BIT macro uses an unsigned int avoiding implementation-defined behavior
when shifting signed types.
MISRA-C rule 10.1
Signed-off-by: Flavio Ceolin <flavio.ceolin@intel.com>
This adds a compiler option -fno-inline for code coverage on
architectures which supports doing code coverage. This also
modifies the ALWAYS_INLINE macro to not do any inlining. This
needs to be done so code coverage can count the number of
executions to the correct lines.
Signed-off-by: Daniel Leung <daniel.leung@intel.com>
Field stack_info.size is supposed to hold the actual writable
thread stack area, above what is pointed to by stack_info.start.
Therefore, in all MPU architectures we can program the Thread
Stack MPU region as starting from thread->stack_obj and with
size equal to stack_info.size plus the (possible) difference
between stack_obj and stack_info.start.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
Consider a stack buffer at address 0x10000 with size 1024.
If a thread is created with this stack object, the resulting
fields in thread.stack_info ended up being a base address of
0x10020 with size 1024. The guard size needed to be subtracted
from the size in order for the bounds to be correct.
Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
FPU's control and status register (FPCSR) for a thread is not
initialized. Random values are written to this register and this leads
to failure on fp_sharing test.
FPCSR register is set to 0 according to the value of FPDSCR.
Signed-off-by: Andrei Gansari <andrei.gansari@nxp.com>
Fix the type of struct field index to int, to avoid
loss of precision, in case the variable holds the value
-EINVAL (in the case of errors in MPU configuration).
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
In arm_core_mpu_mem_partition_config_update() we must fix the
index value of the start of the for loop, to address the case
when dynamic MPU regions are programmed in index values lower
than static_regions_num. (This might occur in ARMv8-M MPU,
depending on the order of programming the map of the
dynamic regions in run-time). We introduce function
_get_dyn_region_min_index(), and provide the implementation in
arm_mpu_v8_internal.h and arm_mpu_v7_internal.h (trivial).
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
In this commit we fix the implementation of internal function
_mpu_buffer_validate(), so it can work in the presence of a
security attribution unit (SAU, or IDAU). The fast validation
based on the CMSE address range check intrinsic is performed
first: if it fails, then a second, MPU-only check is performed
for ARMV8-M platforms that have TEE capabilities (i.e. SAU/IDAU
units).
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
Enhance the documentation for internal ARMv8-M MPU
function _mpu_buffer_validate().
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
This commit adds an explanatory comment in ARM __swap()
function, stressing when, exactly, context-switch is
expected to occur, when we pend the PendSV exception.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
The ARM Cortex-M 321 application note is stressing that if
we disable interrupts by executing CPSID i(f), or by MSR
instructions (on PRIMASK, FAULTMASK registers), there is no
requirement to add barrier instructions after disabling
interupts. However, in ARMv7-M (and ARMv8-M Mainline) we use
BASEPRI, instead. Therefore, if we need the effect of disabling
interrupts to be recongnized immediately we should add barrier
instructions. This commit adds DSB and ISB barriers when
disabling interrupt using BASEPRI in the generic
arm _irq_lock() function as well as in the PendSV handler,
where we need to access kernel globals right after the interrups
are disabled.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
The clang ARM assembler is a bit stricter than GNU as. Change mov to
movs for ARMv6 case of z_arch_switch_to_main_thread.
Signed-off-by: Kumar Gala <kumar.gala@linaro.org>
This commit partially reverts the changes introduced in
(bbe1a19786), where the PSP
modification, the interrupt enabling, and the branch to main
thread were refactored in C functions. This introduced an issue
with stack usage when compiling without any optimization.
Reverting to use assembly functions to jump to main thread
ensures, now, that the pointer to main() is preserved intact
while changing the PSP and passed correctly to z_thread_entry().
Fixes#14471.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
This commit simply moves the MPU re-programming of
dynamic regions during initialization to occur right
before switching PSP to the main thread stack. As a
result, the MPU re-programming will execute using
the interrupt stack. No functional changes are
introduced.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
The clang ARM assembler is a bit stricter than GNU as, make a few
changes so things build with both
Signed-off-by: Peter Smith <peter.smith@linaro.org>
Signed-off-by: Kumar Gala <kumar.gala@linaro.org>
Architecture defconfigs are not used anymore and are stale. Remove them
to avoid confusion.
Related to #14442
Signed-off-by: Anas Nashif <anas.nashif@intel.com>
Update reserved function names starting with one underscore, replacing
them as follows:
'_k_' with 'z_'
'_K_' with 'Z_'
'_handler_' with 'z_handl_'
'_Cstart' with 'z_cstart'
'_Swap' with 'z_swap'
This renaming is done on both global and those static function names
in kernel/include and include/. Other static function names in kernel/
are renamed by removing the leading underscore. Other function names
not starting with any prefix listed above are renamed starting with
a 'z_' or 'Z_' prefix.
Function names starting with two or three leading underscores are not
automatcally renamed since these names will collide with the variants
with two or three leading underscores.
Various generator scripts have also been updated as well as perf,
linker and usb files. These are
drivers/serial/uart_handlers.c
include/linker/kobject-text.ld
kernel/include/syscall_handler.h
scripts/gen_kobject_list.py
scripts/gen_syscall_header.py
Signed-off-by: Patrik Flykt <patrik.flykt@intel.com>
The commit adds an __ASSERT statement when configuring
the ARMv8-M build-in stack guard for supervisor thread
stack overflow protection, to catch the case when the
stack_info.start does not point to the beginning of the
thread stack allocated area, pointed by stack_obj.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
This commit does the following:
- moves the reservation of the area for local thread data
inside the arch-specific _new_thread() function,
- aligns the end of the thread's stack with the granularity
of the MPU, already at thread's initialization, moving it
out of userspace_enter() function. In this way, the local
thread data are stored inside the thread stack area that
is, later, assigned unprivileged RW permissions (if thread
enters user mode).
- passes the right thread stack size information to function
_new_thread_init(), which stores it into stack_info.start.
As a result, the whole usable User Thread stack area (i.e.
excluding a possible guard area) falls inside the region
programmed as unprivileged RW, during context-switch.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
Appears within a menu that already has 'depends on ARM_SECURE_FIRMWARE'.
'depends on FOO' on a menu will add 'depends on FOO' to each item within
it. 'if FOO' work similarly.
Tip: When adding a symbol, check its dependencies in the menuconfig
('ninja menuconfig', then / to jump to the symbol). The menuconfig also
shows how the file with the symbol got included, so if you see
duplicated dependencies, it's easy to hunt down where they come from.
Signed-off-by: Ulf Magnusson <Ulf.Magnusson@nordicsemi.no>
- The ARC CPU_HAS_MPU dependencies were added within the menu
menu "ARCH MPU Options"
depends on CPU_HAS_MPU
(arch/arc/core/mpu/Kconfig is source'd within it).
- The ARM CPU_HAS_MPU dependencies were redundantly added by
if CPU_HAS_MPU
source "arch/arm/core/cortex_m/mpu/Kconfig"
endif
and by some 'depends on CPU_HAS_MPU' within that file. Remove the
'depends on' and move the 'if' into the file instead.
Tip: Jump to symbols with '/' in the menuconfig and press '?' to check
their dependencies. If there are duplicated dependencies, the
'included via ...' path can be handy to discover where they are added.
Signed-off-by: Ulf Magnusson <Ulf.Magnusson@nordicsemi.no>
Refactor internal ARM v7m and v8m MPU region re-programming
functions to take as argument a pointer to k_mem_partition
objects, instead of the object itself.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
Refactor internal NXP MPU region re-programming functions
to take as argument a pointer to k_mem_partition objects,
instead of the object itself.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
This commit refactors the MPU region re-programming functions,
to take as argument an array of pointers to memory partition
structures, instead of the whole array of the partitions. In
this way the stack usage can be minimized, if the actual
partition information is kept in statically allocated memory.
instead of the map itself.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
The "ARM Cortex-M options" menu is already within a 'if CPU_CORTEX_M',
so no need to put 'depends on CPU_CORTEX_M' on it.
Tip: Jump to symbols with '/' in the menuconfig and press '?' to check
their dependencies. If there are duplicated dependencies, the
'included via ...' path can be handy to discover where they are added.
Signed-off-by: Ulf Magnusson <Ulf.Magnusson@nordicsemi.no>
Based on the definition of _ARCH_THREAD_STACK_DEFINE() macro
for ARM, the MPU Stack Guard region is placed inside the
allocated stack object, only if
CONFIG_MPU_REQUIRES_POWER_OF_TWO_ALIGNMENT and CONFIG_USERSPACE
are both set. For ARM stack objects, allocated using the
_ARCH_THREAD_STACK_DEFINE() macro, such as the threads' stacks
and the interrupt stack, the above must be reflected on how we
set the initial start of the stacks.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
On x86, if a supervisor thread belonging to a memory domain
adds a new partition to that domain, subsequent context switches
to another thread in the same domain, or dropping itself to user
mode, does not have the correct setup in the page tables.
Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
This commit introduces a generic arch/arm function to evaluate
thread stack corruption. The function shall be used upon
occurrence of MemManage and Bus Faults.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
This commit adds an explanatory note in the places
where we manually adjust the PSP after stacking Bus
and MemManage errors, stressing that this is due to
the fact that interrupt tail-chaining cannot always
be guaranteed by the processor.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
The commit removes a redundant check for imprecise bus fault,
when a precise bus fault has occurred, now that we have
re-worked the BusFault handler to iterate through all possible
bus errors.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
This commit reworks the logic, based on which we assess
thread stack corruptions upon BusFault exceptions triggered
by the NXP MPU module. BusFaults rely on calling external
function to assess whether a thread stack corruption due to
overflow has occurred. Upon detection of stack corruption,
the current stack pointer is manually adjusted upwards, to
prevent un-stacking errors from firing up upon returning from
the exception.
Additionally, the commit allows to be checking for all different
types of BusFault occurrences that are reported through BFSR,
without stopping after having spotted the first BusFault type.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
This commit reworks the logic, based on which we assess
thread stack corruptions upon MemManageFault exceptions.
Furthermore, it takes out all kernel-related logic and relies
on calling external function 'evaluate_thread_stack_corruption'
to assess whether a thread stack overflow has occurred. Upon
detection of stack corruption, the current stack pointer is
manually adjusted upwards, to prevent un-stacking errors from
firing up upon returning from the exception.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
This commit improves the debug message on UsageFaults
related to Stack overflow, stating that the context
area is not valid. An inline comment is added, with
more detailed explanation.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
This commit fixes two Constant Expression Result errors,
in the NXP MPU driver due to incompatible integer types.
Fixes#13836.
Fixes#13865.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
This commit fixes several essential inline comments in the
core assembly code for ARM, improving code readability.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
This commit applies the same fixes, concering the Constant
Expression Result errors identified in the ARMv7-M and the
NXP MPU drivers, into the ARMv8-M MPU implementation.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
This commit fixes two Constant Expression Result errors,
in the ARMv7-M MPU driver due to incompatible integer types.
Fixes#13844.
Fixes#13854.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
This commit aligns the implementation of arm_core_mpu_disable()
function in NXP MPU with the implementation in the ARM MPU
module, by introducing a Data Memory Barrier, (DMB) instead of
a DSB instruction. This is in accordance with the ARM guidelines
of using the memory protection unit.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
This is an integral part of userspace and cannot be used
on its own. Fold into the main userspace configuration.
Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
Instead of having to enable ramfunc support manually, just make it
transparently available to users, keeping the MPU region disabled if not
used to not waste a MPU region. This however wastes 24 bytes of code
area when the MPU is disabled and 48 bytes when it is enabled, and
probably a dozen of CPU cycles during boot. I believe it is something
acceptable.
Note that when XIP is used, code is already in RAM, so the __ramfunc
keyword does nothing, but does not generate an error.
Signed-off-by: Aurelien Jarno <aurelien@aurel32.net>
The linker file defines the __ramfunc_ram_size symbols to get the size
of the __ramfunc_ram section. Use that instead of computing the value at
runtime from the start and end symbols. This saves 16 bytes of code with
CONFIG_RAM_FUNCTION=y.
Signed-off-by: Aurelien Jarno <aurelien@aurel32.net>
Using __ramfunc to places a function in RAM instead of Flash.
Code that for example reprograms flash at runtime can't execute
from flash, in that case must placing code into RAM.
This commit create a new section named '.ramfunc' in link scripts,
all functions has __ramfunc keyword saved in thats sections and
will load from flash to sram after the system booted.
Fixes: #10253
Signed-off-by: qianfan Zhao <qianfanguijin@163.com>
This commit fixes a bug that was always propagating the
default error reason (_NANO_ERR_HW_EXCEPTION) to the
system fatal error handler for (strictly) Secure and
for Non-Secure FW builds on ARMv8-M.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
Include the EXC_RETURN payload flag macro definitions into
compilation when building for Non-Secure firmware, too.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
This commit fixes a bug for ARM builds with no USERSPACE support
where the MPU stack guard had been erroneously placed, i.e. not
at the beginning of the stack object. This was eating 32-bytes
off of the thread stack. In addition to that, the commit adds a
usefull ASSERT statement for builds with USERSPACE, which checks
that the start of the guard matches the beginning of the entire
stack object.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
Its possible that memcpy is marked to check that a NULL value is passed
to it. The instance of memcpy in relocate_vector_table its valid that
we're are copying to 0/NULL. So supress the possible warning generated
by gcc -Wnonnull.
Signed-off-by: Kumar Gala <kumar.gala@linaro.org>
With this commit we clear the BusFault Status Register error
bits, after processing the fault, for all ARM architecture
variants and implementations (not only for ARMv8-M mainline).
That is a fix, since the bits are sticky in the ARMv7-M
variants, as well. The commit fixes, additionally, a typo
in the spelling of BFSR.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
