Integrate the code of the Alarm framework directly into the Timeout
framework. The former Alarm-framework methods are all private to the
corresponding classes of the Timeout framework and get prefixed with
'_alarm__'. The latter avoids name clashes and makes it easier to
simplify the code later.
Issue #2704
Switch port I/O based PCI config space access to memory-mapped IO. The
base address of the PCI configuration space is acquired by mapping the
ACPI ROM and reading the first <bdf> node. An exception is thrown if the
first <bdf> node is not for PCI domain zero or if multiple <bdf> nodes
exist. This is to reduce complexity and also because multiple PCI
domains are rare.
The PCI configuration space is accessed via I/O mem dataspace which is
created in the platform_drv root and then passed on to the PCI session,
device components and finally to the actual PCI config access instances.
The memory access code is implemented in a way to make it work with Muen
subject monitor (SM) device emulation and also general x86 targets. On
Muen, the simplified device emulation code (which works also for Linux)
always returns 0xffff in EAX to indicate a non-existing device.
Therefore, EAX is enforced in the assembly templates.
Fixes#2547
AVL trees can't be copied with the default copy constructor as the
parent pointer of the first item of both of the resulting trees would
point to the original tree. Copying an AVL node, however, generally
violates the integrity of the corresponding tree. The copy constructor
of Avl_tree is used in some places but in those places it can be
replaced easily. So, this commit deletes the copy constructor of
Avl_node_base which makes Avl_node and Avl_tree non-copyable.
Issue #2654
On platforms without nic or audio driver support, the corresponding
functions to return the correct names should return a meaningful
name instead of an empty list. Otherwise, in an erroneous run-script
that calls those functions to append names to the boot modules
the whole 'bin' directory is appended instead, which leads to big
image files or errors when linking the boot modules to core.
Previously, base/trace/buffer.h included base/thread.h which includes
base/trace/logger.h which includes base/trace/buffer.h.
Removed the base/thread.h include in base/trace/buffer.h as it is not
needed.
Issue #2654
With this patch, init responds to the exit of a child by closing all
sessions of the child. E.g., if a child is a GUI application, its
nitpicker session is closed at the time of exit, not at the time when
the start node disappears from init's configuration.
Since this change requires a modification of the 'Genode::Child' class,
it takes the chance to make the child-destruction less brutal. The
new version ensures that all threads of the destructed subsystem are
destructed before other sessions, in particular PD sessions. This
eliminates spurious page-fault warnings during the child destruction.
On Fiasco.OC, closing the CPU session of a thread while being called by
the thread causes a deadlock. Hence, we skip the eager destruction of
CPU sessions on this kernel.
Related to issue #2659
Previously, the dst_len value was not decreased after each character that was
written to the dst buffer. This way, if the content length was greater than
dst_len, decoded_content wrote to memory out of bounds.
Issue #2644
Do not leave space for a terminating '0' at the end of the dst buffer in
decoded_content as the method does not write this '0'. The caller of the
method shall take care of it instead.
Issue #2644
This patch enables the warnings -Wextra, -Weffc++, and -Werror for
compiling Genode components. It thereby helps us to detect bugs like
uninitialized member variables or missing virtual destructors at compile
time. The warning level is defined via the new 'CC_CXX_WARN_STRICT'
variable. For targets that compile 3rd-party code where this warning
level is not applicable, the variable may be explictly set to an empty
value in the corresponding build-description file.
Issue #465
The patch adjust the code of the base, base-<kernel>, and os repository.
To adapt existing components to fix violations of the best practices
suggested by "Effective C++" as reported by the -Weffc++ compiler
argument. The changes follow the patterns outlined below:
* A class with virtual functions can no longer publicly inherit base
classed without a vtable. The inherited object may either be moved
to a member variable, or inherited privately. The latter would be
used for classes that inherit 'List::Element' or 'Avl_node'. In order
to enable the 'List' and 'Avl_tree' to access the meta data, the
'List' must become a friend.
* Instead of adding a virtual destructor to abstract base classes,
we inherit the new 'Interface' class, which contains a virtual
destructor. This way, single-line abstract base classes can stay
as compact as they are now. The 'Interface' utility resides in
base/include/util/interface.h.
* With the new warnings enabled, all member variables must be explicitly
initialized. Basic types may be initialized with '='. All other types
are initialized with braces '{ ... }' or as class initializers. If
basic types and non-basic types appear in a row, it is nice to only
use the brace syntax (also for basic types) and align the braces.
* If a class contains pointers as members, it must now also provide a
copy constructor and assignment operator. In the most cases, one
would make them private, effectively disallowing the objects to be
copied. Unfortunately, this warning cannot be fixed be inheriting
our existing 'Noncopyable' class (the compiler fails to detect that
the inheriting class cannot be copied and still gives the error).
For now, we have to manually add declarations for both the copy
constructor and assignment operator as private class members. Those
declarations should be prepended with a comment like this:
/*
* Noncopyable
*/
Thread(Thread const &);
Thread &operator = (Thread const &);
In the future, we should revisit these places and try to replace
the pointers with references. In the presence of at least one
reference member, the compiler would no longer implicitly generate
a copy constructor. So we could remove the manual declaration.
Issue #465
The run tool now by default checks configurations with target-specific
XML schemata. Each component may define a config schema file in its
target.mk via the CONFIG_XSD variable. When the run tool has checked an
configuration of an init instance, it additionally goes through the
start nodes of the config. For each start node it checks whether there
is an XSD file that matches. If so, the run tool also checks the config
of the start node (if existant). This is done recursively. I.e., also
the child configs of a sub-init of a sub-init of the top-level init
receive a config check.
Issue #2600
In the past, we had the lock of the context we found for the rest of the scope
of pending_signal. Now we use for_each_locked to find the context and the
lock is released as soon as we return from for_each_locked. Thus, we need to
lock the context again before returning it to avoid that the copy constructor
during the return reads values that are currently changing.
Fixes#2532
As noted above the former enum for the local-attachment address we
discovered address clashes on current Linux installations, esp. 32-bit
runtime on 64-bit Linux. The local_attach_addr is now configurable in
the run script and the memory maps heuristics were removed.
* Instead of always re-load page-tables when a thread context is switched
only do this when another user PD's thread is the next target,
core-threads are always executed within the last PD's page-table set
* remove the concept of the mode transition
* instead map the exception vector once in bootstrap code into kernel's
memory segment
* when a new page directory is constructed for a user PD, copy over the
top-level kernel segment entries on RISCV and X86, on ARM we use a designated
page directory register for the kernel segment
* transfer the current CPU id from bootstrap to core/kernel in a register
to ease first stack address calculation
* align cpu context member of threads and vms, because of x86 constraints
regarding the stack-pointer loading
* introduce Align_at template for members with alignment constraints
* let the x86 hardware do part of the context saving in ISS, by passing
the thread context into the TSS before leaving to user-land
* use one exception vector for all ARM platforms including Arm_v6
Fix#2091
* introduce new syscall (core-only) to create privileged threads
* take the privilege level of the thread into account
when doing a context switch
* map kernel segment as accessable for privileged code only
Ref #2091
* introduces central memory map for core/kernel
* on 32-bit platforms the kernel/core starts at 0x80000000
* on 64-bit platforms the kernel/core starts at 0xffffffc000000000
* mark kernel/core mappings as global ones (tagged TLB)
* move the exception vector to begin of core's binary,
thereby bootstrap knows from where to map it appropriately
* do not map boot modules into core anymore
* constrain core's virtual heap memory area
* differentiate in between user's and core's main thread's UTCB,
which now resides inside the kernel segment
Ref #2091
In the past, a signal context, that was chosen for handling by
'Signal_receiver::pending_signal and always triggered again before
the next call of 'pending_signal', caused all other contexts behind
in the list to starve. This was the case because 'pending_signal'
always took the first pending context in its context list.
We avoid this problem now by handling pending signals in a round-robin
fashion instead.
Ref #2532
Ensure that the timer does not handle timeouts again within 1000
microseconds after the last handling of timeouts. This makes denial of
service attacks harder. This commit does not limit the rate of timeout
signals handled inside the timer but it causes the timer to do it less
often. If a client continuously installs a very small timeout at the
timer it still causes a signal to be submitted to the timer each time
and some extra CPU time to be spent in the internal handling method. But
only every 1000 microseconds this internal handling causes user timeouts
to trigger.
If we would want to limit also the call of the internal handling method
to ensure that CPU time is spent beside the RPCs only every 1000
microseconds, things would get more complex. For instance, on NOVA
Time_source::schedule_timeout(0) must be called each time a new timeout
gets installed and becomes head of the scheduling queue. We cannot
simply overwrite the already running timeout with the new one.
Ref #2490
This patch merges two similar rules, which create content at 'include'
into a single rule. This prevents a possible race condition when
creating archives in parallel.
We moved the stack-area segment 128 MiB behind text and data to comply
with assumptions in the kernel ELF loader.
This commit also reenables static binaries on linux and removes the
unused stack_area.stdlib.ld script.
Fixes#2521
In nested scenarios like driver_manager.run, the initial session quota
for IO_PORT, IO_PORT, and IRQ sessions is expectedly insufficient.
However, the condition is properly handled by re-attemping the request
with a slightly increased quota. Still, core prints a warning each time
the request is denied for quota reasons, which spams the log. This patch
removes the non-critical message.
This should actually never happen. However if it happens, be a bit robuster
and don't provide the memory for re-use (which causes tons of other trouble
afterwards).
Issue #2505
There are hardware timers whose frequency can't be expressed as
ticks-per-microsecond integer-value because only a ticks-per-millisecond
integer-value is precise enough. We don't want to use expensive
floating-point values here but nonetheless want to translate from ticks
to time with microseconds precision. Thus, we split the input in two and
translate both parts separately. This way, we can raise precision by
shifting the values to their optimal bit position. Afterwards, the results
are shifted back and merged together again.
As this algorithm is not so trivial anymore and used by at least three
timer drivers (base-hw/x86_64, base-hw/cortex_a9, timer/pit), move it to a
generic header to avoid redundancy.
Ref #2400
When building Genode on a Linux system running in a Xen Dom0, the 'xen'
run target can run a Genode scenario in a Xen DomU.
Usage: in build/x86_*/etc/build.conf, define:
RUN_OPT = --include boot_dir/$(KERNEL) --include image/iso --include power_on/xen --include log/xen --include power_off/xen
The Xen DomU runs in HVM mode and loads Genode from an ISO image. Serial
log output is printed to the console and graphical output is shown in an
SDL window.
The Xen DomU ist managed using the 'xl' command line tool and it is
possible to add configuration options in the 'xen_args' variable in a run
script. Common options are:
- disabling the graphical output:
append xen_args { sdl="0" }
- configuring a network device:
append xen_args { vif=\["model=e1000,mac=02:00:00:00:01:01,bridge=xenbr0"\] }
- configuring USB input devices:
append xen_args { usbdevice=\["mouse","keyboard"\] }
Note: the 'xl' tool requires super-user permissions and interactive
password input can be troublesome in combination with 'expect' and is not
practical for automatic tests. For this reason, the current implementation
assumes that no password input is needed when running 'sudo xl', which can
be achieved by creating a file '/etc/sudoers.d/xl' with the content
'user ALL=(root) NOPASSWD: /usr/sbin/xl'
(where 'user' is the Linux user name).
Fixes#2504
When running core as the kernel inside every component, a separate
stack area for core is needed that is different from the user-land
component's one.
Ref #2091
Acquire Signal_context objects locks via Object_pool::apply() in the
context of the entrpyoint thread, instead in the context of the calling
thread.
Fixes#2485
- Fix fatal exception handling so that stack traces are dumped
- Add 'include/nim' directories to Nim module search path
- Enable release optimizations for release builds
Fix#2493
This patch removes the assertion about the unexpected call of
'block_for_signal' within core. On Linux, this call is actually
expected because of the handling of SIGCHLD signals by core.
A boot module with size 0 previously made Core crash with a page fault in
Region_map_component::attach. This patch prevents the creation of ROM-FS
entries for such modules.
Ref #2490
For most base platforms (except linux and sel4), the initialization of
boot modules is the same. Thus, merge this default implementation in the
new unit base/src/core/platform_rom_modules.cc.
Ref #2490
In Region_map_component::attach, storing the metadata for a region may
throw an exception. Catch it and throw an Invalid_dataspace exception.
Ref #2490
This is helpful for disabling messages in etc/tools.conf by
setting it to e.g.
MSG_LINK = @true ""
This results in much shorter and less cluttered logs in automatic
builds.
- factor out Rm_client::pager lambda code into utility
Region_map_component::create_map_item
- use utility to find/lookup physical addresses to be mapped eagerly
Issue #2209
Platform_pd "_pd" uses a allocator for, which relies on the mapped RAM
dataspace within core. Unfortunately the RAM dataspaces are already freed up
during _ram_ds_factory destruction, which may lead to trouble if accessed
afterwards.
Issue #2451
This patch sets the -march complile flag in spec/arm_v7a.mk, which
enables us to build depot archives for the 'arm_v7a' architecture.
It also removes copy-pasted comments that offer no valuable insights but
contain grammar errors.
This patch decouples the error handling of the quota transfers
and the actual session creation. In the previous version, an error in
the 'initiate_request' phase would leave the local scope via an
exception without disarming the transfer guard objects. This way,
the guard destructors would attempt the returning of session quota in
addition to the explicit call of '_revert_quota_and_destroy' as done in
the error handling of the 'initiate_request' operation.
In the presence of a session-creation error in the 'initiate_request'
phase, session quota would eventually be returned twice. This patch
removes the intertwined error handling of both phases in a way that the
guards of the first phase (quota transfer) are no longer present in the
second phase (initiate_request).
This patch makes sure that the initial PD session limit (as defined by
the client-provided session quota) is preserved over the entire lifetime
of the PD session. That means, it cannot be transferred to other PD
sessions. Otherwise, it may be impossive to hand back all the static
session quota to the PD-session client at session-destruction time
because parts of the initial quota would no longer belong to the
session.
Note that the initial limit can still be used for allocations within the
PD session as those allocations are automatically reverted at
session-destruction time.
The implementations of the lock and C++ guards tests depend on
thread-execution priorities, which produces false negatives of the whole
thread test on platforms without priority support.
The recently implemented capability resource trading scheme unfortunately
broke the automated capability memory upgrade mechanism needed by base-hw
kernel/core. This commit splits the capability memory upgrade mechanism
from the PD session ram_quota upgrade, and moves that functionality
into a separate Pd_session::Native_pd interface.
Ref #2398
A dataspace capability request to a ROM service may invalidate any
previously issued dataspace. Therefor no requests should be made while a
session dataspace is mapped. Reducing calls to the session also improves
performance where servicing a ROM request has a significant cost.
Fix#2418
The 'Stack_area_ram_session' is now a 'Stack_area_ram_allocator', which
simplifies the code and remove a dependency from the 'Ram_session'
interface, which we want to remove after all.
Issue #2407
By supplying a statically allocated initial block to the slab allocator
for signal contexts, we become able to construct a 'Signal_broker' (the
back end for the PD's signalling API) without any dynamic memory
allocation. This is a precondition for using the PD as meta-data
allocator for its contained signal broker (meta data allocations must
not happen before the PD construction is complete).
Issue #2407
By separating the session-interface concerns from the mechanics of the
dataspace creation, the code becomes simpler to follow, and the RAM
session can be more easily merged with the PD session in a subsequent
step.
Issue #2407
