[PATCH] misra: address Rule 11.3 for NextMemoryDescriptor macro

Dmytro Prokopchuk1 posted 1 patch 6 days, 1 hour ago
git fetch https://gitlab.com/xen-project/patchew/xen tags/patchew/78112778d6fd5f720f7102db7125c844b747a962.1761242341.git.dmytro._5Fprokopchuk1@epam.com
Posted by Dmytro Prokopchuk1 6 days, 1 hour ago
The 'NextMemoryDescriptor()' macro is casting a (UINT8 *) pointer to an
(EFI_MEMORY_DESCRIPTOR *) pointer, which is not allowed by MISRA C
Rule 11.3 as they point to different object types.

This macro is a part of the EFI imported code ('xen/include/efi/') and
is deviated with a SAF comment.

Signed-off-by: Dmytro Prokopchuk <dmytro_prokopchuk1@epam.com>
---
 docs/misra/safe.json        | 8 ++++++++
 xen/arch/arm/efi/efi-boot.h | 1 +
 2 files changed, 9 insertions(+)

diff --git a/docs/misra/safe.json b/docs/misra/safe.json
index 3584cb90c6..c5e193e0f7 100644
--- a/docs/misra/safe.json
+++ b/docs/misra/safe.json
@@ -124,6 +124,14 @@
         },
         {
             "id": "SAF-15-safe",
+            "analyser": {
+                "eclair": "MC3A2.R11.3"
+            },
+            "name": "Rule 11.3: casting a pointer to object into a pointer to a different object",
+            "text": "Violation due to the use of 'NextMemoryDescriptor()' macro is allowed, as that is EFI imported code."
+        },
+        {
+            "id": "SAF-16-safe",
             "analyser": {},
             "name": "Sentinel",
             "text": "Next ID to be used"
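Review bot: the "text" of the new SAF-15-safe entry justifies the deviation only by provenance ("as that is EFI imported code") and does not say why the converted pointer is valid to dereference. A deviation record is more useful to a later auditor if it states the property relied on, for example that the descriptor pointer is only ever advanced by the descriptor size reported with the memory map and therefore stays suitably aligned for EFI_MEMORY_DESCRIPTOR. The "name" is also worded for Rule 11.3 in general while the "text" is tied to a single macro, so either narrow the name or make the text reusable.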
diff --git a/xen/arch/arm/efi/efi-boot.h b/xen/arch/arm/efi/efi-boot.h
index 7844b9529e..a87004001b 100644
--- a/xen/arch/arm/efi/efi-boot.h
+++ b/xen/arch/arm/efi/efi-boot.h
@@ -227,6 +227,7 @@ static EFI_STATUS __init efi_process_memory_map_bootinfo(EFI_MEMORY_DESCRIPTOR *
             }
         }
 #endif
+        /* SAF-15-safe casting a pointer */
         desc_ptr = NextMemoryDescriptor(desc_ptr, desc_size);
     }
 
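Review bot: the added `/* SAF-15-safe casting a pointer */` sits at the use site of `NextMemoryDescriptor()`, so every future use of the macro would need its own copy of the comment, and the wording "casting a pointer" does not tell a reader what makes this cast acceptable. Consider advancing desc_ptr without the macro, through a `void *` plus desc_size, so that no Rule 11.3 conversion remains and no SAF tag is needed here. If the tag stays, say in the comment which pointer is converted and why the result is valid.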
-- 
2.43.0
Re: [PATCH] misra: address Rule 11.3 for NextMemoryDescriptor macro
Posted by Jan Beulich 5 days, 11 hours ago
On 23.10.2025 20:00, Dmytro Prokopchuk1 wrote:
> --- a/xen/arch/arm/efi/efi-boot.h
> +++ b/xen/arch/arm/efi/efi-boot.h
> @@ -227,6 +227,7 @@ static EFI_STATUS __init efi_process_memory_map_bootinfo(EFI_MEMORY_DESCRIPTOR *
>              }
>          }
>  #endif
> +        /* SAF-15-safe casting a pointer */
>          desc_ptr = NextMemoryDescriptor(desc_ptr, desc_size);
>      }
>  

While at present we have only one use site, needing per-use-site comments
isn't very nice. Putting it into the imported header isn't nice either.
Could Arm perhaps get away without using the macro, just like x86 manages
to?

Jan
Re: [PATCH] misra: address Rule 11.3 for NextMemoryDescriptor macro
Posted by Julien Grall 2 days, 21 hours ago
Hi Jan,

On 24/10/2025 08:43, Jan Beulich wrote:
> On 23.10.2025 20:00, Dmytro Prokopchuk1 wrote:
>> --- a/xen/arch/arm/efi/efi-boot.h
>> +++ b/xen/arch/arm/efi/efi-boot.h
>> @@ -227,6 +227,7 @@ static EFI_STATUS __init efi_process_memory_map_bootinfo(EFI_MEMORY_DESCRIPTOR *
>>               }
>>           }
>>   #endif
>> +        /* SAF-15-safe casting a pointer */
>>           desc_ptr = NextMemoryDescriptor(desc_ptr, desc_size);
>>       }
>>   
> 
> While at present we have only one use site, needing per-use-site comments
> isn't very nice. Putting it into the imported header isn't nice either.
> Could Arm perhaps get away without using the macro, just like x86 manages
> to?


IIUC, you mean something like:

EFI_MEMORY_DESCRIPTOR *desc = efi_memmap + i;

If so, this would work for me.

Cheers,

-- 
Julien Grall
Re: [PATCH] misra: address Rule 11.3 for NextMemoryDescriptor macro
Posted by Jan Beulich 2 days, 10 hours ago
On 26.10.2025 22:37, Julien Grall wrote:
> Hi Jan,
> 
> On 24/10/2025 08:43, Jan Beulich wrote:
>> On 23.10.2025 20:00, Dmytro Prokopchuk1 wrote:
>>> --- a/xen/arch/arm/efi/efi-boot.h
>>> +++ b/xen/arch/arm/efi/efi-boot.h
>>> @@ -227,6 +227,7 @@ static EFI_STATUS __init efi_process_memory_map_bootinfo(EFI_MEMORY_DESCRIPTOR *
>>>               }
>>>           }
>>>   #endif
>>> +        /* SAF-15-safe casting a pointer */
>>>           desc_ptr = NextMemoryDescriptor(desc_ptr, desc_size);
>>>       }
>>>   
>>
>> While at present we have only one use site, needing per-use-site comments
>> isn't very nice. Putting it into the imported header isn't nice either.
>> Could Arm perhaps get away without using the macro, just like x86 manages
>> to?
> 
> 
> IIUC, you mean something like:
> 
> EFI_MEMORY_DESCRIPTOR *desc = efi_memmap + i;
> 
> If so, this would work for me.

Right, provided that efi_memmap is of type void * or const void *.

Jan
Re: [PATCH] misra: address Rule 11.3 for NextMemoryDescriptor macro
Posted by Dmytro Prokopchuk1 1 day, 22 hours ago

On 10/27/25 10:50, Jan Beulich wrote:
> On 26.10.2025 22:37, Julien Grall wrote:
>> Hi Jan,
>>
>> On 24/10/2025 08:43, Jan Beulich wrote:
>>> On 23.10.2025 20:00, Dmytro Prokopchuk1 wrote:
>>>> --- a/xen/arch/arm/efi/efi-boot.h
>>>> +++ b/xen/arch/arm/efi/efi-boot.h
>>>> @@ -227,6 +227,7 @@ static EFI_STATUS __init efi_process_memory_map_bootinfo(EFI_MEMORY_DESCRIPTOR *
>>>>                }
>>>>            }
>>>>    #endif
>>>> +        /* SAF-15-safe casting a pointer */
>>>>            desc_ptr = NextMemoryDescriptor(desc_ptr, desc_size);
>>>>        }
>>>>    
>>>
>>> While at present we have only one use site, needing per-use-site comments
>>> isn't very nice. Putting it into the imported header isn't nice either.
>>> Could Arm perhaps get away without using the macro, just like x86 manages
>>> to?
>>
>>
>> IIUC, you mean something like:
>>
>> EFI_MEMORY_DESCRIPTOR *desc = efi_memmap + i;
>>
>> If so, this would work for me.
> 
> Right, provided that efi_memmap is of type void * or const void *.
> 
> Jan

Thank you for the advice. I'll prepare v2.
Dmytro.
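
The loop shape Julien Grall and Jan Beulich discuss above, written out as an added example; it is not code from the Xen tree or from this thread. `struct mem_desc`, `union slot`, `count_pages()` and `demo()` are hypothetical names, the sample map is constructed, and the walk relies on GNU C arithmetic on `void *`.

```c
#include <stddef.h>
#include <stdint.h>

/* Hypothetical, simplified stand-in for EFI_MEMORY_DESCRIPTOR (40 bytes). */
struct mem_desc {
    uint32_t type, pad;
    uint64_t phys_start, virt_start, num_pages, attribute;
};

/*
 * Sum num_pages over descriptors of one type.  The base is 'const void *',
 * so 'map + i' is a byte offset (GNU C extension) and the conversion to the
 * descriptor type is implicit from void *, not a cast between two different
 * object pointer types.  Returns -1 if the supplied sizes are inconsistent.
 */
static int64_t count_pages(const void *map, size_t map_size,
                           size_t desc_size, uint32_t type)
{
    int64_t pages = 0;

    /* The stride may be larger than the struct, but never smaller. */
    if ( desc_size < sizeof(struct mem_desc) ||
         desc_size % _Alignof(struct mem_desc) ||
         map_size % desc_size )
        return -1;

    for ( size_t i = 0; i < map_size; i += desc_size )
    {
        const struct mem_desc *desc = map + i;

        if ( desc->type == type )
            pages += (int64_t)desc->num_pages;
    }
    return pages;
}

/* Constructed sample: 48-byte slots, larger than the 40-byte struct. */
union slot { struct mem_desc d; unsigned char raw[48]; };

static int64_t demo(uint32_t type)
{
    static const union slot map[3] = {
        { .d = { .type = 7, .num_pages = 16 } },
        { .d = { .type = 0, .num_pages = 4 } },
        { .d = { .type = 7, .num_pages = 32 } },
    };
    return count_pages(map, sizeof(map), sizeof(map[0]), type);
}

int main(void) { return demo(7) == 48 ? 0 : 1; }
```

Indexing the buffer as an array of `struct mem_desc` would use a 40-byte stride and misread the second and third slots, which is why the byte offset has to come from the reported descriptor size.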