2017-03-08 10:21:49 +01:00
|
|
|
/*
|
|
|
|
* \brief Server role of init, forwarding session requests to children
|
|
|
|
* \author Norman Feske
|
|
|
|
* \date 2017-03-07
|
|
|
|
*/
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Copyright (C) 2017 Genode Labs GmbH
|
|
|
|
*
|
|
|
|
* This file is part of the Genode OS framework, which is distributed
|
|
|
|
* under the terms of the GNU Affero General Public License version 3.
|
|
|
|
*/
|
|
|
|
|
|
|
|
/* Genode includes */
|
Capability quota accounting and trading
This patch mirrors the accounting and trading scheme that Genode employs
for physical memory to the accounting of capability allocations.
Capability quotas must now be explicitly assigned to subsystems by
specifying a 'caps=<amount>' attribute to init's start nodes.
Analogously to RAM quotas, cap quotas can be traded between clients and
servers as part of the session protocol. The capability budget of each
component is maintained by the component's corresponding PD session at
core.
At the current stage, the accounting is applied to RPC capabilities,
signal-context capabilities, and dataspace capabilities. Capabilities
that are dynamically allocated via core's CPU and TRACE service are not
yet covered. Also, the capabilities allocated by resource multiplexers
outside of core (like nitpicker) must be accounted by the respective
servers, which is not covered yet.
If a component runs out of capabilities, core's PD service prints a
warning to the log. To observe the consumption of capabilities per
component in detail, the PD service is equipped with a diagnostic
mode, which can be enabled via the 'diag' attribute in the target
node of init's routing rules. E.g., the following route enables the
diagnostic mode for the PD session of the "timer" component:
<default-route>
<service name="PD" unscoped_label="timer">
<parent diag="yes"/>
</service>
...
</default-route>
For subsystems based on a sub-init instance, init can be configured
to report the capability-quota information of its subsystems by
adding the attribute 'child_caps="yes"' to init's '<report>'
config node. Init's own capability quota can be reported by adding
the attribute 'init_caps="yes"'.
Fixes #2398
2017-05-08 21:35:43 +02:00
|
|
|
#include <base/quota_transfer.h>
|
2017-03-08 10:21:49 +01:00
|
|
|
#include <os/session_policy.h>
|
|
|
|
|
|
|
|
/* local includes */
|
2017-11-13 16:25:37 +01:00
|
|
|
#include "server.h"
|
2017-03-08 10:21:49 +01:00
|
|
|
|
|
|
|
|
2020-01-09 21:23:19 +01:00
|
|
|
/******************************
|
|
|
|
** Sandbox::Server::Service **
|
|
|
|
**********...*****************/
|
2017-03-08 10:21:49 +01:00
|
|
|
|
2020-01-09 21:23:19 +01:00
|
|
|
struct Sandbox::Server::Service
|
2017-03-08 10:21:49 +01:00
|
|
|
{
|
|
|
|
Registry<Service>::Element _registry_element;
|
|
|
|
|
|
|
|
Buffered_xml _service_node;
|
|
|
|
|
|
|
|
typedef Genode::Service::Name Name;
|
|
|
|
|
|
|
|
Registry<Routed_service> &_child_services;
|
|
|
|
|
|
|
|
Name const _name { _service_node.xml().attribute_value("name", Name()) };
|
|
|
|
|
|
|
|
/**
|
|
|
|
* Constructor
|
|
|
|
*
|
|
|
|
* \param alloc allocator used for buffering the 'service_node'
|
|
|
|
*/
|
|
|
|
Service(Registry<Service> &services,
|
|
|
|
Allocator &alloc,
|
|
|
|
Xml_node service_node,
|
|
|
|
Registry<Routed_service> &child_services)
|
|
|
|
:
|
|
|
|
_registry_element(services, *this),
|
|
|
|
_service_node(alloc, service_node),
|
|
|
|
_child_services(child_services)
|
|
|
|
{ }
|
|
|
|
|
|
|
|
/**
|
|
|
|
* Determine route to child service for a given label according
|
|
|
|
* to the <service> node policy
|
|
|
|
*
|
Streamline exception types
This patch reduces the number of exception types by facilitating
globally defined exceptions for common usage patterns shared by most
services. In particular, RPC functions that demand a session-resource
upgrade not longer reflect this condition via a session-specific
exception but via the 'Out_of_ram' or 'Out_of_caps' types.
Furthermore, the 'Parent::Service_denied', 'Parent::Unavailable',
'Root::Invalid_args', 'Root::Unavailable', 'Service::Invalid_args',
'Service::Unavailable', and 'Local_service::Factory::Denied' types have
been replaced by the single 'Service_denied' exception type defined in
'session/session.h'.
This consolidation eases the error handling (there are fewer exceptions
to handle), alleviates the need to convert exceptions along the
session-creation call chain, and avoids possible aliasing problems
(catching the wrong type with the same name but living in a different
scope).
2017-05-07 22:03:22 +02:00
|
|
|
* \throw Service_denied
|
2017-03-08 10:21:49 +01:00
|
|
|
*/
|
|
|
|
Route resolve_session_request(Session_label const &);
|
|
|
|
|
|
|
|
Name name() const { return _name; }
|
|
|
|
};
|
|
|
|
|
|
|
|
|
2020-01-09 21:23:19 +01:00
|
|
|
Sandbox::Server::Route
|
|
|
|
Sandbox::Server::Service::resolve_session_request(Session_label const &label)
|
2017-03-08 10:21:49 +01:00
|
|
|
{
|
|
|
|
try {
|
|
|
|
Session_policy policy(label, _service_node.xml());
|
|
|
|
|
|
|
|
if (!policy.has_sub_node("child"))
|
Streamline exception types
This patch reduces the number of exception types by facilitating
globally defined exceptions for common usage patterns shared by most
services. In particular, RPC functions that demand a session-resource
upgrade not longer reflect this condition via a session-specific
exception but via the 'Out_of_ram' or 'Out_of_caps' types.
Furthermore, the 'Parent::Service_denied', 'Parent::Unavailable',
'Root::Invalid_args', 'Root::Unavailable', 'Service::Invalid_args',
'Service::Unavailable', and 'Local_service::Factory::Denied' types have
been replaced by the single 'Service_denied' exception type defined in
'session/session.h'.
This consolidation eases the error handling (there are fewer exceptions
to handle), alleviates the need to convert exceptions along the
session-creation call chain, and avoids possible aliasing problems
(catching the wrong type with the same name but living in a different
scope).
2017-05-07 22:03:22 +02:00
|
|
|
throw Service_denied();
|
2017-03-08 10:21:49 +01:00
|
|
|
|
|
|
|
Xml_node target_node = policy.sub_node("child");
|
|
|
|
|
|
|
|
Child_policy::Name const child_name =
|
|
|
|
target_node.attribute_value("name", Child_policy::Name());
|
|
|
|
|
|
|
|
typedef String<Session_label::capacity()> Label;
|
|
|
|
Label const target_label =
|
|
|
|
target_node.attribute_value("label", Label(label.string()));
|
|
|
|
|
|
|
|
Routed_service *match = nullptr;
|
|
|
|
_child_services.for_each([&] (Routed_service &service) {
|
2017-03-31 18:22:24 +02:00
|
|
|
if (service.child_name() == child_name && service.name() == name())
|
2017-03-08 10:21:49 +01:00
|
|
|
match = &service; });
|
|
|
|
|
|
|
|
if (!match || match->abandoned())
|
Streamline exception types
This patch reduces the number of exception types by facilitating
globally defined exceptions for common usage patterns shared by most
services. In particular, RPC functions that demand a session-resource
upgrade not longer reflect this condition via a session-specific
exception but via the 'Out_of_ram' or 'Out_of_caps' types.
Furthermore, the 'Parent::Service_denied', 'Parent::Unavailable',
'Root::Invalid_args', 'Root::Unavailable', 'Service::Invalid_args',
'Service::Unavailable', and 'Local_service::Factory::Denied' types have
been replaced by the single 'Service_denied' exception type defined in
'session/session.h'.
This consolidation eases the error handling (there are fewer exceptions
to handle), alleviates the need to convert exceptions along the
session-creation call chain, and avoids possible aliasing problems
(catching the wrong type with the same name but living in a different
scope).
2017-05-07 22:03:22 +02:00
|
|
|
throw Service_denied();
|
2017-03-08 10:21:49 +01:00
|
|
|
|
|
|
|
return Route { *match, target_label };
|
|
|
|
}
|
|
|
|
catch (Session_policy::No_policy_defined) {
|
Streamline exception types
This patch reduces the number of exception types by facilitating
globally defined exceptions for common usage patterns shared by most
services. In particular, RPC functions that demand a session-resource
upgrade not longer reflect this condition via a session-specific
exception but via the 'Out_of_ram' or 'Out_of_caps' types.
Furthermore, the 'Parent::Service_denied', 'Parent::Unavailable',
'Root::Invalid_args', 'Root::Unavailable', 'Service::Invalid_args',
'Service::Unavailable', and 'Local_service::Factory::Denied' types have
been replaced by the single 'Service_denied' exception type defined in
'session/session.h'.
This consolidation eases the error handling (there are fewer exceptions
to handle), alleviates the need to convert exceptions along the
session-creation call chain, and avoids possible aliasing problems
(catching the wrong type with the same name but living in a different
scope).
2017-05-07 22:03:22 +02:00
|
|
|
throw Service_denied(); }
|
2017-03-08 10:21:49 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
|
2020-01-09 21:23:19 +01:00
|
|
|
/*********************
|
|
|
|
** Sandbox::Server **
|
|
|
|
*********************/
|
2017-03-08 10:21:49 +01:00
|
|
|
|
2020-01-09 21:23:19 +01:00
|
|
|
Sandbox::Server::Route
|
|
|
|
Sandbox::Server::_resolve_session_request(Service::Name const &service_name,
|
|
|
|
Session_label const &label)
|
2017-03-08 10:21:49 +01:00
|
|
|
{
|
|
|
|
Service *matching_service = nullptr;
|
|
|
|
_services.for_each([&] (Service &service) {
|
|
|
|
if (service.name() == service_name)
|
|
|
|
matching_service = &service; });
|
|
|
|
|
|
|
|
if (!matching_service)
|
2017-06-30 15:21:29 +02:00
|
|
|
throw Service_not_present();
|
2017-03-08 10:21:49 +01:00
|
|
|
|
|
|
|
return matching_service->resolve_session_request(label);
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
static void close_session(Genode::Session_state &session)
|
|
|
|
{
|
|
|
|
session.phase = Genode::Session_state::CLOSE_REQUESTED;
|
|
|
|
session.service().initiate_request(session);
|
|
|
|
session.service().wakeup();
|
|
|
|
}
|
|
|
|
|
|
|
|
|
2020-01-09 21:23:19 +01:00
|
|
|
void Sandbox::Server::session_ready(Session_state &session)
|
2017-03-08 10:21:49 +01:00
|
|
|
{
|
|
|
|
_report_update_trigger.trigger_report_update();
|
|
|
|
|
|
|
|
/*
|
|
|
|
* If 'session_ready' is called as response to a session-quota upgrade,
|
|
|
|
* the 'phase' is set to 'CAP_HANDED_OUT' by 'Child::session_response'.
|
|
|
|
* We just need to forward the state change to our parent.
|
|
|
|
*/
|
|
|
|
if (session.phase == Session_state::CAP_HANDED_OUT) {
|
|
|
|
Parent::Server::Id id { session.id_at_client().value };
|
|
|
|
_env.parent().session_response(id, Parent::SESSION_OK);
|
|
|
|
}
|
|
|
|
|
|
|
|
if (session.phase == Session_state::AVAILABLE) {
|
|
|
|
Parent::Server::Id id { session.id_at_client().value };
|
|
|
|
_env.parent().deliver_session_cap(id, session.cap);
|
|
|
|
session.phase = Session_state::CAP_HANDED_OUT;
|
|
|
|
}
|
2017-10-19 16:07:28 +02:00
|
|
|
|
|
|
|
if (session.phase == Session_state::SERVICE_DENIED)
|
|
|
|
_close_session(session, Parent::SERVICE_DENIED);
|
2017-11-10 15:10:01 +01:00
|
|
|
|
|
|
|
if (session.phase == Session_state::INSUFFICIENT_RAM_QUOTA)
|
|
|
|
_close_session(session, Parent::INSUFFICIENT_RAM_QUOTA);
|
|
|
|
|
|
|
|
if (session.phase == Session_state::INSUFFICIENT_CAP_QUOTA)
|
|
|
|
_close_session(session, Parent::INSUFFICIENT_CAP_QUOTA);
|
2017-03-08 10:21:49 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
|
2020-01-09 21:23:19 +01:00
|
|
|
void Sandbox::Server::_close_session(Session_state &session,
|
|
|
|
Parent::Session_response response)
|
2017-03-08 10:21:49 +01:00
|
|
|
{
|
|
|
|
_report_update_trigger.trigger_report_update();
|
|
|
|
|
2017-05-08 16:49:00 +02:00
|
|
|
Ram_transfer::Account &service_ram_account = session.service();
|
Capability quota accounting and trading
This patch mirrors the accounting and trading scheme that Genode employs
for physical memory to the accounting of capability allocations.
Capability quotas must now be explicitly assigned to subsystems by
specifying a 'caps=<amount>' attribute to init's start nodes.
Analogously to RAM quotas, cap quotas can be traded between clients and
servers as part of the session protocol. The capability budget of each
component is maintained by the component's corresponding PD session at
core.
At the current stage, the accounting is applied to RPC capabilities,
signal-context capabilities, and dataspace capabilities. Capabilities
that are dynamically allocated via core's CPU and TRACE service are not
yet covered. Also, the capabilities allocated by resource multiplexers
outside of core (like nitpicker) must be accounted by the respective
servers, which is not covered yet.
If a component runs out of capabilities, core's PD service prints a
warning to the log. To observe the consumption of capabilities per
component in detail, the PD service is equipped with a diagnostic
mode, which can be enabled via the 'diag' attribute in the target
node of init's routing rules. E.g., the following route enables the
diagnostic mode for the PD session of the "timer" component:
<default-route>
<service name="PD" unscoped_label="timer">
<parent diag="yes"/>
</service>
...
</default-route>
For subsystems based on a sub-init instance, init can be configured
to report the capability-quota information of its subsystems by
adding the attribute 'child_caps="yes"' to init's '<report>'
config node. Init's own capability quota can be reported by adding
the attribute 'init_caps="yes"'.
Fixes #2398
2017-05-08 21:35:43 +02:00
|
|
|
Cap_transfer::Account &service_cap_account = session.service();
|
2017-03-08 10:21:49 +01:00
|
|
|
|
2019-01-21 10:48:39 +01:00
|
|
|
service_ram_account.try_transfer(_env.pd_session_cap(),
|
2017-05-08 16:49:00 +02:00
|
|
|
session.donated_ram_quota());
|
|
|
|
|
Capability quota accounting and trading
This patch mirrors the accounting and trading scheme that Genode employs
for physical memory to the accounting of capability allocations.
Capability quotas must now be explicitly assigned to subsystems by
specifying a 'caps=<amount>' attribute to init's start nodes.
Analogously to RAM quotas, cap quotas can be traded between clients and
servers as part of the session protocol. The capability budget of each
component is maintained by the component's corresponding PD session at
core.
At the current stage, the accounting is applied to RPC capabilities,
signal-context capabilities, and dataspace capabilities. Capabilities
that are dynamically allocated via core's CPU and TRACE service are not
yet covered. Also, the capabilities allocated by resource multiplexers
outside of core (like nitpicker) must be accounted by the respective
servers, which is not covered yet.
If a component runs out of capabilities, core's PD service prints a
warning to the log. To observe the consumption of capabilities per
component in detail, the PD service is equipped with a diagnostic
mode, which can be enabled via the 'diag' attribute in the target
node of init's routing rules. E.g., the following route enables the
diagnostic mode for the PD session of the "timer" component:
<default-route>
<service name="PD" unscoped_label="timer">
<parent diag="yes"/>
</service>
...
</default-route>
For subsystems based on a sub-init instance, init can be configured
to report the capability-quota information of its subsystems by
adding the attribute 'child_caps="yes"' to init's '<report>'
config node. Init's own capability quota can be reported by adding
the attribute 'init_caps="yes"'.
Fixes #2398
2017-05-08 21:35:43 +02:00
|
|
|
service_cap_account.try_transfer(_env.pd_session_cap(),
|
|
|
|
session.donated_cap_quota());
|
|
|
|
|
2017-05-08 16:49:00 +02:00
|
|
|
Parent::Server::Id id { session.id_at_client().value };
|
2017-03-08 10:21:49 +01:00
|
|
|
|
|
|
|
session.destroy();
|
2017-05-08 16:49:00 +02:00
|
|
|
|
2017-10-19 16:07:28 +02:00
|
|
|
_env.parent().session_response(id, response);
|
|
|
|
}
|
|
|
|
|
|
|
|
|
2020-01-09 21:23:19 +01:00
|
|
|
void Sandbox::Server::session_closed(Session_state &session)
|
2017-10-19 16:07:28 +02:00
|
|
|
{
|
|
|
|
_close_session(session, Parent::SESSION_CLOSED);
|
2017-03-08 10:21:49 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
|
2020-01-09 21:23:19 +01:00
|
|
|
void Sandbox::Server::_handle_create_session_request(Xml_node request,
|
|
|
|
Parent::Client::Id id)
|
2017-03-08 10:21:49 +01:00
|
|
|
{
|
2017-06-30 15:21:29 +02:00
|
|
|
/*
|
|
|
|
* Ignore requests that are already successfully forwarded (by a prior call
|
|
|
|
* of '_handle_create_session_request') but still remain present in the
|
|
|
|
* 'session_requests' ROM because the server child has not responded yet.
|
|
|
|
*/
|
|
|
|
try {
|
|
|
|
_client_id_space.apply<Parent::Client>(id, [&] (Parent::Client const &) { });
|
|
|
|
return;
|
|
|
|
} catch (Id_space<Parent::Client>::Unknown_id) { /* normal case */ }
|
|
|
|
|
2017-03-08 10:21:49 +01:00
|
|
|
if (!request.has_sub_node("args"))
|
|
|
|
return;
|
|
|
|
|
|
|
|
typedef Session_state::Args Args;
|
|
|
|
Args const args = request.sub_node("args").decoded_content<Args>();
|
|
|
|
|
|
|
|
Service::Name const name = request.attribute_value("service", Service::Name());
|
|
|
|
|
|
|
|
Session_label const label = label_from_args(args.string());
|
|
|
|
|
|
|
|
try {
|
|
|
|
Route const route = _resolve_session_request(name, label);
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Reduce session quota by local session costs
|
|
|
|
*/
|
|
|
|
char argbuf[Parent::Session_args::MAX_SIZE];
|
|
|
|
strncpy(argbuf, args.string(), sizeof(argbuf));
|
|
|
|
|
Capability quota accounting and trading
This patch mirrors the accounting and trading scheme that Genode employs
for physical memory to the accounting of capability allocations.
Capability quotas must now be explicitly assigned to subsystems by
specifying a 'caps=<amount>' attribute to init's start nodes.
Analogously to RAM quotas, cap quotas can be traded between clients and
servers as part of the session protocol. The capability budget of each
component is maintained by the component's corresponding PD session at
core.
At the current stage, the accounting is applied to RPC capabilities,
signal-context capabilities, and dataspace capabilities. Capabilities
that are dynamically allocated via core's CPU and TRACE service are not
yet covered. Also, the capabilities allocated by resource multiplexers
outside of core (like nitpicker) must be accounted by the respective
servers, which is not covered yet.
If a component runs out of capabilities, core's PD service prints a
warning to the log. To observe the consumption of capabilities per
component in detail, the PD service is equipped with a diagnostic
mode, which can be enabled via the 'diag' attribute in the target
node of init's routing rules. E.g., the following route enables the
diagnostic mode for the PD session of the "timer" component:
<default-route>
<service name="PD" unscoped_label="timer">
<parent diag="yes"/>
</service>
...
</default-route>
For subsystems based on a sub-init instance, init can be configured
to report the capability-quota information of its subsystems by
adding the attribute 'child_caps="yes"' to init's '<report>'
config node. Init's own capability quota can be reported by adding
the attribute 'init_caps="yes"'.
Fixes #2398
2017-05-08 21:35:43 +02:00
|
|
|
Cap_quota const cap_quota = cap_quota_from_args(argbuf);
|
2017-05-08 01:33:40 +02:00
|
|
|
Ram_quota const ram_quota = ram_quota_from_args(argbuf);
|
Capability quota accounting and trading
This patch mirrors the accounting and trading scheme that Genode employs
for physical memory to the accounting of capability allocations.
Capability quotas must now be explicitly assigned to subsystems by
specifying a 'caps=<amount>' attribute to init's start nodes.
Analogously to RAM quotas, cap quotas can be traded between clients and
servers as part of the session protocol. The capability budget of each
component is maintained by the component's corresponding PD session at
core.
At the current stage, the accounting is applied to RPC capabilities,
signal-context capabilities, and dataspace capabilities. Capabilities
that are dynamically allocated via core's CPU and TRACE service are not
yet covered. Also, the capabilities allocated by resource multiplexers
outside of core (like nitpicker) must be accounted by the respective
servers, which is not covered yet.
If a component runs out of capabilities, core's PD service prints a
warning to the log. To observe the consumption of capabilities per
component in detail, the PD service is equipped with a diagnostic
mode, which can be enabled via the 'diag' attribute in the target
node of init's routing rules. E.g., the following route enables the
diagnostic mode for the PD session of the "timer" component:
<default-route>
<service name="PD" unscoped_label="timer">
<parent diag="yes"/>
</service>
...
</default-route>
For subsystems based on a sub-init instance, init can be configured
to report the capability-quota information of its subsystems by
adding the attribute 'child_caps="yes"' to init's '<report>'
config node. Init's own capability quota can be reported by adding
the attribute 'init_caps="yes"'.
Fixes #2398
2017-05-08 21:35:43 +02:00
|
|
|
|
2017-03-08 10:21:49 +01:00
|
|
|
size_t const keep_quota = route.service.factory().session_costs();
|
|
|
|
|
2017-05-08 01:33:40 +02:00
|
|
|
if (ram_quota.value < keep_quota)
|
2017-05-08 14:32:03 +02:00
|
|
|
throw Genode::Insufficient_ram_quota();
|
2017-03-08 10:21:49 +01:00
|
|
|
|
2017-05-08 01:33:40 +02:00
|
|
|
Ram_quota const forward_ram_quota { ram_quota.value - keep_quota };
|
2017-03-08 10:21:49 +01:00
|
|
|
|
2017-05-08 01:33:40 +02:00
|
|
|
Arg_string::set_arg(argbuf, sizeof(argbuf), "ram_quota", forward_ram_quota.value);
|
2017-03-08 10:21:49 +01:00
|
|
|
|
|
|
|
Session_state &session =
|
|
|
|
route.service.create_session(route.service.factory(),
|
2017-05-08 16:49:00 +02:00
|
|
|
_client_id_space, id, route.label,
|
|
|
|
argbuf, Affinity());
|
2017-03-08 10:21:49 +01:00
|
|
|
|
|
|
|
/* transfer session quota */
|
2017-05-08 16:49:00 +02:00
|
|
|
try {
|
2019-01-21 10:48:39 +01:00
|
|
|
Ram_transfer::Remote_account env_ram_account(_env.pd(), _env.pd_session_cap());
|
|
|
|
Cap_transfer::Remote_account env_cap_account(_env.pd(), _env.pd_session_cap());
|
2017-05-08 16:49:00 +02:00
|
|
|
|
|
|
|
Ram_transfer ram_transfer(forward_ram_quota, env_ram_account, route.service);
|
Capability quota accounting and trading
This patch mirrors the accounting and trading scheme that Genode employs
for physical memory to the accounting of capability allocations.
Capability quotas must now be explicitly assigned to subsystems by
specifying a 'caps=<amount>' attribute to init's start nodes.
Analogously to RAM quotas, cap quotas can be traded between clients and
servers as part of the session protocol. The capability budget of each
component is maintained by the component's corresponding PD session at
core.
At the current stage, the accounting is applied to RPC capabilities,
signal-context capabilities, and dataspace capabilities. Capabilities
that are dynamically allocated via core's CPU and TRACE service are not
yet covered. Also, the capabilities allocated by resource multiplexers
outside of core (like nitpicker) must be accounted by the respective
servers, which is not covered yet.
If a component runs out of capabilities, core's PD service prints a
warning to the log. To observe the consumption of capabilities per
component in detail, the PD service is equipped with a diagnostic
mode, which can be enabled via the 'diag' attribute in the target
node of init's routing rules. E.g., the following route enables the
diagnostic mode for the PD session of the "timer" component:
<default-route>
<service name="PD" unscoped_label="timer">
<parent diag="yes"/>
</service>
...
</default-route>
For subsystems based on a sub-init instance, init can be configured
to report the capability-quota information of its subsystems by
adding the attribute 'child_caps="yes"' to init's '<report>'
config node. Init's own capability quota can be reported by adding
the attribute 'init_caps="yes"'.
Fixes #2398
2017-05-08 21:35:43 +02:00
|
|
|
Cap_transfer cap_transfer(cap_quota, env_cap_account, route.service);
|
2017-03-08 10:21:49 +01:00
|
|
|
|
2017-05-08 16:49:00 +02:00
|
|
|
ram_transfer.acknowledge();
|
Capability quota accounting and trading
This patch mirrors the accounting and trading scheme that Genode employs
for physical memory to the accounting of capability allocations.
Capability quotas must now be explicitly assigned to subsystems by
specifying a 'caps=<amount>' attribute to init's start nodes.
Analogously to RAM quotas, cap quotas can be traded between clients and
servers as part of the session protocol. The capability budget of each
component is maintained by the component's corresponding PD session at
core.
At the current stage, the accounting is applied to RPC capabilities,
signal-context capabilities, and dataspace capabilities. Capabilities
that are dynamically allocated via core's CPU and TRACE service are not
yet covered. Also, the capabilities allocated by resource multiplexers
outside of core (like nitpicker) must be accounted by the respective
servers, which is not covered yet.
If a component runs out of capabilities, core's PD service prints a
warning to the log. To observe the consumption of capabilities per
component in detail, the PD service is equipped with a diagnostic
mode, which can be enabled via the 'diag' attribute in the target
node of init's routing rules. E.g., the following route enables the
diagnostic mode for the PD session of the "timer" component:
<default-route>
<service name="PD" unscoped_label="timer">
<parent diag="yes"/>
</service>
...
</default-route>
For subsystems based on a sub-init instance, init can be configured
to report the capability-quota information of its subsystems by
adding the attribute 'child_caps="yes"' to init's '<report>'
config node. Init's own capability quota can be reported by adding
the attribute 'init_caps="yes"'.
Fixes #2398
2017-05-08 21:35:43 +02:00
|
|
|
cap_transfer.acknowledge();
|
2017-05-08 16:49:00 +02:00
|
|
|
}
|
|
|
|
catch (...) {
|
2017-03-08 10:21:49 +01:00
|
|
|
/*
|
|
|
|
* This should never happen unless our parent missed to
|
|
|
|
* transfor the session quota to us prior issuing the session
|
|
|
|
* request.
|
|
|
|
*/
|
Capability quota accounting and trading
This patch mirrors the accounting and trading scheme that Genode employs
for physical memory to the accounting of capability allocations.
Capability quotas must now be explicitly assigned to subsystems by
specifying a 'caps=<amount>' attribute to init's start nodes.
Analogously to RAM quotas, cap quotas can be traded between clients and
servers as part of the session protocol. The capability budget of each
component is maintained by the component's corresponding PD session at
core.
At the current stage, the accounting is applied to RPC capabilities,
signal-context capabilities, and dataspace capabilities. Capabilities
that are dynamically allocated via core's CPU and TRACE service are not
yet covered. Also, the capabilities allocated by resource multiplexers
outside of core (like nitpicker) must be accounted by the respective
servers, which is not covered yet.
If a component runs out of capabilities, core's PD service prints a
warning to the log. To observe the consumption of capabilities per
component in detail, the PD service is equipped with a diagnostic
mode, which can be enabled via the 'diag' attribute in the target
node of init's routing rules. E.g., the following route enables the
diagnostic mode for the PD session of the "timer" component:
<default-route>
<service name="PD" unscoped_label="timer">
<parent diag="yes"/>
</service>
...
</default-route>
For subsystems based on a sub-init instance, init can be configured
to report the capability-quota information of its subsystems by
adding the attribute 'child_caps="yes"' to init's '<report>'
config node. Init's own capability quota can be reported by adding
the attribute 'init_caps="yes"'.
Fixes #2398
2017-05-08 21:35:43 +02:00
|
|
|
warning("unable to transfer session quota "
|
|
|
|
"(", ram_quota, " bytes, ", cap_quota, " caps) "
|
2017-03-08 10:21:49 +01:00
|
|
|
"of forwarded ", name, " session");
|
|
|
|
session.destroy();
|
Streamline exception types
This patch reduces the number of exception types by facilitating
globally defined exceptions for common usage patterns shared by most
services. In particular, RPC functions that demand a session-resource
upgrade not longer reflect this condition via a session-specific
exception but via the 'Out_of_ram' or 'Out_of_caps' types.
Furthermore, the 'Parent::Service_denied', 'Parent::Unavailable',
'Root::Invalid_args', 'Root::Unavailable', 'Service::Invalid_args',
'Service::Unavailable', and 'Local_service::Factory::Denied' types have
been replaced by the single 'Service_denied' exception type defined in
'session/session.h'.
This consolidation eases the error handling (there are fewer exceptions
to handle), alleviates the need to convert exceptions along the
session-creation call chain, and avoids possible aliasing problems
(catching the wrong type with the same name but living in a different
scope).
2017-05-07 22:03:22 +02:00
|
|
|
throw Service_denied();
|
2017-03-08 10:21:49 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
session.ready_callback = this;
|
|
|
|
session.closed_callback = this;
|
|
|
|
|
|
|
|
/* initiate request */
|
|
|
|
route.service.initiate_request(session);
|
|
|
|
|
|
|
|
/* if request was not handled synchronously, kick off async operation */
|
|
|
|
if (session.phase == Session_state::CREATE_REQUESTED)
|
|
|
|
route.service.wakeup();
|
|
|
|
|
Streamline exception types
This patch reduces the number of exception types by facilitating
globally defined exceptions for common usage patterns shared by most
services. In particular, RPC functions that demand a session-resource
upgrade not longer reflect this condition via a session-specific
exception but via the 'Out_of_ram' or 'Out_of_caps' types.
Furthermore, the 'Parent::Service_denied', 'Parent::Unavailable',
'Root::Invalid_args', 'Root::Unavailable', 'Service::Invalid_args',
'Service::Unavailable', and 'Local_service::Factory::Denied' types have
been replaced by the single 'Service_denied' exception type defined in
'session/session.h'.
This consolidation eases the error handling (there are fewer exceptions
to handle), alleviates the need to convert exceptions along the
session-creation call chain, and avoids possible aliasing problems
(catching the wrong type with the same name but living in a different
scope).
2017-05-07 22:03:22 +02:00
|
|
|
if (session.phase == Session_state::SERVICE_DENIED)
|
|
|
|
throw Service_denied();
|
2017-03-08 10:21:49 +01:00
|
|
|
|
2017-05-08 14:32:03 +02:00
|
|
|
if (session.phase == Session_state::INSUFFICIENT_RAM_QUOTA)
|
Streamline exception types
This patch reduces the number of exception types by facilitating
globally defined exceptions for common usage patterns shared by most
services. In particular, RPC functions that demand a session-resource
upgrade not longer reflect this condition via a session-specific
exception but via the 'Out_of_ram' or 'Out_of_caps' types.
Furthermore, the 'Parent::Service_denied', 'Parent::Unavailable',
'Root::Invalid_args', 'Root::Unavailable', 'Service::Invalid_args',
'Service::Unavailable', and 'Local_service::Factory::Denied' types have
been replaced by the single 'Service_denied' exception type defined in
'session/session.h'.
This consolidation eases the error handling (there are fewer exceptions
to handle), alleviates the need to convert exceptions along the
session-creation call chain, and avoids possible aliasing problems
(catching the wrong type with the same name but living in a different
scope).
2017-05-07 22:03:22 +02:00
|
|
|
throw Insufficient_ram_quota();
|
Capability quota accounting and trading
This patch mirrors the accounting and trading scheme that Genode employs
for physical memory to the accounting of capability allocations.
Capability quotas must now be explicitly assigned to subsystems by
specifying a 'caps=<amount>' attribute to init's start nodes.
Analogously to RAM quotas, cap quotas can be traded between clients and
servers as part of the session protocol. The capability budget of each
component is maintained by the component's corresponding PD session at
core.
At the current stage, the accounting is applied to RPC capabilities,
signal-context capabilities, and dataspace capabilities. Capabilities
that are dynamically allocated via core's CPU and TRACE service are not
yet covered. Also, the capabilities allocated by resource multiplexers
outside of core (like nitpicker) must be accounted by the respective
servers, which is not covered yet.
If a component runs out of capabilities, core's PD service prints a
warning to the log. To observe the consumption of capabilities per
component in detail, the PD service is equipped with a diagnostic
mode, which can be enabled via the 'diag' attribute in the target
node of init's routing rules. E.g., the following route enables the
diagnostic mode for the PD session of the "timer" component:
<default-route>
<service name="PD" unscoped_label="timer">
<parent diag="yes"/>
</service>
...
</default-route>
For subsystems based on a sub-init instance, init can be configured
to report the capability-quota information of its subsystems by
adding the attribute 'child_caps="yes"' to init's '<report>'
config node. Init's own capability quota can be reported by adding
the attribute 'init_caps="yes"'.
Fixes #2398
2017-05-08 21:35:43 +02:00
|
|
|
|
|
|
|
if (session.phase == Session_state::INSUFFICIENT_CAP_QUOTA)
|
Streamline exception types
This patch reduces the number of exception types by facilitating
globally defined exceptions for common usage patterns shared by most
services. In particular, RPC functions that demand a session-resource
upgrade not longer reflect this condition via a session-specific
exception but via the 'Out_of_ram' or 'Out_of_caps' types.
Furthermore, the 'Parent::Service_denied', 'Parent::Unavailable',
'Root::Invalid_args', 'Root::Unavailable', 'Service::Invalid_args',
'Service::Unavailable', and 'Local_service::Factory::Denied' types have
been replaced by the single 'Service_denied' exception type defined in
'session/session.h'.
This consolidation eases the error handling (there are fewer exceptions
to handle), alleviates the need to convert exceptions along the
session-creation call chain, and avoids possible aliasing problems
(catching the wrong type with the same name but living in a different
scope).
2017-05-07 22:03:22 +02:00
|
|
|
throw Insufficient_cap_quota();
|
2017-03-08 10:21:49 +01:00
|
|
|
}
|
Streamline exception types
This patch reduces the number of exception types by facilitating
globally defined exceptions for common usage patterns shared by most
services. In particular, RPC functions that demand a session-resource
upgrade not longer reflect this condition via a session-specific
exception but via the 'Out_of_ram' or 'Out_of_caps' types.
Furthermore, the 'Parent::Service_denied', 'Parent::Unavailable',
'Root::Invalid_args', 'Root::Unavailable', 'Service::Invalid_args',
'Service::Unavailable', and 'Local_service::Factory::Denied' types have
been replaced by the single 'Service_denied' exception type defined in
'session/session.h'.
This consolidation eases the error handling (there are fewer exceptions
to handle), alleviates the need to convert exceptions along the
session-creation call chain, and avoids possible aliasing problems
(catching the wrong type with the same name but living in a different
scope).
2017-05-07 22:03:22 +02:00
|
|
|
catch (Service_denied) {
|
2017-05-08 16:49:00 +02:00
|
|
|
_env.parent().session_response(Parent::Server::Id { id.value },
|
Streamline exception types
This patch reduces the number of exception types by facilitating
globally defined exceptions for common usage patterns shared by most
services. In particular, RPC functions that demand a session-resource
upgrade not longer reflect this condition via a session-specific
exception but via the 'Out_of_ram' or 'Out_of_caps' types.
Furthermore, the 'Parent::Service_denied', 'Parent::Unavailable',
'Root::Invalid_args', 'Root::Unavailable', 'Service::Invalid_args',
'Service::Unavailable', and 'Local_service::Factory::Denied' types have
been replaced by the single 'Service_denied' exception type defined in
'session/session.h'.
This consolidation eases the error handling (there are fewer exceptions
to handle), alleviates the need to convert exceptions along the
session-creation call chain, and avoids possible aliasing problems
(catching the wrong type with the same name but living in a different
scope).
2017-05-07 22:03:22 +02:00
|
|
|
Parent::SERVICE_DENIED); }
|
|
|
|
catch (Insufficient_ram_quota) {
|
2017-05-08 16:49:00 +02:00
|
|
|
_env.parent().session_response(Parent::Server::Id { id.value },
|
|
|
|
Parent::INSUFFICIENT_RAM_QUOTA); }
|
Streamline exception types
This patch reduces the number of exception types by facilitating
globally defined exceptions for common usage patterns shared by most
services. In particular, RPC functions that demand a session-resource
upgrade not longer reflect this condition via a session-specific
exception but via the 'Out_of_ram' or 'Out_of_caps' types.
Furthermore, the 'Parent::Service_denied', 'Parent::Unavailable',
'Root::Invalid_args', 'Root::Unavailable', 'Service::Invalid_args',
'Service::Unavailable', and 'Local_service::Factory::Denied' types have
been replaced by the single 'Service_denied' exception type defined in
'session/session.h'.
This consolidation eases the error handling (there are fewer exceptions
to handle), alleviates the need to convert exceptions along the
session-creation call chain, and avoids possible aliasing problems
(catching the wrong type with the same name but living in a different
scope).
2017-05-07 22:03:22 +02:00
|
|
|
catch (Insufficient_cap_quota) {
|
Capability quota accounting and trading
This patch mirrors the accounting and trading scheme that Genode employs
for physical memory to the accounting of capability allocations.
Capability quotas must now be explicitly assigned to subsystems by
specifying a 'caps=<amount>' attribute to init's start nodes.
Analogously to RAM quotas, cap quotas can be traded between clients and
servers as part of the session protocol. The capability budget of each
component is maintained by the component's corresponding PD session at
core.
At the current stage, the accounting is applied to RPC capabilities,
signal-context capabilities, and dataspace capabilities. Capabilities
that are dynamically allocated via core's CPU and TRACE service are not
yet covered. Also, the capabilities allocated by resource multiplexers
outside of core (like nitpicker) must be accounted by the respective
servers, which is not covered yet.
If a component runs out of capabilities, core's PD service prints a
warning to the log. To observe the consumption of capabilities per
component in detail, the PD service is equipped with a diagnostic
mode, which can be enabled via the 'diag' attribute in the target
node of init's routing rules. E.g., the following route enables the
diagnostic mode for the PD session of the "timer" component:
<default-route>
<service name="PD" unscoped_label="timer">
<parent diag="yes"/>
</service>
...
</default-route>
For subsystems based on a sub-init instance, init can be configured
to report the capability-quota information of its subsystems by
adding the attribute 'child_caps="yes"' to init's '<report>'
config node. Init's own capability quota can be reported by adding
the attribute 'init_caps="yes"'.
Fixes #2398
2017-05-08 21:35:43 +02:00
|
|
|
_env.parent().session_response(Parent::Server::Id { id.value },
|
|
|
|
Parent::INSUFFICIENT_CAP_QUOTA); }
|
2017-06-30 15:21:29 +02:00
|
|
|
catch (Service_not_present) { /* keep request pending */ }
|
2017-03-08 10:21:49 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
|
2020-01-09 21:23:19 +01:00
|
|
|
void Sandbox::Server::_handle_upgrade_session_request(Xml_node request,
|
|
|
|
Parent::Client::Id id)
|
2017-03-08 10:21:49 +01:00
|
|
|
{
|
|
|
|
_client_id_space.apply<Session_state>(id, [&] (Session_state &session) {
|
|
|
|
|
2017-05-08 01:33:40 +02:00
|
|
|
Ram_quota const ram_quota { request.attribute_value("ram_quota", 0UL) };
|
Capability quota accounting and trading
This patch mirrors the accounting and trading scheme that Genode employs
for physical memory to the accounting of capability allocations.
Capability quotas must now be explicitly assigned to subsystems by
specifying a 'caps=<amount>' attribute to init's start nodes.
Analogously to RAM quotas, cap quotas can be traded between clients and
servers as part of the session protocol. The capability budget of each
component is maintained by the component's corresponding PD session at
core.
At the current stage, the accounting is applied to RPC capabilities,
signal-context capabilities, and dataspace capabilities. Capabilities
that are dynamically allocated via core's CPU and TRACE service are not
yet covered. Also, the capabilities allocated by resource multiplexers
outside of core (like nitpicker) must be accounted by the respective
servers, which is not covered yet.
If a component runs out of capabilities, core's PD service prints a
warning to the log. To observe the consumption of capabilities per
component in detail, the PD service is equipped with a diagnostic
mode, which can be enabled via the 'diag' attribute in the target
node of init's routing rules. E.g., the following route enables the
diagnostic mode for the PD session of the "timer" component:
<default-route>
<service name="PD" unscoped_label="timer">
<parent diag="yes"/>
</service>
...
</default-route>
For subsystems based on a sub-init instance, init can be configured
to report the capability-quota information of its subsystems by
adding the attribute 'child_caps="yes"' to init's '<report>'
config node. Init's own capability quota can be reported by adding
the attribute 'init_caps="yes"'.
Fixes #2398
2017-05-08 21:35:43 +02:00
|
|
|
Cap_quota const cap_quota { request.attribute_value("cap_quota", 0UL) };
|
2017-03-08 10:21:49 +01:00
|
|
|
|
|
|
|
session.phase = Session_state::UPGRADE_REQUESTED;
|
|
|
|
|
2017-05-08 12:33:56 +02:00
|
|
|
try {
|
2019-01-21 10:48:39 +01:00
|
|
|
Ram_transfer::Remote_account env_ram_account(_env.pd(), _env.pd_session_cap());
|
|
|
|
Cap_transfer::Remote_account env_cap_account(_env.pd(), _env.pd_session_cap());
|
2017-05-08 16:49:00 +02:00
|
|
|
|
|
|
|
Ram_transfer ram_transfer(ram_quota, env_ram_account, session.service());
|
Capability quota accounting and trading
This patch mirrors the accounting and trading scheme that Genode employs
for physical memory to the accounting of capability allocations.
Capability quotas must now be explicitly assigned to subsystems by
specifying a 'caps=<amount>' attribute to init's start nodes.
Analogously to RAM quotas, cap quotas can be traded between clients and
servers as part of the session protocol. The capability budget of each
component is maintained by the component's corresponding PD session at
core.
At the current stage, the accounting is applied to RPC capabilities,
signal-context capabilities, and dataspace capabilities. Capabilities
that are dynamically allocated via core's CPU and TRACE service are not
yet covered. Also, the capabilities allocated by resource multiplexers
outside of core (like nitpicker) must be accounted by the respective
servers, which is not covered yet.
If a component runs out of capabilities, core's PD service prints a
warning to the log. To observe the consumption of capabilities per
component in detail, the PD service is equipped with a diagnostic
mode, which can be enabled via the 'diag' attribute in the target
node of init's routing rules. E.g., the following route enables the
diagnostic mode for the PD session of the "timer" component:
<default-route>
<service name="PD" unscoped_label="timer">
<parent diag="yes"/>
</service>
...
</default-route>
For subsystems based on a sub-init instance, init can be configured
to report the capability-quota information of its subsystems by
adding the attribute 'child_caps="yes"' to init's '<report>'
config node. Init's own capability quota can be reported by adding
the attribute 'init_caps="yes"'.
Fixes #2398
2017-05-08 21:35:43 +02:00
|
|
|
Cap_transfer cap_transfer(cap_quota, env_cap_account, session.service());
|
2017-05-08 16:49:00 +02:00
|
|
|
|
|
|
|
ram_transfer.acknowledge();
|
Capability quota accounting and trading
This patch mirrors the accounting and trading scheme that Genode employs
for physical memory to the accounting of capability allocations.
Capability quotas must now be explicitly assigned to subsystems by
specifying a 'caps=<amount>' attribute to init's start nodes.
Analogously to RAM quotas, cap quotas can be traded between clients and
servers as part of the session protocol. The capability budget of each
component is maintained by the component's corresponding PD session at
core.
At the current stage, the accounting is applied to RPC capabilities,
signal-context capabilities, and dataspace capabilities. Capabilities
that are dynamically allocated via core's CPU and TRACE service are not
yet covered. Also, the capabilities allocated by resource multiplexers
outside of core (like nitpicker) must be accounted by the respective
servers, which is not covered yet.
If a component runs out of capabilities, core's PD service prints a
warning to the log. To observe the consumption of capabilities per
component in detail, the PD service is equipped with a diagnostic
mode, which can be enabled via the 'diag' attribute in the target
node of init's routing rules. E.g., the following route enables the
diagnostic mode for the PD session of the "timer" component:
<default-route>
<service name="PD" unscoped_label="timer">
<parent diag="yes"/>
</service>
...
</default-route>
For subsystems based on a sub-init instance, init can be configured
to report the capability-quota information of its subsystems by
adding the attribute 'child_caps="yes"' to init's '<report>'
config node. Init's own capability quota can be reported by adding
the attribute 'init_caps="yes"'.
Fixes #2398
2017-05-08 21:35:43 +02:00
|
|
|
cap_transfer.acknowledge();
|
2017-05-08 12:33:56 +02:00
|
|
|
}
|
|
|
|
catch (...) {
|
Capability quota accounting and trading
This patch mirrors the accounting and trading scheme that Genode employs
for physical memory to the accounting of capability allocations.
Capability quotas must now be explicitly assigned to subsystems by
specifying a 'caps=<amount>' attribute to init's start nodes.
Analogously to RAM quotas, cap quotas can be traded between clients and
servers as part of the session protocol. The capability budget of each
component is maintained by the component's corresponding PD session at
core.
At the current stage, the accounting is applied to RPC capabilities,
signal-context capabilities, and dataspace capabilities. Capabilities
that are dynamically allocated via core's CPU and TRACE service are not
yet covered. Also, the capabilities allocated by resource multiplexers
outside of core (like nitpicker) must be accounted by the respective
servers, which is not covered yet.
If a component runs out of capabilities, core's PD service prints a
warning to the log. To observe the consumption of capabilities per
component in detail, the PD service is equipped with a diagnostic
mode, which can be enabled via the 'diag' attribute in the target
node of init's routing rules. E.g., the following route enables the
diagnostic mode for the PD session of the "timer" component:
<default-route>
<service name="PD" unscoped_label="timer">
<parent diag="yes"/>
</service>
...
</default-route>
For subsystems based on a sub-init instance, init can be configured
to report the capability-quota information of its subsystems by
adding the attribute 'child_caps="yes"' to init's '<report>'
config node. Init's own capability quota can be reported by adding
the attribute 'init_caps="yes"'.
Fixes #2398
2017-05-08 21:35:43 +02:00
|
|
|
warning("unable to upgrade session quota "
|
|
|
|
"(", ram_quota, " bytes, ", cap_quota, " caps) "
|
2017-03-08 10:21:49 +01:00
|
|
|
"of forwarded ", session.service().name(), " session");
|
|
|
|
return;
|
|
|
|
}
|
|
|
|
|
Capability quota accounting and trading
This patch mirrors the accounting and trading scheme that Genode employs
for physical memory to the accounting of capability allocations.
Capability quotas must now be explicitly assigned to subsystems by
specifying a 'caps=<amount>' attribute to init's start nodes.
Analogously to RAM quotas, cap quotas can be traded between clients and
servers as part of the session protocol. The capability budget of each
component is maintained by the component's corresponding PD session at
core.
At the current stage, the accounting is applied to RPC capabilities,
signal-context capabilities, and dataspace capabilities. Capabilities
that are dynamically allocated via core's CPU and TRACE service are not
yet covered. Also, the capabilities allocated by resource multiplexers
outside of core (like nitpicker) must be accounted by the respective
servers, which is not covered yet.
If a component runs out of capabilities, core's PD service prints a
warning to the log. To observe the consumption of capabilities per
component in detail, the PD service is equipped with a diagnostic
mode, which can be enabled via the 'diag' attribute in the target
node of init's routing rules. E.g., the following route enables the
diagnostic mode for the PD session of the "timer" component:
<default-route>
<service name="PD" unscoped_label="timer">
<parent diag="yes"/>
</service>
...
</default-route>
For subsystems based on a sub-init instance, init can be configured
to report the capability-quota information of its subsystems by
adding the attribute 'child_caps="yes"' to init's '<report>'
config node. Init's own capability quota can be reported by adding
the attribute 'init_caps="yes"'.
Fixes #2398
2017-05-08 21:35:43 +02:00
|
|
|
session.increase_donated_quota(ram_quota, cap_quota);
|
2017-03-08 10:21:49 +01:00
|
|
|
session.service().initiate_request(session);
|
|
|
|
session.service().wakeup();
|
|
|
|
});
|
|
|
|
}
|
|
|
|
|
|
|
|
|
2020-01-09 21:23:19 +01:00
|
|
|
void Sandbox::Server::_handle_close_session_request(Xml_node, Parent::Client::Id id)
|
2017-03-08 10:21:49 +01:00
|
|
|
{
|
|
|
|
_client_id_space.apply<Session_state>(id, [&] (Session_state &session) {
|
|
|
|
close_session(session); });
|
|
|
|
}
|
|
|
|
|
|
|
|
|
2020-01-09 21:23:19 +01:00
|
|
|
void Sandbox::Server::_handle_session_request(Xml_node request)
|
2017-03-08 10:21:49 +01:00
|
|
|
{
|
|
|
|
if (!request.has_attribute("id"))
|
|
|
|
return;
|
|
|
|
|
|
|
|
/*
|
|
|
|
* We use the 'Parent::Server::Id' of the incoming request as the
|
|
|
|
* 'Parent::Client::Id' of the forwarded request.
|
|
|
|
*/
|
|
|
|
Parent::Client::Id const id { request.attribute_value("id", 0UL) };
|
|
|
|
|
|
|
|
if (request.has_type("create"))
|
|
|
|
_handle_create_session_request(request, id);
|
|
|
|
|
|
|
|
if (request.has_type("upgrade"))
|
|
|
|
_handle_upgrade_session_request(request, id);
|
|
|
|
|
|
|
|
if (request.has_type("close"))
|
|
|
|
_handle_close_session_request(request, id);
|
|
|
|
}
|
|
|
|
|
|
|
|
|
2020-01-09 21:23:19 +01:00
|
|
|
void Sandbox::Server::_handle_session_requests()
|
2017-03-08 10:21:49 +01:00
|
|
|
{
|
|
|
|
_session_requests->update();
|
|
|
|
|
|
|
|
Xml_node const requests = _session_requests->xml();
|
|
|
|
|
|
|
|
requests.for_each_sub_node([&] (Xml_node request) {
|
2017-10-19 16:07:28 +02:00
|
|
|
_handle_session_request(request); });
|
2017-03-08 10:21:49 +01:00
|
|
|
|
|
|
|
_report_update_trigger.trigger_report_update();
|
|
|
|
}
|
|
|
|
|
|
|
|
|
2020-01-09 21:23:19 +01:00
|
|
|
void Sandbox::Server::apply_config(Xml_node config)
|
2017-03-08 10:21:49 +01:00
|
|
|
{
|
|
|
|
_services.for_each([&] (Service &service) { destroy(_alloc, &service); });
|
|
|
|
|
|
|
|
config.for_each_sub_node("service", [&] (Xml_node node) {
|
|
|
|
new (_alloc) Service(_services, _alloc, node, _child_services); });
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Construct mechanics for responding to our parent's session requests
|
|
|
|
* on demand.
|
|
|
|
*/
|
|
|
|
bool services_provided = false;
|
|
|
|
_services.for_each([&] (Service const &) { services_provided = true; });
|
|
|
|
|
|
|
|
if (services_provided && !_session_requests.constructed()) {
|
|
|
|
_session_requests.construct(_env, "session_requests");
|
|
|
|
_session_request_handler.construct(_env.ep(), *this,
|
|
|
|
&Server::_handle_session_requests);
|
|
|
|
_session_requests->sigh(*_session_request_handler);
|
|
|
|
}
|
|
|
|
|
2017-06-30 15:21:29 +02:00
|
|
|
/*
|
|
|
|
* Try to resolve pending session requests that may become serviceable with
|
|
|
|
* the new configuration.
|
|
|
|
*/
|
|
|
|
if (services_provided && _session_requests.constructed())
|
|
|
|
_handle_session_requests();
|
|
|
|
|
2017-03-08 10:21:49 +01:00
|
|
|
/*
|
|
|
|
* Re-validate routes of existing sessions, close sessions whose routes
|
|
|
|
* changed.
|
|
|
|
*/
|
|
|
|
_client_id_space.for_each<Session_state>([&] (Session_state &session) {
|
|
|
|
try {
|
|
|
|
Route const route = _resolve_session_request(session.service().name(),
|
|
|
|
session.client_label());
|
|
|
|
|
|
|
|
bool const route_unchanged = (route.service == session.service())
|
|
|
|
&& (route.label == session.label());
|
|
|
|
if (!route_unchanged)
|
Streamline exception types
This patch reduces the number of exception types by facilitating
globally defined exceptions for common usage patterns shared by most
services. In particular, RPC functions that demand a session-resource
upgrade not longer reflect this condition via a session-specific
exception but via the 'Out_of_ram' or 'Out_of_caps' types.
Furthermore, the 'Parent::Service_denied', 'Parent::Unavailable',
'Root::Invalid_args', 'Root::Unavailable', 'Service::Invalid_args',
'Service::Unavailable', and 'Local_service::Factory::Denied' types have
been replaced by the single 'Service_denied' exception type defined in
'session/session.h'.
This consolidation eases the error handling (there are fewer exceptions
to handle), alleviates the need to convert exceptions along the
session-creation call chain, and avoids possible aliasing problems
(catching the wrong type with the same name but living in a different
scope).
2017-05-07 22:03:22 +02:00
|
|
|
throw Service_denied();
|
2017-03-08 10:21:49 +01:00
|
|
|
}
|
2017-06-30 15:21:29 +02:00
|
|
|
catch (Service_denied) { close_session(session); }
|
|
|
|
catch (Service_not_present) { close_session(session); }
|
2017-03-08 10:21:49 +01:00
|
|
|
});
|
|
|
|
}
|