Substitute 'swpb' (swap byte) instruction with 'ldrexb/strexb', because 'swpb'
needs to be enabled explicitly by the kernel, which is done by neither HW or FOC.
When disabled, 'swpb' will cause an undefined instruction exception.
Issue #1048
If opening a report session fails (for example because of invalid
session arguments) and an exception is thrown during the session
construction, the report would wrongly keep the enabled state.
By moving the assignment of the state after the construction,
the report stays disabled as it should be.
This patch improves the focus handling by updating the menubar each time
the user clicks on a different view, even the old and new view belong
to the same session.
Check that in every round really all threads are alive on all CPUs. It
happened that only the first round was ok (all alive) and in the next rounds
some were dead. Unfortunately the test claimed to be successful.
The destructor of the Area object uses invalid caps which results in
a wanted abort of the process on nova. This is mainly the case in forked
process in noux.
Within the central security unit of the i.MX53 SoC, one can set protection
level of various DMA bus master requests, distinguishing them between normal,
and secure access. Although, the access level was meant to be set correctly,
the enumeration values that denoted the kind of access were incorrect. Thereby,
until now every DMA requests was set as being secure. This commit corrects
the enumeration values, and sets all DMA operations as being unsecure, accept
from the graphical subsystem which is controlled by the secure world only.
Thanks to Andrea Barisani and Andrej Rosano from Inverse Path for discovering
this bug, as well as the hardware limitation!
The timed semaphore supports a minimum timeout of 10 ms and logs a
warning if the timeout is lower than the minimum. To prevent the
warning, we limit timeouts to >= 10 ms.
Adding this function eases the implementation of realloc based on
'Libc::Mem_alloc'. Note that this allocator is not used by libc's
default malloc implementation but it is useful for customized C
runtimes, e.g., for the runtime of VirtualBox.
This function provides a way to request the size of an previously
allocated block. It is useful to to ease the implementation of realloc
functionality based on Allocator_avl.
This information is useful if 'libc-common.inc' is included from
another repository, i.e., for building stripped-down libc variants
tailored to an individual application.
Out of laziness we only provide two dummy functions for all FUSE
operations, which are used in case the FUSE file system does not
implement them itself.
Fixes#1058.
Omit the main rountine in fuse-ext2.c. Otherwise using fuse-ext2 with
fuse_fs is not possible because the server framework already defines
a main routine.
Fixes#1058.
* add sync method:
Since file systems tend to have a inbuild caching mechansim we need to
sync these caches at the end of session when using the fuse_fs server.
Therefore each FUSE file system port has to implement a Fuse::sync_fs()
function that executes the necessary actions if requested.
* add symlink check
* allow to check FUSE fs initialization
This changes the private API of the FUSE implementation. The init_fs
method now has to return true if the initialization was successful and
otherwise false. All current users of the API are also changed
accordingly.
Fixes#1058.
Noux generates 'argv[0]' for the initial child automatically (in contrast
to the 'config_args' library), so the first argument stated in the
configuration should not be the GDB program name.
Fixes#1062.
On Genode/Fiasco.OC, when an unresolved page fault occurs, only the IP and
SP registers are valid in the thread state read by GDB monitor. This was
not taken into account so far and the other (possibly outdated) register
values got reported to the client, too.
With this patch, only IP and SP get reported to the client in the page
fault case.
Fixes#1063.
For further information see: http://wiki.netbsd.org/rumpkernel/. In this version
I ported the central rump components to Genode in order to take advantage of
NetBSD file system implementation. The new 'dde_rump' repository contains the
Genode version of the rump libraries and a 'rump_fs' server that implements
Genode file-system-session interface. Currently ext2, iso9660, and fat
file-systems are supported.
Issue #1048
'check_installed' takes a command name as argument and tries to call 'which' in
order to find the command path. If that does not succeed, paths like '/sbin' are
'/usr/sbin' searched. On success the absolute path of the command is returned,
on failure 'exit' is called with an error message.
Issue #1048
Previously we used to many registers in syscalls with much arguments
to build with optimization level O0. Additionally this fix fastens the
userland backend of syscalls.
All the pre- and post-processing of the startup lib around the main
function of a dynamic program is now done by LDSO. Hence LDSO directly
calls the main function of the program.
Issue #1042
This is needed later when eliminating the need for a startup lib in
dynamic programs to enable LDSO to call ctors and dtors of the program.
Issue #1042
After some research we found that the stack pointer on ARM platforms must be
at least double word aligned (See: "Procedure Call Standard for the ARM
Architecture" - 5.2.1.1). Since a 'call' on ARM will not result in a stack pointer
change (like on x86), the current behavior resulted in a 4 Byte aligned stack
only.
Follow up to #1043
This commit generalizes the bit array in 'base/util/bit_array.h',
so that it can be used in a statically, when the array size is known
at compile time, or dynamically. It uses the dynamic approach of the
bit array for a more generalized version of the packet allocator,
formerly only used by NIC session clients. The more generic packet
allocator is used by the block cache to circumvent the allocation
deadlock described in issue #1059.
Fixes#1059
Base libraries are already contained within ldso.lib.so. Remove unnecessary
filtering from 'dep_lib.mk', make ldso depend on base libs.
Issue #1017
Issue #989
This patch make the handling of resizing the virtual framebuffer more
consistent. Liquid_fb keeps track of two sizes. The "next size" is the
size of the framebuffer handed out via the next call of 'dataspace'.
The "designated size" is the size as demanded by the user. The latter
size may be updated more often than the "next" size, depending on the
responsiveness of the framebuffer client to mode-change signals.
The patch also removes the synchronization with refresh calls because
the synchronization made the flickering artifacts worse when executing
nitpicker within liquid_fb. So it was not properly working anyway.
In the future, we might reimplement such a synchronization mechanism
when switching to the server API.
Issue #1056
As the initial main-thread stack is not used for the whole main-thread life
anymore but only for the initialization of the Genode environment it can be
downsized to 32Kb for all architectures.
ref #989
For a main thread a thread object is created by the CRT0 before _main gets
called so that _main can already run in a generic environment that, e.g.,
catches stack overflows as a page-fault instead of corrupting the BSS.
Additionally dynamic programs have only one CRT0 - the one of the LDSO -
which does the initialization for both LDSO and program.
ref #989
Normally for intptr_t the printf format PRIiPTR should be used. As Genode
printf doens't support this format we cast it to long int (intptr_t is int
for 32 bit and long int for 64 bit).
ref #989
This patch adds accessors to obtain the buffer of an attribute value,
which is useful to avoid the copying-out of such information by
maintaining pointers into the XML string as meta data.
There exist different default setups for a specific autoconf version:
* autoconf
* autoconf$(VERSION)
* autoconf-$(VERSION)
As of now, only the second option is recognized by the check in tool_chain.
This patch ensures that if one of those is present in the correct
version, it will be found and used in the build process.
Fixes#1053.
With this patch, the liquid_fb title bar height gets reserved at the top of the
screen, so if a Qt application wants to position a window at (0,0), there's
still enough space to show the title bar above.
Issue #1054.
This utility allows for the manual placement of objects without the need
to have a global placement new operation nor the need for type-specific
new operators.
Issue #989
The trace_fs server provides access to a Trace_session by using a
File_system_session as frontend.
Each trace subject is represented by a directory ('thread_name.subject')
that contains specific files ('active', 'cleanup', 'enable', 'events',
'buffer_size' and 'policy'), which are used to control the tracing
process of the thread as well as storing the content of its trace
buffer.
The tracing of a thread is only activated if there is a valid policy
installed and the intend to trace the subject was made clear by writing
'1' to the 'enable' file.
The tracing of a thread may be deactived by writing a '0' to the
'enable' file.
A policy may be changed by overwriting the currently used one. In this
case the old policy is replaced by the new policy and is automatically
utilize.
Writing a value to the 'buffer_size' file changes the appointed size of
the trace buffer. This value is only evaluted by reactivating the
tracing process.
The content of the trace buffer may be accessed by reading from the
'events' file. Throughout all tracing session new trace events are
appended to this file.
Nodes of UNTRACED subjects are kept as long as they do not change their
tracing state to DEAD. In this case all nodes are removed from the
file system. Subjects that were traced before and are now UNTRACED will
only be removed by writing '1' to the 'cleanup' file - even if they
are DEAD by now.
To use the trace_fs a config similar to the following may be used:
! <start name="trace_fs">
! <resource name="RAM" quantum="128M"/>
! <provides><service name="File_system"/></provides>
! <config>
! <policy label="noux -> trace" interval="1000" subject_limit="512" trace_quota="64M" />
! </config>
! </start>
'interval' sets the periode in which the Trace_session is polled. The
time is given in milliseconds.
'subject_limit' speficies how many trace subject should by acquired at
most when the Trace_session is polled.
'trace_quota' is the amount of quota the trace_fs should use for the
Trace_session connection. The remaing amount of RAM quota will be used
for the actual nodes of the file system and the 'policy' as well as the
'events' files.
In addiition there are 'buffer_size' and 'buffer_size_limit' that define
the initial and the upper limit of the size of a trace buffer.
Tracing of parent processes or rather threads may be enabled by setting
'parent_levels' to a value greater than '0' (though this attribute is
available, the trace session component within core still lacks support
for it).
A ready-to-use runscript can by found in 'ports/run/noux_trace_fs.run'.
Fixes#1049.
Until now, block drivers had to deal with a pointer to the client
session component, e.g.: to acknowledge block packets already processed.
When a session was closed, the driver object wasn't informed explicitly,
which leads to defensive programming, or lastly to a race-condition in
test-blk-srv. To prevent from this class of errors, the pointer is now
private to the generic block driver base class, and not accessible to
the concrete driver implementation. Moreover, the driver gets explicitly
informed when a session got invalidated.
Ref #113
This block cache component acts as a block device for a single client.
It uses fixed 4K blocks as caching granularity, thereby implicitly reads
ahead whenever a client requests lesser amount of blocks. Currently,
it only supports a least-recently-used replacement policy.
Fixes#113
When using the server framework, it might happen that the main thread
tries to forward a signal to the entrypoint, while the context of that
signal is already destroyed. In that case the main thread will get an
ipc error exception as result.
Related to #113
Instead of terminating tool/tool_chain when finding the first
missing tool, this patch runs all checks to completion before
bailing out. This eases finding missing programs, because the
user has to run the script only once to get a list of all missing
software.
Fixes#1046Fixes#1047
On 64-bit platforms Qt's JavaScript engine tries to reserve 1GiB of
virtual memory via 'mmap()', to be backed by physical memory on demand.
Genode's 'mmap()' implementation currently does not support on-demand
allocation of physical memory and tries to allocate the whole amount at
once, which is usually far more than needed.
With this patch, the amount to be reserved gets decreased to 32MiB.
Fixes#1041.
The x86_64 ABI requires the stack pointer to be 16-byte aligned before the
call of a function and decreased by 8 at the function entrypoint (after
the return address has been pushed to the stack).
Currently, when a new Genode thread gets created, the initial stack
pointer is aligned to 16 byte. On Genode/Linux, the thread entry function
is entered by a 'call' instruction, so the stack pointer alignment at the
function entrypoint is correct. On Fiasco.OC and NOVA, however, the thread
entry function gets executed without a return address being pushed to the
stack, so at the function entrypoint the stack pointer is still aligned to
16 byte, which can cause problems with compiler-generated SSE
instructions.
With this patch, the stack pointer given to a new thread gets aligned to
16 bytes and decreased by 8 by default, since most of the currently
supported base platforms execute the thread entry function without pushing
a return address to the stack. For base-linux, the stack pointer gets
realigned to 16 bytes before the thread entry function gets called.
Fixes#1043.
- 'kill()' syscall added
- 'wait()' gets unblocked when a signal occurs
- syscalls can get called from a signal handler without corrupting the 'sysio' object
- the child's exit status gets correctly reported to 'wait()'
- SIGCHLD gets ignored by default
- pending signals survive 'execve()'
Fixes#1035.
Delete operators with additional allocator reference/pointer parameters
are needed if the constructor of an 'new(allocator)' allocated object
throws an exception. Also, destroy now uses the operator to free memory
and provides variants with allocator reference and pointer.
The commit includes a simple test scripts 'run/new_delete', which
exercises the several 'delete' cases.
Related to #1030.
Use a bit allocator for the allocation management of thread contexts,
instead of holding allocation information within the Thread_base objects,
which lead to race conditions in the past.
Moreover, extend the Thread_base class interface with the ability to
to add additional stacks to a thread, and associate the context they're
located in with the corresponding Thread_base object. Additional stacks
can be used to do user-level scheduling with stack switching, without breaking
Genode's API.
Fixes#1024Fixes#1036
Change the template parameter for Bit_allocator, and Bit_array. Instead of
assigning words to be used by the bit array, you can now tell the count of
items that shall be used.
Moreover, some dead code, previously using the Bit_allocator, was removed.
Related to #1024
Splitting the new Genode::Deallocator interface from the former
Genode::Allocator interface enables us to restrict the accessible
operations for code that is only supposed to release memory, but not
perform any allocations.
Additionally, this patch introduces variants of the 'new' operator
that takes a reference (as opposed to a pointer) to a Genode::Allocator
as argument.
By assigning the file name as label, we may become able to remove the
filename argument in the future by just interpreting the last part of
the label as filename. By keeping only the label, we won't need to
consider conditional routing (via <if-arg>) based on session arguments
other than the label anymore.
The new Attached_dataspace complements the existing Attached_*
utilities with a simple version that can be used with any kind of
dataspaces. It may be even useful as a common base type for the other
variants. For example, this patch simplifies Attached_rom_dataspace
and removes the Terminal::Client::Io_buffer.
This patch integrate the scout widgets with Genode's new API headers
'util/geometry.h', 'os/surface.h' and 'os/texture.h'. Thereby, we get
almost rid of the platform-abstraction shim that was never used anyway.
Furthermore, it extracts the parts that are worth reusing from the
scout implementation to the public location 'demo/include/scout'.
This patch re-arranges nitpicker's graphics backend in a more modular
and expandable way. Generalized versions of the 'Canvas',
'Chunky_canvas', and 'Pixel_*' classes have been moved to
'os/include/util/' and 'os/include/os'. The only remaining parts that
are specific to nitpicker's needs are a few drawing functions, each
located in a distinct header at 'os/include/nitpicker_gfx/'.
This patch makes nitpicker's geometry utilities available for the use
by other programs. Thereby, the 'Point', 'Area', and 'Rect' classes
have become templates that take the coordinate type and distance type
as arguments.
Unless '-ignorestderr' is set on 'exec' in expect, any output on stderr
is interpreted as execution failure. In this case, 'create_iso' logs
some diagnostics but does not fail.
We repeatedly promote our ISOs to be bootable from USB storage.
Therefore, we have a hard dependency on 'isohybrid' and should fail in
the case that the tool is missing.
Access to a block session is provided by using the block file system.
By specifying the label, each block session request can be routed to
the proper block session provider:
! <fstab>
! ...
! <dir name="dev">
! <block name="blkdev0" label="block_session_0" />
! </dir>
! ...
! </fstab>
In addition to this file system, support for the DIOCGMEDIASIZE ioctl
request was added. This request is used by FreeBSD and therefore our
libc to query the size of the block device in bytes.
Fixes#1010.
All source codes of the glue code between Vancouver and Genode that were
based on existing GPL code had already stated that Genode Labs is not
the sole owner of the code. To make the distinction between the Genode
OS framework and the glue code more clear, this patch removes the text
"is part of the Genode OS framework" from the glue code.
Instead of, passing responsibility to manage and dissolve Signal_rpc_member
objects at a corresponding entrypoint to the user, hand over entrypoint's
reference to the constructor, and do it in the constructor resp. destructor
of the class.
Fixes#1022
Both base/src/test/thread and base-okl4/src/test/okl4_03_thread used the
same target name, which ultimately confused the build system when
building on OKL4.
File systems using the File_system_session interface can now be
synchronized by using this syscall. This is needed for file system
that maintain an internal cache, which should be flushed.
Fixes#1008.
Users of a File_system_session might want to force a file system
to flush or rather to synchronize its internal cache. A concret
default implementation is provided because not all file systems
maintain an internal cache and are not required to synchronize
caches.
Fixes#1007.
Fail hard if no large enough virtual memory area can be found where to map
the memory from the kernel to core.
Additionally clear dataspaces in junks if it can't be done in one large junk.
Fixes#1011
Make 'set_program_var' accessible outside of 'rtld.c'. Also, compile
dynamically linked programs with the '-fPIC' option. Doing not so,
yields to program-global symbols being put in the '.symtab' section
(which can be stripped) only. In order to get access to global
variables from the dynamic linker, the symbols need to reside within
the '.dynsym' section additionally. Hence the '-fPIC'.
ref #989fix#1002
If an RM client gets dissolved the RM server tries to first
dissolve and then destruct the according pager object. As pager objects
previously cancelled unresolved faults only in destructor the dissolve
operation blocked forever when an unresolved fault existed.
As every pager object should get dissolved before it gets destructed
(signal-context complains otherwise) no more unresolved-fault cancelling
is needed in the destructor.
ref #989
As synchronization of signal contexts is now the users business instead of
cores and the signal framework ensures that every context of a receiver gets
synchronously destructed before the destruction of the receiver itself
synchronization and thus blocking at the destruction of a kernel
receiver-object isn't necessary anymore.
ref #989
Kernel::signal_context_kill can be used by any program to halt the processing
of a signal context synchronously to prevent broken refs when core destructs
the according kernel object. In turn, Kernel::bin_signal_context doesn't block
anymore and destructs a signal context no matter if there are unacknowledged
signals. This way, cores entrypoint doesn't depend on signal acks of a
untrustworthy client anymore.
ref #989
In the future bin_* means the direct destruction of a kernel object
without any blocking. kill_* in contrast is used for bringing a
kernel object such as signal contexts synchronized into a sleeping
state from where they can be destructed without the risk of getting
broken refs in userland.
ref #989
To remap its UTCB to its context area later, a main thread needs
to know the according dataspace capability. This is done through
the start-info it receives from its creator at startup.
ref #989
I have no idea where the previous default alignment = 2 in the unsynchronized
singleton came from but as at least the Arndale IC-driver in base-hw needs an
alignment of 4 = address width, unmanaged singleton now uses sizeof(addr_t)
as default alignment.
ref #989
An unmanaged singleton is a singleton object that isn't
constructed or destructed implicitly through the C++ runtime
enviroment. The new header provides a helper to create such objects
and is located in src/base/include.
ref #989
* Increase entrypoint stack size for part_blk server,
since it crashes on 64 bit
* Consider packet alignment in bulk buffer size calculation of test-blk-cli
* allow to handle a maximum of packets in parallel
that fits free slots in the ack queue
* stop processing packets, when the driver can't handle
more requests in parallel, and resume packet handling,
when the driver is ready again
As hw_arndale is a bit slower than foc_arm and spawn_serial timing
calculation has changed in general, timeouts of noux_tool_chain_auto test
must be adjusted.
fix#996
The Genode-specific implementation of 'QWaitCondition' contains a race
condition which can make the 'qt5_samegame' application hang on Fiasco.OC.
Since most of the pthread synchronization functions needed by the
UNIX-specific implementation of 'QWaitCondition' and 'QMutex' are
available now, we can use these now instead of fixing and keeping
the Genode-specific implementation.
Fixes#993.
Instead of using an additional thread in each Session_component of a
block server, which uses the generic block component and driver classes,
replace it with signal dispatchers.
Ref #113
With 64K stack size, when doing 'make core' in noux on base-hw, the main thread
of /libexec/gcc/arm-elf-eabi/4.7.2/cc1plus runs into a stack overflow during
the compilation of core/main.o . Thus raise the stack size to 128K.
fix#964
The previously used RAM 0x0..0x10000000 was just an alias for
0x70000000..0x80000000. Qemu provides up to of 768 MB RAM with the
correct -m argument. This RAM is located at 0x70000000..0x90000000 and
0x20000000..0x30000000. At least the noux_tool_chain scripts are
happy to have that much RAM.
ref #964
For PBXA9 qemu adjusts provided RAM chips to the -m arg. Thus we
filter user values and force value that enables all chips that Genode
expects to be available. Not doing so leads to inexplicable errors.
ref #964
Makeinfo versions greater 5 treat an @itemx that isn't preceeded by an @item
not as warning anymore but as error. The GCC version 4.7.2 that is used by
noux currently triggers this error multiple times. This commit adds a patch
to 'make prepare PKG="gcc"' that avoids the use of @itemx without preceeding
@item. As GCC versions greater than 4.8 should fix this problem by themselves
this should be seen as temporary quick fix.
ref #964
At least with base-hw, the endless loop at the end of the fork
parent slows execution of the fork child dramatically. Using
libc function pause() is a cleaner solution anyways.
ref #964
When using the initial SP of a main thread for the UTCB
startup-argument, fork_trampoline in libc_noux gets broken.
The function expects the SP to be initialized already in contrast
to the _start function in crt0.s that is called for processes that
are not forked. As the main-thread UTCB is located at the same virtual
address for every PD anyways, we can circumvent this problem by
defining it statically.
ref #964
Struct Msg was introduced due to the handling of pagefaults
and interrupts via synchronous IPC. Its only purpose was to provide
the message type in front of the typed message. Now pagefaults and
interrupts are handled via signals and struct Msg is not necessary
anymore.
ref #958
If the script is executed with an obscure path (e.g.,
'../tool/autopilot'), just taking the argv0 string fails. Therefore, the
file path is now normalized prior to the directory detection.
This patch enables experimental QML support in Qt5.
Only the QtQuick plugin is available yet.
Currently runs best on Linux and has some problems on NOVA and Fiasco.OC.
Fixes#979.
Replace the static lock with the file descriptor lock because recursive
calls of p{read,write} would result in a deadlock when using multiple
libc-plugins at the same time.
Fixes#948.
This FUSE implementation consists of libfuse, which provides a
subset of the FUSE 2.6 API and libc_fuse, which provides support
for accessing FUSE based file system via the libc.
Fixes#942.
In addition, file-system tests will use the AHCI driver instead of the
ATAPI driver. This change side-steps certain issues with Qemu's IDE
emulation.
Fixes#942.
Since RM sessions can be used as dataspaces and dataspace sizes are
supposed to have page granularity, RM session sizes should have page
granularity, too.
Fixes#972.
Among other changes, this patch makes it possible to let Mesa render into
a user-provided buffer instead of the screen. This can be achieved with
the 'eglCreateWindowSurface()' function, which takes a buffer
description as third argument.
Fixes#974.
One of the Qt5 patches is supposed to create symbolic links, which is not
supported by GNU patch before version 2.7. Using 'git apply' to apply the
patches solves this problem.
Fixes#969.
In programs with dynamic linker, _main and thus also platform_main_bootstrap
are called twice. By now, platform_main_bootstrap tried to always access the
startup message in the UTCB of the main thread that gets overridden till the
second call.
fix#967
Since dde_linux now contains the port of the Linux IP stack available for all
Genode base-* platforms move the repository out of drivers_arm and drivers_x86
build.conf to the optional build.conf (available to all platforms).
To support components, which implement the block session's server side
rpc object, and which doesn't write data to their device backend immediately,
an additional synchronization call is needed. Thereby, clients like for
instance a file system can tell these components, when a synchronization is
required.
Ref #113
Issue #949
Related to issue #808 - one way to nearly double the maximum VM size for
VMs on 32bit Genode/Nova host if decreased performance is acceptable.
To ease the creation of custom virtual machine monitors on top of
NOVA, this patch moves generic utilities from vancouver resp. seoul to the
public include location 'ports/include/vmm'. As a nice side effect,
this change simplifies 'vancouver/main.cc'.
Issue #949
The platform driver is used to access the features provided by the
Videocore mboxes, i.e., power configuration and framebuffer setup. The
framebuffer driver uses the platform interface to setup a screen mode of
1024x768.
At the current stage, the USB HID and storage drivers are prinicpally
working but not stable. If interrupts are not processed fast enough,
devices will get sporadically disconnected.
The USB host-controller driver is not part of the normal Linux kernel.
For this reason, we need to download it separately. There exists a
'prepare_rpi' rule in the 'dde_linux/Makefile' to automate this process.
This patch principally allows to install symlinks to out-of-Linux tree
drivers into the contrib directory. Those files are then considered for
the 'lx_emul.h' symlink procedure. Is useful as a temporary mechanism
while developing the rpi USB driver.
When saving/resuming translation table base registers, and data fault register
a VMM is able to translate the VM's virtual addresses, and to analyse aborts
it has generated.
Every thread receives a startup message from its creator through the initial
state of its userland thread-context. The thread-startup code remembers the
kernel name of the new thread by reading this message before the userland
thread-context gets polluted. This way, Kernel::current_thread_id becomes
unnecessary.
fix#953
Don't set priority and label in platform thread and then communicate this
core object via Kernel::new_thread but communicate priority and label directly.
This way kernel doesn't need to know anymore what a platform thread is.
ref #953
Instead of writing initial thread context to the platform-thread members
and then communicating this core object to kernel, core calls
Kernel::access_thread_regs first to initialize thread context and then
Kernel::start_thread without a platform-thread pointer. This way
the frontend as well as the backend of Kernel::start_thread loose
complexity and it is a first step to remove platform thread from the
vocabulary of the kernel.
ref #953
This patch enables the recursive startup of launchpad instances, which
was not possible since the recent removal of launchpad's built-in
default configuration.
Open a capability receive window according to the number of the capabilities
expected as out parameter per RPC function.
Typically the number of capabilities expected during the reply of a RPC/IPC
call is 0 to 1. Before this patch ever a capability receive window of 4 has
been opened.
On Nova the capability selectors of receive windows must be naturally aligned
to the size/order of the expected capabilities. This leads until now to the
issue that the left over 3 capabilities couldn't be reused for new IPCs since
they are not naturally aligned to 4.
Issue #905
Enable routing of thread events to signal contexts via
Kernel::route_thread_event.
Replace Kernel::set_pager by Kernel::route_thread_event.
In base-hw a pager object is a signal context and a pager activation
is a signal receiver. If a thread wants to start communicating its page
faults via a pager object, the thread calls Kernel::route_thread_event with
its thread ID, event ID "FAULT", and the signal context ID of the pager object.
If a pager activation wants to start handling page faults of a pager object,
the pager activation assigns the corresponding signal context to its signal
receiver. If a pager activation wants to stop handling page faults of a pager
object, the pager activation dissolves the corresponding signal context from
its signal receiver. If a thread wants to start communicating its page faults
via a pager object, the thread calls Kernel::route_thread_event with its
thread ID, event ID "FAULT", and the invalid signal context ID.
Remove Kernel::resume_faulter.
Move all page fault related code from generic kernel sources to CPU
specific cpu_support.h and cpu_support.cc.
fix#935
Provide core-local signal service before other services to enable the use
of signal connections while initialzing the other services. This has been
introduced due to the use of the signal framework by the pager lib in
base-hw (RM service).
ref #935
DosBox is DOS-Emulator which is mainly used for playing old
DOS games on POSIX systems and newer Windows versions.
This port of DosBox runs natively on Genode by using its
SDL backend. It is currently only works on x86_*.
Fixes#937.
This patch changes the noux.run script to use the new log_terminal
component instead of an UART driver. Besides being a nice way to test
the log_terminal service, the new version is much simpler and it just
became compatible to Linux as it no longer relies on an UART driver.
Issue #947
Since we switched to using C++11 by default, the webkit-related
parts of qt4 failed to compile because of C++11 compatibility
issues. This patch disables the use of C++11 for the offenders.
There are programms that use struct stat's st_ino field to check certain
conditions. Since we are using multiple filesystems in a noux session we
cannot use the inode number which the actual filesystem provides.
Therefore we calculate a random inode number by hashing the stated path.
Fixes#299.
A timer session is now used instead of a jiffy counter. This way, libSDL
can use a time source that is not bound to the granularity our libc's
nanosleep implementation. Currently, the granularity of nanosleep is in
the order of 10 milliseconds, which is far to coarse for the use of
SDL-using applications such as DosBox.
Fixes#934.
In general, requesting a dataspace from a server twice is no good
idea. The server might react in a unrecoverable fashion. E.g. the rom_fs
service always throws away the corresponding dataspace from the first call
of dataspace(), and constructs a new one.
This patch adds a 'gdb' command to 'cli_monitor', which makes it possible
to debug an application with GDB.
The command works similarly to the 'start' command, but instead of
starting the subsystem binary directly, an 'init' subsystem gets
started, which then starts 'terminal_crosslink', 'noux', GDB and
'gdb_monitor' (which starts the application binary as its target).
So, for the 'gdb' command to work, these additional components need to
be available, too. 'terminal_crosslink', 'noux', 'gdb_monitor' and the
file 'gdb_command_config' are expected to be ROM modules. The Noux GDB
client needs to get mounted at '/bin' in Noux and the target binaries need
to be available as ROM modules (loaded by 'gdb_monitor') and also mounted
at '/gdb' in Noux (loaded by the GDB client).
Additionally, the source code of the target application can be provided
at '/gdb/src/ in Noux. How the Noux mountings get established can
be configured in the 'gdb_command_config' file. The default configuration
in 'os/src/server/cli_monitor/gdb_command_config' mounts GDB from a tar
archive named 'gdb.tar', the GDB target binaries from a tar archive named
'gdb_target.tar' and the target source code from a tar archive named
'gdb_target-src.tar'.
The patch includes an 'expect' include file (ports/run/noux_gdb.inc)
which provides functions that help to create those tar files:
- 'create_gdb_tar' creates a tar archive for the 'gdb' client
- 'create_binary_tar' creates a tar archive for the target application
- 'create_source_tar' creates a tar archive for the source code of
the target application
- 'create_binary_and_source_tars' is a convenience wrapper for the previous
two functions
The patch also includes an example run script
(ports/run/noux_gdb_dynamic.run).
The 'gdb' command supports the following command line options:
- --ram: the initial RAM quota provided to the whole subsystem
(including the GDB-related components)
- --ram-limit: limit for expanding RAM quota
- --gdb-ram-preserve: the RAM quota that 'gdb_monitor' ahould preserve
for itself
Fixes#928.
When a child requests more ram resources, it gets blocked immediately when
the preservation limit is reached. Otherwise, it might happen that the
cli_monitor runs out of memory.
When a command was executed, it is necessary to check not only whether the
preservation limit of the ram quota is reached, but also whether new ram quota
is available (e.g.: consequence of the kill command), and children are waiting
for additional resources.
Implement a ballooning mechanism in L4Linux similar to solutions like XEN's
balloon driver. Therefore the new parent interface extensions for requesting
and yielding resources are used. L4Linux registers a yield signal context at
its parent. Whenever the parent triggers a yield, the balloon driver blows up,
which means it requests all pages available, and then frees the corresponding
backend memory.
This patch changes the interface of Nitpicker to support dynamically
dimensioned virtual frame buffers. This solves two problems:
First, it enables a client to create a connection to nitpicker without
donating much session quota in advance. The old interface required each
screen-size-dependent client to donate as much memory as needed to
allocate a screen-sized virtual framebuffer. For clients that are
interested int the screen size but cover just a small portion of the
screen (e.g., a banner, a menu, an applet that sits in the screen
corner), this overprovisioning is painful. The new interface allows such
clients to upgrade the session quota for an existing session as needed.
Second, because each nitpicker session used to have a virtual frame
buffer with a fixed size over the lifetime of the session, a client that
wanted to implement a variable-sized window had to either vastly
overprovide resources (by opening a session as large as the screen just
in order to be prepared for the worst case of a maximized window), or it
had to replace the session by a new one (thereby discarding the stacking
order of the old views) each time the window changes its dimensions. The
new interface accommodates such clients much better.
This patch implements the POSIX signal functionality needed to interrupt a
running Noux GDB by pressing 'Ctrl-C'.
It allows to register a signal handler for the 'SIGINT' signal, which
gets executed after 'Ctrl-C' is received from the terminal. With the
current state of the implementation, the signal handler only gets executed
when the Noux application calls a 'read()', 'write()', 'ftruncate()' or
'select()' syscall.
Fixes#923.
With this patch, the 'Ring_buffer' class can be made unsynchronized by
setting the 'Ring_buffer_unsynchronized' policy as third template
argument.
Fixes#922.
USB HID gets stuck due to strange kernel error
as HDMI starts simulatnously. This workaround
delays HDMI init by a second (only in case we
build for Exynos5 & FOC with USB) to let
scenarious like demo get their USB HID started
without much CPU load.
ref #796
For the framebuffer driver of the i.MX53 platform to work even when u-boot
didn't prepared the display previously, there were some IOMUX routes missing.
Fixes#914
By now, only one button press/release event per IRQ was handled correctly.
Pressing and/or releasing several buttons concurrently could bring the input
driver into an inconsistent state.
Fixes#913
* Remove far too low default values from Nic::Connection constructor
* Extend lwip initialization function with desired TX/RX buffer sizes
* Add configuration possibility to libc_lwip_dhcp plugin to define
buffer sizes, like the following:
'<libc tx_buf_size="1M" tx_buf_size="1M"/>'
Fixes#892
Previously, if two ID allocators for different kernel objects had the
same size, the kernel-object framework managed both objects types
through the same allocator instance. This is caused by the use of
unsynchronized singletons in the accessor functions and can be avoided
by creating new types through inheritance instead of using typedefs.
Anyways, this fix is a little bit ugly and should replaced by avoiding
the use of unsynchronized singletons in the future.
fix#906
At this point we cannot close the connection anymore because all
mappings are gone and the needed stack is invalid. This is not a
problem since process will be discarded anyway.
Fixes#909.
With this patch, the register contents of a paused thread (which is not
currently executing a syscall) can get modified by the
'Cpu_session::state()' function.
Fixes#896.
The copy constructor of Signal did not copy the Signal::Data contents of
the copy source. This bug could survive undetected because the compiler
can optimize code in a way, that copy constructor and destructor are not
necessary when returning by value from simple functions. I assume that
it creates the object in CPU registers instead of RAM and reuses it
instead of copying it to save time. This way the bug triggered first
after wait_for_signal was changed in a way that avoided optimization.
ref #912
In hybrid mode, all programs are dynamic executables and ld.lib.so is
not supported. Therefore, only the "static" variant of the test can be
build and executed.
This change allows for the testing of cli_monitor's automatic resource
balancing by executing the following command:
start ram_eater --ram-limit 1G --count 5
The command starts 5 instances of a RAM-eating process, which is,
however, able to yield resources when instructed. The RAM quota for the
processes gets automatically extended because of the overly large limit
of 1 GiB, which is far more than CLI monitor's RAM resources (100 MiB).
When the RAM usage hits the preservation limit, CLI monitor broadcasts
yield requests to each ram_eater instance, which allow the scenario to
remain alive.
If a local thread is attempted to be 'pause'd via cpu_session, don't wait
until it gets into the recalled state. If the caller is lucky it is, if not
return only the stack pointer.
Avoids deadlocking of the gdb when attached to a process running a server.
Issue #478
The 'pause' call on base-nova assumes that a thread can solely block in its
associated semaphore. Main reason is that so core can unblock a thread in order
that the recall exception gets delivered and the register state can be
obtained.
Unfortunately the signal session implementation creates a semaphore, which is
unknown by the pager code. Instead create the semaphore via the pager of the
thread, so that the pager can unblock the signal thread when a pause is issued.
Issue #478
If a thread caused a page fault and later on get be paused, then it left
the recall handler immediately due to the pause call instead of staying
in this handler.
Add some (complicated) state machine to detect and handle the case. Still not
waterproof, especially server threads may never get recalled if they never get
a IPC from the outside.
Fixes#478
This patch introduces new commands for dynamically balancing RAM between
subsystems. The 'status' command prints a table with the RAM status of
each subsystem. The 'ram' command changes the quota or a quota limit of
a given subsystem. The quota limit can be defined to allow the on-demand
expansion of the quota. Finally, the 'yield' command can be used to
instruct a subsystem to yield a specified amount of resources.
For trying out the new commands, a so-called 'ram_eater' example has
been added to the 'terminal_mux.run' scenario. This program simulates a
subsystem with a growing demand for resources, yet with the capability
to yield resources when instructed by the parent (i.e., cli_monitor).
Besides implementing the new features, the patch splits the
implementation of 'cli_monitor' into multiple files.
In order to be able to dynamically balance resources of slaves, we need
to provide an accessor to the slave's RAM session and a way to issue
yield requests.
The new 'String' buffer type is meant to replace the manually created
character buffers that are scattered throughout Genode. It plainly holds
a null-terminated string to be stored as a member variable (e.g., a
session label) or passed as RPC argument. It is not intended to become a
string API.
Revised region management detects region conflicts by using _soft_
mappings per default. Overmapping is activated for population of managed
dataspaces only. For more information see header documentation of
base-linux/src/base/env/rm_session_mmap.cc.
Fixes#883.
To prevent multiple execution of main-bootstrap, I moved the code to a
statically initialized object. The reason for this change is that
_main() is exeuted twice when starting dynamic binaries. Now, the object
is part of the base-common library which is linked with ld.lib.so.
Deleting the generated 'launchpad.config' file is a bad idea because in
contrast to most base platforms, on Linux, we merely create symlinks
from the 'var/run/demo/' directory to the 'bin/' directory instead of
copying the files.
For ARM support on N900, commit 4a9b1c6 changed the process library to
start dynamic binaries directly depending on the Linux kernel to comply
to the interp section info ("ld.lib.so"). This seems not required on
more recent platforms or kernel versions and also introduced challenging
corner cases in region handling on Linux. Therefore, this commit
restores the original behavior.
This patch makes sure that a line break is printed before the test
finishes. This way, the "Test succeeded" message is printed on a new
line, which was not always the case (i.e., on Pistachio) otherwise.
The macro 'enter_kdebug' appended the 'text' argument immediately after
the '"' literal. Apparently, the old C++ standard accepted this code but
the new standard is more strict.
Statically configured NIC bridge clients must be configured via
<policy...> nodes in the config. Otherwise, the bridge can't answer ARP
requests or route traffic.
After announcing the NIC service, the bridge connects to the driver to
ensure to see any incoming traffic in case the client itself only reacts
on connects from LAN (e.g., the netperf server).
Also, some styling issues were fixed.
Both 'platform_session/capability.h' and 'platform_session/connection.h'
do not contain platform-specific information. By moving them from
'include/platform/imx53/platform_session/' to 'include/platform_session/',
this patch enables other platforms to reuse them.
Prior this change, the attempt to re-schedule a timer from its timer
handler resulted in a clear '_pending' flag. This caused the timer event
to disappear from the scheduling queue without the handler being called
ever again. By resetting the '_pending' value before calling the hander,
we prevent a re-scheduled '_pending' flag to be cleared immediately
after calling the handler.
On non-PC platforms, the variable 'build' remains undefined, which lets
the 'build $build' step fail. Use the traditional 'build_components'
variable instead. As a further plus, this avoids multiple passes of the
build system.
With this patch, if an ELF dataspace to be executed does not have a path
in the host file system, the dataspace content gets copied into a
temporary file whose path can be given to 'execve()'.
Fixes#879.
This patch updates the launchpad config to use XML attributes and
removes the built-in default configuration (which is only meaningful
for demo.run anyway).
By splitting Session_policy into two classes, we make it more flexible.
Originally, the constructor accepted solely an args string, which made it
unusable for situations where we already have extracted the session
label (e.g., stored in the session meta data of a server). Now, the
extraction of the label from the args string is performed by the new
Session_label class instead, which, in turn, can be passed to the
constructor of Session_policy.
This change causes a minor API change. The following code
Session_policy policy(session_args);
Must be turned into
Session_label label(session_args);
Session_policy policy(label);
This patch overhauls the signal handling of nitpicker to clear the way
towards dynamic reconfiguration. Furthermore, it moves the
implementation of the global-keys handling and input utilities to
separate files.
Originally, the convenience utility for accessing a process
configuration came in the form of a header file. But this causes
aliasing problems if multiple compilation units access the config while
the configuration gets dynamically updated. Moving the implementation of
the accessor to the singleton object into a library solves those
problems.
This patch adds support for iterating through a const list. This allows
users of lists to be more rigid with regard to constness. Furthermore,
the patch adds the function 'List::insert_at' for inserting an element
at a specified position. By adding this function, we can remove code
duplication in nitpicker.
To enable the specification of key names in configuration files parsed
at runtime, we need the association between key-code values and their
respective names.
binary_ds cap is attempted to free up twice by
_root_dir->release(_name, _binary_ds) in ~Child de-constructor and by
Static_dataspace_info _binary_ds_info de-constructor.
This commit keeps all binary related information inside a struct which gets
freed up after all noux session book keep cleaning is done.
Issue #485
The netperf test configures the target Genode system for with
10.0.2.55/24. Also, nic_drv on base-linux uses the virtual ethernet
device 'tap0', which must be configured for the test user and network
address 10.0.2.1/24 on the test host like follows.
tunctl -t tap0 -u <user running test>
ip address add 10.0.2.1/24 dev tap
ip link set tap0 up
This patch moves the GDB commands to set a breakpoint in the 'main()'
function into a separate file that can be included from other run scripts.
Fixes#876.
If the path of a Genode source file (as extracted from the binary test
application) contains a part like '/a/b/../' where '/a' exists, but '/a/b'
does not exist anymore, 'tar' complains. With this patch, the run script
normalizes the path before calling 'tar'.
Fixes#875.
- if no affinity was set for a new thread before calling
Cpu_session::start(), the CPU session's affinity gets set for this
thread
- documentation fix: <affinity_space> -> <affinity-space>
Fixes#873.
In case there is not enough quota left to create the trace buffer
or trace policy dataspace throw Out_of_metadata explicitly instead
of rethrowing the Ram_session::Quota_exceeded exception. Now one
can catch Trace::Out_of_metadata exception in a client application.
In addition fix Allocator_guard::withdraw() checks because this
method does not throw any exceptions and a failed withdrawal goes
unoticed.
Fixes#871.
This patch adds some of lwip's checksum calculation options to the
Genode-specific 'lwiptops.h' configuration file. The checksum calculations
are enabled by default.
Fixes#868.
Instead of using msleep to sleep periodically, and then increase jiffies
counter in the alarm scheduler implementation of the timed semaphore
use the 'trigger_periodic' call introduced by the change of the timer session
interface into an asynchronous one. Thereby, we can reduce the necessary IPC
communication with the timer service effectively.
Ref #35
As it turns out using -fPIC was not the issue but discarding certain
sections. The policy_module_table is now located in .data.rel which
needs to be at the beginning of the binary.
Fixes#849.
The regions reported by the RMRR structure are used by legacy devices for DMA
requests. Theses would need to be added to the device_pd to avoid DMAR faults
when used in legacy mode.
For now parse and print them, so that one has a clue about why we get DMAR
faults.
Issue #683
Be more robust. If the attachment fails continue to operate and just print a
error message. Before the commit the device_pd stopped to operate if an
attachment did not succeed.
Issue #683
Only the directories and files which were created in the first place
by the libc port should be removed. Thereby ignore the exit code of
the find command to prevent GNUmake from stopping its execution.
Fixes#841.
Don't account the boottime to the actual compile time - since it varies quite
a lot if somebody else utilize the network with lwip tests for example ;-).
Syscall binding functions which use '__L4_INDIRECT_CALL' need to tell the
compiler that the 'edi' register gets modified. Since 'edi' is an input
operand and input operands may not get added to the clobber list, this
patch defines 'edi' also as an output operand instead.
Fixes#834.
At least 64bit Seoul dies with Region_conflict reliable and reproducible.
When during startup of Seoul some Genode code (caused by executing some
constructors) try to attach a region, the region manager code in the rm_session
will try to place the attachment at the smallest large enough aligned free
virtual region.
For now, I observed one attachment causing trouble (but not knowing who causes
this - it does also not really matter). The questionable region is 0x4000 of
size for 32bit and 0x8000 of size for 64bit.
To steer the region manager a bit, we try now following trick:
With this commit the load address of the binary for 32 and 64 bit is moved
close to the end of the virtual address space, but leaving enough free virtual
space for the above observed attachment (and a bit more).
The region manager code now will try to fill up the virtual region behind
the binary up to the end of the virtual address space, effectively letting the
lower virtual region untouched - hopefully.
Works for now, but it will break again - for sure.
Fixes#519
To avoid build conflicts with Qt5, with this patch, 'qt4_deprecated' needs
to be added to the 'SPECS' variable (in specs.conf) when building for Qt4.
Issue #345.
By now Signal_session_component has allocated initial SLAB
blocks in constructor, wich crashed with the root
components assumptions about the RAM quota needs of
session creation. Thus, if the background allocator was already
exhausted from component allocation the session was created
with broken initial SLAB blocks.
fix#574
If a script is executed which uses a interpreter that does not exist the
construction of the child fails and potentially leaks memory because the
wrong delete operator is called.
Therefore the binary dataspace of the script and the binary dataspace of
the interpreter are now checked before a new child will be created.
Fixes#812.
The assignment of affinities consists of two parts, the definition
of the affinity space dimensions as used for the init process, and
the association sub systems with affinity locations (relative to the
affinity space). The affinity space is configured as a sub node of the
config node. For example, the following declaration describes an
affinity space of 4x2:
<config>
...
<affinity_space width="4" height="2" />
...
</config>
Subsystems can be constrained to parts of the affinity space using
the '<affinity>' sub node of a '<start>' entry:
<config>
...
<start name="loader">
<affinity xpos="0" ypos="1" width="2" height="1" />
...
</start>
...
</config>
This patch extends the 'Parent::session()' and 'Root::session()'
functions with an additional 'affinity' parameter, which is inteded to
express the preferred affinity of the new session. For CPU sessions
provided by core, the values will be used to select the set of CPUs
assigned to the CPU session. For other services, the session affinity
information can be utilized to optimize the locality of the server
thread with the client. For example, to enable the IRQ session to route
an IRQ to the CPU core on which the corresponding device driver (the IRQ
client) is running.
This patch introduces new types for expressing CPU affinities. Instead
of dealing with physical CPU numbers, affinities are expressed as
rectangles in a grid of virtual CPU nodes. This clears the way to
conveniently assign sets of adjacent CPUs to subsystems, each of them
managing their respective viewport of the coordinate space.
By using 2D Cartesian coordinates, the locality of CPU nodes can be
modeled for different topologies such as SMP (simple Nx1 grid), grids of
NUMA nodes, or ring topologies.
r3 contains the recent Nova upstream kernel version plus the Genode specific
extensions and changes as known from r2.
Additionally, the r3 branch
* contains the assign_pci patch now directly,
* adds support for cross CPU IPC,
* fixes some issues with freeing up kernel memory part of r2 and
* update the documentation a bit.
Fixes#814
* read out supported number of CPUs
* start per CPU a thread
* monitor by main thread liveness of remote CPU threads
* add a round variable
* terminate run script after a specific round or after 90s
* on qemu wait 5 rounds, on native runs 40
Add run script to autopilot list
Issue #814
This avoids a deadlock if during issuing a printf the low level IPC fails.
. Printf uses an address space local lock and if we are trying again
to make a printf we deadlock forever ...
This patch eliminates the "no attachment at..." warnings, which
were caused by a use-after-free problem of dataspaces. When a
dataspace was destroyed, the users of the dataspace were not
informed and therefore could not revert possible attachments to
RM sessions. The fix introduces a callback mechanism that allows
dataspace users (i.e., RM regions) to register for the event that
a dataspace vanishes.
The following types of dataspaces are handled:
* RAM dataspaces
* ROM dataspaces
* The process binary
* The binary of the dynamic linker
* Args dataspace
* Sysio dataspace
* Env dataspace
* managed RM dataspaces
The handling of ROM dataspaces is still not complete. When forking,
the ROM dataspace of the parent process gets just reused without
creating proper meta data ('Dataspace_info') for the forked process.
Similar issues might arise from other special dataspaces (e.g.,
args, env, sysio).
This patch removes all "no attachment at..." warnings except for
one (an attachment at 0).
Issue #485
The 'check_dev_tty()' function calls 'ttyname()', which calls the pthread
stub function 'pthread_main_np()', which prints a 'not implemented'
message. Calling 'check_dev_tty()' doesn't seem to be necessary, so this
patch removes the call.
Issue #815.
With this patch, the 'not implemented' messages of the pthread function
stubs always get printed to the Genode log console instead of stdout.
Issue #815.
Previous commit denies the creation of regions larger then the dataspace.
Noux does it by setting the default size to the dataspace size without
subtracting the offset.
Fixes#591
The rm_session implementation expects that offset + size must be
part of one dataspace. Unfortunately the parameters are not checked
properly during an rm::attach.
During an detach memory behind the actual region can be unmapped by such
bogus region entries.
Issues #591
Since RM sessions can be used as dataspaces and dataspace sizes are
supposed to have page granularity, RM session sizes should have page
granularity, too.
Fixes#799.
Forgetting to restore the old utcb content results in hard to debug bugs.
Save only the amount of word items which are actually on the UTCB.
Issue #806
Avoids the message
cxx: operator delete (void *) called - not implemented. A working implementation is available in the 'stdcxx' library
during a " new ..." which causes exceptions. Happens for seoul in disk.cc
Issue #806
The Rpc_exit call is delivered via RPC which results in a deadlock
if the Rpc_entrypoint has not been started yet. To prevent this
situation we active the Rpc_entrypoint explicitly before we call
Rpc_exit.
Fixes#811.
'alloc_skb' might now fail, the Nic component will then send a 'packet
available' signal and return. Fix broken SKB list implementation as well as
completely bogus initialization of SKBs.
Related to #778.
In this case "mv A B" works slightly different than "cp A B; rm A" as
symbolic links come into play. The statements should copy the contents
of A into the symboliv link at B (preserving it as is) and remove A. The
mv would replace the link B by the binary A.
Fixes#805.
When using certain assembler instructions, e.g. 'smc' that are
only available on some CPUs of the same architecture like ARMv7a,
it's necessary to specify the target CPU for the assembler. Otherwise
it will complain about.
Use NATIVE MAX ADDRESS EXT to retrieve last block for LBA48. Also check not only
for enabled LBA48 support but for the 'host protected area' bit before using the
LBA48 version. This is because the high order byte (HOB) data retrieval is
broken in Qemu.
Fixes#761.
Split the netperf run script into 3 ones so that it can be used more easily
in an automated run.
It is solely for foc_arndale by now.
l4linux_netperf.run - use nic via usb2.0
l4linux_netperf-usb30.run - use nic via usb3.0
l4linux_netperf-bridge.run - use nic via usb3.0 + bridge
Split the netperf run script into 3 ones so that it can be used more easily
in an automated run.
netperf.run - use native nic driver (x86) or usb2.0 (arndale, panda)
netperf_usb30.run - use native nic driver (x86) or usb3.0
netperf_bridge.run - use native nic driver (x86) or usb3.0 (arndale) and bridge
Issue #794
- use the generic 'crt0.s' for Linux
- move the read-only '__dso_handle' definition into the '.text' section
- move the '__initial_sp' definition into the '.bss' section
- remove the '_main_utcb' definition
Part of #766.
Until now the print procedure call in the Log_session_component
did contain a hardcoded 'init' string. Adding a method to filter
the session args to prefix the label and labelling the initial
Cpu_connection for the init-process enabled us to remove the
hardcoded string.
Fixes#789.
The given number of bytes is consumed but not actually allocated. This
feature may be used for accounting and use memory within core which is
in fact provided by a session client.
Fixes#792.
* Always download md5sum file and check downloaded binaries
* Extend sleep time in l4linux_netperf script, so that DHCP has enough time
* Fix regexp rule in l4linux_netperf run script to work with MAC addresses
containing only numbers
Fix#787
Sometimes the ports are not freed up quick enough by the host system after the
first test finished. The port restriction is mainly required for qemu, so don't
use it for bare metal hardware tests.
* Add platform_drv for usb_drv, sd_card_drv and ahci
* Add ahci driver and part_blk on top of it
* add linux instance using SATA partition
* add VIM using SATA partition
The window scale option (http://tools.ietf.org/html/rfc1323) patch of lwIP
definitely works solely for the receive window, not for the send window.
Setting the send window size to the maximum of an 16bit value, 65535,
or multiple of it (x * 65536 - 1) results in the same performance.
Everything else decrease performance.
We will have to check this window scale patch before using higher values.
Minor speed improvements of ~6Mbit. Additionally a ethernet frame fits now
into one memory allocation per pbuf. Beforehand two were allocated - one being
1514 bytes and another one being 2 bytes (monitored by instrumenting copy loop
in libports/src/lib/lwip/platform/nic.cc).
lwip reports via getsockopt the size of the default size of the receive buffer
to the netperf server. lwip returns 2GB and netperf server uses this value to
allocate some buffers - which of course fails with out of memory.
Reduces the "default size" to some smaller value.
With the commit we are not forced anymore to (but still can) use specific
netperf client options regarding memory allocations of the receive buffer.
MAERTS is STREAM backwards and effectively lets the netserver sends the packets
to the netperf client. So, TCP_STREAM measure the receive performance of the
lwIP stack on Genode and TCP_MAERTS the send performance of the lwIP stack
on Genode.
Normally this bench has read all data to one large buffer and
than written it back to the drive but for SATA 3 (6 Gbps) benchmarks
we would need a buffer of approximately 1.2 GB to do it this way
and reach 2 seconds bench time. Thus we use a buffer of SATA request size
and override it with every request.
This commit splits the Fiasco.OC-specific extension for the cli_monitor
into one for the Arndale platform, and one for all others. On Arndale
we add the cpu_frequency command beside the ones defined on all platforms.
Initialize and limit port speed to 3 Gbps in general because the Seagate
Barracuda 1TB throws much errors with 6 Gbps by now.
Try all port speeds from the highest to the lowest as long as debouncing fails
and try them all again in this order when falling back to slower debouncing.
Try to recover from all types of interface error.
When a port was recovered from an error during a NCQ command
get the last LBA that was accessed successfully and continue command from
this point.
Use a platform driver through the 'Regulator' service to do CMU and PMU config.
Switch off verbosity by default.
To raise expressiveness of the benchmark it dynamically adjusts the
transfer amount at any test to get a result that was measured
over a transfer time of 2000 ms at least and 2300 ms at a max.
* Retry debouncing first with a higher trial time and if this also doesn't
work with lower link speed additionaly.
* Ignore DevSlp feature because it isn't needed anyway as far as i can see.
* Relax some restrictions according the feedback of the drive as far as it
seem to have no effect in Linux too
Fix#753
The verbosity must be enabled at two levels: at compile time
via an enum that switches the availability of verbosity code
and via two members of 'Mmio' named '_read_verbose' and
'_write_verbose'. The latter are initialized to 0 (change this to
enable verbosity globally) and can be used to locally enable
(or disable) verbosity in deriving classes.
Ref #753
Currently, on the Arndale platform, core uses a different thread context
area base address than the other tasks (0x20000000 vs. 0x40000000). This
is problematic, because core calculates the location of the UTCB area of a
new thread relatively to core's own thread context area base. So, the UTCB
area of non-core threads ends up in a virtual address range which is
outside of the task's thread context area and not marked as used in the
task's RM session.
With this patch, the same thread context area base address gets used in
core and in the other tasks.
Fixes#779.
Added spec file for ARM-VFPv3 floating-point unit. This shadows
'base/include/arm/' with 'base/include/arm/vfp' and enables a 'memcpy_cpu'
version that mainly uses the FPU. Enabled VFP support for 'foc_arndale'.
Ref #773
* Implements platform driver for Arndale providing Regulator for CPU clock
* Implements a cpu frequency scaling test using the affinity test
* Fixes#770
TFTP server requiring absolute directory names are supported (better) -
specify in RUN_OPT "--tftp-absolute" to create Pulsar config with absolute
path names for PXE boot.
Additional a symbolic link is created from the build directory to
"$PXE_TFTP_DIR_BASE$PXE_TFTP_DIR_OFFSET" automatically. This eases the use
together with autopilot for x86.
Commit c464ee2e6673fe328a8717342dca30f3b0204cb8 removed the RX_BUF_SIZE from
the NIC session interface. Mistakenly, the nic_loopback server was missed
when doing this change.
The PWD variable contains the current working directory of the original
location where 'make -C' is executed, not the directory specified as
argument of '-C'. The tools referenced by ports/libports, however,
expect PWD to point to the root of the respective repository.
This patch splits the download of signatures from the download of the
archive to improve robustness. This way, signature files will be
downloaded even if the corresponding archive is already in place.
Issue #748
In fact, the sizes were the same the whole time, but by using
the same enum in both cases to instantiate the Packet_stream_tx
and Packet_stream_rx members of the e.g. RPC object, it allows
for more flexible generalization between e.g. source or, sink
objects, when programming event-driven, and implementing generic
handlers for their signals.
Just use configuration values when existent, otherwise when no configuration
is given use the default values. When an incomplete configuration is given,
take the supplied ones, and for the rest the default ones. Fix#762
Don't use the xhci USB host controller for HID and NIC in the l4linux
run script. It doesn't work on the Pandaboard, and isn't needed for the
Arndale board. Moreover, provide a MAC address, and add a providing
rule in the KDB UART driver to supress ugly warnings. Fix#763
This patch makes the handling of failed integrity checks of 3rd-party
packages more robust. Previously, a once failed 'make prepare PKG=curl'
would not leave any trace of the verification state. Hence, a successive
attempt to perform the 'make prepare' step again succeeded even if the
signature check failed.
To solve this problem, the outcome of a successful signature check is
represented by a tag file called 'download/<archive-name>.verified'.
Because the rule for extracting the archive depends on the .verify tag
file, the extraction step is not performed until the signature check
succeeds.
Issue #748
The downloaded archives for building the tool chain are checked for its
signature before using them. In case of a signature failure, the build
is interrupted.
Issue #748
The signature verification tool uses gpg to verify the detached
signature of the given file.
It also tries to obtain the signing key if it is not part of the local
key ring.
Signature verification implies the verification of the integrity and
authenticity of a given file.
Issue #748
Instead of using a fixed command like picocom in the run tool,
it's better to have the flexibility to set the whole command that
connects to the serial device. Therefore, it's possible for instance
to connect to a remote serial device exported via TCP/IP by using tools
like socat.
This patch introduces a new platform 'linux_arm' for building and running
Genode/Linux on an ARM device.
Known limitations:
- libc 'setjmp()'/'longjmp()' doesn't currently save/restore floating
point registers
Fixes#746.
With this patch, 'liquid_framebuffer' can be reconfigured at runtime.
The configuration arguments are now provided as XML attributes, matching
those for 'nit_fb'. Furthermore, two new configuration options are added:
<config ...
resize_handle="off" - show/hide a resize handle widget in the lower
right window corner
decoration="on" - show/hide window decoration
(title bar and borders)
/>
Fixes#740Fixes#14
This is a first version of the AHCI driver. It supports SATA HDDs
with UDMA-133 only, up to 6 Gbps and native command queueing.
The more blocks one transfers with one command, the higher is the
chance that the driver produces a fatal handshake error. Nevertheless
the driver is stable with one block per ATA command. Although NCQ is
used the driver doesn't queue multiple commands simultanously.
The driver was tested with a western digital HDD "WDC WD2500BEVS-08VAT1
13.01A13" (250 GB) with hw_arndale (run/ahci) and foc_arndale
(run/ahci, run/l4linux: dd). SSDs were not tested.
Fix#706
The previous version of the PS/2 mouse backend manged mouse motion
events in a strange way, effectively throwing away most information
about the motion vector. Furthermore, the tracking of the mouse-button
states were missing. So drag-and-drop in a guest OS won't work. The new
version fixes those issues. For the transformation of input events to
PS/2 packets, a the Genode::Register facility is used. This greatly
simplifies the code.
This patch replaces the error-prone manual locking with the use of the
'Synced_interface' for the motherboard and the VCPU dispatcher. It also
removes all globally visible locks. Locks are now explicitly passed to
subsystems when needed.
This patch moves the implementation of the 'Arm::memory_region_attr'
function from the generic ARM code to the ARM v6/v7 specific code
to enable the customization of page-table bits depending on the
specific CPU core type. I.e., the ARM1176 apparently does not cope
well with setting the 'Tex::bits(2)' for MMIO mappings.
This patch eliminates calls of 'cmpxchg' prior enabling the MMU. This is
needed because the 'ldrex' and 'strex' instructions do not always work
with MMU and L1 cache disabled, i.e., on Raspberry Pi.
Changes GPIO session interface to a one-GPIO-pin-per-session style. Moreover,
this commit introduces a generic driver interface for GPIO drivers. Thereby
generalizes root- and session component for GPIO.
In issue #313 the SO_RCVBUF was intended to be enabled, however the current
lwip port looks for another define LWIP_SO_RCVBUF instead of LWIP_RCVBUF.
Fixes#716
If the target machine is connected locally one may specify
"serial" as target in the RUN_OPT variable to get the test output.
Used for panda and arndale on foc and hw.
Use RUN_OPT="--target ..." to select the backend test method.
Supported values so far:
qemu - qemu + grub bootloader (default)
qemu+pxe - qemu + pulsar bootloader (PXE)
amt - Intel AMT (reset+serial output) + pulsar bootloader
Related to issue #598
A run script which sends raw ethernet packets from the host machine to the
target machine. Three tests are implemented:
- The network_stat instrumented driver of usb_drv and net_drv
are used to get the raw receive performance of the network driver.
- A simple nic_session client is receiving from the un-instrumented network
driver raw ethernet packets.
- A bridge is added between driver and simple nic_session client.
genode_until_run can be called now with a spawn id to able to reattach to a
spawned process (amt, serial output). Run scripts can now call genode_until_run
multiple times.
Additionally, we do the cleanup of the remains of a previously failed
run prior creating the run directory. Otherwise, the directly creation
may fail because of a pending bindmount.
With this patch, the thread context area RM session gets created at
program startup to have the thread context area's virtual address range
reserved right from the beginning.
Fixes#734.
This patch implies that all Genode processes try to create an RM
session. So a route to the RM service must be present even for processes
that have only a single thread. Hence, the patch contains an update of
affected components.
lwIP only supports the 'AF_INET' domain, but doesn't check the 'domain'
argument of the 'lwip_socket()' function.
This patch avoids an error message from lwIP when the Arora browser
tries to connect a socket of the 'AF_LOCAL' domain.
Fixes#732.
The parent-service registry is populated on demand by the
'Loader::Child' whenever a prior unknown service is requested. Since the
number of parent services is limited, we expect the registry to settle
after a while. However, each loader session has a private instance of
a parent-service registry. So when creating and destroying loader
sessions, parent registries will be populated again and again. We
have to make sure to discard the entries along with the destruction
of a loader session to avoid the leakage of memory.
Issue #717
Try to free the metadata of a thread only if created by Genode. The code
did not cause any actual problems. I just stumbled over the inconsistency
while reviewing the code.
Enable optinal support for double buffering in the i.MX53 framebuffer
driver. This prevents flickering in certain scenarios, where applications
directly render in the framebuffer dataspace given by the driver.
* Simplify IPU register definitions using templates
* Distinguish between i.MX53 QSB and SMD board in driver
* Support IPU specific overlay mechanism by framebuffer session extension
With this patch, the 'libc_lwip_nic_dhcp' plugin provides the DNS server
address acquired by lwIP via DHCP in the file '/etc/resolv.conf'.
This feature can be disabled from the config file:
<libc resolv="no" />
The static network interface configuration attributes are now also a part
of the '<libc>' config node:
<libc ip_addr="..." netmask="..." gateway="..." />
Fixes#731.
This commit removes an endless loop, that occurred when the sd_card driver
called usleep, or msleep on its Timer_delayer object. Fixes#705
Also fixes the same problem for the Omap4 GPIO driver.
'Gratuitous ARP' broadcast messages are used to announce newly created
IP<->MAC address mappings to other hosts. nic_bridge-internal hosts
would expect a nic_bridge-internal MAC address in this message, whereas
external hosts would expect the NIC's MAC address in this message.
The simplest solution to this problem is to just drop those messages,
since they are not really necessary.
Fixes#709.
This patch adds the consideration of suddenly disappearing managed
dataspaces in the 'Rm_session_component::reverse_lookup' function.
Previously, this case resulted in a seamingly valid translation.
Fixes#701
This commit simplifies the creation of additional threads and VCPUs in L4linux.
By now, some Genode::Thread_base methods where overridden to use a Fiasco.OC
specific Cpu_session when creating threads.
Recent commit: 297538678e moved the actual creation
of the platform thread into the constructor of the generic Thread_base class.
Thereby the Vcpu class, which extended the Thread_base class, now unnecessarily
created two platform threads for each thread created via Vcpu. Nowadays, the
cpu_session capability is available via the Genode::env() environment. So we can
use the Thread_base parent class for the setup of the platform thread, and
afterwards create a Fiasco.OC specific cpu session client with the same cpu
session capability, Thread_base used for creation, to make use of the L4Linux
specific features of this interface (VCPU enabling, irq object creation etc.).
When destroying a thread, which was not bound to a protection domain via kernel
primitives beforehand, it is critical to change the pager and exregs the thread
in the destruction process. Therefore, this commit introduces two thread states:
DEAD and RUNNING. On the basis of the thread state, we can decide whether to
reset the thread before destroying it, or not.
This patch clears the terminal each time the menu appears and thereby
wipes away artifacts that might occur when combining terminal_mux with
kdb_uart_drv and the kernel prints messages directly.
This fixes issues with several HID keyboards by implementing
get_unaligned_le16(), which obviously may also fix other not-yet-known
issues. Hint: I had to look out for suspicious lines like follows in the
verbose log.
[init -> usb_drv] get_unaligned_le16 called, not implemented
Also, quirks for cherry keyboards are now applied.
Because the template instantiation rules of C++ do not deal well with
null pointers specified as '0', the constructor of 'Local_addr' was
instantiated for [T = int], which does not make sense. To avoid the
warning "cast to pointer from integer of different size", we need to
explicitly state that '0' is a pointer. In C++11, there is the 'nullptr'
keyword, but until we switch to this version, we have to state (void *)0.
In usb.inc all required Linux include files of the Linux code are looked up
by 'sed'ing through the files of SRC_C and SRC_CC. The Linux include files
are then added as dependency to the SRC_C and SRC_CC files and during dependency
resolution symbolic links to the lx_emul.h will be created.
In the platform specific usb.mk file there are the Linux driver files
added, but unfortunately after including usb.inc. So, for them no dependency
to any Linux include header file is generated and so no symbolic files are
generated.
If the driver code file is compiled as first, as for asix.c, the symbolic links
of the include files are missing and compilation fails.
Add the Linux driver code files to SRC_C before including usb.inc in the
platform specific usb.mk files.
Originally, a thread was created at core not before calling the 'start'
function. In order to configure the thread affinity before starting the
thread, we have to make the thread known at core right at construction
time. This patch moves the needed thread-creation sequence from the
'start' function to the '_init_platform_thread' function.
When L4Linux tries to allocate a dataspace of the size of its physical
memory, this allocation can fail, because the 'l4re_ma_alloc()' function
in the 'l4lx' library always tries to allocate a contiguous dataspace of
the given size and there might be no contiguous free area left.
With this patch, memory gets allocated in chunks: if the size to be
allocated exceeds the configured chunk size, a managed dataspace gets
created and filled with multiple memory chunks of at most the chunk size.
The chunk size is 16M by default and can be configured in an l4linux
config node:
<config args="...">
<ram chunk_size="16M"/>
</config>
Fixes#695.
Don't do anything in Mapping::prepare_map_operation. At this point and in the
current implementation, the memory has been mapped and cleared already. Touching
the memory may only pollute the cache causing data corruption in DMA memory.
Fixes issue #452
The KDB UART driver uses the Fiasco(.OC) kernel debugger console as backend
for input and output. This is useful in the case that only one UART is
available.
Fixes#665.
In this version of the transition the Hip structure from Genode is reused,
@nfeskes seoul_libc_support is used for the string functions and the
nul/config.h is replaced by just using a constant value in the one place where
the file was needed.
Related to #666.
- search for alternative virtual address regions upwards, starting from
the given start address, in the 'l4re_rm_attach()' and
'Region_manager::reserve_range()' functions
- don't treat memory locations above 0x80000000 in l4linux's virtual
address space as device memory
- align the start address of the vmalloc area according to the assumption
in 'devicemaps_init()'
Fixes#414.
Explicitly set default mode for legacy interrupts to not rely on kernel
default settings. This patch fixes the constantly busy IRQ threads for
IRQ 1 and 12 as soon as the PS/2 driver was loaded until the point when
the first IRQ occurred.
Remove the 'epit' variable from the generic imx31 and imx53 specification,
and only add it to base-hw specific i.MX specs. Thereby the EPIT timer
library gets build for base-hw only.
Moreover, fix some const-ness issues in the platform_timer implementation
for the EPIT timer.
Fixes#688.
The new core-internal 'Address_space' interface enables cores RM service
to flush mappings of a PD in which a given 'Rm_client' thread resides.
Prior this patch, each platform invented their own way to flush mappings
in the respective 'rm_session_support.cc' implementation. However, those
implementations used to deal poorly with some corner cases. In
particular, if a PD session was destroyed prior a RM session, the RM
session would try to use no longer existing PD session. The new
'Address_space' uses the just added weak-pointer mechanism to deal with
this issue.
Furthermore, the generic 'Rm_session_component::detach' function has
been improved to avoid duplicated unmap operations for platforms that
implement the 'Address_space' interface. Therefore, it is related to
issue #595. Right now, this is OKL4 only, but other platforms will follow.
This enables us to use the run scripts applied to a native machine equipped
with Intel's AMT. If the environment variables are correctly set up, the remote
test machine is reseted via 'amttool', then via 'amtterm' the serial output
is collected and the normal run script matching pattern for success/failure of
the run script are applied.
'amttool' and 'amtterm' are part of the package called 'amtterm' shipped with
the Linux distributions like Ubuntu, Debian and lot more.
Following environment variables are required, to run the run scripts with a
native AMT test machine:
PXE_TFTP_DIR_BASE - absolute path of TFTP directory
PXE_TFTP_DIR_OFFSET - relative path to PXE_TFTP_DIR_BASE where the config file
will be generated - named 'config-00-00-00-00-00-00'
AMT_TEST_MACHINE_IP - TCP/IP address of target AMT test machine
AMT_TEST_MACHINE_PWD - password of target AMT test machine
Issue #679
Since checking if the certificate is valid is not that important
(we currently do not check the signature of the archive which is the
bigger issue) we disable the checking to prevent certain wget version
from refusing to download the archive.
Fixes#681
mkisofs is the original ISO creation tool from cdrtools available on
many UNIX systems. genisoimage on the other hand is part of a mostly
unmaintained fork of cdrtools very specific to Debian Linux and its
derivates (e.g., Ubuntu). Fortunately, genisoimage (as we used it) is
completely invocation-compatible to mkisofs.
Fixes#627.
Instead of trying all PCI devices by a specific PCI driver, now the device or
the device class can be limited to the one actually supported by the specific
driver.
The "strncpy - not implemented" message appeared on the use of libpng.
Even though it did not cause trouble, spilling the log with such
easy-to-fix issues should better be avoided.
Bender fixes the serial output on modern PC hardware. Prior this patch,
it was used only when combined with pulsar. Now, we also use it when
booting via GRUB.
Allocate ever an extra page behind the commandline pointer. If it turns out
that this page is unused, because commandline was short enough, unmap the
memory and put the virtual and physical regions back to the allocator.
Fix#664
With this patch, the 'futex' syscall gets used for blocking and unblocking
of threads in the Linux-specific lock implementation.
The 'Native_thread_id' type, which was previously used in the
lock-internal 'Applicant' class to identify a thread to be woken up,
was not suitable anymore for implementing this change. With this patch,
the 'Thread_base*' type gets used instead, which also has the positive
effect of making the public 'cancelable_lock.h' header file
platform-independent.
Fixes#646.
Revoke the right to set the portal id (aka label) when it is not needed
anymore. Otherwise everybody in the system having a mapping of the portal can
reset the label to something we don't expect.
Issue #667
In base-fiasco, base-foc and base-pistachio, physical memory gets mapped
1:1 to core virtual memory. When the 'Ram_session_component' allocates
physical memory for a client, it zeroes out the corresponding area in
core's virtual address space and then maps the area to the client. If this
area overlaps with core's virtual thread context area (usually at
0x40000000-0x4fffffff), the stack of one or more core threads can get
overwritten.
To avoid this problem, with this patch, the thread context area gets
removed from the physical RAM allocator on these platforms.
Fixes#660.
Without the patch the signal cap was ever transferred to the timer session
when a usleep/msleep was called, even when unneeded. On base-nova this
causes the allocation of new capability indexes which are not freed up.
So the timer service run quickly out of indexes and get out of order...
Related to issue #1
This happened when I killed one of the genode clients which was
tracked via an expception_handler. In this case the wait4 syscall
returned 0 and the for(;;) was looped eternally. This caused an
100% CPU utilization for the core binary.
Make 'context_area_virtual_base' platform configurable. On Arndale, we
need to move the context area to a location that does not interfere with
the address range of physical memory.
The new terminal_mux server is able to provide multiple terminal
sessions over one terminal-client session. The user can switch
between the different sessions using the keyboard shortcut C-y,
which brings up an ncurses-based menu.
This patch moves the further reusable parts of the terminal into public
header files. It also slightly tweaks the color table to give all colors
a similar brightness level.
This patch moves the os/config examples to their respective run scripts,
removes some of them, and moves the priority example to the src/init
directory (where other examples are located).
Additionally, this patch adapts the OKL4-specific priority.run test to
the recent changes of the timer interface.
This base platform is no longer maintained.
For supporting the Microblaze CPU in the future, we might consider
integrating support for this architecture into base-hw. Currently
though, there does not seem to be any demand for it.
With the change of the Timer::Session interface, all scenarios that use
the timer use core's SIGNAL service. So we need to route sessions
accordingly.
In addition to the adaptation to the changed timer, this patch removes
some stale examples that predate the run tool and are no longer used.
This patch simplifies the way of how Genode's base libraries are
organized. Originally, the base API was implemented in the form of many
small libraries such as 'thread', 'env', 'server', etc. Most of them
used to consist of only a small number of files. Because those libraries
are incorporated in any build, the checking of their inter-dependencies
made the build process more verbose than desired. Also, the number of
libraries and their roles (core only, non-core only, shared by both core
and non-core) were not easy to capture.
Hereby, the base libraries have been reduced to the following few
libraries:
- startup.mk contains the startup code for normal Genode processes.
On some platform, core is able to use the library as well.
- base-common.mk contains the parts of the base library that are
identical by core and non-core processes.
- base.mk contains the complete base API implementation for non-core
processes
Consequently, the 'LIBS' declaration in 'target.mk' files becomes
simpler as well. In the most simple case, only the 'base' library must
be mentioned.
Fixes#18
With the use of the new timer interface, each timer client uses signals.
Hence, programs that have not used signals before will consume slightly
more quota. This is the case for the moon test (triggered on foc_x64_64
only).
The distinction between 'ipc.h' and 'ipc_generic.h' is no more. The only
use case for platform-specific extensions of the IPC support was the
marshalling of capabilities. However, this case is accommodated by a
function interface ('_marshal_capability', '_unmarshal_capability'). By
moving the implementation of these functions from the headers into the
respective ipc libraries, we can abandon the platform-specific 'ipc.h'
headers.
By using the build system's library-selection mechanism instead of many
timer targets with different 'REQUIRES' declarations, this patch reduces
the noise of the build system. For all platforms, the target at
'os/src/drivers/timer' is built. The target, in turn, depends on a
'timer' library, which is platform-specific. The various library
description files are located under 'os/lib/mk/<platform>'. The common
bits are contained in 'os/lib/mk/timer.inc'.
The 'Timer::Session::msleep' function is one of the last occurrences of
long-blocking RPC calls. Synchronous blocking RPC interfaces turned out
to be constant source of trouble and code complexity. I.e., a timer
client that also wants to respond to non-timer events was forced to be a
multi-threaded process. This patch replaces the blocking 'msleep' call
by a mechanism for programming timeouts and receiving wakeup signals in
an asynchronous fashion. Thereby signals originating from the timer can
be handled along with signals from other signal sources by a single
thread.
The changed interface has been tested on Linux, L4/Fiasco, OKL4, NOVA,
L4ka::Pistachio, Codezero, Fiasco.OC, and hw_pbxa9. Furthermore, this
patch adds the timer test to autopilot.
Fixes#1
Cap_sessions and portals created via the sessions are nowadays freed up during
c++ object destruction. Because of that the exception portals for a vCPU thread
get be revoked as soon as the cap_session object leaves its scope.
Keep one cap_session for the whole lifetime of the vmm to avoid disappearing
exception portals.
Related to #582.
The setup now uses nitpicker and nit_fb to display several instances of
vancouver. The guest OS binaries must be supplied in the
'<build-dir>/bin' directory manually.
Furthermore, the patch lets launchpad pass Block, Nic, and Rtc to the
parent.
Vancouver can now assign block devices to guests using the Block
interface. The machine has to be configured to use a specified drive,
which could be theoretically routed to different partitions or services
via policy definitions. Currently the USB driver only supports one
device. Genode's AHCI driver is untested.
If the session quota is too low, random pagefaults can occur on the
stack.
According to @Nils-TUD, it is necessary to protect the DiskCommit
messages with a lock against deadlocking with the timer. Observations
showed that this mitigates some problems with Gentoo on real hardware.
Vancouver is now able to use the Intel 82576 device model from NUL to
give VMs access to the network via the nic_bridge service. In order to
integrate the device model, it had to be renamed to i82576 due to XML
limitations. This is done by a patch applied via the 'make prepare'
mechanism.
Although current network card models in Vancouver panic if they can't
get a MAC address, the OP_GET_MAC hostop now fails gracefully in the
case where no nic_drv or nic_bridge is available.
The guest VM can now be provided with a framebuffer and keyboard input.
Mouse positioning of the guest is a problem. Because the PS2 model applies
some calculations to the movement values, it can happen that overflows mess
with the cursor. Therefore the handling was changed and only movements of 1
and -1 are sent. Since absolute positioning is not possible with PS2, we
have to live with this limitation until USB HID is implemented.
For the framebuffer size in Vancouver the configuration value in the machine
XML node is used. It is possible to map the corresponding memory area
directly to the guest, regardless if it is from nitpicker,
liquid_framebuffer or vesa_drv. The guest is provided with two modes (text
mode 3 and graphics mode 0x114 (0x314 in Linux).
Pressing LWIN+END while a VM has focus resets the virtual machine. Also,
RESET and DEBUG key presses will not be forwarded to the VM anymore.
It is possible to dump a VM's state by pressing LWIN+INS keys.
The text console is able to detect idle mode, unmaps the buffer from the
guest and stops interpreting. Upon the next pagefault in this area, it
resumes operation again. The code uses a simple checksum mechanism instead
of a large buffer and memcmp to detect an idle text console. False
positives don't matter very much.
When an EPT/NPT fault occurs during IDT vectoring, the original event must
be reinjected. Additionally we may have to inject an IRQ window if another
event is already pending.
core does not use POSIX threads when built for the 'lx_hybrid_x86'
platform, so we need to reserve the thread-context area via a segment in
the program to prevent clashes with vdso and shared libraries.
Fixes#639.
The default constructor didn't initialize all members, some of them holding
pointers. In the de-constructor the _name pointer was tried to free up, even
when it was not initialized.
Avoid any hassle for uninitialized members and just initialize it. Fixes
sporadic page fault on x86_64 base-nova.
Issue #155
Some shared libraries of the host system contain search paths for finding
other needed shared libraries. These paths get evaluated only by a native
linker. To find all needed shared libraries, with this patch, the host
linker is used to link hybrid applications.
Fixes#645.
reverts 68156918ee
"base: apply thread.cc fix of foc to base"
Depending on the context area a fixed location is calculated where the
memory for the stack is attached to. If the context area is released before the
detach call, the very same context area can be reused and memory for the new
stack is attached for a new thread. The detach of the old thread would then
revoke the mapping for the new thread which will cause a un-handled page fault.
Issue #549
Prior this patch the startup lock was not released if the call of
'_associate()' failed. In this condition, the caller of the constructor
was infinitely blocked.
During a ram_session->free call in 'core' the lock in core_env.h is taken.
Then in the ram_session::_free_ds implementation the dissolve function for the
dataspace is called. base-nova tries to make sure that the ds is not
accessible anymore by any kind of parallel incoming IPC by performing a
cleanup IPC. Unfortunately the dataspace_session implementation uses the very
same allocator in 'core' and may require to obtain the same lock as taken in
ram_session->free. This leads to a spurious deadlock on base-nova.
The actual free_ds implementation is mostly thread safe, since all used objects
inside there are already locked. The only missing piece is the _payload
variable. By changing the _payload variable in a atomic fashion there is no
need to lock the whole ram_session->free call which avoids deadlocks on
base-nova.
Fixes#549
The cleanup call must be performed already during the _dissolve function
shortly after the object at the cap_session is freed up. Otherwise there
is the chance that an in-flight IPC will find the to be dissolved function
again.
Bomb test triggered the case, that a already dissolved rpc_object was found
by a in-flight IPC. If the rpc_object was already freed up by alloc->destroy
the thread using this stale rpc_object pointer cause page-faults in core.
Fixes partly #549
As first step the rpc object must be freed up so that the kernel object
(portal) vanishes. Then the object must be removed from the internal object
pool list so that the object can't be obtained anymore. And then the cleanup
call can be performed (_leave_server_object) since now all names to the
rpc_object are gone.
Doing it in different order (as before the commit) there is a very very little
chance (but the bomb test triggers it occasionally) that the rpc_object can be
obtained again by an incoming IPC - even it is already scheduled for removal.
Fixes partly #549
If page faults are handled concurrently (as for base-nova) the traverse lookup
call in rm_session_component must be thread safe, which it isn't.
If the faulting area is backed by nested dataspaces which are managed by
various rm_sessions then a race happens under following circumstances
(triggered occasionally by the bomb test).
The traverse lookup may return a pointer to a rm_session of a nested dataspace.
If the rm_session is in parallel subject to destruction it happened that faults
got enqueued to the faulters list of the deleted rm_session and internally to
a list of the current rm_session of the Rm_client.
During destruction of the faulting Rm_client the associated rm_session will
be dissolved from the Rm_client, which leads to dereferencing the
dangling pointer of the already destructed rm_session.
On base-nova the memory of the rm_session object get unmapped eventually, so
that the de-referencing of the dangling pointer caused page faults in core.
The memory on other kernels inside core never get unmapped so that the
bug doesn't trigger visible faults.
The patch replace the keeping of a rm_session pointer by keeping a
capability instead. The rm_session object must be looked up now explicitly in
the Object_pool implementation, which implements proper reference counting on
the rm_session object.
Issue #549
Since we have now more than a handful patches to the vanilla kernel, we
better switch to a separate git repository in order to review and to maintain
the patches more effectively.
Remove the patches, they are already in the kernel branch.
Fixes#394
Warnings like the following:
warning: narrowing conversion of ‘((Genode::Platform_pd*)this)->Genode::Platform_pd::_space_id’ from ‘int’ to ‘Codezero::l4id_t {aka unsigned int}’ inside { } is ill-formed in C++11 [-Wnarrowing]
First make the clients inaccessible and dissolve them from the entrypoint. If
this isn't the first step the clients may be obtained again between
the unlock and lock steps in the destructor.
Additionally the clients may be removed in between the unlock and call
sequence, which renders such client pointers dangling and causes spurious page
faults. Keep instead a lock as long as possible and when it is required to
release a lock, then the pointer to the objects must be revalidated.
Replace the dissolve function with a remove_client implementation as suggested
by #13, which avoids that the cpu_session may call dissolve with a dangling
pointer of a already removed rm_client object. Instead the pager must be
released explicitly.
Related to issue #549
Related to issue #394
Related to issue #13
This patch removes the 'soname' link option for building the host
library for the 'lx_hybrid_ctors' test. Without this option, the
library's absolute path at build time gets hardcoded into the
application, which should be okay for this simple test case.
Fixes#638.
If we ran out of capabilities indexes, the bit allocator throws an exception.
If this happens the code seems to hang and nothing happens.
Instead one could catch the exception and print some diagnostic message.
This would be nice, but don't work. Printing some diagnostic message itself
tries to do potentially IPC and will allocate new capability indexes at
least for the receive window.
So, catch the exception and let the thread die, so at least the instruction
pointer is left as trace to identify the reason of the trouble.
Fixes#625
If an exception is thrown the lock is released automatically, so that
other callers may get a capability index if in between some are freed. Fixes
some deadlocks if Genode is short on capability indexes.
Related to #625
Currently, the hello run script of the hello_tutorial misses some services the
timer driver needs on various platforms. The hello_tutorial is meant for
educational purposes only. So it's desireable to keep it simple. Instead of
complexifying the configuration, this commit just removes the timer from the
example.
By now, the memcmp implementation of Genode's basic string utilities just
returned whether two memory blocks are equal or differ. It gave no hint which
block is greater, or lesser than the other one. This isn't the behaviour
anticipated by implementations that rely on the C standard memcmp, e.g. GCC's
libsupc++, or the nic_bridge's AVL tree implementation.
With this patch, the 'Signal_receiver::dissolve()' function does not return
as long as the signal context to be dissolved is still referenced by one
or more 'Signal' objects. This is supposed to delay the destruction of the
signal context while it is still in use.
Fixes#594.
With this change, init becomes able to respond to config changes by
restarting the scenario with the new config. To make this feature useful
in practice, init must not fail under any circumstances. Even on
conditions that were considered as fatal previously and led to the abort
of init (such as ambiguous names of the children or misconfiguration in
general), init must stay alive and responsive to config changes.
This patch improves the config handling by falling back to a static
string (empty "<config />") if no valid config ROM module could be
found. This can happen initially, but also at runtime when the ROM
module dissapears, e.g., a ROM module accessed via fs_rom where the
corresponding file gets unlinked.
This patch introduces keyboard-focus events to the 'Input::Event' class
and changes the name 'Input::Event::keycode' to 'code'. The 'code'
represents the key code for PRESS/RELEASE events, and the focus state
for FOCUS events (0 - unfocused, 1 - focused).
Furthermore, nitpicker has been adapted to deliver FOCUS events to its
clients.
Fixes#609
This patch extends the file-system interface with the ability to monitor
changes of files or directories. The new 'File_system::sigh' function
can be used to install a signal handler for an open node.
The 'ram_fs' server has been enhanced to support the new interface. So
any file or directory changes can now be observed by 'ram_fs' clients.
Fixes#607
Remove signal context object from signal source component list (_signal_queue)
before destruction, otherwise we get a dangling pointer.
On native hardware for base-nova, the signal source thread triggered page
faults in the Signal_source_component::wait_for_signal() method when the signal
context got freed up in Signal_session_component::free_context but was still
enqueued in Signal_source_component::_signal_queue.
Fixes#600
With this patch the destruction of Noux 'Child' objects gets delayed
further until the exit signal has been dispatched. This prevents the
self-destruction of the signal dispatcher, which is a member of the
'Child' object.
Fixes#603.
Several users of the signal API used custom convenience classes to
invoke signal-handling functions on the reception of incoming signals.
The 'Signal_dispatcher' pattern turned out to be particularly useful. To
avoid the duplication of this code across the code base, this patch
adds the interface to 'base/signal.h'.
Furthermore, the patch changes the 'Signal::num()' return type from int
to unsigned because negative numbers are meaningless here.
Fixes#511
When matching the 'label' session argument using '<if-args>' in a
routing table, we can omit the child name prefix because it is always
the same for all sessions originating from the child anyway. Therefore,
this patch adds a special case for matching session labels. It makes the
expression of label-specific routing more intuitive.
Add functionality to lookup an object and lock it. Additional the case is
handled that a object may be already in-destruction and the lookup will deny
returning the object.
The object_pool generalize the lookup and lock functionality of the rpc_server
and serve as base for following up patches to fix dangling pointer issues.
When releasing a lock we must take care that all state is written back to
memory and is not cached in registers. The volatile flag of the lock variable
only means to the compiler that this value must be written immediately.
Other values changed before may be kept by the compiler in registers, which we
don't want here.
Additionally the compiler is free to reorder the code in order to optimize.
That means the code we intend to be executed inside the critical section can
get be reordered and can be executed after we reset the lock variable in the
unlock implementation. The volatile statement of the lock variable doesn't
prevent reordering of instructions which are independent.
By adding a explicit memory barrier, we force the compiler to generate code
that writes back all the register content to memory/cache (and avoid a
bunch of hard to find bugs ...)
Merge core only libs into the target make-files.
Use base-hw specific Board drivers that inherit
from generic Board_base.
Use Page_flags::access_t instead of additional
page_flags_t.
Fix#570
As iPXE header files are not C++ compatible, the implementation missed
proper include directives. For example, alloc_memblock() had a wrong
signature, which was not detected. Now, C wrapper functions are
implemented using a local API to the C++ backend.
Related to #593.
With this patch, the loader installs an optional client-provided fault
handler as default CPU exception handler and RM fault handler for all
CPU and RM sessions of the loaded subsystem. This way, loader clients
become able to respond to failures occuring within the subsystem.
The new feature is provided via the added 'Loader::fault_handler' RPC
function.
The 'run/failsafe' test covers two cases related to the loader, which
are faults produced by the immediate child of the loader and faults
produced by indirect children.
The CPU session interfaces comes with the ability to install an
exception handler per thread. This patch enhances the feature with the
provision of a default signal handler that is used if no thread-specific
handler is installed. The default signal handler can be set by
specifying an invalid thread capability and a valid signal context
capability.
Furthermore, this patch relaxes the requirement of the order of the
calls of 'exception_handler' and 'set_pager'. Originally, the exception
handler could be installed not before setting a pager. Now, we remember
the installed exception handler in the 'Cpu_thread' and propagate to to
the platform thread at a later time.
With this patch, core responds to SIGCHLD signals of terminating Genode
processes by reflecting these events as exceptions to the CPU session
interface. This way, Genode processes become able to respond to
terminating Genode child processes.
Implement the same semantic like L4Re for the initialization of the initramfs
dataspace. Although, it didn't lead to problems right now, this commit might
prevent future problems.
With this patch hybrid applications get linked with the Genode GCC's
'crtbegin.o' and 'crtend.o' files instead of the host GCC's versions
to avoid compatibility problems. This only affects the 'linux_x86'
platform, since on the 'lx_hybrid_x86' platform the Genode GCC is the
host GCC.
Fixes#550.
It happens that ram_session and rm_session itself are invoking alloc
respectively free on the very same sliced heap inside core.
Lock only the sliced_heap list implementation and let the session locking to
the session implementation of rm_session and ram_session.
The ram_session and rm_session must take care to proper lock since inside
both implementations already the session handling thread and the service thread
are running parallel.
With commit 1389b63050 in thread.cc for base-foc
a bug was fixed, where the memory of the context got freed up before running
the de-constructor.
Apply the fix also to base and base-mb.
For base-nova thread creation related exception can be thrown, since the
Pager_objects are threads. Catch the exception and re-throw the
expected/documented exception in rm_session.
This commit avoids that core dies with an unhandled exception if a thread
couldn't be created (e.g. because the limit has been reached).
Sanity check that the context area has been attached. Otherwise the code
later tries to access the context area and core dies with a unhandled page
fault.
Open VCPU interrupts while the VCPU is in an IPC operation can badly influence
its state. That's why this commit fixes a whole bunch of places, where IRQs
weren't masked by now.
We have to take the block queue's spin lock before invoking the interrupt
routine, otherwise the AVL tree og Genode's block packet stream gets
corrupted.
If no platform thread was created before somebody destroys a thread object,
there is no valid UTCB available. Thereby, we've to check this before accessing
the UTCB when destroying a thread object.
This should ensure that the directory is created before trying to
create a file within it.
This hopefully fixes errors like the following when using parallel
builds:
checking library dependencies...
/bin/bash: line 19: var/libdeps: No such file or directory
make[5]: *** [init_libdep_file] Error 1
The Linux version of core used a part of the BSS to simulate access to
physical memory. All dataspaces would refer to a portion of 'some_mem'.
So every time when core would access the dataspace content, it would
access its local BSS. For all processes outside of core, dataspaces were
represented as files. This patch removes the distinction between core
and non-core processes. Now, core uses the same 'Rm_session_mmap'
implementation as regular processes. This way, the 'some_mem' could be
abandoned. We still use BSS variable for allocating core-local meta
data through.
Instead of allocating and freeing the space that is needed for the
kernel thread objects from core, wich is not convenient with the
quota system, platform thread now holds the space as array by
itself.
Unfortunately we cannot measure the space size by a static function
anymore, so kernel thread had to be moved from kernel.cc into its
own header. This way platform thread can use sizeof().
Fix#543
The Gentoo-specific section should be taken offline until the overlay
got updated.
Version 12.11 adds a binary package for x86_64 in addition to x86_32.
The generic 'sleep_forever()' function creates an Ipc_server object which
might not get cleaned up correctly when the thread gets destroyed and
unneeded capability references could remain and drain the capability index
allocator. With this patch a lock gets used on thread exit instead of
calling 'sleep_forever()'.
Fixes#538.
This patch reflects eventual allocation errors in a more specific way to
the caller of 'alloc_aligned', in particular out-of-metadata and
out-of-memory are considered as different conditions.
Related to issue #526.
In the recent change of the RPC-entrypoint destruction, the
'~Rpc_entrypoint' calls 'Thread_base::join'. Hence, we need to provide
an implementation wherever RPC entrypoints are used.
Revert the core-local mapping created in 'Ram_session_component::_clear_ds()'
and free the virtual memory region allocated for this mapping when a
RAM dataspace gets freed.
Fixes#416.
When finishing a block request in the L4Linux block stub driver,
we#ve to hold the queue lock before using __blk_end_request_all, or
simply use blk_end_request_all instead. Moreover, this commit simplifies
the lock/unlock behaviour when the block queue has to be stopped, or resumed.
Thanks to I. Ismagilov for these suggestions.
File_io_channel now includes ioctl() because pseudo devices which are
implemented as a file-system, e.g. /dev/tty, are controlled via ioctl()
requests. The method is exported to the Vfs through the Vfs_io_channel
class.
The random file-system provides an arc4 based urandom implementation
which is needed for OpenSSL.
NOTE: the Arc4random class currently _does not collect enough_ random
bytes!
We will reuse the terminal connection in the stdio filesystem
to implement /dev/tty. Therefor we need to access the terminal
from different locations which is simplified if it is provided
by a singleton.
This patch improves the life-time management of socket descriptors and
addresses several corner cases exposed by the 'bomb' test.
The lookup and association of file descriptors with global IDs have been
turned into an atomic operation. Otherwise, multiple threads interacting
with the singleton 'ep_sd_registry' may override each other's
associations.
Closing the socket pair used for the reply channel has been implemented
via the RAII pattern to capture all corner cases, in particular
exceptions.
If blocking operations are interrupted by signals, we throw a
'Blocking_canceled' exception.
We preserve core's socket descriptor at 'PARENT_SOCKET_HANDLE' to avoid
a corner case where the parent capability is going to dup2'ed to the
same handle.
Support for 'Thread_base::join' within core to enable leaving Genode via
Control-C.
This patch introduces clean synchronization between the entrypoint
thread and the caller of the 'Rpc_entrypoint' destructor. The most
important change is the handling of the 'Ipc_server' destruction. This
object is in the local scope of the server's entry function. However,
since the server loop used to be an infinite loop, there was hardly any
chance to destruct the object in a clean way. Hence, the
'Rpc_entrypoint' destructor used to explicitly call '~Ipc_server'.
Unfortunately, this approach led to problems because there are indeed
rare cases where the server thread leaves the scope of the entry
function, namely uncaught exceptions. In such a case, the destructor
would have been called twice.
With the new protocol, we make sure to leave the scope of the entry
function and thereby destroy the 'Ipc_server' object as expected. This
is achieved by propagating the exit condition through a local RPC call
to the entrypoint. This way, the blocking state of the entrypoint
becomes unblocked. Furthermore, '~Rpc_entrypoint' makes use of the new
'join' function to wait for the completion of the server thread.
The block count in DMA requests is limited to 8 bit. Therefore,
if a client requests more than 255 blocks in a single packet request,
split the request in a loop.
'Bender' can detect serial ports accessible via PCI and writes the I/O ports
to the Bios Data area (BDA).
Usage together with the PXE bootloader ease life running Genode/NOVA on native
hardware, where a standard serial device isn't available anymore anywhere.
We don't can use map_local_one_to_one for boot modules because it happens
that boot modules can be at addresses above physical 3G boundary for x86_32.
Defer the mapping of modules until the point where the core allocators
are set up properly and then remap the physical pages to virtual addresses
below 3G.
If the I/O ports are non default (3f8), we had to specify manually the correct
I/O ports. With this commit the BDA is read and the I/O port of the first
serial interface (COM) is taken. If no serial interface is available no device
configuration will be undertaken.
There is no obvious reason for having two different SPEC variables, definitions,
and pathes for the Pandaboard platform. It even lead to problems regarding the
omap4 framebuffer driver (look at issue #505 and #506).
By now there is no use case for read/write a single register
of a thread state. Thus the new syscalls 'read_thread_state' and
'write_thread_state' replace the old ones 'read_register' and
'write_register'.
Add 'resume_faulter' syscall that is similar to 'resume_thread', but
is called only when resuming a thread after resolving its pagefault.
This way the kernel can flush caches after resolving a pagefault. This is
because by now the MMU doesn't use caches when doing a pagetable walk.
'Page_flags' maps application-specific memory attributes
to the TLB-specific memory attributes. Thereby it avoids
functions with lots of parameters, by declaring appropriate
bitfields on a single POD value.
With this patch the make install target for Noux applications gets defined
in the 'NOUX_INSTALL_TARGET' make variable with 'install-strip' as default.
Fixes#503.
With this patch, custom UIDs and GIDs can be assigned to individual
Genode processes or whole Genode subsystems.
The new 'base-linux/run/lx_uid.run' script contains an example of how to
use the feature.
Fixes#510
On Linux, we want to attach additional attributes to processes, i.e.,
the chroot location, the designated UID, and GID. Instead of polluting
the generic code with such Linux-specific platform details, I introduced
the new 'Native_pd_args' type, which can be customized for each
platform. The platform-dependent policy of init is factored out in the
new 'pd_args' library.
The new 'base-linux/run/lx_pd_args.run' script can be used to validate
the propagation of those attributes into core.
Note that this patch does not add the interpretation of the new UID and
PID attributes by core. This will be subject of a follow-up patch.
Related to #510.
This ensures that the cwd of the process is within the chroot
environment, improving security for root processes.
The cwd after the chroot is the same as before, this is needed to
start binaries given as relative path name.
Using the new 'join()' function, the caller can explicitly block for the
completion of the thread's 'entry()' function. The test case for this
feature can be found at 'os/src/test/thread_join'. For hybrid
Linux/Genode programs, the 'Thread_base::join()' does not map directly
to 'pthread_join'. The latter function gets already called by the
destructor of 'Thread_base'. According to the documentation, subsequent
calls of 'pthread_join' for one thread may result in undefined behaviour.
So we use a 'Genode::Lock' on this platform, which is in line with the
other platforms.
Related to #194, #501
When an IPC server is finalized two important things should happen:
First, the association of the server socket with a capability must be
invalidated. And finally, the server socket pair (server side and client
side) must be closed.
Related to #38.
The IPC-server object exists solely on the stack of the entrypoint
thread and, therefore, would never be destructed as the thread is just
killed. Now, the object is explicitly destructed in the entrypoint
destructor. An alternative solution could instruct the entrypoint thread
the terminate, which would automatically cleanup its stack.
The object pool is assumed to be empty on destruction of the entrypoint.
If not, we warn and at least dissolve all RPC objects.
Set the right bg color instead of using a dimmed version of the fg
color. The colors are stored in the first 6 bits of the color index.
Thereby the first 3 bits contain the fg and the second 3 bits the
bg color.
The debug message in _handle_esc_seq5() now shows the sequence in
question.
Fixes#495.
Since the number of the fds in the select call is not necassarily equal
to the number of fds SYSCALL_SELECT returns we have to reset the number
of fds given as argument to select().
This keeps OpenSSH from reading from a non-ready socket.
Fixes#494.
Currently the lookup of a specific record in a tar archive may take a long
time, because the records get searched in sequence. With this patch a tree
structure representing the directory layout gets created when loading the
tar file for speeding up record lookups.
Fixes#491.
The previous implementation disregards the fact that we actually have
to use libc's plugin mechanism if we play with fds. So in the end the
libc did not know to which plugin the fd belonged.
Fixes#493.
You cannot check an unsigned size_t variable for underflow, so I
changed the code to first check if an underflow would occur before
performing the subtraction.
Fixes#489.
'Core_tlb' ensures that core never throws pagefaults,
in contrast to its base 'Tlb' that is planned to use displacement
in the future.
'Core_tlb' enables the application of differenet memory attributes
in core, according to the board specific partitioning of the physical
address space. This way it enables caching in core.
Enable caches. Core is not cached by now. This is because kernel
creates core space and doesn't know any memory attributes by now.
Cacheable pages are cached write-through without write-allocate.
Caching and write-combining is not supported for IOMEM by now.
Implement 'Signal_receiver::pending()'.
Provide display-subsystem MMIO.
Avoid method ambiguousness in 'Irq_context' in
'dde_linux/src/drivers/usb/signal/irq.cc'
(it derives from two list element classes when using 'base_hw').
Enables demo scenario with 'hw_panda_a2'.
Fix bug regarding idle thread in thread scheduling in
'base-hw/src/core/kernel.cc'.
Fix regarding signal submit in signal framework in
'base-hw/src/core/kernel.cc'.
Implies support for the ARMv6 architecture through 'base-hw'.
Get rid of 'base/include/drivers' expect of 'base/include/drivers/uart'.
Merge with the support for trustzone on VEA9X4 that came from
Stefan Kalkowski.
Leave board drivers in 'base/include/platform'.
Rework structure of the other drivers that were moved to
'base_hw/src/core' and those that came with the trustzone support.
Beautify further stuff in 'base_hw'.
Test 'nested_init' with 'hw_imx31' (hardware) and 'hw_panda_a2' (hardware),
'demo' and 'signal' with 'hw_pbxa9' (qemu) and 'hw_vea9x4'
(hardware, no trustzone), and 'vmm' with 'hw_vea9x4'
(hardware, with trustzone).
The new 'Uart::Session' interface is an extension of the
'Terminal::Session' interface that allows for configuring UART-specific
parameters, i.e., the baud rate.
This patch introduces principal support for extending session interfaces
with specialized functionality in a clean way. For example, an 'Uart'
interface may implement the 'Terminal' interface but also offers
additional functions for setting the baud rate. A service that
implements the 'Uart' service will then automatically announce both the
'Uart' and 'Terminal' services.
Extend tracking of delegated and of translated items. The additional
information is used to solely free up unused/unwanted mapped capabilities and
to avoid unnecessary revokes on capability indexes where nothing have been
received.
Fixes#430
Since FD_ZERO() resets a whole fd_set (which is 128 bytes) using it to
reset dst_fds will override otherwise used memory if the memory was
allocated dynamically and is less than sizeof (fd_set). So instead of
using this macro we reset the fd_set manually.
The Io_receptor is now used to unblock certain I/O channels from lwip's
callback-function.
There was also a bug in which all ready-to-ready fds were overriden by
the ready-to-write ones.
The Socket_io_channel class now uses the Io_channel_backend to provide
the network related methods. In addition the Socket_io_channel_registry
was replaced with a simpler implementation which uses Io_receptors to
unblock I/O channels from the callback-function of lwip.
This patch fixes the 'lx_hybrid_pthread_ipc.run' test. In order to use
the 'Genode::Lock' we need to set the SIGUSR1 handler to an empty handler.
Normally, this happens when creating a thread via the Genode API. But as
this test creates a thread via the pthread library and thereby bypasses
the Genode API, the signal handler remained unset.
Using the host compiler in this case seems to be an artifact from an
older change. On x86_64, this approach ended in unsable hybrid binaries
due to incompatible handling of non-trivial return values, i.e.
structures. See '-freg-struct-return' in GCC manual page:
"[...] If there is no standard convention, GCC defaults to
-fpcc-struct-return, except on targets where GCC is the principal
compiler. In those cases, we can choose the standard, and we chose
the more efficient register return alternative."
In other words: All x86_64 Linux systems break the ABI standard :-(
The thread ID reported to core was not always initialized prior the RPC
call. The 'startup_lock' ensures that the thread is completely
initialized before this information gets propagated.
Since the recent move of the process creation into core, the original chroot trampoline
mechanism implemented in 'os/src/app/chroot' does not work anymore. A
process could simply escape the chroot environment by spawning a new
process via core's PD service. Therefore, this patch moves the chroot
support into core. So the chroot policy becomes mandatory part of the
process creation. For each process created by core, core checks for
'root' argument of the PD session. If a path is present, core takes the
precautions needed to execute the new process in the specified chroot
environment.
This conceptual change implies minor changes with respect to the Genode
API and the configuration of the init process. The API changes are the
enhancement of the 'Genode::Child' and 'Genode::Process' constructors to
take the root path as argument. Init supports the specification of a
chroot per process by specifying the new 'root' attribute to the
'<start>' node of the process. In line with these changes, the
'Loader::Session::start' function has been enhanced with the additional
(optional) root argument.
When building in hybrid Linux/Genode mode, there exist two definitions
of 'size_t', one in the 'Genode' namespace and one imported from the
glibc headers.
On Linux, we use the session label for naming the corresponding Linux
process. When looking up the processes via 'ps', the Genode process
hierarchy becomes immediately visible.
Genode used to create new processes by directly forking from the
respective Genode parent using the process library. The forking process
created a PD session at core merely for propagating the PID of the new
process into core (for later destruction). This traditional mechanisms
has the following disadvantages:
First, the PID reported by the creating process to core cannot easily be
validated by core. Therefore core has to trust the PD client to not
specify a PID of an existing process, which would happen to be killed
once the PD session gets destructed. This problem is documented by
issue #318. Second, there is no way for a Genode process to detect the
failure of its any grandchildren. The immediate parent of a faulting
process could use the SIGCHLD-and-waitpid mechanism to observe its
children but this mechanism does not work transitively.
By performing the process creation exclusively within core, all Genode
processes become immediate child processes of core. Hence, core can
respond to failures of any of those processes and reflect such
conditions via core's session interfaces. Furthermore, the PID
associated to a PD session is locally known within core and cannot be
forged anymore. In fact, there is actually no need at all to make
processes aware of any PIDs of other processes.
Please note that this patch breaks the 'chroot' mechanism that comes in
the form of the 'os/src/app/chroot' program. Because all processes are
forked from core, a chroot'ed process could sneak outside its chroot
environment by just creating a new Genode process. To address this
issue, the chroot mechanism must be added to core.
This patch simplifies the system call bindings. The common syscall
bindings in 'src/platform/' have been reduced to the syscalls needed by
non-core programs. The additional syscalls that are needed solely by
core have been moved to 'src/core/include/core_linux_syscalls.h'.
Furthermore, the resource path is not used outside of core anymore.
Hence, we could get rid of the rpath library. The resource-path code has
been moved to 'src/core/include/resource_path.h'. The IPC-related parts
of 'src/platform' have been moved to the IPC library. So there is now a
clean separation between low-level syscall bindings (in 'src/platform')
and higher-level code.
The code for the socket-descriptor registry is now located in the
'src/base/ipc/socket_descriptor_registry.h' header. The interface is
separated from 'ipc.cc' because core needs to access the registry from
outside the ipc library.
Thanks to the exclusive use of SCM rights for delegating access rights
to memory objects and RPC entrypoints, Genode processes outside of core
won't need to access any files.
This patch changes the way of how dataspace content is accessed by
processes outside of core. Dataspaces are opened by core only and the
corresponding file descriptors are handed out the other processes via
the 'Linux_dataspace::fd()' RPC function. At the client side, the
returned file descriptor is then used to mmap the file.
Consequently, this patch eliminates all files from 'lx_rpath'. The
path is still needed by core to temporarily create dataspaces and
unix domain sockets. However, those files are unlinked immediately
after their creation.
This patch alleviates the need for any non-core process to create Unix
domain sockets locally. All sockets used for RPC communication are
created by core and subsequently passed to the other processes via RPC
or the parent interface. The immediate benefit is that no process other
than core needs to access the 'rpath' directory in order to communicate.
However, access to 'rpath' is still needed for accessing dataspaces.
Core creates one socket pair per thread on demand on the first call of
the 'Linux_cpu_session::server_sd()' or 'Linux_cpu_session::client_sd()'
functions. 'Linux_cpu_session' is a Linux-specific extension to the CPU
session interface. In addition to the socket accessors, the extension
provides a mechanism to register the PID/TID of a thread. Those
information were formerly propagated into core along with the thread
name as argument to 'create_thread()'.
Because core creates socket pairs for entrypoints, it needs to know all
threads that are potential entrypoints. For lx_hybrid programs, we
hadn't had propagated any thread information into core, yet. Hence, this
patch also contains the code for registering threads of hybrid
applications at core.
This patch eliminates the thread ID portion of the 'Native_capability'
type. The access to entrypoints is now exclusively handled by passing
socket descripts over Unix domain sockets and by inheriting the socket
descriptor of the parent entrypoint at process-creation time.
Each entrypoint creates a socket pair. The server-side socket is bound
to a unique name defined by the server. The client-side socket is then
connected to the same name. Whereas the server-side socket is meant to
be exclusively used by the server to wait for incoming requests, the
client-side socket can be delegated to other processes as payload of RPC
messages (via SCM rights). Anyone who receives a capability over RPC
receives the client-side socket of the entrypoint to which the
capability refers. Given this socket descriptor, the unique name (as
defined by the server) can be requested using 'getpeername'. Using this
name, it is possible to compare socket descriptors, which is important
to avoid duplicates from polluting the limited socket-descriptor name
space.
Wheras this patch introduces capability-based delegation of access
rights to entrypoints, it does not cover the protection of the integrity
of RPC objects. RPC objects are still referenced by a global ID passed
as normal message payload.
This patch adds prinicipal support for transmitting socket descriptors
as RPC payload. Socket descriptors are handled by the linux-specific
implementation of the capability marshalling and unmarshalling functions
in 'ipc.h'. The 'Message' type in 'src/platform/linux_socket.h' has been
extended to carry multiple descriptors in a single message.
Unfortuately, we hit a problem (and potential show stopper) here:
lx_sendmsg failed with -109 in lx_call()
The error code corresponds to ETOOMANYREFS. There is only one place in
the Linux kernel where this error code is used (net/unix/af_unix.c).
The code for 'unix_attach_fds()' suggests that there is a limit with
regard to the maximum number of references for a given Unix domain
socket. When the error occurs, core and init are running. The socket
of core's server entrypoint is present in the '/proc/pid/fd' of those
processes 8 times. The error occurs when core tries to perform an
RPC to the entrypoint to perform 'Ram_session::transfer_quota()'
(base/include/base/child.h at line 248).
By storing the reply socket descriptor inside the 'Ipc_ostream::_dst'
capability instead as part of the connection state object, we can
use the 'explicit_reply' mechanism as usual. Right now, we store
both the tid and socket handle in 'Native_capability::Dst'. In the
final version, the 'tid' member will be gone.
In the final version, the 'socket' will be the only member to remain in
the 'Dst' time. In the transition phase, we store both the old 'tid' and
the 'socket'.
This patch, which was originally created by Christian Helmuth,
represents the first step towards using SCM rights as capability
mechanism on Linux. It employs the SCM rights mechanism for transmitting
a reply capability to the server as argument of each IPC call. The
server will then send its respond to this reply file descriptor. This
way, the reply channel does not need to be globally visible anymore.
The bash-builtin 'pwd' command uses the 'st_dev' and 'st_ino' members of
the 'stat' struct to compare the path from the 'PWD' environment variable
with the path returned by 'getcwd()'. These members don't get set
correctly in Noux and therefore the 'pwd' command sometimes returns wrong
results when building Genode in Noux. With this patch the 'CURDIR' make
variable gets used instead of calling 'pwd'.
Fixes#454.
With this patch an error message gets printed in
'Allocator_avl_base::free()' if the given address is not the start address
of the allocated block.
Fixes#459.
Create the signal context object before the signal receiver object to get the
signal receiver destroyed before the signal context. This avoids a 'specified
signal-context capability has wrong type' warning when the signal receiver
tries to free its managed context on destruction.
Part of #448.
When building the Fiasco.OC kernel, and L4Linux within the Genode build system,
forward the CC, and CXX variables. It might contain useful tools like ccache,
or distcc to speed up compilation. Moreover, don't delete the MAKEFLAGS when
building Fiasco.OC. It hinders parallel builds.
Certain symbols from the libgcc_eh library in cxx that is linked with the
L4Linux kernel were resolved by using kernel internal implementations.
This lead to errors because the complete Linux kernel is built regparm=3.
This patch prefixes the appropriate symbols in the Linux Kernel and its
modules. Moreover, it fixes some warnings introduced by the latest update
to gcc 4.7.
g++ 4.4.5 outputs the following warnings in our code using the loader
session:
.../base/include/base/capability.h: In member function 'typename Genode::Trait::Call_return<typename IF::Ret_type>::Type Genode::Capability<RPC_INTERFACE>::call() const [with IF = Loader::Session::Rpc_view_geometry, RPC_INTERFACE = Loader::Session]':
.../base/include/base/capability.h:207: warning: 'ret.Genode::Capability<Loader::Session>::Return<Loader::Session::Rpc_view_geometry>::_value.Loader::Session::View_geometry::width' may be used uninitialized in this function
.../base/include/base/capability.h:207: warning: 'ret.Genode::Capability<Loader::Session>::Return<Loader::Session::Rpc_view_geometry>::_value.Loader::Session::View_geometry::height' may be used uninitialized in this function
.../base/include/base/capability.h:207: warning: 'ret.Genode::Capability<Loader::Session>::Return<Loader::Session::Rpc_view_geometry>::_value.Loader::Session::View_geometry::buf_x' may be used uninitialized in this function
.../base/include/base/capability.h:207: warning: 'ret.Genode::Capability<Loader::Session>::Return<Loader::Session::Rpc_view_geometry>::_value.Loader::Session::View_geometry::buf_y' may be used uninitialized in this function
This is easily fixed with providing a default constructor.
Because of the C++ rules regarding initialer lists code that used
them for View_geometry had to be modified to use a normal construction
call. In my tests only Nitpicker had to be changed.
Preparation of base-pistachio fails on Ubuntu with dash as /bin/sh as it
does not support non-POSIX features like brace expansion. In this case
expanding in the Makefile via $(addprefix ...) fixes this shortcoming.
With the update to L4ka::Pistachio, we no longer need to patch the
contrib sources. Our patch went upstream in the meanwhile.
Apparently, gcc-4.7 is picky about specifying the '-melf_i386' argument
at the command line of the GCC frontend. We need to make sure to use the
'-Wl,' prefix.
The eglgears application depends on 'sqrt'. With the old tool chain,
this symbol was resolved through the dependencies of the 'gallium'
library. This does not work anymore for the new tool chain.
A similar issue arised for avplay, where we need to explicitly
state the av components in the LIBS declaration of the target.
The terminal has a lot of bits that may be worth reusing outside the
single implementation. Those bits are now located at 'include/terminal'
in the gems repository.
Replacing the local name of a capability index object which exists in the
capability map can destroy the AVL tree order of the capability map. With
this patch the outdated object gets removed from the map and a new object
gets inserted afterwards.
Fixes#435.
After this commit "make prepare" uses HTTP, HTTPS, or FTP where possible
fvor downloading third-party source codes. This prevents problems with
strict firewall rules where only selected ports are usable.
Unfortunately, git.l4android.org does not support Git via HTTP and,
therefore, the sources need a working Git port (9418).
Fixes#443.
* Introduces Schedule_context
* Use fast-interrupts or normal interrupts
* Add mode-transition between secure/non-secure world
* Limit system resources for Genode apps due to non-secure world
This commit implements the newly introduced Vm session interface to be used
on top of TrustZone capable Armv7 CPUs. Therefore a new Schedule_context is
introduced in the kernel. Threads and Vms are both Schedule_contexts used
by the scheduler. In contrast to a thread a vm uses a different assembler
mode switch to the non-secure, virtual world, as well as another exception
is used, when the non-secure world is left. For both worlds to co-exist
the interrupt-controller needs to be configured, so that the secure (Genode)
world uses fast-interrupts only, and the non-secure world only legacy
interrupts.
The only TrustZone capable platform the base-hw kernel works on top of
is the CoreTile Express 9x4 for the Versatile Express motherboard. For a
virtual machine working properly on top some platform resources must be
reserved. Therefore there exist two flavours of this platform now, one with
the 'trustzone' spec-variable enabled, and one without. If 'trustzone' is
specified most platform resources (DDR-RAM, and most IRQs) are reserved
for the Vm and not available to the secure Genode world.
Driver definitions which are used by kernel/core in base-hw, and also by other
drivers (e.g. from the os repository) have to reside in the generic
base-repository, for instance some uart drivers. All drivers which are
interesting for one of the sites only (sp804 for timer driver, or
cortex_a9 cpu driver for base-hw) should reside in the respective repos.
Factorize cpu context out of Cortex A9 specific definitions. Moreover, there
is already a Cpu_state object containing all common ARM registers. We use
this as a base for the cpu context switching done by the base-hw kernel.
The Cpu_state class get extended by a cpu-exception field, that stores the kind
of exception raised when the corresponding context got interrupted. This
information is used not only by the base-hw kernel, but also by the TrustZone
VMM that is build currently.
The 'Cpu_state' in 'base/include/base/cpu_state.h' is not needed anymore.
Moreover, it's inconsistent with the architecture-specific definitions
of 'Cpu_state' that all reside in <cpu/cpu_state.h>.
By now all services in core where created, and registered in the generic
main routine. Although there exists already a x86-specific service (I/O ports)
there was no possibility to announce core-services for certain platforms only.
This commit introduces a hook function in the 'Platform' class, that enables
registration of platform-specific services. Moreover, the io-port service
is offered on x86 platforms only now.
By naming all board declaration (previously in base/include/drivers/board) the
same way, and putting them in platform-specific include-pathes, we save additional
declaration redirection in the base-hw kernel, and in driver definitions.
By adding a "mac=XX:XX:XX:XX:XX:XX" attribute/value pair to the nic_bridge's
configuration one can define the first MAC address from which the nic_brigde
will allocate MACs for it's clients. Note: that the least relevant byte will
be ignored, and ranges from 0-255. Fixes#424.
Areas of an attached dataspace which have never been accessed cannot get
unmapped. With this patch this case is not treated as error anymore.
Fixes#398.
There are certain programs that need gettimeofday(), e.g.
network-related tools like ping(1) etc. but also filesystem-related
programs like find(1) etc. and of course time-related programs like
date(1).
As there is currently no interface in Genode for actually using clock
devices like RTC on x86 (though there is a driver for it) we "abuse"
the timeout_scheduler thread to at least provide flow-of-time.
Noux: add clock_gettime() implementation
For now, only CLOCK_SECOND is supported.
Noux: add utimes() dummy
Fixes#401
The 'delete (void *)' operator gets referenced by compiler generated code,
so it must be publicly defined in the 'cxx' library. These compiler
generated calls seem to get executed only subsequently to explicit
'delete (void *)' calls in application code, which are not supported by
the 'cxx' library, so the 'delete (void *)' implementation in the 'cxx'
library does not have to do anything. Applications should use the
'delete (void *)' implementation of the 'stdcxx' library instead. To make
this possible, the 'delete (void *)' implementation in the 'cxx' library
must be 'weak'.
Fixes#419.
This patch moves the thread iterator function declarations in GDB
monitor's 'Cpu_session_component' above the 'CPU session interface'
comment, because these functions are not part of the CPU session
interface anymore.
Fixes#10.
In Genode's paravirtualized block driver a request cache is used to find again
Linux request structures via corresponding block-session packets. To work
correctly the cache needs to have at least the same size like the
block-session's queue-size.
Print Fiasco.OC kernel debugger messages into a file instead of a pipe
in the default l4linux run-script. Thereby rarely triggered issues by the
nightly running buildbot can be analyzed after the test failed.
Implement shared IRQs using 'Irq_proxy' class.
Nova: Added global worker 'Irq_thread' support in core and adapted Irq_session.
FOC: Adapted IRQ session code, x86 has shared IRQ support, ARM uses the old
model. Read and set 'mode' argument (from MADT) in 'Irq_session'.
OKL4: Use generic 'Irq_proxy'
Fixes issue #390
Added generic 'Irq_proxy' class to core includes (ported from base-okl4). It can
be used to implement shared IRQ support for various base platforms. It will
generate one thread per IRQ and unblocks waiting clients (IRQ sessions) upon
interrupt receipt.
Issue #390
GCC warns about uninitialized local variables in cases where no
initialization is needed, in particular in the overloads of the
'Capability::call()' function. Prior this patch, we dealt with those
warnings by using an (unreliable) GCC pragma or by disabling the
particular warning altogether (which is a bad idea). This patch removes
the superfluous warnings by telling the compiler that the variable in
question is volatile.
Formerly, GENODE_RELEASE just undef'd PDBG() which concealed bugs in
places PDBG was used, e.g., do to API changes. Unfortunately,
desparately disabling GENODE_RELEASE during bug hunt sometimes
introduced new errors. Now, PDBG is just a branch not taken but seen by
the compiler, which is able to produce warnings/errors when the API is
changed.
Fixes#378.
Unify handling of UTCBs. The utcb of the main thread is with commit
ea38aad30e at a fixed location - per convention.
So we can remove all the ugly code to transfer the utcb address during process
creation.
To do so also the UTCB of the main thread of Core must be inside Genode's
thread context area to handle it the same way. Unfortunately the UTCB of the
main thread of Core can't be chosen, it is defined by the kernel.
Possible solutions:
- make virtual address of first thread UTCB configurable in hypervisor
- map the utcb of the first thread inside Core to the desired location
This commit implements the second option.
Kernel patch: make utcb map-able
With the patch the Utcb of the main thread of Core is map-able.
Fixes#374
Noux actually uses the sp variable during thread creation and expects to be
set accordingly. This wasn't the case for the main thread, it was ever set
to the address of the main thread UTCB.
If during the file system iterations in the 'stat()', 'rename()' or
'mkdir()' funtions of the 'Dir_file_system' class any file system
returns an error code other than 'ERR_NO_ENTRY', return immediately.
Fixes#376.
Make sure unlock is called when 'global_mutex' reaches zero count. Add verbose
variable in order to disable some output. Disable irritating 'Overflow' messages
in 'sys_mbox_post' and 'sys_mbox_try_post' per default. This may happen and is
not an error, since the ring buffer is full and will be emptied eventually.
Remove priority from genode_org run script.
Should fix#347
The 'build.mk' file checks if the tool chain to be used supports the
'-static' and '-fno-stack-protector' flags, but this check always fails
for the current Genode tool chain because it cannot create executable
files without explicitly specifying the 'crt0' and library files to be
linked, which the check doesn't.
This patch removes the compiler check.
Fixes#358.
With this patch, when a child exits, all of its open file descriptors get
closed immediately. This is necessary to unblock the parent if it is
trying to read from a pipe (connected to the child) before calling
'wait4()'.
Fixes#357.
Use slab allocators for small object sizes, do it the usual way otherwise.
This patch is related to #363. Using this optimization may be a viable
alternative to switching to the FreeBSD's malloc implementation.
Use 'Nic::Packet_allocator', wait for acknowledgements if packet allocation
fails. Updated 'lwip.run' and 'genode_org.run' to support OMAP4 correctly. Use
memcpy to copy PBUFs
May resolve issue #347
Missing parantheses around the calculation of last byte address in a UDP
Packet led to dereferencing the wrong value, thereby the UDP checksum
calculation failed, whenever an odd byte-count UPD packet was calculated.
Many thanks to Markus Partheymueller who discovered this issue and its
resolution.
Don't map all memory of the VM at once, instead only the one permitted
by the memory model. Otherwise memory regions get mapped which must not,
where each instruction and memory access have to cause an exception in
order to emulate it step by step.
Classes in Vancouver expect to get zero initialised memory when using memory
from the heap. Some classes don't initialize member variables as they should
do.
The exception initialization and handling in gcc_eh allocates early (_main)
memory before executing main. In Vancouver the virtual
region from [0,VM size) must be reserved. Vancouver fails if the memory
allocated by the exception handling and the static objects was allocated
inside the [0, VM size) area.
To circumvent the situation allocate the first memory pieces for the heap
from the bss.
Reserve memory region for VM as early as possible before any other
memory allocation happens. Otherwise it could happen that heap
allocations will use part of the virtual region we require for the VM.
Move the context area close to the end of the virtual user available address,
so that Vancouver can obtain as much as possible of the lower virtual address
range for VMs.
Use virtual regions for memory used during core initialization behind context
area. Enables us to start Vancouver VMs up to 1280 MiB, which requires
large virtual regions of contiguous aligned memory.
Exclude used virtual regions of echo and of pager thread in core.
The alternative weighted scheduler might lead to some threads don't make
any progress anymore (take for example the signal test). So we have to use
the fixed priority scheduler also in the kernel configuration for 64 Bit.
The first metadata-block, which is inherent part of the allocator object
itself has a fixed size which isn't suitable enough for some 64bit platforms
(e.g. core's RAM-allocator on a 64bit platform with lots of different regions).
This commit let the block size be address-width aware.
In sigma0 normally no answer tag to a request/fault is created. It simply uses
the message tag received with the request. This doesn't work out when I/O ports
are requested. This patch constructs an appropriate answer tag. Moreover,
we have to enable I/O port protection in the kernel configuration.
The memory allocation heuristics in the usb driver provided by dde_linux
changed with the recent commit 71b2b42936.
Apparently, the new variant requires a larger memory pool. Increasing
the quota is a temporary fix until the memory allocator gets revisited.
This commit comprises the following changes to enable L4Linux to use several
CPUs:
* change default configuration for x86 and ARM
* add atomic cmpxchg operation to l4re library
* implement l4_sleep (per thread)
* enable setting affinity for VCPUs and IRQs
* move "per CPU" section within linker-script (x86 only)
* introduce SMP run-script for pandaboard
* deactivate direct scheduler (Fiasco.OC syscall) access by L4Linux
The recently added 'Genode::Path' class makes it easy to create absolute
paths. With this patch the 'ffat_fs' server uses the 'Genode::Path' class
where possible instead of working with 'f_chdir()' and relative paths.
This also solves the problem reported in issue #355, which was caused by
storing a relative file name in the 'File' node.
Fixes#355.
The 'find' program can abort if the 'gettimeofday()' function returns -1,
which it currently does. With this patch the 'gettimeofday()' returns a
dummy time instead to prevent such a termination.
Fixes#353.
With this patch the 'Vfs_io_channel::lseek()' function takes the offset
argument into account when calculating the new seek offset in the SEEK_CUR
and SEEK_END cases.
Fixes#352.
With this patch, when a 'Packet_alloc_failed' exception occurs in the
'write()' function, the function waits for a packet acknowledgement and
the release of the packet and then tries the packet allocation again.
Fixes#348.
Every 64-bit binary is effectively 4M too big currently [0]. The GNU linker ld
aligns the text section of the binary to the maximum page size. On i386
the default section alignment is fixed typically to 4K.
Avoid wasting mainly 4M on x86_64 by telling the linker the max page size to
be 4K.
[0] http://sourceware.org/ml/binutils/2009-04/msg00099.html
This patch introduces the functions 'affinity' and 'num_cpus' to the CPU
session interface. The interface extension will allow the assignment of
individual threads to CPUs. At this point, it is just a stub with no
actual platform support.
This patch adds libstdc++ to libports. With the previous version of the
stdcxx library, the build system used the C++ standard library that
comes with the compiler. This mechanism was prone to inconsistencies of
types defined in the header files used at compile time of the tool chain
and the types provided by our libc. By building the C++ standard library
as part of the Genode build process, such inconsistencies cannot happen
anymore.
Note that the patch changes the meaning of the 'stdcxx' library for
users that happened to rely on 'stdcxx' for hybrid Linux/Genode
applications. For such uses, the original mechanism is still available,
in the renamed form of 'toolchain_stdcxx'.
The old values were much too small and the current ones are probably to
large but the TCP send throuhgput has increased noticeable (a few MiB/s
on the Pandaboard).
Fixes#343.
The Cap_mapping abstraction in core shouldn't use a Cap_index directly, but
use Native_capability instead, as it can break reference-counting, as long as
the same Cap_index gets used in a Cap_mapping and a Native_capability. This
commit finally fixes#208.
This commit fixes several issues that were triggered e.g. by the
'noux_tool_chain' run-script (fix#208 in part). The following problems
are tackled:
* Don't reference count capability selectors within a task that are actually
controlled by core (all beneath 0x200000), because it's undecideable which
"version" of a capability selector we currently use, e.g. a thread gets
destroyed and a new one gets created immediately some other thread might
have a Native_capability pointing to the already destroyed thread's gate
capability-slot, that is now a new valid one (the one of the new thread)
* In core we cannot invalidate and remove a capability from the so called
Cap_map before each reference to it is destroyed, so don't do this in
Cap_session_component::free, but only reference-decrement within there,
the actual removal can only be done in Cap_map::remove. Because core also
has to invalidate a capability to be removed in all protection-domains
we have to implement a core specific Cap_map::remove method
* When a capability gets inserted into the Cap_map, and we detect an old
invalid entry with the dame id in the tree, don't just overmap that
invalid entry (as there exist remaining references to it), but just remove
it from the tree and allocate an new entry.
* Use the Cap_session_component interface to free a Pager_object when it
gets dissolved, as its also used for allocation
Let the Fiasco.OC base platform succeed the cap_integrity run-script meaning
that it is not feasible anymore to fake a capability by using a valid one
together with a guessed local_name.
On systems that use multiple UHCI/EHCI controllers, synchronize access to low
level interrupt handler. Let 'device_may_wakeup' return 1, so suspended
controllers will send interrupts upon device connection. Make sure URBs are
shutdown upon disconnect.
Fixes#332
With this patch environment variables always get stored as zero-separated
strings in buffers of type 'Sysio::Env'. This fixes the problem that
environment variables with non-alphanumeric characters did not get set
correctly in child processes.
Fixes#340.
Change the uid/gid entries in the stat syscall to have the same values
on all filesystems that are used in the current noux-instance according
to the specified values in noux' config.
Fixes#338.
Programs use the errno value to check which error exactly occured.
It is mandatory for non-blocking I/O, e.g. connect() gets the current
state of the connection by looking at the returned errno values.
Fixes#337.
The cpu_session interface fails to be virtualized by gdb_monitor because
platform-nova uses an extended nova_cpu_session interface.
The problem was that threads have been created directly at core without
knowledge of gdb_monitor. This lead to the situation that gdb_monitor didn't
know of all threads to be debugged.
Tunnel the additional parameters required on base-nova through the state()
call of the cpu_session interface before the thread actual is started.
The kernel provides a "recall" feature issued on threads to force a thread into
an exception. In the exception the current state of the thread can be obtained
and its execution can be halted/paused.
However, the recall exception is only delivered when the next time the thread
would leave the kernel. That means the delivery is asynchronous and Genode has
to wait until the exception triggered.
Waiting for the exception can either be done in the cpu_session service or
outside the service in the protection domain of the caller.
It turned out that waiting inside the cpu_service is prone to deadlock the
system. The cpu_session interface is one of many session interfaces handled by
the same thread inside Core.
Deadlock situation:
* The caller (thread_c) to pause some thread_p manages to establish the call
to the cpu_session thread_s of Core but get be interrupted before issuing
the actual pause (recall) command.
* Now the - to be recalled thread_p - is scheduled and tries to invoke another
service of Core, like making log output.
* Since the Core thread_s is handling the session request of thread_c, the
kernel uses the timeslice of thread_p to help to finish the request handled
by thread_s.
* Thread_s issues the actual pause/recall on thread_p and blocks inside Core
to wait for the recall exception to be issued.
* thread_p will leave not the kernel before finishing it actual IPC with
thread_s which is blocked waiting for thread_p.
That is the reason why the waiting/blocking for the recall exception taking
place must be done on NOVA in the context of the caller (thread_1).
Introduce a pause_sync call to the cpu_session which returns a semaphore
capability to the caller. The caller blocks on the semaphore and is woken up
when the pager of thread_p receives the recall exception with the state of
thread_p.
The 'fd_set' size calculation in the current version of the 'poll()'
function results in an amount which is smaller than the size of the
'fd_set' data type. With this patch the file descriptor sets get
allocated as plain stack variables.
Fixes#335.
This patch implements a service which provides the contents of a tar
archive via the 'File_system::Session' interface.
Configuration:
<config>
<archive name="tar_archive.tar" />
<policy label="label_of_client" root="/rootdir/for/client" />
</config>
Fixes#333.
Certain programs tend to set their sockets non-blocking. As previously
descriptors in Noux were only blocking we now introduce a method to mark
the used Io_channel as non-blocking.
There are certain programms which check if an fd is open by calling
fcntl(fd, F_GETFL, ...). So to keep them happy we return true if
such an request was done to our terminal fd's.
Explanation why --disable-rpath-hack is needed:
When building on pistachio_x86 $(LDFLAGS) contains '-L[...]/l4/lib'
which will be transformed by autoconf to '-rpath [...]/l4/lib'.
Now the problem at hand is that we pretend to be FreeBSD when we are
actually not. So autoconf assumes it is valid to use '-path' when it
is actually not.
Also we use zlib for (de)compressing gzipped streams/files instead of
calling gzip as this currently somewhat buggy.
These device are mandatory for most programs (well, at least null
is required to be present for a POSIX compliant OS, which Noux is
actually not). But for proper shell-script support we will need
them anyway.
There are certain programs which need the information that is stored in
'struct passwd'. This commit introduces configurable user information
support to NOUX.
One can set the user information via <user> in NOUX config:
! <config>
! <user name="baron" uid="1" gid="1">
! <shell name="/bin/bash" />
! <home name="/home" />
! </user>
! [...]
! </config>
When <user> is not specified default values are used. Currently these
are 'root', 0, 0, '/bin/bash', '/'.
Note: this is just a single user implementation because each Noux instance
has only one user or rather one identity and there will be no complete
multi-user support in Noux. If you need different users, just start new
Noux instances for each of them.
Removes getpwent.c from build because the passwd facilities provided by
the FreeBSD libc will not be used anyway and add stub functions instead.
Now services which need these functions have to implement their own
(e.g. libc_noux).
Apparently, GNU make 3.81 picks the generic '%.h' rule instead of the
more specific 'rpc/%.h' rule during the preparation of the libc.
Changing the order of the rules solves the problem.
libc_resolv is a {free,get}addrinfo() plugin, mainly for use with NOUX.
We prefix the original libc functions to with 'libc_' so there is no
symbol conflict with file_operations.cc.
Most of the libs are needed for DNS related stuff. Since we now
have libc_resolv they are not longer needed. Infact they will
lead to undefined symbols so we remove them alltogther as build
dependency for the libc.
Previously there was not actual timeout handling. If a select() call
set an timeout it would be set to zero instead and was always handled
as blocking i/o. While this works fine for file descriptors which
will be triggerd externally (for example vim through terminal i/o) it
does not work at all for socket descriptors and network operations in
general.
So this commit introduces proper timeout handling and changes the
behaviour of SYSCALL_SELECT so that it now returns more than just
one descriptor at a time.
noux/minimal and noux/net now depend on thread and alarm libraries.
Noux used to trace syscalls by default, which significantly slows down
its execution. This patch disables the tracing by default. It can be
enabled by specifying 'trace_syscalls="yes"' attribute to the Noux
configuration.
This patch resolves a problem with running 'noux_gdb.run'. Right at the
start, GDB would output a message like:
...cli-script.c:1614: internal-error: called with NULL file pointer!
A problem internal to GDB has been detected,
further debugging may prove unreliable.
Quit this debugging session? (y or n)
The LOG output hints at the cause of the problem:
[init -> noux -> /bin/genode-x86-gdb] fcntl: F_GETFL for libc_fd=3
Thanks to cproc for the fix!
The directory specified by --prefix is not only used to determine
the install location but is also used by -rpath. Therefor it is
better to use $(DESTDIR) to install the binaries to the right
directory and to use --prefix to express the actual location within
NOUX.
This patch adds lighttpd as noux package. However, we do not use the
original build system but rather compile lighttpd directly from the
Genode build system. This is needed because we want to statically link
lighttpd modules into the binary. This mode is (somehow) supported by
the SConscript that comes with lighttpd. However, the GNU build scripts
do not expose this feature.
The port of lighttpd at 'ports/src/app/lighttpd' executes the web server
directly (w/o using Noux). It is accompanied by the lighttpd.run script.
At the current stage, lighttpd is starting up but fails because of an
unsupport fcntl call.
In the current form, only PROT_READ is supported. This case is emulated
by copying the file content into new allocated backing store. Even
though the performance benefits of mmap-using code will not be
preserved, code that relies on mmap can be executed via the libc_noux
or libc_fs plugins, i.e. lightttpd.
Multiple calls to get the dataspace capability on NOVA lead to the situation
that the caller gets each time a new mapping of the same capability at
different indexes.
The client/caller assumes to get every time the very same index, e.g. in
Noux the index is used to look up structures.
Cache the dataspace capability returned via a rm_session for base-nova.
On both 32-bit and 64-bit platforms, 'uint64_t' can be defined as
'unsigned long long', which is the type expected by the %llx
format-string specifier. By unifying the type definitions, we resolve
warnings about unmatching type specifiers. This patch also removes
redundant words from the typedefs.
As of lwip-1.4.x this is not needed anymore because lwip
now always creates a loopback device. This plug-in will
be removed in the future but for now keep it around so
we currently do not need to update the other targets that
depend on it.
Fixes#329.
The bash configure script cannot detect if the 'getcwd()' function in
Genode's libc works correctly, so it assumes that it is broken and makes
bash use its own version of this function. With this patch bash uses the
libc version, which has a Noux-specific implementation in the 'libc_noux'
plugin.
Fixes#324.
The new version works fine but there is an issue with connect()
that needs the included patch:
There is no actual handling of EALREADY in lwip. It sets errno
to EALREADY when the connection was established. Unfortunatly this
is really bad because most programs expect to receive errno EISCONN
if the connection was successfully established. So this behaviour
breaks Qt4 and several noux/net packages (like lynx) because those
programs end up in an endless loop trying to connect via an already
connected socket. The longterm solution would be fixing the wrong
behaviour in lwip (there are already bug-reports on lwip's mailinglist)
but for now, it works well enough to simple change lwip's err_to_errno
table to set errno to EISCONN when the connection was established.
The generic parent_cap.cc overwrote the beginning of the data segment with
to much. Reserved are solely 16 byte, for 64bit we use however 32byte.
Actually, the parent_cap copying is not required at all. The parent cap
selector is at a fixed define place, so that no exported symbols are required
for determination of the parent_cap.
Remove it.
Required to start thread on Genode/NOVA. Without the service it fails with:
int main(): --- init created, waiting for exit condition ---
[init] timer: no route to service "CPU"
[init -> test-moon] Starting ldso ...
[init -> timer] C++ runtime: Genode::Parent::Service_denied
[init -> timer] void* abort(): abort called
Certain rpc headers are needed for compiling getaddrinfo.c. Unfortunatly
that means we have to generate _a few_ header files which we do when we
prepare the libc.
These header files need to be created before the symlinks. Also, some of
these header files depend on a patch. Therefore we apply the patches
first, generate the header files and in the end we create the symlinks.
Fixes#296.
Since no kernel objects can be created anymore outside Genode::core,
the Vancouver port must be adjusted to use solely the Genode interfaces.
The Vcpu_dispatcher creates all portals via the cpu_session interface and
uses the feature to setup a specific receive window during a IPC (the
cap_session::alloc IPC) to place to be received/to be mapped capability
(virtualization exception portal) at the designed indexes.
The actual vCPU thread extends from a normal Genode::Thread and extends it
by specific vCPU requirements, which are a larger exception base window and
the need by Vancouver to place the SM and EC cap at indexes next to each other.
Fixes#316
Extend Native_capability type to hold a specific selector index where the to
be received cap during a IPC should be mapped to. This feature is required to
place created caps by the cap_session at specific indexes. This feature is
used by Vancouver to setup the virtualization exception portals (created by
the cap_session) at the intended indexes.
Patch prevents following bugs:
* In sleep_forever the thread return from semaphore down if cap is revoked
during destruction of a thread. This causes an endless loop consuming time
not available for other threads.
* In lock_helper and cap_sel_alloc the thread return from the lock() method
even if the semaphore down call failed because of an revoked semaphore.
This lead to the situation that a thread subject to de-construction returns
from the lock method, but not holding the lock, entering the critical section
and modifying state inside the critical section. Another thread in parallel
already in the critical section or entering the critical section also
modifies the state. This lead to curious bugs ...
* thread_nova, thread_start, irq_session
Detect early bugs if the SM is gone unexpectedly where it should never
happen.
Vancouver recalls the vCPU in the vCPU dispatcher code. Enable the right bit
in the mapped native cap so that Vancouver actually is able to perform this
operation.
It now can hold a right bit used during IPC to demote rights of the to be
transfered capability.
The local_name field in the native_capability type is not needed anymore
in NOVA. Simplify the class, remove it from constructors and adapt all
invocations in base-nova.
Unfortunately local_name in struct Raw is still used in generic base code
(process.cc, reload_parent_cap.cc), however has no effect in base-nova.
MsgBuf has to keep the number of received capabilities in order
to free/know correctly unused and unwanted capabilities. Explicitly
call rcv_msg->post_ipc to store this information in a MsgBuf.
Don't reset rcv_msg in ipc.cc, since this is used during
un-marshalling of caps in ipc.h afterwards. The MsgBuf is reseted when its
de-constructor is called.
With this patch solely the local ids are used, no global unique ids
are transfered anymore during IPC.
demo.run, signal.run, noux_tool_chain.run works up to the same
point as before the patches for issue #268.
Fixes#268
Unfortunately, another kernel patch is required for Genode/NOVA to get rid
of global unique ids for objects (issue #268).
Kernel patch:
If a translate of a object capability item inside the same PD
(receiver/sender in same PD) is not successful then he very same item is
returned instead of the null item.
Genode:
Some code in Genode try to map/translate the "root" (the first instance of a)
object capability within the same PD. The translate fails since it is the
first cap and was not delegated beforehand. Instead the cap gets mapped to a
new capability index due to xlt_rcv kernel item patch.
The new local object capability index is used to lookup manged objects
in lists, which however fails because the object is only known by the original
object capability index.
Unfortunately, this happens not only once. Below one example trace and
description is attached.
There are several possible solutions possible:
* Find all places in Genode and replace normal function calls between objects
with IPC calls, such that all capabilities can be translated during IPC.
** Time consuming to find all spots
** Rather platform specific issue requires re-adjustments in generic Genode
code
** Not trivial to ever remember this fact during development of new components
[other platforms have not such a issue, however have global object ids]
** Neither good in terms of performance.
* Use some special system call to the kernel to be able to translate a given
capability index as long until you find the requested original index.
(Obviously ... no comment).
* Kernel patch as this one.
* <your proposal>
Example trace + code description showing the behavior above:
int main(): --- create local services ---
int main(): --- start init ---
[0] DEL OBJ PD:0xc000aa80->0xc000aa80 SB:0x000000aa RB:0x000000ac O:0x00 A:0x1f
int main(): transferred 42 MB to init
[0] DEL OBJ PD:0xc000aa80->0xc000aa80 SB:0x00000120 RB:0x0000013c O:0x00 A:0x1f
[0] DEL OBJ PD:0xc000aa80->0xc000aa80 SB:0x0000016c RB:0x00000168 O:0x00 A:0x1f
Setup ELF failed
[0] XLT OBJ PD:0xc000aa80->0xc000aa80 SB:0x00000168 RB:0x0000016c O:0x00
unknown exception?
int main(): --- init created, waiting for exit condition ---
thread - file - line - text
-------------------------------------------------------------------------------
thread A - [ 0] - 228 - new Core_child(... rom_session.dataspace() ...)
thread A - [ 1] - 27 - IPC call - ask for dataspace cap
thread B - [ 2] - 49 - function - return dataspace cap index 0x120
thread A - [ 1] - 27 - IPC returned - map 0x120 -> 0x13c, translate failed
thread A - ...
thread A - [ 3] - 231 - call _setup_elf()
thread A - [ 3] - 60 - call env->rm_session()->attach()
thread A - [ 4] - 35 - do dataspace object lookup (0x13c)
thread A - [ 4] - 36 - lookup failed (object known as 0x120), throw Exception
thread A - [ 3] - 61 - catch Exception -> return error code "0"
thread A - [ 3] - 233 - "Setup ELF failed" - because error code "0"
File legend:
[0] base/src/core/main.cc
[1] base/include/rom_session/client.h
[2] base-nova/src/core/include/core_rm_session.h
[3] base/src/base/process/process.cc
[4] base-nova/src/core/core_rm_session.cc
Kernel patch:
Introduce a transfer item type to express that a cap should be translated
and if this fails to map it instead.
It would be possible without this combined transfer item type however
with additional overhead. In this case Genode/NOVA would
have to map and translate all caps used as parameter in IPC. It would look
like this:
* If the map and translation succeed, the cap at the new cap index
would have to be revoked. Then the translated cap index can be used.
* If the map succeeds and the translation fails then the mapped cap index
can be used.
* It would become complicated when multiple caps are mapped and translated
and only some of the translation succeed. In such cases Genode would have
to figure out the right relation of translated/mapped and not
translated/mapped caps. It would require to make some assumption about the
order how translated/mapped caps are reported at the UTCB by the kernel.
All the points above lead to the decision to create a separate transfer item
type for that.
Genode:
Most the times the translation succeeds, mapping of caps happens either
seldom. This takes now a bit the pressure of not enough aligned receive
cap windows as described in issue #247.
The patch mainly adds adjustments to handle the
translated and mapped caps correctly especially during freeing of the
receive window (don't free translated cap indexes).
Fixes#268
The additional quota is needed because of the recent performance
optimizations of the USB/networking code, e.g., to support the
increased NIC packet-stream buffer size.
Added SKB bitmap allocator, use Nic::Packet_allocator in packet stream, use slab
allocators on top of back-end AVL allocator, split allocators in cached/uncached
for general purpose/DMA allocation, added patch to original code to distinguish
cached or uncached memory requests, take advantage of and implement TX bursts
(or SKB batching), call interrupt handlers until they return unhandled.
Make calls using IPCs IRQ safe, handle packet exhaustion, removed
'Packet_pool', tweak TCP rmem and wmem buffer sizes to show better performance
results, use 'Net::Packet_allocator, fix 'update-patch' Makefile command
Avoid the use of deprecated 'MASK' enum in CPU register 'Asid'.
Enable the use of the 'K' bit in MMU translations.
Treat any try to modify existing valid entries in section- and
pagetables when doing 'insert_translation' as error.
Beautify concerned files.
By allocating the packet-stream dataspace for block sessions as
uncached, we can use DMA to directly read and write into the client
buffer. Currently, the OMAP4 SD-card driver is using this feature.
With this patch, the driver code gets complemented with DMA support.
The support for master DMA, in turn, cleared the way for using
interrupts to wait for the completion of transfers, which largely
relieves the CPU compared to the polling PIO mode. Consequently, the new
version has a much lower CPU footprint.
In the current version, both modes of operation PIO and DMA are
functional. However, PIO mode is retained for benchmarking purposes only
and will possibly be removed to keep the driver simple. It is disabled
in the driver's 'main.cc'.
This patch replaces the jiffies thread in 'sd_card/omap4/bench' calls to
'Timer::Session::elapsed_ms()'. This way, we use wall-clock time for the
measurements. Depending on the load of the rest of the system, the
previous version used to accumulate the inaccuracy for each 'msleep'
call.
For 64-bit registers we cannot compute MASK and SHIFT values via enums
because enum values are always of type int. But we can use static member
functions instead. Furthermore, the patch fixes the type trait for
64-bit registers. (apparently, this access width was never used so far)
The enable the use of 'Attached_ram_dataspace' objects as DMA buffers,
we need to pass the 'cached' flag to the constructor. By default, the
dataspace is cached, which corresponds to the original behaviour.
The Demo of 64bit Genode/NOVA fails during the booting phase when
physical memory was tried to be mapped lying above 4G boundary.
(qemu -m 4096 triggered it on some systems). The memory never got
mapped and the attempt to access the virtual region resulted
in a unexpected page fault inside Genode core.
The latest revision removed the artificial boundary of 4G for 64bit.
Example trace showing the issue:
([-1] lines show debugging output that mapping failed)
...
int main(): --- create local services ---
int main(): --- start init ---
int main(): transferred 4047 MB to init
int main(): --- init created, waiting for exit condition ---
start new pager object with EIP=0x1025814, ESP=0x6001000
[init] Could not open file "ld.lib.so"
start new pager object with EIP=0x10213e4, ESP=0x6001000
start new pager object with EIP=0x1037684, ESP=0x6001000
start new pager object with EIP=0x1021664, ESP=0x6001000
start new pager object with EIP=0x101e374, ESP=0x6001000
start new pager object with EIP=0x10295a4, ESP=0x6001000
start new pager object with EIP=0x1037db4, ESP=0x6001000
[init -> pci_drv] PCI driver started
[init -> launchpad] Could not open file "ld.lib.so"
[init -> launchpad] Could not open file "config"
[init -> launchpad] Could not obtain config file
[init -> ps2_drv] Detected ExPS/2 mouse - activating scroll-wheel and 5-button support.
[init -> ps2_drv] Using keyboard with scan code set 1 (xlate).
[init -> timer] Timer::Timeout_scheduler::Timeout_scheduler(Platform_timer*, Genode::Rpc_entrypoint*): starting timeout scheduler
[init -> vesa_drv] int Framebuffer_drv::map_io_mem(Genode::addr_t, Genode::size_t, bool, void**, Genode::addr_t, Genode::Dataspace_capability*): fb mapped to 1000
start new pager object with EIP=0x101eaf0, ESP=0x401fef80
[init -> timer] Timer::Session_component::Session_component(Timer::Timeout_scheduler*, Genode::Cap_session*): created new session component, _session_cap.valid=1
start new pager object with EIP=0x1021d10, ESP=0x400fef80
start new pager object with EIP=0x1021d10, ESP=0x401fef80
[init -> vesa_drv] Could not open file "config"
[init -> vesa_drv] Could not obtain config file
[init -> vesa_drv] Found: VESA BIOS version 2.0
[init -> vesa_drv] OEM: VGABIOS Cirrus extension
[init -> vesa_drv] Found: physical frame buffer at 0xfc000000 size: 0x00400000
[init -> vesa_drv] int Framebuffer_drv::map_io_mem(Genode::addr_t, Genode::size_t, bool, void**, Genode::addr_t, Genode::Dataspace_capability*): fb mapped to 400000
[init -> nitpicker] framebuffer is 1024x768@1
[init -> nitpicker] create session with args: fb_format=1, label="launchpad", ram_quota=1646592
[init -> nitpicker] Could not open file "config"
[init -> nitpicker] Could not obtain config file
[init -> nitpicker] create session with args: fb_width=400, fb_height=1504, fb_format=1, label="launchpad", ram_quota=1211392
[ 0] DEL MEM PD:0xffffffff8100d620->0xffffffff8100d320 SB:0x00100000 RB:0x00002a00 O:0x08 A:0x7
[-1] Pd::delegate snd->S::tree_lookup(0x100000) == 0x0 -- base-nova/contrib/src/pd.cpp:54 - Pd::snd 0xffffffff8100d620 =? Pd::kern 0xffffffff8100d620
[ 0] DEL MEM PD:0xffffffff8100d620->0xffffffff8100d320 SB:0x00100100 RB:0x00002b00 O:0x05 A:0x7
[-1] Pd::delegate snd->S::tree_lookup(0x100100) == 0x0 -- base-nova/contrib/src/pd.cpp:54 - Pd::snd 0xffffffff8100d620 =? Pd::kern 0xffffffff8100d620
[ 0] DEL MEM PD:0xffffffff8100d620->0xffffffff8100d320 SB:0x00100120 RB:0x00002b20 O:0x02 A:0x7
[-1] Pd::delegate snd->S::tree_lookup(0x100120) == 0x0 -- base-nova/contrib/src/pd.cpp:54 - Pd::snd 0xffffffff8100d620 =? Pd::kern 0xffffffff8100d620
[ 0] DEL MEM PD:0xffffffff8100d620->0xffffffff8100d320 SB:0x00100124 RB:0x00002b24 O:0x01 A:0x7
[-1] Pd::delegate snd->S::tree_lookup(0x100124) == 0x0 -- base-nova/contrib/src/pd.cpp:54 - Pd::snd 0xffffffff8100d620 =? Pd::kern 0xffffffff8100d620
[ 0] Killed EC:0xffffffff823ca880 SC:0xffffffff823cb740 V:0xe CS:0x2b EIP:0x1215a0 CR2:0x2b25fff ERR:0x6 (PT not found)
sgr0 is currently implemented as a wrapper of sgr(0) which
seems to work fine.
For now we accept but ignore certain sgr sequences like for
example [0;10;1m which is generated by lynx even when using
TERM=linux (I am not sure yet if that's actually valid at all).
Our FreeBSD libc based libc defines SOL_SOCKET as 0xffff. We change
lwip's definition from 0xfff to match ours. This prevents us from
converting the level when we call {g,s}etsockopt.
Fixes#292.
libcrypto provides certain optimized assembler functions which
unfortunatly are non-pic. Therefore this asm code is removed
and libcrypto is build with -DOPENSSL_NO_ASM.
Because the asm code is not needed anymore, its generation is
also removed from openssl.mk.
import-libssl.mk was also added because it is essential for building
programs which depend on libssl.
Fixes#291.
Fixes#294.
When opening a new file, a new Fs_vfs_handle is created but with the
initial mode set to 0 which is not expected by functions like fdopen()
that check if the original flags given to the open() call match the
returned ones on the used fd.
Fixes#289.
Though the initial commit contains nicer looking color definitions
it is easier to spot wrong colors when using a program that uses
ncurses like for example lynx.
Fixes#284.
Added support for more than one UHCI controller. Make sure the 'PIRQ' bit in the
legacy support register (PCI config space) of the UHCI controller is enabled and
also that the 'Trap on IRQ' bit is disabled. Fix offset bug in PCI-config space
emulation for Linux.
Fixes#282
The code intended to stop after the first failed attempt,
however the bool variable to control this was reseted
inside the loop and so it endless loops.
Fixes#51
If a thread has been deleted the thread object at the cpu_session was never
freed which caused the cpu_session quota to be exhausted as reported in
issue #150.
Fixes#150
Be bit more robust.
* Don't use addresses and sizes larger than
32 bit address boundaries.
* Don't take modules of size 0, at address 0 and if aux is 0.
(Already seen on machines in the University ...)
Fixes#269
With this patch the 'GNU Project Debugger' (GDB) can be built for Noux.
The included run script connects GDB and GDB monitor via a cross-link
terminal and allows interactive source-level debugging of the GDB monitor
test application on Genode.
Fixes#280.
This patch implements the 'readv()' function in the libc.
A lock guard prevents the parallel execution of either or both of the
'readv()' and 'writev()' functions.
Fixes#279.
This patch implements the 'pread()' and 'pwrite()' functions in the libc.
A lock guard prevents the parallel execution of either or both functions.
Fixes#278.
Increase size of block session backing store so it can handle maximum supported
packet size. Synchronize client threads during packet allocation.
Fixes#276
The line-status register has two relevant status bits - transmitter-hold
register empty and data-hold register empty - from which only the THR is
relevant as it signals new character can be written to the device.
Fixes#281
Setting the handler for SIGCHLD to SIG_IGN (ignore) informs the kernel
not to enter the zombie state: (man 2 wait)
POSIX.1-2001 specifies that if the disposition of SIGCHLD is set to
SIG_IGN or the SA_NOCLDWAIT flag is set for SIGCHLD (see
sigaction(2)), then children that terminate do not become zombies
[...]
Fixes#271.
This patch sets the default document type in the "File save" dialog to
HTML and makes both the "File open" and "File save" dialogs enter the "/"
directory by default.
Fixes#274.
The block test at test/ahci is indeed not AHCI-specific. It is a generic
block read/write test for the block-session interface. But in contrast
to the original test/block, it restores the block device content (at
least when the test succeeds). Hence, we remove the original (dangerous)
block test and always use code of test/ahci.
The new SD card driver at 'os/src/drivers/sd_card/omap4' allows the use
of an SD card with the Pandaboard as block service. Currently, the
driver is using PIO, no DMA, and no IRQs. The driver can be tested using
the 'os/run/sd_card.run' script.
Rm_client is derived from Pager_object. If the Pager_object is also
derived from Thread_base (which is the case for NOVA) then the
Rm_client object must be destructed without holding the rm_session_object
lock. The native platform specific Thread_base implementation has to take
care that all in-flight page handling requests are finished before
destruction. On NOVA it is done by doing an IPC to the pager thread.
(performed in Pager_object::dissolve() in base-nova). The
called thread than executes its operation until end which also requires
in some cases to take the rm_session_object lock.
Since _client_slab insertion/deletion also must be performed
synchronized but can't be protected by the rm_session_object lock
because of the described dead_lock situation, we have
to use a synchronized allocator object to perform insertion and
deletion of Rm_clients.
Following deadlock happens when a Rm_client/Pager_object handles a page-fault
and concurrently the same object is dissolved (triggered by parent killing
the client).
The situation is as follows:
Page fault handling :
base-nova/src/base/pager/pager.cc : pf_handler() - lock pf_lock
base/.../core/rm_session_component.cc: pager() - lock rm_session
(in reverse_lookup())
Dissolve of Rm_client:
base/src/core/rm_session_component.cc: dissolve() - lock rm_session
base-nova/src/base/pager/pager.cc : dissolve() - lock pf_lock
The pf_lock is not required here during normal page fault handling,
since this pager object @NOVA is executed only by one and the same
thread and all critical operations inside the rm_session_object itself
are locked anyway. The only critical point is the destruction of the
Pager_object which is already handled in the both dissolve functions
of the rm-session_component (locking) and the pager_object (finalize
in-flight page faults).
Allocate exc_pt_sel inside Thread_base object
instead of pager object, since it is a thread
specific characteristic.
Same for freeing of the thread capabilities:
- ec, sc, rs, exc_pt_sel is thread specific
and has nothing to do in server nor pager object.
The invalid thread is specified as 0,0,-1 (ec cap, sc cap, sem cap).
The main thread is specified as 0,0,0.
The comparator identified "tid_main == tid_invalid" as equal,
which is obviously wrong.
The patch compares at least ec and sem cap.
Use semaphore down feature of NOVA to set the counter to zero.
If the semaphore was up()ed more than one time by impatient callers
(e.g. guys calling cancel_blocking) we make sure that the thread
really stops.
Don't allocate ec cap twice, in pager.cc and thread_start.cc.
Unmap of utcb has to be done in destructor of thread class, not
in pager class. Free capability selectors of ec and rs.
Invoke cancel_blocking before calling the
cleanup portal of the rpc_entrypoint. If a rpc_entrypoint
is blocked in a semaphore the cleanup call gets
stuck forever.
If nobody is blocked in a semaphore, nothing can be dequeued. If
the semaphore is used for signalling, there can be somebody in the queue,
but not necessarily.
This patch replaces the first attempt to resolve the ambiguity of using
the size_t type that occurred when 'loader_session.h' was included
alongside libc headers. Instead of explicitly qualifying each occurrence
of the type, the new solution defines 'size_t' within the 'Loader' namespace.
Fixes#253
The CML2 configuration system calls 'evn python' and expects version
2.x. So we check if python2 is installed when preparing Pistachio and
use the found version instead.
Fixes#264.
Some type size tests in the findutils source code expect the 'time_t' type
to be of the same size as the 'long' type, whereas the Genode libc defines
it as '__int64_t' for ARM. This patch disables these tests.
Fixes#262.
Eliminate prints to stderr for normal messages, because it leads to exceptional
returns in TCL-scripts e.g. when run-script is triggered by the autopilot even
if the script's return code itself will be zero.
In the create_builddir script the foc_x86_64 platform was missing
when adding x86-drivers to the etc/build.conf file. This lead to
failed run-scripts initiated by the autopilot tool.
The compiler complained about ambigous references when compiling a
lx_hybrid program using the loader session. Here are some error
messages:
genode/os/include/loader_session/loader_session.h:72: error: reference to 'size_t' is ambiguous
/usr/lib/gcc/i486-linux-gnu/4.4.5/include/stddef.h:211: error: candidates are: typedef unsigned int size_t
genode/base/include/base/stdint.h:25: error: typedef unsigned int Genode::size_t
genode/os/include/loader_session/loader_session.h:72: error: reference to 'size_t' is ambiguous
/usr/lib/gcc/i486-linux-gnu/4.4.5/include/stddef.h:211: error: candidates are: typedef unsigned int size_t
genode/base/include/base/stdint.h:25: error: typedef unsigned int Genode::size_t
...
This commit qualifies size_t using the Genode namespace which fixes
the compilation.
Make pxe optional and use by default grub.
For that to work we use objcopy to repack the elf64
file into elf32.
With this commit more tests succeed. Most
tests use 64M and with that pulsar even does not start
the hypervisor. With 96M more test run however that would
mean to adjust most of the run scripts ...
Without this patch the compilation failed with:
/usr/bin/ld: main.o: relocation R_X86_64_32S against
`vtable for Genode::Dataspace' can not be used when making a shared object;
recompile with -fPIC
main.o: could not read symbols: Bad value
collect2: ld returned 1 exit status
make[6]: *** [init] Error 1
For this patch the use of the hardening tool chain must be indicated
using the "hardening_tool_chain" SPECS entry within the file
<build>/etc/specs.conf
Fixes#79
Check that there is enough room for a typed item on the
UTCB. Otherwise deny to add the item and return false.
Enable explicitly a return unused warning to get the right
attention.
The UTCB of the thread cleaning up thread objects has been unmapped.
However the UTCB of the destroyed thread must be unmapped.
Objects must explicitly be made unreachable before cleaning up. The
server and pager objects must be unreachable before they can be freed.
Both object types are threads. Revoking the thread(EC) cap on NOVA
doesn't mean that the thread stops executing. All portals pointing to a
thread are still reachable by clients even if the last EC cap is gone in
user land. So it must be taken care that no portals are pointing anymore
to a thread when the associated objects are getting destroyed. This
commit handles this.
Additionally, even if the last portal is gone - there can be still an
ongoing request handled by such server/pager object/threads. For each
such object an additional portal is created. This object is called
'cleanup portal' and is only local to the object. After all portals are
revoked the cleanup portal is called. When the call returns we know that
nobody is anymore handled by the object since all remotely available
portals are gone.
Fixes#20
Use git to get recent kernels from github. Adjust NOVA patch to compile
with recent github version. Patch and use makefile of NOVA microkernel
to avoid duplicated (and outdated) makefile in Genode
Furthermore, this patch adds support for using NOVA on x86_64. The
generic part of the syscall bindings has been moved to
'base-nova/include/nova/syscall-generic.h'. The 32/64-bit specific
parts are located at 'base-nova/include/32bit/nova/syscalls.h' and
'base-nova/include/64bit/nova/syscalls.h' respectively.
On x86_64, the run environment boots qemu using the Pulsar boot loader
because GRUB legacy does not support booting 64bit ELF executables.
In addition to the NOVA-specific changes in base-nova, this patch
rectifies compile-time warnings or build errors in the 'ports' and
'libports' repositories that are related to NOVA x86_64 (i.e., Vancouver
builds for 32bit only and needed an adaptation to NOVAs changed
bindings)
Fixes#233, fixes#234
In 'Fs_file_system::open()' the call of '_fs.dir()' can throw a
'File_system::Lookup_failed' exception, which gets explicitly caught
with this patch.
Fixes#246.
This patch adds a new "terminal" file system type to Noux, which allows to
create a "character device" file that is connected to a Genode 'Terminal'
service.
The 'Terminal' session created by the file system has the label
"noux(terminal_fs)" to distinguish it from the 'Terminal' session
created by Noux itself.
Fixes#244.
This patch extends the RAM session interface with the ability to
allocate DMA buffers. The client specifies the type of RAM dataspace to
allocate via the new 'cached' argument of the 'Ram_session::alloc()'
function. By default, 'cached' is true, which correponds to the common
case and the original behavior. When setting 'cached' to 'false', core
takes the precautions needed to register the memory as uncached in the
page table of each process that has the dataspace attached.
Currently, the support for allocating DMA buffers is implemented for
Fiasco.OC only. On x86 platforms, it is generally not needed. But on
platforms with more relaxed cache coherence (such as ARM), user-level
device drivers should always use uncacheable memory for DMA transactions.
When creating a 'Child' object with an already active entrypoint,
session requests may arrive as soon as the '_process' is created. We
have to make sure that at least all parts of the 'Child' object needed
for serving 'session' requests are constructed. This is particularly
important for the '_policy' member.
The sysio's struct fields need to be properly set on each syscall. This
fixes a bug where the wrong fd is used after the first sendto syscall.
Also the minimal buffer size calculation uses the wrong size.
Fixes#235.
When sigma0 runs on a lower priority than the rest of the threads in the
system it might come to the point that while answering a page fault or
I/O memory area request the timeslice of the caller (core-pager) gets
fully consumed. As long as other threads are still executable and don't block
sigma0 won't do progress anymore, because it runs at the lowest priority.
This commit simply sets sigma0's priority to the highest in the system.
When invoking the bootstrap build in the L4RE build-system to create
a single elf-image containing all needed files to boot a scenario, don't
use the 'ENTRY' variable, but 'E' variable instead. Otherwise 'ENTRY'
might get overridden (dependent on the make-version). Moreover, using
'E' seems to be the way L4Re is expecting it has to be invoked.
Fixes#226
We are using bison to generate certain files when preparing the libc.
However the yacc(1) wrapper script is used instead of calling bison
directly which does not work if bison is not installed but the original
yacc(1).
Fixes#225. Fixes#227.
When core requests all RAM from sigma0 it normally unmaps page 0 so that
null-pointer dereferences are detected by a pagefault. The unmap syscall
in the Fiasco.OC base platform was used insufficiently in this particular
case.
The media player has been traded for the persistent storage topic
because the latter one naturally builds upon the just recently added
file-system interface. Furthermore, we defer the live CD until July as
we realized that we first need to overhaul low-level components such as
USB before the new live system can be expected to work as intended.
modexp512 and rc4-md5 code were missing for x86_64. The files are now
generated on openssl-prepare and will be used when building for x86_64.
Fixes#224.
By now the gmp-library works builds on x86/32bit only. The mpfr library
depends on gmp, so make both library dependent on the corresponding platform
variables. Look at the discussion of issue #135.
Use terminals for LOG output of L4Android scenario, as well as a terminal
session for the Linux terminal. Now everything can be used interactively
on one screen: the Linux/Android framebuffer, the Linux console, and the
LOG-output of L4Linux.
Introduce process global spin-lock for Cap_index's reference-counter
to avoid non-atomic increment/decrement of the counter. Here, we don't
use a static Spinlock object, because it's constructor wouldn't be
initialized before used for the first time.
The following fixes partly solve the problems triggered by the noux stress
test introduced by nfeske in issue #208.
* The check whether a capability exists in the Cap_map, and its insertion,
has to be done atomically
* While removing a capability it is looked up in the Cap_map via its id,
check whether the found capability pointer is the same like the looked up,
otherwise the wrong capability gets freed
* When a local capability is un- resp. marshalled, only the local pointer
gets transfered, not the redundant capability id
* Introduce several assertions and warnings to facilitate debugging
Some source files do not build with -O0 due to conflicting register
allocation and inline assembler constrains. We enforce optimization (O2)
for these files.
Also, I reduced the noise from warning messages induced by lazy handling
of "assignment discards ‘const’ qualifier" and "passing argument from
incompatible pointer type" in third-party sources.
This patch implements a simple Qt-based media player which is actually a
graphical user interface for the SDL-based 'avplay' media player from
'libav'. It starts 'avplay' as a child and shows its graphical output in a
'QNitpickerViewWidget'. The widgets for controlling the player state send
the according keyboard and mouse input events to 'avplay'.
The 'qt_avplay' player supports the following configuration options:
<mediafile name="..."/>
-> name of the media file to play
<framebuffer_filter name="..." ram_quota="..."/> (may appear multiple times)
-> name of a framebuffer filter service to filter the video output
Fixes#222.
This commit contains the initial port of OpenSSL to Genode. It certainly
needs some more work to get things straight - it compiles fine but does
not work because of a NULL pointer exception.
Noux/net adds network functionality to noux. Currently most basic
network related system calls including 'accept', 'bind', 'connect',
'listen', 'recv', 'send', 'shutdown', and 'socket' are implemented by
wrapping lwip's network functions.
At the moment noux/net is rarely usable, though it is possible to
use netcat to send a message to a netcat server which listen on a
given port in noux/net.
With this patch the SDL-based 'avplay' media player, which is part of
'libav', can be built. The run script expects a media file named
'mediafile' in the 'bin' directory.
Fixes#216.
The new 'dde_linux' repository will host device drivers ported from the
Linux kernel. In contrast to the original 'linux_drivers' repository,
'dde_linux' does not contain any 3rd-party source code. To download the
Linux kernel source code and extract the drivers, execute the 'make
prepare' rule of the top-level Makefile. The initial version of the
'dde_linux' repository comes with an USB driver. The porting methodology
follows the path of the Intel GEM port. Instead of attempting to provide
a generic Linux environment that works across drivers, each driver comes
with a specially tailored DDE.
The DDE consists of Genode-specific implementations of Linux API
functions as declared in 'lx_emul.h'. Most of these functions are
dummies that must merely be provided to resolve dependencies at the
linking stage. They are called by unused code-paths.
As of now, the USB driver support UHCI, EHCI on the x86_32 platform. I
exposes USB HID devices and USB storage devices via Genode's input-session
and block-session respectively.
The USB driver is accompanied with two run scripts 'run/usb_hid.run' and
'run/usb_storage.run'.
The Lua runtime library is built in two variants: ANSI C and C++. The
C++ provides all Lua API function with C++ linkage and uses C++
exceptions instead of setjmp/longjmp for protected execution of Lua
chunks.
The ported version of Lua is 5.1.5.
This commit adds a terminal_log component, and a run-script which demonstrates
its usage. The terminal_log component provides the LOG service, and prints
every log-output prefixed by the session-label via a terminal-session.
The new 'genode_envp' variable declared in '_main.cc' allows libc
plugins to supplying custom environment pointers to the main function.
This is needed by 3rd-party software such as GNU make, which expects the
environment pointer as third argument of the main function.
This patch introduces support for stacked file systems alongside new
glue for accessing file-system implementations provided via Genode's
new file-system-session interface.
Using stacked file systems, an arbitrary number of file systems (such
as tar archives or file systems implemented as separate Genode
components) can be composed to form one merged virtual file system.
An example is given via the 'ports/run/noux_bash.run' script. This run
script creates a virtual file system out of multiple tar archives each
containing the content of a particular GNU package. In addition, one
'ram_fs' is mounted, which enables Noux to perform write operations.
This way, the shell output can be redirected to a file, or files can
be saved in VIM.
Fixes#103.
This patch introduces the file-system-session interface, provides an
implementation of this interface in the form of an in-memory file
system, and enables the libc to use the new file-system facility.
The new interface resides in 'os/include/file_system_session/'. It
uses synchronous RPC calls for functions referring to directory
and meta-data handling. For transferring payload from/to files, the
packet-stream interface is used. I envision that the asynchronous design
of the packet-stream interface fits well will the block-session
interface. Compared to Unix-like file-system APIs, Genode's file-system
session interface is much simpler. In particular, it does not support
per-file permissions. On Genode, we facilitate binding policy (such as
write-permission) is sessions rather than individual file objects.
As a reference implementation of the new interface, there is the
new 'ram_fs' service at 'os/src/server/ram_fs'. It stores sparse
files in memory. At the startup, 'ram_fs' is able to populate the
file-system content with directories and ROM modules as specified
in its configuration.
To enable libc-using programs to access the new file-system interface,
there is the new libc plugin at 'libports/src/lib/libc-fs'. Using this
plugin, files stored on a native Genode file system can be accessed
using the traditional POSIX file API.
To see how the three parts described above fit together, the test
case at 'libports/run/libc_fs' can be taken as reference. It reuses
the original 'libc_ffat' test to exercise several file operations
on a RAM file-system using the libc API.
:Known limitations:
The current state should be regarded as work in progress. In particular
the error handling is not complete yet. Not all of the session functions
return the proper exceptions in the event of an error. I plan to
successively refine the interface while advancing the file-system
implementations. Also the support for truncating files and symlink
handling are not yet implemented.
Furthermore, there is much room for optimization, in particular for the
handling of directory entries. Currently, we communicate only one dir
entry at a time, which is bad when traversing large trees. However, I
decided to focus on functionality first and defer optimizations (such as
batching dir entries) to a later stage.
The current implementation does not handle file modification times at
all, which may be a severe limitation for tools that depend on this
information such as GNU make. Support for time will be added after we
have revisited Genode's timer-session interface (issue #1).
Fixes#54Fixes#171
The 'Session_policy' helper could not cope well with configurations that
contain nodes of a type other than '<policy>'. This patch improves the
policy matching by skipping non-policy nodes.
This patch implements a Genode-specific audio backend for SDL.
The audio volume (in percent) can be configured in the config file of the
SDL application:
<config>
<sdl_audio_volume value="100"/>
</config>
Fixes#204.
Due to recent changes on the Fiasco.OC platform, when building ldso
applications for this platform the std::terminate function is needed
by the ~Ipc_server destructor. So we've to add it to ldso's whitelist.
This commit introduces placement new/delete, and a constructor for
Heap::Dataspace objects. It fixes the usage of uninitialized Dataspace
objects when expanding the heap that lead to problems in conjunction
with Native_capability smart-pointer in base-foc. Please refer to
issue #203.
This patch increases the size of the JDB kernel object names buffer. The
original size was too small for some Genode scenarios and caused missing
thread names in the kernel debugger thread list.
Fixes#191.
This patch increases the stack size of entrypoint threads in the PCI and
PS/2 drivers, in the Terminal server and in the Signal service for 64-bit
Genode/Fiasco.OC built with -O0.
Fixes#198.
With this patch the Genode thread used by the QThread class gets deleted
when 'QThread::wait()' gets called and the timeout didn't trigger or when
'QThread::terminate()' gets called.
Fixes#193.
When unmarshalling capabilities it is checked, whether a capability with the
id was leaking, but this isn't done when creating a thread. Here the capability
is transfered indirectly via the thread state object. This patch checks for
old leakage capabilities while thread creation.
Due to recently introduces smart-pointers to Cap_index objects it's
necessary to always keep at least one reference as long as a corresponding
slot in the capability-space of a process is in use. This is especially
important for L4Linux that uses cap-slots directly without the given
abstractions of Genode.
The syscall l4_task_cap_equal almost returns false although the referenced
kernel-objects are equal. This patch changes the semantic of the syscall so
that whenever two capabilities refering the same kernel-object are compared
it will return true. Please refer to the discussion of the following mail
thread:
http://www.mail-archive.com/l4-hackers@os.inf.tu-dresden.de/msg05162.html
When a portion of the sliced heap gets freed, the corresponding block
gets removed from the list of blocks, and it's dataspace containing the
block gets detached, but it's destructor never gets called. This leads
to leaking capabilities, when Native_capability is implemented as
smart-pointer, because the destructor of Ram_dataspace_capability that
is part of the Block object gets never called.
Implements Native_capability as smart-pointer type referencing Cap_index
objects. Whenever capabilities are copied, assigned, constructed, or destructed
the reference-counter of the Cap_index is incremented/decremented. When it
reaches zero the Cap_index is removed from the process-global cap_map and
gets freed. Fix for issue #32.
Whenever Native_capability or its derivation Capaility is memcpy'd no copy-
constructor/assignment-operator is used and thereby implementation of
reference-counting gets impossible for these objects. Use object-oriented
means like e.g. copy-constructor instead.
The original loader service was primarily motivated by the
browser-plugin scenario presented on our live CD. The new version
implements a more general session interface, which widens the
application scope of the service and, at the same time, reduces its
implementation complexity.
The complexity reduction is achieved by removing the original limitation
of supplying the new sub system as a single binary blob only. The server
used to implement heuristics and functionality for dealing with
different kinds of blobs such as ELF images or TAR archives. This has
been replaced by a session-local ROM service, which can be equipped with
an arbitrary number of ROM modules supplied by the loader client prior
starting the new sub system. Even though the TAR support has been
removed, a separate instance of the 'tar_rom' service can be used within
the subsystem to provide the formerly built-in functionality.
If any operand of the '?' operator is of an unsigned type, the result
is unsigned by default. Thanks to Julian Stecklina for finding
this out.
Fixes#189.
This patch allows to configure the amount of RAM that GDB monitor should
preserve for itself. The configuration syntax looks as follows:
<start name="gdb_monitor">
<resource name="RAM" quantum="1G"/>
<config>
<target name="noux">
<preserve name="RAM" quantum="2M"/>
...
</config>
</start>
Fixes#190.
The new 'chroot' tool at 'os/src/app/chroot' allows for executing
subsystems within chroot jails on Linux. For using the tool, please
refer to the test case 'os/run/chroot.run'. Fixes#37
This patch enables the use of threads and locking mechanisms in SDL
applications. The 'pthread' libary is used as backend. Not all features
are currently supported.
Fixes#185.
With this patch clients of the RM service can state if they want a mapping
to be executable or not. This allows dataspaces to be mapped as
non-executable on Linux by default and as executable only if needed.
Partially fixes#176.
This patch reads program arguments from the config file and makes them
available to the application via the 'argc' and 'argv' arguments of the
'main()' function. The configuration syntax looks like this:
<config>
<arg value="...">
<arg value="...">
...
</config>
The 'value' attribute of the first <arg> node becomes 'argv[0]' and so on.
Fixes#184.
With this patch GDB monitor provides a 'config' file to the target. Its
content can be defined in the <config> sub node of the <target> XML node.
Fixes#179.
This patch introduces support for ROM sessions that update their
provided data during the lifetime of the session. The 'Rom_session'
interface had been extended with the new 'release()' and 'sigh()'
functions, which are needed to support the new protocol. All ROM
services have been updated to the new interface.
Furthermore, the patch changes the child policy of init
with regard to the handling of configuration files. The 'Init::Child'
used to always provide the ROM dataspace with the child's config file
via a locally implemented ROM service. However, for dynamic ROM
sessions, we need to establish a session to the real supplier of the ROM
data. This is achieved by using a new 'Child_policy_redirect_rom_file'
policy to handle the 'configfile' rather than handling the 'configfile'
case entirely within 'Child_config'.
To see the new facility in action, the new 'os/run/dynamic_config.run'
script provides a simple scenario. The config file of the test program
is provided by a service, which generates and updates the config data
at regular intervals.
In addition, new support has been added to let slaves use dynamic
reconfiguration. By using the new 'Child_policy_dynamic_rom_file', the
configuration of a slave can be changed dynamically at runtime via the
new 'configure()' function.
The config is provided as plain null-terminated string (instead of a
dataspace capability) because we need to buffer the config data anyway.
So there is no benefit of using a dataspace. For buffering configuration
data, a 'Ram_session' must be supplied. If no 'Ram_session' is specified
at construction time of a 'Slave_policy', no config is supplied to the
slave (which is still a common case).
An example for dynamically reconfiguring a slave is provided by
'os/run/dynamic_config_slave.run'.
The new 'swap' and 'realloc' functions are needed in scenarios where
'Attached_ram_dataspace' is used to implement double buffering. The
particular use case is the implementation of dynamic ROM sessions.
When the pager gets a pagefault, exception, pause, or wakeup request it's
always possible, that the corresponding thread gets destroyed between
receiving the message and looking up the thread's pager_object. This commit
unifies the check for a valid pager_object for each kind of requests to the
pager, thereby adds currently missing checks.
The build system overlays multiple source trees (repositories) such that
they can shadow libraries and include search paths. This patch extends
the shadowing concept to build targets. Furthermore, it streamlines the
build stage for generating library depenencies, reducing the processing
time of this stage by 10-20 percent. Fixes#165.
The 'copy_to' function turned out to be not flexible enough to
accommodate the Noux fork mechanism. This patch removes the function,
adds an accessor for the capability destination and a compound type
'Native_capability::Raw' to be used wherever plain capability
information must be communicated.
In applications that use ldso the main_thread_bootstrap() function is called
twice which results in the main thread's gate-capability to be inserted twice
in the Capability_map which results in an exception. Unfortunately at least
on ARM this exception cannot be handled that early, so this commit prevents
the exception by checking, whether the capability is inserted already or not.
Fixes#164.
When constructing a thread object its capability is inserted into the
capability map. Normally this is done by the ipc-unmarshalling code, but
in this case the thread-capability isn't transfered via normal IPC, but in
a special form via the thread_state object. In contrast to the unmarshalling
code, the thread-startup code doesn't check, whether the capability-map
already contains a deprecated entry with the same capability id before
inserting the thread's capability. This commit add the necessary check.
Moreover, a check is added to the insertion methods of the capability-map
to verify that capability-allocation didn't failed.
Removing a Cap_index from Capability_map in core can happen twice, via
Cap_session_component or destructor of a Cap_mapping. That it's checked
whether the index is part of the map before removing it. This patch puts
the check into the remove method, so both operations are within the same
lock context, to remove a race condition.
This is a follow up fix for commit d287b9d893
By commit d287b9d893 the Native_capability
class changed fundamentally in the Fiasco.OC platform code of Genode. Thereby
the cap_integrity test got incompatible with it. This commit introduces a
separate test implementation for Fiasco.OC that does semantically the same
like the old test. Please refer to issue #161.
By using the `compare_output_to` method from the run tool instead of using
regexp in the cap_integrity run-script, the test outputs the undesired lines
instead of just signaling that the test failed.
In the compare_output_to function in the run tool a check was introduced,
whether the given arguments are empty, and if so if the output string is it
too. Without this patch compare_output_to succeeded when the given pattern
was empty but output wasn't. Please refer to issue #162.
This commit introduces a Cap_index class for Fiasco.OC's capabilities.
A Cap_index is a combination of the global capability id, that is used by Genode
to correctly identify a kernel-object, and a corresponding entry in a
protection-domain's (kernel-)capability-space. The cap-indices are non-copyable,
unique objects, that are held in a Cap_map. The Cap_map is used to re-find
capabilities already present in the protection-domain, when a capability is
received via IPC. The retrieval of capabilities effectively fixes issue #112,
meaning the waste of capability-space entries.
Because Cap_index objects are non-copyable (their address indicates the position
in the capability-space of the pd), they are inappropriate to use as
Native_capability. Therefore, Native_capability is implemented as a reference
to Cap_index objects. This design seems to be a good pre-condition to implement
smart-pointers for entries in the capability-space, and thereby closing existing
leaks (please refer to issue #32).
Cap_index, Cap_map, and the allocator for Cap_index objects are designed in a way,
that it should be relatively easy to apply the same concept to NOVA also. By now,
these classes are located in the `base-foc` repository, but they intentionally
contain no Fiasco.OC specific elements.
The previously explained changes had extensive impact on the whole Fiasco.OC
platform implementation, due to various dependencies. The following things had to
be changed:
* The Thread object's startup and destruction routine is re-arranged, to
enable another thread (that calls the Thread destructor) gaining the
capability id of the thread's gate to remove it from the Cap_map, the
thread's UTCB had to be made available to the caller, because there
is the current location of that id. After having the UTCB available
in the Thread object for that reason, the whole thread bootstrapping
could be simplified.
* In the course of changing the Native_capability's semantic, a new Cap_mapping
class was introduced in core, that facilitates the establishment and
destruction of capability mappings between core and it's client's, especially
mappings related to Platform_thread and Platform_task, that are relevant to
task and thread creation and destruction. Thereby, the destruction of
threads had to be reworked, which effectively removed a bug (issue #149)
where some threads weren't destroyed properly.
* In the quick fix for issue #112, something similar to the Cap_map was
introduced available in all processes. Moreover, some kind of a capability
map already existed in core, to handle cap-session request properly. The
introduction of the Cap_map unified both structures, so that the
cap-session component code in core had to be reworked too.
* The platform initialization code had to be changed sligthly due to the
changes in Native_capability
* The vcpu initialization in the L4Linux support library had to be adapted
according to the already mentioned changes in the Thread object's bootstrap
code.
This patch provides an implementation of the '_nanosleep()' libc function,
which blocks on a timed semaphore for the given time, but at least 10ms.
This should result in better performance than creating a timer connection
on every call (for thread-safety), but could still be improved.
Fixes#158.
There seems to be a bug in Fiasco.OC, that is hard to reproduce. The scenario
discussed in issue #157 triggers it relatively often. When sigma0 handles
pagefaults of core on demand at runtime, at some point its reply ipc-message
gets stucked in the kernel. This commit touches all ROM-modules when the
platform is initialized in advance (like it was done for RAM etc. already
before).
Use multiple load store instructions for 32 byte chunks in ARM-specific
blit-function, analog to x86 variant. Make the blit-function of x86 a
generic one, and provide needed utility functions for ARM and generic code.
Please refer issue #147 for discussion.
We cannot trust signal imprints received with signals to represent valid
pointers to signal contexts. After a signal context has been dissolved
from its receiver, a signal corresponding to the context might still be
in flight. Hence, we need a facility to check received signal imprints
against the list of valid contexts at reception time. The new
'Signal_context_registry' is a very simple attempt to create such a
facility.
Introduce a new Noncopyable class, one can derive from to mark a class of
objects to be uncopyable. This way the compiler can check for any violations
for you.
Both the libc and the NOVA syscall bindings provide the definition of
PAGE_SIZE. In contrast to the libc, which uses a #define, the NOVA
syscalls uses a proper enum value. Thus, we can work around the conflict
by including the NOVA syscalls header prior the libc header. Fixes#152.
This bug was introduced by commit c9c21ad39c, where Fiasco_capability
was removed, and enums defined in that class scope went to the namespace
Fiasco. In L4Linux some references to Fiasco_capability remained.
This commit unifies the policy name for the template argument for
Native_capability_tpl to Cap_dst_policy, like suggested by Norman in the
discussion resulting from issue #145. Moreover, it takes the memcpy
operation for copying a Native_capability out of the template, which is
included by a significant bunch of files, and separates it in a library,
analog to the suggestion in issue #145.
Because we use to pass a policy class to 'Native_capability_tpl'
we can pass the dst type as part of the policy instead of as
a separate template argument. This patch also adds documentation
of the POLICY interface as expected by 'Native_capability_tpl'.
This patch unifies the Native_capability classes for the different kernel
platforms by introducing an appropriate template, and eliminating naming
differences. Please refer issue #145.
To give the platform developer more freedom in how the Native_capability
class is internally implemented (e.g. turning it into a smart-pointer),
this patch removes the memcpy operation, when transfering the parent-capability
to a new process from the generic code, and let the implementation of the
platform-specific Native_capability decide how the transfer has to be done.
Please refer to issue #144.
Introduce a factory-, and dereference method for local capabilities. These are
capabilities that reference objects of services, which are known to be used
protection-domain internally only. To support the new Capability class methods
a protected constructor and accessor to the local object's pointer is needed
in the platform's capability base-classes. For further discussion details please
refer issue #139.
The 'log2()' and 'log2f()' functions have been added in FreeBSD's libc
version 9.0.0, but they are missing in version 8.2.0, which is used in
Genode. This patch provides preliminary implementations of these
functions until the Genode libc gets updated to version 9.0.0 or above.
Fixes#143.
When introducing an avl-tree to re-find known capabilities in Fiasco.OC
(issue #112), the memory demand of apllications was slightly increased.
So we've to give the pl11x driver more memory by default. Fixes#140.
Separate spin-lock implementation from lock-implementation and put it into a
non-public header, so it can be re-used by the DDE kit's and Fiasco.OC's
capability-allocator spin lock. Fixes issue #123.
* This file is part of the Genode OS framework, which is distributed
* under the terms of the GNU General Public License version 2.
Some files were not shown because too many files have changed in this diff
Show More
Reference in New Issue
Block a user
Blocking a user prevents them from interacting with repositories, such as opening or commenting on pull requests or issues. Learn more about blocking a user.
