Add read_panic_message kipc

Currently, there is no way to programmatically access the panic message
of a task which has faulted due to a Rust panic fron within the Hubris
userspace. This branch adds a new `read_panic_message` kipc that copies
the contents of a panicked task's panic message buffer into the caller.
If the requested task has not panicked, this kipc returns an error
indicating this. This is intended by use by supervisor implementations
or other tasks which wish to report panic messages from userspace.

I've also added a test case that exercises this functionality.

Fixes #2311

Author: hawkw

doc/kipc.adoc

@@ -402,6 +402,47 @@ while let Some(fault) = kipc::find_faulted_task(next_task) {
 }
 ----
 
+=== `read_panic_message` (10)
+
+If the task with the requested index is in the faulted state due to a panic,
+reads the contents of its panic message into the response buffer.
+
+==== Request
+
+[source,rust]
+----
+struct ReadPanicMessageRequest {
+    task_index: u32,
+}
+----
+
+==== Preconditions
+
+`task_index` must be a valid task index for this system.
+
+==== Response
+
+[source,rust]
+----
+Result<&str, abi::ReadPanicMessageError>
+----
+
+==== Notes
+
+If the requested task is not currently in the faulted state due to a panic,
+this KIPC returns the `abi::ReadPanicMessageError::TaskNotPanicked` response code.
+
+If the requested task has panicked, but the buffer containing its panic
+message is invalid, this KIPC returns the
+`abi::ReadPanicMessageError::BadPanicMessage` response code. If the target task
+uses the panic handler provided by the `userlib` crate, this should not be
+possible. However, it may occur if a task calls the `sys_panic` syscall
+directly with invalid arguments.
+
+The panic message is truncated to the length of the response buffer. Since
+Hubris only stores the first 128 bytes of panic messages, a 128-byte response
+buffer will never result in further truncation.
+
 == Receiving from the kernel
 
 The kernel never sends messages to tasks. It's simply not equipped to do so.

sys/abi/src/lib.rs

@@ -512,6 +512,7 @@ pub enum Kipcnum {
     ReadTaskDumpRegion = 7,
     SoftwareIrq = 8,
     FindFaultedTask = 9,
+    ReadPanicMessage = 10,
 }
 
 impl core::convert::TryFrom<u16> for Kipcnum {
@@ -528,6 +529,7 @@ impl core::convert::TryFrom<u16> for Kipcnum {
             7 => Ok(Self::ReadTaskDumpRegion),
             8 => Ok(Self::SoftwareIrq),
             9 => Ok(Self::FindFaultedTask),
+            10 => Ok(Self::ReadPanicMessage),
             _ => Err(()),
         }
     }
@@ -582,3 +584,29 @@ bitflags::bitflags! {
         const CLEAR_PENDING = 1 << 1;
     }
 }
+
+/// Errors returned by [`Kipcnum::ReadPanicMessage`].
+#[derive(Debug, Copy, Clone, Eq, PartialEq)]
+#[repr(u32)]
+pub enum ReadPanicMessageError {
+    /// The task in question has not panicked.
+    TaskNotPanicked = 1,
+    /// The task has panicked, but its panic message buffer is invalid, so the
+    /// kernel has not let us have it.
+    BadPanicMessage = 2,
+}
+
+/// We're using an explicit `TryFrom` impl for `ReadPanicMessageError` instead of
+/// `FromPrimitive` because the kernel doesn't currently depend on `num-traits`
+/// and this seems okay.
+impl core::convert::TryFrom<u32> for ReadPanicMessageError {
+    type Error = ();
+
+    fn try_from(x: u32) -> Result<Self, Self::Error> {
+        match x {
+            1 => Ok(Self::TaskNotPanicked),
+            2 => Ok(Self::BadPanicMessage),
+            _ => Err(()),
+        }
+    }
+}

sys/kern/src/kipc.rs

@@ -11,7 +11,7 @@ use unwrap_lite::UnwrapLite;
 use crate::arch;
 use crate::err::UserError;
 use crate::task::{current_id, ArchState, NextTask, Task};
-use crate::umem::USlice;
+use crate::umem::{safe_copy, USlice};
 
 /// Message dispatcher.
 pub fn handle_kernel_message(
@@ -43,6 +43,9 @@ pub fn handle_kernel_message(
         Ok(Kipcnum::FindFaultedTask) => {
             find_faulted_task(tasks, caller, args.message?, args.response?)
         }
+        Ok(Kipcnum::ReadPanicMessage) => {
+            read_panic_message(tasks, caller, args.message?, args.response?)
+        }
 
         _ => {
             // Task has sent an unknown message to the kernel. That's bad.
@@ -507,3 +510,61 @@ fn find_faulted_task(
         .set_send_response_and_length(0, response_len);
     Ok(NextTask::Same)
 }
+
+fn read_panic_message(
+    tasks: &mut [Task],
+    caller: usize,
+    message: USlice<u8>,
+    response: USlice<u8>,
+) -> Result<NextTask, UserError> {
+    let index: u32 = deserialize_message(&tasks[caller], message)?;
+    let index = index as usize;
+    if index >= tasks.len() {
+        return Err(UserError::Unrecoverable(FaultInfo::SyscallUsage(
+            UsageError::TaskOutOfRange,
+        )));
+    }
+
+    if let TaskState::Faulted {
+        fault: FaultInfo::Panic,
+        ..
+    } = tasks[index].state()
+    {
+        // Okay, good
+    } else {
+        return Err(UserError::Recoverable(
+            abi::ReadPanicMessageError::TaskNotPanicked as u32,
+            NextTask::Same,
+        ));
+    }
+
+    let Ok(message) = tasks[index].save().as_panic_args().message else {
+        // XXX(eliza): should we have a whole error code for this, or just
+        // return length 0?
+        return Err(UserError::Recoverable(
+            abi::ReadPanicMessageError::BadPanicMessage as u32,
+            NextTask::Same,
+        ));
+    };
+
+    match safe_copy(tasks, index, message, caller, response) {
+        Ok(len) => {
+            tasks[caller]
+                .save_mut()
+                .set_send_response_and_length(0, len);
+
+            Ok(NextTask::Same)
+        }
+        Err(crate::err::InteractFault {
+            dst: Some(fault), ..
+        }) => Err(UserError::Unrecoverable(fault)),
+        Err(_) => {
+            // Source region was bad, but it's not the caller's fault; give them
+            // a recoverable error.
+            Err(UserError::Recoverable(
+                abi::ReadPanicMessageError::BadPanicMessage as u32,
+                NextTask::Same,
+            ))
+        }
+    }
+}

sys/userlib/src/kipc.rs

@@ -16,7 +16,7 @@
 
 use core::num::NonZeroUsize;
 
-use abi::{Kipcnum, TaskId};
+use abi::{Kipcnum, ReadPanicMessageError, TaskId};
 use zerocopy::IntoBytes;
 
 use crate::{sys_send, UnwrapLite};
@@ -162,3 +162,37 @@ pub fn software_irq(task: usize, mask: u32) {
         &[],
     );
 }
+
+/// Reads a task's panic message into the provided `buf`, if the task is
+/// panicked.
+///
+/// # Returns
+///
+/// - [`Ok`]`(&[u8])` if the task is panicked. The returned slice is borrowed
+///    from `buf`, and contains the task's panic message as a sequence of
+///   UTF-8 bytes. Note that the slice may be empty, if the task has panicked
+///   but was compiled without panic messages enabled.
+/// - [`Err`]`(`[`ReadPanicMessageError::TaskNotPanicked`]`)` if the task is
+///   not currently faulted due to a panic.
+/// - [`Err`]`(`[`ReadPanicMessageError::BadPanicMessage`]`)` if the task has
+///   panicked but the panic message buffer is invalid to read from.
+pub fn read_panic_message(
+    task: usize,
+    buf: &mut [u8; 128],
+) -> Result<&[u8], ReadPanicMessageError> {
+    let task = task as u32;
+    let (rc, len) = sys_send(
+        TaskId::KERNEL,
+        Kipcnum::ReadPanicMessage as u16,
+        &task.as_bytes(),
+        &mut buf[..],
+        &[],
+    );
+
+    if rc == 0 {
+        Ok(&buf[..len])
+    } else {
+        // If the kernel sent us an unknown response code....i dunno, guess i'll die?
+        Err(ReadPanicMessageError::try_from(rc).unwrap_lite())
+    }
+}

test/test-api/src/lib.rs

@@ -85,3 +85,6 @@ impl TryFrom<u32> for TestResult {
         }
     }
 }
+
+/// Panic message used when asking the test assistant to panic.
+pub const ASSIST_PANIC: &str = "wow this blew up, here's my soundcloud";

test/test-assist/src/main.rs

@@ -24,7 +24,7 @@ fn badread(arg: u32) {
 }
 
 fn panic(_arg: u32) {
-    panic!("wow this blew up, here's my soundcloud");
+    panic!("{}", test_api::ASSIST_PANIC);
 }
 
 #[inline(never)]

test/test-suite/src/main.rs

@@ -134,6 +134,7 @@ test_cases! {
     test_irq_status,
     #[cfg(feature = "fru-id-eeprom")]
     at24csw080::test_at24csw080,
+    test_read_panic_message,
 }
 
 /// Tests that we can send a message to our assistant, and that the assistant
@@ -1553,6 +1554,38 @@ fn test_irq_status() {
     assert_eq!(status, expected_status);
 }
 
+/// Tests that when a task panics, its panic message can be read via the `read_panic_message` kipc.
+fn test_read_panic_message() {
+    set_autorestart(false);
+
+    let mut buf = [0u8; 128];
+
+    match kipc::read_panic_message(ASSIST.get_task_index().into(), &mut buf) {
+        Err(userlib::ReadPanicMessageError::TaskNotPanicked) => {}
+        x => panic!("expected `Err(TaskNotPanicked)`, got: {x:?}"),
+    }
+
+    // Ask the assistant to panic.
+    let assist = assist_task_id();
+    let mut response = 0u32;
+    let (_, _) = userlib::sys_send(
+        assist,
+        AssistOp::Panic as u16,
+        &0u32.to_le_bytes(),
+        response.as_mut_bytes(),
+        &[],
+    );
+
+    let msg =
+        kipc::read_panic_message(ASSIST.get_task_index().into(), &mut buf)
+            .unwrap();
+    // it should look kinda like a panic message (but since the line number may
+    // change, don't make assertions about the entire contents of the string...
+    assert!(core::str::from_utf8(&msg)
+        .expect("string shouldn't be corrupted")
+        .starts_with("panicked at"));
+}
+
 /// Asks the test runner (running as supervisor) to please trigger a software
 /// interrupt for `notifications::TEST_IRQ`, thank you.
 #[track_caller]