Add defensive code in unreachable program points.
This also meets the requirements to deviate a violation of MISRA C:2012
Rule 16.3: "An unconditional `break' statement shall terminate every
switch-clause".

Signed-off-by: Federico Serafini <federico.serafini@bugseng.com>
---
 xen/drivers/vpci/msix.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/xen/drivers/vpci/msix.c b/xen/drivers/vpci/msix.c
index fbe710ab92..037f9a0449 100644
--- a/xen/drivers/vpci/msix.c
+++ b/xen/drivers/vpci/msix.c
@@ -364,6 +364,8 @@ static int adjacent_read(const struct domain *d, const struct vpci_msix *msix,
 
     default:
         ASSERT_UNREACHABLE();
+        spin_unlock(&vpci->lock);
+        return X86EMUL_UNHANDLEABLE;
     }
     spin_unlock(&vpci->lock);
 
@@ -512,6 +514,8 @@ static int adjacent_write(const struct domain *d, const struct vpci_msix *msix,
 
     default:
         ASSERT_UNREACHABLE();
+        spin_unlock(&vpci->lock);
+        return X86EMUL_UNHANDLEABLE;
     }
     spin_unlock(&vpci->lock);
 
-- 
2.34.1

On 10.09.2024 12:09, Federico Serafini wrote:
> --- a/xen/drivers/vpci/msix.c
> +++ b/xen/drivers/vpci/msix.c
> @@ -364,6 +364,8 @@ static int adjacent_read(const struct domain *d, const struct vpci_msix *msix,
>  
>      default:
>          ASSERT_UNREACHABLE();
> +        spin_unlock(&vpci->lock);
> +        return X86EMUL_UNHANDLEABLE;
>      }
>      spin_unlock(&vpci->lock);
>  
> @@ -512,6 +514,8 @@ static int adjacent_write(const struct domain *d, const struct vpci_msix *msix,
>  
>      default:
>          ASSERT_UNREACHABLE();
> +        spin_unlock(&vpci->lock);
> +        return X86EMUL_UNHANDLEABLE;
>      }
>      spin_unlock(&vpci->lock);

Both functions only ever return X86EMUL_OKAY right now. I expect your
change wants to be simple "break" insertions, yet I wonder why these
functions aren't returning void then.

Jan