Track the dataspaces used by attach and add handling of flushing VM space
when dataspace gets destroyed (not triggered via the vm_session interface).
Issue #3111
Handles corner case when addr + size becomes exactly 0. Before the commit
the function returned that sum is not part of the range, which is wrong.
Issue #3111
This patch removes the blocking Block::Session::sync RPC function and
adds the asynchronous operations SYNC and TRIM to the block session's
packet-stream interface.
Even though the patch adjusts all block components to the interface
change, the components keep the former blocking handling of sync
internally for now because of the design of the 'Block::Driver'
interface. This old interface is not worth changing. We should instead
migrate the block servers step by step to the new
'Block::Request_stream' API.
Fixes#3274
The new request tag allows a block-session client to uniquely correlate
acknowledgements with outstanding requests. Until now, this was possible
for read and write operations by taking the value of the request's
packet-stream offset. However, SYNC and TRIM requests do not carry any
packet-stream payload and thereby lack meaningful offset values. By
introducing the notion of a 'tag', we can support multiple outstanding
requests of any type and don't need to overload the meaning of the
'offset' value.
Issue #3274
This patch splits the 'Request' definition into smaller types that are
suitable for the client-side API too.
The new 'Operation' type comprises the block operation's type (opcode)
and the operation's arguments (block number, block count).
The former 'Request::operation_defined' is now 'Operation::valid'.
The 'Request' aggregates an 'Operation', which changes its object
layout.
Note that this commit relaxes the bit-precise definition of 'Request' to
facilitate the use of 'unsigned long' where appropriate, in particular
for the request tag (which should correspond to an 'Id_space::Id'). The
originally bit-precise definition was pursued to allow the sharing of
the 'Request' type between SPARK and C++ code. However, it turns out
that defining a native type in each language and a (set of) converting
constructors is a more natural approach.
Issue #3283
When receiving a terminal signal, the uart device model has to
take all characters out of the stream. Otherwise, characters
might never arrive at the VM. This was not recognized before,
because it was used with a quite slow UART only, which obviously
never achieved to send more characters at once.
Ref #3278
A small terminal-client tool, which expects a specific line(-start),
and then sends a specified line to the other side. Optionally,
it prints all received lines to its LOG service.
Ref #3278
- sorting of initializer by Christian Prochaska - issue #3253
- leak of FPU register state reported by Julian Stecklina - thanks !
- fix page table synchronization bug - by Julian Stecklina
- add a second dynamic buddy if the memory requirements could not be fulfilled
by the first dynamic buddy
- disable vtlb peek if EPT/NPT is enabled
This patch renames 'wakeup_client' to 'wakeup_client_if_needed' to
clarify that the method triggers signals only when needed, not on every
call.
The name 'wakeup_client' is prone to misguide users to call the function
conditionally as an optimization, thereby complicating the code, but to
no effect.
Fixes#3279
This patch replaces the formerly fixed 2 KiB data alignment within the
packet-stream buffer by a server-defined alignment. This has two
benefits.
First, when using block servers that provide small block sizes like 512
bytes, we avoid fragmenting the packet-stream buffer, which occurs when
aligning 512-byte requests at 2 KiB boundaries. This reduces meta data
costs for the packet-stream allocator and also allows fitting more
requests into the buffer.
Second, block drivers with alignment constraints dictated by the
hardware can now pass those constraints to the client, thereby easing
the use of zero-copy DMA directly into the packet stream.
The alignment is determined by the Block::Session_client at construction
time and applied by the Block::Session_client::alloc_packet method.
Block-session clients should always use this method, not the 'alloc_packet'
method of the packet stream (tx source) directly. The latter merely
applies a default alignment of 2 KiB.
At the server side, the alignment is automatically checked by
block/component.h (old API) and block/request_stream.h (new API).
Issue #3274
This patch modernizes the 'Block::Session::info' interface. Instead of
using out parameters, the 'init' RPC function returns a compound 'Info'
object now. The rather complicated 'Operations' struct is replaced by
a 'writeable' attribute in the 'Info' object.
Fixes#3275
Triggering of an invalidated signal seems to be no real exception,
but something that occurs regularily. Therefore, the kernel warning
is of no use to developers anymore.
Ref #3277
As far as possible remove usage of warning/error/log in the kernel,
otherwise the kernel context might try to take a lock hold by a core
thread, which results in a syscall to block.
Fix#3277
This patch removes the reliance of the extract tool from the libc's
behavior regarding the access of time and timing.
The extract tool is not expected to need time. However, unfortunately,
libarchive calls the 'time' function unconditionally. By adding a
dummy for 'time', we avoid bothering the libc, which would otherwise
need to obtain a time source.
Issue #3204
In the original version, I used 'number_of_bits' because Ada's 'Size
returns the size in bits, not bytes. But the values (for objects) are
always a multiple of 8. On the C++ side, performing size checks at the
granularity of bits is just awkward. The term 'object size' is more
natural.
* necessary for enabling the kernel debugging facilities on base-foc
(outstring, fiasco_tbuf_log_3val and friends)
* disabled by default
related to issue #3260
By adding a wildcard at the beginning of (expected) error messages, the
test.run tool becomes able to match the lines (ignoring the characters
of the color escape sequence).
The 'aes_cbc_4k' library is simple wrapper around libsparkcrypto to
serve as a backend for storage encryption. It operates on data chunks of
4 KiB and uses AES-CBC while incorporating the block number and the
private key as salt values.
Discovered while creating an ext2 file system on an sd_card (no
partitions, imx6), which failed with an error message that stated the
device is in use. Genode's libc/posix layer has no notion of mount
points.
Fixes#3271
Disconnecting a client and connecting an other to the sd_card_drv
on imx6 results in a "Completion host signal timed out" error in
the newly connected client.
Fixes#3272
The "nameserver" file cannot be opened through a VFS File_system client
if the plugin does not support opening the parent directory of
"/nameserver", which would be "/".
Ref #3269
Replace the I/O response handler that is passed to the VFS at
construction with an object that is dynamically attached to handles.
This object shall also accept read-ready notifications, and plugins are
encouraged to keep handles awaiting ready-ready notifications separate
from handles that await I/O progress.
Replace the use of handle lists in plugins with handle queues, this
makes the code easier to understand and the ordering of notifications to
the application more explicit.
These changes replace the use of the Post_signal_hook from all VFS
plugins, applications must assume that read-ready and I/O notifications
occur during I/O signal dispatch and use an Io_progress_handler at its
entrypoints to defer response until after signal dispatching.
Fix#3257
Make sure that the rwlock is allocated before a lock operation is
performed. This case occurs if a static rwlock was create by using
PTHREAD_RWLOCK_INITIALIZER. Same goes for PTHREAD_CONDS_INITIALIZER.
Fixes#3262.
Since QEMU might put the audio device at 00:03.0, also check if the
vendor is Intel. Hopefully we do not render HDA on real machines
useless with this changes (so far I have not encountered one).
Fixes#3263.
For better or worse we have no proper way of handling this right now
but contrib libraries, e.g. glib, use it to determine if they can use
the underlying fd.
Fxies #3265.
Issue #3111
- enable vt-x in kernel configuration
Kernel patches:
- add unrestricted guest support
- avoid kernel boot failure when vt-x is not available
- avoid nullpointer in kernel when vcpu is not fully setup
- avoid vcpu scheduling bug which causes starvation on same/below prio level
- save efer register correctly from guest
The '_currently_constructed' pointer caches the information about which
'Launched_child' is currently configured in the menu. When discarding
the runtime (e.g., when un-using a file system) at this point, this
cached pointer was not invalidated while all 'Launched_child' objects
would be freed (including the currently constructed one). On the next
attempt to construct a new child, the sculpt manager attempted to
destruct the 'Launched_child' referred by the (now outdated)
'_currently_constructed' again.
Fixes#3240
Until now, Genode referenced a fork of the outdated elfloader-tool
to enable bootstrapping of sel4 on ARM platforms. Because the
elfloader is inherently dependent on the used platforms newer
ARM versions supported by the kernel could not be loaded by the
outdated elfloader. This commit uses a fresh fork of the nowadays
used sel4_tools repository.
Ref #3251
This commit handles the corner case where a package could be installed
successfully but the package's runtime definition is inconsistent with
the content delivered by the package's dependencies, i.e., the <content>
of the runtime file lists ROM modules that do not exist.
With this patch, the '+' menu shows the message "installed but
incomplete" whenever a package is in such a state.
Issue #3241
The new configuration attributes <tcp-forward to_port="123" /> and
<udp-forward to_port="123" /> enable manipulating the destination port of
port-forwarded packets.
Fixes#3237
The required memory of the VMM depends on the VM memory configuration (vbox)
and the available screen resolution. Check for insane configurations in the
beginning to avoid late surprises.
Issue #3216
The "Vfs::Vfs_handle" type should not contain any public members that
can be initialized by the VFS internally and by the application, so
remove inheritance from the "Genode::list::Element" class. The VFS
plugins must instead use lists of "Vfs::Vfs_handle" sub-classes, the
lifetime of which are always managed by the plugin.
Ref #3036
Use a single timeout scheduler passed during lxip instantiation for
both timers and 'schedule_timeout' facilites rather than instantiate
two timer sessions and signal handlers. This reduces the library's
capability cost and initialization time.
Fix#2961
The old inline assembly provided two output operands that were afterwards
combined for a return value. However, the second output operand isn't
necessary when using the "Acquiring a Lock" example-code of the ARM manual
"Barrier Litmus Tests and Cookbook". This saves two logical operations
per acquisition try. Additionally better documentation is now provided.
Fixes#1292
This patch adds the items necessary for building Genode components with
stack protection enabled, but it is not initialized at runtime. They are
provided at the moment as a convenience and do not implement a security
feature.
Fix#3066
This is a safeguard against accidentally taking the 'Ack' interface as a
value instead of a reference.
The 'Payload' interface should also not be copied (and potentially
stored) because it contains a pointer.
It turns out that the commit "window layouter: allow floating apps to
resize" interplays badly with the interactive toggling of the maximize
state of windows. In contrast to the window geometry and stacking, which
is always updated through the rules-feedback mechanism, interactive
changes of the maximize state omitted this loop and instead took a local
shortcut. Because of this shortcut, the maximized geometry eventually
ended up as window size in the window's assign rule. So unmaximizing the
window failed to revert the geometry to its original state.
This patch removes this inconsistency. The maximize state adheres to the
official chain of commands through the rules mechanism now. The state is
now maintained internally without affecting the window's geometry and is
evaluated while generating the window layout only.
As a minor loosely related improvement, this patch prevents the
highlighting of resize handles for non-resizable windows.
Issue #3200
This patch reworks the 'Session_component::destroy' to cope become
robust against a client-provided invalid view handle. The code did not
consider that 'Handle_registry::has_handle' may throw.
Thanks to Alexander Boettcher for reporting and the initial fix.
Fixes#3232
This patch improves the transition from an interactive window geometry
change (dragging a window element) to the point where the resulting
new layout rules come into effect. During this short time, no resize
request must be issued because such a resize request would be based on
stale rules.
Fixes#3227
This is a follow-up commit to "Update <provides> info in pkg runtimes",
which adapts the users of the wm pkg to the changed label of the "focus"
nitpicker session.
If a component is being destroyed just before it calls `exit()` at its
parent, the `exit()` call causes an `Ipc_error` exception, which leads to
an `abort()` loop with repeated error messages, because `abort()` calls
`exit()` too. Catching the exception in `Expanding_parent_client::exit()`
avoids this problem.
Fixes#3228
bus or device should be different (not both) when comparing a device to
already present devices. Because of this the second USB device was
marked as existent when the bus matched or the bus did not but the
device number.
This patch gives applications the ability to control the size of their
window whenever the window is floating, not tiled or maximized. See the
comment in the code for the rationale.
Fixes#3200
The default rate of 100 ms keeps Sculpt too busy because the menu that
displays the percentage values is drawn completely on each update.
Limiting the rate to 1/4 seconds relieves the effect.
By clicking on a yellow checkbox in the depot selection dialog, the
corresponding index files are removed. This way, index files can
be update by removing and downloading them again.
This patch also filters out sculpt-managed components from the graph to
avoid erratic graph-position changes while the '+' menu is open.
Fixes#3193
Without this patch, a version change of an already exited child would not
trigger the restart of the child because the version is evaluated as
late as the child configuration, but only if the child has not exited
yet.
This patch evaluates the version at the earlier stage where the identity
of the child (its name) is checked against the new configuration.
Fixes#3226
The disk image contains an extended partition table now that would
have been parsed incorrectly in the past. While there remove the unused
gpt BLOB (test-part_block_gpt has its own raw archive).
Issue #3223.
The fs_tool component performs file operations according to its
configuration. This initial version implements only the operation
<remove-file> as needed for Sculpt CE.
Issue #3222
Issue #3193
This patch refines the criterion of when the networking is considered as
ready to use. Until now, any IP reported by the NIC router was taken as
an indicator for connectivity. But as the NIC router reports an IP
0.0.0.0/32 when no network cable is plugged at the uplink, the condition
was too loose.
* Introduces pending_signal syscall to check for new signals for the
calling thread without blocking
* Implements pending_signal in the base-library specific for hw to use the
new syscall
Fix#3217
This patch improves the error handling of depot-download manager for the
case where a download is requested but the corresponding software
provider information is absent from the depot. Without this patch, the
update mechanism would get stuck in the failed depot-query step and
won't attempt to perform subsequent download jobs.
Fixes#3224
The storage dialog is folded when activating the runtime view (e.g., by
clicking on the Genode Logo). This should happen immediately as response
of the mouse click.
This patch improves the separation of the update and layout phases to
avoid superfluous geometry animations of its child widgets. Prior this
patch, 'Widget::geometry' was called in both phases, potentially
triggering geometry animations with intermediate values at the update
phase.
Related to issue #3221
The button widget already supported an animated transition between
hovered and unhovered states. This patch generalizes the mechanism to
allow animated transitions between arbitrary button states, including
style changes.
This way, the fade-out of non-TCB components in Sculpt CE happens not
abruptly but smooth.
Fixes#3221
This patch makes the application of color/alpha from the icon's texture
to the target surface customizable by replacing the formerly built-in
'_transfer_pixel' function by calls to the new 'Pixel_rgba::transfer'
interface.
Issue #3221
The new 'transfer' function interface defines how pixel/alpha values
sampled from texture are applied to a destination pixel, similar to the
role of a fragment shader in GPU-based rendering. The transfer function
can be customized by defining custom pixel types, which may be (but
don't need to be) derived from 'Pixel_rgba'.
Issue #3221
The default 'Rect' constructor constructs an invalid rectangle where the
p1 coordinates are lower than the p2 coordinates. In particular, p1 is
set to (1, 1). The 'Widget' implementation uses the points individually
as input into the 'Animated_rect' mechanism. This way, widgets end up
being positioned at (1, 1) initially and are moved to (0, 0) once the
first layout update is applied. By explicitly initializing the
'_geometry' to (0x0+0+0), we avoid this initial artifact.
When entering/leaving sub menus of Sculpt's '+' menu, some parts of the
menu sometimes remain unchanged, in particular the back button.
Originally, a click would reset the hovering on clicks in the
expectation that any click would eventually result in a completely new
situation where the old hovering information does not make sense and
would only (potentially) confuse the menu. But this was apparently
overzealous. With the patch a once hovered back button stays hovered
even when actitivated and the back button of the upper-level menu
happens to stay under the current pointer position.
Issue #3209
This patch improves the hover handling in situations where the dialog
changes under the pointer. Previously, hover changes were reported
as response to user input only, which failed to cover this case. This
became a problem with Sculpt CE's '+' menu, which changes on the fly
when entering/leaving sub menus.
The patch also cleanly separates the hover handling from the focus
handling. Originally, the hovering was reset when the menu view got
unfocused. In situations like Sculpt's '+' menu where the menu view
receives a transient focus only while clicked and gets unfocused on the
button-release event (aka clack), each clack would invalidate the hover
information until a new input event comes in.
Finally, the patch introduces the clear distinction between situations
where the entire dialog is hovered or not. Previously, this state was
somehow implicitly kept by issuing an invalid hover report whenever a
leave event was observed.
Issue #3209
When a window is moved, the virtual pointer position must be updated,
taking the changed input coordinate into account. This patch propagates
such changes via absolute motion events to the client.
Without this patch, Sculpt CE's '+' menu wouldn't update the hovered
item correctly when entering/leaving sub menus (which happen to trigger
the repositioning of the menu on screen).
Issue #3209
The site download.qt.io seems to apply some mirror-via-HTTP-redirect
scheme which, unfortunately, seems broken (and therefore annoyingly
slow) for non-SSL-secured URLs.
* Introduce 64-bit tick counter
* Let the timer always count when possible, also if it already fired
* Simplify the kernel syscall API to have one current time call,
which returns the elapsed microseconds since boot
When specifying the attribute 'dep_visible="false"' for a primary
dependency or the attribute 'visible="false"' for a secondary
dependency, the dependency is used for the layout calculation but not
displayed in the graph.
- Omit showing routes to uninteresting ROMs obtained from the parent,
i.e., the binaries requested by the sculpt-managed subsystems.
- Change the routes for the inspect subsystem such that the inspect-noux
instance is anchored at the config node (critical!) and the nit_fb
instance anchored at the used GUI.
The "schedule_post_signal_hook" method of the Genode::Entrypoint class
is problematic because the signal hook can be scheduled and replaced
multiple times during the signal dispatch cycle. Add an alternative to
this method with "register_io_progress_handler" and the "Post_signal_
hook" class with "Io_progress_handler". The difference being an
"Io_progress_handler" may be registered once during the lifetime of an
entrypoint to prevent arbitrary libraries from replacing a pending hook.
The "register_io_progress_handler" remains as a deprecated API, and is
now invoked for every I/O signal received and only for I/O signals
rather than for any signal.
Ref #3132
This patch excludes the current "Construction" from the list of
"present" components in the runtime. Without the patch, a missing "wm"
would go unmissing once when the routing dialog of a new wm instance
appears. Now an already present window layouter that had a broken route
would prematurely re-appear in the config, which should not happen
because the new wm does not exist yet.
When buiding the sculpt image, the sculpt.run script used to integrate
the current version of the index of the 'depot_user' into the boot
image. At runtime, when the Sculpt partition is selected for "use" this
index - along with the 'pubkey' and 'download' files of the known
depot users - is written to the Sculpt partition.
This has the undesirable effect that a later version of the index
(published some time after the sculpt image was created) would always be
overwritten by the outdated index shipped with the boot image.
The built-in default index was actually a stop-gap solution needed
during the development of Sculpt CE, introduced when the downloading of
index files was not yet supported. Now, with the working download
mechanism, it is no longer needed. Hence, this patch removes the default
index from the sculpt image.
This commit removes most of the default launchers, which are now
superseded by the interactive component addition feature of the '+'
menu.
We keep the chroot components because we cannot easily create chroot
instances interactively yet.
The usb_devices_rom is still needed because its configuration is meant
to be edited at runtime.
It also adds a 'themed_wm' launcher to make the initial sculpt
experience easier. For knowledgeable users, the index contains all
ingredients needed to build a multi-component window manager manually.
This commit turns the '+' menu into a tool for the following tasks:
- Selecting and downloading of depot index files
- Browsing of the hierarchical depot index files
- Installation of packages found in the index files
- Interactive routing configuration of a selected package
- Deployment of configured component
Sculpt used to restrict the size of leitzentrale windows to the screen
area that is not obstructed by the menu and log. This is useful for the
runtime view and the inspect window. However, the menu should be allowed
to use the entire screen because it overlays the other content.
Before this patch, the menu wouldn't be displayed completely on small
resolutions (e.g., 1024x768 when using the VESA driver) because the log
at the bottom of the screen imposed the size constraint on the menu.
With the patch, the menu is able to overlay the log window.
This patch enhances the runtime view such that not only immediate
dependencies but also all transitive dependencies of the selected
component are displayed. This way, the graph nicely reveals the
trusted computing base of the selection.
Instead of parsing the runtime's configuration each time when generating
the graph dialog (e.g., when changing the hover state), extract the
relevant information only on configuration changes.
The runtime view, launcher query, and depot query increase the
complexity of the graph without providing a tangible value to the user.
This patch omits those components from the runtime view to make the
graph less confusing.
Append "..." to button labels whenever the button does not perform an
immediate action but merely toggles user-interface elements. This
tells the user that the button can be pressed without risk.
With this commit, the 'installation' input of the depot-download
subsystem accepts <index> nodes in addition to <archive> nodes. Each
index node refers to one index file specified via the 'path' attribute.
This commit also improves the tracking of failure states. Once an
installation job failed (due to a download of verification error),
it won't get re-scheduled. In the past, such failure states were not kept
across subsequent import iterations, which could result in infinite
re-attempts when an installation contained archives from multiple users.
The the progress of the download process is now reflected by the
"progress" attribute on the download manager's state report, which
allows the final report to contain the list of installed/failed archives
along with the overall progress/completed state. The detection of the
latter is important for the sculpt manager for reattempting the
deployment of the completed packages.
The patch enhances the depot_download.run script to stress the new
abilities. In particular, the scenario downloads a mix of index files
(one present, one missing) and archives, from two different depot users
(genodelabs and nfeske).
Issue #3172
The input for the pkg index is located at gems/run/sculpt/index.
The sculpt.run script uses this input for generating the depot index
file at depot/<user>/index/<version>.
The tool/depot/publish tool support arguments of the form
<user>/index/<version> where <version> corresponds to the Sculpt
version.
Issue #3172
This prevents the situation where the user has booted the system, has
not yet selected a storage target to "use" for Sculpt, yet clicks on the
'+' menu. Such clicks show no immediate response because Sculpt cannot
know where to deploy the selected package. But since the user is not
guided towards resolving this prerequisite, it's better to not present
the menu in the first place. The '+' appears as soon as a storage target
is selected for "use".
This error message may occur during the startup of a multi-component
application when the very first dialog is generated just after the menu
view is ready. It is not an error.
This commit adds the following styles:
button/enter - for entering a sub menu
button/back - for returning from a sub menu
button/radio - for picking one item of a list
button/checkbox - for making a selection
frame/transient - for temporary GUI elements
This message is diagnostic, but also occurs in legitimate situations
such as the wm in Sculpt's Leitzentrale where the focus is managed
completely outside the wm.