Switch to [[cheriot::interrupt_state]] (#453)

CHERIoT-Platform · Feb 21, 2025 · 4cf1e5b · 4cf1e5b
1 parent ce99c16
commit 4cf1e5b
Show file tree

Hide file tree

Showing 19 changed files with 36 additions and 31 deletions.
diff --git a/docs/LanguageExtensions.md b/docs/LanguageExtensions.md
@@ -37,7 +37,7 @@ This attribute can also be used via the `__cheri_callback` macro, which allows i
 
 ## Interrupt state control
 
-The `cheri_interrupt_state` attribute (commonly used as a C++11 / C23 attribute spelled `cheri::interrupt_state`) is applied to functions and takes an argument that is either:
+The `cheri_interrupt_state` attribute (commonly used as a C++11 / C23 attribute spelled `cheriot::interrupt_state`) is applied to functions and takes an argument that is either:
 
  - `enabled`, to enable interrupts when calling this function.
  - `disabled`, to disable interrupts when calling this function.

diff --git a/examples/02.hello_compartment/README.md b/examples/02.hello_compartment/README.md
@@ -24,7 +24,7 @@ This is the kind of isolation that device drivers typically provide in operating
  - It provides useful interfaces to the underlying hardware that abstract over its implementation.
  - It protects the hardware interfaces from use by arbitrary software on the system.
 
-Note in addition that we've added one more attribute to the function exposed here: `[[cheri::interrupt_state(disabled)]]`.
+Note in addition that we've added one more attribute to the function exposed here: `[[cheriot::interrupt_state(disabled)]]`.
 This means that the uart compartment will write the entire string to the UART, so two different threads writing to it will not interfere.
 This is not ideal for something like a `write` function, which can take a caller-controlled amount of time to complete, because it prevents any other thread from making progress, even ones that don't touch the uart.
 

diff --git a/examples/02.hello_compartment/uart.cc b/examples/02.hello_compartment/uart.cc
@@ -9,7 +9,7 @@
 using Debug = ConditionalDebug<true, "UART compartment">;
 
 /// Write a message to the UART.
-[[cheri::interrupt_state(disabled)]] int write(const char *msg)
+[[cheriot::interrupt_state(disabled)]] int write(const char *msg)
 {
 	// Print the message.
 	Debug::log("{}", msg);

diff --git a/sdk/core/allocator/main.cc b/sdk/core/allocator/main.cc
@@ -1302,7 +1302,7 @@ size_t heap_available()
 	return gm->heapFreeSize;
 }
 
-[[cheri::interrupt_state(disabled)]] int heap_render()
+[[cheriot::interrupt_state(disabled)]] int heap_render()
 {
 #if HEAP_RENDER
 	gm->render();

diff --git a/sdk/core/allocator/software_revoker.h b/sdk/core/allocator/software_revoker.h
@@ -12,7 +12,7 @@
  * (-ENOTENOUGHSTACK, -ENOTENOUGHTRUSTEDSTACK) if it cannot be invoked, or
  * possibly -ECOMPARTMENTFAIL if the software revoker compartment is damaged.
  */
-[[cheri::interrupt_state(disabled)]] __cheri_compartment(
+[[cheriot::interrupt_state(disabled)]] __cheri_compartment(
   "software_revoker") int revoker_tick();
 
 /**

diff --git a/sdk/core/scheduler/main.cc b/sdk/core/scheduler/main.cc
@@ -297,7 +297,7 @@ namespace
 
 } // namespace
 
-[[cheri::interrupt_state(disabled)]] int __cheri_compartment("scheduler")
+[[cheriot::interrupt_state(disabled)]] int __cheri_compartment("scheduler")
   scheduler_entry(const ThreadLoaderInfo *info)
 {
 	Debug::Invariant(Capability{info}.length() ==
@@ -322,7 +322,7 @@ namespace
 	return 0;
 }
 
-[[cheri::interrupt_state(disabled)]] CHERI_SEALED(TrustedStack *)
+[[cheriot::interrupt_state(disabled)]] CHERI_SEALED(TrustedStack *)
   __cheri_compartment("scheduler")
     exception_entry(CHERI_SEALED(TrustedStack *) sealedTStack,
                     size_t mcause,
@@ -715,7 +715,7 @@ namespace
 	};
 } // namespace
 
-[[cheri::interrupt_state(disabled)]] __cheriot_minimum_stack(
+[[cheriot::interrupt_state(disabled)]] __cheriot_minimum_stack(
   0x30) const uint32_t *interrupt_futex_get(InterruptCapability sealed)
 {
 	STACK_CHECK(0x30);
@@ -736,7 +736,7 @@ namespace
 	return result;
 }
 
-[[cheri::interrupt_state(disabled)]] __cheriot_minimum_stack(
+[[cheriot::interrupt_state(disabled)]] __cheriot_minimum_stack(
   0x20) int interrupt_complete(InterruptCapability sealed)
 {
 	STACK_CHECK(0x20);
@@ -757,12 +757,12 @@ uint16_t thread_count()
 }
 
 #ifdef SCHEDULER_ACCOUNTING
-[[cheri::interrupt_state(disabled)]] uint64_t thread_elapsed_cycles_idle()
+[[cheriot::interrupt_state(disabled)]] uint64_t thread_elapsed_cycles_idle()
 {
 	return Thread::idleThreadCycles;
 }
 
-[[cheri::interrupt_state(disabled)]] uint64_t thread_elapsed_cycles_current()
+[[cheriot::interrupt_state(disabled)]] uint64_t thread_elapsed_cycles_current()
 {
 	// Calculate the number of cycles not yet reported to the current thread.
 	uint64_t currentCycles = rdcycle64();

diff --git a/sdk/core/token_library/token_unseal.S b/sdk/core/token_library/token_unseal.S
@@ -111,7 +111,7 @@ __sealingkey_dynamic:
 /**
  * An in-assembler implementation of
  *
- * [[cheri::interrupt_state(disabled)]] void *__cheri_libcall
+ * [[cheriot::interrupt_state(disabled)]] void *__cheri_libcall
  * token_obj_unseal(struct SKeyStruct *, void* __sealed_capability);
  *
  * The name has been manually mangled as per the C++ rules.
@@ -135,7 +135,7 @@ _Z16token_obj_unsealP10SKeyStructU19__sealed_capabilityPv:
 /**
  * An in-assembler implementation of
  *
- * [[cheri::interrupt_state(disabled)]] void *__cheri_libcall
+ * [[cheriot::interrupt_state(disabled)]] void *__cheri_libcall
  * token_obj_unseal_static(struct SKeyStruct *, struct SObjStruct *);
  *
  * The name has been manually mangled as per the C++ rules.
@@ -150,7 +150,7 @@ _Z23token_obj_unseal_staticP10SKeyStructU19__sealed_capabilityPv:
 /**
  * An in-assembler implementation of
  *
- * [[cheri::interrupt_state(disabled)]] void *__cheri_libcall
+ * [[cheriot::interrupt_state(disabled)]] void *__cheri_libcall
  * token_obj_unseal_dynamic(struct SKeyStruct *, struct SObjStruct *);
  *
  * The name has been manually mangled as per the C++ rules.

diff --git a/sdk/include/cdefs.h b/sdk/include/cdefs.h
@@ -141,6 +141,11 @@ using _Bool = bool;
 #	error Your compiler is too old for this version of CHERIoT RTOS, please upgrade to a newer version
 #endif
 
+#if (defined(__CHERIOT__) && __CHERIOT__ < 20250113) ||                        \
+  (defined(__CHERIOT_BAREMETAL__) && __CHERIOT_BAREMETAL__ < 20250113)
+#	error Your compiler is too old for this version of CHERIoT RTOS, please upgrade to a newer version
+#endif
+
 #define CHERIOT_VERSION_TRIPLE(major, minor, patch)                            \
 	((major * 10000) + (minor * 100) + (patch))
 

diff --git a/sdk/include/cheri.hh b/sdk/include/cheri.hh
@@ -1342,7 +1342,7 @@ namespace CHERI
 	 * Invokes the passed callable object with interrupts disabled.
 	 */
 	template<typename T>
-	[[cheri::interrupt_state(disabled)]] auto with_interrupts_disabled(T &&fn)
+	[[cheriot::interrupt_state(disabled)]] auto with_interrupts_disabled(T &&fn)
 	{
 		return fn();
 	}

diff --git a/sdk/include/futex.h b/sdk/include/futex.h
@@ -41,7 +41,7 @@ enum [[clang::flag_enum]] FutexWaitFlags
  *  - `-EINVAL` if the arguments are invalid.
  *  - `-ETIMEOUT` if the timeout expires.
  */
-[[cheri::interrupt_state(disabled)]] int __cheri_compartment("scheduler")
+[[cheriot::interrupt_state(disabled)]] int __cheri_compartment("scheduler")
   futex_timed_wait(Timeout        *ticks,
                    const uint32_t *address,
                    uint32_t        expected,
@@ -75,5 +75,5 @@ __always_inline static int futex_wait(const uint32_t *address,
  * The return value for a successful call is the number of threads that were
  * woken.  `-EINVAL` is returned for invalid arguments.
  */
-[[cheri::interrupt_state(disabled)]] int __cheri_compartment("scheduler")
+[[cheriot::interrupt_state(disabled)]] int __cheri_compartment("scheduler")
   futex_wake(uint32_t *address, uint32_t count);
diff --git a/sdk/include/multiwaiter.h b/sdk/include/multiwaiter.h
@@ -71,7 +71,7 @@ typedef CHERI_SEALED(struct MultiWaiterInternal *) MultiWaiter;
  * Create a multiwaiter object.  This is a stateful object that can wait on at
  * most `maxItems` event sources.
  */
-[[cheri::interrupt_state(disabled)]] int __cheri_compartment("scheduler")
+[[cheriot::interrupt_state(disabled)]] int __cheri_compartment("scheduler")
   multiwaiter_create(Timeout            *timeout,
                      AllocatorCapability heapCapability,
                      MultiWaiter        *ret,
@@ -80,7 +80,7 @@ typedef CHERI_SEALED(struct MultiWaiterInternal *) MultiWaiter;
 /**
  * Destroy a multiwaiter object.
  */
-[[cheri::interrupt_state(disabled)]] int __cheri_compartment("scheduler")
+[[cheriot::interrupt_state(disabled)]] int __cheri_compartment("scheduler")
   multiwaiter_delete(AllocatorCapability heapCapability, MultiWaiter mw);
 
 /**
@@ -95,7 +95,7 @@ typedef CHERI_SEALED(struct MultiWaiterInternal *) MultiWaiter;
  *  - If the timeout is reached without any events being triggered then this
  *    returns -ETIMEOUT.
  */
-[[cheri::interrupt_state(disabled)]] int __cheri_compartment("scheduler")
+[[cheriot::interrupt_state(disabled)]] int __cheri_compartment("scheduler")
   multiwaiter_wait(Timeout                  *timeout,
                    MultiWaiter               waiter,
                    struct EventWaiterSource *events,

diff --git a/sdk/include/simulator.h b/sdk/include/simulator.h
@@ -10,7 +10,7 @@
 /**
  * Exit simulation, reporting the error code given as the argument.
  */
-[[cheri::interrupt_state(disabled)]] int __cheri_compartment("scheduler")
+[[cheriot::interrupt_state(disabled)]] int __cheri_compartment("scheduler")
   scheduler_simulation_exit(uint32_t code __if_cxx(= 0));
 #endif
 

diff --git a/sdk/include/thread.h b/sdk/include/thread.h
@@ -20,7 +20,7 @@ typedef struct
 	/// hi 32 bits
 	uint32_t hi;
 } SystickReturn;
-[[cheri::interrupt_state(disabled)]] SystickReturn
+[[cheriot::interrupt_state(disabled)]] SystickReturn
   __cheri_compartment("scheduler") thread_systemtick_get(void);
 
 enum ThreadSleepFlags : uint32_t
@@ -60,7 +60,7 @@ enum ThreadSleepFlags : uint32_t
  * If you are using `thread_sleep` to elapse real time, pass
  * `ThreadSleepNoEarlyWake` as the flags argument to prevent early wakeups.
  */
-[[cheri::interrupt_state(disabled)]] int __cheri_compartment("scheduler")
+[[cheriot::interrupt_state(disabled)]] int __cheri_compartment("scheduler")
   thread_sleep(struct Timeout *timeout, uint32_t flags __if_cxx(= 0));
 
 /**

diff --git a/sdk/include/token.h b/sdk/include/token.h
@@ -84,7 +84,7 @@ __cheri_compartment("allocator")
  * `token_obj_unseal_dynamic` and returning the result of the first one that
  * succeeds, or null if both fail.
  */
-[[cheri::interrupt_state(disabled)]] void *
+[[cheriot::interrupt_state(disabled)]] void *
   __cheri_libcall token_obj_unseal(SKey, CHERI_SEALED(void *));
 
 /**
@@ -97,7 +97,7 @@ __cheri_compartment("allocator")
  * Returns the unsealed object if the key and object are valid and of the
  * correct type, null otherwise.
  */
-[[cheri::interrupt_state(disabled)]] void *
+[[cheriot::interrupt_state(disabled)]] void *
   __cheri_libcall token_obj_unseal_static(SKey, CHERI_SEALED(void *));
 
 /**
@@ -111,7 +111,7 @@ __cheri_compartment("allocator")
  * Returns the unsealed object if the key and object are valid and of the
  * correct type, null otherwise.
  */
-[[cheri::interrupt_state(disabled)]] void *
+[[cheriot::interrupt_state(disabled)]] void *
   __cheri_libcall token_obj_unseal_dynamic(SKey, CHERI_SEALED(void *));
 
 /**

diff --git a/sdk/lib/atomic/atomic.hh b/sdk/lib/atomic/atomic.hh
@@ -9,7 +9,7 @@
  * inserts calls to them.  Declare them using the asm label extension.
  */
 #define DECLARE_ATOMIC_LIBCALL(name, ret, ...)                                 \
-	[[cheri::interrupt_state(disabled)]] CHERIOT_DECLARE_STANDARD_LIBCALL(     \
+	[[cheriot::interrupt_state(disabled)]] CHERIOT_DECLARE_STANDARD_LIBCALL(   \
 	  name, ret, __VA_ARGS__)
 
 /**

diff --git a/sdk/lib/atomic/atomicn.cc b/sdk/lib/atomic/atomicn.cc
@@ -11,7 +11,7 @@
  * name.
  */
 #define DECLARE_ATOMIC_LIBCALL_ALIAS(name, ret, ...)                           \
-	[[cheri::interrupt_state(disabled)]] __cheri_libcall ret name(             \
+	[[cheriot::interrupt_state(disabled)]] __cheri_libcall ret name(           \
 	  __VA_ARGS__) asm("__" #name);
 
 /**

diff --git a/sdk/lib/cxxrt/guard.cc b/sdk/lib/cxxrt/guard.cc
@@ -14,7 +14,7 @@ using Debug = ConditionalDebug<DEBUG_CXXRT, "cxxrt">;
  * inserts calls to them.  Declare them using the asm label extension.
  */
 #define DECLARE_ATOMIC_LIBCALL(name, ret, ...)                                 \
-	[[cheri::interrupt_state(disabled)]] __cheri_libcall ret name(             \
+	[[cheriot::interrupt_state(disabled)]] __cheri_libcall ret name(           \
 	  __VA_ARGS__) asm(#name);
 
 DECLARE_ATOMIC_LIBCALL(__cxa_guard_acquire, int, uint64_t *)

diff --git a/sdk/lib/stdio/printf.cc b/sdk/lib/stdio/printf.cc
@@ -635,7 +635,7 @@ vsnprintf(char *str, // NOLINT (clang-tidy spuriously thinks this should be
 	return (retval);
 }
 
-[[cheri::interrupt_state(disabled)]] int __cheri_libcall
+[[cheriot::interrupt_state(disabled)]] int __cheri_libcall
 vfprintf(FILE *stream, const char *fmt, va_list ap)
 {
 	return kvprintf(

diff --git a/tests.extra/regress-thread_exit_IRQ/helper.cc b/tests.extra/regress-thread_exit_IRQ/helper.cc
@@ -1,5 +1,5 @@
 #include "helper.h"
-[[cheri::interrupt_state(enabled)]] void *help()
+[[cheriot::interrupt_state(enabled)]] void *help()
 {
 	return __builtin_return_address(0);
 }