The metairq feature exposed the fact that all of our arch code (and a
few mistaken spots in the scheduler too) was trying to interpret
"preemptible" threads independently.
As of the scheduler rewrite, that logic is entirely within sched.c and
doing it externally is redundant. And now that "cooperative" threads
can be preempted, it's wrong and produces test failures when used with
metairq threads.
Signed-off-by: Andy Ross <andrew.j.ross@intel.com>
Refactor the _FaultDump of the default debug-level (2) to
provide the error code that indicates the fatal error reason.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
Refactor FAULT_DUMP macro to obtain and store the fatal error
reason. Make non-default version of FAULT_DUMP (i.e. with
CONFIG_FAULT_DUMP level 1) to retrieve the default reason
for fatal errors (_NANO_ERR_HW_EXCEPTION).
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
Document that execution does not return from
_NanoFatalErrorHandler and _SysFatalErrorHandler.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
Remove unused context switch code from the helper assembly file that
manages the SuperVisor Call invocations (SVCs). This is no longer in use
in the code, since all calls to __swap() now go through PendSV directly.
Signed-off-by: Carles Cufi <carles.cufi@nordicsemi.no>
The initial user stack pointer gets rounded to STACK_ALIGN_SIZE,
which can be much finer granularity than MPU regions. With
certain stack size values passed to k_thread_create(), the stack
pointer can be set past the defined region for the user thread's
stack, causing an immediate MPU fault.
Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
Upon return from a syscall handlers, the r1, r2, and r3 registers
could contain random kernel data that should not be leaked to user
mode. Zero these out before returning from _arm_do_syscall().
Fixes#7753.
The invocation macros need a clobber if r1, r2, or r3 are not used
to carry syscall arguments. This is a partial fix for #7754 but
there appear to be other issues.
Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
This commit contributes the implementation of the
CMSE address range permission checks based on the
ARMv8-M address range check intrinsics.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
Select CPU_CORTEX_M_HAS_CMSE in ARMV8_M arhitectures.
Option ARMV8_M_BASELINE is introduced for this purpose,
so that CMSE API is enabled for both Cortex-M23 and
Cortex-M33 MCUs.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
This commit defines and implements an internal ARMv8-M API
that allows the user to evaluate access permissions of memory
locations, based on the ARMv8-M Test Target (TT) instruction
support.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
Add the ability to call platform specific code as the first thing we do.
This is needed because on some platforms we might have to figure out how
to deal with starting up secondary cores and need to do that as the
first thing we do.
Signed-off-by: Stanislav Poboril <stanislav.poboril@nxp.com>
Normally a syscall would check the current privilege level and then
decide to go to _impl_<syscall> directly or go through a
_handler_<syscall>.
__ZEPHYR_SUPERVISOR__ is a compiler optimization flag which will
make all the system calls from the arch files directly link
to the _impl_<syscall>. Thereby reducing the overhead of checking the
privileges.
In the previous implementation all the source files would be compiled
by zephyr_source() rule. This means that zephyr_* is a catchall CMake
library for source files that can be built purely with the include
paths, defines, and other compiler flags that all zephyr source
files uses. This states that adding one extra compiler flag for only
one complete directory would fail.
This limitation can be overcome by using zephyr_libray* APIs. This
creates a library for the required directories and it also supports
directory level properties.
Hence we use zephyr_library* to create a new library with
macro _ZEPHYR_SUPERVISOR_ for the optimization.
Signed-off-by: Adithya Baglody <adithya.nagaraj.baglody@intel.com>
Distinguish between the integrity signatures depending on whether the
ARM MCU implements the Floating-Point Extension or not.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
This commit partially reworks the fault dump implementation
of faults in non-secure state that target Secure state. In
particular, the return address to secure state is logged along
with the non-secure address which caused the non-secure fault
(that targets the Secure state).
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
This commit implements consistency checks for the core registers
in ARMv6-M, ARMv7-M, and ARMv8-M architectures, ensuring that
the user cannot accidentally select registers that are not
implemented by the selected Cortex-M processor.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
The commit improves the help text of the ARMV7_M_ARMV8_M_MAINLINE
K-config option.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
This commit adds a Context Synchronization Point immediately
after the reset handler switches to use the Process Stack
Pointer, during initialization.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
The loop that checks the MPU region permissions incorrectly
iterates from (num_region + 1) to 1. This should be
(num_region - 1) to 0. This results in the wrong regions
being checked and possible overflow for any implementation
that uses the max region value of 0xFF.
Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
This commit activates the built-in stack guard on the main_thread
before jumping to it upon system initialization. Stack guard is
activated if BUILTIN_STACK_GUARD is enabled by the user. The
commit also activates built-in thread stack guards at every
context switch, if BUILTIN_STACK_GUARD enabled by the user.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
Ignore stack pointer limit checking during a HardFault or NMI
exception, to allow for the Fault handling function to execute
properly.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
This commit implements the build-in interrupt stack protection
via the native MSPLIM register in ARMv8-M MCUs that support the
Main Extension. Main stack pointer overflows will cause Stack
Overflow UsageFaults. In addition, the commit introduces a new
config option, BUILTIN_STACK_GUARD, allowing the user to enable
and use the built-in stack protection in ARMv8-M firmware.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
Improve the help text of ARM k-config option
CPU_CORTEX_M_HAS_PROGRAMMABLE_FAULT_PRIOS.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
Now that other work has eliminated the two cases where we had to do a
reschedule "but yield even if we are cooperative", we can squash both
down to a single _reschedule() function which does almost exactly what
legacy _Swap() did, but wrapped as a proper scheduler API.
Signed-off-by: Andy Ross <andrew.j.ross@intel.com>
There was a somewhat promiscuous pattern in the kernel where IPC
mechanisms would do something that might effect the current thread
choice, then check _must_switch_threads() (or occasionally
__must_switch_threads -- don't ask, the distinction is being replaced
by real English words), sometimes _is_in_isr() (but not always, even
in contexts where that looks like it would be a mistake), and then
call _Swap() if everything is OK, otherwise releasing the irq_lock().
Sometimes this was done directly, sometimes via the inverted test,
sometimes (poll, heh) by doing the test when the thread state was
modified and then needlessly passing the result up the call stack to
the point of the _Swap().
And some places were just calling _reschedule_threads(), which did all
this already.
Unify all this madness. The old _reschedule_threads() function has
split into two variants: _reschedule_yield() and
_reschedule_noyield(). The latter is the "normal" one that respects
the cooperative priority of the current thread (i.e. it won't switch
out even if there is a higher priority thread ready -- the current
thread has to pend itself first), the former is used in the handful of
places where code was doing a swap unconditionally, just to preserve
precise behavior across the refactor. I'm not at all convinced it
should exist...
Signed-off-by: Andy Ross <andrew.j.ross@intel.com>
Contrary to ARMv7-M, in ARMv8-M MCUs with the Main Extension,
BusFault Status Register bits are sticky and must be cleared.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
This patch changes the ARM system calls to use registers for passing
or arguments. This removes the possibility of stack issues when
callers do not adhere to the AAPCS.
Fixes#6802
Signed-off-by: Andy Gross <andy.gross@linaro.org>
During the transition of privilege levels while performing syscalls,
the ARM documentation recommends flushing the pipeline to avoid
pre-fetched instructions from being executed with the previous
privilege level.
The manual says:
4.16 CONTROL register
(...) after programming the CONTROL register, an ISB instruction
should be used.
(...) This is not implemented in the Cortex M0 processor.
Signed-off-by: Leandro Pereira <leandro.pereira@intel.com>
srd bits start at bit 8, not bit 5.
To date we are not using sub-regions so this problem was
undetected.
Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
Upcoming Nordic ICs that share many of the peripherals and architecture
with the currently supported nRF5x ones are no longer part of the nRF5
family. In order to accomodate that, rename the SoC family from nrf5 to
nrf, so that it can contain all of the members of the wider Nordic
family.
Signed-off-by: Carles Cufi <carles.cufi@nordicsemi.no>
This commit introduces the ARM_SECURE_FIRMWARE k-option,
which indicates that we are building an ARM Secure application.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
This commit contributes the implementation of the SecureFault
handling for ARMv8-M-based Cortex-M33. The implementation is
compiled conditionally with compile-time directive
CONFIG_ARM_SECURE_FIRMWARE, which is to signify the intention to
build a Secure image on ARMv8-M with Security Extensions.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
This commit conditionally selects the ARMV7_M_ARMV8_M_FP option
in ARMv7-M/ARMv8-M Mainline processors, when the Floating Point
Extension is implemented (CPU_HAS_FPU is selected).
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
This commit contributes the Stack Overflow UsageFault dumping
for ARMv8-M implementations that support the Main Extension.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
This commit introduces the ARMV8_M_MAINLINE K-config option. The
option signifies the use of an ARMv8-M CPU supporting the Main
Extension. ARMv8-M Main Extension includes additional features
that are not present in the ARMv7-M architecture.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
This commit forces CPU_CORTEX_M_HAS_PROGRAMMABLE_FAULT_PRIOS to
depend on ARMV7_M_ARMV8_M_MAINLINE. This allows the user to get
a build warning if he manually selects
CPU_CORTEX_M_HAS_PROGRAMMABLE_FAULT_PRIOS for a CPU that does
not implement either ARMv7-M or ARMv8-M Mainline.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
Clean up Kconfig so each SoC just selects the specific Cortex-M
implementaiton rather than having to select both CORTEX_M and
CORTEX_{M0, M3, M4, etc.}.
Signed-off-by: Kumar Gala <kumar.gala@linaro.org>
This commit adds the missing fault dumping for MemManage or Bus
fault occuring during floating-point lazy state preservation. In
addition, it introduces a Kconfig option for the ARMv7-M/ARMv8-M
Floating Point Extension.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
This commit removes the macros for ARM fault flags from
include/arch/arm/cortex_m/cmsis.h header, since they are
defined in the respective core_cmXX.h header files. It also
modifies fault.c to use the updated fault macros taken directly
from ARM CMSIS headers.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
This patch reworks the current ARM __swap() function into a C function.
Due to some issues with using svc calls withing fault handlers, we
needed to change the way we initiate a swap by removing the dependence
on svc #0.
Before __swap() is called, the system has already done an irq_lock().
Upon return from __swap(), the equivalent of an irq_lock() is done due
to restoration of the key value from the irq_lock preceeding the call.
For ARM V6M (M0/M0+), the pendsv bit is toggled and the irqs are
enabled. There is no priority masking in v6m, so it's just a global
enable. For ARM V7M, the priority mask has to be set to 0x0 to allow
for the pendsv IRQ to be taken. This is done for both via a call to
irq_unlock(0).
After this unlock, a pendsv irq will be taken, either at the tail end
of the current irq handling if we are in handler mode, or immediately
due to the pendsv being asserted (no other outstanding irqs). The next
thread will be scheduled.
Upon return from the context switch to the original
thread, the priority mask will already be correct due to the pendsv
processing.
Signed-off-by: Andy Gross <andy.gross@linaro.org>
MPU_STACK_GUARD option has a direct dependence on ARM_CORE_MPU.
Therefore, it is not required to have a conditional selection
of the option (if ARM_CORE_MPU) in ARM_STACK_PROTECTION.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
In ARMv7-M (and ARMv8-M) architecture it is
implementation defined whether separate MMFAR and BFAR are
implemented. This commit ensures that we always get the true
faulting address displayed in case of MemManage- or BusFault.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
The xtensa-asm2 work included a patch that added nano_internal.h
includes in lots of places that needed to have _Swap defined, because
it had to break a cycle and this no longer got pulled in from the arch
headers.
Unfortunately those new includes created new and more amusing cycles
elsewhere which led to breakage on other platforms.
Break out the _Swap definition (only) into a separate header and use
that instead. Cleaner. Seems not to have any more hidden gotchas.
Signed-off-by: Andy Ross <andrew.j.ross@intel.com>
The old ARMV6_M Kconfig option has been removed, and so to correctly set
the dependencies for SW_VECTOR_RELAY we need to use the new
ARMV6_M_ARMV8_M_BASELINE.
Signed-off-by: Carles Cufi <carles.cufi@nordicsemi.no>
Andy Ross