Commit Graph

1073 Commits

Author SHA1 Message Date
Piotr Tworek
81a49bffee base: exception specification for operator delete
Clang is rather picky about this and prints the following warning when
compiling new_delete.cc:

  error: function previously declared with an explicit exception
  specification redeclared with an implicit exception specification
  [-Werror,-Wimplicit-exception-spec-mismatch]

Issue #3938
2020-11-23 12:02:58 +01:00
Piotr Tworek
53a990579b base: Fix UAF in Genode::Pd_session_component::free
This was discovered when building the code with clang instead of GCC. In
this setup the run/ping on base-hw/arm_v8a/virt_qemu would crash
on shutdown due to uncaught Deref_unconstructed_object exception thrown
for Genode::Reconstructible<Genode::Account<Genode::Ram_quota>>. The
specific instance throwing this exception was
Pd_session_component::_ram_account. My investigation exposed the
following problem:

1. The Pd_session_component has a _sliced_heap member backed by
   _constrained_ram_alloc which in turn uses Pd_session_component itself
   as its Ram_allocator.
2. When ~Pd_session_component is called it first destroys _ram_account,
   followed by _signal_broker.
3. The signal broker holds a reference to
   Pd_session_component::_sliced_heap as Signal_broker::_md_alloc.
4. The base-hw implementation of ~Signal_broker destroys some contexts
   and does this by calling Genode::destroy on some slabs using the
   _md_alloc (ref to Pd_session_component::_sliced_heap).
5. The Genode::Slab calls the Ram_allocator::free which ends up calling
   Pd_session_component::free.
6. The Pd_session_component::free can among other things call replenish
   method on Pd_session_component::_ram_account which has already been
   freed at this point.

From my POV calling replenish at this point is basically an undefined
behavior. The Genode::Constructible holding the Genode::Account was
already detroyed at this point. GCC builds happen to somehow manage to
go through the -> operator call without raising any alarms, while clang
builds trip on the _check_constructed() call.

This fix moves the _ram_account a bit higher in class declaration to
ensure its destroyed after _sliced_heap. This seems like the simpliest
solution for this problem.

Fixes #3941
2020-11-23 12:02:58 +01:00
Stefan Kalkowski
40445d7011 base: extend vm_session API with native vcpu cap
To enable the interaction of a VMM with the kernel directly,
a hidden RPC gets introduced. It allows a kernel-specific
base-library implementation of the Vm_session::Client to request
a kernel-specific capability to address a VCPU, e.g., to
run/stop it.

Ref #3926
2020-11-23 12:02:58 +01:00
Martin Stein
89d28c8222 timeout: no volatile stackvars, better warnings 2020-11-23 12:02:57 +01:00
Christian Prochaska
798beab30e base: support process-local signal submission
Issue #3923
2020-11-23 12:02:53 +01:00
Christian Prochaska
50e0f3b977 base: don't throw exceptions in 'Signal_receiver::pending_signal()'
Issue #3922
2020-11-23 12:02:49 +01:00
Josef Söntgen
4981eb425e ld: add symbols needed by testsuite
Issue #3921
2020-10-23 14:58:01 +02:00
Josef Söntgen
de8411a5e1 cxx: add missing low-level symbols
Issue #3921
2020-10-23 14:56:36 +02:00
Christian Helmuth
5be1c793a5 depot: update recipe hashes 2020-10-23 14:16:38 +02:00
Martin Stein
64487ded7c timeout: don't warn "timestamp value too big" too often
Fixes #3657
2020-10-19 14:26:56 +02:00
Martin Stein
bff624c75a test/entrypoint: extend timeout interval
At least on some PIT-based platforms (x86_32 + pistachio/okl4/sel4), we run
into trouble with the reworked timeout framework that now proccesses all
pending timeouts before calling their handlers. This order change leads to a
higher rate of handling of short periodic timeouts in the timer driver which
can cause lower prioritized components to starve. Especially, if submitting
signals (from timer to client) isn't cheap (as is the case on qemu + pistachio
for example).

Issue #3884
2020-10-09 13:37:14 +02:00
Martin Stein
512be0a52a test/timer_rate: determine lowest accurate period 2020-10-09 13:37:10 +02:00
Christian Helmuth
91f8281618 depot: update recipe hashes 2020-10-09 13:35:57 +02:00
Sebastian Sumpf
b9bd179e54 gpio_drv: remove specs for imx53 and imx6
Also cleanup run scripts and recipes were gpio driver is not required,
update the ones were it is.

issue #3900
2020-10-09 13:35:56 +02:00
Martin Stein
7feea78991 timeout: rework timeout framework
* get rid of alarm abstraction
* get rid of Timeout::Time type
* get rid of pointer arguments
* get rid of _discard_timeout indirection
* get rid of 65th bit in stored time values
* get rid of Timeout_scheduler interface
* get rid of uninitialized deadlines
* get rid of default arguments
* get rid of Timeout::_periodic
* get rid of Timeout::Raw
* use list abstraction
* only one interface for timeout handlers
* rework locking scheme to be smp safe
* move all method definitions to CC file
* name mutexes more accurate
* fix when & how to set time-source timeout
* fix deadlocks

Fixes #3884
2020-10-09 13:35:56 +02:00
Martin Stein
9e5d479d03 timeout: test smp support
Ref #3884
2020-10-09 13:35:56 +02:00
Alexander Boettcher
e61f6cfd38 base: add thread migration test
Issue #3842
2020-10-09 13:35:55 +02:00
Martin Stein
1b41d9db90 base: remove alarm library from base
Ref #3884
2020-10-09 13:33:36 +02:00
Christian Helmuth
c59c266afc depot: update recipe hashes 2020-09-17 14:23:14 +02:00
Alexander Boettcher
f0f8d0e0ca base: add affinity to session creation request
Fixes #3838
2020-09-17 10:13:21 +02:00
Stefan Kalkowski
c1d99630c2 base: reset discarded Alarm object appropriatedly
Fix #3881
2020-09-09 16:57:34 +02:00
Alexander Boettcher
99bdfbe36f trace: don't account argument_buffer 2x
The quota for the argument buffer is already accounted by using the
Attached_ram_dataspace _argument_buffer, which uses the Constraint_ram_allocator
_ram, which uses the Ram_quota_guard from the Session_object. Running on
Sculpt with more than 1000 Subject_info objects/trace IDs the memory
waste become noticeable.
2020-09-01 16:48:29 +02:00
Christian Helmuth
c649307720 depot: update recipe hashes 2020-08-28 08:29:12 +02:00
Piotr Tworek
8d790010bf Xml_generator: Remove unused member variable
This triggers a warning when building the code with clang.

Fixes #3868
2020-08-28 08:28:13 +02:00
Norman Feske
7d0cb9620b depot: update recipe hashes 2020-08-25 11:50:41 +02:00
Stefan Kalkowski
5f5ad41ad3 hw: unify irq enumeration for Raspberri Pi
By now, the enumeration of peripheral interrupts on Raspberry Pi 1 was
different in between base-hw kernel and Fiasco.OC. Therefore, hacks were
needed in every driver to request the correct interrupt number dependent
on the kernel. Before reproducing the same in the platform driver for rpi,
we can more easily use the same enumeration with base-hw.

Ref #3864
2020-08-25 11:50:12 +02:00
Stefan Kalkowski
06edc0d52b base: extend PD session with managing_system call
Introduce the managing_system privilege for components like the
platform_driver to allow it to call system management functionality
that is reserved by kernel or special firmware, e.g., ARM Trusted Firmware.

The former RAM resource configuration attribute `constrain_phys`,
which enabled to constrain the region of physical RAM to be used,
gets replaced by the new, broader managing_system configuration
attribute of a `start` node. It gets enforced by the sandbox library.

Ref #3816
2020-08-25 11:50:11 +02:00
Christian Prochaska
31397d67ae base: increase linker area size
Fixes #3856
2020-08-25 11:50:11 +02:00
Norman Feske
2437d759b6 Xml_node: remove deprecated methods
Issue #3755
2020-08-25 11:50:10 +02:00
Norman Feske
852ab79359 Move atexit handling from base lib to libc
This patch untangles the interplay of the base library and the libc
during the exit handling.

- The CXA ABI for the atexit handling is now provided by the libc.
  For plain Genode components without libc dependency, __cxa_atexit
  is a no-op, which is consistent with Genode's notion of components.

- The 'abort' implementation of the base library no longer calls
  'genode_exit' but merely 'sleep_forever'. This way, the cxx library
  no longer depends on a 'genode_exit' implementation.

- The libc provides 'atexit' support by storing metadata on the
  libc kernel's heap now, thereby eliminating the former bounded
  maximum number of atexit handlers.

- Shared-library dtors are no longer called via the atexit mechanism
  by explicitly by the dynamic linker. This slightly changes the
  call order of destructors (adjustment of the ldso test). Functions
  marked as destructors are called after the atexit handlers now.

- The libc executes atexit handlers in the application context,
  which supports the I/O operations in those handles, in particular
  the closing of file descriptors.

Fixes #3851
2020-08-25 11:50:09 +02:00
Martin Stein
f3eaeb08ef ada/spark: all warnings, warn strict, style checks
* enable all common warnings through default value of CC_ADA_WARN
* treat warnings like errors through default value of CC_ADA_WARN_STRICT
* enable almost all style checks through default value of CC_ADA_WARN_STRICT
* style fixes for aes_cbc_4k
* disable strict warnings and style checks for libsparkcrypto and spark lib

Ref #3848
2020-08-25 11:50:09 +02:00
Christian Prochaska
08ef528577 stdcxx: enable thread features
Issue #2442
2020-08-25 11:49:45 +02:00
Christian Helmuth
a89d61acf2 base: call Io_progress_handler only in signal RPC
This remove the call to Io_progress_handler::handle_io_progress() from
wait_and_dispatch_one_io_signal() to prevent unexpected nesting
I/O-progress handling in case of custom dispatch loops (e.g., in libc).
The original intention of Io_progress_handler was to inform the
entrypoint just before blocking in the entrypoint loop.

Issue #2635
2020-08-25 11:49:44 +02:00
Alexander Boettcher
ed15a46ca4 base: construct child process only once
Fixes #3821
2020-08-25 11:42:36 +02:00
Alexander Boettcher
c55a499009 base: remove delayed dispatch from Rpc_entrypoint
Fixes #3833
2020-08-25 11:42:36 +02:00
Alexander Boettcher
60106ac2c8 base: avoid deadlock and page fault
Fixes #3830
2020-08-25 11:42:29 +02:00
Alexander Boettcher
41380ff769 base: remove Cancelable_lock
- base/cancelable_lock.h becomes base/lock.h
- all members become private within base/lock.h
- solely Mutex and Blockade are friends to use base/lock.h

Fixes #3819
2020-07-30 08:49:23 +02:00
Norman Feske
de795b1a6e depot: update recipe hashes 2020-07-13 11:33:53 +02:00
Alexander Boettcher
21e48a8e12 trace: extend for_each_subject_infos return value
Fixes #3811
2020-07-13 11:33:13 +02:00
Alexander Boettcher
f3efbe50bb base: remove deprecated cancel_blocking() support
for threads.

Fixes #3806
2020-07-13 11:33:12 +02:00
Christian Prochaska
62848b1a68 mk: set soname in abi libraries
Fixes #3793
2020-07-03 11:11:23 +02:00
Norman Feske
4450b37ff5 depot: update recipe hashes 2020-06-29 14:25:28 +02:00
Alexander Boettcher
309597bbda timeout fw: be robust against past _timestamp()
_timestamp() returns CPU local values which may not be in sync with _ts
taken from another CPU. Be robust and don't produce wraparound/negative
timeout values.

Issue #3657
2020-06-29 14:25:27 +02:00
Alexander Boettcher
6119e03081 grub2: avoid hardcoding boot disc
see alex-ab/g2fg#1
2020-06-29 14:22:28 +02:00
Norman Feske
48b4891f6e Rename nit_fb to gui_fb
Issue #3778
2020-06-22 09:39:40 +02:00
Christian Helmuth
6006051fb9 depot: update recipe hashes 2020-05-27 11:56:47 +02:00
Stefan Kalkowski
b915b0adc4 Annotate irq session interface with RAM_QUOTA
Ref #3299
2020-05-27 11:56:46 +02:00
Stefan Kalkowski
6e6b671a66 Annotate io_mem session interface with RAM_QUOTA
Ref #3299
2020-05-27 11:56:46 +02:00
Norman Feske
ab8ef5750d doc: tweaks for updated Genode Foundations book 2020-05-27 11:56:46 +02:00
Norman Feske
b078224753 Replace Genode::strncpy by Genode::copy_cstring
- Since Genode::strncpy is not 100% compatible with the POSIX
  strncpy function, better use a distinct name.

- Remove bogus return value from the function, easing the potential
  enforcement of mandatory return-value checks later.

Fixes #3752
2020-05-27 11:56:45 +02:00