The new 'Local_rm' type offers a narrow interface for the interaction
with the component-local address space, managing the lifetime of
attachments by using the 'Allocation' API.
Fixes#5516
This catches bugs early on. E.g., when leaving an 'Allocation'
unused, it gets immediately deallocated, which is most probably not
intended. For regular 'Attempt' objects, this change encourages
the proper propagation of errors, or at least the logging of unexpected
conditions.
Fixes#5513
This patch converts the memory-allocator interfaces ('Allocator',
'Range_allocator') and their implementations ('Heap', 'Sliced heap',
'Slab', 'Allocator_avl', 'Synced_allocator') to the new 'Allocation'
utility. The new interface resides at base/memory.h whereas the
traditional allocators implement the new interface.
Down the road, the traditional allocators can successively be decoupled
from the traditional 'Allocator' and 'Range_allocator' interfaces.
Issue #5502
Issue #5245
The 'Allocation' template clears the way for precisely differentiating
allocators via (a variety of) C++ types. It turns out that this approach
alleviate the need to consider the differentiation between
mapped/unmapped in ram.h.
With the new approach, a mapped allocator can be built as a template
taking a ram allocator (constrained/unconstrained) and a local
region-map (core local_rm, env local_rm) as ingredients.
Since the differentiation between constrained/unconstrained has its
natural place at ram.h, name the current RAM allocator
'Ram::Constrained_allocator', in anticipation of a future
'Ram::Unconstrained_allocator' with weakened error conditions.
Issue #5502
The new 'raise' function can be used instead of 'throw' to keep the
framework headers void of C++ throw statements, which would otherwise
prevent the compilation of the headers with -fno-exceptions.
In the presence of the C++ runtime, the 'raise' implementation reflects
the supplied error value(s) as C++ exceptions of the appropriate type.
In the (future) optional absence of the C++ runtime, 'raise' remains
unresolved, which then gives us the assurance that the binary contains
no code path leading to 'raise', all error conditions must have been
covered in other ways than 'raise'.
For this reason, 'Genode::raise' is not provided by the base library
but the cxx library (C++ runtime). Once we allow components to opt out
of the cxx library, 'raise' will automatically become unresolved for
those strict components.
Issue #5245
The univerally used exception types Out_of_ram, Out_of_caps, and Denied
used to be defined at quota_guard.h and ram_allocator.h whereas the
types are broadly used. This patch gathers those type definitions at
the central place exception.h instead, to gradually untangle the reliance
on exceptions, i.e., in quota_goard.h, and to make the output of error
messages printing exception types ('abort') more concise.
Issue #5245
The new types in base/ram.h model different allocation scenarios and
error cases by mere C++ types without using exceptions. They are meant
to replace the former 'Ram_allocator' interface. As of now, the
'Unmapped_allocator' closely captures the former 'Ram_allocator'
semantics. The 'Constrained_allocator' is currently an alias for
'Unmapped_allocator' but is designated for eventually allocating
mapped RAM.
In contrast to the 'Ram_allocator' interface, which talked about
dataspace capabilites but left the lifetime management of the
allocated RAM to the caller, the new API represents an allocation
as a guard type 'Allocation', which deallocates on destruction by
default.
Allocation errors are captured by a 'Result' type that follows
the 'Attempt' pattern.
As a transitionary feature, the patch largely maintains API
compatibility with the original 'Ram_allocator' by providing
the original (exception-based) 'Ram_allocator::alloc' and
'Ram_allocator::free' methods as a wrapper around the new
'Ram::Constrained_allocator'. So components can be gradually
updated to the new 'Ram::' interface.
Issue #5502
The 'Allocation' type represents the result of an allocator, which
guards the lifetime of the allocation. The 'Allocation::Attempt' type is
a suitable result type for allocators that need to reflect either an
successful allocation or an error condition.
Issue #5502
The new variant combines the attempt with unique-pointer semantics
and is thereby usable for returning non-copyable objects such as
RAM 'Allocation'.
Issue #5502
After constructed, a 'Thread' object may remain in a dysfunctional state
should the stack allocation have failed. This condition is no longer
reflected as a C++ exception but as result value of 'Thread::info()'.
Keep 'Thread::name' as public constant because the stack is not always
available for storing the name.
The 'stack_top' accessor has been removed because this information is
already provided by 'Thread::info()'.
Issue #5245
With this patch, the 'Pd_session' interface no longer implements the
'Ram_allocator' interface, which allows us to change the
'Genode::Ram_allocator' semantics (as a subsequent step) without
affecting core's PD service.
The patch also replaces the client-local implementation of
'Pd_session_client::dataspace_size' by the proper RPC call 'ram_size' to
core, which mitigates the potential risk of de-referencing a dataspace
cap of an untrusted origin. E.g., in scenarios where the monitor
component requests the size of a dataspace allocated by the debugging
target.
Since 'ram_size' is an RPC call, it cannot be const. Hence, the
'Ram_alloctor::dataspace_size' has become non-const.
The new 'Pd_ram_allocator' implements the 'Ram_allocator' interface by
using a PD session.
Issue #5502
With planned removal of Thread:: exceptions, we need to consider that a
'Thread' object may exist without a valid 'Stack' and therefore without
a valid 'Native_thread', which is hosted as part of the 'Stack'.
This patch reworks the code that accesses the 'Native_thread' to use the
new 'Thread::with_native_thread' interface. Within the local scope,
the native thread is referred to as 'nt'.
The _init_platform_thread and _deinit_platform_thread() have been
replaced by _init_native_thread and _deinit_native_thread, which take
a 'Stack &' as argument.
As a safety caution, 'Native_thread' objects can no longer be copied.
Issue #5245
This patch exposes the formatted K/M/G byte output of 'Number_of_bytes'
as a class template function that accepts different basic types. This
enables the easy creation of a formatted output type for a type larger
than size_t.
Introduced in the context of issue #5489
On x86, the `Vm_session_component` obscured the differences between SVM
and VMX.
Separate the implementations, factor out common functionality and
address a number of long-standing issues in the process:
- Allocate nested page tables from Core_ram_allocator as a more suitable
abstraction and account for the required memory, subtract the
necessary amount of RAM from the session's `Ram_quota` *before*
constructing the session object, to make sure that the memory
allocated from the `Core_ram_allocator` is available from the VMM's
RAM quota.
- Move the allocation of Vcpu_state and Vcpu_data into the Core::Vcpu
class and use the Core RAM Allocator to allocate memory with a known
physical address.
- Remove the fixed number of virtual CPUs and the associated reservation
of memory by using a Registry for a flexible amount of vCPUs.
Issue #5221
This patch allows for the construction of 'Xml_node' objects from a
'Const_byte_range_ptr' argument as a safer alternative to the pair
of addr, max_len arguments.
Issue #5411
The pointer returned by '_logger()' can be a nullptr, in particular
while tracing is (temporarily) inhibited. This patch ensures that
the 'Thread::trace' accessors never operate on a nullptr.
Fixes#5410
If the memory for the designated object is allocated as char[sizeof(T)],
the size of 'Placeable' is expected to equal the size of T. However, in
principle, the compiler has the freedom to inflate the 'Placeable'
object. The static assertion gives us the assurance that the compiler
does not violate our assumption.
Core uses an instance of 'Pd_session_component' as a representative
for RAM/cap quota accounts used whenever session resources are
donated to core's services. All other facets of 'Pd_sesson_component'
remain unused. Core's instance of 'Pd_session_component' is hosted
at 'Core_env'. Upon its construction, all unused facets of
'Pd_session_component' are initialized by dummy arguments in 'Core_env'.
To overcome the need for dummy arguments, this patch splits the
accounting part of the PD-session interface into a separate
'Pd_account' interface. This gives us the prospect of narrowing
core's current use of 'Pd_session_component' by 'Pd_account',
alleviating dead code and the need for any dummy arguments.
Issue #5408
`Vm_session_component::create_vcpu()` is present across all supported
kernels, yet until now it was not part of the `Vm_session` interface.
Add the method to the `Vm_session` interface. This unifies calls in the
base library and is the basis to remove the need for a common base class
for separate `Vm_session` implementations for SVM and VMX on x86_64.
Issue #5221
Prevent erratic runtime behavior stemming from accidentally passing a
copy to a `Ram_allocator` by making the interface noncopyable.
In consequence, we had to provide an explicit copy constructor for
`Session_env` in server/nic_router, which will be reconsidered in
issue #5405.
Issue #5221
GCC 12 tree-loop-distribute-patterns generates false warnings of
-Warray-bounds, -Wstringop-overflow, or -Wstringop-overread in memcpy()
and memcpy_cpu() in static/inline cases for code that obviously prevents
its execution by invariant checking. On -O3, even more warnings are
produced.
The operators == and != make the 'Rect' consistent with 'Point' and
'Area'. The patch also adds the 'Rect::clamp' method, which is generally
useful for sanitizing input.
Issue #5352
The new bytes() accessor returns a Byte_range_pointer as an alternative
to the 'local_addr' for accessing the content of the dataspace. This
facilitates the safe practice of passing (and validating) the buffer
bounds along with the pointer.
Issue #5351
By default, a 'Connection' donates an amount of caps as declared in
SESSION_TYPE::CAP_QUOTA to the server at session-creation time.
In some situations, however, a client may deliberately want to donate a
larger amount. For example, when opening a GUI session at the wm, the
total amount of needed caps is the sum of those consumed by the wm plus
those consumed by nitpicker. Using this knowledge, the Gui::Connection
may specify a sufficient amount to avoid iterative session-creation
retries. The new 'Connection' constructor accommodates this use case by
accepting an explicit 'cap_quota' argument.
Issue #5340
Add extended FPU state detection and handling (via xsave and friends) to the
kernel, which has to store/load more FPU state (~512 -> 2k++) during context
switching of threads. Additional the referenced nova branch contains various
optimization during VM destruction and cross core IPC resource caching.
This FPU work is based upon upstream NOVA kernel and Hedron commits.
Issue #5314Fixes#3914
This patch replaces the former Child::Process and
Child::Process::Loaded_executable classes by static functions that
return failure conditions as return values.
Issue #5245
- Remove exceptions
- Use 'Attr' struct for attach arguments
- Let 'attach' return 'Range' instead of 'Local_addr'
- Renamed 'Region_map::State' to 'Region_map::Fault'
Issue #5245Fixes#5070
The 'Thread_creation_failed' error is now reflected as
'Thread::Start_result' return value. This change also removes the
use of 'Invalid_thread' within core as this exception is an alias
of Cpu_session::Thread_creation_failed.
Issue #5245
