Signed-off-by: Simone Ballarin  <simone.ballarin@bugseng.com>

Reviewed-by: Stefano Stabellini <sstabellini@kernel.org>
Jan Beulich Dec. 20, 2023, 10:50 a.m. UTC | #2
On 19.12.2023 12:05, Simone Ballarin wrote:
> --- a/docs/misra/deviations.rst
> +++ b/docs/misra/deviations.rst
> @@ -248,6 +248,13 @@ Deviations related to MISRA C:2012 Rules:
>         If no bits are set, 0 is returned.
>       - Tagged as `safe` for ECLAIR.
>  
> +   * - R11.8
> +     - Violations caused by container_of are due to pointer arithmetic operations
> +       with the provided offset. The resulting pointer is then immediately cast back to its
> +       original type, which preserves the qualifier. This use is deemed safe.
> +       Fixing this violation would require to increase code complexity and lower readability.
> +     - Tagged as `safe` for ECLAIR.
> +    

Going forward can you please avoid adding trailing whitespace. "git am"
doesn't really like that, and hence it requires extra steps to clean up.

Jan
Nicola Vetrini Dec. 20, 2023, 11:39 a.m. UTC | #3
On 2023-12-20 11:50, Jan Beulich wrote:
> On 19.12.2023 12:05, Simone Ballarin wrote:
>> --- a/docs/misra/deviations.rst
>> +++ b/docs/misra/deviations.rst
>> @@ -248,6 +248,13 @@ Deviations related to MISRA C:2012 Rules:
>>         If no bits are set, 0 is returned.
>>       - Tagged as `safe` for ECLAIR.
>> 
>> +   * - R11.8
>> +     - Violations caused by container_of are due to pointer 
>> arithmetic operations
>> +       with the provided offset. The resulting pointer is then 
>> immediately cast back to its
>> +       original type, which preserves the qualifier. This use is 
>> deemed safe.
>> +       Fixing this violation would require to increase code 
>> complexity and lower readability.
>> +     - Tagged as `safe` for ECLAIR.
>> +
> 
> Going forward can you please avoid adding trailing whitespace. "git am"
> doesn't really like that, and hence it requires extra steps to clean 
> up.
> 
> Jan

Noted, sorry for the inconvenience.

Patch

diff --git a/automation/eclair_analysis/ECLAIR/deviations.ecl b/automation/eclair_analysis/ECLAIR/deviations.ecl
index 683f2bbfe8..1515378ff1 100644
--- a/automation/eclair_analysis/ECLAIR/deviations.ecl
+++ b/automation/eclair_analysis/ECLAIR/deviations.ecl
@@ -292,6 +292,13 @@  constant expressions are required.\""
 # Series 11
 #
 
+-doc_begin="Violations caused by container_of are due to pointer arithmetic operations
+with the provided offset. The resulting pointer is then immediately cast back to its
+original type, which preserves the qualifier. This use is deemed safe.
+Fixing this violation would require to increase code complexity and lower readability."
+-config=MC3R1.R11.8,reports+={safe,"any_area(any_loc(any_exp(macro(^container_of$))))"}
+-doc_end
+
 -doc_begin="This construct is used to check if the type is scalar, and for this purpose the use of 0 as a null pointer constant is deliberate."
 -config=MC3R1.R11.9,reports+={deliberate, "any_area(any_loc(any_exp(macro(^__ACCESS_ONCE$))))"
 }
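Review bot: the last sentence of the -doc_begin text, "Fixing this violation would require to increase code complexity and lower readability.", is ungrammatical; suggest "Fixing this violation would require increasing code complexity and lowering readability." and carry the same wording into the docs/misra/deviations.rst entry so the two copies of the justification stay identical.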
diff --git a/docs/misra/deviations.rst b/docs/misra/deviations.rst
index eda3c8100c..ccf6e90e87 100644
--- a/docs/misra/deviations.rst
+++ b/docs/misra/deviations.rst
@@ -248,6 +248,13 @@  Deviations related to MISRA C:2012 Rules:
        If no bits are set, 0 is returned.
      - Tagged as `safe` for ECLAIR.
 
+   * - R11.8
+     - Violations caused by container_of are due to pointer arithmetic operations
+       with the provided offset. The resulting pointer is then immediately cast back to its
+       original type, which preserves the qualifier. This use is deemed safe.
+       Fixing this violation would require to increase code complexity and lower readability.
+     - Tagged as `safe` for ECLAIR.
+    
    * - R11.9
      - __ACCESS_ONCE uses an integer, which happens to be zero, as a
        compile time check. The typecheck uses a cast. The usage of zero or other
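Review bot: the final added line of this hunk, after "- Tagged as `safe` for ECLAIR.", is "+" followed by trailing spaces rather than an empty "+" line; the separator between table rows should be blank, otherwise "git am" reports whitespace errors. The justification text here also needs the same grammar fix as the .ecl copy ("would require increasing code complexity and lowering readability").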