Compiler may optimize away write to RO region and following
readback so we won't trigger fault (that actually happens with
arc MWDT toolchain).
Add volatile to avoid that.
Signed-off-by: Eugeniy Paltsev <Eugeniy.Paltsev@synopsys.com>
Add new tests to improve of the Zephyr QA testing of the memory
protection for memory domains and partitions.
I created new tests for memory protection->memory partitions for
the requirements which I think necessary to be tested.
I added Doxygen tag for each test to make it clear to understand
what each test is doing and how.
New tests for memory domains and partitions:
-test_mem_domain_api_kernel_thread_only()
By creating that test I wanted to prove that access to memory
domain APIs must be restricted only to supervisor threads.
At the same time I wanted to prove that system can support the
definition of memory domains.
-test_mem_part_auto_determ_size()
By creating that test I want to prove that system can automatically
determine application memory partition base addresses and sizes
at build time, determined by its contents. Also system can support
definition of memory partitions. At the same time test proves that OS
supports adding and removing a thread from its memory domain
assignment.
-test_mem_part_auto_determ_size_per_mmu()
That test is very important and it proves that memory partitions are
automatically sized and aligned per the constraints of the platform's
memory management hardware.
-test_mem_part_inheirt_by_child_thr()
Prove that child thread inherits memory domain assignment of its
parent.
-test_macros_obtain_names_data_bss()
Test system provides tools to obtain the names of the data and BSS
sections related to a particular application memory partition at
build time.
-test_mem_part_assign_bss_vars_zero()
Test that global data and BSS values can be assigned to application
memory partitions using macros at build time. Test that BSS values
will be zeroed at the build time.
1. According to the reviews made changes.
2. Switched test_mem_part_assert_add_overmax
and test_create_new_invalid_prio_thread_from_user
That way I exposed problem (bug) with assertion
in L171 kernel/mem_protect.c
Signed-off-by: Maksim Masalski <maksim.masalski@intel.com>
We try to invoke `ztest_test_pass()` from inside
a fatal exception in a child thread.
On SMP this can result in the next test case starting
on another CPU, re-using the child thread before it
has a chance to exit.
Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
The implementations of the test cases had the wrong prototype.
The extern declarations (which were in a C file for some reason)
were correct.
I don't want to talk about the subtle code generation and stack
corruption issues that emerged from this which at one point made
me question my own sanity.
Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
em_starterkit_7d is not capable to generate error when access unmapped
address at kernel mode. So toggle off this part of test.
Signed-off-by: Yuguo Zou <yuguo.zou@synopsys.com>
- No longer call ztest_test_pass() out of a fatal exception,
as if this took place on some child thread, the next test
case could start on another CPU before the child has exited,
leading to issues if the child thread object is recycled
- Get rid of some unnecessary synchronization semaphores.
Use the scheduler and/or k_thread_join() instead.
- Simplify tests for read/write other threads not to spawn
a child thread and then take a fatal fault on the ztest
thread
- Add set_fault() clear_fault() as I do not enjoy typing.
Despite these variables being voliatile, a barrier is
needed to prevent re-ordering around non-volatile memory
access
- Don't call ztest_test_pass() from child thread in
test_user_mode_enter() due to possible races
Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
Memory mapping, for now, will be a private kernel API
and is not intended to be application-facing at this time.
Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
We no longer plan to support a split address space with
the kernel in high memory and per-process address spaces.
Because of this, we can simplify some things. System RAM
is now always identity mapped at boot.
We no longer require any virtual-to-physical translation
for page tables, and can remove the dual-mapping logic
from the page table generation script since we won't need
to transition the instruction point off of physical
addresses.
CONFIG_KERNEL_VM_BASE and CONFIG_KERNEL_VM_LIMIT
have been removed. The kernel's address space always
starts at CONFIG_SRAM_BASE_ADDRESS, of a fixed size
specified by CONFIG_KERNEL_VM_SIZE.
Driver MMIOs and other uses of k_mem_map() are still
virtually mapped, and the later introduction of demand
paging will result in only a subset of system RAM being
a fixed identity mapping instead of all of it.
Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
Some ARMv8-M platforms may come with only 8 (instead of 16)
MPU regions. In these platforms, by design, a memory domain
may contain up to 2 application memory partitions, when we
build with MPU_GAP_FILLING support. To be able to test this
valid configuration we slightly modify the test code in the
mem_protect suite, and add-remove the second partition (with
index-1) instead of the third (index-2).
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
We need to exclude the .gap_filling test from running on
ARMv8-M platforms with 8 MPU regions available, since the
userspace test defines and uses a memory domain whose number
of partitions exceed the maximum number of permitted partitions
in ARMv8-m SoCs with MPU_GAP_FILLING=y.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
Adding the first list item in the same line as @details, creates a list
with a single item inside a paragraph, and another list with the
remaining items. What is wanted here is to have a single list with all
items, so the first item needs to be in a new line.
Signed-off-by: Fabio Utzig <fabio.utzig@nordicsemi.no>
We don't have use-cases and it introduces complexities with
allocating page tables on MMU systems.
Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
Ancient 2-level IA32 page tables don't support "eXecute Disable".
Skip the test scenarios for them.
Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
When thread is initialized and running z_object_validate
will return 0 for thread object and its thread stack object.
When thread exit, z_object_validate
will return -1 for thread object and its thread stack object.
Signed-off-by: Maksim Masalski <maksim.masalski@intel.com>
Instead of replacing of copyright year with the new one,
necessary to add new to the existing one
Signed-off-by: Maksim Masalski <maksim.masalski@intel.com>
Updated current tests tags to make them more informative.
1. test_mslab updated Doxygen tag
2. test_create_alt_thread updated Doxygen tag
3. test_sys_heap_mem_pool_assign updated Doxygen tag
Signed-off-by: Maksim Masalski <maksim.masalski@intel.com>
Check that the base of every stack object is properly
defined. This can get messed up if K_THREAD_STACK_ARRAY_DEFINE
isn't specified properly.
Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
The core kernel computes the initial stack pointer
for a thread, properly aligning it and subtracting out
any random offsets or thread-local storage areas.
arch_new_thread() no longer needs to make any calculations,
an initial stack frame may be placed at the bounds of
the new 'stack_ptr' parameter passed in. This parameter
replaces 'stack_size'.
thread->stack_info is now set before arch_new_thread()
is invoked, z_new_thread_init() has been removed.
The values populated may need to be adjusted on arches
which carve-out MPU guard space from the actual stack
buffer.
thread->stack_info now has a new member 'delta' which
indicates any offset applied for TLS or random offset.
It's used so the calculations don't need to be repeated
if the thread later drops to user mode.
CONFIG_INIT_STACKS logic is now performed inside
z_setup_new_thread(), before arch_new_thread() is called.
thread->stack_info is now defined as the canonical
user-accessible area within the stack object, including
random offsets and TLS. It will never include any
carved-out memory for MPU guards and must be updated at
runtime if guards are removed.
Available stack space is now optimized. Some arches may
need to significantly round up the buffer size to account
for page-level granularity or MPU power-of-two requirements.
This space is now accounted for and used by virtue of
the Z_THREAD_STACK_SIZE_ADJUST() call in z_setup_new_thread.
Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
1. Found out that thread tests doesn't test next ideas of requirements,
which I think necessary to be tested and verified:
-the kernel need to prevent user threads creating new threads from
using thread or thread stack objects which are in an initialized state
-Upon thread exit, the kernel need to mark the exiting thread
and thread stack objects as uninitialized
Add new tests to test requirements above, that way we can cover more
features to be tested:
- test_new_user_thread_with_in_use_stack_obj()
- test_mark_thread_exit_uninitialized()
2. Modified test test_create_new_thread_from_user() to verify that
kernel provides new user threads access to their own thread object.
3. Also I added detailed Doxygen tags for each new test and existing
modified test.
4. Added Doxygen tag to the existing test test_stack_buffer, it
covers requirement:
-The kernel need to provide all threads read and write access to their
own stack memory buffer.
Signed-off-by: Maksim Masalski <maksim.masalski@intel.com>
Inside function futex_wake() result of k_futex_wait() is not checked.
Coverity-CID: 211508
Fixes: #27149
Signed-off-by: Maksim Masalski <maksim.masalski@intel.com>
Add new standalone futex test that verifies next requirements:
-Futex can be placed in user memory using ZTEST_BMEM
-User thread can write to futex value
-User threads can make wait/wake syscalls on it
Added detailed Doxygen tag with information about the test
Signed-off-by: Maksim Masalski <maksim.masalski@intel.com>
1. Add code change to the test_permission_inheritance() to let it
test that child thread can't access parent thread object. Now that test
tests one more related to it feature.
2. Add new Doxygen tags with informative descriptions about the kernel
objects tests. That will make reading and understanding kernel object
tests code easier.
Signed-off-by: Maksim Masalski <maksim.masalski@intel.com>
Instead of replacing of copyright year with the new one,
necessary to add new to the existing one
Signed-off-by: Maksim Masalski <maksim.masalski@intel.com>
To improve Zephyr tests, I think that it will necessary to have test,
that verifies a child thread inherits resource pool assignment
of their parent.
Signed-off-by: Maksim Masalski <maksim.masalski@intel.com>
1. Doxygen tags updates of the existing tests.
2. Fixed use of API K_MSEC in test_syscall_torture
3. Removed misprints
Signed-off-by: Maksim Masalski <maksim.masalski@intel.com>
Added new doxygen tags for tests:
1. test_mem_domain_destroy
2. test_domain_add_part_drop_to_user
Signed-off-by: Maksim Masalski <maksim.masalski@intel.com>
Reason is that some threads tests have poor description Doxygen
tags. I decided to fix that situation in some tests which understand.
Update Doxygen tags for the next tests:
test_create_new_supervisor_thread_from_user()
test_user_mode_enter()
test_create_new_higher_prio_thread_from_user()
test_create_new_thread_from_user_huge_stacksize()
Signed-off-by: Maksim Masalski <maksim.masalski@intel.com>
Added separator (e.g. comma or semicolon) parameter to FOR_EACH_ family.
Separator is added between macro execution for each argument and not at
the end.
Signed-off-by: Krzysztof Chruscinski <krzysztof.chruscinski@nordicsemi.no>
Remove all ram restrictions in kernel tests and revisit all tests and
try to make them pass on all platforms.
Signed-off-by: Anas Nashif <anas.nashif@intel.com>
Reason is that some tests have poor description in Doxygen tags,
decided to fix that situation in some tests which I understand.
Also remove small misprints from some parts of code.
Update Doxygen tags for the next tests:
test_access_kobject_without_init_access
test_thread_without_kobject_permission
test_bad_syscall
test_syscall_invalid_kobject
Signed-off-by: Maksim Masalski <maksim.masalski@intel.com>
Certain types of system call validation may need to be pushed
deeper in the implementation and not performed in the verification
function. If such checks are only pertinent when the caller was
from user mode, we need an API to detect this situation.
This is implemented by having thread->syscall_frame be non-NULL
only while a user system call is in progress. The template for the
system call marshalling functions is changed to clear this value
on exit.
A test is added to prove that this works.
Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
... because it is (required).
This makes a difference when building with CMake and forgetting
ZEPHYR_BASE or not registering Zephyr in the CMake package registry.
In this particular case, REQUIRED turns this harmless looking log
statement:
-- Could NOT find Zephyr (missing: Zephyr_DIR)
-- The C compiler identification is GNU 9.3.0
-- The CXX compiler identification is GNU 9.3.0
-- Check for working C compiler: /usr/bin/cc
-- ...
-- ...
-- ...
-- Detecting CXX compile features
-- Detecting CXX compile features - done
CMake Error at CMakeLists.txt:8 (target_sources):
Cannot specify sources for target "app" which is not built by
this project.
... into this louder, clearer, faster and (last but not least) final
error:
CMake Error at CMakeLists.txt:5 (find_package):
Could not find a package configuration file provided by "Zephyr" with
any of the following names:
ZephyrConfig.cmake
zephyr-config.cmake
Add the installation prefix of "Zephyr" to CMAKE_PREFIX_PATH or set
"Zephyr_DIR" to a directory containing one of the above files. If
"Zephyr" provides a separate development package or SDK, be sure it
has been installed.
-- Configuring incomplete, errors occurred!
Signed-off-by: Marc Herbert <marc.herbert@intel.com>
Increase the main thread stack size for this test
to 2048; this increase prevents stacking errors in
the main thread, in several Cortex-M platforms.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
On nucleo_f429zi and nucleo_f207zg boards,
0xFFFFFFF0 is not a faulty address.
Instead we can use 0x0FFFFFFFF.
Signed-off-by: Alexandre Bourdiol <alexandre.bourdiol@st.com>
Tests should always start with test_, otherwise detection of subtests
will not work through sanitycheck.
Signed-off-by: Anas Nashif <anas.nashif@intel.com>
This suite was fairly messy and very unstable on how it re-used
kernel objects.
* Unnecessary ztest_test_pass() or self-aborts removed
* k_thread_join() now used to wait for child thread completion,
instead of a strange use of a semaphore which was effectively
a 10ms sleep
* Barriers simplified
* the number of thread objects in kobject.c is now drastically reduced
* test case function names are now descriptive and made static if
only used in local scope in kobject.c
* SMP no longer disabled
Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
Add a k_timeout_t type, and use it everywhere that kernel API
functions were accepting a millisecond timeout argument. Instead of
forcing milliseconds everywhere (which are often not integrally
representable as system ticks), do the conversion to ticks at the
point where the timeout is created. This avoids an extra unit
conversion in some application code, and allows us to express the
timeout in units other than milliseconds to achieve greater precision.
The existing K_MSEC() et. al. macros now return initializers for a
k_timeout_t.
The K_NO_WAIT and K_FOREVER constants have now become k_timeout_t
values, which means they cannot be operated on as integers.
Applications which have their own APIs that need to inspect these
vs. user-provided timeouts can now use a K_TIMEOUT_EQ() predicate to
test for equality.
Timer drivers, which receive an integer tick count in ther
z_clock_set_timeout() functions, now use the integer-valued
K_TICKS_FOREVER constant instead of K_FOREVER.
For the initial release, to preserve source compatibility, a
CONFIG_LEGACY_TIMEOUT_API kconfig is provided. When true, the
k_timeout_t will remain a compatible 32 bit value that will work with
any legacy Zephyr application.
Some subsystems present timeout (or timeout-like) values to their own
users as APIs that would re-use the kernel's own constants and
conventions. These will require some minor design work to adapt to
the new scheme (in most cases just using k_timeout_t directly in their
own API), and they have not been changed in this patch, instead
selecting CONFIG_LEGACY_TIMEOUT_API via kconfig. These subsystems
include: CAN Bus, the Microbit display driver, I2S, LoRa modem
drivers, the UART Async API, Video hardware drivers, the console
subsystem, and the network buffer abstraction.
k_sleep() now takes a k_timeout_t argument, with a k_msleep() variant
provided that works identically to the original API.
Most of the changes here are just type/configuration management and
documentation, but there are logic changes in mempool, where a loop
that used a timeout numerically has been reworked using a new
z_timeout_end_calc() predicate. Also in queue.c, a (when POLL was
enabled) a similar loop was needlessly used to try to retry the
k_poll() call after a spurious failure. But k_poll() does not fail
spuriously, so the loop was removed.
Signed-off-by: Andy Ross <andrew.j.ross@intel.com>
