The final hunk is `(struct vcpu *)v` in disguise, expressed using a runtime
pointer chase through memory and a technicality of the C type system to work
around the fact that get_hvm_registers() strictly requires a mutable pointer.

For anyone interested, this is one reason why C cannot optimise any reads
across sequence points, even for a function purporting to take a const object.

Anyway, have the function correctly state that it needs a mutable vcpu.  All
callers have a mutable vCPU to hand, and it removes the runtime pointer chase
in x86.

Make one style adjustment in ARM while adjusting the parameter type.

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
---
CC: Anthony PERARD <anthony.perard@vates.tech>
CC: Michal Orzel <michal.orzel@amd.com>
CC: Jan Beulich <jbeulich@suse.com>
CC: Julien Grall <julien@xen.org>
CC: Roger Pau Monné <roger.pau@citrix.com>
CC: Stefano Stabellini <sstabellini@kernel.org>
CC: Volodymyr Babchuk <Volodymyr_Babchuk@epam.com>
CC: Bertrand Marquis <bertrand.marquis@arm.com>

RISC-V and PPC don't have this helper yet, not even in stub form.

I expect there will be one objection to this patch.  Since the last time we
fought over this, speculative vulnerabilities have demonstrated how dangerous
pointer chases are, and this is a violation of Misra Rule 11.8, even if it's
not reasonable for Eclair to be able to spot and reject it.
---
 xen/arch/arm/include/asm/domain.h | 2 +-
 xen/arch/arm/traps.c              | 3 ++-
 xen/arch/x86/include/asm/domain.h | 2 +-
 xen/arch/x86/x86_64/traps.c       | 4 ++--
 4 files changed, 6 insertions(+), 5 deletions(-)

diff --git a/xen/arch/arm/include/asm/domain.h b/xen/arch/arm/include/asm/domain.h
index f1d72c6e48df..50b6a4b00982 100644
--- a/xen/arch/arm/include/asm/domain.h
+++ b/xen/arch/arm/include/asm/domain.h
@@ -243,7 +243,7 @@ struct arch_vcpu
 
 }  __cacheline_aligned;
 
-void vcpu_show_registers(const struct vcpu *v);
+void vcpu_show_registers(struct vcpu *v);
 void vcpu_switch_to_aarch64_mode(struct vcpu *v);
 
 /*
diff --git a/xen/arch/arm/traps.c b/xen/arch/arm/traps.c
index 737f4d65e324..665b17813acb 100644
--- a/xen/arch/arm/traps.c
+++ b/xen/arch/arm/traps.c
@@ -969,9 +969,10 @@ void show_registers(const struct cpu_user_regs *regs)
     _show_registers(regs, &ctxt, guest_mode(regs), current);
 }
 
-void vcpu_show_registers(const struct vcpu *v)
+void vcpu_show_registers(struct vcpu *v)
 {
     struct reg_ctxt ctxt;
+
     ctxt.sctlr_el1 = v->arch.sctlr;
     ctxt.tcr_el1 = v->arch.ttbcr;
     ctxt.ttbr0_el1 = v->arch.ttbr0;
diff --git a/xen/arch/x86/include/asm/domain.h b/xen/arch/x86/include/asm/domain.h
index b79d6badd71c..5fc1d1e5d01a 100644
--- a/xen/arch/x86/include/asm/domain.h
+++ b/xen/arch/x86/include/asm/domain.h
@@ -688,7 +688,7 @@ bool update_secondary_system_time(struct vcpu *v,
 void force_update_secondary_system_time(struct vcpu *v,
                                         struct vcpu_time_info *map);
 
-void vcpu_show_registers(const struct vcpu *v);
+void vcpu_show_registers(struct vcpu *v);
 
 static inline struct vcpu_guest_context *alloc_vcpu_guest_context(void)
 {
diff --git a/xen/arch/x86/x86_64/traps.c b/xen/arch/x86/x86_64/traps.c
index 02fdb3637d09..22d4db240b95 100644
--- a/xen/arch/x86/x86_64/traps.c
+++ b/xen/arch/x86/x86_64/traps.c
@@ -170,7 +170,7 @@ void show_registers(const struct cpu_user_regs *regs)
     }
 }
 
-void vcpu_show_registers(const struct vcpu *v)
+void vcpu_show_registers(struct vcpu *v)
 {
     const struct cpu_user_regs *regs = &v->arch.user_regs;
     struct cpu_user_regs aux_regs;
@@ -180,7 +180,7 @@ void vcpu_show_registers(const struct vcpu *v)
     if ( is_hvm_vcpu(v) )
     {
         aux_regs = *regs;
-        get_hvm_registers(v->domain->vcpu[v->vcpu_id], &aux_regs, crs);
+        get_hvm_registers(v, &aux_regs, crs);
         regs = &aux_regs;
         context = CTXT_hvm_guest;
     }
-- 
2.39.5

On 26.02.2025 00:02, Andrew Cooper wrote:
> The final hunk is `(struct vcpu *)v` in disguise, expressed using a runtime
> pointer chase through memory and a technicality of the C type system to work
> around the fact that get_hvm_registers() strictly requires a mutable pointer.
> 
> For anyone interested, this is one reason why C cannot optimise any reads
> across sequence points, even for a function purporting to take a const object.
> 
> Anyway, have the function correctly state that it needs a mutable vcpu.  All
> callers have a mutable vCPU to hand, and it removes the runtime pointer chase
> in x86.
> 
> Make one style adjustment in ARM while adjusting the parameter type.
> 
> Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
> ---
> CC: Anthony PERARD <anthony.perard@vates.tech>
> CC: Michal Orzel <michal.orzel@amd.com>
> CC: Jan Beulich <jbeulich@suse.com>
> CC: Julien Grall <julien@xen.org>
> CC: Roger Pau Monné <roger.pau@citrix.com>
> CC: Stefano Stabellini <sstabellini@kernel.org>
> CC: Volodymyr Babchuk <Volodymyr_Babchuk@epam.com>
> CC: Bertrand Marquis <bertrand.marquis@arm.com>
> 
> RISC-V and PPC don't have this helper yet, not even in stub form.
> 
> I expect there will be one objection to this patch.  Since the last time we
> fought over this, speculative vulnerabilities have demonstrated how dangerous
> pointer chases are, and this is a violation of Misra Rule 11.8, even if it's
> not reasonable for Eclair to be able to spot and reject it.

On these grounds
Acked-by: Jan Beulich <jbeulich@suse.com>
irrespective of the fact that a function of this name and purpose really, really
should be taking a pointer-to-const.

Considering ...

> --- a/xen/arch/arm/include/asm/domain.h
> +++ b/xen/arch/arm/include/asm/domain.h
> @@ -243,7 +243,7 @@ struct arch_vcpu
>  
>  }  __cacheline_aligned;
>  
> -void vcpu_show_registers(const struct vcpu *v);
> +void vcpu_show_registers(struct vcpu *v);

... this and ...

> --- a/xen/arch/x86/include/asm/domain.h
> +++ b/xen/arch/x86/include/asm/domain.h
> @@ -688,7 +688,7 @@ bool update_secondary_system_time(struct vcpu *v,
>  void force_update_secondary_system_time(struct vcpu *v,
>                                          struct vcpu_time_info *map);
>  
> -void vcpu_show_registers(const struct vcpu *v);
> +void vcpu_show_registers(struct vcpu *v);

... this are the same, and there's nothing different to expect for other
architectures, centralizing the declaration and then adding a comment to
cover the non-const property may be desirable. Else people like me might
forget that there was this change, and try to re-add the seemingly
missing const.

Jan

On 26/02/2025 7:33 am, Jan Beulich wrote:
> On 26.02.2025 00:02, Andrew Cooper wrote:
>> The final hunk is `(struct vcpu *)v` in disguise, expressed using a runtime
>> pointer chase through memory and a technicality of the C type system to work
>> around the fact that get_hvm_registers() strictly requires a mutable pointer.
>>
>> For anyone interested, this is one reason why C cannot optimise any reads
>> across sequence points, even for a function purporting to take a const object.
>>
>> Anyway, have the function correctly state that it needs a mutable vcpu.  All
>> callers have a mutable vCPU to hand, and it removes the runtime pointer chase
>> in x86.
>>
>> Make one style adjustment in ARM while adjusting the parameter type.
>>
>> Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
>> ---
>> CC: Anthony PERARD <anthony.perard@vates.tech>
>> CC: Michal Orzel <michal.orzel@amd.com>
>> CC: Jan Beulich <jbeulich@suse.com>
>> CC: Julien Grall <julien@xen.org>
>> CC: Roger Pau Monné <roger.pau@citrix.com>
>> CC: Stefano Stabellini <sstabellini@kernel.org>
>> CC: Volodymyr Babchuk <Volodymyr_Babchuk@epam.com>
>> CC: Bertrand Marquis <bertrand.marquis@arm.com>
>>
>> RISC-V and PPC don't have this helper yet, not even in stub form.
>>
>> I expect there will be one objection to this patch.  Since the last time we
>> fought over this, speculative vulnerabilities have demonstrated how dangerous
>> pointer chases are, and this is a violation of Misra Rule 11.8, even if it's
>> not reasonable for Eclair to be able to spot and reject it.
> On these grounds
> Acked-by: Jan Beulich <jbeulich@suse.com>

Thanks.

> irrespective of the fact that a function of this name and purpose really, really
> should be taking a pointer-to-const.

No - this is a perfect example of why most functions should *not* take
pointer-to-const for complex objects.

There is no such thing as an actually-const vcpu or domain; they are all
mutable.  The reason why x86 needs a strictly-mutable pointer is because
it needs to take a spinlock to negotiate for access to a hardware
resource to read some of the registers it needs.

This is where there is a semantic gap between "logically doesn't modify"
and what the C keyword means.

Anything except the-most-trivial trivial predates may reasonably need to
take a spinlock or some other safety primitive, even just to read
information.


Because this was gratuitously const in the first place, bad code was put
in place of making the prototype match reality.

This demonstrates a bigger failing in how code is reviewed and
maintained.  It is far too frequent that requests to const things don't
even compile.  It is also far too frequent that requests to const things
haven't read the full patch series to realise why not.  Both of these
are a source of friction during review.

But more than that, even if something could technically be const right
now, the request to do so forces churn into a future patch to de-const
it in order to make a clean change.  And for contributors who aren't
comfortable saying a firm no to a maintainer, this turns into a bad hack
instead.

i.e. requests to const accessors for complexity objects are making Xen
worse, not better, and we should stop doing it.

~Andrew

On 03.03.2025 17:52, Andrew Cooper wrote:
> On 26/02/2025 7:33 am, Jan Beulich wrote:
>> On 26.02.2025 00:02, Andrew Cooper wrote:
>>> The final hunk is `(struct vcpu *)v` in disguise, expressed using a runtime
>>> pointer chase through memory and a technicality of the C type system to work
>>> around the fact that get_hvm_registers() strictly requires a mutable pointer.
>>>
>>> For anyone interested, this is one reason why C cannot optimise any reads
>>> across sequence points, even for a function purporting to take a const object.
>>>
>>> Anyway, have the function correctly state that it needs a mutable vcpu.  All
>>> callers have a mutable vCPU to hand, and it removes the runtime pointer chase
>>> in x86.
>>>
>>> Make one style adjustment in ARM while adjusting the parameter type.
>>>
>>> Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
>>> ---
>>> CC: Anthony PERARD <anthony.perard@vates.tech>
>>> CC: Michal Orzel <michal.orzel@amd.com>
>>> CC: Jan Beulich <jbeulich@suse.com>
>>> CC: Julien Grall <julien@xen.org>
>>> CC: Roger Pau Monné <roger.pau@citrix.com>
>>> CC: Stefano Stabellini <sstabellini@kernel.org>
>>> CC: Volodymyr Babchuk <Volodymyr_Babchuk@epam.com>
>>> CC: Bertrand Marquis <bertrand.marquis@arm.com>
>>>
>>> RISC-V and PPC don't have this helper yet, not even in stub form.
>>>
>>> I expect there will be one objection to this patch.  Since the last time we
>>> fought over this, speculative vulnerabilities have demonstrated how dangerous
>>> pointer chases are, and this is a violation of Misra Rule 11.8, even if it's
>>> not reasonable for Eclair to be able to spot and reject it.
>> On these grounds
>> Acked-by: Jan Beulich <jbeulich@suse.com>
> 
> Thanks.
> 
>> irrespective of the fact that a function of this name and purpose really, really
>> should be taking a pointer-to-const.
> 
> No - this is a perfect example of why most functions should *not* take
> pointer-to-const for complex objects.
> 
> There is no such thing as an actually-const vcpu or domain; they are all
> mutable.  The reason why x86 needs a strictly-mutable pointer is because
> it needs to take a spinlock to negotiate for access to a hardware
> resource to read some of the registers it needs.
> 
> This is where there is a semantic gap between "logically doesn't modify"
> and what the C keyword means.

And hence (in part) why C++ gained "mutable" ages ago.

> Anything except the-most-trivial trivial predates may reasonably need to
> take a spinlock or some other safety primitive, even just to read
> information.
> 
> 
> Because this was gratuitously const in the first place, bad code was put
> in place of making the prototype match reality.
> 
> This demonstrates a bigger failing in how code is reviewed and
> maintained.  It is far too frequent that requests to const things don't
> even compile.  It is also far too frequent that requests to const things
> haven't read the full patch series to realise why not.  Both of these
> are a source of friction during review.
> 
> But more than that, even if something could technically be const right
> now, the request to do so forces churn into a future patch to de-const
> it in order to make a clean change.  And for contributors who aren't
> comfortable saying a firm no to a maintainer, this turns into a bad hack
> instead.
> 
> i.e. requests to const accessors for complexity objects are making Xen
> worse, not better, and we should stop doing it.

Okay, let's agree that we don't agree in our perspectives here.

Jan

On 05/03/2025 7:53 am, Jan Beulich wrote:
> On 03.03.2025 17:52, Andrew Cooper wrote:
>> On 26/02/2025 7:33 am, Jan Beulich wrote:
>>> On 26.02.2025 00:02, Andrew Cooper wrote:
>>>> The final hunk is `(struct vcpu *)v` in disguise, expressed using a runtime
>>>> pointer chase through memory and a technicality of the C type system to work
>>>> around the fact that get_hvm_registers() strictly requires a mutable pointer.
>>>>
>>>> For anyone interested, this is one reason why C cannot optimise any reads
>>>> across sequence points, even for a function purporting to take a const object.
>>>>
>>>> Anyway, have the function correctly state that it needs a mutable vcpu.  All
>>>> callers have a mutable vCPU to hand, and it removes the runtime pointer chase
>>>> in x86.
>>>>
>>>> Make one style adjustment in ARM while adjusting the parameter type.
>>>>
>>>> Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
>>>> ---
>>>> CC: Anthony PERARD <anthony.perard@vates.tech>
>>>> CC: Michal Orzel <michal.orzel@amd.com>
>>>> CC: Jan Beulich <jbeulich@suse.com>
>>>> CC: Julien Grall <julien@xen.org>
>>>> CC: Roger Pau Monné <roger.pau@citrix.com>
>>>> CC: Stefano Stabellini <sstabellini@kernel.org>
>>>> CC: Volodymyr Babchuk <Volodymyr_Babchuk@epam.com>
>>>> CC: Bertrand Marquis <bertrand.marquis@arm.com>
>>>>
>>>> RISC-V and PPC don't have this helper yet, not even in stub form.
>>>>
>>>> I expect there will be one objection to this patch.  Since the last time we
>>>> fought over this, speculative vulnerabilities have demonstrated how dangerous
>>>> pointer chases are, and this is a violation of Misra Rule 11.8, even if it's
>>>> not reasonable for Eclair to be able to spot and reject it.
>>> On these grounds
>>> Acked-by: Jan Beulich <jbeulich@suse.com>
>> Thanks.
>>
>>> irrespective of the fact that a function of this name and purpose really, really
>>> should be taking a pointer-to-const.
>> No - this is a perfect example of why most functions should *not* take
>> pointer-to-const for complex objects.
>>
>> There is no such thing as an actually-const vcpu or domain; they are all
>> mutable.  The reason why x86 needs a strictly-mutable pointer is because
>> it needs to take a spinlock to negotiate for access to a hardware
>> resource to read some of the registers it needs.
>>
>> This is where there is a semantic gap between "logically doesn't modify"
>> and what the C keyword means.
> And hence (in part) why C++ gained "mutable" ages ago.

Sure.  If we were writing in C++, then an internal splinlock being
mutable would be a fine thing.

But we're writing in a language where there is no such concept.
>> Anything except the-most-trivial trivial predates may reasonably need to
>> take a spinlock or some other safety primitive, even just to read
>> information.
>>
>>
>> Because this was gratuitously const in the first place, bad code was put
>> in place of making the prototype match reality.
>>
>> This demonstrates a bigger failing in how code is reviewed and
>> maintained.  It is far too frequent that requests to const things don't
>> even compile.  It is also far too frequent that requests to const things
>> haven't read the full patch series to realise why not.  Both of these
>> are a source of friction during review.
>>
>> But more than that, even if something could technically be const right
>> now, the request to do so forces churn into a future patch to de-const
>> it in order to make a clean change.  And for contributors who aren't
>> comfortable saying a firm no to a maintainer, this turns into a bad hack
>> instead.
>>
>> i.e. requests to const accessors for complexity objects are making Xen
>> worse, not better, and we should stop doing it.
> Okay, let's agree that we don't agree in our perspectives here.

I'm not saying this to be mean.  If C could do something like C++'s
mutable, then this wouldn't be an issue.

But, I have lost count of the number of times I have had to reject
requests of yours to const a pointer, on the basis that it can't
compile.  Your review feedback cost one of my team-members a week trying
to fulfil a const request before asking me for help, and it was another
impossible example.

Of all feedback given by reviewers (it's not only you), requests to
const are the ones that are most often wrong in my experience.  Probably
only ~50% of requests are correct, yet it takes a very seasoned
developer to come back and say "no, that doesn't compile", because
that's really a "I think you're wrong" needing knowledge in a subtle
part of the language.

My request is to all reviewers.  Please take far more care before asking
for const.  There are absolutely cases where it's right, but a false
request is more problematic than it appears at the surface.

~Andrew

On 07.03.2025 00:17, Andrew Cooper wrote:
> On 05/03/2025 7:53 am, Jan Beulich wrote:
>> On 03.03.2025 17:52, Andrew Cooper wrote:
>>> On 26/02/2025 7:33 am, Jan Beulich wrote:
>>>> On 26.02.2025 00:02, Andrew Cooper wrote:
>>>>> The final hunk is `(struct vcpu *)v` in disguise, expressed using a runtime
>>>>> pointer chase through memory and a technicality of the C type system to work
>>>>> around the fact that get_hvm_registers() strictly requires a mutable pointer.
>>>>>
>>>>> For anyone interested, this is one reason why C cannot optimise any reads
>>>>> across sequence points, even for a function purporting to take a const object.
>>>>>
>>>>> Anyway, have the function correctly state that it needs a mutable vcpu.  All
>>>>> callers have a mutable vCPU to hand, and it removes the runtime pointer chase
>>>>> in x86.
>>>>>
>>>>> Make one style adjustment in ARM while adjusting the parameter type.
>>>>>
>>>>> Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
>>>>> ---
>>>>> CC: Anthony PERARD <anthony.perard@vates.tech>
>>>>> CC: Michal Orzel <michal.orzel@amd.com>
>>>>> CC: Jan Beulich <jbeulich@suse.com>
>>>>> CC: Julien Grall <julien@xen.org>
>>>>> CC: Roger Pau Monné <roger.pau@citrix.com>
>>>>> CC: Stefano Stabellini <sstabellini@kernel.org>
>>>>> CC: Volodymyr Babchuk <Volodymyr_Babchuk@epam.com>
>>>>> CC: Bertrand Marquis <bertrand.marquis@arm.com>
>>>>>
>>>>> RISC-V and PPC don't have this helper yet, not even in stub form.
>>>>>
>>>>> I expect there will be one objection to this patch.  Since the last time we
>>>>> fought over this, speculative vulnerabilities have demonstrated how dangerous
>>>>> pointer chases are, and this is a violation of Misra Rule 11.8, even if it's
>>>>> not reasonable for Eclair to be able to spot and reject it.
>>>> On these grounds
>>>> Acked-by: Jan Beulich <jbeulich@suse.com>
>>> Thanks.
>>>
>>>> irrespective of the fact that a function of this name and purpose really, really
>>>> should be taking a pointer-to-const.
>>> No - this is a perfect example of why most functions should *not* take
>>> pointer-to-const for complex objects.
>>>
>>> There is no such thing as an actually-const vcpu or domain; they are all
>>> mutable.  The reason why x86 needs a strictly-mutable pointer is because
>>> it needs to take a spinlock to negotiate for access to a hardware
>>> resource to read some of the registers it needs.
>>>
>>> This is where there is a semantic gap between "logically doesn't modify"
>>> and what the C keyword means.
>> And hence (in part) why C++ gained "mutable" ages ago.
> 
> Sure.  If we were writing in C++, then an internal splinlock being
> mutable would be a fine thing.
> 
> But we're writing in a language where there is no such concept.
>>> Anything except the-most-trivial trivial predates may reasonably need to
>>> take a spinlock or some other safety primitive, even just to read
>>> information.
>>>
>>>
>>> Because this was gratuitously const in the first place, bad code was put
>>> in place of making the prototype match reality.
>>>
>>> This demonstrates a bigger failing in how code is reviewed and
>>> maintained.  It is far too frequent that requests to const things don't
>>> even compile.  It is also far too frequent that requests to const things
>>> haven't read the full patch series to realise why not.  Both of these
>>> are a source of friction during review.
>>>
>>> But more than that, even if something could technically be const right
>>> now, the request to do so forces churn into a future patch to de-const
>>> it in order to make a clean change.  And for contributors who aren't
>>> comfortable saying a firm no to a maintainer, this turns into a bad hack
>>> instead.
>>>
>>> i.e. requests to const accessors for complexity objects are making Xen
>>> worse, not better, and we should stop doing it.
>> Okay, let's agree that we don't agree in our perspectives here.
> 
> I'm not saying this to be mean.  If C could do something like C++'s
> mutable, then this wouldn't be an issue.
> 
> But, I have lost count of the number of times I have had to reject
> requests of yours to const a pointer, on the basis that it can't
> compile.  Your review feedback cost one of my team-members a week trying
> to fulfil a const request before asking me for help, and it was another
> impossible example.
> 
> Of all feedback given by reviewers (it's not only you), requests to
> const are the ones that are most often wrong in my experience.

I am entirely certain you're wrong here, unless maybe you mean solely
comments on patches of yours. There are far too many places where we're
still lacking const, and people are copying such instances far too
blindly.

>  Probably
> only ~50% of requests are correct, yet it takes a very seasoned
> developer to come back and say "no, that doesn't compile", because
> that's really a "I think you're wrong" needing knowledge in a subtle
> part of the language.
> 
> My request is to all reviewers.  Please take far more care before asking
> for const.  There are absolutely cases where it's right, but a false
> request is more problematic than it appears at the surface.

I am attempting to be quite careful with such requests, but as for any
review comment mistakes / oversights happen. Furthermore relatively
often I put such comments as questions, in the hope to indicates this
way that the change request depends on the result actually building
fine. In fact things not building doesn't necessarily mean the comment
was outright wrong - it often means code elsewhere isn't properly
constified.

My request to all submitters: Constify your patches properly up front.

Jan

On Mon, 3 Mar 2025, Andrew Cooper wrote:
> On 26/02/2025 7:33 am, Jan Beulich wrote:
> > On 26.02.2025 00:02, Andrew Cooper wrote:
> >> The final hunk is `(struct vcpu *)v` in disguise, expressed using a runtime
> >> pointer chase through memory and a technicality of the C type system to work
> >> around the fact that get_hvm_registers() strictly requires a mutable pointer.
> >>
> >> For anyone interested, this is one reason why C cannot optimise any reads
> >> across sequence points, even for a function purporting to take a const object.
> >>
> >> Anyway, have the function correctly state that it needs a mutable vcpu.  All
> >> callers have a mutable vCPU to hand, and it removes the runtime pointer chase
> >> in x86.
> >>
> >> Make one style adjustment in ARM while adjusting the parameter type.
> >>
> >> Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
> >> ---
> >> CC: Anthony PERARD <anthony.perard@vates.tech>
> >> CC: Michal Orzel <michal.orzel@amd.com>
> >> CC: Jan Beulich <jbeulich@suse.com>
> >> CC: Julien Grall <julien@xen.org>
> >> CC: Roger Pau Monné <roger.pau@citrix.com>
> >> CC: Stefano Stabellini <sstabellini@kernel.org>
> >> CC: Volodymyr Babchuk <Volodymyr_Babchuk@epam.com>
> >> CC: Bertrand Marquis <bertrand.marquis@arm.com>
> >>
> >> RISC-V and PPC don't have this helper yet, not even in stub form.
> >>
> >> I expect there will be one objection to this patch.  Since the last time we
> >> fought over this, speculative vulnerabilities have demonstrated how dangerous
> >> pointer chases are, and this is a violation of Misra Rule 11.8, even if it's
> >> not reasonable for Eclair to be able to spot and reject it.
> > On these grounds
> > Acked-by: Jan Beulich <jbeulich@suse.com>

Reviewed-by: Stefano Stabellini <sstabellini@kernel.org>


> Thanks.
> 
> > irrespective of the fact that a function of this name and purpose really, really
> > should be taking a pointer-to-const.
> 
> No - this is a perfect example of why most functions should *not* take
> pointer-to-const for complex objects.
> 
> There is no such thing as an actually-const vcpu or domain; they are all
> mutable.  The reason why x86 needs a strictly-mutable pointer is because
> it needs to take a spinlock to negotiate for access to a hardware
> resource to read some of the registers it needs.
> 
> This is where there is a semantic gap between "logically doesn't modify"
> and what the C keyword means.
> 
> Anything except the-most-trivial trivial predates may reasonably need to
> take a spinlock or some other safety primitive, even just to read
> information.
> 
> 
> Because this was gratuitously const in the first place, bad code was put
> in place of making the prototype match reality.
> 
> This demonstrates a bigger failing in how code is reviewed and
> maintained.  It is far too frequent that requests to const things don't
> even compile.  It is also far too frequent that requests to const things
> haven't read the full patch series to realise why not.  Both of these
> are a source of friction during review.
> 
> But more than that, even if something could technically be const right
> now, the request to do so forces churn into a future patch to de-const
> it in order to make a clean change.  And for contributors who aren't
> comfortable saying a firm no to a maintainer, this turns into a bad hack
> instead.
> 
> i.e. requests to const accessors for complexity objects are making Xen
> worse, not better, and we should stop doing it.
 
In general, functions like vcpu_show_registers, which have a clear
usage pattern, would seem to be ideal candidates for using const
parameters. However, as Andrew explained, when a function takes a
struct vcpu as a parameter, complexities often arise. This example with
the spinlock is a good way to explain the underlying risks.  

I don't know whether any general conclusions can be drawn from this
example, but in this case Andrew's reasoning is correct.