extmod/zephyr_kernel: Override arch_irq_lock to use PRIMASK for complete interrupt masking.

pi-anl · pi-anl · commit d018d8480c44 · 2025-11-18T06:56:56.000+11:00
Zephyr's default arch_irq_lock() uses BASEPRI register on Cortex-M4/M7, which
masks only interrupts with priority &gt;= threshold (0x10). This allows priority 0
interrupts to fire during critical sections, potentially corrupting thread state
during mutex operations, context switches, and scheduler operations.

This commit overrides arch_irq_lock() and arch_irq_unlock() to use PRIMASK
register, which masks ALL configurable interrupts (except NMI and HardFault).

Implementation:
- Created arch_irq_primask.h header with PRIMASK-based implementations
- Included after Zephyr headers to override BASEPRI versions
- Uses __get_PRIMASK/__disable_irq for complete masking
- Matches MicroPython's disable_irq() approach in ports/stm32/irq.h

Trade-offs:
- Slightly longer interrupt latency for priority 0 interrupts during critical sections
- Eliminates race conditions from high-priority interrupts during critical sections
- More conservative approach: complete masking vs threshold-based masking

Testing: 23/34 thread tests passing (same as before). Override doesn't improve
pass rate but provides architectural correctness - eliminates potential corruption
vector from priority 0 interrupts.

Signed-off-by: Andrew Leech &lt;andrew.leech@planetinnovation.com.au&gt;
diff --git a/extmod/zephyr_kernel/arch/cortex_m/cortex_m_arch.c b/extmod/zephyr_kernel/arch/cortex_m/cortex_m_arch.c
@@ -47,6 +47,10 @@ extern int mp_printf(const mp_print_t *print, const char *fmt, ...);
 #include <zephyr/kernel_structs.h>
 #include <zephyr/arch/cpu.h>
 
+// Override arch_irq_lock() to use PRIMASK for complete interrupt masking
+// Must be included AFTER Zephyr headers to override BASEPRI-based implementation
+#include "arch_irq_primask.h"
+
 // Forward declarations for Zephyr functions we provide
 void sys_clock_announce(int32_t ticks);
 
diff --git a/extmod/zephyr_kernel/include/arch_irq_primask.h b/extmod/zephyr_kernel/include/arch_irq_primask.h
@@ -0,0 +1,60 @@
+/*
+ * This file is part of the MicroPython project, http://micropython.org/
+ *
+ * The MIT License (MIT)
+ *
+ * Copyright (c) 2025 Damien P. George
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+ * THE SOFTWARE.
+ */
+#ifndef MICROPY_INCLUDED_EXTMOD_ZEPHYR_KERNEL_ARCH_IRQ_PRIMASK_H
+#define MICROPY_INCLUDED_EXTMOD_ZEPHYR_KERNEL_ARCH_IRQ_PRIMASK_H
+
+// Override Zephyr's BASEPRI-based arch_irq_lock() with PRIMASK-based version
+// for complete interrupt masking in critical sections.
+//
+// ISSUE: Zephyr's default arch_irq_lock() uses BASEPRI register on Cortex-M4/M7,
+// which masks only interrupts with priority >= threshold (0x10). This allows
+// priority 0 interrupts to fire during critical sections, potentially corrupting
+// thread state during mutex operations, context switches, and scheduler operations.
+//
+// FIX: Use PRIMASK register which masks ALL configurable interrupts (except NMI
+// and HardFault), providing complete interrupt masking in critical sections.
+//
+// TRADE-OFF: Slightly longer interrupt latency for priority 0 interrupts during
+// critical sections, but eliminates race conditions and memory corruption.
+
+#undef arch_irq_lock
+#undef arch_irq_unlock
+
+static ALWAYS_INLINE unsigned int arch_irq_lock(void) {
+    unsigned int key = __get_PRIMASK();
+    __disable_irq();  // Sets PRIMASK=1, disables ALL configurable interrupts
+    return key;
+}
+
+static ALWAYS_INLINE void arch_irq_unlock(unsigned int key) {
+    if (key != 0U) {
+        return;  // Interrupts were already disabled, don't re-enable
+    }
+    __enable_irq();  // Sets PRIMASK=0, enables interrupts
+    __ISB();
+}
+
+#endif // MICROPY_INCLUDED_EXTMOD_ZEPHYR_KERNEL_ARCH_IRQ_PRIMASK_H
