The linker scripts use to fill alignment gaps within the text section
with the magic value 0x90909090, which correponds to the opcodes of four
nop instructions on x86. This patch removes this value because it
apparently solves no problem. If, for some reason (e.g., due to a dangling
pointer) a thread executes instructions within alignment paddings, NOP
instructions are not any better than any other instruction. The program
will eventually execute the instructions after the padding, which is
most likely fatal. It would be more reasonable to fill the padding with
the opcode of an illegal instruction so that such an error can be
immediately detected. That said, I cannot remember a single instance,
where the fill value has helped us during debugging.
Even if the mechanism served a purpose on x86, it is still better to
remove it because it does not equally work on the other architectures
where the linker scripts are used. I.e., on ARM, the opcode 0x90909090
is not a NOP instruction.
If newlines are in the string send to the core log service, they don't get
the label properly appended before each output. The messages then look like
they are coming from core.
Fixes#1368
Be less verbose regards warnings caused by vmx_invalid exits - which triggers
on T400 more often because it has no Unrestricted Guest support. This leads
to lot of log messages so that the test does not succeed in time. Additionally,
the virtualbox_auto_disk.run script is adjusted to check for some output to
exit earlier if something went wrong.
Fixes#1367
Workaround for issue #1343. By disabling the 'vpid' feature of the nova
kernel several VMs can be used concurrently. Applies for Seoul and VirtualBox.
Issue #1343
Instead of fixing the missing dynamic facilities of the AHCI driver
backends for x86 and Exynos5, just avoid to create/destroy the backend
for every new connection, but always use one and the same object.
The AHCI drivers need to be re-written anyway, see issue #1352 for instance,
we can make it more robust for the dynamic case then.
Fixes#786Fixes#1133
This has to be used during shared object creation and destruction because global
lists are manipulated. We cannot use the 'Elf_object::lock' here because there
may be jump-slot relocations during object initialization.
Fixes#1350
When building Genode for VEA9X4 as micro-hypervisor protected by the ARM
TrustZone hardware we ran into limitations regarding our basic daily
testing routines. The most significant is that, when speaking about RAM
partitioning, the only available options are to configure the whole SRAM
to be secure and the whole DDR-RAM to be non-secure or vice versa. The
SRAM however provides only 32 MB which isn't enough for both a
representative non-secure guest OS or a secure Genode that is still
capable of passing our basic tests. This initiated our decision to
remove the VEA9X4 TrustZone-support.
Fixes#1351
On VEA9X4-TZ, the context-area overlaps with the virtual area of the
text, data and bss. However, we can't simply change the link address as
the core image (used physically respectively 1:1 mapped) needs to be in
this particular RAM-region as it is the only one that can be protected
against a VM. Thus I've moved the context area to a place where it
shouldn't disturb any HW-platform.
Fixes#1337
Declaring the SP804 0/1 module and its interrupt to be non-secure prevents the
secure Genode from receiving the interrupt and hence the timer driver in the
secure Genode doesn't work.
Fixes#1340
The commit uses a fixed kernel branch (r8), which fixes a caching bug
observable in the Genode host. The quirk detecting the circumstance in the
timer service is obsolete now and is removed.
Fixes#1338
The commit
- fixes the syscall bindings for using portal permissions
- revokes PT_CTRL permission after pager in core set local badge name
- revokes PT_CTRL permission after server entrypoint code set local badge name
Fixes#1335
This fix configures TTBRs and translation-table descriptors as if we would use
SMP although we don't to circumvent problems with UP-configurations.
This fix should be superseded later by full SMP support for the VEA9X4.
ref #1312
The HW-kernel, in contrast to other kernels, provides a direct reference
to the pager object with the fault signal that is send to the pager
activation. When accessing this reference directly we may fall into the
time span where the root parent-entrypoint of the faulter has alredy
dissolved the pager object from the pager entrypoint, but not yet
silenced the according signal context. To avoid this we issue an
additional 'lookup_and_lock' with the received pager object. This isn't
optimal as we don't need the potentially cost-intensive lookup but only the
synchronization.
Fixes#1311.
Fixes#1332.
- essential support for 7260 chipset and DMA fixes
- assign mvm->pm_ops at beginning of function iwl_op_mode_mvm_start.
iwl_mvm_mac_setup_register() uses mvm->pm_ops, but it is called
before this field is set to a valid value.
- disable call to function iwl_mvm_prepare_multicast.
This function leads to a pagefault, as it aspects a list of multicast
addresses, but the list is empty as it is not generated by this port.
On base-hw, each thread owns exactly one scheduling context for its
whole lifetime. However, introducing helping on IPC, a thread might get
executed on scheduling contexts that it doesn't own. Figuratively
spoken, the IPC-helping relation spans trees between threads. These
trees are identical to those of the IPC relation between threads. The
root of such a tree is executed on all scheduling contexts in the tree.
All other threads in the tree are not executed on any scheduling context
as long as they remain in this position. Consequently, the ready-state
of all scheduling contexts in an IPC-helping tree always equals the
state of the root context.
fix#1102
As soon as helping is used, a thread may also be in a blocking state when its
scheduling context is ready. Hence, the state designation SCHEDULED for an active
thread would be pretty misleading.
ref #1102
If the debug branch of the nova kernel is used, following messages are printed
by the kernel during vCPU setup phase:
[0] overmap attempt OBJ - tree - ...
Fixes#1324
The context of timer are now inserted correctly and the actual timer
triggering the exection of each context is always programmed if the
head of the timer list changes.
Fixes#1326.
The jiffies are only updated on each round of scheduling the runnable
tasks. We have to schedule the current task that executes the sleep
call to update the jiffies count and thereby preventing the task from
entering an endless loop when using a statement like
'while (!time_after(jiffies, now + timeout)) { msleep(1); }'.
Related to #1326.
Instead of probing all device on the PCI bus just look for devices
matching PCI_CLASS_NETWORK_OTHER. This fixes issues with other devices
on the PCI bus, e.g. the GPU, when access their extended config space.
Related to #1326.
Setting explicit routes for Nitpicker's 'Framebuffer' and 'Input' sessionsi
avoids ambiguities if a Qt application provides these services, too.
Fixes#1316
With this patch, when calling 'setFocus()' on a QNitpickerViewWidget, the
Nitpicker view gets the input focus (provided that the parent Qt window
already had it).
Fixes#1314
Until now, the successful termination of the boot process was recognized
when 'expect' saw the first L4 bootstrapper output on serial line. On sytems
with initially shaky serial connection like Versatile Express, where the serial
line baudrate changes with the bootstrapper initialization, the first expected
line might be missing. Therefore, change the expected line to the first
Fiasco.OC kernel output.
This wasn't necessary before because we built an l4 library for
Pistachio and linked it against each application. With the new linker,
we compile the required files from within Genode and create a syscall
library that is only linked to ldso. If a program uses system calls
directly, for example, DDE kit's spinlock implementation, the required
symbols must be made globally accessible.
Fixes#1306
On the Versatile Express Cortex A9x4 platform the first memory region
0x0 - 0x4000000 is a hardware remapped memory area, containing flash
and DDR RAM copies and thus should not be added in addition to all
DDR RAM regions and the SRAM region.
In the init configuration one can configure the donation of CPU time via
'resource' tags that have the attribute 'name' set to "CPU" and the
attribute 'quantum' set to the percentage of CPU quota that init shall
donate. The pattern is the same as when donating RAM quota.
! <start name="test">
! <resource name="CPU" quantum="75"/>
! </start>
This would cause init to try donating 75% of its CPU quota to the child
"test". Init and core do not preserve CPU quota for their own
requirements by default as it is done with RAM quota.
The CPU quota that a process owns can be applied through the thread
constructor. The constructor has been enhanced by an argument that
indicates the percentage of the programs CPU quota that shall be granted
to the new thread. So 'Thread(33, "test")' would cause the backing CPU
session to try to grant 33% of the programs CPU quota to the thread
"test". By now, the CPU quota of a thread can't be altered after
construction. Constructing a thread with CPU quota 0 doesn't mean the
thread gets never scheduled but that the thread has no guaranty to receive
CPU time. Such threads have to live with excess CPU time.
Threads that already existed in the official repositories of Genode were
adapted in the way that they receive a quota of 0.
This commit also provides a run test 'cpu_quota' in base-hw (the only
kernel that applies the CPU-quota scheme currently). The test basically
runs three threads with different physical CPU quota. The threads simply
count for 30 seconds each and the test then checks wether the counter
values relate to the CPU-quota distribution.
fix#1275
Do not support the global construction from of objects from within a global
constructor of another object. This can happen if, for example, dlopen is called
from a global constructor. The construction will be post-boned until the current
constructor has finished.
On Arndale, the kernel timer resets to the initial value of the last
count-down and continues as soon as it reaches zero. We must check this
via the interrupt status when we read out the timer value and in case
return 0 instead of the real value.
fix#1299
The way this function is currently used in dde_linux expects this
function to return. Since there is dde_kit_panic it should better
be used in such a case the output should block.
Kernel::Processor was a confusing remnant from the old scheme where we had a
Processor_driver (now Genode::Cpu) and a Processor (now Kernel::Cpu).
This commit also updates the in-code documentation and the variable and
function naming accordingly.
fix#1274
The run test 'hw_info' prints the content of the basic ARMv7 identification and
feature registers in a pretty readable format. It is a kernel-internal test
because many of these registers are restricted to privilege level 1 or higher.
fix#1278
The new scheduler serves the orthogonal requirements of both
high-throughput-oriented scheduling contexts (shortly called fill in the
scheduler) and low-latency-oriented scheduling contexts (shortly called
claim in the scheduler). Thus it knows two scheduling modes. Every claim
owns a CPU-time-quota expressed as percentage of a super period
(currently 1 second) and a priority that is absolute as long as the
claim has quota left for the current super period. At the end of a super
period the quota of all claims gets refreshed. During a super period,
the claim mode is dominant as long as any active claim has quota left.
Every time this isn't the case, the scheduler switches to scheduling of
fills. Fills are scheduled in a simple round robin with identical time
slices. Order and time-slices of the fill scheduling are not affected by
the super period. Now on thread creation, two arguments, priority and
quota are needed. If quota is 0, the new thread participates in CPU
scheduling with a fill only. Otherwise he participates with both a
claim and a fill. This concept dovetails nicely with Genodes quota based
resource management as any process can grant subsets of its own
CPU-time and priorities to its child without knowing the global means of
CPU-time and priority.
The commit also adds a run script that enables an automated unit test of the
scheduler implementation.
fix#1225
To serve the needs of the coming CPU scheduler, the double list needs
additional methods such as 'to_tail' and 'insert_head'.
The commit also adds a run script that enables an automated unit test
of the list implementation.
ref #1225
Kernel tests are done by replacing the implementation of an otherwise
empty function 'Kernel::test' that gets called once at the primary CPU
as soon as all kernel initialization is done. To achieve this, the test
binary that implements 'Kernel::test' must be linked against the core
lib and must then replace the core binary when composing the boot image.
The latter can be done conveniently in a run script by setting the new
argument 'core_type' of the function 'build_boot_image' to the falue
'test'. If no kernel test is needed the argument does not have to be
given - it is set to 'core' by default which results in a "normal"
Genode image.
ref #1225
Previously, Idle_thread inherited from Thread which caused an extra
processor_pool.h and processor_pool.cc and also made class models for
processor and scheduling more complex. However, this inheritance makes
not much sense anyway as an idle context doesn't trigger most of the code
in Thread.
ref #1225
The memory barrier prevents the compiler from changing the program order
of memory accesses in such a way that accesses to the guarded resource
get outside the guarded stage. As cmpxchg() defines the start of the
guarded stage it also represents an effective memory barrier.
On x86, the architecture ensures to not reorder writes with older reads,
writes to memory with other writes (except in cases that are not
relevant for our locks), or read/write instructions with I/O
instructions, locked instructions, and serializing instructions.
However on ARM, the architectural memory model allows not only that
memory accesses take local effect in another order as their program
order but also that different observers (components that can access
memory like data-busses, TLBs and branch predictors) observe these
effects each in another order. Thus, a correct program order isn't
sufficient for a correct observation order. An additional architectural
preservation of the memory barrier is needed to achieve this.
Fixes#692
GCC 4.7.4 and newer seems to optimize the lock-variable accesses more
radically, which uncovered the missing volatile qualifier and resulted
in:
Assertion "(int)locked >= 0" failed in file '.../okl4_x86/kernel/include/kernel/read_write_lock.h', line 151 (fn=f0104771)
--- "KD# assert" ---
Invalidating all branch predictors before switching the PD
fixes instability problems on Panda and has not much effect
on the performance of other boards. However, we neither know why
this is a fix nor wether it fixes the real cause of the problem.
fix#1294
Previously, the timer was used to remember the state of the time slices.
This was sufficient before priorities entered the scene as a thread always
received a fresh time slice when he was scheduled away. However, with
priorities this isn't always the case. A thread can be preempted by another
thread due to a higher priority. In this case the low-priority thread must
remember how much time he has consumed from its current time slice because
the timer gets re-programmed. Otherwise, if we have high-priority threads
that block and unblock with high frequency, the head of the next lower
priority would start with a fresh time slice all the time and is never
superseded.
fix#1287
Some SDL applications expect the SDL_image headers in include/SDL to be
reachable without the SDL/ prefix. This patch adds the corresponding
search path. Furthermore it enables support for XPM images.
Ported drivers list and extract all needed source files. This decouples
ports according to contrib sources and also enables us to revert lxip to
Linux version 3.9, while staying with 3.14 for usb.
Fixes#1285
The manpage to errno tells the following story:
The <errno.h> header file defines the integer variable errno, which is
set by system calls and some library functions in the event of an error
to indicate what went wrong. Its value is significant only when the
return value of the call indicated an error (i.e., -1 from most system
calls; -1 or NULL from most library functions); a function that
succeeds is allowed to change errno.
Valid error numbers are all nonzero; errno is never set to zero by any
system call or library function.
When the 'Mtd::FPU' flag is set during the registration of a
virtualization event handler, it must also be set whenever the event
handler returns.
Fixes#1283
This patch ensures that priority values passed as session arguments
are within the valid range of priorities. Without the clamping, a child
could specify a priority of a lower priority band than the one assigned
to the subsystem. Thanks to Johannes Schlatow for reporting this issue.
Fixes#1279
This is just a quick fix to calm down the buildbot - a revised
implementation is needed according to issue #1277. Further, the reason
for the increased test duration on several platforms must be
investigated.
The alias is rather Linux-specific and also prevents particularly
tailored jiffies implementations. For the existing dde_linux ports (usb
and lxip) we just define jiffies to be dde_kit_timer_ticks with a
preprocessor macro.
The menu view generates a simple dialog of widgets and reports the
hovered element. It is meant to be embedded into applications that
require simple GUIs but don't want to deal with the pecularities of
a full-blown widget set.
The new 'session_control' function can be used to perform operations on
the global view stack that span one or multiple sessions, e.g., bringing
all views of specific sessions to the front, or hiding them.
If the Rom_session::update function returns false, the ROM dataspace may
have been physically destructed (and core has removed all mappings).
In this case, we have to omit the detach operation in the destructor
of 'Attached_dataspace' to avoid detaching the same region twice.
The headers 'texture_rgb565.h' and 'texture_rgb888' contain
template specializations needed for using the 'Texture::rgba' function
for the respective pixel formats. The specializations were formerly
contained in application-local code.
This patch add an optional alpha argument to the constructor, which may
be passed to a pixel type representing an alpha channel. Furthermore,
a new overload of the mix function has been added to accommodate use
cases where one texture is applied to both a pixel surface and an alpha
channel.
When X-ray mode is active, nitpicker filters motion events that are not
referring to the currently focused domain. However, domains configured
as xray="no" (such as a panel) need to obtain motion events regardless
of the xray mode. This patch relaxes the motion-event filtering to
accommodate such clients.
The buffer offset was wrongly accounted for. The miscalculation went
unnoticed until now because the buffer offset was apparently never used
in combination with alpha-channels.
If a domain is configured as xray="no", we want to let the views of the
domain respond to input events like in flat mode, even if xray mode is
active. Normally, the input mask of views with an alpha channel is
disregarded in X-ray mode. However, for non-ray views, the input mask
should always be considered.
The 'Signal_rpc_member' takes care about dissolving its signal context
from the receiver. So we don't need to manually perform this operation
in the session destructor.
With this patch, the VESA driver chooses the video mode with the highest
resolution from the list of available modes if no resolution is
explicitly configured.
Fixes#1263.
* use seoul branch containing vbios emulator
* report the memory model in the VBE mode info as otherwise the
Genode framebuffer driver will ignore this mode
Fixes#1261
It turned out that the controller configuration can change during the self
tests, so now it is read before running the tests and restored afterwards.
Fixes#1260.
This component merges the input events of multiple sources.
Example configuration:
<start name="input_merger">
<resource name="RAM" quantum="1M" />
<provides>
<service name="Input" />
</provides>
<config>
<input label="ps2" />
<input label="usb_hid" />
</config>
<route>
<service name="Input">
<if-arg key="label" value="ps2" /> <child name="ps2_drv" />
</service>
<service name="Input">
<if-arg key="label" value="usb_hid" /> <child name="usb_drv" />
</service>
<any-service> <parent /> <any-child /> </any-service>
</route>
</start>
For each 'input' config node, the component opens an 'Input' session with the
configured label. This label is then evaluated by 'init' to route the session
request to a specific input source component.
Fixes#1259.
* When flushing the data and unified cache on ARM, clean and invalidate
instead of just cleaning the corresponding cache lines
* After zero-ing a freshly constructed dataspace in core, invalidate
corresponding cache lines from the instruction cache
The backend allocator for the slab is a sliced heap, which hands out
allocations with page-size granularity (4096 bytes). Therefore, the
slab-block size should also be about a multiple of the page size minus
some bytes of overhead.
Additional adjustments:
- The slab-block size and the default quota-upgrade amount for SIGNAL
sessions depends on the platform bit width now.
- The signal test also stresses the case of many managed context in one
session including creation and destruction of the used signal receiver
in repeated rounds.
- correctly catch and report non-existing root directories
- remove *all* leading slashes from root-directory attributes and
sanitize empty declarations to current working directory
The weak implementation was added for quite special purposes years ago
and is no longer needed. On the other hand, the weak attribute does not
help if the implementation ends up in a shared library, which first
resolves symbols locally before asking ldso (that includes the acutal
thread library) *shiver*
The original git:// URL produced the following error:
Cloning into 'jbig2dec'...
fatal: remote error: access denied or repository not exported: /jbig2dec.git
