Commit Graph

193 Commits

Author SHA1 Message Date
Emery Hemingway
1fce8d0d74 default ahci_drv and part_blk Block sessions to read-only
Add a "writeable" policy option to the ahci_drv and part_blk Block
servers and default from writeable to ready-only. Should a policy
permit write acesss the session request argument "writeable" may still
downgrade a session to ready-only.

Fix #2469
2017-08-28 16:49:51 +02:00
Martin Stein
ffaf99ae86 timeout test: remove error-limit exception for PIT
The problems with the PIT timer drivers were fixed so it is not necessary
anymore to treat them special.

Ref #2400
2017-08-28 16:49:49 +02:00
Alexander Boettcher
7a006ccf50 uefi: adjust framebuffer.run to use fb_boot_drv
Issue #2242
2017-08-28 16:49:47 +02:00
Martin Stein
9476f3f645 run/init: test abandoned any-child routes
Currently, init does not test wether a service is abandoned on a new
configuration if the service was routed via an any-child route. Trigger
this behaviour in the init test.

Ref #2483
2017-08-28 16:49:35 +02:00
Alexander Boettcher
4020766105 sel4: adapt timeouts of run scripts
Issue #2451
2017-08-18 10:24:47 +02:00
Alexander Boettcher
da5441292a sel4: add Wandboard Quad (iMX6) support
Issue #2451
2017-08-17 11:04:21 +02:00
Alexander Boettcher
66c0c7b6f1 sel4: add x86_64 support
Issue #2451
2017-08-17 11:04:20 +02:00
Alexander Boettcher
95329c82e2 sel4: update to 5.2.0
Issue #2451
2017-08-17 11:04:19 +02:00
Norman Feske
7d12d7a78f fs_report.run: replace test with dedicated program
The new version of the test exercises the combination of fs_report with
ram_fs and fs_rom as a more flexible alternative to report_rom.

It covers two corner cases that remained unaddressed by fs_rom and
ram_fs so far: First, the late installation of a ROM-update signal
handler at fs_rom right before the content of the file is modified.
Second, the case where the requested file is not present on the file
system at the creation time of the ROM session. Here, the ram_fs missed
to inform listeners for the compound directory about the later created
file.
2017-08-17 10:59:43 +02:00
Norman Feske
a9da97bc4a init.run: lower timing sensitivity
Instead of relying on init's delayed reporting, we explicitly force init
to produce a new report with the up-to-date child-RAM information.
2017-06-29 12:00:03 +02:00
Martin Stein
67fc1ec42b timeout test: prioritize timer driver over test
Ref #2400
2017-06-29 12:00:00 +02:00
Martin Stein
61f59818d3 pit/fiasco timeout: raise time error tolerance
On platforms that use the PIT timer driver, 'elapsed_ms' is pretty
inprecise/unsteady (up to 3 ms deviation) for a reason that is not
clearly determined yet. On Fiasco and Fiasco.OC, that use kernel timing,
it is the same. So, on these platforms, our locally interpolated time
seems to be fine but the reference time is bad. Until this is fixed, we
raise the error tolerance for these platforms in the run script.

Ref #2400
2017-06-29 11:59:59 +02:00
Emery Hemingway
73eb7a52a0 server/fs_report: do not append '.report to file names
Appending a suffix to report filenames was behavior inherited from
fs_log, it prevents creating files where directories need to be created
later. But unlike logs, only a subset of the hierarchy will report and
those that do append a component-local label, so the risk of collision
is low.

By removing the suffix fs_rom can serve reports back as ROM just as
report_rom does.

Ref #2422
2017-06-29 11:59:56 +02:00
Christian Prochaska
04f82721b1 fs_rom_update.run: add capability quota
Fixes #2453
2017-06-29 11:59:54 +02:00
Norman Feske
c7b739cc61 bomb.run: define resource preservation for init
This patch increases init's preserved RAM and capability quota to
account for a current limitation of init with respect to the creation of
sessions to parent services:

In contrast to regular routed services, sessions to parent services are
created via 'Env::session'. The implementation of 'Env::session'
automatically upgrades session quotas on demand, which is the desired
behavior for regular 'Connection' objects. However, for sessions
established on the behalf of init's children, we would need to reflect
the error condition to the child instead of resolving it locally within
init (by subsidizing the session with init's quota). This patch leaves
this issue unresolved but fixes the symptom for the bomb test. It is
meant as an interim solution until the handling of parent sessions is
revised.
2017-06-29 11:59:53 +02:00
Martin Stein
5fec4a2166 timeout test: raise error tolerance on nova + qemu
On QEMU, NOVA uses the pretty unstable TSC emulation as primary time
source. Thus, timeouts do not trigger with the common precision (< 50
ms). Use an error tolerance of 200 ms for this platform constellation.

Ref #2400
2017-06-29 11:59:49 +02:00
Christian Helmuth
ba9ef7fdee foc: use slab for meta-data in RPC cap factory 2017-06-19 12:35:56 +02:00
Emery Hemingway
47c616ab94 server/fs_report: write reports to file-systems
Fix #2422
2017-06-19 12:35:54 +02:00
Martin Stein
23337eb6e7 run/timeout: run also on arm w/o hw and qemu
On platforms were we do not have local time interpolation we can simply
skip the first test stage in the timeout test. This way, we can at least
test the rest.

Fixes #2435
2017-05-31 17:50:28 +02:00
Christian Helmuth
8bd0efced6 Remove obsolete RAM/CAP services from run scripts
Adapted launchpad and also the rm_fault and resource_request tests.

Issue #2407
2017-05-31 13:16:22 +02:00
Emery Hemingway
16be05e530 Optional session label for Rtc connection constructor
Ref #2410
2017-05-31 13:16:22 +02:00
Christian Helmuth
b37f411c3f ahci: optionally report discovered devices
Issue #2417
2017-05-31 13:16:20 +02:00
Stefan Kalkowski
0fb672b493 run: use default Qemu memory size for x86
Fix #2428
2017-05-31 13:16:19 +02:00
Boris Mulder
d094ff995f part_blk: added optional partitions report 2017-05-31 13:16:16 +02:00
Norman Feske
0167d5af50 Integrate core's RAM service into the PD service
Fixes #2407
2017-05-31 13:16:14 +02:00
Martin Stein
c70fed29f7 os/timer: interpolate time via timestamps
Previously, the Genode::Timer::curr_time always used the
Timer_session::elapsed_ms RPC as back end.  Now, Genode::Timer reads
this remote time only in a periodic fashion independently from the calls
to Genode::Timer::curr_time. If now one calls Genode::Timer::curr_time,
the function takes the last read remote time value and adapts it using
the timestamp difference since the remote-time read. The conversion
factor from timestamps to time is estimated on every remote-time read
using the last read remote-time value and the timestamp difference since
the last remote time read.

This commit also re-works the timeout test. The test now has two stages.
In the first stage, it tests fast polling of the
Genode::Timer::curr_time. This stage checks the error between locally
interpolated and timer-driver time as well as wether the locally
interpolated time is monotone and sufficiently homogeneous. In the
second stage several periodic and one-shot timeouts are scheduled at
once. This stage checks if the timeouts trigger sufficiently precise.

This commit adds the new Kernel::time syscall to base-hw. The syscall is
solely used by the Genode::Timer on base-hw as substitute for the
timestamp. This is because on ARM, the timestamp function uses the ARM
performance counter that stops counting when the WFI (wait for
interrupt) instruction is active. This instruction, however is used by
the base-hw idle contexts that get active when no user thread needs to
be scheduled.  Thus, the ARM performance counter is not a good choice for
time interpolation and we use the kernel internal time instead.

With this commit, the timeout library becomes a basic library. That means
that it is linked against the LDSO which then provides it to the program it
serves. Furthermore, you can't use the timeout library anymore without the
LDSO because through the kernel-dependent LDSO make-files we can achieve a
kernel-dependent timeout implementation.

This commit introduces a structured Duration type that shall successively
replace the use of Microseconds, Milliseconds, and integer types for duration
values.

Open issues:

* The timeout test fails on Raspberry PI because of precision errors in the
  first stage. However, this does not render the framework unusable in general
  on the RPI but merely is an issue when speaking of microseconds precision.

* If we run on ARM with another Kernel than HW the timestamp speed may
  continuously vary from almost 0 up to CPU speed. The Timer, however,
  only uses interpolation if the timestamp speed remained stable (12.5%
  tolerance) for at least 3 observation periods. Currently, one period is
  100ms, so its 300ms. As long as this is not the case,
  Timer_session::elapsed_ms is called instead.

  Anyway, it might happen that the CPU load was stable for some time so
  interpolation becomes active and now the timestamp speed drops. In the
  worst case, we would now have 100ms of slowed down time. The bad thing
  about it would be, that this also affects the timeout of the period.
  Thus, it might "freeze" the local time for more than 100ms.

  On the other hand, if the timestamp speed suddenly raises after some
  stable time, interpolated time can get too fast. This would shorten the
  period but nonetheless may result in drifting away into the far future.
  Now we would have the problem that we can't deliver the real time
  anymore until it has caught up because the output of Timer::curr_time
  shall be monotone. So, effectively local time might "freeze" again for
  more than 100ms.

  It would be a solution to not use the Trace::timestamp on ARM w/o HW but
  a function whose return value causes the Timer to never use
  interpolation because of its stability policy.

Fixes #2400
2017-05-31 13:16:11 +02:00
Christian Helmuth
307dd5768c Test for part_blk with GPT
Issue #1576
2017-05-31 13:16:11 +02:00
Christian Helmuth
03a1008f2e Use parted in part_blk test
Fixes #1576
2017-05-31 13:16:10 +02:00
Stefan Kalkowski
10e2e223cd foc: remove obsolete features (ref #2405)
Removes the following Fiasco.OC specific features:
* GDB extensions for Fiasco.OC
* i.MX53 support for Fiasco.OC
* Kernel debugger terminal driver
* Obsolete interface Native_pd
* Obsolete function of interface Native_cpu
2017-05-31 13:16:08 +02:00
Norman Feske
4d442bca30 Streamline exception types
This patch reduces the number of exception types by facilitating
globally defined exceptions for common usage patterns shared by most
services. In particular, RPC functions that demand a session-resource
upgrade not longer reflect this condition via a session-specific
exception but via the 'Out_of_ram' or 'Out_of_caps' types.

Furthermore, the 'Parent::Service_denied', 'Parent::Unavailable',
'Root::Invalid_args', 'Root::Unavailable', 'Service::Invalid_args',
'Service::Unavailable', and 'Local_service::Factory::Denied' types have
been replaced by the single 'Service_denied' exception type defined in
'session/session.h'.

This consolidation eases the error handling (there are fewer exceptions
to handle), alleviates the need to convert exceptions along the
session-creation call chain, and avoids possible aliasing problems
(catching the wrong type with the same name but living in a different
scope).
2017-05-31 13:16:07 +02:00
Norman Feske
1f4f119b1e Capability quota accounting and trading
This patch mirrors the accounting and trading scheme that Genode employs
for physical memory to the accounting of capability allocations.

Capability quotas must now be explicitly assigned to subsystems by
specifying a 'caps=<amount>' attribute to init's start nodes.
Analogously to RAM quotas, cap quotas can be traded between clients and
servers as part of the session protocol. The capability budget of each
component is maintained by the component's corresponding PD session at
core.

At the current stage, the accounting is applied to RPC capabilities,
signal-context capabilities, and dataspace capabilities. Capabilities
that are dynamically allocated via core's CPU and TRACE service are not
yet covered. Also, the capabilities allocated by resource multiplexers
outside of core (like nitpicker) must be accounted by the respective
servers, which is not covered yet.

If a component runs out of capabilities, core's PD service prints a
warning to the log. To observe the consumption of capabilities per
component in detail, the PD service is equipped with a diagnostic
mode, which can be enabled via the 'diag' attribute in the target
node of init's routing rules. E.g., the following route enables the
diagnostic mode for the PD session of the "timer" component:

  <default-route>
    <service name="PD" unscoped_label="timer">
      <parent diag="yes"/>
    </service>
    ...
  </default-route>

For subsystems based on a sub-init instance, init can be configured
to report the capability-quota information of its subsystems by
adding the attribute 'child_caps="yes"' to init's '<report>'
config node. Init's own capability quota can be reported by adding
the attribute 'init_caps="yes"'.

Fixes #2398
2017-05-31 13:16:06 +02:00
Norman Feske
773e08976d Assign cap quotas in run scripts and recipes
Issue #2398
2017-05-31 13:16:06 +02:00
Emery Hemingway
24a9537a27 File_system: replace per-handle signals with notification packets
Replace registration and signaling of per-handle signal capabilities
with CONTENT_CHANGED notification packets.

Fix #2397
2017-05-31 13:16:01 +02:00
Christian Helmuth
1d99e7ede9 base: classify signals as I/O and application level
Fixes #2363
2017-05-31 13:15:58 +02:00
Christian Helmuth
7680d20686 Re-enable usb_block test 2017-05-31 13:15:54 +02:00
Norman Feske
8e7aa54493 base: drop session states of vanished clients
For asynchronously provided sessions, the parent has to maintain the
session state as long as the server hasn't explicitly responded to a
close request. For this reason, the lifetime of such session states is
bound to the server, not the client.

When the server responds to a close request, the session state gets
freed. The 'session_response' implementation does not immediately
destroy the session state but delegates the destruction to a client-side
callback, which thereby also notifies the client. However, the code did
not consider the case where the client has completely vanished at
session-response time. In this case, we need to drop the session state
immediately.

Fixes #2391
2017-05-31 13:15:52 +02:00
Alexander Boettcher
e3e41e5ca0 ahci: avoid deprecated warnings
Issue #1987
2017-05-02 15:29:03 +02:00
Norman Feske
60cda87b5c init.run: add missing build of report_rom 2017-05-02 15:29:02 +02:00
Christian Helmuth
707f66e9a5 ahci: remove disk image after test 2017-03-24 16:20:02 +01:00
Christian Helmuth
d3884c67ad sd_card: remove disk image after test 2017-03-24 16:20:01 +01:00
Christian Helmuth
9fb175e236 fb_bench: adjust RAM quota for large frame buffers 2017-03-24 16:20:00 +01:00
Norman Feske
8d68d3d8ac Adapt resource-request test to changes of init
The test used to rely on init's formerly built-in policy of answering
resource requests with slack memory, if available. Since init no longer
responds to resource requests in an autonomous way, we use a dynamically
configured sub-init instance as runtime for the test. This instance, in
turn, is monitored and controlled such that resource requests are
result in quota upgrades. The monitoring component is implemented in
the same test-resource_request program as the test. Both roles are
distinguished by the "role" config attribute.

This is a follow-up to "init: explicit response to resource requests".
2017-03-24 16:20:00 +01:00
Norman Feske
8ab8e65fb5 input_filter.run: avoid runtime resource request
This is a follow-up to "init: explicit response to resource requests".
2017-03-24 16:20:00 +01:00
Norman Feske
7813c3be8f init.run: tweak timings for Qemu 2017-03-24 16:19:58 +01:00
Norman Feske
1fde4d638c init: service forwarding
This patch equips init with the ability to act as a server that forwards
session requests to its children. Session requests can be routed
depending of the requested service type and the session label
originating from init's parent.

The feature is configured by one or multiple <service> nodes hosted in
init's <config> node. The routing policy is selected by via the regular
server-side policy-selection mechanism, for example:

<config>
  ...
  <service name="LOG">
    <policy label="noux">
      <child name="terminal_log" label="important"/>
    </policy>
    <default-policy> <child name="nitlog"/> </default-policy>
  </service>
  ...
</config>

Each policy node must have a <child> sub node, which denotes name of the
server with the 'name' attribute. The optional 'label' attribute defines
the session label presented to the server, analogous to how the
rewriting of session labels works in session routes. If not specified,
the client-provided label is presented to the server as is.

Fixes #2247
2017-03-24 16:19:57 +01:00
Norman Feske
1489791d5e init: explicit response to resource requests
This patch removes the formerly built-in policy of responding to
resource requests with handing out slack quota. Instead, resource
requests have to be answered by an update of the init configuration with
adjusted quota values.

Note that this patch may break run scripts that depend on init's
original policy. Those run scripts may be adjusted by increasing the
quota for the components that use to inflate their RAM usage during
runtime such that the specified quota suffices for the entire lifetime
of the component.
2017-03-24 16:19:57 +01:00
Norman Feske
06943f413d init: respond to RAM-quota changes in config
This patch improves init's dynamic reconfigurability with respect to
adjustments of the RAM quota assigned to the children.

If the RAM quota is decreased, init withdraws as much quota from the
child's RAM session as possible. If the child's RAM session does not
have enough available quota, a resource-yield request is issued to
the child. Cooparative children may respond to such a request by
releasing memory.

If the RAM quota is increased, the child's RAM session is upgraded.
If the configuration exceeds init's available RAM, init re-attempts
the upgrade whenever new slack memory becomes available (e.g., by
disappearing other children).
2017-03-24 16:19:57 +01:00
Norman Feske
9dca1503a8 init: apply changes of <provides> nodes
This patch enables init to apply changes of any server's <provides>
declarations in a differential way. Servers can in principle be extended
by new services without re-starting them. Of course, changes of the
<provides> declarations may affect clients or would-be clients as this
information is taken into account for the session routing.
2017-03-24 16:19:56 +01:00
Norman Feske
8d4fb288d9 init: add version attribute to start nodes
The optional 'version' attribute allows for the forced restart of a
child with an otherwise unmodified start node. The specified value is
also reflected in the state report.
2017-03-24 16:19:56 +01:00
Norman Feske
fcf25c22d1 init: respond to binary-name changes
This patch covers the resolution of the ROM route for child binaries
via the generic label-rewriting mechanics. Now, the <binary> node has
become merely sytactic sugar for a route like the following:

<start name="test"/>
  <route>
    <service name="ROM" unscoped_label="test">
      <parent label="test-binary-name"/> </service>
      ...
  </route>
  ...
</start>

A change of the binary name has an effect on the child's ROM route to
the binary and thereby implicitly triggers a child restart due to the
existing re-validation of the routing.
2017-03-24 16:19:55 +01:00