TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / f055ad751246215a9760f6b053fd763470842b3a^! / .
commitf055ad751246215a9760f6b053fd763470842b3a[log] [tgz]
authorGilles Peskine <Gilles.Peskine@arm.com>Mon Dec 17 23:18:00 2018 +0100
committerGilles Peskine <Gilles.Peskine@arm.com>Thu Dec 20 18:47:52 2018 +0100
tree7f2feb5ee1af9752f58d720b0a47d6ee3e31548e
parent3d2f949c86914616d974dbe2de56a162cc7b61f5 [diff]
Add a safety check to ARRAY_LENGTH

Cause a compilation error on ARRAY_LENGTH(p) where p is a pointer as
opposed to an array. This only works under GCC and compatible
compilers such as Clang. On other compilers, ARRAY_LENGTH works but
doesn't check the type of its argument.

diff --git a/tests/suites/helpers.function b/tests/suites/helpers.function
index 38c16ad..4a9d2a3 100644
--- a/tests/suites/helpers.function
+++ b/tests/suites/helpers.function

@@ -150,9 +150,41 @@
     mbedtls_exit( 1 );                                             \
 }
 
-/** Return the number of elements of a static or stack array. */
-#define ARRAY_LENGTH( array )                   \
+#if defined(__GNUC__)
+/* Test if arg and &(arg)[0] have the same type. This is true if arg is
+ * an array but not if it's a pointer. */
+#define IS_ARRAY_NOT_POINTER( arg )                                     \
+    ( ! __builtin_types_compatible_p( __typeof__( arg ),                \
+                                      __typeof__( &( arg )[0] ) ) )
+#else
+/* On platforms where we don't know how to implement this check,
+ * omit it. Oh well, a non-portable check is better than nothing. */
+#define IS_ARRAY_NOT_POINTER( arg ) 1
+#endif
+
+/* A compile-time constant with the value 0. If `const_expr` is not a
+ * compile-time constant with a nonzero value, cause a compile-time error. */
+#define STATIC_ASSERT_EXPR( const_expr )                                \
+    ( 0 && sizeof( struct { int STATIC_ASSERT : 1 - 2 * ! ( const_expr ); } ) )
+/* Return the scalar value `value` (possibly promoted). This is a compile-time
+ * constant if `value` is. `condition` must be a compile-time constant.
+ * If `condition` is false, arrange to cause a compile-time error. */
+#define STATIC_ASSERT_THEN_RETURN( condition, value )   \
+    ( STATIC_ASSERT_EXPR( condition ) ? 0 : ( value ) )
+
+#define ARRAY_LENGTH_UNSAFE( array )            \
     ( sizeof( array ) / sizeof( *( array ) ) )
+/** Return the number of elements of a static or stack array.
+ *
+ * \param array         A value of array (not pointer) type.
+ *
+ * \return The number of elements of the array.
+ */
+#define ARRAY_LENGTH( array )                                           \
+    ( STATIC_ASSERT_THEN_RETURN( IS_ARRAY_NOT_POINTER( array ),         \
+                                 ARRAY_LENGTH_UNSAFE( array ) ) )
+
+
 /*
  * 32-bit integer manipulation macros (big endian)
  */