Move SensorId validation to clients, and reply fault when invalid
#1683
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
hawkw
added a commit
that referenced
this pull request
Mar 26, 2024
The `SensorId` type represents an index into an array of sensors in the `sensors` server task. Currently, this is validated by the sensors server, returning `SensorError::InvalidSensor` if it is out of range. However, the sensor IDs used by firmware code are hard-coded by code generation and should never be out of range, so in most cases, an invalid `SensorId` should not occur and should be considered a bug. Only `host-spc-comms` will ever request sensor IDs that are out of range, if the upstack code requests an ID that doesn't exist on this device. Therefore, we ought to change the sensor API to use reply-fault on receipt of an invalid `SensorId`, rather than returning an error. This commit prepares for such a change by adding client-side validation of `SensorId`s with a `TryFrom` impl, and a panicking `SensorId::new` This way, the tasks that *can* handle sensor IDs from the outside world (`host-sp-comms`) can validate that sensor IDs received from the outside world are valid _before_ calling into the sensor task API, and reject any invalid IDs. In a subsequent PR, `task_sensor_api` will be updated to remove the `InvalidSensor` error type. A nice side benefit of using the panicking `const fn new` in generated code is that...it's const fn, and the code generation mostly uses it in `const` initializers. So, if any of the code generation accidentally emits an invalid sensor ID, we'll actually get a build-time rather than runtime error, which seems nice!
hawkw
added a commit
that referenced
this pull request
Mar 26, 2024
Currently, a number of IPCs in the `Sensor` API return a `SensorApiError` type, which represents either "invalid sensor ID" or "no reading". Since passing an invalid `SensorId` to the sensors API will now result in a reply-fault, there's no reason to return an error type that can represent that case. This commit changes the `Sensor` API to return `Option<T>`s rather than `Result<T, SensorApiError>`, with `None` representing the "no reading" case. Fixes #1680
hawkw
force-pushed
the
eliza/sensors-reply-fault
branch
from
cd6b2b5
to
8e502eb
Compare
hawkw
added a commit
that referenced
this pull request
Mar 26, 2024
Now that we can guarantee all `SensorId`s are valid indices, we can also eliminate all bounds-checked array indexing, and return `RequestError::Fail(ClientError::BadMessageContents)` instead. This shaves off 240B of flash, which is...less than I had hoped.
hawkw
added a commit
that referenced
this pull request
Mar 26, 2024
This shaves off a few more bytes of flash, although we'd also need to get rid of panics in idol-generated code to completely eliminate panic formatting from the sensor task...
hawkw
changed the title
SensorId validation to clients, and reply fault when invalid
hawkw
added a commit
that referenced
this pull request
Mar 26, 2024
The `SensorId` type represents an index into an array of sensors in the `sensors` server task. Currently, this is validated by the sensors server, returning `SensorError::InvalidSensor` if it is out of range. However, the sensor IDs used by firmware code are hard-coded by code generation and should never be out of range, so in most cases, an invalid `SensorId` should not occur and should be considered a bug. Only `host-spc-comms` will ever request sensor IDs that are out of range, if the upstack code requests an ID that doesn't exist on this device. Therefore, we ought to change the sensor API to use reply-fault on receipt of an invalid `SensorId`, rather than returning an error. This commit prepares for such a change by adding client-side validation of `SensorId`s with a `TryFrom` impl, and a panicking `SensorId::new` This way, the tasks that *can* handle sensor IDs from the outside world (`host-sp-comms`) can validate that sensor IDs received from the outside world are valid _before_ calling into the sensor task API, and reject any invalid IDs. In a subsequent PR, `task_sensor_api` will be updated to remove the `InvalidSensor` error type. A nice side benefit of using the panicking `const fn new` in generated code is that...it's const fn, and the code generation mostly uses it in `const` initializers. So, if any of the code generation accidentally emits an invalid sensor ID, we'll actually get a build-time rather than runtime error, which seems nice!
hawkw
added a commit
that referenced
this pull request
Mar 26, 2024
Currently, a number of IPCs in the `Sensor` API return a `SensorApiError` type, which represents either "invalid sensor ID" or "no reading". Since passing an invalid `SensorId` to the sensors API will now result in a reply-fault, there's no reason to return an error type that can represent that case. This commit changes the `Sensor` API to return `Option<T>`s rather than `Result<T, SensorApiError>`, with `None` representing the "no reading" case. Fixes #1680
hawkw
force-pushed
the
eliza/sensors-reply-fault
branch
from
8e502eb
to
0eaefb5
Compare
hawkw
added a commit
that referenced
this pull request
Mar 26, 2024
Now that we can guarantee all `SensorId`s are valid indices, we can also eliminate all bounds-checked array indexing, and return `RequestError::Fail(ClientError::BadMessageContents)` instead. This shaves off 240B of flash, which is...less than I had hoped.
hawkw
added a commit
that referenced
this pull request
Mar 26, 2024
This shaves off a few more bytes of flash, although we'd also need to get rid of panics in idol-generated code to completely eliminate panic formatting from the sensor task...
mkeeter
reviewed
Mar 26, 2024
mkeeter
reviewed
Mar 26, 2024
mkeeter
reviewed
Mar 26, 2024
|
ugh, clippy's mad about some more stuff, gimme a sec... |
mkeeter
reviewed
Mar 27, 2024
mkeeter
reviewed
Mar 27, 2024
mkeeter
reviewed
Mar 27, 2024
|
|
||
| // | ||
| // We pack per-`NoData` counters into a u32. | ||
| // | ||
| let (nbits, shift) = nodata.counter_encoding::<u32>(); | ||
| let mask = (1 << nbits) - 1; | ||
| let mask = (1u32 << nbits).saturating_sub(1); |
There was a problem hiding this comment.
Is this to remove overflow checks?
There was a problem hiding this comment.
Yeah, I was hoping we could completely get rid of panics --- unfortunately, we can't, as the generated idol server code has some potential panic paths, but eliminating overflow checks here does shave a few bytes off the flash size regardless.
mkeeter
approved these changes
Mar 27, 2024
hawkw
added a commit
that referenced
this pull request
Mar 27, 2024
The `SensorId` type represents an index into an array of sensors in the `sensors` server task. Currently, this is validated by the sensors server, returning `SensorError::InvalidSensor` if it is out of range. However, the sensor IDs used by firmware code are hard-coded by code generation and should never be out of range, so in most cases, an invalid `SensorId` should not occur and should be considered a bug. Only `host-spc-comms` will ever request sensor IDs that are out of range, if the upstack code requests an ID that doesn't exist on this device. Therefore, we ought to change the sensor API to use reply-fault on receipt of an invalid `SensorId`, rather than returning an error. This commit prepares for such a change by adding client-side validation of `SensorId`s with a `TryFrom` impl, and a panicking `SensorId::new` This way, the tasks that *can* handle sensor IDs from the outside world (`host-sp-comms`) can validate that sensor IDs received from the outside world are valid _before_ calling into the sensor task API, and reject any invalid IDs. In a subsequent PR, `task_sensor_api` will be updated to remove the `InvalidSensor` error type. The `host-sp-messages` crate is changed to replace the use of `SensorId` with `u32`, as it deals with _un-validated_ sensor indices received from the host over IPCC. `host-sp-comms` will validate these sensor IDs before calling into sensor IPC methods. A nice side benefit of using the panicking `const fn new` in generated code is that...it's const fn, and the code generation mostly uses it in `const` initializers. So, if any of the code generation accidentally emits an invalid sensor ID, we'll actually get a build-time rather than runtime error, which seems nice!
hawkw
added a commit
that referenced
this pull request
Mar 27, 2024
Currently, a number of IPCs in the `Sensor` API return a `SensorApiError` type, which represents either "invalid sensor ID" or "no reading". Since passing an invalid `SensorId` to the sensors API will now result in a reply-fault, there's no reason to return an error type that can represent that case. This commit changes the `Sensor` API to return `Option<T>`s rather than `Result<T, SensorApiError>`, with `None` representing the "no reading" case. Fixes #1680
hawkw
added a commit
that referenced
this pull request
Mar 27, 2024
Now that we can guarantee all `SensorId`s are valid indices, we can also eliminate all bounds-checked array indexing, and return `RequestError::Fail(ClientError::BadMessageContents)` instead. This shaves off 240B of flash, which is...less than I had hoped.
hawkw
added a commit
that referenced
this pull request
Mar 27, 2024
This shaves off a few more bytes of flash, although we'd also need to get rid of panics in idol-generated code to completely eliminate panic formatting from the sensor task...
hawkw
force-pushed
the
eliza/sensors-reply-fault
branch
from
870c320
to
a3878d1
Compare
hawkw
added a commit
that referenced
this pull request
Mar 27, 2024
Now that `host-sp-messages` no longer depends on `task-sensor-types`, there's really no reason for it to be a separate crate. Thus, let's just move the error types into `task-sensor-api`.
hawkw
added a commit
that referenced
this pull request
Mar 27, 2024
The `SensorId` type represents an index into an array of sensors in the `sensors` server task. Currently, this is validated by the sensors server, returning `SensorError::InvalidSensor` if it is out of range. However, the sensor IDs used by firmware code are hard-coded by code generation and should never be out of range, so in most cases, an invalid `SensorId` should not occur and should be considered a bug. Only `host-spc-comms` will ever request sensor IDs that are out of range, if the upstack code requests an ID that doesn't exist on this device. Therefore, we ought to change the sensor API to use reply-fault on receipt of an invalid `SensorId`, rather than returning an error. This commit prepares for such a change by adding client-side validation of `SensorId`s with a `TryFrom` impl, and a panicking `SensorId::new` This way, the tasks that *can* handle sensor IDs from the outside world (`host-sp-comms`) can validate that sensor IDs received from the outside world are valid _before_ calling into the sensor task API, and reject any invalid IDs. In a subsequent PR, `task_sensor_api` will be updated to remove the `InvalidSensor` error type. The `host-sp-messages` crate is changed to replace the use of `SensorId` with `u32`, as it deals with _un-validated_ sensor indices received from the host over IPCC. `host-sp-comms` will validate these sensor IDs before calling into sensor IPC methods. A nice side benefit of using the panicking `const fn new` in generated code is that...it's const fn, and the code generation mostly uses it in `const` initializers. So, if any of the code generation accidentally emits an invalid sensor ID, we'll actually get a build-time rather than runtime error, which seems nice!
hawkw
added a commit
that referenced
this pull request
Mar 27, 2024
Currently, a number of IPCs in the `Sensor` API return a `SensorApiError` type, which represents either "invalid sensor ID" or "no reading". Since passing an invalid `SensorId` to the sensors API will now result in a reply-fault, there's no reason to return an error type that can represent that case. This commit changes the `Sensor` API to return `Option<T>`s rather than `Result<T, SensorApiError>`, with `None` representing the "no reading" case. Fixes #1680
hawkw
added a commit
that referenced
this pull request
Mar 27, 2024
Now that we can guarantee all `SensorId`s are valid indices, we can also eliminate all bounds-checked array indexing, and return `RequestError::Fail(ClientError::BadMessageContents)` instead. This shaves off 240B of flash, which is...less than I had hoped.
hawkw
added a commit
that referenced
this pull request
Mar 27, 2024
This shaves off a few more bytes of flash, although we'd also need to get rid of panics in idol-generated code to completely eliminate panic formatting from the sensor task...
hawkw
added a commit
that referenced
this pull request
Mar 27, 2024
Now that `host-sp-messages` no longer depends on `task-sensor-types`, there's really no reason for it to be a separate crate. Thus, let's just move the error types into `task-sensor-api`.
hawkw
force-pushed
the
eliza/sensors-reply-fault
branch
from
a3878d1
to
de3c75e
Compare
The `SensorId` type represents an index into an array of sensors in the `sensors` server task. Currently, this is validated by the sensors server, returning `SensorError::InvalidSensor` if it is out of range. However, the sensor IDs used by firmware code are hard-coded by code generation and should never be out of range, so in most cases, an invalid `SensorId` should not occur and should be considered a bug. Only `host-spc-comms` will ever request sensor IDs that are out of range, if the upstack code requests an ID that doesn't exist on this device. Therefore, we ought to change the sensor API to use reply-fault on receipt of an invalid `SensorId`, rather than returning an error. This commit prepares for such a change by adding client-side validation of `SensorId`s with a `TryFrom` impl, and a panicking `SensorId::new` This way, the tasks that *can* handle sensor IDs from the outside world (`host-sp-comms`) can validate that sensor IDs received from the outside world are valid _before_ calling into the sensor task API, and reject any invalid IDs. In a subsequent PR, `task_sensor_api` will be updated to remove the `InvalidSensor` error type. The `host-sp-messages` crate is changed to replace the use of `SensorId` with `u32`, as it deals with _un-validated_ sensor indices received from the host over IPCC. `host-sp-comms` will validate these sensor IDs before calling into sensor IPC methods. A nice side benefit of using the panicking `const fn new` in generated code is that...it's const fn, and the code generation mostly uses it in `const` initializers. So, if any of the code generation accidentally emits an invalid sensor ID, we'll actually get a build-time rather than runtime error, which seems nice!
Currently, a number of IPCs in the `Sensor` API return a `SensorApiError` type, which represents either "invalid sensor ID" or "no reading". Since passing an invalid `SensorId` to the sensors API will now result in a reply-fault, there's no reason to return an error type that can represent that case. This commit changes the `Sensor` API to return `Option<T>`s rather than `Result<T, SensorApiError>`, with `None` representing the "no reading" case. Fixes #1680
Now that we can guarantee all `SensorId`s are valid indices, we can also eliminate all bounds-checked array indexing, and return `RequestError::Fail(ClientError::BadMessageContents)` instead. This shaves off 240B of flash, which is...less than I had hoped.
This shaves off a few more bytes of flash, although we'd also need to get rid of panics in idol-generated code to completely eliminate panic formatting from the sensor task...
Now that `host-sp-messages` no longer depends on `task-sensor-types`, there's really no reason for it to be a separate crate. Thus, let's just move the error types into `task-sensor-api`.
hawkw
force-pushed
the
eliza/sensors-reply-fault
branch
from
de3c75e
to
87e314c
Compare
hawkw
added a commit
that referenced
this pull request
Mar 27, 2024
The `SensorId` type represents an index into an array of sensors in the `sensors` server task. Currently, this is validated by the sensors server, returning `SensorError::InvalidSensor` if it is out of range. However, the sensor IDs used by firmware code are hard-coded by code generation and should never be out of range, so in most cases, an invalid `SensorId` should not occur and should be considered a bug. Only `host-spc-comms` will ever request sensor IDs that are out of range, if the upstack code requests an ID that doesn't exist on this device. Therefore, we ought to change the sensor API to use reply-fault on receipt of an invalid `SensorId`, rather than returning an error. This commit prepares for such a change by adding client-side validation of `SensorId`s with a `TryFrom` impl, and a panicking `SensorId::new` This way, the tasks that *can* handle sensor IDs from the outside world (`host-sp-comms`) can validate that sensor IDs received from the outside world are valid _before_ calling into the sensor task API, and reject any invalid IDs. In a subsequent PR, `task_sensor_api` will be updated to remove the `InvalidSensor` error type. The `host-sp-messages` crate is changed to replace the use of `SensorId` with `u32`, as it deals with _un-validated_ sensor indices received from the host over IPCC. `host-sp-comms` will validate these sensor IDs before calling into sensor IPC methods. A nice side benefit of using the panicking `const fn new` in generated code is that...it's const fn, and the code generation mostly uses it in `const` initializers. So, if any of the code generation accidentally emits an invalid sensor ID, we'll actually get a build-time rather than runtime error, which seems nice!
hawkw
added a commit
that referenced
this pull request
Mar 27, 2024
Currently, a number of IPCs in the `Sensor` API return a `SensorApiError` type, which represents either "invalid sensor ID" or "no reading". Since passing an invalid `SensorId` to the sensors API will now result in a reply-fault, there's no reason to return an error type that can represent that case. This commit changes the `Sensor` API to return `Option<T>`s rather than `Result<T, SensorApiError>`, with `None` representing the "no reading" case. Fixes #1680
hawkw
added a commit
that referenced
this pull request
Mar 27, 2024
Now that we can guarantee all `SensorId`s are valid indices, we can also eliminate all bounds-checked array indexing, and return `RequestError::Fail(ClientError::BadMessageContents)` instead. This shaves off 240B of flash, which is...less than I had hoped.
hawkw
added a commit
that referenced
this pull request
Mar 27, 2024
This shaves off a few more bytes of flash, although we'd also need to get rid of panics in idol-generated code to completely eliminate panic formatting from the sensor task...
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
As described in #1680, the
sensorsAPI currently validatesSensorIDs in the server task and returns an error when they are invalid. We can simplify the IPC interface by doing this validation on the client side, and reply-faulting any clients who send an invalid ID, instead. This branch does that.This PR consists of a sequence of commits which are intended to be reviewed individually.