The 'usb_report_filter' component takes the devices report from the
USB driver and generates a new devices report after checking each
entry against its device white-list. Before emitting the new report
it changes the configuration of the USB driver to contain the
required policy entries.
See 'repos/os/src/app/usb_report_filter/README' for more details.
Issue #1863.
- Use 'label' attribute to identify device instead of
bus/dev and vendor_id/product_id
- Implement release_interface RPC
- Report 'label' as well as 'bus' and 'dev'
- Add policy handling to raw driver (includes reconfiguration
at runtime)
- Use own memory backing store for large DMA allocations
Issue #1863.
Now, the right PCI bus:device:function (BDF) is reported to the kernel
during assign_pci syscall - beforehand it was ever 0:0.0. The BDF is
needed to lookup the correct DMAR unit the kernel has to configure. This
was revealed as the DMAR unit for Intel graphics on x201 is not the same
as for all other PCI devices we have drivers for on this platform.
Fixes#1848
Because a check for the TEST_WRITE configuration was missing as condition for a
packet submit, the test caused unwanted write access to the device.
Ref #1824
This patch adds diagnostic messages during the label-policy application,
if no policy for the session label was found or if the domain configured
in the policy node does not exist.
From our observations we can tell that the error should not exceed 4%.
However, there is no reasonable explanation by now why the test results
are less stable on these platforms. We have tried several things that
did not lead to an explanation or improvement:
* changing the timing parameters of the scheduler
* switching off SMP
* double-checking the speed of userland and kernel timers
Ref #1805
The test threads previously used a stack size independent from the machine
word width. Qemu was previously configured to provide 64Mb of RAM which isn't
sufficient for x86_64.
Ref #1805
Print result error and error tolerance per test result. Use TCL commands
'format' and 'abs'to simplify calculations in the conclusion part of the run
script.
Ref #1805
This reverts commit d8b95c263b.
Some clients might want to fiddle with the clients play position
(e.g. the mixer) within 'Audio_out::start()' and we might reset
it to an old value if we do it afterwards.
Fixes#1796.
Since all Audio_out server components loop over the packet stream
queue it is save to reset the tail position to one after the play
position. We have to do this because we do not know exactly when
the play position changes (i.e. the driver has processed the packet)
and we might end up with a tail position before the current play
position.
Issue #1796.
Instead of bailing out if the channel list is incorrect check config
node attributes and default settings first.
Being there also fix flawed LOG messages.
Fixes#1794.
This patch unifies the mechanism of selecting server-side policies and
taking session-routing decisions based on session labels. In both cases,
XML nodes are scored against session labels. The score depends on the
XML attributes 'label' (exact match), 'label_prefix', and
'label_suffix'.
Issue #1766
* Provide paravirtualized block API for accessing the second partition
of the block device that is provided by the ESDHC driver.
* Provide paravirtualized serial API for sending log-output over Genodes
serial port.
* Use the latest Linux suggested in the USB Armory Wiki [1] when on USB Armory
while still using the older vendor Linux when on i.MX53 QSB. I.e.,
provide a device tree through RAM and a rootfs through the paravirtualized
block device when on USB Armory while providing ATAGs and Initrd when on
i.MX53 QSB.
* Switch on the LED on the USB Armory when the VMM catches a VM-exception
and switch it off again when as soon as the exception is handled. This
merely show-cases the ability to instrument the LED for such purposes. In an
ideal world, the LED is switched on as long as we're on the "Secure Side"
and switched off as long as we're not.
* For further information see repos/os/run/tz_vmm.run
[1] https://github.com/inversepath/usbarmory/wiki/Preparing-a-bootable-microSD-imageFixes#1497
Move ADMA2 stuff to extra header and unit. Move ESDHCv2 implementations to
extra unit. Use exceptions instead of error codes. Clean-up documentation.
Ref #1497
The manual termination of multi-block writes via "Stop Transmission" commands
seems to leave the card in a busy state sometimes. This causes errors on
subsequent commands. Thus, we have to synchronize manually with the
card-internal state via "Send State" commands. Additionally, the method
for issuing the manual "Stop Transmission" commands was refined.
Ref #1497
We have to issue a data synchronization barrier after writing a ADMA2
table to ensure that the corresponding write commands were actually
executed before issuing the SD command.
Ref #1497
On i.MX53 QSB, a "Send Op Cond" command during the driver initialization
returns another response value than on the USB Armory. As the check for
this response seems to have no relevance for the driver functionality (Linux
reads the value from MMIO but I can't find a place in the source code where
it is used), we simply remove it.
Ref #1497
Previously, it was not necessary to acknowledge an IRQ initially before using
it. However, since the IRQ framework changed lately it is. Adapt to this.
Ref #1497
Notify client initially to enforce a client-side ROM update. Otherwise,
a server-side ROM update between session creation and signal-handler
registration would go unnoticed.
Issue #1788
This patch changes the decorator to always apply stacking-order changes
immediately instead of deferring the re-stacking of the nitpicker views
to the next call of 'update_nitpicker_views'. The deferred application
did not always work when more then one windows changed their stacking
position at once because the cached '_neighbor' values interfered with
each other.
The eager re-stacking should not have negative effects on the user
experience because, in contrast to re-positioning, re-stacking a rare
operation.
This change makes it possible to reuse the generic window decorator
classes in include/decorator/ for decorators of a different structure.
E.g., instead of painting decorations on a single nitpicker session,
each window may paint its decorations into additional window-specific
nitpicker sessions.
In the event where a nitpicker session's quota was depleted by the
allocation of view handles, nitpicker would abort. The patch prevents
the abort by reflecting this condition as an Out_of_metadata exception
to the client. This way, the client can upgrade its session as needed.
The problem was triggered by running the decorator_stress test (changed
to generate 40 windows) with the themed_decorator.
This patch addresses the corner case that the specified neighbor view
is the first view of the view stack. If this is the case when inserting
the view in front of the neighbor (behind == false), the target position
within the view stack must be a null pointer, not the first view.
Because the conditions have become rather complicated, both cases
of 'behind' are handled separately now.
The notion of a channel is shared by the mixer backend as well as the
frontend. To make dealing with reports between those easier move the
Channel definition to a global header.
Issue #1770.
This patch ensures that focus changes performed via the Session::focus
call are made effective the next time, the user is idle. Previously,
focus changes during drag operations were simply discarded.
strip_last_element at Path removes everything after the trailing slash,
which causes lookup failures at the VFS server when opening directories.
Issue #1648
Throw Invalid_name, No_space, and Out_of_node_handles where appropriate.
Catch the new range of errors thrown by at the VFS.
Catch Out_of_node_handles at the VFS, but print a message and re-throw.
Issue #1648
This patch introduces a shortcut for conditional session routes of the
form '<if-arg key="label" value="..."/>'. With this change, the label
can be directly specified as 'label' attribute of an '<any-service>' or
a '<service>' node. The '<if-arg>' mechanism was not documented anyway
and I hope to be able to ultimately remove it.
Currently, when a signal arrives in the main thread, the signal dispatcher is
retrieved and called from the main thread, the dispatcher uses a proxy object
that in turn sends an RPC to the entry point. This becomes a problem when the
entry point destroys the dispatcher object, before the dispatch function has
been called by the main thread. Therefore, the main thread should simply send an
RPC to the entry point upon signal arrival and the dispatching should be handled
solely by the entry point.
Issue #1738
* use '_dma_ext' or '_fdpma' commands
* handle interrupts depending on mode of operation
* spelling fixes
* move ATA 'Idendity' struct to ata header
issue #1734
This patch improves the decorator in two ways. First, it enables the
assignment of window colors depending on the window labels. This
configuration can be changed dynamically. Second, it adds the handling
of window controls for closing, maximizing, minimizing windows.
Issue #1689Fixes#1688
This patch supplements the existing focus reports with the new attribute
'active', which indicates recent user activity when set to "yes". This
information is consumed by the clipboard to dynamically adjust its
information-flow policy depending on the user activity.
Issue #1712
This patch moves the formerly internal classes of the report-ROM service
to the public location os/include/report_rom/ so that they can be reused
by other components such as the upcoming clipboard.
This overload of the value member eases the retrieval of Genode::String
objects from XML attributes. So we won't need to deal with C-style
character buffers anymore.
The utilities in os/session_policy.h used to be tailored for the
matching of session arguments against a server-side policy
configuration. However, the policy-matching part is useful in other
situations, too. This patch removes the tight coupling with the
session-argument parsing (via Arg_string) and the hard-wired use of
'Genode::config()'.
To make the utilities more versatile, the 'Session_label' has become a
'Genode::String' (at the time when we originally introduced the
'Session_label', there was no 'Genode::String'). The parsing of the
session arguments happens in the constructor of this special 'String'.
The constructor of 'Session_policy' now takes a 'Genode::String' as
argument. So it can be used with the 'Session_label' but also with other
'String' types. Furthermore, the implicit use of 'Genode::config()' can
be overridden by explicitly specifying the config node as an argument.
Until now, the CLI monitor and the laucher allowed the user to explitly
kill subsystems but both used to ignore gracefully exiting subsystems.
It was the user's job to remove the remains of those subsystems. The
patch takes the burden of manually killing exited subsystems from the
user.
Fixes#1685
Destroying an object within the scope of a lambda/functor executed
in the object pool's apply function leads potentially to memory corruption.
Within the scope the corresponding object is locked and unlocked when
leaving the scope. Therefore, it is illegal to free the object's memory meanwhile.
This commit eliminates several places in core that destroyed wrongly in
the object pool's scope.
Fix#1713
* Move the Synced_interface from os -> base
* Align the naming of "synchronized" helpers to "Synced_*"
* Move Synced_range_allocator to core's private headers
* Remove the raw() and lock() members from Synced_allocator and
Synced_range_allocator, and re-use the Synced_interface for them
* Make core's Mapped_mem_allocator a friend class of Synced_range_allocator
to enable the needed "unsafe" access of its physical and virtual allocators
Fix#1697
The intention of Packet_ref was to allow clients to place opaque
references into the packet descriptor itself, which could be observed on
packet completion. Currently no component in our sources uses this
feature and beyond that it is questionable if it should be used at all:
If the server tampers with the ref the client may easily be confused
into observing an incorrect or invalid context. It seems better to
remove the opaque context from the descriptor and leave the actual
implementation to the client and its needs.
This patch extends the configuration concept of init with an additional
sub node for the <start> node:
<start name="noux">
<exit propagate="yes"/>
...
</start>
If the 'propagate' attribute is set to "yes", the exit of the respective
child will appear to init's parent as the exit of the entire init
subsystem.
Fixes#1686
Instead of holding SPEC-variable dependent files and directories inline
within the repository structure, move them into 'spec' subdirectories
at the corresponding levels, e.g.:
repos/base/include/spec
repos/base/mk/spec
repos/base/lib/mk/spec
repos/base/src/core/spec
...
Moreover, this commit removes the 'platform' directories. That term was
used in an overloaded sense. All SPEC-relative 'platform' directories are
now named 'spec'. Other files, like for instance those related to the
kernel/architecture specific startup library, where moved from 'platform'
directories to explicit, more meaningful places like e.g.: 'src/lib/startup'.
Fix#1673
This scripts starts two Audio_out session clients. These clients
access the soundcard via the mixer. The first client simply streams
a sample file in a loop while the second client generates a click
sound when any key is pressed.
Issue #1666.
Sometimes, the play position in stream is behind the out stream, mostly
because of timing issue. In this case, the mixer will produce invalid
packets which in return will lead to looping on an invalid packet in
the audio_drv.
Issue #1666.
For some platforms (at least hw_zynq on Qemu), the measured time of the
periodic timeout test exceeded the maximum that was previously
calculated without any tolerance. Most likely, this is not a malfunction
of the test subject as the error is pretty small and, of course,
measuring the time produces overhead itself. Introducing a tolerance of
only 0.1% fixes the problem.
Fixes#1599
Instead of returning pointers to locked objects via a lookup function,
the new object pool implementation restricts object access to
functors resp. lambda expressions that are applied to the objects
within the pool itself.
Fix#884Fix#1658
If a requested report already exists the request is denied with
Invalid_args.
Further, I dusted the report_rom test and added it to the
autopilot list.
When a stream was stopped it may still contain valid packets that
will be played automatically when the stream is started again. The
invalidate_all() method may be called after stopping the stream to
prevent this.
Issue #1647.
The alarm library failed to handle the case properly where an already
scheduled alarm gets rescheduled before it triggered. Even though the
attempt to reschedule the alarm (twice insertion into alarm queue) was
detected, this condition resulted in the mere modification of the
alarm's parameters while keeping the alarm's queue position unchanged.
This, in turn, may violate the invariant that all enqueued alarm objects
are strictly ordered by their deadlines. The patch handles the case by
dequeuing the alarm object before reinserting it into the queue at the
right position.
Fixes#1646
With the introducation of the Audio_in session interface it makes
sense to rename the current available audio drivers. At the moment
only the dde_bsd audio_drv supports Audio_out as well as Audio_in.
The Linux audio_drv only supports Audio_out (there is no demand for
Audio_in support currently) but is renamed nonetheless to make it
easiert to write generic run scripts.
Issue #1644.
In line with the Audio_out session a Audio_in session is used to
record audio frames. Like in the Audio_out session shared memory
in form of the Audio_in::Stream is used to transport the frames
from the server to the client. These frames consist of single
channel (mono) samples. An Audio_in::Packet always contains a full
period of frames.
A Audio_in server captures frames and puts them into the
Audio_in::Stream. To do so the server allocates a Audio_in::Packet
from the packet queue embedded in the Audio_in::Stream. If the queue
is already full, the server will override packets and notify the
client by submitting the 'overrun' signal. The client has to cope
with this situation, e.g., by saving packets more frequently.
A client will also receive a 'progress' signal from the server when
a new Audio_in::Packet was submitted to the packet queue.
Fixes#1644.
To archive lower latency the length of a period was reduced from
2048 (~46ms) to 512 (~11.6ms) samples.
It should be noted that this change probably breaks audio in Qemu on
most systems.
Issue #1644.
Move FS Node implementations from server/ram_fs to include/ram_fs.
Support embedded ram_fs instances in VFS configurations using <ram/>.
Add 'no space' handling to VFS symlink ops.
Fixes#1635
Allow symlinks to be passed to the read and write file system utilities.
Disallow writes to symlinks with offsets in file system servers, this is
to ensure that writing the target of a symlink is an atomic operation.
Fixes#1604
If some sessions run out of memory in init, resource requests will be issued
to core, which it never will satisfy. Setting some default signal handler
avoids that the default implementation will block init for ever.
Issue #1632
The timer driver previously used floating point operations to translate us to
tics and vice versa. This isn't necessary as the rounding error isn't critical
for the given values but expensive which should be avoided in a code path that
must be executed pretty frequent with high priority.
Ref #1628
This commit eliminates the mutual interlaced taking of destruction lock,
list lock and weak pointer locks that could lead to a dead-lock situation
when a lock pointer was tried to construct while a weak object is in
destruction progress.
Now, all weak pointers are invalidated and dequeued at the very
beginning of the weak object's destruction. Moreover, before a weak pointer
gets invalidated during destruction of a weak object, it gets dequeued, and
the list lock is freed again to avoid the former dead-lock.
Fix#1607
The timer driver on X86 needs CPU quota with highest priority as it
frequently has to interrupt the counters to update the PIT.
On ARM this makes no difference in the test results as ARM timer
drivers, once configured, can sleep until the end of the timeouts.
On X86 we raise the error tolerance to 2% (default 1%) to compensate
the error caused by the timer.
Fixes#1621
Printing all errors and the goal values instead of exiting at the first
error allows for faster analysis of problems with the CPU-quota
mechanism.
Ref #1616
The test always succeeded because I forgot to set the error tolerance from
my debugging value 1 back to the correct value 0.01 before commiting the
test.
Ref #1616
Adjust bomb to specify the various hard-coded parameters and set up bomb.run
this way that it manages at our test machine to succeed in the given time.
Issue #1615
Add a test where a locked pointer shall be taken during object destruction.
Moreover, extend the run-script so it runs on different platforms with
"real" timers.
Init used to specify the unique child name as session label when
requesting the binary image of a dynamically linked child. The actual
module name was propagated as "filename" session argument. Since we want
to move towards the sole use of the session label, which can be taken
into account for the session routing, the module name should always be
the last part of a ROM session label.
This patch changes the window manager, the decorator, and the
floating window layouter to propagate the usage of an alpha channel from
the client application to the decorator. This way, the decorator can
paint the decoration elements behind the affected windows, which would
otherwise be skipped.
This patch changes the way how CLI monitor obtains its subsystem
configurations. Originally, this information was provided via the
Genode::config mechanism. But for managing complex scenarios, the config
node becomes very complex. Hence, it is preferrable to have a distinct
file for each subsystem configuration.
The CLI monitor scans the directory '/subsystems' for files ending with
".subsystem". Each file has the same syntax as the formerly used
subsystem nodes.
Removed the Nic::Driver implementation. All nic servers now inherit from
Nic::Session_component. Packet stream signals are dispatched to
the 'handle_packet_stream' function within a session component. Thus, nic
servers now have direct access to the packet stream channels, making handling
more flexible.
Adjusted nic_loobpack, dde_ipxe, wifi, usb, lan9118, Linux nic, and OpenVPN to
the new interface.
Fixes#1602
While importing trace sources as trace subjects into a TRACE session,
the session quota might become depleted. The TRACE session already keeps
track of the session quota via an allocator guard but the 'subjects' RPC
function missed to handle the out-of-memory condition. This patch
reflects the error condition as an 'Out_of_metadata' exception to the
TRACE client. It also contains an extension of the trace test to
exercise the corner case.
This patch enable clients of core's TRACE service to obtain the
execution times of trace subjects (i.e., threads). The execution time is
delivered as part of the 'Subject_info' structure.
Right now, the feature is available solely on NOVA. On all other base
platforms, the returned execution times are 0.
Issue #813
This patch bases the size of the destination buffer in
'Init::Child_policy_redirect_rom_file' on the maximum label size
instead of the filename size. Otherwise, the use of a long configfile
name (i.e., "trace_subject_reporter.config") in combination with a long
child name ("trace_subject_reporter") would result in a truncated label
string.
When replacing a report with a smaller one, the corresponding ROM
dataspace should not contain any traces of the old report. Otherwise,
the consumer of the ROM dataspace may mistake the stale content as
meaningful information. This is particularly annoying when manually
inspecting reports. This patch overwrites the stale content with zeros.
By appending a newline to the generated XML data, we prevent the output
from messing with the command prompt when using 'cat' on a shell.
Futhermore, when using line-buffered output, the trailing newline
ensures that the output gets gets properly flushed.
This patch moves the VFS file-system factory to a separate vfs library
that is independent from libc. This enables libc-less Genode programs to
easily use the VFS infrastructure.
Fixes#1561
- send a 'state_change' signal on session creation if the device is
already attached
- evaluate the status code of a finished asynchronous operation
- return the number of actually transferred bytes for control transfers,
too
Fixes#1490
White list access to ports we actually need for our drivers so far and
deny everything else by default. The extend pci config space dataspace is
currently not used and exposes a potential risk (BAR rewrite) - so deny.
Related to #1487
Step to move shared irq handling out of core in the long run. So, use
irq_proxy implementation from base in os and implement shared irq handling
in platform driver of x86 (pci_drv).
Fixes#1471
Physical CPU quota was previously given to a thread on construction only
by directly specifying a percentage of the quota of the according CPU
session. Now, a new thread is given a weighting that can be any value.
The physical counter-value of such a weighting depends on the weightings
of the other threads at the CPU session. Thus, the physical quota of all
threads of a CPU session must be updated when a weighting is added or
removed. This is each time the session creates or destroys a thread.
This commit also adapts the "cpu_quota" test in base-hw accordingly.
Ref #1464
Use the new asynchronous IRQ interface in the mostly used drivers, e.g.:
* ahci_drv: x86/exynos5
* gpio_drv: imx53/omap4
* input_drv: imx53/dummy
* ps2_drv: x86/pl050
* timer_drv
Now, the Irq_session is requested from Gpio::Session:
From now on we use an asynchronous IRQ interface. To prevent triggering
another GPIO IRQ while currently handling the former one, IRQs must
now by acknowledged explicitly. While here, we also changed the GPIO
session interface regarding IRQ management. The generic GPIO component
now wraps the Irq_session managed by the backend instead of using the
GPIO backend methods directly. A client using the GPIO session may
request the Irq_session_capability by calling
'Gpio::Session::irq_session()' and can use this capability when using
a local Irq_session_client.
Issue #1456.
This patch adds const qualifiers to the functions Allocator::consumed,
Allocator::overhead, Allocator::avail, and Range_allocator::valid_addr.
Fixes#1481
Currently, the 'pointed session' gets updated only when an input event
occurs, but an update is also needed in other situations, for example
when the view under the current mouse position was moved.
With this commit, the 'pointed session' gets updated whenever the
timer-triggered 'handle_input()' function is called.
Fixes#1473
There are lots of places where a numeric argument of an argument string
gets extraced as signed long value and then assigned to an unsigned long
variable. If the value in the string was negative, it would not be
detected as invalid (and replaced by the default value), but become a
positive bogus value.
With this patch, numeric values which are supposed to be unsigned get
extracted with the 'ulong_value()' function, which returns the default
value for negative numbers.
Fixes#1472
The driver operates in PIO mode only. Depending on the block size (512
bytes versus 128 KiB), it has a troughput of 2 MiB/sec - 10 MiB/sec for
reading and 173 KiB/sec - 8 MiB/sec for writing.
Fixes#1475
This patch enhances the generic SD-card protocol implementation in
sd-card.h with the ability to handle the version 1.0 of the CSD register
(containing the capacity information of older SD cards).
The emergency dataspace is used to accommodate the corner case where
a signal context capability is created while issuing the first
resource request. Normally, the attempt to upgrade the signal-session
quota under such a constrained situation would fail. By freeing the
emergency dataspace in this situation, we regain enough quota to
upgrade the signal session.
This is a follow up commit for "base: Raise RAM quota of signal session
to 16K" and fixes the resource_request test on 64-bit platforms.
A Nic::Session client can install a signal handler that is used to
propagate changes of the link-state by calling 'link_state_sigh()'.
The actual link state is queried via 'link_state()'.
The nic-driver interface now provides a Driver_notification callback,
which is used to forward link-state changes from the driver to the
Nic::Session_component.
The following drivers now provide real link state: dde_ipxe, nic_bridge,
and usb_drv. Currently, OpenVPN, Linux nic_drv, and lan9118 do not
support link state and always report link up.
Fixes#1327
If a client acknowledges the same packet more than once, the packet also
gets freed more than once. At the second attempt the underlaying
Bit_array will throw an 'Invalid_clear' exception, which results in an
uncaught exception that leads to an abort() call in the freeing
component.
Fixes#1462.
The driver for the Freescale eSDHCv2 doesn't support the highest
available bus frequency by now and also the bus width may be set to a
higher value but that needs further checks on the capabilities of the
inserted card.
The commits provide a benchmark as it exists for the OMAP4 SDHC driver.
Fix#1458
The GUID partition table (GPT) is primarily used by systems using
(U)EFI and is a replacement for the legacy MBR. For now, the current
implementation is able to address up to 128 GUID partition entries
(GPE).
To enable the GPT support in 'part_blk' it has to be configured
accrodingly:
! <start name="part_blk">
! [...]
! <config use_gpt="yes">
! [...]
! </start>
If 'part_blk' is not able to find a valid GPT header it falls back
to using the MBR.
Current limitations:
Since no endian conversion takes place it only works on LE platforms
and of all characters in the UTF-16 encoded name field of an entry
only the ones included in the ASCII encoding are printed. It also
ignores all GPE attributes.
Issue #1429.
The hover reports provides information about the session currently
pointed-to, i.e., hovered session. It can be enabled by the 'hover'
attribute of nitpicker's 'report' configuration element
<report hover="yes" />
Fixes#1442
Drivers like SD-Card, platform, AHCI, and framebuffer are specified as Exynos5
compliant. But they are at least not compliant with Odroid-XU although this is
Exynos5. Thus, prevent tests that rely on such drivers when building for
hw_odoid_xu. Furthermore, make previous Arndale regulator/consts.h,
uart_defs.h, and some Board_base enums available to all Exynos5 builds to
enable at least building the drivers.
Fixes#1419
For the USB-Armory, we use a newer version of Linux (3.18) as for the
i.MX53-QSB. The main difference is, that the newer Linux uses a DTB instead of
ATAGs.
Fixes#1422
The USB Armory is almost the same as the i.MX53-QSB but it uses only
one of the two RAM banks available in i.MX53. Furthermore we use the USB
Armory only with Trustzone enabled.
Ref #1422
* enables world-switch using ARM virtualization extensions
* split TrustZone and virtualization extensions hardly from platforms,
where it is not used
* extend 'Vm_session' interface to enable configuration of guest-physical memory
* introduce VM destruction syscall
* add virtual machine monitor for hw_arndale that emulates a simplified version
of ARM's Versatile Express Cortex A15 board for a Linux guest OS
Fixes#1405
The handling of MMIO regions now supports more pathological cases with
weird cross references. Also, MMIO regions are releases after the
parsing is done.
Fixes#998
When returning early on directory operations, file systems that might
be able to handle the request but come after the current one are not
tried.
Fixes#1400.
Instead of returning an uint64_t value, return a structured time stamp.
This change is only visible to components using Rtc_session directly.
Fixes#1381.
By blocking on a timeout, we yield the CPU in order to give a
concurrently running sporadic process a chance to obtain ROM modules.
Otherwise, such requests would be deferred until the ROM prefetcher
completes its operation or in the unlikely event that the prefetcher
gets preempted.
Fixes#1378
Instead of fixing the missing dynamic facilities of the AHCI driver
backends for x86 and Exynos5, just avoid to create/destroy the backend
for every new connection, but always use one and the same object.
The AHCI drivers need to be re-written anyway, see issue #1352 for instance,
we can make it more robust for the dynamic case then.
Fixes#786Fixes#1133
When building Genode for VEA9X4 as micro-hypervisor protected by the ARM
TrustZone hardware we ran into limitations regarding our basic daily
testing routines. The most significant is that, when speaking about RAM
partitioning, the only available options are to configure the whole SRAM
to be secure and the whole DDR-RAM to be non-secure or vice versa. The
SRAM however provides only 32 MB which isn't enough for both a
representative non-secure guest OS or a secure Genode that is still
capable of passing our basic tests. This initiated our decision to
remove the VEA9X4 TrustZone-support.
Fixes#1351
Declaring the SP804 0/1 module and its interrupt to be non-secure prevents the
secure Genode from receiving the interrupt and hence the timer driver in the
secure Genode doesn't work.
Fixes#1340
The commit uses a fixed kernel branch (r8), which fixes a caching bug
observable in the Genode host. The quirk detecting the circumstance in the
timer service is obsolete now and is removed.
Fixes#1338
In the init configuration one can configure the donation of CPU time via
'resource' tags that have the attribute 'name' set to "CPU" and the
attribute 'quantum' set to the percentage of CPU quota that init shall
donate. The pattern is the same as when donating RAM quota.
! <start name="test">
! <resource name="CPU" quantum="75"/>
! </start>
This would cause init to try donating 75% of its CPU quota to the child
"test". Init and core do not preserve CPU quota for their own
requirements by default as it is done with RAM quota.
The CPU quota that a process owns can be applied through the thread
constructor. The constructor has been enhanced by an argument that
indicates the percentage of the programs CPU quota that shall be granted
to the new thread. So 'Thread(33, "test")' would cause the backing CPU
session to try to grant 33% of the programs CPU quota to the thread
"test". By now, the CPU quota of a thread can't be altered after
construction. Constructing a thread with CPU quota 0 doesn't mean the
thread gets never scheduled but that the thread has no guaranty to receive
CPU time. Such threads have to live with excess CPU time.
Threads that already existed in the official repositories of Genode were
adapted in the way that they receive a quota of 0.
This commit also provides a run test 'cpu_quota' in base-hw (the only
kernel that applies the CPU-quota scheme currently). The test basically
runs three threads with different physical CPU quota. The threads simply
count for 30 seconds each and the test then checks wether the counter
values relate to the CPU-quota distribution.
fix#1275
The way this function is currently used in dde_linux expects this
function to return. Since there is dde_kit_panic it should better
be used in such a case the output should block.
This patch ensures that priority values passed as session arguments
are within the valid range of priorities. Without the clamping, a child
could specify a priority of a lower priority band than the one assigned
to the subsystem. Thanks to Johannes Schlatow for reporting this issue.
Fixes#1279
The alias is rather Linux-specific and also prevents particularly
tailored jiffies implementations. For the existing dde_linux ports (usb
and lxip) we just define jiffies to be dde_kit_timer_ticks with a
preprocessor macro.
The new 'session_control' function can be used to perform operations on
the global view stack that span one or multiple sessions, e.g., bringing
all views of specific sessions to the front, or hiding them.
The headers 'texture_rgb565.h' and 'texture_rgb888' contain
template specializations needed for using the 'Texture::rgba' function
for the respective pixel formats. The specializations were formerly
contained in application-local code.
This patch add an optional alpha argument to the constructor, which may
be passed to a pixel type representing an alpha channel. Furthermore,
a new overload of the mix function has been added to accommodate use
cases where one texture is applied to both a pixel surface and an alpha
channel.
When X-ray mode is active, nitpicker filters motion events that are not
referring to the currently focused domain. However, domains configured
as xray="no" (such as a panel) need to obtain motion events regardless
of the xray mode. This patch relaxes the motion-event filtering to
accommodate such clients.
The buffer offset was wrongly accounted for. The miscalculation went
unnoticed until now because the buffer offset was apparently never used
in combination with alpha-channels.
If a domain is configured as xray="no", we want to let the views of the
domain respond to input events like in flat mode, even if xray mode is
active. Normally, the input mask of views with an alpha channel is
disregarded in X-ray mode. However, for non-ray views, the input mask
should always be considered.
The 'Signal_rpc_member' takes care about dissolving its signal context
from the receiver. So we don't need to manually perform this operation
in the session destructor.
It turned out that the controller configuration can change during the self
tests, so now it is read before running the tests and restored afterwards.
Fixes#1260.
This component merges the input events of multiple sources.
Example configuration:
<start name="input_merger">
<resource name="RAM" quantum="1M" />
<provides>
<service name="Input" />
</provides>
<config>
<input label="ps2" />
<input label="usb_hid" />
</config>
<route>
<service name="Input">
<if-arg key="label" value="ps2" /> <child name="ps2_drv" />
</service>
<service name="Input">
<if-arg key="label" value="usb_hid" /> <child name="usb_drv" />
</service>
<any-service> <parent /> <any-child /> </any-service>
</route>
</start>
For each 'input' config node, the component opens an 'Input' session with the
configured label. This label is then evaluated by 'init' to route the session
request to a specific input source component.
Fixes#1259.
The backend allocator for the slab is a sliced heap, which hands out
allocations with page-size granularity (4096 bytes). Therefore, the
slab-block size should also be about a multiple of the page size minus
some bytes of overhead.
Additional adjustments:
- The slab-block size and the default quota-upgrade amount for SIGNAL
sessions depends on the platform bit width now.
- The signal test also stresses the case of many managed context in one
session including creation and destruction of the used signal receiver
in repeated rounds.
- correctly catch and report non-existing root directories
- remove *all* leading slashes from root-directory attributes and
sanitize empty declarations to current working directory
Before the pointer handling was removed from the nitpicker server, the
pointer was always the first view, which was skipped in the find_view
function. However, since we support pointer-less operation by now, we
have to consider all views starting with the top-most one.
This patch fixes a potential race condition that could happen if a
client connects to nitpicker before the signal for the import of the
initial configuration was delivered. In this case, nitpicker would be
unable to assign a domain to the session (because this information comes
from the configuration), rendering subsequent calls to 'mode' invalid.
The patch solves this problem by manually calling the signal handler
for importing the configuration.