From: Simone Ballarin
To: xen-devel@lists.xenproject.org
Cc: consulting@bugseng.com, Maria Celeste Cesario, Simone Ballarin, Doug Goldstein, Stefano Stabellini, Andrew Cooper, George Dunlap, Jan Beulich, Julien Grall, Wei Liu
Subject: [PATCH 8/9] xen: add deviations for Rule 11.8
Date: Thu, 14 Dec 2023 13:07:50 +0100
Message-Id: <854747a97c4c7a70bfe1a30a038f2cc6aebfb566.1702555387.git.maria.celeste.cesario@bugseng.com>

From: Maria Celeste Cesario

The xen sources contain violations of MISRA C:2012 Rule 11.8 whose
headline states:
"A conversion shall not remove any const, volatile or _Atomic
qualification from the type pointed to by a pointer".

Deviate use of macro container_of.
Deviate use of function ERR_CAST.

Signed-off-by: Maria Celeste Cesario
Signed-off-by: Simone Ballarin
---
container_of: Fixing this violation would require the declaration of a new
macro taking advantage of the return value of the ternary operator ?: :
its return value preserves qualifiers present on both expressions, hence
returning void* or qualified void* depending on pointer type, like in this
macro:
'#define same_constness_void_ptr(ptr) ((typeof((false ? (void*) 1 : (ptr)))) (ptr))'
The result could then be used with a Generic to avoid the cast.
---
 automation/eclair_analysis/ECLAIR/deviations.ecl | 12 ++++++++++++
 docs/misra/deviations.rst                        | 13 +++++++++++++
 2 files changed, 25 insertions(+)

diff --git a/automation/eclair_analysis/ECLAIR/deviations.ecl b/automation/= eclair_analysis/ECLAIR/deviations.ecl index 683f2bbfe8..d3e32a6ac8 100644
--- a/automation/eclair_analysis/ECLAIR/deviations.ecl +++ b/automation/eclair_analysis/ECLAIR/deviations.ecl @@ -292,6 +292,18 @@ constant expressions are required.\"" # Series 11 # =20 +-doc_begin=3D"Violations caused by container_of are due to pointer arithme= tic operations +with the provided offset. The resulting pointer is then immediately cast b= ack to its +original type, which preserves the qualifier. This use can be deemed as sa= fe. +Fixing this violation would require to increase code complexity and lower = readability." +-config=3DMC3R1.R11.8,reports+=3D{safe,"any_area(any_loc(any_exp(macro(^co= ntainer_of$))))"} +-doc_end + +-doc_begin=3D"This function is made to explicitly cast an error-valued poi= nter to a void +pointer type to make it clear that's what's going on, so the violation is = deliberate." +-config=3DMC3R1.R11.8,reports+=3D{deliberate,"all_area(context(^ERR_CAST\\= (.*$))"} +-doc_end + -doc_begin=3D"This construct is used to check if the type is scalar, and f= or this purpose the use of 0 as a null pointer constant is deliberate." -config=3DMC3R1.R11.9,reports+=3D{deliberate, "any_area(any_loc(any_exp(ma= cro(^__ACCESS_ONCE$))))" } diff --git a/docs/misra/deviations.rst b/docs/misra/deviations.rst index eda3c8100c..98733d636d 100644 --- a/docs/misra/deviations.rst +++ b/docs/misra/deviations.rst 
@@ -248,6 +248,19 @@ Deviations related to MISRA C:2012 Rules: If no bits are set, 0 is returned. - Tagged as `safe` for ECLAIR. =20 + * - R11.8 + - Violations caused by container_of are due to pointer arithmetic ope= rations + with the provided offset. The resulting pointer is then immediately= cast back to its + original type, which preserves the qualifier. This use can be deeme= d as safe. + Fixing this violation would require to increase code complexity and= lower readability. + - Tagged as `safe` for ECLAIR. + =20 + * - R11.8 + - This function is made to explicitly cast an error-valued pointer to= a + void pointer type to make it clear that's what's going on, so the + violation is deliberate. + - Tagged ad `deliberate` for ECLAIR. + * - R11.9 - __ACCESS_ONCE uses an integer, which happens to be zero, as a compile time check. The typecheck uses a cast. The usage of zero or= other --=20 2.40.0
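
Review bot: In the deviations.ecl hunk, the container_of justification rests on the final cast going "back to its original type, which preserves the qualifier", but the selector any_area(any_loc(any_exp(macro(^container_of$)))) tags every Rule 11.8 report inside an expansion of the macro as safe, whatever type the cast names. Nothing in the entry ties the "safe" claim to the case where the target type carries the same qualifier as the input pointer, so a use that really does drop const would be silenced as well. Please state that assumption in the -doc_begin text, or narrow the selector. The ERR_CAST entry has a similar gap: it says the cast to a void pointer is deliberate but not which qualifier is removed or why that is acceptable. Wording nit in the same block: "would require to increase code complexity and lower readability" reads better as "would require increasing code complexity and lowering readability".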
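
Review bot: In the deviations.rst hunk, the second R11.8 entry begins "This function is made to explicitly cast an error-valued pointer" without ever naming ERR_CAST, so a reader of the table cannot tell which function the deviation covers; the first entry names container_of, and this one should name its function the same way. The same entry has a typo, "Tagged ad `deliberate` for ECLAIR", which should read "Tagged as". The added whitespace-only line between the two R11.8 entries is also inconsistent with the blank separator used before the R11.9 entry and introduces trailing whitespace.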
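
The alternative sketched in the notes after the commit message (qualifier-preserving ?: combined with _Generic), written out as an added example; it is not code from the patch or from Xen. same_constness_void_ptr comes from the notes, with 0 and __typeof__ standing in for false and typeof; container_of_q, co_mut, co_const, yields_const and the struct types are hypothetical names.

```c
#include <stddef.h>

struct list_node { struct list_node *next; };
struct item { int id; struct list_node link; };   /* hypothetical container */

/* Macro from the commit notes. (void *)1 is not a null pointer constant,
 * so ?: yields a void pointer carrying the qualifiers of *ptr. */
#define same_constness_void_ptr(ptr) \
    ((__typeof__((0 ? (void *)1 : (ptr))))(ptr))

/* Offset arithmetic, once per constness; no qualifier is cast away. */
static inline void *co_mut(void *p, size_t off)
{
    return (char *)p - off;
}
static inline const void *co_const(const void *p, size_t off)
{
    return (const char *)p - off;
}

/* Hypothetical container_of variant: _Generic selects the helper, and the
 * void pointer result converts implicitly, so const in gives const out. */
#define container_of_q(ptr, type, member)                      \
    _Generic(same_constness_void_ptr(ptr),                     \
             const void *: co_const,                           \
             void *: co_mut)(same_constness_void_ptr(ptr),     \
                             offsetof(type, member))

/* 1 if expr has type const void *, 0 if it has type void *. */
#define yields_const(expr) _Generic((expr), const void *: 1, void *: 0)

static struct item sample = { .id = 7 };   /* constructed sample data */

int id_via_const(void)
{
    const struct list_node *n = &sample.link;
    const struct item *it = container_of_q(n, struct item, link);
    return it->id;
}

int id_via_mut(void)
{
    struct list_node *n = &sample.link;
    struct item *it = container_of_q(n, struct item, link);
    it->id += 1;   /* permitted: the input pointer was not const */
    return it->id;
}
```

Assigning the result of container_of_q on a const pointer to a non-const `struct item *` makes the compiler diagnose the dropped qualifier, which is the check Rule 11.8 asks for.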