[Top] [All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [PATCH] misra: add ASSERT_UNREACHABLE() in default clauses

  • To: Julien Grall <julien@xxxxxxx>, "xen-devel@xxxxxxxxxxxxxxxxxxxx" <xen-devel@xxxxxxxxxxxxxxxxxxxx>
  • From: Dmytro Prokopchuk1 <dmytro_prokopchuk1@xxxxxxxx>
  • Date: Tue, 12 Aug 2025 08:20:48 +0000
  • Accept-language: en-US, uk-UA, ru-RU
  • Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=epam.com; dmarc=pass action=none header.from=epam.com; dkim=pass header.d=epam.com; arc=none
  • Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector10001; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=6fj1dvLvEPVg5e8jFlR5BgUA5s9sJwN/DWxxqXvNOSc=; b=epoFqZ4nLpoYj7iI+c4EaUYARRFDKRUg6IPH9EinoFSKgFwj8MADEV+U4BvJvhbeSddUWm/janEwq+qqFXrHrcfPoa8dgAM/5q5MXroHJ+f+Q4EpY179ON1wN/2uu6JtCSs+rwSoJjcORxlPkdlzVHGwVkC7KJ3ll9lKD3e47dPNqvrRlnC4Qk54nByrI9sTwotCAO/Ll2DAqB+opX9EdSEW6GxduHoOZf6meNPOGGhfzodnfhJVPmUGa/F8ZKIEukDJ/f2tBX4J6EW3Z2RC0I3/2GgnoNLVIfegGqECn07Ml1WXTmXTNA4DUUgQlpamClVi5zG5Msy6cNPcbkQdHA==
  • Arc-seal: i=1; a=rsa-sha256; s=arcselector10001; d=microsoft.com; cv=none; b=t/G0ZIQoYXC0oFKAr/zaDuOxiNsUMdfnHbr/ZE32npIcdBufa/wRztqjA5zraaWxzQUxptsKQtwrPSC4miPSzy6Wy4XFVc81eaSESP981wOJOnRbmkpXXYFGKdInhQltPHsWd0catRCN623OtcJW/LStvRY2LxbTOMch2y+o/63WTdGSeNoJxA4GWzSAp2adqZw9tufFCBOOGghgu3Ogfk714/mnCmpd11UddCbSn8uMwkZQT+NXVE8n5eUALxYLAxBp3ZvI8IKex474uyHbKNuKHQQVHXgbqUsojWEc5RZLqqyibSWr2VmQ/28r8cMidlQ14maa0vM6JNvmz3h8eA==
  • Authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=epam.com;
  • Cc: Stefano Stabellini <sstabellini@xxxxxxxxxx>, Bertrand Marquis <bertrand.marquis@xxxxxxx>, Michal Orzel <michal.orzel@xxxxxxx>, Volodymyr Babchuk <Volodymyr_Babchuk@xxxxxxxx>, Andrew Cooper <andrew.cooper3@xxxxxxxxxx>, Anthony PERARD <anthony.perard@xxxxxxxxxx>, Jan Beulich <jbeulich@xxxxxxxx>, Roger Pau Monné <roger.pau@xxxxxxxxxx>
  • Delivery-date: Tue, 12 Aug 2025 08:20:56 +0000
  • List-id: Xen developer discussion <xen-devel.lists.xenproject.org>
  • Thread-index: AQHcCv7M4bE5kwDncUeSEAS4rjYqyLRd9fOAgAC4EwA=
  • Thread-topic: [PATCH] misra: add ASSERT_UNREACHABLE() in default clauses

On 8/12/25 00:21, Julien Grall wrote:
> Hi,
> 
> On 11/08/2025 21:30, Dmytro Prokopchuk1 wrote:
>> MISRA Rule 16.4: Every switch statement shall have a default label.
>> The default clause must contain either a statement or a comment
>> prior to its terminating break statement.
>>
>> However, there is a documented rule that apply to the Xen in
>> 'docs/misra/rules.rst':
>> Switch statements with integer types as controlling expression
>> should have a default label:
>>   - if the switch is expected to handle all possible cases
>>    explicitly, then a default label shall be added to handle
>>    unexpected error conditions, using BUG(), ASSERT(), WARN(),
>>    domain_crash(), or other appropriate methods;
>  > > These changes add `ASSERT_UNREACHABLE()` macro to the default 
> clause of
>> switch statements that already explicitly handle all possible cases. This
>> ensures compliance with MISRA, avoids undefined behavior in unreachable
>> paths, and helps detect errors during development.
>>
>> Signed-off-by: Dmytro Prokopchuk <dmytro_prokopchuk1@xxxxxxxx>
>> ---
>>   xen/arch/arm/decode.c      |  3 +++
>>   xen/arch/arm/guest_walk.c  |  4 ++++
>>   xen/common/grant_table.c   | 10 ++++++++--
>>   xen/drivers/char/console.c |  3 +++
>>   4 files changed, 18 insertions(+), 2 deletions(-)
>>
>> diff --git a/xen/arch/arm/decode.c b/xen/arch/arm/decode.c
>> index 2537dbebc1..cb64137b3b 100644
>> --- a/xen/arch/arm/decode.c
>> +++ b/xen/arch/arm/decode.c
>> @@ -178,6 +178,9 @@ static int decode_thumb(register_t pc, struct 
>> hsr_dabt *dabt)
>>           case 3: /* Signed byte */
>>               update_dabt(dabt, reg, 0, true);
>>               break;
>> +        default:
>> +            ASSERT_UNREACHABLE();
>> +            break;
> 
> I am not sure about this one. Can't the compiler or even ECLAIR detect 
> that the value we match "opB & 3" and the 4 different values are handled?
> 
>  >           }>

The Eclair can handle such case with enum type.
I'm not sure that we want to apply such changes.

>>           break;
>> diff --git a/xen/arch/arm/guest_walk.c b/xen/arch/arm/guest_walk.c
>> index 09fe486598..9199a29602 100644
>> --- a/xen/arch/arm/guest_walk.c
>> +++ b/xen/arch/arm/guest_walk.c
>> @@ -167,6 +167,10 @@ static bool guest_walk_sd(const struct vcpu *v,
>>               *perms |= GV2M_EXEC;
>>           break;
>> +
>> +        default:
>> +            ASSERT_UNREACHABLE();
>> +            break;
>>       }
>>       return true;
>> diff --git a/xen/common/grant_table.c b/xen/common/grant_table.c
>> index cf131c43a1..60fc47f0c8 100644
>> --- a/xen/common/grant_table.c
>> +++ b/xen/common/grant_table.c
>> @@ -330,9 +330,12 @@ shared_entry_header(struct grant_table *t, 
>> grant_ref_t ref)
>>           /* Returned values should be independent of speculative 
>> execution */
>>           block_speculation();
>>           return &shared_entry_v2(t, ref).hdr;
>> +
>> +    default:
>> +        ASSERT_UNREACHABLE();
>> +        break;
>>       }
>> -    ASSERT_UNREACHABLE();
>  >       block_speculation();>
>>       return NULL;
> 
> I know you are trying to apply the MISRA rule. But this is odd that you 
> move the ASSERT_UNREACHABLE() but then code after is still only 
> reachable from the default. In fact, this is introducing a risk if 
> someone decides to add a new case but then forgot to return a value.
> 
> By moving the two other lines, the compiler should be able to throw an 
> error if you forgot a return.
> 
> 
>> @@ -727,10 +730,13 @@ static unsigned int nr_grant_entries(struct 
>> grant_table *gt)
>>           /* Make sure we return a value independently of speculative 
>> execution */
>>           block_speculation();
>>           return f2e(nr_grant_frames(gt), 2);
>> +
>> +    default:
>> +        ASSERT_UNREACHABLE();
>> +        break;
>>   #undef f2e
>>       }
>> -    ASSERT_UNREACHABLE();
>>       block_speculation();
>>       return 0;
> 
> Same remark here.

Yes, 'default' case with appropriate comment will be better, I think.
Anyway, wrong 'gt_version' will be handled below by the 
ASSERT_UNREACHABLE().

> 
>> diff --git a/xen/drivers/char/console.c b/xen/drivers/char/console.c
>> index 9bd5b4825d..608616f2af 100644
>> --- a/xen/drivers/char/console.c
>> +++ b/xen/drivers/char/console.c
>> @@ -889,6 +889,9 @@ static int cf_check parse_console_timestamps(const 
>> char *s)
>>           opt_con_timestamp_mode = TSM_DATE;
>>           
>> con_timestamp_mode_upd(param_2_parfs(parse_console_timestamps));
>>           return 0;
>> +    default:
>> +        ASSERT_UNREACHABLE();
> 
> Looking at the implementation of parse_bool() it can return -1 if the 
> input provided is incorrect. So I don't think this path should contain 
> ASSERT_UNREACHABLE(). In fact, it should follow this directive:
> 
> "
>         - if the switch is expected to handle a subset of all possible
>           cases, then an empty default label shall be added with an
>           in-code comment on top of the default label with a reason and
>           when possible a more detailed explanation. Example::
> 
>               default:
>                   /* Notifier pattern */
>                   break;
> "

You are right, parse_bool() can return -1.
Approach: 'default' case with appropriate comment.

> 
> Cheers,
> 

Thanks!
Dmytro.

 

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.

Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.