sca: eclair: add Xen deviations
Import some useful Xen deviations that apply to Zephyr as well. Signed-off-by: Anas Nashif <anas.nashif@intel.com>
This commit is contained in:
parent
43971ea0d5
commit
bffb3f63fe
2 changed files with 463 additions and 0 deletions
462
cmake/sca/eclair/ECL/deviations.ecl
Normal file
462
cmake/sca/eclair/ECL/deviations.ecl
Normal file
|
@ -0,0 +1,462 @@
|
|||
#
|
||||
# Series 2.
|
||||
#
|
||||
|
||||
-doc_begin="The compiler implementation guarantees that the unreachable code is removed.
|
||||
Constant expressions and unreachable branches of if and switch statements are expected."
|
||||
-config=MC3A2.R2.1,+reports={safe,"first_area(^.*has an invariantly.*$)"}
|
||||
-config=MC3A2.R2.1,+reports={safe,"first_area(^.*incompatible with labeled statement$)"}
|
||||
-doc_end
|
||||
|
||||
-doc_begin="Unreachability caused by calls to the following functions or macros is deliberate and there is no risk of code being unexpectedly left out."
|
||||
-config=MC3A2.R2.1,statements+={deliberate,"macro(name(BUG||assert_failed))"}
|
||||
-config=MC3A2.R2.1,statements+={deliberate, "call(decl(name(__builtin_unreachable||panic||do_unexpected_trap||machine_halt||machine_restart||reboot_or_halt)))"}
|
||||
-doc_end
|
||||
|
||||
-doc_begin="Unreachability inside an ASSERT_UNREACHABLE() and analogous macro calls is deliberate and safe."
|
||||
-config=MC3A2.R2.1,reports+={deliberate, "any_area(any_loc(any_exp(macro(name(ASSERT_UNREACHABLE||PARSE_ERR_RET||PARSE_ERR||FAIL_MSR||FAIL_CPUID)))))"}
|
||||
-doc_end
|
||||
|
||||
-doc_begin="Pure declarations (i.e., declarations without initialization) are
|
||||
not executable, and therefore it is safe for them to be unreachable."
|
||||
-config=MC3A2.R2.1,ignored_stmts+={"any()", "pure_decl()"}
|
||||
-doc_end
|
||||
|
||||
-doc_begin="The following autogenerated file is not linked deliberately."
|
||||
-file_tag+={C_runtime_failures,"^automation/eclair_analysis/C-runtime-failures\\.rst\\.c$"}
|
||||
-config=MC3A2.R2.1,reports+={deliberate, "any_area(any_loc(file(C_runtime_failures)))"}
|
||||
-doc_end
|
||||
|
||||
-doc_begin="Proving compliance with respect to Rule 2.2 is generally impossible:
|
||||
see https://arxiv.org/abs/2212.13933 for details. Moreover, peer review gives us
|
||||
confidence that no evidence of errors in the program's logic has been missed due
|
||||
to undetected violations of Rule 2.2, if any. Testing on time behavior gives us
|
||||
confidence on the fact that, should the program contain dead code that is not
|
||||
removed by the compiler, the resulting slowdown is negligible."
|
||||
-config=MC3A2.R2.2,reports+={disapplied,"any()"}
|
||||
-doc_end
|
||||
|
||||
-doc_begin="Some labels are unused in certain build configurations, or are deliberately marked as unused, so that the compiler is entitled to remove them."
|
||||
-config=MC3A2.R2.6,reports+={deliberate, "any_area(text(^.*__maybe_unused.*$))"}
|
||||
-doc_end
|
||||
|
||||
#
|
||||
# Series 3.
|
||||
#
|
||||
|
||||
-doc_begin="Comments starting with '/*' and containing hyperlinks are safe as
|
||||
they are not instances of commented-out code."
|
||||
-config=MC3A2.R3.1,reports+={safe, "first_area(text(^.*https?://.*$))"}
|
||||
-doc_end
|
||||
|
||||
#
|
||||
# Series 4.
|
||||
#
|
||||
|
||||
-doc_begin="Files that are intended to be included more than once do not need to
|
||||
conform to the directive."
|
||||
-config=MC3A2.D4.10,reports+={safe, "first_area(text(^/\\* This file is intended to be included multiple times\\. \\*/$, begin-4))"}
|
||||
-config=MC3A2.D4.10,reports+={safe, "first_area(text(^/\\* Generated file, do not edit! \\*/$, begin-3))"}
|
||||
-config=MC3A2.D4.10,reports+={safe, "all_area(all_loc(file(^zephyr/build/zephyr/include/generated/autoconf\\.h$)))"}
|
||||
-doc_end
|
||||
|
||||
-doc_begin="Including multiple times a .c file is safe because every function or data item
|
||||
it defines would (in the common case) be already defined. Peer reviewed by the community."
|
||||
-config=MC3A2.D4.10,reports+={safe, "all_area(all_loc(^.*\\.c$))"}
|
||||
-doc_end
|
||||
|
||||
#
|
||||
# Series 5.
|
||||
#
|
||||
|
||||
-doc_begin="The project adopted the rule with an exception listed in
|
||||
'docs/misra/rules.rst'"
|
||||
-config=MC3A2.R5.3,reports+={safe, "any_area(any_loc(any_exp(macro(^READ_SYSREG$))&&any_exp(macro(^WRITE_SYSREG$))))"}
|
||||
-config=MC3A2.R5.3,reports+={safe, "any_area(any_loc(any_exp(macro(^max(_t)?$))&&any_exp(macro(^min(_t)?$))))"}
|
||||
-config=MC3A2.R5.3,reports+={safe, "any_area(any_loc(any_exp(macro(^read[bwlq]$))&&any_exp(macro(^read[bwlq]_relaxed$))))"}
|
||||
-config=MC3A2.R5.3,reports+={safe, "any_area(any_loc(any_exp(macro(^per_cpu$))&&any_exp(macro(^this_cpu$))))"}
|
||||
-config=MC3A2.R5.3,reports+={safe, "any_area(any_loc(any_exp(macro(^__emulate_2op$))&&any_exp(macro(^__emulate_2op_nobyte$))))"}
|
||||
-config=MC3A2.R5.3,reports+={safe, "any_area(any_loc(any_exp(macro(^read_debugreg$))&&any_exp(macro(^write_debugreg$))))"}
|
||||
-doc_end
|
||||
|
||||
-doc_begin="Macros expanding to their own identifier (e.g., \"#define x x\") are deliberate."
|
||||
-config=MC3A2.R5.5,reports+={deliberate, "all_area(macro(same_id_body())||!macro(!same_id_body()))"}
|
||||
-doc_end
|
||||
|
||||
-doc_begin="There is no clash between function like macros and not callable objects."
|
||||
-config=MC3A2.R5.5,reports+={deliberate, "all_area(macro(function_like())||decl(any()))&&all_area(macro(any())||!decl(kind(function))&&!decl(__function_pointer_decls))"}
|
||||
-doc_end
|
||||
|
||||
-doc_begin="The project intentionally reuses tag names in order to have identifiers matching the applicable external specifications as well as established internal conventions.
|
||||
As there is little possibility for developer confusion not resulting into compilation errors, the risk of renaming outweighs the potential advantages of compliance."
|
||||
-config=MC3A2.R5.7,reports+={deliberate,"any()"}
|
||||
-doc_end
|
||||
|
||||
#
|
||||
# Series 7.
|
||||
#
|
||||
|
||||
-doc_begin="It is safe to use certain octal constants the way they are defined
|
||||
in specifications, manuals, and algorithm descriptions."
|
||||
-config=MC3A2.R7.1,reports+={safe, "any_area(any_loc(any_exp(text(^.*octal-ok.*$))))"}
|
||||
-doc_end
|
||||
|
||||
-doc_begin="Allow pointers of non-character type as long as the pointee is
|
||||
const-qualified."
|
||||
-config=MC3A2.R7.4,same_pointee=false
|
||||
-doc_end
|
||||
|
||||
#
|
||||
# Series 8.
|
||||
#
|
||||
|
||||
-doc_begin="Parameter name \"unused\" (with an optional numeric suffix) is deliberate and makes explicit the intention of not using such parameter within the function."
|
||||
-config=MC3A2.R8.3,reports+={deliberate, "any_area(^.*parameter `unused[0-9]*'.*$)"}
|
||||
-doc_end
|
||||
|
||||
-doc_begin="asmlinkage is a marker to indicate that the function is only used to interface with asm modules."
|
||||
-config=MC3A2.R8.4,declarations+={safe,"loc(text(^(?s).*asmlinkage.*$, -1..0))"}
|
||||
-doc_end
|
||||
|
||||
-doc_begin="Declarations without definitions are allowed (specifically when the
|
||||
definition is compiled-out or optimized-out by the compiler)"
|
||||
-config=MC3A2.R8.6,reports+={deliberate, "first_area(^.*has no definition$)"}
|
||||
-doc_end
|
||||
|
||||
#
|
||||
# Series 9.
|
||||
#
|
||||
|
||||
-doc_begin="The possibility of committing mistakes by specifying an explicit
|
||||
dimension is higher than omitting the dimension."
|
||||
-config=MC3A2.R9.5,reports+={deliberate, "any()"}
|
||||
-doc_end
|
||||
|
||||
#
|
||||
# Series 10.
|
||||
#
|
||||
|
||||
-doc_begin="The value-preserving conversions of integer constants are safe"
|
||||
-config=MC3A2.R10.1,etypes={safe,"any()","preserved_integer_constant()"}
|
||||
-config=MC3A2.R10.3,etypes={safe,"any()","preserved_integer_constant()"}
|
||||
-config=MC3A2.R10.4,etypes={safe,"any()","preserved_integer_constant()||sibling(rhs,preserved_integer_constant())"}
|
||||
-doc_end
|
||||
|
||||
-doc_begin="Shifting non-negative integers to the right is safe."
|
||||
-config=MC3A2.R10.1,etypes+={safe,
|
||||
"stmt(node(binary_operator)&&operator(shr))",
|
||||
"src_expr(definitely_in(0..))"}
|
||||
-doc_end
|
||||
|
||||
-doc_begin="Shifting non-negative integers to the left is safe if the result is
|
||||
still non-negative."
|
||||
-config=MC3A2.R10.1,etypes+={safe,
|
||||
"stmt(node(binary_operator)&&operator(shl)&&definitely_in(0..))",
|
||||
"src_expr(definitely_in(0..))"}
|
||||
-doc_end
|
||||
|
||||
-doc_begin="Bitwise logical operations on non-negative integers are safe."
|
||||
-config=MC3A2.R10.1,etypes+={safe,
|
||||
"stmt(node(binary_operator)&&operator(and||or||xor))",
|
||||
"src_expr(definitely_in(0..))"}
|
||||
-doc_end
|
||||
|
||||
-doc_begin="The implicit conversion to Boolean for logical operator arguments is well known to all Zephyr developers to be a comparison with 0"
|
||||
-config=MC3A2.R10.1,etypes+={safe, "stmt(operator(logical)||node(conditional_operator||binary_conditional_operator))", "dst_type(ebool||boolean)"}
|
||||
-doc_end
|
||||
|
||||
-doc_begin="Zephyr only supports architectures where signed integers are
|
||||
representend using two's complement and all the Xephyr developers are aware of
|
||||
this."
|
||||
-config=MC3A2.R10.1,etypes+={safe,
|
||||
"stmt(operator(and||or||xor||not||and_assign||or_assign||xor_assign))",
|
||||
"any()"}
|
||||
-doc_end
|
||||
|
||||
-doc_begin="See Section \"4.5 Integers\" of \"GCC_MANUAL\", where it says that
|
||||
\"Signed `>>' acts on negative numbers by sign extension. As an extension to the
|
||||
C language, GCC does not use the latitude given in C99 and C11 only to treat
|
||||
certain aspects of signed `<<' as undefined. However, -fsanitize=shift (and
|
||||
-fsanitize=undefined) will diagnose such cases. They are also diagnosed where
|
||||
constant expressions are required.\""
|
||||
-config=MC3A2.R10.1,etypes+={safe,
|
||||
"stmt(operator(shl||shr||shl_assign||shr_assign))",
|
||||
"any()"}
|
||||
-doc_end
|
||||
|
||||
#
|
||||
# Series 11
|
||||
#
|
||||
|
||||
-doc_begin="The conversion from a function pointer to unsigned long or (void *) does not lose any information, provided that the target type has enough bits to store it."
|
||||
-config=MC3A2.R11.1,casts+={safe,
|
||||
"from(type(canonical(__function_pointer_types)))
|
||||
&&to(type(canonical(builtin(unsigned long)||pointer(builtin(void)))))
|
||||
&&relation(definitely_preserves_value)"
|
||||
}
|
||||
-doc_end
|
||||
|
||||
-doc_begin="The conversion from a function pointer to a boolean has a well-known semantics that do not lead to unexpected behaviour."
|
||||
-config=MC3A2.R11.1,casts+={safe,
|
||||
"from(type(canonical(__function_pointer_types)))
|
||||
&&kind(pointer_to_boolean)"
|
||||
}
|
||||
-doc_end
|
||||
|
||||
-doc_begin="The conversion from a pointer to an incomplete type to unsigned long does not lose any information, provided that the target type has enough bits to store it."
|
||||
-config=MC3A2.R11.2,casts+={safe,
|
||||
"from(type(any()))
|
||||
&&to(type(canonical(builtin(unsigned long))))
|
||||
&&relation(definitely_preserves_value)"
|
||||
}
|
||||
-doc_end
|
||||
|
||||
-doc_begin="Conversions to object pointers that have a pointee type with a smaller (i.e., less strict) alignment requirement are safe."
|
||||
-config=MC3A2.R11.3,casts+={safe,
|
||||
"!relation(more_aligned_pointee)"
|
||||
}
|
||||
-doc_end
|
||||
|
||||
-doc_begin="Conversions from and to integral types are safe, in the assumption that the target type has enough bits to store the value.
|
||||
See also Section \"4.7 Arrays and Pointers\" of \"GCC_MANUAL\""
|
||||
-config=MC3A2.R11.6,casts+={safe,
|
||||
"(from(type(canonical(integral())))||to(type(canonical(integral()))))
|
||||
&&relation(definitely_preserves_value)"}
|
||||
-doc_end
|
||||
|
||||
-doc_begin="The conversion from a pointer to a boolean has a well-known semantics that do not lead to unexpected behaviour."
|
||||
-config=MC3A2.R11.6,casts+={safe,
|
||||
"from(type(canonical(__pointer_types)))
|
||||
&&kind(pointer_to_boolean)"
|
||||
}
|
||||
-doc_end
|
||||
|
||||
-doc_begin="Violations caused by container_of are due to pointer arithmetic operations
|
||||
with the provided offset. The resulting pointer is then immediately cast back to its
|
||||
original type, which preserves the qualifier. This use is deemed safe.
|
||||
Fixing this violation would require to increase code complexity and lower readability."
|
||||
-config=MC3A2.R11.8,reports+={safe,"any_area(any_loc(any_exp(macro(^container_of$))))"}
|
||||
-doc_end
|
||||
|
||||
-doc_begin="This construct is used to check if the type is scalar, and for this purpose the use of 0 as a null pointer constant is deliberate."
|
||||
-config=MC3A2.R11.9,reports+={deliberate, "any_area(any_loc(any_exp(macro(^__ACCESS_ONCE$))))"
|
||||
}
|
||||
-doc_end
|
||||
|
||||
#
|
||||
# Series 13
|
||||
#
|
||||
|
||||
-doc_begin="All developers and reviewers can be safely assumed to be well aware
|
||||
of the short-circuit evaluation strategy of such logical operators."
|
||||
-config=MC3A2.R13.5,reports+={disapplied,"any()"}
|
||||
-doc_end
|
||||
|
||||
-doc_begin="Anything, no matter how complicated, inside the BUILD_ASSERT macro is subject to a compile-time evaluation without relevant side effects."
|
||||
-config=MC3A2.R13.6,reports+={safe,"any_area(any_loc(any_exp(macro(name(BUILD_ASSERT)))))"}
|
||||
-config=B.UNEVALEFF,reports+={safe,"any_area(any_loc(any_exp(macro(name(BUILD_ASSERT)))))"}
|
||||
-doc_end
|
||||
|
||||
#
|
||||
# Series 14
|
||||
#
|
||||
|
||||
-doc_begin="The severe restrictions imposed by this rule on the use of for
|
||||
statements are not balanced by the presumed facilitation of the peer review
|
||||
activity."
|
||||
-config=MC3A2.R14.2,reports+={disapplied,"any()"}
|
||||
-doc_end
|
||||
|
||||
-doc_begin="The Zephyr team relies on the fact that invariant conditions of 'if' statements and conditional operators are deliberate"
|
||||
-config=MC3A2.R14.3,statements+={deliberate, "wrapped(any(),node(if_stmt||conditional_operator||binary_conditional_operator))" }
|
||||
-doc_end
|
||||
|
||||
-doc_begin="Switches having a 'sizeof' operator as the condition are deliberate and have limited scope."
|
||||
-config=MC3A2.R14.3,statements+={deliberate, "wrapped(any(),node(switch_stmt)&&child(cond, operator(sizeof)))" }
|
||||
-doc_end
|
||||
|
||||
-doc_begin="A controlling expression of 'if' and iteration statements having integer, character or pointer type has a semantics that is well-known to all Zephyr developers."
|
||||
-config=MC3A2.R14.4,etypes+={deliberate, "any()", "src_type(integer||character)||src_expr(type(desugar(pointer(any()))))"}
|
||||
-doc_end
|
||||
|
||||
-doc_begin="The Zephyr team relies on the fact that the enum is_dying has the
|
||||
constant with assigned value 0 act as false and the other ones as true,
|
||||
therefore have the same behavior of a boolean"
|
||||
-config=MC3A2.R14.4,etypes+={deliberate, "stmt(child(cond,child(expr,ref(^<?domain>?::is_dying$))))","src_type(enum)"}
|
||||
-doc_end
|
||||
|
||||
#
|
||||
# Series 16.
|
||||
#
|
||||
|
||||
-doc_begin="Statements that change the control flow (i.e., break, continue, goto, return) and calls to functions that do not return the control back are \"allowed terminal statements\"."
|
||||
-stmt_selector+={r16_3_allowed_terminal, "node(break_stmt||continue_stmt||goto_stmt||return_stmt)||call(property(noreturn))"}
|
||||
-config=MC3A2.R16.3,terminals+={safe, "r16_3_allowed_terminal"}
|
||||
-doc_end
|
||||
|
||||
-doc_begin="An if-else statement having both branches ending with an allowed terminal statement is itself an allowed terminal statement."
|
||||
-stmt_selector+={r16_3_if, "node(if_stmt)&&(child(then,r16_3_allowed_terminal)||child(then,any_stmt(stmt,-1,r16_3_allowed_terminal)))"}
|
||||
-stmt_selector+={r16_3_else, "node(if_stmt)&&(child(else,r16_3_allowed_terminal)||child(else,any_stmt(stmt,-1,r16_3_allowed_terminal)))"}
|
||||
-stmt_selector+={r16_3_if_else, "r16_3_if&&r16_3_else"}
|
||||
-config=MC3A2.R16.3,terminals+={safe, "r16_3_if_else"}
|
||||
-doc_end
|
||||
|
||||
-doc_begin="An if-else statement having an always true condition and the true branch ending with an allowed terminal statement is itself an allowed terminal statement."
|
||||
-stmt_selector+={r16_3_if_true, "r16_3_if&&child(cond,definitely_in(1..))"}
|
||||
-config=MC3A2.R16.3,terminals+={safe, "r16_3_if_true"}
|
||||
-doc_end
|
||||
|
||||
-doc_begin="A switch clause ending with a statement expression which, in turn, ends with an allowed terminal statement is safe."
|
||||
-config=MC3A2.R16.3,terminals+={safe, "node(stmt_expr)&&child(stmt,node(compound_stmt)&&any_stmt(stmt,-1,r16_3_allowed_terminal||r16_3_if_else||r16_3_if_true))"}
|
||||
-doc_end
|
||||
|
||||
-doc_begin="A switch clause ending with a do-while-false the body of which, in turn, ends with an allowed terminal statement is safe.
|
||||
An exception to that is the macro ASSERT_UNREACHABLE() which is effective in debug build only: a switch clause ending with ASSERT_UNREACHABLE() is not considered safe."
|
||||
-config=MC3A2.R16.3,terminals+={safe, "!macro(name(ASSERT_UNREACHABLE))&&node(do_stmt)&&child(cond,definitely_in(0))&&child(body,any_stmt(stmt,-1,r16_3_allowed_terminal||r16_3_if_else||r16_3_if_true))"}
|
||||
-doc_end
|
||||
|
||||
-doc_begin="Switch clauses ending with pseudo-keyword \"fallthrough\" are
|
||||
safe."
|
||||
-config=MC3A2.R16.3,reports+={safe, "any_area(end_loc(any_exp(text(/fallthrough;/))))"}
|
||||
-doc_end
|
||||
|
||||
-doc_begin="Switch clauses ending with failure method \"BUG()\" are safe."
|
||||
-config=MC3A2.R16.3,reports+={safe, "any_area(end_loc(any_exp(text(/BUG\\(\\);/))))"}
|
||||
-doc_end
|
||||
|
||||
-doc_begin="Switch clauses ending with an explicit comment indicating the fallthrough intention are safe."
|
||||
-config=MC3A2.R16.3,reports+={safe, "any_area(end_loc(any_exp(text(^(?s).*/\\* [fF]all ?through\\.? \\*/.*$,0..2))))"}
|
||||
-doc_end
|
||||
|
||||
-doc_begin="Switch statements having a controlling expression of enum type deliberately do not have a default case: gcc -Wall enables -Wswitch which warns (and breaks the build as we use -Werror) if one of the enum labels is missing from the switch."
|
||||
-config=MC3A2.R16.4,reports+={deliberate,'any_area(kind(context)&&^.* has no `default.*$&&stmt(node(switch_stmt)&&child(cond,skip(__non_syntactic_paren_stmts,type(canonical(enum_underlying_type(any())))))))'}
|
||||
-doc_end
|
||||
|
||||
-doc_begin="A switch statement with a single switch clause and no default label may be used in place of an equivalent if statement if it is considered to improve readability."
|
||||
-config=MC3A2.R16.4,switch_clauses+={deliberate,"switch(1)&&default(0)"}
|
||||
-doc_end
|
||||
|
||||
-doc_begin="A switch statement with a single switch clause and no default label may be used in place of an equivalent if statement if it is considered to improve readability."
|
||||
-config=MC3A2.R16.6,switch_clauses+={deliberate, "default(0)"}
|
||||
-doc_end
|
||||
|
||||
#
|
||||
# Series 17.
|
||||
#
|
||||
|
||||
-doc_begin="printf()-like functions are allowed to use the variadic features provided by stdarg.h."
|
||||
-config=MC3A2.R17.1,reports+={deliberate,"any_area(^.*va_list.*$&&context(ancestor_or_self(^.*printk\\(.*\\)$)))"}
|
||||
-config=MC3A2.R17.1,reports+={deliberate,"any_area(^.*va_list.*$&&context(ancestor_or_self(^.*printf\\(.*\\)$)))"}
|
||||
-config=MC3A2.R17.1,reports+={deliberate,"any_area(^.*va_list.*$&&context(ancestor_or_self(name(panic)&&kind(function))))"}
|
||||
-config=MC3A2.R17.1,reports+={deliberate,"any_area(^.*va_list.*$&&context(ancestor_or_self(name(elf_call_log_callback)&&kind(function))))"}
|
||||
-config=MC3A2.R17.1,reports+={deliberate,"any_area(^.*va_list.*$&&context(ancestor_or_self(name(vprintk_common)&&kind(function))))"}
|
||||
-config=MC3A2.R17.1,macros+={hide , "^va_(arg|start|copy|end)$"}
|
||||
-doc_end
|
||||
|
||||
-doc_begin="Not using the return value of a function does not endanger safety if it coincides with an actual argument."
|
||||
-config=MC3A2.R17.7,calls+={safe, "any()", "decl(name(__builtin_memcpy||__builtin_memmove||__builtin_memset||cpumask_check))"}
|
||||
-doc_end
|
||||
|
||||
#
|
||||
# Series 18.
|
||||
#
|
||||
|
||||
|
||||
-doc_begin="The following macro performs a subtraction between pointers to obtain the mfn, but does not lead to undefined behaviour."
|
||||
-config=MC3A2.R18.2,reports+={safe, "any_area(any_loc(any_exp(macro(^page_to_mfn$))))"}
|
||||
-doc_end
|
||||
|
||||
-doc_begin="Flexible array members are deliberately used and Zephyr developers are aware of the dangers related to them:
|
||||
unexpected result when the structure is given as argument to a sizeof() operator and the truncation in assignment between structures."
|
||||
-config=MC3A2.R18.7,reports+={deliberate, "any()"}
|
||||
-doc_end
|
||||
|
||||
#
|
||||
# Series 20.
|
||||
#
|
||||
|
||||
-doc_begin="Code violating Rule 20.7 is safe when macro parameters are used: (1)
|
||||
as function arguments; (2) as macro arguments; (3) as array indices; (4) as lhs
|
||||
in assignments; (5) as initializers, possibly designated, in initalizer lists;
|
||||
(6) as the constant expression in a switch clause label."
|
||||
-config=MC3A2.R20.7,expansion_context=
|
||||
{safe, "context(__call_expr_arg_contexts)"},
|
||||
{safe, "left_right(^[(,\\[]$,^[),\\]]$)"},
|
||||
{safe, "context(skip_to(__expr_non_syntactic_contexts, stmt_child(node(array_subscript_expr), subscript)))"},
|
||||
{safe, "context(skip_to(__expr_non_syntactic_contexts, stmt_child(operator(assign), lhs)))"},
|
||||
{safe, "context(skip_to(__expr_non_syntactic_contexts, stmt_child(node(init_list_expr||designated_init_expr), init)))"},
|
||||
{safe, "context(skip_to(__expr_non_syntactic_contexts, stmt_child(node(case_stmt), lower||upper)))"}
|
||||
-doc_end
|
||||
|
||||
-doc_begin="Violations involving the __config_enabled macros cannot be fixed without
|
||||
breaking the macro's logic; furthermore, the macro is only ever used in the context
|
||||
of the IS_ENABLED or STATIC_IF/STATIC_IF_NOT macros, so it always receives a literal
|
||||
0 or 1 as input, posing no risk to safety."
|
||||
-config=MC3A2.R20.7,reports+={safe, "any_area(any_loc(any_exp(macro(^___config_enabled$))))"}
|
||||
-doc_end
|
||||
|
||||
-doc_begin="To avoid compromising readability, the macros alternative_(v)?call[0-9] are allowed
|
||||
not to parenthesize their arguments."
|
||||
-config=MC3A2.R20.7,reports+={safe, "any_area(any_loc(any_exp(macro(^alternative_(v)?call[0-9]$))))"}
|
||||
-doc_end
|
||||
|
||||
-doc_begin="The argument 'x' of the count_args_ macro can't be parenthesized as
|
||||
the rule would require, without breaking the functionality of the macro. The uses
|
||||
of this macro do not lead to developer confusion, and can thus be deviated."
|
||||
-config=MC3A2.R20.7,reports+={safe, "any_area(any_loc(any_exp(macro(^count_args_$))))"}
|
||||
-doc_end
|
||||
|
||||
-doc_begin="The argument \"fn\" in macros {COMPILE,RUNTIME}_CHECK is not parenthesized
|
||||
on purpose, to be able to test function-like macros. Given the specialized and limited
|
||||
use of this macro, it is deemed ok to deviate them."
|
||||
-config=MC3A2.R20.7,reports+={deliberate, "any_area(any_loc(any_exp(macro(^(COMPILE_CHECK|RUNTIME_CHECK)$))))"}
|
||||
-doc_end
|
||||
|
||||
-doc_begin="Problems related to operator precedence can not occur if the expansion of the macro argument is surrounded by tokens '{', '}' and ';'."
|
||||
-config=MC3A2.R20.7,expansion_context+={safe, "left_right(^[\\{;]$,^[;\\}]$)"}
|
||||
-doc_end
|
||||
|
||||
-doc_begin="Uses of variadic macros that have one of their arguments defined as
|
||||
a macro and used within the body for both ordinary parameter expansion and as an
|
||||
operand to the # or ## operators have a behavior that is well-understood and
|
||||
deliberate."
|
||||
-config=MC3A2.R20.12,macros+={deliberate, "variadic()"}
|
||||
-doc_end
|
||||
|
||||
-doc_begin="Uses of a macro parameter for ordinary expansion and as an operand
|
||||
to the # or ## operators within the following macros are deliberate, to provide
|
||||
useful diagnostic messages to the user."
|
||||
-config=MC3A2.R20.12,macros+={deliberate, "name(__ASSERT||__ASSERT_NO_MSG||BUILD_ASSERT"}
|
||||
-doc_end
|
||||
|
||||
#
|
||||
# Series 21.
|
||||
#
|
||||
|
||||
|
||||
#
|
||||
# General
|
||||
#
|
||||
|
||||
-doc_begin="do-while-[01] is a well recognized loop idiom by the Zephyr community."
|
||||
-loop_idioms={do_stmt, "literal(0)||literal(1)"}
|
||||
-doc_end
|
||||
-doc_begin="while-[01] is a well recognized loop idiom by the Zephyr community."
|
||||
-loop_idioms+={while_stmt, "literal(0)||literal(1)"}
|
||||
-doc_end
|
||||
|
||||
#
|
||||
# Developer confusion
|
||||
#
|
||||
|
||||
-doc="Selection for reports that are fully contained in adopted code."
|
||||
-report_selector+={adopted_report,"all_area(!kind(culprit||evidence)||all_loc(all_exp(adopted||pseudo)))"}
|
||||
|
||||
-doc_begin="Adopted code is not meant to be read, reviewed or modified by human
|
||||
programmers:no developers' confusion is not possible. In addition, adopted code
|
||||
is assumed to work as is. Reports that are fully contained in adopted code are
|
||||
hidden/tagged with the 'adopted' tag."
|
||||
-service_selector={developer_confusion_guidelines,"^(MC3A2\\.R2\\.1|MC3A2\\.R2\\.2|MC3A2\\.R2\\.3|MC3A2\\.R2\\.4|MC3A2\\.R2\\.5|MC3A2\\.R2\\.6|MC3A2\\.R2\\.7|MC3A2\\.R4\\.1|MC3A2\\.R5\\.3|MC3A2\\.R5\\.6|MC3A2\\.R5\\.7|MC3A2\\.R5\\.8|MC3A2\\.R5\\.9|MC3A2\\.R7\\.1|MC3A2\\.R7\\.2|MC3A2\\.R7\\.3|MC3A2\\.R8\\.7|MC3A2\\.R8\\.8|MC3A2\\.R8\\.9|MC3A2\\.R8\\.11|MC3A2\\.R8\\.12|MC3A2\\.R8\\.13|MC3A2\\.R9\\.3|MC3A2\\.R9\\.4|MC3A2\\.R9\\.5|MC3A2\\.R10\\.2|MC3A2\\.R10\\.5|MC3A2\\.R10\\.6|MC3A2\\.R10\\.7|MC3A2\\.R10\\.8|MC3A2\\.R11\\.9|MC3A2\\.R12\\.1|MC3A2\\.R12\\.3|MC3A2\\.R12\\.4|MC3A2\\.R13\\.5|MC3A2\\.R14\\.1|MC3A2\\.R14\\.2|MC3A2\\.R14\\.3|MC3A2\\.R15\\.1|MC3A2\\.R15\\.2|MC3A2\\.R15\\.3|MC3A2\\.R15\\.4|MC3A2\\.R15\\.5|MC3A2\\.R15\\.6|MC3A2\\.R15\\.7|MC3A2\\.R16\\.1|MC3A2\\.R16\\.2|MC3A2\\.R16\\.3|MC3A2\\.R16\\.4|MC3A2\\.R16\\.5|MC3A2\\.R16\\.6|MC3A2\\.R16\\.7|MC3A2\\.R17\\.7|MC3A2\\.R17\\.8|MC3A2\\.R18\\.4|MC3A2\\.R18\\.5)$"
|
||||
}
|
||||
-config=developer_confusion_guidelines,reports+={relied,adopted_report}
|
||||
-doc_end
|
|
@ -101,6 +101,7 @@
|
|||
|
||||
-eval_file=adopted_code.ecl
|
||||
-eval_file=adopted_deviations.ecl
|
||||
-eval_file=deviations.ecl
|
||||
|
||||
-doc="Hide reports marked as compliant."
|
||||
-remap_rtag={compliant,hide}
|
||||
|
|
Loading…
Add table
Add a link
Reference in a new issue