Update cmsis/rtx to version 5.3

[bulislaw]

Description

Update CMSIS and RTX to version 5.3.

Pull request type

• Fix
• Refactor
• New target
• Feature
• Breaking change

@deepikabhavnani could you have a look at the v8 integration.

[bulislaw]

@c1728p9 we need to review this critical section. RTX5.3 marks the svcRtxKernelSuspend/Resume as static so we can't use it here and I'd rather not modify RTX again. Can you remember why are we entering the critical section before suspending the kernel?

[c1728p9]

The general problem is that the check that it is safe to enter sleep and the act of entering sleep need to be done atomically. If this is not done an interrupt could change state by waking a thread before WFI or WFE has been called.

This problem is visible this Tick-less Low-Power Operation code:

void osRtxIdleThread (void) {
    for (;;) {
        tc_wakeup = osKernelSuspend();
        /* Is there some time to sleep? */                                            
        if (tc_wakeup > 0) {
        tc = 0;
        /* Enter the low power state */
        MSP432_LP_Entry();
                                                //<- If an interrupt signals a thread to wake up at this point will the call to WFE() won't wake because of it. There is a thread that should be running now but won’t be able to until tc_wakeup ticks have passed.
        __WFE();
        }
        /* Adjust the kernel ticks with the amount of ticks slept */
        osKernelResume (tc);
    }
}

[bulislaw]

@JonatanAntoni I don't think it's currently possible to protect against this race using RTX APIs, do you guys have a way of dealing with it?

[JonatanAntoni]

__WFE should not have a race here, only __WFI would be problematic to my knowledge.
To my understanding each interrupt that is enabled to set the event register should do so. __WFE returns immediately if the event register is already set. Otherwise it puts the device to sleep until the event flag is set by any active event source. __WFE clears the event register on return.

For instance refer to http://infocenter.arm.com/help/index.jsp?topic=/com.arm.doc.dui0553a/CHDEAAHJ.html

[bulislaw]

That sounds good to me, I had a look at the Architecture Reference and couple of manuals for specific designs from partners and it seems that no one does anything weird. Anyone against replacing WFI with WFE? @c1728p9 @0xc0170

[c1728p9]

That solution sounds good to me as well as long as we don't have any devices with the errata mentioned here. I was under the impression that __WFE required any interrupt that could wake the system to call __SEV, which is not the case. This should be set by hardware automatically and its just errata that caused it not to be set for some devices.

[0xc0170]

Lets change it then and resolve this internal API usage

[bulislaw]

Updated to use WFE

[bulislaw]

@c1728p9 @0xc0170 I've replaced the WFI with WFE now.

[0xc0170]

Looks fine

I checked the wfe changes, found that few drivers are used in our codebase (I identified silicon labs, freescale, maxim, nuvoton - they invoke their driver sleep functions that use WFI by default, I could not locate WFE counterparts, thus have to change their driver code or implement sleep API without driver invocation).

[0xc0170]

why are these changed? github does not show the characters properly now?

[bulislaw]

Weird, must be some encoding issue with the file or they are not " but some weird unicode and my editor went crazy seeing that. I'll revert that.

[kjbracey]

I recently posted a bit of a "WFI/WFE for dummies" here:

https://os.mbed.com/forum/mbed/topic/29547/?page=1#comment-55419

The normal thing for an idle/sleeping OS to do is disable interrupts, shut down hardware, WFI, restart hardware, enable interrupts. And that's a privileged operation. You must disable interrupts around WFI. It's an OS instruction, and the interrupt disable makes the entire thing atomic, including whatever special hardware shutdown you're doing.

WFE is an unprivileged instruction for applications, who can't disable interrupts and just need to wait for something like a spinlock to be released, but don't want to yield back to the OS. I don't think it's what you should be doing here.

[kjbracey]

I'm not convinced the WFE change is conceptually right.

[kjbracey]

As I've been discussing this sort of thing with @c1728p9 - the logic of WFI is similar to that of a condition variable. The condition variable wait assumes you must be holding a mutex to be inspecting the condition you're monitoring without a race, so incorporates that mutex to make it atomic.

Similarly WFI assumes you must be in a critical section to be doing hardware shutdown without a race, and thus is designed to wake for an interrupt source even though you're in that critical section.

It's not clear to me how removing the critical section you have is safe.

[kjbracey]

This change also effectively changes the unspecified API of sleep() by no longer calling it from a critical section.

Stared at the RTX implementation a bit more - the suspend call to RTX is notionally atomic, and designed to work when called from normal thread context. After exit, the OS is suspended, with its timers stopped.

But interrupts are still enabled so device drivers could be queuing stuff for RTX post-processing - this could potentially quite rapidly hit ISR queue overflow, as the post-processing is suspended.

And this post-processing is a race - if an interrupt decides to release a semaphore after osKernelSuspend, osRtxPostProcess will set osRtxInfo.kernel.pendSV. We need to make sure we don't sleep if that happens. Now, using WFE could maybe avoid that - the interrupt setting pendSV would set the event flag. But the catch is that WFE must be used with interrupts enabled (always on ARMv7A, and unless a special config flag is set on ARMv7M) - a masked interrupt doesn't cause an event. If a hardware shutdown is (as seems likely) wants to shut off interrupts as part of the hardware shutdown, they can't portably use WFE.

To make this atomic and not change sleep semantics, I would suggest:

osKernelSuspend();              // outside critical section only because we're forced to be
critical_section_enter();       // to stop any more device activity
if (!osRtxInfo.kernel.pendSV) { // check devices didn't run any interrupt handlers kicking the OS between suspend and critical section
    sleep();                    // uses WFI - will wake as soon as any pending interrupts
}
critical_section_exit();        // lets pending interrupt handlers run (adding to ISR queue again!)
osKernelResume();               // off we go - finally empties the ISR queue

[c1728p9]

It may be safest to stick with WFI for now, as it doesn't require changing all the existing ports. I have a patch which updates the idle loop as @kjbracey-arm suggested in #6534.

[cmonr]

@bulislaw Are there any updates on your side with this PR?

[bulislaw]

Yes, once i find some time ;)

[bulislaw]

Updates:

• Rebased on master
• WFE removed and the idle loop updated as suggested by @kjbracey-arm

@c1728p9 @0xc0170 @kjbracey-arm please review

[kjbracey]

I think this ISB is overkill - we have SVC calls to osKernelResume and osKernelSuspend before our next disable, and SVC calls will allow interrupts to trigger according to the ARM ARM. (But then again, is it defined behaviour that these are SVC calls?)

[c1728p9]

SysTimer (os_timer) was serialized to a critical section, but no longer is with this change. You'll either need to update SysTimer to add the additional synchronization or wait for #6534 to get merged.

[bulislaw]

Rebased on top of #6534

[deepikabhavnani]

Flag name is changed by CMSIS, will have to check Mbed OS and change the flag name everywhere.

[JonatanAntoni]

Sorry for that inconvenience. The double underscore prefix is "reserved" for compiler intrinsic. Hence we removed this prefix to clarify that DOMAIN_NS is a user define and not a compiler one.

There are two "versions" of the IRQ assembly file for Armv8-M: irq_armv8mbl.s and irq_armv8mbl_ns.s. The former one contains the actual implementation. The second one just sets this define and includes the former one. There should be no need to know about this define anywhere else than locally within those two files.

[deepikabhavnani]

Locally within this file (at the top) we have added pre-preprocessor directives, as Mbed OS does not support multiple assembly files. Those are not updated in this PR.
Also build tools enable this flag when building for NS core.

[bulislaw]

Nice catch! Will change that.

[deepikabhavnani]

@bulislaw - New PR which might have small clash here is in "ready to merge" stage. https://github.com/ARMmbed/mbed-os/pull/6747/files

This PR might need a rebase.

[bulislaw]

/morph build

[orenc17]

/morph uvisor-test

[mbed-ci]

Build : ABORTED

Build number : 2105
Build artifacts/logs : http://mbed-os.s3-website-eu-west-1.amazonaws.com/?prefix=builds/6273/

[cmonr]

Fyi, we're sorting through some things with the CI. As soon as it's resolved, we'll restart the builds.

[cmonr]

/morph build

[mbed-ci]

Build : SUCCESS

Build number : 2109
Build artifacts/logs : http://mbed-os.s3-website-eu-west-1.amazonaws.com/?prefix=builds/6273/

Triggering tests

/morph test
/morph uvisor-test
/morph export-build
/morph mbed2-build

[mbed-ci]

Test : SUCCESS

Build number : 1910
Test logs :http://mbed-os-logs.s3-website-us-west-1.amazonaws.com/?prefix=logs/6273/1910

[mbed-ci]

Exporter Build : SUCCESS

Build number : 1742
Build artifacts/logs : http://mbed-os.s3-website-eu-west-1.amazonaws.com/?prefix=builds/exporter/6273/

[0xc0170]

I can't find this question but recall seeing it earlier, why are theres commits on this branch - looking at them on master, at least that import v0.30.0 does not match - the file added here is not there (46f9d46).

@Patater
@bulislaw
RTX5: uVisor: Add OsEventObserver  …
32d04a0
 @Patater
@bulislaw
RTX5: uVisor: Extend thread control block with context  …
86b91be
 @Patater
@bulislaw
RTX5: uVisor: Defer to uVisor for SVCall priority  …
2f7a841
 @Patater
@bulislaw
RTX5: uVisor: Switch threads very carefully  …
73a9579
 @Patater
@bulislaw
CMSIS/RTX: uVisor: Import v0.30.0
cb2b91c

[0xc0170]

This PR should be now ready for integration, please last round of review and get this in for 5.9!

[cmonr]

@JonatanAntoni @c1728p9 @kjbracey-arm @orenc17 @deepikabhavnani Final re-review?

[cmonr]

@bulislaw Mind answering @0xc0170's question?

[bulislaw]

I'm guessing rest of the files were already in the sources so rebase picked up only the file that had to be added.