1. Patchew
  2. Xen
  3. View series

[XEN PATCH] xen: rework deviation to address varargs MISRA violations

Nicola Vetrini posted 1 patch 6 days, 20 hours ago 
automation/eclair_analysis/ECLAIR/deviations.ecl | 12 +++++-------
docs/misra/deviations.rst                        |  4 ++--
xen/common/libelf/libelf-private.h               |  4 +++-
xen/drivers/char/console.c                       |  4 +++-
4 files changed, 13 insertions(+), 11 deletions(-)
[XEN PATCH] xen: rework deviation to address varargs MISRA violations
Posted by Nicola Vetrini 6 days, 20 hours ago 
MISRA C Rule 17.1 prohibits the use of the features that support
variadic functions. Make the deviation already in place for controlled
use of such features more general, relying on the presence of the
`format' attribute on the function declaration.

Add attributes where missing in order to avoid special-casing
certain functions that use variadic arguments.

Signed-off-by: Nicola Vetrini <nicola.vetrini@bugseng.com>
---
CI pipeline: https://gitlab.com/xen-project/people/bugseng/xen/-/pipelines/2239414827
---
 automation/eclair_analysis/ECLAIR/deviations.ecl | 12 +++++-------
 docs/misra/deviations.rst                        |  4 ++--
 xen/common/libelf/libelf-private.h               |  4 +++-
 xen/drivers/char/console.c                       |  4 +++-
 4 files changed, 13 insertions(+), 11 deletions(-)

diff --git a/automation/eclair_analysis/ECLAIR/deviations.ecl b/automation/eclair_analysis/ECLAIR/deviations.ecl
index 219ba6993b90..7dee4a488d45 100644
--- a/automation/eclair_analysis/ECLAIR/deviations.ecl
+++ b/automation/eclair_analysis/ECLAIR/deviations.ecl
@@ -570,13 +570,11 @@ safe."
 # Series 17.
 #
 
--doc_begin="printf()-like functions are allowed to use the variadic features provided by stdarg.h."
--config=MC3A2.R17.1,reports+={deliberate,"any_area(^.*va_list.*$&&context(ancestor_or_self(^.*printk\\(.*\\)$)))"}
--config=MC3A2.R17.1,reports+={deliberate,"any_area(^.*va_list.*$&&context(ancestor_or_self(^.*printf\\(.*\\)$)))"}
--config=MC3A2.R17.1,reports+={deliberate,"any_area(^.*va_list.*$&&context(ancestor_or_self(name(panic)&&kind(function))))"}
--config=MC3A2.R17.1,reports+={deliberate,"any_area(^.*va_list.*$&&context(ancestor_or_self(name(elf_call_log_callback)&&kind(function))))"}
--config=MC3A2.R17.1,reports+={deliberate,"any_area(^.*va_list.*$&&context(ancestor_or_self(name(vprintk_common)&&kind(function))))"}
--config=MC3A2.R17.1,macros+={hide , "^va_(arg|start|copy|end)$"}
+-doc_begin="printf()-like or scanf()-like functions are allowed to use the variadic features provided by stdarg.h,
+provided that they are declared using the `format' attribute."
+-decl_selector+={format_attr, "property(format)"}
+-config=MC3A2.R17.1,reports+={deliberate, "any_area(^.*va_list.*$&&context(ancestor_or_self(format_attr)))"}
+-config=MC3A2.R17.1,macros+={deliberate , "^va_(arg|start|copy|end)$"}
 -doc_end
 
 -doc_begin="Not using the return value of a function does not endanger safety if it coincides with an actual argument."
diff --git a/docs/misra/deviations.rst b/docs/misra/deviations.rst
index b3431ef24e26..584907b048ec 100644
--- a/docs/misra/deviations.rst
+++ b/docs/misra/deviations.rst
@@ -570,8 +570,8 @@ Deviations related to MISRA C:2012 Rules:
      - Tagged as `deliberate` for ECLAIR.
 
    * - R17.1
-     - printf()-like functions  are allowed to use the variadic features provided
-       by `stdarg.h`.
+     - printf()-like or scanf()-like functions are allowed to use the variadic
+       features provided by `stdarg.h`.
      - Tagged as `deliberate` for ECLAIR.
 
    * - R17.7
diff --git a/xen/common/libelf/libelf-private.h b/xen/common/libelf/libelf-private.h
index e5c9cc109972..239d000f49d1 100644
--- a/xen/common/libelf/libelf-private.h
+++ b/xen/common/libelf/libelf-private.h
@@ -84,7 +84,9 @@
 #define elf_err(elf, fmt, args ... )                    \
     elf_call_log_callback(elf, 1, fmt , ## args );
 
-void elf_call_log_callback(struct elf_binary*, bool iserr, const char *fmt,...);
+void
+__attribute__ ((format (printf, 3, 4)))
+elf_call_log_callback(struct elf_binary*, bool iserr, const char *fmt, ...);
 
 #define safe_strcpy(d,s)                        \
 do { strncpy((d),(s),sizeof((d))-1);            \
diff --git a/xen/drivers/char/console.c b/xen/drivers/char/console.c
index a99605103552..2bdb4d5fb417 100644
--- a/xen/drivers/char/console.c
+++ b/xen/drivers/char/console.c
@@ -969,7 +969,9 @@ static void printk_start_of_line(const char *prefix)
     __putstr(tstr);
 }
 
-static void vprintk_common(const char *fmt, va_list args, const char *prefix)
+static void
+__attribute__ ((format (printf, 1, 0)))
+vprintk_common(const char *fmt, va_list args, const char *prefix)
 {
     struct vps {
         bool continued, do_print;
-- 
2.43.0
Re: [XEN PATCH] xen: rework deviation to address varargs MISRA violations
Posted by Jan Beulich 1 day, 17 hours ago 
On 31.12.2025 12:22, Nicola Vetrini wrote:
> --- a/xen/common/libelf/libelf-private.h
> +++ b/xen/common/libelf/libelf-private.h
> @@ -84,7 +84,9 @@
>  #define elf_err(elf, fmt, args ... )                    \
>      elf_call_log_callback(elf, 1, fmt , ## args );
>  
> -void elf_call_log_callback(struct elf_binary*, bool iserr, const char *fmt,...);
> +void
> +__attribute__ ((format (printf, 3, 4)))
> +elf_call_log_callback(struct elf_binary*, bool iserr, const char *fmt, ...);

Just one tiny, nit-like request here: If already you touch this, can the
missing blank ahead of the first * please also be added at this occasion?

Jan
Re: [XEN PATCH] xen: rework deviation to address varargs MISRA violations
Posted by Andrew Cooper 1 day, 17 hours ago 
On 05/01/2026 2:55 pm, Jan Beulich wrote:
> On 31.12.2025 12:22, Nicola Vetrini wrote:
>> --- a/xen/common/libelf/libelf-private.h
>> +++ b/xen/common/libelf/libelf-private.h
>> @@ -84,7 +84,9 @@
>>  #define elf_err(elf, fmt, args ... )                    \
>>      elf_call_log_callback(elf, 1, fmt , ## args );
>>  
>> -void elf_call_log_callback(struct elf_binary*, bool iserr, const char *fmt,...);
>> +void
>> +__attribute__ ((format (printf, 3, 4)))
>> +elf_call_log_callback(struct elf_binary*, bool iserr, const char *fmt, ...);
> Just one tiny, nit-like request here: If already you touch this, can the
> missing blank ahead of the first * please also be added at this occasion?

The parameter also needs a name.  I have both fixed up locally.

~Andrew
Re: [XEN PATCH] xen: rework deviation to address varargs MISRA violations
Posted by Nicola Vetrini 1 day, 16 hours ago 
On 2026-01-05 15:58, Andrew Cooper wrote:
> On 05/01/2026 2:55 pm, Jan Beulich wrote:
>> On 31.12.2025 12:22, Nicola Vetrini wrote:
>>> --- a/xen/common/libelf/libelf-private.h
>>> +++ b/xen/common/libelf/libelf-private.h
>>> @@ -84,7 +84,9 @@
>>>  #define elf_err(elf, fmt, args ... )                    \
>>>      elf_call_log_callback(elf, 1, fmt , ## args );
>>> 
>>> -void elf_call_log_callback(struct elf_binary*, bool iserr, const 
>>> char *fmt,...);
>>> +void
>>> +__attribute__ ((format (printf, 3, 4)))
>>> +elf_call_log_callback(struct elf_binary*, bool iserr, const char 
>>> *fmt, ...);
>> Just one tiny, nit-like request here: If already you touch this, can 
>> the
>> missing blank ahead of the first * please also be added at this 
>> occasion?
> 
> The parameter also needs a name.  I have both fixed up locally.
> 
> ~Andrew

Thanks

-- 
Nicola Vetrini, B.Sc.
Software Engineer
BUGSENG (https://bugseng.com)
LinkedIn: https://www.linkedin.com/in/nicola-vetrini-a42471253
Re: [XEN PATCH] xen: rework deviation to address varargs MISRA violations
Posted by Andrew Cooper 4 days, 22 hours ago 
On 31/12/2025 11:22 am, Nicola Vetrini wrote:
> diff --git a/automation/eclair_analysis/ECLAIR/deviations.ecl b/automation/eclair_analysis/ECLAIR/deviations.ecl
> index 219ba6993b90..7dee4a488d45 100644
> --- a/automation/eclair_analysis/ECLAIR/deviations.ecl
> +++ b/automation/eclair_analysis/ECLAIR/deviations.ecl
> @@ -570,13 +570,11 @@ safe."
>  # Series 17.
>  #
>  
> --doc_begin="printf()-like functions are allowed to use the variadic features provided by stdarg.h."
> --config=MC3A2.R17.1,reports+={deliberate,"any_area(^.*va_list.*$&&context(ancestor_or_self(^.*printk\\(.*\\)$)))"}
> --config=MC3A2.R17.1,reports+={deliberate,"any_area(^.*va_list.*$&&context(ancestor_or_self(^.*printf\\(.*\\)$)))"}
> --config=MC3A2.R17.1,reports+={deliberate,"any_area(^.*va_list.*$&&context(ancestor_or_self(name(panic)&&kind(function))))"}
> --config=MC3A2.R17.1,reports+={deliberate,"any_area(^.*va_list.*$&&context(ancestor_or_self(name(elf_call_log_callback)&&kind(function))))"}
> --config=MC3A2.R17.1,reports+={deliberate,"any_area(^.*va_list.*$&&context(ancestor_or_self(name(vprintk_common)&&kind(function))))"}
> --config=MC3A2.R17.1,macros+={hide , "^va_(arg|start|copy|end)$"}
> +-doc_begin="printf()-like or scanf()-like functions are allowed to use the variadic features provided by stdarg.h,
> +provided that they are declared using the `format' attribute."
> +-decl_selector+={format_attr, "property(format)"}
> +-config=MC3A2.R17.1,reports+={deliberate, "any_area(^.*va_list.*$&&context(ancestor_or_self(format_attr)))"}
> +-config=MC3A2.R17.1,macros+={deliberate , "^va_(arg|start|copy|end)$"}
>  -doc_end
>  
>  -doc_begin="Not using the return value of a function does not endanger safety if it coincides with an actual argument."
> diff --git a/docs/misra/deviations.rst b/docs/misra/deviations.rst
> index b3431ef24e26..584907b048ec 100644
> --- a/docs/misra/deviations.rst
> +++ b/docs/misra/deviations.rst
> @@ -570,8 +570,8 @@ Deviations related to MISRA C:2012 Rules:
>       - Tagged as `deliberate` for ECLAIR.
>  
>     * - R17.1
> -     - printf()-like functions  are allowed to use the variadic features provided
> -       by `stdarg.h`.
> +     - printf()-like or scanf()-like functions are allowed to use the variadic
> +       features provided by `stdarg.h`.
>       - Tagged as `deliberate` for ECLAIR.

Much nicer.  But don't we want to repeat the part about
__attribute__((format(...))) here?  After all, that is the justification
of why it's safer than nothing.

~Andrew
Re: [XEN PATCH] xen: rework deviation to address varargs MISRA violations
Posted by Nicola Vetrini 4 days, 20 hours ago 
On 2026-01-02 10:42, Andrew Cooper wrote:
> On 31/12/2025 11:22 am, Nicola Vetrini wrote:
>> diff --git a/automation/eclair_analysis/ECLAIR/deviations.ecl 
>> b/automation/eclair_analysis/ECLAIR/deviations.ecl
>> index 219ba6993b90..7dee4a488d45 100644
>> --- a/automation/eclair_analysis/ECLAIR/deviations.ecl
>> +++ b/automation/eclair_analysis/ECLAIR/deviations.ecl
>> @@ -570,13 +570,11 @@ safe."
>>  # Series 17.
>>  #
>> 
>> --doc_begin="printf()-like functions are allowed to use the variadic 
>> features provided by stdarg.h."
>> --config=MC3A2.R17.1,reports+={deliberate,"any_area(^.*va_list.*$&&context(ancestor_or_self(^.*printk\\(.*\\)$)))"}
>> --config=MC3A2.R17.1,reports+={deliberate,"any_area(^.*va_list.*$&&context(ancestor_or_self(^.*printf\\(.*\\)$)))"}
>> --config=MC3A2.R17.1,reports+={deliberate,"any_area(^.*va_list.*$&&context(ancestor_or_self(name(panic)&&kind(function))))"}
>> --config=MC3A2.R17.1,reports+={deliberate,"any_area(^.*va_list.*$&&context(ancestor_or_self(name(elf_call_log_callback)&&kind(function))))"}
>> --config=MC3A2.R17.1,reports+={deliberate,"any_area(^.*va_list.*$&&context(ancestor_or_self(name(vprintk_common)&&kind(function))))"}
>> --config=MC3A2.R17.1,macros+={hide , "^va_(arg|start|copy|end)$"}
>> +-doc_begin="printf()-like or scanf()-like functions are allowed to 
>> use the variadic features provided by stdarg.h,
>> +provided that they are declared using the `format' attribute."
>> +-decl_selector+={format_attr, "property(format)"}
>> +-config=MC3A2.R17.1,reports+={deliberate, 
>> "any_area(^.*va_list.*$&&context(ancestor_or_self(format_attr)))"}
>> +-config=MC3A2.R17.1,macros+={deliberate , 
>> "^va_(arg|start|copy|end)$"}
>>  -doc_end
>> 
>>  -doc_begin="Not using the return value of a function does not 
>> endanger safety if it coincides with an actual argument."
>> diff --git a/docs/misra/deviations.rst b/docs/misra/deviations.rst
>> index b3431ef24e26..584907b048ec 100644
>> --- a/docs/misra/deviations.rst
>> +++ b/docs/misra/deviations.rst
>> @@ -570,8 +570,8 @@ Deviations related to MISRA C:2012 Rules:
>>       - Tagged as `deliberate` for ECLAIR.
>> 
>>     * - R17.1
>> -     - printf()-like functions  are allowed to use the variadic 
>> features provided
>> -       by `stdarg.h`.
>> +     - printf()-like or scanf()-like functions are allowed to use the 
>> variadic
>> +       features provided by `stdarg.h`.
>>       - Tagged as `deliberate` for ECLAIR.
> 
> Much nicer.  But don't we want to repeat the part about
> __attribute__((format(...))) here?  After all, that is the 
> justification
> of why it's safer than nothing.
> 

Ok, that would be more accurate for sure. I didn't do that to preserve 
the original intention of the deviation, but they are practically 
equivalent with the current codebase, so changing the text makes little 
difference. I'll tweak that.

> ~Andrew

-- 
Nicola Vetrini, B.Sc.
Software Engineer
BUGSENG (https://bugseng.com)
LinkedIn: https://www.linkedin.com/in/nicola-vetrini-a42471253
Re: [XEN PATCH] xen: rework deviation to address varargs MISRA violations
Posted by Andrew Cooper 1 day, 20 hours ago 
On 02/01/2026 11:53 am, Nicola Vetrini wrote:
> On 2026-01-02 10:42, Andrew Cooper wrote:
>> On 31/12/2025 11:22 am, Nicola Vetrini wrote:
>>> diff --git a/automation/eclair_analysis/ECLAIR/deviations.ecl
>>> b/automation/eclair_analysis/ECLAIR/deviations.ecl
>>> index 219ba6993b90..7dee4a488d45 100644
>>> --- a/automation/eclair_analysis/ECLAIR/deviations.ecl
>>> +++ b/automation/eclair_analysis/ECLAIR/deviations.ecl
>>> @@ -570,13 +570,11 @@ safe."
>>>  # Series 17.
>>>  #
>>>
>>> --doc_begin="printf()-like functions are allowed to use the variadic
>>> features provided by stdarg.h."
>>> --config=MC3A2.R17.1,reports+={deliberate,"any_area(^.*va_list.*$&&context(ancestor_or_self(^.*printk\\(.*\\)$)))"}
>>>
>>> --config=MC3A2.R17.1,reports+={deliberate,"any_area(^.*va_list.*$&&context(ancestor_or_self(^.*printf\\(.*\\)$)))"}
>>>
>>> --config=MC3A2.R17.1,reports+={deliberate,"any_area(^.*va_list.*$&&context(ancestor_or_self(name(panic)&&kind(function))))"}
>>>
>>> --config=MC3A2.R17.1,reports+={deliberate,"any_area(^.*va_list.*$&&context(ancestor_or_self(name(elf_call_log_callback)&&kind(function))))"}
>>>
>>> --config=MC3A2.R17.1,reports+={deliberate,"any_area(^.*va_list.*$&&context(ancestor_or_self(name(vprintk_common)&&kind(function))))"}
>>>
>>> --config=MC3A2.R17.1,macros+={hide , "^va_(arg|start|copy|end)$"}
>>> +-doc_begin="printf()-like or scanf()-like functions are allowed to
>>> use the variadic features provided by stdarg.h,
>>> +provided that they are declared using the `format' attribute."
>>> +-decl_selector+={format_attr, "property(format)"}
>>> +-config=MC3A2.R17.1,reports+={deliberate,
>>> "any_area(^.*va_list.*$&&context(ancestor_or_self(format_attr)))"}
>>> +-config=MC3A2.R17.1,macros+={deliberate , "^va_(arg|start|copy|end)$"}
>>>  -doc_end
>>>
>>>  -doc_begin="Not using the return value of a function does not
>>> endanger safety if it coincides with an actual argument."
>>> diff --git a/docs/misra/deviations.rst b/docs/misra/deviations.rst
>>> index b3431ef24e26..584907b048ec 100644
>>> --- a/docs/misra/deviations.rst
>>> +++ b/docs/misra/deviations.rst
>>> @@ -570,8 +570,8 @@ Deviations related to MISRA C:2012 Rules:
>>>       - Tagged as `deliberate` for ECLAIR.
>>>
>>>     * - R17.1
>>> -     - printf()-like functions  are allowed to use the variadic
>>> features provided
>>> -       by `stdarg.h`.
>>> +     - printf()-like or scanf()-like functions are allowed to use
>>> the variadic
>>> +       features provided by `stdarg.h`.
>>>       - Tagged as `deliberate` for ECLAIR.
>>
>> Much nicer.  But don't we want to repeat the part about
>> __attribute__((format(...))) here?  After all, that is the justification
>> of why it's safer than nothing.
>>
>
> Ok, that would be more accurate for sure. I didn't do that to preserve
> the original intention of the deviation, but they are practically
> equivalent with the current codebase, so changing the text makes
> little difference. I'll tweak that.

I can adjust on commit, if you're happy?  Everything else is fine AFAICT.

In fact, this fixes the x86_64-allcode complaint for
vmcoreinfo_append_str() which is already annotated, and
debugtrace_printk() too (not yet enabled in *-allcode).

~Andrew
Re: [XEN PATCH] xen: rework deviation to address varargs MISRA violations
Posted by Nicola Vetrini 1 day, 16 hours ago 
On 2026-01-05 12:54, Andrew Cooper wrote:
> On 02/01/2026 11:53 am, Nicola Vetrini wrote:
>> On 2026-01-02 10:42, Andrew Cooper wrote:
>>> On 31/12/2025 11:22 am, Nicola Vetrini wrote:
>>>> diff --git a/automation/eclair_analysis/ECLAIR/deviations.ecl
>>>> b/automation/eclair_analysis/ECLAIR/deviations.ecl
>>>> index 219ba6993b90..7dee4a488d45 100644
>>>> --- a/automation/eclair_analysis/ECLAIR/deviations.ecl
>>>> +++ b/automation/eclair_analysis/ECLAIR/deviations.ecl
>>>> @@ -570,13 +570,11 @@ safe."
>>>>  # Series 17.
>>>>  #
>>>> 
>>>> --doc_begin="printf()-like functions are allowed to use the variadic
>>>> features provided by stdarg.h."
>>>> --config=MC3A2.R17.1,reports+={deliberate,"any_area(^.*va_list.*$&&context(ancestor_or_self(^.*printk\\(.*\\)$)))"}
>>>> 
>>>> --config=MC3A2.R17.1,reports+={deliberate,"any_area(^.*va_list.*$&&context(ancestor_or_self(^.*printf\\(.*\\)$)))"}
>>>> 
>>>> --config=MC3A2.R17.1,reports+={deliberate,"any_area(^.*va_list.*$&&context(ancestor_or_self(name(panic)&&kind(function))))"}
>>>> 
>>>> --config=MC3A2.R17.1,reports+={deliberate,"any_area(^.*va_list.*$&&context(ancestor_or_self(name(elf_call_log_callback)&&kind(function))))"}
>>>> 
>>>> --config=MC3A2.R17.1,reports+={deliberate,"any_area(^.*va_list.*$&&context(ancestor_or_self(name(vprintk_common)&&kind(function))))"}
>>>> 
>>>> --config=MC3A2.R17.1,macros+={hide , "^va_(arg|start|copy|end)$"}
>>>> +-doc_begin="printf()-like or scanf()-like functions are allowed to
>>>> use the variadic features provided by stdarg.h,
>>>> +provided that they are declared using the `format' attribute."
>>>> +-decl_selector+={format_attr, "property(format)"}
>>>> +-config=MC3A2.R17.1,reports+={deliberate,
>>>> "any_area(^.*va_list.*$&&context(ancestor_or_self(format_attr)))"}
>>>> +-config=MC3A2.R17.1,macros+={deliberate , 
>>>> "^va_(arg|start|copy|end)$"}
>>>>  -doc_end
>>>> 
>>>>  -doc_begin="Not using the return value of a function does not
>>>> endanger safety if it coincides with an actual argument."
>>>> diff --git a/docs/misra/deviations.rst b/docs/misra/deviations.rst
>>>> index b3431ef24e26..584907b048ec 100644
>>>> --- a/docs/misra/deviations.rst
>>>> +++ b/docs/misra/deviations.rst
>>>> @@ -570,8 +570,8 @@ Deviations related to MISRA C:2012 Rules:
>>>>       - Tagged as `deliberate` for ECLAIR.
>>>> 
>>>>     * - R17.1
>>>> -     - printf()-like functions  are allowed to use the variadic
>>>> features provided
>>>> -       by `stdarg.h`.
>>>> +     - printf()-like or scanf()-like functions are allowed to use
>>>> the variadic
>>>> +       features provided by `stdarg.h`.
>>>>       - Tagged as `deliberate` for ECLAIR.
>>> 
>>> Much nicer.  But don't we want to repeat the part about
>>> __attribute__((format(...))) here?  After all, that is the 
>>> justification
>>> of why it's safer than nothing.
>>> 
>> 
>> Ok, that would be more accurate for sure. I didn't do that to preserve
>> the original intention of the deviation, but they are practically
>> equivalent with the current codebase, so changing the text makes
>> little difference. I'll tweak that.
> 
> I can adjust on commit, if you're happy?  Everything else is fine 
> AFAICT.
> 
> In fact, this fixes the x86_64-allcode complaint for
> vmcoreinfo_append_str() which is already annotated, and
> debugtrace_printk() too (not yet enabled in *-allcode).
> 
> ~Andrew

Yes, sorry for the delay. I forgot I had to respin the patch here.

-- 
Nicola Vetrini, B.Sc.
Software Engineer
BUGSENG (https://bugseng.com)
LinkedIn: https://www.linkedin.com/in/nicola-vetrini-a42471253

Patchew 2.1-devel-b67e4c2

© 2016 - 2026 Red Hat, Inc.