authorGravatar Jorge Aparicio <japaricious@gmail.com> 2017-04-19 15:03:49 -0500
committerGravatar Jorge Aparicio <japaricious@gmail.com> 2017-04-19 15:03:49 -0500
commitaee3c2b29b9c47d5b359cc8ef56fcd0d9a9ba15d (patch)
tree746ddfc1d8904e469a67e87964accdac62584d90
parentaee1d785a914365e64462ce507e27ca917da9055 (diff)
critical: don't let the ceiling token escape the critical section
-rw-r--r--src/lib.rs4
-rw-r--r--tests/cfail/ceiling.rs14
2 files changed, 14 insertions, 4 deletions
diff --git a/src/lib.rs b/src/lib.rs
index 280c8c20..f84d1d15 100644
--- a/src/lib.rs
+++ b/src/lib.rs
@@ -238,12 +238,12 @@ where
/// No task can preempt this critical section
pub fn critical<R, F>(f: F) -> R
where
- F: FnOnce(CMAX) -> R,
+ F: FnOnce(&CMAX) -> R,
{
let primask = ::cortex_m::register::primask::read();
::cortex_m::interrupt::disable();
- let r = f(C { _marker: PhantomData });
+ let r = f(&C { _marker: PhantomData });
// If the interrupts were active before our `disable` call, then re-enable
// them. Otherwise, keep them disabled
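Review bot: The new bound `F: FnOnce(&CMAX) -> R` keeps the token inside the closure only if the token type cannot be duplicated out of the borrow, and the doc comment above `critical` does not record that requirement. Whether `C` implements `Clone` or `Copy` is not visible in this hunk; if it ever does, `*c` or `c.clone()` inside the closure would hand back an owned token and reopen lockless resource access after interrupts are re-enabled. I would add `/// The ceiling token is lent by reference and must never be Clone or Copy, so it cannot outlive the closure.` to the doc comment, together with a cfail case that tries to return a dereferenced token. The body of `critical` continues past the end of this hunk.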
diff --git a/tests/cfail/ceiling.rs b/tests/cfail/ceiling.rs
index 9ddce530..8ca84139 100644
--- a/tests/cfail/ceiling.rs
+++ b/tests/cfail/ceiling.rs
@@ -1,6 +1,6 @@
-extern crate cortex_m_srp;
+extern crate cortex_m_srp as rtfm;
-use cortex_m_srp::{C3, P2, Resource};
+use rtfm::{C3, P0, P2, Resource};
static R1: Resource<(), C3> = Resource::new(());
@@ -13,3 +13,13 @@ fn j1(prio: P2) {
// Would be bad: lockless access to a resource with ceiling = 3
let r2 = R1.borrow(&prio, c3);
}
+
+fn j2(prio: P0) {
+ let c16 = rtfm::critical(|c16| {
+ // forbidden: ceiling token can't outlive critical section
+ c16 //~ error
+ });
+
+ // Would be bad: lockless access to a resource with ceiling = 16
+ let r1 = R1.borrow(&prio, c16);
+}
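Review bot: The bare `//~ error` on the `c16` line in `j2` matches any diagnostic reported on that line, so this regression test for the token escape would still pass if the closure were rejected for an unrelated reason. Pinning the expected lifetime diagnostic after `error` would tie the test to the soundness property it protects; the exact compiler wording is not on this page and has to be taken from a test run. Separately, the last comment says the resource has ceiling 16, but `R1` is declared as `Resource<(), C3>`; something like `// Would be bad: lockless access to R1 using an escaped C16 token` would match the code.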