.../eclair_analysis/ECLAIR/deviations.ecl | 28 +++++++++++++++---- automation/eclair_analysis/ECLAIR/tagging.ecl | 2 +- docs/misra/deviations.rst | 28 +++++++++++++++++-- 3 files changed, 48 insertions(+), 10 deletions(-)
Update ECLAIR configuration to deviate more cases where an
unintentional fallthrough cannot happen.
Tag Rule 16.3 as clean for arm.
Signed-off-by: Federico Serafini <federico.serafini@bugseng.com>
---
Hi, v4 of this patch has been on hold due to discussion on whether or not
to consider switch clauses ending with ASSERT_UNREACHABLE() as safe;
I propose the patch again to continue the discussion and maybe reach an
agreement.
---
Changes from v4:
- rebase against staging.
---
Changes from v3:
- do not add the rule to the monitored set (it is already there).
---
Changes from v2:
- fixed grammar;
- reprhased deviations regarding do-while-false and ASSERT_UNREACHABLE().
---
.../eclair_analysis/ECLAIR/deviations.ecl | 28 +++++++++++++++----
automation/eclair_analysis/ECLAIR/tagging.ecl | 2 +-
docs/misra/deviations.rst | 28 +++++++++++++++++--
3 files changed, 48 insertions(+), 10 deletions(-)
diff --git a/automation/eclair_analysis/ECLAIR/deviations.ecl b/automation/eclair_analysis/ECLAIR/deviations.ecl
index 1aa8277066..9051f41602 100644
--- a/automation/eclair_analysis/ECLAIR/deviations.ecl
+++ b/automation/eclair_analysis/ECLAIR/deviations.ecl
@@ -461,14 +461,30 @@ therefore it is deemed better to leave such files as is."
-config=MC3R1.R16.2,reports+={deliberate, "any_area(any_loc(file(x86_emulate||x86_svm_emulate)))"}
-doc_end
--doc_begin="Switch clauses ending with continue, goto, return statements are
-safe."
--config=MC3R1.R16.3,terminals+={safe, "node(continue_stmt||goto_stmt||return_stmt)"}
+-doc_begin="Statements that change the control flow (i.e., break, continue, goto, return) and calls to functions that do not return the control back are \"allowed terminal statements\"."
+-stmt_selector+={r16_3_allowed_terminal, "node(break_stmt||continue_stmt||goto_stmt||return_stmt)||call(property(noreturn))"}
+-config=MC3R1.R16.3,terminals+={safe, "r16_3_allowed_terminal"}
+-doc_end
+
+-doc_begin="An if-else statement having both branches ending with an allowed terminal statement is itself an allowed terminal statement."
+-stmt_selector+={r16_3_if, "node(if_stmt)&&(child(then,r16_3_allowed_terminal)||child(then,any_stmt(stmt,-1,r16_3_allowed_terminal)))"}
+-stmt_selector+={r16_3_else, "node(if_stmt)&&(child(else,r16_3_allowed_terminal)||child(else,any_stmt(stmt,-1,r16_3_allowed_terminal)))"}
+-stmt_selector+={r16_3_if_else, "r16_3_if&&r16_3_else"}
+-config=MC3R1.R16.3,terminals+={safe, "r16_3_if_else"}
+-doc_end
+
+-doc_begin="An if-else statement having an always true condition and the true branch ending with an allowed terminal statement is itself an allowed terminal statement."
+-stmt_selector+={r16_3_if_true, "r16_3_if&&child(cond,definitely_in(1..))"}
+-config=MC3R1.R16.3,terminals+={safe, "r16_3_if_true"}
+-doc_end
+
+-doc_begin="A switch clause ending with a statement expression which, in turn, ends with an allowed terminal statement is safe."
+-config=MC3R1.R16.3,terminals+={safe, "node(stmt_expr)&&child(stmt,node(compound_stmt)&&any_stmt(stmt,-1,r16_3_allowed_terminal||r16_3_if_else||r16_3_if_true))"}
-doc_end
--doc_begin="Switch clauses ending with a call to a function that does not give
-the control back (i.e., a function with attribute noreturn) are safe."
--config=MC3R1.R16.3,terminals+={safe, "call(property(noreturn))"}
+-doc_begin="A switch clause ending with a do-while-false the body of which, in turn, ends with an allowed terminal statement is safe.
+An exception to that is the macro ASSERT_UNREACHABLE() which is effective in debug build only: a switch clause ending with ASSERT_UNREACHABLE() is not considered safe."
+-config=MC3R1.R16.3,terminals+={safe, "!macro(name(ASSERT_UNREACHABLE))&&node(do_stmt)&&child(cond,definitely_in(0))&&child(body,any_stmt(stmt,-1,r16_3_allowed_terminal||r16_3_if_else||r16_3_if_true))"}
-doc_end
-doc_begin="Switch clauses ending with pseudo-keyword \"fallthrough\" are
diff --git a/automation/eclair_analysis/ECLAIR/tagging.ecl b/automation/eclair_analysis/ECLAIR/tagging.ecl
index 4d0ac94848..b8448938e6 100644
--- a/automation/eclair_analysis/ECLAIR/tagging.ecl
+++ b/automation/eclair_analysis/ECLAIR/tagging.ecl
@@ -112,7 +112,7 @@ if(string_equal(target,"x86_64"),
)
if(string_equal(target,"arm64"),
- service_selector({"additional_clean_guidelines","MC3R1.R16.6||MC3R1.R2.1||MC3R1.R5.3||MC3R1.R7.3"})
+ service_selector({"additional_clean_guidelines","MC3R1.R2.1||MC3R1.R5.3||MC3R1.R7.3||MC3R1.R16.3||MC3R1.R16.6"})
)
-reports+={clean:added,"service(clean_guidelines_common||additional_clean_guidelines)"}
diff --git a/docs/misra/deviations.rst b/docs/misra/deviations.rst
index d51aa422b5..b66c271c4e 100644
--- a/docs/misra/deviations.rst
+++ b/docs/misra/deviations.rst
@@ -415,12 +415,34 @@ Deviations related to MISRA C:2012 Rules:
- Tagged as `deliberate` for ECLAIR.
* - R16.3
- - Switch clauses ending with continue, goto, return statements are safe.
+ - Statements that change the control flow (i.e., break, continue, goto,
+ return) and calls to functions that do not return the control back are
+ \"allowed terminal statements\".
- Tagged as `safe` for ECLAIR.
* - R16.3
- - Switch clauses ending with a call to a function that does not give
- the control back (i.e., a function with attribute noreturn) are safe.
+ - An if-else statement having both branches ending with one of the allowed
+ terminal statemets is itself an allowed terminal statements.
+ - Tagged as `safe` for ECLAIR.
+
+ * - R16.3
+ - An if-else statement having an always true condition and the true
+ branch ending with an allowed terminal statement is itself an allowed
+ terminal statement.
+ - Tagged as `safe` for ECLAIR.
+
+ * - R16.3
+ - A switch clause ending with a statement expression which, in turn, ends
+ with an allowed terminal statement (e.g., the expansion of
+ generate_exception()) is safe.
+ - Tagged as `safe` for ECLAIR.
+
+ * - R16.3
+ - A switch clause ending with a do-while-false the body of which, in turn,
+ ends with an allowed terminal statement (e.g., PARSE_ERR_RET()) is safe.
+ An exception to that is the macro ASSERT_UNREACHABLE() which is
+ effective in debug build only: a switch clause ending with
+ ASSERT_UNREACHABLE() is not considered safe.
- Tagged as `safe` for ECLAIR.
* - R16.3
--
2.34.1
On Tue, 20 Aug 2024, Federico Serafini wrote: > Update ECLAIR configuration to deviate more cases where an > unintentional fallthrough cannot happen. > > Tag Rule 16.3 as clean for arm. > > Signed-off-by: Federico Serafini <federico.serafini@bugseng.com> > --- > Hi, v4 of this patch has been on hold due to discussion on whether or not > to consider switch clauses ending with ASSERT_UNREACHABLE() as safe; > I propose the patch again to continue the discussion and maybe reach an > agreement. Yes this makes sense and reflect the agreement reached on the other thread Reviewed-by: Stefano Stabellini <sstabellini@kernel.org> > --- > Changes from v4: > - rebase against staging. > --- > Changes from v3: > - do not add the rule to the monitored set (it is already there). > --- > Changes from v2: > - fixed grammar; > - reprhased deviations regarding do-while-false and ASSERT_UNREACHABLE(). > --- > .../eclair_analysis/ECLAIR/deviations.ecl | 28 +++++++++++++++---- > automation/eclair_analysis/ECLAIR/tagging.ecl | 2 +- > docs/misra/deviations.rst | 28 +++++++++++++++++-- > 3 files changed, 48 insertions(+), 10 deletions(-) > > diff --git a/automation/eclair_analysis/ECLAIR/deviations.ecl b/automation/eclair_analysis/ECLAIR/deviations.ecl > index 1aa8277066..9051f41602 100644 > --- a/automation/eclair_analysis/ECLAIR/deviations.ecl > +++ b/automation/eclair_analysis/ECLAIR/deviations.ecl > @@ -461,14 +461,30 @@ therefore it is deemed better to leave such files as is." > -config=MC3R1.R16.2,reports+={deliberate, "any_area(any_loc(file(x86_emulate||x86_svm_emulate)))"} > -doc_end > > --doc_begin="Switch clauses ending with continue, goto, return statements are > -safe." > --config=MC3R1.R16.3,terminals+={safe, "node(continue_stmt||goto_stmt||return_stmt)"} > +-doc_begin="Statements that change the control flow (i.e., break, continue, goto, return) and calls to functions that do not return the control back are \"allowed terminal statements\"." > +-stmt_selector+={r16_3_allowed_terminal, "node(break_stmt||continue_stmt||goto_stmt||return_stmt)||call(property(noreturn))"} > +-config=MC3R1.R16.3,terminals+={safe, "r16_3_allowed_terminal"} > +-doc_end > + > +-doc_begin="An if-else statement having both branches ending with an allowed terminal statement is itself an allowed terminal statement." > +-stmt_selector+={r16_3_if, "node(if_stmt)&&(child(then,r16_3_allowed_terminal)||child(then,any_stmt(stmt,-1,r16_3_allowed_terminal)))"} > +-stmt_selector+={r16_3_else, "node(if_stmt)&&(child(else,r16_3_allowed_terminal)||child(else,any_stmt(stmt,-1,r16_3_allowed_terminal)))"} > +-stmt_selector+={r16_3_if_else, "r16_3_if&&r16_3_else"} > +-config=MC3R1.R16.3,terminals+={safe, "r16_3_if_else"} > +-doc_end > + > +-doc_begin="An if-else statement having an always true condition and the true branch ending with an allowed terminal statement is itself an allowed terminal statement." > +-stmt_selector+={r16_3_if_true, "r16_3_if&&child(cond,definitely_in(1..))"} > +-config=MC3R1.R16.3,terminals+={safe, "r16_3_if_true"} > +-doc_end > + > +-doc_begin="A switch clause ending with a statement expression which, in turn, ends with an allowed terminal statement is safe." > +-config=MC3R1.R16.3,terminals+={safe, "node(stmt_expr)&&child(stmt,node(compound_stmt)&&any_stmt(stmt,-1,r16_3_allowed_terminal||r16_3_if_else||r16_3_if_true))"} > -doc_end > > --doc_begin="Switch clauses ending with a call to a function that does not give > -the control back (i.e., a function with attribute noreturn) are safe." > --config=MC3R1.R16.3,terminals+={safe, "call(property(noreturn))"} > +-doc_begin="A switch clause ending with a do-while-false the body of which, in turn, ends with an allowed terminal statement is safe. > +An exception to that is the macro ASSERT_UNREACHABLE() which is effective in debug build only: a switch clause ending with ASSERT_UNREACHABLE() is not considered safe." > +-config=MC3R1.R16.3,terminals+={safe, "!macro(name(ASSERT_UNREACHABLE))&&node(do_stmt)&&child(cond,definitely_in(0))&&child(body,any_stmt(stmt,-1,r16_3_allowed_terminal||r16_3_if_else||r16_3_if_true))"} > -doc_end > > -doc_begin="Switch clauses ending with pseudo-keyword \"fallthrough\" are > diff --git a/automation/eclair_analysis/ECLAIR/tagging.ecl b/automation/eclair_analysis/ECLAIR/tagging.ecl > index 4d0ac94848..b8448938e6 100644 > --- a/automation/eclair_analysis/ECLAIR/tagging.ecl > +++ b/automation/eclair_analysis/ECLAIR/tagging.ecl > @@ -112,7 +112,7 @@ if(string_equal(target,"x86_64"), > ) > > if(string_equal(target,"arm64"), > - service_selector({"additional_clean_guidelines","MC3R1.R16.6||MC3R1.R2.1||MC3R1.R5.3||MC3R1.R7.3"}) > + service_selector({"additional_clean_guidelines","MC3R1.R2.1||MC3R1.R5.3||MC3R1.R7.3||MC3R1.R16.3||MC3R1.R16.6"}) > ) > > -reports+={clean:added,"service(clean_guidelines_common||additional_clean_guidelines)"} > diff --git a/docs/misra/deviations.rst b/docs/misra/deviations.rst > index d51aa422b5..b66c271c4e 100644 > --- a/docs/misra/deviations.rst > +++ b/docs/misra/deviations.rst > @@ -415,12 +415,34 @@ Deviations related to MISRA C:2012 Rules: > - Tagged as `deliberate` for ECLAIR. > > * - R16.3 > - - Switch clauses ending with continue, goto, return statements are safe. > + - Statements that change the control flow (i.e., break, continue, goto, > + return) and calls to functions that do not return the control back are > + \"allowed terminal statements\". > - Tagged as `safe` for ECLAIR. > > * - R16.3 > - - Switch clauses ending with a call to a function that does not give > - the control back (i.e., a function with attribute noreturn) are safe. > + - An if-else statement having both branches ending with one of the allowed > + terminal statemets is itself an allowed terminal statements. > + - Tagged as `safe` for ECLAIR. > + > + * - R16.3 > + - An if-else statement having an always true condition and the true > + branch ending with an allowed terminal statement is itself an allowed > + terminal statement. > + - Tagged as `safe` for ECLAIR. > + > + * - R16.3 > + - A switch clause ending with a statement expression which, in turn, ends > + with an allowed terminal statement (e.g., the expansion of > + generate_exception()) is safe. > + - Tagged as `safe` for ECLAIR. > + > + * - R16.3 > + - A switch clause ending with a do-while-false the body of which, in turn, > + ends with an allowed terminal statement (e.g., PARSE_ERR_RET()) is safe. > + An exception to that is the macro ASSERT_UNREACHABLE() which is > + effective in debug build only: a switch clause ending with > + ASSERT_UNREACHABLE() is not considered safe. > - Tagged as `safe` for ECLAIR. > > * - R16.3 > -- > 2.34.1 >
© 2016 - 2024 Red Hat, Inc.