Commit Graph

347 Commits

Author SHA1 Message Date
Norman Feske
adb26b5216 API documentation refinements 2017-05-31 13:16:21 +02:00
Norman Feske
53253ba422 base: add reinit functionality to 'Env'
The 'reinit' and 'reinit_main_thread' methods are needed to implement
fork in Noux. Until now, they were provided by the 'Deprecated_env'
only.
2017-05-31 13:16:14 +02:00
Norman Feske
0167d5af50 Integrate core's RAM service into the PD service
Fixes #2407
2017-05-31 13:16:14 +02:00
Norman Feske
a1df4fee44 base: restructure signal-submit initialization
This patch allows core's 'Signal_transmitter' implementation to sidestep
the 'Env::Pd' interface and thereby adhere to a stricter layering within
core. The 'Signal_transmitter' now uses - on kernels that depend on it -
a dedicated (and fairly freestanding) RPC proxy mechanism for signal
deliver, instead of channeling signals through the 'Pd_session::submit'
RPC function.
2017-05-31 13:16:12 +02:00
Norman Feske
2c6729768d base: consider exception during child construction
This patch make sure that a once managed parent RPC object will always be
dissolved if an exception during the remaining child construction
occurs. The original version would miss the dissolve call if one of the
subsequent members throws an exception at construction time.
2017-05-31 13:16:10 +02:00
Norman Feske
433fc6a7f1 base: let 'Local_service' catch all exceptions
This patch eases the debugging of situations where a session-object
constructor wrongly throws an exception type not specified in the
'Local_service::Factory' interface.
2017-05-31 13:16:07 +02:00
Norman Feske
4d442bca30 Streamline exception types
This patch reduces the number of exception types by facilitating
globally defined exceptions for common usage patterns shared by most
services. In particular, RPC functions that demand a session-resource
upgrade not longer reflect this condition via a session-specific
exception but via the 'Out_of_ram' or 'Out_of_caps' types.

Furthermore, the 'Parent::Service_denied', 'Parent::Unavailable',
'Root::Invalid_args', 'Root::Unavailable', 'Service::Invalid_args',
'Service::Unavailable', and 'Local_service::Factory::Denied' types have
been replaced by the single 'Service_denied' exception type defined in
'session/session.h'.

This consolidation eases the error handling (there are fewer exceptions
to handle), alleviates the need to convert exceptions along the
session-creation call chain, and avoids possible aliasing problems
(catching the wrong type with the same name but living in a different
scope).
2017-05-31 13:16:07 +02:00
Norman Feske
1f4f119b1e Capability quota accounting and trading
This patch mirrors the accounting and trading scheme that Genode employs
for physical memory to the accounting of capability allocations.

Capability quotas must now be explicitly assigned to subsystems by
specifying a 'caps=<amount>' attribute to init's start nodes.
Analogously to RAM quotas, cap quotas can be traded between clients and
servers as part of the session protocol. The capability budget of each
component is maintained by the component's corresponding PD session at
core.

At the current stage, the accounting is applied to RPC capabilities,
signal-context capabilities, and dataspace capabilities. Capabilities
that are dynamically allocated via core's CPU and TRACE service are not
yet covered. Also, the capabilities allocated by resource multiplexers
outside of core (like nitpicker) must be accounted by the respective
servers, which is not covered yet.

If a component runs out of capabilities, core's PD service prints a
warning to the log. To observe the consumption of capabilities per
component in detail, the PD service is equipped with a diagnostic
mode, which can be enabled via the 'diag' attribute in the target
node of init's routing rules. E.g., the following route enables the
diagnostic mode for the PD session of the "timer" component:

  <default-route>
    <service name="PD" unscoped_label="timer">
      <parent diag="yes"/>
    </service>
    ...
  </default-route>

For subsystems based on a sub-init instance, init can be configured
to report the capability-quota information of its subsystems by
adding the attribute 'child_caps="yes"' to init's '<report>'
config node. Init's own capability quota can be reported by adding
the attribute 'init_caps="yes"'.

Fixes #2398
2017-05-31 13:16:06 +02:00
Norman Feske
e44f65f3b2 core: RAM service based on 'Session_object'
This patch reworks the implementation of core's RAM service to make use
of the 'Session_object' and to remove the distinction between the
"metadata" quota and the managed RAM quota. With the new implementation,
the session implicitly allocates its metadata from its own account. So
there is not need to handle 'Out_of_metadata' and 'Quota_exceeded' via
different exceptions. Instead, the new version solely uses the
'Out_of_ram' exception.

Furthermore, the 'Allocator::Out_of_memory' exception has become an alias
for 'Out_of_ram', which simplifies the error handling.

Issue #2398
2017-05-31 13:16:06 +02:00
Norman Feske
028e633af4 base: add 'Session_object' class
The 'Session_object' unifies several aspects of server-component
implementations:

* It keeps track of session quotas and is equipped with standardized
  interfaces (Quota_guard) to upgrade (and in the future potentially
  downgrade) session quotas in a uniform way.

* It follows the pattern of modern RPC objects / signal handlers that
  manage/dissolve themselves at the entrypoint given as constructor
  argument. Thereby, the relationship with its entrypoint is always
  coupled with the lifetime of the session-component object.

* It stores the session label, which was previously done manually by
  most but not all server-component implementations.

* It stores the session 'diag' flag.

* It is equipped with output methods 'diag', 'error', and 'warning'.
  All messages printed from the context of a session component is
  automatically prefixed with the session type and client label.
  Messages passed via 'diag' are only printed if the 'diag' flag of
  the session is set.

Issue #2398
2017-05-31 13:16:06 +02:00
Norman Feske
aea5d03691 base: add Child_policy::Route::Diag flag
The 'diag' flag can be defined by a target node of a route in init's
configuration. It is propagated as session argument to the server, which
may evaluate the flag to enable diagnostic output for the corresponding
session.

Issue #2398
2017-05-31 13:16:06 +02:00
Norman Feske
3670f7735d base: use 'Quota_transfer::Account' for 'Service'
This patch makes use of the new 'Quota_transfer::Account' by the service
types in base/service.h and uses 'Quota_transfer' objects in
base/child.cc and init/server.cc.

Furthermore, it decouples the notion of an 'Async_service' from
'Child_service'. Init's 'Routed_service' is no longer a 'Child_service'
but is based on the new 'Async_service' instead.

With this patch in place, quota transfers do no longer implicitly use
'Ram_session_client' objects. So transfers can in principle originate
from component-local 'Ram_session_component' objects, e.g., as used by
noux. Therefore, this patch removes a strumbling block for turning noux
into a single threaded component in the future.

Issue #2398
2017-05-31 13:16:06 +02:00
Norman Feske
f69937deb1 base: new base/quota_transfer.h helper
The 'Quota_transfer' helper facilitated the implementation of quota
transfers between components in a transactional manner. It is designated
for framework-internal use (replacing the 'Transfer' class in child.h).
However, since it is also useful for init, we make it publicly
available.

The 'Quota_transfer::Account' class serves as an interface representing
the donor or receiver of quotas (parent, service, client).

Issue #2398
2017-05-31 13:16:05 +02:00
Norman Feske
f02c8328db init: access Ram_session as const
This is now possible because the new 'used_ram' and 'ram_quota' RPC
functions are declared as const.

Issue #2398
2017-05-31 13:16:05 +02:00
Norman Feske
6609aafb05 Replace Quota_exceeded by Insufficient_ram_quota
This patch replaces the 'Parent::Quota_exceeded',
'Service::Quota_exceeded', and 'Root::Quota_exceeded' exceptions
by the single 'Insufficient_ram_quota' exception type.

Furthermore, the 'Parent' interface distinguished now between
'Out_of_ram' (the child's RAM is exhausted) from
'Insufficient_ram_quota' (the child's RAM donation does not suffice to
establish the session).

This eliminates ambiguities and removes the need to convert exception
types along the path of the session creation.

Issue #2398
2017-05-31 13:16:05 +02:00
Norman Feske
eea493a8ca base: safeguard entrypoint against double manage
This patch adds sanity checks to the RPC entrypoint that detect attempts
to manage or dissolve the same RPC object twice. This is not always a
bug. I.e., if RPC objects are implemented in the modern way where the
object manages/dissolves itself. As the generic framework code (in
particular root/component.h) cannot rely on this pattern, it has to
call manage/dissolve for session objects anyway. For modern session
objects, this double attempt would result in a serious error (double
insertion into the object pool's AVL tree).

Issue #2398
2017-05-31 13:16:05 +02:00
Norman Feske
843dd179d7 base: remove int return types from 'Ram_session'
This patch replaces the existing C-style error codes with C++
exceptions.

Fixes #895
2017-05-31 13:16:04 +02:00
Norman Feske
58f44d39c5 base: use 'Ram_quota' in 'Ram_session' args
This patch replaces the former use of size_t with the use of the
'Ram_quota' type to improve type safety (in particular to avoid
accidentally mixing up RAM quotas with cap quotas).

Issue #2398
2017-05-31 13:16:04 +02:00
Norman Feske
ff68d77c7d base: new 'Ram_allocator' interface
The 'Ram_allocator' interface contains the subset of the RAM session
interface that is needed to satisfy the needs of the 'Heap' and
'Sliced_heap'. Its small size makes it ideal for intercepting memory
allocations as done by the new 'Constrained_ram_allocator' wrapper
class, which is meant to replace the existing 'base/allocator_guard.h'
and 'os/ram_session_guard.h'.

Issue #2398
2017-05-31 13:16:04 +02:00
Norman Feske
5a468919bb base: new session-creation helper types
This patch augments the existing session/session.h with useful types for
the session creation:

* The new 'Insufficient_ram_quota' and 'Insufficient_cap_quota'
  exceptions are meant to supersede the old 'Quota_exceeded' exception
  of the 'Parent' and 'Root' interfaces.

* The 'Session::Resources' struct subsumes the information about the
  session quota provided by the client.

* The boolean 'Session::Diag' type will allow sessions to operate in a
  diagnostic mode.

* The existing 'Session_label' is not also available under the alias
  'Session::Label'.

* A few helper functions ease the extraction of typed session arguments
  from the session-argument string.

Issue #2398
2017-05-31 13:16:04 +02:00
Norman Feske
220890534a base: 'Quota_guard' utility for tracking quotas
* Introduces 'Cap_quota' and 'Ram_quota' types
* Introduces 'Out_of_caps' and 'Out_of_ram' exceptions

Issue #2398
2017-05-31 13:16:04 +02:00
Norman Feske
c1b981ede4 Annotate session interfaces with CAP_QUOTA
The new 'CAP_QUOTA' enum value denotes the capability quota to be
transferred from the client to the server at session-creation time.

Issue #2398
2017-05-31 13:16:04 +02:00
Norman Feske
5b1e3466be base: construct 'Tslab' with allocator reference
The new constructor avoids the use of a pointer.
2017-05-31 13:16:03 +02:00
Norman Feske
f5bdab4518 base: add Slab::avail_entries accessor
This accessor is useful to eagerly expand the slab with new slab blocks,
side stepping the slab's built-in policy for the allocation of new slab
blocks.

This is particularly important when using the slab for allocating the
cap space meta-data for the base-hw kernel. To guarantee that the slab
gets never exhausted in the kernel, it is expanded before entering the
kernel.
2017-05-31 13:16:03 +02:00
Stefan Kalkowski
6106e64aac base: remove include/spec/* other than ISA
This commit moves the headers residing in `repos/base/include/spec/*/drivers`
to `repos/base/include/drivers/defs` or repos/base/include/drivers/uart`
respectively. The first one contains definitions about board-specific MMIO
iand RAM addresses, or IRQ lines. While the latter contains device driver
code for UART devices. Those definitions are used by driver implementations
in `repos/base-hw`, `repos/os`, and `repos/dde-linux`, which now need to
include them more explicitely.

This work is a step in the direction of reducing 'SPEC' identifiers overall.

Ref #2403
2017-05-31 13:16:01 +02:00
Christian Helmuth
1d99e7ede9 base: classify signals as I/O and application level
Fixes #2363
2017-05-31 13:15:58 +02:00
Stefan Kalkowski
67ba7b89a7 hw: separate bootstrap and core strictly
* Introduce Hw namespace and library files under src/lib/hw
* Introduce Bootstrap namespace
* Move all initialization logic into Bootstrap namespace

Ref #2388
2017-05-31 13:15:52 +02:00
Christian Prochaska
742293ab87 Genode::Fifo_element: workaround for compiling with GCC 6
Issue #2383
2017-05-31 13:15:51 +02:00
Christian Prochaska
bf83c07923 Genode::retry(): fix compile error with GCC 6
Fixes #2376
2017-05-31 13:15:50 +02:00
Christian Prochaska
78a9cbf82d Trace::Logger: workaround for compiling with GCC 6
Issue #2375
2017-05-31 13:15:50 +02:00
Edgard Schmidt
e933c7b4d8 Cleanup Call_return encapsulation in call()
~emove the second Call_return encapsulation from the already
encapsulated return type of Capability::call.

Fixes #2180
2017-05-02 15:28:52 +02:00
Christian Helmuth
b35df4578b Check Registered base class provides virtual destructor
The base class of Registered must provide a virtual destructor to enable
safe deletion with just a base class pointer. This requirement can be
lifted by using Registered_no_delete in places where the deletion
property is not needed.

Fixes #2331
2017-03-24 16:20:04 +01:00
Christian Helmuth
cb43e04691 ldso: defer execution of static constructors
Ldso now does not automatically execute static constructors of the
binary and shared libraries the binary depends on. If static
construction is required (e.g., if a shared library with constructor is
used or a compilation unit contains global statics) the component needs
to execute the constructors explicitly in Component::construct() via
Genode::Env::exec_static_constructors().

In the case of libc components this is done by the libc startup code
(i.e., the Component::construct() implementation in the libc).

The loading of shared objects at runtime is not affected by this change
and constructors of those objects are executed immediately.

Fixes #2332
2017-03-24 16:20:04 +01:00
Norman Feske
d56374e4b9 base: handle 0 in Number_of_bytes::print
This patch avoids printing the number 0 as "0G".
2017-03-24 16:19:58 +01:00
Norman Feske
0202048eb6 base: gracefully handle invalid env session routes
This patch addresses the corner cases where an environment session
could not be routed, i.e., if an environment LOG log session is
routed to a non-existing child.
2017-03-24 16:19:56 +01:00
Norman Feske
48174ab974 base: pass separate label to Local_connection
This patch extends the constructor of 'Local_connection' with an
optional 'label' argument, which was previously passed implicitly as
part of the 'args' argument. Keeping the label separate from 'args'
enables us to distinguish the client-specified label from a label that
resulted from a server-side label as it is used when rewriting a label
of an environment session (i.e., the binary name) in init's routing
policy. In principle, this patch eliminates the need for init's
explicite handling of the binary name via the '<binary>' node, or
at least allows us to simplity the binary-node handling.
2017-03-24 16:19:55 +01:00
Alexander Boettcher
391339a4bb base: handle race in Genode::Registry class
The race may happen when element objects get destructed by another thread then
the thread handling the for_each loop. In this case it may happen that the
object is already destructed (left the ~Element destructor) but the thread
handling the loop touches the invalid memory afterwards (the Element lock).

detected during issue #2299

Fixes #2320
2017-03-15 12:32:28 +01:00
Martin Stein
0bb752674f panda: fix timer speed
Previously we had configured the timer for the Panda ES with 700 MHz
CPU clock. But the Panda A6 that we use as reference now runs with
800 MHz.

Fixes #2308
2017-03-15 12:32:24 +01:00
Martin Stein
e744c76bf2 mmio: make base address member private
Ref #2196
2017-03-15 12:32:24 +01:00
Martin Stein
ecbb7534b9 register set: make noncopyable
If a register set gets copied, the '_plain_access' of the copy references
the plain access object of the original object.

Ref #2196
2017-03-15 12:32:23 +01:00
Martin Stein
442c24420d mmio: separate MMIO access and register logic
By separating the plain MMIO access implementation from the generic bit
and offset logic of registers, we can now use the latter also with other
types of register access like I2C. The register and MMIO front-ends have
not changed due to the separation.

Ref #2196
2017-03-15 12:24:42 +01:00
Martin Stein
daaddbd584 base*, os: get rid of all env() calls
Issue #1987
2017-02-28 13:00:42 +01:00
Martin Stein
56cafb3b57 hw: fix race in signal dispatching
There was a race when the component entrypoint wanted to do
'wait_and_dispatch_one_signal'. In this function it raises a flag for
the signal proxy thread to notice that the entrypoint also wants to
block for signals. When the flag is set and the signal proxy wakes up
with a new signal, it tried to cancel the blocking of the entrypoint.
However, if the entrypoint had not reached the signal blocking at this
point, the cancel blocking failed without a solution. Now, the new
Kernel::cancel_next_signal_blocking call solves the problem by storing a
request to cancel the next signal blocking of a thread immediately
without blocking itself.

Ref #2284
2017-02-28 13:00:41 +01:00
Norman Feske
29b8d609c9 Adjust file headers to refer to the AGPLv3 2017-02-28 12:59:29 +01:00
Norman Feske
fcb861689a base: support for re-validating session routes
This patch supplements 'Session_state' with the methods needed to test
the validity of a session with a changed routing policy.
2017-02-28 12:59:26 +01:00
Sebastian Sumpf
553a4222f4 base: entrypoint dissolve signal proxy
If not dissolved in ~Entrypoint, the signal proxy is found within NOVA's
and FOC's object pool upon Rpc_entrypoint destruction. This leads to a
deadlock because the signal proxy is destructed before the RPC EP.

issue #2284
2017-02-28 12:59:24 +01:00
Norman Feske
dfc4c58782 root/component.h: POLICY::release on exception
This patch ensures that the POLICY::release is called whenever the
session creation aborted with an exception. In the original version, an
exception like 'Quota_exceeded' caused a single-session root interface
to deny subsequent session requests.
2017-02-28 12:59:24 +01:00
Norman Feske
7d9f68493a base: support for multi-staged child startup
This patch enhances the 'Child' and 'Child_policy' with the ability to
separate the different steps of bootstrapping children. If the
'Child_policy::initiate_env_sessions()' returns false, the child's
environment sessions remain unrouted at construction time. This way,
child objects for many children can be initialized to a state that
allows the children to represent services for other children. Therefore,
session routing can be applied before any child executes.

At this stage, the environment RAM sessions of all children can be
created. Note that this step still has the limitation that RAM sessions
are generally expected to be provided by either the parent or a local
service.

Once all children are equipped with RAM, they can in principle receive
session-quota donations. Hence, all other environment sessions can now
be arbitrarily routed and initiated.

Once the environment of a child is complete, the child's process and
initial thread is created.
2017-02-28 12:59:23 +01:00
Norman Feske
9cba459958 base: remove Child::heap
This patch improves the accounting for the backing store of
session-state meta data. Originally, the session state used to be
allocated by a child-local heap partition fed from the child's RAM
session. However, whereas this approach was somehow practical from a
runtime's (parent's) point of view, the child component could not count
on the quota in its own RAM session. I.e., if the Child::heap grew at
the parent side, the child's RAM session would magically diminish. This
caused two problems. First, it violates assumptions of components like
init that carefully manage their RAM resources (and giving most of them
away their children). Second, if a child transfers most of its RAM
session quota to another RAM session (like init does), the child's RAM
session may actually not allow the parent's heap to grow, which is a
very difficult error condition to deal with.

In the new version, there is no Child::heap anymore. Instead, session
states are allocated from the runtime's RAM session. In order to let
children pay for these costs, the parent withdraws the local session
costs from the session quota donated from the child when the child
initiates a new session. Hence, in principle, all components on the
route of the session request take a small bite from the session quota to
pay for their local book keeping

Consequently, the session quota that ends up at the server may become
depleted more or less, depending on the route. In the case where the
remaining quota is insufficient for the server, the server responds with
'QUOTA_EXCEEDED'. Since this behavior must generally be expected, this
patch equips the client-side 'Env::session' implementation with the
ability to re-issue session requests with successively growing quota
donations.

For several of core's services (ROM, IO_MEM, IRQ), the default session
quota has now increased by 2 KiB, which should suffice for session
requests to up to 3 hops as is the common case for most run scripts. For
longer routes, the retry mechanism as described above comes into effect.
For the time being, we give a warning whenever the server-side quota
check triggers the retry mechanism. The warning may eventually be
removed at a later stage.
2017-02-28 12:59:23 +01:00
Norman Feske
9d683a56a0 base: add Child_policy::session_state_changed()
This method is a hook to enable a runtime to respond to state changes.
In particular, in init this hook is used to trigger the generation of a
new state report, if configured.

Furthermore, the patch introduces the 'generate_client_side_info' and
'generate_server_side_info' methods to the 'Session_state', which
generates an XML representation of the session states to appear in
reports produced by init.

Issue #2246
2017-02-28 12:59:22 +01:00
Norman Feske
bfdadc55b2 base: Add Number_of_bytes::print method
This method attempts to print the number with a K/M/G unit if possible
and thereby increases the human readability of generated output.
2017-02-28 12:59:20 +01:00
Norman Feske
c0af463b81 base: Add Child_policy::Route
The new return value of 'resolve_session_request' allows the child
policy to define the label used as the policy selector at the server.

Because this patch introduces the distinction of the child-provided
label from the label as presented to the server along with the session
request, the latter is now handled as a dedicated 'Session_state'
argument.

Issue #2248
2017-02-28 12:59:20 +01:00
Sebastian Sumpf
b66716d278 base: entrypoint 'wait_and_dispatch_one_signal'
There existed a race when 'wait_and_dispatch_one_signal' is called form
a RPC context, because the 'signal_proxy' or 'main' will block and the
signal semaphore, when the EP then calls 'wait_and_dispatch_one_signal',
the signal proxy is woken up ands sends an RPC to the EP, leading to a
dead lock if no further signal arrive, because the EP will then remain
blocked in the signal semaphore.

Therefore, for this case, the signal proxy will now perform a semaphore
up operation and does not perform an RPC if the EP is within
'wait_and_dispatch_one_signal'.
2017-02-27 15:37:50 +01:00
Johannes Schlatow
762728fee0 base: remove superfluous line feeds in print_lines
Fixes #2279
2017-02-23 15:03:29 +01:00
Christian Helmuth
6e5f3d432e Post signal-handler hook in entrypoint
A Signal_handler may schedule a hook function that is executed after the
signal handler returned. This can be used if the hook function may
trigger a (nested) signal handler by means of
wait_and_dispatch_one_signal(). Otherwise, an occurrence of the same
signal that triggered the original signal handler results in a dead lock
just before calling the nested handler (due to the Signal_context
destruction lock).
2017-02-23 14:54:51 +01:00
Stefan Kalkowski
cf943dac65 hw: bootstrap into kernel
Put the initialization of the cpu cores, setup of page-tables, enabling of
MMU and caches into a separate component that is only used to bootstrap
the kernel resp. core.

Ref #2092
2017-02-23 14:54:42 +01:00
Stefan Kalkowski
a97e92c7ec base: make Allocator_avl::_avl_tree accessable
This hook allows the export of the allocator's state by a derrived
class. I.e., the final state of the allocator used for bootstrapping
core.

Ref #2092
2017-02-07 19:20:30 +01:00
Stefan Kalkowski
7c8281f2d6 util: turn max, min, and abs into const_expr
Ref #2092
2017-02-07 19:20:29 +01:00
Emery Hemingway
92978933c7 root/component: log error on Out_of_memory
Servers should account and handle this condition locally.
2017-02-07 11:12:24 +01:00
Norman Feske
aa29ebe751 base/shared_object.h: add missing includes 2017-02-07 11:12:23 +01:00
Christian Helmuth
ce3d10465e Mark warnings from the signal dispatcher as such 2017-01-31 14:58:36 +01:00
Christian Helmuth
7386c4e1d1 More robust handling of suspend in entrypoint
First, calls to manage and dissolve signal contexts now check if the
signal receiver was constructed. There is a small window during suspend
where it is destructed before reconstructed again.

Last, we ensure that processing of incoming signal was deblocked by the
suspend signal before entering the suspend operation. This way we ensure
already queued signal are handled.
2017-01-31 14:58:36 +01:00
Alexander Boettcher
dd5592cc50 Fix String(Hex()) usage
- additional add test casye to log.run

Fixes #2265
2017-01-31 12:02:21 +01:00
Norman Feske
cd3a5852d6 Warn about the use of deprecated headers
This commit enables compile-time warnings displayed whenever a deprecated
API header is included, and adjusts the existing #include directives
accordingly.

Issue #1987
2017-01-31 12:01:18 +01:00
Stefan Kalkowski
c76c199f8d hw: enable SMP for Wandboard (fix #2253) 2017-01-31 12:01:16 +01:00
Norman Feske
e43da51bd6 base: handle dangling env sessions in ~Child
This commit addresses the situation where an environment session
outlives the session-providing service. In this case, the env session
got already invaidated at the destruction time of the server. However,
the underlying session-state structure continues to exist until the
client is destructed. During the eventual destruction of such a dangling
environment session, we have to be careful not to interact with the
no-longer existing service.

Ref #2197
2017-01-20 16:47:01 +01:00
Christian Prochaska
ec5dbe66db trace_fs: API transition (fix 'deprecated' warnings)
Issue #1987
2017-01-20 16:46:58 +01:00
Norman Feske
a7f40b24ca Warn about the use of deprecated env() function
This patch enables warnings if one of the deprecate functions that rely
in the implicit use of the global Genode::env() accessor are called.

For the time being, some places within the base framework continue
to rely on the global function while omitting the warning by calling
'env_deprecated' instead of 'env'.

Issue #1987
2017-01-13 13:07:13 +01:00
Norman Feske
73837ef56a init: print error for denied environment sessions
Fixes #2214
2017-01-13 13:07:08 +01:00
Martin Stein
613f4171f3 sd_card: i.MX6 support
The i.MX6 driver shares most of its code with the i.MX53 driver.

Ref #2206
2017-01-13 13:07:06 +01:00
Norman Feske
0d295f75a1 base: apply routing policy to environment sessions
This patch changes the child-construction procedure to allow the routing
of environment sessions to arbitrary servers, not only to the parent.
In particular, it restores the ability to route the LOG session of the
child to a LOG service provided by a child of init. In principle, it
becomes possible to also route the immediate child's PD, CPU, and RAM
environment sessions in arbitrary ways, which simplifies scenarios that
intercept those sessions, e.g., the CPU sampler.

Note that the latter ability should be used with great caution because
init needs to interact with these sessions to create/destruct the child.
Normally, the sessions are provided by the parent. So init is safe at
all times. If they are routed to a child however, init will naturally
become dependent on this particular child. For the LOG session, this is
actually not a problem because even though the parent creates the LOG
session as part of the child's environment, it never interacts with the
session directly.

Fixes #2197
2016-12-23 16:52:08 +01:00
Norman Feske
25a7ea3d40 base: rename 'Volatile_object' to 'Reconstructible'
Fixes #2151
2016-12-01 17:46:50 +01:00
Edgard Schmidt
f97e0f3fa0 Allow RPC arguments w/o default constructor
Fixes #2150
2016-11-30 13:38:03 +01:00
Norman Feske
5a1cef6381 Make label prefixing more strict
This patch unconditionally applies the labeling of sessions and thereby
removes the most common use case of 'Child_policy::filter_session_args'.
Furthermore, the patch removes an ambiguity of the session labels of
sessions created by the parent of behalf of its child, e.g., the PD
session created as part of 'Child' now has the label "<child-name>"
whereas an unlabeled PD-session request originating from the child
has the label "<child-name> -> ". This way, the routing-policy of
'Child_policy::resolve_session_request' can differentiate both cases.

As a consequence, the stricter labeling must now be considered wherever
a precise label was specified as a key for a session route or a server-
side policy selection. The simplest way to adapt those cases is to use a
'label_prefix' instead of the 'label' attribute. Alternatively, the
'label' attribute may used by appending " -> " (note the whitespace).

Fixes #2171
2016-11-30 13:37:07 +01:00
Alexander Boettcher
33b40ec5d9 base: free memory of object throwing exception
in constructor.

Extend test case to verify it and run it by autopilot.
2016-11-30 13:37:05 +01:00
Martin Stein
288c2c50ba base: throw exception on cap-ref-count overflow
Ref #2120
2016-11-30 13:37:04 +01:00
Norman Feske
cfdbccc5c2 Remove blocking calls from root and parent RPCs
This is a redesign of the root and parent interfaces to eliminate
blocking RPC calls.

- New session representation at the parent (base/session_state.h)
- base-internal root proxy mechanism as migration path
- Redesign of base/service.h
- Removes ancient 'Connection::KEEP_OPEN' feature
- Interface change of 'Child', 'Child_policy', 'Slave', 'Slave_policy'
- New 'Slave::Connection'
- Changed child-construction procedure to be compatible with the
  non-blocking parent interface and to be easier to use
- The child's initial LOG session, its binary ROM session, and the
  linker ROM session have become part of the child's envirenment.
- Session upgrading must now be performed via 'env.upgrade' instead
  of performing a sole RPC call the parent. To make RAM upgrades
  easier, the 'Connection' provides a new 'upgrade_ram' method.

Issue #2120
2016-11-25 16:06:42 +01:00
Norman Feske
baf61df0fd base: new 'Registry' data structure
This data structure is meant as a safe alternative for a list wherever
the list is solely used to remember objects and iterate through them in
an unspecified order. One use case is the 'Service_registry'.
2016-11-25 15:30:58 +01:00
Norman Feske
513a3f1d37 base: new 'Id_space' data structure
This data structure allows the association of objects with IDs. IDs are
kept in an AVL tree. So in contrast to a bit allocator, the ID space can be
sparsely populated and does not need to be dimensioned. The lifetime of
an ID is bound to an 'Element' object, which relieves the programmer
from manually allocating/deallocating IDs for objects.

Issue #2120
2016-11-25 15:30:58 +01:00
Norman Feske
82107bef9b base: buffer session args in 'Connection'
This patch is a preparation of the forthcoming async parent interface.
Note that this patch increases the size of connection objects.
Furthermore it adds a diagnostic message whenever a connection fails.

Issue #2166
2016-11-25 15:27:28 +01:00
Norman Feske
ac1794ed7d base: add const operator * to 'Volatile_object' 2016-11-25 15:27:27 +01:00
Norman Feske
0e0f830a14 base: make Volatile_object noncopyable
Unfortunately, the volatile object does not inherit the noncopyable
attribute of the enclosed object. By making all volatile objects
noncopyable, we prevent the accidental copying of a noncopyable object
wrapped in a volatile object.
2016-11-25 15:27:27 +01:00
Norman Feske
b8e98f2355 base: forward args in Output::print
The original version copied the arguments, which does not work for the
output of complex types, in particular non-copyable objects.
2016-11-25 15:27:27 +01:00
Norman Feske
35fa67768f base: add 'Volatile_object::print' method
The method prints the message "<unconstructed>" if the object is not
available. Otherwise, it prints the encapsulated object.
2016-11-25 15:27:26 +01:00
Stefan Kalkowski
e1ec39e476 base: replace dump utilities in Allocator_avl
Replace 'dump()' debug utilities within Allocator_avl with Output::print
equivalents, and use the new Avl_tree::for_each utility to simplify
the implementation.

Ref #2159
2016-11-08 15:44:55 +01:00
Stefan Kalkowski
1542d92165 base: iterator for AVL tree (fix #2159) 2016-11-08 15:43:53 +01:00
Norman Feske
f577c451ef increase stack size of signal-proxy thread
This fixes the warning "small stack of 3996 bytes [...] may break Linux
signal handling" on 32-bit base-linux.
2016-11-08 15:26:33 +01:00
Norman Feske
784e728727 Clean ldso from using deprecated APIs
Issue #1987
2016-11-08 15:26:32 +01:00
Norman Feske
20faa8b84e base: 'String' constructor overload for literals
This overload covers the common case for initializing a string from a
literal without employing the 'Output' mechanism. This way, such
strings can by constructed without calling virtual functions, which in
turn makes the 'String' usable for the 'init_rtld' phase of the dynamic
linker.
2016-11-08 15:26:31 +01:00
Norman Feske
afed9cfd95 base: let string accept multiple arguments
Issue #2064
2016-11-08 15:26:30 +01:00
Norman Feske
9572ff9413 base: remove original PDBG from base/printf.h
This macro is superseded by base/debug.h.

Issue #2125
2016-11-08 15:26:27 +01:00
Emery Hemingway
ef5f36bf4e Redefine PDBG to use new log output function
PDBG is redefined in base/debug.h, an aide to development which is not
to be included in release code.

Fix #2125
2016-10-21 12:45:44 +02:00
Stefan Kalkowski
2a2e5c2df4 base-*: remove usage of printf
base generic code:
  * Remove unused verbosity code from mmio framework
  * Remove escape sequence end heuristic from LOG
  * replace Core_console with Core_log (no format specifiers)
  * move test/printf to test/log
  * remove `printf()` tests from the log test
  * check for exact match of the log test output
base-fiasco:
  * remove unused Fiasco::print_l4_threadid function
base-nova:
  * remove unused hexdump utility from core
base-hw:
  * remove unused Kernel::Thread::_print_* debug utilities
  * always print resource summary of core during startup
  * remove Kernel::Ipc_node::pd_label (not used anymore)
base*:
  * Turn `printf`,`PWRN`, etc. calls into their log equivalents

Ref #1987
Fix #2119
2016-10-21 12:39:36 +02:00
Christian Prochaska
3a1f852318 base: don't use the 'size' argument in 'Heap::free()'
The Heap reports that 'free()' does not rely on a valid 'size' argument,
so it should not use it.

Fixes #2113
2016-10-21 12:39:32 +02:00
Emery Hemingway
80558374f5 base: print support for Xml_node
Ref #1987
2016-10-21 12:39:29 +02:00
Norman Feske
e370e08e01 Define Genode::size_t as unsigned long
Fixes #2105
2016-10-21 12:39:29 +02:00
Christian Helmuth
fcf5bc9187 base: start signal-proxy thread on construction
Thanks @ssumpf for the investigation.
2016-09-09 11:48:43 +02:00
Stefan Kalkowski
e7d5b34fc5 base: String constructor for different lengths
Let the copy constructor compile for different CAPACITYs of
the String<CAPACITY> class.

Fix #2085
2016-09-09 11:48:43 +02:00
Christian Prochaska
d2e246d916 base: allow to set label in Log_connection
Fixes #2074
2016-08-29 17:29:36 +02:00
Norman Feske
17c79a9e23 base: avoid use of deprecated base/printf.h
Besides adapting the components to the use of base/log.h, the patch
cleans up a few base headers, i.e., it removes unused includes from
root/component.h, specifically base/heap.h and
ram_session/ram_session.h. Hence, components that relied on the implicit
inclusion of those headers have to manually include those headers now.

While adjusting the log messages, I repeatedly stumbled over the problem
that printing char * arguments is ambiguous. It is unclear whether to
print the argument as pointer or null-terminated string. To overcome
this problem, the patch introduces a new type 'Cstring' that allows the
caller to express that the argument should be handled as null-terminated
string. As a nice side effect, with this type in place, the optional len
argument of the 'String' class could be removed. Instead of supplying a
pair of (char const *, size_t), the constructor accepts a 'Cstring'.
This, in turn, clears the way let the 'String' constructor use the new
output mechanism to assemble a string from multiple arguments (and
thereby getting rid of snprintf within Genode in the near future).

To enforce the explicit resolution of the char * ambiguity, the 'char *'
overload of the 'print' function is marked as deleted.

Issue #1987
2016-08-29 17:27:10 +02:00