Some platforms have the possibility to cancel the powering off until the
very latest moment (for example if an IRQ is received). Deal with this
kind of failure.
Signed-off-by: Carlo Caione <ccaione@baylibre.com>
A Cortex-M BusFault often arises from the execution of a function
pointer that got corrupted.
The Zephyr Cortex-M fault handler de-references the `$pc` in
`z_arm_is_synchronous_svc()` to determine if the fault was due to a
kernel oops (ARCH_EXCEPT). This can cause a BusFault if the pc itself
was corrupt. A BusFault from a HardFault will trigger ARM Cortex-M
"Lockup" preventing the Zephyr fault handler from running to
completion. This, in turn, results in no fault handling information
getting dumped by the Zephyr fault handler.
To fix the issue, we can simply set the `CCR.BFHFNMIGN` bit prior to
the instruction address dereference which will cause the processor to
ignore the BusFault and return a value of 0x0 instead of entering
lockup. After the operation is complete, we clear `CCR.BFHFNMIGN` as
it would be unexpected for any other code in the fault handler to
trigger a fault.
The issue can be reproduced programmatically with:
```
void (*unaligned_func)(void) = (void (*)(void))0x50000001;
unaligned_func();
```
I bumped into this problem while debugging an issue on the nRF9160DK
(`west build --board nrf9160dk_nrf9160ns`) and confirmed that after
making this change I now see the full fault handler print:
```
[00:00:45.582,214] <err> os: Exception occurred in Secure State
[00:00:45.582,244] <err> os: ***** HARD FAULT *****
[...]
[00:00:45.583,984] <err> os: Current thread: 0x2000d340 (shell_uart)
[00:00:45.829,498] <err> fatal_error: Resetting system
```
Signed-off-by: Chris Coleman <chris@memfault.com>
Allow enabling FPU with TF-M with the following limitations:
- Only IPC mode is supported by TF-M.
- Disallow FPU hard ABI when building the NS application, the TF-M build
system does not pass the flags correctly to all dependencies.
Signed-off-by: Joakim Andersson <joakim.andersson@nordicsemi.no>
Some processors support Dual-redundant Core Lock-step
(DCLS) topology but the processor still can be run in
split-lock mode (by default or changed at flash time).
So, introduce config DCLS that is enabled by default if
config CPU_HAS_DCLS is set, it should be disabled if
processor is used in split-lock mode.
Signed-off-by: Dat Nguyen Duy <dat.nguyenduy@nxp.com>
Execute data and instruction sync barriers after writing to SCTLR
to disable the MPU, to ensure the registers are set before
proceeding and that the new changes are seen by the instructions
that follow.
Signed-off-by: Manuel Arguelles <manuel.arguelles@nxp.com>
Execute data and instruction sync barriers after writing to SCTLR
to enable the MPU, to ensure the registers are set before
proceeding and that the new changes are seen by the instructions
that follow.
Signed-off-by: Manuel Arguelles <manuel.arguelles@nxp.com>
When compiling OpenAMP with Zephyr Cache Management, undefined references
are listed for all functions called within the cache management
Signed-off-by: Ryan McClelland <ryanmcclelland@fb.com>
MISRA C:2012 Rule 14.4 (The controlling expression of an if statement
and the controlling expression of an iteration-statement shall have
essentially Boolean type.)
Use `do { ... } while (false)' instead of `do { ... } while (0)'.
Use comparisons with zero instead of implicitly testing integers.
Use comparisons with NULL instead of implicitly testing pointers.
Use comparisons with NUL instead of implicitly testing plain chars.
This commit is a subset of the original auditable-branch commit:
5d02614e34a86b549c7707d3d9f0984bc3a5f22a
Signed-off-by: Simon Hein <SHein@baumer.com>
The use of spsr_hyp is "UNPREDICTABLE" for the ARM Cortex-R52.
Some implementations choose to implement the behavior, but it
should not be assumed.
Fixes #47330
Signed-off-by: Tobias Röhmel <tobias.roehmel@rwth-aachen.de>
We can use definitions provided by "standard CMSIS" to access
MEMFAULT/BUSFAULT/USGFAULT fields in CFSR.
Signed-off-by: Gerard Marull-Paretas <gerard.marull@nordicsemi.no>
This commit adds icache and dcache maintenance functions
for aarch32.
Signed-off-by: Jamie Iles <quic_jiles@quicinc.com>
Signed-off-by: Dave Aldridge <quic_daldridg@quicinc.com>
Buffer size must be decreased by one when non-zero to calculate the
right end address, and this must be checked for overflows.
Variables for region limit renamed for clarity since they may be
understood as the raw register values.
Signed-off-by: Manuel Arguelles <manuel.arguelles@nxp.com>
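The end-address calculation described in the commit message above, as an added example that is not the Zephyr code; `struct region`, `buffer_end()` and `buffer_in_region()` are hypothetical names, and the addresses in `main()` are constructed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Hypothetical region descriptor: base and limit are inclusive byte
 * addresses, not raw RBAR/RLAR register values. */
struct region {
	uintptr_t base;
	uintptr_t limit;
};

/* Compute the inclusive last address of [start, start + size).
 * A zero-sized buffer ends at its own start address. Returns false if
 * the end address would wrap past the top of the address space. */
static bool buffer_end(uintptr_t start, size_t size, uintptr_t *end)
{
	uintptr_t span = (size == 0U) ? 0U : (uintptr_t)size - 1U;

	if (span > UINTPTR_MAX - start) {
		return false; /* start + span overflows */
	}
	*end = start + span;
	return true;
}

/* True only when the whole buffer lies inside the region. */
static bool buffer_in_region(const struct region *r, uintptr_t start,
			     size_t size)
{
	uintptr_t end;

	if (!buffer_end(start, size, &end)) {
		return false;
	}
	return (start >= r->base) && (end <= r->limit);
}

int main(void)
{
	/* Constructed sample region: 4 KiB at 0x20000000. */
	struct region r = { 0x20000000u, 0x20000FFFu };
	bool exact_fit = buffer_in_region(&r, 0x20000000u, 0x1000u);
	bool wrapped = buffer_in_region(&r, UINTPTR_MAX - 0xFu, 0x20u);

	return (exact_fit && !wrapped) ? 0 : 1;
}
```

Without the `size - 1` adjustment, a buffer that exactly fills the region would be rejected; without the overflow check, a buffer whose end wraps around could compare as lying below the region limit.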
ARMv8-R aarch32 processor has support for
ARM PMSAv8-32. To add support for ARMv8-R we reuse the
ARMv8-M effort and change access to the different registers
such as rbar, rlar, mair, prselr.
Signed-off-by: Julien Massot <julien.massot@iot.bzh>
Signed-off-by: Manuel Arguelles <manuel.arguelles@nxp.com>
Removes the ability to enable the FPU with TF-M -- added in
PR #45906, and which is causing CI failures -- until a more
robust solution can be implemented for FPU support w/TF-M.
Signed-off-by: Kevin Townsend <kevin.townsend@linaro.org>
Allow the application to enable the FPU when TF-M has been enabled.
Pass the correct compilation flags according to the TF-M integration
guide.
Signed-off-by: Joakim Andersson <joakim.andersson@nordicsemi.no>
This commit updates all deprecated `K_KERNEL_STACK_ARRAY_EXTERN` macro
usages to use the `K_KERNEL_STACK_ARRAY_DECLARE` macro instead.
Signed-off-by: Stephanos Ioannidis <root@stephanos.io>
This commit corrects all `extern K_THREAD_STACK_DEFINE` macro usages
to use the `K_THREAD_STACK_DECLARE` macro instead.
Signed-off-by: Stephanos Ioannidis <root@stephanos.io>
<soc.h> has traditionally been used as a proxy to HAL headers,
register definitions, etc. Nowadays, <soc.h> is anarchy. It serves a
different purpose depending on the SoC. In some cases it includes HALs,
in some others it works as a header sink/proxy (for no good reason), as
a register definition when there's no HAL... To make things worse, it is
being included in code that is, in theory, non-SoC specific.
This patch is part of a series intended to improve the situation by
removing <soc.h> usage when not needed, and by eventually removing it.
Signed-off-by: Gerard Marull-Paretas <gerard.marull@nordicsemi.no>
Add the ability to have multiple irq priority levels which are not
masked by irq_lock() by adding CONFIG_ZERO_LATENCY_LEVELS.
If CONFIG_ZERO_LATENCY_LEVELS is set to a value > 1 then multiple zero
latency irqs are reserved by the kernel (and not only one). The priority
of the zero-latency interrupt can be configured by IRQ_CONNECT.
To be backwards compatible the prio argument in IRQ_CONNECT is still
ignored and the target prio set to zero if CONFIG_ZERO_LATENCY_LEVELS
is 1 (default).
Implements #45276
Signed-off-by: Christoph Coenen <ccoenen@baumer.com>
Ensure callee registers are included in coredump.
Push callee registers onto stack and pass as param to
z_do_kernel_oops for CONFIG_ARMV7_M_ARMV8_M_MAINLINE
when CONFIG_EXTRA_EXCEPTION_INFO enabled.
Signed-off-by: Mark Holden <mholden@fb.com>
Debugger plugins use the `z_sys_post_kernel` variable to detect whether
the kernel is currently running, and hence whether any threads exist. As
this is just a standard variable however, after a reset the initial
value of this variable is whatever it was before reset (true) until the
bss section is zeroed halfway through `z_arm_prep_c`. Debuggers are
therefore unable to differentiate between a normally running application
and the very first stages of the boot process.
Clearing this variable as the first action upon reset allows debuggers
to display the correct thread state after the first 3 instructions have
run.
Signed-off-by: Jordan Yates <jordan.yates@data61.csiro.au>
Assembler files were not migrated with the new <zephyr/...> prefix.
Note that the conversion has been scripted, refer to #45388 for more
details.
Signed-off-by: Gerard Marull-Paretas <gerard.marull@nordicsemi.no>
In order to bring consistency in-tree, migrate all arch code to the new
prefix <zephyr/...>. Note that the conversion has been scripted, refer
to zephyrproject-rtos#45388 for more details.
Signed-off-by: Gerard Marull-Paretas <gerard.marull@nordicsemi.no>
This adds lazy floating point context switching. On svc/irq entrance,
the VFP is disabled and a pointer to the exception stack frame is saved
away. If the esf pointer is still valid on exception exit, then no
other context used the VFP so the context is still valid and nothing
needs to be restored. If the esf pointer is NULL on exception exit,
then some other context used the VFP and the floating point context is
restored from the esf.
The undefined instruction handler is responsible for saving away the
floating point context if needed. If the handler is in the first
irq/svc context and the current thread uses the VFP, then the float
context needs to be saved. Also, if the handler is in a nested context
and the previous context was using the VFP, save the float context.
Signed-off-by: Bradley Bolen <bbolen@lexmark.com>
This commit updates the Cortex-R reset routine to initialise
(synchronise) the VFP D16-D31 registers when Dual-redundant Core
Lock-step (DCLS) is enabled.
Signed-off-by: Stephanos Ioannidis <root@stephanos.io>
Grouping the FPU registers together will make adding FPU support for
Cortex-A/R easier later. It provides the ability to get the sizeof and
offsetof FPU registers easier.
Signed-off-by: Bradley Bolen <bbolen@lexmark.com>
Cortex-A/R use a descending stack frame and the hardware does not help
with the stacking. This led to some less than desirable workarounds in
the exception code where the basic stack frame was saved twice.
Rearranging the order of the exception stack frame removes that problem
and provides a clearer path to saving CPU context in a fully descending
manner.
Signed-off-by: Bradley Bolen <bbolen@lexmark.com>
This commit adds the unified floating-point configuration symbols for
the ARM architectures.
These configuration symbols allow specification of the floating-point
coprocessors, such as VFP (also known as FP for Cortex-M) and NEON,
for the ARM architectures.
Signed-off-by: Stephanos Ioannidis <root@stephanos.io>
V7-A also supports TPIDRURO, so go ahead and use that for TLS, enabling
thread local storage for the other ARM architectures.
Add __aeabi_read_tp function in case code was compiled to use that.
Signed-off-by: Keith Packard <keithp@keithp.com>
Commit d8f186aa4a ("arch: common: semihost: add semihosting
operations") encapsulated semihosting invocation in a per-arch
semihost_exec() function. There is a fixed register variable declaration
for the return value but this variable is not listed as an output
operand to respective inline assembly segments which is an error.
This is not reported as such by gcc and the generated code is still OK
in those particular instances but this is not guaranteed, and clang
does complain about such cases.
Signed-off-by: Nicolas Pitre <npitre@baylibre.com>
Add an API that utilizes the ARM semihosting mechanism to interact with
the host system when a device is being emulated or run under a debugger.
RISCV is implemented in terms of the ARM implementation, and therefore
the ARM definitions cross enough architectures to be defined 'common'.
Functionality is exposed as a separate API instead of syscall
implementations (`_lseek`, `_open`, etc) due to various quirks with
the ARM mechanisms that means function arguments are not standard.
For more information see:
https://developer.arm.com/documentation/dui0471/m/what-is-semihosting-
Signed-off-by: Jordan Yates <jordan.yates@data61.csiro.au>
With GCC 11 now supporting low overhead branching in ARMv8.1, ASM "LE"
(loop-end) instructions would trigger an INVSTATE hard-fault after
FPSCR was set to 0. This was due to the FPSCR getting a new field in
ARMv8.1. LTPSIZE is now set to its reset value of Tail predication not
applied.
Signed-off-by: Ryan McClelland <ryanmcclelland@fb.com>
The Cache is an optional configuration of both the ARM Cortex-M7 and
Cortex-M55. Previously, it was just checking that it was just an M7
rather than knowing that the CPU actually was built with the cache.
Signed-off-by: Ryan McClelland <ryanmcclelland@fb.com>
This commit changes the CODE_DATA_RELOCATION dependency by
adding CPU_AARCH32_CORTEX_R next to CPU_CORTEX_M.
Signed-off-by: Mateusz Sierszulski <msierszulski@antmicro.com>
Cortex-M code is the only flavor that supports switching between secure
and non-secure state so make sure this kconfig only applies to it.
Signed-off-by: Bradley Bolen <bbolen@lexmark.com>
Commit a2cfb8431d ("arch: arm: Add code for swapping threads between
secure and non-secure") changed the mode variable in the _thread_arch to
be defined by ARM_STORE_EXC_RETURN or USERSPACE. The generated offset
define for mode was enabled by FPU_SHARING or USERSPACE. This broke
Cortex-R with FPU, but with ARM_STORE_EXC_RETURN disabled. Reconcile
the checks.
Signed-off-by: Bradley Bolen <bbolen@lexmark.com>
This is a strange one: The printing code pushes a floating point
register, and is called during the mpu fault. If the floating point
registers are lazily stacked, this fp push can cause another mpu
fault to be pending during the current mpu fault, and tail chained
without returning to PendSV. Since we're already cleaning up the
fp exception reason, we might as well also clean up this pending,
spurious mpu exception.
Signed-off-by: Jimmy Brisson <jimmy.brisson@linaro.org>
If an SVC was pending during the stack overflow, it will run
after the return of the memory manage fault. To the misfortune of
the SVC handler, its invariant, that PSP points to the
hardware-stacked context, is no longer valid. When the user has a
k_sys_fatal_error_handler that tries to kill the thread that caused a
stack overflow, this manifests as the svc reading the memory of whatever
is on the stack after being adjusted by the mem manage fault handler, and
that leads to unending, spurious hard faults, locking up the system.
This patch prevents that.
Signed-off-by: Jimmy Brisson <jimmy.brisson@linaro.org>
The incorrect sequence will prevent the thread from being aborted in the
ISR context. The following test case failed:
tests/kernel/fatal/exception/kernel.common.stack_sentinel.
The stack sentinel detects the stack overflow as normal during a timer
ISR exit. Note that, currently, the stack overflow detection is behind
the context switch checking, and then the detection will call svc to
raise a fatal error resulting in increasing the nested counter(+1). At
this point, it needs a context switch to finally abort the thread.
However, after the fatal error handling, the program cannot do a context
switch either during the svc exit[1], or during the timer ISR exit[2].
[1] is because the svc context is in an interrupt nested state (the
nested counter is 2).
[2] is because the current point (after svc context pop out) is right
behind the switch checking.
Signed-off-by: Jaxson Han <jaxson.han@arm.com>
ARMv8-R allows setting the vector table address using the VBAR
register, so there is no need to relocate it.
Move away vector_table setting from reset.S and move it to
relocate vector table function as it's done for Cortex-M
CPU.
Signed-off-by: Julien Massot <julien.massot@iot.bzh>
The ARMv8-R processors always boot into Hyp mode (EL2).
To enter EL1:
- Program the HACTLR register because it defaults
to only allowing EL2 accesses. HACTLR controls
whether EL1 can access memory region registers and CPUACTLR.
- Program the SPSR before entering EL1.
- Other registers default to allowing accesses at EL1 from reset.
- Set VBAR to the correct location for the vector table.
- Set ELR to point to the entry point of the EL1 code and call ERET.
Signed-off-by: Julien Massot <julien.massot@iot.bzh>