From: Maria Celeste Cesario <maria.celeste.cesario@bugseng.com>
The xen sources contain violations of MISRA C:2012 Rule 11.8 whose
headline states:
"A conversion shall not remove any const, volatile or _Atomic qualification
from the type pointed to by a pointer".
The macro 'container_of' violates the Rule because it casts away any
qualifier to do pointer arithmetic, but making the macro definition compliant
would add additional complexity, therefore a deviation is introduced.
Signed-off-by: Maria Celeste Cesario <maria.celeste.cesario@bugseng.com>
Signed-off-by: Simone Ballarin <simone.ballarin@bugseng.com>
---
Changes in v2:
- remove deviation for function ERR_CAST;
container_of: Fixing this violation would require the declaration of a new
macro taking advantage of the return value of the ternary operator ?: :
its return value preserves qualifiers present on both expressions, hence
returning void* or qualified void* depending on pointer type, like in this macro:
'#define same_constness_void_ptr(ptr) ((typeof((false ? (void*) 1 : (ptr)))) (ptr))'
The result could then be used with a Generic to avoid the cast.
---
automation/eclair_analysis/ECLAIR/deviations.ecl | 7 +++++++
docs/misra/deviations.rst | 7 +++++++
2 files changed, 14 insertions(+)
diff --git a/automation/eclair_analysis/ECLAIR/deviations.ecl b/automation/eclair_analysis/ECLAIR/deviations.ecl
index 683f2bbfe8..1515378ff1 100644
--- a/automation/eclair_analysis/ECLAIR/deviations.ecl
+++ b/automation/eclair_analysis/ECLAIR/deviations.ecl
@@ -292,6 +292,13 @@ constant expressions are required.\""
# Series 11
#
+-doc_begin="Violations caused by container_of are due to pointer arithmetic operations
+with the provided offset. The resulting pointer is then immediately cast back to its
+original type, which preserves the qualifier. This use is deemed safe.
+Fixing this violation would require to increase code complexity and lower readability."
+-config=MC3R1.R11.8,reports+={safe,"any_area(any_loc(any_exp(macro(^container_of$))))"}
+-doc_end
+
-doc_begin="This construct is used to check if the type is scalar, and for this purpose the use of 0 as a null pointer constant is deliberate."
-config=MC3R1.R11.9,reports+={deliberate, "any_area(any_loc(any_exp(macro(^__ACCESS_ONCE$))))"
}
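Review bot: the selector in the added -config line, any_exp(macro(^container_of$)), tags every Rule 11.8 report inside any container_of expansion as safe, but the rationale above it rests on the result being "immediately cast back to its original type, which preserves the qualifier". container_of casts to the type named at the call site, so that only holds when the caller passes a type carrying the same qualifier as the pointer; a call that names an unqualified type for a const pointer would be silenced too. Suggest stating that requirement in the -doc_begin text, or saying explicitly that call sites are expected to keep the qualifier in the type argument.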
diff --git a/docs/misra/deviations.rst b/docs/misra/deviations.rst
index eda3c8100c..ccf6e90e87 100644
--- a/docs/misra/deviations.rst
+++ b/docs/misra/deviations.rst
@@ -248,6 +248,13 @@ Deviations related to MISRA C:2012 Rules:
If no bits are set, 0 is returned.
- Tagged as `safe` for ECLAIR.
+ * - R11.8
+ - Violations caused by container_of are due to pointer arithmetic operations
+ with the provided offset. The resulting pointer is then immediately cast back to its
+ original type, which preserves the qualifier. This use is deemed safe.
+ Fixing this violation would require to increase code complexity and lower readability.
+ - Tagged as `safe` for ECLAIR.
+
* - R11.9
- __ACCESS_ONCE uses an integer, which happens to be zero, as a
compile time check. The typecheck uses a cast. The usage of zero or other
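Review bot: the added R11.8 entry says "Fixing this violation would require to increase code complexity and lower readability" without naming the fix that was considered; the ?: based same_constness_void_ptr macro combined with _Generic is described only below the "---" marker, which "git am" drops, so that reasoning will not reach the tree. Suggest one sentence in the entry (or in the commit message proper) naming the alternative, and rewording to "would require increasing code complexity and would lower readability".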
--
2.40.0
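The qualifier-preserving approach sketched in the v2 notes of the message above, shown as an added example that is not part of the patch or of Xen's code. The types, the step_back helpers, container_of_q and points_to_const are hypothetical names; the block assumes GNU __typeof__, handles const only, and has not been checked against ECLAIR.

```c
#include <stddef.h>

/* Constructed types for the demo; not Xen's. */
struct list_node { struct list_node *next; };
struct owner { int id; struct list_node node; };

/* Conventional shape: the char * cast and the result cast both ignore
 * whatever qualifier ptr carried (what Rule 11.8 reports). */
#define container_of(ptr, type, member) \
    ((type *)((char *)(ptr) - offsetof(type, member)))

/* Macro from the patch notes, with 0 for false and GNU __typeof__.
 * (void *)1 is not a null pointer constant, so ?: yields a void pointer
 * that carries the qualifiers of ptr's pointee. */
#define same_constness_void_ptr(ptr) \
    ((__typeof__(0 ? (void *)1 : (ptr)))(ptr))

/* Hypothetical helpers: the byte arithmetic, one per qualifier. */
static inline const void *step_back_c(const void *p, size_t off)
{ return (const char *)p - off; }
static inline void *step_back(void *p, size_t off)
{ return (char *)p - off; }

/* _Generic picks the helper from the qualified void type; ptr itself is
 * passed uncast, so a const pointer can only come back as const void *. */
#define container_of_q(ptr, type, member) \
    _Generic(same_constness_void_ptr(ptr), \
             const void *: step_back_c, void *: step_back) \
        ((ptr), offsetof(type, member))

/* 1 if expression e points to const, 0 if to an unqualified type. */
#define points_to_const(e) \
    _Generic(same_constness_void_ptr(e), const void *: 1, void *: 0)

static const struct owner ro = { 7, { NULL } };
static struct owner rw = { 9, { NULL } };

int plain_on_const(void)    /* const silently dropped */
{ return points_to_const(container_of(&ro.node, struct owner, node)); }
int generic_on_const(void)  /* const kept */
{ return points_to_const(container_of_q(&ro.node, struct owner, node)); }
int recovered_id(void)
{
    const struct owner *o = container_of_q(&ro.node, struct owner, node);
    return o->id;
}
int mutable_id(void)
{
    struct owner *o = container_of_q(&rw.node, struct owner, node);
    o->id = 11; return rw.id;
}
```

Assigning container_of_q(&ro.node, ...) to a plain 'struct owner *' draws a discarded-qualifiers diagnostic, which the conventional macro never does.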
On 19.12.2023 12:05, Simone Ballarin wrote:
> --- a/docs/misra/deviations.rst
> +++ b/docs/misra/deviations.rst
> @@ -248,6 +248,13 @@ Deviations related to MISRA C:2012 Rules:
> If no bits are set, 0 is returned.
> - Tagged as `safe` for ECLAIR.
>
> + * - R11.8
> + - Violations caused by container_of are due to pointer arithmetic operations
> + with the provided offset. The resulting pointer is then immediately cast back to its
> + original type, which preserves the qualifier. This use is deemed safe.
> + Fixing this violation would require to increase code complexity and lower readability.
> + - Tagged as `safe` for ECLAIR.
> +

Going forward can you please avoid adding trailing whitespace. "git am"
doesn't really like that, and hence it requires extra steps to clean up.

Jan
On 2023-12-20 11:50, Jan Beulich wrote:
> On 19.12.2023 12:05, Simone Ballarin wrote:
>> --- a/docs/misra/deviations.rst
>> +++ b/docs/misra/deviations.rst
>> @@ -248,6 +248,13 @@ Deviations related to MISRA C:2012 Rules:
>> If no bits are set, 0 is returned.
>> - Tagged as `safe` for ECLAIR.
>>
>> + * - R11.8
>> + - Violations caused by container_of are due to pointer
>> arithmetic operations
>> + with the provided offset. The resulting pointer is then
>> immediately cast back to its
>> + original type, which preserves the qualifier. This use is
>> deemed safe.
>> + Fixing this violation would require to increase code
>> complexity and lower readability.
>> + - Tagged as `safe` for ECLAIR.
>> +
>
> Going forward can you please avoid adding trailing whitespace. "git am"
> doesn't really like that, and hence it requires extra steps to clean
> up.
>
> Jan

Noted, sorry for the inconvenience.

--
Nicola Vetrini, BSc
Software Engineer, BUGSENG srl (https://bugseng.com)
On Tue, 19 Dec 2023, Simone Ballarin wrote:
> From: Maria Celeste Cesario <maria.celeste.cesario@bugseng.com>
>
> The xen sources contain violations of MISRA C:2012 Rule 11.8 whose
> headline states:
> "A conversion shall not remove any const, volatile or _Atomic qualification
> from the type pointed to by a pointer".
>
> The macro 'container_of' violates the Rule because it casts away any
> qualifier to do pointer arithmetic, but making the macro definition compliant
> would add additional complexity, therefore a deviation is introduced.
>
> Signed-off-by: Maria Celeste Cesario <maria.celeste.cesario@bugseng.com>
> Signed-off-by: Simone Ballarin <simone.ballarin@bugseng.com>

Reviewed-by: Stefano Stabellini <sstabellini@kernel.org>