Commit graph

503 commits

Author SHA1 Message Date
Daniel Leung 2ffd49310a tests: mem_protect/mem_protect: more tables for QEMU Cortex A53
For qemu_cortex_a53 on the mem_protect test, the test
test_mem_domain_init_fail() fails due to not having enough
translation tables. However, since ARM64 MMU asserts on such
condition, and k_mem_domain_init() also asserts when fails,
there is no way to distinguish these two assertions at runtime,
thus the test was considered passing. Fix this by allocating
a few more tables so the test will actually fail on
k_mem_domain_init().

Signed-off-by: Daniel Leung <daniel.leung@intel.com>
2021-11-22 12:45:22 -05:00
Lixin Guo 5b9c6264af tests: userspace: add a test for code coverage
Add a test case for getting all the kernel objects in
kobject list.

Signed-off-by: Lixin Guo <lixinx.guo@intel.com>
2021-10-28 12:01:01 -04:00
Lixin Guo a5a360d319 Tests: memory protect: add some error test cases
Add some error case for adding and removing memory partition
API.

Signed-off-by: Lixin Guo <lixinx.guo@intel.com>
2021-09-29 06:29:19 -04:00
Chen Peng1 0774ce94ed tests: mem_map: limit memory below 0x10000000 on up_squared.
there is a memory hole from address 0x10000000-0x12150fff
in the ram on up_squared, we don't have access to read/write
this range, so limit the memory range below 0x10000000.

Signed-off-by: Chen Peng1 <peng1.chen@intel.com>
2021-09-16 09:32:36 -04:00
Filip Kokosinski 19fc1ee77c subsys/random: change parameters for timer-based PRNG
PR #36996 disabled running mem_protect/stack_random test on qemu_riscv32
platform because of this test consistently failing on said platform.
This test starts new threads in equal time intervals, and because of
that we get repeating values after performing the modulus operation when
calculating the stack pointer address.

This can be solved by changing the value of the _RAND32_INC constant
that is used to increase the value returned by the timer-based PRNG.

This commit decreases the value of the mentioned constant from
1000000013U to 1000000003U.

Fixes #37006.

Signed-off-by: Filip Kokosinski <fkokosinski@antmicro.com>
2021-08-30 09:32:36 -04:00
Torsten Rasmussen c6aded2dcb linker: align _image_rodata and _image_rom start/end/size linker symbols
Cleanup and preparation commit for linker script generator.

Zephyr linker scripts provide start and end symbols for each larger
area in the linker script.

The symbols _image_rom_start and _image_rom_end correspond to the group
ROMABLE_REGION defined in the ld linker scripts.

The symbols _image_rodata_start and _image_rodata_end are not placed as
an independent group but cover common-rom.ld, thread-local-storage.ld,
kobject-rom.ld and snippets-rodata.ld.

This commit aligns those names and prepares for generation of groups in
linker scripts.

The symbols describing the ROMABLE_REGION will be renamed to:
_image_rom_start -> __rom_region_start
_image_rom_end   -> __rom_region_end

The rodata will also use the group symbol notation as:
_image_rodata_start -> __rodata_region_start
_image_rodata_end   -> __rodata_region_end

Signed-off-by: Torsten Rasmussen <Torsten.Rasmussen@nordicsemi.no>
2021-08-28 08:48:03 -04:00
Daniel Leung 27f36bda51 boards: qemu_x86_tiny: enabled for general demand paging testing
This enables qemu_x86_tiny to be used for more general demand
paging testing where non-pinned code and data is not available
in physical memory at boot. This adds a custom linker script to
qemu_x86_tiny for pinning code and data. In the process, a new
kconfig CONFIG_BOARD_QEMU_X86_TINY has to be introduced to
distinguish from other qemu_x86* boards. This linker script
is based on the generic x86-32 one in
include/arch/x86/ia32/linker.ld, with additions to
put symbols into boot and pinned sections.

Signed-off-by: Daniel Leung <daniel.leung@intel.com>
2021-08-26 21:16:22 -04:00
Daniel Leung 1203289143 tests: mem_protect/mem_map: pin test_page in memory
This pins the test_page in memory for tests about memory
mapping. This is simply to make sure the whole array
is in physical memory for mapping or else the mapping
function would fail due to having nothing to map.

Signed-off-by: Daniel Leung <daniel.leung@intel.com>
2021-08-26 21:16:22 -04:00
Daniel Leung bb1656abc6 tests: mem_protect/userspace: _k_neg_eagain maybe in pinned sect
If pinned section is enabled, _k_neg_eagain should be in pinned
rodata section. So add the check if pinned section is enabled.

Signed-off-by: Daniel Leung <daniel.leung@intel.com>
2021-08-26 21:16:22 -04:00
Daniel Leung 46ae0a5664 tests: demand_paging: pin fatal error handler
This puts the fatal error handler into pinned sections so
it can be used to handle fatal errors without causing
page faults.

Signed-off-by: Daniel Leung <daniel.leung@intel.com>
2021-08-26 21:16:22 -04:00
Torsten Rasmussen 1cccc8a8fe cmake: increase minimal required version to 3.20.0
Move to CMake 3.20.0.

At the Toolchain WG it was decided to move to CMake 3.20.0.

The main reason for increasing CMake version is better toolchain
support.

Better toolchain support is added in the following CMake versions:
- armclang, CMake 3.15
- Intel oneAPI, CMake 3.20
- IAR, CMake 3.15 and 3.20

Signed-off-by: Torsten Rasmussen <Torsten.Rasmussen@nordicsemi.no>
2021-08-20 09:47:34 +02:00
Bradley Bolen 60f23a5dc2 tests: userspace: Add Cortex-R test
Try to read the stclr register from userspace.  This should generate an
exception.

Signed-off-by: Bradley Bolen <bbolen@lexmark.com>
2021-08-17 06:06:33 -04:00
Bradley Bolen ce85892916 tests: mem_protect: syscalls: Add bad address for qemu_cortex_r5
The default address for FAULTY_ADDRESS is valid on the qemu_cortex_r5
board, so use a value that is not mapped for that board.

Signed-off-by: Bradley Bolen <bbolen@lexmark.com>
2021-08-17 06:06:33 -04:00
Daniel Leung 15a46cfee4 tests: mem_protect: fix warning on uninitialized variable
In test_kobject_release_null(), dummy is not initialized
before being fed to k_object_release(). So set it.

Signed-off-by: Daniel Leung <daniel.leung@intel.com>
2021-07-22 07:24:11 -05:00
Christopher Friedt a87a5ea22b tests: kernel: mem_protect: stack_random: disable qemu_riscv32
Test fails consistently in CI but local builds succeed. Puzzling. In
order to keep main green, disabling this test only for qemu_riscv32
until a solution is found.

```
% west build -p always -b qemu_riscv32 -t run \
  tests/kernel/mem_protect/stack_random
...
*** Booting Zephyr OS build zephyr-v2.6.0-1039-g523764b3fd75  ***
Running test suite stack_pointer_randomness
===================================================================
START - test_stack_pt_randomization
Test Stack pointer randomization
stack pointer changed 13 times out of 64 tests
 PASS - test_stack_pt_randomization in 0.5 seconds
===================================================================
Test suite stack_pointer_randomness succeeded
===================================================================
PROJECT EXECUTION SUCCESSFUL
```

```
*** Booting Zephyr OS build zephyr-v2.6.0-1063-g0106d8f2a391  ***
Running test suite stack_pointer_randomness
===================================================================
START - test_stack_pt_randomization
Test Stack pointer randomization
stack pointer changed 0 times out of 64 tests
 Assertion failed at WEST_TOPDIR/zephyr/tests/kernel/mem_protect/\
  stack_random/src/main.c:68: test_stack_pt_randomization: \
  (sp_changed equal to 0)
 Stack pointer is not randomized
FAIL - test_stack_pt_randomization in 0.6 seconds
===================================================================
Test suite stack_pointer_randomness failed.
===================================================================
PROJECT EXECUTION FAILED
```

Signed-off-by: Christopher Friedt <chrisfriedt@gmail.com>
2021-07-16 14:48:21 -04:00
Watson Zeng e451bf44fe tests: mem_protest: workaround aggressive optimization
We have some static variables var, zeroed_var and bss_var
in mem_partition.c and we only assert the value of them in
the same file, so the compiler may pre-calculate it in compile
stage, it's fine usually.
But for variable zeroed_var (= 20420), we force to put it in bss
section in link stage, the value will change in bss clean stage, so
we will get a wrong result.
Let's add volatile for these variables to disable pre-calculation.

Signed-off-by: Watson Zeng <zhiwei@synopsys.com>
2021-06-28 09:15:43 -04:00
Daniel Leung dfa4b7e375 kernel: mmu: z_backing_store* to k_mem_paging_backing_store*
These functions are those that need be implemented by backing
store outside kernel. Promote them from z_* so these can be
included in documentation.

Signed-off-by: Daniel Leung <daniel.leung@intel.com>
2021-05-28 11:33:22 -04:00
Daniel Leung 31c362d966 kernel: mmu: rename z_eviction* to k_mem_paging_eviction*
These functions and data structures are those that need
to be implemented by eviction algorithm and application
outside kernel. Promote them from z_* so these can be
included in documentation.

Signed-off-by: Daniel Leung <daniel.leung@intel.com>
2021-05-28 11:33:22 -04:00
Daniel Leung fb88c77ac2 tests: mem_protect/mem_map: remove unused assignment to cnt
The variable cnt is assigned twice in a row, so remove
the first one.

Coverity-CID: 235962
Fixes #35161

Signed-off-by: Daniel Leung <daniel.leung@intel.com>
2021-05-11 15:45:39 -05:00
Anas Nashif 4d994af032 kernel: remove object tracing
Remove this intrusive tracing feature in favor of the new object tracing
using the main tracing feature in zephyr. See #33603 for the new tracing
coverage for all objects.

This will allow for support in more tools and less reliance on GDB for
tracing objects.

Signed-off-by: Anas Nashif <anas.nashif@intel.com>
2021-05-07 22:10:21 -04:00
Daniel Leung 452a06104f tests: mem_protect/mem_map: add testing for k_mem_unmap()
This adds a few bits to test k_mem_unmap() to make sure
memory is actually being reclaimed.

Signed-off-by: Daniel Leung <daniel.leung@intel.com>
2021-05-07 13:36:22 -04:00
Daniel Leung 7741e9f7b0 tests: mem_protect/mem_map: test k_mem_map guard pages
Tests that the guard pages setup by k_mem_map() will cause
exception when accessed.

Signed-off-by: Daniel Leung <daniel.leung@intel.com>
2021-05-07 13:36:22 -04:00
Daniel Leung cb0e3ede11 tests: mem_protect/mem_map: add test for z_phys_unmap
This adds a test for z_phys_unmap() to make sure that memory
can be unmapped and is no longer accessible.

Signed-off-by: Daniel Leung <daniel.leung@intel.com>
2021-05-07 13:36:22 -04:00
Daniel Leung bf287c6e2b tests: mem_protect/demand_paging: wait a bit for NRU to work
This waits a bit for NRU eviction algorithm (which is the default)
to work its magic to clear the access bit of physical frames.
This increases the number of clean pages which can be evicted,
to make sure the number of clean pages evicted is not zero, which
would cause an assertion.

Signed-off-by: Daniel Leung <daniel.leung@intel.com>
2021-05-07 13:36:22 -04:00
Daniel Leung c9c5221b96 tests: mem_protect/demand_paging: add config for qemu_x86_tiny
The test itself is highly sensitive to the size of the kernel
image. When the kernel gets larger, the number of pages used by
the backing store needs to shrink. So here this is.

Signed-off-by: Daniel Leung <daniel.leung@intel.com>
2021-05-07 13:36:22 -04:00
Watson Zeng b2aab9f0e8 board: qemu_arc: disable test: tests/kernel/mem_protect/mem_protect
This test fails on qemu_arc_{em|hs} consistently,
due to a bug in qemu_arc, details:
https://github.com/foss-for-synopsys-dwc-arc-processors/qemu/issues/14.
To get clean results we need to disable this test until the
bug is fixed and fix gets propagated to new Zephyr-SDK.

Signed-off-by: Watson Zeng <zhiwei@synopsys.com>
2021-05-07 13:15:13 +02:00
Nicolas Pitre f1f63dda17 arm64: FPU context switching support
This adds FPU sharing support with a lazy context switching algorithm.

Every thread is allowed to use FPU/SIMD registers. In fact, the compiler
may insert FPU reg accesses in any context to optimize even non-FP code
unless the -mgeneral-regs-only compiler flag is used, but Zephyr
currently doesn't support such a build.

It is therefore possible to do FP access in ISR as well with this patch
although IRQs are then disabled to prevent nested IRQs in such cases.

Because the thread object grows in size, some tests have to be adjusted.

Signed-off-by: Nicolas Pitre <npitre@baylibre.com>
2021-05-03 11:56:50 +02:00
Enjia Mai e53d549e21 tests: mem_protect: add a test case of adding memory partition
Add a test case to validate when adding a new partition into a memory
domain with over its maximum specified limit number, an assertion
failure happens.

Signed-off-by: Maksim Masalski <maksim.masalski@intel.com>
Signed-off-by: Enjia Mai <enjiax.mai@intel.com>
2021-04-28 14:34:17 -04:00
Maksim Masalski 2c138fb59f tests: add new kernel objects tests
Found out that important requirements are not tested by current
kernel objects tests. Decided to fix that situation

New added tests:
1. test_kobj_assign_perms_on_alloc_obj()
Create kernel object semaphore, dynamically allocate it from the
calling thread's resource pool.
Check that object's address is in bounds of that memory pool.
Then check the requestor thread will implicitly be assigned
permission on the allocated object by using
semaphore API k_sem_init()

2. test_no_ref_dyn_kobj_release_mem()
Dynamically allocated kernel objects whose access is controlled by
the permission system will use object permission as a reference count.
If no threads have access to an object, the object's memory is released.

Signed-off-by: Maksim Masalski <maksim.masalski@intel.com>
2021-04-28 12:53:55 -04:00
Daniel Leung b6fd177d92 test: mem_protect/demand_paging: support using timing funcs
This adds bits to support using timing functions for displaying
paging histograms. Currently on qemu_x86_tiny is supported.

Also shorten the test names.

Signed-off-by: Daniel Leung <daniel.leung@intel.com>
2021-04-06 16:43:55 -04:00
Daniel Leung dd239be6ec tests: mem_protect/demand_paging: add paging stats tests
This uses the new functions to get paging statistics and test
if they are valid.

Signed-off-by: Daniel Leung <daniel.leung@intel.com>
2021-04-06 16:43:55 -04:00
Daniel Leung ae86519819 kernel: mmu: collect more demand paging statistics
This adds more bits to gather statistics on demand paging,
e.g. clean vs dirty pages evicted, # page faults with
IRQ locked/unlocked, etc.

Also extends this to gather per-thread demand paging
statistics.

Signed-off-by: Daniel Leung <daniel.leung@intel.com>
2021-04-06 16:43:55 -04:00
Anas Nashif 0ec3774bde userspace: rename _is_user_context -> k_is_user_context
This function is being called across the tree, no reason why it should
not be a public API.

The current usage violates a few MISRA rules.

Signed-off-by: Anas Nashif <anas.nashif@intel.com>
2021-04-01 05:34:17 -04:00
Carlo Caione 3539c2fbb3 arm/arm64: Make ARM64 a standalone architecture
Split ARM and ARM64 architectures.

Details:

- CONFIG_ARM64 is decoupled from CONFIG_ARM (not a subset anymore)
- Arch and include AArch64 files are in a dedicated directory
  (arch/arm64 and include/arch/arm64)
- AArch64 boards and SoC are moved to soc/arm64 and boards/arm64
- AArch64-specific DTS files are moved to dts/arm64
- The A72 support for the bcm_vk/viper board is moved in the
  boards/bcm_vk/viper directory

Signed-off-by: Carlo Caione <ccaione@baylibre.com>
2021-03-31 10:34:33 -05:00
Carlo Caione 807991e15f AArch64: Do not use CONFIG_GEN_PRIV_STACKS
We are setting CONFIG_GEN_PRIV_STACKS when AArch64 actually uses a
statically allocated privileged stack.

This error was not captured by the tests because we only verify whether
a read/write to a privileged stack is failing, but it can fail for a lot
of reasons including when the pointer to the privileged stack is not
initialized at all, like in this case.

With this patch we deselect CONFIG_GEN_PRIV_STACKS and we fix the
mem_protect/userspace test to correctly probe the privileged stack.

Signed-off-by: Carlo Caione <ccaione@baylibre.com>
2021-03-25 07:23:19 -04:00
Enjia Mai 3a500dfdfc tests: mem_protect: add error test case of userspace
Add some error test cases for userspace of memory protection module.
This increases the code coverage of testing.

Signed-off-by: Enjia Mai <enjiax.mai@intel.com>
2021-03-19 19:15:56 +01:00
Carlo Caione 6fb42bb316 tests: userspace: Fix test for AArch64
Fix tests/kernel/mem_protect/mem_protect/ adding support for AArch64.

Signed-off-by: Carlo Caione <ccaione@baylibre.com>
2021-03-18 19:33:59 -04:00
Carlo Caione 5941713e4d tests: userspace: Add AArch64 case
Fix tests/kernel/mem_protect/userspace test adding the arch-specific
code to support AArch64.

Signed-off-by: Carlo Caione <ccaione@baylibre.com>
2021-03-18 19:33:59 -04:00
Dean Weiten 14f541325a tests: kernel: mem_protect: add Ronoth Lodev to supported boards
The Ronoth LoDev is an open source board which uses
the AcSIP S76S, which itself contains an STM32L073.

Signed-off-by: Dean Weiten <dmw@weiten.com>
2021-03-18 08:48:30 -05:00
Daniel Leung a120799b85 tests: mem_protect/mem_map: no need to skip test if link in virt
This reverts commit 9de70a78fe.

The tests have been updated so there is no need to skip tests
when the kernel is linked in virtual address space.

Signed-off-by: Daniel Leung <daniel.leung@intel.com>
2021-03-16 15:03:44 -04:00
Andrew Boie 2b48f591e1 tests: mem_map: use physical address of test page
It may not be identity-mapped.

Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
2021-03-16 15:03:44 -04:00
Yasushi SHOJI a3e0f8c316 doc: Replace *_thread_resource_pool_assign with k_thread_heap_assign
Replace *_thread_resource_pool_assign() in the reference with the new
k_thread_heap_assign() since both k_thread_resource_pool_assign() and
z_thread_resource_pool_assign() have been removed prior to v2.5 (by the
commits c770cab1a3 and 3c2c1d85b0 respectively) along with the
k_mem_pool API removal.

For the resource pool inheritance test, the variables with "res_pool"
string has been replaced by "heap_mem" to align with the documentation
fix.  No functionality has been changed.

Signed-off-by: Yasushi SHOJI <yashi@spacecubics.com>
2021-03-11 18:22:12 -05:00
Carlo Caione 6f5a1529d4 test: mem_map: Fix compilation by removing __test_mem_map_size
This is the same problem as seen for #32053. Refer to that for the
details and propose a similar fix.

Signed-off-by: Carlo Caione <ccaione@baylibre.com>
2021-03-10 14:55:01 -05:00
Kumar Gala 53b104d461 tests: kernel: Add missing kernel tag to tests
Add kernel to any testcase.yaml files that happen to be missing for
tests under tests/kernel/

Signed-off-by: Kumar Gala <kumar.gala@linaro.org>
2021-03-05 14:52:55 -05:00
Daniel Leung 9de70a78fe tests: mem_protect/mem_map: skip z_phys_map when linking in virt
When the kernel links in virtual address space, the data
structures needed for the z_phys_map() no longer point to physical
addresses (which are required for z_phys_map() to work). So skips
these tests if CONFIG_KERNEL_LINK_IN_VIRT=y.

Signed-off-by: Daniel Leung <daniel.leung@intel.com>
2021-03-03 20:10:22 -05:00
Andy Ross 419f37043b kernel/sched: Clamp minimum timeslice when TICKLESS
When the kernel is TICKLESS, timeouts are set as needed, and drivers
all have some minimum amount of time before which they can reliably
schedule an interrupt.  When this happens, drivers will kick the
requested interrupt out by one tick.  This means that it's not
reliably possible to get a timeout set for "one tick in the
future"[1].

And attempting to do that is dangerous anyway.  If the driver will
delay a one-tick interrupt, then code that repeatedly tries to
schedule an imminent interrupt may end up in a state where it is
constantly pushing the interrupt out into the future, and timer
interrupts stop arriving!  The timeout layer actually has protection
against this case.

Finally getting to the point: in recent changes, the timeslice layer
lost its integration with the "imminent" test in the timeout code, so
it's now able to run into this situation: very rapidly context
switching code (or rapidly arriving interrupts) will have the effect
of infinitely[2] delaying timeouts and stalling the whole timeout
subsystem.

Don't try to be fancy.  Just clamp timeslice duration such that a
slice is 2 ticks at minimum and we'll never hit the problem.  Adjust
the two tests that were explicitly requesting very short slice rates.

[1] Of course, the tradeoff is that the tick rate can be 100x higher
or more, so on balance tickless is a huge win.

[2] Actually it only lasts until a 31 bit signed rollover in the HPET
cycle count in practice.

Signed-off-by: Andy Ross <andrew.j.ross@intel.com>
2021-02-24 16:39:15 -05:00
Ioannis Glaropoulos 2573f4b99c tests: remove nrf5340 PDK boards from test .yml files
Remove references to the nRF5340 PDK boards
from samples and tests .yml files.

Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
2021-02-15 07:59:43 -05:00
Enjia Mai 8474d785f4 tests: memory protect: add some error test cases
Add some error case for initializing memory domain and removing
memory partition.

Signed-off-by: Enjia Mai <enjiax.mai@intel.com>
2021-02-05 08:29:44 -05:00
Daniel Leung d19307fa45 tests: mem_protect: fix failing inheritance test under SMP
The inheritance test first creates a parent thread, and then
creates a child thread inside this parent thread. At the same
time inside the main thread, a resource pool is assigned to
the parent thread. However, when under SMP, it is possible
that the pool assignment is done between both parent/child
threads are getting pointers to the pool, due to multiple
threads are running. So when doing pool pointer comparison,
there is a mismatch between those pointers (like parent has
a null pool pointer while child is pointing to the actual
pool), and thus failing the test. So fix this by delaying
the parent from running until after pool assignment is done.

Signed-off-by: Daniel Leung <daniel.leung@intel.com>
2021-02-02 14:00:01 -05:00
Daniel Leung af37e9d999 tests: mem_map: fix execution test for x86_64 with coverage
When coverage is enabled on x86_64, GCC uses relative addressing
to increment the gcov counters. The generated code of the test
function assumes execution is in the same location where
the linker places the test function. This does not work with
the execution test as it copies the function into another part
of memory and tries to execute from there. When the copied
function starts to run, the instruction pointer is at the newly
copied function. So any relative addressing with regard to
the instruction pointer now is invalid. Instead of
<generated code RIP + offset> for gcov counter as it should be,
now the copied code is trying to access the counter at
<copied code RIP + offset>, which points to incorrect
memory location (and possibly invalid/non-mapped memory).
To fix this, we need to tell GCC not to use relative addressing.
This can be accomplished by telling GCC to use the large memory
model. This is only used for this test as this option increases
code size quite a bit, and should not be used in general.

Fixes #30434

Signed-off-by: Daniel Leung <daniel.leung@intel.com>
2021-02-02 13:59:41 -05:00
Daniel Leung 1f62817e43 tests: mem_map: put transplanted_function into its own section
This puts the transplanted_function into its own section so that
z_phys_map() can correctly map the whole range of memory used
by the function, in case someone decides to expand the function
to be bigger than a MMU page.

Signed-off-by: Daniel Leung <daniel.leung@intel.com>
2021-02-02 13:59:41 -05:00
Daniel Leung 3740f60631 tests: mem_protect: use MP_NUM_CPUS instead of SMP
The test_mem_domain_migration test creates a new thread with
different priority based on whether SMP is enabled. This causes
an issue where SMP=y and MP_NUM_CPUS=1 where the spin_entry()
would spin forever (with k_busy_wait()) and not yielding since
it has cooperative priority. Fix this by using MP_NUM_CPUS to
figure out which priority to use, as it is valid configuration
to have SMP=y and MP_NUM_CPUS=1.

Signed-off-by: Daniel Leung <daniel.leung@intel.com>
2021-01-29 19:37:25 -05:00
Andrew Boie 14c5d1f1f7 kernel: add CONFIG_ARCH_MAPS_ALL_RAM
Some arches like x86 need all memory mapped so that they can
fetch information placed arbitrarily by firmware, like ACPI
tables.

Ensure that if this is the case, the kernel won't accidentally
clobber it by thinking the relevant virtual memory is unused.
Otherwise this has no effect on page frame management.

Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
2021-01-23 19:47:23 -05:00
Andrew Boie 6c97ab3167 mmu: promote public APIs
These are application facing and are prefixed with k_.

Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
2021-01-23 19:47:23 -05:00
Andrew Boie c7be5dddda mmu: backing stores reserve page fault room
If we evict enough pages to completely fill the backing store,
through APIs like k_mem_map(), z_page_frame_evict(), or
z_mem_page_out(), this will produce a crash the next time we
try to handle a page fault.

The backing store now always reserves a free storage location
for actual page faults.

Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
2021-01-23 19:47:23 -05:00
Andrew Boie cad944e259 tests: demand_paging: add more API tests
Add remaining APIs in mem_manage.h even though not all have
been promoted to public (yet).

Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
2021-01-23 19:47:23 -05:00
Andrew Boie 60d306642e kernel: add z_num_pagefaults_get()
Simple counter of number of successfully handled page faults by
the core kernel.

Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
2021-01-23 19:47:23 -05:00
Andrew Boie ef65597b73 tests: add intial demand paging testcase
More to be added, but for now show that we can map more
anonymous memory than we physically have, and that reading/
writing to it works as expected.

Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
2021-01-23 19:47:23 -05:00
Andrew Boie 146eaf4335 tests: add basic k_mem_map() test
Show we can measure free memory properly and map a page of
anonymous memory, which has been zeroed and is writable.

Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
2021-01-23 19:47:23 -05:00
Andrew Boie d50b2419b8 tests: mem_map: pin test pages
These get mapped to multiple virtual addresses and must be
pinned.

Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
2021-01-23 19:47:23 -05:00
Andrew Boie 893822fbda arch: remove KERNEL_RAM_SIZE
We don't map all RAM at boot any more, just the kernel image.

Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
2021-01-23 19:47:23 -05:00
Anas Nashif 34e9c09330 Revert "arch: remove KERNEL_RAM_SIZE"
This reverts commit 73561be500.

Signed-off-by: Anas Nashif <anas.nashif@intel.com>
2021-01-22 08:39:45 -05:00
Anas Nashif 6785d2a2dc Revert "tests: mem_map: pin test pages"
This reverts commit 24eb50d7f4.

Signed-off-by: Anas Nashif <anas.nashif@intel.com>
2021-01-22 08:39:45 -05:00
Anas Nashif cf34c9174a Revert "tests: add basic k_mem_map() test"
This reverts commit 0f8dc1c109.

Signed-off-by: Anas Nashif <anas.nashif@intel.com>
2021-01-22 08:39:45 -05:00
Anas Nashif 6e4b33e8a5 Revert "tests: add intial demand paging testcase"
This reverts commit 060462d5c6.

Signed-off-by: Anas Nashif <anas.nashif@intel.com>
2021-01-22 08:39:45 -05:00
Anas Nashif c2c87c99c7 Revert "kernel: add z_num_pagefaults_get()"
This reverts commit d7e6bc3e84.

Signed-off-by: Anas Nashif <anas.nashif@intel.com>
2021-01-22 08:39:45 -05:00
Anas Nashif fb4db2c0a8 Revert "tests: demand_paging: add more API tests"
This reverts commit 7370895c0e.

Signed-off-by: Anas Nashif <anas.nashif@intel.com>
2021-01-22 08:39:45 -05:00
Anas Nashif 5e978d237c Revert "mmu: backing stores reserve page fault room"
This reverts commit 7a642f81ab.

Signed-off-by: Anas Nashif <anas.nashif@intel.com>
2021-01-22 08:39:45 -05:00
Anas Nashif ef17f889dc Revert "mmu: promote public APIs"
This reverts commit 63fc93e21f.

Signed-off-by: Anas Nashif <anas.nashif@intel.com>
2021-01-22 08:39:45 -05:00
Andrew Boie 63fc93e21f mmu: promote public APIs
These are application facing and are prefixed with k_.

Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
2021-01-21 16:47:00 -05:00
Andrew Boie 7a642f81ab mmu: backing stores reserve page fault room
If we evict enough pages to completely fill the backing store,
through APIs like k_mem_map(), z_page_frame_evict(), or
z_mem_page_out(), this will produce a crash the next time we
try to handle a page fault.

The backing store now always reserves a free storage location
for actual page faults.

Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
2021-01-21 16:47:00 -05:00
Andrew Boie 7370895c0e tests: demand_paging: add more API tests
Add remaining APIs in mem_manage.h even though not all have
been promoted to public (yet).

Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
2021-01-21 16:47:00 -05:00
Andrew Boie d7e6bc3e84 kernel: add z_num_pagefaults_get()
Simple counter of number of successfully handled page faults by
the core kernel.

Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
2021-01-21 16:47:00 -05:00
Andrew Boie 060462d5c6 tests: add intial demand paging testcase
More to be added, but for now show that we can map more
anonymous memory than we physically have, and that reading/
writing to it works as expected.

Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
2021-01-21 16:47:00 -05:00
Andrew Boie 0f8dc1c109 tests: add basic k_mem_map() test
Show we can measure free memory properly and map a page of
anonymous memory, which has been zeroed and is writable.

Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
2021-01-21 16:47:00 -05:00
Andrew Boie 24eb50d7f4 tests: mem_map: pin test pages
These get mapped to multiple virtual addresses and must be
pinned.

Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
2021-01-21 16:47:00 -05:00
Andrew Boie 73561be500 arch: remove KERNEL_RAM_SIZE
We don't map all RAM at boot any more, just the kernel image.

Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
2021-01-21 16:47:00 -05:00
Enjia Mai 478ddde6cc tests: skip memory mapping execution testing of qemu_x86_64 coverage
Skip the memory mapping execution test case when code coverage is enabled
for qemu_x86_64 platform. See issue #30434.

Signed-off-by: Enjia Mai <enjiax.mai@intel.com>
2021-01-05 10:32:38 -08:00
Andrew Boie d2ad783a97 mmu: rename z_mem_map to z_phys_map
Renamed to make its semantics clearer; this function maps
*physical* memory addresses and is not equivalent to
posix mmap(), which might confuse people.

mem_map test case remains the same name as other memory
mapping scenarios will be added in the fullness of time.

Parameter names to z_phys_map adjusted slightly to be more
consistent with names used in other memory mapping functions.

Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
2020-12-16 08:55:55 -05:00
Ioannis Glaropoulos 4f4dd9f29f tests: mem_protect: exclude nRF5340 DK from the gap filling test
Modify test .yaml file, to allow the .gap_filling test
variant to execute only on cortex-m33 platforms with
sufficient number of MPU regions. Copy pasting the
configuration from mem_protect/userspace test.

Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
2020-12-11 11:24:32 +01:00
Ioannis Glaropoulos cebf726a99 tests: usermode: skip arm_mpu_disable test for non-secure builds
Skip the test_disable_mmu_mpu test case for
Cortex-M non-secure builds, since the test
may enter a BusFault which is not banked
between security states and the system
may hang.

Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
2020-12-11 11:21:34 +01:00
Ioannis Glaropoulos 810e62ea05 tests: mem_protect: syscalls: skip scenarios for non-secure builds
Skip the scenario of accessing a faulty address
in test_string_nlen for Non-Secure Zephyr builds,
because accessing faulty addresses in this case
triggers SecureFault that may hang the system
completely.

Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
2020-12-11 11:21:34 +01:00
Andy Ross fcd392f6ce kernel: subsys: lib: drivers: Use k_heap instead of z_mem_pool wrappers
Use the core k_heap API pervasively within our tree instead of the
z_mem_pool wrapper that provided compatibility with the older mempool
implementation.

Almost all of this is straightforward swapping of one alloc/free call
for another.  In a few cases where code was holding onto an old-style
"mem_block" a local compatibility struct with a single field has been
swapped in to keep the invasiveness of the changes down.

Note that not all the relevant changes in this patch have in-tree test
coverage, though I validated that it all builds.

Signed-off-by: Andy Ross <andrew.j.ross@intel.com>
2020-12-07 21:50:14 -05:00
Andy Ross 76b4e4f917 tests/kernel/mem_protect: Remove mem_pool test case
The sys_mem_pool data structure is going away.  And this test case
didn't actually do much.  All it did was create a sys_mem_pool in the
app data section (I guess that's the "mem_protect" part?) and validate
that it was usable.  We have tests for sys_heap to do that already
elsewhere anyway; no point in porting.

Signed-off-by: Andy Ross <andrew.j.ross@intel.com>
2020-12-07 21:50:14 -05:00
Andy Ross 7db52bf451 tests/kernel/mem_protect: Port to k_heap API
The kernel resource pool is now a k_heap.  There is a compatibility
API still, but this is a core test that should be exercising the core
API.

Signed-off-by: Andy Ross <andrew.j.ross@intel.com>
2020-12-07 21:50:14 -05:00
Andy Ross c770cab1a3 kernel: Make thread resource pools into sys_heaps
The k_mem_pool allocator is no more, and the z_mem_pool compatibility
API is going away.  The internal allocator should be a k_heap always.

Signed-off-by: Andy Ross <andrew.j.ross@intel.com>
2020-12-07 21:50:14 -05:00
Andy Ross 6965cf526d kernel: Deprecate k_mem_pool APIs
Mark all k_mem_pool APIs deprecated for future code.  Remaining
internal usage now uses equivalent "z_mem_pool" symbols instead.

Fixes #24358

Signed-off-by: Andy Ross <andrew.j.ross@intel.com>
2020-12-07 21:50:14 -05:00
Maksim Masalski 80123899c1 tests: add test to verify assertion catches overlapped partitions
When adding the new partition to a memory domain the system must
assert that it does not overlap with any other existing partitions
in the domain.
Test to add new partition which has same start address as an
existing one, after that must happen an assertion error indicating
that new partition overlaps existing one.

Signed-off-by: Maksim Masalski <maksim.masalski@intel.com>
2020-11-26 14:18:09 +01:00
Andrew Boie 5a58ad508c arch: mem protect Kconfig cleanups
Adds a new CONFIG_MPU which is set if an MPU is enabled. This
is a menuconfig with some MPU-specific options moved
under it.

MEMORY_PROTECTION and SRAM_REGION_PERMISSIONS have been merged.
This configuration depends on an MMU or MPU. The protection
test is updated accordingly.

Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
2020-11-18 08:02:08 -05:00
Martin Åberg b5bab421b7 tests: Avoid out-of-bounds array access on SPARC
The test reads and writes outside the bounds of an array allocated on
the stack in check_input(). This commit disables the test on SPARC.

Signed-off-by: Martin Åberg <martin.aberg@gaisler.com>
2020-11-13 14:53:55 -08:00
Wentong Wu 6221439fbd tests: kernel: syscalls: add more than 6 arguments syscall test case
Add more than 6 arguments syscall test case.

Signed-off-by: Wentong Wu <wentong.wu@intel.com>
2020-11-12 17:12:38 -05:00
Andrew Boie ea6e4ad098 kernel: support non-identity RAM mapping
Some platforms may have multiple RAM regions which are
discontinuous in the physical memory map. We really want
these to be in a continuous virtual region, and we need to
stop assuming that there is just one SRAM region that is
identity-mapped.

We no longer use CONFIG_SRAM_BASE_ADDRESS and CONFIG_SRAM_SIZE
as the bounds of kernel RAM, and no longer assume in the core
kernel that these are identity mapped at boot.

Two new Kconfigs, CONFIG_KERNEL_VM_BASE and
CONFIG_KERNEL_RAM_SIZE now indicate the bounds of this region
in virtual memory.

We are currently only memory-mapping physical device driver
MMIO regions so we do not need virtual-to-physical calculations
to re-map RAM yet. When the time comes an architecture interface
will be defined for this.

Platforms which just have one RAM region may continue to
identity-map it.

Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
2020-11-09 20:19:13 -05:00
Alexandre Mergnat 0a5b25916c tests: protection: add riscv support
Execute tests are disabled for RISC-V because it isn't able
to set an execution restriction. From RISC-V documentation:
  "Instruction address-translation and protection are unaffected
  by the setting of MPRV"
MPRV is used to apply memory protection restriction when CPU is
running in machine mode (kernel).

Signed-off-by: Alexandre Mergnat <amergnat@baylibre.com>
2020-11-09 15:37:11 -05:00
Alexandre Mergnat 39208c2700 tests: mem_protect: add riscv support
Add a memory region allocation for RISCV architecture.
Also fix an arbitrary value which can't work with
RISC-V granularity.

Signed-off-by: Alexandre Mergnat <amergnat@baylibre.com>
2020-11-09 15:37:11 -05:00
Alexandre Mergnat 52e6b7fe6b tests: userspace: add riscv support
Add support for the following tests:
- test_write_control
- test_disable_mmu_mpu
- test_read_priv_stack
- test_write_priv_stack

Signed-off-by: Alexandre Mergnat <amergnat@baylibre.com>
2020-11-09 15:37:11 -05:00
Andrew Boie 4303d35380 tests: mem_protect: add migration test case
We need to make sure that if we migrate a thread to another
memory domain, the migration process doesn't cause the target
thread to explode. This is mostly a concern on SMP systems;
the thread could be running on another CPU at the same time.

Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
2020-11-05 09:33:40 -05:00
Andrew Boie eeab568a27 tests: userspace: fix tests that don't hold on MMU
MMU threads within the same memory domain have access to
each other's stacks.

Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
2020-11-05 09:33:40 -05:00
Andrew Boie f4a4583e13 tests: sys_sem: add k_thread_join() calls
There is a race condition between the child threads
exiting, and the child threads getting re-used in the
next scenario. This reproduces more often on SMP systems.

Close the race by joining on the child threads before
exiting any test scenario.

Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
2020-10-28 10:29:49 -07:00
Andrew Boie 5e18b5512b tests: mem_protect: rewrite memory domain tests
This suite now uses far less memory and is much simpler.
We still maintain coverage of all the memory domain APIs
and ensure that the maximum number of partitions can be
applied.

Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
2020-10-26 08:58:00 -04:00
Andrew Boie e26f21c96c tests: mem_protect: merge two duplicate tests
The tests test_mem_part_auto_determ_size and
test_mem_part_auto_determ_size_per_mpu are supposed to
just be checking the construction of automatic memory
partitions.

test_mem_part_auto_determ_size had a bunch of extraneous
stuff covered by other test cases and reserved three
different thread stacks.

These two tests have been drastically simplified and
combined.

Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
2020-10-26 08:58:00 -04:00
Andrew Boie 54aa0f0c81 tests: mem_protect: delete duplicate test
test_mem_part_inherity_by_child_thr duplicates logic already
present in test_permission_inheritance. That test puts a
buffer called 'inherit_buf' in 'inherit_memory_partition'
and shows that it is accessible by a child thread by
writing to it.

Delete this unnecessary test.

Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
2020-10-26 08:58:00 -04:00
Andrew Boie ae69f87fac tests: mem_protect: improve main.c organization
Tests are now grouped in the C file they occur in.

test_mark_thread_exit_uninitialized no longer occurs twice.

Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
2020-10-26 08:58:00 -04:00
Andrew Boie 4ae0f9b867 tests: mem_protect: update bss vars test
ztest_mem_partition is fine for this test. We can also run it
in user mode.

Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
2020-10-26 08:58:00 -04:00
Andrew Boie 8022aabbe8 tests: mem_protect: move partition tests
Some tests only evaluate characteristics of k_mem_partitions.
Move these to a separate C file.

Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
2020-10-26 08:58:00 -04:00
Andrew Boie 44ca58181a tests: mem_protect: static scope globals
put all globals only used in this C file in static scope, which
revealed that a few of them were not used at all.

Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
2020-10-26 08:58:00 -04:00
Andrew Boie 5c5e3597c8 tests: userspace: reduce memory domains to one
We now just use two memory domains; the default domain and an
'alternate_domain' used for tests that need to handle a memory
domain switch.

Along the way the test code was simplified.

Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
2020-10-26 13:01:29 +01:00
Andrew Boie c3e285acea tests: mem_protect: add default mem domain checks
Ensure that both the main thread and any static threads are
properly assigned to the default memory domain.

Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
2020-10-20 09:37:49 -07:00
Andrew Boie 13457ae46a Revert "tests: add new kernel objects tests"
This test is generating build warnings as it is making
checks that can never be false.

This reverts commit a4f1a5f58f.

Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
2020-10-16 14:50:56 -04:00
Maksim Masalski a4f1a5f58f tests: add new kernel objects tests
Found out that important requirements are not tested by current
kernel objects tests. Decided to fix that situation

New added tests:
1. test_kobj_assign_perms_on_alloc_obj()
Create kernel object semaphore, dynamically allocate it from the
calling thread's resource pool.
Check that object's address is in bounds of that memory pool.
Then check the requestor thread will implicitly be assigned
permission on the allocated object by using
semaphore API k_sem_init()

2. test_no_ref_dyn_kobj_release_mem()
Dynamically allocated kernel objects whose access is controlled by
the permission system will use object permission as a reference count
If no threads have access to an object, the object's memory released.

3. test_krnl_obj_static_alloc_build_time()
Take addresses of the kernel objects which are statically allocated
during the build time and verify that they are not null.
That kernel objects shouldn't require manual
registration by the end user.

4. Clean-up. Removed unused variable from userspace test.

Signed-off-by: Maksim Masalski <maksim.masalski@intel.com>
2020-10-15 11:53:55 -07:00
Andrew Boie 25e6c1fece tests: userspace: conserve memory
We don't need 3 different threads/stacks and the stack size
can be smaller, the threads don't do much.

Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
2020-10-09 11:48:53 +02:00
Eugeniy Paltsev f55080e4f9 tests: mem_protect: avoid RO region access optimization
Compiler may optimize away write to RO region and following
readback so we won't trigger fault (that actually happens with
arc MWDT toolchain).

Add volatile to avoid that.

Signed-off-by: Eugeniy Paltsev <Eugeniy.Paltsev@synopsys.com>
2020-10-06 11:41:23 -04:00
Maksim Masalski 9eddc69029 tests: added new tests for memory partitions
Add new tests to improve of the Zephyr QA testing of the memory
protection for memory domains and partitions.
I created new tests for memory protection->memory partitions for
the requirements which I think necessary to be tested.
I added Doxygen tag for each test to make it clear to understand
what each test is doing and how.

New tests for memory domains and partitions:

-test_mem_domain_api_kernel_thread_only()
By creating that test I wanted to prove that access to memory
domain APIs must be restricted only to supervisor threads.
At the same time I wanted to prove that system can support the
definition of memory domains.

-test_mem_part_auto_determ_size()
By creating that test I want to prove that system can automatically
determine application memory partition base addresses and sizes
at build time, determined by its contents. Also system can support
definition of memory partitions. At the same time test proves that OS
supports adding and removing a thread from its memory domain
assignment.

-test_mem_part_auto_determ_size_per_mmu()
That test is very important and it proves that memory partitions are
automatically sized and aligned per the constraints of the platform's
memory management hardware.

-test_mem_part_inheirt_by_child_thr()
Prove that child thread inherits memory domain assignment of its
parent.

-test_macros_obtain_names_data_bss()
Test system provides tools to obtain the names of the data and BSS
sections related to a particular application memory partition at
build time.

-test_mem_part_assign_bss_vars_zero()
Test that global data and BSS values can be assigned to application
memory partitions using macros at build time. Test that BSS values
will be zeroed at the build time.

1. According to the reviews made changes.
2. Switched test_mem_part_assert_add_overmax
and test_create_new_invalid_prio_thread_from_user
That way I exposed problem (bug) with assertion
in L171 kernel/mem_protect.c

Signed-off-by: Maksim Masalski <maksim.masalski@intel.com>
2020-10-02 11:35:28 +02:00
Alexandre Bourdiol 7cd921c9d2 tests: kernel: mem_protect: syscalls: FAULTY_ADDRESS for nucleo_l073rz
Configure faulty address for nucleo_l073rz to 0x0FFFFFFF
Fixes #28621

Signed-off-by: Alexandre Bourdiol <alexandre.bourdiol@st.com>
2020-09-23 13:11:19 -05:00
Wentong Wu 6cf50ac89c tests: kernel: mem_map: Explicitly cast function pointer to (void *)
To make Coverity happy.

Coverity-CID: 212956
Fixes: #27837.

Signed-off-by: Wentong Wu <wentong.wu@intel.com>
2020-09-21 16:49:21 -05:00
Andrew Boie 5397353dde tests: mem_protect: fix SMP race
We try to invoke `ztest_test_pass()` from inside
a fatal exception in a child thread.

On SMP this can result in the next test case starting
on another CPU, re-using the child thread before it
has a chance to exit.

Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
2020-09-14 17:28:33 -04:00
Andrew Boie 2ba861cb4f tests: mem_protect: fix test prototypes
The implementations of the test cases had the wrong prototype.
The extern declarations (which were in a C file for some reason)
were correct.

I don't want to talk about the subtle code generation and stack
corruption issues that emerged from this which at one point made
me question my own sanity.

Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
2020-09-14 17:28:33 -04:00
Yuguo Zou 9badde98d0 tests: toggle off a test scenario for em_starterkit_7d
em_starterkit_7d is not capable to generate error when access unmapped
address at kernel mode. So toggle off this part of test.

Signed-off-by: Yuguo Zou <yuguo.zou@synopsys.com>
2020-09-09 13:06:16 +02:00
Andrew Boie 1554926c4a tests: userspace: fix flaky behavior
- No longer call ztest_test_pass() out of a fatal exception,
  as if this took place on some child thread, the next test
  case could start on another CPU before the child has exited,
  leading to issues if the child thread object is recycled

- Get rid of some unnecessary synchronization semaphores.
  Use the scheduler and/or k_thread_join() instead.

- Simplify tests for read/write other threads not to spawn
  a child thread and then take a fatal fault on the ztest
  thread

- Add set_fault() clear_fault() as I do not enjoy typing.
  Despite these variables being volatile, a barrier is
  needed to prevent re-ordering around non-volatile memory
  access

- Don't call ztest_test_pass() from child thread in
  test_user_mode_enter() due to possible races

Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
2020-09-09 13:05:38 +02:00
Andrew Boie 5e0b55c30e kernel: demote k_mem_map to z_mem_map
Memory mapping, for now, will be a private kernel API
and is not intended to be application-facing at this time.

Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
2020-09-03 14:24:38 -04:00
Andrew Boie 7d32e9f9a5 mmu: support only identity RAM mapping
We no longer plan to support a split address space with
the kernel in high memory and per-process address spaces.
Because of this, we can simplify some things. System RAM
is now always identity mapped at boot.

We no longer require any virtual-to-physical translation
for page tables, and can remove the dual-mapping logic
from the page table generation script since we won't need
to transition the instruction point off of physical
addresses.

CONFIG_KERNEL_VM_BASE and CONFIG_KERNEL_VM_LIMIT
have been removed. The kernel's address space always
starts at CONFIG_SRAM_BASE_ADDRESS, of a fixed size
specified by CONFIG_KERNEL_VM_SIZE.

Driver MMIOs and other uses of k_mem_map() are still
virtually mapped, and the later introduction of demand
paging will result in only a subset of system RAM being
a fixed identity mapping instead of all of it.

Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
2020-09-03 14:24:38 -04:00
Tomasz Bursztyka 4b9134d8d2 tests: Apply IRQ offload API change
Switching to constant parameter.

Fixes #27399

Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>
2020-09-02 13:48:13 +02:00
Ioannis Glaropoulos 9163da09d6 tests: mem_protect: fix partition remove test on v8-m with 8 regions
Some ARMv8-M platforms may come with only 8 (instead of 16)
MPU regions. In these platforms, by design, a memory domain
may contain up to 2 application memory partitions, when we
build with MPU_GAP_FILLING support. To be able to test this
valid configuration we slightly modify the test code in the
mem_protect suite, and add-remove the second partition (with
index-1) instead of the third (index-2).

Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
2020-08-28 12:55:37 +02:00
Ioannis Glaropoulos 0dd300f365 tests: kernel: userspace: restrict gap-filling test to valid boards
We need to exclude the .gap_filling test from running on
ARMv8-M platforms with 8 MPU regions available, since the
userspace test defines and uses a memory domain whose number
of partitions exceed the maximum number of permitted partitions
in ARMv8-m SoCs with MPU_GAP_FILLING=y.

Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
2020-08-28 12:55:37 +02:00
Fabio Utzig 58a75eb50e tests: fix list usage in @details section
Adding the first list item in the same line as @details, creates a list
with a single item inside a paragraph, and another list with the
remaining items. What is wanted here is to have a single list with all
items, so the first item needs to be in a new line.

Signed-off-by: Fabio Utzig <fabio.utzig@nordicsemi.no>
2020-08-28 11:33:45 +02:00
Andrew Boie f1d12aa45b userspace: deprecate k_mem_domain_remove_thread()
This is just equivalent to calling k_mem_domain_add_thread()
on the default memory domain now.

Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
2020-08-26 20:35:02 -04:00
Andrew Boie d650b4e800 ztest: remove ztest_mem_domain
Just add ztest's partition to the default domain, as well as the
malloc partition if it exists.

Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
2020-08-26 20:35:02 -04:00
Andrew Boie 1a9f490353 userspace: deprecate k_mem_domain_destroy()
We don't have use-cases and it introduces complexities with
allocating page tables on MMU systems.

Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
2020-08-26 20:35:02 -04:00
Andrew Boie 4b3f50b529 tests: protection: skip XD tests on IA32
Ancient 2-level IA32 page tables don't support "eXecute Disable".
Skip the test scenarios for them.

Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
2020-08-25 15:49:59 -04:00
Andrew Boie 069aca22c1 tests: add k_mem_map() tests
Show that k_mem_map() works in various scenarios.

Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
2020-08-25 15:49:59 -04:00
Andrew Boie 2dcb80aa41 tests: syscalls: fix "faulty" memory address
If the MMU is enabled, use the page right after permanent RAM
mappings, it should be non-present.

Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
2020-08-25 15:49:59 -04:00
Maksim Masalski 435b9a1e4b tests: memory protection thread stack exit uninit
When thread is initialized and running z_object_validate
will return 0 for thread object and its thread stack object.
When thread exit, z_object_validate
will return -1 for thread object and its thread stack object.

Signed-off-by: Maksim Masalski <maksim.masalski@intel.com>
2020-08-06 07:33:39 -04:00
Maksim Masalski e9ffd9574d tests: copyright message add year to the existing
Instead of replacing of copyright year with the new one,
necessary to add new to the existing one

Signed-off-by: Maksim Masalski <maksim.masalski@intel.com>
2020-08-06 07:31:46 -04:00
Maksim Masalski d735e971f6 tests: mem protection tests updated tags
Updated current tests tags to make them more informative.
1. test_mslab updated Doxygen tag
2. test_create_alt_thread updated Doxygen tag
3. test_sys_heap_mem_pool_assign updated Doxygen tag

Signed-off-by: Maksim Masalski <maksim.masalski@intel.com>
2020-08-06 07:31:46 -04:00
Andrew Boie f856d0cf40 tests: move stacks testing to its own application
Most of these checks can be performed on non-userspace
supporting platforms.

Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
2020-07-30 21:11:14 -04:00
Andrew Boie 1331a83905 tests: userspace: enforce sub-stacks are aligned
Check that the base of every stack object is properly
defined. This can get messed up if K_THREAD_STACK_ARRAY_DEFINE
isn't specified properly.

Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
2020-07-30 21:11:14 -04:00
Andrew Boie b0c155f3ca kernel: overhaul stack specification
The core kernel computes the initial stack pointer
for a thread, properly aligning it and subtracting out
any random offsets or thread-local storage areas.
arch_new_thread() no longer needs to make any calculations,
an initial stack frame may be placed at the bounds of
the new 'stack_ptr' parameter passed in. This parameter
replaces 'stack_size'.

thread->stack_info is now set before arch_new_thread()
is invoked, z_new_thread_init() has been removed.
The values populated may need to be adjusted on arches
which carve-out MPU guard space from the actual stack
buffer.

thread->stack_info now has a new member 'delta' which
indicates any offset applied for TLS or random offset.
It's used so the calculations don't need to be repeated
if the thread later drops to user mode.

CONFIG_INIT_STACKS logic is now performed inside
z_setup_new_thread(), before arch_new_thread() is called.

thread->stack_info is now defined as the canonical
user-accessible area within the stack object, including
random offsets and TLS. It will never include any
carved-out memory for MPU guards and must be updated at
runtime if guards are removed.

Available stack space is now optimized. Some arches may
need to significantly round up the buffer size to account
for page-level granularity or MPU power-of-two requirements.
This space is now accounted for and used by virtue of
the Z_THREAD_STACK_SIZE_ADJUST() call in z_setup_new_thread.

Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
2020-07-30 21:11:14 -04:00
Maksim Masalski d18ffc9307 tests: add new threads permissions tests, modify existing
1. Found out that thread tests doesn't test next ideas of requirements,
which I think necessary to be tested and verified:
-the kernel need to prevent user threads creating new threads from
using thread or thread stack objects which are in an initialized state
-Upon thread exit, the kernel need to mark the exiting thread
and thread stack objects as uninitialized

Add new tests to test requirements above, that way we can cover more
features to be tested:
- test_new_user_thread_with_in_use_stack_obj()
- test_mark_thread_exit_uninitialized()

2. Modified test test_create_new_thread_from_user() to verify that
kernel provides new user threads access to their own thread object.

3. Also I added detailed Doxygen tags for each new test and existing
modified test.
4. Added Doxygen tag to the existing test test_stack_buffer, it
covers requirement:
-The kernel need to provide all threads read and write access to their
own stack memory buffer.

Signed-off-by: Maksim Masalski <maksim.masalski@intel.com>
2020-07-28 17:41:24 -04:00
Maksim Masalski 4f35917d1b tests: add check return value in futex_wake()
Inside function futex_wake() result of k_futex_wait() is not checked.
Coverity-CID: 211508
Fixes: #27149

Signed-off-by: Maksim Masalski <maksim.masalski@intel.com>
2020-07-28 12:34:20 -04:00
Maksim Masalski 9ccbfbd84e tests: code review changes
Code review changes.

Signed-off-by: Maksim Masalski <maksim.masalski@intel.com>
2020-07-23 12:55:47 +02:00
Maksim Masalski 32aa91d803 tests: add new futex test
Add new standalone futex test that verifies next requirements:
-Futex can be placed in user memory using ZTEST_BMEM
-User thread can write to futex value
-User threads can make wait/wake syscalls on it

Added detailed Doxygen tag with information about the test

Signed-off-by: Maksim Masalski <maksim.masalski@intel.com>
2020-07-23 12:55:47 +02:00
Maksim Masalski c9a9aacb3f tests: update kernel objects tests
1. Add code change to the test_permission_inheritance() to let it
test that child thread can't access parent thread object. Now that test
tests one more related to it feature.
2. Add new Doxygen tags with informative descriptions about the kernel
objects tests. That will make reading and understanding kernel object
tests code easier.

Signed-off-by: Maksim Masalski <maksim.masalski@intel.com>
2020-07-16 12:10:31 +02:00
Maksim Masalski a3621cecd5 tests: copyright message add year to the existing
Instead of replacing of copyright year with the new one,
necessary to add new to the existing one

Signed-off-by: Maksim Masalski <maksim.masalski@intel.com>
2020-07-15 13:26:39 +02:00
Maksim Masalski 2893aa0bc1 tests: mem protection new test inherit resource pool
To improve Zephyr tests, I think that it will necessary to have test,
that verifies a child thread inherits resource pool assignment
of their parent.

Signed-off-by: Maksim Masalski <maksim.masalski@intel.com>
2020-07-15 13:26:39 +02:00
Maksim Masalski 223723e8a9 tests: mem protect syscalls update Doxygen tags, fix API, misprints
1. Doxygen tags updates of the existing tests.
2. Fixed use of API K_MSEC in test_syscall_torture
3. Removed misprints

Signed-off-by: Maksim Masalski <maksim.masalski@intel.com>
2020-07-02 08:26:12 -04:00
Maksim Masalski f221dfec2f tests: added new doxygen tags for memory protection tests
Added new doxygen tags for tests:
1. test_mem_domain_destroy
2. test_domain_add_part_drop_to_user

Signed-off-by: Maksim Masalski <maksim.masalski@intel.com>
2020-06-23 12:18:30 -04:00
Maksim Masalski f25406af99 tests: add new Doxygen tags to threads tests
Reason is that some threads tests have poor description Doxygen
tags. I decided to fix that situation in some tests which understand.

Update Doxygen tags for the next tests:
test_create_new_supervisor_thread_from_user()
test_user_mode_enter()
test_create_new_higher_prio_thread_from_user()
test_create_new_thread_from_user_huge_stacksize()

Signed-off-by: Maksim Masalski <maksim.masalski@intel.com>
2020-06-23 11:55:26 -04:00
Krzysztof Chruscinski 1b4b9386e5 sys: util: Added separator to FOR_EACH_ macros
Added separator (e.g. comma or semicolon) parameter to FOR_EACH_ family.
Separator is added between macro execution for each argument and not at
the end.

Signed-off-by: Krzysztof Chruscinski <krzysztof.chruscinski@nordicsemi.no>
2020-06-10 11:58:13 +02:00
Anas Nashif c815b062c6 tests: kernel: remove ram restrictions
Remove all ram restrictions in kernel tests and revisit all tests and
try to make them pass on all platforms.

Signed-off-by: Anas Nashif <anas.nashif@intel.com>
2020-06-09 23:36:16 -04:00
Maksim Masalski 82855aa4e0 tests: update doxygen tags for syscalls tests
Reason is that some tests have poor description in Doxygen tags,
decided to fix that situation in some tests which I understand.
Also remove small misprints from some parts of code.

Update Doxygen tags for the next tests:
test_access_kobject_without_init_access
test_thread_without_kobject_permission
test_bad_syscall
test_syscall_invalid_kobject

Signed-off-by: Maksim Masalski <maksim.masalski@intel.com>
2020-06-09 17:46:23 -04:00
Kumar Gala a1b77fd589 zephyr: replace zephyr integer types with C99 types
git grep -l 'u\(8\|16\|32\|64\)_t' | \
		xargs sed -i "s/u\(8\|16\|32\|64\)_t/uint\1_t/g"
	git grep -l 's\(8\|16\|32\|64\)_t' | \
		xargs sed -i "s/s\(8\|16\|32\|64\)_t/int\1_t/g"

Signed-off-by: Kumar Gala <kumar.gala@linaro.org>
2020-06-08 08:23:57 -05:00
Andrew Boie 378024c510 userspace: add z_is_in_user_syscall()
Certain types of system call validation may need to be pushed
deeper in the implementation and not performed in the verification
function. If such checks are only pertinent when the caller was
from user mode, we need an API to detect this situation.

This is implemented by having thread->syscall_frame be non-NULL
only while a user system call is in progress. The template for the
system call marshalling functions is changed to clear this value
on exit.

A test is added to prove that this works.

Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
2020-06-03 22:33:32 +02:00
Peter Bigot 4438b103c2 tests: kernel: mem_protect: futex: convert to new timeout API
Remove use of the legacy timeout API.

Signed-off-by: Peter Bigot <peter.bigot@nordicsemi.no>
2020-06-03 17:47:58 +02:00
Marc Herbert debade9121 tests: make find_package(Zephyr...) REQUIRED
... because it is (required).

This makes a difference when building with CMake and forgetting
ZEPHYR_BASE or not registering Zephyr in the CMake package registry.

In this particular case, REQUIRED turns this harmless looking log
statement:

-- Could NOT find Zephyr (missing: Zephyr_DIR)
-- The C compiler identification is GNU 9.3.0
-- The CXX compiler identification is GNU 9.3.0
-- Check for working C compiler: /usr/bin/cc
-- ...
-- ...
-- ...
-- Detecting CXX compile features
-- Detecting CXX compile features - done
CMake Error at CMakeLists.txt:8 (target_sources):
  Cannot specify sources for target "app" which is not built by
  this project.

... into this louder, clearer, faster and (last but not least) final
error:

CMake Error at CMakeLists.txt:5 (find_package):
  Could not find a package configuration file provided by "Zephyr" with
  any of the following names:

    ZephyrConfig.cmake
    zephyr-config.cmake

  Add the installation prefix of "Zephyr" to CMAKE_PREFIX_PATH or set
  "Zephyr_DIR" to a directory containing one of the above files.  If
  "Zephyr" provides a separate development package or SDK, be sure it
  has been installed.

-- Configuring incomplete, errors occurred!

Signed-off-by: Marc Herbert <marc.herbert@intel.com>
2020-05-29 10:47:25 +02:00
Ioannis Glaropoulos 79ff37b9cc tests: kernel: stackprot: increase Main stack size for this test
Increase the main thread stack size for this test
to 2048; this increase prevents stacking errors in
the main thread, in several Cortex-M platforms.

Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
2020-05-28 10:31:05 +02:00
Andrew Boie 4cdaa71444 tests: userspace: check TLS location
Ensure that the TLS region is within the stack object.

Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
2020-05-27 19:48:27 +02:00
Alexandre Bourdiol 3152a0d567 tests: kernel: mem_protect: syscalls: configurable faulty address
On nucleo_f429zi and nucleo_f207zg boards,
0xFFFFFFF0 is not a faulty address.
Instead we can use 0x0FFFFFFFF.

Signed-off-by: Alexandre Bourdiol <alexandre.bourdiol@st.com>
2020-05-27 19:29:03 +02:00
Andrew Boie 3f00daea1e tests: userspace: check for TLS leakage
TLS data set when a thread is in supervisor mode should not
leak if it drops later to user mode.

Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
2020-05-13 22:02:48 +02:00
Anas Nashif ad82b38b8f tests: ztest: prefix tests with test_
Tests should always start with test_, otherwise detection of subtests
will not work through sanitycheck.

Signed-off-by: Anas Nashif <anas.nashif@intel.com>
2020-05-13 18:16:07 +02:00
Andrew Boie ac9abb10b8 tests: mem_protect: cleanup
This suite was fairly messy and very unstable on how it re-used
kernel objects.

* Unnecessary ztest_test_pass() or self-aborts removed
* k_thread_join() now used to wait for child thread completion,
  instead of a strange use of a semaphore which was effectively
  a 10ms sleep
* Barriers simplified
* the number of thread objects in kobject.c is now drastically reduced
* test case function names are now descriptive and made static if
  only used in local scope in kobject.c
* SMP no longer disabled

Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
2020-05-07 19:21:16 -04:00
Andy Ross 7832738ae9 kernel/timeout: Make timeout arguments an opaque type
Add a k_timeout_t type, and use it everywhere that kernel API
functions were accepting a millisecond timeout argument.  Instead of
forcing milliseconds everywhere (which are often not integrally
representable as system ticks), do the conversion to ticks at the
point where the timeout is created.  This avoids an extra unit
conversion in some application code, and allows us to express the
timeout in units other than milliseconds to achieve greater precision.

The existing K_MSEC() et. al. macros now return initializers for a
k_timeout_t.

The K_NO_WAIT and K_FOREVER constants have now become k_timeout_t
values, which means they cannot be operated on as integers.
Applications which have their own APIs that need to inspect these
vs. user-provided timeouts can now use a K_TIMEOUT_EQ() predicate to
test for equality.

Timer drivers, which receive an integer tick count in their
z_clock_set_timeout() functions, now use the integer-valued
K_TICKS_FOREVER constant instead of K_FOREVER.

For the initial release, to preserve source compatibility, a
CONFIG_LEGACY_TIMEOUT_API kconfig is provided.  When true, the
k_timeout_t will remain a compatible 32 bit value that will work with
any legacy Zephyr application.

Some subsystems present timeout (or timeout-like) values to their own
users as APIs that would re-use the kernel's own constants and
conventions.  These will require some minor design work to adapt to
the new scheme (in most cases just using k_timeout_t directly in their
own API), and they have not been changed in this patch, instead
selecting CONFIG_LEGACY_TIMEOUT_API via kconfig.  These subsystems
include: CAN Bus, the Microbit display driver, I2S, LoRa modem
drivers, the UART Async API, Video hardware drivers, the console
subsystem, and the network buffer abstraction.

k_sleep() now takes a k_timeout_t argument, with a k_msleep() variant
provided that works identically to the original API.

Most of the changes here are just type/configuration management and
documentation, but there are logic changes in mempool, where a loop
that used a timeout numerically has been reworked using a new
z_timeout_end_calc() predicate.  Also in queue.c, (when POLL was
enabled) a similar loop was needlessly used to try to retry the
k_poll() call after a spurious failure.  But k_poll() does not fail
spuriously, so the loop was removed.

Signed-off-by: Andy Ross <andrew.j.ross@intel.com>
2020-03-31 19:40:47 -04:00
Andy Ross 32bb2395c2 timeout: Fix up API usage
Kernel timeouts have always been a 32 bit integer despite the
existence of generation macros, and existing code has been
inconsistent about using them.  Upcoming commits are going to make the
timeout arguments opaque, so fix things up to be rigorously correct.
Changes include:

+ Adding a K_TIMEOUT_EQ() macro for code that needs to compare timeout
  values for equality (e.g. with K_FOREVER or K_NO_WAIT).

+ Adding a k_msleep() synonym for k_sleep() which can continue to take
  integral arguments as k_sleep() moves away to timeout arguments.

+ Pervasively using the K_MSEC(), K_SECONDS(), et. al. macros to
  generate timeout arguments.

+ Removing the usage of K_NO_WAIT as the final argument to
  K_THREAD_DEFINE().  This is just a count of milliseconds and we need
  to use a zero.

This patch includes no logic changes and should not affect generated
code at all.

Signed-off-by: Andy Ross <andrew.j.ross@intel.com>
2020-03-31 19:40:47 -04:00
Torsten Rasmussen 407b49b35c cmake: use find_package to locate Zephyr
Using find_package to locate Zephyr.

Old behavior was to use $ENV{ZEPHYR_BASE} for inclusion of boiler plate
code.

Whenever an automatic run of CMake happened by the build system / IDE
then it was required that ZEPHYR_BASE was defined.
Using ZEPHYR_BASE only to locate the Zephyr package allows CMake to
cache the base variable and thus allowing subsequent invocation even
if ZEPHYR_BASE is not set in the environment.

It also removes the risk of strange build results if a user switches
between different Zephyr based project folders and forgetting to reset
ZEPHYR_BASE before running ninja / make.

Signed-off-by: Torsten Rasmussen <Torsten.Rasmussen@nordicsemi.no>
2020-03-27 16:23:46 +01:00
Andrew Boie 2dc2ecfb60 kernel: rename struct _k_object
Private type, internal to the kernel, not directly associated
with any k_object_* APIs. Is the return value of z_object_find().
Rename to struct z_object.

Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
2020-03-17 20:11:27 +02:00
Anas Nashif 527bb7b7e2 doc: tests: futex: fix doxygen grouping
Add tests to kernel test group.

Signed-off-by: Anas Nashif <anas.nashif@intel.com>
2020-03-14 13:01:03 -04:00
Martí Bolívar ededeb2736 doc: fix some errors
I've been seeing these cause errors on the more recent versions of
Doxygen which come with Arch Linux for a while now. Fix these:

error: Illegal format for option TCL_SUBST, no equal sign ('=') specified for item 'YES'
$ZEPHYR_BASE/tests/kernel/mem_protect/futex/src/main.c:461: warning: end of file with unbalanced grouping commands

Just trying to get them out of my local output and as preparation for
whenever they start showing up for Ubuntu.

Signed-off-by: Martí Bolívar <marti.bolivar@nordicsemi.no>
2020-03-13 11:23:34 -04:00
Wayne Ren f67592f2e6 tests: enable mpu gap filling tests for arch which supports it
* arc supports mpu gap filling now.
* these tests can be used for any arch which supports mpu gap
  filling.

Signed-off-by: Wayne Ren <wei.ren@synopsys.com>
2020-03-10 11:58:03 +02:00
Ioannis Glaropoulos 61fc061fc4 tests: kernel: userspace: extend bad syscall-ID test-case
Extend the bad syscall-ID test case to cover
erroneously supplied large unsigned syscall-ID
values.

Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
2020-03-07 09:22:23 +02:00
Andrew Boie bd8a3bba54 tests: syscalls: add torture test
Hammer all CPUs with multiple threads all making system calls
that do memory allocations and buffer validation, in the hopes
that it will help smoke out concurrency issues.

Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
2020-02-19 12:19:43 -08:00
Andrew Boie 2c9f42100c tests: syscalls: exclude one case on nsim_sem
This works around an issue with this emulator's configuration where
there is no memory address that can be poked to generate a fault,
it is simulating memory for the entire address space.

Fixes: #22561

Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
2020-02-14 09:02:38 -08:00
Andrew Boie efc5fe07a2 kernel: overhaul unused stack measurement
The existing stack_analyze APIs had some problems:

1. Not properly namespaced
2. Accepted the stack object as a parameter, yet the stack object
   does not contain the necessary information to get the associated
   buffer region, the thread object is needed for this
3. Caused a crash on certain platforms that do not allow inspection
   of unused stack space for the currently running thread
4. No user mode access
5. Separately passed in thread name

We deprecate these functions and add a new API
k_thread_stack_space_get() which addresses all of these issues.

A helper API log_stack_usage() also added which resembles
STACK_ANALYZE() in functionality.

Fixes: #17852

Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
2020-02-08 10:02:35 +02:00
Andy Ross 83d1ca06dc tests/mem_protect/stackprot: Need a delay under SMP
The "alternate thread" test would spawn a thread and then exit the
test, but on SMP that other thread runs asynchronously and it was
possible for the main thread to exit the test entirely before the test
thread had a chance to run (and overflow its stack), leading to
spurious test case failures.

Obviously we can't exactly synchronize to an async crash, so put a
short delay in after spawning the thread.

Signed-off-by: Andy Ross <andrew.j.ross@intel.com>
2020-02-03 09:31:56 -05:00
Andrew Boie d3314851df tests: userspace: test syscall irq context
Interrupts should not be locked when servicing a system call,
and the kernel should not think we are in an interrupt handler
either.

Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
2020-01-16 08:51:16 +01:00
Andrew Boie 6f25384e7a tests: userspace: work around x86_64 bug
Exceptions on x86_64 are incorrectly implemented, and if
a preemptible thread faults, and in its overridden
k_sys_fatal_error_handler() does something which invokes
a scheduling point (such as here where we give semaphores),
the thread will be swapped out on the per-CPU exception stack
and probably explode when it is switched back in.

For now, change the faulting thread priority to co-op so this
doesn't happen.

Workaround for #21462

Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
2020-01-13 16:35:10 -05:00
Andrew Boie 8b107a8829 tests: mem_protect: use one cpu
Most of the scenarios in this test case spawn child threads
and expect them to complete before execution proceeds.

Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
2020-01-13 16:35:10 -05:00
Andrew Boie d49f413c54 tests: futex: use one cpu
Nearly all of these cases create a child thread that needs
to complete before the main test proceeds further. If the
child thread runs simultaneously on another CPU, this gets
messed up.

Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
2020-01-13 16:35:10 -05:00
Andrew Boie 24ff46c634 tests: userspace: use 1cpu for some cases
This test spawns a child thread and expects it to complete.
Use one CPU for it. Get rid of the useless k_thread_abort()
call and add a k_yield() to ensure the child does its
thing.

Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
2020-01-13 16:35:10 -05:00
Ulf Magnusson d4ad36e8d6 tests: userspace: Do not assign promptless THREAD_USERSPACE_LOCAL_DATA
Assignments have no effect on promptless symbols. Flagged by
https://github.com/zephyrproject-rtos/zephyr/pull/20742.

This symbol should already be getting enabled if CONFIG_USERSPACE is
enabled, because CONFIG_ERRNO is default y and has

    select THREAD_USERSPACE_LOCAL_DATA if USERSPACE

Signed-off-by: Ulf Magnusson <Ulf.Magnusson@nordicsemi.no>
2020-01-13 19:04:27 +01:00
Carlo Caione aec9a8c4be arch: arm: Move ARM code to AArch32 sub-directory
Before introducing the code for ARM64 (AArch64) we need to relocate the
current ARM code to a new AArch32 sub-directory. For now we can assume
that no code is shared between ARM and ARM64.

There are no functional changes. The code is moved to the new location
and the file paths are fixed to reflect this change.

Signed-off-by: Carlo Caione <ccaione@baylibre.com>
2019-12-20 11:40:59 -05:00
Andrew Boie a26b9e3dd5 tests: mem_protect: fix cast warning
tc_number is passed to a child thread as a parameter, which is
void *. We want to treat it as an integer, but a direct cast
to int causes a warning on 64-bit platforms; cast to uintptr_t
first to suppress it.

Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
2019-12-18 11:17:33 -08:00
Andrew Boie 3b066d4cf5 tests: userspace: fix 64-bit issues
In addition to not assuming all pointers fit in a u32_t,
logic is added to find the privilege mode stack on x86_64
and several error messages now contain more information.

Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
2019-12-12 14:48:42 -08:00
Andrew Boie 3c456fc86a tests: mem_protect: fix corruption issue
This test has a problem, specifically in the scenario for
test_mem_domain_remove_partitions. A low priority thread (10)
is created which is expected to produce an exception. Then
the following happens:

- The thread indeed crashes and ends up in the custom fatal
  error handler, on the stack used for exceptions
- The call to ztest_test_pass() is made
- ztest_test_pass() gives the test_end_signal semaphore
- We then context switch to the ztest main thread which is
  higher priority, leaving the thread that crashed context
  switched out *on the exception stack*
- More tests are run, and some of them also produce exceptions
- Eventually we do a sleep and the original crashed thread is
  swapped in again
- Since several other exceptions have taken place on the
  exception stack since then, resuming context results in
  an unexpected error, causing the test to fail

Only seems to affect arches that have a dedicated stack for
exceptions, like x86_64. For now, increase the priority of
the child thread so it's cleaned up immediately. Longer-term,
this all needs to be re-thought in the test case to make this
less fragile.

Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
2019-12-12 14:48:42 -08:00
Andrew Boie 69d47c170e tests: mem_protect: don't cast pointers to u32_t
Use uintptr_t instead. Fixes some 64-bit issues.

Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
2019-12-12 14:48:42 -08:00
Andrew Boie b5c681071a kernel: don't use u32_t for data sizes
Use a size_t instead.

Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
2019-12-12 14:48:42 -08:00
Kumar Gala a8171db6a6 doc: Fix warnings associated with 'unbalanced grouping commands'
Builds of docs with doxygen 1.8.16 have a number of warnings of the form:
'warning: unbalanced grouping commands'.  Fix those warnings by either
balancing the group command or removing it.

Signed-off-by: Kumar Gala <kumar.gala@linaro.org>
2019-12-12 12:39:35 -06:00
Anas Nashif e0f677649a tests: semaphore: cleanup asserts
Remove newline from asserts.

Signed-off-by: Anas Nashif <anas.nashif@intel.com>
2019-11-15 08:04:52 -05:00
Ioannis Glaropoulos 01a5ef2b9c tests: stack_random: fix reading volatile variable
Fix coverity issue 20534: read the status of a volatile
variable in an ASSERT statement via a stack variable
declared and defined for this purpose.

Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
2019-11-12 07:07:01 -06:00
Andrew Boie e09a0255da kernel: synchronize irq_offload() access
Entering irq_offload() on multiple CPUs can cause
difficult to debug/reproduce crashes. Demote irq_offload()
to non-inline (it never needed to be inline anyway) and
wrap the arch call in a semaphore.

Some tests which were unnecessarily killing threads
have been fixed; these threads exit by themselves anyway
and we won't leave the semaphore dangling.

The definition of z_arch_irq_offload() moved to
arch_interface.h as it only gets called by kernel C code.

Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
2019-11-08 15:16:43 -08:00
Andrew Boie 4f77c2ad53 kernel: rename z_arch_ to arch_
Promote the private z_arch_* namespace, which specifies
the interface between the core kernel and the
architecture code, to a new top-level namespace named
arch_*.

This allows our documentation generation to create
online documentation for this set of interfaces,
and this set of interfaces is worth treating in a
more formal way anyway.

Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
2019-11-07 15:21:46 -08:00
Ioannis Glaropoulos 40fbff6c8f tests: kernel: mem_protect: run tests with ARMV8-M MPU gap filling
We add a new test-case for the mem_protect and userspace tests,
to test the ARMv8-M MPU driver without the skipping of full SRAM
partitioning (i.e. gap filling).

Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
2019-11-07 09:41:54 -08:00
Stephanos Ioannidis 2d7460482d headers: Refactor kernel and arch headers.
This commit refactors kernel and arch headers to establish a boundary
between private and public interface headers.

The refactoring strategy used in this commit is detailed in the issue

This commit introduces the following major changes:

1. Establish a clear boundary between private and public headers by
  removing "kernel/include" and "arch/*/include" from the global
  include paths. Ideally, only kernel/ and arch/*/ source files should
  reference the headers in these directories. If these headers must be
  used by a component, these include paths shall be manually added to
  the CMakeLists.txt file of the component. This is intended to
  discourage applications from including private kernel and arch
  headers either knowingly or unknowingly.

  - kernel/include/ (PRIVATE)
    This directory contains the private headers that provide private
   kernel definitions which should not be visible outside the kernel
   and arch source code. All public kernel definitions must be added
   to an appropriate header located under include/.

  - arch/*/include/ (PRIVATE)
    This directory contains the private headers that provide private
   architecture-specific definitions which should not be visible
   outside the arch and kernel source code. All public architecture-
   specific definitions must be added to an appropriate header located
   under include/arch/*/.

  - include/ AND include/sys/ (PUBLIC)
    This directory contains the public headers that provide public
   kernel definitions which can be referenced by both kernel and
   application code.

  - include/arch/*/ (PUBLIC)
    This directory contains the public headers that provide public
   architecture-specific definitions which can be referenced by both
   kernel and application code.

2. Split arch_interface.h into "kernel-to-arch interface" and "public
  arch interface" divisions.

  - kernel/include/kernel_arch_interface.h
    * provides private "kernel-to-arch interface" definition.
    * includes arch/*/include/kernel_arch_func.h to ensure that the
     interface function implementations are always available.
    * includes sys/arch_interface.h so that public arch interface
     definitions are automatically included when including this file.

  - arch/*/include/kernel_arch_func.h
    * provides architecture-specific "kernel-to-arch interface"
     implementation.
    * only the functions that will be used in kernel and arch source
     files are defined here.

  - include/sys/arch_interface.h
    * provides "public arch interface" definition.
    * includes include/arch/arch_inlines.h to ensure that the
     architecture-specific public inline interface function
     implementations are always available.

  - include/arch/arch_inlines.h
    * includes architecture-specific arch_inlines.h in
     include/arch/*/arch_inline.h.

  - include/arch/*/arch_inline.h
    * provides architecture-specific "public arch interface" inline
     function implementation.
    * supersedes include/sys/arch_inline.h.

3. Refactor kernel and the existing architecture implementations.

  - Remove circular dependency of kernel and arch headers. The
   following general rules should be observed:

    * Never include any private headers from public headers
    * Never include kernel_internal.h in kernel_arch_data.h
    * Always include kernel_arch_data.h from kernel_arch_func.h
    * Never include kernel.h from kernel_struct.h either directly or
     indirectly. Only add the kernel structures that must be referenced
     from public arch headers in this file.

  - Relocate syscall_handler.h to include/ so it can be used in the
   public code. This is necessary because many user-mode public codes
   reference the functions defined in this header.

  - Relocate kernel_arch_thread.h to include/arch/*/thread.h. This is
   necessary to provide architecture-specific thread definition for
   'struct k_thread' in kernel.h.

  - Remove any private header dependencies from public headers using
   the following methods:

    * If dependency is not required, simply omit
    * If dependency is required,
      - Relocate a portion of the required dependencies from the
       private header to an appropriate public header OR
      - Relocate the required private header to make it public.

This commit supersedes #20047, addresses #19666, and fixes #3056.

Signed-off-by: Stephanos Ioannidis <root@stephanos.io>
2019-11-06 16:07:32 -08:00
Daniel Leung b7eb04b300 x86: consolidate x86_64 architecture, SoC and boards
There are two sets of code supporting x86_64: x86_64 using x32 ABI,
and x86 long mode, and this consolidates both into one x86_64
architecture and SoC supporting truly 64-bit mode.

() Removes the x86_64:x32 architecture and SoC, and replaces
   them with the existing x86 long mode arch and SoC.
() Replace qemu_x86_64 with qemu_x86_long as qemu_x86_64.
() Updates samples and tests to remove reference to
   qemu_x86_long.
() Renames CONFIG_X86_LONGMODE to CONFIG_X86_64.

Signed-off-by: Daniel Leung <daniel.leung@intel.com>
2019-10-25 17:57:55 -04:00
Maksim Masalski 6882d97531 tests: new updated names for the kernel tests
After running the Sanitycheck script I found out that some test cases
have the same test case name in the test result .xml file.
To get rid of it, I decided to change test cases names
for the kernel tests.

Signed-off-by: Maksim Masalski <maksim.masalski@intel.com>
2019-10-24 06:25:53 -04:00
Ioannis Glaropoulos 04c334ad1b tests: kernel: userspace: replace inline assembly with C code
We replace an inline assembly block of code with CMSIS
functions, to make it portable to ARMv6-M architecture.

Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
2019-10-15 10:06:48 -07:00
Andrew Boie 06d3e958a7 tests: move x86_mmu_api test
This is x86-specific.

Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
2019-10-14 11:49:39 -07:00
Andrew Boie 31620b90e2 x86: refactor mmustructs.h
The struct definitions for pdpt, pd, and pt entries have been
removed:

 - Bitfield ordering in a struct is implementation dependent,
   it can be right-to-left or left-to-right
 - The two different structures for page directory entries were
   not being used consistently, or when the type of the PDE
   was unknown
 - Anonymous structs/unions are GCC extensions

Instead these are now u64_t, with bitwise operations used to
get/set fields.

A new set of inline functions for fetching various page table
structures has been implemented, replacing the older macros.

Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
2019-10-14 11:49:39 -07:00
Andrew Boie ab4d647e6d x86: mmu: get rid of x86_page_entry_data_t typedef
This hasn't been necessary since we dropped support for 32-bit
non-PAE page tables. Replace it with u64_t and scrub any
unnecessary casts left behind.

Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
2019-10-14 11:49:39 -07:00
Andrew Boie e3ab43580c x86: move mmustructs.h
This will be used for both 32-bit and 64-bit mode.
This header gets pulled in by x86's arch/cpu.h, so put
it in include/arch/x86/.

Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
2019-10-14 11:49:39 -07:00
Peter Bigot 6e5db350b2 coccinelle: standardize k_sleep calls with integer timeouts
Re-run with updated script to convert integer literal delay arguments to
k_sleep to use the standard timeout macros.

Signed-off-by: Peter Bigot <peter.bigot@nordicsemi.no>
2019-10-09 08:38:10 -04:00
Andrew Boie f0ddbd7eee x86: abstract toplevel page table pointer
This patch is a preparatory step in enabling the MMU in
long mode; no steps are taken to implement long mode support.

We introduce struct x86_page_tables, which represents the
top-level data structure for page tables:

- For 32-bit, this will contain a four-entry page directory
  pointer table (PDPT)
- For 64-bit, this will (eventually) contain a page map level 4
  table (PML4)

In either case, this pointer value is what gets programmed into
CR3 to activate a set of page tables. There are extra bits in
CR3 to set for long mode, we'll get around to that later.

This abstraction will allow us to use the same APIs that work
with page tables in either mode, rather than hard-coding that
the top level data structure is a PDPT.

z_x86_mmu_validate() has been re-written to make it easier to
add another level of paging for long mode, to support 2MB
PDPT entries, and correctly validate regions which span PDPTE
entries.

Some MMU-related APIs moved out of 32-bit x86's arch.h into
mmustructs.h.

Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
2019-10-04 15:53:49 -07:00
Andrew Boie fe031611fd kernel: rename main/idle thread/stacks
The main and idle threads, and their associated stacks,
were being referenced in various parts of the kernel
with no central definition. Expose these in kernel_internal.h
and namespace with z_ appropriately.

The main and idle threads were being defined statically,
with another variable exposed to contain their pointer
value. This wastes a bit of memory and isn't accessible
to user threads anyway, just expose the actual thread
objects.

Redundant MAIN_STACK_SIZE and IDLE_STACK_SIZE defines
in init.c removed, just use the Kconfigs they derive
from.

Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
2019-09-30 15:25:55 -04:00