From: Simone Ballarin
To: xen-devel@lists.xenproject.org
Cc: consulting@bugseng.com, Simone Ballarin, Doug Goldstein, Stefano Stabellini
Subject: [XEN PATCH v2 1/3] automation/eclair: tag function calls to address violations of MISRA C:2012 Rule 13.1
Date: Fri, 24 Nov 2023 18:29:41 +0100

Rule 13.1: Initializer lists shall not contain persistent side effects

Invocations of functions in initializer lists cause violations of rule 13.1 if the called functions are not tagged with __attribute_pure__ or __attribute_const__ as they can produce persistent side effects.

Handling these violations with attributes is not always possible: the pure and const attributes may cause unwanted and potentially dangerous optimisations.

To avoid this problem ECLAIR allows using the same attributes in the -call_properties setting. Additionally, it adds the noeffect attribute with the following definition: "like pure but can also read volatile variable not triggering side effects"

This patch tags some functions used in initializer lists to address violations of Rule 13.1.

No functional changes.

Signed-off-by: Simone Ballarin
Acked-by: Stefano Stabellini
---
Changes in v2:
New patch partly based on "xen/arm: address violations of MISRA C:2012 Rule 13.1" and "xen/include: add pure and const attributes". This new patch uses ECL tagging instead of compiler attributes.
---
 .../ECLAIR/call_properties.ecl | 22 +++++++++++++++++++
 1 file changed, 22 insertions(+)
diff --git a/automation/eclair_analysis/ECLAIR/call_properties.ecl b/automa= tion/eclair_analysis/ECLAIR/call_properties.ecl index 3f7794bf8b..c2b2a6182e 100644 --- a/automation/eclair_analysis/ECLAIR/call_properties.ecl +++ b/automation/eclair_analysis/ECLAIR/call_properties.ecl @@ -73,6 +73,17 @@ -call_properties+=3D{"macro(^va_start$)", {"pointee_write(1=3Dalways)", "p= ointee_read(1=3Dnever)", "taken()"}} -call_properties+=3D{"macro(^memcmp$)", {"pointee_write(1..2=3Dnever)", "t= aken()"}} -call_properties+=3D{"macro(^memcpy$)", {"pointee_write(1=3Dalways&&2..=3D= never)", "pointee_read(1=3Dnever&&2..=3Dalways)", "taken()"}} +-call_properties+=3D{"name(get_cpu_info)",{pure}} +-call_properties+=3D{"name(pdx_to_pfn)",{pure}} +-call_properties+=3D{"name(is_pci_passthrough_enabled)",{const}} +-call_properties+=3D{"name(get_cycles)", {"noeffect"}} +-call_properties+=3D{"name(msi_gflags)",{const}} +-call_properties+=3D{"name(hvm_save_size)",{pure}} +-call_properties+=3D{"name(cpu_has)",{pure}} +-call_properties+=3D{"name(boot_cpu_has)",{pure}} +-call_properties+=3D{"name(get_cpu_info)",{pure}} +-call_properties+=3D{"name(put_pte_flags)",{const}} +-call_properties+=3D{"name(is_pv_vcpu)",{pure}} =20 -doc_begin=3D"Property inferred as a consequence of the semantics of devic= e_tree_get_reg" -call_properties+=3D{"name(acquire_static_memory_bank)", {"pointee_write(4= ..=3Dalways)", "pointee_read(4..=3Dnever)", "taken()"}} 
@@ -104,3 +115,14 @@ Furthermore, their uses do initialize the involved var= iables as needed by futher -call_properties+=3D{"macro(^(__)?(raw_)?copy_from_(paddr|guest|compat)(_o= ffset)?$)", {"pointee_write(1=3Dalways)", "pointee_read(1=3Dnever)", "taken= ()"}} -call_properties+=3D{"macro(^(__)?copy_to_(guest|compat)(_offset)?$)", {"p= ointee_write(2=3Dalways)", "pointee_read(2=3Dnever)", "taken()"}} -doc_end + +-doc_begin=3D"Functions generated by build_atomic_read cannot be considere= d pure +since the input pointer is volatile, but they do not produce any persisten= t side +effect." +-call_properties+=3D{"^read_u(8|16|32|64|int)_atomic.*$", {noeffect}} +-doc_end + +-doc_begin=3D"Functions generated by TYPE_SAFE are const." +-call_properties+=3D{"^(mfn|gfn|pfn)_x\\(.*$",{const}} +-call_properties+=3D{"^_(mfn|gfn|pfn)\\(.*$",{const}} +-doc_end --=20 2.34.1
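Review bot: name(get_cpu_info) is tagged {pure} twice in the first hunk of call_properties.ecl (first and ninth added lines); drop the second entry. In the same block the property spelling is inconsistent: get_cycles uses a quoted "noeffect" with a space after the comma, the other new entries use unquoted {pure} and {const}, and the pre-existing entries in the context lines quote every property. Pick one form. These eleven entries also carry no -doc_begin/-doc_end justification, unlike the entries added in the second hunk; since each tag asserts a property of the callee, a short rationale per function or per group would let a later reader re-check the claim when a function body changes.

Review bot: in the second hunk the three new selectors are bare regular expressions (the read_u..._atomic one and the two mfn/gfn/pfn ones), whereas every other selector visible in this file is wrapped in name(...) or macro(...). If the bare form is intended, the doc text should say what string it is matched against (identifier or full declaration); if the match is on the identifier, the trailing .* after _atomic also admits longer names with that prefix, which widens the noeffect claim beyond the functions generated by build_atomic_read.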
From: Simone Ballarin
To: xen-devel@lists.xenproject.org
Cc: consulting@bugseng.com, Simone Ballarin, Andrew Cooper, George Dunlap, Jan Beulich, Julien Grall, Stefano Stabellini, Wei Liu, Bertrand Marquis, Michal Orzel, Volodymyr Babchuk, Roger Pau Monné, Dario Faggioli
Subject: [XEN PATCH v2 2/3] xen/arm: add SAF deviation for debugging and logging effects
Date: Fri, 24 Nov 2023 18:29:42 +0100
Message-Id: <761ce615438312ca5d37fb8829a0ba903375392f.1700844359.git.simone.ballarin@bugseng.com>

Rule 13.1: Initializer lists shall not contain persistent side effects

Effects caused by debug/logging macros and functions (like ASSERT, __bad_atomic_size, LOG, etc ...) that crash execution or produce logs are not dangerous in initializer lists. The evaluation order in abnormal conditions is not relevant. Evaluation order of logging effects is always safe.

This patch deviates violations using SAF commits caused by debug/logging macros and functions.

Asm volatile statements in initializer lists that do not perform any persistent side effect are safe: this patch deviates violations caused by uses of the current macro (that contains an asm volatile) in initializer lists.

No functional changes.

Signed-off-by: Simone Ballarin
---
Changes in v2:
New patch based on the discussion for "xen/arm: address violations of MISRA C:2012 Rule 13.1".
---
 docs/misra/safe.json | 16 ++++++++++++++++
 xen/arch/arm/device.c | 1 +
 xen/arch/arm/guestcopy.c | 4 ++++
 xen/arch/x86/hvm/hvm.c | 1 +
 xen/common/sched/core.c | 3 +++
 5 files changed, 25 insertions(+)
diff --git a/docs/misra/safe.json b/docs/misra/safe.json index 952324f85c..69ab526084 100644 --- a/docs/misra/safe.json +++ b/docs/misra/safe.json
@@ -28,6 +28,22 @@ }, { "id": "SAF-3-safe", + "analyser": { + "eclair": "MC3R1.R13.1" + }, + "name": "MC3R1.R13.1: effects for debugging and logging", + "text": "Effects for debugging and loggings reasons that crash= execution or produce logs are allowed in initializer lists. The evaluation= order in abnormal conditions is not relevant." + }, + { + "id": "SAF-4-safe", + "analyser": { + "eclair": "MC3R1.R13.1" + }, + "name": "MC3R1.R13.1: volatile asm statements that do not perf= orm any persistent side effect", + "text": "Volatile asm statements in an initializer list if do = not perform persistent side effects are safe." + }, + { + "id": "SAF-5-safe", "analyser": {}, "name": "Sentinel", "text": "Next ID to be used" diff --git a/xen/arch/arm/device.c b/xen/arch/arm/device.c index 1f631d3274..fa331f164d 100644 --- a/xen/arch/arm/device.c +++ b/xen/arch/arm/device.c @@ -331,6 +331,7 @@ int handle_device(struct domain *d, struct dt_device_no= de *dev, p2m_type_t p2mt, .p2mt =3D p2mt, .skip_mapping =3D !own_device || (is_pci_passthrough_enabled() && + /* SAF-3-safe effects for debugging/logging reason= s are safe */ (device_get_class(dev) =3D=3D DEVICE_PCI_HOSTBRIDG= E)), .iomem_ranges =3D iomem_ranges, .irq_ranges =3D irq_ranges diff --git a/xen/arch/arm/guestcopy.c b/xen/arch/arm/guestcopy.c index 6716b03561..31b809ea08 100644 --- a/xen/arch/arm/guestcopy.c +++ b/xen/arch/arm/guestcopy.c 
@@ -110,18 +110,21 @@ static unsigned long copy_guest(void *buf, uint64_t a= ddr, unsigned int len, unsigned long raw_copy_to_guest(void *to, const void *from, unsigned int l= en) { return copy_guest((void *)from, (vaddr_t)to, len, + /* SAF-4-safe No persistent side effects */ GVA_INFO(current), COPY_to_guest | COPY_linear); } =20 unsigned long raw_copy_to_guest_flush_dcache(void *to, const void *from, unsigned int len) { + /* SAF-4-safe No persistent side effects */ return copy_guest((void *)from, (vaddr_t)to, len, GVA_INFO(current), COPY_to_guest | COPY_flush_dcache | COPY_linear); } =20 unsigned long raw_clear_guest(void *to, unsigned int len) { + /* SAF-4-safe No persistent side effects */ return copy_guest(NULL, (vaddr_t)to, len, GVA_INFO(current), COPY_to_guest | COPY_linear); } @@ -129,6 +132,7 @@ unsigned long raw_clear_guest(void *to, unsigned int le= n) unsigned long raw_copy_from_guest(void *to, const void __user *from, unsigned int len) { + /* SAF-4-safe No persistent side effects */ return copy_guest(to, (vaddr_t)from, len, GVA_INFO(current), COPY_from_guest | COPY_linear); } diff --git a/xen/arch/x86/hvm/hvm.c b/xen/arch/x86/hvm/hvm.c index 35a30df3b1..24fd02b363 100644 --- a/xen/arch/x86/hvm/hvm.c +++ b/xen/arch/x86/hvm/hvm.c @@ -1700,6 +1700,7 @@ void hvm_hlt(unsigned int eflags) =20 do_sched_op(SCHEDOP_block, guest_handle_from_ptr(NULL, void)); =20 + /* SAF-3-safe effects for debugging/logging reasons are safe */ HVMTRACE_1D(HLT, /* pending =3D */ vcpu_runnable(curr)); } =20 diff --git a/xen/common/sched/core.c b/xen/common/sched/core.c index eba0cea4bb..b1b94c8689 100644 --- a/xen/common/sched/core.c +++ b/xen/common/sched/core.c @@ -1517,6 +1517,7 @@ long vcpu_yield(void) =20 SCHED_STAT_CRANK(vcpu_yield); =20 + /* SAF-4-safe No persistent side effects */ TRACE_2D(TRC_SCHED_YIELD, current->domain->domain_id, current->vcpu_id= ); raise_softirq(SCHEDULE_SOFTIRQ); return 0; 
@@ -1895,6 +1896,7 @@ ret_t do_sched_op(int cmd, XEN_GUEST_HANDLE_PARAM(voi= d) arg) if ( copy_from_guest(&sched_shutdown, arg, 1) ) break; =20 + /* SAF-4-safe No persistent side effects */ TRACE_3D(TRC_SCHED_SHUTDOWN, current->domain->domain_id, current->vcpu_id, sched_shutdown.reason); 
@@ -1912,6 +1914,7 @@ ret_t do_sched_op(int cmd, XEN_GUEST_HANDLE_PARAM(voi= d) arg) if ( copy_from_guest(&sched_shutdown, arg, 1) ) break; =20 + /* SAF-4-safe No persistent side effects */ TRACE_3D(TRC_SCHED_SHUTDOWN_CODE, d->domain_id, current->vcpu_id, sched_shutdown.reason); =20 --=20 2.34.1
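Review bot: in xen/arch/arm/guestcopy.c the SAF-4-safe comment in raw_copy_to_guest() sits inside the argument list, directly before GVA_INFO(current), while the other three functions in the same file place it before the return statement. Use one placement so it is unambiguous which line the deviation covers. The same question applies to the device.c hunk, where the SAF-3-safe comment is inserted between the two operands of && inside the .skip_mapping initializer.

Review bot: the three xen/common/sched/core.c hunks tag TRACE_2D/TRACE_3D calls as SAF-4-safe ("No persistent side effects"), while the hvm.c hunk tags HVMTRACE_1D as SAF-3-safe (debugging/logging). All four are trace calls; if the sched ones are deviated because of the current macro and the hvm one because of tracing, say so in the comments, otherwise use the same ID. The subject prefix is "xen/arm:" although the patch also touches xen/arch/x86/hvm/hvm.c and xen/common/sched/core.c.

Review bot: the new "text" fields in docs/misra/safe.json need a wording pass ("debugging and loggings reasons"; "Volatile asm statements in an initializer list if do not perform persistent side effects are safe."). Because this file is the recorded justification for each deviation, the SAF-4 text should also say how the absence of persistent side effects is established for a given asm statement, so the tag is not applied to asm blocks that do write state.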
From: Simone Ballarin
To: xen-devel@lists.xenproject.org
Cc: consulting@bugseng.com, Simone Ballarin, Andrew Cooper, George Dunlap, Jan Beulich, Julien Grall, Stefano Stabellini, Wei Liu, Maria Celeste Cesario
Subject: [XEN PATCH v2 3/3] xen: address violations of MISRA C:2012 Rule 13.1
Date: Fri, 24 Nov 2023 18:29:43 +0100
Message-Id: <771a6f804f4e7dda3897359b57d1d14c2878ea16.1700844359.git.simone.ballarin@bugseng.com>

Rule 13.1: Initializer lists shall not contain persistent side effects

The assignment operation in:

.irq = rc = uart->irq,

is a persistent side effect in a struct initializer list.

This patch avoids rc assignment and directly uses uart->irq in the following if statement.

No functional changes.

Signed-off-by: Maria Celeste Cesario
Signed-off-by: Simone Ballarin
---
Changes in v2:
- avoid assignment of rc;
- drop changes in vcpu_yield(void).
---
 xen/drivers/char/ns16550.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/xen/drivers/char/ns16550.c b/xen/drivers/char/ns16550.c index ddf2a48be6..644a3192bb 100644 --- a/xen/drivers/char/ns16550.c +++ b/xen/drivers/char/ns16550.c
@@ -445,11 +445,13 @@ static void __init cf_check ns16550_init_postirq(stru= ct serial_port *port) struct msi_info msi =3D { .sbdf =3D PCI_SBDF(0, uart->ps_bdf[0], uart->ps_bdf[1], uart->ps_bdf[2]), - .irq =3D rc =3D uart->irq, + .irq =3D uart->irq, .entry_nr =3D 1 }; =20 - if ( rc > 0 ) + rc =3D 0; + + if ( uart->irq > 0 ) { struct msi_desc *msi_desc =3D NULL; =20 --=20 2.34.1
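Review bot: the added "rc = 0;" before "if ( uart->irq > 0 )" changes the value rc holds from this point on: before the patch rc was uart->irq on both paths, now it is 0. The commit message says "No functional changes" and that the patch "avoids rc assignment", so please confirm that nothing after the initializer reads rc before it is reassigned (the rest of the function is not visible in this hunk). If the assignment is only there to keep rc initialised, say so in the commit message; if it is not needed, drop it.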