arm: cortex_m: make lazy FP stacking enabling dynamic

ioannisg · nashif · commit cafe04558ced · 2021-02-02T17:58:58.000-05:00
Under FPU sharing mode, any thread is allowed to generate
a Floating Point context (use FP registers in FP instructions),
regardless of whether threads are pre-tagged with K_FP_REGS
option when they are created.

When building with MPU stack guard feature enabled,
a large MPU stack guard is required to catch stack
overflows, if lazy FP stacking is enabled. When lazy
FP stacking is not enabled, a default 32 byte guard is
sufficient.

If lazy stacking is enabled by default, all threads may
potentially generate FP context, so they would need to
program a large MPU guard, carved out of their reserved
stack memory.

To avoid this memory waste, we modify the behavior, and make
lazy stacking a dynamically enabled feature, implemented as
follows:
- threads that are not pre-tagged with K_FP_REGS, and have
not generated an FP context use a default MPU guard and disable
lazy stacking. As long as the threads do not have an active FP
context, they won't stack FP registers, anyway, on ISRs and
exceptions, while they will benefit from reserving a small
MPU guard size
- as soon as a thread starts using FP registers, ISR might
temporarily experience some increased ISR latency due to lazy
stacking being disabled. This will be the case until the next
context switch, where the threads that have active FP context
will be tagged with K_FP_REGS, enable lazy stacking, and
program a wide MPU guard.

The implementation is a tradeoff between performance (ISR
latency) and memory consumption.

Note that when MPU STACK GUARD feature is not enabled, lazy
FP stacking is always activated.

Signed-off-by: Ioannis Glaropoulos &lt;Ioannis.Glaropoulos@nordicsemi.no&gt;
diff --git a/arch/arm/core/aarch32/cortex_m/mpu/arm_core_mpu.c b/arch/arm/core/aarch32/cortex_m/mpu/arm_core_mpu.c
@@ -50,6 +50,11 @@ LOG_MODULE_REGISTER(mpu);
 extern K_THREAD_STACK_DEFINE(z_main_stack, CONFIG_MAIN_STACK_SIZE);
 #endif
 
+#if defined(CONFIG_FPU) && defined(CONFIG_FPU_SHARING) \
+	&& defined(CONFIG_MPU_STACK_GUARD)
+uint32_t z_arm_mpu_stack_guard_and_fpu_adjust(struct k_thread *thread);
+#endif
+
 static const struct z_arm_mpu_partition static_regions[] = {
 #if defined(CONFIG_COVERAGE_GCOV) && defined(CONFIG_USERSPACE)
 		{
@@ -247,9 +252,7 @@ void z_arm_configure_dynamic_mpu_regions(struct k_thread *thread)
 	size_t guard_size = MPU_GUARD_ALIGN_AND_SIZE;
 
 #if defined(CONFIG_FPU) && defined(CONFIG_FPU_SHARING)
-	if ((thread->base.user_options & K_FP_REGS) != 0) {
-		guard_size = MPU_GUARD_ALIGN_AND_SIZE_FLOAT;
-	}
+	guard_size = z_arm_mpu_stack_guard_and_fpu_adjust(thread);
 #endif
 
 #if defined(CONFIG_USERSPACE)
diff --git a/arch/arm/core/aarch32/thread.c b/arch/arm/core/aarch32/thread.c
@@ -103,6 +103,11 @@ void arch_new_thread(struct k_thread *thread, k_thread_stack_t *stack,
 
 #if defined(CONFIG_USERSPACE) || defined(CONFIG_FPU_SHARING)
 	thread->arch.mode = 0;
+#if FP_GUARD_EXTRA_SIZE > 0
+	if ((thread->base.user_options & K_FP_REGS) != 0) {
+		thread->arch.mode |= Z_ARM_MODE_MPU_GUARD_FLOAT_Msk;
+	}
+#endif
 #if defined(CONFIG_USERSPACE)
 	thread->arch.priv_stack_start = 0;
 #endif
@@ -113,6 +118,100 @@ void arch_new_thread(struct k_thread *thread, k_thread_stack_t *stack,
 	 */
 }
 
+#if defined(CONFIG_MPU_STACK_GUARD) && defined(CONFIG_FPU) \
+	&& defined(CONFIG_FPU_SHARING)
+
+static inline void z_arm_thread_stack_info_adjust(struct k_thread *thread,
+	bool use_large_guard)
+{
+	if (use_large_guard) {
+		/* Switch to use a large MPU guard if not already. */
+		if ((thread->arch.mode &
+			Z_ARM_MODE_MPU_GUARD_FLOAT_Msk) == 0) {
+			/* Default guard size is used. Update required. */
+			thread->arch.mode |= Z_ARM_MODE_MPU_GUARD_FLOAT_Msk;
+#if defined(CONFIG_USERSPACE)
+			if (thread->arch.priv_stack_start) {
+				/* User thread */
+				thread->arch.priv_stack_start +=
+					FP_GUARD_EXTRA_SIZE;
+			} else
+#endif /* CONFIG_USERSPACE */
+			{
+				/* Privileged thread */
+				thread->stack_info.start +=
+					FP_GUARD_EXTRA_SIZE;
+				thread->stack_info.size -=
+					FP_GUARD_EXTRA_SIZE;
+			}
+		}
+	} else {
+		/* Switch to use the default MPU guard size if not already. */
+		if ((thread->arch.mode &
+			Z_ARM_MODE_MPU_GUARD_FLOAT_Msk) != 0) {
+			/* Large guard size is used. Update required. */
+			thread->arch.mode &= ~Z_ARM_MODE_MPU_GUARD_FLOAT_Msk;
+#if defined(CONFIG_USERSPACE)
+			if (thread->arch.priv_stack_start) {
+				/* User thread */
+				thread->arch.priv_stack_start -=
+					FP_GUARD_EXTRA_SIZE;
+			} else
+#endif /* CONFIG_USERSPACE */
+			{
+				/* Privileged thread */
+				thread->stack_info.start -=
+					FP_GUARD_EXTRA_SIZE;
+				thread->stack_info.size +=
+					FP_GUARD_EXTRA_SIZE;
+			}
+		}
+	}
+}
+
+/*
+ * Adjust the MPU stack guard size together with the FPU
+ * policy and the stack_info values for the thread that is
+ * being switched in.
+ */
+uint32_t z_arm_mpu_stack_guard_and_fpu_adjust(struct k_thread *thread)
+{
+	if (((thread->base.user_options & K_FP_REGS) != 0) ||
+		((thread->arch.mode & CONTROL_FPCA_Msk) != 0)) {
+		/* The thread has been pre-tagged (at creation or later) with
+		 * K_FP_REGS, i.e. it is expected to be using the FPU registers
+		 * (if not already). Activate lazy stacking and program a large
+		 * MPU guard to safely detect privilege thread stack overflows.
+		 *
+		 * OR
+		 * The thread is not pre-tagged with K_FP_REGS, but it has
+		 * generated an FP context. Activate lazy stacking and
+		 * program a large MPU guard to detect privilege thread
+		 * stack overflows.
+		 */
+		FPU->FPCCR |= FPU_FPCCR_LSPEN_Msk;
+
+		z_arm_thread_stack_info_adjust(thread, true);
+
+		/* Tag the thread with K_FP_REGS */
+		thread->base.user_options |= K_FP_REGS;
+
+		return MPU_GUARD_ALIGN_AND_SIZE_FLOAT;
+	}
+
+	/* Thread is not pre-tagged with K_FP_REGS, and it has
+	 * not been using the FPU. Since there is no active FPU
+	 * context, de-activate lazy stacking and program the
+	 * default MPU guard size.
+	 */
+	FPU->FPCCR &= (~FPU_FPCCR_LSPEN_Msk);
+
+	z_arm_thread_stack_info_adjust(thread, false);
+
+	return MPU_GUARD_ALIGN_AND_SIZE;
+}
+#endif
+
 #ifdef CONFIG_USERSPACE
 FUNC_NORETURN void arch_user_mode_enter(k_thread_entry_t user_entry,
 					void *p1, void *p2, void *p3)
@@ -129,7 +228,7 @@ FUNC_NORETURN void arch_user_mode_enter(k_thread_entry_t user_entry,
 	 * which accounted for memory borrowed from the thread stack.
 	 */
 #if FP_GUARD_EXTRA_SIZE > 0
-	if ((_current->base.user_options & K_FP_REGS) != 0) {
+	if ((_current->arch.mode & Z_ARM_MODE_MPU_GUARD_FLOAT_Msk) != 0) {
 		_current->stack_info.start -= FP_GUARD_EXTRA_SIZE;
 		_current->stack_info.size += FP_GUARD_EXTRA_SIZE;
 	}
@@ -144,7 +243,7 @@ FUNC_NORETURN void arch_user_mode_enter(k_thread_entry_t user_entry,
 	 */
 #if defined(CONFIG_FPU) && defined(CONFIG_FPU_SHARING)
 	_current->arch.priv_stack_start +=
-		(_current->base.user_options & K_FP_REGS) ?
+		((_current->arch.mode & Z_ARM_MODE_MPU_GUARD_FLOAT_Msk) != 0) ?
 		MPU_GUARD_ALIGN_AND_SIZE_FLOAT : MPU_GUARD_ALIGN_AND_SIZE;
 #else
 	_current->arch.priv_stack_start += MPU_GUARD_ALIGN_AND_SIZE;
@@ -264,10 +363,16 @@ uint32_t z_check_thread_stack_fail(const uint32_t fault_addr, const uint32_t psp
 	}
 #endif
 
-#if defined(CONFIG_FPU) && defined(CONFIG_FPU_SHARING)
-	uint32_t guard_len = (thread->base.user_options & K_FP_REGS) ?
+#if (defined(CONFIG_FPU) && defined(CONFIG_FPU_SHARING)) && \
+	defined(CONFIG_MPU_STACK_GUARD)
+	uint32_t guard_len =
+		((_current->arch.mode & Z_ARM_MODE_MPU_GUARD_FLOAT_Msk) != 0) ?
 		MPU_GUARD_ALIGN_AND_SIZE_FLOAT : MPU_GUARD_ALIGN_AND_SIZE;
 #else
+	/* If MPU_STACK_GUARD is not enabled, the guard length is
+	 * effectively zero. Stack overflows may be detected only
+	 * for user threads in nPRIV mode.
+	 */
 	uint32_t guard_len = MPU_GUARD_ALIGN_AND_SIZE;
 #endif /* CONFIG_FPU && CONFIG_FPU_SHARING */
 
