Now that all signedness comparison warnings in the source tree have been
fixed, let's enable the warning option, to avoid them creeping in again.
Signed-off-by: Andre Przywara <andre.przywara@arm.com>
Message-Id: <20210618172030.9684-6-andre.przywara@arm.com>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
With -Wsign-compare, compilers warn about a mismatching signedness in
comparisons in various parts in checks.c.
Fix those by making all affected variables unsigned. This covers return
values of the (unsigned) size_t type, phandles, variables holding sizes
in general and loop counters only ever counting positives values.
Signed-off-by: Andre Przywara <andre.przywara@arm.com>
Message-Id: <20210618172030.9684-5-andre.przywara@arm.com>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
In several places we check for a returned phandle value to be valid,
for that it must not be 0 or "-1".
Wrap this check in a static inline function in dtc.h, and use ~0U instead
of -1 on the way, to keep everything in the unsigned realm.
Signed-off-by: Andre Przywara <andre.przywara@arm.com>
Message-Id: <20210618172030.9684-4-andre.przywara@arm.com>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
With -Wsign-compare, compilers warn about a mismatching signedness in
the different legs of the conditional operator, in fdtget.c.
In the questionable expression, we are constructing a 16-bit value out of
two unsigned 8-bit values, however are relying on the compiler's
automatic expansion of the uint8_t to a larger type, to survive the left
shift. This larger type happens to be an "int", so this part of the
expression becomes signed.
Fix this by explicitly blowing up the uint8_t to a larger *unsigned* type,
before doing the left shift. And while we are at it, convert the hardly
readable conditional operator usage into a sane switch/case expression.
This fixes "make fdtget", when compiled with -Wsign-compare.
Signed-off-by: Andre Przywara <andre.przywara@arm.com>
Message-Id: <20210618172030.9684-3-andre.przywara@arm.com>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
With -Wsign-compare, compilers warn about a mismatching signedness in
comparisons in various files in the tests/ directory.
For about half of the cases we can simply change the signed variable to
be of an unsigned type, because they will never need to store negative
values (which is the best fix of the problem).
In the remaining cases we can cast the signed variable to an unsigned
type, provided we know for sure it is not negative.
We see two different scenarios here:
- We either just explicitly checked for this variable to be positive
(if (rc < 0) FAIL();), or
- We rely on a function returning only positive values in the "length"
pointer if the function returned successfully: which we just checked.
At two occassions we compare with a constant "-1" (even though the
variable is unsigned), so we just change this to ~0U to create an
unsigned comparison value.
Since this is about the tests, let's also add explicit tests for those
values really not being negative.
This fixes "make tests" (but not "make check" yet), when compiled
with -Wsign-compare.
Signed-off-by: Andre Przywara <andre.przywara@arm.com>
Message-Id: <20210618172030.9684-2-andre.przywara@arm.com>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
With -Wsign-compare, compilers warn about a mismatching signedness
in comparisons in the function get_node_by_path().
Taking the difference between two pointers results in a signed ptrdiff_t
type, which mismatches the unsigned type returned by strlen().
Since "p" has been returned by a call to strchr() with "path" as its
argument, we know for sure that it's bigger than "path", so the
difference must be positive. So a cast to an unsigned type is valid.
Signed-off-by: Andre Przywara <andre.przywara@arm.com>
Message-Id: <20210611171040.25524-7-andre.przywara@arm.com>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
With -Wsign-compare, compilers warn about a mismatching signedness
in comparisons in code using the "reservednum" variable.
There is obviously little sense in having a negative number of reserved
memory entries, so let's make this variable and all its users unsigned.
Signed-off-by: Andre Przywara <andre.przywara@arm.com>
Message-Id: <20210611171040.25524-6-andre.przywara@arm.com>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
With -Wsign-compare, compilers warn about a mismatching signedness in
comparisons in fdtdump.c.
The "len" parameter to valid_header() refers to a memory size, not a
file offset, so the (unsigned) size_t is better fit, and fixes the
warning nicely.
In the main function we compare the difference between two pointers,
which produces a signed ptrdiff_t type. However the while loop above the
comparison makes sure that "p" always points before "endp" (by virtue of
the limit in the memchr() call). This means "endp - p" is never
negative, so we can safely cast this expression to an unsigned type.
This fixes "make fdtdump", when compiled with -Wsign-compare.
Signed-off-by: Andre Przywara <andre.przywara@arm.com>
Message-Id: <20210611171040.25524-3-andre.przywara@arm.com>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
Coverity gets a bit confused by loading fdt_size_dt_strings() and
using it in a memmove(). In fact this is safe because the callers
have verified this information (via FDT_RW_PROBE() in fdt_pack() or
construction in fdt_open_into()).
Passing in strings_size like we already do struct_size seems to get
Coverity to follow what's going on here.
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
In a number of places we check if one number is a multiple of another,
using a modulus. In some of those cases the divisor is potentially zero,
which needs special handling or we could trigger a divide by zero.
Introduce an is_multiple_of() helper to safely handle this case, and use
it in a bunch of places. This should close Coverity issue 1501687, maybe
others as well.
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
At least some cpp implementations, in at least some circumstances place
multiple numbers after the file name when they put line number information
into the output. We don't really care what the content of these is, but
we want the dtc lexer not to choke on this, so adjust the rule for handling
cpp line number information accordingly.
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
With the prior commit, this check is now redundant.
Signed-off-by: Rob Herring <robh@kernel.org>
Message-Id: <20210526010335.860787-4-robh@kernel.org>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
There's already a check for '#.*-cells' properties, so let's enable it for
all the ones we already know about.
Signed-off-by: Rob Herring <robh@kernel.org>
Message-Id: <20210526010335.860787-3-robh@kernel.org>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
The check for phandle markers is fragile because the phandle marker must
be after a type marker. The only guarantee for markers is they are in
offset order. The order at a specific offset is undefined.
Rework yaml_propval_int() to get the full marker list, so it can find a
phandle marker no matter the ordering.
Signed-off-by: Rob Herring <robh@kernel.org>
Message-Id: <20210526010335.860787-2-robh@kernel.org>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
Clang has -Wself-assign enabled by default under -Wall and so when
building with -Werror we would get an error here. Inspired by Linux
kernel git commit a21151b9d81a ("tools/build: tweak unused value
workaround") make use of the fact that both Clang and GCC support
casting to `void` as the method to note that something is intentionally
unused.
Signed-off-by: Tom Rini <trini@konsulko.com>
Message-Id: <20210524154910.30523-1-trini@konsulko.com>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
Makes the logic more clear
Signed-off-by: Ilya Lipnitskiy <ilya.lipnitskiy@gmail.com>
Message-Id: <20210504035944.8453-4-ilya.lipnitskiy@gmail.com>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
Logic is similar to strcmp_suffix in <kernel>/drivers/of/property.c with
the exception that strends allows string length to equal suffix length.
Signed-off-by: Ilya Lipnitskiy <ilya.lipnitskiy@gmail.com>
Message-Id: <20210504035944.8453-3-ilya.lipnitskiy@gmail.com>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
There are no instances of nr-gpio in the Linux kernel tree, only
"[<vendor>,]nr-gpios", so make the check stricter.
nr-gpios without a "vendor," prefix is also invalid, according to the DT
spec[0], and there are no DT files in the Linux kernel tree with
non-vendor nr-gpios. There are some drivers, but they are not DT spec
compliant, so don't suppress the check for them.
[0]:
Link: cb53a16a1e/schemas/gpio/gpio-consumer.yaml (L20)
Signed-off-by: Ilya Lipnitskiy <ilya.lipnitskiy@gmail.com>
Cc: Rob Herring <robh+dt@kernel.org>
Message-Id: <20210504035944.8453-2-ilya.lipnitskiy@gmail.com>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
Only checking the FDT alignment in fdt_ro_probe_() means that
fdt_check_header() can pass, but then subsequent API calls fail on
alignment checks. Let's add an alignment check to fdt_check_header() so
alignment errors are found up front.
Cc: Tom Rini <trini@konsulko.com>
Cc: Frank Rowand <frowand.list@gmail.com>
Signed-off-by: Rob Herring <robh@kernel.org>
Message-Id: <20210406190712.2118098-1-robh@kernel.org>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
The root node is supposed to have an empty name, but at present this is
not checked. The behaviour of such a tree is not well defined. Most
software rightly assumes that the root node is at offset 0 and does not
check the name. This oddity was discovered as part of a security
investigation into U-Boot verified boot.
Add a check for this to fdt_check_full().
Signed-off-by: Simon Glass <sjg@chromium.org>
Reported-by: Arie Haenel <arie.haenel@intel.com>
Reported-by: Julien Lenoir <julien.lenoir@intel.com>
Message-Id: <20210323010410.3222701-2-sjg@chromium.org>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
At present it is possible to have two root nodes and even access nodes
in the 'second' root. Such trees should not be considered valid. This
was discovered as part of a security investigation into U-Boot verified
boot.
Add a check for this to fdt_check_full().
Signed-off-by: Simon Glass <sjg@chromium.org>
Reported-by: Arie Haenel <arie.haenel@intel.com>
Reported-by: Julien Lenoir <julien.lenoir@intel.com>
Message-Id: <20210323000926.3210733-1-sjg@chromium.org>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
This partially reverts 163f0469bf ("dtc: Allow overlays to have
.dtbo extension").
I think accepting "dtbo" as --out-format is strange. This is not
shown by --help, at least.
*.dtb and *.dtbo should have the same format, "dtb".
Signed-off-by: Masahiro Yamada <masahiroy@kernel.org>
Message-Id: <20210311094956.924310-1-masahiroy@kernel.org>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
Apparently the unchecked return value of the first fdt_next_tag() call in
fdt_add_subnode_namelen() is tripping Coverity Scan in some circumstances,
although it appears not to for the scan on our project itself.
This fdt_next_tag() should always return FDT_BEGIN_NODE, since otherwise
the fdt_subnode_offset_namelen() above would have returned BADOFFSET or
BADSTRUCTURE.
Still, add a check to shut Coverity up, gated by a can_assume() to avoid
bloat in small builds.
Reported-by: Ryan Long <ryan.long@oarcorp.com>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
Treat a node-name and property name at the same level of tree as
a warning
Signed-off-by: Kumar Gala <kumar.gala@linaro.org>
Message-Id: <20210210193912.799544-1-kumar.gala@linaro.org>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
The devicetree spec limits the valid character set to:
A-Z
a-z
0-9
,._+-
while property can additionally have '?#'. Change the check to match
the spec.
Signed-off-by: Kumar Gala <kumar.gala@linaro.org>
Message-Id: <20210209184641.63052-1-kumar.gala@linaro.org>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
The gnu_printf format attribute was introduced in gcc 4.4.0
https://gcc.gnu.org/legacy-ml/gcc-help/2012-02/msg00225.html.
Use the printf format attribute on earlier versions of gcc and clang
(which claims to be gcc 4.2.1 in builtin defines) to fix the build with
gcc 4.2.1.
Fixes: 588a29f ("util: use gnu_printf format attribute")
Signed-off-by: Jonathan Gray <jsg@jsg.id.au>
Message-Id: <20210206100110.75228-1-jsg@jsg.id.au>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
In one place, fdtdump abuses fdt_set_magic(), passing it just a small char
array instead of the full fdt header it expects. That's relying on the
fact that in fact fdt_set_magic() will only actually access the first 4
bytes of the buffer.
This trips a new warning in GCC 11 - and it's entirely possible it was
always UB. So, don't do that.
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
Some kernels require the MAX_SRCFILE_DEPTH to be bigger than 100, and
since it's just a sanity check to detect infinite recursion it shouldn't
hurt increasing it to 200.
Signed-off-by: Ignacy Kuchciński <ignacykuchcinski@gmail.com>
Message-Id: <CAJq_QG0BHBQYT4RnVi0QSxM_vFK2K-5k1eTpJnwZQtWbKnCBJA@mail.gmail.com>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
Allow the overlays to have .dtbo extension instead of just .dtb. This
allows them to be identified easily by tools as well as humans.
Allow the dtbo outform in dtc.c for the same.
Signed-off-by: Viresh Kumar <viresh.kumar@linaro.org>
Message-Id: <30fd0e5f2156665c713cf191c5fea9a5548360c0.1609926856.git.viresh.kumar@linaro.org>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
Changes in v3:
- Remove noop version sets
- Set version correctly on loaded fdt in fdt_open_into
Fixes: f1879e1a50 ("Add limited read-only support for older (V2 and V3) device tree to libfdt.")
Signed-off-by: Justin Covell <jujugoboom@gmail.com>
Message-Id: <20201229041749.2187-1-jujugoboom@gmail.com>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
This test was accidentally skipped as the wrong test dts file was built.
The fragment numbering in this sugar-free test case needed adjusting to
match the numbering generated by dtc for overlay_overlay.dts.
Signed-off-by: Paul Barker <pbarker@konsulko.com>
Message-Id: <20201219143521.2118-1-pbarker@konsulko.com>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
There's a small inaccuracy in the comment describing these new helpers.
This corrects it, and reformats while we're there.
Fixes: f98f28ab ("libfdt: Internally perform potentially unaligned loads")
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
Commits 6dcb8ba4 "libfdt: Add helpers for accessing unaligned words"
introduced changes to support unaligned reads for ARM platforms and
11738cf01f "libfdt: Don't use memcpy to handle unaligned reads on ARM"
improved the performance of these helpers.
On further discussion, while there are potential cases where we could be
used on platforms that do not fixup unaligned reads for us, making this
choice the default is very expensive in terms of binary size and access
time. To address this, introduce and use new fdt{32,64}_ld_ functions
that call fdt{32,64}_to_cpu() as was done prior to the above mentioned
commits. Leave the existing load functions as unaligned-safe and
include comments in both cases.
Reviewed-by: Rob Herring <robh@kernel.org>
Signed-off-by: Tom Rini <trini@konsulko.com>
Message-Id: <20201211022736.31657-1-trini@konsulko.com>
Tested-by: John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
The device tree must be loaded in to memory at an 8-byte aligned
address. Add a check for this condition in fdt_ro_probe_() and a new
error code to return if we are not.
Signed-off-by: Tom Rini <trini@konsulko.com>
Message-Id: <20201104130605.28874-1-trini@konsulko.com>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
The meson build system allows projects to "vendor" dtc easily, thanks to
subproject(). QEMU has recently switched to meson, and adding meson
support to dtc will help to handle the QEMU submodule.
meson rules are arguably simpler to write and maintain than
the hand-crafted/custom Makefile. meson support various backends, and
default build options (including coverage, sanitizer, debug/release
etc, see: https://mesonbuild.com/Builtin-options.html)
Compare to the Makefiles, the same build targets should be built and
installed and the same tests should be run ("meson test" can be provided
extra test arguments for running the equivalent of checkm/checkv).
There is no support EXTRAVERSION/LOCAL_VERSION/CONFIG_LOCALVERSION,
instead the version is simply set with project(), and vcs_tag() is
used for git/dirty version reporting (This is most common and is
hopefully enough. If necessary, configure-time options could be added
for extra versioning.).
libfdt shared library is build following regular naming conventions:
instead of libfdt.so.1 -> libfdt-1.6.0.so (with current build-sys),
libfdt.so.1 -> libfdt.so.1.6.0. I am not sure why the current build
system use an uncommon naming pattern. I also included a libfdt.pc
pkg-config file, as convenience.
Both Linux native build and mingw cross-build pass. CI pass. Tests are
only run on native build.
The current Makefiles are left in-tree, and make/check still work.
Eventually, the Makefiles could be marked as deprecated, to start a
transition period and avoid having to maintain 2 build systems in the
near future.
(run_tests.sh could eventually be replaced by the meson test runner,
which would have several advantages in term of flexibility/features,
but this is left for another day)
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Message-Id: <20201012073405.1682782-3-marcandre.lureau@redhat.com>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
With meson, we have to support out-of-tree build.
Introduce a --top-builddir option, which will default to the current
directory to lookup generated filed such as version_gen.h and output
directories.
Other source paths are derived from the location of the setup.py script
in the source tree.
--build-lib is changed to be relative to the current directory, instead
of relative to setup.py. This has less surprising results!
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Message-Id: <20201012073405.1682782-2-marcandre.lureau@redhat.com>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
With -Wsign-compare, compilers warn about a mismatching signedness
in a comparison in dtc's data_copy_file().
Even though maxlen is of an unsigned type, we compare against "-1",
which is passed in from the parser to indicate an unknown size.
Cast the "-1" to an unsigned size to make the comparison match.
Signed-off-by: Andre Przywara <andre.przywara@arm.com>
Message-Id: <20201012161948.23994-9-andre.przywara@arm.com>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
With -Wsign-compare, compilers warn about a mismatching signedness in
comparisons in various parts of dtc.
Many variables are using signed types unnecessarily, as we never use
negative value in them.
Change their types to be unsigned, to prevent issues with comparisons.
Signed-off-by: Andre Przywara <andre.przywara@arm.com>
Message-Id: <20201012161948.23994-7-andre.przywara@arm.com>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
With -Wsign-compare, compilers warn about a mismatching signedness in
comparisons in the generated lexer code.
In this case we walk over an array, and never use negative indicies, so
we can change the loop counter variable to be unsigned.
This fixes "make convert-dtsv0", when compiled with -Wsign-compare.
Signed-off-by: Andre Przywara <andre.przywara@arm.com>
Message-Id: <20201012161948.23994-3-andre.przywara@arm.com>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
The API documentation in libfdt.h seems to follow the Linux kernel's
kernel-doc format[1].
Running "scripts/kernel-doc -v -none" on the file reports some problems,
mostly missing return values and missing parameter descriptions.
Fix those up by providing the missing bits, and fixing the other small
issues reported by the script.
Signed-off-by: Andre Przywara <andre.przywara@arm.com>
[1] https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/Documentation/doc-guide/kernel-doc.rst
Message-Id: <20201012165331.25016-1-andre.przywara@arm.com>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
Some PCI bridge nodes have child nodes such as an interrupt controller
which are not PCI devices. Allow these nodes which don't have a
unit-address.
Signed-off-by: Rob Herring <robh@kernel.org>
Message-Id: <20200928201942.3242124-1-robh@kernel.org>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
With -Wsign-compare, compilers warn about a mismatching signedness
in a comparison in fdt_strerror().
Force FDT_ERRTABSIZE to be signed (it's surely small enough to fit), so
that the types match. Also move the minus sign to errval, as this is
actually what we use in the next line.
Signed-off-by: Andre Przywara <andre.przywara@arm.com>
Message-Id: <20201001164630.4980-7-andre.przywara@arm.com>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>