Instead of using a fixed command like picocom in the run tool,
it's better to have the flexibility to set the whole command that
connects to the serial device. Therefore, it's possible for instance
to connect to a remote serial device exported via TCP/IP by using tools
like socat.
This patch introduces a new platform 'linux_arm' for building and running
Genode/Linux on an ARM device.
Known limitations:
- libc 'setjmp()'/'longjmp()' doesn't currently save/restore floating
point registers
Fixes#746.
With this patch, 'liquid_framebuffer' can be reconfigured at runtime.
The configuration arguments are now provided as XML attributes, matching
those for 'nit_fb'. Furthermore, two new configuration options are added:
<config ...
resize_handle="off" - show/hide a resize handle widget in the lower
right window corner
decoration="on" - show/hide window decoration
(title bar and borders)
/>
Fixes#740Fixes#14
This is a first version of the AHCI driver. It supports SATA HDDs
with UDMA-133 only, up to 6 Gbps and native command queueing.
The more blocks one transfers with one command, the higher is the
chance that the driver produces a fatal handshake error. Nevertheless
the driver is stable with one block per ATA command. Although NCQ is
used the driver doesn't queue multiple commands simultanously.
The driver was tested with a western digital HDD "WDC WD2500BEVS-08VAT1
13.01A13" (250 GB) with hw_arndale (run/ahci) and foc_arndale
(run/ahci, run/l4linux: dd). SSDs were not tested.
Fix#706
The previous version of the PS/2 mouse backend manged mouse motion
events in a strange way, effectively throwing away most information
about the motion vector. Furthermore, the tracking of the mouse-button
states were missing. So drag-and-drop in a guest OS won't work. The new
version fixes those issues. For the transformation of input events to
PS/2 packets, a the Genode::Register facility is used. This greatly
simplifies the code.
This patch replaces the error-prone manual locking with the use of the
'Synced_interface' for the motherboard and the VCPU dispatcher. It also
removes all globally visible locks. Locks are now explicitly passed to
subsystems when needed.
This patch moves the implementation of the 'Arm::memory_region_attr'
function from the generic ARM code to the ARM v6/v7 specific code
to enable the customization of page-table bits depending on the
specific CPU core type. I.e., the ARM1176 apparently does not cope
well with setting the 'Tex::bits(2)' for MMIO mappings.
This patch eliminates calls of 'cmpxchg' prior enabling the MMU. This is
needed because the 'ldrex' and 'strex' instructions do not always work
with MMU and L1 cache disabled, i.e., on Raspberry Pi.
Changes GPIO session interface to a one-GPIO-pin-per-session style. Moreover,
this commit introduces a generic driver interface for GPIO drivers. Thereby
generalizes root- and session component for GPIO.
In issue #313 the SO_RCVBUF was intended to be enabled, however the current
lwip port looks for another define LWIP_SO_RCVBUF instead of LWIP_RCVBUF.
Fixes#716
If the target machine is connected locally one may specify
"serial" as target in the RUN_OPT variable to get the test output.
Used for panda and arndale on foc and hw.
Use RUN_OPT="--target ..." to select the backend test method.
Supported values so far:
qemu - qemu + grub bootloader (default)
qemu+pxe - qemu + pulsar bootloader (PXE)
amt - Intel AMT (reset+serial output) + pulsar bootloader
Related to issue #598
A run script which sends raw ethernet packets from the host machine to the
target machine. Three tests are implemented:
- The network_stat instrumented driver of usb_drv and net_drv
are used to get the raw receive performance of the network driver.
- A simple nic_session client is receiving from the un-instrumented network
driver raw ethernet packets.
- A bridge is added between driver and simple nic_session client.
genode_until_run can be called now with a spawn id to able to reattach to a
spawned process (amt, serial output). Run scripts can now call genode_until_run
multiple times.
Additionally, we do the cleanup of the remains of a previously failed
run prior creating the run directory. Otherwise, the directly creation
may fail because of a pending bindmount.
With this patch, the thread context area RM session gets created at
program startup to have the thread context area's virtual address range
reserved right from the beginning.
Fixes#734.
This patch implies that all Genode processes try to create an RM
session. So a route to the RM service must be present even for processes
that have only a single thread. Hence, the patch contains an update of
affected components.
lwIP only supports the 'AF_INET' domain, but doesn't check the 'domain'
argument of the 'lwip_socket()' function.
This patch avoids an error message from lwIP when the Arora browser
tries to connect a socket of the 'AF_LOCAL' domain.
Fixes#732.
The parent-service registry is populated on demand by the
'Loader::Child' whenever a prior unknown service is requested. Since the
number of parent services is limited, we expect the registry to settle
after a while. However, each loader session has a private instance of
a parent-service registry. So when creating and destroying loader
sessions, parent registries will be populated again and again. We
have to make sure to discard the entries along with the destruction
of a loader session to avoid the leakage of memory.
Issue #717
Try to free the metadata of a thread only if created by Genode. The code
did not cause any actual problems. I just stumbled over the inconsistency
while reviewing the code.
Enable optinal support for double buffering in the i.MX53 framebuffer
driver. This prevents flickering in certain scenarios, where applications
directly render in the framebuffer dataspace given by the driver.
* Simplify IPU register definitions using templates
* Distinguish between i.MX53 QSB and SMD board in driver
* Support IPU specific overlay mechanism by framebuffer session extension
With this patch, the 'libc_lwip_nic_dhcp' plugin provides the DNS server
address acquired by lwIP via DHCP in the file '/etc/resolv.conf'.
This feature can be disabled from the config file:
<libc resolv="no" />
The static network interface configuration attributes are now also a part
of the '<libc>' config node:
<libc ip_addr="..." netmask="..." gateway="..." />
Fixes#731.
This commit removes an endless loop, that occurred when the sd_card driver
called usleep, or msleep on its Timer_delayer object. Fixes#705
Also fixes the same problem for the Omap4 GPIO driver.
'Gratuitous ARP' broadcast messages are used to announce newly created
IP<->MAC address mappings to other hosts. nic_bridge-internal hosts
would expect a nic_bridge-internal MAC address in this message, whereas
external hosts would expect the NIC's MAC address in this message.
The simplest solution to this problem is to just drop those messages,
since they are not really necessary.
Fixes#709.
This patch adds the consideration of suddenly disappearing managed
dataspaces in the 'Rm_session_component::reverse_lookup' function.
Previously, this case resulted in a seamingly valid translation.
Fixes#701
This commit simplifies the creation of additional threads and VCPUs in L4linux.
By now, some Genode::Thread_base methods where overridden to use a Fiasco.OC
specific Cpu_session when creating threads.
Recent commit: 297538678e moved the actual creation
of the platform thread into the constructor of the generic Thread_base class.
Thereby the Vcpu class, which extended the Thread_base class, now unnecessarily
created two platform threads for each thread created via Vcpu. Nowadays, the
cpu_session capability is available via the Genode::env() environment. So we can
use the Thread_base parent class for the setup of the platform thread, and
afterwards create a Fiasco.OC specific cpu session client with the same cpu
session capability, Thread_base used for creation, to make use of the L4Linux
specific features of this interface (VCPU enabling, irq object creation etc.).
When destroying a thread, which was not bound to a protection domain via kernel
primitives beforehand, it is critical to change the pager and exregs the thread
in the destruction process. Therefore, this commit introduces two thread states:
DEAD and RUNNING. On the basis of the thread state, we can decide whether to
reset the thread before destroying it, or not.
This patch clears the terminal each time the menu appears and thereby
wipes away artifacts that might occur when combining terminal_mux with
kdb_uart_drv and the kernel prints messages directly.
This fixes issues with several HID keyboards by implementing
get_unaligned_le16(), which obviously may also fix other not-yet-known
issues. Hint: I had to look out for suspicious lines like follows in the
verbose log.
[init -> usb_drv] get_unaligned_le16 called, not implemented
Also, quirks for cherry keyboards are now applied.
Because the template instantiation rules of C++ do not deal well with
null pointers specified as '0', the constructor of 'Local_addr' was
instantiated for [T = int], which does not make sense. To avoid the
warning "cast to pointer from integer of different size", we need to
explicitly state that '0' is a pointer. In C++11, there is the 'nullptr'
keyword, but until we switch to this version, we have to state (void *)0.
In usb.inc all required Linux include files of the Linux code are looked up
by 'sed'ing through the files of SRC_C and SRC_CC. The Linux include files
are then added as dependency to the SRC_C and SRC_CC files and during dependency
resolution symbolic links to the lx_emul.h will be created.
In the platform specific usb.mk file there are the Linux driver files
added, but unfortunately after including usb.inc. So, for them no dependency
to any Linux include header file is generated and so no symbolic files are
generated.
If the driver code file is compiled as first, as for asix.c, the symbolic links
of the include files are missing and compilation fails.
Add the Linux driver code files to SRC_C before including usb.inc in the
platform specific usb.mk files.
Originally, a thread was created at core not before calling the 'start'
function. In order to configure the thread affinity before starting the
thread, we have to make the thread known at core right at construction
time. This patch moves the needed thread-creation sequence from the
'start' function to the '_init_platform_thread' function.
When L4Linux tries to allocate a dataspace of the size of its physical
memory, this allocation can fail, because the 'l4re_ma_alloc()' function
in the 'l4lx' library always tries to allocate a contiguous dataspace of
the given size and there might be no contiguous free area left.
With this patch, memory gets allocated in chunks: if the size to be
allocated exceeds the configured chunk size, a managed dataspace gets
created and filled with multiple memory chunks of at most the chunk size.
The chunk size is 16M by default and can be configured in an l4linux
config node:
<config args="...">
<ram chunk_size="16M"/>
</config>
Fixes#695.
Don't do anything in Mapping::prepare_map_operation. At this point and in the
current implementation, the memory has been mapped and cleared already. Touching
the memory may only pollute the cache causing data corruption in DMA memory.
Fixes issue #452
The KDB UART driver uses the Fiasco(.OC) kernel debugger console as backend
for input and output. This is useful in the case that only one UART is
available.
Fixes#665.
In this version of the transition the Hip structure from Genode is reused,
@nfeskes seoul_libc_support is used for the string functions and the
nul/config.h is replaced by just using a constant value in the one place where
the file was needed.
Related to #666.
- search for alternative virtual address regions upwards, starting from
the given start address, in the 'l4re_rm_attach()' and
'Region_manager::reserve_range()' functions
- don't treat memory locations above 0x80000000 in l4linux's virtual
address space as device memory
- align the start address of the vmalloc area according to the assumption
in 'devicemaps_init()'
Fixes#414.
Explicitly set default mode for legacy interrupts to not rely on kernel
default settings. This patch fixes the constantly busy IRQ threads for
IRQ 1 and 12 as soon as the PS/2 driver was loaded until the point when
the first IRQ occurred.
Remove the 'epit' variable from the generic imx31 and imx53 specification,
and only add it to base-hw specific i.MX specs. Thereby the EPIT timer
library gets build for base-hw only.
Moreover, fix some const-ness issues in the platform_timer implementation
for the EPIT timer.
Fixes#688.
The new core-internal 'Address_space' interface enables cores RM service
to flush mappings of a PD in which a given 'Rm_client' thread resides.
Prior this patch, each platform invented their own way to flush mappings
in the respective 'rm_session_support.cc' implementation. However, those
implementations used to deal poorly with some corner cases. In
particular, if a PD session was destroyed prior a RM session, the RM
session would try to use no longer existing PD session. The new
'Address_space' uses the just added weak-pointer mechanism to deal with
this issue.
Furthermore, the generic 'Rm_session_component::detach' function has
been improved to avoid duplicated unmap operations for platforms that
implement the 'Address_space' interface. Therefore, it is related to
issue #595. Right now, this is OKL4 only, but other platforms will follow.
This enables us to use the run scripts applied to a native machine equipped
with Intel's AMT. If the environment variables are correctly set up, the remote
test machine is reseted via 'amttool', then via 'amtterm' the serial output
is collected and the normal run script matching pattern for success/failure of
the run script are applied.
'amttool' and 'amtterm' are part of the package called 'amtterm' shipped with
the Linux distributions like Ubuntu, Debian and lot more.
Following environment variables are required, to run the run scripts with a
native AMT test machine:
PXE_TFTP_DIR_BASE - absolute path of TFTP directory
PXE_TFTP_DIR_OFFSET - relative path to PXE_TFTP_DIR_BASE where the config file
will be generated - named 'config-00-00-00-00-00-00'
AMT_TEST_MACHINE_IP - TCP/IP address of target AMT test machine
AMT_TEST_MACHINE_PWD - password of target AMT test machine
Issue #679
Since checking if the certificate is valid is not that important
(we currently do not check the signature of the archive which is the
bigger issue) we disable the checking to prevent certain wget version
from refusing to download the archive.
Fixes#681
mkisofs is the original ISO creation tool from cdrtools available on
many UNIX systems. genisoimage on the other hand is part of a mostly
unmaintained fork of cdrtools very specific to Debian Linux and its
derivates (e.g., Ubuntu). Fortunately, genisoimage (as we used it) is
completely invocation-compatible to mkisofs.
Fixes#627.
Instead of trying all PCI devices by a specific PCI driver, now the device or
the device class can be limited to the one actually supported by the specific
driver.
The "strncpy - not implemented" message appeared on the use of libpng.
Even though it did not cause trouble, spilling the log with such
easy-to-fix issues should better be avoided.
Bender fixes the serial output on modern PC hardware. Prior this patch,
it was used only when combined with pulsar. Now, we also use it when
booting via GRUB.
Allocate ever an extra page behind the commandline pointer. If it turns out
that this page is unused, because commandline was short enough, unmap the
memory and put the virtual and physical regions back to the allocator.
Fix#664
With this patch, the 'futex' syscall gets used for blocking and unblocking
of threads in the Linux-specific lock implementation.
The 'Native_thread_id' type, which was previously used in the
lock-internal 'Applicant' class to identify a thread to be woken up,
was not suitable anymore for implementing this change. With this patch,
the 'Thread_base*' type gets used instead, which also has the positive
effect of making the public 'cancelable_lock.h' header file
platform-independent.
Fixes#646.
Revoke the right to set the portal id (aka label) when it is not needed
anymore. Otherwise everybody in the system having a mapping of the portal can
reset the label to something we don't expect.
Issue #667
In base-fiasco, base-foc and base-pistachio, physical memory gets mapped
1:1 to core virtual memory. When the 'Ram_session_component' allocates
physical memory for a client, it zeroes out the corresponding area in
core's virtual address space and then maps the area to the client. If this
area overlaps with core's virtual thread context area (usually at
0x40000000-0x4fffffff), the stack of one or more core threads can get
overwritten.
To avoid this problem, with this patch, the thread context area gets
removed from the physical RAM allocator on these platforms.
Fixes#660.
Without the patch the signal cap was ever transferred to the timer session
when a usleep/msleep was called, even when unneeded. On base-nova this
causes the allocation of new capability indexes which are not freed up.
So the timer service run quickly out of indexes and get out of order...
Related to issue #1
This happened when I killed one of the genode clients which was
tracked via an expception_handler. In this case the wait4 syscall
returned 0 and the for(;;) was looped eternally. This caused an
100% CPU utilization for the core binary.
Make 'context_area_virtual_base' platform configurable. On Arndale, we
need to move the context area to a location that does not interfere with
the address range of physical memory.
The new terminal_mux server is able to provide multiple terminal
sessions over one terminal-client session. The user can switch
between the different sessions using the keyboard shortcut C-y,
which brings up an ncurses-based menu.
This patch moves the further reusable parts of the terminal into public
header files. It also slightly tweaks the color table to give all colors
a similar brightness level.
This patch moves the os/config examples to their respective run scripts,
removes some of them, and moves the priority example to the src/init
directory (where other examples are located).
Additionally, this patch adapts the OKL4-specific priority.run test to
the recent changes of the timer interface.
This base platform is no longer maintained.
For supporting the Microblaze CPU in the future, we might consider
integrating support for this architecture into base-hw. Currently
though, there does not seem to be any demand for it.
With the change of the Timer::Session interface, all scenarios that use
the timer use core's SIGNAL service. So we need to route sessions
accordingly.
In addition to the adaptation to the changed timer, this patch removes
some stale examples that predate the run tool and are no longer used.
This patch simplifies the way of how Genode's base libraries are
organized. Originally, the base API was implemented in the form of many
small libraries such as 'thread', 'env', 'server', etc. Most of them
used to consist of only a small number of files. Because those libraries
are incorporated in any build, the checking of their inter-dependencies
made the build process more verbose than desired. Also, the number of
libraries and their roles (core only, non-core only, shared by both core
and non-core) were not easy to capture.
Hereby, the base libraries have been reduced to the following few
libraries:
- startup.mk contains the startup code for normal Genode processes.
On some platform, core is able to use the library as well.
- base-common.mk contains the parts of the base library that are
identical by core and non-core processes.
- base.mk contains the complete base API implementation for non-core
processes
Consequently, the 'LIBS' declaration in 'target.mk' files becomes
simpler as well. In the most simple case, only the 'base' library must
be mentioned.
Fixes#18
With the use of the new timer interface, each timer client uses signals.
Hence, programs that have not used signals before will consume slightly
more quota. This is the case for the moon test (triggered on foc_x64_64
only).
The distinction between 'ipc.h' and 'ipc_generic.h' is no more. The only
use case for platform-specific extensions of the IPC support was the
marshalling of capabilities. However, this case is accommodated by a
function interface ('_marshal_capability', '_unmarshal_capability'). By
moving the implementation of these functions from the headers into the
respective ipc libraries, we can abandon the platform-specific 'ipc.h'
headers.
By using the build system's library-selection mechanism instead of many
timer targets with different 'REQUIRES' declarations, this patch reduces
the noise of the build system. For all platforms, the target at
'os/src/drivers/timer' is built. The target, in turn, depends on a
'timer' library, which is platform-specific. The various library
description files are located under 'os/lib/mk/<platform>'. The common
bits are contained in 'os/lib/mk/timer.inc'.
The 'Timer::Session::msleep' function is one of the last occurrences of
long-blocking RPC calls. Synchronous blocking RPC interfaces turned out
to be constant source of trouble and code complexity. I.e., a timer
client that also wants to respond to non-timer events was forced to be a
multi-threaded process. This patch replaces the blocking 'msleep' call
by a mechanism for programming timeouts and receiving wakeup signals in
an asynchronous fashion. Thereby signals originating from the timer can
be handled along with signals from other signal sources by a single
thread.
The changed interface has been tested on Linux, L4/Fiasco, OKL4, NOVA,
L4ka::Pistachio, Codezero, Fiasco.OC, and hw_pbxa9. Furthermore, this
patch adds the timer test to autopilot.
Fixes#1
Cap_sessions and portals created via the sessions are nowadays freed up during
c++ object destruction. Because of that the exception portals for a vCPU thread
get be revoked as soon as the cap_session object leaves its scope.
Keep one cap_session for the whole lifetime of the vmm to avoid disappearing
exception portals.
Related to #582.
The setup now uses nitpicker and nit_fb to display several instances of
vancouver. The guest OS binaries must be supplied in the
'<build-dir>/bin' directory manually.
Furthermore, the patch lets launchpad pass Block, Nic, and Rtc to the
parent.
Vancouver can now assign block devices to guests using the Block
interface. The machine has to be configured to use a specified drive,
which could be theoretically routed to different partitions or services
via policy definitions. Currently the USB driver only supports one
device. Genode's AHCI driver is untested.
If the session quota is too low, random pagefaults can occur on the
stack.
According to @Nils-TUD, it is necessary to protect the DiskCommit
messages with a lock against deadlocking with the timer. Observations
showed that this mitigates some problems with Gentoo on real hardware.
Vancouver is now able to use the Intel 82576 device model from NUL to
give VMs access to the network via the nic_bridge service. In order to
integrate the device model, it had to be renamed to i82576 due to XML
limitations. This is done by a patch applied via the 'make prepare'
mechanism.
Although current network card models in Vancouver panic if they can't
get a MAC address, the OP_GET_MAC hostop now fails gracefully in the
case where no nic_drv or nic_bridge is available.
The guest VM can now be provided with a framebuffer and keyboard input.
Mouse positioning of the guest is a problem. Because the PS2 model applies
some calculations to the movement values, it can happen that overflows mess
with the cursor. Therefore the handling was changed and only movements of 1
and -1 are sent. Since absolute positioning is not possible with PS2, we
have to live with this limitation until USB HID is implemented.
For the framebuffer size in Vancouver the configuration value in the machine
XML node is used. It is possible to map the corresponding memory area
directly to the guest, regardless if it is from nitpicker,
liquid_framebuffer or vesa_drv. The guest is provided with two modes (text
mode 3 and graphics mode 0x114 (0x314 in Linux).
Pressing LWIN+END while a VM has focus resets the virtual machine. Also,
RESET and DEBUG key presses will not be forwarded to the VM anymore.
It is possible to dump a VM's state by pressing LWIN+INS keys.
The text console is able to detect idle mode, unmaps the buffer from the
guest and stops interpreting. Upon the next pagefault in this area, it
resumes operation again. The code uses a simple checksum mechanism instead
of a large buffer and memcmp to detect an idle text console. False
positives don't matter very much.
When an EPT/NPT fault occurs during IDT vectoring, the original event must
be reinjected. Additionally we may have to inject an IRQ window if another
event is already pending.
core does not use POSIX threads when built for the 'lx_hybrid_x86'
platform, so we need to reserve the thread-context area via a segment in
the program to prevent clashes with vdso and shared libraries.
Fixes#639.
The default constructor didn't initialize all members, some of them holding
pointers. In the de-constructor the _name pointer was tried to free up, even
when it was not initialized.
Avoid any hassle for uninitialized members and just initialize it. Fixes
sporadic page fault on x86_64 base-nova.
Issue #155
Some shared libraries of the host system contain search paths for finding
other needed shared libraries. These paths get evaluated only by a native
linker. To find all needed shared libraries, with this patch, the host
linker is used to link hybrid applications.
Fixes#645.
reverts 68156918ee
"base: apply thread.cc fix of foc to base"
Depending on the context area a fixed location is calculated where the
memory for the stack is attached to. If the context area is released before the
detach call, the very same context area can be reused and memory for the new
stack is attached for a new thread. The detach of the old thread would then
revoke the mapping for the new thread which will cause a un-handled page fault.
Issue #549
Prior this patch the startup lock was not released if the call of
'_associate()' failed. In this condition, the caller of the constructor
was infinitely blocked.
During a ram_session->free call in 'core' the lock in core_env.h is taken.
Then in the ram_session::_free_ds implementation the dissolve function for the
dataspace is called. base-nova tries to make sure that the ds is not
accessible anymore by any kind of parallel incoming IPC by performing a
cleanup IPC. Unfortunately the dataspace_session implementation uses the very
same allocator in 'core' and may require to obtain the same lock as taken in
ram_session->free. This leads to a spurious deadlock on base-nova.
The actual free_ds implementation is mostly thread safe, since all used objects
inside there are already locked. The only missing piece is the _payload
variable. By changing the _payload variable in a atomic fashion there is no
need to lock the whole ram_session->free call which avoids deadlocks on
base-nova.
Fixes#549
The cleanup call must be performed already during the _dissolve function
shortly after the object at the cap_session is freed up. Otherwise there
is the chance that an in-flight IPC will find the to be dissolved function
again.
Bomb test triggered the case, that a already dissolved rpc_object was found
by a in-flight IPC. If the rpc_object was already freed up by alloc->destroy
the thread using this stale rpc_object pointer cause page-faults in core.
Fixes partly #549
As first step the rpc object must be freed up so that the kernel object
(portal) vanishes. Then the object must be removed from the internal object
pool list so that the object can't be obtained anymore. And then the cleanup
call can be performed (_leave_server_object) since now all names to the
rpc_object are gone.
Doing it in different order (as before the commit) there is a very very little
chance (but the bomb test triggers it occasionally) that the rpc_object can be
obtained again by an incoming IPC - even it is already scheduled for removal.
Fixes partly #549
If page faults are handled concurrently (as for base-nova) the traverse lookup
call in rm_session_component must be thread safe, which it isn't.
If the faulting area is backed by nested dataspaces which are managed by
various rm_sessions then a race happens under following circumstances
(triggered occasionally by the bomb test).
The traverse lookup may return a pointer to a rm_session of a nested dataspace.
If the rm_session is in parallel subject to destruction it happened that faults
got enqueued to the faulters list of the deleted rm_session and internally to
a list of the current rm_session of the Rm_client.
During destruction of the faulting Rm_client the associated rm_session will
be dissolved from the Rm_client, which leads to dereferencing the
dangling pointer of the already destructed rm_session.
On base-nova the memory of the rm_session object get unmapped eventually, so
that the de-referencing of the dangling pointer caused page faults in core.
The memory on other kernels inside core never get unmapped so that the
bug doesn't trigger visible faults.
The patch replace the keeping of a rm_session pointer by keeping a
capability instead. The rm_session object must be looked up now explicitly in
the Object_pool implementation, which implements proper reference counting on
the rm_session object.
Issue #549
Since we have now more than a handful patches to the vanilla kernel, we
better switch to a separate git repository in order to review and to maintain
the patches more effectively.
Remove the patches, they are already in the kernel branch.
Fixes#394
Warnings like the following:
warning: narrowing conversion of ‘((Genode::Platform_pd*)this)->Genode::Platform_pd::_space_id’ from ‘int’ to ‘Codezero::l4id_t {aka unsigned int}’ inside { } is ill-formed in C++11 [-Wnarrowing]
First make the clients inaccessible and dissolve them from the entrypoint. If
this isn't the first step the clients may be obtained again between
the unlock and lock steps in the destructor.
Additionally the clients may be removed in between the unlock and call
sequence, which renders such client pointers dangling and causes spurious page
faults. Keep instead a lock as long as possible and when it is required to
release a lock, then the pointer to the objects must be revalidated.
Replace the dissolve function with a remove_client implementation as suggested
by #13, which avoids that the cpu_session may call dissolve with a dangling
pointer of a already removed rm_client object. Instead the pager must be
released explicitly.
Related to issue #549
Related to issue #394
Related to issue #13
This patch removes the 'soname' link option for building the host
library for the 'lx_hybrid_ctors' test. Without this option, the
library's absolute path at build time gets hardcoded into the
application, which should be okay for this simple test case.
Fixes#638.
If we ran out of capabilities indexes, the bit allocator throws an exception.
If this happens the code seems to hang and nothing happens.
Instead one could catch the exception and print some diagnostic message.
This would be nice, but don't work. Printing some diagnostic message itself
tries to do potentially IPC and will allocate new capability indexes at
least for the receive window.
So, catch the exception and let the thread die, so at least the instruction
pointer is left as trace to identify the reason of the trouble.
Fixes#625
If an exception is thrown the lock is released automatically, so that
other callers may get a capability index if in between some are freed. Fixes
some deadlocks if Genode is short on capability indexes.
Related to #625
Currently, the hello run script of the hello_tutorial misses some services the
timer driver needs on various platforms. The hello_tutorial is meant for
educational purposes only. So it's desireable to keep it simple. Instead of
complexifying the configuration, this commit just removes the timer from the
example.
By now, the memcmp implementation of Genode's basic string utilities just
returned whether two memory blocks are equal or differ. It gave no hint which
block is greater, or lesser than the other one. This isn't the behaviour
anticipated by implementations that rely on the C standard memcmp, e.g. GCC's
libsupc++, or the nic_bridge's AVL tree implementation.
With this patch, the 'Signal_receiver::dissolve()' function does not return
as long as the signal context to be dissolved is still referenced by one
or more 'Signal' objects. This is supposed to delay the destruction of the
signal context while it is still in use.
Fixes#594.
With this change, init becomes able to respond to config changes by
restarting the scenario with the new config. To make this feature useful
in practice, init must not fail under any circumstances. Even on
conditions that were considered as fatal previously and led to the abort
of init (such as ambiguous names of the children or misconfiguration in
general), init must stay alive and responsive to config changes.
This patch improves the config handling by falling back to a static
string (empty "<config />") if no valid config ROM module could be
found. This can happen initially, but also at runtime when the ROM
module dissapears, e.g., a ROM module accessed via fs_rom where the
corresponding file gets unlinked.
This patch introduces keyboard-focus events to the 'Input::Event' class
and changes the name 'Input::Event::keycode' to 'code'. The 'code'
represents the key code for PRESS/RELEASE events, and the focus state
for FOCUS events (0 - unfocused, 1 - focused).
Furthermore, nitpicker has been adapted to deliver FOCUS events to its
clients.
Fixes#609
This patch extends the file-system interface with the ability to monitor
changes of files or directories. The new 'File_system::sigh' function
can be used to install a signal handler for an open node.
The 'ram_fs' server has been enhanced to support the new interface. So
any file or directory changes can now be observed by 'ram_fs' clients.
Fixes#607
Remove signal context object from signal source component list (_signal_queue)
before destruction, otherwise we get a dangling pointer.
On native hardware for base-nova, the signal source thread triggered page
faults in the Signal_source_component::wait_for_signal() method when the signal
context got freed up in Signal_session_component::free_context but was still
enqueued in Signal_source_component::_signal_queue.
Fixes#600
With this patch the destruction of Noux 'Child' objects gets delayed
further until the exit signal has been dispatched. This prevents the
self-destruction of the signal dispatcher, which is a member of the
'Child' object.
Fixes#603.
Several users of the signal API used custom convenience classes to
invoke signal-handling functions on the reception of incoming signals.
The 'Signal_dispatcher' pattern turned out to be particularly useful. To
avoid the duplication of this code across the code base, this patch
adds the interface to 'base/signal.h'.
Furthermore, the patch changes the 'Signal::num()' return type from int
to unsigned because negative numbers are meaningless here.
Fixes#511
When matching the 'label' session argument using '<if-args>' in a
routing table, we can omit the child name prefix because it is always
the same for all sessions originating from the child anyway. Therefore,
this patch adds a special case for matching session labels. It makes the
expression of label-specific routing more intuitive.
Add functionality to lookup an object and lock it. Additional the case is
handled that a object may be already in-destruction and the lookup will deny
returning the object.
The object_pool generalize the lookup and lock functionality of the rpc_server
and serve as base for following up patches to fix dangling pointer issues.
When releasing a lock we must take care that all state is written back to
memory and is not cached in registers. The volatile flag of the lock variable
only means to the compiler that this value must be written immediately.
Other values changed before may be kept by the compiler in registers, which we
don't want here.
Additionally the compiler is free to reorder the code in order to optimize.
That means the code we intend to be executed inside the critical section can
get be reordered and can be executed after we reset the lock variable in the
unlock implementation. The volatile statement of the lock variable doesn't
prevent reordering of instructions which are independent.
By adding a explicit memory barrier, we force the compiler to generate code
that writes back all the register content to memory/cache (and avoid a
bunch of hard to find bugs ...)
Merge core only libs into the target make-files.
Use base-hw specific Board drivers that inherit
from generic Board_base.
Use Page_flags::access_t instead of additional
page_flags_t.
Fix#570
As iPXE header files are not C++ compatible, the implementation missed
proper include directives. For example, alloc_memblock() had a wrong
signature, which was not detected. Now, C wrapper functions are
implemented using a local API to the C++ backend.
Related to #593.
With this patch, the loader installs an optional client-provided fault
handler as default CPU exception handler and RM fault handler for all
CPU and RM sessions of the loaded subsystem. This way, loader clients
become able to respond to failures occuring within the subsystem.
The new feature is provided via the added 'Loader::fault_handler' RPC
function.
The 'run/failsafe' test covers two cases related to the loader, which
are faults produced by the immediate child of the loader and faults
produced by indirect children.
The CPU session interfaces comes with the ability to install an
exception handler per thread. This patch enhances the feature with the
provision of a default signal handler that is used if no thread-specific
handler is installed. The default signal handler can be set by
specifying an invalid thread capability and a valid signal context
capability.
Furthermore, this patch relaxes the requirement of the order of the
calls of 'exception_handler' and 'set_pager'. Originally, the exception
handler could be installed not before setting a pager. Now, we remember
the installed exception handler in the 'Cpu_thread' and propagate to to
the platform thread at a later time.
With this patch, core responds to SIGCHLD signals of terminating Genode
processes by reflecting these events as exceptions to the CPU session
interface. This way, Genode processes become able to respond to
terminating Genode child processes.
Implement the same semantic like L4Re for the initialization of the initramfs
dataspace. Although, it didn't lead to problems right now, this commit might
prevent future problems.
With this patch hybrid applications get linked with the Genode GCC's
'crtbegin.o' and 'crtend.o' files instead of the host GCC's versions
to avoid compatibility problems. This only affects the 'linux_x86'
platform, since on the 'lx_hybrid_x86' platform the Genode GCC is the
host GCC.
Fixes#550.
It happens that ram_session and rm_session itself are invoking alloc
respectively free on the very same sliced heap inside core.
Lock only the sliced_heap list implementation and let the session locking to
the session implementation of rm_session and ram_session.
The ram_session and rm_session must take care to proper lock since inside
both implementations already the session handling thread and the service thread
are running parallel.
With commit 1389b63050 in thread.cc for base-foc
a bug was fixed, where the memory of the context got freed up before running
the de-constructor.
Apply the fix also to base and base-mb.
For base-nova thread creation related exception can be thrown, since the
Pager_objects are threads. Catch the exception and re-throw the
expected/documented exception in rm_session.
This commit avoids that core dies with an unhandled exception if a thread
couldn't be created (e.g. because the limit has been reached).
Sanity check that the context area has been attached. Otherwise the code
later tries to access the context area and core dies with a unhandled page
fault.
Open VCPU interrupts while the VCPU is in an IPC operation can badly influence
its state. That's why this commit fixes a whole bunch of places, where IRQs
weren't masked by now.
We have to take the block queue's spin lock before invoking the interrupt
routine, otherwise the AVL tree og Genode's block packet stream gets
corrupted.
If no platform thread was created before somebody destroys a thread object,
there is no valid UTCB available. Thereby, we've to check this before accessing
the UTCB when destroying a thread object.
This should ensure that the directory is created before trying to
create a file within it.
This hopefully fixes errors like the following when using parallel
builds:
checking library dependencies...
/bin/bash: line 19: var/libdeps: No such file or directory
make[5]: *** [init_libdep_file] Error 1
The Linux version of core used a part of the BSS to simulate access to
physical memory. All dataspaces would refer to a portion of 'some_mem'.
So every time when core would access the dataspace content, it would
access its local BSS. For all processes outside of core, dataspaces were
represented as files. This patch removes the distinction between core
and non-core processes. Now, core uses the same 'Rm_session_mmap'
implementation as regular processes. This way, the 'some_mem' could be
abandoned. We still use BSS variable for allocating core-local meta
data through.
Instead of allocating and freeing the space that is needed for the
kernel thread objects from core, wich is not convenient with the
quota system, platform thread now holds the space as array by
itself.
Unfortunately we cannot measure the space size by a static function
anymore, so kernel thread had to be moved from kernel.cc into its
own header. This way platform thread can use sizeof().
Fix#543
The Gentoo-specific section should be taken offline until the overlay
got updated.
Version 12.11 adds a binary package for x86_64 in addition to x86_32.
The generic 'sleep_forever()' function creates an Ipc_server object which
might not get cleaned up correctly when the thread gets destroyed and
unneeded capability references could remain and drain the capability index
allocator. With this patch a lock gets used on thread exit instead of
calling 'sleep_forever()'.
Fixes#538.
This patch reflects eventual allocation errors in a more specific way to
the caller of 'alloc_aligned', in particular out-of-metadata and
out-of-memory are considered as different conditions.
Related to issue #526.
In the recent change of the RPC-entrypoint destruction, the
'~Rpc_entrypoint' calls 'Thread_base::join'. Hence, we need to provide
an implementation wherever RPC entrypoints are used.
Revert the core-local mapping created in 'Ram_session_component::_clear_ds()'
and free the virtual memory region allocated for this mapping when a
RAM dataspace gets freed.
Fixes#416.
When finishing a block request in the L4Linux block stub driver,
we#ve to hold the queue lock before using __blk_end_request_all, or
simply use blk_end_request_all instead. Moreover, this commit simplifies
the lock/unlock behaviour when the block queue has to be stopped, or resumed.
Thanks to I. Ismagilov for these suggestions.
File_io_channel now includes ioctl() because pseudo devices which are
implemented as a file-system, e.g. /dev/tty, are controlled via ioctl()
requests. The method is exported to the Vfs through the Vfs_io_channel
class.
The random file-system provides an arc4 based urandom implementation
which is needed for OpenSSL.
NOTE: the Arc4random class currently _does not collect enough_ random
bytes!
We will reuse the terminal connection in the stdio filesystem
to implement /dev/tty. Therefor we need to access the terminal
from different locations which is simplified if it is provided
by a singleton.
This patch improves the life-time management of socket descriptors and
addresses several corner cases exposed by the 'bomb' test.
The lookup and association of file descriptors with global IDs have been
turned into an atomic operation. Otherwise, multiple threads interacting
with the singleton 'ep_sd_registry' may override each other's
associations.
Closing the socket pair used for the reply channel has been implemented
via the RAII pattern to capture all corner cases, in particular
exceptions.
If blocking operations are interrupted by signals, we throw a
'Blocking_canceled' exception.
We preserve core's socket descriptor at 'PARENT_SOCKET_HANDLE' to avoid
a corner case where the parent capability is going to dup2'ed to the
same handle.
Support for 'Thread_base::join' within core to enable leaving Genode via
Control-C.
This patch introduces clean synchronization between the entrypoint
thread and the caller of the 'Rpc_entrypoint' destructor. The most
important change is the handling of the 'Ipc_server' destruction. This
object is in the local scope of the server's entry function. However,
since the server loop used to be an infinite loop, there was hardly any
chance to destruct the object in a clean way. Hence, the
'Rpc_entrypoint' destructor used to explicitly call '~Ipc_server'.
Unfortunately, this approach led to problems because there are indeed
rare cases where the server thread leaves the scope of the entry
function, namely uncaught exceptions. In such a case, the destructor
would have been called twice.
With the new protocol, we make sure to leave the scope of the entry
function and thereby destroy the 'Ipc_server' object as expected. This
is achieved by propagating the exit condition through a local RPC call
to the entrypoint. This way, the blocking state of the entrypoint
becomes unblocked. Furthermore, '~Rpc_entrypoint' makes use of the new
'join' function to wait for the completion of the server thread.
The block count in DMA requests is limited to 8 bit. Therefore,
if a client requests more than 255 blocks in a single packet request,
split the request in a loop.
'Bender' can detect serial ports accessible via PCI and writes the I/O ports
to the Bios Data area (BDA).
Usage together with the PXE bootloader ease life running Genode/NOVA on native
hardware, where a standard serial device isn't available anymore anywhere.
We don't can use map_local_one_to_one for boot modules because it happens
that boot modules can be at addresses above physical 3G boundary for x86_32.
Defer the mapping of modules until the point where the core allocators
are set up properly and then remap the physical pages to virtual addresses
below 3G.
If the I/O ports are non default (3f8), we had to specify manually the correct
I/O ports. With this commit the BDA is read and the I/O port of the first
serial interface (COM) is taken. If no serial interface is available no device
configuration will be undertaken.
There is no obvious reason for having two different SPEC variables, definitions,
and pathes for the Pandaboard platform. It even lead to problems regarding the
omap4 framebuffer driver (look at issue #505 and #506).
By now there is no use case for read/write a single register
of a thread state. Thus the new syscalls 'read_thread_state' and
'write_thread_state' replace the old ones 'read_register' and
'write_register'.
Add 'resume_faulter' syscall that is similar to 'resume_thread', but
is called only when resuming a thread after resolving its pagefault.
This way the kernel can flush caches after resolving a pagefault. This is
because by now the MMU doesn't use caches when doing a pagetable walk.
'Page_flags' maps application-specific memory attributes
to the TLB-specific memory attributes. Thereby it avoids
functions with lots of parameters, by declaring appropriate
bitfields on a single POD value.
With this patch the make install target for Noux applications gets defined
in the 'NOUX_INSTALL_TARGET' make variable with 'install-strip' as default.
Fixes#503.
With this patch, custom UIDs and GIDs can be assigned to individual
Genode processes or whole Genode subsystems.
The new 'base-linux/run/lx_uid.run' script contains an example of how to
use the feature.
Fixes#510
On Linux, we want to attach additional attributes to processes, i.e.,
the chroot location, the designated UID, and GID. Instead of polluting
the generic code with such Linux-specific platform details, I introduced
the new 'Native_pd_args' type, which can be customized for each
platform. The platform-dependent policy of init is factored out in the
new 'pd_args' library.
The new 'base-linux/run/lx_pd_args.run' script can be used to validate
the propagation of those attributes into core.
Note that this patch does not add the interpretation of the new UID and
PID attributes by core. This will be subject of a follow-up patch.
Related to #510.
This ensures that the cwd of the process is within the chroot
environment, improving security for root processes.
The cwd after the chroot is the same as before, this is needed to
start binaries given as relative path name.
Using the new 'join()' function, the caller can explicitly block for the
completion of the thread's 'entry()' function. The test case for this
feature can be found at 'os/src/test/thread_join'. For hybrid
Linux/Genode programs, the 'Thread_base::join()' does not map directly
to 'pthread_join'. The latter function gets already called by the
destructor of 'Thread_base'. According to the documentation, subsequent
calls of 'pthread_join' for one thread may result in undefined behaviour.
So we use a 'Genode::Lock' on this platform, which is in line with the
other platforms.
Related to #194, #501
When an IPC server is finalized two important things should happen:
First, the association of the server socket with a capability must be
invalidated. And finally, the server socket pair (server side and client
side) must be closed.
Related to #38.
The IPC-server object exists solely on the stack of the entrypoint
thread and, therefore, would never be destructed as the thread is just
killed. Now, the object is explicitly destructed in the entrypoint
destructor. An alternative solution could instruct the entrypoint thread
the terminate, which would automatically cleanup its stack.
The object pool is assumed to be empty on destruction of the entrypoint.
If not, we warn and at least dissolve all RPC objects.
Set the right bg color instead of using a dimmed version of the fg
color. The colors are stored in the first 6 bits of the color index.
Thereby the first 3 bits contain the fg and the second 3 bits the
bg color.
The debug message in _handle_esc_seq5() now shows the sequence in
question.
Fixes#495.
Since the number of the fds in the select call is not necassarily equal
to the number of fds SYSCALL_SELECT returns we have to reset the number
of fds given as argument to select().
This keeps OpenSSH from reading from a non-ready socket.
Fixes#494.
Currently the lookup of a specific record in a tar archive may take a long
time, because the records get searched in sequence. With this patch a tree
structure representing the directory layout gets created when loading the
tar file for speeding up record lookups.
Fixes#491.
The previous implementation disregards the fact that we actually have
to use libc's plugin mechanism if we play with fds. So in the end the
libc did not know to which plugin the fd belonged.
Fixes#493.
You cannot check an unsigned size_t variable for underflow, so I
changed the code to first check if an underflow would occur before
performing the subtraction.
Fixes#489.
'Core_tlb' ensures that core never throws pagefaults,
in contrast to its base 'Tlb' that is planned to use displacement
in the future.
'Core_tlb' enables the application of differenet memory attributes
in core, according to the board specific partitioning of the physical
address space. This way it enables caching in core.
Enable caches. Core is not cached by now. This is because kernel
creates core space and doesn't know any memory attributes by now.
Cacheable pages are cached write-through without write-allocate.
Caching and write-combining is not supported for IOMEM by now.
Implement 'Signal_receiver::pending()'.
Provide display-subsystem MMIO.
Avoid method ambiguousness in 'Irq_context' in
'dde_linux/src/drivers/usb/signal/irq.cc'
(it derives from two list element classes when using 'base_hw').
Enables demo scenario with 'hw_panda_a2'.
Fix bug regarding idle thread in thread scheduling in
'base-hw/src/core/kernel.cc'.
Fix regarding signal submit in signal framework in
'base-hw/src/core/kernel.cc'.
Implies support for the ARMv6 architecture through 'base-hw'.
Get rid of 'base/include/drivers' expect of 'base/include/drivers/uart'.
Merge with the support for trustzone on VEA9X4 that came from
Stefan Kalkowski.
Leave board drivers in 'base/include/platform'.
Rework structure of the other drivers that were moved to
'base_hw/src/core' and those that came with the trustzone support.
Beautify further stuff in 'base_hw'.
Test 'nested_init' with 'hw_imx31' (hardware) and 'hw_panda_a2' (hardware),
'demo' and 'signal' with 'hw_pbxa9' (qemu) and 'hw_vea9x4'
(hardware, no trustzone), and 'vmm' with 'hw_vea9x4'
(hardware, with trustzone).
The new 'Uart::Session' interface is an extension of the
'Terminal::Session' interface that allows for configuring UART-specific
parameters, i.e., the baud rate.
This patch introduces principal support for extending session interfaces
with specialized functionality in a clean way. For example, an 'Uart'
interface may implement the 'Terminal' interface but also offers
additional functions for setting the baud rate. A service that
implements the 'Uart' service will then automatically announce both the
'Uart' and 'Terminal' services.
Extend tracking of delegated and of translated items. The additional
information is used to solely free up unused/unwanted mapped capabilities and
to avoid unnecessary revokes on capability indexes where nothing have been
received.
Fixes#430
Since FD_ZERO() resets a whole fd_set (which is 128 bytes) using it to
reset dst_fds will override otherwise used memory if the memory was
allocated dynamically and is less than sizeof (fd_set). So instead of
using this macro we reset the fd_set manually.
The Io_receptor is now used to unblock certain I/O channels from lwip's
callback-function.
There was also a bug in which all ready-to-ready fds were overriden by
the ready-to-write ones.
The Socket_io_channel class now uses the Io_channel_backend to provide
the network related methods. In addition the Socket_io_channel_registry
was replaced with a simpler implementation which uses Io_receptors to
unblock I/O channels from the callback-function of lwip.
This patch fixes the 'lx_hybrid_pthread_ipc.run' test. In order to use
the 'Genode::Lock' we need to set the SIGUSR1 handler to an empty handler.
Normally, this happens when creating a thread via the Genode API. But as
this test creates a thread via the pthread library and thereby bypasses
the Genode API, the signal handler remained unset.
Using the host compiler in this case seems to be an artifact from an
older change. On x86_64, this approach ended in unsable hybrid binaries
due to incompatible handling of non-trivial return values, i.e.
structures. See '-freg-struct-return' in GCC manual page:
"[...] If there is no standard convention, GCC defaults to
-fpcc-struct-return, except on targets where GCC is the principal
compiler. In those cases, we can choose the standard, and we chose
the more efficient register return alternative."
In other words: All x86_64 Linux systems break the ABI standard :-(
The thread ID reported to core was not always initialized prior the RPC
call. The 'startup_lock' ensures that the thread is completely
initialized before this information gets propagated.
Since the recent move of the process creation into core, the original chroot trampoline
mechanism implemented in 'os/src/app/chroot' does not work anymore. A
process could simply escape the chroot environment by spawning a new
process via core's PD service. Therefore, this patch moves the chroot
support into core. So the chroot policy becomes mandatory part of the
process creation. For each process created by core, core checks for
'root' argument of the PD session. If a path is present, core takes the
precautions needed to execute the new process in the specified chroot
environment.
This conceptual change implies minor changes with respect to the Genode
API and the configuration of the init process. The API changes are the
enhancement of the 'Genode::Child' and 'Genode::Process' constructors to
take the root path as argument. Init supports the specification of a
chroot per process by specifying the new 'root' attribute to the
'<start>' node of the process. In line with these changes, the
'Loader::Session::start' function has been enhanced with the additional
(optional) root argument.
When building in hybrid Linux/Genode mode, there exist two definitions
of 'size_t', one in the 'Genode' namespace and one imported from the
glibc headers.
On Linux, we use the session label for naming the corresponding Linux
process. When looking up the processes via 'ps', the Genode process
hierarchy becomes immediately visible.
Genode used to create new processes by directly forking from the
respective Genode parent using the process library. The forking process
created a PD session at core merely for propagating the PID of the new
process into core (for later destruction). This traditional mechanisms
has the following disadvantages:
First, the PID reported by the creating process to core cannot easily be
validated by core. Therefore core has to trust the PD client to not
specify a PID of an existing process, which would happen to be killed
once the PD session gets destructed. This problem is documented by
issue #318. Second, there is no way for a Genode process to detect the
failure of its any grandchildren. The immediate parent of a faulting
process could use the SIGCHLD-and-waitpid mechanism to observe its
children but this mechanism does not work transitively.
By performing the process creation exclusively within core, all Genode
processes become immediate child processes of core. Hence, core can
respond to failures of any of those processes and reflect such
conditions via core's session interfaces. Furthermore, the PID
associated to a PD session is locally known within core and cannot be
forged anymore. In fact, there is actually no need at all to make
processes aware of any PIDs of other processes.
Please note that this patch breaks the 'chroot' mechanism that comes in
the form of the 'os/src/app/chroot' program. Because all processes are
forked from core, a chroot'ed process could sneak outside its chroot
environment by just creating a new Genode process. To address this
issue, the chroot mechanism must be added to core.
This patch simplifies the system call bindings. The common syscall
bindings in 'src/platform/' have been reduced to the syscalls needed by
non-core programs. The additional syscalls that are needed solely by
core have been moved to 'src/core/include/core_linux_syscalls.h'.
Furthermore, the resource path is not used outside of core anymore.
Hence, we could get rid of the rpath library. The resource-path code has
been moved to 'src/core/include/resource_path.h'. The IPC-related parts
of 'src/platform' have been moved to the IPC library. So there is now a
clean separation between low-level syscall bindings (in 'src/platform')
and higher-level code.
The code for the socket-descriptor registry is now located in the
'src/base/ipc/socket_descriptor_registry.h' header. The interface is
separated from 'ipc.cc' because core needs to access the registry from
outside the ipc library.
Thanks to the exclusive use of SCM rights for delegating access rights
to memory objects and RPC entrypoints, Genode processes outside of core
won't need to access any files.
This patch changes the way of how dataspace content is accessed by
processes outside of core. Dataspaces are opened by core only and the
corresponding file descriptors are handed out the other processes via
the 'Linux_dataspace::fd()' RPC function. At the client side, the
returned file descriptor is then used to mmap the file.
Consequently, this patch eliminates all files from 'lx_rpath'. The
path is still needed by core to temporarily create dataspaces and
unix domain sockets. However, those files are unlinked immediately
after their creation.
This patch alleviates the need for any non-core process to create Unix
domain sockets locally. All sockets used for RPC communication are
created by core and subsequently passed to the other processes via RPC
or the parent interface. The immediate benefit is that no process other
than core needs to access the 'rpath' directory in order to communicate.
However, access to 'rpath' is still needed for accessing dataspaces.
Core creates one socket pair per thread on demand on the first call of
the 'Linux_cpu_session::server_sd()' or 'Linux_cpu_session::client_sd()'
functions. 'Linux_cpu_session' is a Linux-specific extension to the CPU
session interface. In addition to the socket accessors, the extension
provides a mechanism to register the PID/TID of a thread. Those
information were formerly propagated into core along with the thread
name as argument to 'create_thread()'.
Because core creates socket pairs for entrypoints, it needs to know all
threads that are potential entrypoints. For lx_hybrid programs, we
hadn't had propagated any thread information into core, yet. Hence, this
patch also contains the code for registering threads of hybrid
applications at core.
This patch eliminates the thread ID portion of the 'Native_capability'
type. The access to entrypoints is now exclusively handled by passing
socket descripts over Unix domain sockets and by inheriting the socket
descriptor of the parent entrypoint at process-creation time.
Each entrypoint creates a socket pair. The server-side socket is bound
to a unique name defined by the server. The client-side socket is then
connected to the same name. Whereas the server-side socket is meant to
be exclusively used by the server to wait for incoming requests, the
client-side socket can be delegated to other processes as payload of RPC
messages (via SCM rights). Anyone who receives a capability over RPC
receives the client-side socket of the entrypoint to which the
capability refers. Given this socket descriptor, the unique name (as
defined by the server) can be requested using 'getpeername'. Using this
name, it is possible to compare socket descriptors, which is important
to avoid duplicates from polluting the limited socket-descriptor name
space.
Wheras this patch introduces capability-based delegation of access
rights to entrypoints, it does not cover the protection of the integrity
of RPC objects. RPC objects are still referenced by a global ID passed
as normal message payload.
This patch adds prinicipal support for transmitting socket descriptors
as RPC payload. Socket descriptors are handled by the linux-specific
implementation of the capability marshalling and unmarshalling functions
in 'ipc.h'. The 'Message' type in 'src/platform/linux_socket.h' has been
extended to carry multiple descriptors in a single message.
Unfortuately, we hit a problem (and potential show stopper) here:
lx_sendmsg failed with -109 in lx_call()
The error code corresponds to ETOOMANYREFS. There is only one place in
the Linux kernel where this error code is used (net/unix/af_unix.c).
The code for 'unix_attach_fds()' suggests that there is a limit with
regard to the maximum number of references for a given Unix domain
socket. When the error occurs, core and init are running. The socket
of core's server entrypoint is present in the '/proc/pid/fd' of those
processes 8 times. The error occurs when core tries to perform an
RPC to the entrypoint to perform 'Ram_session::transfer_quota()'
(base/include/base/child.h at line 248).
By storing the reply socket descriptor inside the 'Ipc_ostream::_dst'
capability instead as part of the connection state object, we can
use the 'explicit_reply' mechanism as usual. Right now, we store
both the tid and socket handle in 'Native_capability::Dst'. In the
final version, the 'tid' member will be gone.
In the final version, the 'socket' will be the only member to remain in
the 'Dst' time. In the transition phase, we store both the old 'tid' and
the 'socket'.
This patch, which was originally created by Christian Helmuth,
represents the first step towards using SCM rights as capability
mechanism on Linux. It employs the SCM rights mechanism for transmitting
a reply capability to the server as argument of each IPC call. The
server will then send its respond to this reply file descriptor. This
way, the reply channel does not need to be globally visible anymore.
The bash-builtin 'pwd' command uses the 'st_dev' and 'st_ino' members of
the 'stat' struct to compare the path from the 'PWD' environment variable
with the path returned by 'getcwd()'. These members don't get set
correctly in Noux and therefore the 'pwd' command sometimes returns wrong
results when building Genode in Noux. With this patch the 'CURDIR' make
variable gets used instead of calling 'pwd'.
Fixes#454.
With this patch an error message gets printed in
'Allocator_avl_base::free()' if the given address is not the start address
of the allocated block.
Fixes#459.
Create the signal context object before the signal receiver object to get the
signal receiver destroyed before the signal context. This avoids a 'specified
signal-context capability has wrong type' warning when the signal receiver
tries to free its managed context on destruction.
Part of #448.
When building the Fiasco.OC kernel, and L4Linux within the Genode build system,
forward the CC, and CXX variables. It might contain useful tools like ccache,
or distcc to speed up compilation. Moreover, don't delete the MAKEFLAGS when
building Fiasco.OC. It hinders parallel builds.
Certain symbols from the libgcc_eh library in cxx that is linked with the
L4Linux kernel were resolved by using kernel internal implementations.
This lead to errors because the complete Linux kernel is built regparm=3.
This patch prefixes the appropriate symbols in the Linux Kernel and its
modules. Moreover, it fixes some warnings introduced by the latest update
to gcc 4.7.
g++ 4.4.5 outputs the following warnings in our code using the loader
session:
.../base/include/base/capability.h: In member function 'typename Genode::Trait::Call_return<typename IF::Ret_type>::Type Genode::Capability<RPC_INTERFACE>::call() const [with IF = Loader::Session::Rpc_view_geometry, RPC_INTERFACE = Loader::Session]':
.../base/include/base/capability.h:207: warning: 'ret.Genode::Capability<Loader::Session>::Return<Loader::Session::Rpc_view_geometry>::_value.Loader::Session::View_geometry::width' may be used uninitialized in this function
.../base/include/base/capability.h:207: warning: 'ret.Genode::Capability<Loader::Session>::Return<Loader::Session::Rpc_view_geometry>::_value.Loader::Session::View_geometry::height' may be used uninitialized in this function
.../base/include/base/capability.h:207: warning: 'ret.Genode::Capability<Loader::Session>::Return<Loader::Session::Rpc_view_geometry>::_value.Loader::Session::View_geometry::buf_x' may be used uninitialized in this function
.../base/include/base/capability.h:207: warning: 'ret.Genode::Capability<Loader::Session>::Return<Loader::Session::Rpc_view_geometry>::_value.Loader::Session::View_geometry::buf_y' may be used uninitialized in this function
This is easily fixed with providing a default constructor.
Because of the C++ rules regarding initialer lists code that used
them for View_geometry had to be modified to use a normal construction
call. In my tests only Nitpicker had to be changed.
Preparation of base-pistachio fails on Ubuntu with dash as /bin/sh as it
does not support non-POSIX features like brace expansion. In this case
expanding in the Makefile via $(addprefix ...) fixes this shortcoming.
With the update to L4ka::Pistachio, we no longer need to patch the
contrib sources. Our patch went upstream in the meanwhile.
Apparently, gcc-4.7 is picky about specifying the '-melf_i386' argument
at the command line of the GCC frontend. We need to make sure to use the
'-Wl,' prefix.
The eglgears application depends on 'sqrt'. With the old tool chain,
this symbol was resolved through the dependencies of the 'gallium'
library. This does not work anymore for the new tool chain.
A similar issue arised for avplay, where we need to explicitly
state the av components in the LIBS declaration of the target.
The terminal has a lot of bits that may be worth reusing outside the
single implementation. Those bits are now located at 'include/terminal'
in the gems repository.
Replacing the local name of a capability index object which exists in the
capability map can destroy the AVL tree order of the capability map. With
this patch the outdated object gets removed from the map and a new object
gets inserted afterwards.
Fixes#435.
After this commit "make prepare" uses HTTP, HTTPS, or FTP where possible
fvor downloading third-party source codes. This prevents problems with
strict firewall rules where only selected ports are usable.
Unfortunately, git.l4android.org does not support Git via HTTP and,
therefore, the sources need a working Git port (9418).
Fixes#443.
* Introduces Schedule_context
* Use fast-interrupts or normal interrupts
* Add mode-transition between secure/non-secure world
* Limit system resources for Genode apps due to non-secure world
This commit implements the newly introduced Vm session interface to be used
on top of TrustZone capable Armv7 CPUs. Therefore a new Schedule_context is
introduced in the kernel. Threads and Vms are both Schedule_contexts used
by the scheduler. In contrast to a thread a vm uses a different assembler
mode switch to the non-secure, virtual world, as well as another exception
is used, when the non-secure world is left. For both worlds to co-exist
the interrupt-controller needs to be configured, so that the secure (Genode)
world uses fast-interrupts only, and the non-secure world only legacy
interrupts.
The only TrustZone capable platform the base-hw kernel works on top of
is the CoreTile Express 9x4 for the Versatile Express motherboard. For a
virtual machine working properly on top some platform resources must be
reserved. Therefore there exist two flavours of this platform now, one with
the 'trustzone' spec-variable enabled, and one without. If 'trustzone' is
specified most platform resources (DDR-RAM, and most IRQs) are reserved
for the Vm and not available to the secure Genode world.
Driver definitions which are used by kernel/core in base-hw, and also by other
drivers (e.g. from the os repository) have to reside in the generic
base-repository, for instance some uart drivers. All drivers which are
interesting for one of the sites only (sp804 for timer driver, or
cortex_a9 cpu driver for base-hw) should reside in the respective repos.
Factorize cpu context out of Cortex A9 specific definitions. Moreover, there
is already a Cpu_state object containing all common ARM registers. We use
this as a base for the cpu context switching done by the base-hw kernel.
The Cpu_state class get extended by a cpu-exception field, that stores the kind
of exception raised when the corresponding context got interrupted. This
information is used not only by the base-hw kernel, but also by the TrustZone
VMM that is build currently.
The 'Cpu_state' in 'base/include/base/cpu_state.h' is not needed anymore.
Moreover, it's inconsistent with the architecture-specific definitions
of 'Cpu_state' that all reside in <cpu/cpu_state.h>.
By now all services in core where created, and registered in the generic
main routine. Although there exists already a x86-specific service (I/O ports)
there was no possibility to announce core-services for certain platforms only.
This commit introduces a hook function in the 'Platform' class, that enables
registration of platform-specific services. Moreover, the io-port service
is offered on x86 platforms only now.
By naming all board declaration (previously in base/include/drivers/board) the
same way, and putting them in platform-specific include-pathes, we save additional
declaration redirection in the base-hw kernel, and in driver definitions.
By adding a "mac=XX:XX:XX:XX:XX:XX" attribute/value pair to the nic_bridge's
configuration one can define the first MAC address from which the nic_brigde
will allocate MACs for it's clients. Note: that the least relevant byte will
be ignored, and ranges from 0-255. Fixes#424.
Areas of an attached dataspace which have never been accessed cannot get
unmapped. With this patch this case is not treated as error anymore.
Fixes#398.
There are certain programs that need gettimeofday(), e.g.
network-related tools like ping(1) etc. but also filesystem-related
programs like find(1) etc. and of course time-related programs like
date(1).
As there is currently no interface in Genode for actually using clock
devices like RTC on x86 (though there is a driver for it) we "abuse"
the timeout_scheduler thread to at least provide flow-of-time.
Noux: add clock_gettime() implementation
For now, only CLOCK_SECOND is supported.
Noux: add utimes() dummy
Fixes#401
The 'delete (void *)' operator gets referenced by compiler generated code,
so it must be publicly defined in the 'cxx' library. These compiler
generated calls seem to get executed only subsequently to explicit
'delete (void *)' calls in application code, which are not supported by
the 'cxx' library, so the 'delete (void *)' implementation in the 'cxx'
library does not have to do anything. Applications should use the
'delete (void *)' implementation of the 'stdcxx' library instead. To make
this possible, the 'delete (void *)' implementation in the 'cxx' library
must be 'weak'.
Fixes#419.
This patch moves the thread iterator function declarations in GDB
monitor's 'Cpu_session_component' above the 'CPU session interface'
comment, because these functions are not part of the CPU session
interface anymore.
Fixes#10.
In Genode's paravirtualized block driver a request cache is used to find again
Linux request structures via corresponding block-session packets. To work
correctly the cache needs to have at least the same size like the
block-session's queue-size.
Print Fiasco.OC kernel debugger messages into a file instead of a pipe
in the default l4linux run-script. Thereby rarely triggered issues by the
nightly running buildbot can be analyzed after the test failed.
Implement shared IRQs using 'Irq_proxy' class.
Nova: Added global worker 'Irq_thread' support in core and adapted Irq_session.
FOC: Adapted IRQ session code, x86 has shared IRQ support, ARM uses the old
model. Read and set 'mode' argument (from MADT) in 'Irq_session'.
OKL4: Use generic 'Irq_proxy'
Fixes issue #390
Added generic 'Irq_proxy' class to core includes (ported from base-okl4). It can
be used to implement shared IRQ support for various base platforms. It will
generate one thread per IRQ and unblocks waiting clients (IRQ sessions) upon
interrupt receipt.
Issue #390
GCC warns about uninitialized local variables in cases where no
initialization is needed, in particular in the overloads of the
'Capability::call()' function. Prior this patch, we dealt with those
warnings by using an (unreliable) GCC pragma or by disabling the
particular warning altogether (which is a bad idea). This patch removes
the superfluous warnings by telling the compiler that the variable in
question is volatile.
Formerly, GENODE_RELEASE just undef'd PDBG() which concealed bugs in
places PDBG was used, e.g., do to API changes. Unfortunately,
desparately disabling GENODE_RELEASE during bug hunt sometimes
introduced new errors. Now, PDBG is just a branch not taken but seen by
the compiler, which is able to produce warnings/errors when the API is
changed.
Fixes#378.
Unify handling of UTCBs. The utcb of the main thread is with commit
ea38aad30e at a fixed location - per convention.
So we can remove all the ugly code to transfer the utcb address during process
creation.
To do so also the UTCB of the main thread of Core must be inside Genode's
thread context area to handle it the same way. Unfortunately the UTCB of the
main thread of Core can't be chosen, it is defined by the kernel.
Possible solutions:
- make virtual address of first thread UTCB configurable in hypervisor
- map the utcb of the first thread inside Core to the desired location
This commit implements the second option.
Kernel patch: make utcb map-able
With the patch the Utcb of the main thread of Core is map-able.
Fixes#374
Noux actually uses the sp variable during thread creation and expects to be
set accordingly. This wasn't the case for the main thread, it was ever set
to the address of the main thread UTCB.
If during the file system iterations in the 'stat()', 'rename()' or
'mkdir()' funtions of the 'Dir_file_system' class any file system
returns an error code other than 'ERR_NO_ENTRY', return immediately.
Fixes#376.
Make sure unlock is called when 'global_mutex' reaches zero count. Add verbose
variable in order to disable some output. Disable irritating 'Overflow' messages
in 'sys_mbox_post' and 'sys_mbox_try_post' per default. This may happen and is
not an error, since the ring buffer is full and will be emptied eventually.
Remove priority from genode_org run script.
Should fix#347
The 'build.mk' file checks if the tool chain to be used supports the
'-static' and '-fno-stack-protector' flags, but this check always fails
for the current Genode tool chain because it cannot create executable
files without explicitly specifying the 'crt0' and library files to be
linked, which the check doesn't.
This patch removes the compiler check.
Fixes#358.
With this patch, when a child exits, all of its open file descriptors get
closed immediately. This is necessary to unblock the parent if it is
trying to read from a pipe (connected to the child) before calling
'wait4()'.
Fixes#357.
Use slab allocators for small object sizes, do it the usual way otherwise.
This patch is related to #363. Using this optimization may be a viable
alternative to switching to the FreeBSD's malloc implementation.
Use 'Nic::Packet_allocator', wait for acknowledgements if packet allocation
fails. Updated 'lwip.run' and 'genode_org.run' to support OMAP4 correctly. Use
memcpy to copy PBUFs
May resolve issue #347
Missing parantheses around the calculation of last byte address in a UDP
Packet led to dereferencing the wrong value, thereby the UDP checksum
calculation failed, whenever an odd byte-count UPD packet was calculated.
Many thanks to Markus Partheymueller who discovered this issue and its
resolution.
Don't map all memory of the VM at once, instead only the one permitted
by the memory model. Otherwise memory regions get mapped which must not,
where each instruction and memory access have to cause an exception in
order to emulate it step by step.
Classes in Vancouver expect to get zero initialised memory when using memory
from the heap. Some classes don't initialize member variables as they should
do.
The exception initialization and handling in gcc_eh allocates early (_main)
memory before executing main. In Vancouver the virtual
region from [0,VM size) must be reserved. Vancouver fails if the memory
allocated by the exception handling and the static objects was allocated
inside the [0, VM size) area.
To circumvent the situation allocate the first memory pieces for the heap
from the bss.
Reserve memory region for VM as early as possible before any other
memory allocation happens. Otherwise it could happen that heap
allocations will use part of the virtual region we require for the VM.
Move the context area close to the end of the virtual user available address,
so that Vancouver can obtain as much as possible of the lower virtual address
range for VMs.
Use virtual regions for memory used during core initialization behind context
area. Enables us to start Vancouver VMs up to 1280 MiB, which requires
large virtual regions of contiguous aligned memory.
Exclude used virtual regions of echo and of pager thread in core.
The alternative weighted scheduler might lead to some threads don't make
any progress anymore (take for example the signal test). So we have to use
the fixed priority scheduler also in the kernel configuration for 64 Bit.
The first metadata-block, which is inherent part of the allocator object
itself has a fixed size which isn't suitable enough for some 64bit platforms
(e.g. core's RAM-allocator on a 64bit platform with lots of different regions).
This commit let the block size be address-width aware.
In sigma0 normally no answer tag to a request/fault is created. It simply uses
the message tag received with the request. This doesn't work out when I/O ports
are requested. This patch constructs an appropriate answer tag. Moreover,
we have to enable I/O port protection in the kernel configuration.
The memory allocation heuristics in the usb driver provided by dde_linux
changed with the recent commit 71b2b42936.
Apparently, the new variant requires a larger memory pool. Increasing
the quota is a temporary fix until the memory allocator gets revisited.
This commit comprises the following changes to enable L4Linux to use several
CPUs:
* change default configuration for x86 and ARM
* add atomic cmpxchg operation to l4re library
* implement l4_sleep (per thread)
* enable setting affinity for VCPUs and IRQs
* move "per CPU" section within linker-script (x86 only)
* introduce SMP run-script for pandaboard
* deactivate direct scheduler (Fiasco.OC syscall) access by L4Linux
The recently added 'Genode::Path' class makes it easy to create absolute
paths. With this patch the 'ffat_fs' server uses the 'Genode::Path' class
where possible instead of working with 'f_chdir()' and relative paths.
This also solves the problem reported in issue #355, which was caused by
storing a relative file name in the 'File' node.
Fixes#355.
The 'find' program can abort if the 'gettimeofday()' function returns -1,
which it currently does. With this patch the 'gettimeofday()' returns a
dummy time instead to prevent such a termination.
Fixes#353.
With this patch the 'Vfs_io_channel::lseek()' function takes the offset
argument into account when calculating the new seek offset in the SEEK_CUR
and SEEK_END cases.
Fixes#352.
With this patch, when a 'Packet_alloc_failed' exception occurs in the
'write()' function, the function waits for a packet acknowledgement and
the release of the packet and then tries the packet allocation again.
Fixes#348.
Every 64-bit binary is effectively 4M too big currently [0]. The GNU linker ld
aligns the text section of the binary to the maximum page size. On i386
the default section alignment is fixed typically to 4K.
Avoid wasting mainly 4M on x86_64 by telling the linker the max page size to
be 4K.
[0] http://sourceware.org/ml/binutils/2009-04/msg00099.html
This patch introduces the functions 'affinity' and 'num_cpus' to the CPU
session interface. The interface extension will allow the assignment of
individual threads to CPUs. At this point, it is just a stub with no
actual platform support.
This patch adds libstdc++ to libports. With the previous version of the
stdcxx library, the build system used the C++ standard library that
comes with the compiler. This mechanism was prone to inconsistencies of
types defined in the header files used at compile time of the tool chain
and the types provided by our libc. By building the C++ standard library
as part of the Genode build process, such inconsistencies cannot happen
anymore.
Note that the patch changes the meaning of the 'stdcxx' library for
users that happened to rely on 'stdcxx' for hybrid Linux/Genode
applications. For such uses, the original mechanism is still available,
in the renamed form of 'toolchain_stdcxx'.
The old values were much too small and the current ones are probably to
large but the TCP send throuhgput has increased noticeable (a few MiB/s
on the Pandaboard).
Fixes#343.
The Cap_mapping abstraction in core shouldn't use a Cap_index directly, but
use Native_capability instead, as it can break reference-counting, as long as
the same Cap_index gets used in a Cap_mapping and a Native_capability. This
commit finally fixes#208.
This commit fixes several issues that were triggered e.g. by the
'noux_tool_chain' run-script (fix#208 in part). The following problems
are tackled:
* Don't reference count capability selectors within a task that are actually
controlled by core (all beneath 0x200000), because it's undecideable which
"version" of a capability selector we currently use, e.g. a thread gets
destroyed and a new one gets created immediately some other thread might
have a Native_capability pointing to the already destroyed thread's gate
capability-slot, that is now a new valid one (the one of the new thread)
* In core we cannot invalidate and remove a capability from the so called
Cap_map before each reference to it is destroyed, so don't do this in
Cap_session_component::free, but only reference-decrement within there,
the actual removal can only be done in Cap_map::remove. Because core also
has to invalidate a capability to be removed in all protection-domains
we have to implement a core specific Cap_map::remove method
* When a capability gets inserted into the Cap_map, and we detect an old
invalid entry with the dame id in the tree, don't just overmap that
invalid entry (as there exist remaining references to it), but just remove
it from the tree and allocate an new entry.
* Use the Cap_session_component interface to free a Pager_object when it
gets dissolved, as its also used for allocation
Let the Fiasco.OC base platform succeed the cap_integrity run-script meaning
that it is not feasible anymore to fake a capability by using a valid one
together with a guessed local_name.
On systems that use multiple UHCI/EHCI controllers, synchronize access to low
level interrupt handler. Let 'device_may_wakeup' return 1, so suspended
controllers will send interrupts upon device connection. Make sure URBs are
shutdown upon disconnect.
Fixes#332
With this patch environment variables always get stored as zero-separated
strings in buffers of type 'Sysio::Env'. This fixes the problem that
environment variables with non-alphanumeric characters did not get set
correctly in child processes.
Fixes#340.
Change the uid/gid entries in the stat syscall to have the same values
on all filesystems that are used in the current noux-instance according
to the specified values in noux' config.
Fixes#338.
Programs use the errno value to check which error exactly occured.
It is mandatory for non-blocking I/O, e.g. connect() gets the current
state of the connection by looking at the returned errno values.
Fixes#337.
The cpu_session interface fails to be virtualized by gdb_monitor because
platform-nova uses an extended nova_cpu_session interface.
The problem was that threads have been created directly at core without
knowledge of gdb_monitor. This lead to the situation that gdb_monitor didn't
know of all threads to be debugged.
Tunnel the additional parameters required on base-nova through the state()
call of the cpu_session interface before the thread actual is started.
The kernel provides a "recall" feature issued on threads to force a thread into
an exception. In the exception the current state of the thread can be obtained
and its execution can be halted/paused.
However, the recall exception is only delivered when the next time the thread
would leave the kernel. That means the delivery is asynchronous and Genode has
to wait until the exception triggered.
Waiting for the exception can either be done in the cpu_session service or
outside the service in the protection domain of the caller.
It turned out that waiting inside the cpu_service is prone to deadlock the
system. The cpu_session interface is one of many session interfaces handled by
the same thread inside Core.
Deadlock situation:
* The caller (thread_c) to pause some thread_p manages to establish the call
to the cpu_session thread_s of Core but get be interrupted before issuing
the actual pause (recall) command.
* Now the - to be recalled thread_p - is scheduled and tries to invoke another
service of Core, like making log output.
* Since the Core thread_s is handling the session request of thread_c, the
kernel uses the timeslice of thread_p to help to finish the request handled
by thread_s.
* Thread_s issues the actual pause/recall on thread_p and blocks inside Core
to wait for the recall exception to be issued.
* thread_p will leave not the kernel before finishing it actual IPC with
thread_s which is blocked waiting for thread_p.
That is the reason why the waiting/blocking for the recall exception taking
place must be done on NOVA in the context of the caller (thread_1).
Introduce a pause_sync call to the cpu_session which returns a semaphore
capability to the caller. The caller blocks on the semaphore and is woken up
when the pager of thread_p receives the recall exception with the state of
thread_p.
The 'fd_set' size calculation in the current version of the 'poll()'
function results in an amount which is smaller than the size of the
'fd_set' data type. With this patch the file descriptor sets get
allocated as plain stack variables.
Fixes#335.
This patch implements a service which provides the contents of a tar
archive via the 'File_system::Session' interface.
Configuration:
<config>
<archive name="tar_archive.tar" />
<policy label="label_of_client" root="/rootdir/for/client" />
</config>
Fixes#333.
Certain programs tend to set their sockets non-blocking. As previously
descriptors in Noux were only blocking we now introduce a method to mark
the used Io_channel as non-blocking.
There are certain programms which check if an fd is open by calling
fcntl(fd, F_GETFL, ...). So to keep them happy we return true if
such an request was done to our terminal fd's.
Explanation why --disable-rpath-hack is needed:
When building on pistachio_x86 $(LDFLAGS) contains '-L[...]/l4/lib'
which will be transformed by autoconf to '-rpath [...]/l4/lib'.
Now the problem at hand is that we pretend to be FreeBSD when we are
actually not. So autoconf assumes it is valid to use '-path' when it
is actually not.
Also we use zlib for (de)compressing gzipped streams/files instead of
calling gzip as this currently somewhat buggy.
These device are mandatory for most programs (well, at least null
is required to be present for a POSIX compliant OS, which Noux is
actually not). But for proper shell-script support we will need
them anyway.
There are certain programs which need the information that is stored in
'struct passwd'. This commit introduces configurable user information
support to NOUX.
One can set the user information via <user> in NOUX config:
! <config>
! <user name="baron" uid="1" gid="1">
! <shell name="/bin/bash" />
! <home name="/home" />
! </user>
! [...]
! </config>
When <user> is not specified default values are used. Currently these
are 'root', 0, 0, '/bin/bash', '/'.
Note: this is just a single user implementation because each Noux instance
has only one user or rather one identity and there will be no complete
multi-user support in Noux. If you need different users, just start new
Noux instances for each of them.
Removes getpwent.c from build because the passwd facilities provided by
the FreeBSD libc will not be used anyway and add stub functions instead.
Now services which need these functions have to implement their own
(e.g. libc_noux).
Apparently, GNU make 3.81 picks the generic '%.h' rule instead of the
more specific 'rpc/%.h' rule during the preparation of the libc.
Changing the order of the rules solves the problem.
libc_resolv is a {free,get}addrinfo() plugin, mainly for use with NOUX.
We prefix the original libc functions to with 'libc_' so there is no
symbol conflict with file_operations.cc.
Most of the libs are needed for DNS related stuff. Since we now
have libc_resolv they are not longer needed. Infact they will
lead to undefined symbols so we remove them alltogther as build
dependency for the libc.
Previously there was not actual timeout handling. If a select() call
set an timeout it would be set to zero instead and was always handled
as blocking i/o. While this works fine for file descriptors which
will be triggerd externally (for example vim through terminal i/o) it
does not work at all for socket descriptors and network operations in
general.
So this commit introduces proper timeout handling and changes the
behaviour of SYSCALL_SELECT so that it now returns more than just
one descriptor at a time.
noux/minimal and noux/net now depend on thread and alarm libraries.
Noux used to trace syscalls by default, which significantly slows down
its execution. This patch disables the tracing by default. It can be
enabled by specifying 'trace_syscalls="yes"' attribute to the Noux
configuration.
This patch resolves a problem with running 'noux_gdb.run'. Right at the
start, GDB would output a message like:
...cli-script.c:1614: internal-error: called with NULL file pointer!
A problem internal to GDB has been detected,
further debugging may prove unreliable.
Quit this debugging session? (y or n)
The LOG output hints at the cause of the problem:
[init -> noux -> /bin/genode-x86-gdb] fcntl: F_GETFL for libc_fd=3
Thanks to cproc for the fix!
The directory specified by --prefix is not only used to determine
the install location but is also used by -rpath. Therefor it is
better to use $(DESTDIR) to install the binaries to the right
directory and to use --prefix to express the actual location within
NOUX.
This patch adds lighttpd as noux package. However, we do not use the
original build system but rather compile lighttpd directly from the
Genode build system. This is needed because we want to statically link
lighttpd modules into the binary. This mode is (somehow) supported by
the SConscript that comes with lighttpd. However, the GNU build scripts
do not expose this feature.
The port of lighttpd at 'ports/src/app/lighttpd' executes the web server
directly (w/o using Noux). It is accompanied by the lighttpd.run script.
At the current stage, lighttpd is starting up but fails because of an
unsupport fcntl call.
In the current form, only PROT_READ is supported. This case is emulated
by copying the file content into new allocated backing store. Even
though the performance benefits of mmap-using code will not be
preserved, code that relies on mmap can be executed via the libc_noux
or libc_fs plugins, i.e. lightttpd.
Multiple calls to get the dataspace capability on NOVA lead to the situation
that the caller gets each time a new mapping of the same capability at
different indexes.
The client/caller assumes to get every time the very same index, e.g. in
Noux the index is used to look up structures.
Cache the dataspace capability returned via a rm_session for base-nova.
On both 32-bit and 64-bit platforms, 'uint64_t' can be defined as
'unsigned long long', which is the type expected by the %llx
format-string specifier. By unifying the type definitions, we resolve
warnings about unmatching type specifiers. This patch also removes
redundant words from the typedefs.
As of lwip-1.4.x this is not needed anymore because lwip
now always creates a loopback device. This plug-in will
be removed in the future but for now keep it around so
we currently do not need to update the other targets that
depend on it.
Fixes#329.
The bash configure script cannot detect if the 'getcwd()' function in
Genode's libc works correctly, so it assumes that it is broken and makes
bash use its own version of this function. With this patch bash uses the
libc version, which has a Noux-specific implementation in the 'libc_noux'
plugin.
Fixes#324.
The new version works fine but there is an issue with connect()
that needs the included patch:
There is no actual handling of EALREADY in lwip. It sets errno
to EALREADY when the connection was established. Unfortunatly this
is really bad because most programs expect to receive errno EISCONN
if the connection was successfully established. So this behaviour
breaks Qt4 and several noux/net packages (like lynx) because those
programs end up in an endless loop trying to connect via an already
connected socket. The longterm solution would be fixing the wrong
behaviour in lwip (there are already bug-reports on lwip's mailinglist)
but for now, it works well enough to simple change lwip's err_to_errno
table to set errno to EISCONN when the connection was established.
The generic parent_cap.cc overwrote the beginning of the data segment with
to much. Reserved are solely 16 byte, for 64bit we use however 32byte.
Actually, the parent_cap copying is not required at all. The parent cap
selector is at a fixed define place, so that no exported symbols are required
for determination of the parent_cap.
Remove it.
Required to start thread on Genode/NOVA. Without the service it fails with:
int main(): --- init created, waiting for exit condition ---
[init] timer: no route to service "CPU"
[init -> test-moon] Starting ldso ...
[init -> timer] C++ runtime: Genode::Parent::Service_denied
[init -> timer] void* abort(): abort called
Certain rpc headers are needed for compiling getaddrinfo.c. Unfortunatly
that means we have to generate _a few_ header files which we do when we
prepare the libc.
These header files need to be created before the symlinks. Also, some of
these header files depend on a patch. Therefore we apply the patches
first, generate the header files and in the end we create the symlinks.
Fixes#296.
Since no kernel objects can be created anymore outside Genode::core,
the Vancouver port must be adjusted to use solely the Genode interfaces.
The Vcpu_dispatcher creates all portals via the cpu_session interface and
uses the feature to setup a specific receive window during a IPC (the
cap_session::alloc IPC) to place to be received/to be mapped capability
(virtualization exception portal) at the designed indexes.
The actual vCPU thread extends from a normal Genode::Thread and extends it
by specific vCPU requirements, which are a larger exception base window and
the need by Vancouver to place the SM and EC cap at indexes next to each other.
Fixes#316
Extend Native_capability type to hold a specific selector index where the to
be received cap during a IPC should be mapped to. This feature is required to
place created caps by the cap_session at specific indexes. This feature is
used by Vancouver to setup the virtualization exception portals (created by
the cap_session) at the intended indexes.
Patch prevents following bugs:
* In sleep_forever the thread return from semaphore down if cap is revoked
during destruction of a thread. This causes an endless loop consuming time
not available for other threads.
* In lock_helper and cap_sel_alloc the thread return from the lock() method
even if the semaphore down call failed because of an revoked semaphore.
This lead to the situation that a thread subject to de-construction returns
from the lock method, but not holding the lock, entering the critical section
and modifying state inside the critical section. Another thread in parallel
already in the critical section or entering the critical section also
modifies the state. This lead to curious bugs ...
* thread_nova, thread_start, irq_session
Detect early bugs if the SM is gone unexpectedly where it should never
happen.
Vancouver recalls the vCPU in the vCPU dispatcher code. Enable the right bit
in the mapped native cap so that Vancouver actually is able to perform this
operation.
It now can hold a right bit used during IPC to demote rights of the to be
transfered capability.
The local_name field in the native_capability type is not needed anymore
in NOVA. Simplify the class, remove it from constructors and adapt all
invocations in base-nova.
Unfortunately local_name in struct Raw is still used in generic base code
(process.cc, reload_parent_cap.cc), however has no effect in base-nova.
MsgBuf has to keep the number of received capabilities in order
to free/know correctly unused and unwanted capabilities. Explicitly
call rcv_msg->post_ipc to store this information in a MsgBuf.
Don't reset rcv_msg in ipc.cc, since this is used during
un-marshalling of caps in ipc.h afterwards. The MsgBuf is reseted when its
de-constructor is called.
With this patch solely the local ids are used, no global unique ids
are transfered anymore during IPC.
demo.run, signal.run, noux_tool_chain.run works up to the same
point as before the patches for issue #268.
Fixes#268
Unfortunately, another kernel patch is required for Genode/NOVA to get rid
of global unique ids for objects (issue #268).
Kernel patch:
If a translate of a object capability item inside the same PD
(receiver/sender in same PD) is not successful then he very same item is
returned instead of the null item.
Genode:
Some code in Genode try to map/translate the "root" (the first instance of a)
object capability within the same PD. The translate fails since it is the
first cap and was not delegated beforehand. Instead the cap gets mapped to a
new capability index due to xlt_rcv kernel item patch.
The new local object capability index is used to lookup manged objects
in lists, which however fails because the object is only known by the original
object capability index.
Unfortunately, this happens not only once. Below one example trace and
description is attached.
There are several possible solutions possible:
* Find all places in Genode and replace normal function calls between objects
with IPC calls, such that all capabilities can be translated during IPC.
** Time consuming to find all spots
** Rather platform specific issue requires re-adjustments in generic Genode
code
** Not trivial to ever remember this fact during development of new components
[other platforms have not such a issue, however have global object ids]
** Neither good in terms of performance.
* Use some special system call to the kernel to be able to translate a given
capability index as long until you find the requested original index.
(Obviously ... no comment).
* Kernel patch as this one.
* <your proposal>
Example trace + code description showing the behavior above:
int main(): --- create local services ---
int main(): --- start init ---
[0] DEL OBJ PD:0xc000aa80->0xc000aa80 SB:0x000000aa RB:0x000000ac O:0x00 A:0x1f
int main(): transferred 42 MB to init
[0] DEL OBJ PD:0xc000aa80->0xc000aa80 SB:0x00000120 RB:0x0000013c O:0x00 A:0x1f
[0] DEL OBJ PD:0xc000aa80->0xc000aa80 SB:0x0000016c RB:0x00000168 O:0x00 A:0x1f
Setup ELF failed
[0] XLT OBJ PD:0xc000aa80->0xc000aa80 SB:0x00000168 RB:0x0000016c O:0x00
unknown exception?
int main(): --- init created, waiting for exit condition ---
thread - file - line - text
-------------------------------------------------------------------------------
thread A - [ 0] - 228 - new Core_child(... rom_session.dataspace() ...)
thread A - [ 1] - 27 - IPC call - ask for dataspace cap
thread B - [ 2] - 49 - function - return dataspace cap index 0x120
thread A - [ 1] - 27 - IPC returned - map 0x120 -> 0x13c, translate failed
thread A - ...
thread A - [ 3] - 231 - call _setup_elf()
thread A - [ 3] - 60 - call env->rm_session()->attach()
thread A - [ 4] - 35 - do dataspace object lookup (0x13c)
thread A - [ 4] - 36 - lookup failed (object known as 0x120), throw Exception
thread A - [ 3] - 61 - catch Exception -> return error code "0"
thread A - [ 3] - 233 - "Setup ELF failed" - because error code "0"
File legend:
[0] base/src/core/main.cc
[1] base/include/rom_session/client.h
[2] base-nova/src/core/include/core_rm_session.h
[3] base/src/base/process/process.cc
[4] base-nova/src/core/core_rm_session.cc
Kernel patch:
Introduce a transfer item type to express that a cap should be translated
and if this fails to map it instead.
It would be possible without this combined transfer item type however
with additional overhead. In this case Genode/NOVA would
have to map and translate all caps used as parameter in IPC. It would look
like this:
* If the map and translation succeed, the cap at the new cap index
would have to be revoked. Then the translated cap index can be used.
* If the map succeeds and the translation fails then the mapped cap index
can be used.
* It would become complicated when multiple caps are mapped and translated
and only some of the translation succeed. In such cases Genode would have
to figure out the right relation of translated/mapped and not
translated/mapped caps. It would require to make some assumption about the
order how translated/mapped caps are reported at the UTCB by the kernel.
All the points above lead to the decision to create a separate transfer item
type for that.
Genode:
Most the times the translation succeeds, mapping of caps happens either
seldom. This takes now a bit the pressure of not enough aligned receive
cap windows as described in issue #247.
The patch mainly adds adjustments to handle the
translated and mapped caps correctly especially during freeing of the
receive window (don't free translated cap indexes).
Fixes#268
The additional quota is needed because of the recent performance
optimizations of the USB/networking code, e.g., to support the
increased NIC packet-stream buffer size.
Added SKB bitmap allocator, use Nic::Packet_allocator in packet stream, use slab
allocators on top of back-end AVL allocator, split allocators in cached/uncached
for general purpose/DMA allocation, added patch to original code to distinguish
cached or uncached memory requests, take advantage of and implement TX bursts
(or SKB batching), call interrupt handlers until they return unhandled.
Make calls using IPCs IRQ safe, handle packet exhaustion, removed
'Packet_pool', tweak TCP rmem and wmem buffer sizes to show better performance
results, use 'Net::Packet_allocator, fix 'update-patch' Makefile command
Avoid the use of deprecated 'MASK' enum in CPU register 'Asid'.
Enable the use of the 'K' bit in MMU translations.
Treat any try to modify existing valid entries in section- and
pagetables when doing 'insert_translation' as error.
Beautify concerned files.
By allocating the packet-stream dataspace for block sessions as
uncached, we can use DMA to directly read and write into the client
buffer. Currently, the OMAP4 SD-card driver is using this feature.
With this patch, the driver code gets complemented with DMA support.
The support for master DMA, in turn, cleared the way for using
interrupts to wait for the completion of transfers, which largely
relieves the CPU compared to the polling PIO mode. Consequently, the new
version has a much lower CPU footprint.
In the current version, both modes of operation PIO and DMA are
functional. However, PIO mode is retained for benchmarking purposes only
and will possibly be removed to keep the driver simple. It is disabled
in the driver's 'main.cc'.
This patch replaces the jiffies thread in 'sd_card/omap4/bench' calls to
'Timer::Session::elapsed_ms()'. This way, we use wall-clock time for the
measurements. Depending on the load of the rest of the system, the
previous version used to accumulate the inaccuracy for each 'msleep'
call.
For 64-bit registers we cannot compute MASK and SHIFT values via enums
because enum values are always of type int. But we can use static member
functions instead. Furthermore, the patch fixes the type trait for
64-bit registers. (apparently, this access width was never used so far)
The enable the use of 'Attached_ram_dataspace' objects as DMA buffers,
we need to pass the 'cached' flag to the constructor. By default, the
dataspace is cached, which corresponds to the original behaviour.
The Demo of 64bit Genode/NOVA fails during the booting phase when
physical memory was tried to be mapped lying above 4G boundary.
(qemu -m 4096 triggered it on some systems). The memory never got
mapped and the attempt to access the virtual region resulted
in a unexpected page fault inside Genode core.
The latest revision removed the artificial boundary of 4G for 64bit.
Example trace showing the issue:
([-1] lines show debugging output that mapping failed)
...
int main(): --- create local services ---
int main(): --- start init ---
int main(): transferred 4047 MB to init
int main(): --- init created, waiting for exit condition ---
start new pager object with EIP=0x1025814, ESP=0x6001000
[init] Could not open file "ld.lib.so"
start new pager object with EIP=0x10213e4, ESP=0x6001000
start new pager object with EIP=0x1037684, ESP=0x6001000
start new pager object with EIP=0x1021664, ESP=0x6001000
start new pager object with EIP=0x101e374, ESP=0x6001000
start new pager object with EIP=0x10295a4, ESP=0x6001000
start new pager object with EIP=0x1037db4, ESP=0x6001000
[init -> pci_drv] PCI driver started
[init -> launchpad] Could not open file "ld.lib.so"
[init -> launchpad] Could not open file "config"
[init -> launchpad] Could not obtain config file
[init -> ps2_drv] Detected ExPS/2 mouse - activating scroll-wheel and 5-button support.
[init -> ps2_drv] Using keyboard with scan code set 1 (xlate).
[init -> timer] Timer::Timeout_scheduler::Timeout_scheduler(Platform_timer*, Genode::Rpc_entrypoint*): starting timeout scheduler
[init -> vesa_drv] int Framebuffer_drv::map_io_mem(Genode::addr_t, Genode::size_t, bool, void**, Genode::addr_t, Genode::Dataspace_capability*): fb mapped to 1000
start new pager object with EIP=0x101eaf0, ESP=0x401fef80
[init -> timer] Timer::Session_component::Session_component(Timer::Timeout_scheduler*, Genode::Cap_session*): created new session component, _session_cap.valid=1
start new pager object with EIP=0x1021d10, ESP=0x400fef80
start new pager object with EIP=0x1021d10, ESP=0x401fef80
[init -> vesa_drv] Could not open file "config"
[init -> vesa_drv] Could not obtain config file
[init -> vesa_drv] Found: VESA BIOS version 2.0
[init -> vesa_drv] OEM: VGABIOS Cirrus extension
[init -> vesa_drv] Found: physical frame buffer at 0xfc000000 size: 0x00400000
[init -> vesa_drv] int Framebuffer_drv::map_io_mem(Genode::addr_t, Genode::size_t, bool, void**, Genode::addr_t, Genode::Dataspace_capability*): fb mapped to 400000
[init -> nitpicker] framebuffer is 1024x768@1
[init -> nitpicker] create session with args: fb_format=1, label="launchpad", ram_quota=1646592
[init -> nitpicker] Could not open file "config"
[init -> nitpicker] Could not obtain config file
[init -> nitpicker] create session with args: fb_width=400, fb_height=1504, fb_format=1, label="launchpad", ram_quota=1211392
[ 0] DEL MEM PD:0xffffffff8100d620->0xffffffff8100d320 SB:0x00100000 RB:0x00002a00 O:0x08 A:0x7
[-1] Pd::delegate snd->S::tree_lookup(0x100000) == 0x0 -- base-nova/contrib/src/pd.cpp:54 - Pd::snd 0xffffffff8100d620 =? Pd::kern 0xffffffff8100d620
[ 0] DEL MEM PD:0xffffffff8100d620->0xffffffff8100d320 SB:0x00100100 RB:0x00002b00 O:0x05 A:0x7
[-1] Pd::delegate snd->S::tree_lookup(0x100100) == 0x0 -- base-nova/contrib/src/pd.cpp:54 - Pd::snd 0xffffffff8100d620 =? Pd::kern 0xffffffff8100d620
[ 0] DEL MEM PD:0xffffffff8100d620->0xffffffff8100d320 SB:0x00100120 RB:0x00002b20 O:0x02 A:0x7
[-1] Pd::delegate snd->S::tree_lookup(0x100120) == 0x0 -- base-nova/contrib/src/pd.cpp:54 - Pd::snd 0xffffffff8100d620 =? Pd::kern 0xffffffff8100d620
[ 0] DEL MEM PD:0xffffffff8100d620->0xffffffff8100d320 SB:0x00100124 RB:0x00002b24 O:0x01 A:0x7
[-1] Pd::delegate snd->S::tree_lookup(0x100124) == 0x0 -- base-nova/contrib/src/pd.cpp:54 - Pd::snd 0xffffffff8100d620 =? Pd::kern 0xffffffff8100d620
[ 0] Killed EC:0xffffffff823ca880 SC:0xffffffff823cb740 V:0xe CS:0x2b EIP:0x1215a0 CR2:0x2b25fff ERR:0x6 (PT not found)
sgr0 is currently implemented as a wrapper of sgr(0) which
seems to work fine.
For now we accept but ignore certain sgr sequences like for
example [0;10;1m which is generated by lynx even when using
TERM=linux (I am not sure yet if that's actually valid at all).
Our FreeBSD libc based libc defines SOL_SOCKET as 0xffff. We change
lwip's definition from 0xfff to match ours. This prevents us from
converting the level when we call {g,s}etsockopt.
Fixes#292.
libcrypto provides certain optimized assembler functions which
unfortunatly are non-pic. Therefore this asm code is removed
and libcrypto is build with -DOPENSSL_NO_ASM.
Because the asm code is not needed anymore, its generation is
also removed from openssl.mk.
import-libssl.mk was also added because it is essential for building
programs which depend on libssl.
Fixes#291.
Fixes#294.
When opening a new file, a new Fs_vfs_handle is created but with the
initial mode set to 0 which is not expected by functions like fdopen()
that check if the original flags given to the open() call match the
returned ones on the used fd.
Fixes#289.
Though the initial commit contains nicer looking color definitions
it is easier to spot wrong colors when using a program that uses
ncurses like for example lynx.
Fixes#284.
Added support for more than one UHCI controller. Make sure the 'PIRQ' bit in the
legacy support register (PCI config space) of the UHCI controller is enabled and
also that the 'Trap on IRQ' bit is disabled. Fix offset bug in PCI-config space
emulation for Linux.
Fixes#282
The code intended to stop after the first failed attempt,
however the bool variable to control this was reseted
inside the loop and so it endless loops.
Fixes#51
If a thread has been deleted the thread object at the cpu_session was never
freed which caused the cpu_session quota to be exhausted as reported in
issue #150.
Fixes#150
Be bit more robust.
* Don't use addresses and sizes larger than
32 bit address boundaries.
* Don't take modules of size 0, at address 0 and if aux is 0.
(Already seen on machines in the University ...)
Fixes#269
With this patch the 'GNU Project Debugger' (GDB) can be built for Noux.
The included run script connects GDB and GDB monitor via a cross-link
terminal and allows interactive source-level debugging of the GDB monitor
test application on Genode.
Fixes#280.
This patch implements the 'readv()' function in the libc.
A lock guard prevents the parallel execution of either or both of the
'readv()' and 'writev()' functions.
Fixes#279.
This patch implements the 'pread()' and 'pwrite()' functions in the libc.
A lock guard prevents the parallel execution of either or both functions.
Fixes#278.
Increase size of block session backing store so it can handle maximum supported
packet size. Synchronize client threads during packet allocation.
Fixes#276
The line-status register has two relevant status bits - transmitter-hold
register empty and data-hold register empty - from which only the THR is
relevant as it signals new character can be written to the device.
Fixes#281
Setting the handler for SIGCHLD to SIG_IGN (ignore) informs the kernel
not to enter the zombie state: (man 2 wait)
POSIX.1-2001 specifies that if the disposition of SIGCHLD is set to
SIG_IGN or the SA_NOCLDWAIT flag is set for SIGCHLD (see
sigaction(2)), then children that terminate do not become zombies
[...]
Fixes#271.
This patch sets the default document type in the "File save" dialog to
HTML and makes both the "File open" and "File save" dialogs enter the "/"
directory by default.
Fixes#274.
The block test at test/ahci is indeed not AHCI-specific. It is a generic
block read/write test for the block-session interface. But in contrast
to the original test/block, it restores the block device content (at
least when the test succeeds). Hence, we remove the original (dangerous)
block test and always use code of test/ahci.
The new SD card driver at 'os/src/drivers/sd_card/omap4' allows the use
of an SD card with the Pandaboard as block service. Currently, the
driver is using PIO, no DMA, and no IRQs. The driver can be tested using
the 'os/run/sd_card.run' script.
Rm_client is derived from Pager_object. If the Pager_object is also
derived from Thread_base (which is the case for NOVA) then the
Rm_client object must be destructed without holding the rm_session_object
lock. The native platform specific Thread_base implementation has to take
care that all in-flight page handling requests are finished before
destruction. On NOVA it is done by doing an IPC to the pager thread.
(performed in Pager_object::dissolve() in base-nova). The
called thread than executes its operation until end which also requires
in some cases to take the rm_session_object lock.
Since _client_slab insertion/deletion also must be performed
synchronized but can't be protected by the rm_session_object lock
because of the described dead_lock situation, we have
to use a synchronized allocator object to perform insertion and
deletion of Rm_clients.
Following deadlock happens when a Rm_client/Pager_object handles a page-fault
and concurrently the same object is dissolved (triggered by parent killing
the client).
The situation is as follows:
Page fault handling :
base-nova/src/base/pager/pager.cc : pf_handler() - lock pf_lock
base/.../core/rm_session_component.cc: pager() - lock rm_session
(in reverse_lookup())
Dissolve of Rm_client:
base/src/core/rm_session_component.cc: dissolve() - lock rm_session
base-nova/src/base/pager/pager.cc : dissolve() - lock pf_lock
The pf_lock is not required here during normal page fault handling,
since this pager object @NOVA is executed only by one and the same
thread and all critical operations inside the rm_session_object itself
are locked anyway. The only critical point is the destruction of the
Pager_object which is already handled in the both dissolve functions
of the rm-session_component (locking) and the pager_object (finalize
in-flight page faults).
Allocate exc_pt_sel inside Thread_base object
instead of pager object, since it is a thread
specific characteristic.
Same for freeing of the thread capabilities:
- ec, sc, rs, exc_pt_sel is thread specific
and has nothing to do in server nor pager object.
The invalid thread is specified as 0,0,-1 (ec cap, sc cap, sem cap).
The main thread is specified as 0,0,0.
The comparator identified "tid_main == tid_invalid" as equal,
which is obviously wrong.
The patch compares at least ec and sem cap.
Use semaphore down feature of NOVA to set the counter to zero.
If the semaphore was up()ed more than one time by impatient callers
(e.g. guys calling cancel_blocking) we make sure that the thread
really stops.
Don't allocate ec cap twice, in pager.cc and thread_start.cc.
Unmap of utcb has to be done in destructor of thread class, not
in pager class. Free capability selectors of ec and rs.
Invoke cancel_blocking before calling the
cleanup portal of the rpc_entrypoint. If a rpc_entrypoint
is blocked in a semaphore the cleanup call gets
stuck forever.
If nobody is blocked in a semaphore, nothing can be dequeued. If
the semaphore is used for signalling, there can be somebody in the queue,
but not necessarily.
This patch replaces the first attempt to resolve the ambiguity of using
the size_t type that occurred when 'loader_session.h' was included
alongside libc headers. Instead of explicitly qualifying each occurrence
of the type, the new solution defines 'size_t' within the 'Loader' namespace.
Fixes#253
The CML2 configuration system calls 'evn python' and expects version
2.x. So we check if python2 is installed when preparing Pistachio and
use the found version instead.
Fixes#264.
Some type size tests in the findutils source code expect the 'time_t' type
to be of the same size as the 'long' type, whereas the Genode libc defines
it as '__int64_t' for ARM. This patch disables these tests.
Fixes#262.
Eliminate prints to stderr for normal messages, because it leads to exceptional
returns in TCL-scripts e.g. when run-script is triggered by the autopilot even
if the script's return code itself will be zero.
In the create_builddir script the foc_x86_64 platform was missing
when adding x86-drivers to the etc/build.conf file. This lead to
failed run-scripts initiated by the autopilot tool.
The compiler complained about ambigous references when compiling a
lx_hybrid program using the loader session. Here are some error
messages:
genode/os/include/loader_session/loader_session.h:72: error: reference to 'size_t' is ambiguous
/usr/lib/gcc/i486-linux-gnu/4.4.5/include/stddef.h:211: error: candidates are: typedef unsigned int size_t
genode/base/include/base/stdint.h:25: error: typedef unsigned int Genode::size_t
genode/os/include/loader_session/loader_session.h:72: error: reference to 'size_t' is ambiguous
/usr/lib/gcc/i486-linux-gnu/4.4.5/include/stddef.h:211: error: candidates are: typedef unsigned int size_t
genode/base/include/base/stdint.h:25: error: typedef unsigned int Genode::size_t
...
This commit qualifies size_t using the Genode namespace which fixes
the compilation.
Make pxe optional and use by default grub.
For that to work we use objcopy to repack the elf64
file into elf32.
With this commit more tests succeed. Most
tests use 64M and with that pulsar even does not start
the hypervisor. With 96M more test run however that would
mean to adjust most of the run scripts ...
Without this patch the compilation failed with:
/usr/bin/ld: main.o: relocation R_X86_64_32S against
`vtable for Genode::Dataspace' can not be used when making a shared object;
recompile with -fPIC
main.o: could not read symbols: Bad value
collect2: ld returned 1 exit status
make[6]: *** [init] Error 1
For this patch the use of the hardening tool chain must be indicated
using the "hardening_tool_chain" SPECS entry within the file
<build>/etc/specs.conf
Fixes#79
Check that there is enough room for a typed item on the
UTCB. Otherwise deny to add the item and return false.
Enable explicitly a return unused warning to get the right
attention.
The UTCB of the thread cleaning up thread objects has been unmapped.
However the UTCB of the destroyed thread must be unmapped.
Objects must explicitly be made unreachable before cleaning up. The
server and pager objects must be unreachable before they can be freed.
Both object types are threads. Revoking the thread(EC) cap on NOVA
doesn't mean that the thread stops executing. All portals pointing to a
thread are still reachable by clients even if the last EC cap is gone in
user land. So it must be taken care that no portals are pointing anymore
to a thread when the associated objects are getting destroyed. This
commit handles this.
Additionally, even if the last portal is gone - there can be still an
ongoing request handled by such server/pager object/threads. For each
such object an additional portal is created. This object is called
'cleanup portal' and is only local to the object. After all portals are
revoked the cleanup portal is called. When the call returns we know that
nobody is anymore handled by the object since all remotely available
portals are gone.
Fixes#20
Use git to get recent kernels from github. Adjust NOVA patch to compile
with recent github version. Patch and use makefile of NOVA microkernel
to avoid duplicated (and outdated) makefile in Genode
Furthermore, this patch adds support for using NOVA on x86_64. The
generic part of the syscall bindings has been moved to
'base-nova/include/nova/syscall-generic.h'. The 32/64-bit specific
parts are located at 'base-nova/include/32bit/nova/syscalls.h' and
'base-nova/include/64bit/nova/syscalls.h' respectively.
On x86_64, the run environment boots qemu using the Pulsar boot loader
because GRUB legacy does not support booting 64bit ELF executables.
In addition to the NOVA-specific changes in base-nova, this patch
rectifies compile-time warnings or build errors in the 'ports' and
'libports' repositories that are related to NOVA x86_64 (i.e., Vancouver
builds for 32bit only and needed an adaptation to NOVAs changed
bindings)
Fixes#233, fixes#234
In 'Fs_file_system::open()' the call of '_fs.dir()' can throw a
'File_system::Lookup_failed' exception, which gets explicitly caught
with this patch.
Fixes#246.
This patch adds a new "terminal" file system type to Noux, which allows to
create a "character device" file that is connected to a Genode 'Terminal'
service.
The 'Terminal' session created by the file system has the label
"noux(terminal_fs)" to distinguish it from the 'Terminal' session
created by Noux itself.
Fixes#244.
This patch extends the RAM session interface with the ability to
allocate DMA buffers. The client specifies the type of RAM dataspace to
allocate via the new 'cached' argument of the 'Ram_session::alloc()'
function. By default, 'cached' is true, which correponds to the common
case and the original behavior. When setting 'cached' to 'false', core
takes the precautions needed to register the memory as uncached in the
page table of each process that has the dataspace attached.
Currently, the support for allocating DMA buffers is implemented for
Fiasco.OC only. On x86 platforms, it is generally not needed. But on
platforms with more relaxed cache coherence (such as ARM), user-level
device drivers should always use uncacheable memory for DMA transactions.
When creating a 'Child' object with an already active entrypoint,
session requests may arrive as soon as the '_process' is created. We
have to make sure that at least all parts of the 'Child' object needed
for serving 'session' requests are constructed. This is particularly
important for the '_policy' member.
The sysio's struct fields need to be properly set on each syscall. This
fixes a bug where the wrong fd is used after the first sendto syscall.
Also the minimal buffer size calculation uses the wrong size.
Fixes#235.
When sigma0 runs on a lower priority than the rest of the threads in the
system it might come to the point that while answering a page fault or
I/O memory area request the timeslice of the caller (core-pager) gets
fully consumed. As long as other threads are still executable and don't block
sigma0 won't do progress anymore, because it runs at the lowest priority.
This commit simply sets sigma0's priority to the highest in the system.
When invoking the bootstrap build in the L4RE build-system to create
a single elf-image containing all needed files to boot a scenario, don't
use the 'ENTRY' variable, but 'E' variable instead. Otherwise 'ENTRY'
might get overridden (dependent on the make-version). Moreover, using
'E' seems to be the way L4Re is expecting it has to be invoked.
Fixes#226
We are using bison to generate certain files when preparing the libc.
However the yacc(1) wrapper script is used instead of calling bison
directly which does not work if bison is not installed but the original
yacc(1).
Fixes#225. Fixes#227.
When core requests all RAM from sigma0 it normally unmaps page 0 so that
null-pointer dereferences are detected by a pagefault. The unmap syscall
in the Fiasco.OC base platform was used insufficiently in this particular
case.
2012-05-30 11:36:34 +02:00
2884 changed files with 112363 additions and 40643 deletions
* This file is part of the Genode OS framework, which is distributed
* under the terms of the GNU General Public License version 2.
Some files were not shown because too many files have changed in this diff
Show More
Reference in New Issue
Block a user
Blocking a user prevents them from interacting with repositories, such as opening or commenting on pull requests or issues. Learn more about blocking a user.
