Terminate faulting tasks instead of panicking system

The previous panic behavior for unrecoverable faults was intentional
during early development to surface bugs immediately. With the core
functionality now stable, proper task termination is implemented to
uphold the isolation principle.

This change introduces a zombie state for deferred task cleanup. The
fault handler marks the faulting task as terminated and signals the trap
handler to initiate a context switch. The scheduler cleans up terminated
task resources before selecting the next runnable task.

This design addresses the limitation where running tasks cannot be
directly cancelled from interrupt context. By deferring cleanup to the
scheduler, the system ensures proper resource reclamation without
modifying task state during fault handling.

Memory regions are also evicted from hardware protection before being
freed, preventing stale references after task termination.

Author: HeatCrab

arch/riscv/hal.c

@@ -476,15 +476,40 @@ uint32_t do_trap(uint32_t cause, uint32_t epc, uint32_t isr_sp)
             goto trap_exit;
         }
 
-        /* Attempt to recover PMP access faults (code 5 = load fault, 7 = store
-         * fault) */
+        /* Attempt to recover load/store access faults.
+         *
+         * This assumes all U-mode access faults are PMP-related, which holds
+         * for platforms without MMU where PMP is the sole memory protection.
+         * On MCU hardware, bus faults or access to non-existent memory may
+         * also trigger access exceptions, and terminating the task instead
+         * of panicking could hide such hardware issues.
+         */
         if (code == 5 || code == 7) {
             uint32_t mtval = read_csr(mtval);
-            if (pmp_handle_access_fault(mtval, code == 7) == 0) {
+            int32_t pmp_result = pmp_handle_access_fault(mtval, code == 7);
+            if (pmp_result == PMP_FAULT_RECOVERED) {
                 /* PMP fault handled successfully, return current frame */
                 ret_sp = isr_sp;
                 goto trap_exit;
             }
+            if (pmp_result == PMP_FAULT_TERMINATE) {
+                /* Task terminated (marked as zombie), switch to next task.
+                 * Print diagnostic before switching. */
+                trap_puts("[PMP] Task terminated: ");
+                trap_puts(code == 7 ? "Store" : "Load");
+                trap_puts(" access fault at 0x");
+                for (int i = 28; i >= 0; i -= 4) {
+                    uint32_t nibble = (mtval >> i) & 0xF;
+                    _putchar(nibble < 10 ? '0' + nibble : 'A' + nibble - 10);
+                }
+                trap_puts("\r\n");
+
+                /* Force context switch to next task */
+                dispatcher(0);
+                ret_sp =
+                    pending_switch_sp ? (uint32_t) pending_switch_sp : isr_sp;
+                goto trap_exit;
+            }
         }
 
         /* Print exception info via direct UART (safe in trap context) */

arch/riscv/pmp.c

@@ -605,15 +605,16 @@ int32_t pmp_evict_fpage(fpage_t *fpage)
     return 0;
 }
 
-/* Handles PMP access faults */
+/* Handles PMP access faults by loading the required flexpage into hardware. */
 int32_t pmp_handle_access_fault(uint32_t fault_addr, uint8_t is_write)
 {
     if (!kcb || !kcb->task_current || !kcb->task_current->data)
-        return -1;
+        return PMP_FAULT_UNHANDLED;
 
-    memspace_t *mspace = ((tcb_t *) kcb->task_current->data)->mspace;
+    tcb_t *current = (tcb_t *) kcb->task_current->data;
+    memspace_t *mspace = current->mspace;
     if (!mspace)
-        return -1;
+        return PMP_FAULT_UNHANDLED;
 
     /* Find flexpage containing faulting address */
     fpage_t *target_fpage = NULL;
@@ -624,20 +625,24 @@ int32_t pmp_handle_access_fault(uint32_t fault_addr, uint8_t is_write)
         }
     }
 
-    if (!target_fpage || target_fpage->pmp_id != PMP_INVALID_REGION)
-        return -1;
+    /* Cannot recover: address not in task's memory space or already loaded */
+    if (!target_fpage || target_fpage->pmp_id != PMP_INVALID_REGION) {
+        /* Mark task as zombie for deferred cleanup */
+        current->state = TASK_ZOMBIE;
+        return PMP_FAULT_TERMINATE;
+    }
 
     pmp_config_t *config = pmp_get_config();
     if (!config)
-        return -1;
+        return PMP_FAULT_UNHANDLED;
 
     /* Load into available region or evict victim */
     if (config->next_region_idx < PMP_MAX_REGIONS)
         return pmp_load_fpage(target_fpage, config->next_region_idx);
 
     fpage_t *victim = select_victim_fpage(mspace);
     if (!victim)
-        return -1;
+        return PMP_FAULT_UNHANDLED;
 
     uint8_t victim_region = victim->pmp_id;
     int32_t ret = pmp_evict_fpage(victim);

arch/riscv/pmp.h

@@ -155,6 +155,12 @@ int32_t pmp_load_fpage(fpage_t *fpage, uint8_t region_idx);
  */
 int32_t pmp_evict_fpage(fpage_t *fpage);
 
+/* PMP Fault Handler Return Codes */
+#define PMP_FAULT_RECOVERED 0    /* Fault recovered, resume execution */
+#define PMP_FAULT_UNHANDLED (-1) /* Cannot recover, fall through to default */
+#define PMP_FAULT_TERMINATE \
+    (-2) /* Task terminated, caller invokes dispatcher */
+
 /* Handles PMP access violations.
  *
  * Attempts to recover from PMP access faults by loading the required memory
@@ -163,7 +169,7 @@ int32_t pmp_evict_fpage(fpage_t *fpage);
  *
  * @fault_addr : The faulting memory address (from mtval CSR)
  * @is_write : 1 for store/AMO access, 0 for load
- * Returns 0 on successful recovery, negative error code on failure.
+ * Returns PMP_FAULT_RECOVERED, PMP_FAULT_UNHANDLED, or PMP_FAULT_TERMINATE.
  */
 int32_t pmp_handle_access_fault(uint32_t fault_addr, uint8_t is_write);
 

include/sys/task.h

@@ -37,11 +37,12 @@ enum task_priorities {
 
 /* Task Lifecycle States */
 enum task_states {
-    TASK_STOPPED,  /* Task created but not yet scheduled */
-    TASK_READY,    /* Task in ready state, waiting to be scheduled */
-    TASK_RUNNING,  /* Task currently executing on CPU */
-    TASK_BLOCKED,  /* Task waiting for delay timer to expire */
-    TASK_SUSPENDED /* Task paused/excluded from scheduling until resumed */
+    TASK_STOPPED,   /* Task created but not yet scheduled */
+    TASK_READY,     /* Task in ready state, waiting to be scheduled */
+    TASK_RUNNING,   /* Task currently executing on CPU */
+    TASK_BLOCKED,   /* Task waiting for delay timer to expire */
+    TASK_SUSPENDED, /* Task paused/excluded from scheduling until resumed */
+    TASK_ZOMBIE     /* Task terminated, awaiting resource cleanup */
 };
 
 /* Priority Level Constants for Priority-Aware Time Slicing */

kernel/memprot.c

@@ -84,10 +84,13 @@ void mo_memspace_destroy(memspace_t *mspace)
     if (!mspace)
         return;
 
-    /* Free all flexpages in the list */
+    /* Evict and free all flexpages in the list */
     fpage_t *fp = mspace->first;
     while (fp) {
         fpage_t *next = fp->as_next;
+        /* Evict from PMP hardware before freeing to prevent stale references */
+        if (fp->pmp_id != PMP_INVALID_REGION)
+            pmp_evict_fpage(fp);
         mo_fpage_destroy(fp);
         fp = next;
     }

kernel/task.c

@@ -351,6 +351,46 @@ void yield(void);
 void _dispatch(void) __attribute__((weak, alias("dispatch")));
 void _yield(void) __attribute__((weak, alias("yield")));
 
+/* Zombie Task Cleanup
+ *
+ * Scans the task list for terminated (zombie) tasks and frees their resources.
+ * Called from dispatcher to ensure cleanup happens in a safe context.
+ */
+static void task_cleanup_zombies(void)
+{
+    if (!kcb || !kcb->tasks)
+        return;
+
+    list_node_t *node = list_next(kcb->tasks->head);
+    while (node && node != kcb->tasks->tail) {
+        list_node_t *next = list_next(node);
+        tcb_t *tcb = node->data;
+
+        if (tcb && tcb->state == TASK_ZOMBIE) {
+            /* Remove from task list */
+            list_remove(kcb->tasks, node);
+            kcb->task_count--;
+
+            /* Clear from lookup cache */
+            for (int i = 0; i < TASK_CACHE_SIZE; i++) {
+                if (task_cache[i].task == tcb) {
+                    task_cache[i].id = 0;
+                    task_cache[i].task = NULL;
+                }
+            }
+
+            /* Free all resources */
+            if (tcb->mspace)
+                mo_memspace_destroy(tcb->mspace);
+            free(tcb->stack);
+            if (tcb->kernel_stack)
+                free(tcb->kernel_stack);
+            free(tcb);
+        }
+        node = next;
+    }
+}
+
 /* Round-Robin Scheduler Implementation
  *
  * Implements an efficient round-robin scheduler tweaked for small systems.
@@ -531,6 +571,9 @@ void dispatch(void)
     if (unlikely(!kcb || !kcb->task_current || !kcb->task_current->data))
         panic(ERR_NO_TASKS);
 
+    /* Clean up any terminated (zombie) tasks */
+    task_cleanup_zombies();
+
     /* Save current context - only needed for cooperative mode.
      * In preemptive mode, ISR already saved context to stack,
      * so we skip this step to avoid interference.
@@ -915,6 +958,8 @@ int32_t mo_task_cancel(uint16_t id)
     CRITICAL_LEAVE();
 
     /* Free memory outside critical section */
+    if (tcb->mspace)
+        mo_memspace_destroy(tcb->mspace);
     free(tcb->stack);
     if (tcb->kernel_stack)
         free(tcb->kernel_stack);