Commit Graph

416 Commits

Author SHA1 Message Date
Martin Stein
c70fed29f7 os/timer: interpolate time via timestamps
Previously, the Genode::Timer::curr_time always used the
Timer_session::elapsed_ms RPC as back end.  Now, Genode::Timer reads
this remote time only in a periodic fashion independently from the calls
to Genode::Timer::curr_time. If now one calls Genode::Timer::curr_time,
the function takes the last read remote time value and adapts it using
the timestamp difference since the remote-time read. The conversion
factor from timestamps to time is estimated on every remote-time read
using the last read remote-time value and the timestamp difference since
the last remote time read.

This commit also re-works the timeout test. The test now has two stages.
In the first stage, it tests fast polling of the
Genode::Timer::curr_time. This stage checks the error between locally
interpolated and timer-driver time as well as wether the locally
interpolated time is monotone and sufficiently homogeneous. In the
second stage several periodic and one-shot timeouts are scheduled at
once. This stage checks if the timeouts trigger sufficiently precise.

This commit adds the new Kernel::time syscall to base-hw. The syscall is
solely used by the Genode::Timer on base-hw as substitute for the
timestamp. This is because on ARM, the timestamp function uses the ARM
performance counter that stops counting when the WFI (wait for
interrupt) instruction is active. This instruction, however is used by
the base-hw idle contexts that get active when no user thread needs to
be scheduled.  Thus, the ARM performance counter is not a good choice for
time interpolation and we use the kernel internal time instead.

With this commit, the timeout library becomes a basic library. That means
that it is linked against the LDSO which then provides it to the program it
serves. Furthermore, you can't use the timeout library anymore without the
LDSO because through the kernel-dependent LDSO make-files we can achieve a
kernel-dependent timeout implementation.

This commit introduces a structured Duration type that shall successively
replace the use of Microseconds, Milliseconds, and integer types for duration
values.

Open issues:

* The timeout test fails on Raspberry PI because of precision errors in the
  first stage. However, this does not render the framework unusable in general
  on the RPI but merely is an issue when speaking of microseconds precision.

* If we run on ARM with another Kernel than HW the timestamp speed may
  continuously vary from almost 0 up to CPU speed. The Timer, however,
  only uses interpolation if the timestamp speed remained stable (12.5%
  tolerance) for at least 3 observation periods. Currently, one period is
  100ms, so its 300ms. As long as this is not the case,
  Timer_session::elapsed_ms is called instead.

  Anyway, it might happen that the CPU load was stable for some time so
  interpolation becomes active and now the timestamp speed drops. In the
  worst case, we would now have 100ms of slowed down time. The bad thing
  about it would be, that this also affects the timeout of the period.
  Thus, it might "freeze" the local time for more than 100ms.

  On the other hand, if the timestamp speed suddenly raises after some
  stable time, interpolated time can get too fast. This would shorten the
  period but nonetheless may result in drifting away into the far future.
  Now we would have the problem that we can't deliver the real time
  anymore until it has caught up because the output of Timer::curr_time
  shall be monotone. So, effectively local time might "freeze" again for
  more than 100ms.

  It would be a solution to not use the Trace::timestamp on ARM w/o HW but
  a function whose return value causes the Timer to never use
  interpolation because of its stability policy.

Fixes #2400
2017-05-31 13:16:11 +02:00
Norman Feske
4d442bca30 Streamline exception types
This patch reduces the number of exception types by facilitating
globally defined exceptions for common usage patterns shared by most
services. In particular, RPC functions that demand a session-resource
upgrade not longer reflect this condition via a session-specific
exception but via the 'Out_of_ram' or 'Out_of_caps' types.

Furthermore, the 'Parent::Service_denied', 'Parent::Unavailable',
'Root::Invalid_args', 'Root::Unavailable', 'Service::Invalid_args',
'Service::Unavailable', and 'Local_service::Factory::Denied' types have
been replaced by the single 'Service_denied' exception type defined in
'session/session.h'.

This consolidation eases the error handling (there are fewer exceptions
to handle), alleviates the need to convert exceptions along the
session-creation call chain, and avoids possible aliasing problems
(catching the wrong type with the same name but living in a different
scope).
2017-05-31 13:16:07 +02:00
Norman Feske
1f4f119b1e Capability quota accounting and trading
This patch mirrors the accounting and trading scheme that Genode employs
for physical memory to the accounting of capability allocations.

Capability quotas must now be explicitly assigned to subsystems by
specifying a 'caps=<amount>' attribute to init's start nodes.
Analogously to RAM quotas, cap quotas can be traded between clients and
servers as part of the session protocol. The capability budget of each
component is maintained by the component's corresponding PD session at
core.

At the current stage, the accounting is applied to RPC capabilities,
signal-context capabilities, and dataspace capabilities. Capabilities
that are dynamically allocated via core's CPU and TRACE service are not
yet covered. Also, the capabilities allocated by resource multiplexers
outside of core (like nitpicker) must be accounted by the respective
servers, which is not covered yet.

If a component runs out of capabilities, core's PD service prints a
warning to the log. To observe the consumption of capabilities per
component in detail, the PD service is equipped with a diagnostic
mode, which can be enabled via the 'diag' attribute in the target
node of init's routing rules. E.g., the following route enables the
diagnostic mode for the PD session of the "timer" component:

  <default-route>
    <service name="PD" unscoped_label="timer">
      <parent diag="yes"/>
    </service>
    ...
  </default-route>

For subsystems based on a sub-init instance, init can be configured
to report the capability-quota information of its subsystems by
adding the attribute 'child_caps="yes"' to init's '<report>'
config node. Init's own capability quota can be reported by adding
the attribute 'init_caps="yes"'.

Fixes #2398
2017-05-31 13:16:06 +02:00
Norman Feske
773e08976d Assign cap quotas in run scripts and recipes
Issue #2398
2017-05-31 13:16:06 +02:00
Norman Feske
e44f65f3b2 core: RAM service based on 'Session_object'
This patch reworks the implementation of core's RAM service to make use
of the 'Session_object' and to remove the distinction between the
"metadata" quota and the managed RAM quota. With the new implementation,
the session implicitly allocates its metadata from its own account. So
there is not need to handle 'Out_of_metadata' and 'Quota_exceeded' via
different exceptions. Instead, the new version solely uses the
'Out_of_ram' exception.

Furthermore, the 'Allocator::Out_of_memory' exception has become an alias
for 'Out_of_ram', which simplifies the error handling.

Issue #2398
2017-05-31 13:16:06 +02:00
Norman Feske
eea493a8ca base: safeguard entrypoint against double manage
This patch adds sanity checks to the RPC entrypoint that detect attempts
to manage or dissolve the same RPC object twice. This is not always a
bug. I.e., if RPC objects are implemented in the modern way where the
object manages/dissolves itself. As the generic framework code (in
particular root/component.h) cannot rely on this pattern, it has to
call manage/dissolve for session objects anyway. For modern session
objects, this double attempt would result in a serious error (double
insertion into the object pool's AVL tree).

Issue #2398
2017-05-31 13:16:05 +02:00
Norman Feske
c1b981ede4 Annotate session interfaces with CAP_QUOTA
The new 'CAP_QUOTA' enum value denotes the capability quota to be
transferred from the client to the server at session-creation time.

Issue #2398
2017-05-31 13:16:04 +02:00
Norman Feske
bc82cce72b core: add Platform::max_caps()
This method returns the kernel-specific system-global limit of the total
number of capabilities.

Issue #2398
2017-05-31 13:16:03 +02:00
Stefan Kalkowski
6106e64aac base: remove include/spec/* other than ISA
This commit moves the headers residing in `repos/base/include/spec/*/drivers`
to `repos/base/include/drivers/defs` or repos/base/include/drivers/uart`
respectively. The first one contains definitions about board-specific MMIO
iand RAM addresses, or IRQ lines. While the latter contains device driver
code for UART devices. Those definitions are used by driver implementations
in `repos/base-hw`, `repos/os`, and `repos/dde-linux`, which now need to
include them more explicitely.

This work is a step in the direction of reducing 'SPEC' identifiers overall.

Ref #2403
2017-05-31 13:16:01 +02:00
Norman Feske
b58fbe5ba5 Depot-archive recipes
Issue #2339
2017-05-31 13:15:56 +02:00
Alexander Boettcher
6513d0ce0f nova: build fixes with GCC 6 of kernel
Fixes #2379
Fixes #2380
2017-05-31 13:15:53 +02:00
Alexander Boettcher
7005e54de2 nova: fix syscall bindings with GCC 6
Fixes #2377
2017-05-31 13:15:52 +02:00
Christian Prochaska
f90a4a85e0 base-nova: workaround for compiling with GCC 6
Issue #2378
2017-05-31 13:15:50 +02:00
Norman Feske
8c4a2a48ca core: install core-<kernel>.o at bin/
By installing the core object to bin/, we follow the same convention as
for regular binaries. This, in turn, enables us to ship core in a
regular binary archive. The patch also adjusts the run tool to pick up
the core object from bin/ for the final linking stage.
2017-05-02 15:29:02 +02:00
Alexander Boettcher
637a54aeb5 nova: fix irq handling for qemu 2.7 and newer
Fixes #2336
2017-03-15 12:33:49 +01:00
Christian Prochaska
ca2871e2e4 nova: use 'Native_cpu' component for thread initialization
Pass the thread type and exception base to core with a 'Native_cpu'
component instead of enhancing the 'Thread_state' class.

Fixes #2298
2017-03-15 12:24:42 +01:00
Norman Feske
29b8d609c9 Adjust file headers to refer to the AGPLv3 2017-02-28 12:59:29 +01:00
Stefan Kalkowski
786a81c846 core: unify log() initialization between kernels
* initialize the log environment implicitly for core
* removing the redundant lock
* unify between base-hw and all others

Ref #2092
2017-02-07 19:20:29 +01:00
Alexander Boettcher
d5d4befab3 nova: avoid !zero assertion in kernel
Fixes #2266
2017-02-07 11:12:25 +01:00
Norman Feske
cd3a5852d6 Warn about the use of deprecated headers
This commit enables compile-time warnings displayed whenever a deprecated
API header is included, and adjusts the existing #include directives
accordingly.

Issue #1987
2017-01-31 12:01:18 +01:00
Norman Feske
a7f40b24ca Warn about the use of deprecated env() function
This patch enables warnings if one of the deprecate functions that rely
in the implicit use of the global Genode::env() accessor are called.

For the time being, some places within the base framework continue
to rely on the global function while omitting the warning by calling
'env_deprecated' instead of 'env'.

Issue #1987
2017-01-13 13:07:13 +01:00
Norman Feske
3d7b92ea50 Generalize ABI mechanism to shared objects
This patch make the ABI mechanism available to shared libraries other
than Genode's dynamic linker. It thereby allows us to introduce
intermediate ABIs at the granularity of shared libraries. This is useful
for slow-moving ABIs such as the libc's interface but it will also
become handy for the package management.

To implement the feature, the build system had to be streamlined a bit.
In particular, archive dependencies and shared-lib dependencies are now
handled separately, and the global list of 'SHARED_LIBS' is no more.
Now, the variable with the same name holds the per-target list of shared
libraries used by the target.
2017-01-13 13:06:54 +01:00
Alexander Boettcher
604a8860de nova: avoid assertion during cross-cpu IPC
Fixes #2198
2017-01-13 13:05:46 +01:00
Norman Feske
253097314c Add unified build directories to create_builddir
This patch makes the benefit of the recently introduced unified Genode
ABI available to developers by enabling the use of multiple kernels from
within a single build directory. The create_builddir tool has gained a
new set of kernel-agnostic platform arguments such as x86_32, or panda.
Most build targets within directories are in principle compatible with
all kernels that support the selected hardware platform. To execute a
scenario via the run tool, one has to select the kernel to use by
setting the 'KERNEL' argument in the build configuration
(etc/build.conf). Alternatively, the 'KERNEL' can be specified as
command-line argument of the Genode build system, e.g.:

  make run/log KERNEL=nova

This allows us to easily switch from one kernel to another without
rebuilding any Genode component except for the very few kernel-specific
ones.

The new version of the 'create_builddir' tool is still compatible with
the old version. The old kernel-specific build directories can still be
created. However, those variants will eventually be removed.

Note that the commit removes the 'ports-foc' repository from the
generated 'build.conf' files. As this is only meaningful for 'foc',
I did not want to include it in the list of regular repositories (as
visible in a 'x86_32' build directory). Hence, the repository must
now be manually added in order to use L4Linux.

Issue #2190
2017-01-13 13:05:44 +01:00
Norman Feske
c450ddcb3d Disambiguate kernel-specific file names
This patch removes possible ambiguities with respect to the naming of
kernel-dependent binaries and libraries. It also removes the use of
kernel-specific global side effects from the build system. The reach of
kernel-specific peculiarities has thereby become limited to the actual
users of the respective 'syscall-<kernel>' libraries.

Kernel-specific build artifacts are no longer generated at magic places
within the build directory (like okl4's includes, or the L4 build
directories of L4/Fiasco and Fiasco.OC, or the build directories of
various kernels). Instead, such artifacts have been largely moved to the
libcache. E.g., the former '<build-dir>/l4/' build directory for the L4
build system resides at '<build-dir>/var/libcache/syscall-foc/build/'.
This way, the location is unique to the kernel. Note that various tools
are still generated somewhat arbitrarily under '<build-dir>/tool/' as
there is no proper formalism for building host tools yet.

As the result of this work, it has become possible to use a joint Genode
build directory that is usable with all kernels of a given hardware
platform. E.g., on x86_32, one can now seamlessly switch between linux,
nova, sel4, okl4, fiasco, foc, and pistachio without rebuilding any
components except for core, the kernel, the dynamic linker, and the timer
driver. At the current stage, such a build directory must still be
created manually. A change of the 'create_builddir' tool will follow to
make this feature easily available.

This patch also simplifies various 'run/boot_dir' plugins by removing
the option for an externally hosted kernel. This option remained unused
for many years now.

Issue #2190
2016-12-23 16:51:32 +01:00
Norman Feske
f54c85e045 Genode application binary interface (ABI)
This patch decouples the kernel-specific implementation of the dynamic
linker from its kernel-agnostic binary interface. The name of the
kernel-specific dynamic linker binary now corresponds to the kernel,
e.g., 'ld-linux.lib.so' or 'ld-nova.lib.so'. Applications are no longer
linked directly against a concrete instance of the dynamic linker but
against a shallow stub called 'ld.lib.so'. This stub contains nothing
but the symbols provided by the dynamic linker. It thereby represents
the Genode ABI.

At system-integration time, the kernel-specific run/boot_dir back ends
integrate the matching the kernel-specific variant of the dynamic linker
as 'ld.lib.so' into the boot image.

The ABI symbol file for the dynamic linker is located at
'base/lib/symbols/ld'. It contains the joint ABI of all supported
architectures. The new utility 'tool/abi_symbols' eases the creation of
such an ABI symbol file for a given shared library. Its result should be
manually inspected and edited as needed.

The patch removes the 'syscall' library from 'base_libs.mk' to avoid
polluting the kernel-agnostic ABI with kernel-specific interfaces.

Issue #2190
Issue #2195
2016-12-23 16:50:28 +01:00
Alexander Boettcher
f613cd2aa9 nova: remove native_cpu interface
Issue #2173
2016-12-14 11:22:29 +01:00
Alexander Boettcher
e93ef168a1 nova: use async. map for thread/pd bootstrap
Fixes #2173
2016-12-14 11:22:29 +01:00
Alexander Boettcher
10ba9c8f20 nova: fix kernel assertion during revoke
Fixes #2191
2016-12-14 11:22:28 +01:00
Norman Feske
ccffbb0dfc Build dynamically linked executables by default
Fixes #2184
2016-12-14 11:22:27 +01:00
Christian Helmuth
53271d8c5f Use default component stack size where appropriate 2016-11-30 13:38:06 +01:00
Alexander Boettcher
d3d4381128 nova: support to run VBox vCPUs within same PD
Issue #2173
2016-11-30 13:38:06 +01:00
Alexander Boettcher
c732aef227 nova: handle oom during assign_pci 2016-11-30 13:38:05 +01:00
Edgard Schmidt
f97e0f3fa0 Allow RPC arguments w/o default constructor
Fixes #2150
2016-11-30 13:38:03 +01:00
Norman Feske
8bafb9d41b Adapt low-level components to new parent interface
This patch adjusts the components of the os repository as well as device
drivers to the new parent interface.

Issue #2120
2016-11-25 16:06:42 +01:00
Norman Feske
cfdbccc5c2 Remove blocking calls from root and parent RPCs
This is a redesign of the root and parent interfaces to eliminate
blocking RPC calls.

- New session representation at the parent (base/session_state.h)
- base-internal root proxy mechanism as migration path
- Redesign of base/service.h
- Removes ancient 'Connection::KEEP_OPEN' feature
- Interface change of 'Child', 'Child_policy', 'Slave', 'Slave_policy'
- New 'Slave::Connection'
- Changed child-construction procedure to be compatible with the
  non-blocking parent interface and to be easier to use
- The child's initial LOG session, its binary ROM session, and the
  linker ROM session have become part of the child's envirenment.
- Session upgrading must now be performed via 'env.upgrade' instead
  of performing a sole RPC call the parent. To make RAM upgrades
  easier, the 'Connection' provides a new 'upgrade_ram' method.

Issue #2120
2016-11-25 16:06:42 +01:00
Alexander Boettcher
57949c2bbb nova: support asynchronous delegate
Issue #2173
2016-11-25 15:30:57 +01:00
Alexander Boettcher
a085b4f536 nova: remap kernel cpu ids to genode cpu ids
to have a predictable order. First all CPU ids with hyper-thread id 0 are taken,
next the hyper-threads with 1 of all cores and so on.

Fixes #2163
2016-11-25 14:06:14 +01:00
Alexander Boettcher
8f4fbce2d6 nova: remove unused debug utility
Issue #2163
2016-11-09 17:14:53 +01:00
Stefan Kalkowski
f60cf697d2 core: simplify Rom_module and Rom_fs
* replace print_fs with Output::print equivalent
* use Avl_tree::for_each instead of own implementation
* extend constness

Ref #2159
2016-11-08 15:45:21 +01:00
Stefan Kalkowski
e1ec39e476 base: replace dump utilities in Allocator_avl
Replace 'dump()' debug utilities within Allocator_avl with Output::print
equivalents, and use the new Avl_tree::for_each utility to simplify
the implementation.

Ref #2159
2016-11-08 15:44:55 +01:00
Alexander Boettcher
94fd5ad3b0 nova: make kernel memory configurable
via the Genode build system. Avoids the need to maintain contrib patches on
nova.

Fixes #2162
2016-11-08 15:26:34 +01:00
Alexander Boettcher
74c0b22066 nova: fix sc kernel assertions
Fixes #2161
2016-11-08 15:26:33 +01:00
Stefan Kalkowski
7e1692d997 core: unify handling of boot modules
Instead of solving the problem to deliver ROM modules to core while booting
differently for the several kernels (multi-boot, elfweaver, core re-linking),
this commit unifies the approaches. It always builds core as a library, and
after all binaries are built from a run-script, the run-tool will link an
ELF image out of the core-library and all boot modules. Thereby, core can
access its ROM modules directly.

This approach now works for all kernels except Linux.

With this solution, there is no [build_dir]/bin/core binary available anymore.
For debugging purposes you will find a core binary without boot modules, but
with debug symbols under [run_dir].core.

Fix #2095
2016-11-08 15:26:27 +01:00
Stefan Kalkowski
2a2e5c2df4 base-*: remove usage of printf
base generic code:
  * Remove unused verbosity code from mmio framework
  * Remove escape sequence end heuristic from LOG
  * replace Core_console with Core_log (no format specifiers)
  * move test/printf to test/log
  * remove `printf()` tests from the log test
  * check for exact match of the log test output
base-fiasco:
  * remove unused Fiasco::print_l4_threadid function
base-nova:
  * remove unused hexdump utility from core
base-hw:
  * remove unused Kernel::Thread::_print_* debug utilities
  * always print resource summary of core during startup
  * remove Kernel::Ipc_node::pd_label (not used anymore)
base*:
  * Turn `printf`,`PWRN`, etc. calls into their log equivalents

Ref #1987
Fix #2119
2016-10-21 12:39:36 +02:00
Alexander Boettcher
4b148d896a nova: fix oom handling in kernel
Fixes #2126
2016-10-21 12:39:35 +02:00
Stefan Kalkowski
3f6e148621 base: remove obsolete _prog_img_data symbol
Fix #2099
2016-10-21 12:39:31 +02:00
Alexander Boettcher
3bd361dfa5 nova: setup exception portals correctly
Fixes #2111
2016-10-21 12:39:30 +02:00
Alexander Boettcher
4d7d4dd2fc nova: fix capability issues in PCID/SMP setups
Kernel fails to lookup a capability it just got delegated, if
the backing store for the destination capability was before backed by a
zero-page. Triggers if PCID (64bit) is in use or in SMP setups.

Fixes #2101
2016-09-30 14:15:22 +02:00
Alexander Boettcher
86e690b7f3 nova: avoid kernel assertion in mdb code
Fixes #2100
2016-09-15 07:17:07 +02:00
Alexander Boettcher
66e9ca12b5 nova: platform test to stress SMP revoke/delegate
Issue #2100
2016-09-15 07:17:05 +02:00
Stefan Kalkowski
4be8c2daa4 build: remove STARTUP_LIB variable (fix #2098) 2016-09-14 12:21:46 +02:00
Alexander Boettcher
e822a36c4e nova: transform platform test to component
and avoid use of deprecated interfaces

Issue #2086
2016-09-14 11:53:04 +02:00
Stefan Kalkowski
2147c42ec6 base: unify page-fault notification for kernels
* Enable page-fault messages for regions not directly managed by core
* Unify output given when a page-fault occurs related to those regions

Fix #2082
2016-09-09 11:49:34 +02:00
Alexander Boettcher
e53ba5ee3e nova: avoid SC kernel warnings in core
Fixes #2073
2016-08-29 17:29:36 +02:00
Alexander Boettcher
fdf41cd08c nova: set max memory mapping supported by nova ABI
Related #2063
2016-08-29 17:29:32 +02:00
Norman Feske
17c79a9e23 base: avoid use of deprecated base/printf.h
Besides adapting the components to the use of base/log.h, the patch
cleans up a few base headers, i.e., it removes unused includes from
root/component.h, specifically base/heap.h and
ram_session/ram_session.h. Hence, components that relied on the implicit
inclusion of those headers have to manually include those headers now.

While adjusting the log messages, I repeatedly stumbled over the problem
that printing char * arguments is ambiguous. It is unclear whether to
print the argument as pointer or null-terminated string. To overcome
this problem, the patch introduces a new type 'Cstring' that allows the
caller to express that the argument should be handled as null-terminated
string. As a nice side effect, with this type in place, the optional len
argument of the 'String' class could be removed. Instead of supplying a
pair of (char const *, size_t), the constructor accepts a 'Cstring'.
This, in turn, clears the way let the 'String' constructor use the new
output mechanism to assemble a string from multiple arguments (and
thereby getting rid of snprintf within Genode in the near future).

To enforce the explicit resolution of the char * ambiguity, the 'char *'
overload of the 'print' function is marked as deleted.

Issue #1987
2016-08-29 17:27:10 +02:00
Alexander Boettcher
b5ff552460 base: extend core_mem_alloc free by phys_addr
required by base-sel4 to turn used page frames back to untyped memory

Issue #2044
2016-08-10 11:07:52 +02:00
Alexander Boettcher
464181b01d base: refactor io_port session implementation
Split port API implementation into separate io_port_session_support.cc file,
so that base-sel4 may implement this part alternatively.

Issue #2044
2016-08-10 11:07:50 +02:00
Alexander Boettcher
5a0bc07d30 demo: make cancel_blocking working
- remove special handling from base-nova
- add to rpc_server where it actually should be applied to
- required to work for sel4 cancel_blocking

Issue #2044
2016-08-10 11:07:50 +02:00
Alexander Boettcher
4783043b5d nova: free up mdb entry if no sub node exists
Issue #1950

Fixes #2048
2016-08-10 11:07:49 +02:00
Norman Feske
62d65d00e0 Remove signal-source headers from public API
Those headers implement a platform-specific mechanism. They are never
used by components directly.

This patch also cleans up a few other remaining platform-specific
artifact such as the Fiasco.OC-specific assert.h.

Issue #1993
2016-07-15 11:38:25 +02:00
Emery Hemingway
f8337b511b Move Session_label from os to base
Session_label constructor now takes a bare string rather than a
serialized argument buffer.
Replace all instances of previous constructor with 'label_from_args'
function.

Issue #1787
2016-07-11 13:09:24 +02:00
Norman Feske
88b358c5ef Unification of native_capability.h
This patch establishes the sole use of generic headers across all
kernels. The common 'native_capability.h' is based on the version of
base-sel4. All traditional L4 kernels and Linux use the same
implementation of the capability-lifetime management. On base-hw, NOVA,
Fiasco.OC, and seL4, custom implementations (based on their original
mechanisms) are used, with the potential to unify them further in the
future.

This change achieves binary compatibility of dynamically linked programs
across all kernels.

Furthermore, the patch introduces a Native_capability::print method,
which allows the easy output of the kernel-specific capability
representation using the base/log.h API.

Issue #1993
2016-07-11 13:07:37 +02:00
Norman Feske
d71f0a9606 Cleanup of parent-cap handling
This patch alleviates the need for a Native_capability::Dst at the API
level. The former use case of this type as argument to
Deprecated_env::reinit uses the opaque Native_capability::Raw type
instead. The 'Raw' type contains the portion of the capability that is
transferred as-is when delegating the capability (i.e., when installing
the parent capability into a new component, or when installing a new
parent capability into a new forked Noux process). This information can
be retrieved via the new Native_capability::raw method.

Furthermore, this patch moves the functions for retriving the parent
capability to base/internal/parent_cap.h, which is meant to be
implemented in platform-specific ways. It replaces the former set of
startup/internal/_main_parent_cap.h headers.

Issue #1993
2016-07-11 13:05:27 +02:00
Norman Feske
f7bdd383e2 Remove base/native_types.h headers
Issue #1993
2016-07-11 12:06:50 +02:00
Christian Prochaska
71183783a2 NOVA: initialize segment and flag registers of local ECs
Make sure that the segment and flag registers of local ECs are initialized
after recall by initializing them at EC creation time.

Fixes #2000
2016-06-28 11:09:28 +02:00
Norman Feske
2030ae678e Supplement base/log.h with raw output function
This patch introduces the Genode::raw function that prints output
directly via a low-level kernel mechanism, if available.

On base-linux, it replaces the former 'raw_write_str' function.
On base-hw, it replaces the former kernel/log.h interface.

Fixes #2012
2016-06-22 12:21:42 +02:00
Alexander Boettcher
56890733af nova: handle cap count error if IPC dst invalid
Fixes #1995
2016-06-06 09:38:30 +02:00
Alexander Boettcher
74030a2e38 nova: kernel fix for more than 4096 processes
Fixes #1951
2016-05-27 09:34:23 +02:00
Alexander Boettcher
66b7a01d58 nova: show pd info during unresolvable faults
Fixes #1977
2016-05-26 15:54:14 +02:00
Alexander Boettcher
b9b8114a4e nova: support fixed ACPI event delivery by kernel
Issue #1962
2016-05-26 15:54:13 +02:00
Christian Prochaska
2cde1d36c1 base: changes for GDB monitor
- add a new function 'binary_ready_hook_for_gdb()' in ldso. GDB can set a
  breakpoint at this function to know when ldso has loaded the binary
  into memory.
- get the thread state from the NOVA kernel immediately on 'pause()'

Fixes #1968
2016-05-23 15:52:49 +02:00
Norman Feske
807be83b1b Remove inconsistent use of 'is_' prefix
Fixes #1963
2016-05-23 15:52:39 +02:00
Norman Feske
a99989af40 Separation of thread operations from CPU session
This patch moves the thread operations from the 'Cpu_session'
to the 'Cpu_thread' interface.

A noteworthy semantic change is the meaning of the former
'exception_handler' function, which used to define both, the default
exception handler or a thread-specific signal handler. Now, the
'Cpu_session::exception_sigh' function defines the CPU-session-wide
default handler whereas the 'Cpu_thread::exception_sigh' function
defines the thread-specific one.

To retain the ability to create 'Child' objects without invoking a
capability, the child's initial thread must be created outside the
'Child::Process'. It is now represented by the 'Child::Initial_thread',
which is passed as argument to the 'Child' constructor.

Fixes #1939
2016-05-23 15:52:39 +02:00
Alexander Boettcher
bb3e9300f6 nova: disable ACPI GPE events during kernel boot
Issue #1962
2016-05-23 15:52:38 +02:00
Alexander Boettcher
dccad4c526 nova: kernel support for more than 4096 processes
Fixes #1951
2016-05-23 15:52:36 +02:00
Alexander Boettcher
77c4510787 nova: support dropping caps just locally
without revocation of all subsequent delegations.

Fixes #1950
2016-05-23 15:52:36 +02:00
Norman Feske
fd401bdf53 Thread API cleanup
This patch cleans up the thread API and comes with the following
noteworthy changes:

- Introduced Cpu_session::Weight type that replaces a formerly used
  plain integer value to prevent the accidental mix-up of
  arguments.
- The enum definition of Cpu_session::DEFAULT_WEIGHT moved to
  Cpu_session::Weight::DEFAULT_WEIGHT
- New Thread constructor that takes a 'Env &' as first argument.
  The original constructors are now marked as deprecated. For the
  common use case where the default 'Weight' and 'Affinity' are
  used, a shortcut is provided. In the long term, those two
  constructors should be the only ones to remain.
- The former 'Thread<>' class template has been renamed to
  'Thread_deprecated'.
- The former 'Thread_base' class is now called 'Thread'.
- The new 'name()' accessor returns the thread's name as 'Name'
  object as centrally defined via 'Cpu_session::Name'. It is meant to
  replace the old-fashioned 'name' method that takes a buffer and size
  as arguments.
- Adaptation of the thread test to the new API

Issue #1954
2016-05-23 15:49:55 +02:00
Norman Feske
1f395ae780 base: new interface for textual output
Issue #1942
2016-05-09 13:25:01 +02:00
Norman Feske
3bceefc9cf Omit superfluous use of "CAP"/"SIGNAL" services
The functionality of the former "CAP" and "SIGNAL" services is now
provided by core's "PD" service.
2016-05-09 13:24:51 +02:00
Norman Feske
40a5af42eb Clean up base-library structure
This patch moves the base library from src/base to src/lib/base,
flattens the library-internal directory structure, and moves the common
parts of the library-description files to base/lib/mk/base.inc and
base/lib/mk/base-common.inc.

Furthermore, the patch fixes a few cosmetic issues (whitespace and
comments only) that I encountered while browsing the result.

Fixes #1952
2016-05-09 13:24:11 +02:00
Norman Feske
7274ca997d Remove Genode::Process from API
This patch makes the former 'Process' class private to the 'Child'
class and changes the constructor of the 'Child' in a way that
principally enables the implementation of single-threaded runtime
environments that virtualize the CPU, PD, and RAM services. The
new interfaces has become free from side effects. I.e., instead
of implicitly using Genode::env()->rm_session(), it takes the reference
to the local region map as argument. Also, the handling of the dynamic
linker via global variables is gone. Now, the linker binary must be
provided as constructor argument.

Fixes #1949
2016-05-09 13:10:52 +02:00
Norman Feske
b49e588c1c Assign threads to PD at its creation time
This patch replaces the former 'Pd_session::bind_thread' function by a
PD-capability argument of the 'Cpu_session::create_thread' function, and
removes the ancient thread-start protocol via 'Rm_session::add_client' and
'Cpu_session::set_pager'. Threads are now bound to PDs at their creation
time and implicitly paged according to the address space of the PD.

Note the API change:

This patch changes the signature of the 'Child' and 'Process' constructors.
There is a new 'address_space' argument, which represents the region map
representing the child's address space. It is supplied separately to the
PD session capability (which principally can be invoked to obtain the
PD's address space) to allow the population of the address space
without relying on an 'Pd_session::address_space' RPC call.
Furthermore, a new (optional) env_pd argument allows the explicit
overriding of the PD capability handed out to the child as part of its
environment. It can be used to intercept the interaction of the child
with its PD session at core. This is used by Noux.

Issue #1938
2016-05-09 13:10:52 +02:00
Norman Feske
511acad507 Consolidate RM service into PD session
This patch integrates three region maps into each PD session to
reduce the session overhead and to simplify the PD creation procedure.
Please refer to the issue cited below for an elaborative discussion.

Note the API change:

With this patch, the semantics of core's RM service have changed. Now,
the service is merely a tool for creating and destroying managed
dataspaces, which are rarely needed. Regular components no longer need a
RM session. For this reason, the corresponding argument for the
'Process' and 'Child' constructors has been removed.

The former interface of the 'Rm_session' is not named 'Region_map'. As a
minor refinement, the 'Fault_type' enum values are now part of the
'Region_map::State' struct.

Issue #1938
2016-05-09 13:10:51 +02:00
Norman Feske
e20bbe7002 base: remove integer return codes from PD-session
The return code of assign_parent remained unused. So this patch
removes it.

The bind_thread function fails only due to platform-specific limitations
such as the exhaustion of ID name spaces, which cannot be sensibly
handled by the PD-session client. If occurred, such conditions used to
be reflected by integer return codes that were used for diagnostic
messages only. The patch removes the return codes and leaves the
diagnostic output to core.

Fixes #1842
2016-05-09 13:09:56 +02:00
Alexander Boettcher
1fc707d9dc nova: fix copy-paste bug in oom code
Fixes #1944
2016-05-09 13:09:54 +02:00
Norman Feske
f186587cab Unify ipc_msgbuf.h across base platforms
Besides unifying the Msgbuf_base classes across all platforms, this
patch merges the Ipc_marshaller functionality into Msgbuf_base, which
leads to several further simplifications. For example, this patch
eventually moves the Native_connection_state and removes all state
from the former Ipc_server to the actual server loop, which not only
makes the flow of control and information much more obvious, but is
also more flexible. I.e., on NOVA, we don't even have the notion of
reply-and-wait. Now, we are no longer forced to pretend otherwise.

Issue #1832
2016-04-25 10:47:59 +02:00
Norman Feske
0c299c5e08 base: separate native CPU from CPU session
This patch unifies the CPU session interface across all platforms. The
former differences are moved to respective "native-CPU" interfaces.

NOVA is not covered by the patch and still relies on a custom version of
the core-internal 'cpu_session_component.h'. However, this will soon be
removed once the ongoing rework of pause/single-step on NOVA is
completed.

Fixes #1922
2016-04-25 10:47:57 +02:00
Norman Feske
051e84c4b4 Move server API concept to base framework
This commit introduces the new `Component` interface in the form of the
headers base/component.h and base/entrypoint.h. The os/server.h API
has become merely a compatibilty wrapper and will eventually be removed.
The same holds true for os/signal_rpc_dispatcher.h. The mechanism has
moved to base/signal.h and is now called 'Signal_handler'.

Since the patch shuffles headers around, please do a 'make clean' in the
build directory.

Issue #1832
2016-04-11 11:51:46 +02:00
Alexander Boettcher
4ac7127f89 nova: avoid memory leak in kernel 2016-04-11 11:51:45 +02:00
Norman Feske
cda07b7da0 base: simplification of the IPC code
This commit replaces the stateful 'Ipc_client' type with the plain
function 'ipc_call' that takes all the needed state as arguments.
The stateful 'Ipc_server' class is retained but it moved from the public
API to the internal ipc_server.h header. The kernel-specific
implementations were cleaned up and simplified. E.g., the 'wait'
function does no longer exist. The badge and exception code are no
longer carried in the message buffers but are handled in kernel-specific
ways.

Issue #610
Issue #1832
2016-04-11 11:51:42 +02:00
Norman Feske
47878bd3e1 Remove 'Ipc_istream' and 'Ipc_ostream' from API
Fixes #610
2016-04-11 11:51:42 +02:00
Norman Feske
4cdfb9bc2f base: remove 'Native_connection_state' from API
Issue #1832
2016-04-11 11:51:42 +02:00
Norman Feske
da5d182ad3 base: remove 'Native_thread' from public API
Issue #1832
2016-04-11 11:51:42 +02:00
Norman Feske
84bfb4c04c base: remove 'Native_thread_id' type
Issue #1832
2016-03-18 22:43:01 +01:00
Stefan Kalkowski
5085ad36c3 tool: remove deprecated 'make prepare' mechanism
Fix #1897
2016-03-17 17:02:04 +01:00
Norman Feske
9b0eb720b0 base: remove 'Native_utcb' from public API
Fixes #1905
2016-03-17 17:02:04 +01:00
Norman Feske
9a3185f8ed base-linux: remove chroot support
Fixes #1903
2016-03-08 17:00:54 +01:00
Norman Feske
76db3b9c06 base: retire 'Native_config'
This commit moves the parameters of the stack area to the base-internal
header 'stack_area.h'.

Issue #1832
2016-03-08 17:00:54 +01:00
Norman Feske
7f73e5e879 base: hide internals of the Thread API
This patch moves details about the stack allocation and organization
the base-internal headers. Thereby, I replaced the notion of "thread
contexts" by "stacks" as this term is much more intuitive. The fact that
we place thread-specific information at the bottom of the stack is not
worth introducing new terminology.

Issue #1832
2016-03-07 12:34:46 +01:00
Norman Feske
3473955212 base-linux/nova: unify include/rm_session/client.h
By moving the stub implementation to rm_session_client.cc, we can use
the generic base/include/rm_session/client.h for base-linux and
base-nova and merely use platform-specific implementations.

Issue #1832
2016-03-07 12:34:45 +01:00
Norman Feske
2e701f9afa base: update include guards
This patch cleans up the include guards, assisted by the
tool/fix_include_ifndef script.
2016-03-07 12:34:45 +01:00
Norman Feske
e6729316ff base: uniform base-internal header structure
This patch establishes a common organization of header files
internal to the base framework. The internal headers are located at
'<repository>/src/include/base/internal/'. This structure has been
choosen to make the nature of those headers immediately clear when
included:

  #include <base/internal/lock_helper.h>

Issue #1832
2016-03-07 12:34:45 +01:00
Norman Feske
be496c6dc1 base: remove kernel-specific base/sleep.h
With this patch, the platform differences reside solely in the
implementation of the base library.

Issue #1832
2016-03-07 12:34:44 +01:00
Norman Feske
62b1c55399 Integrate CAP session into PD session
This patch integrates the functionality of the former CAP session into
the PD session and unifies the approch of supplementing the generic PD
session with kernel-specific functionality. The latter is achieved by
the new 'Native_pd' interface. The kernel-specific interface can be
obtained via the Pd_session::native_pd accessor function. The
kernel-specific interfaces are named Nova_native_pd, Foc_native_pd, and
Linux_native_pd.

The latter change allowed for to deduplication of the
pd_session_component code among the various base platforms.

To retain API compatibility, we keep the 'Cap_session' and
'Cap_connection' around. But those classes have become mere wrappers
around the PD session interface.

Issue #1841
2016-03-07 12:34:44 +01:00
Norman Feske
b1910cdd54 Integrate SIGNAL session into PD session
This patch removes the SIGNAL service from core and moves its
functionality to the PD session. Furthermore, it unifies the PD service
implementation and terminology across the various base platforms.

Issue #1841
2016-03-07 12:34:44 +01:00
Martin Stein
ff10687a6c toolchain: report missing ports at once
Previously, ports that were needed for a scenario and that were not
prepared or outdated, triggered one assertion each during the second
build stage. The commit slots a mechanism in ahead that gathers all
these ports during the first build stage and reports them in form of a
list before the second build stage is entered.  This list can be used
directly as argument for tool/ports/prepare_port to prepare respectively
update the ports. If, however, this mechanism is not available, for
example because a target is build without the first build stage, the old
assertion still prevents the target from running into troubles with a
missing port.

Fixes #1872
2016-03-07 12:34:43 +01:00
Alexander Boettcher
e5eb1000c7 nova: remove obsolete parts of documentation 2016-02-26 12:19:25 +01:00
Alexander Boettcher
f572cf8a05 nova: stop submitting signals on dead sm caps
Fixes #1877
2016-02-05 10:57:04 +01:00
Alexander Boettcher
7598f09295 nova: check for valid platform_pd pointer 2016-01-26 16:20:38 +01:00
Alexander Boettcher
a258caa7ab nova: propagate bdf for assign_pci properly
Now, the right PCI bus:device:function (BDF) is reported to the kernel
during assign_pci syscall - beforehand it was ever 0:0.0. The BDF is
needed to lookup the correct DMAR unit the kernel has to configure. This
was revealed as the DMAR unit for Intel graphics on x201 is not the same
as for all other PCI devices we have drivers for on this platform.

Fixes #1848
2016-01-13 14:57:02 +01:00
Alexander Boettcher
1d5aa4ca7e nova: avoid warnings because of oom handling
Use kernel branch which is more accurate in accounting memory, which avoids
kernel messages of following form:

[0] warning: insufficient resources ...

Fixes #1830
2016-01-08 14:37:57 +01:00
Alexander Boettcher
7ee3e98551 nova: update kernel to fix assertion
Some special pages (0-page, 1-page) in the kernel must not be freed up
during PD destruction.

Fixes #1828
2015-12-18 15:04:25 +01:00
Alexander Boettcher
a73c6470f6 nova: handle hip/mb memory region of size 0
Fixes #1814
2015-12-10 13:16:28 +01:00
Alexander Boettcher
1aa6a2a4a1 nova: fix kernel freezing
Fixes #1815
2015-12-10 13:16:28 +01:00
Alexander Boettcher
5b376188da nova: disable super pages for DMAR units 2015-11-29 18:17:09 +01:00
Alexander Boettcher
18130e3120 nova: limit user virtual address space on 64bit 2015-11-29 18:17:08 +01:00
Alexander Boettcher
f92a6a9594 nova: use kernel with DMAR quirk for Lenovo X250
Issue #1764
2015-11-29 18:17:08 +01:00
Alexander Boettcher
7857e830a3 nova: fix write-combing support
Issue #1764
2015-11-29 18:17:08 +01:00
Christian Prochaska
6bf4fd3340 nova: 64-bit guest support
Issue #1791
2015-11-29 18:17:06 +01:00
Alexander Boettcher
9ada3d3178 nova: sanity check parent pd assignments
Issue #1778
2015-11-18 12:22:09 +01:00
Alexander Boettcher
4b6b759739 nova: handle dissolve of not-activated entrypoints
Dissolve calls on not-yet-activated entrypoints will block forever in the
portal cleanup call without this commit.

Issue #1778
2015-11-18 12:22:08 +01:00
Alexander Boettcher
eb236a1a10 nova: re-add server object IPC cleanup call
Accidentally removed by #1658. We need to make the cleanup call for server
objects - otherwise we may get in capability identifier re-use trouble.

Issue #1778
2015-11-18 12:22:08 +01:00
Alexander Boettcher
91b69edb72 nova: adjust kernel warning/error messages
- extend one overmap message case
- show by default more error messages

Issue #1779
2015-11-18 12:22:08 +01:00
Alexander Boettcher
5c63f7003e nova: evalute pending irqs si->sm association
Fixes ps/2 driver bring-up if already some irqs are pending but not delivered
to the Genode signal(Nova semaphore) - reported by @nfeske.

Fixes #1779
2015-11-18 12:22:08 +01:00
Christian Helmuth
9730c7e333 base-nova: cleanup specific Rm_session_client
- Align implementation to the current generic implementation
- Document NOVA-specific implementation of dataspace() (as in the
  original commit message)
2015-11-04 14:37:55 +01:00
Alexander Boettcher
ffbbf69959 nova: update kernel branch to avoid tlb issues
Following page fault sympton in core gets fixed:

PAGE-FAULT IN CORE (WRITE pf_addr=1000000 pf_ip=14361c from 00 <NULL>)

stack pointer 0xa01fec30, qualifiers 0x6 irUWp

faulter utcb a01ff000, last message item count 1

0 - type=1 rights=0x3 region=0x1000000+0x1000000 hotspot 0(801) - delegated

   1 a01fec30 0014361c
   2 a01fec68 001401d5
2015-10-28 15:06:23 +01:00
Alexander Boettcher
d6bae1a9a3 nova: speedup clearing dataspace in core 2015-10-28 15:06:23 +01:00
Alexander Boettcher
ceb04d3c11 nova: avoid race in pager_object destruction
Don't skip the cleanup call if a pager object is marked as blocked.

It happens that the pager_object is in destruction but it is also used
concurrently by the pager thread. The pager thread handling code may set the
pager object to blocked but still uses the pointer to the pager object. Avoid
locking at the state of the pager object and make the cleanup call everytime.

Error output looks like this, where the pf_ip is within

  void Pager_object::_page_fault_handler(addr_t pager_obj)

method and the pf_addr is the stale pointer to the already released pager_object.

no RM attachment (READ pf_addr=xxx pf_ip=xxx from 00 <NULL>)
static void Genode::Pager_object::_page_fault_handler(Genode::addr_t): page fault, thread '<NULL>', cpu x, ip=xxx, fault address=xxx

PAGE-FAULT IN CORE (READ pf_addr=b10e0090 pf_ip=132dbc from 00 <NULL>)
2015-10-28 15:06:22 +01:00
Alexander Boettcher
6c30bf2667 nova: interpret write page fault correctly
Fixes #1722
2015-10-09 16:38:48 +02:00
Alexander Boettcher
2e62543fdb nova: use remote revoke
Fixes #1733
2015-10-09 16:38:48 +02:00
Alexander Boettcher
c0e88ec69e nova: adjust kernel quota calculation
Too less memory quota for a PD may be calculated, which leads to too early
punishment for a Genode process.

Discovered during Turmvilla scenario #1552 and issue #1733.
2015-10-09 16:38:47 +02:00
Alexander Boettcher
c7195c8652 nova: sanitize cpu during pager assignment
Additionally print warnings about unavailable CPUs if they are tried to be
used during pager object setup.

Discovered during Turmvilla scenario #1552 and issue #1733.
2015-10-09 16:38:47 +02:00
Alexander Boettcher
d7da035115 nova: sanitize priority parameters
threads with prio 0 will not be started and would fail silently.
Happened on Turmvilla for the USBProxy thread in virtualbox.

Discovered during Turmvilla scenario #1552 and issue #1733.
2015-10-09 16:38:47 +02:00
Alexander Boettcher
70a3bb7465 nova: avoid syscall on invalid signal capability
Reduces kernel log message noise when running on kernel-debug branch.
Additionally add a more verbose core message.

Discovered during Turmvilla scenario #1552 and issue #1733.
2015-10-09 16:38:46 +02:00
Alexander Boettcher
94f64ef464 nova: avoid sc_ctrl syscalls on invalid caps
Avoids kernel log messages if TRACE_ERROR is enabled in kernel.

Discovered during Turmvilla scenario #1552 and issue #1733.
2015-10-09 16:38:46 +02:00
Alexander Boettcher
ae12f04354 nova: avoid deadlocks by self-destructing threads
Issue #1687
2015-10-06 12:18:50 +02:00
Alexander Boettcher
ad24b25af0 nova: avoid buddy allocator assertion in kernel
Fixes #1672
2015-09-30 15:48:11 +02:00
Christian Helmuth
985c01116b nova: PIC compatible syscall_5
Addressing must be PC-relative, so adapt the approach from the other
nova_x86_32 syscall bindings (description by @ssumpf):

  Use call to push the current IP on the stack and add the distance of
  label 0 and label 1 in order to determine the return address, which
  NOVA requires in edx.

The bug only showed up with "-O0" in libc.lib.so in form of a unwanted
text relocation.

Fixes #1721
2015-09-30 15:48:10 +02:00
Stefan Kalkowski
b585583ec7 core: do not destroy in object pool's apply scope
Destroying an object within the scope of a lambda/functor executed
in the object pool's apply function leads potentially to memory corruption.
Within the scope the corresponding object is locked and unlocked when
leaving the scope. Therefore, it is illegal to free the object's memory meanwhile.
This commit eliminates several places in core that destroyed wrongly in
the object pool's scope.

Fix #1713
2015-09-30 12:20:40 +02:00
Stefan Kalkowski
ccb968ff7d safeguard the synchronized allocator template
* Move the Synced_interface from os -> base
* Align the naming of "synchronized" helpers to "Synced_*"
* Move Synced_range_allocator to core's private headers
* Remove the raw() and lock() members from Synced_allocator and
  Synced_range_allocator, and re-use the Synced_interface for them
* Make core's Mapped_mem_allocator a friend class of Synced_range_allocator
  to enable the needed "unsafe" access of its physical and virtual allocators

Fix #1697
2015-09-30 12:20:39 +02:00
Stefan Kalkowski
ed52d5a211 Introduce 'spec' subdirectories to outline aspects
Instead of holding SPEC-variable dependent files and directories inline
within the repository structure, move them into 'spec' subdirectories
at the corresponding levels, e.g.:

  repos/base/include/spec
  repos/base/mk/spec
  repos/base/lib/mk/spec
  repos/base/src/core/spec
  ...

Moreover, this commit removes the 'platform' directories. That term was
used in an overloaded sense. All SPEC-relative 'platform' directories are
now named 'spec'. Other files, like for instance those related to the
kernel/architecture specific startup library, where moved from 'platform'
directories to explicit, more meaningful places like e.g.: 'src/lib/startup'.

Fix #1673
2015-09-16 13:58:50 +02:00
Stefan Kalkowski
458b4d6fc4 base: redesign object pool using lambda interface
Instead of returning pointers to locked objects via a lookup function,
the new object pool implementation restricts object access to
functors resp. lambda expressions that are applied to the objects
within the pool itself.

Fix #884
Fix #1658
2015-09-09 15:14:28 +02:00
Alexander Boettcher
6776d6c9a8 nova: extend platform test by PAT test
Issue #1566
2015-08-31 09:09:22 +02:00
Alexander Boettcher
0f2c2a675a nova: support write combining
Fixes #1566
2015-08-31 09:09:22 +02:00
Alexander Boettcher
b438181188 nova: use updated r9 kernel branch
Fixes a kernel regression (because of using builtin_retrun_address)
introduced by the out-of-memory commits.

Issue #1601
2015-08-27 12:02:16 +02:00
Alexander Boettcher
9a326bed2d nova: revoke unused caps after IPC
Fix issue introduced during #905
2015-08-21 11:00:58 +02:00
Alexander Boettcher
df662cc2f3 nova: use kernel branch with quota handling
Fixes #1601
2015-08-21 10:59:45 +02:00
Stefan Kalkowski
eafe5e81e3 core: unify and simplify paging code (Fix #1641)
For most platforms except of NOVA a distinction between pager entrypoint
and pager activation is not needed, and only exists due to historical
reasons. Moreover, the pager thread's execution path is almost identical
between most platforms excluding NOVA, HW, and Fisco.OC. Therefore,
this commit unifies the pager loop for the other platforms, and removes
the pager activation class.
2015-08-21 10:58:59 +02:00
Christian Prochaska
2337dc03f4 nova: use branch supporting changing PDPTE by VMM
Fixes #1637
2015-08-21 10:58:59 +02:00
Alexander Boettcher
f87c573695 nova: increase default capability selector count
The reference count get increase to use 2 bytes, so we need the double amount
of selectors as before.

Additionally print a message if we run out of capabilities in a server. Since
our rpc framework is now clever enough to detect that for a printf we don't
need to setup a receive window, we may use a printf instead of a die call.
Eases debugging.

Issue #1601
2015-08-21 10:58:58 +02:00
Alexander Boettcher
c6943d494b nova: extend platform test to provoke kernel panic
Showcasing the out of memory kernel issue.

One test triggers oom during memory delegation when talking to core pager
thread. Two other test trigger oom during capability delegation in a
server/client scenario for send and reply phase separately.

Issue #1601
2015-08-21 10:58:58 +02:00
Martin Stein
f3e76b3e9a base: use BDA header in base-nova like base-hw
Moves the Bios Data Area header from base-hw to base. Modifies the
base-nova core console that it uses the header as replacement for
the previous BDA bit logic.

Ref #1625
2015-07-21 09:30:12 +02:00
Alexander Boettcher
0b019d0508 base: move x86 uart driver from nova to base
So it can be reused by base-hw-x86 instead of re-writing it.

Fixes #1403
2015-07-21 09:30:11 +02:00
Stefan Kalkowski
0f05fa6fd4 base: resolve dead lock in weak pointer templates
This commit eliminates the mutual interlaced taking of destruction lock,
list lock and weak pointer locks that could lead to a dead-lock situation
when a lock pointer was tried to construct while a weak object is in
destruction progress.
Now, all weak pointers are invalidated and dequeued at the very
beginning of the weak object's destruction. Moreover, before a weak pointer
gets invalidated during destruction of a weak object, it gets dequeued, and
the list lock is freed again to avoid the former dead-lock.

Fix #1607
2015-07-21 09:30:04 +02:00
Alexander Boettcher
c42e770384 detach ds from all rm sessions before destruction
Fixes #1617
2015-07-21 09:28:24 +02:00
Alexander Boettcher
9506c89f88 nova: fix memory leaks / invariant TSCs
- free up kernel memory of empty slabs (if already one empty slab is in
  place)
- free up more page table entries
- handle CPUs with invariant TSCs gracefully

  Genode/Nova running on CPUs without the invariant TSC feature may seem
  to 'hang'. The referenced commit of the nova branch fixes the issue
  for some older Intel CPUs.

Fixes #1615
2015-07-07 19:48:07 +02:00
Alexander Boettcher
4ee8919f29 nova: use 16bit for reference count of caps
Bomb and any server may generate references to capabilities exceeding 256 -
use a 16bit counter until the cap handling in Genode gets unified.

Additionally try to print a warning, instead of dying, if we get cap reference
count under or overflow.

Issue #1615
2015-07-07 19:48:07 +02:00
Norman Feske
503263a8a2 base-nova: consider non-contiguous CPU numbers
This is a follow-up commit to the following two patches:
* base/nova: add idle threads to trace sources
* nova: support to read thread and idle time
2015-07-07 19:48:05 +02:00
Stefan Kalkowski
2a351215f4 base: remove pager code from public API
Fix #1593
2015-07-01 14:46:15 +02:00
Norman Feske
a23ac5f569 base/nova: add idle threads to trace sources
Issue #813
2015-06-22 14:43:39 +02:00
Norman Feske
959572968d core: provide thread exec times via TRACE service
This patch enable clients of core's TRACE service to obtain the
execution times of trace subjects (i.e., threads). The execution time is
delivered as part of the 'Subject_info' structure.

Right now, the feature is available solely on NOVA. On all other base
platforms, the returned execution times are 0.

Issue #813
2015-06-22 14:43:38 +02:00
Alexander Boettcher
fbe44f08d4 nova: support to read thread and idle time
Issue #813
2015-06-22 14:43:38 +02:00
Alexander Boettcher
7b6cd28dcb nova: update to r9
Fixes compiler warnings and re-enables debug commits regarding out of memory
situations.

Fixes #1551
2015-06-03 12:53:48 +02:00
Stefan Kalkowski
28804e2bfb base: remove cap_integrity test (fix #1536) 2015-05-26 09:40:04 +02:00
Stefan Kalkowski
64bfe233d7 base: make CAP session upgradeable
* Introduce 'Out_of_metadata' exception for capability allocation

Ref #1443
2015-05-26 09:40:02 +02:00
Stefan Kalkowski
73c3a81e0b base: make PD session upgradeable
Ref #1443
2015-05-26 09:40:02 +02:00
Alexander Boettcher
3e90542559 nova: use signals with irqs in core
Avoids the need to have per IRQ a thread that blocks synchronously for next
interrupt. Now a thread may wait for multiple IRQs as other signals
simultaneously.

In core no threads are required anymore for IRQs/MSI - the clients (either
the pci_drv or in case of MSI the driver) gets the IRQ delivered directly as
a ordinary Genode signal.

Useful since #1216 and #1487 is now available.
Commit applies feature of #1446 also to IRQ/MSIs.
2015-05-26 09:39:51 +02:00
Alexander Boettcher
e84284c0cd base: remove shared irq from core
Cleanup commit after all relevant drivers got adapted to use the x86 platform
driver (pci_drv).

Issue #1471
2015-05-26 09:39:47 +02:00
Christian Prochaska
e8f82a1da3 nova: delay UTCB revocation on thread destruction
On NOVA, a Genode thread currently cannot destroy itself by destroying its
own 'Thread' object, because in 'Thread_base::_deinit_platform_thread()'
it cannot call 'Cpu_session::kill_thread()' anymore after it has revoked
its own UTCB.

As solution, the revocation of the UTCB can be delayed until its location
in the context area is needed by a new thread.

Fixes #1505
2015-05-26 09:39:46 +02:00
Alexander Boettcher
24a4e486c4 nova: adjust phys and io_mem allocator
Add comments about the way the allocator are filled and make solely acpi
related memory as io_mem available to platform.
2015-05-26 09:39:45 +02:00
Norman Feske
4736488d99 core: change order of _export_ds and _clear_ds
On seL4, we need to convert untyped memory to page frames before being
able to use it as normal memory. There already exists the hook function
'_export_ds' that is principally suitable for such tasks. It is
currently solely used on Linux where we have to create a file for each
dataspace. To make the hook useful also for seL4, we need to call
_export_ds prior _clear_ds. Otherwise, we would try to clear memory that
is still untyped.
2015-05-20 17:52:57 +02:00
Alexander Boettcher
d998df3b7f base: extend irq session to support MSIs
Works on base-nova and base-foc, the other kernels have no MSI support.

Issue #1216
2015-05-20 17:39:14 +02:00
Alexander Boettcher
bc3ba380ae nova: fix check in irq_session destruction
Issue #1456
2015-05-06 10:55:22 +02:00
Christian Helmuth
98def2488a thread: move Thread_base::myself() to separate file
The thread library (thread.cc) in base-foc shared 95% of the code with
the generic implementation except myself(). Therefore, its
implementation is now separated from the other generic sources into
myself.cc, which allows base-foc to use a foc-specific primitive to
enable our base libraries in L4Linux.

Issue #1491
2015-05-06 10:55:17 +02:00
Martin Stein
c9272937e7 CPU session: apply quota via relative weightings
Physical CPU quota was previously given to a thread on construction only
by directly specifying a percentage of the quota of the according CPU
session. Now, a new thread is given a weighting that can be any value.
The physical counter-value of such a weighting depends on the weightings
of the other threads at the CPU session. Thus, the physical quota of all
threads of a CPU session must be updated when a weighting is added or
removed. This is each time the session creates or destroys a thread.

This commit also adapts the "cpu_quota" test in base-hw accordingly.

Ref #1464
2015-05-06 10:55:16 +02:00
Alexander Boettcher
faa25e1df6 base: make irq_session asynchronous
second step

options: factor out common parts of irq_session_component.cc
options: use on foc arm no proxy threads

Fixes #1456
2015-04-23 16:47:58 +02:00
Alexander Boettcher
e2cbc7c5b3 base: unify some irq_session headers
remove repos/base-*/include/irq_session headers and use only a unification
from   repos/base/include/irq_session

first step

Issue #1456
2015-04-23 16:47:57 +02:00
Stefan Kalkowski
b949489641 base: remove local capability from generic base
* Instead of using local capabilities within core's context area implementation
  for stack allocation/attachment, simply do both operations while stack gets
  attached, thereby getting rid of the local capabilities in generic code
* In base-hw the UTCB of core's main thread gets mapped directly instead of
  constructing a dataspace component out of it and hand over its local
  capability
* Remove local capability implementation from all platforms except Linux

Ref #1443
2015-04-17 16:13:20 +02:00
Stefan Kalkowski
a168c9d6ce core: remove global capability id counter
The global capability ID counter is not used by NOVA and Fiasco.OC
and in the future not needed by base-hw too. Thereby, remove the static
counter variable from the generic code base and add it where appropriated.

Ref #1443
2015-04-17 16:13:19 +02:00
Stefan Kalkowski
358380046c base: assign allocator and quota to platform pd
Enable platform specific allocations and ram quota accounting for
protection domains. Needed to allocate object identity references
in the base-hw kernel when delegating capabilities via IPC.
Moreover, it can be used to account translation table entries in the
future.

Ref #1443
2015-04-17 16:13:19 +02:00
Alexander Boettcher
b50d707d5b nova: leverage kernel to implement Genode signals
Fixes #1446
2015-03-27 11:53:11 +01:00
Alexander Boettcher
f5329c23b7 nova: update to kernel branch introducing signals
+ adjust syscall headers accordingly

Issue #1446
2015-03-27 11:53:11 +01:00
Alexander Boettcher
1f8fad8fa1 base: refactor signal_transmitter::submit
Move it to platform specific .cc file, so that it may get re-implemented
platform specifically if needed.

Issue #1446
2015-03-19 09:32:52 +01:00
Alexander Boettcher
2a4b67f90b nova: fix syscall bindings for 32bit
The bindings for 32bit did not consider that in the syscall_3 function
edx changes due to the assembly instructions and that in the syscall_4
function edx and ecx change. So, the compiler wrongly assumed that the
content of these registers stayed unchanged.

Fixes #1447
2015-03-19 09:13:32 +01:00
Norman Feske
99e7f26b99 Remove base/include/base/errno.h, fix #1450 2015-03-19 08:57:20 +01:00
Alexander Boettcher
3279346f80 nova: update kernel (fixes endless loop)
If running multiple VBox VMMs with Windows as guest concurrently then it may
happen that the system seem to hang. It turned out that actually
a VM-exit storm (vmx_exception->handle_exc_nm) causes a endless loop between
kernel and vCPU. Nothing gets scheduled nor interrupts are received anymore.
The referenced kernel commit fixes this issue.

Issue #1343
2015-03-13 12:17:24 +01:00
Alexander Boettcher
d86380d744 nova: provide assessors in utcb for efer register
Issue #1413
2015-02-27 11:48:05 +01:00
Alexander Boettcher
a31378476d nova: use in core one pager per CPU
Fixes #1394
2015-02-27 11:40:58 +01:00
Alexander Boettcher
2b69310adf nova: detect overlapping module regions
Detect overlapping regions which should not overlap and print some meaningful
message instead of dying with some mysterious page fault.

Issue #1402
2015-02-16 14:01:45 +01:00
Josef Söntgen
c706b1c0a7 run: modularize run tool 2015-01-26 12:28:40 +01:00
Norman Feske
a0abb093ed Remove output-section fill from linker scripts
The linker scripts use to fill alignment gaps within the text section
with the magic value 0x90909090, which correponds to the opcodes of four
nop instructions on x86. This patch removes this value because it
apparently solves no problem. If, for some reason (e.g., due to a dangling
pointer) a thread executes instructions within alignment paddings, NOP
instructions are not any better than any other instruction. The program
will eventually execute the instructions after the padding, which is
most likely fatal. It would be more reasonable to fill the padding with
the opcode of an illegal instruction so that such an error can be
immediately detected. That said, I cannot remember a single instance,
where the fill value has helped us during debugging.

Even if the mechanism served a purpose on x86, it is still better to
remove it because it does not equally work on the other architectures
where the linker scripts are used. I.e., on ARM, the opcode 0x90909090
is not a NOP instruction.
2015-01-20 11:25:59 +01:00
Alexander Boettcher
988a7962a8 nova: disable vpid feature
Workaround for issue #1343. By disabling the 'vpid' feature of the nova
kernel several VMs can be used concurrently. Applies for Seoul and VirtualBox.

Issue #1343
2015-01-20 11:23:50 +01:00
Alexander Boettcher
e5b509cabb nova: breakpoint handling
If no one is registered for a breakpoint trap - stop the thread. E.g. used
by virtualbox assertion implementation.
2015-01-09 11:03:29 +01:00
Alexander Boettcher
8842ba2e1c nova: remove timer delay heuristic
The commit uses a fixed kernel branch (r8), which fixes a caching bug
observable in the Genode host. The quirk detecting the circumstance in the
timer service is obsolete now and is removed.

Fixes #1338
2015-01-06 12:39:11 +01:00
Alexander Boettcher
1d920fa1b5 nova: fix usage of portal permission
The commit
- fixes the syscall bindings for using portal permissions
- revokes PT_CTRL permission after pager in core set local badge name
- revokes PT_CTRL permission after server entrypoint code set local badge name

Fixes #1335
2015-01-06 12:39:11 +01:00
Alexander Boettcher
bfa2ad7d47 nova: platform test for portal permission usage
Test and run script showcasing issue #1335.

The test mainly tries out syscalls which should not succeed.
2015-01-06 12:39:11 +01:00
Christian Helmuth
727ac4bc0c Put entry point at start of binary on x86 platforms
Related to #881.
2014-12-19 13:58:47 +01:00
Alexander Boettcher
51489e2f82 vmm: fix overmap attempts by seoul and vbox
If the debug branch of the nova kernel is used, following messages are printed
by the kernel during vCPU setup phase:

[0] overmap attempt OBJ - tree - ...

Fixes #1324
2014-12-19 13:58:46 +01:00
Martin Stein
8f9355b360 thread API & CPU session: accounting of CPU quota
In the init configuration one can configure the donation of CPU time via
'resource' tags that have the attribute 'name' set to "CPU" and the
attribute 'quantum' set to the percentage of CPU quota that init shall
donate. The pattern is the same as when donating RAM quota.

! <start name="test">
!   <resource name="CPU" quantum="75"/>
! </start>

This would cause init to try donating 75% of its CPU quota to the child
"test".  Init and core do not preserve CPU quota for their own
requirements by default as it is done with RAM quota.

The CPU quota that a process owns can be applied through the thread
constructor. The constructor has been enhanced by an argument that
indicates the percentage of the programs CPU quota that shall be granted
to the new thread. So 'Thread(33, "test")' would cause the backing CPU
session to try to grant 33% of the programs CPU quota to the thread
"test". By now, the CPU quota of a thread can't be altered after
construction. Constructing a thread with CPU quota 0 doesn't mean the
thread gets never scheduled but that the thread has no guaranty to receive
CPU time. Such threads have to live with excess CPU time.

Threads that already existed in the official repositories of Genode were
adapted in the way that they receive a quota of 0.

This commit also provides a run test 'cpu_quota' in base-hw (the only
kernel that applies the CPU-quota scheme currently). The test basically
runs three threads with different physical CPU quota. The threads simply
count for 30 seconds each and the test then checks wether the counter
values relate to the CPU-quota distribution.

fix #1275
2014-11-28 12:02:37 +01:00
Martin Stein
ec6c19a487 base: memory barriers in lock implementations
The memory barrier prevents the compiler from changing the program order
of memory accesses in such a way that accesses to the guarded resource
get outside the guarded stage. As cmpxchg() defines the start of the
guarded stage it also represents an effective memory barrier.

On x86, the architecture ensures to not reorder writes with older reads,
writes to memory with other writes (except in cases that are not
relevant for our locks), or read/write instructions with I/O
instructions, locked instructions, and serializing instructions.

However on ARM, the architectural memory model allows not only that
memory accesses take local effect in another order as their program
order but also that different observers (components that can access
memory like data-busses, TLBs and branch predictors) observe these
effects each in another order. Thus, a correct program order isn't
sufficient for a correct observation order. An additional architectural
preservation of the memory barrier is needed to achieve this.

Fixes #692
2014-11-28 12:02:34 +01:00
Alexander Boettcher
eedf3fa413 nova: update to r7 branch
Fixes #1297
2014-11-28 12:00:44 +01:00
Alexander Boettcher
53d471aa22 nova: handle race during signal setup phase
Fixes #1266
2014-10-10 13:02:32 +02:00
Christian Helmuth
976d669253 base-nova: remove special Thread_base::myself()
The weak implementation was added for quite special purposes years ago
and is no longer needed. On the other hand, the weak attribute does not
help if the implementation ends up in a shared library, which first
resolves symbols locally before asking ldso (that includes the acutal
thread library) *shiver*
2014-09-04 14:45:39 +02:00
Christian Helmuth
dc2961338d Bootable GRUB2 disk image with ext2 partition
This provides bootable disk images for x86 platforms via

! RUN_OPT="--target disk"

The resulting disk image contains one ext2 partition with binaries from
the GRUB2 boot loader and the run scenario. The default disk size fits
all binaries, but is configurable via

! --disk-size <size in MiB>

in RUN_OPT.

The feature depends on an grub2-head.img, which is part of the commit,
but may also be generated by executing tool/create_grub2. The script
generates a disk image prepared for one partition, which contains files
for GRUB2. All image preparation steps that need superuser privileges
are conducted by this script.

The final step of writing the entire image to a disk must be executed
later by

  sudo dd if=<image file> of=<device> bs=8M conv=fsync

Fixes #1203.
2014-08-18 13:25:21 +02:00
Christian Prochaska
a46de84f89 Fix race condition in page fault notification
When a page fault cannot be resolved, the GDB monitor can get a hint about
which thread faulted by evaluating the thread state object returned by
'Cpu_session::state()'. Unfortunately, with the current implementation,
the signal which informs GDB monitor about the page fault is sent before
the thread state object of the faulted thread has been updated, so it
can happen that the faulted thread cannot be determined immediately
after receiving the signal.

With this commit, the thread state gets updated before the signal is sent.

At least on base-nova it can also happen that the thread state is not
accessible yet after receiving the page fault notification. For this
reason, GDB monitor needs to retry its query until the state is
accessible.

Fixes #1206.
2014-07-24 10:18:07 +02:00
Alexander Boettcher
e70c13ce1f nova: update to r6 nova kernel branch
- adds general support for semaphore timeouts
- fixes PCID feature (aka tagged TLB) seeen on Lenovo X201

Fixes #1211
2014-07-24 10:18:06 +02:00
Stefan Kalkowski
786fe805da base: introduce caching attributes (fix #1184)
On ARM it's relevant to not only distinguish between ordinary cached memory
and write-combined one, but also having non-cached memory too. To insert the
appropriated page table entries e.g.: in the base-hw kernel, we need to preserve
the information about the kind of memory from allocation until the pager
resolves a page fault. Therefore, this commit introduces a new Cache_attribute
type, and replaces the write_combined boolean with the new type where necessary.
2014-06-26 10:57:26 +02:00
Christian Helmuth
2c3a0bbe1b nova: re-throw uncatched exception of dying thread
If the re-throw works, we will can see which exception type was thrown.
2014-05-27 13:45:20 +02:00
Norman Feske
615830e107 Enable hash checks for ports mechanism 2014-05-27 13:45:03 +02:00
Christian Prochaska
078883fda3 base: interface for D- and I-cache synchronization
On ARM, when machine instructions get written into the data cache
(for example by a JIT compiler), one needs to make sure that the
instructions get written out to memory and read from memory into
the instruction cache before they get executed. This functionality
is usually provided by a kernel syscall and this patch adds a generic
interface for Genode applications to use it.

Fixes #1153.
2014-05-27 11:14:45 +02:00
Norman Feske
05a460c11f Temporarily disable hash checks
...until the transition to the new ports management is complete.
2014-05-27 11:14:44 +02:00
Norman Feske
7d4f8fa746 base-nova: migrate to new ports mechanism
Issue #1082
2014-05-27 11:14:43 +02:00
Norman Feske
9f43aa4363 base-nova: fully qualify Utcb type 2014-05-27 11:14:41 +02:00
Norman Feske
ca971bbfd8 Move repositories to 'repos/' subdirectory
This patch changes the top-level directory layout as a preparatory
step for improving the tools for managing 3rd-party source codes.
The rationale is described in the issue referenced below.

Issue #1082
2014-05-14 16:08:00 +02:00