trampoline functionalty #1106
trampoline functionalty #1106
Conversation
Co-authored-by: Salon <salon64@users.noreply.github.com>
Co-authored-by: Salon <salon64@users.noreply.github.com>
Spooky-Firefox
force-pushed
the
exeption_trampoline
branch
from
c900f83 to
4c855d6
Compare
| //! examples/bouncy_trampoline.rs | ||
| #![no_std] | ||
| #![no_main] | ||
| #![deny(warnings)] | ||
| #![deny(unsafe_code)] | ||
| #![deny(missing_docs)] | ||
|
|
||
| use panic_semihosting as _; | ||
|
|
||
| // `examples/bouncy_trampoline.rs` testing trampoline feature |
There was a problem hiding this comment.
Nitpick: Filename and comment are disagreeing :)
|
|
||
| ### Changed | ||
|
|
||
| - changed (sysclk % timer_hz) == 0 to sysclk.is_multiple_of(timer_hz) to make clippy happy as required to CI. |
There was a problem hiding this comment.
CI always uses latest stable Rust, so new versions bring in new lints/defaults all the time :)
Thank you for dealing with this, could you split out the 'rtic-monotonics' changes into a separate commit? If you want you could even create a separate PR for this, to help your colleague, that can be fast-tracked into master branch that way :)
Great you added to the CHANGELOG, but please add new entries above, building like a stack. Please cleanup the commentary and the double ### Changed headers while you're at it :P
|
Is there some rationale somewhere for why this approach was chosen to solve #1088? Out of the alternatives mentioned in the discussion, trampolines seem to me the most cumbersome. They introduce a new public API which has to be documented and maintained indefinitely, they require a free interrupt to be usable, and they add the extra complexity that the actual code no longer runs in the exception handler, which introduces a number of new edge cases for users (e.g. when reasoning about pending interrupts/exceptions). |
The trampoline approach was chosen because it avoids using a global critical section, which would block higher-priority tasks. I agree that the solution is not ideal—it introduces an additional public API that must be maintained and documented, and it currently requires a free interrupt (something that could be improved later by reusing existing dispatchers). However, I don’t fully agree that it adds complexity for the user. With trampolines, all tasks now adhere to the Stack Resource Policy (SRP), so users no longer need to handle exceptions that violate SRP manually. This makes timing and priority behavior easier to reason about overall. |
Perhaps. I suppose it depends on the specific use case. I'm going to trust the judgement of developers more familiar with the RTIC codebase on this. I wonder what the performance overhead of the trampoline is, but I'm not sure how to best measure it. |
3 participants
Trampoline Feature for Hardware Tasks
This pull request introduces a new trampoline feature for hardware tasks in RTIC.
It allows an interrupt handler to pend another interrupt (the trampoline), which then executes the actual task code.
This approach improves interrupt handling flexibility and source masking safety (as some exceptions cannot be masked through the NVIC).
The implementation includes changes to parsing, code generation, and error checking for correct usage.
It also includes a small CI fix and a minor clippy compliance improvement to the
rtic-monotonicscrate.Overview
Trampoline Behavior
Normally, when using the source masking backend, we expect that a lower-priority exception waits until the higher-priority task finishes:
However, because we artificially raise priority by disabling interrupts (not exceptions), the effective task priority remains unchanged.
This means that lower-priority exceptions can still preempt the task:
The trampoline mechanism solves this by pended interrupts that are properly masked by the source masking backend, preserving the Stack Resource Policy (SRP):
As illustrated, there is a brief priority inversion when pended, but since no critical section is executed during this window, it is not problematic.
We also do not enforce a trampoline when shared resources are not used — these cases still involve a minor priority inversion, but since shared data is untouched, this trade-off was accepted.
For more discussion, see issue #1088.
Implementation Details
trampolineargument in hardware task definitions, allowing an interrupt handler to pend another interrupt that executes the task logic.[1]
[2]
[1]
[2]
[1]
[2]
[3]
Documentation and Changelog Updates
[1]
[2]
Miscellaneous Improvements
is_multiple_of()inrtic-monotonicsfor clippy compliance.[1]
[2]
Summary
These changes collectively enhance the flexibility and safety of interrupt handling in RTIC while improving CI reliability and code linting compliance.