History log of /fuchsia/zircon/kernel/lib/userboot/userboot.cpp
Revision Date Author Comments
# 6af6d2d2 18-Sep-2018 Mark Seaborn <mseaborn@google.com>

[kernel] Use "status != ZX_OK" pattern instead of "status < 0"

"status != ZX_OK" is the preferred and most common pattern for
checking for an error status. "status < 0" is less common and not
preferred, so convert instances of that in kernel/ to use the
preferred pattern.

Bug: none
Test: runtests
Change-Id: I4c014be288d2378d8698f8d748de99c03020f2da


# 989ee4e8 13-Jun-2018 David Moore <davemoore@google.com>

[syscalls] Change vmar_... calls

- Create zx_vm_option_t type
- Change ZX_VM_FLAG_... to ZX_VM_... and make them new type.
- Change int32_t flags parameters to zx_vm_option_t options
- Make the options parameter be second.

- Modify vmar_..._old functions to keep other repos working.
Once they've all been updated these functions will go away.

ZX-2264
Test: CQ

Change-Id: I1faf4cc4e1e4dabf3d8ef680e398d83a545b0f09


# 7d81deec 19-Apr-2018 Christopher Anderson <cja@google.com>

[kernel][rsrc] Change ResourceDispatcher model

In general, this change moves resources to a model of
"resource allocation" and "resource validation" as separate
but related concepts. On resource creation, an allocation
against physical address space is made. On resource validation,
a syscall checks that the resource provided has the correct
allocation to permit the call asked. This means that the ROOT
resource /can/ allocate resources, but does not have to if it
simply wants to pass syscall validation. This is important
so that the ROOT resource can create specific resources that
are then passed out to drivers and used to validate access
to their hardware resources.

- Change low/high to base/length and change logic to match.
- Wire in usage of PhysicalAspaceManager so MMIO/IOPORT/IRQ
resources try to allocate from the global address space.
- Change resource access so that only the root resource can
create sub-resources.
- Track ResourceDispatchers created across the system.
- Define ZX_RSRC_KIND_ROOT as a privileged resource that will
pass all validation so that platform bus implementations
like ACPI can behave as they may.
- Initialize the allocators after the heap is initialized.
- Reserve regions marked as memory by the bootloader for x86.
- Reserve regions marked as memory in the zbi structures for ARM.
- zx_vmo_create_physical calls validate_resource_mmio
- zx_ioports_request calls validate_resource_ioports
- zx_interrupt_create calls validate_resource_irq

Test: For kernel tests, 'k ut resources'.
Syscall tests are run as part of core-tests.

ZX-971 #done

Change-Id: Iac6c4aa9e95718a0a0768ef8e3036353e73de8dd


# 30ac10bf 18-Jun-2018 Carlos Pizano <cpu@google.com>

[zircon] non-resizable VMOs

This CL introduces the first option for VMO creation
ZX_VMO_NOT_RESIZABLE that 'locks' the size of a root (non-clone) VMO

Also enables the same for COW clones via ZX_VMO_CLONE_NON_RESIZEABLE

This is meant to answer safety hazards of having a client pass
VMOs to servers which the client can resize while the server is
copying data into them via a memory map.

Today this is done via ZX_INFO_HANDLE_COUNT but that turns out
to be racy.

This CL also cleans up vmo-tests so they use probe_for_read
and probe_for_write instead of using unrelated syscalls to test
memory mappings.

TEST=added unittests in vmo_tests

ZX-2279 #comment progress

Change-Id: If69ce772dcccd92db83f5bda313ae2343ebb448e


# e5d429fb 28-Mar-2018 Shai Barack <shayba@google.com>

[syscall][vmo] removal of zx_vmo_{read,write}() actual parameter 16/n

Plumb removal of actual further down.
Still need to plumb into sys_process_{read,write}_memory

ZX-1802

Change-Id: Ibba8ce14815f34a9ca08abf854996418a25d1a87


# e03f6e82 12-Dec-2017 Todd Eisenberger <teisenbe@google.com>

[syscall][mexec] Append LAST_CRASHLOG bootdata if we have a crashlog

Also make crashlog VMO readonly in userspace.

ZX-1485 #done

Change-Id: Ifd54e3d38065d295c4aaef79ad39929e27f26711


# e1df9715 12-Dec-2017 Todd Eisenberger <teisenbe@google.com>

[kernel][userboot] Stash crashlog for mexec to maybe use later

Change-Id: Icebaade38d33f08a63482c6a928ba0593d06ae9d


# 3a828bef 06-Dec-2017 Roland McGrath <mcgrathr@google.com>

[kernel][object] Clean up Handle implementation

This moves everything into the Handle class. The code that was in
global functions before is now in class and instance methods, and
there's miscellaneous refactoring to make the code tighter.

Almost all the public API functions now use the HandleOwner smart
pointer type rather than raw Handle* pointers.

The <object/handle_owner.h> header is gone and now HandleOwner is
defined directly in <object/handle.h>, which simplifies things.

Change-Id: I578c948c347e1ffa74c3a254738387303610da79


# 75cd3680 05-Dec-2017 Roland McGrath <mcgrathr@google.com>

Clean up sloppy zx_handle_t/integer conflation

Change-Id: I5659232efa8531ef97261639cc65f211ee9f0cc8


# 41ec851b 28-Nov-2017 Travis Geiselbrecht <travisg@google.com>

[kernel][cmdline] do some additional bounds check on indexes

It was possible to end up with a case where the index went negative,
causing an early kernel crash.

Change-Id: I9ac3dcdb07b9cd1464da8833ab9dc5d1291d1731


# 07e82268 05-Oct-2017 Roland McGrath <mcgrathr@google.com>

[kernel] Remove kernel/app module

This is no longer used at all.
The kernel/app/tests code doesn't use the "app" infrastructure.
So move it to kernel/tests.

Change-Id: I6cd8ec1bf569fd95940e5ebf4dc5f640b265eb69


# de91daa6 05-Oct-2017 Travis Geiselbrecht <travisg@google.com>

[kernel][shell] remove app/shell, move the functionality into lib/console

Will add the ability to conditionally enable the kernel shell in an
upcoming commit.

Change-Id: I28b4ca17d66677ee76bfe38c0aa3fe88206b55c4


# f3e2126c 12-Sep-2017 Roland McGrath <mcgrathr@google.com>

[zx] Magenta -> Zircon

The Great Renaming is here!

Change-Id: I3229bdeb2a3d0e40fb4db6fec8ca7d971fbffb94


# 59e644b1 07-Sep-2017 George Kulakowski <kulakowski@google.com>

[zircon][mxtl->fbl] Rename mxtl to fbl

Change-Id: Ie21b6498e1bfb0a7fa0315e40b9e5c3ee78646be


# ea31f442 01-Sep-2017 Dave Bort <dbort@google.com>

[libobject] Split magenta.h handle fns into handles.h

Change-Id: Ic1ad6964128d34c206df3f3f325ed6c115ec5e0e


# e1490736 01-Sep-2017 Travis Geiselbrecht <travisg@google.com>

[kernel][vm] move kernel/kernel/vm to just kernel/vm

Change-Id: I8f724a9f8a61415712661d1fdd3dc4e1c70cf620


# 388a7f68 31-Aug-2017 Dave Bort <dbort@google.com>

[lib/magenta] Rename kernel/lib/magenta to kernel/object

TODO: Rename magenta.{cpp,h} and other instances of "magenta" in this
module.

For MG-1091 "Rename kernel/lib/magenta"

Change-Id: I2abc316f543798e00d3a4d1c2c83195da26e6836


# 22256063 21-Aug-2017 George Kulakowski <kulakowski@google.com>

[kernel][status] Convert the rest of kernel/lib to mx_status_t

Change-Id: Iba1bb7024bcefa7c5e3ee58b02d0be758c6545ae


# 4efe154a 20-Aug-2017 George Kulakowski <kulakowski@google.com>

[kernel][channel] Remove unused flags/options argument in channel creation

Change-Id: I1c2a68566e63b36214691e52a97e5b03cd1b6015


# 70c32602 04-Aug-2017 Andrew Krieger <andrewkrieger@google.com>

[kernel][entropy] Add entropy collector class

Introduce a new type to represent entropy collectors. Currently, the
kernel has a few functions that read entropy into a buffer, e.g.
hw_rng_get_entropy.

This commit basically just wraps hw_rng_get_entropy in a C++ object. The
main advantage will come once there are more sources, so that we can use
virtual functions to provide a common interface and use class instances
to save state (e.g. hardware configuration, for some entropy sources).

Change-Id: I17d9e6a0146faae2b56a7fb3031bea4d64f8a011


# 07b2a26e 02-Aug-2017 Brian Swetland <swetland@google.com>

[userboot][devmgr][crashlog] wire up platform_recover_crashlog()

Pass a vmo with the crashlog contents through userboot to devmgr
so it can be installed in /boot/log/last-panic.txt

Change-Id: I07c1b01c642e60a095736b34beffd5b04bb55a24


# a23c93a6 03-Aug-2017 Andrew Krieger <andrewkrieger@google.com>

[kernel][entropy] Move entropy collector test

Before this commit, the entropy collector quality test code was mixed
into global_prng.cpp. After this commit, it gets its own file.

The actual test code was very minimally modified. In particular:
- lines 11--93 of the new entropy/quality_test.cpp are almost an exact
cut/paste of lines 86--168 of the old global_prng.cpp, except:
* the namespace was changed from "internal" to "test"
* "static" was removed from the definition of TestEntropyCollector()
- declarations were moved from global_prng.h to entropy/quality_test.h
- namespaces and includes were updated in various places

Magenta still builds and boots both with and without
ENABLE_ENTROPY_COLLECTOR_TEST, and runs as expected with the ENABLE.

Change-Id: I00c25fa14c93401ca91ee92c2f35c7e21ac42896


# 022aebb9 01-Aug-2017 Roland McGrath <mcgrathr@google.com>

[kernel][userboot] Remove obsolete ARM32 Thumb hack

This is no longer relevant since ARM32 support is gone.

Change-Id: Idfa1e4963c9e0b029482613f349f5cba8b31fae3


# 95cfc67e 26-Jul-2017 Brian Swetland <swetland@google.com>

[kernel] make handles unsigned

The kernel was already 99.999% unsigned-handle-clean.

The bulk of this change is updating a ton of trace printfs.

Change-Id: Ief1dd6344fdccbd6da47fb1174961ca080eaf5e8


# c83278ba 24-Jul-2017 George Kulakowski <kulakowski@google.com>

[magenta][userthread] Collapse UserThread and ThreadDispatcher

Change-Id: Ib4ff94acf0f25d08d13073e7f7ce0fea4f943e0c


# 96115257 27-Jun-2017 Andrew Krieger <andrewkrieger@google.com>

[kernel][rng] Add entropy collector test

Add a special build of Magenta that will pause during boot to test
entropy collectors. It gathers approximately 1 Mbit of random data into
a buffer, then proceeds with boot. Later the data will be copied to a
VMO and exposed in the filesystem as /boot/kernel/debug/entropy.bin.

To build the entropy collector test system, set the
ENABLE_ENTROPY_COLLECTOR_TEST preprocessor flag, either by adding
EXTERNAL_DEFINES := ENABLE_ENTROPY_COLLECTOR_TEST=1
to local.mk, or by adding
EXTERNAL_DEFINES=ENABLE_ENTROPY_COLLECTOR_TEST=1
to the call to make.

When ENABLE_ENTROPY_COLLECTOR_TEST is not set, no extra kernel memory is
allocated and no debug file is produced.

Change-Id: I55e6d5bb6323b5434e407b12ca14ddc79fe9237d


# 464f7a4d 11-Jul-2017 Travis Geiselbrecht <travisg@google.com>

[kernel][vm] flip the VmObject::Create() calls to returning an error and taking a ref ptr as an arg

Lets us more easily check errors inside the create function and return the right thing instead
of just MX_ERR_NO_MEMORY

Change-Id: I20f6e9453204a8d0f6ce2eabf735451c8d10d952


# 23775189 05-Jul-2017 Dave Bort <dbort@google.com>

[magenta][channels] Hide the internals of MessagePacket

Will make it easier to switch to using mbuf-style data buffers.

Also, avoid ktracing when sys_channel_write fails.

Change-Id: I5d7f0c2e771e7d3c84c592c1b26f868470f0f6e1


# c1374227 29-Jun-2017 Brian Swetland <swetland@google.com>

[resources] massively simplify resources

Resources now are simple access tokens with a 32bit "kind" and
a 64bit "range". If you have the WRITE right, you can create
a child resource, provided that child is of the same kind and
of a range that fits within the parent's range.

The kernel gives userspace a single "root" resource which may
be used to create any kind of resource.

Change-Id: I4817b7b787386059e02a36ee235723bfb1244934
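
The containment rule stated in this message (and the allocation/validation
split described in the 19-Apr-2018 ResourceDispatcher commit above) boils down
to one check that is easy to get wrong: does a child's [base, base+len) fit
inside the parent's range without the arithmetic wrapping past 2^64? The
following is an added, stand-alone C model written for this page, not Zircon
kernel code. The kind constants, the resource_t struct, the sample parents and
the WRITE-right flag are all hypothetical/constructed for the example. It shows
the naive form of the check beside a hardened one and a child-creation path that
requires the WRITE right.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical resource kinds for this example; Zircon's real names differ. */
enum { RSRC_KIND_ROOT = 0, RSRC_KIND_MMIO = 1, RSRC_KIND_IOPORT = 2, RSRC_KIND_IRQ = 3 };

/* A resource token as the commit describes it: a 32-bit kind and a 64-bit range. */
typedef struct {
    uint32_t kind;
    uint64_t base;
    uint64_t len;
} resource_t;

/* Constructed sample parents used by main() and the checks below. */
static const resource_t kRoot       = { RSRC_KIND_ROOT, 0, 0 };
static const resource_t kMmioParent = { RSRC_KIND_MMIO, 0x1000, 0x1000 };  /* [0x1000, 0x2000) */
static const resource_t kLowMmio    = { RSRC_KIND_MMIO, 0x0000, 0x2000 };  /* [0x0000, 0x2000) */

/* Naive containment check. base + len can wrap around 2^64, so a child that
 * really ends far beyond the parent can appear to end inside it. */
bool resource_fits_naive(const resource_t *parent, uint32_t kind, uint64_t base, uint64_t len) {
    if (parent->kind != kind) return false;
    return base >= parent->base && base + len <= parent->base + parent->len;
}

/* A well-formed, non-empty range whose last address does not wrap. */
static bool range_ok(uint64_t base, uint64_t len) {
    return len != 0 && base <= UINT64_MAX - (len - 1);
}

/* Hardened check: same kind, both ranges well-formed, and the child's first and
 * last addresses both inside the parent. Compares last addresses (base+len-1),
 * which cannot wrap once range_ok() holds. A ROOT parent passes any request,
 * mirroring the "root passes all validation" rule. */
bool resource_fits(const resource_t *parent, uint32_t kind, uint64_t base, uint64_t len) {
    if (parent->kind == RSRC_KIND_ROOT) return true;
    if (parent->kind != kind) return false;
    if (!range_ok(parent->base, parent->len) || !range_ok(base, len)) return false;
    uint64_t child_last  = base + (len - 1);
    uint64_t parent_last = parent->base + (parent->len - 1);
    return base >= parent->base && child_last <= parent_last;
}

/* Child creation: needs the WRITE right on the parent handle (modelled as a
 * flag), a child that fits, and a well-formed child range even under ROOT.
 * A child can never be a new ROOT. Fills *out on success when out != NULL. */
bool resource_create_child(const resource_t *parent, bool has_write_right,
                           uint32_t kind, uint64_t base, uint64_t len, resource_t *out) {
    if (!has_write_right) return false;
    if (kind == RSRC_KIND_ROOT) return false;
    if (!range_ok(base, len)) return false;
    if (!resource_fits(parent, kind, base, len)) return false;
    if (out) { out->kind = kind; out->base = base; out->len = len; }
    return true;
}

int main(void) {
    /* A range wrapping past 2^64: the naive check accepts it, the hardened one rejects it. */
    uint64_t wrap_base = 0xFFFFFFFFFFFFF000ULL, wrap_len = 0x2000;
    printf("naive accepts wrapping child:    %d\n",
           resource_fits_naive(&kLowMmio, RSRC_KIND_MMIO, wrap_base, wrap_len));
    printf("hardened accepts wrapping child: %d\n",
           resource_fits(&kLowMmio, RSRC_KIND_MMIO, wrap_base, wrap_len));

    resource_t child;
    printf("MMIO child [0x1800,0x1c00) created: %d\n",
           resource_create_child(&kMmioParent, true, RSRC_KIND_MMIO, 0x1800, 0x400, &child));
    printf("root creates IOPORT child:          %d\n",
           resource_create_child(&kRoot, true, RSRC_KIND_IOPORT, 0x3F8, 8, &child));
    return 0;
}
```

The point of comparing last addresses rather than end addresses is that
`base + len` is exactly the sum an attacker-chosen `len` can push past 2^64,
whereas `base + (len - 1)` is guaranteed in range once `range_ok()` has passed.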


# 4449da79 20-Jun-2017 Mark Seaborn <mseaborn@google.com>

Remove some unnecessary semicolons

Change-Id: I0ae2824f1aeae1af977a9e213963706d02186bb4


# afa9d2b6 15-Jun-2017 George Kulakowski <kulakowski@google.com>

[kernel][lib] Use the new MX_OK and MX_ERR_* names

Change-Id: I436bb0728838729bef6e20a6db0e8ce6a96b5534


# 9cb0b3cb 09-Jun-2017 Roland McGrath <mcgrathr@google.com>

[kernel][userboot][system][core][userboot] Name remaining VMOs

Make the kernel give the userboot process's initial VMOs (stack
and raw RAM disk) names. Make userboot give its child's initial
stack VMO a name.

Change-Id: I30f87603ce25c30f5aa3e29729c054d38f7d8bfb


# 4d682aee 26-May-2017 Roland McGrath <mcgrathr@google.com>

[kernel][vdso][userboot][devmgr] Machinery for variant vDSOs

This provides machinery to implement multiple variants of the vDSO.
Each variant can blacklist some of the functions so their symbols
are not visible to dynamic linking and their code gets blacked out
so there's no secret jump targets to use.

Because all the variants are just subsets of the full-featured vDSO,
all the code addresses still match across all variants and the
syscall entry enforcement machinery doesn't need to care which
variant is being used.

All the available vDSO VMOs are attached at /boot/vdso/<name>, where
<name> is "full" for the primary vDSO and other names will be used
for variants. Currently, only some test variants are implemented.

Each variant can blacklist one or more category of syscalls. A
category is any attribute name used in syscalls.sysgen. A new
variant is added by adding an element to the VDso::Variant enum and
adding a case for that to VDso::CreateVariant that sets the name
and calls blacklist_<category>_syscalls for each category to be
blacklisted in that variant.

Change-Id: I32e5ee658a903365fff234e22738f7127622ed33


# 1fb8124a 16-May-2017 George Kulakowski <kulakowski@google.com>

[mxcpp][mxalloc] Split mxcpp into mxcpp and mxalloc

mxcpp used to provide three things.

(1) is a very minimal C++ runtime environment. This means essentially
the definition of __cxa_pure_virtual, which is a function the compiler
expects to have ambient. This functionality is necessary for code
written in environments which cannot link the standard library (the
kernel and a handful of initial userspace processes).

(2) is the definitions of the standard new and delete
overloads. Again, these are needed for code that wants to call them
but to not link the standard library, but this time only in userspace
(the kernel does not want certain behavior stemming from the standard
overloads). The behavior is slightly different than the standard ones
in failure cases, but not in a way particularly interesting to the
rest of this email.

(3) is the userspace version of our special AllocChecker new
overloads. This mechanism exists for kernelspace, where allocation
failure is real and needs to be handled. This mechanism works
perfectly well in userspace, in that it compiles, even though the
underlying allocator is unlikely to ever return nullptr. It's
therefore essentially harmless in userspace. A handful of small
libraries are used in both userspace and in the kernel, and also use
this mechanism. Note that this feature is essentially copy-pasted
between the kernel and userspace.

This all works perfectly well for the kernel.

Some userspace code also uses these mechanisms, as mentioned. As long
as the standard library isn't linked, there are again no issues.

But as soon as you want both (3) and std::vector, which is a
reasonable thing to want!, there are issues because (1) and (3) come
in the same static library. This causes link failures due to duplicate
__cxa_pure_virtual symbols. This issue is exacerbated by different
behavior in Linux, OS X, and target linkage, in terms of confusion and
it-works-on-my-machine sort of issues.

This patch splits mxcpp into: mxcpp, containing (1) __cxa_pure_virtual
and (2) only if in userspace, the standard new and delete overloads;
and mxalloc, containing (3) AllocChecker. mxcpp is mutually exclusive
of the standard library. mxalloc can be linked against both code using
the standard library, and against code using mxcpp.

This patch also deduplicates the AllocChecker between userspace and
kernel, and moves the InlineArray class into the kernel (its only
callsites are in the kernel).

Change-Id: Id42d5d019ee977d44d6cb89ce7ab6884f7a56cd1


# a13858d7 08-May-2017 Abdulla Kamar <abdulla@google.com>

[hypervisor] Add e820 to guest_create_bootdata.

Add e820 tables to guest_create_bootdata so that we can describe the
memory map to the guest.

Change-Id: Ifafe50297c549d04fc6050902587076628e5cb99


# c97d939b 08-May-2017 Roland McGrath <mcgrathr@google.com>

[kernel][vm] Track and restrict each process's mapping of the vDSO

Executable mappings from the vDSO VMO are limited to one per process
and must map exactly the whole code segment from the VMO.

NOTE: The "one per process" rule is not actually enforced yet.
It breaks thread-injection-test, which tries to load the vDSO
twice. That will be fixed by later changes.

Change-Id: Id99b567e9381d6e2941dde7851e13a582ef5d331


# c294fabb 24-Apr-2017 Brian Swetland <swetland@google.com>

[processargs] tidy up naming and numbering

This cleans stuff up ahead of the addition of string tables for
the upcoming PA_NS_DIR and PA_NS_REQ types and the eventual
flattening of PA_MXIO_* to a single type, using subtypes for
protocol.

- Align names with current-day usage
- Organize numbering / ordering around subsystem usage
- Reduce "type" field to 8 bits
- Reserve space for "subtype" field
- Use PA_ namespace and shorten a lot of very long names

Change-Id: I5e59f412c3b9bd79d90f921a248a6d98d4b703bc


# 763f4c85 22-Apr-2017 Roland McGrath <mcgrathr@google.com>

[core][userboot] Clean up bootdata-scanning code

Functions do it with more fun.

Change-Id: I3ddbc0cbc4e156570d2c42dafd36323d9ef4a258


# d6ccb8a0 20-Apr-2017 Travis Geiselbrecht <travisg@google.com>

[kernel][vm] split the vm_object.h file into three separate files

No functional change.

Change-Id: I0407497936a716c0fa38417b4ef732774e7ff5fa


# 3ee7f9d4 12-Apr-2017 George Kulakowski <kulakowski@google.com>

[process] Have CreateUserThread return a ThreadDispatcher directly

All existing callers ignored the UserThread and just created a
ThreadDispatcher anyway.

Change-Id: Idf707d24697c39760d5ee406d413575987e5818c


# c96a94fe 02-Mar-2017 Brian Swetland <swetland@google.com>

[kernel] remove last bits of bootfs embedding

Change-Id: Ia0a6a7efcb587c1931f7b9e5b216962e42957a65


# 27eb826d 27-Feb-2017 George Kulakowski <kulakowski@google.com>

[kernel][style] Use nullptr rather than NULL in kernel C++ code

Change-Id: I7feea6a42c00531be28a98c820b2c234484bfe3b


# 227fcab8 27-Feb-2017 Mike Voydanoff <voydanoff@google.com>

[userboot] Fix command line corruption problem

Reserve an extra slot in bootstrap_message handle_info array for
uncompressed bootfs handle. Otherwise we overwrite the first 4 bytes
of the kernel command line.

Change-Id: Ifd8af2440eb250cda990f094c0c5b04ddeb94a8c


# 150e27c6 26-Feb-2017 Brian Swetland <swetland@google.com>

[userboot] cleanup and prep for multi-bootdata world

- enable the system to boot when EMBED_USER_BOOTFS is false
(a valid primary bootfs image must be in the ramdisk in this case)
- kernel passes bootdata containers to userboot as TYPE_BOOTDATA
- userboot passes decompressed bootfs to devmgr as TYPE_BOOTFS
- bootdata/decompress is more general purpose, can decompress
a single bootdata section from a vmo, doesn't depend on userboot's
fail() and print() interfaces

Change-Id: Ibfe0ebdb8000030bd10162967e6687db02d0604d


# b8fe7962 20-Jan-2017 George Kulakowski <kulakowski@google.com>

[handles] Allow MapHandleToValue to use a HandleOwner

This obviates a bunch of needless .get() calls.

Change-Id: Ib3e6df10def8b5b63e97602d0d44f62a6ab5a552


# 82ed65e3 19-Jan-2017 James Robinson <jamesr@google.com>

[magenta] Rename HandleUniquePtr -> HandleOwner and make it safer

This renames HandleUniquePtr to HandleOwner now that it is no longer a
specialization of unique_ptr and also restricts visibility for ~Handle
so that only DeleteHandle can be used to cause a Handle's destruction.

Change-Id: I25556a87a7038ca6fd72b210bff5f4e1ea55a8d0


# 935f944f 12-Jan-2017 Roland McGrath <mcgrathr@google.com>

[kernel][userboot] Use a VMAR for the userboot+vDSO image

Change-Id: I0d3e60e884f8a7a564e762f07e5ca884ab4ebada


# b5c488c1 09-Jan-2017 James Robinson <jamesr@google.com>

[magenta] Remove Dispatch::get_specific() and solidify DownCastDispatcher

get_specific() returned a raw pointer to a reference counted object
which is tricky to use correctly without leaks, as evidenced by the
leak in DownCastDispatcher. With our RefPtr and C++ move semantics
there is no need to escape to raw pointers - it is fine and preferable
to remain in RefPtr<> objects and move when appropriate to avoid
reference counting churn. This implements a non-leaking version of
DownCastDispatcher and transforms calls of the form

mxtl::RefPtr<Dispatcher> dispatcher = ....;
DispatcherSubclass* disp_subclass =
dispatcher.get_specific<DispatcherSubclass>();

(with disp_subclass normally hidden in 'auto') to this:

mxtl::RefPtr<Dispatcher> dispatcher = ....;
mxtl::RefPtr<DispatcherSubclass> disp_subclass =
DownCastDispatcher<DispatcherSubclass>(&dispatcher);

This moves the reference count into the subclass object when the type
check succeeds.

Change-Id: I950a46273bd513d7c178016a7d222ca59669cd9b


# aba56c69 16-Dec-2016 Roland McGrath <mcgrathr@google.com>

[kernel] Make ProcessDispatcher::Create return a VmAddressRegionDispatcher

All (both) callers of ProcessDispatcher::Create immediately set up a
VmAddressRegionDispatcher for the root VMAR, so roll it into Create.

Change-Id: I8f81b9390f1a66f90b3f357107c0b57aab75c572


# 2d1c46fe 15-Nov-2016 Todd Eisenberger <teisenbe@google.com>

[vm] Implement new VM Address Region syscall interface

For compatibility, allow passing a process handle instead of a VMAR
to the vmar_map/unmap/protect calls and add usermode shims that
translate the old syscalls into the new ones.

Change-Id: I9ba29921d45f47d0d068e46e113dac1d139fce52


# 2675ae30 18-Nov-2016 George Kulakowski <kulakowski@google.com>

[userboot] Move UserThread into ThreadDispatcher

Change-Id: I3f7c7fa4dfee11f28f88d17c7cb20178eefa076f


# 317cffbb 14-Nov-2016 Brian Swetland <swetland@google.com>

[kernel][resources] wire up get-children and get-records

Change-Id: I523f05b4549897a573745d2d1c8a913c98660c3b


# 3a0c8d42 14-Nov-2016 Mark Seaborn <mseaborn@google.com>

[kernel] Fix race between AddThread() and Kill()/Exit()

AddThread() checks state_ and refuses to add a thread if the process
is DYING or DEAD. However, before this change, it doesn't claim
state_lock_, so that check is ineffective: it can race with
terminating the process (via SetState()), which sets state_. As a
result, a thread can get added after process termination has been
started. If that happens, it's possible that process termination will
never complete.

The obvious fix is to claim state_lock_ in AddThread(). That doesn't
work by itself, because there are two routes through which AddThread()
is called:

1) Starting a process's initial thread:
sys_process_start()
-> ProcessDispatcher::Start()
-> UserThread::Start()
-> ProcessDispatcher::AddThread()

ProcessDispatcher::Start() claims state_lock_, so AddThread()
can't claim it too.

2) Starting subsequent threads:
sys_thread_start()
-> UserThread::Start()
-> ProcessDispatcher::AddThread()

This change resolves that by removing ProcessDispatcher::Start() and
moving its functionality into AddThread(). This makes
sys_process_start() and sys_thread_start() more uniform because both
now call UserThread::Start().

MG-355

Change-Id: I2ad5a61d1c56268171e1389dd23126f5c62aa8b3


# 28b32d15 17-Oct-2016 Brian Swetland <swetland@google.com>

[magenta][syscalls] Resource Objects (part 2 of n)

- make resource objects a bit more real
- resource objects have children
- resource syscalls can create/interact with them
- resource objects have components
- start sketching out components
- require name/subtype on creation
- require self rrec on creation from userspace

Change-Id: I7b2ee51edae64839b1137b8d8b9f0ee598ee5596


# 8d68ea49 10-Nov-2016 Carlos Pizano <cpu@google.com>

[kernel][system] Wire job to process

Now process_create takes as first param the job handle.

We don't yet do much with it except print it in `mx ps`.

Change-Id: Id1b8dd1e6a3d2f1fa35a5d5e3ef2a70c98428ece


# f2bfd67b 09-Nov-2016 Roland McGrath <mcgrathr@google.com>

[kernel][userboot] Factor vDSO and userboot image handling out of userboot.cpp

This cleans things up to have some more modularity.

Change-Id: I876a504a588f4d5419d4ce4a10abc7d6f07c980f


# 12be81b3 31-Oct-2016 Travis Geiselbrecht <travisg@google.com>

[kernel][vm] refactor VMOs into a base vmo class, a paged version, and a physical memory version

Can now create vmos that represent physical memory and map them.
Physical VMOs are not resizeable or read/writable, but can be mapped and shared
just like regular VMOs.

Not exposed to syscall layer yet.

Change-Id: I48ca4dd9e75392323b3a7b09833030338ad168b0


# 823fdb1e 31-Oct-2016 Roland McGrath <mcgrathr@google.com>

[kernel][userboot] Tighten up code

Prepare the bootstrap message directly in the MessagePacket object,
avoiding a copy. Use RefPtrs for all input parameters at function
boundaries and in a few more places.

Change-Id: I8d39e1334d1b30ce6f7206e6e06fb8935c637cbf


# f627c530 28-Oct-2016 George Kulakowski <kulakowski@google.com>

[magenta] More msgpipe => channel conversion

Change-Id: I16a4d0879251b5b32b0a01e9658d74da0725d4d6


# 739e0042 30-Sep-2016 Viet-Trung Luu <vtl@google.com>

[magenta][syscalls][userboot] Add MessagePacket::Create().

For now, add no optimizations -- this is just a reorganization of logic
for future improvements.

Also, I'm not very satisfied with MessagePacket's Handle ownership model
(but it wasn't very satisfactory before either).

Change-Id: I5c259140701d221f681e745f0a1a8ecece96830b


# 22d7a167 30-Sep-2016 Viet-Trung Luu <vtl@google.com>

[magenta][syscalls][userboot] Make MessagePipeDispatcher::Write() take a MessagePacket.

This is so we'll be able to make allocation/creation of MessagePackets
smarter.

Note: That we duplicate some code in userboot.cpp is temporary
messiness. Eventually, much of this will be part of a unified
MessagePacket::Create() (or something like that).

Change-Id: I77332ada93dfbb576dafe328b400010e37e9f9af


# 390d07ba 14-Oct-2016 Carlos Pizano <cpu@google.com>

[kernel][magenta] Give ports some TLC

1- move port syscalls to their own file
2- rename the files to drop the io_ part
3- rename class to drop the IO part

Some other files are touched because they
had missing includes, uncovered by doing
the above.

Change-Id: I7195c8c5d4f4d84e1f9d533b1e222f19c0c9cace


# 79f9187c 13-Oct-2016 Carlos Pizano <cpu@google.com>

[kernel][magenta] Job objects (part 2)

In this installment we 'thread' the root job which is held in a
global into the userboot process, which has a handle to it.

The userboot sends the job object to the device manager which
then creates a child job object, which is not used at the moment.

The change includes a syscall to create a job object which only
devmanager can call since it's the only one that gets passed a
job object.

The `mx ps` should show a total of two job objects now, like this:

[00017.656] K id-s #t #h: #jb #pr #th #vm #mp #ev #ip #dp [name]
[00017.656] K 270-R 6 104: 2 1 6 4 84 0 3 0 [bin/devmgr]

Change-Id: If406588228e8b9dce641975add5194d7cfdc33b1


# da415e67 10-Oct-2016 Roland McGrath <mcgrathr@google.com>

[kernel][userboot] New VmObject::CreateFromROData static method

This moves the code to create a VMO and populate it from kernel
RO-data pages into a static method on class VmObject. The
knowledge of the VM layer's limitation about reusing pages from
the kernel image mapping is moved into this VmObject method,
rather than being implicit in the userboot code.

Change-Id: I6dce9b4e72afde7c530f309a79b8c5db5702a68e


# 4f9ee8c6 10-Sep-2016 Travis Geiselbrecht <travisg@google.com>

[system][vmo] add MAP right, test mappings against READ/WRITE/EXECUTE/MAP

Change-Id: Ifc9e7502eb5f3cb86c0b03240008a0e3e95babeb


# f7b7a23d 01-Sep-2016 Roland McGrath <mcgrathr@google.com>

[kernel][magenta] Use new GetDispatcher pattern for ThreadDispatcher

Change-Id: I08fae8b8994bcbcc11f13f42185b7736f35f60d2


# f6e9dfb9 01-Sep-2016 Carlos Pizano <cpu@google.com>

[kernel][magenta] redo RTTI scheme

The previous scheme was not very amenable to simplifying
callsites since the name of the downcast-to was weakly encoded
in the downcast function.

In addition this creates N * (N-1) empty vtable entries with
N being the number of derived classes. currently about 240

Change-Id: I55fcd7059a4d8b99771f922a472778804b4502f1


# accddb9a 31-Aug-2016 Roland McGrath <mcgrathr@google.com>

[runtime][launchpad][userboot] Consolidate stack size computations

This moves the code that knows the ABI requirements for the
stack pointer, and the default user thread stack size, into
a common place shared by all places that need to know this,
both in kernel and in user mode.

It enforces the ABI-required alignment, rather than assuming that all
stacks are allocated page-aligned. The stacks for additional user
threads created by musl sometimes put the TLS data above the stack.

Change-Id: I606aa10925760a0a3974fd1546e48ca3830f7cd6


# 1af68523 27-Aug-2016 Roland McGrath <mcgrathr@google.com>

[kernel][userboot] Use ProcessDispatcher methods to map memory

Go through the ProcessDispatcher as if doing process_vm_map system
calls, so the userboot module doesn't need to know all the
implementation details.

Change-Id: Iefa9f77678d67afa038844f80e0a2887decd46be


# fb48a3bf 26-Aug-2016 John Grossman <johngro@google.com>

[utils][mxtl] Rename utils:: --> mxtl::

Rename the old kernel utils:: namespace to mxtl:: (magenta
template-library)

Change-Id: I7f07296faedc270c14eebe4bc537e2a4d9bfc41b


# 451f29f6 26-Aug-2016 Roland McGrath <mcgrathr@google.com>

[userboot] Make userboot exit when it's done

The initial user process doesn't need to stick around once it has loaded
the first "real" user process, except for userboot.shutdown mode.

Change-Id: I1e81eed5456c4915247093d76a34ffdc162b71df


# 4c64520f 26-Aug-2016 Travis Geiselbrecht <travisg@google.com>

[kernel][userboot] hold refs for the system vmos constructed from existing pages

This avoids a situation where one of these vmos is closed from user space and
the pages are freed out from the middle of the kernel. That shouldn't be a problem,
except it blows up on the arm architectures due to the way the kernel is mapped.

Added TODO to fix once we get the arm kernels moved out of the Big Memory Map.

Change-Id: I10f6bebdb17db4ad72b4cdfed46e13e97bdf3685


# bc324f46 26-Aug-2016 Carlos Pizano <cpu@google.com>

[kernel][magenta] Rename message pipe files

The "msg" was the odd one out in the magenta naming of files.

Change-Id: Ia8ec532fb253fc35d51ac8565a96a6ce9a67550b


# 9e769b90 25-Aug-2016 Travis Geiselbrecht <travisg@google.com>

[kernel][userboot] directly populate the kernel generated fixed VMOs from kernel pages

Instead of making a copy, populate the VMOs for bootfs, vdso, and userboot binary from the
underlying pages in the kernel. Avoids a copy of all the pages.

Change-Id: I457cf4d2c53ccee61836c2aa216621d21015ea39


# 25ed7d9d 24-Aug-2016 Roland McGrath <mcgrathr@google.com>

[kernel] Second user argument for process start

The process_start syscall gets a second, plain integer, argument
to pass to the initial thread's start function. This is used to
pass down the vDSO mapping address. This is the last
prerequisite for actually making the vDSO real.

Change-Id: Id5a68f98658b499faa024bdb202a55241d98067d


# bea41c57 01-Aug-2016 Travis Geiselbrecht <travisg@google.com>

[kernel][magenta] switch thread/process creation syscalls to a two phase api

- In both thread and process creation APIs, require user space to create the
object first, then start it with additional args
- For threads, stack allocation is also moved to user space
- Wire up the process/thread handles to be transferred through to new processes

Change-Id: I43d447c86af1ab3199d8dcf29ff4fe3a384b6e65


# e2ef24cc 23-Aug-2016 Brian Swetland <swetland@google.com>

[magenta][userboot] pass a resource root handle to userboot and beyond

Change-Id: I3624dc90fcb0d91bda131e1e1c70cbeb2384bc82


# 7ebaaef8 16-Aug-2016 Todd Eisenberger <teisenbe@google.com>

[kernel][vmm] Change VMM page permission polarity

This makes all page permissions explicit and with positive
polarity. Previously, specifying no flags would give you
RWX permissions, and you'd need to pass RO to drop the write
permission and NO_EXECUTE to drop the execute permission.

This model more closely matches the one we wish to expose to usermode,
and is less tied to the MMU flags of the arm/x86 implementations. It
should also make it easier to talk about "mapping" regions with no
permissions in order to reserve parts of an aspace.

Change-Id: I20d99298888155f904fa2d1ae4fee7a72bce3f98


# 92111f7a 15-Aug-2016 Roland McGrath <mcgrathr@google.com>

[kernel] [userboot] Allocate user stack and pass down VMO handle

This is in preparation for the new process/thread start model.

Change-Id: Id46de3adfe45d5e470840c73862b8cf242c1ae3e


# 7c564c02 06-Aug-2016 Roland McGrath <mcgrathr@google.com>

[kernel] [uapp] [userboot] Compensate for nm's lies about Thumb addresses

This makes the entry point address extracted for userboot work as a
Thumb-mode branch target, which covers what the compilers do on ARM
today. To fix this more cleanly we might need to make the scripts use
readelf or something else that does not molest symbol values in ARM
binaries. The vDSO entry points don't need adjustment because they
happen to be all ARM-mode code.

Change-Id: If6e3984f95e363a53704a80442a9ee602f60024b


# 437a2643 04-Aug-2016 Roland McGrath <mcgrathr@google.com>

[kernel] [userboot] Implement vDSO and new userboot scheme

libmagenta.so is now the vDSO, magically embedded in the kernel
and provided to userland as a read-only VMO at boot time.

The old statically linked userboot program is replaced by a new
userboot that is a pure read-only/reentrant DSO with a simplified
layout (like the vDSO). The kernel loads this and the vDSO with
simple hard-wired code, eliminating the need for a full ELF loader
in the kernel. The userboot image is embedded directly into the
kernel like the vDSO image, also eliminating the need for any
handling of the bootfs format in the kernel.

The kernel starts userboot with a message pipe handle as its
argument after writing a bootstrap message to the pipe. This
message has the standard mx_proc_args_t format, using the kernel
command line as environment strings, and handles to the vDSO VMO and
the bootfs VMO.

userboot reads the bootfs to find the first real user program to
run. It has a full ELF loader including PT_INTERP support, so this
program can use the dynamic linker, which is also the shared
libc.so; userboot does not implement the "loader service", so there
is no means to load other shared libraries from the bootfs and the
program must statically link in everything but libc itself.

userboot interprets the kernel command line for its own options
(so far just the "userboot=filename" option to change the default of
what to run next from "bin/devmgr"). It then passes on the
bootstrap message containing the kernel command line as the
environment strings and the VMO handles from the kernel, so the
startup of the first program is just like any other normal userland
program's startup and it can access (and propagate) the kernel
command line via its environment.

Change-Id: I7f11ee84aaf585de6544731b722a420c616a2a26


# c74192d8 22-Jul-2016 Carlos Pizano <cpu@google.com>

[kernel][magenta] Remove ProcessDispatcher (part 2)

This is a mechanical rename. See CL 4407 for the first part.

Change-Id: I02a3f1df3537dc9618ec3cdf64ddd064a89300b6


# 5fd566a6 22-Jul-2016 Carlos Pizano <cpu@google.com>

[kernel][magenta] Remove ProcessDispatcher (part 1)

We now have UserProcess doing its job; it is not adding any value.

In the next CL I'll rename UserProcess. Not done here to keep
the CL to its core.

Change-Id: Iebb4a6eea6ade69bb8b88e89c3640adbe013daf1


# 798ba99c 17-Jul-2016 Brian Swetland <swetland@google.com>

[magenta] pass kernel commandline to userspace

The "userboot" option can override what process is started second
in userspace.

The run-magenta script now has a -c option to add command line options
for the kernel.

Change-Id: Ibef0173d0900bdaec82ea9ff6df25995c626cf68


# f2819685 29-Jun-2016 Travis Geiselbrecht <travisg@google.com>

[kernel][magenta] add ref counting to process/thread objects, wire in kill semantics

Processes and threads are now fully ref counted, and using newly added kernel kill
feature, will be cleaned up properly when the last ref goes away, or when a process
enters the dead state.

Limitations (to be addressed in subsequent commits):
- Threads may leak in a specific case where the last ref of the thread is dropped inside
the exit path of the thread itself. Will need to be solved with a worker thread.
- Process and thread kill are not wired to syscall layer yet.
- Process and thread kill reason are not tracked yet.
- Main thread of a process is still 'special' and will need to be made un-special as
the user space syscall api is modified to reflect these changes.

Change-Id: Id1311af49ec8f5f4a1001b986bb0c9b0fcc7a485


# c42a2372 24-Jun-2016 Brian Swetland <swetland@google.com>

[pc][userboot][devmgr] arrange for ramdisk to be appended to bootfs

A second bootfs (in addition to the compiled-in one) may be
passed through the zeropage ramdisk/initrd mechanism. It
will be appended to the built-in bootfs and devmgr will
import it into the /boot filesystem as well.

Change-Id: If4295570e00075df390a2ca75afaac3afc22bffd


# 3edc247e 19-Jun-2016 Travis Geiselbrecht <travisg@google.com>

[kernel] move the userboot payload into a read only segment

Needed to fix some assembly code in arm64 that couldn't handle the additional
gap in the binary between .text and .data because of this.

Change-Id: Iea875fe1efd496ceca7836a515736d2c0e413051


# 53b9e1c8 15-Jun-2016 The Fuchsia Authors <authors@fuchsia.local>

[magenta] Initial commit