Re: [PATCH] radix-tree: don't left-shift negative values

[Nicola Vetrini <nicola.vetrini@xxxxxxxxxxx>]

On 2025-02-13 15:22, Jan Beulich wrote:
> Any (signed) integer is okay to pass into radix_tree_int_to_ptr(), yet
> left shifting negative values is UB. Use an unsigned intermediate type,
> reducing the impact to implementation defined behavior (for the
> unsigned->signed conversion).
>
> Also please Misra C:2012 rule 7.3 by dropping the lower case numeric 
> 'l'
> tag.
>
> No difference in generated code, at least on x86.
>
> Fixes: b004883e29bb ("Simplify and build-fix (for some gcc versions) 
> radix_tree_int_to_ptr()")
> Reported-by: Teddy Astie <teddy.astie@xxxxxxxxxx>
> Signed-off-by: Jan Beulich <jbeulich@xxxxxxxx>
> ---
> Bugseng: Why was the 7.3 violation not spotted by Eclair? According to
>          tagging.ecl the codebase is clean for this rule, aiui.
radix-tree.{c,h} is out of scope:

automation/eclair_analysis/ECLAIR/out_of_scope.ecl:32:-file_tag+={out_of_scope,"^xen/include/xen/radix-tree\\.h$"}
docs/misra/exclude-list.json:153:            "rel_path": 
"common/radix-tree.c",
We are in the process of setting up a wider analysis (i.e. with a 
different exclusion set) with a broader configuration that may catch 
these issues.
> --- a/xen/include/xen/radix-tree.h
> +++ b/xen/include/xen/radix-tree.h
> @@ -172,7 +172,7 @@ static inline void radix_tree_replace_sl
>   */
>  static inline void *radix_tree_int_to_ptr(int val)
>  {
> -    long _ptr = ((long)val << 2) | 0x2l;
> +    long _ptr = ((unsigned long)val << 2) | 2;
>      ASSERT((_ptr >> 2) == val);
>      return (void *)_ptr;
>  }
--
Nicola Vetrini, B.Sc.
Software Engineer
BUGSENG (https://bugseng.com)
LinkedIn: https://www.linkedin.com/in/nicola-vetrini-a42471253