fix(task): fix fork heap inheritance and child_tid handling

Bug 1 - Fork not inheriting heap pointers:
After fork, child's heap_bottom/heap_top were reset to USER_HEAP_BASE
instead of inheriting parent's heap state, causing brk() to fail.
Fix: Copy heap pointers from parent to child in fork path.

Bug 2 - set_child_tid/clear_child_tid NULL pointer issues:
When CLONE_CHILD_SETTID or CLONE_CHILD_CLEARTID flags were set but
child_tid was NULL, kernel would access invalid memory.
Fix: Check address is non-NULL before processing, pass as usize,
write using aspace.write() in child's context.

Bug 3 - execve not clearing clear_child_tid:
After execve, clear_child_tid from old address space remained set,
causing invalid memory access on process exit.
Fix: Clear clear_child_tid after execve.

Author: sunhaosheng-kylin

api/src/syscall/task/clone.rs

@@ -127,8 +127,10 @@ pub fn sys_clone(
     }
     new_uctx.set_retval(0);
 
-    let set_child_tid = if flags.contains(CloneFlags::CHILD_SETTID) {
-        Some(UserPtr::<u32>::from(child_tid).get_as_mut()?)
+    // Pass child_tid address instead of pointer reference
+    // Check both the flag and whether the address is non-NULL
+    let set_child_tid = if flags.contains(CloneFlags::CHILD_SETTID) && child_tid != 0 {
+        Some(child_tid)
     } else {
         None
     };
@@ -182,6 +184,9 @@ pub fn sys_clone(
             exit_signal,
         );
         proc_data.set_umask(old_proc_data.umask());
+        // Inherit heap pointers from parent to ensure child's heap state is consistent after fork
+        proc_data.set_heap_bottom(old_proc_data.get_heap_bottom());
+        proc_data.set_heap_top(old_proc_data.get_heap_top());
 
         {
             let mut scope = proc_data.scope.write();
@@ -215,7 +220,7 @@ pub fn sys_clone(
     }
 
     let thr = Thread::new(tid, new_proc_data);
-    if flags.contains(CloneFlags::CHILD_CLEARTID) {
+    if flags.contains(CloneFlags::CHILD_CLEARTID) && child_tid != 0 {
         thr.set_clear_child_tid(child_tid);
     }
     *new_task.task_ext_mut() = Some(unsafe { AxTaskExt::from_impl(thr) });

api/src/syscall/task/execve.rs

@@ -65,6 +65,9 @@ pub fn sys_execve(
 
     *proc_data.signal.actions.lock() = Default::default();
 
+    // Clear set_child_tid after exec since the original address is no longer valid
+    curr.as_thread().set_clear_child_tid(0);
+
     // Close CLOEXEC file descriptors
     let mut fd_table = FD_TABLE.write();
     let cloexec_fds = fd_table

api/src/task.rs

@@ -5,9 +5,9 @@ use axhal::uspace::{ExceptionKind, ReturnReason, UserContext};
 use axtask::{TaskInner, current};
 use bytemuck::AnyBitPattern;
 use linux_raw_sys::general::ROBUST_LIST_LIMIT;
+use memory_addr::VirtAddr;
 use starry_core::{
     futex::FutexKey,
-    mm::access_user_memory,
     shm::SHM_MANAGER,
     task::{
         AsThread, get_process_data, get_task, send_signal_to_process, send_signal_to_thread,
@@ -28,16 +28,26 @@ use crate::{
 pub fn new_user_task(
     name: &str,
     mut uctx: UserContext,
-    set_child_tid: Option<&'static mut Pid>,
+    set_child_tid: Option<usize>, // Pass address instead of pointer
 ) -> TaskInner {
     TaskInner::new(
         move || {
             let curr = axtask::current();
-            access_user_memory(|| {
-                if let Some(tid) = set_child_tid {
-                    *tid = curr.id().as_u64() as Pid;
+
+            // Write set_child_tid in child task's context
+            if let Some(tid_addr) = set_child_tid {
+                if tid_addr != 0 {
+                    let thr = curr.as_thread();
+                    let aspace = thr.proc_data.aspace.lock();
+                    let tid_value = curr.id().as_u64() as u32;
+                    let tid_bytes = tid_value.to_ne_bytes();
+                    // Use address space's write method to directly write to user memory
+                    if let Err(e) = aspace.write(VirtAddr::from_usize(tid_addr), &tid_bytes) {
+                        warn!("Failed to write set_child_tid at {:#x}: {:?}", tid_addr, e);
+                    }
+                    drop(aspace);
                 }
-            });
+            }
 
             info!("Enter user space: ip={:#x}, sp={:#x}", uctx.ip(), uctx.sp());
 
@@ -164,21 +174,31 @@ pub fn do_exit(exit_code: i32, group_exit: bool) {
 
     info!("{} exit with code: {}", curr.id_name(), exit_code);
 
-    let clear_child_tid = thr.clear_child_tid() as *mut u32;
-    if clear_child_tid.vm_write(0).is_ok() {
-        let key = FutexKey::new_current(clear_child_tid as usize);
-        let table = thr.proc_data.futex_table_for(&key);
-        let guard = table.get(&key);
-        if let Some(futex) = guard {
-            futex.wq.wake(1, u32::MAX);
+    let clear_child_tid = thr.clear_child_tid() as usize;
+    // Try to write clear_child_tid, but first check if address is in valid address space.
+    if clear_child_tid != 0 {
+        let aspace = thr.proc_data.aspace.lock();
+        // Check if address is in a valid area
+        let addr_valid = aspace.contains_range(VirtAddr::from_usize(clear_child_tid), 4);
+        drop(aspace);
+
+        if addr_valid {
+            if let Ok(()) = (clear_child_tid as *mut u32).vm_write(0) {
+                let key = FutexKey::new_current(clear_child_tid);
+                let table = thr.proc_data.futex_table_for(&key);
+                let guard = table.get(&key);
+                if let Some(futex) = guard {
+                    futex.wq.wake(1, u32::MAX);
+                }
+                axtask::yield_now();
+            }
         }
-        axtask::yield_now();
     }
     let head = thr.robust_list_head() as *const RobustListHead;
-    if !head.is_null()
-        && let Err(err) = exit_robust_list(head)
-    {
-        warn!("exit robust list failed: {err:?}");
+    if !head.is_null() {
+        if let Err(err) = exit_robust_list(head) {
+            warn!("exit robust list failed: {err:?}");
+        }
     }
 
     let process = &thr.proc_data.proc;
@@ -213,11 +233,18 @@ pub fn raise_signal_fatal(sig: SignalInfo) -> AxResult<()> {
 
     let signo = sig.signo();
     info!("Send fatal signal {signo:?} to the current process");
-    if let Some(tid) = proc_data.signal.send_signal(sig)
-        && let Ok(task) = get_task(tid)
-    {
-        task.interrupt();
+    let handled = if let Some(tid) = proc_data.signal.send_signal(sig) {
+        if let Ok(task) = get_task(tid) {
+            task.interrupt();
+            true
+        } else {
+            false
+        }
     } else {
+        false
+    };
+
+    if !handled {
         // No task wants to handle the signal, abort the task
         do_exit(signo as i32, true);
     }