From: Simone Ballarin <simone.ballarin@bugseng.com>
To: xen-devel@lists.xenproject.org
Cc: consulting@bugseng.com,
	Maria Celeste Cesario <maria.celeste.cesario@bugseng.com>,
	Simone Ballarin <simone.ballarin@bugseng.com>,
	Doug Goldstein <cardoe@cardoe.com>,
	Stefano Stabellini <sstabellini@kernel.org>,
	Andrew Cooper <andrew.cooper3@citrix.com>,
	George Dunlap <george.dunlap@citrix.com>,
	Jan Beulich <jbeulich@suse.com>, Julien Grall <julien@xen.org>,
	Wei Liu <wl@xen.org>
Subject: [PATCH v2 3/6] xen: add deviations for Rule 11.8
Date: Tue, 19 Dec 2023 12:05:11 +0100
Message-ID: <04cdbf21db915634acd49108edab7d6331df35eb.1702982442.git.maria.celeste.cesario@bugseng.com>
In-Reply-To: <cover.1702982442.git.maria.celeste.cesario@bugseng.com>

From: Maria Celeste Cesario <maria.celeste.cesario@bugseng.com>

The xen sources contain violations of MISRA C:2012 Rule 11.8 whose
headline states:
"A conversion shall not remove any const, volatile or _Atomic qualification
from the type pointed to by a pointer".

The macro 'container_of' violates the Rule because it casts away any
qualifier to do pointer arithmetic, but making the macro definition compliant
would add additional complexity, therefore a deviation is introduced.

Signed-off-by: Maria Celeste Cesario  <maria.celeste.cesario@bugseng.com>
Signed-off-by: Simone Ballarin  <simone.ballarin@bugseng.com>
---
Changes in v2:
- remove deviation for function ERR_CAST;

container_of: Fixing this violation would require the declaration of a new
 macro taking advantage of the return value of the ternary operator ?: :
 its return value preserves qualifiers present on both expressions, hence
 returning void* or qualified void* depending on pointer type, like in this macro:
 '#define same_constness_void_ptr(ptr) ((typeof((false ? (void*) 1 : (ptr)))) (ptr))'
 The result could then be used with a Generic to avoid the cast.
---
 automation/eclair_analysis/ECLAIR/deviations.ecl | 7 +++++++
 docs/misra/deviations.rst                        | 7 +++++++
 2 files changed, 14 insertions(+)

diff --git a/automation/eclair_analysis/ECLAIR/deviations.ecl b/automation/eclair_analysis/ECLAIR/deviations.ecl
index 683f2bbfe8..1515378ff1 100644
--- a/automation/eclair_analysis/ECLAIR/deviations.ecl
+++ b/automation/eclair_analysis/ECLAIR/deviations.ecl
@@ -292,6 +292,13 @@ constant expressions are required.\""
 # Series 11
 #
 
+-doc_begin="Violations caused by container_of are due to pointer arithmetic operations
+with the provided offset. The resulting pointer is then immediately cast back to its
+original type, which preserves the qualifier. This use is deemed safe.
+Fixing this violation would require to increase code complexity and lower readability."
+-config=MC3R1.R11.8,reports+={safe,"any_area(any_loc(any_exp(macro(^container_of$))))"}
+-doc_end
+
 -doc_begin="This construct is used to check if the type is scalar, and for this purpose the use of 0 as a null pointer constant is deliberate."
 -config=MC3R1.R11.9,reports+={deliberate, "any_area(any_loc(any_exp(macro(^__ACCESS_ONCE$))))"
 }
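Review bot: The justification added in -doc_begin says the pointer is "immediately cast back to its original type, which preserves the qualifier", while the commit message describes container_of as casting away any qualifier, and the -config line tags every report inside a container_of expansion as safe. Please state in the text what guarantees that the result carries the same qualifiers as the input pointer (for instance, that the type argument supplied by the caller is expected to be qualified like the pointer), since the safe tag rests on that condition. The last sentence would also read better as "Fixing this violation would increase code complexity and lower readability."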
diff --git a/docs/misra/deviations.rst b/docs/misra/deviations.rst
index eda3c8100c..ccf6e90e87 100644
--- a/docs/misra/deviations.rst
+++ b/docs/misra/deviations.rst
@@ -248,6 +248,13 @@ Deviations related to MISRA C:2012 Rules:
        If no bits are set, 0 is returned.
      - Tagged as `safe` for ECLAIR.
 
+   * - R11.8
+     - Violations caused by container_of are due to pointer arithmetic operations
+       with the provided offset. The resulting pointer is then immediately cast back to its
+       original type, which preserves the qualifier. This use is deemed safe.
+       Fixing this violation would require to increase code complexity and lower readability.
+     - Tagged as `safe` for ECLAIR.
+    
    * - R11.9
      - __ACCESS_ONCE uses an integer, which happens to be zero, as a
        compile time check. The typecheck uses a cast. The usage of zero or other
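Review bot: The separator line added after "Tagged as `safe` for ECLAIR." in the new R11.8 entry contains only spaces ("+    "), which introduces trailing whitespace; make it an empty line like the separator before the entry. The R11.8 text is a copy of the one added to deviations.ecl, so any rewording of "would require to increase code complexity" there should be mirrored here to keep the two descriptions identical.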
-- 
2.40.0
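
The qualifier-preserving alternative sketched in the notes of the message above, as an added example that is not part of the patch or of the Xen tree. The struct types and the names container_of_plain, container_of_q and is_const_item are assumptions made for illustration, and only const is handled.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed types for the demonstration (not Xen structures). */
struct list_node { struct list_node *next; };
struct item { int id; struct list_node node; };

/* Conventional form: the caller names the result type, so a const
 * input pointer can silently yield a non-const result. */
#define container_of_plain(ptr, type, member) \
    ((type *)((char *)(ptr) - offsetof(type, member)))

/* From the patch notes, spelled with __typeof__ and 0. (void *)1 is not
 * a null pointer constant, so ?: yields a void pointer that carries the
 * qualifiers of what ptr points to. */
#define same_constness_void_ptr(ptr) \
    ((__typeof__(0 ? (void *)1 : (ptr)))(ptr))

/* Hypothetical const-aware variant: _Generic selects the result type
 * from that void pointer. Only const is handled (no volatile/_Atomic). */
#define container_of_q(ptr, type, member)                           \
    _Generic(same_constness_void_ptr(ptr),                          \
        const void *: (const type *)((const char *)(ptr) -          \
                                     offsetof(type, member)),       \
        void *: (type *)((char *)(ptr) - offsetof(type, member)))

/* Compile-time probe: 1 when p is a pointer to const struct item. */
#define is_const_item(p) \
    _Generic((p), const struct item *: 1, struct item *: 0)

static struct item it = { .id = 7 };

int plain_keeps_const(void) {          /* const input, plain macro */
    const struct list_node *n = &it.node;
    return is_const_item(container_of_plain(n, struct item, node));
}
int q_keeps_const(void) {              /* const input, const-aware macro */
    const struct list_node *n = &it.node;
    return is_const_item(container_of_q(n, struct item, node));
}
int q_keeps_mutable(void) {            /* non-const input stays non-const */
    struct list_node *n = &it.node;
    return is_const_item(container_of_q(n, struct item, node));
}
int main(void) {
    printf("plain=%d q_const=%d q_mutable=%d\n",
           plain_keeps_const(), q_keeps_const(), q_keeps_mutable());
    return 0;
}
```

The unselected _Generic branch still contains a qualifier-dropping cast that is never evaluated, so this sketch shows the typing idea only and makes no claim about how a MISRA checker would report it.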


