The nic_router component can be used to individually route IPv4 packets
between multiple NIC sessions. Thereby, it can translate between
different IP subnets. The component supports port forwarding, as well as
the partitioning of the TCP and UDP port spaces.
Fixes#114
A run script to demonstrate the combination of the cpu_sampler, fs_log,
ram_fs and noux components for saving the sampled data in files and
accessing these in a Noux environment. When the script is run by the
autopilot, it will check if one of the generated sample data files
contains the correct instruction pointer. When the script is run
interactively, the generated files can be accessed from a Noux Bash shell.
Fixes#2078
In other contexts (IPv4) 'calc_checksum' merely returns a new checksum that is
then installed via 'checksum'. Thus, the UDP 'calc_checksum' that calculates AND
installs a new checksum is misleading.
Ref #114
Both, client and server now read their IP config from their Genode config.
Furthermore, the client now waits 4 instead of 2 seconds before sending the
first request to prevent connection fails in tests with a slow startup. The
client truncates its packet dump for better readability.
Ref #114
This patch adds the missing exception handling for depleted RM session
quotas. If core runs out of session quota while creating a new region
map, it now reflects this condition as a Region_map::Out_of_metadata
exception to the RM client. Thanks to Denis Huber for reporting the
issue!
The '--autopilot' option makes it possible for a run script to detect if
it is being executed by the autopilot by
if { [get_cmd_switch --autopilot] } { ... }
In that case, the run script could do an automated test, whereas the
test could be interactive when run without this option.
Fixes#2076
The new parameter specifies the additional timeout duration in seconds
which is incurred by AMT log processing, e.g. time spent waiting for the
system to boot.
Although the driver makes no use of interrupts it references Irq_handler
for unknown reasons. Moreover, this commit eliminates the lock that is
not necessary anymore, because the driver now runs single-threaded.
Ref #2072
* Unify uart drivers of different hardware drivers
* Remove deprecated IRQ activations
* Remove additional timer thread in Fiasco* KDB driver
* Move more generic UART definitions to specific supported
platforms (e.g.: pl011 -> pbxa9)
* Move internal definitions from global to local headers
Ref #1987Fix#2071
Use a seperate handle at each session.
Use SEEK_TAIL to append messages to files.
Increase packet buffer.
Refactor to component framework.
Fixes#1777
Issue #2060
This patch revives our ds_ownership test from 2012, which just revealed
a regression in core where the dataspace-free operation of the RAM
service would unconditionally destroy dataspace objects from foreign
sessions. The patch fixes the bug and adds an updated version of the
test to the autopilot.
Fixes#2065
The main feature for this version upgrade is the use of the instruction
emulator (IEM) to speed up execution and less often the slow recompiler.
issue #2059
Besides adapting the components to the use of base/log.h, the patch
cleans up a few base headers, i.e., it removes unused includes from
root/component.h, specifically base/heap.h and
ram_session/ram_session.h. Hence, components that relied on the implicit
inclusion of those headers have to manually include those headers now.
While adjusting the log messages, I repeatedly stumbled over the problem
that printing char * arguments is ambiguous. It is unclear whether to
print the argument as pointer or null-terminated string. To overcome
this problem, the patch introduces a new type 'Cstring' that allows the
caller to express that the argument should be handled as null-terminated
string. As a nice side effect, with this type in place, the optional len
argument of the 'String' class could be removed. Instead of supplying a
pair of (char const *, size_t), the constructor accepts a 'Cstring'.
This, in turn, clears the way let the 'String' constructor use the new
output mechanism to assemble a string from multiple arguments (and
thereby getting rid of snprintf within Genode in the near future).
To enforce the explicit resolution of the char * ambiguity, the 'char *'
overload of the 'print' function is marked as deleted.
Issue #1987
Core on seL4 is configured to run on native hardware, so some static
allocators are bit over dimensioned. Some run scripts fail on qemu because
solely 64M are available in the system - adjust the affected scripts.
Issue #2044
The initial support reports TouchPointPressed, TouchPointMoved, and
TouchPointReleased for multiple touch points, but is currently only
tested with widgets not leveraging multi-touch events. In other words, I
made sure synthetic mouse events are generated properly when using touch
screens.
We now always run the input_merger as Input service provider and
configure backends suitable for the used platform. On x86 hardware, we
enable both, PS/2 and USB HID.
Required to boot on hardware. The fragmentation is such unfortunate with the
old allocator that alloc() will throw an exception during very early core boot
phase.
Issue #2044
- disable iommu
- increase root_cnode further for native boot
- support vesa driver on native hardware
- don't mask edge triggered ioapic irqs
- increase various allocators to get noux_tool_chain_* booting natively
Issue #2044
That seems nowadays the right place in order to tell the caller that the
thread couldn't be completely constructed. The return value false of
bind_thread causes in Cpu_thread_component the throwing of
Thread_creation_failed.
thread.run now passes
pthread.run now passes
Issue #2044
Additionally, exclude boot-module from page_table_registry. Core does not use
the boot-modules inside core.
Adding it otherwise to the registry will use up the meta data allocator of
the page_table_registry in core in scenarios with lot of boot modules,
e.g. noux and friends.
Issue #2044
- adjust syscall bindings to support -fPIC
- read serial i/o ports from BIOS data area
- use autoconf.h provided by sel4
-- to avoid ambiguity between sel4 kernel and user libraries
-- remove manual set defines
- remove debug messages
- increase user virtual area to 3GB
Issue #1720
Issue #2044
and show some message about. On sel4 sometimes exceptions are thrown and no
message is shown, it just seems to hang. With this patch at least you get
an idea that something bad happened.
Issue #2044
- remove special handling from base-nova
- add to rpc_server where it actually should be applied to
- required to work for sel4 cancel_blocking
Issue #2044
Now, we support multi-touch devices generating multi-touch events and
absolute-pointer devices simultaneously with multitouch="yes". Still,
multitouch="no" generates emulated absolute-pointer events for
multi-touch devices.
Add option to load the initial overlay*.vdi from disk, but keep the changes
in a ram_fs.
Used with AHCI model for vbox_auto_win7. Currently we have no way to tell
rump_fs to unmount and write back data to disk before resetting the machine.
On MVM only the initial scanning of APs works. If wpa_supplicant changes
from triggered scans to the scheduled-scanning hardware feature no
further scan results are reported. Therefore, we disable the
scheduled-scanning hardware feature until the issue is fixed.
Issue #2046
When running the same kernel in a VM as on the host system and the
kernel boot message from the VM appears on the log output, the run tool
assumes that the host machine has rebooted unexpectedly. With this
commit, an unexpected reboot is assumed only if the kernel boot message
appears at the beginning of a line. On base-hw, we enforce a line feed
at the beginning of the boot message as the SPIKE emulator log starts
with the first message of the kernel lacking a line feed.
Fixes#2041
Thread stacks with less than 4K usable space are insufficient for our
implementation of Linux exception signal handling. If such a unusually
small stack overflows the SIGSEGV handler will not be able to print the
diagnostic message leaving no hint of the cause of the stuck process.
The linker scripts are known to reside in BASE_DIR. By using them
directly from this location instead of searching them in the
REPOSITORIES, we don't need to specify the repos/base as a repository in
order to link.
This patch handles x86_32 and x86_64 separately since this is the SPEC
value directly supplied to the package build tool. This way, we achieve
that a CROSS_DEV_PREFIX is defined for each supported argument.
This patch equips the build system with the feature of building an
individual library with its dependencies by specifying the library
as 'LIB' argument. E.g., 'make LIB=libc' builds the libc.
This patch adds the methods 'sigh_ack_avail()' and
'sigh_ready_to_submit()', which are needed to build asynchronously
operating file-system clients.
Fixes#2023
Those headers implement a platform-specific mechanism. They are never
used by components directly.
This patch also cleans up a few other remaining platform-specific
artifact such as the Fiasco.OC-specific assert.h.
Issue #1993
Conveying the ROM filename as the final label element simplifies
routing policy and session construction.
Annotations by nfeske:
This commit also changes the ROM session to use base/log.h instead of
base/printf.h, which produced build error of VirtualBox because the
vbox headers have a '#define Log', which collides with the content of
base/log.h. Hence, this commit has to take precautions to resolve this
conflict.
The commit alse refines the previous session-label change by adding a
new 'Session_label::prefix' method and removing the use of 'char const *'
from this part of the API.
Fixes#1787
Session_label constructor now takes a bare string rather than a
serialized argument buffer.
Replace all instances of previous constructor with 'label_from_args'
function.
Issue #1787
This patch establishes the sole use of generic headers across all
kernels. The common 'native_capability.h' is based on the version of
base-sel4. All traditional L4 kernels and Linux use the same
implementation of the capability-lifetime management. On base-hw, NOVA,
Fiasco.OC, and seL4, custom implementations (based on their original
mechanisms) are used, with the potential to unify them further in the
future.
This change achieves binary compatibility of dynamically linked programs
across all kernels.
Furthermore, the patch introduces a Native_capability::print method,
which allows the easy output of the kernel-specific capability
representation using the base/log.h API.
Issue #1993
This patch alleviates the need for a Native_capability::Dst at the API
level. The former use case of this type as argument to
Deprecated_env::reinit uses the opaque Native_capability::Raw type
instead. The 'Raw' type contains the portion of the capability that is
transferred as-is when delegating the capability (i.e., when installing
the parent capability into a new component, or when installing a new
parent capability into a new forked Noux process). This information can
be retrieved via the new Native_capability::raw method.
Furthermore, this patch moves the functions for retriving the parent
capability to base/internal/parent_cap.h, which is meant to be
implemented in platform-specific ways. It replaces the former set of
startup/internal/_main_parent_cap.h headers.
Issue #1993
The static 'Thread::mystack()' function returns the stack boundaries of
the calling thread. It is useful when a thread uses a diffent stack than
the primary one.
Fixes#2037
When calling 'connect()' in nonblocking mode and the connection has been
established, don't call 'tcp_connect()' again, which would trigger an
assertion with the message 'tcp_connect: can only connect from state
CLOSED'.
Fixes#2039
In addition to modernizing the component now also supports using
empty RAM dataspace as backing store.
For example to use an ISO file the component has to be configured
as follows:
! <config file="image.iso" block_size="2048"/>
To use a empty RAM dataspace that is 256MiB large and has a block
size of 4KiB the configuration looks like this:
! <config size="256M" block_size="4096"/>
Either 'size' or 'file' has to specified. If both are declared the
'file' attribute is soley evaluated.
Issue #1987.
Fixes#2031.
Use quota large enough so that the USB driver does not attempt to
request further memory. On the Raspberry Pi, init has no slack memory
to respond to such a request.
Pass both paths, absolute path to the mount point and the relative path
from the mount point to the file, along with an open handle rather than
just an absolute path. Otherwise, fstat fails if the addressed file is
implemented by another VFS plugin.
Fixes#1789
Move Genode/vbox memory configuration check to separate
genode_check_memory_config() function and call it in platform-specific
setup machine hook of accloff/nova.
The rationale for this change is to omit the check on Muen since the
guest memory is separate and not allocated from base-hw memory.
Issue #2016
Write tick count of next kernel timer to the guest timed events page if
present. This causes the guest VM to be preempted at the requested tick
count and ensures that the guest VM can not monopolize the CPU if no
traps occur.
The base-hw kernel expects a configured switch-event from the guest VM
to base-hw with ID 30 and target vector 32 to be present in the system
policy.
Issue #2016
Switch kernel timer driver to timed event interface. The base-hw kernel
expects a configured self-event with ID 31 and target vector 32 to be
present in the system policy.
ssue #2016
Add call to genode_setup_machine prior to machine registration in
frontend machine setup code. This enables platform-specific adjustments
to the machine instance.
The new function is used on hw_x86_64_muen to clamp the processor count
to 1 as multiple virtual CPUs are not supported on this platform.
Issue #2016
* Implement VMMR0_DO_VMMR0_INIT operation for Muen
- Indicate VT-x support
- Enable unrestricted guest mode
- Set CR[0|4] mask to enable masking of guest CR0.[NE,NW,CD] and
CR4.VMXE bits.
* Implement VMMR0_DO_GVMM_CREATE_VM on Muen
Return error if trying to create SMP VM as VMs with multiple CPUs are
currently not supported on hw_x86_64_muen.
* Add Muen-specific Mem_region type
On hw_x86_64_muen the guest memory layout is static, thus regions are
handed out from an array of memory regions.
Use sinfo API to calculate the base address of the VM RAM physical
0x0 region. This allows to dynamically modify the VM RAM size by
adjusting the Muen policy and Genode vbox files accordingly.
Zeroize all memory regions apart from VM Ram since Virtualbox expects
these regions to be cleared.
* Add Muen subject state struct
The subject state encompasses the guest VM machine state that is
transfered between Virtualbox and hardware accelerated execution on
Muen.
* Add Muen-specific Vm_handler class
* Use Vm_handler to run VM
* Instruct recompiler to flush its code cache
* Copy the Muen subject state to/from the Vbox PCPUMCTX.
* Use the VM interruptibility state to inform the recompiler whether
interrupts are currently inhibited.
* Explicitly handle control register access
If a VM-exit occurs due to a control register access, handle it and
directly continue hardware accelerated execution of guest VM.
Note: On NOVA control register accesses are handled by the kernel [1].
[1] - https://github.com/alex-ab/NOVA/blob/master/src/ec_vmx.cpp#L106
* Reset guest interruptibility state
Assert that interrupts are not inhibited in the Virtualbox machine
state and clear Blocking-by-[STI|MOV to SS] guest interruptibility
flags prior to running a guest VM in hwaccel mode.
* Set return code depending on exit reason
Do not unconditionally emulate the next instruction on VM exit. This
makes sharing the VM FPU state with Virtualbox unnecessary, as FPU
instructions are not emulated by the recompiler any longer.
Also, assert that the FPU has not been used by the recompiler
* Inject pending guest VM interrupts on Muen
Use mapped subject pending interrupts page of guest VM to perform
interrupt injection. IRQs are transferred from the Virtualbox trap
manager state to the pending interrupts region for injection. If an
IRQ remains pending upon returning to the recompiler, it is copied
back to the trap manager state and cleared in the subject interrupts
region.
* Inform recompiler about changed SYSENTER_[CS|EIP|ESP] values,
otherwise values set while running the guest VM hardware accelerated
may get lost.
* Implement genode_cpu_hz() on Muen
Determine the CPU frequency dynamically using the sinfo API.
Issue #2016
* The Vm thread is always paused and on exception to make sure that guest VM
execution is suspended whenever we handle an interrupt. Also signal the Vm
session to poke waiting threads (e.g. Virtualbox EMT).
* Implement Vm::proceed
Switch to the mode transition assembly code declared at the _vt_vm_entry
label.
Issue #2016
The entry enables interrupts and initiates a handover to the guest VM by
invoking event number one. The sti instruction is placed at the start to
allow exits to Muen before handing off to the VM if window exiting is
requested.
Issue #2016
The virtual PCI model delivers IRQs to the PIC by default and to the
IOAPIC only if the guest operating system selected the IOAPIC with the
'_PIC' ACPI method and if it called the '_PRT' ACPI method afterwards.
When running a guest operating system which uses the IOAPIC, but does
not call these ACPI methods (for example Genode/NOVA), the new
configuration option
<config force_ioapic="yes">
enforces the delivery of PCI IRQs to the IOAPIC.
Fixes#2029
The alternate stack must use the stack area as, e.g., Thread::myself()
depends on this property. Hybrid components do not depend on this
property and, therefore, use a static stack buffer.
Fixes#1935
* Align pitch value to 64 byte (thanks to cnuke for investigation)
* Get rid of extra dataspace retrival and attachment, now that we always buffer
* Consistently name all lx_emul helpers: lx_* (get rid of dde*)
* Add missing file headers
Fix#1997
Instead of providing a buffer to the client and blitting from that
to the "real" framebuffer as an option, with this commit we always do so.
Thereby its possible to immediately destroy the old framebuffer used by
hardware when a configuration change is done, and a new framebuffer
is used. This also simplifies the modesetting.
Moreover, this commit fixes an issue when not using the connector reporting.
Until now the initial mode detection of connectors was only done when
the report was created. this is a regression that entered the driver
when upgrading to the recent Linux kernel version.
Ref #1997
Use new env, component and logging frameworks.
Sync file system and block device on component entrypoint.
Support for 'root' session argument.
Increase Rump open file descriptor limit.
Issue #1987Fixes#2011
* remove all 'Genode::env()' calls
* use attached roms to read configuration
* use compoenent framework
* remove all PDBG, PINF, PWRN macros
Issue #1987Fixes#2019
* use Component::* instead of Server::*
* do not use old printf format anymore
* do not use old Genode::env()->heap() anymore
* avoid pointers where possible, and use references instead
* throw away the thread-safe variants of list and AVL tree,
nic_bridge became single-threaded in the past
* introduce Ram_session_guard instead of Allocator_guard
Issue #1987
- platform_drv announces a separate "Acpi" session
- platform_drv waits for ROM "system" to change state to "acpi_ready"
- acpica waits for "Acpi" announcement
- acpica uses the platform driver via "Acpi" to reconfigure PCI devices
- acpica changes "system" state to "acpi_ready" after it ready with initialization
- platform_drv reacts on "system" state change to "acpi_ready" by announcing "Platform" session
- drivers start to operate as usual
Issue #2009
This patch introduces the Genode::raw function that prints output
directly via a low-level kernel mechanism, if available.
On base-linux, it replaces the former 'raw_write_str' function.
On base-hw, it replaces the former kernel/log.h interface.
Fixes#2012
This is a follow-up commit to "slab: throw exception if initial
allocation fails". It is needed because on seL4, the PD session quota is
used as backing store for the meta data of the PD's virtual memory. For
this reason, PD sessions on seL4 require more session quota compared to
the other kernels. Apparently, the default quota is too scarce to
complete the PD-session construction. By shrinking the number of
supported page-table entries, we reduce the size of the PD session
component so that the creation succeeds.
Issue #1983
Replace 'attribute(...).has_value("yes")`
with 'attribute_value(..., false)'.
This allows for boolean configuration to be set with values such as
"true", "false", "yes", "no", or "1", "0".
Fixes#2002
A configuration policy must match against a policy node label,
label_prefix, or label_suffix atttribute. A fallback to
<default-policy/> is provided as a label wildcard.
Fixes#1901
The sinfo function declared in sinfo_instance.h creates a static sinfo
object instance and returns a pointer to the caller.
- kernel timer and platform support to use sinfo() function to
instantiate sinfo object
- address and size of the base-hw RAM region via the sinfo API
- log_status() function in sinfo API
To circumvent problems on platforms with shaky hotplug interrupt notification
introduce a "poll" configuration option to the driver, which enables
polling for connector changes.
Fix#2004
The whole XML comment has to be parsed as one XML tag to support strange
but valid combinations like
<!---->
<!--invisible-tag></invisible-tag-->
Fixes#1424
The vanilla 'schedule_timeout()' Linux function expects a relative
timeout value. The first implementation of the wifi_drv, however, used
an absolute timeout value. This mismatch was overlooked when the
lx_kit, which adheres to the vanilla Linux semantics, was incoporated
in the driver.
Fixes#1990.
Instead of introducing a $(BASE_HW_DIR) variable that has to be defined in each
core makefile for the different base-hw targets, this commit replaces the
$(REP_DIR) variable usage in core.inc files with $(BASE_DIR)/../base-hw.
Ref #1955
Quota_exceeded message are of no use during session construction, since
the arguments of the ram_quota are used and no upgrade can take place (the
session construction failed and is so not available for upgrade)
Fixes#1983
Allocating a packet in the packet stream without a payload is not
allowed. Therefore we have to allocate CTRL message packets, that do
not have a payload, with a bogus length instead.
Directory_service::leaf_path returns a pointer offset from its argument
so pass member data rather than a constructor argument to leaf_path.
Issue #1775
This is an interim fix for solving the quota leakage problem of
the platform driver on x86 platforms. To properly fix that problem
one has to track which dataspaces where created by the platform driver,
so that freeing the dataspace and reversing the quota transfer is done
on correct dataspaces only.
Refer #1980
This patch removes the outdates doc/architecture.txt since the
topics are covered by the book. We keep repos/os/doc/init.txt
because it contains a few details not present in the book (yet).
The patch streamlines the terminology a bit. Furthermore, it
slightly adjusts a few source-code comments to improve the book's
functional specification chapter.
Instead of passing on the Noux 'config' ROM dataspace to child processes,
provide a separate configuration for each Noux child, which is either
'<config/>' or '<config ld_verbose="yes"/>', depending on the
configuration of this attribute for the Noux process. This is also a
workaround to prevent multiple insertion of the same 'config' ROM
dataspace capability into the dataspace registry.
Issue #1978
* Adds public timeout syscalls to kernel API
* Kernel::timeout installs a timeout and binds a signal context to it that
shall trigger once the timeout expired
* With Kernel::timeout_max_us, one can get the maximum installable timeout
* Kernel::timeout_age_us returns the time that has passed since the
calling threads last timeout installation
* Removes all device specific back-ends for the base-hw timer driver and
implements a generic back-end taht uses the kernel timeout API
* Adds assertions about the kernel timer frequency that originate from the
requirements of the the kernel timeout API and adjusts all timers
accordingly by using the their internal dividers
* Introduces the Kernel::Clock class. As member of each Kernel::Cpu object
it combines the management of the timer of the CPU with a timeout scheduler.
Not only the timeout API uses the timeout scheduler but also the CPUs job
scheduler for installing scheduling timeouts.
* Introduces the Kernel::time_t type for timer tic values and values inherited
from timer tics (like microseconds).
Fixes#1972
To avoid the need for adapting the names of the core restricted syscalls
each time we add a public syscall (restricted names must always be
greater than public names), let restricted syscall names simply start at
100 (we should never have more than 100 public syscalls).
Ref #1972
Building a kernel test produced an error about a missing config
apparently because of recent changes in the run tool. So, we add
a dummy XML node as config.
Ref #1972
Evaluate fadt xml node in report from acpi_drv. If the io ports in the range
of 0xcf8+4 are necessary for the reset than the platform driver will
react on the 'system' state 'reset' and reboot.
Issue #1962
Will be/can be used by the platform driver to reset the machine, iif the
platform driver owns the resources, e.g. the I/O ports of PCI config access.
Issue #1962
The modular lx_kit seperates the required back end functionality of the
Linux emulation environment from the front end. Thereby each driver can
reuse specific parts or supply more suitable implementations by itself.
It is used to reduce the amount of redundant code in each driver.
The lx_kit is split into several layers whose structure is as follows:
The first layer in _repos/dde_linux/src/include/lx_emul_ contains those
header files that provide the structural definitions and function
declarations of the Linux API, e.g. _errno.h_ provides all error code
values. The second layer in _repos/dde_linux/src/include/lx_emul/impl_
contains the implementation of selected functions, e.g. _slab.h_
provides the implementation of 'kmalloc()'. The lx_kit back end API is
the third layer and provides the _Lx::Malloc_ interface
(_repos/dde_linux/src/include/lx_kit/malloc.h_) which is used to
implement 'kmalloc()'. There are several generic implementations of the
lx_kit interfaces that can be used by a driver.
A driver typically includes a 'lx_emul/impl/xyz.h' header once
directly in its lx_emul compilation unit. The lx_kit interface files
are only included in those compilation units that use or implement the
interface. If a driver wants to use a generic implementation it must
add the source file to its source file list. The generic
implementations are located in _repos/dde_linux/src/lx_kit/_.
The modular lx_kit still depends on the private _lx_emul.h_ header file
that is tailored to each driver. Since the lx_kit already contains much
of the declarations and definitions that were originally placed in
these private header files, those files can now ommit a large amount
of code.
Fixes#1974.
In addition to updating the contrib sources the driver now uses the
new Component API and will report the internal mixer state.
Reporting of the mixer state is enabled by adding the 'report_mixer'
attribute to the drivers configuration and setting its value to 'yes'.
The following snippets illustrates the format of the report:
!<mixer_state>
! <mixer field="inputs.beep" value="108"/>
! <mixer field="outputs.hp_sense" value="plugged"/>
! <mixer field="outputs.master" value="128,128"/>
! <mixer field="outputs.mic_sense" value="unplugged"/>
! <mixer field="outputs.spkr_muters" value="hp,mic"/>
!</mixer_state>
The mixer state may expose other mixer fields as well, depending on the
used sound card. The naming scheme of the attributes intentionally
matches the naming scheme of OpenBSD's mixerctl(1) program.
Each 'mixer' node can be used to configure the audio driver by using it
in its configuration, e.g.:
!<config report_mixer="yes">
! <mixer field="outputs.master" value="255,255"/>
!</config>
This configuration will set the output volume to the highest possible
value. Although it is now also possible to update the configuration
at run-time it should not be done while the driver is currently playing
or recording because it may provoke the generation of artefacts.
Fixes#1973.
We do not ensure that the Fpu::Context is 16-byte aligned and,
therefore, should not tell the compiler that we did. Otherwise, the GCC
may optimize operations regarding the addresses of members as it did for
if ((addr_t)_fxsave_area & 0xf) ...
With the declared 16-byte alignment the condition will never become
true.
- add a new function 'binary_ready_hook_for_gdb()' in ldso. GDB can set a
breakpoint at this function to know when ldso has loaded the binary
into memory.
- get the thread state from the NOVA kernel immediately on 'pause()'
Fixes#1968
This patch moves the thread operations from the 'Cpu_session'
to the 'Cpu_thread' interface.
A noteworthy semantic change is the meaning of the former
'exception_handler' function, which used to define both, the default
exception handler or a thread-specific signal handler. Now, the
'Cpu_session::exception_sigh' function defines the CPU-session-wide
default handler whereas the 'Cpu_thread::exception_sigh' function
defines the thread-specific one.
To retain the ability to create 'Child' objects without invoking a
capability, the child's initial thread must be created outside the
'Child::Process'. It is now represented by the 'Child::Initial_thread',
which is passed as argument to the 'Child' constructor.
Fixes#1939
These warnings are triggered by requests either using byte offsets or
reading a number of bytes that is not a multiple of the block size as
well as by components using the plugin with a different block size than
the backend block session provides.
Fixes#1964.
Adjust IRTE_COUNT to specify the number of IRTEs and not the index of
the last IRTE entry. This fixes an off-by-one error in the toggle_mask()
function, where the range check for I/O APIC IRQs wrongly ignored IRQ
23.
The custom version merely differs from the generic one with respect to
the session quota. Since we support the dynamic upgrading of sessions,
we don't need to provide the big amount (128KiB) defined by the custom
version.
This patch supplements each existing connection type with an new
constructor that is meant to replace the original one. The new
one takes a reference to the component's environment as argument and
thereby does not rely on the presence of the globally accessible
'env()' interface.
The original constructors are marked as deprecated. Once we have
completely abolished the use of the global 'env()', we will remove them.
Fixes#1960
The recent move of the initial three region maps into the PD session
breaks the noux.run test on Linux because the address spaces are locally
managed on this platform but the generic code of Noux still tries to
execute the regular procedure of creating the virtualized PD session for
a new Noux process. This patch handles a corner case that occurs on
Linux but no other platform. It enables the successful creation of the
virtualized PD session so that the test runs to completion. Still noux
on Linux remains to be limited to non-forking programs.
Issue #1938
All core.inc files now use $BASE_HW_DIR instead of $REP_DIR. The former
is defined by the core.mk file. This allows including core.inc files
from other repositories (e.g. genode-world) for additional platform
support.
Fixes#1955
Replace size_t by uint8_t in accessors for the IPv4 header fields
'version' and 'header_length' - uint8_t is the smallest integral type
for 4 bit of information. Note, as the _internet header length_ field is
defined to reflect the number of 32-bit words the header occupies, we
also stick to the specification with our accessor.
Issue #1915
The old implementation cleared all other bits in the SCU control
register when enabling the SCU, which broke the kernel startup on zynq-
based boards.
By only raising the enable bit, we can keep the initial/default state
e.g. as set up by uboot.
Fixes#1953
It turns out that the name function does not have much use in practice
except for naming the thread of the component's initial entrypoint. For
dynamically linked components, this thread is created by the dynamic
linker. It is named "ep" in these cases. Considering that we will
eventually turn all regular components into dynamically linked
executables, the additional information provided by the
Component::name() function remains unused. So it is better to not bother
the component developers with adding boilerplate code.
Now rlibs are actually linked to programs. Target files have been
modified to not generate code that requires compiler-rt. Added a target
for libstd-rust, but it's very broken right now. Moved alloc_system to
the libports folder because either a memory allocator needs to be
written in rust or posix_memalign needs to be implemented. Changed
liblibc to use freebsd as the OS instead of netbsd. Added a library with
unwind dummy functions.
Rust relies on atomic builtins, which are not implemented in libgcc for
ARM. One was implemented in rust, which was sufficient to get the
current rust test to run. Rust libs were added into the group of libs
for the linker so order no longer matters. The raspberry pi now uses an
armv6 target.
This patch cleans up the thread API and comes with the following
noteworthy changes:
- Introduced Cpu_session::Weight type that replaces a formerly used
plain integer value to prevent the accidental mix-up of
arguments.
- The enum definition of Cpu_session::DEFAULT_WEIGHT moved to
Cpu_session::Weight::DEFAULT_WEIGHT
- New Thread constructor that takes a 'Env &' as first argument.
The original constructors are now marked as deprecated. For the
common use case where the default 'Weight' and 'Affinity' are
used, a shortcut is provided. In the long term, those two
constructors should be the only ones to remain.
- The former 'Thread<>' class template has been renamed to
'Thread_deprecated'.
- The former 'Thread_base' class is now called 'Thread'.
- The new 'name()' accessor returns the thread's name as 'Name'
object as centrally defined via 'Cpu_session::Name'. It is meant to
replace the old-fashioned 'name' method that takes a buffer and size
as arguments.
- Adaptation of the thread test to the new API
Issue #1954
This patch moves the base library from src/base to src/lib/base,
flattens the library-internal directory structure, and moves the common
parts of the library-description files to base/lib/mk/base.inc and
base/lib/mk/base-common.inc.
Furthermore, the patch fixes a few cosmetic issues (whitespace and
comments only) that I encountered while browsing the result.
Fixes#1952
We report UNLINK_ERR_NO_PERM only for files in TAR archive, otherwise
UNLINK_ERR_NO_ENTRY is returned. This permits the arbitrary layering of
file systems with support for proper ENOENT reporting, for example,
when using 'rm -f non_existent_file' that aborts if EPERM is wrongly
reported.
Most slab allocators in core use a sliced heap as backing store. Since
sliced-heap allocations are performed at page-granularity, it is
sensible to dimension the slab blocks to fill whole pages.
This patch cleans up the implementation of the sliced heap, adds a
constructor that takes references instead of pointers, and adds the
function 'meta_data_size' to determine the meta-data overhead per block.
The latter can be used to dimension slab allocators such that slab
blocks use whole pages.
The original 'Env' interface as returned by 'Genode::env()' has been
renamed to 'Env_deprecated' and moved to deprecated/env.h. The new version
of base/env.h contains the interface passed to modern components that
use the component API via base/component.h.
Issue #1832
This patch makes the former 'Process' class private to the 'Child'
class and changes the constructor of the 'Child' in a way that
principally enables the implementation of single-threaded runtime
environments that virtualize the CPU, PD, and RAM services. The
new interfaces has become free from side effects. I.e., instead
of implicitly using Genode::env()->rm_session(), it takes the reference
to the local region map as argument. Also, the handling of the dynamic
linker via global variables is gone. Now, the linker binary must be
provided as constructor argument.
Fixes#1949
This patch replaces the former 'Pd_session::bind_thread' function by a
PD-capability argument of the 'Cpu_session::create_thread' function, and
removes the ancient thread-start protocol via 'Rm_session::add_client' and
'Cpu_session::set_pager'. Threads are now bound to PDs at their creation
time and implicitly paged according to the address space of the PD.
Note the API change:
This patch changes the signature of the 'Child' and 'Process' constructors.
There is a new 'address_space' argument, which represents the region map
representing the child's address space. It is supplied separately to the
PD session capability (which principally can be invoked to obtain the
PD's address space) to allow the population of the address space
without relying on an 'Pd_session::address_space' RPC call.
Furthermore, a new (optional) env_pd argument allows the explicit
overriding of the PD capability handed out to the child as part of its
environment. It can be used to intercept the interaction of the child
with its PD session at core. This is used by Noux.
Issue #1938
Since the dynamic linker depends on the XML utils and we plan to replace
the ancient 'Arg_string' with XML, it is time to move the 'Xml_node' and
'Xml_generator' to base/include.
We will eventually remove the delivery of the number of occurred signals
to the recipient. There haven't been any convincing use cases for this
feature. In the contrary, it actually led to wrong design choices in the
past where the rate of signals carried information (such as the progress
of time) that should better be obtained via an explicit RPC call.
The old 'Signal_rpc_member' template retains the old interface for now.
But the new 'Signal_handler' omits the 'unsigned' argument from the
handler function.
GNU ar only uses a flat module (object) name space but supports multiple
instances of objects with the same name. As we use subdirectories with
source file names that may clash (e.g., signal/common.cc and
server/common.cc in the base library) some of our static library
archives have multiple object instances. This is not an issue on archive
creation but works not as expected when updating archives. To avoid
updates of library archives we delete the files before calling GNU ar.
This patch integrates three region maps into each PD session to
reduce the session overhead and to simplify the PD creation procedure.
Please refer to the issue cited below for an elaborative discussion.
Note the API change:
With this patch, the semantics of core's RM service have changed. Now,
the service is merely a tool for creating and destroying managed
dataspaces, which are rarely needed. Regular components no longer need a
RM session. For this reason, the corresponding argument for the
'Process' and 'Child' constructors has been removed.
The former interface of the 'Rm_session' is not named 'Region_map'. As a
minor refinement, the 'Fault_type' enum values are now part of the
'Region_map::State' struct.
Issue #1938
The return code of assign_parent remained unused. So this patch
removes it.
The bind_thread function fails only due to platform-specific limitations
such as the exhaustion of ID name spaces, which cannot be sensibly
handled by the PD-session client. If occurred, such conditions used to
be reflected by integer return codes that were used for diagnostic
messages only. The patch removes the return codes and leaves the
diagnostic output to core.
Fixes#1842
The mixer is not directly necessary for the avplay demo. But it implies
additional maintenance work. E.g., in the current state, it complains about
the missing Report server and mutes audio output by default.
Ref #1910
Currently the report name is used implicitly as first xml node name for the
report. This is inconvenient if one component wants to generate various xml
reports under various names (e.g. to steer consumers/clients slightly
differently) but with the same xml node tree structure.
Fixes#1940
We don't want Genode environment objects that register their destructor
for program exit as it is mostly unnecessary and easily produces
dangling pointers. Thus, use unmanaged_singleton instead of the static
keyword.
Fixes#1941
When bringing up the kernel on multiple cores, there is a time span
where some cores already have caches enabled and some don't. Core-local
storage that may be used during this time must be aligned at least to
the maximum line size among global caches. Otherwise, a cached core may
unintentionally prefetch data of a yet uncached core into a global
cache. This may corrupt the view of the uncached core as soon as it
enables caches. However, to determine the exact alignment for every
single ARM platform isn't sensible. Instead, we can align to the minimum
page size assuming that a cache never wants to prefetch from multiple
pages at once and thus fulfills "line size <= page size".
Fixes#1937
When using the Allocator interface, one can't tell which alignment
resulting allocations fulfill. However, at least on ARM, given the
architectural alignment requirements of ARM memory accesses, one wants
memory allocations (what allocators are for in most cases) to be word
aligned automatically. Previously, at least the AVL allocator simply
called alloc_aligned without defining align in its alloc implementation.
This led to unaligned access faults (the default was 0) when using the
AVL allocator as Allocator (as done in the metadata management of a SLAB
of an AVL that uses the AVL as backing store). To avoid such pitfalls
in the future, we force users of alloc_aligned to always specify align
(why use alloc_aligned without align anyway).
Ref #1941
This is a generalisation approach of the hw_zynq target. As the boards
typically use UART1 instead of UART0 (used by qemu), we have to
distinguish between those. Moreover, in general hw_zynq does not imply
zynq_qemu anymore, so that the support of particular boards can be
placed in third-party or community repositories (e.g. Genode world).
Fixes#1926
Besides unifying the Msgbuf_base classes across all platforms, this
patch merges the Ipc_marshaller functionality into Msgbuf_base, which
leads to several further simplifications. For example, this patch
eventually moves the Native_connection_state and removes all state
from the former Ipc_server to the actual server loop, which not only
makes the flow of control and information much more obvious, but is
also more flexible. I.e., on NOVA, we don't even have the notion of
reply-and-wait. Now, we are no longer forced to pretend otherwise.
Issue #1832
This patch unifies the CPU session interface across all platforms. The
former differences are moved to respective "native-CPU" interfaces.
NOVA is not covered by the patch and still relies on a custom version of
the core-internal 'cpu_session_component.h'. However, this will soon be
removed once the ongoing rework of pause/single-step on NOVA is
completed.
Fixes#1922
This patch changes the organization of the slab blocks within the slab
allocator. Originally, blocks were kept in a list sorted by the number
of free entries. However, it turned out that the maintenance of this
invariant involves a lot of overhead in the presence of a large number
of blocks. The new implementation manages blocks within a ring in no
particular order and maintains a pointer to the block where the next
allocation is attempted. This alleviates the need for sorting blocks
when allocating and deallocating.
Fixes#1908
This patch ensures that the 'Allocator_avl' releases all memory obtained
from the meta-data allocator at destruction time. If allocations are
still dangling, it produces a warning, hinting at possible memory leaks.
Finally, it properly reverts all 'add_range' operations.
This patch fixes a use-after-free problem raised by the recent ability of
the slab allocator to dynamically release empty slab blocks. The
Rm_session_component::detach function used to rely on the assumption
that the region metadata co-located with the allocator metadata of the
'_map' would stay intact even after a 'free' if the region.
This patch prevents the destruction of the fd allocator when the program
exists. Otherwise, the meta data for file descriptors that were not
manually closed would vanish, which may cause problems in subsequent
destructors.
This patch makes sure that the dataspace pool is flushed before
destructing the heap-local allocator-avl instance. With the original
destruction order, the allocator would still contain dangling
allocations on the account of the dataspace pool when destructed. In
practice, this caused no problem because the underlying backing store is
eventually freed on the destruction of the pool. But it triggers a
runtime warning of the allocator since it has become more strict with
regard to dangling allocations.
This patch removes the dynamically growing slab allocator from the
page-table registry. This has two benefits. First, we alleviate the
corner cases where the slab allocator needed to extend its backing store
while establishing a core-local memory mapping, thereby triggering a
nested core-local mapping. Without this corner case, no reentrant lock
is needed any longer. Second, it removes the dependency from the overly
large old API of the slab allocator. So we can tighten the slab
interface.
Replace the Out_of_node_handles exception with Out_of_metadata.
Clients need to know when the server is out of internal resources,
but not why.
Cleanup and sort the errors at file_system_session.h.
Remove 'Size_limit_reached exception' from File_system, which was
internal to ram_fs.
Issue #1751Fixes#1909
Opening a VFS handle previously involved allocating from the global heap
at each VFS file system. By amending open with an allocator argument,
dynamic allocation can be partitioned.
A new close method is used to deallocate open handles.
Issue #1751
Issue #1891
The returned capacity had different semantics dependent on the card
type. For HIGH_CAPACITY cards, the memory capacity is specified in 512kB
blocks. So we should also return 512kB blocks for STANDARD_CAPACITY
cards.
Issue #1925
When init destroys a child server with an open session, the client must
be updated as it will otherwise store a pointer to a no-more existing
service object which will be dereferenced when the child client is
destroyed.
Fixes#1912
First, we use an alternate stack for signal handling now. The stack is
shared among all threads of the component, which is okay as we only
handle exceptions with log output and pass on to the default handler
(that terminates the execution). The primary motivation for the
alternate stack is the detection of SIGSEGV due to stack overflows.
Also, hybrid components now handle exception signals by logging and the
support for multi-threaded applications was improved.
Fixes#1935
This commit introduces the new `Component` interface in the form of the
headers base/component.h and base/entrypoint.h. The os/server.h API
has become merely a compatibilty wrapper and will eventually be removed.
The same holds true for os/signal_rpc_dispatcher.h. The mechanism has
moved to base/signal.h and is now called 'Signal_handler'.
Since the patch shuffles headers around, please do a 'make clean' in the
build directory.
Issue #1832
Prevents the annoying warning about
WARNING: Image format was not specified for 'bin/test.img' and probing guessed raw.
Automatically detecting the format is dangerous for raw images, write operations on block 0 will be restricted.
Specify the 'raw' format explicitly to remove the restrictions.
If attached ROM dataspaces are not valid after update(), code that uses
these ROMs produces
void Genode::Volatile_object< <template-parameter-1-1> >::_check_constructed() const [with MT = Genode::Attached_dataspace]: Deref_unconstructed_object
In scenarios where the config ROM is loaded from a report ROM or any
other non-static ROM, config might try to access an invalid dataspace
capability. This patch prevents the component from aborting in this
case.
Fixes#1914
This commit replaces the stateful 'Ipc_client' type with the plain
function 'ipc_call' that takes all the needed state as arguments.
The stateful 'Ipc_server' class is retained but it moved from the public
API to the internal ipc_server.h header. The kernel-specific
implementations were cleaned up and simplified. E.g., the 'wait'
function does no longer exist. The badge and exception code are no
longer carried in the message buffers but are handled in kernel-specific
ways.
Issue #610
Issue #1832
If ports need preparation in order to execute a run script, use the
knowledge about the actual genode directory to suggest a command to the
user that can be directly copied to the command line.
Rust relies on atomic builtins, which are not implemented in libgcc for
ARM. One is implemented in rust, which is sufficient to get the
current rust test to run.
Issue #1899
Check if the binary pointer is valid before attempting to lookup the
symbol. Shared objects with unresolved symbols and missing depencies,
e.g a library that references 'errno' but is not linked against libc,
will now produce an error message when they are loaded by the dynamic
linker.
Fixes#1904.
This patch moves details about the stack allocation and organization
the base-internal headers. Thereby, I replaced the notion of "thread
contexts" by "stacks" as this term is much more intuitive. The fact that
we place thread-specific information at the bottom of the stack is not
worth introducing new terminology.
Issue #1832
The interfaces linux_cpu_session, local_capability, linux_dataspace,
linux_native_pd are mere implementation necessities. They are meant for the
internal use by the framework only. So it is appropriate to move them to
base/internal/.
Issue #1832
On seL4 and L4/Fiasco, we employ a simple yielding spinlock as lock
implementation. Consequently these base platforms used to have a
simplified header. However, since the regular cancelable_lock has all
the member variables needed to implement a spinlock, we can simply use
the generic header on those two platforms too, just leaving some other
parts of the generic header unused. So at API level, the difference is
not visible.
Issue #1832
By moving the stub implementation to rm_session_client.cc, we can use
the generic base/include/rm_session/client.h for base-linux and
base-nova and merely use platform-specific implementations.
Issue #1832
This patch establishes a common organization of header files
internal to the base framework. The internal headers are located at
'<repository>/src/include/base/internal/'. This structure has been
choosen to make the nature of those headers immediately clear when
included:
#include <base/internal/lock_helper.h>
Issue #1832
This patch integrates the functionality of the former CAP session into
the PD session and unifies the approch of supplementing the generic PD
session with kernel-specific functionality. The latter is achieved by
the new 'Native_pd' interface. The kernel-specific interface can be
obtained via the Pd_session::native_pd accessor function. The
kernel-specific interfaces are named Nova_native_pd, Foc_native_pd, and
Linux_native_pd.
The latter change allowed for to deduplication of the
pd_session_component code among the various base platforms.
To retain API compatibility, we keep the 'Cap_session' and
'Cap_connection' around. But those classes have become mere wrappers
around the PD session interface.
Issue #1841
This patch removes the SIGNAL service from core and moves its
functionality to the PD session. Furthermore, it unifies the PD service
implementation and terminology across the various base platforms.
Issue #1841
This patch removes the support for executing subsystems of CLI monitor
within the GDB monitor. There are multiple reasons: First, the feature
remained unused for multiple years. Second, it relied on the base/elf.h
header to determine whether the started binary is dynamically or
statically linked. This header, however, is going to be removed from the
Genode API. Third, the feature will eventually break with the upcoming
changes of how components are bootstrapped. Finally, there is the plan
to turn CLI monitor into a sole front end of a dynamically configurable
init component. Once we pursue this plan, we'd need to reconsider the
GDB support anyway.
Issue #1832
The commit avoids the need to have contrib sources of the kernel
available for this run script. We actually just want to build core and
not the kernel itself, which is always required after recent changes in
the ports tool.
This is the default optimization level in the original seL4 SDK. By
adapting to O3, we work around a bug [1] in version 2.1.0 that only
shows on low optimization levels.
[1] https://github.com/seL4/seL4/issues/20
Previously, ports that were needed for a scenario and that were not
prepared or outdated, triggered one assertion each during the second
build stage. The commit slots a mechanism in ahead that gathers all
these ports during the first build stage and reports them in form of a
list before the second build stage is entered. This list can be used
directly as argument for tool/ports/prepare_port to prepare respectively
update the ports. If, however, this mechanism is not available, for
example because a target is build without the first build stage, the old
assertion still prevents the target from running into troubles with a
missing port.
Fixes#1872
To raise readability when preparing multiple ports in parallel we prefix
also the git clone output with the port name dark-yellow-coloured. To
achieve this we sed the git output. In sed \x1b[ resolves to an escape
sequence and \033[, that we use normally, doesn't. The echo command, at
the other hand, resolves both to an escape sequence. Thus we use the
sed-compatible version in general. This commit inhibits the progress
output of git clone as it can't be redirected to sed.
Ref #1872
The tool/prepare_port tool is now able to handle a list of ports that
shall be prepared. Additionally, one may state the number of ports that
shall be prepared in parallel at a max by using the -j parameter. If -j
is not set by the user, the tool acts as with -j1. The previous
implementation of the tool that prepares only a single port was moved to
tool/ports/mk/prepare_single_port.mk and acts as back end to the new
prepare_port tool. The interface of the new prepare_port tool is
backwards compatible. When called for one port only, the behavior is the
same as when calling tool/ports/mk/prepare_single_port.mk directly.
Removes "usage" rule from prepare_single_port.mk. Removes shebang line
from prepare_single_port.mk.
Ref #1872
The gnat and gprbuild tools are not necessarily in the PATH when
preparing the port since the effective location is specified by the
--image-muen-gnat-path RUN_OPT.
This patch updates seL4 from the experimental branch of one year ago to
the master branch of version 2.1. The transition has the following
implications.
In contrast to the experimental branch, the master branch has no way to
manually define the allocation of kernel objects within untyped memory
ranges. Instead, the kernel maintains a built-in allocation policy. This
policy rules out the deallocation of once-used parts of untyped memory.
The only way to reuse memory is to revoke the entire untyped memory
range. Consequently, we cannot share a large untyped memory range for
kernel objects of different protection domains. In order to reuse memory
at a reasonably fine granularity, we need to split the initial untyped
memory ranges into small chunks that can be individually revoked. Those
chunks are called "untyped pages". An untyped page is a 4 KiB untyped
memory region.
The bootstrapping of core has to employ a two-stage allocation approach
now. For creating the initial kernel objects for core, which remain
static during the entire lifetime of the system, kernel objects are
created directly out of the initial untyped memory regions as reported
by the kernel. The so-called "initial untyped pool" keeps track of the
consumption of those untyped memory ranges by mimicking the kernel's
internal allocation policy. Kernel objects created this way can be of
any size. For example the phys CNode, which is used to store page-frame
capabilities is 16 MiB in size. Also, core's CSpace uses a relatively
large CNode.
After the initial setup phase, all remaining untyped memory is turned
into untyped pages. From this point on, new created kernel objects
cannot exceed 4 KiB in size because one kernel object cannot span
multiple untyped memory regions. The capability selectors for untyped
pages are organized similarly to those of page-frame capabilities. There
is a new 2nd-level CNode (UNTYPED_CORE_CNODE) that is dimensioned
according to the maximum amount of physical memory (1M entries, each
entry representing 4 KiB). The CNode is organized such that an index
into the CNode directly corresponds to the physical frame number of the
underlying memory. This way, we can easily determine a untyped page
selector for any physical addresses, i.e., for revoking the kernel
objects allocated at a specific physical page. The downside is the need
for another 16 MiB chunk of meta data. Also, we need to keep in mind
that this approach won't scale to 64-bit systems. We will eventually
need to replace the PHYS_CORE_CNODE and UNTYPED_CORE_CNODE by CNode
hierarchies to model a sparsely populated CNode.
The size constrain of kernel objects has the immediate implication that
the VM CSpaces of protection domains must be organized via several
levels of CNodes. I.e., as the top-level CNode of core has a size of
2^12, the remaining 20 PD-specific CSpace address bits are organized as
a 2nd-level 2^4 padding CNode, a 3rd-level 2^8 CNode, and several
4th-level 2^8 leaf CNodes. The latter contain the actual selectors for
the page tables and page-table entries of the respective PD.
As another slight difference from the experimental branch, the master
branch requires the explicit assignment of page directories to an ASID
pool.
Besides the adjustment to the new seL4 version, the patch introduces a
dedicated type for capability selectors. Previously, we just used to
represent them as unsigned integer values, which became increasingly
confusing. The new type 'Cap_sel' is a PD-local capability selector. The
type 'Cnode_index' is an index into a CNode (which is not generally not
the entire CSpace of the PD).
Fixes#1887
Use the new Sinfo::get_dev_info function to retrieve device information
in the platform-specific get_msi_params function. If the requested
device supports MSI, set the IRQ and MSI address/data register values to
enable MSIs in remappable format (see VT-d specification, section
5.1.2.2).
Currently only one MSI per device is supported as the subhandle in the
data register is always set to 0.
The new Sinfo::get_dev_info function can be used to retrieve information
for a PCI device with given source-id (SID). The function returns false
if no device information for the specified device exists.
The platform-specific get_msi_params function returns MSI parameters for
a device identified by PCI config space address. The function returns
false if either the platform or the device does not support MSI mode of
operation.
Extend the base-hw Irq_session_component class with _is_msi, _address
and _value variables required to support MSI mode of operation.
Return MSI configuration in info() function if _is_msi is set to true.
Enable the ACPI functionality in the platform_drv on hw_x86_64_muen and
provide a simple generated XML report as ROM session in order to make
the PCI configuration space available.
This is a requirement to implement support for MSI on hw_x86_64_muen.
In addition to now using the framework the playback is triggered by a
timer. For now it is a periodic timer that triggers every 11 ms which
is roughly the current Audio:out period (*).
The driver now also behaves like the other BSD Audio_out driver, i.e,
it always advances the play pointer. That is vital for the Audio_out
stack above the driver to work properly (e.g. the mixer).
(*) It stands to reason if it would be better to use the async ALSA
timer interface instead of using the Timer session.
Fixes#1892.
For some reason 'os/config.h' is imported through 'launchpad.h', when linking an
undefined symbol ('Genode::config') is produced, which actually should not
happen.
This commit adds rocket core on the Zynq FPGA support to base HW. It also takes
advantage of the new timer infrastructure introduced with the privileged 1.8 and
adds improved TLB flush support.
fixes#1880
The wrapper functions (e.g., 'Unwind_*' and friends) now have the same signature
as the original function in 'libgcc', reside in a separate C file which is
archived to cxx.lib.a. In supc++.o we prefix the wrapped functions with '_cxx_'.
This also enables support for riscv.
related to #1880
This driver uses the Usb session interface and provides a Block session
to its client. See _repos/os/src/drivers/usb_block/README' for more
information.
Fixes#1885.
Instead of only hardcoding "hw" read 'alsa_device' attribute from the
config node to determine the proper playback device. The default value
is still "hw" in case the attribute is not present.
Fixes#1884.
This patch removes a superfluous resize request at the creation time of
a new window, which resulted from _requested_size being initialized with
zero whereas the _geometry was initialized with the actual window
geometry. In some cases, this inconsistency led to the report of a new
resize request for the size 0x0, which is obviously wrong. I.e., it
leads clients to believe that the user has closed the window.
This patch resets the part of the window state that is responsible the
dragging of window controls once the drag operation is finalized.
Without it, the window was wrongly positioned when leaving the maximized
state after a previous resize operation.
This patch adds support for manipulating the window layout with keyboard
actions. It supports the toggling of fullscreen (aka maximize), the
raising of the currently focused window, and the focusing the next/previous
window.
This patch adds the mechanics for detecting key sequences to the window
layouter. Sequences for layouter actions can be expressed in the
layouter configuration. They cannot trigger any real action yet.
This patch weakens the themed decorator's demands with respect to the
supplied theme data. It no longer strictly requires the specification of
the '<closer>', '<title>', and '<maximizer>' nodes and the accompanied
png/tff data. Furthermore, the default.png can be left out if both decor
and aura have a size of zero.
This patch enhances the layouter to apply a label-dependent policy
for the placement of new windows. The policy may contain the
attributes 'xpos', 'ypos', and 'maximized'. If the latter is set
to "yes", the matching window will appear in maximized state.
This patch ensures that we never request a zero-sized virtual
framebuffer from nitpicker even when instantiating the object with zero
width or height. It therebu removes the burden of handling the resulting
invalid framebuffer dataspace from the user of the Nitpicker_buffer
utility.
The driver might end up in an endless loop on systems that do not
contain an i8042 controller when probing the AUX interface. This
leads to busy looping and in the end to not annoucing the Input
service. Components that wait for the announcement of the service
will therefore hang as well.
Normally a service gets announced only if it is usable but in this
case this is inconvient because it renders all scenarios that use
the input_merger non working on x86 systems that only provide USB
input and do not have PS/2 at all.
Ideally, the PS/2 driver should only be started if the system needs it.
That is currently not feasible and for the time being we post-pone the
inevitable and back down after several unsucessful attempts to read
from the AUX interface while initializing the driver.
Fixes#1871.
Interfaces that have been claimed by a component always have to be
released when the session is closed in case the component
malfunctioned.
Fixes#1869.
Inspired by the mailing-list posting [1], this commit removes the
MAC/PHY reset for all Intel cards and effectively prevents the bandwidth
drop to 10 MBit/s (e.g., on i217lm). I understand it as preliminary fix
for practical reasons - a real fix would be to update the ipxe port and
monitor for more postings like the one mentioned.
[1] http://lists.ipxe.org/pipermail/ipxe-devel/2015-December/004511.html
The 'usb_report_filter' component takes the devices report from the
USB driver and generates a new devices report after checking each
entry against its device white-list. Before emitting the new report
it changes the configuration of the USB driver to contain the
required policy entries.
See 'repos/os/src/app/usb_report_filter/README' for more details.
Issue #1863.
- Use 'label' attribute to identify device instead of
bus/dev and vendor_id/product_id
- Implement release_interface RPC
- Report 'label' as well as 'bus' and 'dev'
- Add policy handling to raw driver (includes reconfiguration
at runtime)
- Use own memory backing store for large DMA allocations
Issue #1863.
This prevents a sporadic null-pointer dereference in the nic_loopback
test, which occurred once in 100 runs. I'm not sure if there's still a
race window (we may investigate) with context dissolve.
Instead of polling for new Nic session signals, when waiting for
network packets with a timeout, block on the signal receiver, and
register a timer event beforehand using the same signal receiver.
Fix#1862
Ref #1864
Do not build core-muen_on library without the muen soecifier set.
Do not reference files of the muen contrib directory in the first
pass of make's rule analysis, when parding the muen specific kernel
makefile.
Fix#1859
The new implementation of the FPU and FPU context is taken out to
separate architecture-dependent header files. The generic Cpu_lazy_state
is deleted. There is no hint about the existence of something like an
FPU in the generic non-architexture-dependent code anymore. Instead the
architecture-dependent CPU context of a thread is extended by an FPU
context where supported.
Moreover, the current FPU implementations are enhanced so that threads
that get deleted now release the FPU when still obtaining it.
Fix#1855
Thanks to the log_terminal server, we no longer rely on a separate UART
for the noux output. We also skip the indirection of using a tar archive
but rather start the test-noux_form program as a mounted ROM module.
With commit e74b53d5dd the fork semantic in noux
changed slightly, and broke platforms like hw & sel4, where the UTCB is mapped
directly into the thread's context area. The change moved the re-initialization
to a point where the new noux process' thread stack-pointer was already switched
back to the context area. But to re-initialize the context area RPC calls must
be done, and the UTCB must be used therefore. On the other side the UTCB is
found implicitly by the stack-pointer, whereby a stack-pointer located in the
context-area refers to a UTCB that is expected to reside in the context-area
as well. But the UTCB gets overlayed inside the context area by the
context-area's re-initialization - we've come round in a circle.
This commit rolls back the move of the re-initialization routine. To preserve
the intention of the original commit, the context-area location is stored in
a static variable, so that the Native_config API is not needed anymore.
Fix#1851
This commit enables multi-processing for all Cortex A9 SoCs we currently
support. Moreover, it thereby enables the L2 cache for i.MX6 that was not
enabled until now. However, the QEMU variants hw_pbxa9 and hw_zynq still
only use 1 core, because the busy cpu synchronization used when initializing
multiple Cortex A9 cores leads to horrible boot times on QEMU.
During this work the CPU initialization in general was reworked. From now
on lots of hardware specifics were put into the 'spec' specific files, some
generic hook functions and abstractions thereby were eliminated. This
results to more lean implementations for instance on non-SMP platforms,
or in the x86 case where cache maintainance is a non-issue.
Due to the fact that memory/cache coherency and SMP are closely coupled
on ARM Cortex A9 this commit combines so different aspects.
Fix#1312Fix#1807
On ARM Cortex A9 platforms the external PL310 L2 cache controller
needs to be initialized dependent on the SoC. For instance on Pandaboard
it needs to call the firmware running in TrustZone's secure world,
on i.MX6 it initializes it directly, on other boards it doesn't need
to be initialized at all, because the bootloader already did so.
Therefore, we should implement the PL310 intialization in board specific
code and not in the base class implementation.
Ref #1312
This commit separates certain SMP aspects into 'spec/smp' subdirectories.
Thereby it simplifies non-SMP implementations again, where no locking
and several platform specific maintainance operations are not needed.
Moreover, it moves several platform specifics to appropriated places,
removes dead code from x86, and starts to turn global static pointers
into references that are handed over.
Now, the right PCI bus:device:function (BDF) is reported to the kernel
during assign_pci syscall - beforehand it was ever 0:0.0. The BDF is
needed to lookup the correct DMAR unit the kernel has to configure. This
was revealed as the DMAR unit for Intel graphics on x201 is not the same
as for all other PCI devices we have drivers for on this platform.
Fixes#1848
Instead of using the 'alloc()' method to allocate new packets use
the 'next()' method with the previous packet. This is needed because
the last audio stack changes broke the semantics assumed by 'alloc()'.
We now keep track of the already queued packets by hand.
Fixes#1827.
Use kernel branch which is more accurate in accounting memory, which avoids
kernel messages of following form:
[0] warning: insufficient resources ...
Fixes#1830
Enable automatic build of Muen system image by adding the image/muen run
script to RUN_OPT. Also specify --image-muen parameters with explanatory
comments.
Note: The ISO image is not built by default anymore.
The script takes the following RUN_OPT parameters:
--image-muen-external-build Muen system is built automatically or externally
--image-muen-system Muen system policy
--image-muen-components Muen system components
--image-muen-hardware Muen hardware platform
--image-muen-gnat-path Path to GNAT toolchain
--image-muen-spark-path Path to SPARK toolchain
Because a check for the TEST_WRITE configuration was missing as condition for a
packet submit, the test caused unwanted write access to the device.
Ref #1824
Explicitly cast floats to long as we currently do not plan to support
float in Xml_generator and previously the value was implicitly casted to
long anyway.
Issue #1819
Executing the system call will change the input fds as a side-effect
because the select_in.fds and select_out.fds structure are part of a
union. Since the original select_in.fds content is needed afterwards
make a copy instead of using a reference.
Fixes#1809.
The main thread's UTCB, used during bootstrap of the main thread before
it allocates its context area, needs to be outside the virtual memory
area controlled by the RM session, because it is needed before the main
thread can access its RM session.
Fix#1804
This patch adds diagnostic messages during the label-policy application,
if no policy for the session label was found or if the domain configured
in the policy node does not exist.
When unblocking a thread in Semaphore::up() while holding the fifo meta-data
lock, it might happen that the lock holder gets destroyed by the one it was
unblocking. This happened for instance in the pthread test in the past, where
thread destruction was synchronized via a semaphore. There is no need to hold
the lock during the unblock operation, so we should do it outside the critical
section.
Fix#1333
Previously we used a pretty slow external clock source for the timer. This
resulted in such a low TICS_PER_MS value that the granularity wasn't
sufficient to find a setup with a precision better than 1 second error per
minute. Now we use the so-called High Frequency Reference Clock as input
with TICS_PER_MS=33333 and the timer precision is significantly < 1 second per
minute.
Fixes#1805
From our observations we can tell that the error should not exceed 4%.
However, there is no reasonable explanation by now why the test results
are less stable on these platforms. We have tried several things that
did not lead to an explanation or improvement:
* changing the timing parameters of the scheduler
* switching off SMP
* double-checking the speed of userland and kernel timers
Ref #1805
The test threads previously used a stack size independent from the machine
word width. Qemu was previously configured to provide 64Mb of RAM which isn't
sufficient for x86_64.
Ref #1805
Upgrading the quota of a PD session on HW always triggers a "Quota
exceeded" warning. To prevent unecessary debugging effort in the future,
we explain in an in-code comment that the warning is normal.
Ref #1805
Print result error and error tolerance per test result. Use TCL commands
'format' and 'abs'to simplify calculations in the conclusion part of the run
script.
Ref #1805
When capabilities are delegated to components, they are added to the UTCB of the
target thread. Before the thread is able to take out the capability id out of
the UTCB and adapt the user-level capability reference counter, it might happen
that another thread of the same component deletes the same capability because
its user-level reference counter reached zero. If the kernel then destroys the
capability, before the same capability id is taken out of all UTCBs, an
inconsitent view in the component is the result. To keep an consistent view in
the multi-threading scenario, the kernel now counts how often it puts a
capability into a UTCB. The threads on the other hand hint the kernel when they
took capabilities out of the UTCB, so the kernel can decrement the counter
again. Only when the counter is zero, capabilities can get destructed.
Fix#1623
On Linux the linker can now be loaded at arbitrary addresses, this became
necessary for newer kernel versions. The 'linux_arm' target is not supported.
Issue #1728
Former Native_config::context_area_virtual_base() was used to identify
the main, which is not desired as the Native_config is rather low-level
(almost private to the base libs). The commit uses a library constructor
to retrieve the main-thread Thread_base pointer, which can be used later
to distinguish main and other threads.
Likewise on the x86 branch, we have to remove all virtual memory ranges from the
virtual memory allocator that are used by one-by-one mappings of I/O regions
used by the kernel.
Fix#1797
If the injection of an event causes an EPT violation, the event must be
injected again. This commit implements the reinjection for the case that
the EPT violation can be resolved without involving the recompiler.
Fixes#1798
This reverts commit d8b95c263b.
Some clients might want to fiddle with the clients play position
(e.g. the mixer) within 'Audio_out::start()' and we might reset
it to an old value if we do it afterwards.
Fixes#1796.
Since all Audio_out server components loop over the packet stream
queue it is save to reset the tail position to one after the play
position. We have to do this because we do not know exactly when
the play position changes (i.e. the driver has processed the packet)
and we might end up with a tail position before the current play
position.
Issue #1796.
* Also change the way how mute is handled. Only send the
changed signal if the user has clicked on the mute checkbox
* Always check channels_rom is valid
* Add <default> handling
* Increase verbosity
Fixes#1795.
Instead of bailing out if the channel list is incorrect check config
node attributes and default settings first.
Being there also fix flawed LOG messages.
Fixes#1794.
* enable i915 driver from Linux 3.14.5
* tested for generation 5 till 8 GPUs
The driver can be configured at run-time via the config ROM. Every
connector of the graphic card can be configured separately using the
following syntax
<config>
<connector name="LVDS-11" width="1280" height="800" enabled="true"/>
</config>
Also, when enabled within the intel framebuffer driver configuration like
the following
<config buffered="yes"/>
a simple ram dataspace is propagated to the client and the driver
itselfs copies from that buffer to the framebuffer triggered via refresh
calls. This option is useful to alleviate tearing effects.
The driver distributes all available connectors of the graphic card and
their supported resolutions via a report. It looks like follows
<connectors>
<connector name="LVDS-11" connected="1">
<mode width="1280" height="800" hz="60"/>
...
</connector>
...
</connectors>
The driver distributes the report only if this is stated within its
configuration, like the following
<config>
<report connectors="yes"/>
</config>
Fix#1764
This patch unifies the mechanism of selecting server-side policies and
taking session-routing decisions based on session labels. In both cases,
XML nodes are scored against session labels. The score depends on the
XML attributes 'label' (exact match), 'label_prefix', and
'label_suffix'.
Issue #1766
* Provide paravirtualized block API for accessing the second partition
of the block device that is provided by the ESDHC driver.
* Provide paravirtualized serial API for sending log-output over Genodes
serial port.
* Use the latest Linux suggested in the USB Armory Wiki [1] when on USB Armory
while still using the older vendor Linux when on i.MX53 QSB. I.e.,
provide a device tree through RAM and a rootfs through the paravirtualized
block device when on USB Armory while providing ATAGs and Initrd when on
i.MX53 QSB.
* Switch on the LED on the USB Armory when the VMM catches a VM-exception
and switch it off again when as soon as the exception is handled. This
merely show-cases the ability to instrument the LED for such purposes. In an
ideal world, the LED is switched on as long as we're on the "Secure Side"
and switched off as long as we're not.
* For further information see repos/os/run/tz_vmm.run
[1] https://github.com/inversepath/usbarmory/wiki/Preparing-a-bootable-microSD-imageFixes#1497
On the USB Armory, we want to secure different devices than on other i.MX53
implementations. Thus, add a board specific configuration that is interpreted
by the kernel Trustzone initialization.
Ref #1497
Enhance the VM state, that can be accessed by a VMM, by a member
'unsigned irq_injection'. In Kernel::Vm::proceed check, whether
irq_injection is set. If so, check whether irq_injection is a
non-secure IRQ. If so, let the PIC raise this IRQ in the VM and reset
irq_injection.
Ref #1497
This enables installation of the bootloader image without wiping the
partition table which is needed at least for the tz_vmm tutorial with
hw_usb_armory.
Ref #1497
Move ADMA2 stuff to extra header and unit. Move ESDHCv2 implementations to
extra unit. Use exceptions instead of error codes. Clean-up documentation.
Ref #1497
The manual termination of multi-block writes via "Stop Transmission" commands
seems to leave the card in a busy state sometimes. This causes errors on
subsequent commands. Thus, we have to synchronize manually with the
card-internal state via "Send State" commands. Additionally, the method
for issuing the manual "Stop Transmission" commands was refined.
Ref #1497
We have to issue a data synchronization barrier after writing a ADMA2
table to ensure that the corresponding write commands were actually
executed before issuing the SD command.
Ref #1497
On i.MX53 QSB, a "Send Op Cond" command during the driver initialization
returns another response value than on the USB Armory. As the check for
this response seems to have no relevance for the driver functionality (Linux
reads the value from MMIO but I can't find a place in the source code where
it is used), we simply remove it.
Ref #1497
Previously, it was not necessary to acknowledge an IRQ initially before using
it. However, since the IRQ framework changed lately it is. Adapt to this.
Ref #1497
Notify client initially to enforce a client-side ROM update. Otherwise,
a server-side ROM update between session creation and signal-handler
registration would go unnoticed.
Issue #1788
This patch changes the decorator to always apply stacking-order changes
immediately instead of deferring the re-stacking of the nitpicker views
to the next call of 'update_nitpicker_views'. The deferred application
did not always work when more then one windows changed their stacking
position at once because the cached '_neighbor' values interfered with
each other.
The eager re-stacking should not have negative effects on the user
experience because, in contrast to re-positioning, re-stacking a rare
operation.
This change makes it possible to reuse the generic window decorator
classes in include/decorator/ for decorators of a different structure.
E.g., instead of painting decorations on a single nitpicker session,
each window may paint its decorations into additional window-specific
nitpicker sessions.
For each session upgrade performed by a wm client as part of the
Nitpicker::Connection::buffer function, the window manager wrongly
upgraded the wrapped nitpicker session twice: Once by handling the
Root::upgrade, and again by handling of the server-side 'buffer'
operation. Here, the 'buffer' operation was implemented by not merely
forwarding the RPC request to the wrapped nitpicker session but by
calling the 'buffer' method on the wrapped session's connection
object, which implictly issues session upgrades. Consequently,
the window manager would transfer twice the amount of the session
upgrades it received by its clients to nitpicker and eventually ran
out of memory.
The patch fixes the problem by eliminating the call of the
Nitpicker::Connection::buffer method and instead merely forward the RPC
requests to the wrapped nitpicker sessions.
The original version of the icon painter would reach beyong the
texture boundaries for textures of even width and height, and when
painting an icon with the width or height of the texture.
In this case, p3 would be set to the same value as p2. However, the code
expects p3 to lie within the middle rectangle. However, in this corner
case, the middle rectangle is actually empty. So no pixel can lie within
it. Hence, p3 is positioned by one pixel to the left outside the middle
rectangle, which violates the assumptions when calculating the clipping
and texture offsets. The patch fixes the problem by reducing the size of
the right column by one pixel. This ensures that exists always a
non-zero middle rectangle.
In the event where a nitpicker session's quota was depleted by the
allocation of view handles, nitpicker would abort. The patch prevents
the abort by reflecting this condition as an Out_of_metadata exception
to the client. This way, the client can upgrade its session as needed.
The problem was triggered by running the decorator_stress test (changed
to generate 40 windows) with the themed_decorator.
This patch addresses the corner case that the specified neighbor view
is the first view of the view stack. If this is the case when inserting
the view in front of the neighbor (behind == false), the target position
within the view stack must be a null pointer, not the first view.
Because the conditions have become rather complicated, both cases
of 'behind' are handled separately now.
'block_for_signal' and 'pending_signal' now set pending flag in signal context
in order to determine pending signal. The context list is also used by the
'Signal_receiver' during destruction.
Fixes#1738
Instead of just red messages in the log and a hanging caller, the issuer
may respond to it - e.g. a noux bash shell will show an error and is
afterwards still usable.
Fixes#1778
Accidentally removed by #1658. We need to make the cleanup call for server
objects - otherwise we may get in capability identifier re-use trouble.
Issue #1778
The notion of a channel is shared by the mixer backend as well as the
frontend. To make dealing with reports between those easier move the
Channel definition to a global header.
Issue #1770.
This effectively enables configuring builds with -O0 for rump sources.
Note, if the build directory is not clean, at least var/libcache/rump*
should be removed before building with changed etc/tools.conf.
The test performs several rounds of write-read cycles with the following
configuration attributes in a <write-read> config node
rounds determines the number of rounds (default is 4)
size determines the number of bytes written/read in one round
(default is 4 MiB)
buffer_size determines the size of the write-read buffer
(default is 32 KiB)
In one round the test writes and reads "size/buffer_size" times
from/into a buffer_size'd buffer.
Related to #1765
Instructions:
1. Create a file in terminal one in the 'ram' directory
! echo "test" > ram/test
2. Second terminal
! tail -f ram/test
3. First terminal
! echo "Meaningless output" >> ram/test
4. Observe second terminal
The pthread object for the main thread initializes its 'Thread_base' base
class part with a reference to the 'Thread_base' object of the Genode main
thread. Therefore the pthread object for the main thread should never be
destroyed, as this would also destroy the Genode 'Thread_base' object.
Fixes#1760
Trapping rdtsc creates a huge load in some guests, e.g. Windows 8.1,
that use this instruction very frequently. This influences audio
playback/recording in a bad way (distorted sounds, …). As a interim
solution disable the virtualization of rdtsc completely. As long
as each guest VM runs on its own CPU core it should be fine as there
should not be that much interference (TSC warping).
That being said, TSC offsetting as well as adjusting within vbox have to
be evaluated.
Fixes#1768.
The RAM quota currently dedicated to the wm and decorator components in
the 'qt5_common.inc' file is too low for a window of size 1920x1080.
Fixes#1761
- Align implementation to the current generic implementation
- Document NOVA-specific implementation of dataspace() (as in the
original commit message)
This patch, complements the existing vbox layout with a hbox layout and
improves the response to dynamic dialog updates. The new version support
disappearing widgets and the reordering of widgets. Furthermore, this
patch ensures that the 'Widget::_layout' functions are executed after
updating a new version of the dialog.
This patch ensures that focus changes performed via the Session::focus
call are made effective the next time, the user is idle. Previously,
focus changes during drag operations were simply discarded.
strip_last_element at Path removes everything after the trailing slash,
which causes lookup failures at the VFS server when opening directories.
Issue #1648
Throw Invalid_name, No_space, and Out_of_node_handles where appropriate.
Catch the new range of errors thrown by at the VFS.
Catch Out_of_node_handles at the VFS, but print a message and re-throw.
Issue #1648
This patch introduces a shortcut for conditional session routes of the
form '<if-arg key="label" value="..."/>'. With this change, the label
can be directly specified as 'label' attribute of an '<any-service>' or
a '<service>' node. The '<if-arg>' mechanism was not documented anyway
and I hope to be able to ultimately remove it.
Don't skip the cleanup call if a pager object is marked as blocked.
It happens that the pager_object is in destruction but it is also used
concurrently by the pager thread. The pager thread handling code may set the
pager object to blocked but still uses the pointer to the pager object. Avoid
locking at the state of the pager object and make the cleanup call everytime.
Error output looks like this, where the pf_ip is within
void Pager_object::_page_fault_handler(addr_t pager_obj)
method and the pf_addr is the stale pointer to the already released pager_object.
no RM attachment (READ pf_addr=xxx pf_ip=xxx from 00 <NULL>)
static void Genode::Pager_object::_page_fault_handler(Genode::addr_t): page fault, thread '<NULL>', cpu x, ip=xxx, fault address=xxx
PAGE-FAULT IN CORE (READ pf_addr=b10e0090 pf_ip=132dbc from 00 <NULL>)
Currently, when a signal arrives in the main thread, the signal dispatcher is
retrieved and called from the main thread, the dispatcher uses a proxy object
that in turn sends an RPC to the entry point. This becomes a problem when the
entry point destroys the dispatcher object, before the dispatch function has
been called by the main thread. Therefore, the main thread should simply send an
RPC to the entry point upon signal arrival and the dispatching should be handled
solely by the entry point.
Issue #1738
* use '_dma_ext' or '_fdpma' commands
* handle interrupts depending on mode of operation
* spelling fixes
* move ATA 'Idendity' struct to ata header
issue #1734
- we claim to have no limits on file handles and number of threads
- remove obsolete Thread_base::myself fall-back code for stack size calculation
Issue #1733.
Too less memory quota for a PD may be calculated, which leads to too early
punishment for a Genode process.
Discovered during Turmvilla scenario #1552 and issue #1733.
Additionally print warnings about unavailable CPUs if they are tried to be
used during pager object setup.
Discovered during Turmvilla scenario #1552 and issue #1733.
Causes trouble if a gz image is loaded via grub and later used as initrd for a
Linux VM (e.g. with Seoul VMM)
Discovered during Turmvilla scenario #1552 and issue #1733.
threads with prio 0 will not be started and would fail silently.
Happened on Turmvilla for the USBProxy thread in virtualbox.
Discovered during Turmvilla scenario #1552 and issue #1733.
Reduces kernel log message noise when running on kernel-debug branch.
Additionally add a more verbose core message.
Discovered during Turmvilla scenario #1552 and issue #1733.
To make the creation of a bootstrap medium for most ARM platforms more
comfortable this tool shall bundle all the different U-Boot source
states, patches, and MMC preparation rules that we gathered over the
year for that purpose. As input, the tool merely needs the targeted
platform (analogous to the platform parameter of 'create_builddir'). By
now, 'hw_wand_quad' is the only supported platform. Further platforms
can be added successively. As output, the tool creates a head image file
of small size (8MiB) that can be copied (dd) with offset 0 to the MMC.
Fixes#1730
Under some circumstances, the diagnostic message in the exception signal
handler was not printed. This could happen due to a dead lock in the
console library if the console code itself produces the exception while
possessing the mutex, e.g., by exhausting a undersized stack. Now, we
directly write to the log session via the stdout_write() hook or use
raw_write_str() in core.
This patch improves the decorator in two ways. First, it enables the
assignment of window colors depending on the window labels. This
configuration can be changed dynamically. Second, it adds the handling
of window controls for closing, maximizing, minimizing windows.
Issue #1689Fixes#1688
This patch supplements the existing focus reports with the new attribute
'active', which indicates recent user activity when set to "yes". This
information is consumed by the clipboard to dynamically adjust its
information-flow policy depending on the user activity.
Issue #1712
This patch moves the formerly internal classes of the report-ROM service
to the public location os/include/report_rom/ so that they can be reused
by other components such as the upcoming clipboard.
This overload of the value member eases the retrieval of Genode::String
objects from XML attributes. So we won't need to deal with C-style
character buffers anymore.
The utilities in os/session_policy.h used to be tailored for the
matching of session arguments against a server-side policy
configuration. However, the policy-matching part is useful in other
situations, too. This patch removes the tight coupling with the
session-argument parsing (via Arg_string) and the hard-wired use of
'Genode::config()'.
To make the utilities more versatile, the 'Session_label' has become a
'Genode::String' (at the time when we originally introduced the
'Session_label', there was no 'Genode::String'). The parsing of the
session arguments happens in the constructor of this special 'String'.
The constructor of 'Session_policy' now takes a 'Genode::String' as
argument. So it can be used with the 'Session_label' but also with other
'String' types. Furthermore, the implicit use of 'Genode::config()' can
be overridden by explicitly specifying the config node as an argument.
Defer destruction of threads which tries to self-destruct. Check an perform
cleanup of such threads during pthread_cancel and pthread_create.
Issue #1687
Until now, the CLI monitor and the laucher allowed the user to explitly
kill subsystems but both used to ignore gracefully exiting subsystems.
It was the user's job to remove the remains of those subsystems. The
patch takes the burden of manually killing exited subsystems from the
user.
Fixes#1685
Instead of white-listing floppy controllers, certain SCSI controllers
as well as ISAPnP etc. pp. remove the diagnostics and print each access
if verbose is set.
Fixes#1726.
Instead of using the alarm_timer thread we use our own timer thread
that uses a kernel semaphore on Nova. On all other platforms a timer
connection and trigger_once is used.
Fixes#1727.
Addressing must be PC-relative, so adapt the approach from the other
nova_x86_32 syscall bindings (description by @ssumpf):
Use call to push the current IP on the stack and add the distance of
label 0 and label 1 in order to determine the return address, which
NOVA requires in edx.
The bug only showed up with "-O0" in libc.lib.so in form of a unwanted
text relocation.
Fixes#1721
platform_execute() is used to initially switch the stack of a
routine/task. While Thread_base::alloc_secondary_stack() properly aligns
the returned stack pointer the x86_64 assembler implementation did not
comply to stack frame management specified in the ABI.
The used (and most simple) stack-alignment check may pass a float to a
varargs function on x86, which requires the compiler to properly save
some XMM registers on stack.
Dataspace components inherit from RPC objects which are non-copyable from now
on. Therefore, the Rom_session_component's constructor had to be modified
to not construct a dataspace component on the stack and assign it in the
following.
Ref #1704
Holding the object pool's lock while trying to obtain an object's lock
can leave to dead-lock situations, when more than one thread tries to
access multiple objects at once (e.g.: when transfer_quota gets called
simultanously by the init and entrypoint thread in core). To circumvent
holding the object pool lock too long, but access object pointers safely
on the other hand, this commit updates the object pool implementation
to use weak pointers during the object retrieval.
Fix#1704
Destroying an object within the scope of a lambda/functor executed
in the object pool's apply function leads potentially to memory corruption.
Within the scope the corresponding object is locked and unlocked when
leaving the scope. Therefore, it is illegal to free the object's memory meanwhile.
This commit eliminates several places in core that destroyed wrongly in
the object pool's scope.
Fix#1713
If a client provides a read buffer of insufficient size for all
available data, we have two options
1) Leave it to the client to do partial reads until not further data is
available, or
2) Signal the client that there still some bytes on a partial read.
As the second option seems more robust it's implemented in this commit.
Fixes#1705
This makes use of the iPXE sanboot command [1] which downloads and
boots an ISO image directly via HTTP. Therefore, your RUN_OPT needs
both
--include image/iso and
--include load/ipxe
NOTE: The webserver serving the ISO image must support ranged requests,
see [2].
[1] - http://ipxe.org/cmd/sanboot
[2] - http://forum.ipxe.org/showthread.php?tid=7295&pid=10482#pid10482
iPXE is an open source network boot firmware which supports booting from
a web server via HTTP [1].
The following two parameters can be used to specify the iPXE/HTTP setup:
--load-ipxe-base-dir
This parameter specifies the base directory of the HTTP server from
which the target machine downloads the files.
--load-ipxe-boot-dir
The directory relative to iPXE base dir which contains the iPXE
chainload configuration and all necessary files.
The target machine is expected to request the following iPXE
configuration via HTTP:
http://${HOST_URL}/${ipxe-boot-dir}/boot.cfg
This can be achieved by building iPXE with the following embedded
script:
#!ipxe
dhcp
chain http://${HOST_URL}/${ipxe-boot-dir}/boot.cfg
See also [2] for additional information.
[1] - http://ipxe.org/
[2] - http://ipxe.org/howto/chainloading#breaking_the_loop_with_an_embedded_scriptFixes#1708
* Move the Synced_interface from os -> base
* Align the naming of "synchronized" helpers to "Synced_*"
* Move Synced_range_allocator to core's private headers
* Remove the raw() and lock() members from Synced_allocator and
Synced_range_allocator, and re-use the Synced_interface for them
* Make core's Mapped_mem_allocator a friend class of Synced_range_allocator
to enable the needed "unsafe" access of its physical and virtual allocators
Fix#1697
The commit consumes the argument of a unsupported printf command.
Without the commit - a subsequent command uses the argument of the preceding
command, which may cause memory corruption or page faults for sequences using
string commands, e.g.
Genode::printf("%#x %s\n", 0x20, "Test");
'#' is not supported by Genode::printf. In this scenario a pagefault at
address 0x20 is caused.
Fixes#1701
The 'O_NONBLOCK' flag has different numerical values in lwip and in the
libc, which prevented the correct setting of nonblocking socket mode.
Fixes#1699
The intention of Packet_ref was to allow clients to place opaque
references into the packet descriptor itself, which could be observed on
packet completion. Currently no component in our sources uses this
feature and beyond that it is questionable if it should be used at all:
If the server tampers with the ref the client may easily be confused
into observing an incorrect or invalid context. It seems better to
remove the opaque context from the descriptor and leave the actual
implementation to the client and its needs.
Unfortunately, the 'gcc -dumpmachine' magic does not suffice on all
Linux distros, so we just add the well-known paths for i386-linux-gnu
and x86_64-linux-gnu.
Fixes#1694
This patch extends the configuration concept of init with an additional
sub node for the <start> node:
<start name="noux">
<exit propagate="yes"/>
...
</start>
If the 'propagate' attribute is set to "yes", the exit of the respective
child will appear to init's parent as the exit of the entire init
subsystem.
Fixes#1686
Instead of holding SPEC-variable dependent files and directories inline
within the repository structure, move them into 'spec' subdirectories
at the corresponding levels, e.g.:
repos/base/include/spec
repos/base/mk/spec
repos/base/lib/mk/spec
repos/base/src/core/spec
...
Moreover, this commit removes the 'platform' directories. That term was
used in an overloaded sense. All SPEC-relative 'platform' directories are
now named 'spec'. Other files, like for instance those related to the
kernel/architecture specific startup library, where moved from 'platform'
directories to explicit, more meaningful places like e.g.: 'src/lib/startup'.
Fix#1673
The plugin works just like the netio plugin and uses the following
parameters
--power-off-energenie-host network address of device
--power-off-energenie-password password for device
--power-off-energenie-port target port of device
The run plugin is not generic and works for NETIO4/NETIO230 powerplugs
only. Further, this opens the path for other vendor-specific powerplug
plugins.
Note, the plugin parameter for the addressed powerplug was renamed to
--power-on-netio-host resp.
--power-off-netio-host
To correctly delete all IPC gates created via a CAP session, all
capabilities created have to be stored. Otherwise we leak kernel
objects within Fiasco.OC permanently.
Fix#702
This scripts starts two Audio_out session clients. These clients
access the soundcard via the mixer. The first client simply streams
a sample file in a loop while the second client generates a click
sound when any key is pressed.
Issue #1666.
Sometimes, the play position in stream is behind the out stream, mostly
because of timing issue. In this case, the mixer will produce invalid
packets which in return will lead to looping on an invalid packet in
the audio_drv.
Issue #1666.
Instead of looping the whole queue, the driver now loops on the first
invalid packet. In any case it will send a progress signal to its
client.
Fixes#1666.
For some platforms (at least hw_zynq on Qemu), the measured time of the
periodic timeout test exceeded the maximum that was previously
calculated without any tolerance. Most likely, this is not a malfunction
of the test subject as the error is pretty small and, of course,
measuring the time produces overhead itself. Introducing a tolerance of
only 0.1% fixes the problem.
Fixes#1599
Instead of returning pointers to locked objects via a lookup function,
the new object pool implementation restricts object access to
functors resp. lambda expressions that are applied to the objects
within the pool itself.
Fix#884Fix#1658
Propagating the user context-pointer from C++ code to the mode
transition assembly doesn't touch any CPU global data. Thus, we can
reduce the in-sync window.
Fixes#1223
Other platforms implement Kernel::Cpu_context stuff in
kernel/cpu_context.cc. On x86_64, it was implemented in
kernel/thread.cc. The commit fixes this inconsistency to the other
platforms.
Ref #1652
The distinction between Kernel::Thread and Kernel::Thread_base is
unnecessary as currently all Hw platforms would have the same content in
the latter class. Thus I've merged Kernel::Thread_base into
Kernel::Thread. Thereby, Kernel::Thread_event can be moved to
kernel/thread.h.
Ref #1652
The Muen-specific PIC implementation provides the irq_occurred()
function which is used to register an IRQ with the PIC upon thread
exception.
The occurred IRQs are stored in a boolean array internally and handed
out to a CPU via take_request().
The driver uses the timer page containing a vector and timer value to
implement the start_one_shot() and value() functions. The timer value
designates the absolute tick count of the next event.
The address of the time page is acquired using the get_memregion_info
Sinfo API function.
The Muen Sinfo API is used to retrieve information about the execution
environment of a subject running on the Muen Separation Kernel.
While the C++ API is defined in sinfo.h, musinfo.h specifies the
internal format of the information stored in the Sinfo pages provided by
the Muen SK. It is a copy of the file contained in the libmusinfo
library of the Muen project. That is the reason why the coding style in
this file differs from the official style.
Move Platform::setup_irq_mode function from x86 platform_support.cc to
x86_64 specific file. This will enable the upcoming x86_64_muen platform
to provide a separate implementation.
The hw_x86_64_muen platform is a x86/64 base-hw kernel which runs as
isolated subject (guest) on the Muen Separation Kernel (SK) [1].
The platform is implemented as an extension to hw_x86_64 replacing the
PIC and timer drivers with paravirtualized variants. The skeleton
contains a dummy PIC and timer implementation for now.
[1] - http://muen.sk
If the guest is not in an interruptible state when the recall handler is
called, an assertion fails. Since the assertion is only relevant if the
recall handler was called during IRQ injection, it should be moved into
the corresponding conditional block which already has the assertion for
the 'IF' flag.
Fixes#1661
By default, the EMT thread of the last vCPU handles expired timers. When
running VirtualBox with 2 vCPUs, it sporadically happens that the EMT
thread of the second CPU clears an 'interrupt pending' flag for the first
vCPU after changing the state of a timer device model, which is not
expected by our Genode-specific code (failed assertion '!_irq_win' in the
recall handler).
The problem did not occur yet when letting the EMT thread of the first
vCPU handle the expired timers, which is done by this commit as an interim
fix until the problem has been further investigated.
Issue #1660
Add spin loop hint by means of the PAUSE instruction since
wait_for_interrupt is called in a busy loop. This should improve processor
performance and reduce power consumption.
Note: HLT cannot be used since it is a privileged instruction and the idle
thread is executed in userspace.
Move the _core_only_mmio_regions function to the
x86_64/platform_support.cc file. This is required to make it overridable
for other platforms deriving from x86.
If a requested report already exists the request is denied with
Invalid_args.
Further, I dusted the report_rom test and added it to the
autopilot list.
There are currently some issue with the mixing/filtering code of vbox.
So instead of using the audio subsystem to do filtering and mixing we
bypass it to get better audio qualitiy. That means that the device
model of the VM has to use the same sample rate as the Audio_out/in
sessions, however.
Issue #1647.
With this commit preliminary audio support in VirtualBox is enabled.
The backend supports playback as well as recording sounds from within
a guest VM. Depending on how the guest configures the device model
the audio output may sound disorted. If the guest uses buffers that
are too small, i.e., 10 ms or less, frequent buffer underruns will
occure.
To get this low-latency one has also to increase vbox' update hz
to 200 (i.e., 5ms).
Fixes#1647.
When a stream was stopped it may still contain valid packets that
will be played automatically when the stream is started again. The
invalidate_all() method may be called after stopping the stream to
prevent this.
Issue #1647.
Run script depending on VFS plugins (i.e., shared objects) like
vfs_jitterentropy.lib.so have to state this dependency rather the actual
binaries linked against libc. The latter introduces a library dependency
that is just not there. For example, the dependency on vfs_jitterentropy
is a result from the config node for libc which automatically loads the
plugin.
The alarm library failed to handle the case properly where an already
scheduled alarm gets rescheduled before it triggered. Even though the
attempt to reschedule the alarm (twice insertion into alarm queue) was
detected, this condition resulted in the mere modification of the
alarm's parameters while keeping the alarm's queue position unchanged.
This, in turn, may violate the invariant that all enqueued alarm objects
are strictly ordered by their deadlines. The patch handles the case by
dequeuing the alarm object before reinserting it into the queue at the
right position.
Fixes#1646
With the introducation of the Audio_in session interface it makes
sense to rename the current available audio drivers. At the moment
only the dde_bsd audio_drv supports Audio_out as well as Audio_in.
The Linux audio_drv only supports Audio_out (there is no demand for
Audio_in support currently) but is renamed nonetheless to make it
easiert to write generic run scripts.
Issue #1644.
The driver is now able to record audio samples. In contrast
to playback it has to be enabled explicitly by setting the
configuration attribute 'recording' to 'yes'. Playback is by
default enabled but may be disabled by setting 'playback' to
'no'. Furthermore it is now possible to configure the mixer
from the configuration. For now, the interface used by vanilla
OpenBSD is just exported.
The following snippet shows how to enable and configure recording
on an Thinkpad X220 where the headset rather than the internal
mic is used as recording source:
! <start name="audio_out_drv">
! <resource name="RAM" quantum="8M"/>
! <provides>
! <service name="Audio_out"/>
! <service name="Audio_in"/>
! </provides>
! <config recording="yes">
! <mixer field="outputs.master" value="255"/>
! <mixer field="record.adc-0:1_source" value="sel2"/>
! <mixer field="record.adc-0:1" value="255"/>
! </config>
! </start>
In addition to selecting the recording source the playback as
well as the recording volume are set to 255 (maximum).
Information about the available mixers and settings in general
may be obtained by setting the 'verbose' to 'yes' in the config
node.
Issue #1644.
Unfortunatly, there is no support for any HDMI/DP based HDA codecs in
this driver. Therefore we try to filter out known devices (normally the
PCI device on 00:03.00). This could also be done in the platform_drv's
configuration by explicitly naming the BDF but for better or worse that
will not work when using a wildcard class like HDAUDIO which is done in
generic run scripts.
Issue #1644.
In line with the Audio_out session a Audio_in session is used to
record audio frames. Like in the Audio_out session shared memory
in form of the Audio_in::Stream is used to transport the frames
from the server to the client. These frames consist of single
channel (mono) samples. An Audio_in::Packet always contains a full
period of frames.
A Audio_in server captures frames and puts them into the
Audio_in::Stream. To do so the server allocates a Audio_in::Packet
from the packet queue embedded in the Audio_in::Stream. If the queue
is already full, the server will override packets and notify the
client by submitting the 'overrun' signal. The client has to cope
with this situation, e.g., by saving packets more frequently.
A client will also receive a 'progress' signal from the server when
a new Audio_in::Packet was submitted to the packet queue.
Fixes#1644.
To archive lower latency the length of a period was reduced from
2048 (~46ms) to 512 (~11.6ms) samples.
It should be noted that this change probably breaks audio in Qemu on
most systems.
Issue #1644.
For most platforms except of NOVA a distinction between pager entrypoint
and pager activation is not needed, and only exists due to historical
reasons. Moreover, the pager thread's execution path is almost identical
between most platforms excluding NOVA, HW, and Fisco.OC. Therefore,
this commit unifies the pager loop for the other platforms, and removes
the pager activation class.
This exit handler is called by the NOVA kernel now when the VM uses PAE
with nested paging and the PDPTE registers need to get updated. With this
commit, an error message is printed if this situation occurs.
Fixes#1640
The reference count get increase to use 2 bytes, so we need the double amount
of selectors as before.
Additionally print a message if we run out of capabilities in a server. Since
our rpc framework is now clever enough to detect that for a printf we don't
need to setup a receive window, we may use a printf instead of a die call.
Eases debugging.
Issue #1601
Showcasing the out of memory kernel issue.
One test triggers oom during memory delegation when talking to core pager
thread. Two other test trigger oom during capability delegation in a
server/client scenario for send and reply phase separately.
Issue #1601
Move FS Node implementations from server/ram_fs to include/ram_fs.
Support embedded ram_fs instances in VFS configurations using <ram/>.
Add 'no space' handling to VFS symlink ops.
Fixes#1635
Allow symlinks to be passed to the read and write file system utilities.
Disallow writes to symlinks with offsets in file system servers, this is
to ensure that writing the target of a symlink is an atomic operation.
Fixes#1604
If a user has e.g. /tftpboot/x86 as directory and configures
base_dir=/tftboot and offset_dir=/x86, this leads to bad behavior
as the load module creates a symlink
/tftpboot/x86/<builddir> -> <absolut_builddir>
in this case instead of the desired
/tftpboot/x86 -> <absolut_builddir>
Furthermore, the module works on
/tftpboot/x86/config-00-00-00-00-00-00
and
/tftpboot/x86/<builddir>/config-00-00-00-00-00-00
afterwards, which looks bad too. As there is no warning at all, this can
be hard to debug. The commit adds an appropriate check with error message and
exit -1 on an existing directory.
Fixes#1630
Increase internal chunk size of heap only if an allocation succeeded
beforehand. Otherwise the chunk size increases with every unsuccessful
invocation and a upgrade of the used ram session will be insufficient and of
no use at all.
Fixes#1632
If some sessions run out of memory in init, resource requests will be issued
to core, which it never will satisfy. Setting some default signal handler
avoids that the default implementation will block init for ever.
Issue #1632
Moves the Bios Data Area header from base-hw to base. Modifies the
base-nova core console that it uses the header as replacement for
the previous BDA bit logic.
Ref #1625
Introduces a class Unmanaged_singleton_constructor that can be declared as
friend to be able to call unmanaged_singleton on classes with a private
constructor. Enables the appliance of the singleton pattern.
Ref #1625
Three things were done:
* Timouts are measured in an asynchronous way to be able to start counters
after the potentially expensive RPC that starts the timeout.
* Timeouts were increased from 45 and 15 seconds to 60 and 20 seconds
because at least on Arndale, results were not stable enough.
* Counting is done on 'unsigned long long' instead of 'unsigned' because
with the higher timeouts, overflows occured.
Fixes#1628
The timer driver previously used floating point operations to translate us to
tics and vice versa. This isn't necessary as the rounding error isn't critical
for the given values but expensive which should be avoided in a code path that
must be executed pretty frequent with high priority.
Ref #1628
If just one multiboot kernel module was loaded after bender, the
relocation was skipped before. This resulted in a corrupt binary image
on ELF loading if the regions of the boot module and the final program
overlap. Now, all modules are copied below 2 GiB (and out of the way)
before ELF loading.
Fixes#1624
Bender upstream issue is TUD-OS/morbo#4
This commit eliminates the mutual interlaced taking of destruction lock,
list lock and weak pointer locks that could lead to a dead-lock situation
when a lock pointer was tried to construct while a weak object is in
destruction progress.
Now, all weak pointers are invalidated and dequeued at the very
beginning of the weak object's destruction. Moreover, before a weak pointer
gets invalidated during destruction of a weak object, it gets dequeued, and
the list lock is freed again to avoid the former dead-lock.
Fix#1607
Up to now it was not possible to trace threads that use a different
Cpu_session rather than env()->cpu_session() (as done by VirtualBox).
This problem is now solved by setting the Cpu_session explicitly when
creating the event logger and attaching the trace control area when
creating the thread.
Fixes#1618.
The timer driver on X86 needs CPU quota with highest priority as it
frequently has to interrupt the counters to update the PIT.
On ARM this makes no difference in the test results as ARM timer
drivers, once configured, can sleep until the end of the timeouts.
On X86 we raise the error tolerance to 2% (default 1%) to compensate
the error caused by the timer.
Fixes#1621
Printing all errors and the goal values instead of exiting at the first
error allows for faster analysis of problems with the CPU-quota
mechanism.
Ref #1616
The test always succeeded because I forgot to set the error tolerance from
my debugging value 1 back to the correct value 0.01 before commiting the
test.
Ref #1616
Since the HW-kern-caps commit, there was a bug in the Platform_thread
constructor. When called for a user thread, the constructor stated 0
as CPU quota at the Kernel_object instead of its quota input-paramater.
Fixes#1620
- free up kernel memory of empty slabs (if already one empty slab is in
place)
- free up more page table entries
- handle CPUs with invariant TSCs gracefully
Genode/Nova running on CPUs without the invariant TSC feature may seem
to 'hang'. The referenced commit of the nova branch fixes the issue
for some older Intel CPUs.
Fixes#1615
Adjust bomb to specify the various hard-coded parameters and set up bomb.run
this way that it manages at our test machine to succeed in the given time.
Issue #1615
Bomb and any server may generate references to capabilities exceeding 256 -
use a 16bit counter until the cap handling in Genode gets unified.
Additionally try to print a warning, instead of dying, if we get cap reference
count under or overflow.
Issue #1615
Do not use slabs for allocations above 64KB, this seems to lead to memory
corruptions and the error described in issue #1613 under certain circumstances.
fixes#1613
Add a test where a locked pointer shall be taken during object destruction.
Moreover, extend the run-script so it runs on different platforms with
"real" timers.
SDL uses the Audio_out session in streaming fashion. For this reason
the audio might be played with delay of at most the queue size. To
mitigate the effect we synchronize the tail pointer to the current play
pointer when the PlayAudio() function is called by SDL for the first
time.
Fixes#1612.
Init used to specify the unique child name as session label when
requesting the binary image of a dynamically linked child. The actual
module name was propagated as "filename" session argument. Since we want
to move towards the sole use of the session label, which can be taken
into account for the session routing, the module name should always be
the last part of a ROM session label.
This patch changes the window manager, the decorator, and the
floating window layouter to propagate the usage of an alpha channel from
the client application to the decorator. This way, the decorator can
paint the decoration elements behind the affected windows, which would
otherwise be skipped.
This patch adds two new painters located at gems/include/polygon_gfx.
Both painters draw convex polygons with an arbirary number of points.
The shaded-polygon painter interpolates the color and alpha values
whereas the textured-polygon painter applies a texture to the polygon.
The painters are accompanied by simplistic 3D routines located at
gems/include/nano3d/ and a corresponding example (gems/run/nano3d.run).
This patch changes the way how CLI monitor obtains its subsystem
configurations. Originally, this information was provided via the
Genode::config mechanism. But for managing complex scenarios, the config
node becomes very complex. Hence, it is preferrable to have a distinct
file for each subsystem configuration.
The CLI monitor scans the directory '/subsystems' for files ending with
".subsystem". Each file has the same syntax as the formerly used
subsystem nodes.
Instead of using the Genode user-level signal API to signal page-faults to
a page-fault handler, use the kernel API directly. Thereby the accounting
of signal contexts needed for each paging subject can be done easily.
Fix#956
Moreover, be strict when calculating the page-table requirements of
core, which is architecture specific, and declare the virtual memory
requirements of core architecture-wise.
Ref #1588
We set 'ld -z max-page-size' to 4KiB to prevent the linker from aligning
the text segment to any built-in default (e.g., 4MiB on x86_64 or 64KiB
on ARM). Otherwise, the padding bytes are wasted at the beginning of the
final binary.
Removed the Nic::Driver implementation. All nic servers now inherit from
Nic::Session_component. Packet stream signals are dispatched to
the 'handle_packet_stream' function within a session component. Thus, nic
servers now have direct access to the packet stream channels, making handling
more flexible.
Adjusted nic_loobpack, dde_ipxe, wifi, usb, lan9118, Linux nic, and OpenVPN to
the new interface.
Fixes#1602
The ~Irq_session_component relied on the IRQ number obtained by the
corresponding kernel IRQ object to mark the IRQ as free at the IRQ
allocator. However, since the kernel IRQ object is initialized not
before the 'sigh' function is called, the IRQ of sessions that
never called 'sigh' could not be freed correctly. This patch fixes
the problem by not relying on the kernel IRQ object for obtaining
the number in the destructor but using the '_irq_number' member
variable instead.
Use printf format specifier with correct size to log error code which is
if type uint32_t. Also print the error code in hex since this simplifies
lookup as the error values are also defined as hexadecimal values, see
[1].
Fixes#1600
[1] - repos/ports/src/virtualbox/include/xpcom/nsError.h
Instead of organizing page tables within slab blocks and allocating such
blocks dynamically on demand, replace the page table allocator with a
simple, static alternative. The new page table allocator is dimensioned
at compile-time. When a PD runs out of page-tables, we simply flush its
current mappings, and re-use the freed tables. The only exception is
core/kernel that should not produce any page faults. Thereby it has to
be ensured that core has enough page tables to populate it's virtual
memory.
A positive side-effect of this static approach is that the accounting
of memory used for page-tables is now possible again. In the dynamic case
there was no protocol existent that solved the problem of donating memory
to core during a page fault.
Fix#1588
Unregister callbacks, so rx packets will not be propated to the deleteted
'Driver' object. Initialize ipxe once in the 'Main' object, thus allowing new
session connections.
Fixes#1595
With the server framework this becomes unnecessary. Also when the 'platform_drv'
has a lower priority, signaling will cause a constant load that starves the
'platform_drv'.
Fixes#1594
The recent change of the TRACE session interface triggered the
following warning:
/home/no/src/genode/repos/base/include/base/ipc.h:79:4: warning: ‘ret’ may be used uninitialized in this function [-Wmaybe-uninitialized]
*reinterpret_cast<T *>(&_sndbuf[_write_offset]) = value;
^
In file included from /home/no/src/genode/repos/base/src/core/include/trace/session_component.h:19:0,
from /home/no/src/genode/repos/base/src/core/trace_session_component.cc:15:
/home/no/src/genode/repos/base/include/base/rpc_server.h:132:42: note: ‘ret’ was declared here
typename This_rpc_function::Ret_type ret;
The warning occurs for basic return types (like size_t), which are
indeed not initialized. The variable gets its value assigned by the
corresponding 'call_member' overload, to which the variable is passed as
reference. But the compiler apparently is not able to detect this assignment.
Declaring 'ret' with a C++11-style default initializer fixes the warning.
While importing trace sources as trace subjects into a TRACE session,
the session quota might become depleted. The TRACE session already keeps
track of the session quota via an allocator guard but the 'subjects' RPC
function missed to handle the out-of-memory condition. This patch
reflects the error condition as an 'Out_of_metadata' exception to the
TRACE client. It also contains an extension of the trace test to
exercise the corner case.
This patch enable clients of core's TRACE service to obtain the
execution times of trace subjects (i.e., threads). The execution time is
delivered as part of the 'Subject_info' structure.
Right now, the feature is available solely on NOVA. On all other base
platforms, the returned execution times are 0.
Issue #813
This patch bases the size of the destination buffer in
'Init::Child_policy_redirect_rom_file' on the maximum label size
instead of the filename size. Otherwise, the use of a long configfile
name (i.e., "trace_subject_reporter.config") in combination with a long
child name ("trace_subject_reporter") would result in a truncated label
string.
When replacing a report with a smaller one, the corresponding ROM
dataspace should not contain any traces of the old report. Otherwise,
the consumer of the ROM dataspace may mistake the stale content as
meaningful information. This is particularly annoying when manually
inspecting reports. This patch overwrites the stale content with zeros.
By appending a newline to the generated XML data, we prevent the output
from messing with the command prompt when using 'cat' on a shell.
Futhermore, when using line-buffered output, the trailing newline
ensures that the output gets gets properly flushed.
The result of the second run (TCP_MAERTS) gets extracted wrongly - due to the
change introduced by commit "run: always append to output buffer"
(Issue #1327). The output buffer is no longer reseted between several
run_genode_until invocation within a run script.
On ARM, the compiler generates calls to memcpy and memset. Most
dynamically linked programs use the libc, which provides these
functions. However, if a dynamically linked program does not use the
libc (e.g., noux/minimal or the new version of cli_monitor), those
symbols remain unresolved. By adding them to ldso's symbol.map, the
dynamic linker will resolve them with the functions of the cxx
library, which is part of the dynamic linker.
Issue #1561
This patch moves the VFS file-system factory to a separate vfs library
that is independent from libc. This enables libc-less Genode programs to
easily use the VFS infrastructure.
Fixes#1561
With this patch, the VESA driver reports the framebuffer width to the
client instead of the visible width This fixes possible distortion
if these widths differ, at the cost that content in the right-most area
might be invisible in such cases.
Issue #1264.
Add a Platform::setup_irq_mode function which enables the IRQ session to
update the trigger mode and polarity of the associated IRQ according to
the session parameters. On ARM this function is a nop.
This change enables the x86_64 platform to support devices which use
arbitrary trigger modes and polarity settings, e.g. AHCI on QEMU and
real hardware.
Fixes#1528.
Because of helping, it is possible that a core thread that wants to
destroy another thread at the kernel is using the scheduling context of
the thread that shall be destroyed at this point in time. When building
without GENODE_RELEASE defined, this always triggers an assertion in the
kernel. But when building with GENODE_RELEASE defined, this might silently
lead to kernel-memory corruption. This commit eliminates the latter case.
Should be reverted as soon as the scheduler is able to remove its head.
Ref #1537
Placement new can be misleading, as we already overload the new operator
to construct objects via pointers to allocators. To prohibit any problems here,
and to use one consistent approach, we can explicitely construct the object
with the already available 'construct_at' template function.
Ref #1443
* Introduce a hw specific Address_space interface for protection
domains, which combines all memory-virtualization related functionality
* Introduce a core-specific Platform_pd object that solves all the hen-egg
problems formerly distributed in kernel and core-platform code
Ref #595
Ref #1443
For several basic sessions that core provides default ram quota values
exist in the form of enum values. They are used e.g. by init to deduce
session costs. Unfortunately they were not used when actually establishing
the session, which lead to inconsistencies.
Ref #1443
This patch installs the parent endpoint selector and the PD's CNode into
a PD at its creation time. Furthermore, it initializes the IPC buffer
for the main thread of the new component.
This allows us to see debug messages printed at the eary initialization
of init (before init is able to obtain the regular LOG session). This
will be reverted as soon as the initialziation of the non-core base
environment works.
To build core and other Genode components, we will need to extend the
base-common.mk library with additions that conflict with the
minimalistic root-task environment of test/sel4. To preserve the
minimalistic root task, we need to decouple it from the base-common
library.
We implicitly know that the value range will not exceed access_t despite
the integer-based arithmetics, i.e., negation and shift operations.
Fixes#1524
Avoids the need to have per IRQ a thread that blocks synchronously for next
interrupt. Now a thread may wait for multiple IRQs as other signals
simultaneously.
In core no threads are required anymore for IRQs/MSI - the clients (either
the pci_drv or in case of MSI the driver) gets the IRQ delivered directly as
a ordinary Genode signal.
Useful since #1216 and #1487 is now available.
Commit applies feature of #1446 also to IRQ/MSIs.
The base-hw kernel on x86_64 currently assumes 254 MiB of RAM. The RAM
region is subtracted from the I/O mem allocator and therefore this range
is not available for device I/O.
If qemu is started with -m 128, the region for (emulated) PCI config
space access lies within this region and I/O mem allocation in the
pci_drv will fail. Giving qemu more RAM moves the PCI config space out
of the 254 MiB region, making the run/libc_ffat scenario with acpi work.
The assumption that IRQs in the legacy ISA range are always
edge-triggered is wrong. For the free-for-use IRQs it depends on the
actual device which uses the specific IRQ. Therefore, treat IRQs 9, 10
and 11 as level-triggered.
Currently, libc_noux includes the 'base/src/base/env/platform_env.h' file
to be able to reinitialize the environment using the 'Platform_env'
interface. For base-linux, a special version of this file exists and the
inclusion of the generic version in libc_noux causes GCC 4.9 to make wrong
assumptions about the memory layout of the 'Env' object returned by
'Genode::env()'.
This commit moves the reinitialization functions to the 'Env' interface to
avoid the need to include the 'platform_env.h' file in libc_noux.
Fixes#1510
Some functions in the kernel, which create a static object and return its
address, are declared with a GCC 'const' attribute, which can cause GCC
4.9 to optimize the function call out and use the static object's address
without calling the constructor.
Fixes#1509
The information about connected devices is obtained from a ROM file named
'usb_devices', which is supposed to contain a device list as in the device
report generated by the USB driver (see issue #1506).
A policy for 'report_rom' would look like:
<policy label="vbox -> usb_devices" report="usb_drv -> devices"/>
If the 'usb_devices' ROM file is not available, a warning message gets
printed and VirtualBox continues without USB pass-through support.
The devices to be passed-through need to have a matching device filter in
the '.vbox' file. Example:
<USB>
<DeviceFilters>
<DeviceFilter name="USB Scanner" active="true" vendorId="04a9"
productId="2220" remote="0"/>
</DeviceFilters>
</USB>
The feature was tested with HID devices (mouse, keyboard) and a flatbed
scanner. Mass storage devices didn't work correctly (they also didn't work
with VirtualBox on Linux without the closed-source extension pack).
It should be made sure that the USB driver does not try to control the
devices to be passed-through itself, for example, when passing-through
a HID device, the '<hid/>' config option should not be set.
Fixes#1507
The report lists all connected devices and gets updated when devices are
added or removed.
Example report:
<devices>
<device vendor_id="0x17ef" product_id="0x4816"/>
<device vendor_id="0x0a5c" product_id="0x217f"/>
<device vendor_id="0x8087" product_id="0x0020"/>
<device vendor_id="0x8087" product_id="0x0020"/>
<device vendor_id="0x1d6b" product_id="0x0002"/>
<device vendor_id="0x1d6b" product_id="0x0002"/>
</devices>
There is no distinction yet for multiple devices of the same type.
The report is named "devices" and an example policy for 'report_rom' would
look like:
<policy label="vbox -> usb_devices" report="usb_drv -> devices"/>
The report only gets generated if enabled in the 'usb_drv' configuration:
<config>
<raw>
<report devices="yes"/>
</raw>
</config>
Fixes#1506
On NOVA, a Genode thread currently cannot destroy itself by destroying its
own 'Thread' object, because in 'Thread_base::_deinit_platform_thread()'
it cannot call 'Cpu_session::kill_thread()' anymore after it has revoked
its own UTCB.
As solution, the revocation of the UTCB can be delayed until its location
in the context area is needed by a new thread.
Fixes#1505
Enable a platform to specify how the MMIO memory allocator is to be
initialized. On ARM the existing behavior is kept while on x86 the I/O
memory is defined as the entire address space excluding the core only
RAM regions. This aligns the hw_x86_64 I/O memory allocator
initialization with how it is done for other x86 kernels such as NOVA or
Fiasco.
Perform lazy-initialization of FPU state when it is enabled for the
first time. This assures that the FXSAVE area (including the stored
MXCSR) is always properly setup and initialized to the platform default
values.
Perform all FPU-related setup in the Cpu class' init_fpu function instead of
the general system bring-up assembly code.
Set all required control register 0 and 4 flags according to Intel SDM Vol. 3A,
sections 9.2 and 9.6 instead of only enabling FPU error reporting and OSFXSR.
On seL4, we need to convert untyped memory to page frames before being
able to use it as normal memory. There already exists the hook function
'_export_ds' that is principally suitable for such tasks. It is
currently solely used on Linux where we have to create a file for each
dataspace. To make the hook useful also for seL4, we need to call
_export_ds prior _clear_ds. Otherwise, we would try to clear memory that
is still untyped.
On our test machine the xhci controller has a usb3.0 network adapter attached
and the xhci controller is the only usb controller which has MSI support,
so let us use and test it.
Issue #1216
This repository is superseded by the 'dde_bsd' repository. Though
OSSv4 served us well, its future is uncertain and having active
upstream development is preferable. In addition the ported Intel
HD Audio driver did not work on any Thinpad model newer than T60.
Issue #1498.
These audio drivers enable support for Intel HD Audio (Azalia) and
Ensoniq AudioPCI (ES1370) compatible soundcards. They are ported
from OpenBSD 5.7.
Fixes#1498.
This is especially true for i.MX53 but is not needed on Arndale
currently.
@skalk the test will still fail each night as we do not have a nic_drv
for imx53...
- send a 'state_change' signal on session creation if the device is
already attached
- evaluate the status code of a finished asynchronous operation
- return the number of actually transferred bytes for control transfers,
too
Fixes#1490
This patch avoids the attempt to extend the cxx-local heap during the
startup phase of an application. Originally, the static part of the cxx
was merely 100 bytes, which did not suffice to run the minimalistic test
roottask on seL4.
Fiasco.OC limits the UTCB area for roottask to 16K. Therefore, the
number of threads is limited to 16K / L4_UTCB_OFFSET. (see
kernel/fiasco/src/kern/kernel_thread-std.cpp:94)
In the past, when the user blocked for an IRQ signal, the last signal was
acknowledged automatically thereby unmasking the IRQ. Now, the signal session
got a dedicated RPC for acknowledging IRQs and the HW back-end of that RPC
acknowledged the IRQ signal too. This led to the situation that IRQs were
unmasked twice. However, drivers expect an interrupt to be unmasked only on
the Irq_session::ack_irq and thus IRQ unmasking was moved from
Kernel::ack_signal to a dedicated kernel call.
Fixes#1493
White list access to ports we actually need for our drivers so far and
deny everything else by default. The extend pci config space dataspace is
currently not used and exposes a potential risk (BAR rewrite) - so deny.
Related to #1487
If a null-terminated string exactly of length MAX (0 byte included) is
provided, it will be handled as invalid because of wrong string size length
checks.
Commit fixes this.
Discovered during #1486 development.
Step to move shared irq handling out of core in the long run. So, use
irq_proxy implementation from base in os and implement shared irq handling
in platform driver of x86 (pci_drv).
Fixes#1471
The thread library (thread.cc) in base-foc shared 95% of the code with
the generic implementation except myself(). Therefore, its
implementation is now separated from the other generic sources into
myself.cc, which allows base-foc to use a foc-specific primitive to
enable our base libraries in L4Linux.
Issue #1491
Otherwise RPC calls to dead/invalid destinations are rated as successful,
which leads to wrong execution paths later on. Triggered by bomb.run where
rm_session.attach() returned as successful with local address set to 0, which
causes un-handled page-faults later on.
Fixes#1480
Physical CPU quota was previously given to a thread on construction only
by directly specifying a percentage of the quota of the according CPU
session. Now, a new thread is given a weighting that can be any value.
The physical counter-value of such a weighting depends on the weightings
of the other threads at the CPU session. Thus, the physical quota of all
threads of a CPU session must be updated when a weighting is added or
removed. This is each time the session creates or destroys a thread.
This commit also adapts the "cpu_quota" test in base-hw accordingly.
Ref #1464
Use the new asynchronous IRQ interface in the mostly used drivers, e.g.:
* ahci_drv: x86/exynos5
* gpio_drv: imx53/omap4
* input_drv: imx53/dummy
* ps2_drv: x86/pl050
* timer_drv
Now, the Irq_session is requested from Gpio::Session:
From now on we use an asynchronous IRQ interface. To prevent triggering
another GPIO IRQ while currently handling the former one, IRQs must
now by acknowledged explicitly. While here, we also changed the GPIO
session interface regarding IRQ management. The generic GPIO component
now wraps the Irq_session managed by the backend instead of using the
GPIO backend methods directly. A client using the GPIO session may
request the Irq_session_capability by calling
'Gpio::Session::irq_session()' and can use this capability when using
a local Irq_session_client.
Issue #1456.
A long long time ago, in a galaxy^W^W^W we used DDE kit to ease the
porting of purely C based drivers. By now it became clear, that we
do not gain that much by following this approach. DDE kit contains
much generic functionality, which is not used or rather not needed
by most ported drivers. Hence, we implement a slim C wrapper on top
of Genode's C++ APIs, that is especially tailored to the driver.
In addition to removing the dependency on DDE kit, the iPXE driver
now uses the server framework and the newly introduced signal based
IRQ handling.
Issue #1456.
This patch adds const qualifiers to the functions Allocator::consumed,
Allocator::overhead, Allocator::avail, and Range_allocator::valid_addr.
Fixes#1481
Instead of handing over object ids to the kernel, which has to find them
in object pools then, core can simply use object pointers to reference
kernel objects.
Ref #1443
Instead of having an ID allocator per object class use one global allocator for
all. Thereby artificial limitations for the different object types are
superfluent. Moreover, replace the base-hw specific id allocator implementation
with the generic Bit_allocator, which is also memory saving.
Ref #1443
The verb "bin" in the context of destroying kernel objects seems pretty
unusual in contrast to "delete". When reading "bin" in the context of
systems software an association to something like "binary" is more likely.
Ref #1443
* Instead of using local capabilities within core's context area implementation
for stack allocation/attachment, simply do both operations while stack gets
attached, thereby getting rid of the local capabilities in generic code
* In base-hw the UTCB of core's main thread gets mapped directly instead of
constructing a dataspace component out of it and hand over its local
capability
* Remove local capability implementation from all platforms except Linux
Ref #1443
The global capability ID counter is not used by NOVA and Fiasco.OC
and in the future not needed by base-hw too. Thereby, remove the static
counter variable from the generic code base and add it where appropriated.
Ref #1443
Enable platform specific allocations and ram quota accounting for
protection domains. Needed to allocate object identity references
in the base-hw kernel when delegating capabilities via IPC.
Moreover, it can be used to account translation table entries in the
future.
Ref #1443
Currently, the 'pointed session' gets updated only when an input event
occurs, but an update is also needed in other situations, for example
when the view under the current mouse position was moved.
With this commit, the 'pointed session' gets updated whenever the
timer-triggered 'handle_input()' function is called.
Fixes#1473
There are lots of places where a numeric argument of an argument string
gets extraced as signed long value and then assigned to an unsigned long
variable. If the value in the string was negative, it would not be
detected as invalid (and replaced by the default value), but become a
positive bogus value.
With this patch, numeric values which are supposed to be unsigned get
extracted with the 'ulong_value()' function, which returns the default
value for negative numbers.
Fixes#1472
This commit enables the VirtualBox graphics adapter, provides guest mouse
pointer integration with Nitpicker using the 'vbox_pointer' application
and enhances the VirtualBox run scripts with the configuration of
Nitpicker, input merger and network driver.
Fixes#1474
The driver operates in PIO mode only. Depending on the block size (512
bytes versus 128 KiB), it has a troughput of 2 MiB/sec - 10 MiB/sec for
reading and 173 KiB/sec - 8 MiB/sec for writing.
Fixes#1475
This patch enhances the generic SD-card protocol implementation in
sd-card.h with the ability to handle the version 1.0 of the CSD register
(containing the capacity information of older SD cards).
The emergency dataspace is used to accommodate the corner case where
a signal context capability is created while issuing the first
resource request. Normally, the attempt to upgrade the signal-session
quota under such a constrained situation would fail. By freeing the
emergency dataspace in this situation, we regain enough quota to
upgrade the signal session.
This is a follow up commit for "base: Raise RAM quota of signal session
to 16K" and fixes the resource_request test on 64-bit platforms.
This patch improves the C++ parser to accommodate the tools for
generating the functional specification from source code:
* Added support for class definitions prefixed with a
namespace as promoted by Genode's coding style.
* Improves robustness of the parsing of function arguments by
considering nameless arguments in function declarations, default
values, varargs.
* Consider const qualfiers in return types.
* Added support for the override, constexpr keywords.
* Parsing of overloaded operators.
* Improved handling of type definitions.
* Added parsing of template arguments.
* Handling of template constructors.
The 'Thread_base' class is constructed differently in some special cases
like the main thread or a thread that use a distinct CPU session. The
official API, however, should be clean from such artifacts. Hence, I
separated the official constructor from the other cases.
VirtualBox can receive absolute or relative mouse motion events from the
'Input' service and the VM can support either or both of them. With this
patch, more of the possible combinations are handled.
Fixes#1470
There were two bugs. First, the caller of Kernel::await_signal wasn't
re-activated for scheduling. Second, the caller did not memorize that he
doesn't wait on a receiver anymore which had bad side effects on further
signal handling.
Fix#1459
The port uses the Cortex-A9 private timer for the kernel and an EPIT as
user timer. It was successfully tested on the Wandboard Quad and the CuBox-i
with the signal test. It lacks L2-cache and Trustzone support by now.
Thanks to Praveen Srinivas (IIT Madras, India) and Nikolay Golikov (Ksys Labs
LLC, Russia). This work is partially based on their contributions.
Fix#1467
Do not mask edge-triggered interrupts to avoid losing them while masked,
see Intel 82093AA I/O Advanced Programmable Interrupt Controller
(IOAPIC) specification, section 3.4.2, "Interrupt Mask":
"When this bit is 1, the interrupt signal is masked. Edge-sensitive
interrupts signaled on a masked interrupt pin are ignored (i.e., not
delivered or held pending)"
Or to quote Linus Torvalds on the subject:
"Now, edge-triggered interrupts are a _lot_ harder to mask, because the
Intel APIC is an unbelievable piece of sh*t, and has the edge-detect
logic _before_ the mask logic, so if a edge happens _while_ the device
is masked, you'll never ever see the edge ever again (unmasking will not
cause a new edge, so you simply lost the interrupt)."
So when you "mask" an edge-triggered IRQ, you can't really mask it at
all, because if you did that, you'd lose it forever if the IRQ comes in
while you masked it. Instead, we're supposed to leave it active, and set
a flag, and IF the IRQ comes in, we just remember it, and mask it at
that point instead, and then on unmasking, we have to replay it by
sending a self-IPI." [1]
[1] - http://yarchive.net/comp/linux/edge_triggered_interrupts.html
Ref #1448
In order to match the I/O APIC configuration, a request for user timer
IRQ 0 is remapped to vector 50 (Board::TIMER_VECTOR_USER), all other
requests are transposed by adding the vector offset 48
(Board::VECTOR_REMAP_BASE).
On base-hw/x86_64 the quota of the signal session is not sufficient due to
the large size of the Signal_session_component. Increasing the quota to
16K avoids signal-context resource exhaustion messages as emmitted by the
run/launcher scenario:
...
Quota exceeded! amount=4096, size=4096, consumed=4096
failed to allocate signal-context resources
upgrading quota donation for signal session
C++ runtime: Genode::Parent::Quota_exceeded
void* abort(): abort called
...
Note: This change increases the quota for all kernels even though it is
strictly only required for base-hw/x86_64.
* Enable the use of the FXSAVE and FXRSTOR instructions, see Intel SDM
Vol. 3C, section 2.5.
* The state of the x87 floating point unit (FPU) is loaded and saved on
demand.
* Make the cr0 control register accessible in the Cpu class. This is in
preparation of the upcoming FPU management.
* Access to the FPU is disabled by setting the Task Switch flag in the cr0
register.
* Access to the FPU is enabled by clearing the Task Switch flag in the cr0
register.
* Implement FPU initialization
* Add is_fpu_enabled helper function
* Add pointer to CPU lazy state to CPU class
* Init FPU when finishing kernel initialization
* Add function to retry FPU instruction:
Similar to the ARM mechanism to retry undefined instructions, implement a
function for retrying an FPU instruction. If a floating-point instruction
causes an #NM exception due to the FPU being disabled, it can be retried
after the correct FPU state is restored, saving the current state and
enabling the FPU in the process.
* Disable FPU when switching to different user context:
This enables lazy save/restore of the FPU since trying to execute a
floating point instruction when the FPU is disabled will cause a #NM
exception.
* Declare constant for #NM exception
* Retry FPU instruction on #NM exception
* Assure alignment of FXSAVE area:
The FXSAVE area is 512-byte memory region that must be 16-byte aligned. As
it turns out the alignment attribute is not honored in all cases so add a
workaround to assure the alignment constraint is met by manually rounding
the start of the FXSAVE area to the next 16-byte boundary if necessary.
The LAPIC timer is programmed in one-shot mode with vector 32
(Board::TIMER_VECTOR_KERNEL). The timer frequency is measured using PIT
channel 2 as reference (50ms delay).
Disable PIT timer channel 0 since BIOS programs it to fire periodically.
This avoids potential spurious timer interrupts.
The implementation initializes the Local APIC (LAPIC) of CPU 0 in xapic
mode (mmio register access) and uses the I/O APIC to remap, mask and
unmask hardware IRQs. The remapping offset of IRQs is 48.
Also initialize the legacy PIC and mask all interrupts in order to
disable it.
For more information about LAPIC and I/O APIC see Intel SDM Vol. 3A,
chapter 10 and the Intel 82093AA I/O Advanced Programmable Interrupt
Controller (IOAPIC) specification
Set bit 9 in the RFLAGS register of user CPU context to enable
interrupts on kernel- to usermode switch.
Make the local APIC accessible via its MMIO region by adding a 2 MB
large page mapping at 0xfee00000 with memory type UC.
Note: The mapping is added to the initial page tables to make the APIC
usable prior to the activation of core's page tables, e.g. in the
constructor of the timer class.
The location in memory is arbitrary but we use the same address as the
ARM architecture. Adjust references to virtual addresses in the mode
transition pages to cope with 64-bit values.
The interrupt stack must reside in the mtc region in order to use it for
non-core threads. The size of the stack is set to 56 bytes in order to
hold the interrupt stack frame plus the additional vector number that is
pushed onto the stack by the ISR.
Call the _virt_mtc_addr function with the _mt_isrs label to calculate
the ISR base address in Idt::setup. Again, assume the address to be
below 0x10000.
Use parameter instead of class member variable because it would get
stored into the mtc region otherwise. In a further iteration only the
actual IDT should be saved into the mtc, not the complete class
instance. Currently the class instance size is equal to the IDT table
size.
The class provides the load() function which reloads the GDTR with the
GDT address in the mtc region. This is needed to make the segments
accessible to non-core threads.
Make the _gdt_start label global to use it in the call to
_virt_mtc_addr().
Use the _mt_tss label and the placement new operator to create the
Tss class instance in the mtc region. Update the hard-coded
TSS base address to use the virtual mtc address.
On exception, the CPU first checks the IDT in order to find the
associated ISR. The IDT must therefore be placed in the mode transition
pages to make them available for non-core threads.
The limit is set to match the TSS size - 1 and the base address is
hardcoded to the *current* address of the TSS instance (0x3a1100).
TODO: Set the base address using the 'tss' label. If the TSS descriptor
format were not so utterly unusable this would be straightforward.
Changes to the code that indirectly lead to a different location
of the tss result in #GP since the base address will be invalid.
The class Genode::Tss represents a 64-bit Task State Segment (TSS) as
specified by Intel SDM Vol. 3A, section 7.7.
The setup function sets the stack pointers for privilege levels 0-2 to
the kernel stack address. The load function loads the TSS segment
selector into the task register.
Implement user argument setter and getter support functions. The mapping of
the state registers corresponds to the system call parameter passing
convention.
The instruction pointer is the first field of the master context and can
directly be used as a jump argument, which avoids additional register
copy operations.
Point stack to client context region and save registers using push
instructions.
Note that since the push instruction first increments the stack pointer
and then stores the value on the stack, the RSP has to point one field
past RBP before pushing the first register value.
As the kernel entry is called from the interrupt handler the stack
layout is as specified by Intel SDM Vol. 3A, figure 6-8. An additional
vector number is stored at the top of the stack.
Gather the necessary client information from the interrupt stack frame
and store it in the client context.
The new errcode field is used to store the error code that some
interrupts provide (e.g. #PF). Rework mode transition reserved space and
offset constants to match the new CPU_state layout.
The macros are used to assign syscall arguments to specific registers.
Using the AMD64 parameter passing convention avoids additional copying of
variables since the C++ function parameters are already in the right
registers.
The interrupt return instruction in IA-32e mode applies the prepared
interrupt stack frame to set the RFLAGS, CS and SS segment as well as
the RIP and RSP registers. It then continues execution of the user code.
For detailed information refer to Intel SDM Vol. 3A, section 6.14.3.
After activating the client page tables the client context cannot be
accessed any longer. The mode transition buffer however is globally
mapped and can be used to restore the remaining register values.
Set the stack pointer to the R8 field in the client context to enable
restoring registers by popping values of the stack.
After this step the only remaining registers that do not contain client
values are RAX, RSP and RIP.
Note that the client value of RAX is pop'd to the global buffer region as
the register will still be used by subsequent steps. It will be restored to
the value in the buffer area just prior to resuming client code execution.
Set I/O privilege level to 3 to allow core to perform port I/O from
userspace. Also make sure the IF flag is cleared for now until interrupt
handling is implemented.
Setup an IA-32e interrupt stack frame in the mode transition buffer region.
It will be used to perform the mode switch to userspace using the iret
instruction.
For detailed information about the IA-32e interrupt stack frame refer to
Intel SDM Vol. 3A, figure 6-8.
The constants specify offset values of CPU context member variables as
specified by Genode::Cpu_state [1] and Genode::Cpu::Context [2].
[1] - repos/base/include/x86_64/cpu/cpu_state.h
[2] - repos/base-hw/src/core/include/spec/x86/cpu.h
The new entries specify a 64-bit code segment with DPL 3 at index 3 and a
64-bit data segment with DPL 3 at index 4.
These segments are needed for transitioning to user mode.
A pointer to the client context is placed in the mt_client_context_ptr area.
It is used to pass the current client context to the lowlevel mode-switching
assembly code.
IA-32e paging translates 48-bit linear addresses to 52-bit physical
addresses. Translation structures are hierarchical and four levels deep.
The current implementation supports regular 4KB and 1 GB and 2 MB large
page mappings.
Memory typing is not yet implemented since the encoded type bits depend
on the active page attribute table (PAT)*.
For detailed information refer to Intel SDM Vol. 3A, section 4.5.
* The default PAT after power up does not allow the encoding of the
write-combining memory type, see Intel SDM Vol. 3A, section 11.12.4.
* Add common IA-32e paging descriptor type:
The type represents a table entry and encompasses all fields shared by
paging structure entries of all four levels (PML4, PDPT, PD and PT).
* Simplify PT entry type by using common descriptor:
Differing fields are the physical address, the global flag and the memory
type flags.
* Simplify directory entry type by using common descriptor:
Page directory entries (PDPT and PD) have an additional 'page size' field
that specifies if the entry references a next level paging structure or
represents a large page mapping.
* Simplify PML4 entry type by using common descriptor
Top-level paging structure entries (PML4) do not have a 'pat' flag and the
memory type is specified by the 'pwt' and 'pcd' fields only.
* Implement access right merging for directory paging entries
The access rights for translations are determined by the U/S, R/W and XD
flags. Paging structure entries that reference other tables must provide
the superset of rights required for all entries of the referenced table.
Thus merge access rights of new mappings into existing directory entries to
grant additional rights if needed.
* Add cr3 register definition:
The control register 3 is used to set the current page-directory base
register.
* Add cr3 variable to x86_64 Cpu Context
The variable designates the address of the top-level paging structure.
* Return current cr3 value as translation table base
* Set context cr3 value on translation table assignment
* Implement switch to virtual mode in kernel
Activate translation table in init_virt_kernel function by updating the
cr3 register.
* Ignore accessed and dirty flags when comparing existing table entries
These flags can be set by the MMU and must be disregarded.
* Add isr.s assembler file:
The file declares an array of Interrupt Service Routines (ISR) to handle
the exception vectors from 0 to 19, see Intel SDM Vol. 3A, section
6.3.1.
* Add Idt class:
* The class Genode::Idt represents an Interrupt Descriptor Table as
specified by Intel SDM Vol. 3A, section 6.10.
* The setup function initializes the IDT with 20 entries using the ISR
array defined in the isr.s assembly file.
* Setup and load IDT in Genode::Cpu ctor:
The Idt::setup function is only executed once on the BSP.
* Declare ISRs for interrupts 20-255
* Set IDT size to 256
The boot modules assembled by the generated boot_modules.s file is
accessed from core using struct Bm_header. Unfortunately the assembler
.long directive is synonym to .int [1] and thus has the same size as the
C++ int type and *not* long. Use the matching assembly type .quad in
boot_modules.s when generating the file for 64-bit platforms such as
x86_64.
[1] - https://sourceware.org/binutils/docs/as/Long.html
This patch contains the initial code needed to build and bootstrap the
base-hw kernel on x86 64-bit platforms. It gets stuck earlier
because the binary contains 64-bit instructions, but it is started in
32-bit mode. The initial setup of page tables and switch to long mode is
still missing from the crt0 code.
On each execution the output buffer is overriden when run_genode_until
is executed multiple times. Run scripts, that depend on extracting
information after several execution steps, e.g. noux_net_netcat, will
fail to do so. Therefore, we append the newly captured log output to
the old output buffer.
Issue #1327.
A Nic::Session client can install a signal handler that is used to
propagate changes of the link-state by calling 'link_state_sigh()'.
The actual link state is queried via 'link_state()'.
The nic-driver interface now provides a Driver_notification callback,
which is used to forward link-state changes from the driver to the
Nic::Session_component.
The following drivers now provide real link state: dde_ipxe, nic_bridge,
and usb_drv. Currently, OpenVPN, Linux nic_drv, and lan9118 do not
support link state and always report link up.
Fixes#1327
If a client acknowledges the same packet more than once, the packet also
gets freed more than once. At the second attempt the underlaying
Bit_array will throw an 'Invalid_clear' exception, which results in an
uncaught exception that leads to an abort() call in the freeing
component.
Fixes#1462.
To ease debugging without the need to tweak the kernel every time, and to
support userland developers with useful information this commit extends several
warnings and errors printed by the kernel/core by which thread/application
caused the problem, and what exactly failed.
Fix#1382Fix#1406
The driver for the Freescale eSDHCv2 doesn't support the highest
available bus frequency by now and also the bus width may be set to a
higher value but that needs further checks on the capabilities of the
inserted card.
The commits provide a benchmark as it exists for the OMAP4 SDHC driver.
Fix#1458
The 'continue_hw_accelerated' assertion at the end of the recall handler
can fail in situations which are not problematic, for example if the
'Timer' thread has set the 'VMCPU_FF_TIMER' flag in the meantime and
requested a recall afterwards. Since we don't know for sure if a recall is
requested for the other flags as well, the assertion gets replaced by a
debug message, which gets printed if any of the 'not yet verified as safe'
flags is set.
Fixes#1426
The GUID partition table (GPT) is primarily used by systems using
(U)EFI and is a replacement for the legacy MBR. For now, the current
implementation is able to address up to 128 GUID partition entries
(GPE).
To enable the GPT support in 'part_blk' it has to be configured
accrodingly:
! <start name="part_blk">
! [...]
! <config use_gpt="yes">
! [...]
! </start>
If 'part_blk' is not able to find a valid GPT header it falls back
to using the MBR.
Current limitations:
Since no endian conversion takes place it only works on LE platforms
and of all characters in the UTF-16 encoded name field of an entry
only the ones included in the ASCII encoding are printed. It also
ignores all GPE attributes.
Issue #1429.
The hover reports provides information about the session currently
pointed-to, i.e., hovered session. It can be enabled by the 'hover'
attribute of nitpicker's 'report' configuration element
<report hover="yes" />
Fixes#1442
The bindings for 32bit did not consider that in the syscall_3 function
edx changes due to the assembly instructions and that in the syscall_4
function edx and ecx change. So, the compiler wrongly assumed that the
content of these registers stayed unchanged.
Fixes#1447
In the past, unmap sometimes occured on RM clients that have no thread,
PD, or translation table assigned. However, this shouldn't be the
case anymore.
Fixes#504
* Introduce hw-specific crt0 for core that calls e.g.: init_main_thread
* re-map core's main thread UTCB to fit the right context area location
* switch core's main thread's stack to fit the right context area location
Fix#1440
The 'check_port_source' checks whether all remote sources defined for a given
port are currently available. It returns zero, when all remote resources are
available.
Fix#1430
This decouples the size of the mode transition control region from the
minimal mapping size of the page tables implementation. Rather, the CPU
architecture is able to specify the actual size.
Rationale: For x86_64, we need the mtc region to span two pages in order
to store all the tables required to perform the mode switch.
The size of empty structs differs in C (0 byte) and C++ (1 byte), which
leads to different offsets in compound structures. This fixes the driver
on 32Bit platforms.
Issue #1439.
The wireless stack calls timer_before(foo, timer.expires) and up to now
it was always 0. Let's be save and set this field when scheduling the
timer, although it worked fine so far.
Issue #1439.
We will always see this error message when the driver is started. It
is expected and not an actual error. When the driver is running it will
not allocate larger chunks than the Slab provides. Therefore, we can
safely ignore this message.
Issue #1439.
Some functions in the time manager, for example 'TMTimerSet()' and
'TMTimerStop()' let VirtualBox abort with a failed assertion if the timer
does not change to a 'stable' state after 1000 calls of a mixture of
'yield' and 'sleep'. On Genode, this happens sometimes when the 'EMT'
thread is executing 'TMTimerSet()' and gets interrupted by the 'TAP'
thread, which calls 'TMTimerStop()' and waits for the 'EMT' thread to
finish setting the timer. Since the 'EMT' thread has the lowest priority,
1000 retries can be too few. Without the assertion, these functions would
return an error code, which is often ignored by the caller, so it seems
safer to keep retrying until the function can return successfully.
Fixes#1437
The mkfs.ext2 heuristics select the "small" ext2 usage type, which does
not fit well with GiB-sized pen drives. For example, the block size is
just 1024 bytes compared to 4096 for "default". Therefore, we enforce
the default usage type as this fits our use case of dumping the image to
USB sticks better.
Among others, this function is used in the for_each_set_big() macro,
which is used when configuring the data rate tables. Therefore, this
fixes observed performance issues.
Fixes#1439.
If running multiple VBox VMMs with Windows as guest concurrently then it may
happen that the system seem to hang. It turned out that actually
a VM-exit storm (vmx_exception->handle_exc_nm) causes a endless loop between
kernel and vCPU. Nothing gets scheduled nor interrupts are received anymore.
The referenced kernel commit fixes this issue.
Issue #1343
Drivers like SD-Card, platform, AHCI, and framebuffer are specified as Exynos5
compliant. But they are at least not compliant with Odroid-XU although this is
Exynos5. Thus, prevent tests that rely on such drivers when building for
hw_odoid_xu. Furthermore, make previous Arndale regulator/consts.h,
uart_defs.h, and some Board_base enums available to all Exynos5 builds to
enable at least building the drivers.
Fixes#1419
For the USB-Armory, we use a newer version of Linux (3.18) as for the
i.MX53-QSB. The main difference is, that the newer Linux uses a DTB instead of
ATAGs.
Fixes#1422
The USB Armory is almost the same as the i.MX53-QSB but it uses only
one of the two RAM banks available in i.MX53. Furthermore we use the USB
Armory only with Trustzone enabled.
Ref #1422
With the new run tool, there is no more is_qemu_available function. However,
some scripts still try to use it because only frequently used scripts were
updated by now. The commit replaces the function calls with the new
'have_include power_on/qemu' check.
Ref #1419
The wifi_drv now provides two reports. The first one contains all
accesspoints that were found while scanning the supported frequencies.
The second one reports the state of the driver, i.e., if it is
conntected to an accesspoint or not. In addition to that, the driver
now gets its configuration via a ROM session.
More detailed information are available in 'repos/dde_linux/README'.
Issue #1415.
* enables world-switch using ARM virtualization extensions
* split TrustZone and virtualization extensions hardly from platforms,
where it is not used
* extend 'Vm_session' interface to enable configuration of guest-physical memory
* introduce VM destruction syscall
* add virtual machine monitor for hw_arndale that emulates a simplified version
of ARM's Versatile Express Cortex A15 board for a Linux guest OS
Fixes#1405
To enable support of hardware virtualization for ARM on the Arndale board,
the cpu needs to be prepared to enter the non-secure mode, as long as it does
not already run in it. Therefore, especially the interrupt controller and
some TrustZone specific system registers need to be prepared. Moreover,
the exception vector for the hypervisor needs to be set up properly, before
booting normally in the supervisor mode of the non-secure world.
Ref #1405
To enable the usage of virtualization extension related instructions
there is the need to enable the '-mcpu=cortex_a15' compiler flag on
those cpus. To not conflict with other compiler flags (Ref #810) we've
to disable the '-march=arm_v7a' flag.
Ref #1405
The generalization of interrupt objects in the kernel and the use of
C++ polymorphism instead of explicitely checking for special interrupts
within generic code (Cpu_job::_interrupt) enables the registration of
additional interrupts used by the kernel, which are needed for specific
aspects added to the kernel, like ARM hardware virtualization interrupts.
* Introduce generic base class for interrupt objects handled by the kernel
* Derive an interrupt class for those handled by the user-land
* Implement IPI-specific interrupt class
* Implement timer interrupts using the new generic base class
Ref #1405
Until now, one distinct software generated IRQ per cpu was used to
send signals between cpus. As ARM's GIC has 16 software generated
IRQs only, and they need to be partitioned between secure/non-secure
TrustZone world as well as virtual and non-virtual worlds, we should
save them.
Ref #1405
* name irq controller memory mapped I/O regions consistently
in board descriptions
* move irq controller and timer memory mapped I/O region descriptions
from cpu class to board class
* eliminate artificial distinction between flavors of ARM's GIC
* factor cpu local initialization out of ARM's GIC interface description,
which is needed if the GIC is initialized differently e.g. for TrustZone
Ref #1405
The 'dest' target is renamed in the updated rump version to 'dest.stage'. This
triggered some building steps, even when the targets already existed.
Issue #1409
The handling of MMIO regions now supports more pathological cases with
weird cross references. Also, MMIO regions are releases after the
parsing is done.
Fixes#998
While booting up, some devices send garbage over the serial connection.
This can result in an unexpected EOF event within expect(1). A filter
program may be specified with '--log-serial-filter' to circumvent this
problem. Then, the output of the serial program is piped through
the filter, which may sanitize the character stream.
Fixes#1395.
Setting the ACTLR.SMP bit also without SMP support fastens RAM access
significantly. A proper solution would implement SMP support which must enable
the bit anyway.
Fixes#1353
and move it close to run_genode_until implementation.
Somehow the "match_max -d" gets ignored if it is to far away and some
our run scripts fails because the buffer contains not all information
(seen for affinity.run on a 8 core machine)
This is needed at least by rump_ext2.run as it uses the perf-counter
in the jitterentropy-lib. On other platforms the perf-counter gets enabled
by the kernel by default. However, on HW, we keep the specifier to allow users
to disable it easily (e.g. for security reasons).
Ref #1393
When returning early on directory operations, file systems that might
be able to handle the request but come after the current one are not
tried.
Fixes#1400.
Up to now Noux used the libc sleep functions, which actually is not
possible because the _nanosleep() function implemented by our libc
creates a new thread to handle the timeout. Noux childs may have
only one thread, e.g., the main thread, though. To fix this issue
sleeping is now handled directly by Noux. It is implemented by calling
select(2) with a timeout. This fix is needed for mutt(1), which calls
sleep when it prints a notification for the user.
Fixes#1374.
Since rump now requires large buffers of random numbers (>= 512 bytes), use the
jitterentropy library instead of the slow timer pseudo random number generation.
Fixes#1393
To circumvent compilation errors with the older L4Android Linux kernel
version, the ballooning driver is included in the more recent L4Linux
kernel only. Moreover, to be able to maintain L4Android / L4Linux in a more
convenient way, e.g. to apply patches valid for both versions, we use
the same git clone that is used for L4Linux instead of using the upstream
L4Android version by applying patches.
Fixes#1390
Instead of returning an uint64_t value, return a structured time stamp.
This change is only visible to components using Rtc_session directly.
Fixes#1381.
Up until now 'schedule_timeout' did only wait for the next signal to occur.
However, we might run into situations where there won't occur signals for longer
periods of time. Therefore, we took care of the respective timeout handling.
This commit also adds Genode's tracing support
Issue #1310
This has been broken for a while now. Use correct (global) signal transmission,
do not use local signal transmission, as signals seems to get lost.
Issue #1310
This patch changes the Shared_object::lookup function to use a
reinterpret_cast instead of a static_cast to allow the conversion
from symbol addresses to arbitrary pointers.
By blocking on a timeout, we yield the CPU in order to give a
concurrently running sporadic process a chance to obtain ROM modules.
Otherwise, such requests would be deferred until the ROM prefetcher
completes its operation or in the unlikely event that the prefetcher
gets preempted.
Fixes#1378
The linker scripts use to fill alignment gaps within the text section
with the magic value 0x90909090, which correponds to the opcodes of four
nop instructions on x86. This patch removes this value because it
apparently solves no problem. If, for some reason (e.g., due to a dangling
pointer) a thread executes instructions within alignment paddings, NOP
instructions are not any better than any other instruction. The program
will eventually execute the instructions after the padding, which is
most likely fatal. It would be more reasonable to fill the padding with
the opcode of an illegal instruction so that such an error can be
immediately detected. That said, I cannot remember a single instance,
where the fill value has helped us during debugging.
Even if the mechanism served a purpose on x86, it is still better to
remove it because it does not equally work on the other architectures
where the linker scripts are used. I.e., on ARM, the opcode 0x90909090
is not a NOP instruction.
The patch supports both, a download-specific UNZIP_OPT(download) and a
general UNZIP_OPT that can be defined across downloads.
UNZIP_OPT(download) overrides UNZIP_OPT.
Note, the `--strip-components=1` argument is not required for unzip.
Issue #1357
If newlines are in the string send to the core log service, they don't get
the label properly appended before each output. The messages then look like
they are coming from core.
Fixes#1368
Be less verbose regards warnings caused by vmx_invalid exits - which triggers
on T400 more often because it has no Unrestricted Guest support. This leads
to lot of log messages so that the test does not succeed in time. Additionally,
the virtualbox_auto_disk.run script is adjusted to check for some output to
exit earlier if something went wrong.
Fixes#1367
Workaround for issue #1343. By disabling the 'vpid' feature of the nova
kernel several VMs can be used concurrently. Applies for Seoul and VirtualBox.
Issue #1343
tool/ports/shortcut
create symbolic link from 'contrib/<port-name>-<hash>' to
contrib/<port-name>
tool/ports/current
print current contrib directory of port
Fixes#1345.
Instead of fixing the missing dynamic facilities of the AHCI driver
backends for x86 and Exynos5, just avoid to create/destroy the backend
for every new connection, but always use one and the same object.
The AHCI drivers need to be re-written anyway, see issue #1352 for instance,
we can make it more robust for the dynamic case then.
Fixes#786Fixes#1133
This has to be used during shared object creation and destruction because global
lists are manipulated. We cannot use the 'Elf_object::lock' here because there
may be jump-slot relocations during object initialization.
Fixes#1350
When building Genode for VEA9X4 as micro-hypervisor protected by the ARM
TrustZone hardware we ran into limitations regarding our basic daily
testing routines. The most significant is that, when speaking about RAM
partitioning, the only available options are to configure the whole SRAM
to be secure and the whole DDR-RAM to be non-secure or vice versa. The
SRAM however provides only 32 MB which isn't enough for both a
representative non-secure guest OS or a secure Genode that is still
capable of passing our basic tests. This initiated our decision to
remove the VEA9X4 TrustZone-support.
Fixes#1351
On VEA9X4-TZ, the context-area overlaps with the virtual area of the
text, data and bss. However, we can't simply change the link address as
the core image (used physically respectively 1:1 mapped) needs to be in
this particular RAM-region as it is the only one that can be protected
against a VM. Thus I've moved the context area to a place where it
shouldn't disturb any HW-platform.
Fixes#1337
Declaring the SP804 0/1 module and its interrupt to be non-secure prevents the
secure Genode from receiving the interrupt and hence the timer driver in the
secure Genode doesn't work.
Fixes#1340
Some downloads are available via HTTPS only, but wget < 3.14 does not
support server-name identification, which is used by some sites. So, we
disable certificate checking in wget and check the validity of the
download via SIG or SHA.
Fixes#1334.
The commit uses a fixed kernel branch (r8), which fixes a caching bug
observable in the Genode host. The quirk detecting the circumstance in the
timer service is obsolete now and is removed.
Fixes#1338
The commit
- fixes the syscall bindings for using portal permissions
- revokes PT_CTRL permission after pager in core set local badge name
- revokes PT_CTRL permission after server entrypoint code set local badge name
Fixes#1335
This fix configures TTBRs and translation-table descriptors as if we would use
SMP although we don't to circumvent problems with UP-configurations.
This fix should be superseded later by full SMP support for the VEA9X4.
ref #1312
The HW-kernel, in contrast to other kernels, provides a direct reference
to the pager object with the fault signal that is send to the pager
activation. When accessing this reference directly we may fall into the
time span where the root parent-entrypoint of the faulter has alredy
dissolved the pager object from the pager entrypoint, but not yet
silenced the according signal context. To avoid this we issue an
additional 'lookup_and_lock' with the received pager object. This isn't
optimal as we don't need the potentially cost-intensive lookup but only the
synchronization.
Fixes#1311.
Fixes#1332.
- essential support for 7260 chipset and DMA fixes
- assign mvm->pm_ops at beginning of function iwl_op_mode_mvm_start.
iwl_mvm_mac_setup_register() uses mvm->pm_ops, but it is called
before this field is set to a valid value.
- disable call to function iwl_mvm_prepare_multicast.
This function leads to a pagefault, as it aspects a list of multicast
addresses, but the list is empty as it is not generated by this port.
On base-hw, each thread owns exactly one scheduling context for its
whole lifetime. However, introducing helping on IPC, a thread might get
executed on scheduling contexts that it doesn't own. Figuratively
spoken, the IPC-helping relation spans trees between threads. These
trees are identical to those of the IPC relation between threads. The
root of such a tree is executed on all scheduling contexts in the tree.
All other threads in the tree are not executed on any scheduling context
as long as they remain in this position. Consequently, the ready-state
of all scheduling contexts in an IPC-helping tree always equals the
state of the root context.
fix#1102
As soon as helping is used, a thread may also be in a blocking state when its
scheduling context is ready. Hence, the state designation SCHEDULED for an active
thread would be pretty misleading.
ref #1102
If the debug branch of the nova kernel is used, following messages are printed
by the kernel during vCPU setup phase:
[0] overmap attempt OBJ - tree - ...
Fixes#1324
The context of timer are now inserted correctly and the actual timer
triggering the exection of each context is always programmed if the
head of the timer list changes.
Fixes#1326.
The jiffies are only updated on each round of scheduling the runnable
tasks. We have to schedule the current task that executes the sleep
call to update the jiffies count and thereby preventing the task from
entering an endless loop when using a statement like
'while (!time_after(jiffies, now + timeout)) { msleep(1); }'.
Related to #1326.
Instead of probing all device on the PCI bus just look for devices
matching PCI_CLASS_NETWORK_OTHER. This fixes issues with other devices
on the PCI bus, e.g. the GPU, when access their extended config space.
Related to #1326.
Due to commit "run: relax IP power plug recognition + serial EOF",
when piping the serial command through 'tr', some characters might
get buffered, thereby preventing some run scripts to finish correctly.
This commit removes the 'tr' hack. Instead, to circumvent the 'expect'
problem, which kills under special conditions spawned childs used to
obtain serial line content, whenever EOF of the serial command is
recognized during the boot phase, the child process gets re-spawned.
Setting explicit routes for Nitpicker's 'Framebuffer' and 'Input' sessionsi
avoids ambiguities if a Qt application provides these services, too.
Fixes#1316
With this patch, when calling 'setFocus()' on a QNitpickerViewWidget, the
Nitpicker view gets the input focus (provided that the parent Qt window
already had it).
Fixes#1314
Until now, the successful termination of the boot process was recognized
when 'expect' saw the first L4 bootstrapper output on serial line. On sytems
with initially shaky serial connection like Versatile Express, where the serial
line baudrate changes with the bootstrapper initialization, the first expected
line might be missing. Therefore, change the expected line to the first
Fiasco.OC kernel output.
* To communicate with IP power plug devices from Koukaam, to remote
control power supply of test boards, don't parse minor versions, but
support different IP power plugs
* TCL's expect may report an EOF when reading from the spawned serial
terminal, especially when using 'socat' to stream serial over TCP/IP,
although the spawned child is still running and delivering content.
This problem is clearly not dependent on the characters send, but
possibly due to strange pipe signals. When piping the serial output
through 'tr' the problem vanishs.
This wasn't necessary before because we built an l4 library for
Pistachio and linked it against each application. With the new linker,
we compile the required files from within Genode and create a syscall
library that is only linked to ldso. If a program uses system calls
directly, for example, DDE kit's spinlock implementation, the required
symbols must be made globally accessible.
Fixes#1306
On the Versatile Express Cortex A9x4 platform the first memory region
0x0 - 0x4000000 is a hardware remapped memory area, containing flash
and DDR RAM copies and thus should not be added in addition to all
DDR RAM regions and the SRAM region.
In the init configuration one can configure the donation of CPU time via
'resource' tags that have the attribute 'name' set to "CPU" and the
attribute 'quantum' set to the percentage of CPU quota that init shall
donate. The pattern is the same as when donating RAM quota.
! <start name="test">
! <resource name="CPU" quantum="75"/>
! </start>
This would cause init to try donating 75% of its CPU quota to the child
"test". Init and core do not preserve CPU quota for their own
requirements by default as it is done with RAM quota.
The CPU quota that a process owns can be applied through the thread
constructor. The constructor has been enhanced by an argument that
indicates the percentage of the programs CPU quota that shall be granted
to the new thread. So 'Thread(33, "test")' would cause the backing CPU
session to try to grant 33% of the programs CPU quota to the thread
"test". By now, the CPU quota of a thread can't be altered after
construction. Constructing a thread with CPU quota 0 doesn't mean the
thread gets never scheduled but that the thread has no guaranty to receive
CPU time. Such threads have to live with excess CPU time.
Threads that already existed in the official repositories of Genode were
adapted in the way that they receive a quota of 0.
This commit also provides a run test 'cpu_quota' in base-hw (the only
kernel that applies the CPU-quota scheme currently). The test basically
runs three threads with different physical CPU quota. The threads simply
count for 30 seconds each and the test then checks wether the counter
values relate to the CPU-quota distribution.
fix#1275
Do not support the global construction from of objects from within a global
constructor of another object. This can happen if, for example, dlopen is called
from a global constructor. The construction will be post-boned until the current
constructor has finished.
On Arndale, the kernel timer resets to the initial value of the last
count-down and continues as soon as it reaches zero. We must check this
via the interrupt status when we read out the timer value and in case
return 0 instead of the real value.
fix#1299
The way this function is currently used in dde_linux expects this
function to return. Since there is dde_kit_panic it should better
be used in such a case the output should block.
Kernel::Processor was a confusing remnant from the old scheme where we had a
Processor_driver (now Genode::Cpu) and a Processor (now Kernel::Cpu).
This commit also updates the in-code documentation and the variable and
function naming accordingly.
fix#1274
The run test 'hw_info' prints the content of the basic ARMv7 identification and
feature registers in a pretty readable format. It is a kernel-internal test
because many of these registers are restricted to privilege level 1 or higher.
fix#1278
The new scheduler serves the orthogonal requirements of both
high-throughput-oriented scheduling contexts (shortly called fill in the
scheduler) and low-latency-oriented scheduling contexts (shortly called
claim in the scheduler). Thus it knows two scheduling modes. Every claim
owns a CPU-time-quota expressed as percentage of a super period
(currently 1 second) and a priority that is absolute as long as the
claim has quota left for the current super period. At the end of a super
period the quota of all claims gets refreshed. During a super period,
the claim mode is dominant as long as any active claim has quota left.
Every time this isn't the case, the scheduler switches to scheduling of
fills. Fills are scheduled in a simple round robin with identical time
slices. Order and time-slices of the fill scheduling are not affected by
the super period. Now on thread creation, two arguments, priority and
quota are needed. If quota is 0, the new thread participates in CPU
scheduling with a fill only. Otherwise he participates with both a
claim and a fill. This concept dovetails nicely with Genodes quota based
resource management as any process can grant subsets of its own
CPU-time and priorities to its child without knowing the global means of
CPU-time and priority.
The commit also adds a run script that enables an automated unit test of the
scheduler implementation.
fix#1225
To serve the needs of the coming CPU scheduler, the double list needs
additional methods such as 'to_tail' and 'insert_head'.
The commit also adds a run script that enables an automated unit test
of the list implementation.
ref #1225
Kernel tests are done by replacing the implementation of an otherwise
empty function 'Kernel::test' that gets called once at the primary CPU
as soon as all kernel initialization is done. To achieve this, the test
binary that implements 'Kernel::test' must be linked against the core
lib and must then replace the core binary when composing the boot image.
The latter can be done conveniently in a run script by setting the new
argument 'core_type' of the function 'build_boot_image' to the falue
'test'. If no kernel test is needed the argument does not have to be
given - it is set to 'core' by default which results in a "normal"
Genode image.
ref #1225
Previously, Idle_thread inherited from Thread which caused an extra
processor_pool.h and processor_pool.cc and also made class models for
processor and scheduling more complex. However, this inheritance makes
not much sense anyway as an idle context doesn't trigger most of the code
in Thread.
ref #1225
The memory barrier prevents the compiler from changing the program order
of memory accesses in such a way that accesses to the guarded resource
get outside the guarded stage. As cmpxchg() defines the start of the
guarded stage it also represents an effective memory barrier.
On x86, the architecture ensures to not reorder writes with older reads,
writes to memory with other writes (except in cases that are not
relevant for our locks), or read/write instructions with I/O
instructions, locked instructions, and serializing instructions.
However on ARM, the architectural memory model allows not only that
memory accesses take local effect in another order as their program
order but also that different observers (components that can access
memory like data-busses, TLBs and branch predictors) observe these
effects each in another order. Thus, a correct program order isn't
sufficient for a correct observation order. An additional architectural
preservation of the memory barrier is needed to achieve this.
Fixes#692
GCC 4.7.4 and newer seems to optimize the lock-variable accesses more
radically, which uncovered the missing volatile qualifier and resulted
in:
Assertion "(int)locked >= 0" failed in file '.../okl4_x86/kernel/include/kernel/read_write_lock.h', line 151 (fn=f0104771)
--- "KD# assert" ---
Invalidating all branch predictors before switching the PD
fixes instability problems on Panda and has not much effect
on the performance of other boards. However, we neither know why
this is a fix nor wether it fixes the real cause of the problem.
fix#1294
Previously, the timer was used to remember the state of the time slices.
This was sufficient before priorities entered the scene as a thread always
received a fresh time slice when he was scheduled away. However, with
priorities this isn't always the case. A thread can be preempted by another
thread due to a higher priority. In this case the low-priority thread must
remember how much time he has consumed from its current time slice because
the timer gets re-programmed. Otherwise, if we have high-priority threads
that block and unblock with high frequency, the head of the next lower
priority would start with a fresh time slice all the time and is never
superseded.
fix#1287
Some SDL applications expect the SDL_image headers in include/SDL to be
reachable without the SDL/ prefix. This patch adds the corresponding
search path. Furthermore it enables support for XPM images.
Ported drivers list and extract all needed source files. This decouples
ports according to contrib sources and also enables us to revert lxip to
Linux version 3.9, while staying with 3.14 for usb.
Fixes#1285
The manpage to errno tells the following story:
The <errno.h> header file defines the integer variable errno, which is
set by system calls and some library functions in the event of an error
to indicate what went wrong. Its value is significant only when the
return value of the call indicated an error (i.e., -1 from most system
calls; -1 or NULL from most library functions); a function that
succeeds is allowed to change errno.
Valid error numbers are all nonzero; errno is never set to zero by any
system call or library function.
When the 'Mtd::FPU' flag is set during the registration of a
virtualization event handler, it must also be set whenever the event
handler returns.
Fixes#1283
This patch ensures that priority values passed as session arguments
are within the valid range of priorities. Without the clamping, a child
could specify a priority of a lower priority band than the one assigned
to the subsystem. Thanks to Johannes Schlatow for reporting this issue.
Fixes#1279
This is just a quick fix to calm down the buildbot - a revised
implementation is needed according to issue #1277. Further, the reason
for the increased test duration on several platforms must be
investigated.
The alias is rather Linux-specific and also prevents particularly
tailored jiffies implementations. For the existing dde_linux ports (usb
and lxip) we just define jiffies to be dde_kit_timer_ticks with a
preprocessor macro.
The menu view generates a simple dialog of widgets and reports the
hovered element. It is meant to be embedded into applications that
require simple GUIs but don't want to deal with the pecularities of
a full-blown widget set.
The new 'session_control' function can be used to perform operations on
the global view stack that span one or multiple sessions, e.g., bringing
all views of specific sessions to the front, or hiding them.
If the Rom_session::update function returns false, the ROM dataspace may
have been physically destructed (and core has removed all mappings).
In this case, we have to omit the detach operation in the destructor
of 'Attached_dataspace' to avoid detaching the same region twice.
The headers 'texture_rgb565.h' and 'texture_rgb888' contain
template specializations needed for using the 'Texture::rgba' function
for the respective pixel formats. The specializations were formerly
contained in application-local code.
This patch add an optional alpha argument to the constructor, which may
be passed to a pixel type representing an alpha channel. Furthermore,
a new overload of the mix function has been added to accommodate use
cases where one texture is applied to both a pixel surface and an alpha
channel.
When X-ray mode is active, nitpicker filters motion events that are not
referring to the currently focused domain. However, domains configured
as xray="no" (such as a panel) need to obtain motion events regardless
of the xray mode. This patch relaxes the motion-event filtering to
accommodate such clients.
The buffer offset was wrongly accounted for. The miscalculation went
unnoticed until now because the buffer offset was apparently never used
in combination with alpha-channels.
If a domain is configured as xray="no", we want to let the views of the
domain respond to input events like in flat mode, even if xray mode is
active. Normally, the input mask of views with an alpha channel is
disregarded in X-ray mode. However, for non-ray views, the input mask
should always be considered.
The 'Signal_rpc_member' takes care about dissolving its signal context
from the receiver. So we don't need to manually perform this operation
in the session destructor.
With this patch, the VESA driver chooses the video mode with the highest
resolution from the list of available modes if no resolution is
explicitly configured.
Fixes#1263.
* use seoul branch containing vbios emulator
* report the memory model in the VBE mode info as otherwise the
Genode framebuffer driver will ignore this mode
Fixes#1261
It turned out that the controller configuration can change during the self
tests, so now it is read before running the tests and restored afterwards.
Fixes#1260.
This component merges the input events of multiple sources.
Example configuration:
<start name="input_merger">
<resource name="RAM" quantum="1M" />
<provides>
<service name="Input" />
</provides>
<config>
<input label="ps2" />
<input label="usb_hid" />
</config>
<route>
<service name="Input">
<if-arg key="label" value="ps2" /> <child name="ps2_drv" />
</service>
<service name="Input">
<if-arg key="label" value="usb_hid" /> <child name="usb_drv" />
</service>
<any-service> <parent /> <any-child /> </any-service>
</route>
</start>
For each 'input' config node, the component opens an 'Input' session with the
configured label. This label is then evaluated by 'init' to route the session
request to a specific input source component.
Fixes#1259.
* When flushing the data and unified cache on ARM, clean and invalidate
instead of just cleaning the corresponding cache lines
* After zero-ing a freshly constructed dataspace in core, invalidate
corresponding cache lines from the instruction cache
The backend allocator for the slab is a sliced heap, which hands out
allocations with page-size granularity (4096 bytes). Therefore, the
slab-block size should also be about a multiple of the page size minus
some bytes of overhead.
Additional adjustments:
- The slab-block size and the default quota-upgrade amount for SIGNAL
sessions depends on the platform bit width now.
- The signal test also stresses the case of many managed context in one
session including creation and destruction of the used signal receiver
in repeated rounds.
- correctly catch and report non-existing root directories
- remove *all* leading slashes from root-directory attributes and
sanitize empty declarations to current working directory
The older SOAP EOI protocol is not supported with AMT version 9+. By default
the wsman tool will be used if installed.
RUN_OPT examples to enforce amtool or wsman:
--target amt --amt-tool wsman
--target amt --amt-tool amttool
Fixes#1251
The weak implementation was added for quite special purposes years ago
and is no longer needed. On the other hand, the weak attribute does not
help if the implementation ends up in a shared library, which first
resolves symbols locally before asking ldso (that includes the acutal
thread library) *shiver*
The original git:// URL produced the following error:
Cloning into 'jbig2dec'...
fatal: remote error: access denied or repository not exported: /jbig2dec.git
Until now, the rumpkernel based tools were installed with all symbols
included. This accounts for about 200MiB used space on 64Bit system.
Stripping the binaries prior to installation brings the space
requirements down to 20MiB.
Fixes#1245.
The clean rule is used to delete already built binaries as well as to
clean-up any left-overs from previous build attempts. If there was
no previous attempt just return true to prevent make from complaining.
Fixes#1245.
Before the pointer handling was removed from the nitpicker server, the
pointer was always the first view, which was skipped in the find_view
function. However, since we support pointer-less operation by now, we
have to consider all views starting with the top-most one.
The port was succesfully tested a echo test and lighttpd. DHCP over
OpenVPN is not tested and probably will not work out of the box.
Therefore, the ip address etc. need to be specified manually.
For now, only ethernet bridging (using a TAP device) is supported.
Fixes#1235.
This commit adds a port the jitterentropy library to Genode. As
backend on x86_{32,64} 'rdtsc' is used and on ARMv{6,7} the
performance-counter.
Fixes#1239.
These file systems are provided on-demand by loading a shared library
when the fstab node is traversed. By convention this library is named
after the file system it provides. For example a file system that
provides a 'random' file system node is called 'vfs_random.lib.so'. It
is still possible to give the the node another name in the vfs. The
following code snippts illustrates this matter:
! [...]
! <config>
! <libc>
! <vfs>
! <dir name="dev"> <jitterentropy name="random"/> </dir>
! </vfs>
! </libc>
! </config>
! [...]
Here the jitterentropy file system, implemented in
'vfs_jitterentropy.lib.so' provides a file system node named 'random'
in the 'dev' directory. When traversing the vfs section the libc will
try to load 'vfs_jitterentropy.lib.so' but programs may access the
file system only via '/dev/random'.
Fixes#1240.
This patch fixes a potential race condition that could happen if a
client connects to nitpicker before the signal for the import of the
initial configuration was delivered. In this case, nitpicker would be
unable to assign a domain to the session (because this information comes
from the configuration), rendering subsequent calls to 'mode' invalid.
The patch solves this problem by manually calling the signal handler
for importing the configuration.
This provides bootable disk images for x86 platforms via
! RUN_OPT="--target disk"
The resulting disk image contains one ext2 partition with binaries from
the GRUB2 boot loader and the run scenario. The default disk size fits
all binaries, but is configurable via
! --disk-size <size in MiB>
in RUN_OPT.
The feature depends on an grub2-head.img, which is part of the commit,
but may also be generated by executing tool/create_grub2. The script
generates a disk image prepared for one partition, which contains files
for GRUB2. All image preparation steps that need superuser privileges
are conducted by this script.
The final step of writing the entire image to a disk must be executed
later by
sudo dd if=<image file> of=<device> bs=8M conv=fsync
Fixes#1203.
After modifying mode transition for branch prediction tz_vmm wasn't
working anymore on hw_imx53_tz but the modifications had nothing to do
with the VM code. However, the amount of instructions in the MT before the
VM exception-vector changed. So I tried stuffing the last working version with
NOPs and found that tz_vmm worked for some NOP amounts and for others not.
Thus, I increased the alignment of the VM exception-vector from 16 bytes to 32
bytes, é voila, its working with any amount of NOPs as well as with branch
prediction commits.
ref #474
Previously, we did the protection-domain switches without a transitional
translation table that contains only global mappings. This was fine as long
as the CPU did no speculative memory accesses. However, to enabling branch
prediction triggers such accesses. Thus, if we don't want to invalidate
predictors on every context switch, we need to switch more carefully.
ref #474
The console included nitpicker_view headers, which were not used. The
headers vanished with the recent nitpicker API change, which broke the
build of seoul.
This patch reimplements the nit_fb server using the server API and
thereby enables the dynamic resizing the of the framebuffer.
Note that the new implementation does not feature the ability to perform
a periodic refresh via the 'refresh_rate' configuration argument. This
feature was removed because the refresh policy can (and should) always
be implemented on the client side.
The QPluginWidget used to be a QNitpickerViewWidget but the new loader
interface does no longer hand out a view capability. So we need to
decouple both classes. This patch moves the view-geometry calculation to
a separate class to make it easier reusable, in particular for the
QPluginWidget.
The window manager provides a nitpicker session interface. In contrast
to the nitpicker server, which leaves the view layout up to the client,
the window manager organizes the views on screen according to a policy
provided by a window layouter. Furthermore, it equips views with window
decorations as provided by a window decorator. Both layouter and
decorator are independent programs.
This patch adds support for the consecutive re-dimensioning the virtual
framebuffer. When changing the buffer size, the session gets upgraded by
the missing portion of the quota instead of donating the whole size of
the new buffer each time.
This patch introduces a way to tweak the coordinate systems per
domain. The 'origin' attribute denotes the origin of the coordinate
system. Valid values are "top_left", "top_right", "bottom_left",
"bottom_right", and "pointer". Furthermore, the screen dimensions as
reported to the nitpicker client can be tweaked per domain using the
'width' and 'height' attributes. If the specified value is positive,
it is taken as literal boundary. If the value is negative, the size
if deducted by the specified amount from the physical screen area.
This patch introduces a mandatory layer attribute to domains. The layer
ordering is superimposed on the stacking order of the views. The
top-most layer can be assigned to a pointer-managing client. An example
for such a pointer is located at os/src/app/pointer. It replaces the
formerly built-in nitpicker mouse cursor.
The new layering mechanism replaces the former "stay-top" session
argument. So the Nitpicker::Connection no longer takes the stay-top flag
as the first argument.
A session can be explicitly configured to present its views in a
completely opaque way when the X-ray mode is active as opposed to the
default where each view gets tinted and surrounded by a frame. This
is useful for decorator views, which look overly busy otherwise.
This patch introduces the notion of a "domain" to the nitpicker
configuration concept. Session policies always refer to a domain where
multiple session policies can refer to the same domain. Thereby a domain
provides a way to express the grouping of sessions. This is useful for
applications that open multiple nitpicker sessions (such as Qt5 apps that
use one nitpicker session per window, menu, etc.). We want to assign all
those sessions to a single domain.
The configuration looks as follows:
<config>
...
<domain name="default" color="#ffffff"/>
<policy label="" domain="default"/>
...
</config>
This patch changes nitpicker's session interface to use session-local
view handles instead of view capabilities. This enables the batching
of multiple view operations into one atomic update.
This patch introduces a focus-management facility to the nitpicker
session interface. As a side effect of this change, we remove the notion
of a "focused view". There can only be a "focused session". This makes
sense because input is directed to sessions, not views.
Issue #1168
This patch changes nitpicker's way of redrawing. Originally, redraw
operations were triggered immediately by the RPC functions invoked by
clients. In the presence of clients that invoked a large number of those
functions, the server could become overloaded with processing redraw
operations. The new version performs redraw operations out of band with
the RPC functions. Similar to the design of the DOpE GUI server, redraw
operations are processed periodically. The RPC functions merely modify
meta data and track the dirty areas that need to be updated.
Consequently, nitpicker's RPC functions become light-weight operations.
As a nice collateral effect of this patch, nitpicker's internal
structure could be simplified because the drawing backend is no longer
needed by the code that dispatches the RPC interface.
So far, the lifetime-management utilities 'Weak_ptr' and 'Locked_ptr'
had been preserved for core-internal use only. However, the utilities
are handy for many use cases outside of core where object lifetimes
must be managed. So we promote them to the public API.
The new Rom_session::update function can be used to request the update of
an existing ROM dataspace. If the new data fits into the existing
dataspace, a subsequent call of 'dataspace' can be omitted. This way,
ROM dataspace updates don't suffer from page-fault-handling costs that
would occur when replacing the dataspace with each update.
When calling 'sub_node' on a node with no sub nodes, the Xml_node would
interpret the characters after the current node while searching for sub
nodes. The patch adds a sanity check that lets the 'sub_node' function
throw an exception when called on a node with no sub nodes.
This patch makes the handling of constructor arguments consistent among
the Volatile_object and Lazy_volatile_object classes. Arguments are
always forwarded. Otherwise, passing a reference as argument would result
in an unwanted copy of the passed object.
Some session interfaces use session-local handles for referring to
server-side objects, e.g., a file-system session hands out file handles
to the client. The new 'Handle_registry' class template can be used to
associate numeric handles with objects on the server side and thereby
simplifies the implementation of such servers.
This patch enables the debugging on services that rely on dynamic
session upgrades. For example, nitpicker expects its clients to donate
RAM quota that matches the size of the virtual framebuffer, which might
change during the lifetime of a nitpicker session.
* repos/ports/include/vmm
- add support to specify cpu location during vCPU construction
* seoul
- update to latest seoul branch supporting smp
- adjust to vmm interface changes
- vCPUs will be put in a round robin fashion on the available host CPUs,
beginning with the next CPU after the default (boot) CPU
- number of vCPUs can be specified in run script
* virtualbox
- adjust to vmm interface changes
- uses still one vCPU, placed on default (boot) CPU
Fixes#1212
This reverts commit edc03489b3.
Since commit
"timer: nova specific version of the service"
a nova specific timer is used and this quirk is not necessary anymore.
Issue #1211
When a page fault cannot be resolved, the GDB monitor can get a hint about
which thread faulted by evaluating the thread state object returned by
'Cpu_session::state()'. Unfortunately, with the current implementation,
the signal which informs GDB monitor about the page fault is sent before
the thread state object of the faulted thread has been updated, so it
can happen that the faulted thread cannot be determined immediately
after receiving the signal.
With this commit, the thread state gets updated before the signal is sent.
At least on base-nova it can also happen that the thread state is not
accessible yet after receiving the page fault notification. For this
reason, GDB monitor needs to retry its query until the state is
accessible.
Fixes#1206.
The build config for core is now provided through libraries to enable
implicit config composition through specifiers and thereby avoid
consideration of inappropriate targets.
fix#1199
The count value can be used to batch timeouts. I.e., if a periodic
timeout triggered multiple times before the timer had a chance to
process them, the count corresponds to the number of passed periods.
Until now, the HW platform support for the TrustZone features of the
i.MX53 boards could only be used, when adding a "trustzone" SPEC variable
manually. This commit adds a create_builddir target for HW i.MX53 with
TrustZone features enabled, fo convenience reasons.
- Log elapsed time per test in summary
- Command-line switch `--time-stamp` prefixes log output lines with
current time stamp (requires ts utility from Debian package _moreutils_)
Fixes#1156.
A subject that inherits from Processor_client not necessarily has the need for
doing a processor-global TLB flush (e.g. VMs). At the other hand the Thread
class (as representation of the only source of TLB flushes) is already one of
the largest classes in base-hw because it provides all the syscall backends
and should therefore not accumulate other aspects without a functional reason.
Hence, I decided to move the aspect of synchronizing a TLB flush over all
processors to a dedicated class named Processor_domain_update.
Additionally a singleton of Processor_domain_update_list is used to enable
each processor to see all update-domain requests that are currently pending.
fix#1174
and add xml configuration option to switch it on if required. Avoids trouble
on Windows 7 guest where IRQ injected by VMMDev PCI device is not delivered.
If ioapic is required and Windows guest addition "hangs", look in file
DevPCI.cpp, function pciSetIrqInternal, variable fIsApicEnabled. If
config[0xde] == 0xbe
config[0xad] == 0xef
it works. "Deadbeaf" seems to/should be set in ACPI file vbox.dsl. Happens for
unknown reason not on Genode/Nova.
Fixes#1188
By adding: "--target jtag \
--jtag-debugger <debugger configuration> \
--jtag-board <board configuration>" to the RUN_OPTs
this commits enables the run-tool to load and execute an ELF image
via JTAG to the target platform.
Fixes#1191
Commit 6a3368ee that refactored the mode transition assembler path, and
high-level entry point, fundamentally broke that part for the TrustZone VMs.
Instead of jumping to the appropriated address, the instruction value at that
point where used as target address.
Moreover, the TrustZone part of the mode transition page was not included into
the boundary check.
Ref #1182
On ARM it's relevant to not only distinguish between ordinary cached memory
and write-combined one, but also having non-cached memory too. To insert the
appropriated page table entries e.g.: in the base-hw kernel, we need to preserve
the information about the kind of memory from allocation until the pager
resolves a page fault. Therefore, this commit introduces a new Cache_attribute
type, and replaces the write_combined boolean with the new type where necessary.
Depending on 'src_w' and 'dst_w', different lines of a block to copy may be
32-bit aligned or not, so the alignment of each line needs to get checked.
Fixes#1111.
Don't define assembler constants inside macros, thereby calling the
corresponding macros isn't needed anymore. To prevent having to much
constants included in files where they aren't needed, split macros.s
file into a generic mode_transition.s part, and globally used macros.s.
Fix#1180
Previously this was not done before Thread_base::start(..) in
base-hw as it was not needed to have a valid cap that early. However,
when changing the affinity of a thread we need the cap to be valid
before Thread_base::start(..).
fix#1151
By now the scheduling timer was only refreshed for a new scheduling timeout
when the choosen scheduling context has changed. But we want it to be refreshed
also when the scheduled context yields without an effect to the schedulers
choice (this is the case e.g. when the idle thread gets a scheduling timeout
or a thread yields without any competitor in its priority band).
ref #1151
By using &&, we prevent the accidental copying of deallocator instances,
passed to the destroy function. We always want to take the deallocator
as reference or pointer.
For the correct integration of a QPluginWidget in a parent QWidget, with
this commit the parent QWidget's Nitpicker view is made the parent view of
the plugin's Nitpicker view.
Fixes#1173.
This commit adds a 'parent_view()' function to the loader session, which
allows to set the parent view of the subsystem's Nitpicker view.
If the function is to be used, this must get done before calling
'start()'.
Fixes#1172.
In file
src/VBox/Additions/WINNT/SharedFolders/driver/file.c
the function
static int vbsfTransferCommon(VBSFTRANSFERCTX *pCtx)
in the
VbglR0CanUsePhysPageList()
branch does not correctly evaluate the read or written bytes from
the VMM. It ever assumes that whole pages are read/written.
Workaround the bug in the Windows guest additions of Vbox until fixed
upstream by filling up the read/write buffer completely within the VMM code
of Vbox.
Fixes#1176
Genode::strncpy() enures the destination string is null terminated by
writing a null-byte. In this case, the null-bytes always overwrote the
last character of the output byte stream.
Ensures that the Exynos5 CPU is clocked equally no matter how the kernel
initialized it. This makes the result of this time critical test more
comparable.
fix#1162
Now that it is possible to resize the stack of the Genode main thread, it
is not necessary anymore to create a new Genode thread as Qt main thread.
Fixes#1134.
This patch changes both the Input::Session interface and the skeleton
for the server-side implementation of this interface
('input/component.h').
The Input::Session interface offers a new 'sigh' function, which can be
called be the client to register a signal handler. The signal handler
gets notified on the arrival of new input. This alleviates the need to
poll for input events at the client side.
The server-side skeleton for implementing input services underwent a
redesign to make it more modular and robust. I.e., there are no
global functions needed at the server side and the event-queue
enable/disable mechanism is implemented at a central place (in the root
component) rather than inside each driver.
Fixes#46
Fixes an alignment problem introduced by commit "hw: map core on demand"
where physical address alignment wasn't checked anymore, when inserting
a section within the first-level table of ARM's short translation table
format.
Many thanks to Christian Prochaska for helping to debug the problem.
In case the storage-entry point dispatches more then one packet, wait for the
previous command to finish before setting a new request. This has to be done
because the 'queuecommand' does actually *not* queue things, but can only handle
one request at the time.
Fix#1143
On ARM, when machine instructions get written into the data cache
(for example by a JIT compiler), one needs to make sure that the
instructions get written out to memory and read from memory into
the instruction cache before they get executed. This functionality
is usually provided by a kernel syscall and this patch adds a generic
interface for Genode applications to use it.
Fixes#1153.
Using 'upvar' instead of 'global' in the 'append_if' and 'lappend_if'
functions makes it possible to use these functions with local variables
of the calling function.
Fixes#1137.
The 'rump_cgd' server provides block level encryption for a block
session by employing the 'cgd(4)' device provided by the rumpkernel.
'rump_cgd' uses a Block_session to get access to an existing block
device and provides another Block_session to its clients. Each block
written or read by the client is transperently encrypted or decrypted
by the server.
For now 'rump_cgd' may only _configure_ a 'cgd' device but is unable
to generate a configuration. The used cipher is hardcoded to
_aes-cbc_ with a keysize of 256 bit. Furthermore the server is able to
serve one client only.
To ease the usage, its interface is modelled after the interface of
'cgdconfig(8)'. As implications thereof the key must have the same
format as used by 'cgdconfig'. That means the key is a base 64 encoded
string in which the first 4 bytes denote the actual length of the key
in bits (these 4 bytes are stored in big endian order).
Preparing a raw (e.g. without partition table) encrypted Ext2 disk
image is done by executing 'tool/rump':
! dd if=/dev/urandom of=/path/to/disk_image
! rump -c /path/to/disk_image # key is printed to stdout
! rump -c -k <key> -F ext2fs /path/to/disk_image
To use this disk image the following config snippet can be used:
! <start name="rump_cgd">
! <resource name="RAM" quantum="8M" />
! <provides><service name="Block"/></provides>
! <config action="configure">
! <params>
! <method>key</method>}
! <key>AAABAJhpB2Y2UvVjkFdlP4m44449Pi3A/uW211mkanSulJo8</key>
! </params>
! </config>
! <route>
! <service name="Block"> <child name="ahci"/> </service>
! <any-service> <parent/> <any-child/> </any-service>
! </route>
! </start>
the Block service provided by rump_cgd may be used by a file system
server in return:
! <start name="rump_fs">
! <resource name="RAM" quantum="16M"/>
! <provides><service name="File_system"/></provides>
! <config fs="ext2fs">
! <policy label="" root="/" writeable="yes"/>
! </config>
! <route>
! <service name="Block"> <child name="rump_cgd"/> </service>
! <any-service> <parent/> <any-child/> </any-service>
! </route>
! </start>
Since 'tool/rump' just utilizes the rumpkernel running on the host
system to do its duty there is a script called 'tool/cgdconf' that
extracts the key from a 'cgdconfig(8)' generated configuration file
and also is able to generade such a file from a given key. Thereby
the interoperabilty between 'rump_cgd' and the general rumpkernel
based tools is secured.
The rumpkernel based tools are intended to be used by executing
'tool/rump'. Since it covers the most common use cases for these
tools, this script is comparatively extensive, hence giving a short
tutorial seems reasonable:
* Format a disk image with Ext2:
To format a disk image with the Ext2 file system, first prepare the
actual image by executing dd:
! dd if=/dev/zero of=/path/to/disk_image bs=1M count=128
Second, use 'tool/rump' to format the disk image:
! rump -f -F ext2fs /path/to/disk_image
Afterwards the just created file system may be populated with the
content of another directory by executing
! rump -F ext2fs -p /path/to/another_dir /path/to/disk_image
The content of the file system image can be listed by executing
! rump -F ext2fs -l /path/to/disk_image
* Create a encrypted disk image:
Creating a cryptographic disk image based on cgd(4) is done by
executing the following command:
! rump -c /path/to/disk_image
This will generate a key that may be used to decrypt the image
later on. Since this command will _only_ generate a key and NOT
initialize the disk image, it is highly advised to prepare the disk
image by using '/dev/urandom' instead of '/dev/zero' (only new blocks
that will be written to the disk image are encrypted). In addition
while generating the key a temporary configuration file will be
created. Although this file has proper permissions, it may leak the
generated key if it is created on persistent storage. To specify a more
secure directory the '-t' option should be used:
! rump -c -t /path/to/secure/directory /path/to/disk_image
Decrypting the disk image requires the key generated in the previous
step:
! rump -c -k <key> /path/to/disk_image
For now this key has to specified as command line argument. This is
an issue if the shell, which is used, is maintaing a history of
executed commands.
For completness sake let us put all examples together by creating a
encrypted Ext2 image that will contain all files of Genode's _demo_
scenario:
! dd if=/dev/urandom of=/tmp/demo.img bs=1M count=16
! $(GENODE_DIR)/tool/rump -c -t /ramfs -F ext2fs /tmp/demo.img > \
! /ramfs/key # key is printed out to stdout
! $(GENODE_DIR)/tool/rump -c -t /ramfs -F ext2fs -k <key> \
! -p $(BUILD_DIR)/var/run/demo /tmp/demo.img
To check if the image was populated succesfully, execute the
following:
! $(GENODE_DIR)/tool/rump -c -t /ramfs -F ext2fs -k <key> -l \
! /tmp/demo.img
The rumpkernel tools are used within the Genode OS Framework tool chain
for preparing and populating disk images as well as creating cgd(4)
based cryptographic disk devices.
Execute 'tool/tool_chain_rump build' to build the tools and afterwards
'tool/tool_chain_rump install' to install the binaries. The default
install location is _/usr/local/genode-rump_.
On ARM in one way or another 'string.h' prototypes will be used. Move
the definitions from rump_fs to the rump library because it is needed
by all rump based servers running on ARM.
Issue #1141.
Use _italic_ for path names rather than 'verbatim'. Because path names
tend to be quite long, the overly use of verbatim makes paragraphs hard
to read.
The new 'select_from_ports' function allows a target description file to
query the path to an installed port. All ports are stored in a central
location specified as CONTRIB_DIR. By default, CONTRIB_DIR is defined
as '<genode-dir>/contrib'. Ports of 3rd-party source code are managed
using the tools at '<genode-dir>/tool/ports/'.
Issue #1082
This patch changes the top-level directory layout as a preparatory
step for improving the tools for managing 3rd-party source codes.
The rationale is described in the issue referenced below.
Issue #1082
This patch avoids the construction of the Genode::Config object in Noux
processes. The construction of this object would populate the Noux
process with additional capabilities, which cannot be handled by
'fork()'.
The old implementation of sleep_forever() used a local Ipc_server
object, which is not announced (i.e., known) outside of the blocking
process/thread, to infinitely wait for incoming messages. In past and
present, this leads to problems (e.g., issues #538 and #1032).
Fixes#1135.
Fixes#538.
Fixes#1032.
Use the libc Mem_alloc implementation per MMTYP of virtualbox. With this the
invariant that all memory allocation of a MMTYP are dense located.
Fixes#1130
Instead of mapping all physical memory 1:1 into core/kernel's address space,
this commit limits the 1:1 mapping to the binary image, and I/O memory
regions used by the kernel only. All subsequent memory accesses of core
are done by mapping the corresponding memory on demand, and not necessarily
1:1.
This commit has several side effects:
The page table code had to be revisited completely. The kernel inserts no
longer anything into the page tables, apart from the initial translations
to have the core/kernel image available when enabling the MMU. The page
tables and higher level translation tables are no longer named Tlb, but
Translation_table instead. There is no indirection class required to define
the translation tables of a concrete SoC, the appropriated ARM specifier
is sufficient.
The ability to map core's memory the same way like it's done for all other
protection domains, makes a special treatment of core's threads (no context
area) obsolete.
Ref #567 (partly solves it)
Fix#723Fix#1068
Removes the generic processor broadcast function call. By now, that call
was used for cross processor TLB maintance operations only. When core/kernel
gets its memory mapped on demand, and unmapped again, the previous cross
processor flush routine doesn't work anymore, because of a hen-egg problem.
The previous cross processor broadcast is realized using a thread constructed
by core running on top of each processor core. When constructing threads in
core, a dataspace for its thread context is constructed. Each constructed
RAM dataspace gets attached, zeroed out, and detached again. The detach
routine requires a TLB flush operation executed on each processor core.
Instead of executing a thread on each processor core, now a thread waiting
for a global TLB flush is removed from the scheduler queue, and gets attached
to a TLB flush queue of each processor. The processor local queue gets checked
whenever the kernel is entered. The last processor, which executed the TLB
flush, re-attaches the blocked thread to its scheduler queue again.
To ease uo the above described mechanism, a platform thread is now directly
associated with a platform pd object, instead of just associate it with the
kernel pd's id.
Ref #723
It covers bugs which we should detect and fix, especially depending on
the result of pthread_myself locking implementation (ours and vbox) takes
decision to take a lock or just to assume it is a reentrant locking attempt.
Fixes#1128
The pointer-report facility used to report the screen-absolute position
of the mouse pointer. For nitpicker clients, however, this position is
meaningless because their coordinate is always constrained to the area
below the menu bar. This patch offsets the reported position
accordingly.
The rm_session quota of the context area is not sufficient to start more
then ~95 threads per address space. If one really needs so many threads per
address space one could increase the quota or dynamically respond to it using
the Expanding_rm_session class. Until now there is no need to support so much
threads per address space.
Issue #1122
By separating the VFS from Noux, we become able to reuse the
VFS for libc-using programs. The most substantial change is the
removal of Noux::Sysio data structures from the VFS. Instead, the
Noux::Sysio refers to the VFS types now.
The new VFS library is located at 'os/include/vfs/'.
Furthermore, the patch removes various code duplications related
to pseudo file systems that provide a single file (block, zero,
random, terminal, null). The new 'Single_file_system' holds the
common boilerplate code for those.
Issue #999
Until now, there was not exception type for the condition where a
symlink was created on a file system w/o supporting symlinks, e.g., FAT.
The corresponding file-system server (ffat_fs) used to return a negative
handle as a work around. I added 'Permission_denied' to the list of
exceptions thrown by 'File_system::Session::symlink' to handle this case
in a clean way.
Genode's file system interface returns the number of directories
multiplied by sizeof(Directory_entry) as size of a directory. The
tar_fs server used to return zero. The fix counts the sub nodes of
the given directory.
The test used to rely on a writable root directory. To reuse the test
for the new VFS, where '/' is never writable, I changed all absolute
paths to relative paths.
By introducing the new 'File_system_registry', we can remove the
knowledge about the actual file-system implementations from the
'Dir_file_system'. Thereby the code becomes more generic, which is
a precondition for using it as the basis for Genode's VFS library.
Issue #999
* Perform sanity check before calculating memory available to rump kernel
* Distinguish between 'Hard_context' and 'Hard_context_thread', so no dead
threads (that will not be started) are created
* Install signal-handler for memory-resource requests. This way the fs server
will not block forever when the quota is execeeded and a resource requests
fails, leaving the rump kernels to perform necessary actions
Fixes#1127
The version string was generated when core/main.cc was rebuilt, which
happens on changes in the file itself or in a header file it includes.
But, the version should reflect if the Genode repository was changed at
any place. Therefore, I moved the version string to its own version.cc
which is forcedly rebuilt any time core is examined by the build system.
@nfeske what do you think about it? Core is now relinked on any build.
Fixes#551.
Turn Genode user-level spinlock into a user-level "helpinglock". This requires
support by the kernel introduced with kernel branch r5.
The commit avoids live-locks when multiple threads with SCs on different
priority levels compete for the same user-level Genode "spinlock".
Issue #986
The commit switches the kernel branch to r5 and updates the syscall bindings
in base-nova accordingly. Beside some cleanups, r5 extents the ec_ctrl syscall
to support following features:
* An EC may yield its current timeslice. The timeslice gets enqueued at the end
of the run queue without refreshing the left budget of the quantum.
* An EC helps with the current SC another EC. Used in Genode to implement
helping over a user-level lock to avoid live-lock situation. (Think of
a limited priority-inheritance mechanism.)
* An EC requests a new scheduler decision. Used in Genode to transfer back the
potentially helping SC to the helper EC.
Issue #986
Set cpu_session default affinity space already during
construction of the thread, so that main thread is placed in the cpu affinity
space as defined by the parent. Otherwise the main thread is placed potentially
outside the affinity space, typically on the first/boot CPU.
Fixes#1107
Otherwise affinity space is set to 1x1 and in cpu_session_component.cc the cpu
session local affinity space defined by parent is not taken because
"Location::valid()" returns true.
Issue #1107
Kernel::resume_thread was restricted to core when the targeted thread was in
another domain. Now there are two kernel calls, resume_local_thread and
resume_thread, where the former is never restricted and is provided via
public kernel/interface.h and the latter is always restricted to core and
is provided via core-local kernel/core_interface.h.
ref #1101
Kernel::pause_current_thread can be implemented much simpler and is not
restricted to core threads, in contrast to Kernel::pause_thread which
also benefits from the split and can be moved to core_interface.h.
ref #1101
If an RM fault ends up in any trouble, the faulter remains paused and
the pager activation continues with the next fault. Thus we can print
a warning instead of an error and safe execution time in release mode.
ref #1096
In most cases an error report is not necessary in the kernel as the problem
does not affect the kernel itself but the according user-land context. Thus
we can also do a warning that is not printed in release mode and hence safe
execution time.
ref #1096
As the message "replay: missing dataspace info for ..." occurs multiple times
on every fork, it slows down at least noux_tool_chain_auto with hw_arndale
about 10 seconds. To avoid this overhead in release mode I've turned it into a
warning rather than an error.
ref #1096
Previously for determining wether boot-up succeeded or not, we looked
for a message that is switched off in release mode. Now the kernel
provides a reliable message as soon as initialization is done.
ref #1096
We changed the test hardware and the new one does not support 1400x1050 anymore.
Choose some conservative resolution since this is anyway a auto test nobody
is really looking at the screen output.
The 'tinfo.cc' file needs to get built, because it implements
'std::type_info::operator==(std::type_info const&) const', which
is needed by the 'icu' library on ARM.
Fixes#1109.
If counter drops to 0, the wrap flag is set also. That means we have actually
no wrap around. The patch avoids to add too much time to the elapsed time
variable.
Issue #1106
The generalization of nitpicker's graphic backend changed the interface
of 'Mode::forget', which is a (non-pure) virtual function implemented
by 'User_state::forget'. Unfortunately, the signature change was not
applied to 'User_state::forget' so that the actual implementation was
no longer called. This inconsistency remained unnoticed because there
is a default implementation of the virtual function.
The effect of the omission of the 'User_state::forget' call was a
dangling pointer ('User_state::_pointed_view').
Lesson learned: Always annotate functions with the C++11 'override' when
implementing virtual functions.
The error message given to the 'errx()' function does not always contain a
'\n' character. Adding 'printf("\n")' ensures that the message appears on
the log console.
Fixes#1103.
Reserve first bit in bit allocator for main thread of context allocator and
remove special cases in context allocator. Without the reservation there is
is one context outside the context area allocated.
Fixes#1100
The do statement ensures the macros to generate just one expression that
is compatible with any programming construct. The concrete bug was
if (cond)
PDBG(...);
else
...
which was expanded to
if (cond)
if (DO_PDBG)
Genode::printf(...);
else
...
This is obviously wrong as the *else* branch is then connected to the
second *if*.
* Core_mem_allocator: implement Range_allocator interface
* Core_mem_allocator: allocate with page-granularity only
* Use slab allocators in core where meaningful (e.g. dataspace objects)
Fix a use-after-free bug concerning the use case where the config
of the init process changes dynamically. The childs' services were not
removed from the corresponding Service_registry properly.
Fixes#1094
When an object derived from Genode::Connection is copied we had
strange issues. An example is that the first RPC invocation works
correctly but the second one blocks or even delivers incorrect data.
We can avoid this issue if the object is always passed by reference.
Ensure this by deriving from Genode::Noncopyable.
The processor scheduler can determine without much overhead wether
the currently scheduled client becomes out-dated due to the insertion
of another client. This can be used to safe inter-processor interrupts
when a remote insertion doesn't imply an update of the currently
scheduled client.
fix#1088
At least with the ARM generic interrupt controller, inter-processor interrupts
are edge triggered and banked for all source processors. Thus it might be
possible that such an interrupt gets triggered redundantly until the targeted
processor is able to grab the kernel lock. As we're only interested in making
a processor recognize accumulative updates to its scheduler, we can omit
further interrupts if there is one pending already at the targeted processor.
ref #1088
This is needed as soon as we do inter-processor interrupts to
inform a processor about a remote modification in its scheduling plan.
In this case we can not explicitely decide wether to reset timer
or not. Instead we must decide it according to the choices of the
scheduler before and after the modification.
ref #1088
This patch removes the 'Framebuffer::Session::release()' function from
the interface to make the mode-change protocol consistent with the way
the Rom_session interface handles ROM-module changes. That is, the
client acknowledges the release of its current dataspace by requesting a
new dataspace via the 'Framebuffer::Session::dataspace()' function.
Fixes#1057
Previously this was not done before Thread_base::start(..) in
base-hw as it was not needed to have a valid cap that early. However,
when changing the affinity of a thread we need the cap to be valid
before Thread_base::start(..).
ref #1076
Express that the target binary files depend on the generated files not
the source files. The old expression seems to confuse Make, which then
logs a bogus error like the following
COMPILE Runtime/common/err/errmsg.o
genode-x86-g++: error: Runtime/common/err/errmsg.cpp: No such file or directory
genode-x86-g++: fatal error: no input files
compilation terminated.
make[2]: *** [Runtime/common/err/errmsg.o] Error 1
make[1]: *** [virtualbox-runtime.lib] Error 2
With this patch, functions which execute blocking syscalls on Fiasco.OC
are built with frame pointers to get a correct backtrace shown in GDB.
Also, the backtrace test for a thread currently executing a syscall now
traces the 'Genode::Thread_base::join()' function instead of
'Genode::sleep_forever()', because base-nova has a custom implementation
of 'Genode::sleep_forever()' with a different backtrace than on Fiasco.OC.
Fixes#1061.
Instead of using a special bitfield use a compound of boolean
values for the generic page attributes. To reduce copy overhead,
change the corresponding functions, where Page_flags are used as
arguments, to use references.
This is normally needed in LDSO and was previously done by the LDSO specific crt0.s.
I forgot to keep it during the unification of the different crt0s.
fix#1077
Substitute 'swpb' (swap byte) instruction with 'ldrexb/strexb', because 'swpb'
needs to be enabled explicitly by the kernel, which is done by neither HW or FOC.
When disabled, 'swpb' will cause an undefined instruction exception.
Issue #1048
If opening a report session fails (for example because of invalid
session arguments) and an exception is thrown during the session
construction, the report would wrongly keep the enabled state.
By moving the assignment of the state after the construction,
the report stays disabled as it should be.
This patch improves the focus handling by updating the menubar each time
the user clicks on a different view, even the old and new view belong
to the same session.
Check that in every round really all threads are alive on all CPUs. It
happened that only the first round was ok (all alive) and in the next rounds
some were dead. Unfortunately the test claimed to be successful.
The destructor of the Area object uses invalid caps which results in
a wanted abort of the process on nova. This is mainly the case in forked
process in noux.
Within the central security unit of the i.MX53 SoC, one can set protection
level of various DMA bus master requests, distinguishing them between normal,
and secure access. Although, the access level was meant to be set correctly,
the enumeration values that denoted the kind of access were incorrect. Thereby,
until now every DMA requests was set as being secure. This commit corrects
the enumeration values, and sets all DMA operations as being unsecure, accept
from the graphical subsystem which is controlled by the secure world only.
Thanks to Andrea Barisani and Andrej Rosano from Inverse Path for discovering
this bug, as well as the hardware limitation!
The timed semaphore supports a minimum timeout of 10 ms and logs a
warning if the timeout is lower than the minimum. To prevent the
warning, we limit timeouts to >= 10 ms.
Adding this function eases the implementation of realloc based on
'Libc::Mem_alloc'. Note that this allocator is not used by libc's
default malloc implementation but it is useful for customized C
runtimes, e.g., for the runtime of VirtualBox.
This function provides a way to request the size of an previously
allocated block. It is useful to to ease the implementation of realloc
functionality based on Allocator_avl.
This information is useful if 'libc-common.inc' is included from
another repository, i.e., for building stripped-down libc variants
tailored to an individual application.
Out of laziness we only provide two dummy functions for all FUSE
operations, which are used in case the FUSE file system does not
implement them itself.
Fixes#1058.
Omit the main rountine in fuse-ext2.c. Otherwise using fuse-ext2 with
fuse_fs is not possible because the server framework already defines
a main routine.
Fixes#1058.
* add sync method:
Since file systems tend to have a inbuild caching mechansim we need to
sync these caches at the end of session when using the fuse_fs server.
Therefore each FUSE file system port has to implement a Fuse::sync_fs()
function that executes the necessary actions if requested.
* add symlink check
* allow to check FUSE fs initialization
This changes the private API of the FUSE implementation. The init_fs
method now has to return true if the initialization was successful and
otherwise false. All current users of the API are also changed
accordingly.
Fixes#1058.
Noux generates 'argv[0]' for the initial child automatically (in contrast
to the 'config_args' library), so the first argument stated in the
configuration should not be the GDB program name.
Fixes#1062.
On Genode/Fiasco.OC, when an unresolved page fault occurs, only the IP and
SP registers are valid in the thread state read by GDB monitor. This was
not taken into account so far and the other (possibly outdated) register
values got reported to the client, too.
With this patch, only IP and SP get reported to the client in the page
fault case.
Fixes#1063.
For further information see: http://wiki.netbsd.org/rumpkernel/. In this version
I ported the central rump components to Genode in order to take advantage of
NetBSD file system implementation. The new 'dde_rump' repository contains the
Genode version of the rump libraries and a 'rump_fs' server that implements
Genode file-system-session interface. Currently ext2, iso9660, and fat
file-systems are supported.
Issue #1048
'check_installed' takes a command name as argument and tries to call 'which' in
order to find the command path. If that does not succeed, paths like '/sbin' are
'/usr/sbin' searched. On success the absolute path of the command is returned,
on failure 'exit' is called with an error message.
Issue #1048
Previously we used to many registers in syscalls with much arguments
to build with optimization level O0. Additionally this fix fastens the
userland backend of syscalls.
All the pre- and post-processing of the startup lib around the main
function of a dynamic program is now done by LDSO. Hence LDSO directly
calls the main function of the program.
Issue #1042
This is needed later when eliminating the need for a startup lib in
dynamic programs to enable LDSO to call ctors and dtors of the program.
Issue #1042
After some research we found that the stack pointer on ARM platforms must be
at least double word aligned (See: "Procedure Call Standard for the ARM
Architecture" - 5.2.1.1). Since a 'call' on ARM will not result in a stack pointer
change (like on x86), the current behavior resulted in a 4 Byte aligned stack
only.
Follow up to #1043
This commit generalizes the bit array in 'base/util/bit_array.h',
so that it can be used in a statically, when the array size is known
at compile time, or dynamically. It uses the dynamic approach of the
bit array for a more generalized version of the packet allocator,
formerly only used by NIC session clients. The more generic packet
allocator is used by the block cache to circumvent the allocation
deadlock described in issue #1059.
Fixes#1059
Base libraries are already contained within ldso.lib.so. Remove unnecessary
filtering from 'dep_lib.mk', make ldso depend on base libs.
Issue #1017
Issue #989
This patch make the handling of resizing the virtual framebuffer more
consistent. Liquid_fb keeps track of two sizes. The "next size" is the
size of the framebuffer handed out via the next call of 'dataspace'.
The "designated size" is the size as demanded by the user. The latter
size may be updated more often than the "next" size, depending on the
responsiveness of the framebuffer client to mode-change signals.
The patch also removes the synchronization with refresh calls because
the synchronization made the flickering artifacts worse when executing
nitpicker within liquid_fb. So it was not properly working anyway.
In the future, we might reimplement such a synchronization mechanism
when switching to the server API.
Issue #1056
As the initial main-thread stack is not used for the whole main-thread life
anymore but only for the initialization of the Genode environment it can be
downsized to 32Kb for all architectures.
ref #989
For a main thread a thread object is created by the CRT0 before _main gets
called so that _main can already run in a generic environment that, e.g.,
catches stack overflows as a page-fault instead of corrupting the BSS.
Additionally dynamic programs have only one CRT0 - the one of the LDSO -
which does the initialization for both LDSO and program.
ref #989
Normally for intptr_t the printf format PRIiPTR should be used. As Genode
printf doens't support this format we cast it to long int (intptr_t is int
for 32 bit and long int for 64 bit).
ref #989
This patch adds accessors to obtain the buffer of an attribute value,
which is useful to avoid the copying-out of such information by
maintaining pointers into the XML string as meta data.
There exist different default setups for a specific autoconf version:
* autoconf
* autoconf$(VERSION)
* autoconf-$(VERSION)
As of now, only the second option is recognized by the check in tool_chain.
This patch ensures that if one of those is present in the correct
version, it will be found and used in the build process.
Fixes#1053.
With this patch, the liquid_fb title bar height gets reserved at the top of the
screen, so if a Qt application wants to position a window at (0,0), there's
still enough space to show the title bar above.
Issue #1054.
This utility allows for the manual placement of objects without the need
to have a global placement new operation nor the need for type-specific
new operators.
Issue #989
The trace_fs server provides access to a Trace_session by using a
File_system_session as frontend.
Each trace subject is represented by a directory ('thread_name.subject')
that contains specific files ('active', 'cleanup', 'enable', 'events',
'buffer_size' and 'policy'), which are used to control the tracing
process of the thread as well as storing the content of its trace
buffer.
The tracing of a thread is only activated if there is a valid policy
installed and the intend to trace the subject was made clear by writing
'1' to the 'enable' file.
The tracing of a thread may be deactived by writing a '0' to the
'enable' file.
A policy may be changed by overwriting the currently used one. In this
case the old policy is replaced by the new policy and is automatically
utilize.
Writing a value to the 'buffer_size' file changes the appointed size of
the trace buffer. This value is only evaluted by reactivating the
tracing process.
The content of the trace buffer may be accessed by reading from the
'events' file. Throughout all tracing session new trace events are
appended to this file.
Nodes of UNTRACED subjects are kept as long as they do not change their
tracing state to DEAD. In this case all nodes are removed from the
file system. Subjects that were traced before and are now UNTRACED will
only be removed by writing '1' to the 'cleanup' file - even if they
are DEAD by now.
To use the trace_fs a config similar to the following may be used:
! <start name="trace_fs">
! <resource name="RAM" quantum="128M"/>
! <provides><service name="File_system"/></provides>
! <config>
! <policy label="noux -> trace" interval="1000" subject_limit="512" trace_quota="64M" />
! </config>
! </start>
'interval' sets the periode in which the Trace_session is polled. The
time is given in milliseconds.
'subject_limit' speficies how many trace subject should by acquired at
most when the Trace_session is polled.
'trace_quota' is the amount of quota the trace_fs should use for the
Trace_session connection. The remaing amount of RAM quota will be used
for the actual nodes of the file system and the 'policy' as well as the
'events' files.
In addiition there are 'buffer_size' and 'buffer_size_limit' that define
the initial and the upper limit of the size of a trace buffer.
Tracing of parent processes or rather threads may be enabled by setting
'parent_levels' to a value greater than '0' (though this attribute is
available, the trace session component within core still lacks support
for it).
A ready-to-use runscript can by found in 'ports/run/noux_trace_fs.run'.
Fixes#1049.
Until now, block drivers had to deal with a pointer to the client
session component, e.g.: to acknowledge block packets already processed.
When a session was closed, the driver object wasn't informed explicitly,
which leads to defensive programming, or lastly to a race-condition in
test-blk-srv. To prevent from this class of errors, the pointer is now
private to the generic block driver base class, and not accessible to
the concrete driver implementation. Moreover, the driver gets explicitly
informed when a session got invalidated.
Ref #113
This block cache component acts as a block device for a single client.
It uses fixed 4K blocks as caching granularity, thereby implicitly reads
ahead whenever a client requests lesser amount of blocks. Currently,
it only supports a least-recently-used replacement policy.
Fixes#113
When using the server framework, it might happen that the main thread
tries to forward a signal to the entrypoint, while the context of that
signal is already destroyed. In that case the main thread will get an
ipc error exception as result.
Related to #113
Instead of terminating tool/tool_chain when finding the first
missing tool, this patch runs all checks to completion before
bailing out. This eases finding missing programs, because the
user has to run the script only once to get a list of all missing
software.
Fixes#1046Fixes#1047
On 64-bit platforms Qt's JavaScript engine tries to reserve 1GiB of
virtual memory via 'mmap()', to be backed by physical memory on demand.
Genode's 'mmap()' implementation currently does not support on-demand
allocation of physical memory and tries to allocate the whole amount at
once, which is usually far more than needed.
With this patch, the amount to be reserved gets decreased to 32MiB.
Fixes#1041.
The x86_64 ABI requires the stack pointer to be 16-byte aligned before the
call of a function and decreased by 8 at the function entrypoint (after
the return address has been pushed to the stack).
Currently, when a new Genode thread gets created, the initial stack
pointer is aligned to 16 byte. On Genode/Linux, the thread entry function
is entered by a 'call' instruction, so the stack pointer alignment at the
function entrypoint is correct. On Fiasco.OC and NOVA, however, the thread
entry function gets executed without a return address being pushed to the
stack, so at the function entrypoint the stack pointer is still aligned to
16 byte, which can cause problems with compiler-generated SSE
instructions.
With this patch, the stack pointer given to a new thread gets aligned to
16 bytes and decreased by 8 by default, since most of the currently
supported base platforms execute the thread entry function without pushing
a return address to the stack. For base-linux, the stack pointer gets
realigned to 16 bytes before the thread entry function gets called.
Fixes#1043.
- 'kill()' syscall added
- 'wait()' gets unblocked when a signal occurs
- syscalls can get called from a signal handler without corrupting the 'sysio' object
- the child's exit status gets correctly reported to 'wait()'
- SIGCHLD gets ignored by default
- pending signals survive 'execve()'
Fixes#1035.
Delete operators with additional allocator reference/pointer parameters
are needed if the constructor of an 'new(allocator)' allocated object
throws an exception. Also, destroy now uses the operator to free memory
and provides variants with allocator reference and pointer.
The commit includes a simple test scripts 'run/new_delete', which
exercises the several 'delete' cases.
Related to #1030.
Use a bit allocator for the allocation management of thread contexts,
instead of holding allocation information within the Thread_base objects,
which lead to race conditions in the past.
Moreover, extend the Thread_base class interface with the ability to
to add additional stacks to a thread, and associate the context they're
located in with the corresponding Thread_base object. Additional stacks
can be used to do user-level scheduling with stack switching, without breaking
Genode's API.
Fixes#1024Fixes#1036
Change the template parameter for Bit_allocator, and Bit_array. Instead of
assigning words to be used by the bit array, you can now tell the count of
items that shall be used.
Moreover, some dead code, previously using the Bit_allocator, was removed.
Related to #1024
Splitting the new Genode::Deallocator interface from the former
Genode::Allocator interface enables us to restrict the accessible
operations for code that is only supposed to release memory, but not
perform any allocations.
Additionally, this patch introduces variants of the 'new' operator
that takes a reference (as opposed to a pointer) to a Genode::Allocator
as argument.
By assigning the file name as label, we may become able to remove the
filename argument in the future by just interpreting the last part of
the label as filename. By keeping only the label, we won't need to
consider conditional routing (via <if-arg>) based on session arguments
other than the label anymore.
The new Attached_dataspace complements the existing Attached_*
utilities with a simple version that can be used with any kind of
dataspaces. It may be even useful as a common base type for the other
variants. For example, this patch simplifies Attached_rom_dataspace
and removes the Terminal::Client::Io_buffer.
This patch integrate the scout widgets with Genode's new API headers
'util/geometry.h', 'os/surface.h' and 'os/texture.h'. Thereby, we get
almost rid of the platform-abstraction shim that was never used anyway.
Furthermore, it extracts the parts that are worth reusing from the
scout implementation to the public location 'demo/include/scout'.
This patch re-arranges nitpicker's graphics backend in a more modular
and expandable way. Generalized versions of the 'Canvas',
'Chunky_canvas', and 'Pixel_*' classes have been moved to
'os/include/util/' and 'os/include/os'. The only remaining parts that
are specific to nitpicker's needs are a few drawing functions, each
located in a distinct header at 'os/include/nitpicker_gfx/'.
This patch makes nitpicker's geometry utilities available for the use
by other programs. Thereby, the 'Point', 'Area', and 'Rect' classes
have become templates that take the coordinate type and distance type
as arguments.
Unless '-ignorestderr' is set on 'exec' in expect, any output on stderr
is interpreted as execution failure. In this case, 'create_iso' logs
some diagnostics but does not fail.
We repeatedly promote our ISOs to be bootable from USB storage.
Therefore, we have a hard dependency on 'isohybrid' and should fail in
the case that the tool is missing.
Access to a block session is provided by using the block file system.
By specifying the label, each block session request can be routed to
the proper block session provider:
! <fstab>
! ...
! <dir name="dev">
! <block name="blkdev0" label="block_session_0" />
! </dir>
! ...
! </fstab>
In addition to this file system, support for the DIOCGMEDIASIZE ioctl
request was added. This request is used by FreeBSD and therefore our
libc to query the size of the block device in bytes.
Fixes#1010.
All source codes of the glue code between Vancouver and Genode that were
based on existing GPL code had already stated that Genode Labs is not
the sole owner of the code. To make the distinction between the Genode
OS framework and the glue code more clear, this patch removes the text
"is part of the Genode OS framework" from the glue code.
Instead of, passing responsibility to manage and dissolve Signal_rpc_member
objects at a corresponding entrypoint to the user, hand over entrypoint's
reference to the constructor, and do it in the constructor resp. destructor
of the class.
Fixes#1022
Both base/src/test/thread and base-okl4/src/test/okl4_03_thread used the
same target name, which ultimately confused the build system when
building on OKL4.
File systems using the File_system_session interface can now be
synchronized by using this syscall. This is needed for file system
that maintain an internal cache, which should be flushed.
Fixes#1008.
Users of a File_system_session might want to force a file system
to flush or rather to synchronize its internal cache. A concret
default implementation is provided because not all file systems
maintain an internal cache and are not required to synchronize
caches.
Fixes#1007.
Fail hard if no large enough virtual memory area can be found where to map
the memory from the kernel to core.
Additionally clear dataspaces in junks if it can't be done in one large junk.
Fixes#1011
Make 'set_program_var' accessible outside of 'rtld.c'. Also, compile
dynamically linked programs with the '-fPIC' option. Doing not so,
yields to program-global symbols being put in the '.symtab' section
(which can be stripped) only. In order to get access to global
variables from the dynamic linker, the symbols need to reside within
the '.dynsym' section additionally. Hence the '-fPIC'.
ref #989fix#1002
If an RM client gets dissolved the RM server tries to first
dissolve and then destruct the according pager object. As pager objects
previously cancelled unresolved faults only in destructor the dissolve
operation blocked forever when an unresolved fault existed.
As every pager object should get dissolved before it gets destructed
(signal-context complains otherwise) no more unresolved-fault cancelling
is needed in the destructor.
ref #989
As synchronization of signal contexts is now the users business instead of
cores and the signal framework ensures that every context of a receiver gets
synchronously destructed before the destruction of the receiver itself
synchronization and thus blocking at the destruction of a kernel
receiver-object isn't necessary anymore.
ref #989
Kernel::signal_context_kill can be used by any program to halt the processing
of a signal context synchronously to prevent broken refs when core destructs
the according kernel object. In turn, Kernel::bin_signal_context doesn't block
anymore and destructs a signal context no matter if there are unacknowledged
signals. This way, cores entrypoint doesn't depend on signal acks of a
untrustworthy client anymore.
ref #989
In the future bin_* means the direct destruction of a kernel object
without any blocking. kill_* in contrast is used for bringing a
kernel object such as signal contexts synchronized into a sleeping
state from where they can be destructed without the risk of getting
broken refs in userland.
ref #989
To remap its UTCB to its context area later, a main thread needs
to know the according dataspace capability. This is done through
the start-info it receives from its creator at startup.
ref #989
I have no idea where the previous default alignment = 2 in the unsynchronized
singleton came from but as at least the Arndale IC-driver in base-hw needs an
alignment of 4 = address width, unmanaged singleton now uses sizeof(addr_t)
as default alignment.
ref #989
An unmanaged singleton is a singleton object that isn't
constructed or destructed implicitly through the C++ runtime
enviroment. The new header provides a helper to create such objects
and is located in src/base/include.
ref #989
* Increase entrypoint stack size for part_blk server,
since it crashes on 64 bit
* Consider packet alignment in bulk buffer size calculation of test-blk-cli
* allow to handle a maximum of packets in parallel
that fits free slots in the ack queue
* stop processing packets, when the driver can't handle
more requests in parallel, and resume packet handling,
when the driver is ready again
As hw_arndale is a bit slower than foc_arm and spawn_serial timing
calculation has changed in general, timeouts of noux_tool_chain_auto test
must be adjusted.
fix#996
The Genode-specific implementation of 'QWaitCondition' contains a race
condition which can make the 'qt5_samegame' application hang on Fiasco.OC.
Since most of the pthread synchronization functions needed by the
UNIX-specific implementation of 'QWaitCondition' and 'QMutex' are
available now, we can use these now instead of fixing and keeping
the Genode-specific implementation.
Fixes#993.
Instead of using an additional thread in each Session_component of a
block server, which uses the generic block component and driver classes,
replace it with signal dispatchers.
Ref #113
With 64K stack size, when doing 'make core' in noux on base-hw, the main thread
of /libexec/gcc/arm-elf-eabi/4.7.2/cc1plus runs into a stack overflow during
the compilation of core/main.o . Thus raise the stack size to 128K.
fix#964
The previously used RAM 0x0..0x10000000 was just an alias for
0x70000000..0x80000000. Qemu provides up to of 768 MB RAM with the
correct -m argument. This RAM is located at 0x70000000..0x90000000 and
0x20000000..0x30000000. At least the noux_tool_chain scripts are
happy to have that much RAM.
ref #964
For PBXA9 qemu adjusts provided RAM chips to the -m arg. Thus we
filter user values and force value that enables all chips that Genode
expects to be available. Not doing so leads to inexplicable errors.
ref #964
Makeinfo versions greater 5 treat an @itemx that isn't preceeded by an @item
not as warning anymore but as error. The GCC version 4.7.2 that is used by
noux currently triggers this error multiple times. This commit adds a patch
to 'make prepare PKG="gcc"' that avoids the use of @itemx without preceeding
@item. As GCC versions greater than 4.8 should fix this problem by themselves
this should be seen as temporary quick fix.
ref #964
At least with base-hw, the endless loop at the end of the fork
parent slows execution of the fork child dramatically. Using
libc function pause() is a cleaner solution anyways.
ref #964
When using the initial SP of a main thread for the UTCB
startup-argument, fork_trampoline in libc_noux gets broken.
The function expects the SP to be initialized already in contrast
to the _start function in crt0.s that is called for processes that
are not forked. As the main-thread UTCB is located at the same virtual
address for every PD anyways, we can circumvent this problem by
defining it statically.
ref #964
Struct Msg was introduced due to the handling of pagefaults
and interrupts via synchronous IPC. Its only purpose was to provide
the message type in front of the typed message. Now pagefaults and
interrupts are handled via signals and struct Msg is not necessary
anymore.
ref #958
If the script is executed with an obscure path (e.g.,
'../tool/autopilot'), just taking the argv0 string fails. Therefore, the
file path is now normalized prior to the directory detection.
This patch enables experimental QML support in Qt5.
Only the QtQuick plugin is available yet.
Currently runs best on Linux and has some problems on NOVA and Fiasco.OC.
Fixes#979.
Replace the static lock with the file descriptor lock because recursive
calls of p{read,write} would result in a deadlock when using multiple
libc-plugins at the same time.
Fixes#948.
This FUSE implementation consists of libfuse, which provides a
subset of the FUSE 2.6 API and libc_fuse, which provides support
for accessing FUSE based file system via the libc.
Fixes#942.
In addition, file-system tests will use the AHCI driver instead of the
ATAPI driver. This change side-steps certain issues with Qemu's IDE
emulation.
Fixes#942.
Since RM sessions can be used as dataspaces and dataspace sizes are
supposed to have page granularity, RM session sizes should have page
granularity, too.
Fixes#972.
Among other changes, this patch makes it possible to let Mesa render into
a user-provided buffer instead of the screen. This can be achieved with
the 'eglCreateWindowSurface()' function, which takes a buffer
description as third argument.
Fixes#974.
One of the Qt5 patches is supposed to create symbolic links, which is not
supported by GNU patch before version 2.7. Using 'git apply' to apply the
patches solves this problem.
Fixes#969.
In programs with dynamic linker, _main and thus also platform_main_bootstrap
are called twice. By now, platform_main_bootstrap tried to always access the
startup message in the UTCB of the main thread that gets overridden till the
second call.
fix#967
Since dde_linux now contains the port of the Linux IP stack available for all
Genode base-* platforms move the repository out of drivers_arm and drivers_x86
build.conf to the optional build.conf (available to all platforms).
To support components, which implement the block session's server side
rpc object, and which doesn't write data to their device backend immediately,
an additional synchronization call is needed. Thereby, clients like for
instance a file system can tell these components, when a synchronization is
required.
Ref #113
Issue #949
Related to issue #808 - one way to nearly double the maximum VM size for
VMs on 32bit Genode/Nova host if decreased performance is acceptable.
To ease the creation of custom virtual machine monitors on top of
NOVA, this patch moves generic utilities from vancouver resp. seoul to the
public include location 'ports/include/vmm'. As a nice side effect,
this change simplifies 'vancouver/main.cc'.
Issue #949
The platform driver is used to access the features provided by the
Videocore mboxes, i.e., power configuration and framebuffer setup. The
framebuffer driver uses the platform interface to setup a screen mode of
1024x768.
At the current stage, the USB HID and storage drivers are prinicpally
working but not stable. If interrupts are not processed fast enough,
devices will get sporadically disconnected.
The USB host-controller driver is not part of the normal Linux kernel.
For this reason, we need to download it separately. There exists a
'prepare_rpi' rule in the 'dde_linux/Makefile' to automate this process.
This patch principally allows to install symlinks to out-of-Linux tree
drivers into the contrib directory. Those files are then considered for
the 'lx_emul.h' symlink procedure. Is useful as a temporary mechanism
while developing the rpi USB driver.
When saving/resuming translation table base registers, and data fault register
a VMM is able to translate the VM's virtual addresses, and to analyse aborts
it has generated.
Every thread receives a startup message from its creator through the initial
state of its userland thread-context. The thread-startup code remembers the
kernel name of the new thread by reading this message before the userland
thread-context gets polluted. This way, Kernel::current_thread_id becomes
unnecessary.
fix#953
Don't set priority and label in platform thread and then communicate this
core object via Kernel::new_thread but communicate priority and label directly.
This way kernel doesn't need to know anymore what a platform thread is.
ref #953
Instead of writing initial thread context to the platform-thread members
and then communicating this core object to kernel, core calls
Kernel::access_thread_regs first to initialize thread context and then
Kernel::start_thread without a platform-thread pointer. This way
the frontend as well as the backend of Kernel::start_thread loose
complexity and it is a first step to remove platform thread from the
vocabulary of the kernel.
ref #953
This patch enables the recursive startup of launchpad instances, which
was not possible since the recent removal of launchpad's built-in
default configuration.
Open a capability receive window according to the number of the capabilities
expected as out parameter per RPC function.
Typically the number of capabilities expected during the reply of a RPC/IPC
call is 0 to 1. Before this patch ever a capability receive window of 4 has
been opened.
On Nova the capability selectors of receive windows must be naturally aligned
to the size/order of the expected capabilities. This leads until now to the
issue that the left over 3 capabilities couldn't be reused for new IPCs since
they are not naturally aligned to 4.
Issue #905
Enable routing of thread events to signal contexts via
Kernel::route_thread_event.
Replace Kernel::set_pager by Kernel::route_thread_event.
In base-hw a pager object is a signal context and a pager activation
is a signal receiver. If a thread wants to start communicating its page
faults via a pager object, the thread calls Kernel::route_thread_event with
its thread ID, event ID "FAULT", and the signal context ID of the pager object.
If a pager activation wants to start handling page faults of a pager object,
the pager activation assigns the corresponding signal context to its signal
receiver. If a pager activation wants to stop handling page faults of a pager
object, the pager activation dissolves the corresponding signal context from
its signal receiver. If a thread wants to start communicating its page faults
via a pager object, the thread calls Kernel::route_thread_event with its
thread ID, event ID "FAULT", and the invalid signal context ID.
Remove Kernel::resume_faulter.
Move all page fault related code from generic kernel sources to CPU
specific cpu_support.h and cpu_support.cc.
fix#935
Provide core-local signal service before other services to enable the use
of signal connections while initialzing the other services. This has been
introduced due to the use of the signal framework by the pager lib in
base-hw (RM service).
ref #935
DosBox is DOS-Emulator which is mainly used for playing old
DOS games on POSIX systems and newer Windows versions.
This port of DosBox runs natively on Genode by using its
SDL backend. It is currently only works on x86_*.
Fixes#937.
This patch changes the noux.run script to use the new log_terminal
component instead of an UART driver. Besides being a nice way to test
the log_terminal service, the new version is much simpler and it just
became compatible to Linux as it no longer relies on an UART driver.
Issue #947
Since we switched to using C++11 by default, the webkit-related
parts of qt4 failed to compile because of C++11 compatibility
issues. This patch disables the use of C++11 for the offenders.
There are programms that use struct stat's st_ino field to check certain
conditions. Since we are using multiple filesystems in a noux session we
cannot use the inode number which the actual filesystem provides.
Therefore we calculate a random inode number by hashing the stated path.
Fixes#299.
A timer session is now used instead of a jiffy counter. This way, libSDL
can use a time source that is not bound to the granularity our libc's
nanosleep implementation. Currently, the granularity of nanosleep is in
the order of 10 milliseconds, which is far to coarse for the use of
SDL-using applications such as DosBox.
Fixes#934.
In general, requesting a dataspace from a server twice is no good
idea. The server might react in a unrecoverable fashion. E.g. the rom_fs
service always throws away the corresponding dataspace from the first call
of dataspace(), and constructs a new one.
This patch adds a 'gdb' command to 'cli_monitor', which makes it possible
to debug an application with GDB.
The command works similarly to the 'start' command, but instead of
starting the subsystem binary directly, an 'init' subsystem gets
started, which then starts 'terminal_crosslink', 'noux', GDB and
'gdb_monitor' (which starts the application binary as its target).
So, for the 'gdb' command to work, these additional components need to
be available, too. 'terminal_crosslink', 'noux', 'gdb_monitor' and the
file 'gdb_command_config' are expected to be ROM modules. The Noux GDB
client needs to get mounted at '/bin' in Noux and the target binaries need
to be available as ROM modules (loaded by 'gdb_monitor') and also mounted
at '/gdb' in Noux (loaded by the GDB client).
Additionally, the source code of the target application can be provided
at '/gdb/src/ in Noux. How the Noux mountings get established can
be configured in the 'gdb_command_config' file. The default configuration
in 'os/src/server/cli_monitor/gdb_command_config' mounts GDB from a tar
archive named 'gdb.tar', the GDB target binaries from a tar archive named
'gdb_target.tar' and the target source code from a tar archive named
'gdb_target-src.tar'.
The patch includes an 'expect' include file (ports/run/noux_gdb.inc)
which provides functions that help to create those tar files:
- 'create_gdb_tar' creates a tar archive for the 'gdb' client
- 'create_binary_tar' creates a tar archive for the target application
- 'create_source_tar' creates a tar archive for the source code of
the target application
- 'create_binary_and_source_tars' is a convenience wrapper for the previous
two functions
The patch also includes an example run script
(ports/run/noux_gdb_dynamic.run).
The 'gdb' command supports the following command line options:
- --ram: the initial RAM quota provided to the whole subsystem
(including the GDB-related components)
- --ram-limit: limit for expanding RAM quota
- --gdb-ram-preserve: the RAM quota that 'gdb_monitor' ahould preserve
for itself
Fixes#928.
When a child requests more ram resources, it gets blocked immediately when
the preservation limit is reached. Otherwise, it might happen that the
cli_monitor runs out of memory.
When a command was executed, it is necessary to check not only whether the
preservation limit of the ram quota is reached, but also whether new ram quota
is available (e.g.: consequence of the kill command), and children are waiting
for additional resources.
Implement a ballooning mechanism in L4Linux similar to solutions like XEN's
balloon driver. Therefore the new parent interface extensions for requesting
and yielding resources are used. L4Linux registers a yield signal context at
its parent. Whenever the parent triggers a yield, the balloon driver blows up,
which means it requests all pages available, and then frees the corresponding
backend memory.
This patch changes the interface of Nitpicker to support dynamically
dimensioned virtual frame buffers. This solves two problems:
First, it enables a client to create a connection to nitpicker without
donating much session quota in advance. The old interface required each
screen-size-dependent client to donate as much memory as needed to
allocate a screen-sized virtual framebuffer. For clients that are
interested int the screen size but cover just a small portion of the
screen (e.g., a banner, a menu, an applet that sits in the screen
corner), this overprovisioning is painful. The new interface allows such
clients to upgrade the session quota for an existing session as needed.
Second, because each nitpicker session used to have a virtual frame
buffer with a fixed size over the lifetime of the session, a client that
wanted to implement a variable-sized window had to either vastly
overprovide resources (by opening a session as large as the screen just
in order to be prepared for the worst case of a maximized window), or it
had to replace the session by a new one (thereby discarding the stacking
order of the old views) each time the window changes its dimensions. The
new interface accommodates such clients much better.
This patch implements the POSIX signal functionality needed to interrupt a
running Noux GDB by pressing 'Ctrl-C'.
It allows to register a signal handler for the 'SIGINT' signal, which
gets executed after 'Ctrl-C' is received from the terminal. With the
current state of the implementation, the signal handler only gets executed
when the Noux application calls a 'read()', 'write()', 'ftruncate()' or
'select()' syscall.
Fixes#923.
With this patch, the 'Ring_buffer' class can be made unsynchronized by
setting the 'Ring_buffer_unsynchronized' policy as third template
argument.
Fixes#922.
USB HID gets stuck due to strange kernel error
as HDMI starts simulatnously. This workaround
delays HDMI init by a second (only in case we
build for Exynos5 & FOC with USB) to let
scenarious like demo get their USB HID started
without much CPU load.
ref #796
For the framebuffer driver of the i.MX53 platform to work even when u-boot
didn't prepared the display previously, there were some IOMUX routes missing.
Fixes#914
By now, only one button press/release event per IRQ was handled correctly.
Pressing and/or releasing several buttons concurrently could bring the input
driver into an inconsistent state.
Fixes#913
* Remove far too low default values from Nic::Connection constructor
* Extend lwip initialization function with desired TX/RX buffer sizes
* Add configuration possibility to libc_lwip_dhcp plugin to define
buffer sizes, like the following:
'<libc tx_buf_size="1M" tx_buf_size="1M"/>'
Fixes#892
Previously, if two ID allocators for different kernel objects had the
same size, the kernel-object framework managed both objects types
through the same allocator instance. This is caused by the use of
unsynchronized singletons in the accessor functions and can be avoided
by creating new types through inheritance instead of using typedefs.
Anyways, this fix is a little bit ugly and should replaced by avoiding
the use of unsynchronized singletons in the future.
fix#906
At this point we cannot close the connection anymore because all
mappings are gone and the needed stack is invalid. This is not a
problem since process will be discarded anyway.
Fixes#909.
With this patch, the register contents of a paused thread (which is not
currently executing a syscall) can get modified by the
'Cpu_session::state()' function.
Fixes#896.
The copy constructor of Signal did not copy the Signal::Data contents of
the copy source. This bug could survive undetected because the compiler
can optimize code in a way, that copy constructor and destructor are not
necessary when returning by value from simple functions. I assume that
it creates the object in CPU registers instead of RAM and reuses it
instead of copying it to save time. This way the bug triggered first
after wait_for_signal was changed in a way that avoided optimization.
ref #912
In hybrid mode, all programs are dynamic executables and ld.lib.so is
not supported. Therefore, only the "static" variant of the test can be
build and executed.
This change allows for the testing of cli_monitor's automatic resource
balancing by executing the following command:
start ram_eater --ram-limit 1G --count 5
The command starts 5 instances of a RAM-eating process, which is,
however, able to yield resources when instructed. The RAM quota for the
processes gets automatically extended because of the overly large limit
of 1 GiB, which is far more than CLI monitor's RAM resources (100 MiB).
When the RAM usage hits the preservation limit, CLI monitor broadcasts
yield requests to each ram_eater instance, which allow the scenario to
remain alive.
If a local thread is attempted to be 'pause'd via cpu_session, don't wait
until it gets into the recalled state. If the caller is lucky it is, if not
return only the stack pointer.
Avoids deadlocking of the gdb when attached to a process running a server.
Issue #478
The 'pause' call on base-nova assumes that a thread can solely block in its
associated semaphore. Main reason is that so core can unblock a thread in order
that the recall exception gets delivered and the register state can be
obtained.
Unfortunately the signal session implementation creates a semaphore, which is
unknown by the pager code. Instead create the semaphore via the pager of the
thread, so that the pager can unblock the signal thread when a pause is issued.
Issue #478
If a thread caused a page fault and later on get be paused, then it left
the recall handler immediately due to the pause call instead of staying
in this handler.
Add some (complicated) state machine to detect and handle the case. Still not
waterproof, especially server threads may never get recalled if they never get
a IPC from the outside.
Fixes#478
This patch introduces new commands for dynamically balancing RAM between
subsystems. The 'status' command prints a table with the RAM status of
each subsystem. The 'ram' command changes the quota or a quota limit of
a given subsystem. The quota limit can be defined to allow the on-demand
expansion of the quota. Finally, the 'yield' command can be used to
instruct a subsystem to yield a specified amount of resources.
For trying out the new commands, a so-called 'ram_eater' example has
been added to the 'terminal_mux.run' scenario. This program simulates a
subsystem with a growing demand for resources, yet with the capability
to yield resources when instructed by the parent (i.e., cli_monitor).
Besides implementing the new features, the patch splits the
implementation of 'cli_monitor' into multiple files.
In order to be able to dynamically balance resources of slaves, we need
to provide an accessor to the slave's RAM session and a way to issue
yield requests.
The new 'String' buffer type is meant to replace the manually created
character buffers that are scattered throughout Genode. It plainly holds
a null-terminated string to be stored as a member variable (e.g., a
session label) or passed as RPC argument. It is not intended to become a
string API.
Revised region management detects region conflicts by using _soft_
mappings per default. Overmapping is activated for population of managed
dataspaces only. For more information see header documentation of
base-linux/src/base/env/rm_session_mmap.cc.
Fixes#883.
To prevent multiple execution of main-bootstrap, I moved the code to a
statically initialized object. The reason for this change is that
_main() is exeuted twice when starting dynamic binaries. Now, the object
is part of the base-common library which is linked with ld.lib.so.
Deleting the generated 'launchpad.config' file is a bad idea because in
contrast to most base platforms, on Linux, we merely create symlinks
from the 'var/run/demo/' directory to the 'bin/' directory instead of
copying the files.
For ARM support on N900, commit 4a9b1c6 changed the process library to
start dynamic binaries directly depending on the Linux kernel to comply
to the interp section info ("ld.lib.so"). This seems not required on
more recent platforms or kernel versions and also introduced challenging
corner cases in region handling on Linux. Therefore, this commit
restores the original behavior.
This patch makes sure that a line break is printed before the test
finishes. This way, the "Test succeeded" message is printed on a new
line, which was not always the case (i.e., on Pistachio) otherwise.
The macro 'enter_kdebug' appended the 'text' argument immediately after
the '"' literal. Apparently, the old C++ standard accepted this code but
the new standard is more strict.
Statically configured NIC bridge clients must be configured via
<policy...> nodes in the config. Otherwise, the bridge can't answer ARP
requests or route traffic.
After announcing the NIC service, the bridge connects to the driver to
ensure to see any incoming traffic in case the client itself only reacts
on connects from LAN (e.g., the netperf server).
Also, some styling issues were fixed.
Both 'platform_session/capability.h' and 'platform_session/connection.h'
do not contain platform-specific information. By moving them from
'include/platform/imx53/platform_session/' to 'include/platform_session/',
this patch enables other platforms to reuse them.
Prior this change, the attempt to re-schedule a timer from its timer
handler resulted in a clear '_pending' flag. This caused the timer event
to disappear from the scheduling queue without the handler being called
ever again. By resetting the '_pending' value before calling the hander,
we prevent a re-scheduled '_pending' flag to be cleared immediately
after calling the handler.
On non-PC platforms, the variable 'build' remains undefined, which lets
the 'build $build' step fail. Use the traditional 'build_components'
variable instead. As a further plus, this avoids multiple passes of the
build system.
With this patch, if an ELF dataspace to be executed does not have a path
in the host file system, the dataspace content gets copied into a
temporary file whose path can be given to 'execve()'.
Fixes#879.
This patch updates the launchpad config to use XML attributes and
removes the built-in default configuration (which is only meaningful
for demo.run anyway).
By splitting Session_policy into two classes, we make it more flexible.
Originally, the constructor accepted solely an args string, which made it
unusable for situations where we already have extracted the session
label (e.g., stored in the session meta data of a server). Now, the
extraction of the label from the args string is performed by the new
Session_label class instead, which, in turn, can be passed to the
constructor of Session_policy.
This change causes a minor API change. The following code
Session_policy policy(session_args);
Must be turned into
Session_label label(session_args);
Session_policy policy(label);
This patch overhauls the signal handling of nitpicker to clear the way
towards dynamic reconfiguration. Furthermore, it moves the
implementation of the global-keys handling and input utilities to
separate files.
Originally, the convenience utility for accessing a process
configuration came in the form of a header file. But this causes
aliasing problems if multiple compilation units access the config while
the configuration gets dynamically updated. Moving the implementation of
the accessor to the singleton object into a library solves those
problems.
This patch adds support for iterating through a const list. This allows
users of lists to be more rigid with regard to constness. Furthermore,
the patch adds the function 'List::insert_at' for inserting an element
at a specified position. By adding this function, we can remove code
duplication in nitpicker.
To enable the specification of key names in configuration files parsed
at runtime, we need the association between key-code values and their
respective names.
binary_ds cap is attempted to free up twice by
_root_dir->release(_name, _binary_ds) in ~Child de-constructor and by
Static_dataspace_info _binary_ds_info de-constructor.
This commit keeps all binary related information inside a struct which gets
freed up after all noux session book keep cleaning is done.
Issue #485
The netperf test configures the target Genode system for with
10.0.2.55/24. Also, nic_drv on base-linux uses the virtual ethernet
device 'tap0', which must be configured for the test user and network
address 10.0.2.1/24 on the test host like follows.
tunctl -t tap0 -u <user running test>
ip address add 10.0.2.1/24 dev tap
ip link set tap0 up
This patch moves the GDB commands to set a breakpoint in the 'main()'
function into a separate file that can be included from other run scripts.
Fixes#876.
If the path of a Genode source file (as extracted from the binary test
application) contains a part like '/a/b/../' where '/a' exists, but '/a/b'
does not exist anymore, 'tar' complains. With this patch, the run script
normalizes the path before calling 'tar'.
Fixes#875.
- if no affinity was set for a new thread before calling
Cpu_session::start(), the CPU session's affinity gets set for this
thread
- documentation fix: <affinity_space> -> <affinity-space>
Fixes#873.
In case there is not enough quota left to create the trace buffer
or trace policy dataspace throw Out_of_metadata explicitly instead
of rethrowing the Ram_session::Quota_exceeded exception. Now one
can catch Trace::Out_of_metadata exception in a client application.
In addition fix Allocator_guard::withdraw() checks because this
method does not throw any exceptions and a failed withdrawal goes
unoticed.
Fixes#871.
This patch adds some of lwip's checksum calculation options to the
Genode-specific 'lwiptops.h' configuration file. The checksum calculations
are enabled by default.
Fixes#868.
Instead of using msleep to sleep periodically, and then increase jiffies
counter in the alarm scheduler implementation of the timed semaphore
use the 'trigger_periodic' call introduced by the change of the timer session
interface into an asynchronous one. Thereby, we can reduce the necessary IPC
communication with the timer service effectively.
Ref #35
As it turns out using -fPIC was not the issue but discarding certain
sections. The policy_module_table is now located in .data.rel which
needs to be at the beginning of the binary.
Fixes#849.
The regions reported by the RMRR structure are used by legacy devices for DMA
requests. Theses would need to be added to the device_pd to avoid DMAR faults
when used in legacy mode.
For now parse and print them, so that one has a clue about why we get DMAR
faults.
Issue #683
Be more robust. If the attachment fails continue to operate and just print a
error message. Before the commit the device_pd stopped to operate if an
attachment did not succeed.
Issue #683
Only the directories and files which were created in the first place
by the libc port should be removed. Thereby ignore the exit code of
the find command to prevent GNUmake from stopping its execution.
Fixes#841.
Don't account the boottime to the actual compile time - since it varies quite
a lot if somebody else utilize the network with lwip tests for example ;-).
Syscall binding functions which use '__L4_INDIRECT_CALL' need to tell the
compiler that the 'edi' register gets modified. Since 'edi' is an input
operand and input operands may not get added to the clobber list, this
patch defines 'edi' also as an output operand instead.
Fixes#834.
At least 64bit Seoul dies with Region_conflict reliable and reproducible.
When during startup of Seoul some Genode code (caused by executing some
constructors) try to attach a region, the region manager code in the rm_session
will try to place the attachment at the smallest large enough aligned free
virtual region.
For now, I observed one attachment causing trouble (but not knowing who causes
this - it does also not really matter). The questionable region is 0x4000 of
size for 32bit and 0x8000 of size for 64bit.
To steer the region manager a bit, we try now following trick:
With this commit the load address of the binary for 32 and 64 bit is moved
close to the end of the virtual address space, but leaving enough free virtual
space for the above observed attachment (and a bit more).
The region manager code now will try to fill up the virtual region behind
the binary up to the end of the virtual address space, effectively letting the
lower virtual region untouched - hopefully.
Works for now, but it will break again - for sure.
Fixes#519
To avoid build conflicts with Qt5, with this patch, 'qt4_deprecated' needs
to be added to the 'SPECS' variable (in specs.conf) when building for Qt4.
Issue #345.
By now Signal_session_component has allocated initial SLAB
blocks in constructor, wich crashed with the root
components assumptions about the RAM quota needs of
session creation. Thus, if the background allocator was already
exhausted from component allocation the session was created
with broken initial SLAB blocks.
fix#574
If a script is executed which uses a interpreter that does not exist the
construction of the child fails and potentially leaks memory because the
wrong delete operator is called.
Therefore the binary dataspace of the script and the binary dataspace of
the interpreter are now checked before a new child will be created.
Fixes#812.
The assignment of affinities consists of two parts, the definition
of the affinity space dimensions as used for the init process, and
the association sub systems with affinity locations (relative to the
affinity space). The affinity space is configured as a sub node of the
config node. For example, the following declaration describes an
affinity space of 4x2:
<config>
...
<affinity_space width="4" height="2" />
...
</config>
Subsystems can be constrained to parts of the affinity space using
the '<affinity>' sub node of a '<start>' entry:
<config>
...
<start name="loader">
<affinity xpos="0" ypos="1" width="2" height="1" />
...
</start>
...
</config>
This patch extends the 'Parent::session()' and 'Root::session()'
functions with an additional 'affinity' parameter, which is inteded to
express the preferred affinity of the new session. For CPU sessions
provided by core, the values will be used to select the set of CPUs
assigned to the CPU session. For other services, the session affinity
information can be utilized to optimize the locality of the server
thread with the client. For example, to enable the IRQ session to route
an IRQ to the CPU core on which the corresponding device driver (the IRQ
client) is running.
This patch introduces new types for expressing CPU affinities. Instead
of dealing with physical CPU numbers, affinities are expressed as
rectangles in a grid of virtual CPU nodes. This clears the way to
conveniently assign sets of adjacent CPUs to subsystems, each of them
managing their respective viewport of the coordinate space.
By using 2D Cartesian coordinates, the locality of CPU nodes can be
modeled for different topologies such as SMP (simple Nx1 grid), grids of
NUMA nodes, or ring topologies.
r3 contains the recent Nova upstream kernel version plus the Genode specific
extensions and changes as known from r2.
Additionally, the r3 branch
* contains the assign_pci patch now directly,
* adds support for cross CPU IPC,
* fixes some issues with freeing up kernel memory part of r2 and
* update the documentation a bit.
Fixes#814
* read out supported number of CPUs
* start per CPU a thread
* monitor by main thread liveness of remote CPU threads
* add a round variable
* terminate run script after a specific round or after 90s
* on qemu wait 5 rounds, on native runs 40
Add run script to autopilot list
Issue #814
This avoids a deadlock if during issuing a printf the low level IPC fails.
. Printf uses an address space local lock and if we are trying again
to make a printf we deadlock forever ...
This patch eliminates the "no attachment at..." warnings, which
were caused by a use-after-free problem of dataspaces. When a
dataspace was destroyed, the users of the dataspace were not
informed and therefore could not revert possible attachments to
RM sessions. The fix introduces a callback mechanism that allows
dataspace users (i.e., RM regions) to register for the event that
a dataspace vanishes.
The following types of dataspaces are handled:
* RAM dataspaces
* ROM dataspaces
* The process binary
* The binary of the dynamic linker
* Args dataspace
* Sysio dataspace
* Env dataspace
* managed RM dataspaces
The handling of ROM dataspaces is still not complete. When forking,
the ROM dataspace of the parent process gets just reused without
creating proper meta data ('Dataspace_info') for the forked process.
Similar issues might arise from other special dataspaces (e.g.,
args, env, sysio).
This patch removes all "no attachment at..." warnings except for
one (an attachment at 0).
Issue #485
The 'check_dev_tty()' function calls 'ttyname()', which calls the pthread
stub function 'pthread_main_np()', which prints a 'not implemented'
message. Calling 'check_dev_tty()' doesn't seem to be necessary, so this
patch removes the call.
Issue #815.
With this patch, the 'not implemented' messages of the pthread function
stubs always get printed to the Genode log console instead of stdout.
Issue #815.
Previous commit denies the creation of regions larger then the dataspace.
Noux does it by setting the default size to the dataspace size without
subtracting the offset.
Fixes#591
The rm_session implementation expects that offset + size must be
part of one dataspace. Unfortunately the parameters are not checked
properly during an rm::attach.
During an detach memory behind the actual region can be unmapped by such
bogus region entries.
Issues #591
Since RM sessions can be used as dataspaces and dataspace sizes are
supposed to have page granularity, RM session sizes should have page
granularity, too.
Fixes#799.
Forgetting to restore the old utcb content results in hard to debug bugs.
Save only the amount of word items which are actually on the UTCB.
Issue #806
Avoids the message
cxx: operator delete (void *) called - not implemented. A working implementation is available in the 'stdcxx' library
during a " new ..." which causes exceptions. Happens for seoul in disk.cc
Issue #806
The Rpc_exit call is delivered via RPC which results in a deadlock
if the Rpc_entrypoint has not been started yet. To prevent this
situation we active the Rpc_entrypoint explicitly before we call
Rpc_exit.
Fixes#811.
'alloc_skb' might now fail, the Nic component will then send a 'packet
available' signal and return. Fix broken SKB list implementation as well as
completely bogus initialization of SKBs.
Related to #778.
In this case "mv A B" works slightly different than "cp A B; rm A" as
symbolic links come into play. The statements should copy the contents
of A into the symboliv link at B (preserving it as is) and remove A. The
mv would replace the link B by the binary A.
Fixes#805.
When using certain assembler instructions, e.g. 'smc' that are
only available on some CPUs of the same architecture like ARMv7a,
it's necessary to specify the target CPU for the assembler. Otherwise
it will complain about.
Use NATIVE MAX ADDRESS EXT to retrieve last block for LBA48. Also check not only
for enabled LBA48 support but for the 'host protected area' bit before using the
LBA48 version. This is because the high order byte (HOB) data retrieval is
broken in Qemu.
Fixes#761.
Split the netperf run script into 3 ones so that it can be used more easily
in an automated run.
It is solely for foc_arndale by now.
l4linux_netperf.run - use nic via usb2.0
l4linux_netperf-usb30.run - use nic via usb3.0
l4linux_netperf-bridge.run - use nic via usb3.0 + bridge
Split the netperf run script into 3 ones so that it can be used more easily
in an automated run.
netperf.run - use native nic driver (x86) or usb2.0 (arndale, panda)
netperf_usb30.run - use native nic driver (x86) or usb3.0
netperf_bridge.run - use native nic driver (x86) or usb3.0 (arndale) and bridge
Issue #794
- use the generic 'crt0.s' for Linux
- move the read-only '__dso_handle' definition into the '.text' section
- move the '__initial_sp' definition into the '.bss' section
- remove the '_main_utcb' definition
Part of #766.
Until now the print procedure call in the Log_session_component
did contain a hardcoded 'init' string. Adding a method to filter
the session args to prefix the label and labelling the initial
Cpu_connection for the init-process enabled us to remove the
hardcoded string.
Fixes#789.
The given number of bytes is consumed but not actually allocated. This
feature may be used for accounting and use memory within core which is
in fact provided by a session client.
Fixes#792.
* Always download md5sum file and check downloaded binaries
* Extend sleep time in l4linux_netperf script, so that DHCP has enough time
* Fix regexp rule in l4linux_netperf run script to work with MAC addresses
containing only numbers
Fix#787
Sometimes the ports are not freed up quick enough by the host system after the
first test finished. The port restriction is mainly required for qemu, so don't
use it for bare metal hardware tests.
* Add platform_drv for usb_drv, sd_card_drv and ahci
* Add ahci driver and part_blk on top of it
* add linux instance using SATA partition
* add VIM using SATA partition
The window scale option (http://tools.ietf.org/html/rfc1323) patch of lwIP
definitely works solely for the receive window, not for the send window.
Setting the send window size to the maximum of an 16bit value, 65535,
or multiple of it (x * 65536 - 1) results in the same performance.
Everything else decrease performance.
We will have to check this window scale patch before using higher values.
Minor speed improvements of ~6Mbit. Additionally a ethernet frame fits now
into one memory allocation per pbuf. Beforehand two were allocated - one being
1514 bytes and another one being 2 bytes (monitored by instrumenting copy loop
in libports/src/lib/lwip/platform/nic.cc).
lwip reports via getsockopt the size of the default size of the receive buffer
to the netperf server. lwip returns 2GB and netperf server uses this value to
allocate some buffers - which of course fails with out of memory.
Reduces the "default size" to some smaller value.
With the commit we are not forced anymore to (but still can) use specific
netperf client options regarding memory allocations of the receive buffer.
MAERTS is STREAM backwards and effectively lets the netserver sends the packets
to the netperf client. So, TCP_STREAM measure the receive performance of the
lwIP stack on Genode and TCP_MAERTS the send performance of the lwIP stack
on Genode.
Normally this bench has read all data to one large buffer and
than written it back to the drive but for SATA 3 (6 Gbps) benchmarks
we would need a buffer of approximately 1.2 GB to do it this way
and reach 2 seconds bench time. Thus we use a buffer of SATA request size
and override it with every request.
This commit splits the Fiasco.OC-specific extension for the cli_monitor
into one for the Arndale platform, and one for all others. On Arndale
we add the cpu_frequency command beside the ones defined on all platforms.
Initialize and limit port speed to 3 Gbps in general because the Seagate
Barracuda 1TB throws much errors with 6 Gbps by now.
Try all port speeds from the highest to the lowest as long as debouncing fails
and try them all again in this order when falling back to slower debouncing.
Try to recover from all types of interface error.
When a port was recovered from an error during a NCQ command
get the last LBA that was accessed successfully and continue command from
this point.
Use a platform driver through the 'Regulator' service to do CMU and PMU config.
Switch off verbosity by default.
To raise expressiveness of the benchmark it dynamically adjusts the
transfer amount at any test to get a result that was measured
over a transfer time of 2000 ms at least and 2300 ms at a max.
* Retry debouncing first with a higher trial time and if this also doesn't
work with lower link speed additionaly.
* Ignore DevSlp feature because it isn't needed anyway as far as i can see.
* Relax some restrictions according the feedback of the drive as far as it
seem to have no effect in Linux too
Fix#753
The verbosity must be enabled at two levels: at compile time
via an enum that switches the availability of verbosity code
and via two members of 'Mmio' named '_read_verbose' and
'_write_verbose'. The latter are initialized to 0 (change this to
enable verbosity globally) and can be used to locally enable
(or disable) verbosity in deriving classes.
Ref #753
Currently, on the Arndale platform, core uses a different thread context
area base address than the other tasks (0x20000000 vs. 0x40000000). This
is problematic, because core calculates the location of the UTCB area of a
new thread relatively to core's own thread context area base. So, the UTCB
area of non-core threads ends up in a virtual address range which is
outside of the task's thread context area and not marked as used in the
task's RM session.
With this patch, the same thread context area base address gets used in
core and in the other tasks.
Fixes#779.
Added spec file for ARM-VFPv3 floating-point unit. This shadows
'base/include/arm/' with 'base/include/arm/vfp' and enables a 'memcpy_cpu'
version that mainly uses the FPU. Enabled VFP support for 'foc_arndale'.
Ref #773
* Implements platform driver for Arndale providing Regulator for CPU clock
* Implements a cpu frequency scaling test using the affinity test
* Fixes#770
TFTP server requiring absolute directory names are supported (better) -
specify in RUN_OPT "--tftp-absolute" to create Pulsar config with absolute
path names for PXE boot.
Additional a symbolic link is created from the build directory to
"$PXE_TFTP_DIR_BASE$PXE_TFTP_DIR_OFFSET" automatically. This eases the use
together with autopilot for x86.
Commit c464ee2e6673fe328a8717342dca30f3b0204cb8 removed the RX_BUF_SIZE from
the NIC session interface. Mistakenly, the nic_loopback server was missed
when doing this change.
The PWD variable contains the current working directory of the original
location where 'make -C' is executed, not the directory specified as
argument of '-C'. The tools referenced by ports/libports, however,
expect PWD to point to the root of the respective repository.
This patch splits the download of signatures from the download of the
archive to improve robustness. This way, signature files will be
downloaded even if the corresponding archive is already in place.
Issue #748
In fact, the sizes were the same the whole time, but by using
the same enum in both cases to instantiate the Packet_stream_tx
and Packet_stream_rx members of the e.g. RPC object, it allows
for more flexible generalization between e.g. source or, sink
objects, when programming event-driven, and implementing generic
handlers for their signals.
Just use configuration values when existent, otherwise when no configuration
is given use the default values. When an incomplete configuration is given,
take the supplied ones, and for the rest the default ones. Fix#762
Don't use the xhci USB host controller for HID and NIC in the l4linux
run script. It doesn't work on the Pandaboard, and isn't needed for the
Arndale board. Moreover, provide a MAC address, and add a providing
rule in the KDB UART driver to supress ugly warnings. Fix#763
This patch makes the handling of failed integrity checks of 3rd-party
packages more robust. Previously, a once failed 'make prepare PKG=curl'
would not leave any trace of the verification state. Hence, a successive
attempt to perform the 'make prepare' step again succeeded even if the
signature check failed.
To solve this problem, the outcome of a successful signature check is
represented by a tag file called 'download/<archive-name>.verified'.
Because the rule for extracting the archive depends on the .verify tag
file, the extraction step is not performed until the signature check
succeeds.
Issue #748
The downloaded archives for building the tool chain are checked for its
signature before using them. In case of a signature failure, the build
is interrupted.
Issue #748
The signature verification tool uses gpg to verify the detached
signature of the given file.
It also tries to obtain the signing key if it is not part of the local
key ring.
Signature verification implies the verification of the integrity and
authenticity of a given file.
Issue #748
Instead of using a fixed command like picocom in the run tool,
it's better to have the flexibility to set the whole command that
connects to the serial device. Therefore, it's possible for instance
to connect to a remote serial device exported via TCP/IP by using tools
like socat.
This patch introduces a new platform 'linux_arm' for building and running
Genode/Linux on an ARM device.
Known limitations:
- libc 'setjmp()'/'longjmp()' doesn't currently save/restore floating
point registers
Fixes#746.
With this patch, 'liquid_framebuffer' can be reconfigured at runtime.
The configuration arguments are now provided as XML attributes, matching
those for 'nit_fb'. Furthermore, two new configuration options are added:
<config ...
resize_handle="off" - show/hide a resize handle widget in the lower
right window corner
decoration="on" - show/hide window decoration
(title bar and borders)
/>
Fixes#740Fixes#14
This is a first version of the AHCI driver. It supports SATA HDDs
with UDMA-133 only, up to 6 Gbps and native command queueing.
The more blocks one transfers with one command, the higher is the
chance that the driver produces a fatal handshake error. Nevertheless
the driver is stable with one block per ATA command. Although NCQ is
used the driver doesn't queue multiple commands simultanously.
The driver was tested with a western digital HDD "WDC WD2500BEVS-08VAT1
13.01A13" (250 GB) with hw_arndale (run/ahci) and foc_arndale
(run/ahci, run/l4linux: dd). SSDs were not tested.
Fix#706
The previous version of the PS/2 mouse backend manged mouse motion
events in a strange way, effectively throwing away most information
about the motion vector. Furthermore, the tracking of the mouse-button
states were missing. So drag-and-drop in a guest OS won't work. The new
version fixes those issues. For the transformation of input events to
PS/2 packets, a the Genode::Register facility is used. This greatly
simplifies the code.
This patch replaces the error-prone manual locking with the use of the
'Synced_interface' for the motherboard and the VCPU dispatcher. It also
removes all globally visible locks. Locks are now explicitly passed to
subsystems when needed.
This patch moves the implementation of the 'Arm::memory_region_attr'
function from the generic ARM code to the ARM v6/v7 specific code
to enable the customization of page-table bits depending on the
specific CPU core type. I.e., the ARM1176 apparently does not cope
well with setting the 'Tex::bits(2)' for MMIO mappings.
This patch eliminates calls of 'cmpxchg' prior enabling the MMU. This is
needed because the 'ldrex' and 'strex' instructions do not always work
with MMU and L1 cache disabled, i.e., on Raspberry Pi.
Changes GPIO session interface to a one-GPIO-pin-per-session style. Moreover,
this commit introduces a generic driver interface for GPIO drivers. Thereby
generalizes root- and session component for GPIO.
In issue #313 the SO_RCVBUF was intended to be enabled, however the current
lwip port looks for another define LWIP_SO_RCVBUF instead of LWIP_RCVBUF.
Fixes#716
If the target machine is connected locally one may specify
"serial" as target in the RUN_OPT variable to get the test output.
Used for panda and arndale on foc and hw.
Use RUN_OPT="--target ..." to select the backend test method.
Supported values so far:
qemu - qemu + grub bootloader (default)
qemu+pxe - qemu + pulsar bootloader (PXE)
amt - Intel AMT (reset+serial output) + pulsar bootloader
Related to issue #598
A run script which sends raw ethernet packets from the host machine to the
target machine. Three tests are implemented:
- The network_stat instrumented driver of usb_drv and net_drv
are used to get the raw receive performance of the network driver.
- A simple nic_session client is receiving from the un-instrumented network
driver raw ethernet packets.
- A bridge is added between driver and simple nic_session client.
genode_until_run can be called now with a spawn id to able to reattach to a
spawned process (amt, serial output). Run scripts can now call genode_until_run
multiple times.
Additionally, we do the cleanup of the remains of a previously failed
run prior creating the run directory. Otherwise, the directly creation
may fail because of a pending bindmount.
With this patch, the thread context area RM session gets created at
program startup to have the thread context area's virtual address range
reserved right from the beginning.
Fixes#734.
This patch implies that all Genode processes try to create an RM
session. So a route to the RM service must be present even for processes
that have only a single thread. Hence, the patch contains an update of
affected components.
lwIP only supports the 'AF_INET' domain, but doesn't check the 'domain'
argument of the 'lwip_socket()' function.
This patch avoids an error message from lwIP when the Arora browser
tries to connect a socket of the 'AF_LOCAL' domain.
Fixes#732.
The parent-service registry is populated on demand by the
'Loader::Child' whenever a prior unknown service is requested. Since the
number of parent services is limited, we expect the registry to settle
after a while. However, each loader session has a private instance of
a parent-service registry. So when creating and destroying loader
sessions, parent registries will be populated again and again. We
have to make sure to discard the entries along with the destruction
of a loader session to avoid the leakage of memory.
Issue #717
Try to free the metadata of a thread only if created by Genode. The code
did not cause any actual problems. I just stumbled over the inconsistency
while reviewing the code.
Enable optinal support for double buffering in the i.MX53 framebuffer
driver. This prevents flickering in certain scenarios, where applications
directly render in the framebuffer dataspace given by the driver.
* Simplify IPU register definitions using templates
* Distinguish between i.MX53 QSB and SMD board in driver
* Support IPU specific overlay mechanism by framebuffer session extension
With this patch, the 'libc_lwip_nic_dhcp' plugin provides the DNS server
address acquired by lwIP via DHCP in the file '/etc/resolv.conf'.
This feature can be disabled from the config file:
<libc resolv="no" />
The static network interface configuration attributes are now also a part
of the '<libc>' config node:
<libc ip_addr="..." netmask="..." gateway="..." />
Fixes#731.
This commit removes an endless loop, that occurred when the sd_card driver
called usleep, or msleep on its Timer_delayer object. Fixes#705
Also fixes the same problem for the Omap4 GPIO driver.
'Gratuitous ARP' broadcast messages are used to announce newly created
IP<->MAC address mappings to other hosts. nic_bridge-internal hosts
would expect a nic_bridge-internal MAC address in this message, whereas
external hosts would expect the NIC's MAC address in this message.
The simplest solution to this problem is to just drop those messages,
since they are not really necessary.
Fixes#709.
This patch adds the consideration of suddenly disappearing managed
dataspaces in the 'Rm_session_component::reverse_lookup' function.
Previously, this case resulted in a seamingly valid translation.
Fixes#701
This commit simplifies the creation of additional threads and VCPUs in L4linux.
By now, some Genode::Thread_base methods where overridden to use a Fiasco.OC
specific Cpu_session when creating threads.
Recent commit: 297538678e moved the actual creation
of the platform thread into the constructor of the generic Thread_base class.
Thereby the Vcpu class, which extended the Thread_base class, now unnecessarily
created two platform threads for each thread created via Vcpu. Nowadays, the
cpu_session capability is available via the Genode::env() environment. So we can
use the Thread_base parent class for the setup of the platform thread, and
afterwards create a Fiasco.OC specific cpu session client with the same cpu
session capability, Thread_base used for creation, to make use of the L4Linux
specific features of this interface (VCPU enabling, irq object creation etc.).
When destroying a thread, which was not bound to a protection domain via kernel
primitives beforehand, it is critical to change the pager and exregs the thread
in the destruction process. Therefore, this commit introduces two thread states:
DEAD and RUNNING. On the basis of the thread state, we can decide whether to
reset the thread before destroying it, or not.
This patch clears the terminal each time the menu appears and thereby
wipes away artifacts that might occur when combining terminal_mux with
kdb_uart_drv and the kernel prints messages directly.
This fixes issues with several HID keyboards by implementing
get_unaligned_le16(), which obviously may also fix other not-yet-known
issues. Hint: I had to look out for suspicious lines like follows in the
verbose log.
[init -> usb_drv] get_unaligned_le16 called, not implemented
Also, quirks for cherry keyboards are now applied.
Because the template instantiation rules of C++ do not deal well with
null pointers specified as '0', the constructor of 'Local_addr' was
instantiated for [T = int], which does not make sense. To avoid the
warning "cast to pointer from integer of different size", we need to
explicitly state that '0' is a pointer. In C++11, there is the 'nullptr'
keyword, but until we switch to this version, we have to state (void *)0.
In usb.inc all required Linux include files of the Linux code are looked up
by 'sed'ing through the files of SRC_C and SRC_CC. The Linux include files
are then added as dependency to the SRC_C and SRC_CC files and during dependency
resolution symbolic links to the lx_emul.h will be created.
In the platform specific usb.mk file there are the Linux driver files
added, but unfortunately after including usb.inc. So, for them no dependency
to any Linux include header file is generated and so no symbolic files are
generated.
If the driver code file is compiled as first, as for asix.c, the symbolic links
of the include files are missing and compilation fails.
Add the Linux driver code files to SRC_C before including usb.inc in the
platform specific usb.mk files.
Originally, a thread was created at core not before calling the 'start'
function. In order to configure the thread affinity before starting the
thread, we have to make the thread known at core right at construction
time. This patch moves the needed thread-creation sequence from the
'start' function to the '_init_platform_thread' function.
When L4Linux tries to allocate a dataspace of the size of its physical
memory, this allocation can fail, because the 'l4re_ma_alloc()' function
in the 'l4lx' library always tries to allocate a contiguous dataspace of
the given size and there might be no contiguous free area left.
With this patch, memory gets allocated in chunks: if the size to be
allocated exceeds the configured chunk size, a managed dataspace gets
created and filled with multiple memory chunks of at most the chunk size.
The chunk size is 16M by default and can be configured in an l4linux
config node:
<config args="...">
<ram chunk_size="16M"/>
</config>
Fixes#695.
Don't do anything in Mapping::prepare_map_operation. At this point and in the
current implementation, the memory has been mapped and cleared already. Touching
the memory may only pollute the cache causing data corruption in DMA memory.
Fixes issue #452
The KDB UART driver uses the Fiasco(.OC) kernel debugger console as backend
for input and output. This is useful in the case that only one UART is
available.
Fixes#665.
In this version of the transition the Hip structure from Genode is reused,
@nfeskes seoul_libc_support is used for the string functions and the
nul/config.h is replaced by just using a constant value in the one place where
the file was needed.
Related to #666.
- search for alternative virtual address regions upwards, starting from
the given start address, in the 'l4re_rm_attach()' and
'Region_manager::reserve_range()' functions
- don't treat memory locations above 0x80000000 in l4linux's virtual
address space as device memory
- align the start address of the vmalloc area according to the assumption
in 'devicemaps_init()'
Fixes#414.
Explicitly set default mode for legacy interrupts to not rely on kernel
default settings. This patch fixes the constantly busy IRQ threads for
IRQ 1 and 12 as soon as the PS/2 driver was loaded until the point when
the first IRQ occurred.
Remove the 'epit' variable from the generic imx31 and imx53 specification,
and only add it to base-hw specific i.MX specs. Thereby the EPIT timer
library gets build for base-hw only.
Moreover, fix some const-ness issues in the platform_timer implementation
for the EPIT timer.
Fixes#688.
The new core-internal 'Address_space' interface enables cores RM service
to flush mappings of a PD in which a given 'Rm_client' thread resides.
Prior this patch, each platform invented their own way to flush mappings
in the respective 'rm_session_support.cc' implementation. However, those
implementations used to deal poorly with some corner cases. In
particular, if a PD session was destroyed prior a RM session, the RM
session would try to use no longer existing PD session. The new
'Address_space' uses the just added weak-pointer mechanism to deal with
this issue.
Furthermore, the generic 'Rm_session_component::detach' function has
been improved to avoid duplicated unmap operations for platforms that
implement the 'Address_space' interface. Therefore, it is related to
issue #595. Right now, this is OKL4 only, but other platforms will follow.
This enables us to use the run scripts applied to a native machine equipped
with Intel's AMT. If the environment variables are correctly set up, the remote
test machine is reseted via 'amttool', then via 'amtterm' the serial output
is collected and the normal run script matching pattern for success/failure of
the run script are applied.
'amttool' and 'amtterm' are part of the package called 'amtterm' shipped with
the Linux distributions like Ubuntu, Debian and lot more.
Following environment variables are required, to run the run scripts with a
native AMT test machine:
PXE_TFTP_DIR_BASE - absolute path of TFTP directory
PXE_TFTP_DIR_OFFSET - relative path to PXE_TFTP_DIR_BASE where the config file
will be generated - named 'config-00-00-00-00-00-00'
AMT_TEST_MACHINE_IP - TCP/IP address of target AMT test machine
AMT_TEST_MACHINE_PWD - password of target AMT test machine
Issue #679
Since checking if the certificate is valid is not that important
(we currently do not check the signature of the archive which is the
bigger issue) we disable the checking to prevent certain wget version
from refusing to download the archive.
Fixes#681
mkisofs is the original ISO creation tool from cdrtools available on
many UNIX systems. genisoimage on the other hand is part of a mostly
unmaintained fork of cdrtools very specific to Debian Linux and its
derivates (e.g., Ubuntu). Fortunately, genisoimage (as we used it) is
completely invocation-compatible to mkisofs.
Fixes#627.
Instead of trying all PCI devices by a specific PCI driver, now the device or
the device class can be limited to the one actually supported by the specific
driver.
The "strncpy - not implemented" message appeared on the use of libpng.
Even though it did not cause trouble, spilling the log with such
easy-to-fix issues should better be avoided.
Bender fixes the serial output on modern PC hardware. Prior this patch,
it was used only when combined with pulsar. Now, we also use it when
booting via GRUB.
Allocate ever an extra page behind the commandline pointer. If it turns out
that this page is unused, because commandline was short enough, unmap the
memory and put the virtual and physical regions back to the allocator.
Fix#664
With this patch, the 'futex' syscall gets used for blocking and unblocking
of threads in the Linux-specific lock implementation.
The 'Native_thread_id' type, which was previously used in the
lock-internal 'Applicant' class to identify a thread to be woken up,
was not suitable anymore for implementing this change. With this patch,
the 'Thread_base*' type gets used instead, which also has the positive
effect of making the public 'cancelable_lock.h' header file
platform-independent.
Fixes#646.
Revoke the right to set the portal id (aka label) when it is not needed
anymore. Otherwise everybody in the system having a mapping of the portal can
reset the label to something we don't expect.
Issue #667
In base-fiasco, base-foc and base-pistachio, physical memory gets mapped
1:1 to core virtual memory. When the 'Ram_session_component' allocates
physical memory for a client, it zeroes out the corresponding area in
core's virtual address space and then maps the area to the client. If this
area overlaps with core's virtual thread context area (usually at
0x40000000-0x4fffffff), the stack of one or more core threads can get
overwritten.
To avoid this problem, with this patch, the thread context area gets
removed from the physical RAM allocator on these platforms.
Fixes#660.
Without the patch the signal cap was ever transferred to the timer session
when a usleep/msleep was called, even when unneeded. On base-nova this
causes the allocation of new capability indexes which are not freed up.
So the timer service run quickly out of indexes and get out of order...
Related to issue #1
This happened when I killed one of the genode clients which was
tracked via an expception_handler. In this case the wait4 syscall
returned 0 and the for(;;) was looped eternally. This caused an
100% CPU utilization for the core binary.
Make 'context_area_virtual_base' platform configurable. On Arndale, we
need to move the context area to a location that does not interfere with
the address range of physical memory.
The new terminal_mux server is able to provide multiple terminal
sessions over one terminal-client session. The user can switch
between the different sessions using the keyboard shortcut C-y,
which brings up an ncurses-based menu.
This patch moves the further reusable parts of the terminal into public
header files. It also slightly tweaks the color table to give all colors
a similar brightness level.
This patch moves the os/config examples to their respective run scripts,
removes some of them, and moves the priority example to the src/init
directory (where other examples are located).
Additionally, this patch adapts the OKL4-specific priority.run test to
the recent changes of the timer interface.
This base platform is no longer maintained.
For supporting the Microblaze CPU in the future, we might consider
integrating support for this architecture into base-hw. Currently
though, there does not seem to be any demand for it.
With the change of the Timer::Session interface, all scenarios that use
the timer use core's SIGNAL service. So we need to route sessions
accordingly.
In addition to the adaptation to the changed timer, this patch removes
some stale examples that predate the run tool and are no longer used.
This patch simplifies the way of how Genode's base libraries are
organized. Originally, the base API was implemented in the form of many
small libraries such as 'thread', 'env', 'server', etc. Most of them
used to consist of only a small number of files. Because those libraries
are incorporated in any build, the checking of their inter-dependencies
made the build process more verbose than desired. Also, the number of
libraries and their roles (core only, non-core only, shared by both core
and non-core) were not easy to capture.
Hereby, the base libraries have been reduced to the following few
libraries:
- startup.mk contains the startup code for normal Genode processes.
On some platform, core is able to use the library as well.
- base-common.mk contains the parts of the base library that are
identical by core and non-core processes.
- base.mk contains the complete base API implementation for non-core
processes
Consequently, the 'LIBS' declaration in 'target.mk' files becomes
simpler as well. In the most simple case, only the 'base' library must
be mentioned.
Fixes#18
With the use of the new timer interface, each timer client uses signals.
Hence, programs that have not used signals before will consume slightly
more quota. This is the case for the moon test (triggered on foc_x64_64
only).
The distinction between 'ipc.h' and 'ipc_generic.h' is no more. The only
use case for platform-specific extensions of the IPC support was the
marshalling of capabilities. However, this case is accommodated by a
function interface ('_marshal_capability', '_unmarshal_capability'). By
moving the implementation of these functions from the headers into the
respective ipc libraries, we can abandon the platform-specific 'ipc.h'
headers.
By using the build system's library-selection mechanism instead of many
timer targets with different 'REQUIRES' declarations, this patch reduces
the noise of the build system. For all platforms, the target at
'os/src/drivers/timer' is built. The target, in turn, depends on a
'timer' library, which is platform-specific. The various library
description files are located under 'os/lib/mk/<platform>'. The common
bits are contained in 'os/lib/mk/timer.inc'.
The 'Timer::Session::msleep' function is one of the last occurrences of
long-blocking RPC calls. Synchronous blocking RPC interfaces turned out
to be constant source of trouble and code complexity. I.e., a timer
client that also wants to respond to non-timer events was forced to be a
multi-threaded process. This patch replaces the blocking 'msleep' call
by a mechanism for programming timeouts and receiving wakeup signals in
an asynchronous fashion. Thereby signals originating from the timer can
be handled along with signals from other signal sources by a single
thread.
The changed interface has been tested on Linux, L4/Fiasco, OKL4, NOVA,
L4ka::Pistachio, Codezero, Fiasco.OC, and hw_pbxa9. Furthermore, this
patch adds the timer test to autopilot.
Fixes#1
Cap_sessions and portals created via the sessions are nowadays freed up during
c++ object destruction. Because of that the exception portals for a vCPU thread
get be revoked as soon as the cap_session object leaves its scope.
Keep one cap_session for the whole lifetime of the vmm to avoid disappearing
exception portals.
Related to #582.
The setup now uses nitpicker and nit_fb to display several instances of
vancouver. The guest OS binaries must be supplied in the
'<build-dir>/bin' directory manually.
Furthermore, the patch lets launchpad pass Block, Nic, and Rtc to the
parent.
Vancouver can now assign block devices to guests using the Block
interface. The machine has to be configured to use a specified drive,
which could be theoretically routed to different partitions or services
via policy definitions. Currently the USB driver only supports one
device. Genode's AHCI driver is untested.
If the session quota is too low, random pagefaults can occur on the
stack.
According to @Nils-TUD, it is necessary to protect the DiskCommit
messages with a lock against deadlocking with the timer. Observations
showed that this mitigates some problems with Gentoo on real hardware.
Vancouver is now able to use the Intel 82576 device model from NUL to
give VMs access to the network via the nic_bridge service. In order to
integrate the device model, it had to be renamed to i82576 due to XML
limitations. This is done by a patch applied via the 'make prepare'
mechanism.
Although current network card models in Vancouver panic if they can't
get a MAC address, the OP_GET_MAC hostop now fails gracefully in the
case where no nic_drv or nic_bridge is available.
The guest VM can now be provided with a framebuffer and keyboard input.
Mouse positioning of the guest is a problem. Because the PS2 model applies
some calculations to the movement values, it can happen that overflows mess
with the cursor. Therefore the handling was changed and only movements of 1
and -1 are sent. Since absolute positioning is not possible with PS2, we
have to live with this limitation until USB HID is implemented.
For the framebuffer size in Vancouver the configuration value in the machine
XML node is used. It is possible to map the corresponding memory area
directly to the guest, regardless if it is from nitpicker,
liquid_framebuffer or vesa_drv. The guest is provided with two modes (text
mode 3 and graphics mode 0x114 (0x314 in Linux).
Pressing LWIN+END while a VM has focus resets the virtual machine. Also,
RESET and DEBUG key presses will not be forwarded to the VM anymore.
It is possible to dump a VM's state by pressing LWIN+INS keys.
The text console is able to detect idle mode, unmaps the buffer from the
guest and stops interpreting. Upon the next pagefault in this area, it
resumes operation again. The code uses a simple checksum mechanism instead
of a large buffer and memcmp to detect an idle text console. False
positives don't matter very much.
When an EPT/NPT fault occurs during IDT vectoring, the original event must
be reinjected. Additionally we may have to inject an IRQ window if another
event is already pending.
core does not use POSIX threads when built for the 'lx_hybrid_x86'
platform, so we need to reserve the thread-context area via a segment in
the program to prevent clashes with vdso and shared libraries.
Fixes#639.
The default constructor didn't initialize all members, some of them holding
pointers. In the de-constructor the _name pointer was tried to free up, even
when it was not initialized.
Avoid any hassle for uninitialized members and just initialize it. Fixes
sporadic page fault on x86_64 base-nova.
Issue #155
Some shared libraries of the host system contain search paths for finding
other needed shared libraries. These paths get evaluated only by a native
linker. To find all needed shared libraries, with this patch, the host
linker is used to link hybrid applications.
Fixes#645.
reverts 68156918ee
"base: apply thread.cc fix of foc to base"
Depending on the context area a fixed location is calculated where the
memory for the stack is attached to. If the context area is released before the
detach call, the very same context area can be reused and memory for the new
stack is attached for a new thread. The detach of the old thread would then
revoke the mapping for the new thread which will cause a un-handled page fault.
Issue #549
Prior this patch the startup lock was not released if the call of
'_associate()' failed. In this condition, the caller of the constructor
was infinitely blocked.
During a ram_session->free call in 'core' the lock in core_env.h is taken.
Then in the ram_session::_free_ds implementation the dissolve function for the
dataspace is called. base-nova tries to make sure that the ds is not
accessible anymore by any kind of parallel incoming IPC by performing a
cleanup IPC. Unfortunately the dataspace_session implementation uses the very
same allocator in 'core' and may require to obtain the same lock as taken in
ram_session->free. This leads to a spurious deadlock on base-nova.
The actual free_ds implementation is mostly thread safe, since all used objects
inside there are already locked. The only missing piece is the _payload
variable. By changing the _payload variable in a atomic fashion there is no
need to lock the whole ram_session->free call which avoids deadlocks on
base-nova.
Fixes#549
The cleanup call must be performed already during the _dissolve function
shortly after the object at the cap_session is freed up. Otherwise there
is the chance that an in-flight IPC will find the to be dissolved function
again.
Bomb test triggered the case, that a already dissolved rpc_object was found
by a in-flight IPC. If the rpc_object was already freed up by alloc->destroy
the thread using this stale rpc_object pointer cause page-faults in core.
Fixes partly #549
As first step the rpc object must be freed up so that the kernel object
(portal) vanishes. Then the object must be removed from the internal object
pool list so that the object can't be obtained anymore. And then the cleanup
call can be performed (_leave_server_object) since now all names to the
rpc_object are gone.
Doing it in different order (as before the commit) there is a very very little
chance (but the bomb test triggers it occasionally) that the rpc_object can be
obtained again by an incoming IPC - even it is already scheduled for removal.
Fixes partly #549
If page faults are handled concurrently (as for base-nova) the traverse lookup
call in rm_session_component must be thread safe, which it isn't.
If the faulting area is backed by nested dataspaces which are managed by
various rm_sessions then a race happens under following circumstances
(triggered occasionally by the bomb test).
The traverse lookup may return a pointer to a rm_session of a nested dataspace.
If the rm_session is in parallel subject to destruction it happened that faults
got enqueued to the faulters list of the deleted rm_session and internally to
a list of the current rm_session of the Rm_client.
During destruction of the faulting Rm_client the associated rm_session will
be dissolved from the Rm_client, which leads to dereferencing the
dangling pointer of the already destructed rm_session.
On base-nova the memory of the rm_session object get unmapped eventually, so
that the de-referencing of the dangling pointer caused page faults in core.
The memory on other kernels inside core never get unmapped so that the
bug doesn't trigger visible faults.
The patch replace the keeping of a rm_session pointer by keeping a
capability instead. The rm_session object must be looked up now explicitly in
the Object_pool implementation, which implements proper reference counting on
the rm_session object.
Issue #549
Since we have now more than a handful patches to the vanilla kernel, we
better switch to a separate git repository in order to review and to maintain
the patches more effectively.
Remove the patches, they are already in the kernel branch.
Fixes#394
Warnings like the following:
warning: narrowing conversion of ‘((Genode::Platform_pd*)this)->Genode::Platform_pd::_space_id’ from ‘int’ to ‘Codezero::l4id_t {aka unsigned int}’ inside { } is ill-formed in C++11 [-Wnarrowing]
First make the clients inaccessible and dissolve them from the entrypoint. If
this isn't the first step the clients may be obtained again between
the unlock and lock steps in the destructor.
Additionally the clients may be removed in between the unlock and call
sequence, which renders such client pointers dangling and causes spurious page
faults. Keep instead a lock as long as possible and when it is required to
release a lock, then the pointer to the objects must be revalidated.
Replace the dissolve function with a remove_client implementation as suggested
by #13, which avoids that the cpu_session may call dissolve with a dangling
pointer of a already removed rm_client object. Instead the pager must be
released explicitly.
Related to issue #549
Related to issue #394
Related to issue #13
This patch removes the 'soname' link option for building the host
library for the 'lx_hybrid_ctors' test. Without this option, the
library's absolute path at build time gets hardcoded into the
application, which should be okay for this simple test case.
Fixes#638.
If we ran out of capabilities indexes, the bit allocator throws an exception.
If this happens the code seems to hang and nothing happens.
Instead one could catch the exception and print some diagnostic message.
This would be nice, but don't work. Printing some diagnostic message itself
tries to do potentially IPC and will allocate new capability indexes at
least for the receive window.
So, catch the exception and let the thread die, so at least the instruction
pointer is left as trace to identify the reason of the trouble.
Fixes#625
If an exception is thrown the lock is released automatically, so that
other callers may get a capability index if in between some are freed. Fixes
some deadlocks if Genode is short on capability indexes.
Related to #625
Currently, the hello run script of the hello_tutorial misses some services the
timer driver needs on various platforms. The hello_tutorial is meant for
educational purposes only. So it's desireable to keep it simple. Instead of
complexifying the configuration, this commit just removes the timer from the
example.
By now, the memcmp implementation of Genode's basic string utilities just
returned whether two memory blocks are equal or differ. It gave no hint which
block is greater, or lesser than the other one. This isn't the behaviour
anticipated by implementations that rely on the C standard memcmp, e.g. GCC's
libsupc++, or the nic_bridge's AVL tree implementation.
With this patch, the 'Signal_receiver::dissolve()' function does not return
as long as the signal context to be dissolved is still referenced by one
or more 'Signal' objects. This is supposed to delay the destruction of the
signal context while it is still in use.
Fixes#594.
With this change, init becomes able to respond to config changes by
restarting the scenario with the new config. To make this feature useful
in practice, init must not fail under any circumstances. Even on
conditions that were considered as fatal previously and led to the abort
of init (such as ambiguous names of the children or misconfiguration in
general), init must stay alive and responsive to config changes.
This patch improves the config handling by falling back to a static
string (empty "<config />") if no valid config ROM module could be
found. This can happen initially, but also at runtime when the ROM
module dissapears, e.g., a ROM module accessed via fs_rom where the
corresponding file gets unlinked.
This patch introduces keyboard-focus events to the 'Input::Event' class
and changes the name 'Input::Event::keycode' to 'code'. The 'code'
represents the key code for PRESS/RELEASE events, and the focus state
for FOCUS events (0 - unfocused, 1 - focused).
Furthermore, nitpicker has been adapted to deliver FOCUS events to its
clients.
Fixes#609
This patch extends the file-system interface with the ability to monitor
changes of files or directories. The new 'File_system::sigh' function
can be used to install a signal handler for an open node.
The 'ram_fs' server has been enhanced to support the new interface. So
any file or directory changes can now be observed by 'ram_fs' clients.
Fixes#607
Remove signal context object from signal source component list (_signal_queue)
before destruction, otherwise we get a dangling pointer.
On native hardware for base-nova, the signal source thread triggered page
faults in the Signal_source_component::wait_for_signal() method when the signal
context got freed up in Signal_session_component::free_context but was still
enqueued in Signal_source_component::_signal_queue.
Fixes#600
With this patch the destruction of Noux 'Child' objects gets delayed
further until the exit signal has been dispatched. This prevents the
self-destruction of the signal dispatcher, which is a member of the
'Child' object.
Fixes#603.
Several users of the signal API used custom convenience classes to
invoke signal-handling functions on the reception of incoming signals.
The 'Signal_dispatcher' pattern turned out to be particularly useful. To
avoid the duplication of this code across the code base, this patch
adds the interface to 'base/signal.h'.
Furthermore, the patch changes the 'Signal::num()' return type from int
to unsigned because negative numbers are meaningless here.
Fixes#511
When matching the 'label' session argument using '<if-args>' in a
routing table, we can omit the child name prefix because it is always
the same for all sessions originating from the child anyway. Therefore,
this patch adds a special case for matching session labels. It makes the
expression of label-specific routing more intuitive.
Add functionality to lookup an object and lock it. Additional the case is
handled that a object may be already in-destruction and the lookup will deny
returning the object.
The object_pool generalize the lookup and lock functionality of the rpc_server
and serve as base for following up patches to fix dangling pointer issues.
When releasing a lock we must take care that all state is written back to
memory and is not cached in registers. The volatile flag of the lock variable
only means to the compiler that this value must be written immediately.
Other values changed before may be kept by the compiler in registers, which we
don't want here.
Additionally the compiler is free to reorder the code in order to optimize.
That means the code we intend to be executed inside the critical section can
get be reordered and can be executed after we reset the lock variable in the
unlock implementation. The volatile statement of the lock variable doesn't
prevent reordering of instructions which are independent.
By adding a explicit memory barrier, we force the compiler to generate code
that writes back all the register content to memory/cache (and avoid a
bunch of hard to find bugs ...)
Merge core only libs into the target make-files.
Use base-hw specific Board drivers that inherit
from generic Board_base.
Use Page_flags::access_t instead of additional
page_flags_t.
Fix#570
As iPXE header files are not C++ compatible, the implementation missed
proper include directives. For example, alloc_memblock() had a wrong
signature, which was not detected. Now, C wrapper functions are
implemented using a local API to the C++ backend.
Related to #593.
With this patch, the loader installs an optional client-provided fault
handler as default CPU exception handler and RM fault handler for all
CPU and RM sessions of the loaded subsystem. This way, loader clients
become able to respond to failures occuring within the subsystem.
The new feature is provided via the added 'Loader::fault_handler' RPC
function.
The 'run/failsafe' test covers two cases related to the loader, which
are faults produced by the immediate child of the loader and faults
produced by indirect children.
The CPU session interfaces comes with the ability to install an
exception handler per thread. This patch enhances the feature with the
provision of a default signal handler that is used if no thread-specific
handler is installed. The default signal handler can be set by
specifying an invalid thread capability and a valid signal context
capability.
Furthermore, this patch relaxes the requirement of the order of the
calls of 'exception_handler' and 'set_pager'. Originally, the exception
handler could be installed not before setting a pager. Now, we remember
the installed exception handler in the 'Cpu_thread' and propagate to to
the platform thread at a later time.
With this patch, core responds to SIGCHLD signals of terminating Genode
processes by reflecting these events as exceptions to the CPU session
interface. This way, Genode processes become able to respond to
terminating Genode child processes.
Implement the same semantic like L4Re for the initialization of the initramfs
dataspace. Although, it didn't lead to problems right now, this commit might
prevent future problems.
With this patch hybrid applications get linked with the Genode GCC's
'crtbegin.o' and 'crtend.o' files instead of the host GCC's versions
to avoid compatibility problems. This only affects the 'linux_x86'
platform, since on the 'lx_hybrid_x86' platform the Genode GCC is the
host GCC.
Fixes#550.
It happens that ram_session and rm_session itself are invoking alloc
respectively free on the very same sliced heap inside core.
Lock only the sliced_heap list implementation and let the session locking to
the session implementation of rm_session and ram_session.
The ram_session and rm_session must take care to proper lock since inside
both implementations already the session handling thread and the service thread
are running parallel.
With commit 1389b63050 in thread.cc for base-foc
a bug was fixed, where the memory of the context got freed up before running
the de-constructor.
Apply the fix also to base and base-mb.
For base-nova thread creation related exception can be thrown, since the
Pager_objects are threads. Catch the exception and re-throw the
expected/documented exception in rm_session.
This commit avoids that core dies with an unhandled exception if a thread
couldn't be created (e.g. because the limit has been reached).
Sanity check that the context area has been attached. Otherwise the code
later tries to access the context area and core dies with a unhandled page
fault.
Open VCPU interrupts while the VCPU is in an IPC operation can badly influence
its state. That's why this commit fixes a whole bunch of places, where IRQs
weren't masked by now.
We have to take the block queue's spin lock before invoking the interrupt
routine, otherwise the AVL tree og Genode's block packet stream gets
corrupted.
If no platform thread was created before somebody destroys a thread object,
there is no valid UTCB available. Thereby, we've to check this before accessing
the UTCB when destroying a thread object.
This should ensure that the directory is created before trying to
create a file within it.
This hopefully fixes errors like the following when using parallel
builds:
checking library dependencies...
/bin/bash: line 19: var/libdeps: No such file or directory
make[5]: *** [init_libdep_file] Error 1
The Linux version of core used a part of the BSS to simulate access to
physical memory. All dataspaces would refer to a portion of 'some_mem'.
So every time when core would access the dataspace content, it would
access its local BSS. For all processes outside of core, dataspaces were
represented as files. This patch removes the distinction between core
and non-core processes. Now, core uses the same 'Rm_session_mmap'
implementation as regular processes. This way, the 'some_mem' could be
abandoned. We still use BSS variable for allocating core-local meta
data through.
Instead of allocating and freeing the space that is needed for the
kernel thread objects from core, wich is not convenient with the
quota system, platform thread now holds the space as array by
itself.
Unfortunately we cannot measure the space size by a static function
anymore, so kernel thread had to be moved from kernel.cc into its
own header. This way platform thread can use sizeof().
Fix#543
/* return capability that uses the object id as badge */
returnreinterpret_cap_cast<Pager_object>(cap);
}
Some files were not shown because too many files have changed in this diff
Show More
Reference in New Issue
Block a user
Blocking a user prevents them from interacting with repositories, such as opening or commenting on pull requests or issues. Learn more about blocking a user.
