423 Commits

Author SHA1 Message Date
5040e20979 base-linux: return invalid Dataspace for missing ROM modules
The changes made in the commit for removal of 'Service_denied' from
core's ROM service (#5251) result in a 'Region_conflict' exception
because the Dataspace_component object is constructed even for
non-existing ROM modules, which leads to an attach attempt with
a dataspace of size 0 (see 'Region_map_mmap::attach').

To prevent this from happening the Dataspace_component is destructed
in case the underlying Untyped_capability is invalid. With this change
the behaviour is now in line with other base platforms where attaching
such a dataspace results in an 'Attached_dataspace::Invalid_dataspace'
exception.

Issue #5595.
2025-06-06 11:24:43 +02:00
6a9d2bd1d5 depot: update recipe hashes 2025-05-28 08:23:47 +02:00
f39336b402 Unify fixed-width C types
Fixes #5589
2025-05-28 08:23:46 +02:00
7107719d23 util/bit_allocator.h: remove C++ exceptions
This change affects the users of util/bit_array.h as well, e.g.,
os/packet_allocator.h, libc, and part_block.

Issue #5245
2025-05-28 08:23:45 +02:00
9567e1e7ad base/include: compatibility to -fno-exceptions
This commit introduces 'raise(Unexpected_error)' for situations
that were formerly reflected directly as exceptions. Those conditions
still result in an exception but with added diagnostics.

The few parts of the API that strictly rely on C++ exceptions
(Xml_node, GENODE_RPC_THROW) are now guarded via __EXCEPTIONS.

Issue #5245
2025-05-27 08:33:23 +02:00
805cbd539c base-linux: remove exceptions
Issue #5245
2025-05-27 08:33:23 +02:00
eecafa0459 core: remove 'new' from CPU service
Issue #5245
2025-05-27 08:33:22 +02:00
53e76243a1 lx_hybrid: add delete(void*, unsigned long) for 32 bit
The Genode tool chain creates calls to delete(void*, unsigned long) on
32-bit targets, because size_t is unsigned long. In contrast, the
host tool chain that links hybrid targets only contains delete(void*,
unsigned) because size_t is unsigned for these platforms. Hence, we
create a wrapper for delete(*, unsigned long) that calls the unsigned
version.

Issue #5560
2025-05-27 08:32:05 +02:00
b73d407ed3 core: remove Core_virtual_memory_exhausted
Issue #5245
2025-05-27 08:32:05 +02:00
bb94c2b3b1 root/component.h: support errors as return values
The '_create_session' method now returns a 'Create_result' instead
of a pointer. This result can either be a reference to the new
session object or a 'Create_error' code.

The '_upgrade_session' and '_destroy_session' methods now take a
reference instead of a pointer as argument.

Fixes #5562
2025-05-27 08:32:05 +02:00
c8579c4e77 base-linux: fix compile errors with GCC 14 and older glibc
Fixes #5567
2025-05-27 08:32:05 +02:00
214d6b5061 core: remove signal_receiver.cc
This part of the signal API is not used because core never receives
signals.
2025-05-27 08:32:04 +02:00
cae031a44b base-linux: pass XDG_RUNTIME_DIR to components
This prevents the following warning and configures access to freedesktop
runtime data of the current user for hybrid components, e.g., fb_sdl.

  error: XDG_RUNTIME_DIR is invalid or not set in the environment.
2025-05-27 08:32:04 +02:00
7d74277ee5 base: remove diagnostic throws from base lib
Replace try/catch/throw by guard objects.
In panic situations, print an error and sleep forever.
Infinitely block invalid IPC calls.
Weasel out of cap ref count overflows by clamping count to max.
Accept ID-space ambiguities but be verbose about it.
Skip Duration::add when detecting an integer overflow.

Issue #5245
2025-05-27 08:32:03 +02:00
8a5dd8944a core: remove 'Service_denied' from io_mem_session
Issue #5251
2025-05-27 08:32:02 +02:00
7e6ae1a959 core: remove 'Service_denied' from ROM service
Core's ROM service no longer reflects a missing ROM module at
session-creation time but delivers an invalid dataspace capability.

This patch also removes the duplication of linux/dataspace_component.cc.

Issue #5251
2025-05-27 08:32:02 +02:00
bfccd98179 core: remove 'Service_denied' from io_port_session
Issue #5251
2025-05-27 08:32:02 +02:00
bab2abd7ae base: distinguish alloc errors in rpc_cap_factory
Issue #5057
2025-05-27 08:32:02 +02:00
29b89df1c6 base/thread.h: avoid pointers for stack allocation
This has become possible by the added support of reference types for
'Unique_attempt'.

Issue #5539
2025-05-27 08:32:02 +02:00
3090bed4a0 core: rework IRQ-number allocation
Replace use of deallocate=false by keeping the IRQ number as guard
object. Don't throw 'Service_denied'. Remove superfluous debug messages.

Issue #5502
Issue #5251
2025-05-27 08:32:02 +02:00
a128bbd6b8 depot: update recipe hashes 2025-04-29 11:23:22 +02:00
016d63703d depot: update recipe hashes 2025-04-10 14:55:59 +02:00
1ef80e86e2 base: introduce Local_rm for local Region_map
The new 'Local_rm' type offers a narrow interface for the interaction
with the component-local address space, managing the lifetime of
attachments by using the 'Allocation' API.

Fixes #5516
2025-04-10 14:55:57 +02:00
84eb264786 util/attempt.h: mark 'Attempt' types as nodiscard
This catches bugs early on. E.g., when leaving an 'Allocation'
unused, it gets immediately deallocated, which is most probably not
intended. For regular 'Attempt' objects, this change encourages
the proper propagation of errors, or at least the logging of unexpected
conditions.

Fixes #5513
2025-04-10 14:55:21 +02:00
e380d0da95 base: use 'Allocation' interface for mem alloc
This patch converts the memory-allocator interfaces ('Allocator',
'Range_allocator') and their implementations ('Heap', 'Sliced heap',
'Slab', 'Allocator_avl', 'Synced_allocator') to the new 'Allocation'
utility. The new interface resides at base/memory.h whereas the
traditional allocators implement the new interface.

Down the road, the traditional allocators can successively be decoupled
from the traditional 'Allocator' and 'Range_allocator' interfaces.

Issue #5502
Issue #5245
2025-04-10 14:55:21 +02:00
b4a746bc89 base/error.h: add raise() interface
The new 'raise' function can be used instead of 'throw' to keep the
framework headers void of C++ throw statements, which would otherwise
prevent the compilation of the headers with -fno-exceptions.

In the presence of the C++ runtime, the 'raise' implementation reflects
the supplied error value(s) as C++ exceptions of the appropriate type.
In the (future) optional absence of the C++ runtime, 'raise' remains
unresolved, which then gives us the assurance that the binary contains
no code path leading to 'raise'; all error conditions must have been
covered in other ways than 'raise'.

For this reason, 'Genode::raise' is not provided by the base library
but the cxx library (C++ runtime). Once we allow components to opt out
of the cxx library, 'raise' will automatically become unresolved for
those strict components.

Issue #5245
2025-04-10 14:55:21 +02:00
fee2f354dc util/attempt.h: introduce 'Ok' type
This type alleviates the need to re-introduce custom '*_ok' types
whenever a result can be an error but no value.
2025-04-10 14:55:20 +02:00
689fc1eb93 Introduce new 'Ram' API types
The new types in base/ram.h model different allocation scenarios and
error cases by mere C++ types without using exceptions. They are meant
to replace the former 'Ram_allocator' interface. As of now, the
'Unmapped_allocator' closely captures the former 'Ram_allocator'
semantics. The 'Constrained_allocator' is currently an alias for
'Unmapped_allocator' but is designated for eventually allocating
mapped RAM.

In contrast to the 'Ram_allocator' interface, which talked about
dataspace capabilities but left the lifetime management of the
allocated RAM to the caller, the new API represents an allocation
as a guard type 'Allocation', which deallocates on destruction by
default.

Allocation errors are captured by a 'Result' type that follows
the 'Attempt' pattern.

As a transitional feature, the patch largely maintains API
compatibility with the original 'Ram_allocator' by providing
the original (exception-based) 'Ram_allocator::alloc' and
'Ram_allocator::free' methods as a wrapper around the new
'Ram::Constrained_allocator'. So components can be gradually
updated to the new 'Ram::' interface.

Issue #5502
2025-04-10 14:55:15 +02:00
7e420a68a6 Remove C++ exceptions from 'Thread' API
After construction, a 'Thread' object may remain in a dysfunctional state
should the stack allocation have failed. This condition is no longer
reflected as a C++ exception but as a result value of 'Thread::info()'.

Keep 'Thread::name' as public constant because the stack is not always
available for storing the name.

The 'stack_top' accessor has been removed because this information is
already provided by 'Thread::info()'.

Issue #5245
2025-04-10 14:27:21 +02:00
ff83de2bbc base: decouple 'Pd_session' from 'Ram_allocator'
With this patch, the 'Pd_session' interface no longer implements the
'Ram_allocator' interface, which allows us to change the
'Genode::Ram_allocator' semantics (as a subsequent step) without
affecting core's PD service.

The patch also replaces the client-local implementation of
'Pd_session_client::dataspace_size' by the proper RPC call 'ram_size' to
core, which mitigates the potential risk of de-referencing a dataspace
cap of an untrusted origin. E.g., in scenarios where the monitor
component requests the size of a dataspace allocated by the debugging
target.

Since 'ram_size' is an RPC call, it cannot be const. Hence,
'Ram_allocator::dataspace_size' has become non-const.

The new 'Pd_ram_allocator' implements the 'Ram_allocator' interface by
using a PD session.

Issue #5502
2025-04-10 14:24:31 +02:00
aa9ff3894c base: scoped access of Native_thread
With the planned removal of Thread:: exceptions, we need to consider that a
'Thread' object may exist without a valid 'Stack' and therefore without
a valid 'Native_thread', which is hosted as part of the 'Stack'.

This patch reworks the code that accesses the 'Native_thread' to use the
new 'Thread::with_native_thread' interface. Within the local scope,
the native thread is referred to as 'nt'.

The '_init_platform_thread' and '_deinit_platform_thread' functions have
been replaced by '_init_native_thread' and '_deinit_native_thread', which
take a 'Stack &' as argument.

As a safety caution, 'Native_thread' objects can no longer be copied.

Issue #5245
2025-04-10 14:24:11 +02:00
2d89b53b0c depot: update recipe hashes 2025-02-27 12:53:40 +01:00
cefcd1fffa base-linux: use 'assert'-proc in run scripts
Issue #5432
2025-02-24 16:39:20 +01:00
2c8beb462f file-system session: root dir via session label
This patch changes how the client-selected sub directory is
communicated to the server. The former opaque session argument is now
passed as the last label element, which allows for the flexible tweaking
of this argument by init's session-routing and label-rewriting
mechanisms. In particular, it alleviates the need for creating chroot
component instances.

This change requires the following four adaptations at the
configuration level:

- Each file-system session request must now carry a path starting
  with / as the last session argument. Hence, <vfs> <fs> nodes that
  feature a 'label' attribute must extend the attribute value
  with " -> /". For <fs> nodes with no label attribute, "/" is
  used as the last label argument by default.

- For matching session-routing rules at init's configuration,
  the matching of full labels should be replaced by 'label_prefix'
  matches, excluding the last (path) argument.

- Wherever a label of a file-system session is rewritten by using
  init's 'label' attribute of a <parent> or <child> target node,
  the new attribute 'identity' should be used instead. This replaces
  the identity part of the label while preserving the client's
  directory argument.

- Analogously to the matching of session-routing rules, server-side
  policy-selection rules that formerly matched a concrete 'label'
  must be changed to match a 'label_prefix' instead.

As a good practice, 'label_prefix' values should end with " ->" if
possible, which clearly delimits the identity part of the label
used by the matching.

Issue #5445
2025-02-24 16:39:20 +01:00
2719b37107 run: use ram attribute in start nodes
Issue #5448
2025-02-24 16:39:20 +01:00
5076554f20 depot: update recipe hashes 2025-01-30 16:32:35 +01:00
63b49fcdb3 Enable -ffreestanding by default
Fixes #5429
2025-01-30 16:30:14 +01:00
ab736c04f6 core: remove Core_env
This patch adjusts the last remaining callers of 'core_env' and removes
the 'Core_env' interface.

- Core's RAM/cap accounts are now represented by 'Core_account'
  implementing the 'Pd_account' interface.

- The former parts of 'Core_env' are now initialized in sequence
  in 'bootstrap_component'.

- 'Core_child' has been moved to a header to reduce the code in
  'main.cc' to a bare minimum. This is a preparation for the
  plan of making 'main.cc' specific for each kernel.

Fixes #5408
2025-01-30 16:24:36 +01:00
fc11e26511 core: pass ram, rm, io-ports to local services
This patch replaces the use of 'core_env()' in 'platform_services.cc' by
the function arguments 'core_ram', 'core_rm', and 'io_port_ranges'.

It also removes the 'Pd_session' argument from 'Io_port_root' and
'Irq_root' to avoid the reliance on the 'Pd_session' interface within
core.

Issue #5408
2025-01-30 16:24:36 +01:00
43d7c3bd11 core: don't rely on Core_env in platform.cc
Replace the use of the global 'core_env()' accessor by the explicit
delegation of interfaces.

- For allocating UTCBs in base-hw, 'Platform_thread' requires
  a way to allocate dataspaces ('Ram_allocator') accounted to the
  corresponding CPU session, a way to locally map the allocated
  dataspaces (core's 'Region_map'), and a way to determine the
  physical address (via 'Rpc_entrypoint') used for the initial
  UTCB mapping of main threads. Hence those interfaces must be
  passed to 'Platform_thread'.

- NOVA's pager code needs to look up 'Cpu_thread_component'
  objects using a map item as key. The lookup requires the
  'Rpc_entrypoint' that holds the 'Cpu_thread_component' objects.
  To make this 'Rpc_entrypoint' available, this patch adds
  the 'init_page_fault_handling' function.

- The 'Region_map_mmap' for Linux requires a way to look up
  'Linux_dataspace' objects for given dataspace capabilities.
  This lookup requires the 'Rpc_entrypoint' holding the dataspaces,
  which is now passed to 'platform.cc' via the new Linux-specific
  'Core_region_map::init' function.

Issue #5408
2025-01-30 16:24:35 +01:00
cd6701c483 depot: update recipe hashes 2024-12-11 08:35:22 +01:00
b21c8729ea base: provide core_ram_allocator via platform_add_local_services()
This is a prerequisite to rework the allocation of core data structures
for VM sessions in hw.

Issue #5221
2024-12-10 14:11:57 +01:00
011b44c282 depot: update recipe hashes 2024-11-20 08:58:39 +01:00
61c9706353 depot: update recipe hashes 2024-10-08 11:30:26 +02:00
26002a5482 depot: update recipe hashes 2024-08-29 12:32:25 +02:00
943dfa10e7 base/child.h: remove exceptions from process init
This patch replaces the former Child::Process and
Child::Process::Loaded_executable classes by static functions that
return failure conditions as return values.

Issue #5245
2024-07-02 12:00:11 +02:00
0288cffaee Remove exceptions from 'Parent' interface
Issue #5245
2024-07-02 12:00:11 +02:00
19c13877ca Replace use of 'typedef' by 'using'
Issue #5227
2024-07-02 12:00:11 +02:00
361557e1f0 base-*: omit () for lambdas w/o argument
Issue #5227
2024-07-02 12:00:11 +02:00
a2b0553c51 base-*: use C++20 function template syntax
Issue #5227
2024-07-02 12:00:11 +02:00