Refactor bootloader and platform initialization for improved stack handling and GDT management

Author: T. Andrew Davis

Cargo.toml

@@ -44,12 +44,6 @@ iso9660 = { path = "iso9660", package = "iso9660-rs" }
 morpheus-ui = { path = "ui" }
 morpheus-helix = { path = "helix" }
 
-[profile.release]
-opt-level = "z"      # Optimize for size
-lto = true           # Link-time optimization
-codegen-units = 1    # Better optimization
-panic = "abort"      # No unwinding
-strip = true         # Strip symbols
 
 [profile.dev]
 panic = "abort"      # No unwinding in dev either

bootloader/src/baremetal.rs

@@ -264,6 +264,8 @@ pub unsafe fn enter_baremetal(config: BaremetalEntryConfig) -> ! {
         descriptor_version: DESC_VER,
         image_base,
         image_pages,
+        stack_base,
+        stack_pages: STACK_PAGES as u64,
     };
 
     let platform = match morpheus_hwinit::platform_init_selfcontained(hwinit_cfg) {

hwinit/asm/cpu/ap_trampoline.s

@@ -30,10 +30,12 @@ ap_start:
     mov     ss, ax
     xor     sp, sp          ; stack at top of segment (wraps to 0xFFFF)
 
-    ; ── load the GDT pointer from the data area ──────────────────────────
-    ; data area is at this_page + 0xF00.  Our segment base = 0x8000.
-    ; so offset within segment = 0xF00 + 0x20 (TD_GDT_PTR within data area)
-    lgdt    [0xF20]         ; 0x8000 + 0xF20 in linear addressing = offset 0xF20 from segment base
+    ; ── load a TEMPORARY GDT that lives inside this trampoline page ──────
+    ; The BSP's GDT is above 4 GB (PE BSS at 0x140xxxxxx).  In 16-bit
+    ; mode, lgdt only reads a 4-byte base → truncated → wrong GDT → #GP.
+    ; We use a temp GDT at a known sub-1MB address for the mode transition,
+    ; then reload the real 64-bit GDT once we're in long mode.
+    lgdt    [0xE38]         ; segment offset → physical 0x8E38 (temp_gdt_ptr_16)
 
     ; ── enter protected mode ──────────────────────────────────────────────
     mov     eax, cr0
@@ -77,8 +79,10 @@ ap_pm32:
     or      eax, (1 << 31)          ; CR0.PG
     mov     cr0, eax
 
-    ; far jump to 64-bit long mode code
-    jmp     dword 0x08:ap_lm64
+    ; far jump to 64-bit long mode code.
+    ; selector 0x18 = temp GDT's 64-bit code descriptor (L=1, D=0).
+    ; NOT 0x08 — that's the 32-bit code descriptor we used to get here.
+    jmp     dword 0x18:ap_lm64
 
 ; ───────────────────────────────────────────────────────────────────────────
 ; 64-bit long mode
@@ -93,6 +97,25 @@ ap_lm64:
     mov     ss, ax
     ; intentionally skip gs — Rust will set GS base via MSR
 
+    ; ── reload the BSP's ACTUAL 64-bit GDT from the data area ────────────
+    ; In 64-bit mode lgdt reads the full 10-byte descriptor (2+8 base).
+    ; The BSP's GDT is in PE BSS above 4 GB — now we can load it properly.
+    lgdt    [0x8F20]        ; TD_GDT_PTR (flat 64-bit address)
+
+    ; reload data segments again with the real GDT's selectors
+    mov     ax, 0x10
+    mov     ds, ax
+    mov     es, ax
+    mov     fs, ax
+    mov     ss, ax
+
+    ; reload CS via a far return trick — push selector:offset, retfq
+    lea     rax, [rel .cs_reloaded]
+    push    0x08            ; kernel code selector from BSP's GDT
+    push    rax
+    retfq
+.cs_reloaded:
+
     ; ── load the per-AP stack from data area ──────────────────────────────
     mov     rsp, qword [0x8F10]     ; TD_STACK
 
@@ -105,8 +128,68 @@ ap_lm64:
     jmp     rax                     ; ap_rust_entry(core_idx, lapic_id) — never returns
 
 ; ───────────────────────────────────────────────────────────────────────────
-; Pad to keep total code well under 0xF00 (data area starts there)
+; TEMP GDT (offset 0xE00) — used for the real→prot→long mode transition.
+;
+; The BSP's GDT lives in PE BSS above 4 GB.  A 16-bit lgdt can only read
+; a 4-byte base, truncating 0x140xxxxxx → garbage.  This temp GDT at
+; physical 0x8E00 is safely below 1 MB.
+;
+; We need TWO code descriptors:
+;   0x08 — 32-bit code (D=1, L=0): for protected mode transition.
+;          D=1 gives 32-bit default operand size so `bits 32` instructions
+;          decode correctly.  If D=0 the CPU interprets `or eax, imm32`
+;          as `or ax, imm16` and the instruction stream desynchronizes.
+;          yes this is what was causing the triple fault. yes it was that dumb.
+;   0x18 — 64-bit code (L=1, D=0): for the far jump into long mode.
+;          Intel requires L=1 D=0 for 64-bit mode.
+;
+; After reaching 64-bit mode we reload the BSP's real GDT (which has its
+; own code64 at selector 0x08) and retfq to it.
 ; ───────────────────────────────────────────────────────────────────────────
+times (0xE00 - ($ - $$)) db 0
+
+; 0xE00: temp GDT entries
+temp_gdt:
+    ; 0x00: null descriptor
+    dq 0
+
+    ; 0x08: 32-bit code (D=1, L=0, P=1, DPL=0, type=exec+read)
+    ;   used ONLY for the real→protected mode transition.
+    dw 0xFFFF       ; limit low (4GB with G=1)
+    dw 0x0000       ; base low
+    db 0x00         ; base mid
+    db 0x9A         ; P=1, DPL=0, S=1, type=0xA (exec/read)
+    db 0xCF         ; G=1, D=1, L=0, AVL=0, limit_hi=0xF
+    db 0x00         ; base high
+
+    ; 0x10: flat data (P=1, DPL=0, writable, G=1, D=1, 4GB limit)
+    dw 0xFFFF       ; limit low
+    dw 0x0000       ; base low
+    db 0x00         ; base mid
+    db 0x92         ; P=1, DPL=0, S=1, type=0x2 (data/write)
+    db 0xCF         ; G=1, D=1, L=0, AVL=0, limit_hi=0xF
+    db 0x00         ; base high
+
+    ; 0x18: 64-bit code (L=1, D=0, P=1, DPL=0, type=exec+read)
+    ;   used for the far jump into long mode after LME+PG are set.
+    dw 0x0000       ; limit low (ignored in 64-bit mode)
+    dw 0x0000       ; base low
+    db 0x00         ; base mid
+    db 0x9A         ; P=1, DPL=0, S=1, type=0xA (exec/read)
+    db 0x20         ; G=0, L=1, D=0, AVL=0, limit_hi=0x0
+    db 0x00         ; base high
+temp_gdt_end:
+
+; padding to 0xE38
+times (0xE38 - ($ - $$)) db 0
+
+; 0xE38: temp GDT pointer for 16-bit lgdt (6 bytes: limit + 32-bit base)
+;   segment offset 0xE38 → physical 0x8E38.  lgdt reads 6 bytes in 16-bit mode.
+temp_gdt_ptr_16:
+    dw (temp_gdt_end - temp_gdt - 1)    ; limit = 31 (4 entries × 8 - 1)
+    dd 0x00008E00                        ; base = physical address of temp_gdt
+
+; pad to 0xF00
 times (0xF00 - ($ - $$)) db 0
 
 ; ───────────────────────────────────────────────────────────────────────────

hwinit/asm/cpu/context_switch.s

@@ -121,8 +121,11 @@ irq_timer_isr:
 .skip_fxsave:
 
     ; ── ACK LAPIC (write 0 to EOI register) ──────────────────────────────
-    xor     eax, eax
-    mov     dword [LAPIC_EOI_ADDR], eax
+    ; 0xFEE000B0 has bit 31 set. [imm32] in 64-bit mode sign-extends to
+    ; 0xFFFFFFFFFEE000B0. load into r11d: zero-extends, gives correct ptr.
+    ; r11 is already saved at [rsp+0x50] so clobbering it here is safe.
+    mov     r11d, LAPIC_EOI_ADDR        ; r11 = 0x00000000FEE000B0
+    mov     dword [r11], 0              ; EOI
 
     ; ── Call scheduler_tick(current_ctx: *const CpuContext) ──────────────
     ; MS x64 ABI: first arg in RCX.  Need 32-byte shadow space on stack.

hwinit/src/platform.rs

@@ -55,6 +55,12 @@ pub struct SelfContainedConfig {
     pub image_base: u64,
     /// Number of 4 KiB pages the PE image occupies (derived from SizeOfImage).
     pub image_pages: u64,
+    /// Physical base of the boot stack allocated by the bootloader.
+    /// The entire range [stack_base, stack_base + stack_pages * 4096)
+    /// is excluded from the buddy allocator.
+    pub stack_base: u64,
+    /// Number of 4 KiB pages in the boot stack allocation.
+    pub stack_pages: u64,
 }
 
 /// Platform configuration input (legacy - externally allocated).
@@ -184,14 +190,30 @@ pub unsafe fn platform_init_selfcontained(
         puts("\n");
     }
 
-    // 4) Boot stack pages (current RSP ± safety margin)
+    // 4) Boot stack pages — use actual bounds from bootloader, not RSP guess.
+    //    The bootloader passes the exact base + page count it allocated.
+    //    Guessing from RSP missed the bottom of the stack and let the buddy
+    //    write FreeNode headers into live LoaderData pages — OVMF's 0xAF
+    //    scrub then looked like corruption when those nodes were walked.
     let boot_stack_base;
     let boot_stack_top;
-    {
+    if config.stack_base != 0 && config.stack_pages != 0 {
+        boot_stack_base = config.stack_base;
+        boot_stack_top = config.stack_base + config.stack_pages * 4096;
+        let mut p = boot_stack_base;
+        while p < boot_stack_top && hw_count < hw_holes.len() {
+            hw_holes[hw_count] = p;
+            hw_count += 1;
+            p += 4096;
+        }
+    } else {
+        // fallback: RSP-based guess (generous margins)
         let rsp: u64;
-        core::arch::asm!("mov {}, rsp", out(reg) rsp, options(nostack, nomem));
-        boot_stack_base = (rsp & !0xFFF).saturating_sub(128 * 1024);
-        boot_stack_top = (rsp & !0xFFF) + 32 * 1024;
+        unsafe {
+            core::arch::asm!("mov {}, rsp", out(reg) rsp, options(nostack, nomem));
+        }
+        boot_stack_base = (rsp & !0xFFF).saturating_sub(256 * 1024);
+        boot_stack_top = (rsp + 0xFFF) & !0xFFF;
         let mut p = boot_stack_base;
         while p < boot_stack_top && hw_count < hw_holes.len() {
             hw_holes[hw_count] = p;
@@ -451,6 +473,11 @@ pub unsafe fn platform_init_selfcontained(
     }
     checkpoint("phase10.5-reserve-pt");
     crate::paging::reserve_page_table_pages();
+    // second validation: catch corruption introduced by carve_block splits
+    {
+        let reg = global_registry_mut();
+        reg.validate_free_lists();
+    }
     checkpoint("phase10.5-done");
 
     // phase 11: filesystem

hwinit/src/process/scheduler.rs

@@ -741,18 +741,6 @@ pub unsafe extern "C" fn scheduler_tick(current_ctx: &CpuContext) -> &'static Cp
     result
 }
 // USER PROCESS SPAWN
-
-/// Spawn a Ring 3 user thread in the caller's address space.
-///
-/// Shares the parent's CR3 (same page tables, same heap, same mmap state).
-/// Gets its own kernel stack, its own slot in PROCESS_TABLE, and starts
-/// execution at `entry` with `rdi = arg` and `rsp = stack_top`.
-///
-/// The caller must provide a valid, mapped user stack.  Use SYS_MMAP to
-/// allocate one before calling this.
-///
-/// I had fun with this.
-///
 /// Returns the new thread's PID (which also serves as the TID).
 pub unsafe fn spawn_user_thread(entry: u64, stack_top: u64, arg: u64) -> Result<u32, &'static str> {
     use crate::cpu::gdt::{USER_CS, USER_DS};