The 'build.mk' file checks if the tool chain to be used supports the
'-static' and '-fno-stack-protector' flags, but this check always fails
for the current Genode tool chain because it cannot create executable
files without explicitly specifying the 'crt0' and library files to be
linked, which the check doesn't.
This patch removes the compiler check.
Fixes#358.
The exception initialization and handling in gcc_eh allocates early (_main)
memory before executing main. In Vancouver the virtual
region from [0,VM size) must be reserved. Vancouver fails if the memory
allocated by the exception handling and the static objects was allocated
inside the [0, VM size) area.
To circumvent the situation allocate the first memory pieces for the heap
from the bss.
The first metadata-block, which is inherent part of the allocator object
itself has a fixed size which isn't suitable enough for some 64bit platforms
(e.g. core's RAM-allocator on a 64bit platform with lots of different regions).
This commit let the block size be address-width aware.
Every 64-bit binary is effectively 4M too big currently [0]. The GNU linker ld
aligns the text section of the binary to the maximum page size. On i386
the default section alignment is fixed typically to 4K.
Avoid wasting mainly 4M on x86_64 by telling the linker the max page size to
be 4K.
[0] http://sourceware.org/ml/binutils/2009-04/msg00099.html
This patch introduces the functions 'affinity' and 'num_cpus' to the CPU
session interface. The interface extension will allow the assignment of
individual threads to CPUs. At this point, it is just a stub with no
actual platform support.
This patch adds libstdc++ to libports. With the previous version of the
stdcxx library, the build system used the C++ standard library that
comes with the compiler. This mechanism was prone to inconsistencies of
types defined in the header files used at compile time of the tool chain
and the types provided by our libc. By building the C++ standard library
as part of the Genode build process, such inconsistencies cannot happen
anymore.
Note that the patch changes the meaning of the 'stdcxx' library for
users that happened to rely on 'stdcxx' for hybrid Linux/Genode
applications. For such uses, the original mechanism is still available,
in the renamed form of 'toolchain_stdcxx'.
Let the Fiasco.OC base platform succeed the cap_integrity run-script meaning
that it is not feasible anymore to fake a capability by using a valid one
together with a guessed local_name.
On both 32-bit and 64-bit platforms, 'uint64_t' can be defined as
'unsigned long long', which is the type expected by the %llx
format-string specifier. By unifying the type definitions, we resolve
warnings about unmatching type specifiers. This patch also removes
redundant words from the typedefs.
Avoid the use of deprecated 'MASK' enum in CPU register 'Asid'.
Enable the use of the 'K' bit in MMU translations.
Treat any try to modify existing valid entries in section- and
pagetables when doing 'insert_translation' as error.
Beautify concerned files.
For 64-bit registers we cannot compute MASK and SHIFT values via enums
because enum values are always of type int. But we can use static member
functions instead. Furthermore, the patch fixes the type trait for
64-bit registers. (apparently, this access width was never used so far)
The code intended to stop after the first failed attempt,
however the bool variable to control this was reseted
inside the loop and so it endless loops.
Fixes#51
Rm_client is derived from Pager_object. If the Pager_object is also
derived from Thread_base (which is the case for NOVA) then the
Rm_client object must be destructed without holding the rm_session_object
lock. The native platform specific Thread_base implementation has to take
care that all in-flight page handling requests are finished before
destruction. On NOVA it is done by doing an IPC to the pager thread.
(performed in Pager_object::dissolve() in base-nova). The
called thread than executes its operation until end which also requires
in some cases to take the rm_session_object lock.
Since _client_slab insertion/deletion also must be performed
synchronized but can't be protected by the rm_session_object lock
because of the described dead_lock situation, we have
to use a synchronized allocator object to perform insertion and
deletion of Rm_clients.
If nobody is blocked in a semaphore, nothing can be dequeued. If
the semaphore is used for signalling, there can be somebody in the queue,
but not necessarily.
Without this patch the compilation failed with:
/usr/bin/ld: main.o: relocation R_X86_64_32S against
`vtable for Genode::Dataspace' can not be used when making a shared object;
recompile with -fPIC
main.o: could not read symbols: Bad value
collect2: ld returned 1 exit status
make[6]: *** [init] Error 1
For this patch the use of the hardening tool chain must be indicated
using the "hardening_tool_chain" SPECS entry within the file
<build>/etc/specs.conf
Fixes#79
Use git to get recent kernels from github. Adjust NOVA patch to compile
with recent github version. Patch and use makefile of NOVA microkernel
to avoid duplicated (and outdated) makefile in Genode
Furthermore, this patch adds support for using NOVA on x86_64. The
generic part of the syscall bindings has been moved to
'base-nova/include/nova/syscall-generic.h'. The 32/64-bit specific
parts are located at 'base-nova/include/32bit/nova/syscalls.h' and
'base-nova/include/64bit/nova/syscalls.h' respectively.
On x86_64, the run environment boots qemu using the Pulsar boot loader
because GRUB legacy does not support booting 64bit ELF executables.
In addition to the NOVA-specific changes in base-nova, this patch
rectifies compile-time warnings or build errors in the 'ports' and
'libports' repositories that are related to NOVA x86_64 (i.e., Vancouver
builds for 32bit only and needed an adaptation to NOVAs changed
bindings)
Fixes#233, fixes#234
This patch extends the RAM session interface with the ability to
allocate DMA buffers. The client specifies the type of RAM dataspace to
allocate via the new 'cached' argument of the 'Ram_session::alloc()'
function. By default, 'cached' is true, which correponds to the common
case and the original behavior. When setting 'cached' to 'false', core
takes the precautions needed to register the memory as uncached in the
page table of each process that has the dataspace attached.
Currently, the support for allocating DMA buffers is implemented for
Fiasco.OC only. On x86 platforms, it is generally not needed. But on
platforms with more relaxed cache coherence (such as ARM), user-level
device drivers should always use uncacheable memory for DMA transactions.
When creating a 'Child' object with an already active entrypoint,
session requests may arrive as soon as the '_process' is created. We
have to make sure that at least all parts of the 'Child' object needed
for serving 'session' requests are constructed. This is particularly
important for the '_policy' member.
The new 'genode_envp' variable declared in '_main.cc' allows libc
plugins to supplying custom environment pointers to the main function.
This is needed by 3rd-party software such as GNU make, which expects the
environment pointer as third argument of the main function.
This commit introduces placement new/delete, and a constructor for
Heap::Dataspace objects. It fixes the usage of uninitialized Dataspace
objects when expanding the heap that lead to problems in conjunction
with Native_capability smart-pointer in base-foc. Please refer to
issue #203.
This patch increases the stack size of entrypoint threads in the PCI and
PS/2 drivers, in the Terminal server and in the Signal service for 64-bit
Genode/Fiasco.OC built with -O0.
Fixes#198.
When a portion of the sliced heap gets freed, the corresponding block
gets removed from the list of blocks, and it's dataspace containing the
block gets detached, but it's destructor never gets called. This leads
to leaking capabilities, when Native_capability is implemented as
smart-pointer, because the destructor of Ram_dataspace_capability that
is part of the Block object gets never called.
Whenever Native_capability or its derivation Capaility is memcpy'd no copy-
constructor/assignment-operator is used and thereby implementation of
reference-counting gets impossible for these objects. Use object-oriented
means like e.g. copy-constructor instead.
If any operand of the '?' operator is of an unsigned type, the result
is unsigned by default. Thanks to Julian Stecklina for finding
this out.
Fixes#189.
With this patch clients of the RM service can state if they want a mapping
to be executable or not. This allows dataspaces to be mapped as
non-executable on Linux by default and as executable only if needed.
Partially fixes#176.
This patch introduces support for ROM sessions that update their
provided data during the lifetime of the session. The 'Rom_session'
interface had been extended with the new 'release()' and 'sigh()'
functions, which are needed to support the new protocol. All ROM
services have been updated to the new interface.
Furthermore, the patch changes the child policy of init
with regard to the handling of configuration files. The 'Init::Child'
used to always provide the ROM dataspace with the child's config file
via a locally implemented ROM service. However, for dynamic ROM
sessions, we need to establish a session to the real supplier of the ROM
data. This is achieved by using a new 'Child_policy_redirect_rom_file'
policy to handle the 'configfile' rather than handling the 'configfile'
case entirely within 'Child_config'.
To see the new facility in action, the new 'os/run/dynamic_config.run'
script provides a simple scenario. The config file of the test program
is provided by a service, which generates and updates the config data
at regular intervals.
In addition, new support has been added to let slaves use dynamic
reconfiguration. By using the new 'Child_policy_dynamic_rom_file', the
configuration of a slave can be changed dynamically at runtime via the
new 'configure()' function.
The config is provided as plain null-terminated string (instead of a
dataspace capability) because we need to buffer the config data anyway.
So there is no benefit of using a dataspace. For buffering configuration
data, a 'Ram_session' must be supplied. If no 'Ram_session' is specified
at construction time of a 'Slave_policy', no config is supplied to the
slave (which is still a common case).
An example for dynamically reconfiguring a slave is provided by
'os/run/dynamic_config_slave.run'.
The 'copy_to' function turned out to be not flexible enough to
accommodate the Noux fork mechanism. This patch removes the function,
adds an accessor for the capability destination and a compound type
'Native_capability::Raw' to be used wherever plain capability
information must be communicated.
By commit d287b9d893 the Native_capability
class changed fundamentally in the Fiasco.OC platform code of Genode. Thereby
the cap_integrity test got incompatible with it. This commit introduces a
separate test implementation for Fiasco.OC that does semantically the same
like the old test. Please refer to issue #161.
By using the `compare_output_to` method from the run tool instead of using
regexp in the cap_integrity run-script, the test outputs the undesired lines
instead of just signaling that the test failed.
We cannot trust signal imprints received with signals to represent valid
pointers to signal contexts. After a signal context has been dissolved
from its receiver, a signal corresponding to the context might still be
in flight. Hence, we need a facility to check received signal imprints
against the list of valid contexts at reception time. The new
'Signal_context_registry' is a very simple attempt to create such a
facility.
Introduce a new Noncopyable class, one can derive from to mark a class of
objects to be uncopyable. This way the compiler can check for any violations
for you.
This commit unifies the policy name for the template argument for
Native_capability_tpl to Cap_dst_policy, like suggested by Norman in the
discussion resulting from issue #145. Moreover, it takes the memcpy
operation for copying a Native_capability out of the template, which is
included by a significant bunch of files, and separates it in a library,
analog to the suggestion in issue #145.
Because we use to pass a policy class to 'Native_capability_tpl'
we can pass the dst type as part of the policy instead of as
a separate template argument. This patch also adds documentation
of the POLICY interface as expected by 'Native_capability_tpl'.
This patch unifies the Native_capability classes for the different kernel
platforms by introducing an appropriate template, and eliminating naming
differences. Please refer issue #145.
To give the platform developer more freedom in how the Native_capability
class is internally implemented (e.g. turning it into a smart-pointer),
this patch removes the memcpy operation, when transfering the parent-capability
to a new process from the generic code, and let the implementation of the
platform-specific Native_capability decide how the transfer has to be done.
Please refer to issue #144.
Introduce a factory-, and dereference method for local capabilities. These are
capabilities that reference objects of services, which are known to be used
protection-domain internally only. To support the new Capability class methods
a protected constructor and accessor to the local object's pointer is needed
in the platform's capability base-classes. For further discussion details please
refer issue #139.
Separate spin-lock implementation from lock-implementation and put it into a
non-public header, so it can be re-used by the DDE kit's and Fiasco.OC's
capability-allocator spin lock. Fixes issue #123.
Replace 'Reg_array' in 'Genode::Mmio' by 'Register_array' and 'Subreg'
in 'Genode::Register', 'Genode::Mmio::Register'and
'Genode::Mmio::Register_array' by 'Bitfield'.
Update and beautify comments in the according headers and test programs.
'Reg_array' contains items whose width can be the width of the register
storage type at a max. Nethertheless they can be smaller and iterate all
subregs that are covered by the item width. The array uses as much
successive instances of its storage type as needed.
The test 'run/util_mmio' also tests these new features heavily.
The run script 'run/util_mmio.run' runs a test over basic
functionalities of 'Mmio::Register' and 'Mmio::Register::Subreg'. The
test covers the functions 'read' and 'bits', 'set', 'clear' and 'get'.
Inline function in 'Mmio::Register::Subreg' whose definition otherwise
looks ugly.
To accommodate CPU registers, which have a structured layout but don't
depend on a region base address, this patch introduces the generic
'Genode::Register' and 'Genode::Subreg' to 'register.h'.
'Mmio::Register' and 'Mmio::Subreg' inherit from them.
The MMIO access framework consists of an abstraction for a contiguous
MMIO area with a base address set dynamically. Within this class 'Mmio'
are declarations for 'Register' and 'Subreg'. These two can be
parameterized statically via template parameters to create arbitrary
MMIO structures.
Whereas 'Register' relies to a POD like subregion of 'Mmio', 'Subreg'
relies to a MMIO region within a specific 'Register' and therefore is
smaller or equal then the storage type of its superior 'Register'.
Furthermore with 'Reg_array' and 'Subreg_array', there exists the
possibility to handle arrays of uniform contiguous registers or subregs
by index. 'Subreg_array' therefore abstracts from the width boundary of
its superior 'Register' and handles a steady distance between its
members in addition. Both also check array size limits.
Related to issue #69.
The startup procedure of forked processes differs from Genode's
normal process creation by omitting all steps related to ELF loading
and the start of the main thread. To let the process lib support this
distinction, an invalid ELF-binary capability is handled as valid
argument now.
The 'Child' framework used to perform the transfer of session quota
using 'env()->ram_session()' as hard-wired reference account. When
locally virtualizing the RAM session supplied to the 'Child', this
policy does not work. When closing a session, core would try to transfer
session quota to the virtualized RAM service, which is of course not
possible. This patch makes the reference RAM session configable via the
'Child_policy' interface.
The new function 'Platform_env::reload_parent_cap' triggers a reload
of the parent capability and its respective resources. It is needed
during the bootstrap of a new process forked from an existing Noux
process.
This patch fixes printf errors caused by sign extension of values that
were supposed to be unsigned. Fixes#6. Also handles the case where
sizeof(long long) != sizeof(long).
Until now, the RPC framework did not support const RPC functions. Rather
than being a limitation inherent to the concept, const RPC functions
plainly did not exist. So supporting them was not deemed too important.
However, there are uses of RPC interfaces that would benefit from a way
to declare an RPC function as const. Candidates are functions like
'Framebuffer::Session::mode()' and 'Input::Session::is_pending()'.
This patch clears the way towards declaring such functions as const.
Even though the patch is simple enough, the thorough support for
const-qualified RPC functions would double the number of overloads for
the 'call_member' function template (in 'base/include/util/meta.h'). For
this reason, the patch does support const getter functions with no
arguments only. This appears to be the most common use of such
functions.
This patch implements the support needed to handle exceptions that occur
during the construction of objects dynamically allocated via the
'Allocator' interface. In this case, the compiler automatically invokes
a special delete operator that takes the allocator type (as supplied to
'new') as second argument. The implementation of this delete operator
has been added to the 'cxx' library. Because the operator delete is
called without the size of the object, we can use only those allocators
that ignore the size argument of the free function and print a warning
otherwise. The added 'Allocator::need_size_for_free()' function is used
to distinguish safe and unsafe allocators.
Normally, the build system creates libraries as mere side effects of
building targets. There is no way to explicitly trigger the build of
libraries only. However, in some circumstances (for example for testing
the thorough build of all libraries) a mechanism for explicitly building
libraries would be convenient. This patch implements this feature. It
consists of two changes.
The new pseudo target at 'base/src/lib/target.mk' gathers all libraries
that are available in all repositories specified for the build directory
and makes its target depend on them. This way, by building 'lib', all
libraries would be traversed. However, in the (likely) situation that
those libraries include one or more invalid libraries (libraries with
unsatisfied build requirements), the build system would skip the target.
Hence, the second change introduces a new condition 'FORCE_BUILD_LIBS'
to the build system. By setting this variable to 'yes' in the 'target.mk'
file, we let the build system to traverse library dependencies for
all valid libraries regardless of the presence of any invalid library.
When using an ELF image as returned from the iso9660 server, such an
image is represented as a managed dataspace composed of various portions
of one RAM dataspace, each portion attached with a different offset.
Now, when mapping the text segment of the ELF image (usually starting at
0x1000 within the image), the code mapped at 0x1000 may correspond to
any offset within the RAM dataspace used by the iso9660 server. In
particular, the src-fault address (the one within the RAM dataspace) may
be higher than dst-fault address (somewhere just above 0x1000 where a
page-fault occurred). Thereby, 'curr_rm_base' may become negative
during the reverse lookup of 'Rm_client::pager'. This corner case used
to let the 'Fault_area::constrain' function return an invalid fault
area, and thereby let the reverse lookup fail. The improved version
explicitly checks for the address overflow condition and tries to
constrain the dst fault address to the largest possible log2 page within
the positive address range.
Properly account signal count in the explicit-reply path (when source-
client gets immediately unblocked by 'signal_session_component::submit').
This patch prevents the delivery of superfluous signals with num == 0.
- Let hybrid Linux/Genode programs use POSIX threads for the
implementation of the Thread API.
- Prevent linkage of cxx library to hybrid Linux/Genode programs because
the cxx functionality is covered by glibc.
