logging: never leaves panic mode on fatal thread exception #11745
Comments
andrewboie
added
bug
|
@andrewboie can you help me with that? Is there a place in code code where we can be sure that system will not recover? |
|
@andrewboie, @nordic-krch any updates on this? |
|
no update. maybe @andrewboie could help me with answering question above. |
Just look at SysFatalErrorHandler, it makes a decision on whether the thread should simply be killed or the whole system taken down. |
|
@nordic-krch ping |
|
error handling has been reworked by @andrewboie and |
With the invocation of LOG_PANIC() moved to k_sys_fatal_error_handler(), I agree. |
Describe the bug
If a thread crashes, the kernel can decide to hang the system, or just kill the offending thread. The log subsystem enters panic mode to flush the logs and emit the exception data synchronously, but if the thread is simply killed the log subsystem never leaves panic mode.
Expected behavior
If the thread is simply killed, an API call is made to leave panic mode immediately before _SysFatalErrorHandler calls k_thread_abort().
Impact
If user mode is not used, low, since a fatal thread exception makes no guarantees on data corruption, the thread could have been executing kernel code leaving shared data structures in a bad state anyway, or blew its stack and messed up adjacent data structures. A supervisor mode thread crashing is always very bad news.
If the crashed thread was a user thread, then we can at least assert the core kernel is in a good state and this becomes more of an issue since the logging subsystem overhead increases greatly.
The text was updated successfully, but these errors were encountered: