92 Commits

Author SHA1 Message Date
Norman Feske
f679864c23 trace: C++20 compatibility
With the new standard, volatile variables cannot be incremented,
decremented, or modified by compound assignments (e.g., +=).

Issue #4869
2023-05-30 12:03:29 +02:00
Christian Prochaska
eab8db228b base: fix build errors with gcc 12
Fixes #4829
2023-05-08 15:55:35 +02:00
Norman Feske
61926ebc07 base: introduce platform_init function
The new 'init_platform' function performs the platform-specific
component-local low-level initialization. It allows for the
differentiation between core and regular components as well as
kernel-dependent peculiarities.

This patch introduces a consistent notion of a 'Platform'. Within core,
the 'Platform' contains the kernel-specific initialization. Outside
core, the platform sets up the interplay with the parent component. In
all cases, the platform is constructed while running on the initial
stack.

Issue #4784
2023-03-15 17:05:01 +01:00
Norman Feske
441186468c base: remove env_deprecated from rpc_cap_alloc
Issue #4784
2023-03-13 15:22:00 +01:00
Norman Feske
2e6dd010ae core: introduce 'Core' namespace
The namespace draws a clear line between the base library and the core
component.

It is declared at the new core-local header <types.h>, which is expected
to be included by all code of the core component. It is thereby a
natural place for kernel-agnostic general types like commonly used C++
utilities.

Fixes #4777
2023-03-13 14:32:37 +01:00
Norman Feske
33b038e8a7 Consistent spelling of "writeable"
Fixes #4425
2022-02-15 10:23:58 +01:00
Norman Feske
50c2b0066f Remove 'Env::reinit' and 'Env::reinit_main_thread'
Fixes #4404
2022-02-15 10:17:28 +01:00
Piotr Tworek
d610f9f4f1 Fix some signed/unsigned implicit conversions.
Fix some trivial cases where the signedness of the constant value does
not match the signedness of type the code expects to see. GCC can be
asked to warn about those by passing Wsign-covnersion flag.

Issue #4354
2022-01-19 12:35:48 +01:00
Stefan Kalkowski
2c569953d0 base: replace ELF flags bitfield with booleans
Instead of using a bitfield for storing rwx and skip boolean value,
take a boolean instead. This fixes a note giv]en by GCC 9.1 about
changes semantics of bitfields given as parameter by value on ARM.

Ref #4344
2021-12-17 15:04:48 +01:00
Norman Feske
03047009b1 base: avoid implicit conversions
This patch is a prerequisite for compiling the code with
the warnings -Wconversion enabled.

Issue #23
2021-12-17 15:04:44 +01:00
Norman Feske
231ac187fe base: introduce Ram_allocator::try_alloc
This patch replaces the 'Ram_allocator::alloc' RPC function by a
'try_alloc' function, which reflects errors as 'Attempt' return value
instead of an exception.

Issue #4322
Issue #3612
2021-11-29 15:10:53 +01:00
Norman Feske
4e714d3f3a base: handle cap depletion during session upgrade
When the own cap quota of a client does not suffice for a cap upgrade of
an existing session to a server, the client must issue a cap-resource
request to the parent. This logic was already in place for RAM quota but
was missing for cap quota.

Issue #4072
2021-04-20 12:10:57 +02:00
Norman Feske
468e7a825c base/cache.h: rename Cache_attribute to Cache
The short name is better because the type will become prominently
visible at the API.

Issue #2243
2021-04-20 12:10:31 +02:00
Alexander Boettcher
9b5bedefc7 expanding_pd_session: remove cap warning message
which are caused often when a component runs a bit longer and has dynamic
resource usage, e.g. running Genode's tool chain.
2021-03-12 12:01:39 +01:00
Christian Prochaska
59459e60e7 libc: pthread TLS optimizations
Fixes #4024
2021-02-23 12:07:17 +01:00
Norman Feske
852ab79359 Move atexit handling from base lib to libc
This patch untangles the interplay of the base library and the libc
during the exit handling.

- The CXA ABI for the atexit handling is now provided by the libc.
  For plain Genode components without libc dependency, __cxa_atexit
  is a no-op, which is consistent with Genode's notion of components.

- The 'abort' implementation of the base library no longer calls
  'genode_exit' but merely 'sleep_forever'. This way, the cxx library
  no longer depends on a 'genode_exit' implementation.

- The libc provides 'atexit' support by storing metadata on the
  libc kernel's heap now, thereby eliminating the former bounded
  maximum number of atexit handlers.

- Shared-library dtors are no longer called via the atexit mechanism
  by explicitly by the dynamic linker. This slightly changes the
  call order of destructors (adjustment of the ldso test). Functions
  marked as destructors are called after the atexit handlers now.

- The libc executes atexit handlers in the application context,
  which supports the I/O operations in those handles, in particular
  the closing of file descriptors.

Fixes #3851
2020-08-25 11:50:09 +02:00
Norman Feske
9d67f9fc8e Remove Allocator_guard
This patch removes old 'Allocator_guard' utility and replaces its use
with the modern 'Constrained_ram_allocator'.

The adjustment of core in this respect has the side effect of a more
accurate capability accounting in core's CPU, TRACE, and RM services.
In particular, the dataspace capabilities needed for core-internal
allocations via the 'Sliced_heap' are accounted to the client now.
The same goes for nitpicker and nic_dump as other former users of the
allocator guard. Hence, the patch also touches code at the client and
server sides related to these services.

The only remaining user of the 'Allocator_guard' is the Intel GPU
driver. As the adaptation of this component would be too invasive
without testing, this patch leaves this component unchanged by keeping a
copy of the 'allocator_guard.h' locally at the component.

Fixes #3750
2020-05-18 10:16:12 +02:00
Norman Feske
6f6340644b Hide binary_ready_hook_for_platform from public
The hook is meant to be internal to the framework. So better keep its
declaration in the framework-internal globals.h header.

Issue #3581
2020-04-24 14:37:47 +02:00
Norman Feske
b134867f31 Remove Rpc_entrypoint::Native_context
This patch largely reverts the commit "base: lay groundwork for
base-linux caps change" because the use of 'epoll' instead of 'select'
alleviated the need to allocate large FD sets, which motivated the
introduction of the 'Native_context' hook.

Related to issue #3581
2020-04-21 16:50:37 +02:00
Alexander Boettcher
3956530634 base: use Mutex/Blockade
Issue #3612
2020-04-17 12:40:12 +02:00
Stefan Thöni
a7a9855493 base: lay groundwork for base-linux caps change
Include the necessary hooks to introduce file descriptor
based capabilities in base linux.

Issue #3581
2020-02-27 14:46:58 +01:00
Norman Feske
3897ddea03 cxx: don't rely on global ctors
This patch removes the global variable 'blocker', which was expected to
be constructed via the global ctors. This mechanism, however, is not
used for the base library, which resulted in the use of an unconstructed
object. Specifically, the spinlock of the 'Lock' of the 'Registry'
defaulted to the LOCKED state (value 0), which eventually would lead to
a deadlock in the contention case of the cxa guard.

I could observe this deadlock once on during the component startup on
base-linux during the construction of the 'startup_lock'.

This patch fixes the problem by explicitly initializing the registry
of blockers via an init function.

Issue #2299
Issue #3578
2019-12-19 17:00:48 +01:00
Christian Prochaska
ab017607a2 tool chain: TLS support
Fixes #3418
2019-09-02 16:29:33 +02:00
Norman Feske
2cff12e1fb base: remove debug message 2019-08-28 14:18:44 +02:00
Norman Feske
b113f869bb Use I/O signals for resource-request responses 2019-08-21 13:39:44 +02:00
Norman Feske
6fb7022508 Cap-resource request on Pd_session::transfer_quota
This patch handles the case where a PD's cap quota becomes exhausted
on the attempt to transfer caps via 'Env::pd().transfer_quota'. The
solution mirrors the existing code for RAM quota.

Prior this patch, the 'transfer_quota' operation would trigger an
'Out_of_caps' exception.
2019-08-21 13:38:24 +02:00
Christian Prochaska
67fd77d10a base: catch 'Ipc_error' in 'Expanding_parent_client::exit()'
If a component is being destroyed just before it calls `exit()` at its
parent, the `exit()` call causes an `Ipc_error` exception, which leads to
an `abort()` loop with repeated error messages, because `abort()` calls
`exit()` too. Catching the exception in `Expanding_parent_client::exit()`
avoids this problem.

Fixes #3228
2019-03-18 15:56:59 +01:00
Norman Feske
5ed5fddb7c base/os: remove deprecated APIs
This commit removes APIs that were previously marked as deprecated. This
change has the following implications:

- The use of the global 'env()' accessor is not possible anymore.
- Boolean accessor methods are no longer prefixed with 'is_'. E.g.,
  instead of 'is_valid()', use 'valid()'.
- The last traces of 'Ram_session' are gone now. The 'Env::ram()'
  accessor returns the 'Ram_allocator' interface, which is a subset of
  the 'Pd_session' interface.
- All connection constructors need the 'Env' as argument.
- The 'Reporter' constructor needs an 'Env' argument now because the
  reporter creates a report connection.
- The old overload 'Child_policy::resolve_session_request' that returned
  a 'Service' does not exist anymore.
- The base/printf.h header has been removed, use base/log.h instead.
- The old notion of 'Signal_dispatcher' is gone. Use 'Signal_handler'.
- Transitional headers like os/server.h, cap_session/,
  volatile_object.h, os/attached*_dataspace.h, signal_rpc_dispatcher.h
  have been removed.
- The distinction between 'Thread_state' and 'Thread_state_base' does
  not exist anymore.
- The header cpu_thread/capability.h along with the type definition of
  'Cpu_thread_capability' has been removed. Use the type
  'Thread_capability' define in cpu_session/cpu_session.h instead.
- Several XML utilities (i.e., at os/include/decorator) could be removed
  because their functionality is nowadays covered by util/xml_node.h.
- The 'os/ram_session_guard.h' has been removed.
  Use 'Constrained_ram_allocator' provided by base/ram_allocator.h instead.

Issue #1987
2019-02-26 14:44:15 +01:00
Norman Feske
aa66b5d62f base: remove dependency from deprecated APIs
This patch adjusts the implementation of the base library and core such
that the code no longer relies on deprecated APIs except for very few
cases, mainly to keep those deprecated APIs in tact for now.

The most prominent changes are:

- Removing the use of base/printf.h

- Removing of the log backend for printf. The 'Console' with the
  format-string parser is still there along with 'snprintf.h' because
  the latter is still used at a few places, most prominently the
  'Connection' classes.

- Removing the notion of a RAM session, which does not exist in
  Genode anymore. Still the types were preserved (by typedefs to
  PD session) to keep up compatibility. But this transition should
  come to an end now.

- Slight rennovation of core's tracing service, e.g., the use of an
  Attached_dataspace as the Argument_buffer.

- Reducing the reliance on global accessors like deprecated_env() or
  core_env(). Still there is a longish way to go to eliminate all such
  calls. A useful pattern (or at least a stop-gap solution) is to
  pass the 'Env' to the individual compilation units via init functions.

- Avoiding the use of the old 'Child_policy::resolve_session_request'
  interface that returned a 'Service' instead of a 'Route'.

Issue #1987
2019-02-19 11:08:17 +01:00
Norman Feske
bcb24e316c base: fix warnings reported by LLVM analyzer
The warnings were false positives though.
2019-02-12 10:33:14 +01:00
Christian Prochaska
4b805ccde9 base: move 'Buffered_output' class into public header
Fixes #3128
2019-01-30 13:49:55 +01:00
Norman Feske
97e3d05f37 base-foc: fix placement of utcb area stack area
This commit ensures that UTCB areas of PDs are positioned relative to
the stack areas of regular components, not the one of core.

Fixes #3108
2019-01-14 12:34:41 +01:00
Christian Prochaska
a5547e5b1d base: improve floating point output
Fixes #2876
2019-01-07 12:33:54 +01:00
Alexander Boettcher
7536b665f1 core: avoid null pointer reference warning
Issue #3022
2019-01-07 12:25:44 +01:00
Norman Feske
19d7a488de init: health monitoring of child components
Fixes #3039
2018-11-27 11:36:34 +01:00
Alexander Boettcher
675d31587c base: increase retry in expanding_pd_session 2018-05-30 13:36:27 +02:00
Alexander Boettcher
e6d20aba93 base: support to attach RAM dataspaces readonly
Fixes #1633
2018-05-30 13:36:27 +02:00
Martin Stein
abf9557bb5 AVL node/tree: make non-copyable
AVL trees can't be copied with the default copy constructor as the
parent pointer of the first item of both of the resulting trees would
point to the original tree. Copying an AVL node, however, generally
violates the integrity of the corresponding tree. The copy constructor
of Avl_tree is used in some places but in those places it can be
replaced easily. So, this commit deletes the copy constructor of
Avl_node_base which makes Avl_node and Avl_tree non-copyable.

Issue #2654
2018-02-09 13:34:23 +01:00
Norman Feske
e0e9b3b32e init: close all sessions of exited children
With this patch, init responds to the exit of a child by closing all
sessions of the child. E.g., if a child is a GUI application, its
nitpicker session is closed at the time of exit, not at the time when
the start node disappears from init's configuration.

Since this change requires a modification of the 'Genode::Child' class,
it takes the chance to make the child-destruction less brutal. The
new version ensures that all threads of the destructed subsystem are
destructed before other sessions, in particular PD sessions. This
eliminates spurious page-fault warnings during the child destruction.

On Fiasco.OC, closing the CPU session of a thread while being called by
the thread causes a deadlock. Hence, we skip the eager destruction of
CPU sessions on this kernel.

Related to issue #2659
2018-02-09 13:31:27 +01:00
Norman Feske
eba9c15746 Follow practices suggested by "Effective C++"
The patch adjust the code of the base, base-<kernel>, and os repository.
To adapt existing components to fix violations of the best practices
suggested by "Effective C++" as reported by the -Weffc++ compiler
argument. The changes follow the patterns outlined below:

* A class with virtual functions can no longer publicly inherit base
  classed without a vtable. The inherited object may either be moved
  to a member variable, or inherited privately. The latter would be
  used for classes that inherit 'List::Element' or 'Avl_node'. In order
  to enable the 'List' and 'Avl_tree' to access the meta data, the
  'List' must become a friend.

* Instead of adding a virtual destructor to abstract base classes,
  we inherit the new 'Interface' class, which contains a virtual
  destructor. This way, single-line abstract base classes can stay
  as compact as they are now. The 'Interface' utility resides in
  base/include/util/interface.h.

* With the new warnings enabled, all member variables must be explicitly
  initialized. Basic types may be initialized with '='. All other types
  are initialized with braces '{ ... }' or as class initializers. If
  basic types and non-basic types appear in a row, it is nice to only
  use the brace syntax (also for basic types) and align the braces.

* If a class contains pointers as members, it must now also provide a
  copy constructor and assignment operator. In the most cases, one
  would make them private, effectively disallowing the objects to be
  copied. Unfortunately, this warning cannot be fixed be inheriting
  our existing 'Noncopyable' class (the compiler fails to detect that
  the inheriting class cannot be copied and still gives the error).
  For now, we have to manually add declarations for both the copy
  constructor and assignment operator as private class members. Those
  declarations should be prepended with a comment like this:

        /*
         * Noncopyable
         */
        Thread(Thread const &);
        Thread &operator = (Thread const &);

  In the future, we should revisit these places and try to replace
  the pointers with references. In the presence of at least one
  reference member, the compiler would no longer implicitly generate
  a copy constructor. So we could remove the manual declaration.

Issue #465
2018-01-17 12:14:35 +01:00
Stefan Kalkowski
ea46c462a4 base: make stack area base specifiable for core
When running core as the kernel inside every component, a separate
stack area for core is needed that is different from the user-land
component's one.

Ref #2091
2017-08-28 16:49:46 +02:00
Sebastian Sumpf
48134c2a0b ldso/cxx: show symbols names of undefined references
Fixes #2482
2017-08-18 10:24:48 +02:00
Stefan Kalkowski
6f8dc9054a base: setup parent upgrade mechanism eagerly
Fix #2447
2017-06-19 12:35:55 +02:00
Norman Feske
0167d5af50 Integrate core's RAM service into the PD service
Fixes #2407
2017-05-31 13:16:14 +02:00
Norman Feske
5a3a1c704b base: use 'Ram_allocator' as stack-area back end
The 'Stack_area_ram_session' is now a 'Stack_area_ram_allocator', which
simplifies the code and remove a dependency from the 'Ram_session'
interface, which we want to remove after all.

Issue #2407
2017-05-31 13:16:13 +02:00
Norman Feske
65225a94b1 core: simplify initialization
This patch removes the 'Core_parent' and 'Core_pd_session', and reduces
the 'Core_env'.
2017-05-31 13:16:12 +02:00
Norman Feske
a1df4fee44 base: restructure signal-submit initialization
This patch allows core's 'Signal_transmitter' implementation to sidestep
the 'Env::Pd' interface and thereby adhere to a stricter layering within
core. The 'Signal_transmitter' now uses - on kernels that depend on it -
a dedicated (and fairly freestanding) RPC proxy mechanism for signal
deliver, instead of channeling signals through the 'Pd_session::submit'
RPC function.
2017-05-31 13:16:12 +02:00
Norman Feske
4d442bca30 Streamline exception types
This patch reduces the number of exception types by facilitating
globally defined exceptions for common usage patterns shared by most
services. In particular, RPC functions that demand a session-resource
upgrade not longer reflect this condition via a session-specific
exception but via the 'Out_of_ram' or 'Out_of_caps' types.

Furthermore, the 'Parent::Service_denied', 'Parent::Unavailable',
'Root::Invalid_args', 'Root::Unavailable', 'Service::Invalid_args',
'Service::Unavailable', and 'Local_service::Factory::Denied' types have
been replaced by the single 'Service_denied' exception type defined in
'session/session.h'.

This consolidation eases the error handling (there are fewer exceptions
to handle), alleviates the need to convert exceptions along the
session-creation call chain, and avoids possible aliasing problems
(catching the wrong type with the same name but living in a different
scope).
2017-05-31 13:16:07 +02:00
Norman Feske
1f4f119b1e Capability quota accounting and trading
This patch mirrors the accounting and trading scheme that Genode employs
for physical memory to the accounting of capability allocations.

Capability quotas must now be explicitly assigned to subsystems by
specifying a 'caps=<amount>' attribute to init's start nodes.
Analogously to RAM quotas, cap quotas can be traded between clients and
servers as part of the session protocol. The capability budget of each
component is maintained by the component's corresponding PD session at
core.

At the current stage, the accounting is applied to RPC capabilities,
signal-context capabilities, and dataspace capabilities. Capabilities
that are dynamically allocated via core's CPU and TRACE service are not
yet covered. Also, the capabilities allocated by resource multiplexers
outside of core (like nitpicker) must be accounted by the respective
servers, which is not covered yet.

If a component runs out of capabilities, core's PD service prints a
warning to the log. To observe the consumption of capabilities per
component in detail, the PD service is equipped with a diagnostic
mode, which can be enabled via the 'diag' attribute in the target
node of init's routing rules. E.g., the following route enables the
diagnostic mode for the PD session of the "timer" component:

  <default-route>
    <service name="PD" unscoped_label="timer">
      <parent diag="yes"/>
    </service>
    ...
  </default-route>

For subsystems based on a sub-init instance, init can be configured
to report the capability-quota information of its subsystems by
adding the attribute 'child_caps="yes"' to init's '<report>'
config node. Init's own capability quota can be reported by adding
the attribute 'init_caps="yes"'.

Fixes #2398
2017-05-31 13:16:06 +02:00
Norman Feske
e44f65f3b2 core: RAM service based on 'Session_object'
This patch reworks the implementation of core's RAM service to make use
of the 'Session_object' and to remove the distinction between the
"metadata" quota and the managed RAM quota. With the new implementation,
the session implicitly allocates its metadata from its own account. So
there is not need to handle 'Out_of_metadata' and 'Quota_exceeded' via
different exceptions. Instead, the new version solely uses the
'Out_of_ram' exception.

Furthermore, the 'Allocator::Out_of_memory' exception has become an alias
for 'Out_of_ram', which simplifies the error handling.

Issue #2398
2017-05-31 13:16:06 +02:00