The new 'genode_envp' variable declared in '_main.cc' allows libc
plugins to supplying custom environment pointers to the main function.
This is needed by 3rd-party software such as GNU make, which expects the
environment pointer as third argument of the main function.
This commit introduces placement new/delete, and a constructor for
Heap::Dataspace objects. It fixes the usage of uninitialized Dataspace
objects when expanding the heap that lead to problems in conjunction
with Native_capability smart-pointer in base-foc. Please refer to
issue #203.
This patch increases the stack size of entrypoint threads in the PCI and
PS/2 drivers, in the Terminal server and in the Signal service for 64-bit
Genode/Fiasco.OC built with -O0.
Fixes#198.
When a portion of the sliced heap gets freed, the corresponding block
gets removed from the list of blocks, and it's dataspace containing the
block gets detached, but it's destructor never gets called. This leads
to leaking capabilities, when Native_capability is implemented as
smart-pointer, because the destructor of Ram_dataspace_capability that
is part of the Block object gets never called.
Whenever Native_capability or its derivation Capaility is memcpy'd no copy-
constructor/assignment-operator is used and thereby implementation of
reference-counting gets impossible for these objects. Use object-oriented
means like e.g. copy-constructor instead.
If any operand of the '?' operator is of an unsigned type, the result
is unsigned by default. Thanks to Julian Stecklina for finding
this out.
Fixes#189.
With this patch clients of the RM service can state if they want a mapping
to be executable or not. This allows dataspaces to be mapped as
non-executable on Linux by default and as executable only if needed.
Partially fixes#176.
This patch introduces support for ROM sessions that update their
provided data during the lifetime of the session. The 'Rom_session'
interface had been extended with the new 'release()' and 'sigh()'
functions, which are needed to support the new protocol. All ROM
services have been updated to the new interface.
Furthermore, the patch changes the child policy of init
with regard to the handling of configuration files. The 'Init::Child'
used to always provide the ROM dataspace with the child's config file
via a locally implemented ROM service. However, for dynamic ROM
sessions, we need to establish a session to the real supplier of the ROM
data. This is achieved by using a new 'Child_policy_redirect_rom_file'
policy to handle the 'configfile' rather than handling the 'configfile'
case entirely within 'Child_config'.
To see the new facility in action, the new 'os/run/dynamic_config.run'
script provides a simple scenario. The config file of the test program
is provided by a service, which generates and updates the config data
at regular intervals.
In addition, new support has been added to let slaves use dynamic
reconfiguration. By using the new 'Child_policy_dynamic_rom_file', the
configuration of a slave can be changed dynamically at runtime via the
new 'configure()' function.
The config is provided as plain null-terminated string (instead of a
dataspace capability) because we need to buffer the config data anyway.
So there is no benefit of using a dataspace. For buffering configuration
data, a 'Ram_session' must be supplied. If no 'Ram_session' is specified
at construction time of a 'Slave_policy', no config is supplied to the
slave (which is still a common case).
An example for dynamically reconfiguring a slave is provided by
'os/run/dynamic_config_slave.run'.
The 'copy_to' function turned out to be not flexible enough to
accommodate the Noux fork mechanism. This patch removes the function,
adds an accessor for the capability destination and a compound type
'Native_capability::Raw' to be used wherever plain capability
information must be communicated.
By commit d287b9d893 the Native_capability
class changed fundamentally in the Fiasco.OC platform code of Genode. Thereby
the cap_integrity test got incompatible with it. This commit introduces a
separate test implementation for Fiasco.OC that does semantically the same
like the old test. Please refer to issue #161.
By using the `compare_output_to` method from the run tool instead of using
regexp in the cap_integrity run-script, the test outputs the undesired lines
instead of just signaling that the test failed.
We cannot trust signal imprints received with signals to represent valid
pointers to signal contexts. After a signal context has been dissolved
from its receiver, a signal corresponding to the context might still be
in flight. Hence, we need a facility to check received signal imprints
against the list of valid contexts at reception time. The new
'Signal_context_registry' is a very simple attempt to create such a
facility.
Introduce a new Noncopyable class, one can derive from to mark a class of
objects to be uncopyable. This way the compiler can check for any violations
for you.
This commit unifies the policy name for the template argument for
Native_capability_tpl to Cap_dst_policy, like suggested by Norman in the
discussion resulting from issue #145. Moreover, it takes the memcpy
operation for copying a Native_capability out of the template, which is
included by a significant bunch of files, and separates it in a library,
analog to the suggestion in issue #145.
Because we use to pass a policy class to 'Native_capability_tpl'
we can pass the dst type as part of the policy instead of as
a separate template argument. This patch also adds documentation
of the POLICY interface as expected by 'Native_capability_tpl'.
This patch unifies the Native_capability classes for the different kernel
platforms by introducing an appropriate template, and eliminating naming
differences. Please refer issue #145.
To give the platform developer more freedom in how the Native_capability
class is internally implemented (e.g. turning it into a smart-pointer),
this patch removes the memcpy operation, when transfering the parent-capability
to a new process from the generic code, and let the implementation of the
platform-specific Native_capability decide how the transfer has to be done.
Please refer to issue #144.
Introduce a factory-, and dereference method for local capabilities. These are
capabilities that reference objects of services, which are known to be used
protection-domain internally only. To support the new Capability class methods
a protected constructor and accessor to the local object's pointer is needed
in the platform's capability base-classes. For further discussion details please
refer issue #139.
Separate spin-lock implementation from lock-implementation and put it into a
non-public header, so it can be re-used by the DDE kit's and Fiasco.OC's
capability-allocator spin lock. Fixes issue #123.
Replace 'Reg_array' in 'Genode::Mmio' by 'Register_array' and 'Subreg'
in 'Genode::Register', 'Genode::Mmio::Register'and
'Genode::Mmio::Register_array' by 'Bitfield'.
Update and beautify comments in the according headers and test programs.
'Reg_array' contains items whose width can be the width of the register
storage type at a max. Nethertheless they can be smaller and iterate all
subregs that are covered by the item width. The array uses as much
successive instances of its storage type as needed.
The test 'run/util_mmio' also tests these new features heavily.
The run script 'run/util_mmio.run' runs a test over basic
functionalities of 'Mmio::Register' and 'Mmio::Register::Subreg'. The
test covers the functions 'read' and 'bits', 'set', 'clear' and 'get'.
Inline function in 'Mmio::Register::Subreg' whose definition otherwise
looks ugly.
To accommodate CPU registers, which have a structured layout but don't
depend on a region base address, this patch introduces the generic
'Genode::Register' and 'Genode::Subreg' to 'register.h'.
'Mmio::Register' and 'Mmio::Subreg' inherit from them.
The MMIO access framework consists of an abstraction for a contiguous
MMIO area with a base address set dynamically. Within this class 'Mmio'
are declarations for 'Register' and 'Subreg'. These two can be
parameterized statically via template parameters to create arbitrary
MMIO structures.
Whereas 'Register' relies to a POD like subregion of 'Mmio', 'Subreg'
relies to a MMIO region within a specific 'Register' and therefore is
smaller or equal then the storage type of its superior 'Register'.
Furthermore with 'Reg_array' and 'Subreg_array', there exists the
possibility to handle arrays of uniform contiguous registers or subregs
by index. 'Subreg_array' therefore abstracts from the width boundary of
its superior 'Register' and handles a steady distance between its
members in addition. Both also check array size limits.
Related to issue #69.
The startup procedure of forked processes differs from Genode's
normal process creation by omitting all steps related to ELF loading
and the start of the main thread. To let the process lib support this
distinction, an invalid ELF-binary capability is handled as valid
argument now.
The 'Child' framework used to perform the transfer of session quota
using 'env()->ram_session()' as hard-wired reference account. When
locally virtualizing the RAM session supplied to the 'Child', this
policy does not work. When closing a session, core would try to transfer
session quota to the virtualized RAM service, which is of course not
possible. This patch makes the reference RAM session configable via the
'Child_policy' interface.
The new function 'Platform_env::reload_parent_cap' triggers a reload
of the parent capability and its respective resources. It is needed
during the bootstrap of a new process forked from an existing Noux
process.