Currently, on the Arndale platform, core uses a different thread context
area base address than the other tasks (0x20000000 vs. 0x40000000). This
is problematic, because core calculates the location of the UTCB area of a
new thread relatively to core's own thread context area base. So, the UTCB
area of non-core threads ends up in a virtual address range which is
outside of the task's thread context area and not marked as used in the
task's RM session.
With this patch, the same thread context area base address gets used in
core and in the other tasks.
Fixes#779.
Originally, a thread was created at core not before calling the 'start'
function. In order to configure the thread affinity before starting the
thread, we have to make the thread known at core right at construction
time. This patch moves the needed thread-creation sequence from the
'start' function to the '_init_platform_thread' function.
With this patch, the 'futex' syscall gets used for blocking and unblocking
of threads in the Linux-specific lock implementation.
The 'Native_thread_id' type, which was previously used in the
lock-internal 'Applicant' class to identify a thread to be woken up,
was not suitable anymore for implementing this change. With this patch,
the 'Thread_base*' type gets used instead, which also has the positive
effect of making the public 'cancelable_lock.h' header file
platform-independent.
Fixes#646.
Make 'context_area_virtual_base' platform configurable. On Arndale, we
need to move the context area to a location that does not interfere with
the address range of physical memory.
The distinction between 'ipc.h' and 'ipc_generic.h' is no more. The only
use case for platform-specific extensions of the IPC support was the
marshalling of capabilities. However, this case is accommodated by a
function interface ('_marshal_capability', '_unmarshal_capability'). By
moving the implementation of these functions from the headers into the
respective ipc libraries, we can abandon the platform-specific 'ipc.h'
headers.
Add functionality to lookup an object and lock it. Additional the case is
handled that a object may be already in-destruction and the lookup will deny
returning the object.
The object_pool generalize the lookup and lock functionality of the rpc_server
and serve as base for following up patches to fix dangling pointer issues.
If no platform thread was created before somebody destroys a thread object,
there is no valid UTCB available. Thereby, we've to check this before accessing
the UTCB when destroying a thread object.
The generic 'sleep_forever()' function creates an Ipc_server object which
might not get cleaned up correctly when the thread gets destroyed and
unneeded capability references could remain and drain the capability index
allocator. With this patch a lock gets used on thread exit instead of
calling 'sleep_forever()'.
Fixes#538.
This patch introduces clean synchronization between the entrypoint
thread and the caller of the 'Rpc_entrypoint' destructor. The most
important change is the handling of the 'Ipc_server' destruction. This
object is in the local scope of the server's entry function. However,
since the server loop used to be an infinite loop, there was hardly any
chance to destruct the object in a clean way. Hence, the
'Rpc_entrypoint' destructor used to explicitly call '~Ipc_server'.
Unfortunately, this approach led to problems because there are indeed
rare cases where the server thread leaves the scope of the entry
function, namely uncaught exceptions. In such a case, the destructor
would have been called twice.
With the new protocol, we make sure to leave the scope of the entry
function and thereby destroy the 'Ipc_server' object as expected. This
is achieved by propagating the exit condition through a local RPC call
to the entrypoint. This way, the blocking state of the entrypoint
becomes unblocked. Furthermore, '~Rpc_entrypoint' makes use of the new
'join' function to wait for the completion of the server thread.
Using the new 'join()' function, the caller can explicitly block for the
completion of the thread's 'entry()' function. The test case for this
feature can be found at 'os/src/test/thread_join'. For hybrid
Linux/Genode programs, the 'Thread_base::join()' does not map directly
to 'pthread_join'. The latter function gets already called by the
destructor of 'Thread_base'. According to the documentation, subsequent
calls of 'pthread_join' for one thread may result in undefined behaviour.
So we use a 'Genode::Lock' on this platform, which is in line with the
other platforms.
Related to #194, #501
Implies support for the ARMv6 architecture through 'base-hw'.
Get rid of 'base/include/drivers' expect of 'base/include/drivers/uart'.
Merge with the support for trustzone on VEA9X4 that came from
Stefan Kalkowski.
Leave board drivers in 'base/include/platform'.
Rework structure of the other drivers that were moved to
'base_hw/src/core' and those that came with the trustzone support.
Beautify further stuff in 'base_hw'.
Test 'nested_init' with 'hw_imx31' (hardware) and 'hw_panda_a2' (hardware),
'demo' and 'signal' with 'hw_pbxa9' (qemu) and 'hw_vea9x4'
(hardware, no trustzone), and 'vmm' with 'hw_vea9x4'
(hardware, with trustzone).
This commit fixes several issues that were triggered e.g. by the
'noux_tool_chain' run-script (fix#208 in part). The following problems
are tackled:
* Don't reference count capability selectors within a task that are actually
controlled by core (all beneath 0x200000), because it's undecideable which
"version" of a capability selector we currently use, e.g. a thread gets
destroyed and a new one gets created immediately some other thread might
have a Native_capability pointing to the already destroyed thread's gate
capability-slot, that is now a new valid one (the one of the new thread)
* In core we cannot invalidate and remove a capability from the so called
Cap_map before each reference to it is destroyed, so don't do this in
Cap_session_component::free, but only reference-decrement within there,
the actual removal can only be done in Cap_map::remove. Because core also
has to invalidate a capability to be removed in all protection-domains
we have to implement a core specific Cap_map::remove method
* When a capability gets inserted into the Cap_map, and we detect an old
invalid entry with the dame id in the tree, don't just overmap that
invalid entry (as there exist remaining references to it), but just remove
it from the tree and allocate an new entry.
* Use the Cap_session_component interface to free a Pager_object when it
gets dissolved, as its also used for allocation
Let the Fiasco.OC base platform succeed the cap_integrity run-script meaning
that it is not feasible anymore to fake a capability by using a valid one
together with a guessed local_name.
This patch extends the RAM session interface with the ability to
allocate DMA buffers. The client specifies the type of RAM dataspace to
allocate via the new 'cached' argument of the 'Ram_session::alloc()'
function. By default, 'cached' is true, which correponds to the common
case and the original behavior. When setting 'cached' to 'false', core
takes the precautions needed to register the memory as uncached in the
page table of each process that has the dataspace attached.
Currently, the support for allocating DMA buffers is implemented for
Fiasco.OC only. On x86 platforms, it is generally not needed. But on
platforms with more relaxed cache coherence (such as ARM), user-level
device drivers should always use uncacheable memory for DMA transactions.
Introduce process global spin-lock for Cap_index's reference-counter
to avoid non-atomic increment/decrement of the counter. Here, we don't
use a static Spinlock object, because it's constructor wouldn't be
initialized before used for the first time.
The following fixes partly solve the problems triggered by the noux stress
test introduced by nfeske in issue #208.
* The check whether a capability exists in the Cap_map, and its insertion,
has to be done atomically
* While removing a capability it is looked up in the Cap_map via its id,
check whether the found capability pointer is the same like the looked up,
otherwise the wrong capability gets freed
* When a local capability is un- resp. marshalled, only the local pointer
gets transfered, not the redundant capability id
* Introduce several assertions and warnings to facilitate debugging
When unmarshalling capabilities it is checked, whether a capability with the
id was leaking, but this isn't done when creating a thread. Here the capability
is transfered indirectly via the thread state object. This patch checks for
old leakage capabilities while thread creation.
Implements Native_capability as smart-pointer type referencing Cap_index
objects. Whenever capabilities are copied, assigned, constructed, or destructed
the reference-counter of the Cap_index is incremented/decremented. When it
reaches zero the Cap_index is removed from the process-global cap_map and
gets freed. Fix for issue #32.
When the pager gets a pagefault, exception, pause, or wakeup request it's
always possible, that the corresponding thread gets destroyed between
receiving the message and looking up the thread's pager_object. This commit
unifies the check for a valid pager_object for each kind of requests to the
pager, thereby adds currently missing checks.
When constructing a thread object its capability is inserted into the
capability map. Normally this is done by the ipc-unmarshalling code, but
in this case the thread-capability isn't transfered via normal IPC, but in
a special form via the thread_state object. In contrast to the unmarshalling
code, the thread-startup code doesn't check, whether the capability-map
already contains a deprecated entry with the same capability id before
inserting the thread's capability. This commit add the necessary check.
Moreover, a check is added to the insertion methods of the capability-map
to verify that capability-allocation didn't failed.
Removing a Cap_index from Capability_map in core can happen twice, via
Cap_session_component or destructor of a Cap_mapping. That it's checked
whether the index is part of the map before removing it. This patch puts
the check into the remove method, so both operations are within the same
lock context, to remove a race condition.
This is a follow up fix for commit d287b9d893
This commit introduces a Cap_index class for Fiasco.OC's capabilities.
A Cap_index is a combination of the global capability id, that is used by Genode
to correctly identify a kernel-object, and a corresponding entry in a
protection-domain's (kernel-)capability-space. The cap-indices are non-copyable,
unique objects, that are held in a Cap_map. The Cap_map is used to re-find
capabilities already present in the protection-domain, when a capability is
received via IPC. The retrieval of capabilities effectively fixes issue #112,
meaning the waste of capability-space entries.
Because Cap_index objects are non-copyable (their address indicates the position
in the capability-space of the pd), they are inappropriate to use as
Native_capability. Therefore, Native_capability is implemented as a reference
to Cap_index objects. This design seems to be a good pre-condition to implement
smart-pointers for entries in the capability-space, and thereby closing existing
leaks (please refer to issue #32).
Cap_index, Cap_map, and the allocator for Cap_index objects are designed in a way,
that it should be relatively easy to apply the same concept to NOVA also. By now,
these classes are located in the `base-foc` repository, but they intentionally
contain no Fiasco.OC specific elements.
The previously explained changes had extensive impact on the whole Fiasco.OC
platform implementation, due to various dependencies. The following things had to
be changed:
* The Thread object's startup and destruction routine is re-arranged, to
enable another thread (that calls the Thread destructor) gaining the
capability id of the thread's gate to remove it from the Cap_map, the
thread's UTCB had to be made available to the caller, because there
is the current location of that id. After having the UTCB available
in the Thread object for that reason, the whole thread bootstrapping
could be simplified.
* In the course of changing the Native_capability's semantic, a new Cap_mapping
class was introduced in core, that facilitates the establishment and
destruction of capability mappings between core and it's client's, especially
mappings related to Platform_thread and Platform_task, that are relevant to
task and thread creation and destruction. Thereby, the destruction of
threads had to be reworked, which effectively removed a bug (issue #149)
where some threads weren't destroyed properly.
* In the quick fix for issue #112, something similar to the Cap_map was
introduced available in all processes. Moreover, some kind of a capability
map already existed in core, to handle cap-session request properly. The
introduction of the Cap_map unified both structures, so that the
cap-session component code in core had to be reworked too.
* The platform initialization code had to be changed sligthly due to the
changes in Native_capability
* The vcpu initialization in the L4Linux support library had to be adapted
according to the already mentioned changes in the Thread object's bootstrap
code.
This commit unifies the policy name for the template argument for
Native_capability_tpl to Cap_dst_policy, like suggested by Norman in the
discussion resulting from issue #145. Moreover, it takes the memcpy
operation for copying a Native_capability out of the template, which is
included by a significant bunch of files, and separates it in a library,
analog to the suggestion in issue #145.
This patch unifies the Native_capability classes for the different kernel
platforms by introducing an appropriate template, and eliminating naming
differences. Please refer issue #145.
Separate spin-lock implementation from lock-implementation and put it into a
non-public header, so it can be re-used by the DDE kit's and Fiasco.OC's
capability-allocator spin lock. Fixes issue #123.
The old variant provided 8K capability slots to all processes on core,
which increased binaries by 180 KB for the static allocator. I reduced it
to 4K capabilities stay under 100 KB overhead for the allocator.
Anyway, pci_drv and pl11x_drv need more RAM quota now: 2M for pl11x_drv
and 1M for pci_drv.
This is an interim fix for issue #112. This patch extends the
'Capability_allocator' class with the ability to register the global
ID of a Genode capability so that the ID gets associated with a
process-local kernel capability. Whenever a Genode capability gets
unmarshalled from an IPC message, the capability-allocator is asked,
with the global ID as key, whether the kernel-cap already exists.
This significantly reduces the waste of kernel-capability slots.
To circumvent problems of having one and the same ID for different kernel
objects, the following problems had to be solved:
* Replace pseudo IDs with unique ones from core's badge allocator
* When freeing a session object, free the global ID _after_ unmapping
the kernel object, otherwise the global ID might get re-used in some
process and the registry will find a valid but wrong capability
for the ID
Because core aggregates all capabilities of all different processes, its
capability registry needs much more memory compared to a regular process.
By parametrizing capability allocators differently for core and non-core
processes, the global memory overhead for capability registries is kept
at a reasonable level.
Norman Feske
Christian Prochaska
Sebastian Sumpf
Alexander Boettcher
Stefan Kalkowski
Martin Stein
Christian Helmuth
Genode Labs