Error path tightening: use MBED_NORETURN; add+use core_util_atomic_flag

[kjbracey]

Description

Save some ROM space by putting MBED_NORETURN attributes on error functions and failed asserts.

As part of this, adjust error paths to make sure they don't return.

core_util_atomic_flag added to support the above.

See commit messages for more detail.

Fixes #8496.

Pull request type

[ ] Fix
[X] Refactor
[ ] Target update
[ ] Functionality change
[ ] Breaking change

[kjbracey]

@c1728p9 - you originally put the silent-exit recursion check in. Does this "insta-death" alternative suit as an alternative?

(I also note that mbed_error is reusing error's error_in_progress recursion flag as a buffer spinlock/mutex, which seems problematic - eg if someone called error inside a mbed_warning, it would be missed. Might need another patch to separate that, but worried about opening a can of worms about the spinlock).

[kjbracey]

Measured ROM saving is 464 bytes in a GCC_ARM K64F develop build of mbed-os-mesh-minimal. 604 bytes with ARM compiler.

(My first test saved 200 Kbytes, due to me having an error buffering test for #8076 in my main.cpp, and the attribute meant the compiler realised it didn't need to include any of the networking stuff used by the second half of main.)

[c1728p9]

@kjbracey-arm the recursion check in mbed_halt_system was because in some cases error() led to a call to exit() which triggerd another error() and caused a loop. I think this happened when error() was called in interrupt context, but it has been a while.

It may be safer to leave leave the error_in_progress check in, since if any of the calls in mbed_die call error again this same problem will occur. The functions gpio_write, and gpio_init_out are implemented by the HAL so it would be hard to ensure that they never call error. Also in #8189 the function wait_ms may be changed to trap if called in interrupt context, which would be problematic as well.

One alternative to keeping error_in_progress is to make another function that guarantees no recursion by just spinning. Maybe something like like mbed_die_for_real.

[deepikabhavnani]

If we do mbed_die, previous error in progress will not be captured.

[kjbracey]

The code here is inconsistent - there's no recursion-stopping check on mbed_error, although I guess it tries to sidestep that original "from interrupt" case which originally caused it by not using exit if it thinks it's in IRQ context.

Also in #8189 the function wait_ms may be changed to trap if called in interrupt context, which would be problematic as well.

Good point - that might need a specialised wait function. I also note the mbed_die code has some sort of ifdef fudge which the log justifies as

a disable_irq() exception in common/board.c because the wait function is implemented in a interrupt for both NRF and SiLabs boards

Any idea what that's talking about? Presumably no longer relevant. Really don't want mbed_die leaving interrupts on - it should be stopping the whole system, not just blocking the current thread.

If we do mbed_die, previous error in progress will not be captured.

The previous error presumably has already been recorded. Note that error and mbed_error are using the same variable for two totally different meanings which conflict. error thinks it's an "error has happened" flag, so it's trying to catch recursion from "exit". mbed_error thinks it's an "I'm currently modifying the error buffer" spinlock.

[kjbracey]

Right, started digging a bit deeper into this - separated out the "in progress" flags, and put in a "simple halt" alternative.

[cmonr]

@deepikabhavnani @bulislaw @c1728p9 @SenRamakri When y'all are available for a re-review.

@kjbracey-arm This'll need to be rebased.

[kjbracey]

Rebased. Reviewers - note that the commit message for the 2nd commit lists the changes and reasoning for stuff done to mbed_error exit paths.

[0xc0170]

@SenRamakri @deepikabhavnani Before another rebase, please review. I'll review shortly as well

[deepikabhavnani]

Query - Should atomic operations be extended to 16-bit and 32-bit flags as well?

[kjbracey]

The flag is inherently an opaque 1-bit true/false boolean from an API point of view - the 8-bit storage is an implementation detail.

And I'm using uint8_t because the LDREXB function/intrinsic takes uint8_t *.

It would probably be okay to have a bool there and cast the pointer for LDREXB, but I hate casts. This way makes the code look neater, and means I'm not accidentally invoking undefined behaviour.

Only downside is that the compiler will insist on adding an extra instruction when I assign the _flag to the bool output of test-and-set - it thinks it needs to ensure all values from 1-255 come out as 1, when we know the thing can only be holding 0 or 1 in the first place.

[deepikabhavnani]

Changes look good to me, but PR header and commits do not match. We have 3 commits here and header does not say anything about new atomic API's core_util_atomic_flag_test_and_set and core_util_atomic_flag_clear

@AnotherButler - Handbook update needed as well

[cmonr]

Will start CI since it's quite light at the moment, but this needs a rebase first.

[cmonr]

@bulislaw @SenRamakri Any thoughts?

[cmonr]

@ARMmbed/mbed-os-maintainers

It looks like this PR could come into the next patch release, and would probably help the author(s) of #8496, but this refactor adding new functionality. Thoughts?

[kjbracey]

#8496 arises from #8255 which didn't go to a patch release - they're testing master. This just needs to go in before 5.11.

[mbed-ci]

Exporter Build : FAILURE

Build number : 3078
Build artifacts/logs : http://mbed-os.s3-website-eu-west-1.amazonaws.com/?prefix=builds/exporter/8328/

[mbed-ci]

Test : FAILURE

Build number : 3248
Test logs :http://mbed-os-logs.s3-website-us-west-1.amazonaws.com/?prefix=logs/8328/3248

[0xc0170]

Pipe closed error, restarting

/morph export-build

However tests - I see there 2-4 tests failing across all targets and toolchains (just one exception)

[cmonr]

Test failures consistently around tests-mbed_hal-sleep_manager. Please take a look.

[kjbracey]

Wow. There are tests that define stub versions of mbed_error that return.

That... won't work...

Might be able to do something with a longjmp?

[mbed-ci]

Exporter Build : SUCCESS

Build number : 3083
Build artifacts/logs : http://mbed-os.s3-website-eu-west-1.amazonaws.com/?prefix=builds/exporter/8328/

[kjbracey]

Tests adjusted to not deliberately provoke mbed_error while intercepting it.

[0xc0170]

Travis docs fails : test_lock_gt_ushrt_max was removed so also should be from the docs (one more function as well, they are linked there)

[cmonr]

/morph build

[mbed-ci]

Build : SUCCESS

Build number : 3500
Build artifacts/logs : http://mbed-os.s3-website-eu-west-1.amazonaws.com/?prefix=builds/8328/

Triggering tests

/morph test
/morph export-build
/morph mbed2-build

[mbed-ci]

Exporter Build : SUCCESS

Build number : 3116
Build artifacts/logs : http://mbed-os.s3-website-eu-west-1.amazonaws.com/?prefix=builds/exporter/8328/

[mbed-ci]

Test : SUCCESS

Build number : 3283
Test logs :http://mbed-os-logs.s3-website-us-west-1.amazonaws.com/?prefix=logs/8328/3283

[mattbrown015]

Hi @kjbracey-arm,

Could/should system_reset also be made MBED_NORETURN?

I tried calling it from our definition of mbed_die and got the following warning:

[Warning] main.cpp@423,1: 'noreturn' function does return

This generates the warning:

MBED_NORETURN void mbed_die() {
    system_reset();
}

but this doesn't:

MBED_NORETURN void mbed_die() {
    NVIC_SystemReset();
}

[kjbracey]

Could/should system_reset also be made MBED_NORETURN?

Yes it should.

[kjbracey]

PR created. The warning you're getting is harmless - you know system_reset doesn't return even if the compiler doesn't.