On 8/24/25 18:29, Nicola Vetrini wrote:
> On 2025-08-24 16:56, Dmytro Prokopchuk1 wrote:
>> MISRA C Rule 2.1 states: "A project shall not contain unreachable code".
>> Functions that are non-returning and are not explicitly annotated with
>> the 'noreturn' attribute are considered a violation of this rule.
>>
>> In certain cases, some functions might be non-returning in specific build
>> configurations due to a call to '__builtin_unreachable()' in the expansion
>> of the macro 'BUG()':
>> - functions 'gicv3_do_LPI()' and 'gicv3_its_setup_collection()' when the
>> config CONFIG_HAS_ITS is not defined, it is intentionally used to catch
>> and prevent any unintended execution of code that should only run when
>> ITS is available;
>> - function 'prepare_acpi()' when the config CONFIG_ACPI is not defined,
>> to trigger an error if ACPI-related features are used incorrectly.
>>
>> To account for that in specific builds, update the ECLAIR configuration
>> to deviate these violations. Update deviations.rst file accordingly.
>> No functional changes.
>>
>> Signed-off-by: Dmytro Prokopchuk <[email protected]>
>> ---
>> Test CI pipeline:
>> https://gitlab.com/xen-project/people/dimaprkp4k/xen/-/pipelines/2000738682
>> ---
>
> https://gitlab.com/xen-project/people/dimaprkp4k/xen/-/jobs/11119212994
>
> Build failure here
Restarted the failed job. Finished successfully.
Dmytro.
>
>> automation/eclair_analysis/ECLAIR/deviations.ecl | 11 +++++++++++
>> docs/misra/deviations.rst | 13 +++++++++++++
>> 2 files changed, 24 insertions(+)
>>
>> diff --git a/automation/eclair_analysis/ECLAIR/deviations.ecl b/
>> automation/eclair_analysis/ECLAIR/deviations.ecl
>> index 7f3fd35a33..336aec58c2 100644
>> --- a/automation/eclair_analysis/ECLAIR/deviations.ecl
>> +++ b/automation/eclair_analysis/ECLAIR/deviations.ecl
>> @@ -41,6 +41,17 @@ not executable, and therefore it is safe for them
>> to be unreachable."
>>
>> -
>> call_properties+={"name(__builtin_unreachable)&&stmt(begin(any_exp(macro(name(ASSERT_UNREACHABLE)))))",
>> {"noreturn(false)"}}
>> -doc_end
>>
>> +-doc_begin="The 'BUG()' macro is intentionally used in the
>> 'prepare_acpi()' function in specific build configuration
>> +(when the config CONFIG_ACPI is not defined) to trigger an error if
>> ACPI-related features are used incorrectly."
>> +-config=MC3A2.R2.1,reports+={deliberate, "any_area(any_loc(file(^xen/
>> arch/arm/include/asm/domain_build\\.h$))&&context(name(prepare_acpi)))"}
>> +-doc_end
>> +
>> +-doc_begin="The 'BUG()' macro is intentionally used in
>> 'gicv3_do_LPI'() and 'gicv3_its_setup_collection()' functions
>> +in specific build configuration (when the config CONFIG_HAS_ITS is
>> not defined) to catch and prevent any unintended
>> +execution of code that should only run when ITS is available."
>> +-config=MC3A2.R2.1,reports+={deliberate, "any_area(any_loc(file(^xen/
>> arch/arm/include/asm/gic_v3_its\\.h$))&&context(name(gicv3_do_LPI||
>> gicv3_its_setup_collection)))"}
>> +-doc_end
>> +
>> -doc_begin="Proving compliance with respect to Rule 2.2 is generally
>> impossible:
>> see https://eur01.safelinks.protection.outlook.com/?
>> url=https%3A%2F%2Farxiv.org%2Fabs%2F2212.13933&data=05%7C02%7Cdmytro_prokopchuk1%40epam.com%7C08437a04f690436abce108dde323160d%7Cb41b72d04e9f4c268a69f949f367c91d%7C1%7C0%7C638916462021989821%7CUnknown%7CTWFpbGZsb3d8eyJFbXB0eU1hcGkiOnRydWUsIlYiOiIwLjAuMDAwMCIsIlAiOiJXaW4zMiIsIkFOIjoiTWFpbCIsIldUIjoyfQ%3D%3D%7C0%7C%7C%7C&sdata=N2i2wigU3ol8M2DsYhb8DcwrIvyYEhlbQrlaMlYoWJw%3D&reserved=0
>> for details. Moreover, peer review gives us
>> confidence that no evidence of errors in the program's logic has been
>> missed due
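Review bot: both added `reports+=` filters select on file and enclosing function only (`context(name(prepare_acpi))` and `context(name(gicv3_do_LPI||gicv3_its_setup_collection))`), so every Rule 2.1 report inside those functions in those two headers is tagged `deliberate`, not only the one that comes from the `BUG()` expansion the doc text describes. The ASSERT_UNREACHABLE entry in the context just above keys on the macro itself; if a comparable match on BUG() is possible here, it would keep unreachable code added to these functions later from being covered silently, and otherwise the doc string should state that the whole function body is deviated. Separately, the quote is misplaced in `'gicv3_do_LPI'()` in the second doc_begin; it should read `'gicv3_do_LPI()'`.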
>> diff --git a/docs/misra/deviations.rst b/docs/misra/deviations.rst
>> index 2119066531..96eb202502 100644
>> --- a/docs/misra/deviations.rst
>> +++ b/docs/misra/deviations.rst
>> @@ -97,6 +97,19 @@ Deviations related to MISRA C:2012 Rules:
>> Xen expects developers to ensure code remains safe and
>> reliable in builds,
>> even when debug-only assertions like `ASSERT_UNREACHABLE() are
>> removed.
>>
>> + * - R2.1
>> + - The 'BUG()' macro is intentionally used in the
>> 'prepare_acpi()' function
>> + in specific build configuration (when the config CONFIG_ACPI
>> is not
>> + defined) to trigger an error if ACPI-related features are used
>> incorrectly.
>> + - Tagged as `deliberate` for ECLAIR.
>> +
>> + * - R2.1
>> + - The 'BUG()' macro is intentionally used in 'gicv3_do_LPI'() and
>> + 'gicv3_its_setup_collection()' functions in specific build
>> configuration
>> + (when the config CONFIG_HAS_ITS is not defined) to catch and
>> prevent any
>> + unintended execution of code that should only run when ITS is
>> available.
>> + - Tagged as `deliberate` for ECLAIR.
>> +
>> * - R2.2
>> - Proving compliance with respect to Rule 2.2 is generally
>> impossible:
>> see `<https://eur01.safelinks.protection.outlook.com/?
>> url=https%3A%2F%2Farxiv.org%2Fabs%2F2212.13933&data=05%7C02%7Cdmytro_prokopchuk1%40epam.com%7C08437a04f690436abce108dde323160d%7Cb41b72d04e9f4c268a69f949f367c91d%7C1%7C0%7C638916462022006666%7CUnknown%7CTWFpbGZsb3d8eyJFbXB0eU1hcGkiOnRydWUsIlYiOiIwLjAuMDAwMCIsIlAiOiJXaW4zMiIsIkFOIjoiTWFpbCIsIldUIjoyfQ%3D%3D%7C0%7C%7C%7C&sdata=fT1IM0bnst9%2FkJ2rI7GiMRkbWJVG%2F%2FD%2B82z3QDVyD9s%3D&reserved=0>`_
>> for details. Moreover, peer
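Review bot: the two new R2.1 rows do not name the files the deviation is limited to, although the ECLAIR configuration in this patch restricts it to asm/domain_build.h and asm/gic_v3_its.h under xen/arch/arm/include, so a reader of deviations.rst cannot tell how narrow the deviation is. Suggest adding the header path to each row. The misplaced quote in `'gicv3_do_LPI'()` is repeated here and should be `'gicv3_do_LPI()'`, and "in specific build configuration" should read "in specific build configurations" in both rows.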
>