Fix UTIL_SEQ_CONF_TASK_NBR overflow guard silently passing (#52)#112
Open
94xhn wants to merge 1 commit into
Open
Fix UTIL_SEQ_CONF_TASK_NBR overflow guard silently passing (#52)#11294xhn wants to merge 1 commit into
94xhn wants to merge 1 commit into
Conversation
…ectronics#52) UTIL_SEQ_CONF_TASK_NBR is frequently redefined in an application's utilities_conf.h to an enum sentinel value, e.g.: #define UTIL_SEQ_CONF_TASK_NBR CFG_SEQ_Task_NBR where CFG_SEQ_Task_Id_t is an enum whose last member (CFG_SEQ_Task_NBR) represents the task count. Per C99 6.10.1p4, an identifier that is not a macro is replaced by 0 when it appears in a preprocessor #if expression, since the preprocessor has no visibility into enum values. The existing guard: #if UTIL_SEQ_CONF_TASK_NBR > 32 #error "UTIL_SEQ_CONF_TASK_NBR must be less than or equal to 32" #endif therefore evaluates as "0 > 32", which is always false, so the #error never fires even when an application defines more than 32 tasks. Since several call sites in this file compute a task's bit position via "1U << CurrentTaskIdx" (e.g. lines building UTIL_SEQ_SetTask_Mask and similar masks), a task index >= 32 causes undefined behavior (shift amount >= width of the shifted type) that this guard was meant to prevent. Replace the preprocessor guard with a compile-time array-size assertion, which is evaluated by the compiler proper during semantic analysis and does see the real (expanded) enum value: typedef char UTIL_SEQ_CONF_TASK_NBR_Assert[(UTIL_SEQ_CONF_TASK_NBR <= 32) ? 1 : -1]; A classic negative-array-size assertion was used instead of _Static_assert/static_assert to avoid depending on C11 support across all toolchains this project ships with (MDK-ARM/EWARM project files still allow selecting pre-C11 dialects). Verified with a standalone host-side reproduction (not on hardware, no board/toolchain access in this environment): a minimal harness mirroring the exact macro-to-enum indirection pattern, compiled with gcc -std=c89. Before the fix, with a 33-member task enum (one over the limit), the file compiles cleanly (exit 0) — confirming the original guard is silently bypassed. After the fix, the same 33-task case fails to compile with "size of array ... is negative" (exit 1), while a normal case (4 tasks, well under the limit) still compiles cleanly (exit 0), confirming no regression for valid configurations. Fixes STMicroelectronics#52 Generative AI (Claude) was used to help investigate this issue, implement, and verify this fix. All changes were reviewed by me before submission. Signed-off-by: yi chen <94xhn1@gmail.com>
Contributor
|
Hello @94xhn, Thank you for the contribution. I will share your proposal with our team and keep you updated. With regards, |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Problem
Fixes #52.
UTIL_SEQ_CONF_TASK_NBRis commonly redefined in an application'sutilities_conf.hto an enum sentinel value, e.g.:where
CFG_SEQ_Task_Id_tis an enum whose last member (CFG_SEQ_Task_NBR) represents the task count (this exact pattern appears across manyProjects/*/utilities_def.hfiles in this repo).Per C99 §6.10.1p4, an identifier that is not a macro is replaced by
0when it appears in a preprocessor#ifexpression — the preprocessor has no visibility into enum values. The existing guard inUtilities/sequencer/stm32_seq.c:therefore evaluates as
0 > 32, which is always false, so the#errornever fires — even when an application defines more than 32 tasks. This matches the issue's own diagnosis (adding-Wundefshows the identifier is unresolved at preprocessing time).This isn't just a diagnostic-quality issue: several call sites in this file compute a task's bit position via
1U << CurrentTaskIdx(used when building/testing the task bitmask). If the effective task count exceeds 32, an index >= 32 makes that shift amount >= the width of the shifted type, which is undefined behavior in C.Fix
Replace the preprocessor guard with a compile-time assertion evaluated by the compiler proper during semantic analysis, which does see the real (macro-expanded) enum value:
A classic negative-array-size assertion was used instead of
_Static_assert/static_assertto avoid depending on C11 support — this project'sMDK-ARM/EWARMproject files still allow selecting pre-C11 dialects, and I wanted the fix to compile cleanly regardless of which toolchain/dialect a downstream application has configured.Verification
I don't have hardware or the ST toolchains (Keil/IAR) set up in this environment, so I verified the logic with a standalone host-side reproduction mirroring the exact macro-to-enum indirection pattern (33-member enum, one over the limit), compiled with
gcc -std=c89:error: size of array 'UTIL_SEQ_CONF_TASK_NBR_Assert' is negative, exit code 1 — confirming the fix correctly catches the violation.(32)) both still compile cleanly after the fix, exit code 0 — confirming no impact on valid configurations.Disclosure
Generative AI (Claude) was used to help investigate this issue, implement, and verify this fix. All changes were reviewed by me before submission.