On x86 64 bit with SeL4, the test needs around 80MB that must be
completely composed of 4KB-pages due to current limitations of the SeL4
port. Thus, Core must flush the page table caches pretty often during
the test which is an expensive high-prior operation and makes it
impossible to provide a highly precise time.
Multi-wraps
-----------
Previously, on every new timeout, we programmed registers LR=timeout and
CMP=0. The counter than counted from LR down to 0, triggered the IRQ,
jumped back to LR, and counted down again. If one installed small
timeouts (< 1000 us), it was likely that the counter wrapped multiple
times before we were able to read it out. Initially, this was not a big
issue as the additional wraps were simply ignored and the amount of time
lost through this was not big. But when we want to do correct rate
limitation, multiple wraps cause an overflow in the additional
calculations, and this has a big effect on the resulting time value.
Thus, we now program the counter to start from ~0 and count down to 0.
We set CMP=~0-timeout so that the timer still triggers the IRQ at the right
time. The counter continues counting down after the IRQ has triggered until
we install a new timeout. We do not consider anymore that the counter wraps.
The maximum timeout is set to half the maximum counter value, so, we should
be able to install a new timeout before the counter wraps.
Rate limit for time updates
---------------------------
In the time span between two interrupts we have to remember how many ticks
we have already added to the time value. This is because at each call of
curr_time we can only see how many ticks have passed since the last call of
schedule_timeout and not since the last call of curr_time. But we want to
limit the rate of time updates in curr_time. With the member for ticks that
were already added since the last call to schedule_timeout we can then
calculate how many are yet to be added.
* integrate rump's contrib code into Genode's build system and build what is
required by Genode, only
* checkout needed NetBSD sources directly from CVS
fixes#2589
In case the video geometry (WxH) is larger than the current size of
the framebuffer, match its size and let libav do the scaling. This
enables the playback of 1080p movies on smaller screens.
Issue #2583.
This patch supplements the existing 'hover' report with the information
whether or not the user has recently moved the pointer. This works
analogously to how the 'focus' report features the information about
recent button/keyboard activity.
Together, the 'hover' and 'focus' reports may be combined to observe
prolonged user inactivity, e.g. to activate a lock screen.
This patch enables nitpicker to use an external focus policy instead of
the traditional builtin click-to-focus policy. The external focus policy
is obtained from a 'focus' ROM. The focus ROM is expected to have a
'label' attribute with the value set to the label of the to-be focused
client.
This patch revises the implementation of nitpicker in the following
respects:
- Split the implementation into smaller files,
- Consistently use the 'Nitpicker' namespace,
- Avoid the use of format strings,
- Retire old (and hackish) debug mode,
- Removal of unused timer connection,
- Merging 'Session' into 'Session_component',
- Merging 'Mode' into 'User_state',
- Adding the notions of 'View_owner' and 'Focus' as interfaces,
- Untangle 'User_state' and 'View_stack'
This patch adds a 'Color::print' method as counterpart to the 'ascii_to'
function. If the color is opaque (alpha is 255), its output has the form
"#rrggbb". If the color has a distinct alpha value, the output has the
form "#rrggbbaa". The new version of the 'ascii_to' overload for 'Color'
is able to deal with both forms.
This is a follup-up commit for "driver_manager: add fb_boot_drv
support". It refines the heuristics for selecting the most suitable
framebuffer driver be prevent boot_fb_drv from being preferred over
the VESA driver when running in Qemu.
The synchronization with the ACPI driver is not needed when starting
acpica at a later stage. It could already be disabled via the
'acpi_ready="yes"' config attribute. However, acpica still
unconditionally requests the so-called "Acpi" service, which is an
alias for the platform_drv's "Platform" service. This patch disables the
use of this alias when the 'acpi_ready' synchronization is disabled.
This patch supplements init's service-forwarding mechanism to propagate
the insufficient RAM/cap quota conditions from the server to the client.
Without it, the client's session request stays pending infinitely.
The debug version comes with an unwelcome libc dependency, which is
solely needed for the formatted output of error messages. Since the
distinction between the regular and the debug versions remained unused
in practice, this patch removes the debug version.
This is a follow-up patch to "init: periodic state updates if sensible".
In situations where the report rate is deliberately limited via the
'delay_ms' attribute while also reporting child-resource stats, we don't
want generate reports at a fixed rate of one second. This patch limits
the rate according to the 'delay_ms' value.
The input filter used to temporarily close all input sessions upon its
reconfiguration. In most cases, the same set of sessions is
re-established immediately afterwards. However, at the server (driver)
side, the closing of the session implicitly disables the input-event
queue. Hence events generated by the hardware while the session is
closed are dropped. This becomes a noticeable problem when using the
recently added <rom> modifier feature for handling capslock. The change
of the ROM always triggers the re-configuration of the input filter.
When pressing capslock and other keys at a high rate, press/release
events may get lost.
This patch solves this problem by maintaining all input sessions that
are defined in both the old and new configuration. It thereby removes
the short duration where the input event queues are temporarily disabled
at the drivers.
This makes '/' and the actual root of VFS distinguishable. A VFS root
may contain one ore more '/' entries for each file system. 'opendir' for
the VFS root opens all file systems via 'open_composite_dir', while
'opendir' for '/' only returns a VFS handle.
Fixes#2569
This patch adds a sanity check to the Event::type accessor. If the key
code of a given PRESS or RELEASE event is out of the valid range, it
reports an INVALID event. This way, client side code does not need to
deal with such edge cases. E.g., on Lenovo notebooks, the ps2 driver
reports strange key events when pressing shift-pageup/pagedown,
violating the general assumption that there is a release event for each
press event. By flagging these events as INVALID, the client-side logic
stays intact.
By now the file system gets mounted and unmounted on demand (whenever
the first clients comes along and whenever the last client leaves).
As a precaution we now also try to mount and unmounted the file system
in the init phase to prevent the first client from failing to its own
surprise.
Issue #2558.
Currently, LxIP peers need a lot of RAM (the simple test-client/server for the
nic_router test need at least 28 MB per component). As the nic_router test
previously used 6 instances of such components and a lot of other components,
it had issues with insufficient RAM on some platforms. By using two new
LwIP-based UDP tests instead, we save more than 100 MB.
Ref #2543
In general, make the message conform to the according message of the
common build system. Adds instruction how to fix the missing/outdated
port.
Fixes#2573
Check at the VFS server that the capability cost of sessions do not
exceed the session quota donation. Raise the default initial capability
donation for File_system connections.
Fix#2553
Instead of storing whether the first item in the timeout list was already
programmed using the timer service, just program the first timeout in the
list unconditionally. In the past we lost a timeout at least when using the
usb ethernet driver on hw/arndale sporadically.
Previously the destructors of classes derived from Source were not
called when destructing a Source because Source missed the declaration
of a virtual destructor. This caused at least problems when
reconstructing a Chargen_source with its Chargen_repeater that includes
a One_shot_timeout. In this case, the members of the Alarm behind the
timeout were not reset and the next time beeing used the Alarm appeared
to be still active which wasn't true.
Fixes#2570
Instead of changing the attributes (e.g., Xd bit) of the top-level page-tables,
set them to allow everything. Only leafs of the paging hierarchy are set
according to the paging attributes given by core. Otherwise, top-level page-
table attributes are changed during lifetime, which requires a TLB flush
operation (not intended in the semantic of the kernel/core).
This led to problems when using the non-executable features introduced by
issue #1723 in the recent past.
The dependency was added as a supposed work-around of a dysfunctional
fork when building bash as depot archive. However, it turned out that
the actual problem was related to the timestamps of 3rd-party source
file, which were discarded by the recipes/src/bash/content.mk.
A new configuration may implicitly change the domain color of the
currently focused session. We need to refresh the report to trigger an
update of the status bar.
This commit replaces the old xray_trigger component by a new component
called global_keys_handler. For details, please refer to the issue text
and the accompanied README file.
Fixes#2554
Without this patch, usb_drv would issue a resource request when
assigning a USB device to a VM in the sculpt scenario.
Furthermore, the patch adjusts the intel_fb quota to enable it on
devices where the driver allocates the framebuffer in many 4K pieces.
Linux does not do that in register_netdev() either. Some drivers set the
carrier flags on attach and never reenable it (as seen with rndis_host).
Consequently, the usbnet driver refuses to receive data as it checks the
carrier state before enqueuing new SKBs to its receive queue.
Apart from rndis_host, this change was tested with an ax88179_178a
device which worked as expected.
Whenever a childs is terminated the exit value is propagate through a
new state report. Thereby it becomes possibly for a managing component
to react upon the terminating condition of a child.
Issue #2558.
Until now the client called the Linux code directly through the EP
when sending ethernet frames and was not part of the driver's internal
task scheduling. This will lead to problems if the sending code needs
to grab a lock as those depend on running from within a Lx::Task.
Although this has only happend recently when using 8260 devices, this
is an issue that needs to be fix.
This commit addresses the issue by using a dedicated transmit task
in whose context the Linux code sends the ethernet frame or rather
newly allocated skb.
Fixes#2559.
As noted above the former enum for the local-attachment address we
discovered address clashes on current Linux installations, esp. 32-bit
runtime on 64-bit Linux. The local_attach_addr is now configurable in
the run script and the memory maps heuristics were removed.
Recent work related to issue 1723 showed that there is potential
to get rid of code duplication in MMU fault handling especially
with regard to ARM cpus.
If there is no debug/core-<kernel>.o library available, e.g., when
running a scenario in a fresh build directory where core is provided
via a depot package, the build_core_image step of the run tool was
canceled in the past, when trying to access the non-existing library.
This commit changes the semantic of build_core_image to link a core
binary with debug symbols only when the designated library is in place.
This fixup is related to issue #2339
If the attribute 'interface' is not set in a 'domain' tag, the router tries to
dynamically receive and maintain an IP configuration for that domain by using
DHCP in the client role at all interfaces that connect to the domain. In the
DHCP discover phase, the router simply chooses the first DHCP offer that
arrives. So, no comparison of different DHCP offers is done. In the DHCP
request phase, the server is expected to provide an IP address, a gateway, a
subnet mask, and an IP lease time to the router. If anything substantial goes
wrong during a DHCP exchange, the router discards the outcome of the exchange
and goes back to the DHCP discover phase. At any time where there is no valid
IP configuration present at a domain, the domain does only act as DHCP client
and all other router functionality is disabled for the domain. A domain cannot
act as DHCP client and DHCP server at once. So, a 'domain' tag must either
have an 'interface' attribute or must not contain a 'dhcp-server' tag.
Ref #2534
An IPv4 config (for a domain/interface of the router) consists of
an IPv4 address, a subnet prefix specifier, an optional gateway
IPv4 address, and some flags that declare whether these fields and
the config as a whole are valid. To make the handling of those
tightly connected values easier and less error prone, we encapsulate
them in a new class.
Ref #2534
Under certain circumstances we don't want inits state report to become too
outdated even if there is no change to its config or the sessions of its
children. This is the case if init is requested to provide a capability or RAM
info of it's children via its state report. Now, init automatically updates
the state report with each 1000 ms if the attribute 'child_caps' or
'child_ram' is positively set in the 'report' tag.
The tools.conf in base-fiasco/etc was obsolete and must therefore not
packaged.
This commit removes sporadic recipe hash changes due to missing or
existent etc/tools.conf.
Timing itself costs time. Thus, the stressfull timeout phase of the
test is not exactly as long as set but a little bit longer. This is why the
fast timeouts are able to trigger more often than they are expected to
(the timer has a static timeout-rate limit). Normally we consider this effect
through an error tolerance of 10%. But at least on foc x86_32 (PIT with very
low max timeout), timing is so expensive that 10% is not enough. We have to
raise it to 11%.
This patch propages the 'Service_denied' condition of forwarded sessions
to the parent. Without it, the invalid session request stays pending
infinitely, which leads to the problem described in issue #2542. It
turns out that suggested solution given in the issue text is actually
not needed when applying this fix.
Fixes#2542
The ROM filter did not handle the situation where the generated content
exceeds the size of the initially allocated dataspace for the target
buffer. This patch wraps the XML generation in a retry loop that
expands the buffer as needed.
This patch makes the specification of screen coordinates more flexible.
First, the 'origin' attribute allows one to refer to either of the four
screen corners without knowing the screen size. Second, the 'width'
and 'height' values now accept negative values, which are relative to
the screen size.
The 'File_system::Connection' already performs an on-demand session
upgrade should the server report an 'Out_of_caps' or 'Out_of_ram'
condition. So file-system clients are normally relieved from handling
those exceptions. However, the upgrade was limited to two attempts per
operation (which amounts to 16 KiB). When using the Rump VFS plugin in
the VFS server, this amount does not always suffice. So the exception is
reflected to the client. I observed this problem as a message "unhandled
error" printed by fs_rom. This patch removes the upgrade limit such that
a greedy file-system server becomes iteratively upgraded until it stops
arguing or the client's RAM is exhausted.
* Instead of always re-load page-tables when a thread context is switched
only do this when another user PD's thread is the next target,
core-threads are always executed within the last PD's page-table set
* remove the concept of the mode transition
* instead map the exception vector once in bootstrap code into kernel's
memory segment
* when a new page directory is constructed for a user PD, copy over the
top-level kernel segment entries on RISCV and X86, on ARM we use a designated
page directory register for the kernel segment
* transfer the current CPU id from bootstrap to core/kernel in a register
to ease first stack address calculation
* align cpu context member of threads and vms, because of x86 constraints
regarding the stack-pointer loading
* introduce Align_at template for members with alignment constraints
* let the x86 hardware do part of the context saving in ISS, by passing
the thread context into the TSS before leaving to user-land
* use one exception vector for all ARM platforms including Arm_v6
Fix#2091
* introduce new syscall (core-only) to create privileged threads
* take the privilege level of the thread into account
when doing a context switch
* map kernel segment as accessable for privileged code only
Ref #2091
Always switch to the "exception stack" instead of having a hardware initiated
stack switch during exceptions/interrupts when the privilege level changes only.
Moreover, this commit increases the exception stack slightly.
Ref #2091
* introduces central memory map for core/kernel
* on 32-bit platforms the kernel/core starts at 0x80000000
* on 64-bit platforms the kernel/core starts at 0xffffffc000000000
* mark kernel/core mappings as global ones (tagged TLB)
* move the exception vector to begin of core's binary,
thereby bootstrap knows from where to map it appropriately
* do not map boot modules into core anymore
* constrain core's virtual heap memory area
* differentiate in between user's and core's main thread's UTCB,
which now resides inside the kernel segment
Ref #2091
This was an error output-line for each affected packet previously but it
is pretty normal for the router to receive packets whose network layer
protocol it doesn't know . In the default case, these packets shall be
ignored silently.
Ref #2490
One can configure the NIC router to act as DHCP server at interfaces of a
domain by adding the <dhcp> tag to the configuration of the domain like
this:
<domain name="vbox" interface="10.0.1.1/24">
<dhcp-server ip_first="10.0.1.80"
ip_last="10.0.1.100"
ip_lease_time_sec="3600"
dns_server="10.0.0.2"/>
...
</domain>
The attributes ip_first and ip_last define the available IPv4 address
range while ip_lease_time_sec defines the lifetime of an IPv4 address
assignment in seconds. The IPv4 address range must be in the subnet
defined by the interface attribute of the domain tag and must not cover
the IPv4 address in this attribute. The dns_server attribute gives the
IPv4 address of the DNS server that might also be in another subnet.
The lifetime of an offered assignment is the configured round trip time of
the router while the ip_lease_time_sec is applied only if the offer is
requested by the client in time.
The ports/run/virtualbox_nic_router.run script is an example of how to
use the new DHCP server functionality.
Ref #2490
Previously, garbage collect was only done when an incoming packet passed the
Ethernet checks. Now it is really done first when receiving a packet at an
interface.
Ref #2490
If the router has no gateway attribute for a domain (means that the router
itself is the gateway), and it gets an ARP request for a foreign IP, it shall
answer with its own IP.
Ref #2490
Do not use two times the RTT for the lifetime of links but use it as
it is configured to simplify the usage of the router. Internally, use
Microseconds/Duration type instead of plain integers.
Ref #2490
The nic_dump uses a wrapper for all supported protocols that
takes a packet and a verbosity configuration. The wrapper object can
than be used as argument for a Genode log function and prints the
packet's contents according to the given configuration. The
configuration is a distinct class to enable the reuse of one instance
for different packets.
There are currently 4 possible configurations for each protocol:
* NONE (no output for this protocol)
* SHORT (only the protocol name)
* COMPACT (the most important information densely packed)
* COMPREHENSIVE (all header information of this protocol)
Ref #2490
Provide utilities for appending new options to an existing DHCP packet
and a utility for finding existing options that returns a typed option
object. Remove old version that return untyped options.
Ref #2490
Apply the style rule that an accessor is named similar to the the underlying
value. Provide read and write accessors for each mandatory header attribute.
Fix some incorrect structure in the headers like with the flags field
in Ipv4_packet.
Ref #2490
Encapsulate the enum into a struct so that it is named
Ethernet_frame::Type::Enum, give it the correct storage type
uint16_t, and remove those values that are (AFAIK) not used by
now (genode, world).
Ref #2490
Do not stop routing if the transport layer protocol is unknown but
continue with trying IP routing instead. The latter was already
done when no transport routing could be applied but for unknown transport
protocols we caught the exception at the wrong place.
Ref #2490
No starvation of timeout signals
--------------------------------
Add several timeouts < 1ms to the stress test and check that timeout
handling doesn't become significantly unfair (starvation) in this situation
where some timeouts trigger nmuch faster than they get handled.
Rate limiting for timeout handling in timer
-------------------------------------------
Ensure that the timer does not handle timeouts again within 1000
microseconds after the last handling of timeouts. This makes denial of
service attacks harder. This commit does not limit the rate of timeout
signals handled inside the timer but it causes the timer to do it less
often. If a client continuously installs a very small timeout at the
timer it still causes a signal to be submitted to the timer each time
and some extra CPU time to be spent in the internal handling method. But
only every 1000 microseconds this internal handling causes user timeouts
to trigger.
If we would want to limit also the call of the internal handling method
to ensure that CPU time is spent beside the RPCs only every 1000
microseconds, things would get more complex. For instance, on NOVA
Time_source::schedule_timeout(0) must be called each time a new timeout
gets installed and becomes head of the scheduling queue. We cannot
simply overwrite the already running timeout with the new one.
Ref #2490
In the past, a signal context, that was chosen for handling by
'Signal_receiver::pending_signal and always triggered again before
the next call of 'pending_signal', caused all other contexts behind
in the list to starve. This was the case because 'pending_signal'
always took the first pending context in its context list.
We avoid this problem now by handling pending signals in a round-robin
fashion instead.
Ref #2532
We did not set the correct now_period previously but it wasn't conspicuous
because the bug triggered not before a full period had passed which on most
platforms is a pretty long time.
Ref #2490
Ensure that the timer does not handle timeouts again within 1000
microseconds after the last handling of timeouts. This makes denial of
service attacks harder. This commit does not limit the rate of timeout
signals handled inside the timer but it causes the timer to do it less
often. If a client continuously installs a very small timeout at the
timer it still causes a signal to be submitted to the timer each time
and some extra CPU time to be spent in the internal handling method. But
only every 1000 microseconds this internal handling causes user timeouts
to trigger.
If we would want to limit also the call of the internal handling method
to ensure that CPU time is spent beside the RPCs only every 1000
microseconds, things would get more complex. For instance, on NOVA
Time_source::schedule_timeout(0) must be called each time a new timeout
gets installed and becomes head of the scheduling queue. We cannot
simply overwrite the already running timeout with the new one.
Ref #2490
The remote shell facilities are past deprecation and there is an
obligation to prevent their use rather than to support them. This patch
removes the related function definitions from 'unistd.h', which have not
been been included in the Genode libc ABI regardless.
Fix#2530
Remove getaddrinfo and freeaddrinfo from the Libc::Plugin and get rid of
the extra libc_resolv library. Remove getaddrinfo/freeaddrinfo symbol
hiding patch for FreeBSD sources. Remove libc_resolv from Makefiles and
run scenarios.
Fix#2273
Linux del_timer() and mod_timer() return if the timer was pending before
the modification. Additionally, these functions are potentially called
from handler function of the timer to modify and, therefore, checking
for timeout != INVALID_TIMEOUT is not sufficient as the timeout is
indeed valid when the handler is executed.
In the image.elf file, the very last boot module is followed
by arbitrary other core-local data. Since those boot modules are
exported as page-granular dataspace to the outside of core via core's
ROM service, we need to ensure that the last page is padded with zeros.
This patch fixes an aliasing problem of the 'close' method signature
that prevented the Input::Root_component::close method to be called.
This way, the event-queue state was not reset at session-close time,
which prevented a subsequent session-creation request to succeed. With
the patch, input servers like ps2_drv, usb_drv that rely on the
Input::Root_component support the dynamic re-opening of sessions. This
happens in particular when using a dynamically configured input filter.
We update the alarm-scheduler time with results of
Timer::Connection::curr_time when we schedule new timeouts but when
handling the signal from the Timer server we updated the alarm-scheduler
time with the result of Timer::Connection::elapsed_us. Mixing times
like this could cause a non-monotone time value in the alarm scheduler.
The alarm scheduler then thought that the time value wrapped and
triggered all timeouts immediately. The problem was fixed by always
using Timer::Connection::curr_time as time source.
Ref #2490
This recipe copies the entire stdcxx library into the API archive, which
is an interim solution until we introduce a proper ABI for stdcxx. With
this current version, every user of the stdcxx ABI will implicitly build
the stdcxx library.
This patch merges two similar rules, which create content at 'include'
into a single rule. This prevents a possible race condition when
creating archives in parallel.
We moved the stack-area segment 128 MiB behind text and data to comply
with assumptions in the kernel ELF loader.
This commit also reenables static binaries on linux and removes the
unused stack_area.stdlib.ld script.
Fixes#2521
This is a drivers subsystem that starts the most fundamental
(framebuffer, input, block) device drivers dynamically, depending on the
runtime-detected devices. The discovered block devices are reported
as a "block_devices" report.
This patch applies the handling of cursor keys, function keys, and page
up/down keys even if no keymap is defined. This is the case when using
the terminal with character events produced by the input filter.
This patch is a workaround for the apparent problem that noux
applications, which perform execve, implicitly use functionality from
the dynamic linker, not explicitly via the libc. If the binary lacks the
dependency information, noux will fail on the execve attempt. The latter
is the case when the noux package is built as a depot archive where
library dependencies are not traversed over multiple levels.
In nested scenarios like driver_manager.run, the initial session quota
for IO_PORT, IO_PORT, and IRQ sessions is expectedly insufficient.
However, the condition is properly handled by re-attemping the request
with a slightly increased quota. Still, core prints a warning each time
the request is denied for quota reasons, which spams the log. This patch
removes the non-critical message.
Create periodic and one-shot timeouts with the maximum duration
to see if triggers any corner-case bugs. They must not trigger during
the test.
Ref #2490
If we add an absolute timeout to the back-end alarm-scheduler we must first
call 'handle' at the scheduler to update its internal time value.
Otherwise, it might happen that we add a timeout who's deadline is so big that
it normally belongs to the next time-counter period but the scheduler thinks
that it belongs to the current period as its time is older than the one used
to calculate the deadline.
Ref #2490
When we have two time values of an unsigned integer type and we create
the difference and want to know wether it is positive or negative within
the same value we loose at least one half of the value range for casting
to signed integers. This was the case in the alarm scheduler when
checking wether an alarm already triggered. Even worse, we casted from
'unsigned long' to 'signed int' which caused further loss on at least
x86_64. Thus, big timeouts like ~0UL falsely triggered directly.
Now, we use an extra boolean value to remember in which period of the
time counter we are and to which period of the time counter the deadline
of an alarm belongs. This boolean switches its value each time the time
counter wraps. This way, we can avoid any casting by checking wether the
current time is of the same period as the deadline of the alarm that we
inspect. If so, the alarm is pending if "current time >= alarm
deadline", otherwise it is pending if "current time < alarm deadline".
Ref #2490
If the PIT timer driver gets activated too slow (e.g. because of a bad priority
configuration), it might miss counter wraps and would than produce sudden time
jumps. The driver now detects this problem dynamically, warns about it and
adapts the affected values to avoid time jumps.
Ref #2400
The cache directory content is slightly different on each prepare-port
run and fortunately not used at build time. So, we just remove it at the
end of port preparation.
When using the elfweaver to generate boot images, python stores
precompiled modules in the source directory besides the .py files. This
changed the contrib source tree with binary files specific to the build
host. As a result the depot create tool picked up the changed source
tree and produced strange new hashes. Now, the tool sources are copied
to the build directory where python can do its optimizations and the
depot stays clean.
The NIC router always reports the link state "Up" (true) because
the effective link state depends on the targeted remote interface
and thus on the individual routing for each packet. Consequently,
also the signal handler for state changes gets ignored.
Ref #2490
IP stacks may treat a network interface as "down" when it states a MAC
address with the I/G bit (bit 40) set to "Group" (value 0) instead of
"Individual" (value 1). This was observed with a TinyCore 8 inside a
Virtualbox VM. Thus, the previously choosen 03:03:03:03:03:00 as base
for the MAC address allocator is bad. Now we use the 02:02:02:02:02:00
instead. This also ensures that the MAC addresses are not marked as
"Universal" but as "Local" (bit 41, value 1) which is correct in general
as the router allocates MAC addresses only for virtual networks.
Ref #2490
The timer driver should always be of the highest priority to avoid
problem with timers that have low max-counter values like the PIT
with only 53 ms.
Ref #2400
The NIC dump component didn't support forwarding of link states and link-state
signals until now. Furthermore, it now prints MAC address and link state
on session creation and on every link state change.
Ref #2490
Previously, the uplink session was created on component startup while the
creation of the downlink session is timed by the client component. This
created a time span in which packets from the uplink were dropped at the
nic_dump. Now the uplink session-request is done by the session component
of the downlink.
Ref #2490
Add a "writeable" policy option to the ahci_drv and part_blk Block
servers and default from writeable to ready-only. Should a policy
permit write acesss the session request argument "writeable" may still
downgrade a session to ready-only.
Fix#2469
This should actually never happen. However if it happens, be a bit robuster
and don't provide the memory for re-use (which causes tons of other trouble
afterwards).
Issue #2505
Some x86 machines do have a LAPIC speed < 1000 ticks per millisecond
when configured to use the maximum divider (as it was always the case).
But we need microseconds precision for the timeout framework. Thus,
reduce the divider dynamically until the frequency fullfills our
requirements.
Ref #2400
There are hardware timers whose frequency can't be expressed as
ticks-per-microsecond integer-value because only a ticks-per-millisecond
integer-value is precise enough. We don't want to use expensive
floating-point values here but nonetheless want to translate from ticks
to time with microseconds precision. Thus, we split the input in two and
translate both parts separately. This way, we can raise precision by
shifting the values to their optimal bit position. Afterwards, the results
are shifted back and merged together again.
As this algorithm is not so trivial anymore and used by at least three
timer drivers (base-hw/x86_64, base-hw/cortex_a9, timer/pit), move it to a
generic header to avoid redundancy.
Ref #2400
Due to the simplicity of the algorithm that translated from timer ticks
to time, we lost microseconds precision although the timer allows for it.
Ref #2400
Due to the simplicity of the algorithm that translated from timer ticks
to time, we lost microseconds precision although the timer allows for it.
Ref #2400
When synchronizing with the remote time source, we have to take care that the
measured time difference cannot become null because its real value is smaller
than the measurement granularity. Since the granularity is one microsecond, we
simply go on polling timestamp and time until the microsecond has passed.
This busy waiting should be no problem for the system for two reasons. First,
it is limited to a relatively small amount of time and second, a busy lock
does not happen because the time source that is responsible for the limiting
factor is explicitely called on each poll.
Ref #2400
When building Genode on a Linux system running in a Xen Dom0, the 'xen'
run target can run a Genode scenario in a Xen DomU.
Usage: in build/x86_*/etc/build.conf, define:
RUN_OPT = --include boot_dir/$(KERNEL) --include image/iso --include power_on/xen --include log/xen --include power_off/xen
The Xen DomU runs in HVM mode and loads Genode from an ISO image. Serial
log output is printed to the console and graphical output is shown in an
SDL window.
The Xen DomU ist managed using the 'xl' command line tool and it is
possible to add configuration options in the 'xen_args' variable in a run
script. Common options are:
- disabling the graphical output:
append xen_args { sdl="0" }
- configuring a network device:
append xen_args { vif=\["model=e1000,mac=02:00:00:00:01:01,bridge=xenbr0"\] }
- configuring USB input devices:
append xen_args { usbdevice=\["mouse","keyboard"\] }
Note: the 'xl' tool requires super-user permissions and interactive
password input can be troublesome in combination with 'expect' and is not
practical for automatic tests. For this reason, the current implementation
assumes that no password input is needed when running 'sudo xl', which can
be achieved by creating a file '/etc/sudoers.d/xl' with the content
'user ALL=(root) NOPASSWD: /usr/sbin/xl'
(where 'user' is the Linux user name).
Fixes#2504
When running core as the kernel inside every component, a separate
stack area for core is needed that is different from the user-land
component's one.
Ref #2091
Acquire Signal_context objects locks via Object_pool::apply() in the
context of the entrpyoint thread, instead in the context of the calling
thread.
Fixes#2485
The files are generated via flex and bison. Until now, this step was
performed when preparing the libc port. Unfortunately, the generated
files have subtle differences depending on the flex/bison versions
installed in the host. For example, the bison version number appears in
the generated code. This, in turn, breaks the hash mechanism of the
depot where a src/libc archive ends up being slightly different when
created on different hosts.
By moving the code generation to the build stage, the src/libc archive
merely contains the nslexer.l and nsparser.y source files but not the
generated files.
- Fix fatal exception handling so that stack traces are dumped
- Add 'include/nim' directories to Nim module search path
- Enable release optimizations for release builds
Fix#2493
This patch removes the assertion about the unexpected call of
'block_for_signal' within core. On Linux, this call is actually
expected because of the handling of SIGCHLD signals by core.
When idle, menu_view de-schedules timer events to save processing time.
Once reactivated by a dialog update, it computes the passed time and
applies the result to the animator. However, the animation was most likely
started by the update not during the sleep. So the passed time must not
be applied to the animation in this case. Otherwise, many animation steps
are computed at once within a single visible frame.
Furthermore, the patch adjusts the REDRAW_PERIOD to 2, which is a better
value for geometric movements as opposed to mere color-blending effects
where the frame rate does not matter so much.
It also refines the nitpicker-buffer relocation in a way that extends
the buffer but does not shrink it. This lowers the interaction with
nitpicker in situations where the dialog size changes a lot.
By applying the text output to the alpha buffer in addition to the pixel
buffer, labels can now appear without the need for an underlying frame
or button.
The new widget allows one to align a child widget within a larger parent
widget by specifying the boolean attributes 'north', 'south', 'east',
and 'west'. If none is specified, the child is centered. If opposite
attributes are specified, the child is stretched.
This improves the output quality of antialiased lines onto a transparent
nitpicker buffer. For antialiased graphics operations, the initial color
leaks through. Leaking 50% gray is better than leaking black, in
particular when drawing white lines.
This patch makes the use of 'List' invisible at the 'Animator'
interface. This allows users of the utility to keep 'Animator::Items' in
a custom 'List' with no aliasing problems.
The VFS library can be used in single-threaded or multi-threaded
environments and depending on that, signals are handled by the same thread
which uses the VFS library or possibly by a different thread. If a VFS
plugin needs to block to wait for a signal, there is currently no way
which works reliably in both environments.
For this reason, this commit makes the interface of the VFS library
nonblocking, similar to the File_system session interface.
The most important changes are:
- Directories are created and opened with the 'opendir()' function and the
directory entries are read with the recently introduced 'queue_read()'
and 'complete_read()' functions.
- Symbolic links are created and opened with the 'openlink()' function and
the link target is read with the 'queue_read()' and 'complete_read()'
functions and written with the 'write()' function.
- The 'write()' function does not wait for signals anymore. This can have
the effect that data written by a VFS library user has not been
processed by a file system server yet when the library user asks for the
size of the file or closes it (both done with RPC functions at the file
system server). For this reason, a user of the VFS library should
request synchronization before calling 'stat()' or 'close()'. To make
sure that a file system server has processed all write request packets
which a client submitted before the synchronization request,
synchronization is now requested at the file system server with a
synchronization packet instead of an RPC function. Because of this
change, the synchronization interface of the VFS library is now split
into 'queue_sync()' and 'complete_sync()' functions.
Fixes#2399
This patch enables one to supply a list of arguments to
'install_config'. The arguments appear concatenated in the resulting
config file. This is useful for embedding dynamically generated content
into an otherwise static configuration. For example, in the following
config, the 'pkg' attribute of the '<query>' config node is defined by
the return value of the 'query_pkg' function:
install_config {
<config>
...
<start name="depot_query">
...
<config>
<query pkg="genodelabs/pkg/} [query_pkg] {"/>
</config>
</start>
</config>}
This patch changes init's service forwarding such that pending requests
are kept unanswered as long as the requested service is not present
(yet). In dynamic-init scenarios, this is needed in situtions where the
dynamic init is known to eventually provide the service but the internal
subsystem is not ready yet. Previously, a client that attempted to
request a session in this early phase would get a 'Service_denied'
exception. By deferring the forwarding in this situation, the behaviour
becomes deterministic.
If a matching '<service>' exists but there is no matching policy sub
node, the request is answered with 'Service_denied' - as expected.
A boot module with size 0 previously made Core crash with a page fault in
Region_map_component::attach. This patch prevents the creation of ROM-FS
entries for such modules.
Ref #2490
For most base platforms (except linux and sel4), the initialization of
boot modules is the same. Thus, merge this default implementation in the
new unit base/src/core/platform_rom_modules.cc.
Ref #2490
In Region_map_component::attach, storing the metadata for a region may
throw an exception. Catch it and throw an Invalid_dataspace exception.
Ref #2490
Currently, init does not test wether a service is abandoned on a new
configuration if the service was routed via an any-child route. Trigger
this behaviour in the init test.
Ref #2483
We used a hardware timer locally in the RPI USB driver because a timer
connection was not precise enough to fullfill the host controllers
requirements.
With the modern timer connection interface, however, reading out time at
a connection is microseconds precise and we can remove the local timer.
But we cannot use the same timer connection for doing legacy-interface
stuff like usleep (currently used in LX kit) and modern-interface stuff
like curr_time. Thus, we open two connections for now.
Ref #2400
The calibration of the interpolation parameters was previously only done
periodically every 500 ms. Together with the fact that the parameters
had to be stable for at least 3 calibration steps to enable
interpolation, it took at least 1.5 seconds after establishing a
connection to get microseconds-precise time values.
This is a problem for some drivers that directly start to poll time.
Thus, the timer connection now does a calibration burst as soon as it
switches to the modern mode (the mode with microseconds precision).
During this phase it does several (currently 9) calibration steps
without a delay inbetween. It is assumed that this is fast enough to not
get interrupted by scheduling. Thus, despite being small, the measured
values should be very stable which is why the burst should in most cases
be sufficient to get the interpolation initialized.
Ref #2400
When in modern mode (with local time interpolation), the timer
connection used to maximize the left shifting of its
timestamp-to-microseconds factor. The higher the shift the more precise
is the translation from timestamps to microseconds. If the timestamp
values used for determining the best shift were small - i.e. the delay
between the calibration steps were small - we may got a pretty big
shift. If we then used the shift with bigger timestamp values - i.e.
called curr_time seldom or raised calibration delays - the big shift
value became a problem. The framework had to scale down all measured
timestamps and time values temporarily to stay operative until the next
calibration step.
Thus, we now raise the shift only that much that the resulting factor
fullfills a given minimum. This keeps it as low as possible according
to the precision requirement. Currently, this requirement is set to 8
meaning that the shifted factor shall be at least 2^8 = 256.
Ref #2400
The kernel timer on RPI is able to measure time microseconds-precise.
Howeer, due to a bug, we dropped precision during the ticks-to-time
translation and return only milliseconds-precise time.
Ref #2400
As the timer session now provides a method 'elapsed_us', there is no more need
for doing any internal calculations with values of milliseconds.
Ref #2400
As timer sessions are not expected to be microseconds precise (because
of RPC latency and scheduling), the session interface provided only a
method 'elapsed_ms' although the back end of this method in the timer
driver works with microseconds.
However, in some cases it makes sense to have a method 'elapsed_us'. The
values it returns might be milliseconds away from the "real" time but it
allows you to work with delays smaller than a millisecond without
getting a zero delta value.
This commit is motivated by the need for fast bursts of calibration
steps for the time interpolation in the new timer connection.
Ref #2400
The filename buffer of a dataspace in base-linux is limited to
40 bytes. When using file names longer than this, the remainder
gets dropped silently. Add an error message to aid debugging this
case.
This is helpful for disabling messages in etc/tools.conf by
setting it to e.g.
MSG_LINK = @true ""
This results in much shorter and less cluttered logs in automatic
builds.
- factor out Rm_client::pager lambda code into utility
Region_map_component::create_map_item
- use utility to find/lookup physical addresses to be mapped eagerly
Issue #2209
The launcher.run scenario was last updated mid-may of the recently
developed cap-quota accounting (before all cap types were covered).
Hence, the quotas used in the scenario are too low. This patch adjusts
the values such that the scenario can be started on NOVA on Qemu. It
also fixes a warning about a deprecated way of configuring the
report_rom component.
Thanks to Jörg-Christian Böhme for reporting!
- Update FatFS port from 0.07e to 0.13
- Multi-device support
- Basic test at run/fatfs
- Adaption of existing components
Note, ffat is now consistently renamed to fatfs.
Ref #2410
rm_fault.run triggers write on read-only ROM provided by core, which
fails without this patch:
arm - "raised unhandled data abort"
x86 - (silent/invisible) busy loop because write fault gets never resolved
The run script did not consider the routing for the environment ROM
sessions for the test-iso component. It routed all ROM sessions -
including the ones for the executable and the dynamic linker - to
fs_rom. The patch also adds the cap quota definitions required since
version 17.05 and fixes a whitespace inconsistency between the test
program and the run script.
Thanks to Steven Harp for reporting!
This is expected by hardware terminals, ie., terminal programs connected
to null-modem serial connections. Otherwise, the next line starts at the
column right after the last line.
Platform_pd "_pd" uses a allocator for, which relies on the mapped RAM
dataspace within core. Unfortunately the RAM dataspaces are already freed up
during _ram_ds_factory destruction, which may lead to trouble if accessed
afterwards.
Issue #2451
relocation is required, to avoid overlapping phdr in the elf binaries, but
sel4 will fail to boot if bender relocates the images at the end of physical
memory. Limit the physical relocation address to a fixed 256M value, so that
sel4 will work.
Issue #2451
The new version of the test exercises the combination of fs_report with
ram_fs and fs_rom as a more flexible alternative to report_rom.
It covers two corner cases that remained unaddressed by fs_rom and
ram_fs so far: First, the late installation of a ROM-update signal
handler at fs_rom right before the content of the file is modified.
Second, the case where the requested file is not present on the file
system at the creation time of the ROM session. Here, the ram_fs missed
to inform listeners for the compound directory about the later created
file.
This patch ensures that fs_rom delivers a ROM-update notification in the
case where the underlying file was changed in-between requesting the
initial ROM content and registering the signal handler.
With the introduction of the CONTENT_CHANGED notifications delivered via
the packet stream, the assumption that no more than one READ packet is
in flight at all times does no longer hold. If the fs server responds
to a CONTENT_CHANGED packet while the fs_rom expects the completion of a
read request, the '_update_dataspace' method would prematurely return,
leaving the dataspace unpopulated. This patch solves the problem by
specifically waiting for the completion of the read request.
Session_requester inherits from Dynamic_rom_session::Content_producer
which specifies the Buffer_capacity_exceeded exception which is thrown
on insufficient buffer space.
The former use of 'arm_v7' as architecture was too unspecific. Depot
binary archives for Cortex-A8/A9 platforms should be generated for
the 'arm_v7a' architecture to define the required compile flags
(i.e., -march).
This patch sets the -march complile flag in spec/arm_v7a.mk, which
enables us to build depot archives for the 'arm_v7a' architecture.
It also removes copy-pasted comments that offer no valuable insights but
contain grammar errors.
On platforms that use the PIT timer driver, 'elapsed_ms' is pretty
inprecise/unsteady (up to 3 ms deviation) for a reason that is not
clearly determined yet. On Fiasco and Fiasco.OC, that use kernel timing,
it is the same. So, on these platforms, our locally interpolated time
seems to be fine but the reference time is bad. Until this is fixed, we
raise the error tolerance for these platforms in the run script.
Ref #2400
Appending a suffix to report filenames was behavior inherited from
fs_log, it prevents creating files where directories need to be created
later. But unlike logs, only a subset of the hierarchy will report and
those that do append a component-local label, so the risk of collision
is low.
By removing the suffix fs_rom can serve reports back as ROM just as
report_rom does.
Ref #2422
When building with multiple jobs, the 'Makefile' rule may be executed
before any of its sibling rules, which implicitly create the target
directory. In this case, the attempt to create the symlink for
'Makefile' fails and the 'build_bin_archive' aborts. Analogously to the
sibling rules, this fix creates the target directory as a side effect of
the 'Makefile' rule.
This patch makes the build step of the create tool conditional. If
merely creating api, src, pkg, or raw archives, the invocation of the
'build' tool can be skipped. Otherwise, the heap message for the 'build'
tool is displayed (because it is called w/o any arguments), which is
misleading to the user.
A bug in the timer-ticks-to-microseconds translation of the kernel timer
caused the user time to periodically get stuck for about 32 milliseconds
and then jump forward to the normal level again.
Ref #2400
In the timeout framework, we maintain a translation factor value to
translate between time and timestamps. To raise precision we scale-up
the factor when we calculate it and scale-down the result of its
appliance later again. This up and down scaling is achieved through
left and right shifting. Until now, the shift width was statically
choosen. However, some platforms need a big shift width and others a
smaller one. The one static shift width couldn't cover all platforms
which caused overflows or precision problems.
Now, the shift width is choosen optimally for the actual translation
factor each time it gets re-calculated. This way, we can take care that
the shift always renders the best precision level without the risk for
overflows.
Ref #2400
The result-buffer related members of the fast polling test are
the same for each buffered result type. Thus, we can make the
code easier by providing them through a struct.
Ref #2400
This patch increases init's preserved RAM and capability quota to
account for a current limitation of init with respect to the creation of
sessions to parent services:
In contrast to regular routed services, sessions to parent services are
created via 'Env::session'. The implementation of 'Env::session'
automatically upgrades session quotas on demand, which is the desired
behavior for regular 'Connection' objects. However, for sessions
established on the behalf of init's children, we would need to reflect
the error condition to the child instead of resolving it locally within
init (by subsidizing the session with init's quota). This patch leaves
this issue unresolved but fixes the symptom for the bomb test. It is
meant as an interim solution until the handling of parent sessions is
revised.
This patch decouples the error handling of the quota transfers
and the actual session creation. In the previous version, an error in
the 'initiate_request' phase would leave the local scope via an
exception without disarming the transfer guard objects. This way,
the guard destructors would attempt the returning of session quota in
addition to the explicit call of '_revert_quota_and_destroy' as done in
the error handling of the 'initiate_request' operation.
In the presence of a session-creation error in the 'initiate_request'
phase, session quota would eventually be returned twice. This patch
removes the intertwined error handling of both phases in a way that the
guards of the first phase (quota transfer) are no longer present in the
second phase (initiate_request).
This patch makes sure that the initial PD session limit (as defined by
the client-provided session quota) is preserved over the entire lifetime
of the PD session. That means, it cannot be transferred to other PD
sessions. Otherwise, it may be impossive to hand back all the static
session quota to the PD-session client at session-destruction time
because parts of the initial quota would no longer belong to the
session.
Note that the initial limit can still be used for allocations within the
PD session as those allocations are automatically reverted at
session-destruction time.
The implementations of the lock and C++ guards tests depend on
thread-execution priorities, which produces false negatives of the whole
thread test on platforms without priority support.
On QEMU, NOVA uses the pretty unstable TSC emulation as primary time
source. Thus, timeouts do not trigger with the common precision (< 50
ms). Use an error tolerance of 200 ms for this platform constellation.
Ref #2400
Apparently this construct leads to a compiler errors like
error: second operand to the conditional operator is of type ‘void’, but
the third operand is neither a throw-expression nor of type ‘void’
The fast polling test uses one timer session for raw 'elapsed_ms' calls
and another one for potentially interpolated 'curr_time' calls. It then
compares the two results against each other. However, until now, the
test did not consider that the duration of the session construction may
create a remarkable shift between the local times of the two sessions.
This shift is now determined and compensated before doing any
comparison.
Ref #2400
The multiple-handlers test was checking if handlers at one signal were
activated in a fair manner. But on Qemu, the error tolerance of one was
too small in rare cases (2 of 100 runs). However, having multiple
handlers for the same signal context can be considered deprecated
anyway. With the recommended Signal_handler wrapper for signal sessions,
you can't use this feature. Thus, we removed the multiple-handlers test.
Fixes#2450
The recently implemented capability resource trading scheme unfortunately
broke the automated capability memory upgrade mechanism needed by base-hw
kernel/core. This commit splits the capability memory upgrade mechanism
from the PD session ram_quota upgrade, and moves that functionality
into a separate Pd_session::Native_pd interface.
Ref #2398
The depot tool did not consistently distinct libraries from regular
targets when handling binary archives. The binary archive of a regular
target is located at <user>/<bin>/<arch>/<name> whereas a library is
located at <user>/<bin>/<arch>/<api>/<name>.
Fixes#2438
We incorrectly used 'unsigned long' (which is 32 or 64 bit depending on
the CPU architecture) for a timestamp (which is always 64 bit) in the
timer-connection implementation.
Ref #2435
On platforms were we do not have local time interpolation we can simply
skip the first test stage in the timeout test. This way, we can at least
test the rest.
Fixes#2435
On ARM, we do not have a component-local hardware time-source. The ARM
performance counter has no reliable frequency as the ARM idle command
halts the counter. Thus, we do not do local time interpolation on ARM.
Except we're on the HW kernel. In this case we can read out the kernel
time instead.
Ref #2435
This patch replaces the toy downloader (that merely copied files
locally, for testing) with the mechanics needed to download files from a
www server.
It also changes the use of GPG to use detached signatures.
Issue #2339
VM-exit interruption info was dropped and Vbox only needs guest CR3
value for guest-physical memory translation but does not actually change
it since the VM is running in unrestricted guest mode.
The explicit relative location of the file instructed both target builds
to generate ../main.o which gloriously fails with parallel builds. The
produced range of error messages was astonishing ranging from "file
truncated" to "TLS reference in ../main.o mismatches non-TLS reference
in ../main.o".
E.g., the script manually tried to configure lighttpd and used the old
porting directory structure that was integrated in the repos. For the
same reason it produced compile errors with noux packages.
Ref #2398
We do not have debug symbols in the bin/ binaries anymore. Thus, use the
debug/ binaries instead. We now have kernel specific binary names for
ld.lib.so and some others. Adapt, to this fact as well. For doing so
without unnecessary output, provide a new parameter "silent" at the
"kernel_specific_binary" procedure.
Ref #2398
A dataspace capability request to a ROM service may invalidate any
previously issued dataspace. Therefor no requests should be made while a
session dataspace is mapped. Reducing calls to the session also improves
performance where servicing a ROM request has a significant cost.
Fix#2418
There are programs, e.g. curl, that check if a connection was
established successfully by looking at SO_ERROR. Pretend that
the getsockopt() call was executed to keep them happy. If they
try to use a broken connection, the other socket functions will
bail.
This patch changes the noux build rules to produce a tar archive in
'bin/', alleviating the need for this step from the run scripts.
This way, the visible result of a built noux package is a single (tar)
file in '<build-dir>bin/', which is suited for the use as a ROM module.
The 'Stack_area_ram_session' is now a 'Stack_area_ram_allocator', which
simplifies the code and remove a dependency from the 'Ram_session'
interface, which we want to remove after all.
Issue #2407
By supplying a statically allocated initial block to the slab allocator
for signal contexts, we become able to construct a 'Signal_broker' (the
back end for the PD's signalling API) without any dynamic memory
allocation. This is a precondition for using the PD as meta-data
allocator for its contained signal broker (meta data allocations must
not happen before the PD construction is complete).
Issue #2407
If a child is allowed to constrain physical memory allocations but left
the 'phys_start' and 'phys_size' session arguments blank, init applies
builtin constraints for allocating DMA buffers.
The only component that makes use of the physical-memory constraint
feature is the platform driver. Since the built-in heuristics are
applied to the platform driver's environment RAM session, all
allocations performed by the platform driver satisfy the DMA
constraints.
To justify building-in these heuristics into init as opposed to
supplying the values as configuration arguments, the values differ
between 32 and 64 bit. The configuration approach would raise the need
to differentiate init configurations for both cases, which are
completely identical otherwise.
Issue #2407
This commit removes support for limitation of RAM allocations from the
platform_drv. A subsequent commit adds this feature to init.
Issue #2398
Issue #2407
By separating the session-interface concerns from the mechanics of the
dataspace creation, the code becomes simpler to follow, and the RAM
session can be more easily merged with the PD session in a subsequent
step.
Issue #2407
This patch allows core's 'Signal_transmitter' implementation to sidestep
the 'Env::Pd' interface and thereby adhere to a stricter layering within
core. The 'Signal_transmitter' now uses - on kernels that depend on it -
a dedicated (and fairly freestanding) RPC proxy mechanism for signal
deliver, instead of channeling signals through the 'Pd_session::submit'
RPC function.
With the capability-quota mechanism, the terminal-session won't always
be constructed completely on the first try (we may run out of caps in
the middle of the construction). Therefore, all members of the object
must be properly destructable. Furthermore, the patch replaces the
sliced heap by a heap to avoid allocating a new dataspace for each line
of the cell array.
Previously, the Genode::Timer::curr_time always used the
Timer_session::elapsed_ms RPC as back end. Now, Genode::Timer reads
this remote time only in a periodic fashion independently from the calls
to Genode::Timer::curr_time. If now one calls Genode::Timer::curr_time,
the function takes the last read remote time value and adapts it using
the timestamp difference since the remote-time read. The conversion
factor from timestamps to time is estimated on every remote-time read
using the last read remote-time value and the timestamp difference since
the last remote time read.
This commit also re-works the timeout test. The test now has two stages.
In the first stage, it tests fast polling of the
Genode::Timer::curr_time. This stage checks the error between locally
interpolated and timer-driver time as well as wether the locally
interpolated time is monotone and sufficiently homogeneous. In the
second stage several periodic and one-shot timeouts are scheduled at
once. This stage checks if the timeouts trigger sufficiently precise.
This commit adds the new Kernel::time syscall to base-hw. The syscall is
solely used by the Genode::Timer on base-hw as substitute for the
timestamp. This is because on ARM, the timestamp function uses the ARM
performance counter that stops counting when the WFI (wait for
interrupt) instruction is active. This instruction, however is used by
the base-hw idle contexts that get active when no user thread needs to
be scheduled. Thus, the ARM performance counter is not a good choice for
time interpolation and we use the kernel internal time instead.
With this commit, the timeout library becomes a basic library. That means
that it is linked against the LDSO which then provides it to the program it
serves. Furthermore, you can't use the timeout library anymore without the
LDSO because through the kernel-dependent LDSO make-files we can achieve a
kernel-dependent timeout implementation.
This commit introduces a structured Duration type that shall successively
replace the use of Microseconds, Milliseconds, and integer types for duration
values.
Open issues:
* The timeout test fails on Raspberry PI because of precision errors in the
first stage. However, this does not render the framework unusable in general
on the RPI but merely is an issue when speaking of microseconds precision.
* If we run on ARM with another Kernel than HW the timestamp speed may
continuously vary from almost 0 up to CPU speed. The Timer, however,
only uses interpolation if the timestamp speed remained stable (12.5%
tolerance) for at least 3 observation periods. Currently, one period is
100ms, so its 300ms. As long as this is not the case,
Timer_session::elapsed_ms is called instead.
Anyway, it might happen that the CPU load was stable for some time so
interpolation becomes active and now the timestamp speed drops. In the
worst case, we would now have 100ms of slowed down time. The bad thing
about it would be, that this also affects the timeout of the period.
Thus, it might "freeze" the local time for more than 100ms.
On the other hand, if the timestamp speed suddenly raises after some
stable time, interpolated time can get too fast. This would shorten the
period but nonetheless may result in drifting away into the far future.
Now we would have the problem that we can't deliver the real time
anymore until it has caught up because the output of Timer::curr_time
shall be monotone. So, effectively local time might "freeze" again for
more than 100ms.
It would be a solution to not use the Trace::timestamp on ARM w/o HW but
a function whose return value causes the Timer to never use
interpolation because of its stability policy.
Fixes#2400
This patch make sure that a once managed parent RPC object will always be
dissolved if an exception during the remaining child construction
occurs. The original version would miss the dissolve call if one of the
subsequent members throws an exception at construction time.
With this, we get rid of platform specific timer interfaces. The new
Timer class does the same as the old Clock class and has a generic
interface. The old Timer class was merely used by the old Clock class.
Also, we get rid of having only one timer instance which we tell with
each method call for which CPU it shall be done. Instead now each Cpu
object has its own Timer member that knows the CPU it works for.
Also, rename all "tics" to "ticks".
Fixes#2347
Removes the following Fiasco.OC specific features:
* GDB extensions for Fiasco.OC
* i.MX53 support for Fiasco.OC
* Kernel debugger terminal driver
* Obsolete interface Native_pd
* Obsolete function of interface Native_cpu
Previously we did write the SPSR via an MSR instruction without
additional flags. Unfortunately, this tells the CPU to write the
register only partially. This often isn't a problem as the users PSR
reset value normally is conform to our expectations but in some cases
(e.g. PSR endianess bit on WandBoard core #4) the reset value is bad.
Thus, we have to add the CXSF flags (access Control + eXtension + Status
+ Flags) so the CPU overwrites the entire register.
Fixes#2254
Previously, the debugging version of the core image
(<build_dir>/var/run/<run_name>.core) was created by the run tool from
the common core object file
(<build_dir>/var/run/<run_name>/core-<kernel>.o). This object file,
however, was already stripped by the build system and thus didn't
contain debug info anymore. The build system also creates an unstripped
version in <build_dir>/debug/core-<kernel>.o, so we now use this one
for <build_dir>/var/run/<run_name>.core.
Ref #2254
This patch eases the debugging of situations where a session-object
constructor wrongly throws an exception type not specified in the
'Local_service::Factory' interface.
This patch reduces the number of exception types by facilitating
globally defined exceptions for common usage patterns shared by most
services. In particular, RPC functions that demand a session-resource
upgrade not longer reflect this condition via a session-specific
exception but via the 'Out_of_ram' or 'Out_of_caps' types.
Furthermore, the 'Parent::Service_denied', 'Parent::Unavailable',
'Root::Invalid_args', 'Root::Unavailable', 'Service::Invalid_args',
'Service::Unavailable', and 'Local_service::Factory::Denied' types have
been replaced by the single 'Service_denied' exception type defined in
'session/session.h'.
This consolidation eases the error handling (there are fewer exceptions
to handle), alleviates the need to convert exceptions along the
session-creation call chain, and avoids possible aliasing problems
(catching the wrong type with the same name but living in a different
scope).
This patch mirrors the accounting and trading scheme that Genode employs
for physical memory to the accounting of capability allocations.
Capability quotas must now be explicitly assigned to subsystems by
specifying a 'caps=<amount>' attribute to init's start nodes.
Analogously to RAM quotas, cap quotas can be traded between clients and
servers as part of the session protocol. The capability budget of each
component is maintained by the component's corresponding PD session at
core.
At the current stage, the accounting is applied to RPC capabilities,
signal-context capabilities, and dataspace capabilities. Capabilities
that are dynamically allocated via core's CPU and TRACE service are not
yet covered. Also, the capabilities allocated by resource multiplexers
outside of core (like nitpicker) must be accounted by the respective
servers, which is not covered yet.
If a component runs out of capabilities, core's PD service prints a
warning to the log. To observe the consumption of capabilities per
component in detail, the PD service is equipped with a diagnostic
mode, which can be enabled via the 'diag' attribute in the target
node of init's routing rules. E.g., the following route enables the
diagnostic mode for the PD session of the "timer" component:
<default-route>
<service name="PD" unscoped_label="timer">
<parent diag="yes"/>
</service>
...
</default-route>
For subsystems based on a sub-init instance, init can be configured
to report the capability-quota information of its subsystems by
adding the attribute 'child_caps="yes"' to init's '<report>'
config node. Init's own capability quota can be reported by adding
the attribute 'init_caps="yes"'.
Fixes#2398
This patch reworks the implementation of core's RAM service to make use
of the 'Session_object' and to remove the distinction between the
"metadata" quota and the managed RAM quota. With the new implementation,
the session implicitly allocates its metadata from its own account. So
there is not need to handle 'Out_of_metadata' and 'Quota_exceeded' via
different exceptions. Instead, the new version solely uses the
'Out_of_ram' exception.
Furthermore, the 'Allocator::Out_of_memory' exception has become an alias
for 'Out_of_ram', which simplifies the error handling.
Issue #2398
The 'Session_object' unifies several aspects of server-component
implementations:
* It keeps track of session quotas and is equipped with standardized
interfaces (Quota_guard) to upgrade (and in the future potentially
downgrade) session quotas in a uniform way.
* It follows the pattern of modern RPC objects / signal handlers that
manage/dissolve themselves at the entrypoint given as constructor
argument. Thereby, the relationship with its entrypoint is always
coupled with the lifetime of the session-component object.
* It stores the session label, which was previously done manually by
most but not all server-component implementations.
* It stores the session 'diag' flag.
* It is equipped with output methods 'diag', 'error', and 'warning'.
All messages printed from the context of a session component is
automatically prefixed with the session type and client label.
Messages passed via 'diag' are only printed if the 'diag' flag of
the session is set.
Issue #2398
The 'diag' flag can be defined by a target node of a route in init's
configuration. It is propagated as session argument to the server, which
may evaluate the flag to enable diagnostic output for the corresponding
session.
Issue #2398
This patch makes use of the new 'Quota_transfer::Account' by the service
types in base/service.h and uses 'Quota_transfer' objects in
base/child.cc and init/server.cc.
Furthermore, it decouples the notion of an 'Async_service' from
'Child_service'. Init's 'Routed_service' is no longer a 'Child_service'
but is based on the new 'Async_service' instead.
With this patch in place, quota transfers do no longer implicitly use
'Ram_session_client' objects. So transfers can in principle originate
from component-local 'Ram_session_component' objects, e.g., as used by
noux. Therefore, this patch removes a strumbling block for turning noux
into a single threaded component in the future.
Issue #2398
The 'Quota_transfer' helper facilitated the implementation of quota
transfers between components in a transactional manner. It is designated
for framework-internal use (replacing the 'Transfer' class in child.h).
However, since it is also useful for init, we make it publicly
available.
The 'Quota_transfer::Account' class serves as an interface representing
the donor or receiver of quotas (parent, service, client).
Issue #2398
This patch replaces the 'Parent::Quota_exceeded',
'Service::Quota_exceeded', and 'Root::Quota_exceeded' exceptions
by the single 'Insufficient_ram_quota' exception type.
Furthermore, the 'Parent' interface distinguished now between
'Out_of_ram' (the child's RAM is exhausted) from
'Insufficient_ram_quota' (the child's RAM donation does not suffice to
establish the session).
This eliminates ambiguities and removes the need to convert exception
types along the path of the session creation.
Issue #2398
This patch adds sanity checks to the RPC entrypoint that detect attempts
to manage or dissolve the same RPC object twice. This is not always a
bug. I.e., if RPC objects are implemented in the modern way where the
object manages/dissolves itself. As the generic framework code (in
particular root/component.h) cannot rely on this pattern, it has to
call manage/dissolve for session objects anyway. For modern session
objects, this double attempt would result in a serious error (double
insertion into the object pool's AVL tree).
Issue #2398
This patch replaces the former use of size_t with the use of the
'Ram_quota' type to improve type safety (in particular to avoid
accidentally mixing up RAM quotas with cap quotas).
Issue #2398
The 'Ram_allocator' interface contains the subset of the RAM session
interface that is needed to satisfy the needs of the 'Heap' and
'Sliced_heap'. Its small size makes it ideal for intercepting memory
allocations as done by the new 'Constrained_ram_allocator' wrapper
class, which is meant to replace the existing 'base/allocator_guard.h'
and 'os/ram_session_guard.h'.
Issue #2398
This patch augments the existing session/session.h with useful types for
the session creation:
* The new 'Insufficient_ram_quota' and 'Insufficient_cap_quota'
exceptions are meant to supersede the old 'Quota_exceeded' exception
of the 'Parent' and 'Root' interfaces.
* The 'Session::Resources' struct subsumes the information about the
session quota provided by the client.
* The boolean 'Session::Diag' type will allow sessions to operate in a
diagnostic mode.
* The existing 'Session_label' is not also available under the alias
'Session::Label'.
* A few helper functions ease the extraction of typed session arguments
from the session-argument string.
Issue #2398
This patch upgrades the cap-space slab only if the kernel runs out of
entries, instead of consuming as much PD-session quota as possible.
Until now, the behavior worked well because the cap-space slab was the
only consumer of PD-session quota. However, once we start accounting all
PD session meta data - and eventually merging the PD and RAM services -
the aggressive scheme stands in the way.
Issue #2398
This accessor is useful to eagerly expand the slab with new slab blocks,
side stepping the slab's built-in policy for the allocation of new slab
blocks.
This is particularly important when using the slab for allocating the
cap space meta-data for the base-hw kernel. To guarantee that the slab
gets never exhausted in the kernel, it is expanded before entering the
kernel.
With the introduction of the 'Out_of_caps' exception type, the slab
needs to consider exceptions during the call of '_new_slab_block' by
reverting the 'nested' state.
The old download location is very shaky resp. currently unavailable and
also other projects (e.g., Gentoo and Linux From Scratch) use this
location. Note, the archive hash does _not_ change.
By building the posix library as shared object with an ABI, we
effectively decouple posix-using programs from the library
implementation (which happens to depend on several os-level APIs such as
the VFS).
This commit moves the headers residing in `repos/base/include/spec/*/drivers`
to `repos/base/include/drivers/defs` or repos/base/include/drivers/uart`
respectively. The first one contains definitions about board-specific MMIO
iand RAM addresses, or IRQ lines. While the latter contains device driver
code for UART devices. Those definitions are used by driver implementations
in `repos/base-hw`, `repos/os`, and `repos/dde-linux`, which now need to
include them more explicitely.
This work is a step in the direction of reducing 'SPEC' identifiers overall.
Ref #2403
causes the rem timer callback pending check to run more often (every 1 ms
instead 10 ms). This is essential to met the timeout requirements of the
audio backend, which must be checked&run every 5ms.
This patch adjusts the interactive scenarios of the gems repository to
use the depot. This has three immediate benefits. First, once the depot
is populated with binary archives, the start time of the scenarios
becomes very quick because most dependency checks and build steps are
side-stepped. Second, the run scripts become more versatile. In
particular, run scripts that were formerly supported on base-linux only
(nit_fader, decorator, menu_view) have become usable on all base
platforms that have a 'drivers_interactive' package defined. Finally,
the run scripts have become much shorter.
Issue #2339
This way, files copied from the depot are incorporated in addition to
the files explicitly specified as boot modules.
The patch also adds an automatic check for the validity of the XML
syntax of boot modules ending with '.config'.
Issue #2339
Run scripts can use the new 'import_from_depot' function to incorporate
archive content from the depot into a scenario. The function must be
called after the 'create_boot_directory' function and takes any number
of pkg, src, or raw archives as arguments. An archive is specified as
depot-relative path of the form <user>/<type>/name. Run scripts may
call 'import_from_depot' repeatedly.
An argument can refer to a specific version of an archive or just the
version-less archive name. In the latter case, the current version (as
defined by a corresponding archive recipe in the source tree) is used.
If a 'src' archive is specified, the run tool integrates the content of
the corrsponding binary archive into the scenario. The binary archives
are selected according the spec values as defined for the build directory.
As of now, only x86_32 and x86_64 are supported by the 'depot_spec'
function.
Issue #2339
In order to deliver base-hw as a binary archive, we need to install the
bootstap.o file to bin/. Since bin/ is a global name space shared by all
kernels, this patch renames the object file to bootstap-hw.o and thereby
clarifies the association of the file with base-hw.
This patch replaces the set-defaults command by a reset command, which
is needed to use the Lenovo x250 trackpoint. (original patch by
Christian Prochaska)
For asynchronously provided sessions, the parent has to maintain the
session state as long as the server hasn't explicitly responded to a
close request. For this reason, the lifetime of such session states is
bound to the server, not the client.
When the server responds to a close request, the session state gets
freed. The 'session_response' implementation does not immediately
destroy the session state but delegates the destruction to a client-side
callback, which thereby also notifies the client. However, the code did
not consider the case where the client has completely vanished at
session-response time. In this case, we need to drop the session state
immediately.
Fixes#2391
Originally, the spec files for less specific SPEC values were include
via the 'select_from_repositories' function. This implies that BASE_DIR
must always be present in the list of 'REPOSITORIES'. Otherwise the
spec files won't be found. By explicitly including sub specs from
'$(BASE_DIR)/mk', we lift this restriction.
This patch is required to build the OKL4 version of core from a source
archive. It avoids fetching source codes from BASE_DIR, and moves the
vpath wildcard for %.cc after all specific vpath definitins, in
particular those that are x86-specific. Without the latter change, core
would always end up using the generic version of 'platform_services.cc',
omitting the IO_PORT service from core.
The <build-dir>/bin/ directory used to contain symbolic links to the
unstripped build results. However, since the upcoming depot tool
extracts the content of binary archives from bin/, the resulting
archives would contain overly large unstripped binaries, which is
undesired. On the other hand, always stripping the build results is not
a good option either because we rely of symbol information during
debugging.
This patch changes the installation of build results such that a new
'debug/' directory is populated besides the existing 'bin/' directory.
The debug directory contains symbolic links to the unstripped build
results whereas the bin directory contains stripped binaries that are
palatable for packaging (depot tool) and for assembling boot images (run
tool).
By installing the core object to bin/, we follow the same convention as
for regular binaries. This, in turn, enables us to ship core in a
regular binary archive. The patch also adjusts the run tool to pick up
the core object from bin/ for the final linking stage.
When creating a source archive for the USB driver, both the contrib and
Genode-specific source codes are merged into a single directory
structure. In this case, the original way of determining the Linux
source code to scan for #include directives would apply the scanning to
Genode-specific source codes too. This patch tightens the search
criterion such that only Linux source codes are processed.
This macro is implicitly pulled in by libc-setjmp (via the libc's
cdefs.h). However, apparently not all sources include <setjmp.h>.
Unfortunately, for sources that do, this change produces a
double-definition warning. We should fix it by removing the dependency
from the libc's setjmp.
File_system servers shall deny clients not matching a defined policy.
Servers shall also apply session root offset policy followed by a client
offset.
Fix#2365
Init's service forwarding functionality did not take the service type
into account when forwarding a session request. If a server provides
multiple services, e.g. fb_sdl that provides both "Input" and
"Framebuffer", the type of the forwarded session request did not always
correspond to the actually requested type.
'unzip' can uncompress and load raw multiboot images and ELF files.
Usage together with the PXE bootloader ease life running the muen hypervisor
together with a Genode/x86_64 VM, where the raw boot image is typically quite
large.
Ref #2358
The information log file contains a list of all log files that are
expected to exist after the autopilot has finished its execution.
By using the '-i' option the default filename of 'autopilot.log'
can be overriden.
Debian has dropped mkisofs long time ago, hence hardcoding it prevents
Genode from being built on Debian easily. This patch makes the tool
configurable (defaulting to mkisofs). Building on Debian can then be
done by something like:
ISOTOOL=genisoimage make run/foobar
Fixes#2234Fixes#2235
The size of the whole table and table entries were exchanged for PML4,
leading to out-of-bound accesses for addesses >= 2^39. Some constants
were lacking type suffixes causing integer overflows.
Added assertions to catch out-of-bound accesses early on.
Fixes#2210Fixes#2211
If we do the tics-to-us translation with one division and multiplication
over the whole argument, like before, we loose microseconds granularity
although the timer frequency allows for such granularity. Thus, we treat
the most significant half and the least significant half of the tics
value separate. Each half is shifted to the best bit position for the
translation, then translated, and then shifted back.
Ref #2347
The use of 'select_from_repositories' for locating the linker script for
dynamically-linked executables only works if 'BASE_DIR' appears in the
list of 'REPOSITORIES'. This is the case when using the build system in
the traditional way but it is not desired when building binary archives
of individual components.
This patch adjusts the run script in two ways:
It removes the reliance on init's formerly built-in resource-request
handling by increasing the RAM quota for the backdrop instances. Since
commit "init: explicit response to resource requests", init no longer
hands out slack memory automatically.
Second, it makes sure that the backdrop appears under the precise label
"backdrop" at nitpicker by facilitating init's label-rewriting feature.
Without explicitly setting the label to "backdrop", nitpicker observes
the label "backdrop -> backdrop" (the first part comes from init, the
second part comes from the nitpicker-session argument specified by
backdrop itself). However, the client is only considered as default
background if labeled as "backdrop" (see nitpicker's '_create_session')
implementation.
Issue #2352
The base class of Registered must provide a virtual destructor to enable
safe deletion with just a base class pointer. This requirement can be
lifted by using Registered_no_delete in places where the deletion
property is not needed.
Fixes#2331
Ldso now does not automatically execute static constructors of the
binary and shared libraries the binary depends on. If static
construction is required (e.g., if a shared library with constructor is
used or a compilation unit contains global statics) the component needs
to execute the constructors explicitly in Component::construct() via
Genode::Env::exec_static_constructors().
In the case of libc components this is done by the libc startup code
(i.e., the Component::construct() implementation in the libc).
The loading of shared objects at runtime is not affected by this change
and constructors of those objects are executed immediately.
Fixes#2332
With the current implementation resource requests are not automically
satisfied with slack quota by init. Therefore, this commit adapts RAM
quotas of autopilot scenarios to the actual demands.
An inline attribute mismatch in the gcc-4.9.2 source causes its
compilation to fail on modern gcc versions (verified with gcc 6.3.1,
but probably since gcc 5)
The patch is courtesy of the gcc-patches mailing list:
https://gcc.gnu.org/ml/gcc-patches/2015-08/msg00375.htmlFixes#2341
The test used to rely on init's formerly built-in policy of answering
resource requests with slack memory, if available. Since init no longer
responds to resource requests in an autonomous way, we use a dynamically
configured sub-init instance as runtime for the test. This instance, in
turn, is monitored and controlled such that resource requests are
result in quota upgrades. The monitoring component is implemented in
the same test-resource_request program as the test. Both roles are
distinguished by the "role" config attribute.
This is a follow-up to "init: explicit response to resource requests".
- use more upstream hm code
- add call to memory check as done in vbox4
- add in principle all vbox devices and drivers
- avoid null pointer during VM startup (patch reported to vbox-devel list)
- avoid endless loop in usb root hub
Issue #2338
This patch equips init with the ability to act as a server that forwards
session requests to its children. Session requests can be routed
depending of the requested service type and the session label
originating from init's parent.
The feature is configured by one or multiple <service> nodes hosted in
init's <config> node. The routing policy is selected by via the regular
server-side policy-selection mechanism, for example:
<config>
...
<service name="LOG">
<policy label="noux">
<child name="terminal_log" label="important"/>
</policy>
<default-policy> <child name="nitlog"/> </default-policy>
</service>
...
</config>
Each policy node must have a <child> sub node, which denotes name of the
server with the 'name' attribute. The optional 'label' attribute defines
the session label presented to the server, analogous to how the
rewriting of session labels works in session routes. If not specified,
the client-provided label is presented to the server as is.
Fixes#2247
This patch removes the formerly built-in policy of responding to
resource requests with handing out slack quota. Instead, resource
requests have to be answered by an update of the init configuration with
adjusted quota values.
Note that this patch may break run scripts that depend on init's
original policy. Those run scripts may be adjusted by increasing the
quota for the components that use to inflate their RAM usage during
runtime such that the specified quota suffices for the entire lifetime
of the component.
This patch destructs the environment sessions for the binary and the
dynamic linker along with the other environment sessions to avoid a
warning about reverting quota that occurs when attempting to close
these sessions too late.
This patch improves init's dynamic reconfigurability with respect to
adjustments of the RAM quota assigned to the children.
If the RAM quota is decreased, init withdraws as much quota from the
child's RAM session as possible. If the child's RAM session does not
have enough available quota, a resource-yield request is issued to
the child. Cooparative children may respond to such a request by
releasing memory.
If the RAM quota is increased, the child's RAM session is upgraded.
If the configuration exceeds init's available RAM, init re-attempts
the upgrade whenever new slack memory becomes available (e.g., by
disappearing other children).
Since init no longer provides public headers, we have to adjust the
existing users of this headers. The 'init/child_config.h' is used only
by GDB monitor. So the patch moves the header there as an interim fix.
The 'init/child_policy.h' is still used by a few components, so we have
to keep a trimmed-down version of it for now.
This patch enables init to apply changes of any server's <provides>
declarations in a differential way. Servers can in principle be extended
by new services without re-starting them. Of course, changes of the
<provides> declarations may affect clients or would-be clients as this
information is taken into account for the session routing.
This patch addresses the corner cases where an environment session
could not be routed, i.e., if an environment LOG log session is
routed to a non-existing child.
The optional 'version' attribute allows for the forced restart of a
child with an otherwise unmodified start node. The specified value is
also reflected in the state report.
This patch covers the resolution of the ROM route for child binaries
via the generic label-rewriting mechanics. Now, the <binary> node has
become merely sytactic sugar for a route like the following:
<start name="test"/>
<route>
<service name="ROM" unscoped_label="test">
<parent label="test-binary-name"/> </service>
...
</route>
...
</start>
A change of the binary name has an effect on the child's ROM route to
the binary and thereby implicitly triggers a child restart due to the
existing re-validation of the routing.
This patch extends the constructor of 'Local_connection' with an
optional 'label' argument, which was previously passed implicitly as
part of the 'args' argument. Keeping the label separate from 'args'
enables us to distinguish the client-specified label from a label that
resulted from a server-side label as it is used when rewriting a label
of an environment session (i.e., the binary name) in init's routing
policy. In principle, this patch eliminates the need for init's
explicite handling of the binary name via the '<binary>' node, or
at least allows us to simplity the binary-node handling.
With this check in place, one can safely construct an 'Xml_generator'
even if the report is disabled. This relieves the user of the reporter
from the need to distinguish enabled from disabled reports.
The initial ROMs (program and linker) are already attached to the region
map of a forked process and don't need to be obtained again from an
external ROM service when the 'Child' class asks for them. For the program
image, the local Noux ROM service already returned an invalid dataspace
capability, but not for the linker.
Instead of adding another 'magic' ROM name for the local ROM service,
this commit implements an 'empty' ROM service, which returns an
invalid dataspace for the initial ROMs.
Fixes#2272
The race may happen when element objects get destructed by another thread then
the thread handling the for_each loop. In this case it may happen that the
object is already destructed (left the ~Element destructor) but the thread
handling the loop touches the invalid memory afterwards (the Element lock).
detected during issue #2299Fixes#2320
Under certain timing conditions, the test would end up flushing the
input from the input filter in a nested way, which ultimately resulted
in lost input events of the outer nesting level. This patch eliminates
this corner case and thereby stabilizes the key-repeat test.
Transfer quota to the session local RAM session to react to the
Quota_exceeded exception properly.
The platform driver keeps a session local RAM session for each of its
clients that is used to allocate DMA memory. A client needs to transfer
some of its quota to the platform driver, which in return transfers this
quota to the session local RAM session. As it happens allocating memory
from a RAM session involves book keeping and in this case, where the
available quota in the session did not suffice and the request was only
a few KiB, the platform driver handled the exception wrongly and did not
transfer the quota.
This problem did not surface up to now because all drivers allocate DMA
memory in larger chunks and the book keeping overhead was of no
consequence as the initial quota transfer probably covered the overhead.
Fixes#2316.
This enables to use append_if like the append command in the following
situation.
proc optional_binary {} {...}
append_if $optional config {
<start name="} [optional_binary] {">
...
}
Due to rounding in the timeout calculation it may happen that the timeout
stored in ms becomes 0, but actually some time (us or ns) are left to wait.
With threads on various priorities (vbox) this may end up in endless loops.
Fixes#2311
The file space demand for the object files when compiling core has grown.
Therefore, the ram_fs component runs out of memory and requests additional
memory from init. On OKL4, where the physical memory is limited by the
elfweaver bootstrap tool, there is no more slack memory after the donation
of 1G to noux.
* Increase test-thread count to trigger quota exceeding on all platforms
* Synchronize test-thread destruction, otherwise an half-destructed thread
object can lead to an error message of the thread to be destructed,
which causes a deadlock, when the destructed thread still holds the log lock
* Limit SMP settings for QEMU to x86 (Ref #2307)
The signal_1/2/3 objects (which are threads) are in destruction, but still
signals are send to them. When the signal arrive and the memory for the
signal_1/2/3 object is already invalid we operate on stale memory and all
the locking infrastructure of the Thread don't work anymore.
Be more robust, explicitly wait for the termination of the thread.
Issue #2284
Otherwise it may happend that the Guest tries to set the last stored
resolution from another run, which maybe is too large.
Up to now, everthing is fine, beside the fact that output changes are not
visible - which is odd and one things the VM came not up.
Issue #2306
that happened during early bootup.
The signal about input events may arrive before keyboard and mouse is set
(due wait_and_dispatch_one_signal called from a started pthread and ep still
not done with the initialisation)
Issue #2306
Previously we had configured the timer for the Panda ES with 700 MHz
CPU clock. But the Panda A6 that we use as reference now runs with
800 MHz.
Fixes#2308
Previously, on X86, the timer driver used the PIT with a maximum timeout
of 54 ms. Thus, the driver frequently interrupted the counters with
highest priority to update the timer. This is why we needed a higher
error tolerance as for ARM where the driver, once configured, can sleep
for the whole test timeout. Now, we use the kernel timer and the problem
seems to be exits no longer.
Ref #2304
Previously we pre-calculated the translation errors for the session
quota to make a discret check in the test. But since the order, in which
init childs get their CPU quota isn't always the same anymore (we should
have never made assumptions about that) the translation errors differ
from trial to trial. However, the errors are below 0.01% of the super
period. We now tolerate them in the run script.
Ref #2304
We call curl a second time if the first check fails. This gives download
sites time to reconsider their response and helps, for example, to check
the qemu-usb port.
By separating the plain MMIO access implementation from the generic bit
and offset logic of registers, we can now use the latter also with other
types of register access like I2C. The register and MMIO front-ends have
not changed due to the separation.
Ref #2196
* Acknowledge receive of page-fault signal with ack_signal,
but restart thread execution separately
* use kill_signal_context when disolving a pager_object to prevent race
* Remove bureaucracy in form of Thread_event and Signal_ack_handler
* remove dead code in riscv, namely Thread_base definition
* translation_table_insertions function for ARM drops out,
which was overcautious
The MIN_PSK_LENGTH constant was not adjusted to accommodate for the
semcantic change when switching from using the raw char array to using
the Genode::String class. The Genode::String::length() method includes
the terminating NUL byte while strlen() does not.
Fixes#2296.
With the commit "init: session-label rewriting", the stack usage
increased due to the handling of session-label strings as local
variables. The stack overrun occurred in the vmm scenario on
base-hw.
There was a race when the component entrypoint wanted to do
'wait_and_dispatch_one_signal'. In this function it raises a flag for
the signal proxy thread to notice that the entrypoint also wants to
block for signals. When the flag is set and the signal proxy wakes up
with a new signal, it tried to cancel the blocking of the entrypoint.
However, if the entrypoint had not reached the signal blocking at this
point, the cancel blocking failed without a solution. Now, the new
Kernel::cancel_next_signal_blocking call solves the problem by storing a
request to cancel the next signal blocking of a thread immediately
without blocking itself.
Ref #2284
To select a different keyboard layout than the default 'en_us', override the
'language_chargen' function in your run script (after including
qt5_common.inc):
proc language_chargen { } { return "de" }
where "de" refers to the character map file
'repos/os/src/server/input_filter/de.chargen'
Issue #2264
This patch improves the accuracy of init's quota-saturation feature
(handing out all slack quota to a child by specifying an overly high RAM
quota for the child) and makes the RAM preserved by init configurable.
The preservation is specified as follows:
! <config>
! ...
! <resource name="RAM" preserve="1M"/>
! ...
! </config>
If not specified, init has a reasonable default of 160K (on 32 bit) and
320K (on 64 bit).
It seems that our buildbot has a problem with the TCL command 'string
cat'. In most cases it is not necessary anyway as we can use the ""
enclosure instead. It unfolds inline procedure calls and variables
automatically. We don't want to use "" only in cases where the literal
shall contain many " characters itself as it is the case for XML
configs. Then we use the 'append' command and a helper variable instead.
Ref #2193
It can happen that when Cpu_free_component is constructed the insertion
of the object through 'manage' succeeds for the EP put not for the pager
EP, which in turn raises an Out_of_meta_data exception. Because we are
within the constructor, the descstructor is not called, leading to a
dangling object pool entry for the EP.
issue #2289
This patch lets init apply configuration changes to a running scenario
in a differential way. Children are restarted if any of their session
routes change, new children can be added to a running scenario, or
children can deliberately be removed.
Furthermore, the new version of init is able to propagate configuration
changes (modifications of <config> nodes) to its children without
restarting them.
If 'close' does not call 'unlink' like 'shutdown', the Lxip_socket_dir
never gets destroyed and thus the socket server leaks resources like
RAM and ports.
Ref #2285
Our 'shutdown' implementation handles only the case that 'how' is 'RDWR'.
Thus, print an error and continue if a user calls it with another value.
Fixes#2285
If not dissolved in ~Entrypoint, the signal proxy is found within NOVA's
and FOC's object pool upon Rpc_entrypoint destruction. This leads to a
deadlock because the signal proxy is destructed before the RPC EP.
issue #2284
This patch ensures that the POLICY::release is called whenever the
session creation aborted with an exception. In the original version, an
exception like 'Quota_exceeded' caused a single-session root interface
to deny subsequent session requests.
If 'Libc::Kernel::resume:all()' is called from a non-main thread, send a
signal to unblock the main thread from 'wait_and_dispatch_one_signal()'.
Fixes#2283
Change metadata before submitting a packet. If the submitting thread is a
pthread, the metadata may be immediately change by the signal handler running
in the context of the entrypoint thread.
This patch enhances the 'Child' and 'Child_policy' with the ability to
separate the different steps of bootstrapping children. If the
'Child_policy::initiate_env_sessions()' returns false, the child's
environment sessions remain unrouted at construction time. This way,
child objects for many children can be initialized to a state that
allows the children to represent services for other children. Therefore,
session routing can be applied before any child executes.
At this stage, the environment RAM sessions of all children can be
created. Note that this step still has the limitation that RAM sessions
are generally expected to be provided by either the parent or a local
service.
Once all children are equipped with RAM, they can in principle receive
session-quota donations. Hence, all other environment sessions can now
be arbitrarily routed and initiated.
Once the environment of a child is complete, the child's process and
initial thread is created.
This patch improves the accounting for the backing store of
session-state meta data. Originally, the session state used to be
allocated by a child-local heap partition fed from the child's RAM
session. However, whereas this approach was somehow practical from a
runtime's (parent's) point of view, the child component could not count
on the quota in its own RAM session. I.e., if the Child::heap grew at
the parent side, the child's RAM session would magically diminish. This
caused two problems. First, it violates assumptions of components like
init that carefully manage their RAM resources (and giving most of them
away their children). Second, if a child transfers most of its RAM
session quota to another RAM session (like init does), the child's RAM
session may actually not allow the parent's heap to grow, which is a
very difficult error condition to deal with.
In the new version, there is no Child::heap anymore. Instead, session
states are allocated from the runtime's RAM session. In order to let
children pay for these costs, the parent withdraws the local session
costs from the session quota donated from the child when the child
initiates a new session. Hence, in principle, all components on the
route of the session request take a small bite from the session quota to
pay for their local book keeping
Consequently, the session quota that ends up at the server may become
depleted more or less, depending on the route. In the case where the
remaining quota is insufficient for the server, the server responds with
'QUOTA_EXCEEDED'. Since this behavior must generally be expected, this
patch equips the client-side 'Env::session' implementation with the
ability to re-issue session requests with successively growing quota
donations.
For several of core's services (ROM, IO_MEM, IRQ), the default session
quota has now increased by 2 KiB, which should suffice for session
requests to up to 3 hops as is the common case for most run scripts. For
longer routes, the retry mechanism as described above comes into effect.
For the time being, we give a warning whenever the server-side quota
check triggers the retry mechanism. The warning may eventually be
removed at a later stage.
This patch equips init with the ability to report its internal state in
the form of a "state" report. This feature can be enabled by placing a
'<report>' node in init's configuration.
The report node accepts the following arguments (with their default
values):
'delay_ms="100"': specifies the number of milliseconds to wait before
producing a new report. This way, many consecutive state changes -
like they occur during the startup - do not result in an overly
large number of reports but are merged into one final report.
'buffer="4K"': the maximum size of the report in bytes. The attribute
accepts the use of K/M/G as units.
'init_ram="no"': if enabled, the report will contain a '<ram>' node
with the memory stats of init.
'ids="no"': supplement the children in the report with unique IDs, which
may be used to infer the lifetime of children accross configuration
updates in the future;
'requested="no"': if enabled, the report will contain information about
all session requests initiated by the children.
'provided="no"': if enabled, the report will contain information about
all sessions provided by all servers.
'session_args="no"': level of detail of the session information
generated via 'requested' or 'provided'.
'child_ram="no"': if enabled, the report will contain a '<ram>' node
for each child based on the information obtained from the child's RAM
session.
Issue #2246
This method is a hook to enable a runtime to respond to state changes.
In particular, in init this hook is used to trigger the generation of a
new state report, if configured.
Furthermore, the patch introduces the 'generate_client_side_info' and
'generate_server_side_info' methods to the 'Session_state', which
generates an XML representation of the session states to appear in
reports produced by init.
Issue #2246
Normally, the platform driver helpers adapt the global run variables directly
via append. But the introduction of a more elegant run script style, that
incorporates dependent strings inline may be a good idea. Thus, we need the
backends of the helpers available as functions that return their string rather
than appending it.
The old interface still exists and uses the new interface as backend.
Ref #2193
The 'server_ip' and 'server_port' attributes for 'lxip/udp_client' and
'lwip/http_clnt' as well as the 'port' attribute for 'lxip/udp_echo' and
'lwip/http_srv_static' are not directly libc-related so they should not
live in the libc tag but in the config tag of the component.
Ref #2193
This patch enhances init with the support for rewriting session labels
in the target node of a matching session route. For example, a Noux
instance may have the following session route for the "home" file
system:
<route>
<service name="File_system" label="home">
<child name="rump_fs"/>
</service>
...
</route>
At the rump_fs file-system server, the label of the file-system session
will appear as "noux -> home". This information may be evaluated by
rump_fs's server-side policy. However, when renaming the noux instance,
we'd need to update this server-side policy.
With the new mechanism, the client's identity can be hidden from the
server. The label could instead represent the role of the client, or a
name of a physical resource. For example, the Noux route could be
changed to this:
<route>
<service name="File_system" label="home">
<child name="rump_fs" label="primary_user"/>
</service>
...
</route>
When the rump_fs receives the session request, it is presented with the
label "primary_user". The fact that the client is "noux" is not taken
into account for the server-side policy selection.
Issue #2248
The new return value of 'resolve_session_request' allows the child
policy to define the label used as the policy selector at the server.
Because this patch introduces the distinction of the child-provided
label from the label as presented to the server along with the session
request, the latter is now handled as a dedicated 'Session_state'
argument.
Issue #2248
This commit includes changes to the Nic::Session_component interface.
We now pass the entire env to the component instead of only ram, rm and
the ep because we need the env to open connections from within the
Session_component implemenation. So far only the cadence_gem driver
needs this, though.
Issue #2280.
Libc components cannot use regular calls to select() as this may suspend
their execution. In this case incoming RPCs will be deferred until
select() returns and the component returns to the entrypoint dispatch
loop. The Libc::Signal_handler solves this problem with a its select()
that either returns the currently ready file descriptors immediately or
calls the registered handler function during libc resume.
Now, the libc kernel supports to execute application code from all RPC
functions not only Component::construct(). This is enabled by the
Libc::with_libc() scope function.
This commit extends an easy-to-use mechanism to allow Genode component
code to enter/leave the libc application context. This is needed
whenever low-level component code (like signal handlers or RPC
functions) need to interact with potentially blocking libc I/O
functions.
Please note that this commit contains the API-level design only. The
actual context switching code 'execute_in_application_context' is
missing.
The socket file system can be configured in the "socket" attribute of
the libc config node like follows.
<vfs> <dir name="socket"> <fs/> </dir> </vfs>
<libc ... socket="/socket"/>
This configures the socket file system libc backend to access files in
"/socket" for socket operations.
There existed a race when 'wait_and_dispatch_one_signal' is called form
a RPC context, because the 'signal_proxy' or 'main' will block and the
signal semaphore, when the EP then calls 'wait_and_dispatch_one_signal',
the signal proxy is woken up ands sends an RPC to the EP, leading to a
dead lock if no further signal arrive, because the EP will then remain
blocked in the signal semaphore.
Therefore, for this case, the signal proxy will now perform a semaphore
up operation and does not perform an RPC if the EP is within
'wait_and_dispatch_one_signal'.
This patch enhances init with the ability to route individual
environment sessions. Prior this patch, environment sessions could be
routed only by an all-encompassing '<service>' node that would match
both child-initiated and environment sessions.
In contrast to the existing 'label', 'label_prefix', and 'label_suffix'
attributes of '<service>' nodes, which are always scoped with ther name
of the corresponding child, the 'unscoped_label' allows the definition
of routing rules for all session requests, including init's requests for
the child's environment sessions. For example, to route the ROM session
requests for a child's dynamic linker, the following route would match:
<route>
<service name="ROM" unscoped_label="ld.lib.so"> ... </service>
</route>
Issue #2215
When a directory gets destructed it dissolves the handles of each contained file
but the acknowledgement might be still in-flight. If we finally receive it,
it leads to an Unknown_id exception on the Handles ID Space in 'handle_ack'.
Now we catch it, print a warning, and go on.
This patch adds the handling of 'CHARACTER' events as emitted by the
input-filter's character generator (<chargen>). To avoid interpreting
press/release events twice (at the input filter and by the terminal's
built-in scancode tracker), the terminal's scancode tracker can be
explicitly disabled via <config> <keyboard layout="none"/> </config>.
In the future, the terminal's built-in scancode tracker will be
removed.
The use of the terminal with the input filter is illustrated by the
'terminal_echo.run' script.
Issue #2264
The input_filter is the successor of the input_merger. In addition to
merging input streams, the component applies several forms of input
transformations such as the application of keyboard layouts.
Issue #2264
Character events are created via a dedicated 'Event' constructor that
takes an 'Event:Utf8' object as argument. Internally, the character is
kept in the '_code' member. The 'Utf8' value can by retrieved by the
recipient via the new 'utf8' method.
Issue #2264
A binary file may be a temporary Vim .swp file when examining contrib
sources. The commit prevents build errors like
.../repos/dde_linux/lib/mk/lxip_include.mk:29:
target '.../x86_64/var/libcache/lxip_include/include/include/include/Binary'
given more than once in the same rule
.../repos/dde_linux/lib/mk/lxip_include.mk:29:
target '.../x86_64/var/libcache/lxip_include/include/include/include/file'
given more than once in the same rule
...
A Signal_handler may schedule a hook function that is executed after the
signal handler returned. This can be used if the hook function may
trigger a (nested) signal handler by means of
wait_and_dispatch_one_signal(). Otherwise, an occurrence of the same
signal that triggered the original signal handler results in a dead lock
just before calling the nested handler (due to the Signal_context
destruction lock).
The read-ready packet informs the server that the client wants to be
notified if a handle becomes readable. When becoming readable, the
server acknowledges packet and the client may queue a read requests
accordingly.
The i.MX53 Framebuffer driver doesn't come up on on Fiasco.OC because the Platform
driver isn't allowed to access essential devises like the SRC or the Fuses. This is
most likely due to the kernel not configuring the CSU appropriately.
Ref #2268
broken due to changes of
libc: API transition
Issue #1987
For now provide a initial memory buffer for allocation of static
constructors and of malloc calls out of the libc during early
libc initialization until actual vbox code is executed having the Env
pointer.
This change introduces a Genode specific init function, which sets the
backend allocator used by jent_zalloc/zfree(). As consequence the
library can solely be used by native Genode components, direct libc
usage is not supported.
Fixes#2274.
Put the initialization of the cpu cores, setup of page-tables, enabling of
MMU and caches into a separate component that is only used to bootstrap
the kernel resp. core.
Ref #2092
Instead of implicitly asking for core's link address when linking
core within the run tool, deliver it explicitly to the build_core
routine. Thereby we gain the freedom to use the build_core tool for
different targets like core, and bootstrap.
Ref #2092
This hook allows the export of the allocator's state by a derrived
class. I.e., the final state of the allocator used for bootstrapping
core.
Ref #2092
This patch eliminates the need for a global allocator by passing the
parent-service registry as argument to the 'Slave::Policy' constructor.
Fixes#2269
The support has two parts. First, a VFS plugin now gets passed an
I/O-response handler callback on construction, which informs users of the
VFS that an I/O event occurred. This enables, for example, the libC to
check if blocking read can be completed. Further, the VFS file I/O
interface provides now functions for suspendable reads, i.e.,
queue_read() and complete_read().
Replacing the node lookup table with an Id_space removes the
limit on open handles per session and allows mutal associativity
between File_system handles and local VFS handles.
Fix#2221
The test now forks twice - the parent forks a child and the child itself
forks a grand child. Both, parent and child, wait for termination of
their forked process with waitpid(). Additionally, the run script now
checks for exit of the parent (not any noux process).
First, calls to manage and dissolve signal contexts now check if the
signal receiver was constructed. There is a small window during suspend
where it is destructed before reconstructed again.
Last, we ensure that processing of incoming signal was deblocked by the
suspend signal before entering the suspend operation. This way we ensure
already queued signal are handled.
The block file system wrongly modified the seek offset during a
read-modify-write operation that is required for sub-block-size
requests. This led to problems whenever such write requests spanned
multiple blocks and thereby were handled in multiple iterations.
Fixes#2262
This test reproduces an issue of the VFS block file system when the
underlying block device has a coarser granularity than the block
requests issued by the VFS client. I.e., if the underlying block device
has a block size of 4K, writing a sequence of (non-4K-aligned) 512 blocks
that crosss a 4K boundary corrupts the data on the block device.
Issue #2262
The new utility at 'os/static_parent_services.h' allows the creation of
a registry of parent services at compile time and thereby eliminates the need
for dynamic memory allocations whenever the set of services is known at
compile time as is the case for most uses of 'Slave::Policy'. The commit
showcases the utility in the bomb test.
This commit enables compile-time warnings displayed whenever a deprecated
API header is included, and adjusts the existing #include directives
accordingly.
Issue #1987
On Odroid XU the SD card driver comes up and finds a card but for card
access it seems that we would need a platform driver like on Arndale.
On imx_53, the first SDHCI MMIO access faults. This is likely due to the
AIPSTZ memory bridge. On HW, we initialize the AIPSTZ in the kernel, but
when I tried doing that in the platform driver instead, the first AIPSTZ
MMIO access faults ^^ So I gave up for now and removed support.
Fixes#2259
Parse ``<env key="..." value=".."/>`` nodes from the config ROM and
populate a list at the 'genode_envp' and 'environ' symbols.
Test script at run/libc_getenv.
Fix#2236
In combination with run/image/uboot, run/boot_dir/foc expected a file link it
created itself to be a directory by trying to create another file link inside
it.
Ref #1987
For all tests
* use Component::construct instead of main
* use new connection constructors with env argument
* use log instead of printf
For some tests
* replace signal receivers with signal handlers
* replace global static variables with Main class members
* remove unnecessary multithreading
* model test steps as classes that are independent from each other and managed
by Main as constructibles
* use references instead of pointers and exceptions instead of error codes
* use Attached_* helpers intead of doing attach/detach manually
* use helpers like String, Id_space, Registry instead of arrays and lists
* make the run script suitable for automated execution and conclusion
Ref #1987
In the past, the Genode::destroy, that is called by the RAM-FS-chunk destructors,
issued Allocator::free instead of the C++ delete. Therefore it was possible to
use the size argument of Allocator::free for the allocation tracker in the
RAM-FS-chunk test. Nowadays, we have to keep track of the allocation sizes
ourselves because delete doesn't hand over the size.
Ref #1987
The FB Block Adapter in os/src/test visualizes a block session via a
Framebuffer session. As far as I can see, it is not a test but rather
the base for a bump-in-the-wire component. However, for this role it
currently lacks a Block back-end. As it also would have to be updated to
use the new base API I removed it instead, leaving only its git
history as inspiration if someone needs such a component in the future.
Fixes#2245
Ref #1987
lesskey and lessecho missed the declaration of ${LIBS} on the compiler
command line, which ended up in unusable programs.
> file noux-pkg/less/lesskey.broken
noux-pkg/less/lesskey.broken: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked, interpreter *empty*, not stripped
> file noux-pkg/less/lesskey
noux-pkg/less/lesskey: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked, interpreter ld.lib.so, not stripped
The issue was identified because -O0 builds broke with
ld: lesskey: The first section in the PT_DYNAMIC segment is not the .dynamic section
Unfortunately, this simple fix renders both tools also dependent to libm
and ncurses which they don't use.
This streamlines the Genode-specific interface for both 32-bit and
64-bit architectures and fixes dynamic-linking issue with the rump
VFS due to differing size_t types.
This function returns the information whether the used platform relies
on USB HID for interactive scenarios by default as is the case for most
ARM platforms. In contrast, for x86 the USB driver can be omitted because
we can use the PS/2 driver (that is readily available in repos/os/).
If the detach address is not the beginning of the region, one gets:
"virtual void Genode::Allocator_avl_base::free(void*): given
address (0x180e0) is not the block start address (0x18000)"
Instead, print an explicit warning in front of the detach call.
Cleaning up LWIP when returning from the main function sporadically
leads to endless errors "Error: sys_arch_mbox_fetch: unknown exception
occured!". We let the client sleep forever at the end of its main function
to prevent tests from failing due to a flooded log.
Reg #2193
* get rid of printf
* use exceptions instead of error codes
* use Id_space instead of the individual block device registry
* use Cstring instead of char const*
* move method definitions > 1 line to .cc files
* rename Block Block_driver and Serial Serial_driver to avoid name clashes
with the Genode namespace and thereby simplify the code
* use lambdas for Block device lookup and apply
* switch to the Component framework
* don't use env(), config(), ... and hand over env to each connection
* use Attached_mmio and Attached_rom/ram_dataspace instead of manual
solutions
Fixes#2223
The init component used to create the CPU/RAM/PD/ROM sessions (the child
environment) for its children by issuing session requests to its parent,
which is typically core. This policy was hard-wired. This patch enables
the routing of the environment sessions of the children of init
according to the configured routing policy.
Because there is no hard-wired policy regarding the environment sessions
anymore, routes to respective services must be explicitly declared in
the init configuration. For this reason, the patch adjusts several run
scripts in this respect.
This patch removes the outdated '<if-args>' special handling of session
labels. The '<if-args>' feature will eventually be removed completely
(ref #2250)
Issue #2197
Issue #2215
Issue #2233
Issue #2250
This patch changes the 'Xml_node_label_score' to regard an empty
label_prefix or label_suffix as a match instead of a conflict. Until
now, there was no use case for an empty label_prefix. But with init's
new ability to route environment sessions, an empty prefix denotes any
child-initiated session (as oposed to an parent-initiated environment
session).
Issue #2215
Issue #2233
This patch fixes a problem that unsurfaced by the commit "menu_view: API
transition", which changed the class layout of the 'Png_image' so that
the 'Read_struct' pointer is no longer equal to the 'Png_image' pointer.
This commit addresses the situation where an environment session
outlives the session-providing service. In this case, the env session
got already invaidated at the destruction time of the server. However,
the underlying session-state structure continues to exist until the
client is destructed. During the eventual destruction of such a dangling
environment session, we have to be careful not to interact with the
no-longer existing service.
Ref #2197
This patch addresses the corner case of destructing a child that
provides an enviroment session to another child. Before this patch,
this situation could result in an infinite loop.
The problem was introduced as a side effect of issue #2197 "base: apply
routing policy to environment sessions".
This patch re-enables the launchpad to start multiple instances of the
same program. Without it, launchpad wrongly requests the binary ROM with
the child's unique name as label. The lookup of the first instance
solely succeeds because the unique name equals the binary name.
To better support non-blocking terminal components, let the
'Terminal::Session::write()' function return the number of bytes
actually written.
Fixes#2240
The session-control mechanism is based on the way how sessions are
labeled. In #2171, we changed the labeling to be more strict. In
particular, label-less sessions do no longer exist.
Unfortunately, nitpicker and the window manager still handled the former
weaker labeling, which ultimately led to a situation where any
session-control argument would mismatch. The behavior could be observed
in the launcher.run script where a click on the subsystem button would
not focus the clicked-on subsystem. With the patch, the scenario works
again as expected.
This patch enables warnings if one of the deprecate functions that rely
in the implicit use of the global Genode::env() accessor are called.
For the time being, some places within the base framework continue
to rely on the global function while omitting the warning by calling
'env_deprecated' instead of 'env'.
Issue #1987
This patch removes the dependency of the deprecated Genode API,
fixes the coding style, and removes the "random" file system
(superseded by the VFS plugin mechanism).
Ref #1987
Merge the platform-specific files and classes (they merely aggregated
themselves) so that each platform provides merely one class
Sd_card::Driver. Also, the Sd_card::Driver_base class is introduced for
the generic parts of Sd_card::Driver.
Ref #2206
Most implementations use a Signal_handler now to acknowledge the packet
instead of waiting for the transfer completion. The exceptions to that are
the non-DMA implementations for RPI and PL180
Ref #2206
In addition to that we now busy wait, i.e. poll, for interrupts
instead of using the IRQ session. That is fine because interrupts
were only used while configuring the HDMI over I2C and are not used
while normal operation.
Issue #1987.
Libc::Env is the Genode::Env interface extended to cover access
to the XML content of the 'config' ROM and a VFS instance. This
deduplicates the burden of components to attain and manage
these resources.
Fix#2217
Ref #1987
This aspect was always enabled when creating a build directory for hw,
but is not enabled anymore due to recent build directory unifications.
On the other hand it is needed for jitter entropy anyway.
Ref #2190
This commit mostly removes the globally visible NR_OF_CPUS define
from the global makefile specifiers defined in the base-hw repository.
Whereever necessary it adds platform specific makefiles to the base
repository when they were missing.
Ref #2190
This patch make the ABI mechanism available to shared libraries other
than Genode's dynamic linker. It thereby allows us to introduce
intermediate ABIs at the granularity of shared libraries. This is useful
for slow-moving ABIs such as the libc's interface but it will also
become handy for the package management.
To implement the feature, the build system had to be streamlined a bit.
In particular, archive dependencies and shared-lib dependencies are now
handled separately, and the global list of 'SHARED_LIBS' is no more.
Now, the variable with the same name holds the per-target list of shared
libraries used by the target.
Ubuntu provides position independent shared objects for libraries, e.g.,
libsdl1.2-dev. To appropriatly link it to Genode, the linker flag
'-no-pie' has to be added to the make file.
This patch removes the component_entry_point library, which used to
proved a hook for the libc to intercept the call of the
'Component::construct' function. The mechansim has several shortcomings
(see the discussion in the associated issue) and was complex. So we
eventually discarded the approach in favor of the explicit handling of
the startup.
A regular Genode component provides a 'Component::construct' function,
which is determined by the dynamic linker via a symbol lookup.
For the time being, the dynamic linker falls back to looking up a 'main'
function if no 'Component::construct' function could be found.
The libc provides an implementation of 'Component::construct', which
sets up the libc's task handling and finally call the function
'Libc::Component::construct' from the context of the appllication task.
This function is expected to be provided by the libc-using application.
Consequently, Genode components that use the libc have to implement the
'Libc::Component::construct' function.
The new 'posix' library provides an implementation of
'Libc::Component::construct' that calls a main function. Hence, POSIX
programs that merely use the POSIX API merely have to add 'posix' to the
'LIBS' declaration in their 'target.mk' file. Their execution starts at
'main'.
Issue #2199
On a 64-bit system, enabling the OpenSSL NIST 64-bit optimization should
result in considerable speed improvements when using curves: NIST-P224,
NIST-P256, and NIST-P521. Additionally it avoids that Tor complains
about having an OpenSSL that lacks this feature.
Ref #2193
These functions are marked as always inline through the 'SELF_RELOC' macro. This
became necessary because on riscv functions calls are performed through the
global offset table, which is not initialized at this point.
Fixes#2203
This commit adds support for testing multiple kernels within the same
build directory. In addition to the existing -p arguments, the new
version expects one or more -k arguments that denote the kernels to be
used for executing the specified run scripts.
Consequently, the autopilot executes the 3-dimensional matrix of
platforms x kernels x run scripts, e.g.,
autopilot --force -p x86_32 -k nova -k okl4 -k sel4 -k linux -r log
Issue #2190
This patch makes the benefit of the recently introduced unified Genode
ABI available to developers by enabling the use of multiple kernels from
within a single build directory. The create_builddir tool has gained a
new set of kernel-agnostic platform arguments such as x86_32, or panda.
Most build targets within directories are in principle compatible with
all kernels that support the selected hardware platform. To execute a
scenario via the run tool, one has to select the kernel to use by
setting the 'KERNEL' argument in the build configuration
(etc/build.conf). Alternatively, the 'KERNEL' can be specified as
command-line argument of the Genode build system, e.g.:
make run/log KERNEL=nova
This allows us to easily switch from one kernel to another without
rebuilding any Genode component except for the very few kernel-specific
ones.
The new version of the 'create_builddir' tool is still compatible with
the old version. The old kernel-specific build directories can still be
created. However, those variants will eventually be removed.
Note that the commit removes the 'ports-foc' repository from the
generated 'build.conf' files. As this is only meaningful for 'foc',
I did not want to include it in the list of regular repositories (as
visible in a 'x86_32' build directory). Hence, the repository must
now be manually added in order to use L4Linux.
Issue #2190
This patch removes the manually maintained symbol map from the dynamic
linker. This way, the symbol map stays in sync with the ABI and - more
importantly - no longer uses wildcards. So the symbols exported by the
dynamic linker are strictly limited by the ABI.
Issue #2190
Previously, if a packet should be routed to a domain that had no interface
connected, the NIC router only printed "Unroutable packet". Technically,
this was wrong as an unavailable interface doesn't mean that the routing
failed. Now it gives an error "no interface connected to domain".
Ref #2193
The main window must be visible before avplay or a framebuffer filter
requests the framebuffer session which goes to Nitpicker, because the
parent view of the new Nitpicker view is part of the
QNitpickerPlatformWindow object, which is created when the main window
becomes visible. If this object does not exist yet, a page fault occurs.
Fixes#2187
This patch changes the child-construction procedure to allow the routing
of environment sessions to arbitrary servers, not only to the parent.
In particular, it restores the ability to route the LOG session of the
child to a LOG service provided by a child of init. In principle, it
becomes possible to also route the immediate child's PD, CPU, and RAM
environment sessions in arbitrary ways, which simplifies scenarios that
intercept those sessions, e.g., the CPU sampler.
Note that the latter ability should be used with great caution because
init needs to interact with these sessions to create/destruct the child.
Normally, the sessions are provided by the parent. So init is safe at
all times. If they are routed to a child however, init will naturally
become dependent on this particular child. For the LOG session, this is
actually not a problem because even though the parent creates the LOG
session as part of the child's environment, it never interacts with the
session directly.
Fixes#2197
This patch removes possible ambiguities with respect to the naming of
kernel-dependent binaries and libraries. It also removes the use of
kernel-specific global side effects from the build system. The reach of
kernel-specific peculiarities has thereby become limited to the actual
users of the respective 'syscall-<kernel>' libraries.
Kernel-specific build artifacts are no longer generated at magic places
within the build directory (like okl4's includes, or the L4 build
directories of L4/Fiasco and Fiasco.OC, or the build directories of
various kernels). Instead, such artifacts have been largely moved to the
libcache. E.g., the former '<build-dir>/l4/' build directory for the L4
build system resides at '<build-dir>/var/libcache/syscall-foc/build/'.
This way, the location is unique to the kernel. Note that various tools
are still generated somewhat arbitrarily under '<build-dir>/tool/' as
there is no proper formalism for building host tools yet.
As the result of this work, it has become possible to use a joint Genode
build directory that is usable with all kernels of a given hardware
platform. E.g., on x86_32, one can now seamlessly switch between linux,
nova, sel4, okl4, fiasco, foc, and pistachio without rebuilding any
components except for core, the kernel, the dynamic linker, and the timer
driver. At the current stage, such a build directory must still be
created manually. A change of the 'create_builddir' tool will follow to
make this feature easily available.
This patch also simplifies various 'run/boot_dir' plugins by removing
the option for an externally hosted kernel. This option remained unused
for many years now.
Issue #2190
The header is foc-specific. It used to shadow the generic one provided
by the base repository, which contradicts with the kernel-agnostic
Genode API. Hence, it had to be moved to a foc-specific location.
This patch decouples the kernel-specific implementation of the dynamic
linker from its kernel-agnostic binary interface. The name of the
kernel-specific dynamic linker binary now corresponds to the kernel,
e.g., 'ld-linux.lib.so' or 'ld-nova.lib.so'. Applications are no longer
linked directly against a concrete instance of the dynamic linker but
against a shallow stub called 'ld.lib.so'. This stub contains nothing
but the symbols provided by the dynamic linker. It thereby represents
the Genode ABI.
At system-integration time, the kernel-specific run/boot_dir back ends
integrate the matching the kernel-specific variant of the dynamic linker
as 'ld.lib.so' into the boot image.
The ABI symbol file for the dynamic linker is located at
'base/lib/symbols/ld'. It contains the joint ABI of all supported
architectures. The new utility 'tool/abi_symbols' eases the creation of
such an ABI symbol file for a given shared library. Its result should be
manually inspected and edited as needed.
The patch removes the 'syscall' library from 'base_libs.mk' to avoid
polluting the kernel-agnostic ABI with kernel-specific interfaces.
Issue #2190
Issue #2195
By not placing the sysio buffer (16 KiB) on the stack, we can call
'noux_syscall' from the initial thread. This is needed to issue fork
from the suspend callback, which is executed by the initial thread.
This cleans up the syscalls that are mainly used to control the
scheduling readiness of a thread. The different use cases and
requirements were somehow mixed together in the previous interface. The
new syscall set is:
1) pause_thread and resume_thread
They don't affect the state of the thread (IPC, signalling, etc.) but
merely decide wether the thread is allowed for scheduling or not, the
so-called pause state. The pause state is orthogonal to the thread state
and masks it when it comes to scheduling. In contrast to the stopped
state, which is described in "stop_thread and restart_thread", the
thread state and the UTCB content of a thread may change while in the
paused state. However, the register state of a thread doesn't change
while paused. The "pause" and "resume" syscalls are both core-restricted
and may target any thread. They are used as back end for the CPU session
calls "pause" and "resume". The "pause/resume" feature is made for
applications like the GDB monitor that transparently want to stop and
continue the execution of a thread no matter what state the thread is
in.
2) stop_thread and restart_thread
The stop syscall can only be used on a thread in the non-blocking
("active") thread state. The thread then switches to the "stopped"
thread state in wich it explicitely waits for a restart. The restart
syscall can only be used on a thread in the "stopped" or the "active"
thread state. The thread then switches back to the "active" thread state
and the syscall returns whether the thread was stopped. Both syscalls
are not core-restricted. "Stop" always targets the calling thread while
"restart" may target any thread in the same PD as the caller. Thread
state and UTCB content of a thread don't change while in the stopped
state. The "stop/restart" feature is used when an active thread wants to
wait for an event that is not known to the kernel. Actually the syscalls
are used when waiting for locks and on thread exit.
3) cancel_thread_blocking
Does cleanly cancel a cancelable blocking thread state (IPC, signalling,
stopped). The thread whose blocking was cancelled goes back to the
"active" thread state. It may receive a syscall return value that
reflects the cancellation. This syscall doesn't affect the pause state
of the thread which means that it may still not get scheduled. The
syscall is core-restricted and may target any thread.
4) yield_thread
Does its best that a thread is scheduled as few as possible in the
current scheduling super-period without touching the thread or pause
state. In the next superperiod, however, the thread is scheduled
"normal" again. The syscall is not core-restricted and always targets
the caller.
Fixes#2104
The main thread does no longer execute application code. It is solely
responsible for the initialization of the component's entrypoint and for
retrieving asynchronous notifications. Since the stack usage is no
longer dependent on application-specific code, we can significantly
shrink it to reduce the memory footprint of components. In the worst
case - should the stack overrun - we would observe a page fault because
the stack is placed in the stack area, surrounded by guard pages.
This patch replaces the former machine-word-dependent default stack size
by the fixed value of 64 KiB which should suffice for components on both
32 and 64 bit. Previously, the default stack size on 64 bit was 128 KiB,
which is wasteful. If a component needs more stack than 64 KiB, it can
specify a custon stack size by implementing 'Component::stack_size'.
The initial stack is solely used to initialize the Genode environment
along with the application stack located in the stack area. It never
executes application code. Hence, we can make it small. To check that it
is not dimensioned too small, the patch introduces a sanity check right
before switching to the application stack.
At least on foc_x86_64, nic_router refused to create sessions for the
test clients as the session object's size exceeds the old quota
donation.
Ref #2139
Both methods are now available for Ipv4_address as well as for
Ipv4_address_prefix. An IPv4 address is invalid if it contains zeros only.
An IPv4 address prefix is invalid if its address is invalid and its
prefix is 32.
Ref #2139
Instead of creating one socket and re-using it each test run because the
client shall also test the termination of pseudo-connections at components that
implement hole punching for UDP.
Ref #2139
This patch unconditionally applies the labeling of sessions and thereby
removes the most common use case of 'Child_policy::filter_session_args'.
Furthermore, the patch removes an ambiguity of the session labels of
sessions created by the parent of behalf of its child, e.g., the PD
session created as part of 'Child' now has the label "<child-name>"
whereas an unlabeled PD-session request originating from the child
has the label "<child-name> -> ". This way, the routing-policy of
'Child_policy::resolve_session_request' can differentiate both cases.
As a consequence, the stricter labeling must now be considered wherever
a precise label was specified as a key for a session route or a server-
side policy selection. The simplest way to adapt those cases is to use a
'label_prefix' instead of the 'label' attribute. Alternatively, the
'label' attribute may used by appending " -> " (note the whitespace).
Fixes#2171
The log plugin can now be configured to request a log session with the
specified label like follows.
<log label="..."/>
Per default, no new log session is requested but the existing log
session of the component's environment is used.
The heap typically first tries to allocate larger chunks than necessary, and
if it fails the actual minimal one. The first attempt already triggers warnings
which are not critical at all. If the second (critical) allocation fails,
then there are additionally checks and warnings already in place.
Issue #1039
Trace_control dataspace gets destroyed implicitly when the cpu session is
closed. Remove the trace control dataspace from the internal noux dataspace
registry before cpu session destruction.
The code in Core's Cpu_session_component::create_thread might throw a
capability refernce-count overflow if one creates many threads, which would
kill core if not handled.
Ref #2120
This patch adjusts the various users of the 'Child' API to the changes
on the account of the new non-blocking parent interface. It also removes
the use of the no-longer-available 'Connection::KEEP_OPEN' feature.
With the adjustment, we took the opportunity to redesign several
components to fit the non-blocking execution model much better, in
particular the demo applications.
Issue #2120
This is a redesign of the root and parent interfaces to eliminate
blocking RPC calls.
- New session representation at the parent (base/session_state.h)
- base-internal root proxy mechanism as migration path
- Redesign of base/service.h
- Removes ancient 'Connection::KEEP_OPEN' feature
- Interface change of 'Child', 'Child_policy', 'Slave', 'Slave_policy'
- New 'Slave::Connection'
- Changed child-construction procedure to be compatible with the
non-blocking parent interface and to be easier to use
- The child's initial LOG session, its binary ROM session, and the
linker ROM session have become part of the child's envirenment.
- Session upgrading must now be performed via 'env.upgrade' instead
of performing a sole RPC call the parent. To make RAM upgrades
easier, the 'Connection' provides a new 'upgrade_ram' method.
Issue #2120
This data structure is meant as a safe alternative for a list wherever
the list is solely used to remember objects and iterate through them in
an unspecified order. One use case is the 'Service_registry'.
This data structure allows the association of objects with IDs. IDs are
kept in an AVL tree. So in contrast to a bit allocator, the ID space can be
sparsely populated and does not need to be dimensioned. The lifetime of
an ID is bound to an 'Element' object, which relieves the programmer
from manually allocating/deallocating IDs for objects.
Issue #2120
We preserve lower RAM for device drivers with physical memory
constraints. If no physical RAM constraint exists, the allocations above
3G (32-bit) or 4G (64-bit) are preferred.
Limit the number of generations to 4 to prevent hitting the
socket-descriptor limit on Linux. Also, all possible configuration
parameters for bomb our now customizable in the run script and the
current config is logged by bomb master.
The 'connected_scan_interval' config attribute specifies the scan
interval in seconds. The commit also removes the deprecated ram_fs
component from the test run script.
VirtualBox mainly derives the initial link-state for its device models
from checking the <Adapter ... cable="true"/> attribute. Our backend
only propagates the current state of the Nic session if it receives a
link-state signal. This may lead to problems if a guest detects a link
up state when it is actually down and wants to use the interface. The
backend now queries the Nic session and sets the link-state accordingly
when it is constructed.
In case there is no link do not attempt to submit a packet to the packet
stream but return with an error so that upper layers can handle it.
Enable signals for network on poweron and not already during
construction. The network model may be not yet ready to process incoming
signals and data.
Fixes#2117.
This fixes a regression on Ubuntu 16.04 (resp. Linux systems with recent
kernel versions) and address-space randomization originating from an
uninitialized relocation base of 0.
This patch is a preparation of the forthcoming async parent interface.
Note that this patch increases the size of connection objects.
Furthermore it adds a diagnostic message whenever a connection fails.
Issue #2166
Because of the session-argument buffering added to 'Connection' objects
when changing the parent interface to be non-blocking, the
'Device_component' has grown in size from 1.5 KiB to 5 KiB. The slab
allocator was configured with a block size of 4 KiB. So it does not work
with the grown 'Device_component' size.
Once the transition to the new API is completed (when we can remove the
buffering of session arguments from the 'Connection' objects), we may
revert this change.
Issue #2120
Unfortunately, the volatile object does not inherit the noncopyable
attribute of the enclosed object. By making all volatile objects
noncopyable, we prevent the accidental copying of a noncopyable object
wrapped in a volatile object.
This feature is not compatible with the forthcoming nonblocking parent
interface. The patch removes the use of feature in all places except for
the components of the demo repository, which will under go a redesign
anyway.
Issue #2120
Issue #2165
Replace 'dump()' debug utilities within Allocator_avl with Output::print
equivalents, and use the new Avl_tree::for_each utility to simplify
the implementation.
Ref #2159
Instead of using a somewhat incomplete module_param_named() macro,
which will influence other drivers, patch the driver that requires
this treatment.
Fixes#2169Fixes#2155
This overload covers the common case for initializing a string from a
literal without employing the 'Output' mechanism. This way, such
strings can by constructed without calling virtual functions, which in
turn makes the 'String' usable for the 'init_rtld' phase of the dynamic
linker.
This patch fixes a race condition triggered by the thread test running
on Linux inside VirtualBox. The 'test_stack_alloc' sporadically produced
one of two errors: A segfault in the 'Thread::deinit_platform_thread' on
the attempt to access the 'native_thread' of the to-be-destructed thread
(this data structure is located on the thread's stack). Or, an error
message about a region conflict within the stack area.
The problem was that two instances of 'Region_map_mmap' issued a
sequence of munmap and mmap each. Even though each instance locked the
attach/detach operations, the lock was held per instance. In a situation
where two instances performed attach/detach operations in parallel, the
syscall sequences could interfere with each other.
In the test scenario, the two region-map instances are the test's
address space and the stack area. When creating a thread, the thread's
trace-control dataspace is attached at an arbitrary place (picked by
the Linux kernel) within the address space whereas the stack is attached
at the stack area. The problem is the following sequence:
Thread A wants to destruct a thread:
1. Remove stack from stack area
(issue unmap syscall)
2. Preserve virtual address range that was occupied from the stack
so that Linux won't use it
(issue mmap syscall)
Thread B wants to construct a thread:
1. Request trace-control dataspace from CPU session
2. Attach trace-control dataspace to address space at a location
picked by the Linux kernel
(issue mmap syscall)
The problem occurs when thread B's second step is executed in between
the steps 1 and 2 of thread A and the Linux kernel picks the
just-unmapped address as the location for the new trace-control mapping.
Now, the trace control dataspace is mapped at the virtual address that
was designated for the stack of the to-be-created thread, and the
attempt to map the real stack fails.
The patch fixes the problem by replacing the former region-map-local
locks by a component-global lock.
Furthermore, it cleans up core's implementation of the support function
for the region-map-mmap implementation, eliminating the temporary
unlocking of the region-map lock during RPC.
Prepared for internal test machine, which has 8 logical cores.
6 Win7 64bit VMs are started, each having 2 vCPUs, using the same image and
different overlays. Changes to the VM are written to the overlays of ram_fs
and dropped after the test.
lCPU 0 : Genode base system and drivers
lCPU 1-2: VM1 2 vCPUs
lCPU 2-3: VM2 "
lCPU 3-4: VM3 "
lCPU 4-5: VM4 "
lCPU 5-6: VM5 "
lCPU 6-7: VM6 "
Fixes#2143
drm_framebuffer_remove takes care of references to CRTC pointers before
freeing up framebuffer object. Directly calling the destroy function may cause
dangling CRTC pointers pointing inside the framebuffer object.
Fixes#2140
Instead of solving the problem to deliver ROM modules to core while booting
differently for the several kernels (multi-boot, elfweaver, core re-linking),
this commit unifies the approaches. It always builds core as a library, and
after all binaries are built from a run-script, the run-tool will link an
ELF image out of the core-library and all boot modules. Thereby, core can
access its ROM modules directly.
This approach now works for all kernels except Linux.
With this solution, there is no [build_dir]/bin/core binary available anymore.
For debugging purposes you will find a core binary without boot modules, but
with debug symbols under [run_dir].core.
Fix#2095
The usb_drv must always check the device pointer in all session facing.
methods. A errorneous client can otherwise trigger a page-fault in the
driver.
Fixes#2133.
- use the correct memory free functions on errors
- report packet submit errors
- rename 'Usb::Packet_descriptor::transfer.timeout' as
'Usb::Packet_descriptor::transfer.polling_interval'
Fixes#2135
base generic code:
* Remove unused verbosity code from mmio framework
* Remove escape sequence end heuristic from LOG
* replace Core_console with Core_log (no format specifiers)
* move test/printf to test/log
* remove `printf()` tests from the log test
* check for exact match of the log test output
base-fiasco:
* remove unused Fiasco::print_l4_threadid function
base-nova:
* remove unused hexdump utility from core
base-hw:
* remove unused Kernel::Thread::_print_* debug utilities
* always print resource summary of core during startup
* remove Kernel::Ipc_node::pd_label (not used anymore)
base*:
* Turn `printf`,`PWRN`, etc. calls into their log equivalents
Ref #1987Fix#2119
The 11n mode can forcefully be disabled by setting the 'disable_11n'
attribute to 'true'. This is workaround for certain 6200 ABG cards
that apparently do not support this mode.
Fixes#2124.
Implementing this macro provides easy access to module parameters from
outside the contrib code, i.e. the driver frontend. For now it will be
solely used by the wifi_drv.
Issue #2124.
The default iPXE settings of 8 (RXD) and 16 (TXD) lead to issues when
AMT is enabled. In most other OS drivers those descriptors are set
to 256, let us do the same. This should fix all observed issues wrt.
AMT.
Fixes#2108.
* Supply Env to Input::Session_component
* Attach input event dataspace at Input::Client
* Process input events by lambda rather than pointer
* Supply Env and a label to Input::Connection
* Wm serves valid input_session to decorator
* Per-source signal handling at input_merger
* Base API update for dummy_input_drv, test_input
* Input API update for launcher, menu_view, terminal,
mupdf, sdl, seoul, virtualbox
Ref #1987
This patch makes the build-system integration of noux packages usable
for non-Noux targets. It moves the GNU build system wrapper to
ports/mk/gnu_build.mk, which is now included by noux.mk. This way,
non-noux applications can use the same build-system wrapper. So the
porting of individual applications becomes easier.
This change removes the 'NOUX_' prefix use the various build variables
used by the noux-pkg's target.mk files to steer the behaviour of the GNU
build system. E.g., NOUX_CONFIGURE_ARGS is now called CONFIGURE_ARGS.
Note that there is a single exception to this pattern: The formerly
named NOUX_LIBS is now called LDLIBS because the plain LIBS variable is
used by the Genode build system.
Fixes#2094
* Remove 'test' routine from kernel/core
* Move 'cpu_scheduler' and 'double_list' test to user-land
* Remove 'hw_info' target at all (can be recycled in a topic branch)
Kernel fails to lookup a capability it just got delegated, if
the backing store for the destination capability was before backed by a
zero-page. Triggers if PCID (64bit) is in use or in SMP setups.
Fixes#2101
When run with the '--autopilot' run option, the 'usb_hid.run' script tests
the input events generated by a 'Pro Micro' microcontroller board. Setup
instructions for the Pro Micro can be found in the run script.
Fixes#2087
The nic_router component can be used to individually route IPv4 packets
between multiple NIC sessions. Thereby, it can translate between
different IP subnets. The component supports port forwarding, as well as
the partitioning of the TCP and UDP port spaces.
Fixes#114
A run script to demonstrate the combination of the cpu_sampler, fs_log,
ram_fs and noux components for saving the sampled data in files and
accessing these in a Noux environment. When the script is run by the
autopilot, it will check if one of the generated sample data files
contains the correct instruction pointer. When the script is run
interactively, the generated files can be accessed from a Noux Bash shell.
Fixes#2078
In other contexts (IPv4) 'calc_checksum' merely returns a new checksum that is
then installed via 'checksum'. Thus, the UDP 'calc_checksum' that calculates AND
installs a new checksum is misleading.
Ref #114
Both, client and server now read their IP config from their Genode config.
Furthermore, the client now waits 4 instead of 2 seconds before sending the
first request to prevent connection fails in tests with a slow startup. The
client truncates its packet dump for better readability.
Ref #114
This patch adds the missing exception handling for depleted RM session
quotas. If core runs out of session quota while creating a new region
map, it now reflects this condition as a Region_map::Out_of_metadata
exception to the RM client. Thanks to Denis Huber for reporting the
issue!
The '--autopilot' option makes it possible for a run script to detect if
it is being executed by the autopilot by
if { [get_cmd_switch --autopilot] } { ... }
In that case, the run script could do an automated test, whereas the
test could be interactive when run without this option.
Fixes#2076
The new parameter specifies the additional timeout duration in seconds
which is incurred by AMT log processing, e.g. time spent waiting for the
system to boot.
Although the driver makes no use of interrupts it references Irq_handler
for unknown reasons. Moreover, this commit eliminates the lock that is
not necessary anymore, because the driver now runs single-threaded.
Ref #2072
* Unify uart drivers of different hardware drivers
* Remove deprecated IRQ activations
* Remove additional timer thread in Fiasco* KDB driver
* Move more generic UART definitions to specific supported
platforms (e.g.: pl011 -> pbxa9)
* Move internal definitions from global to local headers
Ref #1987Fix#2071
Use a seperate handle at each session.
Use SEEK_TAIL to append messages to files.
Increase packet buffer.
Refactor to component framework.
Fixes#1777
Issue #2060
This patch revives our ds_ownership test from 2012, which just revealed
a regression in core where the dataspace-free operation of the RAM
service would unconditionally destroy dataspace objects from foreign
sessions. The patch fixes the bug and adds an updated version of the
test to the autopilot.
Fixes#2065
The main feature for this version upgrade is the use of the instruction
emulator (IEM) to speed up execution and less often the slow recompiler.
issue #2059
Besides adapting the components to the use of base/log.h, the patch
cleans up a few base headers, i.e., it removes unused includes from
root/component.h, specifically base/heap.h and
ram_session/ram_session.h. Hence, components that relied on the implicit
inclusion of those headers have to manually include those headers now.
While adjusting the log messages, I repeatedly stumbled over the problem
that printing char * arguments is ambiguous. It is unclear whether to
print the argument as pointer or null-terminated string. To overcome
this problem, the patch introduces a new type 'Cstring' that allows the
caller to express that the argument should be handled as null-terminated
string. As a nice side effect, with this type in place, the optional len
argument of the 'String' class could be removed. Instead of supplying a
pair of (char const *, size_t), the constructor accepts a 'Cstring'.
This, in turn, clears the way let the 'String' constructor use the new
output mechanism to assemble a string from multiple arguments (and
thereby getting rid of snprintf within Genode in the near future).
To enforce the explicit resolution of the char * ambiguity, the 'char *'
overload of the 'print' function is marked as deleted.
Issue #1987
Core on seL4 is configured to run on native hardware, so some static
allocators are bit over dimensioned. Some run scripts fail on qemu because
solely 64M are available in the system - adjust the affected scripts.
Issue #2044
The initial support reports TouchPointPressed, TouchPointMoved, and
TouchPointReleased for multiple touch points, but is currently only
tested with widgets not leveraging multi-touch events. In other words, I
made sure synthetic mouse events are generated properly when using touch
screens.
We now always run the input_merger as Input service provider and
configure backends suitable for the used platform. On x86 hardware, we
enable both, PS/2 and USB HID.
Required to boot on hardware. The fragmentation is such unfortunate with the
old allocator that alloc() will throw an exception during very early core boot
phase.
Issue #2044
- disable iommu
- increase root_cnode further for native boot
- support vesa driver on native hardware
- don't mask edge triggered ioapic irqs
- increase various allocators to get noux_tool_chain_* booting natively
Issue #2044
That seems nowadays the right place in order to tell the caller that the
thread couldn't be completely constructed. The return value false of
bind_thread causes in Cpu_thread_component the throwing of
Thread_creation_failed.
thread.run now passes
pthread.run now passes
Issue #2044
Additionally, exclude boot-module from page_table_registry. Core does not use
the boot-modules inside core.
Adding it otherwise to the registry will use up the meta data allocator of
the page_table_registry in core in scenarios with lot of boot modules,
e.g. noux and friends.
Issue #2044
- adjust syscall bindings to support -fPIC
- read serial i/o ports from BIOS data area
- use autoconf.h provided by sel4
-- to avoid ambiguity between sel4 kernel and user libraries
-- remove manual set defines
- remove debug messages
- increase user virtual area to 3GB
Issue #1720
Issue #2044
and show some message about. On sel4 sometimes exceptions are thrown and no
message is shown, it just seems to hang. With this patch at least you get
an idea that something bad happened.
Issue #2044
- remove special handling from base-nova
- add to rpc_server where it actually should be applied to
- required to work for sel4 cancel_blocking
Issue #2044
Now, we support multi-touch devices generating multi-touch events and
absolute-pointer devices simultaneously with multitouch="yes". Still,
multitouch="no" generates emulated absolute-pointer events for
multi-touch devices.
Add option to load the initial overlay*.vdi from disk, but keep the changes
in a ram_fs.
Used with AHCI model for vbox_auto_win7. Currently we have no way to tell
rump_fs to unmount and write back data to disk before resetting the machine.
On MVM only the initial scanning of APs works. If wpa_supplicant changes
from triggered scans to the scheduled-scanning hardware feature no
further scan results are reported. Therefore, we disable the
scheduled-scanning hardware feature until the issue is fixed.
Issue #2046
When running the same kernel in a VM as on the host system and the
kernel boot message from the VM appears on the log output, the run tool
assumes that the host machine has rebooted unexpectedly. With this
commit, an unexpected reboot is assumed only if the kernel boot message
appears at the beginning of a line. On base-hw, we enforce a line feed
at the beginning of the boot message as the SPIKE emulator log starts
with the first message of the kernel lacking a line feed.
Fixes#2041
Thread stacks with less than 4K usable space are insufficient for our
implementation of Linux exception signal handling. If such a unusually
small stack overflows the SIGSEGV handler will not be able to print the
diagnostic message leaving no hint of the cause of the stuck process.
The linker scripts are known to reside in BASE_DIR. By using them
directly from this location instead of searching them in the
REPOSITORIES, we don't need to specify the repos/base as a repository in
order to link.
This patch handles x86_32 and x86_64 separately since this is the SPEC
value directly supplied to the package build tool. This way, we achieve
that a CROSS_DEV_PREFIX is defined for each supported argument.
This patch equips the build system with the feature of building an
individual library with its dependencies by specifying the library
as 'LIB' argument. E.g., 'make LIB=libc' builds the libc.
This patch adds the methods 'sigh_ack_avail()' and
'sigh_ready_to_submit()', which are needed to build asynchronously
operating file-system clients.
Fixes#2023
Those headers implement a platform-specific mechanism. They are never
used by components directly.
This patch also cleans up a few other remaining platform-specific
artifact such as the Fiasco.OC-specific assert.h.
Issue #1993
Conveying the ROM filename as the final label element simplifies
routing policy and session construction.
Annotations by nfeske:
This commit also changes the ROM session to use base/log.h instead of
base/printf.h, which produced build error of VirtualBox because the
vbox headers have a '#define Log', which collides with the content of
base/log.h. Hence, this commit has to take precautions to resolve this
conflict.
The commit alse refines the previous session-label change by adding a
new 'Session_label::prefix' method and removing the use of 'char const *'
from this part of the API.
Fixes#1787
Session_label constructor now takes a bare string rather than a
serialized argument buffer.
Replace all instances of previous constructor with 'label_from_args'
function.
Issue #1787
This patch establishes the sole use of generic headers across all
kernels. The common 'native_capability.h' is based on the version of
base-sel4. All traditional L4 kernels and Linux use the same
implementation of the capability-lifetime management. On base-hw, NOVA,
Fiasco.OC, and seL4, custom implementations (based on their original
mechanisms) are used, with the potential to unify them further in the
future.
This change achieves binary compatibility of dynamically linked programs
across all kernels.
Furthermore, the patch introduces a Native_capability::print method,
which allows the easy output of the kernel-specific capability
representation using the base/log.h API.
Issue #1993
This patch alleviates the need for a Native_capability::Dst at the API
level. The former use case of this type as argument to
Deprecated_env::reinit uses the opaque Native_capability::Raw type
instead. The 'Raw' type contains the portion of the capability that is
transferred as-is when delegating the capability (i.e., when installing
the parent capability into a new component, or when installing a new
parent capability into a new forked Noux process). This information can
be retrieved via the new Native_capability::raw method.
Furthermore, this patch moves the functions for retriving the parent
capability to base/internal/parent_cap.h, which is meant to be
implemented in platform-specific ways. It replaces the former set of
startup/internal/_main_parent_cap.h headers.
Issue #1993
The static 'Thread::mystack()' function returns the stack boundaries of
the calling thread. It is useful when a thread uses a diffent stack than
the primary one.
Fixes#2037
When calling 'connect()' in nonblocking mode and the connection has been
established, don't call 'tcp_connect()' again, which would trigger an
assertion with the message 'tcp_connect: can only connect from state
CLOSED'.
Fixes#2039
In addition to modernizing the component now also supports using
empty RAM dataspace as backing store.
For example to use an ISO file the component has to be configured
as follows:
! <config file="image.iso" block_size="2048"/>
To use a empty RAM dataspace that is 256MiB large and has a block
size of 4KiB the configuration looks like this:
! <config size="256M" block_size="4096"/>
Either 'size' or 'file' has to specified. If both are declared the
'file' attribute is soley evaluated.
Issue #1987.
Fixes#2031.
Use quota large enough so that the USB driver does not attempt to
request further memory. On the Raspberry Pi, init has no slack memory
to respond to such a request.
Pass both paths, absolute path to the mount point and the relative path
from the mount point to the file, along with an open handle rather than
just an absolute path. Otherwise, fstat fails if the addressed file is
implemented by another VFS plugin.
Fixes#1789
Move Genode/vbox memory configuration check to separate
genode_check_memory_config() function and call it in platform-specific
setup machine hook of accloff/nova.
The rationale for this change is to omit the check on Muen since the
guest memory is separate and not allocated from base-hw memory.
Issue #2016
Write tick count of next kernel timer to the guest timed events page if
present. This causes the guest VM to be preempted at the requested tick
count and ensures that the guest VM can not monopolize the CPU if no
traps occur.
The base-hw kernel expects a configured switch-event from the guest VM
to base-hw with ID 30 and target vector 32 to be present in the system
policy.
Issue #2016
Switch kernel timer driver to timed event interface. The base-hw kernel
expects a configured self-event with ID 31 and target vector 32 to be
present in the system policy.
ssue #2016
Add call to genode_setup_machine prior to machine registration in
frontend machine setup code. This enables platform-specific adjustments
to the machine instance.
The new function is used on hw_x86_64_muen to clamp the processor count
to 1 as multiple virtual CPUs are not supported on this platform.
Issue #2016
* Implement VMMR0_DO_VMMR0_INIT operation for Muen
- Indicate VT-x support
- Enable unrestricted guest mode
- Set CR[0|4] mask to enable masking of guest CR0.[NE,NW,CD] and
CR4.VMXE bits.
* Implement VMMR0_DO_GVMM_CREATE_VM on Muen
Return error if trying to create SMP VM as VMs with multiple CPUs are
currently not supported on hw_x86_64_muen.
* Add Muen-specific Mem_region type
On hw_x86_64_muen the guest memory layout is static, thus regions are
handed out from an array of memory regions.
Use sinfo API to calculate the base address of the VM RAM physical
0x0 region. This allows to dynamically modify the VM RAM size by
adjusting the Muen policy and Genode vbox files accordingly.
Zeroize all memory regions apart from VM Ram since Virtualbox expects
these regions to be cleared.
* Add Muen subject state struct
The subject state encompasses the guest VM machine state that is
transfered between Virtualbox and hardware accelerated execution on
Muen.
* Add Muen-specific Vm_handler class
* Use Vm_handler to run VM
* Instruct recompiler to flush its code cache
* Copy the Muen subject state to/from the Vbox PCPUMCTX.
* Use the VM interruptibility state to inform the recompiler whether
interrupts are currently inhibited.
* Explicitly handle control register access
If a VM-exit occurs due to a control register access, handle it and
directly continue hardware accelerated execution of guest VM.
Note: On NOVA control register accesses are handled by the kernel [1].
[1] - https://github.com/alex-ab/NOVA/blob/master/src/ec_vmx.cpp#L106
* Reset guest interruptibility state
Assert that interrupts are not inhibited in the Virtualbox machine
state and clear Blocking-by-[STI|MOV to SS] guest interruptibility
flags prior to running a guest VM in hwaccel mode.
* Set return code depending on exit reason
Do not unconditionally emulate the next instruction on VM exit. This
makes sharing the VM FPU state with Virtualbox unnecessary, as FPU
instructions are not emulated by the recompiler any longer.
Also, assert that the FPU has not been used by the recompiler
* Inject pending guest VM interrupts on Muen
Use mapped subject pending interrupts page of guest VM to perform
interrupt injection. IRQs are transferred from the Virtualbox trap
manager state to the pending interrupts region for injection. If an
IRQ remains pending upon returning to the recompiler, it is copied
back to the trap manager state and cleared in the subject interrupts
region.
* Inform recompiler about changed SYSENTER_[CS|EIP|ESP] values,
otherwise values set while running the guest VM hardware accelerated
may get lost.
* Implement genode_cpu_hz() on Muen
Determine the CPU frequency dynamically using the sinfo API.
Issue #2016
* The Vm thread is always paused and on exception to make sure that guest VM
execution is suspended whenever we handle an interrupt. Also signal the Vm
session to poke waiting threads (e.g. Virtualbox EMT).
* Implement Vm::proceed
Switch to the mode transition assembly code declared at the _vt_vm_entry
label.
Issue #2016
The entry enables interrupts and initiates a handover to the guest VM by
invoking event number one. The sti instruction is placed at the start to
allow exits to Muen before handing off to the VM if window exiting is
requested.
Issue #2016
The virtual PCI model delivers IRQs to the PIC by default and to the
IOAPIC only if the guest operating system selected the IOAPIC with the
'_PIC' ACPI method and if it called the '_PRT' ACPI method afterwards.
When running a guest operating system which uses the IOAPIC, but does
not call these ACPI methods (for example Genode/NOVA), the new
configuration option
<config force_ioapic="yes">
enforces the delivery of PCI IRQs to the IOAPIC.
Fixes#2029
The alternate stack must use the stack area as, e.g., Thread::myself()
depends on this property. Hybrid components do not depend on this
property and, therefore, use a static stack buffer.
Fixes#1935
* Align pitch value to 64 byte (thanks to cnuke for investigation)
* Get rid of extra dataspace retrival and attachment, now that we always buffer
* Consistently name all lx_emul helpers: lx_* (get rid of dde*)
* Add missing file headers
Fix#1997
Instead of providing a buffer to the client and blitting from that
to the "real" framebuffer as an option, with this commit we always do so.
Thereby its possible to immediately destroy the old framebuffer used by
hardware when a configuration change is done, and a new framebuffer
is used. This also simplifies the modesetting.
Moreover, this commit fixes an issue when not using the connector reporting.
Until now the initial mode detection of connectors was only done when
the report was created. this is a regression that entered the driver
when upgrading to the recent Linux kernel version.
Ref #1997
Use new env, component and logging frameworks.
Sync file system and block device on component entrypoint.
Support for 'root' session argument.
Increase Rump open file descriptor limit.
Issue #1987Fixes#2011
* remove all 'Genode::env()' calls
* use attached roms to read configuration
* use compoenent framework
* remove all PDBG, PINF, PWRN macros
Issue #1987Fixes#2019
* use Component::* instead of Server::*
* do not use old printf format anymore
* do not use old Genode::env()->heap() anymore
* avoid pointers where possible, and use references instead
* throw away the thread-safe variants of list and AVL tree,
nic_bridge became single-threaded in the past
* introduce Ram_session_guard instead of Allocator_guard
Issue #1987
- platform_drv announces a separate "Acpi" session
- platform_drv waits for ROM "system" to change state to "acpi_ready"
- acpica waits for "Acpi" announcement
- acpica uses the platform driver via "Acpi" to reconfigure PCI devices
- acpica changes "system" state to "acpi_ready" after it ready with initialization
- platform_drv reacts on "system" state change to "acpi_ready" by announcing "Platform" session
- drivers start to operate as usual
Issue #2009
This patch introduces the Genode::raw function that prints output
directly via a low-level kernel mechanism, if available.
On base-linux, it replaces the former 'raw_write_str' function.
On base-hw, it replaces the former kernel/log.h interface.
Fixes#2012
This is a follow-up commit to "slab: throw exception if initial
allocation fails". It is needed because on seL4, the PD session quota is
used as backing store for the meta data of the PD's virtual memory. For
this reason, PD sessions on seL4 require more session quota compared to
the other kernels. Apparently, the default quota is too scarce to
complete the PD-session construction. By shrinking the number of
supported page-table entries, we reduce the size of the PD session
component so that the creation succeeds.
Issue #1983
Replace 'attribute(...).has_value("yes")`
with 'attribute_value(..., false)'.
This allows for boolean configuration to be set with values such as
"true", "false", "yes", "no", or "1", "0".
Fixes#2002
A configuration policy must match against a policy node label,
label_prefix, or label_suffix atttribute. A fallback to
<default-policy/> is provided as a label wildcard.
Fixes#1901
The sinfo function declared in sinfo_instance.h creates a static sinfo
object instance and returns a pointer to the caller.
- kernel timer and platform support to use sinfo() function to
instantiate sinfo object
- address and size of the base-hw RAM region via the sinfo API
- log_status() function in sinfo API
To circumvent problems on platforms with shaky hotplug interrupt notification
introduce a "poll" configuration option to the driver, which enables
polling for connector changes.
Fix#2004
The whole XML comment has to be parsed as one XML tag to support strange
but valid combinations like
<!---->
<!--invisible-tag></invisible-tag-->
Fixes#1424
The vanilla 'schedule_timeout()' Linux function expects a relative
timeout value. The first implementation of the wifi_drv, however, used
an absolute timeout value. This mismatch was overlooked when the
lx_kit, which adheres to the vanilla Linux semantics, was incoporated
in the driver.
Fixes#1990.
Instead of introducing a $(BASE_HW_DIR) variable that has to be defined in each
core makefile for the different base-hw targets, this commit replaces the
$(REP_DIR) variable usage in core.inc files with $(BASE_DIR)/../base-hw.
Ref #1955
Quota_exceeded message are of no use during session construction, since
the arguments of the ram_quota are used and no upgrade can take place (the
session construction failed and is so not available for upgrade)
Fixes#1983
Allocating a packet in the packet stream without a payload is not
allowed. Therefore we have to allocate CTRL message packets, that do
not have a payload, with a bogus length instead.
Directory_service::leaf_path returns a pointer offset from its argument
so pass member data rather than a constructor argument to leaf_path.
Issue #1775
This is an interim fix for solving the quota leakage problem of
the platform driver on x86 platforms. To properly fix that problem
one has to track which dataspaces where created by the platform driver,
so that freeing the dataspace and reversing the quota transfer is done
on correct dataspaces only.
Refer #1980
This patch removes the outdates doc/architecture.txt since the
topics are covered by the book. We keep repos/os/doc/init.txt
because it contains a few details not present in the book (yet).
The patch streamlines the terminology a bit. Furthermore, it
slightly adjusts a few source-code comments to improve the book's
functional specification chapter.
Instead of passing on the Noux 'config' ROM dataspace to child processes,
provide a separate configuration for each Noux child, which is either
'<config/>' or '<config ld_verbose="yes"/>', depending on the
configuration of this attribute for the Noux process. This is also a
workaround to prevent multiple insertion of the same 'config' ROM
dataspace capability into the dataspace registry.
Issue #1978
* Adds public timeout syscalls to kernel API
* Kernel::timeout installs a timeout and binds a signal context to it that
shall trigger once the timeout expired
* With Kernel::timeout_max_us, one can get the maximum installable timeout
* Kernel::timeout_age_us returns the time that has passed since the
calling threads last timeout installation
* Removes all device specific back-ends for the base-hw timer driver and
implements a generic back-end taht uses the kernel timeout API
* Adds assertions about the kernel timer frequency that originate from the
requirements of the the kernel timeout API and adjusts all timers
accordingly by using the their internal dividers
* Introduces the Kernel::Clock class. As member of each Kernel::Cpu object
it combines the management of the timer of the CPU with a timeout scheduler.
Not only the timeout API uses the timeout scheduler but also the CPUs job
scheduler for installing scheduling timeouts.
* Introduces the Kernel::time_t type for timer tic values and values inherited
from timer tics (like microseconds).
Fixes#1972
To avoid the need for adapting the names of the core restricted syscalls
each time we add a public syscall (restricted names must always be
greater than public names), let restricted syscall names simply start at
100 (we should never have more than 100 public syscalls).
Ref #1972
Building a kernel test produced an error about a missing config
apparently because of recent changes in the run tool. So, we add
a dummy XML node as config.
Ref #1972
Evaluate fadt xml node in report from acpi_drv. If the io ports in the range
of 0xcf8+4 are necessary for the reset than the platform driver will
react on the 'system' state 'reset' and reboot.
Issue #1962
Will be/can be used by the platform driver to reset the machine, iif the
platform driver owns the resources, e.g. the I/O ports of PCI config access.
Issue #1962
The modular lx_kit seperates the required back end functionality of the
Linux emulation environment from the front end. Thereby each driver can
reuse specific parts or supply more suitable implementations by itself.
It is used to reduce the amount of redundant code in each driver.
The lx_kit is split into several layers whose structure is as follows:
The first layer in _repos/dde_linux/src/include/lx_emul_ contains those
header files that provide the structural definitions and function
declarations of the Linux API, e.g. _errno.h_ provides all error code
values. The second layer in _repos/dde_linux/src/include/lx_emul/impl_
contains the implementation of selected functions, e.g. _slab.h_
provides the implementation of 'kmalloc()'. The lx_kit back end API is
the third layer and provides the _Lx::Malloc_ interface
(_repos/dde_linux/src/include/lx_kit/malloc.h_) which is used to
implement 'kmalloc()'. There are several generic implementations of the
lx_kit interfaces that can be used by a driver.
A driver typically includes a 'lx_emul/impl/xyz.h' header once
directly in its lx_emul compilation unit. The lx_kit interface files
are only included in those compilation units that use or implement the
interface. If a driver wants to use a generic implementation it must
add the source file to its source file list. The generic
implementations are located in _repos/dde_linux/src/lx_kit/_.
The modular lx_kit still depends on the private _lx_emul.h_ header file
that is tailored to each driver. Since the lx_kit already contains much
of the declarations and definitions that were originally placed in
these private header files, those files can now ommit a large amount
of code.
Fixes#1974.
In addition to updating the contrib sources the driver now uses the
new Component API and will report the internal mixer state.
Reporting of the mixer state is enabled by adding the 'report_mixer'
attribute to the drivers configuration and setting its value to 'yes'.
The following snippets illustrates the format of the report:
!<mixer_state>
! <mixer field="inputs.beep" value="108"/>
! <mixer field="outputs.hp_sense" value="plugged"/>
! <mixer field="outputs.master" value="128,128"/>
! <mixer field="outputs.mic_sense" value="unplugged"/>
! <mixer field="outputs.spkr_muters" value="hp,mic"/>
!</mixer_state>
The mixer state may expose other mixer fields as well, depending on the
used sound card. The naming scheme of the attributes intentionally
matches the naming scheme of OpenBSD's mixerctl(1) program.
Each 'mixer' node can be used to configure the audio driver by using it
in its configuration, e.g.:
!<config report_mixer="yes">
! <mixer field="outputs.master" value="255,255"/>
!</config>
This configuration will set the output volume to the highest possible
value. Although it is now also possible to update the configuration
at run-time it should not be done while the driver is currently playing
or recording because it may provoke the generation of artefacts.
Fixes#1973.
We do not ensure that the Fpu::Context is 16-byte aligned and,
therefore, should not tell the compiler that we did. Otherwise, the GCC
may optimize operations regarding the addresses of members as it did for
if ((addr_t)_fxsave_area & 0xf) ...
With the declared 16-byte alignment the condition will never become
true.
- add a new function 'binary_ready_hook_for_gdb()' in ldso. GDB can set a
breakpoint at this function to know when ldso has loaded the binary
into memory.
- get the thread state from the NOVA kernel immediately on 'pause()'
Fixes#1968
This patch moves the thread operations from the 'Cpu_session'
to the 'Cpu_thread' interface.
A noteworthy semantic change is the meaning of the former
'exception_handler' function, which used to define both, the default
exception handler or a thread-specific signal handler. Now, the
'Cpu_session::exception_sigh' function defines the CPU-session-wide
default handler whereas the 'Cpu_thread::exception_sigh' function
defines the thread-specific one.
To retain the ability to create 'Child' objects without invoking a
capability, the child's initial thread must be created outside the
'Child::Process'. It is now represented by the 'Child::Initial_thread',
which is passed as argument to the 'Child' constructor.
Fixes#1939
These warnings are triggered by requests either using byte offsets or
reading a number of bytes that is not a multiple of the block size as
well as by components using the plugin with a different block size than
the backend block session provides.
Fixes#1964.
Adjust IRTE_COUNT to specify the number of IRTEs and not the index of
the last IRTE entry. This fixes an off-by-one error in the toggle_mask()
function, where the range check for I/O APIC IRQs wrongly ignored IRQ
23.
The custom version merely differs from the generic one with respect to
the session quota. Since we support the dynamic upgrading of sessions,
we don't need to provide the big amount (128KiB) defined by the custom
version.
This patch supplements each existing connection type with an new
constructor that is meant to replace the original one. The new
one takes a reference to the component's environment as argument and
thereby does not rely on the presence of the globally accessible
'env()' interface.
The original constructors are marked as deprecated. Once we have
completely abolished the use of the global 'env()', we will remove them.
Fixes#1960
The recent move of the initial three region maps into the PD session
breaks the noux.run test on Linux because the address spaces are locally
managed on this platform but the generic code of Noux still tries to
execute the regular procedure of creating the virtualized PD session for
a new Noux process. This patch handles a corner case that occurs on
Linux but no other platform. It enables the successful creation of the
virtualized PD session so that the test runs to completion. Still noux
on Linux remains to be limited to non-forking programs.
Issue #1938
All core.inc files now use $BASE_HW_DIR instead of $REP_DIR. The former
is defined by the core.mk file. This allows including core.inc files
from other repositories (e.g. genode-world) for additional platform
support.
Fixes#1955
Replace size_t by uint8_t in accessors for the IPv4 header fields
'version' and 'header_length' - uint8_t is the smallest integral type
for 4 bit of information. Note, as the _internet header length_ field is
defined to reflect the number of 32-bit words the header occupies, we
also stick to the specification with our accessor.
Issue #1915
The old implementation cleared all other bits in the SCU control
register when enabling the SCU, which broke the kernel startup on zynq-
based boards.
By only raising the enable bit, we can keep the initial/default state
e.g. as set up by uboot.
Fixes#1953
It turns out that the name function does not have much use in practice
except for naming the thread of the component's initial entrypoint. For
dynamically linked components, this thread is created by the dynamic
linker. It is named "ep" in these cases. Considering that we will
eventually turn all regular components into dynamically linked
executables, the additional information provided by the
Component::name() function remains unused. So it is better to not bother
the component developers with adding boilerplate code.
Now rlibs are actually linked to programs. Target files have been
modified to not generate code that requires compiler-rt. Added a target
for libstd-rust, but it's very broken right now. Moved alloc_system to
the libports folder because either a memory allocator needs to be
written in rust or posix_memalign needs to be implemented. Changed
liblibc to use freebsd as the OS instead of netbsd. Added a library with
unwind dummy functions.
Rust relies on atomic builtins, which are not implemented in libgcc for
ARM. One was implemented in rust, which was sufficient to get the
current rust test to run. Rust libs were added into the group of libs
for the linker so order no longer matters. The raspberry pi now uses an
armv6 target.
This patch cleans up the thread API and comes with the following
noteworthy changes:
- Introduced Cpu_session::Weight type that replaces a formerly used
plain integer value to prevent the accidental mix-up of
arguments.
- The enum definition of Cpu_session::DEFAULT_WEIGHT moved to
Cpu_session::Weight::DEFAULT_WEIGHT
- New Thread constructor that takes a 'Env &' as first argument.
The original constructors are now marked as deprecated. For the
common use case where the default 'Weight' and 'Affinity' are
used, a shortcut is provided. In the long term, those two
constructors should be the only ones to remain.
- The former 'Thread<>' class template has been renamed to
'Thread_deprecated'.
- The former 'Thread_base' class is now called 'Thread'.
- The new 'name()' accessor returns the thread's name as 'Name'
object as centrally defined via 'Cpu_session::Name'. It is meant to
replace the old-fashioned 'name' method that takes a buffer and size
as arguments.
- Adaptation of the thread test to the new API
Issue #1954
This patch moves the base library from src/base to src/lib/base,
flattens the library-internal directory structure, and moves the common
parts of the library-description files to base/lib/mk/base.inc and
base/lib/mk/base-common.inc.
Furthermore, the patch fixes a few cosmetic issues (whitespace and
comments only) that I encountered while browsing the result.
Fixes#1952
We report UNLINK_ERR_NO_PERM only for files in TAR archive, otherwise
UNLINK_ERR_NO_ENTRY is returned. This permits the arbitrary layering of
file systems with support for proper ENOENT reporting, for example,
when using 'rm -f non_existent_file' that aborts if EPERM is wrongly
reported.
Most slab allocators in core use a sliced heap as backing store. Since
sliced-heap allocations are performed at page-granularity, it is
sensible to dimension the slab blocks to fill whole pages.
This patch cleans up the implementation of the sliced heap, adds a
constructor that takes references instead of pointers, and adds the
function 'meta_data_size' to determine the meta-data overhead per block.
The latter can be used to dimension slab allocators such that slab
blocks use whole pages.
The original 'Env' interface as returned by 'Genode::env()' has been
renamed to 'Env_deprecated' and moved to deprecated/env.h. The new version
of base/env.h contains the interface passed to modern components that
use the component API via base/component.h.
Issue #1832
This patch makes the former 'Process' class private to the 'Child'
class and changes the constructor of the 'Child' in a way that
principally enables the implementation of single-threaded runtime
environments that virtualize the CPU, PD, and RAM services. The
new interfaces has become free from side effects. I.e., instead
of implicitly using Genode::env()->rm_session(), it takes the reference
to the local region map as argument. Also, the handling of the dynamic
linker via global variables is gone. Now, the linker binary must be
provided as constructor argument.
Fixes#1949
This patch replaces the former 'Pd_session::bind_thread' function by a
PD-capability argument of the 'Cpu_session::create_thread' function, and
removes the ancient thread-start protocol via 'Rm_session::add_client' and
'Cpu_session::set_pager'. Threads are now bound to PDs at their creation
time and implicitly paged according to the address space of the PD.
Note the API change:
This patch changes the signature of the 'Child' and 'Process' constructors.
There is a new 'address_space' argument, which represents the region map
representing the child's address space. It is supplied separately to the
PD session capability (which principally can be invoked to obtain the
PD's address space) to allow the population of the address space
without relying on an 'Pd_session::address_space' RPC call.
Furthermore, a new (optional) env_pd argument allows the explicit
overriding of the PD capability handed out to the child as part of its
environment. It can be used to intercept the interaction of the child
with its PD session at core. This is used by Noux.
Issue #1938
Since the dynamic linker depends on the XML utils and we plan to replace
the ancient 'Arg_string' with XML, it is time to move the 'Xml_node' and
'Xml_generator' to base/include.
We will eventually remove the delivery of the number of occurred signals
to the recipient. There haven't been any convincing use cases for this
feature. In the contrary, it actually led to wrong design choices in the
past where the rate of signals carried information (such as the progress
of time) that should better be obtained via an explicit RPC call.
The old 'Signal_rpc_member' template retains the old interface for now.
But the new 'Signal_handler' omits the 'unsigned' argument from the
handler function.
GNU ar only uses a flat module (object) name space but supports multiple
instances of objects with the same name. As we use subdirectories with
source file names that may clash (e.g., signal/common.cc and
server/common.cc in the base library) some of our static library
archives have multiple object instances. This is not an issue on archive
creation but works not as expected when updating archives. To avoid
updates of library archives we delete the files before calling GNU ar.
This patch integrates three region maps into each PD session to
reduce the session overhead and to simplify the PD creation procedure.
Please refer to the issue cited below for an elaborative discussion.
Note the API change:
With this patch, the semantics of core's RM service have changed. Now,
the service is merely a tool for creating and destroying managed
dataspaces, which are rarely needed. Regular components no longer need a
RM session. For this reason, the corresponding argument for the
'Process' and 'Child' constructors has been removed.
The former interface of the 'Rm_session' is not named 'Region_map'. As a
minor refinement, the 'Fault_type' enum values are now part of the
'Region_map::State' struct.
Issue #1938
The return code of assign_parent remained unused. So this patch
removes it.
The bind_thread function fails only due to platform-specific limitations
such as the exhaustion of ID name spaces, which cannot be sensibly
handled by the PD-session client. If occurred, such conditions used to
be reflected by integer return codes that were used for diagnostic
messages only. The patch removes the return codes and leaves the
diagnostic output to core.
Fixes#1842
The mixer is not directly necessary for the avplay demo. But it implies
additional maintenance work. E.g., in the current state, it complains about
the missing Report server and mutes audio output by default.
Ref #1910
Currently the report name is used implicitly as first xml node name for the
report. This is inconvenient if one component wants to generate various xml
reports under various names (e.g. to steer consumers/clients slightly
differently) but with the same xml node tree structure.
Fixes#1940
We don't want Genode environment objects that register their destructor
for program exit as it is mostly unnecessary and easily produces
dangling pointers. Thus, use unmanaged_singleton instead of the static
keyword.
Fixes#1941
When bringing up the kernel on multiple cores, there is a time span
where some cores already have caches enabled and some don't. Core-local
storage that may be used during this time must be aligned at least to
the maximum line size among global caches. Otherwise, a cached core may
unintentionally prefetch data of a yet uncached core into a global
cache. This may corrupt the view of the uncached core as soon as it
enables caches. However, to determine the exact alignment for every
single ARM platform isn't sensible. Instead, we can align to the minimum
page size assuming that a cache never wants to prefetch from multiple
pages at once and thus fulfills "line size <= page size".
Fixes#1937
When using the Allocator interface, one can't tell which alignment
resulting allocations fulfill. However, at least on ARM, given the
architectural alignment requirements of ARM memory accesses, one wants
memory allocations (what allocators are for in most cases) to be word
aligned automatically. Previously, at least the AVL allocator simply
called alloc_aligned without defining align in its alloc implementation.
This led to unaligned access faults (the default was 0) when using the
AVL allocator as Allocator (as done in the metadata management of a SLAB
of an AVL that uses the AVL as backing store). To avoid such pitfalls
in the future, we force users of alloc_aligned to always specify align
(why use alloc_aligned without align anyway).
Ref #1941
This is a generalisation approach of the hw_zynq target. As the boards
typically use UART1 instead of UART0 (used by qemu), we have to
distinguish between those. Moreover, in general hw_zynq does not imply
zynq_qemu anymore, so that the support of particular boards can be
placed in third-party or community repositories (e.g. Genode world).
Fixes#1926
Besides unifying the Msgbuf_base classes across all platforms, this
patch merges the Ipc_marshaller functionality into Msgbuf_base, which
leads to several further simplifications. For example, this patch
eventually moves the Native_connection_state and removes all state
from the former Ipc_server to the actual server loop, which not only
makes the flow of control and information much more obvious, but is
also more flexible. I.e., on NOVA, we don't even have the notion of
reply-and-wait. Now, we are no longer forced to pretend otherwise.
Issue #1832
This patch unifies the CPU session interface across all platforms. The
former differences are moved to respective "native-CPU" interfaces.
NOVA is not covered by the patch and still relies on a custom version of
the core-internal 'cpu_session_component.h'. However, this will soon be
removed once the ongoing rework of pause/single-step on NOVA is
completed.
Fixes#1922
This patch changes the organization of the slab blocks within the slab
allocator. Originally, blocks were kept in a list sorted by the number
of free entries. However, it turned out that the maintenance of this
invariant involves a lot of overhead in the presence of a large number
of blocks. The new implementation manages blocks within a ring in no
particular order and maintains a pointer to the block where the next
allocation is attempted. This alleviates the need for sorting blocks
when allocating and deallocating.
Fixes#1908
This patch ensures that the 'Allocator_avl' releases all memory obtained
from the meta-data allocator at destruction time. If allocations are
still dangling, it produces a warning, hinting at possible memory leaks.
Finally, it properly reverts all 'add_range' operations.
This patch fixes a use-after-free problem raised by the recent ability of
the slab allocator to dynamically release empty slab blocks. The
Rm_session_component::detach function used to rely on the assumption
that the region metadata co-located with the allocator metadata of the
'_map' would stay intact even after a 'free' if the region.
This patch prevents the destruction of the fd allocator when the program
exists. Otherwise, the meta data for file descriptors that were not
manually closed would vanish, which may cause problems in subsequent
destructors.
This patch makes sure that the dataspace pool is flushed before
destructing the heap-local allocator-avl instance. With the original
destruction order, the allocator would still contain dangling
allocations on the account of the dataspace pool when destructed. In
practice, this caused no problem because the underlying backing store is
eventually freed on the destruction of the pool. But it triggers a
runtime warning of the allocator since it has become more strict with
regard to dangling allocations.
This patch removes the dynamically growing slab allocator from the
page-table registry. This has two benefits. First, we alleviate the
corner cases where the slab allocator needed to extend its backing store
while establishing a core-local memory mapping, thereby triggering a
nested core-local mapping. Without this corner case, no reentrant lock
is needed any longer. Second, it removes the dependency from the overly
large old API of the slab allocator. So we can tighten the slab
interface.
Replace the Out_of_node_handles exception with Out_of_metadata.
Clients need to know when the server is out of internal resources,
but not why.
Cleanup and sort the errors at file_system_session.h.
Remove 'Size_limit_reached exception' from File_system, which was
internal to ram_fs.
Issue #1751Fixes#1909
Opening a VFS handle previously involved allocating from the global heap
at each VFS file system. By amending open with an allocator argument,
dynamic allocation can be partitioned.
A new close method is used to deallocate open handles.
Issue #1751
Issue #1891
The returned capacity had different semantics dependent on the card
type. For HIGH_CAPACITY cards, the memory capacity is specified in 512kB
blocks. So we should also return 512kB blocks for STANDARD_CAPACITY
cards.
Issue #1925
When init destroys a child server with an open session, the client must
be updated as it will otherwise store a pointer to a no-more existing
service object which will be dereferenced when the child client is
destroyed.
Fixes#1912
First, we use an alternate stack for signal handling now. The stack is
shared among all threads of the component, which is okay as we only
handle exceptions with log output and pass on to the default handler
(that terminates the execution). The primary motivation for the
alternate stack is the detection of SIGSEGV due to stack overflows.
Also, hybrid components now handle exception signals by logging and the
support for multi-threaded applications was improved.
Fixes#1935
This commit introduces the new `Component` interface in the form of the
headers base/component.h and base/entrypoint.h. The os/server.h API
has become merely a compatibilty wrapper and will eventually be removed.
The same holds true for os/signal_rpc_dispatcher.h. The mechanism has
moved to base/signal.h and is now called 'Signal_handler'.
Since the patch shuffles headers around, please do a 'make clean' in the
build directory.
Issue #1832
Prevents the annoying warning about
WARNING: Image format was not specified for 'bin/test.img' and probing guessed raw.
Automatically detecting the format is dangerous for raw images, write operations on block 0 will be restricted.
Specify the 'raw' format explicitly to remove the restrictions.
If attached ROM dataspaces are not valid after update(), code that uses
these ROMs produces
void Genode::Volatile_object< <template-parameter-1-1> >::_check_constructed() const [with MT = Genode::Attached_dataspace]: Deref_unconstructed_object
In scenarios where the config ROM is loaded from a report ROM or any
other non-static ROM, config might try to access an invalid dataspace
capability. This patch prevents the component from aborting in this
case.
Fixes#1914
This commit replaces the stateful 'Ipc_client' type with the plain
function 'ipc_call' that takes all the needed state as arguments.
The stateful 'Ipc_server' class is retained but it moved from the public
API to the internal ipc_server.h header. The kernel-specific
implementations were cleaned up and simplified. E.g., the 'wait'
function does no longer exist. The badge and exception code are no
longer carried in the message buffers but are handled in kernel-specific
ways.
Issue #610
Issue #1832
If ports need preparation in order to execute a run script, use the
knowledge about the actual genode directory to suggest a command to the
user that can be directly copied to the command line.
Rust relies on atomic builtins, which are not implemented in libgcc for
ARM. One is implemented in rust, which is sufficient to get the
current rust test to run.
Issue #1899
Check if the binary pointer is valid before attempting to lookup the
symbol. Shared objects with unresolved symbols and missing depencies,
e.g a library that references 'errno' but is not linked against libc,
will now produce an error message when they are loaded by the dynamic
linker.
Fixes#1904.
This patch moves details about the stack allocation and organization
the base-internal headers. Thereby, I replaced the notion of "thread
contexts" by "stacks" as this term is much more intuitive. The fact that
we place thread-specific information at the bottom of the stack is not
worth introducing new terminology.
Issue #1832
The interfaces linux_cpu_session, local_capability, linux_dataspace,
linux_native_pd are mere implementation necessities. They are meant for the
internal use by the framework only. So it is appropriate to move them to
base/internal/.
Issue #1832
On seL4 and L4/Fiasco, we employ a simple yielding spinlock as lock
implementation. Consequently these base platforms used to have a
simplified header. However, since the regular cancelable_lock has all
the member variables needed to implement a spinlock, we can simply use
the generic header on those two platforms too, just leaving some other
parts of the generic header unused. So at API level, the difference is
not visible.
Issue #1832
By moving the stub implementation to rm_session_client.cc, we can use
the generic base/include/rm_session/client.h for base-linux and
base-nova and merely use platform-specific implementations.
Issue #1832
This patch establishes a common organization of header files
internal to the base framework. The internal headers are located at
'<repository>/src/include/base/internal/'. This structure has been
choosen to make the nature of those headers immediately clear when
included:
#include <base/internal/lock_helper.h>
Issue #1832
This patch integrates the functionality of the former CAP session into
the PD session and unifies the approch of supplementing the generic PD
session with kernel-specific functionality. The latter is achieved by
the new 'Native_pd' interface. The kernel-specific interface can be
obtained via the Pd_session::native_pd accessor function. The
kernel-specific interfaces are named Nova_native_pd, Foc_native_pd, and
Linux_native_pd.
The latter change allowed for to deduplication of the
pd_session_component code among the various base platforms.
To retain API compatibility, we keep the 'Cap_session' and
'Cap_connection' around. But those classes have become mere wrappers
around the PD session interface.
Issue #1841
This patch removes the SIGNAL service from core and moves its
functionality to the PD session. Furthermore, it unifies the PD service
implementation and terminology across the various base platforms.
Issue #1841
This patch removes the support for executing subsystems of CLI monitor
within the GDB monitor. There are multiple reasons: First, the feature
remained unused for multiple years. Second, it relied on the base/elf.h
header to determine whether the started binary is dynamically or
statically linked. This header, however, is going to be removed from the
Genode API. Third, the feature will eventually break with the upcoming
changes of how components are bootstrapped. Finally, there is the plan
to turn CLI monitor into a sole front end of a dynamically configurable
init component. Once we pursue this plan, we'd need to reconsider the
GDB support anyway.
Issue #1832
The commit avoids the need to have contrib sources of the kernel
available for this run script. We actually just want to build core and
not the kernel itself, which is always required after recent changes in
the ports tool.
This is the default optimization level in the original seL4 SDK. By
adapting to O3, we work around a bug [1] in version 2.1.0 that only
shows on low optimization levels.
[1] https://github.com/seL4/seL4/issues/20
Previously, ports that were needed for a scenario and that were not
prepared or outdated, triggered one assertion each during the second
build stage. The commit slots a mechanism in ahead that gathers all
these ports during the first build stage and reports them in form of a
list before the second build stage is entered. This list can be used
directly as argument for tool/ports/prepare_port to prepare respectively
update the ports. If, however, this mechanism is not available, for
example because a target is build without the first build stage, the old
assertion still prevents the target from running into troubles with a
missing port.
Fixes#1872
To raise readability when preparing multiple ports in parallel we prefix
also the git clone output with the port name dark-yellow-coloured. To
achieve this we sed the git output. In sed \x1b[ resolves to an escape
sequence and \033[, that we use normally, doesn't. The echo command, at
the other hand, resolves both to an escape sequence. Thus we use the
sed-compatible version in general. This commit inhibits the progress
output of git clone as it can't be redirected to sed.
Ref #1872
The tool/prepare_port tool is now able to handle a list of ports that
shall be prepared. Additionally, one may state the number of ports that
shall be prepared in parallel at a max by using the -j parameter. If -j
is not set by the user, the tool acts as with -j1. The previous
implementation of the tool that prepares only a single port was moved to
tool/ports/mk/prepare_single_port.mk and acts as back end to the new
prepare_port tool. The interface of the new prepare_port tool is
backwards compatible. When called for one port only, the behavior is the
same as when calling tool/ports/mk/prepare_single_port.mk directly.
Removes "usage" rule from prepare_single_port.mk. Removes shebang line
from prepare_single_port.mk.
Ref #1872
Some files were not shown because too many files have changed in this diff
Show More
Reference in New Issue
Block a user
Blocking a user prevents them from interacting with repositories, such as opening or commenting on pull requests or issues. Learn more about blocking a user.
