Hi Dhruva,
The fundamental problem here is that uintptr_t is specifically portable storage of object pointers, not function pointers - MISRA is just reflecting that limitation of the language. From §7.18.1.4:
The following type designates an unsigned integer type with the property that any valid pointer to void can be converted to this type, then converted back to pointer to void, and the result will compare equal to the original pointer:
uintptr_t
However, a pointer-to-function cannot be converted to a pointer-to-void (from §6.3.2.3):
1. A pointer to void may be converted to or from a pointer to any incomplete or object type. A pointer to any incomplete or object type may be converted to a pointer to void and back again; the result shall compare equal to the original pointer.
I think the canonical fix in both instances that you referenced is to ensure that the entrypoints are represented using compatible function pointer types (presumably void *(void)), rather than uintptr_t.
Additionally, while pure AArch64 does not architecturally specify a difference between function pointers and object pointers, this is not the case for platforms like Morello where function pointers can encode different capabilities, so this MISRA rule is handy for ensuring these casts do not occur.
Regards, Chris
From: Dhruva Gole via TF-A tf-a@lists.trustedfirmware.org Date: Tuesday, 8 July 2025 at 12:53 To: tf-a@lists.trustedfirmware.org tf-a@lists.trustedfirmware.org Cc: Boyan Karatotev Boyan.Karatotev@arm.com Subject: [TF-A] MISRA Compliance: Request to consider filing deviation for 11.1 (Function Pointer Conversions) in TF-A Hello,
Background & Justification: MISRA C:2012 Rule 11.1 forbids the conversion from a function pointer to any other type. However, in the context of TF-A, we encounter scenarios where this conversion is necessary and performed with full knowledge of the target architecture and toolchain behavior. A prominent example is in low-level platform code, such as transferring control between bootloader stages or passing function entry points for CPU/core bring-up, where the conversion is unavoidable and well-understood.
One such example is the K3 PSCI driver [1] where we pass the k3_sec_entrypoint which is of type uintptr_t, to the ti_sci_proc_set_boot_cfg function where the parameter is of type uint64_t. Another place that triggered the discussions behind this MISRA C issue was the TI AM62L PSCI driver [2] that needs a 16b aligned function pointer.
We don't have to go into specific case by case discussion of solving these issues, but just wanted to share example use cases of function pointer conversion.
Request: I propose we formally document a project-wide MISRA C:2012 Rule 11.1 deviation, reflecting current and future usage throughout the TF-A codebase. This deviation allows us to balance MISRA objectives with the practical and architectural necessities of TF-A development.
Rationale: * Conversions between function pointers and other types are essential in several parts of the TF-A codebase, not limited to one module or file. * Platform-specific code (e.g., power management, bootloader hand-offs) relies on this pattern for correct operation.
References: [1] https://github.com/ARM-software/arm-trusted-firmware/blob/master/plat/ti/k3/... [2] https://github.com/ARM-software/arm-trusted-firmware/blob/master/plat/ti/k3l...
-- Best regards, Dhruva Gole Texas Instruments Incorporated -- TF-A mailing list -- tf-a@lists.trustedfirmware.org To unsubscribe send an email to tf-a-leave@lists.trustedfirmware.org