base-foc: fix capability index leak

Call the destructor of the thread context object on thread destruction to
remove any contained capability references.

Fixes #393.

base-foc/include/base/cap_alloc.h

@@ -16,6 +16,7 @@
 
 #include <base/cap_map.h>
 #include <base/native_types.h>
+#include <util/assert.h>
 
 namespace Genode {
 
@@ -77,6 +78,7 @@ namespace Genode {
 						return &_indices[i];
 					}
 				}
+				ASSERT(0, "cap index allocation failed");
 				return 0;
 			}
 
@@ -90,8 +92,10 @@ namespace Genode {
 				 */
 				T* obj = reinterpret_cast<T*>(kcap_to_idx(addr));
 
-				if (obj < &_indices[0] || obj >= &_indices[SZ])
+				if (obj < &_indices[0] || obj >= &_indices[SZ]) {
+					ASSERT(0, "cap index out of bounds");
 					throw Index_out_of_bounds();
+				}
 
 				return new (obj) T();
 			}
@@ -103,8 +107,10 @@ namespace Genode {
 				T* obj = static_cast<T*>(idx);
 				for (size_t i = 0; i < cnt; obj++, i++) {
 					/* range check given pointer address */
-					if (obj < &_indices[0] || obj >= &_indices[SZ])
+					if (obj < &_indices[0] || obj >= &_indices[SZ]) {
+						ASSERT(0, "cap index out of bounds");
 						throw Index_out_of_bounds();
+					}
 					delete obj;
 				}
 			}

base-foc/src/base/thread/thread.cc

@@ -89,6 +89,8 @@ void Thread_base::Context_allocator::free(Thread_base *thread_base)
 	Lock::Guard _lock_guard(_threads_lock);
 
 	_threads.remove(&thread_base->_list_element);
+
+	thread_base->_context->~Context();
 }
 
 
@@ -168,9 +170,9 @@ void Thread_base::_free_context()
 {
 	addr_t ds_addr = _context->stack_base - Native_config::context_area_virtual_base();
 	Ram_dataspace_capability ds_cap = _context->ds_cap;
+	_context_allocator()->free(this);
 	Genode::env_context_area_rm_session()->detach((void *)ds_addr);
 	Genode::env_context_area_ram_session()->free(ds_cap);
-	_context_allocator()->free(this);
 }