Panic: Guard against infinite panic loops

Author: andre-richter

01_wait_forever/src/panic_wait.rs

@@ -6,6 +6,10 @@
 
 use core::panic::PanicInfo;
 
+//--------------------------------------------------------------------------------------------------
+// Private Code
+//--------------------------------------------------------------------------------------------------
+
 #[panic_handler]
 fn panic(_info: &PanicInfo) -> ! {
     unimplemented!()

02_runtime_init/README.md

@@ -327,13 +327,16 @@ diff -uNr 01_wait_forever/src/main.rs 02_runtime_init/src/main.rs
 diff -uNr 01_wait_forever/src/panic_wait.rs 02_runtime_init/src/panic_wait.rs
 --- 01_wait_forever/src/panic_wait.rs
 +++ 02_runtime_init/src/panic_wait.rs
-@@ -4,9 +4,10 @@
+@@ -4,6 +4,7 @@
 
  //! A panic handler that infinitely waits.
 
 +use crate::cpu;
  use core::panic::PanicInfo;
 
+ //--------------------------------------------------------------------------------------------------
+@@ -12,5 +13,5 @@
+
  #[panic_handler]
  fn panic(_info: &PanicInfo) -> ! {
 -    unimplemented!()

02_runtime_init/src/panic_wait.rs

@@ -7,6 +7,10 @@
 use crate::cpu;
 use core::panic::PanicInfo;
 
+//--------------------------------------------------------------------------------------------------
+// Private Code
+//--------------------------------------------------------------------------------------------------
+
 #[panic_handler]
 fn panic(_info: &PanicInfo) -> ! {
     cpu::wait_forever()

03_hacky_hello_world/README.md

@@ -238,17 +238,53 @@ diff -uNr 02_runtime_init/src/main.rs 03_hacky_hello_world/src/main.rs
 diff -uNr 02_runtime_init/src/panic_wait.rs 03_hacky_hello_world/src/panic_wait.rs
 --- 02_runtime_init/src/panic_wait.rs
 +++ 03_hacky_hello_world/src/panic_wait.rs
-@@ -4,10 +4,16 @@
+@@ -4,14 +4,52 @@
 
  //! A panic handler that infinitely waits.
 
 -use crate::cpu;
 +use crate::{cpu, println};
  use core::panic::PanicInfo;
 
+ //--------------------------------------------------------------------------------------------------
+ // Private Code
+ //--------------------------------------------------------------------------------------------------
+
++/// Stop immediately if called a second time.
++///
++/// # Note
++///
++/// Using atomics here relieves us from needing to use `unsafe` for the static variable.
++///
++/// On `AArch64`, which is the only implemented architecture at the time of writing this,
++/// [`AtomicBool::load`] and [`AtomicBool::store`] are lowered to ordinary load and store
++/// instructions. They are therefore safe to use even with MMU + caching deactivated.
++///
++/// [`AtomicBool::load`]: core::sync::atomic::AtomicBool::load
++/// [`AtomicBool::store`]: core::sync::atomic::AtomicBool::store
++fn panic_prevent_reenter() {
++    use core::sync::atomic::{AtomicBool, Ordering};
++
++    #[cfg(not(target_arch = "aarch64"))]
++    compile_error!("Add the target_arch to above's check if the following code is safe to use");
++
++    static PANIC_IN_PROGRESS: AtomicBool = AtomicBool::new(false);
++
++    if !PANIC_IN_PROGRESS.load(Ordering::Relaxed) {
++        PANIC_IN_PROGRESS.store(true, Ordering::Relaxed);
++
++        return;
++    }
++
++    cpu::wait_forever()
++}
++
  #[panic_handler]
 -fn panic(_info: &PanicInfo) -> ! {
 +fn panic(info: &PanicInfo) -> ! {
++    // Protect against panic infinite loops if any of the following code panics itself.
++    panic_prevent_reenter();
++
 +    if let Some(args) = info.message() {
 +        println!("\nKernel panic: {}", args);
 +    } else {

03_hacky_hello_world/src/panic_wait.rs

@@ -7,8 +7,44 @@
 use crate::{cpu, println};
 use core::panic::PanicInfo;
 
+//--------------------------------------------------------------------------------------------------
+// Private Code
+//--------------------------------------------------------------------------------------------------
+
+/// Stop immediately if called a second time.
+///
+/// # Note
+///
+/// Using atomics here relieves us from needing to use `unsafe` for the static variable.
+///
+/// On `AArch64`, which is the only implemented architecture at the time of writing this,
+/// [`AtomicBool::load`] and [`AtomicBool::store`] are lowered to ordinary load and store
+/// instructions. They are therefore safe to use even with MMU + caching deactivated.
+///
+/// [`AtomicBool::load`]: core::sync::atomic::AtomicBool::load
+/// [`AtomicBool::store`]: core::sync::atomic::AtomicBool::store
+fn panic_prevent_reenter() {
+    use core::sync::atomic::{AtomicBool, Ordering};
+
+    #[cfg(not(target_arch = "aarch64"))]
+    compile_error!("Add the target_arch to above's check if the following code is safe to use");
+
+    static PANIC_IN_PROGRESS: AtomicBool = AtomicBool::new(false);
+
+    if !PANIC_IN_PROGRESS.load(Ordering::Relaxed) {
+        PANIC_IN_PROGRESS.store(true, Ordering::Relaxed);
+
+        return;
+    }
+
+    cpu::wait_forever()
+}
+
 #[panic_handler]
 fn panic(info: &PanicInfo) -> ! {
+    // Protect against panic infinite loops if any of the following code panics itself.
+    panic_prevent_reenter();
+
     if let Some(args) = info.message() {
         println!("\nKernel panic: {}", args);
     } else {

04_safe_globals/src/panic_wait.rs

@@ -7,8 +7,44 @@
 use crate::{cpu, println};
 use core::panic::PanicInfo;
 
+//--------------------------------------------------------------------------------------------------
+// Private Code
+//--------------------------------------------------------------------------------------------------
+
+/// Stop immediately if called a second time.
+///
+/// # Note
+///
+/// Using atomics here relieves us from needing to use `unsafe` for the static variable.
+///
+/// On `AArch64`, which is the only implemented architecture at the time of writing this,
+/// [`AtomicBool::load`] and [`AtomicBool::store`] are lowered to ordinary load and store
+/// instructions. They are therefore safe to use even with MMU + caching deactivated.
+///
+/// [`AtomicBool::load`]: core::sync::atomic::AtomicBool::load
+/// [`AtomicBool::store`]: core::sync::atomic::AtomicBool::store
+fn panic_prevent_reenter() {
+    use core::sync::atomic::{AtomicBool, Ordering};
+
+    #[cfg(not(target_arch = "aarch64"))]
+    compile_error!("Add the target_arch to above's check if the following code is safe to use");
+
+    static PANIC_IN_PROGRESS: AtomicBool = AtomicBool::new(false);
+
+    if !PANIC_IN_PROGRESS.load(Ordering::Relaxed) {
+        PANIC_IN_PROGRESS.store(true, Ordering::Relaxed);
+
+        return;
+    }
+
+    cpu::wait_forever()
+}
+
 #[panic_handler]
 fn panic(info: &PanicInfo) -> ! {
+    // Protect against panic infinite loops if any of the following code panics itself.
+    panic_prevent_reenter();
+
     if let Some(args) = info.message() {
         println!("\nKernel panic: {}", args);
     } else {

05_drivers_gpio_uart/README.md

@@ -1414,19 +1414,19 @@ diff -uNr 04_safe_globals/src/main.rs 05_drivers_gpio_uart/src/main.rs
 diff -uNr 04_safe_globals/src/panic_wait.rs 05_drivers_gpio_uart/src/panic_wait.rs
 --- 04_safe_globals/src/panic_wait.rs
 +++ 05_drivers_gpio_uart/src/panic_wait.rs
-@@ -4,15 +4,35 @@
+@@ -4,13 +4,29 @@
 
  //! A panic handler that infinitely waits.
 
 -use crate::{cpu, println};
 -use core::panic::PanicInfo;
 +use crate::{bsp, cpu};
 +use core::{fmt, panic::PanicInfo};
-+
-+//--------------------------------------------------------------------------------------------------
-+// Private Code
-+//--------------------------------------------------------------------------------------------------
-+
+
+ //--------------------------------------------------------------------------------------------------
+ // Private Code
+ //--------------------------------------------------------------------------------------------------
+
 +fn _panic_print(args: fmt::Arguments) {
 +    use fmt::Write;
 +
@@ -1442,9 +1442,13 @@ diff -uNr 04_safe_globals/src/panic_wait.rs 05_drivers_gpio_uart/src/panic_wait.
 +        _panic_print(format_args_nl!($($arg)*));
 +    })
 +}
++
+ /// Stop immediately if called a second time.
+ ///
+ /// # Note
+@@ -46,9 +62,9 @@
+     panic_prevent_reenter();
 
- #[panic_handler]
- fn panic(info: &PanicInfo) -> ! {
      if let Some(args) = info.message() {
 -        println!("\nKernel panic: {}", args);
 +        panic_println!("\nKernel panic: {}", args);

05_drivers_gpio_uart/src/panic_wait.rs

@@ -27,8 +27,40 @@ macro_rules! panic_println {
     })
 }
 
+/// Stop immediately if called a second time.
+///
+/// # Note
+///
+/// Using atomics here relieves us from needing to use `unsafe` for the static variable.
+///
+/// On `AArch64`, which is the only implemented architecture at the time of writing this,
+/// [`AtomicBool::load`] and [`AtomicBool::store`] are lowered to ordinary load and store
+/// instructions. They are therefore safe to use even with MMU + caching deactivated.
+///
+/// [`AtomicBool::load`]: core::sync::atomic::AtomicBool::load
+/// [`AtomicBool::store`]: core::sync::atomic::AtomicBool::store
+fn panic_prevent_reenter() {
+    use core::sync::atomic::{AtomicBool, Ordering};
+
+    #[cfg(not(target_arch = "aarch64"))]
+    compile_error!("Add the target_arch to above's check if the following code is safe to use");
+
+    static PANIC_IN_PROGRESS: AtomicBool = AtomicBool::new(false);
+
+    if !PANIC_IN_PROGRESS.load(Ordering::Relaxed) {
+        PANIC_IN_PROGRESS.store(true, Ordering::Relaxed);
+
+        return;
+    }
+
+    cpu::wait_forever()
+}
+
 #[panic_handler]
 fn panic(info: &PanicInfo) -> ! {
+    // Protect against panic infinite loops if any of the following code panics itself.
+    panic_prevent_reenter();
+
     if let Some(args) = info.message() {
         panic_println!("\nKernel panic: {}", args);
     } else {