Comment by mlsu

7 hours ago

I am working on a microkernel for arm-m33 microcontrollers. Targeting the RP2350 first.

It’s going to feature a synchronous IPC model where the inter-task ‘call graph’ is known at compilation. Function call semantics to pass data between tasks: call(), receive(), reply().

A build tool that reads TOML will generate the kernel calls so that tasks can be totally isolated — all calls go through a supervisor trap, so we have true memory isolation.

Preemptions are possible, but control is yielded only at IPC boundaries, so it’s not hard real-time.

So that makes things super robust, with auditable behavior at compile time. Total isolation means tasks can crash catastrophically without affecting the rest of the system. Big downsides are a huge increase in flash usage, a constrained programming model, a complex build system, and task switching overhead. Just a very different model than what I’m used to at $dayjob.

I want to basically find out, hey, what happens when we go full safety!? What’s hard about it? What tradeoffs do we need to make? And also, kinda, what’s a different model for multitasking? Written in Rust, of course.
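A small added model of the design sketched in this comment (example code, not the commenter's kernel): a synchronous call()/receive()/reply() IPC whose call graph is fixed at build time, with the supervisor refusing any call that is not a declared edge and containing a callee crash. `CALL_GRAPH`, `Kernel`, the task handlers and the acyclicity check are all constructed here to stand in for what the TOML build tool would generate.

```rust
// Added model (not the commenter's code) of a synchronous IPC design whose
// call graph is fixed at build time. CALL_GRAPH stands for what the TOML
// build tool would emit; all task ids and handlers are constructed examples.
use std::collections::HashMap;
use std::panic::{catch_unwind, AssertUnwindSafe};

pub type TaskId = usize;
/// Constructed call graph: (caller, callee) pairs the tasks are wired with.
pub const CALL_GRAPH: &[(TaskId, TaskId)] = &[(0, 1), (0, 2), (1, 2)];

#[derive(Debug, PartialEq)]
pub enum IpcError { NotInCallGraph, NoSuchTask, CalleeCrashed }

/// A task's receive() side: handle one request and return the reply() payload.
pub type Handler = fn(&[u8]) -> Vec<u8>;

pub struct Kernel { handlers: HashMap<TaskId, Handler> }

impl Kernel {
    pub fn new(tasks: &[(TaskId, Handler)]) -> Self {
        Kernel { handlers: tasks.iter().copied().collect() }
    }
    /// Supervisor-side call(): the only path between tasks. The edge check is
    /// the isolation boundary; a crash in the callee is reported, not propagated.
    pub fn call(&self, from: TaskId, to: TaskId, msg: &[u8]) -> Result<Vec<u8>, IpcError> {
        if !CALL_GRAPH.contains(&(from, to)) { return Err(IpcError::NotInCallGraph); }
        let handler = self.handlers.get(&to).ok_or(IpcError::NoSuchTask)?;
        catch_unwind(AssertUnwindSafe(|| handler(msg))).map_err(|_| IpcError::CalleeCrashed)
    }
}

/// Build-time check: with synchronous calls, a cycle in the graph means a
/// possible deadlock, so the generator should reject such a configuration.
pub fn graph_is_acyclic(edges: &[(TaskId, TaskId)]) -> bool {
    fn visit(v: TaskId, edges: &[(TaskId, TaskId)], state: &mut [u8]) -> bool {
        match state[v] { 1 => return false, 2 => return true, _ => state[v] = 1 }
        let ok = edges.iter().filter(|e| e.0 == v).all(|e| visit(e.1, edges, state));
        state[v] = 2;
        ok
    }
    let n = edges.iter().map(|&(a, b)| a.max(b) + 1).max().unwrap_or(0);
    let mut state = vec![0u8; n]; // 0 = unvisited, 1 = on the DFS stack, 2 = finished
    (0..n).all(|v| visit(v, edges, &mut state))
}

// Constructed tasks: an upper-casing echo service and one that faults on empty input.
pub fn echo_task(msg: &[u8]) -> Vec<u8> { msg.to_ascii_uppercase() }
pub fn fragile_task(msg: &[u8]) -> Vec<u8> { assert!(!msg.is_empty(), "empty request"); msg.to_vec() }
pub fn demo_kernel() -> Kernel { Kernel::new(&[(1, echo_task), (2, fragile_task)]) }
```

Task 2 panicking surfaces to task 0 as `CalleeCrashed` while the kernel keeps serving, and a call from task 2 back to task 0 is refused because that edge was never declared.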