On 14/05/2025 09:37, Julien Grall wrote:
> Hi Michal,
>
> On 14/05/2025 08:04, Orzel, Michal wrote:
>>
>>
>> On 14/05/2025 08:56, Jan Beulich wrote:
>>> On 14.05.2025 08:31, Orzel, Michal wrote:
>>>> On 14/05/2025 02:07, Stefano Stabellini wrote:
>>>>> On Tue, 13 May 2025, Stewart Hildebrand wrote:
>>>>>> All functions in dom0less-build.c should be __init.
>>>> Why? This patch is first in your series and by that time there is no build-time
>>>> enforcement. Together with the Fixes tag it implies that this is somehow an
>>>> issue (i.e. build/runtime issue) other than inconsistency, for which we surely
>>>> don't need a Fixes tag.
>>>
>>> I disagree: Code not called post-init should be in .init.*. While not formally
>>> a MISRA violation (and wrongly so, I think), it imo effectively is: Such code
>>> is otherwise unreachable post-init.
>> You have a point here, I agree. Although I don't think MISRA differentiates
>> between unreachable in general vs pre- or post-init. It defines it as code that
>> cannot be executed. It does not go into stages of runtime execution.
>>
>> I'm thinking how this is different from a function that is called e.g. only once
>> at a specific point of runtime execution, for which we did not come up with a
>> separate section?
>
> Along with what Jan said, in general there is some relaxation for the
> boot code. For instance, we could accept it if it panics.
>
> There is at least one place in domain_build.c which calls panic(), and
> the parsing is not meant to be fully robust. So this code either needs to
> be __init (as this was the intention from when the feature was created)
> or you need to fully harden the code.
What is this place?
~Michal