From: Alessandro Zucchelli
To: xen-devel@lists.xenproject.org
Cc: consulting@bugseng.com, Alessandro Zucchelli, Simone Ballarin, Doug Goldstein, Stefano Stabellini, Andrew Cooper, Jan Beulich, Julien Grall
Subject: [PATCH] xen: update ECLAIR service identifiers from MC3R1 to MC3A2.
Date: Tue, 10 Dec 2024 11:37:23 +0100

Rename all instances of ECLAIR MISRA C:2012 service identifiers, identified by the prefix MC3R1, to use the prefix MC3A2, which refers to MISRA C:2012 Amendment 2 guidelines.

This update is motivated by the need to upgrade ECLAIR GitLab runners that use the new naming scheme for MISRA C:2012 Amendment 2 guidelines.

Changes to the docs/misra directory are needed in order to keep comment-based deviation up to date.

Signed-off-by: Alessandro Zucchelli
Reviewed-by: Stefano Stabellini
---
The change was made using the following command:
find . -type f -exec sed -i 's/MC3R1/MC3A2/g' {} +

In order to avoid CI failures this patch and the ECLAIR runners must be updated at roughly the same time.

This backwards-incompatible change is needed to bring to the runners other bugfixes.
---
 .../eclair_analysis/ECLAIR/B.UNEVALEFF.ecl | 2 +-
 .../ECLAIR/accepted_guidelines.sh | 2 +-
 .../eclair_analysis/ECLAIR/analysis.ecl | 6 +-
 .../eclair_analysis/ECLAIR/deviations.ecl | 244 +++++++++---------
 .../eclair_analysis/ECLAIR/monitored.ecl | 208 +++++++--------
 automation/eclair_analysis/ECLAIR/tagging.ecl | 176 ++++++-------
 docs/misra/documenting-violations.rst | 6 +-
 docs/misra/safe.json | 32 +--
 8 files changed, 338 insertions(+), 338 deletions(-)

diff --git a/automation/eclair_analysis/ECLAIR/B.UNEVALEFF.ecl b/automation= /eclair_analysis/ECLAIR/B.UNEVALEFF.ecl index 92d8db8986..fa249b8e36 100644 
--- a/automation/eclair_analysis/ECLAIR/B.UNEVALEFF.ecl +++ b/automation/eclair_analysis/ECLAIR/B.UNEVALEFF.ecl @@ -1,4 +1,4 @@ --clone_service=3DMC3R1.R13.6,B.UNEVALEFF +-clone_service=3DMC3A2.R13.6,B.UNEVALEFF =20 -config=3DB.UNEVALEFF,summary=3D"The operand of the `alignof' and `typeof'= operators shall not contain any expression which has potential side effec= ts" -config=3DB.UNEVALEFF,stmt_child_matcher=3D diff --git a/automation/eclair_analysis/ECLAIR/accepted_guidelines.sh b/aut= omation/eclair_analysis/ECLAIR/accepted_guidelines.sh index 368135122c..2c4b339d0d 100755 --- a/automation/eclair_analysis/ECLAIR/accepted_guidelines.sh +++ b/automation/eclair_analysis/ECLAIR/accepted_guidelines.sh @@ -10,6 +10,6 @@ script_dir=3D"$( accepted_rst=3D$1 =20 grep -Eo "\`(Dir|Rule) [0-9]+\.[0-9]+" ${accepted_rst} \ - | sed -e 's/`Rule /MC3R1.R/' -e 's/`Dir /MC3R1.D/' -e 's/.*/-enable= =3D&/' > ${script_dir}/accepted.ecl + | sed -e 's/`Rule /MC3A2.R/' -e 's/`Dir /MC3A2.D/' -e 's/.*/-enable= =3D&/' > ${script_dir}/accepted.ecl =20 echo "-enable=3DB.UNEVALEFF" >> ${script_dir}/accepted.ecl diff --git a/automation/eclair_analysis/ECLAIR/analysis.ecl b/automation/ec= lair_analysis/ECLAIR/analysis.ecl index df0b551812..824283a989 100644 --- a/automation/eclair_analysis/ECLAIR/analysis.ecl +++ b/automation/eclair_analysis/ECLAIR/analysis.ecl 
@@ -22,15 +22,15 @@ setq(analysis_kind,getenv("ANALYSIS_KIND")) -doc_begin=3D"These configurations serve the purpose of recognizing the 'm= em*' macros as their Standard Library equivalents." =20 --config=3DMC3R1.R21.14,call_select+=3D +-config=3DMC3A2.R21.14,call_select+=3D {"macro(^memcmp$)&&any_arg(1..2, skip(__non_syntactic_paren_cast_stmts, no= de(string_literal)))", "any()", violation, "%{__callslct_any_base_fmt()}", {{arg, "%{__callslct_= arg_fmt()}"}}} =20 --config=3DMC3R1.R21.15,call_args+=3D +-config=3DMC3A2.R21.15,call_args+=3D {"macro(^mem(cmp|move|cpy)$)", {1, 2}, "unqual_pointee_compatible", "%{__argscmpr_culprit_fmt()}", "%{__argscmpr_evidence_fmt()}"} =20 --config=3DMC3R1.R21.16,call_select+=3D +-config=3DMC3A2.R21.16,call_select+=3D {"macro(^memcmp$)&&any_arg(1..2, skip(__non_syntactic_paren_stmts, type(ca= nonical(__memcmp_pte_types))))", "any()", violation, "%{__callslct_any_base_fmt()}", {{arg,"%{__callslct_a= rg_type_fmt()}"}}} =20 diff --git a/automation/eclair_analysis/ECLAIR/deviations.ecl b/automation/= eclair_analysis/ECLAIR/deviations.ecl index 2f58f29203..ae25eeb76a 100644 --- a/automation/eclair_analysis/ECLAIR/deviations.ecl +++ b/automation/eclair_analysis/ECLAIR/deviations.ecl 
@@ -4,36 +4,36 @@ =20 -doc_begin=3D"The compiler implementation guarantees that the unreachable = code is removed. Constant expressions and unreachable branches of if and switch statements = are expected." --config=3DMC3R1.R2.1,+reports=3D{safe,"first_area(^.*has an invariantly.*$= )"} --config=3DMC3R1.R2.1,+reports=3D{safe,"first_area(^.*incompatible with lab= eled statement$)"} +-config=3DMC3A2.R2.1,+reports=3D{safe,"first_area(^.*has an invariantly.*$= )"} +-config=3DMC3A2.R2.1,+reports=3D{safe,"first_area(^.*incompatible with lab= eled statement$)"} -doc_end =20 -doc_begin=3D"Some functions are intended to be not referenced." --config=3DMC3R1.R2.1,+reports=3D{deliberate,"first_area(^.*is never refere= nced$)"} +-config=3DMC3A2.R2.1,+reports=3D{deliberate,"first_area(^.*is never refere= nced$)"} -doc_end =20 -doc_begin=3D"Unreachability caused by calls to the following functions or= macros is deliberate and there is no risk of code being unexpectedly left = out." --config=3DMC3R1.R2.1,statements+=3D{deliberate,"macro(name(BUG||assert_fai= led))"} --config=3DMC3R1.R2.1,statements+=3D{deliberate, "call(decl(name(__builtin_= unreachable||panic||do_unexpected_trap||machine_halt||machine_restart||rebo= ot_or_halt)))"} +-config=3DMC3A2.R2.1,statements+=3D{deliberate,"macro(name(BUG||assert_fai= led))"} +-config=3DMC3A2.R2.1,statements+=3D{deliberate, "call(decl(name(__builtin_= unreachable||panic||do_unexpected_trap||machine_halt||machine_restart||rebo= ot_or_halt)))"} -doc_end =20 -doc_begin=3D"Unreachability inside an ASSERT_UNREACHABLE() and analogous = macro calls is deliberate and safe." 
--config=3DMC3R1.R2.1,reports+=3D{deliberate, "any_area(any_loc(any_exp(mac= ro(name(ASSERT_UNREACHABLE||PARSE_ERR_RET||PARSE_ERR||FAIL_MSR||FAIL_CPUID)= ))))"} +-config=3DMC3A2.R2.1,reports+=3D{deliberate, "any_area(any_loc(any_exp(mac= ro(name(ASSERT_UNREACHABLE||PARSE_ERR_RET||PARSE_ERR||FAIL_MSR||FAIL_CPUID)= ))))"} -doc_end =20 -doc_begin=3D"The asm-offset files are not linked deliberately, since they= are used to generate definitions for asm modules." -file_tag+=3D{asm_offsets, "^xen/arch/(arm|x86)/(arm32|arm64|x86_64)/asm-o= ffsets\\.c$"} --config=3DMC3R1.R2.1,reports+=3D{deliberate, "any_area(any_loc(file(asm_of= fsets)))"} +-config=3DMC3A2.R2.1,reports+=3D{deliberate, "any_area(any_loc(file(asm_of= fsets)))"} -doc_end =20 -doc_begin=3D"Pure declarations (i.e., declarations without initialization= ) are not executable, and therefore it is safe for them to be unreachable." --config=3DMC3R1.R2.1,ignored_stmts+=3D{"any()", "pure_decl()"} +-config=3DMC3A2.R2.1,ignored_stmts+=3D{"any()", "pure_decl()"} -doc_end =20 -doc_begin=3D"The following autogenerated file is not linked deliberately." -file_tag+=3D{C_runtime_failures,"^automation/eclair_analysis/C-runtime-fa= ilures\\.rst\\.c$"} --config=3DMC3R1.R2.1,reports+=3D{deliberate, "any_area(any_loc(file(C_runt= ime_failures)))"} +-config=3DMC3A2.R2.1,reports+=3D{deliberate, "any_area(any_loc(file(C_runt= ime_failures)))"} -doc_end =20 -doc_begin=3D"Proving compliance with respect to Rule 2.2 is generally imp= ossible: 
@@ -42,11 +42,11 @@ confidence that no evidence of errors in the program's = logic has been missed due to undetected violations of Rule 2.2, if any. Testing on time behavior giv= es us confidence on the fact that, should the program contain dead code that is = not removed by the compiler, the resulting slowdown is negligible." --config=3DMC3R1.R2.2,reports+=3D{disapplied,"any()"} +-config=3DMC3A2.R2.2,reports+=3D{disapplied,"any()"} -doc_end =20 -doc_begin=3D"Some labels are unused in certain build configurations, or a= re deliberately marked as unused, so that the compiler is entitled to remov= e them." --config=3DMC3R1.R2.6,reports+=3D{deliberate, "any_area(text(^.*__maybe_unu= sed.*$))"} +-config=3DMC3A2.R2.6,reports+=3D{deliberate, "any_area(text(^.*__maybe_unu= sed.*$))"} -doc_end =20 # @@ -55,7 +55,7 @@ removed by the compiler, the resulting slowdown is neglig= ible." =20 -doc_begin=3D"Comments starting with '/*' and containing hyperlinks are sa= fe as they are not instances of commented-out code." --config=3DMC3R1.R3.1,reports+=3D{safe, "first_area(text(^.*https?://.*$))"} +-config=3DMC3A2.R3.1,reports+=3D{safe, "first_area(text(^.*https?://.*$))"} -doc_end =20 # 
@@ -63,25 +63,25 @@ they are not instances of commented-out code." # =20 -doc_begin=3D"The directive has been accepted only for the ARM codebase." --config=3DMC3R1.D4.3,reports+=3D{disapplied,"!(any_area(any_loc(file(^xen/= arch/arm/arm64/.*$))))"} +-config=3DMC3A2.D4.3,reports+=3D{disapplied,"!(any_area(any_loc(file(^xen/= arch/arm/arm64/.*$))))"} -doc_end =20 -doc_begin=3D"The inline asm in 'arm64/lib/bitops.c' is tightly coupled wi= th the surronding C code that acts as a wrapper, so it has been decided not= to add an additional encapsulation layer." -file_tag+=3D{arm64_bitops, "^xen/arch/arm/arm64/lib/bitops\\.c$"} --config=3DMC3R1.D4.3,reports+=3D{deliberate, "all_area(any_loc(file(arm64_= bitops)&&any_exp(macro(^(bit|test)op$))))"} --config=3DMC3R1.D4.3,reports+=3D{deliberate, "any_area(any_loc(file(arm64_= bitops))&&context(name(int_clear_mask16)))"} +-config=3DMC3A2.D4.3,reports+=3D{deliberate, "all_area(any_loc(file(arm64_= bitops)&&any_exp(macro(^(bit|test)op$))))"} +-config=3DMC3A2.D4.3,reports+=3D{deliberate, "any_area(any_loc(file(arm64_= bitops))&&context(name(int_clear_mask16)))"} -doc_end =20 -doc_begin=3D"Files that are intended to be included more than once do not= need to conform to the directive." --config=3DMC3R1.D4.10,reports+=3D{safe, "first_area(text(^/\\* This file i= s legitimately included multiple times\\. \\*/$, begin-4))"} --config=3DMC3R1.D4.10,reports+=3D{safe, "first_area(text(^/\\* Generated f= ile, do not edit! \\*/$, begin-3))"} --config=3DMC3R1.D4.10,reports+=3D{safe, "all_area(all_loc(file(^xen/includ= e/generated/autoconf.h$)))"} +-config=3DMC3A2.D4.10,reports+=3D{safe, "first_area(text(^/\\* This file i= s legitimately included multiple times\\. \\*/$, begin-4))"} +-config=3DMC3A2.D4.10,reports+=3D{safe, "first_area(text(^/\\* Generated f= ile, do not edit! 
\\*/$, begin-3))"} +-config=3DMC3A2.D4.10,reports+=3D{safe, "all_area(all_loc(file(^xen/includ= e/generated/autoconf.h$)))"} -doc_end =20 -doc_begin=3D"Including multiple times a .c file is safe because every fun= ction or data item it defines would (in the common case) be already defined. Peer reviewed by= the community." --config=3DMC3R1.D4.10,reports+=3D{safe, "all_area(all_loc(^.*\\.c$))"} +-config=3DMC3A2.D4.10,reports+=3D{safe, "all_area(all_loc(^.*\\.c$))"} -doc_end =20 # 
@@ -90,50 +90,50 @@ it defines would (in the common case) be already define= d. Peer reviewed by the c =20 -doc_begin=3D"The project adopted the rule with an exception listed in 'docs/misra/rules.rst'" --config=3DMC3R1.R5.3,reports+=3D{safe, "any_area(any_loc(any_exp(macro(^RE= AD_SYSREG$))&&any_exp(macro(^WRITE_SYSREG$))))"} --config=3DMC3R1.R5.3,reports+=3D{safe, "any_area(any_loc(any_exp(macro(^ma= x(_t)?$))&&any_exp(macro(^min(_t)?$))))"} --config=3DMC3R1.R5.3,reports+=3D{safe, "any_area(any_loc(any_exp(macro(^re= ad[bwlq]$))&&any_exp(macro(^read[bwlq]_relaxed$))))"} --config=3DMC3R1.R5.3,reports+=3D{safe, "any_area(any_loc(any_exp(macro(^pe= r_cpu$))&&any_exp(macro(^this_cpu$))))"} --config=3DMC3R1.R5.3,reports+=3D{safe, "any_area(any_loc(any_exp(macro(^__= emulate_2op$))&&any_exp(macro(^__emulate_2op_nobyte$))))"} --config=3DMC3R1.R5.3,reports+=3D{safe, "any_area(any_loc(any_exp(macro(^re= ad_debugreg$))&&any_exp(macro(^write_debugreg$))))"} +-config=3DMC3A2.R5.3,reports+=3D{safe, "any_area(any_loc(any_exp(macro(^RE= AD_SYSREG$))&&any_exp(macro(^WRITE_SYSREG$))))"} +-config=3DMC3A2.R5.3,reports+=3D{safe, "any_area(any_loc(any_exp(macro(^ma= x(_t)?$))&&any_exp(macro(^min(_t)?$))))"} +-config=3DMC3A2.R5.3,reports+=3D{safe, "any_area(any_loc(any_exp(macro(^re= ad[bwlq]$))&&any_exp(macro(^read[bwlq]_relaxed$))))"} +-config=3DMC3A2.R5.3,reports+=3D{safe, "any_area(any_loc(any_exp(macro(^pe= r_cpu$))&&any_exp(macro(^this_cpu$))))"} +-config=3DMC3A2.R5.3,reports+=3D{safe, "any_area(any_loc(any_exp(macro(^__= emulate_2op$))&&any_exp(macro(^__emulate_2op_nobyte$))))"} +-config=3DMC3A2.R5.3,reports+=3D{safe, "any_area(any_loc(any_exp(macro(^re= ad_debugreg$))&&any_exp(macro(^write_debugreg$))))"} -doc_end =20 -doc_begin=3D"Macros expanding to their own identifier (e.g., \"#define x = x\") are deliberate." 
--config=3DMC3R1.R5.5,reports+=3D{deliberate, "all_area(macro(same_id_body(= ))||!macro(!same_id_body()))"} +-config=3DMC3A2.R5.5,reports+=3D{deliberate, "all_area(macro(same_id_body(= ))||!macro(!same_id_body()))"} -doc_end =20 -doc_begin=3D"There is no clash between function like macros and not calla= ble objects." --config=3DMC3R1.R5.5,reports+=3D{deliberate, "all_area(macro(function_like= ())||decl(any()))&&all_area(macro(any())||!decl(kind(function))&&!decl(__fu= nction_pointer_decls))"} +-config=3DMC3A2.R5.5,reports+=3D{deliberate, "all_area(macro(function_like= ())||decl(any()))&&all_area(macro(any())||!decl(kind(function))&&!decl(__fu= nction_pointer_decls))"} -doc_end =20 -doc_begin=3D"Clashes between function names and macros are deliberate for= string handling functions since some architectures may want to use their o= wn arch-specific implementation." --config=3DMC3R1.R5.5,reports+=3D{deliberate, "all_area(all_loc(file(^xen/a= rch/x86/string\\.c|xen/include/xen/string\\.h|xen/lib/.*$)))"} +-config=3DMC3A2.R5.5,reports+=3D{deliberate, "all_area(all_loc(file(^xen/a= rch/x86/string\\.c|xen/include/xen/string\\.h|xen/lib/.*$)))"} -doc_end =20 -doc_begin=3D"In libelf, clashes between macros and function names are del= iberate and needed to prevent the use of undecorated versions of memcpy, me= mset and memmove." --config=3DMC3R1.R5.5,reports+=3D{deliberate, "any_area(decl(kind(function)= )||any_loc(macro(name(memcpy||memset||memmove))))&&any_area(any_loc(file(^x= en/common/libelf/libelf-private\\.h$)))"} +-config=3DMC3A2.R5.5,reports+=3D{deliberate, "any_area(decl(kind(function)= )||any_loc(macro(name(memcpy||memset||memmove))))&&any_area(any_loc(file(^x= en/common/libelf/libelf-private\\.h$)))"} -doc_end =20 -doc_begin=3D"The type \"ret_t\" is deliberately defined multiple times, depending on the guest." 
--config=3DMC3R1.R5.6,reports+=3D{deliberate,"any_area(any_loc(text(^.*ret_= t.*$)))"} +-config=3DMC3A2.R5.6,reports+=3D{deliberate,"any_area(any_loc(text(^.*ret_= t.*$)))"} -doc_end =20 -doc_begin=3D"On X86, the types \"guest_intpte_t\", \"guest_l1e_t\" and \"guest_l2e_t\" are deliberately defined multiple times, depending on the number of guest paging levels." --config=3DMC3R1.R5.6,reports+=3D{deliberate,"any_area(any_loc(file(^xen/ar= ch/x86/include/asm/guest_pt\\.h$)))&&any_area(any_loc(text(^.*(guest_intpte= _t|guest_l[12]e_t).*$)))"} +-config=3DMC3A2.R5.6,reports+=3D{deliberate,"any_area(any_loc(file(^xen/ar= ch/x86/include/asm/guest_pt\\.h$)))&&any_area(any_loc(text(^.*(guest_intpte= _t|guest_l[12]e_t).*$)))"} -doc_end =20 -doc_begin=3D"The following files are imported from the gnu-efi package." -file_tag+=3D{adopted_r5_6,"^xen/include/efi/.*$"} -file_tag+=3D{adopted_r5_6,"^xen/arch/.*/include/asm/.*/efibind\\.h$"} --config=3DMC3R1.R5.6,reports+=3D{deliberate,"any_area(any_loc(file(adopted= _r5_6)))"} +-config=3DMC3A2.R5.6,reports+=3D{deliberate,"any_area(any_loc(file(adopted= _r5_6)))"} -doc_end =20 -doc_begin=3D"The project intentionally reuses tag names in order to have = identifiers matching the applicable external specifications as well as esta= blished internal conventions. As there is little possibility for developer confusion not resulting into = compilation errors, the risk of renaming outweighs the potential advantages= of compliance." --config=3DMC3R1.R5.7,reports+=3D{deliberate,"any()"} +-config=3DMC3A2.R5.7,reports+=3D{deliberate,"any()"} -doc_end =20 # 
@@ -142,7 +142,7 @@ As there is little possibility for developer confusion = not resulting into compil =20 -doc_begin=3D"It is safe to use certain octal constants the way they are d= efined in specifications, manuals, and algorithm descriptions." --config=3DMC3R1.R7.1,reports+=3D{safe, "any_area(any_loc(any_exp(text(^.*o= ctal-ok.*$))))"} +-config=3DMC3A2.R7.1,reports+=3D{safe, "any_area(any_loc(any_exp(text(^.*o= ctal-ok.*$))))"} -doc_end =20 -doc_begin=3D"Violations in files that maintainers have asked to not modif= y in the @@ -155,17 +155,17 @@ context of R7.2." -file_tag+=3D{adopted_r7_2,"^xen/arch/x86/cpu/intel\\.c$"} -file_tag+=3D{adopted_r7_2,"^xen/arch/x86/cpu/amd\\.c$"} -file_tag+=3D{adopted_r7_2,"^xen/arch/x86/cpu/common\\.c$"} --config=3DMC3R1.R7.2,reports+=3D{deliberate,"any_area(any_loc(file(adopted= _r7_2)))"} +-config=3DMC3A2.R7.2,reports+=3D{deliberate,"any_area(any_loc(file(adopted= _r7_2)))"} -doc_end =20 -doc_begin=3D"Violations caused by __HYPERVISOR_VIRT_START are related to = the particular use of it done in xen_mk_ulong." --config=3DMC3R1.R7.2,reports+=3D{deliberate,"any_area(any_loc(macro(name(B= UILD_BUG_ON))))"} +-config=3DMC3A2.R7.2,reports+=3D{deliberate,"any_area(any_loc(macro(name(B= UILD_BUG_ON))))"} -doc_end =20 -doc_begin=3D"Allow pointers of non-character type as long as the pointee = is const-qualified." --config=3DMC3R1.R7.4,same_pointee=3Dfalse +-config=3DMC3A2.R7.4,same_pointee=3Dfalse -doc_end =20 # @@ -173,7 +173,7 @@ const-qualified." # =20 -doc_begin=3D"The type ret_t is deliberately used and defined as int or lo= ng depending on the architecture." --config=3DMC3R1.R8.3,reports+=3D{deliberate,"any_area(any_loc(text(^.*ret_= t.*$)))"} +-config=3DMC3A2.R8.3,reports+=3D{deliberate,"any_area(any_loc(text(^.*ret_= t.*$)))"} -doc_end =20 -doc_begin=3D"The following files are imported from Linux and decompress.h= defines a unique and documented interface towards all the (adopted) decomp= ress functions." 
@@ -183,71 +183,71 @@ const-qualified." -file_tag+=3D{adopted_decompress_r8_3,"^xen/common/unlzo\\.c$"} -file_tag+=3D{adopted_decompress_r8_3,"^xen/common/unxz\\.c$"} -file_tag+=3D{adopted_decompress_r8_3,"^xen/common/unzstd\\.c$"} --config=3DMC3R1.R8.3,reports+=3D{deliberate,"any_area(any_loc(file(adopted= _decompress_r8_3)))&&any_area(any_loc(file(^xen/include/xen/decompress\\.h$= )))"} +-config=3DMC3A2.R8.3,reports+=3D{deliberate,"any_area(any_loc(file(adopted= _decompress_r8_3)))&&any_area(any_loc(file(^xen/include/xen/decompress\\.h$= )))"} -doc_end =20 -doc_begin=3D"Parameter name \"unused\" (with an optional numeric suffix) = is deliberate and makes explicit the intention of not using such parameter = within the function." --config=3DMC3R1.R8.3,reports+=3D{deliberate, "any_area(^.*parameter `unuse= d[0-9]*'.*$)"} +-config=3DMC3A2.R8.3,reports+=3D{deliberate, "any_area(^.*parameter `unuse= d[0-9]*'.*$)"} -doc_end =20 -doc_begin=3D"The following file is imported from Linux: ignore for now." -file_tag+=3D{adopted_time_r8_3,"^xen/arch/x86/time\\.c$"} --config=3DMC3R1.R8.3,reports+=3D{deliberate,"any_area(any_loc(file(adopted= _time_r8_3)))&&(any_area(any_loc(file(^xen/include/xen/time\\.h$)))||any_ar= ea(any_loc(file(^xen/arch/x86/include/asm/setup\\.h$))))"} +-config=3DMC3A2.R8.3,reports+=3D{deliberate,"any_area(any_loc(file(adopted= _time_r8_3)))&&(any_area(any_loc(file(^xen/include/xen/time\\.h$)))||any_ar= ea(any_loc(file(^xen/arch/x86/include/asm/setup\\.h$))))"} -doc_end =20 -doc_begin=3D"The following file is imported from Linux: ignore for now." 
-file_tag+=3D{adopted_cpu_idle_r8_3,"^xen/arch/x86/acpi/cpu_idle\\.c$"} --config=3DMC3R1.R8.3,reports+=3D{deliberate,"any_area(any_loc(file(adopted= _cpu_idle_r8_3)))&&any_area(any_loc(file(^xen/include/xen/pmstat\\.h$)))"} +-config=3DMC3A2.R8.3,reports+=3D{deliberate,"any_area(any_loc(file(adopted= _cpu_idle_r8_3)))&&any_area(any_loc(file(^xen/include/xen/pmstat\\.h$)))"} -doc_end =20 -doc_begin=3D"The following file is imported from Linux: ignore for now." -file_tag+=3D{adopted_mpparse_r8_3,"^xen/arch/x86/mpparse\\.c$"} --config=3DMC3R1.R8.3,reports+=3D{deliberate,"any_area(any_loc(file(adopted= _mpparse_r8_3)))&&any_area(any_loc(file(^xen/arch/x86/include/asm/mpspec\\.= h$)))"} +-config=3DMC3A2.R8.3,reports+=3D{deliberate,"any_area(any_loc(file(adopted= _mpparse_r8_3)))&&any_area(any_loc(file(^xen/arch/x86/include/asm/mpspec\\.= h$)))"} -doc_end =20 -doc_begin=3D"The definitions present in this file are meant to generate d= efinitions for asm modules, and are not called by C code. Therefore the abs= ence of prior declarations is safe." -file_tag+=3D{asm_offsets, "^xen/arch/(arm|x86)/(arm32|arm64|x86_64)/asm-o= ffsets\\.c$"} --config=3DMC3R1.R8.4,reports+=3D{safe, "first_area(any_loc(file(asm_offset= s)))"} +-config=3DMC3A2.R8.4,reports+=3D{safe, "first_area(any_loc(file(asm_offset= s)))"} -doc_end =20 -doc_begin=3D"The functions defined in this file are meant to be called fr= om gcc-generated code in a non-release build configuration. Therefore the absence of prior declarations is safe." -file_tag+=3D{gcov, "^xen/common/coverage/gcov_base\\.c$"} --config=3DMC3R1.R8.4,reports+=3D{safe, "first_area(any_loc(file(gcov)))"} +-config=3DMC3A2.R8.4,reports+=3D{safe, "first_area(any_loc(file(gcov)))"} -doc_end =20 -doc_begin=3D"Recognize the occurrence of current_stack_pointer as a decla= ration." 
-file_tag+=3D{asm_defns, "^xen/arch/x86/include/asm/asm_defns\\.h$"} --config=3DMC3R1.R8.4,declarations+=3D{safe, "loc(file(asm_defns))&&^curren= t_stack_pointer$"} +-config=3DMC3A2.R8.4,declarations+=3D{safe, "loc(file(asm_defns))&&^curren= t_stack_pointer$"} -doc_end =20 -doc_begin=3D"The function apei_(read|check|clear)_mce are dead code and a= re excluded from non-debug builds, therefore the absence of prior declarati= ons is safe." --config=3DMC3R1.R8.4,declarations+=3D{safe, "^apei_(read|check|clear)_mce\= \(.*$"} +-config=3DMC3A2.R8.4,declarations+=3D{safe, "^apei_(read|check|clear)_mce\= \(.*$"} -doc_end =20 -doc_begin=3D"asmlinkage is a marker to indicate that the function is only= used to interface with asm modules." --config=3DMC3R1.R8.4,declarations+=3D{safe,"loc(text(^(?s).*asmlinkage.*$,= -1..0))"} +-config=3DMC3A2.R8.4,declarations+=3D{safe,"loc(text(^(?s).*asmlinkage.*$,= -1..0))"} -doc_end =20 -doc_begin=3D"Given that bsearch and sort are defined with the attribute '= gnu_inline', it's deliberate not to have a prior declaration. See Section \"6.33.1 Common Function Attributes\" of \"GCC_MANUAL\" for a = full explanation of gnu_inline." -file_tag+=3D{bsearch_sort, "^xen/include/xen/(sort|lib)\\.h$"} --config=3DMC3R1.R8.4,reports+=3D{deliberate, "any_area(any_loc(file(bsearc= h_sort))&&decl(name(bsearch||sort)))"} +-config=3DMC3A2.R8.4,reports+=3D{deliberate, "any_area(any_loc(file(bsearc= h_sort))&&decl(name(bsearch||sort)))"} -doc_end =20 -doc_begin=3D"first_valid_mfn is defined in this way because the current l= ack of NUMA support in Arm and PPC requires it." -file_tag+=3D{first_valid_mfn, "^xen/common/page_alloc\\.c$"} --config=3DMC3R1.R8.4,declarations+=3D{deliberate,"loc(file(first_valid_mfn= ))"} +-config=3DMC3A2.R8.4,declarations+=3D{deliberate,"loc(file(first_valid_mfn= ))"} -doc_end =20 -doc_begin=3D"The following variables are compiled in multiple translation= units belonging to different executables and therefore are safe." 
--config=3DMC3R1.R8.6,declarations+=3D{safe, "name(current_stack_pointer||b= search||sort)"} +-config=3DMC3A2.R8.6,declarations+=3D{safe, "name(current_stack_pointer||b= search||sort)"} -doc_end =20 -doc_begin=3D"Declarations without definitions are allowed (specifically w= hen the definition is compiled-out or optimized-out by the compiler)" --config=3DMC3R1.R8.6,reports+=3D{deliberate, "first_area(^.*has no definit= ion$)"} +-config=3DMC3A2.R8.6,reports+=3D{deliberate, "first_area(^.*has no definit= ion$)"} -doc_end =20 -doc_begin=3D"The search procedure for Unix linkers is well defined, see l= d(1) @@ -258,11 +258,11 @@ the linker will include the appropriate file(s) from = the archive\". In Xen, thanks to the order in which file names appear in the build comman= ds, if arch-specific definitions are present, they get always linked in before searching in the lib.a archive resulting from xen/lib." --config=3DMC3R1.R8.6,declarations+=3D{deliberate, "loc(file(^xen/lib/.*$))= "} +-config=3DMC3A2.R8.6,declarations+=3D{deliberate, "loc(file(^xen/lib/.*$))= "} -doc_end =20 -doc_begin=3D"The gnu_inline attribute without static is deliberately allo= wed." --config=3DMC3R1.R8.10,declarations+=3D{deliberate,"property(gnu_inline)"} +-config=3DMC3A2.R8.10,declarations+=3D{deliberate,"property(gnu_inline)"} -doc_end =20 # 
@@ -272,12 +272,12 @@ searching in the lib.a archive resulting from xen/lib= ." -doc_begin=3D"Violations in files that maintainers have asked to not modif= y in the context of R9.1." -file_tag+=3D{adopted_r9_1,"^xen/arch/arm/arm64/lib/find_next_bit\\.c$"} --config=3DMC3R1.R9.1,reports+=3D{deliberate,"any_area(any_loc(file(adopted= _r9_1)))"} +-config=3DMC3A2.R9.1,reports+=3D{deliberate,"any_area(any_loc(file(adopted= _r9_1)))"} -doc_end =20 -doc_begin=3D"The possibility of committing mistakes by specifying an expl= icit dimension is higher than omitting the dimension." --config=3DMC3R1.R9.5,reports+=3D{deliberate, "any()"} +-config=3DMC3A2.R9.5,reports+=3D{deliberate, "any()"} -doc_end =20 # 
@@ -285,45 +285,45 @@ dimension is higher than omitting the dimension." # =20 -doc_begin=3D"The value-preserving conversions of integer constants are sa= fe" --config=3DMC3R1.R10.1,etypes=3D{safe,"any()","preserved_integer_constant()= "} --config=3DMC3R1.R10.3,etypes=3D{safe,"any()","preserved_integer_constant()= "} --config=3DMC3R1.R10.4,etypes=3D{safe,"any()","preserved_integer_constant()= ||sibling(rhs,preserved_integer_constant())"} +-config=3DMC3A2.R10.1,etypes=3D{safe,"any()","preserved_integer_constant()= "} +-config=3DMC3A2.R10.3,etypes=3D{safe,"any()","preserved_integer_constant()= "} +-config=3DMC3A2.R10.4,etypes=3D{safe,"any()","preserved_integer_constant()= ||sibling(rhs,preserved_integer_constant())"} -doc_end =20 -doc_begin=3D"Shifting non-negative integers to the right is safe." --config=3DMC3R1.R10.1,etypes+=3D{safe, +-config=3DMC3A2.R10.1,etypes+=3D{safe, "stmt(node(binary_operator)&&operator(shr))", "src_expr(definitely_in(0..))"} -doc_end =20 -doc_begin=3D"Shifting non-negative integers to the left is safe if the re= sult is still non-negative." --config=3DMC3R1.R10.1,etypes+=3D{safe, +-config=3DMC3A2.R10.1,etypes+=3D{safe, "stmt(node(binary_operator)&&operator(shl)&&definitely_in(0..))", "src_expr(definitely_in(0..))"} -doc_end =20 -doc_begin=3D"Bitwise logical operations on non-negative integers are safe= ." 
--config=3DMC3R1.R10.1,etypes+=3D{safe, +-config=3DMC3A2.R10.1,etypes+=3D{safe, "stmt(node(binary_operator)&&operator(and||or||xor))", "src_expr(definitely_in(0..))"} -doc_end =20 -doc_begin=3D"The implicit conversion to Boolean for logical operator argu= ments is well known to all Xen developers to be a comparison with 0" --config=3DMC3R1.R10.1,etypes+=3D{safe, "stmt(operator(logical)||node(condi= tional_operator||binary_conditional_operator))", "dst_type(ebool||boolean)"} +-config=3DMC3A2.R10.1,etypes+=3D{safe, "stmt(operator(logical)||node(condi= tional_operator||binary_conditional_operator))", "dst_type(ebool||boolean)"} -doc_end =20 -doc_begin=3D"The macro ISOLATE_LSB encapsulates a well-known pattern to o= btain a mask where only the lowest bit set in the argument is set, if any, for u= nsigned integers arguments on two's complement architectures (all the architectures supported by Xen satisfy this requirement)." --config=3DMC3R1.R10.1,reports+=3D{safe, "any_area(any_loc(any_exp(macro(^I= SOLATE_LSB$))))"} +-config=3DMC3A2.R10.1,reports+=3D{safe, "any_area(any_loc(any_exp(macro(^I= SOLATE_LSB$))))"} -doc_end =20 -doc_begin=3D"XEN only supports architectures where signed integers are representend using two's complement and all the XEN developers are aware of this." --config=3DMC3R1.R10.1,etypes+=3D{safe, +-config=3DMC3A2.R10.1,etypes+=3D{safe, "stmt(operator(and||or||xor||not||and_assign||or_assign||xor_assign))", "any()"} -doc_end @@ -334,7 +334,7 @@ C language, GCC does not use the latitude given in C99 = and C11 only to treat certain aspects of signed `<<' as undefined. However, -fsanitize=3Dshift (= and -fsanitize=3Dundefined) will diagnose such cases. They are also diagnosed = where constant expressions are required.\"" --config=3DMC3R1.R10.1,etypes+=3D{safe, +-config=3DMC3A2.R10.1,etypes+=3D{safe, "stmt(operator(shl||shr||shl_assign||shr_assign))", "any()"} -doc_end 
@@ -344,7 +344,7 @@ constant expressions are required.\"" # =20 -doc_begin=3D"The conversion from a function pointer to unsigned long or (= void *) does not lose any information, provided that the target type has en= ough bits to store it." --config=3DMC3R1.R11.1,casts+=3D{safe, +-config=3DMC3A2.R11.1,casts+=3D{safe, "from(type(canonical(__function_pointer_types))) &&to(type(canonical(builtin(unsigned long)||pointer(builtin(void))))) &&relation(definitely_preserves_value)" @@ -352,14 +352,14 @@ constant expressions are required.\"" -doc_end =20 -doc_begin=3D"The conversion from a function pointer to a boolean has a we= ll-known semantics that do not lead to unexpected behaviour." --config=3DMC3R1.R11.1,casts+=3D{safe, +-config=3DMC3A2.R11.1,casts+=3D{safe, "from(type(canonical(__function_pointer_types))) &&kind(pointer_to_boolean)" } -doc_end =20 -doc_begin=3D"The conversion from a pointer to an incomplete type to unsig= ned long does not lose any information, provided that the target type has e= nough bits to store it." --config=3DMC3R1.R11.2,casts+=3D{safe, +-config=3DMC3A2.R11.2,casts+=3D{safe, "from(type(any())) &&to(type(canonical(builtin(unsigned long)))) &&relation(definitely_preserves_value)" 
@@ -367,20 +367,20 @@ constant expressions are required.\"" -doc_end =20 -doc_begin=3D"Conversions to object pointers that have a pointee type with= a smaller (i.e., less strict) alignment requirement are safe." --config=3DMC3R1.R11.3,casts+=3D{safe, +-config=3DMC3A2.R11.3,casts+=3D{safe, "!relation(more_aligned_pointee)" } -doc_end =20 -doc_begin=3D"Conversions from and to integral types are safe, in the assu= mption that the target type has enough bits to store the value. See also Section \"4.7 Arrays and Pointers\" of \"GCC_MANUAL\"" --config=3DMC3R1.R11.6,casts+=3D{safe, +-config=3DMC3A2.R11.6,casts+=3D{safe, "(from(type(canonical(integral())))||to(type(canonical(integral())))) &&relation(definitely_preserves_value)"} -doc_end =20 -doc_begin=3D"The conversion from a pointer to a boolean has a well-known = semantics that do not lead to unexpected behaviour." --config=3DMC3R1.R11.6,casts+=3D{safe, +-config=3DMC3A2.R11.6,casts+=3D{safe, "from(type(canonical(__pointer_types))) &&kind(pointer_to_boolean)" } @@ -390,11 +390,11 @@ See also Section \"4.7 Arrays and Pointers\" of \"GCC= _MANUAL\"" with the provided offset. The resulting pointer is then immediately cast b= ack to its original type, which preserves the qualifier. This use is deemed safe. Fixing this violation would require to increase code complexity and lower = readability." --config=3DMC3R1.R11.8,reports+=3D{safe,"any_area(any_loc(any_exp(macro(^co= ntainer_of$))))"} +-config=3DMC3A2.R11.8,reports+=3D{safe,"any_area(any_loc(any_exp(macro(^co= ntainer_of$))))"} -doc_end =20 -doc_begin=3D"This construct is used to check if the type is scalar, and f= or this purpose the use of 0 as a null pointer constant is deliberate." --config=3DMC3R1.R11.9,reports+=3D{deliberate, "any_area(any_loc(any_exp(ma= cro(^__ACCESS_ONCE$))))" +-config=3DMC3A2.R11.9,reports+=3D{deliberate, "any_area(any_loc(any_exp(ma= cro(^__ACCESS_ONCE$))))" } -doc_end =20 
@@ -404,16 +404,16 @@ Fixing this violation would require to increase code = complexity and lower readab =20 -doc_begin=3D"All developers and reviewers can be safely assumed to be wel= l aware of the short-circuit evaluation strategy of such logical operators." --config=3DMC3R1.R13.5,reports+=3D{disapplied,"any()"} +-config=3DMC3A2.R13.5,reports+=3D{disapplied,"any()"} -doc_end =20 -doc_begin=3D"Macros alternative_v?call[0-9] use sizeof and typeof to chec= k that the argument types match the corresponding parameter ones." --config=3DMC3R1.R13.6,reports+=3D{deliberate,"any_area(any_loc(any_exp(mac= ro(^alternative_vcall[0-9]$))&&file(^xen/arch/x86/include/asm/alternative\\= .h*$)))"} +-config=3DMC3A2.R13.6,reports+=3D{deliberate,"any_area(any_loc(any_exp(mac= ro(^alternative_vcall[0-9]$))&&file(^xen/arch/x86/include/asm/alternative\\= .h*$)))"} -config=3DB.UNEVALEFF,reports+=3D{deliberate,"any_area(any_loc(any_exp(mac= ro(^alternative_v?call[0-9]$))&&file(^xen/arch/x86/include/asm/alterantive\= \.h*$)))"} -doc_end =20 -doc_begin=3D"Anything, no matter how complicated, inside the BUILD_BUG_ON= macro is subject to a compile-time evaluation without relevant side effect= s." --config=3DMC3R1.R13.6,reports+=3D{safe,"any_area(any_loc(any_exp(macro(nam= e(BUILD_BUG_ON)))))"} +-config=3DMC3A2.R13.6,reports+=3D{safe,"any_area(any_loc(any_exp(macro(nam= e(BUILD_BUG_ON)))))"} -config=3DB.UNEVALEFF,reports+=3D{safe,"any_area(any_loc(any_exp(macro(nam= e(BUILD_BUG_ON)))))"} -doc_end =20 
@@ -424,31 +424,31 @@ of the short-circuit evaluation strategy of such logi= cal operators." -doc_begin=3D"The severe restrictions imposed by this rule on the use of f= or statements are not balanced by the presumed facilitation of the peer review activity." --config=3DMC3R1.R14.2,reports+=3D{disapplied,"any()"} +-config=3DMC3A2.R14.2,reports+=3D{disapplied,"any()"} -doc_end =20 -doc_begin=3D"The XEN team relies on the fact that invariant conditions of= 'if' statements and conditional operators are deliberate" --config=3DMC3R1.R14.3,statements+=3D{deliberate, "wrapped(any(),node(if_st= mt||conditional_operator||binary_conditional_operator))" } +-config=3DMC3A2.R14.3,statements+=3D{deliberate, "wrapped(any(),node(if_st= mt||conditional_operator||binary_conditional_operator))" } -doc_end =20 -doc_begin=3D"Switches having a 'sizeof' operator as the condition are del= iberate and have limited scope." --config=3DMC3R1.R14.3,statements+=3D{deliberate, "wrapped(any(),node(switc= h_stmt)&&child(cond, operator(sizeof)))" } +-config=3DMC3A2.R14.3,statements+=3D{deliberate, "wrapped(any(),node(switc= h_stmt)&&child(cond, operator(sizeof)))" } -doc_end =20 -doc_begin=3D"The use of an invariant size argument in {put,get}_unsafe_si= ze and array_access_ok, as defined in arch/x86(_64)?/include/asm/uaccess.h = is deliberate and is deemed safe." 
-file_tag+=3D{x86_uaccess, "^xen/arch/x86(_64)?/include/asm/uaccess\\.h$"} --config=3DMC3R1.R14.3,reports+=3D{deliberate, "any_area(any_loc(file(x86_u= access)&&any_exp(macro(^(put|get)_unsafe_size$))))"} --config=3DMC3R1.R14.3,reports+=3D{deliberate, "any_area(any_loc(file(x86_u= access)&&any_exp(macro(^array_access_ok$))))"} +-config=3DMC3A2.R14.3,reports+=3D{deliberate, "any_area(any_loc(file(x86_u= access)&&any_exp(macro(^(put|get)_unsafe_size$))))"} +-config=3DMC3A2.R14.3,reports+=3D{deliberate, "any_area(any_loc(file(x86_u= access)&&any_exp(macro(^array_access_ok$))))"} -doc_end =20 -doc_begin=3D"A controlling expression of 'if' and iteration statements ha= ving integer, character or pointer type has a semantics that is well-known = to all Xen developers." --config=3DMC3R1.R14.4,etypes+=3D{deliberate, "any()", "src_type(integer||c= haracter)||src_expr(type(desugar(pointer(any()))))"} +-config=3DMC3A2.R14.4,etypes+=3D{deliberate, "any()", "src_type(integer||c= haracter)||src_expr(type(desugar(pointer(any()))))"} -doc_end =20 -doc_begin=3D"The XEN team relies on the fact that the enum is_dying has t= he constant with assigned value 0 act as false and the other ones as true, therefore have the same behavior of a boolean" --config=3DMC3R1.R14.4,etypes+=3D{deliberate, "stmt(child(cond,child(expr,r= ef(^?::is_dying$))))","src_type(enum)"} +-config=3DMC3A2.R14.4,etypes+=3D{deliberate, "stmt(child(cond,child(expr,r= ef(^?::is_dying$))))","src_type(enum)"} -doc_end =20 # 
@@ -459,58 +459,58 @@ therefore have the same behavior of a boolean" therefore it is deemed better to leave such files as is." -file_tag+=3D{x86_emulate,"^xen/arch/x86/x86_emulate/.*$"} -file_tag+=3D{x86_svm_emulate,"^xen/arch/x86/hvm/svm/emulate\\.c$"} --config=3DMC3R1.R16.2,reports+=3D{deliberate, "any_area(any_loc(file(x86_e= mulate||x86_svm_emulate)))"} +-config=3DMC3A2.R16.2,reports+=3D{deliberate, "any_area(any_loc(file(x86_e= mulate||x86_svm_emulate)))"} -doc_end =20 -doc_begin=3D"Statements that change the control flow (i.e., break, contin= ue, goto, return) and calls to functions that do not return the control bac= k are \"allowed terminal statements\"." -stmt_selector+=3D{r16_3_allowed_terminal, "node(break_stmt||continue_stmt= ||goto_stmt||return_stmt)||call(property(noreturn))"} --config=3DMC3R1.R16.3,terminals+=3D{safe, "r16_3_allowed_terminal"} +-config=3DMC3A2.R16.3,terminals+=3D{safe, "r16_3_allowed_terminal"} -doc_end =20 -doc_begin=3D"An if-else statement having both branches ending with an all= owed terminal statement is itself an allowed terminal statement." -stmt_selector+=3D{r16_3_if, "node(if_stmt)&&(child(then,r16_3_allowed_ter= minal)||child(then,any_stmt(stmt,-1,r16_3_allowed_terminal)))"} -stmt_selector+=3D{r16_3_else, "node(if_stmt)&&(child(else,r16_3_allowed_t= erminal)||child(else,any_stmt(stmt,-1,r16_3_allowed_terminal)))"} -stmt_selector+=3D{r16_3_if_else, "r16_3_if&&r16_3_else"} --config=3DMC3R1.R16.3,terminals+=3D{safe, "r16_3_if_else"} +-config=3DMC3A2.R16.3,terminals+=3D{safe, "r16_3_if_else"} -doc_end =20 -doc_begin=3D"An if-else statement having an always true condition and the= true branch ending with an allowed terminal statement is itself an allowed= terminal statement." 
-stmt_selector+=3D{r16_3_if_true, "r16_3_if&&child(cond,definitely_in(1..)= )"} --config=3DMC3R1.R16.3,terminals+=3D{safe, "r16_3_if_true"} +-config=3DMC3A2.R16.3,terminals+=3D{safe, "r16_3_if_true"} -doc_end =20 -doc_begin=3D"A switch clause ending with a statement expression which, in= turn, ends with an allowed terminal statement is safe." --config=3DMC3R1.R16.3,terminals+=3D{safe, "node(stmt_expr)&&child(stmt,nod= e(compound_stmt)&&any_stmt(stmt,-1,r16_3_allowed_terminal||r16_3_if_else||r= 16_3_if_true))"} +-config=3DMC3A2.R16.3,terminals+=3D{safe, "node(stmt_expr)&&child(stmt,nod= e(compound_stmt)&&any_stmt(stmt,-1,r16_3_allowed_terminal||r16_3_if_else||r= 16_3_if_true))"} -doc_end =20 -doc_begin=3D"A switch clause ending with a do-while-false the body of whi= ch, in turn, ends with an allowed terminal statement is safe. An exception to that is the macro ASSERT_UNREACHABLE() which is effective = in debug build only: a switch clause ending with ASSERT_UNREACHABLE() is no= t considered safe." --config=3DMC3R1.R16.3,terminals+=3D{safe, "!macro(name(ASSERT_UNREACHABLE)= )&&node(do_stmt)&&child(cond,definitely_in(0))&&child(body,any_stmt(stmt,-1= ,r16_3_allowed_terminal||r16_3_if_else||r16_3_if_true))"} +-config=3DMC3A2.R16.3,terminals+=3D{safe, "!macro(name(ASSERT_UNREACHABLE)= )&&node(do_stmt)&&child(cond,definitely_in(0))&&child(body,any_stmt(stmt,-1= ,r16_3_allowed_terminal||r16_3_if_else||r16_3_if_true))"} -doc_end =20 -doc_begin=3D"Switch clauses ending with pseudo-keyword \"fallthrough\" are safe." --config=3DMC3R1.R16.3,reports+=3D{safe, "any_area(end_loc(any_exp(text(/fa= llthrough;/))))"} +-config=3DMC3A2.R16.3,reports+=3D{safe, "any_area(end_loc(any_exp(text(/fa= llthrough;/))))"} -doc_end =20 -doc_begin=3D"Switch clauses ending with failure method \"BUG()\" are safe= ." 
--config=3DMC3R1.R16.3,reports+=3D{safe, "any_area(end_loc(any_exp(text(/BU= G\\(\\);/))))"} +-config=3DMC3A2.R16.3,reports+=3D{safe, "any_area(end_loc(any_exp(text(/BU= G\\(\\);/))))"} -doc_end =20 -doc_begin=3D"Switch clauses ending with an explicit comment indicating th= e fallthrough intention are safe." --config=3DMC3R1.R16.3,reports+=3D{safe, "any_area(end_loc(any_exp(text(^(?= s).*/\\* [fF]all ?through\\.? \\*/.*$,0..2))))"} +-config=3DMC3A2.R16.3,reports+=3D{safe, "any_area(end_loc(any_exp(text(^(?= s).*/\\* [fF]all ?through\\.? \\*/.*$,0..2))))"} -doc_end =20 -doc_begin=3D"Switch statements having a controlling expression of enum ty= pe deliberately do not have a default case: gcc -Wall enables -Wswitch whic= h warns (and breaks the build as we use -Werror) if one of the enum labels = is missing from the switch." --config=3DMC3R1.R16.4,reports+=3D{deliberate,'any_area(kind(context)&&^.* = has no `default.*$&&stmt(node(switch_stmt)&&child(cond,skip(__non_syntactic= _paren_stmts,type(canonical(enum_underlying_type(any())))))))'} +-config=3DMC3A2.R16.4,reports+=3D{deliberate,'any_area(kind(context)&&^.* = has no `default.*$&&stmt(node(switch_stmt)&&child(cond,skip(__non_syntactic= _paren_stmts,type(canonical(enum_underlying_type(any())))))))'} -doc_end =20 -doc_begin=3D"A switch statement with a single switch clause and no defaul= t label may be used in place of an equivalent if statement if it is conside= red to improve readability." --config=3DMC3R1.R16.4,switch_clauses+=3D{deliberate,"switch(1)&&default(0)= "} +-config=3DMC3A2.R16.4,switch_clauses+=3D{deliberate,"switch(1)&&default(0)= "} -doc_end =20 -doc_begin=3D"A switch statement with a single switch clause and no defaul= t label may be used in place of an equivalent if statement if it is conside= red to improve readability." --config=3DMC3R1.R16.6,switch_clauses+=3D{deliberate, "default(0)"} +-config=3DMC3A2.R16.6,switch_clauses+=3D{deliberate, "default(0)"} -doc_end =20 # 
@@ -518,16 +518,16 @@ safe." # =20 -doc_begin=3D"printf()-like functions are allowed to use the variadic feat= ures provided by stdarg.h." --config=3DMC3R1.R17.1,reports+=3D{deliberate,"any_area(^.*va_list.*$&&cont= ext(ancestor_or_self(^.*printk\\(.*\\)$)))"} --config=3DMC3R1.R17.1,reports+=3D{deliberate,"any_area(^.*va_list.*$&&cont= ext(ancestor_or_self(^.*printf\\(.*\\)$)))"} --config=3DMC3R1.R17.1,reports+=3D{deliberate,"any_area(^.*va_list.*$&&cont= ext(ancestor_or_self(name(panic)&&kind(function))))"} --config=3DMC3R1.R17.1,reports+=3D{deliberate,"any_area(^.*va_list.*$&&cont= ext(ancestor_or_self(name(elf_call_log_callback)&&kind(function))))"} --config=3DMC3R1.R17.1,reports+=3D{deliberate,"any_area(^.*va_list.*$&&cont= ext(ancestor_or_self(name(vprintk_common)&&kind(function))))"} --config=3DMC3R1.R17.1,macros+=3D{hide , "^va_(arg|start|copy|end)$"} +-config=3DMC3A2.R17.1,reports+=3D{deliberate,"any_area(^.*va_list.*$&&cont= ext(ancestor_or_self(^.*printk\\(.*\\)$)))"} +-config=3DMC3A2.R17.1,reports+=3D{deliberate,"any_area(^.*va_list.*$&&cont= ext(ancestor_or_self(^.*printf\\(.*\\)$)))"} +-config=3DMC3A2.R17.1,reports+=3D{deliberate,"any_area(^.*va_list.*$&&cont= ext(ancestor_or_self(name(panic)&&kind(function))))"} +-config=3DMC3A2.R17.1,reports+=3D{deliberate,"any_area(^.*va_list.*$&&cont= ext(ancestor_or_self(name(elf_call_log_callback)&&kind(function))))"} +-config=3DMC3A2.R17.1,reports+=3D{deliberate,"any_area(^.*va_list.*$&&cont= ext(ancestor_or_self(name(vprintk_common)&&kind(function))))"} +-config=3DMC3A2.R17.1,macros+=3D{hide , "^va_(arg|start|copy|end)$"} -doc_end =20 -doc_begin=3D"Not using the return value of a function does not endanger s= afety if it coincides with an actual argument." 
--config=3DMC3R1.R17.7,calls+=3D{safe, "any()", "decl(name(__builtin_memcpy= ||__builtin_memmove||__builtin_memset||cpumask_check))"} +-config=3DMC3A2.R17.7,calls+=3D{safe, "any()", "decl(name(__builtin_memcpy= ||__builtin_memmove||__builtin_memset||cpumask_check))"} -doc_end =20 # @@ -538,16 +538,16 @@ safe." are guaranteed not to be exploited by a compiler that relies on the absenc= e of C99 Undefined Behaviour 45: Pointers that do not point into, or just beyon= d, the same array object are subtracted (6.5.6)." -eval_file=3Dlinker_symbols.ecl --config=3DMC3R1.R18.2,reports+=3D{safe, "any_area(stmt(operator(sub)&&chil= d(lhs||rhs, skip(__non_syntactic_paren_stmts, ref(linker_symbols)))))"} +-config=3DMC3A2.R18.2,reports+=3D{safe, "any_area(stmt(operator(sub)&&chil= d(lhs||rhs, skip(__non_syntactic_paren_stmts, ref(linker_symbols)))))"} -doc_end =20 -doc_begin=3D"The following macro performs a subtraction between pointers = to obtain the mfn, but does not lead to undefined behaviour." --config=3DMC3R1.R18.2,reports+=3D{safe, "any_area(any_loc(any_exp(macro(^p= age_to_mfn$))))"} +-config=3DMC3A2.R18.2,reports+=3D{safe, "any_area(any_loc(any_exp(macro(^p= age_to_mfn$))))"} -doc_end =20 -doc_begin=3D"Flexible array members are deliberately used and XEN develop= ers are aware of the dangers related to them: unexpected result when the structure is given as argument to a sizeof() op= erator and the truncation in assignment between structures." --config=3DMC3R1.R18.7,reports+=3D{deliberate, "any()"} +-config=3DMC3A2.R18.7,reports+=3D{deliberate, "any()"} -doc_end =20 # 
@@ -558,7 +558,7 @@ unexpected result when the structure is given as argume= nt to a sizeof() operator as function arguments; (2) as macro arguments; (3) as array indices; (4) a= s lhs in assignments; (5) as initializers, possibly designated, in initalizer li= sts; (6) as the constant expression in a switch clause label." --config=3DMC3R1.R20.7,expansion_context=3D +-config=3DMC3A2.R20.7,expansion_context=3D {safe, "context(__call_expr_arg_contexts)"}, {safe, "left_right(^[(,\\[]$,^[),\\]]$)"}, {safe, "context(skip_to(__expr_non_syntactic_contexts, stmt_child(node(arr= ay_subscript_expr), subscript)))"}, 
@@ -571,62 +571,62 @@ in assignments; (5) as initializers, possibly designa= ted, in initalizer lists; breaking the macro's logic; futhermore, the macro is only ever used in the= context of the IS_ENABLED or STATIC_IF/STATIC_IF_NOT macros, so it always receives= a literal 0 or 1 as input, posing no risk to safety." --config=3DMC3R1.R20.7,reports+=3D{safe, "any_area(any_loc(any_exp(macro(^_= __config_enabled$))))"} +-config=3DMC3A2.R20.7,reports+=3D{safe, "any_area(any_loc(any_exp(macro(^_= __config_enabled$))))"} -doc_end =20 -doc_begin=3D"Violations due to the use of macros defined in files that are not in scope for compliance are allowed, as that is imported code." -file_tag+=3D{gnu_efi_include, "^xen/include/efi/.*$"} -file_tag+=3D{acpi_cpu_idle, "^xen/arch/x86/acpi/cpu_idle\\.c$"} --config=3DMC3R1.R20.7,reports+=3D{safe, "any_area(any_loc(file(gnu_efi_inc= lude)||any_exp(macro(^NextMemoryDescriptor$))))"} --config=3DMC3R1.R20.7,reports+=3D{safe, "any_area(any_loc(file(acpi_cpu_id= le)))"} +-config=3DMC3A2.R20.7,reports+=3D{safe, "any_area(any_loc(file(gnu_efi_inc= lude)||any_exp(macro(^NextMemoryDescriptor$))))"} +-config=3DMC3A2.R20.7,reports+=3D{safe, "any_area(any_loc(file(acpi_cpu_id= le)))"} -doc_end =20 -doc_begin=3D"To avoid compromising readability, the macros alternative_(v= )?call[0-9] are allowed not to parenthesize their arguments." --config=3DMC3R1.R20.7,reports+=3D{safe, "any_area(any_loc(any_exp(macro(^a= lternative_(v)?call[0-9]$))))"} +-config=3DMC3A2.R20.7,reports+=3D{safe, "any_area(any_loc(any_exp(macro(^a= lternative_(v)?call[0-9]$))))"} -doc_end =20 -doc_begin=3D"The argument 'x' of the count_args_ macro can't be parenthes= ized as the rule would require, without breaking the functionality of the macro. T= he uses of this macro do not lead to developer confusion, and can thus be deviated= ." 
--config=3DMC3R1.R20.7,reports+=3D{safe, "any_area(any_loc(any_exp(macro(^c= ount_args_$))))"} +-config=3DMC3A2.R20.7,reports+=3D{safe, "any_area(any_loc(any_exp(macro(^c= ount_args_$))))"} -doc_end =20 -doc_begin=3D"The argument \"fn\" in macros {COMPILE,RUNTIME}_CHECK is not= parenthesized on purpose, to be able to test function-like macros. Given the specialized= and limited use of this macro, it is deemed ok to deviate them." --config=3DMC3R1.R20.7,reports+=3D{deliberate, "any_area(any_loc(any_exp(ma= cro(^(COMPILE_CHECK|RUNTIME_CHECK)$))))"} +-config=3DMC3A2.R20.7,reports+=3D{deliberate, "any_area(any_loc(any_exp(ma= cro(^(COMPILE_CHECK|RUNTIME_CHECK)$))))"} -doc_end =20 -doc_begin=3D"Problems related to operator precedence can not occur if the= expansion of the macro argument is surrounded by tokens '{', '}' and ';'." --config=3DMC3R1.R20.7,expansion_context+=3D{safe, "left_right(^[\\{;]$,^[;= \\}]$)"} +-config=3DMC3A2.R20.7,expansion_context+=3D{safe, "left_right(^[\\{;]$,^[;= \\}]$)"} -doc_end =20 -doc_begin=3D"Uses of variadic macros that have one of their arguments def= ined as a macro and used within the body for both ordinary parameter expansion and= as an operand to the # or ## operators have a behavior that is well-understood a= nd deliberate." --config=3DMC3R1.R20.12,macros+=3D{deliberate, "variadic()"} +-config=3DMC3A2.R20.12,macros+=3D{deliberate, "variadic()"} -doc_end =20 -doc_begin=3D"Uses of a macro parameter for ordinary expansion and as an o= perand to the # or ## operators within the following macros are deliberate, to pr= ovide useful diagnostic messages to the user." --config=3DMC3R1.R20.12,macros+=3D{deliberate, "name(ASSERT||BUILD_BUG_ON||= BUILD_BUG_ON_ZERO||RUNTIME_CHECK)"} +-config=3DMC3A2.R20.12,macros+=3D{deliberate, "name(ASSERT||BUILD_BUG_ON||= BUILD_BUG_ON_ZERO||RUNTIME_CHECK)"} -doc_end =20 -doc_begin=3D"The helper macro GENERATE_CASE may use a macro parameter for= ordinary expansion and token pasting to improve readability. 
Only instances where t= his leads to a violation of the Rule are deviated." -file_tag+=3D{deliberate_generate_case, "^xen/arch/arm/vcpreg\\.c$"} --config=3DMC3R1.R20.12,macros+=3D{deliberate, "name(GENERATE_CASE)&&loc(fi= le(deliberate_generate_case))"} +-config=3DMC3A2.R20.12,macros+=3D{deliberate, "name(GENERATE_CASE)&&loc(fi= le(deliberate_generate_case))"} -doc_end =20 -doc_begin=3D"The macro DEFINE is defined and used in excluded files asm-o= ffsets.c. This may still cause violations if entities outside these files are referr= ed to in the expansion." --config=3DMC3R1.R20.12,macros+=3D{deliberate, "name(DEFINE)&&loc(file(asm_= offsets))"} +-config=3DMC3A2.R20.12,macros+=3D{deliberate, "name(DEFINE)&&loc(file(asm_= offsets))"} -doc_end =20 # @@ -636,7 +636,7 @@ in the expansion." -doc_begin=3D"or, and and xor are reserved identifiers because they consti= tute alternate spellings for the corresponding operators (they are defined as macros by i= so646.h). However, Xen doesn't use standard library headers, so there is no risk of = overlap." --config=3DMC3R1.R21.2,reports+=3D{safe, "any_area(stmt(ref(kind(label)&&^(= or|and|xor|not)$)))"} +-config=3DMC3A2.R21.2,reports+=3D{safe, "any_area(stmt(ref(kind(label)&&^(= or|and|xor|not)$)))"} -doc_end =20 -doc_begin=3D"Xen does not use the functions provided by the Standard Libr= ary, but @@ -645,8 +645,8 @@ The implementation of these functions is available in s= ource form, so the undefi or implementation-defined behaviors contemplated by the C Standard do not = apply. If some undefined or unspecified behavior does arise in the implementation= , it falls under the jurisdiction of other MISRA rules." --config=3DMC3R1.R21.9,reports+=3D{deliberate, "any()"} --config=3DMC3R1.R21.10,reports+=3D{deliberate, "any()"} +-config=3DMC3A2.R21.9,reports+=3D{deliberate, "any()"} +-config=3DMC3A2.R21.10,reports+=3D{deliberate, "any()"} -doc_end =20 # 
@@ -671,7 +671,7 @@ falls under the jurisdiction of other MISRA rules." programmers:no developers' confusion is not possible. In addition, adopted= code is assumed to work as is. Reports that are fully contained in adopted code= are hidden/tagged with the 'adopted' tag." --service_selector=3D{developer_confusion_guidelines,"^(MC3R1\\.R2\\.1|MC3R= 1\\.R2\\.2|MC3R1\\.R2\\.3|MC3R1\\.R2\\.4|MC3R1\\.R2\\.5|MC3R1\\.R2\\.6|MC3R= 1\\.R2\\.7|MC3R1\\.R4\\.1|MC3R1\\.R5\\.3|MC3R1\\.R5\\.6|MC3R1\\.R5\\.7|MC3R= 1\\.R5\\.8|MC3R1\\.R5\\.9|MC3R1\\.R7\\.1|MC3R1\\.R7\\.2|MC3R1\\.R7\\.3|MC3R= 1\\.R8\\.7|MC3R1\\.R8\\.8|MC3R1\\.R8\\.9|MC3R1\\.R8\\.11|MC3R1\\.R8\\.12|MC= 3R1\\.R8\\.13|MC3R1\\.R9\\.3|MC3R1\\.R9\\.4|MC3R1\\.R9\\.5|MC3R1\\.R10\\.2|= MC3R1\\.R10\\.5|MC3R1\\.R10\\.6|MC3R1\\.R10\\.7|MC3R1\\.R10\\.8|MC3R1\\.R11= \\.9|MC3R1\\.R12\\.1|MC3R1\\.R12\\.3|MC3R1\\.R12\\.4|MC3R1\\.R13\\.5|MC3R1\= \.R14\\.1|MC3R1\\.R14\\.2|MC3R1\\.R14\\.3|MC3R1\\.R15\\.1|MC3R1\\.R15\\.2|M= C3R1\\.R15\\.3|MC3R1\\.R15\\.4|MC3R1\\.R15\\.5|MC3R1\\.R15\\.6|MC3R1\\.R15\= \.7|MC3R1\\.R16\\.1|MC3R1\\.R16\\.2|MC3R1\\.R16\\.3|MC3R1\\.R16\\.4|MC3R1\\= .R16\\.5|MC3R1\\.R16\\.6|MC3R1\\.R16\\.7|MC3R1\\.R17\\.7|MC3R1\\.R17\\.8|MC= 3R1\\.R18\\.4|MC3R1\\.R18\\.5)$" +-service_selector=3D{developer_confusion_guidelines,"^(MC3A2\\.R2\\.1|MC3A= 2\\.R2\\.2|MC3A2\\.R2\\.3|MC3A2\\.R2\\.4|MC3A2\\.R2\\.5|MC3A2\\.R2\\.6|MC3A= 2\\.R2\\.7|MC3A2\\.R4\\.1|MC3A2\\.R5\\.3|MC3A2\\.R5\\.6|MC3A2\\.R5\\.7|MC3A= 2\\.R5\\.8|MC3A2\\.R5\\.9|MC3A2\\.R7\\.1|MC3A2\\.R7\\.2|MC3A2\\.R7\\.3|MC3A= 2\\.R8\\.7|MC3A2\\.R8\\.8|MC3A2\\.R8\\.9|MC3A2\\.R8\\.11|MC3A2\\.R8\\.12|MC= 3A2\\.R8\\.13|MC3A2\\.R9\\.3|MC3A2\\.R9\\.4|MC3A2\\.R9\\.5|MC3A2\\.R10\\.2|= MC3A2\\.R10\\.5|MC3A2\\.R10\\.6|MC3A2\\.R10\\.7|MC3A2\\.R10\\.8|MC3A2\\.R11= \\.9|MC3A2\\.R12\\.1|MC3A2\\.R12\\.3|MC3A2\\.R12\\.4|MC3A2\\.R13\\.5|MC3A2\= \.R14\\.1|MC3A2\\.R14\\.2|MC3A2\\.R14\\.3|MC3A2\\.R15\\.1|MC3A2\\.R15\\.2|M= C3A2\\.R15\\.3|MC3A2\\.R15\\.4|MC3A2\\.R15\\.5|MC3A2\\.R15\\.6|MC3A2\\.R15\= 
\.7|MC3A2\\.R16\\.1|MC3A2\\.R16\\.2|MC3A2\\.R16\\.3|MC3A2\\.R16\\.4|MC3A2\\= .R16\\.5|MC3A2\\.R16\\.6|MC3A2\\.R16\\.7|MC3A2\\.R17\\.7|MC3A2\\.R17\\.8|MC= 3A2\\.R18\\.4|MC3A2\\.R18\\.5)$" } -config=3Ddeveloper_confusion_guidelines,reports+=3D{relied,adopted_report} -doc_end diff --git a/automation/eclair_analysis/ECLAIR/monitored.ecl b/automation/e= clair_analysis/ECLAIR/monitored.ecl index 4e1deef7a7..8351996ec8 100644 --- a/automation/eclair_analysis/ECLAIR/monitored.ecl +++ b/automation/eclair_analysis/ECLAIR/monitored.ecl 
@@ -1,106 +1,106 @@ -doc_begin=3D"A set of guidelines that are clean or that only have few vio= lations left." --enable=3DMC3R1.D1.1 --enable=3DMC3R1.D2.1 --enable=3DMC3R1.D4.1 --enable=3DMC3R1.D4.3 --enable=3DMC3R1.D4.7 --enable=3DMC3R1.D4.10 --enable=3DMC3R1.D4.11 --enable=3DMC3R1.D4.14 --enable=3DMC3R1.R1.1 --enable=3DMC3R1.R1.3 --enable=3DMC3R1.R1.4 --enable=3DMC3R1.R2.1 --enable=3DMC3R1.R2.6 --enable=3DMC3R1.R3.1 --enable=3DMC3R1.R3.2 --enable=3DMC3R1.R4.1 --enable=3DMC3R1.R4.2 --enable=3DMC3R1.R5.1 --enable=3DMC3R1.R5.2 --enable=3DMC3R1.R5.3 --enable=3DMC3R1.R5.4 --enable=3DMC3R1.R5.5 --enable=3DMC3R1.R5.6 --enable=3DMC3R1.R6.1 --enable=3DMC3R1.R6.2 --enable=3DMC3R1.R7.1 --enable=3DMC3R1.R7.2 --enable=3DMC3R1.R7.3 --enable=3DMC3R1.R7.4 --enable=3DMC3R1.R8.1 --enable=3DMC3R1.R8.2 --enable=3DMC3R1.R8.3 --enable=3DMC3R1.R8.4 --enable=3DMC3R1.R8.5 --enable=3DMC3R1.R8.6 --enable=3DMC3R1.R8.8 --enable=3DMC3R1.R8.10 --enable=3DMC3R1.R8.12 --enable=3DMC3R1.R8.14 --enable=3DMC3R1.R9.2 --enable=3DMC3R1.R9.3 --enable=3DMC3R1.R9.4 --enable=3DMC3R1.R10.1 --enable=3DMC3R1.R10.2 --enable=3DMC3R1.R11.1 --enable=3DMC3R1.R11.2 --enable=3DMC3R1.R11.7 --enable=3DMC3R1.R11.8 --enable=3DMC3R1.R11.9 --enable=3DMC3R1.R12.5 --enable=3DMC3R1.R13.1 --enable=3DMC3R1.R13.2 --enable=3DMC3R1.R13.6 --enable=3DMC3R1.R14.1 --enable=3DMC3R1.R14.4 --enable=3DMC3R1.R16.2 --enable=3DMC3R1.R16.3 --enable=3DMC3R1.R16.4 --enable=3DMC3R1.R16.6 --enable=3DMC3R1.R16.7 --enable=3DMC3R1.R17.1 --enable=3DMC3R1.R17.3 --enable=3DMC3R1.R17.4 --enable=3DMC3R1.R17.5 --enable=3DMC3R1.R17.6 --enable=3DMC3R1.R18.1 --enable=3DMC3R1.R18.2 --enable=3DMC3R1.R18.6 --enable=3DMC3R1.R18.8 --enable=3DMC3R1.R19.1 --enable=3DMC3R1.R20.2 --enable=3DMC3R1.R20.3 --enable=3DMC3R1.R20.4 --enable=3DMC3R1.R20.6 --enable=3DMC3R1.R20.7 --enable=3DMC3R1.R20.9 --enable=3DMC3R1.R20.11 --enable=3DMC3R1.R20.12 --enable=3DMC3R1.R20.13 --enable=3DMC3R1.R20.14 --enable=3DMC3R1.R21.3 --enable=3DMC3R1.R21.4 --enable=3DMC3R1.R21.5 
--enable=3DMC3R1.R21.7 --enable=3DMC3R1.R21.8 --enable=3DMC3R1.R21.9 --enable=3DMC3R1.R21.10 --enable=3DMC3R1.R21.12 --enable=3DMC3R1.R21.13 --enable=3DMC3R1.R21.17 --enable=3DMC3R1.R21.18 --enable=3DMC3R1.R21.19 --enable=3DMC3R1.R21.20 --enable=3DMC3R1.R21.21 --enable=3DMC3R1.R22.1 --enable=3DMC3R1.R22.2 --enable=3DMC3R1.R22.3 --enable=3DMC3R1.R22.4 --enable=3DMC3R1.R22.5 --enable=3DMC3R1.R22.6 --enable=3DMC3R1.R22.7 --enable=3DMC3R1.R22.8 --enable=3DMC3R1.R22.9 --enable=3DMC3R1.R22.10 +-enable=3DMC3A2.D1.1 +-enable=3DMC3A2.D2.1 +-enable=3DMC3A2.D4.1 +-enable=3DMC3A2.D4.3 +-enable=3DMC3A2.D4.7 +-enable=3DMC3A2.D4.10 +-enable=3DMC3A2.D4.11 +-enable=3DMC3A2.D4.14 +-enable=3DMC3A2.R1.1 +-enable=3DMC3A2.R1.3 +-enable=3DMC3A2.R1.4 +-enable=3DMC3A2.R2.1 +-enable=3DMC3A2.R2.6 +-enable=3DMC3A2.R3.1 +-enable=3DMC3A2.R3.2 +-enable=3DMC3A2.R4.1 +-enable=3DMC3A2.R4.2 +-enable=3DMC3A2.R5.1 +-enable=3DMC3A2.R5.2 +-enable=3DMC3A2.R5.3 +-enable=3DMC3A2.R5.4 +-enable=3DMC3A2.R5.5 +-enable=3DMC3A2.R5.6 +-enable=3DMC3A2.R6.1 +-enable=3DMC3A2.R6.2 +-enable=3DMC3A2.R7.1 +-enable=3DMC3A2.R7.2 +-enable=3DMC3A2.R7.3 +-enable=3DMC3A2.R7.4 +-enable=3DMC3A2.R8.1 +-enable=3DMC3A2.R8.2 +-enable=3DMC3A2.R8.3 +-enable=3DMC3A2.R8.4 +-enable=3DMC3A2.R8.5 +-enable=3DMC3A2.R8.6 +-enable=3DMC3A2.R8.8 +-enable=3DMC3A2.R8.10 +-enable=3DMC3A2.R8.12 +-enable=3DMC3A2.R8.14 +-enable=3DMC3A2.R9.2 +-enable=3DMC3A2.R9.3 +-enable=3DMC3A2.R9.4 +-enable=3DMC3A2.R10.1 +-enable=3DMC3A2.R10.2 +-enable=3DMC3A2.R11.1 +-enable=3DMC3A2.R11.2 +-enable=3DMC3A2.R11.7 +-enable=3DMC3A2.R11.8 +-enable=3DMC3A2.R11.9 +-enable=3DMC3A2.R12.5 +-enable=3DMC3A2.R13.1 +-enable=3DMC3A2.R13.2 +-enable=3DMC3A2.R13.6 +-enable=3DMC3A2.R14.1 +-enable=3DMC3A2.R14.4 +-enable=3DMC3A2.R16.2 +-enable=3DMC3A2.R16.3 +-enable=3DMC3A2.R16.4 +-enable=3DMC3A2.R16.6 +-enable=3DMC3A2.R16.7 +-enable=3DMC3A2.R17.1 +-enable=3DMC3A2.R17.3 +-enable=3DMC3A2.R17.4 +-enable=3DMC3A2.R17.5 +-enable=3DMC3A2.R17.6 +-enable=3DMC3A2.R18.1 +-enable=3DMC3A2.R18.2 
+-enable=3DMC3A2.R18.6 +-enable=3DMC3A2.R18.8 +-enable=3DMC3A2.R19.1 +-enable=3DMC3A2.R20.2 +-enable=3DMC3A2.R20.3 +-enable=3DMC3A2.R20.4 +-enable=3DMC3A2.R20.6 +-enable=3DMC3A2.R20.7 +-enable=3DMC3A2.R20.9 +-enable=3DMC3A2.R20.11 +-enable=3DMC3A2.R20.12 +-enable=3DMC3A2.R20.13 +-enable=3DMC3A2.R20.14 +-enable=3DMC3A2.R21.3 +-enable=3DMC3A2.R21.4 +-enable=3DMC3A2.R21.5 +-enable=3DMC3A2.R21.7 +-enable=3DMC3A2.R21.8 +-enable=3DMC3A2.R21.9 +-enable=3DMC3A2.R21.10 +-enable=3DMC3A2.R21.12 +-enable=3DMC3A2.R21.13 +-enable=3DMC3A2.R21.17 +-enable=3DMC3A2.R21.18 +-enable=3DMC3A2.R21.19 +-enable=3DMC3A2.R21.20 +-enable=3DMC3A2.R21.21 +-enable=3DMC3A2.R22.1 +-enable=3DMC3A2.R22.2 +-enable=3DMC3A2.R22.3 +-enable=3DMC3A2.R22.4 +-enable=3DMC3A2.R22.5 +-enable=3DMC3A2.R22.6 +-enable=3DMC3A2.R22.7 +-enable=3DMC3A2.R22.8 +-enable=3DMC3A2.R22.9 +-enable=3DMC3A2.R22.10 -doc_end diff --git a/automation/eclair_analysis/ECLAIR/tagging.ecl b/automation/ecl= air_analysis/ECLAIR/tagging.ecl index 755ea3271f..b524318591 100644 --- a/automation/eclair_analysis/ECLAIR/tagging.ecl +++ b/automation/eclair_analysis/ECLAIR/tagging.ecl 
@@ -20,93 +20,93 @@ -doc_begin=3D"Clean guidelines: new violations for these guidelines are no= t accepted." =20 -service_selector=3D{clean_guidelines_common, -"MC3R1.D1.1|| -MC3R1.D2.1|| -MC3R1.D4.1|| -MC3R1.D4.11|| -MC3R1.D4.14|| -MC3R1.R1.1|| -MC3R1.R1.3|| -MC3R1.R1.4|| -MC3R1.R2.6|| -MC3R1.R3.1|| -MC3R1.R3.2|| -MC3R1.R4.1|| -MC3R1.R4.2|| -MC3R1.R5.1|| -MC3R1.R5.2|| -MC3R1.R5.3|| -MC3R1.R5.4|| -MC3R1.R5.6|| -MC3R1.R6.1|| -MC3R1.R6.2|| -MC3R1.R7.1|| -MC3R1.R7.2|| -MC3R1.R7.3|| -MC3R1.R7.4|| -MC3R1.R8.1|| -MC3R1.R8.2|| -MC3R1.R8.3|| -MC3R1.R8.4|| -MC3R1.R8.5|| -MC3R1.R8.6|| -MC3R1.R8.8|| -MC3R1.R8.10|| -MC3R1.R8.12|| -MC3R1.R8.14|| -MC3R1.R9.2|| -MC3R1.R9.3|| -MC3R1.R9.4|| -MC3R1.R10.2|| -MC3R1.R11.6|| -MC3R1.R11.7|| -MC3R1.R11.9|| -MC3R1.R12.5|| -MC3R1.R13.6|| -MC3R1.R14.1|| -MC3R1.R14.3|| -MC3R1.R14.4|| -MC3R1.R16.2|| -MC3R1.R16.3|| -MC3R1.R16.7|| -MC3R1.R17.1|| -MC3R1.R17.3|| -MC3R1.R17.4|| -MC3R1.R17.5|| -MC3R1.R17.6|| -MC3R1.R18.6|| -MC3R1.R18.8|| -MC3R1.R20.2|| -MC3R1.R20.3|| -MC3R1.R20.4|| -MC3R1.R20.6|| -MC3R1.R20.9|| -MC3R1.R20.11|| -MC3R1.R20.12|| -MC3R1.R20.13|| -MC3R1.R20.14|| -MC3R1.R21.3|| -MC3R1.R21.4|| -MC3R1.R21.5|| -MC3R1.R21.7|| -MC3R1.R21.8|| -MC3R1.R21.9|| -MC3R1.R21.10|| -MC3R1.R21.11|| -MC3R1.R21.12|| -MC3R1.R21.13|| -MC3R1.R21.19|| -MC3R1.R21.21|| -MC3R1.R22.1|| -MC3R1.R22.2|| -MC3R1.R22.3|| -MC3R1.R22.4|| -MC3R1.R22.5|| -MC3R1.R22.6|| -MC3R1.R22.7|| -MC3R1.R22.8|| -MC3R1.R22.9|| -MC3R1.R22.10" +"MC3A2.D1.1|| +MC3A2.D2.1|| +MC3A2.D4.1|| +MC3A2.D4.11|| +MC3A2.D4.14|| +MC3A2.R1.1|| +MC3A2.R1.3|| +MC3A2.R1.4|| +MC3A2.R2.6|| +MC3A2.R3.1|| +MC3A2.R3.2|| +MC3A2.R4.1|| +MC3A2.R4.2|| +MC3A2.R5.1|| +MC3A2.R5.2|| +MC3A2.R5.3|| +MC3A2.R5.4|| +MC3A2.R5.6|| +MC3A2.R6.1|| +MC3A2.R6.2|| +MC3A2.R7.1|| +MC3A2.R7.2|| +MC3A2.R7.3|| +MC3A2.R7.4|| +MC3A2.R8.1|| +MC3A2.R8.2|| +MC3A2.R8.3|| +MC3A2.R8.4|| +MC3A2.R8.5|| +MC3A2.R8.6|| +MC3A2.R8.8|| +MC3A2.R8.10|| +MC3A2.R8.12|| +MC3A2.R8.14|| +MC3A2.R9.2|| +MC3A2.R9.3|| +MC3A2.R9.4|| +MC3A2.R10.2|| +MC3A2.R11.6|| 
+MC3A2.R11.7|| +MC3A2.R11.9|| +MC3A2.R12.5|| +MC3A2.R13.6|| +MC3A2.R14.1|| +MC3A2.R14.3|| +MC3A2.R14.4|| +MC3A2.R16.2|| +MC3A2.R16.3|| +MC3A2.R16.7|| +MC3A2.R17.1|| +MC3A2.R17.3|| +MC3A2.R17.4|| +MC3A2.R17.5|| +MC3A2.R17.6|| +MC3A2.R18.6|| +MC3A2.R18.8|| +MC3A2.R20.2|| +MC3A2.R20.3|| +MC3A2.R20.4|| +MC3A2.R20.6|| +MC3A2.R20.9|| +MC3A2.R20.11|| +MC3A2.R20.12|| +MC3A2.R20.13|| +MC3A2.R20.14|| +MC3A2.R21.3|| +MC3A2.R21.4|| +MC3A2.R21.5|| +MC3A2.R21.7|| +MC3A2.R21.8|| +MC3A2.R21.9|| +MC3A2.R21.10|| +MC3A2.R21.11|| +MC3A2.R21.12|| +MC3A2.R21.13|| +MC3A2.R21.19|| +MC3A2.R21.21|| +MC3A2.R22.1|| +MC3A2.R22.2|| +MC3A2.R22.3|| +MC3A2.R22.4|| +MC3A2.R22.5|| +MC3A2.R22.6|| +MC3A2.R22.7|| +MC3A2.R22.8|| +MC3A2.R22.9|| +MC3A2.R22.10" } =20 -setq=3Dtarget,getenv("XEN_TARGET_ARCH") @@ -116,7 +116,7 @@ if(string_equal(target,"x86_64"), ) =20 if(string_equal(target,"arm64"), - service_selector({"additional_clean_guidelines","MC3R1.R2.1||MC3R1.R5.= 3||MC3.R11.2||MC3R1.R16.6||MC3R1.R20.7"}) + service_selector({"additional_clean_guidelines","MC3A2.R2.1||MC3A2.R5.= 3||MC3.R11.2||MC3A2.R16.6||MC3A2.R20.7"}) ) =20 -reports+=3D{clean:added,"service(clean_guidelines_common||additional_clea= n_guidelines)"} diff --git a/docs/misra/documenting-violations.rst b/docs/misra/documenting= -violations.rst index 8f1cbd83b8..d26377d5aa 100644 --- a/docs/misra/documenting-violations.rst +++ b/docs/misra/documenting-violations.rst @@ -53,7 +53,7 @@ Here is an example to add a new justification in safe.jso= n:: | "analyser": { | "cppcheck": "misra-c2012-20.7", | "coverity": "misra_c_2012_rule_20_7_violation", -| "eclair": "MC3R1.R20.7" +| "eclair": "MC3A2.R20.7" | }, | "name": "R20.7 C macro parameters not used as expression", | "text": "The macro parameters used in this [...]" 
@@ -138,7 +138,7 @@ for the Rule 8.6: =20 Eclair reports it in its web report, file xen/include/xen/kernel.h, line 6= 8: =20 -| MC3R1.R8.6 for program 'xen/xen-syms', variable '_start' has no definiti= on +| MC3A2.R8.6 for program 'xen/xen-syms', variable '_start' has no definiti= on =20 Also coverity reports it, here is an extract of the finding: =20 @@ -165,7 +165,7 @@ We will prepare our entry in the safe.json database:: | { | "id": "SAF-1-safe", | "analyser": { -| "eclair": "MC3R1.R8.6", +| "eclair": "MC3A2.R8.6", | "coverity": "misra_c_2012_rule_8_6_violation" | }, | "name": "Rule 8.6: linker script defined symbols", diff --git a/docs/misra/safe.json b/docs/misra/safe.json index 684346386e..b8a4f878ea 100644 --- a/docs/misra/safe.json +++ b/docs/misra/safe.json @@ -4,7 +4,7 @@ { "id": "SAF-0-safe", "analyser": { - "eclair": "MC3R1.R8.6", + "eclair": "MC3A2.R8.6", "coverity": "misra_c_2012_rule_8_6_violation" }, "name": "Rule 8.6: linker script defined symbols", @@ -13,7 +13,7 @@ { "id": "SAF-1-safe", "analyser": { - "eclair": "MC3R1.R8.4" + "eclair": "MC3A2.R8.4" }, "name": "Rule 8.4: asm-only definition", "text": "Functions and variables used only by asm modules do n= ot need to have a visible declaration prior to their definition." 
@@ -21,23 +21,23 @@ { "id": "SAF-2-safe", "analyser": { - "eclair": "MC3R1.R10.1" + "eclair": "MC3A2.R10.1" }, - "name": "MC3R1.R10.1: use of an enumeration constant in an ari= thmetic operation", + "name": "MC3A2.R10.1: use of an enumeration constant in an ari= thmetic operation", "text": "This violation can be fixed with a cast to (int) of t= he enumeration constant, but a deviation was chosen due to code readability= (see also the comment in BITS_TO_LONGS)." }, { "id": "SAF-3-safe", "analyser": { - "eclair": "MC3R1.R20.4" + "eclair": "MC3A2.R20.4" }, - "name": "MC3R1.R20.4: allow the definition of a macro with the= same name as a keyword in some special cases", + "name": "MC3A2.R20.4: allow the definition of a macro with the= same name as a keyword in some special cases", "text": "The definition of a macro with the same name as a key= word can be useful in certain configurations to improve the guarantees that= can be provided by Xen. See docs/misra/deviations.rst for a precise ration= ale for all such cases." }, { "id": "SAF-4-safe", "analyser": { - "eclair": "MC3R1.R17.1" + "eclair": "MC3A2.R17.1" }, "name": "Rule 17.1: internal helper functions made to break lo= ng running hypercalls into multiple calls.", "text": "They need to take a variable number of arguments depe= nding on the original hypercall they are trying to continue." 
@@ -45,31 +45,31 @@ { "id": "SAF-5-safe", "analyser": { - "eclair": "MC3R1.R16.2" + "eclair": "MC3A2.R16.2" }, - "name": "MC3R1.R16.2: using a case label when the most closely= -enclosing compound statement is not a switch statement", + "name": "MC3A2.R16.2: using a case label when the most closely= -enclosing compound statement is not a switch statement", "text": "A switch label enclosed by some compound statement th= at is not the body of a switch is permitted within local helper macros that= are unlikely to be misused or misunderstood." }, { "id": "SAF-6-safe", "analyser": { - "eclair": "MC3R1.R20.12" + "eclair": "MC3A2.R20.12" }, - "name": "MC3R1.R20.12: use of a macro argument that deliberate= ly violates the Rule", + "name": "MC3A2.R20.12: use of a macro argument that deliberate= ly violates the Rule", "text": "A macro parameter that is itself a macro is intention= ally used within the macro both as a regular parameter and for text replace= ment." }, { "id": "SAF-7-safe", "analyser": { - "eclair": "MC3R1.R20.7" + "eclair": "MC3A2.R20.7" }, - "name": "MC3R1.R20.7: deliberately non-parenthesized macro arg= ument", + "name": "MC3A2.R20.7: deliberately non-parenthesized macro arg= ument", "text": "A macro parameter expands to an expression that is no= n-parenthesized, as doing so would break the functionality." }, { "id": "SAF-8-safe", "analyser": { - "eclair": "MC3R1.D4.10" + "eclair": "MC3A2.D4.10" }, "name": "Dir 4.10: headers that leave it up to the caller to i= nclude them correctly", "text": "Headers that deliberatively leave the responsability = of their correct inclusion to the caller are allowed." @@ -77,7 +77,7 @@ { "id": "SAF-9-safe", "analyser": { - "eclair": "MC3R1.D4.10" + "eclair": "MC3A2.D4.10" }, "name": "Dir 4.10: empty headers", "text": "Empty headers pose no risk if included more than once= ." 
@@ -85,7 +85,7 @@ { "id": "SAF-10-safe", "analyser": { - "eclair": "MC3R1.D4.10" + "eclair": "MC3A2.D4.10" }, "name": "Dir 4.10: direct inclusion guard before", "text": "Headers with just the direct inclusion guard before t= he inclusion guard are safe." --=20 2.43.0
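Review bot: In the arm64 hunk of automation/eclair_analysis/ECLAIR/tagging.ecl (@@ -116,7 +116,7 @@), the "additional_clean_guidelines" selector still contains "MC3.R11.2" on both the removed and the added line, while every other entry in the string moves from MC3R1 to MC3A2. That prefix matches neither naming scheme used in this patch, so the selector term for Rule 11.2 may not match any service, in which case new violations of that rule would not be rejected on arm64. If the short prefix is not intentional, the added line should read "MC3A2.R11.2"; if it is intentional, a word in the commit message would help.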
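Review bot: The clean_guidelines_common selector in tagging.ecl lists "MC3A2.R21.11", but the "-enable=" lines visible just before the tagging.ecl diff go from MC3A2.R21.10 straight to MC3A2.R21.12. Unless R21.11 is enabled somewhere outside the lines shown here, it is tagged clean without being analysed, so the "new violations are not accepted" gate cannot fire for it. The old list had the same entry (MC3R1.R21.11), so this is not introduced by the rename, but since both lists are being rewritten it is a good moment to either add the matching "-enable=MC3A2.R21.11" or drop the entry from the clean list.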
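Review bot: In docs/misra/safe.json the "name" strings of SAF-2, SAF-3, SAF-5, SAF-6 and SAF-7 embed the ECLAIR service identifier (for example "MC3A2.R10.1: use of an enumeration constant in an arithmetic operation"), which is the only reason a tool-side prefix change has to touch human-readable text. The other entries in the same file (SAF-0, SAF-1, SAF-4, SAF-8 to SAF-10) already use the tool-neutral form "Rule 8.6: ..." or "Dir 4.10: ...". Consider changing these five names to "Rule 10.1: ...", "Rule 20.4: ..." and so on instead of renaming the prefix, so that the name reads correctly for cppcheck and coverity users too and any future prefix change is confined to the "eclair" key.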