2011-12-22 15:19:25 +00:00
|
|
|
/*
|
|
|
|
* \brief Parent interface
|
|
|
|
* \author Norman Feske
|
|
|
|
* \date 2006-05-10
|
|
|
|
*/
|
|
|
|
|
|
|
|
/*
|
2017-02-20 12:23:52 +00:00
|
|
|
* Copyright (C) 2006-2017 Genode Labs GmbH
|
2011-12-22 15:19:25 +00:00
|
|
|
*
|
|
|
|
* This file is part of the Genode OS framework, which is distributed
|
2017-02-20 12:23:52 +00:00
|
|
|
* under the terms of the GNU Affero General Public License version 3.
|
2011-12-22 15:19:25 +00:00
|
|
|
*/
|
|
|
|
|
|
|
|
#ifndef _INCLUDE__PARENT__PARENT_H_
|
|
|
|
#define _INCLUDE__PARENT__PARENT_H_
|
|
|
|
|
|
|
|
#include <base/exception.h>
|
|
|
|
#include <base/rpc.h>
|
|
|
|
#include <base/rpc_args.h>
|
2012-10-10 11:54:46 +00:00
|
|
|
#include <base/thread.h>
|
2016-11-06 13:26:34 +00:00
|
|
|
#include <base/id_space.h>
|
2011-12-22 15:19:25 +00:00
|
|
|
#include <session/capability.h>
|
|
|
|
#include <root/capability.h>
|
|
|
|
|
2016-11-06 13:26:34 +00:00
|
|
|
namespace Genode {
|
|
|
|
|
|
|
|
class Session_state;
|
|
|
|
class Parent;
|
|
|
|
}
|
2015-03-04 20:12:14 +00:00
|
|
|
|
|
|
|
|
|
|
|
class Genode::Parent
|
|
|
|
{
|
|
|
|
private:
|
|
|
|
|
|
|
|
/**
|
|
|
|
* Recursively announce inherited service interfaces
|
|
|
|
*
|
|
|
|
* At compile time, the 'ROOT' type is inspected for the presence
|
|
|
|
* of the 'Rpc_inherited_interface' type in the corresponding
|
|
|
|
* session interface. If present, the session type gets announced.
|
|
|
|
* This works recursively.
|
|
|
|
*/
|
|
|
|
template <typename ROOT>
|
|
|
|
void _announce_base(Capability<ROOT> const &, Meta::Bool_to_type<false> *) { }
|
|
|
|
|
|
|
|
/*
|
|
|
|
* This overload gets selected if the ROOT interface corresponds to
|
|
|
|
* an inherited session type.
|
|
|
|
*/
|
|
|
|
template <typename ROOT>
|
|
|
|
inline void _announce_base(Capability<ROOT> const &, Meta::Bool_to_type<true> *);
|
|
|
|
|
|
|
|
public:
|
|
|
|
|
|
|
|
typedef Rpc_in_buffer<64> Service_name;
|
|
|
|
typedef Rpc_in_buffer<160> Session_args;
|
|
|
|
typedef Rpc_in_buffer<160> Upgrade_args;
|
|
|
|
|
2016-11-06 13:26:34 +00:00
|
|
|
struct Client { typedef Id_space<Client>::Id Id; };
|
|
|
|
struct Server { typedef Id_space<Server>::Id Id; };
|
|
|
|
|
|
|
|
/**
|
|
|
|
* Predefined session IDs corresponding to the environment sessions
|
|
|
|
* created by the parent at the component-construction time
|
|
|
|
*/
|
|
|
|
struct Env
|
|
|
|
{
|
|
|
|
static Client::Id ram() { return { 1 }; }
|
|
|
|
static Client::Id cpu() { return { 2 }; }
|
|
|
|
static Client::Id pd() { return { 3 }; }
|
|
|
|
static Client::Id log() { return { 4 }; }
|
|
|
|
static Client::Id binary() { return { 5 }; }
|
|
|
|
static Client::Id linker() { return { 6 }; }
|
|
|
|
|
|
|
|
/**
|
|
|
|
* True if session ID refers to an environment session
|
|
|
|
*/
|
|
|
|
static bool session_id(Client::Id id) {
|
|
|
|
return id.value >= 1 && id.value <= 6; }
|
|
|
|
};
|
|
|
|
|
2015-03-04 20:12:14 +00:00
|
|
|
/**
|
|
|
|
* Use 'String' instead of 'Rpc_in_buffer' because 'Resource_args'
|
|
|
|
* is used as both in and out parameter.
|
|
|
|
*/
|
|
|
|
typedef String<160> Resource_args;
|
|
|
|
|
|
|
|
virtual ~Parent() { }
|
|
|
|
|
|
|
|
/**
|
|
|
|
* Tell parent to exit the program
|
|
|
|
*/
|
|
|
|
virtual void exit(int exit_value) = 0;
|
|
|
|
|
|
|
|
/**
|
|
|
|
* Announce service to the parent
|
|
|
|
*/
|
2016-11-06 13:26:34 +00:00
|
|
|
virtual void announce(Service_name const &service_name) = 0;
|
2015-03-04 20:12:14 +00:00
|
|
|
|
2016-11-06 13:26:34 +00:00
|
|
|
/**
|
|
|
|
* Emulation of the original synchronous root interface
|
|
|
|
*
|
|
|
|
* This function transparently spawns a proxy "root" entrypoint that
|
|
|
|
* dispatches asynchronous session-management operations (as issued
|
|
|
|
* by the parent) to the local root interfaces via component-local
|
|
|
|
* RPC calls.
|
|
|
|
*
|
|
|
|
* The function solely exists for API compatibility.
|
|
|
|
*/
|
|
|
|
static void announce(Service_name const &service_name,
|
|
|
|
Root_capability service_root);
|
2015-03-04 20:12:14 +00:00
|
|
|
|
|
|
|
/**
|
|
|
|
* Announce service to the parent
|
|
|
|
*
|
|
|
|
* \param service_root root capability
|
|
|
|
*
|
|
|
|
* The type of the specified 'service_root' capability match with
|
|
|
|
* an interface that provides a 'Session_type' type (i.e., a
|
|
|
|
* 'Typed_root' interface). This 'Session_type' is expected to
|
2015-03-20 16:50:41 +00:00
|
|
|
* host a class function called 'service_name' returning the
|
2015-03-04 20:12:14 +00:00
|
|
|
* name of the provided interface as null-terminated string.
|
|
|
|
*/
|
|
|
|
template <typename ROOT_INTERFACE>
|
|
|
|
void announce(Capability<ROOT_INTERFACE> const &service_root)
|
|
|
|
{
|
|
|
|
typedef typename ROOT_INTERFACE::Session_type Session;
|
|
|
|
announce(Session::service_name(), service_root);
|
2012-10-29 11:18:24 +00:00
|
|
|
|
|
|
|
/*
|
2015-03-04 20:12:14 +00:00
|
|
|
* Announce inherited session types
|
2012-10-29 11:18:24 +00:00
|
|
|
*
|
2015-03-04 20:12:14 +00:00
|
|
|
* Select the overload based on the presence of the type
|
|
|
|
* 'Rpc_inherited_interface' within the session type.
|
2013-09-19 18:39:35 +00:00
|
|
|
*/
|
2015-03-04 20:12:14 +00:00
|
|
|
_announce_base(service_root,
|
|
|
|
(Meta::Bool_to_type<Rpc_interface_is_inherited<Session>::VALUE> *)0);
|
|
|
|
}
|
|
|
|
|
2016-11-06 13:26:34 +00:00
|
|
|
/**
|
|
|
|
* Register signal handler for session notifications
|
|
|
|
*/
|
|
|
|
virtual void session_sigh(Signal_context_capability) = 0;
|
|
|
|
|
2015-03-04 20:12:14 +00:00
|
|
|
/**
|
|
|
|
* Create session to a service
|
|
|
|
*
|
2016-11-06 13:26:34 +00:00
|
|
|
* \param id client-side ID of new session
|
2015-03-04 20:12:14 +00:00
|
|
|
* \param service_name name of the requested interface
|
|
|
|
* \param args session constructor arguments
|
|
|
|
* \param affinity preferred CPU affinity for the session
|
|
|
|
*
|
2017-05-08 12:32:03 +00:00
|
|
|
* \throw Service_denied parent denies session request
|
Capability quota accounting and trading
This patch mirrors the accounting and trading scheme that Genode employs
for physical memory to the accounting of capability allocations.
Capability quotas must now be explicitly assigned to subsystems by
specifying a 'caps=<amount>' attribute to init's start nodes.
Analogously to RAM quotas, cap quotas can be traded between clients and
servers as part of the session protocol. The capability budget of each
component is maintained by the component's corresponding PD session at
core.
At the current stage, the accounting is applied to RPC capabilities,
signal-context capabilities, and dataspace capabilities. Capabilities
that are dynamically allocated via core's CPU and TRACE service are not
yet covered. Also, the capabilities allocated by resource multiplexers
outside of core (like nitpicker) must be accounted by the respective
servers, which is not covered yet.
If a component runs out of capabilities, core's PD service prints a
warning to the log. To observe the consumption of capabilities per
component in detail, the PD service is equipped with a diagnostic
mode, which can be enabled via the 'diag' attribute in the target
node of init's routing rules. E.g., the following route enables the
diagnostic mode for the PD session of the "timer" component:
<default-route>
<service name="PD" unscoped_label="timer">
<parent diag="yes"/>
</service>
...
</default-route>
For subsystems based on a sub-init instance, init can be configured
to report the capability-quota information of its subsystems by
adding the attribute 'child_caps="yes"' to init's '<report>'
config node. Init's own capability quota can be reported by adding
the attribute 'init_caps="yes"'.
Fixes #2398
2017-05-08 19:35:43 +00:00
|
|
|
* \throw Insufficient_cap_quota donated cap quota does not suffice
|
2017-05-08 12:32:03 +00:00
|
|
|
* \throw Insufficient_ram_quota donated RAM quota does not suffice
|
Capability quota accounting and trading
This patch mirrors the accounting and trading scheme that Genode employs
for physical memory to the accounting of capability allocations.
Capability quotas must now be explicitly assigned to subsystems by
specifying a 'caps=<amount>' attribute to init's start nodes.
Analogously to RAM quotas, cap quotas can be traded between clients and
servers as part of the session protocol. The capability budget of each
component is maintained by the component's corresponding PD session at
core.
At the current stage, the accounting is applied to RPC capabilities,
signal-context capabilities, and dataspace capabilities. Capabilities
that are dynamically allocated via core's CPU and TRACE service are not
yet covered. Also, the capabilities allocated by resource multiplexers
outside of core (like nitpicker) must be accounted by the respective
servers, which is not covered yet.
If a component runs out of capabilities, core's PD service prints a
warning to the log. To observe the consumption of capabilities per
component in detail, the PD service is equipped with a diagnostic
mode, which can be enabled via the 'diag' attribute in the target
node of init's routing rules. E.g., the following route enables the
diagnostic mode for the PD session of the "timer" component:
<default-route>
<service name="PD" unscoped_label="timer">
<parent diag="yes"/>
</service>
...
</default-route>
For subsystems based on a sub-init instance, init can be configured
to report the capability-quota information of its subsystems by
adding the attribute 'child_caps="yes"' to init's '<report>'
config node. Init's own capability quota can be reported by adding
the attribute 'init_caps="yes"'.
Fixes #2398
2017-05-08 19:35:43 +00:00
|
|
|
* \throw Out_of_caps session CAP quota exceeds our resources
|
2017-05-08 12:32:03 +00:00
|
|
|
* \throw Out_of_ram session RAM quota exceeds our resources
|
2015-03-04 20:12:14 +00:00
|
|
|
*
|
2016-11-06 13:26:34 +00:00
|
|
|
* \return session capability of the new session is immediately
|
|
|
|
* available, or an invalid capability
|
|
|
|
*
|
|
|
|
* If the returned capability is invalid, the request is pending at the
|
|
|
|
* server. The parent delivers a signal to the handler as registered
|
|
|
|
* via 'session_sigh' once the server responded to the request. Now the
|
|
|
|
* session capability can be picked up by calling 'session_cap'.
|
2015-03-04 20:12:14 +00:00
|
|
|
*/
|
2016-11-06 13:26:34 +00:00
|
|
|
virtual Session_capability session(Client::Id id,
|
|
|
|
Service_name const &service_name,
|
2015-03-04 20:12:14 +00:00
|
|
|
Session_args const &args,
|
|
|
|
Affinity const &affinity = Affinity()) = 0;
|
|
|
|
|
|
|
|
/**
|
2016-11-06 13:26:34 +00:00
|
|
|
* Request session capability
|
2015-03-04 20:12:14 +00:00
|
|
|
*
|
2016-11-06 13:26:34 +00:00
|
|
|
* \throw Service_denied
|
Capability quota accounting and trading
This patch mirrors the accounting and trading scheme that Genode employs
for physical memory to the accounting of capability allocations.
Capability quotas must now be explicitly assigned to subsystems by
specifying a 'caps=<amount>' attribute to init's start nodes.
Analogously to RAM quotas, cap quotas can be traded between clients and
servers as part of the session protocol. The capability budget of each
component is maintained by the component's corresponding PD session at
core.
At the current stage, the accounting is applied to RPC capabilities,
signal-context capabilities, and dataspace capabilities. Capabilities
that are dynamically allocated via core's CPU and TRACE service are not
yet covered. Also, the capabilities allocated by resource multiplexers
outside of core (like nitpicker) must be accounted by the respective
servers, which is not covered yet.
If a component runs out of capabilities, core's PD service prints a
warning to the log. To observe the consumption of capabilities per
component in detail, the PD service is equipped with a diagnostic
mode, which can be enabled via the 'diag' attribute in the target
node of init's routing rules. E.g., the following route enables the
diagnostic mode for the PD session of the "timer" component:
<default-route>
<service name="PD" unscoped_label="timer">
<parent diag="yes"/>
</service>
...
</default-route>
For subsystems based on a sub-init instance, init can be configured
to report the capability-quota information of its subsystems by
adding the attribute 'child_caps="yes"' to init's '<report>'
config node. Init's own capability quota can be reported by adding
the attribute 'init_caps="yes"'.
Fixes #2398
2017-05-08 19:35:43 +00:00
|
|
|
* \throw Insufficient_cap_quota
|
2017-05-08 12:32:03 +00:00
|
|
|
* \throw Insufficient_ram_quota
|
2015-03-04 20:12:14 +00:00
|
|
|
*
|
Capability quota accounting and trading
This patch mirrors the accounting and trading scheme that Genode employs
for physical memory to the accounting of capability allocations.
Capability quotas must now be explicitly assigned to subsystems by
specifying a 'caps=<amount>' attribute to init's start nodes.
Analogously to RAM quotas, cap quotas can be traded between clients and
servers as part of the session protocol. The capability budget of each
component is maintained by the component's corresponding PD session at
core.
At the current stage, the accounting is applied to RPC capabilities,
signal-context capabilities, and dataspace capabilities. Capabilities
that are dynamically allocated via core's CPU and TRACE service are not
yet covered. Also, the capabilities allocated by resource multiplexers
outside of core (like nitpicker) must be accounted by the respective
servers, which is not covered yet.
If a component runs out of capabilities, core's PD service prints a
warning to the log. To observe the consumption of capabilities per
component in detail, the PD service is equipped with a diagnostic
mode, which can be enabled via the 'diag' attribute in the target
node of init's routing rules. E.g., the following route enables the
diagnostic mode for the PD session of the "timer" component:
<default-route>
<service name="PD" unscoped_label="timer">
<parent diag="yes"/>
</service>
...
</default-route>
For subsystems based on a sub-init instance, init can be configured
to report the capability-quota information of its subsystems by
adding the attribute 'child_caps="yes"' to init's '<report>'
config node. Init's own capability quota can be reported by adding
the attribute 'init_caps="yes"'.
Fixes #2398
2017-05-08 19:35:43 +00:00
|
|
|
* See 'session' for more documentation.
|
|
|
|
*
|
2016-11-06 13:26:34 +00:00
|
|
|
* In the exception case, the parent implicitly closes the session.
|
2015-03-04 20:12:14 +00:00
|
|
|
*/
|
2016-11-06 13:26:34 +00:00
|
|
|
virtual Session_capability session_cap(Client::Id id) = 0;
|
|
|
|
|
|
|
|
enum Upgrade_result { UPGRADE_DONE, UPGRADE_PENDING };
|
2015-03-04 20:12:14 +00:00
|
|
|
|
|
|
|
/**
|
|
|
|
* Transfer our quota to the server that provides the specified session
|
|
|
|
*
|
2016-11-06 13:26:34 +00:00
|
|
|
* \param id ID of recipient session
|
2015-03-04 20:12:14 +00:00
|
|
|
* \param args description of the amount of quota to transfer
|
|
|
|
*
|
Capability quota accounting and trading
This patch mirrors the accounting and trading scheme that Genode employs
for physical memory to the accounting of capability allocations.
Capability quotas must now be explicitly assigned to subsystems by
specifying a 'caps=<amount>' attribute to init's start nodes.
Analogously to RAM quotas, cap quotas can be traded between clients and
servers as part of the session protocol. The capability budget of each
component is maintained by the component's corresponding PD session at
core.
At the current stage, the accounting is applied to RPC capabilities,
signal-context capabilities, and dataspace capabilities. Capabilities
that are dynamically allocated via core's CPU and TRACE service are not
yet covered. Also, the capabilities allocated by resource multiplexers
outside of core (like nitpicker) must be accounted by the respective
servers, which is not covered yet.
If a component runs out of capabilities, core's PD service prints a
warning to the log. To observe the consumption of capabilities per
component in detail, the PD service is equipped with a diagnostic
mode, which can be enabled via the 'diag' attribute in the target
node of init's routing rules. E.g., the following route enables the
diagnostic mode for the PD session of the "timer" component:
<default-route>
<service name="PD" unscoped_label="timer">
<parent diag="yes"/>
</service>
...
</default-route>
For subsystems based on a sub-init instance, init can be configured
to report the capability-quota information of its subsystems by
adding the attribute 'child_caps="yes"' to init's '<report>'
config node. Init's own capability quota can be reported by adding
the attribute 'init_caps="yes"'.
Fixes #2398
2017-05-08 19:35:43 +00:00
|
|
|
* \throw Out_of_caps
|
2017-05-08 12:32:03 +00:00
|
|
|
* \throw Out_of_ram
|
2015-03-04 20:12:14 +00:00
|
|
|
*
|
|
|
|
* The 'args' argument has the same principle format as the 'args'
|
2015-03-20 16:50:41 +00:00
|
|
|
* argument of the 'session' operation.
|
2015-03-04 20:12:14 +00:00
|
|
|
*/
|
2016-11-06 13:26:34 +00:00
|
|
|
virtual Upgrade_result upgrade(Client::Id to_session,
|
|
|
|
Upgrade_args const &args) = 0;
|
|
|
|
|
|
|
|
enum Close_result { CLOSE_DONE, CLOSE_PENDING };
|
2015-03-04 20:12:14 +00:00
|
|
|
|
|
|
|
/**
|
|
|
|
* Close session
|
|
|
|
*/
|
2016-11-06 13:26:34 +00:00
|
|
|
virtual Close_result close(Client::Id) = 0;
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Interface for providing services
|
|
|
|
*/
|
|
|
|
|
Streamline exception types
This patch reduces the number of exception types by facilitating
globally defined exceptions for common usage patterns shared by most
services. In particular, RPC functions that demand a session-resource
upgrade not longer reflect this condition via a session-specific
exception but via the 'Out_of_ram' or 'Out_of_caps' types.
Furthermore, the 'Parent::Service_denied', 'Parent::Unavailable',
'Root::Invalid_args', 'Root::Unavailable', 'Service::Invalid_args',
'Service::Unavailable', and 'Local_service::Factory::Denied' types have
been replaced by the single 'Service_denied' exception type defined in
'session/session.h'.
This consolidation eases the error handling (there are fewer exceptions
to handle), alleviates the need to convert exceptions along the
session-creation call chain, and avoids possible aliasing problems
(catching the wrong type with the same name but living in a different
scope).
2017-05-07 20:03:22 +00:00
|
|
|
enum Session_response { SESSION_OK, SESSION_CLOSED, SERVICE_DENIED,
|
Capability quota accounting and trading
This patch mirrors the accounting and trading scheme that Genode employs
for physical memory to the accounting of capability allocations.
Capability quotas must now be explicitly assigned to subsystems by
specifying a 'caps=<amount>' attribute to init's start nodes.
Analogously to RAM quotas, cap quotas can be traded between clients and
servers as part of the session protocol. The capability budget of each
component is maintained by the component's corresponding PD session at
core.
At the current stage, the accounting is applied to RPC capabilities,
signal-context capabilities, and dataspace capabilities. Capabilities
that are dynamically allocated via core's CPU and TRACE service are not
yet covered. Also, the capabilities allocated by resource multiplexers
outside of core (like nitpicker) must be accounted by the respective
servers, which is not covered yet.
If a component runs out of capabilities, core's PD service prints a
warning to the log. To observe the consumption of capabilities per
component in detail, the PD service is equipped with a diagnostic
mode, which can be enabled via the 'diag' attribute in the target
node of init's routing rules. E.g., the following route enables the
diagnostic mode for the PD session of the "timer" component:
<default-route>
<service name="PD" unscoped_label="timer">
<parent diag="yes"/>
</service>
...
</default-route>
For subsystems based on a sub-init instance, init can be configured
to report the capability-quota information of its subsystems by
adding the attribute 'child_caps="yes"' to init's '<report>'
config node. Init's own capability quota can be reported by adding
the attribute 'init_caps="yes"'.
Fixes #2398
2017-05-08 19:35:43 +00:00
|
|
|
INSUFFICIENT_RAM_QUOTA, INSUFFICIENT_CAP_QUOTA };
|
2016-11-06 13:26:34 +00:00
|
|
|
|
|
|
|
/**
|
|
|
|
* Set state of a session provided by the child service
|
|
|
|
*/
|
|
|
|
virtual void session_response(Server::Id, Session_response) = 0;
|
|
|
|
|
|
|
|
/**
|
|
|
|
* Deliver capability for a new session provided by the child service
|
|
|
|
*/
|
|
|
|
virtual void deliver_session_cap(Server::Id, Session_capability) = 0;
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Dynamic resource balancing
|
|
|
|
*/
|
2015-03-04 20:12:14 +00:00
|
|
|
|
|
|
|
/**
|
|
|
|
* Provide thread_cap of main thread
|
|
|
|
*/
|
|
|
|
virtual Thread_capability main_thread_cap() const = 0;
|
|
|
|
|
|
|
|
/**
|
|
|
|
* Register signal handler for resource notifications
|
|
|
|
*/
|
|
|
|
virtual void resource_avail_sigh(Signal_context_capability sigh) = 0;
|
|
|
|
|
|
|
|
/**
|
|
|
|
* Request additional resources
|
|
|
|
*
|
2015-03-20 16:50:41 +00:00
|
|
|
* By invoking this method, a process is able to inform its
|
2015-03-04 20:12:14 +00:00
|
|
|
* parent about the need for additional resources. The argument
|
|
|
|
* string contains a resource description in the same format as
|
|
|
|
* used for session-construction arguments. In particular, for
|
|
|
|
* requesting additional RAM quota, the argument looks like
|
|
|
|
* "ram_quota=<amount>" where 'amount' is the amount of additional
|
|
|
|
* resources expected from the parent. If the parent complies with
|
|
|
|
* the request, it submits a resource-available signal to the
|
|
|
|
* handler registered via 'resource_avail_sigh()'. On the reception
|
|
|
|
* of such a signal, the process can re-evaluate its resource quota
|
|
|
|
* and resume execution.
|
|
|
|
*/
|
|
|
|
virtual void resource_request(Resource_args const &args) = 0;
|
|
|
|
|
|
|
|
/**
|
|
|
|
* Register signal handler for resource yield notifications
|
|
|
|
*
|
|
|
|
* Using the yield signal, the parent is able to inform the process
|
|
|
|
* about its wish to regain resources.
|
|
|
|
*/
|
|
|
|
virtual void yield_sigh(Signal_context_capability sigh) = 0;
|
|
|
|
|
|
|
|
/**
|
|
|
|
* Obtain information about the amount of resources to free
|
|
|
|
*
|
2015-03-20 16:50:41 +00:00
|
|
|
* The amount of resources returned by this method is the
|
2015-03-04 20:12:14 +00:00
|
|
|
* goal set by the parent. It is not commanded but merely meant
|
|
|
|
* as a friendly beg to cooperate. The process is not obligated
|
|
|
|
* to comply. If the process decides to take action to free
|
|
|
|
* resources, it can inform its parent about the availability
|
|
|
|
* of freed up resources by calling 'yield_response()'.
|
|
|
|
*/
|
|
|
|
virtual Resource_args yield_request() = 0;
|
|
|
|
|
|
|
|
/**
|
|
|
|
* Notify the parent about a response to a yield request
|
|
|
|
*/
|
|
|
|
virtual void yield_response() = 0;
|
|
|
|
|
|
|
|
|
|
|
|
/*********************
|
|
|
|
** RPC declaration **
|
|
|
|
*********************/
|
|
|
|
|
|
|
|
GENODE_RPC(Rpc_exit, void, exit, int);
|
|
|
|
GENODE_RPC(Rpc_announce, void, announce,
|
2016-11-06 13:26:34 +00:00
|
|
|
Service_name const &);
|
|
|
|
GENODE_RPC(Rpc_session_sigh, void, session_sigh, Signal_context_capability);
|
2015-03-04 20:12:14 +00:00
|
|
|
GENODE_RPC_THROW(Rpc_session, Session_capability, session,
|
Capability quota accounting and trading
This patch mirrors the accounting and trading scheme that Genode employs
for physical memory to the accounting of capability allocations.
Capability quotas must now be explicitly assigned to subsystems by
specifying a 'caps=<amount>' attribute to init's start nodes.
Analogously to RAM quotas, cap quotas can be traded between clients and
servers as part of the session protocol. The capability budget of each
component is maintained by the component's corresponding PD session at
core.
At the current stage, the accounting is applied to RPC capabilities,
signal-context capabilities, and dataspace capabilities. Capabilities
that are dynamically allocated via core's CPU and TRACE service are not
yet covered. Also, the capabilities allocated by resource multiplexers
outside of core (like nitpicker) must be accounted by the respective
servers, which is not covered yet.
If a component runs out of capabilities, core's PD service prints a
warning to the log. To observe the consumption of capabilities per
component in detail, the PD service is equipped with a diagnostic
mode, which can be enabled via the 'diag' attribute in the target
node of init's routing rules. E.g., the following route enables the
diagnostic mode for the PD session of the "timer" component:
<default-route>
<service name="PD" unscoped_label="timer">
<parent diag="yes"/>
</service>
...
</default-route>
For subsystems based on a sub-init instance, init can be configured
to report the capability-quota information of its subsystems by
adding the attribute 'child_caps="yes"' to init's '<report>'
config node. Init's own capability quota can be reported by adding
the attribute 'init_caps="yes"'.
Fixes #2398
2017-05-08 19:35:43 +00:00
|
|
|
GENODE_TYPE_LIST(Service_denied, Out_of_caps,
|
|
|
|
Out_of_ram, Insufficient_cap_quota,
|
Streamline exception types
This patch reduces the number of exception types by facilitating
globally defined exceptions for common usage patterns shared by most
services. In particular, RPC functions that demand a session-resource
upgrade not longer reflect this condition via a session-specific
exception but via the 'Out_of_ram' or 'Out_of_caps' types.
Furthermore, the 'Parent::Service_denied', 'Parent::Unavailable',
'Root::Invalid_args', 'Root::Unavailable', 'Service::Invalid_args',
'Service::Unavailable', and 'Local_service::Factory::Denied' types have
been replaced by the single 'Service_denied' exception type defined in
'session/session.h'.
This consolidation eases the error handling (there are fewer exceptions
to handle), alleviates the need to convert exceptions along the
session-creation call chain, and avoids possible aliasing problems
(catching the wrong type with the same name but living in a different
scope).
2017-05-07 20:03:22 +00:00
|
|
|
Insufficient_ram_quota),
|
2016-11-06 13:26:34 +00:00
|
|
|
Client::Id, Service_name const &, Session_args const &,
|
|
|
|
Affinity const &);
|
|
|
|
GENODE_RPC_THROW(Rpc_session_cap, Session_capability, session_cap,
|
Capability quota accounting and trading
This patch mirrors the accounting and trading scheme that Genode employs
for physical memory to the accounting of capability allocations.
Capability quotas must now be explicitly assigned to subsystems by
specifying a 'caps=<amount>' attribute to init's start nodes.
Analogously to RAM quotas, cap quotas can be traded between clients and
servers as part of the session protocol. The capability budget of each
component is maintained by the component's corresponding PD session at
core.
At the current stage, the accounting is applied to RPC capabilities,
signal-context capabilities, and dataspace capabilities. Capabilities
that are dynamically allocated via core's CPU and TRACE service are not
yet covered. Also, the capabilities allocated by resource multiplexers
outside of core (like nitpicker) must be accounted by the respective
servers, which is not covered yet.
If a component runs out of capabilities, core's PD service prints a
warning to the log. To observe the consumption of capabilities per
component in detail, the PD service is equipped with a diagnostic
mode, which can be enabled via the 'diag' attribute in the target
node of init's routing rules. E.g., the following route enables the
diagnostic mode for the PD session of the "timer" component:
<default-route>
<service name="PD" unscoped_label="timer">
<parent diag="yes"/>
</service>
...
</default-route>
For subsystems based on a sub-init instance, init can be configured
to report the capability-quota information of its subsystems by
adding the attribute 'child_caps="yes"' to init's '<report>'
config node. Init's own capability quota can be reported by adding
the attribute 'init_caps="yes"'.
Fixes #2398
2017-05-08 19:35:43 +00:00
|
|
|
GENODE_TYPE_LIST(Service_denied, Insufficient_cap_quota,
|
Streamline exception types
This patch reduces the number of exception types by facilitating
globally defined exceptions for common usage patterns shared by most
services. In particular, RPC functions that demand a session-resource
upgrade not longer reflect this condition via a session-specific
exception but via the 'Out_of_ram' or 'Out_of_caps' types.
Furthermore, the 'Parent::Service_denied', 'Parent::Unavailable',
'Root::Invalid_args', 'Root::Unavailable', 'Service::Invalid_args',
'Service::Unavailable', and 'Local_service::Factory::Denied' types have
been replaced by the single 'Service_denied' exception type defined in
'session/session.h'.
This consolidation eases the error handling (there are fewer exceptions
to handle), alleviates the need to convert exceptions along the
session-creation call chain, and avoids possible aliasing problems
(catching the wrong type with the same name but living in a different
scope).
2017-05-07 20:03:22 +00:00
|
|
|
Insufficient_ram_quota),
|
2016-11-06 13:26:34 +00:00
|
|
|
Client::Id);
|
|
|
|
GENODE_RPC_THROW(Rpc_upgrade, Upgrade_result, upgrade,
|
Capability quota accounting and trading
This patch mirrors the accounting and trading scheme that Genode employs
for physical memory to the accounting of capability allocations.
Capability quotas must now be explicitly assigned to subsystems by
specifying a 'caps=<amount>' attribute to init's start nodes.
Analogously to RAM quotas, cap quotas can be traded between clients and
servers as part of the session protocol. The capability budget of each
component is maintained by the component's corresponding PD session at
core.
At the current stage, the accounting is applied to RPC capabilities,
signal-context capabilities, and dataspace capabilities. Capabilities
that are dynamically allocated via core's CPU and TRACE service are not
yet covered. Also, the capabilities allocated by resource multiplexers
outside of core (like nitpicker) must be accounted by the respective
servers, which is not covered yet.
If a component runs out of capabilities, core's PD service prints a
warning to the log. To observe the consumption of capabilities per
component in detail, the PD service is equipped with a diagnostic
mode, which can be enabled via the 'diag' attribute in the target
node of init's routing rules. E.g., the following route enables the
diagnostic mode for the PD session of the "timer" component:
<default-route>
<service name="PD" unscoped_label="timer">
<parent diag="yes"/>
</service>
...
</default-route>
For subsystems based on a sub-init instance, init can be configured
to report the capability-quota information of its subsystems by
adding the attribute 'child_caps="yes"' to init's '<report>'
config node. Init's own capability quota can be reported by adding
the attribute 'init_caps="yes"'.
Fixes #2398
2017-05-08 19:35:43 +00:00
|
|
|
GENODE_TYPE_LIST(Out_of_ram, Out_of_caps),
|
2016-11-06 13:26:34 +00:00
|
|
|
Client::Id, Upgrade_args const &);
|
|
|
|
GENODE_RPC(Rpc_close, Close_result, close, Client::Id);
|
|
|
|
GENODE_RPC(Rpc_session_response, void, session_response,
|
|
|
|
Server::Id, Session_response);
|
|
|
|
GENODE_RPC(Rpc_deliver_session_cap, void, deliver_session_cap,
|
|
|
|
Server::Id, Session_capability);
|
2015-03-04 20:12:14 +00:00
|
|
|
GENODE_RPC(Rpc_main_thread, Thread_capability, main_thread_cap);
|
|
|
|
GENODE_RPC(Rpc_resource_avail_sigh, void, resource_avail_sigh,
|
|
|
|
Signal_context_capability);
|
|
|
|
GENODE_RPC(Rpc_resource_request, void, resource_request,
|
|
|
|
Resource_args const &);
|
|
|
|
GENODE_RPC(Rpc_yield_sigh, void, yield_sigh, Signal_context_capability);
|
|
|
|
GENODE_RPC(Rpc_yield_request, Resource_args, yield_request);
|
|
|
|
GENODE_RPC(Rpc_yield_response, void, yield_response);
|
|
|
|
|
2016-11-06 13:26:34 +00:00
|
|
|
GENODE_RPC_INTERFACE(Rpc_exit, Rpc_announce, Rpc_session_sigh,
|
|
|
|
Rpc_session, Rpc_session_cap, Rpc_upgrade,
|
|
|
|
Rpc_close, Rpc_session_response, Rpc_main_thread,
|
|
|
|
Rpc_deliver_session_cap, Rpc_resource_avail_sigh,
|
|
|
|
Rpc_resource_request, Rpc_yield_sigh,
|
|
|
|
Rpc_yield_request, Rpc_yield_response);
|
2015-03-04 20:12:14 +00:00
|
|
|
};
|
2011-12-22 15:19:25 +00:00
|
|
|
|
2012-10-29 11:18:24 +00:00
|
|
|
|
|
|
|
template <typename ROOT_INTERFACE>
|
|
|
|
void
|
|
|
|
Genode::Parent::_announce_base(Genode::Capability<ROOT_INTERFACE> const &service_root,
|
|
|
|
Genode::Meta::Bool_to_type<true> *)
|
|
|
|
{
|
|
|
|
/* shortcut for inherited session type */
|
|
|
|
typedef typename ROOT_INTERFACE::Session_type::Rpc_inherited_interface
|
|
|
|
Session_type_inherited;
|
|
|
|
|
|
|
|
/* shortcut for root interface type matching the inherited session type */
|
|
|
|
typedef Typed_root<Session_type_inherited> Root_inherited;
|
|
|
|
|
|
|
|
/* convert root capability to match the inherited session type */
|
|
|
|
Capability<Root> root = service_root;
|
|
|
|
Capability<Root_inherited> root_inherited = static_cap_cast<Root_inherited>(root);
|
|
|
|
|
|
|
|
/* announce inherited service type */
|
|
|
|
announce(Session_type_inherited::service_name(), root_inherited);
|
|
|
|
|
|
|
|
/* recursively announce further inherited session types */
|
|
|
|
_announce_base(root_inherited,
|
|
|
|
(Meta::Bool_to_type<Rpc_interface_is_inherited<Session_type_inherited>::VALUE> *)0);
|
|
|
|
}
|
|
|
|
|
|
|
|
|
2011-12-22 15:19:25 +00:00
|
|
|
#endif /* _INCLUDE__PARENT__PARENT_H_ */
|