Several users of the signal API used custom convenience classes to
invoke signal-handling functions on the reception of incoming signals.
The 'Signal_dispatcher' pattern turned out to be particularly useful. To
avoid the duplication of this code across the code base, this patch
adds the interface to 'base/signal.h'.
Furthermore, the patch changes the 'Signal::num()' return type from int
to unsigned because negative numbers are meaningless here.
Fixes#511
Add functionality to lookup an object and lock it. Additional the case is
handled that a object may be already in-destruction and the lookup will deny
returning the object.
The object_pool generalize the lookup and lock functionality of the rpc_server
and serve as base for following up patches to fix dangling pointer issues.
When releasing a lock we must take care that all state is written back to
memory and is not cached in registers. The volatile flag of the lock variable
only means to the compiler that this value must be written immediately.
Other values changed before may be kept by the compiler in registers, which we
don't want here.
Additionally the compiler is free to reorder the code in order to optimize.
That means the code we intend to be executed inside the critical section can
get be reordered and can be executed after we reset the lock variable in the
unlock implementation. The volatile statement of the lock variable doesn't
prevent reordering of instructions which are independent.
By adding a explicit memory barrier, we force the compiler to generate code
that writes back all the register content to memory/cache (and avoid a
bunch of hard to find bugs ...)
The CPU session interfaces comes with the ability to install an
exception handler per thread. This patch enhances the feature with the
provision of a default signal handler that is used if no thread-specific
handler is installed. The default signal handler can be set by
specifying an invalid thread capability and a valid signal context
capability.
Furthermore, this patch relaxes the requirement of the order of the
calls of 'exception_handler' and 'set_pager'. Originally, the exception
handler could be installed not before setting a pager. Now, we remember
the installed exception handler in the 'Cpu_thread' and propagate to to
the platform thread at a later time.
It happens that ram_session and rm_session itself are invoking alloc
respectively free on the very same sliced heap inside core.
Lock only the sliced_heap list implementation and let the session locking to
the session implementation of rm_session and ram_session.
The ram_session and rm_session must take care to proper lock since inside
both implementations already the session handling thread and the service thread
are running parallel.
With commit 1389b63050 in thread.cc for base-foc
a bug was fixed, where the memory of the context got freed up before running
the de-constructor.
Apply the fix also to base and base-mb.
For base-nova thread creation related exception can be thrown, since the
Pager_objects are threads. Catch the exception and re-throw the
expected/documented exception in rm_session.
This commit avoids that core dies with an unhandled exception if a thread
couldn't be created (e.g. because the limit has been reached).
Sanity check that the context area has been attached. Otherwise the code
later tries to access the context area and core dies with a unhandled page
fault.
The Linux version of core used a part of the BSS to simulate access to
physical memory. All dataspaces would refer to a portion of 'some_mem'.
So every time when core would access the dataspace content, it would
access its local BSS. For all processes outside of core, dataspaces were
represented as files. This patch removes the distinction between core
and non-core processes. Now, core uses the same 'Rm_session_mmap'
implementation as regular processes. This way, the 'some_mem' could be
abandoned. We still use BSS variable for allocating core-local meta
data through.
This patch reflects eventual allocation errors in a more specific way to
the caller of 'alloc_aligned', in particular out-of-metadata and
out-of-memory are considered as different conditions.
Related to issue #526.
This patch introduces clean synchronization between the entrypoint
thread and the caller of the 'Rpc_entrypoint' destructor. The most
important change is the handling of the 'Ipc_server' destruction. This
object is in the local scope of the server's entry function. However,
since the server loop used to be an infinite loop, there was hardly any
chance to destruct the object in a clean way. Hence, the
'Rpc_entrypoint' destructor used to explicitly call '~Ipc_server'.
Unfortunately, this approach led to problems because there are indeed
rare cases where the server thread leaves the scope of the entry
function, namely uncaught exceptions. In such a case, the destructor
would have been called twice.
With the new protocol, we make sure to leave the scope of the entry
function and thereby destroy the 'Ipc_server' object as expected. This
is achieved by propagating the exit condition through a local RPC call
to the entrypoint. This way, the blocking state of the entrypoint
becomes unblocked. Furthermore, '~Rpc_entrypoint' makes use of the new
'join' function to wait for the completion of the server thread.
There is no obvious reason for having two different SPEC variables, definitions,
and pathes for the Pandaboard platform. It even lead to problems regarding the
omap4 framebuffer driver (look at issue #505 and #506).
On Linux, we want to attach additional attributes to processes, i.e.,
the chroot location, the designated UID, and GID. Instead of polluting
the generic code with such Linux-specific platform details, I introduced
the new 'Native_pd_args' type, which can be customized for each
platform. The platform-dependent policy of init is factored out in the
new 'pd_args' library.
The new 'base-linux/run/lx_pd_args.run' script can be used to validate
the propagation of those attributes into core.
Note that this patch does not add the interpretation of the new UID and
PID attributes by core. This will be subject of a follow-up patch.
Related to #510.
Using the new 'join()' function, the caller can explicitly block for the
completion of the thread's 'entry()' function. The test case for this
feature can be found at 'os/src/test/thread_join'. For hybrid
Linux/Genode programs, the 'Thread_base::join()' does not map directly
to 'pthread_join'. The latter function gets already called by the
destructor of 'Thread_base'. According to the documentation, subsequent
calls of 'pthread_join' for one thread may result in undefined behaviour.
So we use a 'Genode::Lock' on this platform, which is in line with the
other platforms.
Related to #194, #501
The IPC-server object exists solely on the stack of the entrypoint
thread and, therefore, would never be destructed as the thread is just
killed. Now, the object is explicitly destructed in the entrypoint
destructor. An alternative solution could instruct the entrypoint thread
the terminate, which would automatically cleanup its stack.
The object pool is assumed to be empty on destruction of the entrypoint.
If not, we warn and at least dissolve all RPC objects.
You cannot check an unsigned size_t variable for underflow, so I
changed the code to first check if an underflow would occur before
performing the subtraction.
Fixes#489.
'Core_tlb' ensures that core never throws pagefaults,
in contrast to its base 'Tlb' that is planned to use displacement
in the future.
'Core_tlb' enables the application of differenet memory attributes
in core, according to the board specific partitioning of the physical
address space. This way it enables caching in core.
Implement 'Signal_receiver::pending()'.
Provide display-subsystem MMIO.
Avoid method ambiguousness in 'Irq_context' in
'dde_linux/src/drivers/usb/signal/irq.cc'
(it derives from two list element classes when using 'base_hw').
Enables demo scenario with 'hw_panda_a2'.
Fix bug regarding idle thread in thread scheduling in
'base-hw/src/core/kernel.cc'.
Fix regarding signal submit in signal framework in
'base-hw/src/core/kernel.cc'.
Implies support for the ARMv6 architecture through 'base-hw'.
Get rid of 'base/include/drivers' expect of 'base/include/drivers/uart'.
Merge with the support for trustzone on VEA9X4 that came from
Stefan Kalkowski.
Leave board drivers in 'base/include/platform'.
Rework structure of the other drivers that were moved to
'base_hw/src/core' and those that came with the trustzone support.
Beautify further stuff in 'base_hw'.
Test 'nested_init' with 'hw_imx31' (hardware) and 'hw_panda_a2' (hardware),
'demo' and 'signal' with 'hw_pbxa9' (qemu) and 'hw_vea9x4'
(hardware, no trustzone), and 'vmm' with 'hw_vea9x4'
(hardware, with trustzone).
This patch introduces principal support for extending session interfaces
with specialized functionality in a clean way. For example, an 'Uart'
interface may implement the 'Terminal' interface but also offers
additional functions for setting the baud rate. A service that
implements the 'Uart' service will then automatically announce both the
'Uart' and 'Terminal' services.
Since the recent move of the process creation into core, the original chroot trampoline
mechanism implemented in 'os/src/app/chroot' does not work anymore. A
process could simply escape the chroot environment by spawning a new
process via core's PD service. Therefore, this patch moves the chroot
support into core. So the chroot policy becomes mandatory part of the
process creation. For each process created by core, core checks for
'root' argument of the PD session. If a path is present, core takes the
precautions needed to execute the new process in the specified chroot
environment.
This conceptual change implies minor changes with respect to the Genode
API and the configuration of the init process. The API changes are the
enhancement of the 'Genode::Child' and 'Genode::Process' constructors to
take the root path as argument. Init supports the specification of a
chroot per process by specifying the new 'root' attribute to the
'<start>' node of the process. In line with these changes, the
'Loader::Session::start' function has been enhanced with the additional
(optional) root argument.
On Linux, we use the session label for naming the corresponding Linux
process. When looking up the processes via 'ps', the Genode process
hierarchy becomes immediately visible.
This patch alleviates the need for any non-core process to create Unix
domain sockets locally. All sockets used for RPC communication are
created by core and subsequently passed to the other processes via RPC
or the parent interface. The immediate benefit is that no process other
than core needs to access the 'rpath' directory in order to communicate.
However, access to 'rpath' is still needed for accessing dataspaces.
Core creates one socket pair per thread on demand on the first call of
the 'Linux_cpu_session::server_sd()' or 'Linux_cpu_session::client_sd()'
functions. 'Linux_cpu_session' is a Linux-specific extension to the CPU
session interface. In addition to the socket accessors, the extension
provides a mechanism to register the PID/TID of a thread. Those
information were formerly propagated into core along with the thread
name as argument to 'create_thread()'.
Because core creates socket pairs for entrypoints, it needs to know all
threads that are potential entrypoints. For lx_hybrid programs, we
hadn't had propagated any thread information into core, yet. Hence, this
patch also contains the code for registering threads of hybrid
applications at core.
The bash-builtin 'pwd' command uses the 'st_dev' and 'st_ino' members of
the 'stat' struct to compare the path from the 'PWD' environment variable
with the path returned by 'getcwd()'. These members don't get set
correctly in Noux and therefore the 'pwd' command sometimes returns wrong
results when building Genode in Noux. With this patch the 'CURDIR' make
variable gets used instead of calling 'pwd'.
Fixes#454.
With this patch an error message gets printed in
'Allocator_avl_base::free()' if the given address is not the start address
of the allocated block.
Fixes#459.
* Introduces Schedule_context
* Use fast-interrupts or normal interrupts
* Add mode-transition between secure/non-secure world
* Limit system resources for Genode apps due to non-secure world
This commit implements the newly introduced Vm session interface to be used
on top of TrustZone capable Armv7 CPUs. Therefore a new Schedule_context is
introduced in the kernel. Threads and Vms are both Schedule_contexts used
by the scheduler. In contrast to a thread a vm uses a different assembler
mode switch to the non-secure, virtual world, as well as another exception
is used, when the non-secure world is left. For both worlds to co-exist
the interrupt-controller needs to be configured, so that the secure (Genode)
world uses fast-interrupts only, and the non-secure world only legacy
interrupts.
The only TrustZone capable platform the base-hw kernel works on top of
is the CoreTile Express 9x4 for the Versatile Express motherboard. For a
virtual machine working properly on top some platform resources must be
reserved. Therefore there exist two flavours of this platform now, one with
the 'trustzone' spec-variable enabled, and one without. If 'trustzone' is
specified most platform resources (DDR-RAM, and most IRQs) are reserved
for the Vm and not available to the secure Genode world.
Driver definitions which are used by kernel/core in base-hw, and also by other
drivers (e.g. from the os repository) have to reside in the generic
base-repository, for instance some uart drivers. All drivers which are
interesting for one of the sites only (sp804 for timer driver, or
cortex_a9 cpu driver for base-hw) should reside in the respective repos.
Factorize cpu context out of Cortex A9 specific definitions. Moreover, there
is already a Cpu_state object containing all common ARM registers. We use
this as a base for the cpu context switching done by the base-hw kernel.
The Cpu_state class get extended by a cpu-exception field, that stores the kind
of exception raised when the corresponding context got interrupted. This
information is used not only by the base-hw kernel, but also by the TrustZone
VMM that is build currently.
The 'Cpu_state' in 'base/include/base/cpu_state.h' is not needed anymore.
Moreover, it's inconsistent with the architecture-specific definitions
of 'Cpu_state' that all reside in <cpu/cpu_state.h>.
By now all services in core where created, and registered in the generic
main routine. Although there exists already a x86-specific service (I/O ports)
there was no possibility to announce core-services for certain platforms only.
This commit introduces a hook function in the 'Platform' class, that enables
registration of platform-specific services. Moreover, the io-port service
is offered on x86 platforms only now.
By naming all board declaration (previously in base/include/drivers/board) the
same way, and putting them in platform-specific include-pathes, we save additional
declaration redirection in the base-hw kernel, and in driver definitions.
The 'delete (void *)' operator gets referenced by compiler generated code,
so it must be publicly defined in the 'cxx' library. These compiler
generated calls seem to get executed only subsequently to explicit
'delete (void *)' calls in application code, which are not supported by
the 'cxx' library, so the 'delete (void *)' implementation in the 'cxx'
library does not have to do anything. Applications should use the
'delete (void *)' implementation of the 'stdcxx' library instead. To make
this possible, the 'delete (void *)' implementation in the 'cxx' library
must be 'weak'.
Fixes#419.
Added generic 'Irq_proxy' class to core includes (ported from base-okl4). It can
be used to implement shared IRQ support for various base platforms. It will
generate one thread per IRQ and unblocks waiting clients (IRQ sessions) upon
interrupt receipt.
Issue #390
GCC warns about uninitialized local variables in cases where no
initialization is needed, in particular in the overloads of the
'Capability::call()' function. Prior this patch, we dealt with those
warnings by using an (unreliable) GCC pragma or by disabling the
particular warning altogether (which is a bad idea). This patch removes
the superfluous warnings by telling the compiler that the variable in
question is volatile.
Formerly, GENODE_RELEASE just undef'd PDBG() which concealed bugs in
places PDBG was used, e.g., do to API changes. Unfortunately,
desparately disabling GENODE_RELEASE during bug hunt sometimes
introduced new errors. Now, PDBG is just a branch not taken but seen by
the compiler, which is able to produce warnings/errors when the API is
changed.
Fixes#378.
The 'build.mk' file checks if the tool chain to be used supports the
'-static' and '-fno-stack-protector' flags, but this check always fails
for the current Genode tool chain because it cannot create executable
files without explicitly specifying the 'crt0' and library files to be
linked, which the check doesn't.
This patch removes the compiler check.
Fixes#358.
The exception initialization and handling in gcc_eh allocates early (_main)
memory before executing main. In Vancouver the virtual
region from [0,VM size) must be reserved. Vancouver fails if the memory
allocated by the exception handling and the static objects was allocated
inside the [0, VM size) area.
To circumvent the situation allocate the first memory pieces for the heap
from the bss.
The first metadata-block, which is inherent part of the allocator object
itself has a fixed size which isn't suitable enough for some 64bit platforms
(e.g. core's RAM-allocator on a 64bit platform with lots of different regions).
This commit let the block size be address-width aware.
Every 64-bit binary is effectively 4M too big currently [0]. The GNU linker ld
aligns the text section of the binary to the maximum page size. On i386
the default section alignment is fixed typically to 4K.
Avoid wasting mainly 4M on x86_64 by telling the linker the max page size to
be 4K.
[0] http://sourceware.org/ml/binutils/2009-04/msg00099.html
This patch introduces the functions 'affinity' and 'num_cpus' to the CPU
session interface. The interface extension will allow the assignment of
individual threads to CPUs. At this point, it is just a stub with no
actual platform support.
This patch adds libstdc++ to libports. With the previous version of the
stdcxx library, the build system used the C++ standard library that
comes with the compiler. This mechanism was prone to inconsistencies of
types defined in the header files used at compile time of the tool chain
and the types provided by our libc. By building the C++ standard library
as part of the Genode build process, such inconsistencies cannot happen
anymore.
Note that the patch changes the meaning of the 'stdcxx' library for
users that happened to rely on 'stdcxx' for hybrid Linux/Genode
applications. For such uses, the original mechanism is still available,
in the renamed form of 'toolchain_stdcxx'.
Let the Fiasco.OC base platform succeed the cap_integrity run-script meaning
that it is not feasible anymore to fake a capability by using a valid one
together with a guessed local_name.
On both 32-bit and 64-bit platforms, 'uint64_t' can be defined as
'unsigned long long', which is the type expected by the %llx
format-string specifier. By unifying the type definitions, we resolve
warnings about unmatching type specifiers. This patch also removes
redundant words from the typedefs.
Avoid the use of deprecated 'MASK' enum in CPU register 'Asid'.
Enable the use of the 'K' bit in MMU translations.
Treat any try to modify existing valid entries in section- and
pagetables when doing 'insert_translation' as error.
Beautify concerned files.
For 64-bit registers we cannot compute MASK and SHIFT values via enums
because enum values are always of type int. But we can use static member
functions instead. Furthermore, the patch fixes the type trait for
64-bit registers. (apparently, this access width was never used so far)
The code intended to stop after the first failed attempt,
however the bool variable to control this was reseted
inside the loop and so it endless loops.
Fixes#51
