Merge pull request #554 from tock/hudson.ayers/alloc

Initial memop syscall implementation + tests
tock · Aug 5, 2024 · 1dc6133 · 1dc6133
2 parents f4bd533 + 0b6e7c2
commit 1dc6133
Show file tree

Hide file tree

Showing 15 changed files with 596 additions and 23 deletions.
diff --git a/platform/src/register.rs b/platform/src/register.rs
@@ -8,7 +8,7 @@ use core::mem::transmute;
 /// wraps, but instead use the conversion functions in this module.
 // Register is repr(transparent) so that an upcall's application data can be
 // soundly passed as a Register.
-#[derive(Clone, Copy, Debug)]
+#[derive(Clone, Copy, Debug, Eq, PartialEq)]
 #[repr(transparent)]
 pub struct Register(pub *mut ());
 
@@ -28,6 +28,12 @@ impl From<u32> for Register {
     }
 }
 
+impl From<i32> for Register {
+    fn from(value: i32) -> Register {
+        (value as usize).into()
+    }
+}
+
 impl From<usize> for Register {
     fn from(value: usize) -> Register {
         // Note: clippy is wrong here; transmute has different semantics than
@@ -72,6 +78,13 @@ impl Register {
     pub fn as_u32(self) -> u32 {
         self.0 as u32
     }
+
+    /// Casts this register to a i32, truncating it if it is larger than
+    /// 32 bits. This conversion should be avoided in host-based test code; use
+    /// the `TryFrom<Register> for i32` implementation instead.
+    pub fn as_i32(self) -> i32 {
+        self.0 as i32
+    }
 }
 
 impl From<Register> for usize {

diff --git a/platform/src/syscalls.rs b/platform/src/syscalls.rs
@@ -77,7 +77,42 @@ pub trait Syscalls: RawSyscalls + Sized {
     /// `unallow_ro` does nothing.
     fn unallow_ro(driver_num: u32, buffer_num: u32);
 
-    // TODO: Add memop() methods.
+    // -------------------------------------------------------------------------
+    // Memop
+    // -------------------------------------------------------------------------
+
+    /// Changes the location of the program break to the specified address and
+    /// returns an error if it fails to do so.
+    ///
+    /// # Safety
+    /// Callers of this function must ensure that they do not pass an
+    /// address below any address that includes a currently reachable object.
+    unsafe fn memop_brk(addr: *const u8) -> Result<(), ErrorCode>;
+
+    /// Changes the location of the program break by the passed increment,
+    /// and returns the previous break address.
+    ///
+    /// # Safety
+    /// Callers of this function must ensure that they do not pass an
+    /// increment that would deallocate memory containing any currently
+    /// reachable object.
+    unsafe fn memop_sbrk(incr: i32) -> Result<*const u8, ErrorCode>;
+
+    /// Increments the program break by the passed increment,
+    /// and returns the previous break address.
+    fn memop_increment_brk(incr: u32) -> Result<*const u8, ErrorCode>;
+
+    /// Gets the address of the start of this application's RAM allocation.
+    fn memop_app_ram_start() -> Result<*const u8, ErrorCode>;
+
+    /// Tells the kernel where the start of the app stack is, to support
+    /// debugging.
+    fn memop_debug_stack_start(stack_top: *const u8) -> Result<(), ErrorCode>;
+
+    /// Tells the kernel the initial program break, to support debugging.
+    fn memop_debug_heap_start(initial_break: *const u8) -> Result<(), ErrorCode>;
+
+    // TODO: Add remaining memop() methods (3-9).
 
     // -------------------------------------------------------------------------
     // Exit

diff --git a/platform/src/syscalls_impl.rs b/platform/src/syscalls_impl.rs
@@ -352,6 +352,153 @@ impl<S: RawSyscalls> Syscalls for S {
         }
     }
 
+    // -------------------------------------------------------------------------
+    // Memop
+    // -------------------------------------------------------------------------
+
+    // Safety: Callers of this function must ensure that they do not pass an
+    // address below any address that includes a currently reachable object.
+    unsafe fn memop_brk(addr: *const u8) -> Result<(), ErrorCode> {
+        // Safety: syscall2's documentation indicates it can be used to call Memop.
+        let [r0, r1] =
+            unsafe { Self::syscall2::<{ syscall_class::MEMOP }>([0u32.into(), addr.into()]) };
+        let return_variant: ReturnVariant = r0.as_u32().into();
+        // TRD 104 guarantees that memop 0, 10, and 11 return either Success
+        // or Failure. We check the return variant by comparing against Failure
+        // for 2 reasons:
+        //
+        //   1. On RISC-V with compressed instructions, it generates smaller
+        //      code. FAILURE has value 0, which can be loaded into a
+        //      register with a single compressed instruction, whereas
+        //      loading SUCCESS uses an uncompressed instruction.
+        //   2. In the event the kernel malfunctions and returns a different
+        //      return variant, the success path is actually safer than the
+        //      failure path. The failure path assumes that r1 contains an
+        //      ErrorCode, and produces UB if it has an out of range value.
+        if return_variant == return_variant::FAILURE {
+            // Safety: TRD 104 guarantees that if r0 is Failure,
+            // then r1 will contain a valid error code. ErrorCode is
+            // designed to be safely transmuted directly from a kernel error
+            // code.
+            Err(unsafe { core::mem::transmute(r1.as_u32()) })
+        } else {
+            Ok(())
+        }
+    }
+
+    // Safety: Callers of this function must ensure that they do not pass an
+    // increment that would deallocate memory containing any currently
+    // reachable object.
+    unsafe fn memop_sbrk(incr: i32) -> Result<*const u8, ErrorCode> {
+        // Safety: syscall2's documentation indicates it can be used to call Memop.
+        let [r0, r1] =
+            unsafe { Self::syscall2::<{ syscall_class::MEMOP }>([1u32.into(), incr.into()]) };
+        let return_variant: ReturnVariant = r0.as_u32().into();
+        // TRD 104 guarantees that memop 1, returns either Success with U32
+        // or Failure. We check the return variant by comparing against Failure
+        // for 1 reason:
+        //
+        //   1. On RISC-V with compressed instructions, it generates smaller
+        //      code. FAILURE has value 0, which can be loaded into a
+        //      register with a single compressed instruction, whereas
+        //      loading SUCCESS_U32 uses an uncompressed instruction.
+        if return_variant == return_variant::FAILURE {
+            // Safety: TRD 104 guarantees that if r0 is Failure,
+            // then r1 will contain a valid error code. ErrorCode is
+            // designed to be safely transmuted directly from a kernel error
+            // code.
+            Err(unsafe { core::mem::transmute(r1.as_u32()) })
+        } else {
+            Ok(r1.into())
+        }
+    }
+
+    fn memop_increment_brk(incr: u32) -> Result<*const u8, ErrorCode> {
+        // Safety: memop_sbrk is safe if the passed increment is positive
+        unsafe { Self::memop_sbrk(i32::try_from(incr).map_err(|_| ErrorCode::Invalid)?) }
+    }
+
+    fn memop_app_ram_start() -> Result<*const u8, ErrorCode> {
+        // Safety: syscall1's documentation indicates it can be used to call Memop operations
+        // that only accept a memop operation number.
+        let [r0, r1] = unsafe { Self::syscall1::<{ syscall_class::MEMOP }>([2u32.into()]) };
+        let return_variant: ReturnVariant = r0.as_u32().into();
+        // TRD 104 guarantees that memop 2 returns either Success
+        // or Failure. We check the return variant by comparing against Failure
+        // for 1 reason:
+        //
+        //   1. On RISC-V with compressed instructions, it generates smaller
+        //      code. FAILURE has value 0, which can be loaded into a
+        //      register with a single compressed instruction, whereas
+        //      loading SUCCESS_U32 uses an uncompressed instruction.
+        if return_variant == return_variant::FAILURE {
+            // Safety: TRD 104 guarantees that if r0 is Failure,
+            // then r1 will contain a valid error code. ErrorCode is
+            // designed to be safely transmuted directly from a kernel error
+            // code.
+            Err(unsafe { core::mem::transmute(r1.as_u32()) })
+        } else {
+            Ok(r1.into())
+        }
+    }
+
+    fn memop_debug_stack_start(stack_top: *const u8) -> Result<(), ErrorCode> {
+        // Safety: syscall2's documentation indicates it can be used to call Memop.
+        let [r0, r1] =
+            unsafe { Self::syscall2::<{ syscall_class::MEMOP }>([10u32.into(), stack_top.into()]) };
+        let return_variant: ReturnVariant = r0.as_u32().into();
+        // TRD 104 guarantees that memop 0, 10, and 11 return either Success
+        // or Failure. We check the return variant by comparing against Failure
+        // for 2 reasons:
+        //
+        //   1. On RISC-V with compressed instructions, it generates smaller
+        //      code. FAILURE has value 0, which can be loaded into a
+        //      register with a single compressed instruction, whereas
+        //      loading SUCCESS uses an uncompressed instruction.
+        //   2. In the event the kernel malfunctions and returns a different
+        //      return variant, the success path is actually safer than the
+        //      failure path. The failure path assumes that r1 contains an
+        //      ErrorCode, and produces UB if it has an out of range value.
+        if return_variant == return_variant::FAILURE {
+            // Safety: TRD 104 guarantees that if r0 is Failure,
+            // then r1 will contain a valid error code. ErrorCode is
+            // designed to be safely transmuted directly from a kernel error
+            // code.
+            Err(unsafe { core::mem::transmute(r1.as_u32()) })
+        } else {
+            Ok(())
+        }
+    }
+
+    fn memop_debug_heap_start(initial_break: *const u8) -> Result<(), ErrorCode> {
+        // Safety: syscall2's documentation indicates it can be used to call Memop.
+        let [r0, r1] = unsafe {
+            Self::syscall2::<{ syscall_class::MEMOP }>([11u32.into(), initial_break.into()])
+        };
+        let return_variant: ReturnVariant = r0.as_u32().into();
+        // TRD 104 guarantees that memop 0, 10, and 11 return either Success
+        // or Failure. We check the return variant by comparing against Failure
+        // for 2 reasons:
+        //
+        //   1. On RISC-V with compressed instructions, it generates smaller
+        //      code. FAILURE has value 0, which can be loaded into a
+        //      register with a single compressed instruction, whereas
+        //      loading SUCCESS uses an uncompressed instruction.
+        //   2. In the event the kernel malfunctions and returns a different
+        //      return variant, the success path is actually safer than the
+        //      failure path. The failure path assumes that r1 contains an
+        //      ErrorCode, and produces UB if it has an out of range value.
+        if return_variant == return_variant::FAILURE {
+            // Safety: TRD 104 guarantees that if r0 is Failure,
+            // then r1 will contain a valid error code. ErrorCode is
+            // designed to be safely transmuted directly from a kernel error
+            // code.
+            Err(unsafe { core::mem::transmute(r1.as_u32()) })
+        } else {
+            Ok(())
+        }
+    }
+
     // -------------------------------------------------------------------------
     // Exit
     // -------------------------------------------------------------------------

diff --git a/runtime/src/startup/mod.rs b/runtime/src/startup/mod.rs
@@ -1,7 +1,7 @@
 //! Runtime components related to process startup.
 
 use crate::TockSyscalls;
-use libtock_platform::{syscall_class, RawSyscalls, Termination};
+use libtock_platform::{Syscalls, Termination};
 
 // Include the correct `start` symbol (the program entry point) for the
 // architecture.
@@ -85,21 +85,12 @@ extern "C" fn rust_start() -> ! {
         static rt_header: RtHeader;
     }
 
-    // TODO: Implement a safe memop API in libtock_platform and migrate these
-    // calls to that API.
-    //
-    // Safety: Memop operations 10 and 11 are always memory-safe, as they do not
-    // impact the execution of this process.
     #[cfg(not(feature = "no_debug_memop"))]
+    // Safety: rt_header is defined in the linker script, valid for its type,
+    // and not modified anywhere
     unsafe {
-        TockSyscalls::syscall2::<{ syscall_class::MEMOP }>([
-            10u32.into(),
-            rt_header.stack_top.into(),
-        ]);
-        TockSyscalls::syscall2::<{ syscall_class::MEMOP }>([
-            11u32.into(),
-            rt_header.initial_break.into(),
-        ]);
+        let _ = TockSyscalls::memop_debug_stack_start(rt_header.stack_top as *const u8);
+        let _ = TockSyscalls::memop_debug_heap_start(rt_header.initial_break as *const u8);
     }
 
     // Safety: libtock_unsafe_main is defined by the set_main! macro, and its
@@ -108,3 +99,14 @@ extern "C" fn rust_start() -> ! {
         libtock_unsafe_main();
     }
 }
+
+/// Function which an allocator can call to learn the initial
+/// start of the heap region
+pub fn get_heap_start() -> *mut () {
+    extern "Rust" {
+        static rt_header: RtHeader;
+    }
+    // Safety: rt_header is defined in the linker script, valid for its type,
+    // and not modified anywhere
+    unsafe { rt_header.initial_break }
+}
diff --git a/syscalls_tests/src/lib.rs b/syscalls_tests/src/lib.rs
@@ -24,7 +24,8 @@ mod exit_on_drop;
 
 // TODO: Add Exit.
 
-// TODO: Add Memop.
+#[cfg(test)]
+mod memop_tests;
 
 #[cfg(test)]
 mod subscribe_tests;