Introduce Trusted Firmware M support in Kernel on ARM Cortex M33 (#108)
This port adds the support that FreeRTOS applications can call the secure
services in Trusted Firmware M(TF-M) via PSA Platform Security
Architecture(PSA) API based on Arm Cortex-M33 platform with GCC compiler.
More information:
PSA - https://www.arm.com/why-arm/architecture/platform-security-architecture
TF-M - https://git.trustedfirmware.org/trusted-firmware-m.git/
Simon Beaudoin [Mon, 10 Aug 2020 16:55:04 +0000 (12:55 -0400)]
Update stream_buffer.c (#94)
Add necessary checks when sending data to the stream/message buffer in order to avoid a task deadlock when attempting to write a longer stream/message than the underlying buffer can write.
Simon Beaudoin [Mon, 10 Aug 2020 16:46:39 +0000 (12:46 -0400)]
Fix race condition when tracing is enabled (#95)
* Update port.c
I discovered a very snicky and tricky race condition scenario when integrating tracealyzer code into our project.
A little background on CortexR5 : When the IRQ line (comming from the interrupt controller, to which every peripheral IRQ lines connect) of the processor rises and the IRQ Enable bit in the status register of the CPU permits it, the CPU traps into interrupt mode. Several things happen. First, the CPU finishes the instruction it was performing. Second, it places the content of the CPSR register into the SPSR_irq register. And third, the mode of the CPU is changed to IRQ_Mode and /!\ THE IRQ ENABLE BIT IN CPSR_irq IS AUTOMATICALLY CLEARED /!\. The reason is to ensure that upon landing into IRQ code, we find ourselves automatically in a critical section because we cannot be interrupted again because the bit is cleared. The programmer can, if he wants, re-enable IRQs inside IRQ code itself to allow interrupt nesting. But it has to be wanted and meditated.
Now, inside portASM.S, at the end of 'FreeRTOS_IRQ_Handler' assembly function, a call to 'vTaskSwitchContextConst' is made if the variable 'ulPortYieldRequired' was set by someone while executing the interrupt. Before branching to that function, a 'CPSID i' instruction was placed to ensure that interrupts are disabled in case someone re-enabled it. Inside 'vTaskSwitchContext', there is the macro 'traceTASK_SWITCHED_OUT' that gets populated when tracing is enabled.
The bug is right there.. If the macro is populated and inside that macro there is a matching call to 'ulPortSetInterruptMask' and 'vPortClearInterruptMask', a race condition can occure is there is a OS Tick timer interrupt waiting at the interrupt controller's door. Upon calling 'vTaskSwitchContext', the interrupts are not masked in the interrupt controller, the only barrier against the CPU servicing that tick interrupt while already performing the function is that the IRQ Enable bit cleared. 'ulPortSetInterruptMask'
does what's its supposed to do, but doesn't take into account the IRQ Enable bit in CPSR. Wheter or not the bit was cleared, the function sets it at the end. When calling the matching 'vPortClearInterruptMask', the function clears the interrupt mask in the interrupt controller. Because the IRQ Enable bit (that was cleared) has been set no matter what in 'ulPortSetInterruptMask', the CPU services the OS Tick Interrupt right away.
The bug is there : instead of completing the 'vTaskSwitchContext' function, the CPU re-enters the switch context path right after 'traceTASK_SWITCHED_OUT' thus corrupting the CPU state and eventually triggering either an undefined instruction, data or instruction abort.
* Update port.c
Error on my part, this is the right inline asm code to retreive CPSR register
RichardBarry [Sun, 9 Aug 2020 23:18:57 +0000 (16:18 -0700)]
Fix: Two one line fixes, xTaskCheckForTimeOut() and ulTaskGenericNotifyValueClear(). (#82)
ulTaskGenericNotifyValueClear() returned the notification value of the
currently running task, not the target task. Now it returns the
notification value of the target task.
Some users expected xTaskCheckForTimeOut() to clear the 'last wake time'
value each time a timeout occurred, whereas it only did that in one path.
It now clears the last wake time in all paths that return that a timeout
occurred.
Gaurav-Aggarwal-AWS [Sun, 9 Aug 2020 01:37:14 +0000 (18:37 -0700)]
Allow application to override TEX,S,C and B bits for Flash and RAM (#113)
The TEX, Shareable (S), Cacheable (C) and Bufferable (B) bits define
the memory type, and where necessary the cacheable and shareable
properties of the memory region.
The default values for these bits, as configured in our MPU ports, are
sometimes not suitable for application. One such example is when the MCU
has a cache, the application writer may not want to mark the memory as
shareable to avoid disabling the cache. This change allows the
application writer to override default vales for TEX, S C and B bits for
Flash and RAM in their FreeRTOSConfig.h. The following two new
configurations are introduced:
- configTEX_S_C_B_FLASH
- configTEX_S_C_B_SRAM
If undefined, the default values for the above configurations are
TEX=000, S=1, C=1, B=1. This ensures backward compatibility.
Change the xRunningPrivileged check from "!=true" to "==false" (#109)
The expected behaviour of portIS_PRIVILEGED is:
- return 0 if the processor is not running privileged.
- return 1 if the processor is running privileged.
Some TI ports do not return 1 when the processor is running privileged
causing the following check to fail: if( xRunningPrivileged != pdTRUE )
This commit change the check to: if( xRunningPrivileged == pdFALSE ). It
ensures that the check is successful even on the ports which return incorrect
value from portIS_PRIVILEGED when the processor is running privileged.
See https://forums.freertos.org/t/kernel-bug-nested-mpu-wrapper-calls-generate-an-exception/10391
Add support for 16 MPU regions to Cortex-M4 MPU ports (#96)
ARMv7-M supports 8 or 16 MPU regions. FreeRTOS Cortex-M4 MPU ports so
far assumed 8 regions. This change adds support for 16 MPU regions. The
hardware with 16 MPU regions must define configTOTAL_MPU_REGIONS to 16
in their FreeRTOSConfig.h.
If left undefined, it defaults to 8 for backward compatibility.
Some of the privileged symbols were not being placed in their respective
sections. This commit addresses those and places them in
privileged_functions or privileged_data section.
Add support for privileged heap to ARMV8-M ports (#85)
If xTaskCreate API is used to create a task, the task's stack is
allocated on heap using pvPortMalloc. This places the task's stack
in the privileged data section, if the heap is placed in the
privileged data section.
We use a separate MPU region to grant a task access to its stack.
If the task's stack is in the privileged data section, this results in
overlapping MPU regions as privileged data section is already protected
using a separate MPU region. ARMv8-M does not allow overlapping MPU
regions and this results in a fault. This commit ensures to not use a
separate MPU region for the task's stack if it lies within the
privileged data section.
Note that if the heap memory is placed in the privileged data section,
the xTaskCreate API cannot be used to create an unprivileged task as
the task's stack will be in the privileged data section and the task
won't have access to it. xTaskCreateRestricted and
xTaskCreateRestrictedStatic API should be used to create unprivileged
tasks.
Gaurav-Aggarwal-AWS [Wed, 10 Jun 2020 17:03:11 +0000 (10:03 -0700)]
Fix out of offset errors when LTO is enabled (#71)
When Link Time Optimization (LTO) is enabled, some of the LDR
instructions result in out of range access. The reason is that the
default generated literal pool is too far and not within the permissible
range of 4K.
This commit adds LTORG assembly instructions at required places to
ensure that access to literals remain in the permissible range of 4K.
Yuhui Zheng [Wed, 27 May 2020 21:08:44 +0000 (14:08 -0700)]
Removing vPortEndScheduler() implementation, since it's not implemented according to spec. (#61)
Refer to https://www.freertos.org/a00133.html.
The issue with the implementation is that, if only stop kernel tick the program will keep executing current task.
The desired behavior is to at least return/jump to the next instruction after vTaskStartScheduler().
RichardBarry [Wed, 27 May 2020 19:28:48 +0000 (12:28 -0700)]
Feature/multiple direct to task notifications (#63)
Description
Before this change each task had a single direct to task notification value and state as described here: https://www.FreeRTOS.org/RTOS-task-notifications.html. After this change each task has an array of task notifications, so more than one task notification value and state per task. The new FreeRTOSConfig.h compile time constant configTASK_NOTIFICATION_ARRAY_ENTRIES sets the number of indexes in the array.
Each notification within the array operates independently - a task can only block on one notification within the array at a time and will not be unblocked by a notification sent to any other array index.
Task notifications were introduced as a light weight method for peripheral drivers to pass data and events to tasks without the need for an intermediary object such as a semaphore - for example, to unblock a task from an ISR when the operation of a peripheral completed. That use case only requires a single notification value. Their popularity and resultant expanded use cases have since made the single value a limitation - especially as FreeRTOS stream and message buffers themselves use the notification mechanism. This change resolves that limitation. Stream and message buffers still use the task notification at array index 0, but now application writers can avoid any conflict that might have with their own use of task notifications by using notifications at array indexes other than 0.
The pre-existing task notification API functions work in a backward compatible way by always using the task notification at array index 0. For each such function there is now an equivalent that is postfixed "Indexed" and takes an additional parameter to specify which index within the array it should operate upon. For example, xTaskNotify() is the original that only operates on array index 0. xTaskNotifyIndexed() is the new function that can operate on any array index.
Test Steps
The update is tested using the Win32 demo (PR to be created in the FreeRTOS/FreeRTOS github repo), which has been updated to build and run a new test file FreeRTOS/Demo/Common/Minimal/TaskNotifyArray.c. The tests in that file are in addition to, not a replacement for those in FreeRTOS/Demo/Common/Minimal/TaskNotify.c.
By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.
Daniel Glaser [Fri, 22 May 2020 17:26:41 +0000 (19:26 +0200)]
Adding volatile to tasks.c's runtime information to protect against compiler optimization (#62)
As discussed in https://forums.freertos.org/t/make-runtime-stats-working-with-compiler-optimization-enabled/9846 and on lined out on https://blog.the78mole.de/freertos-debugging-on-stm32-cpu-usage/, adding the volatile prevents the run-time stats variable being optimized away when used with compiler optimizations.
RichardBarry [Sat, 2 May 2020 05:35:42 +0000 (22:35 -0700)]
Fix/clear MIE bit in initial RISC-V mstatus register. (#57)
* fix: CLEAR MIE BIT IN INITIAL RISC-V MSTATUS VALUE
The MIE bit in the RISC-V MSTATUS register is used to globally enable
or disable interrupts. It is copied into the MPIE bit and cleared
on entry to an interrupt, and then copied back from the MPIE bit on
exit from an interrupt.
When a task is created it is given an initial MSTATUS value that is
derived from the current MSTATUS value with the MPIE bit force to 1,
but the MIE bit is not forced into any state. This change forces
the MIE bit to 0 (interrupts disabled).
Why:
If a task is created before the scheduler is started the MIE bit
will happen to be 0 (interrupts disabled), which is fine. If a
task is created after the scheduler has been started the MIE bit
is set (interrupts enabled), causing interrupts to unintentionally
become enabled inside the interrupt in which the task is first
moved to the running state - effectively breaking a critical
section which in turn could cause a crash if enabling interrupts
causes interrupts to nest. It is only an issue when starting a
newly created task that was created after the scheduler was started.
Related Issues:
https://forums.freertos.org/t/risc-v-port-pxportinitialisestack-issue-about-mstatus-value-onto-the-stack/9622 Co-authored-by: Cobus van Eeden <35851496+cobusve@users.noreply.github.com>
Add definition of portDONT_DISCARD to ARMv7-M ports (#50)
Enabling Link Time Optimization (LTO) causes some of the functions used
in assembly to be incorrectly stripped off, resulting in linker error.
To avoid this, these functions are marked with portDONT_DISCARD macro,
definition of which is port specific. This commit adds the definition
of portDONT_DISCARD for ARMv7-M ports.
The FreeRTOS kernel sets up the following MPU regions:
* Unprivileged Code - __FLASH_segment_start__ to __FLASH_segment_end__.
* Privileged Code - __FLASH_segment_start__ to __privileged_functions_end__.
The above setup assumes that the FreeRTOS kernel code
(i.e. privileged_functions) is placed at the beginning of the flash and,
therefore, uses __FLASH_segment_start__ as the starting location of the
privileged code. This prevents a user from placing the FreeRTOS kernel
code outside of flash (say to an external RAM) and still have vector
table at the beginning of flash (which is many times a hardware
requirement).
Solution
--------
This commit addresses the above limitation by using a new variable
__privileged_functions_start__ as the starting location of the
privileged code. This enables users to place the FreeRTOS kernel code
wherever they choose.
The FreeRTOS kernel now sets up the following MPU regions:
* Unprivileged Code - __FLASH_segment_start__ to __FLASH_segment_end__.
* Privileged Code - __privileged_functions_start__ to __privileged_functions_end__.
As a result, a user can now place the kernel code to an external RAM. A
possible organization is:
Note that the above configuration places the vector table in an unmapped
region. This is okay because we enable the background region, and so the
vector table will still be accessible to the privileged code and not
accessible to the unprivileged code (vector table is only needed by the
privileged code).
Backward Compatibility
----------------------
The FreeRTOS kernel code now uses a new variable, namely
__privileged_functions_start__, which needs to be exported from linker
script to indicate the starting location of the privileged code. All of
our existing demos already export this variable and therefore, they will
continue to work.
If a user has created a project which does not export this variable,
they will get a linker error for unresolved symbol
__privileged_functions_start__. They need to export a variable
__privileged_functions_start__ with the value equal to
__FLASH_segment_start__.
David Vrabel [Wed, 4 Mar 2020 18:00:41 +0000 (18:00 +0000)]
portable/GCC/Posix: add new port for Posix (Linux) applications
This is similar to the Windows port, allowing FreeRTOS kernel
applications to run as regular applications on Posix (Linux) systems.
You can use this in a 32-bit or 64-bit application (although there are
dynamic memory allocation trace points that do not support 64-bit
addresses).
Many of the same caveats of running an RTOS on a non-real-time system
apply, but this is still very useful for easy debugging/testing
applications in a simulated environment. In particular, it allows easy
use of tools such as valgrind.
You can call standard library functions from tasks but care must be
taken with any that internally take mutexes or block. This includes
malloc()/free() and many stdio functions (e.g., printf()).
Replacement malloc(), free(), realloc(), and calloc() functions are
provided which are safe. printf() needs to be called with a FreeRTOS
mutex help (or called from only a single task).
Each task is run in its own pthread, which makes debugging with
standard tools (such as GDB) easier backtraces for individual tasks
are available. Threads for non-running tasks are blocked in sigwait().
The stack for each task (thread) is allocated when the thread is
created, and the stack provided during task creation is not used. This
is so the stack has guard pages, to help with detecting stack
overflows.
Task switch is done by resuming the thread for the next task by
sending it the resume signal (SIGUSR1) and then suspending the current
thread.
The timer interrupt uses SIGALRM and care is taken to ensure that the
signal handler runs only on the thread for the current task.
The additional data needed per-thread is stored at the top on the
task's stack.
When a running task is being deleted, its thread is marked it as dying
so when we switch away from it it exits instead of suspending. This
ensures that even if the idle task doesn't run, threads are deleted
which allows for more threads to be created (if many tasks are being
created and deleted in rapid succession).
To further aid debugging, SIGINT (^C) is not blocked inside critical
sections. This allows it to be used break into GDB while in a critical
section. This means that care must be taken with any custom SIGINT
handlers as these are like NMIs.
This is somewhat inspired by an existing port by William Davy
(https://www.freertos.org/FreeRTOS-simulator-for-Linux.html) but it
takes a number of different approaches to make it switch tasks
reliableand there's little similarly with the original implementation.
- Critical sections block scheduling/"interrupts" by blocking signals
using pthread_sigmask(). This is more expensive than attempting to
use flags but works reliably and is analogous to the interrupt
enable/disable on real hardware.
- Care is take to ensure that the SIGALRM handler (for the timer tick)
is runnable only on the pthread for the running task. This makes
tasks switches more straight-forward and reliable as we can suspend
the thread while in the signal handler.
- Task switches save/restore the critical nesting on the stack.
- Only uses a single (SIGUSR1) signal which is ignored and thus GDB's
default signal handling options won't trap/print on this signal.
- Extra per-thread data is stored on the task's stack, making it
accessible in O(1) instead of performing a O(n) lookup of the array.
- Uses the task create/delete hooks in a similar way to the Windows
port, rather than overloading trace points.
RichardBarry [Mon, 16 Mar 2020 16:59:32 +0000 (09:59 -0700)]
Fix Coverity warnings: In most cases the return value of xTaskResumeAll() is cast to void when it is not needed. This PR fixes a couple of instances in the heap_n.c implementations where that was not the case.
RichardBarry [Sun, 15 Mar 2020 04:07:41 +0000 (21:07 -0700)]
Improve documentation for the ulTaskNotifyValueClear() and xTaskCatchUpTicks() API functions.
Move the prototype and documentation for xTaskCatchUpTicks() into the correct place in the task.h header file (in the public documentation from the private documentation).
Rename the variable that holds the return value in xTaskCatchUpTicks() to more accurately represent its meaning.
RichardBarry [Sat, 14 Mar 2020 19:09:07 +0000 (12:09 -0700)]
The Windows port layer is built with both MSVC and GCC. GCC generated a warning relating to the variable lWaitForYield being set but not used. This change removes the variable.
WineQ圈9 [Sat, 14 Mar 2020 18:58:19 +0000 (02:58 +0800)]
Update tasks.c (#24)
An error on trace argument.
In "xTaskPriorityDisinherit", the disinherit priority should be "pxTCB->uxBasePriority".
And, in "vTaskPriorityDisinheritAfterTimeout", the disinherit priority should be "uxPriorityToUse", which might not be "pxTCB->uxBasePriority".
Sachin Parekh [Wed, 26 Feb 2020 13:38:26 +0000 (19:08 +0530)]
Xtensa_ESP32: Change _iram_end to _iram_text_end
xtensa_loadstore_handler.S uses _iram_end to prevent modification of IRAM
code. With the LoadStore exception handler in place, IRAM can also be
used for .bss and .data section. Hence the sanity check should be based
upon _iram_text_end and not _iram_end
RichardBarry [Fri, 28 Feb 2020 20:40:11 +0000 (12:40 -0800)]
This change prevents tickless idle mode potentially sleeping for an extra tick in the corer case that a tick interrupt occurred between the scheduler being suspended and the expected idle time being checked for a second time (within the idle task) - as described by the sequence below. Th change updates eTaskConfirmSleepModeStatus() to specifically check if a tick is pending, and if so, abort entering sleep mode.
+ The idle task decides to enter sleep mode on the following line.
```
if( xExpectedIdleTime >= configEXPECTED_IDLE_TIME_BEFORE_SLEEP )
```
+ The scheduler is suspended, preventing any context switches.
[Potentially a tick interrupt could occur here. That could happen if other tasks executing consumed a lot of time since the above code line executed. If a tick interrupt occurs here the interrupt will be entered but the interrupt will not do anything other than increment xPendedTicks.]
+ The expected idle time is checked again. No context switches can occur now so the code will execute until the scheduler is unsuspended. Assuming configEXPECTED_IDLE_TIME_BEFORE_SLEEP is set to a sensible value, a tick interrupt won't occur for some time.
+ portSUPPRESS_TICKS_AND_SLEEP() is called.
+ The default implementation of the tickless function calls eTaskConfirmSleep() - which prior to this change does not return eAbortSleep even though xPendedTicks is not 0, and after this change does return eAbortSleep.
ribarry [Sun, 23 Feb 2020 01:48:22 +0000 (17:48 -0800)]
Updates vCoRoutineSchedule() so it returns without doing anything if if the co-routine internal data structures have not been initialised. The internal data structures are initialised when the first co-routine is created.
NOTE: Co-routines are a deprecated feature. This change was made to close off an old ticket as the source control transitions from SourceForge to Github.
begriffs.com / projects / freertos / log