The new 'Local_rm' type offers a narrow interface for the interaction
with the component-local address space, managing the lifetime of
attachments by using the 'Allocation' API.
Fixes#5516
This catches bugs early on. E.g., when leaving an 'Allocation'
unused, it gets immediately deallocated, which is most probably not
intended. For regular 'Attempt' objects, this change encourages
the proper propagation of errors, or at least the logging of unexpected
conditions.
Fixes#5513
This patch converts the memory-allocator interfaces ('Allocator',
'Range_allocator') and their implementations ('Heap', 'Sliced heap',
'Slab', 'Allocator_avl', 'Synced_allocator') to the new 'Allocation'
utility. The new interface resides at base/memory.h whereas the
traditional allocators implement the new interface.
Down the road, the traditional allocators can successively be decoupled
from the traditional 'Allocator' and 'Range_allocator' interfaces.
Issue #5502
Issue #5245
The new 'raise' function can be used instead of 'throw' to keep the
framework headers void of C++ throw statements, which would otherwise
prevent the compilation of the headers with -fno-exceptions.
In the presence of the C++ runtime, the 'raise' implementation reflects
the supplied error value(s) as C++ exceptions of the appropriate type.
In the (future) optional absence of the C++ runtime, 'raise' remains
unresolved, which then gives us the assurance that the binary contains
no code path leading to 'raise', all error conditions must have been
covered in other ways than 'raise'.
For this reason, 'Genode::raise' is not provided by the base library
but the cxx library (C++ runtime). Once we allow components to opt out
of the cxx library, 'raise' will automatically become unresolved for
those strict components.
Issue #5245
The new types in base/ram.h model different allocation scenarios and
error cases by mere C++ types without using exceptions. They are meant
to replace the former 'Ram_allocator' interface. As of now, the
'Unmapped_allocator' closely captures the former 'Ram_allocator'
semantics. The 'Constrained_allocator' is currently an alias for
'Unmapped_allocator' but is designated for eventually allocating
mapped RAM.
In contrast to the 'Ram_allocator' interface, which talked about
dataspace capabilites but left the lifetime management of the
allocated RAM to the caller, the new API represents an allocation
as a guard type 'Allocation', which deallocates on destruction by
default.
Allocation errors are captured by a 'Result' type that follows
the 'Attempt' pattern.
As a transitionary feature, the patch largely maintains API
compatibility with the original 'Ram_allocator' by providing
the original (exception-based) 'Ram_allocator::alloc' and
'Ram_allocator::free' methods as a wrapper around the new
'Ram::Constrained_allocator'. So components can be gradually
updated to the new 'Ram::' interface.
Issue #5502
After constructed, a 'Thread' object may remain in a dysfunctional state
should the stack allocation have failed. This condition is no longer
reflected as a C++ exception but as result value of 'Thread::info()'.
Keep 'Thread::name' as public constant because the stack is not always
available for storing the name.
The 'stack_top' accessor has been removed because this information is
already provided by 'Thread::info()'.
Issue #5245
With this patch, the 'Pd_session' interface no longer implements the
'Ram_allocator' interface, which allows us to change the
'Genode::Ram_allocator' semantics (as a subsequent step) without
affecting core's PD service.
The patch also replaces the client-local implementation of
'Pd_session_client::dataspace_size' by the proper RPC call 'ram_size' to
core, which mitigates the potential risk of de-referencing a dataspace
cap of an untrusted origin. E.g., in scenarios where the monitor
component requests the size of a dataspace allocated by the debugging
target.
Since 'ram_size' is an RPC call, it cannot be const. Hence, the
'Ram_alloctor::dataspace_size' has become non-const.
The new 'Pd_ram_allocator' implements the 'Ram_allocator' interface by
using a PD session.
Issue #5502
With planned removal of Thread:: exceptions, we need to consider that a
'Thread' object may exist without a valid 'Stack' and therefore without
a valid 'Native_thread', which is hosted as part of the 'Stack'.
This patch reworks the code that accesses the 'Native_thread' to use the
new 'Thread::with_native_thread' interface. Within the local scope,
the native thread is referred to as 'nt'.
The _init_platform_thread and _deinit_platform_thread() have been
replaced by _init_native_thread and _deinit_native_thread, which take
a 'Stack &' as argument.
As a safety caution, 'Native_thread' objects can no longer be copied.
Issue #5245
This patch changes the way of how the client-selected sub directory is
communicated to the server. The former opaque session argument is now
passed as last label element, which allows for the flexible tweaking
of this argument by init's session-routing and label-rewriting
mechansims. In particular, it alleviates the need for creating chroot
component instances.
This change requires the following four adaptations at the
configuration level:
- Each file-system session request must now carry a path starting
with / as last session arguments. Hence, <vfs> <fs> nodes that
feature a 'label' attributes must extend the attribute value
with " -> /". For <fs> nodes with no label attribute, "/" is
used as last label argument by default.
- For matching session-routing rules at init's configuration,
the matching of full labels should be replaced by 'label_prefix'
matches, excluding the last (path) argument.
- Wherever a label of a file-system session is rewritten by using
init's 'label' attribute of a <parent> or <child> target node,
the new attribute 'identity' should be used instead. This replaces
the identity part of the label while preserving the client's
directory argument.
- Analogously to the matching of session-routing rules, server-side
policy-selection rules that formerly matched a concrete 'label'
must be changed to match a 'label_prefix' instead.
As a good practice, 'label_prefix' values should end with " ->" if
possible, which clearly delimits the identity part of the label
used by the matching.
Issue #5445
This patch adjusts the last remaining callers of 'core_env' and removes
the 'Core_env' interface.
- Core's RAM/cap accounts are now represented by 'Core_account'
implementing the 'Pd_account' interface.
- The former parts of 'Core_env' are now initialized in sequence
in 'bootstrap_component'.
- 'Core_child' has been moved to a header to reduce the code in
'main.cc' to a bare minimum. This as a preparation for the
plan of making 'main.cc' specific for each kernel.
Fixes#5408
This patch replaces the use of 'core_env()' in 'platform_services.cc' by
the function arguments 'core_ram', 'core_rm', and 'io_port_ranges'.
It also removes the 'Pd_session' argument from 'Io_port_root' and
'Irq_root' to avoid the reliance on the 'Pd_session' interface within
core,
Issue #5408
Replace the use of the global 'core_env()' accessor by the explicit
delegation of interfaces.
- For allocating UTCBs in base-hw, 'Platform_thread' requires
a way to allocate dataspaces ('Ram_allocator') accounted to the
corresponding CPU session, a way to locally map the allocated
dataspaces (core's 'Region_map'), and a way to determine the
physical address (via 'Rpc_entrypoint') used for the initial
UTCB mapping of main threads. Hence those interfaces must be
passed to 'Platform_thread'.
- NOVA's pager code needs to look up 'Cpu_thread_component'
objects using a map item as key. The lookup requires the
'Rpc_entrypoint' that hold the 'Cpu_thread_component' objects.
To make this 'Rpc_entrypoint' available, this patch adds
the 'init_page_fault_handing' function.
- The 'Region_map_mmap' for Linux requires a way to look up
'Linux_dataspace' objects for given dataspace capabilities.
This lookup requires the 'Rpc_entrypoint' holding the dataspaces,
which is now passed to 'platform.cc' via the new Linux-specific
'Core_region_map::init' function.
Issue #5408
This patch replaces the former Child::Process and
Child::Process::Loaded_executable classes by static functions that
return failure conditions as return values.
Issue #5245
This patch tightens the coupling of the 'Platform_thread' objects
with their corresponding 'Platform_pd' objects by specifying the
'Platform_pd' as constructor argument, keeping the relationship
as a reference (instead of a pointer), and constraining the
lifetime of 'Platform_pd' objects to the lifetime of the PD.
It thereby clears the way to simplify the thread creation since all
PD-related information (like quota budgets) are now known at the
construction time of the 'Platform_thread'.
The return value of 'Platform_thread::start' has been removed because it
is not evaluated by 'Cpu_thread_component'.
Related to #5256
- Remove exceptions
- Use 'Attr' struct for attach arguments
- Let 'attach' return 'Range' instead of 'Local_addr'
- Renamed 'Region_map::State' to 'Region_map::Fault'
Issue #5245Fixes#5070
The 'Thread_creation_failed' error is now reflected as
'Thread::Start_result' return value. This change also removes the
use of 'Invalid_thread' within core as this exception is an alias
of Cpu_session::Thread_creation_failed.
Issue #5245
This patch removes the exception formerly thrown by 'Cpu_thread::state'
and turns the 'Thread_state' structure into a plain compound type w/o a
constructor.
Issue #5245Fixes#5250
This patch replaces exceptions of the PD session RPC interface with
result types.
The change of the quota-transfer RPC functions required the adaptation
of base/quota_transfer.h and base/child.h.
The 'alloc_signal_source' method has been renamed to 'signal_source'
to avoid an exceedingly long name of the corresponding result type.
The Pd_session::map function takes a 'Virt_range' instead of basic-type
arguments.
The 'Signal_source_capability' alias for 'Capability<Signal_source>' has
been removed.
Issue #5245
With `MAP_FIXED` absent from the mmap(3p) flags, "the implementation uses
addr in an implementation-defined manner to arrive at pa", which may
lead to a mapping at an address diffent to the requested `addr`.
Add `MAP_FIXED` to the mmmap flags to force mapping to the specified
address.
Fixes#5147
