Handle PMP access faults with dynamic region loading

HeatCrab · HeatCrab · commit f484ff0aa5af · 2025-11-04T16:30:27.000+08:00
When a task accesses memory that is not currently loaded in a PMP region,
the hardware raises an access fault. Rather than immediately panicking, we
now attempt to recover by dynamically loading the required region. This
enables a task to access more memory than can fit simultaneously in the
16 available hardware regions.

If all regions are in use, we select a victim region and evict it to make
space. This requires exposing internal region management functions in the
public header so the handler can invoke them.

Simplify function documentation at implementation sites since detailed
documentation now resides in headers.

Address register read helpers are marked unused as the current
implementation maintains shadow state in memory rather than reading
hardware registers. They remain available for potential future use cases
requiring hardware state verification.
diff --git a/arch/riscv/hal.c b/arch/riscv/hal.c
@@ -3,6 +3,7 @@
 #include <sys/task.h>
 
 #include "csr.h"
+#include "pmp.h"
 #include "private/stdio.h"
 #include "private/utils.h"
 
@@ -294,6 +295,12 @@ void do_trap(uint32_t cause, uint32_t epc)
         const char *reason = "Unknown exception";
         if (code < ARRAY_SIZE(exc_msg) && exc_msg[code])
             reason = exc_msg[code];
+
+        /* Attempt to recover PMP access faults */
+        if ((code == 5 || code == 7) && pmp_handle_access_fault(epc, code == 7) == 0)
+            return;
+
+        /* All other exceptions are fatal */
         printf("[EXCEPTION] code=%u (%s), epc=%08x, cause=%08x\n", code, reason,
                epc, cause);
         hal_panic();
diff --git a/arch/riscv/pmp.c b/arch/riscv/pmp.c
@@ -5,6 +5,7 @@
 
 #include <hal.h>
 #include <sys/memprot.h>
+#include <sys/task.h>
 #include "csr.h"
 #include "pmp.h"
 #include "private/error.h"
@@ -42,8 +43,13 @@ static void write_pmpcfg(uint8_t idx, uint32_t val)
     }
 }
 
-/* Read PMP address register by index (0-15) */
-static uint32_t read_pmpaddr(uint8_t idx)
+/* Read PMP address register by index (0-15)
+ *
+ * Currently unused as the implementation maintains shadow state in memory
+ * rather than reading hardware registers. Provided for API completeness
+ * and potential future use cases requiring hardware state verification.
+ */
+static uint32_t __attribute__((unused)) read_pmpaddr(uint8_t idx)
 {
     switch (idx) {
     case 0: return read_csr_num(CSR_PMPADDR0);
@@ -382,3 +388,40 @@ int32_t pmp_check_access(const pmp_config_t *config, uint32_t addr,
     /* Access not covered by any region */
     return 0;
 }
+
+int32_t pmp_handle_access_fault(uint32_t epc, uint8_t is_write)
+{
+    if (!kcb || !kcb->task_current || !kcb->task_current->data)
+        return -1;
+
+    memspace_t *mspace = ((tcb_t *)kcb->task_current->data)->mspace;
+    if (!mspace)
+        return -1;
+
+    /* Find flexpage containing faulting address */
+    fpage_t *target_fpage = NULL;
+    for (fpage_t *fp = mspace->first; fp; fp = fp->as_next) {
+        if (epc >= fp->base && epc < (fp->base + fp->size)) {
+            target_fpage = fp;
+            break;
+        }
+    }
+
+    if (!target_fpage || target_fpage->pmp_id != 0)
+        return -1;
+
+    pmp_config_t *config = pmp_get_config();
+    if (!config)
+        return -1;
+
+    /* Load into available region or evict victim */
+    if (config->next_region_idx < PMP_MAX_REGIONS)
+        return pmp_load_fpage(target_fpage, config->next_region_idx);
+
+    fpage_t *victim = select_victim_fpage(mspace);
+    if (!victim)
+        return -1;
+
+    int32_t ret = pmp_evict_fpage(victim);
+    return (ret == 0) ? pmp_load_fpage(target_fpage, victim->pmp_id) : ret;
+}
diff --git a/arch/riscv/pmp.h b/arch/riscv/pmp.h
@@ -107,3 +107,15 @@ int32_t pmp_init_pools(pmp_config_t *config, const mempool_t *pools,
  * Returns 0 on success, or negative error code on failure.
  */
 int32_t pmp_init_kernel(pmp_config_t *config);
+
+/* Handles PMP access violations (exception codes 5 and 7).
+ *
+ * Attempts to recover from PMP access faults by loading the required memory
+ * region into a hardware PMP region. If all 16 regions are in use, selects a
+ * victim for eviction and reuses its region.
+ *
+ * @epc : Program counter where violation occurred
+ * @is_write : 1 for store/AMO access (exception code 7), 0 for load (code 5)
+ * Returns 0 on successful recovery, negative error code on failure.
+ */
+int32_t pmp_handle_access_fault(uint32_t epc, uint8_t is_write);
diff --git a/include/sys/memprot.h b/include/sys/memprot.h
@@ -105,3 +105,26 @@ memspace_t *mo_memspace_create(uint32_t as_id, uint32_t shared);
  * @mspace : Pointer to memory space to destroy
  */
 void mo_memspace_destroy(memspace_t *mspace);
+
+/* PMP Hardware Loading Functions */
+
+/* Loads a flexpage into a PMP hardware region.
+ * @fpage : Pointer to flexpage to load
+ * @region_idx : Hardware PMP region index (0-15)
+ * Returns 0 on success, or negative error code on failure.
+ */
+int32_t pmp_load_fpage(fpage_t *fpage, uint8_t region_idx);
+
+/* Evicts a flexpage from its PMP hardware region.
+ * @fpage : Pointer to flexpage to evict
+ * Returns 0 on success, or negative error code on failure.
+ */
+int32_t pmp_evict_fpage(fpage_t *fpage);
+
+/* Victim Selection for PMP Region Eviction
+ *
+ * Selects a flexpage for eviction using priority-based algorithm.
+ * @mspace : Pointer to memory space
+ * Returns pointer to victim flexpage, or NULL if no evictable page found.
+ */
+fpage_t *select_victim_fpage(memspace_t *mspace);
diff --git a/kernel/memprot.c b/kernel/memprot.c
@@ -42,11 +42,7 @@ void mo_fpage_destroy(fpage_t *fpage)
     free(fpage);
 }
 
-/* Selects victim flexpage for eviction using priority-based algorithm.
- *
- * @mspace : Pointer to memory space
- * Returns pointer to victim flexpage, or NULL if no evictable page found.
- */
+/* Selects victim flexpage for eviction using priority-based algorithm */
 fpage_t *select_victim_fpage(memspace_t *mspace)
 {
     if (!mspace)
@@ -67,12 +63,7 @@ fpage_t *select_victim_fpage(memspace_t *mspace)
     return victim;
 }
 
-/* Loads a flexpage into a PMP hardware region.
- *
- * @fpage : Pointer to flexpage to load
- * @region_idx : Hardware PMP region index (0-15)
- * Returns 0 on success, or negative error code on failure.
- */
+/* Loads a flexpage into a PMP hardware region */
 int32_t pmp_load_fpage(fpage_t *fpage, uint8_t region_idx)
 {
     if (!fpage)
@@ -100,11 +91,7 @@ int32_t pmp_load_fpage(fpage_t *fpage, uint8_t region_idx)
     return ret;
 }
 
-/* Evicts a flexpage from its PMP hardware region.
- *
- * @fpage : Pointer to flexpage to evict
- * Returns 0 on success, or negative error code on failure.
- */
+/* Evicts a flexpage from its PMP hardware region */
 int32_t pmp_evict_fpage(fpage_t *fpage)
 {
     if (!fpage)
@@ -126,12 +113,7 @@ int32_t pmp_evict_fpage(fpage_t *fpage)
     return ret;
 }
 
-/* Creates and initializes a memory space.
- *
- * @as_id : Memory space identifier
- * @shared : Whether this space can be shared across tasks
- * Returns pointer to created memory space, or NULL on failure.
- */
+/* Creates and initializes a memory space */
 memspace_t *mo_memspace_create(uint32_t as_id, uint32_t shared)
 {
     memspace_t *mspace = malloc(sizeof(memspace_t));
@@ -147,10 +129,7 @@ memspace_t *mo_memspace_create(uint32_t as_id, uint32_t shared)
     return mspace;
 }
 
-/* Destroys a memory space and all its flexpages.
- *
- * @mspace : Pointer to memory space to destroy
- */
+/* Destroys a memory space and all its flexpages */
 void mo_memspace_destroy(memspace_t *mspace)
 {
     if (!mspace)
