79 Commits

Author SHA1 Message Date
Andy Ross
af7bf89ed2 tests/kernel: Bump stack size for mem_protect/stackprot
This test needs just a tiny bit of extra stack.  512 bytes isn't
enough on x86 with the most recent set of timer patches.

Signed-off-by: Andy Ross <andrew.j.ross@intel.com>
2018-10-16 15:03:10 -04:00
Andy Ross
317178b88f sys_clock: Fix unsafe tick count usage
The system tick count is a 64 bit quantity that gets updated from
interrupt context, meaning that it's dangerously non-atomic and has to
be locked.  The core kernel clock code did this right.

But the value was also exposed to the rest of the universe as a global
variable, and virtually nothing else was doing this correctly.  Even
in the timer ISRs themselves, the interrupts may be themselves
preempted (most of our architectures support nested interrupts) by
code that wants to set timeouts and inspect system uptime.

Define a z_tick_{get,set}() API, eliminate the old variable, and make
sure everyone uses the right mechanism.

Signed-off-by: Andy Ross <andrew.j.ross@intel.com>
2018-10-16 15:03:10 -04:00
Anas Nashif
621f75bfa7 tests: remove bat_commit, replace core with kernel
bat_commit is an old and obsolete tag that has not been maintained over
time and was supposed to serve a purpose that is obsolete now. Also
rename core tag with kernel.

Signed-off-by: Anas Nashif <anas.nashif@intel.com>
2018-10-16 09:17:51 -04:00
Ioannis Glaropoulos
52b729a6a4 arch: arm: fix mem domain sample/test for ARMv8-M access permissions
This commit updates the mem_domain_apis_test sample and the
mem_protect test, so they can compile and execute in ARMv8-M
platforms, which do not support the P_RW_U_RO access permissions
combination (privileged read/write, unprivileged read-only). The
modification consists of, simply, selecting a different access
permission (P_RO_U_RO) when building for ARMv8-M MPUs with the
unmodified ARM MPU architecture.

Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
2018-10-09 19:33:24 -04:00
Mark Ruvald Pedersen
d67096da05 portability: Avoid void* arithmetics which is a GNU extension
Under GNU C, sizeof(void) = 1. This commit merely makes it explicit u8.

Pointer arithmetics over void types is:
 * A GNU C extension
 * Not supported by Clang
 * Illegal across all ISO C standards

See also: https://gcc.gnu.org/onlinedocs/gcc/Pointer-Arith.html

Signed-off-by: Mark Ruvald Pedersen <mped@oticon.com>
2018-09-28 07:57:28 +05:30
Adithya Baglody
0e11792f4e tests: userspace: Incorrect location to the privileged stack.
The test case was supposed to access the privileged stack area
but instead it was accessing the stack guard region.

Signed-off-by: Adithya Baglody <adithya.nagaraj.baglody@intel.com>
2018-09-20 20:35:25 -04:00
Adithya Baglody
b19f3ec2ba tests: mem_protect: mem_protect: Update the stack size.
This patch updates the alignment for the memory domain partitions.
Also update the stack size for qemu_cortex_m3.

Signed-off-by: Adithya Baglody <adithya.nagaraj.baglody@intel.com>
2018-09-20 20:35:25 -04:00
Adithya Baglody
a8f2675604 tests: userspace: Update the required stack size for mps2_an385
Increasing the stack size to 1024.

Signed-off-by: Adithya Baglody <adithya.nagaraj.baglody@intel.com>
2018-09-20 20:35:25 -04:00
Kumar Gala
05272d62b3 tests: mem_protect: syscalls: set CONFIG_USERSPACE in prj.conf
Set CONFIG_USERSPACE in the prj.conf to ensure it's set, right now
getting CONFIG_USERSPACE depends on tests/Kconfig setting it.

Signed-off-by: Kumar Gala <kumar.gala@linaro.org>
2018-09-18 17:03:57 -04:00
Anas Nashif
af17c195b4 tests: syscalls: ignore faults, they are intentional
We are blowing up the kernel here intentionally, so ignore the faults on
some platforms.

Signed-off-by: Anas Nashif <anas.nashif@intel.com>
2018-08-30 15:05:30 -04:00
Wayne Ren
3f2f6dda1a tests: a fix for ARC and MPU VER 3
For ARC MPU version 3, the defined partitions are not added to MPU
when appmem_init_app_memory is doing app_bss_zero().

So need to disable mpu first to allow appmem_init_app_memory to
access all partitions.

Signed-off-by: Wayne Ren <wei.ren@synopsys.com>
2018-08-28 13:57:50 -04:00
Sebastian Bøe
55ee53ce91 cmake: Prepend 'cmake_minimum_required()' into 'app' build scripts
Prepend the text 'cmake_minimum_required(VERSION 3.8.2)' into the
application and test build scripts.

Modern versions of CMake will spam users with a deprecation warning
when the toplevel CMakeLists.txt does not specify a CMake
version. This is documented in bug #8355.

To resolve this we include a cmake_minimum_required() line into the
toplevel build scripts. Additionally, cmake_minimum_required is
invoked from within boilerplate.cmake. The highest version will be
enforced.

This patch allows us to afterwards change CMake policy CMP0000 from OLD
to NEW which in turn finally rids us of the verbose warning.

The extra boilerplate is considered more acceptable than the verbosity
of the CMP0000 policy.

Signed-off-by: Sebastian Bøe <sebastian.boe@nordicsemi.no>
2018-08-15 04:06:50 -07:00
Spoorthi K
234f48e1ef tests: userspace: Add description and doxygen links
Add description and doxygen links to userspace test cases

Signed-off-by: Spoorthi K <spoorthi.k@intel.com>
2018-08-10 03:55:44 -07:00
Spoorthi K
6910f15fcf tests: protection: Add description and doxygen group
Add description and doxygen groups for protection
test cases

Signed-off-by: Spoorthi K <spoorthi.k@intel.com>
2018-08-10 03:55:44 -07:00
Spoorthi K
b32b39af05 tests: userspace: Remove extra call to same testcase
The test read_kobject_user_pipe() is called twice in
the test suite. There is no need of calling same test
twice. Removing the extra call.

Signed-off-by: Spoorthi K <spoorthi.k@intel.com>
2018-08-10 03:54:43 -07:00
Spoorthi K
0975663e3f tests: x86_mmu_api: Add description and doxygen groups
Add description, RTM links and doxygen groups for
x86_mmu_api test cases.

Signed-off-by: Spoorthi K <spoorthi.k@intel.com>
2018-08-10 03:53:57 -07:00
Spoorthi K
477219b2dc tests: syscall: Add description and RTM links
Add description, RTM links and doxygen groups for
syscall test cases

Signed-off-by: Spoorthi K <spoorthi.k@intel.com>
2018-08-10 03:52:47 -07:00
Spoorthi K
67d2ddc6ad tests: mem_protect: Add RTM links and description
Add doxygen groups, RTM links and description for
memory protection test cases

Signed-off-by: Spoorthi K <spoorthi.k@intel.com>
2018-08-01 10:14:44 -07:00
Spoorthi K
0b76567ac3 tests: mem_protect: Add description and doxygen groups
Add descriptions and doxygen groups for app_memory,
    stack_protection, stack_randomization and
    obj_validation.

Signed-off-by: Spoorthi K <spoorthi.k@intel.com>
2018-07-31 11:56:49 -04:00
Andrew Boie
cef0748687 userspace: add syscalls test case
Test that we can define our own system calls in application code
and that fault handling works properly.

Additional tests for base system call infrastructure, outside of
specific system calls, go here.

Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
2018-07-31 07:47:15 -07:00
Shawn Mosley
573f32b6d2 userspace: compartmentalized app memory organization
Summary: revised attempt at addressing issue 6290.  The
following provides an alternative to using
CONFIG_APPLICATION_MEMORY by compartmentalizing data into
Memory Domains.  Dependent on MPU limitations, supports
compartmentalized Memory Domains for 1...N logical
applications.  This is considered an initial attempt at
designing flexible compartmentalized Memory Domains for
multiple logical applications and, with the provided python
script and edited CMakeLists.txt, provides support for power
of 2 aligned MPU architectures.

Overview: The current patch uses qualifiers to group data into
subsections.  The qualifier usage allows for dynamic subsection
creation and affords the developer a large amount of flexibility
in the grouping, naming, and size of the resulting partitions and
domains that are built on these subsections. By additional macro
calls, functions are created that help calculate the size,
address, and permissions for the subsections and enable the
developer to control application data in specified partitions and
memory domains.

Background: Initial attempts focused on creating a single
section in the linker script that then contained internally
grouped variables/data to allow MPU/MMU alignment and protection.
This did not provide additional functionality beyond
CONFIG_APPLICATION_MEMORY as we were unable to reliably group
data or determine their grouping via exported linker symbols.
Thus, the resulting decision was made to dynamically create
subsections using the current qualifier method. An attempt to
group the data by object file was tested, but found that this
broke applications such as ztest where two object files are
created: ztest and main.  This also creates an issue of grouping
the two object files together in the same memory domain while
also allowing for compartmenting other data among threads.

Because it is not possible to know a) the name of the partition
and thus the symbol in the linker, b) the size of all the data
in the subsection, nor c) the overall number of partitions
created by the developer, it was not feasible to align the
subsections at compile time without using dynamically generated
linker script for MPU architectures requiring power of 2
alignment.

In order to provide support for MPU architectures that require a
power of 2 alignment, a python script is run at build prior to
when linker_priv_stacks.cmd is generated.  This script scans the
built object files for all possible partitions and the names given
to them. It then generates a linker file (app_smem.ld) that is
included in the main linker.ld file.  This app_smem.ld allows the
compiler and linker to then create each subsection and align to
the next power of 2.

Usage:
 - Requires: app_memory/app_memdomain.h .
 - _app_dmem(id) marks a variable to be placed into a data
section for memory partition id.
 - _app_bmem(id) marks a variable to be placed into a bss
section for memory partition id.
 - These are seen in the linker.map as "data_smem_id" and
"data_smem_idb".
 - To create a k_mem_partition, call the macro
app_mem_partition(part0) where "part0" is the name then used to
refer to that partition. This macro only creates a function and
necessary data structures for the later "initialization".
 - To create a memory domain for the partition, the macro
app_mem_domain(dom0) is called where "dom0" is the name then
used for the memory domain.
 - To initialize the partition (effectively adding the partition
to a linked list), init_part_part0() is called. This is followed
by init_app_memory(), which walks all partitions in the linked
list and calculates the sizes for each partition.
 - Once the partition is initialized, the domain can be
initialized with init_domain_dom0(part0) which initializes the
domain with partition part0.
 - After the domain has been initialized, the current thread
can be added using add_thread_dom0(k_current_get()).
 - The code used in ztests and kernel/init has been added under
a conditional #ifdef to isolate the code from other tests.
The userspace test CMakeLists.txt file has commands to insert
the CONFIG_APP_SHARED_MEM definition into the required build
targets.
  Example:
        /* create partition at top of file outside functions */
        app_mem_partition(part0);
        /* create domain */
        app_mem_domain(dom0);
        _app_dmem(dom0) int var1;
        _app_bmem(dom0) static volatile int var2;

        int main()
        {
                init_part_part0();
                init_app_memory();
                init_domain_dom0(part0);
                add_thread_dom0(k_current_get());
                ...
        }

 - If multiple partitions are being created, a variadic
preprocessor macro can be used as provided in
app_macro_support.h:

        FOR_EACH(app_mem_partition, part0, part1, part2);

or, for multiple domains, similarly:

        FOR_EACH(app_mem_domain, dom0, dom1);

Similarly, the init_part_* can also be used in the macro:

        FOR_EACH(init_part, part0, part1, part2);

Testing:
 - This has been successfully tested on qemu_x86 and the
ARM frdm_k64f board.  It compiles and builds power of 2
aligned subsections for the linker script on the 96b_carbon
boards.  These power of 2 alignments have been checked by
hand and are viewable in the zephyr.map file that is
produced during build. However, due to a shortage of
available MPU regions on the 96b_carbon board, we are unable
to test this.
 - When run on the 96b_carbon board, the test suite will
enter execution, but each individual test will fail due to
an MPU FAULT.  This is expected as the required number of
MPU regions exceeds the number allowed due to the static
allocation. As the MPU driver does not detect this issue,
the fault occurs because the data being accessed has been
placed outside the active MPU region.
 - This now compiles successfully for the ARC boards
em_starterkit_em7d and em_starterkit_em7d_v22. However,
as we lack ARC hardware to run this build on, we are unable
to test this build.

Current known issues:
1) While the script and edited CMakeLists.txt creates the
ability to align to the next power of 2, this does not
address the shortage of available MPU regions on certain
devices (e.g. 96b_carbon).  In testing the APB and PPB
regions were commented out.
2) checkpatch.pl lists several issues regarding the
following:
a) Complex macros. The FOR_EACH macros as defined in
app_macro_support.h are listed as complex macros needing
parentheses.  Adding parentheses breaks their
functionality, and we have otherwise been unable to
resolve the reported error.
b) __aligned() preferred. The _app_dmem_pad() and
_app_bmem_pad() macros give warnings that __aligned()
is preferred. Prior iterations had this implementation,
which resulted in errors due to "complex macros".
c) Trailing semicolon. The macro init_part(name) has
a trailing semicolon as the semicolon is needed for the
inlined macro call that is generated when this macro
expands.

Update: updated to alternative CONFIG_APPLICATION_MEMORY.
Added config option CONFIG_APP_SHARED_MEM to enable a new section
app_smem to contain the shared memory component.  This commit
separates the Kconfig definition from the definition used for the
conditional code.  The change is in response to changes in the
way the build system treats definitions.  The python script used
to generate a linker script for app_smem was also modified to
simplify the alignment directives.  A default linker script
app_smem.ld was added to remove the conditional includes dependency
on CONFIG_APP_SHARED_MEM.  By adding the default linker script
the prebuild stages link properly prior to the python script running.

Signed-off-by: Joshua Domagalski <jedomag@tycho.nsa.gov>
Signed-off-by: Shawn Mosley <smmosle@tycho.nsa.gov>
2018-07-25 12:02:01 -07:00
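An added illustration of the power-of-2 alignment and MPU region budget described in commit 573f32b6d2 above; it is not code from that commit or from Zephyr. All names (plan_partitions, part_req, MPU_MIN_REGION) and the sample sizes and addresses are assumptions constructed for this example, and the planner rejects a layout that needs more regions than are free instead of leaving the mismatch to surface as an MPU fault.

```c
#include <inttypes.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical planner, not Zephyr's API: every name here is illustrative. */
#define MPU_MIN_REGION 32u /* assumed smallest region size the MPU accepts */

enum plan_status { PLAN_OK = 0, PLAN_ERR_REGIONS = -1, PLAN_ERR_SPACE = -2 };

struct part_req { const char *name; uint32_t size; }; /* bytes of data in the subsection */
struct part_layout { uint32_t base; uint32_t size; }; /* region handed to the MPU */

/* Constructed sample: three partitions with sizes that are not powers of 2. */
static const struct part_req sample_req[] = {
	{ "part0", 100 }, { "part1", 1000 }, { "part2", 33 },
};

/* Smallest power of 2 >= v and >= MPU_MIN_REGION; 0 if it does not fit in 32 bits. */
static uint32_t next_pow2(uint32_t v)
{
	uint32_t p = MPU_MIN_REGION;

	while (p < v) {
		if (p > UINT32_MAX / 2) {
			return 0;
		}
		p <<= 1;
	}
	return p;
}

/* Round each partition up to a power of 2 and align its base to its own size. */
int plan_partitions(const struct part_req *req, size_t n, uint32_t start,
		    uint32_t end, size_t free_regions, struct part_layout *out)
{
	uint32_t cursor = start;

	if (n > free_regions) {
		return PLAN_ERR_REGIONS; /* fail at plan time, not with a runtime fault */
	}
	for (size_t i = 0; i < n; i++) {
		uint32_t size = next_pow2(req[i].size);

		if (size == 0 || cursor > UINT32_MAX - (size - 1)) {
			return PLAN_ERR_SPACE;
		}
		uint32_t base = (cursor + (size - 1)) & ~(size - 1);

		if (base > end || size > end - base) {
			return PLAN_ERR_SPACE; /* region would run past the RAM window */
		}
		out[i].base = base;
		out[i].size = size;
		cursor = base + size;
	}
	return PLAN_OK;
}

/* Bytes lost to rounding and alignment gaps across the planned span. */
uint32_t plan_overhead(const struct part_req *req, size_t n, uint32_t start,
		       const struct part_layout *out)
{
	uint32_t wanted = 0;

	if (n == 0) {
		return 0;
	}
	for (size_t i = 0; i < n; i++) {
		wanted += req[i].size;
	}
	return (out[n - 1].base + out[n - 1].size - start) - wanted;
}

int main(void)
{
	struct part_layout out[3];
	int rc = plan_partitions(sample_req, 3, 0x20000100u, 0x20001000u, 3, out);

	for (size_t i = 0; rc == PLAN_OK && i < 3; i++) {
		printf("%s base=0x%08" PRIx32 " size=%" PRIu32 "\n",
		       sample_req[i].name, out[i].base, out[i].size);
	}
	return rc == PLAN_OK ? 0 : 1;
}
```
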
Carles Cufi
6eeeb2a3e5 tests: Fix sizing for several test for chips with 24KB of RAM
When adding the nRF52810, which has 24KB of RAM, some of the tests don't
compile anymore due to lack of SRAM. Address this by either filtering
the test out or reducing the amount of memory allocation.

Signed-off-by: Carles Cufi <carles.cufi@nordicsemi.no>
2018-06-25 19:34:33 +02:00
Andrew Boie
2237ce6b56 tests: mem_protect: use better stack size arg
True stack sizes may be rounded up, instead of using a multiplier
just fetch the true stack size and add one to it, just one byte
over should produce an error.

Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
2018-06-02 16:29:46 -04:00
Wayne Ren
467f8fbe3d tests: fixes for ARC
Like ARM, ARC also needs to return

Signed-off-by: Wayne Ren <wei.ren@synopsys.com>
2018-05-30 20:23:35 -04:00
Punit Vara
7a3ace35dd tests: Remove newline character
Remove new line character from all zassert_*
messages. Following script has been used to do this.

https://github.com/punitvara/scripts/blob/master/remove_newlinech.py

zassert test framework adds newlines character implicitly.

issue: #7170

Signed-off-by: Punit Vara <punit.vara@intel.com>
2018-05-23 12:59:12 -04:00
Andrew Boie
9f30a6caed tests: mem_protect: fix off-by-one
A test was trying to add the maximum number of partitions,
but when the domain was initialized there was already one
added which needed to be accounted for to avoid an
assertion failing.

Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
2018-05-22 15:59:07 -07:00
Andrew Boie
97bf001f11 userspace: get dynamic objs from thread rsrc pools
Dynamic kernel objects are no longer hard-coded to use the kernel
heap. Instead, objects will now be drawn from the calling thread's
resource pool.

Since we now have a reference counting mechanism, if an object
loses all its references and it was dynamically allocated, it will
be automatically freed.

A parallel dlist is added for efficient iteration over the set of
all dynamic objects, allowing deletion during iteration.

Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
2018-05-16 17:32:59 -07:00
Andrew Boie
e9cfc54d00 kernel: remove k_object_access_revoke() as syscall
Forthcoming patches will dual-purpose an object's permission
bitfield as also reference tracking for kernel objects, used to
handle automatic freeing of resources.

We do not want to allow user thread A to revoke thread B's access
to some object O if B is in the middle of an API call using O.

However we do want to allow threads to revoke their own access to
an object, so introduce a new API and syscall for that.

Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
2018-05-16 17:32:59 -07:00
Andrew Boie
577d5ddba4 userspace: fix kobj detection declared extern
If a variable is declared extern first, the name and type
information is stored in a special DW_DIE_variable which
is then referenced by the actual instances via the
tag DW_AT_specification.

We now place extern variable instances in an extern environment
and use this data to fetch the name/type of the instances,
which do not have it (which is why they were being skipped).

As it turns out, the gross hack for the system workqueue was
due to this problem because of the extern declaration in
kernel.h.

Fixes: #6992

Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
2018-05-16 17:00:27 -07:00
Spoorthi K
79a0fa68e3 tests: mem_protect: Add memory domain testcases
Add few tests to check access permissions of memory partitions
of a memory domain, validate memory domain destroy.

Signed-off-by: Spoorthi K <spoorthi.k@intel.com>
2018-05-09 21:10:56 -07:00
Anas Nashif
93109f2d8e tests: enhance test meta-data/improve test naming
Enhance the test meta-data and test names. This is needed for
better and consistent reporting.

Signed-off-by: Anas Nashif <anas.nashif@intel.com>
2018-05-07 12:27:07 -04:00
Anas Nashif
b4cb101427 tests: mem_prot: skip unsupported tests
If a test is not supported on some platform, skip it and report SKIP.

Signed-off-by: Anas Nashif <anas.nashif@intel.com>
2018-04-26 13:01:45 +05:30
Adithya Baglody
7753bc5065 tests: kernel: mem_protect: tests for userspace mode.
The testcases presented here will test the following functionality
1. Inheritance of permission from parent thread to child.
2. Memory domain implementation.
3. Access permission for k objects.

The combinations of these test cases will cover some of the basic
usecases of the userspace mode.
These test cases are meant to be executed by any board which has
CONFIG_USERSPACE enabled.

Signed-off-by: Adithya Baglody <adithya.nagaraj.baglody@intel.com>
2018-04-25 14:44:31 -07:00
Anas Nashif
7a5ff13703 tests: allow unsupported tests to be skipped
Instead of completely excluding those tests, mark them as skipped and
provide a noop function that marks the test as skipped where test is
not supported.

Signed-off-by: Anas Nashif <anas.nashif@intel.com>
2018-04-25 14:18:15 +05:30
Anas Nashif
910a569ea7 tests: stackprot: move to ztest
Move test to use ztest instead of freestyle.

Signed-off-by: Anas Nashif <anas.nashif@intel.com>
2018-04-25 14:18:15 +05:30
Anas Nashif
1609f251ee tests: kernel: style, tag, and category fixes
Fix coding style, test tags and use categories.

Signed-off-by: Anas Nashif <anas.nashif@intel.com>
2018-04-25 14:18:15 +05:30
Andrew Boie
31bdfc014e userspace: add support for dynamic kernel objects
A red-black tree is maintained containing the metadata for all
dynamically created kernel objects, which are allocated out of the
system heap.

Currently, k_object_alloc() and k_object_free() are supervisor-only.

Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
2018-04-24 12:27:54 -07:00
Wayne Ren
1931f1242b tests: fix arc related codes
code fixes for arc architecture

Signed-off-by: Wayne Ren <wei.ren@synopsys.com>
2018-04-17 10:50:12 -07:00
Anas Nashif
d7e7b08cdc tests: cleanup meta-data of various tests
Use sensible test name and cleanup filtering.

Signed-off-by: Anas Nashif <anas.nashif@intel.com>
2018-04-09 22:55:20 -04:00
Anas Nashif
e73a95bd64 tests: kernel: use a consistent test suite name
Lots of tests use different ways for naming tests, make this consistent
across all tests.

Signed-off-by: Anas Nashif <anas.nashif@intel.com>
2018-04-09 22:55:20 -04:00
Spoorthi K
d155e88624 tests: stack_random: Add Ztest support
Add Ztest support for stack randomization test case.

Signed-off-by: Spoorthi K <spoorthi.k@intel.com>
2018-04-05 08:07:43 -04:00
Spoorthi K
f37507604d tests: kernel: mem_protect: Update platform whitelist
Remove arduino_101 from platform whitelist in testcase.yaml as all the
test cases are not meant to run on Arduino_101.

Signed-off-by: Spoorthi K <spoorthi.k@intel.com>
2018-03-26 14:24:34 -04:00
Andrew Boie
83752c1cfe kernel: introduce initial stack randomization
This is a component of address space layout randomization that we can
implement even though we have a physical address space.

Support for upward-growing stacks omitted for now, it's not done
currently on any of our current or planned architectures.

Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
2018-03-16 16:25:22 -07:00
Anas Nashif
841835554d tests: kernel: stop relying on path for naming
Use proper test names instead of relying on path name where the test is
located.

Signed-off-by: Anas Nashif <anas.nashif@intel.com>
2018-02-18 09:16:40 -05:00
Wayne Ren
078259dc7f tests: modify the user space test codes for ARC
Both em_starterkit_em7d and em_starterkit_em7d_v22 are
tested.

Signed-off-by: Wayne Ren <wei.ren@synopsys.com>
2018-02-16 12:20:16 +01:00
Wayne Ren
0c3aebef49 tests: add the test case for user space support of arc
add arc specific codes in tests/kernel/mem_protect/userspace

Signed-off-by: Wayne Ren <wei.ren@synopsys.com>
2018-02-16 12:20:16 +01:00
Stephen Smalley
7032027f1f tests: userspace: fix read/write privileged stack tests
The read/write_kernel_stack tests are confusingly named and incorrectly
implemented for ARM; they are intended to test that user mode threads
cannot read or write their privileged stacks.  The privileged stacks
on ARM are not relative to the user stack, and thus their location
cannot be computed from the user stack.  To find the privileged stack on
ARM, we have to use _k_priv_stack_find(), which we do during setup
in test_main() rather than from the usermode thread itself.  Accessing
thread_stack directly from the test function requires making it
non-static in ztest, so we also give it a ztest_ prefix to avoid
collisions with other test programs.  Rename the test functions and
global pointer variable to more accurately reflect their purpose.

Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2018-02-14 13:06:21 -08:00
Andy Gross
f35c0318a1 tests: mem_protect: userspace: Adjust kernel stack tests
This patch adjusts the calculation of the overflow size for the kernel
stack tests which read/write to areas below the current user stack.

Signed-off-by: Andy Gross <andy.gross@linaro.org>
2018-02-13 12:42:37 -08:00
Stephen Smalley
6c2085bfed tests: userspace: fail on unexpected fault reason
Check the fault reason against the expected value.
This is presently architecture-specific, and possibly
reflects a bug on ARM (all faults end up with reason 0,
even though ARM does define a separate value for Oops).

Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2018-02-05 14:06:51 -05:00
Stephen Smalley
a252ac2326 tests: userspace: fail on unexpected faults
Previously we were handling any fault during test execution as
a pass condition.  Explicitly indicate when a fault is expected
and fail the test if we encounter an unexpected fault.

Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2018-02-05 14:06:51 -05:00