[0/9] xen: address violations of MISRA C:2012 Rule 11.8

Message ID cover.1702555386.git.maria.celeste.cesario@bugseng.com (mailing list archive)
Message

Simone Ballarin Dec. 14, 2023, 12:07 p.m. UTC
From: Maria Celeste Cesario <maria.celeste.cesario@bugseng.com>

The xen sources contain violations of MISRA C:2012 Rule 11.8 whose
headline states:
"A conversion shall not remove any const, volatile or _Atomic
qualification from the type pointed to by a pointer".

This patch amends or removes casts that unnecessarily drop
const and volatile qualifiers.

Example:

 static always_inline bool int_##name(volatile void *p)
 {
    volatile uint32_t *ptr = (uint32_t *)p;             /* Non-compliant */
    volatile uint32_t *ptr = (volatile uint32_t *)p;    /* Compliant, proposed change */
 }

In this example, the volatile qualifier is unnecessarily removed
from the original object, therefore making it non-compliant.


Deviate the following violations:

- removal of const qualifier to comply with function signature
  It is safe to cast away const qualifiers to comply with function
  signature if the function does not modify the pointee.
  A SAF-3-safe comment was added to deviate this violation.

- violations in macro container_of
  Violations caused by this macro are due to pointer arithmetic operations
  with the provided offset. The resulting pointer is then immediately cast back to its
  original type, which preserves the qualifier. This use can be deemed as safe.

- violations in function ERR_CAST
  This function is made to explicitly cast an error-valued pointer to a void
  pointer type to make it clear that's what's going on, so the violation is deliberate.


Maria Celeste Cesario (9):
  xen/arm64: address violations of MISRA C:2012 Rule 11.8
  xen/arm: address violations of MISRA C:2012 Rule 11.8
  xen/efi: address violations of MISRA C:2012 Rule 11.8
  ACPI: address violations of MISRA C:2012 Rule 11.8
  xen/x86: address violations of MISRA C:2012 Rule 11.8
  xen/ppc: address violations of MISRA C:2012 Rule 11.8.
  x86/hvm: address violations of MISRA C:2012 Rule 11.8
  xen: add deviations for Rule 11.8
  xen: add SAF deviation for safe cast removal.

 automation/eclair_analysis/ECLAIR/deviations.ecl | 12 ++++++++++++
 docs/misra/deviations.rst                        | 13 +++++++++++++
 docs/misra/safe.json                             |  8 ++++++++
 xen/arch/arm/arm64/lib/bitops.c                  |  6 ++++--
 xen/arch/arm/bootfdt.c                           |  6 +++---
 xen/arch/arm/include/asm/alternative.h           |  2 +-
 xen/arch/arm/include/asm/arm64/cmpxchg.h         | 10 +++++-----
 xen/arch/ppc/include/asm/atomic.h                |  2 +-
 xen/arch/x86/boot/reloc.c                        |  4 ++--
 xen/arch/x86/hvm/hvm.c                           |  3 ++-
 xen/common/efi/boot.c                            |  6 +++---
 xen/common/version.c                             |  2 +-
 xen/include/acpi/acmacros.h                      |  2 +-
 13 files changed, 56 insertions(+), 20 deletions(-)

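The following is an added, stand-alone C example written for this page; it is not code from the patch series or from the Xen tree. It shows the three situations the cover letter discusses: a `volatile void *` parameter converted without dropping `volatile` (as the thread notes, a pointer to `volatile void` converts implicitly, so no cast is needed at all), a cast that drops `const` only to satisfy a legacy callee signature (the SAF-3-safe case), and a `container_of`-style round trip whose result is assigned back to a `const`-qualified pointer. The `container_of` definition here is a portable simplification using only `offsetof`, an assumption of this example rather than Xen's own macro; `struct node`, the function names and the sample data are constructed for the demonstration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Case 1: the parameter is already volatile-qualified. A pointer to
 * volatile void converts implicitly to a pointer to volatile uint32_t,
 * so no cast is written and no qualifier can be lost (Rule 11.8 compliant). */
static uint32_t read_word(volatile void *p)
{
    volatile uint32_t *ptr = p;   /* compliant: implicit conversion keeps volatile */
    return *ptr;
}

/* Case 1, read-only variant: a const void * buffer viewed as const bytes.
 * A (uint8_t *) cast here would drop const and violate Rule 11.8. */
static uint32_t sum_bytes(const void *buf, size_t len)
{
    const uint8_t *b = buf;       /* compliant: const kept on the pointee */
    uint32_t s = 0;
    for (size_t i = 0; i < len; i++)
        s += b[i];
    return s;
}

/* Case 2: a legacy callee whose signature lacks const although it never
 * writes through the pointer (constructed stand-in for such an API). */
static size_t legacy_len(char *s)
{
    return strlen(s);
}

/* The cast drops const solely to match legacy_len's signature. Because the
 * callee does not modify the pointee, this is the situation the cover
 * letter deviates with a SAF-3-safe comment. */
static size_t name_len(const char *name)
{
    /* SAF-3-safe */
    return legacy_len((char *)name);
}

/* Case 3: container_of. Portable form using offsetof only; this is an
 * assumption of the example, not Xen's definition of the macro. */
#define container_of(ptr, type, member) \
    ((type *)((char *)(ptr) - offsetof(type, member)))

struct node {
    uint32_t id;
    int value;
};

/* The (char *) step inside the macro loses const on the way through;
 * assigning the result to a const-qualified pointer restores the original
 * qualification, which is why the cover letter deems the macro's use safe. */
static const struct node *node_from_value(const int *vp)
{
    const struct node *n = container_of(vp, struct node, value);
    return n;
}

/* Constructed sample data so the example runs without any hardware or tree. */
static const struct node sample = { 7, 42 };

/* Constructed stand-in for a device register read through read_word(). */
static uint32_t demo_read_word(void)
{
    volatile uint32_t reg = 0x12345678u;
    return read_word(&reg);
}

int main(void)
{
    printf("read_word      = 0x%08x\n", demo_read_word());
    printf("sum_bytes(abc) = %u\n", sum_bytes("abc", 3));
    printf("name_len(xen)  = %zu\n", name_len("xen"));
    printf("container_of round trip ok = %d\n",
           node_from_value(&sample.value) == &sample);
    return 0;
}
```

Running it with `-Wcast-qual` makes the difference visible: only `name_len` and the `container_of` expansion produce a cast-qualifier warning, which is exactly the set of sites the series either deviates or documents, while the implicit conversions in `read_word` and `sum_bytes` produce none.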
Comments

Jan Beulich Dec. 14, 2023, 12:36 p.m. UTC | #1
On 14.12.2023 13:07, Simone Ballarin wrote:
> From: Maria Celeste Cesario <maria.celeste.cesario@bugseng.com>
> 
> The xen sources contain violations of MISRA C:2012 Rule 11.8 whose
> headline states:
> "A conversion shall not remove any const, volatile or _Atomic
> qualification from the type pointed to by a pointer".
> 
> This patch amends or removes casts that unnecessarily drop
> const and volatile qualifiers.
> 
> Example:
> 
>  static always_inline bool int_##name(volatile void *p)
>  {
>     volatile uint32_t *ptr = (uint32_t *)p;             /* Non-compliant */
>     volatile uint32_t *ptr = (volatile uint32_t *)p;    /* Compliant, proposed change */
>  }

Why would you further complicate things when here the cast can simply
be dropped?

Jan
Simone Ballarin Dec. 18, 2023, 2:28 p.m. UTC | #2
On 14/12/23 13:36, Jan Beulich wrote:
> On 14.12.2023 13:07, Simone Ballarin wrote:
>> From: Maria Celeste Cesario <maria.celeste.cesario@bugseng.com>
>>
>> The xen sources contain violations of MISRA C:2012 Rule 11.8 whose
>> headline states:
>> "A conversion shall not remove any const, volatile or _Atomic
>> qualification from the type pointed to by a pointer".
>>
>> This patch amends or removes casts that unnecessarily drop
>> const and volatile qualifiers.
>>
>> Example:
>>
>>   static always_inline bool int_##name(volatile void *p)
>>   {
>>      volatile uint32_t *ptr = (uint32_t *)p;             /* Non-compliant */
>>      volatile uint32_t *ptr = (volatile uint32_t *)p;    /* Compliant, proposed change */
>>   }
> 
> Why would you further complicate things when here the cast can simply
> be dropped?
> 
> Jan

Of course, the example will be improved in v2.