MISRA-C Checking function return

[ceolin]

This pr is part of #9884 feature. There still violations that will be addressed in others commits/pr.

Important points about this pr:

• Commit changing signature of __swap()
  • This function can return -EAGAIN but its return value was unsigned int. Nevertheless, this value was being propagate as int.
• Change printk()/vnprintk() signature to void

[codecov-io]

Codecov Report

Merging #9930 into master will decrease coverage by <.01%.
The diff coverage is 79.16%.

@@            Coverage Diff             @@
##           master    #9930      +/-   ##
==========================================
- Coverage    52.5%   52.49%   -0.01%     
==========================================
  Files         213      213              
  Lines       26078    26077       -1     
  Branches     5624     5623       -1     
==========================================
- Hits        13691    13690       -1     
  Misses      10136    10136              
  Partials     2251     2251

Impacted Files	Coverage Δ
subsys/net/lib/coap/coap_link_format.c	15.74% <ø> (ø)	⬆️
subsys/net/lib/app/net_app.c	41.07% <ø> (ø)	⬆️
subsys/bluetooth/host/uuid.c	0% <0%> (ø)	⬆️
subsys/bluetooth/host/hci_core.c	2.56% <0%> (ø)	⬆️
subsys/net/lib/http/http_parser_url.c	72.57% <0%> (ø)	⬆️
kernel/init.c	72.58% <0%> (ø)	⬆️
subsys/net/ip/dhcpv4.c	6.98% <0%> (ø)	⬆️
subsys/net/lib/websocket/websocket.c	17.3% <100%> (ø)	⬆️
lib/posix/fs.c	48.29% <100%> (ø)	⬆️
boards/posix/native_posix/irq_handler.c	84.52% <100%> (ø)	⬆️
... and 42 more

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 81b2721...282e76c. Read the comment docs.

[pfalcon]

To the best of my knowledge, the MISRA C experiment (or whatever the right name) should have been applied to "kernel/*". This is explicitly stated in #9552

It would be nice to indeed follow that schedule, or otherwise we get these patches with 237 changed files, attempt to looking thru which shows memset, memset... Again, #9552 states "Adhere to MISRA-C 2012 where it makes sense and provide deviations and documentation of rules", and one of obvious solution for memset is not patching it all the way thru, but leaving alone. it would be nice to see that choice be followed/discussed too.

[jhedberg]

Doing a void cast on memset seems rather pointless to me, i.e. sounds like a good exception to be made from the MISRA rules. The return value of memset does not exist to denote error/success (which would be a valid reason to acknowledge it when doing the call) rather it's always the same thing, i.e. a pointer to the given memory area, which is rarely useful.

[jukkar]

I agree with @jhedberg and @pfalcon here. At this first stage we should only concentrate changes in the kernel code. Also changing memset() calls seems quite pointless.

[jhedberg]

I guess we're going to have to agree to disagree on whether this memset cast actually makes the code any more safe or secure :) Btw, has anyone considered using __attribute__((warn_unused_result)) instead to improve the code quality? At least both gcc and llvm supports it.

[nashif]

I guess we're going to have to agree to disagree on whether this memset cast actually makes the code any more safe or secure :)

nobody is saying that. Following a coding standard or guideline does not make the code safer, and I know it looks really bad with all the voids for memset. This is analog to why we have a coding style and why we format the code the way we do, more or less and provides a standard and consistent way for coding that help spot issues and know the original intention of the developer who wrote the code without too much guessing.

[jhedberg]

@nashif understood, but I highly doubt we'd be coming up with this convention (or being blindly strict about it) if it wasn't for MISRA-C

[jhedberg]

Approving, but if CI doesn't start blocking new PRs which don't follow these conventions we'll soon again have violations of them in the tree. E.g. I'm aware of at least one pending PR that adds a memset (without the cast).

[ceolin]

@jhedberg agree, this will need to end up being enforced by our CI. My intention is enforce things using compiler options, Coccinelle scripts (@himanshujha199640 is working to add infra to this), ... It will depend of the guideline. Definitely we need to enforce it.

[ceolin]

@jhedberg #9884 contains more information about it, but yeah, I'll add attribute((warn_unused_result)) in functions that must have their return checked.

[ceolin]

just one more point about using attribute((warn_unused_result)). When we add this for a function we can't ignore its result doing (void), so we can use this only for the functions that we really should handle their return.

[ceolin]

Added one more commit with leftovers. Now, all these cases on kernel are fixed.

[ceolin]

@nashif can we merge it ?