This patch improves the `Text_painter` utility that is commonly used by
native Genode components to render text:
- Support for subpixel positioning
- Generic interface for accessing font data
- Basic UTF-8 support
Since the change decouples the font format from the 'Text_painter' and
changes the API to use the sub-pixel accurate 'Text_painter::Position'
type, all users of the utility require an adaptation.
Fixes#2716
This file system is meant as a building block for pseudo file systems
that host a directory of several small files where each corresponds to
an attribute of the pseudo file system.
By letting the 'Dir_file_system' accept an arbitrary 'File_system'
as root directory, we can use the 'Dir_file_system' as a building
block for creating other file-system types.
This patch enables the use of the VFS from VFS plugins by passing a
reference of the root directory to the constructors of file-system
instances. Since it changes the signature of 'Vfs::Dir_file_system',
any code that uses the VFS directly requires an adaptation.
Fixes#2701
If the remote DNS server address value of a DHCP server changes, the affected
interfaces do a link down/up to inform all DHCP clients that they should
re-request their DHCP info.
Issue #2730
The dns_server_from attribute of the dhcp-server tag has effect only if
the dns_server attribute of the same tag is not set. If this is the
case, the dns_server_from attribute states the domain from whose IP
config to take the DNS server address. This is useful, for instance, if
the stated domain receives the address of a local DNS server via DHCP.
Whenever the IP config of the stated domain becomes invalid, the DHCP
server switches to a mode where it drops all requests unanswered until
the IP config becomes valid again.
Issue #2730
Until now, the DHCP server of a domain was re-constructed each time the
IP config changed. This is not necessary as a domain that acts as DHCP
server must have a static IP config as it would be senseless to act as
DHCP server and client at the same time. Now, a configured DHCP server
is constructed only when the Domain gets constructed and stays alive
until the domain gets destructed. Furthermore, we now throw Domain::Invalid
if there is no static IP config plus a DHCP server configured. However, by
now, this exception is not caught as it is not trivial to destruct the
domain at this point.
Issue #2730
The Interface constructor previously tried to attach to a domain. This
might include sending a DHCP request to get the domain a valid IP config.
But in order to achieve this, the constructor used a pure virtual method
of Interface which crashes due to the unfinished vtable. To fix this bug,
the attach attempt was moved to a new Interface::init method.
Issue #2730
Instead of Pointer<T>::set use assignment operator with implicit constructor
from T-reference. Instead of Pointer<T>::unset use assignment operator with
Pointer<T>(). Instead of Pointer<T>::deref provide () operator.
Issue #2730
The router reacts as follows to a configuration change:
1) Construct new internal configuration representation (the old one stays
in place to be able to do comparisons in the following steps)
2) Iterate through all user-dependent objects (interfaces, link states, ARP
information, DHCP information) and re-check which remain valid with the
new configuration and which must be dismissed.
3) Adapt the objects that remain valid to the new configuration (re-write
references) and remove or detach the dismissed objects.
4) Do a link state DOWN at each interface and a link state UP at each
interface that remains attached to a domain.
5) Replace the old internal configuration representation with the new one
This way, the router keeps as much user dependent states as possible
while going through a configuration change. Thus, overwriting the old
configuration with an exact copy of itself is (almost) transparent to
clients of the router. Almost, because there are things the router must
do on every configuration handling, like re-scheduling the expiration
timeouts of links.
Ref #2670
The for_each method of the List wrapper remembers the next list item
before calling the functor on the current one, so, the current one can
be destroyed during the functor.
Ref #2670
Clients can connect at any time to the NIC router. The interfaces (sessions)
get attached to the appropriate domain as soon as it appears. This implies
that interfaces can also be detached from a domain without beeing destructed
when the domain disappears. All user dependent states of an interface such as
the link states, DHCP allocations and ARP information get lost when the
interface gets detached.
Ref #2670
This separates the decision wether to log the received and sent packets
from the 'verbose' attribute. This information is now only logged if
'verbose_packets' is switched on. If 'verbose' is switched on, only
routing decisions and optional hints are printed.
Ref #2670
Switch port I/O based PCI config space access to memory-mapped IO. The
base address of the PCI configuration space is acquired by mapping the
ACPI ROM and reading the first <bdf> node. An exception is thrown if the
first <bdf> node is not for PCI domain zero or if multiple <bdf> nodes
exist. This is to reduce complexity and also because multiple PCI
domains are rare.
The PCI configuration space is accessed via I/O mem dataspace which is
created in the platform_drv root and then passed on to the PCI session,
device components and finally to the actual PCI config access instances.
The memory access code is implemented in a way to make it work with Muen
subject monitor (SM) device emulation and also general x86 targets. On
Muen, the simplified device emulation code (which works also for Linux)
always returns 0xffff in EAX to indicate a non-existing device.
Therefore, EAX is enforced in the assembly templates.
Fixes#2547
This patch adds a safety check to nit_fb to ensures that nit_fb never
runs out of RAM. Should the available RAM not suffice for resizing the
virtual framebuffer to a new mode, it keeps the current mode.
The Dir_file_system uses static cast to convert handles from the
application to a plugin local type. For this reason, only the local
handle type may be returned from 'opendir' or 'open'. This fixes the
unexpected behavior when opening directories as files.
Fix#2533
This patch removes the notion of partial writes from the file-system
servers. Since write operations are asynchronously submitted, they are
expected to succeed completely, except for I/O errors. I/O errors are
propagated with the write acknowledgement but those are usually handled
out of band at the client side. Partial writes must never occur because
they would go undetected by clients, which usually don't wait for the
completion of each single write operation.
Until now, most file-system servers returned the number of written bytes
in the acknowledgement packet. If a server managed to write a part of
the request only, it issued the acknowledgement immediately where it
should have cared about writing the remaining part first.
The patch detects such misbehaving server-side code. If partial writes
unexpectedly occur, it prints a message and leaves the corresponding
request unacknowdleged.
Issue #2672
File_system clients may now watch files and directories for changes by
opening a 'Watch_handle' rather than submitting a 'CONTENT_CHANGED'
packet to the server. When a change happens at a node with an open
Watch_handle a CONTENT_CHANGED packet will be sent from the server to
the client. This serializes registration with other handle operations
and separates I/O handle state from notification handle state.
Test at run/fs_rom_update.
Ref #1934
Catch out of RAM and capability exceptions and return error values.
Abort opening a composite directory at Dir_file_system where an
opendir call on any child file-system returns an OUT_OF_RAM or
OUT_OF_CAPS error.
Ref #2642
This change enables the use of negative values for the 'initial_width'
and 'initial_height' attributes to specify values that are relative to
the screen size. This is consistent with the meaning of the 'width' and
'height' attributes.
This patch introduces the subnodes <provides>, <requires>, and
<content> to the <runtime> node. All <rom> sessions that are
expected from the depot appear within the <content> node, which
sets them nicely apart from <rom> sessions that may be required
as runtime arguments.
Note that the <requires> and <provides> nodes do not appear in the
patch because the existing depot_deploy tool does not interpret this
information (the pkg/test-fs_report runtime does not provide any
service, and the timer session is provided as a common route).
The new 'Terminal_session::size_changed_sigh' RPC function registers a
signal handler that is triggered each time when the terminal size
changes. It enables the client to adjust itself to the new size by
subsequently calling the 'size' RPC function. Of all terminal servers,
only the graphical terminal triggers this signal.
- handle line wraps in 'ech()'
- take (1,1) origin into account in 'hpa()' and 'vpa()'
- unify handling of SGR escape sequences of different lengths
- accept the '[?2004h' and '[?2004l' escape sequences (used by midnight commander)
Fixes#2671
The 'Expanding_reporter' wrapper for the 'Reporter' eliminates
the burden of handling 'Xml_generator::Buffer_exceeded' exceptions
from components that generate reports.
Fixes#2655
AVL trees can't be copied with the default copy constructor as the
parent pointer of the first item of both of the resulting trees would
point to the original tree. Copying an AVL node, however, generally
violates the integrity of the corresponding tree. The copy constructor
of Avl_tree is used in some places but in those places it can be
replaced easily. So, this commit deletes the copy constructor of
Avl_node_base which makes Avl_node and Avl_tree non-copyable.
Issue #2654
The 'trace_logger' component can be used to easily gather, process and export
different types of tracing data. Which subjects to select is configurable via
session label policies and thread names. Which data to collect from the
selected subjects can be configured for each subject individually, for groups
of subjects, or for all subjects. The gathered data can be exported as log
output.
This is an example configuration of the 'trace_logger' component which shows
the default value for each attribute except the policy.thread and
policy.label:
! <config verbose="no"
! session_ram="10M"
! session_arg_buffer="4K"
! session_parent_levels="0"
! period_sec="5"
! activity="no"
! affinity="no"
! default_policy="null"
! default_buffer="4K">
!
! <policy label="init -> timer" />
! <policy label_suffix=" -> ram_fs" />
! <policy label_prefix="init -> encryption -> "
! thread="worker"
! buffer="4K"
! policy="null" />
! </config>
For more details see os/src/app/trace_logger/README.
Fixes#2654
Building this policy was disabled by a REQUIRES = riscv_toolchain_bugfix
to prevent compiler crashes on nightly test builds. Since the latest
RISCV toolchain update, test builds for RISCV crash at much more places
which makes this single work-around senseless.
Issue #2654
The 'Buffered_xml' utility is used by three components and a fourth is
on the way. To avoid another duplication of the code, this patch makes
it publicly available at 'os/buffered_xml.h'.
This patch replaces the 'Heap' by a 'Sliced_heap' to avoid the
allocation of a 16 KiB memory block when 'dummy' acts as a server. On
seL4, such an allocation would exceed the 1M quota as assigned by the
init.run script.
The 'initial_width' and 'initial_height' attributes were added to
accomodate the use-case to set the initial dimensions whenever 'nit_fb'
is used in a dynamic fashion, e.g, in combination with a window manager.
These attributes may not be mixed with the 'width' and 'height'
attributes, which are mostly used when a static size configuration is
desired.
When a NIC session is destructed at the router, we have to remove all ARP
cache entries that match the MAC address of that session. Otherwise the
outdated entries might be re-applied later, leading to wrong destination
MAC addresses in routed packets.
Fixes#2637
By specifying the 'config' of a '<runtime>' as an attribute, we can
distinguish the case where the config is obtained from a ROM session
from the case where the config is specified inline as a '<config>' node.
This fix handles the case where the focused domain loses its focus
because the currently focused client vanishes. In this case, the focus
will be undefined and the non-focused views of the domain become
tinted again. The refresh should take effect immediately as soon as the
client vanishes.
With this patch, init responds to the exit of a child by closing all
sessions of the child. E.g., if a child is a GUI application, its
nitpicker session is closed at the time of exit, not at the time when
the start node disappears from init's configuration.
Since this change requires a modification of the 'Genode::Child' class,
it takes the chance to make the child-destruction less brutal. The
new version ensures that all threads of the destructed subsystem are
destructed before other sessions, in particular PD sessions. This
eliminates spurious page-fault warnings during the child destruction.
On Fiasco.OC, closing the CPU session of a thread while being called by
the thread causes a deadlock. Hence, we skip the eager destruction of
CPU sessions on this kernel.
Related to issue #2659
which executed in the current measurement period but are now dead.
Keep the Entry object up to next period, where the recent_execution_time will
become 0 since it will not execute definitely.
Issue #2638
Require x86_64 because memory/adress space limitations on x86_32
restrict the use-cases on such a platform anyway. Doing that,
we can also assume that memory adresses are always 64bit long and
do not have to handle 32bit adresses.
According to the creator of the net-stat lib, this lib was a mere debugging
tool that is not used anymore nor worth the work of updating the it to
modern Genode coding paradigms. Also, there exist no tests for the lib.
Instead of having a method validate_size in each packet class, check
sizes in the data accessor of the surrounding packet class. This packet
accessor is the one that casts the data pointer to the desired data type
so it is sensible that it also checks whether the desired type would
exceed the available RAM before doing the cast. This also fits nicely
the fact that for the top-level packet-class of a packet, the size must
not be checked (which was previously done).
Issue #465
This is a follow-up commit to "Increase default warning level", which
overrides Genode's new default warning level for targets contained in
higher-level repositories. By explicitly whitelisting all those targets,
we can selectively adjust them to the new strictness over time - by
looking out for 'CC_CXX_WARN_STRICT' in the target description files.
Issue #465
The patch adjust the code of the base, base-<kernel>, and os repository.
To adapt existing components to fix violations of the best practices
suggested by "Effective C++" as reported by the -Weffc++ compiler
argument. The changes follow the patterns outlined below:
* A class with virtual functions can no longer publicly inherit base
classed without a vtable. The inherited object may either be moved
to a member variable, or inherited privately. The latter would be
used for classes that inherit 'List::Element' or 'Avl_node'. In order
to enable the 'List' and 'Avl_tree' to access the meta data, the
'List' must become a friend.
* Instead of adding a virtual destructor to abstract base classes,
we inherit the new 'Interface' class, which contains a virtual
destructor. This way, single-line abstract base classes can stay
as compact as they are now. The 'Interface' utility resides in
base/include/util/interface.h.
* With the new warnings enabled, all member variables must be explicitly
initialized. Basic types may be initialized with '='. All other types
are initialized with braces '{ ... }' or as class initializers. If
basic types and non-basic types appear in a row, it is nice to only
use the brace syntax (also for basic types) and align the braces.
* If a class contains pointers as members, it must now also provide a
copy constructor and assignment operator. In the most cases, one
would make them private, effectively disallowing the objects to be
copied. Unfortunately, this warning cannot be fixed be inheriting
our existing 'Noncopyable' class (the compiler fails to detect that
the inheriting class cannot be copied and still gives the error).
For now, we have to manually add declarations for both the copy
constructor and assignment operator as private class members. Those
declarations should be prepended with a comment like this:
/*
* Noncopyable
*/
Thread(Thread const &);
Thread &operator = (Thread const &);
In the future, we should revisit these places and try to replace
the pointers with references. In the presence of at least one
reference member, the compiler would no longer implicitly generate
a copy constructor. So we could remove the manual declaration.
Issue #465
The warning "no interface connected to domain" was introduced when only one NIC
session at a time could be connected to a domain. It should help to track
packet drops that were caused by startup timing issues between servers and
clients. However, a user should watch the "NIC sessions" value of a domain
(verbose_domain_state) instead when debugging packet loss. With support for
multiple sessions per domain, even a non-empty domain may still miss the
session that connects the desired server.
Fix#2629
Previously, all packets that the router wanted to sent were first prepared to
their final state and then copied at once into the packet stream RAM. This is
fine for packets that the router only passes through with modifying merely
a few values. But for packets that the router writes from scratch on its own,
it is better to compose the packet directly in the packet stream RAM.
Fix#2626
Normally, Interface::send always takes the base and size of the RAM region
where a packet was composed and copies this finished packet at once into the
packet stream RAM. But we want to be able to also compose packets directly in
the packet stream RAM, so that no memcpy is needed. Thus, Interface::send now
takes a functor that describes how to compose the packet, then allocates the
packet stream RAM and applies the functor to this RAM. there is also a version
of Interface::send that provides the old behavior but with the new back end.
This way, we stay backwards-compatible.
Issue #2626
When composing an ARP packet for sending, it's pointless to use the Arp_packet
constructor as the constructor only checks whether the packet is malformed.
Issue #2618
The NIC router can now be configured to periodically send reports.
Configuration example (shows default values):
<config>
<report interval_sec="5" bytes="yes" config="yes">
</config>
If the 'report' tag is not available, no reports are send.
The attributes of the 'report' tag:
'bytes' : Boolean : Whether to report sent bytes and received bytes per
domain
'config' : Boolean : Whether to report ipv4 interface and gateway per
domain
'interval_sec' : 1..3600 : Interval of sending reports in seconds
Issue #2614
In the context of link state objects we often used the term "close" were we
actually meant "dissolve". The term "close" originated from the TCP connection
state and is still used in TCP links in the correct manner.
Issue #2609
Act as hub for the interfaces at a domain. This also changes the roles of the
Domain and Interface classes. By now the Interface held the data structures for
the ARP cache, foreign ARP waiters, and the searchtrees for layer 3 links. All
these structures have moved to the Domain while the memory allocations and
lifetime management for the contents of these structures still come from from
the according Interface object. The mentioned data structures were also adapted
to fit the fact that they now may maintain objects of different interfaces.
Issue #2609
If an IPv4 packet targets an IP local to the domain it comes from and doesn't
target the routers IP of that domain, forward it to all other interfaces of
the domain without considering any other routing.
Issue #2609
Improve ARP handling code in general:
Make the several cases and their handling more clear by using a more
readable if/else statement structure. Drop gratuitous ARP requests.
Domain-local ARP:
Handle ARP packets that target local IPs other than the routers IP
(forward them to all other interfaces of the domain).
Issue #2609
IP allocations were renamed DHCP allocations without fixing the according
places in log messages and comments. This commit rectifies this omission.
Issue #2609
This patch makes service-announce messages depend on the configured
verbosity. It also omits "parent provides" title messages if no new
parent services are added during a config update.
Detect loops by walking hard-links at two different speeds and checking
for lapping. Tar link walking is no longer a recursive procedure.
Caught a loop created by GNU tar 1.29.
Fix#2611
If a client decides to spontaneously send a DHCP DISCOVER again, even though
he has received a still valid IP config from the router, we don't want to
discard the DISCOVER like it was done before but discard the IP config
assignment and offer a new one.
Issue #2534
When this flag is set in the config tag, the NIC router will print a
short information to the log for each general state change of a domain.
This includes currently the IP-configuration state and the number of
connected NIC sessions. This a useful addition as the normal verbose
flag's purpose is a very deep insight into almost every activity in the
router, which is cool for debugging sophisticated problems but normally
floods the log and therefore discards this option for, e.g., desktop
systems. In such systems, the new verbosity is pretty discreet but
already gives a good hint on why packets may get dropped by the router
although the routing rules are correct.
Issue #2534
The run tool now by default checks configurations with target-specific
XML schemata. Each component may define a config schema file in its
target.mk via the CONFIG_XSD variable. When the run tool has checked an
configuration of an init instance, it additionally goes through the
start nodes of the config. For each start node it checks whether there
is an XSD file that matches. If so, the run tool also checks the config
of the start node (if existant). This is done recursively. I.e., also
the child configs of a sub-init of a sub-init of the top-level init
receive a config check.
Issue #2600
Added a new constructor that takes the entrypoint as constructor
argument. The original constructor retrieves the entrypoint from the
Genode environment. This does not allow to use a different entrypoint.
Replace former rtt_sec attribute of the <config> tag by more specific
(and still optional) attributes for timeouts used in the NIC router
(these are also the default values):
<config dhcp_discover_timeout_sec="10"
dhcp_request_timeout_sec="10"
dhcp_offer_timeout_sec="10"
udp_idle_timeout_sec="30"
tcp_idle_timeout_sec="600"
tcp_max_segm_lifetime_sec="30">
Details about the new attributes can be found in the README of the router.
Issue #2590
On x86 64 bit with SeL4, the test needs around 80MB that must be
completely composed of 4KB-pages due to current limitations of the SeL4
port. Thus, Core must flush the page table caches pretty often during
the test which is an expensive high-prior operation and makes it
impossible to provide a highly precise time.
Multi-wraps
-----------
Previously, on every new timeout, we programmed registers LR=timeout and
CMP=0. The counter than counted from LR down to 0, triggered the IRQ,
jumped back to LR, and counted down again. If one installed small
timeouts (< 1000 us), it was likely that the counter wrapped multiple
times before we were able to read it out. Initially, this was not a big
issue as the additional wraps were simply ignored and the amount of time
lost through this was not big. But when we want to do correct rate
limitation, multiple wraps cause an overflow in the additional
calculations, and this has a big effect on the resulting time value.
Thus, we now program the counter to start from ~0 and count down to 0.
We set CMP=~0-timeout so that the timer still triggers the IRQ at the right
time. The counter continues counting down after the IRQ has triggered until
we install a new timeout. We do not consider anymore that the counter wraps.
The maximum timeout is set to half the maximum counter value, so, we should
be able to install a new timeout before the counter wraps.
Rate limit for time updates
---------------------------
In the time span between two interrupts we have to remember how many ticks
we have already added to the time value. This is because at each call of
curr_time we can only see how many ticks have passed since the last call of
schedule_timeout and not since the last call of curr_time. But we want to
limit the rate of time updates in curr_time. With the member for ticks that
were already added since the last call to schedule_timeout we can then
calculate how many are yet to be added.
This patch supplements the existing 'hover' report with the information
whether or not the user has recently moved the pointer. This works
analogously to how the 'focus' report features the information about
recent button/keyboard activity.
Together, the 'hover' and 'focus' reports may be combined to observe
prolonged user inactivity, e.g. to activate a lock screen.
This patch enables nitpicker to use an external focus policy instead of
the traditional builtin click-to-focus policy. The external focus policy
is obtained from a 'focus' ROM. The focus ROM is expected to have a
'label' attribute with the value set to the label of the to-be focused
client.
This patch revises the implementation of nitpicker in the following
respects:
- Split the implementation into smaller files,
- Consistently use the 'Nitpicker' namespace,
- Avoid the use of format strings,
- Retire old (and hackish) debug mode,
- Removal of unused timer connection,
- Merging 'Session' into 'Session_component',
- Merging 'Mode' into 'User_state',
- Adding the notions of 'View_owner' and 'Focus' as interfaces,
- Untangle 'User_state' and 'View_stack'
This patch adds a 'Color::print' method as counterpart to the 'ascii_to'
function. If the color is opaque (alpha is 255), its output has the form
"#rrggbb". If the color has a distinct alpha value, the output has the
form "#rrggbbaa". The new version of the 'ascii_to' overload for 'Color'
is able to deal with both forms.
This patch supplements init's service-forwarding mechanism to propagate
the insufficient RAM/cap quota conditions from the server to the client.
Without it, the client's session request stays pending infinitely.
This is a follow-up patch to "init: periodic state updates if sensible".
In situations where the report rate is deliberately limited via the
'delay_ms' attribute while also reporting child-resource stats, we don't
want generate reports at a fixed rate of one second. This patch limits
the rate according to the 'delay_ms' value.
The input filter used to temporarily close all input sessions upon its
reconfiguration. In most cases, the same set of sessions is
re-established immediately afterwards. However, at the server (driver)
side, the closing of the session implicitly disables the input-event
queue. Hence events generated by the hardware while the session is
closed are dropped. This becomes a noticeable problem when using the
recently added <rom> modifier feature for handling capslock. The change
of the ROM always triggers the re-configuration of the input filter.
When pressing capslock and other keys at a high rate, press/release
events may get lost.
This patch solves this problem by maintaining all input sessions that
are defined in both the old and new configuration. It thereby removes
the short duration where the input event queues are temporarily disabled
at the drivers.
This makes '/' and the actual root of VFS distinguishable. A VFS root
may contain one ore more '/' entries for each file system. 'opendir' for
the VFS root opens all file systems via 'open_composite_dir', while
'opendir' for '/' only returns a VFS handle.
Fixes#2569
This patch adds a sanity check to the Event::type accessor. If the key
code of a given PRESS or RELEASE event is out of the valid range, it
reports an INVALID event. This way, client side code does not need to
deal with such edge cases. E.g., on Lenovo notebooks, the ps2 driver
reports strange key events when pressing shift-pageup/pagedown,
violating the general assumption that there is a release event for each
press event. By flagging these events as INVALID, the client-side logic
stays intact.
Check at the VFS server that the capability cost of sessions do not
exceed the session quota donation. Raise the default initial capability
donation for File_system connections.
Fix#2553
Previously the destructors of classes derived from Source were not
called when destructing a Source because Source missed the declaration
of a virtual destructor. This caused at least problems when
reconstructing a Chargen_source with its Chargen_repeater that includes
a One_shot_timeout. In this case, the members of the Alarm behind the
timeout were not reset and the next time beeing used the Alarm appeared
to be still active which wasn't true.
Fixes#2570
A new configuration may implicitly change the domain color of the
currently focused session. We need to refresh the report to trigger an
update of the status bar.
This commit replaces the old xray_trigger component by a new component
called global_keys_handler. For details, please refer to the issue text
and the accompanied README file.
Fixes#2554
Whenever a childs is terminated the exit value is propagate through a
new state report. Thereby it becomes possibly for a managing component
to react upon the terminating condition of a child.
Issue #2558.
If the attribute 'interface' is not set in a 'domain' tag, the router tries to
dynamically receive and maintain an IP configuration for that domain by using
DHCP in the client role at all interfaces that connect to the domain. In the
DHCP discover phase, the router simply chooses the first DHCP offer that
arrives. So, no comparison of different DHCP offers is done. In the DHCP
request phase, the server is expected to provide an IP address, a gateway, a
subnet mask, and an IP lease time to the router. If anything substantial goes
wrong during a DHCP exchange, the router discards the outcome of the exchange
and goes back to the DHCP discover phase. At any time where there is no valid
IP configuration present at a domain, the domain does only act as DHCP client
and all other router functionality is disabled for the domain. A domain cannot
act as DHCP client and DHCP server at once. So, a 'domain' tag must either
have an 'interface' attribute or must not contain a 'dhcp-server' tag.
Ref #2534
An IPv4 config (for a domain/interface of the router) consists of
an IPv4 address, a subnet prefix specifier, an optional gateway
IPv4 address, and some flags that declare whether these fields and
the config as a whole are valid. To make the handling of those
tightly connected values easier and less error prone, we encapsulate
them in a new class.
Ref #2534
Under certain circumstances we don't want inits state report to become too
outdated even if there is no change to its config or the sessions of its
children. This is the case if init is requested to provide a capability or RAM
info of it's children via its state report. Now, init automatically updates
the state report with each 1000 ms if the attribute 'child_caps' or
'child_ram' is positively set in the 'report' tag.
Timing itself costs time. Thus, the stressfull timeout phase of the
test is not exactly as long as set but a little bit longer. This is why the
fast timeouts are able to trigger more often than they are expected to
(the timer has a static timeout-rate limit). Normally we consider this effect
through an error tolerance of 10%. But at least on foc x86_32 (PIT with very
low max timeout), timing is so expensive that 10% is not enough. We have to
raise it to 11%.
This patch propages the 'Service_denied' condition of forwarded sessions
to the parent. Without it, the invalid session request stays pending
infinitely, which leads to the problem described in issue #2542. It
turns out that suggested solution given in the issue text is actually
not needed when applying this fix.
Fixes#2542
The ROM filter did not handle the situation where the generated content
exceeds the size of the initially allocated dataspace for the target
buffer. This patch wraps the XML generation in a retry loop that
expands the buffer as needed.
This patch makes the specification of screen coordinates more flexible.
First, the 'origin' attribute allows one to refer to either of the four
screen corners without knowing the screen size. Second, the 'width'
and 'height' values now accept negative values, which are relative to
the screen size.
The 'File_system::Connection' already performs an on-demand session
upgrade should the server report an 'Out_of_caps' or 'Out_of_ram'
condition. So file-system clients are normally relieved from handling
those exceptions. However, the upgrade was limited to two attempts per
operation (which amounts to 16 KiB). When using the Rump VFS plugin in
the VFS server, this amount does not always suffice. So the exception is
reflected to the client. I observed this problem as a message "unhandled
error" printed by fs_rom. This patch removes the upgrade limit such that
a greedy file-system server becomes iteratively upgraded until it stops
arguing or the client's RAM is exhausted.
This was an error output-line for each affected packet previously but it
is pretty normal for the router to receive packets whose network layer
protocol it doesn't know . In the default case, these packets shall be
ignored silently.
Ref #2490
One can configure the NIC router to act as DHCP server at interfaces of a
domain by adding the <dhcp> tag to the configuration of the domain like
this:
<domain name="vbox" interface="10.0.1.1/24">
<dhcp-server ip_first="10.0.1.80"
ip_last="10.0.1.100"
ip_lease_time_sec="3600"
dns_server="10.0.0.2"/>
...
</domain>
The attributes ip_first and ip_last define the available IPv4 address
range while ip_lease_time_sec defines the lifetime of an IPv4 address
assignment in seconds. The IPv4 address range must be in the subnet
defined by the interface attribute of the domain tag and must not cover
the IPv4 address in this attribute. The dns_server attribute gives the
IPv4 address of the DNS server that might also be in another subnet.
The lifetime of an offered assignment is the configured round trip time of
the router while the ip_lease_time_sec is applied only if the offer is
requested by the client in time.
The ports/run/virtualbox_nic_router.run script is an example of how to
use the new DHCP server functionality.
Ref #2490
Previously, garbage collect was only done when an incoming packet passed the
Ethernet checks. Now it is really done first when receiving a packet at an
interface.
Ref #2490
If the router has no gateway attribute for a domain (means that the router
itself is the gateway), and it gets an ARP request for a foreign IP, it shall
answer with its own IP.
Ref #2490
Do not use two times the RTT for the lifetime of links but use it as
it is configured to simplify the usage of the router. Internally, use
Microseconds/Duration type instead of plain integers.
Ref #2490
The nic_dump uses a wrapper for all supported protocols that
takes a packet and a verbosity configuration. The wrapper object can
than be used as argument for a Genode log function and prints the
packet's contents according to the given configuration. The
configuration is a distinct class to enable the reuse of one instance
for different packets.
There are currently 4 possible configurations for each protocol:
* NONE (no output for this protocol)
* SHORT (only the protocol name)
* COMPACT (the most important information densely packed)
* COMPREHENSIVE (all header information of this protocol)
Ref #2490
Provide utilities for appending new options to an existing DHCP packet
and a utility for finding existing options that returns a typed option
object. Remove old version that return untyped options.
Ref #2490
Apply the style rule that an accessor is named similar to the the underlying
value. Provide read and write accessors for each mandatory header attribute.
Fix some incorrect structure in the headers like with the flags field
in Ipv4_packet.
Ref #2490
Encapsulate the enum into a struct so that it is named
Ethernet_frame::Type::Enum, give it the correct storage type
uint16_t, and remove those values that are (AFAIK) not used by
now (genode, world).
Ref #2490
Do not stop routing if the transport layer protocol is unknown but
continue with trying IP routing instead. The latter was already
done when no transport routing could be applied but for unknown transport
protocols we caught the exception at the wrong place.
Ref #2490
No starvation of timeout signals
--------------------------------
Add several timeouts < 1ms to the stress test and check that timeout
handling doesn't become significantly unfair (starvation) in this situation
where some timeouts trigger nmuch faster than they get handled.
Rate limiting for timeout handling in timer
-------------------------------------------
Ensure that the timer does not handle timeouts again within 1000
microseconds after the last handling of timeouts. This makes denial of
service attacks harder. This commit does not limit the rate of timeout
signals handled inside the timer but it causes the timer to do it less
often. If a client continuously installs a very small timeout at the
timer it still causes a signal to be submitted to the timer each time
and some extra CPU time to be spent in the internal handling method. But
only every 1000 microseconds this internal handling causes user timeouts
to trigger.
If we would want to limit also the call of the internal handling method
to ensure that CPU time is spent beside the RPCs only every 1000
microseconds, things would get more complex. For instance, on NOVA
Time_source::schedule_timeout(0) must be called each time a new timeout
gets installed and becomes head of the scheduling queue. We cannot
simply overwrite the already running timeout with the new one.
Ref #2490
We did not set the correct now_period previously but it wasn't conspicuous
because the bug triggered not before a full period had passed which on most
platforms is a pretty long time.
Ref #2490
Ensure that the timer does not handle timeouts again within 1000
microseconds after the last handling of timeouts. This makes denial of
service attacks harder. This commit does not limit the rate of timeout
signals handled inside the timer but it causes the timer to do it less
often. If a client continuously installs a very small timeout at the
timer it still causes a signal to be submitted to the timer each time
and some extra CPU time to be spent in the internal handling method. But
only every 1000 microseconds this internal handling causes user timeouts
to trigger.
If we would want to limit also the call of the internal handling method
to ensure that CPU time is spent beside the RPCs only every 1000
microseconds, things would get more complex. For instance, on NOVA
Time_source::schedule_timeout(0) must be called each time a new timeout
gets installed and becomes head of the scheduling queue. We cannot
simply overwrite the already running timeout with the new one.
Ref #2490
This patch fixes an aliasing problem of the 'close' method signature
that prevented the Input::Root_component::close method to be called.
This way, the event-queue state was not reset at session-close time,
which prevented a subsequent session-creation request to succeed. With
the patch, input servers like ps2_drv, usb_drv that rely on the
Input::Root_component support the dynamic re-opening of sessions. This
happens in particular when using a dynamically configured input filter.
We update the alarm-scheduler time with results of
Timer::Connection::curr_time when we schedule new timeouts but when
handling the signal from the Timer server we updated the alarm-scheduler
time with the result of Timer::Connection::elapsed_us. Mixing times
like this could cause a non-monotone time value in the alarm scheduler.
The alarm scheduler then thought that the time value wrapped and
triggered all timeouts immediately. The problem was fixed by always
using Timer::Connection::curr_time as time source.
Ref #2490
This patch applies the handling of cursor keys, function keys, and page
up/down keys even if no keymap is defined. This is the case when using
the terminal with character events produced by the input filter.
Create periodic and one-shot timeouts with the maximum duration
to see if triggers any corner-case bugs. They must not trigger during
the test.
Ref #2490
If we add an absolute timeout to the back-end alarm-scheduler we must first
call 'handle' at the scheduler to update its internal time value.
Otherwise, it might happen that we add a timeout who's deadline is so big that
it normally belongs to the next time-counter period but the scheduler thinks
that it belongs to the current period as its time is older than the one used
to calculate the deadline.
Ref #2490
When we have two time values of an unsigned integer type and we create
the difference and want to know wether it is positive or negative within
the same value we loose at least one half of the value range for casting
to signed integers. This was the case in the alarm scheduler when
checking wether an alarm already triggered. Even worse, we casted from
'unsigned long' to 'signed int' which caused further loss on at least
x86_64. Thus, big timeouts like ~0UL falsely triggered directly.
Now, we use an extra boolean value to remember in which period of the
time counter we are and to which period of the time counter the deadline
of an alarm belongs. This boolean switches its value each time the time
counter wraps. This way, we can avoid any casting by checking wether the
current time is of the same period as the deadline of the alarm that we
inspect. If so, the alarm is pending if "current time >= alarm
deadline", otherwise it is pending if "current time < alarm deadline".
Ref #2490
If the PIT timer driver gets activated too slow (e.g. because of a bad priority
configuration), it might miss counter wraps and would than produce sudden time
jumps. The driver now detects this problem dynamically, warns about it and
adapts the affected values to avoid time jumps.
Ref #2400
The NIC router always reports the link state "Up" (true) because
the effective link state depends on the targeted remote interface
and thus on the individual routing for each packet. Consequently,
also the signal handler for state changes gets ignored.
Ref #2490
IP stacks may treat a network interface as "down" when it states a MAC
address with the I/G bit (bit 40) set to "Group" (value 0) instead of
"Individual" (value 1). This was observed with a TinyCore 8 inside a
Virtualbox VM. Thus, the previously choosen 03:03:03:03:03:00 as base
for the MAC address allocator is bad. Now we use the 02:02:02:02:02:00
instead. This also ensures that the MAC addresses are not marked as
"Universal" but as "Local" (bit 41, value 1) which is correct in general
as the router allocates MAC addresses only for virtual networks.
Ref #2490
The timer driver should always be of the highest priority to avoid
problem with timers that have low max-counter values like the PIT
with only 53 ms.
Ref #2400
The NIC dump component didn't support forwarding of link states and link-state
signals until now. Furthermore, it now prints MAC address and link state
on session creation and on every link state change.
Ref #2490
Previously, the uplink session was created on component startup while the
creation of the downlink session is timed by the client component. This
created a time span in which packets from the uplink were dropped at the
nic_dump. Now the uplink session-request is done by the session component
of the downlink.
Ref #2490
Add a "writeable" policy option to the ahci_drv and part_blk Block
servers and default from writeable to ready-only. Should a policy
permit write acesss the session request argument "writeable" may still
downgrade a session to ready-only.
Fix#2469
There are hardware timers whose frequency can't be expressed as
ticks-per-microsecond integer-value because only a ticks-per-millisecond
integer-value is precise enough. We don't want to use expensive
floating-point values here but nonetheless want to translate from ticks
to time with microseconds precision. Thus, we split the input in two and
translate both parts separately. This way, we can raise precision by
shifting the values to their optimal bit position. Afterwards, the results
are shifted back and merged together again.
As this algorithm is not so trivial anymore and used by at least three
timer drivers (base-hw/x86_64, base-hw/cortex_a9, timer/pit), move it to a
generic header to avoid redundancy.
Ref #2400
Due to the simplicity of the algorithm that translated from timer ticks
to time, we lost microseconds precision although the timer allows for it.
Ref #2400
When synchronizing with the remote time source, we have to take care that the
measured time difference cannot become null because its real value is smaller
than the measurement granularity. Since the granularity is one microsecond, we
simply go on polling timestamp and time until the microsecond has passed.
This busy waiting should be no problem for the system for two reasons. First,
it is limited to a relatively small amount of time and second, a busy lock
does not happen because the time source that is responsible for the limiting
factor is explicitely called on each poll.
Ref #2400
The VFS library can be used in single-threaded or multi-threaded
environments and depending on that, signals are handled by the same thread
which uses the VFS library or possibly by a different thread. If a VFS
plugin needs to block to wait for a signal, there is currently no way
which works reliably in both environments.
For this reason, this commit makes the interface of the VFS library
nonblocking, similar to the File_system session interface.
The most important changes are:
- Directories are created and opened with the 'opendir()' function and the
directory entries are read with the recently introduced 'queue_read()'
and 'complete_read()' functions.
- Symbolic links are created and opened with the 'openlink()' function and
the link target is read with the 'queue_read()' and 'complete_read()'
functions and written with the 'write()' function.
- The 'write()' function does not wait for signals anymore. This can have
the effect that data written by a VFS library user has not been
processed by a file system server yet when the library user asks for the
size of the file or closes it (both done with RPC functions at the file
system server). For this reason, a user of the VFS library should
request synchronization before calling 'stat()' or 'close()'. To make
sure that a file system server has processed all write request packets
which a client submitted before the synchronization request,
synchronization is now requested at the file system server with a
synchronization packet instead of an RPC function. Because of this
change, the synchronization interface of the VFS library is now split
into 'queue_sync()' and 'complete_sync()' functions.
Fixes#2399
This patch changes init's service forwarding such that pending requests
are kept unanswered as long as the requested service is not present
(yet). In dynamic-init scenarios, this is needed in situtions where the
dynamic init is known to eventually provide the service but the internal
subsystem is not ready yet. Previously, a client that attempted to
request a session in this early phase would get a 'Service_denied'
exception. By deferring the forwarding in this situation, the behaviour
becomes deterministic.
If a matching '<service>' exists but there is no matching policy sub
node, the request is answered with 'Service_denied' - as expected.
Currently, init does not test wether a service is abandoned on a new
configuration if the service was routed via an any-child route. Trigger
this behaviour in the init test.
Ref #2483
The calibration of the interpolation parameters was previously only done
periodically every 500 ms. Together with the fact that the parameters
had to be stable for at least 3 calibration steps to enable
interpolation, it took at least 1.5 seconds after establishing a
connection to get microseconds-precise time values.
This is a problem for some drivers that directly start to poll time.
Thus, the timer connection now does a calibration burst as soon as it
switches to the modern mode (the mode with microseconds precision).
During this phase it does several (currently 9) calibration steps
without a delay inbetween. It is assumed that this is fast enough to not
get interrupted by scheduling. Thus, despite being small, the measured
values should be very stable which is why the burst should in most cases
be sufficient to get the interpolation initialized.
Ref #2400
When in modern mode (with local time interpolation), the timer
connection used to maximize the left shifting of its
timestamp-to-microseconds factor. The higher the shift the more precise
is the translation from timestamps to microseconds. If the timestamp
values used for determining the best shift were small - i.e. the delay
between the calibration steps were small - we may got a pretty big
shift. If we then used the shift with bigger timestamp values - i.e.
called curr_time seldom or raised calibration delays - the big shift
value became a problem. The framework had to scale down all measured
timestamps and time values temporarily to stay operative until the next
calibration step.
Thus, we now raise the shift only that much that the resulting factor
fullfills a given minimum. This keeps it as low as possible according
to the precision requirement. Currently, this requirement is set to 8
meaning that the shifted factor shall be at least 2^8 = 256.
Ref #2400
As the timer session now provides a method 'elapsed_us', there is no more need
for doing any internal calculations with values of milliseconds.
Ref #2400