By first removing unused ranges, implicitly meta data allocations are freed
up. This leads to more unused slab blocks and freed up meta data allocations
in the avl tree.
Issue #4014
The code in base-hw/src/bootstrap/platform.cc uses segment flags for
identification purposes. Based on this information the code decides
what to do with each segment. Unfortunately the linker script does
not actually ensure the flags for a specific named segment match
expectations. The code relies on implicit linker behaviour.
This implicit behaviour can vary between linkers. This breaks
arm_v7a base-hw builds linked with LLVM's lld linker. The segment
named "ro" ends up having writeable flag set when using LLD.
This patch ensures that all ELF segments in genode.ld have their
required perimssion flags set explicitly.
Fixes#3988
* Remove SPEC declarations from mk/spec
* Remove all board-specific REQUIRE declaratiions left
* Replace [have_spec <board>] run-script declarations with have_board where necessary
* Remove addition of BOARD variable to SPECS in toplevel Makefile
* Move board-specific directories in base-hw out of specs
This commit restores the diag feature for selecting diagnostic output of
services provided by core. This feature became unavailable with commit
"base: remove dependency from deprecated APIs", which hard-wired the
diag flag for core services to false.
To control this feature, three possible policies can be expressed in a
routing target of init's configuration:
* Forcing silence by specifying 'diag="no"'
* Enabling diagnostics by specifying 'diag="yes"'
* Forwarding the preference of the client by omitting the 'diag'
attribute
Fixes#3962
Clang correctly asserts this private member variable is not used
anywhere in the code. I'm not sure what the intention of the code is,
might be this is a part of some unfinished feature. This patch just does
the minimum amount of work to allow the code to build with clang. If
required I can also drop the parent_levels constructor argument and
clean up the call sites.
Issue #3950
The control area is constructed during session creation and the caller can
handle the Out_of_* exception by increasing the quota by the next attempt.
Fixes#3917
This path fixes a void cast used to silence unused return value warning.
Its a common pattern to use void cast to do that. The code uses void *
cast instead. It works for GCC, but clang complains about this.
Issue #3938
Clang is rather picky about this and prints the following warning when
compiling new_delete.cc:
error: function previously declared with an explicit exception
specification redeclared with an implicit exception specification
[-Werror,-Wimplicit-exception-spec-mismatch]
Issue #3938
This was discovered when building the code with clang instead of GCC. In
this setup the run/ping on base-hw/arm_v8a/virt_qemu would crash
on shutdown due to uncaught Deref_unconstructed_object exception thrown
for Genode::Reconstructible<Genode::Account<Genode::Ram_quota>>. The
specific instance throwing this exception was
Pd_session_component::_ram_account. My investigation exposed the
following problem:
1. The Pd_session_component has a _sliced_heap member backed by
_constrained_ram_alloc which in turn uses Pd_session_component itself
as its Ram_allocator.
2. When ~Pd_session_component is called it first destroys _ram_account,
followed by _signal_broker.
3. The signal broker holds a reference to
Pd_session_component::_sliced_heap as Signal_broker::_md_alloc.
4. The base-hw implementation of ~Signal_broker destroys some contexts
and does this by calling Genode::destroy on some slabs using the
_md_alloc (ref to Pd_session_component::_sliced_heap).
5. The Genode::Slab calls the Ram_allocator::free which ends up calling
Pd_session_component::free.
6. The Pd_session_component::free can among other things call replenish
method on Pd_session_component::_ram_account which has already been
freed at this point.
From my POV calling replenish at this point is basically an undefined
behavior. The Genode::Constructible holding the Genode::Account was
already detroyed at this point. GCC builds happen to somehow manage to
go through the -> operator call without raising any alarms, while clang
builds trip on the _check_constructed() call.
This fix moves the _ram_account a bit higher in class declaration to
ensure its destroyed after _sliced_heap. This seems like the simpliest
solution for this problem.
Fixes#3941
At least on some PIT-based platforms (x86_32 + pistachio/okl4/sel4), we run
into trouble with the reworked timeout framework that now proccesses all
pending timeouts before calling their handlers. This order change leads to a
higher rate of handling of short periodic timeouts in the timer driver which
can cause lower prioritized components to starve. Especially, if submitting
signals (from timer to client) isn't cheap (as is the case on qemu + pistachio
for example).
Issue #3884
* get rid of alarm abstraction
* get rid of Timeout::Time type
* get rid of pointer arguments
* get rid of _discard_timeout indirection
* get rid of 65th bit in stored time values
* get rid of Timeout_scheduler interface
* get rid of uninitialized deadlines
* get rid of default arguments
* get rid of Timeout::_periodic
* get rid of Timeout::Raw
* use list abstraction
* only one interface for timeout handlers
* rework locking scheme to be smp safe
* move all method definitions to CC file
* name mutexes more accurate
* fix when & how to set time-source timeout
* fix deadlocks
Fixes#3884
The quota for the argument buffer is already accounted by using the
Attached_ram_dataspace _argument_buffer, which uses the Constraint_ram_allocator
_ram, which uses the Ram_quota_guard from the Session_object. Running on
Sculpt with more than 1000 Subject_info objects/trace IDs the memory
waste become noticeable.
Introduce the managing_system privilege for components like the
platform_driver to allow it to call system management functionality
that is reserved by kernel or special firmware, e.g., ARM Trusted Firmware.
The former RAM resource configuration attribute `constrain_phys`,
which enabled to constrain the region of physical RAM to be used,
gets replaced by the new, broader managing_system configuration
attribute of a `start` node. It gets enforced by the sandbox library.
Ref #3816
This patch untangles the interplay of the base library and the libc
during the exit handling.
- The CXA ABI for the atexit handling is now provided by the libc.
For plain Genode components without libc dependency, __cxa_atexit
is a no-op, which is consistent with Genode's notion of components.
- The 'abort' implementation of the base library no longer calls
'genode_exit' but merely 'sleep_forever'. This way, the cxx library
no longer depends on a 'genode_exit' implementation.
- The libc provides 'atexit' support by storing metadata on the
libc kernel's heap now, thereby eliminating the former bounded
maximum number of atexit handlers.
- Shared-library dtors are no longer called via the atexit mechanism
by explicitly by the dynamic linker. This slightly changes the
call order of destructors (adjustment of the ldso test). Functions
marked as destructors are called after the atexit handlers now.
- The libc executes atexit handlers in the application context,
which supports the I/O operations in those handles, in particular
the closing of file descriptors.
Fixes#3851
This remove the call to Io_progress_handler::handle_io_progress() from
wait_and_dispatch_one_io_signal() to prevent unexpected nesting
I/O-progress handling in case of custom dispatch loops (e.g., in libc).
The original intention of Io_progress_handler was to inform the
entrypoint just before blocking in the entrypoint loop.
Issue #2635
- base/cancelable_lock.h becomes base/lock.h
- all members become private within base/lock.h
- solely Mutex and Blockade are friends to use base/lock.h
Fixes#3819
_timestamp() returns CPU local values which may not be in sync with _ts
taken from another CPU. Be robust and don't produce wraparound/negative
timeout values.
Issue #3657
- Since Genode::strncpy is not 100% compatible with the POSIX
strncpy function, better use a distinct name.
- Remove bogus return value from the function, easing the potential
enforcement of mandatory return-value checks later.
Fixes#3752
The former ldso-startup static library (now called ldso_so_support) is
used to spice each shared object/library with local support code for the
dynamic linker (execution of static constructors and ARM-EABI).
Therefore, the library must be statically linked to each dynamic
library.
As a result recipes for dynamic libraries must always depend on the "so"
API, which makes ldso_so_support.mk and so_support.c available
independent of "base". Additionally, ldso_so_support is also provided in
the libc API to cut the dependency early for libc/posix libraries.
Issue #3720
This patch fixes the handling of the corner case where the allocation of
a trace buffer throws 'Out_of_caps' or 'Out_of_ram'. Under this
circumstance, the '_buffer' would still be flagged with the 'size',
which prevented any subsequent allocation attempt. This patch fixes the
problem by initializing the 'size' after the potentially throwing
allocation.
The problem triggered with the test-trace_logger after the accounting of
core's TRACE service (replacing the 'Allocator_guard' by
'Constrained_ram_allocator') became more accurate.
Related to issue #3750
The 'WHITESPACE' case of the _calc_len method wrongly accessed the
character before checking upper bound of the token. The problem is fixed
by switching the order of both conditions.
Fixes#3756
This patch removes old 'Allocator_guard' utility and replaces its use
with the modern 'Constrained_ram_allocator'.
The adjustment of core in this respect has the side effect of a more
accurate capability accounting in core's CPU, TRACE, and RM services.
In particular, the dataspace capabilities needed for core-internal
allocations via the 'Sliced_heap' are accounted to the client now.
The same goes for nitpicker and nic_dump as other former users of the
allocator guard. Hence, the patch also touches code at the client and
server sides related to these services.
The only remaining user of the 'Allocator_guard' is the Intel GPU
driver. As the adaptation of this component would be too invasive
without testing, this patch leaves this component unchanged by keeping a
copy of the 'allocator_guard.h' locally at the component.
Fixes#3750
