[U-Boot,4/4] ARM: bcm283x: Switch to generic timer

Message ID 1430772877-7301-4-git-send-email-marex@denx.de
State Accepted
Delegated to: Tom Rini

Commit Message

Marek Vasut May 4, 2015, 8:54 p.m. UTC
Switch to generic timer implementation from lib/time.c .
This also fixes a signed overflow which was in __udelay()
implementation.

Signed-off-by: Marek Vasut <marex@denx.de>
Cc: Stephen Warren <swarren@wwwdotorg.org>
Cc: Tyler Baker <tyler.baker@linaro.org>
---
 arch/arm/mach-bcm283x/Makefile |  2 +-
 arch/arm/mach-bcm283x/timer.c  | 58 ------------------------------------------
 include/configs/rpi-common.h   |  6 +++++
 3 files changed, 7 insertions(+), 59 deletions(-)
 delete mode 100644 arch/arm/mach-bcm283x/timer.c

Comments

Stephen Warren May 5, 2015, 9:46 p.m. UTC | #1
On 05/04/2015 02:54 PM, Marek Vasut wrote:
> Switch to generic timer implementation from lib/time.c .
> This also fixes a signed overflow which was in __udelay()
> implementation.

Can you explain that a bit more?

> -void __udelay(unsigned long usec)
> -{
> -	ulong endtime;
> -	signed long diff;
> -
> -	endtime = get_timer_us(0) + usec;
> -
> -	do {
> -		ulong now = get_timer_us(0);
> -		diff = endtime - now;
> -	} while (diff >= 0);
> -}
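
Review bot: In the removed loop, `diff = endtime - now` is not a signed overflow in the sense the commit message gives it: both operands are `ulong`, so the subtraction wraps as unsigned, and only the store into `signed long diff` converts the result. The `while (diff >= 0)` test therefore still holds across a counter wrap and goes wrong only when `usec` is at least half the range of `ulong`, where `diff` starts out negative and the loop exits after a single pass. Suggest rewording the commit message to describe the switch to the common timer code, or stating that range limit explicitly.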

I believe since endtime and now hold microseconds, there shouldn't be 
any overflow so long as the microsecond difference fits into 31 bits, 
i.e. so long as usec is less than ~36 minutes. I doubt anything is 
calling __udelay() with that large of a value. Perhaps the issue this 
patch fixes is in get_timer_us(0) instead, or something else changed as 
a side-effect?

The other 3 patches in this series,
Acked-by: Stephen Warren <swarren@wwwdotorg.org>

Marek Vasut May 5, 2015, 10:17 p.m. UTC | #2
On Tuesday, May 05, 2015 at 11:46:56 PM, Stephen Warren wrote:
> On 05/04/2015 02:54 PM, Marek Vasut wrote:
> > Switch to generic timer implementation from lib/time.c .
> > This also fixes a signed overflow which was in __udelay()
> > implementation.
> 
> Can you explain that a bit more?
> 
> > -void __udelay(unsigned long usec)
> > -{
> > -	ulong endtime;
> > -	signed long diff;
> > -
> > -	endtime = get_timer_us(0) + usec;
> > -
> > -	do {
> > -		ulong now = get_timer_us(0);
> > -		diff = endtime - now;
> > -	} while (diff >= 0);
> > -}
> 
> I believe since endtime and now hold microseconds, there shouldn't be
> any overflow so long as the microsecond difference fits into 31 bits,
> i.e. so long as usec is less than ~36 minutes. I doubt anything is
> calling __udelay() with that large of a value. Perhaps the issue this
> patch fixes is in get_timer_us(0) instead, or something else changed as
> a side-effect?

The generic implementation caters for full 32-bit range, that's all.
Since the argument of this function is unsigned, it can overflow if
you use argument which is bigger than 31 bits. OK like that ?

Best regards,
Marek Vasut

Stephen Warren May 5, 2015, 10:37 p.m. UTC | #3
On 05/05/2015 04:17 PM, Marek Vasut wrote:
> On Tuesday, May 05, 2015 at 11:46:56 PM, Stephen Warren wrote:
>> On 05/04/2015 02:54 PM, Marek Vasut wrote:
>>> Switch to generic timer implementation from lib/time.c .
>>> This also fixes a signed overflow which was in __udelay()
>>> implementation.
>>
>> Can you explain that a bit more?
>>
>>> -void __udelay(unsigned long usec)
>>> -{
>>> -	ulong endtime;
>>> -	signed long diff;
>>> -
>>> -	endtime = get_timer_us(0) + usec;
>>> -
>>> -	do {
>>> -		ulong now = get_timer_us(0);
>>> -		diff = endtime - now;
>>> -	} while (diff >= 0);
>>> -}
>>
>> I believe since endtime and now hold microseconds, there shouldn't be
>> any overflow so long as the microsecond difference fits into 31 bits,
>> i.e. so long as usec is less than ~36 minutes. I doubt anything is
>> calling __udelay() with that large of a value. Perhaps the issue this
>> patch fixes is in get_timer_us(0) instead, or something else changed as
>> a side-effect?
>
> The generic implementation caters for full 32-bit range, that's all.
> Since the argument of this function is unsigned, it can overflow if
> you use argument which is bigger than 31 bits. OK like that ?

Sorry, I still don't understand. Both the __udelay() here and in 
lib/time.c take an unsigned long argument. I don't see how switching one 
out for the other can affect anything if the argument type is the issue. 
Besides, what's passing a value >~36 minutes to udelay()?

Marek Vasut May 5, 2015, 10:42 p.m. UTC | #4
On Wednesday, May 06, 2015 at 12:37:38 AM, Stephen Warren wrote:
> On 05/05/2015 04:17 PM, Marek Vasut wrote:
> > On Tuesday, May 05, 2015 at 11:46:56 PM, Stephen Warren wrote:
> >> On 05/04/2015 02:54 PM, Marek Vasut wrote:
> >>> Switch to generic timer implementation from lib/time.c .
> >>> This also fixes a signed overflow which was in __udelay()
> >>> implementation.
> >> 
> >> Can you explain that a bit more?
> >> 
> >>> -void __udelay(unsigned long usec)
> >>> -{
> >>> -	ulong endtime;
> >>> -	signed long diff;
> >>> -
> >>> -	endtime = get_timer_us(0) + usec;
> >>> -
> >>> -	do {
> >>> -		ulong now = get_timer_us(0);
> >>> -		diff = endtime - now;
> >>> -	} while (diff >= 0);
> >>> -}
> >> 
> >> I believe since endtime and now hold microseconds, there shouldn't be
> >> any overflow so long as the microsecond difference fits into 31 bits,
> >> i.e. so long as usec is less than ~36 minutes. I doubt anything is
> >> calling __udelay() with that large of a value. Perhaps the issue this
> >> patch fixes is in get_timer_us(0) instead, or something else changed as
> >> a side-effect?
> > 
> > The generic implementation caters for full 32-bit range, that's all.
> > Since the argument of this function is unsigned, it can overflow if
> > you use argument which is bigger than 31 bits. OK like that ?
> 
> Sorry, I still don't understand. Both the __udelay() here and in
> lib/time.c take an unsigned long argument. I don't see how switching one
> out for the other can affect anything if the argument type is the issue.

So, if now is close to 0x7fffffff (which it can), then if endtime is big-ish,
diff will become negative and this udelay() will not perform the correct delay,
right ?

> Besides, what's passing a value >~36 minutes to udelay()?

Nothing, but that doesn't mean we can have a possibly broken implementation, 
right ?

Best regards,
Marek Vasut

Stephen Warren May 5, 2015, 10:57 p.m. UTC | #5
On 05/05/2015 04:42 PM, Marek Vasut wrote:
> On Wednesday, May 06, 2015 at 12:37:38 AM, Stephen Warren wrote:
>> On 05/05/2015 04:17 PM, Marek Vasut wrote:
>>> On Tuesday, May 05, 2015 at 11:46:56 PM, Stephen Warren wrote:
>>>> On 05/04/2015 02:54 PM, Marek Vasut wrote:
>>>>> Switch to generic timer implementation from lib/time.c .
>>>>> This also fixes a signed overflow which was in __udelay()
>>>>> implementation.
>>>>
>>>> Can you explain that a bit more?
>>>>
>>>>> -void __udelay(unsigned long usec)
>>>>> -{
>>>>> -	ulong endtime;
>>>>> -	signed long diff;
>>>>> -
>>>>> -	endtime = get_timer_us(0) + usec;
>>>>> -
>>>>> -	do {
>>>>> -		ulong now = get_timer_us(0);
>>>>> -		diff = endtime - now;
>>>>> -	} while (diff >= 0);
>>>>> -}
>>>>
>>>> I believe since endtime and now hold microseconds, there shouldn't be
>>>> any overflow so long as the microsecond difference fits into 31 bits,
>>>> i.e. so long as usec is less than ~36 minutes. I doubt anything is
>>>> calling __udelay() with that large of a value. Perhaps the issue this
>>>> patch fixes is in get_timer_us(0) instead, or something else changed as
>>>> a side-effect?
>>>
>>> The generic implementation caters for full 32-bit range, that's all.
>>> Since the argument of this function is unsigned, it can overflow if
>>> you use argument which is bigger than 31 bits. OK like that ?
>>
>> Sorry, I still don't understand. Both the __udelay() here and in
>> lib/time.c take an unsigned long argument. I don't see how switching one
>> out for the other can affect anything if the argument type is the issue.
>
> So, if now is close to 0x7fffffff (which it can), then if endtime is big-ish,
> diff will become negative and this udelay() will not perform the correct delay,
> right ?

I don't believe so, no.

endtime and now are both unsigned. My (admittedly intuitive rather than 
well-researched) understanding of C math promotion rules means that 
"endtime - now" will be calculated as an unsigned value, then converted 
into a signed value to be stored in the signed diff. As such, I would 
expect the value of diff to be a small value in this case. I wrote a 
test program to validate this; endtime = 0x80000002, now = 0x7ffffffe, 
yields diff=4 as expected.

Perhaps you meant a much larger endtime value than 0x80000002; perhaps 
0xffffffff? This doesn't cause issues either. All that's relevant is the 
difference between endtime and now, not their absolute values, and not 
whether endtime has wrapped but now has or hasn't. For example, endtime 
= 0x00000002, now = 0xfffffff0 yields diff=18 as expected.

>> Besides, what's passing a value >~36 minutes to udelay()?
>
> Nothing, but that doesn't mean we can have a possibly broken implementation,
> right ?

True. However, I'd expect that any specification for udelay would 
disallow such large parameter values, and hence its behaviour wouldn't 
be relevant if such values were passed.
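
The arithmetic argued over in this thread, as an added example that is not part of any message and is not U-Boot code: it reruns the two value pairs quoted above, then polls the removed loop's exit test for a small delay across a counter wrap and for a delay of 1 << 31, next to an elapsed-time comparison that stays unsigned. Assumptions: `uint32_t`/`int32_t` stand in for a 32-bit `ulong`/`long`, the timer advances 1 us per poll, the function names are hypothetical, and out-of-range conversion to signed wraps as it does with GCC and Clang.

```c
#include <stdint.h>
#include <stdio.h>

/* Exit test of the removed loop: unsigned subtraction, result stored signed. */
static int32_t signed_remaining(uint32_t endtime, uint32_t now)
{
	/* endtime - now wraps modulo 2^32; the cast models "signed long diff". */
	return (int32_t)(endtime - now);
}

/*
 * Hypothetical harness around that exit test. Counts how many polls the
 * loop condition holds for, with a simulated timer that starts at `start`
 * and advances 1 us per poll. `cap` bounds the simulation.
 */
static uint32_t polls_signed_diff(uint32_t start, uint32_t usec, uint32_t cap)
{
	uint32_t endtime = start + usec;	/* may wrap, which is fine */
	uint32_t now = start, polls = 0;

	while (signed_remaining(endtime, now) >= 0 && polls < cap) {
		now++;
		polls++;
	}
	return polls;
}

/*
 * Alternative shown for comparison (not lib/time.c): keep the comparison
 * unsigned by measuring elapsed time since `start`. Valid for any usec
 * that fits in 32 bits, including values of 1 << 31 and above.
 */
static uint32_t polls_elapsed(uint32_t start, uint32_t usec, uint32_t cap)
{
	uint32_t now = start, polls = 0;

	while ((uint32_t)(now - start) < usec && polls < cap) {
		now++;
		polls++;
	}
	return polls;
}

int main(void)
{
	/* The two value pairs from the message above. */
	printf("diff = %d\n", (int)signed_remaining(0x80000002u, 0x7ffffffeu));
	printf("diff = %d\n", (int)signed_remaining(0x00000002u, 0xfffffff0u));

	/* 10 us delay starting 8 us before the counter wraps. */
	printf("signed, usec=10:      %u polls\n",
	       (unsigned)polls_signed_diff(0xfffffff8u, 10, 1000));
	printf("elapsed, usec=10:     %u polls\n",
	       (unsigned)polls_elapsed(0xfffffff8u, 10, 1000));

	/* Delay of 1 << 31 us: the signed test is negative on the first poll. */
	printf("signed, usec=1<<31:   %u polls\n",
	       (unsigned)polls_signed_diff(0xfffffff8u, 0x80000000u, 1000));
	printf("elapsed, usec=1<<31:  %u polls (capped)\n",
	       (unsigned)polls_elapsed(0xfffffff8u, 0x80000000u, 1000));
	return 0;
}
```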

Marek Vasut May 5, 2015, 11:37 p.m. UTC | #6
On Wednesday, May 06, 2015 at 12:57:54 AM, Stephen Warren wrote:
> On 05/05/2015 04:42 PM, Marek Vasut wrote:
> > On Wednesday, May 06, 2015 at 12:37:38 AM, Stephen Warren wrote:
> >> On 05/05/2015 04:17 PM, Marek Vasut wrote:
> >>> On Tuesday, May 05, 2015 at 11:46:56 PM, Stephen Warren wrote:
> >>>> On 05/04/2015 02:54 PM, Marek Vasut wrote:
> >>>>> Switch to generic timer implementation from lib/time.c .
> >>>>> This also fixes a signed overflow which was in __udelay()
> >>>>> implementation.
> >>>> 
> >>>> Can you explain that a bit more?
> >>>> 
> >>>>> -void __udelay(unsigned long usec)
> >>>>> -{
> >>>>> -	ulong endtime;
> >>>>> -	signed long diff;
> >>>>> -
> >>>>> -	endtime = get_timer_us(0) + usec;
> >>>>> -
> >>>>> -	do {
> >>>>> -		ulong now = get_timer_us(0);
> >>>>> -		diff = endtime - now;
> >>>>> -	} while (diff >= 0);
> >>>>> -}
> >>>> 
> >>>> I believe since endtime and now hold microseconds, there shouldn't be
> >>>> any overflow so long as the microsecond difference fits into 31 bits,
> >>>> i.e. so long as usec is less than ~36 minutes. I doubt anything is
> >>>> calling __udelay() with that large of a value. Perhaps the issue this
> >>>> patch fixes is in get_timer_us(0) instead, or something else changed
> >>>> as a side-effect?
> >>> 
> >>> The generic implementation caters for full 32-bit range, that's all.
> >>> Since the argument of this function is unsigned, it can overflow if
> >>> you use argument which is bigger than 31 bits. OK like that ?
> >> 
> >> Sorry, I still don't understand. Both the __udelay() here and in
> >> lib/time.c take an unsigned long argument. I don't see how switching one
> >> out for the other can affect anything if the argument type is the issue.
> > 
> > So, if now is close to 0x7fffffff (which it can), then if endtime is
> > big-ish, diff will become negative and this udelay() will not perform
> > the correct delay, right ?
> 
> I don't believe so, no.
> 
> endtime and now are both unsigned. My (admittedly intuitive rather than
> well-researched) understanding of C math promotion rules means that
> "endtime - now" will be calculated as an unsigned value, then converted
> into a signed value to be stored in the signed diff. As such, I would
> expect the value of diff to be a small value in this case. I wrote a
> test program to validate this; endtime = 0x80000002, now = 0x7ffffffe,
> yields diff=4 as expected.
> 
> Perhaps you meant a much larger endtime value than 0x80000002; perhaps
> 0xffffffff? This doesn't cause issues either. All that's relevant is the
> difference between endtime and now, not their absolute values, and not
> whether endtime has wrapped but now has or hasn't. For example, endtime
> = 0x00000002, now = 0xfffffff0 yields diff=18 as expected.

So what if the difference is bigger than 1 << 31 ?

> >> Besides, what's passing a value >~36 minutes to udelay()?
> > 
> > Nothing, but that doesn't mean we can have a possibly broken
> > implementation, right ?
> 
> True. However, I'd expect that any specification for udelay would
> disallow such large parameter values, and hence its behaviour wouldn't
> be relevant if such values were passed.

Do you think you can pick this patch and drop the "fixes overflow" part
or do you need resubmission ?

Best regards,
Marek Vasut

Stephen Warren May 6, 2015, 3:52 p.m. UTC | #7
On 05/05/2015 05:37 PM, Marek Vasut wrote:
> On Wednesday, May 06, 2015 at 12:57:54 AM, Stephen Warren wrote:
>> On 05/05/2015 04:42 PM, Marek Vasut wrote:
>>> On Wednesday, May 06, 2015 at 12:37:38 AM, Stephen Warren wrote:
>>>> On 05/05/2015 04:17 PM, Marek Vasut wrote:
>>>>> On Tuesday, May 05, 2015 at 11:46:56 PM, Stephen Warren wrote:
>>>>>> On 05/04/2015 02:54 PM, Marek Vasut wrote:
>>>>>>> Switch to generic timer implementation from lib/time.c .
>>>>>>> This also fixes a signed overflow which was in __udelay()
>>>>>>> implementation.
>>>>>>
>>>>>> Can you explain that a bit more?
>>>>>>
>>>>>>> -void __udelay(unsigned long usec)
>>>>>>> -{
>>>>>>> -	ulong endtime;
>>>>>>> -	signed long diff;
>>>>>>> -
>>>>>>> -	endtime = get_timer_us(0) + usec;
>>>>>>> -
>>>>>>> -	do {
>>>>>>> -		ulong now = get_timer_us(0);
>>>>>>> -		diff = endtime - now;
>>>>>>> -	} while (diff >= 0);
>>>>>>> -}
>>>>>>
>>>>>> I believe since endtime and now hold microseconds, there shouldn't be
>>>>>> any overflow so long as the microsecond difference fits into 31 bits,
>>>>>> i.e. so long as usec is less than ~36 minutes. I doubt anything is
>>>>>> calling __udelay() with that large of a value. Perhaps the issue this
>>>>>> patch fixes is in get_timer_us(0) instead, or something else changed
>>>>>> as a side-effect?
>>>>>
>>>>> The generic implementation caters for full 32-bit range, that's all.
>>>>> Since the argument of this function is unsigned, it can overflow if
>>>>> you use argument which is bigger than 31 bits. OK like that ?
>>>>
>>>> Sorry, I still don't understand. Both the __udelay() here and in
>>>> lib/time.c take an unsigned long argument. I don't see how switching one
>>>> out for the other can affect anything if the argument type is the issue.
>>>
>>> So, if now is close to 0x7fffffff (which it can), then if endtime is
>>> big-ish, diff will become negative and this udelay() will not perform
>>> the correct delay, right ?
>>
>> I don't believe so, no.
>>
>> endtime and now are both unsigned. My (admittedly intuitive rather than
>> well-researched) understanding of C math promotion rules means that
>> "endtime - now" will be calculated as an unsigned value, then converted
>> into a signed value to be stored in the signed diff. As such, I would
>> expect the value of diff to be a small value in this case. I wrote a
>> test program to validate this; endtime = 0x80000002, now = 0x7ffffffe,
>> yields diff=4 as expected.
>>
>> Perhaps you meant a much larger endtime value than 0x80000002; perhaps
>> 0xffffffff? This doesn't cause issues either. All that's relevant is the
>> difference between endtime and now, not their absolute values, and not
>> whether endtime has wrapped but now has or hasn't. For example, endtime
>> = 0x00000002, now = 0xfffffff0 yields diff=18 as expected.
>
> So what if the difference is bigger than 1 << 31 ?

As I said, I don't believe that case is relevant; it can only happen if 
passing ridiculously large delay values into __udelay() (i.e. greater 
than the 1<<31 value you mention), and I don't believe there's any need 
to support that.

The implementation in lib/time.c probably has exactly the same problem, 
except that since it uses 64-bit math rather than 32-bit math, so the 
issue happens at 1<<63 rather than 1<<31. It's probably equally 
problematic for delay values as large as 1<<63:-) In practice, given 
1<<31 us is so large, I don't think there's any practical difference.

>>>> Besides, what's passing a value >~36 minutes to udelay()?
>>>
>>> Nothing, but that doesn't mean we can have a possibly broken
>>> implementation, right ?
>>
>> True. However, I'd expect that any specification for udelay would
>> disallow such large parameter values, and hence its behaviour wouldn't
>> be relevant if such values were passed.
>
> Do you think you can pick this patch and drop the "fixes overflow" part
> or do you need resubmission ?

Tom Rini (or in the past Albert Aribaud) actually apply the patches.

Re: the patch description: I'd certainly be happy if it was re-written 
to say something more like "replace bcm2835-specific timer logic with 
common code to reduce the number of different implementations for the 
same thing".

I think you'd mentioned on IRC that this change fixed something 
USB-related for you, and I still don't understand how that could be 
possible. Perhaps there's some intermittent problem, and it just 
happened not to show up when you tested after this patch?

Marek Vasut May 6, 2015, 6:13 p.m. UTC | #8
On Wednesday, May 06, 2015 at 05:52:37 PM, Stephen Warren wrote:
[...]
> >>> So, if now is close to 0x7fffffff (which it can), then if endtime is
> >>> big-ish, diff will become negative and this udelay() will not perform
> >>> the correct delay, right ?
> >> 
> >> I don't believe so, no.
> >> 
> >> endtime and now are both unsigned. My (admittedly intuitive rather than
> >> well-researched) understanding of C math promotion rules means that
> >> "endtime - now" will be calculated as an unsigned value, then converted
> >> into a signed value to be stored in the signed diff. As such, I would
> >> expect the value of diff to be a small value in this case. I wrote a
> >> test program to validate this; endtime = 0x80000002, now = 0x7ffffffe,
> >> yields diff=4 as expected.
> >> 
> >> Perhaps you meant a much larger endtime value than 0x80000002; perhaps
> >> 0xffffffff? This doesn't cause issues either. All that's relevant is the
> >> difference between endtime and now, not their absolute values, and not
> >> whether endtime has wrapped but now has or hasn't. For example, endtime
> >> = 0x00000002, now = 0xfffffff0 yields diff=18 as expected.
> > 
> > So what if the difference is bigger than 1 << 31 ?
> 
> As I said, I don't believe that case is relevant; it can only happen if
> passing ridiculously large delay values into __udelay() (i.e. greater
> than the 1<<31 value you mention), and I don't believe there's any need
> to support that.

So what you say is that it's OK to have a function which is buggy in
corner cases ?

> The implementation in lib/time.c probably has exactly the same problem,
> except that since it uses 64-bit math rather than 32-bit math, so the
> issue happens at 1<<63 rather than 1<<31. It's probably equally
> problematic for delay values as large as 1<<63:-) In practice, given
> 1<<31 us is so large, I don't think there's any practical difference.

The implementation in lib/time.c uses 32bit usec argument though, so
it's not prone to this overflow. Please correct me if I'm wrong.

> >>>> Besides, what's passing a value >~36 minutes to udelay()?
> >>> 
> >>> Nothing, but that doesn't mean we can have a possibly broken
> >>> implementation, right ?
> >> 
> >> True. However, I'd expect that any specification for udelay would
> >> disallow such large parameter values, and hence its behaviour wouldn't
> >> be relevant if such values were passed.
> > 
> > Do you think you can pick this patch and drop the "fixes overflow" part
> > or do you need resubmission ?
> 
> Tom Rini (or in the past Albert Aribaud) actually apply the patches.
> 
> Re: the patch description: I'd certainly be happy if it was re-written
> to say something more like "replace bcm2835-specific timer logic with
> common code to reduce the number of different implementations for the
> same thing".

Tom, do you want a repost ?

> I think you'd mentioned on IRC that this change fixed something
> USB-related for you, and I still don't understand how that could be
> possible. Perhaps there's some intermittent problem, and it just
> happened not to show up when you tested after this patch?

I think Tyler can elaborate on that, but in his test case, he still
triggers the USB issue.

Tyler Baker May 6, 2015, 7:51 p.m. UTC | #9
On 6 May 2015 at 11:13, Marek Vasut <marex@denx.de> wrote:
> On Wednesday, May 06, 2015 at 05:52:37 PM, Stephen Warren wrote:
> [...]
>> >>> So, if now is close to 0x7fffffff (which it can), then if endtime is
>> >>> big-ish, diff will become negative and this udelay() will not perform
>> >>> the correct delay, right ?
>> >>
>> >> I don't believe so, no.
>> >>
>> >> endtime and now are both unsigned. My (admittedly intuitive rather than
>> >> well-researched) understanding of C math promotion rules means that
>> >> "endtime - now" will be calculated as an unsigned value, then converted
>> >> into a signed value to be stored in the signed diff. As such, I would
>> >> expect the value of diff to be a small value in this case. I wrote a
>> >> test program to validate this; endtime = 0x80000002, now = 0x7ffffffe,
>> >> yields diff=4 as expected.
>> >>
>> >> Perhaps you meant a much larger endtime value than 0x80000002; perhaps
>> >> 0xffffffff? This doesn't cause issues either. All that's relevant is the
>> >> difference between endtime and now, not their absolute values, and not
>> >> whether endtime has wrapped but now has or hasn't. For example, endtime
>> >> = 0x00000002, now = 0xfffffff0 yields diff=18 as expected.
>> >
>> > So what if the difference is bigger than 1 << 31 ?
>>
>> As I said, I don't believe that case is relevant; it can only happen if
>> passing ridiculously large delay values into __udelay() (i.e. greater
>> than the 1<<31 value you mention), and I don't believe there's any need
>> to support that.
>
> So what you say is that it's OK to have a function which is buggy in
> corner cases ?
>
>> The implementation in lib/time.c probably has exactly the same problem,
>> except that since it uses 64-bit math rather than 32-bit math, so the
>> issue happens at 1<<63 rather than 1<<31. It's probably equally
>> problematic for delay values as large as 1<<63:-) In practice, given
>> 1<<31 us is so large, I don't think there's any practical difference.
>
> The implementation in lib/time.c uses 32bit usec argument though, so
> it's not prone to this overflow. Please correct me if I'm wrong.
>
>> >>>> Besides, what's passing a value >~36 minutes to udelay()?
>> >>>
>> >>> Nothing, but that doesn't mean we can have a possibly broken
>> >>> implementation, right ?
>> >>
>> >> True. However, I'd expect that any specification for udelay would
>> >> disallow such large parameter values, and hence its behaviour wouldn't
>> >> be relevant if such values were passed.
>> >
>> > Do you think you can pick this patch and drop the "fixes overflow" part
>> > or do you need resubmission ?
>>
>> Tom Rini (or in the past Albert Aribaud) actually apply the patches.
>>
>> Re: the patch description: I'd certainly be happy if it was re-written
>> to say something more like "replace bcm2835-specific timer logic with
>> common code to reduce the number of different implementations for the
>> same thing".
>
> Tom, do you want a repost ?
>
>> I think you'd mentioned on IRC that this change fixed something
>> USB-related for you, and I still don't understand how that could be
>> possible. Perhaps there's some intermittent problem, and it just
>> happened not to show up when you tested after this patch?
>
> I think Tyler can elaborate on that, but in his test case, he still
> triggers the USB issue.

I'll provide some context on the issue I'm fighting...

I recently bought a RPi B+ Model, flashed the latest raspbian image[0]
to an sd card, built the master branch (v2015.05+) u-boot and
overwrote kernel.img with u-boot.bin. U-Boot came right up but I was
unable to obtain a DHCP lease after using 'usb start; dhcp'. I ran
tcpdump and saw the DHCP requests being made, but shortly after the
board was seemingly ignoring responses from the DHCP server. Now
sometimes if the response from the DHCP server was quick enough, it
could get a lease, but the tftp transfer would stall. I decided it
would be best to set 'ipaddr, gateway, netmask' to see if this was a
DHCP issue. It turned out that I had no network connectivity even when
I configured the ip address statically.

Could not obtain a lease:

 starting USB...
USB0: Core Release: 2.80a
scanning bus 0 for devices... 3 USB Device(s) found
scanning usb for storage devices... 0 Storage Device(s) found
scanning usb for ethernet devices... 1 Ethernet Device(s) found
Waiting for Ethernet connection... done.
BOOTP broadcast 1
BOOTP broadcast 2
BOOTP broadcast 3
BOOTP broadcast 4
BOOTP broadcast 5
BOOTP broadcast 6
BOOTP broadcast 7
BOOTP broadcast 8
Retry time exceeded; starting again
Bad Linux ARM zImage magic!

Obtains a lease, but stalls on transfer:

 starting USB...
USB0: Core Release: 2.80a
scanning bus 0 for devices... 3 USB Device(s) found
scanning usb for storage devices... 0 Storage Device(s) found
scanning usb for ethernet devices... 1 Ethernet Device(s) found
Waiting for Ethernet connection... done.
BOOTP broadcast 1
DHCP client bound to address 192.168.2.55 (1328 ms)
Waiting for Ethernet connection... done.
Using sms0 device
TFTP from server 192.168.2.2; our IP address is 192.168.2.55
Filename 'tmp2rkX_N/.zImage'.
Load address: 0x1000000
Loading: * T T T T T T T T T T
Retry count exceeded; starting again
Bad Linux ARM zImage magic!

At this point I reached out for help on IRC and that is when Marek and
I started chatting about this. Hacking around, I found that using
v2015.01 I was able to obtain a lease and transfer files 100% of the
time (although it seems very slow). Thinking that we have a good and
bad commit, this would be easy to bisect. Wrong, we both tried and got
different results. It seems that as you move from v2015.01 -> HEAD
master this issue becomes very intermittent and thus hard to pin down.

So my test case for this issue has become...

* Obtain lease
* Transfer kernel, dtb, ramdisk without stalling/timing out
* Do this 10 times in a row with a power cycle in between

Hope this helps clarify the situation in some way,

Tyler

[0] https://www.raspberrypi.org/downloads/

Stephen Warren May 8, 2015, 4:03 p.m. UTC | #10
On 05/06/2015 12:13 PM, Marek Vasut wrote:
> On Wednesday, May 06, 2015 at 05:52:37 PM, Stephen Warren wrote:
> [...]
>>>>> So, if now is close to 0x7fffffff (which it can), then if endtime is
>>>>> big-ish, diff will become negative and this udelay() will not perform
>>>>> the correct delay, right ?
>>>>
>>>> I don't believe so, no.
>>>>
>>>> endtime and now are both unsigned. My (admittedly intuitive rather than
>>>> well-researched) understanding of C math promotion rules means that
>>>> "endtime - now" will be calculated as an unsigned value, then converted
>>>> into a signed value to be stored in the signed diff. As such, I would
>>>> expect the value of diff to be a small value in this case. I wrote a
>>>> test program to validate this; endtime = 0x80000002, now = 0x7ffffffe,
>>>> yields diff=4 as expected.
>>>>
>>>> Perhaps you meant a much larger endtime value than 0x80000002; perhaps
>>>> 0xffffffff? This doesn't cause issues either. All that's relevant is the
>>>> difference between endtime and now, not their absolute values, and not
>>>> whether endtime has wrapped but now has or hasn't. For example, endtime
>>>> = 0x00000002, now = 0xfffffff0 yields diff=18 as expected.
>>>
>>> So what if the difference is bigger than 1 << 31 ?
>>
>> As I said, I don't believe that case is relevant; it can only happen if
>> passing ridiculously large delay values into __udelay() (i.e. greater
>> than the 1<<31 value you mention), and I don't believe there's any need
>> to support that.
>
> So what you say is that it's OK to have a function which is buggy in
> corner cases ?

A corner case (something that's within spec but perhaps hard/unusual) 
should not be buggy.

The behaviour of something outside spec isn't relevant; it's actively 
not specified.

I suppose there is no specification of what range of values this 
function is supposed to accept. I'd argue we should create one, and that 
spec should likely limit the range to much less than the 32-bit 
parameter can actually hold, since some HW timer implementations may 
have well less than 32-bits of range.

Stephen Warren May 8, 2015, 4:06 p.m. UTC | #11
On 05/06/2015 01:51 PM, Tyler Baker wrote:
> On 6 May 2015 at 11:13, Marek Vasut <marex@denx.de> wrote:
>> On Wednesday, May 06, 2015 at 05:52:37 PM, Stephen Warren wrote:
>> [...]
>>>>>> So, if now is close to 0x7fffffff (which it can), then if endtime is
>>>>>> big-ish, diff will become negative and this udelay() will not perform
>>>>>> the correct delay, right ?
>>>>>
>>>>> I don't believe so, no.
>>>>>
>>>>> endtime and now are both unsigned. My (admittedly intuitive rather than
>>>>> well-researched) understanding of C math promotion rules means that
>>>>> "endtime - now" will be calculated as an unsigned value, then converted
>>>>> into a signed value to be stored in the signed diff. As such, I would
>>>>> expect the value of diff to be a small value in this case. I wrote a
>>>>> test program to validate this; endtime = 0x80000002, now = 0x7ffffffe,
>>>>> yields diff=4 as expected.
>>>>>
>>>>> Perhaps you meant a much larger endtime value than 0x80000002; perhaps
>>>>> 0xffffffff? This doesn't cause issues either. All that's relevant is the
>>>>> difference between endtime and now, not their absolute values, and not
>>>>> whether endtime has wrapped but now has or hasn't. For example, endtime
>>>>> = 0x00000002, now = 0xfffffff0 yields diff=18 as expected.
>>>>
>>>> So what if the difference is bigger than 1 << 31 ?
>>>
>>> As I said, I don't believe that case is relevant; it can only happen if
>>> passing ridiculously large delay values into __udelay() (i.e. greater
>>> than the 1<<31 value you mention), and I don't believe there's any need
>>> to support that.
>>
>> So what you say is that it's OK to have a function which is buggy in
>> corner cases ?
>>
>>> The implementation in lib/time.c probably has exactly the same problem,
>>> except that since it uses 64-bit math rather than 32-bit math, so the
>>> issue happens at 1<<63 rather than 1<<31. It's probably equally
>>> problematic for delay values as large as 1<<63:-) In practice, given
>>> 1<<31 us is so large, I don't think there's any practical difference.
>>
>> The implementation in lib/time.c uses 32bit usec argument though, so
>> it's not prone to this overflow. Please correct me if I'm wrong.
>>
>>>>>>> Besides, what's passing a value >~36 minutes to udelay()?
>>>>>>
>>>>>> Nothing, but that doesn't mean we can have a possibly broken
>>>>>> implementation, right ?
>>>>>
>>>>> True. However, I'd expect that any specification for udelay would
>>>>> disallow such large parameter values, and hence its behaviour wouldn't
>>>>> be relevant if such values were passed.
>>>>
>>>> Do you think you can pick this patch and drop the "fixes overflow" part
>>>> or do you need resubmission ?
>>>
>>> Tom Rini (or in the past Albert Aribaud) actually apply the patches.
>>>
>>> Re: the patch description: I'd certainly be happy if it was re-written
>>> to say something more like "replace bcm2835-specific timer logic with
>>> common code to reduce the number of different implementations for the
>>> same thing".
>>
>> Tom, do you want a repost ?
>>
>>> I think you'd mentioned on IRC that this change fixed something
>>> USB-related for you, and I still don't understand how that could be
>>> possible. Perhaps there's some intermittent problem, and it just
>>> happened not to show up when you tested after this patch?
>>
>> I think Tyler can elaborate on that, but in his test case, he still
>> triggers the USB issue.
>
> I'll provide some context on the issue I'm fighting...
>
> I recently bought a RPi B+ Model, flashed the latest raspbian image[0]
> to an sd card, built the master branch (v2015.05+) u-boot and
> overwrote kernel.img with u-boot.bin. U-Boot came right up but I was
> unable to obtain a DHCP lease after using 'usb start; dhcp'. I ran
> tcpdump and saw the DHCP requests being made, but shortly after the
> board was seemingly ignoring responses from the DHCP server. Now
> sometimes if the response from the DHCP server was quick enough, it
> could get a lease, but the tftp transfer would stall. I decided it
> would be best to set 'ipaddr, gateway, netmask' to see if this was a
> DHCP issue. It turned out that I had no network connectivity even when
> I configured the ip address statically.
>
> Could not obtain a lease:
>
>   starting USB...
> USB0: Core Release: 2.80a
> scanning bus 0 for devices... 3 USB Device(s) found
> scanning usb for storage devices... 0 Storage Device(s) found
> scanning usb for ethernet devices... 1 Ethernet Device(s) found
> Waiting for Ethernet connection... done.
> BOOTP broadcast 1
> BOOTP broadcast 2
> BOOTP broadcast 3
> BOOTP broadcast 4
> BOOTP broadcast 5
> BOOTP broadcast 6
> BOOTP broadcast 7
> BOOTP broadcast 8
> Retry time exceeded; starting again
> Bad Linux ARM zImage magic!
>
> Obtains a lease, but stalls on transfer:
>
>   starting USB...
> USB0: Core Release: 2.80a
> scanning bus 0 for devices... 3 USB Device(s) found
> scanning usb for storage devices... 0 Storage Device(s) found
> scanning usb for ethernet devices... 1 Ethernet Device(s) found
> Waiting for Ethernet connection... done.
> BOOTP broadcast 1
> DHCP client bound to address 192.168.2.55 (1328 ms)
> Waiting for Ethernet connection... done.
> Using sms0 device
> TFTP from server 192.168.2.2; our IP address is 192.168.2.55
> Filename 'tmp2rkX_N/.zImage'.
> Load address: 0x1000000
> Loading: * T T T T T T T T T T
> Retry count exceeded; starting again
> Bad Linux ARM zImage magic!
>
> At this point I reached out for help on IRC and that is when Marek and
> I started chatting about this. Hacking around, I found that using
> v2015.01 I was able to obtain a lease and transfer files 100% of the
> time (although it seems very slow). Thinking that we have a good and
> bad commit, this would be easy to bisect. Wrong, we both tried and got
> different results. It seems that as you move from v2015.01 -> HEAD
> master this issue becomes very intermittent and thus hard to pin down.
>
> So my test case for this issue has become...
>
> * Obtain lease
> * Transfer kernel, dtb, ramdisk without stalling/timing out
> * Do this 10 times in a row with a power cycle in between
>
> Hope this helps clarify the situation in some way,

OK, but if you apply Marek's change to replace the timer implementation 
with the one in lib/time.c, does that reliably fix the issue when tested 
over a large number of runs with/without that change? With the current 
explanation, I can't see how it possibly could. Equally, I can't see why 
the move from v2015.01 to HEAD would affect the issue if it was caused 
by the timer implementation.

My suspicion is that there's something else entirely going on.
Marek Vasut May 8, 2015, 4:23 p.m. UTC | #12
On Friday, May 08, 2015 at 06:06:41 PM, Stephen Warren wrote:
[...]

> > * Obtain lease
> > * Transfer kernel, dtb, ramdisk without stalling/timing out
> > * Do this 10 times in a row with a power cycle in between
> > 
> > Hope this helps clarify the situation in some way,
> 
> OK, but if you apply Marek's change to replace the timer implementation
> with the one in lib/time.c, does that reliably fix the issue when tested
> over a large number of runs with/without that change? With the current
> explanation, I can't see how it possibly could. Equally, I can't see why
> the move from v2015.01 to HEAD would affect the issue if it was caused
> by the timer implementation.
> 
> My suspicion is that there's something else entirely going on.

It doesn't, there's something else going on.

Best regards,
Marek Vasut
Marek Vasut May 8, 2015, 4:31 p.m. UTC | #13
On Friday, May 08, 2015 at 06:03:34 PM, Stephen Warren wrote:
> On 05/06/2015 12:13 PM, Marek Vasut wrote:
> > On Wednesday, May 06, 2015 at 05:52:37 PM, Stephen Warren wrote:
> > [...]
> > 
> >>>>> So, if now is close to 0x7fffffff (which it can), then if endtime is
> >>>>> big-ish, diff will become negative and this udelay() will not perform
> >>>>> the correct delay, right ?
> >>>> 
> >>>> I don't believe so, no.
> >>>> 
> >>>> endtime and now are both unsigned. My (admittedly intuitive rather
> >>>> than well-researched) understanding of C math promotion rules means
> >>>> that "endtime - now" will be calculated as an unsigned value, then
> >>>> converted into a signed value to be stored in the signed diff. As
> >>>> such, I would expect the value of diff to be a small value in this
> >>>> case. I wrote a test program to validate this; endtime = 0x80000002,
> >>>> now = 0x7ffffffe, yields diff=4 as expected.
> >>>> 
> >>>> Perhaps you meant a much larger endtime value than 0x80000002; perhaps
> >>>> 0xffffffff? This doesn't cause issues either. All that's relevant is
> >>>> the difference between endtime and now, not their absolute values,
> >>>> and not whether endtime has wrapped but now has or hasn't. For
> >>>> example, endtime = 0x00000002, now = 0xfffffff0 yields diff=18 as
> >>>> expected.
> >>> 
> >>> So what if the difference is bigger than 1 << 31 ?
> >> 
> >> As I said, I don't believe that case is relevant; it can only happen if
> >> passing ridiculously large delay values into __udelay() (i.e. greater
> >> than the 1<<31 value you mention), and I don't believe there's any need
> >> to support that.
> > 
> > So what you say is that it's OK to have a function which is buggy in
> > corner cases ?
> 
> A corner case (something that's within spec but perhaps hard/unusual)
> should not be buggy.
> 
> The behaviour of something outside spec isn't relevant; it's actively
> not specified.
> 
> I suppose there is no specification of what range of values this
> function is supposed to accept. I'd argue we should create one, and that
> spec should likely limit the range to much less than the 32-bit
> parameter can actually hold, since some HW timer implementations may
> have well less than 32-bits of range.

Maybe we should just accept this patch and be done with it? It's clearly
an improvement which migrates away from old timer code to generic timer.

Best regards,
Marek Vasut
Stephen Warren May 8, 2015, 4:40 p.m. UTC | #14
On 05/08/2015 10:31 AM, Marek Vasut wrote:
> On Friday, May 08, 2015 at 06:03:34 PM, Stephen Warren wrote:
>> On 05/06/2015 12:13 PM, Marek Vasut wrote:
>>> On Wednesday, May 06, 2015 at 05:52:37 PM, Stephen Warren wrote:
>>> [...]
>>>
>>>>>>> So, if now is close to 0x7fffffff (which it can), then if endtime is
>>>>>>> big-ish, diff will become negative and this udelay() will not perform
>>>>>>> the correct delay, right ?
>>>>>>
>>>>>> I don't believe so, no.
>>>>>>
>>>>>> endtime and now are both unsigned. My (admittedly intuitive rather
>>>>>> than well-researched) understanding of C math promotion rules means
>>>>>> that "endtime - now" will be calculated as an unsigned value, then
>>>>>> converted into a signed value to be stored in the signed diff. As
>>>>>> such, I would expect the value of diff to be a small value in this
>>>>>> case. I wrote a test program to validate this; endtime = 0x80000002,
>>>>>> now = 0x7ffffffe, yields diff=4 as expected.
>>>>>>
>>>>>> Perhaps you meant a much larger endtime value than 0x80000002; perhaps
>>>>>> 0xffffffff? This doesn't cause issues either. All that's relevant is
>>>>>> the difference between endtime and now, not their absolute values,
>>>>>> and not whether endtime has wrapped but now has or hasn't. For
>>>>>> example, endtime = 0x00000002, now = 0xfffffff0 yields diff=18 as
>>>>>> expected.
>>>>>
>>>>> So what if the difference is bigger than 1 << 31 ?
>>>>
>>>> As I said, I don't believe that case is relevant; it can only happen if
>>>> passing ridiculously large delay values into __udelay() (i.e. greater
>>>> than the 1<<31 value you mention), and I don't believe there's any need
>>>> to support that.
>>>
>>> So what you say is that it's OK to have a function which is buggy in
>>> corner cases ?
>>
>> A corner case (something that's within spec but perhaps hard/unusual)
>> should not be buggy.
>>
>> The behaviour of something outside spec isn't relevant; it's actively
>> not specified.
>>
>> I suppose there is no specification of what range of values this
>> function is supposed to accept. I'd argue we should create one, and that
>> spec should likely limit the range to much less than the 32-bit
>> parameter can actually hold, since some HW timer implementations may
>> have well less than 32-bits of range.
>
> Maybe we should just accept this patch and be done with it? It's clearly
> an improvement which migrates away from old timer code to generic timer.

The code change is fine. I have no issues with that.

I just don't think the patch description is appropriate, since the 
version in lib/time.c has exactly the same overflow issue (albeit with a 
64-bit type rather than a 32-bit type).
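
The 32-bit arithmetic debated in this thread, as an added example that is not part of the original messages or of U-Boot: it models the removed __udelay() loop with fixed-width types (assumed to stand in for ulong and signed long on 32-bit ARM) over a constructed counter that advances one microsecond per read. The names fake_clo, read_counter, time_left and model_udelay are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for the free-running 1 MHz counter: every read
 * advances it by one microsecond. Hypothetical, not U-Boot code. */
static uint32_t fake_clo;

static uint32_t read_counter(void)
{
	return fake_clo++;
}

/* The signed-difference test from the thread, using 32-bit types to model
 * ulong / signed long on 32-bit ARM. The subtraction is unsigned and wraps
 * modulo 2^32; the conversion to int32_t (two's complement on gcc/clang)
 * then reads the result as a signed distance. */
static int32_t time_left(uint32_t endtime, uint32_t now)
{
	return (int32_t)(endtime - now);
}

/* Same loop shape as the removed __udelay(). Returns how many counter
 * ticks passed between the first read and the read that ended the loop. */
static uint32_t model_udelay(uint32_t start, uint32_t usec)
{
	uint32_t endtime, now;

	fake_clo = start;
	endtime = read_counter() + usec;
	do {
		now = read_counter();
	} while (time_left(endtime, now) >= 0);

	return now - start;
}

int main(void)
{
	/* The two value pairs quoted in the thread. */
	printf("diff = %d\n", (int)time_left(0x80000002u, 0x7ffffffeu));
	printf("diff = %d\n", (int)time_left(0x00000002u, 0xfffffff0u));

	/* Counter wraps during the delay: the full delay is still waited. */
	printf("waited %u us\n", (unsigned)model_udelay(0xfffffff0u, 18u));

	/* Requested delay beyond the positive range of the signed type:
	 * the first difference is already negative, so the loop exits
	 * after a single read. */
	printf("waited %u us\n", (unsigned)model_udelay(0u, 0x80000001u));
	return 0;
}
```
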
Marek Vasut May 8, 2015, 6:20 p.m. UTC | #15
On Friday, May 08, 2015 at 06:40:22 PM, Stephen Warren wrote:
> On 05/08/2015 10:31 AM, Marek Vasut wrote:
> > On Friday, May 08, 2015 at 06:03:34 PM, Stephen Warren wrote:
> >> On 05/06/2015 12:13 PM, Marek Vasut wrote:
> >>> On Wednesday, May 06, 2015 at 05:52:37 PM, Stephen Warren wrote:
> >>> [...]
> >>> 
> >>>>>>> So, if now is close to 0x7fffffff (which it can), then if endtime
> >>>>>>> is big-ish, diff will become negative and this udelay() will not
> >>>>>>> perform the correct delay, right ?
> >>>>>> 
> >>>>>> I don't believe so, no.
> >>>>>> 
> >>>>>> endtime and now are both unsigned. My (admittedly intuitive rather
> >>>>>> than well-researched) understanding of C math promotion rules means
> >>>>>> that "endtime - now" will be calculated as an unsigned value, then
> >>>>>> converted into a signed value to be stored in the signed diff. As
> >>>>>> such, I would expect the value of diff to be a small value in this
> >>>>>> case. I wrote a test program to validate this; endtime = 0x80000002,
> >>>>>> now = 0x7ffffffe, yields diff=4 as expected.
> >>>>>> 
> >>>>>> Perhaps you meant a much larger endtime value than 0x80000002;
> >>>>>> perhaps 0xffffffff? This doesn't cause issues either. All that's
> >>>>>> relevant is the difference between endtime and now, not their
> >>>>>> absolute values, and not whether endtime has wrapped but now has or
> >>>>>> hasn't. For example, endtime = 0x00000002, now = 0xfffffff0 yields
> >>>>>> diff=18 as expected.
> >>>>> 
> >>>>> So what if the difference is bigger than 1 << 31 ?
> >>>> 
> >>>> As I said, I don't believe that case is relevant; it can only happen
> >>>> if passing ridiculously large delay values into __udelay() (i.e.
> >>>> greater than the 1<<31 value you mention), and I don't believe there's
> >>>> any need to support that.
> >>> 
> >>> So what you say is that it's OK to have a function which is buggy in
> >>> corner cases ?
> >> 
> >> A corner case (something that's within spec but perhaps hard/unusual)
> >> should not be buggy.
> >> 
> >> The behaviour of something outside spec isn't relevant; it's actively
> >> not specified.
> >> 
> >> I suppose there is no specification of what range of values this
> >> function is supposed to accept. I'd argue we should create one, and that
> >> spec should likely limit the range to much less than the 32-bit
> >> parameter can actually hold, since some HW timer implementations may
> >> have well less than 32-bits of range.
> > 
> > Maybe we should just accept this patch and be done with it? It's clearly
> > an improvement which migrates away from old timer code to generic timer.
> 
> The code change is fine. I have no issues with that.
> 
> I just don't think the patch description is appropriate, since the
> version in lib/time.c has exactly the same overflow issue (albeit with a
> 64-bit type rather than a 32-bit type).

Feel free to tweak the commit message.

Best regards,
Marek Vasut
Tom Rini May 28, 2015, 1:25 p.m. UTC | #16
On Mon, May 04, 2015 at 10:54:37PM +0200, Marek Vasut wrote:

> Switch to generic timer implementation from lib/time.c .
> This also fixes a signed overflow which was in __udelay()
> implementation.
> 
> Signed-off-by: Marek Vasut <marex at denx.de>
> Cc: Stephen Warren <swarren at wwwdotorg.org>
> Cc: Tyler Baker <tyler.baker at linaro.org>
> Acked-by: Stephen Warren <swarren at wwwdotorg.org>

Applied to u-boot/master, thanks!

Patch

diff --git a/arch/arm/mach-bcm283x/Makefile b/arch/arm/mach-bcm283x/Makefile
index ac27d00..f0dadd0 100644
--- a/arch/arm/mach-bcm283x/Makefile
+++ b/arch/arm/mach-bcm283x/Makefile
@@ -5,4 +5,4 @@ 
 #
 
 obj-$(CONFIG_TARGET_RPI) += lowlevel_init.o
-obj-y	+= init.o reset.o timer.o mbox.o phys2bus.o
+obj-y	+= init.o reset.o mbox.o phys2bus.o
diff --git a/arch/arm/mach-bcm283x/timer.c b/arch/arm/mach-bcm283x/timer.c
deleted file mode 100644
index 017907c..0000000
--- a/arch/arm/mach-bcm283x/timer.c
+++ /dev/null
@@ -1,58 +0,0 @@ 
-/*
- * (C) Copyright 2012 Stephen Warren
- *
- * See file CREDITS for list of people who contributed to this
- * project.
- *
- * This program is free software; you can redistribute it and/or
- * modify it under the terms of the GNU General Public License
- * version 2 as published by the Free Software Foundation.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- * GNU General Public License for more details.
- */
-
-#include <common.h>
-#include <asm/io.h>
-#include <asm/arch/timer.h>
-
-ulong get_timer_us(ulong base)
-{
-	struct bcm2835_timer_regs *regs =
-		(struct bcm2835_timer_regs *)BCM2835_TIMER_PHYSADDR;
-
-	return readl(&regs->clo) - base;
-}
-
-ulong get_timer(ulong base)
-{
-	ulong us = get_timer_us(0);
-	us /= (1000000 / CONFIG_SYS_HZ);
-	us -= base;
-	return us;
-}
-
-unsigned long long get_ticks(void)
-{
-	return get_timer(0);
-}
-
-ulong get_tbclk(void)
-{
-	return CONFIG_SYS_HZ;
-}
-
-void __udelay(unsigned long usec)
-{
-	ulong endtime;
-	signed long diff;
-
-	endtime = get_timer_us(0) + usec;
-
-	do {
-		ulong now = get_timer_us(0);
-		diff = endtime - now;
-	} while (diff >= 0);
-}
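Review bot: The commit message credits this deletion with fixing a signed overflow in __udelay(), but in the removed loop `diff = endtime - now` is an unsigned subtraction whose result is then stored in a signed long, so a counter wrap between the two reads is handled and the loop only ends early when usec itself is larger than the positive range of signed long. Please either state that bound in the description or reword it as a consolidation onto lib/time.c. If a concrete defect in the removed file is wanted, get_timer() is the better candidate: `us /= (1000000 / CONFIG_SYS_HZ)` scales the 32-bit `clo` reading down before `us -= base`, so the returned value wraps at a fraction of the ulong range and an elapsed-time subtraction taken across a `clo` wrap comes out wrong.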
diff --git a/include/configs/rpi-common.h b/include/configs/rpi-common.h
index 3121ac9..b54cf8b 100644
--- a/include/configs/rpi-common.h
+++ b/include/configs/rpi-common.h
@@ -8,12 +8,18 @@ 
 #define _RPI_COMMON_H_
 
 #include <linux/sizes.h>
+#include <asm/arch/timer.h>
 
 /* Architecture, CPU, etc.*/
 #define CONFIG_SYS_GENERIC_BOARD
 #define CONFIG_BCM2835
 #define CONFIG_ARCH_CPU_INIT
 #define CONFIG_SYS_DCACHE_OFF
+
+#define CONFIG_SYS_TIMER_RATE		1000000
+#define CONFIG_SYS_TIMER_COUNTER	\
+	(&((struct bcm2835_timer_regs *)BCM2835_TIMER_PHYSADDR)->clo)
+
 /*
  * 2835 is a SKU in a series for which the 2708 is the first or primary SoC,
  * so 2708 has historically been used rather than a dedicated 2835 ID.
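Review bot: The new `#include <asm/arch/timer.h>` sits in a board config header, so the struct definition it brings in reaches every consumer of this header; if any assembly source includes the config, timer.h needs to be safe there (or the include guarded), and that is worth confirming before merge. Separately, CONFIG_SYS_TIMER_COUNTER points only at `clo`, which the removed code read with readl() as a 32-bit value, so at the 1000000 Hz rate defined here the counter wraps roughly every 71 minutes; a one-line comment above the two defines saying that the counter is the low 32-bit word and that wrap handling is left to the generic timer code would document the assumption.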