Fix ISR-safe critical sections and document APIs

[jserv]

The CRITICAL_ENTER/LEAVE macros unconditionally enabled interrupts on leave, which corrupts interrupt state when called from ISR context (where MIE is already 0). Replace with nesting-aware save/restore: CRITICAL_ENTER saves MIE on first entry, CRITICAL_LEAVE restores it on last exit. Add underflow guard to CRITICAL_LEAVE.

This fixes mo_logger_enqueue() to use CRITICAL_ENTER instead of mo_mutex_lock so the [ISR-SAFE] contract is actually honored -- mutex blocks, which deadlocks in ISR context.

It also fixes realloc() missing CRITICAL_ENTER before fast paths that called CRITICAL_LEAVE, and add defensive CRITICAL_LEAVE before panic() in malloc().

ISR Context Safety Guide is added to hal-interrupt.md with function tables, callback patterns, and ISR-to-task communication examples.

---

Summary by cubic

Make critical sections ISR-safe by saving/restoring interrupt state with nesting. Prevents interrupt-state corruption and ISR deadlocks; updates logger/allocator and adds clear ISR safety guidance.

• Bug Fixes

  • CRITICAL_ENTER/LEAVE now track nesting and restore the original MIE; added underflow guard.
  • mo_logger_enqueue uses CRITICAL_ENTER (no mutex), making logging safe in ISR context.
  • Fixed realloc/malloc critical-section pairing; added defensive CRITICAL_LEAVE before panic().
  • Added kernel state for nesting and saved MIE to support correct restore behavior.

• New Features

  • Added ISR-safe UART helpers: isr_puts() and isr_putx() for emergency debug output.
  • Documented ISR safety across APIs with [ISR-SAFE]/[TASK-ONLY] annotations; timer management is ISR-safe and callback rules are explicit.
  • Added an ISR Context Safety Guide with function tables, callback patterns, and ISR-to-task communication examples.
  • Updated examples and comments to show ISR-safe logging from timer callbacks.

^{Written for commit 3474abb. Summary will update on new commits.}

[HeatCrab]

The realloc function drops the critical section before calling malloc(size), opening a race window. For safety, realloc should typically hold the lock throughout the operation, or strictly enforce that shared pointers must be protected by external locks.

[HeatCrab]

I noticed that critical_nesting and critical_saved_mie are implemented as global variables. Is it intended for Single Core? If so, it would be better to store them in TCB, or at least document this limitation in the file. Otherwise, it is not thread-safe. Any future change allowing preemption or yielding within a critical section would corrupt the interrupt state.

[jserv]

Is it intended for Single Core? If so, it would be better to store them in TCB, or at least document this limitation in the file.

The comments were refined to address SMP awareness.

[github-actions]

Linmo CI Test Results

Overall Status: ✅ passed
Timestamp: 2026-01-29T13:18:20+00:00
Commit: a2aedcb

Toolchain Results

Toolchain	Build	Crash Test	Functional
GNU	✅ passed	✅ passed	✅ passed
LLVM	✅ passed	⏭️ skipped	⏭️ skipped

Application Tests

App	GNU	LLVM
cond	✅ passed	⏭️ skipped
coop	✅ passed	⏭️ skipped
cpubench	✅ passed	⏭️ skipped
echo	✅ passed	⏭️ skipped
hello	✅ passed	⏭️ skipped
mqueues	✅ passed	⏭️ skipped
mutex	✅ passed	⏭️ skipped
pipes	✅ passed	⏭️ skipped
pipes_small	✅ passed	⏭️ skipped
pipes_struct	✅ passed	⏭️ skipped
prodcons	✅ passed	⏭️ skipped
progress	✅ passed	⏭️ skipped
rtsched	✅ passed	⏭️ skipped
semaphore	✅ passed	⏭️ skipped
suspend	✅ passed	⏭️ skipped
test64	✅ passed	⏭️ skipped
test_libc	✅ passed	⏭️ skipped
timer	✅ passed	⏭️ skipped
timer_kill	✅ passed	⏭️ skipped
umode	⚠️	⏭️ skipped

Functional Test Details

Test	GNU	LLVM
mutex:data_consistency	✅ passed	⏭️ skipped
mutex:fairness	✅ passed	⏭️ skipped
mutex:mutual_exclusion	✅ passed	⏭️ skipped
mutex:overall	✅ passed	⏭️ skipped
semaphore:overall	✅ passed	⏭️ skipped
umode:[exception]_illegal_instruction	✅ passed	⚠️
umode:pass:_sys_tid()_returned	✅ passed	⚠️
umode:pass:_sys_uptime()_returned	✅ passed	⚠️

---

Report generated from test-summary.toml