diff mbox series

[Xen-devel] xen/public: arch-arm: Restrict the visibility of struct vcpu_guest_core_regs

Message ID 20190520181250.17404-1-julien.grall@arm.com
State Superseded
Headers show
Series [Xen-devel] xen/public: arch-arm: Restrict the visibility of struct vcpu_guest_core_regs | expand

Commit Message

Julien Grall May 20, 2019, 6:12 p.m. UTC
Currently, the structure vcpu_guest_core_regs is part of the public API.
This implies that any change in the structure should be backward
compatible.

However, the structure is only needed by the tools and Xen. It is also
not expected to be ever used outside of that context. So we could save us
some headache by only declaring the structure for Xen and tools.

Suggested-by: Andrew Cooper <andrew.cooper3@citrix.com>
Signed-off-by: Julien Grall <julien.grall@arm.com>

---
    This is a follow-up of the discussion [1].

    As this is now Xen and tools only, I am wondering whether the check on
    GNU_C is still necessary. I am happy to send a follow-up patch (or fold
    in this one) if it can be removed.

    [1] <3c245c5b-51c6-1d0e-ad6c-42414573166f@arm.com>
---
 xen/include/public/arch-arm.h | 3 +++
 1 file changed, 3 insertions(+)

Comments

Jan Beulich May 21, 2019, 9:26 a.m. UTC | #1
>>> On 20.05.19 at 20:12, <julien.grall@arm.com> wrote:
>     As this is now Xen and tools only, I am wondering whether the check on
>     GNU_C is still necessary. I am happy to send a follow-up patch (or fold
>     in this one) if it can be removed.

I think this should be dropped if it can be without breaking any
part of the build.

> --- a/xen/include/public/arch-arm.h
> +++ b/xen/include/public/arch-arm.h
> @@ -197,6 +197,7 @@
>      } while ( 0 )
>  #define set_xen_guest_handle(hnd, val) set_xen_guest_handle_raw(hnd, val)
>  
> +#if defined(__XEN__) || defined(__XEN_TOOLS__)
>  #if defined(__GNUC__) && !defined(__STRICT_ANSI__)
>  /* Anonymous union includes both 32- and 64-bit names (e.g., r0/x0). */
>  # define __DECL_REG(n64, n32) union {          \
> @@ -272,6 +273,8 @@ DEFINE_XEN_GUEST_HANDLE(vcpu_guest_core_regs_t);
>  
>  #undef __DECL_REG
>  
> +#endif

If I was the maintainer of this code, I'd ask for the struct declaration
to be moved (into the existing #if) rather than adding a 2nd #if.

Jan
Julien Grall May 21, 2019, 9:35 a.m. UTC | #2
Hi Jan,

On 5/21/19 10:26 AM, Jan Beulich wrote:
>>>> On 20.05.19 at 20:12, <julien.grall@arm.com> wrote:
>>      As this is now Xen and tools only, I am wondering whether the check on
>>      GNU_C is still necessary. I am happy to send a follow-up patch (or fold
>>      in this one) if it can be removed.
> 
> I think this should be dropped if it can be without breaking any
> part of the build.
This is because all the tools are part of xen.git, right?

>> --- a/xen/include/public/arch-arm.h
>> +++ b/xen/include/public/arch-arm.h
>> @@ -197,6 +197,7 @@
>>       } while ( 0 )
>>   #define set_xen_guest_handle(hnd, val) set_xen_guest_handle_raw(hnd, val)
>>   
>> +#if defined(__XEN__) || defined(__XEN_TOOLS__)
>>   #if defined(__GNUC__) && !defined(__STRICT_ANSI__)
>>   /* Anonymous union includes both 32- and 64-bit names (e.g., r0/x0). */
>>   # define __DECL_REG(n64, n32) union {          \
>> @@ -272,6 +273,8 @@ DEFINE_XEN_GUEST_HANDLE(vcpu_guest_core_regs_t);
>>   
>>   #undef __DECL_REG
>>   
>> +#endif
> 
> If I was the maintainer of this code, I'd ask for the struct declaration
> to be moved (into the existing #if) rather than adding a 2nd #if.

s/2nd/3rd/ ;)

The reason I haven't done that is git will generate a completely 
unrelated diff. So it makes quite difficult to understand the purpose of 
the patch.

Cheers,
Jan Beulich May 21, 2019, 9:43 a.m. UTC | #3
>>> On 21.05.19 at 11:35, <julien.grall@arm.com> wrote:
> On 5/21/19 10:26 AM, Jan Beulich wrote:
>>>>> On 20.05.19 at 20:12, <julien.grall@arm.com> wrote:
>>>      As this is now Xen and tools only, I am wondering whether the check on
>>>      GNU_C is still necessary. I am happy to send a follow-up patch (or fold
>>>      in this one) if it can be removed.
>> 
>> I think this should be dropped if it can be without breaking any
>> part of the build.
> This is because all the tools are part of xen.git, right?

Right - no-one else is supposed to define __XEN_TOOLS__, or
if anyone does, they're on their own.

>>> --- a/xen/include/public/arch-arm.h
>>> +++ b/xen/include/public/arch-arm.h
>>> @@ -197,6 +197,7 @@
>>>       } while ( 0 )
>>>   #define set_xen_guest_handle(hnd, val) set_xen_guest_handle_raw(hnd, val)
>>>   
>>> +#if defined(__XEN__) || defined(__XEN_TOOLS__)
>>>   #if defined(__GNUC__) && !defined(__STRICT_ANSI__)
>>>   /* Anonymous union includes both 32- and 64-bit names (e.g., r0/x0). */
>>>   # define __DECL_REG(n64, n32) union {          \
>>> @@ -272,6 +273,8 @@ DEFINE_XEN_GUEST_HANDLE(vcpu_guest_core_regs_t);
>>>   
>>>   #undef __DECL_REG
>>>   
>>> +#endif
>> 
>> If I was the maintainer of this code, I'd ask for the struct declaration
>> to be moved (into the existing #if) rather than adding a 2nd #if.
> 
> s/2nd/3rd/ ;)
> 
> The reason I haven't done that is git will generate a completely 
> unrelated diff. So it makes quite difficult to understand the purpose of 
> the patch.

Well, as said - you're the maintainer. I wouldn't be bothered overly
much by a strange diff that might result.

Jan
Julien Grall May 21, 2019, 9:55 a.m. UTC | #4
Hi Jan,

On 5/21/19 10:43 AM, Jan Beulich wrote:
>>>> On 21.05.19 at 11:35, <julien.grall@arm.com> wrote:
>> On 5/21/19 10:26 AM, Jan Beulich wrote:
>>>>>> On 20.05.19 at 20:12, <julien.grall@arm.com> wrote:
>>>>       As this is now Xen and tools only, I am wondering whether the check on
>>>>       GNU_C is still necessary. I am happy to send a follow-up patch (or fold
>>>>       in this one) if it can be removed.
>>>
>>> I think this should be dropped if it can be without breaking any
>>> part of the build.
>> This is because all the tools are part of xen.git, right?
> 
> Right - no-one else is supposed to define __XEN_TOOLS__, or
> if anyone does, they're on their own.

Thanks for the information. I will do a full build check.

> 
>>>> --- a/xen/include/public/arch-arm.h
>>>> +++ b/xen/include/public/arch-arm.h
>>>> @@ -197,6 +197,7 @@
>>>>        } while ( 0 )
>>>>    #define set_xen_guest_handle(hnd, val) set_xen_guest_handle_raw(hnd, val)
>>>>    
>>>> +#if defined(__XEN__) || defined(__XEN_TOOLS__)
>>>>    #if defined(__GNUC__) && !defined(__STRICT_ANSI__)
>>>>    /* Anonymous union includes both 32- and 64-bit names (e.g., r0/x0). */
>>>>    # define __DECL_REG(n64, n32) union {          \
>>>> @@ -272,6 +273,8 @@ DEFINE_XEN_GUEST_HANDLE(vcpu_guest_core_regs_t);
>>>>    
>>>>    #undef __DECL_REG
>>>>    
>>>> +#endif
>>>
>>> If I was the maintainer of this code, I'd ask for the struct declaration
>>> to be moved (into the existing #if) rather than adding a 2nd #if.
>>
>> s/2nd/3rd/ ;)
>>
>> The reason I haven't done that is git will generate a completely
>> unrelated diff. So it makes quite difficult to understand the purpose of
>> the patch.
> 
> Well, as said - you're the maintainer. I wouldn't be bothered overly
> much by a strange diff that might result.

I will wait on Stefano's input.


Cheers,
Stefano Stabellini May 21, 2019, 9:06 p.m. UTC | #5
On Tue, 21 May 2019, Julien Grall wrote:
> Hi Jan,
> 
> On 5/21/19 10:43 AM, Jan Beulich wrote:
> > > > > On 21.05.19 at 11:35, <julien.grall@arm.com> wrote:
> > > On 5/21/19 10:26 AM, Jan Beulich wrote:
> > > > > > > On 20.05.19 at 20:12, <julien.grall@arm.com> wrote:
> > > > >       As this is now Xen and tools only, I am wondering whether the
> > > > > check on
> > > > >       GNU_C is still necessary. I am happy to send a follow-up patch
> > > > > (or fold
> > > > >       in this one) if it can be removed.
> > > > 
> > > > I think this should be dropped if it can be without breaking any
> > > > part of the build.
> > > This is because all the tools are part of xen.git, right?
> > 
> > Right - no-one else is supposed to define __XEN_TOOLS__, or
> > if anyone does, they're on their own.
> 
> Thanks for the information. I will do a full build check.
> 
> > 
> > > > > --- a/xen/include/public/arch-arm.h
> > > > > +++ b/xen/include/public/arch-arm.h
> > > > > @@ -197,6 +197,7 @@
> > > > >        } while ( 0 )
> > > > >    #define set_xen_guest_handle(hnd, val)
> > > > > set_xen_guest_handle_raw(hnd, val)
> > > > >    +#if defined(__XEN__) || defined(__XEN_TOOLS__)
> > > > >    #if defined(__GNUC__) && !defined(__STRICT_ANSI__)
> > > > >    /* Anonymous union includes both 32- and 64-bit names (e.g.,
> > > > > r0/x0). */
> > > > >    # define __DECL_REG(n64, n32) union {          \
> > > > > @@ -272,6 +273,8 @@ DEFINE_XEN_GUEST_HANDLE(vcpu_guest_core_regs_t);
> > > > >       #undef __DECL_REG
> > > > >    +#endif
> > > > 
> > > > If I was the maintainer of this code, I'd ask for the struct declaration
> > > > to be moved (into the existing #if) rather than adding a 2nd #if.
> > > 
> > > s/2nd/3rd/ ;)
> > > 
> > > The reason I haven't done that is git will generate a completely
> > > unrelated diff. So it makes quite difficult to understand the purpose of
> > > the patch.
> > 
> > Well, as said - you're the maintainer. I wouldn't be bothered overly
> > much by a strange diff that might result.
> 
> I will wait on Stefano's input.

Yes, please follow Jan's advice, thanks.
Julien Grall May 22, 2019, 12:20 p.m. UTC | #6
On 21/05/2019 10:55, Julien Grall wrote:
> Hi Jan,
> 
> On 5/21/19 10:43 AM, Jan Beulich wrote:
>>>>> On 21.05.19 at 11:35, <julien.grall@arm.com> wrote:
>>> On 5/21/19 10:26 AM, Jan Beulich wrote:
>>>>>>> On 20.05.19 at 20:12, <julien.grall@arm.com> wrote:
>>>>>       As this is now Xen and tools only, I am wondering whether the check on
>>>>>       GNU_C is still necessary. I am happy to send a follow-up patch (or fold
>>>>>       in this one) if it can be removed.
>>>>
>>>> I think this should be dropped if it can be without breaking any
>>>> part of the build.
>>> This is because all the tools are part of xen.git, right?
>>
>> Right - no-one else is supposed to define __XEN_TOOLS__, or
>> if anyone does, they're on their own.
> 
> Thanks for the information. I will do a full build check.

I thought about this again, long term there are an attempt to build xen with 
other compiler not necessarily supporting GNU C extension.

While this would probably not be the only place that need to be reworked, we 
would have to revert part of this change. So I will not drop the #ifdef here.

I will resend the patch next week to give some time for more feedback.


Cheers,
Jan Beulich May 22, 2019, 12:29 p.m. UTC | #7
>>> On 22.05.19 at 14:20, <julien.grall@arm.com> wrote:

> 
> On 21/05/2019 10:55, Julien Grall wrote:
>> Hi Jan,
>> 
>> On 5/21/19 10:43 AM, Jan Beulich wrote:
>>>>>> On 21.05.19 at 11:35, <julien.grall@arm.com> wrote:
>>>> On 5/21/19 10:26 AM, Jan Beulich wrote:
>>>>>>>> On 20.05.19 at 20:12, <julien.grall@arm.com> wrote:
>>>>>>       As this is now Xen and tools only, I am wondering whether the check on
>>>>>>       GNU_C is still necessary. I am happy to send a follow-up patch (or fold
>>>>>>       in this one) if it can be removed.
>>>>>
>>>>> I think this should be dropped if it can be without breaking any
>>>>> part of the build.
>>>> This is because all the tools are part of xen.git, right?
>>>
>>> Right - no-one else is supposed to define __XEN_TOOLS__, or
>>> if anyone does, they're on their own.
>> 
>> Thanks for the information. I will do a full build check.
> 
> I thought about this again, long term there are an attempt to build xen with 
> other compiler not necessarily supporting GNU C extension.
> While this would probably not be the only place that need to be reworked, we 
> would have to revert part of this change. So I will not drop the #ifdef here.

Well, I don't know how it is for Arm, but on x86 we actually use the
"extended" naming quite extensively, so building with a compiler
that doesn't support this extension is not really an option there.

Jan
Julien Grall May 22, 2019, 1 p.m. UTC | #8
(+Artem)

Hi Jan,

On 22/05/2019 13:29, Jan Beulich wrote:
>>>> On 22.05.19 at 14:20, <julien.grall@arm.com> wrote:
> 
>>
>> On 21/05/2019 10:55, Julien Grall wrote:
>>> Hi Jan,
>>>
>>> On 5/21/19 10:43 AM, Jan Beulich wrote:
>>>>>>> On 21.05.19 at 11:35, <julien.grall@arm.com> wrote:
>>>>> On 5/21/19 10:26 AM, Jan Beulich wrote:
>>>>>>>>> On 20.05.19 at 20:12, <julien.grall@arm.com> wrote:
>>>>>>>        As this is now Xen and tools only, I am wondering whether the check on
>>>>>>>        GNU_C is still necessary. I am happy to send a follow-up patch (or fold
>>>>>>>        in this one) if it can be removed.
>>>>>>
>>>>>> I think this should be dropped if it can be without breaking any
>>>>>> part of the build.
>>>>> This is because all the tools are part of xen.git, right?
>>>>
>>>> Right - no-one else is supposed to define __XEN_TOOLS__, or
>>>> if anyone does, they're on their own.
>>>
>>> Thanks for the information. I will do a full build check.
>>
>> I thought about this again, long term there are an attempt to build xen with
>> other compiler not necessarily supporting GNU C extension.
>> While this would probably not be the only place that need to be reworked, we
>> would have to revert part of this change. So I will not drop the #ifdef here.
> 
> Well, I don't know how it is for Arm, but on x86 we actually use the
> "extended" naming quite extensively, so building with a compiler
> that doesn't support this extension is not really an option there.

For the Arm, I think only cpu_user_regs is using "extended" naming. It should be 
possible to remove it without too much trouble here.

@Artem, is there any restriction to use anonymous union in functional safety?

Cheers,
Artem Mygaiev May 22, 2019, 6:05 p.m. UTC | #9
Hello Julien, Jan

On Wed, 2019-05-22 at 14:00 +0100, Julien Grall wrote:
> (+Artem)

> 

> Hi Jan,

> 

> On 22/05/2019 13:29, Jan Beulich wrote:

> > > > > On 22.05.19 at 14:20, <

> > > > > julien.grall@arm.com

> > > > > > wrote:

> > > On 21/05/2019 10:55, Julien Grall wrote:

> > > > Hi Jan,

> > > > 

> > > > On 5/21/19 10:43 AM, Jan Beulich wrote:

> > > > > > > > On 21.05.19 at 11:35, <

> > > > > > > > julien.grall@arm.com

> > > > > > > > > wrote:

> > > > > > 

> > > > > > On 5/21/19 10:26 AM, Jan Beulich wrote:

> > > > > > > > > > On 20.05.19 at 20:12, <

> > > > > > > > > > julien.grall@arm.com

> > > > > > > > > > > wrote:

> > > > > > > > 

> > > > > > > >        As this is now Xen and tools only, I am

> > > > > > > > wondering whether the check on

> > > > > > > >        GNU_C is still necessary. I am happy to send a

> > > > > > > > follow-up patch (or fold

> > > > > > > >        in this one) if it can be removed.

> > > > > > > 

> > > > > > > I think this should be dropped if it can be without

> > > > > > > breaking any

> > > > > > > part of the build.

> > > > > > 

> > > > > > This is because all the tools are part of xen.git, right?

> > > > > 

> > > > > Right - no-one else is supposed to define __XEN_TOOLS__, or

> > > > > if anyone does, they're on their own.

> > > > 

> > > > Thanks for the information. I will do a full build check.

> > > 

> > > I thought about this again, long term there are an attempt to

> > > build xen with

> > > other compiler not necessarily supporting GNU C extension.

> > > While this would probably not be the only place that need to be

> > > reworked, we

> > > would have to revert part of this change. So I will not drop the

> > > #ifdef here.

> > 

> > Well, I don't know how it is for Arm, but on x86 we actually use

> > the

> > "extended" naming quite extensively, so building with a compiler

> > that doesn't support this extension is not really an option there.

> 

> For the Arm, I think only cpu_user_regs is using "extended" naming.

> It should be 

> possible to remove it without too much trouble here.

> 

> @Artem, is there any restriction to use anonymous union in functional

> safety?

> 


In general, unions are not allowed in safety regulated programming,
they always require a "deviation" - e.g. unions use for data packing is
usually accepted disregarding anonymous or not.

Couple of other things I wanted to mention:
1. all protective programming standards e.g. MISRA recommend reducing
visibility of functions and variables to reduce API surface ans thus
need for test coverage and systematic fault probability.
2. current implementation xen tools are very hard to use in safety for
many reasons, I hope to follow up on this soon...

 -- Artem
Julien Grall June 2, 2019, 10:37 a.m. UTC | #10
Hi Artem,

On 5/22/19 7:05 PM, Artem Mygaiev wrote:
> On Wed, 2019-05-22 at 14:00 +0100, Julien Grall wrote:
>> On 22/05/2019 13:29, Jan Beulich wrote:
>>>>>> On 22.05.19 at 14:20, <
>>>>>> julien.grall@arm.com
>>>>>>> wrote:
>>>> On 21/05/2019 10:55, Julien Grall wrote:
>>>>> Hi Jan,
>>>>>
>>>>> On 5/21/19 10:43 AM, Jan Beulich wrote:
>>>>>>>>> On 21.05.19 at 11:35, <
>>>>>>>>> julien.grall@arm.com
>>>>>>>>>> wrote:
>>>>>>>
>>>>>>> On 5/21/19 10:26 AM, Jan Beulich wrote:
>>>>>>>>>>> On 20.05.19 at 20:12, <
>>>>>>>>>>> julien.grall@arm.com
>>>>>>>>>>>> wrote:
>>>>>>>>>
>>>>>>>>>         As this is now Xen and tools only, I am
>>>>>>>>> wondering whether the check on
>>>>>>>>>         GNU_C is still necessary. I am happy to send a
>>>>>>>>> follow-up patch (or fold
>>>>>>>>>         in this one) if it can be removed.
>>>>>>>>
>>>>>>>> I think this should be dropped if it can be without
>>>>>>>> breaking any
>>>>>>>> part of the build
>>>>>>>
>>>>>>> This is because all the tools are part of xen.git, right?
>>>>>>
>>>>>> Right - no-one else is supposed to define __XEN_TOOLS__, or
>>>>>> if anyone does, they're on their own.
>>>>>
>>>>> Thanks for the information. I will do a full build check.
>>>>
>>>> I thought about this again, long term there are an attempt to
>>>> build xen with
>>>> other compiler not necessarily supporting GNU C extension.
>>>> While this would probably not be the only place that need to be
>>>> reworked, we
>>>> would have to revert part of this change. So I will not drop the
>>>> #ifdef here.
>>>
>>> Well, I don't know how it is for Arm, but on x86 we actually use
>>> the
>>> "extended" naming quite extensively, so building with a compiler
>>> that doesn't support this extension is not really an option there.
>>
>> For the Arm, I think only cpu_user_regs is using "extended" naming.
>> It should be
>> possible to remove it without too much trouble here.
>>
>> @Artem, is there any restriction to use anonymous union in functional
>> safety?
>>
> 
> In general, unions are not allowed in safety regulated programming,
> they always require a "deviation" - e.g. unions use for data packing is
> usually accepted disregarding anonymous or not.

That's good to know. I am going to keep for now the two definitions of 
__DECL_REG. We can remove them later on if it is not necessary.

> 
> Couple of other things I wanted to mention:
> 1. all protective programming standards e.g. MISRA recommend reducing
> visibility of functions and variables to reduce API surface ans thus
> need for test coverage and systematic fault probability.

In general, we want to limit the API exposed to guest as this is stable.
Let us know if you see other places where we could potentially reduce 
the API without impacting existing guest.

> 2. current implementation xen tools are very hard to use in safety for
> many reasons, I hope to follow up on this soon...

Thank you for the feedback!

Cheers,
diff mbox series

Patch

diff --git a/xen/include/public/arch-arm.h b/xen/include/public/arch-arm.h
index eb424e8286..e9a86d8eb8 100644
--- a/xen/include/public/arch-arm.h
+++ b/xen/include/public/arch-arm.h
@@ -197,6 +197,7 @@ 
     } while ( 0 )
 #define set_xen_guest_handle(hnd, val) set_xen_guest_handle_raw(hnd, val)
 
+#if defined(__XEN__) || defined(__XEN_TOOLS__)
 #if defined(__GNUC__) && !defined(__STRICT_ANSI__)
 /* Anonymous union includes both 32- and 64-bit names (e.g., r0/x0). */
 # define __DECL_REG(n64, n32) union {          \
@@ -272,6 +273,8 @@  DEFINE_XEN_GUEST_HANDLE(vcpu_guest_core_regs_t);
 
 #undef __DECL_REG
 
+#endif
+
 typedef uint64_t xen_pfn_t;
 #define PRI_xen_pfn PRIx64
 #define PRIu_xen_pfn PRIu64