[CH6178] Tracer/checkpoints (rebase)

[avtolstoy]

submission notes

**Important:** Please sanitize/remove any confidential info like usernames, passwords, org names, product names/ids, access tokens, client ids/secrets, or anything else you don't wish to share.

Please Read and Sign the Contributor License Agreement ([Info here](https://github.com/spark/firmware/blob/develop/CONTRIBUTING.md)).

You may also delete this submission notes header if you'd like. Thank you for contributing!

Problem

This is a rebase of #1369 on develop with renaming according to [CH8404] and some additional backup SRAM overflow checks.

Solution

When a device hard faults, crashes, freezes or is otherwise misbehaving, it is presently difficult to know what the last action the device took is and whether the fault lies in application code, system code, peripheral code etc..

A checkpoints API would allow application and system firmware to record their current execution progress and provide an indication of where execution halted prior to the crash. This information is then published to the cloud on next successful connection.

It is also possible to get stack trace of all the threads using a naive stack unwinder, that just scans through the thread stack, looking for flash addresses (within system and user part bounds) and checks if there is a branching instruction at that location.

It would be useful to store per-thread stack traces in addition to checkpoint info whenever the device enters a hardfault, a panic state, or on demand. This will provide a better overview of the system state and help understand the cause of the crash or deadlock for difficult to reproduce issues.

System code may use the following macros defined in tracer_service.h:

• TRACER_CHECKPOINT() - regular instruction address type checkpoint
• TRACER_PANIC_CHECKPOINT() - special instruction address type checkpoint which should only be called from a panic handler, which will prevent further modification of diagnostic data
• TRACER_CRASH_CHECKPOINT(pc) - special instruction address type checkpoint which should only be called from a crash (hardfault) handler, which will prevent further modification of diagnostic data. An instruction address needs to be manually passed as an argument.
• TRACER_UPDATE() - forces a full system state update (including stacktraces).

All LOG statements, except for LOG_DUMP, make a call to TRACER_CHECKPOINT().
Both hardfault and panic handlers make a call to their respective macros: TRACER_CRASH_CHECKPOINT(), TRACER_PANIC_CHECKPOINT()

Application code may use the following macros defined in spark_wiring_tracer.h:

• CHECKPOINT() - a standard variant of CHECKPOINT() macro. Implementation depends on a preprocessor macro TRACER_ELF_AVAILABLE.
  • When defined and equal to 1, CHECKPOINT() macro internally calls TRACER_CHECKPOINT(), making it an instruction address type checkpoint
  • When undefined or set to 0, CHECKPOINT() macro internally makes a call to TRACER_TEXT_CHECKPOINT(), which saves the location of the checkpoint in textual format: __FILENAME__:__LINE__
• CHECKPOINT(text) - a specialized variant of CHECKPOINT() macro, which forces a textual checkpoint with the text passed as an argument

All Logger class calls, except for print, printf, write and dump, internally include a call to _LOG_CHECKPOINT() macro defined in spark_wiring_diagnostic.h, which is only enabled when TRACER_ELF_AVAILABLE == 1. It acquires an address of the calling function and uses that as the checkpoint instruction address.

Steps to Test

• unit tests
• app/checkpoint (see README.md)

Example App

• app/checkpoint

References

• Closes [CH6178] Checkpoints/diagnostics #1369 (supersedes)
• [CH6178]
• [CH8404]

---

Completeness

• User is totes amazing for contributing!
• Contributor has signed CLA (Info here)
• Problem and Solution clearly stated
• Run unit/integration/application tests on device
• Added documentation
• Added to CHANGELOG.md after merging (add links to docs and issues)

[m-mcgowan]

An excellent piece of work and fantastic to have this feature available! We will release it in 0.8.0-rc.2 so please ensure corresponding docs are available. In general, I'd like to see more source code comments describing why we are done - I've added some inline comments for areas that I feel need some explanation.

[m-mcgowan]

do we need a size field here for extensibility?

[avtolstoy]

That's a question in the original PR as well :)

It's currently only used within a single module and is not exported, so that shouldn't be a concern at the moment. If we later decide to export it, the first reserved becomes a version field as usual.

[m-mcgowan]

could you say a few words about the omit-frame-pointer option. is it only an optimization or does it have a functional purpose?

[avtolstoy]

This optimization is already enabled by -Os (actually by -O1, see https://gcc.gnu.org/onlinedocs/gcc/Optimize-Options.html), but it's better to explicitly specify it.

Disabling this option will lead to increased flash and stack usage (at the very least +16 bytes on each function call without tail-call optimization) and will interfere with stacktracer implemented in this PR. MbedTLS bignum assembly optimizations will also fail to build as R7 is not available and stores the frame pointer.

[m-mcgowan]

Can this be pushed to a FreeRTOS header?

[avtolstoy]

👍

[m-mcgowan]

We should document that the callback is executed in a critical section and should ensure it completes independently of the progress of other threads.

[avtolstoy]

👍
TracerService also only calls it with interrupts disabled.

[m-mcgowan]

black magic! 🤘

[avtolstoy]

Somewhat documented blackmagic :)

[m-mcgowan]

should we use a circular buffer so that the most recent entries are preserved?

[avtolstoy]

That's a good idea, however in theory we should not run out of space easily. There is at least 1k (~700 on Electron) bytes in system retained RAM and we do not have that many threads (especially on Electron).

We do not generate full stacktraces on every call (only when needed, e.g. using USB request or in hardfault/watchdog ISR) and every thread entry only has a header struct (8 bytes) + its name (up to 16 bytes) + a checkpoint stored (4 bytes).

[m-mcgowan]

This is unexpected - could you explain why the gcc platform is brought in for all user apps?

[avtolstoy]

Only for GCC platform: ifeq ($(PLATFORM_ID),3)

[m-mcgowan]

I imagine this is because of the traces in the logs?

[avtolstoy]

Correct. platform_tracer.h mainly.

[m-mcgowan]

what's the 1K reserved for?

[avtolstoy]

At the time of writing system-part3 RAM was overflowing, this change might no longer be needed.

[m-mcgowan]

Can you explain please why we need two distinct callback stores?

[avtolstoy]

One for system-part1, the other for system-part3. Ideally these should be moved into an .inc and built as part of module-specific source files or I guess both should be enabled simultaneously and built as weak, as otherwise these will probably cause issues with non-clean builds. 👍