Skip to content

Assert that mutexes and prints are not use in interrupt or critical context #4389

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 9 commits into from
Jun 3, 2017
Merged

Assert that mutexes and prints are not use in interrupt or critical context #4389

merged 9 commits into from
Jun 3, 2017

Conversation

c1728p9
Copy link
Contributor

@c1728p9 c1728p9 commented May 24, 2017

Add a function to determine if you are in ISR context, add asserts for context to mutex and printf usage and increase error buffer size so long asserts are printed correctly.

@c1728p9
Copy link
Contributor Author

c1728p9 commented May 24, 2017

This requires #4388 to pass testing.

@c1728p9 c1728p9 requested review from geky and 0xc0170 May 24, 2017 21:38
@theotherjimmy
Copy link
Contributor

Are the changes to the RTX header files going to conflict with #4294 ?

@c1728p9
Copy link
Contributor Author

c1728p9 commented May 24, 2017

@theotherjimmy I'll hold off a bit on merging this to prevent conflicts with #4294. Worst case, if I need to merge this I'll rebase #4294 myself.

0xc0170
0xc0170 reviewed May 25, 2017
View reviewed changes
Copy link
Contributor

@0xc0170 0xc0170 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

if we have are_interrupts_enabled, should this new function be is_isr_active or is_in_isr ? The former sounds better.

Regarding changes to RTOS, we are changing RTX internals that works the way that they return rather than assert. What disadvantages were for having asserts in our Mutex class, and keep internals as they are? Whoever touches directly RTX, should know what they are doing, probably same could be said for cmsis os layer.

@0xc0170 0xc0170 requested a review from bulislaw May 25, 2017 07:42
@0xc0170
Copy link
Contributor

0xc0170 commented May 25, 2017

retest uvisor

@bulislaw
Copy link
Member

RTX2 is doing the checks (if isr) by itself eg https://github.com/ARMmbed/mbed-os/blob/feature_cmsis5/rtos/rtx5/TARGET_CORTEX_M/rtx_mutex.c#L457

@0xc0170
Copy link
Contributor

0xc0170 commented May 25, 2017

RTX2 is doing the checks (if isr) by itself eg https://github.com/ARMmbed/mbed-os/blob/feature_cmsis5/rtos/rtx5/TARGET_CORTEX_M/rtx_mutex.c#L457

I forgot that they added events so users should be find out what is with the system. Based on this, should assert be only in C++, and keep RTX as it is (my above comment) ?

@bulislaw
Copy link
Member

I think there's no need to modify RTX5.

@pan-
Copy link
Member

pan- commented May 28, 2017

I'm not sure to understand the purpose of this PR. The functions osMutexWait and osMutexRelease already return the error osErrorISR if they are called from interrupt context.

Adding assertion at this point do break the API. Not running in ISR it not a precondition for calling these function (even if it will fail), with this change, it become one. Users referring to CMSIS RTOS documentation might fall into that trap where a valid code become invalid because of that change.

For low level _read and _write I wonder how much user code it will break and what is the impact on mbed OS 2 application.

@c1728p9
Copy link
Contributor Author

c1728p9 commented May 31, 2017

Hi @pan-, the goal here is to trap on errors immediately if the code is wrong. Using a mutex in an interrupt handler indicates that there is an error in the program. In mbed-os 2 calling _read and _write in an interrupt handler resulted in undefined behavior.

If you have any good use cases in mind where it is valid to use a mutex in an interrupt handler let me know, as that means this PR would be a problematic breaking change to the API.

@sg-
Copy link
Contributor

sg- commented Jun 1, 2017

Looks like this needs a conflict resolved and to only be enabled when in debug build. This change should not modify behavior of default or release builds.

@c1728p9 c1728p9 force-pushed the assert_mutex_not_in_isr branch from 20e20f4 to af7f3c7 Compare June 2, 2017 00:16
@c1728p9
Copy link
Contributor Author

c1728p9 commented Jun 2, 2017

Rebased on top of RTX5, changed core_util_in_isr to core_util_is_isr_active, enabled trapping all supported RTX errors, and added the define MBED_TRAP_ERRORS_ENABLED to enable the trapping behavior. By default error trapping is only enabled in debug builds.

Only top 9 commits are relevent. The rest are are for RTX5. This PR needs to be rebased on top of the main line RTX5 changes before running CI.

@sg- sg- added needs: CI and removed needs: work labels Jun 2, 2017
c1728p9 added 6 commits June 2, 2017 23:50
@c1728p9
Add function to check for ISR context
5ab3de0 
Add the function core_util_in_isr() so code can determine if it is
running in the context of an ISR.
@c1728p9
Assert that file IO is not used in ISRs
b44e6f8 
Trigger an assert if a file is read from or written to from an
interrupt handler or critical section. This includes using printf
from an interrupt handler or critical section. This makes failures
due to use in incorrect context deterministic and easier to locate.

This feature is enabled by defining MBED_TRAP_ERRORS_ENABLED to 1 or
by using the debug profile.
@c1728p9
Fix RTOS function prototypes by adding extern "C"
e48e599 
Wrap the file mbed_rtos_storage.h in extern "C". This allows the
functions inside rtx_lib.h to have correct definitions when included
in a C++ file.

This is required for the RTX5 error trapping.
@c1728p9
Trap on RTX errors if enabled
770ad61 
If MBED_TRAP_ERRORS_ENABLED is defined to 1 then trap on RTX errors.
This includes using mutexes in ISR context.
@c1728p9
Prevent recursive call to error()
a84142f 
Only allow error to be called once. This prevents a loop where error()
calls exit() which in turn triggers another call to exit().
@c1728p9
RTX5: Enable priority inheritance and robust mode
96bd943 
Add the attribute flash to enable priority inheritance and robust mode.
The robust flag allows mutexes held by terminated threads to be
properly released.
c1728p9 added 3 commits June 2, 2017 23:50
@c1728p9
Fix Thread class synchronization
cabc1e0 
Prevent osTheadTerminate from being called on an already terminated
thread. Also make sure the thread termination process is properly
synchronized.
@c1728p9
Ignore deprecated storage test
ee2be3f 
Add a .mbedignore to the storage_abstraction test since this is
deprecated.
@c1728p9
Trap on errors when building with debug profile
737c5a9 
Define MBED_TRAP_ERRORS_ENABLED to 1 for the debug profile so errors
are obvious when building as debug.
@c1728p9 c1728p9 force-pushed the assert_mutex_not_in_isr branch from af7f3c7 to 737c5a9 Compare June 3, 2017 04:52
@sg-
Copy link
Contributor

sg- commented Jun 3, 2017

/morph test

@mbed-bot
Copy link

mbed-bot commented Jun 3, 2017

Result: SUCCESS

Your command has finished executing! Here's what you wrote!

/morph test

Output

mbed Build Number: 426

All builds and test passed!

@sg- sg- merged commit 027843a into ARMmbed:master Jun 3, 2017
@pan- pan- mentioned this pull request Jun 5, 2017
Merged
1 task
@RobMeades RobMeades mentioned this pull request Jun 13, 2017
Closed
@geky geky mentioned this pull request Jun 16, 2017
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@0xc0170 0xc0170 0xc0170 left review comments

@geky geky geky approved these changes

@bulislaw bulislaw Awaiting requested review from bulislaw

Assignees
No one assigned
Labels
BREAKING-CHANGE release-version: 5.5.0-rc1
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
8 participants
@c1728p9 @theotherjimmy @0xc0170 @bulislaw @pan- @sg- @mbed-bot @geky