Check that the base of every stack object is properly
defined. This can get messed up if K_THREAD_STACK_ARRAY_DEFINE
isn't specified properly.
Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
The core kernel computes the initial stack pointer
for a thread, properly aligning it and subtracting out
any random offsets or thread-local storage areas.
arch_new_thread() no longer needs to make any calculations,
an initial stack frame may be placed at the bounds of
the new 'stack_ptr' parameter passed in. This parameter
replaces 'stack_size'.
thread->stack_info is now set before arch_new_thread()
is invoked, z_new_thread_init() has been removed.
The values populated may need to be adjusted on arches
which carve-out MPU guard space from the actual stack
buffer.
thread->stack_info now has a new member 'delta' which
indicates any offset applied for TLS or random offset.
It's used so the calculations don't need to be repeated
if the thread later drops to user mode.
CONFIG_INIT_STACKS logic is now performed inside
z_setup_new_thread(), before arch_new_thread() is called.
thread->stack_info is now defined as the canonical
user-accessible area within the stack object, including
random offsets and TLS. It will never include any
carved-out memory for MPU guards and must be updated at
runtime if guards are removed.
Available stack space is now optimized. Some arches may
need to significantly round up the buffer size to account
for page-level granularity or MPU power-of-two requirements.
This space is now accounted for and used by virtue of
the Z_THREAD_STACK_SIZE_ADJUST() call in z_setup_new_thread.
Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
1. Found out that thread tests doesn't test next ideas of requirements,
which I think necessary to be tested and verified:
-the kernel need to prevent user threads creating new threads from
using thread or thread stack objects which are in an initialized state
-Upon thread exit, the kernel need to mark the exiting thread
and thread stack objects as uninitialized
Add new tests to test requirements above, that way we can cover more
features to be tested:
- test_new_user_thread_with_in_use_stack_obj()
- test_mark_thread_exit_uninitialized()
2. Modified test test_create_new_thread_from_user() to verify that
kernel provides new user threads access to their own thread object.
3. Also I added detailed Doxygen tags for each new test and existing
modified test.
4. Added Doxygen tag to the existing test test_stack_buffer, it
covers requirement:
-The kernel need to provide all threads read and write access to their
own stack memory buffer.
Signed-off-by: Maksim Masalski <maksim.masalski@intel.com>
1. Add code change to the test_permission_inheritance() to let it
test that child thread can't access parent thread object. Now that test
tests one more related to it feature.
2. Add new Doxygen tags with informative descriptions about the kernel
objects tests. That will make reading and understanding kernel object
tests code easier.
Signed-off-by: Maksim Masalski <maksim.masalski@intel.com>
1. Doxygen tags updates of the existing tests.
2. Fixed use of API K_MSEC in test_syscall_torture
3. Removed misprints
Signed-off-by: Maksim Masalski <maksim.masalski@intel.com>
Added new doxygen tags for tests:
1. test_mem_domain_destroy
2. test_domain_add_part_drop_to_user
Signed-off-by: Maksim Masalski <maksim.masalski@intel.com>
Reason is that some threads tests have poor description Doxygen
tags. I decided to fix that situation in some tests which understand.
Update Doxygen tags for the next tests:
test_create_new_supervisor_thread_from_user()
test_user_mode_enter()
test_create_new_higher_prio_thread_from_user()
test_create_new_thread_from_user_huge_stacksize()
Signed-off-by: Maksim Masalski <maksim.masalski@intel.com>
Added separator (e.g. comma or semicolon) parameter to FOR_EACH_ family.
Separator is added between macro execution for each argument and not at
the end.
Signed-off-by: Krzysztof Chruscinski <krzysztof.chruscinski@nordicsemi.no>
Reason is that some tests have poor description in Doxygen tags,
decided to fix that situation in some tests which I understand.
Also remove small misprints from some parts of code.
Update Doxygen tags for the next tests:
test_access_kobject_without_init_access
test_thread_without_kobject_permission
test_bad_syscall
test_syscall_invalid_kobject
Signed-off-by: Maksim Masalski <maksim.masalski@intel.com>
Tests should always start with test_, otherwise detection of subtests
will not work through sanitycheck.
Signed-off-by: Anas Nashif <anas.nashif@intel.com>
Private type, internal to the kernel, not directly associated
with any k_object_* APIs. Is the return value of z_object_find().
Rename to struct z_object.
Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
Extend the bad syscall-ID test case to cover
erroneously supplied larged unsiged syscall-ID
values.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
The existing stack_analyze APIs had some problems:
1. Not properly namespaced
2. Accepted the stack object as a parameter, yet the stack object
does not contain the necessary information to get the associated
buffer region, the thread object is needed for this
3. Caused a crash on certain platforms that do not allow inspection
of unused stack space for the currently running thread
4. No user mode access
5. Separately passed in thread name
We deprecate these functions and add a new API
k_thread_stack_space_get() which addresses all of these issues.
A helper API log_stack_usage() also added which resembles
STACK_ANALYZE() in functionality.
Fixes: #17852
Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
Interrupts should not be locked when servicing a system call,
and the kernel should not think we are in an interrupt handler
either.
Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
Exceptions on x86_64 are incorrectly implemented, and if
a preemptible thread faults, and in its overridden
k_sys_fatal_error_handler() does something which invokes
a scheduling point (such as here where we give semaphores),
the thread will be swapped out on the per-CPU exception stack
and probably explode when it is switched back in.
For now, change the faulting thread priority to co-op so this
doesn't happen.
Workaround for #21462
Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
This test spawns a child thread and expects it to complete.
Use one CPU for it. Get rid of the useless k_thread_abort()
call and add a k_yield() to ensure the child does its
thing.
Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
In addition to not assuming all pointers fit in a u32_t,
logic is added to find the privilege mode stack on x86_64
and several error messages now contain more information.
Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
Promote the private z_arch_* namespace, which specifies
the interface between the core kernel and the
architecture code, to a new top-level namespace named
arch_*.
This allows our documentation generation to create
online documentation for this set of interfaces,
and this set of interfaces is worth treating in a
more formal way anyway.
Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
We replace an inline assembly block of code with CMSIS
functions, to make it portable to ARMv6-M architecture.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
Re-run with updated script to convert integer literal delay arguments to
k_sleep to use the standard timeout macros.
Signed-off-by: Peter Bigot <peter.bigot@nordicsemi.no>
System call arguments, at the arch layer, are single words. So
passing wider values requires splitting them into two registers at
call time. This gets even more complicated for values (e.g
k_timeout_t) that may have different sizes depending on configuration.
This patch adds a feature to gen_syscalls.py to detect functions with
wide arguments and automatically generates code to split/unsplit them.
Unfortunately the current scheme of Z_SYSCALL_DECLARE_* macros won't
work with functions like this, because for N arguments (our current
maximum N is 10) there are 2^N possible configurations of argument
widths. So this generates the complete functions for each handler and
wrapper, effectively doing in python what was originally done in the
preprocessor.
Another complexity is that traditional the z_hdlr_*() function for a
system call has taken the raw list of word arguments, which does not
work when some of those arguments must be 64 bit types. So instead of
using a single Z_SYSCALL_HANDLER macro, this splits the job of
z_hdlr_*() into two steps: An automatically-generated unmarshalling
function, z_mrsh_*(), which then calls a user-supplied verification
function z_vrfy_*(). The verification function is typesafe, and is a
simple C function with exactly the same argument and return signature
as the syscall impl function. It is also not responsible for
validating the pointers to the extra parameter array or a wide return
value, that code gets automatically generated.
This commit includes new vrfy/msrh handling for all syscalls invoked
during CI runs. Future commits will port the less testable code.
Signed-off-by: Andy Ross <andrew.j.ross@intel.com>
- k_sys_fatal_error_handler() can return on all platforms,
indicating that the faulting thread should be aborted.
- Hang the system for unexpected faults instead of trying
to keep going, we have no idea whether the system is even
runnable.
Prevents infinite crash loops during tests.
Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
This commit is a hotfix. It makes sanitycheck happy by fixing
the way we can temporarily exclude some tests in the userspace
test suite for the ARC architecture.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
User mode should be able to successfully induce a kernel
oops, or stack check fail fatal error. The latter is
required by compiler stack canaries.
User mode should not be able to induce a kernel panic, or
fake some other kind of exception.
Currently supported on ARM and x86 platforms.
Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
This is now called z_arch_esf_t, conforming to our naming
convention.
This needs to remain a typedef due to how our offset generation
header mechanism works.
Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
* z_NanoFatalErrorHandler() is now moved to common kernel code
and renamed z_fatal_error(). Arches dump arch-specific info
before calling.
* z_SysFatalErrorHandler() is now moved to common kernel code
and renamed k_sys_fatal_error_handler(). It is now much simpler;
the default policy is simply to lock interrupts and halt the system.
If an implementation of this function returns, then the currently
running thread is aborted.
* New arch-specific APIs introduced:
- z_arch_system_halt() simply powers off or halts the system.
* We now have a standard set of fatal exception reason codes,
namespaced under K_ERR_*
* CONFIG_SIMPLE_FATAL_ERROR_HANDLER deleted
* LOG_PANIC() calls moved to k_sys_fatal_error_handler()
Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
move misc/stack.h to debug/stack.h and
create a shim for backward-compatibility.
No functional changes to the headers.
A warning in the shim can be controlled with CONFIG_COMPAT_INCLUDES.
Related to #16539
Signed-off-by: Anas Nashif <anas.nashif@intel.com>
move misc/util.h to sys/util.h and
create a shim for backward-compatibility.
No functional changes to the headers.
A warning in the shim can be controlled with CONFIG_COMPAT_INCLUDES.
Related to #16539
Signed-off-by: Anas Nashif <anas.nashif@intel.com>
We didn't have code coverage for this function anywhere
except indirectly through some network tests; exercise it
in the suite of userspace tests.
Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
In ARM architecture z_priv_stack_find() returns the start of a
thread's privilege stack; we do not need to subtract the length
of a (possible) stack guard. This commit corrects the assigning
of the start address of a thread privilege stack in
test/kerne/mem_protect/mem_protect/userspace.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
In the wake of moving the internal API header arm_core_mpu_dev.h
into arch/arm/cortex_m/mpu, we need to explicitly declare the
arm_core_mpu_disable() function in the userspace test. Note that
arm_core_mpu_disable() (as any other function in this internal
API) is not supposed to be called directly by kernel/application
functions; an exception is allowed in this test suite, so we are
able to test the MPU disabling functionality.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
This macro is slated for complete removal, as it's not possible
on arches with an MPU stack guard to know the true buffer bounds
without also knowing the runtime state of its associated thread.
As removing this completely would be invasive to where we are
in the 1.14 release, demote to a private kernel Z_ API instead.
The current way that the macro is being used internally will
not cause any undue harm, we just don't want any external code
depending on it.
The final work to remove this (and overhaul stack specification in
general) will take place in 1.15 in the context of #14269Fixes: #14766
Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
Rename reserved function names in arch/ subdirectory. The Python
script gen_priv_stacks.py was updated to follow the 'z_' prefix
naming.
Signed-off-by: Patrik Flykt <patrik.flykt@intel.com>
The stack information stored in the thread->stack_info
fields need to represent the actual writable area for
its associated thread. Perform various tests to ensure
that the various reported and specified values are in
agreement.
Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
Update reserved function names starting with one underscore, replacing
them as follows:
'_k_' with 'z_'
'_K_' with 'Z_'
'_handler_' with 'z_handl_'
'_Cstart' with 'z_cstart'
'_Swap' with 'z_swap'
This renaming is done on both global and those static function names
in kernel/include and include/. Other static function names in kernel/
are renamed by removing the leading underscore. Other function names
not starting with any prefix listed above are renamed starting with
a 'z_' or 'Z_' prefix.
Function names starting with two or three leading underscores are not
automatcally renamed since these names will collide with the variants
with two or three leading underscores.
Various generator scripts have also been updated as well as perf,
linker and usb files. These are
drivers/serial/uart_handlers.c
include/linker/kobject-text.ld
kernel/include/syscall_handler.h
scripts/gen_kobject_list.py
scripts/gen_syscall_header.py
Signed-off-by: Patrik Flykt <patrik.flykt@intel.com>
We want to show that performing various memory domain
operations, and then either dropping to user mode, or
swapping to a user thread in the same domain, has the
correct memory policy for the user context.
Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
This commit fixes a test in kernel/mem_protect/userspace,
which was attempting to read from an address that was not
necessarily within the image memory range, causing faults
in ARM TrustZone-enabled builds.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
This was never a long-term solution, more of a gross hack
to get test cases working until we could figure out a good
end-to-end solution for memory domains that generated
appropriate linker sections. Now that we have this with
the app shared memory feature, and have converted all tests
to remove it, delete this feature.
To date all userspace APIs have been tagged as 'experimental'
which sidesteps deprecation policies.
Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
CONFIG_APPLICATION_MEMORY was a stopgap feature that is
being removed from the kernel. Convert tests and samples
to use the application shared memory feature instead,
in most cases using the domain set up by ztest.
Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
