This patch introduces the functions 'affinity' and 'num_cpus' to the CPU
session interface. The interface extension will allow the assignment of
individual threads to CPUs. At this point, it is just a stub with no
actual platform support.
Let the Fiasco.OC base platform succeed the cap_integrity run-script meaning
that it is not feasible anymore to fake a capability by using a valid one
together with a guessed local_name.
Rm_client is derived from Pager_object. If the Pager_object is also
derived from Thread_base (which is the case for NOVA) then the
Rm_client object must be destructed without holding the rm_session_object
lock. The native platform specific Thread_base implementation has to take
care that all in-flight page handling requests are finished before
destruction. On NOVA it is done by doing an IPC to the pager thread.
(performed in Pager_object::dissolve() in base-nova). The
called thread than executes its operation until end which also requires
in some cases to take the rm_session_object lock.
Since _client_slab insertion/deletion also must be performed
synchronized but can't be protected by the rm_session_object lock
because of the described dead_lock situation, we have
to use a synchronized allocator object to perform insertion and
deletion of Rm_clients.
Use git to get recent kernels from github. Adjust NOVA patch to compile
with recent github version. Patch and use makefile of NOVA microkernel
to avoid duplicated (and outdated) makefile in Genode
Furthermore, this patch adds support for using NOVA on x86_64. The
generic part of the syscall bindings has been moved to
'base-nova/include/nova/syscall-generic.h'. The 32/64-bit specific
parts are located at 'base-nova/include/32bit/nova/syscalls.h' and
'base-nova/include/64bit/nova/syscalls.h' respectively.
On x86_64, the run environment boots qemu using the Pulsar boot loader
because GRUB legacy does not support booting 64bit ELF executables.
In addition to the NOVA-specific changes in base-nova, this patch
rectifies compile-time warnings or build errors in the 'ports' and
'libports' repositories that are related to NOVA x86_64 (i.e., Vancouver
builds for 32bit only and needed an adaptation to NOVAs changed
bindings)
Fixes#233, fixes#234
This patch extends the RAM session interface with the ability to
allocate DMA buffers. The client specifies the type of RAM dataspace to
allocate via the new 'cached' argument of the 'Ram_session::alloc()'
function. By default, 'cached' is true, which correponds to the common
case and the original behavior. When setting 'cached' to 'false', core
takes the precautions needed to register the memory as uncached in the
page table of each process that has the dataspace attached.
Currently, the support for allocating DMA buffers is implemented for
Fiasco.OC only. On x86 platforms, it is generally not needed. But on
platforms with more relaxed cache coherence (such as ARM), user-level
device drivers should always use uncacheable memory for DMA transactions.
The new 'genode_envp' variable declared in '_main.cc' allows libc
plugins to supplying custom environment pointers to the main function.
This is needed by 3rd-party software such as GNU make, which expects the
environment pointer as third argument of the main function.
This commit introduces placement new/delete, and a constructor for
Heap::Dataspace objects. It fixes the usage of uninitialized Dataspace
objects when expanding the heap that lead to problems in conjunction
with Native_capability smart-pointer in base-foc. Please refer to
issue #203.
This patch increases the stack size of entrypoint threads in the PCI and
PS/2 drivers, in the Terminal server and in the Signal service for 64-bit
Genode/Fiasco.OC built with -O0.
Fixes#198.
When a portion of the sliced heap gets freed, the corresponding block
gets removed from the list of blocks, and it's dataspace containing the
block gets detached, but it's destructor never gets called. This leads
to leaking capabilities, when Native_capability is implemented as
smart-pointer, because the destructor of Ram_dataspace_capability that
is part of the Block object gets never called.
If any operand of the '?' operator is of an unsigned type, the result
is unsigned by default. Thanks to Julian Stecklina for finding
this out.
Fixes#189.
With this patch clients of the RM service can state if they want a mapping
to be executable or not. This allows dataspaces to be mapped as
non-executable on Linux by default and as executable only if needed.
Partially fixes#176.
This patch introduces support for ROM sessions that update their
provided data during the lifetime of the session. The 'Rom_session'
interface had been extended with the new 'release()' and 'sigh()'
functions, which are needed to support the new protocol. All ROM
services have been updated to the new interface.
Furthermore, the patch changes the child policy of init
with regard to the handling of configuration files. The 'Init::Child'
used to always provide the ROM dataspace with the child's config file
via a locally implemented ROM service. However, for dynamic ROM
sessions, we need to establish a session to the real supplier of the ROM
data. This is achieved by using a new 'Child_policy_redirect_rom_file'
policy to handle the 'configfile' rather than handling the 'configfile'
case entirely within 'Child_config'.
To see the new facility in action, the new 'os/run/dynamic_config.run'
script provides a simple scenario. The config file of the test program
is provided by a service, which generates and updates the config data
at regular intervals.
In addition, new support has been added to let slaves use dynamic
reconfiguration. By using the new 'Child_policy_dynamic_rom_file', the
configuration of a slave can be changed dynamically at runtime via the
new 'configure()' function.
The config is provided as plain null-terminated string (instead of a
dataspace capability) because we need to buffer the config data anyway.
So there is no benefit of using a dataspace. For buffering configuration
data, a 'Ram_session' must be supplied. If no 'Ram_session' is specified
at construction time of a 'Slave_policy', no config is supplied to the
slave (which is still a common case).
An example for dynamically reconfiguring a slave is provided by
'os/run/dynamic_config_slave.run'.
The 'copy_to' function turned out to be not flexible enough to
accommodate the Noux fork mechanism. This patch removes the function,
adds an accessor for the capability destination and a compound type
'Native_capability::Raw' to be used wherever plain capability
information must be communicated.
By commit d287b9d893 the Native_capability
class changed fundamentally in the Fiasco.OC platform code of Genode. Thereby
the cap_integrity test got incompatible with it. This commit introduces a
separate test implementation for Fiasco.OC that does semantically the same
like the old test. Please refer to issue #161.
We cannot trust signal imprints received with signals to represent valid
pointers to signal contexts. After a signal context has been dissolved
from its receiver, a signal corresponding to the context might still be
in flight. Hence, we need a facility to check received signal imprints
against the list of valid contexts at reception time. The new
'Signal_context_registry' is a very simple attempt to create such a
facility.
This commit unifies the policy name for the template argument for
Native_capability_tpl to Cap_dst_policy, like suggested by Norman in the
discussion resulting from issue #145. Moreover, it takes the memcpy
operation for copying a Native_capability out of the template, which is
included by a significant bunch of files, and separates it in a library,
analog to the suggestion in issue #145.
To give the platform developer more freedom in how the Native_capability
class is internally implemented (e.g. turning it into a smart-pointer),
this patch removes the memcpy operation, when transfering the parent-capability
to a new process from the generic code, and let the implementation of the
platform-specific Native_capability decide how the transfer has to be done.
Please refer to issue #144.
Introduce a factory-, and dereference method for local capabilities. These are
capabilities that reference objects of services, which are known to be used
protection-domain internally only. To support the new Capability class methods
a protected constructor and accessor to the local object's pointer is needed
in the platform's capability base-classes. For further discussion details please
refer issue #139.
Separate spin-lock implementation from lock-implementation and put it into a
non-public header, so it can be re-used by the DDE kit's and Fiasco.OC's
capability-allocator spin lock. Fixes issue #123.
Replace 'Reg_array' in 'Genode::Mmio' by 'Register_array' and 'Subreg'
in 'Genode::Register', 'Genode::Mmio::Register'and
'Genode::Mmio::Register_array' by 'Bitfield'.
Update and beautify comments in the according headers and test programs.
'Reg_array' contains items whose width can be the width of the register
storage type at a max. Nethertheless they can be smaller and iterate all
subregs that are covered by the item width. The array uses as much
successive instances of its storage type as needed.
The test 'run/util_mmio' also tests these new features heavily.
The run script 'run/util_mmio.run' runs a test over basic
functionalities of 'Mmio::Register' and 'Mmio::Register::Subreg'. The
test covers the functions 'read' and 'bits', 'set', 'clear' and 'get'.
Inline function in 'Mmio::Register::Subreg' whose definition otherwise
looks ugly.
The MMIO access framework consists of an abstraction for a contiguous
MMIO area with a base address set dynamically. Within this class 'Mmio'
are declarations for 'Register' and 'Subreg'. These two can be
parameterized statically via template parameters to create arbitrary
MMIO structures.
Whereas 'Register' relies to a POD like subregion of 'Mmio', 'Subreg'
relies to a MMIO region within a specific 'Register' and therefore is
smaller or equal then the storage type of its superior 'Register'.
Furthermore with 'Reg_array' and 'Subreg_array', there exists the
possibility to handle arrays of uniform contiguous registers or subregs
by index. 'Subreg_array' therefore abstracts from the width boundary of
its superior 'Register' and handles a steady distance between its
members in addition. Both also check array size limits.
Related to issue #69.
The startup procedure of forked processes differs from Genode's
normal process creation by omitting all steps related to ELF loading
and the start of the main thread. To let the process lib support this
distinction, an invalid ELF-binary capability is handled as valid
argument now.
The new function 'Platform_env::reload_parent_cap' triggers a reload
of the parent capability and its respective resources. It is needed
during the bootstrap of a new process forked from an existing Noux
process.
This patch fixes printf errors caused by sign extension of values that
were supposed to be unsigned. Fixes#6. Also handles the case where
sizeof(long long) != sizeof(long).
This patch implements the support needed to handle exceptions that occur
during the construction of objects dynamically allocated via the
'Allocator' interface. In this case, the compiler automatically invokes
a special delete operator that takes the allocator type (as supplied to
'new') as second argument. The implementation of this delete operator
has been added to the 'cxx' library. Because the operator delete is
called without the size of the object, we can use only those allocators
that ignore the size argument of the free function and print a warning
otherwise. The added 'Allocator::need_size_for_free()' function is used
to distinguish safe and unsafe allocators.
Normally, the build system creates libraries as mere side effects of
building targets. There is no way to explicitly trigger the build of
libraries only. However, in some circumstances (for example for testing
the thorough build of all libraries) a mechanism for explicitly building
libraries would be convenient. This patch implements this feature. It
consists of two changes.
The new pseudo target at 'base/src/lib/target.mk' gathers all libraries
that are available in all repositories specified for the build directory
and makes its target depend on them. This way, by building 'lib', all
libraries would be traversed. However, in the (likely) situation that
those libraries include one or more invalid libraries (libraries with
unsatisfied build requirements), the build system would skip the target.
Hence, the second change introduces a new condition 'FORCE_BUILD_LIBS'
to the build system. By setting this variable to 'yes' in the 'target.mk'
file, we let the build system to traverse library dependencies for
all valid libraries regardless of the presence of any invalid library.
When using an ELF image as returned from the iso9660 server, such an
image is represented as a managed dataspace composed of various portions
of one RAM dataspace, each portion attached with a different offset.
Now, when mapping the text segment of the ELF image (usually starting at
0x1000 within the image), the code mapped at 0x1000 may correspond to
any offset within the RAM dataspace used by the iso9660 server. In
particular, the src-fault address (the one within the RAM dataspace) may
be higher than dst-fault address (somewhere just above 0x1000 where a
page-fault occurred). Thereby, 'curr_rm_base' may become negative
during the reverse lookup of 'Rm_client::pager'. This corner case used
to let the 'Fault_area::constrain' function return an invalid fault
area, and thereby let the reverse lookup fail. The improved version
explicitly checks for the address overflow condition and tries to
constrain the dst fault address to the largest possible log2 page within
the positive address range.
Properly account signal count in the explicit-reply path (when source-
client gets immediately unblocked by 'signal_session_component::submit').
This patch prevents the delivery of superfluous signals with num == 0.
