Commit Graph

303 Commits

Author SHA1 Message Date
Norman Feske
1aba1fe8b1 heap: diagnostic message on alloc(0) 2018-08-28 17:10:53 +02:00
Norman Feske
4b46abf813 base: rm first-class support for static binaries
This patch removes the detection of statically linked executables from
the base framework. It thereby fixes the corner cases encountered with
Sculpt when obtaining the binaries of the runtime from the depot_rom
service that is hosted within the runtime.

Statically linked binaries and hybrid Linux/Genode (lx_hybrid) binaries
can still be started by relabeling the ROM-session route of "ld.lib.so"
to the binary name, pretending that the binary is the dynamic linker.
This can be achieved via init's label rewriting mechanism:

  <route>
    <service name="ROM" unscoped_label="ld.lib.so">
      <parent label="test-platform"/> </service>
  </route>

However, as this is quite cryptic and would need to be applied for all
lx_hybrid components, the patch adds a shortcut to init's configuration.
One can simply add the 'ld="no"' attribute to the <start> node of the
corresponding component:

  <start name="test-platform" ld="no"/>

Fixes #2866
2018-08-02 14:36:38 +02:00
Martin Stein
fbe9d26c47 trace: initialize trace control in Thread::start
Previously, the trace control of a thread was initialized in its
constructor (which is generic for all components). This has the
disadvantage that the CPU-session-pointer member of the thread might not
be valid at this point. And it cannot be replaced by using the
"deprecated_env" CPU session neither as constructing the deprecated
environment in causes troubles in Core. But as the trace control
shouldn't be needed in Core anyway, the initialization can be moved to
the Thread::start implementation of non-core components. This code
already takes care of the CPU session pointer.

Fixes #2901
2018-08-02 14:36:35 +02:00
Norman Feske
a3858bff3c base: handle cancelation of session creation
This patch improves the handling of the corner case where a client
vanishes while a session request is in flight (CREATE_REQUESTED but
not yet AVAILABLE). This corner case could be sporadically observed with
the init_loop test on base-linux.

In the original version, the session would eventually be delivered but
never picked up by anyone. Such a stale session still uses resources that
should better be released. In the new version, the parent checks for the
liveliness of the client whenever a session is delivered. If there is no
client of the session, a close request is immediately issued to the
server. The session state must be preserved until the close requests has
been answered.
2018-07-03 09:39:32 +02:00
Norman Feske
ddff89d43e base: close PD on 'close_all_sessions'
This patch moves the closing of a child's PD session from the 'Child'
destructor to the 'close_all_sessions' method. This way, the child's
PD quota is immediately returned as soon as init flags a child as
'abandoned', which removes jitter from init's RAM-state reports.

The patch is supposed to make the 'init_loop.run' test much happier.
2018-07-03 09:39:32 +02:00
Norman Feske
a9183da87b base: create-after-close session-request order
This patch ensures that session-create requests are handled after close
requests, which solves the corner case where one single-session server
receives a close and create request at the same time. E.g., when
expanding a partition with Sculpt, the gpt-write tool is removed and
part_blk is started (to execute resize2fs on top) in one step. Both
interact with the USB-block driver, which is a single-session server.

Fixes #2877
2018-06-29 10:44:58 +02:00
Norman Feske
578bec11ac base: fix quota reversing when clients vanish
The 'Child::_revert_quota_and_destroy' assumes to be called from the
client's context, which is normally the case when destroying sessions.
However, if a client's session outlives the client (because the
asynchronous close request to the server is still pending), the session
cleanup is performed in the context of the server. Here, the
'session_response' implementation wrongly called
'_revert_quota_and_destroy' to the effect that the session quota was
withdrawn from the server (good) but subsequently transferred back to
the server (bad). The patch replaces the call of
'_revert_quota_and_destroy' with only the first - correct - part of the
transaction.
2018-06-12 12:11:46 +02:00
Norman Feske
7b6b3a4535 base: fix destruction of async env sessions
When an environment session is provided by a async service such as a
sibling component, the session metadata must be preserved until end of
the lifetime of the session at the server has been acknowledged by the
server. Since the session meta data of env sessions are always part of
the 'Child' object, the destruction of this object must be deferred
until this point.
2018-05-30 13:36:30 +02:00
Alexander Boettcher
e6d20aba93 base: support to attach RAM dataspaces readonly
Fixes #1633
2018-05-30 13:36:27 +02:00
Christian Helmuth
cbfec0deed ldso: check ctors sections of shared-object deps
The sole existence of shared-object dependencies lead to fatal
static-constructor errors before. Now, ldso checks if the ctors section
of objects in the init list are non-empty before whining.

Issue #2759
2018-05-30 12:26:18 +02:00
Christian Helmuth
92edcb17e5 Warn on redundant call to exec_static_constructors() 2018-04-10 11:20:43 +02:00
Norman Feske
e0e9b3b32e init: close all sessions of exited children
With this patch, init responds to the exit of a child by closing all
sessions of the child. E.g., if a child is a GUI application, its
nitpicker session is closed at the time of exit, not at the time when
the start node disappears from init's configuration.

Since this change requires a modification of the 'Genode::Child' class,
it takes the chance to make the child-destruction less brutal. The
new version ensures that all threads of the destructed subsystem are
destructed before other sessions, in particular PD sessions. This
eliminates spurious page-fault warnings during the child destruction.

On Fiasco.OC, closing the CPU session of a thread while being called by
the thread causes a deadlock. Hence, we skip the eager destruction of
CPU sessions on this kernel.

Related to issue #2659
2018-02-09 13:31:27 +01:00
Norman Feske
eba9c15746 Follow practices suggested by "Effective C++"
The patch adjust the code of the base, base-<kernel>, and os repository.
To adapt existing components to fix violations of the best practices
suggested by "Effective C++" as reported by the -Weffc++ compiler
argument. The changes follow the patterns outlined below:

* A class with virtual functions can no longer publicly inherit base
  classed without a vtable. The inherited object may either be moved
  to a member variable, or inherited privately. The latter would be
  used for classes that inherit 'List::Element' or 'Avl_node'. In order
  to enable the 'List' and 'Avl_tree' to access the meta data, the
  'List' must become a friend.

* Instead of adding a virtual destructor to abstract base classes,
  we inherit the new 'Interface' class, which contains a virtual
  destructor. This way, single-line abstract base classes can stay
  as compact as they are now. The 'Interface' utility resides in
  base/include/util/interface.h.

* With the new warnings enabled, all member variables must be explicitly
  initialized. Basic types may be initialized with '='. All other types
  are initialized with braces '{ ... }' or as class initializers. If
  basic types and non-basic types appear in a row, it is nice to only
  use the brace syntax (also for basic types) and align the braces.

* If a class contains pointers as members, it must now also provide a
  copy constructor and assignment operator. In the most cases, one
  would make them private, effectively disallowing the objects to be
  copied. Unfortunately, this warning cannot be fixed be inheriting
  our existing 'Noncopyable' class (the compiler fails to detect that
  the inheriting class cannot be copied and still gives the error).
  For now, we have to manually add declarations for both the copy
  constructor and assignment operator as private class members. Those
  declarations should be prepended with a comment like this:

        /*
         * Noncopyable
         */
        Thread(Thread const &);
        Thread &operator = (Thread const &);

  In the future, we should revisit these places and try to replace
  the pointers with references. In the presence of at least one
  reference member, the compiler would no longer implicitly generate
  a copy constructor. So we could remove the manual declaration.

Issue #465
2018-01-17 12:14:35 +01:00
Alexander Boettcher
dd463d3014 base: signal ref count independent of signal count 2017-12-21 15:01:40 +01:00
Alexander Boettcher
bf74c1694d base: catch ipc error in signal proxy
actually do what the comments says ...

Issue #2584
2017-12-21 15:01:39 +01:00
Alexander Boettcher
a38ec2854a base: fix lock issue in signal context destruction
Issue #2584
2017-12-21 15:01:39 +01:00
Martin Stein
b812179e82 signal: fix race in Signal_receiver pending_signal
In the past, we had the lock of the context we found for the rest of the scope
of pending_signal. Now we use for_each_locked to find the context and the
lock is released as soon as we return from for_each_locked. Thus, we need to
lock the context again before returning it to avoid that the copy constructor
during the return reads values that are currently changing.

Fixes #2532
2017-12-21 15:01:34 +01:00
Norman Feske
44977e3519 base: increase initial stack size on x86_64 2017-11-30 11:23:12 +01:00
Martin Stein
8e80c05be7 signal: organize signal contexts as ring list
Ref #2532
2017-11-30 11:23:02 +01:00
Christian Helmuth
b1c9db8a0d libc: dispatch pending signals at selective points 2017-11-24 09:02:03 +01:00
Alexander Boettcher
e6dcdcf277 base: attach executable memory as such
- tracing policy

Issue #1723
2017-10-19 13:47:03 +02:00
Martin Stein
b811ef4331 signal: fix starvation by fast signal contexts
In the past, a signal context, that was chosen for handling by
'Signal_receiver::pending_signal and always triggered again before
the next call of 'pending_signal', caused all other contexts behind
in the list to starve. This was the case because 'pending_signal'
always took the first pending context in its context list.

We avoid this problem now by handling pending signals in a round-robin
fashion instead.

Ref #2532
2017-10-19 13:29:42 +02:00
Alexander Boettcher
a63eb3cc37 base: don't free initial slab in destructor
Issue #2505
2017-08-28 16:49:46 +02:00
Stefan Kalkowski
ea46c462a4 base: make stack area base specifiable for core
When running core as the kernel inside every component, a separate
stack area for core is needed that is different from the user-land
component's one.

Ref #2091
2017-08-28 16:49:46 +02:00
Christian Prochaska
b3e039d0b1 base: name initial thread according to child policy
Fixes #2494
2017-08-28 16:49:37 +02:00
Sebastian Sumpf
48134c2a0b ldso/cxx: show symbols names of undefined references
Fixes #2482
2017-08-18 10:24:48 +02:00
Alexander Boettcher
c22b60f0c4 base: add initial r0 register to crt0.s for arm
Issue #2451
2017-08-17 11:04:21 +02:00
Christian Helmuth
c18dffa9fa base: align metadata allocation in heap at 16 byte
Issue #754
2017-06-29 12:00:03 +02:00
Norman Feske
f95bfddc09 base: simplify handling of session-creation errors
This patch decouples the error handling of the quota transfers
and the actual session creation. In the previous version, an error in
the 'initiate_request' phase would leave the local scope via an
exception without disarming the transfer guard objects. This way,
the guard destructors would attempt the returning of session quota in
addition to the explicit call of '_revert_quota_and_destroy' as done in
the error handling of the 'initiate_request' operation.

In the presence of a session-creation error in the 'initiate_request'
phase, session quota would eventually be returned twice. This patch
removes the intertwined error handling of both phases in a way that the
guards of the first phase (quota transfer) are no longer present in the
second phase (initiate_request).
2017-06-29 11:59:52 +02:00
Stefan Kalkowski
6f8dc9054a base: setup parent upgrade mechanism eagerly
Fix #2447
2017-06-19 12:35:55 +02:00
Christian Prochaska
16deaa9a72 timed_semaphore: fix deprecated warning
Fixes #2429
2017-05-31 13:16:19 +02:00
Emery Hemingway
419da32ee3 lib/ldso: coalesce RPC calls for ROM dataspaces
A dataspace capability request to a ROM service may invalidate any
previously issued dataspace. Therefor no requests should be made while a
session dataspace is mapped. Reducing calls to the session also improves
performance where servicing a ROM request has a significant cost.

Fix #2418
2017-05-31 13:16:16 +02:00
Norman Feske
53253ba422 base: add reinit functionality to 'Env'
The 'reinit' and 'reinit_main_thread' methods are needed to implement
fork in Noux. Until now, they were provided by the 'Deprecated_env'
only.
2017-05-31 13:16:14 +02:00
Norman Feske
0167d5af50 Integrate core's RAM service into the PD service
Fixes #2407
2017-05-31 13:16:14 +02:00
Norman Feske
5a3a1c704b base: use 'Ram_allocator' as stack-area back end
The 'Stack_area_ram_session' is now a 'Stack_area_ram_allocator', which
simplifies the code and remove a dependency from the 'Ram_session'
interface, which we want to remove after all.

Issue #2407
2017-05-31 13:16:13 +02:00
Norman Feske
65225a94b1 core: simplify initialization
This patch removes the 'Core_parent' and 'Core_pd_session', and reduces
the 'Core_env'.
2017-05-31 13:16:12 +02:00
Norman Feske
a1df4fee44 base: restructure signal-submit initialization
This patch allows core's 'Signal_transmitter' implementation to sidestep
the 'Env::Pd' interface and thereby adhere to a stricter layering within
core. The 'Signal_transmitter' now uses - on kernels that depend on it -
a dedicated (and fairly freestanding) RPC proxy mechanism for signal
deliver, instead of channeling signals through the 'Pd_session::submit'
RPC function.
2017-05-31 13:16:12 +02:00
Alexander Boettcher
6d79d03380 heap: align allocations to 16 byte addresses
Issue #754
2017-05-31 13:16:11 +02:00
Norman Feske
2c6729768d base: consider exception during child construction
This patch make sure that a once managed parent RPC object will always be
dissolved if an exception during the remaining child construction
occurs. The original version would miss the dissolve call if one of the
subsequent members throws an exception at construction time.
2017-05-31 13:16:10 +02:00
Norman Feske
4d442bca30 Streamline exception types
This patch reduces the number of exception types by facilitating
globally defined exceptions for common usage patterns shared by most
services. In particular, RPC functions that demand a session-resource
upgrade not longer reflect this condition via a session-specific
exception but via the 'Out_of_ram' or 'Out_of_caps' types.

Furthermore, the 'Parent::Service_denied', 'Parent::Unavailable',
'Root::Invalid_args', 'Root::Unavailable', 'Service::Invalid_args',
'Service::Unavailable', and 'Local_service::Factory::Denied' types have
been replaced by the single 'Service_denied' exception type defined in
'session/session.h'.

This consolidation eases the error handling (there are fewer exceptions
to handle), alleviates the need to convert exceptions along the
session-creation call chain, and avoids possible aliasing problems
(catching the wrong type with the same name but living in a different
scope).
2017-05-31 13:16:07 +02:00
Norman Feske
1f4f119b1e Capability quota accounting and trading
This patch mirrors the accounting and trading scheme that Genode employs
for physical memory to the accounting of capability allocations.

Capability quotas must now be explicitly assigned to subsystems by
specifying a 'caps=<amount>' attribute to init's start nodes.
Analogously to RAM quotas, cap quotas can be traded between clients and
servers as part of the session protocol. The capability budget of each
component is maintained by the component's corresponding PD session at
core.

At the current stage, the accounting is applied to RPC capabilities,
signal-context capabilities, and dataspace capabilities. Capabilities
that are dynamically allocated via core's CPU and TRACE service are not
yet covered. Also, the capabilities allocated by resource multiplexers
outside of core (like nitpicker) must be accounted by the respective
servers, which is not covered yet.

If a component runs out of capabilities, core's PD service prints a
warning to the log. To observe the consumption of capabilities per
component in detail, the PD service is equipped with a diagnostic
mode, which can be enabled via the 'diag' attribute in the target
node of init's routing rules. E.g., the following route enables the
diagnostic mode for the PD session of the "timer" component:

  <default-route>
    <service name="PD" unscoped_label="timer">
      <parent diag="yes"/>
    </service>
    ...
  </default-route>

For subsystems based on a sub-init instance, init can be configured
to report the capability-quota information of its subsystems by
adding the attribute 'child_caps="yes"' to init's '<report>'
config node. Init's own capability quota can be reported by adding
the attribute 'init_caps="yes"'.

Fixes #2398
2017-05-31 13:16:06 +02:00
Norman Feske
e44f65f3b2 core: RAM service based on 'Session_object'
This patch reworks the implementation of core's RAM service to make use
of the 'Session_object' and to remove the distinction between the
"metadata" quota and the managed RAM quota. With the new implementation,
the session implicitly allocates its metadata from its own account. So
there is not need to handle 'Out_of_metadata' and 'Quota_exceeded' via
different exceptions. Instead, the new version solely uses the
'Out_of_ram' exception.

Furthermore, the 'Allocator::Out_of_memory' exception has become an alias
for 'Out_of_ram', which simplifies the error handling.

Issue #2398
2017-05-31 13:16:06 +02:00
Norman Feske
aea5d03691 base: add Child_policy::Route::Diag flag
The 'diag' flag can be defined by a target node of a route in init's
configuration. It is propagated as session argument to the server, which
may evaluate the flag to enable diagnostic output for the corresponding
session.

Issue #2398
2017-05-31 13:16:06 +02:00
Norman Feske
3670f7735d base: use 'Quota_transfer::Account' for 'Service'
This patch makes use of the new 'Quota_transfer::Account' by the service
types in base/service.h and uses 'Quota_transfer' objects in
base/child.cc and init/server.cc.

Furthermore, it decouples the notion of an 'Async_service' from
'Child_service'. Init's 'Routed_service' is no longer a 'Child_service'
but is based on the new 'Async_service' instead.

With this patch in place, quota transfers do no longer implicitly use
'Ram_session_client' objects. So transfers can in principle originate
from component-local 'Ram_session_component' objects, e.g., as used by
noux. Therefore, this patch removes a strumbling block for turning noux
into a single threaded component in the future.

Issue #2398
2017-05-31 13:16:06 +02:00
Norman Feske
6609aafb05 Replace Quota_exceeded by Insufficient_ram_quota
This patch replaces the 'Parent::Quota_exceeded',
'Service::Quota_exceeded', and 'Root::Quota_exceeded' exceptions
by the single 'Insufficient_ram_quota' exception type.

Furthermore, the 'Parent' interface distinguished now between
'Out_of_ram' (the child's RAM is exhausted) from
'Insufficient_ram_quota' (the child's RAM donation does not suffice to
establish the session).

This eliminates ambiguities and removes the need to convert exception
types along the path of the session creation.

Issue #2398
2017-05-31 13:16:05 +02:00
Norman Feske
eea493a8ca base: safeguard entrypoint against double manage
This patch adds sanity checks to the RPC entrypoint that detect attempts
to manage or dissolve the same RPC object twice. This is not always a
bug. I.e., if RPC objects are implemented in the modern way where the
object manages/dissolves itself. As the generic framework code (in
particular root/component.h) cannot rely on this pattern, it has to
call manage/dissolve for session objects anyway. For modern session
objects, this double attempt would result in a serious error (double
insertion into the object pool's AVL tree).

Issue #2398
2017-05-31 13:16:05 +02:00
Norman Feske
843dd179d7 base: remove int return types from 'Ram_session'
This patch replaces the existing C-style error codes with C++
exceptions.

Fixes #895
2017-05-31 13:16:04 +02:00
Norman Feske
58f44d39c5 base: use 'Ram_quota' in 'Ram_session' args
This patch replaces the former use of size_t with the use of the
'Ram_quota' type to improve type safety (in particular to avoid
accidentally mixing up RAM quotas with cap quotas).

Issue #2398
2017-05-31 13:16:04 +02:00
Norman Feske
ff68d77c7d base: new 'Ram_allocator' interface
The 'Ram_allocator' interface contains the subset of the RAM session
interface that is needed to satisfy the needs of the 'Heap' and
'Sliced_heap'. Its small size makes it ideal for intercepting memory
allocations as done by the new 'Constrained_ram_allocator' wrapper
class, which is meant to replace the existing 'base/allocator_guard.h'
and 'os/ram_session_guard.h'.

Issue #2398
2017-05-31 13:16:04 +02:00
Norman Feske
67481fdfc3 base: support exceptions during _new_slab_block
With the introduction of the 'Out_of_caps' exception type, the slab
needs to consider exceptions during the call of '_new_slab_block' by
reverting the 'nested' state.
2017-05-31 13:16:03 +02:00
Christian Helmuth
1d99e7ede9 base: classify signals as I/O and application level
Fixes #2363
2017-05-31 13:15:58 +02:00
Norman Feske
cd5a03758f base: fix bool retval check in heap
Thanks to gcc 6.3 for reporting!
2017-05-31 13:15:55 +02:00
Norman Feske
8e7aa54493 base: drop session states of vanished clients
For asynchronously provided sessions, the parent has to maintain the
session state as long as the server hasn't explicitly responded to a
close request. For this reason, the lifetime of such session states is
bound to the server, not the client.

When the server responds to a close request, the session state gets
freed. The 'session_response' implementation does not immediately
destroy the session state but delegates the destruction to a client-side
callback, which thereby also notifies the client. However, the code did
not consider the case where the client has completely vanished at
session-response time. In this case, we need to drop the session state
immediately.

Fixes #2391
2017-05-31 13:15:52 +02:00
Christian Prochaska
78a9cbf82d Trace::Logger: workaround for compiling with GCC 6
Issue #2375
2017-05-31 13:15:50 +02:00
Alexander Boettcher
1c79ba4182 slab: detect corrupted slab and invalid frees
and report about that.

Fixes #2350
2017-05-02 15:28:54 +02:00
Christian Helmuth
b35df4578b Check Registered base class provides virtual destructor
The base class of Registered must provide a virtual destructor to enable
safe deletion with just a base class pointer. This requirement can be
lifted by using Registered_no_delete in places where the deletion
property is not needed.

Fixes #2331
2017-03-24 16:20:04 +01:00
Christian Helmuth
cb43e04691 ldso: defer execution of static constructors
Ldso now does not automatically execute static constructors of the
binary and shared libraries the binary depends on. If static
construction is required (e.g., if a shared library with constructor is
used or a compilation unit contains global statics) the component needs
to execute the constructors explicitly in Component::construct() via
Genode::Env::exec_static_constructors().

In the case of libc components this is done by the libc startup code
(i.e., the Component::construct() implementation in the libc).

The loading of shared objects at runtime is not affected by this change
and constructors of those objects are executed immediately.

Fixes #2332
2017-03-24 16:20:04 +01:00
Norman Feske
d227db4574 base: destruction order of binary/linker ROMs
This patch destructs the environment sessions for the binary and the
dynamic linker along with the other environment sessions to avoid a
warning about reverting quota that occurs when attempting to close
these sessions too late.
2017-03-24 16:19:57 +01:00
Alexander Boettcher
391339a4bb base: handle race in Genode::Registry class
The race may happen when element objects get destructed by another thread then
the thread handling the for_each loop. In this case it may happen that the
object is already destructed (left the ~Element destructor) but the thread
handling the loop touches the invalid memory afterwards (the Element lock).

detected during issue #2299

Fixes #2320
2017-03-15 12:32:28 +01:00
Alexander Boettcher
bed28dfe49 base: extend cxa guards to support threads on various priorities
Fixes #2299
2017-03-15 12:32:23 +01:00
Alexander Boettcher
25ac3cdd86 base: handle twice Lock::lock calls correctly
to avoid loosing threads in the applicants list if lock owner calls 'twice'
Lock::lock().

Fixes #2300
2017-03-15 12:24:42 +01:00
Christian Helmuth
40f319e9e9 Terminate if pure virtual function is called
Fixes #2229
2017-03-15 12:24:41 +01:00
Martin Stein
56cafb3b57 hw: fix race in signal dispatching
There was a race when the component entrypoint wanted to do
'wait_and_dispatch_one_signal'. In this function it raises a flag for
the signal proxy thread to notice that the entrypoint also wants to
block for signals. When the flag is set and the signal proxy wakes up
with a new signal, it tried to cancel the blocking of the entrypoint.
However, if the entrypoint had not reached the signal blocking at this
point, the cancel blocking failed without a solution. Now, the new
Kernel::cancel_next_signal_blocking call solves the problem by storing a
request to cancel the next signal blocking of a thread immediately
without blocking itself.

Ref #2284
2017-02-28 13:00:41 +01:00
Norman Feske
29b8d609c9 Adjust file headers to refer to the AGPLv3 2017-02-28 12:59:29 +01:00
Norman Feske
7d9f68493a base: support for multi-staged child startup
This patch enhances the 'Child' and 'Child_policy' with the ability to
separate the different steps of bootstrapping children. If the
'Child_policy::initiate_env_sessions()' returns false, the child's
environment sessions remain unrouted at construction time. This way,
child objects for many children can be initialized to a state that
allows the children to represent services for other children. Therefore,
session routing can be applied before any child executes.

At this stage, the environment RAM sessions of all children can be
created. Note that this step still has the limitation that RAM sessions
are generally expected to be provided by either the parent or a local
service.

Once all children are equipped with RAM, they can in principle receive
session-quota donations. Hence, all other environment sessions can now
be arbitrarily routed and initiated.

Once the environment of a child is complete, the child's process and
initial thread is created.
2017-02-28 12:59:23 +01:00
Norman Feske
9cba459958 base: remove Child::heap
This patch improves the accounting for the backing store of
session-state meta data. Originally, the session state used to be
allocated by a child-local heap partition fed from the child's RAM
session. However, whereas this approach was somehow practical from a
runtime's (parent's) point of view, the child component could not count
on the quota in its own RAM session. I.e., if the Child::heap grew at
the parent side, the child's RAM session would magically diminish. This
caused two problems. First, it violates assumptions of components like
init that carefully manage their RAM resources (and giving most of them
away their children). Second, if a child transfers most of its RAM
session quota to another RAM session (like init does), the child's RAM
session may actually not allow the parent's heap to grow, which is a
very difficult error condition to deal with.

In the new version, there is no Child::heap anymore. Instead, session
states are allocated from the runtime's RAM session. In order to let
children pay for these costs, the parent withdraws the local session
costs from the session quota donated from the child when the child
initiates a new session. Hence, in principle, all components on the
route of the session request take a small bite from the session quota to
pay for their local book keeping

Consequently, the session quota that ends up at the server may become
depleted more or less, depending on the route. In the case where the
remaining quota is insufficient for the server, the server responds with
'QUOTA_EXCEEDED'. Since this behavior must generally be expected, this
patch equips the client-side 'Env::session' implementation with the
ability to re-issue session requests with successively growing quota
donations.

For several of core's services (ROM, IO_MEM, IRQ), the default session
quota has now increased by 2 KiB, which should suffice for session
requests to up to 3 hops as is the common case for most run scripts. For
longer routes, the retry mechanism as described above comes into effect.
For the time being, we give a warning whenever the server-side quota
check triggers the retry mechanism. The warning may eventually be
removed at a later stage.
2017-02-28 12:59:23 +01:00
Norman Feske
9d683a56a0 base: add Child_policy::session_state_changed()
This method is a hook to enable a runtime to respond to state changes.
In particular, in init this hook is used to trigger the generation of a
new state report, if configured.

Furthermore, the patch introduces the 'generate_client_side_info' and
'generate_server_side_info' methods to the 'Session_state', which
generates an XML representation of the session states to appear in
reports produced by init.

Issue #2246
2017-02-28 12:59:22 +01:00
Norman Feske
c0af463b81 base: Add Child_policy::Route
The new return value of 'resolve_session_request' allows the child
policy to define the label used as the policy selector at the server.

Because this patch introduces the distinction of the child-provided
label from the label as presented to the server along with the session
request, the latter is now handled as a dedicated 'Session_state'
argument.

Issue #2248
2017-02-28 12:59:20 +01:00
Norman Feske
8e6306e8e3 base: tolerate nested signal handling (but warn) 2017-02-27 15:37:50 +01:00
Sebastian Sumpf
b66716d278 base: entrypoint 'wait_and_dispatch_one_signal'
There existed a race when 'wait_and_dispatch_one_signal' is called form
a RPC context, because the 'signal_proxy' or 'main' will block and the
signal semaphore, when the EP then calls 'wait_and_dispatch_one_signal',
the signal proxy is woken up ands sends an RPC to the EP, leading to a
dead lock if no further signal arrive, because the EP will then remain
blocked in the signal semaphore.

Therefore, for this case, the signal proxy will now perform a semaphore
up operation and does not perform an RPC if the EP is within
'wait_and_dispatch_one_signal'.
2017-02-27 15:37:50 +01:00
Christian Prochaska
a1b4e905ab Signal_receiver::wait_for_signal(): check for pending signal before blocking
Fixes #2267
2017-02-07 11:12:23 +01:00
Christian Helmuth
ce3d10465e Mark warnings from the signal dispatcher as such 2017-01-31 14:58:36 +01:00
Christian Helmuth
7386c4e1d1 More robust handling of suspend in entrypoint
First, calls to manage and dissolve signal contexts now check if the
signal receiver was constructed. There is a small window during suspend
where it is destructed before reconstructed again.

Last, we ensure that processing of incoming signal was deblocked by the
suspend signal before entering the suspend operation. This way we ensure
already queued signal are handled.
2017-01-31 14:58:36 +01:00
Norman Feske
cd3a5852d6 Warn about the use of deprecated headers
This commit enables compile-time warnings displayed whenever a deprecated
API header is included, and adjusts the existing #include directives
accordingly.

Issue #1987
2017-01-31 12:01:18 +01:00
Norman Feske
e43da51bd6 base: handle dangling env sessions in ~Child
This commit addresses the situation where an environment session
outlives the session-providing service. In this case, the env session
got already invaidated at the destruction time of the server. However,
the underlying session-state structure continues to exist until the
client is destructed. During the eventual destruction of such a dangling
environment session, we have to be careful not to interact with the
no-longer existing service.

Ref #2197
2017-01-20 16:47:01 +01:00
Norman Feske
21458e6efa base: destruction of env-session-providing child
This patch addresses the corner case of destructing a child that
provides an enviroment session to another child. Before this patch,
this situation could result in an infinite loop.

The problem was introduced as a side effect of issue #2197 "base: apply
routing policy to environment sessions".
2017-01-20 16:47:00 +01:00
Christian Prochaska
7948a7261b ldso: constrain second linker symbol relocation pass on x86_64
Handle only GLOB_DAT relocations in the second relocation pass, like it is
done on x86_32 and ARM.

Fixes #2219
2017-01-20 16:46:55 +01:00
Norman Feske
a7f40b24ca Warn about the use of deprecated env() function
This patch enables warnings if one of the deprecate functions that rely
in the implicit use of the global Genode::env() accessor are called.

For the time being, some places within the base framework continue
to rely on the global function while omitting the warning by calling
'env_deprecated' instead of 'env'.

Issue #1987
2017-01-13 13:07:13 +01:00
Norman Feske
4da52517c1 Simpify startup of dynamically linked binaries
This patch removes the component_entry_point library, which used to
proved a hook for the libc to intercept the call of the
'Component::construct' function. The mechansim has several shortcomings
(see the discussion in the associated issue) and was complex. So we
eventually discarded the approach in favor of the explicit handling of
the startup.

A regular Genode component provides a 'Component::construct' function,
which is determined by the dynamic linker via a symbol lookup.
For the time being, the dynamic linker falls back to looking up a 'main'
function if no 'Component::construct' function could be found.

The libc provides an implementation of 'Component::construct', which
sets up the libc's task handling and finally call the function
'Libc::Component::construct' from the context of the appllication task.
This function is expected to be provided by the libc-using application.
Consequently, Genode components that use the libc have to implement the
'Libc::Component::construct' function.

The new 'posix' library provides an implementation of
'Libc::Component::construct' that calls a main function. Hence, POSIX
programs that merely use the POSIX API merely have to add 'posix' to the
'LIBS' declaration in their 'target.mk' file. Their execution starts at
'main'.

Issue #2199
2017-01-13 13:06:52 +01:00
Sebastian Sumpf
6e14aa4364 ldso: mark functions used during self relocation
These functions are marked as always inline through the 'SELF_RELOC' macro. This
became necessary because on riscv functions calls are performed through the
global offset table, which is not initialized at this point.

Fixes #2203
2017-01-13 13:05:45 +01:00
Norman Feske
9ea4a491d6 ld: generate symbol map from base/lib/symbols/ld
This patch removes the manually maintained symbol map from the dynamic
linker. This way, the symbol map stays in sync with the ABI and - more
importantly - no longer uses wildcards. So the symbols exported by the
dynamic linker are strictly limited by the ABI.

Issue #2190
2016-12-23 16:53:17 +01:00
Norman Feske
0d295f75a1 base: apply routing policy to environment sessions
This patch changes the child-construction procedure to allow the routing
of environment sessions to arbitrary servers, not only to the parent.
In particular, it restores the ability to route the LOG session of the
child to a LOG service provided by a child of init. In principle, it
becomes possible to also route the immediate child's PD, CPU, and RAM
environment sessions in arbitrary ways, which simplifies scenarios that
intercept those sessions, e.g., the CPU sampler.

Note that the latter ability should be used with great caution because
init needs to interact with these sessions to create/destruct the child.
Normally, the sessions are provided by the parent. So init is safe at
all times. If they are routed to a child however, init will naturally
become dependent on this particular child. For the LOG session, this is
actually not a problem because even though the parent creates the LOG
session as part of the child's environment, it never interacts with the
session directly.

Fixes #2197
2016-12-23 16:52:08 +01:00
Norman Feske
ccffbb0dfc Build dynamically linked executables by default
Fixes #2184
2016-12-14 11:22:27 +01:00
Norman Feske
d882277ce3 base: let ldso use the default stack size 2016-12-14 11:19:38 +01:00
Norman Feske
4e4cdacab3 base: trim main-thread size to 4/8 KiB
The main thread does no longer execute application code. It is solely
responsible for the initialization of the component's entrypoint and for
retrieving asynchronous notifications. Since the stack usage is no
longer dependent on application-specific code, we can significantly
shrink it to reduce the memory footprint of components. In the worst
case - should the stack overrun - we would observe a page fault because
the stack is placed in the stack area, surrounded by guard pages.
2016-12-14 11:19:38 +01:00
Norman Feske
a387d68c2c base: use a default stack size of 64 KiB
This patch replaces the former machine-word-dependent default stack size
by the fixed value of 64 KiB which should suffice for components on both
32 and 64 bit. Previously, the default stack size on 64 bit was 128 KiB,
which is wasteful. If a component needs more stack than 64 KiB, it can
specify a custon stack size by implementing 'Component::stack_size'.
2016-12-14 11:19:37 +01:00
Norman Feske
28f5688dcf base: reduce size of initial stack from 32K to 4K
The initial stack is solely used to initialize the Genode environment
along with the application stack located in the stack area. It never
executes application code. Hence, we can make it small. To check that it
is not dimensioned too small, the patch introduces a sanity check right
before switching to the application stack.
2016-12-02 15:20:31 +01:00
Norman Feske
25a7ea3d40 base: rename 'Volatile_object' to 'Reconstructible'
Fixes #2151
2016-12-01 17:46:50 +01:00
Norman Feske
6a24d70120 Fix clang compile errors
Thanks Keiko Nakata for reporting!

Fixes #2164
2016-11-30 13:37:07 +01:00
Norman Feske
5a1cef6381 Make label prefixing more strict
This patch unconditionally applies the labeling of sessions and thereby
removes the most common use case of 'Child_policy::filter_session_args'.
Furthermore, the patch removes an ambiguity of the session labels of
sessions created by the parent of behalf of its child, e.g., the PD
session created as part of 'Child' now has the label "<child-name>"
whereas an unlabeled PD-session request originating from the child
has the label "<child-name> -> ". This way, the routing-policy of
'Child_policy::resolve_session_request' can differentiate both cases.

As a consequence, the stricter labeling must now be considered wherever
a precise label was specified as a key for a session route or a server-
side policy selection. The simplest way to adapt those cases is to use a
'label_prefix' instead of the 'label' attribute. Alternatively, the
'label' attribute may used by appending " -> " (note the whitespace).

Fixes #2171
2016-11-30 13:37:07 +01:00
Alexander Boettcher
c83eb515f9 base: sanity check for slab element allocation
Issue #1039
2016-11-30 13:37:06 +01:00
Alexander Boettcher
b8f9f92731 base: remove allocation warning in heap
The heap typically first tries to allocate larger chunks than necessary, and
if it fails the actual minimal one. The first attempt already triggers warnings
which are not critical at all. If the second (critical) allocation fails,
then there are additionally checks and warnings already in place.

Issue #1039
2016-11-30 13:37:06 +01:00
Norman Feske
5ba245f476 base: minor style fixes 2016-11-30 13:37:06 +01:00
Alexander Boettcher
03f0f38567 cxx: avoid warnings about cxx exception memory
Avoids warnings like

Warning: 2 dangling allocations at allocator destruction time

during noux process destruction.
2016-11-30 13:37:05 +01:00
Norman Feske
cfdbccc5c2 Remove blocking calls from root and parent RPCs
This is a redesign of the root and parent interfaces to eliminate
blocking RPC calls.

- New session representation at the parent (base/session_state.h)
- base-internal root proxy mechanism as migration path
- Redesign of base/service.h
- Removes ancient 'Connection::KEEP_OPEN' feature
- Interface change of 'Child', 'Child_policy', 'Slave', 'Slave_policy'
- New 'Slave::Connection'
- Changed child-construction procedure to be compatible with the
  non-blocking parent interface and to be easier to use
- The child's initial LOG session, its binary ROM session, and the
  linker ROM session have become part of the child's envirenment.
- Session upgrading must now be performed via 'env.upgrade' instead
  of performing a sole RPC call the parent. To make RAM upgrades
  easier, the 'Connection' provides a new 'upgrade_ram' method.

Issue #2120
2016-11-25 16:06:42 +01:00
Norman Feske
baf61df0fd base: new 'Registry' data structure
This data structure is meant as a safe alternative for a list wherever
the list is solely used to remember objects and iterate through them in
an unspecified order. One use case is the 'Service_registry'.
2016-11-25 15:30:58 +01:00
Christian Helmuth
f75f199947 ldso: initialize ELF object before relocating
This fixes a regression on Ubuntu 16.04 (resp. Linux systems with recent
kernel versions) and address-space randomization originating from an
uninitialized relocation base of 0.
2016-11-25 15:27:28 +01:00
Emery Hemingway
eff90d759f remove global namespacing from internal base headers
Making the Genode namespace global can cause name collisions on
base-linux.

Fix #2158
2016-11-08 15:26:33 +01:00
Norman Feske
784e728727 Clean ldso from using deprecated APIs
Issue #1987
2016-11-08 15:26:32 +01:00
Norman Feske
b9280678fb base-linux: fix race in region_map_mmap
This patch fixes a race condition triggered by the thread test running
on Linux inside VirtualBox. The 'test_stack_alloc' sporadically produced
one of two errors: A segfault in the 'Thread::deinit_platform_thread' on
the attempt to access the 'native_thread' of the to-be-destructed thread
(this data structure is located on the thread's stack). Or, an error
message about a region conflict within the stack area.

The problem was that two instances of 'Region_map_mmap' issued a
sequence of munmap and mmap each. Even though each instance locked the
attach/detach operations, the lock was held per instance. In a situation
where two instances performed attach/detach operations in parallel, the
syscall sequences could interfere with each other.

In the test scenario, the two region-map instances are the test's
address space and the stack area. When creating a thread, the thread's
trace-control dataspace is attached at an arbitrary place (picked by
the Linux kernel) within the address space whereas the stack is attached
at the stack area. The problem is the following sequence:

Thread A wants to destruct a thread:
1. Remove stack from stack area
   (issue unmap syscall)
2. Preserve virtual address range that was occupied from the stack
   so that Linux won't use it
   (issue mmap syscall)

Thread B wants to construct a thread:
1. Request trace-control dataspace from CPU session
2. Attach trace-control dataspace to address space at a location
   picked by the Linux kernel
   (issue mmap syscall)

The problem occurs when thread B's second step is executed in between
the steps 1 and 2 of thread A and the Linux kernel picks the
just-unmapped address as the location for the new trace-control mapping.
Now, the trace control dataspace is mapped at the virtual address that
was designated for the stack of the to-be-created thread, and the
attempt to map the real stack fails.

The patch fixes the problem by replacing the former region-map-local
locks by a component-global lock.

Furthermore, it cleans up core's implementation of the support function
for the region-map-mmap implementation, eliminating the temporary
unlocking of the region-map lock during RPC.
2016-11-08 15:26:30 +01:00
Stefan Kalkowski
7e1692d997 core: unify handling of boot modules
Instead of solving the problem to deliver ROM modules to core while booting
differently for the several kernels (multi-boot, elfweaver, core re-linking),
this commit unifies the approaches. It always builds core as a library, and
after all binaries are built from a run-script, the run-tool will link an
ELF image out of the core-library and all boot modules. Thereby, core can
access its ROM modules directly.

This approach now works for all kernels except Linux.

With this solution, there is no [build_dir]/bin/core binary available anymore.
For debugging purposes you will find a core binary without boot modules, but
with debug symbols under [run_dir].core.

Fix #2095
2016-11-08 15:26:27 +01:00
Stefan Kalkowski
2a2e5c2df4 base-*: remove usage of printf
base generic code:
  * Remove unused verbosity code from mmio framework
  * Remove escape sequence end heuristic from LOG
  * replace Core_console with Core_log (no format specifiers)
  * move test/printf to test/log
  * remove `printf()` tests from the log test
  * check for exact match of the log test output
base-fiasco:
  * remove unused Fiasco::print_l4_threadid function
base-nova:
  * remove unused hexdump utility from core
base-hw:
  * remove unused Kernel::Thread::_print_* debug utilities
  * always print resource summary of core during startup
  * remove Kernel::Ipc_node::pd_label (not used anymore)
base*:
  * Turn `printf`,`PWRN`, etc. calls into their log equivalents

Ref #1987
Fix #2119
2016-10-21 12:39:36 +02:00
Alexander Boettcher
c99729093a base: fix race in multiple lock.unlock() calls
Fixes #2122
2016-10-21 12:39:34 +02:00
Christian Prochaska
3a1f852318 base: don't use the 'size' argument in 'Heap::free()'
The Heap reports that 'free()' does not rely on a valid 'size' argument,
so it should not use it.

Fixes #2113
2016-10-21 12:39:32 +02:00
Norman Feske
e370e08e01 Define Genode::size_t as unsigned long
Fixes #2105
2016-10-21 12:39:29 +02:00
Norman Feske
17c79a9e23 base: avoid use of deprecated base/printf.h
Besides adapting the components to the use of base/log.h, the patch
cleans up a few base headers, i.e., it removes unused includes from
root/component.h, specifically base/heap.h and
ram_session/ram_session.h. Hence, components that relied on the implicit
inclusion of those headers have to manually include those headers now.

While adjusting the log messages, I repeatedly stumbled over the problem
that printing char * arguments is ambiguous. It is unclear whether to
print the argument as pointer or null-terminated string. To overcome
this problem, the patch introduces a new type 'Cstring' that allows the
caller to express that the argument should be handled as null-terminated
string. As a nice side effect, with this type in place, the optional len
argument of the 'String' class could be removed. Instead of supplying a
pair of (char const *, size_t), the constructor accepts a 'Cstring'.
This, in turn, clears the way let the 'String' constructor use the new
output mechanism to assemble a string from multiple arguments (and
thereby getting rid of snprintf within Genode in the near future).

To enforce the explicit resolution of the char * ambiguity, the 'char *'
overload of the 'print' function is marked as deleted.

Issue #1987
2016-08-29 17:27:10 +02:00
Johannes Schlatow
acd2a40076 base: print() functions for floating point types
Fixes #2055
2016-08-29 17:23:19 +02:00
Alexander Boettcher
027e89f91a base: catch uncaught exceptions of threads
and show some message about. On sel4 sometimes exceptions are thrown and no
message is shown, it just seems to hang. With this patch at least you get
an idea that something bad happened.

Issue #2044
2016-08-10 11:07:50 +02:00
Norman Feske
62d65d00e0 Remove signal-source headers from public API
Those headers implement a platform-specific mechanism. They are never
used by components directly.

This patch also cleans up a few other remaining platform-specific
artifact such as the Fiasco.OC-specific assert.h.

Issue #1993
2016-07-15 11:38:25 +02:00
Norman Feske
88b358c5ef Unification of native_capability.h
This patch establishes the sole use of generic headers across all
kernels. The common 'native_capability.h' is based on the version of
base-sel4. All traditional L4 kernels and Linux use the same
implementation of the capability-lifetime management. On base-hw, NOVA,
Fiasco.OC, and seL4, custom implementations (based on their original
mechanisms) are used, with the potential to unify them further in the
future.

This change achieves binary compatibility of dynamically linked programs
across all kernels.

Furthermore, the patch introduces a Native_capability::print method,
which allows the easy output of the kernel-specific capability
representation using the base/log.h API.

Issue #1993
2016-07-11 13:07:37 +02:00
Norman Feske
d71f0a9606 Cleanup of parent-cap handling
This patch alleviates the need for a Native_capability::Dst at the API
level. The former use case of this type as argument to
Deprecated_env::reinit uses the opaque Native_capability::Raw type
instead. The 'Raw' type contains the portion of the capability that is
transferred as-is when delegating the capability (i.e., when installing
the parent capability into a new component, or when installing a new
parent capability into a new forked Noux process). This information can
be retrieved via the new Native_capability::raw method.

Furthermore, this patch moves the functions for retriving the parent
capability to base/internal/parent_cap.h, which is meant to be
implemented in platform-specific ways. It replaces the former set of
startup/internal/_main_parent_cap.h headers.

Issue #1993
2016-07-11 13:05:27 +02:00
Norman Feske
f7bdd383e2 Remove base/native_types.h headers
Issue #1993
2016-07-11 12:06:50 +02:00
Christian Prochaska
29a12ab9a2 base: add 'Thread::mystack() function
The static 'Thread::mystack()' function returns the stack boundaries of
the calling thread. It is useful when a thread uses a diffent stack than
the primary one.

Fixes #2037
2016-07-11 12:06:05 +02:00
Norman Feske
2030ae678e Supplement base/log.h with raw output function
This patch introduces the Genode::raw function that prints output
directly via a low-level kernel mechanism, if available.

On base-linux, it replaces the former 'raw_write_str' function.
On base-hw, it replaces the former kernel/log.h interface.

Fixes #2012
2016-06-22 12:21:42 +02:00
Stefan Kalkowski
1e5c08bb1a base: invert hex value padding to correct meaning
Fix #1996
2016-06-06 09:38:29 +02:00
Josef Söntgen
941a71346a base: add print method for unsigned long long
Fixes #1991.
2016-06-04 13:45:27 +02:00
Alexander Boettcher
5c10653d8a slab: throw exception if initial allocation fails
Issue #1983
2016-05-31 12:02:04 +02:00
Sebastian Sumpf
ee05fb9259 base: Remove dynamic segment check from Elf_binary
Don't check for supported segment types of dynamic binaries, it is to
restrictive. If something goes wrong the dynamic linker will throw an error.
2016-05-23 15:52:51 +02:00
Christian Prochaska
44648bb5c7 tool_chain/cxx: use '__cxa_demangle()' for exception names
Fixes #1976
2016-05-23 15:52:50 +02:00
Christian Prochaska
2cde1d36c1 base: changes for GDB monitor
- add a new function 'binary_ready_hook_for_gdb()' in ldso. GDB can set a
  breakpoint at this function to know when ldso has loaded the binary
  into memory.
- get the thread state from the NOVA kernel immediately on 'pause()'

Fixes #1968
2016-05-23 15:52:49 +02:00
Norman Feske
807be83b1b Remove inconsistent use of 'is_' prefix
Fixes #1963
2016-05-23 15:52:39 +02:00
Norman Feske
a99989af40 Separation of thread operations from CPU session
This patch moves the thread operations from the 'Cpu_session'
to the 'Cpu_thread' interface.

A noteworthy semantic change is the meaning of the former
'exception_handler' function, which used to define both, the default
exception handler or a thread-specific signal handler. Now, the
'Cpu_session::exception_sigh' function defines the CPU-session-wide
default handler whereas the 'Cpu_thread::exception_sigh' function
defines the thread-specific one.

To retain the ability to create 'Child' objects without invoking a
capability, the child's initial thread must be created outside the
'Child::Process'. It is now represented by the 'Child::Initial_thread',
which is passed as argument to the 'Child' constructor.

Fixes #1939
2016-05-23 15:52:39 +02:00
Christian Helmuth
3ba61a2ddf Move rust support to libports
Issue #1899
2016-05-23 15:52:38 +02:00
Norman Feske
3361651e9e base: remove dependency from deprecated config lib
Issue #1959
2016-05-23 15:52:37 +02:00
Norman Feske
f6dec901bb base: remove Component::name from API
It turns out that the name function does not have much use in practice
except for naming the thread of the component's initial entrypoint. For
dynamically linked components, this thread is created by the dynamic
linker. It is named "ep" in these cases. Considering that we will
eventually turn all regular components into dynamically linked
executables, the additional information provided by the
Component::name() function remains unused. So it is better to not bother
the component developers with adding boilerplate code.
2016-05-23 15:49:56 +02:00
Waylon Cude
1e95af5bab Fixed linking and memory allocation for rust
Now rlibs are actually linked to programs. Target files have been
modified to not generate code that requires compiler-rt. Added a target
for libstd-rust, but it's very broken right now. Moved alloc_system to
the libports folder because either a memory allocator needs to be
written in rust or posix_memalign needs to be implemented. Changed
liblibc to use freebsd as the OS instead of netbsd. Added a library with
unwind dummy functions.

Rust relies on atomic builtins, which are not implemented in libgcc for
ARM. One was implemented in rust, which was sufficient to get the
current rust test to run. Rust libs were added into the group of libs
for the linker so order no longer matters. The raspberry pi now uses an
armv6 target.
2016-05-23 15:49:56 +02:00
Norman Feske
fd401bdf53 Thread API cleanup
This patch cleans up the thread API and comes with the following
noteworthy changes:

- Introduced Cpu_session::Weight type that replaces a formerly used
  plain integer value to prevent the accidental mix-up of
  arguments.
- The enum definition of Cpu_session::DEFAULT_WEIGHT moved to
  Cpu_session::Weight::DEFAULT_WEIGHT
- New Thread constructor that takes a 'Env &' as first argument.
  The original constructors are now marked as deprecated. For the
  common use case where the default 'Weight' and 'Affinity' are
  used, a shortcut is provided. In the long term, those two
  constructors should be the only ones to remain.
- The former 'Thread<>' class template has been renamed to
  'Thread_deprecated'.
- The former 'Thread_base' class is now called 'Thread'.
- The new 'name()' accessor returns the thread's name as 'Name'
  object as centrally defined via 'Cpu_session::Name'. It is meant to
  replace the old-fashioned 'name' method that takes a buffer and size
  as arguments.
- Adaptation of the thread test to the new API

Issue #1954
2016-05-23 15:49:55 +02:00
Norman Feske
1f395ae780 base: new interface for textual output
Issue #1942
2016-05-09 13:25:01 +02:00
Norman Feske
dc8690ae37 Modularize base-internal headers
Issue #1952
2016-05-09 13:24:39 +02:00
Norman Feske
40a5af42eb Clean up base-library structure
This patch moves the base library from src/base to src/lib/base,
flattens the library-internal directory structure, and moves the common
parts of the library-description files to base/lib/mk/base.inc and
base/lib/mk/base-common.inc.

Furthermore, the patch fixes a few cosmetic issues (whitespace and
comments only) that I encountered while browsing the result.

Fixes #1952
2016-05-09 13:24:11 +02:00
Norman Feske
4f69772ecc Replace 'Env' interface with modern one
The original 'Env' interface as returned by 'Genode::env()' has been
renamed to 'Env_deprecated' and moved to deprecated/env.h. The new version
of base/env.h contains the interface passed to modern components that
use the component API via base/component.h.

Issue #1832
2016-05-09 13:10:52 +02:00
Norman Feske
511acad507 Consolidate RM service into PD session
This patch integrates three region maps into each PD session to
reduce the session overhead and to simplify the PD creation procedure.
Please refer to the issue cited below for an elaborative discussion.

Note the API change:

With this patch, the semantics of core's RM service have changed. Now,
the service is merely a tool for creating and destroying managed
dataspaces, which are rarely needed. Regular components no longer need a
RM session. For this reason, the corresponding argument for the
'Process' and 'Child' constructors has been removed.

The former interface of the 'Rm_session' is not named 'Region_map'. As a
minor refinement, the 'Fault_type' enum values are now part of the
'Region_map::State' struct.

Issue #1938
2016-05-09 13:10:51 +02:00
Christian Helmuth
7a64e0bb80 ldso: dump link map of loaded shared objects
Also log the link-map information of shared objects loaded after startup
if 'ld_verbose' is configured.
2016-04-25 10:48:01 +02:00
Martin Stein
9508f397a2 ldso: use get_page_size_log2 instead of "12"
Ref #1941
2016-04-25 10:48:01 +02:00
Norman Feske
051e84c4b4 Move server API concept to base framework
This commit introduces the new `Component` interface in the form of the
headers base/component.h and base/entrypoint.h. The os/server.h API
has become merely a compatibilty wrapper and will eventually be removed.
The same holds true for os/signal_rpc_dispatcher.h. The mechanism has
moved to base/signal.h and is now called 'Signal_handler'.

Since the patch shuffles headers around, please do a 'make clean' in the
build directory.

Issue #1832
2016-04-11 11:51:46 +02:00
Waylon Cude
28117fee12 Added rust support
Rust relies on atomic builtins, which are not implemented in libgcc for
ARM. One is implemented in rust, which is sufficient to get the
current rust test to run.

Issue #1899
2016-03-17 17:02:04 +01:00
Norman Feske
76db3b9c06 base: retire 'Native_config'
This commit moves the parameters of the stack area to the base-internal
header 'stack_area.h'.

Issue #1832
2016-03-08 17:00:54 +01:00
Josef Söntgen
2490e399dc ldso: check binary pointer before lookup
Check if the binary pointer is valid before attempting to lookup the
symbol. Shared objects with unresolved symbols and missing depencies,
e.g a library that references 'errno' but is not linked against libc,
will now produce an error message when they are loaded by the dynamic
linker.

Fixes #1904.
2016-03-08 17:07:36 +01:00
Norman Feske
7f73e5e879 base: hide internals of the Thread API
This patch moves details about the stack allocation and organization
the base-internal headers. Thereby, I replaced the notion of "thread
contexts" by "stacks" as this term is much more intuitive. The fact that
we place thread-specific information at the bottom of the stack is not
worth introducing new terminology.

Issue #1832
2016-03-07 12:34:46 +01:00
Norman Feske
6e7f7bdad4 base: move crt0.h and elf.h to base/internal
Those headers remained unused outside the internal framework. So it is
better to remove them from the public API.

Issue #1832
2016-03-07 12:34:45 +01:00
Norman Feske
e6729316ff base: uniform base-internal header structure
This patch establishes a common organization of header files
internal to the base framework. The internal headers are located at
'<repository>/src/include/base/internal/'. This structure has been
choosen to make the nature of those headers immediately clear when
included:

  #include <base/internal/lock_helper.h>

Issue #1832
2016-03-07 12:34:45 +01:00
Sebastian Sumpf
d17134baef ldso: Support for RISC-V
issue #1880
2016-02-26 11:36:51 +01:00
Sebastian Sumpf
41b9f6bd03 ldso: Make truly self relocatable
On Linux the linker can now be loaded at arbitrary addresses, this became
necessary for newer kernel versions. The 'linux_arm' target is not supported.

Issue #1728
2015-12-10 13:16:25 +01:00
Stefan Kalkowski
ed52d5a211 Introduce 'spec' subdirectories to outline aspects
Instead of holding SPEC-variable dependent files and directories inline
within the repository structure, move them into 'spec' subdirectories
at the corresponding levels, e.g.:

  repos/base/include/spec
  repos/base/mk/spec
  repos/base/lib/mk/spec
  repos/base/src/core/spec
  ...

Moreover, this commit removes the 'platform' directories. That term was
used in an overloaded sense. All SPEC-relative 'platform' directories are
now named 'spec'. Other files, like for instance those related to the
kernel/architecture specific startup library, where moved from 'platform'
directories to explicit, more meaningful places like e.g.: 'src/lib/startup'.

Fix #1673
2015-09-16 13:58:50 +02:00
Adrian-Ken Rueegsegger
c2ff0ae9d4 Minor cleanup fixes
- Fix spelling errors
- Remove extra semicolons
- Remove extra spaces

Fixes #1650
2015-08-21 11:00:59 +02:00
Norman Feske
0cd93c64aa ldso: add lx_environ to symbol map
This symbol must be exported to build dynamically-linked executables on
the lx_hybrid_x86 base platform.
2015-07-07 19:48:07 +02:00
Norman Feske
ef9c745e42 ldso: add memcpy and memset to symbol.map
On ARM, the compiler generates calls to memcpy and memset. Most
dynamically linked programs use the libc, which provides these
functions. However, if a dynamically linked program does not use the
libc (e.g., noux/minimal or the new version of cli_monitor), those
symbols remain unresolved. By adding them to ldso's symbol.map, the
dynamic linker will resolve them with the functions of the cxx
library, which is part of the dynamic linker.

Issue #1561
2015-06-09 11:00:11 +02:00
Sebastian Sumpf
36e01b720e ldso: Refactor dynamic linker
Issue #1349
2015-03-19 08:57:22 +01:00
Sebastian Sumpf
1a26f33469 ldso: shared-object lock and ctor test
This has to be used during shared object creation and destruction because global
lists are manipulated. We cannot use the 'Elf_object::lock' here because there
may be jump-slot relocations during object initialization.

Fixes #1350
2015-01-09 11:31:21 +01:00
Alexander Boettcher
9c0ced0a85 ldso: add __L4_ThreadSwitch to ldso symbol.map
This wasn't necessary before because we built an l4 library for
Pistachio and linked it against each application. With the new linker,
we compile the required files from within Genode and create a syscall
library that is only linked to ldso. If a program uses system calls
directly, for example, DDE kit's spinlock implementation, the required
symbols must be made globally accessible.

Fixes #1306
2014-12-01 16:32:35 +01:00
Sebastian Sumpf
038a7999bf ldso: Disallow recursive initialization
Do not support the global construction from of objects from within a global
constructor of another object. This can happen if, for example, dlopen is called
from a global constructor. The construction will be post-boned until the current
constructor has finished.
2014-11-28 12:02:37 +01:00
Sebastian Sumpf
5a821d4c92 base: Genode's dynamic linker
Issue #1280
2014-11-12 14:44:15 +01:00
Norman Feske
ca971bbfd8 Move repositories to 'repos/' subdirectory
This patch changes the top-level directory layout as a preparatory
step for improving the tools for managing 3rd-party source codes.
The rationale is described in the issue referenced below.

Issue #1082
2014-05-14 16:08:00 +02:00