2017-03-08 10:21:49 +01:00
|
|
|
/*
|
|
|
|
* \brief Server role of init, forwarding session requests to children
|
|
|
|
* \author Norman Feske
|
|
|
|
* \date 2017-03-07
|
|
|
|
*/
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Copyright (C) 2017 Genode Labs GmbH
|
|
|
|
*
|
|
|
|
* This file is part of the Genode OS framework, which is distributed
|
|
|
|
* under the terms of the GNU Affero General Public License version 3.
|
|
|
|
*/
|
|
|
|
|
|
|
|
/* Genode includes */
|
Capability quota accounting and trading
This patch mirrors the accounting and trading scheme that Genode employs
for physical memory to the accounting of capability allocations.
Capability quotas must now be explicitly assigned to subsystems by
specifying a 'caps=<amount>' attribute to init's start nodes.
Analogously to RAM quotas, cap quotas can be traded between clients and
servers as part of the session protocol. The capability budget of each
component is maintained by the component's corresponding PD session at
core.
At the current stage, the accounting is applied to RPC capabilities,
signal-context capabilities, and dataspace capabilities. Capabilities
that are dynamically allocated via core's CPU and TRACE service are not
yet covered. Also, the capabilities allocated by resource multiplexers
outside of core (like nitpicker) must be accounted by the respective
servers, which is not covered yet.
If a component runs out of capabilities, core's PD service prints a
warning to the log. To observe the consumption of capabilities per
component in detail, the PD service is equipped with a diagnostic
mode, which can be enabled via the 'diag' attribute in the target
node of init's routing rules. E.g., the following route enables the
diagnostic mode for the PD session of the "timer" component:
<default-route>
<service name="PD" unscoped_label="timer">
<parent diag="yes"/>
</service>
...
</default-route>
For subsystems based on a sub-init instance, init can be configured
to report the capability-quota information of its subsystems by
adding the attribute 'child_caps="yes"' to init's '<report>'
config node. Init's own capability quota can be reported by adding
the attribute 'init_caps="yes"'.
Fixes #2398
2017-05-08 21:35:43 +02:00
|
|
|
#include <base/quota_transfer.h>
|
2017-03-08 10:21:49 +01:00
|
|
|
#include <os/session_policy.h>
|
|
|
|
|
|
|
|
/* local includes */
|
2017-11-13 16:25:37 +01:00
|
|
|
#include "server.h"
|
2017-03-08 10:21:49 +01:00
|
|
|
|
|
|
|
|
|
|
|
/***************************
|
|
|
|
** Init::Server::Service **
|
|
|
|
***************************/
|
|
|
|
|
|
|
|
struct Init::Server::Service
|
|
|
|
{
|
|
|
|
Registry<Service>::Element _registry_element;
|
|
|
|
|
|
|
|
Buffered_xml _service_node;
|
|
|
|
|
|
|
|
typedef Genode::Service::Name Name;
|
|
|
|
|
|
|
|
Registry<Routed_service> &_child_services;
|
|
|
|
|
|
|
|
Name const _name { _service_node.xml().attribute_value("name", Name()) };
|
|
|
|
|
|
|
|
/**
|
|
|
|
* Constructor
|
|
|
|
*
|
|
|
|
* \param alloc allocator used for buffering the 'service_node'
|
|
|
|
*/
|
|
|
|
Service(Registry<Service> &services,
|
|
|
|
Allocator &alloc,
|
|
|
|
Xml_node service_node,
|
|
|
|
Registry<Routed_service> &child_services)
|
|
|
|
:
|
|
|
|
_registry_element(services, *this),
|
|
|
|
_service_node(alloc, service_node),
|
|
|
|
_child_services(child_services)
|
|
|
|
{ }
|
|
|
|
|
|
|
|
/**
|
|
|
|
* Determine route to child service for a given label according
|
|
|
|
* to the <service> node policy
|
|
|
|
*
|
Streamline exception types
This patch reduces the number of exception types by facilitating
globally defined exceptions for common usage patterns shared by most
services. In particular, RPC functions that demand a session-resource
upgrade not longer reflect this condition via a session-specific
exception but via the 'Out_of_ram' or 'Out_of_caps' types.
Furthermore, the 'Parent::Service_denied', 'Parent::Unavailable',
'Root::Invalid_args', 'Root::Unavailable', 'Service::Invalid_args',
'Service::Unavailable', and 'Local_service::Factory::Denied' types have
been replaced by the single 'Service_denied' exception type defined in
'session/session.h'.
This consolidation eases the error handling (there are fewer exceptions
to handle), alleviates the need to convert exceptions along the
session-creation call chain, and avoids possible aliasing problems
(catching the wrong type with the same name but living in a different
scope).
2017-05-07 22:03:22 +02:00
|
|
|
* \throw Service_denied
|
2017-03-08 10:21:49 +01:00
|
|
|
*/
|
|
|
|
Route resolve_session_request(Session_label const &);
|
|
|
|
|
|
|
|
Name name() const { return _name; }
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
|
|
Init::Server::Route
|
|
|
|
Init::Server::Service::resolve_session_request(Session_label const &label)
|
|
|
|
{
|
|
|
|
try {
|
|
|
|
Session_policy policy(label, _service_node.xml());
|
|
|
|
|
|
|
|
if (!policy.has_sub_node("child"))
|
Streamline exception types
This patch reduces the number of exception types by facilitating
globally defined exceptions for common usage patterns shared by most
services. In particular, RPC functions that demand a session-resource
upgrade not longer reflect this condition via a session-specific
exception but via the 'Out_of_ram' or 'Out_of_caps' types.
Furthermore, the 'Parent::Service_denied', 'Parent::Unavailable',
'Root::Invalid_args', 'Root::Unavailable', 'Service::Invalid_args',
'Service::Unavailable', and 'Local_service::Factory::Denied' types have
been replaced by the single 'Service_denied' exception type defined in
'session/session.h'.
This consolidation eases the error handling (there are fewer exceptions
to handle), alleviates the need to convert exceptions along the
session-creation call chain, and avoids possible aliasing problems
(catching the wrong type with the same name but living in a different
scope).
2017-05-07 22:03:22 +02:00
|
|
|
throw Service_denied();
|
2017-03-08 10:21:49 +01:00
|
|
|
|
|
|
|
Xml_node target_node = policy.sub_node("child");
|
|
|
|
|
|
|
|
Child_policy::Name const child_name =
|
|
|
|
target_node.attribute_value("name", Child_policy::Name());
|
|
|
|
|
|
|
|
typedef String<Session_label::capacity()> Label;
|
|
|
|
Label const target_label =
|
|
|
|
target_node.attribute_value("label", Label(label.string()));
|
|
|
|
|
|
|
|
Routed_service *match = nullptr;
|
|
|
|
_child_services.for_each([&] (Routed_service &service) {
|
2017-03-31 18:22:24 +02:00
|
|
|
if (service.child_name() == child_name && service.name() == name())
|
2017-03-08 10:21:49 +01:00
|
|
|
match = &service; });
|
|
|
|
|
|
|
|
if (!match || match->abandoned())
|
Streamline exception types
This patch reduces the number of exception types by facilitating
globally defined exceptions for common usage patterns shared by most
services. In particular, RPC functions that demand a session-resource
upgrade not longer reflect this condition via a session-specific
exception but via the 'Out_of_ram' or 'Out_of_caps' types.
Furthermore, the 'Parent::Service_denied', 'Parent::Unavailable',
'Root::Invalid_args', 'Root::Unavailable', 'Service::Invalid_args',
'Service::Unavailable', and 'Local_service::Factory::Denied' types have
been replaced by the single 'Service_denied' exception type defined in
'session/session.h'.
This consolidation eases the error handling (there are fewer exceptions
to handle), alleviates the need to convert exceptions along the
session-creation call chain, and avoids possible aliasing problems
(catching the wrong type with the same name but living in a different
scope).
2017-05-07 22:03:22 +02:00
|
|
|
throw Service_denied();
|
2017-03-08 10:21:49 +01:00
|
|
|
|
|
|
|
return Route { *match, target_label };
|
|
|
|
}
|
|
|
|
catch (Session_policy::No_policy_defined) {
|
Streamline exception types
This patch reduces the number of exception types by facilitating
globally defined exceptions for common usage patterns shared by most
services. In particular, RPC functions that demand a session-resource
upgrade not longer reflect this condition via a session-specific
exception but via the 'Out_of_ram' or 'Out_of_caps' types.
Furthermore, the 'Parent::Service_denied', 'Parent::Unavailable',
'Root::Invalid_args', 'Root::Unavailable', 'Service::Invalid_args',
'Service::Unavailable', and 'Local_service::Factory::Denied' types have
been replaced by the single 'Service_denied' exception type defined in
'session/session.h'.
This consolidation eases the error handling (there are fewer exceptions
to handle), alleviates the need to convert exceptions along the
session-creation call chain, and avoids possible aliasing problems
(catching the wrong type with the same name but living in a different
scope).
2017-05-07 22:03:22 +02:00
|
|
|
throw Service_denied(); }
|
2017-03-08 10:21:49 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
/******************
|
|
|
|
** Init::Server **
|
|
|
|
******************/
|
|
|
|
|
|
|
|
Init::Server::Route
|
|
|
|
Init::Server::_resolve_session_request(Service::Name const &service_name,
|
|
|
|
Session_label const &label)
|
|
|
|
{
|
|
|
|
Service *matching_service = nullptr;
|
|
|
|
_services.for_each([&] (Service &service) {
|
|
|
|
if (service.name() == service_name)
|
|
|
|
matching_service = &service; });
|
|
|
|
|
|
|
|
if (!matching_service)
|
2017-06-30 15:21:29 +02:00
|
|
|
throw Service_not_present();
|
2017-03-08 10:21:49 +01:00
|
|
|
|
|
|
|
return matching_service->resolve_session_request(label);
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
static void close_session(Genode::Session_state &session)
|
|
|
|
{
|
|
|
|
session.phase = Genode::Session_state::CLOSE_REQUESTED;
|
|
|
|
session.service().initiate_request(session);
|
|
|
|
session.service().wakeup();
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
void Init::Server::session_ready(Session_state &session)
|
|
|
|
{
|
|
|
|
_report_update_trigger.trigger_report_update();
|
|
|
|
|
|
|
|
/*
|
|
|
|
* If 'session_ready' is called as response to a session-quota upgrade,
|
|
|
|
* the 'phase' is set to 'CAP_HANDED_OUT' by 'Child::session_response'.
|
|
|
|
* We just need to forward the state change to our parent.
|
|
|
|
*/
|
|
|
|
if (session.phase == Session_state::CAP_HANDED_OUT) {
|
|
|
|
Parent::Server::Id id { session.id_at_client().value };
|
|
|
|
_env.parent().session_response(id, Parent::SESSION_OK);
|
|
|
|
}
|
|
|
|
|
|
|
|
if (session.phase == Session_state::AVAILABLE) {
|
|
|
|
Parent::Server::Id id { session.id_at_client().value };
|
|
|
|
_env.parent().deliver_session_cap(id, session.cap);
|
|
|
|
session.phase = Session_state::CAP_HANDED_OUT;
|
|
|
|
}
|
2017-10-19 16:07:28 +02:00
|
|
|
|
|
|
|
if (session.phase == Session_state::SERVICE_DENIED)
|
|
|
|
_close_session(session, Parent::SERVICE_DENIED);
|
2017-11-10 15:10:01 +01:00
|
|
|
|
|
|
|
if (session.phase == Session_state::INSUFFICIENT_RAM_QUOTA)
|
|
|
|
_close_session(session, Parent::INSUFFICIENT_RAM_QUOTA);
|
|
|
|
|
|
|
|
if (session.phase == Session_state::INSUFFICIENT_CAP_QUOTA)
|
|
|
|
_close_session(session, Parent::INSUFFICIENT_CAP_QUOTA);
|
2017-03-08 10:21:49 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
|
2017-10-19 16:07:28 +02:00
|
|
|
void Init::Server::_close_session(Session_state &session,
|
|
|
|
Parent::Session_response response)
|
2017-03-08 10:21:49 +01:00
|
|
|
{
|
|
|
|
_report_update_trigger.trigger_report_update();
|
|
|
|
|
2017-05-08 16:49:00 +02:00
|
|
|
Ram_transfer::Account &service_ram_account = session.service();
|
Capability quota accounting and trading
This patch mirrors the accounting and trading scheme that Genode employs
for physical memory to the accounting of capability allocations.
Capability quotas must now be explicitly assigned to subsystems by
specifying a 'caps=<amount>' attribute to init's start nodes.
Analogously to RAM quotas, cap quotas can be traded between clients and
servers as part of the session protocol. The capability budget of each
component is maintained by the component's corresponding PD session at
core.
At the current stage, the accounting is applied to RPC capabilities,
signal-context capabilities, and dataspace capabilities. Capabilities
that are dynamically allocated via core's CPU and TRACE service are not
yet covered. Also, the capabilities allocated by resource multiplexers
outside of core (like nitpicker) must be accounted by the respective
servers, which is not covered yet.
If a component runs out of capabilities, core's PD service prints a
warning to the log. To observe the consumption of capabilities per
component in detail, the PD service is equipped with a diagnostic
mode, which can be enabled via the 'diag' attribute in the target
node of init's routing rules. E.g., the following route enables the
diagnostic mode for the PD session of the "timer" component:
<default-route>
<service name="PD" unscoped_label="timer">
<parent diag="yes"/>
</service>
...
</default-route>
For subsystems based on a sub-init instance, init can be configured
to report the capability-quota information of its subsystems by
adding the attribute 'child_caps="yes"' to init's '<report>'
config node. Init's own capability quota can be reported by adding
the attribute 'init_caps="yes"'.
Fixes #2398
2017-05-08 21:35:43 +02:00
|
|
|
Cap_transfer::Account &service_cap_account = session.service();
|
2017-03-08 10:21:49 +01:00
|
|
|
|
2019-01-21 10:48:39 +01:00
|
|
|
service_ram_account.try_transfer(_env.pd_session_cap(),
|
2017-05-08 16:49:00 +02:00
|
|
|
session.donated_ram_quota());
|
|
|
|
|
Capability quota accounting and trading
This patch mirrors the accounting and trading scheme that Genode employs
for physical memory to the accounting of capability allocations.
Capability quotas must now be explicitly assigned to subsystems by
specifying a 'caps=<amount>' attribute to init's start nodes.
Analogously to RAM quotas, cap quotas can be traded between clients and
servers as part of the session protocol. The capability budget of each
component is maintained by the component's corresponding PD session at
core.
At the current stage, the accounting is applied to RPC capabilities,
signal-context capabilities, and dataspace capabilities. Capabilities
that are dynamically allocated via core's CPU and TRACE service are not
yet covered. Also, the capabilities allocated by resource multiplexers
outside of core (like nitpicker) must be accounted by the respective
servers, which is not covered yet.
If a component runs out of capabilities, core's PD service prints a
warning to the log. To observe the consumption of capabilities per
component in detail, the PD service is equipped with a diagnostic
mode, which can be enabled via the 'diag' attribute in the target
node of init's routing rules. E.g., the following route enables the
diagnostic mode for the PD session of the "timer" component:
<default-route>
<service name="PD" unscoped_label="timer">
<parent diag="yes"/>
</service>
...
</default-route>
For subsystems based on a sub-init instance, init can be configured
to report the capability-quota information of its subsystems by
adding the attribute 'child_caps="yes"' to init's '<report>'
config node. Init's own capability quota can be reported by adding
the attribute 'init_caps="yes"'.
Fixes #2398
2017-05-08 21:35:43 +02:00
|
|
|
service_cap_account.try_transfer(_env.pd_session_cap(),
|
|
|
|
session.donated_cap_quota());
|
|
|
|
|
2017-05-08 16:49:00 +02:00
|
|
|
Parent::Server::Id id { session.id_at_client().value };
|
2017-03-08 10:21:49 +01:00
|
|
|
|
|
|
|
session.destroy();
|
2017-05-08 16:49:00 +02:00
|
|
|
|
2017-10-19 16:07:28 +02:00
|
|
|
_env.parent().session_response(id, response);
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
void Init::Server::session_closed(Session_state &session)
|
|
|
|
{
|
|
|
|
_close_session(session, Parent::SESSION_CLOSED);
|
2017-03-08 10:21:49 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
void Init::Server::_handle_create_session_request(Xml_node request,
|
|
|
|
Parent::Client::Id id)
|
|
|
|
{
|
2017-06-30 15:21:29 +02:00
|
|
|
/*
|
|
|
|
* Ignore requests that are already successfully forwarded (by a prior call
|
|
|
|
* of '_handle_create_session_request') but still remain present in the
|
|
|
|
* 'session_requests' ROM because the server child has not responded yet.
|
|
|
|
*/
|
|
|
|
try {
|
|
|
|
_client_id_space.apply<Parent::Client>(id, [&] (Parent::Client const &) { });
|
|
|
|
return;
|
|
|
|
} catch (Id_space<Parent::Client>::Unknown_id) { /* normal case */ }
|
|
|
|
|
2017-03-08 10:21:49 +01:00
|
|
|
if (!request.has_sub_node("args"))
|
|
|
|
return;
|
|
|
|
|
|
|
|
typedef Session_state::Args Args;
|
|
|
|
Args const args = request.sub_node("args").decoded_content<Args>();
|
|
|
|
|
|
|
|
Service::Name const name = request.attribute_value("service", Service::Name());
|
|
|
|
|
|
|
|
Session_label const label = label_from_args(args.string());
|
|
|
|
|
|
|
|
try {
|
|
|
|
Route const route = _resolve_session_request(name, label);
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Reduce session quota by local session costs
|
|
|
|
*/
|
|
|
|
char argbuf[Parent::Session_args::MAX_SIZE];
|
|
|
|
strncpy(argbuf, args.string(), sizeof(argbuf));
|
|
|
|
|
Capability quota accounting and trading
This patch mirrors the accounting and trading scheme that Genode employs
for physical memory to the accounting of capability allocations.
Capability quotas must now be explicitly assigned to subsystems by
specifying a 'caps=<amount>' attribute to init's start nodes.
Analogously to RAM quotas, cap quotas can be traded between clients and
servers as part of the session protocol. The capability budget of each
component is maintained by the component's corresponding PD session at
core.
At the current stage, the accounting is applied to RPC capabilities,
signal-context capabilities, and dataspace capabilities. Capabilities
that are dynamically allocated via core's CPU and TRACE service are not
yet covered. Also, the capabilities allocated by resource multiplexers
outside of core (like nitpicker) must be accounted by the respective
servers, which is not covered yet.
If a component runs out of capabilities, core's PD service prints a
warning to the log. To observe the consumption of capabilities per
component in detail, the PD service is equipped with a diagnostic
mode, which can be enabled via the 'diag' attribute in the target
node of init's routing rules. E.g., the following route enables the
diagnostic mode for the PD session of the "timer" component:
<default-route>
<service name="PD" unscoped_label="timer">
<parent diag="yes"/>
</service>
...
</default-route>
For subsystems based on a sub-init instance, init can be configured
to report the capability-quota information of its subsystems by
adding the attribute 'child_caps="yes"' to init's '<report>'
config node. Init's own capability quota can be reported by adding
the attribute 'init_caps="yes"'.
Fixes #2398
2017-05-08 21:35:43 +02:00
|
|
|
Cap_quota const cap_quota = cap_quota_from_args(argbuf);
|
2017-05-08 01:33:40 +02:00
|
|
|
Ram_quota const ram_quota = ram_quota_from_args(argbuf);
|
Capability quota accounting and trading
This patch mirrors the accounting and trading scheme that Genode employs
for physical memory to the accounting of capability allocations.
Capability quotas must now be explicitly assigned to subsystems by
specifying a 'caps=<amount>' attribute to init's start nodes.
Analogously to RAM quotas, cap quotas can be traded between clients and
servers as part of the session protocol. The capability budget of each
component is maintained by the component's corresponding PD session at
core.
At the current stage, the accounting is applied to RPC capabilities,
signal-context capabilities, and dataspace capabilities. Capabilities
that are dynamically allocated via core's CPU and TRACE service are not
yet covered. Also, the capabilities allocated by resource multiplexers
outside of core (like nitpicker) must be accounted by the respective
servers, which is not covered yet.
If a component runs out of capabilities, core's PD service prints a
warning to the log. To observe the consumption of capabilities per
component in detail, the PD service is equipped with a diagnostic
mode, which can be enabled via the 'diag' attribute in the target
node of init's routing rules. E.g., the following route enables the
diagnostic mode for the PD session of the "timer" component:
<default-route>
<service name="PD" unscoped_label="timer">
<parent diag="yes"/>
</service>
...
</default-route>
For subsystems based on a sub-init instance, init can be configured
to report the capability-quota information of its subsystems by
adding the attribute 'child_caps="yes"' to init's '<report>'
config node. Init's own capability quota can be reported by adding
the attribute 'init_caps="yes"'.
Fixes #2398
2017-05-08 21:35:43 +02:00
|
|
|
|
2017-03-08 10:21:49 +01:00
|
|
|
size_t const keep_quota = route.service.factory().session_costs();
|
|
|
|
|
2017-05-08 01:33:40 +02:00
|
|
|
if (ram_quota.value < keep_quota)
|
2017-05-08 14:32:03 +02:00
|
|
|
throw Genode::Insufficient_ram_quota();
|
2017-03-08 10:21:49 +01:00
|
|
|
|
2017-05-08 01:33:40 +02:00
|
|
|
Ram_quota const forward_ram_quota { ram_quota.value - keep_quota };
|
2017-03-08 10:21:49 +01:00
|
|
|
|
2017-05-08 01:33:40 +02:00
|
|
|
Arg_string::set_arg(argbuf, sizeof(argbuf), "ram_quota", forward_ram_quota.value);
|
2017-03-08 10:21:49 +01:00
|
|
|
|
|
|
|
Session_state &session =
|
|
|
|
route.service.create_session(route.service.factory(),
|
2017-05-08 16:49:00 +02:00
|
|
|
_client_id_space, id, route.label,
|
|
|
|
argbuf, Affinity());
|
2017-03-08 10:21:49 +01:00
|
|
|
|
|
|
|
/* transfer session quota */
|
2017-05-08 16:49:00 +02:00
|
|
|
try {
|
2019-01-21 10:48:39 +01:00
|
|
|
Ram_transfer::Remote_account env_ram_account(_env.pd(), _env.pd_session_cap());
|
|
|
|
Cap_transfer::Remote_account env_cap_account(_env.pd(), _env.pd_session_cap());
|
2017-05-08 16:49:00 +02:00
|
|
|
|
|
|
|
Ram_transfer ram_transfer(forward_ram_quota, env_ram_account, route.service);
|
Capability quota accounting and trading
This patch mirrors the accounting and trading scheme that Genode employs
for physical memory to the accounting of capability allocations.
Capability quotas must now be explicitly assigned to subsystems by
specifying a 'caps=<amount>' attribute to init's start nodes.
Analogously to RAM quotas, cap quotas can be traded between clients and
servers as part of the session protocol. The capability budget of each
component is maintained by the component's corresponding PD session at
core.
At the current stage, the accounting is applied to RPC capabilities,
signal-context capabilities, and dataspace capabilities. Capabilities
that are dynamically allocated via core's CPU and TRACE service are not
yet covered. Also, the capabilities allocated by resource multiplexers
outside of core (like nitpicker) must be accounted by the respective
servers, which is not covered yet.
If a component runs out of capabilities, core's PD service prints a
warning to the log. To observe the consumption of capabilities per
component in detail, the PD service is equipped with a diagnostic
mode, which can be enabled via the 'diag' attribute in the target
node of init's routing rules. E.g., the following route enables the
diagnostic mode for the PD session of the "timer" component:
<default-route>
<service name="PD" unscoped_label="timer">
<parent diag="yes"/>
</service>
...
</default-route>
For subsystems based on a sub-init instance, init can be configured
to report the capability-quota information of its subsystems by
adding the attribute 'child_caps="yes"' to init's '<report>'
config node. Init's own capability quota can be reported by adding
the attribute 'init_caps="yes"'.
Fixes #2398
2017-05-08 21:35:43 +02:00
|
|
|
Cap_transfer cap_transfer(cap_quota, env_cap_account, route.service);
|
2017-03-08 10:21:49 +01:00
|
|
|
|
2017-05-08 16:49:00 +02:00
|
|
|
ram_transfer.acknowledge();
|
Capability quota accounting and trading
This patch mirrors the accounting and trading scheme that Genode employs
for physical memory to the accounting of capability allocations.
Capability quotas must now be explicitly assigned to subsystems by
specifying a 'caps=<amount>' attribute to init's start nodes.
Analogously to RAM quotas, cap quotas can be traded between clients and
servers as part of the session protocol. The capability budget of each
component is maintained by the component's corresponding PD session at
core.
At the current stage, the accounting is applied to RPC capabilities,
signal-context capabilities, and dataspace capabilities. Capabilities
that are dynamically allocated via core's CPU and TRACE service are not
yet covered. Also, the capabilities allocated by resource multiplexers
outside of core (like nitpicker) must be accounted by the respective
servers, which is not covered yet.
If a component runs out of capabilities, core's PD service prints a
warning to the log. To observe the consumption of capabilities per
component in detail, the PD service is equipped with a diagnostic
mode, which can be enabled via the 'diag' attribute in the target
node of init's routing rules. E.g., the following route enables the
diagnostic mode for the PD session of the "timer" component:
<default-route>
<service name="PD" unscoped_label="timer">
<parent diag="yes"/>
</service>
...
</default-route>
For subsystems based on a sub-init instance, init can be configured
to report the capability-quota information of its subsystems by
adding the attribute 'child_caps="yes"' to init's '<report>'
config node. Init's own capability quota can be reported by adding
the attribute 'init_caps="yes"'.
Fixes #2398
2017-05-08 21:35:43 +02:00
|
|
|
cap_transfer.acknowledge();
|
2017-05-08 16:49:00 +02:00
|
|
|
}
|
|
|
|
catch (...) {
|
2017-03-08 10:21:49 +01:00
|
|
|
/*
|
|
|
|
* This should never happen unless our parent missed to
|
|
|
|
* transfor the session quota to us prior issuing the session
|
|
|
|
* request.
|
|
|
|
*/
|
Capability quota accounting and trading
This patch mirrors the accounting and trading scheme that Genode employs
for physical memory to the accounting of capability allocations.
Capability quotas must now be explicitly assigned to subsystems by
specifying a 'caps=<amount>' attribute to init's start nodes.
Analogously to RAM quotas, cap quotas can be traded between clients and
servers as part of the session protocol. The capability budget of each
component is maintained by the component's corresponding PD session at
core.
At the current stage, the accounting is applied to RPC capabilities,
signal-context capabilities, and dataspace capabilities. Capabilities
that are dynamically allocated via core's CPU and TRACE service are not
yet covered. Also, the capabilities allocated by resource multiplexers
outside of core (like nitpicker) must be accounted by the respective
servers, which is not covered yet.
If a component runs out of capabilities, core's PD service prints a
warning to the log. To observe the consumption of capabilities per
component in detail, the PD service is equipped with a diagnostic
mode, which can be enabled via the 'diag' attribute in the target
node of init's routing rules. E.g., the following route enables the
diagnostic mode for the PD session of the "timer" component:
<default-route>
<service name="PD" unscoped_label="timer">
<parent diag="yes"/>
</service>
...
</default-route>
For subsystems based on a sub-init instance, init can be configured
to report the capability-quota information of its subsystems by
adding the attribute 'child_caps="yes"' to init's '<report>'
config node. Init's own capability quota can be reported by adding
the attribute 'init_caps="yes"'.
Fixes #2398
2017-05-08 21:35:43 +02:00
|
|
|
warning("unable to transfer session quota "
|
|
|
|
"(", ram_quota, " bytes, ", cap_quota, " caps) "
|
2017-03-08 10:21:49 +01:00
|
|
|
"of forwarded ", name, " session");
|
|
|
|
session.destroy();
|
Streamline exception types
This patch reduces the number of exception types by facilitating
globally defined exceptions for common usage patterns shared by most
services. In particular, RPC functions that demand a session-resource
upgrade not longer reflect this condition via a session-specific
exception but via the 'Out_of_ram' or 'Out_of_caps' types.
Furthermore, the 'Parent::Service_denied', 'Parent::Unavailable',
'Root::Invalid_args', 'Root::Unavailable', 'Service::Invalid_args',
'Service::Unavailable', and 'Local_service::Factory::Denied' types have
been replaced by the single 'Service_denied' exception type defined in
'session/session.h'.
This consolidation eases the error handling (there are fewer exceptions
to handle), alleviates the need to convert exceptions along the
session-creation call chain, and avoids possible aliasing problems
(catching the wrong type with the same name but living in a different
scope).
2017-05-07 22:03:22 +02:00
|
|
|
throw Service_denied();
|
2017-03-08 10:21:49 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
session.ready_callback = this;
|
|
|
|
session.closed_callback = this;
|
|
|
|
|
|
|
|
/* initiate request */
|
|
|
|
route.service.initiate_request(session);
|
|
|
|
|
|
|
|
/* if request was not handled synchronously, kick off async operation */
|
|
|
|
if (session.phase == Session_state::CREATE_REQUESTED)
|
|
|
|
route.service.wakeup();
|
|
|
|
|
Streamline exception types
This patch reduces the number of exception types by facilitating
globally defined exceptions for common usage patterns shared by most
services. In particular, RPC functions that demand a session-resource
upgrade not longer reflect this condition via a session-specific
exception but via the 'Out_of_ram' or 'Out_of_caps' types.
Furthermore, the 'Parent::Service_denied', 'Parent::Unavailable',
'Root::Invalid_args', 'Root::Unavailable', 'Service::Invalid_args',
'Service::Unavailable', and 'Local_service::Factory::Denied' types have
been replaced by the single 'Service_denied' exception type defined in
'session/session.h'.
This consolidation eases the error handling (there are fewer exceptions
to handle), alleviates the need to convert exceptions along the
session-creation call chain, and avoids possible aliasing problems
(catching the wrong type with the same name but living in a different
scope).
2017-05-07 22:03:22 +02:00
|
|
|
if (session.phase == Session_state::SERVICE_DENIED)
|
|
|
|
throw Service_denied();
|
2017-03-08 10:21:49 +01:00
|
|
|
|
2017-05-08 14:32:03 +02:00
|
|
|
if (session.phase == Session_state::INSUFFICIENT_RAM_QUOTA)
|
Streamline exception types
This patch reduces the number of exception types by facilitating
globally defined exceptions for common usage patterns shared by most
services. In particular, RPC functions that demand a session-resource
upgrade not longer reflect this condition via a session-specific
exception but via the 'Out_of_ram' or 'Out_of_caps' types.
Furthermore, the 'Parent::Service_denied', 'Parent::Unavailable',
'Root::Invalid_args', 'Root::Unavailable', 'Service::Invalid_args',
'Service::Unavailable', and 'Local_service::Factory::Denied' types have
been replaced by the single 'Service_denied' exception type defined in
'session/session.h'.
This consolidation eases the error handling (there are fewer exceptions
to handle), alleviates the need to convert exceptions along the
session-creation call chain, and avoids possible aliasing problems
(catching the wrong type with the same name but living in a different
scope).
2017-05-07 22:03:22 +02:00
|
|
|
throw Insufficient_ram_quota();
|
Capability quota accounting and trading
This patch mirrors the accounting and trading scheme that Genode employs
for physical memory to the accounting of capability allocations.
Capability quotas must now be explicitly assigned to subsystems by
specifying a 'caps=<amount>' attribute to init's start nodes.
Analogously to RAM quotas, cap quotas can be traded between clients and
servers as part of the session protocol. The capability budget of each
component is maintained by the component's corresponding PD session at
core.
At the current stage, the accounting is applied to RPC capabilities,
signal-context capabilities, and dataspace capabilities. Capabilities
that are dynamically allocated via core's CPU and TRACE service are not
yet covered. Also, the capabilities allocated by resource multiplexers
outside of core (like nitpicker) must be accounted by the respective
servers, which is not covered yet.
If a component runs out of capabilities, core's PD service prints a
warning to the log. To observe the consumption of capabilities per
component in detail, the PD service is equipped with a diagnostic
mode, which can be enabled via the 'diag' attribute in the target
node of init's routing rules. E.g., the following route enables the
diagnostic mode for the PD session of the "timer" component:
<default-route>
<service name="PD" unscoped_label="timer">
<parent diag="yes"/>
</service>
...
</default-route>
For subsystems based on a sub-init instance, init can be configured
to report the capability-quota information of its subsystems by
adding the attribute 'child_caps="yes"' to init's '<report>'
config node. Init's own capability quota can be reported by adding
the attribute 'init_caps="yes"'.
Fixes #2398
2017-05-08 21:35:43 +02:00
|
|
|
|
|
|
|
if (session.phase == Session_state::INSUFFICIENT_CAP_QUOTA)
|
Streamline exception types
This patch reduces the number of exception types by facilitating
globally defined exceptions for common usage patterns shared by most
services. In particular, RPC functions that demand a session-resource
upgrade not longer reflect this condition via a session-specific
exception but via the 'Out_of_ram' or 'Out_of_caps' types.
Furthermore, the 'Parent::Service_denied', 'Parent::Unavailable',
'Root::Invalid_args', 'Root::Unavailable', 'Service::Invalid_args',
'Service::Unavailable', and 'Local_service::Factory::Denied' types have
been replaced by the single 'Service_denied' exception type defined in
'session/session.h'.
This consolidation eases the error handling (there are fewer exceptions
to handle), alleviates the need to convert exceptions along the
session-creation call chain, and avoids possible aliasing problems
(catching the wrong type with the same name but living in a different
scope).
2017-05-07 22:03:22 +02:00
|
|
|
throw Insufficient_cap_quota();
|
2017-03-08 10:21:49 +01:00
|
|
|
}
|
Streamline exception types
This patch reduces the number of exception types by facilitating
globally defined exceptions for common usage patterns shared by most
services. In particular, RPC functions that demand a session-resource
upgrade not longer reflect this condition via a session-specific
exception but via the 'Out_of_ram' or 'Out_of_caps' types.
Furthermore, the 'Parent::Service_denied', 'Parent::Unavailable',
'Root::Invalid_args', 'Root::Unavailable', 'Service::Invalid_args',
'Service::Unavailable', and 'Local_service::Factory::Denied' types have
been replaced by the single 'Service_denied' exception type defined in
'session/session.h'.
This consolidation eases the error handling (there are fewer exceptions
to handle), alleviates the need to convert exceptions along the
session-creation call chain, and avoids possible aliasing problems
(catching the wrong type with the same name but living in a different
scope).
2017-05-07 22:03:22 +02:00
|
|
|
catch (Service_denied) {
|
2017-05-08 16:49:00 +02:00
|
|
|
_env.parent().session_response(Parent::Server::Id { id.value },
|
Streamline exception types
This patch reduces the number of exception types by facilitating
globally defined exceptions for common usage patterns shared by most
services. In particular, RPC functions that demand a session-resource
upgrade not longer reflect this condition via a session-specific
exception but via the 'Out_of_ram' or 'Out_of_caps' types.
Furthermore, the 'Parent::Service_denied', 'Parent::Unavailable',
'Root::Invalid_args', 'Root::Unavailable', 'Service::Invalid_args',
'Service::Unavailable', and 'Local_service::Factory::Denied' types have
been replaced by the single 'Service_denied' exception type defined in
'session/session.h'.
This consolidation eases the error handling (there are fewer exceptions
to handle), alleviates the need to convert exceptions along the
session-creation call chain, and avoids possible aliasing problems
(catching the wrong type with the same name but living in a different
scope).
2017-05-07 22:03:22 +02:00
|
|
|
Parent::SERVICE_DENIED); }
|
|
|
|
catch (Insufficient_ram_quota) {
|
2017-05-08 16:49:00 +02:00
|
|
|
_env.parent().session_response(Parent::Server::Id { id.value },
|
|
|
|
Parent::INSUFFICIENT_RAM_QUOTA); }
|
Streamline exception types
This patch reduces the number of exception types by facilitating
globally defined exceptions for common usage patterns shared by most
services. In particular, RPC functions that demand a session-resource
upgrade not longer reflect this condition via a session-specific
exception but via the 'Out_of_ram' or 'Out_of_caps' types.
Furthermore, the 'Parent::Service_denied', 'Parent::Unavailable',
'Root::Invalid_args', 'Root::Unavailable', 'Service::Invalid_args',
'Service::Unavailable', and 'Local_service::Factory::Denied' types have
been replaced by the single 'Service_denied' exception type defined in
'session/session.h'.
This consolidation eases the error handling (there are fewer exceptions
to handle), alleviates the need to convert exceptions along the
session-creation call chain, and avoids possible aliasing problems
(catching the wrong type with the same name but living in a different
scope).
2017-05-07 22:03:22 +02:00
|
|
|
catch (Insufficient_cap_quota) {
|
Capability quota accounting and trading
This patch mirrors the accounting and trading scheme that Genode employs
for physical memory to the accounting of capability allocations.
Capability quotas must now be explicitly assigned to subsystems by
specifying a 'caps=<amount>' attribute to init's start nodes.
Analogously to RAM quotas, cap quotas can be traded between clients and
servers as part of the session protocol. The capability budget of each
component is maintained by the component's corresponding PD session at
core.
At the current stage, the accounting is applied to RPC capabilities,
signal-context capabilities, and dataspace capabilities. Capabilities
that are dynamically allocated via core's CPU and TRACE service are not
yet covered. Also, the capabilities allocated by resource multiplexers
outside of core (like nitpicker) must be accounted by the respective
servers, which is not covered yet.
If a component runs out of capabilities, core's PD service prints a
warning to the log. To observe the consumption of capabilities per
component in detail, the PD service is equipped with a diagnostic
mode, which can be enabled via the 'diag' attribute in the target
node of init's routing rules. E.g., the following route enables the
diagnostic mode for the PD session of the "timer" component:
<default-route>
<service name="PD" unscoped_label="timer">
<parent diag="yes"/>
</service>
...
</default-route>
For subsystems based on a sub-init instance, init can be configured
to report the capability-quota information of its subsystems by
adding the attribute 'child_caps="yes"' to init's '<report>'
config node. Init's own capability quota can be reported by adding
the attribute 'init_caps="yes"'.
Fixes #2398
2017-05-08 21:35:43 +02:00
|
|
|
_env.parent().session_response(Parent::Server::Id { id.value },
|
|
|
|
Parent::INSUFFICIENT_CAP_QUOTA); }
|
2017-06-30 15:21:29 +02:00
|
|
|
catch (Service_not_present) { /* keep request pending */ }
|
2017-03-08 10:21:49 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
void Init::Server::_handle_upgrade_session_request(Xml_node request,
|
|
|
|
Parent::Client::Id id)
|
|
|
|
{
|
|
|
|
_client_id_space.apply<Session_state>(id, [&] (Session_state &session) {
|
|
|
|
|
2017-05-08 01:33:40 +02:00
|
|
|
Ram_quota const ram_quota { request.attribute_value("ram_quota", 0UL) };
|
Capability quota accounting and trading
This patch mirrors the accounting and trading scheme that Genode employs
for physical memory to the accounting of capability allocations.
Capability quotas must now be explicitly assigned to subsystems by
specifying a 'caps=<amount>' attribute to init's start nodes.
Analogously to RAM quotas, cap quotas can be traded between clients and
servers as part of the session protocol. The capability budget of each
component is maintained by the component's corresponding PD session at
core.
At the current stage, the accounting is applied to RPC capabilities,
signal-context capabilities, and dataspace capabilities. Capabilities
that are dynamically allocated via core's CPU and TRACE service are not
yet covered. Also, the capabilities allocated by resource multiplexers
outside of core (like nitpicker) must be accounted by the respective
servers, which is not covered yet.
If a component runs out of capabilities, core's PD service prints a
warning to the log. To observe the consumption of capabilities per
component in detail, the PD service is equipped with a diagnostic
mode, which can be enabled via the 'diag' attribute in the target
node of init's routing rules. E.g., the following route enables the
diagnostic mode for the PD session of the "timer" component:
<default-route>
<service name="PD" unscoped_label="timer">
<parent diag="yes"/>
</service>
...
</default-route>
For subsystems based on a sub-init instance, init can be configured
to report the capability-quota information of its subsystems by
adding the attribute 'child_caps="yes"' to init's '<report>'
config node. Init's own capability quota can be reported by adding
the attribute 'init_caps="yes"'.
Fixes #2398
2017-05-08 21:35:43 +02:00
|
|
|
Cap_quota const cap_quota { request.attribute_value("cap_quota", 0UL) };
|
2017-03-08 10:21:49 +01:00
|
|
|
|
|
|
|
session.phase = Session_state::UPGRADE_REQUESTED;
|
|
|
|
|
2017-05-08 12:33:56 +02:00
|
|
|
try {
|
2019-01-21 10:48:39 +01:00
|
|
|
Ram_transfer::Remote_account env_ram_account(_env.pd(), _env.pd_session_cap());
|
|
|
|
Cap_transfer::Remote_account env_cap_account(_env.pd(), _env.pd_session_cap());
|
2017-05-08 16:49:00 +02:00
|
|
|
|
|
|
|
Ram_transfer ram_transfer(ram_quota, env_ram_account, session.service());
|
Capability quota accounting and trading
This patch mirrors the accounting and trading scheme that Genode employs
for physical memory to the accounting of capability allocations.
Capability quotas must now be explicitly assigned to subsystems by
specifying a 'caps=<amount>' attribute to init's start nodes.
Analogously to RAM quotas, cap quotas can be traded between clients and
servers as part of the session protocol. The capability budget of each
component is maintained by the component's corresponding PD session at
core.
At the current stage, the accounting is applied to RPC capabilities,
signal-context capabilities, and dataspace capabilities. Capabilities
that are dynamically allocated via core's CPU and TRACE service are not
yet covered. Also, the capabilities allocated by resource multiplexers
outside of core (like nitpicker) must be accounted by the respective
servers, which is not covered yet.
If a component runs out of capabilities, core's PD service prints a
warning to the log. To observe the consumption of capabilities per
component in detail, the PD service is equipped with a diagnostic
mode, which can be enabled via the 'diag' attribute in the target
node of init's routing rules. E.g., the following route enables the
diagnostic mode for the PD session of the "timer" component:
<default-route>
<service name="PD" unscoped_label="timer">
<parent diag="yes"/>
</service>
...
</default-route>
For subsystems based on a sub-init instance, init can be configured
to report the capability-quota information of its subsystems by
adding the attribute 'child_caps="yes"' to init's '<report>'
config node. Init's own capability quota can be reported by adding
the attribute 'init_caps="yes"'.
Fixes #2398
2017-05-08 21:35:43 +02:00
|
|
|
Cap_transfer cap_transfer(cap_quota, env_cap_account, session.service());
|
2017-05-08 16:49:00 +02:00
|
|
|
|
|
|
|
ram_transfer.acknowledge();
|
Capability quota accounting and trading
This patch mirrors the accounting and trading scheme that Genode employs
for physical memory to the accounting of capability allocations.
Capability quotas must now be explicitly assigned to subsystems by
specifying a 'caps=<amount>' attribute to init's start nodes.
Analogously to RAM quotas, cap quotas can be traded between clients and
servers as part of the session protocol. The capability budget of each
component is maintained by the component's corresponding PD session at
core.
At the current stage, the accounting is applied to RPC capabilities,
signal-context capabilities, and dataspace capabilities. Capabilities
that are dynamically allocated via core's CPU and TRACE service are not
yet covered. Also, the capabilities allocated by resource multiplexers
outside of core (like nitpicker) must be accounted by the respective
servers, which is not covered yet.
If a component runs out of capabilities, core's PD service prints a
warning to the log. To observe the consumption of capabilities per
component in detail, the PD service is equipped with a diagnostic
mode, which can be enabled via the 'diag' attribute in the target
node of init's routing rules. E.g., the following route enables the
diagnostic mode for the PD session of the "timer" component:
<default-route>
<service name="PD" unscoped_label="timer">
<parent diag="yes"/>
</service>
...
</default-route>
For subsystems based on a sub-init instance, init can be configured
to report the capability-quota information of its subsystems by
adding the attribute 'child_caps="yes"' to init's '<report>'
config node. Init's own capability quota can be reported by adding
the attribute 'init_caps="yes"'.
Fixes #2398
2017-05-08 21:35:43 +02:00
|
|
|
cap_transfer.acknowledge();
|
2017-05-08 12:33:56 +02:00
|
|
|
}
|
|
|
|
catch (...) {
|
Capability quota accounting and trading
This patch mirrors the accounting and trading scheme that Genode employs
for physical memory to the accounting of capability allocations.
Capability quotas must now be explicitly assigned to subsystems by
specifying a 'caps=<amount>' attribute to init's start nodes.
Analogously to RAM quotas, cap quotas can be traded between clients and
servers as part of the session protocol. The capability budget of each
component is maintained by the component's corresponding PD session at
core.
At the current stage, the accounting is applied to RPC capabilities,
signal-context capabilities, and dataspace capabilities. Capabilities
that are dynamically allocated via core's CPU and TRACE service are not
yet covered. Also, the capabilities allocated by resource multiplexers
outside of core (like nitpicker) must be accounted by the respective
servers, which is not covered yet.
If a component runs out of capabilities, core's PD service prints a
warning to the log. To observe the consumption of capabilities per
component in detail, the PD service is equipped with a diagnostic
mode, which can be enabled via the 'diag' attribute in the target
node of init's routing rules. E.g., the following route enables the
diagnostic mode for the PD session of the "timer" component:
<default-route>
<service name="PD" unscoped_label="timer">
<parent diag="yes"/>
</service>
...
</default-route>
For subsystems based on a sub-init instance, init can be configured
to report the capability-quota information of its subsystems by
adding the attribute 'child_caps="yes"' to init's '<report>'
config node. Init's own capability quota can be reported by adding
the attribute 'init_caps="yes"'.
Fixes #2398
2017-05-08 21:35:43 +02:00
|
|
|
warning("unable to upgrade session quota "
|
|
|
|
"(", ram_quota, " bytes, ", cap_quota, " caps) "
|
2017-03-08 10:21:49 +01:00
|
|
|
"of forwarded ", session.service().name(), " session");
|
|
|
|
return;
|
|
|
|
}
|
|
|
|
|
Capability quota accounting and trading
This patch mirrors the accounting and trading scheme that Genode employs
for physical memory to the accounting of capability allocations.
Capability quotas must now be explicitly assigned to subsystems by
specifying a 'caps=<amount>' attribute to init's start nodes.
Analogously to RAM quotas, cap quotas can be traded between clients and
servers as part of the session protocol. The capability budget of each
component is maintained by the component's corresponding PD session at
core.
At the current stage, the accounting is applied to RPC capabilities,
signal-context capabilities, and dataspace capabilities. Capabilities
that are dynamically allocated via core's CPU and TRACE service are not
yet covered. Also, the capabilities allocated by resource multiplexers
outside of core (like nitpicker) must be accounted by the respective
servers, which is not covered yet.
If a component runs out of capabilities, core's PD service prints a
warning to the log. To observe the consumption of capabilities per
component in detail, the PD service is equipped with a diagnostic
mode, which can be enabled via the 'diag' attribute in the target
node of init's routing rules. E.g., the following route enables the
diagnostic mode for the PD session of the "timer" component:
<default-route>
<service name="PD" unscoped_label="timer">
<parent diag="yes"/>
</service>
...
</default-route>
For subsystems based on a sub-init instance, init can be configured
to report the capability-quota information of its subsystems by
adding the attribute 'child_caps="yes"' to init's '<report>'
config node. Init's own capability quota can be reported by adding
the attribute 'init_caps="yes"'.
Fixes #2398
2017-05-08 21:35:43 +02:00
|
|
|
session.increase_donated_quota(ram_quota, cap_quota);
|
2017-03-08 10:21:49 +01:00
|
|
|
session.service().initiate_request(session);
|
|
|
|
session.service().wakeup();
|
|
|
|
});
|
|
|
|
}
|
|
|
|
|
|
|
|
|
Follow practices suggested by "Effective C++"
The patch adjust the code of the base, base-<kernel>, and os repository.
To adapt existing components to fix violations of the best practices
suggested by "Effective C++" as reported by the -Weffc++ compiler
argument. The changes follow the patterns outlined below:
* A class with virtual functions can no longer publicly inherit base
classed without a vtable. The inherited object may either be moved
to a member variable, or inherited privately. The latter would be
used for classes that inherit 'List::Element' or 'Avl_node'. In order
to enable the 'List' and 'Avl_tree' to access the meta data, the
'List' must become a friend.
* Instead of adding a virtual destructor to abstract base classes,
we inherit the new 'Interface' class, which contains a virtual
destructor. This way, single-line abstract base classes can stay
as compact as they are now. The 'Interface' utility resides in
base/include/util/interface.h.
* With the new warnings enabled, all member variables must be explicitly
initialized. Basic types may be initialized with '='. All other types
are initialized with braces '{ ... }' or as class initializers. If
basic types and non-basic types appear in a row, it is nice to only
use the brace syntax (also for basic types) and align the braces.
* If a class contains pointers as members, it must now also provide a
copy constructor and assignment operator. In the most cases, one
would make them private, effectively disallowing the objects to be
copied. Unfortunately, this warning cannot be fixed be inheriting
our existing 'Noncopyable' class (the compiler fails to detect that
the inheriting class cannot be copied and still gives the error).
For now, we have to manually add declarations for both the copy
constructor and assignment operator as private class members. Those
declarations should be prepended with a comment like this:
/*
* Noncopyable
*/
Thread(Thread const &);
Thread &operator = (Thread const &);
In the future, we should revisit these places and try to replace
the pointers with references. In the presence of at least one
reference member, the compiler would no longer implicitly generate
a copy constructor. So we could remove the manual declaration.
Issue #465
2017-12-21 15:42:15 +01:00
|
|
|
void Init::Server::_handle_close_session_request(Xml_node, Parent::Client::Id id)
|
2017-03-08 10:21:49 +01:00
|
|
|
{
|
|
|
|
_client_id_space.apply<Session_state>(id, [&] (Session_state &session) {
|
|
|
|
close_session(session); });
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
void Init::Server::_handle_session_request(Xml_node request)
|
|
|
|
{
|
|
|
|
if (!request.has_attribute("id"))
|
|
|
|
return;
|
|
|
|
|
|
|
|
/*
|
|
|
|
* We use the 'Parent::Server::Id' of the incoming request as the
|
|
|
|
* 'Parent::Client::Id' of the forwarded request.
|
|
|
|
*/
|
|
|
|
Parent::Client::Id const id { request.attribute_value("id", 0UL) };
|
|
|
|
|
|
|
|
if (request.has_type("create"))
|
|
|
|
_handle_create_session_request(request, id);
|
|
|
|
|
|
|
|
if (request.has_type("upgrade"))
|
|
|
|
_handle_upgrade_session_request(request, id);
|
|
|
|
|
|
|
|
if (request.has_type("close"))
|
|
|
|
_handle_close_session_request(request, id);
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
void Init::Server::_handle_session_requests()
|
|
|
|
{
|
|
|
|
_session_requests->update();
|
|
|
|
|
|
|
|
Xml_node const requests = _session_requests->xml();
|
|
|
|
|
|
|
|
requests.for_each_sub_node([&] (Xml_node request) {
|
2017-10-19 16:07:28 +02:00
|
|
|
_handle_session_request(request); });
|
2017-03-08 10:21:49 +01:00
|
|
|
|
|
|
|
_report_update_trigger.trigger_report_update();
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
void Init::Server::apply_config(Xml_node config)
|
|
|
|
{
|
|
|
|
_services.for_each([&] (Service &service) { destroy(_alloc, &service); });
|
|
|
|
|
|
|
|
config.for_each_sub_node("service", [&] (Xml_node node) {
|
|
|
|
new (_alloc) Service(_services, _alloc, node, _child_services); });
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Construct mechanics for responding to our parent's session requests
|
|
|
|
* on demand.
|
|
|
|
*/
|
|
|
|
bool services_provided = false;
|
|
|
|
_services.for_each([&] (Service const &) { services_provided = true; });
|
|
|
|
|
|
|
|
if (services_provided && !_session_requests.constructed()) {
|
|
|
|
_session_requests.construct(_env, "session_requests");
|
|
|
|
_session_request_handler.construct(_env.ep(), *this,
|
|
|
|
&Server::_handle_session_requests);
|
|
|
|
_session_requests->sigh(*_session_request_handler);
|
|
|
|
}
|
|
|
|
|
2017-06-30 15:21:29 +02:00
|
|
|
/*
|
|
|
|
* Try to resolve pending session requests that may become serviceable with
|
|
|
|
* the new configuration.
|
|
|
|
*/
|
|
|
|
if (services_provided && _session_requests.constructed())
|
|
|
|
_handle_session_requests();
|
|
|
|
|
2017-03-08 10:21:49 +01:00
|
|
|
/*
|
|
|
|
* Re-validate routes of existing sessions, close sessions whose routes
|
|
|
|
* changed.
|
|
|
|
*/
|
|
|
|
_client_id_space.for_each<Session_state>([&] (Session_state &session) {
|
|
|
|
try {
|
|
|
|
Route const route = _resolve_session_request(session.service().name(),
|
|
|
|
session.client_label());
|
|
|
|
|
|
|
|
bool const route_unchanged = (route.service == session.service())
|
|
|
|
&& (route.label == session.label());
|
|
|
|
if (!route_unchanged)
|
Streamline exception types
This patch reduces the number of exception types by facilitating
globally defined exceptions for common usage patterns shared by most
services. In particular, RPC functions that demand a session-resource
upgrade not longer reflect this condition via a session-specific
exception but via the 'Out_of_ram' or 'Out_of_caps' types.
Furthermore, the 'Parent::Service_denied', 'Parent::Unavailable',
'Root::Invalid_args', 'Root::Unavailable', 'Service::Invalid_args',
'Service::Unavailable', and 'Local_service::Factory::Denied' types have
been replaced by the single 'Service_denied' exception type defined in
'session/session.h'.
This consolidation eases the error handling (there are fewer exceptions
to handle), alleviates the need to convert exceptions along the
session-creation call chain, and avoids possible aliasing problems
(catching the wrong type with the same name but living in a different
scope).
2017-05-07 22:03:22 +02:00
|
|
|
throw Service_denied();
|
2017-03-08 10:21:49 +01:00
|
|
|
}
|
2017-06-30 15:21:29 +02:00
|
|
|
catch (Service_denied) { close_session(session); }
|
|
|
|
catch (Service_not_present) { close_session(session); }
|
2017-03-08 10:21:49 +01:00
|
|
|
});
|
|
|
|
}
|