[XEN,09/13] xen/common: address violations of MISRA C:2012 Directive 4.10

Commit Message

Simone Ballarin Aug. 28, 2023, 1:20 p.m. UTC

Add inclusion guards to address violations of
MISRA C:2012 Directive 4.10 ("Precautions shall be taken in order
to prevent the contents of a header file being included more than
once").

Also C files, if included somewhere, need to comply with the guideline.

Mechanical change.

Signed-off-by: Simone Ballarin <simone.ballarin@bugseng.com>
---
 xen/common/compat/grant_table.c | 7 +++++++
 xen/common/coverage/gcc_4_7.c   | 5 +++++
 xen/common/decompress.h         | 5 +++++
 xen/common/event_channel.h      | 5 +++++
 xen/common/multicall.c          | 5 +++++
 5 files changed, 27 insertions(+)

Comments

Stefano Stabellini Aug. 28, 2023, 10:41 p.m. UTC | #1

On Mon, 28 Aug 2023, Simone Ballarin wrote:
> Add inclusion guards to address violations of
> MISRA C:2012 Directive 4.10 ("Precautions shall be taken in order
> to prevent the contents of a header file being included more than
> once").
> 
> Also C files, if included somewhere, need to comply with the guideline.
> 
> Mechanical change.
> 
> Signed-off-by: Simone Ballarin <simone.ballarin@bugseng.com>

Reviewed-by: Stefano Stabellini <sstabellini@kernel.org>


> ---
>  xen/common/compat/grant_table.c | 7 +++++++
>  xen/common/coverage/gcc_4_7.c   | 5 +++++
>  xen/common/decompress.h         | 5 +++++
>  xen/common/event_channel.h      | 5 +++++
>  xen/common/multicall.c          | 5 +++++
>  5 files changed, 27 insertions(+)
> 
> diff --git a/xen/common/compat/grant_table.c b/xen/common/compat/grant_table.c
> index f8177c84c0..614ad71a59 100644
> --- a/xen/common/compat/grant_table.c
> +++ b/xen/common/compat/grant_table.c
> @@ -3,6 +3,10 @@
>   *
>   */
>  
> +
> +#ifndef __COMMON_COMPAT_GRANT_TABLE_C__
> +#define __COMMON_COMPAT_GRANT_TABLE_C__
> +
>  #include <xen/hypercall.h>
>  #include <compat/grant_table.h>
>  
> @@ -331,6 +335,9 @@ int compat_grant_table_op(
>      return rc;
>  }
>  
> +
> +#endif /* __COMMON_COMPAT_GRANT_TABLE_C__ */
> +
>  /*
>   * Local variables:
>   * mode: C
> diff --git a/xen/common/coverage/gcc_4_7.c b/xen/common/coverage/gcc_4_7.c
> index 25b4a8bcdc..12e4ec8cbb 100644
> --- a/xen/common/coverage/gcc_4_7.c
> +++ b/xen/common/coverage/gcc_4_7.c
> @@ -14,6 +14,9 @@
>   *    Wei Liu <wei.liu2@citrix.com>
>   */
>  
> +#ifndef __COMMON_COVERAGE_GCC_4_7_C__
> +#define __COMMON_COVERAGE_GCC_4_7_C__
> +
>  #include <xen/string.h>
>  
>  #include "gcov.h"
> @@ -193,6 +196,8 @@ size_t gcov_info_to_gcda(char *buffer, const struct gcov_info *info)
>      return pos;
>  }
>  
> +#endif /* __COMMON_COVERAGE_GCC_4_7_C__ */
> +
>  /*
>   * Local variables:
>   * mode: C
> diff --git a/xen/common/decompress.h b/xen/common/decompress.h
> index e8195b353a..da3c3abb6a 100644
> --- a/xen/common/decompress.h
> +++ b/xen/common/decompress.h
> @@ -1,3 +1,6 @@
> +#ifndef __COMMON_DECOMPRESS_H__
> +#define __COMMON_DECOMPRESS_H__
> +
>  #ifdef __XEN__
>  
>  #include <xen/cache.h>
> @@ -23,3 +26,5 @@
>  #define large_free free
>  
>  #endif
> +
> +#endif /* __COMMON_DECOMPRESS_H__ */
> diff --git a/xen/common/event_channel.h b/xen/common/event_channel.h
> index 45219ca67c..040bad77f9 100644
> --- a/xen/common/event_channel.h
> +++ b/xen/common/event_channel.h
> @@ -1,5 +1,8 @@
>  /* Event channel handling private header. */
>  
> +#ifndef __COMMON_EVENT_CHANNEL_H__
> +#define __COMMON_EVENT_CHANNEL_H__
> +
>  #include <xen/event.h>
>  
>  static inline unsigned int max_evtchns(const struct domain *d)
> @@ -52,6 +55,8 @@ int evtchn_fifo_init_control(struct evtchn_init_control *init_control);
>  int evtchn_fifo_expand_array(const struct evtchn_expand_array *expand_array);
>  void evtchn_fifo_destroy(struct domain *d);
>  
> +#endif /* __COMMON_EVENT_CHANNEL_H__ */
> +
>  /*
>   * Local variables:
>   * mode: C
> diff --git a/xen/common/multicall.c b/xen/common/multicall.c
> index 1f0cc4cb26..421bb25b70 100644
> --- a/xen/common/multicall.c
> +++ b/xen/common/multicall.c
> @@ -2,6 +2,9 @@
>   * multicall.c
>   */
>  
> +#ifndef __COMMON_MULTICALL_C__
> +#define __COMMON_MULTICALL_C__
> +
>  #include <xen/types.h>
>  #include <xen/lib.h>
>  #include <xen/mm.h>
> @@ -124,6 +127,8 @@ ret_t do_multicall(
>          __HYPERVISOR_multicall, "hi", call_list, nr_calls-i);
>  }
>  
> +#endif /* __COMMON_MULTICALL_C__ */
> +
>  /*
>   * Local variables:
>   * mode: C
> -- 
> 2.34.1
>

Jan Beulich Aug. 29, 2023, 6:50 a.m. UTC | #2

On 28.08.2023 15:20, Simone Ballarin wrote:
> Add inclusion guards to address violations of
> MISRA C:2012 Directive 4.10 ("Precautions shall be taken in order
> to prevent the contents of a header file being included more than
> once").
> 
> Also C files, if included somewhere, need to comply with the guideline.
> 
> Mechanical change.
> 
> Signed-off-by: Simone Ballarin <simone.ballarin@bugseng.com>
> ---
>  xen/common/compat/grant_table.c | 7 +++++++
>  xen/common/coverage/gcc_4_7.c   | 5 +++++
>  xen/common/decompress.h         | 5 +++++
>  xen/common/event_channel.h      | 5 +++++
>  xen/common/multicall.c          | 5 +++++
>  5 files changed, 27 insertions(+)

As already said in reply to another patch, imo .c files shouldn't gain such
guards. These are commonly referred to as "header guards" for a reason.

> --- a/xen/common/compat/grant_table.c
> +++ b/xen/common/compat/grant_table.c
> @@ -3,6 +3,10 @@
>   *
>   */
>  
> +

Nit: No double blank lines please.

> +#ifndef __COMMON_COMPAT_GRANT_TABLE_C__
> +#define __COMMON_COMPAT_GRANT_TABLE_C__
> +
>  #include <xen/hypercall.h>
>  #include <compat/grant_table.h>
>  
> @@ -331,6 +335,9 @@ int compat_grant_table_op(
>      return rc;
>  }
>  
> +

Again here (at least).

Jan

Simone Ballarin Aug. 31, 2023, 10:08 a.m. UTC | #3

On 29/08/23 08:50, Jan Beulich wrote:
> On 28.08.2023 15:20, Simone Ballarin wrote:
>> Add inclusion guards to address violations of
>> MISRA C:2012 Directive 4.10 ("Precautions shall be taken in order
>> to prevent the contents of a header file being included more than
>> once").
>>
>> Also C files, if included somewhere, need to comply with the guideline.
>>
>> Mechanical change.
>>
>> Signed-off-by: Simone Ballarin <simone.ballarin@bugseng.com>
>> ---
>>   xen/common/compat/grant_table.c | 7 +++++++
>>   xen/common/coverage/gcc_4_7.c   | 5 +++++
>>   xen/common/decompress.h         | 5 +++++
>>   xen/common/event_channel.h      | 5 +++++
>>   xen/common/multicall.c          | 5 +++++
>>   5 files changed, 27 insertions(+)
> 
> As already said in reply to another patch, imo .c files shouldn't gain such
> guards. These are commonly referred to as "header guards" for a reason.
> 

This is the MISRA's definition of "header file" (MISRA C:2012 Revision 
1, Appendix J):

   "A header file is any file that is the subject of a #include
    directive.
    Note: the filename extension is not significant."

So, the guards are required if we want to comply with the directive, 
otherwise we can raise a deviation.

The danger of multi-inclusion also exists for .c files, why do you want 
to avoid guards for them?

>> --- a/xen/common/compat/grant_table.c
>> +++ b/xen/common/compat/grant_table.c
>> @@ -3,6 +3,10 @@
>>    *
>>    */
>>   
>> +
> 
> Nit: No double blank lines please.
> 
>> +#ifndef __COMMON_COMPAT_GRANT_TABLE_C__
>> +#define __COMMON_COMPAT_GRANT_TABLE_C__
>> +
>>   #include <xen/hypercall.h>
>>   #include <compat/grant_table.h>
>>   
>> @@ -331,6 +335,9 @@ int compat_grant_table_op(
>>       return rc;
>>   }
>>   
>> +
> 
> Again here (at least).
> 
> Jan

Jan Beulich Aug. 31, 2023, 11:10 a.m. UTC | #4

On 31.08.2023 12:08, Simone Ballarin wrote:
> On 29/08/23 08:50, Jan Beulich wrote:
>> On 28.08.2023 15:20, Simone Ballarin wrote:
>>> Add inclusion guards to address violations of
>>> MISRA C:2012 Directive 4.10 ("Precautions shall be taken in order
>>> to prevent the contents of a header file being included more than
>>> once").
>>>
>>> Also C files, if included somewhere, need to comply with the guideline.
>>>
>>> Mechanical change.
>>>
>>> Signed-off-by: Simone Ballarin <simone.ballarin@bugseng.com>
>>> ---
>>>   xen/common/compat/grant_table.c | 7 +++++++
>>>   xen/common/coverage/gcc_4_7.c   | 5 +++++
>>>   xen/common/decompress.h         | 5 +++++
>>>   xen/common/event_channel.h      | 5 +++++
>>>   xen/common/multicall.c          | 5 +++++
>>>   5 files changed, 27 insertions(+)
>>
>> As already said in reply to another patch, imo .c files shouldn't gain such
>> guards. These are commonly referred to as "header guards" for a reason.
>>
> 
> This is the MISRA's definition of "header file" (MISRA C:2012 Revision 
> 1, Appendix J):
> 
>    "A header file is any file that is the subject of a #include
>     directive.
>     Note: the filename extension is not significant."

That's completely misleading terminology then.

> So, the guards are required if we want to comply with the directive, 
> otherwise we can raise a deviation.
> 
> The danger of multi-inclusion also exists for .c files, why do you want 
> to avoid guards for them?

Counter question: Why only add guards to some of them? (My personal
answer is "Because it's extra clutter.")

Jan

Simone Ballarin Aug. 31, 2023, 12:54 p.m. UTC | #5

On 31/08/23 13:10, Jan Beulich wrote:
> On 31.08.2023 12:08, Simone Ballarin wrote:
>> On 29/08/23 08:50, Jan Beulich wrote:
>>> On 28.08.2023 15:20, Simone Ballarin wrote:
>>>> Add inclusion guards to address violations of
>>>> MISRA C:2012 Directive 4.10 ("Precautions shall be taken in order
>>>> to prevent the contents of a header file being included more than
>>>> once").
>>>>
>>>> Also C files, if included somewhere, need to comply with the guideline.
>>>>
>>>> Mechanical change.
>>>>
>>>> Signed-off-by: Simone Ballarin <simone.ballarin@bugseng.com>
>>>> ---
>>>>    xen/common/compat/grant_table.c | 7 +++++++
>>>>    xen/common/coverage/gcc_4_7.c   | 5 +++++
>>>>    xen/common/decompress.h         | 5 +++++
>>>>    xen/common/event_channel.h      | 5 +++++
>>>>    xen/common/multicall.c          | 5 +++++
>>>>    5 files changed, 27 insertions(+)
>>>
>>> As already said in reply to another patch, imo .c files shouldn't gain such
>>> guards. These are commonly referred to as "header guards" for a reason.
>>>
>>
>> This is the MISRA's definition of "header file" (MISRA C:2012 Revision
>> 1, Appendix J):
>>
>>     "A header file is any file that is the subject of a #include
>>      directive.
>>      Note: the filename extension is not significant."
> 
> That's completely misleading terminology then.
> 

I might agree with you on this, but either way this is the definition to 
apply when reading the guideline. IMHO here, the best would be to use a 
separate extension for "C files intended to be included" (but that's not 
the point).

>> So, the guards are required if we want to comply with the directive,
>> otherwise we can raise a deviation.
>>
>> The danger of multi-inclusion also exists for .c files, why do you want
>> to avoid guards for them?
> 
> Counter question: Why only add guards to some of them? (My personal
> answer is "Because it's extra clutter.")
> 
> Jan
> 

It's not "some of them", it's exactly the ones used in an #include 
directive, so I'm not getting your objection.

By the way, if the community agrees, I can deviate all C files and
drop the changes.

Jan Beulich Aug. 31, 2023, 1:05 p.m. UTC | #6

On 31.08.2023 14:54, Simone Ballarin wrote:
> On 31/08/23 13:10, Jan Beulich wrote:
>> On 31.08.2023 12:08, Simone Ballarin wrote:
>>> The danger of multi-inclusion also exists for .c files, why do you want
>>> to avoid guards for them?
>>
>> Counter question: Why only add guards to some of them? (My personal
>> answer is "Because it's extra clutter.")
> 
> It's not "some of them", it's exactly the ones used in an #include 
> directive, so I'm not getting your objection.

My point is that by adding guards only for files we presently use in some
#include directive, we set us up for introducing new violations as soon
as another .c file becomes the subject of an #include. The more that it
is unusual to add guards in .c files, i.e. it is to be expected that
people wouldn't think about this extra Misra requirement.

Jan

Simone Ballarin Aug. 31, 2023, 1:30 p.m. UTC | #7

On 31/08/23 15:05, Jan Beulich wrote:
> On 31.08.2023 14:54, Simone Ballarin wrote:
>> On 31/08/23 13:10, Jan Beulich wrote:
>>> On 31.08.2023 12:08, Simone Ballarin wrote:
>>>> The danger of multi-inclusion also exists for .c files, why do you want
>>>> to avoid guards for them?
>>>
>>> Counter question: Why only add guards to some of them? (My personal
>>> answer is "Because it's extra clutter.")
>>
>> It's not "some of them", it's exactly the ones used in an #include
>> directive, so I'm not getting your objection.
> 
> My point is that by adding guards only for files we presently use in some
> #include directive, we set us up for introducing new violations as soon
> as another .c file becomes the subject of an #include.The more that it
> is unusual to add guards in .c files, i.e. it is to be expected that
> people wouldn't think about this extra Misra requirement.
> 
> Jan

I can agree to partially adopt the directive: I will add a deviation for 
C files in rules.txt.

Stefano Stabellini Sept. 5, 2023, 10:18 p.m. UTC | #8

On Thu, 31 Aug 2023, Simone Ballarin wrote:
> On 31/08/23 15:05, Jan Beulich wrote:
> > On 31.08.2023 14:54, Simone Ballarin wrote:
> > > On 31/08/23 13:10, Jan Beulich wrote:
> > > > On 31.08.2023 12:08, Simone Ballarin wrote:
> > > > > The danger of multi-inclusion also exists for .c files, why do you
> > > > > want
> > > > > to avoid guards for them?
> > > > 
> > > > Counter question: Why only add guards to some of them? (My personal
> > > > answer is "Because it's extra clutter.")
> > > 
> > > It's not "some of them", it's exactly the ones used in an #include
> > > directive, so I'm not getting your objection.
> > 
> > My point is that by adding guards only for files we presently use in some
> > #include directive, we set us up for introducing new violations as soon
> > as another .c file becomes the subject of an #include.The more that it
> > is unusual to add guards in .c files, i.e. it is to be expected that
> > people wouldn't think about this extra Misra requirement.
> > 
> > Jan
> 
> I can agree to partially adopt the directive: I will add a deviation for C
> files in rules.txt.

Sorry for the late reply as I was OOO. Please hold on before adding a
deviation for C files.

In general, I think including .c files is not common behavior, and
should be restricted to special cases. We could say that exactly because
they are special, they follow different rules so we can skip the guards.
Or we could say that they are still at risk of double-inclusion, hence
we should be consistent and protect them too. I think we should discuss
the topic during the next MISRA C meeting.

Jan Beulich Sept. 6, 2023, 6:28 a.m. UTC | #9

On 06.09.2023 00:18, Stefano Stabellini wrote:
> On Thu, 31 Aug 2023, Simone Ballarin wrote:
>> On 31/08/23 15:05, Jan Beulich wrote:
>>> On 31.08.2023 14:54, Simone Ballarin wrote:
>>>> On 31/08/23 13:10, Jan Beulich wrote:
>>>>> On 31.08.2023 12:08, Simone Ballarin wrote:
>>>>>> The danger of multi-inclusion also exists for .c files, why do you
>>>>>> want
>>>>>> to avoid guards for them?
>>>>>
>>>>> Counter question: Why only add guards to some of them? (My personal
>>>>> answer is "Because it's extra clutter.")
>>>>
>>>> It's not "some of them", it's exactly the ones used in an #include
>>>> directive, so I'm not getting your objection.
>>>
>>> My point is that by adding guards only for files we presently use in some
>>> #include directive, we set us up for introducing new violations as soon
>>> as another .c file becomes the subject of an #include.The more that it
>>> is unusual to add guards in .c files, i.e. it is to be expected that
>>> people wouldn't think about this extra Misra requirement.
>>
>> I can agree to partially adopt the directive: I will add a deviation for C
>> files in rules.txt.
> 
> Sorry for the late reply as I was OOO. Please hold on before adding a
> deviation for C files.
> 
> In general, I think including .c files is not common behavior, and
> should be restricted to special cases. We could say that exactly because
> they are special, they follow different rules so we can skip the guards.
> Or we could say that they are still at risk of double-inclusion, hence
> we should be consistent and protect them too. I think we should discuss
> the topic during the next MISRA C meeting.

Just one further remark right here: While including a header file a 2nd
time stands a fair chance of working (i.e. the compiler not spitting out
errors), that would be very unusual for a .c file: Every function or
data item it defines would (in the common case) be already defined.

Jan

Simone Ballarin Sept. 6, 2023, 7:35 a.m. UTC | #10

On 06/09/23 00:18, Stefano Stabellini wrote:
> On Thu, 31 Aug 2023, Simone Ballarin wrote:
>> On 31/08/23 15:05, Jan Beulich wrote:
>>> On 31.08.2023 14:54, Simone Ballarin wrote:
>>>> On 31/08/23 13:10, Jan Beulich wrote:
>>>>> On 31.08.2023 12:08, Simone Ballarin wrote:
>>>>>> The danger of multi-inclusion also exists for .c files, why do you
>>>>>> want
>>>>>> to avoid guards for them?
>>>>>
>>>>> Counter question: Why only add guards to some of them? (My personal
>>>>> answer is "Because it's extra clutter.")
>>>>
>>>> It's not "some of them", it's exactly the ones used in an #include
>>>> directive, so I'm not getting your objection.
>>>
>>> My point is that by adding guards only for files we presently use in some
>>> #include directive, we set us up for introducing new violations as soon
>>> as another .c file becomes the subject of an #include.The more that it
>>> is unusual to add guards in .c files, i.e. it is to be expected that
>>> people wouldn't think about this extra Misra requirement.
>>>
>>> Jan
>>
>> I can agree to partially adopt the directive: I will add a deviation for C
>> files in rules.txt.
> 
> Sorry for the late reply as I was OOO. Please hold on before adding a
> deviation for C files.
> 
> In general, I think including .c files is not common behavior, and
> should be restricted to special cases. We could say that exactly because
> they are special, they follow different rules so we can skip the guards.
> Or we could say that they are still at risk of double-inclusion, hence
> we should be consistent and protect them too. I think we should discuss
> the topic during the next MISRA C meeting.
> 
Ok, I will drop changes in C files without adding the deviation.

Patch

diff --git a/xen/common/compat/grant_table.c b/xen/common/compat/grant_table.c
index f8177c84c0..614ad71a59 100644
--- a/xen/common/compat/grant_table.c
+++ b/xen/common/compat/grant_table.c
@@ -3,6 +3,10 @@ 
  *
  */
 
+
+#ifndef __COMMON_COMPAT_GRANT_TABLE_C__
+#define __COMMON_COMPAT_GRANT_TABLE_C__
+
 #include <xen/hypercall.h>
 #include <compat/grant_table.h>
 
@@ -331,6 +335,9 @@  int compat_grant_table_op(
     return rc;
 }
 
+
+#endif /* __COMMON_COMPAT_GRANT_TABLE_C__ */
+
 /*
  * Local variables:
  * mode: C
diff --git a/xen/common/coverage/gcc_4_7.c b/xen/common/coverage/gcc_4_7.c
index 25b4a8bcdc..12e4ec8cbb 100644
--- a/xen/common/coverage/gcc_4_7.c
+++ b/xen/common/coverage/gcc_4_7.c
@@ -14,6 +14,9 @@ 
  *    Wei Liu <wei.liu2@citrix.com>
  */
 
+#ifndef __COMMON_COVERAGE_GCC_4_7_C__
+#define __COMMON_COVERAGE_GCC_4_7_C__
+
 #include <xen/string.h>
 
 #include "gcov.h"
@@ -193,6 +196,8 @@  size_t gcov_info_to_gcda(char *buffer, const struct gcov_info *info)
     return pos;
 }
 
+#endif /* __COMMON_COVERAGE_GCC_4_7_C__ */
+
 /*
  * Local variables:
  * mode: C
diff --git a/xen/common/decompress.h b/xen/common/decompress.h
index e8195b353a..da3c3abb6a 100644
--- a/xen/common/decompress.h
+++ b/xen/common/decompress.h
@@ -1,3 +1,6 @@ 
+#ifndef __COMMON_DECOMPRESS_H__
+#define __COMMON_DECOMPRESS_H__
+
 #ifdef __XEN__
 
 #include <xen/cache.h>
@@ -23,3 +26,5 @@ 
 #define large_free free
 
 #endif
+
+#endif /* __COMMON_DECOMPRESS_H__ */
diff --git a/xen/common/event_channel.h b/xen/common/event_channel.h
index 45219ca67c..040bad77f9 100644
--- a/xen/common/event_channel.h
+++ b/xen/common/event_channel.h
@@ -1,5 +1,8 @@ 
 /* Event channel handling private header. */
 
+#ifndef __COMMON_EVENT_CHANNEL_H__
+#define __COMMON_EVENT_CHANNEL_H__
+
 #include <xen/event.h>
 
 static inline unsigned int max_evtchns(const struct domain *d)
@@ -52,6 +55,8 @@  int evtchn_fifo_init_control(struct evtchn_init_control *init_control);
 int evtchn_fifo_expand_array(const struct evtchn_expand_array *expand_array);
 void evtchn_fifo_destroy(struct domain *d);
 
+#endif /* __COMMON_EVENT_CHANNEL_H__ */
+
 /*
  * Local variables:
  * mode: C
diff --git a/xen/common/multicall.c b/xen/common/multicall.c
index 1f0cc4cb26..421bb25b70 100644
--- a/xen/common/multicall.c
+++ b/xen/common/multicall.c
@@ -2,6 +2,9 @@ 
  * multicall.c
  */
 
+#ifndef __COMMON_MULTICALL_C__
+#define __COMMON_MULTICALL_C__
+
 #include <xen/types.h>
 #include <xen/lib.h>
 #include <xen/mm.h>
@@ -124,6 +127,8 @@  ret_t do_multicall(
         __HYPERVISOR_multicall, "hi", call_list, nr_calls-i);
 }
 
+#endif /* __COMMON_MULTICALL_C__ */
+
 /*
  * Local variables:
  * mode: C