vm: controller: add an auto-detach flag for vm-objects

CMakeLists.txt

@@ -1,4 +1,4 @@
-cmake_minimum_required(VERSION 3.13)
+cmake_minimum_required(VERSION 4.0)
 project(mango C ASM)
 
 if (NOT BUILD_TOOLS_DIR)
@@ -28,8 +28,6 @@ file(GLOB_RECURSE arch_sources_c arch/${kernel_arch}/*.c)
 file(GLOB_RECURSE arch_sources_asm arch/${kernel_arch}/*.S)
 file(GLOB_RECURSE arch_headers arch/${kernel_arch}/*.h)
 
-set_property(SOURCE ${arch_sources_asm} PROPERTY LANGUAGE C)
-
 add_executable(${kernel_exe_name}
 	${kernel_sources}
 	${kernel_headers}

arch/x86_64/asm-offset.c

@@ -28,4 +28,6 @@
 static void __used common(void)
 {
 	OFFSET(THREAD_sp, struct thread, tr_sp);
+	OFFSET(THREAD_fsbase, struct thread, tr_ml.tr_fsbase);
+	OFFSET(THREAD_gsbase, struct thread, tr_ml.tr_gsbase);
 }

arch/x86_64/config.cmake

@@ -1,4 +1,5 @@
 target_compile_options(${kernel_exe_name} PRIVATE
 	-z max-page-size=0x1000 -m64 -mcmodel=large -mno-red-zone -mno-mmx
 	-mno-sse -mno-sse2 -D_64BIT -DBYTE_ORDER=1234)
-target_link_libraries(${kernel_exe_name} "-z max-page-size=0x1000" "-T ${CMAKE_CURRENT_SOURCE_DIR}/arch/x86_64/layout.ld")
+target_link_libraries(${kernel_exe_name} "-static -z max-page-size=0x1000" "-T ${CMAKE_CURRENT_SOURCE_DIR}/arch/x86_64/layout.ld")
+

arch/x86_64/include/arch/msr.h

@@ -3,6 +3,7 @@
 
 #include <stdint.h>
 
+#define MSR_FS_BASE        0xC0000100
 #define MSR_GS_BASE        0xC0000101
 #define MSR_KERNEL_GS_BASE 0xC0000102
 

arch/x86_64/include/kernel/machine/thread.h

@@ -3,6 +3,10 @@
 
 #include <kernel/sched.h>
 
+struct ml_thread {
+	virt_addr_t tr_gsbase, tr_fsbase;
+};
+
 struct ml_cpu_context;
 
 /* switch from one thread to another. the stack of the `to` thread must have
@@ -28,4 +32,15 @@ extern kern_status_t ml_thread_prepare_user_context(
 	const uintptr_t *args,
 	size_t nr_args);
 
+extern kern_status_t ml_thread_config_get(
+	struct thread *thread,
+	kern_config_key_t key,
+	void *out,
+	size_t max);
+extern kern_status_t ml_thread_config_set(
+	struct thread *thread,
+	kern_config_key_t key,
+	const void *ptr,
+	size_t len);
+
 #endif

arch/x86_64/init.c

@@ -20,6 +20,8 @@
 #include <kernel/util.h>
 #include <kernel/vm.h>
 
+#undef HARDWARE_RNG
+
 #define PTR32(x)            ((void *)((uintptr_t)(x)))
 
 /* the physical address of the start of the memblock heap.
@@ -125,17 +127,21 @@ int ml_init(uintptr_t arg)
 		reserve_end = bsp.mod_base + bsp.mod_size;
 	}
 
+#if defined(HARDWARE_RNG)
 	if (ml_hwrng_available()) {
 		printk("cpu: ardware RNG available");
 		uint64_t seed = ml_hwrng_generate();
 		printk("cpu: RNG seed=%zx", seed);
 		init_random(seed);
 	} else {
+#endif
 		printk("cpu: hardware RNG unavailable");
 		uint64_t seed = 0xeddc4c8a679dc23f;
 		printk("cpu: RNG seed=%zx", seed);
 		init_random(seed);
+#if defined(HARDWARE_RNG)
 	}
+#endif
 
 	early_vm_init(reserve_end);
 

arch/x86_64/panic.c

@@ -175,7 +175,7 @@ static bool read_stack_frame(
 	struct stack_frame *out)
 {
 	if (bp >= VM_PAGEMAP_BASE) {
-		*out = *(struct stack_frame *)out;
+		*out = *(struct stack_frame *)bp;
 		return true;
 	}
 

arch/x86_64/pmap.c

@@ -100,7 +100,7 @@ static void delete_ptab(phys_addr_t pt)
 		return;
 	}
 
-	pt &= ~VM_PAGE_MASK;
+	pt = ENTRY_TO_PTR(pt);
 	if (!pt) {
 		/* physical address of 0x0, nothing to delete */
 		return;
@@ -117,7 +117,7 @@ static void delete_pdir(phys_addr_t pd)
 		return;
 	}
 
-	pd &= ~0x1FFFFFULL;
+	pd &= ENTRY_TO_PTR(pd);
 	if (!pd) {
 		/* physical address of 0x0, nothing to delete */
 		return;
@@ -241,6 +241,104 @@ static kern_status_t do_pmap_add(
 	return KERN_OK;
 }
 
+static kern_status_t do_pmap_remove(
+	pmap_t pmap,
+	virt_addr_t pv,
+	enum page_size size)
+{
+	unsigned int pml4t_index = BAD_INDEX, pdpt_index = BAD_INDEX,
+		     pd_index = BAD_INDEX, pt_index = BAD_INDEX;
+
+	switch (size) {
+	case PS_4K:
+		pml4t_index = (pv >> 39) & 0x1FF;
+		pdpt_index = (pv >> 30) & 0x1FF;
+		pd_index = (pv >> 21) & 0x1FF;
+		pt_index = (pv >> 12) & 0x1FF;
+		break;
+	case PS_2M:
+		pml4t_index = (pv >> 39) & 0x1FF;
+		pdpt_index = (pv >> 30) & 0x1FF;
+		pd_index = (pv >> 21) & 0x1FF;
+		break;
+	case PS_1G:
+		if (!can_use_gbpages) {
+			return KERN_UNSUPPORTED;
+		}
+		pml4t_index = (pv >> 39) & 0x1FF;
+		pdpt_index = (pv >> 30) & 0x1FF;
+		break;
+	default:
+		return KERN_INVALID_ARGUMENT;
+	}
+
+	/* 1. get PML4T (mandatory) */
+	struct pml4t *pml4t = vm_phys_to_virt(ENTRY_TO_PTR(pmap));
+	if (!pml4t) {
+		return KERN_OK;
+	}
+
+	/* 2. traverse PML4T, get PDPT (mandatory) */
+	struct pdpt *pdpt = NULL;
+	if (!pml4t->p_entries[pml4t_index]) {
+		return KERN_OK;
+	} else {
+		pdpt = vm_phys_to_virt(
+			ENTRY_TO_PTR(pml4t->p_entries[pml4t_index]));
+	}
+
+	/* if we're mapping a 1GiB page, we stop here */
+	if (size == PS_1G) {
+		if (pdpt->p_entries[pdpt_index] != 0) {
+			/* this slot points to a pdir, delete it.
+			   if this slot points to a hugepage, this does nothing
+			 */
+			delete_pdir(pdpt->p_entries[pdpt_index]);
+		}
+
+		pdpt->p_pages[pdpt_index] = 0;
+
+		return KERN_OK;
+	}
+
+	/* 3. traverse PDPT, get PDIR (optional, 4K and 2M only) */
+	struct pdir *pdir = NULL;
+	if (!pdpt->p_entries[pdpt_index]
+	    || pdpt->p_pages[pdpt_index] & PTE_PAGESIZE) {
+		/* entry is null, or points to a hugepage */
+		return KERN_OK;
+	} else {
+		pdir = vm_phys_to_virt(
+			ENTRY_TO_PTR(pdpt->p_entries[pdpt_index]));
+	}
+
+	/* if we're mapping a 2MiB page, we stop here */
+	if (size == PS_2M) {
+		if (pdir->p_entries[pd_index] != 0) {
+			/* this slot points to a ptab, delete it.
+			   if this slot points to a hugepage, this does nothing
+			 */
+			delete_ptab(pdir->p_entries[pd_index]);
+		}
+
+		pdir->p_pages[pd_index] = 0;
+		return KERN_OK;
+	}
+
+	/* 4. traverse PDIR, get PTAB (optional, 4K only) */
+	struct ptab *ptab = NULL;
+	if (!pdir->p_entries[pd_index]
+	    || pdir->p_pages[pd_index] & PTE_PAGESIZE) {
+		/* entry is null, or points to a hugepage */
+		return KERN_OK;
+	} else {
+		ptab = vm_phys_to_virt(ENTRY_TO_PTR(pdir->p_entries[pd_index]));
+	}
+
+	ptab->p_pages[pt_index] = 0;
+	return KERN_OK;
+}
+
 pmap_t get_kernel_pmap(void)
 {
 	return kernel_pmap;
@@ -314,8 +412,46 @@ pmap_t pmap_create(void)
 	return pmap;
 }
 
+static void delete_pdpt(phys_addr_t pd)
+{
+	if (pd & PTE_PAGESIZE) {
+		/* this entry points to a hugepage, nothing to delete */
+		return;
+	}
+
+	pd &= ENTRY_TO_PTR(pd);
+	if (!pd) {
+		/* physical address of 0x0, nothing to delete */
+		return;
+	}
+
+	struct pdpt *pdpt = vm_phys_to_virt(ENTRY_TO_PTR(pd));
+	for (int i = 0; i < 512; i++) {
+		if (pdpt->p_pages[i] & PTE_PAGESIZE) {
+			/* this is a hugepage, there is nothing to delete */
+			continue;
+		}
+
+		if (!pdpt->p_entries[i]) {
+			continue;
+		}
+
+		delete_ptab(pdpt->p_entries[i]);
+	}
+
+	kfree(pdpt);
+}
+
 void pmap_destroy(pmap_t pmap)
 {
+	struct pml4t *pml4t = vm_phys_to_virt(ENTRY_TO_PTR(pmap));
+	for (unsigned int i = 0; i < 256; i++) {
+		if (pml4t->p_entries[i]) {
+			delete_pdpt(pml4t->p_entries[i]);
+		}
+	}
+
+	kfree(pml4t);
 }
 
 static void log_fault(virt_addr_t fault_addr, enum pmap_fault_flags flags)
@@ -404,7 +540,7 @@ kern_status_t pmap_add_block(
 
 kern_status_t pmap_remove(pmap_t pmap, virt_addr_t p)
 {
-	return KERN_OK;
+	return do_pmap_remove(pmap, p, PS_4K);
 }
 
 kern_status_t pmap_remove_range(pmap_t pmap, virt_addr_t p, size_t len)

arch/x86_64/thread.c

@@ -1,5 +1,7 @@
+#include <arch/msr.h>
 #include <kernel/machine/cpu.h>
 #include <kernel/machine/thread.h>
+#include <kernel/thread.h>
 
 #define MAX_REG_ARGS 6
 #define REG_ARG_0    rdi
@@ -77,3 +79,52 @@ extern kern_status_t ml_thread_prepare_user_context(
 
 	return KERN_OK;
 }
+
+kern_status_t ml_thread_config_get(
+	struct thread *thread,
+	kern_config_key_t key,
+	void *out,
+	size_t max)
+{
+	return KERN_OK;
+}
+
+kern_status_t ml_thread_config_set(
+	struct thread *thread,
+	kern_config_key_t key,
+	const void *ptr,
+	size_t len)
+{
+	switch (key) {
+	case THREAD_CFG_FSBASE:
+		if (len != sizeof(thread->tr_ml.tr_fsbase)) {
+			return KERN_INVALID_ARGUMENT;
+		}
+
+		thread->tr_ml.tr_fsbase = *(virt_addr_t *)ptr;
+		if (thread == current_thread()) {
+			wrmsr(MSR_FS_BASE, thread->tr_ml.tr_fsbase);
+		}
+
+		break;
+	case THREAD_CFG_GSBASE:
+		if (len != sizeof(thread->tr_ml.tr_gsbase)) {
+			return KERN_INVALID_ARGUMENT;
+		}
+
+		thread->tr_ml.tr_gsbase = *(virt_addr_t *)ptr;
+		if (thread == current_thread()) {
+			/* we're in the kernel right now, so the user and kernel
+			 * gs-base registers are swapped. when we return to
+			 * usermode, this value will be swapped back into
+			 * the user gs-base register */
+			wrmsr(MSR_KERNEL_GS_BASE, thread->tr_ml.tr_gsbase);
+		}
+
+		break;
+	default:
+		return KERN_INVALID_ARGUMENT;
+	}
+
+	return KERN_OK;
+}

arch/x86_64/thread_switch.S

@@ -13,6 +13,22 @@ ml_thread_switch:
 	push %rax
 	push %rcx
 	push %rdx
+
+	// set fs-base
+	mov $0xC0000100, %rcx
+	movq THREAD_fsbase(%rsi), %rax
+	movq THREAD_fsbase(%rsi), %rdx
+	shr $32, %rdx
+	wrmsr
+
+	// set (kernel) gs-base (it will be swapped back into user-gs-base at
+	// the end of this function)
+	mov $0xC0000102, %rcx
+	movq THREAD_gsbase(%rsi), %rax
+	movq THREAD_gsbase(%rsi), %rdx
+	shr $32, %rdx
+	wrmsr
+
 	push %rbx
 	pushq $0
 	push %rbp

include/kernel/address-space.h

@@ -6,6 +6,7 @@
 #include <kernel/vm.h>
 
 #define ADDRESS_SPACE_COPY_ALL ((size_t)-1)
+#define ADDRESS_SPACE_F_
 
 struct address_space;
 struct vm_object;
@@ -17,6 +18,8 @@ struct vm_area {
 	 * will avoid the area, but fixed address mappings in this area
 	 * will succeed. */
 	struct vm_object *vma_object;
+	/* the address space that this vm_area is a part of */
+	struct address_space *vma_space;
 	/* used to link to vm_object->vo_mappings */
 	struct queue_entry vma_object_entry;
 	/* the memory protection flags applied to this area */
@@ -156,6 +159,12 @@ extern kern_status_t address_space_memmove_v(
 	size_t bytes_to_move,
 	size_t *nr_bytes_moved);
 
+extern kern_status_t address_space_translate(
+	struct address_space *space,
+	virt_addr_t in,
+	phys_addr_t *out,
+	unsigned long *irq_flags);
+
 void address_space_dump(struct address_space *region);
 
 DEFINE_OBJECT_LOCK_FUNCTION(address_space, s_base)

include/kernel/atomic.h

@@ -0,0 +1,66 @@
+#ifndef KERNEL_ATOMIC_H_
+#define KERNEL_ATOMIC_H_
+
+#include <stdbool.h>
+#include <stdint.h>
+
+typedef int64_t atomic_t;
+
+/* load and return the value pointed to by `v` */
+static inline atomic_t atomic_load(atomic_t *v)
+{
+	return __atomic_load_n(v, __ATOMIC_ACQUIRE);
+}
+/* store the value `v` to the pointer `dest` */
+static inline void atomic_store(atomic_t *dest, atomic_t v)
+{
+	__atomic_store_n(dest, v, __ATOMIC_ACQUIRE);
+}
+/* store the value `v` to the pointer `dest`, and return the value previously
+ * stored at `dest` */
+static inline atomic_t atomic_exchange(atomic_t *dest, atomic_t v)
+{
+	return __atomic_exchange_n(dest, v, __ATOMIC_ACQUIRE);
+}
+/* compare the contents of `ptr` to the contents of `expected`.
+ * if they match, store the value `desired` to the pointer `ptr` and return
+ * true. if the do NOT match, store the value `*ptr` to the pointer `desired`
+ * and return false.
+ */
+static inline bool atomic_compare_exchange(
+	atomic_t *ptr,
+	atomic_t *expected,
+	atomic_t desired)
+{
+	return __atomic_compare_exchange_n(
+		ptr,
+		expected,
+		desired,
+		false,
+		__ATOMIC_ACQUIRE,
+		__ATOMIC_ACQUIRE);
+}
+
+/* perform the operation *ptr += val, and return the result */
+static inline atomic_t atomic_add_fetch(atomic_t *ptr, atomic_t val)
+{
+	return __atomic_add_fetch(ptr, val, __ATOMIC_ACQUIRE);
+}
+/* perform the operation *ptr -= val, and return the result */
+static inline atomic_t atomic_sub_fetch(atomic_t *ptr, atomic_t val)
+{
+	return __atomic_sub_fetch(ptr, val, __ATOMIC_ACQUIRE);
+}
+
+/* perform the operation *ptr += val, and return the previous value of *ptr */
+static inline atomic_t atomic_fetch_add(atomic_t *ptr, atomic_t val)
+{
+	return __atomic_fetch_add(ptr, val, __ATOMIC_ACQUIRE);
+}
+/* perform the operation *ptr -= val, and return the previous value of *ptr */
+static inline atomic_t atomic_fetch_sub(atomic_t *ptr, atomic_t val)
+{
+	return __atomic_fetch_sub(ptr, val, __ATOMIC_ACQUIRE);
+}
+
+#endif

include/kernel/futex.h

@@ -0,0 +1,34 @@
+#ifndef KERNEL_FUTEX_H_
+#define KERNEL_FUTEX_H_
+
+#include <kernel/btree.h>
+#include <kernel/wait.h>
+#include <mango/types.h>
+
+struct task;
+struct address_space;
+
+typedef uintptr_t futex_key_t;
+
+struct futex {
+	struct btree_node f_node;
+
+	futex_key_t f_key;
+	struct waitqueue f_waiters;
+};
+
+extern kern_status_t futex_init(void);
+extern kern_status_t futex_get(
+	kern_futex_t *futex,
+	futex_key_t *out,
+	unsigned int flags);
+extern kern_status_t futex_wait(
+	futex_key_t futex,
+	kern_futex_t new_val,
+	unsigned int flags);
+extern kern_status_t futex_wake(
+	futex_key_t futex,
+	size_t nwaiters,
+	unsigned int flags);
+
+#endif

include/kernel/msg.h

@@ -13,6 +13,7 @@ enum kmsg_status {
 	KMSG_WAIT_RECEIVE,
 	KMSG_WAIT_REPLY,
 	KMSG_REPLY_SENT,
+	KMSG_ASYNC,
 };
 
 struct msg {
@@ -20,10 +21,26 @@ struct msg {
 	enum kmsg_status msg_status;
 	struct btree_node msg_node;
 	msgid_t msg_id;
-	kern_status_t msg_result;
 	struct port *msg_sender_port;
 	struct thread *msg_sender_thread;
-	kern_msg_t msg_req, msg_resp;
+	kern_status_t msg_result;
+	kern_msg_type_t msg_type;
+
+	union {
+		/* msg_type = KERN_MSG_TYPE_DATA */
+		struct {
+			kern_msg_t msg_req, msg_resp;
+		};
+
+		/* msg_type = KERN_MSG_TYPE_EVENT */
+		struct {
+			kern_msg_event_type_t msg_event;
+		};
+	};
 };
 
+extern void msg_init(void);
+extern struct msg *msg_alloc(void);
+extern void msg_free(struct msg *msg);
+
 #endif

include/kernel/object.h

@@ -1,6 +1,7 @@
 #ifndef KERNEL_OBJECT_H_
 #define KERNEL_OBJECT_H_
 
+#include <kernel/atomic.h>
 #include <kernel/flags.h>
 #include <kernel/locks.h>
 #include <kernel/vm.h>
@@ -79,10 +80,7 @@ enum object_type_flags {
 };
 
 struct object_ops {
-	kern_status_t (*destroy)(struct object *obj, struct queue *q);
+	kern_status_t (*destroy)(struct object *obj);
-	kern_status_t (*destroy_recurse)(
-		struct queue_entry *entry,
-		struct object **out);
 };
 
 struct object_type {
@@ -101,8 +99,7 @@ struct object {
 	struct object_type *ob_type;
 	spin_lock_t ob_lock;
 	uint32_t ob_signals;
-	unsigned int ob_refcount;
+	atomic_t ob_refcount;
-	unsigned int ob_handles;
 	struct queue_entry ob_list;
 	struct waitqueue ob_wq;
 } __aligned(sizeof(long));
@@ -114,8 +111,6 @@ extern kern_status_t object_type_unregister(struct object_type *p);
 extern struct object *object_create(struct object_type *type);
 extern struct object *object_ref(struct object *obj);
 extern void object_unref(struct object *obj);
-extern void object_add_handle(struct object *obj);
-extern void object_remove_handle(struct object *obj);
 extern void object_lock(struct object *obj);
 extern void object_unlock(struct object *obj);
 extern void object_lock_irqsave(struct object *obj, unsigned long *flags);

include/kernel/syscall.h

@@ -56,8 +56,30 @@ extern kern_status_t sys_task_create_thread(
 extern kern_status_t sys_task_get_address_space(
 	kern_handle_t task,
 	kern_handle_t *out);
+extern kern_status_t sys_task_config_get(
+	kern_handle_t task,
+	kern_config_key_t key,
+	void *ptr,
+	size_t len);
+extern kern_status_t sys_task_config_set(
+	kern_handle_t task,
+	kern_config_key_t key,
+	const void *ptr,
+	size_t len);
 
+extern kern_status_t sys_thread_self(kern_handle_t *out);
 extern kern_status_t sys_thread_start(kern_handle_t thread);
+extern kern_status_t sys_thread_exit(void);
+extern kern_status_t sys_thread_config_get(
+	kern_handle_t thread,
+	kern_config_key_t key,
+	void *ptr,
+	size_t len);
+extern kern_status_t sys_thread_config_set(
+	kern_handle_t thread,
+	kern_config_key_t key,
+	const void *ptr,
+	size_t len);
 
 extern kern_status_t sys_vm_object_create(
 	const char *name,
@@ -197,6 +219,15 @@ extern kern_status_t sys_vm_controller_supply_pages(
 	off_t src_offset,
 	size_t count);
 
+extern kern_status_t sys_futex_wait(
+	kern_futex_t *futex,
+	kern_futex_t new_val,
+	unsigned int flags);
+extern kern_status_t sys_futex_wake(
+	kern_futex_t *futex,
+	unsigned int nr_waiters,
+	unsigned int flags);
+
 extern virt_addr_t syscall_get_function(unsigned int sysid);
 
 #endif

include/kernel/task.h

@@ -27,7 +27,7 @@ struct task {
 	struct address_space *t_address_space;
 	spin_lock_t t_handles_lock;
 	struct handle_table *t_handles;
-	struct btree b_channels;
+	struct btree t_channels, t_futex;
 
 	struct btree_node t_tasklist;
 	struct queue_entry t_child_entry;
@@ -48,6 +48,7 @@ static inline void task_unref(struct task *task)
 {
 	object_unref(&task->t_base);
 }
+extern void task_exit(int status);
 extern kern_status_t task_add_child(struct task *parent, struct task *child);
 extern kern_status_t task_add_channel(
 	struct task *task,

include/kernel/thread.h

@@ -1,6 +1,7 @@
 #ifndef KERNEL_THREAD_H_
 #define KERNEL_THREAD_H_
 
+#include <kernel/machine/thread.h>
 #include <kernel/msg.h>
 #include <kernel/object.h>
 #include <kernel/vm-controller.h>
@@ -22,7 +23,7 @@ enum thread_flags {
 };
 
 struct thread {
-	struct object thr_base;
+	struct object tr_base;
 
 	enum thread_state tr_state;
 	enum thread_flags tr_flags;
@@ -38,15 +39,13 @@ struct thread {
 	virt_addr_t tr_ip, tr_sp, tr_bp;
 	virt_addr_t tr_cpu_user_sp, tr_cpu_kernel_sp;
 
+	struct ml_thread tr_ml;
 	struct runqueue *tr_rq;
-	struct msg tr_msg;
-	struct page_request tr_page_req;
 
 	struct queue_entry tr_parent_entry;
 	struct queue_entry tr_rqentry;
 
 	struct vm_page *tr_kstack;
-	struct vm_object *tr_ustack;
 };
 
 extern struct thread *thread_alloc(void);
@@ -60,8 +59,24 @@ extern kern_status_t thread_init_user(
 	size_t nr_args);
 extern int thread_priority(struct thread *thr);
 extern void thread_awaken(struct thread *thr);
+extern void thread_exit(void);
+extern void thread_join(struct thread *thread, unsigned long *irq_flags);
+extern void thread_kill(struct thread *thread);
 extern void idle(void);
 extern struct thread *create_kernel_thread(void (*fn)(void));
 extern struct thread *create_idle_thread(void);
 
+extern kern_status_t thread_config_get(
+	struct thread *thread,
+	kern_config_key_t key,
+	void *out,
+	size_t max);
+extern kern_status_t thread_config_set(
+	struct thread *thread,
+	kern_config_key_t key,
+	const void *ptr,
+	size_t len);
+
+DEFINE_OBJECT_LOCK_FUNCTION(thread, tr_base)
+
 #endif

include/kernel/vm-controller.h

@@ -13,13 +13,11 @@ enum page_request_status {
 	PAGE_REQUEST_PENDING = 0,
 	PAGE_REQUEST_IN_PROGRESS,
 	PAGE_REQUEST_COMPLETE,
+	PAGE_REQUEST_ASYNC,
 };
 
 struct vm_controller {
 	struct object vc_base;
-	/* tree of struct vm_objects bound to this controller, keyed with the
-	 * equeue_key_t specified when the object(s) were created. */
-	struct btree vc_objects;
 	/* tree of pending page requests */
 	struct btree vc_requests;
 	/* the equeue to send async page requests to */
@@ -36,7 +34,7 @@ struct page_request {
 	enum page_request_status req_status;
 	kern_status_t req_result;
 	spin_lock_t req_lock;
-	struct vm_object *req_object;
+	equeue_key_t req_object;
 	struct thread *req_sender;
 	struct btree_node req_node;
 	off_t req_offset;

include/kernel/vm-object.h

@@ -14,19 +14,25 @@ enum vm_object_flags {
 	VMO_IN_PLACE = 0x01u,
 	/* this vm-object is/was attached to a vm-controller */
 	VMO_CONTROLLER = 0x02u,
+	/* when a vm-object is attached to a controller, and the ref-count of
+	 * the object falls to one (i.e. the last reference is the handle to
+	 * the object held by the server that created it), the object will
+	 * be detached, allowing the server to close the last handle to the
+	 * object and dispose of it. */
+	VMO_AUTO_DETACH = 0x04u,
 
 	/* these flags are for use with vm_object_get_page */
 	/**************************************************/
 
 	/* if the relevant page hasn't been allocated yet, it will be allocated
 	 * and returned. if this flag isn't specified, NULL will be returned. */
-	VMO_ALLOCATE_MISSING_PAGE = 0x04u,
+	VMO_ALLOCATE_MISSING_PAGE = 0x08u,
 	/* if the vm-object is attached to a vm-controller, and the relevant
 	 * page is uncommitted, send a request to the vm-controller to provide
 	 * the missing page. will result in the vm-object being unlocked and
 	 * the current thread sleeping until the request is fulfilled. the
 	 * vm-object will be re-locked before the function returns. */
-	VMO_REQUEST_MISSING_PAGE = 0x08u,
+	VMO_REQUEST_MISSING_PAGE = 0x10u,
 };
 
 struct vm_object {

include/kernel/wait.h

@@ -40,6 +40,15 @@ extern void thread_wait_end_nosleep(
 	struct waitqueue *q);
 extern void wait_on_queue(struct waitqueue *q);
 extern void wakeup_queue(struct waitqueue *q);
+extern void wakeup_n(struct waitqueue *q, size_t n);
 extern void wakeup_one(struct waitqueue *q);
+static inline bool waitqueue_empty(struct waitqueue *wq)
+{
+	unsigned long flags;
+	spin_lock_irqsave(&wq->wq_lock, &flags);
+	bool result = queue_empty(&wq->wq_waiters);
+	spin_unlock_irqrestore(&wq->wq_lock, flags);
+	return result;
+}
 
 #endif

init/main.c

@@ -78,6 +78,7 @@ void kernel_init(uintptr_t arg)
 
 	port_type_init();
 	channel_type_init();
+	msg_init();
 
 	struct boot_module bsp_image = {0};
 	bsp_get_location(&bsp_image);

kernel/channel.c

@@ -98,11 +98,18 @@ static struct msg *get_next_msg(
 	while (cur) {
 		struct msg *msg = BTREE_CONTAINER(struct msg, msg_node, cur);
 		spin_lock_irqsave(&msg->msg_lock, lock_flags);
-		if (msg->msg_status == KMSG_WAIT_RECEIVE) {
+		switch (msg->msg_status) {
+		case KMSG_WAIT_RECEIVE:
 			msg->msg_status = KMSG_WAIT_REPLY;
 			msg->msg_sender_port->p_status = PORT_REPLY_BLOCKED;
 			channel->c_msg_waiting--;
 			return msg;
+		case KMSG_ASYNC:
+			btree_delete(&channel->c_msg, &msg->msg_node);
+			channel->c_msg_waiting--;
+			return msg;
+		default:
+			break;
 		}
 
 		spin_unlock_irqrestore(&msg->msg_lock, *lock_flags);
@@ -146,24 +153,22 @@ extern kern_status_t channel_recv_msg(
 			&channel->c_base,
 			CHANNEL_SIGNAL_MSG_RECEIVED);
 	}
-#if 0
-	wait_item_init(&waiter, self);
-	for (;;) {
-		thread_wait_begin(&waiter, &channel->c_wq);
-		msg = get_next_msg(channel, &msg_lock_flags);
-		if (msg) {
-			break;
-		}
-
-		object_unlock_irqrestore(&channel->c_base, *irq_flags);
-		schedule(SCHED_NORMAL);
-		object_lock_irqsave(&channel->c_base, irq_flags);
-	}
-	thread_wait_end(&waiter, &channel->c_wq);
-#endif
 
 	/* msg is now set to the next message to process */
 
+	if (msg->msg_type != KERN_MSG_TYPE_DATA) {
+		/* event messages as asynchronous */
+		out_msg->msg_id = msg->msg_id;
+		out_msg->msg_type = msg->msg_type;
+		out_msg->msg_event = msg->msg_event;
+		out_msg->msg_sender = msg->msg_sender_thread->tr_parent->t_id;
+		out_msg->msg_endpoint = msg->msg_sender_port->p_base.ob_id;
+		spin_unlock_irqrestore(&msg->msg_lock, msg_lock_flags);
+		msg_free(msg);
+
+		return KERN_OK;
+	}
+
 	struct task *sender = msg->msg_sender_thread->tr_parent;
 	struct task *receiver = self->tr_parent;
 
@@ -218,6 +223,7 @@ extern kern_status_t channel_recv_msg(
 	}
 
 	out_msg->msg_id = msg->msg_id;
+	out_msg->msg_type = msg->msg_type;
 	out_msg->msg_sender = msg->msg_sender_thread->tr_parent->t_id;
 	out_msg->msg_endpoint = msg->msg_sender_port->p_base.ob_id;
 

kernel/futex.c

@@ -0,0 +1,211 @@
+#include <kernel/address-space.h>
+#include <kernel/futex.h>
+#include <kernel/sched.h>
+#include <kernel/task.h>
+#include <mango/status.h>
+
+#define FUTEX_CREATE 0x40u
+
+static struct btree shared_futex_list = {0};
+static spin_lock_t shared_futex_list_lock = SPIN_LOCK_INIT;
+
+static struct vm_cache futex_cache = {
+	.c_name = "futex",
+	.c_obj_size = sizeof(struct futex),
+};
+
+BTREE_DEFINE_SIMPLE_INSERT(struct futex, f_node, f_key, put_futex)
+BTREE_DEFINE_SIMPLE_GET(struct futex, uintptr_t, f_node, f_key, get_futex)
+
+kern_status_t futex_init(void)
+{
+	vm_cache_init(&futex_cache);
+	return KERN_OK;
+}
+
+static kern_status_t get_data(
+	futex_key_t key,
+	unsigned int flags,
+	struct futex **out,
+	spin_lock_t **out_lock,
+	unsigned long *irq_flags)
+{
+	spin_lock_t *lock = NULL;
+	struct btree *futex_list = NULL;
+	if (flags & FUTEX_PRIVATE) {
+		struct task *self = current_task();
+		lock = &self->t_base.ob_lock;
+		futex_list = &self->t_futex;
+	} else if (flags & FUTEX_SHARED) {
+		lock = &shared_futex_list_lock;
+		futex_list = &shared_futex_list;
+	} else {
+		return KERN_INVALID_ARGUMENT;
+	}
+
+	spin_lock_irqsave(lock, irq_flags);
+	struct futex *futex = get_futex(futex_list, key);
+
+	if (!futex && !(flags & FUTEX_CREATE)) {
+		spin_unlock_irqrestore(lock, *irq_flags);
+		return KERN_NO_ENTRY;
+	}
+
+	futex = vm_cache_alloc(&futex_cache, VM_NORMAL);
+	if (!futex) {
+		spin_unlock_irqrestore(lock, *irq_flags);
+		return KERN_NO_MEMORY;
+	}
+
+	futex->f_key = key;
+
+	put_futex(futex_list, futex);
+
+	*out = futex;
+	*out_lock = lock;
+	return KERN_OK;
+}
+
+static kern_status_t cleanup_data(struct futex *futex, unsigned int flags)
+{
+	struct btree *futex_list = NULL;
+	if (flags & FUTEX_PRIVATE) {
+		struct task *self = current_task();
+		futex_list = &self->t_futex;
+	} else if (flags & FUTEX_SHARED) {
+		futex_list = &shared_futex_list;
+	} else {
+		return KERN_INVALID_ARGUMENT;
+	}
+
+	btree_delete(futex_list, &futex->f_node);
+	vm_cache_free(&futex_cache, futex);
+
+	return KERN_OK;
+}
+
+static kern_status_t futex_get_shared(kern_futex_t *futex, futex_key_t *out)
+{
+	struct task *self = current_task();
+	struct address_space *space = self->t_address_space;
+
+	unsigned long flags;
+	address_space_lock_irqsave(space, &flags);
+	kern_status_t status = address_space_translate(
+		space,
+		(virt_addr_t)futex,
+		out,
+		&flags);
+	address_space_unlock_irqrestore(space, flags);
+	return status;
+}
+
+static kern_status_t futex_get_private(kern_futex_t *futex, futex_key_t *out)
+{
+	*out = (futex_key_t)futex;
+	return KERN_OK;
+}
+
+kern_status_t futex_get(
+	kern_futex_t *futex,
+	futex_key_t *out,
+	unsigned int flags)
+{
+	if (flags & FUTEX_PRIVATE) {
+		return futex_get_private(futex, out);
+	}
+
+	if (flags & FUTEX_SHARED) {
+		return futex_get_shared(futex, out);
+	}
+
+	return KERN_INVALID_ARGUMENT;
+}
+
+static kern_status_t futex_read(
+	struct futex *futex,
+	unsigned int flags,
+	kern_futex_t *out)
+{
+	if (flags & FUTEX_PRIVATE) {
+		virt_addr_t addr = futex->f_key;
+		*out = *(kern_futex_t *)addr;
+		return KERN_OK;
+	}
+
+	if (flags & FUTEX_SHARED) {
+		phys_addr_t paddr = futex->f_key;
+		virt_addr_t vaddr = (virt_addr_t)vm_phys_to_virt(paddr);
+		if (!vaddr) {
+			return KERN_MEMORY_FAULT;
+		}
+
+		*out = *(kern_futex_t *)vaddr;
+		return KERN_OK;
+	}
+
+	return KERN_INVALID_ARGUMENT;
+}
+
+kern_status_t futex_wait(
+	futex_key_t key,
+	kern_futex_t new_val,
+	unsigned int flags)
+{
+	spin_lock_t *lock = NULL;
+	unsigned long irq_flags = 0;
+	struct futex *futex = NULL;
+	kern_status_t status = get_data(key, flags, &futex, &lock, &irq_flags);
+	if (status != KERN_OK) {
+		return status;
+	}
+
+	kern_futex_t current_val = 0;
+	status = futex_read(futex, flags, &current_val);
+	if (status != KERN_OK) {
+		spin_unlock_irqrestore(lock, irq_flags);
+		return status;
+	}
+
+	if (current_val != new_val) {
+		spin_unlock_irqrestore(lock, irq_flags);
+		return KERN_BAD_STATE;
+	}
+
+	struct wait_item waiter;
+	thread_wait_begin(&waiter, &futex->f_waiters);
+	spin_unlock_irqrestore(lock, irq_flags);
+
+	schedule(SCHED_NORMAL);
+
+	spin_lock_irqsave(lock, &irq_flags);
+	thread_wait_end(&waiter, &futex->f_waiters);
+
+	if (waitqueue_empty(&futex->f_waiters)) {
+		cleanup_data(futex, flags);
+	}
+
+	spin_unlock_irqrestore(lock, irq_flags);
+
+	return KERN_OK;
+}
+
+kern_status_t futex_wake(futex_key_t key, size_t nwaiters, unsigned int flags)
+{
+	spin_lock_t *lock = NULL;
+	unsigned long irq_flags = 0;
+	struct futex *futex = NULL;
+	kern_status_t status = get_data(key, flags, &futex, &lock, &irq_flags);
+	if (status != KERN_OK) {
+		return status;
+	}
+
+	if (nwaiters == FUTEX_WAKE_ALL) {
+		wakeup_queue(&futex->f_waiters);
+	} else {
+		wakeup_n(&futex->f_waiters, nwaiters);
+	}
+
+	spin_unlock_irqrestore(lock, irq_flags);
+	return KERN_OK;
+}

kernel/handle.c

@@ -12,7 +12,7 @@
 #define RESERVED_HANDLES 64
 
 static struct vm_cache handle_table_cache = {
-	.c_name = "handle_table",
+	.c_name = "handle-table",
 	.c_obj_size = sizeof(struct handle_table),
 };
 
@@ -33,8 +33,48 @@ struct handle_table *handle_table_create(void)
 	return out;
 }
 
+static void do_handle_table_destroy_leaf(struct handle_table *tab)
+{
+	while (1) {
+		unsigned int index = bitmap_lowest_set(
+			tab->t_handles.t_handle_map,
+			HANDLES_PER_TABLE);
+		if (index == BITMAP_NPOS) {
+			break;
+		}
+
+		struct handle *child = &tab->t_handles.t_handle_list[index];
+		bitmap_clear(tab->t_subtables.t_subtable_map, index);
+		if (child->h_object) {
+			object_unref(child->h_object);
+			child->h_object = NULL;
+		}
+	}
+}
+
+static void do_handle_table_destroy(
+	struct handle_table *tab,
+	unsigned int depth)
+{
+	if (depth == MAX_TABLE_DEPTH - 1) {
+		do_handle_table_destroy_leaf(tab);
+		return;
+	}
+
+	for (size_t i = 0; i < REFS_PER_TABLE; i++) {
+		struct handle_table *child
+			= tab->t_subtables.t_subtable_list[i];
+		if (child) {
+			do_handle_table_destroy(child, depth + 1);
+		}
+	}
+
+	vm_cache_free(&handle_table_cache, tab);
+}
+
 void handle_table_destroy(struct handle_table *tab)
 {
+	do_handle_table_destroy(tab, 0);
 }
 
 static kern_status_t decode_handle_indices(
@@ -155,7 +195,7 @@ kern_status_t handle_table_free_handle(
 		= &tab->t_handles.t_handle_list[handle_index];
 
 	if (handle_entry->h_object) {
-		object_remove_handle(handle_entry->h_object);
+		object_unref(handle_entry->h_object);
 	}
 
 	memset(handle_entry, 0x0, sizeof *handle_entry);
@@ -267,7 +307,7 @@ kern_status_t handle_table_transfer(
 
 			dst_entry->h_object = src_entry->h_object;
 			dst_entry->h_flags = src_entry->h_flags;
-			object_add_handle(dst_entry->h_object);
+			object_ref(dst_entry->h_object);
 
 			handle_table_free_handle(src, src_handles[i].hnd_value);
 
@@ -286,7 +326,7 @@ kern_status_t handle_table_transfer(
 
 			dst_entry->h_object = src_entry->h_object;
 			dst_entry->h_flags = src_entry->h_flags;
-			object_add_handle(dst_entry->h_object);
+			object_ref(dst_entry->h_object);
 
 			dst_handle.hnd_mode = src_handles[i].hnd_mode;
 			dst_handle.hnd_value = dst_value;
@@ -331,7 +371,7 @@ kern_status_t handle_table_transfer(
 		struct handle *src_entry
 			= handle_table_get_handle(src, handle.hnd_value);
 		if (src_entry) {
-			object_remove_handle(src_entry->h_object);
+			object_unref(src_entry->h_object);
 			handle_table_free_handle(src, handle.hnd_value);
 		}
 	}

kernel/msg.c

@@ -0,0 +1,22 @@
+#include <kernel/msg.h>
+#include <kernel/vm.h>
+
+static struct vm_cache msg_cache = {
+	.c_name = "msg",
+	.c_obj_size = sizeof(struct msg),
+};
+
+void msg_init(void)
+{
+	vm_cache_init(&msg_cache);
+}
+
+struct msg *msg_alloc(void)
+{
+	return vm_cache_alloc(&msg_cache, VM_NORMAL);
+}
+
+void msg_free(struct msg *msg)
+{
+	vm_cache_free(&msg_cache, msg);
+}

kernel/object.c

@@ -74,90 +74,28 @@ struct object *object_create(struct object_type *type)
 	obj->ob_lock = SPIN_LOCK_INIT;
 	obj->ob_magic = OBJECT_MAGIC;
 	obj->ob_refcount = 1;
-	obj->ob_handles = 0;
 
 	return obj;
 }
 
 struct object *object_ref(struct object *obj)
 {
-	obj->ob_refcount++;
+	atomic_add_fetch(&obj->ob_refcount, 1);
 	return obj;
 }
 
-static void __cleanup(struct object *obj, struct queue *queue)
-{
-	if (HAS_OP(obj, destroy)) {
-		obj->ob_type->ob_ops.destroy(obj, queue);
-	}
-
-	vm_cache_free(&obj->ob_type->ob_cache, obj);
-}
-
-static void object_cleanup(struct object *obj, unsigned long flags)
-{
-	if (obj->ob_refcount > 0 || obj->ob_handles > 0) {
-		spin_unlock_irqrestore(&obj->ob_lock, flags);
-		return;
-	}
-
-	struct queue queue = QUEUE_INIT;
-	__cleanup(obj, &queue);
-
-	if (!HAS_OP(obj, destroy_recurse)) {
-		return;
-	}
-
-	while (!queue_empty(&queue)) {
-		struct queue_entry *entry = queue_pop_front(&queue);
-		struct object *child = NULL;
-		obj->ob_type->ob_ops.destroy_recurse(entry, &child);
-		if (!child) {
-			continue;
-		}
-
-		if (child->ob_refcount > 1) {
-			child->ob_refcount--;
-			continue;
-		}
-
-		if (child->ob_refcount == 0 && child->ob_handles == 0) {
-			__cleanup(child, &queue);
-		}
-	}
-}
-
 void object_unref(struct object *obj)
 {
-	unsigned long flags;
+	int ref = atomic_sub_fetch(&obj->ob_refcount, 1);
-	spin_lock_irqsave(&obj->ob_lock, &flags);
+	if (ref > 0) {
-
-	if (obj->ob_refcount == 0) {
-		spin_unlock_irqrestore(&obj->ob_lock, flags);
 		return;
 	}
 
-	obj->ob_refcount--;
+	if (HAS_OP(obj, destroy)) {
-	object_cleanup(obj, flags);
+		obj->ob_type->ob_ops.destroy(obj);
-}
-
-void object_add_handle(struct object *obj)
-{
-	obj->ob_handles++;
-}
-
-void object_remove_handle(struct object *obj)
-{
-	unsigned long flags;
-	spin_lock_irqsave(&obj->ob_lock, &flags);
-
-	if (obj->ob_handles == 0) {
-		spin_unlock_irqrestore(&obj->ob_lock, flags);
-		return;
 	}
 
-	obj->ob_handles--;
+	vm_cache_free(&obj->ob_type->ob_cache, obj);
-	object_cleanup(obj, flags);
 }
 
 void object_lock(struct object *obj)

kernel/port.c

@@ -1,16 +1,29 @@
 #include <kernel/channel.h>
 #include <kernel/port.h>
+#include <kernel/printk.h>
 #include <kernel/thread.h>
 #include <kernel/util.h>
 
 #define PORT_CAST(p) OBJECT_C_CAST(struct port, p_base, &port_type, p)
 
+static kern_status_t port_cleanup(struct object *obj);
+
 static struct object_type port_type = {
 	.ob_name = "port",
 	.ob_size = sizeof(struct port),
 	.ob_header_offset = offsetof(struct port, p_base),
+	.ob_ops = {
+		.destroy = port_cleanup,
+	},
 };
 
+static kern_status_t port_cleanup(struct object *obj)
+{
+	struct port *port = PORT_CAST(obj);
+	port_disconnect(port);
+	return KERN_OK;
+}
+
 kern_status_t port_type_init(void)
 {
 	return object_type_register(&port_type);
@@ -58,9 +71,26 @@ struct port *port_create(void)
 kern_status_t port_connect(struct port *port, struct channel *remote)
 {
 	if (port->p_status != PORT_OFFLINE) {
+		tracek("port_connect: port in bad state (%d)", port->p_status);
 		return KERN_BAD_STATE;
 	}
 
+	struct msg *msg = msg_alloc();
+	if (!msg) {
+		return KERN_NO_MEMORY;
+	}
+
+	msg->msg_status = KMSG_ASYNC;
+	msg->msg_type = KERN_MSG_TYPE_EVENT;
+	msg->msg_event = KERN_MSG_EVENT_CONNECTION;
+	msg->msg_sender_thread = current_thread();
+	msg->msg_sender_port = port;
+
+	unsigned long flags;
+	channel_lock_irqsave(remote, &flags);
+	channel_enqueue_msg(remote, msg);
+	channel_unlock_irqrestore(remote, flags);
+
 	port->p_remote = remote;
 	port->p_status = PORT_READY;
 	return KERN_OK;
@@ -69,9 +99,27 @@ kern_status_t port_connect(struct port *port, struct channel *remote)
 kern_status_t port_disconnect(struct port *port)
 {
 	if (port->p_status != PORT_READY) {
+		tracek("port_disconnect: port in bad state (%d)",
+		       port->p_status);
 		return KERN_BAD_STATE;
 	}
 
+	struct msg *msg = msg_alloc();
+	if (!msg) {
+		return KERN_NO_MEMORY;
+	}
+
+	msg->msg_status = KMSG_ASYNC;
+	msg->msg_type = KERN_MSG_TYPE_EVENT;
+	msg->msg_event = KERN_MSG_EVENT_DISCONNECTION;
+	msg->msg_sender_thread = current_thread();
+	msg->msg_sender_port = port;
+
+	unsigned long flags;
+	channel_lock_irqsave(port->p_remote, &flags);
+	channel_enqueue_msg(port->p_remote, msg);
+	channel_unlock_irqrestore(port->p_remote, flags);
+
 	port->p_remote = NULL;
 	port->p_status = PORT_OFFLINE;
 	return KERN_OK;
@@ -84,29 +132,31 @@ kern_status_t port_send_msg(
 	unsigned long *lock_flags)
 {
 	if (port->p_status != PORT_READY) {
+		tracek("port_send_msg: port in bad state (%d)", port->p_status);
 		return KERN_BAD_STATE;
 	}
 
 	struct thread *self = current_thread();
-	struct msg *msg = &self->tr_msg;
+	struct msg msg;
-	memset(msg, 0x0, sizeof *msg);
+	memset(&msg, 0x0, sizeof msg);
-	msg->msg_status = KMSG_WAIT_RECEIVE;
+	msg.msg_type = KERN_MSG_TYPE_DATA;
-	msg->msg_sender_thread = self;
+	msg.msg_status = KMSG_WAIT_RECEIVE;
-	msg->msg_sender_port = port;
+	msg.msg_sender_thread = self;
-	memcpy(&msg->msg_req, in_msg, sizeof msg->msg_req);
+	msg.msg_sender_port = port;
-	memcpy(&msg->msg_resp, out_reply, sizeof msg->msg_req);
+	memcpy(&msg.msg_req, in_msg, sizeof msg.msg_req);
+	memcpy(&msg.msg_resp, out_reply, sizeof msg.msg_req);
 
 	unsigned long flags;
 	channel_lock_irqsave(port->p_remote, &flags);
 	port->p_status = PORT_SEND_BLOCKED;
-	channel_enqueue_msg(port->p_remote, msg);
+	channel_enqueue_msg(port->p_remote, &msg);
 	channel_unlock_irqrestore(port->p_remote, flags);
 
-	wait_for_reply(msg, lock_flags);
+	wait_for_reply(&msg, lock_flags);
 
 	channel_lock_irqsave(port->p_remote, &flags);
-	btree_delete(&port->p_remote->c_msg, &msg->msg_node);
+	btree_delete(&port->p_remote->c_msg, &msg.msg_node);
 	channel_unlock_irqrestore(port->p_remote, flags);
 
-	return msg->msg_result;
+	return msg.msg_result;
 }

libmango/CMakeLists.txt

@@ -1,7 +1,6 @@
 file(GLOB headers ${CMAKE_CURRENT_SOURCE_DIR}/include/mango/*.h)
 file(GLOB asm_sources
 	${CMAKE_CURRENT_SOURCE_DIR}/arch/${CMAKE_SYSTEM_PROCESSOR}/*.S)
-set_property(SOURCE ${asm_sources} PROPERTY LANGUAGE C)
 
 set(public_include_dirs
 	${CMAKE_CURRENT_SOURCE_DIR}/include

libmango/arch/x86_64/syscall.S

@@ -56,12 +56,18 @@
 .endm
 
 SYSCALL_GATE task_exit SYS_TASK_EXIT 1
-SYSCALL_GATE task_self SYS_TASK_SELF 0
+SYSCALL_GATE task_self SYS_TASK_SELF 1
 SYSCALL_GATE task_create SYS_TASK_CREATE 5
 SYSCALL_GATE task_create_thread SYS_TASK_CREATE_THREAD 6
 SYSCALL_GATE task_get_address_space SYS_TASK_GET_ADDRESS_SPACE 1
+SYSCALL_GATE task_config_get SYS_TASK_CONFIG_GET 4
+SYSCALL_GATE task_config_set SYS_TASK_CONFIG_SET 4
 
+SYSCALL_GATE thread_self SYS_THREAD_SELF 1
 SYSCALL_GATE thread_start SYS_THREAD_START 1
+SYSCALL_GATE thread_exit SYS_THREAD_EXIT 0
+SYSCALL_GATE thread_config_get SYS_THREAD_CONFIG_GET 4
+SYSCALL_GATE thread_config_set SYS_THREAD_CONFIG_SET 4
 
 SYSCALL_GATE vm_object_create SYS_VM_OBJECT_CREATE 5
 SYSCALL_GATE vm_object_read SYS_VM_OBJECT_READ 5
@@ -100,3 +106,6 @@ SYSCALL_GATE vm_controller_supply_pages SYS_VM_CONTROLLER_SUPPLY_PAGES 6
 
 SYSCALL_GATE kern_object_wait SYS_KERN_OBJECT_WAIT 2
 
+SYSCALL_GATE futex_wait SYS_FUTEX_WAIT 3
+SYSCALL_GATE futex_wake SYS_FUTEX_WAKE 3
+

libmango/include-user/mango/futex.h

@@ -0,0 +1,16 @@
+#ifndef MANGO_FUTEX_H_
+#define MANGO_FUTEX_H_
+
+#include <mango/status.h>
+#include <mango/types.h>
+
+extern kern_status_t futex_wait(
+	kern_futex_t *futex,
+	kern_futex_t new_val,
+	unsigned int flags);
+extern kern_status_t futex_wake(
+	kern_futex_t *futex,
+	unsigned int nr_waiters,
+	unsigned int flags);
+
+#endif

libmango/include-user/mango/task.h

@@ -23,7 +23,29 @@ extern kern_status_t task_create_thread(
 extern kern_status_t task_get_address_space(
 	kern_handle_t task,
 	kern_handle_t *out);
+extern kern_status_t task_config_get(
+	kern_handle_t task,
+	kern_config_key_t key,
+	void *ptr,
+	size_t len);
+extern kern_status_t task_config_set(
+	kern_handle_t task,
+	kern_config_key_t key,
+	const void *ptr,
+	size_t len);
 
+extern kern_status_t thread_self(kern_handle_t *out);
 extern kern_status_t thread_start(kern_handle_t thread);
+extern kern_status_t thread_exit(void);
+extern kern_status_t thread_config_get(
+	kern_handle_t thread,
+	kern_config_key_t key,
+	void *ptr,
+	size_t len);
+extern kern_status_t thread_config_set(
+	kern_handle_t thread,
+	kern_config_key_t key,
+	const void *ptr,
+	size_t len);
 
 #endif

libmango/include/mango/signal.h

@@ -1,6 +1,8 @@
 #ifndef MANGO_SIGNAL_H_
 #define MANGO_SIGNAL_H_
 
+#define THREAD_SIGNAL_STOPPED                 0x01u
+
 #define CHANNEL_SIGNAL_MSG_RECEIVED           0x01u
 
 #define VM_CONTROLLER_SIGNAL_REQUEST_RECEIVED 0x01u

libmango/include/mango/syscall.h

@@ -1,45 +1,53 @@
 #ifndef MANGO_SYSCALL_H_
 #define MANGO_SYSCALL_H_
 
-#define SYS_KERN_LOG                    0x00u
+#define SYS_KERN_LOG                    1
-#define SYS_KERN_HANDLE_CLOSE           0x01u
+#define SYS_KERN_HANDLE_CLOSE           2
-#define SYS_KERN_HANDLE_DUPLICATE       0x02u
+#define SYS_KERN_HANDLE_DUPLICATE       3
-#define SYS_KERN_CONFIG_GET             0x03u
+#define SYS_KERN_CONFIG_GET             4
-#define SYS_KERN_CONFIG_SET             0x04u
+#define SYS_KERN_CONFIG_SET             5
-#define SYS_KERN_OBJECT_WAIT            0x05u
+#define SYS_KERN_OBJECT_WAIT            6
-#define SYS_KERN_OBJECT_WAIT_ASYNC      0x06u
+#define SYS_KERN_OBJECT_WAIT_ASYNC      7
-#define SYS_TASK_EXIT                   0x07u
+#define SYS_TASK_EXIT                   8
-#define SYS_TASK_SELF                   0x08u
+#define SYS_TASK_SELF                   9
-#define SYS_TASK_CREATE                 0x09u
+#define SYS_TASK_CREATE                 10
-#define SYS_TASK_CREATE_THREAD          0x0Au
+#define SYS_TASK_CREATE_THREAD          11
-#define SYS_TASK_GET_ADDRESS_SPACE      0x0Bu
+#define SYS_TASK_GET_ADDRESS_SPACE      12
-#define SYS_THREAD_START                0x0Cu
+#define SYS_TASK_CONFIG_GET             13
-#define SYS_VM_OBJECT_CREATE            0x0Du
+#define SYS_TASK_CONFIG_SET             14
-#define SYS_VM_OBJECT_READ              0x0Eu
+#define SYS_THREAD_SELF                 15
-#define SYS_VM_OBJECT_WRITE             0x0Fu
+#define SYS_THREAD_START                16
-#define SYS_VM_OBJECT_COPY              0x10u
+#define SYS_THREAD_EXIT                 17
-#define SYS_ADDRESS_SPACE_READ          0x11u
+#define SYS_THREAD_CONFIG_GET           18
-#define SYS_ADDRESS_SPACE_WRITE         0x12u
+#define SYS_THREAD_CONFIG_SET           19
-#define SYS_ADDRESS_SPACE_MAP           0x13u
+#define SYS_VM_OBJECT_CREATE            20
-#define SYS_ADDRESS_SPACE_UNMAP         0x14u
+#define SYS_VM_OBJECT_READ              21
-#define SYS_ADDRESS_SPACE_RESERVE       0x15u
+#define SYS_VM_OBJECT_WRITE             22
-#define SYS_ADDRESS_SPACE_RELEASE       0x16u
+#define SYS_VM_OBJECT_COPY              23
-#define SYS_MSG_SEND                    0x17u
+#define SYS_ADDRESS_SPACE_READ          24
-#define SYS_MSG_RECV                    0x18u
+#define SYS_ADDRESS_SPACE_WRITE         25
-#define SYS_MSG_REPLY                   0x19u
+#define SYS_ADDRESS_SPACE_MAP           26
-#define SYS_MSG_READ                    0x1Au
+#define SYS_ADDRESS_SPACE_UNMAP         27
-#define SYS_MSG_WRITE                   0x1Bu
+#define SYS_ADDRESS_SPACE_RESERVE       28
-#define SYS_CHANNEL_CREATE              0x1Cu
+#define SYS_ADDRESS_SPACE_RELEASE       29
-#define SYS_PORT_CREATE                 0x1Du
+#define SYS_MSG_SEND                    30
-#define SYS_PORT_CONNECT                0x1Eu
+#define SYS_MSG_RECV                    31
-#define SYS_PORT_DISCONNECT             0x1Fu
+#define SYS_MSG_REPLY                   32
-#define SYS_EQUEUE_CREATE               0x20u
+#define SYS_MSG_READ                    33
-#define SYS_EQUEUE_DEQUEUE              0x21u
+#define SYS_MSG_WRITE                   34
-#define SYS_VM_CONTROLLER_CREATE        0x22u
+#define SYS_CHANNEL_CREATE              35
-#define SYS_VM_CONTROLLER_RECV          0x23u
+#define SYS_PORT_CREATE                 36
-#define SYS_VM_CONTROLLER_RECV_ASYNC    0x24u
+#define SYS_PORT_CONNECT                37
-#define SYS_VM_CONTROLLER_CREATE_OBJECT 0x25u
+#define SYS_PORT_DISCONNECT             38
-#define SYS_VM_CONTROLLER_DETACH_OBJECT 0x26u
+#define SYS_EQUEUE_CREATE               39
-#define SYS_VM_CONTROLLER_SUPPLY_PAGES  0x27u
+#define SYS_EQUEUE_DEQUEUE              40
+#define SYS_VM_CONTROLLER_CREATE        41
+#define SYS_VM_CONTROLLER_RECV          42
+#define SYS_VM_CONTROLLER_RECV_ASYNC    43
+#define SYS_VM_CONTROLLER_CREATE_OBJECT 44
+#define SYS_VM_CONTROLLER_DETACH_OBJECT 45
+#define SYS_VM_CONTROLLER_SUPPLY_PAGES  46
+#define SYS_FUTEX_WAIT                  47
+#define SYS_FUTEX_WAKE                  48
 
 #endif

libmango/include/mango/types.h

@@ -4,45 +4,71 @@
 #include <stddef.h>
 #include <stdint.h>
 
-#define VM_PROT_READ            0x01u
+#define VM_PROT_READ                 0x01u
-#define VM_PROT_WRITE           0x02u
+#define VM_PROT_WRITE                0x02u
-#define VM_PROT_EXEC            0x04u
+#define VM_PROT_EXEC                 0x04u
-#define VM_PROT_USER            0x08u
+#define VM_PROT_USER                 0x08u
-#define VM_PROT_SVR             0x10u
+#define VM_PROT_SVR                  0x10u
-#define VM_PROT_NOCACHE         0x10u
+#define VM_PROT_NOCACHE              0x10u
-#define VM_PROT_MAP_SPECIFIC    0x40u
+#define VM_PROT_MAP_SPECIFIC         0x40u
 
-#define MAP_ADDRESS_ANY         ((virt_addr_t) - 1)
+#define MAP_ADDRESS_ANY              ((virt_addr_t) - 1)
-#define MAP_ADDRESS_INVALID     ((virt_addr_t)0)
+#define MAP_ADDRESS_INVALID          ((virt_addr_t)0)
-#define KERN_HANDLE_INVALID     ((kern_handle_t)0xFFFFFFFF)
+#define KERN_HANDLE_INVALID          ((kern_handle_t)0xFFFFFFFF)
 
-#define KERN_CFG_INVALID        0x00u
+/* config keys for use with kern_config_get/kern_config_set */
-#define KERN_CFG_PAGE_SIZE      0x01u
+#define KERN_CFG_INVALID             0x00000u
+#define KERN_CFG_PAGE_SIZE           0x00001u
+
+/* config keys for use with task_config_get/task_config_set */
+#define TASK_CFG_INVALID             0x00000u
+
+/* config keys for use with thread_config_get/thread_config_set */
+#define THREAD_CFG_INVALID           0x00000u
+#define THREAD_CFG_FSBASE            0x20001u
+#define THREAD_CFG_GSBASE            0x20002u
 
 /* maximum number of handles that can be sent in a single message */
-#define KERN_MSG_MAX_HANDLES    64
+#define KERN_MSG_MAX_HANDLES         64
 
 /* the corresponding handle should be ignored */
-#define KERN_MSG_HANDLE_IGNORE  0
+#define KERN_MSG_HANDLE_IGNORE       0
 /* the corresponding handle should be moved to the recipient task. the handle
  * will be closed. */
-#define KERN_MSG_HANDLE_MOVE    1
+#define KERN_MSG_HANDLE_MOVE         1
 /* the corresponding handle should be copied to the recipient task. the handle
  * will remain valid for the sending task. */
-#define KERN_MSG_HANDLE_COPY    2
+#define KERN_MSG_HANDLE_COPY         2
 
 /* maximum number of objects that can be waited on in a single call to
  * kern_object_wait */
-#define KERN_WAIT_MAX_ITEMS     64
+#define KERN_WAIT_MAX_ITEMS          64
+
+/* message types */
+#define KERN_MSG_TYPE_NONE           0
+#define KERN_MSG_TYPE_DATA           1
+#define KERN_MSG_TYPE_EVENT          2
+
+/* event message types */
+#define KERN_MSG_EVENT_NONE          0
+#define KERN_MSG_EVENT_CONNECTION    1
+#define KERN_MSG_EVENT_DISCONNECTION 2
 
 /* equeue packet types */
-#define EQUEUE_PKT_PAGE_REQUEST 0x01u
+#define EQUEUE_PKT_PAGE_REQUEST      0x01u
-#define EQUEUE_PKT_ASYNC_SIGNAL 0x02u
+#define EQUEUE_PKT_ASYNC_SIGNAL      0x02u
 
 /* page request types */
-#define PAGE_REQUEST_READ       0x01u
+#define PAGE_REQUEST_READ            0x01u
-#define PAGE_REQUEST_DIRTY      0x02u
+#define PAGE_REQUEST_DIRTY           0x02u
-#define PAGE_REQUEST_DETACH     0x03u
+#define PAGE_REQUEST_DETACH          0x03u
+
+/* futex special values */
+#define FUTEX_WAKE_ALL               ((size_t)-1)
+
+/* futex flags */
+#define FUTEX_PRIVATE                0x01u
+#define FUTEX_SHARED                 0x02u
 
 #define IOVEC(p, len)                                                          \
 	{                                                                      \
@@ -75,6 +101,9 @@ typedef uint32_t kern_handle_t;
 typedef uint32_t kern_config_key_t;
 typedef uint32_t vm_prot_t;
 typedef int64_t ssize_t;
+typedef uint32_t kern_futex_t;
+typedef uint32_t kern_msg_type_t;
+typedef uint32_t kern_msg_event_type_t;
 
 typedef unsigned short equeue_packet_type_t;
 
@@ -105,14 +134,27 @@ typedef struct {
 	tid_t msg_sender;
 	/* the id of the port or channel used to send a particular message. */
 	koid_t msg_endpoint;
-	/* a list of iovecs that point to the buffers that make up the main
+	/* the message type */
-	 * message data. */
+	kern_msg_type_t msg_type;
-	kern_iovec_t *msg_data;
+
-	size_t msg_data_count;
+	union {
-	/* a list of handle entries that contain the kernel handles included
+		/* msg_type = KERN_MSG_TYPE_DATA */
-	 * in a message. */
+		struct {
-	kern_msg_handle_t *msg_handles;
+			/* a list of iovecs that point to the buffers that make
-	size_t msg_handles_count;
+			 * up the main message data. */
+			kern_iovec_t *msg_data;
+			size_t msg_data_count;
+			/* a list of handle entries that contain the kernel
+			 * handles included in a message. */
+			kern_msg_handle_t *msg_handles;
+			size_t msg_handles_count;
+		};
+
+		/* msg_type = KERN_MSG_TYPE_EVENT */
+		struct {
+			kern_msg_event_type_t msg_event;
+		};
+	};
 } kern_msg_t;
 
 typedef struct {

sched/core.c

@@ -123,8 +123,16 @@ void __schedule(enum sched_mode mode)
 
 	enum thread_state prev_state = READ_ONCE(prev->tr_state);
 
-	if ((mode == SCHED_IRQ || prev_state == THREAD_READY)
+	bool reschedule = false;
-	    && prev != rq->rq_idle) {
+	if (prev_state == THREAD_READY || mode == SCHED_IRQ) {
+		reschedule = true;
+	}
+
+	if (prev == rq->rq_idle || prev_state == THREAD_STOPPED) {
+		reschedule = false;
+	}
+
+	if (reschedule) {
 		rq_enqueue(rq, prev);
 	}
 

sched/task.c

@@ -222,13 +222,13 @@ kern_status_t task_add_channel(
 {
 	channel->c_id = id;
 
-	if (!task->b_channels.b_root) {
+	if (!task->t_channels.b_root) {
-		task->b_channels.b_root = &channel->c_node;
+		task->t_channels.b_root = &channel->c_node;
-		btree_insert_fixup(&task->b_channels, &channel->c_node);
+		btree_insert_fixup(&task->t_channels, &channel->c_node);
 		return KERN_OK;
 	}
 
-	struct btree_node *cur = task->b_channels.b_root;
+	struct btree_node *cur = task->t_channels.b_root;
 	while (1) {
 		struct channel *cur_node
 			= BTREE_CONTAINER(struct channel, c_node, cur);
@@ -255,7 +255,7 @@ kern_status_t task_add_channel(
 		cur = next;
 	}
 
-	btree_insert_fixup(&task->b_channels, &channel->c_node);
+	btree_insert_fixup(&task->t_channels, &channel->c_node);
 	return KERN_OK;
 }
 
@@ -268,7 +268,7 @@ BTREE_DEFINE_SIMPLE_GET(
 
 struct channel *task_get_channel(struct task *task, unsigned int id)
 {
-	return get_channel_with_id(&task->b_channels, id);
+	return get_channel_with_id(&task->t_channels, id);
 }
 
 struct task *task_from_tid(tid_t id)
@@ -280,6 +280,71 @@ struct task *task_from_tid(tid_t id)
 	return t;
 }
 
+void task_exit(int status)
+{
+	struct task *self = current_task();
+	unsigned long flags;
+	task_lock_irqsave(self, &flags);
+	struct task *parent = self->t_parent;
+
+	if (parent) {
+		task_unlock_irqrestore(self, flags);
+		task_lock_irqsave(parent, &flags);
+		task_lock(self);
+		queue_delete(&parent->t_children, &self->t_child_entry);
+		task_unlock(parent);
+	}
+
+	struct thread *cur_thread = current_thread();
+
+	self->t_state = TASK_STOPPED;
+	cur_thread->tr_state = THREAD_STOPPED;
+
+	struct queue_entry *cur = queue_first(&self->t_threads);
+	while (cur) {
+		struct queue_entry *next = queue_next(cur);
+		struct thread *thread
+			= QUEUE_CONTAINER(struct thread, tr_parent_entry, cur);
+
+		if (thread == cur_thread) {
+			cur = next;
+			continue;
+		}
+
+		thread_lock(thread);
+		thread_kill(thread);
+		queue_delete(&self->t_threads, cur);
+		thread_unlock(thread);
+
+		cur = next;
+	}
+
+	object_unref(&self->t_address_space->s_base);
+	spin_lock_t *handles_lock = &self->t_handles_lock;
+	struct handle_table *handles = self->t_handles;
+	spin_lock(&self->t_handles_lock);
+
+	pmap_switch(get_kernel_pmap());
+	pmap_destroy(self->t_pmap);
+
+	task_unlock(self);
+	handle_table_destroy(handles);
+
+	tracek("thread %s[%u.%u] killed",
+	       self->t_name,
+	       self->t_id,
+	       cur_thread->tr_id);
+	tracek("task %s[%u] killed (%u)",
+	       self->t_name,
+	       self->t_id,
+	       self->t_base.ob_refcount);
+	spin_unlock_irqrestore(handles_lock, flags);
+
+	while (1) {
+		schedule(SCHED_NORMAL);
+	}
+}
+
 kern_status_t task_open_handle(
 	struct task *task,
 	struct object *obj,
@@ -293,7 +358,7 @@ kern_status_t task_open_handle(
 		return status;
 	}
 
-	object_add_handle(obj);
+	object_ref(obj);
 	handle_data->h_object = obj;
 	handle_data->h_flags = flags;
 

sched/thread.c

@@ -2,15 +2,17 @@
 #include <kernel/cpu.h>
 #include <kernel/machine/thread.h>
 #include <kernel/object.h>
+#include <kernel/printk.h>
 #include <kernel/task.h>
 #include <kernel/thread.h>
+#include <mango/signal.h>
 
-#define THREAD_CAST(p) OBJECT_C_CAST(struct thread, thr_base, &thread_type, p)
+#define THREAD_CAST(p) OBJECT_C_CAST(struct thread, tr_base, &thread_type, p)
 
 static struct object_type thread_type = {
 	.ob_name = "thread",
 	.ob_size = sizeof(struct thread),
-	.ob_header_offset = offsetof(struct thread, thr_base),
+	.ob_header_offset = offsetof(struct thread, tr_base),
 };
 
 kern_status_t thread_object_type_init(void)
@@ -63,9 +65,6 @@ kern_status_t thread_init_user(
 	const uintptr_t *args,
 	size_t nr_args)
 {
-	thr->tr_id = thr->tr_parent->t_next_thread_id++;
-
-	thr->tr_prio = PRIO_NORMAL;
 	thr->tr_state = THREAD_READY;
 	thr->tr_quantum_target = default_quantum();
 
@@ -142,6 +141,55 @@ void thread_awaken(struct thread *thr)
 	rq_unlock(rq, flags);
 }
 
+void thread_exit(void)
+{
+	struct thread *self = current_thread();
+	unsigned long flags;
+	thread_lock_irqsave(self, &flags);
+	self->tr_state = THREAD_STOPPED;
+	object_assert_signal(&self->tr_base, THREAD_SIGNAL_STOPPED);
+	tracek("thread %s[%u.%u] exited",
+	       self->tr_parent->t_name,
+	       self->tr_parent->t_id,
+	       self->tr_id);
+	thread_unlock_irqrestore(self, flags);
+
+	while (1) {
+		schedule(SCHED_NORMAL);
+	}
+}
+
+void thread_join(struct thread *thread, unsigned long *irq_flags)
+{
+	while (1) {
+		if (thread->tr_state == THREAD_STOPPED) {
+			break;
+		}
+
+		object_wait_signal(
+			&thread->tr_base,
+			THREAD_SIGNAL_STOPPED,
+			irq_flags);
+	}
+}
+
+void thread_kill(struct thread *thread)
+{
+	thread->tr_state = THREAD_STOPPED;
+	if (thread->tr_rq) {
+		unsigned long flags;
+		rq_lock(thread->tr_rq, &flags);
+		rq_remove_thread(thread->tr_rq, thread);
+		rq_unlock(thread->tr_rq, flags);
+	}
+
+	object_assert_signal(&thread->tr_base, THREAD_SIGNAL_STOPPED);
+	tracek("thread %s[%u.%u] killed",
+	       thread->tr_parent->t_name,
+	       thread->tr_parent->t_id,
+	       thread->tr_id);
+}
+
 struct thread *create_kernel_thread(void (*fn)(void))
 {
 	struct task *kernel = kernel_task();
@@ -185,3 +233,31 @@ struct thread *create_idle_thread(void)
 
 	return thr;
 }
+
+kern_status_t thread_config_get(
+	struct thread *thread,
+	kern_config_key_t key,
+	void *out,
+	size_t max)
+{
+	switch (key) {
+	default:
+		break;
+	}
+
+	return ml_thread_config_get(thread, key, out, max);
+}
+
+kern_status_t thread_config_set(
+	struct thread *thread,
+	kern_config_key_t key,
+	const void *ptr,
+	size_t len)
+{
+	switch (key) {
+	default:
+		break;
+	}
+
+	return ml_thread_config_set(thread, key, ptr, len);
+}

sched/wait.c

@@ -69,6 +69,24 @@ void wakeup_queue(struct waitqueue *q)
 	spin_unlock_irqrestore(&q->wq_lock, flags);
 }
 
+void wakeup_n(struct waitqueue *q, size_t nr_waiters)
+{
+	unsigned long flags;
+	spin_lock_irqsave(&q->wq_lock, &flags);
+	struct queue_entry *ent = queue_pop_front(&q->wq_waiters);
+	while (ent && nr_waiters > 0) {
+		struct wait_item *waiter
+			= QUEUE_CONTAINER(struct wait_item, w_entry, ent);
+		struct thread *thr = waiter->w_thread;
+		thread_awaken(thr);
+
+		ent = queue_pop_front(&q->wq_waiters);
+		nr_waiters--;
+	}
+
+	spin_unlock_irqrestore(&q->wq_lock, flags);
+}
+
 void wakeup_one(struct waitqueue *q)
 {
 	unsigned long flags;

syscall/dispatch.c

@@ -10,7 +10,11 @@ static const virt_addr_t syscall_table[] = {
 	SYSCALL_TABLE_ENTRY(TASK_CREATE, task_create),
 	SYSCALL_TABLE_ENTRY(TASK_CREATE_THREAD, task_create_thread),
 	SYSCALL_TABLE_ENTRY(TASK_GET_ADDRESS_SPACE, task_get_address_space),
+	SYSCALL_TABLE_ENTRY(THREAD_SELF, thread_self),
 	SYSCALL_TABLE_ENTRY(THREAD_START, thread_start),
+	SYSCALL_TABLE_ENTRY(THREAD_EXIT, thread_exit),
+	SYSCALL_TABLE_ENTRY(THREAD_CONFIG_GET, thread_config_get),
+	SYSCALL_TABLE_ENTRY(THREAD_CONFIG_SET, thread_config_set),
 	SYSCALL_TABLE_ENTRY(VM_OBJECT_CREATE, vm_object_create),
 	SYSCALL_TABLE_ENTRY(VM_OBJECT_READ, vm_object_read),
 	SYSCALL_TABLE_ENTRY(VM_OBJECT_WRITE, vm_object_write),
@@ -48,6 +52,8 @@ static const virt_addr_t syscall_table[] = {
 		VM_CONTROLLER_SUPPLY_PAGES,
 		vm_controller_supply_pages),
 	SYSCALL_TABLE_ENTRY(KERN_OBJECT_WAIT, kern_object_wait),
+	SYSCALL_TABLE_ENTRY(FUTEX_WAIT, futex_wait),
+	SYSCALL_TABLE_ENTRY(FUTEX_WAKE, futex_wake),
 };
 static const size_t syscall_table_count
 	= sizeof syscall_table / sizeof syscall_table[0];

syscall/futex.c

@@ -0,0 +1,37 @@
+#include <kernel/futex.h>
+#include <kernel/sched.h>
+#include <kernel/syscall.h>
+#include <kernel/task.h>
+
+kern_status_t sys_futex_wait(
+	kern_futex_t *futex,
+	kern_futex_t new_val,
+	unsigned int flags)
+{
+	struct task *self = current_task();
+	if (!validate_access_r(self, futex, sizeof *futex)) {
+		return KERN_MEMORY_FAULT;
+	}
+
+	futex_key_t key;
+	kern_status_t status = futex_get(futex, &key, flags);
+	if (status != KERN_OK) {
+		return status;
+	}
+
+	return futex_wait(key, new_val, flags);
+}
+
+kern_status_t sys_futex_wake(
+	kern_futex_t *futex,
+	unsigned int nr_waiters,
+	unsigned int flags)
+{
+	futex_key_t key;
+	kern_status_t status = futex_get(futex, &key, flags);
+	if (status != KERN_OK) {
+		return status;
+	}
+
+	return futex_wake(key, nr_waiters, flags);
+}

syscall/log.c

@@ -1,10 +1,12 @@
 #include <kernel/printk.h>
 #include <kernel/sched.h>
 #include <kernel/task.h>
+#include <kernel/thread.h>
 
 kern_status_t sys_kern_log(const char *s)
 {
 	struct task *task = current_task();
-	printk("%s[%d]: %s", task->t_name, task->t_id, s);
+	struct thread *thread = current_thread();
+	printk("%s[%d.%d]: %s", task->t_name, task->t_id, thread->tr_id, s);
 	return KERN_OK;
 }

syscall/msg.c

@@ -60,9 +60,9 @@ kern_status_t sys_port_create(kern_handle_t *out)
 	kern_status_t status
 		= task_open_handle(self, &port->p_base, 0, &handle);
 	task_unlock_irqrestore(self, irq_flags);
+	object_unref(&port->p_base);
 
 	if (status != KERN_OK) {
-		object_unref(&port->p_base);
 		return status;
 	}
 
@@ -114,6 +114,7 @@ kern_status_t sys_port_connect(
 	status = port_connect(port, remote);
 	port_unlock_irqrestore(port, flags);
 	object_unref(&remote->c_base);
+	object_unref(port_obj);
 
 	return KERN_OK;
 }

syscall/task.c

@@ -8,13 +8,12 @@
 
 extern kern_status_t sys_task_exit(int status)
 {
+#if defined(TRACE)
 	struct task *self = current_task();
 	printk("%s[%d]: task_exit(%d)", self->t_name, self->t_id, status);
-	while (1) {
+#endif
-		milli_sleep(5000);
+	task_exit(status);
-	}
+	return KERN_FATAL_ERROR;
-
-	return KERN_UNIMPLEMENTED;
 }
 
 kern_status_t sys_task_self(kern_handle_t *out)
@@ -39,7 +38,7 @@ kern_status_t sys_task_self(kern_handle_t *out)
 		return status;
 	}
 
-	object_add_handle(&self->t_base);
+	object_ref(&self->t_base);
 	handle_slot->h_object = &self->t_base;
 
 	*out = handle;
@@ -130,8 +129,8 @@ kern_status_t sys_task_create(
 	child_handle_slot->h_object = &child->t_base;
 	space_handle_slot->h_object = &child->t_address_space->s_base;
 
-	object_add_handle(&child->t_base);
+	object_ref(&child->t_base);
-	object_add_handle(&child->t_address_space->s_base);
+	object_ref(&child->t_address_space->s_base);
 
 	object_unref(parent_obj);
 
@@ -179,6 +178,7 @@ kern_status_t sys_task_create_thread(
 		&target_handle,
 		&out_handle);
 	if (status != KERN_OK) {
+		object_unref(target_obj);
 		task_unlock_irqrestore(self, flags);
 		return status;
 	}
@@ -198,10 +198,11 @@ kern_status_t sys_task_create_thread(
 	}
 
 	thread_init_user(thread, ip, sp, args, nr_args);
-	target_handle->h_object = &thread->thr_base;
+	target_handle->h_object = &thread->tr_base;
-	object_add_handle(&thread->thr_base);
+	object_ref(&thread->tr_base);
 
 	task_unlock_irqrestore(target, flags);
+	object_unref(target_obj);
 
 	*out_thread = out_handle;
 	return KERN_OK;
@@ -253,7 +254,7 @@ kern_status_t sys_task_get_address_space(
 	}
 
 	handle_slot->h_object = &task->t_address_space->s_base;
-	object_add_handle(&task->t_address_space->s_base);
+	object_ref(&task->t_address_space->s_base);
 	task_unlock_irqrestore(self, flags);
 	object_unref(task_obj);
 
@@ -261,6 +262,37 @@ kern_status_t sys_task_get_address_space(
 	return KERN_OK;
 }
 
+kern_status_t sys_thread_self(kern_handle_t *out)
+{
+	struct task *self = current_task();
+	if (!validate_access_w(self, out, sizeof *out)) {
+		return KERN_MEMORY_FAULT;
+	}
+
+	struct thread *self_thread = current_thread();
+
+	unsigned long flags;
+	task_lock_irqsave(self, &flags);
+
+	struct handle *handle_slot = NULL;
+	kern_handle_t handle;
+	kern_status_t status = handle_table_alloc_handle(
+		self->t_handles,
+		&handle_slot,
+		&handle);
+	task_unlock_irqrestore(self, flags);
+
+	if (status != KERN_OK) {
+		return status;
+	}
+
+	object_ref(&self_thread->tr_base);
+	handle_slot->h_object = &self_thread->tr_base;
+
+	*out = handle;
+	return KERN_OK;
+}
+
 kern_status_t sys_thread_start(kern_handle_t thread_handle)
 {
 	unsigned long flags;
@@ -287,3 +319,82 @@ kern_status_t sys_thread_start(kern_handle_t thread_handle)
 
 	return KERN_OK;
 }
+
+kern_status_t sys_thread_exit(void)
+{
+	thread_exit();
+	/* unreachable */
+	return KERN_FATAL_ERROR;
+}
+
+kern_status_t sys_thread_config_get(
+	kern_handle_t thread_handle,
+	kern_config_key_t key,
+	void *ptr,
+	size_t len)
+{
+	unsigned long flags;
+	struct task *self = current_task();
+
+	if (!validate_access_w(self, ptr, len)) {
+		return KERN_MEMORY_FAULT;
+	}
+
+	struct object *thread_obj;
+	handle_flags_t thread_flags;
+	task_lock_irqsave(self, &flags);
+	kern_status_t status = task_resolve_handle(
+		self,
+		thread_handle,
+		&thread_obj,
+		&thread_flags);
+	if (status != KERN_OK) {
+		task_unlock_irqrestore(self, flags);
+		return status;
+	}
+
+	struct thread *thread = thread_cast(thread_obj);
+	task_unlock_irqrestore(self, flags);
+
+	status = thread_config_get(thread, key, ptr, len);
+
+	object_unref(thread_obj);
+
+	return status;
+}
+
+kern_status_t sys_thread_config_set(
+	kern_handle_t thread_handle,
+	kern_config_key_t key,
+	const void *ptr,
+	size_t len)
+{
+	unsigned long flags;
+	struct task *self = current_task();
+
+	if (!validate_access_w(self, ptr, len)) {
+		return KERN_MEMORY_FAULT;
+	}
+
+	struct object *thread_obj;
+	handle_flags_t thread_flags;
+	task_lock_irqsave(self, &flags);
+	kern_status_t status = task_resolve_handle(
+		self,
+		thread_handle,
+		&thread_obj,
+		&thread_flags);
+	if (status != KERN_OK) {
+		task_unlock_irqrestore(self, flags);
+		return status;
+	}
+
+	struct thread *thread = thread_cast(thread_obj);
+	task_unlock_irqrestore(self, flags);
+
+	status = thread_config_set(thread, key, ptr, len);
+
+	object_unref(thread_obj);
+
+	return status;
+}

syscall/vm-controller.c

@@ -186,8 +186,6 @@ kern_status_t sys_vm_controller_create_object(
 	}
 
 	out_slot->h_object = &out_vmo->vo_base;
-	object_add_handle(&out_vmo->vo_base);
-	object_unref(&out_vmo->vo_base);
 
 	*out = out_handle;
 	return KERN_OK;

syscall/vm-object.c

@@ -29,12 +29,9 @@ kern_status_t sys_vm_object_create(
 
 	kern_status_t status
 		= task_open_handle(self, &obj->vo_base, 0, out_handle);
-	if (status != KERN_OK) {
+	object_unref(&obj->vo_base);
-		object_unref(&obj->vo_base);
-		return status;
-	}
 
-	return KERN_OK;
+	return status;
 }
 
 kern_status_t sys_vm_object_read(

vm/address-space.c

@@ -4,7 +4,10 @@
 #include <kernel/object.h>
 #include <kernel/panic.h>
 #include <kernel/printk.h>
+#include <kernel/sched.h>
+#include <kernel/task.h>
 #include <kernel/util.h>
+#include <kernel/vm-controller.h>
 #include <kernel/vm-object.h>
 #include <mango/status.h>
 
@@ -34,6 +37,7 @@ struct vm_iterator {
 /* iterates over the areas in an address space */
 struct area_iterator {
 	struct address_space *it_root;
+	struct btree *it_list;
 	struct vm_area *it_area;
 	virt_addr_t it_search_base, it_search_limit;
 	virt_addr_t it_base, it_limit;
@@ -44,12 +48,15 @@ enum search_direction {
 	SEARCH_RIGHT,
 };
 
-static kern_status_t address_space_object_destroy(struct object *obj);
+static kern_status_t address_space_cleanup(struct object *obj);
 
 static struct object_type address_space_type = {
 	.ob_name = "address-space",
 	.ob_size = sizeof(struct address_space),
 	.ob_header_offset = offsetof(struct address_space, s_base),
+	.ob_ops = {
+		.destroy = address_space_cleanup,
+	},
 };
 
 static struct vm_cache vm_area_cache = {
@@ -59,6 +66,10 @@ static struct vm_cache vm_area_cache = {
 
 /*** INTERNAL UTILITY FUNCTION ************************************************/
 
+static kern_status_t delete_area(
+	struct vm_area *mapping,
+	struct address_space *root);
+
 /* this function must be called with `parent` locked */
 static void put_entry(struct btree *tree, struct vm_area *child)
 {
@@ -105,7 +116,7 @@ static void put_entry(struct btree *tree, struct vm_area *child)
 }
 
 static struct vm_area *get_entry(
-	struct address_space *region,
+	struct btree *list,
 	virt_addr_t address,
 	enum get_entry_flags flags)
 {
@@ -114,7 +125,7 @@ static struct vm_area *get_entry(
 	/* `x` must be to the right of `y` */
 #define RIGHT_DIFF(x, y) ((y) ? ((y)->vma_limit - (x)) : ((size_t)-1))
 
-	struct btree_node *cur = region->s_mappings.b_root;
+	struct btree_node *cur = list->b_root;
 	if (!cur) {
 		return NULL;
 	}
@@ -131,16 +142,16 @@ static struct vm_area *get_entry(
 
 		if (address < child->vma_base) {
 			next = btree_left(cur);
-			if (LEFT_DIFF(address, child)
-			    < LEFT_DIFF(address, closest_left)) {
-				closest_left = child;
-			}
-		} else if (address > child->vma_limit) {
-			next = btree_right(cur);
 			if (RIGHT_DIFF(address, child)
 			    < RIGHT_DIFF(address, closest_right)) {
 				closest_right = child;
 			}
+		} else if (address > child->vma_limit) {
+			next = btree_right(cur);
+			if (LEFT_DIFF(address, child)
+			    < LEFT_DIFF(address, closest_left)) {
+				closest_left = child;
+			}
 		} else {
 			result = child;
 			break;
@@ -345,7 +356,7 @@ static void vm_iterator_begin(
 	it->it_region = region;
 	it->it_prot = prot;
 
-	it->it_mapping = get_entry(region, base, GET_ENTRY_EXACT);
+	it->it_mapping = get_entry(&region->s_mappings, base, GET_ENTRY_EXACT);
 	if (!it->it_mapping) {
 		return;
 	}
@@ -409,8 +420,10 @@ static kern_status_t vm_iterator_seek(struct vm_iterator *it, size_t nr_bytes)
 
 	it->it_base += nr_bytes;
 
-	struct vm_area *next_mapping
+	struct vm_area *next_mapping = get_entry(
-		= get_entry(it->it_region, it->it_base, GET_ENTRY_EXACT);
+		&it->it_region->s_mappings,
+		it->it_base,
+		GET_ENTRY_EXACT);
 	if (!next_mapping) {
 		it->it_buf = NULL;
 		it->it_max = 0;
@@ -478,12 +491,14 @@ static void vm_iterator_finish(struct vm_iterator *it)
 static void area_iterator_begin(
 	struct area_iterator *it,
 	struct address_space *space,
+	struct btree *area_list,
 	virt_addr_t base,
 	virt_addr_t limit)
 {
 	memset(it, 0x0, sizeof *it);
 
-	struct vm_area *area = get_entry(space, base, GET_ENTRY_CLOSEST_RIGHT);
+	struct vm_area *area
+		= get_entry(area_list, base, GET_ENTRY_CLOSEST_RIGHT);
 	if (!area) {
 		return;
 	}
@@ -552,8 +567,46 @@ end:
 	return KERN_NO_ENTRY;
 }
 
-static void area_iterator_erase(struct area_iterator *it)
+static kern_status_t area_iterator_erase(struct area_iterator *it)
 {
+	if (!it->it_root || !it->it_area) {
+		return KERN_NO_ENTRY;
+	}
+
+	struct btree_node *next = btree_next(&it->it_area->vma_node);
+	btree_delete(it->it_list, &it->it_area->vma_node);
+	vm_cache_free(&vm_area_cache, it->it_area);
+
+	if (!next) {
+		goto end;
+	}
+
+	struct vm_area *area = BTREE_CONTAINER(struct vm_area, vma_node, next);
+	if (!area) {
+		goto end;
+	}
+
+	if (area->vma_base > it->it_search_limit) {
+		goto end;
+	}
+
+	it->it_area = area;
+	it->it_base = area->vma_base;
+	it->it_limit = area->vma_base;
+
+	if (it->it_base < it->it_search_base) {
+		it->it_base = it->it_search_base;
+	}
+
+	if (it->it_limit > it->it_search_limit) {
+		it->it_limit = it->it_search_limit;
+	}
+
+	return KERN_OK;
+
+end:
+	memset(it, 0x0, sizeof *it);
+	return KERN_NO_ENTRY;
 }
 
 /*** PUBLIC API ***************************************************************/
@@ -602,6 +655,50 @@ kern_status_t address_space_create(
 	return KERN_OK;
 }
 
+static void area_unmap(struct vm_area *area)
+{
+	pmap_t pmap = area->vma_space->s_pmap;
+	virt_addr_t base = area->vma_base;
+	virt_addr_t limit = area->vma_limit;
+	for (virt_addr_t i = base; i < limit; i += VM_PAGE_SIZE) {
+		pmap_remove(pmap, i);
+	}
+}
+
+static kern_status_t address_space_cleanup(struct object *obj)
+{
+	struct address_space *space = ADDRESS_SPACE_CAST(obj);
+	tracek("begin address space cleanup %p", space);
+	struct btree_node *cur = btree_first(&space->s_mappings);
+	while (cur) {
+		struct btree_node *next = btree_next(cur);
+		struct vm_area *area
+			= BTREE_CONTAINER(struct vm_area, vma_node, cur);
+		btree_delete(&space->s_mappings, cur);
+
+		delete_area(area, space);
+		vm_cache_free(&vm_area_cache, area);
+
+		cur = next;
+	}
+
+	cur = btree_first(&space->s_reserved);
+	while (cur) {
+		struct btree_node *next = btree_next(cur);
+		struct vm_area *area
+			= BTREE_CONTAINER(struct vm_area, vma_node, cur);
+		btree_delete(&space->s_reserved, cur);
+
+		delete_area(area, space);
+		vm_cache_free(&vm_area_cache, area);
+
+		cur = next;
+	}
+
+	tracek("end address space cleanup %p", space);
+	return KERN_OK;
+}
+
 kern_status_t address_space_map(
 	struct address_space *root,
 	virt_addr_t map_address,
@@ -625,6 +722,9 @@ kern_status_t address_space_map(
 	}
 
 	tracek("address_space_map(%zx, %zx)", map_address, length);
+	if (map_address == 0xc6a55000) {
+		printk("break");
+	}
 
 	if (!root || !object) {
 		tracek("null pointer");
@@ -659,6 +759,7 @@ kern_status_t address_space_map(
 	}
 
 	object_ref(&object->vo_base);
+	area->vma_space = root;
 	area->vma_object = object;
 	area->vma_prot = prot;
 	area->vma_object_offset = object_offset;
@@ -726,6 +827,7 @@ static kern_status_t split_area(
 	left->vma_base = left_base;
 	left->vma_limit = left_base + left_length - 1;
 
+	right->vma_space = left->vma_space;
 	right->vma_object = left->vma_object;
 	right->vma_prot = left->vma_prot;
 	right->vma_object_offset = right_object_offset;
@@ -740,7 +842,7 @@ static kern_status_t split_area(
 
 	put_entry(&root->s_mappings, right);
 	for (size_t i = unmap_base; i < unmap_limit; i += VM_PAGE_SIZE) {
-		tracek("unmapping %zx", i);
+		tracek("pmap_remove %zx", i);
 		pmap_remove(root->s_pmap, i);
 	}
 
@@ -777,7 +879,7 @@ static kern_status_t left_reduce_area(
 		return KERN_OK;
 	}
 
-	tracek(" unmapping %zx-%zx (%zx bytes)", base, base + length, length);
+	tracek(" pmap_remove %zx-%zx (%zx bytes)", base, base + length, length);
 	for (size_t i = base; i < limit; i += VM_PAGE_SIZE) {
 		pmap_remove(root->s_pmap, i);
 	}
@@ -814,7 +916,7 @@ static kern_status_t right_reduce_area(
 		return KERN_OK;
 	}
 
-	tracek(" unmapping %zx-%zx (%zx bytes)", base, base + length, length);
+	tracek(" pmap_remove %zx-%zx (%zx bytes)", base, base + length, length);
 	for (size_t i = base; i < limit; i += VM_PAGE_SIZE) {
 		pmap_remove(root->s_pmap, i);
 	}
@@ -832,9 +934,10 @@ static kern_status_t delete_area(
 		return KERN_OK;
 	}
 
-	tracek("delete mapping [%zx-%zx]",
+	tracek("delete mapping [%zx-%zx] (%zx bytes)",
 	       mapping->vma_base,
-	       mapping->vma_limit);
+	       mapping->vma_limit,
+	       mapping->vma_limit - mapping->vma_base);
 
 	for (size_t i = mapping->vma_base; i < mapping->vma_limit;
 	     i += VM_PAGE_SIZE) {
@@ -848,7 +951,23 @@ static kern_status_t delete_area(
 		&mapping->vma_object->vo_mappings,
 		&mapping->vma_object_entry);
 	mapping->vma_object = NULL;
-	vm_object_unlock_irqrestore(mapping->vma_object, flags);
+	/* if the object is attached to a controller and the ref-count is 2,
+	 * then the only other remaining reference to this object is held by
+	 * the controller. */
+	struct vm_controller *ctrl = object->vo_ctrl;
+	bool detach = ctrl != NULL && object->vo_base.ob_refcount == 2
+	           && (object->vo_flags & VMO_AUTO_DETACH);
+	vm_object_unlock_irqrestore(object, flags);
+
+	if (detach) {
+		/* TODO find a better way to achieve this, and/or give the
+		 * server that created the object more control over when it
+		 * should be detached */
+		vm_controller_lock_irqsave(ctrl, &flags);
+		vm_controller_detach_object(ctrl, object);
+		vm_controller_unlock_irqrestore(ctrl, flags);
+	}
+
 	object_unref(&object->vo_base);
 
 	/* don't actually delete the mapping yet. that will be done by
@@ -880,7 +999,12 @@ kern_status_t address_space_unmap(
 	virt_addr_t unmap_limit = unmap_base + unmap_length - 1;
 	tracek("unmapping %zx-%zx", unmap_base, unmap_limit);
 
-	area_iterator_begin(&it, region, unmap_base, unmap_limit);
+	area_iterator_begin(
+		&it,
+		region,
+		&region->s_mappings,
+		unmap_base,
+		unmap_limit);
 	while (it.it_area) {
 		struct vm_area *area = it.it_area;
 		virt_addr_t area_base = area->vma_base;
@@ -892,9 +1016,11 @@ kern_status_t address_space_unmap(
 			= (area_base <= unmap_base
 		           && area_limit >= unmap_limit);
 		bool left_reduce
-			= (unmap_base <= area_base && unmap_limit < area_limit);
+			= (unmap_base <= area_base && unmap_limit > area_base
+		           && unmap_limit < area_limit);
 		bool right_reduce
-			= (unmap_base > area_base && unmap_limit >= area_limit);
+			= (unmap_base > area_base && unmap_base < area_limit
+		           && unmap_limit >= area_limit);
 
 		if (split) {
 			status = split_area(
@@ -983,6 +1109,7 @@ kern_status_t address_space_reserve(
 		return KERN_NO_MEMORY;
 	}
 
+	area->vma_space = space;
 	area->vma_base = base;
 	area->vma_limit = base + length - 1;
 
@@ -1012,7 +1139,12 @@ kern_status_t address_space_release(
 	virt_addr_t release_limit = release_base + release_length - 1;
 	tracek("unreserving %zx-%zx", release_base, release_limit);
 
-	area_iterator_begin(&it, space, release_base, release_limit);
+	area_iterator_begin(
+		&it,
+		space,
+		&space->s_reserved,
+		release_base,
+		release_limit);
 	while (it.it_area) {
 		struct vm_area *area = it.it_area;
 		virt_addr_t area_base = area->vma_base;
@@ -1026,9 +1158,10 @@ kern_status_t address_space_release(
 		           && area_limit >= release_limit);
 		bool left_reduce
 			= (release_base <= area_base
+		           && release_limit > area_base
 		           && release_limit < area_limit);
 		bool right_reduce
-			= (release_base > area_base
+			= (release_base > area_base && release_base < area_limit
 		           && release_limit >= area_limit);
 
 		if (split) {
@@ -1099,9 +1232,9 @@ bool address_space_validate_access(
 		limit -= 1;
 	}
 
-	/* TODO improve this to not require a per-page loop */
 	for (virt_addr_t i = base; i < limit;) {
-		struct vm_area *area = get_entry(region, i, GET_ENTRY_EXACT);
+		struct vm_area *area
+			= get_entry(&region->s_mappings, i, GET_ENTRY_EXACT);
 		if (!area) {
 			return false;
 		}
@@ -1110,7 +1243,7 @@ bool address_space_validate_access(
 			return false;
 		}
 
-		i = area->vma_limit;
+		i = area->vma_limit + 1;
 	}
 
 	return true;
@@ -1142,6 +1275,7 @@ static kern_status_t request_missing_page(
 		irq_flags);
 	if (!pg) {
 		vm_object_unlock_irqrestore(object, *irq_flags);
+		printk("page request for %zx failed", addr);
 		return KERN_FATAL_ERROR;
 	}
 
@@ -1172,7 +1306,8 @@ kern_status_t address_space_demand_map(
 	unsigned long irq_flags;
 	address_space_lock_irqsave(region, &irq_flags);
 
-	struct vm_area *area = get_entry(region, addr, GET_ENTRY_EXACT);
+	struct vm_area *area
+		= get_entry(&region->s_mappings, addr, GET_ENTRY_EXACT);
 	if (!area || !area->vma_object) {
 		address_space_unlock_irqrestore(region, irq_flags);
 		return KERN_NO_ENTRY;
@@ -1203,8 +1338,19 @@ kern_status_t address_space_demand_map(
 		object_offset,
 		VMO_ALLOCATE_MISSING_PAGE,
 		NULL);
-	// tracek("vm: mapping %07llx -> %10llx", vm_page_get_paddr(pg),
+#if 0
-	// addr);
+	struct task *self = current_task();
+	printk("vm: %s[%d] mapping %07llx -> %10llx",
+	       self->t_name,
+	       self->t_id,
+	       vm_page_get_paddr(pg),
+	       addr);
+#endif
+
+	if (!pg) {
+		return KERN_FATAL_ERROR;
+	}
+
 	kern_status_t status = pmap_add(
 		region->s_pmap,
 		addr,
@@ -1405,6 +1551,43 @@ extern kern_status_t address_space_memmove_v(
 	return KERN_OK;
 }
 
+kern_status_t address_space_translate(
+	struct address_space *space,
+	virt_addr_t in,
+	phys_addr_t *out,
+	unsigned long *irq_flags)
+{
+	if (in >= VM_KERNEL_BASE) {
+		return vm_virt_to_phys((const void *)in);
+	}
+
+	struct vm_area *area
+		= get_entry(&space->s_mappings, in, GET_ENTRY_EXACT);
+	if (!area || !area->vma_object) {
+		return KERN_NO_ENTRY;
+	}
+
+	off_t offset = in - area->vma_base + area->vma_object_offset;
+	struct vm_object *vmo = area->vma_object;
+	vm_object_lock(vmo);
+	address_space_unlock(space);
+	struct vm_page *pg = vm_object_get_page(
+		vmo,
+		offset,
+		VMO_ALLOCATE_MISSING_PAGE | VMO_REQUEST_MISSING_PAGE,
+		irq_flags);
+	if (!pg) {
+		return KERN_NO_ENTRY;
+	}
+
+	phys_addr_t paddr = vm_page_get_paddr(pg);
+	paddr += (in & VM_PAGE_MASK);
+	vm_object_unlock(vmo);
+	address_space_lock(space);
+
+	return paddr;
+}
+
 #ifdef TRACE
 void address_space_dump(struct address_space *region)
 {

vm/vm-controller.c

@@ -23,8 +23,14 @@ static struct object_type vm_controller_type = {
 	.ob_header_offset = offsetof(struct vm_controller, vc_base),
 };
 
+static struct vm_cache page_request_cache = {
+	.c_name = "page-request",
+	.c_obj_size = sizeof(struct page_request),
+};
+
 kern_status_t vm_controller_type_init(void)
 {
+	vm_cache_init(&page_request_cache);
 	return object_type_register(&vm_controller_type);
 }
 
@@ -52,10 +58,17 @@ static struct page_request *get_next_request(struct vm_controller *ctrl)
 		struct page_request *req
 			= BTREE_CONTAINER(struct page_request, req_node, cur);
 		spin_lock(&req->req_lock);
-		if (req->req_status == PAGE_REQUEST_PENDING) {
+		switch (req->req_status) {
+		case PAGE_REQUEST_PENDING:
 			req->req_status = PAGE_REQUEST_IN_PROGRESS;
 			ctrl->vc_requests_waiting--;
 			return req;
+		case PAGE_REQUEST_ASYNC:
+			btree_delete(&ctrl->vc_requests, &req->req_node);
+			ctrl->vc_requests_waiting--;
+			return req;
+		default:
+			break;
 		}
 
 		spin_unlock(&req->req_lock);
@@ -65,98 +78,6 @@ static struct page_request *get_next_request(struct vm_controller *ctrl)
 	return NULL;
 }
 
-kern_status_t vm_controller_recv(
-	struct vm_controller *ctrl,
-	equeue_packet_page_request_t *out)
-{
-	struct page_request *req = NULL;
-
-	req = get_next_request(ctrl);
-	if (!req) {
-		return KERN_NO_ENTRY;
-	}
-
-	if (ctrl->vc_requests_waiting == 0) {
-		object_clear_signal(
-			&ctrl->vc_base,
-			VM_CONTROLLER_SIGNAL_REQUEST_RECEIVED);
-	}
-
-	out->req_vmo = req->req_object->vo_key;
-	out->req_type = req->req_type;
-	out->req_offset = req->req_offset;
-	out->req_length = req->req_length;
-
-	spin_unlock(&req->req_lock);
-	return KERN_OK;
-}
-
-kern_status_t vm_controller_recv_async(
-	struct vm_controller *ctrl,
-	struct equeue *eq,
-	equeue_key_t key)
-{
-	if (ctrl->vc_eq) {
-		object_unref(&ctrl->vc_eq->eq_base);
-	}
-
-	object_ref(&eq->eq_base);
-	ctrl->vc_eq = eq;
-	ctrl->vc_eq_key = key;
-
-	return KERN_OK;
-}
-
-kern_status_t vm_controller_create_object(
-	struct vm_controller *ctrl,
-	const char *name,
-	size_t name_len,
-	equeue_key_t key,
-	size_t data_len,
-	vm_prot_t prot,
-	struct vm_object **out)
-{
-	struct vm_object *vmo = get_object(&ctrl->vc_objects, key);
-	if (vmo) {
-		return KERN_NAME_EXISTS;
-	}
-
-	vmo = vm_object_create(name, name_len, data_len, prot);
-	if (!vmo) {
-		return KERN_NO_MEMORY;
-	}
-
-	object_ref(&ctrl->vc_base);
-	object_ref(&vmo->vo_base);
-
-	vmo->vo_flags |= VMO_CONTROLLER;
-	vmo->vo_ctrl = ctrl;
-	vmo->vo_key = key;
-
-	put_object(&ctrl->vc_objects, vmo);
-
-	*out = vmo;
-	return KERN_OK;
-}
-
-kern_status_t vm_controller_detach_object(
-	struct vm_controller *ctrl,
-	struct vm_object *vmo)
-{
-	if (vmo->vo_ctrl != ctrl) {
-		return KERN_INVALID_ARGUMENT;
-	}
-
-	vmo->vo_ctrl = NULL;
-	vmo->vo_key = 0;
-	btree_delete(&ctrl->vc_objects, &vmo->vo_ctrl_node);
-
-	object_unref(&ctrl->vc_base);
-	object_unref(&vmo->vo_base);
-
-	return KERN_OK;
-}
-
 static kern_status_t try_enqueue(struct btree *tree, struct page_request *req)
 {
 	if (!tree->b_root) {
@@ -196,6 +117,119 @@ static kern_status_t try_enqueue(struct btree *tree, struct page_request *req)
 	return true;
 }
 
+static kern_status_t send_request_async(
+	struct vm_controller *ctrl,
+	struct page_request *req)
+{
+	fill_random(&req->req_id, sizeof req->req_id);
+	while (!try_enqueue(&ctrl->vc_requests, req)) {
+		req->req_id++;
+	}
+
+	ctrl->vc_requests_waiting++;
+	object_assert_signal(
+		&ctrl->vc_base,
+		VM_CONTROLLER_SIGNAL_REQUEST_RECEIVED);
+
+	return KERN_OK;
+}
+
+kern_status_t vm_controller_recv(
+	struct vm_controller *ctrl,
+	equeue_packet_page_request_t *out)
+{
+	struct page_request *req = NULL;
+
+	req = get_next_request(ctrl);
+	if (!req) {
+		return KERN_NO_ENTRY;
+	}
+
+	if (ctrl->vc_requests_waiting == 0) {
+		object_clear_signal(
+			&ctrl->vc_base,
+			VM_CONTROLLER_SIGNAL_REQUEST_RECEIVED);
+	}
+
+	out->req_vmo = req->req_object;
+	out->req_type = req->req_type;
+	out->req_offset = req->req_offset;
+	out->req_length = req->req_length;
+
+	spin_unlock(&req->req_lock);
+
+	if (req->req_status == PAGE_REQUEST_ASYNC) {
+		vm_cache_free(&page_request_cache, req);
+	}
+
+	return KERN_OK;
+}
+
+kern_status_t vm_controller_recv_async(
+	struct vm_controller *ctrl,
+	struct equeue *eq,
+	equeue_key_t key)
+{
+	if (ctrl->vc_eq) {
+		object_unref(&ctrl->vc_eq->eq_base);
+	}
+
+	object_ref(&eq->eq_base);
+	ctrl->vc_eq = eq;
+	ctrl->vc_eq_key = key;
+
+	return KERN_OK;
+}
+
+kern_status_t vm_controller_create_object(
+	struct vm_controller *ctrl,
+	const char *name,
+	size_t name_len,
+	equeue_key_t key,
+	size_t data_len,
+	vm_prot_t prot,
+	struct vm_object **out)
+{
+	struct vm_object *vmo
+		= vm_object_create(name, name_len, data_len, prot);
+	if (!vmo) {
+		return KERN_NO_MEMORY;
+	}
+
+	object_ref(&ctrl->vc_base);
+
+	/* TODO expose the VMO_AUTO_DETACH flag to userspace */
+	vmo->vo_flags |= VMO_CONTROLLER | VMO_AUTO_DETACH;
+	vmo->vo_ctrl = ctrl;
+	vmo->vo_key = key;
+
+	*out = vmo;
+	return KERN_OK;
+}
+
+kern_status_t vm_controller_detach_object(
+	struct vm_controller *ctrl,
+	struct vm_object *vmo)
+{
+	if (vmo->vo_ctrl != ctrl) {
+		return KERN_INVALID_ARGUMENT;
+	}
+
+	struct page_request *req
+		= vm_cache_alloc(&page_request_cache, VM_NORMAL);
+	req->req_type = PAGE_REQUEST_DETACH;
+	req->req_status = PAGE_REQUEST_ASYNC;
+	req->req_object = vmo->vo_key;
+	req->req_sender = current_thread();
+	send_request_async(ctrl, req);
+
+	vmo->vo_ctrl = NULL;
+	vmo->vo_key = 0;
+	object_unref(&ctrl->vc_base);
+
+	return KERN_OK;
+}
+
 static void wait_for_reply(
 	struct vm_controller *ctrl,
 	struct page_request *req,
@@ -221,7 +255,7 @@ static void wait_for_reply(
 
 static void fulfill_requests(
 	struct vm_controller *ctrl,
-	struct vm_object *obj,
+	equeue_key_t object,
 	off_t offset,
 	size_t length,
 	kern_status_t result)
@@ -242,7 +276,7 @@ static void fulfill_requests(
 			match = true;
 		}
 
-		if (req->req_object != obj) {
+		if (req->req_object != object) {
 			match = false;
 		}
 
@@ -280,7 +314,7 @@ kern_status_t vm_controller_supply_pages(
 		src_offset,
 		count,
 		NULL);
-	fulfill_requests(ctrl, dst, dst_offset, count, status);
+	fulfill_requests(ctrl, dst->vo_key, dst_offset, count, status);
 
 	return status;
 }

vm/vm-object.c

@@ -1,3 +1,4 @@
+#include <kernel/address-space.h>
 #include <kernel/printk.h>
 #include <kernel/sched.h>
 #include <kernel/util.h>
@@ -14,10 +15,37 @@
 		(p) += VM_PAGE_SIZE;                                           \
 	}
 
+static kern_status_t vm_object_cleanup(struct object *obj)
+{
+	struct vm_object *vmo = vm_object_cast(obj);
+	struct btree_node *cur = btree_first(&vmo->vo_pages);
+	while (cur) {
+		struct vm_page *pg
+			= BTREE_CONTAINER(struct vm_page, p_bnode, cur);
+		struct btree_node *next = btree_next(cur);
+		btree_delete(&vmo->vo_pages, cur);
+
+		vm_page_free(pg);
+		cur = next;
+	}
+
+	if (vmo->vo_ctrl) {
+		unsigned long flags;
+		vm_controller_lock_irqsave(vmo->vo_ctrl, &flags);
+		vm_controller_detach_object(vmo->vo_ctrl, vmo);
+		vm_controller_unlock_irqrestore(vmo->vo_ctrl, flags);
+	}
+
+	return KERN_OK;
+}
+
 static struct object_type vm_object_type = {
 	.ob_name = "vm-object",
 	.ob_size = sizeof(struct vm_object),
 	.ob_header_offset = offsetof(struct vm_object, vo_base),
+	.ob_ops = {
+		.destroy = vm_object_cleanup,
+	},
 };
 
 struct object_iterator {
@@ -236,7 +264,6 @@ extern struct vm_object *vm_object_create_in_place(
 	     i += VM_PAGE_SIZE, offset += VM_PAGE_SIZE) {
 		struct vm_page *pg = vm_page_get(i);
 		if (!pg) {
-			printk("vm-object: invalid physical address %08llx", i);
 			object_unref(&vmo->vo_base);
 			return NULL;
 		}
@@ -261,10 +288,12 @@ static struct vm_page *alloc_page(struct vm_object *vo, off_t offset)
 
 		void *page_buf = vm_page_get_vaddr(page);
 		memset(page_buf, 0x0, vm_page_get_size_bytes(page));
-		tracek("vm-object: [%s] alloc offset %zx -> page %zx",
+#if 0
+		printk("vm-object: [%s] alloc offset %zx -> page %zx",
 		       vo->vo_name,
 		       offset,
 		       vm_page_get_paddr(page));
+#endif
 		page->p_vmo_offset = offset;
 		vo->vo_pages.b_root = &page->p_bnode;
 		btree_insert_fixup(&vo->vo_pages, &page->p_bnode);
@@ -344,12 +373,13 @@ static kern_status_t request_page(
 	struct vm_controller *ctrl = vo->vo_ctrl;
 	struct page_request req = {0};
 	req.req_status = PAGE_REQUEST_PENDING;
+	req.req_type = PAGE_REQUEST_READ;
 	req.req_offset = offset;
 	req.req_length = vm_page_order_to_bytes(VM_PAGE_4K);
 	req.req_sender = current_thread();
 
 	object_ref(&vo->vo_base);
-	req.req_object = vo;
+	req.req_object = vo->vo_key;
 
 	vm_object_unlock_irqrestore(vo, *irq_flags);
 	vm_controller_lock_irqsave(ctrl, irq_flags);
@@ -372,6 +402,7 @@ struct vm_page *vm_object_get_page(
 	enum vm_object_flags flags,
 	unsigned long *irq_flags)
 {
+	offset &= ~VM_PAGE_MASK;
 	if (!vo->vo_ctrl && (flags & VMO_ALLOCATE_MISSING_PAGE)) {
 		return alloc_page(vo, offset);
 	}
@@ -871,8 +902,35 @@ kern_status_t vm_object_transfer(
 		moved += VM_PAGE_SIZE;
 	}
 
-	/* TODO evict all page table entries that reference the transferred
+	struct queue_entry *cur = queue_first(&src->vo_mappings);
-	 * pages in `src` */
+	off_t src_limit = src_offset + count - 1;
+	while (cur) {
+		struct vm_area *area = QUEUE_CONTAINER(
+			struct vm_area,
+			vma_object_entry,
+			cur);
+		off_t area_offset = area->vma_object_offset;
+		off_t area_limit
+			= area_offset + (area->vma_limit - area->vma_base);
+
+		if (src_offset > area_limit || src_limit < area_offset) {
+			cur = queue_next(cur);
+			continue;
+		}
+
+		off_t unmap_offset = MAX(area_offset, src_offset);
+		off_t unmap_limit = MIN(area_limit, src_limit);
+
+		virt_addr_t base
+			= area->vma_base + (unmap_offset - area_offset);
+		virt_addr_t limit = base + (unmap_limit - unmap_offset);
+
+		for (virt_addr_t i = base; i < limit; i += VM_PAGE_SIZE) {
+			pmap_remove(area->vma_space->s_pmap, i);
+		}
+
+		cur = queue_next(cur);
+	}
 
 	if (nr_moved) {
 		*nr_moved = moved;