diff mbox series

[v3] docs/misra: document the expected sizes of integer types

Message ID alpine.DEB.2.22.394.2404031806510.2245130@ubuntu-linux-20-04-desktop (mailing list archive)
State Superseded
Headers show
Series [v3] docs/misra: document the expected sizes of integer types | expand

Commit Message

Stefano Stabellini April 4, 2024, 1:12 a.m. UTC
Xen makes assumptions about the size of integer types on the various
architectures. Document these assumptions.

Signed-off-by: Stefano Stabellini <stefano.stabellini@amd.com>
---
Changes in v3:
- add links to System V, AAPCS32 and AAPCS64

---
 docs/misra/C-language-toolchain.rst | 69 +++++++++++++++++++++++++++++
 1 file changed, 69 insertions(+)

Comments

Bertrand Marquis April 4, 2024, 8:29 a.m. UTC | #1
Hi Stefano,

> On 4 Apr 2024, at 03:12, Stefano Stabellini <sstabellini@kernel.org> wrote:
> 
> Xen makes assumptions about the size of integer types on the various
> architectures. Document these assumptions.
> 
> Signed-off-by: Stefano Stabellini <stefano.stabellini@amd.com>
> ---
> Changes in v3:
> - add links to System V, AAPCS32 and AAPCS64
> 
> ---
> docs/misra/C-language-toolchain.rst | 69 +++++++++++++++++++++++++++++
> 1 file changed, 69 insertions(+)
> 
> diff --git a/docs/misra/C-language-toolchain.rst b/docs/misra/C-language-toolchain.rst
> index b7c2000992..84b21992bc 100644
> --- a/docs/misra/C-language-toolchain.rst
> +++ b/docs/misra/C-language-toolchain.rst
> @@ -480,4 +480,73 @@ The table columns are as follows:
>      - See Section "4.13 Preprocessing Directives" of GCC_MANUAL and Section "11.1 Implementation-defined behavior" of CPP_MANUAL.
> 
> 
> +Sizes of Integer types
> +______________________
> +
> +Xen expects System V ABI on x86_64:
> +  https://gitlab.com/x86-psABIs/x86-64-ABI
> +
> +Xen expects AAPCS32 on ARMv8-A AArch32:
> +  https://github.com/ARM-software/abi-aa/blob/main/aapcs32/aapcs32.rst
> +
> +Xen expects AAPCS64 LP64 on ARMv8-A AArch64:
> +  https://github.com/ARM-software/abi-aa/blob/main/aapcs64/aapcs64.rst

We still support armv7 somehow so we should add something for it here.

> +
> +A summary table of data types, sizes and alignment is below:
> +
> +.. list-table::
> +   :widths: 10 10 10 45
> +   :header-rows: 1
> +
> +   * - Type
> +     - Size
> +     - Alignment
> +     - Architectures
> +
> +   * - char 
> +     - 8 bits
> +     - 8 bits
> +     - all architectures
> +
> +   * - short
> +     - 16 bits
> +     - 16 bits
> +     - all architectures
> +
> +   * - int
> +     - 32 bits
> +     - 32 bits
> +     - all architectures
> +
> +   * - long
> +     - 32 bits
> +     - 32 bits 
> +     - 32-bit architectures (x86_32, ARMv8-A AArch32, ARMv8-R AArch32)

Same here armv7 should be mentioned.

> +
> +   * - long
> +     - 64 bits
> +     - 64 bits 
> +     - 64-bit architectures (x86_64, ARMv8-A AArch64, RV64, PPC64)
> +
> +   * - long long
> +     - 64-bit
> +     - 32-bit
> +     - x86_32
> +
> +   * - long long
> +     - 64-bit
> +     - 64-bit
> +     - 64-bit architectures, ARMv8-A AArch32, ARMv8-R AArch32

Should this be all architecture except x86_32 ?

> +
> +   * - pointer
> +     - 32-bit
> +     - 32-bit
> +     - 32-bit architectures (x86_32, ARMv8-A AArch32, ARMv8-R AArch32)

Armv7 missing here.

> +
> +   * - pointer
> +     - 64-bit
> +     - 64-bit
> +     - 64-bit architectures (x86_64, ARMv8-A AArch64, RV64, PPC64)
> +
> +
> END OF DOCUMENT.
> -- 
> 2.25.1
> 

Cheers
Bertrand
Jan Beulich April 4, 2024, 8:36 a.m. UTC | #2
On 04.04.2024 03:12, Stefano Stabellini wrote:
> --- a/docs/misra/C-language-toolchain.rst
> +++ b/docs/misra/C-language-toolchain.rst
> @@ -480,4 +480,73 @@ The table columns are as follows:
>       - See Section "4.13 Preprocessing Directives" of GCC_MANUAL and Section "11.1 Implementation-defined behavior" of CPP_MANUAL.
>  
>  
> +Sizes of Integer types
> +______________________
> +
> +Xen expects System V ABI on x86_64:
> +  https://gitlab.com/x86-psABIs/x86-64-ABI
> +
> +Xen expects AAPCS32 on ARMv8-A AArch32:
> +  https://github.com/ARM-software/abi-aa/blob/main/aapcs32/aapcs32.rst
> +
> +Xen expects AAPCS64 LP64 on ARMv8-A AArch64:
> +  https://github.com/ARM-software/abi-aa/blob/main/aapcs64/aapcs64.rst
> +
> +A summary table of data types, sizes and alignment is below:
> +
> +.. list-table::
> +   :widths: 10 10 10 45
> +   :header-rows: 1
> +
> +   * - Type
> +     - Size
> +     - Alignment
> +     - Architectures
> +
> +   * - char 
> +     - 8 bits
> +     - 8 bits
> +     - all architectures

This one _may_ be acceptable, but already feels like going too far.

> +   * - short
> +     - 16 bits
> +     - 16 bits
> +     - all architectures
> +
> +   * - int
> +     - 32 bits
> +     - 32 bits
> +     - all architectures

These two I continue to disagree with. The values are minimum required ones.
Even if code changes may be needed (Misra already helps us here by stopping
undue mixing of e.g. unsigned int and uint32_t in at least some situations),
there's no inherent requirement in Xen for such restrictions.

> +   * - long
> +     - 32 bits
> +     - 32 bits 
> +     - 32-bit architectures (x86_32, ARMv8-A AArch32, ARMv8-R AArch32)
> +
> +   * - long
> +     - 64 bits
> +     - 64 bits 
> +     - 64-bit architectures (x86_64, ARMv8-A AArch64, RV64, PPC64)
> +
> +   * - long long
> +     - 64-bit
> +     - 32-bit
> +     - x86_32
> +
> +   * - long long
> +     - 64-bit
> +     - 64-bit
> +     - 64-bit architectures, ARMv8-A AArch32, ARMv8-R AArch32

Along the lines of the above, simply saying "64-bit architectures" here
is too generic. Whereas for long (above) and ...

> +   * - pointer
> +     - 32-bit
> +     - 32-bit
> +     - 32-bit architectures (x86_32, ARMv8-A AArch32, ARMv8-R AArch32)
> +
> +   * - pointer
> +     - 64-bit
> +     - 64-bit
> +     - 64-bit architectures (x86_64, ARMv8-A AArch64, RV64, PPC64)

... pointers I agree (and the special mentioning of the architectures
in parentheses could even be omitted imo). To summarize, my counter
proposal:

   * - char 
     - at least 8 bits
     - equaling size
     - all architectures

   * - char
     - 8 bits
     - 8 bits
     - x86, ARM, RISC-V, PPC

   * - short
     - at least 16 bits
     - equaling size
     - all architectures

   * - short
     - 16 bits
     - 16 bits
     - x86, ARM, RISC-V, PPC

   * - int
     - at least 32 bits
     - equaling size
     - all architectures

   * - int
     - 32 bits
     - 32 bits
     - x86, ARM, RISC-V, PPC

   * - long
     - 32 bits
     - 32 bits 
     - 32-bit architectures

   * - long
     - 64 bits
     - 64 bits 
     - 64-bit architectures

   * - long long
     - 64-bit
     - 32-bit
     - x86_32

   * - long long
     - 64-bit
     - 64-bit
     - x86_64, ARMv8-A AArch64, RV64, PPC64, ARMv8-A AArch32, ARMv8-R AArch32

   * - pointer
     - 32-bit
     - 32-bit
     - 32-bit architectures

   * - pointer
     - 64-bit
     - 64-bit
     - 64-bit architectures

Eventually, by properly decoupling pointers from longs (via using {,u}intptr_t
appropriately), the restrictions on "long" could also be lifted.

Note that the generic requirements on char and short also are imposed by C99.
It may therefore not be necessary to state them explicitly, but rather refer
to that standard (just like you're now referencing the SysV psABI-s).

Jan
Stefano Stabellini April 4, 2024, 11:56 p.m. UTC | #3
On Thu, 4 Apr 2024, Jan Beulich wrote:
> On 04.04.2024 03:12, Stefano Stabellini wrote:
> > --- a/docs/misra/C-language-toolchain.rst
> > +++ b/docs/misra/C-language-toolchain.rst
> > @@ -480,4 +480,73 @@ The table columns are as follows:
> >       - See Section "4.13 Preprocessing Directives" of GCC_MANUAL and Section "11.1 Implementation-defined behavior" of CPP_MANUAL.
> >  
> >  
> > +Sizes of Integer types
> > +______________________
> > +
> > +Xen expects System V ABI on x86_64:
> > +  https://gitlab.com/x86-psABIs/x86-64-ABI
> > +
> > +Xen expects AAPCS32 on ARMv8-A AArch32:
> > +  https://github.com/ARM-software/abi-aa/blob/main/aapcs32/aapcs32.rst
> > +
> > +Xen expects AAPCS64 LP64 on ARMv8-A AArch64:
> > +  https://github.com/ARM-software/abi-aa/blob/main/aapcs64/aapcs64.rst
> > +
> > +A summary table of data types, sizes and alignment is below:
> > +
> > +.. list-table::
> > +   :widths: 10 10 10 45
> > +   :header-rows: 1
> > +
> > +   * - Type
> > +     - Size
> > +     - Alignment
> > +     - Architectures
> > +
> > +   * - char 
> > +     - 8 bits
> > +     - 8 bits
> > +     - all architectures
> 
> This one _may_ be acceptable, but already feels like going too far.
> 
> > +   * - short
> > +     - 16 bits
> > +     - 16 bits
> > +     - all architectures
> > +
> > +   * - int
> > +     - 32 bits
> > +     - 32 bits
> > +     - all architectures
> 
> These two I continue to disagree with. The values are minimum required ones.

The purpose of the document docs/misra/C-language-toolchain.rst is to
describe the reference safety-supported configuration. In a way, this
document is similar to SUPPORT.md but for safety instead of security.

Here, we need to write down the stable configuration, the one everyone
is aligned and convinced should work correctly.

Now, let's say that I believe you and agree with you that it should be
possible to support int as 64-bit. This configuration is not tested. If
I can draw a comparison, it would be similar to ask for XSM to be
security supported while in fact is marked as experimental in
SUPPORT.md.

If you want, taking inspiration from SUPPORT.md, we can have a
"supported" column and a "experimental" column. In the experimental
column we can write down "at least 32-bit" or "32-bit or larger".


> Even if code changes may be needed (Misra already helps us here by stopping
> undue mixing of e.g. unsigned int and uint32_t in at least some situations),
> there's no inherent requirement in Xen for such restrictions.

I hope that my comparison with XSM and SUPPORT.md helps explain why we
need to clarify the safety supported configuration with the values we
actually validate Xen with.

Your goal is to write down what should work with Xen, which is also OK
but it is a different goal. It is OK to say that we aim for Xen to also
work with other configurations too, and list them. That was not my
intention, but I can expand the scope if you request.

 
> > +   * - long
> > +     - 32 bits
> > +     - 32 bits 
> > +     - 32-bit architectures (x86_32, ARMv8-A AArch32, ARMv8-R AArch32)
> > +
> > +   * - long
> > +     - 64 bits
> > +     - 64 bits 
> > +     - 64-bit architectures (x86_64, ARMv8-A AArch64, RV64, PPC64)
> > +
> > +   * - long long
> > +     - 64-bit
> > +     - 32-bit
> > +     - x86_32
> > +
> > +   * - long long
> > +     - 64-bit
> > +     - 64-bit
> > +     - 64-bit architectures, ARMv8-A AArch32, ARMv8-R AArch32
> 
> Along the lines of the above, simply saying "64-bit architectures" here
> is too generic. Whereas for long (above) and ...
> 
> > +   * - pointer
> > +     - 32-bit
> > +     - 32-bit
> > +     - 32-bit architectures (x86_32, ARMv8-A AArch32, ARMv8-R AArch32)
> > +
> > +   * - pointer
> > +     - 64-bit
> > +     - 64-bit
> > +     - 64-bit architectures (x86_64, ARMv8-A AArch64, RV64, PPC64)
> 
> ... pointers I agree (and the special mentioning of the architectures
> in parentheses could even be omitted imo). To summarize, my counter
> proposal:
> 
>    * - char 
>      - at least 8 bits

this

>      - equaling size
>      - all architectures
> 
>    * - char
>      - 8 bits
>      - 8 bits
>      - x86, ARM, RISC-V, PPC
> 
>    * - short
>      - at least 16 bits

and this

>      - equaling size
>      - all architectures
> 
>    * - short
>      - 16 bits
>      - 16 bits
>      - x86, ARM, RISC-V, PPC
> 
>    * - int
>      - at least 32 bits

and this, more below


>      - equaling size
>      - all architectures
> 
>    * - int
>      - 32 bits
>      - 32 bits
>      - x86, ARM, RISC-V, PPC
> 
>    * - long
>      - 32 bits
>      - 32 bits 
>      - 32-bit architectures
> 
>    * - long
>      - 64 bits
>      - 64 bits 
>      - 64-bit architectures
> 
>    * - long long
>      - 64-bit
>      - 32-bit
>      - x86_32
> 
>    * - long long
>      - 64-bit
>      - 64-bit
>      - x86_64, ARMv8-A AArch64, RV64, PPC64, ARMv8-A AArch32, ARMv8-R AArch32
> 
>    * - pointer
>      - 32-bit
>      - 32-bit
>      - 32-bit architectures
> 
>    * - pointer
>      - 64-bit
>      - 64-bit
>      - 64-bit architectures
> 
> Eventually, by properly decoupling pointers from longs (via using {,u}intptr_t
> appropriately), the restrictions on "long" could also be lifted.
> 
> Note that the generic requirements on char and short also are imposed by C99.
> It may therefore not be necessary to state them explicitly, but rather refer
> to that standard (just like you're now referencing the SysV psABI-s).

I am OK with the above, except for the three instances of "at least". As
mentioned earlier, we need to specify the supported and validated
configuration. If you want we can also add another field to express what
we aim at getting Xen to work with, but it should be separate.
Stefano Stabellini April 4, 2024, 11:57 p.m. UTC | #4
On Thu, 4 Apr 2024, Bertrand Marquis wrote:
> Hi Stefano,
> 
> > On 4 Apr 2024, at 03:12, Stefano Stabellini <sstabellini@kernel.org> wrote:
> > 
> > Xen makes assumptions about the size of integer types on the various
> > architectures. Document these assumptions.
> > 
> > Signed-off-by: Stefano Stabellini <stefano.stabellini@amd.com>
> > ---
> > Changes in v3:
> > - add links to System V, AAPCS32 and AAPCS64
> > 
> > ---
> > docs/misra/C-language-toolchain.rst | 69 +++++++++++++++++++++++++++++
> > 1 file changed, 69 insertions(+)
> > 
> > diff --git a/docs/misra/C-language-toolchain.rst b/docs/misra/C-language-toolchain.rst
> > index b7c2000992..84b21992bc 100644
> > --- a/docs/misra/C-language-toolchain.rst
> > +++ b/docs/misra/C-language-toolchain.rst
> > @@ -480,4 +480,73 @@ The table columns are as follows:
> >      - See Section "4.13 Preprocessing Directives" of GCC_MANUAL and Section "11.1 Implementation-defined behavior" of CPP_MANUAL.
> > 
> > 
> > +Sizes of Integer types
> > +______________________
> > +
> > +Xen expects System V ABI on x86_64:
> > +  https://gitlab.com/x86-psABIs/x86-64-ABI
> > +
> > +Xen expects AAPCS32 on ARMv8-A AArch32:
> > +  https://github.com/ARM-software/abi-aa/blob/main/aapcs32/aapcs32.rst
> > +
> > +Xen expects AAPCS64 LP64 on ARMv8-A AArch64:
> > +  https://github.com/ARM-software/abi-aa/blob/main/aapcs64/aapcs64.rst
> 
> We still support armv7 somehow so we should add something for it here.
> 
> > +
> > +A summary table of data types, sizes and alignment is below:
> > +
> > +.. list-table::
> > +   :widths: 10 10 10 45
> > +   :header-rows: 1
> > +
> > +   * - Type
> > +     - Size
> > +     - Alignment
> > +     - Architectures
> > +
> > +   * - char 
> > +     - 8 bits
> > +     - 8 bits
> > +     - all architectures
> > +
> > +   * - short
> > +     - 16 bits
> > +     - 16 bits
> > +     - all architectures
> > +
> > +   * - int
> > +     - 32 bits
> > +     - 32 bits
> > +     - all architectures
> > +
> > +   * - long
> > +     - 32 bits
> > +     - 32 bits 
> > +     - 32-bit architectures (x86_32, ARMv8-A AArch32, ARMv8-R AArch32)
> 
> Same here armv7 should be mentioned.
> 
> > +
> > +   * - long
> > +     - 64 bits
> > +     - 64 bits 
> > +     - 64-bit architectures (x86_64, ARMv8-A AArch64, RV64, PPC64)
> > +
> > +   * - long long
> > +     - 64-bit
> > +     - 32-bit
> > +     - x86_32
> > +
> > +   * - long long
> > +     - 64-bit
> > +     - 64-bit
> > +     - 64-bit architectures, ARMv8-A AArch32, ARMv8-R AArch32
> 
> Should this be all architecture except x86_32 ?

yes

> > +
> > +   * - pointer
> > +     - 32-bit
> > +     - 32-bit
> > +     - 32-bit architectures (x86_32, ARMv8-A AArch32, ARMv8-R AArch32)
> 
> Armv7 missing here.

What is the formal name I should use for it here? ARMv7 AArch32 ?
Jan Beulich April 5, 2024, 6:05 a.m. UTC | #5
On 05.04.2024 01:56, Stefano Stabellini wrote:
> On Thu, 4 Apr 2024, Jan Beulich wrote:
>> On 04.04.2024 03:12, Stefano Stabellini wrote:
>>> --- a/docs/misra/C-language-toolchain.rst
>>> +++ b/docs/misra/C-language-toolchain.rst
>>> @@ -480,4 +480,73 @@ The table columns are as follows:
>>>       - See Section "4.13 Preprocessing Directives" of GCC_MANUAL and Section "11.1 Implementation-defined behavior" of CPP_MANUAL.
>>>  
>>>  
>>> +Sizes of Integer types
>>> +______________________
>>> +
>>> +Xen expects System V ABI on x86_64:
>>> +  https://gitlab.com/x86-psABIs/x86-64-ABI
>>> +
>>> +Xen expects AAPCS32 on ARMv8-A AArch32:
>>> +  https://github.com/ARM-software/abi-aa/blob/main/aapcs32/aapcs32.rst
>>> +
>>> +Xen expects AAPCS64 LP64 on ARMv8-A AArch64:
>>> +  https://github.com/ARM-software/abi-aa/blob/main/aapcs64/aapcs64.rst
>>> +
>>> +A summary table of data types, sizes and alignment is below:
>>> +
>>> +.. list-table::
>>> +   :widths: 10 10 10 45
>>> +   :header-rows: 1
>>> +
>>> +   * - Type
>>> +     - Size
>>> +     - Alignment
>>> +     - Architectures
>>> +
>>> +   * - char 
>>> +     - 8 bits
>>> +     - 8 bits
>>> +     - all architectures
>>
>> This one _may_ be acceptable, but already feels like going too far.
>>
>>> +   * - short
>>> +     - 16 bits
>>> +     - 16 bits
>>> +     - all architectures
>>> +
>>> +   * - int
>>> +     - 32 bits
>>> +     - 32 bits
>>> +     - all architectures
>>
>> These two I continue to disagree with. The values are minimum required ones.
> 
> The purpose of the document docs/misra/C-language-toolchain.rst is to
> describe the reference safety-supported configuration. In a way, this
> document is similar to SUPPORT.md but for safety instead of security.
> 
> Here, we need to write down the stable configuration, the one everyone
> is aligned and convinced should work correctly.
> 
> Now, let's say that I believe you and agree with you that it should be
> possible to support int as 64-bit. This configuration is not tested. If
> I can draw a comparison, it would be similar to ask for XSM to be
> security supported while in fact is marked as experimental in
> SUPPORT.md.
> 
> If you want, taking inspiration from SUPPORT.md, we can have a
> "supported" column and a "experimental" column. In the experimental
> column we can write down "at least 32-bit" or "32-bit or larger".
> 
> 
>> Even if code changes may be needed (Misra already helps us here by stopping
>> undue mixing of e.g. unsigned int and uint32_t in at least some situations),
>> there's no inherent requirement in Xen for such restrictions.
> 
> I hope that my comparison with XSM and SUPPORT.md helps explain why we
> need to clarify the safety supported configuration with the values we
> actually validate Xen with.
> 
> Your goal is to write down what should work with Xen, which is also OK
> but it is a different goal. It is OK to say that we aim for Xen to also
> work with other configurations too, and list them. That was not my
> intention, but I can expand the scope if you request.

To achieve just your goal, would you then please replace all instances
of "all architectures" and "all <N>-bit architectures" by an enumeration
of the specific ones, as you have it elsewhere? This would then allow
architectures I'm thinking about without impacting your goal. FTAOD ...

>>> +   * - long
>>> +     - 32 bits
>>> +     - 32 bits 
>>> +     - 32-bit architectures (x86_32, ARMv8-A AArch32, ARMv8-R AArch32)
>>> +
>>> +   * - long
>>> +     - 64 bits
>>> +     - 64 bits 
>>> +     - 64-bit architectures (x86_64, ARMv8-A AArch64, RV64, PPC64)
>>> +
>>> +   * - long long
>>> +     - 64-bit
>>> +     - 32-bit
>>> +     - x86_32
>>> +
>>> +   * - long long
>>> +     - 64-bit
>>> +     - 64-bit
>>> +     - 64-bit architectures, ARMv8-A AArch32, ARMv8-R AArch32
>>
>> Along the lines of the above, simply saying "64-bit architectures" here
>> is too generic. Whereas for long (above) and ...
>>
>>> +   * - pointer
>>> +     - 32-bit
>>> +     - 32-bit
>>> +     - 32-bit architectures (x86_32, ARMv8-A AArch32, ARMv8-R AArch32)
>>> +
>>> +   * - pointer
>>> +     - 64-bit
>>> +     - 64-bit
>>> +     - 64-bit architectures (x86_64, ARMv8-A AArch64, RV64, PPC64)
>>
>> ... pointers I agree (and the special mentioning of the architectures
>> in parentheses could even be omitted imo). To summarize, my counter
>> proposal:

... this counter proposal already specifically addressed that aspect, by
e.g. ...

>>    * - char 
>>      - at least 8 bits
> 
> this
> 
>>      - equaling size
>>      - all architectures
>>
>>    * - char
>>      - 8 bits
>>      - 8 bits
>>      - x86, ARM, RISC-V, PPC

... having two sections here: One to address your goal, and one to
address mine. My further suggestion further up merely would mean
dropping the generic parts (for imo no good reason).

Jan

>>    * - short
>>      - at least 16 bits
> 
> and this
> 
>>      - equaling size
>>      - all architectures
>>
>>    * - short
>>      - 16 bits
>>      - 16 bits
>>      - x86, ARM, RISC-V, PPC
>>
>>    * - int
>>      - at least 32 bits
> 
> and this, more below
> 
> 
>>      - equaling size
>>      - all architectures
>>
>>    * - int
>>      - 32 bits
>>      - 32 bits
>>      - x86, ARM, RISC-V, PPC
>>
>>    * - long
>>      - 32 bits
>>      - 32 bits 
>>      - 32-bit architectures
>>
>>    * - long
>>      - 64 bits
>>      - 64 bits 
>>      - 64-bit architectures
>>
>>    * - long long
>>      - 64-bit
>>      - 32-bit
>>      - x86_32
>>
>>    * - long long
>>      - 64-bit
>>      - 64-bit
>>      - x86_64, ARMv8-A AArch64, RV64, PPC64, ARMv8-A AArch32, ARMv8-R AArch32
>>
>>    * - pointer
>>      - 32-bit
>>      - 32-bit
>>      - 32-bit architectures
>>
>>    * - pointer
>>      - 64-bit
>>      - 64-bit
>>      - 64-bit architectures
>>
>> Eventually, by properly decoupling pointers from longs (via using {,u}intptr_t
>> appropriately), the restrictions on "long" could also be lifted.
>>
>> Note that the generic requirements on char and short also are imposed by C99.
>> It may therefore not be necessary to state them explicitly, but rather refer
>> to that standard (just like you're now referencing the SysV psABI-s).
> 
> I am OK with the above, except for the three instances of "at least". As
> mentioned earlier, we need to specify the supported and validated
> configuration. If you want we can also add another field to express what
> we aim at getting Xen to work with, but it should be separate.
Bertrand Marquis April 5, 2024, 7:16 a.m. UTC | #6
Hi Stefano,

> On 5 Apr 2024, at 01:57, Stefano Stabellini <sstabellini@kernel.org> wrote:
> 
> On Thu, 4 Apr 2024, Bertrand Marquis wrote:
>> Hi Stefano,
>> 
>>> On 4 Apr 2024, at 03:12, Stefano Stabellini <sstabellini@kernel.org> wrote:
>>> 
>>> Xen makes assumptions about the size of integer types on the various
>>> architectures. Document these assumptions.
>>> 
>>> Signed-off-by: Stefano Stabellini <stefano.stabellini@amd.com>
>>> ---
>>> Changes in v3:
>>> - add links to System V, AAPCS32 and AAPCS64
>>> 
>>> ---
>>> docs/misra/C-language-toolchain.rst | 69 +++++++++++++++++++++++++++++
>>> 1 file changed, 69 insertions(+)
>>> 
>>> diff --git a/docs/misra/C-language-toolchain.rst b/docs/misra/C-language-toolchain.rst
>>> index b7c2000992..84b21992bc 100644
>>> --- a/docs/misra/C-language-toolchain.rst
>>> +++ b/docs/misra/C-language-toolchain.rst
>>> @@ -480,4 +480,73 @@ The table columns are as follows:
>>>     - See Section "4.13 Preprocessing Directives" of GCC_MANUAL and Section "11.1 Implementation-defined behavior" of CPP_MANUAL.
>>> 
>>> 
>>> +Sizes of Integer types
>>> +______________________
>>> +
>>> +Xen expects System V ABI on x86_64:
>>> +  https://gitlab.com/x86-psABIs/x86-64-ABI
>>> +
>>> +Xen expects AAPCS32 on ARMv8-A AArch32:
>>> +  https://github.com/ARM-software/abi-aa/blob/main/aapcs32/aapcs32.rst
>>> +
>>> +Xen expects AAPCS64 LP64 on ARMv8-A AArch64:
>>> +  https://github.com/ARM-software/abi-aa/blob/main/aapcs64/aapcs64.rst
>> 
>> We still support armv7 somehow so we should add something for it here.
>> 
>>> +
>>> +A summary table of data types, sizes and alignment is below:
>>> +
>>> +.. list-table::
>>> +   :widths: 10 10 10 45
>>> +   :header-rows: 1
>>> +
>>> +   * - Type
>>> +     - Size
>>> +     - Alignment
>>> +     - Architectures
>>> +
>>> +   * - char 
>>> +     - 8 bits
>>> +     - 8 bits
>>> +     - all architectures
>>> +
>>> +   * - short
>>> +     - 16 bits
>>> +     - 16 bits
>>> +     - all architectures
>>> +
>>> +   * - int
>>> +     - 32 bits
>>> +     - 32 bits
>>> +     - all architectures
>>> +
>>> +   * - long
>>> +     - 32 bits
>>> +     - 32 bits 
>>> +     - 32-bit architectures (x86_32, ARMv8-A AArch32, ARMv8-R AArch32)
>> 
>> Same here armv7 should be mentioned.
>> 
>>> +
>>> +   * - long
>>> +     - 64 bits
>>> +     - 64 bits 
>>> +     - 64-bit architectures (x86_64, ARMv8-A AArch64, RV64, PPC64)
>>> +
>>> +   * - long long
>>> +     - 64-bit
>>> +     - 32-bit
>>> +     - x86_32
>>> +
>>> +   * - long long
>>> +     - 64-bit
>>> +     - 64-bit
>>> +     - 64-bit architectures, ARMv8-A AArch32, ARMv8-R AArch32
>> 
>> Should this be all architecture except x86_32 ?
> 
> yes
> 
>>> +
>>> +   * - pointer
>>> +     - 32-bit
>>> +     - 32-bit
>>> +     - 32-bit architectures (x86_32, ARMv8-A AArch32, ARMv8-R AArch32)
>> 
>> Armv7 missing here.
> 
> What is the formal name I should use for it here? ARMv7 AArch32 ?

Armv7-A (no need to specify anything more as it was 32bit only).

Cheers
Bertrand
Stefano Stabellini April 5, 2024, 6:37 p.m. UTC | #7
On Fri, 5 Apr 2024, Jan Beulich wrote:
> On 05.04.2024 01:56, Stefano Stabellini wrote:
> > On Thu, 4 Apr 2024, Jan Beulich wrote:
> >> On 04.04.2024 03:12, Stefano Stabellini wrote:
> >>> --- a/docs/misra/C-language-toolchain.rst
> >>> +++ b/docs/misra/C-language-toolchain.rst
> >>> @@ -480,4 +480,73 @@ The table columns are as follows:
> >>>       - See Section "4.13 Preprocessing Directives" of GCC_MANUAL and Section "11.1 Implementation-defined behavior" of CPP_MANUAL.
> >>>  
> >>>  
> >>> +Sizes of Integer types
> >>> +______________________
> >>> +
> >>> +Xen expects System V ABI on x86_64:
> >>> +  https://gitlab.com/x86-psABIs/x86-64-ABI
> >>> +
> >>> +Xen expects AAPCS32 on ARMv8-A AArch32:
> >>> +  https://github.com/ARM-software/abi-aa/blob/main/aapcs32/aapcs32.rst
> >>> +
> >>> +Xen expects AAPCS64 LP64 on ARMv8-A AArch64:
> >>> +  https://github.com/ARM-software/abi-aa/blob/main/aapcs64/aapcs64.rst
> >>> +
> >>> +A summary table of data types, sizes and alignment is below:
> >>> +
> >>> +.. list-table::
> >>> +   :widths: 10 10 10 45
> >>> +   :header-rows: 1
> >>> +
> >>> +   * - Type
> >>> +     - Size
> >>> +     - Alignment
> >>> +     - Architectures
> >>> +
> >>> +   * - char 
> >>> +     - 8 bits
> >>> +     - 8 bits
> >>> +     - all architectures
> >>
> >> This one _may_ be acceptable, but already feels like going too far.
> >>
> >>> +   * - short
> >>> +     - 16 bits
> >>> +     - 16 bits
> >>> +     - all architectures
> >>> +
> >>> +   * - int
> >>> +     - 32 bits
> >>> +     - 32 bits
> >>> +     - all architectures
> >>
> >> These two I continue to disagree with. The values are minimum required ones.
> > 
> > The purpose of the document docs/misra/C-language-toolchain.rst is to
> > describe the reference safety-supported configuration. In a way, this
> > document is similar to SUPPORT.md but for safety instead of security.
> > 
> > Here, we need to write down the stable configuration, the one everyone
> > is aligned and convinced should work correctly.
> > 
> > Now, let's say that I believe you and agree with you that it should be
> > possible to support int as 64-bit. This configuration is not tested. If
> > I can draw a comparison, it would be similar to ask for XSM to be
> > security supported while in fact is marked as experimental in
> > SUPPORT.md.
> > 
> > If you want, taking inspiration from SUPPORT.md, we can have a
> > "supported" column and a "experimental" column. In the experimental
> > column we can write down "at least 32-bit" or "32-bit or larger".
> > 
> > 
> >> Even if code changes may be needed (Misra already helps us here by stopping
> >> undue mixing of e.g. unsigned int and uint32_t in at least some situations),
> >> there's no inherent requirement in Xen for such restrictions.
> > 
> > I hope that my comparison with XSM and SUPPORT.md helps explain why we
> > need to clarify the safety supported configuration with the values we
> > actually validate Xen with.
> > 
> > Your goal is to write down what should work with Xen, which is also OK
> > but it is a different goal. It is OK to say that we aim for Xen to also
> > work with other configurations too, and list them. That was not my
> > intention, but I can expand the scope if you request.
> 
> To achieve just your goal, would you then please replace all instances
> of "all architectures" and "all <N>-bit architectures" by an enumeration
> of the specific ones, as you have it elsewhere? This would then allow
> architectures I'm thinking about without impacting your goal. FTAOD ...

Yes, I am fine with that



> >>> +   * - long
> >>> +     - 32 bits
> >>> +     - 32 bits 
> >>> +     - 32-bit architectures (x86_32, ARMv8-A AArch32, ARMv8-R AArch32)
> >>> +
> >>> +   * - long
> >>> +     - 64 bits
> >>> +     - 64 bits 
> >>> +     - 64-bit architectures (x86_64, ARMv8-A AArch64, RV64, PPC64)
> >>> +
> >>> +   * - long long
> >>> +     - 64-bit
> >>> +     - 32-bit
> >>> +     - x86_32
> >>> +
> >>> +   * - long long
> >>> +     - 64-bit
> >>> +     - 64-bit
> >>> +     - 64-bit architectures, ARMv8-A AArch32, ARMv8-R AArch32
> >>
> >> Along the lines of the above, simply saying "64-bit architectures" here
> >> is too generic. Whereas for long (above) and ...
> >>
> >>> +   * - pointer
> >>> +     - 32-bit
> >>> +     - 32-bit
> >>> +     - 32-bit architectures (x86_32, ARMv8-A AArch32, ARMv8-R AArch32)
> >>> +
> >>> +   * - pointer
> >>> +     - 64-bit
> >>> +     - 64-bit
> >>> +     - 64-bit architectures (x86_64, ARMv8-A AArch64, RV64, PPC64)
> >>
> >> ... pointers I agree (and the special mentioning of the architectures
> >> in parentheses could even be omitted imo). To summarize, my counter
> >> proposal:
> 
> ... this counter proposal already specifically addressed that aspect, by
> e.g. ...
> 
> >>    * - char 
> >>      - at least 8 bits
> > 
> > this
> > 
> >>      - equaling size
> >>      - all architectures
> >>
> >>    * - char
> >>      - 8 bits
> >>      - 8 bits
> >>      - x86, ARM, RISC-V, PPC
> 
> ... having two sections here: One to address your goal, and one to
> address mine. My further suggestion further up merely would mean
> dropping the generic parts (for imo no good reason).
 
I don't mind having two sections, one for my goal and one for yours.
However, I am a bit unsure how to word the generic part in a way that is
clear and unambiguous, so I'll keep only the explicitly listed
architectures in the next version (following your suggestion further
up.)

 
> >>    * - short
> >>      - at least 16 bits
> > 
> > and this
> > 
> >>      - equaling size
> >>      - all architectures
> >>
> >>    * - short
> >>      - 16 bits
> >>      - 16 bits
> >>      - x86, ARM, RISC-V, PPC
> >>
> >>    * - int
> >>      - at least 32 bits
> > 
> > and this, more below
> > 
> > 
> >>      - equaling size
> >>      - all architectures
> >>
> >>    * - int
> >>      - 32 bits
> >>      - 32 bits
> >>      - x86, ARM, RISC-V, PPC
> >>
> >>    * - long
> >>      - 32 bits
> >>      - 32 bits 
> >>      - 32-bit architectures
> >>
> >>    * - long
> >>      - 64 bits
> >>      - 64 bits 
> >>      - 64-bit architectures
> >>
> >>    * - long long
> >>      - 64-bit
> >>      - 32-bit
> >>      - x86_32
> >>
> >>    * - long long
> >>      - 64-bit
> >>      - 64-bit
> >>      - x86_64, ARMv8-A AArch64, RV64, PPC64, ARMv8-A AArch32, ARMv8-R AArch32
> >>
> >>    * - pointer
> >>      - 32-bit
> >>      - 32-bit
> >>      - 32-bit architectures
> >>
> >>    * - pointer
> >>      - 64-bit
> >>      - 64-bit
> >>      - 64-bit architectures
> >>
> >> Eventually, by properly decoupling pointers from longs (via using {,u}intptr_t
> >> appropriately), the restrictions on "long" could also be lifted.
> >>
> >> Note that the generic requirements on char and short also are imposed by C99.
> >> It may therefore not be necessary to state them explicitly, but rather refer
> >> to that standard (just like you're now referencing the SysV psABI-s).
> > 
> > I am OK with the above, except for the three instances of "at least". As
> > mentioned earlier, we need to specify the supported and validated
> > configuration. If you want we can also add another field to express what
> > we aim at getting Xen to work with, but it should be separate.
>
diff mbox series

Patch

diff --git a/docs/misra/C-language-toolchain.rst b/docs/misra/C-language-toolchain.rst
index b7c2000992..84b21992bc 100644
--- a/docs/misra/C-language-toolchain.rst
+++ b/docs/misra/C-language-toolchain.rst
@@ -480,4 +480,73 @@  The table columns are as follows:
      - See Section "4.13 Preprocessing Directives" of GCC_MANUAL and Section "11.1 Implementation-defined behavior" of CPP_MANUAL.
 
 
+Sizes of Integer types
+______________________
+
+Xen expects System V ABI on x86_64:
+  https://gitlab.com/x86-psABIs/x86-64-ABI
+
+Xen expects AAPCS32 on ARMv8-A AArch32:
+  https://github.com/ARM-software/abi-aa/blob/main/aapcs32/aapcs32.rst
+
+Xen expects AAPCS64 LP64 on ARMv8-A AArch64:
+  https://github.com/ARM-software/abi-aa/blob/main/aapcs64/aapcs64.rst
+
+A summary table of data types, sizes and alignment is below:
+
+.. list-table::
+   :widths: 10 10 10 45
+   :header-rows: 1
+
+   * - Type
+     - Size
+     - Alignment
+     - Architectures
+
+   * - char 
+     - 8 bits
+     - 8 bits
+     - all architectures
+
+   * - short
+     - 16 bits
+     - 16 bits
+     - all architectures
+
+   * - int
+     - 32 bits
+     - 32 bits
+     - all architectures
+
+   * - long
+     - 32 bits
+     - 32 bits 
+     - 32-bit architectures (x86_32, ARMv8-A AArch32, ARMv8-R AArch32)
+
+   * - long
+     - 64 bits
+     - 64 bits 
+     - 64-bit architectures (x86_64, ARMv8-A AArch64, RV64, PPC64)
+
+   * - long long
+     - 64-bit
+     - 32-bit
+     - x86_32
+
+   * - long long
+     - 64-bit
+     - 64-bit
+     - 64-bit architectures, ARMv8-A AArch32, ARMv8-R AArch32
+
+   * - pointer
+     - 32-bit
+     - 32-bit
+     - 32-bit architectures (x86_32, ARMv8-A AArch32, ARMv8-R AArch32)
+
+   * - pointer
+     - 64-bit
+     - 64-bit
+     - 64-bit architectures (x86_64, ARMv8-A AArch64, RV64, PPC64)
+
+
 END OF DOCUMENT.