random(4): Translate a comment requirement into a compile-time invariant

In various places, random represents the set of sources as a 32-bit word
bitmask.  It assumes all sources fit within this, i.e., the maximum valid
source number is 31.

There was a comment specifying this limitation, but we can actually refuse
to compile if our assumption is violated instead.  We still have a few spare
random source slots, but sooner or later someone may need to convert the
masks used from raw 32-bit words to bitset(9) APIs.

This prevents some kinds of developer foot-shooting when adding new random
sources.  No functional change.

Reviewed by:	delphij, markm
Approved by:	secteam (delphij)
Sponsored by:	Dell EMC Isilon
Differential Revision:	https://reviews.freebsd.org/D16982

1 files changed, 2 insertions, 3 deletions

diff --git a/sys/sys/random.h b/sys/sys/random.h
index 891672a33ec4..073f97ad23c0 100644
--- a/sys/sys/random.h
+++ b/sys/sys/random.h
@@ -57,9 +57,6 @@ read_random(void *a __unused, u_int b __unused)
  * Note: if you add or remove members of random_entropy_source, remember to
  * also update the strings in the static array random_source_descr[] in
  * random_harvestq.c.
- *
- * NOTE: complain loudly to markm@ or on the lists if this enum gets more than 32
- * distinct values (0-31)! ENTROPYSOURCE may be == 32, but not > 32.
  */
 enum random_entropy_source {
 	RANDOM_START = 0,
@@ -92,6 +89,8 @@ enum random_entropy_source {
 	RANDOM_PURE_DARN,
 	ENTROPYSOURCE
 };
+_Static_assert(ENTROPYSOURCE <= 32,
+    "hardcoded assumption that values fit in a typical word-sized bitset");
 
 #define RANDOM_HARVEST_EVERYTHING_MASK ((1 << (RANDOM_ENVIRONMENTAL_END + 1)) - 1)
 #define RANDOM_HARVEST_PURE_MASK (((1 << ENTROPYSOURCE) - 1) & (-1UL << RANDOM_PURE_START))