2011-12-22 16:19:25 +01:00
|
|
|
/*
|
|
|
|
|
* \brief Generic root component implementation
|
|
|
|
|
* \author Norman Feske
|
|
|
|
|
* \date 2006-05-22
|
|
|
|
|
*
|
|
|
|
|
* This class is there for your convenience. It performs the common actions
|
|
|
|
|
* that must always be taken when creating a new session.
|
|
|
|
|
*/
|
|
|
|
|
|
|
|
|
|
/*
|
2017-02-20 13:23:52 +01:00
|
|
|
* Copyright (C) 2006-2017 Genode Labs GmbH
|
2011-12-22 16:19:25 +01:00
|
|
|
*
|
|
|
|
|
* This file is part of the Genode OS framework, which is distributed
|
2017-02-20 13:23:52 +01:00
|
|
|
* under the terms of the GNU Affero General Public License version 3.
|
2011-12-22 16:19:25 +01:00
|
|
|
*/
|
|
|
|
|
|
|
|
|
|
#ifndef _INCLUDE__ROOT__COMPONENT_H_
|
|
|
|
|
#define _INCLUDE__ROOT__COMPONENT_H_
|
|
|
|
|
|
|
|
|
|
#include <root/root.h>
|
base: avoid use of deprecated base/printf.h
Besides adapting the components to the use of base/log.h, the patch
cleans up a few base headers, i.e., it removes unused includes from
root/component.h, specifically base/heap.h and
ram_session/ram_session.h. Hence, components that relied on the implicit
inclusion of those headers have to manually include those headers now.
While adjusting the log messages, I repeatedly stumbled over the problem
that printing char * arguments is ambiguous. It is unclear whether to
print the argument as pointer or null-terminated string. To overcome
this problem, the patch introduces a new type 'Cstring' that allows the
caller to express that the argument should be handled as null-terminated
string. As a nice side effect, with this type in place, the optional len
argument of the 'String' class could be removed. Instead of supplying a
pair of (char const *, size_t), the constructor accepts a 'Cstring'.
This, in turn, clears the way let the 'String' constructor use the new
output mechanism to assemble a string from multiple arguments (and
thereby getting rid of snprintf within Genode in the near future).
To enforce the explicit resolution of the char * ambiguity, the 'char *'
overload of the 'print' function is marked as deleted.
Issue #1987
2016-07-13 19:07:09 +02:00
|
|
|
#include <base/allocator.h>
|
2011-12-22 16:19:25 +01:00
|
|
|
#include <base/rpc_server.h>
|
2016-05-20 12:01:50 +02:00
|
|
|
#include <base/entrypoint.h>
|
2016-11-06 14:26:34 +01:00
|
|
|
#include <base/service.h>
|
2011-12-22 16:19:25 +01:00
|
|
|
#include <util/arg_string.h>
|
base: avoid use of deprecated base/printf.h
Besides adapting the components to the use of base/log.h, the patch
cleans up a few base headers, i.e., it removes unused includes from
root/component.h, specifically base/heap.h and
ram_session/ram_session.h. Hence, components that relied on the implicit
inclusion of those headers have to manually include those headers now.
While adjusting the log messages, I repeatedly stumbled over the problem
that printing char * arguments is ambiguous. It is unclear whether to
print the argument as pointer or null-terminated string. To overcome
this problem, the patch introduces a new type 'Cstring' that allows the
caller to express that the argument should be handled as null-terminated
string. As a nice side effect, with this type in place, the optional len
argument of the 'String' class could be removed. Instead of supplying a
pair of (char const *, size_t), the constructor accepts a 'Cstring'.
This, in turn, clears the way let the 'String' constructor use the new
output mechanism to assemble a string from multiple arguments (and
thereby getting rid of snprintf within Genode in the near future).
To enforce the explicit resolution of the char * ambiguity, the 'char *'
overload of the 'print' function is marked as deleted.
Issue #1987
2016-07-13 19:07:09 +02:00
|
|
|
#include <base/log.h>
|
2011-12-22 16:19:25 +01:00
|
|
|
|
|
|
|
|
namespace Genode {
|
|
|
|
|
|
2015-03-04 21:12:14 +01:00
|
|
|
class Single_client;
|
|
|
|
|
class Multiple_clients;
|
|
|
|
|
template <typename, typename POLICY = Multiple_clients> class Root_component;
|
|
|
|
|
}
|
2011-12-22 16:19:25 +01:00
|
|
|
|
|
|
|
|
|
2015-03-04 21:12:14 +01:00
|
|
|
/**
|
|
|
|
|
* Session creation policy for a single-client service
|
|
|
|
|
*/
|
|
|
|
|
class Genode::Single_client
|
|
|
|
|
{
|
|
|
|
|
private:
|
2011-12-22 16:19:25 +01:00
|
|
|
|
2015-03-04 21:12:14 +01:00
|
|
|
bool _used;
|
2011-12-22 16:19:25 +01:00
|
|
|
|
2015-03-04 21:12:14 +01:00
|
|
|
public:
|
2011-12-22 16:19:25 +01:00
|
|
|
|
2015-03-04 21:12:14 +01:00
|
|
|
Single_client() : _used(0) { }
|
2011-12-22 16:19:25 +01:00
|
|
|
|
2015-03-04 21:12:14 +01:00
|
|
|
void aquire(const char *)
|
|
|
|
|
{
|
|
|
|
|
if (_used)
|
Streamline exception types
This patch reduces the number of exception types by facilitating
globally defined exceptions for common usage patterns shared by most
services. In particular, RPC functions that demand a session-resource
upgrade not longer reflect this condition via a session-specific
exception but via the 'Out_of_ram' or 'Out_of_caps' types.
Furthermore, the 'Parent::Service_denied', 'Parent::Unavailable',
'Root::Invalid_args', 'Root::Unavailable', 'Service::Invalid_args',
'Service::Unavailable', and 'Local_service::Factory::Denied' types have
been replaced by the single 'Service_denied' exception type defined in
'session/session.h'.
This consolidation eases the error handling (there are fewer exceptions
to handle), alleviates the need to convert exceptions along the
session-creation call chain, and avoids possible aliasing problems
(catching the wrong type with the same name but living in a different
scope).
2017-05-07 22:03:22 +02:00
|
|
|
throw Service_denied();
|
2011-12-22 16:19:25 +01:00
|
|
|
|
2015-03-04 21:12:14 +01:00
|
|
|
_used = true;
|
|
|
|
|
}
|
2011-12-22 16:19:25 +01:00
|
|
|
|
2015-03-04 21:12:14 +01:00
|
|
|
void release() { _used = false; }
|
|
|
|
|
};
|
2011-12-22 16:19:25 +01:00
|
|
|
|
|
|
|
|
|
2015-03-04 21:12:14 +01:00
|
|
|
/**
|
|
|
|
|
* Session-creation policy for a multi-client service
|
|
|
|
|
*/
|
|
|
|
|
struct Genode::Multiple_clients
|
|
|
|
|
{
|
|
|
|
|
void aquire(const char *) { }
|
|
|
|
|
void release() { }
|
|
|
|
|
};
|
2011-12-22 16:19:25 +01:00
|
|
|
|
|
|
|
|
|
2015-03-04 21:12:14 +01:00
|
|
|
/**
|
|
|
|
|
* Template for implementing the root interface
|
|
|
|
|
*
|
|
|
|
|
* \param SESSION_TYPE session-component type to manage,
|
|
|
|
|
* derived from 'Rpc_object'
|
|
|
|
|
* \param POLICY session-creation policy
|
|
|
|
|
*
|
|
|
|
|
* The 'POLICY' template parameter allows for constraining the session
|
|
|
|
|
* creation to only one instance at a time (using the 'Single_session'
|
|
|
|
|
* policy) or multiple instances (using the 'Multiple_sessions' policy).
|
|
|
|
|
*
|
2015-03-20 17:50:41 +01:00
|
|
|
* The 'POLICY' class must provide the following two methods:
|
2015-03-04 21:12:14 +01:00
|
|
|
*
|
2015-05-13 22:11:46 +02:00
|
|
|
* 'aquire(const char *args)' is called with the session arguments
|
|
|
|
|
* at creation time of each new session. It can therefore implement
|
|
|
|
|
* a session-creation policy taking session arguments into account.
|
|
|
|
|
* If the policy denies the creation of a new session, it throws
|
|
|
|
|
* one of the exceptions defined in the 'Root' interface.
|
2015-03-04 21:12:14 +01:00
|
|
|
*
|
2015-05-13 22:11:46 +02:00
|
|
|
* 'release' is called at the destruction time of a session. It enables
|
|
|
|
|
* the policy to keep track of and impose restrictions on the number
|
|
|
|
|
* of existing sessions.
|
2015-03-04 21:12:14 +01:00
|
|
|
*
|
|
|
|
|
* The default policy 'Multiple_clients' imposes no restrictions on the
|
|
|
|
|
* creation of new sessions.
|
|
|
|
|
*/
|
|
|
|
|
template <typename SESSION_TYPE, typename POLICY>
|
|
|
|
|
class Genode::Root_component : public Rpc_object<Typed_root<SESSION_TYPE> >,
|
2016-11-06 14:26:34 +01:00
|
|
|
public Local_service<SESSION_TYPE>::Factory,
|
2015-03-04 21:12:14 +01:00
|
|
|
private POLICY
|
|
|
|
|
{
|
|
|
|
|
private:
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Entry point that manages the session objects
|
|
|
|
|
* created by this root interface
|
|
|
|
|
*/
|
|
|
|
|
Rpc_entrypoint *_ep;
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Allocator for allocating session objects.
|
|
|
|
|
* This allocator must be used by the derived
|
|
|
|
|
* class when calling the 'new' operator for
|
|
|
|
|
* creating a new session.
|
|
|
|
|
*/
|
|
|
|
|
Allocator *_md_alloc;
|
|
|
|
|
|
2016-11-06 14:26:34 +01:00
|
|
|
/*
|
|
|
|
|
* Used by both the legacy 'Root::session' and the new 'Factory::create'
|
|
|
|
|
*/
|
|
|
|
|
SESSION_TYPE &_create(Session_state::Args const &args, Affinity affinity)
|
|
|
|
|
{
|
|
|
|
|
POLICY::aquire(args.string());
|
|
|
|
|
|
2017-02-21 15:17:41 +01:00
|
|
|
/*
|
|
|
|
|
* Guard to ensure that 'release' is called whenever the scope
|
|
|
|
|
* is left with an exception.
|
|
|
|
|
*/
|
|
|
|
|
struct Guard
|
|
|
|
|
{
|
|
|
|
|
bool ack = false;
|
|
|
|
|
Root_component &root;
|
|
|
|
|
Guard(Root_component &root) : root(root) { }
|
|
|
|
|
~Guard() { if (!ack) root.release(); }
|
|
|
|
|
} aquire_guard { *this };
|
|
|
|
|
|
2016-11-06 14:26:34 +01:00
|
|
|
/*
|
|
|
|
|
* We need to decrease 'ram_quota' by
|
|
|
|
|
* the size of the session object.
|
|
|
|
|
*/
|
2017-05-08 01:33:40 +02:00
|
|
|
Ram_quota const ram_quota = ram_quota_from_args(args.string());
|
|
|
|
|
|
2016-11-06 14:26:34 +01:00
|
|
|
size_t needed = sizeof(SESSION_TYPE) + md_alloc()->overhead(sizeof(SESSION_TYPE));
|
|
|
|
|
|
2017-09-06 15:49:36 +02:00
|
|
|
if (needed > ram_quota.value)
|
2017-05-08 14:32:03 +02:00
|
|
|
throw Insufficient_ram_quota();
|
2016-11-06 14:26:34 +01:00
|
|
|
|
2017-05-08 01:33:40 +02:00
|
|
|
Ram_quota const remaining_ram_quota { ram_quota.value - needed };
|
2016-11-06 14:26:34 +01:00
|
|
|
|
Capability quota accounting and trading
This patch mirrors the accounting and trading scheme that Genode employs
for physical memory to the accounting of capability allocations.
Capability quotas must now be explicitly assigned to subsystems by
specifying a 'caps=<amount>' attribute to init's start nodes.
Analogously to RAM quotas, cap quotas can be traded between clients and
servers as part of the session protocol. The capability budget of each
component is maintained by the component's corresponding PD session at
core.
At the current stage, the accounting is applied to RPC capabilities,
signal-context capabilities, and dataspace capabilities. Capabilities
that are dynamically allocated via core's CPU and TRACE service are not
yet covered. Also, the capabilities allocated by resource multiplexers
outside of core (like nitpicker) must be accounted by the respective
servers, which is not covered yet.
If a component runs out of capabilities, core's PD service prints a
warning to the log. To observe the consumption of capabilities per
component in detail, the PD service is equipped with a diagnostic
mode, which can be enabled via the 'diag' attribute in the target
node of init's routing rules. E.g., the following route enables the
diagnostic mode for the PD session of the "timer" component:
<default-route>
<service name="PD" unscoped_label="timer">
<parent diag="yes"/>
</service>
...
</default-route>
For subsystems based on a sub-init instance, init can be configured
to report the capability-quota information of its subsystems by
adding the attribute 'child_caps="yes"' to init's '<report>'
config node. Init's own capability quota can be reported by adding
the attribute 'init_caps="yes"'.
Fixes #2398
2017-05-08 21:35:43 +02:00
|
|
|
/*
|
|
|
|
|
* Validate that the client provided the amount of caps as mandated
|
|
|
|
|
* for the session interface.
|
|
|
|
|
*/
|
|
|
|
|
Cap_quota const cap_quota = cap_quota_from_args(args.string());
|
|
|
|
|
|
|
|
|
|
if (cap_quota.value < SESSION_TYPE::CAP_QUOTA)
|
|
|
|
|
throw Insufficient_cap_quota();
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Account for the dataspace capability needed for allocating the
|
|
|
|
|
* session object from the sliced heap.
|
|
|
|
|
*/
|
|
|
|
|
if (cap_quota.value < 1)
|
|
|
|
|
throw Insufficient_cap_quota();
|
|
|
|
|
|
|
|
|
|
Cap_quota const remaining_cap_quota { cap_quota.value - 1 };
|
|
|
|
|
|
2016-11-06 14:26:34 +01:00
|
|
|
/*
|
|
|
|
|
* Deduce ram quota needed for allocating the session object from the
|
|
|
|
|
* donated ram quota.
|
|
|
|
|
*/
|
|
|
|
|
enum { MAX_ARGS_LEN = 256 };
|
|
|
|
|
char adjusted_args[MAX_ARGS_LEN];
|
|
|
|
|
strncpy(adjusted_args, args.string(), sizeof(adjusted_args));
|
2017-05-08 01:33:40 +02:00
|
|
|
|
2016-11-06 14:26:34 +01:00
|
|
|
Arg_string::set_arg(adjusted_args, sizeof(adjusted_args),
|
2017-05-08 01:33:40 +02:00
|
|
|
"ram_quota", String<64>(remaining_ram_quota).string());
|
2016-11-06 14:26:34 +01:00
|
|
|
|
Capability quota accounting and trading
This patch mirrors the accounting and trading scheme that Genode employs
for physical memory to the accounting of capability allocations.
Capability quotas must now be explicitly assigned to subsystems by
specifying a 'caps=<amount>' attribute to init's start nodes.
Analogously to RAM quotas, cap quotas can be traded between clients and
servers as part of the session protocol. The capability budget of each
component is maintained by the component's corresponding PD session at
core.
At the current stage, the accounting is applied to RPC capabilities,
signal-context capabilities, and dataspace capabilities. Capabilities
that are dynamically allocated via core's CPU and TRACE service are not
yet covered. Also, the capabilities allocated by resource multiplexers
outside of core (like nitpicker) must be accounted by the respective
servers, which is not covered yet.
If a component runs out of capabilities, core's PD service prints a
warning to the log. To observe the consumption of capabilities per
component in detail, the PD service is equipped with a diagnostic
mode, which can be enabled via the 'diag' attribute in the target
node of init's routing rules. E.g., the following route enables the
diagnostic mode for the PD session of the "timer" component:
<default-route>
<service name="PD" unscoped_label="timer">
<parent diag="yes"/>
</service>
...
</default-route>
For subsystems based on a sub-init instance, init can be configured
to report the capability-quota information of its subsystems by
adding the attribute 'child_caps="yes"' to init's '<report>'
config node. Init's own capability quota can be reported by adding
the attribute 'init_caps="yes"'.
Fixes #2398
2017-05-08 21:35:43 +02:00
|
|
|
Arg_string::set_arg(adjusted_args, sizeof(adjusted_args),
|
|
|
|
|
"cap_quota", String<64>(remaining_cap_quota).string());
|
|
|
|
|
|
2016-11-06 14:26:34 +01:00
|
|
|
SESSION_TYPE *s = 0;
|
|
|
|
|
try { s = _create_session(adjusted_args, affinity); }
|
2017-05-11 20:03:28 +02:00
|
|
|
catch (Out_of_ram) { throw Insufficient_ram_quota(); }
|
|
|
|
|
catch (Out_of_caps) { throw Insufficient_cap_quota(); }
|
|
|
|
|
catch (Service_denied) { throw; }
|
|
|
|
|
catch (Insufficient_cap_quota) { throw; }
|
|
|
|
|
catch (Insufficient_ram_quota) { throw; }
|
|
|
|
|
catch (...) {
|
|
|
|
|
warning("unexpected exception during ",
|
2017-11-09 11:36:22 +01:00
|
|
|
SESSION_TYPE::service_name(), "-session creation");
|
|
|
|
|
throw Service_denied();
|
|
|
|
|
}
|
2016-11-06 14:26:34 +01:00
|
|
|
|
2017-05-08 12:52:23 +02:00
|
|
|
/*
|
|
|
|
|
* Consider that the session-object constructor may already have
|
|
|
|
|
* called 'manage'.
|
|
|
|
|
*/
|
|
|
|
|
if (!s->cap().valid())
|
|
|
|
|
_ep->manage(s);
|
2016-11-06 14:26:34 +01:00
|
|
|
|
2017-02-21 15:17:41 +01:00
|
|
|
aquire_guard.ack = true;
|
2016-11-06 14:26:34 +01:00
|
|
|
return *s;
|
|
|
|
|
}
|
|
|
|
|
|
Follow practices suggested by "Effective C++"
The patch adjust the code of the base, base-<kernel>, and os repository.
To adapt existing components to fix violations of the best practices
suggested by "Effective C++" as reported by the -Weffc++ compiler
argument. The changes follow the patterns outlined below:
* A class with virtual functions can no longer publicly inherit base
classed without a vtable. The inherited object may either be moved
to a member variable, or inherited privately. The latter would be
used for classes that inherit 'List::Element' or 'Avl_node'. In order
to enable the 'List' and 'Avl_tree' to access the meta data, the
'List' must become a friend.
* Instead of adding a virtual destructor to abstract base classes,
we inherit the new 'Interface' class, which contains a virtual
destructor. This way, single-line abstract base classes can stay
as compact as they are now. The 'Interface' utility resides in
base/include/util/interface.h.
* With the new warnings enabled, all member variables must be explicitly
initialized. Basic types may be initialized with '='. All other types
are initialized with braces '{ ... }' or as class initializers. If
basic types and non-basic types appear in a row, it is nice to only
use the brace syntax (also for basic types) and align the braces.
* If a class contains pointers as members, it must now also provide a
copy constructor and assignment operator. In the most cases, one
would make them private, effectively disallowing the objects to be
copied. Unfortunately, this warning cannot be fixed be inheriting
our existing 'Noncopyable' class (the compiler fails to detect that
the inheriting class cannot be copied and still gives the error).
For now, we have to manually add declarations for both the copy
constructor and assignment operator as private class members. Those
declarations should be prepended with a comment like this:
/*
* Noncopyable
*/
Thread(Thread const &);
Thread &operator = (Thread const &);
In the future, we should revisit these places and try to replace
the pointers with references. In the presence of at least one
reference member, the compiler would no longer implicitly generate
a copy constructor. So we could remove the manual declaration.
Issue #465
2017-12-21 15:42:15 +01:00
|
|
|
/*
|
|
|
|
|
* Noncopyable
|
|
|
|
|
*/
|
|
|
|
|
Root_component(Root_component const &);
|
|
|
|
|
Root_component &operator = (Root_component const &);
|
|
|
|
|
|
2015-03-04 21:12:14 +01:00
|
|
|
protected:
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* Create new session (to be implemented by a derived class)
|
|
|
|
|
*
|
|
|
|
|
* Only a derived class knows the constructor arguments of
|
|
|
|
|
* a specific session. Therefore, we cannot unify the call
|
|
|
|
|
* of its 'new' operator and must implement the session
|
|
|
|
|
* creation at a place, where the required knowledge exist.
|
|
|
|
|
*
|
2015-03-20 17:50:41 +01:00
|
|
|
* In the implementation of this method, the heap, provided
|
2015-03-04 21:12:14 +01:00
|
|
|
* by 'Root_component' must be used for allocating the session
|
|
|
|
|
* object.
|
|
|
|
|
*
|
|
|
|
|
* If the server implementation does not evaluate the session
|
|
|
|
|
* affinity, it suffices to override the overload without the
|
|
|
|
|
* affinity argument.
|
|
|
|
|
*
|
Streamline exception types
This patch reduces the number of exception types by facilitating
globally defined exceptions for common usage patterns shared by most
services. In particular, RPC functions that demand a session-resource
upgrade not longer reflect this condition via a session-specific
exception but via the 'Out_of_ram' or 'Out_of_caps' types.
Furthermore, the 'Parent::Service_denied', 'Parent::Unavailable',
'Root::Invalid_args', 'Root::Unavailable', 'Service::Invalid_args',
'Service::Unavailable', and 'Local_service::Factory::Denied' types have
been replaced by the single 'Service_denied' exception type defined in
'session/session.h'.
This consolidation eases the error handling (there are fewer exceptions
to handle), alleviates the need to convert exceptions along the
session-creation call chain, and avoids possible aliasing problems
(catching the wrong type with the same name but living in a different
scope).
2017-05-07 22:03:22 +02:00
|
|
|
* \throw Out_of_ram
|
|
|
|
|
* \throw Out_of_caps
|
|
|
|
|
* \throw Service_denied
|
|
|
|
|
* \throw Insufficient_cap_quota
|
|
|
|
|
* \throw Insufficient_ram_quota
|
2015-03-04 21:12:14 +01:00
|
|
|
*/
|
|
|
|
|
virtual SESSION_TYPE *_create_session(const char *args,
|
|
|
|
|
Affinity const &)
|
|
|
|
|
{
|
|
|
|
|
return _create_session(args);
|
|
|
|
|
}
|
|
|
|
|
|
Follow practices suggested by "Effective C++"
The patch adjust the code of the base, base-<kernel>, and os repository.
To adapt existing components to fix violations of the best practices
suggested by "Effective C++" as reported by the -Weffc++ compiler
argument. The changes follow the patterns outlined below:
* A class with virtual functions can no longer publicly inherit base
classed without a vtable. The inherited object may either be moved
to a member variable, or inherited privately. The latter would be
used for classes that inherit 'List::Element' or 'Avl_node'. In order
to enable the 'List' and 'Avl_tree' to access the meta data, the
'List' must become a friend.
* Instead of adding a virtual destructor to abstract base classes,
we inherit the new 'Interface' class, which contains a virtual
destructor. This way, single-line abstract base classes can stay
as compact as they are now. The 'Interface' utility resides in
base/include/util/interface.h.
* With the new warnings enabled, all member variables must be explicitly
initialized. Basic types may be initialized with '='. All other types
are initialized with braces '{ ... }' or as class initializers. If
basic types and non-basic types appear in a row, it is nice to only
use the brace syntax (also for basic types) and align the braces.
* If a class contains pointers as members, it must now also provide a
copy constructor and assignment operator. In the most cases, one
would make them private, effectively disallowing the objects to be
copied. Unfortunately, this warning cannot be fixed be inheriting
our existing 'Noncopyable' class (the compiler fails to detect that
the inheriting class cannot be copied and still gives the error).
For now, we have to manually add declarations for both the copy
constructor and assignment operator as private class members. Those
declarations should be prepended with a comment like this:
/*
* Noncopyable
*/
Thread(Thread const &);
Thread &operator = (Thread const &);
In the future, we should revisit these places and try to replace
the pointers with references. In the presence of at least one
reference member, the compiler would no longer implicitly generate
a copy constructor. So we could remove the manual declaration.
Issue #465
2017-12-21 15:42:15 +01:00
|
|
|
virtual SESSION_TYPE *_create_session(const char *)
|
2015-03-04 21:12:14 +01:00
|
|
|
{
|
Streamline exception types
This patch reduces the number of exception types by facilitating
globally defined exceptions for common usage patterns shared by most
services. In particular, RPC functions that demand a session-resource
upgrade not longer reflect this condition via a session-specific
exception but via the 'Out_of_ram' or 'Out_of_caps' types.
Furthermore, the 'Parent::Service_denied', 'Parent::Unavailable',
'Root::Invalid_args', 'Root::Unavailable', 'Service::Invalid_args',
'Service::Unavailable', and 'Local_service::Factory::Denied' types have
been replaced by the single 'Service_denied' exception type defined in
'session/session.h'.
This consolidation eases the error handling (there are fewer exceptions
to handle), alleviates the need to convert exceptions along the
session-creation call chain, and avoids possible aliasing problems
(catching the wrong type with the same name but living in a different
scope).
2017-05-07 22:03:22 +02:00
|
|
|
throw Service_denied();
|
2015-03-04 21:12:14 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* Inform session about a quota upgrade
|
|
|
|
|
*
|
|
|
|
|
* Once a session is created, its client can successively extend
|
2015-03-20 17:50:41 +01:00
|
|
|
* its quota donation via the 'Parent::transfer_quota' operation.
|
2015-03-04 21:12:14 +01:00
|
|
|
* This will result in the invokation of 'Root::upgrade' at the
|
|
|
|
|
* root interface the session was created with. The root interface,
|
|
|
|
|
* in turn, informs the session about the new resources via the
|
2015-03-20 17:50:41 +01:00
|
|
|
* '_upgrade_session' method. The default implementation is
|
2015-03-04 21:12:14 +01:00
|
|
|
* suited for sessions that use a static amount of resources
|
|
|
|
|
* accounted for at session-creation time. For such sessions, an
|
|
|
|
|
* upgrade is not useful. However, sessions that dynamically
|
|
|
|
|
* allocate resources on behalf of its client, should respond to
|
2015-03-20 17:50:41 +01:00
|
|
|
* quota upgrades by implementing this method.
|
2015-03-04 21:12:14 +01:00
|
|
|
*
|
|
|
|
|
* \param session session to upgrade
|
|
|
|
|
* \param args description of additional resources in the
|
|
|
|
|
* same format as used at session creation
|
|
|
|
|
*/
|
|
|
|
|
virtual void _upgrade_session(SESSION_TYPE *, const char *) { }
|
|
|
|
|
|
|
|
|
|
virtual void _destroy_session(SESSION_TYPE *session) {
|
2016-11-06 14:26:34 +01:00
|
|
|
Genode::destroy(_md_alloc, session); }
|
2015-03-04 21:12:14 +01:00
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* Return allocator to allocate server object in '_create_session()'
|
|
|
|
|
*/
|
2015-03-20 17:50:41 +01:00
|
|
|
Allocator *md_alloc() { return _md_alloc; }
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* Return entrypoint that serves the root component
|
|
|
|
|
*/
|
|
|
|
|
Rpc_entrypoint *ep() { return _ep; }
|
2015-03-04 21:12:14 +01:00
|
|
|
|
|
|
|
|
public:
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* Constructor
|
|
|
|
|
*
|
2016-05-20 12:01:50 +02:00
|
|
|
* \param ep entry point that manages the sessions of this
|
|
|
|
|
* root interface
|
|
|
|
|
* \param md_alloc meta-data allocator providing the backing store
|
|
|
|
|
* for session objects
|
2015-03-04 21:12:14 +01:00
|
|
|
*/
|
2016-05-20 12:01:50 +02:00
|
|
|
Root_component(Entrypoint &ep, Allocator &md_alloc)
|
|
|
|
|
:
|
|
|
|
|
_ep(&ep.rpc_ep()), _md_alloc(&md_alloc)
|
|
|
|
|
{ }
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* Constructor
|
|
|
|
|
*
|
|
|
|
|
* \deprecated use the constructor with the 'Entrypoint &'
|
|
|
|
|
* argument instead
|
|
|
|
|
*/
|
|
|
|
|
Root_component(Rpc_entrypoint *ep, Allocator *md_alloc)
|
|
|
|
|
:
|
|
|
|
|
_ep(ep), _md_alloc(md_alloc)
|
|
|
|
|
{ }
|
2015-03-04 21:12:14 +01:00
|
|
|
|
|
|
|
|
|
2016-11-06 14:26:34 +01:00
|
|
|
/**************************************
|
|
|
|
|
** Local_service::Factory interface **
|
|
|
|
|
**************************************/
|
|
|
|
|
|
|
|
|
|
SESSION_TYPE &create(Session_state::Args const &args,
|
|
|
|
|
Affinity affinity) override
|
|
|
|
|
{
|
Streamline exception types
This patch reduces the number of exception types by facilitating
globally defined exceptions for common usage patterns shared by most
services. In particular, RPC functions that demand a session-resource
upgrade not longer reflect this condition via a session-specific
exception but via the 'Out_of_ram' or 'Out_of_caps' types.
Furthermore, the 'Parent::Service_denied', 'Parent::Unavailable',
'Root::Invalid_args', 'Root::Unavailable', 'Service::Invalid_args',
'Service::Unavailable', and 'Local_service::Factory::Denied' types have
been replaced by the single 'Service_denied' exception type defined in
'session/session.h'.
This consolidation eases the error handling (there are fewer exceptions
to handle), alleviates the need to convert exceptions along the
session-creation call chain, and avoids possible aliasing problems
(catching the wrong type with the same name but living in a different
scope).
2017-05-07 22:03:22 +02:00
|
|
|
try { return _create(args, affinity); }
|
2017-05-08 14:32:03 +02:00
|
|
|
catch (Insufficient_ram_quota) { throw; }
|
Capability quota accounting and trading
This patch mirrors the accounting and trading scheme that Genode employs
for physical memory to the accounting of capability allocations.
Capability quotas must now be explicitly assigned to subsystems by
specifying a 'caps=<amount>' attribute to init's start nodes.
Analogously to RAM quotas, cap quotas can be traded between clients and
servers as part of the session protocol. The capability budget of each
component is maintained by the component's corresponding PD session at
core.
At the current stage, the accounting is applied to RPC capabilities,
signal-context capabilities, and dataspace capabilities. Capabilities
that are dynamically allocated via core's CPU and TRACE service are not
yet covered. Also, the capabilities allocated by resource multiplexers
outside of core (like nitpicker) must be accounted by the respective
servers, which is not covered yet.
If a component runs out of capabilities, core's PD service prints a
warning to the log. To observe the consumption of capabilities per
component in detail, the PD service is equipped with a diagnostic
mode, which can be enabled via the 'diag' attribute in the target
node of init's routing rules. E.g., the following route enables the
diagnostic mode for the PD session of the "timer" component:
<default-route>
<service name="PD" unscoped_label="timer">
<parent diag="yes"/>
</service>
...
</default-route>
For subsystems based on a sub-init instance, init can be configured
to report the capability-quota information of its subsystems by
adding the attribute 'child_caps="yes"' to init's '<report>'
config node. Init's own capability quota can be reported by adding
the attribute 'init_caps="yes"'.
Fixes #2398
2017-05-08 21:35:43 +02:00
|
|
|
catch (Insufficient_cap_quota) { throw; }
|
Streamline exception types
This patch reduces the number of exception types by facilitating
globally defined exceptions for common usage patterns shared by most
services. In particular, RPC functions that demand a session-resource
upgrade not longer reflect this condition via a session-specific
exception but via the 'Out_of_ram' or 'Out_of_caps' types.
Furthermore, the 'Parent::Service_denied', 'Parent::Unavailable',
'Root::Invalid_args', 'Root::Unavailable', 'Service::Invalid_args',
'Service::Unavailable', and 'Local_service::Factory::Denied' types have
been replaced by the single 'Service_denied' exception type defined in
'session/session.h'.
This consolidation eases the error handling (there are fewer exceptions
to handle), alleviates the need to convert exceptions along the
session-creation call chain, and avoids possible aliasing problems
(catching the wrong type with the same name but living in a different
scope).
2017-05-07 22:03:22 +02:00
|
|
|
catch (...) { throw Service_denied(); }
|
2016-11-06 14:26:34 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
void upgrade(SESSION_TYPE &session,
|
|
|
|
|
Session_state::Args const &args) override
|
|
|
|
|
{
|
|
|
|
|
_upgrade_session(&session, args.string());
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
void destroy(SESSION_TYPE &session) override
|
|
|
|
|
{
|
|
|
|
|
close(session.cap());
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
2015-03-04 21:12:14 +01:00
|
|
|
/********************
|
|
|
|
|
** Root interface **
|
|
|
|
|
********************/
|
|
|
|
|
|
|
|
|
|
Session_capability session(Root::Session_args const &args,
|
|
|
|
|
Affinity const &affinity) override
|
|
|
|
|
{
|
Streamline exception types
This patch reduces the number of exception types by facilitating
globally defined exceptions for common usage patterns shared by most
services. In particular, RPC functions that demand a session-resource
upgrade not longer reflect this condition via a session-specific
exception but via the 'Out_of_ram' or 'Out_of_caps' types.
Furthermore, the 'Parent::Service_denied', 'Parent::Unavailable',
'Root::Invalid_args', 'Root::Unavailable', 'Service::Invalid_args',
'Service::Unavailable', and 'Local_service::Factory::Denied' types have
been replaced by the single 'Service_denied' exception type defined in
'session/session.h'.
This consolidation eases the error handling (there are fewer exceptions
to handle), alleviates the need to convert exceptions along the
session-creation call chain, and avoids possible aliasing problems
(catching the wrong type with the same name but living in a different
scope).
2017-05-07 22:03:22 +02:00
|
|
|
if (!args.valid_string()) throw Service_denied();
|
2016-11-06 14:26:34 +01:00
|
|
|
SESSION_TYPE &session = _create(args.string(), affinity);
|
|
|
|
|
return session.cap();
|
2015-03-04 21:12:14 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
void upgrade(Session_capability session, Root::Upgrade_args const &args) override
|
|
|
|
|
{
|
Streamline exception types
This patch reduces the number of exception types by facilitating
globally defined exceptions for common usage patterns shared by most
services. In particular, RPC functions that demand a session-resource
upgrade not longer reflect this condition via a session-specific
exception but via the 'Out_of_ram' or 'Out_of_caps' types.
Furthermore, the 'Parent::Service_denied', 'Parent::Unavailable',
'Root::Invalid_args', 'Root::Unavailable', 'Service::Invalid_args',
'Service::Unavailable', and 'Local_service::Factory::Denied' types have
been replaced by the single 'Service_denied' exception type defined in
'session/session.h'.
This consolidation eases the error handling (there are fewer exceptions
to handle), alleviates the need to convert exceptions along the
session-creation call chain, and avoids possible aliasing problems
(catching the wrong type with the same name but living in a different
scope).
2017-05-07 22:03:22 +02:00
|
|
|
if (!args.valid_string()) throw Service_denied();
|
2015-03-04 21:12:14 +01:00
|
|
|
|
2015-08-10 13:34:16 +02:00
|
|
|
_ep->apply(session, [&] (SESSION_TYPE *s) {
|
|
|
|
|
if (!s) return;
|
2015-03-04 21:12:14 +01:00
|
|
|
|
2015-08-10 13:34:16 +02:00
|
|
|
_upgrade_session(s, args.string());
|
|
|
|
|
});
|
2015-03-04 21:12:14 +01:00
|
|
|
}
|
|
|
|
|
|
2015-08-10 13:34:16 +02:00
|
|
|
void close(Session_capability session_cap) override
|
2015-03-04 21:12:14 +01:00
|
|
|
{
|
2015-08-10 13:34:16 +02:00
|
|
|
SESSION_TYPE * session;
|
2015-03-04 21:12:14 +01:00
|
|
|
|
2015-08-10 13:34:16 +02:00
|
|
|
_ep->apply(session_cap, [&] (SESSION_TYPE *s) {
|
|
|
|
|
session = s;
|
2015-03-04 21:12:14 +01:00
|
|
|
|
2015-08-10 13:34:16 +02:00
|
|
|
/* let the entry point forget the session object */
|
|
|
|
|
if (session) _ep->dissolve(session);
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
if (!session) return;
|
|
|
|
|
|
|
|
|
|
_destroy_session(session);
|
2015-03-04 21:12:14 +01:00
|
|
|
|
|
|
|
|
POLICY::release();
|
|
|
|
|
}
|
|
|
|
|
};
|
2011-12-22 16:19:25 +01:00
|
|
|
|
|
|
|
|
#endif /* _INCLUDE__ROOT__COMPONENT_H_ */
|
