[PATCH] misra: address Rule 11.3 for NextMemoryDescriptor macro

Dmytro Prokopchuk1 posted 1 patch 3 months, 2 weeks ago
Posted by Dmytro Prokopchuk1 3 months, 2 weeks ago
The 'NextMemoryDescriptor()' macro casts a (UINT8 *) pointer to an
(EFI_MEMORY_DESCRIPTOR *) pointer, which is not allowed by MISRA C
Rule 11.3 as they point to different object types.

This macro is part of the EFI imported code ('xen/include/efi/') and
is deviated with a SAF comment.

Signed-off-by: Dmytro Prokopchuk <dmytro_prokopchuk1@epam.com>
---
 docs/misra/safe.json        | 8 ++++++++
 xen/arch/arm/efi/efi-boot.h | 1 +
 2 files changed, 9 insertions(+)

diff --git a/docs/misra/safe.json b/docs/misra/safe.json
index 3584cb90c6..c5e193e0f7 100644
--- a/docs/misra/safe.json
+++ b/docs/misra/safe.json
@@ -124,6 +124,14 @@
         },
         {
             "id": "SAF-15-safe",
+            "analyser": {
+                "eclair": "MC3A2.R11.3"
+            },
+            "name": "Rule 11.3: casting a pointer to object into a pointer to a different object",
+            "text": "Violation due to the use of 'NextMemoryDescriptor()' macro is allowed, as that is EFI imported code."
+        },
+        {
+            "id": "SAF-16-safe",
             "analyser": {},
             "name": "Sentinel",
             "text": "Next ID to be used"
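Review bot: the "text" field only records that the code is imported, not why the cast is safe, which is what a safe.json entry is meant to justify; consider stating that the buffer returned by firmware is a sequence of EFI_MEMORY_DESCRIPTOR records at a desc_size stride, so advancing a (UINT8 *) by desc_size always lands on the start of the next descriptor. Because the cast lives inside the macro, the deviation must also be marked at every call site (one today), so the alternative raised later in the thread, stepping over a void * base instead of using the macro, would make this entry unnecessary altogether.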
diff --git a/xen/arch/arm/efi/efi-boot.h b/xen/arch/arm/efi/efi-boot.h
index 7844b9529e..a87004001b 100644
--- a/xen/arch/arm/efi/efi-boot.h
+++ b/xen/arch/arm/efi/efi-boot.h
@@ -227,6 +227,7 @@ static EFI_STATUS __init efi_process_memory_map_bootinfo(EFI_MEMORY_DESCRIPTOR *
             }
         }
 #endif
+        /* SAF-15-safe casting a pointer */
         desc_ptr = NextMemoryDescriptor(desc_ptr, desc_size);
     }
 
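Review bot: the loop bound that stops this walk is outside the hunk, and since desc_size is supplied by firmware the limit should be derived from the map size (number of descriptors = map size / desc_size) rather than from the stride alone, otherwise a stride larger than sizeof(EFI_MEMORY_DESCRIPTOR) walks past the buffer; please confirm that is how efi_process_memory_map_bootinfo() is bounded. The marker text "casting a pointer" could also name what is deviated, e.g. /* SAF-15-safe (UINT8 *) to (EFI_MEMORY_DESCRIPTOR *) cast inside NextMemoryDescriptor() */, so a reader does not have to open the imported header to see which cast is meant.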
-- 
2.43.0
Re: [PATCH] misra: address Rule 11.3 for NextMemoryDescriptor macro
Posted by Stefano Stabellini 2 months ago
On Thu, 23 Oct 2025, Dmytro Prokopchuk1 wrote:
> The 'NextMemoryDescriptor()' macro casts a (UINT8 *) pointer to an
> (EFI_MEMORY_DESCRIPTOR *) pointer, which is not allowed by MISRA C
> Rule 11.3 as they point to different object types.
> 
> This macro is part of the EFI imported code ('xen/include/efi/') and
> is deviated with a SAF comment.
> 
> Signed-off-by: Dmytro Prokopchuk <dmytro_prokopchuk1@epam.com>

Reviewed-by: Stefano Stabellini <sstabellini@kernel.org>

I saw Jan's comment but I think this is OK


> ---
>  docs/misra/safe.json        | 8 ++++++++
>  xen/arch/arm/efi/efi-boot.h | 1 +
>  2 files changed, 9 insertions(+)
> 
> diff --git a/docs/misra/safe.json b/docs/misra/safe.json
> index 3584cb90c6..c5e193e0f7 100644
> --- a/docs/misra/safe.json
> +++ b/docs/misra/safe.json
> @@ -124,6 +124,14 @@
>          },
>          {
>              "id": "SAF-15-safe",
> +            "analyser": {
> +                "eclair": "MC3A2.R11.3"
> +            },
> +            "name": "Rule 11.3: casting a pointer to object into a pointer to a different object",
> +            "text": "Violation due to the use of 'NextMemoryDescriptor()' macro is allowed, as that is EFI imported code."
> +        },
> +        {
> +            "id": "SAF-16-safe",
>              "analyser": {},
>              "name": "Sentinel",
>              "text": "Next ID to be used"
> diff --git a/xen/arch/arm/efi/efi-boot.h b/xen/arch/arm/efi/efi-boot.h
> index 7844b9529e..a87004001b 100644
> --- a/xen/arch/arm/efi/efi-boot.h
> +++ b/xen/arch/arm/efi/efi-boot.h
> @@ -227,6 +227,7 @@ static EFI_STATUS __init efi_process_memory_map_bootinfo(EFI_MEMORY_DESCRIPTOR *
>              }
>          }
>  #endif
> +        /* SAF-15-safe casting a pointer */
>          desc_ptr = NextMemoryDescriptor(desc_ptr, desc_size);
>      }
>  
> -- 
> 2.43.0
>
Re: [PATCH] misra: address Rule 11.3 for NextMemoryDescriptor macro
Posted by Stefano Stabellini 2 months ago
On Tue, 9 Dec 2025, Stefano Stabellini wrote:
> On Thu, 23 Oct 2025, Dmytro Prokopchuk1 wrote:
> > The 'NextMemoryDescriptor()' macro casts a (UINT8 *) pointer to an
> > (EFI_MEMORY_DESCRIPTOR *) pointer, which is not allowed by MISRA C
> > Rule 11.3 as they point to different object types.
> > 
> > This macro is part of the EFI imported code ('xen/include/efi/') and
> > is deviated with a SAF comment.
> > 
> > Signed-off-by: Dmytro Prokopchuk <dmytro_prokopchuk1@epam.com>
> 
> Reviewed-by: Stefano Stabellini <sstabellini@kernel.org>
> 
> I saw Jan's comment but I think this is OK

I take it back, I saw that Dmytro managed to make a newer and better
version of this following Jan's comment. All good.
Re: [PATCH] misra: address Rule 11.3 for NextMemoryDescriptor macro
Posted by Dmytro Prokopchuk1 1 month, 4 weeks ago

On 12/10/25 02:54, Stefano Stabellini wrote:
> On Tue, 9 Dec 2025, Stefano Stabellini wrote:
>> On Thu, 23 Oct 2025, Dmytro Prokopchuk1 wrote:
>>> The 'NextMemoryDescriptor()' macro casts a (UINT8 *) pointer to an
>>> (EFI_MEMORY_DESCRIPTOR *) pointer, which is not allowed by MISRA C
>>> Rule 11.3 as they point to different object types.
>>>
>>> This macro is part of the EFI imported code ('xen/include/efi/') and
>>> is deviated with a SAF comment.
>>>
>>> Signed-off-by: Dmytro Prokopchuk <dmytro_prokopchuk1@epam.com>
>>
>> Reviewed-by: Stefano Stabellini <sstabellini@kernel.org>
>>
>> I saw Jan's comment but I think this is OK
> 
> I take it back, I saw that Dmytro managed to make a newer and better
> version of this following Jan's comment. All good.

Yes, you are right.
The v2 is here:
https://patchew.org/Xen/212a1ac4ee568f027f6cb7f9437aa42d2f0b6c41.1761599221.git.dmytro._5Fprokopchuk1@epam.com/

Dmytro.
Re: [PATCH] misra: address Rule 11.3 for NextMemoryDescriptor macro
Posted by Jan Beulich 3 months, 2 weeks ago
On 23.10.2025 20:00, Dmytro Prokopchuk1 wrote:
> --- a/xen/arch/arm/efi/efi-boot.h
> +++ b/xen/arch/arm/efi/efi-boot.h
> @@ -227,6 +227,7 @@ static EFI_STATUS __init efi_process_memory_map_bootinfo(EFI_MEMORY_DESCRIPTOR *
>              }
>          }
>  #endif
> +        /* SAF-15-safe casting a pointer */
>          desc_ptr = NextMemoryDescriptor(desc_ptr, desc_size);
>      }
>  

While at present we have only one use site, needing per-use-site comments
isn't very nice. Putting it into the imported header isn't nice either.
Could Arm perhaps get away without using the macro, just like x86 manages
to?

Jan
Re: [PATCH] misra: address Rule 11.3 for NextMemoryDescriptor macro
Posted by Julien Grall 3 months, 2 weeks ago
Hi Jan,

On 24/10/2025 08:43, Jan Beulich wrote:
> On 23.10.2025 20:00, Dmytro Prokopchuk1 wrote:
>> --- a/xen/arch/arm/efi/efi-boot.h
>> +++ b/xen/arch/arm/efi/efi-boot.h
>> @@ -227,6 +227,7 @@ static EFI_STATUS __init efi_process_memory_map_bootinfo(EFI_MEMORY_DESCRIPTOR *
>>               }
>>           }
>>   #endif
>> +        /* SAF-15-safe casting a pointer */
>>           desc_ptr = NextMemoryDescriptor(desc_ptr, desc_size);
>>       }
>>   
> 
> While at present we have only one use site, needing per-use-site comments
> isn't very nice. Putting it into the imported header isn't nice either.
> Could Arm perhaps get away without using the macro, just like x86 manages
> to?


IIUC, you mean something like:

EFI_MEMORY_DESCRIPTOR *desc = efi_memmap + i;

If so, this would work for me.

Cheers,

-- 
Julien Grall
Re: [PATCH] misra: address Rule 11.3 for NextMemoryDescriptor macro
Posted by Jan Beulich 3 months, 2 weeks ago
On 26.10.2025 22:37, Julien Grall wrote:
> Hi Jan,
> 
> On 24/10/2025 08:43, Jan Beulich wrote:
>> On 23.10.2025 20:00, Dmytro Prokopchuk1 wrote:
>>> --- a/xen/arch/arm/efi/efi-boot.h
>>> +++ b/xen/arch/arm/efi/efi-boot.h
>>> @@ -227,6 +227,7 @@ static EFI_STATUS __init efi_process_memory_map_bootinfo(EFI_MEMORY_DESCRIPTOR *
>>>               }
>>>           }
>>>   #endif
>>> +        /* SAF-15-safe casting a pointer */
>>>           desc_ptr = NextMemoryDescriptor(desc_ptr, desc_size);
>>>       }
>>>   
>>
>> While at present we have only one use site, needing per-use-site comments
>> isn't very nice. Putting it into the imported header isn't nice either.
>> Could Arm perhaps get away without using the macro, just like x86 manages
>> to?
> 
> 
> IIUC, you mean something like:
> 
> EFI_MEMORY_DESCRIPTOR *desc = efi_memmap + i;
> 
> If so, this would work for me.

Right, provided that efi_memmap is of type void * or const void *.

Jan
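The two ways of stepping through the memory map discussed in this thread, side by side, as an added example that is not part of the patch or of Xen's code. It assumes a constructed descriptor layout mirroring the UEFI EFI_MEMORY_DESCRIPTOR fields (not Xen's imported header), a copy of the macro under the hypothetical name NEXT_DESC, and a constructed three-entry memory map whose stride is wider than the structure, as firmware is allowed to report. The macro walker carries the (UINT8 *) to descriptor cast that Rule 11.3 flags; the index walker keeps the base as const void *, computes each record's byte offset from desc_size and copies the record out with memcpy, which avoids both the Rule 11.3 cast and the arithmetic on void * that the 'efi_memmap + i' form relies on (a GNU extension). Both validate the firmware-supplied geometry before touching the buffer, which is the check a reviewer would want next to any use of desc_size.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the UEFI EFI_MEMORY_DESCRIPTOR layout (not Xen's header). */
typedef struct {
    uint32_t Type;
    uint32_t Pad;
    uint64_t PhysicalStart;
    uint64_t VirtualStart;
    uint64_t NumberOfPages;
    uint64_t Attribute;
} efi_memory_descriptor_t;

#define EFI_CONVENTIONAL_MEMORY 7u

/* Same shape as the imported macro: this (uint8_t *) -> descriptor cast is what Rule 11.3 flags. */
#define NEXT_DESC(ptr, size) \
    ((efi_memory_descriptor_t *)(((uint8_t *)(ptr)) + (size)))

/* Reject firmware geometry the walkers cannot trust: a stride shorter than a
 * descriptor, or a map size that is not a whole number of strides. */
static int map_geometry_ok(size_t map_size, size_t desc_size)
{
    return desc_size >= sizeof(efi_memory_descriptor_t) &&
           map_size % desc_size == 0;
}

/* Walk with the macro; the loop is bounded by map_size, not by the stride alone. */
uint64_t sum_conventional_with_macro(void *map, size_t map_size, size_t desc_size)
{
    efi_memory_descriptor_t *d = map;
    uint8_t *end = (uint8_t *)map + map_size;
    uint64_t pages = 0;

    if ( !map_geometry_ok(map_size, desc_size) )
        return 0;

    while ( (uint8_t *)d < end )
    {
        if ( d->Type == EFI_CONVENTIONAL_MEMORY )
            pages += d->NumberOfPages;
        d = NEXT_DESC(d, desc_size);
    }
    return pages;
}

/* Walk by index over a const void * base: byte offset i * desc_size, then a
 * memcpy into an aligned local, so no pointer-type cast and no void * arithmetic. */
uint64_t sum_conventional_by_index(const void *map, size_t map_size, size_t desc_size)
{
    const uint8_t *base = map;
    uint64_t pages = 0;
    size_t i;

    if ( !map_geometry_ok(map_size, desc_size) )
        return 0;

    for ( i = 0; i < map_size / desc_size; i++ )
    {
        efi_memory_descriptor_t d;

        memcpy(&d, base + i * desc_size, sizeof d);
        if ( d.Type == EFI_CONVENTIONAL_MEMORY )
            pages += d.NumberOfPages;
    }
    return pages;
}

/* Constructed memory map: three descriptors at a padded stride, as firmware may report. */
#define TEST_DESC_SIZE (sizeof(efi_memory_descriptor_t) + 8)
#define TEST_NDESC 3

size_t build_test_map(uint8_t *buf, size_t buflen)
{
    static const efi_memory_descriptor_t descs[TEST_NDESC] = {
        { EFI_CONVENTIONAL_MEMORY, 0, 0x40000000, 0, 100, 0 },
        { 0, 0, 0x40100000, 0, 50, 0 },            /* EfiReservedMemoryType, not counted */
        { EFI_CONVENTIONAL_MEMORY, 0, 0x40200000, 0, 24, 0 },
    };
    size_t i;

    if ( buflen < TEST_NDESC * TEST_DESC_SIZE )
        return 0;
    memset(buf, 0xA5, TEST_NDESC * TEST_DESC_SIZE);   /* padding bytes are junk on purpose */
    for ( i = 0; i < TEST_NDESC; i++ )
        memcpy(buf + i * TEST_DESC_SIZE, &descs[i], sizeof descs[i]);
    return TEST_NDESC * TEST_DESC_SIZE;
}

/* Build the constructed map and walk it with either method using the given stride. */
uint64_t demo_walk(int use_macro, size_t desc_size)
{
    static union { uint64_t align; uint8_t bytes[TEST_NDESC * TEST_DESC_SIZE]; } m;
    size_t map_size = build_test_map(m.bytes, sizeof m.bytes);

    return use_macro ? sum_conventional_with_macro(m.bytes, map_size, desc_size)
                     : sum_conventional_by_index(m.bytes, map_size, desc_size);
}

int main(void)
{
    printf("macro walk: %llu pages, index walk: %llu pages\n",
           (unsigned long long)demo_walk(1, TEST_DESC_SIZE),
           (unsigned long long)demo_walk(0, TEST_DESC_SIZE));
    return 0;
}
```

Both walkers count 124 conventional pages on the constructed map; passing a stride that does not fit the map (too small, or one that does not divide map_size) makes both return 0 instead of reading past the buffer, which is the property the deviation text should be able to appeal to.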
Re: [PATCH] misra: address Rule 11.3 for NextMemoryDescriptor macro
Posted by Dmytro Prokopchuk1 3 months, 2 weeks ago

On 10/27/25 10:50, Jan Beulich wrote:
> On 26.10.2025 22:37, Julien Grall wrote:
>> Hi Jan,
>>
>> On 24/10/2025 08:43, Jan Beulich wrote:
>>> On 23.10.2025 20:00, Dmytro Prokopchuk1 wrote:
>>>> --- a/xen/arch/arm/efi/efi-boot.h
>>>> +++ b/xen/arch/arm/efi/efi-boot.h
>>>> @@ -227,6 +227,7 @@ static EFI_STATUS __init efi_process_memory_map_bootinfo(EFI_MEMORY_DESCRIPTOR *
>>>>                }
>>>>            }
>>>>    #endif
>>>> +        /* SAF-15-safe casting a pointer */
>>>>            desc_ptr = NextMemoryDescriptor(desc_ptr, desc_size);
>>>>        }
>>>>    
>>>
>>> While at present we have only one use site, needing per-use-site comments
>>> isn't very nice. Putting it into the imported header isn't nice either.
>>> Could Arm perhaps get away without using the macro, just like x86 manages
>>> to?
>>
>>
>> IIUC, you mean something like:
>>
>> EFI_MEMORY_DESCRIPTOR *desc = efi_memmap + i;
>>
>> If so, this would work for me.
> 
> Right, provided that efi_memmap is of type void * or const void *.
> 
> Jan

Thank you for the advice. I'll prepare v2.
Dmytro.