Commit graph

925 Commits

Author SHA1 Message Date
David Chisnall b908e6e12c Fix the process sandbox.
libfmt changed a bunch of things, snmalloc is no longer in the tree.
2023-02-08 16:55:50 +00:00
Matthew Parkinson e434183362
Linking to new repo for runtime. (#627) 2022-10-24 16:17:12 +01:00
Matthew Parkinson 6d2ca07b6a
Add cown_ptr::weak to the API (#625) 2022-10-14 15:24:41 +01:00
Matthew Parkinson 301a538bd4
Small improvement to epoch rejoin code (#621) 2022-10-13 14:25:16 +01:00
Erik Mavrinac 70d70fc89e
Pass through additional ADO env vars to AnyBuild (#622)
To improve joins of AnyBuild telemetry with ADO telemetry.
2022-10-13 14:23:19 +01:00
Matthew Parkinson c067ace3a8
Fix bug in weak reference counting (#624)
* Fix region_rc to use correct method

* Fix bug in weak reference count

The existing implementation has a bug in promoting a weak reference
count to strong.  This addresses this bug, and
documents the fix, and provides a proof of the properties using
starling.
2022-10-13 14:11:03 +01:00
Matthew Parkinson 36734fd5d0
Some refactoring of reference count manipulation (#623)
* GC old code.

* Fix harness for deterministic epoch order

* Add collection of simple tests for debugging.

* Reduce reference count

* Remove a guard variable.
2022-10-11 15:18:59 +01:00
Matthew Parkinson 7edea0394e
Epoch fix (#619)
* Enable preventing pre-emption in systematic testing.

It can be useful to force a collection of operations to occur at a
sensitive point in an algorithm.  This blocks systematic testing from
breaking them into smaller operations.

* Disable FPWB in SysTesting

In systematic testing, there is no need to perform
FlushProcessWriteBuffers.  The program is executing sequentially
already, so this is not required.

* Fix bug in epoch mechanism

The logic was incorrectly determining if all the threads were in the
correct epoch.

The next commit will document this file.

* Make Asym lock return if it is the reentrant case.

* Add a few methods for checking the asym lock state

* Tidying and documentation of epoch mechanism

* Improve test coverage for noticeboard epoch usage

* Fixup changes to epoch mechanism

* Remove broken assert

* Increase frequency of epoch change

* White space

* Alter teardown to handle external threads.

* Fixup flushing.

* Fix atomic annotation

* Clangformat

* Minor

* CR with Sylvan

* Clangformat

* Improve rejoin protocol.

* Fix teardown leak.
2022-10-02 13:13:36 +01:00
Matthew Parkinson 1e9e46e0df
Update snmalloc (#620) 2022-09-30 14:25:02 +01:00
Matthew Parkinson 0bf233de8c
Remove leak detector (#617) 2022-09-29 09:57:14 +01:00
Luke Cheeseman e064cf576a
adding == and != comparison operators for cown_ptr and nullptr (#618)
* adding == and != comparison operators for cown_ptr and nullptr

* moving operator with member access inside struct

* adding nullptr assignment to cowns

* adding std to assignment operator
2022-09-28 18:42:00 +01:00
cui fliter 5bf2f75b7b
all: fix some typos (#616)
Signed-off-by: cui fliter <imcusg@gmail.com>
2022-09-20 09:14:28 +01:00
Matthew Parkinson 815741d2ce
Minor updates (#614)
* Win build fix.

* Update snmalloc.
2022-09-15 09:58:44 +01:00
ghosn adrien 4a41848d3e
Decoupling SchedulerThreads & Cown queues (#612) 2022-09-13 11:31:17 +01:00
Luke Cheeseman 61b55bc27c
Read-only Cowns (#595)
Co-authored-by: Matthew Parkinson <mattpark@microsoft.com>
2022-09-09 15:44:10 +01:00
Matthew Parkinson 49ee515333
Move header under conditional flag. (#613) 2022-09-05 17:54:32 +01:00
Matthew Parkinson 8f667eeea3
Remove assertion that is not true. (#610) 2022-09-01 18:25:44 +01:00
Matthew Parkinson 3e10870229
Consolidate allocation of message body (#609)
* Remove index as no longer needed.

* GC old code

* Optimise the multimessage body allocation

Prior to this commit the multimessage was composed of three allocations,
the body, the cowns array and the behaviour/closure to execute.  This
commit merges the three structures into a single
allocation.
2022-09-01 14:36:16 +01:00
Luke Cheeseman 84e0a1bd00
Add manual lock ordering to dining phils benchmark (#589)
* adding manual lock ordering for pthread dining philosophers benchmark

* do the index calculation only once in dining phils
2022-08-31 14:33:32 +01:00
Marios Kogias f9970e3921
Add Smallbank experiment (#601) 2022-08-31 13:43:35 +01:00
Matthew Parkinson 40862942a2
Optimise the RC for cown_ptr (#607) 2022-08-31 13:30:40 +01:00
Matthew Parkinson 956833494d
Fix #552 (#578)
Fixes #552. There was a sporadic memory leak only observed on Windows. This PR adds some logging that helped diagnose the issue, and fixes the issue.

The poller cown is decrefed by the external source, however this decref can occur
after the runtime has executed the teardown, and thus it leads to a memory
leak.

This commit changes the order so the last thing the external event source does
is decrease the event source count, and thus the runtime cannot begin teardown
until the external thread has completed all its actions.
2022-08-31 12:54:14 +01:00
Matthew Parkinson 2226b1c0cd
Fix `total_cowns` invariant (#608)
The variable `total_cowns` should be the length of the per-thread cown list.
This was not the case; this commit checks that this is the case, and correctly
updates it.
2022-08-30 17:47:10 +01:00
Matthew Parkinson cde8bcf647
Fix bug in C++ cown api (#603) 2022-07-12 18:02:27 +01:00
David Chisnall e2fe309320 Fix process sandbox for double faults.
The `snmalloc::message` function calls `fsync` on `stderr`.  With
Capsicum, this is an explicit permission and so tests that hit a code
path that did some logging (specifically, the curl test) in debug builds
during system call emulation would receive the second trap.

The first symptom of this is fixed by adding fsync permission to the
standard out / error file descriptors.  With that change, all of the
tests pass but the underlying problem remains: the signal is delivered
*after* return from the first system call, at which point it does not
have a sensible `ucontext` and things break in exciting ways
(sufficiently exciting that a debugger can't tell you anything useful).

The root cause is addressed by adding `SA_NODEFER` when registering the
signal handler.  This allows system calls that are used to emulate
other signal handlers to deliver their signals on top of the stack.  If
a system call is used in emulating itself, this still goes horribly
wrong, but in a way that's much easier to debug.

At the same time, use the SIGCAP support that is in process of being
upstreamed to FreeBSD.  This makes debugging Capsicum failures easier
because the debugger does not try to hide the signal from the
application whose correctness depends on handling it.
2022-07-12 10:22:38 +01:00
Matthew Parkinson 301482fe1a
Improved API for CPP (#598)
* Improved API for CPP

This introduces a namespace for the verona C++ api:
  verona::cpp

It also fixes a couple of move/copy constructor/operators.

* Fix assert, now assignment operator is correct.
2022-07-08 10:05:23 +01:00
Matthew Parkinson 95b3315efb
Updating snmalloc (#596) 2022-06-08 09:38:17 +01:00
David Chisnall 4d23e93ea6 [process-sandbox] Defence in depth
Add some deterministic initialisation to a buffer that is populated with
a variable-length attacker-controlled structure.

Fixes #561
2022-05-25 10:29:55 +01:00
David Chisnall 08cabb1a62 Try to fix the snmalloc update checker. 2022-05-20 13:48:13 +01:00
David Chisnall 5f4b094c95 Make sandbox allocation functions return an option type.
This forces the caller to check for allocation failure and not blindly
dereference the pointer and hit a null pointer.

Fixes #588
2022-05-20 13:48:13 +01:00
David Chisnall 23a0eeea3b Don't do blocking operations in the parent.
The sandbox can leave the sockets' buffers full and so in the parent we
should always do non-blocking operations.

This includes some refactoring to avoid code duplication.  The new
functions are now marked nodiscard and the resulting errors are fixed.

Fixes #583
Fixes #584
Fixes #586
2022-05-20 13:48:13 +01:00
Matthew Parkinson 67fc1bb53b
Update snmalloc (#591)
* Update snmalloc

* Updated sandbox.
2022-05-10 19:06:31 +01:00
Luke Cheeseman 37ed8e7491
Add copy assignment operator for cown_ptr (#590) 2022-05-08 20:43:02 +01:00
David Chisnall b75b96bd2b Add more validation for DeallocChunk messages
Fixes #574
Fixes #575
Fixes #576

Also set timeout on tests.
They all currently complete in <1s, so a 30s timeout is plenty.
2022-04-29 14:07:38 +01:00
Renato Golin dbd6da4c11 Organise people in docs 2022-04-27 18:08:48 +01:00
Renato Golin 51f286437e Update my page/photo on docs 2022-04-27 15:07:23 +01:00
Matthew Parkinson 1cdcc8273b
C++ When support (#572)
* WIP: Add some perf benchmarking

* Try different experiment configs

- Implement optimal scheduling order to break the dining philosophers
  causality. Schedule first the even philosophers and then the odd ones.
- Break causality through scheduling an intermediate empty cown. The
  results of this configuration are highly variable but always better than
  the one with causal order.
- Implement a busy loop for the use of each fork. This removes the OS
  scheduling overheads.

* Add pthread experiment

* Break circular dependency

* Add automatic deadlock prevention

* Tidied example. (#5)

* Unified the pthread and verona benchmarks.

* Another benchmark

* Change params

* More changes.

* Add missing file.

* Rename

* Add bank and logger pthread bench

* Unifying next example.

* Updated the bank example.

* WIP

* Added a static assert to help with errors.

* Rearrange

* Clang format

* Copyright

* Fix assert.

* Code review

* Clangformat

* CR

* Remove ref count optimisation for now.

* Clangformat

Co-authored-by: Marios Kogias <marioskogias@gmail.com>
2022-04-25 20:17:57 +01:00
Matthew Parkinson e7e3e5d0f4 Event source lifetime with SharedPtr
This makes the lifetime of the event source allocation a shared_ptr to
make the lifetime clearer.  This was giving memory leaks previously
#552.
2022-04-25 19:27:59 +01:00
David Chisnall 26a0b4ee45
Report an error if getaddrinfo is called with an invalid argument. (#570)
Fixes #568
2022-04-21 10:29:22 +01:00
Matthew Parkinson 9692e28dde Remove original acquire one
The semantics of AcquireAll appears superior in almost every way to the
original chain of acquiring cowns.  This
commit removes the original semantics.
2022-04-21 09:14:25 +01:00
David Chisnall cb3c14d62c
Fix DoS from the sandbox. (#567)
If the sandbox tried writing incomplete messages to the parent, or
not reading responses, it was possible to end up with a blocking read or
write call and either an infinite loop or the parent crashing.

Fixes #566
2022-04-19 17:06:21 +01:00
David Chisnall 525156101e
Add some missing checks. (#565)
Includes a test case derived from @saaramar's example.

Also fix another corner case:

The child can set the remote pointer for any allocation, to anywhere in
the shared memory region.  This region also includes the memory that
contains the parent's message queue for the sandbox.  Not checking this
meant that the sandbox was able to persuade the parent that it owned
a memory chunk, with the metadata pointer completely under the control
of the attacker.

Fixes #562
2022-04-19 14:27:05 +01:00
David Chisnall 982bb7e4d6 [NFC] Add a comment about metadata ownership.
Addresses the confusion in #563
2022-04-19 10:04:00 +01:00
David Chisnall 77dde60984 The prior version of snmalloc was a PR branch, not main. 2022-04-19 09:50:00 +01:00
David Chisnall cd77fd469a Add some defence in depth for the getaddrinfo host call.
This function takes a `hint` parameter that uses the same structure as
the return type, but ignores all except for four fields.  The others are
required to be null.

It is possible that a buggy implementation of the checker could
try to dereference the pointer fields.  By zeroing them at the boundary,
we add some defence in depth.

@saaramar concluded that this was not currently a security issue but the
fact that it showed up on his review at all suggests that the security
properties of the code are insufficiently clear, since the existing code
was safe only in the presence of the specific behaviour of the callee
implementation.
2022-04-14 12:15:30 +01:00
David Chisnall a312df1d64 Fix missing check for path canonicalisation.
bug found by @saaramar.

This is not exploitable, because the `/..` doesn't exist, but it may
hide other bugs.
2022-04-14 11:46:53 +01:00
David Chisnall 7892507cc1 Remove accidental debugging code. 2022-04-13 17:10:26 +01:00
David Chisnall 086575ab36
Fix a bug in bounds checking that @saaramar found. (#555)
Also add a test to make sure that it stays fixed.
2022-04-13 15:15:46 +01:00
David Chisnall 950cd20d08
Update for new snmalloc. (#554) 2022-04-11 17:06:45 +01:00
Matthew Parkinson 48d3ac28bf Alter mark_sleeping notify
Only return a notification if the queue only contains the notification.
2022-03-24 11:55:46 +00:00