The label 'out_unmap' is only reachable after ASSERT_UNREACHABLE, so the code below is only executed upon erroneously reaching that program point and calling domain_crash, thus resulting in the for loop after 'out_unmap' becoming unreachable in some configurations.
This is a defensive coding measure to have a safe fallback that is reachable in non-debug builds, and can thus be deviated with a comment-based deviation. No functional change.

Signed-off-by: Nicola Vetrini <nicola.vetr...@bugseng.com>
Reviewed-by: Stefano Stabellini <sstabell...@kernel.org>
---
Changes in v2:
- rebased against current staging
---
docs/misra/safe.json | 8 ++++++++
xen/arch/x86/mm/p2m-pod.c | 1 +
2 files changed, 9 insertions(+)

diff --git a/docs/misra/safe.json b/docs/misra/safe.json index 3f18ef401c7d..880aef784ea1 100644 --- a/docs/misra/safe.json +++ b/docs/misra/safe.json @@ -68,6 +68,14 @@ }, { "id": "SAF-8-safe", + "analyser": { + "eclair": "MC3R1.R2.1" + }, + "name": "MC3R1.R2.1: statement unreachable in some configurations", + "text": "Every path that can reach this statement is preceded by statements that make it unreachable in certain configurations (e.g. ASSERT_UNREACHABLE). This is understood as a means of defensive programming." + }, + { + "id": "SAF-9-safe", "analyser": {}, "name": "Sentinel", "text": "Next ID to be used" diff --git a/xen/arch/x86/mm/p2m-pod.c b/xen/arch/x86/mm/p2m-pod.c index bd84fe9e27ee..736d3ffd1ff6 100644 --- a/xen/arch/x86/mm/p2m-pod.c +++ b/xen/arch/x86/mm/p2m-pod.c @@ -1040,6 +1040,7 @@ out_unmap: * Something went wrong, probably crashing the domain. Unmap * everything and return. */ + /* SAF-8-safe Rule 2.1: defensive programming */ for ( i = 0; i < count; i++ ) if ( map[i] ) unmap_domain_page(map[i]); -- 2.34.1
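Review bot: in the docs/misra/safe.json hunk, the "text" of the new SAF-8-safe entry says the statement is unreachable "in certain configurations" without naming them, whereas the commit message is precise about which configuration is which (unreachable after ASSERT_UNREACHABLE, reachable as the safe fallback in non-debug builds). Since this entry is what an auditor of the deviation will read, suggest carrying that precision into the text, e.g. "... make it unreachable in some build configurations (e.g. ASSERT_UNREACHABLE), while remaining reachable as a safe fallback in others. This is understood as a means of defensive programming." so the claim can be verified without consulting the commit history.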
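Review bot: in the xen/arch/x86/mm/p2m-pod.c hunk, the tag /* SAF-8-safe Rule 2.1: defensive programming */ is placed correctly immediately before the for statement it covers, but the existing comment "Unmap everything and return" indicates a return follows the loop, which is not in the visible context; worth confirming that the analyser does not also report that statement, since a single tag before the loop would not cover it. As a documentation point, the in-file justification would be more useful to a reader of p2m-pod.c if it named the cause rather than only the category, e.g. "SAF-8-safe Rule 2.1: fallback after ASSERT_UNREACHABLE, reachable in non-debug builds", as few readers will open safe.json to decode it.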