phase 16: no-alloc CI gate

.github/workflows/ci.yml

@@ -65,6 +65,8 @@ jobs:
         with:
           tool: cargo-llvm-cov, cargo-nextest
       - run: cargo test --no-default-features
+      - name: No-alloc witness (explicit gate)
+        run: cargo test --features client,bare_metal --test no_alloc_witness
       - run: cargo llvm-cov nextest --all-features --lcov --output-path ./target/lcov.info
       - name: Upload Coverage report
         uses: codecov/codecov-action@v5

Cargo.toml

@@ -106,6 +106,11 @@ required-features = ["client", "bare_metal"]
 name = "static_channels_alloc_witness"
 required-features = ["client", "bare_metal"]
 
+[[test]]
+name = "no_alloc_witness"
+required-features = ["client", "bare_metal"]
+harness = false
+
 [[test]]
 name = "bare_metal_server"
 required-features = ["server", "bare_metal"]

src/lib.rs

@@ -209,3 +209,5 @@ pub use transport::{
     OneshotCancelled, OneshotRecv, OneshotSend, ReceivedDatagram, SocketOptions, Spawner, Timer,
     TransportError, TransportFactory, TransportSocket, UnboundedRecv, UnboundedSend,
 };
+#[cfg(feature = "bare_metal")]
+pub use transport::{AtomicInterfaceHandle, StaticE2EHandle, StaticE2EStorage};

src/transport.rs

@@ -776,6 +776,156 @@ mod std_handle_impls {
     }
 }
 
+/// Bare-metal no-alloc impls of [`E2ERegistryHandle`] and [`InterfaceHandle`].
+///
+/// These types satisfy `Clone + Send + Sync + 'static` without any heap
+/// allocation. The backing storage lives in a caller-owned `static`; the
+/// handles are thin `&'static` pointers that are trivially `Copy`.
+///
+/// # Production pattern
+///
+/// ```ignore
+/// use core::cell::RefCell;
+/// use core::sync::atomic::{AtomicU32, Ordering};
+/// use embassy_sync::blocking_mutex::Mutex;
+/// use embassy_sync::blocking_mutex::raw::CriticalSectionRawMutex;
+/// use simple_someip::e2e::E2ERegistry;
+/// use simple_someip::transport::{StaticE2EHandle, AtomicInterfaceHandle};
+///
+/// // Initialize once in main() before spawning tasks.
+/// fn init() -> (StaticE2EHandle, AtomicInterfaceHandle) {
+///     static IFACE_ADDR: AtomicU32 = AtomicU32::new(0);
+///     // E2ERegistry::new() is not const so the storage is heap-placed once.
+///     let registry_storage: &'static _ = Box::leak(Box::new(
+///         Mutex::<CriticalSectionRawMutex, RefCell<E2ERegistry>>::new(
+///             RefCell::new(E2ERegistry::new()),
+///         ),
+///     ));
+///     (StaticE2EHandle::new(registry_storage), AtomicInterfaceHandle::new(&IFACE_ADDR))
+/// }
+/// ```
+///
+/// # No-allocator targets
+///
+/// The example above uses `Box::leak` because [`E2ERegistry::new`] is not
+/// currently `const`. On a target with no allocator, swap that for a
+/// `static`-cell pattern (e.g. `static_cell::StaticCell::init`) once the
+/// registry constructor becomes `const`-friendly. The handle layer itself
+/// never allocates — only the one-time storage materialization does.
+#[cfg(feature = "bare_metal")]
+pub mod bare_metal_handle_impls {
+    use super::{E2ERegistryHandle, InterfaceHandle};
+    use crate::e2e::{E2ECheckStatus, E2EKey, E2EProfile, E2ERegistry, Error as E2EError};
+    use core::cell::RefCell;
+    use core::net::Ipv4Addr;
+    use core::sync::atomic::{AtomicU32, Ordering};
+    use embassy_sync::blocking_mutex::Mutex;
+    use embassy_sync::blocking_mutex::raw::CriticalSectionRawMutex;
+
+    /// Convenience type alias for the embassy-sync critical-section mutex
+    /// backing [`StaticE2EHandle`].
+    pub type StaticE2EStorage = Mutex<CriticalSectionRawMutex, RefCell<E2ERegistry>>;
+
+    /// No-alloc [`E2ERegistryHandle`] backed by a `&'static` critical-section
+    /// mutex.
+    ///
+    /// All clones are the same thin pointer. Construct via [`StaticE2EHandle::new`]
+    /// and supply a `&'static StaticE2EStorage` (typically obtained via
+    /// `Box::leak` during system init, since [`E2ERegistry::new`] is not const).
+    #[derive(Clone, Copy)]
+    pub struct StaticE2EHandle(&'static StaticE2EStorage);
+
+    impl StaticE2EHandle {
+        /// Wraps a static reference to the backing mutex.
+        pub const fn new(storage: &'static StaticE2EStorage) -> Self {
+            Self(storage)
+        }
+    }
+
+    // Send + Sync are derived automatically: `&'static StaticE2EStorage`
+    // is `Send + Sync` because `BlockingMutex<CriticalSectionRawMutex,
+    // RefCell<E2ERegistry>>` is `Sync` (the embassy-sync mutex serializes
+    // access to the inner `RefCell`, which is itself `Send`).
+
+    impl E2ERegistryHandle for StaticE2EHandle {
+        fn register(&self, key: E2EKey, profile: E2EProfile) {
+            self.0.lock(|cell| cell.borrow_mut().register(key, profile));
+        }
+
+        fn unregister(&self, key: &E2EKey) {
+            self.0.lock(|cell| cell.borrow_mut().unregister(key));
+        }
+
+        fn contains_key(&self, key: &E2EKey) -> bool {
+            self.0.lock(|cell| cell.borrow().contains_key(key))
+        }
+
+        fn protect(
+            &self,
+            key: E2EKey,
+            payload: &[u8],
+            upper_header: [u8; 8],
+            output: &mut [u8],
+        ) -> Option<Result<usize, E2EError>> {
+            self.0
+                .lock(|cell| cell.borrow_mut().protect(key, payload, upper_header, output))
+        }
+
+        fn check<'a>(
+            &self,
+            key: E2EKey,
+            payload: &'a [u8],
+            upper_header: [u8; 8],
+        ) -> Option<(E2ECheckStatus, &'a [u8])> {
+            self.0.lock(|cell| cell.borrow_mut().check(key, payload, upper_header))
+        }
+    }
+
+    /// No-alloc [`InterfaceHandle`] backed by a `&'static AtomicU32`.
+    ///
+    /// IPv4 addresses are encoded as big-endian `u32` (`Ipv4Addr::into::<u32>`).
+    /// All clones are the same thin pointer. Declare the backing storage in a
+    /// `static`:
+    ///
+    /// ```ignore
+    /// static IFACE_ADDR: AtomicU32 = AtomicU32::new(0);
+    /// let handle = AtomicInterfaceHandle::new(&IFACE_ADDR);
+    /// ```
+    ///
+    /// # Memory ordering
+    ///
+    /// Both `get` and `set` use [`Ordering::Relaxed`]. The address is the
+    /// only synchronized datum — no other memory state is published or
+    /// observed alongside it — so single-location atomicity is sufficient.
+    /// A reader will eventually observe the latest write; there is no
+    /// happens-before relationship to establish with surrounding memory.
+    #[derive(Clone, Copy)]
+    pub struct AtomicInterfaceHandle(&'static AtomicU32);
+
+    impl AtomicInterfaceHandle {
+        /// Wraps a static reference to the backing atomic.
+        pub const fn new(addr: &'static AtomicU32) -> Self {
+            Self(addr)
+        }
+    }
+
+    // Send + Sync are derived automatically: `&'static AtomicU32` is
+    // `Send + Sync` because `AtomicU32` is `Sync`.
+
+    impl InterfaceHandle for AtomicInterfaceHandle {
+        fn get(&self) -> Ipv4Addr {
+            Ipv4Addr::from(self.0.load(Ordering::Relaxed))
+        }
+
+        fn set(&self, addr: Ipv4Addr) {
+            self.0.store(u32::from(addr), Ordering::Relaxed);
+        }
+    }
+}
+
+#[cfg(feature = "bare_metal")]
+pub use bare_metal_handle_impls::{AtomicInterfaceHandle, StaticE2EHandle, StaticE2EStorage};
+
 // ── Channel-handle abstraction ────────────────────────────────────────────
 //
 // `ChannelFactory` and its associated sender / receiver traits abstract over