Allocating a packet in the packet stream without a payload is not
allowed. Therefore we have to allocate CTRL message packets, that do
not have a payload, with a bogus length instead.
Directory_service::leaf_path returns a pointer offset from its argument
so pass member data rather than a constructor argument to leaf_path.
Issue #1775
This is an interim fix for solving the quota leakage problem of
the platform driver on x86 platforms. To properly fix that problem
one has to track which dataspaces where created by the platform driver,
so that freeing the dataspace and reversing the quota transfer is done
on correct dataspaces only.
Refer #1980
This patch removes the outdates doc/architecture.txt since the
topics are covered by the book. We keep repos/os/doc/init.txt
because it contains a few details not present in the book (yet).
The patch streamlines the terminology a bit. Furthermore, it
slightly adjusts a few source-code comments to improve the book's
functional specification chapter.
Instead of passing on the Noux 'config' ROM dataspace to child processes,
provide a separate configuration for each Noux child, which is either
'<config/>' or '<config ld_verbose="yes"/>', depending on the
configuration of this attribute for the Noux process. This is also a
workaround to prevent multiple insertion of the same 'config' ROM
dataspace capability into the dataspace registry.
Issue #1978
* Adds public timeout syscalls to kernel API
* Kernel::timeout installs a timeout and binds a signal context to it that
shall trigger once the timeout expired
* With Kernel::timeout_max_us, one can get the maximum installable timeout
* Kernel::timeout_age_us returns the time that has passed since the
calling threads last timeout installation
* Removes all device specific back-ends for the base-hw timer driver and
implements a generic back-end taht uses the kernel timeout API
* Adds assertions about the kernel timer frequency that originate from the
requirements of the the kernel timeout API and adjusts all timers
accordingly by using the their internal dividers
* Introduces the Kernel::Clock class. As member of each Kernel::Cpu object
it combines the management of the timer of the CPU with a timeout scheduler.
Not only the timeout API uses the timeout scheduler but also the CPUs job
scheduler for installing scheduling timeouts.
* Introduces the Kernel::time_t type for timer tic values and values inherited
from timer tics (like microseconds).
Fixes#1972
To avoid the need for adapting the names of the core restricted syscalls
each time we add a public syscall (restricted names must always be
greater than public names), let restricted syscall names simply start at
100 (we should never have more than 100 public syscalls).
Ref #1972
Building a kernel test produced an error about a missing config
apparently because of recent changes in the run tool. So, we add
a dummy XML node as config.
Ref #1972
Evaluate fadt xml node in report from acpi_drv. If the io ports in the range
of 0xcf8+4 are necessary for the reset than the platform driver will
react on the 'system' state 'reset' and reboot.
Issue #1962
Will be/can be used by the platform driver to reset the machine, iif the
platform driver owns the resources, e.g. the I/O ports of PCI config access.
Issue #1962
The modular lx_kit seperates the required back end functionality of the
Linux emulation environment from the front end. Thereby each driver can
reuse specific parts or supply more suitable implementations by itself.
It is used to reduce the amount of redundant code in each driver.
The lx_kit is split into several layers whose structure is as follows:
The first layer in _repos/dde_linux/src/include/lx_emul_ contains those
header files that provide the structural definitions and function
declarations of the Linux API, e.g. _errno.h_ provides all error code
values. The second layer in _repos/dde_linux/src/include/lx_emul/impl_
contains the implementation of selected functions, e.g. _slab.h_
provides the implementation of 'kmalloc()'. The lx_kit back end API is
the third layer and provides the _Lx::Malloc_ interface
(_repos/dde_linux/src/include/lx_kit/malloc.h_) which is used to
implement 'kmalloc()'. There are several generic implementations of the
lx_kit interfaces that can be used by a driver.
A driver typically includes a 'lx_emul/impl/xyz.h' header once
directly in its lx_emul compilation unit. The lx_kit interface files
are only included in those compilation units that use or implement the
interface. If a driver wants to use a generic implementation it must
add the source file to its source file list. The generic
implementations are located in _repos/dde_linux/src/lx_kit/_.
The modular lx_kit still depends on the private _lx_emul.h_ header file
that is tailored to each driver. Since the lx_kit already contains much
of the declarations and definitions that were originally placed in
these private header files, those files can now ommit a large amount
of code.
Fixes#1974.
In addition to updating the contrib sources the driver now uses the
new Component API and will report the internal mixer state.
Reporting of the mixer state is enabled by adding the 'report_mixer'
attribute to the drivers configuration and setting its value to 'yes'.
The following snippets illustrates the format of the report:
!<mixer_state>
! <mixer field="inputs.beep" value="108"/>
! <mixer field="outputs.hp_sense" value="plugged"/>
! <mixer field="outputs.master" value="128,128"/>
! <mixer field="outputs.mic_sense" value="unplugged"/>
! <mixer field="outputs.spkr_muters" value="hp,mic"/>
!</mixer_state>
The mixer state may expose other mixer fields as well, depending on the
used sound card. The naming scheme of the attributes intentionally
matches the naming scheme of OpenBSD's mixerctl(1) program.
Each 'mixer' node can be used to configure the audio driver by using it
in its configuration, e.g.:
!<config report_mixer="yes">
! <mixer field="outputs.master" value="255,255"/>
!</config>
This configuration will set the output volume to the highest possible
value. Although it is now also possible to update the configuration
at run-time it should not be done while the driver is currently playing
or recording because it may provoke the generation of artefacts.
Fixes#1973.
We do not ensure that the Fpu::Context is 16-byte aligned and,
therefore, should not tell the compiler that we did. Otherwise, the GCC
may optimize operations regarding the addresses of members as it did for
if ((addr_t)_fxsave_area & 0xf) ...
With the declared 16-byte alignment the condition will never become
true.
- add a new function 'binary_ready_hook_for_gdb()' in ldso. GDB can set a
breakpoint at this function to know when ldso has loaded the binary
into memory.
- get the thread state from the NOVA kernel immediately on 'pause()'
Fixes#1968
This patch moves the thread operations from the 'Cpu_session'
to the 'Cpu_thread' interface.
A noteworthy semantic change is the meaning of the former
'exception_handler' function, which used to define both, the default
exception handler or a thread-specific signal handler. Now, the
'Cpu_session::exception_sigh' function defines the CPU-session-wide
default handler whereas the 'Cpu_thread::exception_sigh' function
defines the thread-specific one.
To retain the ability to create 'Child' objects without invoking a
capability, the child's initial thread must be created outside the
'Child::Process'. It is now represented by the 'Child::Initial_thread',
which is passed as argument to the 'Child' constructor.
Fixes#1939
These warnings are triggered by requests either using byte offsets or
reading a number of bytes that is not a multiple of the block size as
well as by components using the plugin with a different block size than
the backend block session provides.
Fixes#1964.
Adjust IRTE_COUNT to specify the number of IRTEs and not the index of
the last IRTE entry. This fixes an off-by-one error in the toggle_mask()
function, where the range check for I/O APIC IRQs wrongly ignored IRQ
23.
The custom version merely differs from the generic one with respect to
the session quota. Since we support the dynamic upgrading of sessions,
we don't need to provide the big amount (128KiB) defined by the custom
version.
This patch supplements each existing connection type with an new
constructor that is meant to replace the original one. The new
one takes a reference to the component's environment as argument and
thereby does not rely on the presence of the globally accessible
'env()' interface.
The original constructors are marked as deprecated. Once we have
completely abolished the use of the global 'env()', we will remove them.
Fixes#1960
The recent move of the initial three region maps into the PD session
breaks the noux.run test on Linux because the address spaces are locally
managed on this platform but the generic code of Noux still tries to
execute the regular procedure of creating the virtualized PD session for
a new Noux process. This patch handles a corner case that occurs on
Linux but no other platform. It enables the successful creation of the
virtualized PD session so that the test runs to completion. Still noux
on Linux remains to be limited to non-forking programs.
Issue #1938
All core.inc files now use $BASE_HW_DIR instead of $REP_DIR. The former
is defined by the core.mk file. This allows including core.inc files
from other repositories (e.g. genode-world) for additional platform
support.
Fixes#1955
Replace size_t by uint8_t in accessors for the IPv4 header fields
'version' and 'header_length' - uint8_t is the smallest integral type
for 4 bit of information. Note, as the _internet header length_ field is
defined to reflect the number of 32-bit words the header occupies, we
also stick to the specification with our accessor.
Issue #1915
The old implementation cleared all other bits in the SCU control
register when enabling the SCU, which broke the kernel startup on zynq-
based boards.
By only raising the enable bit, we can keep the initial/default state
e.g. as set up by uboot.
Fixes#1953
It turns out that the name function does not have much use in practice
except for naming the thread of the component's initial entrypoint. For
dynamically linked components, this thread is created by the dynamic
linker. It is named "ep" in these cases. Considering that we will
eventually turn all regular components into dynamically linked
executables, the additional information provided by the
Component::name() function remains unused. So it is better to not bother
the component developers with adding boilerplate code.
Now rlibs are actually linked to programs. Target files have been
modified to not generate code that requires compiler-rt. Added a target
for libstd-rust, but it's very broken right now. Moved alloc_system to
the libports folder because either a memory allocator needs to be
written in rust or posix_memalign needs to be implemented. Changed
liblibc to use freebsd as the OS instead of netbsd. Added a library with
unwind dummy functions.
Rust relies on atomic builtins, which are not implemented in libgcc for
ARM. One was implemented in rust, which was sufficient to get the
current rust test to run. Rust libs were added into the group of libs
for the linker so order no longer matters. The raspberry pi now uses an
armv6 target.
This patch cleans up the thread API and comes with the following
noteworthy changes:
- Introduced Cpu_session::Weight type that replaces a formerly used
plain integer value to prevent the accidental mix-up of
arguments.
- The enum definition of Cpu_session::DEFAULT_WEIGHT moved to
Cpu_session::Weight::DEFAULT_WEIGHT
- New Thread constructor that takes a 'Env &' as first argument.
The original constructors are now marked as deprecated. For the
common use case where the default 'Weight' and 'Affinity' are
used, a shortcut is provided. In the long term, those two
constructors should be the only ones to remain.
- The former 'Thread<>' class template has been renamed to
'Thread_deprecated'.
- The former 'Thread_base' class is now called 'Thread'.
- The new 'name()' accessor returns the thread's name as 'Name'
object as centrally defined via 'Cpu_session::Name'. It is meant to
replace the old-fashioned 'name' method that takes a buffer and size
as arguments.
- Adaptation of the thread test to the new API
Issue #1954
This patch moves the base library from src/base to src/lib/base,
flattens the library-internal directory structure, and moves the common
parts of the library-description files to base/lib/mk/base.inc and
base/lib/mk/base-common.inc.
Furthermore, the patch fixes a few cosmetic issues (whitespace and
comments only) that I encountered while browsing the result.
Fixes#1952
We report UNLINK_ERR_NO_PERM only for files in TAR archive, otherwise
UNLINK_ERR_NO_ENTRY is returned. This permits the arbitrary layering of
file systems with support for proper ENOENT reporting, for example,
when using 'rm -f non_existent_file' that aborts if EPERM is wrongly
reported.
Most slab allocators in core use a sliced heap as backing store. Since
sliced-heap allocations are performed at page-granularity, it is
sensible to dimension the slab blocks to fill whole pages.
This patch cleans up the implementation of the sliced heap, adds a
constructor that takes references instead of pointers, and adds the
function 'meta_data_size' to determine the meta-data overhead per block.
The latter can be used to dimension slab allocators such that slab
blocks use whole pages.
The original 'Env' interface as returned by 'Genode::env()' has been
renamed to 'Env_deprecated' and moved to deprecated/env.h. The new version
of base/env.h contains the interface passed to modern components that
use the component API via base/component.h.
Issue #1832
This patch makes the former 'Process' class private to the 'Child'
class and changes the constructor of the 'Child' in a way that
principally enables the implementation of single-threaded runtime
environments that virtualize the CPU, PD, and RAM services. The
new interfaces has become free from side effects. I.e., instead
of implicitly using Genode::env()->rm_session(), it takes the reference
to the local region map as argument. Also, the handling of the dynamic
linker via global variables is gone. Now, the linker binary must be
provided as constructor argument.
Fixes#1949
This patch replaces the former 'Pd_session::bind_thread' function by a
PD-capability argument of the 'Cpu_session::create_thread' function, and
removes the ancient thread-start protocol via 'Rm_session::add_client' and
'Cpu_session::set_pager'. Threads are now bound to PDs at their creation
time and implicitly paged according to the address space of the PD.
Note the API change:
This patch changes the signature of the 'Child' and 'Process' constructors.
There is a new 'address_space' argument, which represents the region map
representing the child's address space. It is supplied separately to the
PD session capability (which principally can be invoked to obtain the
PD's address space) to allow the population of the address space
without relying on an 'Pd_session::address_space' RPC call.
Furthermore, a new (optional) env_pd argument allows the explicit
overriding of the PD capability handed out to the child as part of its
environment. It can be used to intercept the interaction of the child
with its PD session at core. This is used by Noux.
Issue #1938
Since the dynamic linker depends on the XML utils and we plan to replace
the ancient 'Arg_string' with XML, it is time to move the 'Xml_node' and
'Xml_generator' to base/include.
We will eventually remove the delivery of the number of occurred signals
to the recipient. There haven't been any convincing use cases for this
feature. In the contrary, it actually led to wrong design choices in the
past where the rate of signals carried information (such as the progress
of time) that should better be obtained via an explicit RPC call.
The old 'Signal_rpc_member' template retains the old interface for now.
But the new 'Signal_handler' omits the 'unsigned' argument from the
handler function.
GNU ar only uses a flat module (object) name space but supports multiple
instances of objects with the same name. As we use subdirectories with
source file names that may clash (e.g., signal/common.cc and
server/common.cc in the base library) some of our static library
archives have multiple object instances. This is not an issue on archive
creation but works not as expected when updating archives. To avoid
updates of library archives we delete the files before calling GNU ar.
This patch integrates three region maps into each PD session to
reduce the session overhead and to simplify the PD creation procedure.
Please refer to the issue cited below for an elaborative discussion.
Note the API change:
With this patch, the semantics of core's RM service have changed. Now,
the service is merely a tool for creating and destroying managed
dataspaces, which are rarely needed. Regular components no longer need a
RM session. For this reason, the corresponding argument for the
'Process' and 'Child' constructors has been removed.
The former interface of the 'Rm_session' is not named 'Region_map'. As a
minor refinement, the 'Fault_type' enum values are now part of the
'Region_map::State' struct.
Issue #1938
The return code of assign_parent remained unused. So this patch
removes it.
The bind_thread function fails only due to platform-specific limitations
such as the exhaustion of ID name spaces, which cannot be sensibly
handled by the PD-session client. If occurred, such conditions used to
be reflected by integer return codes that were used for diagnostic
messages only. The patch removes the return codes and leaves the
diagnostic output to core.
Fixes#1842
The mixer is not directly necessary for the avplay demo. But it implies
additional maintenance work. E.g., in the current state, it complains about
the missing Report server and mutes audio output by default.
Ref #1910
Currently the report name is used implicitly as first xml node name for the
report. This is inconvenient if one component wants to generate various xml
reports under various names (e.g. to steer consumers/clients slightly
differently) but with the same xml node tree structure.
Fixes#1940
We don't want Genode environment objects that register their destructor
for program exit as it is mostly unnecessary and easily produces
dangling pointers. Thus, use unmanaged_singleton instead of the static
keyword.
Fixes#1941
When bringing up the kernel on multiple cores, there is a time span
where some cores already have caches enabled and some don't. Core-local
storage that may be used during this time must be aligned at least to
the maximum line size among global caches. Otherwise, a cached core may
unintentionally prefetch data of a yet uncached core into a global
cache. This may corrupt the view of the uncached core as soon as it
enables caches. However, to determine the exact alignment for every
single ARM platform isn't sensible. Instead, we can align to the minimum
page size assuming that a cache never wants to prefetch from multiple
pages at once and thus fulfills "line size <= page size".
Fixes#1937
When using the Allocator interface, one can't tell which alignment
resulting allocations fulfill. However, at least on ARM, given the
architectural alignment requirements of ARM memory accesses, one wants
memory allocations (what allocators are for in most cases) to be word
aligned automatically. Previously, at least the AVL allocator simply
called alloc_aligned without defining align in its alloc implementation.
This led to unaligned access faults (the default was 0) when using the
AVL allocator as Allocator (as done in the metadata management of a SLAB
of an AVL that uses the AVL as backing store). To avoid such pitfalls
in the future, we force users of alloc_aligned to always specify align
(why use alloc_aligned without align anyway).
Ref #1941
This is a generalisation approach of the hw_zynq target. As the boards
typically use UART1 instead of UART0 (used by qemu), we have to
distinguish between those. Moreover, in general hw_zynq does not imply
zynq_qemu anymore, so that the support of particular boards can be
placed in third-party or community repositories (e.g. Genode world).
Fixes#1926
Besides unifying the Msgbuf_base classes across all platforms, this
patch merges the Ipc_marshaller functionality into Msgbuf_base, which
leads to several further simplifications. For example, this patch
eventually moves the Native_connection_state and removes all state
from the former Ipc_server to the actual server loop, which not only
makes the flow of control and information much more obvious, but is
also more flexible. I.e., on NOVA, we don't even have the notion of
reply-and-wait. Now, we are no longer forced to pretend otherwise.
Issue #1832
This patch unifies the CPU session interface across all platforms. The
former differences are moved to respective "native-CPU" interfaces.
NOVA is not covered by the patch and still relies on a custom version of
the core-internal 'cpu_session_component.h'. However, this will soon be
removed once the ongoing rework of pause/single-step on NOVA is
completed.
Fixes#1922
This patch changes the organization of the slab blocks within the slab
allocator. Originally, blocks were kept in a list sorted by the number
of free entries. However, it turned out that the maintenance of this
invariant involves a lot of overhead in the presence of a large number
of blocks. The new implementation manages blocks within a ring in no
particular order and maintains a pointer to the block where the next
allocation is attempted. This alleviates the need for sorting blocks
when allocating and deallocating.
Fixes#1908
This patch ensures that the 'Allocator_avl' releases all memory obtained
from the meta-data allocator at destruction time. If allocations are
still dangling, it produces a warning, hinting at possible memory leaks.
Finally, it properly reverts all 'add_range' operations.
This patch fixes a use-after-free problem raised by the recent ability of
the slab allocator to dynamically release empty slab blocks. The
Rm_session_component::detach function used to rely on the assumption
that the region metadata co-located with the allocator metadata of the
'_map' would stay intact even after a 'free' if the region.
This patch prevents the destruction of the fd allocator when the program
exists. Otherwise, the meta data for file descriptors that were not
manually closed would vanish, which may cause problems in subsequent
destructors.
This patch makes sure that the dataspace pool is flushed before
destructing the heap-local allocator-avl instance. With the original
destruction order, the allocator would still contain dangling
allocations on the account of the dataspace pool when destructed. In
practice, this caused no problem because the underlying backing store is
eventually freed on the destruction of the pool. But it triggers a
runtime warning of the allocator since it has become more strict with
regard to dangling allocations.
This patch removes the dynamically growing slab allocator from the
page-table registry. This has two benefits. First, we alleviate the
corner cases where the slab allocator needed to extend its backing store
while establishing a core-local memory mapping, thereby triggering a
nested core-local mapping. Without this corner case, no reentrant lock
is needed any longer. Second, it removes the dependency from the overly
large old API of the slab allocator. So we can tighten the slab
interface.
Replace the Out_of_node_handles exception with Out_of_metadata.
Clients need to know when the server is out of internal resources,
but not why.
Cleanup and sort the errors at file_system_session.h.
Remove 'Size_limit_reached exception' from File_system, which was
internal to ram_fs.
Issue #1751Fixes#1909
Opening a VFS handle previously involved allocating from the global heap
at each VFS file system. By amending open with an allocator argument,
dynamic allocation can be partitioned.
A new close method is used to deallocate open handles.
Issue #1751
Issue #1891
The returned capacity had different semantics dependent on the card
type. For HIGH_CAPACITY cards, the memory capacity is specified in 512kB
blocks. So we should also return 512kB blocks for STANDARD_CAPACITY
cards.
Issue #1925
When init destroys a child server with an open session, the client must
be updated as it will otherwise store a pointer to a no-more existing
service object which will be dereferenced when the child client is
destroyed.
Fixes#1912
First, we use an alternate stack for signal handling now. The stack is
shared among all threads of the component, which is okay as we only
handle exceptions with log output and pass on to the default handler
(that terminates the execution). The primary motivation for the
alternate stack is the detection of SIGSEGV due to stack overflows.
Also, hybrid components now handle exception signals by logging and the
support for multi-threaded applications was improved.
Fixes#1935
This commit introduces the new `Component` interface in the form of the
headers base/component.h and base/entrypoint.h. The os/server.h API
has become merely a compatibilty wrapper and will eventually be removed.
The same holds true for os/signal_rpc_dispatcher.h. The mechanism has
moved to base/signal.h and is now called 'Signal_handler'.
Since the patch shuffles headers around, please do a 'make clean' in the
build directory.
Issue #1832
Prevents the annoying warning about
WARNING: Image format was not specified for 'bin/test.img' and probing guessed raw.
Automatically detecting the format is dangerous for raw images, write operations on block 0 will be restricted.
Specify the 'raw' format explicitly to remove the restrictions.
If attached ROM dataspaces are not valid after update(), code that uses
these ROMs produces
void Genode::Volatile_object< <template-parameter-1-1> >::_check_constructed() const [with MT = Genode::Attached_dataspace]: Deref_unconstructed_object
In scenarios where the config ROM is loaded from a report ROM or any
other non-static ROM, config might try to access an invalid dataspace
capability. This patch prevents the component from aborting in this
case.
Fixes#1914
This commit replaces the stateful 'Ipc_client' type with the plain
function 'ipc_call' that takes all the needed state as arguments.
The stateful 'Ipc_server' class is retained but it moved from the public
API to the internal ipc_server.h header. The kernel-specific
implementations were cleaned up and simplified. E.g., the 'wait'
function does no longer exist. The badge and exception code are no
longer carried in the message buffers but are handled in kernel-specific
ways.
Issue #610
Issue #1832
If ports need preparation in order to execute a run script, use the
knowledge about the actual genode directory to suggest a command to the
user that can be directly copied to the command line.
Rust relies on atomic builtins, which are not implemented in libgcc for
ARM. One is implemented in rust, which is sufficient to get the
current rust test to run.
Issue #1899
Check if the binary pointer is valid before attempting to lookup the
symbol. Shared objects with unresolved symbols and missing depencies,
e.g a library that references 'errno' but is not linked against libc,
will now produce an error message when they are loaded by the dynamic
linker.
Fixes#1904.
This patch moves details about the stack allocation and organization
the base-internal headers. Thereby, I replaced the notion of "thread
contexts" by "stacks" as this term is much more intuitive. The fact that
we place thread-specific information at the bottom of the stack is not
worth introducing new terminology.
Issue #1832
The interfaces linux_cpu_session, local_capability, linux_dataspace,
linux_native_pd are mere implementation necessities. They are meant for the
internal use by the framework only. So it is appropriate to move them to
base/internal/.
Issue #1832
On seL4 and L4/Fiasco, we employ a simple yielding spinlock as lock
implementation. Consequently these base platforms used to have a
simplified header. However, since the regular cancelable_lock has all
the member variables needed to implement a spinlock, we can simply use
the generic header on those two platforms too, just leaving some other
parts of the generic header unused. So at API level, the difference is
not visible.
Issue #1832
By moving the stub implementation to rm_session_client.cc, we can use
the generic base/include/rm_session/client.h for base-linux and
base-nova and merely use platform-specific implementations.
Issue #1832
This patch establishes a common organization of header files
internal to the base framework. The internal headers are located at
'<repository>/src/include/base/internal/'. This structure has been
choosen to make the nature of those headers immediately clear when
included:
#include <base/internal/lock_helper.h>
Issue #1832
This patch integrates the functionality of the former CAP session into
the PD session and unifies the approch of supplementing the generic PD
session with kernel-specific functionality. The latter is achieved by
the new 'Native_pd' interface. The kernel-specific interface can be
obtained via the Pd_session::native_pd accessor function. The
kernel-specific interfaces are named Nova_native_pd, Foc_native_pd, and
Linux_native_pd.
The latter change allowed for to deduplication of the
pd_session_component code among the various base platforms.
To retain API compatibility, we keep the 'Cap_session' and
'Cap_connection' around. But those classes have become mere wrappers
around the PD session interface.
Issue #1841
This patch removes the SIGNAL service from core and moves its
functionality to the PD session. Furthermore, it unifies the PD service
implementation and terminology across the various base platforms.
Issue #1841
This patch removes the support for executing subsystems of CLI monitor
within the GDB monitor. There are multiple reasons: First, the feature
remained unused for multiple years. Second, it relied on the base/elf.h
header to determine whether the started binary is dynamically or
statically linked. This header, however, is going to be removed from the
Genode API. Third, the feature will eventually break with the upcoming
changes of how components are bootstrapped. Finally, there is the plan
to turn CLI monitor into a sole front end of a dynamically configurable
init component. Once we pursue this plan, we'd need to reconsider the
GDB support anyway.
Issue #1832
The commit avoids the need to have contrib sources of the kernel
available for this run script. We actually just want to build core and
not the kernel itself, which is always required after recent changes in
the ports tool.
This is the default optimization level in the original seL4 SDK. By
adapting to O3, we work around a bug [1] in version 2.1.0 that only
shows on low optimization levels.
[1] https://github.com/seL4/seL4/issues/20
Previously, ports that were needed for a scenario and that were not
prepared or outdated, triggered one assertion each during the second
build stage. The commit slots a mechanism in ahead that gathers all
these ports during the first build stage and reports them in form of a
list before the second build stage is entered. This list can be used
directly as argument for tool/ports/prepare_port to prepare respectively
update the ports. If, however, this mechanism is not available, for
example because a target is build without the first build stage, the old
assertion still prevents the target from running into troubles with a
missing port.
Fixes#1872
To raise readability when preparing multiple ports in parallel we prefix
also the git clone output with the port name dark-yellow-coloured. To
achieve this we sed the git output. In sed \x1b[ resolves to an escape
sequence and \033[, that we use normally, doesn't. The echo command, at
the other hand, resolves both to an escape sequence. Thus we use the
sed-compatible version in general. This commit inhibits the progress
output of git clone as it can't be redirected to sed.
Ref #1872
The tool/prepare_port tool is now able to handle a list of ports that
shall be prepared. Additionally, one may state the number of ports that
shall be prepared in parallel at a max by using the -j parameter. If -j
is not set by the user, the tool acts as with -j1. The previous
implementation of the tool that prepares only a single port was moved to
tool/ports/mk/prepare_single_port.mk and acts as back end to the new
prepare_port tool. The interface of the new prepare_port tool is
backwards compatible. When called for one port only, the behavior is the
same as when calling tool/ports/mk/prepare_single_port.mk directly.
Removes "usage" rule from prepare_single_port.mk. Removes shebang line
from prepare_single_port.mk.
Ref #1872
The gnat and gprbuild tools are not necessarily in the PATH when
preparing the port since the effective location is specified by the
--image-muen-gnat-path RUN_OPT.
This patch updates seL4 from the experimental branch of one year ago to
the master branch of version 2.1. The transition has the following
implications.
In contrast to the experimental branch, the master branch has no way to
manually define the allocation of kernel objects within untyped memory
ranges. Instead, the kernel maintains a built-in allocation policy. This
policy rules out the deallocation of once-used parts of untyped memory.
The only way to reuse memory is to revoke the entire untyped memory
range. Consequently, we cannot share a large untyped memory range for
kernel objects of different protection domains. In order to reuse memory
at a reasonably fine granularity, we need to split the initial untyped
memory ranges into small chunks that can be individually revoked. Those
chunks are called "untyped pages". An untyped page is a 4 KiB untyped
memory region.
The bootstrapping of core has to employ a two-stage allocation approach
now. For creating the initial kernel objects for core, which remain
static during the entire lifetime of the system, kernel objects are
created directly out of the initial untyped memory regions as reported
by the kernel. The so-called "initial untyped pool" keeps track of the
consumption of those untyped memory ranges by mimicking the kernel's
internal allocation policy. Kernel objects created this way can be of
any size. For example the phys CNode, which is used to store page-frame
capabilities is 16 MiB in size. Also, core's CSpace uses a relatively
large CNode.
After the initial setup phase, all remaining untyped memory is turned
into untyped pages. From this point on, new created kernel objects
cannot exceed 4 KiB in size because one kernel object cannot span
multiple untyped memory regions. The capability selectors for untyped
pages are organized similarly to those of page-frame capabilities. There
is a new 2nd-level CNode (UNTYPED_CORE_CNODE) that is dimensioned
according to the maximum amount of physical memory (1M entries, each
entry representing 4 KiB). The CNode is organized such that an index
into the CNode directly corresponds to the physical frame number of the
underlying memory. This way, we can easily determine a untyped page
selector for any physical addresses, i.e., for revoking the kernel
objects allocated at a specific physical page. The downside is the need
for another 16 MiB chunk of meta data. Also, we need to keep in mind
that this approach won't scale to 64-bit systems. We will eventually
need to replace the PHYS_CORE_CNODE and UNTYPED_CORE_CNODE by CNode
hierarchies to model a sparsely populated CNode.
The size constrain of kernel objects has the immediate implication that
the VM CSpaces of protection domains must be organized via several
levels of CNodes. I.e., as the top-level CNode of core has a size of
2^12, the remaining 20 PD-specific CSpace address bits are organized as
a 2nd-level 2^4 padding CNode, a 3rd-level 2^8 CNode, and several
4th-level 2^8 leaf CNodes. The latter contain the actual selectors for
the page tables and page-table entries of the respective PD.
As another slight difference from the experimental branch, the master
branch requires the explicit assignment of page directories to an ASID
pool.
Besides the adjustment to the new seL4 version, the patch introduces a
dedicated type for capability selectors. Previously, we just used to
represent them as unsigned integer values, which became increasingly
confusing. The new type 'Cap_sel' is a PD-local capability selector. The
type 'Cnode_index' is an index into a CNode (which is not generally not
the entire CSpace of the PD).
Fixes#1887
Use the new Sinfo::get_dev_info function to retrieve device information
in the platform-specific get_msi_params function. If the requested
device supports MSI, set the IRQ and MSI address/data register values to
enable MSIs in remappable format (see VT-d specification, section
5.1.2.2).
Currently only one MSI per device is supported as the subhandle in the
data register is always set to 0.
The new Sinfo::get_dev_info function can be used to retrieve information
for a PCI device with given source-id (SID). The function returns false
if no device information for the specified device exists.
The platform-specific get_msi_params function returns MSI parameters for
a device identified by PCI config space address. The function returns
false if either the platform or the device does not support MSI mode of
operation.
Extend the base-hw Irq_session_component class with _is_msi, _address
and _value variables required to support MSI mode of operation.
Return MSI configuration in info() function if _is_msi is set to true.
Enable the ACPI functionality in the platform_drv on hw_x86_64_muen and
provide a simple generated XML report as ROM session in order to make
the PCI configuration space available.
This is a requirement to implement support for MSI on hw_x86_64_muen.
In addition to now using the framework the playback is triggered by a
timer. For now it is a periodic timer that triggers every 11 ms which
is roughly the current Audio:out period (*).
The driver now also behaves like the other BSD Audio_out driver, i.e,
it always advances the play pointer. That is vital for the Audio_out
stack above the driver to work properly (e.g. the mixer).
(*) It stands to reason if it would be better to use the async ALSA
timer interface instead of using the Timer session.
Fixes#1892.
For some reason 'os/config.h' is imported through 'launchpad.h', when linking an
undefined symbol ('Genode::config') is produced, which actually should not
happen.
This commit adds rocket core on the Zynq FPGA support to base HW. It also takes
advantage of the new timer infrastructure introduced with the privileged 1.8 and
adds improved TLB flush support.
fixes#1880
The wrapper functions (e.g., 'Unwind_*' and friends) now have the same signature
as the original function in 'libgcc', reside in a separate C file which is
archived to cxx.lib.a. In supc++.o we prefix the wrapped functions with '_cxx_'.
This also enables support for riscv.
related to #1880
This driver uses the Usb session interface and provides a Block session
to its client. See _repos/os/src/drivers/usb_block/README' for more
information.
Fixes#1885.
Instead of only hardcoding "hw" read 'alsa_device' attribute from the
config node to determine the proper playback device. The default value
is still "hw" in case the attribute is not present.
Fixes#1884.
This patch removes a superfluous resize request at the creation time of
a new window, which resulted from _requested_size being initialized with
zero whereas the _geometry was initialized with the actual window
geometry. In some cases, this inconsistency led to the report of a new
resize request for the size 0x0, which is obviously wrong. I.e., it
leads clients to believe that the user has closed the window.
This patch resets the part of the window state that is responsible the
dragging of window controls once the drag operation is finalized.
Without it, the window was wrongly positioned when leaving the maximized
state after a previous resize operation.
This patch adds support for manipulating the window layout with keyboard
actions. It supports the toggling of fullscreen (aka maximize), the
raising of the currently focused window, and the focusing the next/previous
window.
This patch adds the mechanics for detecting key sequences to the window
layouter. Sequences for layouter actions can be expressed in the
layouter configuration. They cannot trigger any real action yet.
This patch weakens the themed decorator's demands with respect to the
supplied theme data. It no longer strictly requires the specification of
the '<closer>', '<title>', and '<maximizer>' nodes and the accompanied
png/tff data. Furthermore, the default.png can be left out if both decor
and aura have a size of zero.
This patch enhances the layouter to apply a label-dependent policy
for the placement of new windows. The policy may contain the
attributes 'xpos', 'ypos', and 'maximized'. If the latter is set
to "yes", the matching window will appear in maximized state.
This patch ensures that we never request a zero-sized virtual
framebuffer from nitpicker even when instantiating the object with zero
width or height. It therebu removes the burden of handling the resulting
invalid framebuffer dataspace from the user of the Nitpicker_buffer
utility.
The driver might end up in an endless loop on systems that do not
contain an i8042 controller when probing the AUX interface. This
leads to busy looping and in the end to not annoucing the Input
service. Components that wait for the announcement of the service
will therefore hang as well.
Normally a service gets announced only if it is usable but in this
case this is inconvient because it renders all scenarios that use
the input_merger non working on x86 systems that only provide USB
input and do not have PS/2 at all.
Ideally, the PS/2 driver should only be started if the system needs it.
That is currently not feasible and for the time being we post-pone the
inevitable and back down after several unsucessful attempts to read
from the AUX interface while initializing the driver.
Fixes#1871.
Interfaces that have been claimed by a component always have to be
released when the session is closed in case the component
malfunctioned.
Fixes#1869.
Inspired by the mailing-list posting [1], this commit removes the
MAC/PHY reset for all Intel cards and effectively prevents the bandwidth
drop to 10 MBit/s (e.g., on i217lm). I understand it as preliminary fix
for practical reasons - a real fix would be to update the ipxe port and
monitor for more postings like the one mentioned.
[1] http://lists.ipxe.org/pipermail/ipxe-devel/2015-December/004511.html
The 'usb_report_filter' component takes the devices report from the
USB driver and generates a new devices report after checking each
entry against its device white-list. Before emitting the new report
it changes the configuration of the USB driver to contain the
required policy entries.
See 'repos/os/src/app/usb_report_filter/README' for more details.
Issue #1863.
- Use 'label' attribute to identify device instead of
bus/dev and vendor_id/product_id
- Implement release_interface RPC
- Report 'label' as well as 'bus' and 'dev'
- Add policy handling to raw driver (includes reconfiguration
at runtime)
- Use own memory backing store for large DMA allocations
Issue #1863.
This prevents a sporadic null-pointer dereference in the nic_loopback
test, which occurred once in 100 runs. I'm not sure if there's still a
race window (we may investigate) with context dissolve.
Instead of polling for new Nic session signals, when waiting for
network packets with a timeout, block on the signal receiver, and
register a timer event beforehand using the same signal receiver.
Fix#1862
Ref #1864
Do not build core-muen_on library without the muen soecifier set.
Do not reference files of the muen contrib directory in the first
pass of make's rule analysis, when parding the muen specific kernel
makefile.
Fix#1859
The new implementation of the FPU and FPU context is taken out to
separate architecture-dependent header files. The generic Cpu_lazy_state
is deleted. There is no hint about the existence of something like an
FPU in the generic non-architexture-dependent code anymore. Instead the
architecture-dependent CPU context of a thread is extended by an FPU
context where supported.
Moreover, the current FPU implementations are enhanced so that threads
that get deleted now release the FPU when still obtaining it.
Fix#1855
Thanks to the log_terminal server, we no longer rely on a separate UART
for the noux output. We also skip the indirection of using a tar archive
but rather start the test-noux_form program as a mounted ROM module.
With commit e74b53d5dd the fork semantic in noux
changed slightly, and broke platforms like hw & sel4, where the UTCB is mapped
directly into the thread's context area. The change moved the re-initialization
to a point where the new noux process' thread stack-pointer was already switched
back to the context area. But to re-initialize the context area RPC calls must
be done, and the UTCB must be used therefore. On the other side the UTCB is
found implicitly by the stack-pointer, whereby a stack-pointer located in the
context-area refers to a UTCB that is expected to reside in the context-area
as well. But the UTCB gets overlayed inside the context area by the
context-area's re-initialization - we've come round in a circle.
This commit rolls back the move of the re-initialization routine. To preserve
the intention of the original commit, the context-area location is stored in
a static variable, so that the Native_config API is not needed anymore.
Fix#1851
This commit enables multi-processing for all Cortex A9 SoCs we currently
support. Moreover, it thereby enables the L2 cache for i.MX6 that was not
enabled until now. However, the QEMU variants hw_pbxa9 and hw_zynq still
only use 1 core, because the busy cpu synchronization used when initializing
multiple Cortex A9 cores leads to horrible boot times on QEMU.
During this work the CPU initialization in general was reworked. From now
on lots of hardware specifics were put into the 'spec' specific files, some
generic hook functions and abstractions thereby were eliminated. This
results to more lean implementations for instance on non-SMP platforms,
or in the x86 case where cache maintainance is a non-issue.
Due to the fact that memory/cache coherency and SMP are closely coupled
on ARM Cortex A9 this commit combines so different aspects.
Fix#1312Fix#1807
On ARM Cortex A9 platforms the external PL310 L2 cache controller
needs to be initialized dependent on the SoC. For instance on Pandaboard
it needs to call the firmware running in TrustZone's secure world,
on i.MX6 it initializes it directly, on other boards it doesn't need
to be initialized at all, because the bootloader already did so.
Therefore, we should implement the PL310 intialization in board specific
code and not in the base class implementation.
Ref #1312
This commit separates certain SMP aspects into 'spec/smp' subdirectories.
Thereby it simplifies non-SMP implementations again, where no locking
and several platform specific maintainance operations are not needed.
Moreover, it moves several platform specifics to appropriated places,
removes dead code from x86, and starts to turn global static pointers
into references that are handed over.
Now, the right PCI bus:device:function (BDF) is reported to the kernel
during assign_pci syscall - beforehand it was ever 0:0.0. The BDF is
needed to lookup the correct DMAR unit the kernel has to configure. This
was revealed as the DMAR unit for Intel graphics on x201 is not the same
as for all other PCI devices we have drivers for on this platform.
Fixes#1848
Instead of using the 'alloc()' method to allocate new packets use
the 'next()' method with the previous packet. This is needed because
the last audio stack changes broke the semantics assumed by 'alloc()'.
We now keep track of the already queued packets by hand.
Fixes#1827.
Use kernel branch which is more accurate in accounting memory, which avoids
kernel messages of following form:
[0] warning: insufficient resources ...
Fixes#1830
Enable automatic build of Muen system image by adding the image/muen run
script to RUN_OPT. Also specify --image-muen parameters with explanatory
comments.
Note: The ISO image is not built by default anymore.
The script takes the following RUN_OPT parameters:
--image-muen-external-build Muen system is built automatically or externally
--image-muen-system Muen system policy
--image-muen-components Muen system components
--image-muen-hardware Muen hardware platform
--image-muen-gnat-path Path to GNAT toolchain
--image-muen-spark-path Path to SPARK toolchain
Because a check for the TEST_WRITE configuration was missing as condition for a
packet submit, the test caused unwanted write access to the device.
Ref #1824
Explicitly cast floats to long as we currently do not plan to support
float in Xml_generator and previously the value was implicitly casted to
long anyway.
Issue #1819
Executing the system call will change the input fds as a side-effect
because the select_in.fds and select_out.fds structure are part of a
union. Since the original select_in.fds content is needed afterwards
make a copy instead of using a reference.
Fixes#1809.
The main thread's UTCB, used during bootstrap of the main thread before
it allocates its context area, needs to be outside the virtual memory
area controlled by the RM session, because it is needed before the main
thread can access its RM session.
Fix#1804
This patch adds diagnostic messages during the label-policy application,
if no policy for the session label was found or if the domain configured
in the policy node does not exist.
When unblocking a thread in Semaphore::up() while holding the fifo meta-data
lock, it might happen that the lock holder gets destroyed by the one it was
unblocking. This happened for instance in the pthread test in the past, where
thread destruction was synchronized via a semaphore. There is no need to hold
the lock during the unblock operation, so we should do it outside the critical
section.
Fix#1333
Previously we used a pretty slow external clock source for the timer. This
resulted in such a low TICS_PER_MS value that the granularity wasn't
sufficient to find a setup with a precision better than 1 second error per
minute. Now we use the so-called High Frequency Reference Clock as input
with TICS_PER_MS=33333 and the timer precision is significantly < 1 second per
minute.
Fixes#1805
From our observations we can tell that the error should not exceed 4%.
However, there is no reasonable explanation by now why the test results
are less stable on these platforms. We have tried several things that
did not lead to an explanation or improvement:
* changing the timing parameters of the scheduler
* switching off SMP
* double-checking the speed of userland and kernel timers
Ref #1805
The test threads previously used a stack size independent from the machine
word width. Qemu was previously configured to provide 64Mb of RAM which isn't
sufficient for x86_64.
Ref #1805
Upgrading the quota of a PD session on HW always triggers a "Quota
exceeded" warning. To prevent unecessary debugging effort in the future,
we explain in an in-code comment that the warning is normal.
Ref #1805
Print result error and error tolerance per test result. Use TCL commands
'format' and 'abs'to simplify calculations in the conclusion part of the run
script.
Ref #1805
When capabilities are delegated to components, they are added to the UTCB of the
target thread. Before the thread is able to take out the capability id out of
the UTCB and adapt the user-level capability reference counter, it might happen
that another thread of the same component deletes the same capability because
its user-level reference counter reached zero. If the kernel then destroys the
capability, before the same capability id is taken out of all UTCBs, an
inconsitent view in the component is the result. To keep an consistent view in
the multi-threading scenario, the kernel now counts how often it puts a
capability into a UTCB. The threads on the other hand hint the kernel when they
took capabilities out of the UTCB, so the kernel can decrement the counter
again. Only when the counter is zero, capabilities can get destructed.
Fix#1623
On Linux the linker can now be loaded at arbitrary addresses, this became
necessary for newer kernel versions. The 'linux_arm' target is not supported.
Issue #1728
Former Native_config::context_area_virtual_base() was used to identify
the main, which is not desired as the Native_config is rather low-level
(almost private to the base libs). The commit uses a library constructor
to retrieve the main-thread Thread_base pointer, which can be used later
to distinguish main and other threads.
Likewise on the x86 branch, we have to remove all virtual memory ranges from the
virtual memory allocator that are used by one-by-one mappings of I/O regions
used by the kernel.
Fix#1797
If the injection of an event causes an EPT violation, the event must be
injected again. This commit implements the reinjection for the case that
the EPT violation can be resolved without involving the recompiler.
Fixes#1798
This reverts commit d8b95c263b.
Some clients might want to fiddle with the clients play position
(e.g. the mixer) within 'Audio_out::start()' and we might reset
it to an old value if we do it afterwards.
Fixes#1796.
Since all Audio_out server components loop over the packet stream
queue it is save to reset the tail position to one after the play
position. We have to do this because we do not know exactly when
the play position changes (i.e. the driver has processed the packet)
and we might end up with a tail position before the current play
position.
Issue #1796.
* Also change the way how mute is handled. Only send the
changed signal if the user has clicked on the mute checkbox
* Always check channels_rom is valid
* Add <default> handling
* Increase verbosity
Fixes#1795.
Instead of bailing out if the channel list is incorrect check config
node attributes and default settings first.
Being there also fix flawed LOG messages.
Fixes#1794.
* enable i915 driver from Linux 3.14.5
* tested for generation 5 till 8 GPUs
The driver can be configured at run-time via the config ROM. Every
connector of the graphic card can be configured separately using the
following syntax
<config>
<connector name="LVDS-11" width="1280" height="800" enabled="true"/>
</config>
Also, when enabled within the intel framebuffer driver configuration like
the following
<config buffered="yes"/>
a simple ram dataspace is propagated to the client and the driver
itselfs copies from that buffer to the framebuffer triggered via refresh
calls. This option is useful to alleviate tearing effects.
The driver distributes all available connectors of the graphic card and
their supported resolutions via a report. It looks like follows
<connectors>
<connector name="LVDS-11" connected="1">
<mode width="1280" height="800" hz="60"/>
...
</connector>
...
</connectors>
The driver distributes the report only if this is stated within its
configuration, like the following
<config>
<report connectors="yes"/>
</config>
Fix#1764
This patch unifies the mechanism of selecting server-side policies and
taking session-routing decisions based on session labels. In both cases,
XML nodes are scored against session labels. The score depends on the
XML attributes 'label' (exact match), 'label_prefix', and
'label_suffix'.
Issue #1766
* Provide paravirtualized block API for accessing the second partition
of the block device that is provided by the ESDHC driver.
* Provide paravirtualized serial API for sending log-output over Genodes
serial port.
* Use the latest Linux suggested in the USB Armory Wiki [1] when on USB Armory
while still using the older vendor Linux when on i.MX53 QSB. I.e.,
provide a device tree through RAM and a rootfs through the paravirtualized
block device when on USB Armory while providing ATAGs and Initrd when on
i.MX53 QSB.
* Switch on the LED on the USB Armory when the VMM catches a VM-exception
and switch it off again when as soon as the exception is handled. This
merely show-cases the ability to instrument the LED for such purposes. In an
ideal world, the LED is switched on as long as we're on the "Secure Side"
and switched off as long as we're not.
* For further information see repos/os/run/tz_vmm.run
[1] https://github.com/inversepath/usbarmory/wiki/Preparing-a-bootable-microSD-imageFixes#1497
On the USB Armory, we want to secure different devices than on other i.MX53
implementations. Thus, add a board specific configuration that is interpreted
by the kernel Trustzone initialization.
Ref #1497
Enhance the VM state, that can be accessed by a VMM, by a member
'unsigned irq_injection'. In Kernel::Vm::proceed check, whether
irq_injection is set. If so, check whether irq_injection is a
non-secure IRQ. If so, let the PIC raise this IRQ in the VM and reset
irq_injection.
Ref #1497
This enables installation of the bootloader image without wiping the
partition table which is needed at least for the tz_vmm tutorial with
hw_usb_armory.
Ref #1497
Move ADMA2 stuff to extra header and unit. Move ESDHCv2 implementations to
extra unit. Use exceptions instead of error codes. Clean-up documentation.
Ref #1497
The manual termination of multi-block writes via "Stop Transmission" commands
seems to leave the card in a busy state sometimes. This causes errors on
subsequent commands. Thus, we have to synchronize manually with the
card-internal state via "Send State" commands. Additionally, the method
for issuing the manual "Stop Transmission" commands was refined.
Ref #1497
We have to issue a data synchronization barrier after writing a ADMA2
table to ensure that the corresponding write commands were actually
executed before issuing the SD command.
Ref #1497
On i.MX53 QSB, a "Send Op Cond" command during the driver initialization
returns another response value than on the USB Armory. As the check for
this response seems to have no relevance for the driver functionality (Linux
reads the value from MMIO but I can't find a place in the source code where
it is used), we simply remove it.
Ref #1497
Previously, it was not necessary to acknowledge an IRQ initially before using
it. However, since the IRQ framework changed lately it is. Adapt to this.
Ref #1497
Notify client initially to enforce a client-side ROM update. Otherwise,
a server-side ROM update between session creation and signal-handler
registration would go unnoticed.
Issue #1788
This patch changes the decorator to always apply stacking-order changes
immediately instead of deferring the re-stacking of the nitpicker views
to the next call of 'update_nitpicker_views'. The deferred application
did not always work when more then one windows changed their stacking
position at once because the cached '_neighbor' values interfered with
each other.
The eager re-stacking should not have negative effects on the user
experience because, in contrast to re-positioning, re-stacking a rare
operation.
This change makes it possible to reuse the generic window decorator
classes in include/decorator/ for decorators of a different structure.
E.g., instead of painting decorations on a single nitpicker session,
each window may paint its decorations into additional window-specific
nitpicker sessions.
For each session upgrade performed by a wm client as part of the
Nitpicker::Connection::buffer function, the window manager wrongly
upgraded the wrapped nitpicker session twice: Once by handling the
Root::upgrade, and again by handling of the server-side 'buffer'
operation. Here, the 'buffer' operation was implemented by not merely
forwarding the RPC request to the wrapped nitpicker session but by
calling the 'buffer' method on the wrapped session's connection
object, which implictly issues session upgrades. Consequently,
the window manager would transfer twice the amount of the session
upgrades it received by its clients to nitpicker and eventually ran
out of memory.
The patch fixes the problem by eliminating the call of the
Nitpicker::Connection::buffer method and instead merely forward the RPC
requests to the wrapped nitpicker sessions.
The original version of the icon painter would reach beyong the
texture boundaries for textures of even width and height, and when
painting an icon with the width or height of the texture.
In this case, p3 would be set to the same value as p2. However, the code
expects p3 to lie within the middle rectangle. However, in this corner
case, the middle rectangle is actually empty. So no pixel can lie within
it. Hence, p3 is positioned by one pixel to the left outside the middle
rectangle, which violates the assumptions when calculating the clipping
and texture offsets. The patch fixes the problem by reducing the size of
the right column by one pixel. This ensures that exists always a
non-zero middle rectangle.
In the event where a nitpicker session's quota was depleted by the
allocation of view handles, nitpicker would abort. The patch prevents
the abort by reflecting this condition as an Out_of_metadata exception
to the client. This way, the client can upgrade its session as needed.
The problem was triggered by running the decorator_stress test (changed
to generate 40 windows) with the themed_decorator.
This patch addresses the corner case that the specified neighbor view
is the first view of the view stack. If this is the case when inserting
the view in front of the neighbor (behind == false), the target position
within the view stack must be a null pointer, not the first view.
Because the conditions have become rather complicated, both cases
of 'behind' are handled separately now.
'block_for_signal' and 'pending_signal' now set pending flag in signal context
in order to determine pending signal. The context list is also used by the
'Signal_receiver' during destruction.
Fixes#1738
Instead of just red messages in the log and a hanging caller, the issuer
may respond to it - e.g. a noux bash shell will show an error and is
afterwards still usable.
Fixes#1778
Accidentally removed by #1658. We need to make the cleanup call for server
objects - otherwise we may get in capability identifier re-use trouble.
Issue #1778
The notion of a channel is shared by the mixer backend as well as the
frontend. To make dealing with reports between those easier move the
Channel definition to a global header.
Issue #1770.
This effectively enables configuring builds with -O0 for rump sources.
Note, if the build directory is not clean, at least var/libcache/rump*
should be removed before building with changed etc/tools.conf.
The test performs several rounds of write-read cycles with the following
configuration attributes in a <write-read> config node
rounds determines the number of rounds (default is 4)
size determines the number of bytes written/read in one round
(default is 4 MiB)
buffer_size determines the size of the write-read buffer
(default is 32 KiB)
In one round the test writes and reads "size/buffer_size" times
from/into a buffer_size'd buffer.
Related to #1765
Instructions:
1. Create a file in terminal one in the 'ram' directory
! echo "test" > ram/test
2. Second terminal
! tail -f ram/test
3. First terminal
! echo "Meaningless output" >> ram/test
4. Observe second terminal
The pthread object for the main thread initializes its 'Thread_base' base
class part with a reference to the 'Thread_base' object of the Genode main
thread. Therefore the pthread object for the main thread should never be
destroyed, as this would also destroy the Genode 'Thread_base' object.
Fixes#1760
Trapping rdtsc creates a huge load in some guests, e.g. Windows 8.1,
that use this instruction very frequently. This influences audio
playback/recording in a bad way (distorted sounds, …). As a interim
solution disable the virtualization of rdtsc completely. As long
as each guest VM runs on its own CPU core it should be fine as there
should not be that much interference (TSC warping).
That being said, TSC offsetting as well as adjusting within vbox have to
be evaluated.
Fixes#1768.
The RAM quota currently dedicated to the wm and decorator components in
the 'qt5_common.inc' file is too low for a window of size 1920x1080.
Fixes#1761
- Align implementation to the current generic implementation
- Document NOVA-specific implementation of dataspace() (as in the
original commit message)
This patch, complements the existing vbox layout with a hbox layout and
improves the response to dynamic dialog updates. The new version support
disappearing widgets and the reordering of widgets. Furthermore, this
patch ensures that the 'Widget::_layout' functions are executed after
updating a new version of the dialog.
This patch ensures that focus changes performed via the Session::focus
call are made effective the next time, the user is idle. Previously,
focus changes during drag operations were simply discarded.
strip_last_element at Path removes everything after the trailing slash,
which causes lookup failures at the VFS server when opening directories.
Issue #1648
Throw Invalid_name, No_space, and Out_of_node_handles where appropriate.
Catch the new range of errors thrown by at the VFS.
Catch Out_of_node_handles at the VFS, but print a message and re-throw.
Issue #1648
This patch introduces a shortcut for conditional session routes of the
form '<if-arg key="label" value="..."/>'. With this change, the label
can be directly specified as 'label' attribute of an '<any-service>' or
a '<service>' node. The '<if-arg>' mechanism was not documented anyway
and I hope to be able to ultimately remove it.
Don't skip the cleanup call if a pager object is marked as blocked.
It happens that the pager_object is in destruction but it is also used
concurrently by the pager thread. The pager thread handling code may set the
pager object to blocked but still uses the pointer to the pager object. Avoid
locking at the state of the pager object and make the cleanup call everytime.
Error output looks like this, where the pf_ip is within
void Pager_object::_page_fault_handler(addr_t pager_obj)
method and the pf_addr is the stale pointer to the already released pager_object.
no RM attachment (READ pf_addr=xxx pf_ip=xxx from 00 <NULL>)
static void Genode::Pager_object::_page_fault_handler(Genode::addr_t): page fault, thread '<NULL>', cpu x, ip=xxx, fault address=xxx
PAGE-FAULT IN CORE (READ pf_addr=b10e0090 pf_ip=132dbc from 00 <NULL>)
Currently, when a signal arrives in the main thread, the signal dispatcher is
retrieved and called from the main thread, the dispatcher uses a proxy object
that in turn sends an RPC to the entry point. This becomes a problem when the
entry point destroys the dispatcher object, before the dispatch function has
been called by the main thread. Therefore, the main thread should simply send an
RPC to the entry point upon signal arrival and the dispatching should be handled
solely by the entry point.
Issue #1738
* use '_dma_ext' or '_fdpma' commands
* handle interrupts depending on mode of operation
* spelling fixes
* move ATA 'Idendity' struct to ata header
issue #1734
- we claim to have no limits on file handles and number of threads
- remove obsolete Thread_base::myself fall-back code for stack size calculation
Issue #1733.
Too less memory quota for a PD may be calculated, which leads to too early
punishment for a Genode process.
Discovered during Turmvilla scenario #1552 and issue #1733.
Additionally print warnings about unavailable CPUs if they are tried to be
used during pager object setup.
Discovered during Turmvilla scenario #1552 and issue #1733.
Causes trouble if a gz image is loaded via grub and later used as initrd for a
Linux VM (e.g. with Seoul VMM)
Discovered during Turmvilla scenario #1552 and issue #1733.
threads with prio 0 will not be started and would fail silently.
Happened on Turmvilla for the USBProxy thread in virtualbox.
Discovered during Turmvilla scenario #1552 and issue #1733.
Reduces kernel log message noise when running on kernel-debug branch.
Additionally add a more verbose core message.
Discovered during Turmvilla scenario #1552 and issue #1733.
To make the creation of a bootstrap medium for most ARM platforms more
comfortable this tool shall bundle all the different U-Boot source
states, patches, and MMC preparation rules that we gathered over the
year for that purpose. As input, the tool merely needs the targeted
platform (analogous to the platform parameter of 'create_builddir'). By
now, 'hw_wand_quad' is the only supported platform. Further platforms
can be added successively. As output, the tool creates a head image file
of small size (8MiB) that can be copied (dd) with offset 0 to the MMC.
Fixes#1730
Under some circumstances, the diagnostic message in the exception signal
handler was not printed. This could happen due to a dead lock in the
console library if the console code itself produces the exception while
possessing the mutex, e.g., by exhausting a undersized stack. Now, we
directly write to the log session via the stdout_write() hook or use
raw_write_str() in core.
This patch improves the decorator in two ways. First, it enables the
assignment of window colors depending on the window labels. This
configuration can be changed dynamically. Second, it adds the handling
of window controls for closing, maximizing, minimizing windows.
Issue #1689Fixes#1688
This patch supplements the existing focus reports with the new attribute
'active', which indicates recent user activity when set to "yes". This
information is consumed by the clipboard to dynamically adjust its
information-flow policy depending on the user activity.
Issue #1712
This patch moves the formerly internal classes of the report-ROM service
to the public location os/include/report_rom/ so that they can be reused
by other components such as the upcoming clipboard.
This overload of the value member eases the retrieval of Genode::String
objects from XML attributes. So we won't need to deal with C-style
character buffers anymore.
The utilities in os/session_policy.h used to be tailored for the
matching of session arguments against a server-side policy
configuration. However, the policy-matching part is useful in other
situations, too. This patch removes the tight coupling with the
session-argument parsing (via Arg_string) and the hard-wired use of
'Genode::config()'.
To make the utilities more versatile, the 'Session_label' has become a
'Genode::String' (at the time when we originally introduced the
'Session_label', there was no 'Genode::String'). The parsing of the
session arguments happens in the constructor of this special 'String'.
The constructor of 'Session_policy' now takes a 'Genode::String' as
argument. So it can be used with the 'Session_label' but also with other
'String' types. Furthermore, the implicit use of 'Genode::config()' can
be overridden by explicitly specifying the config node as an argument.
Defer destruction of threads which tries to self-destruct. Check an perform
cleanup of such threads during pthread_cancel and pthread_create.
Issue #1687
Until now, the CLI monitor and the laucher allowed the user to explitly
kill subsystems but both used to ignore gracefully exiting subsystems.
It was the user's job to remove the remains of those subsystems. The
patch takes the burden of manually killing exited subsystems from the
user.
Fixes#1685
Instead of white-listing floppy controllers, certain SCSI controllers
as well as ISAPnP etc. pp. remove the diagnostics and print each access
if verbose is set.
Fixes#1726.
Instead of using the alarm_timer thread we use our own timer thread
that uses a kernel semaphore on Nova. On all other platforms a timer
connection and trigger_once is used.
Fixes#1727.
Addressing must be PC-relative, so adapt the approach from the other
nova_x86_32 syscall bindings (description by @ssumpf):
Use call to push the current IP on the stack and add the distance of
label 0 and label 1 in order to determine the return address, which
NOVA requires in edx.
The bug only showed up with "-O0" in libc.lib.so in form of a unwanted
text relocation.
Fixes#1721
platform_execute() is used to initially switch the stack of a
routine/task. While Thread_base::alloc_secondary_stack() properly aligns
the returned stack pointer the x86_64 assembler implementation did not
comply to stack frame management specified in the ABI.
The used (and most simple) stack-alignment check may pass a float to a
varargs function on x86, which requires the compiler to properly save
some XMM registers on stack.
Dataspace components inherit from RPC objects which are non-copyable from now
on. Therefore, the Rom_session_component's constructor had to be modified
to not construct a dataspace component on the stack and assign it in the
following.
Ref #1704
Holding the object pool's lock while trying to obtain an object's lock
can leave to dead-lock situations, when more than one thread tries to
access multiple objects at once (e.g.: when transfer_quota gets called
simultanously by the init and entrypoint thread in core). To circumvent
holding the object pool lock too long, but access object pointers safely
on the other hand, this commit updates the object pool implementation
to use weak pointers during the object retrieval.
Fix#1704
Destroying an object within the scope of a lambda/functor executed
in the object pool's apply function leads potentially to memory corruption.
Within the scope the corresponding object is locked and unlocked when
leaving the scope. Therefore, it is illegal to free the object's memory meanwhile.
This commit eliminates several places in core that destroyed wrongly in
the object pool's scope.
Fix#1713
If a client provides a read buffer of insufficient size for all
available data, we have two options
1) Leave it to the client to do partial reads until not further data is
available, or
2) Signal the client that there still some bytes on a partial read.
As the second option seems more robust it's implemented in this commit.
Fixes#1705
This makes use of the iPXE sanboot command [1] which downloads and
boots an ISO image directly via HTTP. Therefore, your RUN_OPT needs
both
--include image/iso and
--include load/ipxe
NOTE: The webserver serving the ISO image must support ranged requests,
see [2].
[1] - http://ipxe.org/cmd/sanboot
[2] - http://forum.ipxe.org/showthread.php?tid=7295&pid=10482#pid10482
iPXE is an open source network boot firmware which supports booting from
a web server via HTTP [1].
The following two parameters can be used to specify the iPXE/HTTP setup:
--load-ipxe-base-dir
This parameter specifies the base directory of the HTTP server from
which the target machine downloads the files.
--load-ipxe-boot-dir
The directory relative to iPXE base dir which contains the iPXE
chainload configuration and all necessary files.
The target machine is expected to request the following iPXE
configuration via HTTP:
http://${HOST_URL}/${ipxe-boot-dir}/boot.cfg
This can be achieved by building iPXE with the following embedded
script:
#!ipxe
dhcp
chain http://${HOST_URL}/${ipxe-boot-dir}/boot.cfg
See also [2] for additional information.
[1] - http://ipxe.org/
[2] - http://ipxe.org/howto/chainloading#breaking_the_loop_with_an_embedded_scriptFixes#1708
* Move the Synced_interface from os -> base
* Align the naming of "synchronized" helpers to "Synced_*"
* Move Synced_range_allocator to core's private headers
* Remove the raw() and lock() members from Synced_allocator and
Synced_range_allocator, and re-use the Synced_interface for them
* Make core's Mapped_mem_allocator a friend class of Synced_range_allocator
to enable the needed "unsafe" access of its physical and virtual allocators
Fix#1697
The commit consumes the argument of a unsupported printf command.
Without the commit - a subsequent command uses the argument of the preceding
command, which may cause memory corruption or page faults for sequences using
string commands, e.g.
Genode::printf("%#x %s\n", 0x20, "Test");
'#' is not supported by Genode::printf. In this scenario a pagefault at
address 0x20 is caused.
Fixes#1701
The 'O_NONBLOCK' flag has different numerical values in lwip and in the
libc, which prevented the correct setting of nonblocking socket mode.
Fixes#1699
The intention of Packet_ref was to allow clients to place opaque
references into the packet descriptor itself, which could be observed on
packet completion. Currently no component in our sources uses this
feature and beyond that it is questionable if it should be used at all:
If the server tampers with the ref the client may easily be confused
into observing an incorrect or invalid context. It seems better to
remove the opaque context from the descriptor and leave the actual
implementation to the client and its needs.
Unfortunately, the 'gcc -dumpmachine' magic does not suffice on all
Linux distros, so we just add the well-known paths for i386-linux-gnu
and x86_64-linux-gnu.
Fixes#1694
This patch extends the configuration concept of init with an additional
sub node for the <start> node:
<start name="noux">
<exit propagate="yes"/>
...
</start>
If the 'propagate' attribute is set to "yes", the exit of the respective
child will appear to init's parent as the exit of the entire init
subsystem.
Fixes#1686
Instead of holding SPEC-variable dependent files and directories inline
within the repository structure, move them into 'spec' subdirectories
at the corresponding levels, e.g.:
repos/base/include/spec
repos/base/mk/spec
repos/base/lib/mk/spec
repos/base/src/core/spec
...
Moreover, this commit removes the 'platform' directories. That term was
used in an overloaded sense. All SPEC-relative 'platform' directories are
now named 'spec'. Other files, like for instance those related to the
kernel/architecture specific startup library, where moved from 'platform'
directories to explicit, more meaningful places like e.g.: 'src/lib/startup'.
Fix#1673
The plugin works just like the netio plugin and uses the following
parameters
--power-off-energenie-host network address of device
--power-off-energenie-password password for device
--power-off-energenie-port target port of device
The run plugin is not generic and works for NETIO4/NETIO230 powerplugs
only. Further, this opens the path for other vendor-specific powerplug
plugins.
Note, the plugin parameter for the addressed powerplug was renamed to
--power-on-netio-host resp.
--power-off-netio-host
To correctly delete all IPC gates created via a CAP session, all
capabilities created have to be stored. Otherwise we leak kernel
objects within Fiasco.OC permanently.
Fix#702
This scripts starts two Audio_out session clients. These clients
access the soundcard via the mixer. The first client simply streams
a sample file in a loop while the second client generates a click
sound when any key is pressed.
Issue #1666.
Sometimes, the play position in stream is behind the out stream, mostly
because of timing issue. In this case, the mixer will produce invalid
packets which in return will lead to looping on an invalid packet in
the audio_drv.
Issue #1666.
Instead of looping the whole queue, the driver now loops on the first
invalid packet. In any case it will send a progress signal to its
client.
Fixes#1666.
For some platforms (at least hw_zynq on Qemu), the measured time of the
periodic timeout test exceeded the maximum that was previously
calculated without any tolerance. Most likely, this is not a malfunction
of the test subject as the error is pretty small and, of course,
measuring the time produces overhead itself. Introducing a tolerance of
only 0.1% fixes the problem.
Fixes#1599
Instead of returning pointers to locked objects via a lookup function,
the new object pool implementation restricts object access to
functors resp. lambda expressions that are applied to the objects
within the pool itself.
Fix#884Fix#1658
Propagating the user context-pointer from C++ code to the mode
transition assembly doesn't touch any CPU global data. Thus, we can
reduce the in-sync window.
Fixes#1223
Other platforms implement Kernel::Cpu_context stuff in
kernel/cpu_context.cc. On x86_64, it was implemented in
kernel/thread.cc. The commit fixes this inconsistency to the other
platforms.
Ref #1652
The distinction between Kernel::Thread and Kernel::Thread_base is
unnecessary as currently all Hw platforms would have the same content in
the latter class. Thus I've merged Kernel::Thread_base into
Kernel::Thread. Thereby, Kernel::Thread_event can be moved to
kernel/thread.h.
Ref #1652
The Muen-specific PIC implementation provides the irq_occurred()
function which is used to register an IRQ with the PIC upon thread
exception.
The occurred IRQs are stored in a boolean array internally and handed
out to a CPU via take_request().
The driver uses the timer page containing a vector and timer value to
implement the start_one_shot() and value() functions. The timer value
designates the absolute tick count of the next event.
The address of the time page is acquired using the get_memregion_info
Sinfo API function.
The Muen Sinfo API is used to retrieve information about the execution
environment of a subject running on the Muen Separation Kernel.
While the C++ API is defined in sinfo.h, musinfo.h specifies the
internal format of the information stored in the Sinfo pages provided by
the Muen SK. It is a copy of the file contained in the libmusinfo
library of the Muen project. That is the reason why the coding style in
this file differs from the official style.
Move Platform::setup_irq_mode function from x86 platform_support.cc to
x86_64 specific file. This will enable the upcoming x86_64_muen platform
to provide a separate implementation.
The hw_x86_64_muen platform is a x86/64 base-hw kernel which runs as
isolated subject (guest) on the Muen Separation Kernel (SK) [1].
The platform is implemented as an extension to hw_x86_64 replacing the
PIC and timer drivers with paravirtualized variants. The skeleton
contains a dummy PIC and timer implementation for now.
[1] - http://muen.sk
If the guest is not in an interruptible state when the recall handler is
called, an assertion fails. Since the assertion is only relevant if the
recall handler was called during IRQ injection, it should be moved into
the corresponding conditional block which already has the assertion for
the 'IF' flag.
Fixes#1661
By default, the EMT thread of the last vCPU handles expired timers. When
running VirtualBox with 2 vCPUs, it sporadically happens that the EMT
thread of the second CPU clears an 'interrupt pending' flag for the first
vCPU after changing the state of a timer device model, which is not
expected by our Genode-specific code (failed assertion '!_irq_win' in the
recall handler).
The problem did not occur yet when letting the EMT thread of the first
vCPU handle the expired timers, which is done by this commit as an interim
fix until the problem has been further investigated.
Issue #1660
Add spin loop hint by means of the PAUSE instruction since
wait_for_interrupt is called in a busy loop. This should improve processor
performance and reduce power consumption.
Note: HLT cannot be used since it is a privileged instruction and the idle
thread is executed in userspace.
Move the _core_only_mmio_regions function to the
x86_64/platform_support.cc file. This is required to make it overridable
for other platforms deriving from x86.
If a requested report already exists the request is denied with
Invalid_args.
Further, I dusted the report_rom test and added it to the
autopilot list.
There are currently some issue with the mixing/filtering code of vbox.
So instead of using the audio subsystem to do filtering and mixing we
bypass it to get better audio qualitiy. That means that the device
model of the VM has to use the same sample rate as the Audio_out/in
sessions, however.
Issue #1647.
With this commit preliminary audio support in VirtualBox is enabled.
The backend supports playback as well as recording sounds from within
a guest VM. Depending on how the guest configures the device model
the audio output may sound disorted. If the guest uses buffers that
are too small, i.e., 10 ms or less, frequent buffer underruns will
occure.
To get this low-latency one has also to increase vbox' update hz
to 200 (i.e., 5ms).
Fixes#1647.
When a stream was stopped it may still contain valid packets that
will be played automatically when the stream is started again. The
invalidate_all() method may be called after stopping the stream to
prevent this.
Issue #1647.
Run script depending on VFS plugins (i.e., shared objects) like
vfs_jitterentropy.lib.so have to state this dependency rather the actual
binaries linked against libc. The latter introduces a library dependency
that is just not there. For example, the dependency on vfs_jitterentropy
is a result from the config node for libc which automatically loads the
plugin.
The alarm library failed to handle the case properly where an already
scheduled alarm gets rescheduled before it triggered. Even though the
attempt to reschedule the alarm (twice insertion into alarm queue) was
detected, this condition resulted in the mere modification of the
alarm's parameters while keeping the alarm's queue position unchanged.
This, in turn, may violate the invariant that all enqueued alarm objects
are strictly ordered by their deadlines. The patch handles the case by
dequeuing the alarm object before reinserting it into the queue at the
right position.
Fixes#1646
With the introducation of the Audio_in session interface it makes
sense to rename the current available audio drivers. At the moment
only the dde_bsd audio_drv supports Audio_out as well as Audio_in.
The Linux audio_drv only supports Audio_out (there is no demand for
Audio_in support currently) but is renamed nonetheless to make it
easiert to write generic run scripts.
Issue #1644.
The driver is now able to record audio samples. In contrast
to playback it has to be enabled explicitly by setting the
configuration attribute 'recording' to 'yes'. Playback is by
default enabled but may be disabled by setting 'playback' to
'no'. Furthermore it is now possible to configure the mixer
from the configuration. For now, the interface used by vanilla
OpenBSD is just exported.
The following snippet shows how to enable and configure recording
on an Thinkpad X220 where the headset rather than the internal
mic is used as recording source:
! <start name="audio_out_drv">
! <resource name="RAM" quantum="8M"/>
! <provides>
! <service name="Audio_out"/>
! <service name="Audio_in"/>
! </provides>
! <config recording="yes">
! <mixer field="outputs.master" value="255"/>
! <mixer field="record.adc-0:1_source" value="sel2"/>
! <mixer field="record.adc-0:1" value="255"/>
! </config>
! </start>
In addition to selecting the recording source the playback as
well as the recording volume are set to 255 (maximum).
Information about the available mixers and settings in general
may be obtained by setting the 'verbose' to 'yes' in the config
node.
Issue #1644.
Unfortunatly, there is no support for any HDMI/DP based HDA codecs in
this driver. Therefore we try to filter out known devices (normally the
PCI device on 00:03.00). This could also be done in the platform_drv's
configuration by explicitly naming the BDF but for better or worse that
will not work when using a wildcard class like HDAUDIO which is done in
generic run scripts.
Issue #1644.
In line with the Audio_out session a Audio_in session is used to
record audio frames. Like in the Audio_out session shared memory
in form of the Audio_in::Stream is used to transport the frames
from the server to the client. These frames consist of single
channel (mono) samples. An Audio_in::Packet always contains a full
period of frames.
A Audio_in server captures frames and puts them into the
Audio_in::Stream. To do so the server allocates a Audio_in::Packet
from the packet queue embedded in the Audio_in::Stream. If the queue
is already full, the server will override packets and notify the
client by submitting the 'overrun' signal. The client has to cope
with this situation, e.g., by saving packets more frequently.
A client will also receive a 'progress' signal from the server when
a new Audio_in::Packet was submitted to the packet queue.
Fixes#1644.
To archive lower latency the length of a period was reduced from
2048 (~46ms) to 512 (~11.6ms) samples.
It should be noted that this change probably breaks audio in Qemu on
most systems.
Issue #1644.
For most platforms except of NOVA a distinction between pager entrypoint
and pager activation is not needed, and only exists due to historical
reasons. Moreover, the pager thread's execution path is almost identical
between most platforms excluding NOVA, HW, and Fisco.OC. Therefore,
this commit unifies the pager loop for the other platforms, and removes
the pager activation class.
This exit handler is called by the NOVA kernel now when the VM uses PAE
with nested paging and the PDPTE registers need to get updated. With this
commit, an error message is printed if this situation occurs.
Fixes#1640
The reference count get increase to use 2 bytes, so we need the double amount
of selectors as before.
Additionally print a message if we run out of capabilities in a server. Since
our rpc framework is now clever enough to detect that for a printf we don't
need to setup a receive window, we may use a printf instead of a die call.
Eases debugging.
Issue #1601
Showcasing the out of memory kernel issue.
One test triggers oom during memory delegation when talking to core pager
thread. Two other test trigger oom during capability delegation in a
server/client scenario for send and reply phase separately.
Issue #1601
Move FS Node implementations from server/ram_fs to include/ram_fs.
Support embedded ram_fs instances in VFS configurations using <ram/>.
Add 'no space' handling to VFS symlink ops.
Fixes#1635
Allow symlinks to be passed to the read and write file system utilities.
Disallow writes to symlinks with offsets in file system servers, this is
to ensure that writing the target of a symlink is an atomic operation.
Fixes#1604
If a user has e.g. /tftpboot/x86 as directory and configures
base_dir=/tftboot and offset_dir=/x86, this leads to bad behavior
as the load module creates a symlink
/tftpboot/x86/<builddir> -> <absolut_builddir>
in this case instead of the desired
/tftpboot/x86 -> <absolut_builddir>
Furthermore, the module works on
/tftpboot/x86/config-00-00-00-00-00-00
and
/tftpboot/x86/<builddir>/config-00-00-00-00-00-00
afterwards, which looks bad too. As there is no warning at all, this can
be hard to debug. The commit adds an appropriate check with error message and
exit -1 on an existing directory.
Fixes#1630
Increase internal chunk size of heap only if an allocation succeeded
beforehand. Otherwise the chunk size increases with every unsuccessful
invocation and a upgrade of the used ram session will be insufficient and of
no use at all.
Fixes#1632
If some sessions run out of memory in init, resource requests will be issued
to core, which it never will satisfy. Setting some default signal handler
avoids that the default implementation will block init for ever.
Issue #1632
Moves the Bios Data Area header from base-hw to base. Modifies the
base-nova core console that it uses the header as replacement for
the previous BDA bit logic.
Ref #1625
Introduces a class Unmanaged_singleton_constructor that can be declared as
friend to be able to call unmanaged_singleton on classes with a private
constructor. Enables the appliance of the singleton pattern.
Ref #1625
Three things were done:
* Timouts are measured in an asynchronous way to be able to start counters
after the potentially expensive RPC that starts the timeout.
* Timeouts were increased from 45 and 15 seconds to 60 and 20 seconds
because at least on Arndale, results were not stable enough.
* Counting is done on 'unsigned long long' instead of 'unsigned' because
with the higher timeouts, overflows occured.
Fixes#1628
The timer driver previously used floating point operations to translate us to
tics and vice versa. This isn't necessary as the rounding error isn't critical
for the given values but expensive which should be avoided in a code path that
must be executed pretty frequent with high priority.
Ref #1628
If just one multiboot kernel module was loaded after bender, the
relocation was skipped before. This resulted in a corrupt binary image
on ELF loading if the regions of the boot module and the final program
overlap. Now, all modules are copied below 2 GiB (and out of the way)
before ELF loading.
Fixes#1624
Bender upstream issue is TUD-OS/morbo#4
This commit eliminates the mutual interlaced taking of destruction lock,
list lock and weak pointer locks that could lead to a dead-lock situation
when a lock pointer was tried to construct while a weak object is in
destruction progress.
Now, all weak pointers are invalidated and dequeued at the very
beginning of the weak object's destruction. Moreover, before a weak pointer
gets invalidated during destruction of a weak object, it gets dequeued, and
the list lock is freed again to avoid the former dead-lock.
Fix#1607
Up to now it was not possible to trace threads that use a different
Cpu_session rather than env()->cpu_session() (as done by VirtualBox).
This problem is now solved by setting the Cpu_session explicitly when
creating the event logger and attaching the trace control area when
creating the thread.
Fixes#1618.
The timer driver on X86 needs CPU quota with highest priority as it
frequently has to interrupt the counters to update the PIT.
On ARM this makes no difference in the test results as ARM timer
drivers, once configured, can sleep until the end of the timeouts.
On X86 we raise the error tolerance to 2% (default 1%) to compensate
the error caused by the timer.
Fixes#1621
Printing all errors and the goal values instead of exiting at the first
error allows for faster analysis of problems with the CPU-quota
mechanism.
Ref #1616
The test always succeeded because I forgot to set the error tolerance from
my debugging value 1 back to the correct value 0.01 before commiting the
test.
Ref #1616
Since the HW-kern-caps commit, there was a bug in the Platform_thread
constructor. When called for a user thread, the constructor stated 0
as CPU quota at the Kernel_object instead of its quota input-paramater.
Fixes#1620
- free up kernel memory of empty slabs (if already one empty slab is in
place)
- free up more page table entries
- handle CPUs with invariant TSCs gracefully
Genode/Nova running on CPUs without the invariant TSC feature may seem
to 'hang'. The referenced commit of the nova branch fixes the issue
for some older Intel CPUs.
Fixes#1615
Adjust bomb to specify the various hard-coded parameters and set up bomb.run
this way that it manages at our test machine to succeed in the given time.
Issue #1615
Bomb and any server may generate references to capabilities exceeding 256 -
use a 16bit counter until the cap handling in Genode gets unified.
Additionally try to print a warning, instead of dying, if we get cap reference
count under or overflow.
Issue #1615
Do not use slabs for allocations above 64KB, this seems to lead to memory
corruptions and the error described in issue #1613 under certain circumstances.
fixes#1613
Add a test where a locked pointer shall be taken during object destruction.
Moreover, extend the run-script so it runs on different platforms with
"real" timers.
SDL uses the Audio_out session in streaming fashion. For this reason
the audio might be played with delay of at most the queue size. To
mitigate the effect we synchronize the tail pointer to the current play
pointer when the PlayAudio() function is called by SDL for the first
time.
Fixes#1612.
Init used to specify the unique child name as session label when
requesting the binary image of a dynamically linked child. The actual
module name was propagated as "filename" session argument. Since we want
to move towards the sole use of the session label, which can be taken
into account for the session routing, the module name should always be
the last part of a ROM session label.
This patch changes the window manager, the decorator, and the
floating window layouter to propagate the usage of an alpha channel from
the client application to the decorator. This way, the decorator can
paint the decoration elements behind the affected windows, which would
otherwise be skipped.
This patch adds two new painters located at gems/include/polygon_gfx.
Both painters draw convex polygons with an arbirary number of points.
The shaded-polygon painter interpolates the color and alpha values
whereas the textured-polygon painter applies a texture to the polygon.
The painters are accompanied by simplistic 3D routines located at
gems/include/nano3d/ and a corresponding example (gems/run/nano3d.run).
This patch changes the way how CLI monitor obtains its subsystem
configurations. Originally, this information was provided via the
Genode::config mechanism. But for managing complex scenarios, the config
node becomes very complex. Hence, it is preferrable to have a distinct
file for each subsystem configuration.
The CLI monitor scans the directory '/subsystems' for files ending with
".subsystem". Each file has the same syntax as the formerly used
subsystem nodes.
Instead of using the Genode user-level signal API to signal page-faults to
a page-fault handler, use the kernel API directly. Thereby the accounting
of signal contexts needed for each paging subject can be done easily.
Fix#956
Moreover, be strict when calculating the page-table requirements of
core, which is architecture specific, and declare the virtual memory
requirements of core architecture-wise.
Ref #1588
We set 'ld -z max-page-size' to 4KiB to prevent the linker from aligning
the text segment to any built-in default (e.g., 4MiB on x86_64 or 64KiB
on ARM). Otherwise, the padding bytes are wasted at the beginning of the
final binary.
Removed the Nic::Driver implementation. All nic servers now inherit from
Nic::Session_component. Packet stream signals are dispatched to
the 'handle_packet_stream' function within a session component. Thus, nic
servers now have direct access to the packet stream channels, making handling
more flexible.
Adjusted nic_loobpack, dde_ipxe, wifi, usb, lan9118, Linux nic, and OpenVPN to
the new interface.
Fixes#1602
The ~Irq_session_component relied on the IRQ number obtained by the
corresponding kernel IRQ object to mark the IRQ as free at the IRQ
allocator. However, since the kernel IRQ object is initialized not
before the 'sigh' function is called, the IRQ of sessions that
never called 'sigh' could not be freed correctly. This patch fixes
the problem by not relying on the kernel IRQ object for obtaining
the number in the destructor but using the '_irq_number' member
variable instead.
Use printf format specifier with correct size to log error code which is
if type uint32_t. Also print the error code in hex since this simplifies
lookup as the error values are also defined as hexadecimal values, see
[1].
Fixes#1600
[1] - repos/ports/src/virtualbox/include/xpcom/nsError.h
Instead of organizing page tables within slab blocks and allocating such
blocks dynamically on demand, replace the page table allocator with a
simple, static alternative. The new page table allocator is dimensioned
at compile-time. When a PD runs out of page-tables, we simply flush its
current mappings, and re-use the freed tables. The only exception is
core/kernel that should not produce any page faults. Thereby it has to
be ensured that core has enough page tables to populate it's virtual
memory.
A positive side-effect of this static approach is that the accounting
of memory used for page-tables is now possible again. In the dynamic case
there was no protocol existent that solved the problem of donating memory
to core during a page fault.
Fix#1588
Unregister callbacks, so rx packets will not be propated to the deleteted
'Driver' object. Initialize ipxe once in the 'Main' object, thus allowing new
session connections.
Fixes#1595
With the server framework this becomes unnecessary. Also when the 'platform_drv'
has a lower priority, signaling will cause a constant load that starves the
'platform_drv'.
Fixes#1594
The recent change of the TRACE session interface triggered the
following warning:
/home/no/src/genode/repos/base/include/base/ipc.h:79:4: warning: ‘ret’ may be used uninitialized in this function [-Wmaybe-uninitialized]
*reinterpret_cast<T *>(&_sndbuf[_write_offset]) = value;
^
In file included from /home/no/src/genode/repos/base/src/core/include/trace/session_component.h:19:0,
from /home/no/src/genode/repos/base/src/core/trace_session_component.cc:15:
/home/no/src/genode/repos/base/include/base/rpc_server.h:132:42: note: ‘ret’ was declared here
typename This_rpc_function::Ret_type ret;
The warning occurs for basic return types (like size_t), which are
indeed not initialized. The variable gets its value assigned by the
corresponding 'call_member' overload, to which the variable is passed as
reference. But the compiler apparently is not able to detect this assignment.
Declaring 'ret' with a C++11-style default initializer fixes the warning.
While importing trace sources as trace subjects into a TRACE session,
the session quota might become depleted. The TRACE session already keeps
track of the session quota via an allocator guard but the 'subjects' RPC
function missed to handle the out-of-memory condition. This patch
reflects the error condition as an 'Out_of_metadata' exception to the
TRACE client. It also contains an extension of the trace test to
exercise the corner case.
This patch enable clients of core's TRACE service to obtain the
execution times of trace subjects (i.e., threads). The execution time is
delivered as part of the 'Subject_info' structure.
Right now, the feature is available solely on NOVA. On all other base
platforms, the returned execution times are 0.
Issue #813
This patch bases the size of the destination buffer in
'Init::Child_policy_redirect_rom_file' on the maximum label size
instead of the filename size. Otherwise, the use of a long configfile
name (i.e., "trace_subject_reporter.config") in combination with a long
child name ("trace_subject_reporter") would result in a truncated label
string.
When replacing a report with a smaller one, the corresponding ROM
dataspace should not contain any traces of the old report. Otherwise,
the consumer of the ROM dataspace may mistake the stale content as
meaningful information. This is particularly annoying when manually
inspecting reports. This patch overwrites the stale content with zeros.
By appending a newline to the generated XML data, we prevent the output
from messing with the command prompt when using 'cat' on a shell.
Futhermore, when using line-buffered output, the trailing newline
ensures that the output gets gets properly flushed.
The result of the second run (TCP_MAERTS) gets extracted wrongly - due to the
change introduced by commit "run: always append to output buffer"
(Issue #1327). The output buffer is no longer reseted between several
run_genode_until invocation within a run script.
On ARM, the compiler generates calls to memcpy and memset. Most
dynamically linked programs use the libc, which provides these
functions. However, if a dynamically linked program does not use the
libc (e.g., noux/minimal or the new version of cli_monitor), those
symbols remain unresolved. By adding them to ldso's symbol.map, the
dynamic linker will resolve them with the functions of the cxx
library, which is part of the dynamic linker.
Issue #1561
This patch moves the VFS file-system factory to a separate vfs library
that is independent from libc. This enables libc-less Genode programs to
easily use the VFS infrastructure.
Fixes#1561
With this patch, the VESA driver reports the framebuffer width to the
client instead of the visible width This fixes possible distortion
if these widths differ, at the cost that content in the right-most area
might be invisible in such cases.
Issue #1264.
Add a Platform::setup_irq_mode function which enables the IRQ session to
update the trigger mode and polarity of the associated IRQ according to
the session parameters. On ARM this function is a nop.
This change enables the x86_64 platform to support devices which use
arbitrary trigger modes and polarity settings, e.g. AHCI on QEMU and
real hardware.
Fixes#1528.
Some files were not shown because too many files have changed in this diff
Show More
Reference in New Issue
Block a user
Blocking a user prevents them from interacting with repositories, such as opening or commenting on pull requests or issues. Learn more about blocking a user.
