[libc] Replace linker_assert() with build_assert()

We currently implement build-time assertions via a mechanism that
generates a call to an undefined external function that will cause the
link to fail unless the compiler can prove that the asserted condition
is true (and thereby eliminate the undefined function call).

This assertion mechanism can be used for conditions that are not
amenable to the use of static_assert(), since static_assert() will not
allow for proofs via dead code elimination.

Add __attribute__((error(...))) to the undefined external function, so
that the error is raised at compile time rather than at link time.
This allows us to provide a more meaningful error message (which will
include the file name and line number, as with any other compile-time
error), and avoids the need for the caller to specify a unique symbol
name for the external function.

Change the name from linker_assert() to build_assert(), since the
assertion now takes place at compile time rather than at link time.

Signed-off-by: Michael Brown <mcb30@ipxe.org>

diff --git a/src/crypto/gcm.c b/src/crypto/gcm.c
index 9d8bae824dc8d83f6169ed0dae773f7452153106..c21aad14c9f57d8b7fa7ddf0686a5eed6cbd4be0 100644 (file)
--- a/src/crypto/gcm.c
+++ b/src/crypto/gcm.c
@@ -472,10 +472,10 @@ void gcm_setiv ( struct gcm_context *context, const void *iv, size_t ivlen ) {
        union gcm_block *check = ( ( void * ) context );
 
        /* Sanity checks */
-       linker_assert ( &context->hash == check, gcm_bad_layout );
-       linker_assert ( &context->len == check + 1, gcm_bad_layout );
-       linker_assert ( &context->ctr == check + 2, gcm_bad_layout );
-       linker_assert ( &context->key == check + 3, gcm_bad_layout );
+       build_assert ( &context->hash == check );
+       build_assert ( &context->len == check + 1 );
+       build_assert ( &context->ctr == check + 2 );
+       build_assert ( &context->key == check + 3 );
 
        /* Reset non-key state */
        memset ( context, 0, offsetof ( typeof ( *context ), key ) );

diff --git a/src/crypto/md4.c b/src/crypto/md4.c
index ca5dcc21bff137e054b50791ff9b14f13c97f9ea..dcd86a4281a73337ccfbf7441159018dd3b71638 100644 (file)
--- a/src/crypto/md4.c
+++ b/src/crypto/md4.c
@@ -155,11 +155,11 @@ static void md4_digest ( struct md4_context *context ) {
 
        /* Sanity checks */
        assert ( ( context->len % sizeof ( context->ddd.dd.data ) ) == 0 );
-       linker_assert ( &u.ddd.dd.digest.h[0] == a, md4_bad_layout );
-       linker_assert ( &u.ddd.dd.digest.h[1] == b, md4_bad_layout );
-       linker_assert ( &u.ddd.dd.digest.h[2] == c, md4_bad_layout );
-       linker_assert ( &u.ddd.dd.digest.h[3] == d, md4_bad_layout );
-       linker_assert ( &u.ddd.dd.data.dword[0] == w, md4_bad_layout );
+       build_assert ( &u.ddd.dd.digest.h[0] == a );
+       build_assert ( &u.ddd.dd.digest.h[1] == b );
+       build_assert ( &u.ddd.dd.digest.h[2] == c );
+       build_assert ( &u.ddd.dd.digest.h[3] == d );
+       build_assert ( &u.ddd.dd.data.dword[0] == w );
 
        DBGC ( context, "MD4 digesting:\n" );
        DBGC_HDA ( context, 0, &context->ddd.dd.digest,

diff --git a/src/crypto/md5.c b/src/crypto/md5.c
index bee382e95a4772ec700467399cbf32bedcc06f6d..5c62513e2070b6fbc1fa54a8708512e6bc50a29d 100644 (file)
--- a/src/crypto/md5.c
+++ b/src/crypto/md5.c
@@ -178,11 +178,11 @@ static void md5_digest ( struct md5_context *context ) {
 
        /* Sanity checks */
        assert ( ( context->len % sizeof ( context->ddd.dd.data ) ) == 0 );
-       linker_assert ( &u.ddd.dd.digest.h[0] == a, md5_bad_layout );
-       linker_assert ( &u.ddd.dd.digest.h[1] == b, md5_bad_layout );
-       linker_assert ( &u.ddd.dd.digest.h[2] == c, md5_bad_layout );
-       linker_assert ( &u.ddd.dd.digest.h[3] == d, md5_bad_layout );
-       linker_assert ( &u.ddd.dd.data.dword[0] == w, md5_bad_layout );
+       build_assert ( &u.ddd.dd.digest.h[0] == a );
+       build_assert ( &u.ddd.dd.digest.h[1] == b );
+       build_assert ( &u.ddd.dd.digest.h[2] == c );
+       build_assert ( &u.ddd.dd.digest.h[3] == d );
+       build_assert ( &u.ddd.dd.data.dword[0] == w );
 
        DBGC ( context, "MD5 digesting:\n" );
        DBGC_HDA ( context, 0, &context->ddd.dd.digest,

diff --git a/src/crypto/sha1.c b/src/crypto/sha1.c
index 94fce0029fade06cb24bbd9d56b654d3196ab9f6..8eecc75b3fa2d2648281b3955288300da6fc5b50 100644 (file)
--- a/src/crypto/sha1.c
+++ b/src/crypto/sha1.c
@@ -145,12 +145,12 @@ static void sha1_digest ( struct sha1_context *context ) {
 
        /* Sanity checks */
        assert ( ( context->len % sizeof ( context->ddd.dd.data ) ) == 0 );
-       linker_assert ( &u.ddd.dd.digest.h[0] == a, sha1_bad_layout );
-       linker_assert ( &u.ddd.dd.digest.h[1] == b, sha1_bad_layout );
-       linker_assert ( &u.ddd.dd.digest.h[2] == c, sha1_bad_layout );
-       linker_assert ( &u.ddd.dd.digest.h[3] == d, sha1_bad_layout );
-       linker_assert ( &u.ddd.dd.digest.h[4] == e, sha1_bad_layout );
-       linker_assert ( &u.ddd.dd.data.dword[0] == w, sha1_bad_layout );
+       build_assert ( &u.ddd.dd.digest.h[0] == a );
+       build_assert ( &u.ddd.dd.digest.h[1] == b );
+       build_assert ( &u.ddd.dd.digest.h[2] == c );
+       build_assert ( &u.ddd.dd.digest.h[3] == d );
+       build_assert ( &u.ddd.dd.digest.h[4] == e );
+       build_assert ( &u.ddd.dd.data.dword[0] == w );
 
        DBGC ( context, "SHA1 digesting:\n" );
        DBGC_HDA ( context, 0, &context->ddd.dd.digest,

diff --git a/src/crypto/sha256.c b/src/crypto/sha256.c
index 6bd727719ae2674f436fc381adcd9bd9ae37af91..c30300eb41a4dc8bc7133d44d130441cbc5e8f9e 100644 (file)
--- a/src/crypto/sha256.c
+++ b/src/crypto/sha256.c
@@ -140,15 +140,15 @@ static void sha256_digest ( struct sha256_context *context ) {
 
        /* Sanity checks */
        assert ( ( context->len % sizeof ( context->ddd.dd.data ) ) == 0 );
-       linker_assert ( &u.ddd.dd.digest.h[0] == a, sha256_bad_layout );
-       linker_assert ( &u.ddd.dd.digest.h[1] == b, sha256_bad_layout );
-       linker_assert ( &u.ddd.dd.digest.h[2] == c, sha256_bad_layout );
-       linker_assert ( &u.ddd.dd.digest.h[3] == d, sha256_bad_layout );
-       linker_assert ( &u.ddd.dd.digest.h[4] == e, sha256_bad_layout );
-       linker_assert ( &u.ddd.dd.digest.h[5] == f, sha256_bad_layout );
-       linker_assert ( &u.ddd.dd.digest.h[6] == g, sha256_bad_layout );
-       linker_assert ( &u.ddd.dd.digest.h[7] == h, sha256_bad_layout );
-       linker_assert ( &u.ddd.dd.data.dword[0] == w, sha256_bad_layout );
+       build_assert ( &u.ddd.dd.digest.h[0] == a );
+       build_assert ( &u.ddd.dd.digest.h[1] == b );
+       build_assert ( &u.ddd.dd.digest.h[2] == c );
+       build_assert ( &u.ddd.dd.digest.h[3] == d );
+       build_assert ( &u.ddd.dd.digest.h[4] == e );
+       build_assert ( &u.ddd.dd.digest.h[5] == f );
+       build_assert ( &u.ddd.dd.digest.h[6] == g );
+       build_assert ( &u.ddd.dd.digest.h[7] == h );
+       build_assert ( &u.ddd.dd.data.dword[0] == w );
 
        DBGC ( context, "SHA256 digesting:\n" );
        DBGC_HDA ( context, 0, &context->ddd.dd.digest,

diff --git a/src/crypto/sha512.c b/src/crypto/sha512.c
index e84895010fad40de4f83cfa60981d4de99c3330a..d7d44b2846d1a37bf318eebd6177b0d632b98da5 100644 (file)
--- a/src/crypto/sha512.c
+++ b/src/crypto/sha512.c
@@ -156,15 +156,15 @@ static void sha512_digest ( struct sha512_context *context ) {
 
        /* Sanity checks */
        assert ( ( context->len % sizeof ( context->ddq.dd.data ) ) == 0 );
-       linker_assert ( &u.ddq.dd.digest.h[0] == a, sha512_bad_layout );
-       linker_assert ( &u.ddq.dd.digest.h[1] == b, sha512_bad_layout );
-       linker_assert ( &u.ddq.dd.digest.h[2] == c, sha512_bad_layout );
-       linker_assert ( &u.ddq.dd.digest.h[3] == d, sha512_bad_layout );
-       linker_assert ( &u.ddq.dd.digest.h[4] == e, sha512_bad_layout );
-       linker_assert ( &u.ddq.dd.digest.h[5] == f, sha512_bad_layout );
-       linker_assert ( &u.ddq.dd.digest.h[6] == g, sha512_bad_layout );
-       linker_assert ( &u.ddq.dd.digest.h[7] == h, sha512_bad_layout );
-       linker_assert ( &u.ddq.dd.data.qword[0] == w, sha512_bad_layout );
+       build_assert ( &u.ddq.dd.digest.h[0] == a );
+       build_assert ( &u.ddq.dd.digest.h[1] == b );
+       build_assert ( &u.ddq.dd.digest.h[2] == c );
+       build_assert ( &u.ddq.dd.digest.h[3] == d );
+       build_assert ( &u.ddq.dd.digest.h[4] == e );
+       build_assert ( &u.ddq.dd.digest.h[5] == f );
+       build_assert ( &u.ddq.dd.digest.h[6] == g );
+       build_assert ( &u.ddq.dd.digest.h[7] == h );
+       build_assert ( &u.ddq.dd.data.qword[0] == w );
 
        DBGC ( context, "SHA512 digesting:\n" );
        DBGC_HDA ( context, 0, &context->ddq.dd.digest,

diff --git a/src/drivers/infiniband/linda.c b/src/drivers/infiniband/linda.c
index 8c59126607b50eb53008b478301e28ff7bcbbcb3..0c8a043a1d664d37b486941bd4d1d734fb9a3c93 100644 (file)
--- a/src/drivers/infiniband/linda.c
+++ b/src/drivers/infiniband/linda.c
@@ -721,7 +721,7 @@ static int linda_init_recv ( struct linda *linda ) {
                eager_array_size_other = LINDA_EAGER_ARRAY_SIZE_17CTX_OTHER;
                break;
        default:
-               linker_assert ( 0, invalid_LINDA_NUM_CONTEXTS );
+               build_assert ( 0 );
                return -EINVAL;
        }
 
@@ -1108,7 +1108,7 @@ static int linda_post_recv ( struct ib_device *ibdev,
        case 16384: bufsize = LINDA_EAGER_BUFFER_16K; break;
        case 32768: bufsize = LINDA_EAGER_BUFFER_32K; break;
        case 65536: bufsize = LINDA_EAGER_BUFFER_64K; break;
-       default:    linker_assert ( 0, invalid_rx_payload_size );
+       default:    build_assert ( 0 );
                    bufsize = LINDA_EAGER_BUFFER_NONE;
        }
 

diff --git a/src/drivers/infiniband/qib7322.c b/src/drivers/infiniband/qib7322.c
index da055b744c378929b3f4a423e5c5fed74e0d5fd8..a011dafc15413858afc9ce9a809d0ca4154dccfd 100644 (file)
--- a/src/drivers/infiniband/qib7322.c
+++ b/src/drivers/infiniband/qib7322.c
@@ -893,7 +893,7 @@ static int qib7322_init_recv ( struct qib7322 *qib7322 ) {
                eager_array_size_user = QIB7322_EAGER_ARRAY_SIZE_18CTX_USER;
                break;
        default:
-               linker_assert ( 0, invalid_QIB7322_NUM_CONTEXTS );
+               build_assert ( 0 );
                return -EINVAL;
        }
 
@@ -1351,7 +1351,7 @@ static int qib7322_post_recv ( struct ib_device *ibdev,
        case 16384: bufsize = QIB7322_EAGER_BUFFER_16K; break;
        case 32768: bufsize = QIB7322_EAGER_BUFFER_32K; break;
        case 65536: bufsize = QIB7322_EAGER_BUFFER_64K; break;
-       default:    linker_assert ( 0, invalid_rx_payload_size );
+       default:    build_assert ( 0 );
                    bufsize = QIB7322_EAGER_BUFFER_NONE;
        }
 

diff --git a/src/include/assert.h b/src/include/assert.h
index 6d0531801f89d9eb32dfcc3a01baea6822d4c540..b3a9b1fe030f96ea0b39fd5377b4f4b2cfa4b151 100644 (file)
--- a/src/include/assert.h
+++ b/src/include/assert.h
@@ -65,19 +65,22 @@ assert_printf ( const char *fmt, ... ) asm ( "printf" );
 #define static_assert(x) _Static_assert( x, #x )
 
 /**
- * Assert a condition at link-time.
+ * Assert a condition at build time (after dead code elimination)
  *
- * If the condition is not true, the link will fail with an unresolved
- * symbol (error_symbol).
+ * If the compiler cannot prove that the condition is true, the build
+ * will fail with an error message.
  *
  * This macro is iPXE-specific.  Do not use this macro in code
  * intended to be portable.
- *
  */
-#define linker_assert( condition, error_symbol )       \
-        if ( ! (condition) ) {                         \
-                extern void error_symbol ( void );     \
-                error_symbol();                                \
-        }
+#define build_assert( condition )                                           \
+       do {                                                                 \
+               if ( ! (condition) ) {                                       \
+                       extern void __attribute__ (( error (                 \
+                               "build_assert(" #condition ") failed"        \
+                       ) )) _C2 ( build_assert_, __LINE__ ) ( void );       \
+                       _C2 ( build_assert_, __LINE__ ) ();                  \
+               }                                                            \
+       } while ( 0 )
 
 #endif /* _ASSERT_H */

diff --git a/src/include/ipxe/asn1.h b/src/include/ipxe/asn1.h
index 77429f3a0a8f7004f7c04094f271469de98979f7..452fcef0b067ef5ddbca3bd0b2482706c9242e92 100644 (file)
--- a/src/include/ipxe/asn1.h
+++ b/src/include/ipxe/asn1.h
@@ -390,10 +390,9 @@ asn1_built ( struct asn1_builder *builder ) {
        } *u = container_of ( builder, typeof ( *u ), builder );
 
        /* Sanity check */
-       linker_assert ( ( ( const void * ) &u->builder.data ) ==
-                       &u->cursor.data, asn1_builder_cursor_data_mismatch );
-       linker_assert ( &u->builder.len == &u->cursor.len,
-                       asn1_builder_cursor_len_mismatch );
+       build_assert ( ( ( const void * ) &u->builder.data ) ==
+                      &u->cursor.data );
+       build_assert ( &u->builder.len == &u->cursor.len );
 
        return &u->cursor;
 }

diff --git a/src/include/ipxe/entropy.h b/src/include/ipxe/entropy.h
index 240feace09ab6518bef69099e8131bd3e8d44815..82bb11826ab4aa628df86174e402b05b9715f365 100644 (file)
--- a/src/include/ipxe/entropy.h
+++ b/src/include/ipxe/entropy.h
@@ -237,8 +237,7 @@ get_entropy_input ( unsigned int min_entropy_bits, void *data, size_t min_len,
        int rc;
 
        /* Sanity check */
-       linker_assert ( ( min_entropy_bits <= ( 8 * max_len ) ),
-                       entropy_buffer_too_small );
+       build_assert ( min_entropy_bits <= ( 8 * max_len ) );
 
        /* Round up minimum entropy to an integral number of bytes */
        min_entropy_bits = ( ( min_entropy_bits + 7 ) & ~7 );
@@ -247,11 +246,11 @@ get_entropy_input ( unsigned int min_entropy_bits, void *data, size_t min_len,
         * meet or exceed the security strength indicated by the
         * min_entropy parameter.
         */
-       linker_assert ( ( ( 8 * ENTROPY_HASH_DF_OUTLEN_BYTES ) >=
-                         min_entropy_bits ), hash_df_algorithm_too_weak );
+       build_assert ( ( 8 * ENTROPY_HASH_DF_OUTLEN_BYTES ) >=
+                      min_entropy_bits );
 
        /* 1.  If ( min_length > max_length ), then return ( FAILURE, Null ) */
-       linker_assert ( ( min_len <= max_len ), min_len_greater_than_max_len );
+       build_assert ( min_len <= max_len );
 
        /* 2.  n = 2 * min_entropy */
        n = ( 2 * min_entropy_bits );
@@ -269,9 +268,8 @@ get_entropy_input ( unsigned int min_entropy_bits, void *data, size_t min_len,
         * (The implementation of these steps is inside the function
         * get_entropy_input_tmp().)
         */
-       linker_assert ( __builtin_constant_p ( tmp_len ),
-                       tmp_len_not_constant );
-       linker_assert ( ( n == ( 8 * tmp_len ) ), tmp_len_mismatch );
+       build_assert ( __builtin_constant_p ( tmp_len ) );
+       build_assert ( n == ( 8 * tmp_len ) );
        if ( ( rc = get_entropy_input_tmp ( MIN_ENTROPY ( min_entropy_bits ),
                                            tmp, tmp_len ) ) != 0 ) {
                return rc;
@@ -283,17 +281,17 @@ get_entropy_input ( unsigned int min_entropy_bits, void *data, size_t min_len,
         */
        if ( tmp_len < min_len ) {
                /* (Data is already in-place.) */
-               linker_assert ( ( data == tmp ), data_not_inplace );
+               build_assert ( data == tmp );
                memset ( ( data + tmp_len ), 0, ( min_len - tmp_len ) );
                return min_len;
        } else if ( tmp_len > max_len ) {
-               linker_assert ( ( tmp == tmp_buf ), data_inplace );
+               build_assert ( tmp == tmp_buf );
                hash_df ( &entropy_hash_df_algorithm, tmp, tmp_len,
                          data, max_len );
                return max_len;
        } else {
                /* (Data is already in-place.) */
-               linker_assert ( ( data == tmp ), data_not_inplace );
+               build_assert ( data == tmp );
                return tmp_len;
        }
 }
@@ -328,15 +326,14 @@ entropy_repetition_count_cutoff ( min_entropy_t min_entropy_per_sample ) {
        cutoff = max_repetitions;
        if ( cutoff < max_repetitions )
                cutoff++;
-       linker_assert ( ( cutoff >= max_repetitions ), rounding_error );
+       build_assert ( cutoff >= max_repetitions );
 
        /* Floating-point operations are not allowed in iPXE since we
         * never set up a suitable environment.  Abort the build
         * unless the calculated number of repetitions is a
         * compile-time constant.
         */
-       linker_assert ( __builtin_constant_p ( cutoff ),
-                       repetition_count_cutoff_not_constant );
+       build_assert ( __builtin_constant_p ( cutoff ) );
 
        return cutoff;
 }
@@ -443,12 +440,10 @@ entropy_adaptive_proportion_cutoff ( min_entropy_t min_entropy_per_sample ) {
        cutoff = entropy_adaptive_proportion_cutoff_lookup ( n, h );
 
        /* Fail unless cutoff value is a compile-time constant */
-       linker_assert ( __builtin_constant_p ( cutoff ),
-                       adaptive_proportion_cutoff_not_constant );
+       build_assert ( __builtin_constant_p ( cutoff ) );
 
        /* Fail if cutoff value is N/A */
-       linker_assert ( ( cutoff != APC_NA ),
-                       adaptive_proportion_cutoff_not_applicable );
+       build_assert ( cutoff != APC_NA );
 
        return cutoff;
 }
@@ -475,8 +470,7 @@ entropy_startup_test_count ( unsigned int repetition_count_cutoff,
        num_samples = repetition_count_cutoff;
        if ( num_samples < adaptive_proportion_cutoff )
                num_samples = adaptive_proportion_cutoff;
-       linker_assert ( __builtin_constant_p ( num_samples ),
-                       startup_test_count_not_constant );
+       build_assert ( __builtin_constant_p ( num_samples ) );
 
        return num_samples;
 }
@@ -499,11 +493,9 @@ entropy_init ( struct entropy_source *source,
        unsigned int startup_test_count;
 
        /* Sanity check */
-       linker_assert ( min_entropy_per_sample > MIN_ENTROPY ( 0 ),
-                       min_entropy_per_sample_is_zero );
-       linker_assert ( ( min_entropy_per_sample <=
-                         MIN_ENTROPY ( 8 * sizeof ( noise_sample_t ) ) ),
-                       min_entropy_per_sample_is_impossibly_high );
+       build_assert ( min_entropy_per_sample > MIN_ENTROPY ( 0 ) );
+       build_assert ( min_entropy_per_sample <=
+                      MIN_ENTROPY ( 8 * sizeof ( noise_sample_t ) ) );
 
        /* Calculate test cutoff values */
        repetition_count_cutoff =

diff --git a/src/include/ipxe/gcm.h b/src/include/ipxe/gcm.h
index 90ef0b522bd7fea529fd196298d53f4a6de2b12f..9653a0a1ac096b2a17d8fcb027e928935b29638b 100644 (file)
--- a/src/include/ipxe/gcm.h
+++ b/src/include/ipxe/gcm.h
@@ -88,13 +88,10 @@ struct _gcm_name ## _context {                                              \
 static int _gcm_name ## _setkey ( void *ctx, const void *key,          \
                                  size_t keylen ) {                     \
        struct _gcm_name ## _context *context = ctx;                    \
-       linker_assert ( _blocksize == sizeof ( context->gcm.key ),      \
-                       _gcm_name ## _unsupported_blocksize );          \
-       linker_assert ( ( ( void * ) &context->gcm ) == ctx,            \
-                       _gcm_name ## _context_layout_error );           \
-       linker_assert ( ( ( void * ) &context->raw ) ==                 \
-                       ( ( void * ) context->gcm.raw_ctx ),            \
-                       _gcm_name ## _context_layout_error );           \
+       build_assert ( _blocksize == sizeof ( context->gcm.key ) );     \
+       build_assert ( ( ( void * ) &context->gcm ) == ctx );           \
+       build_assert ( ( ( void * ) &context->raw ) ==                  \
+                      ( ( void * ) context->gcm.raw_ctx ) );           \
        return gcm_setkey ( &context->gcm, key, keylen, &_raw_cipher ); \
 }                                                                      \
 static void _gcm_name ## _setiv ( void *ctx, const void *iv,           \