diff mbox series

[XEN,07/11] xen: address MISRA C:2012 Rule 2.1

Message ID 7f8cbd8c8ad64cd3a0d099f31cb4d3fad48aa63b.1690985045.git.nicola.vetrini@bugseng.com (mailing list archive)
State New, archived
Headers show
Series xen: address MISRA C:2012 Rule 2.1 | expand

Commit Message

Nicola Vetrini Aug. 2, 2023, 2:38 p.m. UTC 
Rule 2.1 states: "A project shall not contain unreachable code".

The functions
- machine_halt
- maybe_reboot
- machine_restart
are not supposed to return, hence the following break statement
is marked as intentionally unreachable with the ASSERT_UNREACHABLE()
macro to justify the violation of the rule.

Signed-off-by: Nicola Vetrini <nicola.vetrini@bugseng.com>
---
 xen/common/shutdown.c | 18 ++++++++++++------
 1 file changed, 12 insertions(+), 6 deletions(-)

Comments

Jan Beulich Aug. 3, 2023, 9:16 a.m. UTC | #1 
On 02.08.2023 16:38, Nicola Vetrini wrote:
> Rule 2.1 states: "A project shall not contain unreachable code".
> 
> The functions
> - machine_halt
> - maybe_reboot
> - machine_restart
> are not supposed to return, hence the following break statement
> is marked as intentionally unreachable with the ASSERT_UNREACHABLE()
> macro to justify the violation of the rule.

During the discussion it was mentioned that this won't help with
release builds, where right now ASSERT_UNREACHABLE() expands to
effectively nothing. You want to clarify here how release builds
are to be taken care of, as those are what eventual certification
will be run against.

Jan
Stefano Stabellini Aug. 3, 2023, 11:50 p.m. UTC | #2 
On Thu, 3 Aug 2023, Jan Beulich wrote:
> On 02.08.2023 16:38, Nicola Vetrini wrote:
> > Rule 2.1 states: "A project shall not contain unreachable code".
> > 
> > The functions
> > - machine_halt
> > - maybe_reboot
> > - machine_restart
> > are not supposed to return, hence the following break statement
> > is marked as intentionally unreachable with the ASSERT_UNREACHABLE()
> > macro to justify the violation of the rule.
> 
> During the discussion it was mentioned that this won't help with
> release builds, where right now ASSERT_UNREACHABLE() expands to
> effectively nothing. You want to clarify here how release builds
> are to be taken care of, as those are what eventual certification
> will be run against.

Something along these lines:

ASSERT_UNREACHABLE(), not only is used in non-release builds to actually
assert and detect errors, but it is also used as a marker to tag
unreachable code. In release builds ASSERT_UNREACHABLE() doesn't resolve
into an assert, but retains its role of a code marker.

Does it work?
Jan Beulich Aug. 4, 2023, 6:42 a.m. UTC | #3 
On 04.08.2023 01:50, Stefano Stabellini wrote:
> On Thu, 3 Aug 2023, Jan Beulich wrote:
>> On 02.08.2023 16:38, Nicola Vetrini wrote:
>>> Rule 2.1 states: "A project shall not contain unreachable code".
>>>
>>> The functions
>>> - machine_halt
>>> - maybe_reboot
>>> - machine_restart
>>> are not supposed to return, hence the following break statement
>>> is marked as intentionally unreachable with the ASSERT_UNREACHABLE()
>>> macro to justify the violation of the rule.
>>
>> During the discussion it was mentioned that this won't help with
>> release builds, where right now ASSERT_UNREACHABLE() expands to
>> effectively nothing. You want to clarify here how release builds
>> are to be taken care of, as those are what eventual certification
>> will be run against.
> 
> Something along these lines:
> 
> ASSERT_UNREACHABLE(), not only is used in non-release builds to actually
> assert and detect errors, but it is also used as a marker to tag
> unreachable code. In release builds ASSERT_UNREACHABLE() doesn't resolve
> into an assert, but retains its role of a code marker.
> 
> Does it work?

Well, it states what is happening, but I'm not convinced it satisfies
rule 2.1. There's then still code there which isn't reachable, and
which a scanner will spot and report.

Jan
Nicola Vetrini Aug. 8, 2023, 9:03 a.m. UTC | #4 
On 04/08/2023 08:42, Jan Beulich wrote:
> On 04.08.2023 01:50, Stefano Stabellini wrote:
>> On Thu, 3 Aug 2023, Jan Beulich wrote:
>>> On 02.08.2023 16:38, Nicola Vetrini wrote:
>>>> Rule 2.1 states: "A project shall not contain unreachable code".
>>>> 
>>>> The functions
>>>> - machine_halt
>>>> - maybe_reboot
>>>> - machine_restart
>>>> are not supposed to return, hence the following break statement
>>>> is marked as intentionally unreachable with the ASSERT_UNREACHABLE()
>>>> macro to justify the violation of the rule.
>>> 
>>> During the discussion it was mentioned that this won't help with
>>> release builds, where right now ASSERT_UNREACHABLE() expands to
>>> effectively nothing. You want to clarify here how release builds
>>> are to be taken care of, as those are what eventual certification
>>> will be run against.
>> 
>> Something along these lines:
>> 
>> ASSERT_UNREACHABLE(), not only is used in non-release builds to 
>> actually
>> assert and detect errors, but it is also used as a marker to tag
>> unreachable code. In release builds ASSERT_UNREACHABLE() doesn't 
>> resolve
>> into an assert, but retains its role of a code marker.
>> 
>> Does it work?
> 
> Well, it states what is happening, but I'm not convinced it satisfies
> rule 2.1. There's then still code there which isn't reachable, and
> which a scanner will spot and report.
> 
> Jan

It's not clear to me whether you dislike the patch itself or the commit
message. If it's the latter, how about:
"ASSERT_UNREACHABLE() is used as a marker for intentionally unreachable 
code, which
constitutes a motivated deviation from Rule 2.1. Additionally, in 
non-release
builds, this macro performs a failing assertion to detect errors."
Nicola Vetrini Aug. 16, 2023, 10:01 a.m. UTC | #5 
Hi,

On 08/08/2023 11:03, Nicola Vetrini wrote:
> On 04/08/2023 08:42, Jan Beulich wrote:
>> On 04.08.2023 01:50, Stefano Stabellini wrote:
>>> On Thu, 3 Aug 2023, Jan Beulich wrote:
>>>> On 02.08.2023 16:38, Nicola Vetrini wrote:
>>>>> Rule 2.1 states: "A project shall not contain unreachable code".
>>>>> 
>>>>> The functions
>>>>> - machine_halt
>>>>> - maybe_reboot
>>>>> - machine_restart
>>>>> are not supposed to return, hence the following break statement
>>>>> is marked as intentionally unreachable with the 
>>>>> ASSERT_UNREACHABLE()
>>>>> macro to justify the violation of the rule.
>>>> 
>>>> During the discussion it was mentioned that this won't help with
>>>> release builds, where right now ASSERT_UNREACHABLE() expands to
>>>> effectively nothing. You want to clarify here how release builds
>>>> are to be taken care of, as those are what eventual certification
>>>> will be run against.
>>> 
>>> Something along these lines:
>>> 
>>> ASSERT_UNREACHABLE(), not only is used in non-release builds to 
>>> actually
>>> assert and detect errors, but it is also used as a marker to tag
>>> unreachable code. In release builds ASSERT_UNREACHABLE() doesn't 
>>> resolve
>>> into an assert, but retains its role of a code marker.
>>> 
>>> Does it work?
>> 
>> Well, it states what is happening, but I'm not convinced it satisfies
>> rule 2.1. There's then still code there which isn't reachable, and
>> which a scanner will spot and report.
>> 
>> Jan
> 
> It's not clear to me whether you dislike the patch itself or the commit
> message. If it's the latter, how about:
> "ASSERT_UNREACHABLE() is used as a marker for intentionally
> unreachable code, which
> constitutes a motivated deviation from Rule 2.1. Additionally, in 
> non-release
> builds, this macro performs a failing assertion to detect errors."

Any feedback on this (with one edit: s/a failing assertion/an 
assertion/)
Jan Beulich Aug. 16, 2023, 10:31 a.m. UTC | #6 
On 16.08.2023 12:01, Nicola Vetrini wrote:
> Hi,
> 
> On 08/08/2023 11:03, Nicola Vetrini wrote:
>> On 04/08/2023 08:42, Jan Beulich wrote:
>>> On 04.08.2023 01:50, Stefano Stabellini wrote:
>>>> On Thu, 3 Aug 2023, Jan Beulich wrote:
>>>>> On 02.08.2023 16:38, Nicola Vetrini wrote:
>>>>>> Rule 2.1 states: "A project shall not contain unreachable code".
>>>>>>
>>>>>> The functions
>>>>>> - machine_halt
>>>>>> - maybe_reboot
>>>>>> - machine_restart
>>>>>> are not supposed to return, hence the following break statement
>>>>>> is marked as intentionally unreachable with the 
>>>>>> ASSERT_UNREACHABLE()
>>>>>> macro to justify the violation of the rule.
>>>>>
>>>>> During the discussion it was mentioned that this won't help with
>>>>> release builds, where right now ASSERT_UNREACHABLE() expands to
>>>>> effectively nothing. You want to clarify here how release builds
>>>>> are to be taken care of, as those are what eventual certification
>>>>> will be run against.
>>>>
>>>> Something along these lines:
>>>>
>>>> ASSERT_UNREACHABLE(), not only is used in non-release builds to 
>>>> actually
>>>> assert and detect errors, but it is also used as a marker to tag
>>>> unreachable code. In release builds ASSERT_UNREACHABLE() doesn't 
>>>> resolve
>>>> into an assert, but retains its role of a code marker.
>>>>
>>>> Does it work?
>>>
>>> Well, it states what is happening, but I'm not convinced it satisfies
>>> rule 2.1. There's then still code there which isn't reachable, and
>>> which a scanner will spot and report.
>>
>> It's not clear to me whether you dislike the patch itself or the commit
>> message. If it's the latter, how about:
>> "ASSERT_UNREACHABLE() is used as a marker for intentionally
>> unreachable code, which
>> constitutes a motivated deviation from Rule 2.1. Additionally, in 
>> non-release
>> builds, this macro performs a failing assertion to detect errors."
> 
> Any feedback on this (with one edit: s/a failing assertion/an 
> assertion/)

The patch here is kind of okay, but I'm afraid I view my earlier question
as not addressed: How will the proposed change prevent the scanner from
spotting issues here in release builds? Just stating in the description
that there's a deviation is not going to help that.

Jan
Nicola Vetrini Aug. 16, 2023, 10:47 a.m. UTC | #7 
On 16/08/2023 12:31, Jan Beulich wrote:
> On 16.08.2023 12:01, Nicola Vetrini wrote:
>> Hi,
>> 
>> On 08/08/2023 11:03, Nicola Vetrini wrote:
>>> On 04/08/2023 08:42, Jan Beulich wrote:
>>>> On 04.08.2023 01:50, Stefano Stabellini wrote:
>>>>> On Thu, 3 Aug 2023, Jan Beulich wrote:
>>>>>> On 02.08.2023 16:38, Nicola Vetrini wrote:
>>>>>>> Rule 2.1 states: "A project shall not contain unreachable code".
>>>>>>> 
>>>>>>> The functions
>>>>>>> - machine_halt
>>>>>>> - maybe_reboot
>>>>>>> - machine_restart
>>>>>>> are not supposed to return, hence the following break statement
>>>>>>> is marked as intentionally unreachable with the
>>>>>>> ASSERT_UNREACHABLE()
>>>>>>> macro to justify the violation of the rule.
>>>>>> 
>>>>>> During the discussion it was mentioned that this won't help with
>>>>>> release builds, where right now ASSERT_UNREACHABLE() expands to
>>>>>> effectively nothing. You want to clarify here how release builds
>>>>>> are to be taken care of, as those are what eventual certification
>>>>>> will be run against.
>>>>> 
>>>>> Something along these lines:
>>>>> 
>>>>> ASSERT_UNREACHABLE(), not only is used in non-release builds to
>>>>> actually
>>>>> assert and detect errors, but it is also used as a marker to tag
>>>>> unreachable code. In release builds ASSERT_UNREACHABLE() doesn't
>>>>> resolve
>>>>> into an assert, but retains its role of a code marker.
>>>>> 
>>>>> Does it work?
>>>> 
>>>> Well, it states what is happening, but I'm not convinced it 
>>>> satisfies
>>>> rule 2.1. There's then still code there which isn't reachable, and
>>>> which a scanner will spot and report.
>>> 
>>> It's not clear to me whether you dislike the patch itself or the 
>>> commit
>>> message. If it's the latter, how about:
>>> "ASSERT_UNREACHABLE() is used as a marker for intentionally
>>> unreachable code, which
>>> constitutes a motivated deviation from Rule 2.1. Additionally, in
>>> non-release
>>> builds, this macro performs a failing assertion to detect errors."
>> 
>> Any feedback on this (with one edit: s/a failing assertion/an
>> assertion/)
> 
> The patch here is kind of okay, but I'm afraid I view my earlier 
> question
> as not addressed: How will the proposed change prevent the scanner from
> spotting issues here in release builds? Just stating in the description
> that there's a deviation is not going to help that.
> 
> Jan

There is a deviation already in place. At the moment it just ignores 
anything below an unreachable ASSERT_UNREACHABLE(), no matter what that 
macro will expand to.
Jan Beulich Aug. 16, 2023, 11:23 a.m. UTC | #8 
On 16.08.2023 12:47, Nicola Vetrini wrote:
> On 16/08/2023 12:31, Jan Beulich wrote:
>> On 16.08.2023 12:01, Nicola Vetrini wrote:
>>> On 08/08/2023 11:03, Nicola Vetrini wrote:
>>>> On 04/08/2023 08:42, Jan Beulich wrote:
>>>>> On 04.08.2023 01:50, Stefano Stabellini wrote:
>>>>>> On Thu, 3 Aug 2023, Jan Beulich wrote:
>>>>>>> On 02.08.2023 16:38, Nicola Vetrini wrote:
>>>>>>>> Rule 2.1 states: "A project shall not contain unreachable code".
>>>>>>>>
>>>>>>>> The functions
>>>>>>>> - machine_halt
>>>>>>>> - maybe_reboot
>>>>>>>> - machine_restart
>>>>>>>> are not supposed to return, hence the following break statement
>>>>>>>> is marked as intentionally unreachable with the
>>>>>>>> ASSERT_UNREACHABLE()
>>>>>>>> macro to justify the violation of the rule.
>>>>>>>
>>>>>>> During the discussion it was mentioned that this won't help with
>>>>>>> release builds, where right now ASSERT_UNREACHABLE() expands to
>>>>>>> effectively nothing. You want to clarify here how release builds
>>>>>>> are to be taken care of, as those are what eventual certification
>>>>>>> will be run against.
>>>>>>
>>>>>> Something along these lines:
>>>>>>
>>>>>> ASSERT_UNREACHABLE(), not only is used in non-release builds to
>>>>>> actually
>>>>>> assert and detect errors, but it is also used as a marker to tag
>>>>>> unreachable code. In release builds ASSERT_UNREACHABLE() doesn't
>>>>>> resolve
>>>>>> into an assert, but retains its role of a code marker.
>>>>>>
>>>>>> Does it work?
>>>>>
>>>>> Well, it states what is happening, but I'm not convinced it 
>>>>> satisfies
>>>>> rule 2.1. There's then still code there which isn't reachable, and
>>>>> which a scanner will spot and report.
>>>>
>>>> It's not clear to me whether you dislike the patch itself or the 
>>>> commit
>>>> message. If it's the latter, how about:
>>>> "ASSERT_UNREACHABLE() is used as a marker for intentionally
>>>> unreachable code, which
>>>> constitutes a motivated deviation from Rule 2.1. Additionally, in
>>>> non-release
>>>> builds, this macro performs a failing assertion to detect errors."
>>>
>>> Any feedback on this (with one edit: s/a failing assertion/an
>>> assertion/)
>>
>> The patch here is kind of okay, but I'm afraid I view my earlier 
>> question
>> as not addressed: How will the proposed change prevent the scanner from
>> spotting issues here in release builds? Just stating in the description
>> that there's a deviation is not going to help that.
> 
> There is a deviation already in place. At the moment it just ignores 
> anything below an unreachable ASSERT_UNREACHABLE(), no matter what that 
> macro will expand to.

What do you mean by "in place"? docs/misra/ has nothing, afaics. And
automation/eclair_analysis/ECLAIR/deviations.ecl is merely filtering
things out of reports, aiui. (Plus of course there should be a single
central place where all deviations are recorded, imo.)

Jan
Nicola Vetrini Aug. 16, 2023, 1:43 p.m. UTC | #9 
On 16/08/2023 13:23, Jan Beulich wrote:
> On 16.08.2023 12:47, Nicola Vetrini wrote:
>> On 16/08/2023 12:31, Jan Beulich wrote:
>>> On 16.08.2023 12:01, Nicola Vetrini wrote:
>>>> On 08/08/2023 11:03, Nicola Vetrini wrote:
>>>>> On 04/08/2023 08:42, Jan Beulich wrote:
>>>>>> On 04.08.2023 01:50, Stefano Stabellini wrote:
>>>>>>> On Thu, 3 Aug 2023, Jan Beulich wrote:
>>>>>>>> On 02.08.2023 16:38, Nicola Vetrini wrote:
>>>>>>>>> Rule 2.1 states: "A project shall not contain unreachable 
>>>>>>>>> code".
>>>>>>>>> 
>>>>>>>>> The functions
>>>>>>>>> - machine_halt
>>>>>>>>> - maybe_reboot
>>>>>>>>> - machine_restart
>>>>>>>>> are not supposed to return, hence the following break statement
>>>>>>>>> is marked as intentionally unreachable with the
>>>>>>>>> ASSERT_UNREACHABLE()
>>>>>>>>> macro to justify the violation of the rule.
>>>>>>>> 
>>>>>>>> During the discussion it was mentioned that this won't help with
>>>>>>>> release builds, where right now ASSERT_UNREACHABLE() expands to
>>>>>>>> effectively nothing. You want to clarify here how release builds
>>>>>>>> are to be taken care of, as those are what eventual 
>>>>>>>> certification
>>>>>>>> will be run against.
>>>>>>> 
>>>>>>> Something along these lines:
>>>>>>> 
>>>>>>> ASSERT_UNREACHABLE(), not only is used in non-release builds to
>>>>>>> actually
>>>>>>> assert and detect errors, but it is also used as a marker to tag
>>>>>>> unreachable code. In release builds ASSERT_UNREACHABLE() doesn't
>>>>>>> resolve
>>>>>>> into an assert, but retains its role of a code marker.
>>>>>>> 
>>>>>>> Does it work?
>>>>>> 
>>>>>> Well, it states what is happening, but I'm not convinced it
>>>>>> satisfies
>>>>>> rule 2.1. There's then still code there which isn't reachable, and
>>>>>> which a scanner will spot and report.
>>>>> 
>>>>> It's not clear to me whether you dislike the patch itself or the
>>>>> commit
>>>>> message. If it's the latter, how about:
>>>>> "ASSERT_UNREACHABLE() is used as a marker for intentionally
>>>>> unreachable code, which
>>>>> constitutes a motivated deviation from Rule 2.1. Additionally, in
>>>>> non-release
>>>>> builds, this macro performs a failing assertion to detect errors."
>>>> 
>>>> Any feedback on this (with one edit: s/a failing assertion/an
>>>> assertion/)
>>> 
>>> The patch here is kind of okay, but I'm afraid I view my earlier
>>> question
>>> as not addressed: How will the proposed change prevent the scanner 
>>> from
>>> spotting issues here in release builds? Just stating in the 
>>> description
>>> that there's a deviation is not going to help that.
>> 
>> There is a deviation already in place. At the moment it just ignores
>> anything below an unreachable ASSERT_UNREACHABLE(), no matter what 
>> that
>> macro will expand to.
> 
> What do you mean by "in place"? docs/misra/ has nothing, afaics. And
> automation/eclair_analysis/ECLAIR/deviations.ecl is merely filtering
> things out of reports, aiui. (Plus of course there should be a single
> central place where all deviations are recorded, imo.)

The second statement is not quite correct, as some of the configurations 
instruct the
checker how to behave.
Jan Beulich Aug. 16, 2023, 3 p.m. UTC | #10 
On 16.08.2023 15:43, Nicola Vetrini wrote:
> On 16/08/2023 13:23, Jan Beulich wrote:
>> On 16.08.2023 12:47, Nicola Vetrini wrote:
>>> On 16/08/2023 12:31, Jan Beulich wrote:
>>>> On 16.08.2023 12:01, Nicola Vetrini wrote:
>>>>> On 08/08/2023 11:03, Nicola Vetrini wrote:
>>>>>> On 04/08/2023 08:42, Jan Beulich wrote:
>>>>>>> On 04.08.2023 01:50, Stefano Stabellini wrote:
>>>>>>>> On Thu, 3 Aug 2023, Jan Beulich wrote:
>>>>>>>>> On 02.08.2023 16:38, Nicola Vetrini wrote:
>>>>>>>>>> Rule 2.1 states: "A project shall not contain unreachable 
>>>>>>>>>> code".
>>>>>>>>>>
>>>>>>>>>> The functions
>>>>>>>>>> - machine_halt
>>>>>>>>>> - maybe_reboot
>>>>>>>>>> - machine_restart
>>>>>>>>>> are not supposed to return, hence the following break statement
>>>>>>>>>> is marked as intentionally unreachable with the
>>>>>>>>>> ASSERT_UNREACHABLE()
>>>>>>>>>> macro to justify the violation of the rule.
>>>>>>>>>
>>>>>>>>> During the discussion it was mentioned that this won't help with
>>>>>>>>> release builds, where right now ASSERT_UNREACHABLE() expands to
>>>>>>>>> effectively nothing. You want to clarify here how release builds
>>>>>>>>> are to be taken care of, as those are what eventual 
>>>>>>>>> certification
>>>>>>>>> will be run against.
>>>>>>>>
>>>>>>>> Something along these lines:
>>>>>>>>
>>>>>>>> ASSERT_UNREACHABLE(), not only is used in non-release builds to
>>>>>>>> actually
>>>>>>>> assert and detect errors, but it is also used as a marker to tag
>>>>>>>> unreachable code. In release builds ASSERT_UNREACHABLE() doesn't
>>>>>>>> resolve
>>>>>>>> into an assert, but retains its role of a code marker.
>>>>>>>>
>>>>>>>> Does it work?
>>>>>>>
>>>>>>> Well, it states what is happening, but I'm not convinced it
>>>>>>> satisfies
>>>>>>> rule 2.1. There's then still code there which isn't reachable, and
>>>>>>> which a scanner will spot and report.
>>>>>>
>>>>>> It's not clear to me whether you dislike the patch itself or the
>>>>>> commit
>>>>>> message. If it's the latter, how about:
>>>>>> "ASSERT_UNREACHABLE() is used as a marker for intentionally
>>>>>> unreachable code, which
>>>>>> constitutes a motivated deviation from Rule 2.1. Additionally, in
>>>>>> non-release
>>>>>> builds, this macro performs a failing assertion to detect errors."
>>>>>
>>>>> Any feedback on this (with one edit: s/a failing assertion/an
>>>>> assertion/)
>>>>
>>>> The patch here is kind of okay, but I'm afraid I view my earlier
>>>> question
>>>> as not addressed: How will the proposed change prevent the scanner 
>>>> from
>>>> spotting issues here in release builds? Just stating in the 
>>>> description
>>>> that there's a deviation is not going to help that.
>>>
>>> There is a deviation already in place. At the moment it just ignores
>>> anything below an unreachable ASSERT_UNREACHABLE(), no matter what 
>>> that
>>> macro will expand to.
>>
>> What do you mean by "in place"? docs/misra/ has nothing, afaics. And
>> automation/eclair_analysis/ECLAIR/deviations.ecl is merely filtering
>> things out of reports, aiui. (Plus of course there should be a single
>> central place where all deviations are recorded, imo.)
> 
> The second statement is not quite correct, as some of the configurations 
> instruct the
> checker how to behave.

Well, I was referring to the one setting relevant here, and I added "aiui"
to indicate that I may be misreading what that file specifies.

Jan
Stefano Stabellini Aug. 16, 2023, 7:28 p.m. UTC | #11 
On Wed, 16 Aug 2023, Jan Beulich wrote:
> On 16.08.2023 12:47, Nicola Vetrini wrote:
> > On 16/08/2023 12:31, Jan Beulich wrote:
> >> On 16.08.2023 12:01, Nicola Vetrini wrote:
> >>> On 08/08/2023 11:03, Nicola Vetrini wrote:
> >>>> On 04/08/2023 08:42, Jan Beulich wrote:
> >>>>> On 04.08.2023 01:50, Stefano Stabellini wrote:
> >>>>>> On Thu, 3 Aug 2023, Jan Beulich wrote:
> >>>>>>> On 02.08.2023 16:38, Nicola Vetrini wrote:
> >>>>>>>> Rule 2.1 states: "A project shall not contain unreachable code".
> >>>>>>>>
> >>>>>>>> The functions
> >>>>>>>> - machine_halt
> >>>>>>>> - maybe_reboot
> >>>>>>>> - machine_restart
> >>>>>>>> are not supposed to return, hence the following break statement
> >>>>>>>> is marked as intentionally unreachable with the
> >>>>>>>> ASSERT_UNREACHABLE()
> >>>>>>>> macro to justify the violation of the rule.
> >>>>>>>
> >>>>>>> During the discussion it was mentioned that this won't help with
> >>>>>>> release builds, where right now ASSERT_UNREACHABLE() expands to
> >>>>>>> effectively nothing. You want to clarify here how release builds
> >>>>>>> are to be taken care of, as those are what eventual certification
> >>>>>>> will be run against.
> >>>>>>
> >>>>>> Something along these lines:
> >>>>>>
> >>>>>> ASSERT_UNREACHABLE(), not only is used in non-release builds to
> >>>>>> actually
> >>>>>> assert and detect errors, but it is also used as a marker to tag
> >>>>>> unreachable code. In release builds ASSERT_UNREACHABLE() doesn't
> >>>>>> resolve
> >>>>>> into an assert, but retains its role of a code marker.
> >>>>>>
> >>>>>> Does it work?
> >>>>>
> >>>>> Well, it states what is happening, but I'm not convinced it 
> >>>>> satisfies
> >>>>> rule 2.1. There's then still code there which isn't reachable, and
> >>>>> which a scanner will spot and report.
> >>>>
> >>>> It's not clear to me whether you dislike the patch itself or the 
> >>>> commit
> >>>> message. If it's the latter, how about:
> >>>> "ASSERT_UNREACHABLE() is used as a marker for intentionally
> >>>> unreachable code, which
> >>>> constitutes a motivated deviation from Rule 2.1. Additionally, in
> >>>> non-release
> >>>> builds, this macro performs a failing assertion to detect errors."
> >>>
> >>> Any feedback on this (with one edit: s/a failing assertion/an
> >>> assertion/)
> >>
> >> The patch here is kind of okay, but I'm afraid I view my earlier 
> >> question
> >> as not addressed: How will the proposed change prevent the scanner from
> >> spotting issues here in release builds? Just stating in the description
> >> that there's a deviation is not going to help that.
> > 
> > There is a deviation already in place. At the moment it just ignores 
> > anything below an unreachable ASSERT_UNREACHABLE(), no matter what that 
> > macro will expand to.
> 
> What do you mean by "in place"? docs/misra/ has nothing, afaics. And
> automation/eclair_analysis/ECLAIR/deviations.ecl is merely filtering
> things out of reports, aiui. (Plus of course there should be a single
> central place where all deviations are recorded, imo.)

Jan has a point: I think we should record all our deviations and unique
ways to interpret the rules under docs/misra. And the Eclair
configuration should reflect that. It is not a good idea to only keep
the information in the Eclair config because, even if it is now upstream
in xen.git, it is still a tool-specific configuration file -- it is not
a proper document. MISRA C and its interpretation is important enough
that we should have a plain English document to cover it (which now is
docs/misra/rules.rst).

Nicola, I volunteer to send patches to make any necessary updates to
docs/misra/rules.rst and other docs. Please send out to me a list of
deviations/configurations and I'll make sure to reflect them under
docs/misra so that they are in sync.

Cheers,

Stefano
Nicola Vetrini Aug. 18, 2023, 12:57 p.m. UTC | #12 
> Jan has a point: I think we should record all our deviations and unique
> ways to interpret the rules under docs/misra. And the Eclair
> configuration should reflect that. It is not a good idea to only keep
> the information in the Eclair config because, even if it is now 
> upstream
> in xen.git, it is still a tool-specific configuration file -- it is not
> a proper document. MISRA C and its interpretation is important enough
> that we should have a plain English document to cover it (which now is
> docs/misra/rules.rst).
> 
> Nicola, I volunteer to send patches to make any necessary updates to
> docs/misra/rules.rst and other docs. Please send out to me a list of
> deviations/configurations and I'll make sure to reflect them under
> docs/misra so that they are in sync.
> 
> Cheers,
> 
> Stefano

Sure, I'll let you know when I have it.
Thanks,
diff mbox series

Patch

diff --git a/xen/common/shutdown.c b/xen/common/shutdown.c
index a933ee001e..88f735a30e 100644
--- a/xen/common/shutdown.c
+++ b/xen/common/shutdown.c
@@ -38,39 +38,45 @@  void hwdom_shutdown(u8 reason)
         printk("Hardware Dom%u halted: halting machine\n",
                hardware_domain->domain_id);
         machine_halt();
-        break; /* not reached */
+        ASSERT_UNREACHABLE();
+        break;
 
     case SHUTDOWN_crash:
         debugger_trap_immediate();
         printk("Hardware Dom%u crashed: ", hardware_domain->domain_id);
         kexec_crash(CRASHREASON_HWDOM);
         maybe_reboot();
-        break; /* not reached */
+        ASSERT_UNREACHABLE();
+        break;
 
     case SHUTDOWN_reboot:
         printk("Hardware Dom%u shutdown: rebooting machine\n",
                hardware_domain->domain_id);
         machine_restart(0);
-        break; /* not reached */
+        ASSERT_UNREACHABLE();
+        break;
 
     case SHUTDOWN_watchdog:
         printk("Hardware Dom%u shutdown: watchdog rebooting machine\n",
                hardware_domain->domain_id);
         kexec_crash(CRASHREASON_WATCHDOG);
         machine_restart(0);
-        break; /* not reached */
+        ASSERT_UNREACHABLE();
+        break;
 
     case SHUTDOWN_soft_reset:
         printk("Hardware domain %d did unsupported soft reset, rebooting.\n",
                hardware_domain->domain_id);
         machine_restart(0);
-        break; /* not reached */
+        ASSERT_UNREACHABLE();
+        break;
 
     default:
         printk("Hardware Dom%u shutdown (unknown reason %u): ",
                hardware_domain->domain_id, reason);
         maybe_reboot();
-        break; /* not reached */
+        ASSERT_UNREACHABLE();
+        break;
     }
 }