/*
* \brief Mapping of Genode's capability names to kernel capabilities.
* \author Alexander Boettcher
* \date 2013-08-26
*/
/*
* Copyright (C) 2013-2017 Genode Labs GmbH
*
* This file is part of the Genode OS framework, which is distributed
* under the terms of the GNU Affero General Public License version 3.
*/
/* Genode includes */
#include <base/log.h>
/* NOVA includes */
#include <nova/syscalls.h>
#include <nova/cap_map.h>
using namespace Genode;
/**
 * Return the capability map used by this component
 *
 * The map is a function-local static, so it is constructed on the first
 * call and the very same object is handed out on every later call.
 */
Capability_map &Genode::cap_map()
{
	static Capability_map instance;
	return instance;
}
/***********************
** Cap_index class **
***********************/
/**
 * Look up the cap range that matches selector 'id'
 *
 * The search starts at this node and walks down one level per step. The
 * child to visit is selected by 'id > _base' of the node just inspected.
 *
 * \param id  selector to look up
 * \return    first visited node for which '_match(id)' holds, or a null
 *            pointer if the walk runs out of children
 */
Cap_range *Cap_range::find_by_id(addr_t id)
{
	for (Cap_range *node = this; node; node = node->child(id > node->_base))
		if (node->_match(id))
			return node;

	return nullptr;
}
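/**
 * Increment the reference counter of slot 'id'
 *
 * \param id  index of the slot relative to the base selector of this range
 *
 * An index beyond the range, or a counter that cannot be incremented
 * without wrapping to zero, leaves all counters untouched and is reported
 * via 'error'.
 */
void Cap_range::inc(unsigned id)
{
	/*
	 * Reject indices beyond the counter array. 'Capability_map::insert'
	 * derives 'id' from a caller-supplied selector and count and validates
	 * only the first selector against this range, so without this check a
	 * block reaching past the end of the range would modify memory outside
	 * of '_cap_array'.
	 */
	if (id >= elements()) {
		error("cap reference counting error - index ", id,
		      " is outside of cap range with base ", _base);
		return;
	}

	bool overflow = false;
	{
		Lock::Guard guard(_lock);

		/*
		 * Probe the increment on a copy that has the counter's own type.
		 * The expression '_cap_array[id] + 1' is evaluated after integer
		 * promotion, so for an element type narrower than 'int' the
		 * comparison with 0 could never observe the wrap-around.
		 *
		 * NOTE(review): the element type of '_cap_array' is not visible
		 * here (presumably declared in nova/cap_map.h) - confirm that it
		 * is an unsigned type.
		 */
		auto next = _cap_array[id];
		next++;

		if (next == 0)
			overflow = true;
		else
			_cap_array[id] = next;
	}

	/* the message is issued after the lock guard went out of scope */
	if (overflow)
		error("cap reference counting error - reference overflow of cap=", _base + id);
}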
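/**
 * Decrement the reference counters of a block of slots
 *
 * \param id_start   index of the first slot, relative to the range base
 * \param revoke     if true, a slot whose counter is about to go from 1
 *                   to 0 is passed to 'Nova::drop' before the decrement
 * \param num_log_2  log2 of the number of slots in the block
 *
 * The block is clamped to the end of this range. A counter that is already
 * zero is left untouched, and the condition is reported once after the
 * lock guard went out of scope.
 */
void Cap_range::dec(unsigned const id_start, bool revoke, unsigned num_log_2)
{
	/*
	 * Number of slots requested. Shifting by the full width of the operand
	 * or more is undefined, so an oversized exponent is treated as "up to
	 * the end of the range" instead of being shifted.
	 */
	unsigned long const count = (num_log_2 < sizeof(unsigned long)*8)
	                          ? 1UL << num_log_2 : ~0UL;

	unsigned const max = elements();

	/*
	 * Clamp the block to the range by comparing against the remaining
	 * slots. Adding 'count' to 'id_start' first could wrap around and
	 * yield an end index below 'id_start'.
	 */
	unsigned end = id_start;
	if (id_start < max)
		end = (count < max - id_start)
		    ? id_start + static_cast<unsigned>(count) : max;

	bool underflow = false;
	{
		Lock::Guard guard(_lock);

		for (unsigned id = id_start; id < end; id++) {

			/* never decrement below zero, remember the inconsistency */
			if (_cap_array[id] == 0) {
				underflow = true;
				continue;
			}

			/* last reference of this slot, revoke it if requested */
			if (revoke && _cap_array[id] == 1)
				Nova::drop(Nova::Obj_crd(_base + id, 0));

			_cap_array[id]--;
		}
	}

	if (underflow)
		error("cap reference counting error - one counter of cap ",
		      "range ", _base + id_start, "+", count, " "
		      "has been already zero");
}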
/**
 * Allocate a block of '1 << num_log2' unused slots
 *
 * The search covers this range first and, if no block is found, continues
 * in the LEFT and then the RIGHT child.
 *
 * \param num_log2  log2 of the number of consecutive slots requested
 * \return          selector of the first slot ('_base' plus slot index),
 *                  or ~0UL if neither this range nor a child provides a
 *                  free block
 *
 * NOTE(review): 'num_log2' is shifted without a width check - values of
 * the bit width of 'unsigned long' or more are presumably excluded by the
 * callers, confirm.
 */
addr_t Cap_range::alloc(size_t const num_log2)
{
	/* number of slots in the requested block */
	addr_t const step = 1UL << num_log2;

	{
		/* counters are inspected and marked under the range lock */
		Lock::Guard guard(_lock);

		unsigned max = elements();
		addr_t last = _last;

		/*
		 * First pass: search from the position remembered in '_last' up
		 * to the end of the range. Second pass: search from slot 0 up to
		 * that remembered position. If '_last' is 0, 'max' becomes 0 after
		 * the first pass and the loop ends.
		 */
		do {

			/*
			 * Round the absolute selector '_base + last' up to a multiple
			 * of 'step' and convert it back to a slot index.
			 */
			unsigned i = ((_base + last + step - 1) & ~(step - 1)) - _base;
			unsigned j;

			/*
			 * NOTE(review): the strict '<' skips a block that would end
			 * exactly at 'max' - looks conservative, confirm it is
			 * intended.
			 */
			for (; i + step < max; i += step) {

				/* the block is usable only if every counter in it is zero */
				for (j = 0; j < step; j++)
					if (_cap_array[i+j])
						break;
				if (j < step)
					continue;

				/* mark each slot of the block with one reference */
				for (j = 0; j < step; j++)
					_cap_array[i+j] = 1;

				/* the next search in this range starts here */
				_last = i;
				return _base + i;
			}

			max = last;
			last = 0;

		} while (max);
	}

	/* the lock guard is out of scope here, continue with the children */
	Cap_range *child = this->child(LEFT);
	if (child) {
		addr_t res = child->alloc(num_log2);
		if (res != ~0UL)
			return res;
	}
	child = this->child(RIGHT);
	if (child) {
		addr_t res = child->alloc(num_log2);
		return res;
	}

	return ~0UL;
}
/****************************
** Capability_map class **
****************************/
/**
 * Create a 'Cap_index' for selector 'id'
 *
 * The index is built from the range found for 'id' and 'id' itself. The
 * range pointer is null if the tree is empty or the lookup finds no range.
 */
Cap_index Capability_map::find(Genode::addr_t id)
{
	Cap_range * const root  = _tree.first();
	Cap_range * const range = root ? root->find_by_id(id) : nullptr;

	return Cap_index(range, id);
}
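/**
 * Register a block of '1 << num_log_2' selectors in the map
 *
 * \param num_log_2  log2 of the number of selectors
 * \param sel        first selector of the block, or ~0UL to let the map
 *                   allocate a free block
 * \return           first selector of the block, or ~0UL if the exponent
 *                   is out of range, no block could be allocated, or no
 *                   range covers 'sel'
 *
 * For an explicit 'sel', the counter of each selector is incremented in
 * the range that covers it. If a later selector of the block is covered by
 * no range, the condition is logged and the remaining selectors are
 * skipped, which mirrors how 'remove' stops at a gap.
 */
addr_t Capability_map::insert(size_t const num_log_2, addr_t const sel)
{
	/* shifting by the operand width or more is undefined */
	if (num_log_2 >= sizeof(sel)*8) {
		error("cap insert error");
		return ~0UL;
	}

	Cap_range * const root = _tree.first();

	if (sel == ~0UL)
		return root ? root->alloc(num_log_2) : ~0UL;

	Cap_range * range = root ? root->find_by_id(sel) : nullptr;
	if (!range)
		return ~0UL;

	addr_t const count = 1UL << num_log_2;

	/* 'addr_t' counter, so the loop terminates for every valid exponent */
	for (addr_t i = 0; i < count; i++) {

		addr_t const id = sel + i;

		/*
		 * Only 'sel' itself was looked up above. Once the block leaves
		 * the current range, switch to the range covering 'id' instead
		 * of indexing past the end of the current counter array.
		 */
		if (id - range->base() >= range->elements()) {
			range = root->find_by_id(id);
			if (!range) {
				error("cap insert error - selector ", id,
				      " is not covered by any cap range");
				break;
			}
		}

		range->inc(id - range->base());
	}

	return sel;
}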
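/**
 * Drop one reference from each selector of a block
 *
 * \param sel        first selector of the block
 * \param num_log_2  log2 of the number of selectors
 * \param revoke     passed on to 'Cap_range::dec'
 *
 * The range covering 'sel' handles its part of the block. Whatever reaches
 * beyond that range is processed by recursive calls in power-of-two sized
 * pieces. Nothing happens if no range covers 'sel'.
 */
void Capability_map::remove(Genode::addr_t const sel, uint8_t num_log_2,
                            bool revoke)
{
	Cap_range * range = _tree.first() ? _tree.first()->find_by_id(sel) : 0;
	if (!range)
		return;

	/*
	 * Apply the same width check to the caller-supplied exponent that the
	 * loop below applies to the remainder. Shifting by the operand width
	 * or more is undefined.
	 */
	if (num_log_2 >= sizeof(sel)*8) {
		error("cap remove error");
		return;
	}

	range->dec(sel - range->base(), revoke, num_log_2);

	/* first selector behind the block and behind the range found above */
	Genode::addr_t last_sel = sel + (1UL << num_log_2);
	Genode::addr_t last_range = range->base() + range->elements();

	while (last_sel > last_range) {

		/* largest power-of-two piece that fits into the remainder */
		uint8_t left_log2 = log2(last_sel - last_range);

		/* take care for a case which should not happen */
		if (left_log2 >= sizeof(last_range)*8) {
			error("cap remove error");
			return;
		}

		remove(last_range, left_log2, revoke);

		last_range += 1UL << left_log2;
	}
}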