Additionally, we do the cleanup of the remains of a previously failed
run prior creating the run directory. Otherwise, the directly creation
may fail because of a pending bindmount.
With this patch, the thread context area RM session gets created at
program startup to have the thread context area's virtual address range
reserved right from the beginning.
Fixes#734.
This patch implies that all Genode processes try to create an RM
session. So a route to the RM service must be present even for processes
that have only a single thread. Hence, the patch contains an update of
affected components.
The KDB UART driver uses the Fiasco(.OC) kernel debugger console as backend
for input and output. This is useful in the case that only one UART is
available.
Fixes#665.
This patch moves the os/config examples to their respective run scripts,
removes some of them, and moves the priority example to the src/init
directory (where other examples are located).
Additionally, this patch adapts the OKL4-specific priority.run test to
the recent changes of the timer interface.
The 'Timer::Session::msleep' function is one of the last occurrences of
long-blocking RPC calls. Synchronous blocking RPC interfaces turned out
to be constant source of trouble and code complexity. I.e., a timer
client that also wants to respond to non-timer events was forced to be a
multi-threaded process. This patch replaces the blocking 'msleep' call
by a mechanism for programming timeouts and receiving wakeup signals in
an asynchronous fashion. Thereby signals originating from the timer can
be handled along with signals from other signal sources by a single
thread.
The changed interface has been tested on Linux, L4/Fiasco, OKL4, NOVA,
L4ka::Pistachio, Codezero, Fiasco.OC, and hw_pbxa9. Furthermore, this
patch adds the timer test to autopilot.
Fixes#1
With this change, init becomes able to respond to config changes by
restarting the scenario with the new config. To make this feature useful
in practice, init must not fail under any circumstances. Even on
conditions that were considered as fatal previously and led to the abort
of init (such as ambiguous names of the children or misconfiguration in
general), init must stay alive and responsive to config changes.
With this patch, the loader installs an optional client-provided fault
handler as default CPU exception handler and RM fault handler for all
CPU and RM sessions of the loaded subsystem. This way, loader clients
become able to respond to failures occuring within the subsystem.
The new feature is provided via the added 'Loader::fault_handler' RPC
function.
The 'run/failsafe' test covers two cases related to the loader, which
are faults produced by the immediate child of the loader and faults
produced by indirect children.
Using the new 'join()' function, the caller can explicitly block for the
completion of the thread's 'entry()' function. The test case for this
feature can be found at 'os/src/test/thread_join'. For hybrid
Linux/Genode programs, the 'Thread_base::join()' does not map directly
to 'pthread_join'. The latter function gets already called by the
destructor of 'Thread_base'. According to the documentation, subsequent
calls of 'pthread_join' for one thread may result in undefined behaviour.
So we use a 'Genode::Lock' on this platform, which is in line with the
other platforms.
Related to #194, #501
The new 'Uart::Session' interface is an extension of the
'Terminal::Session' interface that allows for configuring UART-specific
parameters, i.e., the baud rate.
Since the recent move of the process creation into core, the original chroot trampoline
mechanism implemented in 'os/src/app/chroot' does not work anymore. A
process could simply escape the chroot environment by spawning a new
process via core's PD service. Therefore, this patch moves the chroot
support into core. So the chroot policy becomes mandatory part of the
process creation. For each process created by core, core checks for
'root' argument of the PD session. If a path is present, core takes the
precautions needed to execute the new process in the specified chroot
environment.
This conceptual change implies minor changes with respect to the Genode
API and the configuration of the init process. The API changes are the
enhancement of the 'Genode::Child' and 'Genode::Process' constructors to
take the root path as argument. Init supports the specification of a
chroot per process by specifying the new 'root' attribute to the
'<start>' node of the process. In line with these changes, the
'Loader::Session::start' function has been enhanced with the additional
(optional) root argument.
The memory allocation heuristics in the usb driver provided by dde_linux
changed with the recent commit 71b2b42936.
Apparently, the new variant requires a larger memory pool. Increasing
the quota is a temporary fix until the memory allocator gets revisited.
The block test at test/ahci is indeed not AHCI-specific. It is a generic
block read/write test for the block-session interface. But in contrast
to the original test/block, it restores the block device content (at
least when the test succeeds). Hence, we remove the original (dangerous)
block test and always use code of test/ahci.
This patch introduces the file-system-session interface, provides an
implementation of this interface in the form of an in-memory file
system, and enables the libc to use the new file-system facility.
The new interface resides in 'os/include/file_system_session/'. It
uses synchronous RPC calls for functions referring to directory
and meta-data handling. For transferring payload from/to files, the
packet-stream interface is used. I envision that the asynchronous design
of the packet-stream interface fits well will the block-session
interface. Compared to Unix-like file-system APIs, Genode's file-system
session interface is much simpler. In particular, it does not support
per-file permissions. On Genode, we facilitate binding policy (such as
write-permission) is sessions rather than individual file objects.
As a reference implementation of the new interface, there is the
new 'ram_fs' service at 'os/src/server/ram_fs'. It stores sparse
files in memory. At the startup, 'ram_fs' is able to populate the
file-system content with directories and ROM modules as specified
in its configuration.
To enable libc-using programs to access the new file-system interface,
there is the new libc plugin at 'libports/src/lib/libc-fs'. Using this
plugin, files stored on a native Genode file system can be accessed
using the traditional POSIX file API.
To see how the three parts described above fit together, the test
case at 'libports/run/libc_fs' can be taken as reference. It reuses
the original 'libc_ffat' test to exercise several file operations
on a RAM file-system using the libc API.
:Known limitations:
The current state should be regarded as work in progress. In particular
the error handling is not complete yet. Not all of the session functions
return the proper exceptions in the event of an error. I plan to
successively refine the interface while advancing the file-system
implementations. Also the support for truncating files and symlink
handling are not yet implemented.
Furthermore, there is much room for optimization, in particular for the
handling of directory entries. Currently, we communicate only one dir
entry at a time, which is bad when traversing large trees. However, I
decided to focus on functionality first and defer optimizations (such as
batching dir entries) to a later stage.
The current implementation does not handle file modification times at
all, which may be a severe limitation for tools that depend on this
information such as GNU make. Support for time will be added after we
have revisited Genode's timer-session interface (issue #1).
Fixes#54Fixes#171
The original loader service was primarily motivated by the
browser-plugin scenario presented on our live CD. The new version
implements a more general session interface, which widens the
application scope of the service and, at the same time, reduces its
implementation complexity.
The complexity reduction is achieved by removing the original limitation
of supplying the new sub system as a single binary blob only. The server
used to implement heuristics and functionality for dealing with
different kinds of blobs such as ELF images or TAR archives. This has
been replaced by a session-local ROM service, which can be equipped with
an arbitrary number of ROM modules supplied by the loader client prior
starting the new sub system. Even though the TAR support has been
removed, a separate instance of the 'tar_rom' service can be used within
the subsystem to provide the formerly built-in functionality.
