Fix spelling mistakes using codespell

This commit corrects various spelling mistakes throughout the
repository. The corrections were made automatically using `codespell`[1]
tool.

[1]: https://githu

Fix spelling mistakes using codespell

This commit corrects various spelling mistakes throughout the
repository. The corrections were made automatically using `codespell`[1]
tool.

[1]: https://github.com/codespell-project/codespell

Change-Id: I25415165df192cfc3bd1405aca81bfa5bf2f7a63
Signed-off-by: Manojkiran Eda <manojkiran.eda@gmail.com>

show more ...

dsp: base: Rework {un,}pack_pldm_header() error handling

The current preference is that library APIs return negative errno values
to signal implementation errors. That doesn't jive with existing sta

dsp: base: Rework {un,}pack_pldm_header() error handling

The current preference is that library APIs return negative errno values
to signal implementation errors. That doesn't jive with existing stable
APIs returning PLDM completion codes, so provide a means to translate
between the two.

The first users are the {un,}pack_pldm_header() functions.

Change-Id: I7b7cb97a1d8b96ec0fec1c0a5fbd8503da834d86
Signed-off-by: Andrew Jeffery <andrew@codeconstruct.com.au>

show more ...

msgbuf: Add error code personalities

libpldm is in a bit of a transitional period with respect to returned
error codes. A historical choice was to return PLDM completion codes
from the library API t

msgbuf: Add error code personalities

libpldm is in a bit of a transitional period with respect to returned
error codes. A historical choice was to return PLDM completion codes
from the library API to indicate errors. This is unfortunate because
we're now constrained to errors that are specified by the PLDM protocol,
which is much less expressive than the set of errors that might be
produced by a run-time environment for the library.

The choice going forward is to return C's errno codes. However at this
point we step on another rake in the libpldm design, which is that some
internal data structures are very much the wire format of corresponding
PLDM messages (such as the PDR repository implementation). Working with
wire-format buffers is most safely done via the msgbuf APIs, however we
then hit the conflict of different error code styles in various parts of
the API surface.

Do a bit of surgery to provide different error code personalities for
msgbuf, such that the caller can pick the style of error code they need
it to return to maintain consistency.

Note that like the previous patch marking all msgbuf APIs as
__attribute__((always_inline)), the rework here makes another small
impact on the argument register allocation of several stable APIs. The
ABI dump is updated accordingly.

Change-Id: Id59c39c5c822f514f546dab88575317071a97c96
Signed-off-by: Andrew Jeffery <andrew@codeconstruct.com.au>

show more ...

msgbuf: Always inline all functions

The intent of the msgbuf APIs is that they are glorified wrappers
around singular load/store sequences. Given this, mark all of them as
`__attribute__((always_inl

msgbuf: Always inline all functions

The intent of the msgbuf APIs is that they are glorified wrappers
around singular load/store sequences. Given this, mark all of them as
`__attribute__((always_inline))`.

Note that this apparently impacts the library ABI of the following
functions:

- `decode_get_state_sensor_readings_resp`
- `decode_platform_event_message_req`
- `decode_pldm_pdr_repository_change_record_data`
- `decode_pldm_pdr_repository_chg_event_data`
- `decode_sensor_op_data`
- `decode_set_event_receiver_resp`
- `decode_state_sensor_data`

On x86_64 the argument register selection is rearranged, for example:

```diff
'Reg' => {
- '2' => 'rbx'
+ '0' => 'rdi',
+ '1' => 'rsi',
+ '2' => 'rdx'
},
'Return' => '100',
'ShortName' => 'decode_set_event_receiver_resp'
```

I'm yet to understand how we ended up with argument 2 being passed
in `rbx`, as the psABI[1][2] v1.0 does not define `rbx` as an
argument-passing register (see Figure 3.4 on page 26). Possibly because
it's callee-saved it can be exploited this way. The previously recorded
registers of other functions appear to have the same concern. By
contrast, `rdi`, `rsi` and `rdx` are defined as the 1st, 2nd and 3rd
argument-passing registers respectively, which with respect to the
function at hand seems reasonable.

[1]: https://gitlab.com/x86-psABIs/x86-64-ABI/-/jobs/artifacts/master/raw/x86-64-ABI/abi.pdf?job=build
[2]: https://gitlab.com/x86-psABIs/x86-64-ABI

Change-Id: I38c2d36d254bbd54012848b2b5c5ab52c0f04003
Signed-off-by: Andrew Jeffery <andrew@codeconstruct.com.au>

show more ...

msgbuf: Add copy API

pldm_msgbuf_copy API allows copy of data from one msg buffer
to another. This was done earlier with a pldm_msgbuf_extract()
followed by pldm_msgbuf_insert().

Change-Id: I159792

msgbuf: Add copy API

pldm_msgbuf_copy API allows copy of data from one msg buffer
to another. This was done earlier with a pldm_msgbuf_extract()
followed by pldm_msgbuf_insert().

Change-Id: I159792f726916761894aefb0a8795f1f0dc84114
Signed-off-by: Varsha Kaverappa <vkaverap@in.ibm.com>

show more ...

msgbuf: Remove use of ssize_t for overflow tracking

There are a few concerns with the use of ssize_t in this context:

1. It's defined by POSIX and not C, and I'd prefer we not require POSIX
conc

msgbuf: Remove use of ssize_t for overflow tracking

There are a few concerns with the use of ssize_t in this context:

1. It's defined by POSIX and not C, and I'd prefer we not require POSIX
concepts where we can avoid it
2. ssize_t is defined over [-1, SSIZE_MAX] - it is not defined to have
the range of a regular signed type.

The source of both these statements is The Open Group Base
Specifications Issue 7, 2018 edition. IEEE Std 1003.1-2017 (Revision of
IEEE Std 1003.1-2008)

The second point directly contradicts how I was trying to use ssize_t in
the msgbuf implementation. As a result, switch the type of `remaining`
to intmax_t. Usually intmax_t is a problem child, but it's not used in
any public API, and it has the semantics I wanted by contrast to the
definition of ssize_t.

Note that we add assert() calls where we know the value of remaining
must be negative. Without the addition of the `assert()` calls in the
underflow checks, clang-analyzer gets tripped up by not being able to
prove `INTMAX_MIN + (intmax_t)sizeof(uint16_t) < 0`:

```
../src/platform.c:17:18: error: The left operand of '+' is a garbage value [clang-analyzer-core.UndefinedBinaryOperatorResult,-warnings-as-errors]
17 | if (ctx->length + sizeof(*ctx) < lower) {
| ^
../src/platform.c:2445:6: note: 'rc' is 0
2445 | if (rc) {
| ^~
../src/platform.c:2445:2: note: Taking false branch
2445 | if (rc) {
| ^
../src/platform.c:2449:7: note: Calling 'pldm_msgbuf_extract_value_pdr_hdr'
2449 | rc = pldm_msgbuf_extract_value_pdr_hdr(buf, &hdr);
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
../src/msgbuf/platform.h:17:2: note: Calling 'pldm__msgbuf_extract_uint16'
17 | pldm_msgbuf_extract(ctx, hdr->length);
| ^
../src/msgbuf/../msgbuf.h:517:2: note: expanded from macro 'pldm_msgbuf_extract'
517 | _Generic((dst), \
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
518 | uint8_t: pldm__msgbuf_extract_uint8, \
| ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
519 | int8_t: pldm__msgbuf_extract_int8, \
| ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
520 | uint16_t: pldm__msgbuf_extract_uint16, \
| ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
521 | int16_t: pldm__msgbuf_extract_int16, \
| ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
522 | uint32_t: pldm__msgbuf_extract_uint32, \
| ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
523 | int32_t: pldm__msgbuf_extract_int32, \
| ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
524 | real32_t: pldm__msgbuf_extract_real32)(ctx, (void *)&(dst))
| ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
../src/msgbuf/../msgbuf.h:341:7: note: 'ctx' is non-null
341 | if (!ctx || !ctx->cursor || !dst) {
| ^~~
../src/msgbuf/../msgbuf.h:341:6: note: Left side of '||' is false
341 | if (!ctx || !ctx->cursor || !dst) {
| ^
../src/msgbuf/../msgbuf.h:341:20: note: Field 'cursor' is non-null
341 | if (!ctx || !ctx->cursor || !dst) {
| ^
../src/msgbuf/../msgbuf.h:341:6: note: Left side of '||' is false
341 | if (!ctx || !ctx->cursor || !dst) {
| ^
../src/msgbuf/../msgbuf.h:341:31: note: 'dst' is non-null
341 | if (!ctx || !ctx->cursor || !dst) {
| ^~~
../src/msgbuf/../msgbuf.h:341:2: note: Taking false branch
341 | if (!ctx || !ctx->cursor || !dst) {
| ^
../src/msgbuf/../msgbuf.h:347:2: note: Taking true branch
347 | if (ctx->remaining < INTMAX_MIN + (intmax_t)sizeof(ldst)) {
| ^
../src/msgbuf/../msgbuf.h:348:3: note: Returning without writing to '*dst'
348 | return PLDM_ERROR_INVALID_LENGTH;
| ^
../src/msgbuf/platform.h:17:2: note: Returning from 'pldm__msgbuf_extract_uint16'
17 | pldm_msgbuf_extract(ctx, hdr->length);
| ^
../src/msgbuf/../msgbuf.h:517:2: note: expanded from macro 'pldm_msgbuf_extract'
517 | _Generic((dst), \
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
518 | uint8_t: pldm__msgbuf_extract_uint8, \
| ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
519 | int8_t: pldm__msgbuf_extract_int8, \
| ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
520 | uint16_t: pldm__msgbuf_extract_uint16, \
| ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
521 | int16_t: pldm__msgbuf_extract_int16, \
| ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
522 | uint32_t: pldm__msgbuf_extract_uint32, \
| ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
523 | int32_t: pldm__msgbuf_extract_int32, \
| ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
524 | real32_t: pldm__msgbuf_extract_real32)(ctx, (void *)&(dst))
| ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
../src/msgbuf/platform.h:19:2: note: Returning without writing to 'hdr->length'
19 | return pldm_msgbuf_validate(ctx);
| ^
../src/platform.c:2449:7: note: Returning from 'pldm_msgbuf_extract_value_pdr_hdr'
2449 | rc = pldm_msgbuf_extract_value_pdr_hdr(buf, &hdr);
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
../src/platform.c:2450:6: note: 'rc' is 0
2450 | if (rc) {
| ^~
../src/platform.c:2450:2: note: Taking false branch
2450 | if (rc) {
| ^
../src/platform.c:2454:7: note: Calling 'pldm_platform_pdr_hdr_validate'
2454 | rc = pldm_platform_pdr_hdr_validate(
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
2455 | &hdr, PLDM_PDR_NUMERIC_EFFECTER_PDR_MIN_LENGTH,
| ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
2456 | pdr_data_length);
| ~~~~~~~~~~~~~~~~
../src/platform.c:17:18: note: The left operand of '+' is a garbage value
17 | if (ctx->length + sizeof(*ctx) < lower) {
| ~~~~~~~~~~~ ^
```

Change-Id: Idbe5a14455ad677a39c8f535eddd9c2ce471c783
Signed-off-by: Andrew Jeffery <andrew@codeconstruct.com.au>

show more ...

msgbuf: Rework detection of invalid memory regions

From Annex J.2 of N2176 (C17 draft specification):

> Addition or subtraction of a pointer into, or just beyond, an array
> object and an integer t

msgbuf: Rework detection of invalid memory regions

From Annex J.2 of N2176 (C17 draft specification):

> Addition or subtraction of a pointer into, or just beyond, an array
> object and an integer type produces a result that does not point into,
> or just beyond, the same array object (6.5.6).

Instead we can lean on uintptr_t from 7.20.1.4, and from there the
defined behavior of unsigned overflow.

Change-Id: Ia1b47b87efeb9c96057d294a3e38e90bfdba5386
Signed-off-by: Andrew Jeffery <andrew@codeconstruct.com.au>

show more ...

msgbuf: Enable pldm_msgbuf_extract() into packed members

`pldm_msgbuf_extract()` should work correctly regardless of whether the
`dst` argument is a member of a packed or padded struct.

To get ther

msgbuf: Enable pldm_msgbuf_extract() into packed members

`pldm_msgbuf_extract()` should work correctly regardless of whether the
`dst` argument is a member of a packed or padded struct.

To get there while still achieving type safety we have to jump through
some hoops. Commentary in the patch hopefully captures many of them, but
a side-effect of the hoop-jumping is a couple of changes to ergonomics
of the msgbuf API:

1. `pldm_msgbuf_extract()` no-longer requires that the `dst`
argument be a pointer. Instead, it must be an lvalue, removing all
the `&<lvalue>` noise from the call-sites.

2. However, unfortunately the generic extraction macro has been split in
two. We now have:

2.1 `pldm_msgbuf_extract()`, and
2.2 `pldm_msgbuf_extract_p()`, for when the reference we already have
for the `dst` object is a pointer and not an lvalue.

The split was necessary because I couldn't get GCC and Clang to play
nice with differences required in the assignment expression for lvalue
and pointer type-names in the one macro. Whilst it causes a bunch of
churn it isn't a great concern as the APIs are purely internal to the
library implementation.

Change-Id: Ifc5440a5b838a48bb84c881ec334d9e145365edb
Signed-off-by: Andrew Jeffery <andrew@codeconstruct.com.au>
Signed-off-by: Thu Nguyen <thu@os.amperecomputing.com>

show more ...

msgbuf: Drop unnecessary buffer size arithmetic in array helpers

If we're going to multiply we need to guard against the result
overflowing. However, we don't need to multiply to derive `len` as the

msgbuf: Drop unnecessary buffer size arithmetic in array helpers

If we're going to multiply we need to guard against the result
overflowing. However, we don't need to multiply to derive `len` as the
sizeof() expression always evaluates to 1 by definition, yielding
`count`.

Drop the derivation of `len` to clarify that overflow can't occur.

Change-Id: I47b8804663518cdbcc70efa2bce14e4edf6702a2
Signed-off-by: Andrew Jeffery <andrew@codeconstruct.com.au>

show more ...

libpldm: Fix header use

The headers need to work whether we're building libpldm in the repo or
we're building another project depending on the headers in the system
include directory.

Tidy up the p

libpldm: Fix header use

The headers need to work whether we're building libpldm in the repo or
we're building another project depending on the headers in the system
include directory.

Tidy up the paths involved and switch to defining the public headers as
system headers for the purpose of the build.

Change-Id: I49413988c94d393ea5761bc4684edcd2c2482a98
Signed-off-by: Andrew Jeffery <andrew@codeconstruct.com.au>

show more ...

license: add spdx identifier to all files

Signed-off-by: Patrick Williams <patrick@stwcx.xyz>
Change-Id: Ifddd07cc0eb5edeb2dcb410747073d68c6631cb1

msgbuf: Remove duplicate fixup of _Static_assert() for C++

Not entirely sure how we didn't catch this previously.

Fixes: 062c8762c7eb ("msgbuf: Add insert and span APIs")
Signed-off-by: Andrew Jeff

msgbuf: Remove duplicate fixup of _Static_assert() for C++

Not entirely sure how we didn't catch this previously.

Fixes: 062c8762c7eb ("msgbuf: Add insert and span APIs")
Signed-off-by: Andrew Jeffery <andrew@aj.id.au>
Change-Id: I1fcff90cb9f31fb3f5036393201a8ab5e27724b7

show more ...

clang-format: copy latest and re-format

clang-format-16 has some backwards incompatible changes that require
additional settings for best compatibility and re-running the formatter.
Copy the latest

clang-format: copy latest and re-format

clang-format-16 has some backwards incompatible changes that require
additional settings for best compatibility and re-running the formatter.
Copy the latest .clang-format from the docs repository[1] and reformat
the repository.

[1] https://gerrit.openbmc.org/c/openbmc/docs/+/63441

Further, shift the fixup for C's `_Static_assert` into src/msgbuf.h to
prevent a clang-tidy-16 error:

```
/data0/jenkins/workspace/ci-repository/openbmc/libpldm/src/msgbuf.h:315:2: error: '_Static_assert' is a C11 extension [clang-diagnostic-c11-extensions,-warnings-as-errors]
_Static_assert(sizeof(*dst) == sizeof(ldst),
^
```

And fix up the function prototype in the definition of `pldm_open()`:

```
../src/requester/pldm.c:128:16: error: a function declaration without a prototype is deprecated in all versions of C [clang-diagnostic-strict-prototypes,-warnings-as-errors]
void pldm_close()
^
void
```

Change-Id: I57b53f51914e39237e733d024e62ab41b3d306c1
Signed-off-by: Andrew Jeffery <andrew@aj.id.au>

show more ...

msgbuf: Add insert and span APIs

pldm_msgbuf_insert() is generic APIs to insert data to a pointer.
It automatically calls the correct insertor API for the type of the
packing data.
pldm_msgbuf_span_

msgbuf: Add insert and span APIs

pldm_msgbuf_insert() is generic APIs to insert data to a pointer.
It automatically calls the correct insertor API for the type of the
packing data.
pldm_msgbuf_span_required() spans the input number of bytes from
buffer to the input double pointer.
pldm_msgbuf_span_remaining() extracts the remaining number of bytes
from buffer to the input double pointer.

Signed-off-by: Thu Nguyen <thu@os.amperecomputing.com>
Change-Id: Ide7dbf735f69a8288e6f39a0b7b5c33aad38a98e

show more ...

msgbuf: Add pldm_msgbuf_consumed()

pldm_msgbuf_consumed() only returns PLDM_SUCCESS if a message buffer has
been exactly exhausted - all bytes read and no overflow has occurred.

The decode_* functi

msgbuf: Add pldm_msgbuf_consumed()

pldm_msgbuf_consumed() only returns PLDM_SUCCESS if a message buffer has
been exactly exhausted - all bytes read and no overflow has occurred.

The decode_* functions have a mix of behaviour, some lenient like the
behaviour provided by pldm_msgbuf_validate() and others strict like
pldm_msgbuf_consumed().

Signed-off-by: Andrew Jeffery <andrew@aj.id.au>
Change-Id: If058ed3748dcc7cb366f4c31344c9bbfba1c5939

show more ...

msgbuf: Add pldm_msgbuf_extract_array() for uint8

This is required for converting the
decode_get_pdr_repository_info_resp() function to pldm_msgbuf.

Signed-off-by: Andrew Jeffery <andrew@aj.id.au>

msgbuf: Add pldm_msgbuf_extract_array() for uint8

This is required for converting the
decode_get_pdr_repository_info_resp() function to pldm_msgbuf.

Signed-off-by: Andrew Jeffery <andrew@aj.id.au>
Change-Id: If9afcaa83872969bcf8e4d0ecdeae2971e12248b

show more ...

msgbuf: Handle pointer-overflow sanitization

The implementation explicitly checks for overflow, so don't trigger
ubsan on the fact that test suite explicitly exercises the explicit
overflow check.

msgbuf: Handle pointer-overflow sanitization

The implementation explicitly checks for overflow, so don't trigger
ubsan on the fact that test suite explicitly exercises the explicit
overflow check.

Signed-off-by: Andrew Jeffery <andrew@aj.id.au>
Change-Id: Ifce702a08804e6ad715a6b28c6c8102ee903d060

show more ...

Introduce a small msgbuf abstraction

Tidy up how we extract data from wire-format buffers.

The API achieves the following:

1. Abstracts the buffer tracking to improve clarity in the calling code

Introduce a small msgbuf abstraction

Tidy up how we extract data from wire-format buffers.

The API achieves the following:

1. Abstracts the buffer tracking to improve clarity in the calling code

2. Prevents buffer overflows during data extraction

3. Handles type conversions while avoiding undefined behaviour

4. Handles alignment concerns with packed data and removes the need for
`__attribute__((packed))` structs in the public ABI

5. Handles the endianness conversions required by the PLDM
specification(s)

6. Batches error checks such that you mostly only have to do `return
pldm_msgbuf_destroy();` at the end of the decode_* function for error
handling, no error handling required on every `pldm_msgbuf_extract()`
call

7. pldm_msgbuf_extract() is generic over the type of the data pointer
(automatically calls the correct extractor for the type of the
pointer)

8. Generates optimal code (where the optimiser can prove the accesses
are in-bounds we generate straight-line load/store pairs and no
function calls)

Signed-off-by: Andrew Jeffery <andrew@aj.id.au>
Change-Id: I7e727cbd26c43aae2815ababe0e6ca4c8e629766
Signed-off-by: Andrew Jeffery <andrew@aj.id.au>

show more ...