MISRA C Directive 4.10 states that "Precautions shall be taken in order
to prevent the contents of a header file being included more than
once".
Add a SAF tag and update the comment on top of cpufeatures.h.
Add a header inclusion guard to compile.h.
Generate header guards for hypercall-defs.h
Update ECLAIR configuration to:
- extend existing deviation to other comments explicitly saying a file
is intended for multiple inclusion;
- extend existing deviation to other autogenerated files;
- tag the guidelines as clean.
Update deviations.rst accordingly.
Signed-off-by: Federico Serafini <federico.serafini@bugseng.com>
Signed-off-by: Stefano Stabellini <stefano.stabellini@amd.com>
---
Changes in v6:
- remove in-code comment and use SAF-8-safe instead
- add header guards for hypercall-defs.h
Successful pipeline:
https://gitlab.com/xen-project/people/sstabellini/xen/-/pipelines/1885561040
---
diff --git a/automation/eclair_analysis/ECLAIR/deviations.ecl b/automation/eclair_analysis/ECLAIR/deviations.ecl
index 9c67358d46..3b5bc87e1d 100644
--- a/automation/eclair_analysis/ECLAIR/deviations.ecl
+++ b/automation/eclair_analysis/ECLAIR/deviations.ecl
@@ -72,11 +72,14 @@ they are not instances of commented-out code."
-config=MC3A2.D4.3,reports+={deliberate, "any_area(any_loc(file(arm64_bitops))&&context(name(int_clear_mask16)))"}
-doc_end
--doc_begin="Files that are intended to be included more than once do not need to
-conform to the directive."
+-doc_begin="Files that are intended to be included more than once (and have
+a comment that says this explicitly) do not need to conform to the directive."
-config=MC3A2.D4.10,reports+={safe, "first_area(text(^/\\* This file is intended to be included multiple times\\. \\*/$, begin-4))"}
--config=MC3A2.D4.10,reports+={safe, "first_area(text(^/\\* Generated file, do not edit! \\*/$, begin-3))"}
--config=MC3A2.D4.10,reports+={safe, "all_area(all_loc(file(^xen/include/generated/autoconf.h$)))"}
+-config=MC3A2.D4.10,reports+={safe, "first_area(text(^/\\* Generated file, do not edit! \\*/$, begin-3...begin-2))"}
+-doc_end
+
+-doc_begin="Autogenerated files that do not need to conform to the directive."
+-config=MC3A2.D4.10,reports+={safe, "all_area(all_loc(file(^xen/include/generated/autoconf\\.h$)))"}
-doc_end
-doc_begin="Including multiple times a .c file is safe because every function or data item
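Review bot: The `Generated file, do not edit!` matcher is still registered under the doc block describing files "intended to be included more than once (and have a comment that says this explicitly)", while the new "Autogenerated files" block holds only autoconf.h, so a header exempted through the generated-file comment is justified by text that does not describe it. Moving that `-config=` line below `-doc_begin="Autogenerated files that do not need to conform to the directive."` would make the recorded justification match. Both matchers key on comment text alone, so any header carrying one of those comments is exempted from D4.10 without being named in deviations.rst; with the directive now tagged clean, listing there which files rely on them would keep the exemption auditable. The final `-doc_begin` line opens a block that continues outside the hunk.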
diff --git a/automation/eclair_analysis/ECLAIR/tagging.ecl b/automation/eclair_analysis/ECLAIR/tagging.ecl
index f9da5d5f4d..b95f07feb0 100644
--- a/automation/eclair_analysis/ECLAIR/tagging.ecl
+++ b/automation/eclair_analysis/ECLAIR/tagging.ecl
@@ -23,6 +23,7 @@
"MC3A2.D1.1||
MC3A2.D2.1||
MC3A2.D4.1||
+MC3A2.D4.10||
MC3A2.D4.11||
MC3A2.D4.14||
MC3A2.R1.1||
diff --git a/docs/misra/deviations.rst b/docs/misra/deviations.rst
index fe0b1e10a2..63caa8f4a2 100644
--- a/docs/misra/deviations.rst
+++ b/docs/misra/deviations.rst
@@ -30,6 +30,18 @@ Deviations related to MISRA C:2012 Directives:
not to add an additional encapsulation layer.
- Tagged as `deliberate` for ECLAIR.
+ * - D4.10
+ - Files that are intended to be included more than once (and have
+ a comment that says this explicitly) do not need to conform to the
+ directive.
+ - Tagged as `safe` for ECLAIR.
+
+ * - D4.10
+ - There are autogenerated files that do not need to comply to the
+ directive.
+ - Tagged as `safe` for ECLAIR. Such files are:
+ - xen/include/generated/autoconf.h
+
* - D4.10
- Including multiple times a .c file is safe because every function or data item
it defines would in (the common case) be already defined.
diff --git a/xen/arch/x86/include/asm/cpufeatures.h b/xen/arch/x86/include/asm/cpufeatures.h
index 9e3ed21c02..dce0713adf 100644
--- a/xen/arch/x86/include/asm/cpufeatures.h
+++ b/xen/arch/x86/include/asm/cpufeatures.h
@@ -1,7 +1,6 @@
-/*
- * Explicitly intended for multiple inclusion.
- */
+/* This file is intended to be included multiple times. */
+/* SAF-8-safe */
#include <xen/lib/x86/cpuid-autogen.h>
/* Number of capability words covered by the featureset words. */
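Review bot: The bare `/* SAF-8-safe */` above the `#include` does not say what is being deviated, and the first-line comment is now matched verbatim by the D4.10 entry in deviations.ecl (`This file is intended to be included multiple times\.`), so this header carries two suppression mechanisms with nothing indicating which one the analysis relies on. Assuming SAF-8 is the justification for this include, a short rationale after the tag would help, e.g. `/* SAF-8-safe file intended for multiple inclusion */`. A brief comment that the first-line wording is matched by the ECLAIR configuration would also warn anyone about to reword it.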
diff --git a/xen/include/xen/compile.h.in b/xen/include/xen/compile.h.in
index 3151d1e7d1..9206341ba6 100644
--- a/xen/include/xen/compile.h.in
+++ b/xen/include/xen/compile.h.in
@@ -1,3 +1,6 @@
+#ifndef XEN_COMPILE_H
+#define XEN_COMPILE_H
+
#define XEN_COMPILE_DATE "@@date@@"
#define XEN_COMPILE_TIME "@@time@@"
#define XEN_COMPILE_BY "@@whoami@@"
diff --git a/xen/scripts/gen_hypercall.awk b/xen/scripts/gen_hypercall.awk
index 1a7e051fde..47a18cd75e 100644
--- a/xen/scripts/gen_hypercall.awk
+++ b/xen/scripts/gen_hypercall.awk
@@ -2,6 +2,8 @@
# the calls of the handlers inside a switch() statement.
BEGIN {
+ printf("#ifndef XEN_HYPERCALL_DEFS_H\n");
+ printf("#define XEN_HYPERCALL_DEFS_H\n\n");
printf("/* Generated file, do not edit! */\n\n");
e = 0;
n = 0;
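Review bot: The guard name `XEN_HYPERCALL_DEFS_H` is spelled out separately in BEGIN and in the END hunk, and the `#ifndef`/`#define` pair is printed ahead of the `/* Generated file, do not edit! */` banner, so the generated header no longer opens with the do-not-edit notice. Holding the name in one variable keeps the two ends in step, e.g. `guard = "XEN_HYPERCALL_DEFS_H"; printf("#ifndef %s\n#define %s\n\n", guard, guard);` with `printf("\n#endif /* %s */\n", guard);` in END. Whether the `Generated file` text matcher in deviations.ecl still lines up with the banner's new position cannot be seen from the hunk and is worth confirming. The BEGIN block continues past the end of the hunk.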
@@ -311,4 +313,5 @@ END {
printf("[__HYPERVISOR_%s] = %d, \\\n", fn[call_fn[i]], n_args[call_fn[i]]);
printf("}\n");
}
+ printf("\n#endif /* XEN_HYPERCALL_DEFS_H */\n");
}
diff --git a/xen/tools/process-banner.sed b/xen/tools/process-banner.sed
index 56c76558bc..4cf3f9a116 100755
--- a/xen/tools/process-banner.sed
+++ b/xen/tools/process-banner.sed
@@ -12,3 +12,8 @@ s_(.*)_"\1\\n"_
# Trailing \ on all but the final line.
$!s_$_ \\_
+
+# Append closing header guard
+$a\
+\
+#endif /* XEN_COMPILE_H */
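Review bot: The `$a\` command only fires when sed reads at least one input line, so if the banner input is ever empty the `#endif` is never emitted and compile.h is left with an unterminated `#ifndef XEN_COMPILE_H`. The build would fail loudly rather than silently, but the failure would point at the header and not at the banner. The comment should state the assumption, e.g. `# Append closing header guard; "$" never matches on empty input, so the banner must have at least one line`.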
On Mon, Jun 23, 2025 at 06:19:27PM -0700, Stefano Stabellini wrote:
> diff --git a/xen/include/xen/compile.h.in b/xen/include/xen/compile.h.in
> index 3151d1e7d1..9206341ba6 100644
> --- a/xen/include/xen/compile.h.in
> +++ b/xen/include/xen/compile.h.in
> @@ -1,3 +1,6 @@
> +#ifndef XEN_COMPILE_H
> +#define XEN_COMPILE_H
> +
> #define XEN_COMPILE_DATE "@@date@@"
> #define XEN_COMPILE_TIME "@@time@@"
> #define XEN_COMPILE_BY "@@whoami@@"
> diff --git a/xen/tools/process-banner.sed b/xen/tools/process-banner.sed
> index 56c76558bc..4cf3f9a116 100755
> --- a/xen/tools/process-banner.sed
> +++ b/xen/tools/process-banner.sed
> @@ -12,3 +12,8 @@ s_(.*)_"\1\\n"_
>
> # Trailing \ on all but the final line.
> $!s_$_ \\_
> +
> +# Append closing header guard
> +$a\
> +\
> +#endif /* XEN_COMPILE_H */
Is it wise to put the closing header guard in a file called
"process-banner"? It's not called compile.h-footer.sed.
There are a few ways to make this better:
- simply add the header guard from the Makefile, both opening and
closing.
- Do some more sed with something like:
sed -rf process-banner.sed < .banner >> .banner.processed.tmp
sed -e 's/@@date@@/$(XEN_BUILD_DATE)/g' \
... \
-e '/XEN_BANNER/r .banner.processed.tmp'
# and having the closing header guard in "compile.h.in"
This will add the outpot of process-banner.sed in the lines after
"#define XEN_BANNER", and so before the closing header guard.
- rename the sed command file
(- a forth option would be to use filechk make macro, but the check for
if [ ! -r $@ -o -O $@ ] would be annoying to reproduce.)
Another thing, this could be done in a patch that isn't called
"automation/eclair: update configuration of D4.10".
Cheers,
--
Anthony Perard | Vates XCP-ng Developer
XCP-ng & Xen Orchestra - Vates solutions
web: https://vates.tech
On Mon, Jul 07, 2025 at 12:48:06PM +0000, Anthony PERARD wrote: > On Mon, Jun 23, 2025 at 06:19:27PM -0700, Stefano Stabellini wrote: > > diff --git a/xen/include/xen/compile.h.in b/xen/include/xen/compile.h.in > > index 3151d1e7d1..9206341ba6 100644 > > --- a/xen/include/xen/compile.h.in > > +++ b/xen/include/xen/compile.h.in > > @@ -1,3 +1,6 @@ > > +#ifndef XEN_COMPILE_H > > +#define XEN_COMPILE_H > > + > > #define XEN_COMPILE_DATE "@@date@@" > > #define XEN_COMPILE_TIME "@@time@@" > > #define XEN_COMPILE_BY "@@whoami@@" > > diff --git a/xen/tools/process-banner.sed b/xen/tools/process-banner.sed > > index 56c76558bc..4cf3f9a116 100755 > > --- a/xen/tools/process-banner.sed > > +++ b/xen/tools/process-banner.sed 
> > @@ -12,3 +12,8 @@ s_(.*)_"\1\\n"_ > > > > # Trailing \ on all but the final line. > > $!s_$_ \\_ > > + > > +# Append closing header guard > > +$a\ > > +\ > > +#endif /* XEN_COMPILE_H */ > > Is it wise to put the closing header guard in a file call > "process-banner" ? It's not call compile.h-footer.sed. > > There's a few way to make this better: > - simple add the header guard from the Makefile, both opening and > closing. > - Do some more sed with something like: > sed -rf process-banner.sed < .banner >> .banner.processed.tmp > sed -e 's/@@date@@/$(XEN_BUILD_DATE)/g' \ > ... \ > -e '/XEN_BANNER/r .banner.processed.tmp' > # and having the closing header guard in "compile.h.in" > This will add the outpot of process-banner.sed in the lines after > "#define XEN_BANNER", and so before the closing header guard. > - rename the sed command file > (- a forth option would be to use filechk make macro, but the check for > if [ ! -r $@ -o -O $@ ] would be annoying to reproduce.) > > Another thing, this could be done in a patch that isn't called > "automation/eclair: update configuration of D4.10". Sorry, I failed to notice the patch was already commited. I guess it's good enough like that. -- Anthony Perard | Vates XCP-ng Developer XCP-ng & Xen Orchestra - Vates solutions web: https://vates.tech
Hello, All!
Do you have any comments on this patch?
Does it need any improvement?
BR, Dmytro.
On 6/24/25 04:19, Stefano Stabellini wrote:
> MISRA C Directive 4.10 states that "Precautions shall be taken in order
> to prevent the contents of a header file being included more than
> once".
>
> Add a SAF tag and update the comment on top of cpufeatures.h.
> Add a header inclusion guard to compile.h.
> Generate header guards for hypercall-defs.h
>
> Update ECLAIR configuration to:
> - extend existing deviation to other comments explicitly saying a file
> is intended for multiple inclusion;
> - extend existing deviation to other autogenerated files;
> - tag the guidelines as clean.
>
> Update deviations.rst accordingly.
>
> Signed-off-by: Federico Serafini <federico.serafini@bugseng.com>
> Signed-off-by: Stefano Stabellini <stefano.stabellini@amd.com>
> Acked-by: Jan Beulich <jbeulich@suse.com> # x86
> ---
> Changes in v6:
> - remove in-code comment and use SAF-8-safe instead
> - add header guards for hypercall-defs.h
>
> Successful pipeline:
> https://gitlab.com/xen-project/people/sstabellini/xen/-/pipelines/1885561040
> ---
>
> diff --git a/automation/eclair_analysis/ECLAIR/deviations.ecl b/automation/eclair_analysis/ECLAIR/deviations.ecl
> index 9c67358d46..3b5bc87e1d 100644
> --- a/automation/eclair_analysis/ECLAIR/deviations.ecl
> +++ b/automation/eclair_analysis/ECLAIR/deviations.ecl
> @@ -72,11 +72,14 @@ they are not instances of commented-out code."
> -config=MC3A2.D4.3,reports+={deliberate, "any_area(any_loc(file(arm64_bitops))&&context(name(int_clear_mask16)))"}
> -doc_end
>
> --doc_begin="Files that are intended to be included more than once do not need to
> -conform to the directive."
> +-doc_begin="Files that are intended to be included more than once (and have
> +a comment that says this explicitly) do not need to conform to the directive."
> -config=MC3A2.D4.10,reports+={safe, "first_area(text(^/\\* This file is intended to be included multiple times\\. \\*/$, begin-4))"}
> --config=MC3A2.D4.10,reports+={safe, "first_area(text(^/\\* Generated file, do not edit! \\*/$, begin-3))"}
> --config=MC3A2.D4.10,reports+={safe, "all_area(all_loc(file(^xen/include/generated/autoconf.h$)))"}
> +-config=MC3A2.D4.10,reports+={safe, "first_area(text(^/\\* Generated file, do not edit! \\*/$, begin-3...begin-2))"}
> +-doc_end
> +
> +-doc_begin="Autogenerated files that do not need to conform to the directive."
> +-config=MC3A2.D4.10,reports+={safe, "all_area(all_loc(file(^xen/include/generated/autoconf\\.h$)))"}
> -doc_end
>
> -doc_begin="Including multiple times a .c file is safe because every function or data item
> diff --git a/automation/eclair_analysis/ECLAIR/tagging.ecl b/automation/eclair_analysis/ECLAIR/tagging.ecl
> index f9da5d5f4d..b95f07feb0 100644
> --- a/automation/eclair_analysis/ECLAIR/tagging.ecl
> +++ b/automation/eclair_analysis/ECLAIR/tagging.ecl
> @@ -23,6 +23,7 @@
> "MC3A2.D1.1||
> MC3A2.D2.1||
> MC3A2.D4.1||
> +MC3A2.D4.10||
> MC3A2.D4.11||
> MC3A2.D4.14||
> MC3A2.R1.1||
> diff --git a/docs/misra/deviations.rst b/docs/misra/deviations.rst
> index fe0b1e10a2..63caa8f4a2 100644
> --- a/docs/misra/deviations.rst
> +++ b/docs/misra/deviations.rst
> @@ -30,6 +30,18 @@ Deviations related to MISRA C:2012 Directives:
> not to add an additional encapsulation layer.
> - Tagged as `deliberate` for ECLAIR.
>
> + * - D4.10
> + - Files that are intended to be included more than once (and have
> + a comment that says this explicitly) do not need to conform to the
> + directive.
> + - Tagged as `safe` for ECLAIR.
> +
> + * - D4.10
> + - There are autogenerated files that do not need to comply to the
> + directive.
> + - Tagged as `safe` for ECLAIR. Such files are:
> + - xen/include/generated/autoconf.h
> +
> * - D4.10
> - Including multiple times a .c file is safe because every function or data item
> it defines would in (the common case) be already defined.
> diff --git a/xen/arch/x86/include/asm/cpufeatures.h b/xen/arch/x86/include/asm/cpufeatures.h
> index 9e3ed21c02..dce0713adf 100644
> --- a/xen/arch/x86/include/asm/cpufeatures.h
> +++ b/xen/arch/x86/include/asm/cpufeatures.h
> @@ -1,7 +1,6 @@
> -/*
> - * Explicitly intended for multiple inclusion.
> - */
> +/* This file is intended to be included multiple times. */
>
> +/* SAF-8-safe */
> #include <xen/lib/x86/cpuid-autogen.h>
>
> /* Number of capability words covered by the featureset words. */
> diff --git a/xen/include/xen/compile.h.in b/xen/include/xen/compile.h.in
> index 3151d1e7d1..9206341ba6 100644
> --- a/xen/include/xen/compile.h.in
> +++ b/xen/include/xen/compile.h.in
> @@ -1,3 +1,6 @@
> +#ifndef XEN_COMPILE_H
> +#define XEN_COMPILE_H
> +
> #define XEN_COMPILE_DATE "@@date@@"
> #define XEN_COMPILE_TIME "@@time@@"
> #define XEN_COMPILE_BY "@@whoami@@"
> diff --git a/xen/scripts/gen_hypercall.awk b/xen/scripts/gen_hypercall.awk
> index 1a7e051fde..47a18cd75e 100644
> --- a/xen/scripts/gen_hypercall.awk
> +++ b/xen/scripts/gen_hypercall.awk
> @@ -2,6 +2,8 @@
> # the calls of the handlers inside a switch() statement.
>
> BEGIN {
> + printf("#ifndef XEN_HYPERCALL_DEFS_H\n");
> + printf("#define XEN_HYPERCALL_DEFS_H\n\n");
> printf("/* Generated file, do not edit! */\n\n");
> e = 0;
> n = 0;
> @@ -311,4 +313,5 @@ END {
> printf("[__HYPERVISOR_%s] = %d, \\\n", fn[call_fn[i]], n_args[call_fn[i]]);
> printf("}\n");
> }
> + printf("\n#endif /* XEN_HYPERCALL_DEFS_H */\n");
> }
> diff --git a/xen/tools/process-banner.sed b/xen/tools/process-banner.sed
> index 56c76558bc..4cf3f9a116 100755
> --- a/xen/tools/process-banner.sed
> +++ b/xen/tools/process-banner.sed
> @@ -12,3 +12,8 @@ s_(.*)_"\1\\n"_
>
> # Trailing \ on all but the final line.
> $!s_$_ \\_
> +
> +# Append closing header guard
> +$a\
> +\
> +#endif /* XEN_COMPILE_H */
On 24.06.2025 03:19, Stefano Stabellini wrote: > MISRA C Directive 4.10 states that "Precautions shall be taken in order > to prevent the contents of a header file being included more than > once". > > Add a SAF tag and update the comment on top of cpufeatures.h. > Add a header inclusion guard to compile.h. > Generate header guards for hypercall-defs.h > > Update ECLAIR configuration to: > - extend existing deviation to other comments explicitly saying a file > is intended for multiple inclusion; > - extend existing deviation to other autogenerated files; > - tag the guidelines as clean. > > Update deviations.rst accordingly. > > Signed-off-by: Federico Serafini <federico.serafini@bugseng.com> > Signed-off-by: Stefano Stabellini <stefano.stabellini@amd.com> Acked-by: Jan Beulich <jbeulich@suse.com> # x86