2011-12-22 16:19:25 +01:00
|
|
|
/*
|
2017-05-11 20:03:28 +02:00
|
|
|
* \brief Core implementation of the PD session interface
|
2011-12-22 16:19:25 +01:00
|
|
|
* \author Norman Feske
|
|
|
|
* \date 2006-05-19
|
|
|
|
*/
|
|
|
|
|
|
|
|
/*
|
2017-02-20 13:23:52 +01:00
|
|
|
* Copyright (C) 2006-2017 Genode Labs GmbH
|
2011-12-22 16:19:25 +01:00
|
|
|
*
|
|
|
|
* This file is part of the Genode OS framework, which is distributed
|
2017-02-20 13:23:52 +01:00
|
|
|
* under the terms of the GNU Affero General Public License version 3.
|
2011-12-22 16:19:25 +01:00
|
|
|
*/
|
|
|
|
|
|
|
|
/* Genode includes */
|
base: avoid use of deprecated base/printf.h
Besides adapting the components to the use of base/log.h, the patch
cleans up a few base headers, i.e., it removes unused includes from
root/component.h, specifically base/heap.h and
ram_session/ram_session.h. Hence, components that relied on the implicit
inclusion of those headers have to manually include those headers now.
While adjusting the log messages, I repeatedly stumbled over the problem
that printing char * arguments is ambiguous. It is unclear whether to
print the argument as pointer or null-terminated string. To overcome
this problem, the patch introduces a new type 'Cstring' that allows the
caller to express that the argument should be handled as null-terminated
string. As a nice side effect, with this type in place, the optional len
argument of the 'String' class could be removed. Instead of supplying a
pair of (char const *, size_t), the constructor accepts a 'Cstring'.
This, in turn, clears the way let the 'String' constructor use the new
output mechanism to assemble a string from multiple arguments (and
thereby getting rid of snprintf within Genode in the near future).
To enforce the explicit resolution of the char * ambiguity, the 'char *'
overload of the 'print' function is marked as deleted.
Issue #1987
2016-07-13 19:07:09 +02:00
|
|
|
#include <base/log.h>
|
2011-12-22 16:19:25 +01:00
|
|
|
|
|
|
|
/* core includes */
|
2017-05-11 20:03:28 +02:00
|
|
|
#include <pd_session_component.h>
|
2011-12-22 16:19:25 +01:00
|
|
|
|
|
|
|
using namespace Genode;
|
|
|
|
|
|
|
|
|
2017-05-11 15:03:03 +02:00
|
|
|
Ram_dataspace_capability
|
2017-05-11 20:03:28 +02:00
|
|
|
Pd_session_component::alloc(size_t ds_size, Cache_attribute cached)
|
2011-12-22 16:19:25 +01:00
|
|
|
{
|
|
|
|
/* zero-sized dataspaces are not allowed */
|
|
|
|
if (!ds_size) return Ram_dataspace_capability();
|
|
|
|
|
|
|
|
/* dataspace allocation granularity is page size */
|
|
|
|
ds_size = align_addr(ds_size, 12);
|
|
|
|
|
|
|
|
/*
|
2017-05-08 19:55:54 +02:00
|
|
|
* Track quota usage
|
2011-12-22 16:19:25 +01:00
|
|
|
*
|
2017-05-08 19:55:54 +02:00
|
|
|
* We use a guard to roll back the withdrawal of the quota whenever
|
|
|
|
* we leave the method scope via an exception. The withdrawal is
|
|
|
|
* acknowledge just before successfully leaving the method.
|
|
|
|
*/
|
Follow practices suggested by "Effective C++"
The patch adjust the code of the base, base-<kernel>, and os repository.
To adapt existing components to fix violations of the best practices
suggested by "Effective C++" as reported by the -Weffc++ compiler
argument. The changes follow the patterns outlined below:
* A class with virtual functions can no longer publicly inherit base
classed without a vtable. The inherited object may either be moved
to a member variable, or inherited privately. The latter would be
used for classes that inherit 'List::Element' or 'Avl_node'. In order
to enable the 'List' and 'Avl_tree' to access the meta data, the
'List' must become a friend.
* Instead of adding a virtual destructor to abstract base classes,
we inherit the new 'Interface' class, which contains a virtual
destructor. This way, single-line abstract base classes can stay
as compact as they are now. The 'Interface' utility resides in
base/include/util/interface.h.
* With the new warnings enabled, all member variables must be explicitly
initialized. Basic types may be initialized with '='. All other types
are initialized with braces '{ ... }' or as class initializers. If
basic types and non-basic types appear in a row, it is nice to only
use the brace syntax (also for basic types) and align the braces.
* If a class contains pointers as members, it must now also provide a
copy constructor and assignment operator. In the most cases, one
would make them private, effectively disallowing the objects to be
copied. Unfortunately, this warning cannot be fixed be inheriting
our existing 'Noncopyable' class (the compiler fails to detect that
the inheriting class cannot be copied and still gives the error).
For now, we have to manually add declarations for both the copy
constructor and assignment operator as private class members. Those
declarations should be prepended with a comment like this:
/*
* Noncopyable
*/
Thread(Thread const &);
Thread &operator = (Thread const &);
In the future, we should revisit these places and try to replace
the pointers with references. In the presence of at least one
reference member, the compiler would no longer implicitly generate
a copy constructor. So we could remove the manual declaration.
Issue #465
2017-12-21 15:42:15 +01:00
|
|
|
Ram_quota_guard::Reservation
|
|
|
|
dataspace_ram_costs(_ram_quota_guard(), Ram_quota{ds_size});
|
2017-05-08 19:55:54 +02:00
|
|
|
|
|
|
|
/*
|
2011-12-22 16:19:25 +01:00
|
|
|
* In the worst case, we need to allocate a new slab block for the
|
2017-05-08 19:55:54 +02:00
|
|
|
* meta data of the dataspace to be created. Therefore, we temporarily
|
|
|
|
* withdraw the slab block size here to trigger an exception if the
|
|
|
|
* account does not have enough room for the meta data.
|
2011-12-22 16:19:25 +01:00
|
|
|
*/
|
2017-05-08 19:55:54 +02:00
|
|
|
{
|
2017-05-11 15:03:03 +02:00
|
|
|
Ram_quota const overhead { Ram_dataspace_factory::SLAB_BLOCK_SIZE };
|
Follow practices suggested by "Effective C++"
The patch adjust the code of the base, base-<kernel>, and os repository.
To adapt existing components to fix violations of the best practices
suggested by "Effective C++" as reported by the -Weffc++ compiler
argument. The changes follow the patterns outlined below:
* A class with virtual functions can no longer publicly inherit base
classed without a vtable. The inherited object may either be moved
to a member variable, or inherited privately. The latter would be
used for classes that inherit 'List::Element' or 'Avl_node'. In order
to enable the 'List' and 'Avl_tree' to access the meta data, the
'List' must become a friend.
* Instead of adding a virtual destructor to abstract base classes,
we inherit the new 'Interface' class, which contains a virtual
destructor. This way, single-line abstract base classes can stay
as compact as they are now. The 'Interface' utility resides in
base/include/util/interface.h.
* With the new warnings enabled, all member variables must be explicitly
initialized. Basic types may be initialized with '='. All other types
are initialized with braces '{ ... }' or as class initializers. If
basic types and non-basic types appear in a row, it is nice to only
use the brace syntax (also for basic types) and align the braces.
* If a class contains pointers as members, it must now also provide a
copy constructor and assignment operator. In the most cases, one
would make them private, effectively disallowing the objects to be
copied. Unfortunately, this warning cannot be fixed be inheriting
our existing 'Noncopyable' class (the compiler fails to detect that
the inheriting class cannot be copied and still gives the error).
For now, we have to manually add declarations for both the copy
constructor and assignment operator as private class members. Those
declarations should be prepended with a comment like this:
/*
* Noncopyable
*/
Thread(Thread const &);
Thread &operator = (Thread const &);
In the future, we should revisit these places and try to replace
the pointers with references. In the presence of at least one
reference member, the compiler would no longer implicitly generate
a copy constructor. So we could remove the manual declaration.
Issue #465
2017-12-21 15:42:15 +01:00
|
|
|
Ram_quota_guard::Reservation sbs_ram_costs(_ram_quota_guard(), overhead);
|
2017-05-08 19:55:54 +02:00
|
|
|
}
|
2011-12-22 16:19:25 +01:00
|
|
|
|
Capability quota accounting and trading
This patch mirrors the accounting and trading scheme that Genode employs
for physical memory to the accounting of capability allocations.
Capability quotas must now be explicitly assigned to subsystems by
specifying a 'caps=<amount>' attribute to init's start nodes.
Analogously to RAM quotas, cap quotas can be traded between clients and
servers as part of the session protocol. The capability budget of each
component is maintained by the component's corresponding PD session at
core.
At the current stage, the accounting is applied to RPC capabilities,
signal-context capabilities, and dataspace capabilities. Capabilities
that are dynamically allocated via core's CPU and TRACE service are not
yet covered. Also, the capabilities allocated by resource multiplexers
outside of core (like nitpicker) must be accounted by the respective
servers, which is not covered yet.
If a component runs out of capabilities, core's PD service prints a
warning to the log. To observe the consumption of capabilities per
component in detail, the PD service is equipped with a diagnostic
mode, which can be enabled via the 'diag' attribute in the target
node of init's routing rules. E.g., the following route enables the
diagnostic mode for the PD session of the "timer" component:
<default-route>
<service name="PD" unscoped_label="timer">
<parent diag="yes"/>
</service>
...
</default-route>
For subsystems based on a sub-init instance, init can be configured
to report the capability-quota information of its subsystems by
adding the attribute 'child_caps="yes"' to init's '<report>'
config node. Init's own capability quota can be reported by adding
the attribute 'init_caps="yes"'.
Fixes #2398
2017-05-08 21:35:43 +02:00
|
|
|
/*
|
|
|
|
* Each dataspace is an RPC object and thereby consumes a capability.
|
|
|
|
*/
|
Follow practices suggested by "Effective C++"
The patch adjust the code of the base, base-<kernel>, and os repository.
To adapt existing components to fix violations of the best practices
suggested by "Effective C++" as reported by the -Weffc++ compiler
argument. The changes follow the patterns outlined below:
* A class with virtual functions can no longer publicly inherit base
classed without a vtable. The inherited object may either be moved
to a member variable, or inherited privately. The latter would be
used for classes that inherit 'List::Element' or 'Avl_node'. In order
to enable the 'List' and 'Avl_tree' to access the meta data, the
'List' must become a friend.
* Instead of adding a virtual destructor to abstract base classes,
we inherit the new 'Interface' class, which contains a virtual
destructor. This way, single-line abstract base classes can stay
as compact as they are now. The 'Interface' utility resides in
base/include/util/interface.h.
* With the new warnings enabled, all member variables must be explicitly
initialized. Basic types may be initialized with '='. All other types
are initialized with braces '{ ... }' or as class initializers. If
basic types and non-basic types appear in a row, it is nice to only
use the brace syntax (also for basic types) and align the braces.
* If a class contains pointers as members, it must now also provide a
copy constructor and assignment operator. In the most cases, one
would make them private, effectively disallowing the objects to be
copied. Unfortunately, this warning cannot be fixed be inheriting
our existing 'Noncopyable' class (the compiler fails to detect that
the inheriting class cannot be copied and still gives the error).
For now, we have to manually add declarations for both the copy
constructor and assignment operator as private class members. Those
declarations should be prepended with a comment like this:
/*
* Noncopyable
*/
Thread(Thread const &);
Thread &operator = (Thread const &);
In the future, we should revisit these places and try to replace
the pointers with references. In the presence of at least one
reference member, the compiler would no longer implicitly generate
a copy constructor. So we could remove the manual declaration.
Issue #465
2017-12-21 15:42:15 +01:00
|
|
|
Cap_quota_guard::Reservation
|
|
|
|
dataspace_cap_costs(_cap_quota_guard(), Cap_quota{1});
|
Capability quota accounting and trading
This patch mirrors the accounting and trading scheme that Genode employs
for physical memory to the accounting of capability allocations.
Capability quotas must now be explicitly assigned to subsystems by
specifying a 'caps=<amount>' attribute to init's start nodes.
Analogously to RAM quotas, cap quotas can be traded between clients and
servers as part of the session protocol. The capability budget of each
component is maintained by the component's corresponding PD session at
core.
At the current stage, the accounting is applied to RPC capabilities,
signal-context capabilities, and dataspace capabilities. Capabilities
that are dynamically allocated via core's CPU and TRACE service are not
yet covered. Also, the capabilities allocated by resource multiplexers
outside of core (like nitpicker) must be accounted by the respective
servers, which is not covered yet.
If a component runs out of capabilities, core's PD service prints a
warning to the log. To observe the consumption of capabilities per
component in detail, the PD service is equipped with a diagnostic
mode, which can be enabled via the 'diag' attribute in the target
node of init's routing rules. E.g., the following route enables the
diagnostic mode for the PD session of the "timer" component:
<default-route>
<service name="PD" unscoped_label="timer">
<parent diag="yes"/>
</service>
...
</default-route>
For subsystems based on a sub-init instance, init can be configured
to report the capability-quota information of its subsystems by
adding the attribute 'child_caps="yes"' to init's '<report>'
config node. Init's own capability quota can be reported by adding
the attribute 'init_caps="yes"'.
Fixes #2398
2017-05-08 21:35:43 +02:00
|
|
|
|
2011-12-22 16:19:25 +01:00
|
|
|
/*
|
2017-05-11 15:03:03 +02:00
|
|
|
* Allocate physical dataspace
|
2017-05-08 19:55:54 +02:00
|
|
|
*
|
|
|
|
* \throw Out_of_ram
|
|
|
|
* \throw Out_of_caps
|
|
|
|
*/
|
2017-05-11 15:03:03 +02:00
|
|
|
Ram_dataspace_capability ram_ds = _ram_ds_factory.alloc(ds_size, cached);
|
2013-12-20 14:31:52 +01:00
|
|
|
|
2015-05-07 15:07:57 +02:00
|
|
|
/*
|
2017-05-11 15:03:03 +02:00
|
|
|
* We returned from '_ram_ds_factory.alloc' with a valid dataspace.
|
2015-05-07 15:07:57 +02:00
|
|
|
*/
|
2017-05-08 19:55:54 +02:00
|
|
|
dataspace_ram_costs.acknowledge();
|
Capability quota accounting and trading
This patch mirrors the accounting and trading scheme that Genode employs
for physical memory to the accounting of capability allocations.
Capability quotas must now be explicitly assigned to subsystems by
specifying a 'caps=<amount>' attribute to init's start nodes.
Analogously to RAM quotas, cap quotas can be traded between clients and
servers as part of the session protocol. The capability budget of each
component is maintained by the component's corresponding PD session at
core.
At the current stage, the accounting is applied to RPC capabilities,
signal-context capabilities, and dataspace capabilities. Capabilities
that are dynamically allocated via core's CPU and TRACE service are not
yet covered. Also, the capabilities allocated by resource multiplexers
outside of core (like nitpicker) must be accounted by the respective
servers, which is not covered yet.
If a component runs out of capabilities, core's PD service prints a
warning to the log. To observe the consumption of capabilities per
component in detail, the PD service is equipped with a diagnostic
mode, which can be enabled via the 'diag' attribute in the target
node of init's routing rules. E.g., the following route enables the
diagnostic mode for the PD session of the "timer" component:
<default-route>
<service name="PD" unscoped_label="timer">
<parent diag="yes"/>
</service>
...
</default-route>
For subsystems based on a sub-init instance, init can be configured
to report the capability-quota information of its subsystems by
adding the attribute 'child_caps="yes"' to init's '<report>'
config node. Init's own capability quota can be reported by adding
the attribute 'init_caps="yes"'.
Fixes #2398
2017-05-08 21:35:43 +02:00
|
|
|
dataspace_cap_costs.acknowledge();
|
2013-01-18 15:10:56 +01:00
|
|
|
|
2017-05-11 15:03:03 +02:00
|
|
|
return ram_ds;
|
2011-12-22 16:19:25 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
|
2017-05-11 20:03:28 +02:00
|
|
|
void Pd_session_component::free(Ram_dataspace_capability ds_cap)
|
2017-05-08 19:55:54 +02:00
|
|
|
{
|
2017-05-11 15:03:03 +02:00
|
|
|
if (this->cap() == ds_cap)
|
|
|
|
return;
|
|
|
|
|
|
|
|
size_t const size = _ram_ds_factory.dataspace_size(ds_cap);
|
|
|
|
if (size == 0)
|
|
|
|
return;
|
|
|
|
|
|
|
|
_ram_ds_factory.free(ds_cap);
|
|
|
|
|
|
|
|
/* physical memory */
|
|
|
|
_ram_account->replenish(Ram_quota{size});
|
|
|
|
|
|
|
|
/* capability of the dataspace RPC object */
|
2017-05-11 20:03:28 +02:00
|
|
|
_released_cap(DS_CAP);
|
2017-05-08 19:55:54 +02:00
|
|
|
}
|
2011-12-22 16:19:25 +01:00
|
|
|
|
|
|
|
|
2017-05-11 20:03:28 +02:00
|
|
|
size_t Pd_session_component::dataspace_size(Ram_dataspace_capability ds_cap) const
|
2017-05-07 23:49:43 +02:00
|
|
|
{
|
|
|
|
if (this->cap() == ds_cap)
|
|
|
|
return 0;
|
|
|
|
|
2017-05-11 15:03:03 +02:00
|
|
|
return _ram_ds_factory.dataspace_size(ds_cap);
|
2017-05-07 23:49:43 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
|
2017-05-11 20:03:28 +02:00
|
|
|
void Pd_session_component::ref_account(Capability<Pd_session> pd_cap)
|
2011-12-22 16:19:25 +01:00
|
|
|
{
|
2017-05-08 19:55:54 +02:00
|
|
|
/* the reference account can be defined only once */
|
2017-05-11 20:03:28 +02:00
|
|
|
if (_cap_account.constructed())
|
2017-05-08 12:33:56 +02:00
|
|
|
return;
|
|
|
|
|
2017-05-11 20:03:28 +02:00
|
|
|
if (this->cap() == pd_cap)
|
2017-05-08 12:33:56 +02:00
|
|
|
return;
|
2011-12-22 16:19:25 +01:00
|
|
|
|
2017-05-11 20:03:28 +02:00
|
|
|
_ep.apply(pd_cap, [&] (Pd_session_component *pd) {
|
2011-12-22 16:19:25 +01:00
|
|
|
|
2017-05-11 20:03:28 +02:00
|
|
|
if (!pd || !pd->_ram_account.constructed()) {
|
|
|
|
error("invalid PD session specified as ref account");
|
2017-05-08 12:33:56 +02:00
|
|
|
throw Invalid_session();
|
2017-05-08 19:55:54 +02:00
|
|
|
}
|
2011-12-22 16:19:25 +01:00
|
|
|
|
Follow practices suggested by "Effective C++"
The patch adjust the code of the base, base-<kernel>, and os repository.
To adapt existing components to fix violations of the best practices
suggested by "Effective C++" as reported by the -Weffc++ compiler
argument. The changes follow the patterns outlined below:
* A class with virtual functions can no longer publicly inherit base
classed without a vtable. The inherited object may either be moved
to a member variable, or inherited privately. The latter would be
used for classes that inherit 'List::Element' or 'Avl_node'. In order
to enable the 'List' and 'Avl_tree' to access the meta data, the
'List' must become a friend.
* Instead of adding a virtual destructor to abstract base classes,
we inherit the new 'Interface' class, which contains a virtual
destructor. This way, single-line abstract base classes can stay
as compact as they are now. The 'Interface' utility resides in
base/include/util/interface.h.
* With the new warnings enabled, all member variables must be explicitly
initialized. Basic types may be initialized with '='. All other types
are initialized with braces '{ ... }' or as class initializers. If
basic types and non-basic types appear in a row, it is nice to only
use the brace syntax (also for basic types) and align the braces.
* If a class contains pointers as members, it must now also provide a
copy constructor and assignment operator. In the most cases, one
would make them private, effectively disallowing the objects to be
copied. Unfortunately, this warning cannot be fixed be inheriting
our existing 'Noncopyable' class (the compiler fails to detect that
the inheriting class cannot be copied and still gives the error).
For now, we have to manually add declarations for both the copy
constructor and assignment operator as private class members. Those
declarations should be prepended with a comment like this:
/*
* Noncopyable
*/
Thread(Thread const &);
Thread &operator = (Thread const &);
In the future, we should revisit these places and try to replace
the pointers with references. In the presence of at least one
reference member, the compiler would no longer implicitly generate
a copy constructor. So we could remove the manual declaration.
Issue #465
2017-12-21 15:42:15 +01:00
|
|
|
_cap_account.construct(_cap_quota_guard(), _label, *pd->_cap_account);
|
|
|
|
_ram_account.construct(_ram_quota_guard(), _label, *pd->_ram_account);
|
2017-05-08 19:55:54 +02:00
|
|
|
});
|
2011-12-22 16:19:25 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
|
2017-05-11 20:03:28 +02:00
|
|
|
void Pd_session_component::transfer_quota(Capability<Pd_session> pd_cap,
|
|
|
|
Cap_quota amount)
|
|
|
|
{
|
|
|
|
if (!_cap_account.constructed())
|
|
|
|
throw Undefined_ref_account();
|
|
|
|
|
|
|
|
if (this->cap() == pd_cap)
|
|
|
|
return;
|
|
|
|
|
|
|
|
_ep.apply(pd_cap, [&] (Pd_session_component *pd) {
|
|
|
|
|
|
|
|
if (!pd || !pd->_cap_account.constructed())
|
|
|
|
throw Invalid_session();
|
|
|
|
|
|
|
|
try {
|
|
|
|
_cap_account->transfer_quota(*pd->_cap_account, amount);
|
|
|
|
diag("transferred ", amount, " caps "
|
|
|
|
"to '", pd->_cap_account->label(), "' (", _cap_account, ")");
|
|
|
|
}
|
|
|
|
catch (Account<Cap_quota>::Unrelated_account) {
|
|
|
|
warning("attempt to transfer cap quota to unrelated PD session");
|
|
|
|
throw Invalid_session(); }
|
|
|
|
catch (Account<Cap_quota>::Limit_exceeded) {
|
|
|
|
warning("cap limit (", *_cap_account, ") exceeded "
|
|
|
|
"during transfer_quota(", amount, ")");
|
|
|
|
throw Out_of_caps(); }
|
|
|
|
});
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
void Pd_session_component::transfer_quota(Capability<Pd_session> pd_cap,
|
|
|
|
Ram_quota amount)
|
2011-12-22 16:19:25 +01:00
|
|
|
{
|
2017-05-08 19:55:54 +02:00
|
|
|
if (!_ram_account.constructed())
|
|
|
|
throw Undefined_ref_account();
|
2016-11-06 14:26:34 +01:00
|
|
|
|
2017-05-11 20:03:28 +02:00
|
|
|
if (this->cap() == pd_cap)
|
2017-05-08 12:33:56 +02:00
|
|
|
return;
|
2016-11-06 14:26:34 +01:00
|
|
|
|
2017-05-11 20:03:28 +02:00
|
|
|
_ep.apply(pd_cap, [&] (Pd_session_component *pd) {
|
2017-05-08 19:55:54 +02:00
|
|
|
|
2017-05-11 20:03:28 +02:00
|
|
|
if (!pd || !pd->_ram_account.constructed())
|
2017-05-08 19:55:54 +02:00
|
|
|
throw Invalid_session();
|
|
|
|
|
|
|
|
try {
|
2017-05-11 20:03:28 +02:00
|
|
|
_ram_account->transfer_quota(*pd->_ram_account, amount); }
|
2017-05-08 19:55:54 +02:00
|
|
|
catch (Account<Ram_quota>::Unrelated_account) {
|
2017-05-11 20:03:28 +02:00
|
|
|
warning("attempt to transfer RAM quota to unrelated PD session");
|
2017-05-08 19:55:54 +02:00
|
|
|
throw Invalid_session(); }
|
|
|
|
catch (Account<Ram_quota>::Limit_exceeded) {
|
|
|
|
warning("RAM limit (", *_ram_account, ") exceeded "
|
|
|
|
"during transfer_quota(", amount, ")");
|
|
|
|
throw Out_of_ram(); }
|
|
|
|
});
|
2011-12-22 16:19:25 +01:00
|
|
|
}
|
|
|
|
|