x86/uaccess: add attribute noreturn to __{get,put}_user_bad()

[XEN PATCH] x86/uaccess: add attribute noreturn to __{get,put}_user_bad()

Posted by Federico Serafini 2 months, 1 week ago

__get_user_bad() and __put_user_bad() are undefined symbols used
to assert the unreachability of a program point:
a call to one of such functions is optimized away if it is considered
unreachable by the compiler. Otherwise, a linker error is reported.

In accordance with the purpose of such constructs:
1) add the attribute noreturn to __get_user_bad() and __put_user_bad();
2) change return type of __get_user_bad() to void (returning long is a
   leftover from the past).

Point (1) meets the requirements to deviate MISRA C:2012 Rule 16.3
("An unconditional break statement shall terminate every switch
clause") since functions with noreturn attribute are considered
as allowed terminals for switch clauses.

Point (2) addresses several violations of MISRA C:2012 Rule 17.7
("The value returned by a function having non-void return type
shall be used").

No functional change.

Signed-off-by: Federico Serafini <federico.serafini@bugseng.com>
---
 xen/arch/x86/include/asm/uaccess.h | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/xen/arch/x86/include/asm/uaccess.h b/xen/arch/x86/include/asm/uaccess.h
index 7443519d5b..c7bafaf10f 100644
--- a/xen/arch/x86/include/asm/uaccess.h
+++ b/xen/arch/x86/include/asm/uaccess.h
@@ -21,8 +21,8 @@ unsigned int copy_from_guest_ll(void *to, const void __user *from, unsigned int
 unsigned int copy_to_unsafe_ll(void *to, const void *from, unsigned int n);
 unsigned int copy_from_unsafe_ll(void *to, const void *from, unsigned int n);
 
-extern long __get_user_bad(void);
-extern void __put_user_bad(void);
+extern void noreturn __get_user_bad(void);
+extern void noreturn __put_user_bad(void);
 
 #define UA_KEEP(args...) args
 #define UA_DROP(args...)
-- 
2.34.1

Re: [XEN PATCH] x86/uaccess: add attribute noreturn to __{get,put}_user_bad()

Posted by Jan Beulich 2 months, 1 week ago

On 20.02.2024 14:35, Federico Serafini wrote:
> __get_user_bad() and __put_user_bad() are undefined symbols used
> to assert the unreachability of a program point:
> a call to one of such functions is optimized away if it is considered
> unreachable by the compiler. Otherwise, a linker error is reported.
> 
> In accordance with the purpose of such constructs:
> 1) add the attribute noreturn to __get_user_bad() and __put_user_bad();
> 2) change return type of __get_user_bad() to void (returning long is a
>    leftover from the past).
> 
> Point (1) meets the requirements to deviate MISRA C:2012 Rule 16.3
> ("An unconditional break statement shall terminate every switch
> clause") since functions with noreturn attribute are considered
> as allowed terminals for switch clauses.
> 
> Point (2) addresses several violations of MISRA C:2012 Rule 17.7
> ("The value returned by a function having non-void return type
> shall be used").
> 
> No functional change.
> 
> Signed-off-by: Federico Serafini <federico.serafini@bugseng.com>

Reviewed-by: Jan Beulich <jbeulich@suse.com>
preferably ...

> --- a/xen/arch/x86/include/asm/uaccess.h
> +++ b/xen/arch/x86/include/asm/uaccess.h
> @@ -21,8 +21,8 @@ unsigned int copy_from_guest_ll(void *to, const void __user *from, unsigned int
>  unsigned int copy_to_unsafe_ll(void *to, const void *from, unsigned int n);
>  unsigned int copy_from_unsafe_ll(void *to, const void *from, unsigned int n);
>  
> -extern long __get_user_bad(void);
> -extern void __put_user_bad(void);
> +extern void noreturn __get_user_bad(void);
> +extern void noreturn __put_user_bad(void);

... with the "extern" dropped at the same time (see other function
decls in context). I'll try to remember to drop them while committing.

Jan