Rollback partial page allocation on failure

[li041]

Close #268

Summary

• Implement rollback for partial page allocation failures

Motivation

Partial allocation failures previously risked leaving the allocator in an inconsistent state, causing leaks or corruption. Rolling back partial allocations makes failure modes safe and observable without aborting execution.

[Copilot]

Pull request overview

Implements “all-or-nothing” behavior for page-table mapping during MemorySet::insert() to avoid leaving stale partial mappings when frame allocation fails, and adds a regression test that simulates allocation failure.

Changes:

• Add rollback-on-failure logic to GenericPageTable::map() across all supported architectures.
• Add a regression test for MemorySet::insert() that injects a frame allocation failure and verifies no stale mappings remain.
• Add test-only failure injection hooks to Frame::new_zero() and propagate HvResult from aarch64 IVC init.

Reviewed changes

Copilot reviewed 9 out of 9 changed files in this pull request and generated 5 comments.

Show a summary per file

File	Description
src/arch/aarch64/paging.rs	Roll back already-mapped pages on map_page failure during region mapping.
src/arch/riscv64/paging.rs	Same rollback-on-failure mapping behavior for RISC-V paging.
src/arch/x86_64/paging.rs	Same rollback-on-failure mapping behavior for x86_64 paging.
src/arch/loongarch64/paging.rs	Same rollback-on-failure mapping behavior for LoongArch64 paging.
src/memory/mm.rs	Documents/relies on pt.map() being all-or-nothing before inserting region metadata.
src/memory/frame.rs	Adds test-only failure injection for Frame::new_zero() allocations.
src/tests.rs	Adds regression test verifying stale mappings are not left behind after a forced failure.
src/arch/aarch64/ivc.rs	Changes ivc_init to return HvResult and propagate mapping/insert errors.
src/arch/aarch64/zone.rs	Propagates ivc_init errors via arch_zone_pre_configuration.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[liulog]

Perhaps we need more logic?
For example, if we fail to map all memoryset required by the zonex, zone create should return fail.

[li041]

Perhaps we need more logic? For example, if we fail to map all memoryset required by the zonex, zone create should return fail.

Yeah, that's current error handling. zone_create may panic in the context of ivc_init before, and I've fixed it in this commit. zone_create return a Result, and it let the caller to decide the action when encountering map error. In details, zone0 call zone_create with unwarp in primary_init_early while zoneU is created by hv_zone_start which just pass the error to the upper caller.

[liulog]

It addresses the issue of incomplete mapping in a specific region. Therefore, it mainly targets rollbacks where a region mapping is incomplete.
For the remaining fully mapped portions (in zone.gpm) of the entire memoryset, RAII will automatically perform the unmapping process.