The change "core: allow offset-attached managed dataspaces" addressed a
corner case of the use of nested region maps. Apparently, this change
negatively affects other scenarios (tool_chain_auto).
In order to confidently cover all the differnt situations, this patch
reworks the page-fault resolution code for improved clarity and safety,
by introducing dedicated result types, reducing the use of basic types,
choosing expressive names, and fostering constness.
It also introduces a number of 'print' hooks that greatly ease manual
instrumentation and streamlines the error messages printed by core.
Those messages no longer appear when a user-level page-fault handler
is reistered for the faulted-at region map. So the monitor component
produces less noise on the attempt to dump non-existing memory.
Issue #4917Fixes#4920
Either enable strict-alignment or disable FPU code generation by gcc
regarding bootstrap code, which cannot handle alignment faults during
initialization properly.
Ref genodelabs/genode#4827
The new 'init_platform' function performs the platform-specific
component-local low-level initialization. It allows for the
differentiation between core and regular components as well as
kernel-dependent peculiarities.
This patch introduces a consistent notion of a 'Platform'. Within core,
the 'Platform' contains the kernel-specific initialization. Outside
core, the platform sets up the interplay with the parent component. In
all cases, the platform is constructed while running on the initial
stack.
Issue #4784
This patch ultimatedly removes format strings from Genode's base API.
Users of the former base/snprintf.h and base/console.h headers may
use the free-standing 'format' library hosted in the ports repository.
Fixes#2064Fixes#3869
The namespace draws a clear line between the base library and the core
component.
It is declared at the new core-local header <types.h>, which is expected
to be included by all code of the core component. It is thereby a
natural place for kernel-agnostic general types like commonly used C++
utilities.
Fixes#4777
Set wakeup pointer in FADT/FACS tables and prepare/place ACPI resume code
at application processors (AP) 16-bit entry. Exclude memory used for AP resume
from RAM range to avoid usage by Genode core in allocators.
Issue #4669
The CPUs are woken all at once and up to now the IDs are assigned depending
on the arrival order, which is unfortunate for the resume case. Keep track
of once assigned IDs for CPUs, so that on resume the very same CPU id is given.
The APIC id is guaranteed to be fixed per CPU on suspend, but unfortunately
not dense packed.
Issue #4669
The ACPI table FACS and FADT are required to support ACPI suspend/resume. The
commits add the lookup of the ACPI table in bootstrap and the general usage
of the ACPI registers via the MMIO framework.
Issue #4669
Add explicit init() to Timer infrastructure to re-initialize the hardware
based on the parameters given during constructing time of the timer object.
Issue #4669
On resume the CPU state must be re-initialized, since all CPUs have been
potentially off (depending on sleep form) and lost state. Handle the halt
and suspend state explicitly by an extra Job implementation which can be
executed without holding the global kernel lock.
Issue #4669
Instead of re-using the register values found in HCR_EL2 and CPTR_EL2
and setting single bits within them, define the complete content to
prevent inconsistent hardware/hypervisor state.
Ref genodelabs/genode#4759
Tests on qemu would fail when started with RAM sizes from 1025MiB to
2048MiB, because the the mapping hole in the page table from 1GiB to
2GiB would interfere with qemu's mapping addresses for ACPI.
Identity-map the complete first 4GiB of memory to catch all early
memory accesses during bootstrap.
Fixes#4724.
Adds befriended test-local wrappers for the classes Cpu_share and Cpu_scheduler
and adds a print method to the scheduler wrapper that prints the internal state
of the scheduler to the given output. Cpu_shares are referenced in the output
via a the IDs that the test uses to organize them. I.e., this corresponds to
how the CPU shares are named when calling the atomic steps the test is made of.
Ref #4151
Ref #4710
This adapts the test to the changes that were applied to the scheduling scheme
by the following commits:
* base-hw scheduler: optimize quota depletion events
* base-hw scheduler: fix bug on removing head
* base-hw scheduler: fix ready method
* base-hw: optimize & cleanup scheduler
Part of that is that the test used to check whether the act of setting a share
ready outdates the head or not. However, with the current version of the
scheduler, this check is not possible anymore. We can merely check whether the
head is outdated after setting the share ready. So, among other adaptions, this
commit adapts the expectations of the test to the new semantics of the check.
Ref #4151
Ref #4710
* Get rid of preprocessor macros.
* Introduce Main as class.
* Exit with -1 instead of endless loops on errors.
* Don't try to deal with error conditions, just print a message and exit
with -1.
* Only one operation per line.
Ref #4151
Ref #4710
This is an optimization for the case that a prioritized scheduling context
needs slightly more time during a round than granted via quota. If this is the
case, we move the scheduling context to the front of the unprioritized schedule
once its quota gets depleted and thereby at least ensure that it does not have
to wait for all unprioritized scheduling contexts as well before being
scheduled again.
Note that this introduces the possibility of undeserved starvation of
unprioritized scheduling contexts to the scheduling scheme. If there are
enough prioritized contexts that deplete their quota during a round,
they may cover up also the rest of the round with their unprioritized time
slices. If this happens every round, contexts without a priority/quota may
never get a turn. In the previous scheduling scheme, this could not occur as
the unprioritized schedule was completely independent from prioritized
schedules and rounds.
Ref #4151
Ref #4710
The scheduler did not consider the consumed quota during a call to "update"
if the head that consumed the quota was removed from the scheduler. When this
occured, the internal round time did not advance as expected but remained at
its previous value untile the next call to "update" (without a removed head)
This commit introduces a new flag that is set only when the head gets removed
in order to detect and handle the situation correctly on the next call to
"update".
Ref #4151
Ref #4710
Setting the _need_to_schedule member in the 'ready' method of the scheduler
was not done correctly. At least, the _need_to_schedule was set true in
situations were the head was not outdated by the 'ready' operation.
Ref #4151
* Remove *request* in context of: wait, reply, send to shorten it.
* Use ready_to_* instead of can_*, which is regularily used in Genode's APIs
* Replace helping_sink with helping_destination, as destination is more common
Ref genodelabs/genode#4704
The IPC protcol violations are:
* Sending to an unknown thread (cap)
* Waiting for messages if a reply hasn't happened yet
This silents threads that otherwise repeatedly cause kernel messages
about the violation.
Ref genodelabs/genode#4704
* Split the internal state into incoming and outgoing message relations
* Avoid fragmenting of one state like formerly '_state' and '_help'
* Remove pointer to caller, use incoming FIFO instead
This commit fixes at least two bugs that were triggered by tests that
destroy threads in many different states, like run/bomb:
* The '_help' data member was not reset reliable in each situation where a
helping relationship came to an end. However, when we fixed this bug alone
in the old state model, the issues remained. The new state model fixes
this bug as well.
* A thread sometimes referenced an already dead thread as receiver. This caused
the kernel IPC code to access the vtable of an object that didn't exist any
longer. Note that the two threads were not in direct IPC relationship while
the receiver was destroyed, so, there must have been an intermediate node
between them. Due to the complexity of this problem, we eventually gave up
pin-pointing the exact reason in the kernel IPC code. The issue disappeared
with the new state model.
Fixgenodelabs/genode#4704
When running on x86, and riscv never enter the kernel for cache maintainance,
but use the dummy implementation of the generic base library instead.
On ARMv8 it is not necessary to enter privileged mode for cache cleaning, and
unification of instruction/data cache, but only for invalidating cache lines
at all levels, which is necessary for the use cases, where this function it
needed (coherency of DMA memory).
Fixgenodelabs/genode#4339
This call is used to query the cache line size of the underlying CPU.
For now it is only implemented and used by 'arm_v8' platforms.
It does not distinguish between D-/I-cache sizes and always uses the
smallest size. Furthermore it does not account for any discrepancy
in 'big.little' CPUs.
Issue #4339.
To prevent the kernel to deadlock, or call itself with a syscall when
using a lock potentially hold by a core thread, the log console's
backend for core (hw) gets replaced by a specific variant that checks
whether it runs in the kernel context before using the mutex.
Fixgenodelabs/genode#3280
Some signal-heavy scenarios (e.g., libc_integration) produced the
following warning that hinted a data race on signal data in the context
object.
Warning: returning signal with num == 0
The cause was the use of Signal_context::local_submit() in the libc
introduced in
424ed1b79a libc: remove Reconstructible / use local_submit in kernel
in combination with a missing context-mutex aquisition resulting in a
data race on Signal_context::_curr_signal.
Issue #3923
On some Cortex A9 platforms (Qemu 4.2.1 PBXA9), the IRQ status register is not
reliable. Sometimes, it indicates an IRQ too early, i.e., shortly before the
counter wraps. Therefore we have to accomplish wrap detection via counter
comparison only. We check whether the current counter value is higher than the
start counter value of the current timeout.
However, this implies that we have to take care to always read out the counter
before it hits the max timout value again. And, therefore, the max timeout
value has to be far away from the first value the counter has after wrapping.
Consequently, we propagate a max timeout value of half the max counter value.
Fixes#4209
* Modernize routines, eliminate pointers, use constructibles, etc.
* Use absolute time instead of relative time consumption when
updating the scheduler
Ref genodelabs/genode#4151
This commit fixes two issues with the timeout lib and the base-hw src recipe:
* Add source files of timeout lib to recipe content.
The files weren't copied to the depot until now. However, the archive
nonetheless built successfully because of the second issue that is described
below.
* Get rid of the usage of the BASE_DIR variable in the timeout lib.
The BASE_DIR variable always resolves to the repos/base directory even when
building in a depot. That said, the use of BASE_DIR in make-files that are
not part of the build system itself must be avoided. Instead, REP_DIR,
REP_INC_DIR, and $(call select_from_repositories, ...) should be used.
Ref #4209
This patch refines the rules for generating a base-hw src archive
for a given board by enumerating the content of the lib/mk/spec/*
directories instead of including entire directories. This avoids
the inclusion of lib.mk files found in SoC-specific repositories
(like genode-allwinner) in the kernel source archives.
When building a binary archive from such a src archive with the changes
of issue #4599, the build system would otherwise try (and fail) to build
the libraries for the accidentally included lib.mk files.
Instead of having a generic "virt_qemu" board use "virt_qemu_<arch>" in
order to have a clean distinction between boards. Current supported
boards are "virt_qemu_arm_v7a", "virt_qemu_arm_v8a", and
"virt_qemu_riscv".
issue #4034
This commit introduces a hypervisor calling interface. The host kernel can
use it to either switch to a guest VM, or to invalidate the TLB with
regard to a specified VM id.
The VM-specific TLB invalidation is called whenever a VM (Vcpu)
gets destroyed.
Fixgenodelabs/genode#4528
When a PD gets deleted check whether it is active on the current CPU resp. MMU.
If yes, switch to core/kernel's PD to prevent that invalid page-tables or
address-space IDs are still in use. Moreover, whenever we switch to an idle
thread, we switch to kernel/core's PD too. Thereby, we prevent that vanished
PDs are still active on CPUs different from the one, where the core entrypoint
is active, which does the PD deletion.
This whole scheme is only valid under the assumption that core has only one
entrypoint running on one CPU.
Fixgenodelabs/genode#4527
Do not only distinguish core and user threads, but the idle threads too.
Instead of a boolean value, introduce a new thread type.
Ref genodelabs/genode#4527
Genode code already expects MMU to be disabled when starting the
kernel. It is enabled eventually in Bootstrap::Platform::enable_mmu,
after setting up translation tables. Unfortunately nothing ensures
this is actually the case. If MMU happens to be enabled when entering
the kernel things go downhill pretty fast after we start messing with
TTBR.
This patch ensures MMU is disabled for EL1, EL2, EL3 dependent on the
exception level of the CPU core, which is entering the kernel.
This should allow base-hw to start correctly on Quartz64 A board.
The `lookup_translation` function got introduced and is used only in the
context to proof whether a cache maintainance function can be executed
safely by the kernel. Unfortunately, it did not checked write permissions,
which can lead to permission faults. This commit restricts the lookup
function to only succeed when the target page is writeable. Consequently,
the lookup function gets renamed to `lookup_rw_translation`.
Fixgenodelabs/genode#4348
According to ARM Cortex-A55 Core Technical Reference Manual r1p0 the
lowest 8 bits (Aff0) of MPIDR register represent thread IDs within a
multi-threaded core. The actual core identification bits are in Aff1.
This layout can be identified by checking the MT bit of MPIDR register.
Basically, if MT=1 core id is in Aff1, if MT=0 core id is in Aff0.
Without this change Genode will identify all CPU cores on A55 as primary
(0) core.
Its worth to mention that Cortex-A55 by itself is not a multi-threaded
CPU. Aff0 values are always expected to be 0 for pure A55 cores. A55
cores can however be paired with cores that are multi-threaded. To
support such big.LITTLE CPUs in Genode we'd probably need to add a
different mechanism for mapping MPIDR values to logical, contignous
core IDs which Genode expects.
Ref:
https://developer.arm.com/documentation/100442/0100/register-descriptions/aarch64-system-registers/mpidr-el1--multiprocessor-affinity-register--el1?lang=en
The soft ABI implies purely software floating point implementation.
This is not the case for Genode however. For example core's
exception_vector.S uses vmsr instruction. This builds fine with with
GCC based toolchain, but clang with integrated-as complains:
src/core/spec/arm/exception_vector.S:122:2: error: instruction requires: VFP2
vmsr fpexc, r1
^
Fix this by passing softfp to mfloat-abi command on ARMv7. This allows
usage of FP HW, but implies soft-floating point ABI.
Issue #4421
According to C++11 reference:
"If the strictest (largest) alignas on a declaration is weaker than
the alignment it would have without any alignas specifiers (that is,
weaker than its natural alignment or weaker than alignas on another
declaration of the same object or type), the program is ill-formed:"
https://en.cppreference.com/w/cpp/language/alignas
The code requests 4 byte alignment for Genode::Arm_cpu::Context.
The Context structure inherits Genode::Arm_cpu::Fpu_context which
has minimum alignment requirement of 8 bytes, due to uint64_t d0_d31
member. This makes the 4 byte value in Context's alignas specifier
invalid (smaller than allowed minimum).
Similar situation takes place in Arm_64 case. The claimed minimum
alignment of Context is 8 bytes, but the fpu_state member imposes 16
bytes alignment (explicitly specified in Fpu_state declaration).
In both cases the code builds fine with GCC 8.3.0, but fails with
clang which claims that "requested alignment is less than minimum
alignment of X for type", where X is 8 on ARM and 16 on AArch64.
Ref: https://eel.is/c++draft/dcl.align#5
Issue #4421
Even though the use of the C++ exception mechanism (and the implicit use
of the cxx heap) is not a problem at the server side, this patch
nevertheless replaces the exception-based return-value handling to make
the code consistent with the ipc_call path.
Issue #3612
On some boards or emulators a CPU might be executing in hyp mode
when entering Genode's bootstrap code. In that mode the 'cps' instruction
is not defined. Therefore, we change the way the boot cpu is identified.
Ref #3415
* renamed rpi pic to Bcm2835_pic
* renamed rpi3 pic to Bcm2837_pic
* added bcm2837 control for setting prescaler value (to fix timer_accuracy)
* changed handling of all interrupts for rpi3 by cascading to bcm2835 pic
* rpi3 irq controller base address made consistent with rpi
* added usb controller memory region for pic on rpi3 (for SOF interrupts)
Ref #3415
This patch improves the robustness of the CPU-affinity handling.
- The types in base/affinity.h received the accessors
'Location::within(space)' and 'Affinity::valid', which alleviates
the fiddling with coordinates when sanity checking the values,
in init or core.
- The 'Affinity::Location::valid' method got removed because its
meaning was too vague. For sanity checks of affinity configurations,
the new 'within' method is approriate. In cases where only the x,y
values are used for selecting a physical CPU (during thread creation),
the validity check (width*height > 0) was not meaningful anyway.
- The 'Affinity::Location::from_xml' requires a 'Affinity::Space'
as argument because a location always relates to the bounds of
a specific space. This function now implements the selection of
whole rows or columns, which has previously a feature of the
sandbox library only.
- Whenever the sandbox library (init) encounters an invalid affinity
configuration, it prints a warning message as a diagnostic aid.
- A new 'Affinity::unrestricted' function constructs an affinity that
covers the whole affinity space. The named functions clarifies
the meaning over the previous use of the default constructor.
- Core's CPU service denies session requests with an invalid
affinity parameter. Previously, it would fall back to an
unrestricted affinity.
Issue #4300
This patch changes the 'Allocator' interface to the use of 'Attempt'
return values instead of using exceptions for propagating errors.
To largely uphold compatibility with components using the original
exception-based interface - in particluar use cases where an 'Allocator'
is passed to the 'new' operator - the traditional 'alloc' is still
supported. But it existes merely as a wrapper around the new
'try_alloc'.
Issue #4324
The includes for the address-space-ID allocator and the translation table are
usually specific to the CPU in use. Therefore these includes can be moved from
their current location in the board header to the CPU headers. This reduces the
number of decisions a board maintainer has to make if the CPU model he's aiming
for is already available.
This can probably also be applied for other includes in the board headers but I
intentionally leave it for a future commit as I don't have the time to do it
all now.
Ref #4217
For base-hw Core, we used to add quite some hardware-specific include paths
to 'INC_DIR'. Generic code used to include, for instance, '<cpu.h>' and
'<translation_table.h>' using these implicit path resolutions. This commit
removes hardware-specific include paths except for
1) the '<board.h>' include paths (e.g., 'src/core/board/pbxa9'),
2) most architecture-specific include paths (e.g., 'src/core/spec/arm_v7'),
3) include paths that reflect usage of virtualization or ARM Trustzone
(e.g., 'src/core/spec/arm/virtualization').
The first category is kept because, in contrast to the former "spec"-mechanism,
the board variable used for this type of resolution is not deprecated and the
board headers are meant to be the front end of hardware-specific headers
towards generic code which is why they must be available generically via
'<board.h>'.
The second category is kept because it was suggested by other maintainers that
simple arch-dependent headers (like for the declaration of a CPU state) should
not imply the inclusion of the whole '<board.h>' and because the architecture
is given also without the former "spec"-mechanism through the type of the build
directory. I think this is questionable but am fine with it.
The third category is kept because the whole way of saying whether
virtualization resp. ARM Trustzone is used is done in an out-dated manner and
changing it now would blow up this commit a lot and exceed the time that I'm
willing to spend. This category should be subject to a future issue.
Ref #4217
The 'src/core/board/<board>/board.h' header is thought as front end of
hardware-specific headers of a given board towards the generic base-hw Core
code. Therefore it leads to problems (circular includes) if the board.h header
is included from within another hardware-specific header.
If hardware-specific headers access declarations from namespace Board in a
definition, the definition should be moved to a compilation unit that may
include board.h. If hardware-specific headers access declarations from board.h
in a declaration, they should either use the primary declaration from the
original header or, if the declaration must be selected according to the board,
another board-specific header should be introduced to reflect this abstraction.
This is applied by this commit for the current state of base-hw.
Ref #4217
It is not necessary to have a class, an object, and a generic header for the
perfomance counter. The kernel merely enables the counter using cpu registers
('msr' instructions, no MMIO) on arm_v6 and arm_v7 only. Therefore this commit
makes the header arm-specific and replaces class and global static object with
a function for enabling the counter.
Fixes#4217
Let the kernel's driver for the global IRQ controller be a member of the one
Kernel::Main object instead of having it as static variables in the drivers for
the local IRQ controllers. Note that this commit spares out renaming 'Pic' to
'Local_interrupt_controller' which would be more sensible now with the new
'Global_interrupt_controller' class. Furthermore, on ARM boards the commit
doesn't move 'Distributer' stuff to the new global IRQ controller class as they
don't have real data members (only MMIO) and can be instanciated for each CPU
anew. However, the right way would be to instanciate them only once in Main as
well.
Ref #4217
The unmanaged-singleton approach was used in this context only because of the
alignment requirement of the Core main-UTCB. This, however can also be achieved
with the new 'Aligned' utility, allowing the UTCB to be a member of the Core
main-thread object.
Ref #4217
It's sufficient to access the boot info only on kernel initialization time.
Therfore, it can remain completely hidden to the rest of the kernel inside
kernel/main.cc in the initialization function.
Ref #4217
This commit introduces the Kernel::Main class that replaces the former way of
initializing the kernel (former 'kernel_init' function) and calling the C++
kernel entry handler (former 'kernel' function). These two are now
'Main::initialize_and_handle_kernel_entry' and 'Main::handle_kernel_entry'.
Also reading the execution time of the idle threads was already moved to
'Main'. The one static Main instance is meant to successivly replace all the
global static objects of the base-hw kernel with data members of the Main
instance making the data model of the kernel much more comprehensible. The
instance and most of its interface are hidden in kernel/main.cc. There are only
rare cases where parts of the Main interface must be accessible from the
outside. This should be done in the most specific way possible (see main.h)
and, if possible, without handing out references to Main data members or the
Main instance itself.
Ref #4217
Normally, the board header can be found for each supported board under
'src/core/board/<BOARD>/board.h'. This was not the case for the board 'pc'
that was located under 'src/core/spec/x86_64/board.h'. The commit fixes this.
Ref #4217
The class name Core_thread in Kernel for the object of the first thread of
core is too generic as there can be an arbitrary number of threads in core
besides this one. Furthermore, creating a core thread has its own syscall
'new_core_thread' that isn't related in any way to Core_thread. Therefore
this commit introduces the more specific name Core_main_thread as replacement
for Core_thread.
Ref #4217
The function was only still used for reading the execution time of idle threads
of CPUs. Certainly, it is technically fine and more performant to read these
values directly from the kernel objects without doing a syscall. However,
calling cpu_pool() for it provides read and write access to a lot more than
only the execution time values. The interface via which Core directly reads
state of the kernel should be as narrow and specific as possible.
Perspectively, we want to get rid of the cpu_pool() accessor anyway. Therefore
this commit introduces Kernel::read_idle_thread_execution_time(cpu_idx) as
replacement. The function is implemented in kernel code and called by Core in
platform.cc.
Ref #4217
Apparently, there is no need for exposing the data members of Trace_source, so,
we sould better make them private before someone gets the impression that they
are meant to be accessed directly.
Ref #4217
Core used to read the kernel-reserved IRQs from the timer objects in the
kernel's CPU objects and the PIC class (inter-processor IRQ). Besides not
being "good style" to access a kernel object in Core, this becomes a problem
when trying to prevent CPU pool from being accessed via global functions.
As a solution, this commit extends the boot info to also carry an array of all
kernel-reserved IRQs.
Ref #4217
For the constructor of Kernel_object<T> there are two variants. One for the
case that it is called from Core where the kernel object (type T) must be
created via a syscall and one when it is called from within the kernel and the
kernel object can be created directly. Selecting one of these variants was done
using a bool argument to the constructor. However, this implies that the
constructor of Kernel_object<T> and that of T have the same signature in the
variadic arguments, even in the syscall case, although technically it would
then not be necessary.
This becomes a problem as soon as kernel objects created by Core shall receive
additional arguments from the kernel, for instance a reference to the global
CPU pool, and therefore stands in the way when wanting to get rid of global
statics in the kernel. Therefore, this commit introduces two constructors that
are selected through enum arguments:
! Kernel_object(Called_from_kernel, ...);
! Kernel_object(Called_from_core, ...);
Ref #4217