[libc] Replace linker_assert() with build_assert()

We currently implement build-time assertions via a mechanism that
generates a call to an undefined external function that will cause the
link to fail unless the compiler can prove that the asserted condition
is true (and thereby eliminate the undefined function call).

This assertion mechanism can be used for conditions that are not
amenable to the use of static_assert(), since static_assert() will not
allow for proofs via dead code elimination.

Add __attribute__((error(...))) to the undefined external function, so
that the error is raised at compile time rather than at link time.
This allows us to provide a more meaningful error message (which will
include the file name and line number, as with any other compile-time
error), and avoids the need for the caller to specify a unique symbol
name for the external function.

Change the name from linker_assert() to build_assert(), since the
assertion now takes place at compile time rather than at link time.

Signed-off-by: Michael Brown <mcb30@ipxe.org>

src/crypto/gcm.c

@@ -472,10 +472,10 @@ void gcm_setiv ( struct gcm_context *context, const void *iv, size_t ivlen ) {
 	union gcm_block *check = ( ( void * ) context );
 
 	/* Sanity checks */
-	linker_assert ( &context->hash == check, gcm_bad_layout );
-	linker_assert ( &context->len == check + 1, gcm_bad_layout );
-	linker_assert ( &context->ctr == check + 2, gcm_bad_layout );
-	linker_assert ( &context->key == check + 3, gcm_bad_layout );
+	build_assert ( &context->hash == check );
+	build_assert ( &context->len == check + 1 );
+	build_assert ( &context->ctr == check + 2 );
+	build_assert ( &context->key == check + 3 );
 
 	/* Reset non-key state */
 	memset ( context, 0, offsetof ( typeof ( *context ), key ) );

src/crypto/md4.c

@@ -155,11 +155,11 @@ static void md4_digest ( struct md4_context *context ) {
 
 	/* Sanity checks */
 	assert ( ( context->len % sizeof ( context->ddd.dd.data ) ) == 0 );
-	linker_assert ( &u.ddd.dd.digest.h[0] == a, md4_bad_layout );
-	linker_assert ( &u.ddd.dd.digest.h[1] == b, md4_bad_layout );
-	linker_assert ( &u.ddd.dd.digest.h[2] == c, md4_bad_layout );
-	linker_assert ( &u.ddd.dd.digest.h[3] == d, md4_bad_layout );
-	linker_assert ( &u.ddd.dd.data.dword[0] == w, md4_bad_layout );
+	build_assert ( &u.ddd.dd.digest.h[0] == a );
+	build_assert ( &u.ddd.dd.digest.h[1] == b );
+	build_assert ( &u.ddd.dd.digest.h[2] == c );
+	build_assert ( &u.ddd.dd.digest.h[3] == d );
+	build_assert ( &u.ddd.dd.data.dword[0] == w );
 
 	DBGC ( context, "MD4 digesting:\n" );
 	DBGC_HDA ( context, 0, &context->ddd.dd.digest,

src/crypto/md5.c

@@ -178,11 +178,11 @@ static void md5_digest ( struct md5_context *context ) {
 
 	/* Sanity checks */
 	assert ( ( context->len % sizeof ( context->ddd.dd.data ) ) == 0 );
-	linker_assert ( &u.ddd.dd.digest.h[0] == a, md5_bad_layout );
-	linker_assert ( &u.ddd.dd.digest.h[1] == b, md5_bad_layout );
-	linker_assert ( &u.ddd.dd.digest.h[2] == c, md5_bad_layout );
-	linker_assert ( &u.ddd.dd.digest.h[3] == d, md5_bad_layout );
-	linker_assert ( &u.ddd.dd.data.dword[0] == w, md5_bad_layout );
+	build_assert ( &u.ddd.dd.digest.h[0] == a );
+	build_assert ( &u.ddd.dd.digest.h[1] == b );
+	build_assert ( &u.ddd.dd.digest.h[2] == c );
+	build_assert ( &u.ddd.dd.digest.h[3] == d );
+	build_assert ( &u.ddd.dd.data.dword[0] == w );
 
 	DBGC ( context, "MD5 digesting:\n" );
 	DBGC_HDA ( context, 0, &context->ddd.dd.digest,

src/crypto/sha1.c

@@ -145,12 +145,12 @@ static void sha1_digest ( struct sha1_context *context ) {
 
 	/* Sanity checks */
 	assert ( ( context->len % sizeof ( context->ddd.dd.data ) ) == 0 );
-	linker_assert ( &u.ddd.dd.digest.h[0] == a, sha1_bad_layout );
-	linker_assert ( &u.ddd.dd.digest.h[1] == b, sha1_bad_layout );
-	linker_assert ( &u.ddd.dd.digest.h[2] == c, sha1_bad_layout );
-	linker_assert ( &u.ddd.dd.digest.h[3] == d, sha1_bad_layout );
-	linker_assert ( &u.ddd.dd.digest.h[4] == e, sha1_bad_layout );
-	linker_assert ( &u.ddd.dd.data.dword[0] == w, sha1_bad_layout );
+	build_assert ( &u.ddd.dd.digest.h[0] == a );
+	build_assert ( &u.ddd.dd.digest.h[1] == b );
+	build_assert ( &u.ddd.dd.digest.h[2] == c );
+	build_assert ( &u.ddd.dd.digest.h[3] == d );
+	build_assert ( &u.ddd.dd.digest.h[4] == e );
+	build_assert ( &u.ddd.dd.data.dword[0] == w );
 
 	DBGC ( context, "SHA1 digesting:\n" );
 	DBGC_HDA ( context, 0, &context->ddd.dd.digest,

src/crypto/sha256.c

@@ -140,15 +140,15 @@ static void sha256_digest ( struct sha256_context *context ) {
 
 	/* Sanity checks */
 	assert ( ( context->len % sizeof ( context->ddd.dd.data ) ) == 0 );
-	linker_assert ( &u.ddd.dd.digest.h[0] == a, sha256_bad_layout );
-	linker_assert ( &u.ddd.dd.digest.h[1] == b, sha256_bad_layout );
-	linker_assert ( &u.ddd.dd.digest.h[2] == c, sha256_bad_layout );
-	linker_assert ( &u.ddd.dd.digest.h[3] == d, sha256_bad_layout );
-	linker_assert ( &u.ddd.dd.digest.h[4] == e, sha256_bad_layout );
-	linker_assert ( &u.ddd.dd.digest.h[5] == f, sha256_bad_layout );
-	linker_assert ( &u.ddd.dd.digest.h[6] == g, sha256_bad_layout );
-	linker_assert ( &u.ddd.dd.digest.h[7] == h, sha256_bad_layout );
-	linker_assert ( &u.ddd.dd.data.dword[0] == w, sha256_bad_layout );
+	build_assert ( &u.ddd.dd.digest.h[0] == a );
+	build_assert ( &u.ddd.dd.digest.h[1] == b );
+	build_assert ( &u.ddd.dd.digest.h[2] == c );
+	build_assert ( &u.ddd.dd.digest.h[3] == d );
+	build_assert ( &u.ddd.dd.digest.h[4] == e );
+	build_assert ( &u.ddd.dd.digest.h[5] == f );
+	build_assert ( &u.ddd.dd.digest.h[6] == g );
+	build_assert ( &u.ddd.dd.digest.h[7] == h );
+	build_assert ( &u.ddd.dd.data.dword[0] == w );
 
 	DBGC ( context, "SHA256 digesting:\n" );
 	DBGC_HDA ( context, 0, &context->ddd.dd.digest,

src/crypto/sha512.c

@@ -156,15 +156,15 @@ static void sha512_digest ( struct sha512_context *context ) {
 
 	/* Sanity checks */
 	assert ( ( context->len % sizeof ( context->ddq.dd.data ) ) == 0 );
-	linker_assert ( &u.ddq.dd.digest.h[0] == a, sha512_bad_layout );
-	linker_assert ( &u.ddq.dd.digest.h[1] == b, sha512_bad_layout );
-	linker_assert ( &u.ddq.dd.digest.h[2] == c, sha512_bad_layout );
-	linker_assert ( &u.ddq.dd.digest.h[3] == d, sha512_bad_layout );
-	linker_assert ( &u.ddq.dd.digest.h[4] == e, sha512_bad_layout );
-	linker_assert ( &u.ddq.dd.digest.h[5] == f, sha512_bad_layout );
-	linker_assert ( &u.ddq.dd.digest.h[6] == g, sha512_bad_layout );
-	linker_assert ( &u.ddq.dd.digest.h[7] == h, sha512_bad_layout );
-	linker_assert ( &u.ddq.dd.data.qword[0] == w, sha512_bad_layout );
+	build_assert ( &u.ddq.dd.digest.h[0] == a );
+	build_assert ( &u.ddq.dd.digest.h[1] == b );
+	build_assert ( &u.ddq.dd.digest.h[2] == c );
+	build_assert ( &u.ddq.dd.digest.h[3] == d );
+	build_assert ( &u.ddq.dd.digest.h[4] == e );
+	build_assert ( &u.ddq.dd.digest.h[5] == f );
+	build_assert ( &u.ddq.dd.digest.h[6] == g );
+	build_assert ( &u.ddq.dd.digest.h[7] == h );
+	build_assert ( &u.ddq.dd.data.qword[0] == w );
 
 	DBGC ( context, "SHA512 digesting:\n" );
 	DBGC_HDA ( context, 0, &context->ddq.dd.digest,

src/drivers/infiniband/linda.c

@@ -721,7 +721,7 @@ static int linda_init_recv ( struct linda *linda ) {
 		eager_array_size_other = LINDA_EAGER_ARRAY_SIZE_17CTX_OTHER;
 		break;
 	default:
-		linker_assert ( 0, invalid_LINDA_NUM_CONTEXTS );
+		build_assert ( 0 );
 		return -EINVAL;
 	}
 
@@ -1108,7 +1108,7 @@ static int linda_post_recv ( struct ib_device *ibdev,
 	case 16384: bufsize = LINDA_EAGER_BUFFER_16K; break;
 	case 32768: bufsize = LINDA_EAGER_BUFFER_32K; break;
 	case 65536: bufsize = LINDA_EAGER_BUFFER_64K; break;
-	default:    linker_assert ( 0, invalid_rx_payload_size );
+	default:    build_assert ( 0 );
 		    bufsize = LINDA_EAGER_BUFFER_NONE;
 	}
 

src/drivers/infiniband/qib7322.c

@@ -893,7 +893,7 @@ static int qib7322_init_recv ( struct qib7322 *qib7322 ) {
 		eager_array_size_user = QIB7322_EAGER_ARRAY_SIZE_18CTX_USER;
 		break;
 	default:
-		linker_assert ( 0, invalid_QIB7322_NUM_CONTEXTS );
+		build_assert ( 0 );
 		return -EINVAL;
 	}
 
@@ -1351,7 +1351,7 @@ static int qib7322_post_recv ( struct ib_device *ibdev,
 	case 16384: bufsize = QIB7322_EAGER_BUFFER_16K; break;
 	case 32768: bufsize = QIB7322_EAGER_BUFFER_32K; break;
 	case 65536: bufsize = QIB7322_EAGER_BUFFER_64K; break;
-	default:    linker_assert ( 0, invalid_rx_payload_size );
+	default:    build_assert ( 0 );
 		    bufsize = QIB7322_EAGER_BUFFER_NONE;
 	}
 

src/include/assert.h

@@ -65,19 +65,22 @@ assert_printf ( const char *fmt, ... ) asm ( "printf" );
 #define static_assert(x) _Static_assert( x, #x )
 
 /**
- * Assert a condition at link-time.
+ * Assert a condition at build time (after dead code elimination)
  *
- * If the condition is not true, the link will fail with an unresolved
- * symbol (error_symbol).
+ * If the compiler cannot prove that the condition is true, the build
+ * will fail with an error message.
  *
  * This macro is iPXE-specific.  Do not use this macro in code
  * intended to be portable.
- *
  */
-#define linker_assert( condition, error_symbol )	\
-        if ( ! (condition) ) {				\
-                extern void error_symbol ( void );	\
-                error_symbol();				\
-        }
+#define build_assert( condition )					     \
+	do { 								     \
+		if ( ! (condition) ) {					     \
+			extern void __attribute__ (( error (		     \
+				"build_assert(" #condition ") failed"	     \
+			) )) _C2 ( build_assert_, __LINE__ ) ( void );	     \
+			_C2 ( build_assert_, __LINE__ ) ();		     \
+		}							     \
+	} while ( 0 )
 
 #endif /* _ASSERT_H */

src/include/ipxe/asn1.h

@@ -390,10 +390,9 @@ asn1_built ( struct asn1_builder *builder ) {
 	} *u = container_of ( builder, typeof ( *u ), builder );
 
 	/* Sanity check */
-	linker_assert ( ( ( const void * ) &u->builder.data ) ==
-			&u->cursor.data, asn1_builder_cursor_data_mismatch );
-	linker_assert ( &u->builder.len == &u->cursor.len,
-			asn1_builder_cursor_len_mismatch );
+	build_assert ( ( ( const void * ) &u->builder.data ) ==
+		       &u->cursor.data );
+	build_assert ( &u->builder.len == &u->cursor.len );
 
 	return &u->cursor;
 }

src/include/ipxe/entropy.h

@@ -237,8 +237,7 @@ get_entropy_input ( unsigned int min_entropy_bits, void *data, size_t min_len,
 	int rc;
 
 	/* Sanity check */
-	linker_assert ( ( min_entropy_bits <= ( 8 * max_len ) ),
-			entropy_buffer_too_small );
+	build_assert ( min_entropy_bits <= ( 8 * max_len ) );
 
 	/* Round up minimum entropy to an integral number of bytes */
 	min_entropy_bits = ( ( min_entropy_bits + 7 ) & ~7 );
@@ -247,11 +246,11 @@ get_entropy_input ( unsigned int min_entropy_bits, void *data, size_t min_len,
 	 * meet or exceed the security strength indicated by the
 	 * min_entropy parameter.
 	 */
-	linker_assert ( ( ( 8 * ENTROPY_HASH_DF_OUTLEN_BYTES ) >=
-			  min_entropy_bits ), hash_df_algorithm_too_weak );
+	build_assert ( ( 8 * ENTROPY_HASH_DF_OUTLEN_BYTES ) >=
+		       min_entropy_bits );
 
 	/* 1.  If ( min_length > max_length ), then return ( FAILURE, Null ) */
-	linker_assert ( ( min_len <= max_len ), min_len_greater_than_max_len );
+	build_assert ( min_len <= max_len );
 
 	/* 2.  n = 2 * min_entropy */
 	n = ( 2 * min_entropy_bits );
@@ -269,9 +268,8 @@ get_entropy_input ( unsigned int min_entropy_bits, void *data, size_t min_len,
 	 * (The implementation of these steps is inside the function
 	 * get_entropy_input_tmp().)
 	 */
-	linker_assert ( __builtin_constant_p ( tmp_len ),
-			tmp_len_not_constant );
-	linker_assert ( ( n == ( 8 * tmp_len ) ), tmp_len_mismatch );
+	build_assert ( __builtin_constant_p ( tmp_len ) );
+	build_assert ( n == ( 8 * tmp_len ) );
 	if ( ( rc = get_entropy_input_tmp ( MIN_ENTROPY ( min_entropy_bits ),
 					    tmp, tmp_len ) ) != 0 ) {
 		return rc;
@@ -283,17 +281,17 @@ get_entropy_input ( unsigned int min_entropy_bits, void *data, size_t min_len,
 	 */
 	if ( tmp_len < min_len ) {
 		/* (Data is already in-place.) */
-		linker_assert ( ( data == tmp ), data_not_inplace );
+		build_assert ( data == tmp );
 		memset ( ( data + tmp_len ), 0, ( min_len - tmp_len ) );
 		return min_len;
 	} else if ( tmp_len > max_len ) {
-		linker_assert ( ( tmp == tmp_buf ), data_inplace );
+		build_assert ( tmp == tmp_buf );
 		hash_df ( &entropy_hash_df_algorithm, tmp, tmp_len,
 			  data, max_len );
 		return max_len;
 	} else {
 		/* (Data is already in-place.) */
-		linker_assert ( ( data == tmp ), data_not_inplace );
+		build_assert ( data == tmp );
 		return tmp_len;
 	}
 }
@@ -328,15 +326,14 @@ entropy_repetition_count_cutoff ( min_entropy_t min_entropy_per_sample ) {
 	cutoff = max_repetitions;
 	if ( cutoff < max_repetitions )
 		cutoff++;
-	linker_assert ( ( cutoff >= max_repetitions ), rounding_error );
+	build_assert ( cutoff >= max_repetitions );
 
 	/* Floating-point operations are not allowed in iPXE since we
 	 * never set up a suitable environment.  Abort the build
 	 * unless the calculated number of repetitions is a
 	 * compile-time constant.
 	 */
-	linker_assert ( __builtin_constant_p ( cutoff ),
-			repetition_count_cutoff_not_constant );
+	build_assert ( __builtin_constant_p ( cutoff ) );
 
 	return cutoff;
 }
@@ -443,12 +440,10 @@ entropy_adaptive_proportion_cutoff ( min_entropy_t min_entropy_per_sample ) {
 	cutoff = entropy_adaptive_proportion_cutoff_lookup ( n, h );
 
 	/* Fail unless cutoff value is a compile-time constant */
-	linker_assert ( __builtin_constant_p ( cutoff ),
-			adaptive_proportion_cutoff_not_constant );
+	build_assert ( __builtin_constant_p ( cutoff ) );
 
 	/* Fail if cutoff value is N/A */
-	linker_assert ( ( cutoff != APC_NA ),
-			adaptive_proportion_cutoff_not_applicable );
+	build_assert ( cutoff != APC_NA );
 
 	return cutoff;
 }
@@ -475,8 +470,7 @@ entropy_startup_test_count ( unsigned int repetition_count_cutoff,
 	num_samples = repetition_count_cutoff;
 	if ( num_samples < adaptive_proportion_cutoff )
 		num_samples = adaptive_proportion_cutoff;
-	linker_assert ( __builtin_constant_p ( num_samples ),
-			startup_test_count_not_constant );
+	build_assert ( __builtin_constant_p ( num_samples ) );
 
 	return num_samples;
 }
@@ -499,11 +493,9 @@ entropy_init ( struct entropy_source *source,
 	unsigned int startup_test_count;
 
 	/* Sanity check */
-	linker_assert ( min_entropy_per_sample > MIN_ENTROPY ( 0 ),
-			min_entropy_per_sample_is_zero );
-	linker_assert ( ( min_entropy_per_sample <=
-			  MIN_ENTROPY ( 8 * sizeof ( noise_sample_t ) ) ),
-			min_entropy_per_sample_is_impossibly_high );
+	build_assert ( min_entropy_per_sample > MIN_ENTROPY ( 0 ) );
+	build_assert ( min_entropy_per_sample <=
+		       MIN_ENTROPY ( 8 * sizeof ( noise_sample_t ) ) );
 
 	/* Calculate test cutoff values */
 	repetition_count_cutoff =

src/include/ipxe/gcm.h

@@ -88,13 +88,10 @@ struct _gcm_name ## _context {						\
 static int _gcm_name ## _setkey ( void *ctx, const void *key,		\
 				  size_t keylen ) {			\
 	struct _gcm_name ## _context *context = ctx;			\
-	linker_assert ( _blocksize == sizeof ( context->gcm.key ),	\
-			_gcm_name ## _unsupported_blocksize );		\
-	linker_assert ( ( ( void * ) &context->gcm ) == ctx,		\
-			_gcm_name ## _context_layout_error );		\
-	linker_assert ( ( ( void * ) &context->raw ) ==			\
-			( ( void * ) context->gcm.raw_ctx ),		\
-			_gcm_name ## _context_layout_error );		\
+	build_assert ( _blocksize == sizeof ( context->gcm.key ) );	\
+	build_assert ( ( ( void * ) &context->gcm ) == ctx );		\
+	build_assert ( ( ( void * ) &context->raw ) ==			\
+		       ( ( void * ) context->gcm.raw_ctx ) );		\
 	return gcm_setkey ( &context->gcm, key, keylen, &_raw_cipher );	\
 }									\
 static void _gcm_name ## _setiv ( void *ctx, const void *iv,		\