[Zion] Use the glacier ArrayView class for sending IPC msgs.

lib/glacier/container/array.h

@@ -0,0 +1,59 @@
+#pragma once
+
+#include <stdint.h>
+
+#include "glacier/container/array_view.h"
+
+namespace glcr {
+
+template <typename T>
+class Array {
+ public:
+  Array() : data_(nullptr), size_(0) {}
+
+  explicit Array(uint64_t size) : data_(new T[size]), size_(size) {}
+
+  Array(const ArrayView<T> view) : Array(view.size()) {
+    for (uint64_t i = 0; i < size_; i++) {
+      data_[i] = view[i];
+    }
+  }
+
+  Array(const Array&) = delete;
+
+  Array(Array&& other) : data_(other.data), size_(other.size_) {
+    other.data_ = nullptr;
+    other.size_ = 0;
+  }
+
+  Array& operator=(Array&& other) {
+    if (data_) {
+      delete[] data_;
+    }
+    data_ = other.data_;
+    size_ = other.size_;
+    other.data_ = nullptr;
+    other.size_ = 0;
+    return *this;
+  }
+
+  ~Array() {
+    if (data_) {
+      delete[] data_;
+    }
+  }
+
+  T* RawPtr() { return data_; }
+  const T* RawPtr() const { return data_; }
+
+  uint64_t size() const { return size_; }
+
+  T& operator[](uint64_t index) { return data_[index]; }
+  const T& operator[](uint64_t index) const { return data_[index]; }
+
+ private:
+  T* data_;
+  uint64_t size_;
+};
+
+}  // namespace glcr

lib/glacier/container/array_view.h

@@ -0,0 +1,27 @@
+#pragma once
+
+#include <stdint.h>
+
+namespace glcr {
+
+template <typename T>
+class ArrayView {
+ public:
+  ArrayView() : data_(nullptr), size_(0) {}
+  ArrayView(const ArrayView&) = default;
+  ArrayView(T* data, uint64_t size) : data_(data), size_(size) {}
+
+  T* RawPtr() { return data_; }
+  const T* RawPtr() const { return data_; }
+
+  uint64_t size() const { return size_; }
+
+  T& operator[](uint64_t index) { return data_[index]; }
+  const T& operator[](uint64_t index) const { return data_[index]; }
+
+ private:
+  T* data_;
+  uint64_t size_;
+};
+
+}  // namespace glcr

lib/glacier/status/error_or.h

@@ -11,8 +11,11 @@ class ErrorOr {
   ErrorOr() = delete;
   ErrorOr(const ErrorOr&) = delete;
   ErrorOr(ErrorOr&&) = delete;
-  // FIXME: Do we have to call ~T manually here.
-  ~ErrorOr() {}
+  ~ErrorOr() {
+    if (ok_) {
+      obj_.~T();
+    }
+  }
 
   ErrorOr(ErrorCode code) : error_(code), ok_(false) {}
   ErrorOr(const T& obj) : obj_(obj), ok_(true) {}

lib/mammoth/src/endpoint_server.cpp

@@ -9,8 +9,7 @@ void EndpointServerThreadBootstrap(void* endpoint_server) {
 
 glcr::ErrorOr<glcr::UniquePtr<EndpointClient>> EndpointServer::CreateClient() {
   uint64_t client_cap;
-  // FIXME: Restrict permissions to send-only here.
-  RET_ERR(ZCapDuplicate(endpoint_cap_, &client_cap));
+  RET_ERR(ZCapDuplicate(endpoint_cap_, ~(kZionPerm_Read), &client_cap));
   return EndpointClient::AdoptEndpoint(client_cap);
 }
 

lib/mammoth/src/port_server.cpp

@@ -13,9 +13,8 @@ PortServer PortServer::AdoptCap(z_cap_t cap) { return PortServer(cap); }
 PortServer::PortServer(z_cap_t port_cap) : port_cap_(port_cap) {}
 
 glcr::ErrorOr<PortClient> PortServer::CreateClient() {
-  // FIXME: Restrict permissions.
   z_cap_t new_port;
-  RET_ERR(ZCapDuplicate(port_cap_, &new_port));
+  RET_ERR(ZCapDuplicate(port_cap_, ~(kZionPerm_Read), &new_port));
   return PortClient::AdoptPort(new_port);
 }
 

sys/denali/lib/denali/denali.yunq.server.cpp

@@ -31,8 +31,7 @@ void DenaliServerBaseThreadBootstrap(void* server_base) {
 
 glcr::ErrorOr<DenaliClient> DenaliServerBase::CreateClient() {
   uint64_t client_cap;
-  // FIXME: Restrict permissions to send-only here.
-  RET_ERR(ZCapDuplicate(endpoint_, &client_cap));
+  RET_ERR(ZCapDuplicate(endpoint_, ~(kZionPerm_Read), &client_cap));
   return DenaliClient(client_cap);
 }
 

sys/victoriafalls/lib/victoriafalls/victoriafalls.yunq.server.cpp

@@ -31,8 +31,7 @@ void VFSServerBaseThreadBootstrap(void* server_base) {
 
 glcr::ErrorOr<VFSClient> VFSServerBase::CreateClient() {
   uint64_t client_cap;
-  // FIXME: Restrict permissions to send-only here.
-  RET_ERR(ZCapDuplicate(endpoint_, &client_cap));
+  RET_ERR(ZCapDuplicate(endpoint_, ~(kZionPerm_Read), &client_cap));
   return VFSClient(client_cap);
 }
 

sys/yellowstone/lib/yellowstone/yellowstone.yunq.server.cpp

@@ -31,8 +31,7 @@ void YellowstoneServerBaseThreadBootstrap(void* server_base) {
 
 glcr::ErrorOr<YellowstoneClient> YellowstoneServerBase::CreateClient() {
   uint64_t client_cap;
-  // FIXME: Restrict permissions to send-only here.
-  RET_ERR(ZCapDuplicate(endpoint_, &client_cap));
+  RET_ERR(ZCapDuplicate(endpoint_, ~(kZionPerm_Read), &client_cap));
   return YellowstoneClient(client_cap);
 }
 

sys/yellowstone/yellowstone_server.cpp

@@ -60,7 +60,7 @@ glcr::ErrorCode YellowstoneServer::HandleGetAhciInfo(const Empty&,
 glcr::ErrorCode YellowstoneServer::HandleGetDenali(const Empty&,
                                                    DenaliInfo& info) {
   z_cap_t new_denali;
-  check(ZCapDuplicate(denali_cap_, &new_denali));
+  check(ZCapDuplicate(denali_cap_, kZionPerm_All, &new_denali));
   info.set_denali_endpoint(new_denali);
   info.set_device_id(device_id_);
   info.set_lba_offset(lba_offset_);

yunq/server.cpp.jinja

@@ -31,8 +31,7 @@ void {{interface.name}}ServerBaseThreadBootstrap(void* server_base) {
 
 glcr::ErrorOr<{{interface.name}}Client> {{interface.name}}ServerBase::CreateClient() {
   uint64_t client_cap;
-  // FIXME: Restrict permissions to send-only here.
-  RET_ERR(ZCapDuplicate(endpoint_, &client_cap));
+  RET_ERR(ZCapDuplicate(endpoint_, ~(kZionPerm_Read), &client_cap));
   return {{interface.name}}Client(client_cap);
 }
 

zion/include/zcall.h

@@ -55,7 +55,7 @@ SYS5(ReplyPortSend, z_cap_t, reply_port_cap, uint64_t, num_bytes, const void*,
 SYS5(ReplyPortRecv, z_cap_t, reply_port_cap, uint64_t*, num_bytes, void*, data,
      uint64_t*, num_caps, z_cap_t*, caps);
 
-SYS2(CapDuplicate, z_cap_t, cap_in, z_cap_t*, cap_out);
+SYS3(CapDuplicate, z_cap_t, cap_in, z_perm_t, perm_mask, z_cap_t*, cap_out);
 
 SYS1(MutexCreate, z_cap_t*, mutex_cap);
 SYS1(MutexLock, z_cap_t, mutex_cap);

zion/include/ztypes.h

@@ -67,6 +67,7 @@ const uint64_t kZionDebug = 0x1'0000;
  * ------------------------------*/
 
 typedef uint64_t z_cap_t;
+typedef uint64_t z_perm_t;
 
 const uint64_t kZionInvalidCapability = 0x0;
 
@@ -87,6 +88,9 @@ const uint64_t kZionPerm_SpawnThread = 0x200;
 const uint64_t kZionPerm_Lock = 0x100;
 const uint64_t kZionPerm_Release = 0x200;
 
+const z_perm_t kZionPerm_None = 0;
+const z_perm_t kZionPerm_All = -1;
+
 /* ------------------------------
  * Process Init Types
  *

zion/interrupt/interrupt.cpp

@@ -153,7 +153,7 @@ glcr::RefPtr<Port> pci1_port;
 extern "C" void isr_pci1();
 extern "C" void interrupt_pci1(InterruptFrame*) {
   dbgln("Interrupt PCI line 1");
-  pci1_port->Send(0, nullptr, 0, nullptr);
+  pci1_port->Send({}, {});
   gApic->SignalEOI();
 }
 

zion/lib/message_queue.cpp

@@ -3,30 +3,24 @@
 #include "debug/debug.h"
 #include "scheduler/scheduler.h"
 
-glcr::ErrorCode UnboundedMessageQueue::PushBack(uint64_t num_bytes,
-                                                const void* bytes,
-                                                uint64_t num_caps,
-                                                const z_cap_t* caps,
-                                                z_cap_t reply_cap) {
-  if (num_bytes > 0x1000) {
-    dbgln("Large message size unimplemented: %x", num_bytes);
+glcr::ErrorCode UnboundedMessageQueue::PushBack(
+    const glcr::ArrayView<uint8_t>& message,
+    const glcr::ArrayView<z_cap_t>& caps, z_cap_t reply_cap) {
+  if (message.size() > 0x1000) {
+    dbgln("Large message size unimplemented: %x", message.size());
     return glcr::UNIMPLEMENTED;
   }
 
-  auto message = glcr::MakeShared<Message>();
-  message->num_bytes = num_bytes;
-  message->bytes = new uint8_t[num_bytes];
-  for (uint64_t i = 0; i < num_bytes; i++) {
-    message->bytes[i] = static_cast<const uint8_t*>(bytes)[i];
-  }
+  auto msg_struct = glcr::MakeShared<Message>();
+  msg_struct->message = glcr::Array<uint8_t>(message);
 
   if (reply_cap != kZionInvalidCapability) {
     // FIXME: We're just trusting that capability has the correct permissions.
-    message->reply_cap =
+    msg_struct->reply_cap =
         gScheduler->CurrentProcess().ReleaseCapability(reply_cap);
   }
 
-  for (uint64_t i = 0; i < num_caps; i++) {
+  for (uint64_t i = 0; i < caps.size(); i++) {
     // FIXME: This would feel safer closer to the relevant syscall.
     // FIXME: Race conditions on get->check->release here. Would be better to
     // have that as a single call on the process. (This pattern repeats other
@@ -39,11 +33,11 @@ glcr::ErrorCode UnboundedMessageQueue::PushBack(uint64_t num_bytes,
       return glcr::CAP_PERMISSION_DENIED;
     }
     cap = gScheduler->CurrentProcess().ReleaseCapability(caps[i]);
-    message->caps.PushBack(cap);
+    msg_struct->caps.PushBack(cap);
   }
 
   MutexHolder h(mutex_);
-  pending_messages_.PushBack(message);
+  pending_messages_.PushBack(msg_struct);
 
   if (blocked_threads_.size() > 0) {
     auto thread = blocked_threads_.PopFront();
@@ -70,7 +64,7 @@ glcr::ErrorCode UnboundedMessageQueue::PopFront(uint64_t* num_bytes,
 
   MutexHolder lock(mutex_);
   auto next_msg = pending_messages_.PeekFront();
-  if (next_msg->num_bytes > *num_bytes) {
+  if (next_msg->message.size() > *num_bytes) {
     return glcr::BUFFER_SIZE;
   }
   if (next_msg->caps.size() > *num_caps) {
@@ -79,10 +73,10 @@ glcr::ErrorCode UnboundedMessageQueue::PopFront(uint64_t* num_bytes,
 
   next_msg = pending_messages_.PopFront();
 
-  *num_bytes = next_msg->num_bytes;
+  *num_bytes = next_msg->message.size();
 
   for (uint64_t i = 0; i < *num_bytes; i++) {
-    static_cast<uint8_t*>(bytes)[i] = next_msg->bytes[i];
+    static_cast<uint8_t*>(bytes)[i] = next_msg->message[i];
   }
 
   auto& proc = gScheduler->CurrentProcess();
@@ -105,40 +99,32 @@ void UnboundedMessageQueue::WriteKernel(uint64_t init,
                                         glcr::RefPtr<Capability> cap) {
   // FIXME: Add synchronization here in case it is ever used outside of init.
   auto msg = glcr::MakeShared<Message>();
-  msg->bytes = new uint8_t[8];
-  msg->num_bytes = sizeof(init);
+  msg->message = glcr::Array<uint8_t>(sizeof(init));
 
   uint8_t* data = reinterpret_cast<uint8_t*>(&init);
   for (uint8_t i = 0; i < sizeof(init); i++) {
-    msg->bytes[i] = data[i];
+    msg->message[i] = data[i];
   }
   msg->caps.PushBack(cap);
 
   pending_messages_.PushBack(msg);
 }
 
-glcr::ErrorCode SingleMessageQueue::PushBack(uint64_t num_bytes,
-                                             const void* bytes,
-                                             uint64_t num_caps,
-                                             const z_cap_t* caps,
-                                             z_cap_t reply_port) {
+glcr::ErrorCode SingleMessageQueue::PushBack(
+    const glcr::ArrayView<uint8_t>& message,
+    const glcr::ArrayView<z_cap_t>& caps, z_cap_t reply_port) {
   MutexHolder h(mutex_);
   if (has_written_) {
     return glcr::FAILED_PRECONDITION;
   }
-  num_bytes_ = num_bytes;
-  bytes_ = new uint8_t[num_bytes];
-
-  for (uint64_t i = 0; i < num_bytes; i++) {
-    bytes_[i] = reinterpret_cast<const uint8_t*>(bytes)[i];
-  }
+  message_ = message;
 
   if (reply_port != kZionInvalidCapability) {
     dbgln("Sent a reply port to a single message queue");
     return glcr::INTERNAL;
   }
 
-  for (uint64_t i = 0; i < num_caps; i++) {
+  for (uint64_t i = 0; i < caps.size(); i++) {
     // FIXME: This would feel safer closer to the relevant syscall.
     auto cap = gScheduler->CurrentProcess().GetCapability(caps[i]);
     if (!cap) {
@@ -181,16 +167,16 @@ glcr::ErrorCode SingleMessageQueue::PopFront(uint64_t* num_bytes, void* bytes,
     return glcr::FAILED_PRECONDITION;
   }
 
-  if (num_bytes_ > *num_bytes) {
+  if (message_.size() > *num_bytes) {
     return glcr::BUFFER_SIZE;
   }
   if (caps_.size() > *num_caps) {
     return glcr::BUFFER_SIZE;
   }
 
-  *num_bytes = num_bytes_;
-  for (uint64_t i = 0; i < num_bytes_; i++) {
-    reinterpret_cast<uint8_t*>(bytes)[i] = bytes_[i];
+  *num_bytes = message_.size();
+  for (uint64_t i = 0; i < message_.size(); i++) {
+    reinterpret_cast<uint8_t*>(bytes)[i] = message_[i];
   }
 
   if (reply_port != nullptr) {

zion/lib/message_queue.h

@@ -1,5 +1,7 @@
 #pragma once
 
+#include <glacier/container/array.h>
+#include <glacier/container/array_view.h>
 #include <glacier/container/intrusive_list.h>
 #include <glacier/container/linked_list.h>
 #include <glacier/memory/ref_ptr.h>
@@ -14,12 +16,12 @@ class MessageQueue {
  public:
   virtual ~MessageQueue() {}
 
-  virtual glcr::ErrorCode PushBack(uint64_t num_bytes, const void* bytes,
-                                   uint64_t num_caps, const z_cap_t* caps,
-                                   z_cap_t reply_cap = 0) = 0;
+  virtual glcr::ErrorCode PushBack(const glcr::ArrayView<uint8_t>& message,
+                                   const glcr::ArrayView<z_cap_t>& caps,
+                                   z_cap_t reply_cap) = 0;
   virtual glcr::ErrorCode PopFront(uint64_t* num_bytes, void* bytes,
                                    uint64_t* num_caps, z_cap_t* caps,
-                                   z_cap_t* reply_cap = nullptr) = 0;
+                                   z_cap_t* reply_cap) = 0;
   virtual bool empty() = 0;
 
  protected:
@@ -36,8 +38,8 @@ class UnboundedMessageQueue : public MessageQueue {
   UnboundedMessageQueue& operator=(const UnboundedMessageQueue&) = delete;
   virtual ~UnboundedMessageQueue() override {}
 
-  glcr::ErrorCode PushBack(uint64_t num_bytes, const void* bytes,
-                           uint64_t num_caps, const z_cap_t* caps,
+  glcr::ErrorCode PushBack(const glcr::ArrayView<uint8_t>& message,
+                           const glcr::ArrayView<z_cap_t>& caps,
                            z_cap_t reply_cap) override;
   glcr::ErrorCode PopFront(uint64_t* num_bytes, void* bytes, uint64_t* num_caps,
                            z_cap_t* caps, z_cap_t* reply_cap) override;
@@ -51,8 +53,7 @@ class UnboundedMessageQueue : public MessageQueue {
 
  private:
   struct Message {
-    uint64_t num_bytes;
-    uint8_t* bytes;
+    glcr::Array<uint8_t> message;
 
     glcr::LinkedList<glcr::RefPtr<Capability>> caps;
     glcr::RefPtr<Capability> reply_cap;
@@ -68,8 +69,8 @@ class SingleMessageQueue : public MessageQueue {
   SingleMessageQueue(SingleMessageQueue&&) = delete;
   virtual ~SingleMessageQueue() override {}
 
-  glcr::ErrorCode PushBack(uint64_t num_bytes, const void* bytes,
-                           uint64_t num_caps, const z_cap_t* caps,
+  glcr::ErrorCode PushBack(const glcr::ArrayView<uint8_t>& message,
+                           const glcr::ArrayView<z_cap_t>& caps,
                            z_cap_t reply_cap) override;
   glcr::ErrorCode PopFront(uint64_t* num_bytes, void* bytes, uint64_t* num_caps,
                            z_cap_t* caps, z_cap_t* reply_cap) override;
@@ -82,7 +83,6 @@ class SingleMessageQueue : public MessageQueue {
  private:
   bool has_written_ = false;
   bool has_read_ = false;
-  uint64_t num_bytes_;
-  uint8_t* bytes_;
+  glcr::Array<uint8_t> message_;
   glcr::LinkedList<glcr::RefPtr<Capability>> caps_;
 };

zion/object/endpoint.cpp

@@ -5,18 +5,3 @@
 glcr::RefPtr<Endpoint> Endpoint::Create() {
   return glcr::AdoptPtr(new Endpoint);
 }
-
-glcr::ErrorCode Endpoint::Send(uint64_t num_bytes, const void* data,
-                               uint64_t num_caps, const z_cap_t* caps,
-                               z_cap_t reply_port_cap) {
-  auto& message_queue = GetSendMessageQueue();
-  return message_queue.PushBack(num_bytes, data, num_caps, caps,
-                                reply_port_cap);
-}
-glcr::ErrorCode Endpoint::Recv(uint64_t* num_bytes, void* data,
-                               uint64_t* num_caps, z_cap_t* caps,
-                               z_cap_t* reply_port_cap) {
-  auto& message_queue = GetRecvMessageQueue();
-  return message_queue.PopFront(num_bytes, data, num_caps, caps,
-                                reply_port_cap);
-}

zion/object/endpoint.h

@@ -26,12 +26,6 @@ class Endpoint : public IpcObject {
 
   static glcr::RefPtr<Endpoint> Create();
 
-  // FIXME: These are hacky "almost" overrides that could lead to bugs.
-  glcr::ErrorCode Send(uint64_t num_bytes, const void* data, uint64_t num_caps,
-                       const z_cap_t* caps, z_cap_t reply_port_cap);
-  glcr::ErrorCode Recv(uint64_t* num_bytes, void* data, uint64_t* num_caps,
-                       z_cap_t* caps, z_cap_t* reply_port_cap);
-
   virtual MessageQueue& GetSendMessageQueue() override {
     return message_queue_;
   }

zion/object/ipc_object.cpp

@@ -2,14 +2,26 @@
 
 #include "scheduler/scheduler.h"
 
-glcr::ErrorCode IpcObject::Send(uint64_t num_bytes, const void* bytes,
-                                uint64_t num_caps, const z_cap_t* caps) {
+glcr::ErrorCode IpcObject::Send(const glcr::ArrayView<uint8_t>& message,
+                                const glcr::ArrayView<z_cap_t>& caps) {
+  return Send(message, caps, kZionInvalidCapability);
+}
+
+glcr::ErrorCode IpcObject::Send(const glcr::ArrayView<uint8_t>& message,
+                                const glcr::ArrayView<z_cap_t>& caps,
+                                const z_cap_t reply_port) {
   auto& message_queue = GetSendMessageQueue();
-  return message_queue.PushBack(num_bytes, bytes, num_caps, caps);
+  return message_queue.PushBack(message, caps, reply_port);
 }
 
 glcr::ErrorCode IpcObject::Recv(uint64_t* num_bytes, void* bytes,
                                 uint64_t* num_caps, z_cap_t* caps) {
-  auto& message_queue = GetRecvMessageQueue();
-  return message_queue.PopFront(num_bytes, bytes, num_caps, caps);
+  return Recv(num_bytes, bytes, num_caps, caps, nullptr);
+}
+
+glcr::ErrorCode IpcObject::Recv(uint64_t* num_bytes, void* bytes,
+                                uint64_t* num_caps, z_cap_t* caps,
+                                z_cap_t* reply_port) {
+  auto& message_queue = GetRecvMessageQueue();
+  return message_queue.PopFront(num_bytes, bytes, num_caps, caps, reply_port);
 }

zion/object/ipc_object.h

@@ -11,10 +11,17 @@ class IpcObject : public KernelObject {
   IpcObject(){};
   virtual ~IpcObject() {}
 
-  virtual glcr::ErrorCode Send(uint64_t num_bytes, const void* bytes,
-                               uint64_t num_caps, const z_cap_t* caps) final;
+  virtual glcr::ErrorCode Send(const glcr::ArrayView<uint8_t>& message,
+                               const glcr::ArrayView<z_cap_t>& caps) final;
+  virtual glcr::ErrorCode Send(const glcr::ArrayView<uint8_t>& message,
+                               const glcr::ArrayView<z_cap_t>& caps,
+                               const z_cap_t reply_port) final;
+
   virtual glcr::ErrorCode Recv(uint64_t* num_bytes, void* bytes,
                                uint64_t* num_caps, z_cap_t* caps) final;
+  virtual glcr::ErrorCode Recv(uint64_t* num_bytes, void* bytes,
+                               uint64_t* num_caps, z_cap_t* caps,
+                               z_cap_t* reply_port) final;
 
   bool HasMessages() { return !GetRecvMessageQueue().empty(); }
 

zion/object/thread.cpp

@@ -69,7 +69,7 @@ void Thread::Exit() {
 #endif
   state_ = FINISHED;
   process_.CheckState();
-  while (!blocked_threads_.size() == 0) {
+  while (blocked_threads_.size() != 0) {
     auto thread = blocked_threads_.PopFront();
     thread->SetState(Thread::RUNNABLE);
     gScheduler->Enqueue(thread);
@@ -78,7 +78,16 @@ void Thread::Exit() {
 }
 
 void Thread::Wait() {
-  // FIXME: We need synchronization code here.
+  // TODO: We need synchronization code here.
+  // Race condition is for A waiting on B.
+  // 1. A checks if B is finished.
+  // 2. Context Switch A -> B
+  // 3. B finishes.
+  // 4. Context Switch B -> A
+  // 5. A forever blocks on B.
+  if (state_ == Thread::FINISHED) {
+    return;
+  }
   auto thread = gScheduler->CurrentThread();
   thread->SetState(Thread::BLOCKED);
   blocked_threads_.PushBack(thread);

zion/scheduler/scheduler.cpp

@@ -16,7 +16,6 @@ void Scheduler::Init() { gScheduler = new Scheduler(); }
 Scheduler::Scheduler() {
   Process& root = gProcMan->FromId(0);
   sleep_thread_ = root.GetThread(0);
-  // TODO: Implement a separate sleep thread?
   current_thread_ = sleep_thread_;
 }
 
@@ -32,6 +31,13 @@ void Scheduler::SwapToCurrent(Thread& prev) {
   asm volatile("sti");
 }
 
+void Scheduler::Enqueue(const glcr::RefPtr<Thread>& thread) {
+  runnable_threads_.PushBack(thread);
+  if (current_thread_ == sleep_thread_) {
+    Yield();
+  }
+}
+
 void Scheduler::Preempt() {
   if (!enabled_) {
     return;
@@ -41,14 +47,6 @@ void Scheduler::Preempt() {
   if (current_thread_ == sleep_thread_) {
     // Sleep should never be preempted. (We should yield it if another thread
     // becomes scheduleable).
-    // FIXME: We should yield these threads instead of preempting them.
-    if (runnable_threads_.size() > 0) {
-      current_thread_ = runnable_threads_.PopFront();
-      sleep_thread_->SetState(Thread::RUNNABLE);
-      SwapToCurrent(*sleep_thread_);
-    } else {
-      asm volatile("sti");
-    }
     return;
   }
 

zion/scheduler/scheduler.h

@@ -18,9 +18,7 @@ class Scheduler {
   Process& CurrentProcess() { return current_thread_->process(); }
   glcr::RefPtr<Thread> CurrentThread() { return current_thread_; }
 
-  void Enqueue(const glcr::RefPtr<Thread>& thread) {
-    runnable_threads_.PushBack(thread);
-  }
+  void Enqueue(const glcr::RefPtr<Thread>& thread);
 
   void Preempt();
   void Yield();

zion/syscall/capability.cpp

@@ -13,6 +13,8 @@ z_err_t CapDuplicate(ZCapDuplicateReq* req) {
   if (!(cap->permissions() & kZionPerm_Duplicate)) {
     return glcr::CAP_PERMISSION_DENIED;
   }
-  *req->cap_out = proc.AddExistingCapability(cap);
+
+  *req->cap_out = proc.AddNewCapability(cap->raw_obj(),
+                                        cap->permissions() & req->perm_mask);
   return glcr::OK;
 }

zion/syscall/ipc.cpp

@@ -6,6 +6,14 @@
 #include "object/reply_port.h"
 #include "scheduler/scheduler.h"
 
+namespace {
+
+glcr::ArrayView<uint8_t> Buffer(const void* bytes, uint64_t num_bytes) {
+  return glcr::ArrayView(reinterpret_cast<uint8_t*>(const_cast<void*>(bytes)),
+                         num_bytes);
+}
+}  // namespace
+
 glcr::ErrorCode ChannelCreate(ZChannelCreateReq* req) {
   auto& proc = gScheduler->CurrentProcess();
   auto chan_pair = Channel::CreateChannelPair();
@@ -20,7 +28,8 @@ glcr::ErrorCode ChannelSend(ZChannelSendReq* req) {
   RET_ERR(ValidateCapability<Channel>(chan_cap, kZionPerm_Write));
 
   auto chan = chan_cap->obj<Channel>();
-  return chan->Send(req->num_bytes, req->data, req->num_caps, req->caps);
+  return chan->Send(Buffer(req->data, req->num_bytes),
+                    glcr::ArrayView<z_cap_t>(req->caps, req->num_caps));
 }
 
 glcr::ErrorCode ChannelRecv(ZChannelRecvReq* req) {
@@ -45,7 +54,8 @@ glcr::ErrorCode PortSend(ZPortSendReq* req) {
   RET_ERR(ValidateCapability<Port>(port_cap, kZionPerm_Write));
 
   auto port = port_cap->obj<Port>();
-  return port->Send(req->num_bytes, req->data, req->num_caps, req->caps);
+  return port->Send(Buffer(req->data, req->num_bytes),
+                    glcr::ArrayView<z_cap_t>(req->caps, req->num_caps));
 }
 
 glcr::ErrorCode PortRecv(ZPortRecvReq* req) {
@@ -100,8 +110,10 @@ glcr::ErrorCode EndpointSend(ZEndpointSendReq* req) {
   *req->reply_port_cap = proc.AddNewCapability(reply_port, kZionPerm_Read);
   uint64_t reply_port_cap_to_send =
       proc.AddNewCapability(reply_port, kZionPerm_Write | kZionPerm_Transmit);
-  return endpoint->Send(req->num_bytes, req->data, req->num_caps, req->caps,
-                        reply_port_cap_to_send);
+  return endpoint->Send(
+      Buffer(req->data, req->num_bytes),
+      glcr::ArrayView<z_cap_t>(const_cast<z_cap_t*>(req->caps), req->num_caps),
+      reply_port_cap_to_send);
 }
 
 glcr::ErrorCode EndpointRecv(ZEndpointRecvReq* req) {
@@ -126,7 +138,8 @@ glcr::ErrorCode ReplyPortSend(ZReplyPortSendReq* req) {
   ValidateCapability<ReplyPort>(reply_port_cap, kZionPerm_Read);
   auto reply_port = reply_port_cap->obj<ReplyPort>();
 
-  return reply_port->Send(req->num_bytes, req->data, req->num_caps, req->caps);
+  return reply_port->Send(Buffer(req->data, req->num_bytes),
+                          glcr::ArrayView<z_cap_t>(req->caps, req->num_caps));
 }
 glcr::ErrorCode ReplyPortRecv(ZReplyPortRecvReq* req) {
   auto& proc = gScheduler->CurrentProcess();

zion/syscall/thread.cpp

@@ -4,6 +4,12 @@
 #include "debug/debug.h"
 #include "scheduler/scheduler.h"
 
+namespace {
+
+bool IsKernel(uint64_t addr) { return (addr & 0xFFFF'FF80'0000'0000); }
+
+}  // namespace
+
 glcr::ErrorCode ThreadCreate(ZThreadCreateReq* req) {
   auto& curr_proc = gScheduler->CurrentProcess();
   auto cap = curr_proc.GetCapability(req->proc_cap);
@@ -21,7 +27,11 @@ glcr::ErrorCode ThreadStart(ZThreadStartReq* req) {
   RET_ERR(ValidateCapability<Thread>(cap, kZionPerm_Write));
 
   auto thread = cap->obj<Thread>();
-  // FIXME: validate entry point is in user space.
+
+  if (IsKernel(req->entry) || IsKernel(req->arg1) || IsKernel(req->arg2)) {
+    return glcr::INVALID_ARGUMENT;
+  }
+
   thread->Start(req->entry, req->arg1, req->arg2);
   return glcr::OK;
 }