Description
Requires: #281
In the course of implementing #487, it was discovered that we are not properly handling syscall failures. Syscalls originate from the vat (specifically the supervisor), and are handled by the kernel. By design, they should never fail, but because we are fallible, they could fail due to programmer error.
Because syscalls have to be synchronous at the callsite, we were already "lying" to the vat supervisor and synchronously returning an ok result for every syscall. However, the idea was that we would still handle any errors on the kernel-side. This will probably include "rolling back" the current crank, which will in turn involve some messages to the vat, perhaps merely telling the vat to shut down so the kernel can restart it from the previous crank.
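As an added illustration of the pattern described above (example code, not SwingSet's own kernel; the names `makeKernel`, `vatSyscall`, `runCrank`, the `send` syscall shape and the `vatGeneration` counter are all hypothetical), the toy kernel below answers every syscall synchronously with `['ok', null]`, remembers the first kernel-side failure, and at the end of the crank throws away the working state and bumps a generation counter that stands in for "tell the vat to shut down and restart it from the last committed crank". The vat code in `demo()` is constructed to trigger one malformed syscall:

```javascript
// Hypothetical kernel/vat syscall boundary (not SwingSet's actual API).
function makeKernel() {
  // Committed state: what survives a failed crank.
  let committed = { sends: [], vatGeneration: 0 };
  // Working copy for the crank in progress; discarded on rollback.
  let working = null;
  // First failure seen during the current crank, or null.
  let crankFailure = null;
  const log = [];

  // Kernel-side handlers. They may throw on programmer error,
  // e.g. a target that is not an object reference string.
  const handlers = {
    send(target, method) {
      if (typeof target !== 'string' || !target.startsWith('o')) {
        throw new TypeError(`send: bad target ${String(target)}`);
      }
      working.sends.push({ target, method });
    },
  };

  // What the vat supervisor calls. It must return synchronously, so it
  // always reports ok; a failure is only recorded for end-of-crank handling.
  function vatSyscall(type, ...args) {
    if (crankFailure) {
      // The crank is already doomed; keep answering ok, touch nothing.
      return ['ok', null];
    }
    try {
      const handler = handlers[type];
      if (!handler) throw new Error(`unknown syscall ${type}`);
      handler(...args);
    } catch (err) {
      crankFailure = err;
    }
    return ['ok', null];
  }

  // Deliver one crank: run the vat code against vatSyscall, then commit
  // or roll back depending on whether any syscall failed.
  function runCrank(vatCode) {
    working = { sends: [...committed.sends], vatGeneration: committed.vatGeneration };
    crankFailure = null;
    try {
      vatCode(vatSyscall);
    } catch (err) {
      crankFailure = crankFailure || err;
    }
    if (crankFailure) {
      // Roll back: drop the working state, keep the committed one, and
      // bump the generation so the vat is restarted from that state.
      working = null;
      committed = { ...committed, vatGeneration: committed.vatGeneration + 1 };
      log.push(`crank failed (${crankFailure.message}); vat restarted from committed state`);
      return { ok: false, error: crankFailure.message };
    }
    committed = working;
    working = null;
    return { ok: true };
  }

  return { runCrank, getState: () => committed, getLog: () => log.slice() };
}

// Constructed scenario: one healthy crank, then a crank whose second
// syscall is malformed. The vat still sees 'ok' for every call.
function demo() {
  const kernel = makeKernel();
  const good = kernel.runCrank((syscall) => {
    syscall('send', 'o+1', 'foo');
    syscall('send', 'o+2', 'bar');
  });
  const results = [];
  const bad = kernel.runCrank((syscall) => {
    results.push(syscall('send', 'o+3', 'baz'));
    results.push(syscall('send', 42, 'oops'));     // kernel handler throws
    results.push(syscall('send', 'o+4', 'after')); // vat still told ok
  });
  return { good, bad, results, state: kernel.getState(), log: kernel.getLog() };
}
```

Running `demo()` shows the two halves of the design: `results` is three `['ok', null]` entries even though the middle syscall failed, while the committed state still holds only the two sends from the healthy crank and `vatGeneration` has advanced to 1, signalling the restart.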