[PATCH v3] misra: add deviations of MISRA C Rule 5.5

Dmytro Prokopchuk1 posted 1 patch 3 months ago
git fetch https://gitlab.com/xen-project/patchew/xen tags/patchew/e681e0c083d945f48e6d0add1aee32af16be224e.1753911247.git.dmytro._5Fprokopchuk1@epam.com
There is a newer version of this series
[PATCH v3] misra: add deviations of MISRA C Rule 5.5
Posted by Dmytro Prokopchuk1 3 months ago
MISRA C Rule 5.5 states that: "Identifiers shall
be distinct from macro names".

Update ECLAIR configuration to deviate clashes:
specify the macros that should be ignored.
Update deviations.rst and rules.rst accordingly.

Signed-off-by: Dmytro Prokopchuk <dmytro_prokopchuk1@epam.com>
---
Changes in v3:
- removed deviation for 'pirq_cleanup_check', it will be addressed in the
https://patchew.org/Xen/20250729223110.3404441-1-andrew.cooper3@citrix.com/
- updated wording of the deviations

Link to v2: https://patchew.org/Xen/7f5223bf37ed42c90e4bd426659eaa87c2c6879f.1753455885.git.dmytro._5Fprokopchuk1@epam.com/
---
 .../eclair_analysis/ECLAIR/deviations.ecl     | 10 +++++++++
 docs/misra/deviations.rst                     | 22 +++++++++++++++++++
 docs/misra/rules.rst                          | 17 ++++++++++++++
 3 files changed, 49 insertions(+)

diff --git a/automation/eclair_analysis/ECLAIR/deviations.ecl b/automation/eclair_analysis/ECLAIR/deviations.ecl
index 483507e7b9..f30afd1126 100644
--- a/automation/eclair_analysis/ECLAIR/deviations.ecl
+++ b/automation/eclair_analysis/ECLAIR/deviations.ecl
@@ -117,6 +117,16 @@ it defines would (in the common case) be already defined. Peer reviewed by the c
 -config=MC3A2.R5.5,reports+={deliberate, "any_area(decl(kind(function))||any_loc(macro(name(memcpy||memset||memmove))))&&any_area(any_loc(file(^xen/common/libelf/libelf-private\\.h$)))"}
 -doc_end
 
+-doc_begin="Clashes between bitops function and macro names are deliberate.
+These macros are needed for input validation and error handling."
+-config=MC3A2.R5.5,ignored_macros+="name(__test_and_set_bit||__test_and_clear_bit||__test_and_change_bit||test_bit||set_bit||clear_bit||change_bit||test_and_set_bit||test_and_clear_bit||test_and_change_bit)"
+-doc_end
+
+-doc_begin="Clashes between grant table functions and macros names are deliberate.
+These macros address differences in argument count during compile-time, effectively discarding unused parameters to avoid warnings or errors related to them."
+-config=MC3A2.R5.5,ignored_macros+="name(update_gnttab_par||parse_gnttab_limit)"
+-doc_end
+
 -doc_begin="The type \"ret_t\" is deliberately defined multiple times,
 depending on the guest."
 -config=MC3A2.R5.6,reports+={deliberate,"any_area(any_loc(text(^.*ret_t.*$)))"}
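Review bot: Both added ignored_macros entries match on the macro name alone and carry no file restriction, whereas the existing libelf deviation in the context line above is limited with file(^xen/common/libelf/libelf-private\\.h$). For name(update_gnttab_par||parse_gnttab_limit) in particular, either scope the deviation to the file that defines those macros or state in the -doc_begin text why an unscoped ignore is wanted, so that a later, unrelated macro with one of these names is still reported. The second -doc_begin text is also much longer than the lines around it, and "functions and macros names" should read "function and macro names", as the bitops entry already does.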
diff --git a/docs/misra/deviations.rst b/docs/misra/deviations.rst
index e78179fcb8..96eedd27d5 100644
--- a/docs/misra/deviations.rst
+++ b/docs/misra/deviations.rst
@@ -142,6 +142,28 @@ Deviations related to MISRA C:2012 Rules:
        memmove.
      - Tagged as `deliberate` for ECLAIR.
 
+   * - R5.5
+     - Clashes between bitops ('__test_and_set_bit', '__test_and_clear_bit',
+       '__test_and_change_bit', 'test_bit', 'set_bit', 'clear_bit', 'change_bit',
+       'test_and_set_bit', 'test_and_clear_bit', 'test_and_change_bit')
+       functions and macros names are deliberate and are needed for input
+       validation and error handling, ensures that the size of the object being
+       pointed to by 'addr' meets the minimum requirements for the bit operation,
+       preventing unsafe operations on improperly sized data types that could
+       lead to undefined behavior or memory corruption.
+       The macros encapsulate this conditional logic into a single, reusable form;
+       which simplifies the code, avoids redundant function call.
+       Also this bitops API was inherited from Linux and should be kept for familiarity.
+     - ECLAIR has been configured to ignore these macros.
+
+   * - R5.5
+     - Clashes between grant table ('update_gnttab_par', 'parse_gnttab_limit')
+       functions and macros names are deliberate.
+       These macros are used intentionally and address differences in argument count
+       during compile-time, effectively discarding unused 2nd and 3rd parameters
+       to avoid warnings or errors related to them.
+     - ECLAIR has been configured to ignore these macros.
+
    * - R5.6
      - The type ret_t is deliberately defined multiple times depending on the
        type of guest to service.
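Review bot: The justification in the first added R5.5 entry runs several claims together and is hard to parse: in "needed for input validation and error handling, ensures that the size of the object being" the verb "ensures" has no subject, 'addr' is used without saying it is the pointer argument of the macros, and "avoids redundant function call" does not say which call would be redundant. Split it into short sentences stating that the macros check the size of the pointed-to object before invoking the same-named function. The line "Also this bitops API was inherited from Linux and should be kept for familiarity." exceeds 80 columns, and the grant table entry should say which function the "unused 2nd and 3rd parameters" belong to.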
diff --git a/docs/misra/rules.rst b/docs/misra/rules.rst
index 3e014a6298..431533b1e4 100644
--- a/docs/misra/rules.rst
+++ b/docs/misra/rules.rst
@@ -196,6 +196,23 @@ maintainers if you want to suggest a change.
            #define f(x, y) f(x, y)
            void f(int x, int y);
 
+       Clashes between bitops functions and macros names are allowed
+       because they are used for input validation and error handling.
+       Example::
+
+           static inline void set_bit(int nr, volatile void *addr)
+           {
+               asm volatile ( "lock btsl %1,%0"
+                              : "+m" (ADDR) : "Ir" (nr) : "memory");
+           }
+           #define set_bit(nr, addr) ({                            \
+               if ( bitop_bad_size(addr) ) __bitop_bad_size();     \
+               set_bit(nr, addr);                                  \
+           })
+
+       Clashes between grant table functions and macros names are allowed
+       because the are used for discard unused parameters.
+
    * - `Rule 5.6 <https://gitlab.com/MISRA/MISRA-C/MISRA-C-2012/Example-Suite/-/blob/master/R_05_06.c>`_
      - Required
      - A typedef name shall be a unique identifier
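Review bot: The added set_bit example does not stand on its own: the asm operand uses ADDR, which the snippet never defines (the function parameter is addr), and bitop_bad_size() / __bitop_bad_size() appear without a word on what they check. Either define ADDR in the example or switch the operand to the parameter, and add one sentence saying that the macro rejects an improperly sized object before calling the function. In the grant table paragraph, "because the are used for discard unused parameters" should read "because they are used to discard unused parameters", and that case has no example while the bitops case does.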
-- 
2.43.0
Re: [PATCH v3] misra: add deviations of MISRA C Rule 5.5
Posted by Jan Beulich 3 months ago
On 30.07.2025 23:39, Dmytro Prokopchuk1 wrote:
> MISRA C Rule 5.5 states that: "Identifiers shall
> be distinct from macro names".
> 
> Update ECLAIR configuration to deviate clashes:
> specify the macros that should be ignored.
> Update deviations.rst and rules.rst accordingly.
> 
> Signed-off-by: Dmytro Prokopchuk <dmytro_prokopchuk1@epam.com>

Nit (along the lines of my comments on the other patch): Make better use of line
capacity here.

> --- a/automation/eclair_analysis/ECLAIR/deviations.ecl
> +++ b/automation/eclair_analysis/ECLAIR/deviations.ecl
> @@ -117,6 +117,16 @@ it defines would (in the common case) be already defined. Peer reviewed by the c
>  -config=MC3A2.R5.5,reports+={deliberate, "any_area(decl(kind(function))||any_loc(macro(name(memcpy||memset||memmove))))&&any_area(any_loc(file(^xen/common/libelf/libelf-private\\.h$)))"}
>  -doc_end
>  
> +-doc_begin="Clashes between bitops function and macro names are deliberate.
> +These macros are needed for input validation and error handling."
> +-config=MC3A2.R5.5,ignored_macros+="name(__test_and_set_bit||__test_and_clear_bit||__test_and_change_bit||test_bit||set_bit||clear_bit||change_bit||test_and_set_bit||test_and_clear_bit||test_and_change_bit)"
> +-doc_end

I have no idea whether regular expressions could be used here. If so, shortening
this at least some may be desirable.

> +-doc_begin="Clashes between grant table functions and macros names are deliberate.
> +These macros address differences in argument count during compile-time, effectively discarding unused parameters to avoid warnings or errors related to them."
> +-config=MC3A2.R5.5,ignored_macros+="name(update_gnttab_par||parse_gnttab_limit)"
> +-doc_end

No restriction to common/grant_table.c?

> --- a/docs/misra/deviations.rst
> +++ b/docs/misra/deviations.rst
> @@ -142,6 +142,28 @@ Deviations related to MISRA C:2012 Rules:
>         memmove.
>       - Tagged as `deliberate` for ECLAIR.
>  
> +   * - R5.5
> +     - Clashes between bitops ('__test_and_set_bit', '__test_and_clear_bit',
> +       '__test_and_change_bit', 'test_bit', 'set_bit', 'clear_bit', 'change_bit',
> +       'test_and_set_bit', 'test_and_clear_bit', 'test_and_change_bit')
> +       functions and macros names are deliberate and are needed for input

Nit: "macro names"

> +       validation and error handling, ensures that the size of the object being

s/ensures/to ensure/ ?

> +       pointed to by 'addr' meets the minimum requirements for the bit operation,

'addr' is pretty meaningless here.

> +       preventing unsafe operations on improperly sized data types that could
> +       lead to undefined behavior or memory corruption.
> +       The macros encapsulate this conditional logic into a single, reusable form;
> +       which simplifies the code, avoids redundant function call.

What's "redundant" referring to here?

> +       Also this bitops API was inherited from Linux and should be kept for familiarity.

At least this line is clearly beyond 80 chars.

Jan
Re: [PATCH v3] misra: add deviations of MISRA C Rule 5.5
Posted by Nicola Vetrini 3 months ago
On 2025-07-31 09:15, Jan Beulich wrote:
> On 30.07.2025 23:39, Dmytro Prokopchuk1 wrote:
>> MISRA C Rule 5.5 states that: "Identifiers shall
>> be distinct from macro names".
>> 
>> Update ECLAIR configuration to deviate clashes:
>> specify the macros that should be ignored.
>> Update deviations.rst and rules.rst accordingly.
>> 
>> Signed-off-by: Dmytro Prokopchuk <dmytro_prokopchuk1@epam.com>
> 
> Nit (along the lines of my comments on the other patch): Make better use of line
> capacity here.
> 
>> --- a/automation/eclair_analysis/ECLAIR/deviations.ecl
>> +++ b/automation/eclair_analysis/ECLAIR/deviations.ecl
>> @@ -117,6 +117,16 @@ it defines would (in the common case) be already 
>> defined. Peer reviewed by the c
>>  -config=MC3A2.R5.5,reports+={deliberate, 
>> "any_area(decl(kind(function))||any_loc(macro(name(memcpy||memset||memmove))))&&any_area(any_loc(file(^xen/common/libelf/libelf-private\\.h$)))"}
>>  -doc_end
>> 
>> +-doc_begin="Clashes between bitops function and macro names are 
>> deliberate.
>> +These macros are needed for input validation and error handling."
>> +-config=MC3A2.R5.5,ignored_macros+="name(__test_and_set_bit||__test_and_clear_bit||__test_and_change_bit||test_bit||set_bit||clear_bit||change_bit||test_and_set_bit||test_and_clear_bit||test_and_change_bit)"
>> +-doc_end
> 
> I have no idea whether regular expressions could be used here. If so, shortening
> this at least some may be desirable.
> 

It's possible, without using name(_):  e.g., 
ignored_macros+="^(__)?test_and_(set|clear|change)?_bit$

>> +-doc_begin="Clashes between grant table functions and macros names 
>> are deliberate.
>> +These macros address differences in argument count during 
>> compile-time, effectively discarding unused parameters to avoid 
>> warnings or errors related to them."
>> +-config=MC3A2.R5.5,ignored_macros+="name(update_gnttab_par||parse_gnttab_limit)"
>> +-doc_end
> 
> No restriction to common/grant_table.c?
> 
>> --- a/docs/misra/deviations.rst
>> +++ b/docs/misra/deviations.rst
>> @@ -142,6 +142,28 @@ Deviations related to MISRA C:2012 Rules:
>>         memmove.
>>       - Tagged as `deliberate` for ECLAIR.
>> 
>> +   * - R5.5
>> +     - Clashes between bitops ('__test_and_set_bit', 
>> '__test_and_clear_bit',
>> +       '__test_and_change_bit', 'test_bit', 'set_bit', 'clear_bit', 
>> 'change_bit',
>> +       'test_and_set_bit', 'test_and_clear_bit', 
>> 'test_and_change_bit')
>> +       functions and macros names are deliberate and are needed for 
>> input
> 
> Nit: "macro names"
> 
>> +       validation and error handling, ensures that the size of the 
>> object being
> 
> s/ensures/to ensure/ ?
> 
>> +       pointed to by 'addr' meets the minimum requirements for the 
>> bit operation,
> 
> 'addr' is pretty meaningless here.
> 
>> +       preventing unsafe operations on improperly sized data types 
>> that could
>> +       lead to undefined behavior or memory corruption.
>> +       The macros encapsulate this conditional logic into a single, 
>> reusable form;
>> +       which simplifies the code, avoids redundant function call.
> 
> What's "redundant" referring to here?
> 
>> +       Also this bitops API was inherited from Linux and should be 
>> kept for familiarity.
> 
> At least this line is clearly beyond 80 chars.
> 
> Jan

-- 
Nicola Vetrini, B.Sc.
Software Engineer
BUGSENG (https://bugseng.com)
LinkedIn: https://www.linkedin.com/in/nicola-vetrini-a42471253
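
An added example, not part of the thread or of the Xen/ECLAIR sources: a Python check that a candidate suppression pattern covers exactly the ten bitops macro names from the patch, so a shortened regex neither drops an intended name nor silences an unrelated identifier. It assumes the pattern behaves as it does under Python's `re`; `UNINTENDED` and `EXACT` are constructed for this example.

```python
import re

# The ten bitops macro names listed in the patch's ignored_macros entry.
INTENDED = {
    "__test_and_set_bit", "__test_and_clear_bit", "__test_and_change_bit",
    "test_bit", "set_bit", "clear_bit", "change_bit",
    "test_and_set_bit", "test_and_clear_bit", "test_and_change_bit",
}

# Constructed negative samples: identifiers the deviation must NOT cover.
UNINTENDED = {
    "test_and__bit", "__set_bit", "find_first_bit", "set_bits", "xtest_bit",
}

# Pattern quoted in the reply above, where it is given as an "e.g.".
REPLY_EXAMPLE = r"^(__)?test_and_(set|clear|change)?_bit$"

# Hypothetical pattern written for this example to match exactly the ten names.
EXACT = r"^((__)?test_and_(set|clear|change)|test|set|clear|change)_bit$"


def audit(pattern, intended=INTENDED, unintended=UNINTENDED):
    """Return (missed, overmatched) for a candidate ignore pattern.

    missed:      intended names the pattern fails to match (still reported)
    overmatched: unintended names the pattern matches (silently suppressed)
    """
    rx = re.compile(pattern)
    missed = sorted(n for n in intended if not rx.search(n))
    overmatched = sorted(n for n in unintended if rx.search(n))
    return missed, overmatched


if __name__ == "__main__":
    for label, pat in (("reply example", REPLY_EXAMPLE), ("exact", EXACT)):
        missed, over = audit(pat)
        print(f"{label}: missed={missed} overmatched={over}")
```

Running the same audit in CI whenever the deviation list changes keeps the ECLAIR configuration and the names documented in deviations.rst from drifting apart.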