fm: handle all CFE_TBL_GetAddress failure codes (not just NEVER_LOADED)#143
Open
nurdymuny wants to merge 7 commits into
Open
fm: handle all CFE_TBL_GetAddress failure codes (not just NEVER_LOADED)#143nurdymuny wants to merge 7 commits into
nurdymuny wants to merge 7 commits into
Conversation
Reset MISSION_REV to 0xFF and build number to 1.
Initiate post v7.0.1 development cycle
…use-updated-static-analysis-workflow Part cFS/workflows#129, Use Updated Static Analysis Workflow
…d() in FM_TableInit()
…fm-table-utils Fix nasa#139, Suppressed ignored return value warning for CFE_TBL_Load() in FM_TableInit()
Per `cfe_tbl.h`, `CFE_TBL_GetAddress` leaves the table pointer *undefined* on any non-success return. The documented return set is: - CFE_SUCCESS -- pointer set - CFE_TBL_INFO_UPDATED -- pointer set (info code) - CFE_TBL_ERR_NEVER_LOADED -- pointer undefined - CFE_TBL_ERR_INVALID_HANDLE -- pointer undefined - CFE_TBL_ERR_NO_ACCESS -- pointer undefined - CFE_ES_ERR_RESOURCEID_NOT_VALID -- pointer undefined - CFE_TBL_BAD_ARGUMENT -- pointer undefined Three call sites in FM check only `Status == CFE_TBL_ERR_NEVER_LOADED` and dereference `FM_AppData.MonitorTablePtr` in the `else` branch. On any of the other four failure codes (e.g. a table handle that became invalid after a registration churn, or an access-denied caused by an ownership change) the dereference reads an undefined pointer. - fm_cmds.c FM_MonitorFilesystemSpaceCmd ( line ~865 ) - fm_cmds.c FM_SetTableStateCmd ( line ~977 ) - fm_table_utils.c FM_AcquireTablePointers ( line ~216 ) Invert the check at all three sites: the only safe states are `CFE_SUCCESS` and `CFE_TBL_INFO_UPDATED`; everything else NULLs the pointer (and for the two command handlers also sets `CommandResult` false and emits the existing `*_TBL_ERR_EID` error event so the ground operator sees the failure). Same defense-in-depth shape as nasa/MM#116 (DataSize switch with no default case). Surfaced by scj-hunt + Gigi ATTEND on a fresh ingest of FM v1.2.0 into the `cfs_apps_fm_v01` fiber bundle. `FM_SetTableStateCmd` was the rank-1 hit at risk_score 8.8; drilling its structural twins via the ATTEND query surfaced the matching pattern in the other two sites. No new tests added -- the trigger path requires injecting a non-NEVER_LOADED error from `CFE_TBL_GetAddress`, which would need either a mock or a test bench that can fault the handle. Happy to add one if reviewers want.
2 tasks
Author
|
FYI to reviewers: while sweeping the other cFS apps for the same shape, I found that if (status < CFE_SUCCESS) { /* error */ }(negative-only check) on the basis that cFE convention is "alt-success codes are positive, errors are negative". If you'd prefer that idiom over the explicit allow-list in this PR ( Sister PR with the same root cause: nasa/SC#170. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
5 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Three call sites in FM check only
Status == CFE_TBL_ERR_NEVER_LOADEDafterCFE_TBL_GetAddress()and dereferenceFM_AppData.MonitorTablePtrin theelsebranch. Percfe_tbl.h, the pointer is undefined on any of the other four documented failure codes —CFE_TBL_ERR_INVALID_HANDLE,CFE_TBL_ERR_NO_ACCESS,CFE_ES_ERR_RESOURCEID_NOT_VALID,CFE_TBL_BAD_ARGUMENT— so those paths reach an undefined-pointer deref.Affected sites:
NEVER_LOADEDerrorfsw/src/fm_cmds.cFM_MonitorFilesystemSpaceCmd(line 855)FM_AppData.MonitorTablePtr->Entriesfsw/src/fm_cmds.cFM_SetTableStateCmd(line 967)FM_AppData.MonitorTablePtr->Entries[Index].Typeand writes.Enabledfsw/src/fm_table_utils.cFM_AcquireTablePointers(line 206)This is the same defense-in-depth shape as nasa/MM#116 (DataSize switch with no default case) — a
switch/ifthat covers some but not all of the failure modes of an upstream API.Change
At all three sites, invert the predicate: only
CFE_SUCCESSandCFE_TBL_INFO_UPDATEDare documented to set the pointer; everything else NULLs it (and for the two command handlers, also flipsCommandResultfalse and emits the existing*_TBL_ERR_EIDerror event so the ground operator sees the failure).Provenance
Surfaced by scj-hunt + Gigi ATTEND on a fresh ingest of FM
v1.2.0into thecfs_apps_fm_v01fiber bundle.FM_SetTableStateCmdwas the rank-1 hit at risk_score 8.8; drilling its structural twins surfaced the matching pattern in the other two sites. scj-hunt is open source at nurdymuny/shadow-clone-jutsu.Test plan
CFE_TBL_GetAddresswithCFE_TBL_ERR_INVALID_HANDLE, observeFM_SET_TABLE_STATE_TBL_ERR_EID/FM_GET_FREE_SPACE_TBL_ERR_EIDemitted instead of the prior undefined-pointer deref. Happy to add a unit test for this if reviewers want.🤖 Generated with Claude Code