The kernel provides a "recall" feature issued on threads to force a thread into
an exception. In the exception the current state of the thread can be obtained
and its execution can be halted/paused.
However, the recall exception is only delivered when the next time the thread
would leave the kernel. That means the delivery is asynchronous and Genode has
to wait until the exception triggered.
Waiting for the exception can either be done in the cpu_session service or
outside the service in the protection domain of the caller.
It turned out that waiting inside the cpu_service is prone to deadlock the
system. The cpu_session interface is one of many session interfaces handled by
the same thread inside Core.
Deadlock situation:
* The caller (thread_c) to pause some thread_p manages to establish the call
to the cpu_session thread_s of Core but get be interrupted before issuing
the actual pause (recall) command.
* Now the - to be recalled thread_p - is scheduled and tries to invoke another
service of Core, like making log output.
* Since the Core thread_s is handling the session request of thread_c, the
kernel uses the timeslice of thread_p to help to finish the request handled
by thread_s.
* Thread_s issues the actual pause/recall on thread_p and blocks inside Core
to wait for the recall exception to be issued.
* thread_p will leave not the kernel before finishing it actual IPC with
thread_s which is blocked waiting for thread_p.
That is the reason why the waiting/blocking for the recall exception taking
place must be done on NOVA in the context of the caller (thread_1).
Introduce a pause_sync call to the cpu_session which returns a semaphore
capability to the caller. The caller blocks on the semaphore and is woken up
when the pager of thread_p receives the recall exception with the state of
thread_p.
Multiple calls to get the dataspace capability on NOVA lead to the situation
that the caller gets each time a new mapping of the same capability at
different indexes.
The client/caller assumes to get every time the very same index, e.g. in
Noux the index is used to look up structures.
Cache the dataspace capability returned via a rm_session for base-nova.
Since no kernel objects can be created anymore outside Genode::core,
the Vancouver port must be adjusted to use solely the Genode interfaces.
The Vcpu_dispatcher creates all portals via the cpu_session interface and
uses the feature to setup a specific receive window during a IPC (the
cap_session::alloc IPC) to place to be received/to be mapped capability
(virtualization exception portal) at the designed indexes.
The actual vCPU thread extends from a normal Genode::Thread and extends it
by specific vCPU requirements, which are a larger exception base window and
the need by Vancouver to place the SM and EC cap at indexes next to each other.
Fixes#316
Extend Native_capability type to hold a specific selector index where the to
be received cap during a IPC should be mapped to. This feature is required to
place created caps by the cap_session at specific indexes. This feature is
used by Vancouver to setup the virtualization exception portals (created by
the cap_session) at the intended indexes.
Patch prevents following bugs:
* In sleep_forever the thread return from semaphore down if cap is revoked
during destruction of a thread. This causes an endless loop consuming time
not available for other threads.
* In lock_helper and cap_sel_alloc the thread return from the lock() method
even if the semaphore down call failed because of an revoked semaphore.
This lead to the situation that a thread subject to de-construction returns
from the lock method, but not holding the lock, entering the critical section
and modifying state inside the critical section. Another thread in parallel
already in the critical section or entering the critical section also
modifies the state. This lead to curious bugs ...
* thread_nova, thread_start, irq_session
Detect early bugs if the SM is gone unexpectedly where it should never
happen.
Vancouver recalls the vCPU in the vCPU dispatcher code. Enable the right bit
in the mapped native cap so that Vancouver actually is able to perform this
operation.
It now can hold a right bit used during IPC to demote rights of the to be
transfered capability.
The local_name field in the native_capability type is not needed anymore
in NOVA. Simplify the class, remove it from constructors and adapt all
invocations in base-nova.
Unfortunately local_name in struct Raw is still used in generic base code
(process.cc, reload_parent_cap.cc), however has no effect in base-nova.
MsgBuf has to keep the number of received capabilities in order
to free/know correctly unused and unwanted capabilities. Explicitly
call rcv_msg->post_ipc to store this information in a MsgBuf.
Don't reset rcv_msg in ipc.cc, since this is used during
un-marshalling of caps in ipc.h afterwards. The MsgBuf is reseted when its
de-constructor is called.
With this patch solely the local ids are used, no global unique ids
are transfered anymore during IPC.
demo.run, signal.run, noux_tool_chain.run works up to the same
point as before the patches for issue #268.
Fixes#268
Unfortunately, another kernel patch is required for Genode/NOVA to get rid
of global unique ids for objects (issue #268).
Kernel patch:
If a translate of a object capability item inside the same PD
(receiver/sender in same PD) is not successful then he very same item is
returned instead of the null item.
Genode:
Some code in Genode try to map/translate the "root" (the first instance of a)
object capability within the same PD. The translate fails since it is the
first cap and was not delegated beforehand. Instead the cap gets mapped to a
new capability index due to xlt_rcv kernel item patch.
The new local object capability index is used to lookup manged objects
in lists, which however fails because the object is only known by the original
object capability index.
Unfortunately, this happens not only once. Below one example trace and
description is attached.
There are several possible solutions possible:
* Find all places in Genode and replace normal function calls between objects
with IPC calls, such that all capabilities can be translated during IPC.
** Time consuming to find all spots
** Rather platform specific issue requires re-adjustments in generic Genode
code
** Not trivial to ever remember this fact during development of new components
[other platforms have not such a issue, however have global object ids]
** Neither good in terms of performance.
* Use some special system call to the kernel to be able to translate a given
capability index as long until you find the requested original index.
(Obviously ... no comment).
* Kernel patch as this one.
* <your proposal>
Example trace + code description showing the behavior above:
int main(): --- create local services ---
int main(): --- start init ---
[0] DEL OBJ PD:0xc000aa80->0xc000aa80 SB:0x000000aa RB:0x000000ac O:0x00 A:0x1f
int main(): transferred 42 MB to init
[0] DEL OBJ PD:0xc000aa80->0xc000aa80 SB:0x00000120 RB:0x0000013c O:0x00 A:0x1f
[0] DEL OBJ PD:0xc000aa80->0xc000aa80 SB:0x0000016c RB:0x00000168 O:0x00 A:0x1f
Setup ELF failed
[0] XLT OBJ PD:0xc000aa80->0xc000aa80 SB:0x00000168 RB:0x0000016c O:0x00
unknown exception?
int main(): --- init created, waiting for exit condition ---
thread - file - line - text
-------------------------------------------------------------------------------
thread A - [ 0] - 228 - new Core_child(... rom_session.dataspace() ...)
thread A - [ 1] - 27 - IPC call - ask for dataspace cap
thread B - [ 2] - 49 - function - return dataspace cap index 0x120
thread A - [ 1] - 27 - IPC returned - map 0x120 -> 0x13c, translate failed
thread A - ...
thread A - [ 3] - 231 - call _setup_elf()
thread A - [ 3] - 60 - call env->rm_session()->attach()
thread A - [ 4] - 35 - do dataspace object lookup (0x13c)
thread A - [ 4] - 36 - lookup failed (object known as 0x120), throw Exception
thread A - [ 3] - 61 - catch Exception -> return error code "0"
thread A - [ 3] - 233 - "Setup ELF failed" - because error code "0"
File legend:
[0] base/src/core/main.cc
[1] base/include/rom_session/client.h
[2] base-nova/src/core/include/core_rm_session.h
[3] base/src/base/process/process.cc
[4] base-nova/src/core/core_rm_session.cc
Kernel patch:
Introduce a transfer item type to express that a cap should be translated
and if this fails to map it instead.
It would be possible without this combined transfer item type however
with additional overhead. In this case Genode/NOVA would
have to map and translate all caps used as parameter in IPC. It would look
like this:
* If the map and translation succeed, the cap at the new cap index
would have to be revoked. Then the translated cap index can be used.
* If the map succeeds and the translation fails then the mapped cap index
can be used.
* It would become complicated when multiple caps are mapped and translated
and only some of the translation succeed. In such cases Genode would have
to figure out the right relation of translated/mapped and not
translated/mapped caps. It would require to make some assumption about the
order how translated/mapped caps are reported at the UTCB by the kernel.
All the points above lead to the decision to create a separate transfer item
type for that.
Genode:
Most the times the translation succeeds, mapping of caps happens either
seldom. This takes now a bit the pressure of not enough aligned receive
cap windows as described in issue #247.
The patch mainly adds adjustments to handle the
translated and mapped caps correctly especially during freeing of the
receive window (don't free translated cap indexes).
Fixes#268
The Demo of 64bit Genode/NOVA fails during the booting phase when
physical memory was tried to be mapped lying above 4G boundary.
(qemu -m 4096 triggered it on some systems). The memory never got
mapped and the attempt to access the virtual region resulted
in a unexpected page fault inside Genode core.
The latest revision removed the artificial boundary of 4G for 64bit.
Example trace showing the issue:
([-1] lines show debugging output that mapping failed)
...
int main(): --- create local services ---
int main(): --- start init ---
int main(): transferred 4047 MB to init
int main(): --- init created, waiting for exit condition ---
start new pager object with EIP=0x1025814, ESP=0x6001000
[init] Could not open file "ld.lib.so"
start new pager object with EIP=0x10213e4, ESP=0x6001000
start new pager object with EIP=0x1037684, ESP=0x6001000
start new pager object with EIP=0x1021664, ESP=0x6001000
start new pager object with EIP=0x101e374, ESP=0x6001000
start new pager object with EIP=0x10295a4, ESP=0x6001000
start new pager object with EIP=0x1037db4, ESP=0x6001000
[init -> pci_drv] PCI driver started
[init -> launchpad] Could not open file "ld.lib.so"
[init -> launchpad] Could not open file "config"
[init -> launchpad] Could not obtain config file
[init -> ps2_drv] Detected ExPS/2 mouse - activating scroll-wheel and 5-button support.
[init -> ps2_drv] Using keyboard with scan code set 1 (xlate).
[init -> timer] Timer::Timeout_scheduler::Timeout_scheduler(Platform_timer*, Genode::Rpc_entrypoint*): starting timeout scheduler
[init -> vesa_drv] int Framebuffer_drv::map_io_mem(Genode::addr_t, Genode::size_t, bool, void**, Genode::addr_t, Genode::Dataspace_capability*): fb mapped to 1000
start new pager object with EIP=0x101eaf0, ESP=0x401fef80
[init -> timer] Timer::Session_component::Session_component(Timer::Timeout_scheduler*, Genode::Cap_session*): created new session component, _session_cap.valid=1
start new pager object with EIP=0x1021d10, ESP=0x400fef80
start new pager object with EIP=0x1021d10, ESP=0x401fef80
[init -> vesa_drv] Could not open file "config"
[init -> vesa_drv] Could not obtain config file
[init -> vesa_drv] Found: VESA BIOS version 2.0
[init -> vesa_drv] OEM: VGABIOS Cirrus extension
[init -> vesa_drv] Found: physical frame buffer at 0xfc000000 size: 0x00400000
[init -> vesa_drv] int Framebuffer_drv::map_io_mem(Genode::addr_t, Genode::size_t, bool, void**, Genode::addr_t, Genode::Dataspace_capability*): fb mapped to 400000
[init -> nitpicker] framebuffer is 1024x768@1
[init -> nitpicker] create session with args: fb_format=1, label="launchpad", ram_quota=1646592
[init -> nitpicker] Could not open file "config"
[init -> nitpicker] Could not obtain config file
[init -> nitpicker] create session with args: fb_width=400, fb_height=1504, fb_format=1, label="launchpad", ram_quota=1211392
[ 0] DEL MEM PD:0xffffffff8100d620->0xffffffff8100d320 SB:0x00100000 RB:0x00002a00 O:0x08 A:0x7
[-1] Pd::delegate snd->S::tree_lookup(0x100000) == 0x0 -- base-nova/contrib/src/pd.cpp:54 - Pd::snd 0xffffffff8100d620 =? Pd::kern 0xffffffff8100d620
[ 0] DEL MEM PD:0xffffffff8100d620->0xffffffff8100d320 SB:0x00100100 RB:0x00002b00 O:0x05 A:0x7
[-1] Pd::delegate snd->S::tree_lookup(0x100100) == 0x0 -- base-nova/contrib/src/pd.cpp:54 - Pd::snd 0xffffffff8100d620 =? Pd::kern 0xffffffff8100d620
[ 0] DEL MEM PD:0xffffffff8100d620->0xffffffff8100d320 SB:0x00100120 RB:0x00002b20 O:0x02 A:0x7
[-1] Pd::delegate snd->S::tree_lookup(0x100120) == 0x0 -- base-nova/contrib/src/pd.cpp:54 - Pd::snd 0xffffffff8100d620 =? Pd::kern 0xffffffff8100d620
[ 0] DEL MEM PD:0xffffffff8100d620->0xffffffff8100d320 SB:0x00100124 RB:0x00002b24 O:0x01 A:0x7
[-1] Pd::delegate snd->S::tree_lookup(0x100124) == 0x0 -- base-nova/contrib/src/pd.cpp:54 - Pd::snd 0xffffffff8100d620 =? Pd::kern 0xffffffff8100d620
[ 0] Killed EC:0xffffffff823ca880 SC:0xffffffff823cb740 V:0xe CS:0x2b EIP:0x1215a0 CR2:0x2b25fff ERR:0x6 (PT not found)
If a thread has been deleted the thread object at the cpu_session was never
freed which caused the cpu_session quota to be exhausted as reported in
issue #150.
Fixes#150
Be bit more robust.
* Don't use addresses and sizes larger than
32 bit address boundaries.
* Don't take modules of size 0, at address 0 and if aux is 0.
(Already seen on machines in the University ...)
Fixes#269
The line-status register has two relevant status bits - transmitter-hold
register empty and data-hold register empty - from which only the THR is
relevant as it signals new character can be written to the device.
Fixes#281
Following deadlock happens when a Rm_client/Pager_object handles a page-fault
and concurrently the same object is dissolved (triggered by parent killing
the client).
The situation is as follows:
Page fault handling :
base-nova/src/base/pager/pager.cc : pf_handler() - lock pf_lock
base/.../core/rm_session_component.cc: pager() - lock rm_session
(in reverse_lookup())
Dissolve of Rm_client:
base/src/core/rm_session_component.cc: dissolve() - lock rm_session
base-nova/src/base/pager/pager.cc : dissolve() - lock pf_lock
The pf_lock is not required here during normal page fault handling,
since this pager object @NOVA is executed only by one and the same
thread and all critical operations inside the rm_session_object itself
are locked anyway. The only critical point is the destruction of the
Pager_object which is already handled in the both dissolve functions
of the rm-session_component (locking) and the pager_object (finalize
in-flight page faults).
Allocate exc_pt_sel inside Thread_base object
instead of pager object, since it is a thread
specific characteristic.
Same for freeing of the thread capabilities:
- ec, sc, rs, exc_pt_sel is thread specific
and has nothing to do in server nor pager object.
The invalid thread is specified as 0,0,-1 (ec cap, sc cap, sem cap).
The main thread is specified as 0,0,0.
The comparator identified "tid_main == tid_invalid" as equal,
which is obviously wrong.
The patch compares at least ec and sem cap.
Use semaphore down feature of NOVA to set the counter to zero.
If the semaphore was up()ed more than one time by impatient callers
(e.g. guys calling cancel_blocking) we make sure that the thread
really stops.
Don't allocate ec cap twice, in pager.cc and thread_start.cc.
Unmap of utcb has to be done in destructor of thread class, not
in pager class. Free capability selectors of ec and rs.
Invoke cancel_blocking before calling the
cleanup portal of the rpc_entrypoint. If a rpc_entrypoint
is blocked in a semaphore the cleanup call gets
stuck forever.
Make pxe optional and use by default grub.
For that to work we use objcopy to repack the elf64
file into elf32.
With this commit more tests succeed. Most
tests use 64M and with that pulsar even does not start
the hypervisor. With 96M more test run however that would
mean to adjust most of the run scripts ...
Check that there is enough room for a typed item on the
UTCB. Otherwise deny to add the item and return false.
Enable explicitly a return unused warning to get the right
attention.
The UTCB of the thread cleaning up thread objects has been unmapped.
However the UTCB of the destroyed thread must be unmapped.
Objects must explicitly be made unreachable before cleaning up. The
server and pager objects must be unreachable before they can be freed.
Both object types are threads. Revoking the thread(EC) cap on NOVA
doesn't mean that the thread stops executing. All portals pointing to a
thread are still reachable by clients even if the last EC cap is gone in
user land. So it must be taken care that no portals are pointing anymore
to a thread when the associated objects are getting destroyed. This
commit handles this.
Additionally, even if the last portal is gone - there can be still an
ongoing request handled by such server/pager object/threads. For each
such object an additional portal is created. This object is called
'cleanup portal' and is only local to the object. After all portals are
revoked the cleanup portal is called. When the call returns we know that
nobody is anymore handled by the object since all remotely available
portals are gone.
Fixes#20
Use git to get recent kernels from github. Adjust NOVA patch to compile
with recent github version. Patch and use makefile of NOVA microkernel
to avoid duplicated (and outdated) makefile in Genode
Furthermore, this patch adds support for using NOVA on x86_64. The
generic part of the syscall bindings has been moved to
'base-nova/include/nova/syscall-generic.h'. The 32/64-bit specific
parts are located at 'base-nova/include/32bit/nova/syscalls.h' and
'base-nova/include/64bit/nova/syscalls.h' respectively.
On x86_64, the run environment boots qemu using the Pulsar boot loader
because GRUB legacy does not support booting 64bit ELF executables.
In addition to the NOVA-specific changes in base-nova, this patch
rectifies compile-time warnings or build errors in the 'ports' and
'libports' repositories that are related to NOVA x86_64 (i.e., Vancouver
builds for 32bit only and needed an adaptation to NOVAs changed
bindings)
Fixes#233, fixes#234
With this patch clients of the RM service can state if they want a mapping
to be executable or not. This allows dataspaces to be mapped as
non-executable on Linux by default and as executable only if needed.
Partially fixes#176.
The 'copy_to' function turned out to be not flexible enough to
accommodate the Noux fork mechanism. This patch removes the function,
adds an accessor for the capability destination and a compound type
'Native_capability::Raw' to be used wherever plain capability
information must be communicated.
This commit unifies the policy name for the template argument for
Native_capability_tpl to Cap_dst_policy, like suggested by Norman in the
discussion resulting from issue #145. Moreover, it takes the memcpy
operation for copying a Native_capability out of the template, which is
included by a significant bunch of files, and separates it in a library,
analog to the suggestion in issue #145.
Because we use to pass a policy class to 'Native_capability_tpl'
we can pass the dst type as part of the policy instead of as
a separate template argument. This patch also adds documentation
of the POLICY interface as expected by 'Native_capability_tpl'.
This patch unifies the Native_capability classes for the different kernel
platforms by introducing an appropriate template, and eliminating naming
differences. Please refer issue #145.
To give the platform developer more freedom in how the Native_capability
class is internally implemented (e.g. turning it into a smart-pointer),
this patch removes the memcpy operation, when transfering the parent-capability
to a new process from the generic code, and let the implementation of the
platform-specific Native_capability decide how the transfer has to be done.
Please refer to issue #144.
Introduce a factory-, and dereference method for local capabilities. These are
capabilities that reference objects of services, which are known to be used
protection-domain internally only. To support the new Capability class methods
a protected constructor and accessor to the local object's pointer is needed
in the platform's capability base-classes. For further discussion details please
refer issue #139.
The new function 'Platform_env::reload_parent_cap' triggers a reload
of the parent capability and its respective resources. It is needed
during the bootstrap of a new process forked from an existing Noux
process.
This library was used during the first porting steps of Genode to NOVA
for executing parts of the framework API without core. Those bare-metal
tests are not maintained anymore. So this library can be removed.
