strat9_kernel/process/

elf.rs

//! ELF64 loader for Strat9-OS.
//!
//! Parses ELF64 headers and loads PT_LOAD segments into a user address space,
//! then creates a kernel task that trampolines into Ring 3 via IRETQ.
//!
//! Supports :
//!   - ET_EXEC
//!   - ET_DYN (PIE/static-PIE)
//!   - ELF64 little-endian x86_64 binaries.

use alloc::{sync::Arc, vec::Vec};
use x86_64::{
    structures::paging::{Mapper, Page, Size4KiB},
    VirtAddr,
};

use crate::{
    capability::Capability,
    memory::address_space::{AddressSpace, VmaFlags, VmaPageSize, VmaType},
    process::{
        task::{CpuContext, KernelStack, ResumeKind, SyncUnsafeCell, Task},
        TaskId, TaskPriority, TaskState,
    },
};

// ---------------------------------------------------------------------------
// ELF64 constants
// ---------------------------------------------------------------------------

const ELF_MAGIC: [u8; 4] = [0x7F, b'E', b'L', b'F'];
const ELFCLASS64: u8 = 2;
const ELFDATA2LSB: u8 = 1;
const ET_EXEC: u16 = 2;
const ET_DYN: u16 = 3;
const EV_CURRENT: u32 = 1;
const EM_X86_64: u16 = 62;
const PT_LOAD: u32 = 1;
const PT_DYNAMIC: u32 = 2;
const PT_INTERP: u32 = 3;
const PT_TLS: u32 = 7;
const PF_X: u32 = 1;
const PF_W: u32 = 2;
const PF_R: u32 = 4;
const DT_NULL: i64 = 0;
const DT_RELA: i64 = 7;
const DT_RELASZ: i64 = 8;
const DT_RELAENT: i64 = 9;
const DT_STRTAB: i64 = 5;
const DT_SYMTAB: i64 = 6;
const DT_SYMENT: i64 = 11;
const DT_JMPREL: i64 = 23;
const DT_PLTRELSZ: i64 = 2;
const DT_PLTREL: i64 = 20;
const DT_RELACOUNT: i64 = 0x6fff_fff9;
const DT_RELR: i64 = 36;
const DT_RELRSZ: i64 = 35;
const DT_RELRENT: i64 = 37;
const R_X86_64_RELATIVE: u32 = 8;
const R_X86_64_64: u32 = 1;
const R_X86_64_COPY: u32 = 5;
const R_X86_64_GLOB_DAT: u32 = 6;
const R_X86_64_JUMP_SLOT: u32 = 7;
const R_X86_64_TPOFF64: u32 = 18;
const R_X86_64_IRELATIVE: u32 = 37;

/// Maximum virtual address we accept for user-space mappings.
pub const USER_ADDR_MAX: u64 = 0x0000_8000_0000_0000;
/// Preferred base when placing ET_DYN (PIE) images.
const PIE_BASE_ADDR: u64 = 0x0000_0001_0000_0000;

/// User stack location (below the non-canonical gap).
pub const USER_STACK_BASE: u64 = 0x0000_7FFF_F000_0000;
/// Number of 4 KiB pages for the user stack (16 pages = 64 KiB).
pub const USER_STACK_PAGES: usize = 16;
/// Top of the user stack (stack grows down).
pub const USER_STACK_TOP: u64 = USER_STACK_BASE + (USER_STACK_PAGES as u64) * 4096;

/// Result of loading an ELF image into an address space.
#[derive(Debug, Clone, Copy)]
pub struct LoadedElfInfo {
    pub runtime_entry: u64,
    pub program_entry: u64,
    pub phdr_vaddr: u64,
    pub phent: u16,
    pub phnum: u16,
    pub interp_base: Option<u64>,
    pub tls_vaddr: u64,
    pub tls_filesz: u64,
    pub tls_memsz: u64,
    pub tls_align: u64,
}

// ---------------------------------------------------------------------------
// ELF64 header structures
// ---------------------------------------------------------------------------

/// ELF64 file header (64 bytes).
#[repr(C, packed)]
#[derive(Debug, Clone, Copy)]
struct Elf64Header {
    e_ident: [u8; 16],
    e_type: u16,
    e_machine: u16,
    e_version: u32,
    e_entry: u64,
    e_phoff: u64,
    e_shoff: u64,
    e_flags: u32,
    e_ehsize: u16,
    e_phentsize: u16,
    e_phnum: u16,
    e_shentsize: u16,
    e_shnum: u16,
    e_shstrndx: u16,
}

/// ELF64 program header (56 bytes).
#[repr(C, packed)]
#[derive(Debug, Clone, Copy)]
struct Elf64Phdr {
    p_type: u32,
    p_flags: u32,
    p_offset: u64,
    p_vaddr: u64,
    p_paddr: u64,
    p_filesz: u64,
    p_memsz: u64,
    p_align: u64,
}

#[repr(C, packed)]
#[derive(Debug, Clone, Copy)]
struct Elf64Dyn {
    d_tag: i64,
    d_val: u64,
}

#[repr(C, packed)]
#[derive(Debug, Clone, Copy)]
struct Elf64Rela {
    r_offset: u64,
    r_info: u64,
    r_addend: i64,
}

#[repr(C, packed)]
#[derive(Debug, Clone, Copy)]
struct Elf64Sym {
    st_name: u32,
    st_info: u8,
    st_other: u8,
    st_shndx: u16,
    st_value: u64,
    st_size: u64,
}

// ---------------------------------------------------------------------------
// Parsing
// ---------------------------------------------------------------------------

/// Parse and validate the ELF64 file header from raw bytes.
fn parse_header(data: &[u8]) -> Result<Elf64Header, &'static str> {
    if data.len() < core::mem::size_of::<Elf64Header>() {
        return Err("ELF data too small for header");
    }

    // SAFETY: data is large enough and Elf64Header is repr(C, packed) with no
    // alignment requirements beyond 1.
    let header: Elf64Header =
        unsafe { core::ptr::read_unaligned(data.as_ptr() as *const Elf64Header) };

    // Validate magic
    if header.e_ident[0..4] != ELF_MAGIC {
        return Err("Bad ELF magic");
    }

    // Class: 64-bit
    if header.e_ident[4] != ELFCLASS64 {
        return Err("Not ELF64");
    }

    // Data: little-endian
    if header.e_ident[5] != ELFDATA2LSB {
        return Err("Not little-endian ELF");
    }

    // Machine: x86_64
    if header.e_machine != EM_X86_64 {
        return Err("Not x86_64 ELF");
    }

    // Type: executable or shared object (PIE/static PIE executable image)
    if header.e_type != ET_EXEC && header.e_type != ET_DYN {
        return Err("Unsupported ELF type (expected ET_EXEC or ET_DYN)");
    }

    // ELF version
    if header.e_version != EV_CURRENT {
        return Err("Unsupported ELF version");
    }

    // Entry point must be canonical user space (for ET_DYN this is relative and
    // validated again after relocation). ET_EXEC must be non-zero.
    if header.e_entry >= USER_ADDR_MAX {
        return Err("Entry point outside user address range");
    }
    // Some toolchains/images can emit ET_EXEC with e_entry=0.
    // We handle this case later by deriving a fallback entry from PT_LOAD|PF_X.

    // Sanity check program headers
    if header.e_phentsize as usize != core::mem::size_of::<Elf64Phdr>() {
        return Err("Unexpected phentsize");
    }

    let ph_end = (header.e_phoff as usize)
        .checked_add((header.e_phnum as usize) * (header.e_phentsize as usize))
        .ok_or("Program header table overflows")?;
    if ph_end > data.len() {
        return Err("Program headers extend past file");
    }

    Ok(header)
}

/// Iterate over program headers in the ELF.
fn program_headers<'a>(
    data: &'a [u8],
    header: &Elf64Header,
) -> impl Iterator<Item = Elf64Phdr> + 'a {
    let phoff = header.e_phoff as usize;
    let phsize = header.e_phentsize as usize;
    let phnum = header.e_phnum as usize;

    (0..phnum).map(move |i| {
        let offset = phoff + i * phsize;
        // SAFETY: parse_header already validated that all program headers fit
        // within `data`, and Elf64Phdr is packed (align 1).
        unsafe { core::ptr::read_unaligned(data.as_ptr().add(offset) as *const Elf64Phdr) }
    })
}

/// Parses interp path.
fn parse_interp_path<'a>(
    elf_data: &'a [u8],
    phdrs: &[Elf64Phdr],
) -> Result<Option<&'a str>, &'static str> {
    let Some(interp) = phdrs.iter().find(|ph| ph.p_type == PT_INTERP) else {
        return Ok(None);
    };
    if interp.p_filesz == 0 {
        return Err("PT_INTERP has empty path");
    }
    let start = interp.p_offset as usize;
    let end = start
        .checked_add(interp.p_filesz as usize)
        .ok_or("PT_INTERP range overflow")?;
    if end > elf_data.len() {
        return Err("PT_INTERP extends past file");
    }
    let raw = &elf_data[start..end];
    let nul = raw
        .iter()
        .position(|&b| b == 0)
        .ok_or("PT_INTERP path is not NUL terminated")?;
    let s = core::str::from_utf8(&raw[..nul]).map_err(|_| "PT_INTERP path is not UTF-8")?;
    if s.is_empty() {
        return Err("PT_INTERP path is empty");
    }
    Ok(Some(s))
}

/// Performs the find relocated phdr vaddr operation.
fn find_relocated_phdr_vaddr(
    header: &Elf64Header,
    phdrs: &[Elf64Phdr],
    load_bias: u64,
) -> Result<u64, &'static str> {
    let phoff = header.e_phoff;
    for ph in phdrs {
        if ph.p_type != PT_LOAD || ph.p_filesz == 0 {
            continue;
        }
        let file_start = ph.p_offset;
        let file_end = ph
            .p_offset
            .checked_add(ph.p_filesz)
            .ok_or("PHDR location overflow")?;
        if phoff >= file_start && phoff < file_end {
            let delta = phoff - file_start;
            let vaddr = ph
                .p_vaddr
                .checked_add(delta)
                .and_then(|v| v.checked_add(load_bias))
                .ok_or("Relocated PHDR address overflow")?;
            if vaddr >= USER_ADDR_MAX {
                return Err("Relocated PHDR outside user address space");
            }
            return Ok(vaddr);
        }
    }
    Err("Program headers are not covered by a PT_LOAD segment")
}

/// Reads elf from vfs.
fn read_elf_from_vfs(path: &str) -> Result<Vec<u8>, &'static str> {
    const MAX_ELF_SIZE: usize = 64 * 1024 * 1024;
    let fd =
        crate::vfs::open(path, crate::vfs::OpenFlags::READ).map_err(|_| "PT_INTERP open failed")?;
    let mut out = Vec::new();
    let mut buf = [0u8; 4096];
    loop {
        let n = match crate::vfs::read(fd, &mut buf) {
            Ok(n) => n,
            Err(_) => {
                let _ = crate::vfs::close(fd);
                return Err("PT_INTERP read failed");
            }
        };
        if n == 0 {
            break;
        }
        if out.len().saturating_add(n) > MAX_ELF_SIZE {
            let _ = crate::vfs::close(fd);
            return Err("PT_INTERP file too large");
        }
        out.extend_from_slice(&buf[..n]);
    }
    let _ = crate::vfs::close(fd);
    if out.is_empty() {
        return Err("PT_INTERP file is empty");
    }
    Ok(out)
}

/// Compute total mapped bounds for all PT_LOAD segments.
fn compute_load_bounds(phdrs: &[Elf64Phdr]) -> Result<(u64, u64), &'static str> {
    let mut min_vaddr = u64::MAX;
    let mut max_vaddr = 0u64;
    let mut saw_load = false;

    for phdr in phdrs {
        if phdr.p_type != PT_LOAD {
            continue;
        }
        if phdr.p_memsz == 0 {
            continue;
        }
        saw_load = true;

        if phdr.p_memsz < phdr.p_filesz {
            return Err("PT_LOAD memsz < filesz");
        }

        // ELF requires p_vaddr % page == p_offset % page for PT_LOAD.
        if ((phdr.p_vaddr ^ phdr.p_offset) & 0xFFF) != 0 {
            return Err("PT_LOAD alignment mismatch (vaddr/offset)");
        }

        let seg_end = phdr
            .p_vaddr
            .checked_add(phdr.p_memsz)
            .ok_or("PT_LOAD vaddr+memsz overflow")?;
        if seg_end > USER_ADDR_MAX {
            return Err("PT_LOAD exceeds user address space");
        }

        let seg_start_page = phdr.p_vaddr & !0xFFF;
        let seg_end_page = (seg_end + 0xFFF) & !0xFFF;
        min_vaddr = min_vaddr.min(seg_start_page);
        max_vaddr = max_vaddr.max(seg_end_page);
    }

    if !saw_load {
        return Err("ELF has no PT_LOAD segments");
    }
    Ok((min_vaddr, max_vaddr))
}

/// Compute load bias and relocated entry for ET_EXEC / ET_DYN.
fn compute_load_bias_and_entry(
    user_as: &AddressSpace,
    header: &Elf64Header,
    phdrs: &[Elf64Phdr],
) -> Result<(u64, u64), &'static str> {
    let (min_vaddr, max_vaddr) = compute_load_bounds(phdrs)?;
    let span = max_vaddr
        .checked_sub(min_vaddr)
        .ok_or("Invalid PT_LOAD bounds")?;

    let load_bias = if header.e_type == ET_EXEC {
        0
    } else {
        let n_pages = (span as usize).div_ceil(4096);
        let load_base = user_as
            .find_free_vma_range(PIE_BASE_ADDR, n_pages, VmaPageSize::Small)
            .or_else(|| {
                user_as.find_free_vma_range(0x0000_0000_1000_0000, n_pages, VmaPageSize::Small)
            })
            .ok_or("No virtual range for ET_DYN image")?;
        load_base
            .checked_sub(min_vaddr)
            .ok_or("ET_DYN load bias underflow")?
    };

    let relocated_end = max_vaddr
        .checked_add(load_bias)
        .ok_or("Relocated PT_LOAD range overflow")?;
    if relocated_end > USER_ADDR_MAX {
        return Err("Relocated PT_LOAD range exceeds user space");
    }

    let entry_raw = if header.e_type == ET_EXEC && header.e_entry == 0 {
        let fallback = phdrs
            .iter()
            .find(|ph| ph.p_type == PT_LOAD && ph.p_memsz != 0 && (ph.p_flags & PF_X) != 0)
            .map(|ph| ph.p_vaddr)
            .ok_or("ET_EXEC has null entry and no executable PT_LOAD")?;
        log::warn!(
            "[elf] ET_EXEC has null entry, using fallback executable segment vaddr={:#x}",
            fallback
        );
        fallback
    } else {
        header.e_entry
    };

    let relocated_entry = entry_raw
        .checked_add(load_bias)
        .ok_or("Relocated entry overflow")?;
    if relocated_entry == 0 || relocated_entry >= USER_ADDR_MAX {
        return Err("Relocated entry outside user space");
    }

    Ok((load_bias, relocated_entry))
}

/// Performs the apply segment permissions operation.
fn apply_segment_permissions(
    user_as: &AddressSpace,
    page_start: u64,
    page_count: usize,
    flags: VmaFlags,
) -> Result<(), &'static str> {
    use x86_64::registers::control::Cr3;

    let pte_flags = flags.to_page_flags();
    // SAFETY: loader owns this AddressSpace during image construction.
    let mut mapper = unsafe { user_as.mapper() };
    for i in 0..page_count {
        let vaddr = page_start
            .checked_add((i as u64) * 4096)
            .ok_or("Permission update address overflow")?;
        let page = Page::<Size4KiB>::from_start_address(VirtAddr::new(vaddr))
            .map_err(|_| "Invalid page while updating segment flags")?;
        // SAFETY: the page is already mapped by map_region for this segment.
        let _ = unsafe {
            mapper
                .update_flags(page, pte_flags)
                .map_err(|_| "Failed to update segment page flags")?
        };
        // We ignore flush here and do a targeted flush decision below.
    }

    // During ELF loading we update a freshly-created user address space that is
    // not active on other CPUs.  Cross-CPU shootdowns here only add boot-time
    // latency and can timeout while APs are not yet servicing IPIs.
    // If this address space is currently active on this CPU, local invalidation
    // is enough for the loader path.
    let (current_cr3, _) = Cr3::read();
    if current_cr3.start_address() == user_as.cr3() {
        let end = page_start + (page_count as u64) * 4096;
        crate::arch::x86_64::tlb::local_range(VirtAddr::new(page_start), VirtAddr::new(end));
    }

    Ok(())
}

/// Reads user mapped bytes.
fn read_user_mapped_bytes(
    user_as: &AddressSpace,
    mut vaddr: u64,
    out: &mut [u8],
) -> Result<(), &'static str> {
    let end = vaddr
        .checked_add(out.len() as u64)
        .ok_or("Read range overflow")?;
    if end > USER_ADDR_MAX {
        return Err("Read range outside user space");
    }
    let mut copied = 0usize;
    while copied < out.len() {
        let page_off = (vaddr & 0xFFF) as usize;
        let chunk = core::cmp::min(out.len() - copied, 4096 - page_off);
        let phys = user_as
            .translate(VirtAddr::new(vaddr))
            .ok_or("Failed to translate mapped user bytes")?;
        let src = crate::memory::phys_to_virt(phys.as_u64()) as *const u8;
        // SAFETY: src points to mapped physical memory via HHDM.
        unsafe { core::ptr::copy_nonoverlapping(src, out.as_mut_ptr().add(copied), chunk) };
        copied += chunk;
        vaddr = vaddr
            .checked_add(chunk as u64)
            .ok_or("Virtual address overflow while reading mapped bytes")?;
    }
    Ok(())
}

/// Writes user mapped bytes.
fn write_user_mapped_bytes(
    user_as: &AddressSpace,
    mut vaddr: u64,
    src: &[u8],
) -> Result<(), &'static str> {
    let end = vaddr
        .checked_add(src.len() as u64)
        .ok_or("Write range overflow")?;
    if end > USER_ADDR_MAX {
        return Err("Write range outside user space");
    }
    let mut written = 0usize;
    while written < src.len() {
        let page_off = (vaddr & 0xFFF) as usize;
        let chunk = core::cmp::min(src.len() - written, 4096 - page_off);
        let phys = user_as
            .translate(VirtAddr::new(vaddr))
            .ok_or("Failed to translate relocation target")?;
        let dst = crate::memory::phys_to_virt(phys.as_u64()) as *mut u8;
        // SAFETY: destination points to mapped user frame through HHDM.
        unsafe { core::ptr::copy_nonoverlapping(src.as_ptr().add(written), dst, chunk) };
        written += chunk;
        vaddr = vaddr
            .checked_add(chunk as u64)
            .ok_or("Virtual address overflow while writing mapped bytes")?;
    }
    Ok(())
}

/// Reads user u64.
fn read_user_u64(user_as: &AddressSpace, vaddr: u64) -> Result<u64, &'static str> {
    let mut raw = [0u8; 8];
    read_user_mapped_bytes(user_as, vaddr, &mut raw)?;
    Ok(u64::from_le_bytes(raw))
}

/// Writes user u64.
fn write_user_u64(user_as: &AddressSpace, vaddr: u64, value: u64) -> Result<(), &'static str> {
    write_user_mapped_bytes(user_as, vaddr, &value.to_le_bytes())
}

/// Performs the apply relr relocations operation.
fn apply_relr_relocations(
    user_as: &AddressSpace,
    load_bias: u64,
    relr_base: u64,
    relr_size: usize,
    relr_ent: usize,
) -> Result<usize, &'static str> {
    if relr_size == 0 {
        return Ok(0);
    }
    if relr_ent != core::mem::size_of::<u64>() {
        return Err("Unsupported DT_RELRENT size");
    }
    if relr_size % relr_ent != 0 {
        return Err("DT_RELR table size is not aligned");
    }

    let count = relr_size / relr_ent;
    let mut applied = 0usize;
    let mut where_addr = 0u64;

    for i in 0..count {
        let entry_addr = relr_base
            .checked_add((i * relr_ent) as u64)
            .ok_or("DT_RELR walk overflow")?;
        let entry = read_user_u64(user_as, entry_addr)?;

        if (entry & 1) == 0 {
            where_addr = load_bias
                .checked_add(entry)
                .ok_or("DT_RELR absolute relocation overflow")?;
            if where_addr >= USER_ADDR_MAX {
                return Err("DT_RELR target outside user space");
            }
            let cur = read_user_u64(user_as, where_addr)?;
            write_user_u64(
                user_as,
                where_addr,
                cur.checked_add(load_bias)
                    .ok_or("DT_RELR relocated value overflow")?,
            )?;
            where_addr = where_addr
                .checked_add(8)
                .ok_or("DT_RELR where pointer overflow")?;
            applied += 1;
        } else {
            let mut bitmap = entry >> 1;
            for bit in 0..63u64 {
                if (bitmap & 1) != 0 {
                    let slot = where_addr
                        .checked_add(bit * 8)
                        .ok_or("DT_RELR bitmap target overflow")?;
                    if slot >= USER_ADDR_MAX {
                        return Err("DT_RELR bitmap target outside user space");
                    }
                    let cur = read_user_u64(user_as, slot)?;
                    write_user_u64(
                        user_as,
                        slot,
                        cur.checked_add(load_bias)
                            .ok_or("DT_RELR bitmap relocated value overflow")?,
                    )?;
                    applied += 1;
                }
                bitmap >>= 1;
                if bitmap == 0 {
                    break;
                }
            }
            where_addr = where_addr
                .checked_add(63 * 8)
                .ok_or("DT_RELR where advance overflow")?;
        }
    }
    Ok(applied)
}

/// Performs the apply dynamic relocations operation.
fn apply_dynamic_relocations(
    user_as: &AddressSpace,
    phdrs: &[Elf64Phdr],
    elf_type: u16,
    load_bias: u64,
) -> Result<(), &'static str> {
    if elf_type != ET_DYN {
        return Ok(());
    }

    let dynamic = phdrs.iter().find(|ph| ph.p_type == PT_DYNAMIC);
    let Some(dynamic_ph) = dynamic else {
        return Ok(());
    };
    if dynamic_ph.p_filesz == 0 {
        return Ok(());
    }

    let dyn_addr = dynamic_ph
        .p_vaddr
        .checked_add(load_bias)
        .ok_or("PT_DYNAMIC relocated address overflow")?;
    let dyn_count = (dynamic_ph.p_filesz as usize) / core::mem::size_of::<Elf64Dyn>();

    let mut rela_addr: Option<u64> = None;
    let mut rela_size: usize = 0;
    let mut rela_ent: usize = core::mem::size_of::<Elf64Rela>();
    let mut jmprel_addr: Option<u64> = None;
    let mut jmprel_size: usize = 0;
    let mut pltrel_kind: Option<u64> = None;
    let mut symtab_addr: Option<u64> = None;
    let mut sym_ent: usize = core::mem::size_of::<Elf64Sym>();
    let _strtab_addr: Option<u64> = None;
    let mut rela_count_hint: Option<usize> = None;
    let mut relr_addr: Option<u64> = None;
    let mut relr_size: usize = 0;
    let mut relr_ent: usize = 0;

    for i in 0..dyn_count {
        let entry_addr = dyn_addr
            .checked_add((i * core::mem::size_of::<Elf64Dyn>()) as u64)
            .ok_or("PT_DYNAMIC walk overflow")?;
        let mut raw = [0u8; core::mem::size_of::<Elf64Dyn>()];
        read_user_mapped_bytes(user_as, entry_addr, &mut raw)?;
        // SAFETY: raw has exact size of Elf64Dyn; read_unaligned handles packing.
        let dyn_entry = unsafe { core::ptr::read_unaligned(raw.as_ptr() as *const Elf64Dyn) };

        match dyn_entry.d_tag {
            DT_NULL => break,
            DT_RELA => {
                rela_addr = Some(
                    dyn_entry
                        .d_val
                        .checked_add(load_bias)
                        .ok_or("DT_RELA relocated address overflow")?,
                )
            }
            DT_RELASZ => rela_size = dyn_entry.d_val as usize,
            DT_RELAENT => rela_ent = dyn_entry.d_val as usize,
            DT_RELACOUNT => rela_count_hint = Some(dyn_entry.d_val as usize),
            DT_JMPREL => {
                jmprel_addr = Some(
                    dyn_entry
                        .d_val
                        .checked_add(load_bias)
                        .ok_or("DT_JMPREL relocated address overflow")?,
                )
            }
            DT_PLTRELSZ => jmprel_size = dyn_entry.d_val as usize,
            DT_PLTREL => pltrel_kind = Some(dyn_entry.d_val),
            DT_SYMTAB => {
                symtab_addr = Some(
                    dyn_entry
                        .d_val
                        .checked_add(load_bias)
                        .ok_or("DT_SYMTAB relocated address overflow")?,
                )
            }
            DT_SYMENT => sym_ent = dyn_entry.d_val as usize,
            DT_STRTAB => {
                let _ = dyn_entry
                    .d_val
                    .checked_add(load_bias)
                    .ok_or("DT_STRTAB relocated address overflow")?;
            }
            DT_RELR => {
                relr_addr = Some(
                    dyn_entry
                        .d_val
                        .checked_add(load_bias)
                        .ok_or("DT_RELR relocated address overflow")?,
                )
            }
            DT_RELRSZ => relr_size = dyn_entry.d_val as usize,
            DT_RELRENT => relr_ent = dyn_entry.d_val as usize,
            _ => {}
        }
    }

    let mut relr_applied = 0usize;
    if let Some(relr_base) = relr_addr {
        relr_applied = apply_relr_relocations(user_as, load_bias, relr_base, relr_size, relr_ent)?;
    } else if relr_size != 0 || relr_ent != 0 {
        return Err("DT_RELR metadata present without DT_RELR base");
    }
    if rela_ent != core::mem::size_of::<Elf64Rela>() {
        return Err("Unsupported DT_RELAENT size");
    }
    if sym_ent != core::mem::size_of::<Elf64Sym>() {
        return Err("Unsupported DT_SYMENT size");
    }
    if pltrel_kind.is_some() && pltrel_kind != Some(DT_RELA as u64) {
        return Err("Only DT_PLTREL=DT_RELA is supported");
    }

    let read_sym_entry = |sym_idx: u32| -> Result<Elf64Sym, &'static str> {
        let symtab = symtab_addr.ok_or("Missing DT_SYMTAB for symbol relocations")?;
        let sym_addr = symtab
            .checked_add((sym_idx as u64) * (sym_ent as u64))
            .ok_or("Symbol table address overflow")?;
        let mut raw = [0u8; core::mem::size_of::<Elf64Sym>()];
        read_user_mapped_bytes(user_as, sym_addr, &mut raw)?;
        Ok(unsafe { core::ptr::read_unaligned(raw.as_ptr() as *const Elf64Sym) })
    };

    let resolve_symbol = |sym_idx: u32| -> Result<u64, &'static str> {
        if sym_idx == 0 {
            return Ok(0);
        }
        let sym = read_sym_entry(sym_idx)?;
        if sym.st_shndx == 0 {
            return Err("Undefined symbol relocation not supported");
        }
        sym.st_value
            .checked_add(load_bias)
            .ok_or("Symbol value relocation overflow")
    };

    let resolve_symbol_raw = |sym_idx: u32| -> Result<u64, &'static str> {
        if sym_idx == 0 {
            return Ok(0);
        }
        let sym = read_sym_entry(sym_idx)?;
        Ok(sym.st_value)
    };

    let resolve_symbol_size = |sym_idx: u32| -> Result<u64, &'static str> {
        if sym_idx == 0 {
            return Ok(0);
        }
        let sym = read_sym_entry(sym_idx)?;
        Ok(sym.st_size)
    };

    let apply_rela_table = |table_base: u64,
                            table_size: usize,
                            count_hint: Option<usize>|
     -> Result<usize, &'static str> {
        if table_size == 0 {
            return Ok(0);
        }
        let mut count = table_size / rela_ent;
        if let Some(hint) = count_hint {
            count = core::cmp::min(count, hint);
        }
        let mut applied = 0usize;
        for i in 0..count {
            let rela_addr_i = table_base
                .checked_add((i * rela_ent) as u64)
                .ok_or("Rela table overflow")?;
            let mut raw = [0u8; core::mem::size_of::<Elf64Rela>()];
            read_user_mapped_bytes(user_as, rela_addr_i, &mut raw)?;
            // SAFETY: raw has exact size of Elf64Rela.
            let rela = unsafe { core::ptr::read_unaligned(raw.as_ptr() as *const Elf64Rela) };

            let r_type = (rela.r_info & 0xffff_ffff) as u32;
            let r_sym = (rela.r_info >> 32) as u32;
            let target = rela
                .r_offset
                .checked_add(load_bias)
                .ok_or("Relocation target overflow")?;
            if target >= USER_ADDR_MAX {
                return Err("Relocation target outside user space");
            }

            let value = match r_type {
                R_X86_64_RELATIVE => {
                    if r_sym != 0 {
                        return Err("R_X86_64_RELATIVE with non-zero symbol");
                    }
                    (load_bias as i128)
                        .checked_add(rela.r_addend as i128)
                        .ok_or("Relocation value overflow")?
                }
                R_X86_64_GLOB_DAT | R_X86_64_JUMP_SLOT | R_X86_64_64 => {
                    let sym_val = resolve_symbol(r_sym)? as i128;
                    sym_val
                        .checked_add(rela.r_addend as i128)
                        .ok_or("Relocation value overflow")?
                }
                R_X86_64_COPY => {
                    let sym_val = resolve_symbol(r_sym)?;
                    if sym_val == 0 {
                        continue;
                    }
                    let sym_sz = resolve_symbol_size(r_sym)?;
                    if sym_sz > 0 && sym_val < USER_ADDR_MAX {
                        let mut tmp = [0u8; 256];
                        let mut off = 0usize;
                        while off < sym_sz as usize {
                            let chunk = core::cmp::min(256, sym_sz as usize - off);
                            read_user_mapped_bytes(
                                user_as,
                                sym_val + off as u64,
                                &mut tmp[..chunk],
                            )?;
                            write_user_mapped_bytes(user_as, target + off as u64, &tmp[..chunk])?;
                            off += chunk;
                        }
                    }
                    applied += 1;
                    continue;
                }
                R_X86_64_TPOFF64 => {
                    let sym_val = if r_sym != 0 {
                        resolve_symbol_raw(r_sym)? as i128
                    } else {
                        0i128
                    };
                    sym_val
                        .checked_add(rela.r_addend as i128)
                        .ok_or("TPOFF64 value overflow")?
                }
                R_X86_64_IRELATIVE => (load_bias as i128)
                    .checked_add(rela.r_addend as i128)
                    .ok_or("IRELATIVE value overflow")?,
                _ => {
                    log::warn!("[elf] Unsupported relocation type {}", r_type);
                    continue;
                }
            };
            if value < 0 || value > u64::MAX as i128 {
                return Err("Relocation value out of range");
            }
            let val_u64 = value as u64;
            // Read back before write for diagnosis
            if applied < 5 {
                let r_addend_copy = rela.r_addend; // copy packed field to local
                let mut before = [0u8; 8];
                let _ = read_user_mapped_bytes(user_as, target, &mut before);
                let before_val = u64::from_le_bytes(before);
                crate::e9_println!(
                    "[reloc] [{i}] r_type={} target={:#x} r_addend={:#x} value={:#x} before={:#x}",
                    r_type,
                    target,
                    r_addend_copy,
                    val_u64,
                    before_val
                );
            }
            write_user_mapped_bytes(user_as, target, &val_u64.to_le_bytes())?;
            // Read back after write for diagnosis
            if applied < 5 {
                let mut after = [0u8; 8];
                let _ = read_user_mapped_bytes(user_as, target, &mut after);
                let after_val = u64::from_le_bytes(after);
                crate::e9_println!(
                    "[reloc] [{i}] after_write={:#x} (expected={:#x})",
                    after_val,
                    val_u64
                );
            }
            // Catch any relocation that writes a kernel-range address into user space.
            if val_u64 >= 0xffff_8000_0000_0000 {
                let r_addend_copy = rela.r_addend;
                crate::e9_println!(
                    "[reloc-KERNEL-ADDR] [{i}] r_type={} target={:#x} r_addend={:#x} val={:#x} bias={:#x}",
                    r_type, target, r_addend_copy, val_u64, load_bias
                );
            }
            applied += 1;
        }
        Ok(applied)
    };

    let mut total_applied = 0usize;
    crate::e9_println!(
        "[reloc] apply_dynamic_relocations: bias={:#x} rela_addr={:?} rela_size={} rela_count={:?}",
        load_bias,
        rela_addr,
        rela_size,
        rela_count_hint
    );
    if let Some(rela_base) = rela_addr {
        total_applied += apply_rela_table(rela_base, rela_size, rela_count_hint)?;
    }
    if let Some(jmprel_base) = jmprel_addr {
        total_applied += apply_rela_table(jmprel_base, jmprel_size, None)?;
    }

    if total_applied > 0 {
        crate::e9_println!(
            "[reloc] applied {} RELA relocations (bias={:#x})",
            total_applied,
            load_bias
        );
    }
    if relr_applied > 0 {
        log::debug!("[elf] Applied {} RELR relocations", relr_applied);
    }
    Ok(())
}

// ---------------------------------------------------------------------------
// Loading
// ---------------------------------------------------------------------------

/// Convert ELF p_flags to VmaFlags.
fn elf_flags_to_vma(p_flags: u32) -> VmaFlags {
    VmaFlags {
        readable: p_flags & PF_R != 0,
        writable: p_flags & PF_W != 0,
        executable: p_flags & PF_X != 0,
        user_accessible: true,
    }
}

/// Load a single PT_LOAD segment into the given address space.
///
/// Allocates physical frames, maps them with appropriate permissions, and
/// copies file data into the mapping. BSS (memsz > filesz) is already
/// zero-filled because `map_region` zeroes newly allocated frames.
fn load_segment(
    user_as: &AddressSpace,
    elf_data: &[u8],
    phdr: &Elf64Phdr,
    load_bias: u64,
) -> Result<(), &'static str> {
    let vaddr = phdr
        .p_vaddr
        .checked_add(load_bias)
        .ok_or("PT_LOAD relocated vaddr overflow")?;
    let memsz = phdr.p_memsz;
    let filesz = phdr.p_filesz;
    let offset = phdr.p_offset;

    // Validate addresses are in user space
    if vaddr >= USER_ADDR_MAX {
        return Err("PT_LOAD vaddr outside user space");
    }
    let end = vaddr
        .checked_add(memsz)
        .ok_or("PT_LOAD vaddr+memsz overflows")?;
    if end > USER_ADDR_MAX {
        return Err("PT_LOAD segment extends past user space");
    }

    // Validate file region
    let file_end = (offset as usize)
        .checked_add(filesz as usize)
        .ok_or("PT_LOAD offset+filesz overflows")?;
    if file_end > elf_data.len() {
        return Err("PT_LOAD file data extends past ELF");
    }

    // Calculate page-aligned mapping
    let page_start = vaddr & !0xFFF;
    let page_end = (end + 0xFFF) & !0xFFF;
    let page_count = ((page_end - page_start) / 4096) as usize;

    // Map writable during copy, then restore final ELF flags.
    let actual_flags = elf_flags_to_vma(phdr.p_flags);
    let load_flags = VmaFlags {
        readable: true,
        writable: true, // Need write access to copy data in
        executable: actual_flags.executable,
        user_accessible: true,
    };

    let vma_type = if actual_flags.executable {
        VmaType::Code
    } else {
        VmaType::Anonymous
    };
    log::debug!(
        "[elf] map PT_LOAD: start={:#x} pages={} filesz={:#x}",
        page_start,
        page_count,
        filesz
    );
    user_as.map_region(
        page_start,
        page_count,
        load_flags,
        vma_type,
        VmaPageSize::Small,
    )?;

    // Copy file data into the mapped pages.
    // We translate each page through the user AS to find its physical frame,
    // then access it via HHDM to write.
    if filesz > 0 {
        let src = &elf_data[offset as usize..file_end];
        let mut copied = 0usize;

        while copied < src.len() {
            let dst_vaddr = vaddr + copied as u64;
            let page_offset = (dst_vaddr & 0xFFF) as usize;
            let chunk = core::cmp::min(src.len() - copied, 4096 - page_offset);

            // Translate user virtual address → physical → HHDM virtual
            let phys = user_as
                .translate(VirtAddr::new(dst_vaddr))
                .ok_or("Failed to translate user page after mapping")?;
            let hhdm_ptr = crate::memory::phys_to_virt(phys.as_u64()) as *mut u8;

            // SAFETY: hhdm_ptr points to a freshly mapped, zeroed frame via HHDM.
            // The source slice is validated above.
            unsafe {
                core::ptr::copy_nonoverlapping(src.as_ptr().add(copied), hhdm_ptr, chunk);
            }

            copied += chunk;
        }
    }

    // Tighten PTE permissions after copy.
    apply_segment_permissions(user_as, page_start, page_count, actual_flags)?;

    log::debug!(
        "  PT_LOAD: {:#x}..{:#x} ({} pages, file {:#x}+{:#x}, flags {:?})",
        page_start,
        page_end,
        page_count,
        offset,
        filesz,
        actual_flags,
    );

    Ok(())
}

// ---------------------------------------------------------------------------
// Task creation with IRETQ trampoline
// ---------------------------------------------------------------------------

/// Parameters for the Ring 3 trampoline, stored in a static so the
/// Trampoline that switches to user address space and does IRETQ to Ring 3.
///
/// Parameters (entry point, stack top, arg0, address space) are read from the
/// *current task* so that each ELF task carries its own copy.  This makes the
/// trampoline safe under SMP: two tasks can run their trampolines concurrently
/// on different CPUs without any shared mutable state.
extern "C" fn elf_ring3_trampoline() -> ! {
    use crate::arch::x86_64::gdt;
    use core::sync::atomic::Ordering;

    crate::e9_println!("[trace][elf] ring3_trampoline before current_task");
    let task = crate::process::scheduler::current_task_clone_spin_debug("ring3_trampoline")
        .expect("elf_ring3_trampoline: no current task");
    crate::e9_println!(
        "[trace][elf] ring3_trampoline enter tid={} name={}",
        task.id.as_u64(),
        task.name
    );
    crate::serial_println!(
        "[trace][elf] ring3_trampoline enter tid={} name={}",
        task.id.as_u64(),
        task.name
    );
    task.set_resume_kind(crate::process::task::ResumeKind::IretFrame);

    let user_rip = task.trampoline_entry.load(Ordering::Acquire);
    let user_rsp = task.trampoline_stack_top.load(Ordering::Acquire);
    let user_arg0 = task.trampoline_arg0.load(Ordering::Acquire);
    crate::e9_println!(
        "[trace][elf] ring3_trampoline args tid={} rip={:#x} rsp={:#x} arg0={:#x}",
        task.id.as_u64(),
        user_rip,
        user_rsp,
        user_arg0
    );
    crate::serial_println!(
        "[trace][elf] ring3_trampoline args tid={} rip={:#x} rsp={:#x}",
        task.id.as_u64(),
        user_rip,
        user_rsp
    );

    // Probe: read GOT entries via HHDM before switching to user AS.
    // This is the last kernel-owned moment before user execution begins.
    // If values here are wrong, the bug is in load/relocation, not in
    // something that happens after this point.
    {
        // SAFETY: Kernel still holds the boot/kernel CR3. HHDM is valid.
        unsafe {
            let as_ref = task.process.address_space_arc();
            let task_name: &str = &task.name;
            for test_off in [0x12920u64, 0x12928u64, 0x12930u64] {
                let vaddr = 0x100000000u64.wrapping_add(test_off);
                if let Some(phys) = as_ref.translate(VirtAddr::new(vaddr)) {
                    let ptr = crate::memory::phys_to_virt(phys.as_u64()) as *const u64;
                    let val = core::ptr::read_unaligned(ptr);
                    crate::e9_println!(
                        "[trampoline-got] tid={} name={} GOT[{:#x}]=phys={:#x} val={:#x}",
                        task.id.as_u64(),
                        task_name,
                        vaddr,
                        phys.as_u64(),
                        val
                    );
                } else {
                    crate::e9_println!(
                        "[trampoline-got] tid={} name={} GOT[{:#x}]=<not mapped>",
                        task.id.as_u64(),
                        task_name,
                        vaddr
                    );
                }
            }
        }
    }

    // Switch to the user address space stored in the task.
    // SAFETY: The address space was set up during task creation and is valid.
    unsafe {
        let as_ref = task.process.address_space_arc();
        as_ref.switch_to();
    }
    crate::e9_println!(
        "[trace][elf] ring3_trampoline switch_to done tid={}",
        task.id.as_u64()
    );
    crate::serial_println!(
        "[trace][elf] ring3_trampoline switch_to done tid={}",
        task.id.as_u64()
    );

    let user_cs = gdt::user_code_selector().0 as u64;
    let user_ss = gdt::user_data_selector().0 as u64;
    let user_rflags: u64 = 0x202; // IF=1, reserved bit 1 = 1
    crate::e9_println!(
        "[trace][elf] ring3_trampoline iret tid={} cs={:#x} ss={:#x} rflags={:#x}",
        task.id.as_u64(),
        user_cs,
        user_ss,
        user_rflags
    );
    crate::serial_println!(
        "[trace][elf] ring3_trampoline iret tid={} rip={:#x} rsp={:#x}",
        task.id.as_u64(),
        user_rip,
        user_rsp
    );

    // ----- Pre-iret LAPIC timer diagnostic -----
    // Verify that the APIC timer is actually running on this CPU before we
    // enter Ring 3 (if it is not, no timer tick = no heartbeat = silent hang).
    unsafe {
        let lvt = crate::arch::x86_64::apic::read_reg(crate::arch::x86_64::apic::REG_LVT_TIMER);
        let init_cnt =
            crate::arch::x86_64::apic::read_reg(crate::arch::x86_64::apic::REG_TIMER_INIT);
        let cur_cnt =
            crate::arch::x86_64::apic::read_reg(crate::arch::x86_64::apic::REG_TIMER_CURRENT);
        let rflags_now: u64;
        core::arch::asm!("pushfq; pop {}", out(reg) rflags_now, options(nostack));
        crate::e9_println!(
            "[trace][elf] pre-iret LAPIC: LVT={:#x} init={} cur={} IF={}",
            lvt,
            init_cnt,
            cur_cnt,
            (rflags_now >> 9) & 1
        );
        if lvt & (1 << 16) != 0 {
            crate::e9_println!(
                "[trace][elf] WARNING: LAPIC timer is MASKED (bit 16 set) : no ticks will fire!"
            );
        }
        if init_cnt == 0 {
            crate::e9_println!(
                "[trace][elf] WARNING: LAPIC timer init_count=0 : timer not started!"
            );
        }
    }

    crate::arch::x86_64::ring3_diag::validate_ring3_state(
        user_rip,
        user_rsp,
        user_cs as u16,
        user_ss as u16,
    );

    crate::e9_println!(
        "[elf] PRE-IRETQ tid={} rip={:#x} rsp={:#x} rflags={:#x}",
        task.id.as_u64(),
        user_rip,
        user_rsp,
        user_rflags
    );

    // Probe E9 Rust : validate_ring3_state passé, on entre dans l'asm.
    // Si '0' est visible mais pas '1', le compilateur a inséré du code entre
    // les deux qui a planté (peu probable, mais élimine cette hypothèse).
    crate::e9_println!(
        "E9[0] pre-asm rip={:#x} rsp={:#x} cs={:#x} ss={:#x}",
        user_rip,
        user_rsp,
        user_cs,
        user_ss,
    );

    // SAFETY: Valid user mappings have been set up. IRETQ switches to Ring 3.
    //
    // Interrupts must be masked in the final kernel instructions before
    // `swapgs ; iretq`. Otherwise a timer IRQ can land after `swapgs` but
    // before `iretq`, with `CS=0x8` and `GS=user`, and the first `gs:[..]`
    // access in the handler faults in the swapgs->iretq window.
    //
    //  E9-hack probes ==========================================================================================================================================================================
    // Each `out 0xe9, al` writes an ASCII character to QEMU's E9 port
    // (visible with `-debugcon stdio` or `-debugcon file:e9.log`).
    // The push/pop rax around each probe protects registers allocated by the
    // compiler for the `in(reg)` constraints; the net effect on RSP is zero.
    //
    //   '1' (0x31): start of the asm block, input registers in place
    //   '2' (0x32): iretq frame fully on stack (5 words)
    //   '3' (0x33): RDI loaded with arg0, just before SWAPGS
    //   '4' (0x34): SWAPGS done : if CPU crashes on iretq the last char is '4'
    //
    // If output stops at:
    //   '1' → RSP/alignment problem before any pushes
    //   '2' → a push faulted (kernel mapping broken?)
    //   '3' → bug in arg0 value or in RDI
    //   '4' → iretq is indeed triple-faulting (GDT/paging/TSS issue)
    //   nothing → E9 port not enabled in QEMU (add `-debugcon stdio`)
    unsafe {
        core::arch::asm!(
            // Close the IRQ window before touching GS. `iretq` restores IF=1
            // from the user RFLAGS frame, so user mode still starts with
            // interrupts enabled.
            "cli",

            //  Probe 1 : entrée dans le bloc asm ================================================================================
            // Les registres d'entrée sont déjà alloués par le compilateur ;
            // push/pop rax les laisse intacts.
            "push rax",
            "mov al, 0x31",     // '1'
            "out 0xe9, al",
            "pop rax",

            //  Construction de la frame iretq ==========================================================================================
            // Ordre requis par IRETQ (dépilé dans l'ordre inverse) :
            //   [RSP+32] SS
            //   [RSP+24] user RSP
            //   [RSP+16] RFLAGS
            //   [RSP+8]  CS
            //   [RSP+0]  RIP  ← RSP ici après les 5 push
            "push {ss}",
            "push {rsp_val}",
            "push {rflags}",
            "push {cs}",
            "push {rip}",

            //  Probe 2 : frame iretq complète ==========================================================================================
            "push rax",
            "mov al, 0x32",     // '2'
            "out 0xe9, al",
            "pop rax",

            //  Chargement de arg0 dans RDI ====================================================================================================
            "mov rdi, {arg0}",

            //  Probe 3 : RDI chargé, juste avant SWAPGS ==================================================
            "push rax",
            "mov al, 0x33",     // '3'
            "out 0xe9, al",
            "pop rax",

            //  SWAPGS : GS.base kernel ↔ GS.base user ============================================================
            // Après cette instruction, GS pointe vers le bloc per-thread user.
            // Le push/pop ci-dessous ne touche pas GS, il est sûr.
            "swapgs",

            //  Probe 4 : SWAPGS réussi, IRETQ imminent ============================================================
            // Si le double-fault survient sur iretq, '4' sera le DERNIER
            // caractère visible dans la console E9.
            "push rax",
            "mov al, 0x34",     // '4'
            "out 0xe9, al",
            "pop rax",

            //  IRETQ : point de non-retour ====================================================================================================
            "iretq",

            ss      = in(reg) user_ss,
            rsp_val = in(reg) user_rsp,
            rflags  = in(reg) user_rflags,
            cs      = in(reg) user_cs,
            rip     = in(reg) user_rip,
            arg0    = in(reg) user_arg0,
            options(noreturn),
        );
    }
}

// ---------------------------------------------------------------------------
// Public API
// ---------------------------------------------------------------------------

/// Load an ELF64 binary and schedule it as a Ring 3 user task.
///
/// # Arguments
/// * `elf_data` - Raw ELF file bytes (must remain valid until load completes).
/// * `name` - Name for the task (debugging purposes).
///
/// # Returns
/// `Ok(())` on success, `Err` with a static error message on failure.
pub fn load_and_run_elf(elf_data: &[u8], name: &'static str) -> Result<TaskId, &'static str> {
    load_and_run_elf_with_caps(elf_data, name, &[])
}

/// Performs the load and run elf with caps operation.
pub fn load_and_run_elf_with_caps(
    elf_data: &[u8],
    name: &'static str,
    seed_caps: &[Capability],
) -> Result<TaskId, &'static str> {
    crate::e9_println!(
        "[trace][elf] load_and_run_elf enter name={} size={}",
        name,
        elf_data.len()
    );
    let task = load_elf_task_with_caps(elf_data, name, seed_caps)?;
    let task_id = task.id;
    let runtime_entry = task
        .trampoline_entry
        .load(core::sync::atomic::Ordering::Acquire);
    crate::e9_println!(
        "[trace][elf] load_and_run_elf add_task begin tid={} entry={:#x}",
        task_id.as_u64(),
        runtime_entry
    );
    crate::process::add_task(task);
    crate::e9_println!(
        "[trace][elf] load_and_run_elf add_task done tid={}",
        task_id.as_u64()
    );

    log::info!(
        "[elf] Task '{}' created: entry={:#x}, stack_top={:#x}",
        name,
        runtime_entry,
        USER_STACK_TOP,
    );

    Ok(task_id)
}

const AT_PHDR: u64 = 3;
const AT_PHENT: u64 = 4;
const AT_PHNUM: u64 = 5;
const AT_PAGESZ: u64 = 6;
const AT_BASE: u64 = 7;
const AT_ENTRY: u64 = 9;
const AT_RANDOM: u64 = 25;

/// Performs the push auxv operation.
fn push_auxv(user_as: &AddressSpace, sp: &mut u64, tag: u64, val: u64) -> Result<(), &'static str> {
    *sp -= 8;
    write_user_u64(user_as, *sp, val)?;
    *sp -= 8;
    write_user_u64(user_as, *sp, tag)?;
    Ok(())
}

/// Performs the setup boot user stack operation.
fn setup_boot_user_stack(
    user_as: &AddressSpace,
    name: &str,
    phdr_vaddr: u64,
    phent: u16,
    phnum: u16,
    program_entry: u64,
    interp_base: Option<u64>,
) -> Result<u64, &'static str> {
    let mut sp = USER_STACK_TOP;

    let name_nul_len = (name.len() + 1) as u64;
    sp -= name_nul_len;
    let argv0_ptr = sp;
    write_user_mapped_bytes(user_as, sp, name.as_bytes())?;
    write_user_mapped_bytes(user_as, sp + name.len() as u64, &[0])?;

    sp -= 16;
    let random_ptr = sp;
    write_user_mapped_bytes(user_as, sp, &[0x42u8; 16])?;

    sp &= !0xF;

    // AT_NULL
    push_auxv(user_as, &mut sp, 0, 0)?;
    push_auxv(user_as, &mut sp, AT_RANDOM, random_ptr)?;
    push_auxv(user_as, &mut sp, AT_ENTRY, program_entry)?;
    if let Some(base) = interp_base {
        push_auxv(user_as, &mut sp, AT_BASE, base)?;
    }
    push_auxv(user_as, &mut sp, AT_PAGESZ, 4096)?;
    push_auxv(user_as, &mut sp, AT_PHNUM, phnum as u64)?;
    push_auxv(user_as, &mut sp, AT_PHENT, phent as u64)?;
    push_auxv(user_as, &mut sp, AT_PHDR, phdr_vaddr)?;

    // envp NULL terminator
    sp -= 8;
    write_user_u64(user_as, sp, 0)?;
    // argv[0], argv NULL terminator
    sp -= 8;
    write_user_u64(user_as, sp, 0)?;
    sp -= 8;
    write_user_u64(user_as, sp, argv0_ptr)?;
    // argc
    sp -= 8;
    write_user_u64(user_as, sp, 1)?;

    // System V ABI: %rsp % 16 == 0 at process entry
    sp &= !0xF;
    Ok(sp)
}

/// Performs the load elf task with caps operation.
pub fn load_elf_task_with_caps(
    elf_data: &[u8],
    name: &'static str,
    seed_caps: &[Capability],
) -> Result<Arc<Task>, &'static str> {
    crate::e9_println!(
        "[trace][elf] load_elf_task enter name={} size={}",
        name,
        elf_data.len()
    );
    log::info!("[elf] Loading ELF '{}'...", name);

    // Step 1: Parse and validate ELF header
    crate::e9_println!("[trace][elf] load_elf_task parse_header begin");
    let header = parse_header(elf_data)?;
    crate::e9_println!(
        "[trace][elf] load_elf_task parse_header ok type={}",
        if header.e_type == ET_DYN {
            "ET_DYN"
        } else {
            "ET_EXEC"
        }
    );
    // Step 2: Create user address space
    crate::e9_println!("[trace][elf] load_elf_task user_as begin");
    let user_as = Arc::new(AddressSpace::new_user()?);
    crate::e9_println!("[trace][elf] load_elf_task user_as done");

    let phdrs: Vec<Elf64Phdr> = program_headers(elf_data, &header).collect();
    let interp_path = parse_interp_path(elf_data, &phdrs)?;
    let (load_bias, entry) = compute_load_bias_and_entry(&user_as, &header, &phdrs)?;
    let phdr_vaddr = find_relocated_phdr_vaddr(&header, &phdrs, load_bias)?;

    let phnum = header.e_phnum;
    crate::e9_println!(
        "[trace][elf] load_elf_task layout entry={:#x} bias={:#x} phdrs={}",
        entry,
        load_bias,
        phnum
    );
    log::info!(
        "[elf] ELF '{}': type={}, entry={:#x}, bias={:#x}, {} program headers",
        name,
        if header.e_type == ET_DYN {
            "ET_DYN"
        } else {
            "ET_EXEC"
        },
        entry,
        load_bias,
        phnum,
    );

    // Step 3: Load all PT_LOAD segments
    let mut load_count = 0u32;
    for phdr in phdrs.iter() {
        if phdr.p_type == PT_LOAD && phdr.p_memsz != 0 {
            load_segment(&user_as, elf_data, phdr, load_bias)?;
            load_count += 1;
        }
    }
    if interp_path.is_none() {
        apply_dynamic_relocations(&user_as, &phdrs, header.e_type, load_bias)?;
    }

    // Diagnostic: read back key GOT entries after relocation to verify they were applied.
    for test_offset in [0x12920u64, 0x12928u64, 0x12930u64] {
        let vaddr = load_bias.wrapping_add(test_offset);
        if vaddr < USER_ADDR_MAX {
            if let Some(phys) = user_as.translate(VirtAddr::new(vaddr)) {
                let ptr = crate::memory::phys_to_virt(phys.as_u64()) as *const u64;
                // SAFETY: HHDM access to a mapped user page, owned exclusively during ELF loading.
                let val = unsafe { core::ptr::read_unaligned(ptr) };
                crate::e9_println!(
                    "[reloc-check] GOT[{:#x}]=phys={:#x} val={:#x} ({})",
                    vaddr,
                    phys.as_u64(),
                    val,
                    name
                );
            } else {
                crate::e9_println!("[reloc-check] GOT[{:#x}] = <not mapped> ({})", vaddr, name);
            }
        }
    }

    crate::e9_println!(
        "[trace][elf] load_elf_task segments_done count={} has_interp={}",
        load_count,
        interp_path.is_some()
    );
    log::info!("[elf] Loaded {} PT_LOAD segment(s)", load_count);

    let mut runtime_entry = entry;
    let mut interp_base: Option<u64> = None;
    if let Some(path) = interp_path {
        let interp_data = read_elf_from_vfs(path)?;
        let interp_header = parse_header(&interp_data)?;
        let interp_phdrs: Vec<Elf64Phdr> = program_headers(&interp_data, &interp_header).collect();
        if parse_interp_path(&interp_data, &interp_phdrs)?.is_some() {
            return Err("Nested PT_INTERP is not supported");
        }
        let (interp_bias, interp_entry) =
            compute_load_bias_and_entry(&user_as, &interp_header, &interp_phdrs)?;
        let (interp_min_vaddr, _) = compute_load_bounds(&interp_phdrs)?;
        let mut interp_load_count = 0u32;
        for phdr in interp_phdrs.iter() {
            if phdr.p_type == PT_LOAD && phdr.p_memsz != 0 {
                load_segment(&user_as, &interp_data, phdr, interp_bias)?;
                interp_load_count += 1;
            }
        }
        apply_dynamic_relocations(&user_as, &interp_phdrs, interp_header.e_type, interp_bias)?;
        runtime_entry = interp_entry;
        interp_base = Some(interp_min_vaddr.saturating_add(interp_bias));
        log::info!(
            "[elf] PT_INTERP '{}' loaded: {} PT_LOAD, entry={:#x}",
            path,
            interp_load_count,
            runtime_entry
        );
    }

    // TLS setup (Variant II: data at negative offsets from FS:0)
    let mut user_fs_base_val = 0u64;
    if let Some(tls) = phdrs.iter().find(|p| p.p_type == PT_TLS) {
        let tls_memsz = tls.p_memsz;
        let tls_filesz = tls.p_filesz;
        let tls_align = core::cmp::max(tls.p_align, 8).next_power_of_two();
        let aligned_memsz = (tls_memsz + tls_align - 1) & !(tls_align - 1);
        let total_size = aligned_memsz + 8;
        let n_tls_pages = ((total_size + 4095) / 4096) as usize;
        let tls_flags = VmaFlags {
            readable: true,
            writable: true,
            executable: false,
            user_accessible: true,
        };
        let tls_base = user_as
            .find_free_vma_range(0x7FFF_E000_0000, n_tls_pages, VmaPageSize::Small)
            .ok_or("No space for TLS block")?;
        user_as.map_region(
            tls_base,
            n_tls_pages,
            tls_flags,
            VmaType::Anonymous,
            VmaPageSize::Small,
        )?;
        if tls_filesz > 0 {
            let src_off = tls.p_offset as usize;
            let src_end = src_off + tls_filesz as usize;
            if src_end <= elf_data.len() {
                write_user_mapped_bytes(&user_as, tls_base, &elf_data[src_off..src_end])?;
            }
        }
        let tp = tls_base + aligned_memsz;
        write_user_u64(&user_as, tp, tp)?;
        user_fs_base_val = tp;
    }

    // Step 4: Map user stack
    let stack_flags = VmaFlags {
        readable: true,
        writable: true,
        executable: false,
        user_accessible: true,
    };
    user_as.map_region(
        USER_STACK_BASE,
        USER_STACK_PAGES,
        stack_flags,
        VmaType::Stack,
        VmaPageSize::Small,
    )?;
    log::debug!(
        "[elf] User stack: {:#x}..{:#x} ({} pages)",
        USER_STACK_BASE,
        USER_STACK_TOP,
        USER_STACK_PAGES,
    );

    let boot_sp = setup_boot_user_stack(
        &user_as,
        name,
        phdr_vaddr,
        header.e_phentsize,
        header.e_phnum,
        entry,
        interp_base,
    )?;

    // Step 5: Create kernel task : trampoline params are stored inside the task
    // itself so that concurrent SMP execution of multiple trampolines is safe.
    crate::e9_println!(
        "[trace][elf] load_elf_task kstack_begin size={}",
        Task::DEFAULT_STACK_SIZE
    );
    let kernel_stack = KernelStack::allocate(Task::DEFAULT_STACK_SIZE)?;
    crate::e9_println!(
        "[trace][elf] load_elf_task kstack_done virt={:#x} top={:#x}",
        kernel_stack.virt_base.as_u64(),
        kernel_stack.virt_base.as_u64() + kernel_stack.size as u64
    );
    let context = CpuContext::new(elf_ring3_trampoline as *const () as u64, &kernel_stack);
    let (pid, tid, tgid) = Task::allocate_process_ids();
    let fpu_state = crate::process::task::ExtendedState::new();
    let xcr0_mask = fpu_state.xcr0_mask;

    let task = Arc::new(Task {
        id: TaskId::new(),
        pid,
        tid,
        tgid,
        pgid: core::sync::atomic::AtomicU32::new(pid),
        sid: core::sync::atomic::AtomicU32::new(pid),
        uid: core::sync::atomic::AtomicU32::new(0),
        euid: core::sync::atomic::AtomicU32::new(0),
        gid: core::sync::atomic::AtomicU32::new(0),
        egid: core::sync::atomic::AtomicU32::new(0),
        state: core::sync::atomic::AtomicU8::new(TaskState::Ready as u8),
        priority: TaskPriority::Normal,
        context: SyncUnsafeCell::new(context),
        resume_kind: SyncUnsafeCell::new(ResumeKind::RetFrame),
        interrupt_rsp: core::sync::atomic::AtomicU64::new(0),
        kernel_stack,
        user_stack: None,
        name,
        process: Arc::new(crate::process::process::Process::new(pid, user_as)),
        pending_signals: super::signal::SignalSet::new(),
        blocked_signals: super::signal::SignalSet::new(),
        irq_signal_delivery_blocked: core::sync::atomic::AtomicBool::new(false),
        signal_stack: SyncUnsafeCell::new(None),
        itimers: super::timer::ITimers::new(),
        wake_pending: core::sync::atomic::AtomicBool::new(false),
        wake_deadline_ns: core::sync::atomic::AtomicU64::new(0),
        trampoline_entry: core::sync::atomic::AtomicU64::new(runtime_entry),
        trampoline_stack_top: core::sync::atomic::AtomicU64::new(boot_sp),
        trampoline_arg0: core::sync::atomic::AtomicU64::new(0),
        ticks: core::sync::atomic::AtomicU64::new(0),
        sched_policy: crate::process::task::SyncUnsafeCell::new(Task::default_sched_policy(
            TaskPriority::Normal,
        )),
        home_cpu: core::sync::atomic::AtomicUsize::new(usize::MAX),
        vruntime: core::sync::atomic::AtomicU64::new(0),
        fair_rq_generation: core::sync::atomic::AtomicU64::new(0),
        fair_on_rq: core::sync::atomic::AtomicBool::new(false),
        clear_child_tid: core::sync::atomic::AtomicU64::new(0),
        user_fs_base: core::sync::atomic::AtomicU64::new(user_fs_base_val),
        fpu_state: crate::process::task::SyncUnsafeCell::new(fpu_state),
        xcr0_mask: core::sync::atomic::AtomicU64::new(xcr0_mask),
        rt_link: intrusive_collections::LinkedListLink::new(),
    });

    crate::e9_println!(
        "[trace][elf] load_elf_task task_built tid={} pid={} entry={:#x} sp={:#x}",
        task.id.as_u64(),
        task.pid,
        runtime_entry,
        boot_sp
    );
    // Seed capabilities into the new task (before scheduling).
    let mut bootstrap_handle: Option<u64> = None;
    if !seed_caps.is_empty() {
        let caps = unsafe { &mut *task.process.capabilities.get() };
        for cap in seed_caps {
            let id = caps.insert(cap.clone());
            if bootstrap_handle.is_none()
                && cap.resource_type == crate::capability::ResourceType::Volume
            {
                bootstrap_handle = Some(id.as_u64());
            }
        }
    }

    // Setup stdin/stdout/stderr (fd 0/1/2) pointing to /dev/console
    // SAFETY: task is not yet scheduled, exclusive access to fd_table
    {
        let fd_table = unsafe { &mut *task.process.fd_table.get() };
        crate::vfs::console_scheme::setup_stdio(fd_table);
    }

    if let Some(h) = bootstrap_handle {
        // Program entry will see this in its first argument register (RDI).
        task.trampoline_arg0
            .store(h, core::sync::atomic::Ordering::Release);
    }

    task.seed_interrupt_frame(crate::syscall::SyscallFrame {
        r15: 0,
        r14: 0,
        r13: 0,
        r12: 0,
        rbp: 0,
        rbx: 0,
        r11: 0x202,
        r10: 0,
        r9: 0,
        r8: 0,
        rsi: 0,
        rdi: task
            .trampoline_arg0
            .load(core::sync::atomic::Ordering::Acquire),
        rdx: 0,
        rcx: runtime_entry,
        rax: 0,
        iret_rip: runtime_entry,
        iret_cs: crate::arch::x86_64::gdt::user_code_selector().0 as u64,
        iret_rflags: 0x202,
        iret_rsp: boot_sp,
        iret_ss: crate::arch::x86_64::gdt::user_data_selector().0 as u64,
    });

    // Bootstrapping: grant Silo Admin capability to the initial userspace task.
    if name == "init"
        || name == "silo-admin"
        || name.starts_with("strate-admin:")
        || name.contains("/strate-admin-")
    {
        let _ = crate::silo::grant_silo_admin_to_task(&task);
    }

    {
        let arc_data_ptr = alloc::sync::Arc::as_ptr(&task) as usize;
        let fpu_ptr = task.fpu_state.get() as usize;
        if let Some(cur) = crate::process::scheduler::current_task_clone() {
            let cur_data_ptr = alloc::sync::Arc::as_ptr(&cur) as usize;
            let cur_strong = alloc::sync::Arc::strong_count(&cur);
            log::info!(
                "[elf] Task '{}' prepared: entry={:#x}, stack_top={:#x} \
                 new_arc={:#x} new_fpu={:#x} cur_arc={:#x} cur_strong={}",
                name,
                runtime_entry,
                boot_sp,
                arc_data_ptr,
                fpu_ptr,
                cur_data_ptr,
                cur_strong,
            );
        } else {
            log::info!(
                "[elf] Task '{}' prepared: entry={:#x}, stack_top={:#x} \
                 new_arc={:#x} new_fpu={:#x} (no current task)",
                name,
                runtime_entry,
                boot_sp,
                arc_data_ptr,
                fpu_ptr,
            );
        }
    }

    Ok(task)
}

/// Load an ELF binary into the provided address space.
/// Returns the entry point address.
pub fn load_elf_image(
    elf_data: &[u8],
    user_as: &AddressSpace,
) -> Result<LoadedElfInfo, &'static str> {
    let header = parse_header(elf_data)?;
    let phdrs: Vec<Elf64Phdr> = program_headers(elf_data, &header).collect();
    let interp_path = parse_interp_path(elf_data, &phdrs)?;
    let (load_bias, entry) = compute_load_bias_and_entry(user_as, &header, &phdrs)?;
    let phdr_vaddr = find_relocated_phdr_vaddr(&header, &phdrs, load_bias)?;

    for phdr in phdrs.iter() {
        if phdr.p_type == PT_LOAD && phdr.p_memsz != 0 {
            load_segment(user_as, elf_data, phdr, load_bias)?;
        }
    }
    if interp_path.is_none() {
        apply_dynamic_relocations(user_as, &phdrs, header.e_type, load_bias)?;
    }

    let (tls_vaddr, tls_filesz, tls_memsz, tls_align) =
        if let Some(tls) = phdrs.iter().find(|ph| ph.p_type == PT_TLS) {
            let align = core::cmp::max(tls.p_align, 1).next_power_of_two();
            (
                tls.p_vaddr.saturating_add(load_bias),
                tls.p_filesz,
                tls.p_memsz,
                align,
            )
        } else {
            (0, 0, 0, 1)
        };

    let mut runtime_entry = entry;
    let mut interp_base = None;
    if let Some(path) = interp_path {
        let interp_data = read_elf_from_vfs(path)?;
        let interp_header = parse_header(&interp_data)?;
        let interp_phdrs: Vec<Elf64Phdr> = program_headers(&interp_data, &interp_header).collect();
        if parse_interp_path(&interp_data, &interp_phdrs)?.is_some() {
            return Err("Nested PT_INTERP is not supported");
        }
        let (interp_bias, interp_entry) =
            compute_load_bias_and_entry(user_as, &interp_header, &interp_phdrs)?;
        let (interp_min_vaddr, _) = compute_load_bounds(&interp_phdrs)?;
        for phdr in interp_phdrs.iter() {
            if phdr.p_type == PT_LOAD && phdr.p_memsz != 0 {
                load_segment(user_as, &interp_data, phdr, interp_bias)?;
            }
        }
        apply_dynamic_relocations(user_as, &interp_phdrs, interp_header.e_type, interp_bias)?;
        runtime_entry = interp_entry;
        interp_base = Some(interp_min_vaddr.saturating_add(interp_bias));
    }

    Ok(LoadedElfInfo {
        runtime_entry,
        program_entry: entry,
        phdr_vaddr,
        phent: header.e_phentsize,
        phnum: header.e_phnum,
        interp_base,
        tls_vaddr,
        tls_filesz,
        tls_memsz,
        tls_align,
    })
}

/// Reads user mapped bytes pub.
pub fn read_user_mapped_bytes_pub(
    user_as: &AddressSpace,
    vaddr: u64,
    out: &mut [u8],
) -> Result<(), &'static str> {
    read_user_mapped_bytes(user_as, vaddr, out)
}

/// Writes user mapped bytes pub.
pub fn write_user_mapped_bytes_pub(
    user_as: &AddressSpace,
    vaddr: u64,
    src: &[u8],
) -> Result<(), &'static str> {
    write_user_mapped_bytes(user_as, vaddr, src)
}

/// Writes user u64 pub.
pub fn write_user_u64_pub(
    user_as: &AddressSpace,
    vaddr: u64,
    value: u64,
) -> Result<(), &'static str> {
    write_user_u64(user_as, vaddr, value)
}