From nobody Wed May 15 05:54:02 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zohomail.com: domain of lists.xenproject.org designates 192.237.175.120 as permitted sender) client-ip=192.237.175.120; envelope-from=xen-devel-bounces@lists.xenproject.org; helo=lists.xenproject.org; Authentication-Results: mx.zohomail.com; spf=pass (zohomail.com: domain of lists.xenproject.org designates 192.237.175.120 as permitted sender) smtp.mailfrom=xen-devel-bounces@lists.xenproject.org Return-Path: Received: from lists.xenproject.org (lists.xenproject.org [192.237.175.120]) by mx.zohomail.com with SMTPS id 1695808413748495.9901295572438; Wed, 27 Sep 2023 02:53:33 -0700 (PDT) Received: from list by lists.xenproject.org with outflank-mailman.608803.947535 (Exim 4.92) (envelope-from ) id 1qlRE7-0008Nl-40; Wed, 27 Sep 2023 09:53:03 +0000 Received: by outflank-mailman (output) from mailman id 608803.947535; Wed, 27 Sep 2023 09:53:03 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1qlRE7-0008Nd-0c; Wed, 27 Sep 2023 09:53:03 +0000 Received: by outflank-mailman (input) for mailman id 608803; Wed, 27 Sep 2023 09:53:01 +0000 Received: from se1-gles-flk1-in.inumbo.com ([94.247.172.50] helo=se1-gles-flk1.inumbo.com) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1qlRE5-0008Lo-4J for xen-devel@lists.xenproject.org; Wed, 27 Sep 2023 09:53:01 +0000 Received: from support.bugseng.com (mail.bugseng.com [162.55.131.47]) by se1-gles-flk1.inumbo.com (Halon) with ESMTPS id a3c3d07b-5d1b-11ee-9b0d-b553b5be7939; Wed, 27 Sep 2023 11:52:59 +0200 (CEST) Received: from nico.bugseng.com (unknown [147.123.100.131]) by support.bugseng.com (Postfix) with ESMTPSA id 111C04EE073C; Wed, 27 Sep 2023 11:52:56 +0200 (CEST) X-Outflank-Mailman: Message body and most headers restored to incoming version X-BeenThere: xen-devel@lists.xenproject.org List-Id: Xen developer discussion List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-devel-bounces@lists.xenproject.org Precedence: list Sender: "Xen-devel" X-Inumbo-ID: a3c3d07b-5d1b-11ee-9b0d-b553b5be7939 From: Nicola Vetrini To: xen-devel@lists.xenproject.org Cc: sstabellini@kernel.org, michal.orzel@amd.com, xenia.ragiadakou@amd.com, ayan.kumar.halder@amd.com, consulting@bugseng.com, jbeulich@suse.com, andrew.cooper3@citrix.com, roger.pau@citrix.com, Nicola Vetrini , George Dunlap , Julien Grall , Wei Liu , Henry Wang Subject: [XEN PATCH v2 1/3] docs/misra: add documentation skeleton for MISRA C:2012 Dir 4.1 Date: Wed, 27 Sep 2023 11:52:30 +0200 Message-Id: <5bb4dea2f48d0ef9a48a06c1b11c0dfcbd991aaf.1695801813.git.nicola.vetrini@bugseng.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: References: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable X-ZM-MESSAGEID: 1695808415795100001 Content-Type: text/plain; charset="utf-8" The aforementioned directive requires the project to supply documentation on the measures taken towards the minimization of run-time failures. The actual content of the documentation still needs feedback from the community. The 'rules.rst' file is updated accordingly to mention the newly added documentation. Signed-off-by: Nicola Vetrini --- Changes in v2: - Incorporated suggestions from Stefano. --- docs/misra/C-runtime-failures.rst | 200 ++++++++++++++++++++++++++++++ docs/misra/rules.rst | 8 +- 2 files changed, 207 insertions(+), 1 deletion(-) create mode 100644 docs/misra/C-runtime-failures.rst diff --git a/docs/misra/C-runtime-failures.rst b/docs/misra/C-runtime-failu= res.rst new file mode 100644 index 000000000000..325d3fab1fa5 --- /dev/null +++ b/docs/misra/C-runtime-failures.rst @@ -0,0 +1,200 @@ +=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D +Measures taken towards the minimization of Run-time failures in Xen +=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D + +This document specifies which procedures and techinques are used troughout= the +Xen codebase to prevent or minimize the impact of certain classes of run-t= ime +errors that can occurr in the execution of a C program, due to the very mi= nimal +built-in checks that are present in the language. + +The presence of such documentation is requested by MISRA C:2012 Directive = 4.1, +whose headline states: "Run-time failures shall be minimized". + + +Documentation for MISRA C:2012 Dir 4.1: overflow +________________________________________________ + +Pervasive use of assertions and extensive test suite. + + +Documentation for MISRA C:2012 Dir 4.1: unexpected wrapping +___________________________________________________________ + +The only wrapping the is present in the code concerns +unsigned integers and they are all expected. + + +Documentation for MISRA C:2012 Dir 4.1: invalid shift +_____________________________________________________ + +Pervasive use of assertions and extensive test suite. + + +Documentation for MISRA C:2012 Dir 4.1: division/remainder by zero +__________________________________________________________________ + +The division or remainder operations in the project code ensure that +their second argument is never zero. + + +Documentation for MISRA C:2012 Dir 4.1: unsequenced side effects +________________________________________________________________ + +Code executed in interrupt handlers uses spinlocks or disables interrupts +at the right locations to avoid unsequenced side effects. + + +Documentation for MISRA C:2012 Dir 4.1: read from uninitialized automatic = object +__________________________________________________________________________= ______ + +The amount of dynamically allocated objects is limited at runtime in +static configurations. We make sure to initialize dynamically allocated +objects before reading them, and we utilize static analysis tools to +help check for that. + + +Documentation for MISRA C:2012 Dir 4.1: read from uninitialized allocated = object +__________________________________________________________________________= ______ + +Dynamically allocated storage is used in a controlled manner, to prevent t= he +access to uninitialized allocated storage. + + +Documentation for MISRA C:2012 Dir 4.1: write to string literal or const o= bject +__________________________________________________________________________= _____ + +The toolchain puts every string literal and const object into a read-only +section of memory. The hardware exception raised when a write is attempted +on such a memory section is correctly handled. + + +Documentation for MISRA C:2012 Dir 4.1: non-volatile access to volatile ob= ject +__________________________________________________________________________= ____ + +Volatile access is limited to registers that are always accessed +through macros or inline functions, or by limited code chunks that are onl= y used +to access a register. + + +Documentation for MISRA C:2012 Dir 4.1: access to dead allocated object +_______________________________________________________________________ + +Although dynamically allocated storage is used in the project, in safety +configurations its usage is very limited at runtime (it is "almost" only u= sed +at boot time). Coverity is regularly used to scan the code to detect non-f= reed +allocated objects. + + +Documentation for MISRA C:2012 Dir 4.1: access to dead automatic object +_______________________________________________________________________ + +Pointers to automatic variables are never returned, nor stored in +wider-scoped objects. No function does the same on any pointer +received as a parameter. + + +Documentation for MISRA C:2012 Dir 4.1: access to dead thread object +____________________________________________________________________ + +The program does not use per-thread variables. + + +Documentation for MISRA C:2012 Dir 4.1: access using null pointer +_________________________________________________________________ + +All possibly null pointers are checked before access. + + +Documentation for MISRA C:2012 Dir 4.1: access using invalid pointer +____________________________________________________________________ + +Usage of pointers is limited. Pointers passed as parameters are +always checked for validity. + + +Documentation for MISRA C:2012 Dir 4.1: access using out-of-bounds pointer +__________________________________________________________________________ + +Pointers are never used to access arrays without checking for the array si= ze +first. + + +Documentation for MISRA C:2012 Dir 4.1: access using unaligned pointer +______________________________________________________________________ + +Pointer conversion that may result in unaligned pointers are never used. + + +Documentation for MISRA C:2012 Dir 4.1: mistyped access to object +_________________________________________________________________ + +Pointer conversions that may result in mistyped accesses to objects +are never used. + + +Documentation for MISRA C:2012 Dir 4.1: mistyped access to function +___________________________________________________________________ + +The code never uses function pointers. + + +Documentation for MISRA C:2012 Dir 4.1: invalid pointer arithmetic +__________________________________________________________________ + +Pointer arithmetic is never used without checking object boundaries. + + +Documentation for MISRA C:2012 Dir 4.1: invalid pointer comparison +__________________________________________________________________ + +Pointers to different objects are never compared (except for pointers that= are +actually linker symbols, but those cases are deviated with a justification= ). + + +Documentation for MISRA C:2012 Dir 4.1: overlapping copy +________________________________________________________ + +The code never uses memcpy() to copy overlapping objects. The instances of +assignments involving overlapping objects are very limited and motivated. + + +Documentation for MISRA C:2012 Dir 4.1: invalid arguments to function +_____________________________________________________________________ + +Many parameters to functions are checked for validity; there is ongoing wo= rk to +make this true for all parameters. + + +Documentation for MISRA C:2012 Dir 4.1: returned function error +_______________________________________________________________ + +Many functions that may produce an error, do return a suitable status code +that is checked at each call site. There is ongoing work to make this true= for +all such functions. + + +Documentation for MISRA C:2012 Dir 4.1: tainted input +_____________________________________________________ + +All parameters of all functions in the extenal ABI are checked before being +used. + + +Documentation for MISRA C:2012 Dir 4.1: data race +_________________________________________________ + +Data that can be accessed concurrently from multiple threads and code exec= uted +by interrupt handlers is protected using spinlocks and other forms of lock= ing, +as appropriate. + + +Documentation for MISRA C:2012 Dir 4.1: invariant violation +___________________________________________________________ + +To be written. + + +Documentation for MISRA C:2012 Dir 4.1: communication error +___________________________________________________________ + +This project does not involve any external communication. diff --git a/docs/misra/rules.rst b/docs/misra/rules.rst index 8e7d17d242a0..dd71fbe87f43 100644 --- a/docs/misra/rules.rst +++ b/docs/misra/rules.rst @@ -47,7 +47,13 @@ maintainers if you want to suggest a change. * - `Dir 2.1 `_ - Required - All source files shall compile without any compilation errors - - + + * - `Dir 4.1 `_ + - Required + - Run-time failures shall be minimized + - The strategies adopted by Xen to prevent certain classes of runtime + failures is be documented by + `C-runtime-failures.rst `_ =20 * - `Dir 4.7 `_ - Required --=20 2.34.1 From nobody Wed May 15 05:54:02 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zohomail.com: domain of lists.xenproject.org designates 192.237.175.120 as permitted sender) client-ip=192.237.175.120; envelope-from=xen-devel-bounces@lists.xenproject.org; helo=lists.xenproject.org; Authentication-Results: mx.zohomail.com; spf=pass (zohomail.com: domain of lists.xenproject.org designates 192.237.175.120 as permitted sender) smtp.mailfrom=xen-devel-bounces@lists.xenproject.org Return-Path: Received: from lists.xenproject.org (lists.xenproject.org [192.237.175.120]) by mx.zohomail.com with SMTPS id 16958084091483.2891922198676866; Wed, 27 Sep 2023 02:53:29 -0700 (PDT) Received: from list by lists.xenproject.org with outflank-mailman.608805.947549 (Exim 4.92) (envelope-from ) id 1qlRE8-00008N-18; Wed, 27 Sep 2023 09:53:04 +0000 Received: by outflank-mailman (output) from mailman id 608805.947549; Wed, 27 Sep 2023 09:53:03 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1qlRE7-00005b-Np; Wed, 27 Sep 2023 09:53:03 +0000 Received: by outflank-mailman (input) for mailman id 608805; Wed, 27 Sep 2023 09:53:03 +0000 Received: from se1-gles-flk1-in.inumbo.com ([94.247.172.50] helo=se1-gles-flk1.inumbo.com) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1qlRE7-0008Lo-0z for xen-devel@lists.xenproject.org; Wed, 27 Sep 2023 09:53:03 +0000 Received: from support.bugseng.com (mail.bugseng.com [162.55.131.47]) by se1-gles-flk1.inumbo.com (Halon) with ESMTPS id a5138742-5d1b-11ee-9b0d-b553b5be7939; Wed, 27 Sep 2023 11:53:01 +0200 (CEST) Received: from nico.bugseng.com (unknown [147.123.100.131]) by support.bugseng.com (Postfix) with ESMTPSA id 196E64EE073A; Wed, 27 Sep 2023 11:52:58 +0200 (CEST) X-Outflank-Mailman: Message body and most headers restored to incoming version X-BeenThere: xen-devel@lists.xenproject.org List-Id: Xen developer discussion List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-devel-bounces@lists.xenproject.org Precedence: list Sender: "Xen-devel" X-Inumbo-ID: a5138742-5d1b-11ee-9b0d-b553b5be7939 From: Nicola Vetrini To: xen-devel@lists.xenproject.org Cc: sstabellini@kernel.org, michal.orzel@amd.com, xenia.ragiadakou@amd.com, ayan.kumar.halder@amd.com, consulting@bugseng.com, jbeulich@suse.com, andrew.cooper3@citrix.com, roger.pau@citrix.com, Nicola Vetrini , Wei Liu , Anthony PERARD , George Dunlap , Julien Grall , Henry Wang Subject: [XEN PATCH v2 2/3] docs: make the docs for MISRA C:2012 Dir 4.1 visible to ECLAIR Date: Wed, 27 Sep 2023 11:52:31 +0200 Message-Id: <4e25395c844a312556303e3484a915e875e0e5a7.1695801813.git.nicola.vetrini@bugseng.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: References: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable X-ZM-MESSAGEID: 1695808410247100003 Content-Type: text/plain; charset="utf-8" To be able to check for the existence of the necessary subsections in the documentation for MISRA C:2012 Dir 4.1, ECLAIR needs to have a source file that is built. This file is generated from 'C-runtime-failures.rst' in docs/misra and the configuration is updated accordingly. Signed-off-by: Nicola Vetrini Reviewed-by: Anthony PERARD Reviewed-by: Stefano Stabellini --- Changes from RFC: - Dropped unused/useless code - Revised the sed command - Revised the clean target Changes in v2: - Added explanative comment to the makefile - printf instead of echo --- docs/Makefile | 7 ++++++- docs/misra/Makefile | 22 ++++++++++++++++++++++ 2 files changed, 28 insertions(+), 1 deletion(-) create mode 100644 docs/misra/Makefile diff --git a/docs/Makefile b/docs/Makefile index 966a104490ac..ff991a0c3ca2 100644 --- a/docs/Makefile +++ b/docs/Makefile @@ -43,7 +43,7 @@ DOC_PDF :=3D $(patsubst %.pandoc,pdf/%.pdf,$(PANDOCSRC-y= )) \ all: build =20 .PHONY: build -build: html txt pdf man-pages figs +build: html txt pdf man-pages figs misra =20 .PHONY: sphinx-html sphinx-html: @@ -66,9 +66,14 @@ endif .PHONY: pdf pdf: $(DOC_PDF) =20 +.PHONY: misra +misra: + $(MAKE) -C misra + .PHONY: clean clean: clean-man-pages $(MAKE) -C figs clean + $(MAKE) -C misra clean rm -rf .word_count *.aux *.dvi *.bbl *.blg *.glo *.idx *~ rm -rf *.ilg *.log *.ind *.toc *.bak *.tmp core rm -rf html txt pdf sphinx/html diff --git a/docs/misra/Makefile b/docs/misra/Makefile new file mode 100644 index 000000000000..8fd89404e96b --- /dev/null +++ b/docs/misra/Makefile @@ -0,0 +1,22 @@ +TARGETS :=3D C-runtime-failures.o + +all: $(TARGETS) + +# This Makefile will generate the object files indicated in TARGETS by tak= ing +# the corresponding .rst file, converting its content to a C block comment= and +# then compiling the resulting .c file. This is needed for the file's cont= ent to +# be available when performing static analysis with ECLAIR on the project. + +# sed is used in place of cat to prevent occurrences of '*/' +# in the .rst from breaking the compilation +$(TARGETS:.o=3D.c): %.c: %.rst + printf "/*\n\n" > $@.tmp + sed -e 's|\*/|*//*|g' $< >> $@.tmp + printf "\n\n*/" >> $@.tmp + mv $@.tmp $@ + +%.o: %.c + $(CC) -c $< -o $@ + +clean: + rm -f C-runtime-failures.c *.o *.tmp --=20 2.34.1 From nobody Wed May 15 05:54:02 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zohomail.com: domain of lists.xenproject.org designates 192.237.175.120 as permitted sender) client-ip=192.237.175.120; envelope-from=xen-devel-bounces@lists.xenproject.org; helo=lists.xenproject.org; Authentication-Results: mx.zohomail.com; spf=pass (zohomail.com: domain of lists.xenproject.org designates 192.237.175.120 as permitted sender) smtp.mailfrom=xen-devel-bounces@lists.xenproject.org Return-Path: Received: from lists.xenproject.org (lists.xenproject.org [192.237.175.120]) by mx.zohomail.com with SMTPS id 1695808408210391.1598042544159; Wed, 27 Sep 2023 02:53:28 -0700 (PDT) Received: from list by lists.xenproject.org with outflank-mailman.608804.947543 (Exim 4.92) (envelope-from ) id 1qlRE7-0008Ua-Kx; Wed, 27 Sep 2023 09:53:03 +0000 Received: by outflank-mailman (output) from mailman id 608804.947543; Wed, 27 Sep 2023 09:53:03 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1qlRE7-0008Rq-DF; Wed, 27 Sep 2023 09:53:03 +0000 Received: by outflank-mailman (input) for mailman id 608804; Wed, 27 Sep 2023 09:53:02 +0000 Received: from se1-gles-sth1-in.inumbo.com ([159.253.27.254] helo=se1-gles-sth1.inumbo.com) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1qlRE6-0007w0-Fu for xen-devel@lists.xenproject.org; Wed, 27 Sep 2023 09:53:02 +0000 Received: from support.bugseng.com (mail.bugseng.com [162.55.131.47]) by se1-gles-sth1.inumbo.com (Halon) with ESMTPS id a58a12d9-5d1b-11ee-878a-cb3800f73035; Wed, 27 Sep 2023 11:53:01 +0200 (CEST) Received: from nico.bugseng.com (unknown [147.123.100.131]) by support.bugseng.com (Postfix) with ESMTPSA id 1A4824EE0739; Wed, 27 Sep 2023 11:53:01 +0200 (CEST) X-Outflank-Mailman: Message body and most headers restored to incoming version X-BeenThere: xen-devel@lists.xenproject.org List-Id: Xen developer discussion List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-devel-bounces@lists.xenproject.org Precedence: list Sender: "Xen-devel" X-Inumbo-ID: a58a12d9-5d1b-11ee-878a-cb3800f73035 From: Nicola Vetrini To: xen-devel@lists.xenproject.org Cc: sstabellini@kernel.org, michal.orzel@amd.com, xenia.ragiadakou@amd.com, ayan.kumar.halder@amd.com, consulting@bugseng.com, jbeulich@suse.com, andrew.cooper3@citrix.com, roger.pau@citrix.com, Nicola Vetrini , Simone Ballarin , Doug Goldstein , Henry Wang Subject: [XEN PATCH v2 3/3] automation/eclair: build docs/misra to address MISRA C:2012 Dir 4.1 Date: Wed, 27 Sep 2023 11:52:32 +0200 Message-Id: X-Mailer: git-send-email 2.34.1 In-Reply-To: References: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable X-ZM-MESSAGEID: 1695808410627100005 Content-Type: text/plain; charset="utf-8" The documentation pertaining Directive 4.1 is contained in docs/misra. The build script driving the analysis is amended to allow ECLAIR to analyze such file. Signed-off-by: Nicola Vetrini --- Changes in v2: - removed useless make flags --- automation/eclair_analysis/build.sh | 6 +++--- automation/eclair_analysis/prepare.sh | 4 ++-- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/automation/eclair_analysis/build.sh b/automation/eclair_analys= is/build.sh index ec087dd822fa..ea7a1e5a59b0 100755 --- a/automation/eclair_analysis/build.sh +++ b/automation/eclair_analysis/build.sh @@ -34,11 +34,11 @@ else fi =20 ( - cd xen - + make -C docs misra make "-j${PROCESSORS}" "-l${PROCESSORS}.0" \ "CROSS_COMPILE=3D${CROSS_COMPILE}" \ "CC=3D${CROSS_COMPILE}gcc-12" \ "CXX=3D${CROSS_COMPILE}g++-12" \ - "XEN_TARGET_ARCH=3D${XEN_TARGET_ARCH}" + "XEN_TARGET_ARCH=3D${XEN_TARGET_ARCH}" \ + -C xen ) diff --git a/automation/eclair_analysis/prepare.sh b/automation/eclair_anal= ysis/prepare.sh index 0cac5eba00ae..ebd5a2dde676 100755 --- a/automation/eclair_analysis/prepare.sh +++ b/automation/eclair_analysis/prepare.sh @@ -35,8 +35,8 @@ else fi =20 ( - cd xen - cp "${CONFIG_FILE}" .config + ./configure + cp "${CONFIG_FILE}" xen/.config make clean find . -type f -name "*.safparse" -print -delete make -f ${script_dir}/Makefile.prepare prepare --=20 2.34.1