feat: Add no-heap static allocation PAL backend for lockstep mode#268
Open
vtz wants to merge 28 commits into
Open
feat: Add no-heap static allocation PAL backend for lockstep mode#268vtz wants to merge 28 commits into
vtz wants to merge 28 commits into
Conversation
Contributor
|
Warning Review limit reached
More reviews will be available in 39 minutes and 54 seconds. Learn how PR review limits work. Your organization has used up its prepaid credits, and credit purchases are no longer available. Enable the review add-on in the billing tab to keep reviews running — you're only billed for reviews past your plan's rate limits ($0.25/file). ⌛ How to resolve this issue?After more reviews become available, a review can be triggered using the To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based credits. 🚦 How do rate limits work?CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan refill rate. For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, the refill rate gradually slows as usage increases. The highest same-day bursts are limited more strictly. Please see our Fair Usage Limits Policy for further information. ℹ️ Review info⚙️ Run configurationConfiguration used: Organization UI Review profile: ASSERTIVE Plan: Pro Run ID: 📒 Files selected for processing (2)
📝 WalkthroughWalkthroughThis PR adds a selectable static-allocation backend, introduces platform abstraction headers for buffers, containers, and message pointers, implements static message and byte-buffer pools with intrusive ownership, migrates many APIs from STL types to platform types, and adds documentation, tooling, CI, and tests for no-heap verification. ChangesStatic allocation backend and platform type migration
Estimated code review effort🎯 5 (Critical) | ⏱️ ~120 minutes Possibly related PRs
Poem
🚥 Pre-merge checks | ✅ 3 | ❌ 2❌ Failed checks (1 warning, 1 inconclusive)
✅ Passed checks (3 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. ✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
![chatgpt-codex-connector[bot]](https://avatars.githubusercontent.com/in/1144995?s=60&v=4){kind=small}
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 892f880cfb
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
| uint16_t idx = free_stack[stack_top]; | ||
|
|
||
| auto* msg = new (&message_slab[idx][0]) Message(); | ||
| return MessagePtr(msg, true); |
There was a problem hiding this comment.
When SOMEIP_USE_STATIC_ALLOC is enabled, MessagePtr is still std::shared_ptr<Message> from include/someip/message.h, so this constructs std::shared_ptr<Message>(msg, true) and treats the bool as a deleter. That makes the static allocation backend fail to compile before the new tests can run; compiling src/platform/static/memory.cpp with -DSOMEIP_STATIC_ALLOC hits the shared_ptr deleter static assertion. The static path needs a conditional MessagePtr alias (or this return must use a valid shared_ptr deleter) before the backend is usable.
Useful? React with 👍 / 👎.
Owner
Author
There was a problem hiding this comment.
This is a false positive. memory.cpp is only compiled when SOMEIP_USE_STATIC_ALLOC=ON, which sets SOMEIP_STATIC_ALLOC as a PUBLIC target compile definition on opensomeip. This means MessagePtr resolves to IntrusivePtr<Message> (not shared_ptr), and the IntrusivePtr(T* p, bool add_ref = true) constructor is the correct call. The static build compiles and all 16 tests pass including the Message pool lifecycle tests.
Comment on lines
+83
to
+86
| void ensure_init() { | ||
| if (!pool_initialized.load(std::memory_order_acquire)) { | ||
| init_pool(); | ||
| } |
There was a problem hiding this comment.
On the first concurrent use of the static buffer pool, multiple threads can enter ensure_init() and run init_pool() without holding pool_mutex. One thread can finish initialization, acquire and hand out a slot, while another thread that already entered init_pool() later resets free_stack/stack_top, making that in-use slot available again and allowing duplicate buffer ownership. The message pool uses a double-checked lock for the same pattern; the buffer pool needs similar serialization around initialization.
Useful? React with 👍 / 👎.
Owner
Author
There was a problem hiding this comment.
Valid finding — fixed. Added double-checked locking to ensure_init() in buffer_pool.cpp, matching the pattern already used in memory.cpp. The fix serializes first-time initialization under pool_mutex so concurrent threads cannot race through init_pool() and reset in-use slot metadata.
vtz
force-pushed
the
feature/no-heap-static-alloc
branch
2 times, most recently
from
2b9db83 to
d731466
Compare
…p mode Add a complete static allocation backend for opensomeip enabling deployment on safety-critical lockstep ECUs where dynamic memory violates ISO 26262 freedom-from-interference requirements. Core components: - SOMEIP_USE_STATIC_ALLOC CMake option with ETL FetchContent - Three-tier slab byte-buffer pool (small/medium/large) with free-stacks - ByteBuffer class with std::vector<uint8_t>-compatible API - Static Message pool with placement new and PAL mutex - IntrusivePtr<T> with embedded atomic ref_count_ in Message - ETL container aliases (Vector, String, UnorderedMap, Queue, Function) - Malloc trap for link-time no-heap verification Documentation and safety: - 20 new Sphinx-needs requirements (REQ_ARCH_008, REQ_PAL_*, REQ_PLATFORM_STATIC_*) - FMEA for static allocation failure modes - static_memory_budget.py footprint calculator Testing: - 30+ unit tests covering pools, ByteBuffer, IntrusivePtr, concurrency - All 16 tests pass (static), all 15 tests pass (dynamic) Co-authored-by: Cursor <cursoragent@cursor.com>
vtz
force-pushed
the
feature/no-heap-static-alloc
branch
from
d731466 to
2a04600
Compare
![coderabbitai[bot]](https://avatars.githubusercontent.com/in/347564?s=60&v=4){kind=small}
Contributor
There was a problem hiding this comment.
Actionable comments posted: 16
Caution
Some comments are outside the diff and can’t be posted inline due to platform limitations.
⚠️ Outside diff range comments (1)
docs/requirements/implementation/platform.rst (1)
483-485:⚠️ Potential issue | 🟠 Major | ⚡ Quick winRemove the
std::shared_ptrhard-coding.
REQ_PAL_MEM_ALLOCshould stay backend-agnostic. It currently conflicts withREQ_PAL_INTRUSIVE_PTRand the static message-pool requirement, which use intrusive ref-counting instead of a shared_ptr control block.🔧 Proposed fix
- ``MessagePtr`` (``std::shared_ptr<Message>``) owning a fully constructed, usable - ``Message`` object. + ``MessagePtr`` owning a fully constructed, usable ``Message`` object.Also applies to: 966-977
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@docs/requirements/implementation/platform.rst` around lines 483 - 485, REQ_PAL_MEM_ALLOC currently hard-codes std::shared_ptr in the spec: change the wording around someip::platform::allocate_message() and MessagePtr so they do not mandate std::shared_ptr; instead describe MessagePtr as an abstract/opaque smart-pointer type (or "pointer-like handle") owning a fully constructed Message and allow backend choice (e.g., intrusive ref-counting or static pool-backed handles) so it remains compatible with REQ_PAL_INTRUSIVE_PTR and the static message-pool requirement; update all occurrences (including the section referencing lines ~966-977) to remove "std::shared_ptr<Message>" and replace with this backend-agnostic description, while keeping the contract that callers receive an owning MessagePtr with a usable Message instance.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@docs/requirements/implementation/architecture.rst`:
- Around line 202-203: Update the acceptance text that currently instructs
verifying no "malloc"/"new" calls by expanding it to cover deallocations too:
change the verification sentence that references SOMEIP_USE_STATIC_ALLOC and
REQ_PAL_NOOP_HEAP_VERIFY so it requires verifying no "malloc"/"new" or
"free"/"delete" calls during protocol operation and that the heap-interception
check covers both allocation and deallocation failures; keep the existing
guidance to inspect container and pool types for compile-time capacity bounds
and mention the combined allocation/deallocation surface to match the no-heap
trap behavior.
In `@docs/requirements/implementation/platform.rst`:
- Around line 734-817: The requirement names
(StaticVector/StaticString/StaticUnorderedMap/StaticQueue/StaticFunction) do not
match the actual exported API (Vector/String/... in
include/platform/static/containers_impl.h); update the implementation to expose
the public symbols named in the docs (either rename the types in
containers_impl.h to StaticVector, StaticString, StaticUnorderedMap,
StaticQueue, StaticFunction or add clear type aliases with those Static* names
that forward to the existing Vector/String/... types), and update the
corresponding backend requirement text to reference the same Static* symbols so
doc and code agree.
In `@docs/safety/FMEA_STATIC_ALLOCATION.md`:
- Around line 126-170: Residual-risk claims rely on ETL being built with
error-logging enabled and exceptions disabled but the build lacks those defines;
update the build config (CMakeLists.txt) to add the compile definitions
ETL_LOG_ERRORS=1 and ETL_THROW_EXCEPTIONS=0 (use target_compile_definitions or
add_compile_definitions for the relevant targets) and ensure the custom ETL
error handler object/library is linked into safety builds so the handler
registration code is included; after changing, run a safety-build to verify the
ETL handler symbol is present and that overflow paths exercise the custom
handler.
- Line 124: The FMEA claims a saturation check but intrusive_ptr_add_ref in
src/someip/message.cpp (under SOMEIP_STATIC_ALLOC) unconditionally does
p->ref_count_.fetch_add(1...), so fix intrusive_ptr_add_ref to perform an atomic
read/compare-and-swap loop that ensures ref_count_ < UINT16_MAX before
incrementing (or else log an error and refuse to increment/return a
failure/no-op copy), keep a debug-build saturation assertion, and update related
unit test TC_INTRUSIVE_PTR_LIFETIME and any copy sites (e.g., MessagePtr copy
logic) to handle the refused-increment path; alternatively, if you decide not to
implement the guard, update the FMEA entry to match current behavior.
- Around line 78-92: The build is missing the ETL safety compile definitions
described in the FMEA; add target_compile_definitions for ETL_LOG_ERRORS=1 and
ETL_THROW_EXCEPTIONS=0 to the actual CMake target (opensomeip) in
src/CMakeLists.txt so ETL uses non-terminating error propagation, and update the
documentation snippet in docs/safety/FMEA_STATIC_ALLOCATION.md to reference the
real target name opensomeip instead of someip; ensure the compile definitions
are applied PRIVATE to the opensomeip target and include a short comment linking
to the FMEA section for traceability.
In `@include/platform/static/buffer_pool_impl.h`:
- Around line 130-184: The code currently calls ensure_capacity(...) which may
fail to grow the buffer but leaves slot_ non-null, so resize(size_t),
resize(size_t,uint8_t), push_back(uint8_t) and insert(...) can still write past
the slot_'s capacity; after each ensure_capacity(new_size) (or
ensure_capacity(cur + 1) / ensure_capacity(min_capacity) where used) add a
post-check that the reserved capacity is sufficient (e.g., if (!slot_ ||
capacity() < new_size) return; or compare slot_->capacity) and return early to
avoid writing beyond slot_->capacity; apply the same guard to the other affected
sites (the overload resize(size_t,uint8_t), push_back, and insert) and ensure
slot_->size is only updated when the capacity check passes.
- Around line 190-193: end() and the const end() perform pointer arithmetic on
data() which may be nullptr for empty/default-constructed ByteBuffer; change
them to guard against nullptr by returning data() when data() == nullptr instead
of data() + size(). Update iterator end() and const_iterator end() (and keep
begin()/begin() const as-is) to compute: return data() ? data() + size() :
data(); so no nullptr + 0 occurs.
In `@include/platform/static/static_config.h`:
- Around line 35-80: Add compile-time range checks for all macro overrides
(SOMEIP_MESSAGE_POOL_SIZE, SOMEIP_MAX_SESSIONS, SOMEIP_MAX_SD_ENTRIES,
SOMEIP_MAX_MULTICAST_GROUPS, SOMEIP_MAX_CONCURRENT_TP, SOMEIP_MAX_RECEIVE_QUEUE,
SOMEIP_BYTE_POOL_SMALL_COUNT, SOMEIP_BYTE_POOL_MEDIUM_COUNT,
SOMEIP_BYTE_POOL_LARGE_COUNT, SOMEIP_BYTE_POOL_SMALL_SIZE,
SOMEIP_BYTE_POOL_MEDIUM_SIZE, SOMEIP_BYTE_POOL_LARGE_SIZE) so invalid zero or
>UINT16_MAX values cannot silently wrap; implement either preprocessor guards
(`#if` ... `#error`) or constexpr/static_assert immediately after each `#define` to
enforce 1 <= count <= 65535 for pool counts and 1 <= size <= 65535 (or
appropriate max) for byte sizes, matching the uint16_t indices used in
src/platform/static/buffer_pool.cpp and src/platform/static/memory.cpp. Ensure
messages identify the offending macro name in the `#error/static_assert` text so
integrators can fix their -D overrides.
In `@scripts/run_clang_tidy.sh`:
- Around line 67-77: Replace the fragile inline Python invocation with a small
robust script that reads BUILD_DIR and SOURCE_DIR from os.environ (instead of
shell-interpolating paths), opens compile_commands.json using a with open(...,
encoding='utf-8') context manager, wraps json.load in a try/except catching
json.JSONDecodeError and exits non‑zero on failure, and then performs the same
realpath/filter logic for .cpp files; reference the embedded Python block in
scripts/run_clang_tidy.sh and the BUILD_DIR/SOURCE_DIR variables when locating
compile_commands.json and the src directory.
- Around line 64-80: The current selection reads every entry's e['file'] from
compile_commands.json and can pick commands from other CMake configs; change the
filter to only include entries whose e['directory'] (or directory field) belongs
to the active build directory ($BUILD_DIR) and whose realpath file starts with
the project src ($SOURCE_DIR/src) and ends with .cpp, and deduplicate the list
(e.g., via set or sort -u) before assigning SOURCE_FILES; update the python
snippet that populates SOURCE_FILES (references: BUILD_DIR, SOURCE_DIR,
SOURCE_FILES, e['file'], e['directory'], compile_commands.json) to perform this
directory check and de-duplication so clang-tidy only analyzes files from the
active CMake configuration.
In `@scripts/static_memory_budget.py`:
- Around line 25-31: Add an explicit Python minimum-version note so the script
won’t be misused on older runtimes: update the top of the module to include a
module docstring stating "Requires Python 3.10+ (repo uses Python 3.12+)" and
also include the same note in the argparse description/help so command-line
users see it; locate the module header and the argparse setup (the function or
main entry that accepts argv: list[str] | None) and add the short clear version
requirement there.
In `@src/CMakeLists.txt`:
- Around line 51-56: The comment about allocation being "listed before
threading" is misplaced next to the SOMEIP_ALLOC_IMPL_DIR variable and should be
moved to where include ordering is actually set; relocate or duplicate the
comment near the target_include_directories call (the block that adds
${SOMEIP_ALLOC_IMPL_DIR} and threading include dirs) so it clearly documents why
${SOMEIP_ALLOC_IMPL_DIR} must appear before the threading include dirs; keep
references to SOMEIP_USE_STATIC_ALLOC and SOMEIP_ALLOC_IMPL_DIR so future
readers can find the related conditional and include-path logic.
In `@src/platform/static/malloc_trap.cpp`:
- Around line 37-63: The current trap implements malloc/free/calloc/realloc but
misses C++ heap operators so non-placement new bypasses it; add matching global
operator new, operator new[](std::size_t) and their corresponding operator
delete/operator delete[](void*) (and the nothrow/new(size, std::nothrow_t)
overloads if used) to abort with an explanatory fprintf like the existing
functions, referencing the same behavior as malloc/free handlers (e.g.,
implement operator new(std::size_t) and operator new[](std::size_t) to fprintf
"MALLOC TRAP: operator new(%zu) detected" and call std::abort(), and implement
operator delete/operator delete[] to detect frees and abort similarly) so all
non-placement C++ allocations are trapped.
In `@tests/CMakeLists.txt`:
- Around line 110-117: The test target test_static_alloc is not linked against
the someip_malloc_trap OBJECT library so heap-interception won't be enforced;
update the CMake target for test_static_alloc (target name "test_static_alloc")
to add the someip_malloc_trap object library via target_link_libraries (e.g.,
link someip_malloc_trap as a PRIVATE dependency) so the malloc trap defined as
someip_malloc_trap in src/CMakeLists.txt is included at link time and enables
no-heap verification.
- Line 114: Remove the redundant PRIVATE definition of SOMEIP_STATIC_ALLOC from
the test target: delete the line calling
target_compile_definitions(test_static_alloc PRIVATE SOMEIP_STATIC_ALLOC) since
SOMEIP_STATIC_ALLOC is already defined PUBLIC on the opensomeip target and will
propagate to test_static_alloc through linking; ensure opensomeip remains a
PUBLIC-linked target for test_static_alloc so the definition still applies.
In `@tests/test_static_alloc.cpp`:
- Around line 385-411: The test BufferPoolThreadSafety currently uses a weak
smoke assertion (EXPECT_GT(success_count.load(), 0)); replace it with a stronger
correctness check that validates all attempted acquires succeeded by asserting
EXPECT_EQ(success_count.load(), kThreads * kOpsPerThread) (referencing kThreads,
kOpsPerThread, success_count, and the test name) so the test fails if any
acquisition/release under contention is lost; after changing the assertion,
consider enabling ThreadSanitizer in CI for additional race detection.
---
Outside diff comments:
In `@docs/requirements/implementation/platform.rst`:
- Around line 483-485: REQ_PAL_MEM_ALLOC currently hard-codes std::shared_ptr in
the spec: change the wording around someip::platform::allocate_message() and
MessagePtr so they do not mandate std::shared_ptr; instead describe MessagePtr
as an abstract/opaque smart-pointer type (or "pointer-like handle") owning a
fully constructed Message and allow backend choice (e.g., intrusive ref-counting
or static pool-backed handles) so it remains compatible with
REQ_PAL_INTRUSIVE_PTR and the static message-pool requirement; update all
occurrences (including the section referencing lines ~966-977) to remove
"std::shared_ptr<Message>" and replace with this backend-agnostic description,
while keeping the contract that callers receive an owning MessagePtr with a
usable Message instance.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: ASSERTIVE
Plan: Pro
Run ID: 7022fc2e-e97d-4c07-b656-c9fe3e100de8
📒 Files selected for processing (24)
CMakeLists.txtdocs/requirements/implementation/architecture.rstdocs/requirements/implementation/platform.rstdocs/safety/FMEA_STATIC_ALLOCATION.mdinclude/platform/buffer_pool.hinclude/platform/containers.hinclude/platform/dynamic/buffer_pool_impl.hinclude/platform/dynamic/containers_impl.hinclude/platform/intrusive_ptr.hinclude/platform/static/buffer_pool_impl.hinclude/platform/static/containers_impl.hinclude/platform/static/memory_impl.hinclude/platform/static/static_config.hscripts/run_clang_tidy.shscripts/static_memory_budget.pysrc/CMakeLists.txtsrc/platform/static/buffer_pool.cppsrc/platform/static/malloc_trap.cppsrc/platform/static/memory.cppsrc/someip/message.cpptests/CMakeLists.txttests/fakes/buffer_pool_impl.htests/fakes/containers_impl.htests/test_static_alloc.cpp
Move MessagePtr typedef to PAL dispatch (message_ptr.h -> message_ptr_impl.h) resolved by include-path shadowing, matching the existing PAL pattern. - ref_count_ and intrusive_ptr hooks are now unconditional (2 bytes per Message; negligible overhead, identical class layout across backends) - Dynamic backends gain a trivial release_message() so the unconditional intrusive_ptr_release() compiles and links (dead code in dynamic path) - SOMEIP_STATIC_ALLOC compile definition removed entirely -- no source code references it anymore; backend selection is purely via -I paths Co-authored-by: Cursor <cursoragent@cursor.com>
Blocker: - ByteBuffer: check slot_->capacity >= needed after ensure_capacity() to prevent out-of-bounds writes when pool upgrade fails High: - ByteBuffer: return nullptr from end() when slot_ is null to avoid undefined pointer arithmetic (nullptr + 0) - malloc_trap: add operator new/new[]/delete/delete[] traps alongside C malloc/free/calloc/realloc for complete no-heap verification - Link someip_malloc_trap OBJECT library into test_static_alloc so REQ_PAL_NOOP_HEAP_VERIFY is enforced at test runtime Medium: - static_config.h: add static_assert guards for pool sizes (uint16_t range) and tier size ordering - platform.rst: rename StaticVector/StaticString/StaticUnorderedMap/ StaticQueue/StaticFunction to Vector/String/UnorderedMap/Queue/ Function matching actual containers_impl.h; fix Code Location references to point to containers_impl.h instead of non-existent container_*.h files; update test file references Co-authored-by: Cursor <cursoragent@cursor.com>
Contributor
There was a problem hiding this comment.
Actionable comments posted: 3
Caution
Some comments are outside the diff and can’t be posted inline due to platform limitations.
⚠️ Outside diff range comments (1)
src/someip/message.cpp (1)
553-557: 🩺 Stability & Availability | 🟠 Major | 🏗️ Heavy liftMissing overflow protection for reference counter.
The intrusive reference counter uses
uint16_t(max 65,535) with no overflow check. Ifref_count_reaches its maximum andintrusive_ptr_add_refis called again, it will wrap to 0, causing premature deletion when the firstIntrusivePtris destroyed.For ISO 26262 safety-critical deployments, bounded reference counts should either use a wider type or detect overflow and fail safely.
🛡️ Proposed overflow guard
void intrusive_ptr_add_ref(const Message* p) { if (p) { - p->ref_count_.fetch_add(1, std::memory_order_relaxed); + auto old_count = p->ref_count_.fetch_add(1, std::memory_order_relaxed); + // Safety check: detect overflow before it causes wrap-around + if (old_count >= std::numeric_limits<uint16_t>::max()) { + // Overflow: either abort or use a wider type (uint32_t) + std::abort(); // Or log critical error and halt + } } }Alternatively, consider changing
ref_count_tostd::atomic<uint32_t>ininclude/someip/message.hif the 2-byte footprint saving is not critical.🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@src/someip/message.cpp` around lines 553 - 557, intrusive_ptr_add_ref currently increments Message::ref_count_ (a uint16_t atomic) without overflow protection; either widen the atomic to std::atomic<uint32_t> in the Message class (preferred) or add an overflow check in intrusive_ptr_add_ref: load the current value, if it equals std::numeric_limits<uint16_t>::max() fail safely (log/abort/throw) and otherwise increment using compare-exchange or fetch_add with a check to avoid wraparound; update any code using ref_count_ accordingly and preserve the intended memory ordering semantics.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@include/platform/dynamic/message_ptr_impl.h`:
- Around line 10-15: This header declares MessagePtr and MessageConstPtr using
std::shared_ptr (symbols: MessagePtr, MessageConstPtr, namespace someip) but
lacks the required <memory> include; add a direct include of <memory> at the top
of include/platform/dynamic/message_ptr_impl.h so the header no longer relies on
transitive includes for std::shared_ptr and remains robust to include-order
changes.
In `@include/platform/static/message_ptr_impl.h`:
- Around line 10-15: Add a direct include for the intrusive pointer header so
the typedefs compile without relying on transitive includes: include
"platform/intrusive_ptr.h" at the top of message_ptr_impl.h before using
platform::IntrusivePtr; update the file that defines MessagePtr and
MessageConstPtr (the typedefs using platform::IntrusivePtr<Message> and
platform::IntrusivePtr<const Message>) to reference the header explicitly.
In `@tests/fakes/memory_impl.h`:
- Around line 33-35: The current release_message(Message* msg) deletes the raw
pointer while allocate_message() returns std::shared_ptr<Message>, risking
double-free if callers pass ptr.get(); fix by making the ownership contract
explicit: add a clear comment above release_message stating "must never be
called with pointers owned by allocate_message()/std::shared_ptr" and provide a
safe overload release_message(std::shared_ptr<Message> msg) that is a no-op (or
simply consumes the shared_ptr) so accidental calls with shared_ptr objects are
safe; optionally mark the raw-pointer release_message as deprecated in the
comment to discourage use and keep delete behavior only for truly raw-allocated
Message instances.
---
Outside diff comments:
In `@src/someip/message.cpp`:
- Around line 553-557: intrusive_ptr_add_ref currently increments
Message::ref_count_ (a uint16_t atomic) without overflow protection; either
widen the atomic to std::atomic<uint32_t> in the Message class (preferred) or
add an overflow check in intrusive_ptr_add_ref: load the current value, if it
equals std::numeric_limits<uint16_t>::max() fail safely (log/abort/throw) and
otherwise increment using compare-exchange or fetch_add with a check to avoid
wraparound; update any code using ref_count_ accordingly and preserve the
intended memory ordering semantics.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: ASSERTIVE
Plan: Pro
Run ID: aaeb92b7-dfc8-4aee-a02f-4686b83d3863
📒 Files selected for processing (14)
include/platform/dynamic/message_ptr_impl.hinclude/platform/message_ptr.hinclude/platform/posix/memory_impl.hinclude/platform/static/message_ptr_impl.hinclude/platform/win32/memory_impl.hinclude/someip/message.hsrc/CMakeLists.txtsrc/someip/message.cpptests/CMakeLists.txttests/fakes/memory_impl.htests/fakes/message_ptr_impl.htests/test_pal_freertos_mock.cpptests/test_pal_threadx_mock.cpptests/test_pal_zephyr_mock.cpp
💤 Files with no reviewable changes (1)
- src/CMakeLists.txt
Comment on lines
+33
to
+35
| inline void release_message(Message* msg) { | ||
| delete msg; | ||
| } |
Contributor
There was a problem hiding this comment.
🩺 Stability & Availability | 🟡 Minor
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
# Search for patterns that might extract raw pointers from shared_ptr and call release_message
rg -n -C3 'allocate_message|release_message' tests/ --type=cppRepository: vtz/opensomeip
Length of output: 12291
🏁 Script executed:
#!/bin/bash
rg -n -- 'release_message\s*\(' tests/ --type=cppRepository: vtz/opensomeip
Length of output: 416
🏁 Script executed:
#!/bin/bash
set -euo pipefail
# Find any call sites (not just definitions) in tests/
rg -n 'release_message\s*\(' tests -g'*.cpp' -g'*.h' -g'*.hpp'
# Look specifically for passing raw pointers extracted via .get()
rg -n 'release_message\s*\(.*\.get\s*\(\s*\)\s*\)' tests -g'*.cpp' -g'*.h' -g'*.hpp'
# Look for qualified calls
rg -n 'someip::platform::release_message\s*\(' tests -g'*.cpp' -g'*.h' -g'*.hpp'
rg -n 'platform::release_message\s*\(' tests -g'*.cpp' -g'*.h' -g'*.hpp'Repository: vtz/opensomeip
Length of output: 347
Make release_message’s contract safe with shared_ptr allocation
tests/fakes/memory_impl.h defines release_message(Message* msg) { delete msg; } while allocate_message() returns std::shared_ptr<Message>. If release_message is ever called with a raw pointer originating from that shared_ptr (e.g., release_message(ptr.get())), it can double-free.
In tests/, release_message(...) is only defined and there are no call sites, so the current tests don’t exercise the mismatch. Add an assertion and/or document the contract (“must never receive allocate_message()/shared_ptr-managed pointers”) to prevent future accidental misuse.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In `@tests/fakes/memory_impl.h` around lines 33 - 35, The current
release_message(Message* msg) deletes the raw pointer while allocate_message()
returns std::shared_ptr<Message>, risking double-free if callers pass ptr.get();
fix by making the ownership contract explicit: add a clear comment above
release_message stating "must never be called with pointers owned by
allocate_message()/std::shared_ptr" and provide a safe overload
release_message(std::shared_ptr<Message> msg) that is a no-op (or simply
consumes the shared_ptr) so accidental calls with shared_ptr objects are safe;
optionally mark the raw-pointer release_message as deprecated in the comment to
discourage use and keep delete behavior only for truly raw-allocated Message
instances.
- intrusive_ptr.h: suppress hicpp-explicit-conversions for nullptr_t ctor - posix/memory_impl.h: suppress cppcoreguidelines-owning-memory on delete - message.cpp: add <atomic> include, use explicit nullptr comparisons, suppress const_cast and include-cleaner in intrusive_ptr hooks Co-authored-by: Cursor <cursoragent@cursor.com>
The dispatch header message_ptr.h includes message_ptr_impl.h which must be findable from the backend's include directory. For the host CMake build, include/platform/dynamic/ provides it. But standalone build systems (Zephyr west) only add the backend directory to -I, so each backend needs its own message_ptr_impl.h. Fixes Zephyr S32K388 Renode build failure: fatal error: message_ptr_impl.h: No such file or directory Co-authored-by: Cursor <cursoragent@cursor.com>
- CMake: set ETL_LOG_ERRORS=1, ETL_THROW_EXCEPTIONS=0, ETL_NO_STL=1 when SOMEIP_USE_STATIC_ALLOC=ON — enforces FMEA-prescribed ETL error handling (no abort/exception on container overflow) - Add test_pal_static_alloc_mock.cpp: PAL conformance tests exercising the real static message pool + buffer pool with POSIX threading, verifying the static backend satisfies the same contracts as dynamic - Add debug-mode assert in intrusive_ptr_add_ref to detect ref_count_ saturation (uint16_t overflow) — fires only in debug builds, prevents silent wrap-around in development Co-authored-by: Cursor <cursoragent@cursor.com>
Contributor
There was a problem hiding this comment.
Actionable comments posted: 1
Caution
Some comments are outside the diff and can’t be posted inline due to platform limitations.
⚠️ Outside diff range comments (2)
docs/requirements/implementation/platform.rst (2)
840-846: 📐 Maintainability & Code Quality | 🟡 Minor | ⚡ Quick winClarify the expected error-handling behavior for capacity exhaustion (line 845).
The parenthetical comment "(ETL container overflow behavior governed by the ETL error handler)" appears incomplete. The requirement text (lines 833–842) states that insertion operations "shall fail gracefully…without crashing, corrupting…or allocating from the heap," but line 845 defers error handling to ETL's handler without explaining what that entails.
For safety-critical contexts, readers need clarity: Does "gracefully" mean ETL logs an error, throws an exception (if
ETL_THROW_EXCEPTIONS=1), or returns a status code? If ETL behavior is externally defined, the requirement should explicitly state the expected outcome (e.g., "insertion returns false on overflow" or "ETL error handler is configured via ETL_LOG_ERRORS=1 and ETL_THROW_EXCEPTIONS=0").📝 Suggested revision
Replace lines 841–845 with explicit expected behavior:
**Error Handling**: Return ``false`` or an error indicator; container - internals remain consistent. + internals remain consistent. When ``SOMEIP_USE_STATIC_ALLOC`` is enabled, + ETL containers are configured with ``ETL_THROW_EXCEPTIONS=0``, + ``ETL_LOG_ERRORS=1``, and ``ETL_NO_STL=1``; insertion failures are + signaled via return codes rather than exceptions. - **Code Location**: ``include/platform/static/containers_impl.h`` + **Code Location**: ``include/platform/static/containers_impl.h``, + ``CMakeLists.txt`` (ETL build flags)🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@docs/requirements/implementation/platform.rst` around lines 840 - 846, Clarify that on capacity exhaustion insertion operations (functions in include/platform/static/containers_impl.h) must return false or an error status without allocating from the heap, crashing, or corrupting state; explicitly state that ETL is used only for diagnostics and must be configured so ETL_THROW_EXCEPTIONS=0 and ETL_LOG_ERRORS=1 (so the container returns false on overflow and ETL logs the event) or otherwise document the alternative configuration and outcome; update the parenthetical to read that the ETL error handler is used only to log diagnostics and must be configured not to throw so container methods (e.g., push/insert/emplace in the static containers) deterministically return false on overflow.
981-982: 📐 Maintainability & Code Quality | 🟡 MinorFix docs “Code Location” for Message intrusive ref-count
docs/requirements/implementation/platform.rstlines 981-982 citeinclude/common/message.hfor the embedded intrusive ref-count, butinclude/common/message.hdoes not exist in the repo;Message’s intrusiveref_count_{0}is ininclude/someip/message.h(withintrusive_ptr_add_ref/intrusive_ptr_release). Update the cited path toinclude/someip/message.h.🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@docs/requirements/implementation/platform.rst` around lines 981 - 982, The docs "Code Location" entry currently points to a non-existent header; update the Code Location to cite the header that actually defines Message and its intrusive ref-count (the header that contains class Message, ref_count_{0}, and the intrusive_ptr_add_ref / intrusive_ptr_release implementations) — replace the incorrect include/common/message.h with include/someip/message.h and ensure the text mentions Message, ref_count_{0}, intrusive_ptr_add_ref, and intrusive_ptr_release so readers can find the implementation.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@docs/requirements/implementation/platform.rst`:
- Line 740: platform.rst currently references non-existent test files and
TC_CONTAINER_* IDs (e.g., TC_CONTAINER_VECTOR_PUSH_BACK) which are not present;
update the requirement-to-test traceability by editing
docs/requirements/implementation/platform.rst to either (A) replace references
to tests/test_buffer_pool.cpp, tests/test_no_heap.cpp,
tests/test_pimpl_static.cpp, and tests/test_static_memory.cpp with the
consolidated tests/test_static_alloc.cpp and the actual TC IDs found there
(e.g., TC_BUFPOOL_* , TC_INTRUSIVE_PTR_LIFETIME, TC_BYTEBUFFER_API,
TC_PIMPL_NO_HEAP), and adjust the TC mapping entries so
TC_CONTAINER_VECTOR_PUSH_BACK and other TC_CONTAINER_* entries point to the
correct test or are removed, or (B) restore the missing test sources and their
TC_CONTAINER_* mappings if you intend to keep those IDs; ensure the platform.rst
mapping lines reference the exact test file name tests/test_static_alloc.cpp and
the exact TC identifiers present in that file to restore correct traceability.
---
Outside diff comments:
In `@docs/requirements/implementation/platform.rst`:
- Around line 840-846: Clarify that on capacity exhaustion insertion operations
(functions in include/platform/static/containers_impl.h) must return false or an
error status without allocating from the heap, crashing, or corrupting state;
explicitly state that ETL is used only for diagnostics and must be configured so
ETL_THROW_EXCEPTIONS=0 and ETL_LOG_ERRORS=1 (so the container returns false on
overflow and ETL logs the event) or otherwise document the alternative
configuration and outcome; update the parenthetical to read that the ETL error
handler is used only to log diagnostics and must be configured not to throw so
container methods (e.g., push/insert/emplace in the static containers)
deterministically return false on overflow.
- Around line 981-982: The docs "Code Location" entry currently points to a
non-existent header; update the Code Location to cite the header that actually
defines Message and its intrusive ref-count (the header that contains class
Message, ref_count_{0}, and the intrusive_ptr_add_ref / intrusive_ptr_release
implementations) — replace the incorrect include/common/message.h with
include/someip/message.h and ensure the text mentions Message, ref_count_{0},
intrusive_ptr_add_ref, and intrusive_ptr_release so readers can find the
implementation.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: ASSERTIVE
Plan: Pro
Run ID: 5595ffbc-2a5e-4197-b90c-920c20f33308
📒 Files selected for processing (15)
docs/requirements/implementation/platform.rstinclude/platform/freertos/message_ptr_impl.hinclude/platform/intrusive_ptr.hinclude/platform/posix/memory_impl.hinclude/platform/posix/message_ptr_impl.hinclude/platform/static/buffer_pool_impl.hinclude/platform/static/static_config.hinclude/platform/threadx/message_ptr_impl.hinclude/platform/win32/message_ptr_impl.hinclude/platform/zephyr/message_ptr_impl.hsrc/CMakeLists.txtsrc/platform/static/malloc_trap.cppsrc/someip/message.cpptests/CMakeLists.txttests/test_pal_static_alloc_mock.cpp
- Add TC_CONTAINER_VECTOR_PUSH_BACK, TC_CONTAINER_STRING_APPEND, TC_CONTAINER_MAP_INSERT_LOOKUP, TC_CONTAINER_QUEUE_FIFO, TC_CONTAINER_FUNCTION_INVOKE, TC_CONTAINER_CAPACITY_EXHAUST tests to test_static_alloc.cpp — completes requirement traceability for REQ_PAL_CONTAINER_* in platform.rst - Fix doc references: update Code Location for intrusive ptr to include/someip/message.h, update no-heap test file ref to test_static_alloc.cpp, clarify ETL error handling defines - Remove ETL_NO_STL=1 (conflicts with host STL on non-bare-metal targets; only ETL_LOG_ERRORS and ETL_THROW_EXCEPTIONS needed) Co-authored-by: Cursor <cursoragent@cursor.com>
- architecture.rst: broaden heap-verification scope to include free/delete - FMEA: fix CMake target name (opensomeip, PUBLIC), update refcount saturation entry to match debug-assert implementation, update residual risk assessment Co-authored-by: Cursor <cursoragent@cursor.com>
Contributor
There was a problem hiding this comment.
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@tests/test_static_alloc.cpp`:
- Around line 533-547: Extend the ContainerTest::CapacityExhaust test to verify
overflow behavior when capacity is exhausted: after filling Vector<int,4> v and
Queue<int,2> q to capacity (using Vector::push_back and Queue::push), attempt
one more insertion for each and assert the operation fails gracefully (e.g.,
returns a false/error indicator or does not change state) by checking the return
value if push/push_back return status or by asserting size() remains at capacity
and container contents are unchanged; update the test to use Vector, Queue,
push_back, push, full, and size to locate the relevant checks.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: ASSERTIVE
Plan: Pro
Run ID: 39955ab6-d74f-482d-ac92-8fdd0c7a1d83
📒 Files selected for processing (5)
docs/requirements/implementation/architecture.rstdocs/requirements/implementation/platform.rstdocs/safety/FMEA_STATIC_ALLOCATION.mdsrc/CMakeLists.txttests/test_static_alloc.cpp
💤 Files with no reviewable changes (1)
- src/CMakeLists.txt
Comment on lines
+533
to
+547
| TEST(ContainerTest, CapacityExhaust) { | ||
| Vector<int, 4> v; | ||
| v.push_back(1); | ||
| v.push_back(2); | ||
| v.push_back(3); | ||
| v.push_back(4); | ||
| EXPECT_EQ(v.size(), 4U); | ||
| EXPECT_TRUE(v.full()); | ||
|
|
||
| Queue<int, 2> q; | ||
| q.push(1); | ||
| q.push(2); | ||
| EXPECT_EQ(q.size(), 2U); | ||
| EXPECT_TRUE(q.full()); | ||
| } |
Contributor
There was a problem hiding this comment.
🧹 Nitpick | 🔵 Trivial | ⚡ Quick win
Consider testing overflow behavior beyond just checking full() state.
The test verifies that full() returns true when capacity is reached, but per REQ_PAL_CONTAINER_CAPACITY_E01 (docs/requirements/implementation/platform.rst lines 833-836), insertion operations should "fail gracefully" when capacity is exhausted. Consider adding assertions that verify attempting to push_back() or push() beyond capacity either returns an error indicator or leaves the container state unchanged (size remains at capacity, no corruption).
📋 Example enhancement
TEST(ContainerTest, CapacityExhaust) {
Vector<int, 4> v;
v.push_back(1);
v.push_back(2);
v.push_back(3);
v.push_back(4);
EXPECT_EQ(v.size(), 4U);
EXPECT_TRUE(v.full());
+
+ // Verify overflow attempt doesn't corrupt state
+ size_t size_before = v.size();
+ v.push_back(5); // Should fail gracefully
+ EXPECT_EQ(v.size(), size_before); // Size unchanged
Queue<int, 2> q;
q.push(1);
q.push(2);
EXPECT_EQ(q.size(), 2U);
EXPECT_TRUE(q.full());
+
+ // Verify overflow attempt doesn't corrupt state
+ size_before = q.size();
+ q.push(3); // Should fail gracefully
+ EXPECT_EQ(q.size(), size_before); // Size unchanged
}🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In `@tests/test_static_alloc.cpp` around lines 533 - 547, Extend the
ContainerTest::CapacityExhaust test to verify overflow behavior when capacity is
exhausted: after filling Vector<int,4> v and Queue<int,2> q to capacity (using
Vector::push_back and Queue::push), attempt one more insertion for each and
assert the operation fails gracefully (e.g., returns a false/error indicator or
does not change state) by checking the return value if push/push_back return
status or by asserting size() remains at capacity and container contents are
unchanged; update the test to use Vector, Queue, push_back, push, full, and size
to locate the relevant checks.
Three issues addressed from follow-up review:
1. CI/preset gap: static-alloc backend was never built or tested in CI.
- Add `static-alloc-linux-tests` preset to CMakePresets.json
- Add `build-static` job to host.yml (build + ctest with
SOMEIP_USE_STATIC_ALLOC=ON)
- Register preset in preset-validation.yml
2. Traceability: platform.rst referenced non-existent TC_NO_HEAP_PROTOCOL_RUN.
- Rename to TC_NO_HEAP_VERIFY and update description to reflect
that test_static_alloc links malloc_trap which aborts on any heap
call, so all passing tests implicitly verify no-heap compliance
- Add TC_NO_HEAP_VERIFY and REQ_PAL_NOOP_HEAP_VERIFY to test header
3. Double-release: release_buffer had no guard against returning the
same slot index to the free stack twice.
- Add per-slot `in_use` tracking arrays in buffer_pool.cpp
- Set true on acquire, false on release; reject release if !in_use
- Add DoubleReleaseIsSafe test proving two consumers never get the
same slot after a double-release attempt
Co-authored-by: Cursor <cursoragent@cursor.com>
GCC with -Werror rejects operator new returning nullptr unless declared noexcept/throw(). Since these trap functions always call abort(), the noexcept specification is correct and silences the diagnostic. Co-authored-by: Cursor <cursoragent@cursor.com>
vtz
force-pushed
the
feature/no-heap-static-alloc
branch
from
21f0fc2 to
1dc6696
Compare
Contributor
There was a problem hiding this comment.
Actionable comments posted: 3
Caution
Some comments are outside the diff and can’t be posted inline due to platform limitations.
⚠️ Outside diff range comments (2)
src/platform/static/buffer_pool.cpp (1)
135-144:⚠️ Potential issue | 🟠 Major | 🏗️ Heavy lift
in_usestill allows stale double-release after the slot is reissued.This check only answers whether the slot is leased now; it does not prove the caller owns the current lease. If a slot is released, reacquired, and then an old
BufferSlot*is released again, Line 139 still passes, the live slot is pushed back onto the free stack, and a lateracquire_buffer()can hand the same backing storage to two owners at once. This needs an ownership-carrying handle/token (for example, a generation-bound opaque handle) instead of a per-slot boolean. Please also extendBufferPoolTest.DoubleReleaseIsSafeto reacquire the slot before the second release so this path regresses.🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@src/platform/static/buffer_pool.cpp` around lines 135 - 144, The release path allows stale BufferSlot* double-release because in_use_ptrs[t][i] is a boolean that doesn't prove the caller still owns the lease; replace it with an ownership token (e.g., add a per-slot generation counter and return an opaque handle / generation-bound token from acquire_buffer() or embed a generation field in BufferSlot) and require the release function to verify the token/generation matches the current slot generation before accepting it; on successful release increment the slot generation and mark it free (update in_use_ptrs => ownership state), update free_stack_ptrs/stack_top logic to only run after token verification, and extend BufferPoolTest.DoubleReleaseIsSafe to reacquire the slot before attempting the second release to assert the regression is covered.docs/requirements/implementation/platform.rst (1)
956-956:⚠️ Potential issue | 🟡 Minor | ⚡ Quick winUse the actual static-config knob names.
include/platform/static/static_config.hexposesSOMEIP_MESSAGE_POOL_SIZEandSOMEIP_BYTE_POOL_*; theSOMEIP_STATIC_MESSAGE_POOL_SIZE/SOMEIP_STATIC_BUFPOOL_TIER_*names here do not exist, so this points users at the wrong CMake inputs.Suggested fix
- Configure ``SOMEIP_STATIC_MESSAGE_POOL_SIZE``, ``SOMEIP_STATIC_BUFPOOL_TIER_*`` via CMake + Configure ``SOMEIP_MESSAGE_POOL_SIZE`` and ``SOMEIP_BYTE_POOL_*`` via CMake🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@docs/requirements/implementation/platform.rst` at line 956, The documentation references non-existent CMake knobs `SOMEIP_STATIC_MESSAGE_POOL_SIZE` and `SOMEIP_STATIC_BUFPOOL_TIER_*`; update the text to use the actual static-config symbol names exported in include/platform/static/static_config.h — namely `SOMEIP_MESSAGE_POOL_SIZE` and `SOMEIP_BYTE_POOL_*` (or the exact tiered `SOMEIP_BYTE_POOL_TIER_*` names used in the header) and state that these are configured via CMake so the generated static_config.h reflects those values and pool sizes at runtime without heap allocation.
♻️ Duplicate comments (1)
docs/requirements/implementation/platform.rst (1)
859-859:⚠️ Potential issue | 🟡 Minor | ⚡ Quick winNormalize the remaining traceability refs to the consolidated static suite.
These requirements still point at the pre-consolidation split-test layout. Please retarget the buffer-pool, no-heap, static-memory, and pimpl verifications to
tests/test_static_alloc.cppand the TC IDs that actually live there; the no-heap block should also update its Code Location tosrc/platform/static/malloc_trap.cpp. Same cleanup as the earlier traceability note.Also applies to: 878-878, 896-896, 914-914, 933-933, 1004-1004, 1033-1033, 1056-1056, 1078-1078, 1096-1096
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@docs/requirements/implementation/platform.rst` at line 859, Update the traceability references that still point to the old split-test layout by retargeting the buffer-pool, no-heap, static-memory, and pimpl verification entries to the consolidated static test suite: change their test verification lines to reference tests/test_static_alloc.cpp and the corresponding TC IDs that now live in that file (instead of the old per-component IDs), and update the no-heap Code Location reference to src/platform/static/malloc_trap.cpp; apply the same replacement pattern for the other occurrences listed (lines noted in the comment) so all refs consistently point to tests/test_static_alloc.cpp and the correct TC identifiers and code location.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.github/workflows/host.yml:
- Line 179: The checkout step currently uses actions/checkout@v4 without
disabling credential persistence; update the checkout invocation for the host
workflow (the actions/checkout@v4 usage) to include persist-credentials: false
so it matches the coverage job and minimizes stored credentials—locate the
actions/checkout@v4 step and add the persist-credentials: false key to its
configuration.
In `@src/platform/static/malloc_trap.cpp`:
- Around line 71-75: Add the same unreachable return pattern used in the C
overrides to the C++ allocation overrides: after the std::abort() call in both
operator new(std::size_t) noexcept and operator new[](std::size_t) noexcept, add
a "return nullptr; // unreachable" to suppress potential compiler warnings and
keep consistency with malloc/calloc/realloc overrides.
- Around line 71-81: Add the nothrow allocation overloads and the <new> include
so nothrow allocations cannot bypass the trap: include <new> at the top, and
implement operator new(std::size_t, const std::nothrow_t&) noexcept and operator
new[](std::size_t, const std::nothrow_t&) noexcept matching the existing trap
behavior (print the MALLOC TRAP message including the size with fprintf and
abort), using the same message style as operator new and operator new[] so all
forms of new are covered.
---
Outside diff comments:
In `@docs/requirements/implementation/platform.rst`:
- Line 956: The documentation references non-existent CMake knobs
`SOMEIP_STATIC_MESSAGE_POOL_SIZE` and `SOMEIP_STATIC_BUFPOOL_TIER_*`; update the
text to use the actual static-config symbol names exported in
include/platform/static/static_config.h — namely `SOMEIP_MESSAGE_POOL_SIZE` and
`SOMEIP_BYTE_POOL_*` (or the exact tiered `SOMEIP_BYTE_POOL_TIER_*` names used
in the header) and state that these are configured via CMake so the generated
static_config.h reflects those values and pool sizes at runtime without heap
allocation.
In `@src/platform/static/buffer_pool.cpp`:
- Around line 135-144: The release path allows stale BufferSlot* double-release
because in_use_ptrs[t][i] is a boolean that doesn't prove the caller still owns
the lease; replace it with an ownership token (e.g., add a per-slot generation
counter and return an opaque handle / generation-bound token from
acquire_buffer() or embed a generation field in BufferSlot) and require the
release function to verify the token/generation matches the current slot
generation before accepting it; on successful release increment the slot
generation and mark it free (update in_use_ptrs => ownership state), update
free_stack_ptrs/stack_top logic to only run after token verification, and extend
BufferPoolTest.DoubleReleaseIsSafe to reacquire the slot before attempting the
second release to assert the regression is covered.
---
Duplicate comments:
In `@docs/requirements/implementation/platform.rst`:
- Line 859: Update the traceability references that still point to the old
split-test layout by retargeting the buffer-pool, no-heap, static-memory, and
pimpl verification entries to the consolidated static test suite: change their
test verification lines to reference tests/test_static_alloc.cpp and the
corresponding TC IDs that now live in that file (instead of the old
per-component IDs), and update the no-heap Code Location reference to
src/platform/static/malloc_trap.cpp; apply the same replacement pattern for the
other occurrences listed (lines noted in the comment) so all refs consistently
point to tests/test_static_alloc.cpp and the correct TC identifiers and code
location.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: ASSERTIVE
Plan: Pro
Run ID: 61c9ea59-ee13-4796-855f-8652ef237dce
📒 Files selected for processing (7)
.github/workflows/host.yml.github/workflows/preset-validation.ymlCMakePresets.jsondocs/requirements/implementation/platform.rstsrc/platform/static/buffer_pool.cppsrc/platform/static/malloc_trap.cpptests/test_static_alloc.cpp
Comment on lines
+71
to
+81
| void* operator new(std::size_t size) noexcept { | ||
| std::fprintf(stderr, | ||
| "MALLOC TRAP: operator new(%zu) detected\n", size); | ||
| std::abort(); | ||
| } | ||
|
|
||
| void* operator new[](std::size_t size) noexcept { | ||
| std::fprintf(stderr, | ||
| "MALLOC TRAP: operator new[](%zu) detected\n", size); | ||
| std::abort(); | ||
| } |
Contributor
There was a problem hiding this comment.
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
# Search for nothrow new usage
rg -n '\bnew\s*\(\s*std::nothrow\s*\)' --type cpp -C3
rg -n '\bnothrow_t\b' --type cpp -C3Repository: vtz/opensomeip
Length of output: 40
🏁 Script executed:
#!/bin/bash
set -euo pipefail
# Inspect the trap file around the reported lines
sed -n '1,140p' src/platform/static/malloc_trap.cpp
# Search for any nothrow allocation usage patterns (more variants than the original regex)
rg -n 'std::nothrow' --type cpp --type h --glob '*.{cpp,h,hpp,c,hxx}' -S
rg -n '::std::nothrow' --type cpp --type h --glob '*.{cpp,h,hpp,c,hxx}' -S
rg -n '\bnew\s*\(\s*(::)?std::nothrow\s*\)' --type cpp -S
rg -n '\bnew\s*\[\s*\(\s*(::)?std::nothrow\s*\)' --type cpp -S
# Search for any global operator new nothrow overloads already present
rg -n 'operator\s+new\s*\(.*std::nothrow_t' --type cpp --type h -S
rg -n 'operator\s+new\s*\(.*nothrow_t' --type cpp --type h -S
rg -n 'operator\s+new\[\]\s*\(.*nothrow_t' --type cpp --type h -SRepository: vtz/opensomeip
Length of output: 3222
🏁 Script executed:
#!/bin/bash
set -euo pipefail
# Broader repo-wide search (not limited to --type cpp) for nothrow usage
rg -n '(::)?std::nothrow|nothrow_t' -S --glob '*.{c,cc,cpp,cxx,h,hh,hpp,hxx}' | head -n 50 || true
# Search for nothrow-new call sites (handle spacing and global:: qualification)
rg -n '\bnew\s*\(\s*(::)?std::nothrow\s*\)' -S --glob '*.{c,cc,cpp,cxx,h,hh,hpp,hxx}' | head -n 50 || true
rg -n '\bnew\s*\[\s*\]\s*\(\s*(::)?std::nothrow\s*\)' -S --glob '*.{c,cc,cpp,cxx,h,hh,hpp,hxx}' | head -n 50 || true
# Reprint the relevant trap file portion to ensure no nothrow overloads are present
sed -n '50,120p' src/platform/static/malloc_trap.cppRepository: vtz/opensomeip
Length of output: 1745
🏁 Script executed:
#!/bin/bash
set -euo pipefail
# Check common places for exceptions being disabled
rg -n 'fno-exceptions|no-exceptions|DISABLE_EXCEPTIONS|EXCEPTIONS=OFF' -S \
--glob '{CMakeLists.txt,**/*.cmake,**/*.txt,**/*.mk,**/*.sh}' . || true
# Check for "nothrow" mentioned in build scripts / configs (not just C++ code)
rg -n 'nothrow' -S \
--glob '{CMakeLists.txt,**/*.cmake,**/*.txt,**/*.mk,**/*.sh,**/*.md,**/*.yml,**/*.yaml}' . || trueRepository: vtz/opensomeip
Length of output: 214
Trap coverage gap: add nothrow allocation overloads to malloc_trap.cpp
src/platform/static/malloc_trap.cpp overrides only the throwing operator new(std::size_t) noexcept / operator new[](std::size_t) noexcept; it does not override the nothrow forms (operator new(std::size_t, const std::nothrow_t&) noexcept and operator new[](std::size_t, const std::nothrow_t&) noexcept), so any new(std::nothrow) T / new[](std::nothrow) T usage could bypass the trap and allocate from the heap. No std::nothrow/nothrow_t usages were found in this repo, and the toolchain sets -fno-exceptions, but this remains a real bypass vector for third-party/future code.
- Add the missing
std::nothrow_toverloads to the trap target (and include<new>forstd::nothrow_t).
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In `@src/platform/static/malloc_trap.cpp` around lines 71 - 81, Add the nothrow
allocation overloads and the <new> include so nothrow allocations cannot bypass
the trap: include <new> at the top, and implement operator new(std::size_t,
const std::nothrow_t&) noexcept and operator new[](std::size_t, const
std::nothrow_t&) noexcept matching the existing trap behavior (print the MALLOC
TRAP message including the size with fprintf and abort), using the same message
style as operator new and operator new[] so all forms of new are covered.
The unconditional malloc_trap aborted during GTest initialization (73728-byte allocation from GTest's own infrastructure). Redesign to arm/disarm model: - malloc_trap_arm() / malloc_trap_disarm(): test code enables the trap only around protocol operations, allowing GTest and std::thread to use the heap normally. - When disarmed, calls pass through to __libc_malloc/free. - When armed, any heap call (malloc/free/new/delete) aborts. - New TC_NO_HEAP_VERIFY test: arms trap, exercises message pool + buffer pool + intrusive ptr lifecycle, then disarms. - Add malloc_trap.h header for test API declarations. - Filter DestructorWithoutJoinSafe from test_pal_static_alloc_mock (POSIX Thread correctly terminates per REQ_PAL_THREAD_DTOR_E01, which is incompatible with this conformance test expectation). Co-authored-by: Cursor <cursoragent@cursor.com>
Co-authored-by: Cursor <cursoragent@cursor.com>
Replace direct STL container usage throughout the protocol stack with platform-abstracted type aliases (platform::ByteBuffer, platform::Vector, platform::String, platform::UnorderedMap, platform::Queue, platform::Function). Under the dynamic backend these resolve to their STL counterparts (zero overhead). Under the static backend they map to ETL fixed-capacity types enabling no-heap operation. Key changes across 46 files: - message.h/cpp: payload_ and serialize/deserialize use ByteBuffer - serializer.h/cpp: buffer_, array serialization use platform types - Transport (endpoint, tcp, udp): String for addresses, ByteBuffer for wire data, Queue for message queues - SD (types, message, client, server): all entry/option serialization, callbacks, and config strings migrated - TP (types, reassembler, segmenter, manager): segment payloads, reassembly buffers, and callbacks migrated - Events/RPC (types, publisher, subscriber, client, server): event data, filter data, request/response payloads, callbacks migrated - E2E (config, profile, registry, standard_profile): profile names, counter/freshness maps, CRC data buffers migrated - Session manager: sessions map migrated to UnorderedMap Debug-only functions (to_string()) intentionally retain std::string. Smart pointers (shared_ptr, unique_ptr) and std::chrono stay as-is. No #ifdef introduced — PAL include-path shadowing handles dispatch. Closes #174 Co-authored-by: Cursor <cursoragent@cursor.com>
- Fix static-alloc build: use std::hash<string_view> instead of std::hash<platform::String<>> (no std::hash specialization for etl::string); replace std::stoi with std::atoi for ETL compat. - Fix clang-tidy misc-include-cleaner: add IWYU pragma: export to PAL dispatch headers so clang-tidy recognizes them as providers. - Fix clang-tidy readability-implicit-bool-conversion: use explicit nullptr comparison in message.h and message.cpp. - Remove redundant platform includes from .cpp files (already provided through their corresponding .h headers). - Fix Zephyr build: add platform/dynamic include path for buffer_pool_impl.h and containers_impl.h resolution. Co-authored-by: Cursor <cursoragent@cursor.com>
Replace brace-initializer-list ByteBuffer construction from iterator pair with the deserialize(uint8_t*, size_t) overload, which works with both std::vector and ETL static backends. Co-authored-by: Cursor <cursoragent@cursor.com>
- Re-add platform dispatch header includes where clang-tidy's misc-include-cleaner flags "no header providing X". The IWYU export pragma prevents the "not used directly" false positive. - Replace atoi with strtol (cert-err34-c). - Fix UDP transport: use deserialize(ptr, size) overload instead of brace-init-list ByteBuffer construction from iterator pair. Co-authored-by: Cursor <cursoragent@cursor.com>
- Add ByteBuffer(const uint8_t* first, const uint8_t* last) constructor for iterator-pair construction used in TCP transport. - Add erase(const_iterator, const_iterator) for buffer management in TCP transport's message framing and resync logic. Co-authored-by: Cursor <cursoragent@cursor.com>
Config string data (char*) must be reinterpret_cast to uint8_t* when inserting into ByteBuffer, matching the pattern already used in serializer.cpp. Co-authored-by: Cursor <cursoragent@cursor.com>
etl::string::assign() requires char* iterators, not uint8_t*. Use reinterpret_cast when extracting string data from ByteBuffer. Co-authored-by: Cursor <cursoragent@cursor.com>
- Replace string concatenation (operator+) with append() for ETL compatibility in sd_server.cpp. - Change next_unicast_session_id parameter from const std::string& to const platform::String<>& with explicit conversion for map key. - Cast uint8_t* to char* in sd_message.cpp config string deserialization. Co-authored-by: Cursor <cursoragent@cursor.com>
- Change subscriptions_ and field_requests_ from std::unordered_map<platform::String<>> to platform::UnorderedMap (etl::unordered_map uses its own hash, not std::hash). - Replace std::string concatenation (operator+) with append() in make_subscription_key() and make_field_key(). Co-authored-by: Cursor <cursoragent@cursor.com>
The .c_str() calls on std::to_string() results appear redundant under the dynamic backend (std::string accepts std::string) but are required under the static backend (etl::string only accepts const char*). Co-authored-by: Cursor <cursoragent@cursor.com>
Update serialization tests to use platform::ByteBuffer, platform::Vector<T>, and platform::String<> instead of STL types, ensuring compatibility with both dynamic and static backends. Co-authored-by: Cursor <cursoragent@cursor.com>
Avoid the (const char*, size_t) ETL string constructor which may not match on all ETL versions; the (const char*) constructor is sufficient. Co-authored-by: Cursor <cursoragent@cursor.com>
Replace std::vector<uint8_t> with platform::ByteBuffer and std::string with platform::String<> across all test files that interact with the opensomeip API, ensuring static-alloc builds compile cleanly. Also add missing #include headers in message_ptr_impl.h dispatch files (std::shared_ptr for dynamic, IntrusivePtr for static). Co-authored-by: Cursor <cursoragent@cursor.com>
Examples haven't been migrated to platform:: types yet and fail under the static-alloc backend. Match the CMakePresets.json configuration which already sets BUILD_EXAMPLES=OFF. Co-authored-by: Cursor <cursoragent@cursor.com>
- session_manager.h: increase sessions_ map capacity to 256 (was defaulting to 32, tests create 100+ sessions) - tp_types.h: increase received_segments vector capacity to 16384 (per-byte tracking overflowed ETL's 32-entry default capacity) - test_udp_transport.cpp: skip tests with 60KB/65KB payloads when static pool allocation fails (pool has only 4 large slots) Co-authored-by: Cursor <cursoragent@cursor.com>
Add null check after ByteBuffer allocation in receive_loop() to prevent null pointer dereference when buffer pool is exhausted. Skip MaxUdpPayloadSize and MessageExceedsMtu tests under static-alloc (detected via SOMEIP_BYTE_POOL_LARGE_COUNT) since 60-65KB payloads exhaust the 4 available large pool slots during send/serialize/receive/deserialize round-trip. Co-authored-by: Cursor <cursoragent@cursor.com>
Contributor
There was a problem hiding this comment.
Actionable comments posted: 16
Caution
Some comments are outside the diff and can’t be posted inline due to platform limitations.
⚠️ Outside diff range comments (9)
src/platform/static/buffer_pool.cpp (1)
33-37:⚠️ Potential issue | 🟠 Major | ⚡ Quick winAdd compile-time bounds checks for 16-bit pool indices.
Tier counts are
size_tbut are narrowed touint16_tforindex/stack_top. A misconfigured count above65535will truncate and corrupt pool bookkeeping.🛠️ Proposed fix
constexpr size_t kTierCount[kNumTiers] = { SOMEIP_BYTE_POOL_SMALL_COUNT, SOMEIP_BYTE_POOL_MEDIUM_COUNT, SOMEIP_BYTE_POOL_LARGE_COUNT, }; + +static_assert(SOMEIP_BYTE_POOL_SMALL_COUNT <= UINT16_MAX, + "SOMEIP_BYTE_POOL_SMALL_COUNT must fit in uint16_t"); +static_assert(SOMEIP_BYTE_POOL_MEDIUM_COUNT <= UINT16_MAX, + "SOMEIP_BYTE_POOL_MEDIUM_COUNT must fit in uint16_t"); +static_assert(SOMEIP_BYTE_POOL_LARGE_COUNT <= UINT16_MAX, + "SOMEIP_BYTE_POOL_LARGE_COUNT must fit in uint16_t");Also applies to: 80-85
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@src/platform/static/buffer_pool.cpp` around lines 33 - 37, The kTierCount array elements defined by the macros SOMEIP_BYTE_POOL_SMALL_COUNT, SOMEIP_BYTE_POOL_MEDIUM_COUNT, and SOMEIP_BYTE_POOL_LARGE_COUNT are size_t values that get narrowed to uint16_t for use as index and stack_top variables. Add compile-time static_assert checks immediately after the kTierCount array definition to ensure each tier count does not exceed UINT16_MAX (65535), preventing silent truncation and pool corruption. Apply the same bounds checks to the other related location mentioned at lines 80-85.include/core/session_manager.h (1)
86-87:⚠️ Potential issue | 🔴 CriticalBounded-map exhaustion is not handled in
create_session—insertion will silently fail when full.The
sessions_map is fixed-capacity (256) at line 141, butcreate_session()performs an unconditional insertion at line 45 without checking available space:sessions_[session_id] = session;. When the map reaches capacity, this operation fails silently (standard ETL container behavior). The method returns a session ID that was never actually stored, corrupting session tracking.get_next_session_id()finds available IDs but does not verify insertion capacity.Add capacity verification before insertion or implement a rejection mechanism (error code, exception, or automatic cleanup) to prevent silent failures.
Also applies to: 141-141
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@include/core/session_manager.h` around lines 86 - 87, The create_session method unconditionally inserts into the sessions_ map without verifying if the fixed-capacity map (256 slots) has available space, causing silent insertion failures when full. Modify the create_session method to check if sessions_.size() has reached its capacity limit before attempting insertion via sessions_[session_id] = session;. When capacity is exhausted, implement a rejection mechanism such as returning an invalid session ID (e.g., 0), throwing an exception, or providing an error return code to indicate failure, ensuring the caller knows the session creation failed rather than receiving an invalid ID.src/events/event_subscriber.cpp (2)
168-175:⚠️ Potential issue | 🟠 Major | ⚡ Quick win
unsubscribe_eventgroupreports success even when the unsubscription send fails.The function ignores send failure and still erases local state, which can desynchronize client/server subscription state.
💡 Suggested fix
- const Result result = transport_->send_message(unsubscription_msg, service_endpoint); - if (result != Result::SUCCESS) { - // Log error or handle failure - } - - // Remove subscription - subscriptions_.erase(it); - return true; + const Result result = transport_->send_message(unsubscription_msg, service_endpoint); + if (result != Result::SUCCESS) { + return false; + } + + subscriptions_.erase(it); + return true;🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@src/events/event_subscriber.cpp` around lines 168 - 175, The unsubscribe_eventgroup function does not properly handle send failures and proceeds to erase the local subscription state even when transport_->send_message returns a failure result. Check if the result from transport_->send_message is SUCCESS before removing the subscription from subscriptions_, and return false (or appropriate error handling) when the send operation fails to prevent desynchronizing the client and server subscription states.
194-209:⚠️ Potential issue | 🟠 Major | ⚡ Quick winAvoid holding
field_requests_mutex_acrosssend_message, and rollback callback state on send failure.The current flow inserts
field_requests_[key]then calls transport I/O while the mutex is held; on failure, the stale callback remains registered. This can leak state and trigger incorrect callbacks later.💡 Suggested fix
- platform::ScopedLock const field_lock(field_requests_mutex_); - const platform::String<> key = make_field_key(service_id, instance_id, event_id); - field_requests_[key] = std::move(callback); + const platform::String<> key = make_field_key(service_id, instance_id, event_id); + { + platform::ScopedLock const field_lock(field_requests_mutex_); + field_requests_[key] = std::move(callback); + } @@ - return transport_->send_message(field_msg, service_endpoint) == Result::SUCCESS; + const bool sent = (transport_->send_message(field_msg, service_endpoint) == Result::SUCCESS); + if (!sent) { + platform::ScopedLock const field_lock(field_requests_mutex_); + field_requests_.erase(key); + } + return sent;🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@src/events/event_subscriber.cpp` around lines 194 - 209, The field_requests_mutex_ is held across the transport_->send_message() call, which is a blocking I/O operation. If send_message() fails, the callback stored in field_requests_[key] remains registered as stale state. Restructure the code to first create the message and payload outside the lock, then acquire the lock only to insert the callback into field_requests_. Release the mutex (end the ScopedLock scope) before calling transport_->send_message(). If send_message() returns failure, re-acquire the lock and remove the callback entry from field_requests_[key] using the same key that was inserted, then return the failure result. This ensures the mutex is not held during I/O and stale callbacks are cleaned up on send failure.src/sd/sd_server.cpp (1)
758-769:⚠️ Potential issue | 🟠 MajorMigrate
unicast_session_ids_to useplatform::UnorderedMapwithplatform::String<>keys.The
unicast_session_ids_is currently typed asstd::unordered_map<std::string, SdSessionIdCounter>and line 768 constructs a temporarystd::stringfrom theplatform::String<>argument. Both operations allocate heap memory. This pattern is already supported and used elsewhere in the codebase (e.g.,event_subscriber.cpp:392ande2e_profile_registry.h:91), so migrate to:platform::UnorderedMap<platform::String<>, SdSessionIdCounter> unicast_session_ids_;Then simplify line 768 to directly use the peer argument as the key without creating a temporary std::string.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@src/sd/sd_server.cpp` around lines 758 - 769, The unicast_session_ids_ member variable is currently declared as std::unordered_map<std::string, SdSessionIdCounter>, which causes unnecessary heap memory allocation when the next_unicast_session_id method constructs a temporary std::string from the platform::String<> peer argument on line 768. Change the type of unicast_session_ids_ to use platform::UnorderedMap<platform::String<>, SdSessionIdCounter> instead, which is already used elsewhere in the codebase and supports platform::String<> as keys. Then simplify the implementation of next_unicast_session_id to directly access the map using the peer argument as the key without constructing a temporary std::string.src/rpc/rpc_server.cpp (1)
111-118:⚠️ Potential issue | 🟠 Major | 🏗️ Heavy liftEnforce a registered-method limit before materializing into
platform::Vector.
method_handlers_can grow without a bound, butget_registered_methods()now copies every key into a fixed-capacity vector in static mode. Add a configured max atregister_method()that matches the static capacity, or change this API to report truncation/failure instead of risking overflow/assertion.🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@src/rpc/rpc_server.cpp` around lines 111 - 118, The get_registered_methods() function materializes all keys from method_handlers_ into a platform::Vector without bounds checking, risking overflow when the number of registered methods exceeds the vector's static capacity. Either add a configured maximum limit check in the register_method() function that prevents registering methods beyond the static vector capacity, or modify the get_registered_methods() API to handle and report truncation or failure instead of silently risking overflow. Ensure the registration enforcement or API change prevents the vector from exceeding its capacity.src/rpc/rpc_client.cpp (1)
94-108:⚠️ Potential issue | 🟠 Major | ⚡ Quick winDrain shutdown callbacks without a bounded staging vector.
shutdown_cbsis fixed-capacity in static mode, butpending_calls_has no matching cap. A shutdown with more pending callbacks than the vector capacity can assert or skip cleanup beforetransport_->stop(). Move one pending call out under the mutex, release the mutex, invoke it, and repeat.Proposed refactor
- platform::Vector<std::pair<RpcCallback, RpcResponse>> shutdown_cbs; - { - platform::ScopedLock const lock(pending_calls_mutex_); - for (auto& pair : pending_calls_) { - if (pair.second.callback) { - shutdown_cbs.emplace_back( - pair.second.callback, - RpcResponse(pair.second.service_id, pair.second.method_id, - client_id_, pair.second.session_id, RpcResult::INTERNAL_ERROR)); - } - } - pending_calls_.clear(); - } - for (auto& [cb, resp] : shutdown_cbs) { - cb(resp); - } + for (;;) { + RpcCallback cb; + RpcResponse resp({}, {}, {}, {}, RpcResult::INTERNAL_ERROR); + { + platform::ScopedLock const lock(pending_calls_mutex_); + if (pending_calls_.empty()) { + break; + } + auto it = pending_calls_.begin(); + if (it->second.callback) { + cb = it->second.callback; + resp = RpcResponse(it->second.service_id, it->second.method_id, + client_id_, it->second.session_id, + RpcResult::INTERNAL_ERROR); + } + pending_calls_.erase(it); + } + if (cb) { + cb(resp); + } + }🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@src/rpc/rpc_client.cpp` around lines 94 - 108, The shutdown_cbs vector has fixed capacity in static mode but pending_calls_ can have an unbounded number of elements, causing potential assertion or skipped cleanup. Refactor the shutdown sequence by removing the shutdown_cbs vector and instead use a loop that extracts one pending call from pending_calls_ under the mutex lock, releases the lock, invokes the callback for that single call, and repeats until pending_calls_ is empty. This ensures all pending callbacks are processed without exceeding vector capacity.src/e2e/e2e_profiles/standard_profile.cpp (1)
70-95:⚠️ Potential issue | 🟠 Major | ⚡ Quick winReturn an error when the CRC scratch buffer cannot be fully built.
In static mode,
platform::ByteBuffercapacity can be exhausted; both CRC paths append unchecked and then calculate over whatever was appended. Verify the finalcrc_data.size()matches16 + msg.get_payload().size()and return a buffer/allocation error instead of stamping or validating a CRC over truncated input.Also applies to: 153-179
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@src/e2e/e2e_profiles/standard_profile.cpp` around lines 70 - 95, The CRC scratch buffer building code performs multiple insert and push_back operations on crc_data without verifying that all data was successfully appended, which is problematic when the platform::ByteBuffer is in static mode with limited capacity. After all the insert operations (for message_id_be, length_be, request_id_be) and push_back calls (for the four header bytes) and the final payload insert, add a validation check that verifies crc_data.size() equals the expected size of 16 + msg.get_payload().size(). If the sizes do not match, return a buffer/allocation error instead of proceeding to the calculate_crc call. This check should be applied to both CRC code paths mentioned in the comment.src/serialization/serializer.cpp (1)
399-417:⚠️ Potential issue | 🟠 MajorUpdate deserialize_string() to return platform::String<> for static-mode compatibility.
The current implementation returns
std::stringinstead ofplatform::String<>, creating asymmetry withserialize_string()which acceptsconst platform::String<>&. In static mode, this allows heap allocation despite platform buffer migration.Change the public API from
DeserializationResult<std::string>toDeserializationResult<platform::String<>>, then update thedeserialize_array<std::string>specialization to match and adjust tests accordingly.🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@src/serialization/serializer.cpp` around lines 399 - 417, The deserialize_string() function returns DeserializationResult<std::string> which is inconsistent with serialize_string() that accepts platform::String<>&, and this asymmetry allows heap allocation in static mode. Change the return type of deserialize_string() from DeserializationResult<std::string> to DeserializationResult<platform::String<>>, update the implementation to construct and return a platform::String<> object instead of std::string, and also update the deserialize_array<std::string> specialization to match the new return type. Adjust all related tests to work with the updated return type.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.github/workflows/host.yml:
- Line 179: The build-static job contains five GitHub Actions references using
floating version tags (`@v4`) instead of pinned commit SHAs, which weakens
supply-chain security. Replace each floating version tag with its corresponding
immutable commit SHA for the actions/checkout reference at line 179 and the four
other unpinned uses references at lines 185, 193, 223, and 231. Look up the
latest commit SHA for each action version and update the uses field from the
format `@vX` to `@COMMIT_SHA` for all five affected lines to ensure workflow
integrity.
In `@docs/requirements/implementation/platform.rst`:
- Around line 994-995: The verification text in the `:verification:` section
overstates the scope by claiming all test cases (pool, container, intrusive-ptr,
concurrency) run under the malloc trap interception. Narrow the wording to
clarify that only the dedicated TC_NO_HEAP_VERIFY scenario runs under the malloc
trap interception and verifies zero heap allocations, rather than implying this
verification applies to all test cases generally.
In `@include/events/event_types.h`:
- Around line 124-129: The EventFilter struct has an uninitialized event_id
member variable that can cause nondeterministic behavior when a
default-constructed EventFilter is used before assignment. Add an in-class
initializer to the event_id member variable in the EventFilter struct to set it
to a defined default value such as zero, ensuring predictable behavior on
default construction.
In `@include/serialization/serializer.h`:
- Around line 313-315: The `deserialize_array` method lacks validation of the
length parameter against the vector's maximum capacity before the
deserialization loop. Add a capacity check immediately after the
`platform::Vector<T> result` declaration that validates whether the requested
`length` exceeds the vector's maximum capacity (obtainable via
`result.max_size()` or similar method depending on the underlying container). If
the length exceeds capacity, return an appropriate deserialization error result
instead of proceeding to the loop where push_back operations would fail. Apply
the same capacity validation fix to the `deserialize_dynamic_array` method which
internally calls `deserialize_array`.
In `@include/tp/tp_segmenter.h`:
- Around line 59-60: The segment_message(), create_multi_segments(), and
segment_data() methods perform push_back() operations on the segments vector
without first validating that it has sufficient capacity (default 32 elements),
which can lead to overflow when segmenting large messages that require many
segments. Calculate the required segment count upfront in each of these methods
based on the message or data size and segment size, then validate that
segments.capacity() is sufficient before any insertions occur. If capacity is
insufficient, define and return a new error code TpResult::CAPACITY_EXCEEDED to
indicate the failure, rather than allowing the vector to overflow.
In `@include/tp/tp_types.h`:
- Around line 96-97: The received_segments vector has a fixed capacity of 16,384
entries, but the current validation only checks message_length against
config.max_message_size which defaults to 1MB. Add an explicit validation check
before accepting a segment to ensure message_length does not exceed 16,384
bytes—either by adding a guard condition that returns false if message_length
exceeds 16,384, or by reducing max_message_size to 16,384 to match the tracking
buffer capacity. This prevents the dangerous behavior where
mark_segment_received() could either throw an exception or silently violate the
intended buffer constraints depending on the backend implementation.
In `@src/e2e/e2e_crc.cpp`:
- Around line 125-127: The temporary `platform::ByteBuffer slice` construction
may fail silently under memory pressure, causing CRC to be computed on
incomplete or wrong data. After constructing the slice with the range (first,
first + length), add an explicit post-construction size check to verify that the
slice's actual size matches the requested length parameter. If the size does not
match the expected length, handle the error appropriately (e.g., log and fail
fast) to prevent incorrect CRC computation.
In `@src/e2e/e2e_header.cpp`:
- Around line 64-65: The bounds check in the condition uses addition (offset +
header_size) which can overflow, potentially allowing unsafe memory reads.
Rearrange the comparison to avoid addition by checking if the remaining
available space (data.size() minus offset) is less than header_size instead.
This prevents integer overflow while maintaining the same logical bounds
validation before memcpy operations.
In `@src/e2e/e2e_profiles/standard_profile.cpp`:
- Around line 293-294: The counters_ and freshness_values_ maps are
fixed-capacity, but the current implementation uses operator[] to insert entries
for arbitrary config.data_id values without checking for capacity limits or
handling insertion failures. Replace the operator[] insertions at the three
locations (around lines 106, 122, and 202) with checked find/emplace operations
that first verify the entry exists or can be safely added, and return an
appropriate error status when a new data ID cannot be stored in a full map.
In `@src/events/event_subscriber.cpp`:
- Around line 195-196: The make_field_key function is called inconsistently
between the request storage at line 195 and the response lookup around line 350.
At line 195, callbacks are stored using the actual instance_id parameter, but at
line 350 the lookup uses a hardcoded 0 for instance_id instead of using the
actual instance_id value. To fix this, ensure that the make_field_key call at
line 350 (in the response path) uses the same instance_id value that was used
when storing the callback at line 195, so that requests with non-zero
instance_ids can correctly match their responses.
In `@src/sd/sd_message.cpp`:
- Around line 43-45: The SdEntry::serialize() method reserves buffer space but
does not validate whether the pool-backed allocation succeeded before derived
serializers write fixed offsets into it. Add validation after the reserve(16)
call to ensure the ByteBuffer is exactly 16 bytes; if allocation fails, return
an empty or error-state buffer. Additionally, update SdMessage::serialize() to
check the returned buffers from child SdEntry::serialize() calls are exactly 16
bytes before writing fixed offsets or using them. Apply this same validation
pattern to all three locations mentioned: the initial SdEntry::serialize()
method, and the other two instances at the corresponding lines in derived
serializers.
- Around line 447-448: The config_len value is controlled by wire data and must
be validated before use. Before calling assign() on config_string_, add a bounds
check to verify that config_len does not exceed the maximum capacity of
config_string_ (check the platform::String<> template to find its capacity
limit). If config_len exceeds the capacity, reject the malformed SD option
appropriately or truncate it safely. This prevents assertions, data corruption,
or parser state issues from untrusted wire-controlled values.
In `@src/sd/sd_server.cpp`:
- Around line 664-670: The code uses std::to_string() to convert client_port and
sender.get_port() to strings, which allocates heap memory and violates the
no-heap guarantee in request-handling paths. Replace the
std::to_string(client_port).c_str() and
std::to_string(sender.get_port()).c_str() calls with a stack-based
integer-to-string conversion mechanism that avoids dynamic memory allocation.
This fix should be applied to both the client_addr construction and the similar
code at lines 675-677 where sender.get_port() is converted.
In `@src/tp/tp_manager.cpp`:
- Around line 82-83: The segments vector declared at line 82 uses a default
capacity of 32 but can require up to 721 segments in worst-case scenarios with
1MB messages, causing buffer overflow in static mode. Before calling
segment_message() on the segments vector, add an explicit reserve() call with a
calculated capacity based on the maximum possible segments needed (computed as
max_message_size divided by max_segment_size minus TP overhead). Additionally,
add a runtime check on the TpResult return value from segment_message() to
detect and handle TpResult::RESOURCE_EXHAUSTED as a fallback error condition if
the segmentation exceeds available capacity.
In `@tests/test_static_alloc.cpp`:
- Around line 579-600: The test ProtocolOperationsUnderTrap arms a malloc trap
with malloc_trap_arm() on line 580 but uses ASSERT_NE statements which can cause
early test exit before malloc_trap_disarm() is called on line 599, leaving the
trap armed for subsequent tests. Wrap the malloc_trap_arm() and
malloc_trap_disarm() calls in a RAII-style scope guard or helper class that
guarantees malloc_trap_disarm() is called even if ASSERT_NE assertions fail,
ensuring proper cleanup in all code paths.
In `@zephyr/CMakeLists.txt`:
- Line 17: The zephyr_include_directories call on line 17 unconditionally
includes the dynamic backend path without respecting a static allocation
configuration option. Modify the CMakeLists.txt to make the include directory
conditional: add logic to check a CONFIG_SOMEIP_USE_STATIC_ALLOC Kconfig option
(similar to the host build's SOMEIP_USE_STATIC_ALLOC), and conditionally include
either the static backend path (${SOMEIP_INC}/platform/static) when enabled or
the dynamic backend path when disabled. Additionally, ensure the corresponding
CONFIG_SOMEIP_USE_STATIC_ALLOC Kconfig option is properly defined in the Zephyr
Kconfig file so users can control backend selection.
---
Outside diff comments:
In `@include/core/session_manager.h`:
- Around line 86-87: The create_session method unconditionally inserts into the
sessions_ map without verifying if the fixed-capacity map (256 slots) has
available space, causing silent insertion failures when full. Modify the
create_session method to check if sessions_.size() has reached its capacity
limit before attempting insertion via sessions_[session_id] = session;. When
capacity is exhausted, implement a rejection mechanism such as returning an
invalid session ID (e.g., 0), throwing an exception, or providing an error
return code to indicate failure, ensuring the caller knows the session creation
failed rather than receiving an invalid ID.
In `@src/e2e/e2e_profiles/standard_profile.cpp`:
- Around line 70-95: The CRC scratch buffer building code performs multiple
insert and push_back operations on crc_data without verifying that all data was
successfully appended, which is problematic when the platform::ByteBuffer is in
static mode with limited capacity. After all the insert operations (for
message_id_be, length_be, request_id_be) and push_back calls (for the four
header bytes) and the final payload insert, add a validation check that verifies
crc_data.size() equals the expected size of 16 + msg.get_payload().size(). If
the sizes do not match, return a buffer/allocation error instead of proceeding
to the calculate_crc call. This check should be applied to both CRC code paths
mentioned in the comment.
In `@src/events/event_subscriber.cpp`:
- Around line 168-175: The unsubscribe_eventgroup function does not properly
handle send failures and proceeds to erase the local subscription state even
when transport_->send_message returns a failure result. Check if the result from
transport_->send_message is SUCCESS before removing the subscription from
subscriptions_, and return false (or appropriate error handling) when the send
operation fails to prevent desynchronizing the client and server subscription
states.
- Around line 194-209: The field_requests_mutex_ is held across the
transport_->send_message() call, which is a blocking I/O operation. If
send_message() fails, the callback stored in field_requests_[key] remains
registered as stale state. Restructure the code to first create the message and
payload outside the lock, then acquire the lock only to insert the callback into
field_requests_. Release the mutex (end the ScopedLock scope) before calling
transport_->send_message(). If send_message() returns failure, re-acquire the
lock and remove the callback entry from field_requests_[key] using the same key
that was inserted, then return the failure result. This ensures the mutex is not
held during I/O and stale callbacks are cleaned up on send failure.
In `@src/platform/static/buffer_pool.cpp`:
- Around line 33-37: The kTierCount array elements defined by the macros
SOMEIP_BYTE_POOL_SMALL_COUNT, SOMEIP_BYTE_POOL_MEDIUM_COUNT, and
SOMEIP_BYTE_POOL_LARGE_COUNT are size_t values that get narrowed to uint16_t for
use as index and stack_top variables. Add compile-time static_assert checks
immediately after the kTierCount array definition to ensure each tier count does
not exceed UINT16_MAX (65535), preventing silent truncation and pool corruption.
Apply the same bounds checks to the other related location mentioned at lines
80-85.
In `@src/rpc/rpc_client.cpp`:
- Around line 94-108: The shutdown_cbs vector has fixed capacity in static mode
but pending_calls_ can have an unbounded number of elements, causing potential
assertion or skipped cleanup. Refactor the shutdown sequence by removing the
shutdown_cbs vector and instead use a loop that extracts one pending call from
pending_calls_ under the mutex lock, releases the lock, invokes the callback for
that single call, and repeats until pending_calls_ is empty. This ensures all
pending callbacks are processed without exceeding vector capacity.
In `@src/rpc/rpc_server.cpp`:
- Around line 111-118: The get_registered_methods() function materializes all
keys from method_handlers_ into a platform::Vector without bounds checking,
risking overflow when the number of registered methods exceeds the vector's
static capacity. Either add a configured maximum limit check in the
register_method() function that prevents registering methods beyond the static
vector capacity, or modify the get_registered_methods() API to handle and report
truncation or failure instead of silently risking overflow. Ensure the
registration enforcement or API change prevents the vector from exceeding its
capacity.
In `@src/sd/sd_server.cpp`:
- Around line 758-769: The unicast_session_ids_ member variable is currently
declared as std::unordered_map<std::string, SdSessionIdCounter>, which causes
unnecessary heap memory allocation when the next_unicast_session_id method
constructs a temporary std::string from the platform::String<> peer argument on
line 768. Change the type of unicast_session_ids_ to use
platform::UnorderedMap<platform::String<>, SdSessionIdCounter> instead, which is
already used elsewhere in the codebase and supports platform::String<> as keys.
Then simplify the implementation of next_unicast_session_id to directly access
the map using the peer argument as the key without constructing a temporary
std::string.
In `@src/serialization/serializer.cpp`:
- Around line 399-417: The deserialize_string() function returns
DeserializationResult<std::string> which is inconsistent with serialize_string()
that accepts platform::String<>&, and this asymmetry allows heap allocation in
static mode. Change the return type of deserialize_string() from
DeserializationResult<std::string> to DeserializationResult<platform::String<>>,
update the implementation to construct and return a platform::String<> object
instead of std::string, and also update the deserialize_array<std::string>
specialization to match the new return type. Adjust all related tests to work
with the updated return type.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: ASSERTIVE
Plan: Pro
Run ID: 89aeb715-9564-43a0-86f6-a8ce17ff696a
📒 Files selected for processing (70)
.github/workflows/host.yml.github/workflows/preset-validation.ymlCMakePresets.jsondocs/requirements/implementation/platform.rstinclude/core/session_manager.hinclude/e2e/e2e_config.hinclude/e2e/e2e_crc.hinclude/e2e/e2e_header.hinclude/e2e/e2e_profile.hinclude/e2e/e2e_profile_registry.hinclude/events/event_publisher.hinclude/events/event_subscriber.hinclude/events/event_types.hinclude/platform/buffer_pool.hinclude/platform/containers.hinclude/platform/dynamic/message_ptr_impl.hinclude/platform/message_ptr.hinclude/platform/static/buffer_pool_impl.hinclude/platform/static/malloc_trap.hinclude/platform/static/message_ptr_impl.hinclude/rpc/rpc_client.hinclude/rpc/rpc_server.hinclude/rpc/rpc_types.hinclude/sd/sd_client.hinclude/sd/sd_message.hinclude/sd/sd_server.hinclude/sd/sd_types.hinclude/serialization/serializer.hinclude/someip/message.hinclude/someip/types.hinclude/tp/tp_manager.hinclude/tp/tp_reassembler.hinclude/tp/tp_segmenter.hinclude/tp/tp_types.hinclude/transport/endpoint.hinclude/transport/tcp_transport.hinclude/transport/udp_transport.hsrc/e2e/e2e_crc.cppsrc/e2e/e2e_header.cppsrc/e2e/e2e_profile_registry.cppsrc/e2e/e2e_profiles/standard_profile.cppsrc/events/event_publisher.cppsrc/events/event_subscriber.cppsrc/platform/static/buffer_pool.cppsrc/platform/static/malloc_trap.cppsrc/rpc/rpc_client.cppsrc/rpc/rpc_server.cppsrc/sd/sd_client.cppsrc/sd/sd_message.cppsrc/sd/sd_server.cppsrc/serialization/serializer.cppsrc/someip/message.cppsrc/tp/tp_manager.cppsrc/tp/tp_reassembler.cppsrc/tp/tp_segmenter.cppsrc/transport/endpoint.cppsrc/transport/tcp_transport.cppsrc/transport/udp_transport.cpptests/CMakeLists.txttests/test_e2e.cpptests/test_events.cpptests/test_message.cpptests/test_rpc.cpptests/test_sd.cpptests/test_serialization.cpptests/test_static_alloc.cpptests/test_tcp_transport.cpptests/test_tp.cpptests/test_udp_transport.cppzephyr/CMakeLists.txt
💤 Files with no reviewable changes (1)
- include/someip/types.h
| runs-on: ubuntu-latest | ||
|
|
||
| steps: | ||
| - uses: actions/checkout@v4 |
Contributor
There was a problem hiding this comment.
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
# Verify unpinned uses in this workflow.
# Expected: lines for new build-static steps appear in output.
rg -nP '^\s*-\s*uses:\s*[^@]+@(?![0-9a-fA-F]{40}\b)' .github/workflows/host.ymlRepository: vtz/opensomeip
Length of output: 247
🏁 Script executed:
cat -n .github/workflows/host.yml | sed -n '170,240p'Repository: vtz/opensomeip
Length of output: 2762
Pin newly added GitHub Actions to immutable SHAs.
The new build-static job (lines 174–236) introduces five unpinned uses: references using floating version tags (@v4), which weakens workflow supply-chain integrity. Replace each with a pinned commit SHA.
Affected lines: 179, 185, 193, 223, 231
🧰 Tools
🪛 zizmor (1.25.2)
[warning] 179-179: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false
(artipacked)
[error] 179-179: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)
(unpinned-uses)
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In @.github/workflows/host.yml at line 179, The build-static job contains five
GitHub Actions references using floating version tags (`@v4`) instead of pinned
commit SHAs, which weakens supply-chain security. Replace each floating version
tag with its corresponding immutable commit SHA for the actions/checkout
reference at line 179 and the four other unpinned uses references at lines 185,
193, 223, and 231. Look up the latest commit SHA for each action version and
update the uses field from the format `@vX` to `@COMMIT_SHA` for all five affected
lines to ensure workflow integrity.
Source: Linters/SAST tools
Comment on lines
+994
to
+995
| :verification: Unit test: ``test_static_alloc.cpp`` — TC_NO_HEAP_VERIFY. The ``test_static_alloc`` binary links ``$<TARGET_OBJECTS:someip_malloc_trap>`` which overrides ``malloc``, ``free``, ``operator new``, and ``operator delete`` with traps. All test cases (pool, container, intrusive-ptr, concurrency) run under this interception; any heap call triggers ``abort()``, so a passing test run verifies zero heap allocations. | ||
|
|
Contributor
There was a problem hiding this comment.
Avoid overstating no-heap verification scope in requirement text.
This verification text currently claims all test cases run under interception, but the referenced coverage is a dedicated TC_NO_HEAP_VERIFY scenario. Please narrow wording to the actual verified scope.
📝 Suggested wording adjustment
- :verification: Unit test: ``test_static_alloc.cpp`` — TC_NO_HEAP_VERIFY. The ``test_static_alloc`` binary links ``$<TARGET_OBJECTS:someip_malloc_trap>`` which overrides ``malloc``, ``free``, ``operator new``, and ``operator delete`` with traps. All test cases (pool, container, intrusive-ptr, concurrency) run under this interception; any heap call triggers ``abort()``, so a passing test run verifies zero heap allocations.
+ :verification: Unit test: ``test_static_alloc.cpp`` — TC_NO_HEAP_VERIFY. The ``test_static_alloc`` binary links ``$<TARGET_OBJECTS:someip_malloc_trap>`` which overrides ``malloc``, ``free``, ``operator new``, and ``operator delete`` with traps. The test arms interception around representative protocol operations; any heap call triggers ``abort()``, proving no-heap behavior for that exercised path.📝 Committable suggestion
‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.
Suggested change
| :verification: Unit test: ``test_static_alloc.cpp`` — TC_NO_HEAP_VERIFY. The ``test_static_alloc`` binary links ``$<TARGET_OBJECTS:someip_malloc_trap>`` which overrides ``malloc``, ``free``, ``operator new``, and ``operator delete`` with traps. All test cases (pool, container, intrusive-ptr, concurrency) run under this interception; any heap call triggers ``abort()``, so a passing test run verifies zero heap allocations. | |
| :verification: Unit test: ``test_static_alloc.cpp`` — TC_NO_HEAP_VERIFY. The ``test_static_alloc`` binary links ``$<TARGET_OBJECTS:someip_malloc_trap>`` which overrides ``malloc``, ``free``, ``operator new``, and ``operator delete`` with traps. The test arms interception around representative protocol operations; any heap call triggers ``abort()``, proving no-heap behavior for that exercised path. |
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In `@docs/requirements/implementation/platform.rst` around lines 994 - 995, The
verification text in the `:verification:` section overstates the scope by
claiming all test cases (pool, container, intrusive-ptr, concurrency) run under
the malloc trap interception. Narrow the wording to clarify that only the
dedicated TC_NO_HEAP_VERIFY scenario runs under the malloc trap interception and
verifies zero heap allocations, rather than implying this verification applies
to all test cases generally.
Comment on lines
124
to
129
| struct EventFilter { | ||
| uint16_t event_id; | ||
| std::vector<uint8_t> filter_data; | ||
| platform::ByteBuffer filter_data; | ||
| bool operator==(const EventFilter& other) const { | ||
| return event_id == other.event_id && filter_data == other.filter_data; | ||
| } |
Contributor
There was a problem hiding this comment.
Initialize EventFilter::event_id to a defined value.
event_id is left uninitialized on default construction, which can produce nondeterministic filter behavior when a default-constructed filter is used before explicit assignment.
🛠️ Proposed fix
struct EventFilter {
- uint16_t event_id;
+ uint16_t event_id{0};
platform::ByteBuffer filter_data;
bool operator==(const EventFilter& other) const {
return event_id == other.event_id && filter_data == other.filter_data;
}📝 Committable suggestion
‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.
Suggested change
| struct EventFilter { | |
| uint16_t event_id; | |
| std::vector<uint8_t> filter_data; | |
| platform::ByteBuffer filter_data; | |
| bool operator==(const EventFilter& other) const { | |
| return event_id == other.event_id && filter_data == other.filter_data; | |
| } | |
| struct EventFilter { | |
| uint16_t event_id{0}; | |
| platform::ByteBuffer filter_data; | |
| bool operator==(const EventFilter& other) const { | |
| return event_id == other.event_id && filter_data == other.filter_data; | |
| } |
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In `@include/events/event_types.h` around lines 124 - 129, The EventFilter struct
has an uninitialized event_id member variable that can cause nondeterministic
behavior when a default-constructed EventFilter is used before assignment. Add
an in-class initializer to the event_id member variable in the EventFilter
struct to set it to a defined default value such as zero, ensuring predictable
behavior on default construction.
Comment on lines
+313
to
315
| DeserializationResult<platform::Vector<T>> Deserializer::deserialize_array(size_t length) { | ||
| platform::Vector<T> result; | ||
|
|
Contributor
There was a problem hiding this comment.
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
set -euo pipefail
echo "== platform::Vector alias definitions =="
fd containers_impl.h include/platform -x sh -c 'echo "--- $1"; rg -n "using Vector" "$1"' sh {}
echo
echo "== deserialize_array / deserialize_dynamic_array bounds handling =="
rg -n -C4 'deserialize_array|deserialize_dynamic_array|max_size|push_back' include/serialization/serializer.hRepository: vtz/opensomeip
Length of output: 2146
Add a pre-loop capacity check in deserialize_array to prevent overflow in static mode.
platform::Vector is aliased to etl::vector<T, N> in static mode (bounded) and std::vector<T> in dynamic mode (unbounded). The deserialize_array method creates a platform::Vector<T> result and unconditionally loops through length iterations, pushing elements without validating that length does not exceed the vector's maximum capacity. In static mode, this causes push_back to assert or throw on malformed or oversized payload lengths instead of returning a protocol error.
Suggested fix
template<typename T>
DeserializationResult<platform::Vector<T>> Deserializer::deserialize_array(size_t length) {
platform::Vector<T> result;
+ if (length > result.max_size()) {
+ return DeserializationResult<platform::Vector<T>>::error(Result::MALFORMED_MESSAGE);
+ }
for (size_t i = 0; i < length; ++i) {
DeserializationResult<T> element_result;Also applies to deserialize_dynamic_array (lines 359–377), which calls deserialize_array and thus inherits the same vulnerability.
📝 Committable suggestion
‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.
Suggested change
| DeserializationResult<platform::Vector<T>> Deserializer::deserialize_array(size_t length) { | |
| platform::Vector<T> result; | |
| DeserializationResult<platform::Vector<T>> Deserializer::deserialize_array(size_t length) { | |
| platform::Vector<T> result; | |
| if (length > result.max_size()) { | |
| return DeserializationResult<platform::Vector<T>>::error(Result::MALFORMED_MESSAGE); | |
| } | |
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In `@include/serialization/serializer.h` around lines 313 - 315, The
`deserialize_array` method lacks validation of the length parameter against the
vector's maximum capacity before the deserialization loop. Add a capacity check
immediately after the `platform::Vector<T> result` declaration that validates
whether the requested `length` exceeds the vector's maximum capacity (obtainable
via `result.max_size()` or similar method depending on the underlying
container). If the length exceeds capacity, return an appropriate
deserialization error result instead of proceeding to the loop where push_back
operations would fail. Apply the same capacity validation fix to the
`deserialize_dynamic_array` method which internally calls `deserialize_array`.
Comment on lines
+59
to
60
| TpResult segment_message(const Message& message, platform::Vector<TpSegment>& segments); | ||
|
|
Contributor
There was a problem hiding this comment.
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
set -euo pipefail
rg -n -C4 'TpResult\\s+TpSegmenter::segment_data|create_multi_segments|segments\\.(push_back|emplace_back)|max_size\\(|full\\(' src/tp/tp_segmenter.cppRepository: vtz/opensomeip
Length of output: 339
🏁 Script executed:
cat -n include/tp/tp_segmenter.h | head -100Repository: vtz/opensomeip
Length of output: 3506
🏁 Script executed:
rg -n 'segment_message|push_back|emplace_back|full|max_size' src/tp/tp_segmenter.cpp -A 2 -B 2Repository: vtz/opensomeip
Length of output: 1566
🏁 Script executed:
sed -n '45,80p' src/tp/tp_segmenter.cppRepository: vtz/opensomeip
Length of output: 1706
🏁 Script executed:
sed -n '125,145p' src/tp/tp_segmenter.cppRepository: vtz/opensomeip
Length of output: 1014
🏁 Script executed:
sed -n '160,190p' src/tp/tp_segmenter.cppRepository: vtz/opensomeip
Length of output: 1708
🏁 Script executed:
rg -n 'class Vector|max_size|capacity|full' platform/containers.h -A 5Repository: vtz/opensomeip
Length of output: 120
🏁 Script executed:
find . -name "*.h" -type f | xargs grep -l "class Vector\|template.*Vector" | head -10Repository: vtz/opensomeip
Length of output: 40
🏁 Script executed:
rg -n "namespace platform|class Vector|struct Vector" --type h | head -20Repository: vtz/opensomeip
Length of output: 1289
🏁 Script executed:
rg -n "`#include`.*containers" include/Repository: vtz/opensomeip
Length of output: 1370
🏁 Script executed:
rg -n "platform::Vector|Vector<" include/ -A 2 -B 2Repository: vtz/opensomeip
Length of output: 11358
🏁 Script executed:
find include/platform -name "*.h" -exec grep -l "Vector" {} \;Repository: vtz/opensomeip
Length of output: 173
🏁 Script executed:
cat include/platform/containers.hRepository: vtz/opensomeip
Length of output: 1054
🏁 Script executed:
cat include/platform/static/containers_impl.hRepository: vtz/opensomeip
Length of output: 1416
🏁 Script executed:
cat include/platform/static_config.hRepository: vtz/opensomeip
Length of output: 123
🏁 Script executed:
rg -n "SOMEIP_DEFAULT_VECTOR_CAPACITY|max_message_size|max_segment_size" include/ src/ -A 2Repository: vtz/opensomeip
Length of output: 4205
🏁 Script executed:
rg -n "segments\\.size\(\)|segments\\.capacity\(\)|segments\\.max_size\(\)|if.*segments" src/tp/tp_segmenter.cppRepository: vtz/opensomeip
Length of output: 156
🏁 Script executed:
sed -n '100,200p' src/tp/tp_segmenter.cpp | grep -n "while\|for\|push_back"Repository: vtz/opensomeip
Length of output: 813
🏁 Script executed:
rg -n "while.*payload_offset|for.*segment" src/tp/tp_segmenter.cpp -A 30 | head -50Repository: vtz/opensomeip
Length of output: 2729
🏁 Script executed:
cat -n include/platform/static/static_config.h | grep -A5 -B5 "VECTOR_CAPACITY"Repository: vtz/opensomeip
Length of output: 406
Add segment count validation before vector insertion to prevent overflow on bounded capacity.
The default platform::Vector<TpSegment> capacity is 32 elements, but segmentation can produce far more segments. With a 1MB message and 1,392-byte segments, approximately 718 segments would be needed. The implementation calls segments.push_back() at lines 72, 135, and 185 without verifying that the vector has sufficient capacity.
Add a check in segment_message() and create_multi_segments() to calculate the required segment count upfront and return an error code (e.g., TpResult::CAPACITY_EXCEEDED) if segments.capacity() is insufficient before attempting any insertions.
Also applies to: segment_data() (line 68), create_multi_segments() (lines 81-83)
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In `@include/tp/tp_segmenter.h` around lines 59 - 60, The segment_message(),
create_multi_segments(), and segment_data() methods perform push_back()
operations on the segments vector without first validating that it has
sufficient capacity (default 32 elements), which can lead to overflow when
segmenting large messages that require many segments. Calculate the required
segment count upfront in each of these methods based on the message or data size
and segment size, then validate that segments.capacity() is sufficient before
any insertions occur. If capacity is insufficient, define and return a new error
code TpResult::CAPACITY_EXCEEDED to indicate the failure, rather than allowing
the vector to overflow.
Comment on lines
+447
to
+448
| const auto* str_start = reinterpret_cast<const char*>(data.data() + offset); | ||
| config_string_.assign(str_start, str_start + static_cast<std::ptrdiff_t>(config_len)); |
Contributor
There was a problem hiding this comment.
Reject oversized configuration strings before assigning.
config_len is wire-controlled, while platform::String<> is bounded in static mode. Check capacity before assign() so a malformed SD option cannot assert, truncate, or corrupt parser state.
Proposed fix
const uint16_t config_len = length_ - 1;
+
+ if (config_len > config_string_.max_size()) {
+ return false;
+ }
if (offset + config_len > data.size()) {
return false;
}
// Extract configuration string
const auto* str_start = reinterpret_cast<const char*>(data.data() + offset);
- config_string_.assign(str_start, str_start + static_cast<std::ptrdiff_t>(config_len));
+ config_string_.assign(str_start, str_start + config_len);
offset += config_len;🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In `@src/sd/sd_message.cpp` around lines 447 - 448, The config_len value is
controlled by wire data and must be validated before use. Before calling
assign() on config_string_, add a bounds check to verify that config_len does
not exceed the maximum capacity of config_string_ (check the platform::String<>
template to find its capacity limit). If config_len exceeds the capacity, reject
the malformed SD option appropriately or truncate it safely. This prevents
assertions, data corruption, or parser state issues from untrusted
wire-controlled values.
Comment on lines
+664
to
670
| platform::String<> client_addr(client_ip); | ||
| client_addr.append(":"); | ||
| client_addr.append(std::to_string(client_port).c_str()); // NOLINT(readability-redundant-string-cstr) ETL compat | ||
| handle_eventgroup_subscription( | ||
| service_id, instance_id, eventgroup_id, | ||
| client_ip + ":" + std::to_string(client_port), | ||
| true, ttl | ||
| client_addr, true, ttl | ||
| ); |
Contributor
There was a problem hiding this comment.
std::to_string() allocates heap memory, violating no-heap guarantee.
The calls to std::to_string(client_port) and std::to_string(sender.get_port()) create temporary std::string objects that heap-allocate. These are in runtime request-handling paths and will trigger the malloc trap when armed in static allocation mode.
Consider using a stack-based integer-to-string converter to avoid heap allocation:
Proposed fix
+ // Helper to convert port number to string without heap allocation
+ static platform::String<6> port_to_string(uint16_t port) {
+ platform::String<6> result;
+ char buf[6];
+ int len = 0;
+ uint16_t val = port;
+ do {
+ buf[len++] = static_cast<char>('0' + (val % 10));
+ val /= 10;
+ } while (val > 0);
+ for (int i = len - 1; i >= 0; --i) {
+ result.push_back(buf[i]);
+ }
+ return result;
+ }
+
// In handle_eventgroup_subscription_request:
platform::String<> client_addr(client_ip);
client_addr.append(":");
- client_addr.append(std::to_string(client_port).c_str()); // NOLINT(readability-redundant-string-cstr) ETL compat
+ client_addr.append(port_to_string(client_port).c_str());
// In handle_stop_subscribe:
platform::String<> client_addr(sender.get_address());
client_addr.append(":");
- client_addr.append(std::to_string(sender.get_port()).c_str()); // NOLINT(readability-redundant-string-cstr) ETL compat
+ client_addr.append(port_to_string(sender.get_port()).c_str());Also applies to: 675-677
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In `@src/sd/sd_server.cpp` around lines 664 - 670, The code uses std::to_string()
to convert client_port and sender.get_port() to strings, which allocates heap
memory and violates the no-heap guarantee in request-handling paths. Replace the
std::to_string(client_port).c_str() and
std::to_string(sender.get_port()).c_str() calls with a stack-based
integer-to-string conversion mechanism that avoids dynamic memory allocation.
This fix should be applied to both the client_addr construction and the similar
code at lines 675-677 where sender.get_port() is converted.
Comment on lines
+82
to
83
| platform::Vector<TpSegment> segments; | ||
| TpResult const result = segmenter_->segment_message(message, segments); |
Contributor
There was a problem hiding this comment.
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
set -euo pipefail
echo "Static vector capacity defaults:"
rg -n -C3 'SOMEIP_DEFAULT_VECTOR_CAPACITY|template <.*Vector|using Vector' include/platform/static/static_config.h include/platform/static/containers_impl.h include/platform/dynamic/containers_impl.h include/platform/containers.h
echo
echo "TP bounds potentially driving vector growth:"
rg -n -C3 'max_concurrent_transfers|max_message_size|max_segment_size|segment_message\(' include/tp src/tp
echo
echo "Affected tp_manager call sites:"
rg -n -C4 'Vector<TpSegment>|timed_out|emplace_back|handle_received_segment|acknowledge_segments' src/tp/tp_manager.cppRepository: vtz/opensomeip
Length of output: 13093
🏁 Script executed:
# Check TpSegment structure definition and size
rg -n 'struct TpSegment|class TpSegment' -A15 include/tp src/tp
echo "---"
echo "Check segmentation loop logic in tp_segmenter:"
rg -n 'segments.emplace_back|segments.push_back|while.*payload_offset' -B2 -A2 src/tp/tp_segmenter.cpp
echo "---"
echo "Verify worst-case segment count calculation:"
python3 << 'PY'
max_message = 1_000_000
max_segment = 1_392
# Based on the code, overhead is 4 bytes for TP header per segment
# (from lines 155-156: segment_capacity = max_segment_size - 4)
tp_overhead = 4
effective_payload_per_segment = max_segment - tp_overhead
segments_needed = (max_message + effective_payload_per_segment - 1) // effective_payload_per_segment
print(f"Max message size: {max_message} bytes")
print(f"Max segment size: {max_segment} bytes")
print(f"TP header overhead: {tp_overhead} bytes")
print(f"Effective payload per segment: {effective_payload_per_segment} bytes")
print(f"Worst-case segments needed: {segments_needed}")
print(f"Default vector capacity: 32")
print(f"Overflow: {segments_needed - 32} segments exceed capacity")
PYRepository: vtz/opensomeip
Length of output: 4474
Fix static backend vector overflow: segments vector defaults to 32 capacity but requires up to 721 segments.
In static mode (SOMEIP_DEFAULT_VECTOR_CAPACITY = 32), the segments vector at line 82 cannot accommodate worst-case segmentation. For a 1MB message segmented at 1,392 bytes per segment with ~4-byte overhead, approximately 721 segments are generated. This exceeds the default capacity of 32 and will cause buffer overflow.
The timed_out vector at line 210 is safe (bounded by max_concurrent_transfers = 10).
Add explicit pre-allocation:
segments.reserve(max_segments_needed)beforesegment_message(), or- Compute required capacity as
max_message_size / (max_segment_size - TP_overhead)and pass to Vector template parameter - Add runtime checks with
TpResult::RESOURCE_EXHAUSTEDfallback
🧰 Tools
🪛 Cppcheck (2.21.0)
[style] 82-82: The function 'set_request_id' is never used.
(unusedFunction)
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In `@src/tp/tp_manager.cpp` around lines 82 - 83, The segments vector declared at
line 82 uses a default capacity of 32 but can require up to 721 segments in
worst-case scenarios with 1MB messages, causing buffer overflow in static mode.
Before calling segment_message() on the segments vector, add an explicit
reserve() call with a calculated capacity based on the maximum possible segments
needed (computed as max_message_size divided by max_segment_size minus TP
overhead). Additionally, add a runtime check on the TpResult return value from
segment_message() to detect and handle TpResult::RESOURCE_EXHAUSTED as a
fallback error condition if the segmentation exceeds available capacity.
Comment on lines
+579
to
+600
| TEST(NoHeapTest, ProtocolOperationsUnderTrap) { | ||
| malloc_trap_arm(); | ||
|
|
||
| auto msg = allocate_message(); | ||
| ASSERT_NE(msg, nullptr); | ||
| msg->set_service_id(0xABCD); | ||
| EXPECT_EQ(msg->get_service_id(), 0xABCD); | ||
|
|
||
| { | ||
| auto copy = msg; | ||
| EXPECT_EQ(copy->get_service_id(), 0xABCD); | ||
| } | ||
|
|
||
| msg.reset(); | ||
|
|
||
| BufferSlot* slot = acquire_buffer(64); | ||
| ASSERT_NE(slot, nullptr); | ||
| slot->data[0] = 0x42; | ||
| release_buffer(slot); | ||
|
|
||
| malloc_trap_disarm(); | ||
| } |
Contributor
There was a problem hiding this comment.
Ensure malloc trap is always disarmed on assertion failure paths.
Line 580 arms a global trap, but Lines 583/595 use ASSERT_NE; if either assertion fails, the test exits before Line 599 and leaves the trap armed for later tests.
💡 Proposed fix
TEST(NoHeapTest, ProtocolOperationsUnderTrap) {
- malloc_trap_arm();
+ struct TrapGuard {
+ TrapGuard() { malloc_trap_arm(); }
+ ~TrapGuard() { malloc_trap_disarm(); }
+ } trap_guard;
auto msg = allocate_message();
ASSERT_NE(msg, nullptr);
@@
BufferSlot* slot = acquire_buffer(64);
ASSERT_NE(slot, nullptr);
slot->data[0] = 0x42;
release_buffer(slot);
-
- malloc_trap_disarm();
}🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In `@tests/test_static_alloc.cpp` around lines 579 - 600, The test
ProtocolOperationsUnderTrap arms a malloc trap with malloc_trap_arm() on line
580 but uses ASSERT_NE statements which can cause early test exit before
malloc_trap_disarm() is called on line 599, leaving the trap armed for
subsequent tests. Wrap the malloc_trap_arm() and malloc_trap_disarm() calls in a
RAII-style scope guard or helper class that guarantees malloc_trap_disarm() is
called even if ASSERT_NE assertions fail, ensuring proper cleanup in all code
paths.
| set(SOMEIP_SRC ${SOMEIP_ROOT}/src) | ||
|
|
||
| zephyr_include_directories(${SOMEIP_INC}) | ||
| zephyr_include_directories(${SOMEIP_INC}/platform/dynamic) |
Contributor
There was a problem hiding this comment.
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
set -euo pipefail
echo "=== zephyr/CMakeLists.txt include-path setup ==="
nl -ba zephyr/CMakeLists.txt | sed -n '1,130p'
echo
echo "=== Static-alloc option wiring across build files ==="
rg -n -C2 "SOMEIP_USE_STATIC_ALLOC|USE_STATIC_ALLOC" \
CMakeLists.txt src/CMakeLists.txt zephyr/CMakeLists.txt CMakePresets.json .github/workflows/host.yml .github/workflows/preset-validation.yml
echo
echo "=== Dispatch headers that rely on include-path selection ==="
rg -n -C2 "containers_impl.h|message_ptr_impl.h|buffer_pool_impl.h" \
include/platform/containers.h include/platform/message_ptr.h include/platform/buffer_pool.hRepository: vtz/opensomeip
Length of output: 168
🏁 Script executed:
#!/bin/bash
set -euo pipefail
echo "=== zephyr/CMakeLists.txt include-path setup (lines 1-50) ==="
cat -n zephyr/CMakeLists.txt | head -50
echo
echo "=== Static-alloc option wiring across build files ==="
rg -n "SOMEIP_USE_STATIC_ALLOC|USE_STATIC_ALLOC" \
CMakeLists.txt src/CMakeLists.txt zephyr/CMakeLists.txt CMakePresets.json .github/workflows/ -t yml || echo "No matches found"
echo
echo "=== Check for dispatch headers ==="
rg -n "containers_impl.h|message_ptr_impl.h|buffer_pool_impl.h" \
include/platform/ || echo "No matches found"
echo
echo "=== Full zephyr/CMakeLists.txt for context ==="
cat zephyr/CMakeLists.txtRepository: vtz/opensomeip
Length of output: 5591
🏁 Script executed:
#!/bin/bash
set -euo pipefail
echo "=== Check what's in platform directories ==="
find include/platform -type f | head -20
echo
echo "=== Check src/platform structure ==="
find src/platform -type d 2>/dev/null | head -20
echo
echo "=== Search for 'static' in CMake files ==="
rg -i "static.*alloc|alloc.*static" CMakeLists.txt src/CMakeLists.txt zephyr/CMakeLists.txt 2>/dev/null || echo "No static alloc matches"
echo
echo "=== Check for _impl.h files ==="
find . -name "*_impl.h" 2>/dev/null | grep -v ".git"
echo
echo "=== Check containers.h to see how impl is selected ==="
head -30 include/platform/containers.hRepository: vtz/opensomeip
Length of output: 5002
🏁 Script executed:
#!/bin/bash
set -euo pipefail
echo "=== How host build handles SOMEIP_USE_STATIC_ALLOC ==="
sed -n '1,200p' src/CMakeLists.txt | grep -A5 -B5 "SOMEIP_USE_STATIC_ALLOC"
echo
echo "=== Top-level CMakeLists.txt option definition ==="
rg -A2 "option.*SOMEIP_USE_STATIC_ALLOC" CMakeLists.txt
echo
echo "=== Check what Zephyr config options exist ==="
find . -name "Kconfig*" -o -name "*kconfig*" 2>/dev/null | head -10
echo
echo "=== Check if zephyr/CMakeLists.txt handles static alloc ==="
rg -n "STATIC_ALLOC|static.*alloc" zephyr/CMakeLists.txt || echo "No matches"Repository: vtz/opensomeip
Length of output: 1821
🏁 Script executed:
#!/bin/bash
set -euo pipefail
echo "=== zephyr/Kconfig content ==="
cat zephyr/Kconfig
echo
echo "=== Check if CONFIG_SOMEIP_USE_STATIC_ALLOC or similar exists ==="
rg -r "STATIC.*ALLOC|static.*alloc" zephyr/ 2>/dev/null || echo "No matches"
echo
echo "=== Verify order of zephyr_include_directories in zephyr/CMakeLists.txt ==="
grep -n "zephyr_include_directories" zephyr/CMakeLists.txtRepository: vtz/opensomeip
Length of output: 12698
Add Kconfig option to support static allocation in Zephyr builds.
Line 17 unconditionally adds ${SOMEIP_INC}/platform/dynamic without checking for a static allocation configuration. The host build supports SOMEIP_USE_STATIC_ALLOC to select between static (no heap) and dynamic backends, but Zephyr lacks the corresponding CONFIG_SOMEIP_USE_STATIC_ALLOC Kconfig option. This prevents Zephyr users from enabling static allocation even if desired. The unconditional inclusion of the dynamic backend would shadow any static implementations if the configuration existed.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In `@zephyr/CMakeLists.txt` at line 17, The zephyr_include_directories call on
line 17 unconditionally includes the dynamic backend path without respecting a
static allocation configuration option. Modify the CMakeLists.txt to make the
include directory conditional: add logic to check a
CONFIG_SOMEIP_USE_STATIC_ALLOC Kconfig option (similar to the host build's
SOMEIP_USE_STATIC_ALLOC), and conditionally include either the static backend
path (${SOMEIP_INC}/platform/static) when enabled or the dynamic backend path
when disabled. Additionally, ensure the corresponding
CONFIG_SOMEIP_USE_STATIC_ALLOC Kconfig option is properly defined in the Zephyr
Kconfig file so users can control backend selection.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Closes #174
Adds a complete no-heap static allocation backend for opensomeip, enabling deployment on safety-critical lockstep ECUs (Cortex-R class) where dynamic memory allocation violates ISO 26262 freedom-from-interference requirements.
This PR goes beyond the investigation scope of #174 and delivers a working implementation of the compile-time ETL-based static allocation strategy, addressing all three investigation phases:
SOMEIP_USE_STATIC_ALLOC) with include-path shadowing — same mechanism as the existing threading/networking PAL axesKey components:
SOMEIP_USE_STATIC_ALLOCCMake option selects betweendynamic/(STL) andstatic/(ETL + slab pools) backends via include-path shadowingByteBufferhandle class providing astd::vector<uint8_t>-compatible APIIntrusivePtr<Message>to avoidstd::shared_ptrcontrol-block heap allocationsref_count_inMessageplatform::Vector,String,UnorderedMap,Queue,Functionresolve to ETL fixed-capacity types under static allocDocumentation & safety:
REQ_ARCH_008,REQ_PAL_*,REQ_PLATFORM_STATIC_*)static_memory_budget.pyscript for computing BSS/data footprint fromstatic_config.hBuild verification:
StaticAllocTest)Follow-up PRs
The following items are scoped for subsequent PRs to keep this one reviewable:
std::vector<uint8_t>withplatform::ByteBufferinmessage.h,serializer.h,tp_types.hunique_ptr<Impl>in 6 public API classes@implements,@tests) + matrix regenerationTest plan
ctestpasses withSOMEIP_USE_STATIC_ALLOC=ON(16/16)ctestpasses with default dynamic config (15/15, zero regression)Summary by CodeRabbit
Release Notes
New Features
SOMEIP_USE_STATIC_ALLOC) enabling heap-free operation using compile-time configured memory pools.Documentation
Tests