kernel: consolidate error handling code

* z_NanoFatalErrorHandler() is now moved to common kernel code and renamed z_fatal_error(). Arches dump arch-specific info before calling. * z_SysFatalErrorHandler() is now moved to common kernel code and renamed k_sys_fatal_error_handler(). It is now much simpler; the default policy is simply to lock interrupts and halt the system. If an implementation of this function returns, then the currently running thread is aborted. * New arch-specific APIs introduced: - z_arch_system_halt() simply powers off or halts the system. * We now have a standard set of fatal exception reason codes, namespaced under K_ERR_* * CONFIG_SIMPLE_FATAL_ERROR_HANDLER deleted * LOG_PANIC() calls moved to k_sys_fatal_error_handler() Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
2019-07-11 14:18:28 -07:00 · 2019-07-11 14:18:28 -07:00 · 71ce8ceb18
commit 71ce8ceb18
parent 81245a0193
53 changed files with 397 additions and 1183 deletions
--- a/include/fatal.h
+++ b/include/fatal.h
@ -0,0 +1,87 @@
+/*
+ * Copyright (c) 2019 Intel Corporation.
+ *
+ * SPDX-License-Identifier: Apache-2.0
+ */
+
+#ifndef ZEPHYR_INCLUDE_FATAL_H
+#define ZEPHYR_INCLUDE_FATAL_H
+
+#include <arch/cpu.h>
+
+/* TODO Items:
+ *
+ * - Delete default_esf everywhere, just pass a NULL pointer around in that
+ * situation
+ *
+ */
+
+enum k_fatal_error_reason {
+	/** Generic CPU exception, not covered by other codes */
+	K_ERR_CPU_EXCEPTION,
+
+	/** Unhandled hardware interrupt */
+	K_ERR_SPURIOUS_IRQ,
+
+	/** Faulting context overflowed its stack buffer */
+	K_ERR_STACK_CHK_FAIL,
+
+	/** Moderate severity software error */
+	K_ERR_KERNEL_OOPS,
+
+	/** High severity software error */
+	K_ERR_KERNEL_PANIC
+
+	/* TODO: add more codes for exception types that are common across
+	 * architectures
+	 */
+};
+
+/**
+ * @brief Fatal error policy handler
+ *
+ * This function is not invoked by application code, but is declared as a
+ * weak symbol so that applications may introduce their own policy.
+ *
+ * The default implementation of this function halts the system
+ * unconditionally. Depending on architecture support, this may be
+ * a simple infinite loop, power off the hardware, or exit an emulator.
+ *
+ * If this function returns, then the currently executing thread will be
+ * aborted.
+ *
+ * A few notes for custom implementations:
+ *
+ * - If the error is determined to be unrecoverable, LOG_PANIC() should be
+ *   invoked to flush any pending logging buffers.
+ * - K_ERR_KERNEL_PANIC indicates a severe unrecoverable error in the kernel
+ *   itself, and should not be considered recoverable. There is an assertion
+ *   in z_fatal_error() to enforce this.
+ * - Even outside of a kernel panic, unless the fault occurred in user mode,
+ *   the kernel itself may be in an inconsistent state, with API calls to
+ *   kernel objects possibly exhibiting undefined behavior or triggering
+ *   another exception.
+ *
+ * @param reason The reason for the fatal error
+ * @param esf Exception context, with details and partial or full register
+ *            state when the error occurred. May in some cases be NULL.
+ */
+void k_sys_fatal_error_handler(unsigned int reason, const NANO_ESF *esf);
+
+/**
+ * Called by architecture code upon a fatal error.
+ *
+ * This function dumps out architecture-agnostic information about the error
+ * and then makes a policy decision on what to do by invoking
+ * k_sys_fatal_error_handler().
+ *
+ * On architectures where k_thread_abort() never returns, this function
+ * never returns either.
+ *
+ * @param reason The reason for the fatal error
+ * @param esf Exception context, with details and partial or full register
+ *            state when the error occurred. May in some cases be NULL.
+ */
+void z_fatal_error(unsigned int reason, const NANO_ESF *esf);
+
+#endif /* ZEPHYR_INCLUDE_FATAL_H */