To enable the use of uncached DMA buffers as RX and TX communication
buffers in between driver (service) and client, introduce a cache
attribute in the constructor of Nic::Session_component
Ref #3291
This enforces the use of unsigned 64-bit values for time in the duration type,
the timeout framework, the timer session, the userland timer-drivers, and the
alarm framework on all platforms. The commit also adapts the code that uses
these tools accross all basic repositories (base, base-*, os. gems, libports,
ports, dde_*) to use unsigned 64-bit values for time as well as far as this
does not imply profound modifications.
Fixes#3208
- Added 'io_buffer' attribute, default is 4M
- Added 'batch' attribute, specifying the number of jobs used
in parallel, default is 1 (sequential)
- Removed 'synchronous' attribute (use batch of 1 instead)
- Added 'copy' attribute (default "yes")
- Print number of signals ("triggered")
Issue #3283
This patch equips the 'Block::Connection' with a framework API for the
implementation of robust block-session clients that perform block I/O in
an asynchronous fashion.
An application-defined 'JOB' type, inherited from 'Connection::Job',
encapsulates the application's context information associated with a
block operation.
The lifecycle of the jobs is implemented by the 'Connection' and driven
by the application's invokation of 'Connection::update_jobs'. The
'update_jobs' mechanism takes three hook functions as arguments, which
implement the applications-defined policy for producing and consuming
data, and for the completion of jobs.
Issue #3283
As a preparatory step for introducing the new block-client API, we have
to turn the 'Block::Connection' into a class template. The template
argument will be used to tie an application-defined job type to the
block connection.
Issue #3283
This patch adds support for manually triggering the wakeup of the packet
sink by the source. This way, a packet source becomes able to marshal
batches of submissions or unmarshal batches of acknowledgements before
yielding the control over to the sink.
Issue #3283
Track the dataspaces used by attach and add handling of flushing VM space
when dataspace gets destroyed (not triggered via the vm_session interface).
Issue #3111
This patch removes the blocking Block::Session::sync RPC function and
adds the asynchronous operations SYNC and TRIM to the block session's
packet-stream interface.
Even though the patch adjusts all block components to the interface
change, the components keep the former blocking handling of sync
internally for now because of the design of the 'Block::Driver'
interface. This old interface is not worth changing. We should instead
migrate the block servers step by step to the new
'Block::Request_stream' API.
Fixes#3274
The new request tag allows a block-session client to uniquely correlate
acknowledgements with outstanding requests. Until now, this was possible
for read and write operations by taking the value of the request's
packet-stream offset. However, SYNC and TRIM requests do not carry any
packet-stream payload and thereby lack meaningful offset values. By
introducing the notion of a 'tag', we can support multiple outstanding
requests of any type and don't need to overload the meaning of the
'offset' value.
Issue #3274
This patch splits the 'Request' definition into smaller types that are
suitable for the client-side API too.
The new 'Operation' type comprises the block operation's type (opcode)
and the operation's arguments (block number, block count).
The former 'Request::operation_defined' is now 'Operation::valid'.
The 'Request' aggregates an 'Operation', which changes its object
layout.
Note that this commit relaxes the bit-precise definition of 'Request' to
facilitate the use of 'unsigned long' where appropriate, in particular
for the request tag (which should correspond to an 'Id_space::Id'). The
originally bit-precise definition was pursued to allow the sharing of
the 'Request' type between SPARK and C++ code. However, it turns out
that defining a native type in each language and a (set of) converting
constructors is a more natural approach.
Issue #3283
When receiving a terminal signal, the uart device model has to
take all characters out of the stream. Otherwise, characters
might never arrive at the VM. This was not recognized before,
because it was used with a quite slow UART only, which obviously
never achieved to send more characters at once.
Ref #3278
A small terminal-client tool, which expects a specific line(-start),
and then sends a specified line to the other side. Optionally,
it prints all received lines to its LOG service.
Ref #3278
This patch renames 'wakeup_client' to 'wakeup_client_if_needed' to
clarify that the method triggers signals only when needed, not on every
call.
The name 'wakeup_client' is prone to misguide users to call the function
conditionally as an optimization, thereby complicating the code, but to
no effect.
Fixes#3279
This patch replaces the formerly fixed 2 KiB data alignment within the
packet-stream buffer by a server-defined alignment. This has two
benefits.
First, when using block servers that provide small block sizes like 512
bytes, we avoid fragmenting the packet-stream buffer, which occurs when
aligning 512-byte requests at 2 KiB boundaries. This reduces meta data
costs for the packet-stream allocator and also allows fitting more
requests into the buffer.
Second, block drivers with alignment constraints dictated by the
hardware can now pass those constraints to the client, thereby easing
the use of zero-copy DMA directly into the packet stream.
The alignment is determined by the Block::Session_client at construction
time and applied by the Block::Session_client::alloc_packet method.
Block-session clients should always use this method, not the 'alloc_packet'
method of the packet stream (tx source) directly. The latter merely
applies a default alignment of 2 KiB.
At the server side, the alignment is automatically checked by
block/component.h (old API) and block/request_stream.h (new API).
Issue #3274
This patch modernizes the 'Block::Session::info' interface. Instead of
using out parameters, the 'init' RPC function returns a compound 'Info'
object now. The rather complicated 'Operations' struct is replaced by
a 'writeable' attribute in the 'Info' object.
Fixes#3275
Disconnecting a client and connecting an other to the sd_card_drv
on imx6 results in a "Completion host signal timed out" error in
the newly connected client.
Fixes#3272
Replace the I/O response handler that is passed to the VFS at
construction with an object that is dynamically attached to handles.
This object shall also accept read-ready notifications, and plugins are
encouraged to keep handles awaiting ready-ready notifications separate
from handles that await I/O progress.
Replace the use of handle lists in plugins with handle queues, this
makes the code easier to understand and the ordering of notifications to
the application more explicit.
These changes replace the use of the Post_signal_hook from all VFS
plugins, applications must assume that read-ready and I/O notifications
occur during I/O signal dispatch and use an Io_progress_handler at its
entrypoints to defer response until after signal dispatching.
Fix#3257
Issue #3111
- enable vt-x in kernel configuration
Kernel patches:
- add unrestricted guest support
- avoid kernel boot failure when vt-x is not available
- avoid nullpointer in kernel when vcpu is not fully setup
- avoid vcpu scheduling bug which causes starvation on same/below prio level
- save efer register correctly from guest
The new configuration attributes <tcp-forward to_port="123" /> and
<udp-forward to_port="123" /> enable manipulating the destination port of
port-forwarded packets.
Fixes#3237
The "Vfs::Vfs_handle" type should not contain any public members that
can be initialized by the VFS internally and by the application, so
remove inheritance from the "Genode::list::Element" class. The VFS
plugins must instead use lists of "Vfs::Vfs_handle" sub-classes, the
lifetime of which are always managed by the plugin.
Ref #3036
This is a safeguard against accidentally taking the 'Ack' interface as a
value instead of a reference.
The 'Payload' interface should also not be copied (and potentially
stored) because it contains a pointer.
This patch reworks the 'Session_component::destroy' to cope become
robust against a client-provided invalid view handle. The code did not
consider that 'Handle_registry::has_handle' may throw.
Thanks to Alexander Boettcher for reporting and the initial fix.
Fixes#3232
Without this patch, a version change of an already exited child would not
trigger the restart of the child because the version is evaluated as
late as the child configuration, but only if the child has not exited
yet.
This patch evaluates the version at the earlier stage where the identity
of the child (its name) is checked against the new configuration.
Fixes#3226
The disk image contains an extended partition table now that would
have been parsed incorrectly in the past. While there remove the unused
gpt BLOB (test-part_block_gpt has its own raw archive).
Issue #3223.
The new 'transfer' function interface defines how pixel/alpha values
sampled from texture are applied to a destination pixel, similar to the
role of a fragment shader in GPU-based rendering. The transfer function
can be customized by defining custom pixel types, which may be (but
don't need to be) derived from 'Pixel_rgba'.
Issue #3221
The "schedule_post_signal_hook" method of the Genode::Entrypoint class
is problematic because the signal hook can be scheduled and replaced
multiple times during the signal dispatch cycle. Add an alternative to
this method with "register_io_progress_handler" and the "Post_signal_
hook" class with "Io_progress_handler". The difference being an
"Io_progress_handler" may be registered once during the lifetime of an
entrypoint to prevent arbitrary libraries from replacing a pending hook.
The "register_io_progress_handler" remains as a deprecated API, and is
now invoked for every I/O signal received and only for I/O signals
rather than for any signal.
Ref #3132
The zynq nic_drv also depends on hw, we therefore adapted the folder
structure for clarity. Also renamed the binary to 'zynq_nic_drv' to
prevent conflicts and to allow removing the cadence_gem spec.
Issue #3179
This commit removes APIs that were previously marked as deprecated. This
change has the following implications:
- The use of the global 'env()' accessor is not possible anymore.
- Boolean accessor methods are no longer prefixed with 'is_'. E.g.,
instead of 'is_valid()', use 'valid()'.
- The last traces of 'Ram_session' are gone now. The 'Env::ram()'
accessor returns the 'Ram_allocator' interface, which is a subset of
the 'Pd_session' interface.
- All connection constructors need the 'Env' as argument.
- The 'Reporter' constructor needs an 'Env' argument now because the
reporter creates a report connection.
- The old overload 'Child_policy::resolve_session_request' that returned
a 'Service' does not exist anymore.
- The base/printf.h header has been removed, use base/log.h instead.
- The old notion of 'Signal_dispatcher' is gone. Use 'Signal_handler'.
- Transitional headers like os/server.h, cap_session/,
volatile_object.h, os/attached*_dataspace.h, signal_rpc_dispatcher.h
have been removed.
- The distinction between 'Thread_state' and 'Thread_state_base' does
not exist anymore.
- The header cpu_thread/capability.h along with the type definition of
'Cpu_thread_capability' has been removed. Use the type
'Thread_capability' define in cpu_session/cpu_session.h instead.
- Several XML utilities (i.e., at os/include/decorator) could be removed
because their functionality is nowadays covered by util/xml_node.h.
- The 'os/ram_session_guard.h' has been removed.
Use 'Constrained_ram_allocator' provided by base/ram_allocator.h instead.
Issue #1987
Make the size of the packet buffer at the VFS File_system client
configurable. This allows larger reads to be completed in a single
packet cycle.
Example: <vfs> <fs buffer_size="512K"/> </vfs>
Fix#3167
1) A session request gets denied if there is no matching session policy.
(The <defaul-policy/> tag can be used for the former default behavior)
2) A session request gets denied if the MAC address is given through the
matching policy but this address cannot be allocated.
3) A session request gets denied if the MAC address is not given through the
matching policy and it is also not possible to allocate one.
Issue #3040
This patch enhances the packet-stream API with the principle ability to
side-step the built-in implicity data-flow signals and manage the
signals manually. This allows for a more efficient batching of packet
processing.
Issue #3092
The 'tx_cap' RPC function is only used at session-creation time. For
this reason, it was not listed in the "official" RPC interface in
'block_session.h'. However, this makes the interface more obscure than
it needs to be. So this patch promotes it to a regular RPC function.
Issue #3092
This patch adjusts the implementation of the base library and core such
that the code no longer relies on deprecated APIs except for very few
cases, mainly to keep those deprecated APIs in tact for now.
The most prominent changes are:
- Removing the use of base/printf.h
- Removing of the log backend for printf. The 'Console' with the
format-string parser is still there along with 'snprintf.h' because
the latter is still used at a few places, most prominently the
'Connection' classes.
- Removing the notion of a RAM session, which does not exist in
Genode anymore. Still the types were preserved (by typedefs to
PD session) to keep up compatibility. But this transition should
come to an end now.
- Slight rennovation of core's tracing service, e.g., the use of an
Attached_dataspace as the Argument_buffer.
- Reducing the reliance on global accessors like deprecated_env() or
core_env(). Still there is a longish way to go to eliminate all such
calls. A useful pattern (or at least a stop-gap solution) is to
pass the 'Env' to the individual compilation units via init functions.
- Avoiding the use of the old 'Child_policy::resolve_session_request'
interface that returned a 'Service' instead of a 'Route'.
Issue #1987
The notion of a RAM session does not exist anymore. Hence, we have to
adjust the name of 'init_env_ram_session'. Since this change modifies
the ABI, it comes as separate commit.
Issue #2407
Refactor the graphical terminal server to internally represent
characters as 16-bit codepoints and handle the duplex terminal stream as
UTF-8.
- Make the Codepoint class printable to the Output interface
- Decode data received at the Terminal session from UTF-8 to a 16-bit
character
- Pass 16-bit characters through terminal decoder and char-cell arrays
- Send Unicode through terminal session in a burst of UTF-8 bytes
Fix#3148
- support to create multiple vCPUs
- support to implement Vm_session methods client side within base library
- adjust muen specific virtualbox4 version to compile/link
Issue #3111
Move the allocation of the session packet buffer into a subclass that is
constructed before the File_system RPC object. This allows the buffer
allocation to be wrapped in a constructor/destructor class and clearly
accounted for.
Fix#3134
The situation where a 'Session_policy' is constructed for a label with
no matching policy is in almost all cases a configuration problem.
A diagnostic message eases pin-pointing such mistaks. By adding the
message to the 'Session_policy', servers don't need to manually handle
the exception to provide diagnostic information. This simplifies the
server code in many components.
The former 'Genode::Timed_semaphore' mechanism is moved to the private
part of the two remaining users, namely dde_rump and the libc. Note
there are now two private copies of 'timed_semaphore.h'. This should be
regarded as an interim step until the use of this mechanism is removed
from both users.
This patch also cleans up the mechanism from legacy Genode API calls and
global side effects (alarm-thread singleton). The test/timed_semaphore
is now located at the libports repository as it now tests a mechanism of
the libc. The former timed_semaphore library is no more.
Fixes#3121
Since the timer and timeout handling is part of the base library (the
dynamic linker), it belongs to the base repository.
Besides moving the timer and its related infrastructure (alarm, timeout
libs, tests) to the base repository, this patch also moves the timer
from the 'drivers' subdirectory directly to 'src' and disamibuates the
timer's build locations for the various kernels. Otherwise the different
timer implementations could interfere with each other when using one
build directory with multiple kernels.
Note that this patch changes the include paths for the former os/timer,
os/alarm.h, os/duration.h, and os/timed_semaphore.h to base/.
Issue #3101
This patch improves the window decorators in the following respects:
* Strict warnings are enabled now.
* The use of the 'List_model' makes the application of window-
layout changes more robust. This is particularly the case for
the restacking of windows.
* Display-mode changes are now supported by both decorators.
Issue #3094
Init's state reports are updated whenever an interesting part of init's
internal state changes (e.g., when sessions are established, or when
children are started/removed). However, until now, a change of a skipped
heartbeat counter was not taken as trigger for state-report updates.
In scenarios where no other intersting event happened, the last reported
state did no reflect the current heartbeat state. In particular, when
the last report was issued during the construction of a new child just
before the child became able to respond to heartbeat requests, the stale
report hinted at heartbeat problems that were just an initialization
artifact. This problem became visible on some Qemu platform where the
child startup takes a long time.
The patch tracks the observed skipped-heartbeat counter and triggers a
report whenever the counter value changes.
Issue #3079
By adding an additional synchronization point in the form of a matched
log message, this patch makes the timing behavior of the "test changing
provided services" step more deterministic. Without it, the scheduling
of OKL4 and base-hw resulted in a merge of two config updates into one.
Issue #3079
Packets whose data is stored within the Packet_descriptor itself
but not as payload, .e.g Usb::Packet_descriptor, are valid packets
after all. So loosen the packet valid check for zero-sized packets
is reasonable.
Fixes#3076.
Our overall nightly test time greatly decreases when the timeouts for
the single tests are not that over-pessimistic. Using the slowest
platforms as reference, this commit reduces the test timeouts.
Ref #3027
For reading the MAC address we try first to read it from the <policy> tag, and
when it is not defined in the <policy> tag, we allocate a MAC. But there was
no handling of the case that there is no appropriate <policy> tag. In this
case we want to create the session with an allocated MAC also.
This patch makes init robust against invalid routing rules that lack a
name attribute in the '<service>' node. This situation may occur when
interactively editing routes in Sculpt.
Some application code is dereferencing the pointer returned by
'packet_content' at packet streams without checking that it is valid.
Throw an exception rather than return a null pointer, except for
zero-length packets, which have somewhat implicit invalid content and
that we believe to be properly handled in all current cases.
The client-side of a packet stream cannot take corrective action if the
server-side is sending packets with invalid content, but the servers
that provide packet streams should catch this exception to detect
misbehaving clients.
Ref #3059
Change the root of a session request into an explicit path and apply the
label-to-path conversion using the "path_prefix" policy attribute. This
is in addition to only applying a root change with a "path" attribute.
Ref #3031Fix#3056
The bulk buffer is now 64Byte-aligned so that the allocated
packets get aligned likewise (assumed the packet allocator uses an
appropriately aligned block size). This ensures that each packet
starts at a new cache line on common platforms.
Issue #3053
This patch improves the detection of new appearing top-most windows.
Such a window should prompt the decorator to bring the corresponding
nitpicker view(s) to the front of the view stack. The original
implementation relied on hints provided by the layouter (the 'topped'
attribute). With the patch, the decorator tracks the top-most window by
itself, which improves the robustness.
As a second improvement, the patch defers the destruction of windows to
the point when all other window operations are completed. This hides
intermediate states when replacing one window by another in one step,
which is typical for console-like scenarios. Hence, this patch should
eliminate flickering artifacts when switching from one virtual console
to another.
Issue #3031
* Account all RAM/CAP quota of a session except quota for metadata used in
core. The latter is considered when asking if a session can afford to make
an operation but it does not get accounted to always be able to pay back all
quota when a session closes. The general accounting mechanism is moved from
atop of the allocators down to the level of RAM/RM session operations.
* report statistics about session objects and quota if <report stats="yes"
quota="yes"/> is configured. (default is yes if <report> is present)
Issue #2953
Like suggested by RFC 2663, reprogram the dissolve timeout of a TCP link
state to 2 times the maximum segment lifetime (by default 1 minute) when
receiving a matching packet with the FIN flag set, or with the ACK flag
set to acknowledge a FIN of the remote side.
Mark a link state as closed (no further reprogramming of the dissolve
timeout) and set the dissolve timeout to 2 times the maximum segment
lifetime when receiving a packet with the RESET flag set.
Issue #2953
If the NIC router has insufficient CAP or RAM quota for the creation of
a state object for an interface, it tries to destroy a certain amount of
existing state objects of this interface to free resources. Afterwards,
it retries handling the current packet once. If it does fail again, the
router drops the packet.
Issue #2953
Ensure that a '\0' always appears at the end of the ouput of the XML
generator. Previously, exceptions during the Node(...) constructor
might have prevented this. This commit also extends the xml_generator
test to drive a harder test on exceptions in the Xml_generator.
Issue #2953
When the functor provided to the Node constructor throws an exception,
do revert all changes in reverse order. Previously, the changes made
to the parent node were not considered by the exception handler which
caused unnecessary characters to remain in the out buffer for each
reverted node.
Issue #2953
The VFS server does not support file-system with one single-file plugin
providing the root. This is because the "leaf_path" is not universally
implemented to handle the path "/". This fix is simply to skip a
"leaf_path" check when opening the path "/".
Ref #2919
The PS/2 driver retries to get mouse-reset results for 700 ms, sleeping
after each attempt for 10 ms. So, the driver needs a Timer session now.
Fixes#2713
This patch addresses a situation where _process_packets was called as a
side effect of watch notification (that was processed during an unlink
RPC operation). This scenario (triggered by the fs_query test)
ultimately ended up in a deadlock. Io/watch reponse handlers should
never re-enter the application logic.
The new base/xsd/config.inc defines generic XSD types such as 'Boolean' or
'Session_label'. It can be included in config XSD files by using:
! <xs:include schemaLocation="file://${GENODE_CONFIG_INC}"/>
The string ${GENODE_CONFIG_INC} is replaced by the run tool with the
above mentionened file path.
Issue #2897
Seen on X250
Description from https://www.win.tue.nl/~aeb/linux/kbd/scancodes-1.html
The ten grey keys Insert, Home, PgUp, Delete, End, PgDn, Up, Left,
Down, Right are supposed to function regardless of the state of Shift
and NumLock keys. But for an old AT keyboard the keypad keys would
produce digits when Numlock was on or Shift was down. Therefore, in
order to fool old programs, fake scancodes are sent: when LShift is
down, and Insert is pressed, e0 aa e0 52 is sent; upon release of
Insert e0 d2 e0 2a is sent. In other words, a fake LShift-up and fake
LShift-down are inserted.
Fixes#2888
Add additional parsing modes to the sequence decoder to detect and
discard unhandled sequences for ECMA-48, DEC private, and Xterm.
Add new behavior for cursor movement, cursor hiding, character deletion,
and line-wrapping.
Fix#2923
When the cached_fs_rom saturates the packet stream of its File_system
session it will call the session request handler recursively as pending
transfers are completed. This is bad because the content of the XML node
currently being processed will change.
The session request handler can no longer be called directly, but the
"schedule" method will submit a signal to the request handler, and
requests will be processed after the current operation has completed.
Calling 'handle_io_response()' in a regular VFS function (in contrast to a
post-signal hook) can cause problems if the caller of the VFS function holds
a lock which prevents the io response handler from returning.
With this commit, the user of the VFS becomes responsible for unblocking
threads which might be blocking after a failed 'queue_read()', 'queue_sync()'
or 'write()' call.
Fixes#2896
This new vfs_import plugin allows a VFS instance to be populated during
construction using a sub-VFS configured in an '<import>' configuration
node. This allows the ram_fs File_system server to be replaced by the
VFS server by reimplementing the ram_fs 'content' feature. At the
moment the copying of symlinks is not enabled, and the resources
obtained by the import file-system may not be freed after the import is
finished.
Fix#2906
The ram plugin to the VFS must send notifications to watch handles on
files when they are removed. This brings the VFS server to parity with
the ram_fs server for the sake of notifications.
Move run/fs_report to gems and use the vfs server and the vfs init
plugin in the test.
Ref #2902
This patch removes the detection of statically linked executables from
the base framework. It thereby fixes the corner cases encountered with
Sculpt when obtaining the binaries of the runtime from the depot_rom
service that is hosted within the runtime.
Statically linked binaries and hybrid Linux/Genode (lx_hybrid) binaries
can still be started by relabeling the ROM-session route of "ld.lib.so"
to the binary name, pretending that the binary is the dynamic linker.
This can be achieved via init's label rewriting mechanism:
<route>
<service name="ROM" unscoped_label="ld.lib.so">
<parent label="test-platform"/> </service>
</route>
However, as this is quite cryptic and would need to be applied for all
lx_hybrid components, the patch adds a shortcut to init's configuration.
One can simply add the 'ld="no"' attribute to the <start> node of the
corresponding component:
<start name="test-platform" ld="no"/>
Fixes#2866
When mounting a ROM module with binary="no", the
vfs will detect the 0-termination to calculate the
file size instead of using the dataspace size.
Fixes#2903
Process I/O packets in batches. If a batch is processed and there are
still packets pending, send a signal locally to the packet handler and
return to the entrypoint signal dispatcher. This prevents clients from
starving each other, which happens when a client continuously submits
packets at a faster rate than the server can process.
Fix#2900
Test of File_system I/O scheduling. It appears that a client not
submitting I/O packets slower than the VFS server can process will
starve other clients.
Ref #2900
This component is contrasted with the fs_rom server that serves
independent dataspaces to each client. Using a cache was not possible
until the region map session supported the creation of read-only
attachments.
Test at run/read_only_rom.
Ref #1633Fix#2760
The verbosity mode of the NIC bridge can be toggled with the verbose attribute
(default value shown):
! <config verbose="no" />
If enabled, the NIC bridge logs sent and received packets as well as the
lifetime of interfaces connected to the bridge.
Issue #2899
The test triggers the following assertion in the kernel, which will
remain unfixed as the kernel is no longer developed:
Assertion queue_state.is_set(queue_state_t::send) failed in file
.../pistachio/kernel/src/api/v4/tcb.h, line 727
This assertion is presumably similar / related to issue #1495.
Quietly insert forward declaration of a Input::Binding class, and make
it a friend of Input::Event and Input::Session_client. This is to allow
non-C++ language bindings (Nim) to access private members by providing
their own implementation of the Binding class.
Fix#2889
The legacy PIT timer driver is too jittery for the character-repeat
test. This patch disables the test for platforms using this device as
user-level time source, which are at the moment OKL4, Pistachio, and
seL4.
Also remove 'requires_installation_of', while also checking sbin
directories in 'have_installed'. The run scripts have been adjusted
accordingly.
Fixes#2853
The 200-second timeout of the init test triggers on some test platform
(in particular on qemu) while it is overly pessimistic on others.
This patch aims at stabilizing the timing behavior of the test across
the tested kernels/machines.
This is a follow-up patch of "init: avoid too eager child restart". On
each config update of init, init re-applies child-specific configuration
changes. In the case of an already exited child, this re-evaluation
wrongly marked such a child as abandoned because the child's environment
sessions do no longer exist. Abandoning the child, in turn, triggers the
destruction and subseqent restart (because the <start> node of the
configuration still exists). The latter is bad for two reasons.
First, the exit state of the original instance becomes lost. Second, the
restart may have unexpected side effects due to sessions created by the
new instance. I.e., when resizing a partition in sculpt, init would
wrongly restart the gpt-write tool after the tool successfully exited.
This collides with a newly started instance of part_blk/resize2fs, which
now competes with the second gpt-write instance for the exclusive access
of the targeted block device.
The patch prevents init from re-applying configurations to exited
children. The accompanied test case covers the corner case.
Do not simply wait for the good ping test to finish, but for the other
flood tests to trigger the RAM exhaustion. This makes the test more
robust with slower platforms or a different timing.
Issue #2857
The log messages covered by verbose_packet_drop were previously
configured by the verbose attribute. This isn't the case anymore. Now,
you can configure them as follows:
! <config verbose_packet_drop="no" ... >
! <domain verbose_packet_drop="no" ... />
! <config/>
The new attribute determines whether to log each packet drop and the
rational behind it. The <config> value affects all domains without a
<domain> local value.
Issue #2857
The default value of each <domain> is the <config> value. However, if
a <domain> local value is set, the <config> value doesn't affect this
value at all.
Fixes#2874
The ICMP-Echo-server functionality of the router has the following
configuration attributes (default values shown):
! <config icmp_echo_server="yes">
! <domain icmp_echo_server="yes" ... />
! </config>
The icmp_echo_server attribute configures whether the router answers ICMP Echo
requests that address the router. The <config> value affects all domains
without a <domain> local value.
Issue #2874
When a domain is updated to a new component config, the two criteria for
keeping an ARP waiting state of a remote domain are whether the remote
domain still exists and whether its IP config is still the same. This
means that a domain must also dissolve all of its remote ARP waiting
states if its IP config changes (without an update of the component
config). This wasn't the case until now.
Issue #2840
The chroot server was conceived to automatically place File_system
sessions into segregated root directories by converting session labels
to paths. If multiple children needed to be grouped under the same path,
a 'merge' policy would truncate the session label before path conversion.
Now that init can rewrite session labels and thus reproduce truncation,
the chroot merge feature is redundant and can be removed.
Fix#2846
Removed the modified mark from handles that have been written to when
they are synced, otherwise a notification would be sent again when the
handle is closed.
Ref #2839
* Do not log events that are not critical (deadly) to the NIC router if not
configured to be verbose,
* Print almost all log lines with a prefix of the domain name they are
related to,
* And, do not use Genode::error and Genode::warning as they make it hard to
read the log with the domain name prefixes.
Fixes#2840
Introduce the uplink tag:
! <config>
! <uplink label="wifi" domain="uplink">
! <uplink label="wired" domain="wired_bridge">
! <uplink domain="wired_bridge">
! <config/>
For each uplink tag, the NIC router requests a NIC session with the
corresponding label or an empty label if there is no label attribute.
These NIC sessions get attached to the domain that is set in their
uplink tag as soon as the domain appears. This means their lifetime is
not bound to the domain. Uplink NIC sessions can be safely moved from
one domain to another without being closed by reconfiguring the
corresponding domain attribute.
Attention: This may render previously valid NIC router configurations
useless. A domain named "uplink" doesn't automatically request a NIC
session anymore. To fix these configurations, just add
! <uplink domain="uplink"/>
or
! <uplink label="[LABEL]" domain="uplink"/>
as direct subtag of the <config> tag.
Issue #2840
The term was used for the old configuration during the handling of a new
configuration but in other places it was already called old_config.
Issue #2840
Dissolve and destroy the invalid domain first before deinitializing all
domains for the next round. This way, the deinitialization is not done twice
for the invalid domain.
Issue #2840
Due to a bug in the deinitialization of the DHCP server of a domain (the
reference to the destroyed object was not cleared), the NIC router could
end up in a page fault caused by a double-free at the heap. This also fixes
the previously missing dissolving of the "DNS-server-from" relation to a
remote domain.
Issue #2840
Currently has three clients that continuously create new UDP/TCP/ICMP
connections through the NIC router with NAT to the outer world and they
get never closed. A fourth client does normal ping through the same
domain to the outer world that must succeed even after the RAM quota of
the other session at the router is exhausted. The test is restricted to
Qemu to not being at risk to flood real networks.
Issue #2857
This patch weakens the aggressive restart of a child with incomplete
environment sessions. The restart check is performed each time
the init configuration changes. In sculpt, this is not a rare special
case anymore but a frequent case when using the depot_rom as provider
for environment ROM sessions. In particular when starting a chain of
inter-depending children, the sculpt-manager quickly generates a
sequence of configurations with successively added start nodes.
The addition of the 'Cap_consumer' feature to app/dummy increased the
static RAM demand of the component to a point where 1 MiB no longer
suffices on sel4 (on this kernel, the base library uses a larger amount
of statically allocated data compared to the others). The tweaks enable
init.run and init_loop.run to work on sel4 on x86-64.
Selecting an alternate interface setting, even if it is the same as the
current one, apparently makes the INQUIRY command fail with USB devices
like 'SanDisk Ultra Fit' (0781:5583) and 'Corsair Flash Voyager'
(1b1c:1a03) when the USB block driver is restarted.
Fixes#2860
* Catch Quota_guard exceptions wherever we do 'new (_alloc)' in Interface
and in case drop the packet that caused the exception
* Modify Interface::handle_config_2 to not use the guarded allocator of the
NIC session quota as we cannot handle a RAM exhaustion well at this point
in time. Instead use a Constructible member in Interface so that a needed
RAM adds up to the calculation in the create_session implementation where
an exhaustion is handled via a service denial.
Issue #2857
The interface destructor called pure virtual methods at least when
cancelling ARP- waiting states. The implementations were made by the
deriving classes Session_component respectively Uplink. This led to an
abort of the NIC router as the destruction of the derived class was
already done. A similar problem already occured in the past during the
construction of Interface and was back then solved by introducing a
separate init() method. This commit, however, solved the problem by
making Interface a member of the other classes. Therefore, the init()
method could be removed again. Furthermore, the interface polica could be
moved from Session_component_base to Session_component. The commit also
had to generalize the way the link state of an interface is determined.
Fixes#2856
While a child is abandoned, we must limit the start of anothers with
the same name. Otherwise - of the child has startup problems - a number
of abandoned children with the same name may queue up. This becomes a
problem whenever the child destruction depends on an asynchronous
service that provides an env session for the children. If the service is
unable to keep up with the session requests (both create and close),
the queue of abandoned children becomes unbounded. Limiting the child
creation rate to one abandoned child per name mitigates this problem.
This patch reduces the latency of state reports when children are
removed or added, thereby, accellerating the feedback loop between a
management component and init during the staged startup or removal of
inter-dependent components.
This test monitors the RAM quota of a dynamic init and a server hosted
within the dynamic init in the presence of a repeatedly created and
destructed client.
Previously we were doing the initialization once over all domains,
remembered which of them became invalid and destroyed those afterwards.
This isn't sufficient. As soon as one domain becomes invalid we have to
dissolve/destroy this one, deinitialize all other domains again (as they
could contain references to the invalid domain) and retry to initialize
them from the beginning. We proceed with this until we have one run
without a domain becoming invalid. Then we can be sure that the last
initialization run did not create references to any invalid domain.
Issue #2840
The generic helper Avl_string_tree of the NIC router is currently only
used for finding domains via their names, but in the future it can be
used for finding uplinks by their labels also. Additionally, it enables
us to throw an exception when inserting two elements with the same
identifier.
Issue #2840
* Get rid of the base classes Rule and Leaf_rule,
* Make log output about initiated or invalid routing rules conform to the rest
of the router log, and
* Ensure that each type of routing rule when being invalid invalidates its
whole domain.
Issue #2840
On Linux, we have a tap device as NIC back end but there is no one to
ping to in the subnet of the tap device. On FOC, the tests seem to trigger
a bug in the destruction of components with parent.exit(X); .
Fixes#2848
The condition was too rigid. In the case where no motion occurred in
between the press and release events of the magic button, the delayed
press event would not be delivered. This - in turn - confused other
components (like nitpicker) down the input chain.
for such classes where it should be safe and where we have seen issues.
Disabling in general bus master DMA causes on some machines hard hangs, e.g.
because the USB handover protocol was violated.
Fixes#2835
In contrast to most information of init's state reports, which can be
monitored at a relatively low rate (like 2 seconds in Sculpt's runtime),
resource requests call for an immediate response by the consumer of the
report. Otherwise the requesting child stays unnecessarily blocked until
the next rate-limited state report is due. This patch adds a fast lane
for such low-latency state updates to init.
Do not send nor buffer packets at interfaces with link state "down". This
prevents that packets that were routed to one network (allowed to see them),
due to a sudden link down/up, are leaked to another network that is not
allowed to see them.
When updating an interface in the NIC router to a new configuration and
the domain name of the interface has not changed but the domain
disappeared, the NIC router did not detach from the old domain correctly
which led to broken remnants of interface state objects (like connection
states).
Adapt the nic_router_uplinks run script to work with the fix.
fs_report truncated the report file on construction of the report
session to mimic an "empty report". This prevented existing use cases
where the initial state was already written to the file system by other
means.
I doubt that use cases exist where the inital empty-report mimic is
needed and (if I'm wrong) there is still the race of the consumer
reading the file just before the report session is constructed.
Reporters that want to enforce an empty initial report should send it
explicitly.
Clients may wish to act on missing files. In any case the fs_rom
needs to reopen a watch handle when a file is deleted, and this
sort of change to the internal state machine is propelled by
client RPC requests.
Fix#2839
The new 'displays' report contains information about the used
framebuffer backend. It is issued when nitpicker has successfully passed
all initialization, in particular the connection to the framebuffer
driver. Hence, it can be taken as an indicator of whether the framebuffer
is available or not (e.g., caused by a faulty driver).