Originally the outgoing buffer was flush when the terminal was
detached. Since we cannot do that at this point, make the flushing
part of the common cleanup procedure.
Issue #3682.
Rather than calling 'ssh_disconnect' from within the Terminal session,
flag the detached terminal in the session and let the event loop do the
cleanup. Otherwise it might happen that the 'ep' (handling the Terminal
session) as well as the 'pthread.0' (executing the ssh event loop) end
up both triggering the cleanup concurrently.
Issue #3682.
In case of arm_v7a Kernel::call64 the syscall will use both r0 and r1 as
output registers. Unfortunately the inline asm does not reflect this and
only r0 is explicitly specified as output. GCC manages to produce output
which we'd like to see. Clang on the other hand takes adventage of the fact
r1 should not be touched by swi and produces fewer instructions which do
what the code describes, but not what we actually want.
Basically the code which we want and is generated by GCC is:
svc 0
mov r2, r0
mov r0, r1
mov r1, r2
bx lr
Clang on the other hand generates correct assembly given the code, but
incorrect given what the function is supposed to do:
svc 0
mov r1, r0
mov r0, #0
bx lr
Both GCC and clang generate the same, expected assembly output when r1
is marked as output register from the inline asm swi call.
Fixes#3951
Clang correctly asserts this private member variable is not used
anywhere in the code. I'm not sure what the intention of the code is,
might be this is a part of some unfinished feature. This patch just does
the minimum amount of work to allow the code to build with clang. If
required I can also drop the parent_levels constructor argument and
clean up the call sites.
Issue #3950
The msg argument in Genode::Rpc_dispatcher::_read_arg is not used. GCC
does not care about this, but clang does and prints a warning regaring
this. Silence it by removing unused argument name.
fixup! base: Silence unused arg warning in rpc_server.h
The CBE repository contained a lot of Genode-specific code despite the fact
that the CBE core logic is not bound to Genode in any way. Therefore the
Genode-specific CBE code is moved to the 'gems' repository to form part of
Genode mainline. The remaining CBE code becomes a port in Genode instead of
being invoked as sub-repository.
The commit combines the following work steps:
* add all files removed from CBE repository
* add CBE port files
* make all CBE libs and targets build again
* make all CBE run scripts succeed again
* make all CBE recipes build again
* make CBE autopilot succeed again
* let CBE autopilot use 'libsparcrypto' contrib dir and Genode build dir
instead of '.ci' dir in CBE contrib dir (remove '.ci' dir from CBE repo)
* let CBE autopilot always check for all ports
* make CBE autopilot directly executable
* fix license headers in all Genode CBE files
* remove unused VFS replay component
* remove unused CBE test
* remove unused external crypto
* remove unused files in run dir
* remove unused external trust anchor
* add cbe_tester test to autopilot list
* get rid of directories 'include/cbe_*' and 'include/utils'
Fixes#3937
The control area is constructed during session creation and the caller can
handle the Out_of_* exception by increasing the quota by the next attempt.
Fixes#3917
Log a warning when the lwIP VFS plugin queues a read while waiting
for an interface to become ready. By comparision the Lxip plugin
has the same behavior but a more verbose initialization process.
Fix#3920
Account for the situation where the driver is started while the HP
is already plugged in and configure the mixer accordingly.
Thanks to Peter for the patch.
Issue #3929.
Due to what seems like a copy-and-paste error, the wrong union member
was used to compare the label. Fortunately, as both structs have the
same memory layout that did not result in any issue.
Issue #3929.
Originally, the kernel code should have been executed within the
context of the main task like it is done in dde_linux. The initial
port of the HDA driver, however, did not required doing so and the
session called code directly.
When using USB device, that is no longer possible as we have to
suspend the execution during the execution of the kernel code. So
we pass in the audio data and schedule the kernel.
Fixes#3929.
This becomes necessary in case of the USB audio driver where we have
to wait for and query the function first.
That being said, alternatively we could also announce the session but
ignore any request until there is a device we can use.
Issue #3929.
With this commit the timer back-end uses the timeout framework to
schedule any occuring timeouts and for providing the current time.
For now there is only one timeout, the unsolicited azlia codec event
and therefore the timeout queue consists of solely one timeout object.
In addition a timer session is used for implementing 'delay()' where
we have to block until the delay is completed.
Issue #3929.
For historical reason the 'strlcpy' implemention was directly pull in
into the emulation environment. There is, however, no reason not to
use the contrib sources in the usual fashion.
Issue #3929.
Instead of the generic name, call the PCI driver 'pci_audio_drv'.
This is preliminary clean-up work before introducing the USB audio
driver.
Issue #3929.
The supported drivers so far exclusively used PCI and for practical
reasons the emulation environment was to tied to. To make future
addition of drivers that employ other transport busses easier, split
the bus handling into its own backend.
This is preliminary clean-up work before introducing the USB audio
driver.
Issue #3929.
* Updating the run script was missed in commit "dde_bsd: remove
configration attributes".
* Decrease output and input volume to "more sane" levels.
Issue #3929.
Updating the config and using its settings instead of only reporting
the new session allows to apply stored channel settings immediately.
In case of Sculpt this is useful when an existing launcher already
contains a valid config that sets the volume levels appropiately or
the 'recall_fs' is used.
Fixes#3930.
The _root, _gid and _uid private member variables are not used for
anything. GCC does not care, but clang likes to complain about things
like this.
Issue #3938
Right now the code marks specific instance of this function as noreturn.
It then tries to initialize it using a value that has the same type,
except for the noreturn part. GCC does not care, but clang complains this
technically assigns the value of entry from incompatible pointer type.
Fix this by defining Entry function as no return.
Issue #3938
The lambda function passed to Board::Vm_page_table_array does not
actually use "this" for anything. GCC does not warn about this, but
clang does. Remove the extra capture to make clang happy.
Issue #3938
GCC doesn't care, but clang complains if [[fallthrough]] is not followed
by a semicolon. Existing code is also not consitent in this regard. Lets
just fix it to make clang happy.
Issue #3938
When compiling this code, clang complains reference to 'Sandbox' is
ambiguous. It can either mean ::Sandbox namespace from
os/src/lib/sandbox/types.h, or Genode::Sandbox declared in
repos/os/include/os/sandbox.h. Since the code refers to ::Sandbox::Child
and its already in ::Sandbox namespace we can just drop "Sandbox" and
refer to just Child, which makes clang happy.
Issue #3938
This path fixes a void cast used to silence unused return value warning.
Its a common pattern to use void cast to do that. The code uses void *
cast instead. It works for GCC, but clang complains about this.
Issue #3938
Clang is rather picky about this and prints the following warning when
compiling new_delete.cc:
error: function previously declared with an explicit exception
specification redeclared with an implicit exception specification
[-Werror,-Wimplicit-exception-spec-mismatch]
Issue #3938
This was discovered when building the code with clang instead of GCC. In
this setup the run/ping on base-hw/arm_v8a/virt_qemu would crash
on shutdown due to uncaught Deref_unconstructed_object exception thrown
for Genode::Reconstructible<Genode::Account<Genode::Ram_quota>>. The
specific instance throwing this exception was
Pd_session_component::_ram_account. My investigation exposed the
following problem:
1. The Pd_session_component has a _sliced_heap member backed by
_constrained_ram_alloc which in turn uses Pd_session_component itself
as its Ram_allocator.
2. When ~Pd_session_component is called it first destroys _ram_account,
followed by _signal_broker.
3. The signal broker holds a reference to
Pd_session_component::_sliced_heap as Signal_broker::_md_alloc.
4. The base-hw implementation of ~Signal_broker destroys some contexts
and does this by calling Genode::destroy on some slabs using the
_md_alloc (ref to Pd_session_component::_sliced_heap).
5. The Genode::Slab calls the Ram_allocator::free which ends up calling
Pd_session_component::free.
6. The Pd_session_component::free can among other things call replenish
method on Pd_session_component::_ram_account which has already been
freed at this point.
From my POV calling replenish at this point is basically an undefined
behavior. The Genode::Constructible holding the Genode::Account was
already detroyed at this point. GCC builds happen to somehow manage to
go through the -> operator call without raising any alarms, while clang
builds trip on the _check_constructed() call.
This fix moves the _ram_account a bit higher in class declaration to
ensure its destroyed after _sliced_heap. This seems like the simpliest
solution for this problem.
Fixes#3941
This prevents later file-descriptor shortage when opening files on
demand, which can't be reflected to the application in a sane manner.
The real fix is to open socket files not on libc level but on VFS level
only effectively consume one libc file descriptor for one socket.
* Fix GIC model to support priority and cpu target settings correspondingly
* Fix semantic of SGIR register for GICv2
* Minor GIC model IRQ state fix
* Introduce synchronization for VirtIO and GIC models
* Enable multiple CPUs in test run-script for ARMv8
Fix#3926
* Introduce hypervisor-stack per CPU
* Introduce host world context per CPU
* Mark EL2 translation table memory as inner shareable
* The VMID is not bound to a single VCPU, but to the Vm_session as a whole
* Set affinity of the VCPU accordingly
* Add VMPIDR to VM state
Ref #3926
Instead of calling core to run/pause a VCPU, go directly to the kernel.
Apart from the performance win, it would otherwise involve a more complex
protocol, when a VCPU on another core has to be removed from the scheduler.
Core's entrypoint handling those request runs on the boot-cpu only.
Ref #3926
To enable the interaction of a VMM with the kernel directly,
a hidden RPC gets introduced. It allows a kernel-specific
base-library implementation of the Vm_session::Client to request
a kernel-specific capability to address a VCPU, e.g., to
run/stop it.
Ref #3926
Now, the USB connection is established on backend initialization and
terminated on backend exit triggered by high-level libusb code.
Thanks to Peter for the patch.
- unlink shared memory files
- lower maximum number of socket pool sockets to reduce chance of file
descriptor exhaustion
- fix a build dependency which caused sporadic parallel build errors
Fixes#3910
With this commit, the alignment of anonymous 'mmap()' allocations can be
configured like this:
<config>
<libc>
<mmap align_log2="21"/>
</libc>
</config>
Fixes#3907
This plugin gives access to the Audio_out session by roughly
implementing a OSS pseudo-device. It merely wrapps the session and does
not provide any resampling or re-coding.
Fixes#3891.
In the same vein as the terminal and block I/O controls, the sound
controls are implemented via poperty files and match the OSS
API ([1] features a nice overview while [2] is v3 and [3] gives
in-depth information on the current v4.x API we eventually might want
to implement).
[1] https://wiki.freebsd.org/RyanBeasley/ioctlref/
[2] http://www.opensound.com/pguide/oss.pdf
[3] http://manuals.opensound.com/developer/
The controls currently implemented are the ones used by the cmus OSS
output plugin, which was the driving factor behind the implementation.
It uses the obsolete (v3) API and does not check if the requested
parameter was actually set, which should be done according to the
official OSS documentation.
At the moment it is not possible to set or rather change any
parameters. In case the requested setting differs from the parameters
of the underlying Audio_out session - in contrast to the suggestion in
the OSS manual - we do not silently adjust the parameters returned
to the callee but outright fail the I/O control operation.
The following list contains all currently handled I/O controls.
* SNDCTL_DSP_CHANNELS sets the number of channels. We return the
available channels here and return ENOTSUP if it differs from
the requested number of channels.
* SNDCTL_DSP_GETOSPACE returns amount of playback data that can
be written without blocking. For now it amounts the space left
in the Audio_out packet-stream.
* SNDCTL_DSP_POST forces playback to start. We do nothing and return
success.
* SNDCTL_DSP_RESET is supposed to reset the device when it is
active before any parameters are changed. We do nothing and return
success.
* SNDCTL_DSP_SAMPLESIZE sets the sample size. We return the
sample size of the underlying Audio_out session and return ENOTSUP
if it differs from the requested number of channels.
* SNDCTL_DSP_SETFRAGMENT sets the buffer size hint. We ignore the
hint and return success.
* SNDCTL_DSP_SPEED sets the samplerate. For now, we always return
the rate of the underlying Audio_out session and return ENOTSUP
if it differs from the requested one.
This commit serves as a starting point for further implementing the
OSS API by exploring more users, e.g. as VirtualBox/Qt5/SDL2 audio
backend or a more sophisticated progam like sndiod.
Issue #3891.
At least on some PIT-based platforms (x86_32 + pistachio/okl4/sel4), we run
into trouble with the reworked timeout framework that now proccesses all
pending timeouts before calling their handlers. This order change leads to a
higher rate of handling of short periodic timeouts in the timer driver which
can cause lower prioritized components to starve. Especially, if submitting
signals (from timer to client) isn't cheap (as is the case on qemu + pistachio
for example).
Issue #3884
The driver is faily simple and does not support fancy features like
TCP checksum offloading or vlan filtering, but it is fully capable of
running every Genode network based scenario I've tried. Its currently
known to work on virt_qemu arm platforms and x86_64.
Fix#3825
To simplify writing native VirtIO drivers for Genode add helper classes
representing VirtIO device and queue. The queue implementation should
be platform independant. The device abstraction however is closely tied
to the VirtIO transport being used (PCI/MMIO). Both PCI and MMIO
implementations expose the same public API so the actual driver logic
should be the same regardless of which transport is used.
Its also important to note that the PCI version of Virtio::Device
currently does not support MSI-X interrupts. Unfortunately my kowledge
about PCI bus is very limited and my main area of interest was to get
VirtIO drivers working on virt_qemu ARM/Aarch64 platform. As such all
the VirtIO drivers I plan to submit will work with PCI bus, but might
not use some extended capabilities.
Ref #3825
The VirtIO device configuration on Qemu is dynamic. The
order and presence of different command line switches affects
base address and interrupt assignment of each device. One could
probably hard-code the necessary switches and resulting XML ARM
platform driver configuration in each run script, but this seems
like troublesome and hard to maintain solution.
This patch explores an alternative approach to the problem.
It implements a ROM driver which probes the address space region
Qemu virt machines assign to VirtIO MMIO devices and exposes the
result as XML via a ROM session. This XML output can be fed directly
as config to the generic ARM platform driver.
Ref #3825
Right now the same code dealing with nic setup on qemu is duplicated
in many different run scripts. It makes it unnecesarily complex to
change the existing config or add support for new nic types. Lets move
all this common code to qemu.inc.
Ref #3825
- make GPIO server more robust on imx by not throwing exceptions for
unknown pins, use '_with_gpio' instead
- use 'Gpio::Pin' data type instead of POD 'unsigned'
issue #3900
The patch handles the case, that the memory for the MSI-X table is part
of one of the Pci::Resource Memory BARs, which got allocated beforehand already.
With this commit, the platform driver will not fall back to use legacy IRQs or MSI, whereby MSI-X is available actually. Additionally, this patch avoids a lot of red
messages about non available IO-MEM printed by the roottask.
Fixes#3904
The deadlock occured with three concurrently running threads: two
waiters calling pthread_cond_timedwait() and one signaller calling
pthread_cond_signal().
If waiter W1 hits its timeout, the signaller may have called
pthread_cond_signal(), detected this waiter and posted the internal
'signal_sem' concurrently. Then, the signaller waits for 'handshake_sem'
to ensure the waiter got woken up.
Waiter W1 can't consume the 'signal_sem' post by
'sem_wait(&c->signal_sem)' because another waiter W2 may have consumed
the post already above in sem_wait/timedwait(). Waiting for a post on
'signal_sem' would block the waiter W1 in perfect deadlock with
signaller on 'handshake_sem'. As W1 also owns 'counter_mutex' in this
situation, waiter W2 would block when trying to aquire 'counter_mutex'
and can't resolve the situation.
So, W1 does nothing in this case and we accept the spurious wakeup on
next pthread_cond_wait/timedwait().
* get rid of alarm abstraction
* get rid of Timeout::Time type
* get rid of pointer arguments
* get rid of _discard_timeout indirection
* get rid of 65th bit in stored time values
* get rid of Timeout_scheduler interface
* get rid of uninitialized deadlines
* get rid of default arguments
* get rid of Timeout::_periodic
* get rid of Timeout::Raw
* use list abstraction
* only one interface for timeout handlers
* rework locking scheme to be smp safe
* move all method definitions to CC file
* name mutexes more accurate
* fix when & how to set time-source timeout
* fix deadlocks
Fixes#3884
In case of contexts blocked in select() the monitor updates the
file-descriptor status, but if the entrypoint is just blocked for the
select handler, the status must be updated explicitly on
dispatch_select().
This patch fixes the corner case where the keyboard focus is defined
independently from user interactivity, e.g., the activation of a
screensaver or lock screen.
In this case, nitpicker would update its internal focus state not before
the next input event is handled. Should this input event be a press
event, this event would wrongly be delivered to the prior focused
session. Another problematic situation is the initial state before the
very first input event occurs. Since the focus remains undefined until
the first input event is handled, an initial key press event would not
be delivered.
This is a regression caused be the transition to the event-session
interface and the removal of the nitpicker's periodic way of operation.
The patch fixes the problem by applying pending focus changes not only
at the input processing but also on the code path that responds to focus
changes (e.g., focus-rom update).
Issue #3812
Adjust the base-* platforms to acknowledge new thread location solely if
migration is supported and succeeded. Otherwise the wrong thread
locations are observed via the trace session and utilization time calculation
get wrong.
Issue #3842
Instead of using the old 'ioctl' Vfs::File_io_services API implement
the I/O control functionality in a buch of files. This is similar to
the terminal-VFS plugin.
Fixes#3889.
Like already done for terminal I/O controls use collect the information
by reading property files instead of using the old VFS ioctl interface.
Fixes#3888.
There is a type mismatch as in the FreeBSD contrib code the type of the
request is 'unsigned long'. So far, only I/O controls where the request
falls into the signed range where used and this was not a problem.
Some of the SNDCTL requests, however, have the bit set.
Fixes#3887.
This patch is a follow-up for the commit "libc: use monitor for fork".
It removes the use of the monitor mechanism from the
'Local_clone_service::close' RPC function because the fork_ep must stay
responsive for the destruction and creation of 'Child' objects.
Issue #3874
The current version of the driver leaves the screen in a black state
after a mode change, e.g., when connecting an external display.
With this patch, the framebuffer content is fetched for the entire
screen after a mode change. Thanks to Sebastian Sumpf for investigating.
Issue #3878
- Show "..." for resource-assignment menu entry because it leads
to a sub menu.
- Avoid dialog changes when clicking on "Add component" while a
routing or resource dialog is unfolded.
The initial implementation of the affinity configuration in
"depot_deploy: support affinity configuration" added the affinity
location attributes to the <start> node of the deploy config. This patch
moves the information into a dedicated <affinity> sub node as done by
the init configuration. So the context of the attributes 'xpos', 'ypos',
'width' and 'height' becomes clear.
It also fixes a usability issue in Sculpt that occurred during testing:
When configuring multiple components with custom affinities, the
resources dialog of later components would wrongly display the state of
earlier components instead of displaying the fresh (default) state. The
resulting configuration would then not match the displayed information.
This is fixed by resetting the dialog state.
As another minor cosmetic change, the patch adds a line break in front
of copied <config> or <heartbeat> nodes.
Issue #3597
The combination of Net::Mac_address and
Genode::ascii_to(Net::Mac_address) required shaky quirks in several
places because GCC is not able to resolve the ascii_to overload if
base/xml_node.h was included to early. The current solution moves the
several ascii_to overloads "closer" to the Net types by putting them
into the Net namespace, where GCC reliably picks them up.
Hence, co-locating the ascii_to() utility with the overload type in the
same scope/namespace is good practice.
This patch removes the now obsolete <nic/xml_node.h> header file.
With the move of the storage-management dialogs to the graph in Sculpt
version 20.02, the ability to unselect the buttons for destructive
storage operations such as format or expand disappeared. This patch
restores the original behavior.
* On this platform there is no need to zero out the framebuffer
dataspace, which is already blanked by core
* But it might happen that the GUI server is sending a capture
event before the zero out happens. Thereby screen content can get
lost
Fix#3878
* Fixes faulty algorithm in fractional pll rate calculation
* Enables clocks that are set as reference clock to prevent system freeze
* Enables/disables root clocks of gates implicitely
Fix#3876
By default, bash brings its own version of 'getenv', named exactly like
the libc function. This becomes a problem in fork/execve scenarios if
the dynamic linker resolves 'getenv' to the bash binary instead of the
libc.
This patch fixes the generate step of the genodians.org scenario.
Issue #3882
This patch enables the menu view's new ability to respond to font-size
changes in Sculpt so that the menu view instanced no longer need to be
restarted whenever the screen resolution or font size is changed.
Fixes#3875
This patch allows the use of the VFS watch mechanism for the glyph file
of the TTF VFS plugin so that clients become able to dynamically respond
to font reconfigurations.
Issue #3875
This is needed to enable VFS plugins to notify VFS clients about file
changes that depend on the plugin configuration, E.g., whenever the vfs_ttf
plugin responds to a font-size change, it generates a watch notification
for the glyphs file. Since the change is independent from I/O, we need
to manually call 'handle_io_progress'.
By default, Vim renames a written file to a backup file suffixed with
"~" before writing the current buffer to a new file. Consequently, there
exists an intermediate state when no file exists. Should a client watch
such a file to obtain dynamic configuration info, it observes the empty
state.
Some components have builtin heuristics for such a situation. In
particular, the window layouter falls back to a predefined default
'rules' if no rules are provided as a file. So when interactively
editing window-layouter rules using Vim, it can happen that the manually
maintained rules get overwritten by the default rules.
By setting 'set nowritebackup', we can sidestep this issue by preventing
Vim from producing the bad intermediate state.
With the change of nitpicker to the event session interface, the
formerly periodic hovering updates moved to the - now sporadic - input
processing. This has the unfortunate side effect that hovering changes
caused by non-user-input, in particular view-stack changes issued by the
GUI clients that change the view under the current pointer position,
would no longer be reported immediately but only after receiving the
next incoming input event.
This patch reworks the hover handling such that potential hovering
changes due to view-stack operations are evaluated immediately by
those operations, covering the update of the hover report and the
generation of artificial enter/motion events.
Issue #3812
This patch solves a corner case where one long-active job (e.g.,
read-ready request) stays at the beginning of the '_active_jobs' queue
without an ack. In this case, the '_try_acknowledge_jobs' method would
wrongly stop processing the subsequent acknowledgements. In practice,
this can lead to a delayed sending of acknowledgements until new I/O or
client requests occur. In particular, Vim in Sculpt's inspect window
sometimes did not immediately respond to key presses during tab
completion. Here, the read-ready request of the terminal prevented the
acknowledgement for read of directory entry from being delivered until
the next key was pressed.
Fixes#3873
The quota for the argument buffer is already accounted by using the
Attached_ram_dataspace _argument_buffer, which uses the Constraint_ram_allocator
_ram, which uses the Ram_quota_guard from the Session_object. Running on
Sculpt with more than 1000 Subject_info objects/trace IDs the memory
waste become noticeable.
Follow-up commit to fix the old usb_drv. Under rpi one and the
same irq can be requested several times. Therefore, we've to track
the Irq_connection objects.
Ref #3865
The Lx_kit::Irq abstraction of DDE Linux was always using the very first
interrupt of a Platform::Device stored in it. Instead of handing over the
platform device it is much more flexible and sane to hand over the actual
interrupt capability.
Ref #3865
By now, the enumeration of peripheral interrupts on Raspberry Pi 1 was
different in between base-hw kernel and Fiasco.OC. Therefore, hacks were
needed in every driver to request the correct interrupt number dependent
on the kernel. Before reproducing the same in the platform driver for rpi,
we can more easily use the same enumeration with base-hw.
Ref #3864
This is a temporary workaround to not harm drivers, which aren't
converted yet to request all device resources including power and
clocks from this new platform driver.
Ref #3863
To access the ARM Trusted Firmware from the platform driver
fill the new `managing_system` call of the PD session with life resp.
do a SMC call on behalf of the client.
Fix#3816
Introduce the managing_system privilege for components like the
platform_driver to allow it to call system management functionality
that is reserved by kernel or special firmware, e.g., ARM Trusted Firmware.
The former RAM resource configuration attribute `constrain_phys`,
which enabled to constrain the region of physical RAM to be used,
gets replaced by the new, broader managing_system configuration
attribute of a `start` node. It gets enforced by the sandbox library.
Ref #3816
Normally CLOCK_REALTIME is used. However libraries, like glib, want to
use CLOCK_MONOTONIC. To make those users happy add setting the clock.
Note, the pthread_cond implementation uses the POSIX semaphore API
internally that does not have means to set the clock. For this reason,
the private 'sem_set_clock' function is introduced.
Fixes#3846.
When the 'raw' attribute is set to 'yes' the terminal VFS plugin will
ignore control characters. This in necessary for terminal connections
that transport data that contain such characters as part of message.
Fixes#3860.
The driver wrongly rejected a block request for the very last block of
the device, which prevented part_block from successfully parsing the
partition table (when attempting to access the GPT backup).
Fixes#3861
With this patch, sculpt uses init's heartbeat-monitoring mechanism to
detect the failure of part_block instances during storage disovery.
If part_block gets stuck, the device is released and can thereby
be accessed at the whole-device level.
Issue #3861
The patches disable VBOX_IGNORE_FLUSH and a sanity check in the VMDK
backend. This enables passing an explicit flush request by the guest
down to the VFS.
Fixes#3743.
The check prevents the Ttf_font from violating the bounding box in the
presence of very small scale values. This can happen during the startup
of Sculpt. Before the framebuffer driver is up, Sculpt bases its dynamic
font-size setting on a screen resolution of 1x1.
Issue #3812
* add libsparkcrypto source-recipe
* provide ALI files through a new repository by mstein and add the repo
download to the libsparcrypto port-file
* remove dependencies to non-existent contrib ADB files from the library make
files
Fixes: #3852
The sculpt manager used to defer the initialization of the GUI until
nitpicker's first display report became ready. This way, Sculpt was able
to run headlessly even if the framebuffer driver failed to start up.
Thanks to #3827, nitpicker no longer depends on a working framebuffer
driver. So the sculpt manager is safe to rely on nitpicker in any case,
simplifying the code.
Issue #3827
This is a follow-up commit to "nitpicker: make framebuffer and input
optional". It restores the dynamic mode-change support when using
'request_framebuffer="yes"' as needed in scenarios where multiple
nitpicker instances are used in a cascaded way. E.g., Sculpt's
Leitzentrale. The previous version missed to reconstruct the
'_fb_screen' on mode changes.
Issue #3812
This patch untangles the dependency of VFS operations that need RTC
information from the 'clock_gettime' libc function that must never be
called from the libc kernel context.
- The 'Rtc' class uses the VFS directly for reading the rtc file instead
of relying on libc functions.
- The 'Rtc' instance has become part of the 'Kernel' instead of
being construced as a side effect of the first call of
'clock_gettime'.
- Changed 'Rtc::read' to return a timespec value, which has a higher
precision than the formerly used time_t value.
- The 'Rtc::read' returns a value with the relative 'current_time'
already applied. The former handling of subsequent rtc-value
updates has been rewritten to become more logical.
- The 'Vfs_plugin' no longer calls 'clock_gettime' but the new
kernel-level 'Current_real_time' interface.
Issue #2635
This patch untangles the interplay of the base library and the libc
during the exit handling.
- The CXA ABI for the atexit handling is now provided by the libc.
For plain Genode components without libc dependency, __cxa_atexit
is a no-op, which is consistent with Genode's notion of components.
- The 'abort' implementation of the base library no longer calls
'genode_exit' but merely 'sleep_forever'. This way, the cxx library
no longer depends on a 'genode_exit' implementation.
- The libc provides 'atexit' support by storing metadata on the
libc kernel's heap now, thereby eliminating the former bounded
maximum number of atexit handlers.
- Shared-library dtors are no longer called via the atexit mechanism
by explicitly by the dynamic linker. This slightly changes the
call order of destructors (adjustment of the ldso test). Functions
marked as destructors are called after the atexit handlers now.
- The libc executes atexit handlers in the application context,
which supports the I/O operations in those handles, in particular
the closing of file descriptors.
Fixes#3851
For the time being, we put all spec and body files into the recipe although
there might be a (so far to us unknown) way to have only the API relevant files
in it.
Fixes#3849
* switch to a libsparkcrypto fork of m-stein
* switch to a libsparkcrypto state that makes some units pure that are used by
the consistent block encrypter, in order that the latter can become
completely pure
Ref #3849
* switch to fork of the Ada runtime provided by m-stein
* switch to a Ada-runtime state that provides the Exp_Int package (exponential
function on integers)
* adapt spark lib, symbols, and recipes to incorporate the Exp_Int package
Fixes#3848
* enable all common warnings through default value of CC_ADA_WARN
* treat warnings like errors through default value of CC_ADA_WARN_STRICT
* enable almost all style checks through default value of CC_ADA_WARN_STRICT
* style fixes for aes_cbc_4k
* disable strict warnings and style checks for libsparkcrypto and spark lib
Ref #3848
This patch prevents nitpicker from requesting a framebuffer and input
session by default because the regular use of nitpicker relies on the
capture-session and event-session interfaces by now.
For supporting the nested use of nitpicker via the gui_fb component, it
is still possible to enable the traditional behavior by explicitely
setting the 'request_input' and 'request_framebuffer' config attributes
to "yes".
Issue #3812
This remove the call to Io_progress_handler::handle_io_progress() from
wait_and_dispatch_one_io_signal() to prevent unexpected nesting
I/O-progress handling in case of custom dispatch loops (e.g., in libc).
The original intention of Io_progress_handler was to inform the
entrypoint just before blocking in the entrypoint loop.
Issue #2635
This commit applies the transition from the "Input" session to the "Event"
session to the event-filtering mechansim. The functionality of the
input_filter is now provided by the event_filter. The event filter
requests only one "Event" session as destination for the filter result,
which is usually routed to the nitpicker GUI server. It provides an
"Event" service to which any number of event sources can connect.
The configuration of the filter chain remains almost the same. Only the
declaration of the <input> nodes is no longer needed. Instead, the
configuration must specify <policy> nodes, which define the mapping of
"Event" clients (event sources) to the inputs used in the filter chain.
The patch adjusts all uses of the nitpicker GUI server accordingly such
that the event filter reports events to nitpicker's event service
instead of having nitpicker request an "Input" session. This dissolves
the dependency of nitpicker from input drivers.
Issue #3827
This patch brings the input filter into a shape that is easier to
re-mold into an event filter, reversing the client/server roles of
the component.
* The 'Sink &destination' is no longer passed as constructor argument
to the individual filters but passed as argument to the 'generate'
method. This way, the final destination does not need to exist at
the construction time of the filter chain but can be created on
the fly (clearing the way for using 'Event::Client::with_batch').
* A new 'Source::Filter' interface with the 'apply' method aids the
cascading of filters during 'generate'. The modules now implement
the 'Source::Filter::filter_event' interface instead of the
'Source::Sink::submit_event' interface.
* Since the 'Sink &destination' is no longer a member of the filter
modules, character-repeat events can no longer be emitted in an
ad-hoc way. Instead, the character-repeat mechanism now invokes
a new 'Trigger::trigger_generate' hook that prompts the execution
of the regular 'generate' mechanism by the main program.
This patch is supposed to leave the semantics of the input filter
unchanged (validated by the input_filter.run script).
Issue #3827
This is an intermediate helper component for the transition of input
servers into event clients. It works analogously to the
input_event_bridge but it connects servers instead of clients.
In particular, it can act as glue between a traditional input driver
that provides an input service and the event filter that provides an
event service. Thanks to this component, each driver can be migrated to
the event-client interface individually.
Issue #3827
- base/cancelable_lock.h becomes base/lock.h
- all members become private within base/lock.h
- solely Mutex and Blockade are friends to use base/lock.h
Fixes#3819
This patch replaces the use of the "Framebuffer" session interface by
the new "Capture" session interface in all framebuffer drivers. Thanks
to this change, those drivers have become mere clients of the nitpicker
GUI server now, and are no longer critical for the liveliness of the GUI
server.
The patch touches the following areas:
- The actual driver components. The new versions of all drivers have
been tested on the respective hardware. Generally, the drivers
have become simpler.
- The drivers_interactive packages for various boards. The drivers
subsystem no longer provides a "Framebuffer" service but needs a
valid route to the "Capture" service provided by nitpicker.
- The driver manager of Sculpt OS.
- This patch changes the role of the test-framebuffer component from a
framebuffer client to a capture server so that drivers (capture clients)
can be directly connected to the test component without the nitpicker
server.
- Framebuffer driver no longer support the unbuffered mode.
- The fb_bench.run script is no longer very meaningful because it
interplays solely with nitpicker, not with the driver directly.
- All run scripts for graphical scenarios and the related depot
archives got adapted to the change.
Fixes#3813
This patch replaces meta-data allocation during the resize handling by a
new 'Resizeable_texture' type that has all meta data preallocated.
It also replaces the use of pointer return values with the
'Resizeable_texture::with_texture' method.
Issue #3812
Nitpicker used to unconditionally request a framebuffer and input
session. With the transition to the new capture/event session
interfaces, this built-in policy does no longer suffice.
This patch introduces the attributes 'request_framebuffer="yes"' and
'request_input="yes"' (with the default values shown) to nitpicker's
<config> node. If setting those attributes to "no", nitpicker won't
request a "Framebuffer" and "Input" session respectively.
Issue #3812
In the presence of potentially multiple output back ends, this
dirty_rect state must be maintained individually per back end. Instead
of storing the dirty_rect as view-stack member, the view stack now calls
a new 'Damage::mark_as_damaged' interface, which allows nitpicker to
propagate this information to multiple back ends. Unfortunately, the
patch must remove the per-view dirty_rect state.
Issue #3812
This patch simplifies the internal naming of the nitpicker GUI server as
a preparatory step for adding support for the capture session interface.
Issue #3812
_timestamp() returns CPU local values which may not be in sync with _ts
taken from another CPU. Be robust and don't produce wraparound/negative
timeout values.
Issue #3657
* Differentiate in between different architectures with assembler routines
for correct measures
* Automate first step measuring of 10G bogomips across different hardware
Fix#3785
Until now, Genode's framebuffer session interface was based on the
RGB565 pixel format. This patch changes the pixel format to 32-bit
XRGB where the X part is ignored. It adapts all graphical applications
and device drivers accordingly.
The patch also adjusts the users of the drivers_interactive packages,
assigning 64 MiB RAM and 1500 caps to the drivers subsystem, which is
sufficient for covering high resolutions at 32 bits per pixel and to
accommodate multi-component USB HID input stacks.
Fixes#3784
The 'vfs_block' component will give access to a VFS file through a
Block session. For more detailed information please look at its
README.
(On a technical note, the server currently only allows for one
active session and has only one pending back end request but can
easily be extended in the future.)
Fixes#3781.
Setting the 'size' attribute will restrict a reader to consume
0s up to the specified amount per VFS handle. The attribute is
parsed as 'Number_of_bytes', which will limit the amount to the
maximum of the addressable memory on the platform.
This addition comes in handy when needing to provide a synthetic
empty file with a fixed size.
Issue #3781.
So far the condition whether to spawn a new job or not depended on
the amount of data already processed. This could lead to spawning
more jobs than necessary if batching is used and in return could
result in creating invalid requests in case the tested block session
is not large enough.
In addition to checking the amount of data the test now stores the
number of the last block and checks if the current request is in
range. This properly limits the total amount of requests.
Issue #3781.
The seek offset has to be updated on partial writes according to the
current write position. Otherwise writes will override the content
at the initial offset.
Fixes#3780.
This commit fixes the 'Out_of_caps' handling. The previous version
mistakenly upgraded the RAM instead the caps as response. The problem
could be triggered by the 'decorator_stress.run' script.
The blit API archive missed the CPU-architecture-specific variants of
the blit library such that all depot binaries worked with the generic
(slow) fallback implementation. This patch adds the missing pieces to
the blit API archive.
Up to now all pthreads get placed on one CPU.
The patch adds support to evaluate a libc pthread configuration specifying
a placement strategy.
The default strategy is now to use all available CPUs as imposed by Genode's
affinity configuration for the pthread application.
The old behaviour, putting all pthreads on one single cpu can be still
configured by:
<libc>
<pthread placement="single-cpu"/>
...
</libc>
Fixes#3775
To enable logging of ROM session deliveries, set the "diag" on
session routes:
<route>
<service name="ROM" label_prefix="/bin/">
<child name="cached_fs_rom" diag="yes"/>
</service>
…
<route>
Fix#3772
Make the framebuffer driver for pl11x chipsets,
the ps2 input driver for pl050, and the lan9116 NIC driver independent from
the pbxa9 board by using the newly introduced common ARM platform driver API.
Ref #3299
* Remove input driver specific to i.MX53 tablet board from QSB driver pkg
* Move GPIO settings for QSB LVDS backlight out of framebuffer driver into
GPIO driver config
* Move PWM driver functionality out of framebuffer driver
* Make framebuffer driver configureable, and less dependent on
platform driver i.MX53 specifics
base-linux uses seccomp to reduce the available system calls
to the minimum set needed to run base-linux. There are still
some syscalls that allow accessing global state which should
be further reduced.
The combination of seccomp and socket descriptor caps should
provide an intermediate level of security for base-linux
thereby enabling base-linux as a migration path from using
the Linux kernel to the use of microkernel-based Genode.
Fixes#3581
Add the option to configure the RAM quota for core on base-linux.
The environment variable GENODE_RAM_QUOTA if it exists is interpreted
as number of bytes to provide to the first init.
Issue #3762
- Since Genode::strncpy is not 100% compatible with the POSIX
strncpy function, better use a distinct name.
- Remove bogus return value from the function, easing the potential
enforcement of mandatory return-value checks later.
Fixes#3752
This patch is a workaround for the missing implementation of
'Pd_session::transfer_quota' interface by the GDB monitor's PD service.
The missing implementation becomes problematic with the changes of #3750
that enabled the cap-quota accounting for core's CPU service.
In regular scenarios without the GDB monitor, the client of
'Cpu_session::create_thread' deals with Out_of_caps or Out_of_ram by
upgrading the CPU session's cap and RAM quotas. This, in turn, results
in a sequence of 'transfer_quota' operations at the parent.
Since GDB monitor implements a custom PD service, these 'transfer_quota'
calls try to transfer quota between sessions provided by core and those
provided by the GDB monitor. This does of course not work. To fix this
issue, the GDB monitor needs a major overhaul. This patch side-steps
the problem by handing Out_of_caps and Out_of_ram from the debuging
target.
As discovered by Johannes Kliemann, peeking at buffered socket data
using 'recv' and 'MSG_PEEK' is not supported. Read a "peek" control file
from the socket directory to attempt to peek into buffers at the
socket_fs. Support for every feature of POSIX sockets cannot be
expected, but this one is trivial to implement.
Fix#2875
The driver always opens the audio device in duplex mode, i.e.,
playback and recording. Setting the 'playback' or 'recording' attribute
only influnces the service announcement. Due to changes made in a more
recent OpenBSD release recording must be set enabled explicitly anyway.
Since we already provide the interface that mirrors the one used by
OpenBSD 1:1 in the configuration use that and the remove the additional
config attributes.
Fixes#3757.
The former ldso-startup static library (now called ldso_so_support) is
used to spice each shared object/library with local support code for the
dynamic linker (execution of static constructors and ARM-EABI).
Therefore, the library must be statically linked to each dynamic
library.
As a result recipes for dynamic libraries must always depend on the "so"
API, which makes ldso_so_support.mk and so_support.c available
independent of "base". Additionally, ldso_so_support is also provided in
the libc API to cut the dependency early for libc/posix libraries.
Issue #3720
If a "cat" tool as simple as the removed one is needed, it should be
implemented with Goa, only depend on libc/posix (*not* base), and be
named "simple_cat". Up to today, the misleading naming of the removed
tool, tricked me into believing "test-pipe" tests POSIX pipes, which it
did not!
This patch fixes the handling of the corner case where the allocation of
a trace buffer throws 'Out_of_caps' or 'Out_of_ram'. Under this
circumstance, the '_buffer' would still be flagged with the 'size',
which prevented any subsequent allocation attempt. This patch fixes the
problem by initializing the 'size' after the potentially throwing
allocation.
The problem triggered with the test-trace_logger after the accounting of
core's TRACE service (replacing the 'Allocator_guard' by
'Constrained_ram_allocator') became more accurate.
Related to issue #3750
The 'WHITESPACE' case of the _calc_len method wrongly accessed the
character before checking upper bound of the token. The problem is fixed
by switching the order of both conditions.
Fixes#3756
This patch removes old 'Allocator_guard' utility and replaces its use
with the modern 'Constrained_ram_allocator'.
The adjustment of core in this respect has the side effect of a more
accurate capability accounting in core's CPU, TRACE, and RM services.
In particular, the dataspace capabilities needed for core-internal
allocations via the 'Sliced_heap' are accounted to the client now.
The same goes for nitpicker and nic_dump as other former users of the
allocator guard. Hence, the patch also touches code at the client and
server sides related to these services.
The only remaining user of the 'Allocator_guard' is the Intel GPU
driver. As the adaptation of this component would be too invasive
without testing, this patch leaves this component unchanged by keeping a
copy of the 'allocator_guard.h' locally at the component.
Fixes#3750
This patch largely reverts the commit "base: lay groundwork for
base-linux caps change" because the use of 'epoll' instead of 'select'
alleviated the need to allocate large FD sets, which motivated the
introduction of the 'Native_context' hook.
Related to issue #3581
The sandbox library supports the forwarding of session requests from the
outside to one of the hosted children according to a policy. This patch
introduces the distinction between two cases, which previously triggered
the denial of the session request.
- There exists no matching policy for the requested session
- There exists a matching policy but the referred server child
does not exist (yet)
Whereas the proper response to the first case is the denial of the
request, the second case can occur in situation where a dynamic init is
used to implement a staged startup, for example via the deploy
mechanism. In such cases, a policy may exist as a static rule while the
server has not been started yet. This patch changes the behavior such
that such requests are stalled.
The patch is accompanied with test cases for exercising both situations.
Fixes#3733
If trace is enabled for component than an attempt to put message into
trace buffer is performed using log_output policy. If it succeeds than
message is not put to logs using log service.
Fixes#3714
On Linux, Genode used to represent each RPC object by a socket
descriptor of the receiving thread (entrypoint) and a globally-unique
value that identifies the object. Because the latter was transferred as
plain message payload, clients had to be trusted to not forge the
values. For this reason, Linux could not be considered as a productive
Genode base platform but remained merely a development vehicle.
This patch changes the RPC mechanism such that each RPC object is
represented by a dedicated socket pair. Entrypoints wait on a set of
the local ends of the socket pairs of all RPC objects managed by the
respective entrypoint. The epoll kernel interface is used as the
underlying mechanism to wait for a set of socket descriptors at the
server side.
When delegating a capability, the remote end of the socket pair is
transferred to the recipient along with a plaintext copy of the
socket-descriptor value of the local end. The latter value serves as a
hint for re-identifiying a capability whenever it is delegated back to
its origin. Note that the client is not trusted to preserve this
information. The integrity of the hint value is protected by comparing
the inode values of incoming and already present capablities at the
originating site (whenever the capability is invoked or presented to the
owner of the RPC object).
The new mechanism effectively equips base-linux with Genode's capablity
model as described in the Chapter 3 of the Genode Foundations book.
That said, the sandboxing of components cannot be assumed at this point
because each component has still direct access to the Linux system-call
interface.
This patch is based on the extensive exploration work conducted by
Stefan Thoeni who strongly motivated the inclusion of this feature into
Genode.
Issue #3581
Older ARM processors like ARMv6, or Cortex A8 need to write back changes
of the page-tables to physical ram because the MMU does not use the cache.
This naturally needs to be done not only when adding a mapping,
but on removal too.
Fix#3715
The topics are either covered by the Genode Founations book for by our
tools, in particular the integration of the prepare_port mechanism with
the run tool.
- don't use 'qemu -serial mon:stdio' anymore as it no longer works as
expected
- use "bash -l" with [terminal] to read user's profile configuration,
e.g., PATH settings
- added missing boot modules and cap quotas
This commit puts all C++ runtime/support symbols of ld.lib.so in a
dedicated section of base/lib/symbols/ld and mirrors the section to
libports/lib/symbols/libc. So, the libc ABI resolves potential C++
runtime dependencies of base-ABI-agnostic components at link time. The
runtime resolution is done by the linker by symbol lookup in ld.lib.so.
Issue #3720
config_0.xml.tmp:26: element config: Schemas validity error :
Element 'config': Character content other than whitespace is
not allowed because the content type is 'element-only'
Issue #3612
This patch increases the default limit of the maximum number of open
file descriptors to the hard limit of the system. This is needed for
complex scenarios, which require more FDs than the default of 1024
at core.
Related to issue #3581Fixes#3721
