From: Andrew Cooper <andrew.cooper3@citrix.com>
To: Jan Beulich <jbeulich@suse.com>,
Simone Ballarin <simone.ballarin@bugseng.com>
Cc: consulting@bugseng.com, sstabellini@kernel.org,
George Dunlap <george.dunlap@citrix.com>,
Julien Grall <julien@xen.org>, Wei Liu <wl@xen.org>,
xen-devel@lists.xenproject.org
Subject: Re: [XEN PATCH 3/4] xen/include: add pure and const attributes
Date: Mon, 23 Oct 2023 14:51:14 +0100 [thread overview]
Message-ID: <7b28331d-b1d6-4c6b-b299-34de9ba65e0d@citrix.com> (raw)
In-Reply-To: <89778285-5cba-8fb5-70bc-710b6dd30a10@suse.com>
[-- Attachment #1: Type: text/plain, Size: 1869 bytes --]
On 23/10/2023 2:34 pm, Jan Beulich wrote:
> On 18.10.2023 16:18, Simone Ballarin wrote:
>> --- a/xen/include/xen/pdx.h
>> +++ b/xen/include/xen/pdx.h
>> @@ -164,7 +164,7 @@ static inline unsigned long pfn_to_pdx(unsigned long pfn)
>> * @param pdx Page index
>> * @return Obtained pfn after decompressing the pdx
>> */
>> -static inline unsigned long pdx_to_pfn(unsigned long pdx)
>> +static inline __attribute_pure__ unsigned long pdx_to_pfn(unsigned long pdx)
>> {
>> return (pdx & pfn_pdx_bottom_mask) |
>> ((pdx << pfn_pdx_hole_shift) & pfn_top_mask);
> Taking this as an example for what I've said above: The compiler can't
> know that the globals used by the functions won't change value. Even
> within Xen it is only by convention that these variables are assigned
> their values during boot, and then aren't changed anymore. Which makes
> me wonder: Did you check carefully that around the time the variables
> have their values established, no calls to the functions exist (which
> might then be subject to folding)?
I was actually going to point this out, but hadn't found the words.
pdx_to_pfn() is not pure. It violates the requirements for being
declared pure, in a way that the compiler can see.
Right now, this will cause GCC to ignore the attribute, but who's to say
that future GCCs don't start emitting a diagnostic (in which case we'd
have to delete them to make them compile), or start honouring them (at
which point this logic will start to malfunction around the boot time
modification to the masks).
It is undefined behaviour to intentionally lie to the compiler using
attributes. This is intentionally introducing undefined behaviour to
placate Eclair.
So why are we bending over backwards to remove UB in other areas, but
deliberately introducing here? How does that conform with the spirit of
MISRA?
~Andrew
[-- Attachment #2: Type: text/html, Size: 2526 bytes --]
next prev parent reply other threads:[~2023-10-23 13:51 UTC|newest]
Thread overview: 47+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-10-18 14:18 [XEN PATCH 0/4][for-4.19] xen: address violations of Rule 13.1 Simone Ballarin
2023-10-18 14:18 ` [XEN PATCH 1/4] xen/arm: address violations of MISRA C:2012 " Simone Ballarin
2023-10-18 15:03 ` Julien Grall
2023-10-19 1:01 ` Stefano Stabellini
2023-10-19 7:34 ` Simone Ballarin
2023-10-19 8:19 ` Julien Grall
2023-10-19 8:43 ` Simone Ballarin
2023-10-19 10:11 ` Julien Grall
2023-10-19 11:10 ` Simone Ballarin
2023-10-19 12:30 ` Julien Grall
2023-10-19 13:24 ` Simone Ballarin
2023-10-19 18:30 ` Stefano Stabellini
2023-10-20 8:28 ` Julien Grall
2023-10-23 15:10 ` Simone Ballarin
2023-10-18 14:18 ` [XEN PATCH 2/4] automation/eclair: add deviations and call properties Simone Ballarin
2023-10-19 0:57 ` Stefano Stabellini
2023-10-19 7:44 ` Simone Ballarin
2023-10-19 8:26 ` Julien Grall
2023-10-19 9:04 ` Simone Ballarin
2023-10-18 14:18 ` [XEN PATCH 3/4] xen/include: add pure and const attributes Simone Ballarin
2023-10-19 1:02 ` Stefano Stabellini
2023-10-19 9:07 ` Simone Ballarin
2023-10-23 13:34 ` Jan Beulich
2023-10-23 13:51 ` Andrew Cooper [this message]
2023-10-23 14:09 ` Jan Beulich
2023-10-23 15:23 ` Simone Ballarin
2023-10-23 15:33 ` Jan Beulich
2023-10-23 22:05 ` Stefano Stabellini
2023-10-23 22:12 ` Stefano Stabellini
2023-10-24 6:24 ` Jan Beulich
2024-02-23 1:32 ` Stefano Stabellini
2024-02-23 7:36 ` Jan Beulich
2024-02-23 22:36 ` Stefano Stabellini
2024-02-26 7:33 ` Jan Beulich
2024-02-26 23:48 ` Stefano Stabellini
2024-02-27 7:23 ` Jan Beulich
2024-02-28 2:14 ` Stefano Stabellini
2023-10-18 14:18 ` [XEN PATCH 4/4] xen: address violations of MISRA C:2012 Rule 13.1 Simone Ballarin
2023-10-19 1:06 ` Stefano Stabellini
2023-10-19 9:18 ` Simone Ballarin
2023-10-19 18:35 ` Stefano Stabellini
2023-10-19 9:35 ` Jan Beulich
2023-10-19 11:12 ` Simone Ballarin
2023-10-19 11:19 ` Jan Beulich
2023-10-19 13:36 ` Simone Ballarin
2023-10-19 18:35 ` Stefano Stabellini
2023-10-23 14:03 ` Jan Beulich
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=7b28331d-b1d6-4c6b-b299-34de9ba65e0d@citrix.com \
--to=andrew.cooper3@citrix.com \
--cc=consulting@bugseng.com \
--cc=george.dunlap@citrix.com \
--cc=jbeulich@suse.com \
--cc=julien@xen.org \
--cc=simone.ballarin@bugseng.com \
--cc=sstabellini@kernel.org \
--cc=wl@xen.org \
--cc=xen-devel@lists.xenproject.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.