Merge branch '⚡️-sync-mutex' into 🦆

Author: yvt

README.md

@@ -24,7 +24,7 @@ Constance is a proof-of-concept of a static RTOS that utilizes Rust's compile-ti
 | System Topology        | ![Uniprocessor: Supported] ![Homogeneous Multiprocessor: Under Consideration] ![Heterogeneous Multiprocessor: Not Considering] |
 | Kernel Core            | ![Tasks: Supported] ![Hunks: Supported] ![Wait Objects: Supported] ![Timeouts: Supported] ![Timers: Supported] ![Interrupts: Supported] ![Startup Hooks: Supported] ![CPU Exceptions: Under Consideration] ![Panicking: Under Consideration] |
 | Kernel Synchronization | ![Semaphores: Supported] ![Event Groups: Supported] ![Mutexes: Under Consideration] |
-| Library                | ![Mutex: Under Consideration] ![RwLock: Under Consideration] ![Once: Under Consideration] ![C API: Under Consideration] |
+| Library                | ![Mutex: Supported] ![RwLock: Under Consideration] ![Once: Under Consideration] ![C API: Under Consideration] |
 | Port (Simulator)       | ![POSIX: Supported] ![Windows: Under Consideration] |
 | Port (Arm M-Profile)   | ![Armv8-M Mainline (no CMSE): Supported] ![Armv8-M Baseline (no CMSE): Supported] ![Armv7-M: Supported] ![Armv6-M: Supported] |
 | Port (Arm A-Profile)   | ![Armv7-A (no FPU): Supported] |
@@ -47,7 +47,7 @@ Constance is a proof-of-concept of a static RTOS that utilizes Rust's compile-ti
 [CPU Exceptions: Under Consideration]: https://img.shields.io/badge/CPU%20Exceptions-Under%20Consideration-cc7070?style=flat-square
 [Panicking: Under Consideration]: https://img.shields.io/badge/Panicking-Under%20Consideration-cc7070?style=flat-square
 
-[Mutex: Under Consideration]: https://img.shields.io/badge/Mutex-Under%20Consideration-cc7070?style=flat-square
+[Mutex: Supported]: https://img.shields.io/badge/Mutex-Supported-success?style=flat-square
 [RwLock: Under Consideration]: https://img.shields.io/badge/RwLock-Under%20Consideration-cc7070?style=flat-square
 [Once: Under Consideration]: https://img.shields.io/badge/Once-Under%20Consideration-cc7070?style=flat-square
 [C API: Under Consideration]: https://img.shields.io/badge/C%20API-Under%20Consideration-cc7070?style=flat-square

src/constance/src/lib.md

@@ -203,7 +203,7 @@ fn task_body(_: usize) {
 [`KernelCfg2`]: crate::kernel::KernelCfg2
 [`Task`]: crate::kernel::Task
 
-Configuration functions are highly composable as they can call other configuration functions in turn. In some sense, this is a way to attribute a certain semantics to a group of kernel objects, making them behave in a meaningful way as a whole, and expose a whole new, higher-level interface. For example, a mutex object similar to `std::sync::Mutex` can be created by combining a low-level mutex object (not implemented yet) and a [`Hunk`]`<System, UnsafeCell<T>>`.
+Configuration functions are highly composable as they can call other configuration functions in turn. In some sense, this is a way to attribute a certain semantics to a group of kernel objects, making them behave in a meaningful way as a whole, and expose a whole new, higher-level interface. For example, a [mutex object] similar to `std::sync::Mutex` can be created by combining a low-level mutex object (not implemented yet) and a [`Hunk`]`<System, UnsafeCell<T>>`.
 
 ```rust
 # #![feature(const_fn)]
@@ -230,6 +230,7 @@ mod m {
 ```
 
 [`Hunk`]: crate::kernel::Hunk
+[mutex object]: crate::sync::Mutex
 
 The constructors of kernel objects are configuration functions by themselves, but they are different from normal configuration functions in that they can actually mutate the contents of `CfgBuilder` (which `build!` will use to create kernel structures in the final form), ultimately shaping the outcome of the configuration process. Therefore, they are the smallest building blocks of configuration functions.
 

src/constance/src/sync.rs

@@ -1,32 +1,4 @@
 //! Safe synchronization primitives.
-use core::{cell::UnsafeCell, fmt, marker::PhantomData};
-
-use crate::{
-    kernel::{cfg::CfgBuilder, Hunk},
-    prelude::*,
-};
-
-pub struct Mutex<System, T> {
-    hunk: Hunk<System, UnsafeCell<T>>,
-    _phantom: PhantomData<(System, T)>,
-}
-
-impl<System: Kernel, T: fmt::Debug + 'static> fmt::Debug for Mutex<System, T> {
-    fn fmt(&self, f: &mut fmt::Formatter) -> fmt::Result {
-        // TODO: Display the contents if unlocked
-        f.debug_struct("Mutex").field("hunk", &self.hunk).finish()
-    }
-}
-
-impl<System: Kernel, T: 'static + Init> Mutex<System, T> {
-    /// Construct a `Mutex`.
-    ///
-    /// This is a configuration function. Call this method from your app's
-    /// configuration function.
-    pub const fn new(b: &mut CfgBuilder<System>) -> Self {
-        Self {
-            hunk: Hunk::<_, UnsafeCell<T>>::build().finish(b),
-            _phantom: PhantomData,
-        }
-    }
-}
+pub mod mutex;
+#[doc(no_inline)]
+pub use self::mutex::Mutex;

src/constance/src/sync/mutex.rs

@@ -0,0 +1,199 @@
+use core::{cell::UnsafeCell, fmt, marker::PhantomData};
+
+use crate::{
+    kernel::{cfg::CfgBuilder, Hunk, PollSemaphoreError, Semaphore, WaitSemaphoreError},
+    prelude::*,
+};
+
+// TODO: Upgrade `Mutex` to use a real mutex. And then remove the paragraph
+//       in `Mutex` regarding this
+
+/// A mutual exclusion primitive useful for protecting shared data from
+/// concurrent access.
+///
+/// This type is currently implemented using [`Semaphore`]. It will be
+/// upgraded to a real mutex (with priority inversion prevention) in a
+/// future version of Constance.
+///
+/// [`Semaphore`]: crate::kernel::Semaphore
+pub struct Mutex<System, T> {
+    hunk: Hunk<System, UnsafeCell<T>>,
+    sem: Semaphore<System>,
+    _phantom: PhantomData<(System, T)>,
+}
+
+unsafe impl<System: Kernel, T: 'static + Send> Send for Mutex<System, T> {}
+unsafe impl<System: Kernel, T: 'static + Send> Sync for Mutex<System, T> {}
+
+/// An RAII implementation of a "scoped lock" of a mutex. When this structure
+/// is dropped, the lock will be released.
+///
+/// This structure is created by the [`lock`] and [`try_lock`] methods of
+/// [`Mutex`].
+///
+/// [`lock`]: Mutex::lock
+/// [`try_lock`]: Mutex::try_lock
+#[must_use = "if unused the Mutex will immediately unlock"]
+pub struct MutexGuard<'a, System: Kernel, T: 'static> {
+    mutex: &'a Mutex<System, T>,
+    _no_send_sync: PhantomData<*mut ()>,
+}
+
+unsafe impl<System: Kernel, T: 'static + Sync> Sync for MutexGuard<'_, System, T> {}
+
+/// Error type of [`Mutex::lock`].
+#[derive(Debug, Clone, Copy, PartialEq, Eq, Hash, PartialOrd, Ord)]
+#[repr(i8)]
+pub enum LockError {
+    /// CPU Lock is active, the current context is not [waitable], or the
+    /// current context is not [a task context].
+    ///
+    /// [waitable]: crate#contexts
+    /// [a task context]: crate#contexts
+    BadContext = WaitSemaphoreError::BadContext as i8,
+    /// The wait operation was interrupted by [`Task::interrupt`].
+    ///
+    /// [`Task::interrupt`]: crate::kernel::Task::interrupt
+    Interrupted = WaitSemaphoreError::Interrupted as i8,
+}
+
+/// Error type of [`Mutex::try_lock`].
+#[derive(Debug, Clone, Copy, PartialEq, Eq, Hash, PartialOrd, Ord)]
+#[repr(i8)]
+pub enum TryLockError {
+    /// CPU Lock is active.
+    BadContext = PollSemaphoreError::BadContext as i8,
+    /// The lock could not be acquire at this time because the operation would
+    /// otherwise block.
+    WouldBlock = PollSemaphoreError::Timeout as i8,
+}
+
+impl<System: Kernel, T: 'static + Init> Mutex<System, T> {
+    /// Construct a `Mutex`. The content is initialized with [`Init`].
+    ///
+    /// This is a configuration function. Call this method from your app's
+    /// configuration function.
+    pub const fn new(b: &mut CfgBuilder<System>) -> Self {
+        Self {
+            hunk: Hunk::<_, UnsafeCell<T>>::build().finish(b),
+            sem: Semaphore::build().initial(1).maximum(1).finish(b),
+            _phantom: PhantomData,
+        }
+    }
+}
+
+impl<System: Kernel, T: 'static> Mutex<System, T> {
+    /// Acquire the mutex, blocking the current thread until it is able to do
+    /// so.
+    pub fn lock(&self) -> Result<MutexGuard<'_, System, T>, LockError> {
+        self.sem.wait_one().map_err(|e| match e {
+            WaitSemaphoreError::BadId => unreachable!(),
+            WaitSemaphoreError::BadContext => LockError::BadContext,
+            WaitSemaphoreError::Interrupted => LockError::Interrupted,
+        })?;
+        Ok(MutexGuard {
+            mutex: self,
+            _no_send_sync: PhantomData,
+        })
+    }
+
+    /// Attempt to acquire the mutex.
+    pub fn try_lock(&self) -> Result<MutexGuard<'_, System, T>, TryLockError> {
+        // A real mutex can't be locked by an interrupt handler. We emulate it
+        // by a semaphore at this time, so we need to check whether this
+        // condition is violated
+        if !System::is_task_context() {
+            return Err(TryLockError::BadContext);
+        }
+
+        self.sem.poll_one().map_err(|e| match e {
+            PollSemaphoreError::BadId => unreachable!(),
+            PollSemaphoreError::BadContext => TryLockError::BadContext,
+            PollSemaphoreError::Timeout => TryLockError::WouldBlock,
+        })?;
+        Ok(MutexGuard {
+            mutex: self,
+            _no_send_sync: PhantomData,
+        })
+    }
+
+    /// Get a raw pointer to the contained data.
+    #[inline]
+    pub fn get_ptr(&self) -> *mut T {
+        self.hunk.get()
+    }
+}
+
+impl<System: Kernel, T: fmt::Debug + 'static> fmt::Debug for Mutex<System, T> {
+    fn fmt(&self, f: &mut fmt::Formatter) -> fmt::Result {
+        match self.try_lock() {
+            Ok(guard) => f.debug_struct("Mutex").field("data", &&*guard).finish(),
+            Err(TryLockError::BadContext) => {
+                struct BadContextPlaceholder;
+                impl fmt::Debug for BadContextPlaceholder {
+                    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
+                        f.write_str("<CPU context active>")
+                    }
+                }
+
+                f.debug_struct("Mutex")
+                    .field("data", &BadContextPlaceholder)
+                    .finish()
+            }
+            Err(TryLockError::WouldBlock) => {
+                struct LockedPlaceholder;
+                impl fmt::Debug for LockedPlaceholder {
+                    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
+                        f.write_str("<locked>")
+                    }
+                }
+
+                f.debug_struct("Mutex")
+                    .field("data", &LockedPlaceholder)
+                    .finish()
+            }
+        }
+    }
+}
+
+impl<System: Kernel, T: fmt::Debug + 'static> fmt::Debug for MutexGuard<'_, System, T> {
+    fn fmt(&self, f: &mut fmt::Formatter) -> fmt::Result {
+        fmt::Debug::fmt(&**self, f)
+    }
+}
+
+impl<System: Kernel, T: fmt::Display + 'static> fmt::Display for MutexGuard<'_, System, T> {
+    fn fmt(&self, f: &mut fmt::Formatter) -> fmt::Result {
+        fmt::Display::fmt(&**self, f)
+    }
+}
+
+/// The destructor of `MutexGuard` that releases the lock. It will panic if
+/// CPU Lock is active.
+impl<System: Kernel, T: 'static> Drop for MutexGuard<'_, System, T> {
+    #[inline]
+    fn drop(&mut self) {
+        self.mutex.sem.signal_one().unwrap();
+    }
+}
+
+impl<System: Kernel, T: 'static> core::ops::Deref for MutexGuard<'_, System, T> {
+    type Target = T;
+    #[inline]
+    fn deref(&self) -> &Self::Target {
+        // Safety: `MutexGuard` represents a permit acquired from the semaphore,
+        //         which grants the bearer an exclusive access to the underlying
+        //         data
+        unsafe { &*self.mutex.hunk.get() }
+    }
+}
+
+impl<System: Kernel, T: 'static> core::ops::DerefMut for MutexGuard<'_, System, T> {
+    #[inline]
+    fn deref_mut(&mut self) -> &mut Self::Target {
+        // Safety: `MutexGuard` represents a permit acquired from the semaphore,
+        //         which grants the bearer an exclusive access to the underlying
+        //         data
+        unsafe { &mut *self.mutex.hunk.get() }
+    }
+}

src/constance_test_suite/src/kernel_tests/sync_mutex_lock_and_dispatch.rs

@@ -0,0 +1,77 @@
+//! Checks miscellaneous properties of [`constance::sync::Mutex`].
+use constance::{
+    kernel::{cfg::CfgBuilder, Hunk, Task},
+    prelude::*,
+    sync::mutex::Mutex,
+};
+
+use super::Driver;
+use crate::utils::SeqTracker;
+
+pub struct App<System> {
+    task2: Task<System>,
+    mutex: Mutex<System, u32>,
+    seq: Hunk<System, SeqTracker>,
+}
+
+impl<System: Kernel> App<System> {
+    pub const fn new<D: Driver<Self>>(b: &mut CfgBuilder<System>) -> Self {
+        Task::build()
+            .start(task1_body::<System, D>)
+            .priority(2)
+            .active(true)
+            .finish(b);
+        let task2 = Task::build()
+            .start(task2_body::<System, D>)
+            .priority(1)
+            .active(false)
+            .finish(b);
+
+        let mutex = Mutex::new(b);
+
+        let seq = Hunk::<_, SeqTracker>::build().finish(b);
+
+        App { task2, mutex, seq }
+    }
+}
+
+fn task1_body<System: Kernel, D: Driver<App<System>>>(_: usize) {
+    let app = D::app();
+
+    app.seq.expect_and_replace(0, 1);
+
+    {
+        let mut lock = app.mutex.lock().unwrap();
+        app.task2.activate().unwrap(); // giving the control to `task2`
+
+        // back from `task2`, which is being blocked...
+        app.seq.expect_and_replace(2, 3);
+        *lock = 42;
+
+        // release the lock and let `task2` continue. the control will return to
+        // here when `task2` completes
+    }
+
+    app.seq.expect_and_replace(5, 6);
+
+    assert_eq!(*app.mutex.lock().unwrap(), 56);
+
+    D::success();
+}
+
+fn task2_body<System: Kernel, D: Driver<App<System>>>(_: usize) {
+    let app = D::app();
+
+    app.seq.expect_and_replace(1, 2);
+
+    {
+        let mut lock = app.mutex.lock().unwrap(); // blocks because `task1` has lock
+
+        // preempts `task1` when it releases the lock
+        app.seq.expect_and_replace(3, 4);
+        assert_eq!(*lock, 42);
+        *lock = 56;
+    }
+
+    app.seq.expect_and_replace(4, 5);
+}