Re: [PATCH v2] misra: add deviation for MISRA C Rule 11.3

Fri, 26 Sep 2025 00:49:28 -0700 

On 2025-09-25 21:11, Dmytro Prokopchuk1 wrote:

On 8/25/25 13:23, Jan Beulich wrote:

On 24.08.2025 19:27, Dmytro Prokopchuk1 wrote:
MISRA C Rule 11.3 states: "A cast shall not be performed between a pointer 
to object type and a pointer to a different object type."
Violations of this rule arise due to the 'container_of()' macro, which casts 
a member of a structure to its containing structure:
     container_of(ptr, type, member) ({                             \
            typeof_field(type, member) *__mptr = (ptr);             \
            (type *)( (char *)__mptr - offsetof(type,member) );})
The 'container_of()' macro is safe because it relies on the standardized and well-defined 'offsetof()' macro to calculate the memory address of the 
containing structure, while assuming proper alignment and ensuring no
undefined behavior, provided that the input pointer is valid and points to 
the specified member.
I may have said so before: This all reads okay to me, just that I'm unsure it would actually be convincing to an assessor. The "provided that ..." is a pretty strong requirement, which isn't overly hard to get wrong. Stefano, 
Nicola - what's your take here?

Jan


Stefano, Nicola,

gentle reminder.

Dmytro.
The fact that you can't guarantee that the pointer you receive is aligned was the main reason why I didn't already introduce such a deviation in the first place. Now, as Stefano pointed out unaligned accessed are largely ok on ARM and x86, with the exception on MMIO pointers (hard fault) and some niche cases in x86 which probably don't matter for Xen dealing with vectorized data types. So the crucial point (not just for this specific deviation) is ensuring that pointer are properly aligned when it matters, which in this case is the same as making sure that "ptr" indeed points to a struct member. What might be a convincing argument is to have sufficient testing and sanitizers (ASAN mostly helps here) to show that this assumption is met with some degree of confidence. 

--
Nicola Vetrini, B.Sc.
Software Engineer
BUGSENG (https://bugseng.com)
LinkedIn: https://www.linkedin.com/in/nicola-vetrini-a42471253

Reply via email to