2015-12-23 15:22:33 +01:00
|
|
|
/*
|
|
|
|
* \brief Component bootstrap
|
|
|
|
* \author Norman Feske
|
|
|
|
* \author Christian Helmuth
|
|
|
|
* \date 2016-01-13
|
|
|
|
*/
|
|
|
|
|
|
|
|
/*
|
2017-02-20 13:23:52 +01:00
|
|
|
* Copyright (C) 2016-2017 Genode Labs GmbH
|
2015-12-23 15:22:33 +01:00
|
|
|
*
|
|
|
|
* This file is part of the Genode OS framework, which is distributed
|
2017-02-20 13:23:52 +01:00
|
|
|
* under the terms of the GNU Affero General Public License version 3.
|
2015-12-23 15:22:33 +01:00
|
|
|
*/
|
|
|
|
|
|
|
|
/* Genode includes */
|
base: remove Child::heap
This patch improves the accounting for the backing store of
session-state meta data. Originally, the session state used to be
allocated by a child-local heap partition fed from the child's RAM
session. However, whereas this approach was somehow practical from a
runtime's (parent's) point of view, the child component could not count
on the quota in its own RAM session. I.e., if the Child::heap grew at
the parent side, the child's RAM session would magically diminish. This
caused two problems. First, it violates assumptions of components like
init that carefully manage their RAM resources (and giving most of them
away their children). Second, if a child transfers most of its RAM
session quota to another RAM session (like init does), the child's RAM
session may actually not allow the parent's heap to grow, which is a
very difficult error condition to deal with.
In the new version, there is no Child::heap anymore. Instead, session
states are allocated from the runtime's RAM session. In order to let
children pay for these costs, the parent withdraws the local session
costs from the session quota donated from the child when the child
initiates a new session. Hence, in principle, all components on the
route of the session request take a small bite from the session quota to
pay for their local book keeping
Consequently, the session quota that ends up at the server may become
depleted more or less, depending on the route. In the case where the
remaining quota is insufficient for the server, the server responds with
'QUOTA_EXCEEDED'. Since this behavior must generally be expected, this
patch equips the client-side 'Env::session' implementation with the
ability to re-issue session requests with successively growing quota
donations.
For several of core's services (ROM, IO_MEM, IRQ), the default session
quota has now increased by 2 KiB, which should suffice for session
requests to up to 3 hops as is the common case for most run scripts. For
longer routes, the retry mechanism as described above comes into effect.
For the time being, we give a warning whenever the server-side quota
check triggers the retry mechanism. The warning may eventually be
removed at a later stage.
2017-02-19 10:31:50 +01:00
|
|
|
#include <util/retry.h>
|
2015-12-23 15:22:33 +01:00
|
|
|
#include <base/component.h>
|
2016-11-06 14:26:34 +01:00
|
|
|
#include <base/connection.h>
|
|
|
|
#include <base/service.h>
|
2015-12-23 15:22:33 +01:00
|
|
|
#include <base/env.h>
|
|
|
|
|
2016-10-30 15:17:24 +01:00
|
|
|
/* base-internal includes */
|
|
|
|
#include <base/internal/globals.h>
|
|
|
|
|
2016-11-06 14:26:34 +01:00
|
|
|
/*
|
|
|
|
* XXX remove this pointer once 'Env_deprecated' is removed
|
|
|
|
*/
|
|
|
|
static Genode::Env *env_ptr = nullptr;
|
2015-12-23 15:22:33 +01:00
|
|
|
|
2017-03-15 15:40:55 +01:00
|
|
|
/**
|
|
|
|
* Excecute pending static constructors
|
|
|
|
*
|
|
|
|
* The weak function is used for statically linked binaries. The dynamic linker
|
|
|
|
* provides the real implementation for dynamically linked components.
|
|
|
|
*/
|
|
|
|
void Genode::exec_static_constructors() __attribute__((weak));
|
|
|
|
void Genode::exec_static_constructors() { }
|
|
|
|
|
2015-12-23 15:22:33 +01:00
|
|
|
namespace {
|
|
|
|
|
2016-11-06 14:26:34 +01:00
|
|
|
using namespace Genode;
|
|
|
|
|
2016-04-27 22:11:38 +02:00
|
|
|
struct Env : Genode::Env
|
2015-12-23 15:22:33 +01:00
|
|
|
{
|
|
|
|
Genode::Entrypoint &_ep;
|
|
|
|
|
2017-01-09 15:18:49 +01:00
|
|
|
Genode::Parent &_parent = *env_deprecated()->parent();
|
2016-11-06 14:26:34 +01:00
|
|
|
|
|
|
|
/**
|
|
|
|
* Lock for serializing 'session' and 'close'
|
|
|
|
*/
|
|
|
|
Genode::Lock _lock;
|
|
|
|
|
|
|
|
/**
|
|
|
|
* Utility to used block for single signal
|
|
|
|
*/
|
|
|
|
struct Blockade
|
|
|
|
{
|
|
|
|
Parent &_parent;
|
|
|
|
Genode::Signal_receiver _sig_rec;
|
|
|
|
Genode::Signal_context _sig_ctx;
|
|
|
|
|
|
|
|
Blockade(Parent &parent) : _parent(parent)
|
|
|
|
{
|
|
|
|
_parent.session_sigh(_sig_rec.manage(&_sig_ctx));
|
|
|
|
}
|
|
|
|
|
|
|
|
void block() { _sig_rec.wait_for_signal(); }
|
|
|
|
};
|
2015-12-23 15:22:33 +01:00
|
|
|
|
2016-12-01 17:37:08 +01:00
|
|
|
Constructible<Blockade> _session_blockade;
|
2016-11-06 14:26:34 +01:00
|
|
|
|
|
|
|
Env(Genode::Entrypoint &ep) : _ep(ep) { env_ptr = this; }
|
|
|
|
|
|
|
|
Genode::Parent &parent() override { return _parent; }
|
2017-01-09 15:18:49 +01:00
|
|
|
Genode::Ram_session &ram() override { return *Genode::env_deprecated()->ram_session(); }
|
|
|
|
Genode::Cpu_session &cpu() override { return *Genode::env_deprecated()->cpu_session(); }
|
|
|
|
Genode::Region_map &rm() override { return *Genode::env_deprecated()->rm_session(); }
|
|
|
|
Genode::Pd_session &pd() override { return *Genode::env_deprecated()->pd_session(); }
|
2015-12-23 15:22:33 +01:00
|
|
|
Genode::Entrypoint &ep() override { return _ep; }
|
|
|
|
|
|
|
|
Genode::Ram_session_capability ram_session_cap() override
|
|
|
|
{
|
2017-01-09 15:18:49 +01:00
|
|
|
return Genode::env_deprecated()->ram_session_cap();
|
2015-12-23 15:22:33 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
Genode::Cpu_session_capability cpu_session_cap() override
|
|
|
|
{
|
2017-01-09 15:18:49 +01:00
|
|
|
return Genode::env_deprecated()->cpu_session_cap();
|
2015-12-23 15:22:33 +01:00
|
|
|
}
|
2016-10-30 15:17:24 +01:00
|
|
|
|
|
|
|
Genode::Pd_session_capability pd_session_cap() override
|
|
|
|
{
|
2017-01-09 15:18:49 +01:00
|
|
|
return Genode::env_deprecated()->pd_session_cap();
|
2016-10-30 15:17:24 +01:00
|
|
|
}
|
2016-11-06 14:26:34 +01:00
|
|
|
|
|
|
|
Genode::Id_space<Parent::Client> &id_space() override
|
|
|
|
{
|
|
|
|
return Genode::env_session_id_space();
|
|
|
|
}
|
|
|
|
|
|
|
|
void _block_for_session()
|
|
|
|
{
|
|
|
|
/*
|
|
|
|
* Construct blockade lazily be avoid it being used in core where
|
|
|
|
* all session requests are immediately answered.
|
|
|
|
*/
|
|
|
|
if (!_session_blockade.constructed())
|
|
|
|
_session_blockade.construct(_parent);
|
|
|
|
|
|
|
|
_session_blockade->block();
|
|
|
|
}
|
|
|
|
|
|
|
|
Session_capability session(Parent::Service_name const &name,
|
|
|
|
Parent::Client::Id id,
|
|
|
|
Parent::Session_args const &args,
|
|
|
|
Affinity const &affinity) override
|
|
|
|
{
|
|
|
|
Lock::Guard guard(_lock);
|
|
|
|
|
base: remove Child::heap
This patch improves the accounting for the backing store of
session-state meta data. Originally, the session state used to be
allocated by a child-local heap partition fed from the child's RAM
session. However, whereas this approach was somehow practical from a
runtime's (parent's) point of view, the child component could not count
on the quota in its own RAM session. I.e., if the Child::heap grew at
the parent side, the child's RAM session would magically diminish. This
caused two problems. First, it violates assumptions of components like
init that carefully manage their RAM resources (and giving most of them
away their children). Second, if a child transfers most of its RAM
session quota to another RAM session (like init does), the child's RAM
session may actually not allow the parent's heap to grow, which is a
very difficult error condition to deal with.
In the new version, there is no Child::heap anymore. Instead, session
states are allocated from the runtime's RAM session. In order to let
children pay for these costs, the parent withdraws the local session
costs from the session quota donated from the child when the child
initiates a new session. Hence, in principle, all components on the
route of the session request take a small bite from the session quota to
pay for their local book keeping
Consequently, the session quota that ends up at the server may become
depleted more or less, depending on the route. In the case where the
remaining quota is insufficient for the server, the server responds with
'QUOTA_EXCEEDED'. Since this behavior must generally be expected, this
patch equips the client-side 'Env::session' implementation with the
ability to re-issue session requests with successively growing quota
donations.
For several of core's services (ROM, IO_MEM, IRQ), the default session
quota has now increased by 2 KiB, which should suffice for session
requests to up to 3 hops as is the common case for most run scripts. For
longer routes, the retry mechanism as described above comes into effect.
For the time being, we give a warning whenever the server-side quota
check triggers the retry mechanism. The warning may eventually be
removed at a later stage.
2017-02-19 10:31:50 +01:00
|
|
|
/*
|
|
|
|
* Since we account for the backing store for session meta data on
|
|
|
|
* the route between client and server, the session quota provided
|
|
|
|
* by the client may become successively diminished by intermediate
|
|
|
|
* components, prompting the server to deny the session request.
|
|
|
|
*
|
|
|
|
* If the session creation failed due to insufficient session
|
|
|
|
* quota, we try to repeatedly increase the quota up to
|
|
|
|
* 'NUM_ATTEMPTS'.
|
|
|
|
*/
|
|
|
|
enum { NUM_ATTEMPTS = 10 };
|
|
|
|
|
|
|
|
/* extract session quota as specified by the 'Connection' */
|
|
|
|
char argbuf[Parent::Session_args::MAX_SIZE];
|
|
|
|
strncpy(argbuf, args.string(), sizeof(argbuf));
|
2017-05-08 01:33:40 +02:00
|
|
|
Ram_quota ram_quota = ram_quota_from_args(argbuf);
|
base: remove Child::heap
This patch improves the accounting for the backing store of
session-state meta data. Originally, the session state used to be
allocated by a child-local heap partition fed from the child's RAM
session. However, whereas this approach was somehow practical from a
runtime's (parent's) point of view, the child component could not count
on the quota in its own RAM session. I.e., if the Child::heap grew at
the parent side, the child's RAM session would magically diminish. This
caused two problems. First, it violates assumptions of components like
init that carefully manage their RAM resources (and giving most of them
away their children). Second, if a child transfers most of its RAM
session quota to another RAM session (like init does), the child's RAM
session may actually not allow the parent's heap to grow, which is a
very difficult error condition to deal with.
In the new version, there is no Child::heap anymore. Instead, session
states are allocated from the runtime's RAM session. In order to let
children pay for these costs, the parent withdraws the local session
costs from the session quota donated from the child when the child
initiates a new session. Hence, in principle, all components on the
route of the session request take a small bite from the session quota to
pay for their local book keeping
Consequently, the session quota that ends up at the server may become
depleted more or less, depending on the route. In the case where the
remaining quota is insufficient for the server, the server responds with
'QUOTA_EXCEEDED'. Since this behavior must generally be expected, this
patch equips the client-side 'Env::session' implementation with the
ability to re-issue session requests with successively growing quota
donations.
For several of core's services (ROM, IO_MEM, IRQ), the default session
quota has now increased by 2 KiB, which should suffice for session
requests to up to 3 hops as is the common case for most run scripts. For
longer routes, the retry mechanism as described above comes into effect.
For the time being, we give a warning whenever the server-side quota
check triggers the retry mechanism. The warning may eventually be
removed at a later stage.
2017-02-19 10:31:50 +01:00
|
|
|
|
2017-05-08 14:32:03 +02:00
|
|
|
return retry<Insufficient_ram_quota>(
|
2017-05-08 01:33:40 +02:00
|
|
|
[&] () {
|
base: remove Child::heap
This patch improves the accounting for the backing store of
session-state meta data. Originally, the session state used to be
allocated by a child-local heap partition fed from the child's RAM
session. However, whereas this approach was somehow practical from a
runtime's (parent's) point of view, the child component could not count
on the quota in its own RAM session. I.e., if the Child::heap grew at
the parent side, the child's RAM session would magically diminish. This
caused two problems. First, it violates assumptions of components like
init that carefully manage their RAM resources (and giving most of them
away their children). Second, if a child transfers most of its RAM
session quota to another RAM session (like init does), the child's RAM
session may actually not allow the parent's heap to grow, which is a
very difficult error condition to deal with.
In the new version, there is no Child::heap anymore. Instead, session
states are allocated from the runtime's RAM session. In order to let
children pay for these costs, the parent withdraws the local session
costs from the session quota donated from the child when the child
initiates a new session. Hence, in principle, all components on the
route of the session request take a small bite from the session quota to
pay for their local book keeping
Consequently, the session quota that ends up at the server may become
depleted more or less, depending on the route. In the case where the
remaining quota is insufficient for the server, the server responds with
'QUOTA_EXCEEDED'. Since this behavior must generally be expected, this
patch equips the client-side 'Env::session' implementation with the
ability to re-issue session requests with successively growing quota
donations.
For several of core's services (ROM, IO_MEM, IRQ), the default session
quota has now increased by 2 KiB, which should suffice for session
requests to up to 3 hops as is the common case for most run scripts. For
longer routes, the retry mechanism as described above comes into effect.
For the time being, we give a warning whenever the server-side quota
check triggers the retry mechanism. The warning may eventually be
removed at a later stage.
2017-02-19 10:31:50 +01:00
|
|
|
|
2017-05-08 01:33:40 +02:00
|
|
|
Arg_string::set_arg(argbuf, sizeof(argbuf), "ram_quota",
|
|
|
|
String<32>(ram_quota).string());
|
base: remove Child::heap
This patch improves the accounting for the backing store of
session-state meta data. Originally, the session state used to be
allocated by a child-local heap partition fed from the child's RAM
session. However, whereas this approach was somehow practical from a
runtime's (parent's) point of view, the child component could not count
on the quota in its own RAM session. I.e., if the Child::heap grew at
the parent side, the child's RAM session would magically diminish. This
caused two problems. First, it violates assumptions of components like
init that carefully manage their RAM resources (and giving most of them
away their children). Second, if a child transfers most of its RAM
session quota to another RAM session (like init does), the child's RAM
session may actually not allow the parent's heap to grow, which is a
very difficult error condition to deal with.
In the new version, there is no Child::heap anymore. Instead, session
states are allocated from the runtime's RAM session. In order to let
children pay for these costs, the parent withdraws the local session
costs from the session quota donated from the child when the child
initiates a new session. Hence, in principle, all components on the
route of the session request take a small bite from the session quota to
pay for their local book keeping
Consequently, the session quota that ends up at the server may become
depleted more or less, depending on the route. In the case where the
remaining quota is insufficient for the server, the server responds with
'QUOTA_EXCEEDED'. Since this behavior must generally be expected, this
patch equips the client-side 'Env::session' implementation with the
ability to re-issue session requests with successively growing quota
donations.
For several of core's services (ROM, IO_MEM, IRQ), the default session
quota has now increased by 2 KiB, which should suffice for session
requests to up to 3 hops as is the common case for most run scripts. For
longer routes, the retry mechanism as described above comes into effect.
For the time being, we give a warning whenever the server-side quota
check triggers the retry mechanism. The warning may eventually be
removed at a later stage.
2017-02-19 10:31:50 +01:00
|
|
|
|
2017-05-08 01:33:40 +02:00
|
|
|
Session_capability cap =
|
|
|
|
_parent.session(id, name, Parent::Session_args(argbuf), affinity);
|
base: remove Child::heap
This patch improves the accounting for the backing store of
session-state meta data. Originally, the session state used to be
allocated by a child-local heap partition fed from the child's RAM
session. However, whereas this approach was somehow practical from a
runtime's (parent's) point of view, the child component could not count
on the quota in its own RAM session. I.e., if the Child::heap grew at
the parent side, the child's RAM session would magically diminish. This
caused two problems. First, it violates assumptions of components like
init that carefully manage their RAM resources (and giving most of them
away their children). Second, if a child transfers most of its RAM
session quota to another RAM session (like init does), the child's RAM
session may actually not allow the parent's heap to grow, which is a
very difficult error condition to deal with.
In the new version, there is no Child::heap anymore. Instead, session
states are allocated from the runtime's RAM session. In order to let
children pay for these costs, the parent withdraws the local session
costs from the session quota donated from the child when the child
initiates a new session. Hence, in principle, all components on the
route of the session request take a small bite from the session quota to
pay for their local book keeping
Consequently, the session quota that ends up at the server may become
depleted more or less, depending on the route. In the case where the
remaining quota is insufficient for the server, the server responds with
'QUOTA_EXCEEDED'. Since this behavior must generally be expected, this
patch equips the client-side 'Env::session' implementation with the
ability to re-issue session requests with successively growing quota
donations.
For several of core's services (ROM, IO_MEM, IRQ), the default session
quota has now increased by 2 KiB, which should suffice for session
requests to up to 3 hops as is the common case for most run scripts. For
longer routes, the retry mechanism as described above comes into effect.
For the time being, we give a warning whenever the server-side quota
check triggers the retry mechanism. The warning may eventually be
removed at a later stage.
2017-02-19 10:31:50 +01:00
|
|
|
|
2017-05-08 01:33:40 +02:00
|
|
|
if (cap.valid())
|
|
|
|
return cap;
|
base: remove Child::heap
This patch improves the accounting for the backing store of
session-state meta data. Originally, the session state used to be
allocated by a child-local heap partition fed from the child's RAM
session. However, whereas this approach was somehow practical from a
runtime's (parent's) point of view, the child component could not count
on the quota in its own RAM session. I.e., if the Child::heap grew at
the parent side, the child's RAM session would magically diminish. This
caused two problems. First, it violates assumptions of components like
init that carefully manage their RAM resources (and giving most of them
away their children). Second, if a child transfers most of its RAM
session quota to another RAM session (like init does), the child's RAM
session may actually not allow the parent's heap to grow, which is a
very difficult error condition to deal with.
In the new version, there is no Child::heap anymore. Instead, session
states are allocated from the runtime's RAM session. In order to let
children pay for these costs, the parent withdraws the local session
costs from the session quota donated from the child when the child
initiates a new session. Hence, in principle, all components on the
route of the session request take a small bite from the session quota to
pay for their local book keeping
Consequently, the session quota that ends up at the server may become
depleted more or less, depending on the route. In the case where the
remaining quota is insufficient for the server, the server responds with
'QUOTA_EXCEEDED'. Since this behavior must generally be expected, this
patch equips the client-side 'Env::session' implementation with the
ability to re-issue session requests with successively growing quota
donations.
For several of core's services (ROM, IO_MEM, IRQ), the default session
quota has now increased by 2 KiB, which should suffice for session
requests to up to 3 hops as is the common case for most run scripts. For
longer routes, the retry mechanism as described above comes into effect.
For the time being, we give a warning whenever the server-side quota
check triggers the retry mechanism. The warning may eventually be
removed at a later stage.
2017-02-19 10:31:50 +01:00
|
|
|
|
2017-05-08 01:33:40 +02:00
|
|
|
_block_for_session();
|
|
|
|
return _parent.session_cap(id);
|
|
|
|
},
|
|
|
|
[&] () {
|
base: remove Child::heap
This patch improves the accounting for the backing store of
session-state meta data. Originally, the session state used to be
allocated by a child-local heap partition fed from the child's RAM
session. However, whereas this approach was somehow practical from a
runtime's (parent's) point of view, the child component could not count
on the quota in its own RAM session. I.e., if the Child::heap grew at
the parent side, the child's RAM session would magically diminish. This
caused two problems. First, it violates assumptions of components like
init that carefully manage their RAM resources (and giving most of them
away their children). Second, if a child transfers most of its RAM
session quota to another RAM session (like init does), the child's RAM
session may actually not allow the parent's heap to grow, which is a
very difficult error condition to deal with.
In the new version, there is no Child::heap anymore. Instead, session
states are allocated from the runtime's RAM session. In order to let
children pay for these costs, the parent withdraws the local session
costs from the session quota donated from the child when the child
initiates a new session. Hence, in principle, all components on the
route of the session request take a small bite from the session quota to
pay for their local book keeping
Consequently, the session quota that ends up at the server may become
depleted more or less, depending on the route. In the case where the
remaining quota is insufficient for the server, the server responds with
'QUOTA_EXCEEDED'. Since this behavior must generally be expected, this
patch equips the client-side 'Env::session' implementation with the
ability to re-issue session requests with successively growing quota
donations.
For several of core's services (ROM, IO_MEM, IRQ), the default session
quota has now increased by 2 KiB, which should suffice for session
requests to up to 3 hops as is the common case for most run scripts. For
longer routes, the retry mechanism as described above comes into effect.
For the time being, we give a warning whenever the server-side quota
check triggers the retry mechanism. The warning may eventually be
removed at a later stage.
2017-02-19 10:31:50 +01:00
|
|
|
/*
|
|
|
|
* If our RAM session has less quota available than the
|
|
|
|
* session quota, the session-quota transfer failed. In
|
|
|
|
* this case, we try to recover by issuing a resource
|
|
|
|
* request to the parent.
|
|
|
|
*
|
|
|
|
* Otherwise, the session-quota transfer succeeded but
|
|
|
|
* the request was denied by the server.
|
|
|
|
*/
|
2017-05-08 01:33:40 +02:00
|
|
|
if (ram_quota.value > ram().avail_ram().value) {
|
|
|
|
Parent::Resource_args args(String<64>("ram_quota=", ram_quota));
|
|
|
|
_parent.resource_request(args);
|
base: remove Child::heap
This patch improves the accounting for the backing store of
session-state meta data. Originally, the session state used to be
allocated by a child-local heap partition fed from the child's RAM
session. However, whereas this approach was somehow practical from a
runtime's (parent's) point of view, the child component could not count
on the quota in its own RAM session. I.e., if the Child::heap grew at
the parent side, the child's RAM session would magically diminish. This
caused two problems. First, it violates assumptions of components like
init that carefully manage their RAM resources (and giving most of them
away their children). Second, if a child transfers most of its RAM
session quota to another RAM session (like init does), the child's RAM
session may actually not allow the parent's heap to grow, which is a
very difficult error condition to deal with.
In the new version, there is no Child::heap anymore. Instead, session
states are allocated from the runtime's RAM session. In order to let
children pay for these costs, the parent withdraws the local session
costs from the session quota donated from the child when the child
initiates a new session. Hence, in principle, all components on the
route of the session request take a small bite from the session quota to
pay for their local book keeping
Consequently, the session quota that ends up at the server may become
depleted more or less, depending on the route. In the case where the
remaining quota is insufficient for the server, the server responds with
'QUOTA_EXCEEDED'. Since this behavior must generally be expected, this
patch equips the client-side 'Env::session' implementation with the
ability to re-issue session requests with successively growing quota
donations.
For several of core's services (ROM, IO_MEM, IRQ), the default session
quota has now increased by 2 KiB, which should suffice for session
requests to up to 3 hops as is the common case for most run scripts. For
longer routes, the retry mechanism as described above comes into effect.
For the time being, we give a warning whenever the server-side quota
check triggers the retry mechanism. The warning may eventually be
removed at a later stage.
2017-02-19 10:31:50 +01:00
|
|
|
} else {
|
2017-05-08 01:33:40 +02:00
|
|
|
ram_quota = Ram_quota { ram_quota.value + 4096 };
|
base: remove Child::heap
This patch improves the accounting for the backing store of
session-state meta data. Originally, the session state used to be
allocated by a child-local heap partition fed from the child's RAM
session. However, whereas this approach was somehow practical from a
runtime's (parent's) point of view, the child component could not count
on the quota in its own RAM session. I.e., if the Child::heap grew at
the parent side, the child's RAM session would magically diminish. This
caused two problems. First, it violates assumptions of components like
init that carefully manage their RAM resources (and giving most of them
away their children). Second, if a child transfers most of its RAM
session quota to another RAM session (like init does), the child's RAM
session may actually not allow the parent's heap to grow, which is a
very difficult error condition to deal with.
In the new version, there is no Child::heap anymore. Instead, session
states are allocated from the runtime's RAM session. In order to let
children pay for these costs, the parent withdraws the local session
costs from the session quota donated from the child when the child
initiates a new session. Hence, in principle, all components on the
route of the session request take a small bite from the session quota to
pay for their local book keeping
Consequently, the session quota that ends up at the server may become
depleted more or less, depending on the route. In the case where the
remaining quota is insufficient for the server, the server responds with
'QUOTA_EXCEEDED'. Since this behavior must generally be expected, this
patch equips the client-side 'Env::session' implementation with the
ability to re-issue session requests with successively growing quota
donations.
For several of core's services (ROM, IO_MEM, IRQ), the default session
quota has now increased by 2 KiB, which should suffice for session
requests to up to 3 hops as is the common case for most run scripts. For
longer routes, the retry mechanism as described above comes into effect.
For the time being, we give a warning whenever the server-side quota
check triggers the retry mechanism. The warning may eventually be
removed at a later stage.
2017-02-19 10:31:50 +01:00
|
|
|
}
|
2017-05-08 01:33:40 +02:00
|
|
|
},
|
|
|
|
NUM_ATTEMPTS);
|
base: remove Child::heap
This patch improves the accounting for the backing store of
session-state meta data. Originally, the session state used to be
allocated by a child-local heap partition fed from the child's RAM
session. However, whereas this approach was somehow practical from a
runtime's (parent's) point of view, the child component could not count
on the quota in its own RAM session. I.e., if the Child::heap grew at
the parent side, the child's RAM session would magically diminish. This
caused two problems. First, it violates assumptions of components like
init that carefully manage their RAM resources (and giving most of them
away their children). Second, if a child transfers most of its RAM
session quota to another RAM session (like init does), the child's RAM
session may actually not allow the parent's heap to grow, which is a
very difficult error condition to deal with.
In the new version, there is no Child::heap anymore. Instead, session
states are allocated from the runtime's RAM session. In order to let
children pay for these costs, the parent withdraws the local session
costs from the session quota donated from the child when the child
initiates a new session. Hence, in principle, all components on the
route of the session request take a small bite from the session quota to
pay for their local book keeping
Consequently, the session quota that ends up at the server may become
depleted more or less, depending on the route. In the case where the
remaining quota is insufficient for the server, the server responds with
'QUOTA_EXCEEDED'. Since this behavior must generally be expected, this
patch equips the client-side 'Env::session' implementation with the
ability to re-issue session requests with successively growing quota
donations.
For several of core's services (ROM, IO_MEM, IRQ), the default session
quota has now increased by 2 KiB, which should suffice for session
requests to up to 3 hops as is the common case for most run scripts. For
longer routes, the retry mechanism as described above comes into effect.
For the time being, we give a warning whenever the server-side quota
check triggers the retry mechanism. The warning may eventually be
removed at a later stage.
2017-02-19 10:31:50 +01:00
|
|
|
|
|
|
|
warning("giving up to increase session quota for ", name.string(), " session "
|
|
|
|
"after ", (int)NUM_ATTEMPTS, " attempts");
|
|
|
|
|
2017-05-08 14:32:03 +02:00
|
|
|
throw Insufficient_ram_quota();
|
2016-11-06 14:26:34 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
void upgrade(Parent::Client::Id id, Parent::Upgrade_args const &args) override
|
|
|
|
{
|
|
|
|
Lock::Guard guard(_lock);
|
|
|
|
|
|
|
|
if (_parent.upgrade(id, args) == Parent::UPGRADE_PENDING)
|
|
|
|
_block_for_session();
|
|
|
|
}
|
|
|
|
|
|
|
|
void close(Parent::Client::Id id) override
|
|
|
|
{
|
|
|
|
Lock::Guard guard(_lock);
|
|
|
|
|
|
|
|
if (_parent.close(id) == Parent::CLOSE_PENDING)
|
|
|
|
_block_for_session();
|
|
|
|
}
|
2017-03-15 15:40:55 +01:00
|
|
|
|
|
|
|
void exec_static_constructors() override
|
|
|
|
{
|
|
|
|
Genode::exec_static_constructors();
|
|
|
|
}
|
2015-12-23 15:22:33 +01:00
|
|
|
};
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
namespace Genode {
|
|
|
|
|
|
|
|
struct Startup;
|
|
|
|
|
|
|
|
extern void bootstrap_component();
|
2016-11-06 14:26:34 +01:00
|
|
|
|
|
|
|
Env &internal_env()
|
|
|
|
{
|
|
|
|
class Env_ptr_not_initialized { };
|
|
|
|
if (!env_ptr)
|
|
|
|
throw Env_ptr_not_initialized();
|
|
|
|
|
|
|
|
return *env_ptr;
|
|
|
|
}
|
2015-12-23 15:22:33 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
|
2016-12-22 15:01:19 +01:00
|
|
|
Genode::size_t Component::stack_size() __attribute__((weak));
|
|
|
|
Genode::size_t Component::stack_size() { return 64*1024; }
|
|
|
|
|
|
|
|
|
2015-12-23 15:22:33 +01:00
|
|
|
/*
|
|
|
|
* We need to execute the constructor of the main entrypoint from a
|
|
|
|
* class called 'Startup' as 'Startup' is a friend of 'Entrypoint'.
|
|
|
|
*/
|
|
|
|
struct Genode::Startup
|
|
|
|
{
|
2016-04-27 22:11:38 +02:00
|
|
|
::Env env { ep };
|
2015-12-23 15:22:33 +01:00
|
|
|
|
2016-10-30 15:17:24 +01:00
|
|
|
bool const exception_handling = (init_exception_handling(env), true);
|
|
|
|
|
2015-12-23 15:22:33 +01:00
|
|
|
/*
|
|
|
|
* The construction of the main entrypoint does never return.
|
|
|
|
*/
|
|
|
|
Entrypoint ep { env };
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
|
|
void Genode::bootstrap_component()
|
|
|
|
{
|
|
|
|
static Startup startup;
|
|
|
|
|
|
|
|
/* never reached */
|
|
|
|
}
|