kernel: Option to assert on spin lock time

Spin locks held for any lengthy duration prevent interrupts and
in a real time system where interrupts drive tasks this can be
problematic. Add an option to assert if a spin lock is held for
a duration longer than the configurable number of microseconds.

Signed-off-by: Tom Burdick <[email protected]>

Author: teburd

drivers/timer/Kconfig

@@ -54,6 +54,13 @@ config SYSTEM_TIMER_HAS_DISABLE_SUPPORT
 	  This option should be selected by drivers implementing support for
 	  sys_clock_disable() API.
 
+config SYSTEM_CLOCK_LOCK_FREE_COUNT
+	bool
+	help
+	  This option should be selected by drivers implementing a lock free
+	  cycle count accessor. This is needed for instrumenting spin lock
+	  hold times.
+
 source "drivers/timer/Kconfig.altera_avalon"
 source "drivers/timer/Kconfig.apic"
 source "drivers/timer/Kconfig.arcv2"

include/zephyr/spinlock.h

@@ -14,6 +14,7 @@
 
 #include <zephyr/sys/atomic.h>
 #include <zephyr/sys/__assert.h>
+#include <zephyr/sys/time_units.h>
 #include <stdbool.h>
 #include <zephyr/arch/cpu.h>
 
@@ -49,7 +50,12 @@ struct k_spinlock {
 	 * ID in the bottom two bits.
 	 */
 	uintptr_t thread_cpu;
-#endif
+#ifdef CONFIG_SPIN_LOCK_TIME_LIMIT
+	/* Stores the time (in cycles) when a lock was taken
+	 */
+	uint32_t lock_time;
+#endif /* CONFIG_SPIN_LOCK_TIME_LIMIT */
+#endif /* CONFIG_SPIN_VALIDATE */
 
 #if defined(CONFIG_CPLUSPLUS) && !defined(CONFIG_SMP) && \
 	!defined(CONFIG_SPIN_VALIDATE)
@@ -152,7 +158,10 @@ static ALWAYS_INLINE k_spinlock_key_t k_spin_lock(struct k_spinlock *l)
 
 #ifdef CONFIG_SPIN_VALIDATE
 	z_spin_lock_set_owner(l);
-#endif
+#if defined(CONFIG_SPIN_LOCK_TIME_LIMIT) && (CONFIG_SPIN_LOCK_TIME_LIMIT != 0)
+	l->lock_time = sys_clock_cycle_get_32();
+#endif /* CONFIG_SPIN_LOCK_TIME_LIMIT */
+#endif/* CONFIG_SPIN_VALIDATE */
 	return k;
 }
 
@@ -183,7 +192,15 @@ static ALWAYS_INLINE void k_spin_unlock(struct k_spinlock *l,
 	ARG_UNUSED(l);
 #ifdef CONFIG_SPIN_VALIDATE
 	__ASSERT(z_spin_unlock_valid(l), "Not my spinlock %p", l);
-#endif
+
+#if defined(CONFIG_SPIN_LOCK_TIME_LIMIT) && (CONFIG_SPIN_LOCK_TIME_LIMIT != 0)
+	uint32_t delta = sys_clock_cycle_get_32() - l->lock_time;
+
+	__ASSERT(delta < CONFIG_SPIN_LOCK_TIME_LIMIT,
+		 "Spin lock %p held %u cycles, longer than limit of %u cycles",
+		 l, delta, CONFIG_SPIN_LOCK_TIME_LIMIT);
+#endif /* CONFIG_SPIN_LOCK_TIME_LIMIT */
+#endif /* CONFIG_SPIN_VALIDATE */
 
 #ifdef CONFIG_SMP
 	/* Strictly we don't need atomic_clear() here (which is an

include/zephyr/sys/time_units.h

@@ -8,6 +8,7 @@
 #define ZEPHYR_INCLUDE_TIME_UNITS_H_
 
 #include <zephyr/toolchain.h>
+#include <zephyr/sys/util.h>
 
 #ifdef __cplusplus
 extern "C" {

subsys/debug/Kconfig

@@ -261,6 +261,16 @@ config SPIN_VALIDATE
 	  enabled. It adds a relatively hefty overhead (about 3k or so) to
 	  kernel code size, don't use on platforms known to be small.
 
+config SPIN_LOCK_TIME_LIMIT
+	int "Spin lock holding time limit in cycles"
+	default 0
+	depends on SPIN_VALIDATE
+	depends on SYSTEM_CLOCK_LOCK_FREE_COUNT
+	help
+	  Assert at the time of unlocking the number of system clock cycles
+	  the lock has been held is less than the configured value. Requires
+	  the timer driver sys_clock_get_cycles_32() be lock free.
+
 endif # ASSERT
 
 config FORCE_NO_ASSERT

tests/kernel/spinlock/prj.conf

@@ -1,3 +1,4 @@
 CONFIG_ZTEST=y
 CONFIG_SPIN_VALIDATE=y
+CONFIG_SPIN_LOCK_TIME_LIMIT=1000
 CONFIG_ZTEST_NEW_API=y

tests/kernel/spinlock/src/spinlock_error_case.c

@@ -3,6 +3,7 @@
  *
  * SPDX-License-Identifier: Apache-2.0
  */
+#include "zephyr/ztest_test_new.h"
 #include <zephyr/kernel.h>
 #include <zephyr/ztest.h>
 #include <zephyr/spinlock.h>
@@ -119,3 +120,28 @@ ZTEST(spinlock, test_spinlock_release_error)
 
 	ztest_test_fail();
 }
+
+/**
+ * @brief Test unlocking spinlock held over the time limit
+ *
+ * @details Validate unlocking spinlock held past the time limit will trigger
+ * assertion.
+ *
+ * @ingroup kernel_spinlock_tests
+ *
+ * @see k_spin_unlock()
+ */
+ZTEST(spinlock, test_spinlock_lock_time_limit)
+{
+	Z_TEST_SKIP_IFNDEF(CONFIG_SPIN_LOCK_TIME_LIMIT);
+
+	key = k_spin_lock(&lock);
+
+	for (volatile int i = 0; i < 100000; i++) {
+	}
+
+	set_assert_valid(true);
+	k_spin_unlock(&lock, key);
+
+	ztest_test_fail();
+}