This patch weakens the aggressive restart of a child with incomplete
environment sessions. The restart check is performed each time
the init configuration changes. In sculpt, this is not a rare special
case anymore but a frequent case when using the depot_rom as provider
for environment ROM sessions. In particular when starting a chain of
inter-depending children, the sculpt-manager quickly generates a
sequence of configurations with successively added start nodes.
The addition of the 'Cap_consumer' feature to app/dummy increased the
static RAM demand of the component to a point where 1 MiB no longer
suffices on sel4 (on this kernel, the base library uses a larger amount
of statically allocated data compared to the others). The tweaks enable
init.run and init_loop.run to work on sel4 on x86-64.
Selecting an alternate interface setting, even if it is the same as the
current one, apparently makes the INQUIRY command fail with USB devices
like 'SanDisk Ultra Fit' (0781:5583) and 'Corsair Flash Voyager'
(1b1c:1a03) when the USB block driver is restarted.
Fixes#2860
* Catch Quota_guard exceptions wherever we do 'new (_alloc)' in Interface
and in case drop the packet that caused the exception
* Modify Interface::handle_config_2 to not use the guarded allocator of the
NIC session quota as we cannot handle a RAM exhaustion well at this point
in time. Instead use a Constructible member in Interface so that a needed
RAM adds up to the calculation in the create_session implementation where
an exhaustion is handled via a service denial.
Issue #2857
The interface destructor called pure virtual methods at least when
cancelling ARP- waiting states. The implementations were made by the
deriving classes Session_component respectively Uplink. This led to an
abort of the NIC router as the destruction of the derived class was
already done. A similar problem already occured in the past during the
construction of Interface and was back then solved by introducing a
separate init() method. This commit, however, solved the problem by
making Interface a member of the other classes. Therefore, the init()
method could be removed again. Furthermore, the interface polica could be
moved from Session_component_base to Session_component. The commit also
had to generalize the way the link state of an interface is determined.
Fixes#2856
With this patch, the sculpt manager takes over the role the window
layouter of the leitzentrale, which eliminates the need to manually
position and size the inspect window.
While a child is abandoned, we must limit the start of anothers with
the same name. Otherwise - of the child has startup problems - a number
of abandoned children with the same name may queue up. This becomes a
problem whenever the child destruction depends on an asynchronous
service that provides an env session for the children. If the service is
unable to keep up with the session requests (both create and close),
the queue of abandoned children becomes unbounded. Limiting the child
creation rate to one abandoned child per name mitigates this problem.
This patch reduces the latency of state reports when children are
removed or added, thereby, accellerating the feedback loop between a
management component and init during the staged startup or removal of
inter-dependent components.
Whenever an environment session was provided by an asynchronous service,
e.g., the depot_rom of the sculpt scenario, the session quota was not
transferred to the server at session-creation time. This resulted in a
slow depletion of the server's quota over time. This patch ensures that
the delivery of session quota is consistent with the information
reported to the server as session argument.
The 'Child::_revert_quota_and_destroy' assumes to be called from the
client's context, which is normally the case when destroying sessions.
However, if a client's session outlives the client (because the
asynchronous close request to the server is still pending), the session
cleanup is performed in the context of the server. Here, the
'session_response' implementation wrongly called
'_revert_quota_and_destroy' to the effect that the session quota was
withdrawn from the server (good) but subsequently transferred back to
the server (bad). The patch replaces the call of
'_revert_quota_and_destroy' with only the first - correct - part of the
transaction.
This test monitors the RAM quota of a dynamic init and a server hosted
within the dynamic init in the presence of a repeatedly created and
destructed client.
Previously we were doing the initialization once over all domains,
remembered which of them became invalid and destroyed those afterwards.
This isn't sufficient. As soon as one domain becomes invalid we have to
dissolve/destroy this one, deinitialize all other domains again (as they
could contain references to the invalid domain) and retry to initialize
them from the beginning. We proceed with this until we have one run
without a domain becoming invalid. Then we can be sure that the last
initialization run did not create references to any invalid domain.
Issue #2840
The generic helper Avl_string_tree of the NIC router is currently only
used for finding domains via their names, but in the future it can be
used for finding uplinks by their labels also. Additionally, it enables
us to throw an exception when inserting two elements with the same
identifier.
Issue #2840
This patch suppresses the start of components that cannot run because
obvious runtime dependencies (used servers) are missing in the runtime.
In this situation, the sculpt manager gives diagnostic feedback to the
user in the runtime dialog.
* Get rid of the base classes Rule and Leaf_rule,
* Make log output about initiated or invalid routing rules conform to the rest
of the router log, and
* Ensure that each type of routing rule when being invalid invalidates its
whole domain.
Issue #2840
On Linux, we have a tap device as NIC back end but there is no one to
ping to in the subnet of the tap device. On FOC, the tests seem to trigger
a bug in the destruction of components with parent.exit(X); .
Fixes#2848
Sculpt's discovery of the default storage target can be intercepted by
user input (i.e., pointer movements) at boot time. The patch makes this
intervention mechanism robust for the case where nitpicker's first hover
report arrives after all storage devices were already scanned.
By tracking the states for an interactive selected NIC target (managed)
and a manual-defined NIC target (config/nic_router) separately, the
sculpt manager becames able to present the user with the ability to
interactively disable and re-enable a manually-managed network
configuration.
The sculpt manager wrongly paid for the nitpicker session of the fader
out of its own pocket. This patch reduces the quota transfer to the
amount provided the fader.
When updating the GPT to match the underlying block device, the
protective MBR will normally also be updated. In case a hybrid MBR is
used, as is done if 'image/disk' is specified, setting the
'preserve_hybrid' flag will prevent the component from overriding the
MBR.
The condition was too rigid. In the case where no motion occurred in
between the press and release events of the magic button, the delayed
press event would not be delivered. This - in turn - confused other
components (like nitpicker) down the input chain.
for such classes where it should be safe and where we have seen issues.
Disabling in general bus master DMA causes on some machines hard hangs, e.g.
because the USB handover protocol was violated.
Fixes#2835
In contrast to most information of init's state reports, which can be
monitored at a relatively low rate (like 2 seconds in Sculpt's runtime),
resource requests call for an immediate response by the consumer of the
report. Otherwise the requesting child stays unnecessarily blocked until
the next rate-limited state report is due. This patch adds a fast lane
for such low-latency state updates to init.
- support saving of files with no file name extension
- make the the "All Files (*)" file selection filter the default to see
configuration files immediately
Fixes#2844
This commit updates Early-Adopters (EA) version of Sculpt to the version
for The Curious (TC). Most importantly, it contains the new interactive
sculpt-manager component that automates many system management and
configuration tasks.
In case of an Alloc_return error, don't free the address at 0. If this
is a managed dataspace, there could be valid attachments which then gets
lost.
Make decreasing alignment search working. Continue with lower alignment
restrictions in case the optimal alignment wish can't be fulfilled.
Do not send nor buffer packets at interfaces with link state "down". This
prevents that packets that were routed to one network (allowed to see them),
due to a sudden link down/up, are leaked to another network that is not
allowed to see them.
When updating an interface in the NIC router to a new configuration and
the domain name of the interface has not changed but the domain
disappeared, the NIC router did not detach from the old domain correctly
which led to broken remnants of interface state objects (like connection
states).
Adapt the nic_router_uplinks run script to work with the fix.
fs_report truncated the report file on construction of the report
session to mimic an "empty report". This prevented existing use cases
where the initial state was already written to the file system by other
means.
I doubt that use cases exist where the inital empty-report mimic is
needed and (if I'm wrong) there is still the race of the consumer
reading the file just before the report session is constructed.
Reporters that want to enforce an empty initial report should send it
explicitly.
This patch enhances the 'Child' interface with the ability to retry the
deployment after an initial attempt failed. This way, packages can be
installed on demand based on the error feedback of deployment attempts.
The state report reflects the progress of downloading, verifying, and
extracting archives. For the download step, it includes the progress
as reported by fetchurl.
This patch changes the button widget to apply the vertical offset to its
child widgets at draw time, not at the layout phase. This way, the
visual feedback on button press/release changes is more direct because
it sidesteps the geometry animation.
Clients may wish to act on missing files. In any case the fs_rom
needs to reopen a watch handle when a file is deleted, and this
sort of change to the internal state machine is propelled by
client RPC requests.
Fix#2839
The new 'displays' report contains information about the used
framebuffer backend. It is issued when nitpicker has successfully passed
all initialization, in particular the connection to the framebuffer
driver. Hence, it can be taken as an indicator of whether the framebuffer
is available or not (e.g., caused by a faulty driver).
* Enable USB input
* Get rid of variables that adapted runscript to other platforms than x86_64
hardware with nova and instead restrict the run script to this platform
* Use a dynamic config for routers
* Switch label of the uplink of router 1 so it connects to Wifi and NIC driver
alternately
* Let uplink domain tag appear and dissapear
Issue #2815
Automated test for switching the NIC-router uplink between NIC driver and Wifi
driver with DHCP and different subnets. Tests also removal and later re-
insertion of the uplink domain tag.
Issue #2815
When re-configuring the NIC router, determine for each domain if at least one
interface stays with the domain. If a domain fullfills this and has a
dynamic IP config (received via a DHCP client), keep the IP config.
To achieve this, the following changes have been made to the existing NIC
router code:
* Split-up Interface::handle_config into three steps:
1) Determine for each interface if its domain can keep its IP config or
or if it has to mark it invalid. This must be done before (re-)attaching
any interface because during "attach" several decisions are made based on
the validity of the IP config of corresponding the domain.
(E.g. whether to participate in sending DHCP DISCOVERs {IP config
invalid} or whether to participate in sending pending ARP REQUESTs
{IP config valid} ).
2) Detach, attach, or re-attach each interface according to the
configuration. This must be done before re-considering the temporary
state objects of each interface because the latter might have effects
on the interfaces of remote domains which must then be in place already.
3) Re-consider temporary state objects of each interface. (E.g. transport
layer connection states)
* Re-work IP-config setter in a way that it works as follows:
1) If the old IP config is valid, let all local interfaces as well as remote
interfaces that depend on the IP config of the domain detach from the old
IP config.
2) Overwrite with new IP config
3) If the new IP config is valid, let all local interfaces as well as remote
interfaces that depend on the IP config of the domain attach to the new
IP config.
Issue #2815
The new attribute config.domain.label has effect only at the uplink
domain-tag. It determines which label the NIC router shall use when
requesting the NIC session for the uplink domain. If value of this
attribute changes at the uplink domain-tag, the NIC router closes and
re-requests the NIC session of the uplink with the new label.
Issue #2815
This tests the case that behind a NIC router domain there are not only
directly connected clients of the subnet but also Layer 2 indirections like
a switch or a bridge which might be interesting for example for testing the
NIC routers DHCP server implementation.
Fixes#2837
Set DHCP-DISCOVER retry timeout and DHCP-REQUEST retry timeout from 10
seconds to 2 seconds. This prevents problems with tests where the NIC
driver comes up slowly and the first packets of the DHCP client get
dropped.
Issue #2837
The Ethernet destination MAC address of a DHCP reply is not the same as the
DHCP client MAC address. The DHCP server of the NIC router did not take care
of this by now.
Issue #2837
Properly initialize and reset the _owner member, otherwise
correlating the unlock operation with the respective read/write
lock does not work.
Move locking the _nbr_mutex in the unlock operation after the
owner check. Otherwise, a reader holding that mutex and waiting
for the write lock would deadlock a writer trying to unlock the
_global_mutex.
Ref. Componolit/componolit#86
Ref. #2656Fixes#2832
When an environment session is provided by a async service such as a
sibling component, the session metadata must be preserved until end of
the lifetime of the session at the server has been acknowledged by the
server. Since the session meta data of env sessions are always part of
the 'Child' object, the destruction of this object must be deferred
until this point.
Merge the 'Packet_handle' into the 'Rom_root' and use an Id_space to
match File_system handles to session objects rather than a list. This
avoids the need to override 'Root_component::_destroy_session'.
Fix#2833
When exhausted of RAM quota while starting children, init used to throw
an uncaught 'Out_of_ram' exception as this condition was considered
fatal. However, this behavior is undesired when init is used in a highly
dynamic yet long-running fashion like sculpt's runtime subsystem. This
change keeps init running despite the error condition, giving the user
the chance to relieve the resource pressure.
If ACPI IRQs are received but no changes to the watched state for a specified
count can be observed, than generate nonetheless a Genode report.
Issue #2816
The 'View_stack::draw_rec' method limited the redraw to parts of the
view that were explicitly marked as dirty. This does not produce the
desired result when stacking multiple transparent views. Here, the
background views must be drawn regardless of whether they are marked as
dirty or not.
Rename LwIP library in preparation for removal of LwIP libc plugin. The
current LwIP library will be replaced with a new version stripped of its
synchronous socket support. The next version will be incompatible with
the current, so removing 'lwip.lib.so' completely for a period makes it
easy to identify legacy users.
Fix#2797
This patch makes the 'List_model' utility robust against duplicated
occurrences of node IDs in the supplied XML data. If two or more XML
nodes correspond to the same model element, the existing element is
updated with the information of the subsequent XML nodes.
This patch enhances the box layout such that child widgets are
equally stretched to the available size whenever the box layout's
size is larger than its min size. Furthermore, it corrects the
mixed-up use of the terms east and west in the float widget.
The file may also be changed by other components, so a open-close cycle
for write() is more robust. For example, Vim removes the original file
and recreates with the new content.
This component creates a GPT on a Block device. It supports the common
actions, as in adding, deleting and modifying entries in the GPT, while
considering alignment constraints. If needed it will round the length of
a partition down to meet those constraints. The component will not
perform layout checking, i.e., it does not care about overlapping
partitions. Only when apping a partition it will make sure that the
partition will fit.
Please read _repos/gems/src/app/gpt_write/README_ for more detailed
information on how to use the component and feel free to check out
_repos/gems/run/gpt_write.run_.
Fixes#2814.
The box-layout widget used to trigger the geometry animation of its
children immediately when updating the widget from the XML model (by
calling 'child->Widget::geometry'). This caused layout inconsistencies
in situations where the box layout is defined not by the constraints of
the child widgets but from the outside (the parent calls Widget::size).
Since the final layout is not known before the parent defines the actual
size, this patch moves the trigger point for the geometry animation to
'Widget::size'.
The new 'version' attribute can be used to explicitly distinguish
widgets that have the same name. E.g., if one widget is removed and
another with the same name is created somewhere else at the same time,
the menu view would normally interpret this change as a movement.
By attaching a distinct 'version' the new instance, menu view won't
attempt perform a smooth transition between the old and new widgets.
The '_active_mode' must not be changed at any time except when the
client asks for the 'Framebuffer::mode'. Otherwise, the dimensions of
dataspace used by the client is not always consistent with the mode
information as gathered by the client.
Generic code that operates over both UDP and TCP sockets might use
'sendto', but in the case of TCP the destination address ought to be
safely discarded. This seems to be the case for certain DNS software
that operates over both UDP and TCP.
Fix#2807
On real hardware, the tests expect an IPv4 subnet such that UDP requests
to 10.0.0.2 port 12345 get answered with an ICMP destination port unreachable.
Issue #2775
support USB NIC
Issue #2788
Set DHCP discover timeout to 1 second because, for some reason, the first
DHCP discover attempt of the NIC router on the PandaBoard times out with the
nightly test infrastructure.
Issue #2788
Adaption to mac-address allocation changes
Normally, the NIC sessions are independent from the domain tags.
However, by now the uplink session, in contrast to the sessions of the
other domains, is still not a server but a client. This means that only
the NIC router itself can decide when to open and close uplink sessions
and how many. Thus, with this commit, we break with the pattern that
session lifetime is independent from domains by letting the NIC router
create the uplink session when the uplink domain appears and close the
session when the domain disappears.
Fixes#2795
Since the router MAC is allocated like the donwlink MACs it can't happen
anymore that these MACs clash, for instance due to nested routers. Thus,
the range of the MAC allocators of nested routers must not be exclusive
anymore which deprecates the 'mac_first' configuration attribute.
Issue #2795
Allocate a virtual MAC address at runtime that is used as router
Ethernet-identity for all downlink domains. This makes the downlink
domains independent from the uplink session.
Issue #2795
The old MAC allocator had several drawbacks:
* the address base was a public static that could and must have been written
directly from outside the class
* the in-use-flag array was based on unsigned values consuming 4 bytes each
for only one bit of information
* it was a public header that we actually don't want to expose to all
components but only to the few networking components
* it used the not-so-safe bit notation for integer members of GCC
The new version fixes all these drawbacks.
Issue #2795
Instead of handing over the maximum available size to the packet data
accessors, hand over a size guard that keeps track of the packets
boundaries.
This commit also moves the size-guard utilitiy header of Ping and NIC
Router to the include/net directory making it a part of the net library.
It applies the new approach to all net-lib users in the basic repositories.
Ping looses its configurability regarding the ICMP data size as this would
require an additional method in the size guard which would be used only by
Ping.
The size guard was also re-worked to fit the fact that a packet can
bring a tail as well as a header (Ethernet).
Issue #2788
For now it is enough to differentiate the most commonly used file
system on Genode, e.g. Ext2 for the Genode partition and FAT32 for
(U)EFI partitions.
Issue #2803.
The component will now always try to parse the MBR as well as the GPT
(in this order). It will bail out if both are considered valid, using
GPT/MBR hybrid tables is not supported.
Fixes#2803.
Issue #2778
The "create_grub2" script functionality is moved to the g2fg contrib sources
and also the GRUB2 head image (tool/grub2-head.img). The head image is now
partitioned as GPT and bootable in BIOS legacy mode.
issue #2791
pthread_attr is not associated with any thread, the statistics must be
gathered at runtime, while 'pthread_attr_get_np' may retrieve attributes
by from any thread. Addtionally, the attributes given to
'pthread_create' will most likely be deleted after the creation call.
The sole existence of shared-object dependencies lead to fatal
static-constructor errors before. Now, ldso checks if the ctors section
of objects in the init list are non-empty before whining.
Issue #2759
This patch addresses the corner case where hovering changes while a
button is held, e.g., when accidentially moving the pointer out of a
application window's area during a drag-and-drop operation. The patch
makes the window manager aware of the drag/idle state. Only when idle,
the pointer position is propagated to the decorator now.
Socket_fs sockets are now created each time a 'new_socket' control file
is opened, not each time a 'new_socket' file is read. When a handle on a
'new_socket' file is closed the socket and its socket files are
destroyed. The accept control file on a listening socket reads "1" or
reads nothing to indicate a client connection is queued. Client sockets
are accepted by opening an 'accept_socket' file in the listen socket
directory. This file behaves like the aforementioned 'new_socket' file.
Ref #2707
The nic_bridge test is not suitable to be executed on hardware so it should,
in case, print an appropriate message and return without doing anything else.
Issue #2788
The Ethernet payload may be followed by padding of variable length and
the FCS (Frame Check Sequence). Thus, we should consider the value
"Ethernet-frame size minus Ethernet-header size" to be only the maximum
size of the encapsulated IP packet. But until now, we considered it to
be also the actual size of the encapsulated IP packet. This commit fixes
the problem for all affected components of the Genode base-repository.
Fixes#2775
This reduces the redundant implementations of checksum calculation to
one generic implementation, makes the checksum interface conform over
all protocols, and brings performance optimizations. For instance,
the checksum is now calculated directly in big endian which saves us
most of the previously done byte-re-ordering.
Issue #2775
When the former trace buffer implementation wrapped, the last entry
according to commit order couldn't be detected anymore. Now, the last
committed entry is always followed by an entry with length 0.
As a downside of this, there are now two meanings of "last" entry: It
means either that the entry marks the empty padding after the entry with
the highest memory address or that it actually marks the end of the
buffer according to commit order. This is an example state of the buffer
with the two types of "last" entry:
last last
+-------------+------------+---+---------+-------------+------------+---+-------+
| len3 data3 | len4 data4 | 0 | empty | len1 data1 | len2 data2 | 0 | empty |
+-------------+------------+---+---------+-------------+------------+---+-------+
If the entry with the highest memory address fits perfectly, the first
type of "last" entry is not needed:
last
+------------+--------------------+---+-------+-------------+-------------------+
| len3 data3 | len4 data4 | 0 | empty | len1 data1 | len2 data2 |
+------------+--------------------+---+-------+-------------+-------------------+
If the buffer didn't wrap so far, there is only one "last" entry that
has both meanings:
last
+--------------------------+------------+-------------+---+---------------------+
| len1 data1 | len2 data2 | len3 data3 | 0 | empty |
+--------------------------+------------+-------------+---+---------------------+
Issue #2735
Co-authored-by: Martin Stein <martin.stein@genode-labs.com>
Replace packet method 'T *data' by the new methods 'T &reinterpret_data'
for parsing or modifying existing sub-protocol packets and 'T
&construct_at_data' for composing a new sub-protocol packet. This has
the advantage that, when composing a new packet, the default constructor
that zero-fills the packet is always called first.
Fixes#2751
This commit changes the 'Input::Event' type to be more safe and to
deliver symbolic character information along with press events.
Issue #2761Fixes#2786
By now, rump would query its available RAM quota to determine the
memory limit minus some RAM reserved for Genode meta-data. This
does not work when the VFS rump plugin is used as the available
quota belongs to the VFS server. In this case the memlimit should
be set by specifing the RAM in the plugin's config, e.g.:
! <vfs>
! <rump fs="ext2fs" ram="64M" writeabl="yes"/>
! </vfs>
Fixes#2783.
In Vm_space::map when allocating a new page-table-entry selector, the
allocator may throw an exception that there are no selecztors left which
was not caught by now. Now, we catch this exception, flush the mapping
cache to free all selectors again and retry to allocate.
Fixes#2781
On the Raspberry PI, the 2 seconds of round time in the polling test
were not sufficient to reach the goal of at least 1000 successful polls.
Thus, the commit sets the round time to 2.5 seconds which doesn't hurt to
much but allows the RPI to just make it.
Fixes#2779