Kernel and process manager

We now support ARMv8.2 targets.
By default, you can now use only secure sigevents that you've registered with MsgRegisterEvent(). There's a new -U option for procnto that lets you use nonregistered events too. Instead of using this option, you can use the _NTO_COF_UNREG_EVENTS flag when you call ConnectAttach() to allow a specific connection to use registered and unregistered events.
Note:
- _NTO_COF_UNREG_EVENTS and procnto's -U option are temporary workarounds and will be removed in a future version. You should update your system to use only registered events.
- The mq_notify() function accepts registered events, but for compatibility with POSIX, it also accepts unregistered events, even if the system as a whole is required to use registered events.
Address Space Layout Randomization (ASLR) is now enabled by default.
We now save and restore the FPU context in Interrupt Service Routines (ISRs), signal handlers, trace event handlers, and idle handlers. GCC 8 may optimize some non-floating-point operations—especially array operations—by using floating-point (FP) registers and operations (e.g., using SIMD). This means that although there is no C code using FP operations, the generated opcodes may use them, violating the requirement to not touch floating point registers in Interrupt Service Routines (ISRs), signal handlers, trace event handlers, and idle handlers, leading to corruption of the FP state in user threads, and doing so in a way that is extremely difficult to debug.
Rather than require the use of architecture-specific options (-mgeneral-regs-only for AArch64 or x86_64; there isn't such an option for ARMLE-v7) to force the compiler not to use these registers for an entire compilation unit, we decided to save all FP registers if and when an ISR first accesses any FP register, and to save the FP registers on entering a signal handler, trace event handler, or idle handler. We restore all the FP registers after leaving the ISR or handler. This has the following effects:
- It removes the danger of corrupting the FP registers by optimized code generated by the compiler despite the lack of any FP operations in the ISR or handler's source code.
- It allows the use of FP operations inside an ISR or handler. For an ISR, there's a one-time cost each time the ISR is invoked if there is any use of floating-point registers.
It's still possible to force an ISR to not use FP using the compiler options mentioned above (and therefore guarantee avoiding the performance hit of saving the FP registers), but if the ISR is in a C file that also has functions that explicitly use floating point, or would benefit from these optimizations, you can move the ISR to its own C file and use the appropriate flag to compile that file, but you need to be careful with preprocessor macros and calling functions that aren't in the C file.
There are some new mechanisms for improving the security of shared memory objects:
- shared memory handles that provide a safe, secure and efficient way to share buffers among processes without the use of public paths
- a way for the creator of a shared memory object to seal a shared memory object to prevent other processes from changing the physical layout of the object, even if these processes are allowed to change the object's contents
- a way for the creator of a shared memory object to revoke access to the object such that it can be safely destroyed or reused for other purposes. Without the revocable flag, a shared memory object is cleaned up only when the last process removes a mapping to it, which means that the creator has no control over destruction and reuse.
For more information, see “Secure Buffer Management” in the “Shared Memory” chapter of the QNX Neutrino Programmer's Guide.

The following security trace events are new:

Event	Emitted when:
_NTO_TRACE_SEC_PERM_LOOKUP	secpol_get_permission() is called to get a handle to a permission that's associated with a custom class
_NTO_TRACE_SEC_PERM_TEST	secpol_check_permission() is called to test if a given type has a permission
_NTO_TRACE_SEC_UNREG_EVENT	MsgDeliverEvent() is called with an unregistered sigevent

For more information, see the System Analysis Toolkit (SAT) User's Guide.