Commit Graph

874 Commits

Author SHA1 Message Date
Alexander Boettcher
8bc4389411 core: support to serve signals by another ep
Issue #2584
2017-11-30 11:23:11 +01:00
Martin Stein
e87f63944f timeout: replace Duration operators by methods
void += (Microseconds) -> void add(Microseconds)
void += (Milliseconds) -> void add(Milliseconds)
bool < (Duration)      -> bool less_than(Duration)

Issue #2581
2017-11-30 11:23:09 +01:00
Martin Stein
26bcd439f7 timeout: fix bug in duration + duration testing
The += operator contained bugs. We now also do some tests on the Duration
type at the beginning of the timeout test.

Fixes #2581
2017-11-30 11:23:09 +01:00
Alexander Boettcher
f4aff87e25 make _timer_ticks_to_us 64bit safe
fixes PIT running to fast on seL4 x86_64
2017-11-30 11:23:07 +01:00
Emery Hemingway
caba2d3021 Enforce use of a custom Nim compiler
Use a custom Nim compiler at '/usr/local/genode-nim' that can be built
with a makefile at 'tool/tool_chain_nim'.

Fix #2545
2017-11-30 11:23:06 +01:00
Alexander Boettcher
9c6de44f98 core: use core mem allocator in Pd_session
Fixes #2563
2017-11-30 11:23:05 +01:00
Martin Stein
8e80c05be7 signal: organize signal contexts as ring list
Ref #2532
2017-11-30 11:23:02 +01:00
Alexander Boettcher
44adc3c404 tool: use grub2 instead of grub1 for iso boot
Fixes #2526
2017-11-30 11:23:01 +01:00
Alexander Boettcher
7ff6e96623 base: avoid pagefault if session creation failed 2017-11-24 09:07:32 +01:00
Christian Helmuth
b1c9db8a0d libc: dispatch pending signals at selective points 2017-11-24 09:02:03 +01:00
Christian Helmuth
491be000ca depot: update recipe hashes 2017-11-09 12:19:59 +01:00
Christian Helmuth
1b4128d3d9 Adapt sub_rm test to current Linux 32-bit
As noted above the former enum for the local-attachment address we
discovered address clashes on current Linux installations, esp. 32-bit
runtime on 64-bit Linux. The local_attach_addr is now configurable in
the run script and the memory maps heuristics were removed.
2017-11-06 13:57:23 +01:00
Alexander Boettcher
9655ebbefe sel4: enable nx bit handling for ARM
Issue #1723
2017-11-01 08:39:49 +01:00
Alexander Boettcher
4dd5e6b266 hw: enable nx bit handling for arm 2017-11-01 08:39:49 +01:00
Alexander Boettcher
aa1d5a7dd1 hw: enable nx bit handling for x86_64
Issue #1723
2017-11-01 08:39:48 +01:00
Alexander Boettcher
8ea584b1d2 foc: enable nx bit handling for x86_64 and arm
Issue #1723
2017-11-01 08:39:48 +01:00
Alexander Boettcher
f2c3225ab6 nova: enable nx bit handling for x86_64
Issue #1723
2017-11-01 08:39:48 +01:00
Alexander Boettcher
db329b02b5 base: enable executable memory fault handling
Fixes #1723
2017-11-01 08:39:48 +01:00
Alexander Boettcher
03b8e70d3f rm_fault: add fault test for exec access violation
Issue #1723
2017-10-20 11:45:21 +02:00
Alexander Boettcher
e3d9f41496 base: provide dst fault address for write fault
Issue #1723
2017-10-20 11:45:20 +02:00
Alexander Boettcher
e6dcdcf277 base: attach executable memory as such
- tracing policy

Issue #1723
2017-10-19 13:47:03 +02:00
Christian Helmuth
ee4ee6a8ac depot: update recipe hashes 2017-10-19 13:31:18 +02:00
Stefan Kalkowski
4e97a6511b hw: switch page-tables only when necessary
* Instead of always re-load page-tables when a thread context is switched
  only do this when another user PD's thread is the next target,
  core-threads are always executed within the last PD's page-table set
* remove the concept of the mode transition
* instead map the exception vector once in bootstrap code into kernel's
  memory segment
* when a new page directory is constructed for a user PD, copy over the
  top-level kernel segment entries on RISCV and X86, on ARM we use a designated
  page directory register for the kernel segment
* transfer the current CPU id from bootstrap to core/kernel in a register
  to ease first stack address calculation
* align cpu context member of threads and vms, because of x86 constraints
  regarding the stack-pointer loading
* introduce Align_at template for members with alignment constraints
* let the x86 hardware do part of the context saving in ISS, by passing
  the thread context into the TSS before leaving to user-land
* use one exception vector for all ARM platforms including Arm_v6

Fix #2091
2017-10-19 13:31:18 +02:00
Stefan Kalkowski
ca60e24ad9 hw: run core threads in privileged mode
* introduce new syscall (core-only) to create privileged threads
* take the privilege level of the thread into account
  when doing a context switch
* map kernel segment as accessable for privileged code only

Ref #2091
2017-10-19 13:31:17 +02:00
Stefan Kalkowski
42db1e112b hw: introduce kernel/user address space split
* introduces central memory map for core/kernel
* on 32-bit platforms the kernel/core starts at 0x80000000
* on 64-bit platforms the kernel/core starts at 0xffffffc000000000
* mark kernel/core mappings as global ones (tagged TLB)
* move the exception vector to begin of core's binary,
  thereby bootstrap knows from where to map it appropriately
* do not map boot modules into core anymore
* constrain core's virtual heap memory area
* differentiate in between user's and core's main thread's UTCB,
  which now resides inside the kernel segment

Ref #2091
2017-10-19 13:31:17 +02:00
Christian Helmuth
0da420c104 Limit max string length in log session for okl4
This commit also adds a test to test-log.
2017-10-19 13:31:16 +02:00
Martin Stein
b811ef4331 signal: fix starvation by fast signal contexts
In the past, a signal context, that was chosen for handling by
'Signal_receiver::pending_signal and always triggered again before
the next call of 'pending_signal', caused all other contexts behind
in the list to starve. This was the case because 'pending_signal'
always took the first pending context in its context list.

We avoid this problem now by handling pending signals in a round-robin
fashion instead.

Ref #2532
2017-10-19 13:29:42 +02:00
Christian Helmuth
28004bc9e6 timer: limit rate of handling timeouts
Ensure that the timer does not handle timeouts again within 1000
microseconds after the last handling of timeouts. This makes denial of
service attacks harder. This commit does not limit the rate of timeout
signals handled inside the timer but it causes the timer to do it less
often. If a client continuously installs a very small timeout at the
timer it still causes a signal to be submitted to the timer each time
and some extra CPU time to be spent in the internal handling method. But
only every 1000 microseconds this internal handling causes user timeouts
to trigger.

If we would want to limit also the call of the internal handling method
to ensure that CPU time is spent beside the RPCs only every 1000
microseconds, things would get more complex. For instance, on NOVA
Time_source::schedule_timeout(0) must be called each time a new timeout
gets installed and becomes head of the scheduling queue. We cannot
simply overwrite the already running timeout with the new one.

Ref #2490
2017-10-05 17:40:05 +02:00
Christian Helmuth
170b532892 Support read-only data symbols in ABI
This also adapts existing symbol files
2017-10-05 17:40:04 +02:00
Norman Feske
bea305aec5 depot: avoid rule aliaing in api/base content.mk
This patch merges two similar rules, which create content at 'include'
into a single rule. This prevents a possible race condition when
creating archives in parallel.
2017-10-05 17:40:01 +02:00
Christian Helmuth
ddfd3c0d7e linux: stack-area handling with recent Linux kernels
We moved the stack-area segment 128 MiB behind text and data to comply
with assumptions in the kernel ELF loader.

This commit also reenables static binaries on linux and removes the
unused stack_area.stdlib.ld script.

Fixes #2521
2017-10-05 17:40:00 +02:00
Norman Feske
1d56c3d3aa base: remove non-critical quota messages
In nested scenarios like driver_manager.run, the initial session quota
for IO_PORT, IO_PORT, and IRQ sessions is expectedly insufficient.
However, the condition is properly handled by re-attemping the request
with a slightly increased quota. Still, core prints a warning each time
the request is denied for quota reasons, which spams the log. This patch
removes the non-critical message.
2017-10-05 17:39:57 +02:00
Emery Hemingway
b20b14de27 support for Nim {.compile.} pragma for C sources
Inject bundled C files into build recipes with the Nim {.compile.}
pragma.

Fix #2516
2017-10-05 17:39:56 +02:00
Johannes Kliemann
d3f5a369a7 ada: implemented add in ada
Fixes #2515
2017-10-05 17:39:55 +02:00
Alexander Boettcher
675e2f062a base: increase stack of entrypoint thread in core
Issue #2514
2017-10-05 17:39:55 +02:00
Christian Helmuth
2ed904faab depot: update recipe hashes 2017-08-30 12:41:43 +02:00
Sebastian Sumpf
991a5a5622 ldso: export symbols required by RISC-V
issue #2423
2017-08-30 09:59:59 +02:00
Alexander Boettcher
830f6934f9 base: add support to unconstrain virtual space
Issue #2507.
2017-08-30 09:59:57 +02:00
Alexander Boettcher
cf2886dc8f core: avoid freeing memory of unknown state
This should actually never happen. However if it happens, be a bit robuster
and don't provide the memory for re-use (which causes tons of other trouble
afterwards).

Issue #2505
2017-08-28 16:49:51 +02:00
Josef Söntgen
404a82d5ee register_set: do not shift when ITEM_WIDTH is 64
Issue #2507.
2017-08-28 16:49:50 +02:00
Martin Stein
d9073a1848 timer/util: generic TIMER_MIN_TICKS_PER_MS
Ref #2400
2017-08-28 16:49:50 +02:00
Martin Stein
399e1586be timer: generic timer_ticks_to_us implementation
There are hardware timers whose frequency can't be expressed as
ticks-per-microsecond integer-value because only a ticks-per-millisecond
integer-value is precise enough. We don't want to use expensive
floating-point values here but nonetheless want to translate from ticks
to time with microseconds precision. Thus, we split the input in two and
translate both parts separately. This way, we can raise precision by
shifting the values to their optimal bit position. Afterwards, the results
are shifted back and merged together again.

As this algorithm is not so trivial anymore and used by at least three
timer drivers (base-hw/x86_64, base-hw/cortex_a9, timer/pit), move it to a
generic header to avoid redundancy.

Ref #2400
2017-08-28 16:49:49 +02:00
Christian Prochaska
ee352abc56 run: add Xen support
When building Genode on a Linux system running in a Xen Dom0, the 'xen'
run target can run a Genode scenario in a Xen DomU.

Usage: in build/x86_*/etc/build.conf, define:

RUN_OPT = --include boot_dir/$(KERNEL) --include image/iso --include power_on/xen --include log/xen --include power_off/xen

The Xen DomU runs in HVM mode and loads Genode from an ISO image. Serial
log output is printed to the console and graphical output is shown in an
SDL window.

The Xen DomU ist managed using the 'xl' command line tool and it is
possible to add configuration options in the 'xen_args' variable in a run
script. Common options are:

- disabling the graphical output:

  append xen_args { sdl="0" }

- configuring a network device:

  append xen_args { vif=\["model=e1000,mac=02:00:00:00:01:01,bridge=xenbr0"\] }

- configuring USB input devices:

  append xen_args { usbdevice=\["mouse","keyboard"\] }

Note: the 'xl' tool requires super-user permissions and interactive
password input can be troublesome in combination with 'expect' and is not
practical for automatic tests. For this reason, the current implementation
assumes that no password input is needed when running 'sudo xl', which can
be achieved by creating a file '/etc/sudoers.d/xl' with the content
'user ALL=(root) NOPASSWD: /usr/sbin/xl'
(where 'user' is the Linux user name).

Fixes #2504
2017-08-28 16:49:48 +02:00
Alexander Boettcher
a63eb3cc37 base: don't free initial slab in destructor
Issue #2505
2017-08-28 16:49:46 +02:00
Stefan Kalkowski
ea46c462a4 base: make stack area base specifiable for core
When running core as the kernel inside every component, a separate
stack area for core is needed that is different from the user-land
component's one.

Ref #2091
2017-08-28 16:49:46 +02:00
Stefan Kalkowski
3906568908 util: make bit array and allocator copyable
Ref #2091
2017-08-28 16:49:46 +02:00
Alexander Boettcher
430bde3636 core: remove unmap from rm_client
The flush/unmap of memory is tied to an address space and not to a thread.
Move the handling from the Rm_client to the Adress_space class.

Issue #2209
2017-08-28 16:49:44 +02:00
Alexander Boettcher
c2950e13eb core: serve parent and core service by one ep
Fixes #2484
2017-08-28 16:49:43 +02:00
Alexander Boettcher
b1a27b417b core: fix deadlock in signal delivery
Acquire Signal_context objects locks via Object_pool::apply() in the
context of the entrpyoint thread, instead in the context of the calling
thread.

Fixes #2485
2017-08-28 16:49:43 +02:00
Emery Hemingway
1e9ad9e3d9 Nim toolchain improvements
- Fix fatal exception handling so that stack traces are dumped
- Add 'include/nim' directories to Nim module search path
- Enable release optimizations for release builds

Fix #2493
2017-08-28 16:49:42 +02:00
Norman Feske
556fec24b1 core-linux: avoid block-for-signal assertion
This patch removes the assertion about the unexpected call of
'block_for_signal' within core. On Linux, this call is actually
expected because of the handling of SIGCHLD signals by core.
2017-08-28 16:49:41 +02:00
Christian Prochaska
b3e039d0b1 base: name initial thread according to child policy
Fixes #2494
2017-08-28 16:49:37 +02:00
Martin Stein
27a608a20a core: ignore boot modules with size 0
A boot module with size 0 previously made Core crash with a page fault in
Region_map_component::attach. This patch prevents the creation of ROM-FS
entries for such modules.

Ref #2490
2017-08-28 16:49:36 +02:00
Martin Stein
23f35370a2 core: generic ROM module initialization
For most base platforms (except linux and sel4), the initialization of
boot modules is the same. Thus, merge this default implementation in the
new unit base/src/core/platform_rom_modules.cc.

Ref #2490
2017-08-28 16:49:36 +02:00
Martin Stein
64377f4b80 core, region map: handle failing metadata assign
In Region_map_component::attach, storing the metadata for a region may
throw an exception. Catch it and throw an Invalid_dataspace exception.

Ref #2490
2017-08-28 16:49:36 +02:00
Martin Stein
b2624be2ad allocator avl: exception if metadata assign fails
The Allocator_avl_tpl::metadata method (assigning variant) may fail
silently. Change this to make debugging easier.

Ref #2490
2017-08-28 16:49:36 +02:00
Martin Stein
0778a0f700 core, region map: more descriptive variable name
In the implementation of Region_map_component::attach
rename variable 'r' 'attach_at'.

Ref #2490
2017-08-28 16:49:36 +02:00
Christian Helmuth
8b073f46df depot: update recipe hashes 2017-08-18 10:25:28 +02:00
Sebastian Sumpf
48134c2a0b ldso/cxx: show symbols names of undefined references
Fixes #2482
2017-08-18 10:24:48 +02:00
Alexander Senier
23db75deff global.mk: Make build messages configurable
This is helpful for disabling messages in etc/tools.conf by
setting it to e.g.

   MSG_LINK = @true ""

This results in much shorter and less cluttered logs in automatic
builds.
2017-08-18 10:24:47 +02:00
Alexander Boettcher
4020766105 sel4: adapt timeouts of run scripts
Issue #2451
2017-08-18 10:24:47 +02:00
Alexander Boettcher
5aab244ce3 sub_rm.run: use config rom for steering test
instead of compile time config enums.
2017-08-18 10:24:47 +02:00
Alexander Boettcher
69e71147ef platform_drv: replace nova specific device_pd
by using generic Pd_session::map instead for eager memory mappings of DMA
memory.

Issue #2209
2017-08-18 10:24:47 +02:00
Alexander Boettcher
fe4bdde687 nova: implement Pd_session::map
- factor out Rm_client::pager lambda code into utility
  Region_map_component::create_map_item
- use utility to find/lookup physical addresses to be mapped eagerly

Issue #2209
2017-08-18 10:24:46 +02:00
Alexander Boettcher
58e4f6cf9d core: add map method to pd_session interface
The method can be used to trigger the eager insertion of page frames into
page tables. Intention: to be used for memory used for DMA.

Issue #2209
2017-08-18 10:24:46 +02:00
Alexander Boettcher
0ddda79511 sel4: add priority support
Issue #2451
2017-08-17 11:04:24 +02:00
Alexander Boettcher
7a8e0e59af sel4: enable smp for x86
Issue #2451
2017-08-17 11:04:24 +02:00
Christian Helmuth
132748a783 Fix location setting in affinity test
This fixes a regression introduced by me in
16914bddc8.
2017-08-17 11:04:22 +02:00
Alexander Boettcher
0743ea87ed rm_fault.run: check for write faults on ROM
Issue #2451
2017-08-17 11:04:21 +02:00
Alexander Boettcher
da5441292a sel4: add Wandboard Quad (iMX6) support
Issue #2451
2017-08-17 11:04:21 +02:00
Alexander Boettcher
c22b60f0c4 base: add initial r0 register to crt0.s for arm
Issue #2451
2017-08-17 11:04:21 +02:00
Alexander Boettcher
51dcf5f7f8 core: destruct platform_pd before ram_ds_factory
Platform_pd "_pd" uses a allocator for, which relies on the mapped RAM
dataspace within core. Unfortunately the RAM dataspaces are already freed up
during _ram_ds_factory destruction, which may lead to trouble if accessed
afterwards.

Issue #2451
2017-08-17 11:04:19 +02:00
Alexander Boettcher
a717e92186 base: set CPP to our custom genode-cpp
Issue #2451
2017-08-17 11:04:18 +02:00
Christian Prochaska
6a43f3c11a file system: use Id_space instead of Node_handle_registry
Fixes #2436
2017-08-17 10:59:43 +02:00
Norman Feske
0d1be4abe2 depot: update recipe hashes 2017-06-29 12:00:04 +02:00
Christian Helmuth
c18dffa9fa base: align metadata allocation in heap at 16 byte
Issue #754
2017-06-29 12:00:03 +02:00
Norman Feske
d2b21d294e base/mk: streamline spec includes for ARM
This patch sets the -march complile flag in spec/arm_v7a.mk, which
enables us to build depot archives for the 'arm_v7a' architecture.

It also removes copy-pasted comments that offer no valuable insights but
contain grammar errors.
2017-06-29 12:00:01 +02:00
Christian Helmuth
4d11b7e5a8 sd_card: move defs from wand_quad to imx6 header 2017-06-29 11:59:57 +02:00
Norman Feske
f95bfddc09 base: simplify handling of session-creation errors
This patch decouples the error handling of the quota transfers
and the actual session creation. In the previous version, an error in
the 'initiate_request' phase would leave the local scope via an
exception without disarming the transfer guard objects. This way,
the guard destructors would attempt the returning of session quota in
addition to the explicit call of '_revert_quota_and_destroy' as done in
the error handling of the 'initiate_request' operation.

In the presence of a session-creation error in the 'initiate_request'
phase, session quota would eventually be returned twice. This patch
removes the intertwined error handling of both phases in a way that the
guards of the first phase (quota transfer) are no longer present in the
second phase (initiate_request).
2017-06-29 11:59:52 +02:00
Norman Feske
f278024e44 core: prevent transfer of static PD session quota
This patch makes sure that the initial PD session limit (as defined by
the client-provided session quota) is preserved over the entire lifetime
of the PD session. That means, it cannot be transferred to other PD
sessions. Otherwise, it may be impossive to hand back all the static
session quota to the PD-session client at session-destruction time
because parts of the initial quota would no longer belong to the
session.

Note that the initial limit can still be used for allocations within the
PD session as those allocations are automatically reverted at
session-destruction time.
2017-06-29 11:59:52 +02:00
Alexander Boettcher
238df4dd58 core: add information about infos provided by core
Issue #2242
2017-06-29 11:59:52 +02:00
Alexander Boettcher
04b2919a1a acpi_drv: use platform_info for rsdt/xsdt lookup
Issue #2242
2017-06-29 11:59:50 +02:00
Christian Helmuth
019528ee6a Disable lock tests on platforms without priorities
The implementations of the lock and C++ guards tests depend on
thread-execution priorities, which produces false negatives of the whole
thread test on platforms without priority support.
2017-06-29 11:59:49 +02:00
Christian Helmuth
d5b85da8de Prevent warning about tiny stack in weak_ptr test 2017-06-19 12:35:57 +02:00
Stefan Kalkowski
a004462096 hw: fix capability accounting of kernel/core
The recently implemented capability resource trading scheme unfortunately
broke the automated capability memory upgrade mechanism needed by base-hw
kernel/core. This commit splits the capability memory upgrade mechanism
from the PD session ram_quota upgrade, and moves that functionality
into a separate Pd_session::Native_pd interface.

Ref #2398
2017-06-19 12:35:55 +02:00
Stefan Kalkowski
6f8dc9054a base: setup parent upgrade mechanism eagerly
Fix #2447
2017-06-19 12:35:55 +02:00
Alexander Boettcher
0f227d5d24 run: adjust virtualbox cap quotas to fit native hw 2017-06-08 11:33:31 +02:00
Alexander Boettcher
77fe0c882b base: check ownership of thread in cpu_session
Fixes #1431
2017-06-08 11:33:06 +02:00
Christian Helmuth
5e1fb42b54 Fix warnings in ADA example 2017-06-02 15:58:22 +02:00
Christian Helmuth
892ede515f depot: update recipe hashes 2017-05-31 16:18:01 +02:00
Norman Feske
7bb8e332a9 depot: adjust base recipe to removed headers
This patch updates the recipes for the base-<kernel> archives to the
recently removed os/config.h and os/timeout.h headers.
2017-05-31 13:16:25 +02:00
Sebastian Sumpf
c3cf7f3c3a riscv: ISA-1.9.1 and GCC-6.3.0 adaptions
Adds 1.9.1 support to base-hw

Note:
* the kernel timer is not working
* dynamic linking is currently not supported
2017-05-31 13:16:24 +02:00
Christian Helmuth
8bd0efced6 Remove obsolete RAM/CAP services from run scripts
Adapted launchpad and also the rm_fault and resource_request tests.

Issue #2407
2017-05-31 13:16:22 +02:00
Stefan Kalkowski
632ef28463 os: removal of deprecated os/config.h (fix #2431) 2017-05-31 13:16:22 +02:00
Norman Feske
adb26b5216 API documentation refinements 2017-05-31 13:16:21 +02:00
Christian Helmuth
e00bd3e45b core: remove PD capability from thread object 2017-05-31 13:16:20 +02:00
Christian Helmuth
ea48f1f1cc core: remove warning about possibly leaking resources
Too many false positives...

Issue #2398
2017-05-31 13:16:20 +02:00
Christian Prochaska
16deaa9a72 timed_semaphore: fix deprecated warning
Fixes #2429
2017-05-31 13:16:19 +02:00
Stefan Kalkowski
0fb672b493 run: use default Qemu memory size for x86
Fix #2428
2017-05-31 13:16:19 +02:00
Emery Hemingway
419da32ee3 lib/ldso: coalesce RPC calls for ROM dataspaces
A dataspace capability request to a ROM service may invalidate any
previously issued dataspace. Therefor no requests should be made while a
session dataspace is mapped. Reducing calls to the session also improves
performance where servicing a ROM request has a significant cost.

Fix #2418
2017-05-31 13:16:16 +02:00
Emery Hemingway
5f27c7b9eb initial Nim compiler and standard library support
https://nim-lang.org/

Fix #1879
2017-05-31 13:16:16 +02:00
Norman Feske
53253ba422 base: add reinit functionality to 'Env'
The 'reinit' and 'reinit_main_thread' methods are needed to implement
fork in Noux. Until now, they were provided by the 'Deprecated_env'
only.
2017-05-31 13:16:14 +02:00
Norman Feske
0167d5af50 Integrate core's RAM service into the PD service
Fixes #2407
2017-05-31 13:16:14 +02:00
Norman Feske
5a3a1c704b base: use 'Ram_allocator' as stack-area back end
The 'Stack_area_ram_session' is now a 'Stack_area_ram_allocator', which
simplifies the code and remove a dependency from the 'Ram_session'
interface, which we want to remove after all.

Issue #2407
2017-05-31 13:16:13 +02:00
Norman Feske
963a6c37a0 core: equip signal-context slab with initial block
By supplying a statically allocated initial block to the slab allocator
for signal contexts, we become able to construct a 'Signal_broker' (the
back end for the PD's signalling API) without any dynamic memory
allocation. This is a precondition for using the PD as meta-data
allocator for its contained signal broker (meta data allocations must
not happen before the PD construction is complete).

Issue #2407
2017-05-31 13:16:13 +02:00
Norman Feske
a96919632e core: unify Pd_session_component across kernels
Issue #2407
2017-05-31 13:16:13 +02:00
Norman Feske
4773707495 core: split RAM dataspace factory from RAM service
By separating the session-interface concerns from the mechanics of the
dataspace creation, the code becomes simpler to follow, and the RAM
session can be more easily merged with the PD session in a subsequent
step.

Issue #2407
2017-05-31 13:16:12 +02:00
Norman Feske
65225a94b1 core: simplify initialization
This patch removes the 'Core_parent' and 'Core_pd_session', and reduces
the 'Core_env'.
2017-05-31 13:16:12 +02:00
Norman Feske
a1df4fee44 base: restructure signal-submit initialization
This patch allows core's 'Signal_transmitter' implementation to sidestep
the 'Env::Pd' interface and thereby adhere to a stricter layering within
core. The 'Signal_transmitter' now uses - on kernels that depend on it -
a dedicated (and fairly freestanding) RPC proxy mechanism for signal
deliver, instead of channeling signals through the 'Pd_session::submit'
RPC function.
2017-05-31 13:16:12 +02:00
Martin Stein
c70fed29f7 os/timer: interpolate time via timestamps
Previously, the Genode::Timer::curr_time always used the
Timer_session::elapsed_ms RPC as back end.  Now, Genode::Timer reads
this remote time only in a periodic fashion independently from the calls
to Genode::Timer::curr_time. If now one calls Genode::Timer::curr_time,
the function takes the last read remote time value and adapts it using
the timestamp difference since the remote-time read. The conversion
factor from timestamps to time is estimated on every remote-time read
using the last read remote-time value and the timestamp difference since
the last remote time read.

This commit also re-works the timeout test. The test now has two stages.
In the first stage, it tests fast polling of the
Genode::Timer::curr_time. This stage checks the error between locally
interpolated and timer-driver time as well as wether the locally
interpolated time is monotone and sufficiently homogeneous. In the
second stage several periodic and one-shot timeouts are scheduled at
once. This stage checks if the timeouts trigger sufficiently precise.

This commit adds the new Kernel::time syscall to base-hw. The syscall is
solely used by the Genode::Timer on base-hw as substitute for the
timestamp. This is because on ARM, the timestamp function uses the ARM
performance counter that stops counting when the WFI (wait for
interrupt) instruction is active. This instruction, however is used by
the base-hw idle contexts that get active when no user thread needs to
be scheduled.  Thus, the ARM performance counter is not a good choice for
time interpolation and we use the kernel internal time instead.

With this commit, the timeout library becomes a basic library. That means
that it is linked against the LDSO which then provides it to the program it
serves. Furthermore, you can't use the timeout library anymore without the
LDSO because through the kernel-dependent LDSO make-files we can achieve a
kernel-dependent timeout implementation.

This commit introduces a structured Duration type that shall successively
replace the use of Microseconds, Milliseconds, and integer types for duration
values.

Open issues:

* The timeout test fails on Raspberry PI because of precision errors in the
  first stage. However, this does not render the framework unusable in general
  on the RPI but merely is an issue when speaking of microseconds precision.

* If we run on ARM with another Kernel than HW the timestamp speed may
  continuously vary from almost 0 up to CPU speed. The Timer, however,
  only uses interpolation if the timestamp speed remained stable (12.5%
  tolerance) for at least 3 observation periods. Currently, one period is
  100ms, so its 300ms. As long as this is not the case,
  Timer_session::elapsed_ms is called instead.

  Anyway, it might happen that the CPU load was stable for some time so
  interpolation becomes active and now the timestamp speed drops. In the
  worst case, we would now have 100ms of slowed down time. The bad thing
  about it would be, that this also affects the timeout of the period.
  Thus, it might "freeze" the local time for more than 100ms.

  On the other hand, if the timestamp speed suddenly raises after some
  stable time, interpolated time can get too fast. This would shorten the
  period but nonetheless may result in drifting away into the far future.
  Now we would have the problem that we can't deliver the real time
  anymore until it has caught up because the output of Timer::curr_time
  shall be monotone. So, effectively local time might "freeze" again for
  more than 100ms.

  It would be a solution to not use the Trace::timestamp on ARM w/o HW but
  a function whose return value causes the Timer to never use
  interpolation because of its stability policy.

Fixes #2400
2017-05-31 13:16:11 +02:00
Alexander Boettcher
6d79d03380 heap: align allocations to 16 byte addresses
Issue #754
2017-05-31 13:16:11 +02:00
Norman Feske
2c6729768d base: consider exception during child construction
This patch make sure that a once managed parent RPC object will always be
dissolved if an exception during the remaining child construction
occurs. The original version would miss the dissolve call if one of the
subsequent members throws an exception at construction time.
2017-05-31 13:16:10 +02:00
Stefan Kalkowski
b58b69515c Remove UART specific SPEC identifiers (Ref #2403) 2017-05-31 13:16:10 +02:00
Norman Feske
433fc6a7f1 base: let 'Local_service' catch all exceptions
This patch eases the debugging of situations where a session-object
constructor wrongly throws an exception type not specified in the
'Local_service::Factory' interface.
2017-05-31 13:16:07 +02:00
Norman Feske
4d442bca30 Streamline exception types
This patch reduces the number of exception types by facilitating
globally defined exceptions for common usage patterns shared by most
services. In particular, RPC functions that demand a session-resource
upgrade not longer reflect this condition via a session-specific
exception but via the 'Out_of_ram' or 'Out_of_caps' types.

Furthermore, the 'Parent::Service_denied', 'Parent::Unavailable',
'Root::Invalid_args', 'Root::Unavailable', 'Service::Invalid_args',
'Service::Unavailable', and 'Local_service::Factory::Denied' types have
been replaced by the single 'Service_denied' exception type defined in
'session/session.h'.

This consolidation eases the error handling (there are fewer exceptions
to handle), alleviates the need to convert exceptions along the
session-creation call chain, and avoids possible aliasing problems
(catching the wrong type with the same name but living in a different
scope).
2017-05-31 13:16:07 +02:00
Norman Feske
1f4f119b1e Capability quota accounting and trading
This patch mirrors the accounting and trading scheme that Genode employs
for physical memory to the accounting of capability allocations.

Capability quotas must now be explicitly assigned to subsystems by
specifying a 'caps=<amount>' attribute to init's start nodes.
Analogously to RAM quotas, cap quotas can be traded between clients and
servers as part of the session protocol. The capability budget of each
component is maintained by the component's corresponding PD session at
core.

At the current stage, the accounting is applied to RPC capabilities,
signal-context capabilities, and dataspace capabilities. Capabilities
that are dynamically allocated via core's CPU and TRACE service are not
yet covered. Also, the capabilities allocated by resource multiplexers
outside of core (like nitpicker) must be accounted by the respective
servers, which is not covered yet.

If a component runs out of capabilities, core's PD service prints a
warning to the log. To observe the consumption of capabilities per
component in detail, the PD service is equipped with a diagnostic
mode, which can be enabled via the 'diag' attribute in the target
node of init's routing rules. E.g., the following route enables the
diagnostic mode for the PD session of the "timer" component:

  <default-route>
    <service name="PD" unscoped_label="timer">
      <parent diag="yes"/>
    </service>
    ...
  </default-route>

For subsystems based on a sub-init instance, init can be configured
to report the capability-quota information of its subsystems by
adding the attribute 'child_caps="yes"' to init's '<report>'
config node. Init's own capability quota can be reported by adding
the attribute 'init_caps="yes"'.

Fixes #2398
2017-05-31 13:16:06 +02:00
Norman Feske
773e08976d Assign cap quotas in run scripts and recipes
Issue #2398
2017-05-31 13:16:06 +02:00
Norman Feske
e44f65f3b2 core: RAM service based on 'Session_object'
This patch reworks the implementation of core's RAM service to make use
of the 'Session_object' and to remove the distinction between the
"metadata" quota and the managed RAM quota. With the new implementation,
the session implicitly allocates its metadata from its own account. So
there is not need to handle 'Out_of_metadata' and 'Quota_exceeded' via
different exceptions. Instead, the new version solely uses the
'Out_of_ram' exception.

Furthermore, the 'Allocator::Out_of_memory' exception has become an alias
for 'Out_of_ram', which simplifies the error handling.

Issue #2398
2017-05-31 13:16:06 +02:00
Norman Feske
028e633af4 base: add 'Session_object' class
The 'Session_object' unifies several aspects of server-component
implementations:

* It keeps track of session quotas and is equipped with standardized
  interfaces (Quota_guard) to upgrade (and in the future potentially
  downgrade) session quotas in a uniform way.

* It follows the pattern of modern RPC objects / signal handlers that
  manage/dissolve themselves at the entrypoint given as constructor
  argument. Thereby, the relationship with its entrypoint is always
  coupled with the lifetime of the session-component object.

* It stores the session label, which was previously done manually by
  most but not all server-component implementations.

* It stores the session 'diag' flag.

* It is equipped with output methods 'diag', 'error', and 'warning'.
  All messages printed from the context of a session component is
  automatically prefixed with the session type and client label.
  Messages passed via 'diag' are only printed if the 'diag' flag of
  the session is set.

Issue #2398
2017-05-31 13:16:06 +02:00
Norman Feske
aea5d03691 base: add Child_policy::Route::Diag flag
The 'diag' flag can be defined by a target node of a route in init's
configuration. It is propagated as session argument to the server, which
may evaluate the flag to enable diagnostic output for the corresponding
session.

Issue #2398
2017-05-31 13:16:06 +02:00
Norman Feske
3670f7735d base: use 'Quota_transfer::Account' for 'Service'
This patch makes use of the new 'Quota_transfer::Account' by the service
types in base/service.h and uses 'Quota_transfer' objects in
base/child.cc and init/server.cc.

Furthermore, it decouples the notion of an 'Async_service' from
'Child_service'. Init's 'Routed_service' is no longer a 'Child_service'
but is based on the new 'Async_service' instead.

With this patch in place, quota transfers do no longer implicitly use
'Ram_session_client' objects. So transfers can in principle originate
from component-local 'Ram_session_component' objects, e.g., as used by
noux. Therefore, this patch removes a strumbling block for turning noux
into a single threaded component in the future.

Issue #2398
2017-05-31 13:16:06 +02:00
Norman Feske
5c43074bc6 core: simplify core_env.h
Issue #2398
2017-05-31 13:16:05 +02:00
Norman Feske
f69937deb1 base: new base/quota_transfer.h helper
The 'Quota_transfer' helper facilitated the implementation of quota
transfers between components in a transactional manner. It is designated
for framework-internal use (replacing the 'Transfer' class in child.h).
However, since it is also useful for init, we make it publicly
available.

The 'Quota_transfer::Account' class serves as an interface representing
the donor or receiver of quotas (parent, service, client).

Issue #2398
2017-05-31 13:16:05 +02:00
Norman Feske
f02c8328db init: access Ram_session as const
This is now possible because the new 'used_ram' and 'ram_quota' RPC
functions are declared as const.

Issue #2398
2017-05-31 13:16:05 +02:00
Norman Feske
6609aafb05 Replace Quota_exceeded by Insufficient_ram_quota
This patch replaces the 'Parent::Quota_exceeded',
'Service::Quota_exceeded', and 'Root::Quota_exceeded' exceptions
by the single 'Insufficient_ram_quota' exception type.

Furthermore, the 'Parent' interface distinguished now between
'Out_of_ram' (the child's RAM is exhausted) from
'Insufficient_ram_quota' (the child's RAM donation does not suffice to
establish the session).

This eliminates ambiguities and removes the need to convert exception
types along the path of the session creation.

Issue #2398
2017-05-31 13:16:05 +02:00
Norman Feske
eea493a8ca base: safeguard entrypoint against double manage
This patch adds sanity checks to the RPC entrypoint that detect attempts
to manage or dissolve the same RPC object twice. This is not always a
bug. I.e., if RPC objects are implemented in the modern way where the
object manages/dissolves itself. As the generic framework code (in
particular root/component.h) cannot rely on this pattern, it has to
call manage/dissolve for session objects anyway. For modern session
objects, this double attempt would result in a serious error (double
insertion into the object pool's AVL tree).

Issue #2398
2017-05-31 13:16:05 +02:00
Norman Feske
843dd179d7 base: remove int return types from 'Ram_session'
This patch replaces the existing C-style error codes with C++
exceptions.

Fixes #895
2017-05-31 13:16:04 +02:00
Norman Feske
58f44d39c5 base: use 'Ram_quota' in 'Ram_session' args
This patch replaces the former use of size_t with the use of the
'Ram_quota' type to improve type safety (in particular to avoid
accidentally mixing up RAM quotas with cap quotas).

Issue #2398
2017-05-31 13:16:04 +02:00
Norman Feske
ff68d77c7d base: new 'Ram_allocator' interface
The 'Ram_allocator' interface contains the subset of the RAM session
interface that is needed to satisfy the needs of the 'Heap' and
'Sliced_heap'. Its small size makes it ideal for intercepting memory
allocations as done by the new 'Constrained_ram_allocator' wrapper
class, which is meant to replace the existing 'base/allocator_guard.h'
and 'os/ram_session_guard.h'.

Issue #2398
2017-05-31 13:16:04 +02:00
Norman Feske
5a468919bb base: new session-creation helper types
This patch augments the existing session/session.h with useful types for
the session creation:

* The new 'Insufficient_ram_quota' and 'Insufficient_cap_quota'
  exceptions are meant to supersede the old 'Quota_exceeded' exception
  of the 'Parent' and 'Root' interfaces.

* The 'Session::Resources' struct subsumes the information about the
  session quota provided by the client.

* The boolean 'Session::Diag' type will allow sessions to operate in a
  diagnostic mode.

* The existing 'Session_label' is not also available under the alias
  'Session::Label'.

* A few helper functions ease the extraction of typed session arguments
  from the session-argument string.

Issue #2398
2017-05-31 13:16:04 +02:00
Norman Feske
220890534a base: 'Quota_guard' utility for tracking quotas
* Introduces 'Cap_quota' and 'Ram_quota' types
* Introduces 'Out_of_caps' and 'Out_of_ram' exceptions

Issue #2398
2017-05-31 13:16:04 +02:00
Norman Feske
c1b981ede4 Annotate session interfaces with CAP_QUOTA
The new 'CAP_QUOTA' enum value denotes the capability quota to be
transferred from the client to the server at session-creation time.

Issue #2398
2017-05-31 13:16:04 +02:00
Norman Feske
bc82cce72b core: add Platform::max_caps()
This method returns the kernel-specific system-global limit of the total
number of capabilities.

Issue #2398
2017-05-31 13:16:03 +02:00
Norman Feske
5b1e3466be base: construct 'Tslab' with allocator reference
The new constructor avoids the use of a pointer.
2017-05-31 13:16:03 +02:00
Norman Feske
f5bdab4518 base: add Slab::avail_entries accessor
This accessor is useful to eagerly expand the slab with new slab blocks,
side stepping the slab's built-in policy for the allocation of new slab
blocks.

This is particularly important when using the slab for allocating the
cap space meta-data for the base-hw kernel. To guarantee that the slab
gets never exhausted in the kernel, it is expanded before entering the
kernel.
2017-05-31 13:16:03 +02:00
Norman Feske
67481fdfc3 base: support exceptions during _new_slab_block
With the introduction of the 'Out_of_caps' exception type, the slab
needs to consider exceptions during the call of '_new_slab_block' by
reverting the 'nested' state.
2017-05-31 13:16:03 +02:00
Christian Helmuth
f41d8d6b14 core: fix compiler warnings 2017-05-31 13:16:01 +02:00
Stefan Kalkowski
6106e64aac base: remove include/spec/* other than ISA
This commit moves the headers residing in `repos/base/include/spec/*/drivers`
to `repos/base/include/drivers/defs` or repos/base/include/drivers/uart`
respectively. The first one contains definitions about board-specific MMIO
iand RAM addresses, or IRQ lines. While the latter contains device driver
code for UART devices. Those definitions are used by driver implementations
in `repos/base-hw`, `repos/os`, and `repos/dde-linux`, which now need to
include them more explicitely.

This work is a step in the direction of reducing 'SPEC' identifiers overall.

Ref #2403
2017-05-31 13:16:01 +02:00
Christian Helmuth
1d99e7ede9 base: classify signals as I/O and application level
Fixes #2363
2017-05-31 13:15:58 +02:00
Norman Feske
b58fbe5ba5 Depot-archive recipes
Issue #2339
2017-05-31 13:15:56 +02:00
Norman Feske
cd5a03758f base: fix bool retval check in heap
Thanks to gcc 6.3 for reporting!
2017-05-31 13:15:55 +02:00
Norman Feske
11aadd4ce8 base: fix gcc-6.3 warning (check null ref)
The check that triggers the warning was solely in place for diagnostic
purposes. We can remove it.
2017-05-31 13:15:55 +02:00
Norman Feske
8e7aa54493 base: drop session states of vanished clients
For asynchronously provided sessions, the parent has to maintain the
session state as long as the server hasn't explicitly responded to a
close request. For this reason, the lifetime of such session states is
bound to the server, not the client.

When the server responds to a close request, the session state gets
freed. The 'session_response' implementation does not immediately
destroy the session state but delegates the destruction to a client-side
callback, which thereby also notifies the client. However, the code did
not consider the case where the client has completely vanished at
session-response time. In this case, we need to drop the session state
immediately.

Fixes #2391
2017-05-31 13:15:52 +02:00
Stefan Kalkowski
67ba7b89a7 hw: separate bootstrap and core strictly
* Introduce Hw namespace and library files under src/lib/hw
* Introduce Bootstrap namespace
* Move all initialization logic into Bootstrap namespace

Ref #2388
2017-05-31 13:15:52 +02:00
Christian Prochaska
742293ab87 Genode::Fifo_element: workaround for compiling with GCC 6
Issue #2383
2017-05-31 13:15:51 +02:00
Christian Prochaska
bf83c07923 Genode::retry(): fix compile error with GCC 6
Fixes #2376
2017-05-31 13:15:50 +02:00
Christian Prochaska
78a9cbf82d Trace::Logger: workaround for compiling with GCC 6
Issue #2375
2017-05-31 13:15:50 +02:00
Christian Prochaska
661a3100b1 stdcxx: update to version 6.3.0
Issue #2372
2017-05-31 13:15:50 +02:00
Christian Prochaska
58f2088d3e gcc: update to version 6.3.0
Issue #2372
2017-05-31 13:15:49 +02:00
Norman Feske
0e06042f81 base/mk: include sub specs from BASE_DIR
Originally, the spec files for less specific SPEC values were include
via the 'select_from_repositories' function. This implies that BASE_DIR
must always be present in the list of 'REPOSITORIES'. Otherwise the
spec files won't be found. By explicitly including sub specs from
'$(BASE_DIR)/mk', we lift this restriction.
2017-05-02 15:29:04 +02:00
Norman Feske
e2fb49ae39 core: avoid using BASE_DIR in vpath
When building core from a source archive, we don't want to incorporate
any source codes from BASE_DIR.
2017-05-02 15:29:03 +02:00
Norman Feske
8f27babf16 mk: strip binaries at <build-dir>/bin/
The <build-dir>/bin/ directory used to contain symbolic links to the
unstripped build results. However, since the upcoming depot tool
extracts the content of binary archives from bin/, the resulting
archives would contain overly large unstripped binaries, which is
undesired. On the other hand, always stripping the build results is not
a good option either because we rely of symbol information during
debugging.

This patch changes the installation of build results such that a new
'debug/' directory is populated besides the existing 'bin/' directory.
The debug directory contains symbolic links to the unstripped build
results whereas the bin directory contains stripped binaries that are
palatable for packaging (depot tool) and for assembling boot images (run
tool).
2017-05-02 15:29:03 +02:00
Norman Feske
8c4a2a48ca core: install core-<kernel>.o at bin/
By installing the core object to bin/, we follow the same convention as
for regular binaries. This, in turn, enables us to ship core in a
regular binary archive. The patch also adjusts the run tool to pick up
the core object from bin/ for the final linking stage.
2017-05-02 15:29:02 +02:00
Norman Feske
da294cb02a mk: obtain 'genode.ld' always form BASE_DIR
This way, the base repository does not need to be present in the
'REPOSITORIES' list when building static executables.
2017-05-02 15:28:54 +02:00
Alexander Boettcher
1c79ba4182 slab: detect corrupted slab and invalid frees
and report about that.

Fixes #2350
2017-05-02 15:28:54 +02:00
Edgard Schmidt
e933c7b4d8 Cleanup Call_return encapsulation in call()
~emove the second Call_return encapsulation from the already
encapsulated return type of Capability::call.

Fixes #2180
2017-05-02 15:28:52 +02:00
Norman Feske
0b30cf0ab6 mk: omit the creation of .lib.so files for ABIs
Furthermore, the patch alleviates the need for providing a library
description file if the library is present in the form of an ABI-symbols
file only.
2017-04-11 15:34:16 +02:00
Norman Feske
6d82dd14d6 mk: access linker scripts via BASE_DIR
The use of 'select_from_repositories' for locating the linker script for
dynamically-linked executables only works if 'BASE_DIR' appears in the
list of 'REPOSITORIES'. This is the case when using the build system in
the traditional way but it is not desired when building binary archives
of individual components.
2017-04-11 15:34:16 +02:00
Christian Helmuth
b35df4578b Check Registered base class provides virtual destructor
The base class of Registered must provide a virtual destructor to enable
safe deletion with just a base class pointer. This requirement can be
lifted by using Registered_no_delete in places where the deletion
property is not needed.

Fixes #2331
2017-03-24 16:20:04 +01:00
Christian Helmuth
cb43e04691 ldso: defer execution of static constructors
Ldso now does not automatically execute static constructors of the
binary and shared libraries the binary depends on. If static
construction is required (e.g., if a shared library with constructor is
used or a compilation unit contains global statics) the component needs
to execute the constructors explicitly in Component::construct() via
Genode::Env::exec_static_constructors().

In the case of libc components this is done by the libc startup code
(i.e., the Component::construct() implementation in the libc).

The loading of shared objects at runtime is not affected by this change
and constructors of those objects are executed immediately.

Fixes #2332
2017-03-24 16:20:04 +01:00
Norman Feske
48d1141917 core: improve formatting of allocator dumps
This patch uses the 'Hex_range' and 'Number_of_bytes' utilities to make
the formatted output of 'Allocator_avl_base' better readable.
2017-03-24 16:19:58 +01:00
Norman Feske
d56374e4b9 base: handle 0 in Number_of_bytes::print
This patch avoids printing the number 0 as "0G".
2017-03-24 16:19:58 +01:00
Norman Feske
d227db4574 base: destruction order of binary/linker ROMs
This patch destructs the environment sessions for the binary and the
dynamic linker along with the other environment sessions to avoid a
warning about reverting quota that occurs when attempting to close
these sessions too late.
2017-03-24 16:19:57 +01:00
Norman Feske
0202048eb6 base: gracefully handle invalid env session routes
This patch addresses the corner cases where an environment session
could not be routed, i.e., if an environment LOG log session is
routed to a non-existing child.
2017-03-24 16:19:56 +01:00
Norman Feske
48174ab974 base: pass separate label to Local_connection
This patch extends the constructor of 'Local_connection' with an
optional 'label' argument, which was previously passed implicitly as
part of the 'args' argument. Keeping the label separate from 'args'
enables us to distinguish the client-specified label from a label that
resulted from a server-side label as it is used when rewriting a label
of an environment session (i.e., the binary name) in init's routing
policy. In principle, this patch eliminates the need for init's
explicite handling of the binary name via the '<binary>' node, or
at least allows us to simplity the binary-node handling.
2017-03-24 16:19:55 +01:00
Alexander Boettcher
391339a4bb base: handle race in Genode::Registry class
The race may happen when element objects get destructed by another thread then
the thread handling the for_each loop. In this case it may happen that the
object is already destructed (left the ~Element destructor) but the thread
handling the loop touches the invalid memory afterwards (the Element lock).

detected during issue #2299

Fixes #2320
2017-03-15 12:32:28 +01:00
Christian Helmuth
b9834bc388 Rename Linux audio driver to linux_audio_drv
Related to #2190
Fixes #2278
2017-03-15 12:32:27 +01:00
Christian Helmuth
43e7cc56a3 Rename Linux NIC driver to linux_nic_drv
Related to #2190
Issue #2278
2017-03-15 12:32:27 +01:00
Stefan Kalkowski
f1b632af68 affinity.run: do not test non-SMP platforms 2017-03-15 12:32:25 +01:00
Martin Stein
0bb752674f panda: fix timer speed
Previously we had configured the timer for the Panda ES with 700 MHz
CPU clock. But the Panda A6 that we use as reference now runs with
800 MHz.

Fixes #2308
2017-03-15 12:32:24 +01:00
Martin Stein
e744c76bf2 mmio: make base address member private
Ref #2196
2017-03-15 12:32:24 +01:00
Martin Stein
ecbb7534b9 register set: make noncopyable
If a register set gets copied, the '_plain_access' of the copy references
the plain access object of the original object.

Ref #2196
2017-03-15 12:32:23 +01:00
Alexander Boettcher
bed28dfe49 base: extend cxa guards to support threads on various priorities
Fixes #2299
2017-03-15 12:32:23 +01:00
Alexander Boettcher
16e6533a0a base: extend thread test to test cxa guards
with various priorities.

Showcases issue #2299
2017-03-15 12:24:45 +01:00
Martin Stein
442c24420d mmio: separate MMIO access and register logic
By separating the plain MMIO access implementation from the generic bit
and offset logic of registers, we can now use the latter also with other
types of register access like I2C. The register and MMIO front-ends have
not changed due to the separation.

Ref #2196
2017-03-15 12:24:42 +01:00
Alexander Boettcher
25ac3cdd86 base: handle twice Lock::lock calls correctly
to avoid loosing threads in the applicants list if lock owner calls 'twice'
Lock::lock().

Fixes #2300
2017-03-15 12:24:42 +01:00
Alexander Boettcher
8102b78d22 base: extend thread test to test locks
Showcase issue #2300
2017-03-15 12:24:42 +01:00
Christian Helmuth
40f319e9e9 Terminate if pure virtual function is called
Fixes #2229
2017-03-15 12:24:41 +01:00
Norman Feske
226ff08304 core: increase stack size of init-child entrypoint
With the commit "init: session-label rewriting", the stack usage
increased due to the handling of session-label strings as local
variables. The stack overrun occurred in the vmm scenario on
base-hw.
2017-02-28 13:00:44 +01:00
Martin Stein
daaddbd584 base*, os: get rid of all env() calls
Issue #1987
2017-02-28 13:00:42 +01:00
Martin Stein
56cafb3b57 hw: fix race in signal dispatching
There was a race when the component entrypoint wanted to do
'wait_and_dispatch_one_signal'. In this function it raises a flag for
the signal proxy thread to notice that the entrypoint also wants to
block for signals. When the flag is set and the signal proxy wakes up
with a new signal, it tried to cancel the blocking of the entrypoint.
However, if the entrypoint had not reached the signal blocking at this
point, the cancel blocking failed without a solution. Now, the new
Kernel::cancel_next_signal_blocking call solves the problem by storing a
request to cancel the next signal blocking of a thread immediately
without blocking itself.

Ref #2284
2017-02-28 13:00:41 +01:00
Norman Feske
29b8d609c9 Adjust file headers to refer to the AGPLv3 2017-02-28 12:59:29 +01:00
Sebastian Sumpf
35d2d582a4 base: free 'Cpu_free_component' from EP construction fails
It can happen that when Cpu_free_component is constructed the insertion
of the object through 'manage' succeeds for the EP put not for the pager
EP, which in turn raises an Out_of_meta_data exception. Because we are
within the constructor, the descstructor is not called, leading to a
dangling object pool entry for the EP.

issue #2289
2017-02-28 12:59:28 +01:00
Norman Feske
fcb861689a base: support for re-validating session routes
This patch supplements 'Session_state' with the methods needed to test
the validity of a session with a changed routing policy.
2017-02-28 12:59:26 +01:00
Sebastian Sumpf
553a4222f4 base: entrypoint dissolve signal proxy
If not dissolved in ~Entrypoint, the signal proxy is found within NOVA's
and FOC's object pool upon Rpc_entrypoint destruction. This leads to a
deadlock because the signal proxy is destructed before the RPC EP.

issue #2284
2017-02-28 12:59:24 +01:00
Norman Feske
dfc4c58782 root/component.h: POLICY::release on exception
This patch ensures that the POLICY::release is called whenever the
session creation aborted with an exception. In the original version, an
exception like 'Quota_exceeded' caused a single-session root interface
to deny subsequent session requests.
2017-02-28 12:59:24 +01:00
Norman Feske
7d9f68493a base: support for multi-staged child startup
This patch enhances the 'Child' and 'Child_policy' with the ability to
separate the different steps of bootstrapping children. If the
'Child_policy::initiate_env_sessions()' returns false, the child's
environment sessions remain unrouted at construction time. This way,
child objects for many children can be initialized to a state that
allows the children to represent services for other children. Therefore,
session routing can be applied before any child executes.

At this stage, the environment RAM sessions of all children can be
created. Note that this step still has the limitation that RAM sessions
are generally expected to be provided by either the parent or a local
service.

Once all children are equipped with RAM, they can in principle receive
session-quota donations. Hence, all other environment sessions can now
be arbitrarily routed and initiated.

Once the environment of a child is complete, the child's process and
initial thread is created.
2017-02-28 12:59:23 +01:00
Norman Feske
9cba459958 base: remove Child::heap
This patch improves the accounting for the backing store of
session-state meta data. Originally, the session state used to be
allocated by a child-local heap partition fed from the child's RAM
session. However, whereas this approach was somehow practical from a
runtime's (parent's) point of view, the child component could not count
on the quota in its own RAM session. I.e., if the Child::heap grew at
the parent side, the child's RAM session would magically diminish. This
caused two problems. First, it violates assumptions of components like
init that carefully manage their RAM resources (and giving most of them
away their children). Second, if a child transfers most of its RAM
session quota to another RAM session (like init does), the child's RAM
session may actually not allow the parent's heap to grow, which is a
very difficult error condition to deal with.

In the new version, there is no Child::heap anymore. Instead, session
states are allocated from the runtime's RAM session. In order to let
children pay for these costs, the parent withdraws the local session
costs from the session quota donated from the child when the child
initiates a new session. Hence, in principle, all components on the
route of the session request take a small bite from the session quota to
pay for their local book keeping

Consequently, the session quota that ends up at the server may become
depleted more or less, depending on the route. In the case where the
remaining quota is insufficient for the server, the server responds with
'QUOTA_EXCEEDED'. Since this behavior must generally be expected, this
patch equips the client-side 'Env::session' implementation with the
ability to re-issue session requests with successively growing quota
donations.

For several of core's services (ROM, IO_MEM, IRQ), the default session
quota has now increased by 2 KiB, which should suffice for session
requests to up to 3 hops as is the common case for most run scripts. For
longer routes, the retry mechanism as described above comes into effect.
For the time being, we give a warning whenever the server-side quota
check triggers the retry mechanism. The warning may eventually be
removed at a later stage.
2017-02-28 12:59:23 +01:00
Norman Feske
9d683a56a0 base: add Child_policy::session_state_changed()
This method is a hook to enable a runtime to respond to state changes.
In particular, in init this hook is used to trigger the generation of a
new state report, if configured.

Furthermore, the patch introduces the 'generate_client_side_info' and
'generate_server_side_info' methods to the 'Session_state', which
generates an XML representation of the session states to appear in
reports produced by init.

Issue #2246
2017-02-28 12:59:22 +01:00
Martin Stein
d301022fe7 nic_router.run: do not append but concatenate
Makes the script more readable and saves 100 LOC.

Ref #2193
2017-02-28 12:59:22 +01:00
Martin Stein
412c5e5be4 run/platform_drv: add append-free interface
Normally, the platform driver helpers adapt the global run variables directly
via append. But the introduction of a more elegant run script style, that
incorporates dependent strings inline may be a good idea. Thus, we need the
backends of the helpers available as functions that return their string rather
than appending it.

The old interface still exists and uses the new interface as backend.

Ref #2193
2017-02-28 12:59:22 +01:00
Norman Feske
bfdadc55b2 base: Add Number_of_bytes::print method
This method attempts to print the number with a K/M/G unit if possible
and thereby increases the human readability of generated output.
2017-02-28 12:59:20 +01:00
Norman Feske
c0af463b81 base: Add Child_policy::Route
The new return value of 'resolve_session_request' allows the child
policy to define the label used as the policy selector at the server.

Because this patch introduces the distinction of the child-provided
label from the label as presented to the server along with the session
request, the latter is now handled as a dedicated 'Session_state'
argument.

Issue #2248
2017-02-28 12:59:20 +01:00
Norman Feske
8e6306e8e3 base: tolerate nested signal handling (but warn) 2017-02-27 15:37:50 +01:00
Sebastian Sumpf
b66716d278 base: entrypoint 'wait_and_dispatch_one_signal'
There existed a race when 'wait_and_dispatch_one_signal' is called form
a RPC context, because the 'signal_proxy' or 'main' will block and the
signal semaphore, when the EP then calls 'wait_and_dispatch_one_signal',
the signal proxy is woken up ands sends an RPC to the EP, leading to a
dead lock if no further signal arrive, because the EP will then remain
blocked in the signal semaphore.

Therefore, for this case, the signal proxy will now perform a semaphore
up operation and does not perform an RPC if the EP is within
'wait_and_dispatch_one_signal'.
2017-02-27 15:37:50 +01:00
Johannes Schlatow
762728fee0 base: remove superfluous line feeds in print_lines
Fixes #2279
2017-02-23 15:03:29 +01:00
Christian Helmuth
6e5f3d432e Post signal-handler hook in entrypoint
A Signal_handler may schedule a hook function that is executed after the
signal handler returned. This can be used if the hook function may
trigger a (nested) signal handler by means of
wait_and_dispatch_one_signal(). Otherwise, an occurrence of the same
signal that triggered the original signal handler results in a dead lock
just before calling the nested handler (due to the Signal_context
destruction lock).
2017-02-23 14:54:51 +01:00
Stefan Kalkowski
cf943dac65 hw: bootstrap into kernel
Put the initialization of the cpu cores, setup of page-tables, enabling of
MMU and caches into a separate component that is only used to bootstrap
the kernel resp. core.

Ref #2092
2017-02-23 14:54:42 +01:00
Stefan Kalkowski
a97e92c7ec base: make Allocator_avl::_avl_tree accessable
This hook allows the export of the allocator's state by a derrived
class. I.e., the final state of the allocator used for bootstrapping
core.

Ref #2092
2017-02-07 19:20:30 +01:00
Stefan Kalkowski
7c8281f2d6 util: turn max, min, and abs into const_expr
Ref #2092
2017-02-07 19:20:29 +01:00
Stefan Kalkowski
786a81c846 core: unify log() initialization between kernels
* initialize the log environment implicitly for core
* removing the redundant lock
* unify between base-hw and all others

Ref #2092
2017-02-07 19:20:29 +01:00
Josef Söntgen
f26532803f core: use proper size in Trace-Policies Tslab
Issue #2260.
2017-02-07 11:12:26 +01:00
Emery Hemingway
92978933c7 root/component: log error on Out_of_memory
Servers should account and handle this condition locally.
2017-02-07 11:12:24 +01:00
Norman Feske
aa29ebe751 base/shared_object.h: add missing includes 2017-02-07 11:12:23 +01:00
Christian Prochaska
a1b4e905ab Signal_receiver::wait_for_signal(): check for pending signal before blocking
Fixes #2267
2017-02-07 11:12:23 +01:00
Christian Helmuth
ce3d10465e Mark warnings from the signal dispatcher as such 2017-01-31 14:58:36 +01:00
Christian Helmuth
7386c4e1d1 More robust handling of suspend in entrypoint
First, calls to manage and dissolve signal contexts now check if the
signal receiver was constructed. There is a small window during suspend
where it is destructed before reconstructed again.

Last, we ensure that processing of incoming signal was deblocked by the
suspend signal before entering the suspend operation. This way we ensure
already queued signal are handled.
2017-01-31 14:58:36 +01:00
Alexander Boettcher
dd5592cc50 Fix String(Hex()) usage
- additional add test casye to log.run

Fixes #2265
2017-01-31 12:02:21 +01:00
Norman Feske
cd3a5852d6 Warn about the use of deprecated headers
This commit enables compile-time warnings displayed whenever a deprecated
API header is included, and adjusts the existing #include directives
accordingly.

Issue #1987
2017-01-31 12:01:18 +01:00
Stefan Kalkowski
c76c199f8d hw: enable SMP for Wandboard (fix #2253) 2017-01-31 12:01:16 +01:00
Martin Stein
ed62199957 test/reconstructible: move to base
The test uses only stuff from the base repo.

Ref #1987
2017-01-31 12:01:15 +01:00
Martin Stein
d1134644cc test/synced_interface: move to base
The test uses only stuff from the base repo.

Ref #1987
2017-01-31 12:01:15 +01:00
Norman Feske
47a129c6af run/platform_drv.inc: add 'need_usb_hid' function
This function returns the information whether the used platform relies
on USB HID for interactive scenarios by default as is the case for most
ARM platforms. In contrast, for x86 the USB driver can be omitted because
we can use the PS/2 driver (that is readily available in repos/os/).
2017-01-31 12:01:12 +01:00
Alexander Boettcher
f52c44647f core: replace misleading avl warning in detach
If the detach address is not the beginning of the region, one gets:

"virtual void Genode::Allocator_avl_base::free(void*): given
 address (0x180e0) is not the block start address (0x18000)"

Instead, print an explicit warning in front of the detach call.
2017-01-31 12:01:12 +01:00
Norman Feske
02d5efcf3f init: apply routing to environment sessions
The init component used to create the CPU/RAM/PD/ROM sessions (the child
environment) for its children by issuing session requests to its parent,
which is typically core. This policy was hard-wired. This patch enables
the routing of the environment sessions of the children of init
according to the configured routing policy.

Because there is no hard-wired policy regarding the environment sessions
anymore, routes to respective services must be explicitly declared in
the init configuration. For this reason, the patch adjusts several run
scripts in this respect.

This patch removes the outdated '<if-args>' special handling of session
labels. The '<if-args>' feature will eventually be removed completely
(ref #2250)

Issue #2197
Issue #2215
Issue #2233
Issue #2250
2017-01-31 12:01:11 +01:00
Norman Feske
e43da51bd6 base: handle dangling env sessions in ~Child
This commit addresses the situation where an environment session
outlives the session-providing service. In this case, the env session
got already invaidated at the destruction time of the server. However,
the underlying session-state structure continues to exist until the
client is destructed. During the eventual destruction of such a dangling
environment session, we have to be careful not to interact with the
no-longer existing service.

Ref #2197
2017-01-20 16:47:01 +01:00
Norman Feske
21458e6efa base: destruction of env-session-providing child
This patch addresses the corner case of destructing a child that
provides an enviroment session to another child. Before this patch,
this situation could result in an infinite loop.

The problem was introduced as a side effect of issue #2197 "base: apply
routing policy to environment sessions".
2017-01-20 16:47:00 +01:00
Christian Prochaska
ec5dbe66db trace_fs: API transition (fix 'deprecated' warnings)
Issue #1987
2017-01-20 16:46:58 +01:00
Christian Prochaska
7948a7261b ldso: constrain second linker symbol relocation pass on x86_64
Handle only GLOB_DAT relocations in the second relocation pass, like it is
done on x86_32 and ARM.

Fixes #2219
2017-01-20 16:46:55 +01:00
Norman Feske
a7f40b24ca Warn about the use of deprecated env() function
This patch enables warnings if one of the deprecate functions that rely
in the implicit use of the global Genode::env() accessor are called.

For the time being, some places within the base framework continue
to rely on the global function while omitting the warning by calling
'env_deprecated' instead of 'env'.

Issue #1987
2017-01-13 13:07:13 +01:00
Norman Feske
73837ef56a init: print error for denied environment sessions
Fixes #2214
2017-01-13 13:07:08 +01:00
Stefan Kalkowski
aa004cf211 base: transition to new API for tests (ref #1987) 2017-01-13 13:07:07 +01:00
Martin Stein
613f4171f3 sd_card: i.MX6 support
The i.MX6 driver shares most of its code with the i.MX53 driver.

Ref #2206
2017-01-13 13:07:06 +01:00
Stefan Kalkowski
fc273f3840 run: remove vanished kernel/platform specifier 2017-01-13 13:07:01 +01:00
Stefan Kalkowski
3886686b83 hw: get rid of global makefiles specific to hw
This commit mostly removes the globally visible NR_OF_CPUS define
from the global makefile specifiers defined in the base-hw repository.
Whereever necessary it adds platform specific makefiles to the base
repository when they were missing.

Ref #2190
2017-01-13 13:06:55 +01:00
Norman Feske
3d7b92ea50 Generalize ABI mechanism to shared objects
This patch make the ABI mechanism available to shared libraries other
than Genode's dynamic linker. It thereby allows us to introduce
intermediate ABIs at the granularity of shared libraries. This is useful
for slow-moving ABIs such as the libc's interface but it will also
become handy for the package management.

To implement the feature, the build system had to be streamlined a bit.
In particular, archive dependencies and shared-lib dependencies are now
handled separately, and the global list of 'SHARED_LIBS' is no more.
Now, the variable with the same name holds the per-target list of shared
libraries used by the target.
2017-01-13 13:06:54 +01:00
Norman Feske
9745effc53 mk: remove obsolete PRG_LIBS variable 2017-01-13 13:06:53 +01:00
Norman Feske
a360452a10 base: remove platform.mk and syscall.mk
The purpose of those libraries is now covered by the kernel-specific
syscall-<kernel> libraries.
2017-01-13 13:06:53 +01:00
Norman Feske
4da52517c1 Simpify startup of dynamically linked binaries
This patch removes the component_entry_point library, which used to
proved a hook for the libc to intercept the call of the
'Component::construct' function. The mechansim has several shortcomings
(see the discussion in the associated issue) and was complex. So we
eventually discarded the approach in favor of the explicit handling of
the startup.

A regular Genode component provides a 'Component::construct' function,
which is determined by the dynamic linker via a symbol lookup.
For the time being, the dynamic linker falls back to looking up a 'main'
function if no 'Component::construct' function could be found.

The libc provides an implementation of 'Component::construct', which
sets up the libc's task handling and finally call the function
'Libc::Component::construct' from the context of the appllication task.
This function is expected to be provided by the libc-using application.
Consequently, Genode components that use the libc have to implement the
'Libc::Component::construct' function.

The new 'posix' library provides an implementation of
'Libc::Component::construct' that calls a main function. Hence, POSIX
programs that merely use the POSIX API merely have to add 'posix' to the
'LIBS' declaration in their 'target.mk' file. Their execution starts at
'main'.

Issue #2199
2017-01-13 13:06:52 +01:00
Sebastian Sumpf
6e14aa4364 ldso: mark functions used during self relocation
These functions are marked as always inline through the 'SELF_RELOC' macro. This
became necessary because on riscv functions calls are performed through the
global offset table, which is not initialized at this point.

Fixes #2203
2017-01-13 13:05:45 +01:00
Norman Feske
253097314c Add unified build directories to create_builddir
This patch makes the benefit of the recently introduced unified Genode
ABI available to developers by enabling the use of multiple kernels from
within a single build directory. The create_builddir tool has gained a
new set of kernel-agnostic platform arguments such as x86_32, or panda.
Most build targets within directories are in principle compatible with
all kernels that support the selected hardware platform. To execute a
scenario via the run tool, one has to select the kernel to use by
setting the 'KERNEL' argument in the build configuration
(etc/build.conf). Alternatively, the 'KERNEL' can be specified as
command-line argument of the Genode build system, e.g.:

  make run/log KERNEL=nova

This allows us to easily switch from one kernel to another without
rebuilding any Genode component except for the very few kernel-specific
ones.

The new version of the 'create_builddir' tool is still compatible with
the old version. The old kernel-specific build directories can still be
created. However, those variants will eventually be removed.

Note that the commit removes the 'ports-foc' repository from the
generated 'build.conf' files. As this is only meaningful for 'foc',
I did not want to include it in the list of regular repositories (as
visible in a 'x86_32' build directory). Hence, the repository must
now be manually added in order to use L4Linux.

Issue #2190
2017-01-13 13:05:44 +01:00
Norman Feske
9ea4a491d6 ld: generate symbol map from base/lib/symbols/ld
This patch removes the manually maintained symbol map from the dynamic
linker. This way, the symbol map stays in sync with the ABI and - more
importantly - no longer uses wildcards. So the symbols exported by the
dynamic linker are strictly limited by the ABI.

Issue #2190
2016-12-23 16:53:17 +01:00
Norman Feske
0d295f75a1 base: apply routing policy to environment sessions
This patch changes the child-construction procedure to allow the routing
of environment sessions to arbitrary servers, not only to the parent.
In particular, it restores the ability to route the LOG session of the
child to a LOG service provided by a child of init. In principle, it
becomes possible to also route the immediate child's PD, CPU, and RAM
environment sessions in arbitrary ways, which simplifies scenarios that
intercept those sessions, e.g., the CPU sampler.

Note that the latter ability should be used with great caution because
init needs to interact with these sessions to create/destruct the child.
Normally, the sessions are provided by the parent. So init is safe at
all times. If they are routed to a child however, init will naturally
become dependent on this particular child. For the LOG session, this is
actually not a problem because even though the parent creates the LOG
session as part of the child's environment, it never interacts with the
session directly.

Fixes #2197
2016-12-23 16:52:08 +01:00
Norman Feske
c450ddcb3d Disambiguate kernel-specific file names
This patch removes possible ambiguities with respect to the naming of
kernel-dependent binaries and libraries. It also removes the use of
kernel-specific global side effects from the build system. The reach of
kernel-specific peculiarities has thereby become limited to the actual
users of the respective 'syscall-<kernel>' libraries.

Kernel-specific build artifacts are no longer generated at magic places
within the build directory (like okl4's includes, or the L4 build
directories of L4/Fiasco and Fiasco.OC, or the build directories of
various kernels). Instead, such artifacts have been largely moved to the
libcache. E.g., the former '<build-dir>/l4/' build directory for the L4
build system resides at '<build-dir>/var/libcache/syscall-foc/build/'.
This way, the location is unique to the kernel. Note that various tools
are still generated somewhat arbitrarily under '<build-dir>/tool/' as
there is no proper formalism for building host tools yet.

As the result of this work, it has become possible to use a joint Genode
build directory that is usable with all kernels of a given hardware
platform. E.g., on x86_32, one can now seamlessly switch between linux,
nova, sel4, okl4, fiasco, foc, and pistachio without rebuilding any
components except for core, the kernel, the dynamic linker, and the timer
driver. At the current stage, such a build directory must still be
created manually. A change of the 'create_builddir' tool will follow to
make this feature easily available.

This patch also simplifies various 'run/boot_dir' plugins by removing
the option for an externally hosted kernel. This option remained unused
for many years now.

Issue #2190
2016-12-23 16:51:32 +01:00
Norman Feske
3865ee7ccc foc: move base/thread_state.h to include/foc/
The header is foc-specific. It used to shadow the generic one provided
by the base repository, which contradicts with the kernel-agnostic
Genode API. Hence, it had to be moved to a foc-specific location.
2016-12-23 16:51:12 +01:00
Norman Feske
f54c85e045 Genode application binary interface (ABI)
This patch decouples the kernel-specific implementation of the dynamic
linker from its kernel-agnostic binary interface. The name of the
kernel-specific dynamic linker binary now corresponds to the kernel,
e.g., 'ld-linux.lib.so' or 'ld-nova.lib.so'. Applications are no longer
linked directly against a concrete instance of the dynamic linker but
against a shallow stub called 'ld.lib.so'. This stub contains nothing
but the symbols provided by the dynamic linker. It thereby represents
the Genode ABI.

At system-integration time, the kernel-specific run/boot_dir back ends
integrate the matching the kernel-specific variant of the dynamic linker
as 'ld.lib.so' into the boot image.

The ABI symbol file for the dynamic linker is located at
'base/lib/symbols/ld'. It contains the joint ABI of all supported
architectures. The new utility 'tool/abi_symbols' eases the creation of
such an ABI symbol file for a given shared library. Its result should be
manually inspected and edited as needed.

The patch removes the 'syscall' library from 'base_libs.mk' to avoid
polluting the kernel-agnostic ABI with kernel-specific interfaces.

Issue #2190
Issue #2195
2016-12-23 16:50:28 +01:00
Alexander Boettcher
e4a1904456 core: fix deadlock in region_map destruction
Introduced by:

commit 99fbb23ec5
Author: Alexander Boettcher <alexander.boettcher@genode-labs.com>
Date:   Fri Sep 9 17:49:34 2016 +0200

    core: use weak_ptr for Rm_faulter and Region_map

    Issue #2086
2016-12-14 11:22:30 +01:00
Norman Feske
ccffbb0dfc Build dynamically linked executables by default
Fixes #2184
2016-12-14 11:22:27 +01:00
Norman Feske
d882277ce3 base: let ldso use the default stack size 2016-12-14 11:19:38 +01:00
Norman Feske
4e4cdacab3 base: trim main-thread size to 4/8 KiB
The main thread does no longer execute application code. It is solely
responsible for the initialization of the component's entrypoint and for
retrieving asynchronous notifications. Since the stack usage is no
longer dependent on application-specific code, we can significantly
shrink it to reduce the memory footprint of components. In the worst
case - should the stack overrun - we would observe a page fault because
the stack is placed in the stack area, surrounded by guard pages.
2016-12-14 11:19:38 +01:00
Norman Feske
cc98cef770 genode_rel.ld: add .gcc_except_table to RO segment
By moving .gcc_except_table section to the read-only ELF segment, this
patch reduces the size of the dynamically allocated data/bss segment.
2016-12-14 11:19:37 +01:00
Norman Feske
a387d68c2c base: use a default stack size of 64 KiB
This patch replaces the former machine-word-dependent default stack size
by the fixed value of 64 KiB which should suffice for components on both
32 and 64 bit. Previously, the default stack size on 64 bit was 128 KiB,
which is wasteful. If a component needs more stack than 64 KiB, it can
specify a custon stack size by implementing 'Component::stack_size'.
2016-12-14 11:19:37 +01:00
Norman Feske
28f5688dcf base: reduce size of initial stack from 32K to 4K
The initial stack is solely used to initialize the Genode environment
along with the application stack located in the stack area. It never
executes application code. Hence, we can make it small. To check that it
is not dimensioned too small, the patch introduces a sanity check right
before switching to the application stack.
2016-12-02 15:20:31 +01:00
Norman Feske
92460cdab7 base: remove initial heap chunk from heap
This change reduces the BSS segment by 32 KiB (on 64 bit).
2016-12-02 15:20:31 +01:00
Norman Feske
25a7ea3d40 base: rename 'Volatile_object' to 'Reconstructible'
Fixes #2151
2016-12-01 17:46:50 +01:00
Christian Helmuth
53271d8c5f Use default component stack size where appropriate 2016-11-30 13:38:06 +01:00
Edgard Schmidt
f97e0f3fa0 Allow RPC arguments w/o default constructor
Fixes #2150
2016-11-30 13:38:03 +01:00
Norman Feske
6a24d70120 Fix clang compile errors
Thanks Keiko Nakata for reporting!

Fixes #2164
2016-11-30 13:37:07 +01:00
Norman Feske
5a1cef6381 Make label prefixing more strict
This patch unconditionally applies the labeling of sessions and thereby
removes the most common use case of 'Child_policy::filter_session_args'.
Furthermore, the patch removes an ambiguity of the session labels of
sessions created by the parent of behalf of its child, e.g., the PD
session created as part of 'Child' now has the label "<child-name>"
whereas an unlabeled PD-session request originating from the child
has the label "<child-name> -> ". This way, the routing-policy of
'Child_policy::resolve_session_request' can differentiate both cases.

As a consequence, the stricter labeling must now be considered wherever
a precise label was specified as a key for a session route or a server-
side policy selection. The simplest way to adapt those cases is to use a
'label_prefix' instead of the 'label' attribute. Alternatively, the
'label' attribute may used by appending " -> " (note the whitespace).

Fixes #2171
2016-11-30 13:37:07 +01:00
Alexander Boettcher
c83eb515f9 base: sanity check for slab element allocation
Issue #1039
2016-11-30 13:37:06 +01:00
Alexander Boettcher
b8f9f92731 base: remove allocation warning in heap
The heap typically first tries to allocate larger chunks than necessary, and
if it fails the actual minimal one. The first attempt already triggers warnings
which are not critical at all. If the second (critical) allocation fails,
then there are additionally checks and warnings already in place.

Issue #1039
2016-11-30 13:37:06 +01:00
Norman Feske
5ba245f476 base: minor style fixes 2016-11-30 13:37:06 +01:00
Alexander Boettcher
33b40ec5d9 base: free memory of object throwing exception
in constructor.

Extend test case to verify it and run it by autopilot.
2016-11-30 13:37:05 +01:00
Alexander Boettcher
03f0f38567 cxx: avoid warnings about cxx exception memory
Avoids warnings like

Warning: 2 dangling allocations at allocator destruction time

during noux process destruction.
2016-11-30 13:37:05 +01:00
Alexander Boettcher
3c4372210e core: remove redundant datastructure
Avl allocator provides a method to lookup any element, which is sufficient
to find all regions to destruct.

Issue #2173
2016-11-30 13:37:04 +01:00
Martin Stein
82443ddee6 thread test: handle capability ref-count overflow
Triggered by the create-as-many-threads test as it tries to
create as many threads as possible.

Ref #2120
2016-11-30 13:37:04 +01:00
Martin Stein
99f18a2fe6 core: handle cap-ref-cnt overflow in create_thread
The code in Core's Cpu_session_component::create_thread might throw a
capability refernce-count overflow if one creates many threads, which would
kill core if not handled.

Ref #2120
2016-11-30 13:37:04 +01:00
Martin Stein
288c2c50ba base: throw exception on cap-ref-count overflow
Ref #2120
2016-11-30 13:37:04 +01:00
Norman Feske
cfdbccc5c2 Remove blocking calls from root and parent RPCs
This is a redesign of the root and parent interfaces to eliminate
blocking RPC calls.

- New session representation at the parent (base/session_state.h)
- base-internal root proxy mechanism as migration path
- Redesign of base/service.h
- Removes ancient 'Connection::KEEP_OPEN' feature
- Interface change of 'Child', 'Child_policy', 'Slave', 'Slave_policy'
- New 'Slave::Connection'
- Changed child-construction procedure to be compatible with the
  non-blocking parent interface and to be easier to use
- The child's initial LOG session, its binary ROM session, and the
  linker ROM session have become part of the child's envirenment.
- Session upgrading must now be performed via 'env.upgrade' instead
  of performing a sole RPC call the parent. To make RAM upgrades
  easier, the 'Connection' provides a new 'upgrade_ram' method.

Issue #2120
2016-11-25 16:06:42 +01:00
Norman Feske
baf61df0fd base: new 'Registry' data structure
This data structure is meant as a safe alternative for a list wherever
the list is solely used to remember objects and iterate through them in
an unspecified order. One use case is the 'Service_registry'.
2016-11-25 15:30:58 +01:00
Norman Feske
513a3f1d37 base: new 'Id_space' data structure
This data structure allows the association of objects with IDs. IDs are
kept in an AVL tree. So in contrast to a bit allocator, the ID space can be
sparsely populated and does not need to be dimensioned. The lifetime of
an ID is bound to an 'Element' object, which relieves the programmer
from manually allocating/deallocating IDs for objects.

Issue #2120
2016-11-25 15:30:58 +01:00
Alexander Boettcher
81f0cacf66 core: prefer RAM allocation in high memory
We preserve lower RAM for device drivers with physical memory
constraints. If no physical RAM constraint exists, the allocations above
3G (32-bit) or 4G (64-bit) are preferred.
2016-11-25 15:30:57 +01:00
Christian Helmuth
f75f199947 ldso: initialize ELF object before relocating
This fixes a regression on Ubuntu 16.04 (resp. Linux systems with recent
kernel versions) and address-space randomization originating from an
uninitialized relocation base of 0.
2016-11-25 15:27:28 +01:00
Norman Feske
82107bef9b base: buffer session args in 'Connection'
This patch is a preparation of the forthcoming async parent interface.
Note that this patch increases the size of connection objects.
Furthermore it adds a diagnostic message whenever a connection fails.

Issue #2166
2016-11-25 15:27:28 +01:00
Norman Feske
ac1794ed7d base: add const operator * to 'Volatile_object' 2016-11-25 15:27:27 +01:00
Norman Feske
0e0f830a14 base: make Volatile_object noncopyable
Unfortunately, the volatile object does not inherit the noncopyable
attribute of the enclosed object. By making all volatile objects
noncopyable, we prevent the accidental copying of a noncopyable object
wrapped in a volatile object.
2016-11-25 15:27:27 +01:00
Norman Feske
b8e98f2355 base: forward args in Output::print
The original version copied the arguments, which does not work for the
output of complex types, in particular non-copyable objects.
2016-11-25 15:27:27 +01:00
Norman Feske
35fa67768f base: add 'Volatile_object::print' method
The method prints the message "<unconstructed>" if the object is not
available. Otherwise, it prints the encapsulated object.
2016-11-25 15:27:26 +01:00
Stefan Kalkowski
f60cf697d2 core: simplify Rom_module and Rom_fs
* replace print_fs with Output::print equivalent
* use Avl_tree::for_each instead of own implementation
* extend constness

Ref #2159
2016-11-08 15:45:21 +01:00
Stefan Kalkowski
e1ec39e476 base: replace dump utilities in Allocator_avl
Replace 'dump()' debug utilities within Allocator_avl with Output::print
equivalents, and use the new Avl_tree::for_each utility to simplify
the implementation.

Ref #2159
2016-11-08 15:44:55 +01:00
Stefan Kalkowski
1542d92165 base: iterator for AVL tree (fix #2159) 2016-11-08 15:43:53 +01:00
Emery Hemingway
eff90d759f remove global namespacing from internal base headers
Making the Genode namespace global can cause name collisions on
base-linux.

Fix #2158
2016-11-08 15:26:33 +01:00
Norman Feske
f577c451ef increase stack size of signal-proxy thread
This fixes the warning "small stack of 3996 bytes [...] may break Linux
signal handling" on 32-bit base-linux.
2016-11-08 15:26:33 +01:00
Norman Feske
784e728727 Clean ldso from using deprecated APIs
Issue #1987
2016-11-08 15:26:32 +01:00
Norman Feske
20faa8b84e base: 'String' constructor overload for literals
This overload covers the common case for initializing a string from a
literal without employing the 'Output' mechanism. This way, such
strings can by constructed without calling virtual functions, which in
turn makes the 'String' usable for the 'init_rtld' phase of the dynamic
linker.
2016-11-08 15:26:31 +01:00
Norman Feske
b9280678fb base-linux: fix race in region_map_mmap
This patch fixes a race condition triggered by the thread test running
on Linux inside VirtualBox. The 'test_stack_alloc' sporadically produced
one of two errors: A segfault in the 'Thread::deinit_platform_thread' on
the attempt to access the 'native_thread' of the to-be-destructed thread
(this data structure is located on the thread's stack). Or, an error
message about a region conflict within the stack area.

The problem was that two instances of 'Region_map_mmap' issued a
sequence of munmap and mmap each. Even though each instance locked the
attach/detach operations, the lock was held per instance. In a situation
where two instances performed attach/detach operations in parallel, the
syscall sequences could interfere with each other.

In the test scenario, the two region-map instances are the test's
address space and the stack area. When creating a thread, the thread's
trace-control dataspace is attached at an arbitrary place (picked by
the Linux kernel) within the address space whereas the stack is attached
at the stack area. The problem is the following sequence:

Thread A wants to destruct a thread:
1. Remove stack from stack area
   (issue unmap syscall)
2. Preserve virtual address range that was occupied from the stack
   so that Linux won't use it
   (issue mmap syscall)

Thread B wants to construct a thread:
1. Request trace-control dataspace from CPU session
2. Attach trace-control dataspace to address space at a location
   picked by the Linux kernel
   (issue mmap syscall)

The problem occurs when thread B's second step is executed in between
the steps 1 and 2 of thread A and the Linux kernel picks the
just-unmapped address as the location for the new trace-control mapping.
Now, the trace control dataspace is mapped at the virtual address that
was designated for the stack of the to-be-created thread, and the
attempt to map the real stack fails.

The patch fixes the problem by replacing the former region-map-local
locks by a component-global lock.

Furthermore, it cleans up core's implementation of the support function
for the region-map-mmap implementation, eliminating the temporary
unlocking of the region-map lock during RPC.
2016-11-08 15:26:30 +01:00
Norman Feske
afed9cfd95 base: let string accept multiple arguments
Issue #2064
2016-11-08 15:26:30 +01:00
Stefan Kalkowski
7e1692d997 core: unify handling of boot modules
Instead of solving the problem to deliver ROM modules to core while booting
differently for the several kernels (multi-boot, elfweaver, core re-linking),
this commit unifies the approaches. It always builds core as a library, and
after all binaries are built from a run-script, the run-tool will link an
ELF image out of the core-library and all boot modules. Thereby, core can
access its ROM modules directly.

This approach now works for all kernels except Linux.

With this solution, there is no [build_dir]/bin/core binary available anymore.
For debugging purposes you will find a core binary without boot modules, but
with debug symbols under [run_dir].core.

Fix #2095
2016-11-08 15:26:27 +01:00
Norman Feske
9572ff9413 base: remove original PDBG from base/printf.h
This macro is superseded by base/debug.h.

Issue #2125
2016-11-08 15:26:27 +01:00
Emery Hemingway
ef5f36bf4e Redefine PDBG to use new log output function
PDBG is redefined in base/debug.h, an aide to development which is not
to be included in release code.

Fix #2125
2016-10-21 12:45:44 +02:00
Stefan Kalkowski
2a2e5c2df4 base-*: remove usage of printf
base generic code:
  * Remove unused verbosity code from mmio framework
  * Remove escape sequence end heuristic from LOG
  * replace Core_console with Core_log (no format specifiers)
  * move test/printf to test/log
  * remove `printf()` tests from the log test
  * check for exact match of the log test output
base-fiasco:
  * remove unused Fiasco::print_l4_threadid function
base-nova:
  * remove unused hexdump utility from core
base-hw:
  * remove unused Kernel::Thread::_print_* debug utilities
  * always print resource summary of core during startup
  * remove Kernel::Ipc_node::pd_label (not used anymore)
base*:
  * Turn `printf`,`PWRN`, etc. calls into their log equivalents

Ref #1987
Fix #2119
2016-10-21 12:39:36 +02:00
Alexander Boettcher
c99729093a base: fix race in multiple lock.unlock() calls
Fixes #2122
2016-10-21 12:39:34 +02:00
Alexander Boettcher
3449985fdf base: avoid deadlock in region_map destruction
Fixes #2115
2016-10-21 12:39:33 +02:00
Christian Prochaska
3a1f852318 base: don't use the 'size' argument in 'Heap::free()'
The Heap reports that 'free()' does not rely on a valid 'size' argument,
so it should not use it.

Fixes #2113
2016-10-21 12:39:32 +02:00
Stefan Kalkowski
3f6e148621 base: remove obsolete _prog_img_data symbol
Fix #2099
2016-10-21 12:39:31 +02:00
Emery Hemingway
80558374f5 base: print support for Xml_node
Ref #1987
2016-10-21 12:39:29 +02:00
Norman Feske
e370e08e01 Define Genode::size_t as unsigned long
Fixes #2105
2016-10-21 12:39:29 +02:00
Alexander Boettcher
99fbb23ec5 core: use weak_ptr for Rm_faulter and Region_map
Fixes #2086
2016-09-14 11:53:04 +02:00
Stefan Kalkowski
2147c42ec6 base: unify page-fault notification for kernels
* Enable page-fault messages for regions not directly managed by core
* Unify output given when a page-fault occurs related to those regions

Fix #2082
2016-09-09 11:49:34 +02:00
Christian Helmuth
5a92c9b6eb Increase stack size of mp_server test 2016-09-09 11:48:43 +02:00
Christian Helmuth
fcf5bc9187 base: start signal-proxy thread on construction
Thanks @ssumpf for the investigation.
2016-09-09 11:48:43 +02:00
Stefan Kalkowski
e7d5b34fc5 base: String constructor for different lengths
Let the copy constructor compile for different CAPACITYs of
the String<CAPACITY> class.

Fix #2085
2016-09-09 11:48:43 +02:00
Norman Feske
fac69eff48 core: handle out-of-memory in RM service
This patch adds the missing exception handling for depleted RM session
quotas. If core runs out of session quota while creating a new region
map, it now reflects this condition as a Region_map::Out_of_metadata
exception to the RM client. Thanks to Denis Huber for reporting the
issue!
2016-08-29 17:29:37 +02:00
Christian Prochaska
d2e246d916 base: allow to set label in Log_connection
Fixes #2074
2016-08-29 17:29:36 +02:00
Norman Feske
a845bdafeb core: fix regression in sig context ownership test
This patch fixes a problem similar to issue #2065 but for the freeing of
signal contexts.
2016-08-29 17:29:33 +02:00
Norman Feske
8d1cf08b1a core: fix regression in dataspace ownership test
This patch revives our ds_ownership test from 2012, which just revealed
a regression in core where the dataspace-free operation of the RAM
service would unconditionally destroy dataspace objects from foreign
sessions. The patch fixes the bug and adds an updated version of the
test to the autopilot.

Fixes #2065
2016-08-29 17:29:33 +02:00
Alexander Boettcher
9c098752b0 core: fix memory mapping calc. for big regions
Fixes #2063
2016-08-29 17:29:32 +02:00
Norman Feske
17c79a9e23 base: avoid use of deprecated base/printf.h
Besides adapting the components to the use of base/log.h, the patch
cleans up a few base headers, i.e., it removes unused includes from
root/component.h, specifically base/heap.h and
ram_session/ram_session.h. Hence, components that relied on the implicit
inclusion of those headers have to manually include those headers now.

While adjusting the log messages, I repeatedly stumbled over the problem
that printing char * arguments is ambiguous. It is unclear whether to
print the argument as pointer or null-terminated string. To overcome
this problem, the patch introduces a new type 'Cstring' that allows the
caller to express that the argument should be handled as null-terminated
string. As a nice side effect, with this type in place, the optional len
argument of the 'String' class could be removed. Instead of supplying a
pair of (char const *, size_t), the constructor accepts a 'Cstring'.
This, in turn, clears the way let the 'String' constructor use the new
output mechanism to assemble a string from multiple arguments (and
thereby getting rid of snprintf within Genode in the near future).

To enforce the explicit resolution of the char * ambiguity, the 'char *'
overload of the 'print' function is marked as deleted.

Issue #1987
2016-08-29 17:27:10 +02:00
Christian Prochaska
a5d3aa8373 base: increase label length limit of core LOG session
Fixes #2061
2016-08-29 17:27:10 +02:00
Norman Feske
892f21fd54 base: document error-message style conventions 2016-08-29 17:27:10 +02:00