On 14.05.2024 09:05, Roger Pau Monné wrote:
> On Sat, May 11, 2024 at 04:16:42PM +0100, Andrew Cooper wrote:
>> Architecturally, there's no 64-bit variant of OUTS in x86.
This is the reason why personally ...
>> Leaving an
>> assertion to this effect is enough to satisfy the analyser.
... I view adding such, in particular ...
>> --- a/xen/arch/x86/pv/emul-priv-op.c
>> +++ b/xen/arch/x86/pv/emul-priv-op.c
>> @@ -685,6 +685,8 @@ static int cf_check rep_outs(
>>
>> *reps = 0;
>>
>> + ASSERT(bytes_per_rep <= 4); /* i.e. 'data' being 4 bytes is fine. */
>
> Don't we need this to be a BUG_ON() to satisfy the compiler also on
> non-debug builds?
>
> Or maybe:
>
> if ( bytes_per_rep > 4 )
> {
> ASSERT_UNREACHABLE();
> return X86EMUL_UNHANDLEABLE;
> }
... such a non-debug-build-covering form as dead code. With suitable
information to hand, I guess Eclair / Misra might even say so, too.
Instead I view the analyzer report here as a weakness of how analysis
is (and has to be) done.
Jan
> Would it be possible to add the check to guest_io_okay() itself?
>
> Thanks, Roger.
