threads: Kernel handling of unsafe operations on user memory#664
Conversation
Summary of Changes
Hello @etiaro, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!
This pull request introduces a robust exception handling mechanism within the kernel, inspired by try-catch blocks and setjmp/longjmp semantics. This mechanism is designed to safely manage operations that interact with user memory, preventing processor exceptions and improving system stability. A key application demonstrated is enhanced stack overflow handling on MMU-enabled devices.
Highlights
- Kernel Exception Handling Framework: Implemented a setjmp/longjmp-like mechanism (`hal_setexcjmp`, `hal_excjmp`) at the hardware abstraction layer (HAL) for ARMv7-A and IA32 architectures. This allows kernel code to gracefully recover from processor exceptions (e.g., page faults) that occur during operations on user memory, providing a 'try-catch' semantic.
- Thread-Specific Exception Context: Introduced a new `excjmpctx` field to the `thread_t` structure and added `threads_setexcjmp`/`threads_getexcjmp` functions. This enables the storage and retrieval of a thread-local exception jump context, ensuring that exception handling is managed on a per-thread basis.
- Safer Signal Handling: Modified `hal_cpuPushSignal` to utilize the new exception handling framework. This change protects the operations involved in setting up signal contexts against potential memory faults, returning an `-EFAULT` error if a fault occurs, which then leads to the termination of the affected process in `threads_setupUserReturn`.
- Internal Code Refactoring: Replaced all internal calls to the static `_proc_current` function with the public `proc_current` function across the `proc/threads.c` file, streamlining access to the current thread's context.
Code Review
The code changes introduce a mechanism for handling kernel unsafe operations, similar to try-catch, using setjmp/longjmp. It includes functions for setting and getting exception jump contexts, and integrates this mechanism into signal handling. The changes span multiple files, modifying assembly code, header files, and C code to implement this new exception handling feature.
| } | ||
| else { | ||
| signalCtx->psr &= ~THUMB_STATE; | ||
| threads_setexcjmp(oldctx, NULL); |
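Review bot: the restore `threads_setexcjmp(oldctx, NULL)` is only visible in the `else` branch here; confirm that the branch closed by the `}` above (the path taken when the unsafe section faulted) also restores the previous context before it returns, otherwise the thread keeps a pointer to an `excjmp_context_t` that lives in a stack frame about to be unwound. If both branches end with the same call, hoisting it below the if/else removes the duplication and makes the pairing with the earlier `threads_setexcjmp` obvious.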
Perhaps we could clear old ctx on hal_excjmp
That's problematic, as it would require putting a pointer to oldctx in struct excjmp_context_t (as hal_excjmp doesn't have access to local variables from this context).
And we need to call threads_setexcjmp with oldctx after else anyway.
| /* | ||
| * Write to current[i] only by i'th cpu, with spinlock set. | ||
| * Read from current[i] by i'th cpu allowed without spinlock. | ||
| */ |
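Review bot: the comment says who may read and write current[i] but not why the lock-free read on the i'th CPU is safe. That read relies on the pointer store being naturally aligned and single-copy atomic, and on the compiler re-loading the value on every access (a `volatile` qualifier or an explicit atomic load); state that assumption in the comment, since a hoisted or cached read in a loop would otherwise be a silent correctness bug that the spinlock on the writer side does nothing to prevent.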
Spinlock does nothing if it's used only for writes - let's just assume atomicity (and make these pointers volatile)
It's not used only for writes - it's used for reads on other cores.
The idea was that on the i'th core it's not required for reading because it cannot be writing at the same time as it's reading.
3c8b5ff to 1472edb
1472edb to a1498e6
Description
There are some events in kernel code that require operating on user's memory.
There's no good way to ensure such memory operations won't trigger a processor exception apart from interrupting all threads that could access that memory fragment.
Inspired by Linux's exception tables and fixup code for managing unsafe operations, this draft introduces a mechanism with semantics similar to try-catch and based on an idea similar to setjmp/longjmp by introducing `hal_setexcjmp` (similar to setjmp) and `threads_setexcjmp` (which only swaps pointers in the `thread_t` struct and should be used for cleaning up after the unsafe section is finished).
As an example of usage it solves stack overflow handling on MMU devices: Jira RTOS-1066
phoenix-rtos/phoenix-rtos-project#1200
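The try/catch pattern the description outlines, modelled in user-space C as an added example (this is not Phoenix-RTOS code). It assumes the shape visible in the PR thread: a `threads_setexcjmp(ctx, old)` that only swaps the thread's `excjmpctx` pointer and hands back the previous one, an `excjmp_context_t` holding the saved registers, and a fault path that ends in a longjmp-style unwind. `sigsetjmp`/`siglongjmp` and a SIGSEGV handler stand in for `hal_setexcjmp`/`hal_excjmp` and the kernel page-fault handler, a `PROT_NONE` mapping stands in for an unmapped user page, and all names are assumptions of this model rather than the project's API.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <setjmp.h>
#include <signal.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>

#ifndef MAP_ANONYMOUS
#define MAP_ANONYMOUS MAP_ANON
#endif

/* Assumed shape of the context: in the kernel it holds the registers
 * saved by hal_setexcjmp; here a sigjmp_buf plays that role. */
typedef struct {
    sigjmp_buf buf;
} excjmp_context_t;

/* Minimal stand-in for thread_t with only the field this model needs. */
typedef struct {
    excjmp_context_t *excjmpctx;
} thread_t;

/* Stands in for proc_current(): a single "current thread". */
static thread_t current_thread = { NULL };

/* Model of threads_setexcjmp(ctx, old): make ctx the active context and
 * return the previous one through old. Only pointers are swapped. */
static void model_setexcjmp(excjmp_context_t *ctx, excjmp_context_t **old)
{
    if (old != NULL)
        *old = current_thread.excjmpctx;
    current_thread.excjmpctx = ctx;
}

/* Stands in for the kernel fault path that ends in hal_excjmp: unwind to
 * the active context if the thread is inside an unsafe section, otherwise
 * let the fault take its default course. */
static void fault_handler(int sig)
{
    excjmp_context_t *ctx = current_thread.excjmpctx;
    if (ctx == NULL) {
        signal(sig, SIG_DFL);
        raise(sig);
        return;
    }
    siglongjmp(ctx->buf, 1);
}

int install_fault_handler(void)
{
    struct sigaction sa;
    memset(&sa, 0, sizeof(sa));
    sa.sa_handler = fault_handler;
    sigemptyset(&sa.sa_mask);
    sa.sa_flags = SA_NODEFER;
    if (sigaction(SIGSEGV, &sa, NULL) != 0 || sigaction(SIGBUS, &sa, NULL) != 0)
        return -1;
    return 0;
}

/* The unsafe section: copy n bytes from a "user" address.
 * Returns 0, or -EFAULT if touching src faulted part-way through. */
int copy_from_user_model(void *dst, const void *src, size_t n)
{
    excjmp_context_t ctx;
    excjmp_context_t *oldctx;

    model_setexcjmp(&ctx, &oldctx);        /* enter the unsafe section */
    if (sigsetjmp(ctx.buf, 1) != 0) {      /* reached via fault_handler */
        model_setexcjmp(oldctx, NULL);     /* cleanup: drop the dead ctx */
        return -EFAULT;
    }

    volatile const unsigned char *s = src; /* force a real load per byte */
    unsigned char *d = dst;
    for (size_t i = 0; i < n; i++)
        d[i] = s[i];

    model_setexcjmp(oldctx, NULL);         /* leave the unsafe section */
    return 0;
}

/* Exercises both outcomes against constructed inputs; 0 means all checks passed. */
int run_demo(void)
{
    char dst[8] = { 0 };
    const char good[8] = "hello";          /* constructed readable input */
    void *bad;

    if (install_fault_handler() != 0)
        return 1;
    if (copy_from_user_model(dst, good, 6) != 0 || strcmp(dst, "hello") != 0)
        return 2;
    /* constructed inaccessible page standing in for an unmapped user page */
    bad = mmap(NULL, 4096, PROT_NONE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (bad == MAP_FAILED)
        return 3;
    if (copy_from_user_model(dst, bad, 6) != -EFAULT)
        return 4;
    if (current_thread.excjmpctx != NULL)  /* stack context must be gone */
        return 5;
    munmap(bad, 4096);
    return 0;
}

int main(void)
{
    int rc = run_demo();
    printf("demo %s (rc=%d)\n", rc == 0 ? "passed" : "failed", rc);
    return rc;
}
```

The point the model makes concrete is the cleanup rule from the description: the context lives in the stack frame of the function that entered the unsafe section, so both the success path and the fault path must restore `oldctx` before returning, or the thread is left pointing at a frame that no longer exists and the next fault unwinds into garbage. Nesting also falls out of the pointer swap: an inner unsafe section saves and later restores the outer one.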