On 17/07/23 23:15, Julien Grall wrote:
Hi Nicola,
I am currently looking at the code to check if we can avoid some SAF-*.
But I need some clarification on the usage.
On 14/07/2023 12:49, Nicola Vetrini wrote:
@@ -2914,6 +2924,7 @@ static int __init make_vpl011_uart_node(struct
kernel_info *kinfo)
void *fdt = kinfo->fdt;
int res;
gic_interrupt_t intr;
This value will be passed to set_interrupt() which contains the
following code:
__be32 *cells = interrupt;
[...]
dt_set_cells(&cells, ....);
Where gic_interrupt_t is:
typedef __be32 gic_interrupt[3];
This is very similar to the pattern in ...
+ /* SAF-1-safe MC3R1.R9.1*/
__be32 reg[GUEST_ROOT_ADDRESS_CELLS + GUEST_ROOT_SIZE_CELLS];
__be32 *cells;
struct domain *d = kinfo->d;
@@ -3435,6 +3446,7 @@ static void __init initrd_load(struct
kernel_info *kinfo)
paddr_t paddr, len;
int node;
int res;
+ /* SAF-1-safe MC3R1.R9.1 */
__be32 val[2];
... here.
cellp = (__be32 *)val;
dt_set_cell(&cellp, ..., load_addr);
Would you be able to explain why Eclair is complaining for this one but
not the previous one?
Cheers,
It did complain, but I specified an always_write property on the first
parameter of set_interrupt, because dt_set_cell does always write it
trough the argument cells. (there are three calls to dt_set_cell, which
means that the array is fully initialized).
The difference is that initrd_load calls dt_set_cell directly.
dt_set_cell does indeed initialize val[2], but only because it's called
with the appropriate size. If the latter is wrapped in a function or
macro, then I can add the same property as above and avoid the deviation.
Regards,
--
Nicola Vetrini, BSc
Software Engineer, BUGSENG srl (https://bugseng.com)
