[XEN,v2,09/13] x86/mm: add defensive return

Message ID	f3adf3d5dac5c4c108207883472f3ebcfa11c685.1719218291.git.federico.serafini@bugseng.com (mailing list archive)
State	Superseded
Headers	show Return-Path: <xen-devel-bounces@lists.xenproject.org> Errors-To: xen-devel-bounces@lists.xenproject.org Precedence: list Sender: "Xen-devel" <xen-devel-bounces@lists.xenproject.org> From: Federico Serafini <federico.serafini@bugseng.com> To: xen-devel@lists.xenproject.org Cc: consulting@bugseng.com, Federico Serafini <federico.serafini@bugseng.com>, Jan Beulich <jbeulich@suse.com>, Andrew Cooper <andrew.cooper3@citrix.com>, =?utf-8?q?Roger_Pau_Monn=C3=A9?= <roger.pau@citrix.com> Subject: [XEN PATCH v2 09/13] x86/mm: add defensive return Date: Mon, 24 Jun 2024 11:04:33 +0200 Message-Id: <f3adf3d5dac5c4c108207883472f3ebcfa11c685.1719218291.git.federico.serafini@bugseng.com> In-Reply-To: <cover.1719218291.git.federico.serafini@bugseng.com> References: <cover.1719218291.git.federico.serafini@bugseng.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit
Series	x86: address some violations of MISRA C Rule 16.3 \| expand [XEN,v2,00/13] x86: address some violations of MISRA C Rule 16.3 [XEN,v2,01/13] automation/eclair: fix deviation of MISRA C Rule 16.3 [XEN,v2,02/13] x86/cpuid: use fallthrough pseudo keyword [XEN,v2,03/13] x86/domctl: address a violation of MISRA C Rule 16.3 [XEN,v2,04/13] x86/vpmu: address violations of MISRA C Rule 16.3 [XEN,v2,05/13] x86/traps: address violations of MISRA C Rule 16.3 [XEN,v2,06/13] x86/mce: address violations of MISRA C Rule 16.3 [XEN,v2,07/13] x86/hvm: address violations of MISRA C Rule 16.3 [XEN,v2,08/13] x86/vpt: address a violation of MISRA C Rule 16.3 [XEN,v2,09/13] x86/mm: add defensive return [XEN,v2,10/13] x86/mpparse: address a violation of MISRA C Rule 16.3 [XEN,v2,11/13] x86/pmtimer: address a violation of MISRA C Rule 16.3 [XEN,v2,12/13] x86/vPIC: address a violation of MISRA C Rule 16.3 [XEN,v2,13/13] x86/vlapic: address a violation of MISRA C Rule 16.3

Message ID

f3adf3d5dac5c4c108207883472f3ebcfa11c685.1719218291.git.federico.serafini@bugseng.com (mailing list archive)

State

Superseded

Headers

Errors-To: xen-devel-bounces@lists.xenproject.org
Precedence: list
Sender: "Xen-devel" <xen-devel-bounces@lists.xenproject.org>
From: Federico Serafini <federico.serafini@bugseng.com>
To: xen-devel@lists.xenproject.org
Cc: consulting@bugseng.com, Federico Serafini <federico.serafini@bugseng.com>,
 Jan Beulich <jbeulich@suse.com>, Andrew Cooper <andrew.cooper3@citrix.com>,
	=?utf-8?q?Roger_Pau_Monn=C3=A9?= <roger.pau@citrix.com>
Subject: [XEN PATCH v2 09/13] x86/mm: add defensive return
Date: Mon, 24 Jun 2024 11:04:33 +0200
Message-Id: 
 <f3adf3d5dac5c4c108207883472f3ebcfa11c685.1719218291.git.federico.serafini@bugseng.com>
In-Reply-To: <cover.1719218291.git.federico.serafini@bugseng.com>
References: <cover.1719218291.git.federico.serafini@bugseng.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit

Series

x86: address some violations of MISRA C Rule 16.3 | expand

Commit Message

Federico Serafini June 24, 2024, 9:04 a.m. UTC

Add defensive return statement at the end of an unreachable
default case. Other than improve safety, this meets the requirements
to deviate a violation of MISRA C Rule 16.3: "An unconditional `break'
statement shall terminate every switch-clause".

Signed-off-by: Federico Serafini <federico.serafini@bugseng.com>
---
 xen/arch/x86/mm.c | 1 +
 1 file changed, 1 insertion(+)

Comments

Jan Beulich June 24, 2024, 3:39 p.m. UTC | #1

On 24.06.2024 11:04, Federico Serafini wrote:
> Add defensive return statement at the end of an unreachable
> default case. Other than improve safety,

It is particularly with this in mind that ...

> this meets the requirements
> to deviate a violation of MISRA C Rule 16.3: "An unconditional `break'
> statement shall terminate every switch-clause".
> 
> Signed-off-by: Federico Serafini <federico.serafini@bugseng.com>
> ---
>  xen/arch/x86/mm.c | 1 +
>  1 file changed, 1 insertion(+)
> 
> diff --git a/xen/arch/x86/mm.c b/xen/arch/x86/mm.c
> index 648d6dd475..2e19ced15e 100644
> --- a/xen/arch/x86/mm.c
> +++ b/xen/arch/x86/mm.c
> @@ -916,6 +916,7 @@ get_page_from_l1e(
>                  return 0;
>              default:
>                  ASSERT_UNREACHABLE();
> +                return 0;
>              }

... returning "success" in such a case can't be quite right. As indicated
elsewhere, really we want -EINTERNAL for such cases, just that errno.h
doesn't know anything like this, and I'm also unaware of a somewhat
similar identifier that we might "clone" from elsewhere. Hence we'll want
to settle on some existing error code which we then use here and in
similar situations. EINVAL is the primary example of what I would prefer
to _not_ see used for this.

Jan

Stefano Stabellini June 25, 2024, 12:58 a.m. UTC | #2

On Mon, 24 Jun 2024, Federico Serafini wrote:
> Add defensive return statement at the end of an unreachable
> default case. Other than improve safety, this meets the requirements
> to deviate a violation of MISRA C Rule 16.3: "An unconditional `break'
> statement shall terminate every switch-clause".
> 
> Signed-off-by: Federico Serafini <federico.serafini@bugseng.com>
> ---
>  xen/arch/x86/mm.c | 1 +
>  1 file changed, 1 insertion(+)
> 
> diff --git a/xen/arch/x86/mm.c b/xen/arch/x86/mm.c
> index 648d6dd475..2e19ced15e 100644
> --- a/xen/arch/x86/mm.c
> +++ b/xen/arch/x86/mm.c
> @@ -916,6 +916,7 @@ get_page_from_l1e(
>                  return 0;
>              default:
>                  ASSERT_UNREACHABLE();
> +                return 0;

Let's avoid this

Federico Serafini June 25, 2024, 7:38 a.m. UTC | #3

On 24/06/24 17:39, Jan Beulich wrote:
> On 24.06.2024 11:04, Federico Serafini wrote:
>> Add defensive return statement at the end of an unreachable
>> default case. Other than improve safety,
> 
> It is particularly with this in mind that ...
> 
>> this meets the requirements
>> to deviate a violation of MISRA C Rule 16.3: "An unconditional `break'
>> statement shall terminate every switch-clause".
>>
>> Signed-off-by: Federico Serafini <federico.serafini@bugseng.com>
>> ---
>>   xen/arch/x86/mm.c | 1 +
>>   1 file changed, 1 insertion(+)
>>
>> diff --git a/xen/arch/x86/mm.c b/xen/arch/x86/mm.c
>> index 648d6dd475..2e19ced15e 100644
>> --- a/xen/arch/x86/mm.c
>> +++ b/xen/arch/x86/mm.c
>> @@ -916,6 +916,7 @@ get_page_from_l1e(
>>                   return 0;
>>               default:
>>                   ASSERT_UNREACHABLE();
>> +                return 0;
>>               }
> 
> ... returning "success" in such a case can't be quite right. As indicated
> elsewhere, really we want -EINTERNAL for such cases, just that errno.h
> doesn't know anything like this, and I'm also unaware of a somewhat
> similar identifier that we might "clone" from elsewhere. Hence we'll want
> to settle on some existing error code which we then use here and in
> similar situations. EINVAL is the primary example of what I would prefer
> to _not_ see used for this.

Sorry, I got confused by the ASSERT_UNREACHABLE followed by a
return 0 few lines above.

diff --git a/xen/arch/x86/mm.c b/xen/arch/x86/mm.c
index 648d6dd475..2e19ced15e 100644
--- a/xen/arch/x86/mm.c
+++ b/xen/arch/x86/mm.c
@@ -916,6 +916,7 @@  get_page_from_l1e(
                 return 0;
             default:
                 ASSERT_UNREACHABLE();
+                return 0;
             }
         }
         else if ( l1f & _PAGE_RW )

[XEN,v2,09/13] x86/mm: add defensive return

Commit Message

Comments

Patch