Stack fault recovery

[Patater]

Recover from stacking and unstacking faults. Reprioritize faults relative to SVC, so we can recover from more faults and also, as a bonus, get better debug messages. (Other miscellaneous fixes are also included.)

Tested on EFM32GG and K64F with a test that fails before this PR's commits are applied and passes after this PR's commits are applied.

@AlessandroA @meriac @niklas-arm

[niklarm]

I believe @meriac wanted this to stay low. This results in (128 + 8 + 31) / 32) = 5 * uint32_t * #boxes (something like 5 * (5 + 1) * 4 = 30 * 4 = 120B).

[meriac]

@Patater Yes, 128 is way too high. Why ?

[Patater]

I didn't want to reduce process stack sizes just for the tiny pages tests, so we need enough pages in the page heap for allocating all the process stacks plus the test secure allocator. The test secure allocator needs to have at least as many pages available as the number of subregions available for the page heap, which is probably around 48 (6 regions * 8 subregions). In practice, this means around 95 pages: I rounded that up to the nearest power of two to get 128.

If we add a page invalidation API, instead of trying to allocate so many pages that old ones get pushed out of the MPU configuration, then we can keep this count as low as we want.

[meriac]

@Patater It's not acceptable to increase the pagecount for everybody.

• either we make that value configurable
• or create alternative uVisor-binaries for testing
• or add the page eviction as an uVisor API

[Patater]

I agree. This doesn't increase the page count for everybody, only the maximum they could configure it to be. (UVISOR_SET_PAGE_HEAP configures the actual pages and their sizes at the platform configuration level).

Is it unacceptable to increase this maximum just because of the 160 bytes? I'm not understanding why it'd be unacceptable to increase this if the only cost were 160 bytes of RAM. What cost are you seeing that I'm not?

If nobody sets the number pages in the page heap to 128, they, as far as I'm aware, only pay the cost of this bitfield (and not any MPU regions or subregions). If this limit is just in place to prevent "stupid" parameters to UVISOR_SET_PAGE_HEAP, the benefit of better tests outweighs preventing the stupid; as platform configuring people are the ones intended to use UVISOR_SET_PAGE_HEAP (not application writers), this seems fine.

For making the test less fragile, I'm already leaning towards making the page eviction API and have been working on that approach today. The test can also test more interesting cases now, with finer control over the pages loaded into the MPU.

[Patater]

Rewrote the test so we don't need to enable many or small pages yet. We can enable those when we need them.

[niklarm]

Good catch!

[AlessandroA]

How about we call this UVISOR_BOX_EXTERN? We know that internally it declares the box cfg ptr, but from the POV of the user it's just extern-declaring the box.

[Patater]

OK

[AlessandroA]

How does this work when we preprocess the linker script? The options for the preprocessing step are the following:

LINKER_CONFIG:=\
    -D$(CONFIGURATION) \
    -I$(PLATFORM_DIR)/$(PLATFORM)/inc \
    -include $(CORE_DIR)/uvisor-config.h

But NDEBUG is not set there.

[Patater]

Good catch. I had a look into the release *.linker files and they are using the large debug limit. I'll have to set NDEBUG in the linker script generation step.

[Patater]

Fixed

[AlessandroA]

How about we call this UVISOR_BOX_EXTERN? We know that internally it declares the box cfg ptr, but from the POV of the user it's just extern-declaring the box.

[Patater]

OK

[mazimkhan]

retest

[mazimkhan]

retest uvisor

[mazimkhan]

build uvisor

[Patater]

Rebased on latest master

[AlessandroA]

If this is meant to stay, please turn into a FIXME.

[Patater]

Yes, will move to a FIXME. We'll refactor when we have another architecture to add support for.

[AlessandroA]

Could you add a comment specifying what the magic numbers mean? I actually always wanted to use the CMSIS symbols for these checks, but it would make them much longer. What do you think?

[Patater]

Added a commit to switch magic numbers to CMSIS symbols for these fault status bits.

[AlessandroA]

Does this line imply that this path is only reachable by a non-recoverable from-privileged MemManage fault? If yes, please specify it as a comment in line 164.

[AlessandroA]

Also, I don't understand the debug_box_enter_from_priv very well. The debug box is a "hidden feature", meaning that it doesn't have visibility from the uVisor core. Instead, halt or print functions internally revert to the debug box if present. What is this function going to do here? I would expect that this function is called from some debug-box-specific function before returning here.

[Patater]

No, debug_box_enter_from_priv (if that's the line you mean) is reachable from a non-privileged MemManage fault as well. debug_box_enter_from_priv does nothing when called from privileged mode, letting the ordinary EXC_RETURN (instead of a forged one) enter the debug box.

[Patater]

debug_box_enter_from_priv never returns if from called with an lr that indicates an exception from privileged mode. It makes a fake EXC_RETURN, to use the psp that debug_deprivilege_and_return made, and executes the EXC_RETURN. When called with an lr that indicates an exception from non-privileged mode, the real EXC_RETURN is used just as before.

[AlessandroA]

I don't like this approach very much, because (i.) it leaves a lr pushed onto the original exception stack frame, and because (ii.) it creates a return shortcut which is not easy to track down (for example if you look at the code from https://github.com/ARMmbed/uvisor/blob/master/core/system/src/system.c#L96).

So after this PR it appears that is not granted anymore that we blindly return to the caller using EXC_RETURN as-is. We can change the isr_default_sys_handler wrapper to do something like:

mov r0, lr \n
mrs r1, MSP \n
bx vmpu_sys_mux_handler \n"

(note: No push of lr, bx instead of blx)

The wrapped function (vmpu_sys_mux_handler) would then do the actual return to lr, either as-is or changed.

@meriac What do you think?

[Patater]

I didn't like it either. I justified it to myself my thinking, "We are halting anyway. We don't care if we leave anything on the stack."

Your suggestion is an improvement in the sense that the stack is cleaned up. I can see the importance of leaving the uVisor stack clean when we support halting individual boxes.

[AlessandroA]

See comments above.

[Patater]

k

[AlessandroA]

See comments above.

[AlessandroA]

Not sure if there's an elegant way to do this, but it seems to me that these hard-coded priority values are too decoupled from the __UVISOR_NVIC_MIN_PRIORITY symbol. For example, at least we should check that the highest priority number used here (1) is lower than the __UVISOR_NVIC_MIN_PRIORITY value.

[Patater]

Done

[Patater]

Responded to Alessandro's comments

[Patater]

Tests pass on EFM32

[Patater]

Tests pass on K64F

[Patater]

Responded to Alessandro's comments and re-ran tests. Tests are passing on EFM32 and K64F.

[AlessandroA]

Isn't this an overkill? The context_validate_exc_sf function does exactly the same check (reads with the t instruction).

[Patater]

Yes, the commit description spells it out as not really necessary, as a non-recoverable fault would happen in context_validate_exc_sf, preventing further progress. As currently written, the unprivileged access instruction is not technically necessary.

However, from the defensive coding perspective, it makes sense to use the unprivileged access instruction. Maybe the context_validate_exc_sf goes away on accident or has a bug introduced on accident. It's also nice to consistently have all places where uVisor accesses unprivileged memory using unprivileged access instructions.

[AlessandroA]

👍

[AlessandroA]

The comment Set DebugMonitor, PendSV, SYSTICK to the same priority as SVC. is outdated now.

[AlessandroA]

Can this happen? If not, maybe it's better to turn it into a debug-only runtime assertion.

[Patater]

OK. Debug makes sense because it'd be a stupid uVisor programmer's fault if this happened. If it does happen with a release build, a usage fault (which uVisor chooses not to recover from) will happen.

[AlessandroA]

Just to make sure that this comment does not become outdated when we change the code, you could turn it into something more general, as "It's the responsibility of the caller to se the PSP to a valid value.".

[Patater]

Updated

[AlessandroA]

s/fake/Fake

[Patater]

Fixed

[AlessandroA]

Is this tested in release mode as well?

[Patater]

Yup. It works even in release mode. Tests pass on both K64F and EFM32GG in release and debug modes.

[AlessandroA]

👍

[AlessandroA]

LGTM