2017-03-03 16:57:41 +01:00
|
|
|
/*
|
|
|
|
|
* \brief Child representation
|
|
|
|
|
* \author Norman Feske
|
|
|
|
|
* \date 2010-05-04
|
|
|
|
|
*/
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Copyright (C) 2010-2017 Genode Labs GmbH
|
|
|
|
|
*
|
|
|
|
|
* This file is part of the Genode OS framework, which is distributed
|
|
|
|
|
* under the terms of the GNU Affero General Public License version 3.
|
|
|
|
|
*/
|
|
|
|
|
|
|
|
|
|
#ifndef _SRC__INIT__CHILD_H_
|
|
|
|
|
#define _SRC__INIT__CHILD_H_
|
|
|
|
|
|
|
|
|
|
/* Genode includes */
|
|
|
|
|
#include <base/log.h>
|
|
|
|
|
#include <base/child.h>
|
|
|
|
|
#include <os/session_requester.h>
|
|
|
|
|
#include <os/session_policy.h>
|
2018-01-23 14:40:34 +01:00
|
|
|
#include <os/buffered_xml.h>
|
2017-03-03 16:57:41 +01:00
|
|
|
|
|
|
|
|
/* local includes */
|
2019-10-03 20:30:26 +02:00
|
|
|
#include "types.h"
|
|
|
|
|
#include "verbose.h"
|
|
|
|
|
#include "report.h"
|
|
|
|
|
#include "name_registry.h"
|
|
|
|
|
#include "service.h"
|
|
|
|
|
#include "utils.h"
|
2017-03-03 16:57:41 +01:00
|
|
|
|
|
|
|
|
namespace Init { class Child; }
|
|
|
|
|
|
2017-05-08 16:49:00 +02:00
|
|
|
class Init::Child : Child_policy, Routed_service::Wakeup
|
2017-03-03 16:57:41 +01:00
|
|
|
{
|
|
|
|
|
public:
|
|
|
|
|
|
2019-03-12 17:55:17 +01:00
|
|
|
typedef String<80> Version;
|
|
|
|
|
|
2017-03-03 16:57:41 +01:00
|
|
|
/**
|
|
|
|
|
* Exception types
|
|
|
|
|
*/
|
|
|
|
|
struct Child_name_is_not_unique : Exception { };
|
|
|
|
|
struct Missing_name_attribute : Exception { };
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* Unique ID of the child, solely used for diagnostic purposes
|
|
|
|
|
*/
|
|
|
|
|
struct Id { unsigned value; };
|
|
|
|
|
|
Follow practices suggested by "Effective C++"
The patch adjust the code of the base, base-<kernel>, and os repository.
To adapt existing components to fix violations of the best practices
suggested by "Effective C++" as reported by the -Weffc++ compiler
argument. The changes follow the patterns outlined below:
* A class with virtual functions can no longer publicly inherit base
classed without a vtable. The inherited object may either be moved
to a member variable, or inherited privately. The latter would be
used for classes that inherit 'List::Element' or 'Avl_node'. In order
to enable the 'List' and 'Avl_tree' to access the meta data, the
'List' must become a friend.
* Instead of adding a virtual destructor to abstract base classes,
we inherit the new 'Interface' class, which contains a virtual
destructor. This way, single-line abstract base classes can stay
as compact as they are now. The 'Interface' utility resides in
base/include/util/interface.h.
* With the new warnings enabled, all member variables must be explicitly
initialized. Basic types may be initialized with '='. All other types
are initialized with braces '{ ... }' or as class initializers. If
basic types and non-basic types appear in a row, it is nice to only
use the brace syntax (also for basic types) and align the braces.
* If a class contains pointers as members, it must now also provide a
copy constructor and assignment operator. In the most cases, one
would make them private, effectively disallowing the objects to be
copied. Unfortunately, this warning cannot be fixed be inheriting
our existing 'Noncopyable' class (the compiler fails to detect that
the inheriting class cannot be copied and still gives the error).
For now, we have to manually add declarations for both the copy
constructor and assignment operator as private class members. Those
declarations should be prepended with a comment like this:
/*
* Noncopyable
*/
Thread(Thread const &);
Thread &operator = (Thread const &);
In the future, we should revisit these places and try to replace
the pointers with references. In the presence of at least one
reference member, the compiler would no longer implicitly generate
a copy constructor. So we could remove the manual declaration.
Issue #465
2017-12-21 15:42:15 +01:00
|
|
|
struct Default_route_accessor : Interface { virtual Xml_node default_route() = 0; };
|
|
|
|
|
struct Default_caps_accessor : Interface { virtual Cap_quota default_caps() = 0; };
|
2018-06-04 15:49:29 +02:00
|
|
|
|
|
|
|
|
template <typename QUOTA>
|
|
|
|
|
struct Resource_limit_accessor : Interface
|
|
|
|
|
{
|
|
|
|
|
/*
|
|
|
|
|
* The argument is unused. It exists solely as an overload selector.
|
|
|
|
|
*/
|
|
|
|
|
virtual QUOTA resource_limit(QUOTA const &) const = 0;
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
typedef Resource_limit_accessor<Ram_quota> Ram_limit_accessor;
|
|
|
|
|
typedef Resource_limit_accessor<Cap_quota> Cap_limit_accessor;
|
2017-03-03 16:57:41 +01:00
|
|
|
|
|
|
|
|
private:
|
|
|
|
|
|
|
|
|
|
friend class Child_registry;
|
|
|
|
|
|
|
|
|
|
Env &_env;
|
|
|
|
|
|
|
|
|
|
Allocator &_alloc;
|
|
|
|
|
|
|
|
|
|
Verbose const &_verbose;
|
|
|
|
|
|
|
|
|
|
Id const _id;
|
|
|
|
|
|
|
|
|
|
enum State { STATE_INITIAL, STATE_RAM_INITIALIZED, STATE_ALIVE,
|
|
|
|
|
STATE_ABANDONED };
|
|
|
|
|
|
|
|
|
|
State _state = STATE_INITIAL;
|
|
|
|
|
|
|
|
|
|
Report_update_trigger &_report_update_trigger;
|
|
|
|
|
|
|
|
|
|
List_element<Child> _list_element;
|
|
|
|
|
|
|
|
|
|
Reconstructible<Buffered_xml> _start_node;
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Version attribute of the start node, used to force child restarts.
|
|
|
|
|
*/
|
|
|
|
|
Version _version { _start_node->xml().attribute_value("version", Version()) };
|
|
|
|
|
|
2018-07-04 18:48:04 +02:00
|
|
|
/*
|
|
|
|
|
* True if the binary is loaded with ld.lib.so
|
|
|
|
|
*/
|
|
|
|
|
bool const _use_ld = _start_node->xml().attribute_value("ld", true);
|
|
|
|
|
|
2017-03-03 16:57:41 +01:00
|
|
|
Default_route_accessor &_default_route_accessor;
|
2018-06-04 15:49:29 +02:00
|
|
|
Default_caps_accessor &_default_caps_accessor;
|
|
|
|
|
Ram_limit_accessor &_ram_limit_accessor;
|
|
|
|
|
Cap_limit_accessor &_cap_limit_accessor;
|
2017-03-03 16:57:41 +01:00
|
|
|
|
|
|
|
|
Name_registry &_name_registry;
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* Read name from XML and check for name confict with other children
|
|
|
|
|
*
|
|
|
|
|
* \throw Missing_name_attribute
|
|
|
|
|
*/
|
|
|
|
|
static Name _name_from_xml(Xml_node start_node)
|
|
|
|
|
{
|
|
|
|
|
Name const name = start_node.attribute_value("name", Name());
|
|
|
|
|
if (name.valid())
|
|
|
|
|
return name;
|
|
|
|
|
|
2018-06-04 15:49:29 +02:00
|
|
|
warning("missint 'name' attribute in '<start>' entry");
|
2017-03-03 16:57:41 +01:00
|
|
|
throw Missing_name_attribute();
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
typedef String<64> Name;
|
|
|
|
|
Name const _unique_name { _name_from_xml(_start_node->xml()) };
|
|
|
|
|
|
|
|
|
|
static Binary_name _binary_from_xml(Xml_node start_node,
|
|
|
|
|
Name const &unique_name)
|
|
|
|
|
{
|
|
|
|
|
if (!start_node.has_sub_node("binary"))
|
|
|
|
|
return unique_name;
|
|
|
|
|
|
|
|
|
|
return start_node.sub_node("binary").attribute_value("name", Name());
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* updated on configuration update */
|
|
|
|
|
Binary_name _binary_name { _binary_from_xml(_start_node->xml(), _unique_name) };
|
|
|
|
|
|
2018-11-14 16:19:30 +01:00
|
|
|
/* initialized in constructor, updated by 'apply_config' */
|
|
|
|
|
bool _heartbeat_enabled;
|
|
|
|
|
|
2018-12-18 14:35:14 +01:00
|
|
|
/*
|
|
|
|
|
* Number of skipped heartbeats when last checked
|
|
|
|
|
*
|
|
|
|
|
* This variable is used for the triggering of state-report updates
|
|
|
|
|
* due to heartbeat events.
|
|
|
|
|
*/
|
|
|
|
|
unsigned _last_skipped_heartbeats = 0;
|
|
|
|
|
|
|
|
|
|
/* return true if heartbeat tracking is active */
|
|
|
|
|
bool _heartbeat_expected() const
|
|
|
|
|
{
|
|
|
|
|
/* don't expect heartbeats from a child that is not yet complete */
|
|
|
|
|
return _heartbeat_enabled && (_state == STATE_ALIVE);
|
|
|
|
|
}
|
|
|
|
|
|
2017-03-03 16:57:41 +01:00
|
|
|
/**
|
|
|
|
|
* Resources assigned to the child
|
|
|
|
|
*/
|
|
|
|
|
struct Resources
|
|
|
|
|
{
|
|
|
|
|
long prio_levels_log2;
|
|
|
|
|
long priority;
|
|
|
|
|
Affinity affinity;
|
|
|
|
|
Ram_quota assigned_ram_quota;
|
Capability quota accounting and trading
This patch mirrors the accounting and trading scheme that Genode employs
for physical memory to the accounting of capability allocations.
Capability quotas must now be explicitly assigned to subsystems by
specifying a 'caps=<amount>' attribute to init's start nodes.
Analogously to RAM quotas, cap quotas can be traded between clients and
servers as part of the session protocol. The capability budget of each
component is maintained by the component's corresponding PD session at
core.
At the current stage, the accounting is applied to RPC capabilities,
signal-context capabilities, and dataspace capabilities. Capabilities
that are dynamically allocated via core's CPU and TRACE service are not
yet covered. Also, the capabilities allocated by resource multiplexers
outside of core (like nitpicker) must be accounted by the respective
servers, which is not covered yet.
If a component runs out of capabilities, core's PD service prints a
warning to the log. To observe the consumption of capabilities per
component in detail, the PD service is equipped with a diagnostic
mode, which can be enabled via the 'diag' attribute in the target
node of init's routing rules. E.g., the following route enables the
diagnostic mode for the PD session of the "timer" component:
<default-route>
<service name="PD" unscoped_label="timer">
<parent diag="yes"/>
</service>
...
</default-route>
For subsystems based on a sub-init instance, init can be configured
to report the capability-quota information of its subsystems by
adding the attribute 'child_caps="yes"' to init's '<report>'
config node. Init's own capability quota can be reported by adding
the attribute 'init_caps="yes"'.
Fixes #2398
2017-05-08 21:35:43 +02:00
|
|
|
Cap_quota assigned_cap_quota;
|
2017-03-03 16:57:41 +01:00
|
|
|
size_t cpu_quota_pc;
|
|
|
|
|
bool constrain_phys;
|
2017-03-06 15:19:35 +01:00
|
|
|
|
|
|
|
|
Ram_quota effective_ram_quota() const
|
|
|
|
|
{
|
2017-05-08 01:33:40 +02:00
|
|
|
return Genode::Child::effective_quota(assigned_ram_quota);
|
2017-03-06 15:19:35 +01:00
|
|
|
}
|
Capability quota accounting and trading
This patch mirrors the accounting and trading scheme that Genode employs
for physical memory to the accounting of capability allocations.
Capability quotas must now be explicitly assigned to subsystems by
specifying a 'caps=<amount>' attribute to init's start nodes.
Analogously to RAM quotas, cap quotas can be traded between clients and
servers as part of the session protocol. The capability budget of each
component is maintained by the component's corresponding PD session at
core.
At the current stage, the accounting is applied to RPC capabilities,
signal-context capabilities, and dataspace capabilities. Capabilities
that are dynamically allocated via core's CPU and TRACE service are not
yet covered. Also, the capabilities allocated by resource multiplexers
outside of core (like nitpicker) must be accounted by the respective
servers, which is not covered yet.
If a component runs out of capabilities, core's PD service prints a
warning to the log. To observe the consumption of capabilities per
component in detail, the PD service is equipped with a diagnostic
mode, which can be enabled via the 'diag' attribute in the target
node of init's routing rules. E.g., the following route enables the
diagnostic mode for the PD session of the "timer" component:
<default-route>
<service name="PD" unscoped_label="timer">
<parent diag="yes"/>
</service>
...
</default-route>
For subsystems based on a sub-init instance, init can be configured
to report the capability-quota information of its subsystems by
adding the attribute 'child_caps="yes"' to init's '<report>'
config node. Init's own capability quota can be reported by adding
the attribute 'init_caps="yes"'.
Fixes #2398
2017-05-08 21:35:43 +02:00
|
|
|
|
|
|
|
|
Cap_quota effective_cap_quota() const
|
|
|
|
|
{
|
|
|
|
|
/* capabilities consumed by 'Genode::Child' */
|
|
|
|
|
Cap_quota const effective =
|
|
|
|
|
Genode::Child::effective_quota(assigned_cap_quota);
|
|
|
|
|
|
|
|
|
|
/* capabilities additionally consumed by init */
|
|
|
|
|
enum {
|
|
|
|
|
STATIC_COSTS = 1 /* possible heap backing-store
|
|
|
|
|
allocation for session object */
|
|
|
|
|
+ 1 /* buffered XML start node */
|
|
|
|
|
+ 2 /* dynamic ROM for config */
|
|
|
|
|
+ 2 /* dynamic ROM for session requester */
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
if (effective.value < STATIC_COSTS)
|
|
|
|
|
return Cap_quota{0};
|
|
|
|
|
|
|
|
|
|
return Cap_quota{effective.value - STATIC_COSTS};
|
|
|
|
|
}
|
2017-03-03 16:57:41 +01:00
|
|
|
};
|
|
|
|
|
|
2017-03-06 15:42:30 +01:00
|
|
|
Resources _resources_from_start_node(Xml_node start_node, Prio_levels prio_levels,
|
Capability quota accounting and trading
This patch mirrors the accounting and trading scheme that Genode employs
for physical memory to the accounting of capability allocations.
Capability quotas must now be explicitly assigned to subsystems by
specifying a 'caps=<amount>' attribute to init's start nodes.
Analogously to RAM quotas, cap quotas can be traded between clients and
servers as part of the session protocol. The capability budget of each
component is maintained by the component's corresponding PD session at
core.
At the current stage, the accounting is applied to RPC capabilities,
signal-context capabilities, and dataspace capabilities. Capabilities
that are dynamically allocated via core's CPU and TRACE service are not
yet covered. Also, the capabilities allocated by resource multiplexers
outside of core (like nitpicker) must be accounted by the respective
servers, which is not covered yet.
If a component runs out of capabilities, core's PD service prints a
warning to the log. To observe the consumption of capabilities per
component in detail, the PD service is equipped with a diagnostic
mode, which can be enabled via the 'diag' attribute in the target
node of init's routing rules. E.g., the following route enables the
diagnostic mode for the PD session of the "timer" component:
<default-route>
<service name="PD" unscoped_label="timer">
<parent diag="yes"/>
</service>
...
</default-route>
For subsystems based on a sub-init instance, init can be configured
to report the capability-quota information of its subsystems by
adding the attribute 'child_caps="yes"' to init's '<report>'
config node. Init's own capability quota can be reported by adding
the attribute 'init_caps="yes"'.
Fixes #2398
2017-05-08 21:35:43 +02:00
|
|
|
Affinity::Space const &affinity_space,
|
Follow practices suggested by "Effective C++"
The patch adjust the code of the base, base-<kernel>, and os repository.
To adapt existing components to fix violations of the best practices
suggested by "Effective C++" as reported by the -Weffc++ compiler
argument. The changes follow the patterns outlined below:
* A class with virtual functions can no longer publicly inherit base
classed without a vtable. The inherited object may either be moved
to a member variable, or inherited privately. The latter would be
used for classes that inherit 'List::Element' or 'Avl_node'. In order
to enable the 'List' and 'Avl_tree' to access the meta data, the
'List' must become a friend.
* Instead of adding a virtual destructor to abstract base classes,
we inherit the new 'Interface' class, which contains a virtual
destructor. This way, single-line abstract base classes can stay
as compact as they are now. The 'Interface' utility resides in
base/include/util/interface.h.
* With the new warnings enabled, all member variables must be explicitly
initialized. Basic types may be initialized with '='. All other types
are initialized with braces '{ ... }' or as class initializers. If
basic types and non-basic types appear in a row, it is nice to only
use the brace syntax (also for basic types) and align the braces.
* If a class contains pointers as members, it must now also provide a
copy constructor and assignment operator. In the most cases, one
would make them private, effectively disallowing the objects to be
copied. Unfortunately, this warning cannot be fixed be inheriting
our existing 'Noncopyable' class (the compiler fails to detect that
the inheriting class cannot be copied and still gives the error).
For now, we have to manually add declarations for both the copy
constructor and assignment operator as private class members. Those
declarations should be prepended with a comment like this:
/*
* Noncopyable
*/
Thread(Thread const &);
Thread &operator = (Thread const &);
In the future, we should revisit these places and try to replace
the pointers with references. In the presence of at least one
reference member, the compiler would no longer implicitly generate
a copy constructor. So we could remove the manual declaration.
Issue #465
2017-12-21 15:42:15 +01:00
|
|
|
Cap_quota default_cap_quota, Cap_quota)
|
2017-03-03 16:57:41 +01:00
|
|
|
{
|
|
|
|
|
size_t cpu_quota_pc = 0;
|
|
|
|
|
bool constrain_phys = false;
|
|
|
|
|
Number_of_bytes ram_bytes = 0;
|
|
|
|
|
|
Capability quota accounting and trading
This patch mirrors the accounting and trading scheme that Genode employs
for physical memory to the accounting of capability allocations.
Capability quotas must now be explicitly assigned to subsystems by
specifying a 'caps=<amount>' attribute to init's start nodes.
Analogously to RAM quotas, cap quotas can be traded between clients and
servers as part of the session protocol. The capability budget of each
component is maintained by the component's corresponding PD session at
core.
At the current stage, the accounting is applied to RPC capabilities,
signal-context capabilities, and dataspace capabilities. Capabilities
that are dynamically allocated via core's CPU and TRACE service are not
yet covered. Also, the capabilities allocated by resource multiplexers
outside of core (like nitpicker) must be accounted by the respective
servers, which is not covered yet.
If a component runs out of capabilities, core's PD service prints a
warning to the log. To observe the consumption of capabilities per
component in detail, the PD service is equipped with a diagnostic
mode, which can be enabled via the 'diag' attribute in the target
node of init's routing rules. E.g., the following route enables the
diagnostic mode for the PD session of the "timer" component:
<default-route>
<service name="PD" unscoped_label="timer">
<parent diag="yes"/>
</service>
...
</default-route>
For subsystems based on a sub-init instance, init can be configured
to report the capability-quota information of its subsystems by
adding the attribute 'child_caps="yes"' to init's '<report>'
config node. Init's own capability quota can be reported by adding
the attribute 'init_caps="yes"'.
Fixes #2398
2017-05-08 21:35:43 +02:00
|
|
|
size_t caps = start_node.attribute_value("caps", default_cap_quota.value);
|
|
|
|
|
|
2017-03-03 16:57:41 +01:00
|
|
|
start_node.for_each_sub_node("resource", [&] (Xml_node rsc) {
|
|
|
|
|
|
|
|
|
|
typedef String<8> Name;
|
|
|
|
|
Name const name = rsc.attribute_value("name", Name());
|
|
|
|
|
|
|
|
|
|
if (name == "RAM") {
|
|
|
|
|
ram_bytes = rsc.attribute_value("quantum", ram_bytes);
|
|
|
|
|
constrain_phys = rsc.attribute_value("constrain_phys", false);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (name == "CPU") {
|
|
|
|
|
cpu_quota_pc = rsc.attribute_value("quantum", 0UL);
|
|
|
|
|
}
|
Capability quota accounting and trading
This patch mirrors the accounting and trading scheme that Genode employs
for physical memory to the accounting of capability allocations.
Capability quotas must now be explicitly assigned to subsystems by
specifying a 'caps=<amount>' attribute to init's start nodes.
Analogously to RAM quotas, cap quotas can be traded between clients and
servers as part of the session protocol. The capability budget of each
component is maintained by the component's corresponding PD session at
core.
At the current stage, the accounting is applied to RPC capabilities,
signal-context capabilities, and dataspace capabilities. Capabilities
that are dynamically allocated via core's CPU and TRACE service are not
yet covered. Also, the capabilities allocated by resource multiplexers
outside of core (like nitpicker) must be accounted by the respective
servers, which is not covered yet.
If a component runs out of capabilities, core's PD service prints a
warning to the log. To observe the consumption of capabilities per
component in detail, the PD service is equipped with a diagnostic
mode, which can be enabled via the 'diag' attribute in the target
node of init's routing rules. E.g., the following route enables the
diagnostic mode for the PD session of the "timer" component:
<default-route>
<service name="PD" unscoped_label="timer">
<parent diag="yes"/>
</service>
...
</default-route>
For subsystems based on a sub-init instance, init can be configured
to report the capability-quota information of its subsystems by
adding the attribute 'child_caps="yes"' to init's '<report>'
config node. Init's own capability quota can be reported by adding
the attribute 'init_caps="yes"'.
Fixes #2398
2017-05-08 21:35:43 +02:00
|
|
|
|
|
|
|
|
if (name == "CAP") {
|
|
|
|
|
caps = rsc.attribute_value("quantum", 0UL);
|
|
|
|
|
}
|
2017-03-03 16:57:41 +01:00
|
|
|
});
|
|
|
|
|
|
2017-03-06 15:42:30 +01:00
|
|
|
return Resources { log2(prio_levels.value),
|
|
|
|
|
priority_from_xml(start_node, prio_levels),
|
|
|
|
|
Affinity(affinity_space,
|
|
|
|
|
affinity_location_from_xml(affinity_space, start_node)),
|
|
|
|
|
Ram_quota { ram_bytes },
|
Capability quota accounting and trading
This patch mirrors the accounting and trading scheme that Genode employs
for physical memory to the accounting of capability allocations.
Capability quotas must now be explicitly assigned to subsystems by
specifying a 'caps=<amount>' attribute to init's start nodes.
Analogously to RAM quotas, cap quotas can be traded between clients and
servers as part of the session protocol. The capability budget of each
component is maintained by the component's corresponding PD session at
core.
At the current stage, the accounting is applied to RPC capabilities,
signal-context capabilities, and dataspace capabilities. Capabilities
that are dynamically allocated via core's CPU and TRACE service are not
yet covered. Also, the capabilities allocated by resource multiplexers
outside of core (like nitpicker) must be accounted by the respective
servers, which is not covered yet.
If a component runs out of capabilities, core's PD service prints a
warning to the log. To observe the consumption of capabilities per
component in detail, the PD service is equipped with a diagnostic
mode, which can be enabled via the 'diag' attribute in the target
node of init's routing rules. E.g., the following route enables the
diagnostic mode for the PD session of the "timer" component:
<default-route>
<service name="PD" unscoped_label="timer">
<parent diag="yes"/>
</service>
...
</default-route>
For subsystems based on a sub-init instance, init can be configured
to report the capability-quota information of its subsystems by
adding the attribute 'child_caps="yes"' to init's '<report>'
config node. Init's own capability quota can be reported by adding
the attribute 'init_caps="yes"'.
Fixes #2398
2017-05-08 21:35:43 +02:00
|
|
|
Cap_quota { caps },
|
2017-03-06 15:42:30 +01:00
|
|
|
cpu_quota_pc,
|
|
|
|
|
constrain_phys };
|
2017-03-03 16:57:41 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
Resources _resources;
|
|
|
|
|
|
2018-06-04 15:49:29 +02:00
|
|
|
/**
|
|
|
|
|
* Print diagnostic information on misconfiguration
|
|
|
|
|
*/
|
|
|
|
|
void _clamp_resources(Ram_quota ram_limit, Cap_quota cap_limit)
|
2017-03-03 16:57:41 +01:00
|
|
|
{
|
|
|
|
|
if (_resources.assigned_ram_quota.value > ram_limit.value) {
|
2018-06-04 15:49:29 +02:00
|
|
|
warning(name(), " assigned RAM (", _resources.assigned_ram_quota, ") "
|
|
|
|
|
"exceeds available RAM (", ram_limit, ")");
|
|
|
|
|
_resources.assigned_ram_quota = ram_limit;
|
2017-03-03 16:57:41 +01:00
|
|
|
}
|
Capability quota accounting and trading
This patch mirrors the accounting and trading scheme that Genode employs
for physical memory to the accounting of capability allocations.
Capability quotas must now be explicitly assigned to subsystems by
specifying a 'caps=<amount>' attribute to init's start nodes.
Analogously to RAM quotas, cap quotas can be traded between clients and
servers as part of the session protocol. The capability budget of each
component is maintained by the component's corresponding PD session at
core.
At the current stage, the accounting is applied to RPC capabilities,
signal-context capabilities, and dataspace capabilities. Capabilities
that are dynamically allocated via core's CPU and TRACE service are not
yet covered. Also, the capabilities allocated by resource multiplexers
outside of core (like nitpicker) must be accounted by the respective
servers, which is not covered yet.
If a component runs out of capabilities, core's PD service prints a
warning to the log. To observe the consumption of capabilities per
component in detail, the PD service is equipped with a diagnostic
mode, which can be enabled via the 'diag' attribute in the target
node of init's routing rules. E.g., the following route enables the
diagnostic mode for the PD session of the "timer" component:
<default-route>
<service name="PD" unscoped_label="timer">
<parent diag="yes"/>
</service>
...
</default-route>
For subsystems based on a sub-init instance, init can be configured
to report the capability-quota information of its subsystems by
adding the attribute 'child_caps="yes"' to init's '<report>'
config node. Init's own capability quota can be reported by adding
the attribute 'init_caps="yes"'.
Fixes #2398
2017-05-08 21:35:43 +02:00
|
|
|
|
|
|
|
|
if (_resources.assigned_cap_quota.value > cap_limit.value) {
|
2018-06-04 15:49:29 +02:00
|
|
|
warning(name(), " assigned caps (", _resources.assigned_cap_quota, ") "
|
|
|
|
|
"exceed available caps (", cap_limit, ")");
|
|
|
|
|
_resources.assigned_cap_quota = cap_limit;
|
Capability quota accounting and trading
This patch mirrors the accounting and trading scheme that Genode employs
for physical memory to the accounting of capability allocations.
Capability quotas must now be explicitly assigned to subsystems by
specifying a 'caps=<amount>' attribute to init's start nodes.
Analogously to RAM quotas, cap quotas can be traded between clients and
servers as part of the session protocol. The capability budget of each
component is maintained by the component's corresponding PD session at
core.
At the current stage, the accounting is applied to RPC capabilities,
signal-context capabilities, and dataspace capabilities. Capabilities
that are dynamically allocated via core's CPU and TRACE service are not
yet covered. Also, the capabilities allocated by resource multiplexers
outside of core (like nitpicker) must be accounted by the respective
servers, which is not covered yet.
If a component runs out of capabilities, core's PD service prints a
warning to the log. To observe the consumption of capabilities per
component in detail, the PD service is equipped with a diagnostic
mode, which can be enabled via the 'diag' attribute in the target
node of init's routing rules. E.g., the following route enables the
diagnostic mode for the PD session of the "timer" component:
<default-route>
<service name="PD" unscoped_label="timer">
<parent diag="yes"/>
</service>
...
</default-route>
For subsystems based on a sub-init instance, init can be configured
to report the capability-quota information of its subsystems by
adding the attribute 'child_caps="yes"' to init's '<report>'
config node. Init's own capability quota can be reported by adding
the attribute 'init_caps="yes"'.
Fixes #2398
2017-05-08 21:35:43 +02:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2018-06-04 15:49:29 +02:00
|
|
|
Ram_quota _configured_ram_quota() const;
|
|
|
|
|
Cap_quota _configured_cap_quota() const;
|
|
|
|
|
|
|
|
|
|
bool const _resources_clamped_to_limit;
|
2017-03-03 16:57:41 +01:00
|
|
|
|
|
|
|
|
Registry<Parent_service> &_parent_services;
|
|
|
|
|
Registry<Routed_service> &_child_services;
|
|
|
|
|
|
|
|
|
|
struct Inline_config_rom_service : Abandonable, Dynamic_rom_session::Content_producer
|
|
|
|
|
{
|
|
|
|
|
typedef Local_service<Dynamic_rom_session> Service;
|
|
|
|
|
|
|
|
|
|
Child &_child;
|
|
|
|
|
|
|
|
|
|
Dynamic_rom_session _session { _child._env.ep().rpc_ep(),
|
2017-05-11 20:03:28 +02:00
|
|
|
_child.ref_pd(), _child._env.rm(),
|
2017-03-03 16:57:41 +01:00
|
|
|
*this };
|
|
|
|
|
|
|
|
|
|
Service::Single_session_factory _factory { _session };
|
|
|
|
|
Service _service { _factory };
|
|
|
|
|
|
|
|
|
|
Inline_config_rom_service(Child &child) : _child(child) { }
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* Dynamic_rom_session::Content_producer interface
|
|
|
|
|
*/
|
|
|
|
|
void produce_content(char *dst, Genode::size_t dst_len) override
|
|
|
|
|
{
|
|
|
|
|
Xml_node config = _child._start_node->xml().has_sub_node("config")
|
|
|
|
|
? _child._start_node->xml().sub_node("config")
|
|
|
|
|
: Xml_node("<config/>");
|
|
|
|
|
|
|
|
|
|
size_t const config_len = config.size();
|
|
|
|
|
|
|
|
|
|
if (config_len + 1 /* null termination */ >= dst_len)
|
|
|
|
|
throw Buffer_capacity_exceeded();
|
|
|
|
|
|
2019-01-21 10:48:39 +01:00
|
|
|
config.with_raw_node([&] (char const *start, size_t length) {
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* The 'length' is the number of bytes of the config-node
|
|
|
|
|
* content, which is not null-terminated. Since
|
|
|
|
|
* 'Genode::strncpy' always null-terminates the result, the
|
|
|
|
|
* last byte of the source string is not copied. Hence, it
|
|
|
|
|
* is safe to add '1' to 'length' and thereby include the
|
|
|
|
|
* last actual config-content character in the result.
|
|
|
|
|
*/
|
|
|
|
|
Genode::strncpy(dst, start, length + 1);
|
|
|
|
|
});
|
2017-03-03 16:57:41 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
void trigger_update() { _session.trigger_update(); }
|
|
|
|
|
|
|
|
|
|
Service &service() { return _service; }
|
|
|
|
|
};
|
|
|
|
|
|
Follow practices suggested by "Effective C++"
The patch adjust the code of the base, base-<kernel>, and os repository.
To adapt existing components to fix violations of the best practices
suggested by "Effective C++" as reported by the -Weffc++ compiler
argument. The changes follow the patterns outlined below:
* A class with virtual functions can no longer publicly inherit base
classed without a vtable. The inherited object may either be moved
to a member variable, or inherited privately. The latter would be
used for classes that inherit 'List::Element' or 'Avl_node'. In order
to enable the 'List' and 'Avl_tree' to access the meta data, the
'List' must become a friend.
* Instead of adding a virtual destructor to abstract base classes,
we inherit the new 'Interface' class, which contains a virtual
destructor. This way, single-line abstract base classes can stay
as compact as they are now. The 'Interface' utility resides in
base/include/util/interface.h.
* With the new warnings enabled, all member variables must be explicitly
initialized. Basic types may be initialized with '='. All other types
are initialized with braces '{ ... }' or as class initializers. If
basic types and non-basic types appear in a row, it is nice to only
use the brace syntax (also for basic types) and align the braces.
* If a class contains pointers as members, it must now also provide a
copy constructor and assignment operator. In the most cases, one
would make them private, effectively disallowing the objects to be
copied. Unfortunately, this warning cannot be fixed be inheriting
our existing 'Noncopyable' class (the compiler fails to detect that
the inheriting class cannot be copied and still gives the error).
For now, we have to manually add declarations for both the copy
constructor and assignment operator as private class members. Those
declarations should be prepended with a comment like this:
/*
* Noncopyable
*/
Thread(Thread const &);
Thread &operator = (Thread const &);
In the future, we should revisit these places and try to replace
the pointers with references. In the presence of at least one
reference member, the compiler would no longer implicitly generate
a copy constructor. So we could remove the manual declaration.
Issue #465
2017-12-21 15:42:15 +01:00
|
|
|
Constructible<Inline_config_rom_service> _config_rom_service { };
|
2017-03-03 16:57:41 +01:00
|
|
|
|
|
|
|
|
Session_requester _session_requester;
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* CPU-session priority parameters
|
|
|
|
|
*/
|
|
|
|
|
long const _prio_levels_log2 { _resources.prio_levels_log2 };
|
|
|
|
|
long const _priority { _resources.priority };
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* If set to true, the child is allowed to constrain physical RAM
|
|
|
|
|
* allocations.
|
|
|
|
|
*/
|
|
|
|
|
bool const _constrain_phys { _resources.constrain_phys };
|
|
|
|
|
|
2017-03-06 18:04:10 +01:00
|
|
|
/**
|
|
|
|
|
* Resource request initiated by the child
|
|
|
|
|
*/
|
|
|
|
|
struct Requested_resources
|
|
|
|
|
{
|
|
|
|
|
Ram_quota const ram;
|
Capability quota accounting and trading
This patch mirrors the accounting and trading scheme that Genode employs
for physical memory to the accounting of capability allocations.
Capability quotas must now be explicitly assigned to subsystems by
specifying a 'caps=<amount>' attribute to init's start nodes.
Analogously to RAM quotas, cap quotas can be traded between clients and
servers as part of the session protocol. The capability budget of each
component is maintained by the component's corresponding PD session at
core.
At the current stage, the accounting is applied to RPC capabilities,
signal-context capabilities, and dataspace capabilities. Capabilities
that are dynamically allocated via core's CPU and TRACE service are not
yet covered. Also, the capabilities allocated by resource multiplexers
outside of core (like nitpicker) must be accounted by the respective
servers, which is not covered yet.
If a component runs out of capabilities, core's PD service prints a
warning to the log. To observe the consumption of capabilities per
component in detail, the PD service is equipped with a diagnostic
mode, which can be enabled via the 'diag' attribute in the target
node of init's routing rules. E.g., the following route enables the
diagnostic mode for the PD session of the "timer" component:
<default-route>
<service name="PD" unscoped_label="timer">
<parent diag="yes"/>
</service>
...
</default-route>
For subsystems based on a sub-init instance, init can be configured
to report the capability-quota information of its subsystems by
adding the attribute 'child_caps="yes"' to init's '<report>'
config node. Init's own capability quota can be reported by adding
the attribute 'init_caps="yes"'.
Fixes #2398
2017-05-08 21:35:43 +02:00
|
|
|
Cap_quota const caps;
|
2017-05-08 16:49:00 +02:00
|
|
|
|
2017-03-06 18:04:10 +01:00
|
|
|
Requested_resources(Parent::Resource_args const &args)
|
|
|
|
|
:
|
Capability quota accounting and trading
This patch mirrors the accounting and trading scheme that Genode employs
for physical memory to the accounting of capability allocations.
Capability quotas must now be explicitly assigned to subsystems by
specifying a 'caps=<amount>' attribute to init's start nodes.
Analogously to RAM quotas, cap quotas can be traded between clients and
servers as part of the session protocol. The capability budget of each
component is maintained by the component's corresponding PD session at
core.
At the current stage, the accounting is applied to RPC capabilities,
signal-context capabilities, and dataspace capabilities. Capabilities
that are dynamically allocated via core's CPU and TRACE service are not
yet covered. Also, the capabilities allocated by resource multiplexers
outside of core (like nitpicker) must be accounted by the respective
servers, which is not covered yet.
If a component runs out of capabilities, core's PD service prints a
warning to the log. To observe the consumption of capabilities per
component in detail, the PD service is equipped with a diagnostic
mode, which can be enabled via the 'diag' attribute in the target
node of init's routing rules. E.g., the following route enables the
diagnostic mode for the PD session of the "timer" component:
<default-route>
<service name="PD" unscoped_label="timer">
<parent diag="yes"/>
</service>
...
</default-route>
For subsystems based on a sub-init instance, init can be configured
to report the capability-quota information of its subsystems by
adding the attribute 'child_caps="yes"' to init's '<report>'
config node. Init's own capability quota can be reported by adding
the attribute 'init_caps="yes"'.
Fixes #2398
2017-05-08 21:35:43 +02:00
|
|
|
ram (ram_quota_from_args(args.string())),
|
|
|
|
|
caps(cap_quota_from_args(args.string()))
|
2017-03-06 18:04:10 +01:00
|
|
|
{ }
|
|
|
|
|
};
|
|
|
|
|
|
Follow practices suggested by "Effective C++"
The patch adjust the code of the base, base-<kernel>, and os repository.
To adapt existing components to fix violations of the best practices
suggested by "Effective C++" as reported by the -Weffc++ compiler
argument. The changes follow the patterns outlined below:
* A class with virtual functions can no longer publicly inherit base
classed without a vtable. The inherited object may either be moved
to a member variable, or inherited privately. The latter would be
used for classes that inherit 'List::Element' or 'Avl_node'. In order
to enable the 'List' and 'Avl_tree' to access the meta data, the
'List' must become a friend.
* Instead of adding a virtual destructor to abstract base classes,
we inherit the new 'Interface' class, which contains a virtual
destructor. This way, single-line abstract base classes can stay
as compact as they are now. The 'Interface' utility resides in
base/include/util/interface.h.
* With the new warnings enabled, all member variables must be explicitly
initialized. Basic types may be initialized with '='. All other types
are initialized with braces '{ ... }' or as class initializers. If
basic types and non-basic types appear in a row, it is nice to only
use the brace syntax (also for basic types) and align the braces.
* If a class contains pointers as members, it must now also provide a
copy constructor and assignment operator. In the most cases, one
would make them private, effectively disallowing the objects to be
copied. Unfortunately, this warning cannot be fixed be inheriting
our existing 'Noncopyable' class (the compiler fails to detect that
the inheriting class cannot be copied and still gives the error).
For now, we have to manually add declarations for both the copy
constructor and assignment operator as private class members. Those
declarations should be prepended with a comment like this:
/*
* Noncopyable
*/
Thread(Thread const &);
Thread &operator = (Thread const &);
In the future, we should revisit these places and try to replace
the pointers with references. In the presence of at least one
reference member, the compiler would no longer implicitly generate
a copy constructor. So we could remove the manual declaration.
Issue #465
2017-12-21 15:42:15 +01:00
|
|
|
Constructible<Requested_resources> _requested_resources { };
|
2017-03-06 18:04:10 +01:00
|
|
|
|
2017-03-03 16:57:41 +01:00
|
|
|
Genode::Child _child { _env.rm(), _env.ep().rpc_ep(), *this };
|
|
|
|
|
|
2019-01-21 10:48:39 +01:00
|
|
|
struct Pd_accessor : Routed_service::Pd_accessor
|
2017-03-03 16:57:41 +01:00
|
|
|
{
|
|
|
|
|
Genode::Child &_child;
|
2017-05-08 16:49:00 +02:00
|
|
|
|
2019-01-21 10:48:39 +01:00
|
|
|
Pd_accessor(Genode::Child &child) : _child(child) { }
|
2017-05-08 16:49:00 +02:00
|
|
|
|
2019-01-21 10:48:39 +01:00
|
|
|
Pd_session &pd() override { return _child.pd(); }
|
|
|
|
|
Pd_session_capability pd_cap() const override { return _child.pd_session_cap(); }
|
2017-05-08 16:49:00 +02:00
|
|
|
|
2019-01-21 10:48:39 +01:00
|
|
|
} _pd_accessor { _child };
|
Capability quota accounting and trading
This patch mirrors the accounting and trading scheme that Genode employs
for physical memory to the accounting of capability allocations.
Capability quotas must now be explicitly assigned to subsystems by
specifying a 'caps=<amount>' attribute to init's start nodes.
Analogously to RAM quotas, cap quotas can be traded between clients and
servers as part of the session protocol. The capability budget of each
component is maintained by the component's corresponding PD session at
core.
At the current stage, the accounting is applied to RPC capabilities,
signal-context capabilities, and dataspace capabilities. Capabilities
that are dynamically allocated via core's CPU and TRACE service are not
yet covered. Also, the capabilities allocated by resource multiplexers
outside of core (like nitpicker) must be accounted by the respective
servers, which is not covered yet.
If a component runs out of capabilities, core's PD service prints a
warning to the log. To observe the consumption of capabilities per
component in detail, the PD service is equipped with a diagnostic
mode, which can be enabled via the 'diag' attribute in the target
node of init's routing rules. E.g., the following route enables the
diagnostic mode for the PD session of the "timer" component:
<default-route>
<service name="PD" unscoped_label="timer">
<parent diag="yes"/>
</service>
...
</default-route>
For subsystems based on a sub-init instance, init can be configured
to report the capability-quota information of its subsystems by
adding the attribute 'child_caps="yes"' to init's '<report>'
config node. Init's own capability quota can be reported by adding
the attribute 'init_caps="yes"'.
Fixes #2398
2017-05-08 21:35:43 +02:00
|
|
|
|
2019-01-21 10:48:39 +01:00
|
|
|
struct Ram_accessor : Routed_service::Ram_accessor
|
|
|
|
|
{
|
|
|
|
|
Genode::Child &_child;
|
|
|
|
|
|
|
|
|
|
Ram_accessor(Genode::Child &child) : _child(child) { }
|
|
|
|
|
|
|
|
|
|
Pd_session &ram() override { return _child.pd(); }
|
|
|
|
|
Pd_session_capability ram_cap() const override { return _child.pd_session_cap(); }
|
|
|
|
|
|
|
|
|
|
} _ram_accessor { _child };
|
2017-03-03 16:57:41 +01:00
|
|
|
|
|
|
|
|
/**
|
2017-05-08 16:49:00 +02:00
|
|
|
* Async_service::Wakeup callback
|
2017-03-03 16:57:41 +01:00
|
|
|
*/
|
2017-05-08 16:49:00 +02:00
|
|
|
void wakeup_async_service() override
|
2017-03-03 16:57:41 +01:00
|
|
|
{
|
|
|
|
|
_session_requester.trigger_update();
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* Return true if the policy results in the current route of the session
|
|
|
|
|
*
|
|
|
|
|
* This method is used to check if a policy change affects an existing
|
|
|
|
|
* client session of a child, i.e., to determine whether the child must
|
|
|
|
|
* be restarted.
|
|
|
|
|
*/
|
|
|
|
|
bool _route_valid(Session_state const &session)
|
|
|
|
|
{
|
|
|
|
|
try {
|
|
|
|
|
Route const route =
|
|
|
|
|
resolve_session_request(session.service().name(),
|
|
|
|
|
session.client_label());
|
|
|
|
|
|
|
|
|
|
return (session.service() == route.service)
|
|
|
|
|
&& (route.label == session.label());
|
|
|
|
|
}
|
Streamline exception types
This patch reduces the number of exception types by facilitating
globally defined exceptions for common usage patterns shared by most
services. In particular, RPC functions that demand a session-resource
upgrade not longer reflect this condition via a session-specific
exception but via the 'Out_of_ram' or 'Out_of_caps' types.
Furthermore, the 'Parent::Service_denied', 'Parent::Unavailable',
'Root::Invalid_args', 'Root::Unavailable', 'Service::Invalid_args',
'Service::Unavailable', and 'Local_service::Factory::Denied' types have
been replaced by the single 'Service_denied' exception type defined in
'session/session.h'.
This consolidation eases the error handling (there are fewer exceptions
to handle), alleviates the need to convert exceptions along the
session-creation call chain, and avoids possible aliasing problems
(catching the wrong type with the same name but living in a different
scope).
2017-05-07 22:03:22 +02:00
|
|
|
catch (Service_denied) { return false; }
|
2017-03-03 16:57:41 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static Xml_node _provides_sub_node(Xml_node start_node)
|
|
|
|
|
{
|
|
|
|
|
return start_node.has_sub_node("provides")
|
|
|
|
|
? start_node.sub_node("provides") : Xml_node("<provides/>");
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* Return true if service is provided by this child
|
|
|
|
|
*/
|
2017-04-24 11:25:54 +02:00
|
|
|
bool _provided_by_this(Routed_service const &service) const
|
2017-03-03 16:57:41 +01:00
|
|
|
{
|
|
|
|
|
return service.has_id_space(_session_requester.id_space());
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* Return true if service of specified <provides> sub node is known
|
|
|
|
|
*/
|
|
|
|
|
bool _service_exists(Xml_node node) const
|
|
|
|
|
{
|
|
|
|
|
bool exists = false;
|
|
|
|
|
_child_services.for_each([&] (Routed_service const &service) {
|
|
|
|
|
if (_provided_by_this(service) &&
|
|
|
|
|
service.name() == node.attribute_value("name", Service::Name()))
|
|
|
|
|
exists = true; });
|
|
|
|
|
|
2018-05-22 11:32:36 +02:00
|
|
|
return exists && !abandoned();
|
2017-03-03 16:57:41 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
void _add_service(Xml_node service)
|
|
|
|
|
{
|
|
|
|
|
Service::Name const name =
|
|
|
|
|
service.attribute_value("name", Service::Name());
|
|
|
|
|
|
|
|
|
|
if (_verbose.enabled())
|
|
|
|
|
log(" provides service ", name);
|
|
|
|
|
|
|
|
|
|
new (_alloc)
|
2017-05-08 16:49:00 +02:00
|
|
|
Routed_service(_child_services, this->name(),
|
2019-01-21 10:48:39 +01:00
|
|
|
_pd_accessor, _ram_accessor,
|
2017-03-03 16:57:41 +01:00
|
|
|
_session_requester.id_space(),
|
|
|
|
|
_child.session_factory(),
|
|
|
|
|
name, *this);
|
|
|
|
|
}
|
|
|
|
|
|
2017-10-26 16:04:58 +02:00
|
|
|
/*
|
|
|
|
|
* Exit state of the child set when 'exit()' is executed
|
|
|
|
|
* and reported afterwards through the state report.
|
|
|
|
|
*/
|
|
|
|
|
|
|
|
|
|
bool _exited { false };
|
|
|
|
|
int _exit_value { -1 };
|
|
|
|
|
|
2018-05-22 11:32:36 +02:00
|
|
|
void _destroy_services();
|
|
|
|
|
|
2017-03-03 16:57:41 +01:00
|
|
|
public:
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* Constructor
|
|
|
|
|
*
|
2017-03-06 15:19:35 +01:00
|
|
|
* \param alloc allocator solely used for configuration-
|
|
|
|
|
* dependent allocations. It is not used for
|
|
|
|
|
* allocations on behalf of the child's
|
|
|
|
|
* behavior.
|
|
|
|
|
*
|
|
|
|
|
* \param ram_limit maximum amount of RAM to be consumed at
|
|
|
|
|
* creation time.
|
|
|
|
|
*
|
|
|
|
|
* \param ram_limit_accessor interface for querying the available
|
|
|
|
|
* RAM, used for dynamic RAM balancing at
|
|
|
|
|
* runtime.
|
2017-03-03 16:57:41 +01:00
|
|
|
*
|
2017-03-06 15:19:35 +01:00
|
|
|
* \throw Allocator::Out_of_memory could not buffer the XML start node
|
2017-03-03 16:57:41 +01:00
|
|
|
*/
|
|
|
|
|
Child(Env &env,
|
|
|
|
|
Allocator &alloc,
|
|
|
|
|
Verbose const &verbose,
|
|
|
|
|
Id id,
|
|
|
|
|
Report_update_trigger &report_update_trigger,
|
|
|
|
|
Xml_node start_node,
|
|
|
|
|
Default_route_accessor &default_route_accessor,
|
Capability quota accounting and trading
This patch mirrors the accounting and trading scheme that Genode employs
for physical memory to the accounting of capability allocations.
Capability quotas must now be explicitly assigned to subsystems by
specifying a 'caps=<amount>' attribute to init's start nodes.
Analogously to RAM quotas, cap quotas can be traded between clients and
servers as part of the session protocol. The capability budget of each
component is maintained by the component's corresponding PD session at
core.
At the current stage, the accounting is applied to RPC capabilities,
signal-context capabilities, and dataspace capabilities. Capabilities
that are dynamically allocated via core's CPU and TRACE service are not
yet covered. Also, the capabilities allocated by resource multiplexers
outside of core (like nitpicker) must be accounted by the respective
servers, which is not covered yet.
If a component runs out of capabilities, core's PD service prints a
warning to the log. To observe the consumption of capabilities per
component in detail, the PD service is equipped with a diagnostic
mode, which can be enabled via the 'diag' attribute in the target
node of init's routing rules. E.g., the following route enables the
diagnostic mode for the PD session of the "timer" component:
<default-route>
<service name="PD" unscoped_label="timer">
<parent diag="yes"/>
</service>
...
</default-route>
For subsystems based on a sub-init instance, init can be configured
to report the capability-quota information of its subsystems by
adding the attribute 'child_caps="yes"' to init's '<report>'
config node. Init's own capability quota can be reported by adding
the attribute 'init_caps="yes"'.
Fixes #2398
2017-05-08 21:35:43 +02:00
|
|
|
Default_caps_accessor &default_caps_accessor,
|
2017-03-03 16:57:41 +01:00
|
|
|
Name_registry &name_registry,
|
2017-03-06 15:19:35 +01:00
|
|
|
Ram_quota ram_limit,
|
Capability quota accounting and trading
This patch mirrors the accounting and trading scheme that Genode employs
for physical memory to the accounting of capability allocations.
Capability quotas must now be explicitly assigned to subsystems by
specifying a 'caps=<amount>' attribute to init's start nodes.
Analogously to RAM quotas, cap quotas can be traded between clients and
servers as part of the session protocol. The capability budget of each
component is maintained by the component's corresponding PD session at
core.
At the current stage, the accounting is applied to RPC capabilities,
signal-context capabilities, and dataspace capabilities. Capabilities
that are dynamically allocated via core's CPU and TRACE service are not
yet covered. Also, the capabilities allocated by resource multiplexers
outside of core (like nitpicker) must be accounted by the respective
servers, which is not covered yet.
If a component runs out of capabilities, core's PD service prints a
warning to the log. To observe the consumption of capabilities per
component in detail, the PD service is equipped with a diagnostic
mode, which can be enabled via the 'diag' attribute in the target
node of init's routing rules. E.g., the following route enables the
diagnostic mode for the PD session of the "timer" component:
<default-route>
<service name="PD" unscoped_label="timer">
<parent diag="yes"/>
</service>
...
</default-route>
For subsystems based on a sub-init instance, init can be configured
to report the capability-quota information of its subsystems by
adding the attribute 'child_caps="yes"' to init's '<report>'
config node. Init's own capability quota can be reported by adding
the attribute 'init_caps="yes"'.
Fixes #2398
2017-05-08 21:35:43 +02:00
|
|
|
Cap_quota cap_limit,
|
2017-03-03 16:57:41 +01:00
|
|
|
Ram_limit_accessor &ram_limit_accessor,
|
2018-06-04 15:49:29 +02:00
|
|
|
Cap_limit_accessor &cap_limit_accessor,
|
2017-03-06 15:42:30 +01:00
|
|
|
Prio_levels prio_levels,
|
2017-03-03 16:57:41 +01:00
|
|
|
Affinity::Space const &affinity_space,
|
|
|
|
|
Registry<Parent_service> &parent_services,
|
|
|
|
|
Registry<Routed_service> &child_services);
|
|
|
|
|
|
|
|
|
|
virtual ~Child();
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* Return true if the child has the specified name
|
|
|
|
|
*/
|
|
|
|
|
bool has_name(Child_policy::Name const &str) const { return str == name(); }
|
|
|
|
|
|
2019-03-12 17:55:17 +01:00
|
|
|
bool has_version(Version const &version) const { return version == _version; }
|
|
|
|
|
|
2017-03-03 16:57:41 +01:00
|
|
|
Ram_quota ram_quota() const { return _resources.assigned_ram_quota; }
|
Capability quota accounting and trading
This patch mirrors the accounting and trading scheme that Genode employs
for physical memory to the accounting of capability allocations.
Capability quotas must now be explicitly assigned to subsystems by
specifying a 'caps=<amount>' attribute to init's start nodes.
Analogously to RAM quotas, cap quotas can be traded between clients and
servers as part of the session protocol. The capability budget of each
component is maintained by the component's corresponding PD session at
core.
At the current stage, the accounting is applied to RPC capabilities,
signal-context capabilities, and dataspace capabilities. Capabilities
that are dynamically allocated via core's CPU and TRACE service are not
yet covered. Also, the capabilities allocated by resource multiplexers
outside of core (like nitpicker) must be accounted by the respective
servers, which is not covered yet.
If a component runs out of capabilities, core's PD service prints a
warning to the log. To observe the consumption of capabilities per
component in detail, the PD service is equipped with a diagnostic
mode, which can be enabled via the 'diag' attribute in the target
node of init's routing rules. E.g., the following route enables the
diagnostic mode for the PD session of the "timer" component:
<default-route>
<service name="PD" unscoped_label="timer">
<parent diag="yes"/>
</service>
...
</default-route>
For subsystems based on a sub-init instance, init can be configured
to report the capability-quota information of its subsystems by
adding the attribute 'child_caps="yes"' to init's '<report>'
config node. Init's own capability quota can be reported by adding
the attribute 'init_caps="yes"'.
Fixes #2398
2017-05-08 21:35:43 +02:00
|
|
|
Cap_quota cap_quota() const { return _resources.assigned_cap_quota; }
|
2017-03-03 16:57:41 +01:00
|
|
|
|
2019-01-21 10:48:39 +01:00
|
|
|
void initiate_env_pd_session()
|
2017-03-03 16:57:41 +01:00
|
|
|
{
|
|
|
|
|
if (_state == STATE_INITIAL) {
|
2019-01-30 17:14:33 +01:00
|
|
|
_child.initiate_env_pd_session();
|
2017-03-03 16:57:41 +01:00
|
|
|
_state = STATE_RAM_INITIALIZED;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
void initiate_env_sessions()
|
|
|
|
|
{
|
|
|
|
|
if (_state == STATE_RAM_INITIALIZED) {
|
|
|
|
|
|
|
|
|
|
_child.initiate_env_sessions();
|
|
|
|
|
|
|
|
|
|
/* check for completeness of the child's environment */
|
|
|
|
|
if (_verbose.enabled())
|
|
|
|
|
_child.for_each_session([&] (Session_state const &session) {
|
|
|
|
|
if (!session.alive())
|
|
|
|
|
warning(name(), ": incomplete environment ",
|
|
|
|
|
session.service().name(), " session "
|
|
|
|
|
"(", session.label(), ")"); });
|
|
|
|
|
|
|
|
|
|
_state = STATE_ALIVE;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
void abandon()
|
|
|
|
|
{
|
|
|
|
|
_state = STATE_ABANDONED;
|
|
|
|
|
|
|
|
|
|
_child_services.for_each([&] (Routed_service &service) {
|
|
|
|
|
if (service.has_id_space(_session_requester.id_space()))
|
|
|
|
|
service.abandon(); });
|
|
|
|
|
}
|
|
|
|
|
|
2018-05-22 11:32:36 +02:00
|
|
|
void destroy_services();
|
|
|
|
|
|
|
|
|
|
void close_all_sessions() { _child.close_all_sessions(); }
|
|
|
|
|
|
2017-03-03 16:57:41 +01:00
|
|
|
bool abandoned() const { return _state == STATE_ABANDONED; }
|
|
|
|
|
|
2018-05-22 11:32:36 +02:00
|
|
|
bool env_sessions_closed() const { return _child.env_sessions_closed(); }
|
|
|
|
|
|
2017-03-03 16:57:41 +01:00
|
|
|
enum Apply_config_result { MAY_HAVE_SIDE_EFFECTS, NO_SIDE_EFFECTS };
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* Apply new configuration to child
|
|
|
|
|
*
|
|
|
|
|
* \throw Allocator::Out_of_memory unable to allocate buffer for new
|
|
|
|
|
* config
|
|
|
|
|
*/
|
|
|
|
|
Apply_config_result apply_config(Xml_node start_node);
|
|
|
|
|
|
2018-06-04 15:49:29 +02:00
|
|
|
/* common code for upgrading RAM and caps */
|
|
|
|
|
template <typename QUOTA, typename LIMIT_ACCESSOR>
|
|
|
|
|
void _apply_resource_upgrade(QUOTA &, QUOTA, LIMIT_ACCESSOR const &);
|
|
|
|
|
|
|
|
|
|
template <typename QUOTA, typename CHILD_AVAIL_QUOTA_FN>
|
|
|
|
|
void _apply_resource_downgrade(QUOTA &, QUOTA, QUOTA,
|
|
|
|
|
CHILD_AVAIL_QUOTA_FN const &);
|
|
|
|
|
|
|
|
|
|
void apply_upgrade();
|
|
|
|
|
void apply_downgrade();
|
2017-03-06 15:19:35 +01:00
|
|
|
|
2018-11-14 16:19:30 +01:00
|
|
|
void heartbeat()
|
|
|
|
|
{
|
2018-12-18 14:35:14 +01:00
|
|
|
if (_heartbeat_expected())
|
2018-11-14 16:19:30 +01:00
|
|
|
_child.heartbeat();
|
2018-12-18 14:35:14 +01:00
|
|
|
|
|
|
|
|
unsigned const skipped_heartbeats = _child.skipped_heartbeats();
|
|
|
|
|
|
|
|
|
|
if (_last_skipped_heartbeats != skipped_heartbeats)
|
|
|
|
|
_report_update_trigger.trigger_report_update();
|
|
|
|
|
|
|
|
|
|
_last_skipped_heartbeats = skipped_heartbeats;
|
|
|
|
|
|
2018-11-14 16:19:30 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
unsigned skipped_heartbeats() const
|
|
|
|
|
{
|
2018-12-18 14:35:14 +01:00
|
|
|
return _heartbeat_expected() ? _child.skipped_heartbeats() : 0;
|
2018-11-14 16:19:30 +01:00
|
|
|
}
|
|
|
|
|
|
2017-03-03 16:57:41 +01:00
|
|
|
void report_state(Xml_generator &xml, Report_detail const &detail) const;
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
/****************************
|
|
|
|
|
** Child-policy interface **
|
|
|
|
|
****************************/
|
|
|
|
|
|
|
|
|
|
Child_policy::Name name() const override { return _unique_name; }
|
|
|
|
|
|
Capability quota accounting and trading
This patch mirrors the accounting and trading scheme that Genode employs
for physical memory to the accounting of capability allocations.
Capability quotas must now be explicitly assigned to subsystems by
specifying a 'caps=<amount>' attribute to init's start nodes.
Analogously to RAM quotas, cap quotas can be traded between clients and
servers as part of the session protocol. The capability budget of each
component is maintained by the component's corresponding PD session at
core.
At the current stage, the accounting is applied to RPC capabilities,
signal-context capabilities, and dataspace capabilities. Capabilities
that are dynamically allocated via core's CPU and TRACE service are not
yet covered. Also, the capabilities allocated by resource multiplexers
outside of core (like nitpicker) must be accounted by the respective
servers, which is not covered yet.
If a component runs out of capabilities, core's PD service prints a
warning to the log. To observe the consumption of capabilities per
component in detail, the PD service is equipped with a diagnostic
mode, which can be enabled via the 'diag' attribute in the target
node of init's routing rules. E.g., the following route enables the
diagnostic mode for the PD session of the "timer" component:
<default-route>
<service name="PD" unscoped_label="timer">
<parent diag="yes"/>
</service>
...
</default-route>
For subsystems based on a sub-init instance, init can be configured
to report the capability-quota information of its subsystems by
adding the attribute 'child_caps="yes"' to init's '<report>'
config node. Init's own capability quota can be reported by adding
the attribute 'init_caps="yes"'.
Fixes #2398
2017-05-08 21:35:43 +02:00
|
|
|
Pd_session &ref_pd() override { return _env.pd(); }
|
|
|
|
|
Pd_session_capability ref_pd_cap() const override { return _env.pd_session_cap(); }
|
|
|
|
|
|
|
|
|
|
void init(Pd_session &, Pd_session_capability) override;
|
2017-03-03 16:57:41 +01:00
|
|
|
void init(Cpu_session &, Cpu_session_capability) override;
|
|
|
|
|
|
|
|
|
|
Id_space<Parent::Server> &server_id_space() override {
|
|
|
|
|
return _session_requester.id_space(); }
|
|
|
|
|
|
|
|
|
|
Route resolve_session_request(Service::Name const &,
|
|
|
|
|
Session_label const &) override;
|
|
|
|
|
|
|
|
|
|
void filter_session_args(Service::Name const &, char *, size_t) override;
|
|
|
|
|
Affinity filter_session_affinity(Affinity const &) override;
|
|
|
|
|
void announce_service(Service::Name const &) override;
|
|
|
|
|
void resource_request(Parent::Resource_args const &) override;
|
|
|
|
|
|
|
|
|
|
void exit(int exit_value) override
|
|
|
|
|
{
|
|
|
|
|
try {
|
|
|
|
|
if (_start_node->xml().sub_node("exit").attribute_value("propagate", false)) {
|
|
|
|
|
_env.parent().exit(exit_value);
|
|
|
|
|
return;
|
|
|
|
|
}
|
|
|
|
|
} catch (...) { }
|
|
|
|
|
|
2017-10-26 16:04:58 +02:00
|
|
|
/*
|
|
|
|
|
* Trigger a new report for exited children so that any management
|
|
|
|
|
* component may react upon it.
|
|
|
|
|
*/
|
|
|
|
|
_exited = true;
|
|
|
|
|
_exit_value = exit_value;
|
2018-01-12 14:10:47 +01:00
|
|
|
|
|
|
|
|
_child.close_all_sessions();
|
|
|
|
|
|
2017-10-26 16:04:58 +02:00
|
|
|
_report_update_trigger.trigger_report_update();
|
|
|
|
|
|
2017-03-03 16:57:41 +01:00
|
|
|
/*
|
|
|
|
|
* Print a message as the exit is not handled otherwise. There are
|
|
|
|
|
* a number of automated tests that rely on this message. It is
|
|
|
|
|
* printed by the default implementation of 'Child_policy::exit'.
|
|
|
|
|
*/
|
|
|
|
|
Child_policy::exit(exit_value);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
void session_state_changed() override
|
|
|
|
|
{
|
|
|
|
|
_report_update_trigger.trigger_report_update();
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
bool initiate_env_sessions() const override { return false; }
|
2017-03-06 15:19:35 +01:00
|
|
|
|
|
|
|
|
void yield_response() override
|
|
|
|
|
{
|
2018-06-04 15:49:29 +02:00
|
|
|
apply_downgrade();
|
2017-03-06 15:19:35 +01:00
|
|
|
_report_update_trigger.trigger_report_update();
|
|
|
|
|
}
|
2017-03-03 16:57:41 +01:00
|
|
|
};
|
|
|
|
|
|
|
|
|
|
#endif /* _SRC__INIT__CHILD_H_ */
|
