From nobody Sat May 18 11:26:05 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zohomail.com: domain of lists.xenproject.org designates 192.237.175.120 as permitted sender) client-ip=192.237.175.120; envelope-from=xen-devel-bounces@lists.xenproject.org; helo=lists.xenproject.org; Authentication-Results: mx.zohomail.com; spf=pass (zohomail.com: domain of lists.xenproject.org designates 192.237.175.120 as permitted sender) smtp.mailfrom=xen-devel-bounces@lists.xenproject.org Return-Path: Received: from lists.xenproject.org (lists.xenproject.org [192.237.175.120]) by mx.zohomail.com with SMTPS id 169686633440428.25303518005842; Mon, 9 Oct 2023 08:45:34 -0700 (PDT) Received: from list by lists.xenproject.org with outflank-mailman.614402.955446 (Exim 4.92) (envelope-from ) id 1qpsRJ-00038X-NG; Mon, 09 Oct 2023 15:45:01 +0000 Received: by outflank-mailman (output) from mailman id 614402.955446; Mon, 09 Oct 2023 15:45:01 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1qpsRJ-00038P-K5; Mon, 09 Oct 2023 15:45:01 +0000 Received: by outflank-mailman (input) for mailman id 614402; Mon, 09 Oct 2023 15:45:01 +0000 Received: from se1-gles-sth1-in.inumbo.com ([159.253.27.254] helo=se1-gles-sth1.inumbo.com) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1qpsRI-00034W-U5 for xen-devel@lists.xenproject.org; Mon, 09 Oct 2023 15:45:01 +0000 Received: from support.bugseng.com (mail.bugseng.com [162.55.131.47]) by se1-gles-sth1.inumbo.com (Halon) with ESMTPS id cd31f109-66ba-11ee-98d3-6d05b1d4d9a1; Mon, 09 Oct 2023 17:44:59 +0200 (CEST) Received: from nico.bugseng.com (unknown [147.123.100.131]) by support.bugseng.com (Postfix) with ESMTPSA id C1DD64EE0742; Mon, 9 Oct 2023 17:44:57 +0200 (CEST) X-Outflank-Mailman: Message body and most headers restored to incoming version X-BeenThere: xen-devel@lists.xenproject.org List-Id: Xen developer discussion List-Unsubscribe: 
, List-Post: List-Help: List-Subscribe: , Errors-To: xen-devel-bounces@lists.xenproject.org Precedence: list Sender: "Xen-devel" X-Inumbo-ID: cd31f109-66ba-11ee-98d3-6d05b1d4d9a1 From: Nicola Vetrini To: xen-devel@lists.xenproject.org Cc: sstabellini@kernel.org, michal.orzel@amd.com, xenia.ragiadakou@amd.com, ayan.kumar.halder@amd.com, consulting@bugseng.com, jbeulich@suse.com, andrew.cooper3@citrix.com, roger.pau@citrix.com, Simone Ballarin , Doug Goldstein Subject: [XEN PATCH][for-4.19 v2 1/2] automation/eclair: update deviations and accepted guidelines Date: Mon, 9 Oct 2023 17:44:28 +0200 Message-Id: X-Mailer: git-send-email 2.34.1 In-Reply-To: References: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable X-ZM-MESSAGEID: 1696866336616100005 Content-Type: text/plain; charset="utf-8" From: Simone Ballarin Remove deviations for ERROR_EXIT, ERROR_EXIT_DOM and PIN_FAIL: the aforementioned macros have been removed. Add deviation for Rule 2.1 for pure declarations. Remove legacy text-based deviations: these are now implemented with SAF comments. Add deviations for Rules 8.4, 10.1, 13.5, 14.2, 14.3. Remove deviations for guidelines not yet accepted or rejected. Add MC3R1.R11.7, MC3R1.R11.8, MC3R1.R11.9, MC3R1.R15.3 and MC3R1.R14.2 to the accepted guidelines selector. Update clean guidelines selector. Signed-off-by: Simone Ballarin Acked-by: Stefano Stabellini --- .../eclair_analysis/ECLAIR/deviations.ecl | 135 ++++++++---------- automation/eclair_analysis/ECLAIR/tagging.ecl | 4 +- 2 files changed, 64 insertions(+), 75 deletions(-) diff --git a/automation/eclair_analysis/ECLAIR/deviations.ecl b/automation/= eclair_analysis/ECLAIR/deviations.ecl index d8170106b449..fa56e5c00a27 100644 --- a/automation/eclair_analysis/ECLAIR/deviations.ecl +++ b/automation/eclair_analysis/ECLAIR/deviations.ecl 
@@ -15,14 +15,19 @@ Constant expressions and unreachable branches of if and= switch statements are ex -doc_end =20 -doc_begin=3D"Unreachability caused by calls to the following functions or= macros is deliberate and there is no risk of code being unexpectedly left = out." --config=3DMC3R1.R2.1,statements+=3D{deliberate,"macro(name(BUG||assert_fai= led||ERROR_EXIT||ERROR_EXIT_DOM||PIN_FAIL))"} +-config=3DMC3R1.R2.1,statements+=3D{deliberate,"macro(name(BUG||assert_fai= led))"} -config=3DMC3R1.R2.1,statements+=3D{deliberate, "call(decl(name(__builtin_= unreachable||panic||do_unexpected_trap||machine_halt||machine_restart||mayb= e_reboot)))"} -doc_end =20 --doc_begin=3D"Unreachability of an ASSERT_UNREACHABLE() and analogous macr= o calls is deliberate and safe." +-doc_begin=3D"Unreachability inside an ASSERT_UNREACHABLE() and analogous = macro calls is deliberate and safe." -config=3DMC3R1.R2.1,reports+=3D{deliberate, "any_area(any_loc(any_exp(mac= ro(name(ASSERT_UNREACHABLE||PARSE_ERR_RET||PARSE_ERR||FAIL_MSR||FAIL_CPUID)= ))))"} -doc_end =20 +-doc_begin=3D"Pure declarations (i.e., declarations without initialization= ) are +not executable, and therefore it is safe for them to be unreachable." +-config=3DMC3R1.R2.1,ignored_stmts+=3D{"any()", "pure_decl()"} +-doc_end + -doc_begin=3D"Proving compliance with respect to Rule 2.2 is generally imp= ossible: see https://arxiv.org/abs/2212.13933 for details. Moreover, peer review gi= ves us confidence that no evidence of errors in the program's logic has been miss= ed due 
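Review bot: the new Rule 2.1 doc_begin for pure declarations only states that they are not executable; the deviations.rst row added in patch 2/2 of this series also names the motivating pattern (a declaration that must be visible in every clause of a switch statement), and since ignored_stmts+={"any()", "pure_decl()"} applies project-wide, the ECL justification should carry the same explanation so that a reader of deviations.ecl alone understands the scope. Consider also keeping the two texts word-for-word identical, as is done for the other deviations documented in both files.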
@@ -49,35 +54,6 @@ they are not instances of commented-out code." -config=3DMC3R1.D4.3,reports+=3D{disapplied,"!(any_area(any_loc(file(^xen/= arch/arm/arm64/.*$))))"} -doc_end =20 --doc_begin=3D"Depending on the compiler, rewriting the following function-= like -macros as inline functions is not guaranteed to have the same effect." --config=3DMC3R1.D4.9,macros+=3D{deliberate,"name(likely)"} --config=3DMC3R1.D4.9,macros+=3D{deliberate,"name(unlikely)"} --config=3DMC3R1.D4.9,macros+=3D{deliberate,"name(unreachable)"} --doc_end - --doc_begin=3D"These macros can be used on both pointers and unsigned long = type values." --config=3DMC3R1.D4.9,macros+=3D{safe,"name(virt_to_maddr)"} --config=3DMC3R1.D4.9,macros+=3D{safe,"name(virt_to_mfn)"} --doc_end - --doc_begin=3D"Rewriting variadic macros as variadic functions might have a= negative impact on safety." --config=3DMC3R1.D4.9,macros+=3D{deliberate,"variadic()"} --doc_end - --doc_begin=3D"Rewriting macros with arguments that are, in turn, arguments= of -__builtin_constant_p() can change the behavior depending on the optimizati= on -level." --config=3DMC3R1.D4.9,macro_argument_context+=3D"skip_to(class(type||expr||= decl,any), - call(name(__builtin_constant_p= )))" --doc_end - --doc_begin=3D"Function-like macros defined in public headers are meant to = be -usable in C89 mode without any extensions. Hence they cannot be replaced by -inline functions." --config=3DMC3R1.D4.9,macros+=3D{deliberate, "loc(file(api:public))"} --doc_end - -doc_begin=3D"This header file is autogenerated or empty, therefore it pos= es no risk if included more than once." -file_tag+=3D{empty_header, "^xen/arch/arm/efi/runtime\\.h$"} 
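Review bot: the commit message line "Remove deviations for guidelines not yet accepted or rejected" should name the guidelines whose configuration is dropped here and in the following hunks (D4.9 here; R5.5, R9.1 and R18.2 below), because the rationale text for likely/unlikely/unreachable, virt_to_maddr/virt_to_mfn, variadic macros, __builtin_constant_p arguments and public-header macros is not recorded anywhere else in the tree once this lands. Naming them makes the justifications recoverable from history when those guidelines are eventually accepted.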
@@ -105,29 +81,6 @@ conform to the directive." -config=3DMC3R1.R5.3,reports+=3D{safe, "any_area(any_loc(any_exp(macro(^re= ad_debugreg$))&&any_exp(macro(^write_debugreg$))))"} -doc_end =20 --doc_begin=3D"Function-like macros cannot be confused with identifiers tha= t are -neither functions nor pointers to functions." --config=3DMC3R1.R5.5,reports=3D{safe,"all_area(decl(node(enum_decl||record= _decl||field_decl||param_decl||var_decl)&&!type(canonical(address((node(fun= ction||function_no_proto))))))||macro(function_like()))"} --doc_end - --doc_begin=3D"The use of these identifiers for both macro names and other = entities -is deliberate and does not generate developer confusion." --config=3DMC3R1.R5.5,reports+=3D{safe, "any_area(text(^\\s*/\\*\\s+SAF-[0-= 9]+-safe\\s+MC3R1\\.R5\\.5.*$, begin-1))"} --doc_end - --doc_begin=3D"The definition of macros and functions ending in '_bit' that= use the -same identifier in 'bitops.h' is deliberate and safe." --file_tag+=3D{bitops_h, "^xen/arch/x86/include/asm/bitops\\.h$"} --config=3DMC3R1.R5.5,reports+=3D{safe, "all_area((decl(^.*_bit\\(.*$)||mac= ro(^.*_bit$))&&all_loc(file(bitops_h)))"} --doc_end - --doc_begin=3D"The definition of macros and functions beginning in 'str' or= 'mem' -that use the same identifier in 'xen/include/xen/string.h' is deliberate a= nd -safe." --file_tag+=3D{string_h, "^xen/include/xen/string\\.h$"} --config=3DMC3R1.R5.5,reports+=3D{safe, "any_area((decl(^(mem|str).*$)||mac= ro(^(mem|str).*$))&&all_loc(file(string_h)))"} --doc_end - # # Series 7. # 
@@ -156,11 +109,6 @@ particular use of it done in xen_mk_ulong." -config=3DMC3R1.R7.2,reports+=3D{deliberate,"any_area(any_loc(macro(name(B= UILD_BUG_ON))))"} -doc_end =20 --doc_begin=3D"The following string literals are assigned to pointers to non -const-qualified char." --config=3DMC3R1.R7.4,reports+=3D{safe, "any_area(text(^\\s*/\\*\\s+SAF-[0-= 9]+-safe\\s+MC3R1\\.R7\\.4.*$, begin-1))"} --doc_end - -doc_begin=3D"Allow pointers of non-character type as long as the pointee = is const-qualified." -config=3DMC3R1.R7.4,same_pointee=3Dfalse @@ -204,6 +152,17 @@ const-qualified." -config=3DMC3R1.R8.3,reports+=3D{deliberate,"any_area(any_loc(file(adopted= _mpparse_r8_3)))&&any_area(any_loc(file(^xen/arch/x86/include/asm/mpspec\\.= h$)))"} -doc_end =20 +-doc_begin=3D"The definitions present in this file are meant to generate d= efinitions for asm modules, and are not called by C code. Therefore the abs= ence of prior declarations is safe." +-file_tag+=3D{asm_offsets, "^xen/arch/(arm|x86)/(arm32|arm64|x86_64)/asm-o= ffsets\\.c$"} +-config=3DMC3R1.R8.4,reports+=3D{safe, "first_area(any_loc(file(asm_offset= s)))"} +-doc_end + +-doc_begin=3D"The functions defined in this file are meant to be called fr= om gcc-generated code in a non-release build configuration. +Therefore the absence of prior declarations is safe." +-file_tag+=3D{gcov, "^xen/common/coverage/gcov_base\\.c$"} +-config=3DMC3R1.R8.4,reports+=3D{safe, "first_area(any_loc(file(gcov)))"} +-doc_end + -doc_begin=3D"The following variables are compiled in multiple translation= units belonging to different executables and therefore are safe." -config=3DMC3R1.R8.6,declarations+=3D{safe, "name(current_stack_pointer||b= search||sort)"} 
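Review bot: the asm_offsets file_tag regex ^xen/arch/(arm|x86)/(arm32|arm64|x86_64)/asm-offsets\\.c$ is a cross product that also matches paths such as xen/arch/arm/x86_64/asm-offsets.c; harmless, but ^xen/arch/(arm/(arm32|arm64)|x86/x86_64)/asm-offsets\\.c$ states the intent precisely. Note also that the matching deviations.rst row in patch 2/2 describes the R8.4 deviation as covering 'asm-offsets.c' for any architecture, while this tag covers only arm and x86; one of the two should be aligned.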
@@ -222,12 +181,6 @@ definition is compiled-out or optimized-out by the com= piler)" # Series 9. # =20 --doc_begin=3D"The following variables are written before being set, theref= ore no -access to uninitialized memory locations happens, as explained in the devi= ation -comment." --config=3DMC3R1.R9.1,reports+=3D{safe, "any_area(text(^\\s*/\\*\\s+SAF-[0-= 9]+-safe\\s+MC3R1\\.R9\\.1.*$, begin-1))"} --doc_end - -doc_begin=3D"Violations in files that maintainers have asked to not modif= y in the context of R9.1." -file_tag+=3D{adopted_r9_1,"^xen/arch/arm/arm64/lib/find_next_bit\\.c$"} 
@@ -274,22 +227,47 @@ still non-negative." -config=3DMC3R1.R10.1,etypes+=3D{safe, "stmt(operator(logical)||node(condi= tional_operator||binary_conditional_operator))", "dst_type(ebool||boolean)"} -doc_end =20 -### Set 3 ### +-doc_begin=3D"XEN only supports architectures where signed integers are +representend using two's complement and all the XEN developers are aware of +this." +-config=3DMC3R1.R10.1,etypes+=3D{safe, + "stmt(operator(and||or||xor||not||and_assign||or_assign||xor_assign))", + "any()"} +-doc_end + +-doc_begin=3D"See Section \"4.5 Integers\" of \"GCC_MANUAL\", where it say= s that +\"Signed `>>' acts on negative numbers by sign extension. As an extension = to the +C language, GCC does not use the latitude given in C99 and C11 only to tre= at +certain aspects of signed `<<' as undefined. However, -fsanitize=3Dshift (= and +-fsanitize=3Dundefined) will diagnose such cases. They are also diagnosed = where +constant expressions are required.\"" +-config=3DMC3R1.R10.1,etypes+=3D{safe, + "stmt(operator(shl||shr||shl_assign||shr_assign))", + "any()"} +-doc_end =20 # -# Series 18. +# Series 13 # =20 --doc_begin=3D"FIXME: explain why pointer differences involving this macro = are safe." --config=3DMC3R1.R18.2,reports+=3D{safe,"all_area(all_loc(any_exp(macro(^AC= PI_PTR_DIFF$))))"} +-doc_begin=3D"All developers and reviewers can be safely assumed to be wel= l aware +of the short-circuit evaluation strategy of such logical operators." +-config=3DMC3R1.R13.5,reports+=3D{disapplied,"any()"} -doc_end =20 --doc_begin=3D"FIXME: explain why pointer differences involving this macro = are safe." --config=3DMC3R1.R18.2,reports+=3D{safe,"all_area(all_loc(any_exp(macro(^pa= ge_to_mfn$))))"} +# +# Series 14 +# + +-doc_begin=3D"The severe restrictions imposed by this rule on the use of f= or +statements are not balanced by the presumed facilitation of the peer review +activity." 
+-config=3DMC3R1.R14.2,reports+=3D{disapplied,"any()"} -doc_end =20 --doc_begin=3D"FIXME: explain why pointer differences involving this macro = are safe." --config=3DMC3R1.R18.2,reports+=3D{safe,"all_area(all_loc(any_exp(macro(^pa= ge_to_pdx$))))"} +-doc_begin=3D"The XEN team relies on the fact that invariant conditions of= 'if' +statements are deliberate" +-config=3DMC3R1.R14.3,statements=3D{deliberate , "wrapped(any(),node(if_st= mt))" } -doc_end =20 # @@ -306,6 +284,17 @@ in assignments." {safe, "left_right(^[(,\\[]$,^[),\\]]$)"} -doc_end =20 +# +# General +# + +-doc_begin=3D"do-while-0 is a well recognized loop idiom by the xen commun= ity." +-loop_idioms=3D{do_stmt, "literal(0)"} +-doc_end +-doc_begin=3D"while-[01] is a well recognized loop idiom by the xen commun= ity." +-loop_idioms+=3D{while_stmt, "literal(0)||literal(1)"} +-doc_end + # # Developer confusion # diff --git a/automation/eclair_analysis/ECLAIR/tagging.ecl b/automation/ecl= air_analysis/ECLAIR/tagging.ecl index 78a0bc948ba5..e82277fea3c1 100644 --- a/automation/eclair_analysis/ECLAIR/tagging.ecl +++ b/automation/eclair_analysis/ECLAIR/tagging.ecl 
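Review bot: the R14.3 line uses a plain assignment, statements={deliberate , "wrapped(any(),node(if_stmt))" } (shown as =3D in this quoted-printable copy), whereas every other config in this file appends with +=; if a statements selector for MC3R1.R14.3 is set elsewhere this silently replaces it, so statements+= is the safer form unless the overwrite is intended. Smaller points in the same hunk: the spaces around the comma and before the closing brace are inconsistent with the rest of the file, the R14.3 doc text "statements are deliberate" lacks a full stop, and the R10.1 two's-complement doc_begin has the typo "representend" (the same typo is repeated in deviations.rst in patch 2/2).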
@@ -19,7 +19,7 @@ =20 -doc=3D"Accepted guidelines as reported in XEN/docs/misra/rules.rst" -service_selector=3D{accepted_guidelines, - "MC3R1.D1.1||MC3R1.D2.1||MC3R1.D4.1||MC3R1.D4.3||MC3R1.D4.7||MC3R1.D4.= 10||MC3R1.D4.11||MC3R1.D4.14||MC3R1.R1.1||MC3R1.R1.3||MC3R1.R1.4||MC3R1.R2.= 1||MC3R1.R2.2||MC3R1.R2.6||MC3R1.R2.2||MC3R1.R3.1||MC3R1.R3.2||MC3R1.R4.1||= MC3R1.R4.2||MC3R1.R5.1||MC3R1.R5.2||MC3R1.R5.3||MC3R1.R5.4||MC3R1.R5.6||MC3= R1.R6.1||MC3R1.R6.2||MC3R1.R7.1||MC3R1.R7.2||MC3R1.R7.3||MC3R1.R7.4||MC3R1.= R8.1||MC3R1.R8.2||MC3R1.R8.3||MC3R1.R8.4||MC3R1.R8.5||MC3R1.R8.6||MC3R1.R8.= 8||MC3R1.R8.10||MC3R1.R8.12||MC3R1.R8.14||MC3R1.R9.1||MC3R1.R9.2||MC3R1.R9.= 3||MC3R1.R9.4||MC3R1.R9.5||MC3R1.R10.1||MC3R1.R10.2||MC3R1.R10.3||MC3R1.R10= .4||MC3R1.R12.5||MC3R1.R13.6||MC3R1.R13.1||MC3R1.R14.1||MC3R1.R14.3||MC3R1.= R16.7||MC3R1.R17.3||MC3R1.R17.4||MC3R1.R17.6||MC3R1.R18.3||MC3R1.R19.1||MC3= R1.R20.7||MC3R1.R20.13||MC3R1.R20.14||MC3R1.R21.13||MC3R1.R21.17||MC3R1.R21= .18||MC3R1.R21.19||MC3R1.R21.20||MC3R1.R21.21||MC3R1.R22.2||MC3R1.R22.4||MC= 3R1.R22.5||MC3R1.R22.6" + "MC3R1.D1.1||MC3R1.D2.1||MC3R1.D4.1||MC3R1.D4.3||MC3R1.D4.7||MC3R1.D4.= 10||MC3R1.D4.11||MC3R1.D4.14||MC3R1.R1.1||MC3R1.R1.3||MC3R1.R1.4||MC3R1.R2.= 1||MC3R1.R2.2||MC3R1.R2.6||MC3R1.R3.1||MC3R1.R3.2||MC3R1.R4.1||MC3R1.R4.2||= MC3R1.R5.1||MC3R1.R5.2||MC3R1.R5.3||MC3R1.R5.4||MC3R1.R5.6||MC3R1.R6.1||MC3= R1.R6.2||MC3R1.R7.1||MC3R1.R7.2||MC3R1.R7.3||MC3R1.R7.4||MC3R1.R8.1||MC3R1.= R8.2||MC3R1.R8.3||MC3R1.R8.4||MC3R1.R8.5||MC3R1.R8.6||MC3R1.R8.8||MC3R1.R8.= 10||MC3R1.R8.12||MC3R1.R8.14||MC3R1.R9.1||MC3R1.R9.2||MC3R1.R9.3||MC3R1.R9.= 4||MC3R1.R9.5||MC3R1.R10.1||MC3R1.R10.2||MC3R1.R10.3||MC3R1.R10.4||MC3R1.R1= 1.7||MC3R1.R11.8||MC3R1.R11.9||MC3R1.R12.5||MC3R1.R13.1||MC3R1.R13.5||MC3R1= .R13.6||MC3R1.R14.1||MC3R1.R14.2||MC3R1.R14.3||MC3R1.R16.7||MC3R1.R17.3||MC= 3R1.R17.4||MC3R1.R17.6||MC3R1.R18.3||MC3R1.R19.1||MC3R1.R20.7||MC3R1.R20.13= ||MC3R1.R20.14||MC3R1.R21.13||MC3R1.R21.17||MC3R1.R21.18||MC3R1.R21.19||MC3= 
R1.R21.20||MC3R1.R21.21||MC3R1.R22.2||MC3R1.R22.4||MC3R1.R22.5||MC3R1.R22.6" } -doc=3D"All reports of accepted guidelines are tagged as accepted." -reports+=3D{status:accepted,"service(accepted_guidelines)"} 
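Review bot: the commit message says MC3R1.R15.3 is added to the accepted_guidelines selector, but the new selector contains no R15.3; what it actually adds beyond R11.7, R11.8, R11.9 and R14.2 is MC3R1.R13.5, which is consistent with the new R13.5 deviation in deviations.ecl. Either the message or the selector should be corrected. The duplicated MC3R1.R2.2 entry of the old selector is also dropped here, which is worth a mention in the message.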
@@ -30,7 +30,7 @@ =20 -doc_begin=3D"Clean guidelines: new violations for these guidelines are no= t accepted." =20 --service_selector=3D{clean_guidelines_common,"MC3R1.D1.1||MC3R1.D2.1||MC3R= 1.D4.11||MC3R1.D4.14||MC3R1.R1.1||MC3R1.R1.3||MC3R1.R1.4||MC3R1.R2.2||MC3R1= .R3.1||MC3R1.R3.2||MC3R1.R4.1||MC3R1.R5.1||MC3R1.R5.2||MC3R1.R5.4||MC3R1.R6= .1||MC3R1.R6.2||MC3R1.R7.1||MC3R1.R8.1||MC3R1.R8.5||MC3R1.R8.8||MC3R1.R8.10= ||MC3R1.R8.12||MC3R1.R8.14||MC3R1.R9.2||MC3R1.R9.4||MC3R1.R9.5||MC3R1.R12.5= ||MC3R1.R17.3||MC3R1.R17.4||MC3R1.R17.6||MC3R1.R21.13||MC3R1.R21.19||MC3R1.= R21.21||MC3R1.R22.2||MC3R1.R22.4||MC3R1.R22.5||MC3R1.R22.6" +-service_selector=3D{clean_guidelines_common,"MC3R1.D1.1||MC3R1.D2.1||MC3R= 1.D4.11||MC3R1.D4.14||MC3R1.R1.1||MC3R1.R1.3||MC3R1.R1.4||MC3R1.R2.2||MC3R1= .R3.1||MC3R1.R3.2||MC3R1.R4.1||MC3R1.R4.2||MC3R1.R5.1||MC3R1.R5.2||MC3R1.R5= .4||MC3R1.R6.1||MC3R1.R6.2||MC3R1.R7.1||MC3R1.R8.1||MC3R1.R8.5||MC3R1.R8.8|= |MC3R1.R8.10||MC3R1.R8.12||MC3R1.R8.14||MC3R1.R9.2||MC3R1.R9.4||MC3R1.R9.5|= |MC3R1.R12.5||MC3R1.R17.3||MC3R1.R17.4||MC3R1.R17.6||MC3R1.R20.13||MC3R1.R2= 0.14||MC3R1.R21.13||MC3R1.R21.19||MC3R1.R21.21||MC3R1.R22.2||MC3R1.R22.4||M= C3R1.R22.5||MC3R1.R22.6" } =20 -setq=3Dtarget,getenv("XEN_TARGET_ARCH") --=20 2.34.1 From nobody Sat May 18 11:26:05 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zohomail.com: domain of lists.xenproject.org designates 192.237.175.120 as permitted sender) client-ip=192.237.175.120; envelope-from=xen-devel-bounces@lists.xenproject.org; helo=lists.xenproject.org; Authentication-Results: mx.zohomail.com; spf=pass (zohomail.com: domain of lists.xenproject.org designates 192.237.175.120 as permitted sender) smtp.mailfrom=xen-devel-bounces@lists.xenproject.org Return-Path: Received: from lists.xenproject.org (lists.xenproject.org [192.237.175.120]) by mx.zohomail.com with SMTPS id 1696866333435225.2746716480293; Mon, 9 Oct 2023 08:45:33 -0700 (PDT) Received: from list by lists.xenproject.org with 
outflank-mailman.614403.955456 (Exim 4.92) (envelope-from ) id 1qpsRM-0003OZ-VG; Mon, 09 Oct 2023 15:45:04 +0000 Received: by outflank-mailman (output) from mailman id 614403.955456; Mon, 09 Oct 2023 15:45:04 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1qpsRM-0003OQ-Sd; Mon, 09 Oct 2023 15:45:04 +0000 Received: by outflank-mailman (input) for mailman id 614403; Mon, 09 Oct 2023 15:45:03 +0000 Received: from se1-gles-sth1-in.inumbo.com ([159.253.27.254] helo=se1-gles-sth1.inumbo.com) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1qpsRL-00034W-Jm for xen-devel@lists.xenproject.org; Mon, 09 Oct 2023 15:45:03 +0000 Received: from support.bugseng.com (mail.bugseng.com [162.55.131.47]) by se1-gles-sth1.inumbo.com (Halon) with ESMTPS id cf78e4c0-66ba-11ee-98d3-6d05b1d4d9a1; Mon, 09 Oct 2023 17:45:02 +0200 (CEST) Received: from nico.bugseng.com (unknown [147.123.100.131]) by support.bugseng.com (Postfix) with ESMTPSA id 6679A4EE0743; Mon, 9 Oct 2023 17:45:01 +0200 (CEST) X-Outflank-Mailman: Message body and most headers restored to incoming version X-BeenThere: xen-devel@lists.xenproject.org List-Id: Xen developer discussion List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-devel-bounces@lists.xenproject.org Precedence: list Sender: "Xen-devel" X-Inumbo-ID: cf78e4c0-66ba-11ee-98d3-6d05b1d4d9a1 
From: Nicola Vetrini To: xen-devel@lists.xenproject.org Cc: sstabellini@kernel.org, michal.orzel@amd.com, xenia.ragiadakou@amd.com, ayan.kumar.halder@amd.com, consulting@bugseng.com, jbeulich@suse.com, andrew.cooper3@citrix.com, roger.pau@citrix.com, Nicola Vetrini , George Dunlap , Julien Grall , Wei Liu Subject: [XEN PATCH][for-4.19 v2 2/2] docs/misra: add deviations.rst to document additional deviations. Date: Mon, 9 Oct 2023 17:44:29 +0200 Message-Id: X-Mailer: git-send-email 2.34.1 In-Reply-To: References: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable X-ZM-MESSAGEID: 1696866334821100003 Content-Type: text/plain; charset="utf-8" This file contains the deviation that are not marked by a deviation comment, as specified in docs/misra/documenting-violations.rst. Suggested-by: Stefano Stabellini Signed-off-by: Nicola Vetrini --- docs/index.rst | 1 + docs/misra/deviations.rst | 240 ++++++++++++++++++++++++++++++++++++++ docs/misra/rules.rst | 2 +- 3 files changed, 242 insertions(+), 1 deletion(-) create mode 100644 docs/misra/deviations.rst diff --git a/docs/index.rst b/docs/index.rst index 2c47cfa999f2..f3f779f89ce5 100644 --- a/docs/index.rst +++ b/docs/index.rst @@ -63,6 +63,7 @@ Xen hypervisor code. :maxdepth: 2 misra/rules + misra/deviations Miscellanea diff --git a/docs/misra/deviations.rst b/docs/misra/deviations.rst new file mode 100644 index 000000000000..19743e34ce03 --- /dev/null +++ b/docs/misra/deviations.rst 
@@ -0,0 +1,240 @@ +.. SPDX-License-Identifier: CC-BY-4.0 + +MISRA C deviations for Xen +=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D + +The following is the list of MISRA C:2012 deviations for the Xen codebase = that +are not covered by a `SAF-x-safe` or `SAF-x-false-positive-` comment= , as +specified in docs/misra/documenting-violations.rst; the lack of +such comments is usually due to the excessive clutter they would bring to = the +codebase or the impossibility to express such a deviation (e.g., if it's +composed of several conditions). + +Deviations related to MISRA C:2012 Directives: +---------------------------------------------- + +.. list-table:: + :header-rows: 1 + + * - Directive identifier + - Justification + - Notes + + * - D4.3 + - Accepted for the ARM64 codebase + - Tagged as `disapplied` for ECLAIR on any other violation report. + + * - D4.3 + - The inline asm in 'xen/arch/arm/arm64/lib/bitops.c' is tightly coup= led + with the surronding C code that acts as a wrapper, so it has been d= ecided + not to add an additional encapsulation layer. + - Tagged as `deliberate` for ECLAIR. + +Deviations related to MISRA C:2012 Rules: +----------------------------------------- + +.. list-table:: + :header-rows: 1 + + * - Rule identifier + - Justification + - Notes + + * - R2.1 + - The compiler implementation guarantees that the unreachable code is + removed. Constant expressions and unreachable branches of if and sw= itch + statements are expected. + - Tagged as `safe` for ECLAIR. + + * - R2.1 + - Some functions are intended not to be referenced. + - Tagged as `deliberate` for ECLAIR. + + * - R2.1 + - Unreachability caused by calls to the following functions or macros= is + deliberate and there is no risk of code being unexpectedly left out. + - Tagged as `deliberate` for ECLAIR. 
Such macros are: + - BUG + - assert_failed + - __builtin_unreachable + - ASSERT_UNREACHABLE + + * - R2.1 + - Pure declarations, that is, declarations without initializations ar= e not + executable, and therefore it is safe for them to be unreachable. Th= e most + notable example of such a pattern being used in the codebase is tha= t of + a variable declaration that should be available in all the clauses = of a + switch statement. + - ECLAIR has been configured to ignore those statements. + + * - R2.2 + - Proving compliance with respect to Rule 2.2 is generally impossible: + see ``_ for details. Moreover, pe= er + review gives us confidence that no evidence of errors in the progra= m's + logic has been missed due to undetected violations of Rule 2.2, if = any. + Testing on time behavior gives us confidence on the fact that, shou= ld the + program contain dead code that is not removed by the compiler, the + resulting slowdown is negligible. + - Project-wide deviation, tagged as `disapplied` for ECLAIR. + + * - R3.1 + - Comments starting with '/\*' and containing hyperlinks are safe as = they + are not instances of commented-out code. + - Tagged as `safe` for ECLAIR. + + * - R5.3 + - As specified in rules.rst, shadowing due to macros being used as ma= cro + arguments is allowed, as it's deemed not at risk of causing develop= er + confusion. + - Tagged as `safe` for ECLAIR. So far, the following macros are devia= ted: + - READ_SYSREG and WRITE_SYSREG + - max_{t}? and min_{t}? + - read_[bwlq] and read_[bwlq]_relaxed + - per_cpu and this_cpu + - __emulate_2op and __emulate_2op_nobyte + - read_debugreg and write_debugreg + + * - R7.2 + - Violations caused by __HYPERVISOR_VIRT_START are related to the + particular use of it done in xen_mk_ulong. + - Tagged as `deliberate` for ECLAIR. + + * - R7.4 + - Allow pointers of non-character type as long as the pointee is + const-qualified. + - ECLAIR has been configured to ignore these assignments. 
+ + * - R8.3 + - The type ret_t is deliberately used and defined as int or long depe= nding + on the architecture. + - Tagged as `deliberate` for ECLAIR. + + * - R8.3 + - Some files are not subject to respect MISRA rules at + the moment, but some entity from a file in scope is used; therefore + ECLAIR does report a violation, since not all the files involved in= the + violation are excluded from the analysis. + - Tagged as `deliberate` for ECLAIR. Such excluded files are: + - xen/arch/x86/time.c + - xen/arch/x86/acpi/cpu_idle.c + - xen/arch/x86/mpparse.c + - xen/common/bunzip2.c + - xen/common/unlz4.c + - xen/common/unlzma.c + - xen/common/unlzo.c + - xen/common/unxz.c + - xen/common/unzstd.c + + * - R8.4 + - The definitions present in the files 'asm-offsets.c' for any archit= ecture + are used to generate definitions for asm modules, and are not calle= d by + C code. Therefore the absence of prior declarations is safe. + - Tagged as `safe` for ECLAIR. + + * - R8.4 + - The functions defined in the file xen/common/coverage/gcov_base.c a= re + meant to be called from gcc-generated code in a non-release build + configuration. Therefore, the absence of prior declarations is safe. + - Tagged as `safe` for ECLAIR. + + * - R8.6 + - The following variables are compiled in multiple translation units + belonging to different executables and therefore are safe. + + - current_stack_pointer + - bsearch + - sort + - Tagged as `safe` for ECLAIR. + + * - R8.6 + - Declarations without definitions are allowed (specifically when the + definition is compiled-out or optimized-out by the compiler). + - Tagged as `deliberate` in ECLAIR. + + * - R8.10 + - The gnu_inline attribute without static is deliberately allowed. + - Tagged as `deliberate` for ECLAIR. + + * - R9.5 + - The possibility of committing mistakes by specifying an explicit + dimension is higher than omitting the dimension, therefore all such + instances of violations are deviated. 
+ - Project-wide deviation, tagged as `deliberate` for ECLAIR. + + * - R10.1, R10.3, R10.4 + - The value-preserving conversions of integer constants are safe. + - Tagged as `safe` for ECLAIR. + + * - R10.1 + - Shifting non-negative integers to the right is safe. + - Tagged as `safe` for ECLAIR. + + * - R10.1 + - Shifting non-negative integers to the left is safe if the result is= still + non-negative. + - Tagged as `safe` for ECLAIR. + + * - R10.1 + - Bitwise logical operations on non-negative integers are safe. + - Tagged as `safe` for ECLAIR. + + * - R10.1 + - The implicit conversion to Boolean for logical operator arguments is + well-known to all Xen developers to be a comparison with 0. + - Tagged as `safe` for ECLAIR. + + * - R10.1 + - Xen only supports architectures where signed integers are represent= end + using two's complement and all the Xen developers are aware of this= . For + this reason, bitwise operations are safe. + - Tagged as `safe` for ECLAIR. + + * - R10.1 + - Given the assumptions on the toolchain detailed in + docs/misra/C-language-toolchain.rst and the build flags used by the + project, it is deemed safe to use bitwise shift operators. + See automation/eclair_analysis/deviations.ecl for the full explanat= ion. + - Tagged as `safe` for ECLAIR. + + * - R13.5 + - All developers and reviewers can be safely assumed to be well aware= of + the short-circuit evaluation strategy for logical operators. + - Project-wide deviation; tagged as `disapplied` for ECLAIR. + + * - R14.2 + - The severe restrictions imposed by this rule on the use of 'for' + statements are not counterbalanced by the presumed facilitation of = the + peer review activity. + - Project-wide deviation; tagged as `disapplied` for ECLAIR. + + * - R14.3 + - The Xen team relies on the fact that invariant conditions of 'if' + statements are deliberate. + - Project-wide deviation; tagged as `disapplied` for ECLAIR. 
+ + * - R20.7 + - Code violating Rule 20.7 is safe when macro parameters are used: + (1) as function arguments; + (2) as macro arguments; + (3) as array indices; + (4) as lhs in assignments. + - Tagged as `safe` for ECLAIR. + +Other deviations: +----------------- + +.. list-table:: + :header-rows: 1 + + * - Deviation + - Justification + + * - do-while-0 loops + - The do-while-0 is a well-recognized loop idiom used by the Xen comm= unity + and can therefore be used, even though it would cause a number of + violations in some instances. + + * - while-0 and while-1 loops + - while-0 and while-1 are well-recognized loop idioms used by the Xen + community and can therefore be used, even though they would cause a + number of violations in some instances. diff --git a/docs/misra/rules.rst b/docs/misra/rules.rst index 3139ca7ae6dd..6efe66195de3 100644 --- a/docs/misra/rules.rst +++ b/docs/misra/rules.rst @@ -18,7 +18,7 @@ It is possible that in specific circumstances it is best = not to follow a rule because it is not possible or because the alternative leads to better code quality. Those cases are called "deviations". They are permissible as long as they are documented. For details, please refer to -docs/misra/documenting-violations.rst +docs/misra/documenting-violations.rst and docs/misra/deviations.rst Other documentation mechanisms are work-in-progress. -- 2.34.1
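Review bot: the R14.3 row says "Project-wide deviation; tagged as `disapplied` for ECLAIR", but patch 1/2 configures MC3R1.R14.3 with statements={deliberate, "wrapped(any(),node(if_stmt))"}, i.e. a deliberate tag restricted to if statements, so the row should read "Tagged as `deliberate` for ECLAIR" and drop "project-wide". Two further mismatches with deviations.ecl: the R2.1 row lists only BUG, assert_failed, __builtin_unreachable and ASSERT_UNREACHABLE, while the configuration also covers panic, do_unexpected_trap, machine_halt, machine_restart, maybe_reboot, PARSE_ERR_RET, PARSE_ERR, FAIL_MSR and FAIL_CPUID; and the R10.1 shift row points at automation/eclair_analysis/deviations.ecl, whereas the file lives at automation/eclair_analysis/ECLAIR/deviations.ecl. Typos to fix before committing: "surronding" in the second D4.3 row and "representend" in the two's-complement R10.1 row.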