-
Notifications
You must be signed in to change notification settings - Fork 6.5k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
MISRA-C Checking function return #9930
Conversation
Codecov Report
@@ Coverage Diff @@
## master #9930 +/- ##
==========================================
- Coverage 52.5% 52.49% -0.01%
==========================================
Files 213 213
Lines 26078 26077 -1
Branches 5624 5623 -1
==========================================
- Hits 13691 13690 -1
Misses 10136 10136
Partials 2251 2251
Continue to review full report at Codecov.
|
To the best of my knowledge, the MISRA C experiment (or whatever the right name) should have been applied to "kernel/*". This is explicitly stated in #9552 It would be nice to indeed follow that schedule, or otherwise we get these patches with 237 changed files, attempt to looking thru which shows memset, memset... Again, #9552 states "Adhere to MISRA-C 2012 where it makes sense and provide deviations and documentation of rules", and one of obvious solution for memset is not patching it all the way thru, but leaving alone. it would be nice to see that choice be followed/discussed too. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Doing a void cast on memset seems rather pointless to me, i.e. sounds like a good exception to be made from the MISRA rules. The return value of memset does not exist to denote error/success (which would be a valid reason to acknowledge it when doing the call) rather it's always the same thing, i.e. a pointer to the given memory area, which is rarely useful.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
282e76c
to
c832dae
Compare
I guess we're going to have to agree to disagree on whether this memset cast actually makes the code any more safe or secure :) Btw, has anyone considered using |
nobody is saying that. Following a coding standard or guideline does not make the code safer, and I know it looks really bad with all the voids for memset. This is analog to why we have a coding style and why we format the code the way we do, more or less and provides a standard and consistent way for coding that help spot issues and know the original intention of the developer who wrote the code without too much guessing. |
@nashif understood, but I highly doubt we'd be coming up with this convention (or being blindly strict about it) if it wasn't for MISRA-C |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Approving, but if CI doesn't start blocking new PRs which don't follow these conventions we'll soon again have violations of them in the tree. E.g. I'm aware of at least one pending PR that adds a memset (without the cast).
@jhedberg agree, this will need to end up being enforced by our CI. My intention is enforce things using compiler options, Coccinelle scripts (@himanshujha199640 is working to add infra to this), ... It will depend of the guideline. Definitely we need to enforce it. |
just one more point about using |
The result of both printk and vprintk are not used in any place. MISRA-C says that the return of every non void function must be checked. Signed-off-by: Flavio Ceolin <flavio.ceolin@intel.com>
Some syscacll return value through parameters and for these functions the return of _arch_syscall_invoke* are not used. MISRA requires that all return values be checked. Signed-off-by: Flavio Ceolin <flavio.ceolin@intel.com>
__swap function was returning -EAGAIN in some case, though its return value was declared as unsigned int. This commit changes this function to return int since it can return a negative value and its return was already been propagate as int. Signed-off-by: Flavio Ceolin <flavio.ceolin@intel.com>
Ignoring _Swap return where there is no treatment or nothing to do. Signed-off-by: Flavio Ceolin <flavio.ceolin@intel.com>
The return of memset is never checked. This patch explicitly ignore the return to avoid MISRA-C violations. The only directory excluded directory was ext/* since it contains only imported code. Signed-off-by: Flavio Ceolin <flavio.ceolin@intel.com>
There are some cases that there is nothing to do with _pend_current_thread() return (that is _Swap return value). As MISRA-C requires that all non-void functions have their return value checked, we are explicitly ignoring it when there is nothing to do. Signed-off-by: Flavio Ceolin <flavio.ceolin@intel.com>
Ignoring the return of _abort_timeout when there is nothing to do. Either because the condition to return something different from 0 was prior checked or because it was called during come cleanup. Signed-off-by: Flavio Ceolin <flavio.ceolin@intel.com>
There are some cases where atomic_and/or don't need to be checked. Actively acknowledge these cases. Signed-off-by: Flavio Ceolin <flavio.ceolin@intel.com>
_reschedule return's value is not used anywhere, except erroneously by pthread_barrier_wait. Signed-off-by: Flavio Ceolin <flavio.ceolin@intel.com>
A lot of times this API is called during some cleanup even if the timeout was not set to make the code simpler. In these cases it's not necessary checking the return. Adding a cast to acknowledge it. Signed-off-by: Flavio Ceolin <flavio.ceolin@intel.com>
k_thread_create is used only in k_word_q_start that has no error handling, so the return of that function is not used. Signed-off-by: Flavio Ceolin <flavio.ceolin@intel.com>
Checking the return of some scattered functions across kernel. MISRA-C requires that all non-void functions have their return value checked, though, in some cases there is nothing to do. Just acknowledging it. Signed-off-by: Flavio Ceolin <flavio.ceolin@intel.com>
c832dae
to
cde5ff0
Compare
Added one more commit with leftovers. Now, all these cases on kernel are fixed. |
@nashif can we merge it ? |
This pr is part of #9884 feature. There still violations that will be addressed in others commits/pr.
Important points about this pr: