xref: /titanic_50/usr/src/uts/common/os/clock.c (revision 0f2c99a46e005b1add7df43157ee8516e585157a)
1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License (the "License").
6  * You may not use this file except in compliance with the License.
7  *
8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9  * or http://www.opensolaris.org/os/licensing.
10  * See the License for the specific language governing permissions
11  * and limitations under the License.
12  *
13  * When distributing Covered Code, include this CDDL HEADER in each
14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15  * If applicable, add the following below this CDDL HEADER, with the
16  * fields enclosed by brackets "[]" replaced with your own identifying
17  * information: Portions Copyright [yyyy] [name of copyright owner]
18  *
19  * CDDL HEADER END
20  */
21 /*	Copyright (c) 1984, 1986, 1987, 1988, 1989 AT&T	*/
22 /*	  All Rights Reserved	*/
23 
24 
25 /*
26  * Copyright 2007 Sun Microsystems, Inc.  All rights reserved.
27  * Use is subject to license terms.
28  */
29 
30 #pragma ident	"%Z%%M%	%I%	%E% SMI"
31 
32 #include <sys/param.h>
33 #include <sys/t_lock.h>
34 #include <sys/types.h>
35 #include <sys/tuneable.h>
36 #include <sys/sysmacros.h>
37 #include <sys/systm.h>
38 #include <sys/cpuvar.h>
39 #include <sys/lgrp.h>
40 #include <sys/user.h>
41 #include <sys/proc.h>
42 #include <sys/callo.h>
43 #include <sys/kmem.h>
44 #include <sys/var.h>
45 #include <sys/cmn_err.h>
46 #include <sys/swap.h>
47 #include <sys/vmsystm.h>
48 #include <sys/class.h>
49 #include <sys/time.h>
50 #include <sys/debug.h>
51 #include <sys/vtrace.h>
52 #include <sys/spl.h>
53 #include <sys/atomic.h>
54 #include <sys/dumphdr.h>
55 #include <sys/archsystm.h>
56 #include <sys/fs/swapnode.h>
57 #include <sys/panic.h>
58 #include <sys/disp.h>
59 #include <sys/msacct.h>
60 #include <sys/mem_cage.h>
61 
62 #include <vm/page.h>
63 #include <vm/anon.h>
64 #include <vm/rm.h>
65 #include <sys/cyclic.h>
66 #include <sys/cpupart.h>
67 #include <sys/rctl.h>
68 #include <sys/task.h>
69 #include <sys/sdt.h>
70 
71 #ifdef __sparc
72 #include <sys/wdt.h>
73 #endif
74 
75 /*
76  * for NTP support
77  */
78 #include <sys/timex.h>
79 #include <sys/inttypes.h>
80 
81 /*
82  * clock is called straight from
83  * the real time clock interrupt.
84  *
85  * Functions:
86  *	reprime clock
87  *	schedule callouts
88  *	maintain date
89  *	jab the scheduler
90  */
91 
92 extern kcondvar_t	fsflush_cv;
93 extern sysinfo_t	sysinfo;
94 extern vminfo_t	vminfo;
95 extern int	idleswtch;	/* flag set while idle in pswtch() */
96 
97 /*
98  * high-precision avenrun values.  These are needed to make the
99  * regular avenrun values accurate.
100  */
101 static uint64_t hp_avenrun[3];
102 int	avenrun[3];		/* FSCALED average run queue lengths */
103 time_t	time;	/* time in seconds since 1970 - for compatibility only */
104 
105 static struct loadavg_s loadavg;
106 /*
107  * Phase/frequency-lock loop (PLL/FLL) definitions
108  *
109  * The following variables are read and set by the ntp_adjtime() system
110  * call.
111  *
112  * time_state shows the state of the system clock, with values defined
113  * in the timex.h header file.
114  *
115  * time_status shows the status of the system clock, with bits defined
116  * in the timex.h header file.
117  *
118  * time_offset is used by the PLL/FLL to adjust the system time in small
119  * increments.
120  *
121  * time_constant determines the bandwidth or "stiffness" of the PLL.
122  *
123  * time_tolerance determines maximum frequency error or tolerance of the
124  * CPU clock oscillator and is a property of the architecture; however,
125  * in principle it could change as result of the presence of external
126  * discipline signals, for instance.
127  *
128  * time_precision is usually equal to the kernel tick variable; however,
129  * in cases where a precision clock counter or external clock is
130  * available, the resolution can be much less than this and depend on
131  * whether the external clock is working or not.
132  *
133  * time_maxerror is initialized by a ntp_adjtime() call and increased by
134  * the kernel once each second to reflect the maximum error bound
135  * growth.
136  *
137  * time_esterror is set and read by the ntp_adjtime() call, but
138  * otherwise not used by the kernel.
139  */
140 int32_t time_state = TIME_OK;	/* clock state */
141 int32_t time_status = STA_UNSYNC;	/* clock status bits */
142 int32_t time_offset = 0;		/* time offset (us) */
143 int32_t time_constant = 0;		/* pll time constant */
144 int32_t time_tolerance = MAXFREQ;	/* frequency tolerance (scaled ppm) */
145 int32_t time_precision = 1;	/* clock precision (us) */
146 int32_t time_maxerror = MAXPHASE;	/* maximum error (us) */
147 int32_t time_esterror = MAXPHASE;	/* estimated error (us) */
148 
149 /*
150  * The following variables establish the state of the PLL/FLL and the
151  * residual time and frequency offset of the local clock. The scale
152  * factors are defined in the timex.h header file.
153  *
154  * time_phase and time_freq are the phase increment and the frequency
155  * increment, respectively, of the kernel time variable.
156  *
157  * time_freq is set via ntp_adjtime() from a value stored in a file when
158  * the synchronization daemon is first started. Its value is retrieved
159  * via ntp_adjtime() and written to the file about once per hour by the
160  * daemon.
161  *
162  * time_adj is the adjustment added to the value of tick at each timer
163  * interrupt and is recomputed from time_phase and time_freq at each
164  * seconds rollover.
165  *
166  * time_reftime is the second's portion of the system time at the last
167  * call to ntp_adjtime(). It is used to adjust the time_freq variable
168  * and to increase the time_maxerror as the time since last update
169  * increases.
170  */
171 int32_t time_phase = 0;		/* phase offset (scaled us) */
172 int32_t time_freq = 0;		/* frequency offset (scaled ppm) */
173 int32_t time_adj = 0;		/* tick adjust (scaled 1 / hz) */
174 int32_t time_reftime = 0;		/* time at last adjustment (s) */
175 
176 /*
177  * The scale factors of the following variables are defined in the
178  * timex.h header file.
179  *
180  * pps_time contains the time at each calibration interval, as read by
181  * microtime(). pps_count counts the seconds of the calibration
182  * interval, the duration of which is nominally pps_shift in powers of
183  * two.
184  *
185  * pps_offset is the time offset produced by the time median filter
186  * pps_tf[], while pps_jitter is the dispersion (jitter) measured by
187  * this filter.
188  *
189  * pps_freq is the frequency offset produced by the frequency median
190  * filter pps_ff[], while pps_stabil is the dispersion (wander) measured
191  * by this filter.
192  *
193  * pps_usec is latched from a high resolution counter or external clock
194  * at pps_time. Here we want the hardware counter contents only, not the
195  * contents plus the time_tv.usec as usual.
196  *
197  * pps_valid counts the number of seconds since the last PPS update. It
198  * is used as a watchdog timer to disable the PPS discipline should the
199  * PPS signal be lost.
200  *
201  * pps_glitch counts the number of seconds since the beginning of an
202  * offset burst more than tick/2 from current nominal offset. It is used
203  * mainly to suppress error bursts due to priority conflicts between the
204  * PPS interrupt and timer interrupt.
205  *
206  * pps_intcnt counts the calibration intervals for use in the interval-
207  * adaptation algorithm. It's just too complicated for words.
208  */
209 struct timeval pps_time;	/* kernel time at last interval */
210 int32_t pps_tf[] = {0, 0, 0};	/* pps time offset median filter (us) */
211 int32_t pps_offset = 0;		/* pps time offset (us) */
212 int32_t pps_jitter = MAXTIME;	/* time dispersion (jitter) (us) */
213 int32_t pps_ff[] = {0, 0, 0};	/* pps frequency offset median filter */
214 int32_t pps_freq = 0;		/* frequency offset (scaled ppm) */
215 int32_t pps_stabil = MAXFREQ;	/* frequency dispersion (scaled ppm) */
216 int32_t pps_usec = 0;		/* microsec counter at last interval */
217 int32_t pps_valid = PPS_VALID;	/* pps signal watchdog counter */
218 int32_t pps_glitch = 0;		/* pps signal glitch counter */
219 int32_t pps_count = 0;		/* calibration interval counter (s) */
220 int32_t pps_shift = PPS_SHIFT;	/* interval duration (s) (shift) */
221 int32_t pps_intcnt = 0;		/* intervals at current duration */
222 
223 /*
224  * PPS signal quality monitors
225  *
226  * pps_jitcnt counts the seconds that have been discarded because the
227  * jitter measured by the time median filter exceeds the limit MAXTIME
228  * (100 us).
229  *
230  * pps_calcnt counts the frequency calibration intervals, which are
231  * variable from 4 s to 256 s.
232  *
233  * pps_errcnt counts the calibration intervals which have been discarded
234  * because the wander exceeds the limit MAXFREQ (100 ppm) or where the
235  * calibration interval jitter exceeds two ticks.
236  *
237  * pps_stbcnt counts the calibration intervals that have been discarded
238  * because the frequency wander exceeds the limit MAXFREQ / 4 (25 us).
239  */
240 int32_t pps_jitcnt = 0;		/* jitter limit exceeded */
241 int32_t pps_calcnt = 0;		/* calibration intervals */
242 int32_t pps_errcnt = 0;		/* calibration errors */
243 int32_t pps_stbcnt = 0;		/* stability limit exceeded */
244 
245 /* The following variables require no explicit locking */
246 volatile clock_t lbolt;		/* time in Hz since last boot */
247 volatile int64_t lbolt64;	/* lbolt64 won't wrap for 2.9 billion yrs */
248 
249 kcondvar_t lbolt_cv;
250 int one_sec = 1; /* turned on once every second */
251 static int fsflushcnt;	/* counter for t_fsflushr */
252 int	dosynctodr = 1;	/* patchable; enable/disable sync to TOD chip */
253 int	tod_needsync = 0;	/* need to sync tod chip with software time */
254 static int tod_broken = 0;	/* clock chip doesn't work */
255 time_t	boot_time = 0;		/* Boot time in seconds since 1970 */
256 cyclic_id_t clock_cyclic;	/* clock()'s cyclic_id */
257 cyclic_id_t deadman_cyclic;	/* deadman()'s cyclic_id */
258 
259 static int lgrp_ticks;		/* counter to schedule lgrp load calcs */
260 
261 /*
262  * for tod fault detection
263  */
264 #define	TOD_REF_FREQ		((longlong_t)(NANOSEC))
265 #define	TOD_STALL_THRESHOLD	(TOD_REF_FREQ * 3 / 2)
266 #define	TOD_JUMP_THRESHOLD	(TOD_REF_FREQ / 2)
267 #define	TOD_FILTER_N		4
268 #define	TOD_FILTER_SETTLE	(4 * TOD_FILTER_N)
269 static int tod_faulted = TOD_NOFAULT;
270 static int tod_fault_reset_flag = 0;
271 
272 /* patchable via /etc/system */
273 int tod_validate_enable = 1;
274 
275 /*
276  * On non-SPARC systems, TOD validation must be deferred until gethrtime
277  * returns non-zero values (after mach_clkinit's execution).
278  * On SPARC systems, it must be deferred until after hrtime_base
279  * and hres_last_tick are set (in the first invocation of hres_tick).
280  * Since in both cases the prerequisites occur before the invocation of
281  * tod_get() in clock(), the deferment is lifted there.
282  */
283 static boolean_t tod_validate_deferred = B_TRUE;
284 
285 /*
286  * tod_fault_table[] must be aligned with
287  * enum tod_fault_type in systm.h
288  */
289 static char *tod_fault_table[] = {
290 	"Reversed",			/* TOD_REVERSED */
291 	"Stalled",			/* TOD_STALLED */
292 	"Jumped",			/* TOD_JUMPED */
293 	"Changed in Clock Rate"		/* TOD_RATECHANGED */
294 	/*
295 	 * no strings needed for TOD_NOFAULT
296 	 */
297 };
298 
299 /*
300  * test hook for tod broken detection in tod_validate
301  */
302 int tod_unit_test = 0;
303 time_t tod_test_injector;
304 
305 #define	CLOCK_ADJ_HIST_SIZE	4
306 
307 static int	adj_hist_entry;
308 
309 int64_t clock_adj_hist[CLOCK_ADJ_HIST_SIZE];
310 
311 static void clock_tick(kthread_t *);
312 static void calcloadavg(int, uint64_t *);
313 static int genloadavg(struct loadavg_s *);
314 static void loadavg_update();
315 
316 void (*cmm_clock_callout)() = NULL;
317 
318 #ifdef	KSLICE
319 int kslice = KSLICE;
320 #endif
321 
322 static void
323 clock(void)
324 {
325 	kthread_t	*t;
326 	kmutex_t	*plockp;	/* pointer to thread's process lock */
327 	int	pinned_intr = 0;
328 	uint_t	nrunnable, nrunning;
329 	uint_t	w_io;
330 	cpu_t	*cp;
331 	cpupart_t *cpupart;
332 	int	exiting;
333 	extern void set_anoninfo();
334 	extern	void	set_freemem();
335 	void	(*funcp)();
336 	int32_t ltemp;
337 	int64_t lltemp;
338 	int s;
339 	int do_lgrp_load;
340 	int i;
341 
342 	if (panicstr)
343 		return;
344 
345 	set_anoninfo();
346 	/*
347 	 * Make sure that 'freemem' do not drift too far from the truth
348 	 */
349 	set_freemem();
350 
351 
352 	/*
353 	 * Before the section which is repeated is executed, we do
354 	 * the time delta processing which occurs every clock tick
355 	 *
356 	 * There is additional processing which happens every time
357 	 * the nanosecond counter rolls over which is described
358 	 * below - see the section which begins with : if (one_sec)
359 	 *
360 	 * This section marks the beginning of the precision-kernel
361 	 * code fragment.
362 	 *
363 	 * First, compute the phase adjustment. If the low-order bits
364 	 * (time_phase) of the update overflow, bump the higher order
365 	 * bits (time_update).
366 	 */
367 	time_phase += time_adj;
368 	if (time_phase <= -FINEUSEC) {
369 		ltemp = -time_phase / SCALE_PHASE;
370 		time_phase += ltemp * SCALE_PHASE;
371 		s = hr_clock_lock();
372 		timedelta -= ltemp * (NANOSEC/MICROSEC);
373 		hr_clock_unlock(s);
374 	} else if (time_phase >= FINEUSEC) {
375 		ltemp = time_phase / SCALE_PHASE;
376 		time_phase -= ltemp * SCALE_PHASE;
377 		s = hr_clock_lock();
378 		timedelta += ltemp * (NANOSEC/MICROSEC);
379 		hr_clock_unlock(s);
380 	}
381 
382 	/*
383 	 * End of precision-kernel code fragment which is processed
384 	 * every timer interrupt.
385 	 *
386 	 * Continue with the interrupt processing as scheduled.
387 	 *
388 	 * Did we pin another interrupt thread?  Need to check this before
389 	 * grabbing any adaptive locks, since if we block on a lock the
390 	 * pinned thread could escape.  Note that this is just a heuristic;
391 	 * if we take multiple laps though clock() without returning from
392 	 * the interrupt because we have another clock tick pending, then
393 	 * the pinned interrupt could be released by one of the previous
394 	 * laps.  The only consequence is that the CPU will be counted as
395 	 * in idle (or wait) state once the pinned interrupt is released.
396 	 * Since this accounting is inaccurate by nature, this isn't a big
397 	 * deal --- but we should try to get it right in the common case
398 	 * where we only call clock() once per interrupt.
399 	 */
400 	if (curthread->t_intr != NULL)
401 		pinned_intr = (curthread->t_intr->t_flag & T_INTR_THREAD);
402 
403 	/*
404 	 * Count the number of runnable threads and the number waiting
405 	 * for some form of I/O to complete -- gets added to
406 	 * sysinfo.waiting.  To know the state of the system, must add
407 	 * wait counts from all CPUs.  Also add up the per-partition
408 	 * statistics.
409 	 */
410 	w_io = 0;
411 	nrunnable = 0;
412 
413 	/*
414 	 * keep track of when to update lgrp/part loads
415 	 */
416 
417 	do_lgrp_load = 0;
418 	if (lgrp_ticks++ >= hz / 10) {
419 		lgrp_ticks = 0;
420 		do_lgrp_load = 1;
421 	}
422 
423 	if (one_sec)
424 		loadavg_update();
425 
426 	/*
427 	 * First count the threads waiting on kpreempt queues in each
428 	 * CPU partition.
429 	 */
430 
431 	cpupart = cp_list_head;
432 	do {
433 		uint_t cpupart_nrunnable = cpupart->cp_kp_queue.disp_nrunnable;
434 
435 		cpupart->cp_updates++;
436 		nrunnable += cpupart_nrunnable;
437 		cpupart->cp_nrunnable_cum += cpupart_nrunnable;
438 		if (one_sec) {
439 			cpupart->cp_nrunning = 0;
440 			cpupart->cp_nrunnable = cpupart_nrunnable;
441 		}
442 	} while ((cpupart = cpupart->cp_next) != cp_list_head);
443 
444 
445 	/* Now count the per-CPU statistics. */
446 	cp = cpu_list;
447 	do {
448 		uint_t cpu_nrunnable = cp->cpu_disp->disp_nrunnable;
449 
450 		nrunnable += cpu_nrunnable;
451 		cpupart = cp->cpu_part;
452 		cpupart->cp_nrunnable_cum += cpu_nrunnable;
453 		if (one_sec) {
454 			cpupart->cp_nrunnable += cpu_nrunnable;
455 			/*
456 			 * w_io is used to update sysinfo.waiting during
457 			 * one_second processing below.  Only gather w_io
458 			 * information when we walk the list of cpus if we're
459 			 * going to perform one_second processing.
460 			 */
461 			w_io += CPU_STATS(cp, sys.iowait);
462 
463 		}
464 		if (do_lgrp_load &&
465 		    (cp->cpu_flags & CPU_EXISTS)) {
466 			/*
467 			 * When updating the lgroup's load average,
468 			 * account for the thread running on the CPU.
469 			 * If the CPU is the current one, then we need
470 			 * to account for the underlying thread which
471 			 * got the clock interrupt not the thread that is
472 			 * handling the interrupt and caculating the load
473 			 * average
474 			 */
475 			t = cp->cpu_thread;
476 			if (CPU == cp)
477 				t = t->t_intr;
478 
479 			/*
480 			 * Account for the load average for this thread if
481 			 * it isn't the idle thread or it is on the interrupt
482 			 * stack and not the current CPU handling the clock
483 			 * interrupt
484 			 */
485 			if ((t && t != cp->cpu_idle_thread) || (CPU != cp &&
486 			    CPU_ON_INTR(cp))) {
487 				if (t->t_lpl == cp->cpu_lpl) {
488 					/* local thread */
489 					cpu_nrunnable++;
490 				} else {
491 					/*
492 					 * This is a remote thread, charge it
493 					 * against its home lgroup.  Note that
494 					 * we notice that a thread is remote
495 					 * only if it's currently executing.
496 					 * This is a reasonable approximation,
497 					 * since queued remote threads are rare.
498 					 * Note also that if we didn't charge
499 					 * it to its home lgroup, remote
500 					 * execution would often make a system
501 					 * appear balanced even though it was
502 					 * not, and thread placement/migration
503 					 * would often not be done correctly.
504 					 */
505 					lgrp_loadavg(t->t_lpl,
506 					    LGRP_LOADAVG_IN_THREAD_MAX, 0);
507 				}
508 			}
509 			lgrp_loadavg(cp->cpu_lpl,
510 			    cpu_nrunnable * LGRP_LOADAVG_IN_THREAD_MAX, 1);
511 		}
512 	} while ((cp = cp->cpu_next) != cpu_list);
513 
514 	/*
515 	 * Do tick processing for all the active threads running in
516 	 * the system.
517 	 */
518 	cp = cpu_list;
519 	nrunning = 0;
520 	do {
521 		klwp_id_t lwp;
522 		int intr;
523 		int thread_away;
524 
525 		/*
526 		 * Don't do any tick processing on CPUs that
527 		 * aren't even in the system or aren't up yet.
528 		 */
529 		if ((cp->cpu_flags & CPU_EXISTS) == 0) {
530 			continue;
531 		}
532 
533 		/*
534 		 * The locking here is rather tricky.  We use
535 		 * thread_free_lock to keep the currently running
536 		 * thread from being freed or recycled while we're
537 		 * looking at it.  We can then check if the thread
538 		 * is exiting and get the appropriate p_lock if it
539 		 * is not.  We have to be careful, though, because
540 		 * the _process_ can still be freed while we're
541 		 * holding thread_free_lock.  To avoid touching the
542 		 * proc structure we put a pointer to the p_lock in the
543 		 * thread structure.  The p_lock is persistent so we
544 		 * can acquire it even if the process is gone.  At that
545 		 * point we can check (again) if the thread is exiting
546 		 * and either drop the lock or do the tick processing.
547 		 */
548 		mutex_enter(&thread_free_lock);
549 		/*
550 		 * We cannot hold the cpu_lock to prevent the
551 		 * cpu_list from changing in the clock interrupt.
552 		 * As long as we don't block (or don't get pre-empted)
553 		 * the cpu_list will not change (all threads are paused
554 		 * before list modification). If the list does change
555 		 * any deleted cpu structures will remain with cpu_next
556 		 * set to NULL, hence the following test.
557 		 */
558 		if (cp->cpu_next == NULL) {
559 			mutex_exit(&thread_free_lock);
560 			break;
561 		}
562 		t = cp->cpu_thread;	/* Current running thread */
563 		if (CPU == cp) {
564 			/*
565 			 * 't' will be the clock interrupt thread on this
566 			 * CPU.  Use the pinned thread (if any) on this CPU
567 			 * as the target of the clock tick.  If we pinned
568 			 * an interrupt, though, just keep using the clock
569 			 * interrupt thread since the formerly pinned one
570 			 * may have gone away.  One interrupt thread is as
571 			 * good as another, and this means we don't have
572 			 * to continue to check pinned_intr in subsequent
573 			 * code.
574 			 */
575 			ASSERT(t == curthread);
576 			if (t->t_intr != NULL && !pinned_intr)
577 				t = t->t_intr;
578 		}
579 
580 		intr = t->t_flag & T_INTR_THREAD;
581 		lwp = ttolwp(t);
582 		if (lwp == NULL || (t->t_proc_flag & TP_LWPEXIT) || intr) {
583 			/*
584 			 * Thread is exiting (or uninteresting) so don't
585 			 * do tick processing or grab p_lock.  Once we
586 			 * drop thread_free_lock we can't look inside the
587 			 * thread or lwp structure, since the thread may
588 			 * have gone away.
589 			 */
590 			exiting = 1;
591 		} else {
592 			/*
593 			 * OK, try to grab the process lock.  See
594 			 * comments above for why we're not using
595 			 * ttoproc(t)->p_lockp here.
596 			 */
597 			plockp = t->t_plockp;
598 			mutex_enter(plockp);
599 			/* See above comment. */
600 			if (cp->cpu_next == NULL) {
601 				mutex_exit(plockp);
602 				mutex_exit(&thread_free_lock);
603 				break;
604 			}
605 			/*
606 			 * The thread may have exited between when we
607 			 * checked above, and when we got the p_lock.
608 			 */
609 			if (t->t_proc_flag & TP_LWPEXIT) {
610 				mutex_exit(plockp);
611 				exiting = 1;
612 			} else {
613 				exiting = 0;
614 			}
615 		}
616 		/*
617 		 * Either we have the p_lock for the thread's process,
618 		 * or we don't care about the thread structure any more.
619 		 * Either way we can drop thread_free_lock.
620 		 */
621 		mutex_exit(&thread_free_lock);
622 
623 		/*
624 		 * Update user, system, and idle cpu times.
625 		 */
626 		if (one_sec) {
627 			nrunning++;
628 			cp->cpu_part->cp_nrunning++;
629 		}
630 		/*
631 		 * If we haven't done tick processing for this
632 		 * lwp, then do it now. Since we don't hold the
633 		 * lwp down on a CPU it can migrate and show up
634 		 * more than once, hence the lbolt check.
635 		 *
636 		 * Also, make sure that it's okay to perform the
637 		 * tick processing before calling clock_tick.
638 		 * Setting thread_away to a TRUE value (ie. not 0)
639 		 * results in tick processing not being performed for
640 		 * that thread.  Or, in other words, keeps the thread
641 		 * away from clock_tick processing.
642 		 */
643 		thread_away = ((cp->cpu_flags & CPU_QUIESCED) ||
644 		    CPU_ON_INTR(cp) || intr ||
645 		    (cp->cpu_dispthread == cp->cpu_idle_thread) || exiting);
646 
647 		if ((!thread_away) && (lbolt - t->t_lbolt != 0)) {
648 			t->t_lbolt = lbolt;
649 			clock_tick(t);
650 		}
651 
652 #ifdef KSLICE
653 		/*
654 		 * Ah what the heck, give this kid a taste of the real
655 		 * world and yank the rug out from under it.
656 		 * But, only if we are running UniProcessor.
657 		 */
658 		if ((kslice) && (ncpus == 1)) {
659 			aston(t);
660 			cp->cpu_runrun = 1;
661 			cp->cpu_kprunrun = 1;
662 		}
663 #endif
664 		if (!exiting)
665 			mutex_exit(plockp);
666 	} while ((cp = cp->cpu_next) != cpu_list);
667 
668 	/*
669 	 * bump time in ticks
670 	 *
671 	 * We rely on there being only one clock thread and hence
672 	 * don't need a lock to protect lbolt.
673 	 */
674 	lbolt++;
675 	atomic_add_64((uint64_t *)&lbolt64, (int64_t)1);
676 
677 	/*
678 	 * Check for a callout that needs be called from the clock
679 	 * thread to support the membership protocol in a clustered
680 	 * system.  Copy the function pointer so that we can reset
681 	 * this to NULL if needed.
682 	 */
683 	if ((funcp = cmm_clock_callout) != NULL)
684 		(*funcp)();
685 
686 	/*
687 	 * Wakeup the cageout thread waiters once per second.
688 	 */
689 	if (one_sec)
690 		kcage_tick();
691 
692 	/*
693 	 * Schedule timeout() requests if any are due at this time.
694 	 */
695 	callout_schedule();
696 
697 	if (one_sec) {
698 
699 		int drift, absdrift;
700 		timestruc_t tod;
701 		int s;
702 
703 		/*
704 		 * Beginning of precision-kernel code fragment executed
705 		 * every second.
706 		 *
707 		 * On rollover of the second the phase adjustment to be
708 		 * used for the next second is calculated.  Also, the
709 		 * maximum error is increased by the tolerance.  If the
710 		 * PPS frequency discipline code is present, the phase is
711 		 * increased to compensate for the CPU clock oscillator
712 		 * frequency error.
713 		 *
714 		 * On a 32-bit machine and given parameters in the timex.h
715 		 * header file, the maximum phase adjustment is +-512 ms
716 		 * and maximum frequency offset is (a tad less than)
717 		 * +-512 ppm. On a 64-bit machine, you shouldn't need to ask.
718 		 */
719 		time_maxerror += time_tolerance / SCALE_USEC;
720 
721 		/*
722 		 * Leap second processing. If in leap-insert state at
723 		 * the end of the day, the system clock is set back one
724 		 * second; if in leap-delete state, the system clock is
725 		 * set ahead one second. The microtime() routine or
726 		 * external clock driver will insure that reported time
727 		 * is always monotonic. The ugly divides should be
728 		 * replaced.
729 		 */
730 		switch (time_state) {
731 
732 		case TIME_OK:
733 			if (time_status & STA_INS)
734 				time_state = TIME_INS;
735 			else if (time_status & STA_DEL)
736 				time_state = TIME_DEL;
737 			break;
738 
739 		case TIME_INS:
740 			if (hrestime.tv_sec % 86400 == 0) {
741 				s = hr_clock_lock();
742 				hrestime.tv_sec--;
743 				hr_clock_unlock(s);
744 				time_state = TIME_OOP;
745 			}
746 			break;
747 
748 		case TIME_DEL:
749 			if ((hrestime.tv_sec + 1) % 86400 == 0) {
750 				s = hr_clock_lock();
751 				hrestime.tv_sec++;
752 				hr_clock_unlock(s);
753 				time_state = TIME_WAIT;
754 			}
755 			break;
756 
757 		case TIME_OOP:
758 			time_state = TIME_WAIT;
759 			break;
760 
761 		case TIME_WAIT:
762 			if (!(time_status & (STA_INS | STA_DEL)))
763 				time_state = TIME_OK;
764 		default:
765 			break;
766 		}
767 
768 		/*
769 		 * Compute the phase adjustment for the next second. In
770 		 * PLL mode, the offset is reduced by a fixed factor
771 		 * times the time constant. In FLL mode the offset is
772 		 * used directly. In either mode, the maximum phase
773 		 * adjustment for each second is clamped so as to spread
774 		 * the adjustment over not more than the number of
775 		 * seconds between updates.
776 		 */
777 		if (time_offset == 0)
778 			time_adj = 0;
779 		else if (time_offset < 0) {
780 			lltemp = -time_offset;
781 			if (!(time_status & STA_FLL)) {
782 				if ((1 << time_constant) >= SCALE_KG)
783 					lltemp *= (1 << time_constant) /
784 					    SCALE_KG;
785 				else
786 					lltemp = (lltemp / SCALE_KG) >>
787 					    time_constant;
788 			}
789 			if (lltemp > (MAXPHASE / MINSEC) * SCALE_UPDATE)
790 				lltemp = (MAXPHASE / MINSEC) * SCALE_UPDATE;
791 			time_offset += lltemp;
792 			time_adj = -(lltemp * SCALE_PHASE) / hz / SCALE_UPDATE;
793 		} else {
794 			lltemp = time_offset;
795 			if (!(time_status & STA_FLL)) {
796 				if ((1 << time_constant) >= SCALE_KG)
797 					lltemp *= (1 << time_constant) /
798 					    SCALE_KG;
799 				else
800 					lltemp = (lltemp / SCALE_KG) >>
801 					    time_constant;
802 			}
803 			if (lltemp > (MAXPHASE / MINSEC) * SCALE_UPDATE)
804 				lltemp = (MAXPHASE / MINSEC) * SCALE_UPDATE;
805 			time_offset -= lltemp;
806 			time_adj = (lltemp * SCALE_PHASE) / hz / SCALE_UPDATE;
807 		}
808 
809 		/*
810 		 * Compute the frequency estimate and additional phase
811 		 * adjustment due to frequency error for the next
812 		 * second. When the PPS signal is engaged, gnaw on the
813 		 * watchdog counter and update the frequency computed by
814 		 * the pll and the PPS signal.
815 		 */
816 		pps_valid++;
817 		if (pps_valid == PPS_VALID) {
818 			pps_jitter = MAXTIME;
819 			pps_stabil = MAXFREQ;
820 			time_status &= ~(STA_PPSSIGNAL | STA_PPSJITTER |
821 			    STA_PPSWANDER | STA_PPSERROR);
822 		}
823 		lltemp = time_freq + pps_freq;
824 
825 		if (lltemp)
826 			time_adj += (lltemp * SCALE_PHASE) / (SCALE_USEC * hz);
827 
828 		/*
829 		 * End of precision kernel-code fragment
830 		 *
831 		 * The section below should be modified if we are planning
832 		 * to use NTP for synchronization.
833 		 *
834 		 * Note: the clock synchronization code now assumes
835 		 * the following:
836 		 *   - if dosynctodr is 1, then compute the drift between
837 		 *	the tod chip and software time and adjust one or
838 		 *	the other depending on the circumstances
839 		 *
840 		 *   - if dosynctodr is 0, then the tod chip is independent
841 		 *	of the software clock and should not be adjusted,
842 		 *	but allowed to free run.  this allows NTP to sync.
843 		 *	hrestime without any interference from the tod chip.
844 		 */
845 
846 		tod_validate_deferred = B_FALSE;
847 		mutex_enter(&tod_lock);
848 		tod = tod_get();
849 		drift = tod.tv_sec - hrestime.tv_sec;
850 		absdrift = (drift >= 0) ? drift : -drift;
851 		if (tod_needsync || absdrift > 1) {
852 			int s;
853 			if (absdrift > 2) {
854 				if (!tod_broken && tod_faulted == TOD_NOFAULT) {
855 					s = hr_clock_lock();
856 					hrestime = tod;
857 					membar_enter();	/* hrestime visible */
858 					timedelta = 0;
859 					hrestime_isvalid = 1;
860 					tod_needsync = 0;
861 					hr_clock_unlock(s);
862 				}
863 			} else {
864 				if (tod_needsync || !dosynctodr) {
865 					gethrestime(&tod);
866 					tod_set(tod);
867 					s = hr_clock_lock();
868 					if (timedelta == 0)
869 						tod_needsync = 0;
870 					hr_clock_unlock(s);
871 				} else {
872 					/*
873 					 * If the drift is 2 seconds on the
874 					 * money, then the TOD is adjusting
875 					 * the clock;  record that.
876 					 */
877 					clock_adj_hist[adj_hist_entry++ %
878 					    CLOCK_ADJ_HIST_SIZE] = lbolt64;
879 					s = hr_clock_lock();
880 					timedelta = (int64_t)drift*NANOSEC;
881 					hr_clock_unlock(s);
882 				}
883 			}
884 		}
885 		one_sec = 0;
886 		time = gethrestime_sec();  /* for crusty old kmem readers */
887 		mutex_exit(&tod_lock);
888 
889 		/*
890 		 * Some drivers still depend on this... XXX
891 		 */
892 		cv_broadcast(&lbolt_cv);
893 
894 		sysinfo.updates++;
895 		vminfo.freemem += freemem;
896 		{
897 			pgcnt_t maxswap, resv, free;
898 			pgcnt_t avail =
899 			    MAX((spgcnt_t)(availrmem - swapfs_minfree), 0);
900 
901 			maxswap = k_anoninfo.ani_mem_resv
902 					+ k_anoninfo.ani_max +avail;
903 			free = k_anoninfo.ani_free + avail;
904 			resv = k_anoninfo.ani_phys_resv +
905 			    k_anoninfo.ani_mem_resv;
906 
907 			vminfo.swap_resv += resv;
908 			/* number of reserved and allocated pages */
909 #ifdef	DEBUG
910 			if (maxswap < free)
911 				cmn_err(CE_WARN, "clock: maxswap < free");
912 			if (maxswap < resv)
913 				cmn_err(CE_WARN, "clock: maxswap < resv");
914 #endif
915 			vminfo.swap_alloc += maxswap - free;
916 			vminfo.swap_avail += maxswap - resv;
917 			vminfo.swap_free += free;
918 		}
919 		if (nrunnable) {
920 			sysinfo.runque += nrunnable;
921 			sysinfo.runocc++;
922 		}
923 		if (nswapped) {
924 			sysinfo.swpque += nswapped;
925 			sysinfo.swpocc++;
926 		}
927 		sysinfo.waiting += w_io;
928 
929 		/*
930 		 * Wake up fsflush to write out DELWRI
931 		 * buffers, dirty pages and other cached
932 		 * administrative data, e.g. inodes.
933 		 */
934 		if (--fsflushcnt <= 0) {
935 			fsflushcnt = tune.t_fsflushr;
936 			cv_signal(&fsflush_cv);
937 		}
938 
939 		vmmeter();
940 		calcloadavg(genloadavg(&loadavg), hp_avenrun);
941 		for (i = 0; i < 3; i++)
942 			/*
943 			 * At the moment avenrun[] can only hold 31
944 			 * bits of load average as it is a signed
945 			 * int in the API. We need to ensure that
946 			 * hp_avenrun[i] >> (16 - FSHIFT) will not be
947 			 * too large. If it is, we put the largest value
948 			 * that we can use into avenrun[i]. This is
949 			 * kludgey, but about all we can do until we
950 			 * avenrun[] is declared as an array of uint64[]
951 			 */
952 			if (hp_avenrun[i] < ((uint64_t)1<<(31+16-FSHIFT)))
953 				avenrun[i] = (int32_t)(hp_avenrun[i] >>
954 				    (16 - FSHIFT));
955 			else
956 				avenrun[i] = 0x7fffffff;
957 
958 		cpupart = cp_list_head;
959 		do {
960 			calcloadavg(genloadavg(&cpupart->cp_loadavg),
961 			    cpupart->cp_hp_avenrun);
962 		} while ((cpupart = cpupart->cp_next) != cp_list_head);
963 
964 		/*
965 		 * Wake up the swapper thread if necessary.
966 		 */
967 		if (runin ||
968 		    (runout && (avefree < desfree || wake_sched_sec))) {
969 			t = &t0;
970 			thread_lock(t);
971 			if (t->t_state == TS_STOPPED) {
972 				runin = runout = 0;
973 				wake_sched_sec = 0;
974 				t->t_whystop = 0;
975 				t->t_whatstop = 0;
976 				t->t_schedflag &= ~TS_ALLSTART;
977 				THREAD_TRANSITION(t);
978 				setfrontdq(t);
979 			}
980 			thread_unlock(t);
981 		}
982 	}
983 
984 	/*
985 	 * Wake up the swapper if any high priority swapped-out threads
986 	 * became runable during the last tick.
987 	 */
988 	if (wake_sched) {
989 		t = &t0;
990 		thread_lock(t);
991 		if (t->t_state == TS_STOPPED) {
992 			runin = runout = 0;
993 			wake_sched = 0;
994 			t->t_whystop = 0;
995 			t->t_whatstop = 0;
996 			t->t_schedflag &= ~TS_ALLSTART;
997 			THREAD_TRANSITION(t);
998 			setfrontdq(t);
999 		}
1000 		thread_unlock(t);
1001 	}
1002 }
1003 
1004 void
1005 clock_init(void)
1006 {
1007 	cyc_handler_t hdlr;
1008 	cyc_time_t when;
1009 
1010 	hdlr.cyh_func = (cyc_func_t)clock;
1011 	hdlr.cyh_level = CY_LOCK_LEVEL;
1012 	hdlr.cyh_arg = NULL;
1013 
1014 	when.cyt_when = 0;
1015 	when.cyt_interval = nsec_per_tick;
1016 
1017 	mutex_enter(&cpu_lock);
1018 	clock_cyclic = cyclic_add(&hdlr, &when);
1019 	mutex_exit(&cpu_lock);
1020 }
1021 
1022 /*
1023  * Called before calcloadavg to get 10-sec moving loadavg together
1024  */
1025 
1026 static int
1027 genloadavg(struct loadavg_s *avgs)
1028 {
1029 	int avg;
1030 	int spos; /* starting position */
1031 	int cpos; /* moving current position */
1032 	int i;
1033 	int slen;
1034 	hrtime_t hr_avg;
1035 
1036 	/* 10-second snapshot, calculate first positon */
1037 	if (avgs->lg_len == 0) {
1038 		return (0);
1039 	}
1040 	slen = avgs->lg_len < S_MOVAVG_SZ ? avgs->lg_len : S_MOVAVG_SZ;
1041 
1042 	spos = (avgs->lg_cur - 1) >= 0 ? avgs->lg_cur - 1 :
1043 	    S_LOADAVG_SZ + (avgs->lg_cur - 1);
1044 	for (i = hr_avg = 0; i < slen; i++) {
1045 		cpos = (spos - i) >= 0 ? spos - i : S_LOADAVG_SZ + (spos - i);
1046 		hr_avg += avgs->lg_loads[cpos];
1047 	}
1048 
1049 	hr_avg = hr_avg / slen;
1050 	avg = hr_avg / (NANOSEC / LGRP_LOADAVG_IN_THREAD_MAX);
1051 
1052 	return (avg);
1053 }
1054 
1055 /*
1056  * Run every second from clock () to update the loadavg count available to the
1057  * system and cpu-partitions.
1058  *
1059  * This works by sampling the previous usr, sys, wait time elapsed,
1060  * computing a delta, and adding that delta to the elapsed usr, sys,
1061  * wait increase.
1062  */
1063 
1064 static void
1065 loadavg_update()
1066 {
1067 	cpu_t *cp;
1068 	cpupart_t *cpupart;
1069 	hrtime_t cpu_total;
1070 	int prev;
1071 
1072 	cp = cpu_list;
1073 	loadavg.lg_total = 0;
1074 
1075 	/*
1076 	 * first pass totals up per-cpu statistics for system and cpu
1077 	 * partitions
1078 	 */
1079 
1080 	do {
1081 		struct loadavg_s *lavg;
1082 
1083 		lavg = &cp->cpu_loadavg;
1084 
1085 		cpu_total = cp->cpu_acct[CMS_USER] +
1086 		    cp->cpu_acct[CMS_SYSTEM] + cp->cpu_waitrq;
1087 		/* compute delta against last total */
1088 		scalehrtime(&cpu_total);
1089 		prev = (lavg->lg_cur - 1) >= 0 ? lavg->lg_cur - 1 :
1090 		    S_LOADAVG_SZ + (lavg->lg_cur - 1);
1091 		if (lavg->lg_loads[prev] <= 0) {
1092 			lavg->lg_loads[lavg->lg_cur] = cpu_total;
1093 			cpu_total = 0;
1094 		} else {
1095 			lavg->lg_loads[lavg->lg_cur] = cpu_total;
1096 			cpu_total = cpu_total - lavg->lg_loads[prev];
1097 			if (cpu_total < 0)
1098 				cpu_total = 0;
1099 		}
1100 
1101 		lavg->lg_cur = (lavg->lg_cur + 1) % S_LOADAVG_SZ;
1102 		lavg->lg_len = (lavg->lg_len + 1) < S_LOADAVG_SZ ?
1103 		    lavg->lg_len + 1 : S_LOADAVG_SZ;
1104 
1105 		loadavg.lg_total += cpu_total;
1106 		cp->cpu_part->cp_loadavg.lg_total += cpu_total;
1107 
1108 	} while ((cp = cp->cpu_next) != cpu_list);
1109 
1110 	loadavg.lg_loads[loadavg.lg_cur] = loadavg.lg_total;
1111 	loadavg.lg_cur = (loadavg.lg_cur + 1) % S_LOADAVG_SZ;
1112 	loadavg.lg_len = (loadavg.lg_len + 1) < S_LOADAVG_SZ ?
1113 	    loadavg.lg_len + 1 : S_LOADAVG_SZ;
1114 	/*
1115 	 * Second pass updates counts
1116 	 */
1117 	cpupart = cp_list_head;
1118 
1119 	do {
1120 		struct loadavg_s *lavg;
1121 
1122 		lavg = &cpupart->cp_loadavg;
1123 		lavg->lg_loads[lavg->lg_cur] = lavg->lg_total;
1124 		lavg->lg_total = 0;
1125 		lavg->lg_cur = (lavg->lg_cur + 1) % S_LOADAVG_SZ;
1126 		lavg->lg_len = (lavg->lg_len + 1) < S_LOADAVG_SZ ?
1127 		    lavg->lg_len + 1 : S_LOADAVG_SZ;
1128 
1129 	} while ((cpupart = cpupart->cp_next) != cp_list_head);
1130 
1131 }
1132 
1133 /*
1134  * clock_update() - local clock update
1135  *
1136  * This routine is called by ntp_adjtime() to update the local clock
1137  * phase and frequency. The implementation is of an
1138  * adaptive-parameter, hybrid phase/frequency-lock loop (PLL/FLL). The
1139  * routine computes new time and frequency offset estimates for each
1140  * call.  The PPS signal itself determines the new time offset,
1141  * instead of the calling argument.  Presumably, calls to
1142  * ntp_adjtime() occur only when the caller believes the local clock
1143  * is valid within some bound (+-128 ms with NTP). If the caller's
1144  * time is far different than the PPS time, an argument will ensue,
1145  * and it's not clear who will lose.
1146  *
1147  * For uncompensated quartz crystal oscillatores and nominal update
1148  * intervals less than 1024 s, operation should be in phase-lock mode
1149  * (STA_FLL = 0), where the loop is disciplined to phase. For update
1150  * intervals greater than this, operation should be in frequency-lock
1151  * mode (STA_FLL = 1), where the loop is disciplined to frequency.
1152  *
1153  * Note: mutex(&tod_lock) is in effect.
1154  */
1155 void
1156 clock_update(int offset)
1157 {
1158 	int ltemp, mtemp, s;
1159 
1160 	ASSERT(MUTEX_HELD(&tod_lock));
1161 
1162 	if (!(time_status & STA_PLL) && !(time_status & STA_PPSTIME))
1163 		return;
1164 	ltemp = offset;
1165 	if ((time_status & STA_PPSTIME) && (time_status & STA_PPSSIGNAL))
1166 		ltemp = pps_offset;
1167 
1168 	/*
1169 	 * Scale the phase adjustment and clamp to the operating range.
1170 	 */
1171 	if (ltemp > MAXPHASE)
1172 		time_offset = MAXPHASE * SCALE_UPDATE;
1173 	else if (ltemp < -MAXPHASE)
1174 		time_offset = -(MAXPHASE * SCALE_UPDATE);
1175 	else
1176 		time_offset = ltemp * SCALE_UPDATE;
1177 
1178 	/*
1179 	 * Select whether the frequency is to be controlled and in which
1180 	 * mode (PLL or FLL). Clamp to the operating range. Ugly
1181 	 * multiply/divide should be replaced someday.
1182 	 */
1183 	if (time_status & STA_FREQHOLD || time_reftime == 0)
1184 		time_reftime = hrestime.tv_sec;
1185 
1186 	mtemp = hrestime.tv_sec - time_reftime;
1187 	time_reftime = hrestime.tv_sec;
1188 
1189 	if (time_status & STA_FLL) {
1190 		if (mtemp >= MINSEC) {
1191 			ltemp = ((time_offset / mtemp) * (SCALE_USEC /
1192 			    SCALE_UPDATE));
1193 			if (ltemp)
1194 				time_freq += ltemp / SCALE_KH;
1195 		}
1196 	} else {
1197 		if (mtemp < MAXSEC) {
1198 			ltemp *= mtemp;
1199 			if (ltemp)
1200 				time_freq += (int)(((int64_t)ltemp *
1201 				    SCALE_USEC) / SCALE_KF)
1202 				    / (1 << (time_constant * 2));
1203 		}
1204 	}
1205 	if (time_freq > time_tolerance)
1206 		time_freq = time_tolerance;
1207 	else if (time_freq < -time_tolerance)
1208 		time_freq = -time_tolerance;
1209 
1210 	s = hr_clock_lock();
1211 	tod_needsync = 1;
1212 	hr_clock_unlock(s);
1213 }
1214 
1215 /*
1216  * ddi_hardpps() - discipline CPU clock oscillator to external PPS signal
1217  *
1218  * This routine is called at each PPS interrupt in order to discipline
1219  * the CPU clock oscillator to the PPS signal. It measures the PPS phase
1220  * and leaves it in a handy spot for the clock() routine. It
1221  * integrates successive PPS phase differences and calculates the
1222  * frequency offset. This is used in clock() to discipline the CPU
1223  * clock oscillator so that intrinsic frequency error is cancelled out.
1224  * The code requires the caller to capture the time and hardware counter
1225  * value at the on-time PPS signal transition.
1226  *
1227  * Note that, on some Unix systems, this routine runs at an interrupt
1228  * priority level higher than the timer interrupt routine clock().
1229  * Therefore, the variables used are distinct from the clock()
1230  * variables, except for certain exceptions: The PPS frequency pps_freq
1231  * and phase pps_offset variables are determined by this routine and
1232  * updated atomically. The time_tolerance variable can be considered a
1233  * constant, since it is infrequently changed, and then only when the
1234  * PPS signal is disabled. The watchdog counter pps_valid is updated
1235  * once per second by clock() and is atomically cleared in this
1236  * routine.
1237  *
1238  * tvp is the time of the last tick; usec is a microsecond count since the
1239  * last tick.
1240  *
1241  * Note: In Solaris systems, the tick value is actually given by
1242  *       usec_per_tick.  This is called from the serial driver cdintr(),
1243  *	 or equivalent, at a high PIL.  Because the kernel keeps a
1244  *	 highresolution time, the following code can accept either
1245  *	 the traditional argument pair, or the current highres timestamp
1246  *       in tvp and zero in usec.
1247  */
1248 void
1249 ddi_hardpps(struct timeval *tvp, int usec)
1250 {
1251 	int u_usec, v_usec, bigtick;
1252 	time_t cal_sec;
1253 	int cal_usec;
1254 
1255 	/*
1256 	 * An occasional glitch can be produced when the PPS interrupt
1257 	 * occurs in the clock() routine before the time variable is
1258 	 * updated. Here the offset is discarded when the difference
1259 	 * between it and the last one is greater than tick/2, but not
1260 	 * if the interval since the first discard exceeds 30 s.
1261 	 */
1262 	time_status |= STA_PPSSIGNAL;
1263 	time_status &= ~(STA_PPSJITTER | STA_PPSWANDER | STA_PPSERROR);
1264 	pps_valid = 0;
1265 	u_usec = -tvp->tv_usec;
1266 	if (u_usec < -(MICROSEC/2))
1267 		u_usec += MICROSEC;
1268 	v_usec = pps_offset - u_usec;
1269 	if (v_usec < 0)
1270 		v_usec = -v_usec;
1271 	if (v_usec > (usec_per_tick >> 1)) {
1272 		if (pps_glitch > MAXGLITCH) {
1273 			pps_glitch = 0;
1274 			pps_tf[2] = u_usec;
1275 			pps_tf[1] = u_usec;
1276 		} else {
1277 			pps_glitch++;
1278 			u_usec = pps_offset;
1279 		}
1280 	} else
1281 		pps_glitch = 0;
1282 
1283 	/*
1284 	 * A three-stage median filter is used to help deglitch the pps
1285 	 * time. The median sample becomes the time offset estimate; the
1286 	 * difference between the other two samples becomes the time
1287 	 * dispersion (jitter) estimate.
1288 	 */
1289 	pps_tf[2] = pps_tf[1];
1290 	pps_tf[1] = pps_tf[0];
1291 	pps_tf[0] = u_usec;
1292 	if (pps_tf[0] > pps_tf[1]) {
1293 		if (pps_tf[1] > pps_tf[2]) {
1294 			pps_offset = pps_tf[1];		/* 0 1 2 */
1295 			v_usec = pps_tf[0] - pps_tf[2];
1296 		} else if (pps_tf[2] > pps_tf[0]) {
1297 			pps_offset = pps_tf[0];		/* 2 0 1 */
1298 			v_usec = pps_tf[2] - pps_tf[1];
1299 		} else {
1300 			pps_offset = pps_tf[2];		/* 0 2 1 */
1301 			v_usec = pps_tf[0] - pps_tf[1];
1302 		}
1303 	} else {
1304 		if (pps_tf[1] < pps_tf[2]) {
1305 			pps_offset = pps_tf[1];		/* 2 1 0 */
1306 			v_usec = pps_tf[2] - pps_tf[0];
1307 		} else  if (pps_tf[2] < pps_tf[0]) {
1308 			pps_offset = pps_tf[0];		/* 1 0 2 */
1309 			v_usec = pps_tf[1] - pps_tf[2];
1310 		} else {
1311 			pps_offset = pps_tf[2];		/* 1 2 0 */
1312 			v_usec = pps_tf[1] - pps_tf[0];
1313 		}
1314 	}
1315 	if (v_usec > MAXTIME)
1316 		pps_jitcnt++;
1317 	v_usec = (v_usec << PPS_AVG) - pps_jitter;
1318 	pps_jitter += v_usec / (1 << PPS_AVG);
1319 	if (pps_jitter > (MAXTIME >> 1))
1320 		time_status |= STA_PPSJITTER;
1321 
1322 	/*
1323 	 * During the calibration interval adjust the starting time when
1324 	 * the tick overflows. At the end of the interval compute the
1325 	 * duration of the interval and the difference of the hardware
1326 	 * counters at the beginning and end of the interval. This code
1327 	 * is deliciously complicated by the fact valid differences may
1328 	 * exceed the value of tick when using long calibration
1329 	 * intervals and small ticks. Note that the counter can be
1330 	 * greater than tick if caught at just the wrong instant, but
1331 	 * the values returned and used here are correct.
1332 	 */
1333 	bigtick = (int)usec_per_tick * SCALE_USEC;
1334 	pps_usec -= pps_freq;
1335 	if (pps_usec >= bigtick)
1336 		pps_usec -= bigtick;
1337 	if (pps_usec < 0)
1338 		pps_usec += bigtick;
1339 	pps_time.tv_sec++;
1340 	pps_count++;
1341 	if (pps_count < (1 << pps_shift))
1342 		return;
1343 	pps_count = 0;
1344 	pps_calcnt++;
1345 	u_usec = usec * SCALE_USEC;
1346 	v_usec = pps_usec - u_usec;
1347 	if (v_usec >= bigtick >> 1)
1348 		v_usec -= bigtick;
1349 	if (v_usec < -(bigtick >> 1))
1350 		v_usec += bigtick;
1351 	if (v_usec < 0)
1352 		v_usec = -(-v_usec >> pps_shift);
1353 	else
1354 		v_usec = v_usec >> pps_shift;
1355 	pps_usec = u_usec;
1356 	cal_sec = tvp->tv_sec;
1357 	cal_usec = tvp->tv_usec;
1358 	cal_sec -= pps_time.tv_sec;
1359 	cal_usec -= pps_time.tv_usec;
1360 	if (cal_usec < 0) {
1361 		cal_usec += MICROSEC;
1362 		cal_sec--;
1363 	}
1364 	pps_time = *tvp;
1365 
1366 	/*
1367 	 * Check for lost interrupts, noise, excessive jitter and
1368 	 * excessive frequency error. The number of timer ticks during
1369 	 * the interval may vary +-1 tick. Add to this a margin of one
1370 	 * tick for the PPS signal jitter and maximum frequency
1371 	 * deviation. If the limits are exceeded, the calibration
1372 	 * interval is reset to the minimum and we start over.
1373 	 */
1374 	u_usec = (int)usec_per_tick << 1;
1375 	if (!((cal_sec == -1 && cal_usec > (MICROSEC - u_usec)) ||
1376 	    (cal_sec == 0 && cal_usec < u_usec)) ||
1377 	    v_usec > time_tolerance || v_usec < -time_tolerance) {
1378 		pps_errcnt++;
1379 		pps_shift = PPS_SHIFT;
1380 		pps_intcnt = 0;
1381 		time_status |= STA_PPSERROR;
1382 		return;
1383 	}
1384 
1385 	/*
1386 	 * A three-stage median filter is used to help deglitch the pps
1387 	 * frequency. The median sample becomes the frequency offset
1388 	 * estimate; the difference between the other two samples
1389 	 * becomes the frequency dispersion (stability) estimate.
1390 	 */
1391 	pps_ff[2] = pps_ff[1];
1392 	pps_ff[1] = pps_ff[0];
1393 	pps_ff[0] = v_usec;
1394 	if (pps_ff[0] > pps_ff[1]) {
1395 		if (pps_ff[1] > pps_ff[2]) {
1396 			u_usec = pps_ff[1];		/* 0 1 2 */
1397 			v_usec = pps_ff[0] - pps_ff[2];
1398 		} else if (pps_ff[2] > pps_ff[0]) {
1399 			u_usec = pps_ff[0];		/* 2 0 1 */
1400 			v_usec = pps_ff[2] - pps_ff[1];
1401 		} else {
1402 			u_usec = pps_ff[2];		/* 0 2 1 */
1403 			v_usec = pps_ff[0] - pps_ff[1];
1404 		}
1405 	} else {
1406 		if (pps_ff[1] < pps_ff[2]) {
1407 			u_usec = pps_ff[1];		/* 2 1 0 */
1408 			v_usec = pps_ff[2] - pps_ff[0];
1409 		} else  if (pps_ff[2] < pps_ff[0]) {
1410 			u_usec = pps_ff[0];		/* 1 0 2 */
1411 			v_usec = pps_ff[1] - pps_ff[2];
1412 		} else {
1413 			u_usec = pps_ff[2];		/* 1 2 0 */
1414 			v_usec = pps_ff[1] - pps_ff[0];
1415 		}
1416 	}
1417 
1418 	/*
1419 	 * Here the frequency dispersion (stability) is updated. If it
1420 	 * is less than one-fourth the maximum (MAXFREQ), the frequency
1421 	 * offset is updated as well, but clamped to the tolerance. It
1422 	 * will be processed later by the clock() routine.
1423 	 */
1424 	v_usec = (v_usec >> 1) - pps_stabil;
1425 	if (v_usec < 0)
1426 		pps_stabil -= -v_usec >> PPS_AVG;
1427 	else
1428 		pps_stabil += v_usec >> PPS_AVG;
1429 	if (pps_stabil > MAXFREQ >> 2) {
1430 		pps_stbcnt++;
1431 		time_status |= STA_PPSWANDER;
1432 		return;
1433 	}
1434 	if (time_status & STA_PPSFREQ) {
1435 		if (u_usec < 0) {
1436 			pps_freq -= -u_usec >> PPS_AVG;
1437 			if (pps_freq < -time_tolerance)
1438 				pps_freq = -time_tolerance;
1439 			u_usec = -u_usec;
1440 		} else {
1441 			pps_freq += u_usec >> PPS_AVG;
1442 			if (pps_freq > time_tolerance)
1443 				pps_freq = time_tolerance;
1444 		}
1445 	}
1446 
1447 	/*
1448 	 * Here the calibration interval is adjusted. If the maximum
1449 	 * time difference is greater than tick / 4, reduce the interval
1450 	 * by half. If this is not the case for four consecutive
1451 	 * intervals, double the interval.
1452 	 */
1453 	if (u_usec << pps_shift > bigtick >> 2) {
1454 		pps_intcnt = 0;
1455 		if (pps_shift > PPS_SHIFT)
1456 			pps_shift--;
1457 	} else if (pps_intcnt >= 4) {
1458 		pps_intcnt = 0;
1459 		if (pps_shift < PPS_SHIFTMAX)
1460 			pps_shift++;
1461 	} else
1462 		pps_intcnt++;
1463 
1464 	/*
1465 	 * If recovering from kmdb, then make sure the tod chip gets resynced.
1466 	 * If we took an early exit above, then we don't yet have a stable
1467 	 * calibration signal to lock onto, so don't mark the tod for sync
1468 	 * until we get all the way here.
1469 	 */
1470 	{
1471 		int s = hr_clock_lock();
1472 
1473 		tod_needsync = 1;
1474 		hr_clock_unlock(s);
1475 	}
1476 }
1477 
1478 /*
1479  * Handle clock tick processing for a thread.
1480  * Check for timer action, enforce CPU rlimit, do profiling etc.
1481  */
1482 void
1483 clock_tick(kthread_t *t)
1484 {
1485 	struct proc *pp;
1486 	klwp_id_t    lwp;
1487 	struct as *as;
1488 	clock_t	utime;
1489 	clock_t	stime;
1490 	int	poke = 0;		/* notify another CPU */
1491 	int	user_mode;
1492 	size_t	 rss;
1493 
1494 	/* Must be operating on a lwp/thread */
1495 	if ((lwp = ttolwp(t)) == NULL) {
1496 		panic("clock_tick: no lwp");
1497 		/*NOTREACHED*/
1498 	}
1499 
1500 	CL_TICK(t);	/* Class specific tick processing */
1501 	DTRACE_SCHED1(tick, kthread_t *, t);
1502 
1503 	pp = ttoproc(t);
1504 
1505 	/* pp->p_lock makes sure that the thread does not exit */
1506 	ASSERT(MUTEX_HELD(&pp->p_lock));
1507 
1508 	user_mode = (lwp->lwp_state == LWP_USER);
1509 
1510 	/*
1511 	 * Update process times. Should use high res clock and state
1512 	 * changes instead of statistical sampling method. XXX
1513 	 */
1514 	if (user_mode) {
1515 		pp->p_utime++;
1516 		pp->p_task->tk_cpu_time++;
1517 	} else {
1518 		pp->p_stime++;
1519 		pp->p_task->tk_cpu_time++;
1520 	}
1521 	as = pp->p_as;
1522 
1523 	/*
1524 	 * Update user profiling statistics. Get the pc from the
1525 	 * lwp when the AST happens.
1526 	 */
1527 	if (pp->p_prof.pr_scale) {
1528 		atomic_add_32(&lwp->lwp_oweupc, 1);
1529 		if (user_mode) {
1530 			poke = 1;
1531 			aston(t);
1532 		}
1533 	}
1534 
1535 	utime = pp->p_utime;
1536 	stime = pp->p_stime;
1537 
1538 	/*
1539 	 * If CPU was in user state, process lwp-virtual time
1540 	 * interval timer.
1541 	 */
1542 	if (user_mode &&
1543 	    timerisset(&lwp->lwp_timer[ITIMER_VIRTUAL].it_value) &&
1544 	    itimerdecr(&lwp->lwp_timer[ITIMER_VIRTUAL], usec_per_tick) == 0) {
1545 		poke = 1;
1546 		sigtoproc(pp, t, SIGVTALRM);
1547 	}
1548 
1549 	if (timerisset(&lwp->lwp_timer[ITIMER_PROF].it_value) &&
1550 	    itimerdecr(&lwp->lwp_timer[ITIMER_PROF], usec_per_tick) == 0) {
1551 		poke = 1;
1552 		sigtoproc(pp, t, SIGPROF);
1553 	}
1554 
1555 	/*
1556 	 * Enforce CPU resource controls:
1557 	 *   (a) process.max-cpu-time resource control
1558 	 */
1559 	(void) rctl_test(rctlproc_legacy[RLIMIT_CPU], pp->p_rctls, pp,
1560 	    (utime + stime)/hz, RCA_UNSAFE_SIGINFO);
1561 
1562 	/*
1563 	 *   (b) task.max-cpu-time resource control
1564 	 */
1565 	(void) rctl_test(rc_task_cpu_time, pp->p_task->tk_rctls, pp, 1,
1566 	    RCA_UNSAFE_SIGINFO);
1567 
1568 	/*
1569 	 * Update memory usage for the currently running process.
1570 	 */
1571 	rss = rm_asrss(as);
1572 	PTOU(pp)->u_mem += rss;
1573 	if (rss > PTOU(pp)->u_mem_max)
1574 		PTOU(pp)->u_mem_max = rss;
1575 
1576 	/*
1577 	 * Notify the CPU the thread is running on.
1578 	 */
1579 	if (poke && t->t_cpu != CPU)
1580 		poke_cpu(t->t_cpu->cpu_id);
1581 }
1582 
1583 void
1584 profil_tick(uintptr_t upc)
1585 {
1586 	int ticks;
1587 	proc_t *p = ttoproc(curthread);
1588 	klwp_t *lwp = ttolwp(curthread);
1589 	struct prof *pr = &p->p_prof;
1590 
1591 	do {
1592 		ticks = lwp->lwp_oweupc;
1593 	} while (cas32(&lwp->lwp_oweupc, ticks, 0) != ticks);
1594 
1595 	mutex_enter(&p->p_pflock);
1596 	if (pr->pr_scale >= 2 && upc >= pr->pr_off) {
1597 		/*
1598 		 * Old-style profiling
1599 		 */
1600 		uint16_t *slot = pr->pr_base;
1601 		uint16_t old, new;
1602 		if (pr->pr_scale != 2) {
1603 			uintptr_t delta = upc - pr->pr_off;
1604 			uintptr_t byteoff = ((delta >> 16) * pr->pr_scale) +
1605 			    (((delta & 0xffff) * pr->pr_scale) >> 16);
1606 			if (byteoff >= (uintptr_t)pr->pr_size) {
1607 				mutex_exit(&p->p_pflock);
1608 				return;
1609 			}
1610 			slot += byteoff / sizeof (uint16_t);
1611 		}
1612 		if (fuword16(slot, &old) < 0 ||
1613 		    (new = old + ticks) > SHRT_MAX ||
1614 		    suword16(slot, new) < 0) {
1615 			pr->pr_scale = 0;
1616 		}
1617 	} else if (pr->pr_scale == 1) {
1618 		/*
1619 		 * PC Sampling
1620 		 */
1621 		model_t model = lwp_getdatamodel(lwp);
1622 		int result;
1623 #ifdef __lint
1624 		model = model;
1625 #endif
1626 		while (ticks-- > 0) {
1627 			if (pr->pr_samples == pr->pr_size) {
1628 				/* buffer full, turn off sampling */
1629 				pr->pr_scale = 0;
1630 				break;
1631 			}
1632 			switch (SIZEOF_PTR(model)) {
1633 			case sizeof (uint32_t):
1634 				result = suword32(pr->pr_base, (uint32_t)upc);
1635 				break;
1636 #ifdef _LP64
1637 			case sizeof (uint64_t):
1638 				result = suword64(pr->pr_base, (uint64_t)upc);
1639 				break;
1640 #endif
1641 			default:
1642 				cmn_err(CE_WARN, "profil_tick: unexpected "
1643 				    "data model");
1644 				result = -1;
1645 				break;
1646 			}
1647 			if (result != 0) {
1648 				pr->pr_scale = 0;
1649 				break;
1650 			}
1651 			pr->pr_base = (caddr_t)pr->pr_base + SIZEOF_PTR(model);
1652 			pr->pr_samples++;
1653 		}
1654 	}
1655 	mutex_exit(&p->p_pflock);
1656 }
1657 
1658 static void
1659 delay_wakeup(void *arg)
1660 {
1661 	kthread_t *t = arg;
1662 
1663 	mutex_enter(&t->t_delay_lock);
1664 	cv_signal(&t->t_delay_cv);
1665 	mutex_exit(&t->t_delay_lock);
1666 }
1667 
1668 void
1669 delay(clock_t ticks)
1670 {
1671 	kthread_t *t = curthread;
1672 	clock_t deadline = lbolt + ticks;
1673 	clock_t timeleft;
1674 	timeout_id_t id;
1675 
1676 	if (panicstr && ticks > 0) {
1677 		/*
1678 		 * Timeouts aren't running, so all we can do is spin.
1679 		 */
1680 		drv_usecwait(TICK_TO_USEC(ticks));
1681 		return;
1682 	}
1683 
1684 	while ((timeleft = deadline - lbolt) > 0) {
1685 		mutex_enter(&t->t_delay_lock);
1686 		id = timeout(delay_wakeup, t, timeleft);
1687 		cv_wait(&t->t_delay_cv, &t->t_delay_lock);
1688 		mutex_exit(&t->t_delay_lock);
1689 		(void) untimeout(id);
1690 	}
1691 }
1692 
1693 /*
1694  * Like delay, but interruptible by a signal.
1695  */
1696 int
1697 delay_sig(clock_t ticks)
1698 {
1699 	clock_t deadline = lbolt + ticks;
1700 	clock_t rc;
1701 
1702 	mutex_enter(&curthread->t_delay_lock);
1703 	do {
1704 		rc = cv_timedwait_sig(&curthread->t_delay_cv,
1705 		    &curthread->t_delay_lock, deadline);
1706 	} while (rc > 0);
1707 	mutex_exit(&curthread->t_delay_lock);
1708 	if (rc == 0)
1709 		return (EINTR);
1710 	return (0);
1711 }
1712 
1713 #define	SECONDS_PER_DAY 86400
1714 
1715 /*
1716  * Initialize the system time based on the TOD chip.  approx is used as
1717  * an approximation of time (e.g. from the filesystem) in the event that
1718  * the TOD chip has been cleared or is unresponsive.  An approx of -1
1719  * means the filesystem doesn't keep time.
1720  */
1721 void
1722 clkset(time_t approx)
1723 {
1724 	timestruc_t ts;
1725 	int spl;
1726 	int set_clock = 0;
1727 
1728 	mutex_enter(&tod_lock);
1729 	ts = tod_get();
1730 
1731 	if (ts.tv_sec > 365 * SECONDS_PER_DAY) {
1732 		/*
1733 		 * If the TOD chip is reporting some time after 1971,
1734 		 * then it probably didn't lose power or become otherwise
1735 		 * cleared in the recent past;  check to assure that
1736 		 * the time coming from the filesystem isn't in the future
1737 		 * according to the TOD chip.
1738 		 */
1739 		if (approx != -1 && approx > ts.tv_sec) {
1740 			cmn_err(CE_WARN, "Last shutdown is later "
1741 			    "than time on time-of-day chip; check date.");
1742 		}
1743 	} else {
1744 		/*
1745 		 * If the TOD chip isn't giving correct time, then set it to
1746 		 * the time that was passed in as a rough estimate.  If we
1747 		 * don't have an estimate, then set the clock back to a time
1748 		 * when Oliver North, ALF and Dire Straits were all on the
1749 		 * collective brain:  1987.
1750 		 */
1751 		timestruc_t tmp;
1752 		if (approx == -1)
1753 			ts.tv_sec = (1987 - 1970) * 365 * SECONDS_PER_DAY;
1754 		else
1755 			ts.tv_sec = approx;
1756 		ts.tv_nsec = 0;
1757 
1758 		/*
1759 		 * Attempt to write the new time to the TOD chip.  Set spl high
1760 		 * to avoid getting preempted between the tod_set and tod_get.
1761 		 */
1762 		spl = splhi();
1763 		tod_set(ts);
1764 		tmp = tod_get();
1765 		splx(spl);
1766 
1767 		if (tmp.tv_sec != ts.tv_sec && tmp.tv_sec != ts.tv_sec + 1) {
1768 			tod_broken = 1;
1769 			dosynctodr = 0;
1770 			cmn_err(CE_WARN, "Time-of-day chip unresponsive;"
1771 			    " dead batteries?");
1772 		} else {
1773 			cmn_err(CE_WARN, "Time-of-day chip had "
1774 			    "incorrect date; check and reset.");
1775 		}
1776 		set_clock = 1;
1777 	}
1778 
1779 	if (!boot_time) {
1780 		boot_time = ts.tv_sec;
1781 		set_clock = 1;
1782 	}
1783 
1784 	if (set_clock)
1785 		set_hrestime(&ts);
1786 
1787 	mutex_exit(&tod_lock);
1788 }
1789 
1790 int	hrestime_isvalid = 0;
1791 
1792 void
1793 set_hrestime(timestruc_t *ts)
1794 {
1795 	int spl = hr_clock_lock();
1796 	hrestime = *ts;
1797 	/*
1798 	 * hrestime must be visible before hrestime_isvalid
1799 	 * is set to 1
1800 	 */
1801 	membar_enter();
1802 	timedelta = 0;
1803 	hrestime_isvalid = 1;
1804 	hr_clock_unlock(spl);
1805 }
1806 
1807 static uint_t deadman_seconds;
1808 static uint32_t deadman_panics;
1809 static int deadman_enabled = 0;
1810 static int deadman_panic_timers = 1;
1811 
1812 static void
1813 deadman(void)
1814 {
1815 	if (panicstr) {
1816 		/*
1817 		 * During panic, other CPUs besides the panic
1818 		 * master continue to handle cyclics and some other
1819 		 * interrupts.  The code below is intended to be
1820 		 * single threaded, so any CPU other than the master
1821 		 * must keep out.
1822 		 */
1823 		if (CPU->cpu_id != panic_cpu.cpu_id)
1824 			return;
1825 
1826 		/*
1827 		 * If we're panicking, the deadman cyclic continues to increase
1828 		 * lbolt in case the dump device driver relies on this for
1829 		 * timeouts.  Note that we rely on deadman() being invoked once
1830 		 * per second, and credit lbolt and lbolt64 with hz ticks each.
1831 		 */
1832 		lbolt += hz;
1833 		lbolt64 += hz;
1834 
1835 #ifdef __sparc
1836 		watchdog_pat();
1837 #endif
1838 
1839 		if (!deadman_panic_timers)
1840 			return; /* allow all timers to be manually disabled */
1841 
1842 		/*
1843 		 * If we are generating a crash dump or syncing filesystems and
1844 		 * the corresponding timer is set, decrement it and re-enter
1845 		 * the panic code to abort it and advance to the next state.
1846 		 * The panic states and triggers are explained in panic.c.
1847 		 */
1848 		if (panic_dump) {
1849 			if (dump_timeleft && (--dump_timeleft == 0)) {
1850 				panic("panic dump timeout");
1851 				/*NOTREACHED*/
1852 			}
1853 		} else if (panic_sync) {
1854 			if (sync_timeleft && (--sync_timeleft == 0)) {
1855 				panic("panic sync timeout");
1856 				/*NOTREACHED*/
1857 			}
1858 		}
1859 
1860 		return;
1861 	}
1862 
1863 	if (lbolt != CPU->cpu_deadman_lbolt) {
1864 		CPU->cpu_deadman_lbolt = lbolt;
1865 		CPU->cpu_deadman_countdown = deadman_seconds;
1866 		return;
1867 	}
1868 
1869 	if (CPU->cpu_deadman_countdown-- > 0)
1870 		return;
1871 
1872 	/*
1873 	 * Regardless of whether or not we actually bring the system down,
1874 	 * bump the deadman_panics variable.
1875 	 *
1876 	 * N.B. deadman_panics is incremented once for each CPU that
1877 	 * passes through here.  It's expected that all the CPUs will
1878 	 * detect this condition within one second of each other, so
1879 	 * when deadman_enabled is off, deadman_panics will
1880 	 * typically be a multiple of the total number of CPUs in
1881 	 * the system.
1882 	 */
1883 	atomic_add_32(&deadman_panics, 1);
1884 
1885 	if (!deadman_enabled) {
1886 		CPU->cpu_deadman_countdown = deadman_seconds;
1887 		return;
1888 	}
1889 
1890 	/*
1891 	 * If we're here, we want to bring the system down.
1892 	 */
1893 	panic("deadman: timed out after %d seconds of clock "
1894 	    "inactivity", deadman_seconds);
1895 	/*NOTREACHED*/
1896 }
1897 
1898 /*ARGSUSED*/
1899 static void
1900 deadman_online(void *arg, cpu_t *cpu, cyc_handler_t *hdlr, cyc_time_t *when)
1901 {
1902 	cpu->cpu_deadman_lbolt = 0;
1903 	cpu->cpu_deadman_countdown = deadman_seconds;
1904 
1905 	hdlr->cyh_func = (cyc_func_t)deadman;
1906 	hdlr->cyh_level = CY_HIGH_LEVEL;
1907 	hdlr->cyh_arg = NULL;
1908 
1909 	/*
1910 	 * Stagger the CPUs so that they don't all run deadman() at
1911 	 * the same time.  Simplest reason to do this is to make it
1912 	 * more likely that only one CPU will panic in case of a
1913 	 * timeout.  This is (strictly speaking) an aesthetic, not a
1914 	 * technical consideration.
1915 	 *
1916 	 * The interval must be one second in accordance with the
1917 	 * code in deadman() above to increase lbolt during panic.
1918 	 */
1919 	when->cyt_when = cpu->cpu_id * (NANOSEC / NCPU);
1920 	when->cyt_interval = NANOSEC;
1921 }
1922 
1923 
1924 void
1925 deadman_init(void)
1926 {
1927 	cyc_omni_handler_t hdlr;
1928 
1929 	if (deadman_seconds == 0)
1930 		deadman_seconds = snoop_interval / MICROSEC;
1931 
1932 	if (snooping)
1933 		deadman_enabled = 1;
1934 
1935 	hdlr.cyo_online = deadman_online;
1936 	hdlr.cyo_offline = NULL;
1937 	hdlr.cyo_arg = NULL;
1938 
1939 	mutex_enter(&cpu_lock);
1940 	deadman_cyclic = cyclic_add_omni(&hdlr);
1941 	mutex_exit(&cpu_lock);
1942 }
1943 
1944 /*
1945  * tod_fault() is for updating tod validate mechanism state:
1946  * (1) TOD_NOFAULT: for resetting the state to 'normal'.
1947  *     currently used for debugging only
1948  * (2) The following four cases detected by tod validate mechanism:
1949  *       TOD_REVERSED: current tod value is less than previous value.
1950  *       TOD_STALLED: current tod value hasn't advanced.
1951  *       TOD_JUMPED: current tod value advanced too far from previous value.
1952  *       TOD_RATECHANGED: the ratio between average tod delta and
1953  *       average tick delta has changed.
1954  */
1955 enum tod_fault_type
1956 tod_fault(enum tod_fault_type ftype, int off)
1957 {
1958 	ASSERT(MUTEX_HELD(&tod_lock));
1959 
1960 	if (tod_faulted != ftype) {
1961 		switch (ftype) {
1962 		case TOD_NOFAULT:
1963 			plat_tod_fault(TOD_NOFAULT);
1964 			cmn_err(CE_NOTE, "Restarted tracking "
1965 					"Time of Day clock.");
1966 			tod_faulted = ftype;
1967 			break;
1968 		case TOD_REVERSED:
1969 		case TOD_JUMPED:
1970 			if (tod_faulted == TOD_NOFAULT) {
1971 				plat_tod_fault(ftype);
1972 				cmn_err(CE_WARN, "Time of Day clock error: "
1973 				    "reason [%s by 0x%x]. -- "
1974 				    " Stopped tracking Time Of Day clock.",
1975 				    tod_fault_table[ftype], off);
1976 				tod_faulted = ftype;
1977 			}
1978 			break;
1979 		case TOD_STALLED:
1980 		case TOD_RATECHANGED:
1981 			if (tod_faulted == TOD_NOFAULT) {
1982 				plat_tod_fault(ftype);
1983 				cmn_err(CE_WARN, "Time of Day clock error: "
1984 				    "reason [%s]. -- "
1985 				    " Stopped tracking Time Of Day clock.",
1986 				    tod_fault_table[ftype]);
1987 				tod_faulted = ftype;
1988 			}
1989 			break;
1990 		default:
1991 			break;
1992 		}
1993 	}
1994 	return (tod_faulted);
1995 }
1996 
1997 void
1998 tod_fault_reset()
1999 {
2000 	tod_fault_reset_flag = 1;
2001 }
2002 
2003 
2004 /*
2005  * tod_validate() is used for checking values returned by tod_get().
2006  * Four error cases can be detected by this routine:
2007  *   TOD_REVERSED: current tod value is less than previous.
2008  *   TOD_STALLED: current tod value hasn't advanced.
2009  *   TOD_JUMPED: current tod value advanced too far from previous value.
2010  *   TOD_RATECHANGED: the ratio between average tod delta and
2011  *   average tick delta has changed.
2012  */
2013 time_t
2014 tod_validate(time_t tod)
2015 {
2016 	time_t diff_tod;
2017 	hrtime_t diff_tick;
2018 
2019 	long dtick;
2020 	int dtick_delta;
2021 
2022 	int off = 0;
2023 	enum tod_fault_type tod_bad = TOD_NOFAULT;
2024 
2025 	static int firsttime = 1;
2026 
2027 	static time_t prev_tod = 0;
2028 	static hrtime_t prev_tick = 0;
2029 	static long dtick_avg = TOD_REF_FREQ;
2030 
2031 	hrtime_t tick = gethrtime();
2032 
2033 	ASSERT(MUTEX_HELD(&tod_lock));
2034 
2035 	/*
2036 	 * tod_validate_enable is patchable via /etc/system.
2037 	 * If TOD is already faulted, or if TOD validation is deferred,
2038 	 * there is nothing to do.
2039 	 */
2040 	if ((tod_validate_enable == 0) || (tod_faulted != TOD_NOFAULT) ||
2041 	    tod_validate_deferred) {
2042 		return (tod);
2043 	}
2044 
2045 	/*
2046 	 * Update prev_tod and prev_tick values for first run
2047 	 */
2048 	if (firsttime) {
2049 		firsttime = 0;
2050 		prev_tod = tod;
2051 		prev_tick = tick;
2052 		return (tod);
2053 	}
2054 
2055 	/*
2056 	 * For either of these conditions, we need to reset ourself
2057 	 * and start validation from zero since each condition
2058 	 * indicates that the TOD will be updated with new value
2059 	 * Also, note that tod_needsync will be reset in clock()
2060 	 */
2061 	if (tod_needsync || tod_fault_reset_flag) {
2062 		firsttime = 1;
2063 		prev_tod = 0;
2064 		prev_tick = 0;
2065 		dtick_avg = TOD_REF_FREQ;
2066 
2067 		if (tod_fault_reset_flag)
2068 			tod_fault_reset_flag = 0;
2069 
2070 		return (tod);
2071 	}
2072 
2073 	/* test hook */
2074 	switch (tod_unit_test) {
2075 	case 1: /* for testing jumping tod */
2076 		tod += tod_test_injector;
2077 		tod_unit_test = 0;
2078 		break;
2079 	case 2:	/* for testing stuck tod bit */
2080 		tod |= 1 << tod_test_injector;
2081 		tod_unit_test = 0;
2082 		break;
2083 	case 3:	/* for testing stalled tod */
2084 		tod = prev_tod;
2085 		tod_unit_test = 0;
2086 		break;
2087 	case 4:	/* reset tod fault status */
2088 		(void) tod_fault(TOD_NOFAULT, 0);
2089 		tod_unit_test = 0;
2090 		break;
2091 	default:
2092 		break;
2093 	}
2094 
2095 	diff_tod = tod - prev_tod;
2096 	diff_tick = tick - prev_tick;
2097 
2098 	ASSERT(diff_tick >= 0);
2099 
2100 	if (diff_tod < 0) {
2101 		/* ERROR - tod reversed */
2102 		tod_bad = TOD_REVERSED;
2103 		off = (int)(prev_tod - tod);
2104 	} else if (diff_tod == 0) {
2105 		/* tod did not advance */
2106 		if (diff_tick > TOD_STALL_THRESHOLD) {
2107 			/* ERROR - tod stalled */
2108 			tod_bad = TOD_STALLED;
2109 		} else {
2110 			/*
2111 			 * Make sure we don't update prev_tick
2112 			 * so that diff_tick is calculated since
2113 			 * the first diff_tod == 0
2114 			 */
2115 			return (tod);
2116 		}
2117 	} else {
2118 		/* calculate dtick */
2119 		dtick = diff_tick / diff_tod;
2120 
2121 		/* update dtick averages */
2122 		dtick_avg += ((dtick - dtick_avg) / TOD_FILTER_N);
2123 
2124 		/*
2125 		 * Calculate dtick_delta as
2126 		 * variation from reference freq in quartiles
2127 		 */
2128 		dtick_delta = (dtick_avg - TOD_REF_FREQ) /
2129 			(TOD_REF_FREQ >> 2);
2130 
2131 		/*
2132 		 * Even with a perfectly functioning TOD device,
2133 		 * when the number of elapsed seconds is low the
2134 		 * algorithm can calculate a rate that is beyond
2135 		 * tolerance, causing an error.  The algorithm is
2136 		 * inaccurate when elapsed time is low (less than
2137 		 * 5 seconds).
2138 		 */
2139 		if (diff_tod > 4) {
2140 			if (dtick < TOD_JUMP_THRESHOLD) {
2141 				/* ERROR - tod jumped */
2142 				tod_bad = TOD_JUMPED;
2143 				off = (int)diff_tod;
2144 			} else if (dtick_delta) {
2145 				/* ERROR - change in clock rate */
2146 				tod_bad = TOD_RATECHANGED;
2147 			}
2148 		}
2149 	}
2150 
2151 	if (tod_bad != TOD_NOFAULT) {
2152 		(void) tod_fault(tod_bad, off);
2153 
2154 		/*
2155 		 * Disable dosynctodr since we are going to fault
2156 		 * the TOD chip anyway here
2157 		 */
2158 		dosynctodr = 0;
2159 
2160 		/*
2161 		 * Set tod to the correct value from hrestime
2162 		 */
2163 		tod = hrestime.tv_sec;
2164 	}
2165 
2166 	prev_tod = tod;
2167 	prev_tick = tick;
2168 	return (tod);
2169 }
2170 
2171 static void
2172 calcloadavg(int nrun, uint64_t *hp_ave)
2173 {
2174 	static int64_t f[3] = { 135, 27, 9 };
2175 	uint_t i;
2176 	int64_t q, r;
2177 
2178 	/*
2179 	 * Compute load average over the last 1, 5, and 15 minutes
2180 	 * (60, 300, and 900 seconds).  The constants in f[3] are for
2181 	 * exponential decay:
2182 	 * (1 - exp(-1/60)) << 13 = 135,
2183 	 * (1 - exp(-1/300)) << 13 = 27,
2184 	 * (1 - exp(-1/900)) << 13 = 9.
2185 	 */
2186 
2187 	/*
2188 	 * a little hoop-jumping to avoid integer overflow
2189 	 */
2190 	for (i = 0; i < 3; i++) {
2191 		q = (hp_ave[i]  >> 16) << 7;
2192 		r = (hp_ave[i]  & 0xffff) << 7;
2193 		hp_ave[i] += ((nrun - q) * f[i] - ((r * f[i]) >> 16)) >> 4;
2194 	}
2195 }
2196