Limit the use of Reg_list::for_each that caches a next pointer
of its items to allow destruction of items in its lambda body.
Instead provide an Reg_list::apply function in addition, which
takes a condition lambda to find the matching item, and a lambda
processed on it. In most use-cases where for_each was used, only
one item was searched for. Here we can use apply now., without
the need for a cached pointer, nor too many iterations.
Fixesgenodelabs/genode#5349
Unless nitpicker is used in 'request_framebuffer' mode, it no longer
depends on a periodic timer but merely acts as a broker between capture
clients and GUI clients. Sync signals as delivered to GUI clients are
now wired to Capture::Session::capture_at calls. So the display driver
defines the occurrence of those signals.
Note that sync signals are only delivered while a driver actively calls
'capture_at'. If a driver stops capturing, GUI clients no longer receive
any sync signal. This is a change from the previous situation where GUI
clients could depend on the periodicity of sync signals.
Issue #5347
With this change, a client (i.e., display driver) can register
a wakeup signal handler to be notified on the arrival of new data to
capture. The signal is delivered only when the client has stopped
capturing. The client propagates this condition to the server using
the new 'capture_stopped' RPC call.
This change in principle enables a display driver to suspend its
periodic mode of operation after a few frames without capturing any
new data. As the first driver, the fb_sdl driver has been adapted to
the new protocol. This change not only eliminates the driver's CPU
load when idle, it also reduces the latency of sporadic output
because the response to such GUI updates is no longer bound by a
fixed periodic interval.
Issue #5344
This patch is a preparatory step for relaxing the strictly periodic
operation of fb_sdl. With the new design, the SDL event loop can block
for events while Genode's main entrypoint stays receptive for I/O.
The main entrypoint can interact with the SDL thread by injecting
SDL user events.
The patch also replaces the full-screen clearing and update of the
SDL window by an update of the captured bounding box only. This reduces
the CPU load of fb_sdl when idle. When updating a small part of the
screen (e.g., when moving the mouse only), the load is still rather
heavy though.
Issue #5344
This patch enhances the Capture::Connection::Screen such that the
bounding box of the affected pixels can be tracked by the caller,
which can use this information to adjust its behavior to the
activity/inactivity of the capture server.
Issue #5344
This patch adds the physical screen size as argument to the
Capture::Session::buffer RPC function, which allows drivers to
propagate DPI information to the GUI server. While changing the
the interface, the patch replaces the former use of C++ exceptions
by a result type. The 'Buffer_result' is handled transparently by the
Capture::Connection. The client.h code is now integrated in
connection.h.
Issue #5344
This is a follow-up commit to "gui_session: manage view ID at the client
side", which missed to invalidate the neighbor view of a window but
instead wrongly assigned the (now always valid) view ID 0 as neighbor.
In situations where a window disappears and re-appears (e.g., repeatedly
launching testnit in the wm.run scenario), the new window could not
always be topped.
Issue #5242
The current default session RAM quota of 36 KiB reflects the needs of
the nitpicker GUI server. However, in most commonly used scenarios, a
GUI client connects to nitpicker indirectly via the wm. The low value
worked so far because the wm did not account RAM and cap usage per
client so far but paid out of its own pocket and faithfully forwarded
all resource upgrades to nitpicker.
When adding resource accounting to the wm, the old default value has the
effect that a new client has to repeatedly attempt the session creation -
each time offering sligthly more session quota - until both nitpicker and
the wm are satisfied.
By roughly doubling the default to 80 KiB, a wm client immediately
succeeds with opening a GUI session without repeated attempts.
By specifying a custom 'cap_quota' amount to the 'Genode::Connection',
the Gui::Connection now donates enough caps for both the wm and
nitpicker.
Issue #5340
This patch deduces the caps needed for the framebuffer and input RPC
objects from the resources accounted locally within the session. It also
takes precautions for the situation where a client offers too little
resources, prompting the mid-way cancelling of the 'Session_component'
creation. With the patch, the 'ep.manage' operations are rolled back
by the corresponding 'ep.dissolve' operations.
Issue #5340
This patch moves the eager allocation of view capabilities from the
'view' and 'child_view' RPC functions to the 'view_capability' RPC
function, reducing the consumption of capabilities in all scenarios
where views don't need to be shared between GUI sessions.
Issue #5340
The gui_fb client may have installed a custom sync_sigh and mode_sigh.
Reset those signal handlers at the GUI server should the client
disappear. Otherwise, the GUI server (nitpicker) continues to attempt
transmitting sync signals to the no-longer existing component, spamming
the log with "Warning: invalid signal-context capability" messages.
This interface change gives GUI servers the freedom to allocate view
capabilities at the time of request instead of the creation time of the
view. This is useful because view capabilities are rarely needed.
Issue #5242
This patch moves the management of view IDs from the server to the
client side. The former 'create_view' and 'create_child_view'
operations do no longer return a view ID but take a view ID as
argument. While changing those operations, this patch takes the
opportunity to allow for initial view attributes. Combined, those
changes simplify the window manager while accommodating typical
client use cases with less code.
To ease the client-side ID management, the Gui::Connection hosts
a 'view_ids' ID space for optional use. E.g., the new 'Top_level_view'
class uses this ID space for ID allocation. This class accommodates the
most typical use case of opening a single window.
The 'alloc_view_id' RPC function is no longer needed.
Issue #5242
This patch reworks the view-ID handling within the nitpicker GUI server
and the window manager. The namespace of view handles are now represented
as an Id_space. In constrast to the former "handles", which could be
invalid, IDs cannot be semantically overloaded with anything other than
an actual view reference. There is no notion of an invalid handle.
IDs are like C++ references (which cannot be a nullptr).
This change requires the code to be more explicit. E.g., the stacking of
a few at the front-most position can no longer be expressed by passing
an invalid handle as neighbor.
Issue #5242
Express the allocation of a new view handle by a dedicated RPC function
instead of passing an invalid view handle to the existing 'view_handle'
function.
This eliminates the notion of invalid view handles at the GUI session
interface, clearing the way for managing view handles via an Id_space.
Issue #5242
This patch eliminates the use of invalid view handles as special
Session::Command arguments. The TO_FRONT and TO_BACK operations
interpreted as invalid neighbor as top-most or back-most position.
Those corner cases are now expressed via dedicated commands. The
new stacking commands are FRONT, BACK, FRONT_OF, and BEHIND_OF.
While changing the command interface, the patch removes the OP_
prefix from the opcode values.
Issue #5242
- Rename framebuffer_session to framebuffer and
input_session to input as those RPC interfaces are no longer
meant to be used as stand-alone sessions.
- Host Connection::input and Connection::framebuffer as public
members, thereby removing the use of pointers. This simplifies
the client-sized code. E.g., '_gui.input()->pending()' becomes
'_gui.input.pending()'.
Issue #5242
To maintain ease of use at the client side, the OUT_OF_RAM and
OUT_OF_CAPS results are handled at the 'Gui::Connection' now.
Gui::Connection does not inherit the Gui::Session interface any longer,
which allows for the use of different result types.
Issue #5242
Issue #5245
This patch replaces the optional parent argument of the create_view
RPC function by a dedicated create_child_view RPC function. This
is a preparatory step of removing the notion of an invalid handle
as a special case.
Issue #5242
Now, USB audio class devices become available in Sculpt, e.g., for vbox
passthrough, and are not automatically grabbed by the usb_hid class=3
policy. In the future, interface/endpoint level policies will enable
driving the HID interface only from usb_hid while a usb_audio driver
controls the rest of the device.
- Remove exceptions
- Use 'Attr' struct for attach arguments
- Let 'attach' return 'Range' instead of 'Local_addr'
- Renamed 'Region_map::State' to 'Region_map::Fault'
Issue #5245Fixes#5070
The 'Thread_creation_failed' error is now reflected as
'Thread::Start_result' return value. This change also removes the
use of 'Invalid_thread' within core as this exception is an alias
of Cpu_session::Thread_creation_failed.
Issue #5245
For each packet that got stuck with an ARP-cache miss, the router used to send
one ARP request and create one ARP waiter. However, in situations where many
packets target the same IP at one destination domain and during a short period
of time, this causes unnecessary session-quota consumption and network traffic.
This issue becomes especially pressing when taking malicious source peers,
absent destination peers, and packet batching into account.
Therefore, with this commit, the router can accumulate multiple source packets
with the same destination IP at one ARP waiter. This means, that only the first
packet with an ARP-cache for a certain IP sends an ARP request and creates an
ARP waiter. For situations where the ARP request is not answered, this
essentially rate-limits ARP requests for one IP at one destination domain
according to the lifetime of ARP waiters (default: 10s)
Ref #4534
The router used to send an ARP request for a packet before allocating the
corresponding ARP waiter. If the ARP waiter could not be allocated due to
resource exhaustion plus emergency free failed, the packet got dropped and the
router had produced unnecessary network traffic. The commit fixes this by
sending only after successful allocation.
Ref #4534
The previous default packet-batch count of 150 (<config
max_packets_per_signal>) was choosen with the only goal of preventing
starvation by huge amounts of packets from one session.
However, there is something else to keep in mind. A packet that is found to
require ARP sends an ARP request and becomes blocked after having consumed
resources. This means, that, in the worst case, the router used to send 150 ARP
requests and consume resources 150 times before making it even possible for the
outer world to react and cause resources to be freed.
With this additional scenario in mind, the default batch size should be
significantly lower.
Ref #4534
This patch removes the exception formerly thrown by 'Cpu_thread::state'
and turns the 'Thread_state' structure into a plain compound type w/o a
constructor.
Issue #5245Fixes#5250
With libxml2 >= 2.13, the `-path` argument can no longer be used for
setting search paths for xsd files. Instead, we use an XML catalog to
replace genode:// URIs with absolute paths.
Fixes#5248
This patch replaces exceptions of the PD session RPC interface with
result types.
The change of the quota-transfer RPC functions required the adaptation
of base/quota_transfer.h and base/child.h.
The 'alloc_signal_source' method has been renamed to 'signal_source'
to avoid an exceedingly long name of the corresponding result type.
The Pd_session::map function takes a 'Virt_range' instead of basic-type
arguments.
The 'Signal_source_capability' alias for 'Capability<Signal_source>' has
been removed.
Issue #5245
This patch updates the signal API to avoid raw pointers, and
replaces the Context_already_in_use and Context_not_associated
exceptions by diagnostic messages.
Fixes#5247
The router used to ignore the value of the <report quota=".."/> attribute when
it came to determining whether an interface's report is empty or not.
Therefore, merely configuring <report quota="yes"/> didn't cause interfaces
(and their quota) to show up in the report. Instead, interface quota was
reported as side effect of <report stats="yes"/>. The commit fixes this
inconsistency with the README.
The only object that is dynamically allocated by a network interface and that
was not equipped with a self-destruct timeout was the ARP waiter. This commit
closes this gap by adding a timeout to each ARP waiter that is set to 10
seconds by default but can be configured via the new <config> attribute
'arp_request_timeout_sec'.
Ref #4729
RFCs recommend to keep TCP connections for a certain time even after they
finished a close handshake, AFAIK, in order to be able to recognize astray
packets when they arrive later. This seems overambitious especially when in
the context of the router where session quota is pretty limited. Therefore,
this commit drops this final timeout and drops closed connections immediately.
Ref #4729
The previous value of 60 seconds was never observed in real-time scenarios and
UDP, for instance always used a timeout of 30 seconds without causing issues.
Note that this applies only to TCP connections in a state other than
ESTABLISHED, i.e., while it is still safe to early-drop the connection.
Ref #4729
The TCP connection state "ESTABLISHED" (in the router "OPEN") is a privileged
one for peers because it lasts very long without any peer interaction (in the
NIC router it's only 10 minutes, but RFCs recommend not less than 2 hours and
4 minutes). Furthermore, TCP connections in this state are normally not
available for early-drop on resource exhaustion. This means that this state
binds resources to a connection potentially for a long time without the option
of regaining them under stress. Therefore, this state should be entered with
care.
Up to now, the router marked a TCP connection with this state as soon as it had
seen one matching packet in both directions, which is rather quick. However,
implementing a very precise tracking of the exact TCP states of both peers and
only marking the connection "ESTABLISHED" when both peers are "ESTABLISHED" is
a difficult task with lots of corner cases.
That said, this commit implements a compromise. The router now has two flags
for each peer of a TCP connection - FIN sent and FIN acked - and sets them
according to the observed TCP flags. The "ESTABLISHED" state is entered only
when FIN acked is set for both peers (without having observed an RST or FIN
flag meanwhile).
Ref #4729
The Reference and Const_reference utility were introduced in order to express
that something is a reference (no null value) but can be changed dynamically
(not possible with built-in C++ references). However, the idea of preventing
every possibility for null pointer faults, with which the router was built
initially, has not prevailed and using pointers instead of the utility saves
logic and makes the code more readable to other C++ developers.
Ref #4729
The deinitialization method of Domain used to rely on Domain::with_dhcp_server
in order to dissolve and destroy a present DHCP server. However, this method
skipped calling its functor argument also when there was a DHCP server but an
invalid one. This commt replaces the with_dhcp_server with a pointer null-check
in order to fix the leak.
Ref #4729
Re-implements an emergency freeing of resources on exhaustion of session quota.
In contrast to the past one, the new algorithm is executed directly where the
exhaustion occurs. Instead of interupting the packet handling and restart it
from the beginning after the freeing action, packet handling is now continued
at the point of exhaustion (if enough resources could be freed). Furthermore,
the new algorithm frees only 100 objects (instead of 1024) at a max as we found
this to better match real-life observations. And finally, the router now drops
ICMP first, then UDP, then TCP - as this better reflects priorities - and
refrains from dropping TCP connections in the ESTABLISHED state. If the router
cannot free a sufficient amount of resources, the packet that caused the
exhaustion is dropped with a warning (verbose_packet_drop="yes").
Ref #4729
Remove the use of C++ exception as much as possible from the router as C++
exception handling can be resource intensive and can make code hard to
understand.
This also removes the garbage collection that the router used to do when a
session ran out of quota. This is motivated by the fact that the garbage
collection was rather simple and removed connection states regardless of their
current state, thereby causing broken connections. The change is part of this
commit as the approach to integrating garbage collection relied strongly on
exception handling.
The user story behind removing garbage collection: The router emergency-dropped
an established TCP connection (with NAPT) and on the next matching packet
re-created it with a different NAPT port, thereby breaking the connection. With
this commit, existing connections are prioritized over new ones during resource
exhaustion and the packets that attempt to create a new connection in such a
state are dropped with a warning in the log (verbose_packet_drop="yes").
Note that the state resolves itself with time as existing connections time out
or are closed by peers.
Ref #4729
Reserved memory regions must be excluded from the corresponding DMA
allocators irrespective of whether the device is in use. Otherwise, an
early allocation of DMA buffers may use the reserved memory regions of a
late acquired device.
Fixes#5232
This exception got introduced as a mere convenience for implementers of
'Child_policy' but required a special case in the base library.
Following the goal of eliminating exceptions from the base system,
this patch removes it by making a server_id_space mandatory.
Issue #5245
as setup by firmware after boot. The information will/can be used by the
platform driver to re-program bridges after a system suspend/resume cycle.
Issue #5241
- Replace 'typedef' by 'using'
- Avoid plain pointers
- Import Genode namespace into Gui::
- Use enum class
- Use Attr struct for passing multiple attributes
- Turn testnit into proper Genode::Component
- Use distinct types for top-level and child views
- Remove dependency from timer
- Use util/geometry.h
- Move header to base/include to make it applicable for base types
like 'Affinity' down the road.
- Represent 'Rect' as typle of point and area, which is the most
common form of initialization, creates in valid 'Rect' by default.
- Turn Point, Area, and Rect into compound types, making x, y, w, h, at,
area accessible without a method call
- 'Rect::Compound' function for constructing a 'Rect' from two points,
replacing a former constructor
- Use result type 'Rect::Cut_remainder' instead of out parameters.
Fixes#5239
This patch turns 'Color' from a class to a POD type by replacing
the constructors by the named create functions 'rgb', 'clamped_rgb',
and 'clamped_rgba'. It thereby enables the initialization of Color
values using { .r = ... } syntax and makes the type usable in const
expressions.
It also narrows the type for color components and alpha values to
uint8_t. So possible integer overflows of computed values are detected
by -Wconversion.
As 'Color::rgb(0, 0, 0)' is repeatedly used as a default value, the
patch adds the 'Color::black()' function.
Fixes#5238
This enables the combination of the nic_uplink component with any driver
pkg featuring a runtime file. This is already the case of the pc_nic
driver.
This is a preparatory step for issue #4420.
When having a maximized terminal window, a suspend was causing an
invalid mode change at nitpicker. This triggered a huge resource request
in nitpicker because the RAM-quota check was rendered ineffective by a
wrap-around during unsigned multiplication.
Issue genodelabs/genode#5180Fixesgenodelabs/genode#5201
The test reverts the platform drivers' config at the end of the test
to an empty state. However, this state should still contain a default
policy (analogyously to the initial state). Otherwise, the platform
session of the test program will (sometimes) become invalid just before
successfully finishing the test.
The original use cases of the loader have long been covered by the
dynamic init. The only substantial client of the loader remained to be
the qpluginwidget. However, the qpluginwidget was supported only by the
Arora web browser. But the blending of plugins with websites ultimately
remained a tech demo, and Arora has been replaced by Falkon.
Fixes#5229
Default disabled initialization prevents follow-up errors if one
capability is already enabled on boot, but platform_drv decides to
enable the other one. The PCI spec explicitly states that "Behavior is
undefined if both MSI and MSI-X are enabled simultaneously".
Fixes#5228
- no need to explicitly switch off vga anymore
- use vPID for VMs which improves TLB usage if multiple vCPUs on same
pCPU is used, which happens to happen on Sculpt.
- support for mwait by nova kernel, which is off by default
Issue #5206
During resume the waiting for Cmd::St takes ~2s on a T460p with Intel
AHCI SSD attached. According to the Serial ATA AHCI Spec. wakeup can take
seconds, e.g. chapter 8.2 Power State Mappings of the Serial ATA AHCI spec
(1.3.1).
Issue #5203
