Commit Graph

400 Commits

Author SHA1 Message Date
Martin Stein
364f69edad Xml_generator: fix and test missing '\0'
Ensure that a '\0' always appears at the end of the ouput of the XML
generator.  Previously, exceptions during the Node(...) constructor
might have prevented this. This commit also extends the xml_generator
test to drive a harder test on exceptions in the Xml_generator.

Issue #2953
2018-10-29 09:36:20 +01:00
Martin Stein
85d589a49c Xml_generator: fix exception handling in Node(...)
When the functor provided to the Node constructor throws an exception,
do revert all changes in reverse order. Previously, the changes made
to the parent node were not considered by the exception handler which
caused unnecessary characters to remain in the out buffer for each
reverted node.

Issue #2953
2018-10-29 09:36:20 +01:00
Martin Stein
cc4a72243d print_lines: fix bugs in line length calculation
1) The loop for determining the line length read from a character offset
   before checking whether the offset is smaller than the given string
   length. This could have caused access outside the string buffer.

2) The routine for determining the line length first seeked for the
   offset of the last real character of the line and than added one for
   getting the length but only if the following character was '\n'. This
   has to be done for any other line-terminating character too. The only
   case where you don't want to do this is when the end of the whole
   string is reached.

Issue #2967
2018-09-13 15:21:11 +02:00
Norman Feske
ac0562ec18 base: avoid Pd_session::Invalid_session condition
By adding a sanity check for the validity of the PD session targeted by
a transfer_quota operation, the corner case of an incomplete PD session
of a child can no longer trigger an 'Invalid_session' exception.
2018-08-02 14:36:44 +02:00
Norman Feske
4b46abf813 base: rm first-class support for static binaries
This patch removes the detection of statically linked executables from
the base framework. It thereby fixes the corner cases encountered with
Sculpt when obtaining the binaries of the runtime from the depot_rom
service that is hosted within the runtime.

Statically linked binaries and hybrid Linux/Genode (lx_hybrid) binaries
can still be started by relabeling the ROM-session route of "ld.lib.so"
to the binary name, pretending that the binary is the dynamic linker.
This can be achieved via init's label rewriting mechanism:

  <route>
    <service name="ROM" unscoped_label="ld.lib.so">
      <parent label="test-platform"/> </service>
  </route>

However, as this is quite cryptic and would need to be applied for all
lx_hybrid components, the patch adds a shortcut to init's configuration.
One can simply add the 'ld="no"' attribute to the <start> node of the
corresponding component:

  <start name="test-platform" ld="no"/>

Fixes #2866
2018-08-02 14:36:38 +02:00
Martin Stein
fbe9d26c47 trace: initialize trace control in Thread::start
Previously, the trace control of a thread was initialized in its
constructor (which is generic for all components). This has the
disadvantage that the CPU-session-pointer member of the thread might not
be valid at this point. And it cannot be replaced by using the
"deprecated_env" CPU session neither as constructing the deprecated
environment in causes troubles in Core. But as the trace control
shouldn't be needed in Core anyway, the initialization can be moved to
the Thread::start implementation of non-core components. This code
already takes care of the CPU session pointer.

Fixes #2901
2018-08-02 14:36:35 +02:00
Norman Feske
a3858bff3c base: handle cancelation of session creation
This patch improves the handling of the corner case where a client
vanishes while a session request is in flight (CREATE_REQUESTED but
not yet AVAILABLE). This corner case could be sporadically observed with
the init_loop test on base-linux.

In the original version, the session would eventually be delivered but
never picked up by anyone. Such a stale session still uses resources that
should better be released. In the new version, the parent checks for the
liveliness of the client whenever a session is delivered. If there is no
client of the session, a close request is immediately issued to the
server. The session state must be preserved until the close requests has
been answered.
2018-07-03 09:39:32 +02:00
Emery Hemingway
98f1d83194 Automatic session quota upgrades for RM connections
Fix #2838
2018-06-29 10:44:54 +02:00
Martin Stein
fc90c5f8f0 session_label: make typedef String public
Internally, Genode::Session_label has a typedef from String<capacity()> to
String. To have this typedef public is especially useful when reading a
label from an XML node. This can then be written as

! Session_label label = node.attribute_value("label", Session_label::String());

instead of

! Session_label label = node.attribute_value("label", String<160>());

which would be less generic (Session_label cannot be used directly as there
is no appropriate ascii_to implementation).

Issue #2840
2018-06-29 10:40:14 +02:00
Alexander Boettcher
ef482513c4 base: reset unfinished xml nodes in xml_generator
Fixes #2855
2018-06-13 13:50:35 +02:00
Norman Feske
81613afa03 base: fix quota transfer to async env services
Whenever an environment session was provided by an asynchronous service,
e.g., the depot_rom of the sculpt scenario, the session quota was not
transferred to the server at session-creation time. This resulted in a
slow depletion of the server's quota over time. This patch ensures that
the delivery of session quota is consistent with the information
reported to the server as session argument.
2018-06-12 12:11:47 +02:00
Norman Feske
7b6b3a4535 base: fix destruction of async env sessions
When an environment session is provided by a async service such as a
sibling component, the session metadata must be preserved until end of
the lifetime of the session at the server has been acknowledged by the
server. Since the session meta data of env sessions are always part of
the 'Child' object, the destruction of this object must be deferred
until this point.
2018-05-30 13:36:30 +02:00
Alexander Boettcher
e6d20aba93 base: support to attach RAM dataspaces readonly
Fixes #1633
2018-05-30 13:36:27 +02:00
Norman Feske
24e6b677bd util/list_model.h: graceful handling of duplicates
This patch makes the 'List_model' utility robust against duplicated
occurrences of node IDs in the supplied XML data. If two or more XML
nodes correspond to the same model element, the existing element is
updated with the information of the subsequent XML nodes.
2018-05-30 13:36:18 +02:00
Martin Stein
2bd163533b string.h: ascii_to for unsigned char
Issue #2795
2018-05-30 13:36:11 +02:00
Norman Feske
bf0ef1b8eb base: remove unused argument name in list_model.h
Needed to use the utility with -Weffc++.
2018-05-30 13:36:09 +02:00
Johannes Schlatow
9fc3344ee8 trace/buffer: keep "last" entry on wraps
When the former trace buffer implementation wrapped, the last entry
according to commit order couldn't be detected anymore. Now, the last
committed entry is always followed by an entry with length 0.

As a downside of this, there are now two meanings of "last" entry: It
means either that the entry marks the empty padding after the entry with
the highest memory address or that it actually marks the end of the
buffer according to commit order. This is an example state of the buffer
with the two types of "last" entry:

                           last                                     last
+-------------+------------+---+---------+-------------+------------+---+-------+
| len3  data3 | len4 data4 | 0 | empty   | len1  data1 | len2 data2 | 0 | empty |
+-------------+------------+---+---------+-------------+------------+---+-------+

If the entry with the highest memory address fits perfectly, the first
type of "last" entry is not needed:

                                  last
+------------+--------------------+---+-------+-------------+-------------------+
| len3 data3 | len4         data4 | 0 | empty | len1  data1 | len2        data2 |
+------------+--------------------+---+-------+-------------+-------------------+

If the buffer didn't wrap so far, there is only one "last" entry that
has both meanings:

                                                      last
+--------------------------+------------+-------------+---+---------------------+
| len1               data1 | len2 data2 | len3  data3 | 0 | empty               |
+--------------------------+------------+-------------+---+---------------------+

Issue #2735

Co-authored-by: Martin Stein <martin.stein@genode-labs.com>
2018-05-03 15:31:54 +02:00
Stefan Kalkowski
f653be1ebc gpio_drv: add support for i.MX6
Fix #2750
2018-04-19 12:38:24 +02:00
Martin Stein
ff7c378ff9 bit_allocator: alloc specific block of bits
Method to try to allocate specific bits of the Bit_allocator_dynamic.

Ref #2670
2018-03-29 15:16:11 +02:00
Martin Stein
8c65219c96 util/string: add ascii_to for unsigned short
Ref #2670
2018-03-29 15:09:05 +02:00
Martin Stein
eb11e077fc list_model: fix missing include
Ref #2670
2018-03-29 15:07:15 +02:00
Emery Hemingway
ed1c87c8d6 Xml_generator support for floating point values
Ref #2702
2018-03-08 12:05:08 +01:00
Christian Helmuth
d72517e673 Remove replenish error message from quota guard 2018-02-28 11:05:04 +01:00
Martin Stein
abf9557bb5 AVL node/tree: make non-copyable
AVL trees can't be copied with the default copy constructor as the
parent pointer of the first item of both of the resulting trees would
point to the original tree. Copying an AVL node, however, generally
violates the integrity of the corresponding tree. The copy constructor
of Avl_tree is used in some places but in those places it can be
replaced easily. So, this commit deletes the copy constructor of
Avl_node_base which makes Avl_node and Avl_tree non-copyable.

Issue #2654
2018-02-09 13:34:23 +01:00
Martin Stein
c10554851d trace_session: fix exception list in 'trace' RPC
Trace_session::trace might throw Nonexistant_subject which was neither
documented nor declared in the RPC interface.

Issue #2654
2018-02-09 13:34:19 +01:00
Martin Stein
c68d551c41 base/trace/buffer.h: fix circular #include
Previously, base/trace/buffer.h included base/thread.h which includes
base/trace/logger.h which includes base/trace/buffer.h.

Removed the base/thread.h include in base/trace/buffer.h as it is not
needed.

Issue #2654
2018-02-09 13:34:19 +01:00
Johannes Schlatow
bfe0031304 base-hw: enable SMP support for Zynq-7000 boards
Issue #2641
2018-02-09 13:34:19 +01:00
Norman Feske
10f1616c28 base: add util/list_model.h
The new 'List_model' utility helps with the implementation of
component-internal data models created and updated from XML.

Fixes #2653
2018-02-09 13:34:17 +01:00
Alexander Boettcher
a9a8c65f53 base: remove debug message from Allocator_guard 2018-02-09 13:34:15 +01:00
Norman Feske
e0e9b3b32e init: close all sessions of exited children
With this patch, init responds to the exit of a child by closing all
sessions of the child. E.g., if a child is a GUI application, its
nitpicker session is closed at the time of exit, not at the time when
the start node disappears from init's configuration.

Since this change requires a modification of the 'Genode::Child' class,
it takes the chance to make the child-destruction less brutal. The
new version ensures that all threads of the destructed subsystem are
destructed before other sessions, in particular PD sessions. This
eliminates spurious page-fault warnings during the child destruction.

On Fiasco.OC, closing the CPU session of a thread while being called by
the thread causes a deadlock. Hence, we skip the eager destruction of
CPU sessions on this kernel.

Related to issue #2659
2018-02-09 13:31:27 +01:00
Martin Stein
26f65f4996 Xml_node: fix bug in Xml_node::decoded_content
Previously, the dst_len value was not decreased after each character that was
written to the dst buffer. This way, if the content length was greater than
dst_len, decoded_content wrote to memory out of bounds.

Issue #2644
2018-02-09 13:26:02 +01:00
Martin Stein
84e476facb Xml_node: do not consider '0' in decoded_content
Do not leave space for a terminating '0' at the end of the dst buffer in
decoded_content as the method does not write this '0'. The caller of the
method shall take care of it instead.

Issue #2644
2018-02-09 13:26:01 +01:00
Norman Feske
eba9c15746 Follow practices suggested by "Effective C++"
The patch adjust the code of the base, base-<kernel>, and os repository.
To adapt existing components to fix violations of the best practices
suggested by "Effective C++" as reported by the -Weffc++ compiler
argument. The changes follow the patterns outlined below:

* A class with virtual functions can no longer publicly inherit base
  classed without a vtable. The inherited object may either be moved
  to a member variable, or inherited privately. The latter would be
  used for classes that inherit 'List::Element' or 'Avl_node'. In order
  to enable the 'List' and 'Avl_tree' to access the meta data, the
  'List' must become a friend.

* Instead of adding a virtual destructor to abstract base classes,
  we inherit the new 'Interface' class, which contains a virtual
  destructor. This way, single-line abstract base classes can stay
  as compact as they are now. The 'Interface' utility resides in
  base/include/util/interface.h.

* With the new warnings enabled, all member variables must be explicitly
  initialized. Basic types may be initialized with '='. All other types
  are initialized with braces '{ ... }' or as class initializers. If
  basic types and non-basic types appear in a row, it is nice to only
  use the brace syntax (also for basic types) and align the braces.

* If a class contains pointers as members, it must now also provide a
  copy constructor and assignment operator. In the most cases, one
  would make them private, effectively disallowing the objects to be
  copied. Unfortunately, this warning cannot be fixed be inheriting
  our existing 'Noncopyable' class (the compiler fails to detect that
  the inheriting class cannot be copied and still gives the error).
  For now, we have to manually add declarations for both the copy
  constructor and assignment operator as private class members. Those
  declarations should be prepended with a comment like this:

        /*
         * Noncopyable
         */
        Thread(Thread const &);
        Thread &operator = (Thread const &);

  In the future, we should revisit these places and try to replace
  the pointers with references. In the presence of at least one
  reference member, the compiler would no longer implicitly generate
  a copy constructor. So we could remove the manual declaration.

Issue #465
2018-01-17 12:14:35 +01:00
Norman Feske
2a33d9aa76 pthread: prevent copy of Genode::Thread object
This patch also adjusts virtualbox because it relies on pthread-internal
interfaces.

Fixes #2630
2018-01-17 12:14:34 +01:00
Alexander Boettcher
f4aff87e25 make _timer_ticks_to_us 64bit safe
fixes PIT running to fast on seL4 x86_64
2017-11-30 11:23:07 +01:00
Martin Stein
8e80c05be7 signal: organize signal contexts as ring list
Ref #2532
2017-11-30 11:23:02 +01:00
Alexander Boettcher
7ff6e96623 base: avoid pagefault if session creation failed 2017-11-24 09:07:32 +01:00
Christian Helmuth
b1c9db8a0d libc: dispatch pending signals at selective points 2017-11-24 09:02:03 +01:00
Stefan Kalkowski
4e97a6511b hw: switch page-tables only when necessary
* Instead of always re-load page-tables when a thread context is switched
  only do this when another user PD's thread is the next target,
  core-threads are always executed within the last PD's page-table set
* remove the concept of the mode transition
* instead map the exception vector once in bootstrap code into kernel's
  memory segment
* when a new page directory is constructed for a user PD, copy over the
  top-level kernel segment entries on RISCV and X86, on ARM we use a designated
  page directory register for the kernel segment
* transfer the current CPU id from bootstrap to core/kernel in a register
  to ease first stack address calculation
* align cpu context member of threads and vms, because of x86 constraints
  regarding the stack-pointer loading
* introduce Align_at template for members with alignment constraints
* let the x86 hardware do part of the context saving in ISS, by passing
  the thread context into the TSS before leaving to user-land
* use one exception vector for all ARM platforms including Arm_v6

Fix #2091
2017-10-19 13:31:18 +02:00
Stefan Kalkowski
ca60e24ad9 hw: run core threads in privileged mode
* introduce new syscall (core-only) to create privileged threads
* take the privilege level of the thread into account
  when doing a context switch
* map kernel segment as accessable for privileged code only

Ref #2091
2017-10-19 13:31:17 +02:00
Christian Helmuth
0da420c104 Limit max string length in log session for okl4
This commit also adds a test to test-log.
2017-10-19 13:31:16 +02:00
Martin Stein
b811ef4331 signal: fix starvation by fast signal contexts
In the past, a signal context, that was chosen for handling by
'Signal_receiver::pending_signal and always triggered again before
the next call of 'pending_signal', caused all other contexts behind
in the list to starve. This was the case because 'pending_signal'
always took the first pending context in its context list.

We avoid this problem now by handling pending signals in a round-robin
fashion instead.

Ref #2532
2017-10-19 13:29:42 +02:00
Norman Feske
1d56c3d3aa base: remove non-critical quota messages
In nested scenarios like driver_manager.run, the initial session quota
for IO_PORT, IO_PORT, and IRQ sessions is expectedly insufficient.
However, the condition is properly handled by re-attemping the request
with a slightly increased quota. Still, core prints a warning each time
the request is denied for quota reasons, which spams the log. This patch
removes the non-critical message.
2017-10-05 17:39:57 +02:00
Alexander Boettcher
830f6934f9 base: add support to unconstrain virtual space
Issue #2507.
2017-08-30 09:59:57 +02:00
Josef Söntgen
404a82d5ee register_set: do not shift when ITEM_WIDTH is 64
Issue #2507.
2017-08-28 16:49:50 +02:00
Martin Stein
d9073a1848 timer/util: generic TIMER_MIN_TICKS_PER_MS
Ref #2400
2017-08-28 16:49:50 +02:00
Martin Stein
399e1586be timer: generic timer_ticks_to_us implementation
There are hardware timers whose frequency can't be expressed as
ticks-per-microsecond integer-value because only a ticks-per-millisecond
integer-value is precise enough. We don't want to use expensive
floating-point values here but nonetheless want to translate from ticks
to time with microseconds precision. Thus, we split the input in two and
translate both parts separately. This way, we can raise precision by
shifting the values to their optimal bit position. Afterwards, the results
are shifted back and merged together again.

As this algorithm is not so trivial anymore and used by at least three
timer drivers (base-hw/x86_64, base-hw/cortex_a9, timer/pit), move it to a
generic header to avoid redundancy.

Ref #2400
2017-08-28 16:49:49 +02:00
Stefan Kalkowski
3906568908 util: make bit array and allocator copyable
Ref #2091
2017-08-28 16:49:46 +02:00
Martin Stein
b2624be2ad allocator avl: exception if metadata assign fails
The Allocator_avl_tpl::metadata method (assigning variant) may fail
silently. Change this to make debugging easier.

Ref #2490
2017-08-28 16:49:36 +02:00
Alexander Boettcher
58e4f6cf9d core: add map method to pd_session interface
The method can be used to trigger the eager insertion of page frames into
page tables. Intention: to be used for memory used for DMA.

Issue #2209
2017-08-18 10:24:46 +02:00
Christian Prochaska
6a43f3c11a file system: use Id_space instead of Node_handle_registry
Fixes #2436
2017-08-17 10:59:43 +02:00
Christian Helmuth
4d11b7e5a8 sd_card: move defs from wand_quad to imx6 header 2017-06-29 11:59:57 +02:00
Sebastian Sumpf
c3cf7f3c3a riscv: ISA-1.9.1 and GCC-6.3.0 adaptions
Adds 1.9.1 support to base-hw

Note:
* the kernel timer is not working
* dynamic linking is currently not supported
2017-05-31 13:16:24 +02:00
Norman Feske
adb26b5216 API documentation refinements 2017-05-31 13:16:21 +02:00
Norman Feske
53253ba422 base: add reinit functionality to 'Env'
The 'reinit' and 'reinit_main_thread' methods are needed to implement
fork in Noux. Until now, they were provided by the 'Deprecated_env'
only.
2017-05-31 13:16:14 +02:00
Norman Feske
0167d5af50 Integrate core's RAM service into the PD service
Fixes #2407
2017-05-31 13:16:14 +02:00
Norman Feske
a1df4fee44 base: restructure signal-submit initialization
This patch allows core's 'Signal_transmitter' implementation to sidestep
the 'Env::Pd' interface and thereby adhere to a stricter layering within
core. The 'Signal_transmitter' now uses - on kernels that depend on it -
a dedicated (and fairly freestanding) RPC proxy mechanism for signal
deliver, instead of channeling signals through the 'Pd_session::submit'
RPC function.
2017-05-31 13:16:12 +02:00
Norman Feske
2c6729768d base: consider exception during child construction
This patch make sure that a once managed parent RPC object will always be
dissolved if an exception during the remaining child construction
occurs. The original version would miss the dissolve call if one of the
subsequent members throws an exception at construction time.
2017-05-31 13:16:10 +02:00
Norman Feske
433fc6a7f1 base: let 'Local_service' catch all exceptions
This patch eases the debugging of situations where a session-object
constructor wrongly throws an exception type not specified in the
'Local_service::Factory' interface.
2017-05-31 13:16:07 +02:00
Norman Feske
4d442bca30 Streamline exception types
This patch reduces the number of exception types by facilitating
globally defined exceptions for common usage patterns shared by most
services. In particular, RPC functions that demand a session-resource
upgrade not longer reflect this condition via a session-specific
exception but via the 'Out_of_ram' or 'Out_of_caps' types.

Furthermore, the 'Parent::Service_denied', 'Parent::Unavailable',
'Root::Invalid_args', 'Root::Unavailable', 'Service::Invalid_args',
'Service::Unavailable', and 'Local_service::Factory::Denied' types have
been replaced by the single 'Service_denied' exception type defined in
'session/session.h'.

This consolidation eases the error handling (there are fewer exceptions
to handle), alleviates the need to convert exceptions along the
session-creation call chain, and avoids possible aliasing problems
(catching the wrong type with the same name but living in a different
scope).
2017-05-31 13:16:07 +02:00
Norman Feske
1f4f119b1e Capability quota accounting and trading
This patch mirrors the accounting and trading scheme that Genode employs
for physical memory to the accounting of capability allocations.

Capability quotas must now be explicitly assigned to subsystems by
specifying a 'caps=<amount>' attribute to init's start nodes.
Analogously to RAM quotas, cap quotas can be traded between clients and
servers as part of the session protocol. The capability budget of each
component is maintained by the component's corresponding PD session at
core.

At the current stage, the accounting is applied to RPC capabilities,
signal-context capabilities, and dataspace capabilities. Capabilities
that are dynamically allocated via core's CPU and TRACE service are not
yet covered. Also, the capabilities allocated by resource multiplexers
outside of core (like nitpicker) must be accounted by the respective
servers, which is not covered yet.

If a component runs out of capabilities, core's PD service prints a
warning to the log. To observe the consumption of capabilities per
component in detail, the PD service is equipped with a diagnostic
mode, which can be enabled via the 'diag' attribute in the target
node of init's routing rules. E.g., the following route enables the
diagnostic mode for the PD session of the "timer" component:

  <default-route>
    <service name="PD" unscoped_label="timer">
      <parent diag="yes"/>
    </service>
    ...
  </default-route>

For subsystems based on a sub-init instance, init can be configured
to report the capability-quota information of its subsystems by
adding the attribute 'child_caps="yes"' to init's '<report>'
config node. Init's own capability quota can be reported by adding
the attribute 'init_caps="yes"'.

Fixes #2398
2017-05-31 13:16:06 +02:00
Norman Feske
e44f65f3b2 core: RAM service based on 'Session_object'
This patch reworks the implementation of core's RAM service to make use
of the 'Session_object' and to remove the distinction between the
"metadata" quota and the managed RAM quota. With the new implementation,
the session implicitly allocates its metadata from its own account. So
there is not need to handle 'Out_of_metadata' and 'Quota_exceeded' via
different exceptions. Instead, the new version solely uses the
'Out_of_ram' exception.

Furthermore, the 'Allocator::Out_of_memory' exception has become an alias
for 'Out_of_ram', which simplifies the error handling.

Issue #2398
2017-05-31 13:16:06 +02:00
Norman Feske
028e633af4 base: add 'Session_object' class
The 'Session_object' unifies several aspects of server-component
implementations:

* It keeps track of session quotas and is equipped with standardized
  interfaces (Quota_guard) to upgrade (and in the future potentially
  downgrade) session quotas in a uniform way.

* It follows the pattern of modern RPC objects / signal handlers that
  manage/dissolve themselves at the entrypoint given as constructor
  argument. Thereby, the relationship with its entrypoint is always
  coupled with the lifetime of the session-component object.

* It stores the session label, which was previously done manually by
  most but not all server-component implementations.

* It stores the session 'diag' flag.

* It is equipped with output methods 'diag', 'error', and 'warning'.
  All messages printed from the context of a session component is
  automatically prefixed with the session type and client label.
  Messages passed via 'diag' are only printed if the 'diag' flag of
  the session is set.

Issue #2398
2017-05-31 13:16:06 +02:00
Norman Feske
aea5d03691 base: add Child_policy::Route::Diag flag
The 'diag' flag can be defined by a target node of a route in init's
configuration. It is propagated as session argument to the server, which
may evaluate the flag to enable diagnostic output for the corresponding
session.

Issue #2398
2017-05-31 13:16:06 +02:00
Norman Feske
3670f7735d base: use 'Quota_transfer::Account' for 'Service'
This patch makes use of the new 'Quota_transfer::Account' by the service
types in base/service.h and uses 'Quota_transfer' objects in
base/child.cc and init/server.cc.

Furthermore, it decouples the notion of an 'Async_service' from
'Child_service'. Init's 'Routed_service' is no longer a 'Child_service'
but is based on the new 'Async_service' instead.

With this patch in place, quota transfers do no longer implicitly use
'Ram_session_client' objects. So transfers can in principle originate
from component-local 'Ram_session_component' objects, e.g., as used by
noux. Therefore, this patch removes a strumbling block for turning noux
into a single threaded component in the future.

Issue #2398
2017-05-31 13:16:06 +02:00
Norman Feske
f69937deb1 base: new base/quota_transfer.h helper
The 'Quota_transfer' helper facilitated the implementation of quota
transfers between components in a transactional manner. It is designated
for framework-internal use (replacing the 'Transfer' class in child.h).
However, since it is also useful for init, we make it publicly
available.

The 'Quota_transfer::Account' class serves as an interface representing
the donor or receiver of quotas (parent, service, client).

Issue #2398
2017-05-31 13:16:05 +02:00
Norman Feske
f02c8328db init: access Ram_session as const
This is now possible because the new 'used_ram' and 'ram_quota' RPC
functions are declared as const.

Issue #2398
2017-05-31 13:16:05 +02:00
Norman Feske
6609aafb05 Replace Quota_exceeded by Insufficient_ram_quota
This patch replaces the 'Parent::Quota_exceeded',
'Service::Quota_exceeded', and 'Root::Quota_exceeded' exceptions
by the single 'Insufficient_ram_quota' exception type.

Furthermore, the 'Parent' interface distinguished now between
'Out_of_ram' (the child's RAM is exhausted) from
'Insufficient_ram_quota' (the child's RAM donation does not suffice to
establish the session).

This eliminates ambiguities and removes the need to convert exception
types along the path of the session creation.

Issue #2398
2017-05-31 13:16:05 +02:00
Norman Feske
eea493a8ca base: safeguard entrypoint against double manage
This patch adds sanity checks to the RPC entrypoint that detect attempts
to manage or dissolve the same RPC object twice. This is not always a
bug. I.e., if RPC objects are implemented in the modern way where the
object manages/dissolves itself. As the generic framework code (in
particular root/component.h) cannot rely on this pattern, it has to
call manage/dissolve for session objects anyway. For modern session
objects, this double attempt would result in a serious error (double
insertion into the object pool's AVL tree).

Issue #2398
2017-05-31 13:16:05 +02:00
Norman Feske
843dd179d7 base: remove int return types from 'Ram_session'
This patch replaces the existing C-style error codes with C++
exceptions.

Fixes #895
2017-05-31 13:16:04 +02:00
Norman Feske
58f44d39c5 base: use 'Ram_quota' in 'Ram_session' args
This patch replaces the former use of size_t with the use of the
'Ram_quota' type to improve type safety (in particular to avoid
accidentally mixing up RAM quotas with cap quotas).

Issue #2398
2017-05-31 13:16:04 +02:00
Norman Feske
ff68d77c7d base: new 'Ram_allocator' interface
The 'Ram_allocator' interface contains the subset of the RAM session
interface that is needed to satisfy the needs of the 'Heap' and
'Sliced_heap'. Its small size makes it ideal for intercepting memory
allocations as done by the new 'Constrained_ram_allocator' wrapper
class, which is meant to replace the existing 'base/allocator_guard.h'
and 'os/ram_session_guard.h'.

Issue #2398
2017-05-31 13:16:04 +02:00
Norman Feske
5a468919bb base: new session-creation helper types
This patch augments the existing session/session.h with useful types for
the session creation:

* The new 'Insufficient_ram_quota' and 'Insufficient_cap_quota'
  exceptions are meant to supersede the old 'Quota_exceeded' exception
  of the 'Parent' and 'Root' interfaces.

* The 'Session::Resources' struct subsumes the information about the
  session quota provided by the client.

* The boolean 'Session::Diag' type will allow sessions to operate in a
  diagnostic mode.

* The existing 'Session_label' is not also available under the alias
  'Session::Label'.

* A few helper functions ease the extraction of typed session arguments
  from the session-argument string.

Issue #2398
2017-05-31 13:16:04 +02:00
Norman Feske
220890534a base: 'Quota_guard' utility for tracking quotas
* Introduces 'Cap_quota' and 'Ram_quota' types
* Introduces 'Out_of_caps' and 'Out_of_ram' exceptions

Issue #2398
2017-05-31 13:16:04 +02:00
Norman Feske
c1b981ede4 Annotate session interfaces with CAP_QUOTA
The new 'CAP_QUOTA' enum value denotes the capability quota to be
transferred from the client to the server at session-creation time.

Issue #2398
2017-05-31 13:16:04 +02:00
Norman Feske
5b1e3466be base: construct 'Tslab' with allocator reference
The new constructor avoids the use of a pointer.
2017-05-31 13:16:03 +02:00
Norman Feske
f5bdab4518 base: add Slab::avail_entries accessor
This accessor is useful to eagerly expand the slab with new slab blocks,
side stepping the slab's built-in policy for the allocation of new slab
blocks.

This is particularly important when using the slab for allocating the
cap space meta-data for the base-hw kernel. To guarantee that the slab
gets never exhausted in the kernel, it is expanded before entering the
kernel.
2017-05-31 13:16:03 +02:00
Stefan Kalkowski
6106e64aac base: remove include/spec/* other than ISA
This commit moves the headers residing in `repos/base/include/spec/*/drivers`
to `repos/base/include/drivers/defs` or repos/base/include/drivers/uart`
respectively. The first one contains definitions about board-specific MMIO
iand RAM addresses, or IRQ lines. While the latter contains device driver
code for UART devices. Those definitions are used by driver implementations
in `repos/base-hw`, `repos/os`, and `repos/dde-linux`, which now need to
include them more explicitely.

This work is a step in the direction of reducing 'SPEC' identifiers overall.

Ref #2403
2017-05-31 13:16:01 +02:00
Christian Helmuth
1d99e7ede9 base: classify signals as I/O and application level
Fixes #2363
2017-05-31 13:15:58 +02:00
Stefan Kalkowski
67ba7b89a7 hw: separate bootstrap and core strictly
* Introduce Hw namespace and library files under src/lib/hw
* Introduce Bootstrap namespace
* Move all initialization logic into Bootstrap namespace

Ref #2388
2017-05-31 13:15:52 +02:00
Christian Prochaska
742293ab87 Genode::Fifo_element: workaround for compiling with GCC 6
Issue #2383
2017-05-31 13:15:51 +02:00
Christian Prochaska
bf83c07923 Genode::retry(): fix compile error with GCC 6
Fixes #2376
2017-05-31 13:15:50 +02:00
Christian Prochaska
78a9cbf82d Trace::Logger: workaround for compiling with GCC 6
Issue #2375
2017-05-31 13:15:50 +02:00
Edgard Schmidt
e933c7b4d8 Cleanup Call_return encapsulation in call()
~emove the second Call_return encapsulation from the already
encapsulated return type of Capability::call.

Fixes #2180
2017-05-02 15:28:52 +02:00
Christian Helmuth
b35df4578b Check Registered base class provides virtual destructor
The base class of Registered must provide a virtual destructor to enable
safe deletion with just a base class pointer. This requirement can be
lifted by using Registered_no_delete in places where the deletion
property is not needed.

Fixes #2331
2017-03-24 16:20:04 +01:00
Christian Helmuth
cb43e04691 ldso: defer execution of static constructors
Ldso now does not automatically execute static constructors of the
binary and shared libraries the binary depends on. If static
construction is required (e.g., if a shared library with constructor is
used or a compilation unit contains global statics) the component needs
to execute the constructors explicitly in Component::construct() via
Genode::Env::exec_static_constructors().

In the case of libc components this is done by the libc startup code
(i.e., the Component::construct() implementation in the libc).

The loading of shared objects at runtime is not affected by this change
and constructors of those objects are executed immediately.

Fixes #2332
2017-03-24 16:20:04 +01:00
Norman Feske
d56374e4b9 base: handle 0 in Number_of_bytes::print
This patch avoids printing the number 0 as "0G".
2017-03-24 16:19:58 +01:00
Norman Feske
0202048eb6 base: gracefully handle invalid env session routes
This patch addresses the corner cases where an environment session
could not be routed, i.e., if an environment LOG log session is
routed to a non-existing child.
2017-03-24 16:19:56 +01:00
Norman Feske
48174ab974 base: pass separate label to Local_connection
This patch extends the constructor of 'Local_connection' with an
optional 'label' argument, which was previously passed implicitly as
part of the 'args' argument. Keeping the label separate from 'args'
enables us to distinguish the client-specified label from a label that
resulted from a server-side label as it is used when rewriting a label
of an environment session (i.e., the binary name) in init's routing
policy. In principle, this patch eliminates the need for init's
explicite handling of the binary name via the '<binary>' node, or
at least allows us to simplity the binary-node handling.
2017-03-24 16:19:55 +01:00
Alexander Boettcher
391339a4bb base: handle race in Genode::Registry class
The race may happen when element objects get destructed by another thread then
the thread handling the for_each loop. In this case it may happen that the
object is already destructed (left the ~Element destructor) but the thread
handling the loop touches the invalid memory afterwards (the Element lock).

detected during issue #2299

Fixes #2320
2017-03-15 12:32:28 +01:00
Martin Stein
0bb752674f panda: fix timer speed
Previously we had configured the timer for the Panda ES with 700 MHz
CPU clock. But the Panda A6 that we use as reference now runs with
800 MHz.

Fixes #2308
2017-03-15 12:32:24 +01:00
Martin Stein
e744c76bf2 mmio: make base address member private
Ref #2196
2017-03-15 12:32:24 +01:00
Martin Stein
ecbb7534b9 register set: make noncopyable
If a register set gets copied, the '_plain_access' of the copy references
the plain access object of the original object.

Ref #2196
2017-03-15 12:32:23 +01:00
Martin Stein
442c24420d mmio: separate MMIO access and register logic
By separating the plain MMIO access implementation from the generic bit
and offset logic of registers, we can now use the latter also with other
types of register access like I2C. The register and MMIO front-ends have
not changed due to the separation.

Ref #2196
2017-03-15 12:24:42 +01:00
Martin Stein
daaddbd584 base*, os: get rid of all env() calls
Issue #1987
2017-02-28 13:00:42 +01:00
Martin Stein
56cafb3b57 hw: fix race in signal dispatching
There was a race when the component entrypoint wanted to do
'wait_and_dispatch_one_signal'. In this function it raises a flag for
the signal proxy thread to notice that the entrypoint also wants to
block for signals. When the flag is set and the signal proxy wakes up
with a new signal, it tried to cancel the blocking of the entrypoint.
However, if the entrypoint had not reached the signal blocking at this
point, the cancel blocking failed without a solution. Now, the new
Kernel::cancel_next_signal_blocking call solves the problem by storing a
request to cancel the next signal blocking of a thread immediately
without blocking itself.

Ref #2284
2017-02-28 13:00:41 +01:00
Norman Feske
29b8d609c9 Adjust file headers to refer to the AGPLv3 2017-02-28 12:59:29 +01:00
Norman Feske
fcb861689a base: support for re-validating session routes
This patch supplements 'Session_state' with the methods needed to test
the validity of a session with a changed routing policy.
2017-02-28 12:59:26 +01:00
Sebastian Sumpf
553a4222f4 base: entrypoint dissolve signal proxy
If not dissolved in ~Entrypoint, the signal proxy is found within NOVA's
and FOC's object pool upon Rpc_entrypoint destruction. This leads to a
deadlock because the signal proxy is destructed before the RPC EP.

issue #2284
2017-02-28 12:59:24 +01:00
Norman Feske
dfc4c58782 root/component.h: POLICY::release on exception
This patch ensures that the POLICY::release is called whenever the
session creation aborted with an exception. In the original version, an
exception like 'Quota_exceeded' caused a single-session root interface
to deny subsequent session requests.
2017-02-28 12:59:24 +01:00