2011-12-22 16:19:25 +01:00
|
|
|
/*
|
|
|
|
* \brief Connection to ROM file service
|
|
|
|
* \author Norman Feske
|
|
|
|
* \date 2008-08-22
|
|
|
|
*/
|
|
|
|
|
|
|
|
/*
|
2017-02-20 13:23:52 +01:00
|
|
|
* Copyright (C) 2008-2017 Genode Labs GmbH
|
2011-12-22 16:19:25 +01:00
|
|
|
*
|
|
|
|
* This file is part of the Genode OS framework, which is distributed
|
2017-02-20 13:23:52 +01:00
|
|
|
* under the terms of the GNU Affero General Public License version 3.
|
2011-12-22 16:19:25 +01:00
|
|
|
*/
|
|
|
|
|
|
|
|
#ifndef _INCLUDE__ROM_SESSION__CONNECTION_H_
|
|
|
|
#define _INCLUDE__ROM_SESSION__CONNECTION_H_
|
|
|
|
|
|
|
|
#include <rom_session/client.h>
|
|
|
|
#include <base/connection.h>
|
2016-05-12 14:58:51 +02:00
|
|
|
#include <base/log.h>
|
2011-12-22 16:19:25 +01:00
|
|
|
|
2015-03-04 21:12:14 +01:00
|
|
|
namespace Genode { class Rom_connection; }
|
|
|
|
|
|
|
|
|
|
|
|
class Genode::Rom_connection : public Connection<Rom_session>,
|
|
|
|
public Rom_session_client
|
|
|
|
{
|
|
|
|
public:
|
2011-12-22 16:19:25 +01:00
|
|
|
|
Capability quota accounting and trading
This patch mirrors the accounting and trading scheme that Genode employs
for physical memory to the accounting of capability allocations.
Capability quotas must now be explicitly assigned to subsystems by
specifying a 'caps=<amount>' attribute to init's start nodes.
Analogously to RAM quotas, cap quotas can be traded between clients and
servers as part of the session protocol. The capability budget of each
component is maintained by the component's corresponding PD session at
core.
At the current stage, the accounting is applied to RPC capabilities,
signal-context capabilities, and dataspace capabilities. Capabilities
that are dynamically allocated via core's CPU and TRACE service are not
yet covered. Also, the capabilities allocated by resource multiplexers
outside of core (like nitpicker) must be accounted by the respective
servers, which is not covered yet.
If a component runs out of capabilities, core's PD service prints a
warning to the log. To observe the consumption of capabilities per
component in detail, the PD service is equipped with a diagnostic
mode, which can be enabled via the 'diag' attribute in the target
node of init's routing rules. E.g., the following route enables the
diagnostic mode for the PD session of the "timer" component:
<default-route>
<service name="PD" unscoped_label="timer">
<parent diag="yes"/>
</service>
...
</default-route>
For subsystems based on a sub-init instance, init can be configured
to report the capability-quota information of its subsystems by
adding the attribute 'child_caps="yes"' to init's '<report>'
config node. Init's own capability quota can be reported by adding
the attribute 'init_caps="yes"'.
Fixes #2398
2017-05-08 21:35:43 +02:00
|
|
|
class Rom_connection_failed : public Parent::Service_denied { };
|
2015-03-04 21:12:14 +01:00
|
|
|
|
base: remove Child::heap
This patch improves the accounting for the backing store of
session-state meta data. Originally, the session state used to be
allocated by a child-local heap partition fed from the child's RAM
session. However, whereas this approach was somehow practical from a
runtime's (parent's) point of view, the child component could not count
on the quota in its own RAM session. I.e., if the Child::heap grew at
the parent side, the child's RAM session would magically diminish. This
caused two problems. First, it violates assumptions of components like
init that carefully manage their RAM resources (and giving most of them
away their children). Second, if a child transfers most of its RAM
session quota to another RAM session (like init does), the child's RAM
session may actually not allow the parent's heap to grow, which is a
very difficult error condition to deal with.
In the new version, there is no Child::heap anymore. Instead, session
states are allocated from the runtime's RAM session. In order to let
children pay for these costs, the parent withdraws the local session
costs from the session quota donated from the child when the child
initiates a new session. Hence, in principle, all components on the
route of the session request take a small bite from the session quota to
pay for their local book keeping
Consequently, the session quota that ends up at the server may become
depleted more or less, depending on the route. In the case where the
remaining quota is insufficient for the server, the server responds with
'QUOTA_EXCEEDED'. Since this behavior must generally be expected, this
patch equips the client-side 'Env::session' implementation with the
ability to re-issue session requests with successively growing quota
donations.
For several of core's services (ROM, IO_MEM, IRQ), the default session
quota has now increased by 2 KiB, which should suffice for session
requests to up to 3 hops as is the common case for most run scripts. For
longer routes, the retry mechanism as described above comes into effect.
For the time being, we give a warning whenever the server-side quota
check triggers the retry mechanism. The warning may eventually be
removed at a later stage.
2017-02-19 10:31:50 +01:00
|
|
|
enum { RAM_QUOTA = 6*1024UL };
|
2016-11-06 14:26:34 +01:00
|
|
|
|
2015-03-04 21:12:14 +01:00
|
|
|
private:
|
|
|
|
|
2016-05-12 14:58:51 +02:00
|
|
|
Rom_session_capability _session(Parent &parent, char const *label)
|
2015-03-04 21:12:14 +01:00
|
|
|
{
|
2017-05-07 22:03:25 +02:00
|
|
|
return session("ram_quota=%ld, cap_quota=%ld, label=\"%s\"",
|
|
|
|
RAM_QUOTA, CAP_QUOTA, label);
|
2015-03-04 21:12:14 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
public:
|
|
|
|
|
|
|
|
/**
|
|
|
|
* Constructor
|
|
|
|
*
|
2016-05-12 14:58:51 +02:00
|
|
|
* \param label request label and name of ROM module
|
2015-03-04 21:12:14 +01:00
|
|
|
*
|
|
|
|
* \throw Rom_connection_failed
|
|
|
|
*/
|
2016-05-12 14:58:51 +02:00
|
|
|
Rom_connection(Env &env, const char *label)
|
2016-11-08 16:37:27 +01:00
|
|
|
try :
|
2016-05-12 14:58:51 +02:00
|
|
|
Connection<Rom_session>(env, _session(env.parent(), label)),
|
2016-05-09 15:55:12 +02:00
|
|
|
Rom_session_client(cap())
|
|
|
|
{ }
|
2016-11-08 16:37:27 +01:00
|
|
|
catch (...) {
|
|
|
|
error("Could not open ROM session for \"", label, "\"");
|
|
|
|
throw Rom_connection_failed();
|
|
|
|
}
|
2016-05-09 15:55:12 +02:00
|
|
|
|
|
|
|
/**
|
|
|
|
* Constructor
|
|
|
|
*
|
|
|
|
* \noapi
|
|
|
|
* \deprecated Use the constructor with 'Env &' as first
|
|
|
|
* argument instead
|
|
|
|
*/
|
2017-01-09 15:18:49 +01:00
|
|
|
Rom_connection(const char *label) __attribute__((deprecated))
|
2016-11-08 16:37:27 +01:00
|
|
|
try :
|
2017-01-09 15:18:49 +01:00
|
|
|
Connection<Rom_session>(_session(*env_deprecated()->parent(), label)),
|
|
|
|
Rom_session_client(cap())
|
|
|
|
{ }
|
|
|
|
catch (...) {
|
|
|
|
error("Could not open ROM session for \"", label, "\"");
|
|
|
|
throw Rom_connection_failed();
|
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
|
|
|
* Constructor
|
|
|
|
*
|
|
|
|
* \noapi
|
|
|
|
* \deprecated Use the constructor with 'Env &' as first
|
|
|
|
* argument instead
|
|
|
|
*
|
|
|
|
* This version is deliberately used by functions that are marked as
|
|
|
|
* deprecated. If such a function called directly the
|
|
|
|
* __attribute__((deprecate)) version, we would always get a warning,
|
|
|
|
* even if the outer deprecated function is not called.
|
|
|
|
*
|
|
|
|
* It will be removed as soon as they are gone.
|
|
|
|
*/
|
|
|
|
Rom_connection(bool, const char *label)
|
|
|
|
try :
|
|
|
|
Connection<Rom_session>(_session(*env_deprecated()->parent(), label)),
|
2015-03-04 21:12:14 +01:00
|
|
|
Rom_session_client(cap())
|
|
|
|
{ }
|
2016-11-08 16:37:27 +01:00
|
|
|
catch (...) {
|
|
|
|
error("Could not open ROM session for \"", label, "\"");
|
|
|
|
throw Rom_connection_failed();
|
|
|
|
}
|
2015-03-04 21:12:14 +01:00
|
|
|
};
|
2011-12-22 16:19:25 +01:00
|
|
|
|
|
|
|
#endif /* _INCLUDE__ROM_SESSION__CONNECTION_H_ */
|