2011-12-22 16:19:25 +01:00
|
|
|
/*
|
2012-04-17 18:46:14 +02:00
|
|
|
* \brief Loader service
|
|
|
|
* \author Norman Feske
|
|
|
|
* \date 2012-04-17
|
2011-12-22 16:19:25 +01:00
|
|
|
*/
|
|
|
|
|
|
|
|
/*
|
2017-01-13 15:20:30 +01:00
|
|
|
* Copyright (C) 2010-2017 Genode Labs GmbH
|
2011-12-22 16:19:25 +01:00
|
|
|
*
|
|
|
|
* This file is part of the Genode OS framework, which is distributed
|
2017-02-20 13:23:52 +01:00
|
|
|
* under the terms of the GNU Affero General Public License version 3.
|
2011-12-22 16:19:25 +01:00
|
|
|
*/
|
|
|
|
|
|
|
|
/* Genode includes */
|
2016-11-06 14:27:26 +01:00
|
|
|
#include <base/component.h>
|
2012-05-02 14:42:47 +02:00
|
|
|
#include <base/heap.h>
|
2011-12-22 16:19:25 +01:00
|
|
|
#include <base/sleep.h>
|
2012-04-17 18:46:14 +02:00
|
|
|
#include <loader_session/loader_session.h>
|
|
|
|
#include <root/component.h>
|
2016-11-06 14:27:26 +01:00
|
|
|
#include <os/session_policy.h>
|
2011-12-22 16:19:25 +01:00
|
|
|
|
|
|
|
/* local includes */
|
2012-04-17 18:46:14 +02:00
|
|
|
#include <child.h>
|
|
|
|
#include <nitpicker.h>
|
|
|
|
#include <rom.h>
|
|
|
|
|
|
|
|
|
|
|
|
namespace Loader {
|
|
|
|
|
|
|
|
using namespace Genode;
|
|
|
|
|
2014-06-30 17:47:43 +02:00
|
|
|
class Session_component;
|
|
|
|
class Root;
|
|
|
|
}
|
2012-04-17 18:46:14 +02:00
|
|
|
|
|
|
|
|
2014-06-30 17:47:43 +02:00
|
|
|
class Loader::Session_component : public Rpc_object<Session>
|
|
|
|
{
|
|
|
|
private:
|
|
|
|
|
2016-11-06 14:27:26 +01:00
|
|
|
struct Local_rom_factory : Local_service<Rom_session_component>::Factory
|
2014-06-30 17:47:43 +02:00
|
|
|
{
|
2016-11-06 14:27:26 +01:00
|
|
|
Entrypoint &_ep;
|
2014-06-30 17:47:43 +02:00
|
|
|
Allocator &_md_alloc;
|
|
|
|
Rom_module_registry &_rom_modules;
|
2020-02-20 15:47:08 +01:00
|
|
|
Mutex _mutex { };
|
Follow practices suggested by "Effective C++"
The patch adjust the code of the base, base-<kernel>, and os repository.
To adapt existing components to fix violations of the best practices
suggested by "Effective C++" as reported by the -Weffc++ compiler
argument. The changes follow the patterns outlined below:
* A class with virtual functions can no longer publicly inherit base
classed without a vtable. The inherited object may either be moved
to a member variable, or inherited privately. The latter would be
used for classes that inherit 'List::Element' or 'Avl_node'. In order
to enable the 'List' and 'Avl_tree' to access the meta data, the
'List' must become a friend.
* Instead of adding a virtual destructor to abstract base classes,
we inherit the new 'Interface' class, which contains a virtual
destructor. This way, single-line abstract base classes can stay
as compact as they are now. The 'Interface' utility resides in
base/include/util/interface.h.
* With the new warnings enabled, all member variables must be explicitly
initialized. Basic types may be initialized with '='. All other types
are initialized with braces '{ ... }' or as class initializers. If
basic types and non-basic types appear in a row, it is nice to only
use the brace syntax (also for basic types) and align the braces.
* If a class contains pointers as members, it must now also provide a
copy constructor and assignment operator. In the most cases, one
would make them private, effectively disallowing the objects to be
copied. Unfortunately, this warning cannot be fixed be inheriting
our existing 'Noncopyable' class (the compiler fails to detect that
the inheriting class cannot be copied and still gives the error).
For now, we have to manually add declarations for both the copy
constructor and assignment operator as private class members. Those
declarations should be prepended with a comment like this:
/*
* Noncopyable
*/
Thread(Thread const &);
Thread &operator = (Thread const &);
In the future, we should revisit these places and try to replace
the pointers with references. In the presence of at least one
reference member, the compiler would no longer implicitly generate
a copy constructor. So we could remove the manual declaration.
Issue #465
2017-12-21 15:42:15 +01:00
|
|
|
List<Rom_session_component> _rom_sessions { };
|
2014-06-30 17:47:43 +02:00
|
|
|
|
2016-11-06 14:27:26 +01:00
|
|
|
void _close(Rom_session_component &rom)
|
2012-04-17 18:46:14 +02:00
|
|
|
{
|
2016-11-06 14:27:26 +01:00
|
|
|
_rom_sessions.remove(&rom);
|
|
|
|
Genode::destroy(_md_alloc, &rom);
|
2014-06-30 17:47:43 +02:00
|
|
|
}
|
2012-04-17 18:46:14 +02:00
|
|
|
|
2016-11-06 14:27:26 +01:00
|
|
|
Local_rom_factory(Entrypoint &ep,
|
2014-06-30 17:47:43 +02:00
|
|
|
Allocator &md_alloc,
|
|
|
|
Rom_module_registry &rom_modules)
|
|
|
|
:
|
2016-11-06 14:27:26 +01:00
|
|
|
_ep(ep), _md_alloc(md_alloc), _rom_modules(rom_modules)
|
2014-06-30 17:47:43 +02:00
|
|
|
{ }
|
2012-04-17 18:46:14 +02:00
|
|
|
|
2016-11-06 14:27:26 +01:00
|
|
|
~Local_rom_factory()
|
2014-06-30 17:47:43 +02:00
|
|
|
{
|
2020-02-20 15:47:08 +01:00
|
|
|
Mutex::Guard guard(_mutex);
|
2012-04-17 18:46:14 +02:00
|
|
|
|
2016-11-06 14:27:26 +01:00
|
|
|
while (_rom_sessions.first())
|
|
|
|
_close(*_rom_sessions.first());
|
2014-06-30 17:47:43 +02:00
|
|
|
}
|
2012-04-17 18:46:14 +02:00
|
|
|
|
Follow practices suggested by "Effective C++"
The patch adjust the code of the base, base-<kernel>, and os repository.
To adapt existing components to fix violations of the best practices
suggested by "Effective C++" as reported by the -Weffc++ compiler
argument. The changes follow the patterns outlined below:
* A class with virtual functions can no longer publicly inherit base
classed without a vtable. The inherited object may either be moved
to a member variable, or inherited privately. The latter would be
used for classes that inherit 'List::Element' or 'Avl_node'. In order
to enable the 'List' and 'Avl_tree' to access the meta data, the
'List' must become a friend.
* Instead of adding a virtual destructor to abstract base classes,
we inherit the new 'Interface' class, which contains a virtual
destructor. This way, single-line abstract base classes can stay
as compact as they are now. The 'Interface' utility resides in
base/include/util/interface.h.
* With the new warnings enabled, all member variables must be explicitly
initialized. Basic types may be initialized with '='. All other types
are initialized with braces '{ ... }' or as class initializers. If
basic types and non-basic types appear in a row, it is nice to only
use the brace syntax (also for basic types) and align the braces.
* If a class contains pointers as members, it must now also provide a
copy constructor and assignment operator. In the most cases, one
would make them private, effectively disallowing the objects to be
copied. Unfortunately, this warning cannot be fixed be inheriting
our existing 'Noncopyable' class (the compiler fails to detect that
the inheriting class cannot be copied and still gives the error).
For now, we have to manually add declarations for both the copy
constructor and assignment operator as private class members. Those
declarations should be prepended with a comment like this:
/*
* Noncopyable
*/
Thread(Thread const &);
Thread &operator = (Thread const &);
In the future, we should revisit these places and try to replace
the pointers with references. In the presence of at least one
reference member, the compiler would no longer implicitly generate
a copy constructor. So we could remove the manual declaration.
Issue #465
2017-12-21 15:42:15 +01:00
|
|
|
Rom_session_component &create(Args const &args, Affinity) override
|
2014-06-30 17:47:43 +02:00
|
|
|
{
|
|
|
|
/* try to find ROM module at local ROM service */
|
|
|
|
try {
|
2020-02-20 15:47:08 +01:00
|
|
|
Mutex::Guard guard(_mutex);
|
2012-04-17 18:46:14 +02:00
|
|
|
|
2016-11-06 14:27:26 +01:00
|
|
|
Session_label const label = label_from_args(args.string());
|
|
|
|
Session_label const name = label.last_element();
|
2012-04-17 18:46:14 +02:00
|
|
|
|
2016-05-12 14:58:51 +02:00
|
|
|
Rom_module &module = _rom_modules.lookup_and_lock(name.string());
|
2012-04-17 18:46:14 +02:00
|
|
|
|
2016-11-06 14:27:26 +01:00
|
|
|
Rom_session_component *rom = new (_md_alloc)
|
|
|
|
Rom_session_component(_ep, module);
|
2012-04-17 18:46:14 +02:00
|
|
|
|
2014-06-30 17:47:43 +02:00
|
|
|
_rom_sessions.insert(rom);
|
2012-04-17 18:46:14 +02:00
|
|
|
|
2016-11-06 14:27:26 +01:00
|
|
|
return *rom;
|
2012-04-17 18:46:14 +02:00
|
|
|
|
2014-06-30 17:47:43 +02:00
|
|
|
} catch (...) { }
|
2012-04-17 18:46:14 +02:00
|
|
|
|
Streamline exception types
This patch reduces the number of exception types by facilitating
globally defined exceptions for common usage patterns shared by most
services. In particular, RPC functions that demand a session-resource
upgrade not longer reflect this condition via a session-specific
exception but via the 'Out_of_ram' or 'Out_of_caps' types.
Furthermore, the 'Parent::Service_denied', 'Parent::Unavailable',
'Root::Invalid_args', 'Root::Unavailable', 'Service::Invalid_args',
'Service::Unavailable', and 'Local_service::Factory::Denied' types have
been replaced by the single 'Service_denied' exception type defined in
'session/session.h'.
This consolidation eases the error handling (there are fewer exceptions
to handle), alleviates the need to convert exceptions along the
session-creation call chain, and avoids possible aliasing problems
(catching the wrong type with the same name but living in a different
scope).
2017-05-07 22:03:22 +02:00
|
|
|
throw Service_denied();
|
2014-06-30 17:47:43 +02:00
|
|
|
}
|
2012-04-17 18:46:14 +02:00
|
|
|
|
2016-11-06 14:27:26 +01:00
|
|
|
void upgrade(Rom_session_component &, Args const &) override { }
|
|
|
|
|
|
|
|
void destroy(Rom_session_component &session) override
|
2014-06-30 17:47:43 +02:00
|
|
|
{
|
2020-02-20 15:47:08 +01:00
|
|
|
Mutex::Guard guard(_mutex);
|
2012-04-17 18:46:14 +02:00
|
|
|
|
2016-11-06 14:27:26 +01:00
|
|
|
_close(session);
|
2014-06-30 17:47:43 +02:00
|
|
|
}
|
|
|
|
};
|
2013-01-04 15:24:11 +01:00
|
|
|
|
2016-11-06 14:27:26 +01:00
|
|
|
typedef Local_service<Rom_session_component> Local_rom_service;
|
|
|
|
|
2014-06-30 17:47:43 +02:00
|
|
|
/**
|
2016-04-15 15:19:22 +02:00
|
|
|
* Common base class of 'Local_cpu_service' and 'Local_pd_service'
|
2014-06-30 17:47:43 +02:00
|
|
|
*/
|
2016-11-06 14:27:26 +01:00
|
|
|
struct Intercepted_parent_service : Genode::Parent_service
|
2014-06-30 17:47:43 +02:00
|
|
|
{
|
Follow practices suggested by "Effective C++"
The patch adjust the code of the base, base-<kernel>, and os repository.
To adapt existing components to fix violations of the best practices
suggested by "Effective C++" as reported by the -Weffc++ compiler
argument. The changes follow the patterns outlined below:
* A class with virtual functions can no longer publicly inherit base
classed without a vtable. The inherited object may either be moved
to a member variable, or inherited privately. The latter would be
used for classes that inherit 'List::Element' or 'Avl_node'. In order
to enable the 'List' and 'Avl_tree' to access the meta data, the
'List' must become a friend.
* Instead of adding a virtual destructor to abstract base classes,
we inherit the new 'Interface' class, which contains a virtual
destructor. This way, single-line abstract base classes can stay
as compact as they are now. The 'Interface' utility resides in
base/include/util/interface.h.
* With the new warnings enabled, all member variables must be explicitly
initialized. Basic types may be initialized with '='. All other types
are initialized with braces '{ ... }' or as class initializers. If
basic types and non-basic types appear in a row, it is nice to only
use the brace syntax (also for basic types) and align the braces.
* If a class contains pointers as members, it must now also provide a
copy constructor and assignment operator. In the most cases, one
would make them private, effectively disallowing the objects to be
copied. Unfortunately, this warning cannot be fixed be inheriting
our existing 'Noncopyable' class (the compiler fails to detect that
the inheriting class cannot be copied and still gives the error).
For now, we have to manually add declarations for both the copy
constructor and assignment operator as private class members. Those
declarations should be prepended with a comment like this:
/*
* Noncopyable
*/
Thread(Thread const &);
Thread &operator = (Thread const &);
In the future, we should revisit these places and try to replace
the pointers with references. In the presence of at least one
reference member, the compiler would no longer implicitly generate
a copy constructor. So we could remove the manual declaration.
Issue #465
2017-12-21 15:42:15 +01:00
|
|
|
Signal_context_capability fault_sigh { };
|
2013-01-04 15:24:11 +01:00
|
|
|
|
2016-11-06 14:27:26 +01:00
|
|
|
Intercepted_parent_service(Env &env, Service::Name const &name)
|
|
|
|
: Parent_service(env, name) { }
|
2014-06-30 17:47:43 +02:00
|
|
|
};
|
2014-06-04 21:01:18 +02:00
|
|
|
|
2014-06-30 17:47:43 +02:00
|
|
|
/**
|
|
|
|
* Intercept CPU session requests to install default exception
|
|
|
|
* handler
|
|
|
|
*/
|
|
|
|
struct Local_cpu_service : Intercepted_parent_service
|
|
|
|
{
|
2016-11-06 14:27:26 +01:00
|
|
|
Local_cpu_service(Env &env) : Intercepted_parent_service(env, "CPU") { }
|
2012-04-17 18:46:14 +02:00
|
|
|
|
2016-11-06 14:27:26 +01:00
|
|
|
void initiate_request(Session_state &session) override
|
2012-04-17 18:46:14 +02:00
|
|
|
{
|
2016-11-06 14:27:26 +01:00
|
|
|
Intercepted_parent_service::initiate_request(session);
|
2014-11-23 15:48:29 +01:00
|
|
|
|
2016-11-06 14:27:26 +01:00
|
|
|
if (session.phase != Session_state::AVAILABLE)
|
|
|
|
return;
|
|
|
|
|
|
|
|
Cpu_session_client cpu(reinterpret_cap_cast<Cpu_session>(session.cap));
|
|
|
|
cpu.exception_sigh(fault_sigh);
|
2014-11-23 15:48:29 +01:00
|
|
|
}
|
2014-06-30 17:47:43 +02:00
|
|
|
};
|
2012-04-17 18:46:14 +02:00
|
|
|
|
2014-06-30 17:47:43 +02:00
|
|
|
/**
|
2016-04-15 15:19:22 +02:00
|
|
|
* Intercept PD session requests to install default fault handler
|
2014-06-30 17:47:43 +02:00
|
|
|
*/
|
2016-04-15 15:19:22 +02:00
|
|
|
struct Local_pd_service : Intercepted_parent_service
|
2014-06-30 17:47:43 +02:00
|
|
|
{
|
2016-11-06 14:27:26 +01:00
|
|
|
Local_pd_service(Env &env) : Intercepted_parent_service(env, "PD") { }
|
2012-04-17 18:46:14 +02:00
|
|
|
|
2016-11-06 14:27:26 +01:00
|
|
|
void initiate_request(Session_state &session) override
|
2012-04-17 18:46:14 +02:00
|
|
|
{
|
2016-11-06 14:27:26 +01:00
|
|
|
Intercepted_parent_service::initiate_request(session);
|
|
|
|
|
|
|
|
if (session.phase != Session_state::AVAILABLE)
|
|
|
|
return;
|
|
|
|
|
|
|
|
Pd_session_client pd(reinterpret_cap_cast<Pd_session>(session.cap));
|
2016-04-15 15:19:22 +02:00
|
|
|
|
|
|
|
Region_map_client(pd.address_space()).fault_handler(fault_sigh);
|
|
|
|
Region_map_client(pd.stack_area()) .fault_handler(fault_sigh);
|
|
|
|
Region_map_client(pd.linker_area()) .fault_handler(fault_sigh);
|
2012-04-17 18:46:14 +02:00
|
|
|
}
|
2014-06-30 17:47:43 +02:00
|
|
|
};
|
2012-04-17 18:46:14 +02:00
|
|
|
|
2016-11-06 14:27:26 +01:00
|
|
|
struct Local_nitpicker_factory : Local_service<Nitpicker::Session_component>::Factory
|
2014-06-30 17:47:43 +02:00
|
|
|
{
|
2017-05-11 20:03:28 +02:00
|
|
|
Entrypoint &_ep;
|
|
|
|
Env &_env;
|
|
|
|
Region_map &_rm;
|
|
|
|
Ram_allocator &_ram;
|
2012-04-17 18:46:14 +02:00
|
|
|
|
Follow practices suggested by "Effective C++"
The patch adjust the code of the base, base-<kernel>, and os repository.
To adapt existing components to fix violations of the best practices
suggested by "Effective C++" as reported by the -Weffc++ compiler
argument. The changes follow the patterns outlined below:
* A class with virtual functions can no longer publicly inherit base
classed without a vtable. The inherited object may either be moved
to a member variable, or inherited privately. The latter would be
used for classes that inherit 'List::Element' or 'Avl_node'. In order
to enable the 'List' and 'Avl_tree' to access the meta data, the
'List' must become a friend.
* Instead of adding a virtual destructor to abstract base classes,
we inherit the new 'Interface' class, which contains a virtual
destructor. This way, single-line abstract base classes can stay
as compact as they are now. The 'Interface' utility resides in
base/include/util/interface.h.
* With the new warnings enabled, all member variables must be explicitly
initialized. Basic types may be initialized with '='. All other types
are initialized with braces '{ ... }' or as class initializers. If
basic types and non-basic types appear in a row, it is nice to only
use the brace syntax (also for basic types) and align the braces.
* If a class contains pointers as members, it must now also provide a
copy constructor and assignment operator. In the most cases, one
would make them private, effectively disallowing the objects to be
copied. Unfortunately, this warning cannot be fixed be inheriting
our existing 'Noncopyable' class (the compiler fails to detect that
the inheriting class cannot be copied and still gives the error).
For now, we have to manually add declarations for both the copy
constructor and assignment operator as private class members. Those
declarations should be prepended with a comment like this:
/*
* Noncopyable
*/
Thread(Thread const &);
Thread &operator = (Thread const &);
In the future, we should revisit these places and try to replace
the pointers with references. In the presence of at least one
reference member, the compiler would no longer implicitly generate
a copy constructor. So we could remove the manual declaration.
Issue #465
2017-12-21 15:42:15 +01:00
|
|
|
Area _max_size { };
|
|
|
|
Nitpicker::View_capability _parent_view { };
|
2012-04-17 18:46:14 +02:00
|
|
|
|
Follow practices suggested by "Effective C++"
The patch adjust the code of the base, base-<kernel>, and os repository.
To adapt existing components to fix violations of the best practices
suggested by "Effective C++" as reported by the -Weffc++ compiler
argument. The changes follow the patterns outlined below:
* A class with virtual functions can no longer publicly inherit base
classed without a vtable. The inherited object may either be moved
to a member variable, or inherited privately. The latter would be
used for classes that inherit 'List::Element' or 'Avl_node'. In order
to enable the 'List' and 'Avl_tree' to access the meta data, the
'List' must become a friend.
* Instead of adding a virtual destructor to abstract base classes,
we inherit the new 'Interface' class, which contains a virtual
destructor. This way, single-line abstract base classes can stay
as compact as they are now. The 'Interface' utility resides in
base/include/util/interface.h.
* With the new warnings enabled, all member variables must be explicitly
initialized. Basic types may be initialized with '='. All other types
are initialized with braces '{ ... }' or as class initializers. If
basic types and non-basic types appear in a row, it is nice to only
use the brace syntax (also for basic types) and align the braces.
* If a class contains pointers as members, it must now also provide a
copy constructor and assignment operator. In the most cases, one
would make them private, effectively disallowing the objects to be
copied. Unfortunately, this warning cannot be fixed be inheriting
our existing 'Noncopyable' class (the compiler fails to detect that
the inheriting class cannot be copied and still gives the error).
For now, we have to manually add declarations for both the copy
constructor and assignment operator as private class members. Those
declarations should be prepended with a comment like this:
/*
* Noncopyable
*/
Thread(Thread const &);
Thread &operator = (Thread const &);
In the future, we should revisit these places and try to replace
the pointers with references. In the presence of at least one
reference member, the compiler would no longer implicitly generate
a copy constructor. So we could remove the manual declaration.
Issue #465
2017-12-21 15:42:15 +01:00
|
|
|
Signal_context_capability view_ready_sigh { };
|
2012-04-17 18:46:14 +02:00
|
|
|
|
Follow practices suggested by "Effective C++"
The patch adjust the code of the base, base-<kernel>, and os repository.
To adapt existing components to fix violations of the best practices
suggested by "Effective C++" as reported by the -Weffc++ compiler
argument. The changes follow the patterns outlined below:
* A class with virtual functions can no longer publicly inherit base
classed without a vtable. The inherited object may either be moved
to a member variable, or inherited privately. The latter would be
used for classes that inherit 'List::Element' or 'Avl_node'. In order
to enable the 'List' and 'Avl_tree' to access the meta data, the
'List' must become a friend.
* Instead of adding a virtual destructor to abstract base classes,
we inherit the new 'Interface' class, which contains a virtual
destructor. This way, single-line abstract base classes can stay
as compact as they are now. The 'Interface' utility resides in
base/include/util/interface.h.
* With the new warnings enabled, all member variables must be explicitly
initialized. Basic types may be initialized with '='. All other types
are initialized with braces '{ ... }' or as class initializers. If
basic types and non-basic types appear in a row, it is nice to only
use the brace syntax (also for basic types) and align the braces.
* If a class contains pointers as members, it must now also provide a
copy constructor and assignment operator. In the most cases, one
would make them private, effectively disallowing the objects to be
copied. Unfortunately, this warning cannot be fixed be inheriting
our existing 'Noncopyable' class (the compiler fails to detect that
the inheriting class cannot be copied and still gives the error).
For now, we have to manually add declarations for both the copy
constructor and assignment operator as private class members. Those
declarations should be prepended with a comment like this:
/*
* Noncopyable
*/
Thread(Thread const &);
Thread &operator = (Thread const &);
In the future, we should revisit these places and try to replace
the pointers with references. In the presence of at least one
reference member, the compiler would no longer implicitly generate
a copy constructor. So we could remove the manual declaration.
Issue #465
2017-12-21 15:42:15 +01:00
|
|
|
Constructible<Nitpicker::Session_component> session { };
|
2014-06-30 17:47:43 +02:00
|
|
|
|
2017-05-11 20:03:28 +02:00
|
|
|
Local_nitpicker_factory(Entrypoint &ep, Env &env,
|
|
|
|
Region_map &rm, Ram_allocator &ram)
|
2017-01-13 15:20:30 +01:00
|
|
|
: _ep(ep), _env(env), _rm(rm), _ram(ram) { }
|
2012-04-17 18:46:14 +02:00
|
|
|
|
2016-11-06 14:27:26 +01:00
|
|
|
void constrain_geometry(Area size) { _max_size = size; }
|
2012-04-17 18:46:14 +02:00
|
|
|
|
2014-06-04 21:01:18 +02:00
|
|
|
void parent_view(Nitpicker::View_capability view)
|
|
|
|
{
|
2014-06-30 17:47:43 +02:00
|
|
|
_parent_view = view;
|
2014-06-04 21:01:18 +02:00
|
|
|
}
|
|
|
|
|
2016-11-06 14:27:26 +01:00
|
|
|
Nitpicker::Session_component &create(Args const &args, Affinity) override
|
2012-04-17 18:46:14 +02:00
|
|
|
{
|
2016-11-06 14:27:26 +01:00
|
|
|
if (session.constructed()) {
|
|
|
|
warning("attempt to open more than one nitpicker session");
|
Streamline exception types
This patch reduces the number of exception types by facilitating
globally defined exceptions for common usage patterns shared by most
services. In particular, RPC functions that demand a session-resource
upgrade not longer reflect this condition via a session-specific
exception but via the 'Out_of_ram' or 'Out_of_caps' types.
Furthermore, the 'Parent::Service_denied', 'Parent::Unavailable',
'Root::Invalid_args', 'Root::Unavailable', 'Service::Invalid_args',
'Service::Unavailable', and 'Local_service::Factory::Denied' types have
been replaced by the single 'Service_denied' exception type defined in
'session/session.h'.
This consolidation eases the error handling (there are fewer exceptions
to handle), alleviates the need to convert exceptions along the
session-creation call chain, and avoids possible aliasing problems
(catching the wrong type with the same name but living in a different
scope).
2017-05-07 22:03:22 +02:00
|
|
|
throw Service_denied();
|
2016-11-06 14:27:26 +01:00
|
|
|
}
|
|
|
|
|
2017-01-13 15:20:30 +01:00
|
|
|
session.construct(_ep, _env, _rm, _ram, _max_size,
|
2016-11-06 14:27:26 +01:00
|
|
|
_parent_view, view_ready_sigh, args.string());
|
|
|
|
return *session;
|
2012-04-17 18:46:14 +02:00
|
|
|
}
|
|
|
|
|
2016-11-06 14:27:26 +01:00
|
|
|
void upgrade(Nitpicker::Session_component &, Args const &) override { }
|
|
|
|
void destroy(Nitpicker::Session_component &) override { }
|
2014-06-30 17:47:43 +02:00
|
|
|
};
|
|
|
|
|
2016-11-06 14:27:26 +01:00
|
|
|
typedef Local_service<Nitpicker::Session_component> Local_nitpicker_service;
|
|
|
|
|
2014-06-30 17:47:43 +02:00
|
|
|
enum { STACK_SIZE = 2*4096 };
|
|
|
|
|
2016-11-06 14:27:26 +01:00
|
|
|
Env &_env;
|
|
|
|
Session_label const _label;
|
|
|
|
Xml_node const _config;
|
Capability quota accounting and trading
This patch mirrors the accounting and trading scheme that Genode employs
for physical memory to the accounting of capability allocations.
Capability quotas must now be explicitly assigned to subsystems by
specifying a 'caps=<amount>' attribute to init's start nodes.
Analogously to RAM quotas, cap quotas can be traded between clients and
servers as part of the session protocol. The capability budget of each
component is maintained by the component's corresponding PD session at
core.
At the current stage, the accounting is applied to RPC capabilities,
signal-context capabilities, and dataspace capabilities. Capabilities
that are dynamically allocated via core's CPU and TRACE service are not
yet covered. Also, the capabilities allocated by resource multiplexers
outside of core (like nitpicker) must be accounted by the respective
servers, which is not covered yet.
If a component runs out of capabilities, core's PD service prints a
warning to the log. To observe the consumption of capabilities per
component in detail, the PD service is equipped with a diagnostic
mode, which can be enabled via the 'diag' attribute in the target
node of init's routing rules. E.g., the following route enables the
diagnostic mode for the PD session of the "timer" component:
<default-route>
<service name="PD" unscoped_label="timer">
<parent diag="yes"/>
</service>
...
</default-route>
For subsystems based on a sub-init instance, init can be configured
to report the capability-quota information of its subsystems by
adding the attribute 'child_caps="yes"' to init's '<report>'
config node. Init's own capability quota can be reported by adding
the attribute 'init_caps="yes"'.
Fixes #2398
2017-05-08 21:35:43 +02:00
|
|
|
Cap_quota const _cap_quota;
|
2017-05-08 01:33:40 +02:00
|
|
|
Ram_quota const _ram_quota;
|
2019-01-21 10:48:39 +01:00
|
|
|
Cap_quota_guard _cap_guard { _cap_quota };
|
|
|
|
Ram_quota_guard _ram_guard { _ram_quota };
|
|
|
|
Constrained_ram_allocator _local_ram { _env.ram(), _ram_guard, _cap_guard };
|
2016-11-06 14:27:26 +01:00
|
|
|
Heap _md_alloc { _local_ram, _env.rm() };
|
Capability quota accounting and trading
This patch mirrors the accounting and trading scheme that Genode employs
for physical memory to the accounting of capability allocations.
Capability quotas must now be explicitly assigned to subsystems by
specifying a 'caps=<amount>' attribute to init's start nodes.
Analogously to RAM quotas, cap quotas can be traded between clients and
servers as part of the session protocol. The capability budget of each
component is maintained by the component's corresponding PD session at
core.
At the current stage, the accounting is applied to RPC capabilities,
signal-context capabilities, and dataspace capabilities. Capabilities
that are dynamically allocated via core's CPU and TRACE service are not
yet covered. Also, the capabilities allocated by resource multiplexers
outside of core (like nitpicker) must be accounted by the respective
servers, which is not covered yet.
If a component runs out of capabilities, core's PD service prints a
warning to the log. To observe the consumption of capabilities per
component in detail, the PD service is equipped with a diagnostic
mode, which can be enabled via the 'diag' attribute in the target
node of init's routing rules. E.g., the following route enables the
diagnostic mode for the PD session of the "timer" component:
<default-route>
<service name="PD" unscoped_label="timer">
<parent diag="yes"/>
</service>
...
</default-route>
For subsystems based on a sub-init instance, init can be configured
to report the capability-quota information of its subsystems by
adding the attribute 'child_caps="yes"' to init's '<report>'
config node. Init's own capability quota can be reported by adding
the attribute 'init_caps="yes"'.
Fixes #2398
2017-05-08 21:35:43 +02:00
|
|
|
size_t _subsystem_cap_quota_limit = 0;
|
2016-11-06 14:27:26 +01:00
|
|
|
size_t _subsystem_ram_quota_limit = 0;
|
Follow practices suggested by "Effective C++"
The patch adjust the code of the base, base-<kernel>, and os repository.
To adapt existing components to fix violations of the best practices
suggested by "Effective C++" as reported by the -Weffc++ compiler
argument. The changes follow the patterns outlined below:
* A class with virtual functions can no longer publicly inherit base
classed without a vtable. The inherited object may either be moved
to a member variable, or inherited privately. The latter would be
used for classes that inherit 'List::Element' or 'Avl_node'. In order
to enable the 'List' and 'Avl_tree' to access the meta data, the
'List' must become a friend.
* Instead of adding a virtual destructor to abstract base classes,
we inherit the new 'Interface' class, which contains a virtual
destructor. This way, single-line abstract base classes can stay
as compact as they are now. The 'Interface' utility resides in
base/include/util/interface.h.
* With the new warnings enabled, all member variables must be explicitly
initialized. Basic types may be initialized with '='. All other types
are initialized with braces '{ ... }' or as class initializers. If
basic types and non-basic types appear in a row, it is nice to only
use the brace syntax (also for basic types) and align the braces.
* If a class contains pointers as members, it must now also provide a
copy constructor and assignment operator. In the most cases, one
would make them private, effectively disallowing the objects to be
copied. Unfortunately, this warning cannot be fixed be inheriting
our existing 'Noncopyable' class (the compiler fails to detect that
the inheriting class cannot be copied and still gives the error).
For now, we have to manually add declarations for both the copy
constructor and assignment operator as private class members. Those
declarations should be prepended with a comment like this:
/*
* Noncopyable
*/
Thread(Thread const &);
Thread &operator = (Thread const &);
In the future, we should revisit these places and try to replace
the pointers with references. In the presence of at least one
reference member, the compiler would no longer implicitly generate
a copy constructor. So we could remove the manual declaration.
Issue #465
2017-12-21 15:42:15 +01:00
|
|
|
Parent_services _parent_services { };
|
2016-11-06 14:27:26 +01:00
|
|
|
Rom_module_registry _rom_modules { _env, _config, _local_ram, _md_alloc };
|
|
|
|
Local_rom_factory _rom_factory { _env.ep(), _md_alloc, _rom_modules };
|
|
|
|
Local_rom_service _rom_service { _rom_factory };
|
|
|
|
Local_cpu_service _cpu_service { _env };
|
|
|
|
Local_pd_service _pd_service { _env };
|
2017-01-13 15:20:30 +01:00
|
|
|
Local_nitpicker_factory _nitpicker_factory { _env.ep(), _env, _env.rm(), _local_ram };
|
2016-11-06 14:27:26 +01:00
|
|
|
Local_nitpicker_service _nitpicker_service { _nitpicker_factory };
|
Follow practices suggested by "Effective C++"
The patch adjust the code of the base, base-<kernel>, and os repository.
To adapt existing components to fix violations of the best practices
suggested by "Effective C++" as reported by the -Weffc++ compiler
argument. The changes follow the patterns outlined below:
* A class with virtual functions can no longer publicly inherit base
classed without a vtable. The inherited object may either be moved
to a member variable, or inherited privately. The latter would be
used for classes that inherit 'List::Element' or 'Avl_node'. In order
to enable the 'List' and 'Avl_tree' to access the meta data, the
'List' must become a friend.
* Instead of adding a virtual destructor to abstract base classes,
we inherit the new 'Interface' class, which contains a virtual
destructor. This way, single-line abstract base classes can stay
as compact as they are now. The 'Interface' utility resides in
base/include/util/interface.h.
* With the new warnings enabled, all member variables must be explicitly
initialized. Basic types may be initialized with '='. All other types
are initialized with braces '{ ... }' or as class initializers. If
basic types and non-basic types appear in a row, it is nice to only
use the brace syntax (also for basic types) and align the braces.
* If a class contains pointers as members, it must now also provide a
copy constructor and assignment operator. In the most cases, one
would make them private, effectively disallowing the objects to be
copied. Unfortunately, this warning cannot be fixed be inheriting
our existing 'Noncopyable' class (the compiler fails to detect that
the inheriting class cannot be copied and still gives the error).
For now, we have to manually add declarations for both the copy
constructor and assignment operator as private class members. Those
declarations should be prepended with a comment like this:
/*
* Noncopyable
*/
Thread(Thread const &);
Thread &operator = (Thread const &);
In the future, we should revisit these places and try to replace
the pointers with references. In the presence of at least one
reference member, the compiler would no longer implicitly generate
a copy constructor. So we could remove the manual declaration.
Issue #465
2017-12-21 15:42:15 +01:00
|
|
|
Signal_context_capability _fault_sigh { };
|
|
|
|
Constructible<Child> _child { };
|
2014-06-30 17:47:43 +02:00
|
|
|
|
|
|
|
/**
|
|
|
|
* Return virtual nitpicker session component
|
|
|
|
*/
|
2016-11-06 14:27:26 +01:00
|
|
|
Nitpicker::Session_component &_virtual_nitpicker_session()
|
|
|
|
{
|
|
|
|
if (!_nitpicker_factory.session.constructed())
|
|
|
|
throw View_does_not_exist();
|
|
|
|
|
|
|
|
return *_nitpicker_factory.session;
|
|
|
|
}
|
|
|
|
|
|
|
|
Nitpicker::Session_component const &_virtual_nitpicker_session() const
|
2014-06-30 17:47:43 +02:00
|
|
|
{
|
2016-11-06 14:27:26 +01:00
|
|
|
if (!_nitpicker_factory.session.constructed())
|
2014-06-30 17:47:43 +02:00
|
|
|
throw View_does_not_exist();
|
|
|
|
|
2016-11-06 14:27:26 +01:00
|
|
|
return *_nitpicker_factory.session;
|
2014-06-30 17:47:43 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
public:
|
|
|
|
|
|
|
|
/**
|
|
|
|
* Constructor
|
|
|
|
*/
|
Capability quota accounting and trading
This patch mirrors the accounting and trading scheme that Genode employs
for physical memory to the accounting of capability allocations.
Capability quotas must now be explicitly assigned to subsystems by
specifying a 'caps=<amount>' attribute to init's start nodes.
Analogously to RAM quotas, cap quotas can be traded between clients and
servers as part of the session protocol. The capability budget of each
component is maintained by the component's corresponding PD session at
core.
At the current stage, the accounting is applied to RPC capabilities,
signal-context capabilities, and dataspace capabilities. Capabilities
that are dynamically allocated via core's CPU and TRACE service are not
yet covered. Also, the capabilities allocated by resource multiplexers
outside of core (like nitpicker) must be accounted by the respective
servers, which is not covered yet.
If a component runs out of capabilities, core's PD service prints a
warning to the log. To observe the consumption of capabilities per
component in detail, the PD service is equipped with a diagnostic
mode, which can be enabled via the 'diag' attribute in the target
node of init's routing rules. E.g., the following route enables the
diagnostic mode for the PD session of the "timer" component:
<default-route>
<service name="PD" unscoped_label="timer">
<parent diag="yes"/>
</service>
...
</default-route>
For subsystems based on a sub-init instance, init can be configured
to report the capability-quota information of its subsystems by
adding the attribute 'child_caps="yes"' to init's '<report>'
config node. Init's own capability quota can be reported by adding
the attribute 'init_caps="yes"'.
Fixes #2398
2017-05-08 21:35:43 +02:00
|
|
|
Session_component(Env &env, Session_label const &label, Xml_node config,
|
|
|
|
Cap_quota cap_quota, Ram_quota ram_quota)
|
2014-06-30 17:47:43 +02:00
|
|
|
:
|
Capability quota accounting and trading
This patch mirrors the accounting and trading scheme that Genode employs
for physical memory to the accounting of capability allocations.
Capability quotas must now be explicitly assigned to subsystems by
specifying a 'caps=<amount>' attribute to init's start nodes.
Analogously to RAM quotas, cap quotas can be traded between clients and
servers as part of the session protocol. The capability budget of each
component is maintained by the component's corresponding PD session at
core.
At the current stage, the accounting is applied to RPC capabilities,
signal-context capabilities, and dataspace capabilities. Capabilities
that are dynamically allocated via core's CPU and TRACE service are not
yet covered. Also, the capabilities allocated by resource multiplexers
outside of core (like nitpicker) must be accounted by the respective
servers, which is not covered yet.
If a component runs out of capabilities, core's PD service prints a
warning to the log. To observe the consumption of capabilities per
component in detail, the PD service is equipped with a diagnostic
mode, which can be enabled via the 'diag' attribute in the target
node of init's routing rules. E.g., the following route enables the
diagnostic mode for the PD session of the "timer" component:
<default-route>
<service name="PD" unscoped_label="timer">
<parent diag="yes"/>
</service>
...
</default-route>
For subsystems based on a sub-init instance, init can be configured
to report the capability-quota information of its subsystems by
adding the attribute 'child_caps="yes"' to init's '<report>'
config node. Init's own capability quota can be reported by adding
the attribute 'init_caps="yes"'.
Fixes #2398
2017-05-08 21:35:43 +02:00
|
|
|
_env(env), _label(label), _config(config),
|
|
|
|
_cap_quota(cap_quota), _ram_quota(ram_quota)
|
2016-11-06 14:27:26 +01:00
|
|
|
{
|
|
|
|
/* fetch all parent-provided ROMs according to the config */
|
|
|
|
config.for_each_sub_node("parent-rom", [&] (Xml_node rom)
|
|
|
|
{
|
|
|
|
typedef Rom_module::Name Name;
|
|
|
|
Name name = rom.attribute_value("name", Name());
|
|
|
|
_rom_modules.fetch_parent_rom_module(name);
|
|
|
|
});
|
|
|
|
}
|
2014-06-30 17:47:43 +02:00
|
|
|
|
|
|
|
~Session_component()
|
|
|
|
{
|
2016-11-06 14:27:26 +01:00
|
|
|
_child.destruct();
|
2014-06-30 17:47:43 +02:00
|
|
|
|
|
|
|
/*
|
|
|
|
* The parent-service registry is populated by the 'Child'
|
|
|
|
* on demand. Revert those allocations.
|
|
|
|
*/
|
2016-11-06 14:27:26 +01:00
|
|
|
_parent_services.for_each([&] (Parent_service &service) {
|
2017-01-04 15:05:37 +01:00
|
|
|
destroy(_md_alloc, &service); });
|
2014-06-30 17:47:43 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
/******************************
|
|
|
|
** Loader session interface **
|
|
|
|
******************************/
|
|
|
|
|
|
|
|
Dataspace_capability alloc_rom_module(Name const &name, size_t size) override
|
|
|
|
{
|
|
|
|
return _rom_modules.alloc_rom_module(name.string(), size);
|
|
|
|
}
|
|
|
|
|
|
|
|
void commit_rom_module(Name const &name) override
|
|
|
|
{
|
|
|
|
try {
|
|
|
|
_rom_modules.commit_rom_module(name.string()); }
|
|
|
|
catch (Rom_module_registry::Lookup_failed) {
|
|
|
|
throw Rom_module_does_not_exist(); }
|
|
|
|
}
|
|
|
|
|
Capability quota accounting and trading
This patch mirrors the accounting and trading scheme that Genode employs
for physical memory to the accounting of capability allocations.
Capability quotas must now be explicitly assigned to subsystems by
specifying a 'caps=<amount>' attribute to init's start nodes.
Analogously to RAM quotas, cap quotas can be traded between clients and
servers as part of the session protocol. The capability budget of each
component is maintained by the component's corresponding PD session at
core.
At the current stage, the accounting is applied to RPC capabilities,
signal-context capabilities, and dataspace capabilities. Capabilities
that are dynamically allocated via core's CPU and TRACE service are not
yet covered. Also, the capabilities allocated by resource multiplexers
outside of core (like nitpicker) must be accounted by the respective
servers, which is not covered yet.
If a component runs out of capabilities, core's PD service prints a
warning to the log. To observe the consumption of capabilities per
component in detail, the PD service is equipped with a diagnostic
mode, which can be enabled via the 'diag' attribute in the target
node of init's routing rules. E.g., the following route enables the
diagnostic mode for the PD session of the "timer" component:
<default-route>
<service name="PD" unscoped_label="timer">
<parent diag="yes"/>
</service>
...
</default-route>
For subsystems based on a sub-init instance, init can be configured
to report the capability-quota information of its subsystems by
adding the attribute 'child_caps="yes"' to init's '<report>'
config node. Init's own capability quota can be reported by adding
the attribute 'init_caps="yes"'.
Fixes #2398
2017-05-08 21:35:43 +02:00
|
|
|
void cap_quota(Cap_quota caps) override
|
|
|
|
{
|
|
|
|
_subsystem_cap_quota_limit = caps.value;
|
|
|
|
}
|
|
|
|
|
2017-05-08 01:33:40 +02:00
|
|
|
void ram_quota(Ram_quota quantum) override
|
2014-06-30 17:47:43 +02:00
|
|
|
{
|
2017-05-08 01:33:40 +02:00
|
|
|
_subsystem_ram_quota_limit = quantum.value;
|
2014-06-30 17:47:43 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
void constrain_geometry(Area size) override
|
|
|
|
{
|
2016-11-06 14:27:26 +01:00
|
|
|
_nitpicker_factory.constrain_geometry(size);
|
2014-06-30 17:47:43 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
void parent_view(Nitpicker::View_capability view) override
|
|
|
|
{
|
2016-11-06 14:27:26 +01:00
|
|
|
_nitpicker_factory.parent_view(view);
|
2014-06-30 17:47:43 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
void view_ready_sigh(Signal_context_capability sigh) override
|
|
|
|
{
|
2016-11-06 14:27:26 +01:00
|
|
|
_nitpicker_factory.view_ready_sigh = sigh;
|
2014-06-30 17:47:43 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
void fault_sigh(Signal_context_capability sigh) override
|
|
|
|
{
|
|
|
|
/*
|
|
|
|
* CPU exception handler for CPU sessions originating from the
|
|
|
|
* subsystem.
|
|
|
|
*/
|
|
|
|
_cpu_service.fault_sigh = sigh;
|
2013-01-04 15:24:11 +01:00
|
|
|
|
2014-06-30 17:47:43 +02:00
|
|
|
/*
|
2016-04-15 15:19:22 +02:00
|
|
|
* Region-map fault handler for PD sessions originating from the
|
2014-06-30 17:47:43 +02:00
|
|
|
* subsystem.
|
|
|
|
*/
|
2016-04-15 15:19:22 +02:00
|
|
|
_pd_service.fault_sigh = sigh;
|
2012-04-17 18:46:14 +02:00
|
|
|
|
2014-06-30 17:47:43 +02:00
|
|
|
/*
|
|
|
|
* CPU exception and RM fault handler for the immediate child.
|
|
|
|
*/
|
|
|
|
_fault_sigh = sigh;
|
|
|
|
}
|
|
|
|
|
2016-03-08 15:58:05 +01:00
|
|
|
void start(Name const &binary_name, Name const &label) override
|
2014-06-30 17:47:43 +02:00
|
|
|
{
|
2016-11-06 14:27:26 +01:00
|
|
|
if (_child.constructed()) {
|
|
|
|
warning("cannot start subsystem twice");
|
2014-06-30 17:47:43 +02:00
|
|
|
return;
|
2012-04-17 18:46:14 +02:00
|
|
|
}
|
|
|
|
|
Capability quota accounting and trading
This patch mirrors the accounting and trading scheme that Genode employs
for physical memory to the accounting of capability allocations.
Capability quotas must now be explicitly assigned to subsystems by
specifying a 'caps=<amount>' attribute to init's start nodes.
Analogously to RAM quotas, cap quotas can be traded between clients and
servers as part of the session protocol. The capability budget of each
component is maintained by the component's corresponding PD session at
core.
At the current stage, the accounting is applied to RPC capabilities,
signal-context capabilities, and dataspace capabilities. Capabilities
that are dynamically allocated via core's CPU and TRACE service are not
yet covered. Also, the capabilities allocated by resource multiplexers
outside of core (like nitpicker) must be accounted by the respective
servers, which is not covered yet.
If a component runs out of capabilities, core's PD service prints a
warning to the log. To observe the consumption of capabilities per
component in detail, the PD service is equipped with a diagnostic
mode, which can be enabled via the 'diag' attribute in the target
node of init's routing rules. E.g., the following route enables the
diagnostic mode for the PD session of the "timer" component:
<default-route>
<service name="PD" unscoped_label="timer">
<parent diag="yes"/>
</service>
...
</default-route>
For subsystems based on a sub-init instance, init can be configured
to report the capability-quota information of its subsystems by
adding the attribute 'child_caps="yes"' to init's '<report>'
config node. Init's own capability quota can be reported by adding
the attribute 'init_caps="yes"'.
Fixes #2398
2017-05-08 21:35:43 +02:00
|
|
|
size_t const cap_quota = (_subsystem_cap_quota_limit > 0)
|
|
|
|
? min(_subsystem_cap_quota_limit, _cap_quota.value)
|
|
|
|
: _cap_quota.value;
|
|
|
|
|
2016-11-06 14:27:26 +01:00
|
|
|
size_t const ram_quota = (_subsystem_ram_quota_limit > 0)
|
2017-05-08 01:33:40 +02:00
|
|
|
? min(_subsystem_ram_quota_limit, _ram_quota.value)
|
|
|
|
: _ram_quota.value;
|
2014-06-30 17:47:43 +02:00
|
|
|
|
|
|
|
try {
|
2017-01-04 15:05:37 +01:00
|
|
|
_child.construct(_env, _md_alloc, binary_name.string(),
|
2016-11-06 14:27:26 +01:00
|
|
|
prefixed_label(_label, Session_label(label.string())),
|
Capability quota accounting and trading
This patch mirrors the accounting and trading scheme that Genode employs
for physical memory to the accounting of capability allocations.
Capability quotas must now be explicitly assigned to subsystems by
specifying a 'caps=<amount>' attribute to init's start nodes.
Analogously to RAM quotas, cap quotas can be traded between clients and
servers as part of the session protocol. The capability budget of each
component is maintained by the component's corresponding PD session at
core.
At the current stage, the accounting is applied to RPC capabilities,
signal-context capabilities, and dataspace capabilities. Capabilities
that are dynamically allocated via core's CPU and TRACE service are not
yet covered. Also, the capabilities allocated by resource multiplexers
outside of core (like nitpicker) must be accounted by the respective
servers, which is not covered yet.
If a component runs out of capabilities, core's PD service prints a
warning to the log. To observe the consumption of capabilities per
component in detail, the PD service is equipped with a diagnostic
mode, which can be enabled via the 'diag' attribute in the target
node of init's routing rules. E.g., the following route enables the
diagnostic mode for the PD session of the "timer" component:
<default-route>
<service name="PD" unscoped_label="timer">
<parent diag="yes"/>
</service>
...
</default-route>
For subsystems based on a sub-init instance, init can be configured
to report the capability-quota information of its subsystems by
adding the attribute 'child_caps="yes"' to init's '<report>'
config node. Init's own capability quota can be reported by adding
the attribute 'init_caps="yes"'.
Fixes #2398
2017-05-08 21:35:43 +02:00
|
|
|
Cap_quota{cap_quota}, Ram_quota{ram_quota},
|
2017-05-08 01:33:40 +02:00
|
|
|
_parent_services, _rom_service,
|
2016-11-06 14:27:26 +01:00
|
|
|
_cpu_service, _pd_service, _nitpicker_service,
|
|
|
|
_fault_sigh);
|
2012-04-17 18:46:14 +02:00
|
|
|
}
|
Streamline exception types
This patch reduces the number of exception types by facilitating
globally defined exceptions for common usage patterns shared by most
services. In particular, RPC functions that demand a session-resource
upgrade not longer reflect this condition via a session-specific
exception but via the 'Out_of_ram' or 'Out_of_caps' types.
Furthermore, the 'Parent::Service_denied', 'Parent::Unavailable',
'Root::Invalid_args', 'Root::Unavailable', 'Service::Invalid_args',
'Service::Unavailable', and 'Local_service::Factory::Denied' types have
been replaced by the single 'Service_denied' exception type defined in
'session/session.h'.
This consolidation eases the error handling (there are fewer exceptions
to handle), alleviates the need to convert exceptions along the
session-creation call chain, and avoids possible aliasing problems
(catching the wrong type with the same name but living in a different
scope).
2017-05-07 22:03:22 +02:00
|
|
|
catch (Genode::Service_denied) {
|
2014-06-30 17:47:43 +02:00
|
|
|
throw Rom_module_does_not_exist(); }
|
|
|
|
}
|
2012-04-17 18:46:14 +02:00
|
|
|
|
2014-06-30 17:47:43 +02:00
|
|
|
void view_geometry(Rect rect, Point offset) override
|
|
|
|
{
|
|
|
|
_virtual_nitpicker_session().loader_view_geometry(rect, offset);
|
|
|
|
}
|
2012-04-17 18:46:14 +02:00
|
|
|
|
2014-06-30 17:47:43 +02:00
|
|
|
Area view_size() const override
|
|
|
|
{
|
|
|
|
return _virtual_nitpicker_session().loader_view_size();
|
|
|
|
}
|
|
|
|
};
|
2012-04-17 18:46:14 +02:00
|
|
|
|
|
|
|
|
2014-06-30 17:47:43 +02:00
|
|
|
class Loader::Root : public Root_component<Session_component>
|
|
|
|
{
|
|
|
|
private:
|
|
|
|
|
2016-11-06 14:27:26 +01:00
|
|
|
Env &_env;
|
|
|
|
Xml_node const _config;
|
2014-06-30 17:47:43 +02:00
|
|
|
|
|
|
|
protected:
|
|
|
|
|
2019-02-14 22:39:08 +01:00
|
|
|
Session_component *_create_session(const char *args) override
|
2014-06-30 17:47:43 +02:00
|
|
|
{
|
2016-11-06 14:27:26 +01:00
|
|
|
Xml_node session_config("<policy/>");
|
|
|
|
|
|
|
|
Session_label const label = label_from_args(args);
|
|
|
|
|
|
|
|
try { session_config = Session_policy(label, _config); }
|
|
|
|
catch (...) { }
|
2014-06-30 17:47:43 +02:00
|
|
|
|
2017-05-08 01:33:40 +02:00
|
|
|
return new (md_alloc()) Session_component(_env, label, session_config,
|
Capability quota accounting and trading
This patch mirrors the accounting and trading scheme that Genode employs
for physical memory to the accounting of capability allocations.
Capability quotas must now be explicitly assigned to subsystems by
specifying a 'caps=<amount>' attribute to init's start nodes.
Analogously to RAM quotas, cap quotas can be traded between clients and
servers as part of the session protocol. The capability budget of each
component is maintained by the component's corresponding PD session at
core.
At the current stage, the accounting is applied to RPC capabilities,
signal-context capabilities, and dataspace capabilities. Capabilities
that are dynamically allocated via core's CPU and TRACE service are not
yet covered. Also, the capabilities allocated by resource multiplexers
outside of core (like nitpicker) must be accounted by the respective
servers, which is not covered yet.
If a component runs out of capabilities, core's PD service prints a
warning to the log. To observe the consumption of capabilities per
component in detail, the PD service is equipped with a diagnostic
mode, which can be enabled via the 'diag' attribute in the target
node of init's routing rules. E.g., the following route enables the
diagnostic mode for the PD session of the "timer" component:
<default-route>
<service name="PD" unscoped_label="timer">
<parent diag="yes"/>
</service>
...
</default-route>
For subsystems based on a sub-init instance, init can be configured
to report the capability-quota information of its subsystems by
adding the attribute 'child_caps="yes"' to init's '<report>'
config node. Init's own capability quota can be reported by adding
the attribute 'init_caps="yes"'.
Fixes #2398
2017-05-08 21:35:43 +02:00
|
|
|
cap_quota_from_args(args),
|
2017-05-08 01:33:40 +02:00
|
|
|
ram_quota_from_args(args));
|
2014-06-30 17:47:43 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
public:
|
|
|
|
|
2016-11-06 14:27:26 +01:00
|
|
|
Root(Env &env, Xml_node config, Allocator &md_alloc)
|
2014-06-30 17:47:43 +02:00
|
|
|
:
|
2016-11-06 14:27:26 +01:00
|
|
|
Root_component<Session_component>(&env.ep().rpc_ep(), &md_alloc),
|
|
|
|
_env(env), _config(config)
|
2014-06-30 17:47:43 +02:00
|
|
|
{ }
|
|
|
|
};
|
2011-12-22 16:19:25 +01:00
|
|
|
|
|
|
|
|
2016-11-06 14:27:26 +01:00
|
|
|
namespace Loader { struct Main; }
|
2016-04-27 16:04:58 +02:00
|
|
|
|
|
|
|
|
2016-11-06 14:27:26 +01:00
|
|
|
struct Loader::Main
|
2011-12-22 16:19:25 +01:00
|
|
|
{
|
2017-01-04 15:05:37 +01:00
|
|
|
Env &_env;
|
2012-04-17 18:46:14 +02:00
|
|
|
|
2017-01-04 15:05:37 +01:00
|
|
|
Heap _heap { _env.ram(), _env.rm() };
|
2011-12-22 16:19:25 +01:00
|
|
|
|
2017-01-04 15:05:37 +01:00
|
|
|
Attached_rom_dataspace _config { _env, "config" };
|
2012-04-17 18:46:14 +02:00
|
|
|
|
2017-01-04 15:05:37 +01:00
|
|
|
Root _root { _env, _config.xml(), _heap };
|
2011-12-22 16:19:25 +01:00
|
|
|
|
2017-01-04 15:05:37 +01:00
|
|
|
Main(Env &env) : _env(env)
|
2016-11-06 14:27:26 +01:00
|
|
|
{
|
2017-01-04 15:05:37 +01:00
|
|
|
_env.parent().announce(_env.ep().manage(_root));
|
2016-11-06 14:27:26 +01:00
|
|
|
}
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
|
|
void Component::construct(Genode::Env &env) { static Loader::Main main(env); }
|