Commit graph

3194 commits

Author SHA1 Message Date
Andy Ross
b2791b0ac8 kernel/sched: Force inlining of some routines within the scheduler guts
GCC 6.2.0 is making frustratingly poor inlining decisions with some of
these routines, resulting in an awful lot of runtime calls for code
that is only ever expanded once or twice within the file.

Treat with targeted ALWAYS_INLINE's to force the issue.  The
scheduler code is a hot path.

Signed-off-by: Andy Ross <andrew.j.ross@intel.com>
2019-02-01 15:57:21 -05:00
Andy Ross
eda4c027da misc/dlist: Swap insertion API for a faster one
The sys_dlist_insert_*() functions had a behavior where a NULL
argument for the insertion position to sys_dlist_insert_after/before()
was interpreted as "the end of the list".  We never used that
convention (except in one spot internal to dlist.h which was not
itself used anywhere), and of course already have an API for appending
and prepending to a list.

In practice this was a performance disaster.  The NULL check is
virtually never provable statically by the compiler, so that test and
branch is present always.  And worse, the check and call to another
function was pushing this beyond the complexity limit for gcc to
inline a function (at -Os optimization anyway), forcing us to use
function calls for what should be a ~8 instruction sequence.  The
upshot is that dlist insertions were 2-3x slower than they needed to
be.

Deprecate these older APIs and introduce a new sys_dlist_insert() call
which can be much better optimized.

Signed-off-by: Andy Ross <andrew.j.ross@intel.com>
2019-02-01 15:57:21 -05:00
Andy Ross
8b583acf23 kernel/timeout: Fix another recursive spinlock()
The fix in commit e664c78b82 ("kernel/timeout: Fix recursive
spinlock in z_set_timeout_expiry()") missed a spot that had also been
introduced with recent locking work.  The new
_get_next_timeout_expiry() implementation takes its own lock, which is
recursive when called from z_clock_announce().  Fix by calling the
wrapped implementation instead.

Signed-off-by: Andy Ross <andrew.j.ross@intel.com>
2019-01-30 13:29:42 -08:00
Anas Nashif
c0ea505b2c kernel: fix typo in kconfig name
CONFIG_MULTITHREDING -> CONFIG_MULTITHREADING

Signed-off-by: Anas Nashif <anas.nashif@intel.com>
2019-01-30 13:30:17 -05:00
Peter A. Bigot
b4ece0ad44 kernel: timeout: detect inactive timeouts using dnode linked state
Whether a timeout is linked into the timeout queue can be determined
from the corresponding sys_dnode_t linked state.  This removes the need
to use a special flag value in dticks to determine that the timeout is
inactive.

Update _abort_timeout to return an error code, rather than the flag
value, when the timeout to be aborted was not active.

Remove the _INACTIVE flag value, and replace its external uses with an
internal API function that checks whether a timeout is inactive.

Signed-off-by: Peter A. Bigot <pab@pabigot.com>
2019-01-23 20:46:49 +01:00
Peter A. Bigot
4863aa809c kernel: poll: fix double-remove of node
k_poll events are registered in a linked list when their signal
condition has been met.  The code to clear event registration did not
account for events that were not registered, resulting in double-removes
that produced core dumps on native-posix sanitycheck.

Signed-off-by: Peter A. Bigot <pab@pabigot.com>
2019-01-23 20:46:49 +01:00
Peter A. Bigot
25fbe7b60d kernel: timeout: remove local fix for double-remove
Use the new generic capability to detect unlinked sys_dnode_t instances.

Signed-off-by: Peter A. Bigot <pab@pabigot.com>
2019-01-23 20:46:49 +01:00
Peter A. Bigot
692e1033e7 kernel: sched: fix empty list detection
CONTAINER_OF() on a NULL pointer returns some offset around NULL and not
another NULL pointer.  We have to check for that ourselves.

This only worked because the dnode happened to be at the start of the
struct.

Signed-off-by: Peter A. Bigot <pab@pabigot.com>
2019-01-23 20:46:49 +01:00
Sebastian Bøe
5a58da57fd Kconfig: STACK_CANARIES: Correct the help text
The help text has been stating that CONFIG_STACK_CANARIES will
silently be ignored when the compiler does not support them. But this
is not the desired behaviour of CONFIG_STACK_CANARIES[1].

This patch corrects the help text to state that an error will occur if
this feature is enabled, but not supported.

[1] "I would much rather see the build break if someone tries to
enable the stack canaries, and the compiler doesn't support
it. Because what happens now is that if someone enables this option,
and there is no support, the build will succeed but there are no
actual stack canaries in place, and unless the user is paying close
attention to the cmake test output they will have no idea."
--
https://github.com/zephyrproject-rtos/zephyr/issues/5019

Signed-off-by: Sebastian Bøe <sebastian.boe@nordicsemi.no>
2019-01-23 09:44:09 +01:00
Sebastian Bøe
1b86fb9da3 cmake: Use variables for target names
There is an effort underway to make most of the Zephyr build scripts
reentrant. Meaning, the build scripts can be executed multiple times
during the same CMake invocation.

Reentrancy enables several use-cases, the motivating one is the
ability to build several Zephyr executables, or images, for instance a
bootloader and an application.

For build scripts to be reentrant they cannot be directly referencing
global variables, like target names, but must instead reference
variables, which can vary from entry to entry.

Therefore, in this patch, we replace global targets with variables.

Signed-off-by: Sebastian Bøe <sebastian.boe@nordicsemi.no>
2019-01-19 07:21:55 -05:00
Andy Ross
e664c78b82 kernel/timeout: Fix recursive spinlock in z_set_timeout_expiry()
The z_set_timeout_expiry() function was added in part to simplify the
locking strategy, but it missed a case where a function it was calling
was re-locking the same spinlock.  It "works"[1] in uniprocessor
environments, but can be a deadlock in SMP.

Fix this by moving the meat of the function to an unlocked utility,
use that locally, and turn the entry point into one that does locking.
Actually this only gets called from idle now, which is a use case that
will go away when TICKLESS_IDLE is removed as a separate feature (once
you know all timeouts are set tickless, you don't need to set it from
the idle entry at all).

Discovered via lucky inspection.

[1] It doesn't work.  It releases the lock prematurely at the end of
the inner block.  But in practice this wasn't discovered.

Signed-off-by: Andy Ross <andrew.j.ross@intel.com>
2019-01-18 06:48:51 -05:00
Peter A. Bigot
bfad9721d2 kernel: remove k_alert API
This API was used in only one place in non-test code.  See whether we
can remove it.

Closes 

Signed-off-by: Peter A. Bigot <pab@pabigot.com>
2019-01-16 21:34:07 -05:00
Adithya Baglody
76ee02b6b3 Gcov: Added Kconfig changes needed by Gcov.
This patch adds the required changes in the Kconfig files.

Signed-off-by: Adithya Baglody <adithya.nagaraj.baglody@intel.com>
2019-01-16 06:12:33 -05:00
Adithya Baglody
71e90f98fd Gcov: Enable Code coverage reporting over UART.
This patch provides support for generating Code coverage reports.
The prj.conf needs to enable CONFIG_COVERAGE. Once enabled, the
code coverage data dump now comes via UART.
This data dump on the UART is triggered once the main
thread exits.

Next step is to save this data dump on file. Then run
scripts/gen_gcov_files.py with the serial console log as argument.

The last step would be to run the gcovr. Use the following cmd
 gcovr -r . --html -o gcov_report/coverage.html --html-details

Currently supported architectures are ARM and x86.

Signed-off-by: Adithya Baglody <adithya.nagaraj.baglody@intel.com>
2019-01-16 06:12:33 -05:00
Andy Ross
7fb8eb57e8 kernel/sched: SWAP_NONATOMIC workaround for timeslicing
Timeslicing works by removing the _current thread from the run queue
and re-adding it at the end of its priority.  On systems with a
_Swap() that can be preempted by a timer interrupt, that means it's
possible for the timeslice to try to slice out a thread that had
already pended itself!

This behavior used to be benign (or at least undetectable) as the
duplicated list operations were idempotent.  But now the dlist code is
stricter about correctness and has exposed the bug -- it will blow up
if you try to remove an already-removed list node.

Fix (on affected platforms) by stashing the _current pointer in
_pend_current_thread() that is checked and cleared in the timer
interrupt.  If we discover we're trying to interrupt a thread that's
already interrupted itself, we can safely exit z_time_slice() as a
noop.  The timeslicing bookkeeping was already done for us underneath
the pend code.

Signed-off-by: Andy Ross <andrew.j.ross@intel.com>
2019-01-15 13:06:35 +01:00
Andy Ross
23c5a63aa8 kernel/sched: Predicate SWAP_NONATOMIC workaround properly
This is a refactoring of the fix in commit 6c95dafd82 to limit its
application to affected platforms now that the root cause is
understood.

Note that the bug that fix was addressing was rare and seen only
after multi-hour sessions on Michael Scott's test rig.  So if
something regresses, this is where to look!

Signed-off-by: Andy Ross <andrew.j.ross@intel.com>
2019-01-15 13:06:35 +01:00
Andy Ross
7f42dbaf48 kernel: Add CONFIG_SWAP_NONATOMIC flag
On ARM, _Swap() isn't atomic and a hardware interrupt can land after
the (irq_locked) caller has entered _Swap() but before the context
switch actually happens.  This will require some platform-specific
workarounds in a few places in the scheduler.

This commit is just the Kconfig and selection on ARM.

Signed-off-by: Andy Ross <andrew.j.ross@intel.com>
2019-01-15 13:06:35 +01:00
Andy Ross
762ff2f428 kernel/swap: Simply/robustify return value handling
The call to _arch_switch is a giant screaming sign inviting optimizer
bugs.  The code that appears before is what happened long ago when we
were switched out, but the version that EXECUTED just now is actually
in a different thread.  So the assignment to _current before the
switch actually assigned OUR thread (the "new_thread" of the old
context!) to _current.

But obviously the optimizer looks at that code and assumes that the
_current which got assigned to the thread we were switching to long
ago is still correct, and used it when retrieving the swap return
value.

Obviously the real bug here is that the _arch_switch() in question
lacked a memory clobber (and it's getting one).

But we can remove two lines, remove code from inside the interrupt
lock and make the implementation more robust by moving the read to
after the irq_unlock() (which generally also has a memory clobber).

Signed-off-by: Andy Ross <andrew.j.ross@intel.com>
2019-01-11 15:18:52 -05:00
Andy Ross
4f911e192f kernel: Add missing include
These files were using z_thread_malloc() without including
kernel_internal.h.  On existing architectures that works due to
transitive includes, but x86_64 has a thinner include layer and
doesn't do it for us.  Include the files required for the APIs we use.

Signed-off-by: Andy Ross <andrew.j.ross@intel.com>
2019-01-11 15:18:52 -05:00
Aurelien Jarno
513cceb5d1 kernel: Fix asynchronous event polling interface
Commit 76b3518ce6 ("kernel: Make statements evaluate boolean
expressions") changed the type of is_polling in the struct _poller
from int to bool. In the conversion a "0" has been changed into "true"
instead of "false". Fix that.

Signed-off-by: Aurelien Jarno <aurelien@aurel32.net>
2019-01-09 17:06:08 -05:00
Flavio Ceolin
6a4a86e413 kernel: Change k_is_in_isr to return bool
Change this function to return a boolean type.

MISRA-C rule 14.4

Signed-off-by: Flavio Ceolin <flavio.ceolin@intel.com>
2019-01-07 08:52:07 -05:00
Flavio Ceolin
09e362e0d0 kernel: Change _is_thread_essential to return bool
Change this function to return a boolean type.

MISRA-C rule 14.4

Signed-off-by: Flavio Ceolin <flavio.ceolin@intel.com>
2019-01-07 08:52:07 -05:00
Flavio Ceolin
4f2e9a792a kernel: Change is_condition_met signature
Change this function to return a boolean type.

MISRA-C rule 14.4

Signed-off-by: Flavio Ceolin <flavio.ceolin@intel.com>
2019-01-07 08:52:07 -05:00
Flavio Ceolin
76b3518ce6 kernel: Make statements evaluate boolean expressions
MISRA-C requires that the if statement has essentially Boolean type.

MISRA-C rule 14.4

Signed-off-by: Flavio Ceolin <flavio.ceolin@intel.com>
2019-01-07 08:52:07 -05:00
Flavio Ceolin
8a1481735b kernel: userspace: Change _thread_idx_alloc to return bool
Make this function return an essential boolean type.

MISRA-C rule 14.4

Signed-off-by: Flavio Ceolin <flavio.ceolin@intel.com>
2019-01-07 08:52:07 -05:00
Adithya Baglody
392219eab8 kernel: Change the prototype of k_thread_access_grant.
This API was using a variable number of arguments, which is not
allowed according to MISRA-C guidelines (Rule 17.1). Hence making
this API into a macro and using the util macro FOR_EACH_FIXED_ARG
to get the same functionality.

There is one deviation from the old function. The last argument
shouldn't be NULL.

Signed-off-by: Adithya Baglody <adithya.nagaraj.baglody@intel.com>
2019-01-03 12:35:14 -08:00
Andy Ross
9eda9350d8 kernel/timeout: Don't reset imminent timeouts
The logic in z_set_timeout_expiry() missed the case where the ticks
argument could be zero (or lower), which can happen naturally due to
timing/interrupt slop.  In those circumstances, it would still try to
reset a timer that was "about to expire at the next tick", which would
run afoul of the drivers' internal decisions about how soon a timer
interrupt could be set, and then get pushed out to the next tick.

Explicitly detect this as an "imminent" predicate to make the logic
clearer.

Signed-off-by: Andy Ross <andrew.j.ross@intel.com>
2019-01-03 12:29:02 -05:00
Andy Ross
bb86f2019c kernel/sched: Remove stale comment
The recent change that added a locked z_set_timeout_expiry() API
obsoleted the subtle note about synchronization above
reset_time_slice().  None of that matters any more, the API is
synchronized internally in a conventional way.

Signed-off-by: Andy Ross <andrew.j.ross@intel.com>
2019-01-03 12:29:02 -05:00
Andy Ross
71f5e56545 kernel/timeout: Fix "not in list" predication in timeout handling
The use of dticks == INACTIVE to tell whether or not a timeout was
already in the list was insufficient.  There is a time period between
the moment a timeout is removed from the list and the end of its
handler where it is not in the list, yet its list node pointers still
point into it.  Doing things like aborting a thread while that is true
(which can be asynchronous too!)  would corrupt the list even though
all the operations on it were "atomic".

Set the timeout node pointers to nulls atomically when removed, and
check for double-remove conditions (which, again, might be perfectly
OK).

Signed-off-by: Andy Ross <andrew.j.ross@intel.com>
2019-01-03 12:29:02 -05:00
Andy Ross
43ab8da953 kernel/timeout: Refactor z_clock_announce() loop
This loop was structured badly, as a while(true) with multiple "exit
if" cases in the body.  It was bad enough that I genuinely fooled
myself into rewriting it, having convinced myself there was a bug in
it when there wasn't.

So keep the rewritten loop which expresses the iteration in a more
invariant way (i.e. "while we have an element to expire" and not "test
if we have to exit the loop").  Shorter and easier.  Also makes the
locking clearer as we can simply release the lock around the callback
in a natural/obvious way.

Signed-off-by: Andy Ross <andrew.j.ross@intel.com>
2019-01-03 12:29:02 -05:00
Sebastian Bøe
204f05b23a kconfig: Minor comments and 'help' text fixes
Minor comments and 'help' text fixes.

Signed-off-by: Sebastian Bøe <sebastian.boe@nordicsemi.no>
2018-12-30 16:24:50 -05:00
Sebastian Bøe
f42ed32dc5 Kconfig: Hide SMP and USE_SWITCH from unsupported platforms
Don't present USE_SWITCH and SMP to user applications that are
configuring for platforms that do not support SMP or USE_SWITCH.

Signed-off-by: Sebastian Bøe <sebastian.boe@nordicsemi.no>
2018-12-30 16:24:50 -05:00
Sebastian Bøe
21d69579f5 kconfig: Have the 'SMP' option depend on 'USE_SWITCH'
SMP requires the new-style '_arch_switch' to be enabled. To prevent
users from creating invalid configurations where SMP is enabled while
_arch_switch is not, we add a dependency from SMP to USE_SWITCH.

Signed-off-by: Sebastian Bøe <sebastian.boe@nordicsemi.no>
2018-12-30 16:24:50 -05:00
Sebastian Bøe
4019bda695 kconfig: Disable 'RETPOLINE' on unsupported platforms
RETPOLINE has been enabled by default on most platforms, but it is
only supported on X86.

Features should only be enabled if they are supported and active on
the given platform. To rectify this we have RETPOLINE depend on X86,
the only platform on which it is implemented.

Signed-off-by: Sebastian Bøe <sebastian.boe@nordicsemi.no>
2018-12-30 16:24:50 -05:00
Anas Nashif
74a74bb6b8 power: rename api sys_soc -> sys_
sys_soc is just redundant, just call APIs with sys_*.

Signed-off-by: Anas Nashif <anas.nashif@intel.com>
2018-12-28 16:16:28 -05:00
Anas Nashif
9151fbebf2 power: rename APIs and removing leading _
Remove leading underscore from PM APIs. _ was used for internal APIs.

Signed-off-by: Anas Nashif <anas.nashif@intel.com>
2018-12-28 16:16:28 -05:00
Andrew Boie
74f114caef userspace: easy checking for specific driver
In general driver system calls are implemented at a subsystem
layer. However, some drivers may have capabilities specific to
the hardware not covered by the subsystem API. Such drivers may
want to define their own system calls.

This macro makes it simple to validate in the driver-specific
system call handlers that not only does the untrusted device
pointer correspond to the expected subsystem, initialization
state, and caller permissions, but also that the device object
is an instance of a specific driver (and not just any driver in
that subsystem).

Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
2018-12-27 20:31:58 -05:00
Flavio Ceolin
b82a339813 kernel: init: Add nop instruction in main
The main function is just a weak function that should be overridden by
applications if they need to. Just adding a nop instruction to explicitly
say that this function does nothing.

MISRA-C rule 2.2

Signed-off-by: Flavio Ceolin <flavio.ceolin@intel.com>
2018-12-14 13:17:36 +01:00
Flavio Ceolin
4f6020111c kernel: Use NULL instead of 0
MISRA-C rule 11.9

Signed-off-by: Flavio Ceolin <flavio.ceolin@intel.com>
2018-12-11 14:37:10 -08:00
Anas Nashif
69c758436c doc: add kernel version API to doxygen
Put kernel version API into doxygen and make it available as a
documented API.

Fixes 

Signed-off-by: Anas Nashif <anas.nashif@intel.com>
2018-12-08 17:24:53 -05:00
Andrew Boie
a68120de6d kernel: check retval of driver init
If initialization fails, zero the API struct so that
device_get_binding() can't fetch it, and do not mark
the driver object as initialized to user mode.

Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
2018-12-07 19:33:23 -05:00
Adithya Baglody
91c5b84cd5 kernel: init.c: Added required hooks for the relocation
This patch splits the text section into 2 parts. The first section
will have some info regarding vector tables and debug info. The
second section will have the complete text section.
This is needed to force the required functions and data variables
into the correct locations.
This is due to the behavior of the linker. The linker will only link
once and hence this text section had to be split to make room
for the generated linker script.

Added a new Kconfig CODE_DATA_RELOCATION which when enabled will
invoke the script, which does the required relocation.

Added hooks inside init.c for bss zeroing and data copy operations.
Needed when we have to copy data from ROM to required memory type.

Signed-off-by: Adithya Baglody <adithya.nagaraj.baglody@intel.com>
2018-12-07 10:32:41 -05:00
Flavio Ceolin
118715c62d misra: Fixes for MISRA-C rule 8.3
MISRA-C says all declarations of an object or function must use the
same name and qualifiers.

MISRA-C rule 8.3

Signed-off-by: Flavio Ceolin <flavio.ceolin@intel.com>
2018-12-07 09:06:34 -05:00
Flavio Ceolin
4b35dd2628 misra: Fixes for MISRA-C rule 8.2
C90 introduced function prototypes, which allow argument types
to be checked against parameter types, though it is not necessary to
specify names for the parameters. MISRA-C requires names for function
prototype parameters; it claims that names can provide useful
information regarding the function interface.

MISRA-C rule 8.2

Signed-off-by: Flavio Ceolin <flavio.ceolin@intel.com>
2018-12-07 09:06:34 -05:00
Flavio Ceolin
26be3355ac kernel: sched: Fix undefined behavior
The order of evaluation of function calls in the arguments of a
function is undefined (32) / unspecified (15-18) in C99.

MISRA-C rule 13.2 does not allow the value of an expression and its
side effects to happen in a non-deterministic order, to avoid these
undefined behaviors.

Signed-off-by: Flavio Ceolin <flavio.ceolin@intel.com>
2018-12-07 09:06:34 -05:00
Flavio Ceolin
d7271ec9db kernel: poll: Fix switch usage
According to MISRA-C, an unconditional break statement must
terminate every switch-clause.

MISRA-C rule 16.1 and 16.3

Signed-off-by: Flavio Ceolin <flavio.ceolin@intel.com>
2018-12-07 09:06:34 -05:00
Flavio Ceolin
a42de6466a kernel: queue: Fix MISRA-C violation
MISRA-C requires that the right-hand operand of an && or || operator
does not contain persistent effects.

MISRA-C rule 13.5

Signed-off-by: Flavio Ceolin <flavio.ceolin@intel.com>
2018-12-07 09:06:34 -05:00
Ioannis Glaropoulos
ccf813c22a kernel: mem_domain: remove redundant clearing of mem_partition fields
When a memory partition is removed, it is not required
to clear the start and attr fields, since a free partition
is only indicated by a zero size field. This commit removes
the unnecessary clearing of start and attr fields.

Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
2018-12-05 15:15:07 -05:00
Nicolás Bértolo
258fd2dbeb kernel: mutex: delay setting lock_count = 0.
It is necessary to delay setting lock_count = 0 because an unlocking thread
may be swapped out when it calls adjust_owner_prio(). If the thread that starts
running sees lock_count = 0 it will successfully acquire the mutex even though
it is not fully unlocked yet.

Fixes .

Signed-off-by: Nicolás Bértolo <nicolasbertolo@gmail.com>
2018-12-05 11:00:10 +01:00
Patrik Flykt
d0d9eb0e38 kernel: Add 'U' to unsigned variable assignments
Add 'U' to a value when assigning it to an unsigned variable.
MISRA-C rule 7.2

Signed-off-by: Patrik Flykt <patrik.flykt@intel.com>
2018-12-04 22:51:56 -05:00