commit | 2ff8cf89f9ecf10fec4e7c81c626e9831bea3c3b | [log] [tgz] |
---|---|---|
author | Andrew Jeffery <andrew@codeconstruct.com.au> | Fri May 17 15:20:46 2024 +0930 |
committer | vkaverap@in.ibm.com <vkaverap@in.ibm.com> | Mon May 20 05:06:25 2024 -0500 |
tree | 55cd4e09cd994b1607df092dde3020d79d12da58 | |
parent | 07febdbb456f6baa55852cc31ef8fca233bdea2c [diff] |
msgbuf: Remove use of ssize_t for overflow tracking There are a few concerns with the use of ssize_t in this context: 1. It's defined by POSIX and not C, and I'd prefer we not require POSIX concepts where we can avoid it 2. ssize_t is defined over [-1, SSIZE_MAX] - it is not defined to have the range of a regular signed type. The source of both these statements is The Open Group Base Specifications Issue 7, 2018 edition. IEEE Std 1003.1-2017 (Revision of IEEE Std 1003.1-2008) The second point directly contradicts how I was trying to use ssize_t in the msgbuf implementation. As a result, switch the type of `remaining` to intmax_t. Usually intmax_t is a problem child, but it's not used in any public API, and it has the semantics I wanted by contrast to the definition of ssize_t. Note that we add assert() calls where we know the value of remaining must be negative. Without the addition of the `assert()` calls in the underflow checks, clang-analyzer gets tripped up by not being able to prove `INTMAX_MIN + (intmax_t)sizeof(uint16_t) < 0`: ``` ../src/platform.c:17:18: error: The left operand of '+' is a garbage value [clang-analyzer-core.UndefinedBinaryOperatorResult,-warnings-as-errors] 17 | if (ctx->length + sizeof(*ctx) < lower) { | ^ ../src/platform.c:2445:6: note: 'rc' is 0 2445 | if (rc) { | ^~ ../src/platform.c:2445:2: note: Taking false branch 2445 | if (rc) { | ^ ../src/platform.c:2449:7: note: Calling 'pldm_msgbuf_extract_value_pdr_hdr' 2449 | rc = pldm_msgbuf_extract_value_pdr_hdr(buf, &hdr); | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ../src/msgbuf/platform.h:17:2: note: Calling 'pldm__msgbuf_extract_uint16' 17 | pldm_msgbuf_extract(ctx, hdr->length); | ^ ../src/msgbuf/../msgbuf.h:517:2: note: expanded from macro 'pldm_msgbuf_extract' 517 | _Generic((dst), \ | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 518 | uint8_t: pldm__msgbuf_extract_uint8, \ | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 519 | int8_t: pldm__msgbuf_extract_int8, \ | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 520 | uint16_t: pldm__msgbuf_extract_uint16, \ | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 521 | int16_t: pldm__msgbuf_extract_int16, \ | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 522 | uint32_t: pldm__msgbuf_extract_uint32, \ | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 523 | int32_t: pldm__msgbuf_extract_int32, \ | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 524 | real32_t: pldm__msgbuf_extract_real32)(ctx, (void *)&(dst)) | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ../src/msgbuf/../msgbuf.h:341:7: note: 'ctx' is non-null 341 | if (!ctx || !ctx->cursor || !dst) { | ^~~ ../src/msgbuf/../msgbuf.h:341:6: note: Left side of '||' is false 341 | if (!ctx || !ctx->cursor || !dst) { | ^ ../src/msgbuf/../msgbuf.h:341:20: note: Field 'cursor' is non-null 341 | if (!ctx || !ctx->cursor || !dst) { | ^ ../src/msgbuf/../msgbuf.h:341:6: note: Left side of '||' is false 341 | if (!ctx || !ctx->cursor || !dst) { | ^ ../src/msgbuf/../msgbuf.h:341:31: note: 'dst' is non-null 341 | if (!ctx || !ctx->cursor || !dst) { | ^~~ ../src/msgbuf/../msgbuf.h:341:2: note: Taking false branch 341 | if (!ctx || !ctx->cursor || !dst) { | ^ ../src/msgbuf/../msgbuf.h:347:2: note: Taking true branch 347 | if (ctx->remaining < INTMAX_MIN + (intmax_t)sizeof(ldst)) { | ^ ../src/msgbuf/../msgbuf.h:348:3: note: Returning without writing to '*dst' 348 | return PLDM_ERROR_INVALID_LENGTH; | ^ ../src/msgbuf/platform.h:17:2: note: Returning from 'pldm__msgbuf_extract_uint16' 17 | pldm_msgbuf_extract(ctx, hdr->length); | ^ ../src/msgbuf/../msgbuf.h:517:2: note: expanded from macro 'pldm_msgbuf_extract' 517 | _Generic((dst), \ | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 518 | uint8_t: pldm__msgbuf_extract_uint8, \ | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 519 | int8_t: pldm__msgbuf_extract_int8, \ | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 520 | uint16_t: pldm__msgbuf_extract_uint16, \ | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 521 | int16_t: pldm__msgbuf_extract_int16, \ | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 522 | uint32_t: pldm__msgbuf_extract_uint32, \ | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 523 | int32_t: pldm__msgbuf_extract_int32, \ | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 524 | real32_t: pldm__msgbuf_extract_real32)(ctx, (void *)&(dst)) | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ../src/msgbuf/platform.h:19:2: note: Returning without writing to 'hdr->length' 19 | return pldm_msgbuf_validate(ctx); | ^ ../src/platform.c:2449:7: note: Returning from 'pldm_msgbuf_extract_value_pdr_hdr' 2449 | rc = pldm_msgbuf_extract_value_pdr_hdr(buf, &hdr); | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ../src/platform.c:2450:6: note: 'rc' is 0 2450 | if (rc) { | ^~ ../src/platform.c:2450:2: note: Taking false branch 2450 | if (rc) { | ^ ../src/platform.c:2454:7: note: Calling 'pldm_platform_pdr_hdr_validate' 2454 | rc = pldm_platform_pdr_hdr_validate( | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 2455 | &hdr, PLDM_PDR_NUMERIC_EFFECTER_PDR_MIN_LENGTH, | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 2456 | pdr_data_length); | ~~~~~~~~~~~~~~~~ ../src/platform.c:17:18: note: The left operand of '+' is a garbage value 17 | if (ctx->length + sizeof(*ctx) < lower) { | ~~~~~~~~~~~ ^ ``` Change-Id: Idbe5a14455ad677a39c8f535eddd9c2ce471c783 Signed-off-by: Andrew Jeffery <andrew@codeconstruct.com.au>
This is a library which deals with the encoding and decoding of PLDM messages. It should be possible to use this library by projects other than OpenBMC, and hence certain constraints apply to it:
Source files are named according to the PLDM Type, for eg base.[h/c], fru.[h/c], etc.
Given a PLDM command "foo", the library will provide the following API: For the Requester function:
encode_foo_req() - encode a foo request decode_foo_resp() - decode a response to foo
For the Responder function:
decode_foo_req() - decode a foo request encode_foo_resp() - encode a response to foo
The library also provides API to pack and unpack PLDM headers.
Need meson
and ninja
. Alternatively, source an OpenBMC ARM/x86 SDK.
meson setup builddir && ninja -C builddir
The simplest way of running the tests is as described by the meson man page:
meson setup builddir && meson test -C builddir
libpldm
The ABIs (symbols, generally functions) exposed by the library are separated into three categories:
Applications depending on libpldm
should aim to only use functions from the stable category. However, this may not always be possible. What to do when required functions fall into the deprecated or testing categories is outlined below.
Marking a function as stable makes the following promise to users of the library:
We will not remove or change the symbol name, argument count, argument types, return type, or interpretation of relevant values for the function before first marking it as
LIBPLDM_ABI_DEPRECATED
and then subsequently creating a tagged release
Marking a function as stable does not promise that it is free of implementation bugs. It is just a promise that the prototype won't change without notice.
Given this, it is always okay to implement functions marked stable in terms of functions marked testing inside of libpldm. If we remove or change the prototype of a function marked testing the only impact is that we need to fix up any call sites of that function in the same patch.
--- title: libpldm symbol lifecycle --- stateDiagram-v2 direction LR [*] --> Testing: Add Testing --> Testing: Change Testing --> [*]: Remove Testing --> Stable: Stabilise Stable --> Deprecated: Deprecate Deprecated --> [*]: Remove
The ABI of the library produced by the build is controlled using the abi
meson option. The following use cases determine how the abi
option should be specified:
Use Case | Meson Configuration |
---|---|
Production | -Dabi=deprecated,stable |
Maintenance | -Dabi=stable |
Development | -Dabi=deprecated,stable,testing |
Applications and libraries that depend on libpldm
can identify how to migrate off of deprecated APIs by constraining the library ABI to the stable category. This will force the compiler identify any call-sites that try to link against deprecated symbols.
Applications and libraries often require functionality that doesn't yet exist in libpldm
. The work is thus in two parts:
libpldm
libpldm
in the dependent application or libraryAdding APIs to a library is a difficult task. Generally, once an API is exposed in the library's ABI, any changes to the API risk breaking applications already making use of it. To make sure we have more than one shot at getting an API right, all new APIs must first be exposed in the testing category. Concretely:
Patches adding new APIs MUST mark them as testing and MUST NOT mark them as stable.
Three macros are provided through config.h
(automatically included for all translation units) to mark functions as testing, stable or deprecated:
LIBPLDM_ABI_TESTING
LIBPLDM_ABI_STABLE
LIBPLDM_ABI_DEPRECATED
These annotations go immediately before your function signature:
LIBPLDM_ABI_TESTING pldm_requester_rc_t pldm_transport_send_msg(struct pldm_transport *transport, pldm_tid_t tid, const void *pldm_req_msg, size_t req_msg_len) { ... }
As mentioned above, all new functions must first be added in the testing category (using the LIBPLDM_ABI_TESTING
annotation).
To move a function from the testing category to the stable category, its required that patches demonstrating use of the function in a dependent application or library be linked in the commit message of the stabilisation change. We require this to demonstrate that the implementer has considered its use in context before preventing us from making changes to the API.
Meson is broadly used in the OpenBMC ecosystem, the historical home of libpldm
. Meson's subprojects are a relatively painless way of managing dependencies for the purpose of developing complex applications and libraries. Use of libpldm
as a subproject is both supported and encouraged.
libpldm
's ABI can be controlled from a parent project through meson's subproject configuration syntax:
$ meson setup ... -Dlibpldm:abi=deprecated,stable,testing ...
This will support OEM or vendor-specific functions and semantic information. Following directory structure has to be used:
libpldm |---- include/libpldm | |---- oem/<oem_name>/libpldm | |----<oem based .h files> |---- src | |---- oem/<oem_name> | |----<oem based .c files> |---- tests | |---- oem/<oem_name> | |----<oem based test files>
<oem_name> - This folder must be created with the name of the OEM/vendor in lower case.
Header files & source files having the oem functionality for the libpldm library should be placed under the respective folder hierarchy as mentioned in the above figure. They must be adhering to the rules mentioned under the libpldm section above.
Once the above is done a meson option has to be created in meson.options
with its mapped compiler flag to enable conditional compilation.
For consistency would recommend using "oem-<oem_name>".
The meson.build
and the corresponding source file(s) will need to incorporate the logic of adding its mapped compiler flag to allow conditional compilation of the code.
The pldm requester API's are present in src/requester
folder and they are intended to provide API's to interact with the desired underlying transport layer to send/receive pldm messages.
NOTE : In the current state, the requester API's in the repository only works with specific transport mechanism & these are going to change in future & probably aren't appropriate to be writing code against.