ehmry/genode
ehmry
/
genode
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity
genode/repos/base-foc/src/base/ipc/ipc.cc

370 lines
9.2 KiB
C++
Raw Normal View History

Imported Genode release 11.11
2011-12-22 16:19:25 +01:00
/*
* \brief Implementation of the IPC API for Fiasco.OC
* \author Stefan Kalkowski
* \date 2009-12-03
*/
/*
Update copyright headers to 2013
2013-01-10 21:44:47 +01:00
* Copyright (C) 2009-2013 Genode Labs GmbH
Imported Genode release 11.11
2011-12-22 16:19:25 +01:00
*
* This file is part of the Genode OS framework, which is distributed
* under the terms of the GNU General Public License version 2.
*/
/*
* l4_msgtag_t (size == 1 mword) format:
*
* --------------------------------------------------------------
* | label | 4 Bit flags | 6 Bit items | 6 Bit word count |
* --------------------------------------------------------------
*/
/* Genode includes */
#include <base/blocking.h>
#include <base/ipc.h>
#include <base/ipc_msgbuf.h>
#include <base/thread.h>
Unify 'ipc.h' and 'ipc_generic.h' across platforms The distinction between 'ipc.h' and 'ipc_generic.h' is no more. The only use case for platform-specific extensions of the IPC support was the marshalling of capabilities. However, this case is accommodated by a function interface ('_marshal_capability', '_unmarshal_capability'). By moving the implementation of these functions from the headers into the respective ipc libraries, we can abandon the platform-specific 'ipc.h' headers.
2013-02-13 22:41:07 +01:00
#include <util/assert.h>
Imported Genode release 11.11
2011-12-22 16:19:25 +01:00
base: uniform base-internal header structure This patch establishes a common organization of header files internal to the base framework. The internal headers are located at '<repository>/src/include/base/internal/'. This structure has been choosen to make the nature of those headers immediately clear when included: #include <base/internal/lock_helper.h> Issue #1832
2016-01-20 18:27:18 +01:00
/* base-internal includes */
#include <base/internal/lock_helper.h> /* for 'thread_get_my_native_id()' */
Imported Genode release 11.11
2011-12-22 16:19:25 +01:00
/* Fiasco.OC includes */
namespace Fiasco {
#include <l4/sys/consts.h>
#include <l4/sys/ipc.h>
#include <l4/sys/types.h>
#include <l4/sys/utcb.h>
#include <l4/sys/kdebug.h>
}
using namespace Genode;
using namespace Fiasco;
Unify 'ipc.h' and 'ipc_generic.h' across platforms The distinction between 'ipc.h' and 'ipc_generic.h' is no more. The only use case for platform-specific extensions of the IPC support was the marshalling of capabilities. However, this case is accommodated by a function interface ('_marshal_capability', '_unmarshal_capability'). By moving the implementation of these functions from the headers into the respective ipc libraries, we can abandon the platform-specific 'ipc.h' headers.
2013-02-13 22:41:07 +01:00
/*****************************
** IPC marshalling support **
*****************************/
void Ipc_ostream::_marshal_capability(Native_capability const &cap)
{
if (cap.valid()) {
if (!l4_msgtag_label(l4_task_cap_valid(L4_BASE_TASK_CAP, cap.dst()))) {
_write_to_buf(0);
return;
}
}
/* transfer capability id */
_write_to_buf(cap.local_name());
/* only transfer kernel-capability if it's a valid one */
if (cap.valid())
_snd_msg->snd_append_cap_sel(cap.dst());
ASSERT(!cap.valid() ||
l4_msgtag_label(l4_task_cap_valid(L4_BASE_TASK_CAP, cap.dst())),
"Send invalid cap");
}
void Ipc_istream::_unmarshal_capability(Native_capability &cap)
{
long value = 0;
/* extract capability id from message buffer */
_read_from_buf(value);
/* if id is zero an invalid capability was transfered */
if (!value) {
cap = Native_capability();
return;
}
/* try to insert received capability in the map and return it */
cap = Native_capability(cap_map()->insert_map(value, _rcv_msg->rcv_cap_sel()));
}
Imported Genode release 11.11
2011-12-22 16:19:25 +01:00
/***************
** Utilities **
***************/
enum Debug {
DEBUG_MSG = 0,
HALT_ON_ERROR = 0
};
Fiasco.OC: introduce Cap_index (fixes #149, #112) This commit introduces a Cap_index class for Fiasco.OC's capabilities. A Cap_index is a combination of the global capability id, that is used by Genode to correctly identify a kernel-object, and a corresponding entry in a protection-domain's (kernel-)capability-space. The cap-indices are non-copyable, unique objects, that are held in a Cap_map. The Cap_map is used to re-find capabilities already present in the protection-domain, when a capability is received via IPC. The retrieval of capabilities effectively fixes issue #112, meaning the waste of capability-space entries. Because Cap_index objects are non-copyable (their address indicates the position in the capability-space of the pd), they are inappropriate to use as Native_capability. Therefore, Native_capability is implemented as a reference to Cap_index objects. This design seems to be a good pre-condition to implement smart-pointers for entries in the capability-space, and thereby closing existing leaks (please refer to issue #32). Cap_index, Cap_map, and the allocator for Cap_index objects are designed in a way, that it should be relatively easy to apply the same concept to NOVA also. By now, these classes are located in the `base-foc` repository, but they intentionally contain no Fiasco.OC specific elements. The previously explained changes had extensive impact on the whole Fiasco.OC platform implementation, due to various dependencies. The following things had to be changed: * The Thread object's startup and destruction routine is re-arranged, to enable another thread (that calls the Thread destructor) gaining the capability id of the thread's gate to remove it from the Cap_map, the thread's UTCB had to be made available to the caller, because there is the current location of that id. After having the UTCB available in the Thread object for that reason, the whole thread bootstrapping could be simplified. * In the course of changing the Native_capability's semantic, a new Cap_mapping class was introduced in core, that facilitates the establishment and destruction of capability mappings between core and it's client's, especially mappings related to Platform_thread and Platform_task, that are relevant to task and thread creation and destruction. Thereby, the destruction of threads had to be reworked, which effectively removed a bug (issue #149) where some threads weren't destroyed properly. * In the quick fix for issue #112, something similar to the Cap_map was introduced available in all processes. Moreover, some kind of a capability map already existed in core, to handle cap-session request properly. The introduction of the Cap_map unified both structures, so that the cap-session component code in core had to be reworked too. * The platform initialization code had to be changed sligthly due to the changes in Native_capability * The vcpu initialization in the L4Linux support library had to be adapted according to the already mentioned changes in the Thread object's bootstrap code.
2012-03-15 12:41:24 +01:00
static inline bool ipc_error(l4_msgtag_t tag, bool print)
Imported Genode release 11.11
2011-12-22 16:19:25 +01:00
{
int ipc_error = l4_ipc_error(tag, l4_utcb());
if (ipc_error) {
if (print) {
outstring("Ipc error: ");
outhex32(ipc_error);
outstring(" occurred!\n");
}
if (HALT_ON_ERROR)
enter_kdebug("Ipc error");
return true;
}
return false;
}
/**
* Copy message registers from UTCB to destination message buffer
*/
static void copy_utcb_to_msgbuf(l4_msgtag_t tag, Msgbuf_base *rcv_msg)
{
unsigned num_msg_words = l4_msgtag_words(tag);
unsigned num_cap_sel = l4_msgtag_items(tag);
if (num_msg_words == 0 && num_cap_sel == 0)
return;
/* look up and validate destination message buffer to receive the payload */
l4_mword_t *msg_buf = (l4_mword_t *)rcv_msg->buf;
if (num_msg_words*sizeof(l4_mword_t) > rcv_msg->size()) {
if (DEBUG_MSG)
outstring("receive message buffer too small");
num_msg_words = rcv_msg->size()/sizeof(l4_mword_t);
}
/* read message payload into destination message buffer */
l4_mword_t *src = (l4_mword_t *)l4_utcb_mr();
l4_mword_t *dst = (l4_mword_t *)&msg_buf[0];
for (unsigned i = 0; i < num_msg_words; i++)
*dst++ = *src++;
rcv_msg->rcv_reset();
}
/**
* Copy message registers from message buffer to UTCB and create message tag.
*/
static l4_msgtag_t copy_msgbuf_to_utcb(Msgbuf_base *snd_msg, unsigned offset,
Native_capability dst)
{
l4_mword_t *msg_buf = (l4_mword_t *)snd_msg->buf;
unsigned num_msg_words = offset/sizeof(l4_mword_t);
unsigned num_cap_sel = snd_msg->snd_cap_sel_cnt();
if (num_msg_words + 2 * num_cap_sel > L4_UTCB_GENERIC_DATA_SIZE) {
if (DEBUG_MSG)
outstring("receive message buffer too small");
throw Ipc_error();
}
/* first copy target label to message buffer */
msg_buf[0] = dst.local_name();
/* store message into UTCB message registers */
for (unsigned i = 0; i < num_msg_words; i++)
l4_utcb_mr()->mr[i] = msg_buf[i];
/* setup flexpages of capabilities to send */
for (unsigned i = 0; i < num_cap_sel; i++) {
unsigned idx = num_msg_words + 2*i;
l4_utcb_mr()->mr[idx] = L4_ITEM_MAP/* | L4_ITEM_CONT*/;
l4_utcb_mr()->mr[idx + 1] = l4_obj_fpage(snd_msg->snd_cap_sel(i),
0, L4_FPAGE_RWX).raw;
}
/* we have consumed capability selectors, reset message buffer */
snd_msg->snd_reset();
return l4_msgtag(0, num_msg_words, num_cap_sel, 0);
}
/*****************
** Ipc_ostream **
*****************/
void Ipc_ostream::_send()
{
l4_msgtag_t tag = copy_msgbuf_to_utcb(_snd_msg, _write_offset, _dst);
Rename tid() to dst() in Native_capability. As suggested by Norman in the discussion of issue #145, this commit renames the tid() accessor in Native_capability to dst().
2012-03-09 12:25:11 +01:00
tag = l4_ipc_send(_dst.dst(), l4_utcb(), tag, L4_IPC_NEVER);
Imported Genode release 11.11
2011-12-22 16:19:25 +01:00
if (ipc_error(tag, DEBUG_MSG))
throw Ipc_error();
_write_offset = sizeof(l4_mword_t);
}
Ipc_ostream::Ipc_ostream(Native_capability dst, Msgbuf_base *snd_msg)
:
Ipc_marshaller(&snd_msg->buf[0], snd_msg->size()),
_snd_msg(snd_msg), _dst(dst)
{
_write_offset = sizeof(l4_mword_t);
}
/*****************
** Ipc_istream **
*****************/
gdb_monitor: improve the backtrace test With this patch, functions which execute blocking syscalls on Fiasco.OC are built with frame pointers to get a correct backtrace shown in GDB. Also, the backtrace test for a thread currently executing a syscall now traces the 'Genode::Thread_base::join()' function instead of 'Genode::sleep_forever()', because base-nova has a custom implementation of 'Genode::sleep_forever()' with a different backtrace than on Fiasco.OC. Fixes #1061.
2014-03-03 19:45:53 +01:00
/* Build with frame pointer to make GDB backtraces work. See issue #1061. */
__attribute__((optimize("-fno-omit-frame-pointer")))
__attribute__((noinline))
Imported Genode release 11.11
2011-12-22 16:19:25 +01:00
void Ipc_istream::_wait()
{
l4_umword_t label = 0;
addr_t rcv_cap_sel = _rcv_msg->rcv_cap_sel_base();
for (int i = 0; i < Msgbuf_base::MAX_CAP_ARGS; i++) {
l4_utcb_br()->br[i] = rcv_cap_sel | L4_RCV_ITEM_SINGLE_CAP;
rcv_cap_sel += L4_CAP_SIZE;
}
l4_utcb_br()->bdr = 0;
l4_msgtag_t tag;
do {
tag = l4_ipc_wait(l4_utcb(), &label, L4_IPC_NEVER);
} while (ipc_error(tag, DEBUG_MSG));
Fiasco.OC: check invoked capability (fix #341) Let the Fiasco.OC base platform succeed the cap_integrity run-script meaning that it is not feasible anymore to fake a capability by using a valid one together with a guessed local_name.
2012-06-05 16:11:28 +02:00
/* copy received label into message buffer */
_rcv_msg->label(label);
Imported Genode release 11.11
2011-12-22 16:19:25 +01:00
/* copy message from the UTCBs message registers to the receive buffer */
copy_utcb_to_msgbuf(tag, _rcv_msg);
/* reset unmarshaller */
_read_offset = sizeof(l4_mword_t);
}
Ipc_istream::Ipc_istream(Msgbuf_base *rcv_msg)
:
Ipc_unmarshaller(&rcv_msg->buf[0], rcv_msg->size()),
Fiasco.OC: several capability ref-counter fixes. This commit fixes several issues that were triggered e.g. by the 'noux_tool_chain' run-script (fix #208 in part). The following problems are tackled: * Don't reference count capability selectors within a task that are actually controlled by core (all beneath 0x200000), because it's undecideable which "version" of a capability selector we currently use, e.g. a thread gets destroyed and a new one gets created immediately some other thread might have a Native_capability pointing to the already destroyed thread's gate capability-slot, that is now a new valid one (the one of the new thread) * In core we cannot invalidate and remove a capability from the so called Cap_map before each reference to it is destroyed, so don't do this in Cap_session_component::free, but only reference-decrement within there, the actual removal can only be done in Cap_map::remove. Because core also has to invalidate a capability to be removed in all protection-domains we have to implement a core specific Cap_map::remove method * When a capability gets inserted into the Cap_map, and we detect an old invalid entry with the dame id in the tree, don't just overmap that invalid entry (as there exist remaining references to it), but just remove it from the tree and allocate an new entry. * Use the Cap_session_component interface to free a Pager_object when it gets dissolved, as its also used for allocation
2012-08-29 15:52:18 +02:00
Native_capability((Cap_index*)Fiasco::l4_utcb_tcr()->user[Fiasco::UTCB_TCR_BADGE]),
Imported Genode release 11.11
2011-12-22 16:19:25 +01:00
_rcv_msg(rcv_msg)
{
_read_offset = sizeof(l4_mword_t);
}
Ipc_istream::~Ipc_istream() { }
/****************
** Ipc_client **
****************/
void Ipc_client::_call()
{
/* copy call message to the UTCBs message registers */
l4_msgtag_t tag = copy_msgbuf_to_utcb(_snd_msg, _write_offset, _dst);
addr_t rcv_cap_sel = _rcv_msg->rcv_cap_sel_base();
for (int i = 0; i < Msgbuf_base::MAX_CAP_ARGS; i++) {
l4_utcb_br()->br[i] = rcv_cap_sel | L4_RCV_ITEM_SINGLE_CAP;
rcv_cap_sel += L4_CAP_SIZE;
}
Rename tid() to dst() in Native_capability. As suggested by Norman in the discussion of issue #145, this commit renames the tid() accessor in Native_capability to dst().
2012-03-09 12:25:11 +01:00
tag = l4_ipc_call(_dst.dst(), l4_utcb(), tag, L4_IPC_NEVER);
Imported Genode release 11.11
2011-12-22 16:19:25 +01:00
if (l4_ipc_error(tag, l4_utcb()) == L4_IPC_RECANCELED)
throw Genode::Blocking_canceled();
if (ipc_error(tag, DEBUG_MSG))
throw Genode::Ipc_error();
/* copy request message from the UTCBs message registers */
copy_utcb_to_msgbuf(tag, _rcv_msg);
_write_offset = _read_offset = sizeof(umword_t);
}
base: count caps replied by a rpc function Issue #905
2013-09-16 10:50:15 +02:00
Ipc_client::Ipc_client(Native_capability const &srv, Msgbuf_base *snd_msg,
Msgbuf_base *rcv_msg, unsigned short)
Imported Genode release 11.11
2011-12-22 16:19:25 +01:00
: Ipc_istream(rcv_msg), Ipc_ostream(srv, snd_msg), _result(0) { }
/****************
** Ipc_server **
****************/
void Ipc_server::_prepare_next_reply_wait()
{
/* now we have a request to reply */
_reply_needed = true;
/* leave space for return value at the beginning of the msgbuf */
_write_offset = 2*sizeof(umword_t);
/* receive buffer offset */
_read_offset = sizeof(umword_t);
}
void Ipc_server::_wait()
{
/* wait for new server request */
try { Ipc_istream::_wait(); } catch (Blocking_canceled) { }
/* we only have an unknown implicit reply capability */
/* _dst = ???; */
_prepare_next_reply_wait();
}
void Ipc_server::_reply()
{
l4_msgtag_t tag = copy_msgbuf_to_utcb(_snd_msg, _write_offset, _dst);
tag = l4_ipc_send(L4_SYSF_REPLY, l4_utcb(), tag, L4_IPC_SEND_TIMEOUT_0);
Fiasco.OC: introduce Cap_index (fixes #149, #112) This commit introduces a Cap_index class for Fiasco.OC's capabilities. A Cap_index is a combination of the global capability id, that is used by Genode to correctly identify a kernel-object, and a corresponding entry in a protection-domain's (kernel-)capability-space. The cap-indices are non-copyable, unique objects, that are held in a Cap_map. The Cap_map is used to re-find capabilities already present in the protection-domain, when a capability is received via IPC. The retrieval of capabilities effectively fixes issue #112, meaning the waste of capability-space entries. Because Cap_index objects are non-copyable (their address indicates the position in the capability-space of the pd), they are inappropriate to use as Native_capability. Therefore, Native_capability is implemented as a reference to Cap_index objects. This design seems to be a good pre-condition to implement smart-pointers for entries in the capability-space, and thereby closing existing leaks (please refer to issue #32). Cap_index, Cap_map, and the allocator for Cap_index objects are designed in a way, that it should be relatively easy to apply the same concept to NOVA also. By now, these classes are located in the `base-foc` repository, but they intentionally contain no Fiasco.OC specific elements. The previously explained changes had extensive impact on the whole Fiasco.OC platform implementation, due to various dependencies. The following things had to be changed: * The Thread object's startup and destruction routine is re-arranged, to enable another thread (that calls the Thread destructor) gaining the capability id of the thread's gate to remove it from the Cap_map, the thread's UTCB had to be made available to the caller, because there is the current location of that id. After having the UTCB available in the Thread object for that reason, the whole thread bootstrapping could be simplified. * In the course of changing the Native_capability's semantic, a new Cap_mapping class was introduced in core, that facilitates the establishment and destruction of capability mappings between core and it's client's, especially mappings related to Platform_thread and Platform_task, that are relevant to task and thread creation and destruction. Thereby, the destruction of threads had to be reworked, which effectively removed a bug (issue #149) where some threads weren't destroyed properly. * In the quick fix for issue #112, something similar to the Cap_map was introduced available in all processes. Moreover, some kind of a capability map already existed in core, to handle cap-session request properly. The introduction of the Cap_map unified both structures, so that the cap-session component code in core had to be reworked too. * The platform initialization code had to be changed sligthly due to the changes in Native_capability * The vcpu initialization in the L4Linux support library had to be adapted according to the already mentioned changes in the Thread object's bootstrap code.
2012-03-15 12:41:24 +01:00
ipc_error(tag, DEBUG_MSG);
Imported Genode release 11.11
2011-12-22 16:19:25 +01:00
}
void Ipc_server::_reply_wait()
{
if (_reply_needed) {
l4_umword_t label;
addr_t rcv_cap_sel = _rcv_msg->rcv_cap_sel_base();
for (int i = 0; i < Msgbuf_base::MAX_CAP_ARGS; i++) {
l4_utcb_br()->br[i] = rcv_cap_sel | L4_RCV_ITEM_SINGLE_CAP;
rcv_cap_sel += L4_CAP_SIZE;
}
l4_utcb_br()->bdr &= ~L4_BDR_OFFSET_MASK;
l4_msgtag_t tag = copy_msgbuf_to_utcb(_snd_msg, _write_offset, _dst);
tag = l4_ipc_reply_and_wait(l4_utcb(), tag, &label, L4_IPC_SEND_TIMEOUT_0);
if (ipc_error(tag, false)) {
/*
* The error conditions could be a message cut (which
* we want to ignore on the server side) or a reply failure
* (for example, if the caller went dead during the call.
* In both cases, we do not reflect the error condition to
* the user but want to wait for the next proper incoming
* message. So let's just wait now.
*/
_wait();
} else {
Fiasco.OC: check invoked capability (fix #341) Let the Fiasco.OC base platform succeed the cap_integrity run-script meaning that it is not feasible anymore to fake a capability by using a valid one together with a guessed local_name.
2012-06-05 16:11:28 +02:00
/* copy received label into message buffer */
_rcv_msg->label(label);
Imported Genode release 11.11
2011-12-22 16:19:25 +01:00
/* copy request message from the UTCBs message registers */
copy_utcb_to_msgbuf(tag, _rcv_msg);
}
} else
_wait();
/* reply capability is implicit in fiasco.oc and unknown to us */
/* _dst = ???; */
_prepare_next_reply_wait();
}
Ipc_server::Ipc_server(Msgbuf_base *snd_msg,
Msgbuf_base *rcv_msg)
: Ipc_istream(rcv_msg),
Ipc_ostream(Native_capability(), snd_msg),
_reply_needed(false)
{ }