Commit Graph

610 Commits

Author SHA1 Message Date
Johannes Schlatow
c1caeb7e70 zynq: improve cache handling in nic_drv
Clean and invalidate caches in nic_drv before/after triggering DMA.

Issue #3179
2019-02-26 14:47:02 +01:00
Norman Feske
5ed5fddb7c base/os: remove deprecated APIs
This commit removes APIs that were previously marked as deprecated. This
change has the following implications:

- The use of the global 'env()' accessor is not possible anymore.
- Boolean accessor methods are no longer prefixed with 'is_'. E.g.,
  instead of 'is_valid()', use 'valid()'.
- The last traces of 'Ram_session' are gone now. The 'Env::ram()'
  accessor returns the 'Ram_allocator' interface, which is a subset of
  the 'Pd_session' interface.
- All connection constructors need the 'Env' as argument.
- The 'Reporter' constructor needs an 'Env' argument now because the
  reporter creates a report connection.
- The old overload 'Child_policy::resolve_session_request' that returned
  a 'Service' does not exist anymore.
- The base/printf.h header has been removed, use base/log.h instead.
- The old notion of 'Signal_dispatcher' is gone. Use 'Signal_handler'.
- Transitional headers like os/server.h, cap_session/,
  volatile_object.h, os/attached*_dataspace.h, signal_rpc_dispatcher.h
  have been removed.
- The distinction between 'Thread_state' and 'Thread_state_base' does
  not exist anymore.
- The header cpu_thread/capability.h along with the type definition of
  'Cpu_thread_capability' has been removed. Use the type
  'Thread_capability' define in cpu_session/cpu_session.h instead.
- Several XML utilities (i.e., at os/include/decorator) could be removed
  because their functionality is nowadays covered by util/xml_node.h.
- The 'os/ram_session_guard.h' has been removed.
  Use 'Constrained_ram_allocator' provided by base/ram_allocator.h instead.

Issue #1987
2019-02-26 14:44:15 +01:00
Norman Feske
b24edc1633 Remove residual uses of deprecated APIs
Issue #1987, related also to issue #3163 and issue #3164.
2019-02-19 11:12:12 +01:00
Norman Feske
b3727a9b46 Add missing override annotations
Issue #3159
2019-02-19 11:12:11 +01:00
Norman Feske
00fa48a886 os: new Block::Request_stream API
Issue #3092
2019-02-19 11:12:10 +01:00
Josef Söntgen
f9523c32d5 os: accessor for addr and size of packet stream 2019-02-19 11:08:18 +01:00
Norman Feske
3858e1df51 os: support for deferred packet-stream signals
This patch enhances the packet-stream API with the principle ability to
side-step the built-in implicity data-flow signals and manage the
signals manually. This allows for a more efficient batching of packet
processing.

Issue #3092
2019-02-19 11:08:18 +01:00
Norman Feske
69d6145f5a os: don't hide tx_cap from block-session interface
The 'tx_cap' RPC function is only used at session-creation time. For
this reason, it was not listed in the "official" RPC interface in
'block_session.h'. However, this makes the interface more obscure than
it needs to be. So this patch promotes it to a regular RPC function.

Issue #3092
2019-02-19 11:08:18 +01:00
Emery Hemingway
22327b43ae Refactor terminal for intrinsic Unicode support
Refactor the graphical terminal server to internally represent
characters as 16-bit codepoints and handle the duplex terminal stream as
UTF-8.

- Make the Codepoint class printable to the Output interface
- Decode data received at the Terminal session from UTF-8 to a 16-bit
  character
- Pass 16-bit characters through terminal decoder and char-cell arrays
- Send Unicode through terminal session in a burst of UTF-8 bytes

Fix #3148
2019-02-19 11:08:17 +01:00
Norman Feske
d3759811b6 os/session_policy: warn if no policy exists
The situation where a 'Session_policy' is constructed for a label with
no matching policy is in almost all cases a configuration problem.
A diagnostic message eases pin-pointing such mistaks. By adding the
message to the 'Session_policy', servers don't need to manually handle
the exception to provide diagnostic information. This simplifies the
server code in many components.
2019-01-30 13:49:55 +01:00
Norman Feske
ba2b0b8360 gems: remove the use of deprecated APIs
This patch also updates os/slave.h because the app/launcher cannot be
reasonably updated without it.

Issue #1987
Issue #3125
2019-01-30 13:49:54 +01:00
Norman Feske
6b94e65a95 os: avoid using deprecated APIs
Issue #1987
Issue #3125
2019-01-30 13:49:54 +01:00
Norman Feske
bf62d6b896 Move timer from os to base repository
Since the timer and timeout handling is part of the base library (the
dynamic linker), it belongs to the base repository.

Besides moving the timer and its related infrastructure (alarm, timeout
libs, tests) to the base repository, this patch also moves the timer
from the 'drivers' subdirectory directly to 'src' and disamibuates the
timer's build locations for the various kernels. Otherwise the different
timer implementations could interfere with each other when using one
build directory with multiple kernels.

Note that this patch changes the include paths for the former os/timer,
os/alarm.h, os/duration.h, and os/timed_semaphore.h to base/.

Issue #3101
2019-01-14 12:33:57 +01:00
Norman Feske
76e96e92cb nitpicker: avoid color bleeding
This patch improves the output of opaque pixels in the presence of an
alpha channel by adding a special case for the maximum alpha value.

Fixes #2831
2019-01-07 12:43:23 +01:00
Norman Feske
56cb1885bb decorator: make window-layout updates more robust
This patch improves the window decorators in the following respects:

* Strict warnings are enabled now.
* The use of the 'List_model' makes the application of window-
  layout changes more robust. This is particularly the case for
  the restacking of windows.
* Display-mode changes are now supported by both decorators.

Issue #3094
2019-01-07 12:33:57 +01:00
Josef Söntgen
108034b050 packet_stream: packets w/o payload are still valid
Packets whose data is stored within the Packet_descriptor itself
but not as payload, .e.g Usb::Packet_descriptor, are valid packets
after all. So loosen the packet valid check for zero-sized packets
is reasonable.

Fixes #3076.
2019-01-07 12:33:54 +01:00
Alexander Boettcher
85b998a4af os: nullpointer check in os/path.h
Issue #3022
2019-01-07 12:25:45 +01:00
Alexander Boettcher
dbeb1b82a9 os: avoid warning in ethernet.h
issued by clang/llvm static analyzer
2019-01-07 12:25:45 +01:00
Alexander Boettcher
aa03c4ce9f os: avoid garbage warnings in app/painter
Issue #3022
2019-01-07 12:25:45 +01:00
Alexander Boettcher
5572430ba5 os: avoid ambiguous warnings for vfs/server
between File_system and Vfs::File_system

Issue #3022
2019-01-07 12:25:45 +01:00
Emery Hemingway
9c7d5b2a66 Implement print and min/max for Microseconds and Milliseconds
Ref #3050
2019-01-07 12:25:42 +01:00
Emery Hemingway
a2bdcc68c2 Throw exception for invalid packets at packet streams
Some application code is dereferencing the pointer returned by
'packet_content' at packet streams without checking that it is valid.
Throw an exception rather than return a null pointer, except for
zero-length packets, which have somewhat implicit invalid content and
that we believe to be properly handled in all current cases.

The client-side of a packet stream cannot take corrective action if the
server-side is sending packets with invalid content, but the servers
that provide packet streams should catch this exception to detect
misbehaving clients.

Ref #3059
2018-11-29 11:54:29 +01:00
Johannes Schlatow
74f2954013 packet_stream: improve buffer alignment
The bulk buffer is now 64Byte-aligned so that the allocated
packets get aligned likewise (assumed the packet allocator uses an
appropriately aligned block size). This ensures that each packet
starts at a new cache line on common platforms.

Issue #3053
2018-11-29 11:46:02 +01:00
Christian Prochaska
fd7ab79fe0 vfs: implement 'complete_sync()' in 'Single_file_system'
Fixes #3047
2018-11-27 11:38:13 +01:00
Norman Feske
c60604062c decorator: improve robustness of window restacking
This patch improves the detection of new appearing top-most windows.
Such a window should prompt the decorator to bring the corresponding
nitpicker view(s) to the front of the view stack. The original
implementation relied on hints provided by the layouter (the 'topped'
attribute). With the patch, the decorator tracks the top-most window by
itself, which improves the robustness.

As a second improvement, the patch defers the destruction of windows to
the point when all other window operations are completed. This hides
intermediate states when replacing one window by another in one step,
which is typical for console-like scenarios. Hence, this patch should
eliminate flickering artifacts when switching from one virtual console
to another.

Issue #3031
2018-11-16 14:53:26 +01:00
Christian Prochaska
9a2af89c4e vfs: use correct enum values in 'Dir_file_system::open_composite_dirs()'
Fixes #2968
2018-09-13 15:21:11 +02:00
Josef Söntgen
0603481aaa terminal: remove upper character range check
The more constrained upper limit leads to ommitted characters like
umlauts.

Fixes #2957.
2018-09-03 17:07:00 +02:00
Emery Hemingway
2041f957da Terminal: improved handling of escape sequences
Add additional parsing modes to the sequence decoder to detect and
discard unhandled sequences for ECMA-48, DEC private, and Xterm.

Add new behavior for cursor movement, cursor hiding, character deletion,
and line-wrapping.

Fix #2923
2018-08-08 11:27:41 +02:00
Emery Hemingway
08b774e318 VFS: add an error to to the Sync_result enum
Sync errors can be used to indicate failed writes across the File_system
session.

Ref #2920
2018-08-02 14:36:49 +02:00
Sebastian Sumpf
037a0d6822 usb_drv: add isochronous packet support
Commit extents USB session an driver accordingly.

issue #2910
2018-08-02 14:36:46 +02:00
Christian Prochaska
b2f7a6a934 vfs_lxip: look up path in 'leaf_path()'
Fixes #2913
2018-08-02 14:36:43 +02:00
Christian Prochaska
e3005266b6 vfs: no 'handle_io_response()' in regular VFS functions
Calling 'handle_io_response()' in a regular VFS function (in contrast to a
post-signal hook) can cause problems if the caller of the VFS function holds
a lock which prevents the io response handler from returning.

With this commit, the user of the VFS becomes responsible for unblocking
threads which might be blocking after a failed 'queue_read()', 'queue_sync()'
or 'write()' call.

Fixes #2896
2018-08-02 14:36:43 +02:00
Emery Hemingway
c18bee3d5b Input::Binding for non-C++ language bindings
Quietly insert forward declaration of a Input::Binding class, and make
it a friend of Input::Event and Input::Session_client. This is to allow
non-C++ language bindings (Nim) to access private members by providing
their own implementation of the Binding class.

Fix #2889
2018-07-03 09:39:35 +02:00
Emery Hemingway
e8dc6c84a4 Add missing XML header to vfs/file_system.h
Ref #2870
2018-07-03 09:39:34 +02:00
Emery Hemingway
366913c146 ram_fs: unmark modification from nodes that have been synced
Removed the modified mark from handles that have been written to when
they are synced, otherwise a notification would be sent again when the
handle is closed.

Ref #2839
2018-06-29 10:44:54 +02:00
Norman Feske
87be50c542 os: add Expanding_reporter::generate(Xml_node)
This method allows for the verbatim reporting of an existing XML node.
2018-05-30 13:36:40 +02:00
Martin Stein
734d174f33 net: get rid of unused mac_from_string method
Issue #2815
2018-05-30 13:36:36 +02:00
Martin Stein
342bdaf4a2 net: generic ascii_to for Netaddress template
Issue #2837
2018-05-30 13:36:32 +02:00
Christian Prochaska
c5f1ac615c Usb::Packet_handler: avoid completion handler recursion
Fixes #2828
2018-05-30 13:36:20 +02:00
Emery Hemingway
29c08d4751 Fix types for VFS error printing
Ref #2793
2018-05-30 13:36:14 +02:00
Martin Stein
41dbad13e4 nic_router/nic_bridge: re-work Mac_allocator
The old MAC allocator had several drawbacks:

* the address base was a public static that could and must have been written
  directly from outside the class
* the in-use-flag array was based on unsigned values consuming 4 bytes each
  for only one bit of information
* it was a public header that we actually don't want to expose to all
  components but only to the few networking components
* it used the not-so-safe bit notation for integer members of GCC

The new version fixes all these drawbacks.

Issue #2795
2018-05-30 13:36:11 +02:00
Martin Stein
980f3e9c5c net: use Size_guard for packet-data accessors
Instead of handing over the maximum available size to the packet data
accessors, hand over a size guard that keeps track of the packets
boundaries.

This commit also moves the size-guard utilitiy header of Ping and NIC
Router to the include/net directory making it a part of the net library.
It applies the new approach to all net-lib users in the basic repositories.

Ping looses its configurability regarding the ICMP data size as this would
require an additional method in the size guard which would be used only by
Ping.

The size guard was also re-worked to fit the fact that a packet can
bring a tail as well as a header (Ethernet).

Issue #2788
2018-05-30 13:36:11 +02:00
Emery Hemingway
483d005350 VFS: detect root dir based on config node type
Ref #2782
2018-05-03 15:32:00 +02:00
Norman Feske
8e0cc44e24 terminal: preserve content during resize
This patch eliminates the flickering of the terminal during resize.
2018-05-03 15:31:59 +02:00
Emery Hemingway
0b980073c1 VFS: close handles via handle method
The using pattern 'handle->close' is less error prone than attempting
'handle->ds().close(handle)' or 'fs.close(handle)'.

Ref #2782
2018-05-03 15:31:57 +02:00
Martin Stein
11a297b557 net: consider tail of Ethernet frame
The Ethernet payload may be followed by padding of variable length and
the FCS (Frame Check Sequence). Thus, we should consider the value
"Ethernet-frame size minus Ethernet-header size" to be only the maximum
size of the encapsulated IP packet. But until now, we considered it to
be also the actual size of the encapsulated IP packet. This commit fixes
the problem for all affected components of the Genode base-repository.

Fixes #2775
2018-05-03 15:31:57 +02:00
Martin Stein
841d583678 net: implement Udp_packet::checksum_error
For checking the checksum of a UDP packet.

Issue #2775
2018-05-03 15:31:56 +02:00
Martin Stein
6b55790e73 net: use generic internet checksum
This reduces the redundant implementations of checksum calculation to
one generic implementation, makes the checksum interface conform over
all protocols, and brings performance optimizations. For instance,
the checksum is now calculated directly in big endian which saves us
most of the previously done byte-re-ordering.

Issue #2775
2018-05-03 15:31:56 +02:00
Martin Stein
373134c4e7 net: safer access to packet data
Replace packet method 'T *data' by the new methods 'T &reinterpret_data'
for parsing or modifying existing sub-protocol packets and 'T
&construct_at_data' for composing a new sub-protocol packet. This has
the advantage that, when composing a new packet, the default constructor
that zero-fills the packet is always called first.

Fixes #2751
2018-05-03 15:31:54 +02:00
Norman Feske
afcad2a968 os: new Input::Event representation
This commit changes the 'Input::Event' type to be more safe and to
deliver symbolic character information along with press events.

Issue #2761
Fixes #2786
2018-05-03 15:31:25 +02:00
Norman Feske
1f1302e185 terminal: use VFS-based font handling
This patch replaces the terminal's formerly built-in fonts with the new
VFS-based font handling.

To avoid the copying of the terminal's font configuration across run
scripts, this patch adds the new terminal/pkg runtime package, which
includes everything needed for instantiating a terminal: the actual
terminal component, the library dependencies (vfs_ttf, which in turn
depends on the libc), a font (bitstream-vera), and a reasonable default
configuration.

Fixes #2758
2018-05-03 15:31:17 +02:00
Norman Feske
0011dd1623 terminal: remove built-in keyboard layout handling
Fixes #2757
2018-04-19 13:38:34 +02:00
Norman Feske
8bcf540915 os: add Text_painter::Font::height method
Issue #2716
2018-04-19 13:38:33 +02:00
Norman Feske
0a72b37363 vfs: Simple::env::apply_config 2018-04-19 13:38:33 +02:00
Emery Hemingway
3c07860aad VFS: watch result is ERR_UNACCESSIBLE by default
Ref #2745
2018-04-19 12:38:50 +02:00
Emery Hemingway
97f50e8e15 VFS: dir fs Opendir must open at least one directory to succeed
Ref #2745
2018-04-19 12:38:50 +02:00
Emery Hemingway
82a683eccc VFS: construct file-systems using Vfs::Env object
Reduce the size and forward compatibility of VFS file-system
constructors by passing an object holding accessors for 'Genode::Env',
'Genode::Allocator', response handlers, and the root file-system.

Fix #2742
2018-04-19 12:38:27 +02:00
Martin Stein
f9af0e6f0c net: packed attribute for Icmp_packet 2018-04-10 13:03:26 +02:00
Martin Stein
ca1751528d net: utilities for DHCP parameter-request lists
Issue #2738
2018-04-10 11:20:49 +02:00
Norman Feske
9d233b73a3 nitpicker: improve 'Session::focus' handling
Nitpicker's 'Session:focus' call used to trigger a one-off focus change
at call time. This focus change did not pass the same code paths as a
focus change triggered by a "focus" ROM update, which led to
inconsistencies.

This patch changes the implementation of 'Session::focus' such that the
relationship of the caller and the focused session is preserved after
call time. Whenever the calling session is focused in the future, the
specified session will receive the focus instead. So 'Session::focus'
represents no longer a single operation but propagates the information
about the inter-session relationship. This information is taken into
account whenever the focus is evaluated regardless of how the change is
triggered.

This makes the focus handling in scenarios like the window manager more
robust.

Issue #2746
2018-04-10 11:20:47 +02:00
Martin Stein
6edf9ccf5a net: get rid of static constructors 2018-04-10 11:20:44 +02:00
Norman Feske
97317b0c95 terminal: change term caps from linux to screen
Fixes #2743
2018-04-10 11:20:43 +02:00
Martin Stein
f152e3e9d0 timeout: dequeue all pending alarms before reschedule
This fixes the problem that large timeouts, when rescheduled, are interpreted
to be from the last now_period instead of, what would be right, the next
now_period. This occured if there were multiple pending alarms at the head of
the queue and the reschedule of the first one was done with the other outdated
deadlines still in place.

Issue #2704
2018-04-10 11:11:55 +02:00
Martin Stein
bfb96536da timeout: _setup_alarm calculates deadline itself
Instead of taking the absolute deadline of a timeout as argument from
outside (where it is calculated with a freshly requested now time), we
now take a relative duration as argument and calculate the deadline with
the scheduler-internal now time (which can be a little bit outdated).
This enables us to schedule timeouts without updating the internal now time
and thereby handle all pending timeouts.

Issue #2704
2018-04-10 11:11:55 +02:00
Martin Stein
38dbd59d8a timeout: become independent of the Alarm framework
Integrate the code of the Alarm framework directly into the Timeout
framework.  The former Alarm-framework methods are all private to the
corresponding classes of the Timeout framework and get prefixed with
'_alarm__'. The latter avoids name clashes and makes it easier to
simplify the code later.

Issue #2704
2018-04-10 11:11:54 +02:00
Martin Stein
365bd347a6 net: ICMP protocol
Packet format and common utilities for the Internet Control Message
Protocol.

Issue #2732
2018-04-10 11:11:52 +02:00
Emery Hemingway
9c6b720ec1 Notification support for the VFS library
Add a new 'Vfs_watch_handle' type to the VFS interface. This handle type
will pass a handle context up through the I/O handler to the application
when a notification event occurs.

Watch support implemented for RAM and File_system plugins, all other
file-systems return WATCH_ERR_STATIC by default.

Test at run/fs_rom_update_ram and run/fs_rom_update_fs.

Fix #1934
2018-04-10 11:11:51 +02:00
Emery Hemingway
344d46ce78 Comparision operators for Genode::Path
Ref #1934
2018-04-10 11:11:51 +02:00
Emery Hemingway
8310a94843 os/path: const 'string' accessor
Ref #2160
2018-04-10 11:11:50 +02:00
Norman Feske
3778558608 os: reworked nitpicker_gfx/text_painter.h
This patch improves the `Text_painter` utility that is commonly used by
native Genode components to render text:

- Support for subpixel positioning
- Generic interface for accessing font data
- Basic UTF-8 support

Since the change decouples the font format from the 'Text_painter' and
changes the API to use the sub-pixel accurate 'Text_painter::Position'
type, all users of the utility require an adaptation.

Fixes #2716
2018-04-10 11:09:18 +02:00
Norman Feske
07cd0d5809 vfs: add 'Readonly_value_file_system'
This file system is meant as a building block for pseudo file systems
that host a directory of several small files where each corresponds to
an attribute of the pseudo file system.
2018-04-10 11:09:18 +02:00
Norman Feske
48c5707a0c vfs: relax root_dir argument of 'Dir_file_system'
By letting the 'Dir_file_system' accept an arbitrary 'File_system'
as root directory, we can use the 'Dir_file_system' as a building
block for creating other file-system types.
2018-04-10 11:09:18 +02:00
Norman Feske
b0b92e4ee2 vfs: pass root directory to plugins
This patch enables the use of the VFS from VFS plugins by passing a
reference of the root directory to the constructors of file-system
instances. Since it changes the signature of 'Vfs::Dir_file_system',
any code that uses the VFS directly requires an adaptation.

Fixes #2701
2018-04-10 11:09:17 +02:00
Norman Feske
d59d07b5e3 os: util/utf8.h for UTF-8 string handling
This patch adds a simple UTF-8 decoder at 'os/include/util/utf8.h'
along with a test at 'os/run/utf8.run'.

Fixes #2717, related to issue #2716
2018-03-27 13:44:27 +02:00
Norman Feske
579ca1063c os: support non-int coordinates in 'Point<>' 2018-03-27 13:43:09 +02:00
Emery Hemingway
013eb506a8 Vfs::Dir_file_system: do not use Vfs_handle for opening directories as files
The Dir_file_system uses static cast to convert handles from the
application to a plugin local type. For this reason, only the local
handle type may be returned from 'opendir' or 'open'. This fixes the
unexpected behavior when opening directories as files.

Fix #2533
2018-02-15 10:22:09 +01:00
Alexander Boettcher
e05a708024 os: reset packet_allocator members
Fixes #2632
2018-02-15 10:22:09 +01:00
Emery Hemingway
4a3fc21ada New watch handle mechanism for File_system session
File_system clients may now watch files and directories for changes by
opening a 'Watch_handle' rather than submitting a 'CONTENT_CHANGED'
packet to the server. When a change happens at a node with an open
Watch_handle a CONTENT_CHANGED packet will be sent from the server to
the client. This serializes registration with other handle operations
and separates I/O handle state from notification handle state.

Test at run/fs_rom_update.

Ref #1934
2018-02-14 20:41:09 +01:00
Emery Hemingway
c7d0accac0 VFS: catch Out_of_ram and Out_of_cap exceptions
Catch out of RAM and capability exceptions and return error values.
Abort opening a composite directory at Dir_file_system where an
opendir call on any child file-system returns an OUT_OF_RAM or
OUT_OF_CAPS error.

Ref #2642
2018-02-14 20:41:07 +01:00
Norman Feske
8aa1e349fc terminal session: propagate resize events
The new 'Terminal_session::size_changed_sigh' RPC function registers a
signal handler that is triggered each time when the terminal size
changes. It enables the client to adjust itself to the new size by
subsequently calling the 'size' RPC function. Of all terminal servers,
only the graphical terminal triggers this signal.
2018-02-14 20:41:03 +01:00
Norman Feske
96a068f90a terminal: improve internal structure
This patch reorganizes the terminal's source code to become easier to
extend. It also enables the strict warning level.
2018-02-09 14:04:32 +01:00
Christian Prochaska
12c8e51071 terminal fixes
- handle line wraps in 'ech()'
- take (1,1) origin into account in 'hpa()' and 'vpa()'
- unify handling of SGR escape sequences of different lengths
- accept the '[?2004h' and '[?2004l' escape sequences (used by midnight commander)

Fixes #2671
2018-02-09 14:04:25 +01:00
Norman Feske
66a93d9199 os: add 'Expanding_reporter' to os/reporter.h
The 'Expanding_reporter' wrapper for the 'Reporter' eliminates
the burden of handling 'Xml_generator::Buffer_exceeded' exceptions
from components that generate reports.

Fixes #2655
2018-02-09 14:04:06 +01:00
Norman Feske
cde8163770 os: make 'Buffered_xml' util publicly available
The 'Buffered_xml' utility is used by three components and a fourth is
on the way. To avoid another duplication of the code, this patch makes
it publicly available at 'os/buffered_xml.h'.
2018-02-09 13:34:17 +01:00
Josef Söntgen
4009239328 vfs: skip synced file systems in complete_sync
Fixes #2606.
2018-01-17 12:14:43 +01:00
Martin Stein
fbd545ae70 net: remove unused enums
Issue #465
2018-01-17 12:14:41 +01:00
Martin Stein
4f1d43ce21 net: remove placement new operators
They are not used any more.

Issue #465
2018-01-17 12:14:41 +01:00
Martin Stein
f4a2d932e3 net: check packet data size in accessor
Instead of having a method validate_size in each packet class, check
sizes in the data accessor of the surrounding packet class. This packet
accessor is the one that casts the data pointer to the desired data type
so it is sensible that it also checks whether the desired type would
exceed the available RAM before doing the cast. This also fits nicely
the fact that for the top-level packet-class of a packet, the size must
not be checked (which was previously done).

Issue #465
2018-01-17 12:14:41 +01:00
Norman Feske
eba9c15746 Follow practices suggested by "Effective C++"
The patch adjust the code of the base, base-<kernel>, and os repository.
To adapt existing components to fix violations of the best practices
suggested by "Effective C++" as reported by the -Weffc++ compiler
argument. The changes follow the patterns outlined below:

* A class with virtual functions can no longer publicly inherit base
  classed without a vtable. The inherited object may either be moved
  to a member variable, or inherited privately. The latter would be
  used for classes that inherit 'List::Element' or 'Avl_node'. In order
  to enable the 'List' and 'Avl_tree' to access the meta data, the
  'List' must become a friend.

* Instead of adding a virtual destructor to abstract base classes,
  we inherit the new 'Interface' class, which contains a virtual
  destructor. This way, single-line abstract base classes can stay
  as compact as they are now. The 'Interface' utility resides in
  base/include/util/interface.h.

* With the new warnings enabled, all member variables must be explicitly
  initialized. Basic types may be initialized with '='. All other types
  are initialized with braces '{ ... }' or as class initializers. If
  basic types and non-basic types appear in a row, it is nice to only
  use the brace syntax (also for basic types) and align the braces.

* If a class contains pointers as members, it must now also provide a
  copy constructor and assignment operator. In the most cases, one
  would make them private, effectively disallowing the objects to be
  copied. Unfortunately, this warning cannot be fixed be inheriting
  our existing 'Noncopyable' class (the compiler fails to detect that
  the inheriting class cannot be copied and still gives the error).
  For now, we have to manually add declarations for both the copy
  constructor and assignment operator as private class members. Those
  declarations should be prepended with a comment like this:

        /*
         * Noncopyable
         */
        Thread(Thread const &);
        Thread &operator = (Thread const &);

  In the future, we should revisit these places and try to replace
  the pointers with references. In the presence of at least one
  reference member, the compiler would no longer implicitly generate
  a copy constructor. So we could remove the manual declaration.

Issue #465
2018-01-17 12:14:35 +01:00
Emery Hemingway
ed89f2f7f0 Add millisecond accessor to Genode::Duration value object
Add a 'trunc_to_plain_ms' method to Gende::Duration to make
millisecond-accurate timing safer and more convenient.

Ref #2335
2017-12-21 15:01:51 +01:00
Martin Stein
70c5c31ec9 nic_router: better warnings on bad DHCP requests
Be more descriptive about why the NIC router thinks that a DHCP request
sent to him is bad.

Issue #2534
2017-12-21 15:01:38 +01:00
Martijn Verschoor
8fe0a7514f Nic::Session_component: pass entrypoint in constructor
Added a new constructor that takes the entrypoint as constructor
argument. The original constructor retrieves the entrypoint from the
Genode environment. This does not allow to use a different entrypoint.
2017-12-21 15:01:33 +01:00
Christian Prochaska
dd98bd67a0 pointer: custom pointer shape support
Make the revised 'vbox_pointer' component the new 'pointer' component.

Fixes #2585
2017-11-30 11:23:22 +01:00
Norman Feske
40c9226bb9 os: add Color::print, enhance ascii_to<Color>
This patch adds a 'Color::print' method as counterpart to the 'ascii_to'
function. If the color is opaque (alpha is 255), its output has the form
"#rrggbb". If the color has a distinct alpha value, the output has the
form "#rrggbbaa". The new version of the 'ascii_to' overload for 'Color'
is able to deal with both forms.
2017-11-30 11:23:14 +01:00
Sebastian Sumpf
9c852c750a vfs: handle root directory explicitly
This makes '/' and the actual root of VFS distinguishable. A VFS root
may contain one ore more '/' entries for each file system. 'opendir' for
the VFS root opens all file systems via 'open_composite_dir', while
'opendir' for '/' only returns a VFS handle.

Fixes #2569
2017-11-30 11:23:10 +01:00
Martin Stein
e87f63944f timeout: replace Duration operators by methods
void += (Microseconds) -> void add(Microseconds)
void += (Milliseconds) -> void add(Milliseconds)
bool < (Duration)      -> bool less_than(Duration)

Issue #2581
2017-11-30 11:23:09 +01:00
Martin Stein
26bcd439f7 timeout: fix bug in duration + duration testing
The += operator contained bugs. We now also do some tests on the Duration
type at the beginning of the timeout test.

Fixes #2581
2017-11-30 11:23:09 +01:00
Norman Feske
a255ffaee9 input: disarm obnoxious press/release events
This patch adds a sanity check to the Event::type accessor. If the key
code of a given PRESS or RELEASE event is out of the valid range, it
reports an INVALID event. This way, client side code does not need to
deal with such edge cases. E.g., on Lenovo notebooks, the ps2 driver
reports strange key events when pressing shift-pageup/pagedown,
violating the general assumption that there is a release event for each
press event. By flagging these events as INVALID, the client-side logic
stays intact.
2017-11-30 11:23:07 +01:00
Emery Hemingway
07b36573ea Restrict VFS Dir_filesystem allocations to 'opendir' only
Allocations made at the client-side of the VFS must be contained within
functions that may return errors indicating resource exhaustion.

Fix #2569
2017-11-30 11:23:02 +01:00
Emery Hemingway
a0c0f3d7c9 Print support for VFS errors
Ref #2569
2017-11-30 11:23:02 +01:00
Emery Hemingway
ca0c86e7af Enforce cap quotas at VFS server, increase initial File_system cap donation
Check at the VFS server that the capability cost of sessions do not
exceed the session quota donation. Raise the default initial capability
donation for File_system connections.

Fix #2553
2017-11-30 11:23:02 +01:00
Norman Feske
55dc3abf00 Move gems/bezier.h to util/bezier.h (in repos/os)
This way, os components (i.e., input_filter) can use it for nonlinear
interpolation.
2017-11-09 12:18:43 +01:00
Christian Prochaska
547cc06976 ram_fs: throw exception when unlinked node gets accessed
Fixes #2536
2017-11-09 12:18:05 +01:00
Martin Stein
0ca248551a net: move Ipv4_address_prefix to nic_router
As this tool is not used by any other component make it local to the
NIC router to keep the net-lib interface small.

Ref #2534
2017-11-06 13:57:21 +01:00
Martin Stein
50aba6f21b dhcp: support reading of some further option types
Client ID, maximum message size, IP lease time, and requested address.
All needed for the upcoming DHCP client.

Ref #2534
2017-11-06 13:57:21 +01:00
Norman Feske
dd5b03671d os: don't limit file-systems-session upgrades
The 'File_system::Connection' already performs an on-demand session
upgrade should the server report an 'Out_of_caps' or 'Out_of_ram'
condition. So file-system clients are normally relieved from handling
those exceptions. However, the upgrade was limited to two attempts per
operation (which amounts to 16 KiB). When using the Rump VFS plugin in
the VFS server, this amount does not always suffice. So the exception is
reflected to the client. I observed this problem as a message "unhandled
error" printed by fs_rom. This patch removes the upgrade limit such that
a greedy file-system server becomes iteratively upgraded until it stops
arguing or the client's RAM is exhausted.
2017-11-06 13:57:18 +01:00
Martin Stein
30a96706cb nic_router: dhcp server functionality
One can configure the NIC router to act as DHCP server at interfaces of a
domain by adding the <dhcp> tag to the configuration of the domain like
this:

<domain name="vbox" interface="10.0.1.1/24">
    <dhcp-server ip_first="10.0.1.80"
                 ip_last="10.0.1.100"
                 ip_lease_time_sec="3600"
                 dns_server="10.0.0.2"/>
    ...
</domain>

The attributes ip_first and ip_last define the available IPv4 address
range while ip_lease_time_sec defines the lifetime of an IPv4 address
assignment in seconds. The IPv4 address range must be in the subnet
defined by the interface attribute of the domain tag and must not cover
the IPv4 address in this attribute. The dns_server attribute gives the
IPv4 address of the DNS server that might also be in another subnet.
The lifetime of an offered assignment is the configured round trip time of
the router while the ip_lease_time_sec is applied only if the offer is
requested by the client in time.

The ports/run/virtualbox_nic_router.run script is an example of how to
use the new DHCP server functionality.

Ref #2490
2017-10-19 13:31:15 +02:00
Martin Stein
d63c40af3e dhcp: extend options utilities
Provide utilities for appending new options to an existing DHCP packet
and a utility for finding existing options that returns a typed option
object. Remove old version that return untyped options.

Ref #2490
2017-10-19 13:29:44 +02:00
Martin Stein
791fd9806f ipv4 address: conversion from and to integer
Ref #2490
2017-10-19 13:29:43 +02:00
Martin Stein
d0f5838c61 net: clean up header fields and accessors
Apply the style rule that an accessor is named similar to the the underlying
value. Provide read and write accessors for each mandatory header attribute.
Fix some incorrect structure in the headers like with the flags field
in Ipv4_packet.

Ref #2490
2017-10-19 13:29:43 +02:00
Martin Stein
7b55d4d5d9 ethernet: rework type for ethernet type value
Encapsulate the enum into a struct so that it is named
Ethernet_frame::Type::Enum, give it the correct storage type
uint16_t, and remove those values that are (AFAIK) not used by
now (genode, world).

Ref #2490
2017-10-19 13:29:43 +02:00
Christian Helmuth
f9b3c6d2cf Remove unused os/alarm.h include from loader 2017-10-19 13:29:41 +02:00
Christian Helmuth
28004bc9e6 timer: limit rate of handling timeouts
Ensure that the timer does not handle timeouts again within 1000
microseconds after the last handling of timeouts. This makes denial of
service attacks harder. This commit does not limit the rate of timeout
signals handled inside the timer but it causes the timer to do it less
often. If a client continuously installs a very small timeout at the
timer it still causes a signal to be submitted to the timer each time
and some extra CPU time to be spent in the internal handling method. But
only every 1000 microseconds this internal handling causes user timeouts
to trigger.

If we would want to limit also the call of the internal handling method
to ensure that CPU time is spent beside the RPCs only every 1000
microseconds, things would get more complex. For instance, on NOVA
Time_source::schedule_timeout(0) must be called each time a new timeout
gets installed and becomes head of the scheduling queue. We cannot
simply overwrite the already running timeout with the new one.

Ref #2490
2017-10-05 17:40:05 +02:00
Norman Feske
6d361b337b input/root.h: support re-opening of sessions
This patch fixes an aliasing problem of the 'close' method signature
that prevented the Input::Root_component::close method to be called.
This way, the event-queue state was not reset at session-close time,
which prevented a subsequent session-creation request to succeed. With
the patch, input servers like ps2_drv, usb_drv that rely on the
Input::Root_component support the dynamic re-opening of sessions. This
happens in particular when using a dynamically configured input filter.
2017-10-05 17:40:03 +02:00
Josef Söntgen
e1ada57bfa vfs: use unsigned 64bit for media size ioctl
Fixes #2523.
2017-10-05 17:40:02 +02:00
Norman Feske
6fcf95d536 terminal: cursor-key handling w/o set key layout
This patch applies the handling of cursor keys, function keys, and page
up/down keys even if no keymap is defined. This is the case when using
the terminal with character events produced by the input filter.
2017-10-05 17:39:59 +02:00
Martin Stein
2633ff8661 alarm: fix information loss due to int-cast
When we have two time values of an unsigned integer type and we create
the difference and want to know wether it is positive or negative within
the same value we loose at least one half of the value range for casting
to signed integers. This was the case in the alarm scheduler when
checking wether an alarm already triggered. Even worse, we casted from
'unsigned long' to 'signed int' which caused further loss on at least
x86_64. Thus, big timeouts like ~0UL falsely triggered directly.

Now, we use an extra boolean value to remember in which period of the
time counter we are and to which period of the time counter the deadline
of an alarm belongs. This boolean switches its value each time the time
counter wraps. This way, we can avoid any casting by checking wether the
current time is of the same period as the deadline of the alarm that we
inspect. If so, the alarm is pending if "current time >= alarm
deadline", otherwise it is pending if "current time < alarm deadline".

Ref #2490
2017-10-05 17:39:56 +02:00
Josef Söntgen
198019edca os: add Gpu driver for Intel Gen8 HD graphics
This commit introduces a experimental 3D driver for Intel Gen8 HD
graphics devices as well as the corresponding Gpu session.

Fixes #2507.
2017-08-30 09:59:57 +02:00
Emery Hemingway
1fce8d0d74 default ahci_drv and part_blk Block sessions to read-only
Add a "writeable" policy option to the ahci_drv and part_blk Block
servers and default from writeable to ready-only. Should a policy
permit write acesss the session request argument "writeable" may still
downgrade a session to ready-only.

Fix #2469
2017-08-28 16:49:51 +02:00
Sebastian Sumpf
66db2ee54e libports: Mesa 11.2.2
OpenGL 4.5 with software and i965 rendering back ends.

issue #2488
2017-08-28 16:49:43 +02:00
Norman Feske
cb72784717 os: add template specialization for alpha pixel
The specialization is needed for applying anti-aliased drawing
operations on alpha channels.
2017-08-28 16:49:39 +02:00
Christian Prochaska
b0935ef9b2 VFS: nonblocking interface
The VFS library can be used in single-threaded or multi-threaded
environments and depending on that, signals are handled by the same thread
which uses the VFS library or possibly by a different thread. If a VFS
plugin needs to block to wait for a signal, there is currently no way
which works reliably in both environments.

For this reason, this commit makes the interface of the VFS library
nonblocking, similar to the File_system session interface.

The most important changes are:

- Directories are created and opened with the 'opendir()' function and the
  directory entries are read with the recently introduced 'queue_read()'
  and 'complete_read()' functions.

- Symbolic links are created and opened with the 'openlink()' function and
  the link target is read with the 'queue_read()' and 'complete_read()'
  functions and written with the 'write()' function.

- The 'write()' function does not wait for signals anymore. This can have
  the effect that data written by a VFS library user has not been
  processed by a file system server yet when the library user asks for the
  size of the file or closes it (both done with RPC functions at the file
  system server). For this reason, a user of the VFS library should
  request synchronization before calling 'stat()' or 'close()'. To make
  sure that a file system server has processed all write request packets
  which a client submitted before the synchronization request,
  synchronization is now requested at the file system server with a
  synchronization packet instead of an RPC function. Because of this
  change, the synchronization interface of the VFS library is now split
  into 'queue_sync()' and 'complete_sync()' functions.

Fixes #2399
2017-08-28 16:49:38 +02:00
Martin Stein
b6efa7f6f9 timer connection: fast initial calibration
The calibration of the interpolation parameters was previously only done
periodically every 500 ms. Together with the fact that the parameters
had to be stable for at least 3 calibration steps to enable
interpolation, it took at least 1.5 seconds after establishing a
connection to get microseconds-precise time values.

This is a problem for some drivers that directly start to poll time.
Thus, the timer connection now does a calibration burst as soon as it
switches to the modern mode (the mode with microseconds precision).
During this phase it does several (currently 9) calibration steps
without a delay inbetween. It is assumed that this is fast enough to not
get interrupted by scheduling. Thus, despite being small, the measured
values should be very stable which is why the burst should in most cases
be sufficient to get the interpolation initialized.

Ref #2400
2017-08-23 14:08:37 +02:00
Martin Stein
adaad64fbb timer connection: relax factor shifting
When in modern mode (with local time interpolation), the timer
connection used to maximize the left shifting of its
timestamp-to-microseconds factor. The higher the shift the more precise
is the translation from timestamps to microseconds. If the timestamp
values used for determining the best shift were small - i.e.  the delay
between the calibration steps were small - we may got a pretty big
shift.  If we then used the shift with bigger timestamp values - i.e.
called curr_time seldom or raised calibration delays - the big shift
value became a problem. The framework had to scale down all measured
timestamps and time values temporarily to stay operative until the next
calibration step.

Thus, we now raise the shift only that much that the resulting factor
fullfills a given minimum. This keeps it as low as possible according
to the precision requirement. Currently, this requirement is set to 8
meaning that the shifted factor shall be at least 2^8 = 256.

Ref #2400
2017-08-23 14:08:37 +02:00
Martin Stein
6dfb903bd0 timer connection: always work with microseconds
As the timer session now provides a method 'elapsed_us', there is no more need
for doing any internal calculations with values of milliseconds.

Ref #2400
2017-08-23 14:08:36 +02:00
Martin Stein
8750e373a0 timer session: add elapsed_us method
As timer sessions are not expected to be microseconds precise (because
of RPC latency and scheduling), the session interface provided only a
method 'elapsed_ms' although the back end of this method in the timer
driver works with microseconds.

However, in some cases it makes sense to have a method 'elapsed_us'. The
values it returns might be milliseconds away from the "real" time but it
allows you to work with delays smaller than a millisecond without
getting a zero delta value.

This commit is motivated by the need for fast bursts of calibration
steps for the time interpolation in the new timer connection.

Ref #2400
2017-08-23 14:08:36 +02:00
Norman Feske
0b580628cf file system: track content via version counter
This makes the delivery of CONTENT_CHANGED responses more robust.
2017-08-17 10:59:43 +02:00
Christian Prochaska
6a43f3c11a file system: use Id_space instead of Node_handle_registry
Fixes #2436
2017-08-17 10:59:43 +02:00
Christian Helmuth
78f1fd29f7 Translate buffer-exceeded exception in Session_requester
Session_requester inherits from Dynamic_rom_session::Content_producer
which specifies the Buffer_capacity_exceeded exception which is thrown
on insufficient buffer space.
2017-06-29 12:00:03 +02:00
Martin Stein
9b1c26ab7f timeout lib: dynamic interpolation-factor shift
In the timeout framework, we maintain a translation factor value to
translate between time and timestamps. To raise precision we scale-up
the factor when we calculate it and scale-down the result of its
appliance later again. This up and down scaling is achieved through
left and right shifting. Until now, the shift width was statically
choosen. However, some platforms need a big shift width and others a
smaller one. The one static shift width couldn't cover all platforms
which caused overflows or precision problems.

Now, the shift width is choosen optimally for the actual translation
factor each time it gets re-calculated. This way, we can take care that
the shift always renders the best precision level without the risk for
overflows.

Ref #2400
2017-06-29 11:59:54 +02:00
Josef Söntgen
8f577e9d25 usb: use if-else in packet_handler
Apparently this construct leads to a compiler errors like

  error: second operand to the conditional operator is of type ‘void’, but
  the third operand is neither a throw-expression nor of type ‘void’
2017-06-19 12:35:57 +02:00
Emery Hemingway
1eb37fbe22 VFS: move 'sync' from 'File_system' to 'Directory_service'
The the parent 'Directory_service' interface is reachable from
'Vfs_handle', whereas the 'File_system' interface is not.

Fix #2437
Ref #2422
2017-06-12 14:32:07 +02:00
Sebastian Sumpf
c3cf7f3c3a riscv: ISA-1.9.1 and GCC-6.3.0 adaptions
Adds 1.9.1 support to base-hw

Note:
* the kernel timer is not working
* dynamic linking is currently not supported
2017-05-31 13:16:24 +02:00
Stefan Kalkowski
632ef28463 os: removal of deprecated os/config.h (fix #2431) 2017-05-31 13:16:22 +02:00
Emery Hemingway
16be05e530 Optional session label for Rtc connection constructor
Ref #2410
2017-05-31 13:16:22 +02:00
Norman Feske
adb26b5216 API documentation refinements 2017-05-31 13:16:21 +02:00
Christian Prochaska
16deaa9a72 timed_semaphore: fix deprecated warning
Fixes #2429
2017-05-31 13:16:19 +02:00
Norman Feske
0167d5af50 Integrate core's RAM service into the PD service
Fixes #2407
2017-05-31 13:16:14 +02:00
Norman Feske
71efb59873 terminal: add Cell_array destructor
With the capability-quota mechanism, the terminal-session won't always
be constructed completely on the first try (we may run out of caps in
the middle of the construction). Therefore, all members of the object
must be properly destructable. Furthermore, the patch replaces the
sliced heap by a heap to avoid allocating a new dataspace for each line
of the cell array.
2017-05-31 13:16:12 +02:00
Martin Stein
c70fed29f7 os/timer: interpolate time via timestamps
Previously, the Genode::Timer::curr_time always used the
Timer_session::elapsed_ms RPC as back end.  Now, Genode::Timer reads
this remote time only in a periodic fashion independently from the calls
to Genode::Timer::curr_time. If now one calls Genode::Timer::curr_time,
the function takes the last read remote time value and adapts it using
the timestamp difference since the remote-time read. The conversion
factor from timestamps to time is estimated on every remote-time read
using the last read remote-time value and the timestamp difference since
the last remote time read.

This commit also re-works the timeout test. The test now has two stages.
In the first stage, it tests fast polling of the
Genode::Timer::curr_time. This stage checks the error between locally
interpolated and timer-driver time as well as wether the locally
interpolated time is monotone and sufficiently homogeneous. In the
second stage several periodic and one-shot timeouts are scheduled at
once. This stage checks if the timeouts trigger sufficiently precise.

This commit adds the new Kernel::time syscall to base-hw. The syscall is
solely used by the Genode::Timer on base-hw as substitute for the
timestamp. This is because on ARM, the timestamp function uses the ARM
performance counter that stops counting when the WFI (wait for
interrupt) instruction is active. This instruction, however is used by
the base-hw idle contexts that get active when no user thread needs to
be scheduled.  Thus, the ARM performance counter is not a good choice for
time interpolation and we use the kernel internal time instead.

With this commit, the timeout library becomes a basic library. That means
that it is linked against the LDSO which then provides it to the program it
serves. Furthermore, you can't use the timeout library anymore without the
LDSO because through the kernel-dependent LDSO make-files we can achieve a
kernel-dependent timeout implementation.

This commit introduces a structured Duration type that shall successively
replace the use of Microseconds, Milliseconds, and integer types for duration
values.

Open issues:

* The timeout test fails on Raspberry PI because of precision errors in the
  first stage. However, this does not render the framework unusable in general
  on the RPI but merely is an issue when speaking of microseconds precision.

* If we run on ARM with another Kernel than HW the timestamp speed may
  continuously vary from almost 0 up to CPU speed. The Timer, however,
  only uses interpolation if the timestamp speed remained stable (12.5%
  tolerance) for at least 3 observation periods. Currently, one period is
  100ms, so its 300ms. As long as this is not the case,
  Timer_session::elapsed_ms is called instead.

  Anyway, it might happen that the CPU load was stable for some time so
  interpolation becomes active and now the timestamp speed drops. In the
  worst case, we would now have 100ms of slowed down time. The bad thing
  about it would be, that this also affects the timeout of the period.
  Thus, it might "freeze" the local time for more than 100ms.

  On the other hand, if the timestamp speed suddenly raises after some
  stable time, interpolated time can get too fast. This would shorten the
  period but nonetheless may result in drifting away into the far future.
  Now we would have the problem that we can't deliver the real time
  anymore until it has caught up because the output of Timer::curr_time
  shall be monotone. So, effectively local time might "freeze" again for
  more than 100ms.

  It would be a solution to not use the Trace::timestamp on ARM w/o HW but
  a function whose return value causes the Timer to never use
  interpolation because of its stability policy.

Fixes #2400
2017-05-31 13:16:11 +02:00
Stefan Kalkowski
9b350e7706 os: move private declarations to driver target
Ref #2403
2017-05-31 13:16:09 +02:00
Norman Feske
4d442bca30 Streamline exception types
This patch reduces the number of exception types by facilitating
globally defined exceptions for common usage patterns shared by most
services. In particular, RPC functions that demand a session-resource
upgrade not longer reflect this condition via a session-specific
exception but via the 'Out_of_ram' or 'Out_of_caps' types.

Furthermore, the 'Parent::Service_denied', 'Parent::Unavailable',
'Root::Invalid_args', 'Root::Unavailable', 'Service::Invalid_args',
'Service::Unavailable', and 'Local_service::Factory::Denied' types have
been replaced by the single 'Service_denied' exception type defined in
'session/session.h'.

This consolidation eases the error handling (there are fewer exceptions
to handle), alleviates the need to convert exceptions along the
session-creation call chain, and avoids possible aliasing problems
(catching the wrong type with the same name but living in a different
scope).
2017-05-31 13:16:07 +02:00
Norman Feske
1f4f119b1e Capability quota accounting and trading
This patch mirrors the accounting and trading scheme that Genode employs
for physical memory to the accounting of capability allocations.

Capability quotas must now be explicitly assigned to subsystems by
specifying a 'caps=<amount>' attribute to init's start nodes.
Analogously to RAM quotas, cap quotas can be traded between clients and
servers as part of the session protocol. The capability budget of each
component is maintained by the component's corresponding PD session at
core.

At the current stage, the accounting is applied to RPC capabilities,
signal-context capabilities, and dataspace capabilities. Capabilities
that are dynamically allocated via core's CPU and TRACE service are not
yet covered. Also, the capabilities allocated by resource multiplexers
outside of core (like nitpicker) must be accounted by the respective
servers, which is not covered yet.

If a component runs out of capabilities, core's PD service prints a
warning to the log. To observe the consumption of capabilities per
component in detail, the PD service is equipped with a diagnostic
mode, which can be enabled via the 'diag' attribute in the target
node of init's routing rules. E.g., the following route enables the
diagnostic mode for the PD session of the "timer" component:

  <default-route>
    <service name="PD" unscoped_label="timer">
      <parent diag="yes"/>
    </service>
    ...
  </default-route>

For subsystems based on a sub-init instance, init can be configured
to report the capability-quota information of its subsystems by
adding the attribute 'child_caps="yes"' to init's '<report>'
config node. Init's own capability quota can be reported by adding
the attribute 'init_caps="yes"'.

Fixes #2398
2017-05-31 13:16:06 +02:00
Norman Feske
e44f65f3b2 core: RAM service based on 'Session_object'
This patch reworks the implementation of core's RAM service to make use
of the 'Session_object' and to remove the distinction between the
"metadata" quota and the managed RAM quota. With the new implementation,
the session implicitly allocates its metadata from its own account. So
there is not need to handle 'Out_of_metadata' and 'Quota_exceeded' via
different exceptions. Instead, the new version solely uses the
'Out_of_ram' exception.

Furthermore, the 'Allocator::Out_of_memory' exception has become an alias
for 'Out_of_ram', which simplifies the error handling.

Issue #2398
2017-05-31 13:16:06 +02:00
Norman Feske
3670f7735d base: use 'Quota_transfer::Account' for 'Service'
This patch makes use of the new 'Quota_transfer::Account' by the service
types in base/service.h and uses 'Quota_transfer' objects in
base/child.cc and init/server.cc.

Furthermore, it decouples the notion of an 'Async_service' from
'Child_service'. Init's 'Routed_service' is no longer a 'Child_service'
but is based on the new 'Async_service' instead.

With this patch in place, quota transfers do no longer implicitly use
'Ram_session_client' objects. So transfers can in principle originate
from component-local 'Ram_session_component' objects, e.g., as used by
noux. Therefore, this patch removes a strumbling block for turning noux
into a single threaded component in the future.

Issue #2398
2017-05-31 13:16:06 +02:00
Norman Feske
6609aafb05 Replace Quota_exceeded by Insufficient_ram_quota
This patch replaces the 'Parent::Quota_exceeded',
'Service::Quota_exceeded', and 'Root::Quota_exceeded' exceptions
by the single 'Insufficient_ram_quota' exception type.

Furthermore, the 'Parent' interface distinguished now between
'Out_of_ram' (the child's RAM is exhausted) from
'Insufficient_ram_quota' (the child's RAM donation does not suffice to
establish the session).

This eliminates ambiguities and removes the need to convert exception
types along the path of the session creation.

Issue #2398
2017-05-31 13:16:05 +02:00
Norman Feske
843dd179d7 base: remove int return types from 'Ram_session'
This patch replaces the existing C-style error codes with C++
exceptions.

Fixes #895
2017-05-31 13:16:04 +02:00
Norman Feske
58f44d39c5 base: use 'Ram_quota' in 'Ram_session' args
This patch replaces the former use of size_t with the use of the
'Ram_quota' type to improve type safety (in particular to avoid
accidentally mixing up RAM quotas with cap quotas).

Issue #2398
2017-05-31 13:16:04 +02:00
Norman Feske
ff68d77c7d base: new 'Ram_allocator' interface
The 'Ram_allocator' interface contains the subset of the RAM session
interface that is needed to satisfy the needs of the 'Heap' and
'Sliced_heap'. Its small size makes it ideal for intercepting memory
allocations as done by the new 'Constrained_ram_allocator' wrapper
class, which is meant to replace the existing 'base/allocator_guard.h'
and 'os/ram_session_guard.h'.

Issue #2398
2017-05-31 13:16:04 +02:00
Norman Feske
c1b981ede4 Annotate session interfaces with CAP_QUOTA
The new 'CAP_QUOTA' enum value denotes the capability quota to be
transferred from the client to the server at session-creation time.

Issue #2398
2017-05-31 13:16:04 +02:00