
Re: [PATCH v3] misra: consider conversion from UL or (void*) to function pointer as safe


  • To: Jan Beulich <jbeulich@xxxxxxxx>, Nicola Vetrini <nicola.vetrini@xxxxxxxxxxx>
  • From: Dmytro Prokopchuk1 <dmytro_prokopchuk1@xxxxxxxx>
  • Date: Thu, 23 Oct 2025 13:57:04 +0000
  • Cc: Doug Goldstein <cardoe@xxxxxxxxxx>, Stefano Stabellini <sstabellini@xxxxxxxxxx>, Andrew Cooper <andrew.cooper3@xxxxxxxxxx>, Anthony PERARD <anthony.perard@xxxxxxxxxx>, Michal Orzel <michal.orzel@xxxxxxx>, Julien Grall <julien@xxxxxxx>, Roger Pau Monné <roger.pau@xxxxxxxxxx>, "xen-devel@xxxxxxxxxxxxxxxxxxxx" <xen-devel@xxxxxxxxxxxxxxxxxxxx>
  • Delivery-date: Thu, 23 Oct 2025 13:57:24 +0000
  • List-id: Xen developer discussion <xen-devel.lists.xenproject.org>


On 10/23/25 13:23, Jan Beulich wrote:
> On 23.10.2025 12:00, Dmytro Prokopchuk1 wrote:
>> On 10/17/25 10:09, Nicola Vetrini wrote:
>>> On 2025-10-15 08:20, Jan Beulich wrote:
>>>> On 14.10.2025 18:16, Dmytro Prokopchuk1 wrote:
>>>>> --- a/xen/common/version.c
>>>>> +++ b/xen/common/version.c
>>>>> @@ -217,6 +217,20 @@ void __init xen_build_init(void)
>>>>>   #endif /* CONFIG_X86 */
>>>>>   }
>>>>>   #endif /* BUILD_ID */
>>>>> +
>>>>> +#if defined(__i386__) || defined(__x86_64__) || defined(__arm__) ||
>>>>> defined(__aarch64__)
>>>>
>>>> Why __i386__? Also (nit): Line too long.
>>
>> Well, I copied this line from Xen codebase,
>> but yeah, __i386__ is outdated now.
>> I'll remove it.
>>
>>>>
>>>> And why this restriction without any comment here or ...
>>>>
>>>>> +static void __init __maybe_unused build_assertions(void)
>>>>> +{
>>>>> +    /*
>>>>> +     * To confirm conversion compatibility between unsigned long,
>>>>> (void *)
>>>>> +     * and function pointers for X86 and ARM architectures only.
>>>>
>>>> ... explanation here? More generally - how would people know to update
>>>> the condition if another port was to be certified?
>>>>
>>>> Finally, with the v3 addition here, is Nicola's R-b really still
>>>> applicable?
>>>>
>>>
>>> I agree with the point you make about i386 (e.g.,
>>> C-language-toolchain.rst may be mentioned to provide some context about
>>> the preprocessor guard); that said, my R-by can be retained
>>>
>>>> Jan
>>>>
>>>>> +     */
>>>>> +
>>>>> +    BUILD_BUG_ON(sizeof(unsigned long) != sizeof(void (*)(void)));
>>>>> +    BUILD_BUG_ON(sizeof(void *) != sizeof(void (*)(void)));
>>>>> +}
>>>>> +#endif
>>>>> +
>>>>>   /*
>>>>>    * Local variables:
>>>>>    * mode: C
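Review bot: The comment in build_assertions() says the checks "confirm conversion compatibility", but both BUILD_BUG_ON() lines compare only sizeof, so the comment should state that size equality is what is asserted. The #if guard around the function also means an architecture that is not listed builds with no check and no failure; making the two assertions unconditional and excluding a port by name would surface a mismatch at build time.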
>>>
>>
>> And probably v4 can have the following wording:
>>
>> /*
>>  * This assertion checks compatibility between 'unsigned long', 'void *',
>>  * and function pointers. This is true for X86 (x86_64) and ARM (arm, aarch64)
>>  * architectures, which is why the check is restricted to these.
>>  *
>>  * For more context on architecture-specific preprocessor guards, see
>>  * docs/misc/C-language-toolchain.rst.
>>  *
>>  * If Xen is ported to a new architecture, verify that this compatibility holds
>>  * before adding its macro to the condition below. If the compatibility does not
>>  * hold, this assertion may need to be revised or removed for that architecture.
>>  */
> 
> Except that this doesn't address my concern. Imo the checks want to be there
> unconditionally, and ports where they're _not_ applicable would then need
> excluding (with suitable commentary and/or alternative checks).
> 
> Jan

Ok, below is the updated logic:

/*
 * This assertion checks compatibility between 'unsigned long', 'void *',
 * and function pointers. This is true for most supported architectures,
 * including X86 (x86_64) and ARM (arm, aarch64).
 *
 * For more context on architecture-specific preprocessor guards, see
 * docs/misc/C-language-toolchain.rst.
 *
 * If porting Xen to a new architecture where this compatibility does not hold,
 * exclude that architecture from these checks and provide suitable commentary
 * and/or alternative checks as appropriate.
 */
static void __init __maybe_unused build_assertions(void)
{
    /*
     * Exclude architectures where function pointers are larger than data pointers:
     * - IA-64: uses 'fat' function pointers (code address + global pointer)
     */
#if !defined(__ia64__)
    BUILD_BUG_ON(sizeof(unsigned long) != sizeof(void (*)(void)));
    BUILD_BUG_ON(sizeof(void *) != sizeof(void (*)(void)));
#endif
}

Dmytro.
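
The opt-out structure discussed in this thread, as a stand-alone added example that is not part of the original message or of the Xen tree: size checks that apply unconditionally, a named exclusion carrying its own alternative check, and the two conversions the checks are meant to guard. BUILD_BUG_ON is a stand-in built on _Static_assert, and ARCH_WIDE_FUNCPTR, handler_fn and the handler functions are hypothetical names.

```c
#include <stdint.h>
#include <stdio.h>

/* Stand-in for Xen's BUILD_BUG_ON(); Xen's own definition is not shown in the thread. */
#define BUILD_BUG_ON(cond) _Static_assert(!(cond), "BUILD_BUG_ON: " #cond)

typedef int (*handler_fn)(int);

/* Unconditional by default; ARCH_WIDE_FUNCPTR is a hypothetical opt-out for one port. */
#if !defined(ARCH_WIDE_FUNCPTR)
BUILD_BUG_ON(sizeof(unsigned long) != sizeof(handler_fn));
BUILD_BUG_ON(sizeof(void *) != sizeof(handler_fn));
#else
/* Alternative check for the excluded port: some integer type must still fit. */
BUILD_BUG_ON(sizeof(uintmax_t) < sizeof(handler_fn));
#endif

static int add_one(int x) { return x + 1; }
static int negate(int x) { return -x; }

/* Constructed sample: handler addresses kept as integers, as an address table would. */
unsigned long handler_addr(unsigned int idx)
{
    static const handler_fn fns[] = { add_one, negate };

    return idx < sizeof(fns) / sizeof(fns[0]) ? (unsigned long)fns[idx] : 0UL;
}

/* Conversion from unsigned long back to a callable pointer. */
int call_via_ulong(unsigned long addr, int arg)
{
    return ((handler_fn)addr)(arg);
}

/* Conversion from void * back to a callable pointer. */
int call_via_void_ptr(void *p, int arg)
{
    return ((handler_fn)p)(arg);
}

int main(void)
{
    printf("%d %d\n", call_via_ulong(handler_addr(0), 41),
           call_via_void_ptr((void *)handler_addr(1), 5));
    return 0;
}
```

Built for an LLP64 target, where unsigned long is 32 bits and pointers are 64 bits, the first assertion stops the build instead of letting the cast truncate an address.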

 

