compiler: Provide LIBPLDM_CC_NONNULL{,_ARGS()}

This allows us to elide checks where they're not necessary, and warn
people at compile-time when they're doing things they shouldn't.

Note that this comes with an apparent ABI break. abi-compliance-checker
reports:

```
platform.h, libpldm.so.0.8.0
[−] decode_sensor_op_data ( uint8_t const* sensor_data, size_t sensor_data_length, uint8_t* present_op_state, uint8_t* previous_op_state )
Change: The parameter previous_op_state became passed in r8 register instead of rcx.
Effect Applications will read the wrong memory block instead of the parameter value.
```

It's unclear to me why. The signature hasn't changed, but how the
implementation tests the parameter values has.

Change-Id: Ie8d8bc1641280522532d9b4764bf07c64b1921c8
Signed-off-by: Andrew Jeffery <andrew@codeconstruct.com.au>
diff --git a/src/msgbuf.h b/src/msgbuf.h
index c3498bb..38c7055 100644
--- a/src/msgbuf.h
+++ b/src/msgbuf.h
@@ -98,6 +98,7 @@
  *         `PLDM_MSGBUF_C_ERRNO`, or the equivalent PLDM completion code if the
  *         error mode is `PLDM_MSGBUF_PLDM_CC`.
  */
+LIBPLDM_CC_NONNULL
 LIBPLDM_CC_ALWAYS_INLINE int pldm_msgbuf_status(struct pldm_msgbuf *ctx,
 						unsigned int err)
 {
@@ -150,19 +151,15 @@
  * @return 0 on success, otherwise an error code appropriate for the current
  *         personality.
  */
+LIBPLDM_CC_NONNULL
 LIBPLDM_CC_ALWAYS_INLINE int
 // NOLINTNEXTLINE(bugprone-reserved-identifier,cert-dcl37-c,cert-dcl51-cpp)
 pldm__msgbuf_init(struct pldm_msgbuf *ctx, size_t minsize, const void *buf,
 		  size_t len)
 {
-	assert(ctx);
 	assert(ctx->mode == PLDM_MSGBUF_PLDM_CC ||
 	       ctx->mode == PLDM_MSGBUF_C_ERRNO);
 
-	if (!buf) {
-		return pldm_msgbuf_status(ctx, EINVAL);
-	}
-
 	if ((minsize > len)) {
 		return pldm_msgbuf_status(ctx, EOVERFLOW);
 	}
@@ -197,14 +194,11 @@
  *         otherwise PLDM_ERROR_INVALID_DATA if pointer parameters are invalid,
  *         or PLDM_ERROR_INVALID_LENGTH if length constraints are violated.
  */
+LIBPLDM_CC_NONNULL
 LIBPLDM_CC_ALWAYS_INLINE int pldm_msgbuf_init_cc(struct pldm_msgbuf *ctx,
 						 size_t minsize,
 						 const void *buf, size_t len)
 {
-	if (!ctx) {
-		return PLDM_ERROR_INVALID_DATA;
-	}
-
 	ctx->mode = PLDM_MSGBUF_PLDM_CC;
 	return pldm__msgbuf_init(ctx, minsize, buf, len);
 }
@@ -223,14 +217,11 @@
  *         pointer parameters are invalid, or -EOVERFLOW if length constraints
  *         are violated.
  */
+LIBPLDM_CC_NONNULL
 LIBPLDM_CC_ALWAYS_INLINE int pldm_msgbuf_init_errno(struct pldm_msgbuf *ctx,
 						    size_t minsize,
 						    const void *buf, size_t len)
 {
-	if (!ctx) {
-		return -EINVAL;
-	}
-
 	ctx->mode = PLDM_MSGBUF_C_ERRNO;
 	return pldm__msgbuf_init(ctx, minsize, buf, len);
 }
@@ -246,9 +237,9 @@
  * PLDM_ERROR_INVALID_DATA indicates that the provided context was not a valid
  * pointer.
  */
+LIBPLDM_CC_NONNULL
 LIBPLDM_CC_ALWAYS_INLINE int pldm_msgbuf_validate(struct pldm_msgbuf *ctx)
 {
-	assert(ctx);
 	if (ctx->remaining < 0) {
 		return pldm_msgbuf_status(ctx, EOVERFLOW);
 	}
@@ -267,9 +258,9 @@
  * PLDM_ERROR_INVALID_DATA indicates that the provided context was not a valid
  * pointer.
  */
+LIBPLDM_CC_NONNULL
 LIBPLDM_CC_ALWAYS_INLINE int pldm_msgbuf_consumed(struct pldm_msgbuf *ctx)
 {
-	assert(ctx);
 	if (ctx->remaining != 0) {
 		return pldm_msgbuf_status(ctx, EBADMSG);
 	}
@@ -287,11 +278,11 @@
  * PLDM_ERROR_INVALID_LENGTH if prior accesses would have occurred beyond the
  * bounds of the buffer.
  */
+LIBPLDM_CC_NONNULL
 LIBPLDM_CC_ALWAYS_INLINE int pldm_msgbuf_destroy(struct pldm_msgbuf *ctx)
 {
 	int valid;
 
-	assert(ctx);
 	valid = pldm_msgbuf_validate(ctx);
 
 	ctx->cursor = NULL;
@@ -311,12 +302,12 @@
  * parameter is invalid, or PLDM_ERROR_INVALID_LENGTH if prior accesses would
  * have occurred byond the bounds of the buffer
  */
+LIBPLDM_CC_NONNULL
 LIBPLDM_CC_ALWAYS_INLINE int
 pldm_msgbuf_destroy_consumed(struct pldm_msgbuf *ctx)
 {
 	int consumed;
 
-	assert(ctx);
 	consumed = pldm_msgbuf_consumed(ctx);
 
 	ctx->cursor = NULL;
@@ -425,13 +416,12 @@
 #define pldm_msgbuf_extract_uint8(ctx, dst)                                    \
 	pldm_msgbuf_extract_typecheck(uint8_t, pldm__msgbuf_extract_uint8,     \
 				      dst, ctx, dst)
+LIBPLDM_CC_NONNULL
 LIBPLDM_CC_ALWAYS_INLINE int
 // NOLINTNEXTLINE(bugprone-reserved-identifier,cert-dcl37-c,cert-dcl51-cpp)
 pldm__msgbuf_extract_uint8(struct pldm_msgbuf *ctx, void *dst)
 {
-	assert(ctx);
-
-	if (!ctx->cursor || !dst) {
+	if (!ctx->cursor) {
 		return pldm_msgbuf_status(ctx, EINVAL);
 	}
 
@@ -454,13 +444,12 @@
 #define pldm_msgbuf_extract_int8(ctx, dst)                                     \
 	pldm_msgbuf_extract_typecheck(int8_t, pldm__msgbuf_extract_int8, dst,  \
 				      ctx, dst)
+LIBPLDM_CC_NONNULL
 LIBPLDM_CC_ALWAYS_INLINE int
 // NOLINTNEXTLINE(bugprone-reserved-identifier,cert-dcl37-c,cert-dcl51-cpp)
 pldm__msgbuf_extract_int8(struct pldm_msgbuf *ctx, void *dst)
 {
-	assert(ctx);
-
-	if (!ctx->cursor || !dst) {
+	if (!ctx->cursor) {
 		return pldm_msgbuf_status(ctx, EINVAL);
 	}
 
@@ -482,15 +471,14 @@
 #define pldm_msgbuf_extract_uint16(ctx, dst)                                   \
 	pldm_msgbuf_extract_typecheck(uint16_t, pldm__msgbuf_extract_uint16,   \
 				      dst, ctx, dst)
+LIBPLDM_CC_NONNULL
 LIBPLDM_CC_ALWAYS_INLINE int
 // NOLINTNEXTLINE(bugprone-reserved-identifier,cert-dcl37-c,cert-dcl51-cpp)
 pldm__msgbuf_extract_uint16(struct pldm_msgbuf *ctx, void *dst)
 {
 	uint16_t ldst;
 
-	assert(ctx);
-
-	if (!ctx->cursor || !dst) {
+	if (!ctx->cursor) {
 		return pldm_msgbuf_status(ctx, EINVAL);
 	}
 
@@ -535,15 +523,14 @@
 #define pldm_msgbuf_extract_int16(ctx, dst)                                    \
 	pldm_msgbuf_extract_typecheck(int16_t, pldm__msgbuf_extract_int16,     \
 				      dst, ctx, dst)
+LIBPLDM_CC_NONNULL
 LIBPLDM_CC_ALWAYS_INLINE int
 // NOLINTNEXTLINE(bugprone-reserved-identifier,cert-dcl37-c,cert-dcl51-cpp)
 pldm__msgbuf_extract_int16(struct pldm_msgbuf *ctx, void *dst)
 {
 	int16_t ldst;
 
-	assert(ctx);
-
-	if (!ctx->cursor || !dst) {
+	if (!ctx->cursor) {
 		return pldm_msgbuf_status(ctx, EINVAL);
 	}
 
@@ -573,15 +560,14 @@
 #define pldm_msgbuf_extract_uint32(ctx, dst)                                   \
 	pldm_msgbuf_extract_typecheck(uint32_t, pldm__msgbuf_extract_uint32,   \
 				      dst, ctx, dst)
+LIBPLDM_CC_NONNULL
 LIBPLDM_CC_ALWAYS_INLINE int
 // NOLINTNEXTLINE(bugprone-reserved-identifier,cert-dcl37-c,cert-dcl51-cpp)
 pldm__msgbuf_extract_uint32(struct pldm_msgbuf *ctx, void *dst)
 {
 	uint32_t ldst;
 
-	assert(ctx);
-
-	if (!ctx->cursor || !dst) {
+	if (!ctx->cursor) {
 		return pldm_msgbuf_status(ctx, EINVAL);
 	}
 
@@ -610,15 +596,14 @@
 #define pldm_msgbuf_extract_int32(ctx, dst)                                    \
 	pldm_msgbuf_extract_typecheck(int32_t, pldm__msgbuf_extract_int32,     \
 				      dst, ctx, dst)
+LIBPLDM_CC_NONNULL
 LIBPLDM_CC_ALWAYS_INLINE int
 // NOLINTNEXTLINE(bugprone-reserved-identifier,cert-dcl37-c,cert-dcl51-cpp)
 pldm__msgbuf_extract_int32(struct pldm_msgbuf *ctx, void *dst)
 {
 	int32_t ldst;
 
-	assert(ctx);
-
-	if (!ctx->cursor || !dst) {
+	if (!ctx->cursor) {
 		return pldm_msgbuf_status(ctx, EINVAL);
 	}
 
@@ -647,6 +632,7 @@
 #define pldm_msgbuf_extract_real32(ctx, dst)                                   \
 	pldm_msgbuf_extract_typecheck(real32_t, pldm__msgbuf_extract_real32,   \
 				      dst, ctx, dst)
+LIBPLDM_CC_NONNULL
 LIBPLDM_CC_ALWAYS_INLINE int
 // NOLINTNEXTLINE(bugprone-reserved-identifier,cert-dcl37-c,cert-dcl51-cpp)
 pldm__msgbuf_extract_real32(struct pldm_msgbuf *ctx, void *dst)
@@ -656,9 +642,7 @@
 	static_assert(sizeof(real32_t) == sizeof(ldst),
 		      "Mismatched type sizes for dst and ldst");
 
-	assert(ctx);
-
-	if (!ctx->cursor || !dst) {
+	if (!ctx->cursor) {
 		return pldm_msgbuf_status(ctx, EINVAL);
 	}
 
@@ -725,15 +709,14 @@
 /**
  * @ref pldm_msgbuf_extract_array
  */
+LIBPLDM_CC_NONNULL
 LIBPLDM_CC_WARN_UNUSED_RESULT
 LIBPLDM_CC_ALWAYS_INLINE int
 // NOLINTNEXTLINE(bugprone-reserved-identifier,cert-dcl37-c,cert-dcl51-cpp)
 pldm__msgbuf_extract_array_void(struct pldm_msgbuf *ctx, size_t count,
 				void *dst, size_t dst_count)
 {
-	assert(ctx);
-
-	if (!ctx->cursor || !dst || count > dst_count) {
+	if (!ctx->cursor || count > dst_count) {
 		return pldm_msgbuf_status(ctx, EINVAL);
 	}
 
@@ -765,6 +748,7 @@
 /**
  * @ref pldm_msgbuf_extract_array
  */
+LIBPLDM_CC_NONNULL
 LIBPLDM_CC_WARN_UNUSED_RESULT
 LIBPLDM_CC_ALWAYS_INLINE int
 pldm_msgbuf_extract_array_char(struct pldm_msgbuf *ctx, size_t count, char *dst,
@@ -776,6 +760,7 @@
 /**
  * @ref pldm_msgbuf_extract_array
  */
+LIBPLDM_CC_NONNULL
 LIBPLDM_CC_WARN_UNUSED_RESULT
 LIBPLDM_CC_ALWAYS_INLINE int
 pldm_msgbuf_extract_array_uint8(struct pldm_msgbuf *ctx, size_t count,
@@ -803,13 +788,12 @@
 		char: pldm_msgbuf_extract_array_char)(ctx, count, dst,         \
 						      dst_count)
 
+LIBPLDM_CC_NONNULL
 LIBPLDM_CC_ALWAYS_INLINE int pldm_msgbuf_insert_uint32(struct pldm_msgbuf *ctx,
 						       const uint32_t src)
 {
 	uint32_t val = htole32(src);
 
-	assert(ctx);
-
 	if (!ctx->cursor) {
 		return pldm_msgbuf_status(ctx, EINVAL);
 	}
@@ -834,13 +818,12 @@
 	return 0;
 }
 
+LIBPLDM_CC_NONNULL
 LIBPLDM_CC_ALWAYS_INLINE int pldm_msgbuf_insert_uint16(struct pldm_msgbuf *ctx,
 						       const uint16_t src)
 {
 	uint16_t val = htole16(src);
 
-	assert(ctx);
-
 	if (!ctx->cursor) {
 		return pldm_msgbuf_status(ctx, EINVAL);
 	}
@@ -865,11 +848,10 @@
 	return 0;
 }
 
+LIBPLDM_CC_NONNULL
 LIBPLDM_CC_ALWAYS_INLINE int pldm_msgbuf_insert_uint8(struct pldm_msgbuf *ctx,
 						      const uint8_t src)
 {
-	assert(ctx);
-
 	if (!ctx->cursor) {
 		return pldm_msgbuf_status(ctx, EINVAL);
 	}
@@ -894,13 +876,12 @@
 	return 0;
 }
 
+LIBPLDM_CC_NONNULL
 LIBPLDM_CC_ALWAYS_INLINE int pldm_msgbuf_insert_int32(struct pldm_msgbuf *ctx,
 						      const int32_t src)
 {
 	int32_t val = htole32(src);
 
-	assert(ctx);
-
 	if (!ctx->cursor) {
 		return pldm_msgbuf_status(ctx, EINVAL);
 	}
@@ -925,13 +906,12 @@
 	return 0;
 }
 
+LIBPLDM_CC_NONNULL
 LIBPLDM_CC_ALWAYS_INLINE int pldm_msgbuf_insert_int16(struct pldm_msgbuf *ctx,
 						      const int16_t src)
 {
 	int16_t val = htole16(src);
 
-	assert(ctx);
-
 	if (!ctx->cursor) {
 		return pldm_msgbuf_status(ctx, EINVAL);
 	}
@@ -956,11 +936,10 @@
 	return 0;
 }
 
+LIBPLDM_CC_NONNULL
 LIBPLDM_CC_ALWAYS_INLINE int pldm_msgbuf_insert_int8(struct pldm_msgbuf *ctx,
 						     const int8_t src)
 {
-	assert(ctx);
-
 	if (!ctx->cursor) {
 		return pldm_msgbuf_status(ctx, EINVAL);
 	}
@@ -997,15 +976,14 @@
 /**
  * @ref pldm_msgbuf_insert_array
  */
+LIBPLDM_CC_NONNULL
 LIBPLDM_CC_WARN_UNUSED_RESULT
 LIBPLDM_CC_ALWAYS_INLINE int
 // NOLINTNEXTLINE(bugprone-reserved-identifier,cert-dcl37-c,cert-dcl51-cpp)
 pldm__msgbuf_insert_array_void(struct pldm_msgbuf *ctx, size_t count,
 			       const void *src, size_t src_count)
 {
-	assert(ctx);
-
-	if (!ctx->cursor || !src || count > src_count) {
+	if (!ctx->cursor || count > src_count) {
 		return pldm_msgbuf_status(ctx, EINVAL);
 	}
 
@@ -1037,6 +1015,7 @@
 /**
  * @ref pldm_msgbuf_insert_array
  */
+LIBPLDM_CC_NONNULL
 LIBPLDM_CC_WARN_UNUSED_RESULT
 LIBPLDM_CC_ALWAYS_INLINE int
 pldm_msgbuf_insert_array_char(struct pldm_msgbuf *ctx, size_t count,
@@ -1048,6 +1027,7 @@
 /**
  * @ref pldm_msgbuf_insert_array
  */
+LIBPLDM_CC_NONNULL
 LIBPLDM_CC_WARN_UNUSED_RESULT
 LIBPLDM_CC_ALWAYS_INLINE int
 pldm_msgbuf_insert_array_uint8(struct pldm_msgbuf *ctx, size_t count,
@@ -1076,13 +1056,12 @@
 		char: pldm_msgbuf_insert_array_char)(dst, count, src,          \
 						     src_count)
 
+LIBPLDM_CC_NONNULL
 LIBPLDM_CC_ALWAYS_INLINE int pldm_msgbuf_span_required(struct pldm_msgbuf *ctx,
 						       size_t required,
 						       void **cursor)
 {
-	assert(ctx);
-
-	if (!ctx->cursor || !cursor || *cursor) {
+	if (!ctx->cursor || *cursor) {
 		return pldm_msgbuf_status(ctx, EINVAL);
 	}
 
@@ -1107,14 +1086,13 @@
 	return 0;
 }
 
+LIBPLDM_CC_NONNULL_ARGS(1)
 LIBPLDM_CC_ALWAYS_INLINE int
 pldm_msgbuf_span_string_ascii(struct pldm_msgbuf *ctx, void **cursor,
 			      size_t *length)
 {
 	intmax_t measured;
 
-	assert(ctx);
-
 	if (!ctx->cursor || (cursor && *cursor)) {
 		return pldm_msgbuf_status(ctx, EINVAL);
 	}
@@ -1162,6 +1140,7 @@
 	return 0;
 }
 
+LIBPLDM_CC_NONNULL_ARGS(1)
 LIBPLDM_CC_ALWAYS_INLINE int
 pldm_msgbuf_span_string_utf16(struct pldm_msgbuf *ctx, void **cursor,
 			      size_t *length)
@@ -1170,8 +1149,6 @@
 	ptrdiff_t measured;
 	void *end;
 
-	assert(ctx);
-
 	if (!ctx->cursor || (cursor && *cursor)) {
 		return pldm_msgbuf_status(ctx, EINVAL);
 	}
@@ -1243,12 +1220,11 @@
 	return 0;
 }
 
+LIBPLDM_CC_NONNULL
 LIBPLDM_CC_ALWAYS_INLINE int
 pldm_msgbuf_span_remaining(struct pldm_msgbuf *ctx, void **cursor, size_t *len)
 {
-	assert(ctx);
-
-	if (!ctx->cursor || !cursor || *cursor || !len) {
+	if (!ctx->cursor || *cursor) {
 		return pldm_msgbuf_status(ctx, EINVAL);
 	}
 
@@ -1279,16 +1255,15 @@
  */
 #define pldm_msgbuf_copy(dst, src, type, name)                                 \
 	pldm__msgbuf_copy(dst, src, sizeof(type), #name)
+LIBPLDM_CC_NONNULL
 LIBPLDM_CC_ALWAYS_INLINE int
 // NOLINTNEXTLINE(bugprone-reserved-identifier,cert-dcl37-c,cert-dcl51-cpp)
 pldm__msgbuf_copy(struct pldm_msgbuf *dst, struct pldm_msgbuf *src, size_t size,
-		  const char *description)
+		  const char *description LIBPLDM_CC_UNUSED)
 {
-	assert(src);
-	assert(dst);
 	assert(src->mode == dst->mode);
 
-	if (!src->cursor || !dst->cursor || !description) {
+	if (!src->cursor || !dst->cursor) {
 		return pldm_msgbuf_status(dst, EINVAL);
 	}
 
@@ -1325,6 +1300,7 @@
 	return 0;
 }
 
+LIBPLDM_CC_NONNULL
 LIBPLDM_CC_WARN_UNUSED_RESULT
 LIBPLDM_CC_ALWAYS_INLINE int
 pldm_msgbuf_copy_string_ascii(struct pldm_msgbuf *dst, struct pldm_msgbuf *src)
@@ -1341,6 +1317,7 @@
 	return pldm__msgbuf_insert_array_void(dst, len, ascii, len);
 }
 
+LIBPLDM_CC_NONNULL
 LIBPLDM_CC_WARN_UNUSED_RESULT
 LIBPLDM_CC_ALWAYS_INLINE int
 pldm_msgbuf_copy_string_utf16(struct pldm_msgbuf *dst, struct pldm_msgbuf *src)