This patch supplements the existing 'hover' report with the information
whether or not the user has recently moved the pointer. This works
analogously to how the 'focus' report features the information about
recent button/keyboard activity.
Together, the 'hover' and 'focus' reports may be combined to observe
prolonged user inactivity, e.g. to activate a lock screen.
This patch enables nitpicker to use an external focus policy instead of
the traditional builtin click-to-focus policy. The external focus policy
is obtained from a 'focus' ROM. The focus ROM is expected to have a
'label' attribute with the value set to the label of the to-be focused
client.
This patch revises the implementation of nitpicker in the following
respects:
- Split the implementation into smaller files,
- Consistently use the 'Nitpicker' namespace,
- Avoid the use of format strings,
- Retire old (and hackish) debug mode,
- Removal of unused timer connection,
- Merging 'Session' into 'Session_component',
- Merging 'Mode' into 'User_state',
- Adding the notions of 'View_owner' and 'Focus' as interfaces,
- Untangle 'User_state' and 'View_stack'
This patch supplements init's service-forwarding mechanism to propagate
the insufficient RAM/cap quota conditions from the server to the client.
Without it, the client's session request stays pending infinitely.
This is a follow-up patch to "init: periodic state updates if sensible".
In situations where the report rate is deliberately limited via the
'delay_ms' attribute while also reporting child-resource stats, we don't
want generate reports at a fixed rate of one second. This patch limits
the rate according to the 'delay_ms' value.
The input filter used to temporarily close all input sessions upon its
reconfiguration. In most cases, the same set of sessions is
re-established immediately afterwards. However, at the server (driver)
side, the closing of the session implicitly disables the input-event
queue. Hence events generated by the hardware while the session is
closed are dropped. This becomes a noticeable problem when using the
recently added <rom> modifier feature for handling capslock. The change
of the ROM always triggers the re-configuration of the input filter.
When pressing capslock and other keys at a high rate, press/release
events may get lost.
This patch solves this problem by maintaining all input sessions that
are defined in both the old and new configuration. It thereby removes
the short duration where the input event queues are temporarily disabled
at the drivers.
This makes '/' and the actual root of VFS distinguishable. A VFS root
may contain one ore more '/' entries for each file system. 'opendir' for
the VFS root opens all file systems via 'open_composite_dir', while
'opendir' for '/' only returns a VFS handle.
Fixes#2569
Check at the VFS server that the capability cost of sessions do not
exceed the session quota donation. Raise the default initial capability
donation for File_system connections.
Fix#2553
Previously the destructors of classes derived from Source were not
called when destructing a Source because Source missed the declaration
of a virtual destructor. This caused at least problems when
reconstructing a Chargen_source with its Chargen_repeater that includes
a One_shot_timeout. In this case, the members of the Alarm behind the
timeout were not reset and the next time beeing used the Alarm appeared
to be still active which wasn't true.
Fixes#2570
A new configuration may implicitly change the domain color of the
currently focused session. We need to refresh the report to trigger an
update of the status bar.
This commit replaces the old xray_trigger component by a new component
called global_keys_handler. For details, please refer to the issue text
and the accompanied README file.
Fixes#2554
Whenever a childs is terminated the exit value is propagate through a
new state report. Thereby it becomes possibly for a managing component
to react upon the terminating condition of a child.
Issue #2558.
If the attribute 'interface' is not set in a 'domain' tag, the router tries to
dynamically receive and maintain an IP configuration for that domain by using
DHCP in the client role at all interfaces that connect to the domain. In the
DHCP discover phase, the router simply chooses the first DHCP offer that
arrives. So, no comparison of different DHCP offers is done. In the DHCP
request phase, the server is expected to provide an IP address, a gateway, a
subnet mask, and an IP lease time to the router. If anything substantial goes
wrong during a DHCP exchange, the router discards the outcome of the exchange
and goes back to the DHCP discover phase. At any time where there is no valid
IP configuration present at a domain, the domain does only act as DHCP client
and all other router functionality is disabled for the domain. A domain cannot
act as DHCP client and DHCP server at once. So, a 'domain' tag must either
have an 'interface' attribute or must not contain a 'dhcp-server' tag.
Ref #2534
An IPv4 config (for a domain/interface of the router) consists of
an IPv4 address, a subnet prefix specifier, an optional gateway
IPv4 address, and some flags that declare whether these fields and
the config as a whole are valid. To make the handling of those
tightly connected values easier and less error prone, we encapsulate
them in a new class.
Ref #2534
Under certain circumstances we don't want inits state report to become too
outdated even if there is no change to its config or the sessions of its
children. This is the case if init is requested to provide a capability or RAM
info of it's children via its state report. Now, init automatically updates
the state report with each 1000 ms if the attribute 'child_caps' or
'child_ram' is positively set in the 'report' tag.
Timing itself costs time. Thus, the stressfull timeout phase of the
test is not exactly as long as set but a little bit longer. This is why the
fast timeouts are able to trigger more often than they are expected to
(the timer has a static timeout-rate limit). Normally we consider this effect
through an error tolerance of 10%. But at least on foc x86_32 (PIT with very
low max timeout), timing is so expensive that 10% is not enough. We have to
raise it to 11%.
This patch propages the 'Service_denied' condition of forwarded sessions
to the parent. Without it, the invalid session request stays pending
infinitely, which leads to the problem described in issue #2542. It
turns out that suggested solution given in the issue text is actually
not needed when applying this fix.
Fixes#2542
The ROM filter did not handle the situation where the generated content
exceeds the size of the initially allocated dataspace for the target
buffer. This patch wraps the XML generation in a retry loop that
expands the buffer as needed.
This patch makes the specification of screen coordinates more flexible.
First, the 'origin' attribute allows one to refer to either of the four
screen corners without knowing the screen size. Second, the 'width'
and 'height' values now accept negative values, which are relative to
the screen size.
This was an error output-line for each affected packet previously but it
is pretty normal for the router to receive packets whose network layer
protocol it doesn't know . In the default case, these packets shall be
ignored silently.
Ref #2490
One can configure the NIC router to act as DHCP server at interfaces of a
domain by adding the <dhcp> tag to the configuration of the domain like
this:
<domain name="vbox" interface="10.0.1.1/24">
<dhcp-server ip_first="10.0.1.80"
ip_last="10.0.1.100"
ip_lease_time_sec="3600"
dns_server="10.0.0.2"/>
...
</domain>
The attributes ip_first and ip_last define the available IPv4 address
range while ip_lease_time_sec defines the lifetime of an IPv4 address
assignment in seconds. The IPv4 address range must be in the subnet
defined by the interface attribute of the domain tag and must not cover
the IPv4 address in this attribute. The dns_server attribute gives the
IPv4 address of the DNS server that might also be in another subnet.
The lifetime of an offered assignment is the configured round trip time of
the router while the ip_lease_time_sec is applied only if the offer is
requested by the client in time.
The ports/run/virtualbox_nic_router.run script is an example of how to
use the new DHCP server functionality.
Ref #2490
Previously, garbage collect was only done when an incoming packet passed the
Ethernet checks. Now it is really done first when receiving a packet at an
interface.
Ref #2490
If the router has no gateway attribute for a domain (means that the router
itself is the gateway), and it gets an ARP request for a foreign IP, it shall
answer with its own IP.
Ref #2490
Do not use two times the RTT for the lifetime of links but use it as
it is configured to simplify the usage of the router. Internally, use
Microseconds/Duration type instead of plain integers.
Ref #2490
The nic_dump uses a wrapper for all supported protocols that
takes a packet and a verbosity configuration. The wrapper object can
than be used as argument for a Genode log function and prints the
packet's contents according to the given configuration. The
configuration is a distinct class to enable the reuse of one instance
for different packets.
There are currently 4 possible configurations for each protocol:
* NONE (no output for this protocol)
* SHORT (only the protocol name)
* COMPACT (the most important information densely packed)
* COMPREHENSIVE (all header information of this protocol)
Ref #2490
Provide utilities for appending new options to an existing DHCP packet
and a utility for finding existing options that returns a typed option
object. Remove old version that return untyped options.
Ref #2490
Apply the style rule that an accessor is named similar to the the underlying
value. Provide read and write accessors for each mandatory header attribute.
Fix some incorrect structure in the headers like with the flags field
in Ipv4_packet.
Ref #2490
Encapsulate the enum into a struct so that it is named
Ethernet_frame::Type::Enum, give it the correct storage type
uint16_t, and remove those values that are (AFAIK) not used by
now (genode, world).
Ref #2490
Do not stop routing if the transport layer protocol is unknown but
continue with trying IP routing instead. The latter was already
done when no transport routing could be applied but for unknown transport
protocols we caught the exception at the wrong place.
Ref #2490
No starvation of timeout signals
--------------------------------
Add several timeouts < 1ms to the stress test and check that timeout
handling doesn't become significantly unfair (starvation) in this situation
where some timeouts trigger nmuch faster than they get handled.
Rate limiting for timeout handling in timer
-------------------------------------------
Ensure that the timer does not handle timeouts again within 1000
microseconds after the last handling of timeouts. This makes denial of
service attacks harder. This commit does not limit the rate of timeout
signals handled inside the timer but it causes the timer to do it less
often. If a client continuously installs a very small timeout at the
timer it still causes a signal to be submitted to the timer each time
and some extra CPU time to be spent in the internal handling method. But
only every 1000 microseconds this internal handling causes user timeouts
to trigger.
If we would want to limit also the call of the internal handling method
to ensure that CPU time is spent beside the RPCs only every 1000
microseconds, things would get more complex. For instance, on NOVA
Time_source::schedule_timeout(0) must be called each time a new timeout
gets installed and becomes head of the scheduling queue. We cannot
simply overwrite the already running timeout with the new one.
Ref #2490
We did not set the correct now_period previously but it wasn't conspicuous
because the bug triggered not before a full period had passed which on most
platforms is a pretty long time.
Ref #2490
Ensure that the timer does not handle timeouts again within 1000
microseconds after the last handling of timeouts. This makes denial of
service attacks harder. This commit does not limit the rate of timeout
signals handled inside the timer but it causes the timer to do it less
often. If a client continuously installs a very small timeout at the
timer it still causes a signal to be submitted to the timer each time
and some extra CPU time to be spent in the internal handling method. But
only every 1000 microseconds this internal handling causes user timeouts
to trigger.
If we would want to limit also the call of the internal handling method
to ensure that CPU time is spent beside the RPCs only every 1000
microseconds, things would get more complex. For instance, on NOVA
Time_source::schedule_timeout(0) must be called each time a new timeout
gets installed and becomes head of the scheduling queue. We cannot
simply overwrite the already running timeout with the new one.
Ref #2490
We update the alarm-scheduler time with results of
Timer::Connection::curr_time when we schedule new timeouts but when
handling the signal from the Timer server we updated the alarm-scheduler
time with the result of Timer::Connection::elapsed_us. Mixing times
like this could cause a non-monotone time value in the alarm scheduler.
The alarm scheduler then thought that the time value wrapped and
triggered all timeouts immediately. The problem was fixed by always
using Timer::Connection::curr_time as time source.
Ref #2490
Create periodic and one-shot timeouts with the maximum duration
to see if triggers any corner-case bugs. They must not trigger during
the test.
Ref #2490
If we add an absolute timeout to the back-end alarm-scheduler we must first
call 'handle' at the scheduler to update its internal time value.
Otherwise, it might happen that we add a timeout who's deadline is so big that
it normally belongs to the next time-counter period but the scheduler thinks
that it belongs to the current period as its time is older than the one used
to calculate the deadline.
Ref #2490
When we have two time values of an unsigned integer type and we create
the difference and want to know wether it is positive or negative within
the same value we loose at least one half of the value range for casting
to signed integers. This was the case in the alarm scheduler when
checking wether an alarm already triggered. Even worse, we casted from
'unsigned long' to 'signed int' which caused further loss on at least
x86_64. Thus, big timeouts like ~0UL falsely triggered directly.
Now, we use an extra boolean value to remember in which period of the
time counter we are and to which period of the time counter the deadline
of an alarm belongs. This boolean switches its value each time the time
counter wraps. This way, we can avoid any casting by checking wether the
current time is of the same period as the deadline of the alarm that we
inspect. If so, the alarm is pending if "current time >= alarm
deadline", otherwise it is pending if "current time < alarm deadline".
Ref #2490
If the PIT timer driver gets activated too slow (e.g. because of a bad priority
configuration), it might miss counter wraps and would than produce sudden time
jumps. The driver now detects this problem dynamically, warns about it and
adapts the affected values to avoid time jumps.
Ref #2400
The NIC router always reports the link state "Up" (true) because
the effective link state depends on the targeted remote interface
and thus on the individual routing for each packet. Consequently,
also the signal handler for state changes gets ignored.
Ref #2490
IP stacks may treat a network interface as "down" when it states a MAC
address with the I/G bit (bit 40) set to "Group" (value 0) instead of
"Individual" (value 1). This was observed with a TinyCore 8 inside a
Virtualbox VM. Thus, the previously choosen 03:03:03:03:03:00 as base
for the MAC address allocator is bad. Now we use the 02:02:02:02:02:00
instead. This also ensures that the MAC addresses are not marked as
"Universal" but as "Local" (bit 41, value 1) which is correct in general
as the router allocates MAC addresses only for virtual networks.
Ref #2490
The NIC dump component didn't support forwarding of link states and link-state
signals until now. Furthermore, it now prints MAC address and link state
on session creation and on every link state change.
Ref #2490
Previously, the uplink session was created on component startup while the
creation of the downlink session is timed by the client component. This
created a time span in which packets from the uplink were dropped at the
nic_dump. Now the uplink session-request is done by the session component
of the downlink.
Ref #2490
Add a "writeable" policy option to the ahci_drv and part_blk Block
servers and default from writeable to ready-only. Should a policy
permit write acesss the session request argument "writeable" may still
downgrade a session to ready-only.
Fix#2469
There are hardware timers whose frequency can't be expressed as
ticks-per-microsecond integer-value because only a ticks-per-millisecond
integer-value is precise enough. We don't want to use expensive
floating-point values here but nonetheless want to translate from ticks
to time with microseconds precision. Thus, we split the input in two and
translate both parts separately. This way, we can raise precision by
shifting the values to their optimal bit position. Afterwards, the results
are shifted back and merged together again.
As this algorithm is not so trivial anymore and used by at least three
timer drivers (base-hw/x86_64, base-hw/cortex_a9, timer/pit), move it to a
generic header to avoid redundancy.
Ref #2400
Due to the simplicity of the algorithm that translated from timer ticks
to time, we lost microseconds precision although the timer allows for it.
Ref #2400
When synchronizing with the remote time source, we have to take care that the
measured time difference cannot become null because its real value is smaller
than the measurement granularity. Since the granularity is one microsecond, we
simply go on polling timestamp and time until the microsecond has passed.
This busy waiting should be no problem for the system for two reasons. First,
it is limited to a relatively small amount of time and second, a busy lock
does not happen because the time source that is responsible for the limiting
factor is explicitely called on each poll.
Ref #2400
The VFS library can be used in single-threaded or multi-threaded
environments and depending on that, signals are handled by the same thread
which uses the VFS library or possibly by a different thread. If a VFS
plugin needs to block to wait for a signal, there is currently no way
which works reliably in both environments.
For this reason, this commit makes the interface of the VFS library
nonblocking, similar to the File_system session interface.
The most important changes are:
- Directories are created and opened with the 'opendir()' function and the
directory entries are read with the recently introduced 'queue_read()'
and 'complete_read()' functions.
- Symbolic links are created and opened with the 'openlink()' function and
the link target is read with the 'queue_read()' and 'complete_read()'
functions and written with the 'write()' function.
- The 'write()' function does not wait for signals anymore. This can have
the effect that data written by a VFS library user has not been
processed by a file system server yet when the library user asks for the
size of the file or closes it (both done with RPC functions at the file
system server). For this reason, a user of the VFS library should
request synchronization before calling 'stat()' or 'close()'. To make
sure that a file system server has processed all write request packets
which a client submitted before the synchronization request,
synchronization is now requested at the file system server with a
synchronization packet instead of an RPC function. Because of this
change, the synchronization interface of the VFS library is now split
into 'queue_sync()' and 'complete_sync()' functions.
Fixes#2399
This patch changes init's service forwarding such that pending requests
are kept unanswered as long as the requested service is not present
(yet). In dynamic-init scenarios, this is needed in situtions where the
dynamic init is known to eventually provide the service but the internal
subsystem is not ready yet. Previously, a client that attempted to
request a session in this early phase would get a 'Service_denied'
exception. By deferring the forwarding in this situation, the behaviour
becomes deterministic.
If a matching '<service>' exists but there is no matching policy sub
node, the request is answered with 'Service_denied' - as expected.
The calibration of the interpolation parameters was previously only done
periodically every 500 ms. Together with the fact that the parameters
had to be stable for at least 3 calibration steps to enable
interpolation, it took at least 1.5 seconds after establishing a
connection to get microseconds-precise time values.
This is a problem for some drivers that directly start to poll time.
Thus, the timer connection now does a calibration burst as soon as it
switches to the modern mode (the mode with microseconds precision).
During this phase it does several (currently 9) calibration steps
without a delay inbetween. It is assumed that this is fast enough to not
get interrupted by scheduling. Thus, despite being small, the measured
values should be very stable which is why the burst should in most cases
be sufficient to get the interpolation initialized.
Ref #2400
When in modern mode (with local time interpolation), the timer
connection used to maximize the left shifting of its
timestamp-to-microseconds factor. The higher the shift the more precise
is the translation from timestamps to microseconds. If the timestamp
values used for determining the best shift were small - i.e. the delay
between the calibration steps were small - we may got a pretty big
shift. If we then used the shift with bigger timestamp values - i.e.
called curr_time seldom or raised calibration delays - the big shift
value became a problem. The framework had to scale down all measured
timestamps and time values temporarily to stay operative until the next
calibration step.
Thus, we now raise the shift only that much that the resulting factor
fullfills a given minimum. This keeps it as low as possible according
to the precision requirement. Currently, this requirement is set to 8
meaning that the shifted factor shall be at least 2^8 = 256.
Ref #2400
As the timer session now provides a method 'elapsed_us', there is no more need
for doing any internal calculations with values of milliseconds.
Ref #2400
As timer sessions are not expected to be microseconds precise (because
of RPC latency and scheduling), the session interface provided only a
method 'elapsed_ms' although the back end of this method in the timer
driver works with microseconds.
However, in some cases it makes sense to have a method 'elapsed_us'. The
values it returns might be milliseconds away from the "real" time but it
allows you to work with delays smaller than a millisecond without
getting a zero delta value.
This commit is motivated by the need for fast bursts of calibration
steps for the time interpolation in the new timer connection.
Ref #2400
The run script did not consider the routing for the environment ROM
sessions for the test-iso component. It routed all ROM sessions -
including the ones for the executable and the dynamic linker - to
fs_rom. The patch also adds the cap quota definitions required since
version 17.05 and fixes a whitespace inconsistency between the test
program and the run script.
Thanks to Steven Harp for reporting!
This is expected by hardware terminals, ie., terminal programs connected
to null-modem serial connections. Otherwise, the next line starts at the
column right after the last line.
The new version of the test exercises the combination of fs_report with
ram_fs and fs_rom as a more flexible alternative to report_rom.
It covers two corner cases that remained unaddressed by fs_rom and
ram_fs so far: First, the late installation of a ROM-update signal
handler at fs_rom right before the content of the file is modified.
Second, the case where the requested file is not present on the file
system at the creation time of the ROM session. Here, the ram_fs missed
to inform listeners for the compound directory about the later created
file.
This patch ensures that fs_rom delivers a ROM-update notification in the
case where the underlying file was changed in-between requesting the
initial ROM content and registering the signal handler.
With the introduction of the CONTENT_CHANGED notifications delivered via
the packet stream, the assumption that no more than one READ packet is
in flight at all times does no longer hold. If the fs server responds
to a CONTENT_CHANGED packet while the fs_rom expects the completion of a
read request, the '_update_dataspace' method would prematurely return,
leaving the dataspace unpopulated. This patch solves the problem by
specifically waiting for the completion of the read request.
On platforms that use the PIT timer driver, 'elapsed_ms' is pretty
inprecise/unsteady (up to 3 ms deviation) for a reason that is not
clearly determined yet. On Fiasco and Fiasco.OC, that use kernel timing,
it is the same. So, on these platforms, our locally interpolated time
seems to be fine but the reference time is bad. Until this is fixed, we
raise the error tolerance for these platforms in the run script.
Ref #2400
Appending a suffix to report filenames was behavior inherited from
fs_log, it prevents creating files where directories need to be created
later. But unlike logs, only a subset of the hierarchy will report and
those that do append a component-local label, so the risk of collision
is low.
By removing the suffix fs_rom can serve reports back as ROM just as
report_rom does.
Ref #2422
In the timeout framework, we maintain a translation factor value to
translate between time and timestamps. To raise precision we scale-up
the factor when we calculate it and scale-down the result of its
appliance later again. This up and down scaling is achieved through
left and right shifting. Until now, the shift width was statically
choosen. However, some platforms need a big shift width and others a
smaller one. The one static shift width couldn't cover all platforms
which caused overflows or precision problems.
Now, the shift width is choosen optimally for the actual translation
factor each time it gets re-calculated. This way, we can take care that
the shift always renders the best precision level without the risk for
overflows.
Ref #2400
The result-buffer related members of the fast polling test are
the same for each buffered result type. Thus, we can make the
code easier by providing them through a struct.
Ref #2400
On QEMU, NOVA uses the pretty unstable TSC emulation as primary time
source. Thus, timeouts do not trigger with the common precision (< 50
ms). Use an error tolerance of 200 ms for this platform constellation.
Ref #2400
The fast polling test uses one timer session for raw 'elapsed_ms' calls
and another one for potentially interpolated 'curr_time' calls. It then
compares the two results against each other. However, until now, the
test did not consider that the duration of the session construction may
create a remarkable shift between the local times of the two sessions.
This shift is now determined and compensated before doing any
comparison.
Ref #2400
The multiple-handlers test was checking if handlers at one signal were
activated in a fair manner. But on Qemu, the error tolerance of one was
too small in rare cases (2 of 100 runs). However, having multiple
handlers for the same signal context can be considered deprecated
anyway. With the recommended Signal_handler wrapper for signal sessions,
you can't use this feature. Thus, we removed the multiple-handlers test.
Fixes#2450
We incorrectly used 'unsigned long' (which is 32 or 64 bit depending on
the CPU architecture) for a timestamp (which is always 64 bit) in the
timer-connection implementation.
Ref #2435
On platforms were we do not have local time interpolation we can simply
skip the first test stage in the timeout test. This way, we can at least
test the rest.
Fixes#2435
On ARM, we do not have a component-local hardware time-source. The ARM
performance counter has no reliable frequency as the ARM idle command
halts the counter. Thus, we do not do local time interpolation on ARM.
Except we're on the HW kernel. In this case we can read out the kernel
time instead.
Ref #2435
The explicit relative location of the file instructed both target builds
to generate ../main.o which gloriously fails with parallel builds. The
produced range of error messages was astonishing ranging from "file
truncated" to "TLS reference in ../main.o mismatches non-TLS reference
in ../main.o".
If a child is allowed to constrain physical memory allocations but left
the 'phys_start' and 'phys_size' session arguments blank, init applies
builtin constraints for allocating DMA buffers.
The only component that makes use of the physical-memory constraint
feature is the platform driver. Since the built-in heuristics are
applied to the platform driver's environment RAM session, all
allocations performed by the platform driver satisfy the DMA
constraints.
To justify building-in these heuristics into init as opposed to
supplying the values as configuration arguments, the values differ
between 32 and 64 bit. The configuration approach would raise the need
to differentiate init configurations for both cases, which are
completely identical otherwise.
Issue #2407
This commit removes support for limitation of RAM allocations from the
platform_drv. A subsequent commit adds this feature to init.
Issue #2398
Issue #2407
Previously, the Genode::Timer::curr_time always used the
Timer_session::elapsed_ms RPC as back end. Now, Genode::Timer reads
this remote time only in a periodic fashion independently from the calls
to Genode::Timer::curr_time. If now one calls Genode::Timer::curr_time,
the function takes the last read remote time value and adapts it using
the timestamp difference since the remote-time read. The conversion
factor from timestamps to time is estimated on every remote-time read
using the last read remote-time value and the timestamp difference since
the last remote time read.
This commit also re-works the timeout test. The test now has two stages.
In the first stage, it tests fast polling of the
Genode::Timer::curr_time. This stage checks the error between locally
interpolated and timer-driver time as well as wether the locally
interpolated time is monotone and sufficiently homogeneous. In the
second stage several periodic and one-shot timeouts are scheduled at
once. This stage checks if the timeouts trigger sufficiently precise.
This commit adds the new Kernel::time syscall to base-hw. The syscall is
solely used by the Genode::Timer on base-hw as substitute for the
timestamp. This is because on ARM, the timestamp function uses the ARM
performance counter that stops counting when the WFI (wait for
interrupt) instruction is active. This instruction, however is used by
the base-hw idle contexts that get active when no user thread needs to
be scheduled. Thus, the ARM performance counter is not a good choice for
time interpolation and we use the kernel internal time instead.
With this commit, the timeout library becomes a basic library. That means
that it is linked against the LDSO which then provides it to the program it
serves. Furthermore, you can't use the timeout library anymore without the
LDSO because through the kernel-dependent LDSO make-files we can achieve a
kernel-dependent timeout implementation.
This commit introduces a structured Duration type that shall successively
replace the use of Microseconds, Milliseconds, and integer types for duration
values.
Open issues:
* The timeout test fails on Raspberry PI because of precision errors in the
first stage. However, this does not render the framework unusable in general
on the RPI but merely is an issue when speaking of microseconds precision.
* If we run on ARM with another Kernel than HW the timestamp speed may
continuously vary from almost 0 up to CPU speed. The Timer, however,
only uses interpolation if the timestamp speed remained stable (12.5%
tolerance) for at least 3 observation periods. Currently, one period is
100ms, so its 300ms. As long as this is not the case,
Timer_session::elapsed_ms is called instead.
Anyway, it might happen that the CPU load was stable for some time so
interpolation becomes active and now the timestamp speed drops. In the
worst case, we would now have 100ms of slowed down time. The bad thing
about it would be, that this also affects the timeout of the period.
Thus, it might "freeze" the local time for more than 100ms.
On the other hand, if the timestamp speed suddenly raises after some
stable time, interpolated time can get too fast. This would shorten the
period but nonetheless may result in drifting away into the far future.
Now we would have the problem that we can't deliver the real time
anymore until it has caught up because the output of Timer::curr_time
shall be monotone. So, effectively local time might "freeze" again for
more than 100ms.
It would be a solution to not use the Trace::timestamp on ARM w/o HW but
a function whose return value causes the Timer to never use
interpolation because of its stability policy.
Fixes#2400
Removes the following Fiasco.OC specific features:
* GDB extensions for Fiasco.OC
* i.MX53 support for Fiasco.OC
* Kernel debugger terminal driver
* Obsolete interface Native_pd
* Obsolete function of interface Native_cpu
This patch reduces the number of exception types by facilitating
globally defined exceptions for common usage patterns shared by most
services. In particular, RPC functions that demand a session-resource
upgrade not longer reflect this condition via a session-specific
exception but via the 'Out_of_ram' or 'Out_of_caps' types.
Furthermore, the 'Parent::Service_denied', 'Parent::Unavailable',
'Root::Invalid_args', 'Root::Unavailable', 'Service::Invalid_args',
'Service::Unavailable', and 'Local_service::Factory::Denied' types have
been replaced by the single 'Service_denied' exception type defined in
'session/session.h'.
This consolidation eases the error handling (there are fewer exceptions
to handle), alleviates the need to convert exceptions along the
session-creation call chain, and avoids possible aliasing problems
(catching the wrong type with the same name but living in a different
scope).
This patch mirrors the accounting and trading scheme that Genode employs
for physical memory to the accounting of capability allocations.
Capability quotas must now be explicitly assigned to subsystems by
specifying a 'caps=<amount>' attribute to init's start nodes.
Analogously to RAM quotas, cap quotas can be traded between clients and
servers as part of the session protocol. The capability budget of each
component is maintained by the component's corresponding PD session at
core.
At the current stage, the accounting is applied to RPC capabilities,
signal-context capabilities, and dataspace capabilities. Capabilities
that are dynamically allocated via core's CPU and TRACE service are not
yet covered. Also, the capabilities allocated by resource multiplexers
outside of core (like nitpicker) must be accounted by the respective
servers, which is not covered yet.
If a component runs out of capabilities, core's PD service prints a
warning to the log. To observe the consumption of capabilities per
component in detail, the PD service is equipped with a diagnostic
mode, which can be enabled via the 'diag' attribute in the target
node of init's routing rules. E.g., the following route enables the
diagnostic mode for the PD session of the "timer" component:
<default-route>
<service name="PD" unscoped_label="timer">
<parent diag="yes"/>
</service>
...
</default-route>
For subsystems based on a sub-init instance, init can be configured
to report the capability-quota information of its subsystems by
adding the attribute 'child_caps="yes"' to init's '<report>'
config node. Init's own capability quota can be reported by adding
the attribute 'init_caps="yes"'.
Fixes#2398
This patch reworks the implementation of core's RAM service to make use
of the 'Session_object' and to remove the distinction between the
"metadata" quota and the managed RAM quota. With the new implementation,
the session implicitly allocates its metadata from its own account. So
there is not need to handle 'Out_of_metadata' and 'Quota_exceeded' via
different exceptions. Instead, the new version solely uses the
'Out_of_ram' exception.
Furthermore, the 'Allocator::Out_of_memory' exception has become an alias
for 'Out_of_ram', which simplifies the error handling.
Issue #2398
The 'diag' flag can be defined by a target node of a route in init's
configuration. It is propagated as session argument to the server, which
may evaluate the flag to enable diagnostic output for the corresponding
session.
Issue #2398
This patch makes use of the new 'Quota_transfer::Account' by the service
types in base/service.h and uses 'Quota_transfer' objects in
base/child.cc and init/server.cc.
Furthermore, it decouples the notion of an 'Async_service' from
'Child_service'. Init's 'Routed_service' is no longer a 'Child_service'
but is based on the new 'Async_service' instead.
With this patch in place, quota transfers do no longer implicitly use
'Ram_session_client' objects. So transfers can in principle originate
from component-local 'Ram_session_component' objects, e.g., as used by
noux. Therefore, this patch removes a strumbling block for turning noux
into a single threaded component in the future.
Issue #2398
This patch replaces the 'Parent::Quota_exceeded',
'Service::Quota_exceeded', and 'Root::Quota_exceeded' exceptions
by the single 'Insufficient_ram_quota' exception type.
Furthermore, the 'Parent' interface distinguished now between
'Out_of_ram' (the child's RAM is exhausted) from
'Insufficient_ram_quota' (the child's RAM donation does not suffice to
establish the session).
This eliminates ambiguities and removes the need to convert exception
types along the path of the session creation.
Issue #2398
This patch replaces the former use of size_t with the use of the
'Ram_quota' type to improve type safety (in particular to avoid
accidentally mixing up RAM quotas with cap quotas).
Issue #2398
The 'Ram_allocator' interface contains the subset of the RAM session
interface that is needed to satisfy the needs of the 'Heap' and
'Sliced_heap'. Its small size makes it ideal for intercepting memory
allocations as done by the new 'Constrained_ram_allocator' wrapper
class, which is meant to replace the existing 'base/allocator_guard.h'
and 'os/ram_session_guard.h'.
Issue #2398
This patch augments the existing session/session.h with useful types for
the session creation:
* The new 'Insufficient_ram_quota' and 'Insufficient_cap_quota'
exceptions are meant to supersede the old 'Quota_exceeded' exception
of the 'Parent' and 'Root' interfaces.
* The 'Session::Resources' struct subsumes the information about the
session quota provided by the client.
* The boolean 'Session::Diag' type will allow sessions to operate in a
diagnostic mode.
* The existing 'Session_label' is not also available under the alias
'Session::Label'.
* A few helper functions ease the extraction of typed session arguments
from the session-argument string.
Issue #2398
This commit moves the headers residing in `repos/base/include/spec/*/drivers`
to `repos/base/include/drivers/defs` or repos/base/include/drivers/uart`
respectively. The first one contains definitions about board-specific MMIO
iand RAM addresses, or IRQ lines. While the latter contains device driver
code for UART devices. Those definitions are used by driver implementations
in `repos/base-hw`, `repos/os`, and `repos/dde-linux`, which now need to
include them more explicitely.
This work is a step in the direction of reducing 'SPEC' identifiers overall.
Ref #2403
This patch replaces the set-defaults command by a reset command, which
is needed to use the Lenovo x250 trackpoint. (original patch by
Christian Prochaska)
For asynchronously provided sessions, the parent has to maintain the
session state as long as the server hasn't explicitly responded to a
close request. For this reason, the lifetime of such session states is
bound to the server, not the client.
When the server responds to a close request, the session state gets
freed. The 'session_response' implementation does not immediately
destroy the session state but delegates the destruction to a client-side
callback, which thereby also notifies the client. However, the code did
not consider the case where the client has completely vanished at
session-response time. In this case, we need to drop the session state
immediately.
Fixes#2391
File_system servers shall deny clients not matching a defined policy.
Servers shall also apply session root offset policy followed by a client
offset.
Fix#2365
Init's service forwarding functionality did not take the service type
into account when forwarding a session request. If a server provides
multiple services, e.g. fb_sdl that provides both "Input" and
"Framebuffer", the type of the forwarded session request did not always
correspond to the actually requested type.
The base class of Registered must provide a virtual destructor to enable
safe deletion with just a base class pointer. This requirement can be
lifted by using Registered_no_delete in places where the deletion
property is not needed.
Fixes#2331
Ldso now does not automatically execute static constructors of the
binary and shared libraries the binary depends on. If static
construction is required (e.g., if a shared library with constructor is
used or a compilation unit contains global statics) the component needs
to execute the constructors explicitly in Component::construct() via
Genode::Env::exec_static_constructors().
In the case of libc components this is done by the libc startup code
(i.e., the Component::construct() implementation in the libc).
The loading of shared objects at runtime is not affected by this change
and constructors of those objects are executed immediately.
Fixes#2332
The test used to rely on init's formerly built-in policy of answering
resource requests with slack memory, if available. Since init no longer
responds to resource requests in an autonomous way, we use a dynamically
configured sub-init instance as runtime for the test. This instance, in
turn, is monitored and controlled such that resource requests are
result in quota upgrades. The monitoring component is implemented in
the same test-resource_request program as the test. Both roles are
distinguished by the "role" config attribute.
This is a follow-up to "init: explicit response to resource requests".
This patch equips init with the ability to act as a server that forwards
session requests to its children. Session requests can be routed
depending of the requested service type and the session label
originating from init's parent.
The feature is configured by one or multiple <service> nodes hosted in
init's <config> node. The routing policy is selected by via the regular
server-side policy-selection mechanism, for example:
<config>
...
<service name="LOG">
<policy label="noux">
<child name="terminal_log" label="important"/>
</policy>
<default-policy> <child name="nitlog"/> </default-policy>
</service>
...
</config>
Each policy node must have a <child> sub node, which denotes name of the
server with the 'name' attribute. The optional 'label' attribute defines
the session label presented to the server, analogous to how the
rewriting of session labels works in session routes. If not specified,
the client-provided label is presented to the server as is.
Fixes#2247
This patch removes the formerly built-in policy of responding to
resource requests with handing out slack quota. Instead, resource
requests have to be answered by an update of the init configuration with
adjusted quota values.
Note that this patch may break run scripts that depend on init's
original policy. Those run scripts may be adjusted by increasing the
quota for the components that use to inflate their RAM usage during
runtime such that the specified quota suffices for the entire lifetime
of the component.
This patch improves init's dynamic reconfigurability with respect to
adjustments of the RAM quota assigned to the children.
If the RAM quota is decreased, init withdraws as much quota from the
child's RAM session as possible. If the child's RAM session does not
have enough available quota, a resource-yield request is issued to
the child. Cooparative children may respond to such a request by
releasing memory.
If the RAM quota is increased, the child's RAM session is upgraded.
If the configuration exceeds init's available RAM, init re-attempts
the upgrade whenever new slack memory becomes available (e.g., by
disappearing other children).
This patch enables init to apply changes of any server's <provides>
declarations in a differential way. Servers can in principle be extended
by new services without re-starting them. Of course, changes of the
<provides> declarations may affect clients or would-be clients as this
information is taken into account for the session routing.
Under certain timing conditions, the test would end up flushing the
input from the input filter in a nested way, which ultimately resulted
in lost input events of the outer nesting level. This patch eliminates
this corner case and thereby stabilizes the key-repeat test.
Transfer quota to the session local RAM session to react to the
Quota_exceeded exception properly.
The platform driver keeps a session local RAM session for each of its
clients that is used to allocate DMA memory. A client needs to transfer
some of its quota to the platform driver, which in return transfers this
quota to the session local RAM session. As it happens allocating memory
from a RAM session involves book keeping and in this case, where the
available quota in the session did not suffice and the request was only
a few KiB, the platform driver handled the exception wrongly and did not
transfer the quota.
This problem did not surface up to now because all drivers allocate DMA
memory in larger chunks and the book keeping overhead was of no
consequence as the initial quota transfer probably covered the overhead.
Fixes#2316.
* Increase test-thread count to trigger quota exceeding on all platforms
* Synchronize test-thread destruction, otherwise an half-destructed thread
object can lead to an error message of the thread to be destructed,
which causes a deadlock, when the destructed thread still holds the log lock
* Limit SMP settings for QEMU to x86 (Ref #2307)
The signal_1/2/3 objects (which are threads) are in destruction, but still
signals are send to them. When the signal arrive and the memory for the
signal_1/2/3 object is already invalid we operate on stale memory and all
the locking infrastructure of the Thread don't work anymore.
Be more robust, explicitly wait for the termination of the thread.
Issue #2284
This patch improves the accuracy of init's quota-saturation feature
(handing out all slack quota to a child by specifying an overly high RAM
quota for the child) and makes the RAM preserved by init configurable.
The preservation is specified as follows:
! <config>
! ...
! <resource name="RAM" preserve="1M"/>
! ...
! </config>
If not specified, init has a reasonable default of 160K (on 32 bit) and
320K (on 64 bit).
This patch lets init apply configuration changes to a running scenario
in a differential way. Children are restarted if any of their session
routes change, new children can be added to a running scenario, or
children can deliberately be removed.
Furthermore, the new version of init is able to propagate configuration
changes (modifications of <config> nodes) to its children without
restarting them.
Change metadata before submitting a packet. If the submitting thread is a
pthread, the metadata may be immediately change by the signal handler running
in the context of the entrypoint thread.
This patch improves the accounting for the backing store of
session-state meta data. Originally, the session state used to be
allocated by a child-local heap partition fed from the child's RAM
session. However, whereas this approach was somehow practical from a
runtime's (parent's) point of view, the child component could not count
on the quota in its own RAM session. I.e., if the Child::heap grew at
the parent side, the child's RAM session would magically diminish. This
caused two problems. First, it violates assumptions of components like
init that carefully manage their RAM resources (and giving most of them
away their children). Second, if a child transfers most of its RAM
session quota to another RAM session (like init does), the child's RAM
session may actually not allow the parent's heap to grow, which is a
very difficult error condition to deal with.
In the new version, there is no Child::heap anymore. Instead, session
states are allocated from the runtime's RAM session. In order to let
children pay for these costs, the parent withdraws the local session
costs from the session quota donated from the child when the child
initiates a new session. Hence, in principle, all components on the
route of the session request take a small bite from the session quota to
pay for their local book keeping
Consequently, the session quota that ends up at the server may become
depleted more or less, depending on the route. In the case where the
remaining quota is insufficient for the server, the server responds with
'QUOTA_EXCEEDED'. Since this behavior must generally be expected, this
patch equips the client-side 'Env::session' implementation with the
ability to re-issue session requests with successively growing quota
donations.
For several of core's services (ROM, IO_MEM, IRQ), the default session
quota has now increased by 2 KiB, which should suffice for session
requests to up to 3 hops as is the common case for most run scripts. For
longer routes, the retry mechanism as described above comes into effect.
For the time being, we give a warning whenever the server-side quota
check triggers the retry mechanism. The warning may eventually be
removed at a later stage.
This patch equips init with the ability to report its internal state in
the form of a "state" report. This feature can be enabled by placing a
'<report>' node in init's configuration.
The report node accepts the following arguments (with their default
values):
'delay_ms="100"': specifies the number of milliseconds to wait before
producing a new report. This way, many consecutive state changes -
like they occur during the startup - do not result in an overly
large number of reports but are merged into one final report.
'buffer="4K"': the maximum size of the report in bytes. The attribute
accepts the use of K/M/G as units.
'init_ram="no"': if enabled, the report will contain a '<ram>' node
with the memory stats of init.
'ids="no"': supplement the children in the report with unique IDs, which
may be used to infer the lifetime of children accross configuration
updates in the future;
'requested="no"': if enabled, the report will contain information about
all session requests initiated by the children.
'provided="no"': if enabled, the report will contain information about
all sessions provided by all servers.
'session_args="no"': level of detail of the session information
generated via 'requested' or 'provided'.
'child_ram="no"': if enabled, the report will contain a '<ram>' node
for each child based on the information obtained from the child's RAM
session.
Issue #2246
This commit includes changes to the Nic::Session_component interface.
We now pass the entire env to the component instead of only ram, rm and
the ep because we need the env to open connections from within the
Session_component implemenation. So far only the cadence_gem driver
needs this, though.
Issue #2280.
When a directory gets destructed it dissolves the handles of each contained file
but the acknowledgement might be still in-flight. If we finally receive it,
it leads to an Unknown_id exception on the Handles ID Space in 'handle_ack'.
Now we catch it, print a warning, and go on.
The input_filter is the successor of the input_merger. In addition to
merging input streams, the component applies several forms of input
transformations such as the application of keyboard layouts.
Issue #2264
The read-ready packet informs the server that the client wants to be
notified if a handle becomes readable. When becoming readable, the
server acknowledges packet and the client may queue a read requests
accordingly.
This patch eliminates the need for a global allocator by passing the
parent-service registry as argument to the 'Slave::Policy' constructor.
Fixes#2269
The support has two parts. First, a VFS plugin now gets passed an
I/O-response handler callback on construction, which informs users of the
VFS that an I/O event occurred. This enables, for example, the libC to
check if blocking read can be completed. Further, the VFS file I/O
interface provides now functions for suspendable reads, i.e.,
queue_read() and complete_read().
Replacing the node lookup table with an Id_space removes the
limit on open handles per session and allows mutal associativity
between File_system handles and local VFS handles.
Fix#2221
The block file system wrongly modified the seek offset during a
read-modify-write operation that is required for sub-block-size
requests. This led to problems whenever such write requests spanned
multiple blocks and thereby were handled in multiple iterations.
Fixes#2262
The new utility at 'os/static_parent_services.h' allows the creation of
a registry of parent services at compile time and thereby eliminates the need
for dynamic memory allocations whenever the set of services is known at
compile time as is the case for most uses of 'Slave::Policy'. The commit
showcases the utility in the bomb test.
This commit enables compile-time warnings displayed whenever a deprecated
API header is included, and adjusts the existing #include directives
accordingly.
Issue #1987
For all tests
* use Component::construct instead of main
* use new connection constructors with env argument
* use log instead of printf
For some tests
* replace signal receivers with signal handlers
* replace global static variables with Main class members
* remove unnecessary multithreading
* model test steps as classes that are independent from each other and managed
by Main as constructibles
* use references instead of pointers and exceptions instead of error codes
* use Attached_* helpers intead of doing attach/detach manually
* use helpers like String, Id_space, Registry instead of arrays and lists
* make the run script suitable for automated execution and conclusion
Ref #1987
In the past, the Genode::destroy, that is called by the RAM-FS-chunk destructors,
issued Allocator::free instead of the C++ delete. Therefore it was possible to
use the size argument of Allocator::free for the allocation tracker in the
RAM-FS-chunk test. Nowadays, we have to keep track of the allocation sizes
ourselves because delete doesn't hand over the size.
Ref #1987
The FB Block Adapter in os/src/test visualizes a block session via a
Framebuffer session. As far as I can see, it is not a test but rather
the base for a bump-in-the-wire component. However, for this role it
currently lacks a Block back-end. As it also would have to be updated to
use the new base API I removed it instead, leaving only its git
history as inspiration if someone needs such a component in the future.
Fixes#2245
Ref #1987
* get rid of printf
* use exceptions instead of error codes
* use Id_space instead of the individual block device registry
* use Cstring instead of char const*
* move method definitions > 1 line to .cc files
* rename Block Block_driver and Serial Serial_driver to avoid name clashes
with the Genode namespace and thereby simplify the code
* use lambdas for Block device lookup and apply
* switch to the Component framework
* don't use env(), config(), ... and hand over env to each connection
* use Attached_mmio and Attached_rom/ram_dataspace instead of manual
solutions
Fixes#2223
The init component used to create the CPU/RAM/PD/ROM sessions (the child
environment) for its children by issuing session requests to its parent,
which is typically core. This policy was hard-wired. This patch enables
the routing of the environment sessions of the children of init
according to the configured routing policy.
Because there is no hard-wired policy regarding the environment sessions
anymore, routes to respective services must be explicitly declared in
the init configuration. For this reason, the patch adjusts several run
scripts in this respect.
This patch removes the outdated '<if-args>' special handling of session
labels. The '<if-args>' feature will eventually be removed completely
(ref #2250)
Issue #2197
Issue #2215
Issue #2233
Issue #2250
To better support non-blocking terminal components, let the
'Terminal::Session::write()' function return the number of bytes
actually written.
Fixes#2240
The session-control mechanism is based on the way how sessions are
labeled. In #2171, we changed the labeling to be more strict. In
particular, label-less sessions do no longer exist.
Unfortunately, nitpicker and the window manager still handled the former
weaker labeling, which ultimately led to a situation where any
session-control argument would mismatch. The behavior could be observed
in the launcher.run script where a click on the subsystem button would
not focus the clicked-on subsystem. With the patch, the scenario works
again as expected.
This patch enables warnings if one of the deprecate functions that rely
in the implicit use of the global Genode::env() accessor are called.
For the time being, some places within the base framework continue
to rely on the global function while omitting the warning by calling
'env_deprecated' instead of 'env'.
Issue #1987
Merge the platform-specific files and classes (they merely aggregated
themselves) so that each platform provides merely one class
Sd_card::Driver. Also, the Sd_card::Driver_base class is introduced for
the generic parts of Sd_card::Driver.
Ref #2206
Most implementations use a Signal_handler now to acknowledge the packet
instead of waiting for the transfer completion. The exceptions to that are
the non-DMA implementations for RPI and PL180
Ref #2206