Skip to content

[EXPERIMENTAL]sched/hrtimer: Part 2: refine hrtimer state machine and introduce scheduler support with hrtimer #17573

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wangchdo wants to merge 6 commits into
base: master
Choose a base branch
from
Open

[EXPERIMENTAL]sched/hrtimer: Part 2: refine hrtimer state machine and introduce scheduler support with hrtimer #17573

wangchdo wants to merge 6 commits into from

Conversation

@wangchdo
Copy link
Contributor

@wangchdo wangchdo commented Dec 20, 2025
edited
Loading

Summary

This PR introduces high-resolution timer (hrtimer) support as a fully independent and optional module for support of the scheduler, without affecting existing scheduler behavior.

Hrtimer is strictly isolated from the current scheduling logic:

  1. All hrtimer code is enabled only when CONFIG_HRTIMER is set.
  2. If CONFIG_HRTIMER is disabled, the scheduler continues to use the existing tick-based or tickless mechanisms with no changes.
  3. When enabled, hrtimer reuses the existing scheduler logic to drive OS ticks via a dedicated hrtimer instance.

The module does not modify any scheduler data structures or timing paths.
Hrtimer acts solely as an alternative time source. Core scheduler functions (nxsched_process_tick(), nxsched_tick_expiration(), etc.) remain unchanged and are reused as-is.

Additional safeguards:

  1. The scheduler hrtimer is initialized lazily and does not impact system startup.
  2. Existing timer infrastructure is not replaced or bypassed unless explicitly configured.
  3. Any failure or imperfection in hrtimer is confined to the module itself and cannot affect legacy scheduling paths.

Integration benefit

This design enables incremental development and review of hrtimer while ensuring that existing NuttX scheduling behavior remains stable even if the hrtimer feature is explicitly enabled.

Development benefit
With this design, developers interested in optimizing the scheduler and those focused on optimizing hrtimer can work independently on their respective improvements.

One other key update
This PR also includes an improvement(also in a seperate PR #17570) to hrtimer by refining its state machine, this is to fix some issues in SMP mode found by @Fix-Point. The refined state-machine is as shown below, and the corresponding diagram is also added in the hrtimer documentation.

image

Impact

Add hrtimer support to nuttx scheduelr, without altering the existing scheduler behavior.

Testing

Test 1 passed (integrated in ostest):

- test implementation:

/****************************************************************************
 * apps/testing/ostest/hrtimer.c
 *
 * SPDX-License-Identifier: Apache-2.0
 *
 * Licensed to the Apache Software Foundation (ASF) under one or more
 * contributor license agreements.  See the NOTICE file distributed with
 * this work for additional information regarding copyright ownership.  The
 * ASF licenses this file to you under the Apache License, Version 2.0 (the
 * "License"); you may not use this file except in compliance with the
 * License.  You may obtain a copy of the License at
 *
 *   http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.  See the
 * License for the specific language governing permissions and limitations
 * under the License.
 *
 ****************************************************************************/

/****************************************************************************
 * Included Files
 ****************************************************************************/

#include <nuttx/config.h>
#include <nuttx/hrtimer.h>

#include <stdio.h>
#include <sched.h>

#include "ostest.h"

/****************************************************************************
 * Pre-processor Definitions
 ****************************************************************************/

#define NSEC_PER_500MS (500 * NSEC_PER_MSEC)

/* Set a 1ms margin to allow hrtimertest to pass in QEMU.
 *
 * QEMU is a virtual platform, and its timer resolution and scheduling
 * latency may be less precise than on real hardware. Using a larger
 * margin ensures that tests do not fail due to timing inaccuracies.
 *
 * On real hardware (verified on the a2g-tc397-5v-tft board), this
 * margin can be reduced to less than 5 ns because timers are precise
 * and deterministic.
 */

#define NSEC_MARGIN    (NSEC_PER_MSEC)

/* Simple assertion macro for HRTimer test cases */
#define HRTIMER_TEST(expr, value)                                   \
  do                                                                \
    {                                                               \
      ret = (expr);                                                 \
      if (ret != (value))                                           \
        {                                                           \
          printf("ERROR: HRTimer test failed, line=%d ret=%d\n",   \
                 __LINE__, ret);                                    \
          ASSERT(false);                                            \
        }                                                           \
    }                                                               \
  while (0)

/****************************************************************************
 * Private Types
 ****************************************************************************/

/* Structure for HRTimer test tracking */

struct hrtimer_test_s
{
  hrtimer_t timer;    /* HRTimer instance */
  uint64_t  previous; /* Previous timestamp in nanoseconds */
  uint32_t  count;    /* Number of timer expirations */
  uint32_t  period;   /* Expected period between expirations */
  bool      active;   /* True while the test is still running */
};

/****************************************************************************
 * Private Functions
 ****************************************************************************/

/****************************************************************************
 * Name: hrtimer_test_init
 *
 * Description:
 *   Initialize a hrtimer_test_s structure for a new test.
 *
 * Input Parameters:
 *   test_hrtimer - Pointer to the test structure to initialize
 *   period       - Expected timer period in nanoseconds
 *
 * Returned Value:
 *   None
 *
 ****************************************************************************/

static void hrtimer_test_init(FAR struct hrtimer_test_s *test_hrtimer,
                              uint32_t period)
{
  test_hrtimer->previous = 0;
  test_hrtimer->count    = 0;
  test_hrtimer->active   = true;
  test_hrtimer->period   = period;
}

/****************************************************************************
 * Name: test_hrtimer_callback
 *
 * Description:
 *   HRTimer callback function for test.
 *
 *   - Verifies the timer interval is exactly 500ms (nanosecond precision)
 *   - Stops the test after 15 expirations
 *   - Re-arms the timer in absolute mode
 *
 * Input Parameters:
 *   hrtimer - Pointer to the expired HRTimer instance
 *
 * Returned Value:
 *   Timer period in nanoseconds (NSEC_PER_500MS)
 *
 ****************************************************************************/

static uint32_t test_hrtimer_callback(FAR hrtimer_t *hrtimer)
{
  struct timespec ts;
  uint32_t diff;
  uint64_t now;
  int ret;

  FAR struct hrtimer_test_s *test =
    (FAR struct hrtimer_test_s *)hrtimer;

  /* Increment expiration count */

  test->count++;

  /* Get current system time */

  clock_systime_timespec(&ts);
  now = clock_time2nsec(&ts);

  /* Skip comparison for first two invocations */

  if (test->count > 2)
    {
      /* Verify the timer interval is exactly
       * 500ms with nsec resolution
       */

      diff = (uint32_t)(now - test->previous);

      HRTIMER_TEST(NSEC_PER_500MS < diff + NSEC_MARGIN, true);
      HRTIMER_TEST(NSEC_PER_500MS > diff - NSEC_MARGIN, true);
    }

  test->previous = now;

  /* Stop the test after 15 expirations */

  if (test->count  >= 15)
    {
      ret = hrtimer_cancel(hrtimer);
      HRTIMER_TEST(ret, 0);

      test->active = false;
    }

  return test->period;
}

/****************************************************************************
 * Public Functions
 ****************************************************************************/

/****************************************************************************
 * Name: hrtimer_test
 *
 * Description:
 *   Entry point for high-resolution timer functional test.
 *
 *   - Initializes a HRTimer
 *   - Starts it with a 500ms relative timeout
 *   - Verifies subsequent expirations occur at 500ms intervals
 *
 * Input Parameters:
 *   None
 *
 * Returned Value:
 *   None
 *
 ****************************************************************************/

void hrtimer_test(void)
{
  int ret;
  struct hrtimer_test_s test_hrtimer_500ms;

  /* Initialize test structure */

  hrtimer_test_init(&test_hrtimer_500ms, NSEC_PER_500MS);

  /* Initialize the high-resolution timer */

  hrtimer_init(&test_hrtimer_500ms.timer,
               test_hrtimer_callback,
               NULL);

  /* Start the timer with 500ms relative timeout */

  ret = hrtimer_start(&test_hrtimer_500ms.timer,
                      test_hrtimer_500ms.period,
                      HRTIMER_MODE_REL);

  HRTIMER_TEST(ret, OK);

  /* Wait until the test completes */

  while (test_hrtimer_500ms.active)
    {
      usleep(500 * USEC_PER_MSEC);
    }
}

test log on rv-virt:smp64:

NuttShell (NSH)
nsh> 
nsh> uname -a
NuttX 0.0.0 6847a0cc95-dirty Dec 20 2025 12:26:39 risc-v rv-virt
nsh> ostest

(...)

user_main: hrtimer test

End of test memory usage:
VARIABLE  BEFORE   AFTER
======== ======== ========
arena     1fbdec0  1fbdec0
ordblks         9        9
mxordblk  1f73880  1f73880
uordblks    109b0     ff18
fordblks  1fad510  1fadfa8

Final memory usage:
VARIABLE  BEFORE   AFTER
======== ======== ========
arena     1fbdec0  1fbdec0
ordblks         1        9
mxordblk  1fb2cf8  1f73880
uordblks     b1c8     ff18
fordblks  1fb2cf8  1fadfa8
user_main: Exiting
ostest_main: Exiting with status 0

test 2 passed (provided by @Fix-Point )

test implementation

/****************************************************************************
 * apps/examples/hello/hello_main.c
 *
 * SPDX-License-Identifier: Apache-2.0
 *
 * Licensed to the Apache Software Foundation (ASF) under one or more
 * contributor license agreements.  See the NOTICE file distributed with
 * this work for additional information regarding copyright ownership.  The
 * ASF licenses this file to you under the Apache License, Version 2.0 (the
 * "License"); you may not use this file except in compliance with the
 * License.  You may obtain a copy of the License at
 *
 *   http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.  See the
 * License for the specific language governing permissions and limitations
 * under the License.
 *
 ****************************************************************************/

/****************************************************************************
 * Included Files
 ****************************************************************************/

#include <nuttx/config.h>
#include <stdio.h>
#include <unistd.h>

#include <nuttx/hrtimer.h>

#define HRTIMER_TEST_THREAD_NR (1)
#define HRTIMER_TEST_NR        (1000000)

/****************************************************************************
 * Public Functions
 ****************************************************************************/

static int volatile tcount = 0;
static volatile uint32_t next = 0;

static uint32_t test_callback(FAR struct hrtimer_s *hrtimer)
{

  tcount++;
  up_ndelay(hrtimer->expired % (10 * NSEC_PER_USEC));

  return 0;
}

static uint32_t test_callback_background(FAR struct hrtimer_s *hrtimer)
{
  up_ndelay(hrtimer->expired % NSEC_PER_USEC);
  return 0;
}


static void test1(int tid)
{
  hrtimer_t   timer;
  int         count = 0;
  irqstate_t flags;
  spinlock_t lock;

  if (tid == 0)
    {
      hrtimer_init(&timer, test_callback, NULL);
    }
  else
    {
      hrtimer_init(&timer, test_callback_background, NULL);
    }

  while (count++ < HRTIMER_TEST_NR)
    {
      int ret;
      if (tid == 0)
        {
          uint64_t delay = rand() % (10 * NSEC_PER_MSEC);

          /* Simulate the periodical hrtimer.. */

          flags = spin_lock_irqsave(&lock);

          /* Use as periodical timer */

          ret = hrtimer_cancel(&timer);
          ret = hrtimer_start(&timer, 1000, HRTIMER_MODE_REL);

          spin_unlock_irqrestore(&lock, flags);

          up_ndelay(NSEC_PER_MSEC);

          flags = spin_lock_irqsave(&lock);

          ret = hrtimer_cancel_sync(&timer);
          ret = hrtimer_start(&timer, 1000, HRTIMER_MODE_REL);
          spin_unlock_irqrestore(&lock, flags);

          up_ndelay(NSEC_PER_MSEC);

          hrtimer_cancel_sync(&timer); // stucked here????
          printf("???\n");
        }
      else
        {
          /* Simulate the background hrtimer.. */

          uint64_t delay = rand() % (10 * NSEC_PER_MSEC);

          ret = hrtimer_cancel(&timer);
          ret = hrtimer_start(&timer, delay, HRTIMER_MODE_REL);
        }

      UNUSED(ret);
    }
}

static void* test_thread(void *arg)
{
  while (1)
    {
      test1((int)arg);
    }
  return NULL;
}
/****************************************************************************
 * hello_main
 ****************************************************************************/

int main(int argc, FAR char *argv[])
{
  unsigned int   thread_id;
  pthread_attr_t attr;
  pthread_t      pthreads[HRTIMER_TEST_THREAD_NR];

  printf("hrtimer_test start...\n");

  ASSERT(pthread_attr_init(&attr) == 0);

  /* Create wdog test thread */

  for (thread_id = 0; thread_id < HRTIMER_TEST_THREAD_NR; thread_id++)
    {
      ASSERT(pthread_create(&pthreads[thread_id], &attr,
                            test_thread, (void *)thread_id) == 0);
    }

  for (thread_id = 0; thread_id < HRTIMER_TEST_THREAD_NR; thread_id++)
    {
      pthread_join(pthreads[thread_id], NULL);
    }

  ASSERT(pthread_attr_destroy(&attr) == 0);

  printf("hrtimer_test end...\n");
  return 0;
}

test passed log on rv-virt:smp64

nsh> uname -a
NuttX 0.0.0 6847a0cc95-dirty Dec 20 2025 12:26:39 risc-v rv-virt
nsh> 
nsh> hello
???
???
???
(...)

test 3 passed (provided by @Fix-Point )

test implementation

/****************************************************************************
 * apps/examples/hello/hello_main.c
 *
 * SPDX-License-Identifier: Apache-2.0
 *
 * Licensed to the Apache Software Foundation (ASF) under one or more
 * contributor license agreements.  See the NOTICE file distributed with
 * this work for additional information regarding copyright ownership.  The
 * ASF licenses this file to you under the Apache License, Version 2.0 (the
 * "License"); you may not use this file except in compliance with the
 * License.  You may obtain a copy of the License at
 *
 *   http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.  See the
 * License for the specific language governing permissions and limitations
 * under the License.
 *
 ****************************************************************************/

/****************************************************************************
 * Included Files
 ****************************************************************************/

#include <nuttx/config.h>
#include <stdio.h>

#include <nuttx/hrtimer.h>

#define HRTIMER_TEST_THREAD_NR (CONFIG_SMP_NCPUS * 8)

/****************************************************************************
 * Public Functions
 ****************************************************************************/

static uint32_t test_callback(FAR struct hrtimer_s *hrtimer)
{
  printf("test callback ...\n");
  return 0;
}

static void* test_thread(void *arg)
{
  irqstate_t  flags;
  hrtimer_t   timer;
  spinlock_t  lock = SP_UNLOCKED;
  hrtimer_init(&timer, test_callback, NULL);
  while (1)
    {
      uint64_t delay = rand() % NSEC_PER_MSEC;
      int ret;

      /* Simulate the usage of driver->wait_dog. */

      flags = spin_lock_irqsave(&lock);

      /* The driver lock acquired */

      /* First try, failed. Because hrtimer_start can not ensure the timer being started. */

      ret = hrtimer_cancel(&timer);
      // ret = hrtimer_start(&timer, 10 * NSEC_PER_USEC, HRTIMER_MODE_REL); /* May fail */

      /* This try-loop start should be OK. But it failed again.
       * Besides, we can not sleep or spin in the critical sections.
       */

      while (hrtimer_start(&timer, 10 * NSEC_PER_USEC, HRTIMER_MODE_REL) != OK);
      ret = OK;

      /* Second try, Success, but we can not sleep or spin in the critical section. */

      // ret = hrtimer_cancel_sync(&timer); /* Sleep in critical sections */
      // ret = hrtimer_start(&timer, delay, HRTIMER_MODE_REL);


      spin_unlock_irqrestore(&lock, flags);

      if (ret != OK)
        {
          printf("hrtimer_start failed\n");
        }
      up_ndelay(delay);
    }
  return NULL;
}

/****************************************************************************
 * hello_main
 ****************************************************************************/

int main(int argc, FAR char *argv[])
{
  unsigned int   thread_id;
  pthread_attr_t attr;
  pthread_t      pthreads[HRTIMER_TEST_THREAD_NR];

  printf("hrtimer_test start...\n");

  ASSERT(pthread_attr_init(&attr) == 0);

  /* Create wdog test thread */

  for (thread_id = 0; thread_id < HRTIMER_TEST_THREAD_NR; thread_id++)
    {
      ASSERT(pthread_create(&pthreads[thread_id], &attr,
                            test_thread, NULL) == 0);
    }

  for (thread_id = 0; thread_id < HRTIMER_TEST_THREAD_NR; thread_id++)
    {
      pthread_join(pthreads[thread_id], NULL);
    }

  ASSERT(pthread_attr_destroy(&attr) == 0);

  printf("hrtimer_test end...\n");
  return 0;
}

test passed log on rv-virt:smp64

NuttShell (NSH)
nsh> 
nsh> 
nsh> uname -a
NuttX 0.0.0 6847a0cc95-dirty Dec 20 2025 12:33:59 risc-v rv-virt
nsh> hello
test callback ...
test callback ...
test callback ...
test callback ...
test callback ...
test callback ...
test callback ...
test callback ...
test callback ...
test callback ...
test callback ...

(....)

@github-actions github-actions bot added Area: Documentation Improvements or additions to documentation Area: Drivers Drivers issues Area: OS Components OS Components issues Size: M The size of the change in this PR is medium labels Dec 20, 2025
@wangchdo wangchdo force-pushed the add_hrtimer_sched_support branch from 6847a0c to c073a95 Compare December 20, 2025 04:54
@wangchdo wangchdo changed the title sched: add hrtimer support to os scheduler sched/hrtimer: Part2: add hrtimer support to os scheduler Dec 20, 2025
@wangchdo wangchdo mentioned this pull request Dec 20, 2025
Closed
@wangchdo wangchdo changed the title sched/hrtimer: Part2: add hrtimer support to os scheduler sched/hrtimer: Part2: introduce hrtimer support to os scheduler Dec 20, 2025
@wangchdo wangchdo force-pushed the add_hrtimer_sched_support branch from c073a95 to f1e9f9a Compare December 20, 2025 05:52
@wangchdo wangchdo force-pushed the add_hrtimer_sched_support branch from f1e9f9a to e0f1573 Compare December 20, 2025 05:55
@wangchdo wangchdo force-pushed the add_hrtimer_sched_support branch from e0f1573 to 424634c Compare December 20, 2025 06:04
@wangchdo wangchdo force-pushed the add_hrtimer_sched_support branch from 424634c to ba4a61f Compare December 20, 2025 06:11
@wangchdo wangchdo force-pushed the add_hrtimer_sched_support branch from ba4a61f to 9bcc6ae Compare December 20, 2025 06:53
@wangchdo wangchdo changed the title sched/hrtimer: Part2: introduce hrtimer support to os scheduler sched/hrtimer: Part2: introduce hrtimer support for os scheduler Dec 20, 2025
@wangchdo wangchdo changed the title sched/hrtimer: Part2: introduce hrtimer support for os scheduler sched/hrtimer: Part2: introduce hrtimer support for scheduler Dec 20, 2025
@wangchdo wangchdo force-pushed the add_hrtimer_sched_support branch from 9bcc6ae to 2c0c6b0 Compare December 20, 2025 11:21
@wangchdo wangchdo force-pushed the add_hrtimer_sched_support branch from 04f255c to 50ad211 Compare December 31, 2025 09:12
@acassis
Copy link
Contributor

acassis commented Dec 31, 2025

@wangchdo please rebase with current mainline to fix the CI error

@cederom
Copy link
Contributor

cederom commented Dec 31, 2025

We may want to mark this feature with [EXPERIMENTAL] tag in PR and git commit topic as there are some modifications and new features that may need some special attention / testing when already merged? When someone discovers a problem in future they would have a quick pointer on where to look? :-)

@wangchdo wangchdo force-pushed the add_hrtimer_sched_support branch 4 times, most recently from 90a24af to be3ae0e Compare January 1, 2026 23:31
@wangchdo
Copy link
Contributor Author

wangchdo commented Jan 1, 2026

We may want to mark this feature with [EXPERIMENTAL] tag in PR and git commit topic as there are some modifications and new features that may need some special attention / testing when already merged? When someone discovers a problem in future they would have a quick pointer on where to look? :-)

Hi @cederom

[EXPERIMENTAL] tag added, please double check

@wangchdo wangchdo changed the title sched/hrtimer: Part 2: refine hrtimer state machine and introduce scheduler support with hrtimer [EXPERIMENTAL]sched/hrtimer: Part 2: refine hrtimer state machine and introduce scheduler support with hrtimer Jan 1, 2026
@wangchdo
Copy link
Contributor Author

wangchdo commented Jan 1, 2026

@wangchdo please rebase with current mainline to fix the CI error

@acassis
Rebased, please double check

@cederom
Copy link
Contributor

cederom commented Jan 1, 2026

Big thank you @wangchdo !! :-)

@wangchdo wangchdo force-pushed the add_hrtimer_sched_support branch from be3ae0e to b5856ad Compare January 1, 2026 23:39
@wangchdo
[EXPERIMENTAL]sched/hrtimr: Allow running/armed hrtimer to be restarted
a31ee96 
  Allow running/armed hrtimer to be restarted to
  fix hrtimer bug: apache#17567

Signed-off-by: Chengdong Wang <wangchengdong@lixiang.com>
@wangchdo
[EXPERIMENTAL]sched/hrtimr: Add hrtimer_set()
c37bb43 
  Add hrtimer_set() to allow users to change hrtimer callback
  after hrtimer is started or cancelled

Signed-off-by: Chengdong Wang <wangchengdong@lixiang.com>
@wangchdo
[EXPERIMENTAL]sched/hrtimer: update hrtimer document
910651a 
    Update the hrtimer documentation to describe the hrtimer state machine,
    which is introduced to handle safe cancellation and execution in SMP
    environments.

Signed-off-by: Chengdong Wang <wangchengdong@lixiang.com>
@wangchdo
[EXPERIMENTAL]nuttx/drivers: enable timer start function for hrtimer
5df81dd 
Enable the timer start functions when hrtimer is enabled. This allows
hrtimer to set timer expirations with nanosecond resolution.

Signed-off-by: Chengdong Wang <wangchengdong@lixiang.com>
@wangchdo
[EXPERIMENTAL]sched/sched: Add hrtimer support to scheduler
6cc733f 
    This commit add hrtimer support to scheduler
    tick without altering the existing scheduler behavior.

Signed-off-by: Chengdong Wang <wangchengdong@lixiang.com>
@wangchdo
[EXPERIMENTAL]sched/sched: Add hrtimer tickless support
4c34382 
    When hrtimer is enabled, the tickless scheduler should call
    nxsched_hrtimer_start to start the timer, this is because
    the tick system is support by hrtimer

Signed-off-by: Chengdong Wang <wangchengdong@lixiang.com>
@wangchdo wangchdo force-pushed the add_hrtimer_sched_support branch from b5856ad to 4c34382 Compare January 1, 2026 23:53
@wangchdo wangchdo requested a review from Fix-Point January 1, 2026 23:56
@wangchdo
Copy link
Contributor Author

wangchdo commented Jan 2, 2026
edited
Loading

@cederom CI passed, could you please double check?

@xiaoxiang781216 @Fix-Point
I’ve addressed your comments—could you please take another look?

I understand that your main concern with my previous implementation was about potential concurrency issues, or a possible violation of ownership invariants under SMP. This PR resolves those concerns using an approach that I believe is reliable, simple, and efficient. Below, I’ll explain the fix from a code-level perspective:

  1. In hrtimer_process(), I now copy the hrtimer callback, expiration time, and argument into local variables while holding the spinlock:

img_v3_02ti_fc18d9f4-f5dd-4992-bd20-782b39ea245g

  1. Still in hrtimer_process(), the callback is invoked after the spinlock is released, using those local variables. This makes it safe for other cores to update the same hrtimer’s callback or expiration concurrently via hrtimer_set(), hrtimer_cancel(), or hrtimer_start():

img_v3_02ti_b4096580-0945-44f3-959c-6e254a350d6g

  1. In hrtimer_cancel(), hrtimer->expired is set to UINT64_MAX to explicitly mark the hrtimer as cancelled:

img_v3_02ti_aa7370d2-2eb5-4cd4-8821-6b75795abbag

4 In hrtimer_start(), hrtimer->expired is updated directly with the new expiration value:

img_v3_02ti_b6193a60-23f6-4e4b-a318-e067be9a99eg

  1. Also in hrtimer_process(), if period > 0, the hrtimer is only allowed to restart when hrtimer->expired has not been modified concurrently by other cores. Both hrtimer_cancel() (which sets expired to UINT64_MAX) and hrtimer_start() (which sets it to a new value) will cause this check to fail. This guarantees that the hrtimer will not be restarted unexpectedly:

img_v3_02ti_b98e97a2-d688-4b1d-a072-86a4719be23g

  1. Finally, in hrtimer_process(), hrtimer->cpus acts as a reference counter and is automatically incremented and decremented. This allows it to be safely used by hrtimer_cancel_sync() to ensure the hrtimer is fully quiesced before returning:

img_v3_02ti_a2050e68-d10c-4298-868b-7977937ef5dg
img_v3_02ti_8f12799e-ce5e-432f-8dec-1c50d96eeceg

Overall, this design ensures correct behavior under SMP while keeping the logic straightforward and efficient, and it integrates cleanly with the existing hrtimer model in NuttX.

@wangchdo
Copy link
Contributor Author

wangchdo commented Jan 2, 2026
edited
Loading

@Fix-Point @xiaoxiang781216 @GUIDINGLI

As I pointed out in the comments on your PR (#17675), I don’t think the new hrtimer implementation is a better choice.

From my perspective, the way it addresses concurrency issues is not efficient, and it requires updating the entire hrtimer API surface, which I believe makes it less user-friendly compared to my approach.

My API design is as follows:

  1. hrtimer_init() — initializes the hrtimer object and assigns the callback and argument.
  2. hrtimer_start() — sets the expiration time for an hrtimer.
  3. hrtimer_set() — allows the user to update the callback and argument of an hrtimer.
  4. hrtimer_cancel() — cancels an hrtimer asynchronously.
  5. hrtimer_cancel_sync() — cancels an hrtimer synchronously.

My implementation focuses on resolving the concurrency concerns without forcing API-wide changes, keeping the usage model simple while still ensuring correctness under SMP.

Fix-Point
Fix-Point reviewed Jan 4, 2026
View reviewed changes
sched/hrtimer/hrtimer_process.c

/* Re-arm periodic timer if not canceled or re-armed concurrently */

if (period > 0 && hrtimer->expired == expired)
Copy link
Contributor

@Fix-Point Fix-Point Jan 4, 2026
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Your latest attempt is almost same the versioning idea I tried before. Sadly, I found it still violated the ownership invariant. In fact, the expired field can not be used as version, since the expired is not monotonic (the newer timer may has same or older expire than the older timer), which is a fundamental assumption regarding the correctness of epoch-based memory reclamation. I believe it is very easy for you to make a test case to trigger the ownership invariant violation.

In my early implmentation, I added another monotonic version field for the hrtimer to do correct versioning (or Epoch-based memory reclamation). However, it will increase the memory footprint of the hrtimer. That's why I eventually gave up on the idea.

Copy link
Contributor

@Fix-Point Fix-Point Jan 4, 2026
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I still insist what I stated before:

Designing correct concurrent algorithms requires systematic consideration. As I stated in #17570, after carefully reviewing your implementation, I could not really find a good solution that preserves version information without introducing significant performance or memory overhead.

Copy link
Contributor Author

@wangchdo wangchdo Jan 4, 2026
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Your latest attempt is almost same the versioning idea I tried before. Sadly, I found it still violated the ownership invariant. In fact, the expired field can not be used as version, since the expired is not monotonic (the newer timer may has same or older expire than the older timer), which is a fundamental assumption regarding the correctness of epoch-based memory reclamation. I believe it is very easy for you to make a test case to trigger the ownership invariant violation.

In my early implmentation, I added another monotonic version field for the hrtimer to do correct versioning (or Epoch-based memory reclamation). However, it will increase the memory footprint of the hrtimer. That's why I eventually gave up on the idea.

Can you tell the incorrect scenario using the APIs I provided? The new timer has the same expired value? I think the only case is that the user changes the callback concurrently using hrtimer_set, but keep the expired value the same without calling hrtimer_start.

I already thought about this, But I think this is a design choice:

  1. if you think this is a violation of ownership invariant, it can be easily fixed by adding a check whether the func is changed here.

  2. If you think it is not violation of ownership, since the new timer will eventually be executed and the period is updated, the check is not needed here as the current implementation. And if the user do not want this happen, he can call hrtimer_start to update the expired value immediately after calling hrtimer_set updating the callback

At last, If users don't change both the callback and the expired value, we should consider the timer not changed

Copy link
Contributor Author

@wangchdo wangchdo Jan 4, 2026
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I still insist what I stated before:

Designing correct concurrent algorithms requires systematic consideration. As I stated in #17570, after carefully reviewing your implementation, I could not really find a good solution that preserves version information without introducing significant performance or memory overhead.

In my opinion, I think your new implementation is not proper due to three reasons:

  1. Your way of protecting timer from concurrency update is not efficient

  2. You totally refactored the existing more user-friendly API design, this is not correct

  3. Your queue abstraction design should be based on the existing hrtimer design.in fact, if you do not provide your way of queue abstraction, i already planned to add mine.And, In my opinion, maybe I am wrong,Nuttx is a RTOS, not a OS as linux, but I found your queue abstraction has a Linux style.

At the last, i also want to make this concurrency systematic consideration illustrated in a more easy to understand way in my opinion:

If you want to fix concurrency issue, you only need to figure out all the data that may be wrongly used in concurrency case, and then find a way to protect them, this is what i think of as systematic thinking for concurrency issues

@cederom
Copy link
Contributor

cederom commented Jan 4, 2026

Thank you @wangchdo! This change builds fine now. @Fix-Point provides some important feedback as he seems to work on this already. I like approach of @wangchdo to keep things compatible and aligned with existing API. Maybe additional checks / protections may be implemented to avoid situations described by @Fix-Point? :-)

@Fix-Point can you please provide exact test scenario steps to verify problems you mentioned on @wangchdo solution? This should confirm if the implementation requires some additional protections? :-)

@xiaoxiang781216
Copy link
Contributor

xiaoxiang781216 commented Jan 4, 2026

@wangchdo let's focus #17642, the subset of this pr.

@wangchdo
Copy link
Contributor Author

wangchdo commented Jan 4, 2026

@wangchdo let's focus #17642, the subset of this pr.

OK

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@acassis acassis acassis approved these changes

@GUIDINGLI GUIDINGLI Awaiting requested review from GUIDINGLI GUIDINGLI is a code owner

@jerpelea jerpelea Awaiting requested review from jerpelea jerpelea is a code owner

@pussuw pussuw Awaiting requested review from pussuw pussuw is a code owner

@hartmannathan hartmannathan Awaiting requested review from hartmannathan hartmannathan is a code owner

@raiden00pl raiden00pl Awaiting requested review from raiden00pl raiden00pl is a code owner

@simbit18 simbit18 Awaiting requested review from simbit18 simbit18 is a code owner

@masayuki2009 masayuki2009 Awaiting requested review from masayuki2009

@cederom cederom Awaiting requested review from cederom

@xiaoxiang781216 xiaoxiang781216 Awaiting requested review from xiaoxiang781216 xiaoxiang781216 is a code owner

@anchao anchao Awaiting requested review from anchao

+1 more reviewer

@Fix-Point Fix-Point Fix-Point left review comments

Reviewers whose approvals may not affect merge requirements

Requested changes must be addressed to merge this pull request.

Assignees

No one assigned

Labels

Area: Documentation Improvements or additions to documentation Area: Drivers Drivers issues Area: OS Components OS Components issues Size: L The size of the change in this PR is large Size: M The size of the change in this PR is medium

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

6 participants

@wangchdo @cederom @acassis @Fix-Point @xiaoxiang781216 @anchao