On x86, the `Vm_session_component` obscured the differences between SVM
and VMX.
Separate the implementations, factor out common functionality and
address a number of long-standing issues in the process:
- Allocate nested page tables from Core_ram_allocator as a more suitable
abstraction and account for the required memory, subtract the
necessary amount of RAM from the session's `Ram_quota` *before*
constructing the session object, to make sure that the memory
allocated from the `Core_ram_allocator` is available from the VMM's
RAM quota.
- Move the allocation of Vcpu_state and Vcpu_data into the Core::Vcpu
class and use the Core RAM Allocator to allocate memory with a known
physical address.
- Remove the fixed number of virtual CPUs and the associated reservation
of memory by using a Registry for a flexible amount of vCPUs.
Issue #5221
This patch allows for the construction of 'Xml_node' objects from a
'Const_byte_range_ptr' argument as a safer alternative to the pair
of addr, max_len arguments.
Issue #5411
The pointer returned by '_logger()' can be a nullptr, in particular
while tracing is (temporarily) inhibited. This patch ensures that
the 'Thread::trace' accessors never operate on a nullptr.
Fixes#5410
If the memory for the designated object is allocated as char[sizeof(T)],
the size of 'Placeable' is expected to equal the size of T. However, in
principle, the compiler has the freedom to inflate the 'Placeable'
object. The static assertion gives us the assurance that the compiler
does not violate our assumption.
Core uses an instance of 'Pd_session_component' as a representative
for RAM/cap quota accounts used whenever session resources are
donated to core's services. All other facets of 'Pd_sesson_component'
remain unused. Core's instance of 'Pd_session_component' is hosted
at 'Core_env'. Upon its construction, all unused facets of
'Pd_session_component' are initialized by dummy arguments in 'Core_env'.
To overcome the need for dummy arguments, this patch splits the
accounting part of the PD-session interface into a separate
'Pd_account' interface. This gives us the prospect of narrowing
core's current use of 'Pd_session_component' by 'Pd_account',
alleviating dead code and the need for any dummy arguments.
Issue #5408
`Vm_session_component::create_vcpu()` is present across all supported
kernels, yet until now it was not part of the `Vm_session` interface.
Add the method to the `Vm_session` interface. This unifies calls in the
base library and is the basis to remove the need for a common base class
for separate `Vm_session` implementations for SVM and VMX on x86_64.
Issue #5221
Prevent erratic runtime behavior stemming from accidentally passing a
copy to a `Ram_allocator` by making the interface noncopyable.
In consequence, we had to provide an explicit copy constructor for
`Session_env` in server/nic_router, which will be reconsidered in
issue #5405.
Issue #5221
GCC 12 tree-loop-distribute-patterns generates false warnings of
-Warray-bounds, -Wstringop-overflow, or -Wstringop-overread in memcpy()
and memcpy_cpu() in static/inline cases for code that obviously prevents
its execution by invariant checking. On -O3, even more warnings are
produced.
The operators == and != make the 'Rect' consistent with 'Point' and
'Area'. The patch also adds the 'Rect::clamp' method, which is generally
useful for sanitizing input.
Issue #5352
The new bytes() accessor returns a Byte_range_pointer as an alternative
to the 'local_addr' for accessing the content of the dataspace. This
facilitates the safe practice of passing (and validating) the buffer
bounds along with the pointer.
Issue #5351
By default, a 'Connection' donates an amount of caps as declared in
SESSION_TYPE::CAP_QUOTA to the server at session-creation time.
In some situations, however, a client may deliberately want to donate a
larger amount. For example, when opening a GUI session at the wm, the
total amount of needed caps is the sum of those consumed by the wm plus
those consumed by nitpicker. Using this knowledge, the Gui::Connection
may specify a sufficient amount to avoid iterative session-creation
retries. The new 'Connection' constructor accommodates this use case by
accepting an explicit 'cap_quota' argument.
Issue #5340
Add extended FPU state detection and handling (via xsave and friends) to the
kernel, which has to store/load more FPU state (~512 -> 2k++) during context
switching of threads. Additional the referenced nova branch contains various
optimization during VM destruction and cross core IPC resource caching.
This FPU work is based upon upstream NOVA kernel and Hedron commits.
Issue #5314Fixes#3914
This patch replaces the former Child::Process and
Child::Process::Loaded_executable classes by static functions that
return failure conditions as return values.
Issue #5245
- Remove exceptions
- Use 'Attr' struct for attach arguments
- Let 'attach' return 'Range' instead of 'Local_addr'
- Renamed 'Region_map::State' to 'Region_map::Fault'
Issue #5245Fixes#5070
The 'Thread_creation_failed' error is now reflected as
'Thread::Start_result' return value. This change also removes the
use of 'Invalid_thread' within core as this exception is an alias
of Cpu_session::Thread_creation_failed.
Issue #5245
This patch removes the exception formerly thrown by 'Cpu_thread::state'
and turns the 'Thread_state' structure into a plain compound type w/o a
constructor.
Issue #5245Fixes#5250
This patch replaces exceptions of the PD session RPC interface with
result types.
The change of the quota-transfer RPC functions required the adaptation
of base/quota_transfer.h and base/child.h.
The 'alloc_signal_source' method has been renamed to 'signal_source'
to avoid an exceedingly long name of the corresponding result type.
The Pd_session::map function takes a 'Virt_range' instead of basic-type
arguments.
The 'Signal_source_capability' alias for 'Capability<Signal_source>' has
been removed.
Issue #5245
This patch updates the signal API to avoid raw pointers, and
replaces the Context_already_in_use and Context_not_associated
exceptions by diagnostic messages.
Fixes#5247
This exception got introduced as a mere convenience for implementers of
'Child_policy' but required a special case in the base library.
Following the goal of eliminating exceptions from the base system,
this patch removes it by making a server_id_space mandatory.
Issue #5245
This patch allows the use of the 'Id_space' utility without catching
'Unknown_id' exceptions. Instead, the new 'apply' overload takes a
second functor 'missing_fn' as argument, which is called whenever the
lookup fails.
Issue #5244
- Move header to base/include to make it applicable for base types
like 'Affinity' down the road.
- Represent 'Rect' as typle of point and area, which is the most
common form of initialization, creates in valid 'Rect' by default.
- Turn Point, Area, and Rect into compound types, making x, y, w, h, at,
area accessible without a method call
- 'Rect::Compound' function for constructing a 'Rect' from two points,
replacing a former constructor
- Use result type 'Rect::Cut_remainder' instead of out parameters.
Fixes#5239
To make the x86 page table base implementation compatible with the
function signatures used in hw, make the Intel IOMMU specific arguments
optional:
- Make the `flush` parameter default to false.
- Make the `supported_sizes` parameter default to 1GB + 2MB + 4k.
Issue #5217
The Intel IOMMU page table implementation in the pc platform driver uses
a page table allocator that is adapted from the implementation in the hw
kernel.
Move the allocator to base as a first step to consolidate
implementations, fix an Array constructor and re-add the Allocator
constructor working on addresses instead of tables.
Issue #5217
On hw, `Page_flags` is used throughout architectures. At the same time,
it is used by the Intel IOMMU page table implementation in the pc
platform driver.
Consolidate the definition in base so it is available for all users.
Issue #5217
The classes Genode::Mmio, Genode::Register_set, Genode::Attached_mmio, and
Platform::Device::Mmio now receive a template parameter 'size_t SIZE'. In each
type that derives from one of these classes, it is now statically checked that
the range of each Genode::Register::Register- and
Genode::Register_set::Register_array-deriving sub-type is within [0..SIZE).
That said, SIZE is the minimum size of the memory region provided to the above
mentioned Mmio classes in order to avoid page faults or memory corruption when
accessing the registers and register arrays declared inside.
Note, that the range end of a register array is not the end of the last item
but the end of integer access that is used for accessing the last bit in the
last item.
The constructors of Genode::Mmio, Genode::Attached_mmio, and
Platform::Device::Mmio now receive an argument 'Byte_range_ptr range' that is
expected to be the range of the backing memory region. In each type that derives
from on of these classes, it is now dynamically checked that 'range.num_bytes
>= SIZE', thereby implementing the above mention protection against page faults
and memory corruption.
The rest of the commit adapts the code throughout the Genode Labs repositories
regarding the changes. Note that for that code inside Core, the commits mostly
uses a simplified approach by constructing MMIO objects with range
[base..base+SIZE) and not with a mapping- or specification-related range size.
This should be fixed in the future.
Furthermore, there are types that derive from an MMIO class but don't declare
any registers or register arrays (especially with Platform::Device::Mmio). In
this case SIZE is set to 0. This way, the parameters must be actively corrected
by someone who later wants to add registers or register arrays, plus the places
can be easily found by grep'ing for Mmio<0>.
Fix#4081
Per default Tslab checks that 8 slabs incl. overhead fit into one block.
If this is not desired the template parameter 'MIN_SLABS_PER_BLOCK' can
be used to control the minimum number of blocks.
Fixes#3834
