CS452 - Real-Time Programming - Spring 2012

Lecture 5 - Tasks & Kernels

Pubilc Service Annoucements

  1. Due date for assignment 1
  2. Partners

Kernel of a Real-time Operating System


What is a task?

  1. A set of instructions
  2. Current state, which is changed by executing instructions, which includes

Two tasks can use the same set of instructions, but

The kernel keeps track of every task's state

The TD normally contains

  1. The task's stack pointer, which points to a private stack, in the memory of the task, containing

    all ready to be reloaded whenever the task next runs.

  2. Possibly the return value for when the task is next activated
  3. Possibly something to support a Destroy primitive
  4. The task's state
  5. Links to queues on which the task is located

Possible states of the task

  1. Active: running or about to run
  2. Ready: can run if scheduled
  3. Blocked: waiting for something to happen
  4. Zombie

Kernel Structure

The kernel is just a function like any other, but which runs forever.

kernel( ) {
  initialize( );  // includes starting the first user task
    request = getNextRequest( );
    handle( request );

Where is the OS?

All the interesting stuff inside done by the kernel is hidden inside getNextRequest.

int getNextRequest( ) {
  active = schedule( ... );
  return activate( active );

What's inside activate( active )?

  1. transfer of control to the active task
  2. execution to completion of the active task
  3. transfer of control back to the kernel
  4. getting the request

The hard part to get right is `transfer of control'

ARM 920T

What is it?

Two modes of labelling

  1. By architecture (now up to v7)
    Architecture Instruction








    ARMv1 1 no no no Obsolete
    ARMv2 2 no no no Obsolete
    ARMv3 3 no no no
    ARMv3M 3 no yes no
    ARMv4 4 no yes no
    ARMv4T 4 yes yes no This is the one in the box.
    ARMv5 5 no yes no Has CLZ
    ARMv5T 5 yes yes no
    ARMv5TE 5 yes yes yes

    Thumb instructions are 16 bit, and accelerated.

  2. By processor core






    ARM7TDMI v4T v1 Most of the ARM7xx processors
    ARM9TDMI v4T v1 ARM[920|922|940]T:
    920T is the one in the box.

    `T' means includes thumb instructions

    `DMI' means direct memory interface

    StrongARM v4 n/a Intel SA-110. Found in Compaq versions of IPAQ.
    ARM9E v5TE v2
    ARM10E v5TE v2
    XScale v5TE v2 Manufactured by Intel. HP versions of IPAQ.


  1. 16 32-bit registers

    partially separate register sets different modes

    link register (lr), program counter (pc) are special, but not very special

  2. Processor modes. In the table below `special' means that the mode has ia separate copy of the registers.
    M[4:0] Mode Registers accessible
    10000 User r0-r15
    10001 FIQ (Fast interrupt processing) r0-r7, r15

    cpsr, spsr_fiq

    10010 IRQ (Interrupt processing) r0-r12, r15

    cpsr, spsr_irq

    10011 Supervisor r0-r12, r15

    cpsr, sprs_svc

    10111 Abort r0-r12, r15

    cpsr, spsr_abt

    11011 Undefined r0-r12, r15

    cpsr, spsr_und

    11111 System r0-r15


  3. Program status register, which you will find in two places CPSR and SPSR
    Bit Mnemonic Meaning
    31 N Negative
    30 Z Zero
    29 C Carry
    28 V Overflow
    8-27 DNM Does not matter in v4
    7 I Interrupts disabled
    6 F Fast interrupts disabled
    5 T Thumb execution
    4 M4 Five processor mode bits
    3 M3
    2 M2
    1 M1
    0 M0

  4. Exceptions



    Called from

    Mode at




    Reset hardware supervisor 0x00
    Undefined instruction any undefined 0x04
    Software interrupt any supervisor 0x08
    Prefetch abort any abort 0x0c
    Data abort any abort 0x10
    Ordinary interrupt any IRQ 0x18
    Fast interrupt any FIQ 0x1c

    1. You are concerned right now with Reset and Software Interrupt.
    2. The first instruction executed by the CPU after reset is the one at location 0x00000000. Usually it is
          ldr  pc, [pc, #0x18] ; 0xe590f018 is the binary encoding

      which you will normally find in addresses 0x00 to 0x1c. Just executing an instruction, rather than having an address that is specially processed saves transistors, which is good.

    3. RedBoot puts entry points of RedBoot into addresses 0x20 to 0x3c.This makes it possible to jump to any location in the 32 bit address space.
    4. Note endianness of RedBoot output when examining these locations.
  5. Three data types

General Comments

  1. each instruction is exactly one word
  2. load and store RISC architecture
  3. rich set of addressing modes, based on barrel shifting
  4. allows you to keep any partial computation it makes

Context Switch


Function Call (gcc calling conventions)

; In calling code
                      ; store values of r0-r3
                      ; load arguments into r0-r3
   bl  <entry point>  ; this treats the pc and lr specially
                      ; lr <- pc, pc <- <entry point>
                      ; r0 has the return value
                      ; r1-r3 have useless junk

; In called code
entry point:
   mov     ip, sp
   stmdb   sp!, {fp, ip, lr} ; and usually others, 
                             ; determined by the registers the function uses
   ldmia   sp, {fp, sp, pc} ; and whatever others
                            ; exact inverse of stmdb

Note the role of the index pointer (ip), link register (lr) and stack pointer (sp).

The final instruction could be

   ldmia   sp, {fp, sp, lr}
   mov     pc, lr

The sequence

   bl   junk
   mov   pc, lr

is a NOP.

Software Interrupt

The software interrupt instruction ( SWI{cond} <immed_24> ). What happens when it is executed?

  1. r14_svc <- address of the following instruction. This is where the kernel will return to.
  2. SPSR_svc <- CPSR. This saves the mode, condition codes, etc.
  3. CPSR[0:4] <- 0b10011. Supervisor mode.
  4. CPSR[5] <- 0. ARM (not Thumb) state.
  5. CPSR[7] <- 1. Normal interrupts disabled.
  6. PC <- 0x08

The CPU ignores the 24-bit immediate value, which can be used by the programmer as an argument identifying the system call, for example.

; In calling code
                          ; Store r0-r3
                          ; Put arguments into r0-r3
                          ; 0x08 holds the kernel entry point
   swi  n                 ; n identifies which system call you are calling
                          ; retrieve return value from r0
                          ; r1-r3 have even more useless junk

; In kernel
kernel entry:
; Change to system mode
; Save user state on user stack
; Return to supervisor mode
   ldr    r4, [lr, #-4]    ; gets the request type
                           ; at this point you can get the arguments
                           ; Where are they?
; Retrieve kernel state from kernel stack
; Do kernel work

The sequence

   swi   n
kernel entry:
   movs   pc, lr

is a NOP.


  1. What is above kernel entry?
  2. If you put swi in a wrapper or stub what happens before and after it?
  3. If the request had arguments, how would you get them into the kernel?

    Hint. How does gcc pass arguments into a function?

  4. It might be important that there are two link registers. Which two link registers? Why?
  5. In practice it isn't important. Why not?


  1. Try this first on paper drawing the stack, registers, etc after each instruction
  2. Try coding in baby steps, which is usually a good idea in assembly language.

Try reading this.

Return to: