Fix two concurrency bugs found with ThreadSanitizer:
1. size() and byteSize() read _next_slot/_n_slots without the mutex,
racing with store(). Add AtomicTransaction to both.
2. _grow() with concurrent writers causes buffer overflow: _n_slots is
read outside the lock for malloc sizing but inside the lock for
memcpy, so another thread's growth can make memcpy exceed the
allocation. On POSIX, hold the lock throughout _grow() since
malloc/free work fine under a mutex. Keep the CAS-based approach
on NuttX where malloc can't be called with IRQs disabled.
Add DynamicSparseLayerTest with concurrent stress tests that reproduce
both issues.
This issue was originally found while running the new SIH based CI
tests.
Remove the step that uploaded every version tag to the stable/ S3
directory, which caused QGC users selecting "stable" to receive
pre-release firmware (#26340). The stable/ and beta/ directories
are now controlled exclusively by their respective branch pushes,
while version tags only upload to their versioned archive directory
(e.g., v1.16.1/). Pre-release tags are also correctly marked on
GitHub Releases.
Co-authored-by: Julian Oes <julian@oes.ch>
Fixes#26340
Signed-off-by: Ramon Roche <mrpollo@gmail.com>
* RtlTimeEstimator: Consider minimum ground speed
This fixes an issue seen when the wind is faster than the trim airspeed,
but not faster than the max airspeed.
In that case the RTL time estimator currently assumes that we always fly
at trim airspeed and are thus unable to cover ground in the upwind
direction. The result is a very large RTL time estimate, resulting in
RTL if configured by COM_FLTT_LOW_ACT.
By considering the FW_GND_SPD_MIN parameter, we correct this wrong
assumption. The RTL remaining time estimate now becomes realistic in
this situation.
* RtlTimeEstimator: assume min ground speed of 5 if param unavailable
The previous commit (6b8fd11) gated smbus and smbus_sbs behind
PX4_PLATFORM=="nuttx" to prevent clang-tidy errors on SITL, but these
libraries depend on device::I2C which has a POSIX implementation
(posix/I2C.cpp). Linux boards like bluerobotics_navigator (armhf) and
emlid_navio2 (aarch64) enable CONFIG_DRIVERS_BATT_SMBUS, which depends
on drivers__smbus — causing CMake to fail with "non-existent target".
Move smbus and smbus_sbs back to unconditional add_subdirectory() so
they are available on all platforms. Keep mcp_common gated behind NuttX
since it includes px4_platform/gpio/mcp.hpp (NuttX-only GPIO headers).
Re-add src/lib/drivers/smbus to the Makefile clang-tidy exclude list
since the SITL compilation database lacks the I2C platform headers
needed for analysis.
Signed-off-by: Ramon Roche <mrpollo@gmail.com>
The failsafe_test target uses CMake Unity Builds (UNITY_BUILD ON),
which merges emscripten.cpp, failsafe.cpp, and framework.cpp into a
single generated file at:
build/.../failsafe_test.dir/Unity/unity_0_cxx.cxx
The run-clang-tidy.py exclude regex operates on compile_commands.json
paths, which reference this generated unity file — not the original
source path. The previous exclude (src/modules/commander/failsafe/
emscripten) only matched the source path and missed the unity file,
causing clang-diagnostic-error: 'emscripten/emscripten.h' not found.
Add failsafe_test\.dir to the exclude regex to catch the unity build
path in addition to the source path.
Signed-off-by: Ramon Roche <mrpollo@gmail.com>
The clang-tidy CI target builds against the SITL (px4_sitl_default-clang)
compilation database. Three libraries in src/lib/drivers/ were
unconditionally added via add_subdirectory(), causing them to appear in
compile_commands.json despite requiring NuttX-only headers:
- mcp_common: includes px4_platform/gpio/mcp.hpp (NuttX platform GPIO)
- smbus: extends device::I2C which resolves to the NuttX I2C driver
- smbus_sbs: includes smbus/SMBus.hpp, same I2C dependency chain
When clang-tidy analyzed these files it failed on clang-diagnostic-error
(fatal: header not found) since the platform headers don't exist in SITL.
The previous commit worked around this by adding the paths to
CLANG_TIDY_EXCLUDE_EXTRA in the Makefile, but the proper fix is to prevent
these libraries from entering the compilation database at all.
Gate mcp_common, smbus, and smbus_sbs behind
if(PX4_PLATFORM STREQUAL "nuttx") in src/lib/drivers/CMakeLists.txt.
This follows the established pattern already used by the device/ library
in the same directory, which conditionally includes NuttX-specific sources
(CDev.cpp, I2C.cpp, SPI.cpp) while compiling posix stubs for SITL.
The other libraries in the directory (accelerometer, gyroscope, led,
magnetometer, rangefinder) are pure abstractions over uORB topics and
internal utilities with no platform-specific hardware dependencies, so
they compile fine on all platforms without any gating.
Remove the now-unnecessary mcp_common and smbus paths from
CLANG_TIDY_EXCLUDE_EXTRA, keeping only the emscripten failsafe exclusion
(requires the emscripten SDK, not a platform build issue).
Signed-off-by: Ramon Roche <mrpollo@gmail.com>
These files depend on platform headers (px4_platform/gpio/mcp.hpp,
device::I2C, emscripten/emscripten.h) that are unavailable in the
SITL/clang build, causing clang-tidy to report compiler errors:
- src/lib/drivers/mcp_common (NuttX GPIO)
- src/drivers/gpio (MCP23009, MCP23017)
- src/lib/drivers/smbus (I2C bus driver)
- src/modules/commander/failsafe/emscripten (emscripten SDK)
Signed-off-by: Ramon Roche <mrpollo@gmail.com>
Replace the two separate echo lines ("Starting" and "(arch)") with a
single line showing architecture and UTC timestamp:
[docker-entrypoint.sh] aarch64 | 2026-02-09T15:23:45Z
Signed-off-by: Ramon Roche <mrpollo@gmail.com>
Update the local Docker convenience script to use the unified
px4io/px4-dev image instead of the retired per-toolchain images
(px4-dev-clang, px4-dev-simulation-bionic).
Usage:
./Tools/docker_run.sh make px4_sitl_default
./Tools/docker_run.sh make tests TESTFILTER=ULogMessages
PX4_DOCKER_REPO="px4io/px4-dev:custom" ./Tools/docker_run.sh make px4_fmu-v6x_default
Changes:
- Default to px4io/px4-dev:v1.17.0-beta1, remove conditional image
guessing for clang/tests targets
- Remove stale env passthrough (Travis CI, AWS, Codecov, Coveralls)
- Keep CCACHE_DIR and sanitizer flags (PX4_ASAN/MSAN/TSAN/UBSAN)
- Fix $PWD shadowing by renaming to SCRIPT_DIR
- Use "$@" instead of "$1 $2 $3" for proper argument forwarding
Signed-off-by: Ramon Roche <mrpollo@gmail.com>
Rename ULogMessageInfoTest to ULogMessagesTest and add struct-level
coverage for every message type in the ULog spec:
- File header: magic bytes, size, field offsets
- Flag Bits ('B'): size, field offsets, flag masks
- Format ('F'): size, serialization
- Info ('I'): string, int32_t, and float value layouts
- Info Multiple ('M'): string layout, continuation flag, field offsets
- Parameter ('P'): int32_t and float value layouts
- Default Parameter ('Q'): size, type bits, field offsets
- Subscription ('A'): size, field offsets, serialization
- Unsubscription ('R'): size, serialization
- Data ('D'): size, field offset
- Logging ('L'): size, field offsets, serialization
- Logging Tagged ('C'): size, field offsets
- Sync ('S'): size, magic bytes
- Dropout ('O'): size, default msg_size, serialization
- Message header: size, field offsets, ULOG_MSG_HEADER_LEN
- Enum values: all 13 ULogMessageType codes
Signed-off-by: Ramon Roche <mrpollo@gmail.com>
Guard the strncpy call with a null check to prevent undefined behavior
if the constructor is ever called with a null path pointer.
Fixes clang-analyzer-core.NonNullParamChecker diagnostic.
Signed-off-by: Ramon Roche <mrpollo@gmail.com>
The 48-byte struct (6 Vector2f) is only read inside initializePattern,
so passing by value creates an unnecessary copy.
Fixes performance-unnecessary-value-param clang-tidy diagnostic.
Signed-off-by: Ramon Roche <mrpollo@gmail.com>
Remove using-declarations for math::constrain, math::max, and
math::min that are never used — all call sites use the fully-qualified
form (e.g. math::constrain()).
Fixes misc-unused-using-decls clang-tidy diagnostic.
Signed-off-by: Ramon Roche <mrpollo@gmail.com>
FlightTaskManualAcceleration and FlightTaskOrbit both inherit from
FlightTaskManualAltitudeSmoothVel but were calling FlightTask and
FlightTaskManualAltitude respectively, skipping the intermediate
parent's overrides (smoothing velocity init, parameter chain).
Fix the DEFINE_PARAMETERS_CUSTOM_PARENT macro argument and the
activate() call to use FlightTaskManualAltitudeSmoothVel.
Fixes bugprone-parent-virtual-call clang-tidy diagnostic.
Signed-off-by: Ramon Roche <mrpollo@gmail.com>
clang-tidy flags the memcpy of vlen bytes as
bugprone-not-null-terminated-result because the destination buffer
region is left unterminated in memory.
Copy vlen + 1 bytes (including the source null terminator) so the
buffer is null-terminated in memory. The ULog msg_size is not
incremented for the extra byte — the null sits in the struct's
key_value_str padding and is never written to the log file, preserving
the ULog wire format which does not include a null terminator for
string values.
The bounds check (vlen < sizeof(msg) - msg_size) guarantees at least
one byte of headroom beyond vlen, so vlen + 1 is always within the
struct.
Signed-off-by: Ramon Roche <mrpollo@gmail.com>
Add a gtest that validates the exact binary layout of INFO and
INFO_MULTIPLE messages against the ULog spec. This exercises the same
packing logic as write_info/write_info_multiple and will catch any
accidental changes to the wire format (e.g. including a null terminator
in msg_size).
Signed-off-by: Ramon Roche <mrpollo@gmail.com>
Rename workflow to "Static Analysis" with job name "Clang-Tidy" for
clearer GitHub Checks UI. Use Title Case action-verb step names.
Switch from runs-on/cache to actions/cache since the runs-on Magic
Cache sidecar transparently handles S3 backing.
Signed-off-by: Ramon Roche <mrpollo@gmail.com>
github.ref_name resolves to '26367/merge' for pull_request events,
causing cache misses. Use github.head_ref (PR source branch) with
fallback to github.ref_name for push events.
Signed-off-by: Ramon Roche <mrpollo@gmail.com>
Use separate cache/restore and cache/save steps with if: always()
on the save step, matching the build_all_targets pattern.
Signed-off-by: Ramon Roche <mrpollo@gmail.com>
- Switch from addnab/docker-run-action to native container directive
- Use runs-on 16-core runner with S3 cache (extras=s3-cache)
- Add ccache setup matching build_all_targets pattern
- Run clang-tidy with -j16 to leverage all cores
Signed-off-by: Ramon Roche <mrpollo@gmail.com>
The free GitHub runner (4 vCPUs) takes ~22 minutes. Switch to a
16-core runs-on runner and bump parallelism to -j16 to reduce
clang-tidy analysis time.
Signed-off-by: Ramon Roche <mrpollo@gmail.com>
Pin the container image to v1.17.0-beta1 which includes clang-tidy 18
and all required clang dependencies pre-installed. This removes the
need to install clang-tidy via apt on each workflow run.
Signed-off-by: Ramon Roche <mrpollo@gmail.com>
Update .clang-tidy configuration to maintain compatibility with
clang-tidy 18 in the new px4io/px4-dev:v1.17.0-alpha1 container.
The previous CI container used clang-tidy 6.0 (2018) with ~213 checks.
The new container has clang-tidy 18 (2024) with ~537 checks - adding
~324 new checks that would fail without configuration changes.
This commit disables the new checks to preserve the existing code
quality baseline. The disabled checks can be evaluated and enabled
incrementally in future PRs as the codebase is updated to comply.
New checks disabled (partial list):
- bugprone-assignment-in-if-condition
- bugprone-casting-through-void
- bugprone-multi-level-implicit-pointer-conversion
- cppcoreguidelines-avoid-do-while
- cppcoreguidelines-avoid-goto
- cppcoreguidelines-avoid-non-const-global-variables
- misc-definitions-in-headers
- misc-header-include-cycle
- misc-no-recursion
- modernize-macro-to-enum
- modernize-type-traits
- performance-enum-size
- readability-avoid-nested-conditional-operator
- readability-convert-member-functions-to-static
- readability-redundant-string-init
- readability-simplify-boolean-expr
- (and ~35 more)
See full list in .clang-tidy. Each check is prefixed with '-' to
disable it while keeping WarningsAsErrors: '*' active for enabled
checks.
Signed-off-by: Ramon Roche <mrpollo@gmail.com>
Automatically generate the clang-tidy exclusion list from .gitmodules
so new submodules are excluded without manual intervention.
Changes:
- Makefile: Generate CLANG_TIDY_SUBMODULES from .gitmodules paths
- Makefile: Add CLANG_TIDY_EXCLUDE_EXTRA for manual exclusions:
- src/systemcmds/tests (test code, looser style allowed)
- src/examples (educational code, not production)
- src/modules/gyro_fft/CMSIS_5 (vendored ARM DSP library)
- Delete src/systemcmds/tests/.clang-tidy (stale since 2019)
- Delete src/modules/gyro_fft/CMSIS_5/.clang-tidy (redundant)
Rationale: Submodules and vendored code should be linted in their
upstream repositories, not here. This reduces noise and focuses
clang-tidy on code that PX4 maintainers actually edit.
Contributors adding vendored (non-submodule) third-party code should
add their path to CLANG_TIDY_EXCLUDE_EXTRA in the Makefile.
Signed-off-by: Ramon Roche <mrpollo@gmail.com>
Add regex-based file exclusion to the clang-tidy runner script.
This allows excluding paths (submodules, vendored code, tests) from
static analysis without modifying .clang-tidy files in each directory.
The -exclude argument accepts a regex pattern that is matched against
file paths from the compilation database. Matching files are skipped.
Example: -exclude="src/lib/foo|src/modules/bar"
This prepares for the clang-tidy v6 to v18 migration where we need
to exclude external code that we consume but don't maintain.
Signed-off-by: Ramon Roche <mrpollo@gmail.com>
Extend the -Wno-asm-operand-widths workaround to include Linux aarch64
in addition to Apple Silicon. CMSIS DSP contains ARM Cortex-M specific
assembly that clang (but not gcc) warns about on 64-bit ARM platforms.
The assembly code is unused on POSIX builds - only the C fallback
implementations are executed in SITL.
This fixes clang-tidy CI failing on arm64 runners.
Signed-off-by: Ramon Roche <mrpollo@gmail.com>
- Update "Failed to import Python packages" section to reference
gz_x500 instead of jmavsim, and point to Tools/setup/requirements.txt
instead of listing individual packages
- Fix :::info admonition spacing in Ubuntu dev env docs
Signed-off-by: Ramon Roche <mrpollo@gmail.com>
The new px4-dev container replaces the old per-distro container
hierarchy from PX4/PX4-containers. It is:
- Multi-architecture (linux/amd64 + linux/arm64)
- Based on Ubuntu 24.04
- Built from the in-tree Dockerfile via GitHub Actions
- Published to both ghcr.io and Docker Hub
- Tagged with PX4 versions (e.g. px4-dev:v1.16.0)
Mark the legacy per-distro containers (px4-dev-nuttx-jammy,
px4-dev-ros2-humble, etc.) as deprecated, note that px4-sim
is planned for simulation workflows.
Update all examples to use px4-dev instead of legacy containers.
Signed-off-by: Ramon Roche <mrpollo@gmail.com>
docker.md:
- Update container hierarchy from focal to jammy
- Replace ROS Noetic/Foxy references with ROS 2 Humble
- Update docker run example to use humble container
- Update SITL example from gazebo-classic to gz_x500
- Update VM tested version from Ubuntu 14.04 to 22.04
vscode.md:
- Remove "Ubuntu 18.04" from inotify troubleshooting header
(this issue is not Ubuntu-version-specific)
dev_env_linux_centos.md:
- Update GCC warning to reference current Ubuntu LTS toolchain
instead of old Focal Docker file
Signed-off-by: Ramon Roche <mrpollo@gmail.com>
- Replace "older version" collapsible with info block stating
supported versions: Ubuntu 24.04 (primary) and 22.04
- Remove Gazebo Classic references (Ubuntu 22.04 section, install step)
- Note that GCC version comes from Ubuntu package manager
- Clarify that GCC version depends on Ubuntu release
Signed-off-by: Ramon Roche <mrpollo@gmail.com>
- Remove Ubuntu 18.04 troubleshooting sections (compile errors,
VSCode inotify) — Ubuntu 18.04 is no longer supported
- Remove Gazebo Classic SITL dropdown from first build section
- Update FMUv2 flash warning to reference gcc-arm-none-eabi from
current Ubuntu LTS instead of vague "CI/docker" reference
- Update flash overflow guidance to point at Ubuntu LTS toolchain
- Simplify "too many open files" error example (remove old GCC 7.2.1
path from 2017)
Signed-off-by: Ramon Roche <mrpollo@gmail.com>
Remove Gazebo Classic installation branches for Ubuntu 18.04 and 20.04.
The script now only supports Ubuntu 22.04 and 24.04 with Gazebo Harmonic.
Supported Ubuntu LTS versions going forward:
- Ubuntu 24.04 (primary, used in CI and release builds)
- Ubuntu 22.04 (secondary, still supported)
When Ubuntu 26.04 LTS releases we will bump to 26.04/24.04.
Signed-off-by: Ramon Roche <mrpollo@gmail.com>
