An independent design review of the notification-backed k_sem (#41) confirmed every code-level trap is handled (give-before-take latch, ISR-side give, timeout-vs-give consume protocol) but found the hard paths have little or no test coverage. The same gaps apply to k_event (#42), which shares the architecture.
- `k_sem.c` (woken+timed-out branch) has ZERO coverage. Every giver in the suite delays well inside the timeout. Shape: ~100+ iterations of `k_sem_take(K_MSEC(20))` with a giver firing at ~20 ms ± jitter (pin the giver to the other core on S3 for true concurrency). Per-iteration invariant: `ret == 0 → count == 0`; `ret == -EAGAIN → count == 1` (the give latched). After each iteration drain, then assert `k_sem_take(K_NO_WAIT) == -EBUSY` AND that a short blocking take times out cleanly — proves no stranded notification on the reserved index poisons the task's next blocking call. Mirror for `k_event_wait`.
- `esp_timer` ISR dispatch or a GPTimer ISR) to a `K_FOREVER` waiter; assert prompt wake (verifies the yield-from-ISR). One `k_sem_take(K_NO_WAIT)` from the same ISR (fast path is FreeRTOS-call-free). Same for `k_event_post` from ISR (including the multi-waiter accumulate-yield-once path).
- `>` in the pop is what preserves it — pin with a test); (c) `k_sem_reset` and a single `k_event_post` waking 3+ waiters.
- `k_sem_reset` is task-context-only — it uses the task-only notify API, while upstream's reset is ISR-legal. Real divergence; needs the `@note` on the declaration.
- `k_thread_priority_set` on a blocked waiter leaves wake order using the stale value (upstream re-sorts the pend queue). One-line `@note` on `k_sem_take`/`k_event_wait`.
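As an added example (not code from the project or from the review, and a constructed Python model rather than the C in `k_sem.c`), the block below models the notification-backed semaphore as a per-task pending bit and runs the per-iteration invariant above against it: one give per take at ~timeout ± jitter, `ret == 0 → count == 0`, `ret == -EAGAIN → count == 1`, then a drain followed by a `K_NO_WAIT` take that must report busy and a short blocking take that must time out. It also includes the unsafe variant that skips the consume step so the stranded-notification failure the test plan is meant to catch can be forced deterministically. Assumptions: the errno-style return values follow Zephyr's `k_sem_take` (`-EAGAIN` on timeout, `-EBUSY` for a zero wait); the woken+timed-out branch re-latches a late give into `count` rather than consuming it (either policy satisfies the invariant); and `race_hook`, `run_iterations` and `stranded_demo` are test scaffolding invented here, not project names.

```python
"""Constructed model of a notification-backed k_sem and its timeout-vs-give test.

Not the project's k_sem.c: the task notification is modelled as a per-task
pending bit guarded by a condition variable, and the semaphore hands a give
either to the registered waiter's notification or to its latch count.
"""
import errno
import random
import threading

EAGAIN = -errno.EAGAIN   # timed out (Zephyr k_sem_take convention, assumed)
EBUSY = -errno.EBUSY     # zero timeout and nothing latched


class TaskNotification:
    """Stand-in for a task's notification slot: one pending bit per task."""

    def __init__(self):
        self._cv = threading.Condition()
        self.pending = False

    def notify(self):
        """Giver side (task or ISR): set the bit and wake the owning task."""
        with self._cv:
            self.pending = True
            self._cv.notify()

    def wait(self, timeout):
        """Block until the bit is set or `timeout` seconds pass; clear it on exit.
        Returns True if a notification was consumed, False on timeout."""
        with self._cv:
            got = self._cv.wait_for(lambda: self.pending, timeout)
            self.pending = False
            return got


class KSem:
    """Semaphore with a single waiter slot. `safe=False` reproduces the hazard:
    a give landing after the waiter's timeout but before it unregisters is left
    stranded on the task. `race_hook` (test-only) runs inside that window."""

    def __init__(self, safe=True, race_hook=None):
        self._lock = threading.Lock()
        self.count = 0
        self._waiter = None
        self.safe = safe
        self.race_hook = race_hook

    def give(self):
        """Direct hand-off if a taker is registered, otherwise latch (give-before-take)."""
        with self._lock:
            if self._waiter is not None:
                self._waiter.notify()
            else:
                self.count += 1

    def take(self, timeout, notif):
        """0 on success, EBUSY for timeout == 0 with nothing latched, EAGAIN on timeout."""
        with self._lock:
            if self.count > 0:
                self.count -= 1
                return 0
            if timeout == 0:
                return EBUSY
            self._waiter = notif            # register before sleeping
        woke = notif.wait(timeout)
        if self.race_hook is not None and not woke:
            self.race_hook()                # simulate a give arriving in the timeout window
        with self._lock:
            self._waiter = None
            # Consume protocol: a give that landed between wait() returning and the
            # unregister above is re-latched into count instead of being left pending
            # on the task (assumed policy for the woken+timed-out branch).
            if self.safe and notif.wait(0):
                self.count += 1
            return 0 if woke else EAGAIN


def run_iterations(iterations=100, timeout=0.020, jitter=0.005, seed=1, safe=True):
    """Per-iteration invariant: exactly one give per take, so ret == 0 -> count == 0
    and ret == EAGAIN -> count == 1; after draining, a zero-wait take must be EBUSY
    and a short blocking take must time out. Returns outcome and violation counts."""
    rng = random.Random(seed)
    sem, notif = KSem(safe=safe), TaskNotification()
    stats = {"taken": 0, "timed_out": 0, "violations": 0}
    for _ in range(iterations):
        giver = threading.Timer(timeout + rng.uniform(-jitter, jitter), sem.give)
        giver.start()
        ret = sem.take(timeout, notif)
        giver.join()                                     # the one give has happened
        expected = {0: 0, EAGAIN: 1}.get(ret)
        if expected is None or sem.count != expected:
            stats["violations"] += 1
        stats["taken" if ret == 0 else "timed_out"] += 1
        while sem.take(0, notif) == 0:                   # drain the latch
            pass
        if sem.take(0, notif) != EBUSY or sem.take(0.002, notif) != EAGAIN:
            stats["violations"] += 1                     # something was stranded
    return stats


def stranded_demo(safe):
    """Force the give into the timeout window. Returns (first take's result,
    count afterwards, result of the next short blocking take after draining)."""
    sem, notif = KSem(safe=safe), TaskNotification()
    sem.race_hook = sem.give       # give lands while the timed-out taker is still registered
    first = sem.take(0.001, notif)
    sem.race_hook = None
    count = sem.count
    while sem.take(0, notif) == 0:
        pass
    return first, count, sem.take(0.001, notif)


if __name__ == "__main__":
    print("safe model:", run_iterations())
    print("safe interleaving:", stranded_demo(True))
    print("unsafe interleaving:", stranded_demo(False))
```

With the safe model, `run_iterations` reports zero violations whichever way the jitter falls, and `stranded_demo(True)` returns `(EAGAIN, 1, EAGAIN)`: the late give is latched and the next blocking take times out cleanly. With `safe=False` the same interleaving returns `(EAGAIN, 0, 0)`: the count is wrong and the next blocking take wakes immediately on the stranded notification without any give, which is exactly the poisoning the drain-then-short-take assertion in the plan is designed to expose.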