
[RFC PATCH] misra: allow conversion from unsigned long to function pointer


  • To: "xen-devel@xxxxxxxxxxxxxxxxxxxx" <xen-devel@xxxxxxxxxxxxxxxxxxxx>
  • From: Dmytro Prokopchuk1 <dmytro_prokopchuk1@xxxxxxxx>
  • Date: Wed, 13 Aug 2025 18:27:45 +0000
  • Cc: Dmytro Prokopchuk1 <dmytro_prokopchuk1@xxxxxxxx>, Nicola Vetrini <nicola.vetrini@xxxxxxxxxxx>, Doug Goldstein <cardoe@xxxxxxxxxx>, Stefano Stabellini <sstabellini@xxxxxxxxxx>, Andrew Cooper <andrew.cooper3@xxxxxxxxxx>, Anthony PERARD <anthony.perard@xxxxxxxxxx>, Michal Orzel <michal.orzel@xxxxxxx>, Jan Beulich <jbeulich@xxxxxxxx>, Julien Grall <julien@xxxxxxx>, Roger Pau Monné <roger.pau@xxxxxxxxxx>, Bertrand Marquis <bertrand.marquis@xxxxxxx>, Volodymyr Babchuk <Volodymyr_Babchuk@xxxxxxxx>
  • Delivery-date: Wed, 13 Aug 2025 18:27:56 +0000
  • List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

...

from `vaddr_t' (that is `unsigned long') to `switch_ttbr_fn*' (that is 
`void(*)(unsigned long)')

Signed-off-by: Dmytro Prokopchuk <dmytro_prokopchuk1@xxxxxxxx>
---
This is just an RFC patch.
The commit message is not important at this stage.

I am seeking comments regarding this case.

Thanks.
---
 automation/eclair_analysis/ECLAIR/deviations.ecl |  8 ++++++++
 docs/misra/deviations.rst                        | 10 ++++++++++
 docs/misra/rules.rst                             |  8 +++++++-
 xen/arch/arm/arm64/mmu/mm.c                      |  2 ++
 4 files changed, 27 insertions(+), 1 deletion(-)

diff --git a/automation/eclair_analysis/ECLAIR/deviations.ecl 
b/automation/eclair_analysis/ECLAIR/deviations.ecl
index ebce1ceab9..f9fd6076b7 100644
--- a/automation/eclair_analysis/ECLAIR/deviations.ecl
+++ b/automation/eclair_analysis/ECLAIR/deviations.ecl
@@ -365,6 +365,14 @@ constant expressions are required.\""
 }
 -doc_end
 
+-doc_begin="The conversion from unsigned long to a function pointer does not 
lose any information, provided that the source type has enough bits to restore 
it."
+-config=MC3A2.R11.1,casts+={safe,
+  "from(type(canonical(builtin(unsigned long))))
+   &&to(type(canonical(__function_pointer_types)))
+   &&relation(definitely_preserves_value)"
+}
+-doc_end
+
 -doc_begin="The conversion from a function pointer to a boolean has a 
well-known semantics that do not lead to unexpected behaviour."
 -config=MC3A2.R11.1,casts+={safe,
   "from(type(canonical(__function_pointer_types)))
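
Review bot: the new -doc_begin text justifies the cast "provided that the source type has enough bits to restore it", but "it" has no antecedent and the condition reads as the pointer-to-integer direction, while the configured cast is from unsigned long to a function pointer. The entry also applies to every such cast analysed under MC3A2.R11.1, not only the vaddr_t to switch_ttbr_fn* conversion quoted in the message; suggest rewording the doc string so the size condition is stated for the direction being deviated, and saying which casts the entry is meant to cover.
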
diff --git a/docs/misra/deviations.rst b/docs/misra/deviations.rst
index 3c46a1e47a..27848602f6 100644
--- a/docs/misra/deviations.rst
+++ b/docs/misra/deviations.rst
@@ -348,6 +348,16 @@ Deviations related to MISRA C:2012 Rules:
        to store it.
      - Tagged as `safe` for ECLAIR.
 
+   * - R11.1
+     - The conversion from unsigned long to a function pointer does not lose 
any
+       information or violate type safety assumptions if the unsigned long type
+       is guaranteed to be at least as large as a function pointer. This 
ensures
+       that the function pointer address can be fully represented without
+       truncation or corruption. Macro BUILD_BUG_ON can be integrated into the
+       build system to confirm that 'sizeof(unsigned long) >= sizeof(void 
(*)())'
+       on all target platforms.
+     - Tagged as `safe` for ECLAIR.
+
    * - R11.1
      - The conversion from a function pointer to a boolean has a well-known
        semantics that do not lead to unexpected behaviour.
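
Review bot: in the new R11.1 entry, "Macro BUILD_BUG_ON can be integrated into the build system" leaves open whether the check exists; a deviation tagged safe should name the check that is actually in the tree and where it lives. The entry also says the size relation means the cast does not "violate type safety assumptions", which a sizeof comparison cannot establish; suggest limiting the justification to the absence of truncation.
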
diff --git a/docs/misra/rules.rst b/docs/misra/rules.rst
index 6812eb7e8a..8b97ecf3f4 100644
--- a/docs/misra/rules.rst
+++ b/docs/misra/rules.rst
@@ -414,7 +414,13 @@ maintainers if you want to suggest a change.
      - All conversions to integer types are permitted if the destination
        type has enough bits to hold the entire value. Conversions to bool
        and void* are permitted. Conversions from 'void noreturn (*)(...)'
-       to 'void (*)(...)' are permitted.
+       to 'void (*)(...)' are permitted. Conversions from unsigned long to
+       function pointer are permitted if the unsigned long type has a size
+       and representation sufficient to store the entire function pointer
+       value without truncation or corruption. Example::
+
+           unsigned long func_addr = (unsigned long)&some_function;
+           void (*restored_func)(void) = (void (*)(void))func_addr;
 
    * - `Rule 11.2 
<https://gitlab.com/MISRA/MISRA-C/MISRA-C-2012/Example-Suite/-/blob/master/R_11_02.c>`_
      - Required
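
Review bot: the example added under Rule 11.1 round-trips a value that started as &some_function, whereas the new sentence permits any unsigned long to function pointer conversion, and the casts touched in xen/arch/arm/arm64/mmu/mm.c take their value from virt_to_maddr() rather than from a function pointer. Either restrict the wording to values obtained from a function address or make the example match the permitted case; as written the rule text is broader than what the example demonstrates.
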
diff --git a/xen/arch/arm/arm64/mmu/mm.c b/xen/arch/arm/arm64/mmu/mm.c
index 3e64be6ae6..998d52c162 100644
--- a/xen/arch/arm/arm64/mmu/mm.c
+++ b/xen/arch/arm/arm64/mmu/mm.c
@@ -150,6 +150,7 @@ void __init relocate_and_switch_ttbr(uint64_t ttbr)
     vaddr_t id_addr = virt_to_maddr(relocate_xen);
     relocate_xen_fn *fn = (relocate_xen_fn *)id_addr;
     lpae_t pte;
+    BUILD_BUG_ON(sizeof(unsigned long) < sizeof(fn));
 
     /* Enable the identity mapping in the boot page tables */
     update_identity_mapping(true);
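
Review bot: the BUILD_BUG_ON added in relocate_and_switch_ttbr() tests sizeof(unsigned long) < sizeof(fn), which guards storing a pointer in an integer; the cast two lines above it goes the other way, from id_addr to relocate_xen_fn *, where bits are lost if the pointer is narrower than the integer. Suggest checking the variable that is actually converted and requiring equal sizes, e.g. BUILD_BUG_ON(sizeof(id_addr) != sizeof(fn)), and leaving a blank line between "lpae_t pte;" and the assertion so it does not sit inside the declaration block.
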
@@ -178,6 +179,7 @@ void __init switch_ttbr(uint64_t ttbr)
     vaddr_t id_addr = virt_to_maddr(switch_ttbr_id);
     switch_ttbr_fn *fn = (switch_ttbr_fn *)id_addr;
     lpae_t pte;
+    BUILD_BUG_ON(sizeof(unsigned long) < sizeof(fn));
 
     /* Enable the identity mapping in the boot page tables */
     update_identity_mapping(true);
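
Review bot: the assertion added in switch_ttbr() is a verbatim copy of the one in relocate_and_switch_ttbr(), and its condition depends only on the sizes of unsigned long and a function pointer type, not on anything specific to this function. Since the ECLAIR entry in this patch marks the cast safe wherever it occurs, a single build-time check in one place, referenced from the deviation text, would avoid repeating it at each cast site; a short comment naming Rule 11.1 would also explain why the check is there.
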
-- 
2.43.0



 

