[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [PATCH] misra: add ASSERT_UNREACHABLE() in default clauses

To: Jan Beulich <jbeulich@xxxxxxxx>, Dmytro Prokopchuk1 <dmytro_prokopchuk1@xxxxxxxx>
From: Julien Grall <julien@xxxxxxx>
Date: Tue, 12 Aug 2025 23:54:45 +0100
Cc: Stefano Stabellini <sstabellini@xxxxxxxxxx>, Bertrand Marquis <bertrand.marquis@xxxxxxx>, Michal Orzel <michal.orzel@xxxxxxx>, Volodymyr Babchuk <Volodymyr_Babchuk@xxxxxxxx>, Andrew Cooper <andrew.cooper3@xxxxxxxxxx>, Anthony PERARD <anthony.perard@xxxxxxxxxx>, Roger Pau Monné <roger.pau@xxxxxxxxxx>, "xen-devel@xxxxxxxxxxxxxxxxxxxx" <xen-devel@xxxxxxxxxxxxxxxxxxxx>
Delivery-date: Tue, 12 Aug 2025 22:55:02 +0000
List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

Hi Jan,

On 12/08/2025 08:32, Jan Beulich wrote:

On 11.08.2025 23:21, Julien Grall wrote:

On 11/08/2025 21:30, Dmytro Prokopchuk1 wrote:

--- a/xen/common/grant_table.c
+++ b/xen/common/grant_table.c
@@ -330,9 +330,12 @@ shared_entry_header(struct grant_table *t, grant_ref_t ref)
           /* Returned values should be independent of speculative execution */
           block_speculation();
           return &shared_entry_v2(t, ref).hdr;
+
+    default:
+        ASSERT_UNREACHABLE();
+        break;
       }

- ASSERT_UNREACHABLE();

  >       block_speculation();>

       return NULL;


I know you are trying to apply the MISRA rule. But this is odd that you
move the ASSERT_UNREACHABLE() but then code after is still only
reachable from the default. In fact, this is introducing a risk if
someone decides to add a new case but then forgot to return a value.

By moving the two other lines, the compiler should be able to throw an
error if you forgot a return.


I think we did discuss this pattern in the past. While moving everything up
to the "return" into the default: handling will please Eclair / Misra, we'll
then end up with no return statement at the end of a non-void function.
Beyond being good practice (imo) to have such a "main" return statement,
that's actually another rule, just one we apparently didn't accept (15.5).

Reading 15.5, this seems to be about having a single return in thefunction. Unless I misunderstood something, this is different from whatyou suggest.

Anyway, my main problem with this change is that ASSERT_UNREACHABLE() ismoved. I could possibly settle with:


default:
  break;
}

ASSERT_UNREACHABLE();
...

But at least to me, this pattern is more difficult to read because Ihave to look through the switch to understand the patch is only meant otbe used by the "default" case.


Cheers,

--
Julien Grall

Follow-Ups:
- Re: [PATCH] misra: add ASSERT_UNREACHABLE() in default clauses
  - From: Jan Beulich
- Re: [PATCH] misra: add ASSERT_UNREACHABLE() in default clauses
  - From: Dmytro Prokopchuk1

References:
- [PATCH] misra: add ASSERT_UNREACHABLE() in default clauses
  - From: Dmytro Prokopchuk1
- Re: [PATCH] misra: add ASSERT_UNREACHABLE() in default clauses
  - From: Julien Grall
- Re: [PATCH] misra: add ASSERT_UNREACHABLE() in default clauses
  - From: Jan Beulich

Prev by Date: [PATCH v16 4/4] xen/domain: update create_dom0() messages
Next by Date: Re: [ImageBuilder v2] Add config option to use separate load commands for Xen, DOM0 and DOMU binaries
Previous by thread: Re: [PATCH] misra: add ASSERT_UNREACHABLE() in default clauses
Next by thread: Re: [PATCH] misra: add ASSERT_UNREACHABLE() in default clauses
Index(es):
- Date
- Thread

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.