xen: address violations of Rule 11.9

The constant 0 is used instead of NULL in '__ACCESS_ONCE' as a
compile-time check to detect non-scalar types; its usage for this
purpose is deviated.

Furthermore, the 'typeof_field' macro is introduced as a general way
to access the type of a struct member without declaring a variable
of struct type. Both this macro and 'sizeof_field' are moved to
'xen/macros.h'.

No functional change intended.

Signed-off-by: Nicola Vetrini <nicola.vetrini@bugseng.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Stefano Stabellini <sstabellini@kernel.org>

diff --git a/automation/eclair_analysis/ECLAIR/deviations.ecl b/automation/eclair_analysis/ECLAIR/deviations.ecl
index 279b2821090ab0715643943e54522a83dc2b14bc..b7c6d85fbf12bb9fe5fdd950b5a8521d77badf86 100644 (file)
--- a/automation/eclair_analysis/ECLAIR/deviations.ecl
+++ b/automation/eclair_analysis/ECLAIR/deviations.ecl
@@ -253,6 +253,15 @@ constant expressions are required.\""
   "any()"}
 -doc_end
 
+#
+# Series 11
+#
+
+-doc_begin="This construct is used to check if the type is scalar, and for this purpose the use of 0 as a null pointer constant is deliberate."
+-config=MC3R1.R11.9,reports+={deliberate, "any_area(any_loc(any_exp(macro(^__ACCESS_ONCE$))))"
+}
+-doc_end
+
 #
 # Series 13
 #

diff --git a/docs/misra/deviations.rst b/docs/misra/deviations.rst
index 949840b96663a5b7a1fed805f40e515bf12828a3..b5a46f7f8775ddd3ff83ddc47fbe9eab93a7c36a 100644 (file)
--- a/docs/misra/deviations.rst
+++ b/docs/misra/deviations.rst
@@ -206,6 +206,12 @@ Deviations related to MISRA C:2012 Rules:
        If no bits are set, 0 is returned.
      - Tagged as `safe` for ECLAIR.
 
+   * - R11.9
+     - __ACCESS_ONCE uses an integer, which happens to be zero, as a
+       compile time check. The typecheck uses a cast. The usage of zero or other
+       integers for this purpose is allowed.
+     - Tagged as `deliberate` for ECLAIR.
+
    * - R13.5
      - All developers and reviewers can be safely assumed to be well aware of
        the short-circuit evaluation strategy for logical operators.

diff --git a/xen/include/xen/compiler.h b/xen/include/xen/compiler.h
index dd99e573083f16d83eb6d83b34afeb00c0a92683..a8be1f19cfc2485297b85141b890e568daa9a83e 100644 (file)
--- a/xen/include/xen/compiler.h
+++ b/xen/include/xen/compiler.h
@@ -109,14 +109,6 @@
 
 #define offsetof(a,b) __builtin_offsetof(a,b)
 
-/**
- * sizeof_field(TYPE, MEMBER)
- *
- * @TYPE: The structure containing the field of interest
- * @MEMBER: The field to return the size of
- */
-#define sizeof_field(TYPE, MEMBER) sizeof((((TYPE *)0)->MEMBER))
-
 #if !defined(__STDC_VERSION__) || __STDC_VERSION__ < 201112L
 #define alignof __alignof__
 #endif

diff --git a/xen/include/xen/kernel.h b/xen/include/xen/kernel.h
index 46b3c9c026258a3371cf554e683bf36ce5fd68eb..2c5ed7736c994d341035b447fa35007b9a9c9c7f 100644 (file)
--- a/xen/include/xen/kernel.h
+++ b/xen/include/xen/kernel.h
@@ -51,7 +51,7 @@
  *
  */
 #define container_of(ptr, type, member) ({                      \
-        typeof( ((type *)0)->member ) *__mptr = (ptr);          \
+        typeof_field(type, member) *__mptr = (ptr);             \
         (type *)( (char *)__mptr - offsetof(type,member) );})
 
 /*

diff --git a/xen/include/xen/macros.h b/xen/include/xen/macros.h
index f943319ab2478edad6859411bbf9e664f118d507..18842cd8a511d09badf19024edab25acf6256e79 100644 (file)
--- a/xen/include/xen/macros.h
+++ b/xen/include/xen/macros.h
@@ -60,6 +60,22 @@
 
 #define ARRAY_SIZE(x) (sizeof(x) / sizeof((x)[0]) + __must_be_array(x))
 
+/**
+ * typeof_field(type, member)
+ *
+ * @type: The structure containing the field of interest
+ * @member: The field whose type is returned
+ */
+#define typeof_field(type, member) typeof(((type *)NULL)->member)
+
+/**
+ * sizeof_field(type, member)
+ *
+ * @type: The structure containing the field of interest
+ * @member: The field to return the size of
+ */
+#define sizeof_field(type, member) sizeof(((type *)NULL)->member)
+
 #endif /* __ASSEMBLY__ */
 
 #endif /* __MACROS_H__ */