From patchwork Fri Nov 24 17:29:41 2023
From: Simone Ballarin
To: xen-devel@lists.xenproject.org
Cc: consulting@bugseng.com, Simone Ballarin, Doug Goldstein, Stefano Stabellini
Subject: [XEN PATCH v2 1/3] automation/eclair: tag function calls to address violations of MISRA C:2012 Rule 13.1
Date: Fri, 24 Nov 2023 18:29:41 +0100

Rule 13.1: Initializer lists shall not contain persistent side effects

Invocations of functions in initializer lists cause violations of rule
13.1 if the called functions are not tagged with __attribute_pure__ or
__attribute_const__ as they can produce persistent side effects.

Handling these violations with attributes is not always possible: the
pure and const attributes may cause unwanted and potentially dangerous
optimisations.

To avoid this problem ECLAIR allows using the same attributes in the
-call_properties setting. Additionally, it adds the noeffect attribute
with the following definition:
"like pure but can also read volatile variable not triggering side effects"

This patch tags some functions used in initializer lists to address
violations of Rule 13.1.

No functional changes.

Signed-off-by: Simone Ballarin
Acked-by: Stefano Stabellini
---
Changes in v2:
New patch partly based on "xen/arm: address violations of MISRA C:2012
Rule 13.1" and "xen/include: add pure and const attributes". This new
patch uses ECL tagging instead of compiler attributes.
---
 .../ECLAIR/call_properties.ecl | 22 +++++++++++++++++++
 1 file changed, 22 insertions(+)

diff --git a/automation/eclair_analysis/ECLAIR/call_properties.ecl b/automation/eclair_analysis/ECLAIR/call_properties.ecl index 3f7794bf8b..c2b2a6182e 100644 --- a/automation/eclair_analysis/ECLAIR/call_properties.ecl +++ b/automation/eclair_analysis/ECLAIR/call_properties.ecl
@@ -73,6 +73,17 @@ -call_properties+={"macro(^va_start$)", {"pointee_write(1=always)", "pointee_read(1=never)", "taken()"}} -call_properties+={"macro(^memcmp$)", {"pointee_write(1..2=never)", "taken()"}} -call_properties+={"macro(^memcpy$)", {"pointee_write(1=always&&2..=never)", "pointee_read(1=never&&2..=always)", "taken()"}} +-call_properties+={"name(get_cpu_info)",{pure}} +-call_properties+={"name(pdx_to_pfn)",{pure}} +-call_properties+={"name(is_pci_passthrough_enabled)",{const}} +-call_properties+={"name(get_cycles)", {"noeffect"}} +-call_properties+={"name(msi_gflags)",{const}} +-call_properties+={"name(hvm_save_size)",{pure}} +-call_properties+={"name(cpu_has)",{pure}} +-call_properties+={"name(boot_cpu_has)",{pure}} +-call_properties+={"name(get_cpu_info)",{pure}} +-call_properties+={"name(put_pte_flags)",{const}} +-call_properties+={"name(is_pv_vcpu)",{pure}} -doc_begin="Property inferred as a consequence of the semantics of device_tree_get_reg" -call_properties+={"name(acquire_static_memory_bank)", {"pointee_write(4..=always)", "pointee_read(4..=never)", "taken()"}} 
@@ -104,3 +115,14 @@ Furthermore, their uses do initialize the involved variables as needed by futher -call_properties+={"macro(^(__)?(raw_)?copy_from_(paddr|guest|compat)(_offset)?$)", {"pointee_write(1=always)", "pointee_read(1=never)", "taken()"}} -call_properties+={"macro(^(__)?copy_to_(guest|compat)(_offset)?$)", {"pointee_write(2=always)", "pointee_read(2=never)", "taken()"}} -doc_end + +-doc_begin="Functions generated by build_atomic_read cannot be considered pure +since the input pointer is volatile, but they do not produce any persistent side +effect." +-call_properties+={"^read_u(8|16|32|64|int)_atomic.*$", {noeffect}} +-doc_end + +-doc_begin="Functions generated by TYPE_SAFE are const." +-call_properties+={"^(mfn|gfn|pfn)_x\\(.*$",{const}} +-call_properties+={"^_(mfn|gfn|pfn)\\(.*$",{const}} +-doc_end
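
Review bot: In the first call_properties.ecl hunk (@@ -73,6 +73,17 @@), `name(get_cpu_info)` is added twice with the same `{pure}` property, as the first and the ninth of the new lines; drop the second one. The `get_cycles` entry also quotes its property (`{"noeffect"}`) while the other ten write it bare (`{pure}`, `{const}`), and unlike the `acquire_static_memory_bank` entry just below, none of the new entries carries a `-doc_begin` justification for why the function may be treated as pure, const or noeffect. Please pick one spelling and add the rationale, since a wrong tag here silences Rule 13.1 for every initializer that calls the function.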
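
Review bot: In the second call_properties.ecl hunk (@@ -104,3 +115,14 @@), the three new patterns (`"^read_u(8|16|32|64|int)_atomic.*$"`, `"^(mfn|gfn|pfn)_x\\(.*$"`, `"^_(mfn|gfn|pfn)\\(.*$"`) are bare regular expressions, while every other entry visible in this file selects its target with `name(...)` or `macro(...)`. Please say in the `-doc_begin` text what the bare form is matched against, or use an explicit selector, and explain what the trailing `.*$` is meant to cover so that the set of functions exempted by each pattern can be checked.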
From patchwork Fri Nov 24 17:29:42 2023
From: Simone Ballarin
To: xen-devel@lists.xenproject.org
Cc: consulting@bugseng.com, Simone Ballarin, Andrew Cooper, George Dunlap, Jan Beulich, Julien Grall, Stefano Stabellini, Wei Liu, Bertrand Marquis, Michal Orzel, Volodymyr Babchuk, Roger Pau Monné, Dario Faggioli
Subject: [XEN PATCH v2 2/3] xen/arm: add SAF deviation for debugging and logging effects
Date: Fri, 24 Nov 2023 18:29:42 +0100
Message-Id: <761ce615438312ca5d37fb8829a0ba903375392f.1700844359.git.simone.ballarin@bugseng.com>

Rule 13.1: Initializer lists shall not contain persistent side effects

Effects caused by debug/logging macros and functions (like ASSERT,
__bad_atomic_size, LOG, etc ...) that crash execution or produce logs
are not dangerous in initializer lists. The evaluation order in
abnormal conditions is not relevant. Evaluation order of logging
effects is always safe.

This patch deviates violations using SAF commits caused by
debug/logging macros and functions.

Asm volatile statements in initializer lists that do not perform any
persistent side effect are safe: this patch deviates violations caused
by uses of the current macro (that contains an asm volatile) in
initializer lists.

No functional changes.

Signed-off-by: Simone Ballarin
---
Changes in v2:
New patch based on the discussion for "xen/arm: address violations of
MISRA C:2012 Rule 13.1".
---
 docs/misra/safe.json     | 16 ++++++++++++++++
 xen/arch/arm/device.c    |  1 +
 xen/arch/arm/guestcopy.c |  4 ++++
 xen/arch/x86/hvm/hvm.c   |  1 +
 xen/common/sched/core.c  |  3 +++
 5 files changed, 25 insertions(+)

diff --git a/docs/misra/safe.json b/docs/misra/safe.json index 952324f85c..69ab526084 100644 --- a/docs/misra/safe.json +++ b/docs/misra/safe.json
@@ -28,6 +28,22 @@ }, { "id": "SAF-3-safe", + "analyser": { + "eclair": "MC3R1.R13.1" + }, + "name": "MC3R1.R13.1: effects for debugging and logging", + "text": "Effects for debugging and loggings reasons that crash execution or produce logs are allowed in initializer lists. The evaluation order in abnormal conditions is not relevant." + }, + { + "id": "SAF-4-safe", + "analyser": { + "eclair": "MC3R1.R13.1" + }, + "name": "MC3R1.R13.1: volatile asm statements that do not perform any persistent side effect", + "text": "Volatile asm statements in an initializer list if do not perform persistent side effects are safe." + }, + { + "id": "SAF-5-safe", "analyser": {}, "name": "Sentinel", "text": "Next ID to be used" diff --git a/xen/arch/arm/device.c b/xen/arch/arm/device.c index 1f631d3274..fa331f164d 100644 --- a/xen/arch/arm/device.c +++ b/xen/arch/arm/device.c @@ -331,6 +331,7 @@ int handle_device(struct domain *d, struct dt_device_node *dev, p2m_type_t p2mt, .p2mt = p2mt, .skip_mapping = !own_device || (is_pci_passthrough_enabled() && + /* SAF-3-safe effects for debugging/logging reasons are safe */ (device_get_class(dev) == DEVICE_PCI_HOSTBRIDGE)), .iomem_ranges = iomem_ranges, .irq_ranges = irq_ranges diff --git a/xen/arch/arm/guestcopy.c b/xen/arch/arm/guestcopy.c index 6716b03561..31b809ea08 100644 --- a/xen/arch/arm/guestcopy.c +++ b/xen/arch/arm/guestcopy.c 
@@ -110,18 +110,21 @@ static unsigned long copy_guest(void *buf, uint64_t addr, unsigned int len, unsigned long raw_copy_to_guest(void *to, const void *from, unsigned int len) { return copy_guest((void *)from, (vaddr_t)to, len, + /* SAF-4-safe No persistent side effects */ GVA_INFO(current), COPY_to_guest | COPY_linear); } unsigned long raw_copy_to_guest_flush_dcache(void *to, const void *from, unsigned int len) { + /* SAF-4-safe No persistent side effects */ return copy_guest((void *)from, (vaddr_t)to, len, GVA_INFO(current), COPY_to_guest | COPY_flush_dcache | COPY_linear); } unsigned long raw_clear_guest(void *to, unsigned int len) { + /* SAF-4-safe No persistent side effects */ return copy_guest(NULL, (vaddr_t)to, len, GVA_INFO(current), COPY_to_guest | COPY_linear); } @@ -129,6 +132,7 @@ unsigned long raw_clear_guest(void *to, unsigned int len) unsigned long raw_copy_from_guest(void *to, const void __user *from, unsigned int len) { + /* SAF-4-safe No persistent side effects */ return copy_guest(to, (vaddr_t)from, len, GVA_INFO(current), COPY_from_guest | COPY_linear); } diff --git a/xen/arch/x86/hvm/hvm.c b/xen/arch/x86/hvm/hvm.c index 35a30df3b1..24fd02b363 100644 --- a/xen/arch/x86/hvm/hvm.c +++ b/xen/arch/x86/hvm/hvm.c @@ -1700,6 +1700,7 @@ void hvm_hlt(unsigned int eflags) do_sched_op(SCHEDOP_block, guest_handle_from_ptr(NULL, void)); + /* SAF-3-safe effects for debugging/logging reasons are safe */ HVMTRACE_1D(HLT, /* pending = */ vcpu_runnable(curr)); } diff --git a/xen/common/sched/core.c b/xen/common/sched/core.c index eba0cea4bb..b1b94c8689 100644 --- a/xen/common/sched/core.c +++ b/xen/common/sched/core.c @@ -1517,6 +1517,7 @@ long vcpu_yield(void) SCHED_STAT_CRANK(vcpu_yield); + /* SAF-4-safe No persistent side effects */ TRACE_2D(TRC_SCHED_YIELD, current->domain->domain_id, current->vcpu_id); raise_softirq(SCHEDULE_SOFTIRQ); return 0; 
@@ -1895,6 +1896,7 @@ ret_t do_sched_op(int cmd, XEN_GUEST_HANDLE_PARAM(void) arg) if ( copy_from_guest(&sched_shutdown, arg, 1) ) break; + /* SAF-4-safe No persistent side effects */ TRACE_3D(TRC_SCHED_SHUTDOWN, current->domain->domain_id, current->vcpu_id, sched_shutdown.reason); 
@@ -1912,6 +1914,7 @@ ret_t do_sched_op(int cmd, XEN_GUEST_HANDLE_PARAM(void) arg) if ( copy_from_guest(&sched_shutdown, arg, 1) ) break; + /* SAF-4-safe No persistent side effects */ TRACE_3D(TRC_SCHED_SHUTDOWN_CODE, d->domain_id, current->vcpu_id, sched_shutdown.reason);
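
Review bot: In the docs/misra/safe.json hunk, the two new "text" fields need rewording, since they are the recorded justification for the deviation: SAF-3-safe reads "debugging and loggings reasons" and SAF-4-safe reads "Volatile asm statements in an initializer list if do not perform persistent side effects are safe", which does not parse. Suggest "for debugging and logging reasons" and "Volatile asm statements in an initializer list are safe if they do not perform persistent side effects". SAF-4-safe also gives no criterion for deciding that a given asm volatile has no persistent side effect; naming the case this series targets (the `current` macro, per the commit message) would make the deviation checkable.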
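
Review bot: In the xen/arch/arm/device.c hunk, the SAF-3-safe comment sits in the middle of the `.skip_mapping` expression, between `is_pci_passthrough_enabled() &&` and the `device_get_class(dev)` comparison, and does not say which call carries the debugging or logging effect. Name the call in the comment so the deviation can be re-checked if the expression is later edited or reordered.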
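
Review bot: In the first xen/arch/arm/guestcopy.c hunk (@@ -110,18 +110,21 @@), the SAF-4-safe comment for `raw_copy_to_guest` is placed inside the argument list, directly above `GVA_INFO(current)`, while for `raw_copy_to_guest_flush_dcache` and `raw_clear_guest` (and `raw_copy_from_guest` in the next hunk) it is placed above the `return` statement. Use one placement throughout, and have the comment mention `current` as the source of the asm volatile, since "No persistent side effects" alone does not say what was reviewed.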
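
Review bot: The xen/arch/x86/hvm/hvm.c hunk tags `HVMTRACE_1D(HLT, /* pending = */ vcpu_runnable(curr));` in x86 code, and the diffstat also covers xen/common/sched/core.c, but the subject line is prefixed "xen/arm:". Please use a prefix that reflects the x86 and common changes so the right maintainers see them.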
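
Review bot: In the first xen/common/sched/core.c hunk (@@ -1517,6 +1517,7 @@), and likewise in the two `do_sched_op` hunks after it, the SAF-4-safe comment above `TRACE_2D`/`TRACE_3D` does not say that the deviation is for the `current` uses in the arguments rather than for the trace macro itself, which a reader would expect to fall under SAF-3-safe as in hvm.c. Spell that out in the comment text, for example "SAF-4-safe current has no persistent side effects".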
From patchwork Fri Nov 24 17:29:43 2023
From: Simone Ballarin
To: xen-devel@lists.xenproject.org
Cc: consulting@bugseng.com, Simone Ballarin, Andrew Cooper, George Dunlap, Jan Beulich, Julien Grall, Stefano Stabellini, Wei Liu, Maria Celeste Cesario
Subject: [XEN PATCH v2 3/3] xen: address violations of MISRA C:2012 Rule 13.1
Date: Fri, 24 Nov 2023 18:29:43 +0100
Message-Id: <771a6f804f4e7dda3897359b57d1d14c2878ea16.1700844359.git.simone.ballarin@bugseng.com>

Rule 13.1: Initializer lists shall not contain persistent side effects

The assignment operation in:

.irq = rc = uart->irq,

is a persistent side effect in a struct initializer list.

This patch avoids rc assignment and directly uses uart->irq in the
following if statement.

No functional changes.

Signed-off-by: Maria Celeste Cesario
Signed-off-by: Simone Ballarin
---
Changes in v2:
- avoid assignment of rc;
- drop changes in vcpu_yield(void).
---
 xen/drivers/char/ns16550.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/xen/drivers/char/ns16550.c b/xen/drivers/char/ns16550.c index ddf2a48be6..644a3192bb 100644 --- a/xen/drivers/char/ns16550.c +++ b/xen/drivers/char/ns16550.c @@ -445,11 +445,13 @@ static void __init cf_check ns16550_init_postirq(struct serial_port *port) struct msi_info msi = { .sbdf = PCI_SBDF(0, uart->ps_bdf[0], uart->ps_bdf[1], uart->ps_bdf[2]), - .irq = rc = uart->irq, + .irq = uart->irq, .entry_nr = 1 }; - if ( rc > 0 ) + rc = 0; + + if ( uart->irq > 0 ) { struct msi_desc *msi_desc = NULL;
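
Review bot: The added `rc = 0;` after the `msi` initializer changes what `rc` holds compared with the old `.irq = rc = uart->irq`: before, `rc` carried `uart->irq` past this point, and now it is 0 unless the `if ( uart->irq > 0 )` body reassigns it. The visible context does not show the later reads of `rc`, so please confirm in the commit message that none of them depends on the old value, which is what "No functional changes" requires. The message also says the patch "avoids rc assignment" while the hunk still assigns `rc`, so the wording should be aligned with the code.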