From patchwork Mon Aug 21 16:54:37 2023
X-Patchwork-Submitter: Nicola Vetrini
X-Patchwork-Id: 13359672
From: Nicola Vetrini
To: xen-devel@lists.xenproject.org
Cc: sstabellini@kernel.org, michal.orzel@amd.com, xenia.ragiadakou@amd.com, ayan.kumar.halder@amd.com, consulting@bugseng.com, Nicola Vetrini, Andrew Cooper, George Dunlap, Jan Beulich, Julien Grall, Wei Liu
Subject: [RFC PATCH 1/3] docs/misra: add documentation for MISRA C:2012 Dir 4.1
Date: Mon, 21 Aug 2023 18:54:37 +0200
Message-Id: <3635c6896e8c31a9b3bf12e0c8f0718ce0b7ee77.1692636338.git.nicola.vetrini@bugseng.com>

The aforementioned directive requires the project to supply documentation on the measures taken towards the minimization of run-time failures.

The 'rules.rst' file is updated accordingly to mention the newly added documentation.

Signed-off-by: Nicola Vetrini
---
 docs/misra/C-runtime-failures.rst | 239 ++++++++++++++++++++++++++++++
 docs/misra/rules.rst              |   7 +-
 2 files changed, 245 insertions(+), 1 deletion(-)
 create mode 100644 docs/misra/C-runtime-failures.rst

diff --git a/docs/misra/C-runtime-failures.rst b/docs/misra/C-runtime-failures.rst
new file mode 100644
index 000000000000..f72385b08417
--- /dev/null
+++ b/docs/misra/C-runtime-failures.rst
@@ -0,0 +1,239 @@ +=================================================================== +Measures taken towards the minimization of Run-time failures in Xen +=================================================================== + +This document specifies which procedures and techinques are used troughout the +Xen codebase to prevent or minimize the impact of certain classes of run-time +errors that can occurr in the execution of a C program, due to the very minimal +built-in checks that are present in the language. + +The presence of such documentation is requested by MISRA C:2012 Directive 4.1, +whose headline states: "Run-time failures shall be minimized". + + +Documentation for MISRA C:2012 Dir 4.1: overflow +________________________________________________ + +To be written. +Example: Pervasive use of assertions and extensive test suite. + + +Documentation for MISRA C:2012 Dir 4.1: unexpected wrapping +___________________________________________________________ + +To be written. +Example: The only wrapping the is present in the code concerns +unsigned integers and they are all expected. + + +Documentation for MISRA C:2012 Dir 4.1: invalid shift +_____________________________________________________ + +To be written. +Example: Pervasive use of assertions and extensive test suite. + + +Documentation for MISRA C:2012 Dir 4.1: division/remainder by zero +__________________________________________________________________ + +To be written. +Example: +There division or remainder operations in the project code ensure that +their second argument is never zero. + + +Documentation for MISRA C:2012 Dir 4.1: unsequenced side effects +________________________________________________________________ + +To be written. +Example: +No function in this project is meant to be executed from interrupt handlers +or in multi-threading environments. 
+ + +Documentation for MISRA C:2012 Dir 4.1: read from uninitialized automatic object +________________________________________________________________________________ + +To be written. +Example: +Automatic variables are used to store temporary parameters and they +are always initialized to either a default value or a proper value +before usage. + + +Documentation for MISRA C:2012 Dir 4.1: read from uninitialized allocated object +________________________________________________________________________________ + +To be written. +Example: +The code does not use dynamically allocated storage. + + +Documentation for MISRA C:2012 Dir 4.1: write to string literal or const object +_______________________________________________________________________________ + +To be written. +Example: +The toolchain puts every string literal and const object into a read-only +section of memory. The hardware exception raised when a write is attempted +on such a memory section is correctly handled. + + +Documentation for MISRA C:2012 Dir 4.1: non-volatile access to volatile object +______________________________________________________________________________ + +To be written. +Example: +Volatile access is limited to registers that are always accessed +through macros or inline functions. + + +Documentation for MISRA C:2012 Dir 4.1: access to dead allocated object +_______________________________________________________________________ + +To be written. +Example: +The code does not use dynamically allocated storage. + + +Documentation for MISRA C:2012 Dir 4.1: access to dead automatic object +_______________________________________________________________________ + +To be written. +Example: +Pointers to automatic variables are never returned, nor stored in +wider-scoped objects. No function does the same on any pointer +received as a parameter. 
+ + +Documentation for MISRA C:2012 Dir 4.1: access to dead thread object +____________________________________________________________________ + +To be written. +Example: +The program does not use per-thread variables. + + +Documentation for MISRA C:2012 Dir 4.1: access using null pointer +_________________________________________________________________ + +To be written. +Example: +All possibly null pointers are checked before access. + + +Documentation for MISRA C:2012 Dir 4.1: access using invalid pointer +____________________________________________________________________ + +To be written. +Example: +Usage of pointers is limited. Pointers passed as parameters are +always checked for validity. + + +Documentation for MISRA C:2012 Dir 4.1: access using out-of-bounds pointer +__________________________________________________________________________ + +To be written. +Example: +Pointers are never uses to access arrays: indices are always used +instead. + + +Documentation for MISRA C:2012 Dir 4.1: access using unaligned pointer +______________________________________________________________________ + +To be written. +Example: +Pointer conversion that may result in unaligned pointers are never used. + + +Documentation for MISRA C:2012 Dir 4.1: mistyped access to object +----------------------------------------------------------------- + +To be written. +Example: +Pointer conversions that may result in mistyped accesses to objects +are never used. + + +Documentation for MISRA C:2012 Dir 4.1: mistyped access to function +___________________________________________________________________ + +To be written. +Example: +The code never uses function pointers. + + +Documentation for MISRA C:2012 Dir 4.1: invalid pointer arithmetic +__________________________________________________________________ + +To be written. +Example: +Pointer arithmetic is never used. 
+ + +Documentation for MISRA C:2012 Dir 4.1: invalid pointer comparison +__________________________________________________________________ + +To be written. +Example: +Arrays are always accessed using indices instead of pointers. Pointers +are only compared to NULL. + + +Documentation for MISRA C:2012 Dir 4.1: overlapping copy +________________________________________________________ + +To be written. +Example: +The code never uses memcpy() and does not perform assignment of +overlapping objects (which is doable only via pointers). + + +Documentation for MISRA C:2012 Dir 4.1: invalid arguments to function +_____________________________________________________________________ + +To be written. +Example: +All parameters to functions are checked for validity. + + +Documentation for MISRA C:2012 Dir 4.1: returned function error +_______________________________________________________________ + +To be written. +Example: +All functions that may produce an error, do returns a suitable status code +that is checked at each call site. + + +Documentation for MISRA C:2012 Dir 4.1: tainted input +_____________________________________________________ + +To be written. +Example: +All parameters of all functions in the API are checked before being used. + + +Documentation for MISRA C:2012 Dir 4.1: data race +_________________________________________________ + +To be written. +Example: +No function in this code is meant to be executed from interrupt handlers or +in a multi-threading environment. + + +Documentation for MISRA C:2012 Dir 4.1: invariant violation +___________________________________________________________ + +To be written. + + +Documentation for MISRA C:2012 Dir 4.1: communication error +___________________________________________________________ + +To be written. +Example: +This project does not involve any external communication. diff --git a/docs/misra/rules.rst b/docs/misra/rules.rst index 8f0e4d3f25f4..cebff854a95c 100644 --- a/docs/misra/rules.rst 
+++ b/docs/misra/rules.rst 
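Review bot: in docs/misra/C-runtime-failures.rst, most of the placeholder "Example:" sentences describe a project that is not Xen and must not be merged as if they were statements of Xen's measures: "The code never uses function pointers.", "Pointer arithmetic is never used." and "The code does not use dynamically allocated storage." do not hold for a hypervisor written in C, and neither do the claims that no function runs from interrupt handlers or in a multi-threading environment, that memcpy() is never used, that there are no per-thread variables, or that "This project does not involve any external communication." Because patch 2/3 feeds this file to ECLAIR as the evidence for Dir 4.1, whatever text is present will be taken as Xen's documented mitigation, so either leave each subsection at "To be written" or mark the sample sentences unambiguously as template text to be replaced. The "tainted input" and "access using null pointer" subsections in particular should eventually describe how guest-controlled hypercall arguments and guest memory are validated before use, not "All parameters of all functions in the API are checked before being used." Separately, the "mistyped access to object" heading is underlined with "-----" while every other subsection uses "_____"; reStructuredText assigns heading levels by the order in which adornments first appear, so this heading becomes a sub-subsection of "access using unaligned pointer" instead of a sibling. Typos to fix in the same file: "techinques", "troughout", "occurr", "The only wrapping the is present", "There division or remainder operations", "Pointers are never uses", "Pointer conversion that may result ... are never used", "do returns a suitable status code".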
@@ -47,7 +47,12 @@ maintainers if you want to suggest a change. * - `Dir 2.1 `_ - Required - All source files shall compile without any compilation errors - - + + * - `Dir 4.1 `_ + - Required + - Run-time failures shall be minimized + - The strategies adopted by Xen to prevent certain classes of runtime + failures are documented by `C-runtime-failures.rst `_ * - `Dir 4.7 `_ - Required

From patchwork Mon Aug 21 16:54:38 2023
X-Patchwork-Submitter: Nicola Vetrini
X-Patchwork-Id: 13359670
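Review bot: in docs/misra/rules.rst (patch 1/3), the new Dir 4.1 row states that the strategies "are documented by `C-runtime-failures.rst `_", but in this series every subsection of that file is still "To be written"; either hold the row until the document has real content, or word it as pointing to where the documentation is being collected, so that rules.rst does not claim a compliance argument the linked file does not yet provide. The row also writes "runtime" where the directive headline and the new document use "run-time".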

From: Nicola Vetrini
To: xen-devel@lists.xenproject.org
Cc: sstabellini@kernel.org, michal.orzel@amd.com, xenia.ragiadakou@amd.com, ayan.kumar.halder@amd.com, consulting@bugseng.com, Nicola Vetrini, Wei Liu, Anthony PERARD, Andrew Cooper, George Dunlap, Jan Beulich, Julien Grall
Subject: [RFC PATCH 2/3] docs: make the docs for MISRA C:2012 Dir 4.1 visible to ECLAIR
Date: Mon, 21 Aug 2023 18:54:38 +0200
Message-Id: <857dd398240accabea73e5660ae77f3925727ee9.1692636338.git.nicola.vetrini@bugseng.com>

To be able to check for the existence of the necessary subsections in the documentation for MISRA C:2012 Dir 4.1, ECLAIR needs to have a source file that is built. This file is generated from 'C-runtime-failures.rst' in docs/misra and the configuration is updated accordingly.

Signed-off-by: Nicola Vetrini
---
 docs/Makefile       |  7 ++++++-
 docs/misra/Makefile | 36 ++++++++++++++++++++++++++++++++++++
 2 files changed, 42 insertions(+), 1 deletion(-)
 create mode 100644 docs/misra/Makefile

diff --git a/docs/Makefile b/docs/Makefile
index 966a104490ac..ff991a0c3ca2 100644
--- a/docs/Makefile
+++ b/docs/Makefile
@@ -43,7 +43,7 @@ DOC_PDF := $(patsubst %.pandoc,pdf/%.pdf,$(PANDOCSRC-y)) \ all: build .PHONY: build -build: html txt pdf man-pages figs +build: html txt pdf man-pages figs misra .PHONY: sphinx-html sphinx-html:
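Review bot: making the default docs target depend on the new one (`+build: html txt pdf man-pages figs misra`) means every `make -C docs` now runs $(CC) on a generated C file, which adds a compiler requirement to what was a documentation-only build, and patch 3/3 already invokes `make ... misra` explicitly from the ECLAIR driver; consider leaving `misra` out of `build` so the generated translation unit is only produced for the analysis run, or say in the commit message why a normal docs build should produce it.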
@@ -66,9 +66,14 @@ endif .PHONY: pdf pdf: $(DOC_PDF) +.PHONY: misra +misra: + $(MAKE) -C misra + .PHONY: clean clean: clean-man-pages $(MAKE) -C figs clean + $(MAKE) -C misra clean rm -rf .word_count *.aux *.dvi *.bbl *.blg *.glo *.idx *~ rm -rf *.ilg *.log *.ind *.toc *.bak *.tmp core rm -rf html txt pdf sphinx/html diff --git a/docs/misra/Makefile b/docs/misra/Makefile new file mode 100644 index 000000000000..f62cd936bfcc --- /dev/null +++ b/docs/misra/Makefile 
@@ -0,0 +1,36 @@ +XEN_ROOT=$(CURDIR)/../.. +include $(XEN_ROOT)/Config.mk +-include $(XEN_ROOT)/config/Docs.mk + + +TARGETS := $(addprefix C-runtime-failures,.c .o) + +all: $(TARGETS) + +define MISRA_HEADER +/* + +endef + +define MISRA_FOOTER + +*/ + +endef +export MISRA_HEADER +export MISRA_FOOTER + +C-runtime-failures.c: C-runtime-failures.rst +# sed is used in place of cat to prevent occurrences of '*/' +# in the .rst from breaking the compilation + ( \ + echo "$${MISRA_HEADER}"; \ + sed -e 's|*/|*//*|' $<; \ + echo "$${MISRA_FOOTER}" \ + ) > $@ + +%.o: %.c + $(CC) -c $< -o $@ + +clean: + rm -f *.c *.o

From patchwork Mon Aug 21 16:54:39 2023
X-Patchwork-Submitter: Nicola Vetrini
X-Patchwork-Id: 13359671
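Review bot: in docs/misra/Makefile (patch 2/3), `sed -e 's|*/|*//*|' $<` has no `g` flag, so only the first `*/` on a line is rewritten and a line of the .rst containing two of them still closes the enclosing comment early and breaks the compile; `sed -e 's|\*/|*//*|g'` handles every occurrence (escaping the `*` also makes the intent explicit, since a leading `*` is literal only by a BRE special case). Also `clean:` runs `rm -f *.c *.o`, which deletes any .c file that happens to sit in docs/misra rather than just the generated one; `rm -f $(TARGETS)` is what is meant. Finally, `all` and `clean` should be declared `.PHONY`, and the recipe deserves a comment saying that the object is compiled with no CFLAGS because the translation unit exists only to carry the text into the ECLAIR run, and that a `/*` inside the .rst would trip gcc's -Wcomment if -Wall -Werror were ever added here.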

From: Nicola Vetrini
To: xen-devel@lists.xenproject.org
Cc: sstabellini@kernel.org, michal.orzel@amd.com, xenia.ragiadakou@amd.com, ayan.kumar.halder@amd.com, consulting@bugseng.com, Nicola Vetrini, Simone Ballarin, Doug Goldstein
Subject: [RFC PATCH 3/3] automation/eclair: build docs/misra to address MISRA C:2012 Dir 4.1
Date: Mon, 21 Aug 2023 18:54:39 +0200

The documentation pertaining to Directive 4.1 is contained in docs/misra. The build script driving the analysis is amended to allow ECLAIR to find it and thus resolve violations of the directive.

Signed-off-by: Nicola Vetrini
Acked-by: Stefano Stabellini
---
 automation/eclair_analysis/build.sh   | 10 ++++++++--
 automation/eclair_analysis/prepare.sh |  1 +
 2 files changed, 9 insertions(+), 2 deletions(-)

diff --git a/automation/eclair_analysis/build.sh b/automation/eclair_analysis/build.sh
index ec087dd822fa..a0433eedeb4d 100755
--- a/automation/eclair_analysis/build.sh
+++ b/automation/eclair_analysis/build.sh
@@ -34,8 +34,14 @@ else fi ( - cd xen - + cd docs + make "-j${PROCESSORS}" "-l${PROCESSORS}.0" \ + "CROSS_COMPILE=${CROSS_COMPILE}" \ + "CC=${CROSS_COMPILE}gcc-12" \ + "CXX=${CROSS_COMPILE}g++-12" \ + "XEN_TARGET_ARCH=${XEN_TARGET_ARCH}" \ + misra + cd ../xen make "-j${PROCESSORS}" "-l${PROCESSORS}.0" \ "CROSS_COMPILE=${CROSS_COMPILE}" \ "CC=${CROSS_COMPILE}gcc-12" \ diff --git a/automation/eclair_analysis/prepare.sh b/automation/eclair_analysis/prepare.sh index 275a1a3f517c..10854741790e 100755 --- a/automation/eclair_analysis/prepare.sh +++ b/automation/eclair_analysis/prepare.sh @@ -35,6 +35,7 @@ else fi ( + ./configure cd xen cp "${CONFIG_FILE}" .config make clean
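Review bot: in automation/eclair_analysis/build.sh, replacing `cd xen` with `cd docs` followed by `cd ../xen` makes the hypervisor build depend on the docs step's directory change: if `cd docs` fails, `cd ../xen` resolves relative to the wrong directory and the rest of the subshell builds in the wrong place. Keep the original `cd xen` untouched and run the docs step as `make -C docs ... misra` (or `make -C ../docs ... misra` after the cd), so the two builds do not share a working-directory chain. `CXX=${CROSS_COMPILE}g++-12` is also passed to the docs build although the new docs/misra/Makefile only ever invokes $(CC); harmless, but worth trimming or explaining.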
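Review bot: in automation/eclair_analysis/prepare.sh, `./configure` is now run at the top level before `cd xen`, but neither the hunk nor the commit message says what the docs build needs from it; if it is there so that the files docs/misra/Makefile includes from $(XEN_ROOT)/config exist, say so in the commit message, and check whether a full top-level configure (which probes for far more than the docs tree needs) is the narrowest way to get them inside the analysis container.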