1528 Commits

Author SHA1 Message Date
Norman Feske
fee2f354dc util/attempt.h: introduce 'Ok' type
This type alleviates the need to re-introduce custom '*_ok' types
whenever a result can be an error but no value.
2025-04-10 14:55:20 +02:00
Norman Feske
2e76f4fc58 base: move common exception types to exception.h
The universally used exception types Out_of_ram, Out_of_caps, and Denied
used to be defined at quota_guard.h and ram_allocator.h whereas the
types are broadly used. This patch gathers those type definitions at
the central place exception.h instead, to gradually untangle the reliance
on exceptions, i.e., in quota_guard.h, and to make the output of error
messages printing exception types ('abort') more concise.

Issue #5245
2025-04-10 14:55:20 +02:00
Norman Feske
7e0d2084fb base: add base/error.h for common error types
2025-04-10 14:55:20 +02:00
Norman Feske
689fc1eb93 Introduce new 'Ram' API types
The new types in base/ram.h model different allocation scenarios and
error cases by mere C++ types without using exceptions. They are meant
to replace the former 'Ram_allocator' interface. As of now, the
'Unmapped_allocator' closely captures the former 'Ram_allocator'
semantics. The 'Constrained_allocator' is currently an alias for
'Unmapped_allocator' but is designated for eventually allocating
mapped RAM.

In contrast to the 'Ram_allocator' interface, which talked about
dataspace capabilities but left the lifetime management of the
allocated RAM to the caller, the new API represents an allocation
as a guard type 'Allocation', which deallocates on destruction by
default.

Allocation errors are captured by a 'Result' type that follows
the 'Attempt' pattern.

As a transitionary feature, the patch largely maintains API
compatibility with the original 'Ram_allocator' by providing
the original (exception-based) 'Ram_allocator::alloc' and
'Ram_allocator::free' methods as a wrapper around the new
'Ram::Constrained_allocator'. So components can be gradually
updated to the new 'Ram::' interface.

Issue #5502
2025-04-10 14:55:15 +02:00
Norman Feske
e9558a36f9 util/allocation.h: base type for allocation objs
The 'Allocation' type represents the result of an allocator, which
guards the lifetime of the allocation. The 'Allocation::Attempt' type is
a suitable result type for allocators that need to reflect either a
successful allocation or an error condition.

Issue #5502
2025-04-10 14:27:21 +02:00
Norman Feske
2dfaeab7c2 util/attempt.h: add 'Unique_attempt' utility
The new variant combines the attempt with unique-pointer semantics
and is thereby usable for returning non-copyable objects such as
RAM 'Allocation'.

Issue #5502
2025-04-10 14:27:21 +02:00
Norman Feske
7e420a68a6 Remove C++ exceptions from 'Thread' API
Once constructed, a 'Thread' object may remain in a dysfunctional state
should the stack allocation have failed. This condition is no longer
reflected as a C++ exception but as result value of 'Thread::info()'.

Keep 'Thread::name' as public constant because the stack is not always
available for storing the name.

The 'stack_top' accessor has been removed because this information is
already provided by 'Thread::info()'.

Issue #5245
2025-04-10 14:27:21 +02:00
Alexander Boettcher
d9481d6121 grub2: update to upstream GRUB 2.12+
Fixes #5503
2025-04-10 14:24:31 +02:00
Norman Feske
ff83de2bbc base: decouple 'Pd_session' from 'Ram_allocator'
With this patch, the 'Pd_session' interface no longer implements the
'Ram_allocator' interface, which allows us to change the
'Genode::Ram_allocator' semantics (as a subsequent step) without
affecting core's PD service.

The patch also replaces the client-local implementation of
'Pd_session_client::dataspace_size' by the proper RPC call 'ram_size' to
core, which mitigates the potential risk of de-referencing a dataspace
cap of an untrusted origin. E.g., in scenarios where the monitor
component requests the size of a dataspace allocated by the debugging
target.

Since 'ram_size' is an RPC call, it cannot be const. Hence, the
'Ram_allocator::dataspace_size' has become non-const.

The new 'Pd_ram_allocator' implements the 'Ram_allocator' interface by
using a PD session.

Issue #5502
2025-04-10 14:24:31 +02:00
Norman Feske
aa9ff3894c base: scoped access of Native_thread
With planned removal of Thread:: exceptions, we need to consider that a
'Thread' object may exist without a valid 'Stack' and therefore without
a valid 'Native_thread', which is hosted as part of the 'Stack'.

This patch reworks the code that accesses the 'Native_thread' to use the
new 'Thread::with_native_thread' interface. Within the local scope,
the native thread is referred to as 'nt'.

The _init_platform_thread and _deinit_platform_thread() have been
replaced by _init_native_thread and _deinit_native_thread, which take
a 'Stack &' as argument.

As a safety caution, 'Native_thread' objects can no longer be copied.

Issue #5245
2025-04-10 14:24:11 +02:00
Norman Feske
af3e8725ca Rename 'Constrained_ram_*' to 'Accounted_ram_*'
Fixes #5495
2025-04-10 14:24:11 +02:00
Norman Feske
b601ad5272 util/string.h: ease custom Number_of_bytes types
This patch exposes the formatted K/M/G byte output of 'Number_of_bytes'
as a class template function that accepts different basic types. This
enables the easy creation of a formatted output type for a type larger
than size_t.

Introduced in the context of issue #5489
2025-04-10 14:24:11 +02:00
Norman Feske
3cd5a69b65 base: make Xml_node publicly noncopyable
This patch limits the Xml_node's copy constructor for internal use only.

Fixes #5411
2025-04-10 14:24:11 +02:00
Norman Feske
f3e4e04de7 base: don't copy Xml_node
Issue #5411
2025-04-10 14:15:34 +02:00
Sebastian Sumpf
f9eea846fa ldso: check e_machine of ELF binaries
Check if e_machine matches the architecture the linker was built for.
2025-04-10 14:13:26 +02:00
Christian Helmuth
2d89b53b0c depot: update recipe hashes
2025-02-27 12:53:40 +01:00
Christian Helmuth
cd40a5be96 tool: have_cmd_arg -> have_cmd_switch (run, autopilot, dts)
Issue #5432
2025-02-27 12:53:40 +01:00
Christian Prochaska
a7422e316d base: increase linker area size
Fixes #5460
2025-02-24 16:39:55 +01:00
Roman Iten
6c1e269ed2 base: use 'assert'-proc in run scripts
Issue #5432
2025-02-24 16:39:20 +01:00
Norman Feske
2719b37107 run: use ram attribute in start nodes
Issue #5448
2025-02-24 16:39:20 +01:00
Christian Helmuth
5076554f20 depot: update recipe hashes
2025-01-30 16:32:35 +01:00
Norman Feske
a5d3613f50 build: set -march=x86-64-v2 for x86_64
This allows for the use of SSE4.1 intrinsics.

Fixes #5440
2025-01-30 16:30:15 +01:00
Stefan Kalkowski
76aba79e0b base: add missing wakeup signal in child framework
In Child::deliver_session_cap a signal to wakeup a service after
altering its session ROM was missing when the requesting client
no longer exists.

Fix genodelabs/genode#5435
2025-01-30 16:30:14 +01:00
Alexander Boettcher
2ad1c450ee sel4: add MSI support for x86
Fixes #5423
2025-01-30 16:30:14 +01:00
Alexander Boettcher
ea3ed25431 base: support specifying PCI bdf on irq creation
Required by the seL4 kernel interface for MSI creation and by another upstream
kernel.

Issue #5423
2025-01-30 16:30:14 +01:00
Norman Feske
63b49fcdb3 Enable -ffreestanding by default
Fixes #5429
2025-01-30 16:30:14 +01:00
Norman Feske
d1c4bc5115 vm_session: use Callable for with_state
Issue #5420
2025-01-30 16:30:14 +01:00
Alexander Boettcher
0d81a104ad base: use Map_local_result in io_mem _map_local(...)
Issue #5406
2025-01-30 16:30:13 +01:00
Norman Feske
69e8e9f3f1 base: add util/callable.h
Fixes #5420
2025-01-30 16:30:13 +01:00
Norman Feske
2ac0a7368c base: remove base/internal/unmanaged_singleton.h
Fixes #5418
2025-01-30 16:30:13 +01:00
Benjamin Lamowski
05522696c7 hw: x86_64: refactor Vm_session_component
On x86, the `Vm_session_component` obscured the differences between SVM
and VMX.

Separate the implementations, factor out common functionality and
address a number of long-standing issues in the process:

- Allocate nested page tables from Core_ram_allocator as a more suitable
  abstraction and account for the required memory, subtract the
  necessary amount of RAM from the session's `Ram_quota` *before*
  constructing the session object, to make sure that the memory
  allocated from the `Core_ram_allocator` is available from the VMM's
  RAM quota.
- Move the allocation of Vcpu_state and Vcpu_data into the Core::Vcpu
  class and use the Core RAM Allocator to allocate memory with a known
  physical address.
- Remove the fixed number of virtual CPUs and the associated reservation
  of memory by using a Registry for a flexible amount of vCPUs.

Issue #5221
2025-01-30 16:30:13 +01:00
Norman Feske
fe40a3c45e xml_node.h: construct from Const_byte_range_ptr
This patch allows for the construction of 'Xml_node' objects from a
'Const_byte_range_ptr' argument as a safer alternative to the pair
of addr, max_len arguments.

Issue #5411
2025-01-30 16:30:13 +01:00
Norman Feske
bdb8d4d881 ldso: avoid use of Xml_node assign operator
Issue #5411
2025-01-30 16:30:13 +01:00
Norman Feske
329dbc56d0 base/thread.h: guard deref of '_logger()'
The pointer returned by '_logger()' can be a nullptr, in particular
while tracing is (temporarily) inhibited. This patch ensures that
the 'Thread::trace' accessors never operate on a nullptr.

Fixes #5410
2025-01-30 16:30:13 +01:00
Norman Feske
a06fd84b75 util/construct_at.h: ensure legit sizeof(Placeable)
If the memory for the designated object is allocated as char[sizeof(T)],
the size of 'Placeable' is expected to equal the size of T. However, in
principle, the compiler has the freedom to inflate the 'Placeable'
object. The static assertion gives us the assurance that the compiler
does not violate our assumption.
2025-01-30 16:30:13 +01:00
Norman Feske
ab736c04f6 core: remove Core_env
This patch adjusts the last remaining callers of 'core_env' and removes
the 'Core_env' interface.

- Core's RAM/cap accounts are now represented by 'Core_account'
  implementing the 'Pd_account' interface.

- The former parts of 'Core_env' are now initialized in sequence
  in 'bootstrap_component'.

- 'Core_child' has been moved to a header to reduce the code in
  'main.cc' to a bare minimum. This is a preparation for the
  plan of making 'main.cc' specific for each kernel.

Fixes #5408
2025-01-30 16:24:36 +01:00
Norman Feske
42ff0d078f base: split Pd_account from Pd_session
Core uses an instance of 'Pd_session_component' as a representative
for RAM/cap quota accounts used whenever session resources are
donated to core's services. All other facets of 'Pd_session_component'
remain unused. Core's instance of 'Pd_session_component' is hosted
at 'Core_env'. Upon its construction, all unused facets of
'Pd_session_component' are initialized by dummy arguments in 'Core_env'.

To overcome the need for dummy arguments, this patch splits the
accounting part of the PD-session interface into a separate
'Pd_account' interface. This gives us the prospect of narrowing
core's current use of 'Pd_session_component' by 'Pd_account',
alleviating dead code and the need for any dummy arguments.

Issue #5408
2025-01-30 16:24:36 +01:00
Norman Feske
fc11e26511 core: pass ram, rm, io-ports to local services
This patch replaces the use of 'core_env()' in 'platform_services.cc' by
the function arguments 'core_ram', 'core_rm', and 'io_port_ranges'.

It also removes the 'Pd_session' argument from 'Io_port_root' and
'Irq_root' to avoid the reliance on the 'Pd_session' interface within
core.

Issue #5408
2025-01-30 16:24:36 +01:00
Norman Feske
43d7c3bd11 core: don't rely on Core_env in platform.cc
Replace the use of the global 'core_env()' accessor by the explicit
delegation of interfaces.

- For allocating UTCBs in base-hw, 'Platform_thread' requires
  a way to allocate dataspaces ('Ram_allocator') accounted to the
  corresponding CPU session, a way to locally map the allocated
  dataspaces (core's 'Region_map'), and a way to determine the
  physical address (via 'Rpc_entrypoint') used for the initial
  UTCB mapping of main threads. Hence those interfaces must be
  passed to 'Platform_thread'.

- NOVA's pager code needs to look up 'Cpu_thread_component'
  objects using a map item as key. The lookup requires the
  'Rpc_entrypoint' that holds the 'Cpu_thread_component' objects.
  To make this 'Rpc_entrypoint' available, this patch adds
  the 'init_page_fault_handing' function.

- The 'Region_map_mmap' for Linux requires a way to look up
  'Linux_dataspace' objects for given dataspace capabilities.
  This lookup requires the 'Rpc_entrypoint' holding the dataspaces,
  which is now passed to 'platform.cc' via the new Linux-specific
  'Core_region_map::init' function.

Issue #5408
2025-01-30 16:24:35 +01:00
Benjamin Lamowski
5e3a898109 base: add create_vcpu to Vm_session interface
`Vm_session_component::create_vcpu()` is present across all supported
kernels, yet until now it was not part of the `Vm_session` interface.

Add the method to the `Vm_session` interface. This unifies calls in the
base library and is the basis to remove the need for a common base class
for separate `Vm_session` implementations for SVM and VMX on x86_64.

Issue #5221
2025-01-30 16:20:39 +01:00
Benjamin Lamowski
f94f461f8f base: make Ram_allocator noncopyable
Prevent erratic runtime behavior stemming from accidentally passing a
copy to a `Ram_allocator` by making the interface noncopyable.

In consequence, we had to provide an explicit copy constructor for
`Session_env` in server/nic_router, which will be reconsidered in
issue #5405.

Issue #5221
2025-01-30 16:20:09 +01:00
Christian Helmuth
cd6701c483 depot: update recipe hashes
2024-12-11 08:35:22 +01:00
Christian Helmuth
1d73cf2003 Prevent false warnings in memcpy (GCC 12)
GCC 12 tree-loop-distribute-patterns generates false warnings of
-Warray-bounds, -Wstringop-overflow, or -Wstringop-overread in memcpy()
and memcpy_cpu() in static/inline cases for code that obviously prevents
its execution by invariant checking. On -O3, even more warnings are
produced.
2024-12-10 14:12:24 +01:00
Benjamin Lamowski
b21c8729ea base: provide core_ram_allocator via platform_add_local_services()
This is a prerequisite to rework the allocation of core data structures
for VM sessions in hw.

Issue #5221
2024-12-10 14:11:57 +01:00
Christian Helmuth
011b44c282 depot: update recipe hashes
2024-11-20 08:58:39 +01:00
Norman Feske
4d7a5b6829 base: add Attached_dataspace::clear()
This alleviates the need (and risk) of manually parametrizing 'memset'
whenever the entire dataspace shall be cleared.

Issue #3897
2024-11-20 08:58:39 +01:00
Christian Helmuth
30f3ef25ad depot: update recipe hashes
2024-10-30 14:02:44 +01:00
Christian Helmuth
61c9706353 depot: update recipe hashes
2024-10-08 11:30:26 +02:00
Norman Feske
88dc4c878f util/geometry.h: test (in)equality of rectangles
The operators == and != make the 'Rect' consistent with 'Point' and
'Area'. The patch also adds the 'Rect::clamp' method, which is generally
useful for sanitizing input.

Issue #5352
2024-10-08 09:09:24 +02:00
Norman Feske
bf064874db util/string.h: Byte_range_ptr::with_skipped_bytes
The new method provides a safe way to narrow the byte range to a
given offset.

Issue #5351
2024-10-08 09:09:23 +02:00