E.g., the script manually tried to configure lighttpd and used the old
porting directory structure that was integrated in the repos. For the
same reason it produced compile errors with noux packages.
Ref #2398
We do not have debug symbols in the bin/ binaries anymore. Thus, use the
debug/ binaries instead. We now have kernel specific binary names for
ld.lib.so and some others. Adapt, to this fact as well. For doing so
without unnecessary output, provide a new parameter "silent" at the
"kernel_specific_binary" procedure.
Ref #2398
A dataspace capability request to a ROM service may invalidate any
previously issued dataspace. Therefor no requests should be made while a
session dataspace is mapped. Reducing calls to the session also improves
performance where servicing a ROM request has a significant cost.
Fix#2418
There are programs, e.g. curl, that check if a connection was
established successfully by looking at SO_ERROR. Pretend that
the getsockopt() call was executed to keep them happy. If they
try to use a broken connection, the other socket functions will
bail.
This patch changes the noux build rules to produce a tar archive in
'bin/', alleviating the need for this step from the run scripts.
This way, the visible result of a built noux package is a single (tar)
file in '<build-dir>bin/', which is suited for the use as a ROM module.
The 'Stack_area_ram_session' is now a 'Stack_area_ram_allocator', which
simplifies the code and remove a dependency from the 'Ram_session'
interface, which we want to remove after all.
Issue #2407
By supplying a statically allocated initial block to the slab allocator
for signal contexts, we become able to construct a 'Signal_broker' (the
back end for the PD's signalling API) without any dynamic memory
allocation. This is a precondition for using the PD as meta-data
allocator for its contained signal broker (meta data allocations must
not happen before the PD construction is complete).
Issue #2407
If a child is allowed to constrain physical memory allocations but left
the 'phys_start' and 'phys_size' session arguments blank, init applies
builtin constraints for allocating DMA buffers.
The only component that makes use of the physical-memory constraint
feature is the platform driver. Since the built-in heuristics are
applied to the platform driver's environment RAM session, all
allocations performed by the platform driver satisfy the DMA
constraints.
To justify building-in these heuristics into init as opposed to
supplying the values as configuration arguments, the values differ
between 32 and 64 bit. The configuration approach would raise the need
to differentiate init configurations for both cases, which are
completely identical otherwise.
Issue #2407
This commit removes support for limitation of RAM allocations from the
platform_drv. A subsequent commit adds this feature to init.
Issue #2398
Issue #2407
By separating the session-interface concerns from the mechanics of the
dataspace creation, the code becomes simpler to follow, and the RAM
session can be more easily merged with the PD session in a subsequent
step.
Issue #2407
This patch allows core's 'Signal_transmitter' implementation to sidestep
the 'Env::Pd' interface and thereby adhere to a stricter layering within
core. The 'Signal_transmitter' now uses - on kernels that depend on it -
a dedicated (and fairly freestanding) RPC proxy mechanism for signal
deliver, instead of channeling signals through the 'Pd_session::submit'
RPC function.
With the capability-quota mechanism, the terminal-session won't always
be constructed completely on the first try (we may run out of caps in
the middle of the construction). Therefore, all members of the object
must be properly destructable. Furthermore, the patch replaces the
sliced heap by a heap to avoid allocating a new dataspace for each line
of the cell array.
Previously, the Genode::Timer::curr_time always used the
Timer_session::elapsed_ms RPC as back end. Now, Genode::Timer reads
this remote time only in a periodic fashion independently from the calls
to Genode::Timer::curr_time. If now one calls Genode::Timer::curr_time,
the function takes the last read remote time value and adapts it using
the timestamp difference since the remote-time read. The conversion
factor from timestamps to time is estimated on every remote-time read
using the last read remote-time value and the timestamp difference since
the last remote time read.
This commit also re-works the timeout test. The test now has two stages.
In the first stage, it tests fast polling of the
Genode::Timer::curr_time. This stage checks the error between locally
interpolated and timer-driver time as well as wether the locally
interpolated time is monotone and sufficiently homogeneous. In the
second stage several periodic and one-shot timeouts are scheduled at
once. This stage checks if the timeouts trigger sufficiently precise.
This commit adds the new Kernel::time syscall to base-hw. The syscall is
solely used by the Genode::Timer on base-hw as substitute for the
timestamp. This is because on ARM, the timestamp function uses the ARM
performance counter that stops counting when the WFI (wait for
interrupt) instruction is active. This instruction, however is used by
the base-hw idle contexts that get active when no user thread needs to
be scheduled. Thus, the ARM performance counter is not a good choice for
time interpolation and we use the kernel internal time instead.
With this commit, the timeout library becomes a basic library. That means
that it is linked against the LDSO which then provides it to the program it
serves. Furthermore, you can't use the timeout library anymore without the
LDSO because through the kernel-dependent LDSO make-files we can achieve a
kernel-dependent timeout implementation.
This commit introduces a structured Duration type that shall successively
replace the use of Microseconds, Milliseconds, and integer types for duration
values.
Open issues:
* The timeout test fails on Raspberry PI because of precision errors in the
first stage. However, this does not render the framework unusable in general
on the RPI but merely is an issue when speaking of microseconds precision.
* If we run on ARM with another Kernel than HW the timestamp speed may
continuously vary from almost 0 up to CPU speed. The Timer, however,
only uses interpolation if the timestamp speed remained stable (12.5%
tolerance) for at least 3 observation periods. Currently, one period is
100ms, so its 300ms. As long as this is not the case,
Timer_session::elapsed_ms is called instead.
Anyway, it might happen that the CPU load was stable for some time so
interpolation becomes active and now the timestamp speed drops. In the
worst case, we would now have 100ms of slowed down time. The bad thing
about it would be, that this also affects the timeout of the period.
Thus, it might "freeze" the local time for more than 100ms.
On the other hand, if the timestamp speed suddenly raises after some
stable time, interpolated time can get too fast. This would shorten the
period but nonetheless may result in drifting away into the far future.
Now we would have the problem that we can't deliver the real time
anymore until it has caught up because the output of Timer::curr_time
shall be monotone. So, effectively local time might "freeze" again for
more than 100ms.
It would be a solution to not use the Trace::timestamp on ARM w/o HW but
a function whose return value causes the Timer to never use
interpolation because of its stability policy.
Fixes#2400
This patch make sure that a once managed parent RPC object will always be
dissolved if an exception during the remaining child construction
occurs. The original version would miss the dissolve call if one of the
subsequent members throws an exception at construction time.
With this, we get rid of platform specific timer interfaces. The new
Timer class does the same as the old Clock class and has a generic
interface. The old Timer class was merely used by the old Clock class.
Also, we get rid of having only one timer instance which we tell with
each method call for which CPU it shall be done. Instead now each Cpu
object has its own Timer member that knows the CPU it works for.
Also, rename all "tics" to "ticks".
Fixes#2347
Removes the following Fiasco.OC specific features:
* GDB extensions for Fiasco.OC
* i.MX53 support for Fiasco.OC
* Kernel debugger terminal driver
* Obsolete interface Native_pd
* Obsolete function of interface Native_cpu
Previously we did write the SPSR via an MSR instruction without
additional flags. Unfortunately, this tells the CPU to write the
register only partially. This often isn't a problem as the users PSR
reset value normally is conform to our expectations but in some cases
(e.g. PSR endianess bit on WandBoard core #4) the reset value is bad.
Thus, we have to add the CXSF flags (access Control + eXtension + Status
+ Flags) so the CPU overwrites the entire register.
Fixes#2254
This patch eases the debugging of situations where a session-object
constructor wrongly throws an exception type not specified in the
'Local_service::Factory' interface.
This patch reduces the number of exception types by facilitating
globally defined exceptions for common usage patterns shared by most
services. In particular, RPC functions that demand a session-resource
upgrade not longer reflect this condition via a session-specific
exception but via the 'Out_of_ram' or 'Out_of_caps' types.
Furthermore, the 'Parent::Service_denied', 'Parent::Unavailable',
'Root::Invalid_args', 'Root::Unavailable', 'Service::Invalid_args',
'Service::Unavailable', and 'Local_service::Factory::Denied' types have
been replaced by the single 'Service_denied' exception type defined in
'session/session.h'.
This consolidation eases the error handling (there are fewer exceptions
to handle), alleviates the need to convert exceptions along the
session-creation call chain, and avoids possible aliasing problems
(catching the wrong type with the same name but living in a different
scope).
This patch mirrors the accounting and trading scheme that Genode employs
for physical memory to the accounting of capability allocations.
Capability quotas must now be explicitly assigned to subsystems by
specifying a 'caps=<amount>' attribute to init's start nodes.
Analogously to RAM quotas, cap quotas can be traded between clients and
servers as part of the session protocol. The capability budget of each
component is maintained by the component's corresponding PD session at
core.
At the current stage, the accounting is applied to RPC capabilities,
signal-context capabilities, and dataspace capabilities. Capabilities
that are dynamically allocated via core's CPU and TRACE service are not
yet covered. Also, the capabilities allocated by resource multiplexers
outside of core (like nitpicker) must be accounted by the respective
servers, which is not covered yet.
If a component runs out of capabilities, core's PD service prints a
warning to the log. To observe the consumption of capabilities per
component in detail, the PD service is equipped with a diagnostic
mode, which can be enabled via the 'diag' attribute in the target
node of init's routing rules. E.g., the following route enables the
diagnostic mode for the PD session of the "timer" component:
<default-route>
<service name="PD" unscoped_label="timer">
<parent diag="yes"/>
</service>
...
</default-route>
For subsystems based on a sub-init instance, init can be configured
to report the capability-quota information of its subsystems by
adding the attribute 'child_caps="yes"' to init's '<report>'
config node. Init's own capability quota can be reported by adding
the attribute 'init_caps="yes"'.
Fixes#2398
This patch reworks the implementation of core's RAM service to make use
of the 'Session_object' and to remove the distinction between the
"metadata" quota and the managed RAM quota. With the new implementation,
the session implicitly allocates its metadata from its own account. So
there is not need to handle 'Out_of_metadata' and 'Quota_exceeded' via
different exceptions. Instead, the new version solely uses the
'Out_of_ram' exception.
Furthermore, the 'Allocator::Out_of_memory' exception has become an alias
for 'Out_of_ram', which simplifies the error handling.
Issue #2398
The 'Session_object' unifies several aspects of server-component
implementations:
* It keeps track of session quotas and is equipped with standardized
interfaces (Quota_guard) to upgrade (and in the future potentially
downgrade) session quotas in a uniform way.
* It follows the pattern of modern RPC objects / signal handlers that
manage/dissolve themselves at the entrypoint given as constructor
argument. Thereby, the relationship with its entrypoint is always
coupled with the lifetime of the session-component object.
* It stores the session label, which was previously done manually by
most but not all server-component implementations.
* It stores the session 'diag' flag.
* It is equipped with output methods 'diag', 'error', and 'warning'.
All messages printed from the context of a session component is
automatically prefixed with the session type and client label.
Messages passed via 'diag' are only printed if the 'diag' flag of
the session is set.
Issue #2398
The 'diag' flag can be defined by a target node of a route in init's
configuration. It is propagated as session argument to the server, which
may evaluate the flag to enable diagnostic output for the corresponding
session.
Issue #2398
This patch makes use of the new 'Quota_transfer::Account' by the service
types in base/service.h and uses 'Quota_transfer' objects in
base/child.cc and init/server.cc.
Furthermore, it decouples the notion of an 'Async_service' from
'Child_service'. Init's 'Routed_service' is no longer a 'Child_service'
but is based on the new 'Async_service' instead.
With this patch in place, quota transfers do no longer implicitly use
'Ram_session_client' objects. So transfers can in principle originate
from component-local 'Ram_session_component' objects, e.g., as used by
noux. Therefore, this patch removes a strumbling block for turning noux
into a single threaded component in the future.
Issue #2398
The 'Quota_transfer' helper facilitated the implementation of quota
transfers between components in a transactional manner. It is designated
for framework-internal use (replacing the 'Transfer' class in child.h).
However, since it is also useful for init, we make it publicly
available.
The 'Quota_transfer::Account' class serves as an interface representing
the donor or receiver of quotas (parent, service, client).
Issue #2398
This patch replaces the 'Parent::Quota_exceeded',
'Service::Quota_exceeded', and 'Root::Quota_exceeded' exceptions
by the single 'Insufficient_ram_quota' exception type.
Furthermore, the 'Parent' interface distinguished now between
'Out_of_ram' (the child's RAM is exhausted) from
'Insufficient_ram_quota' (the child's RAM donation does not suffice to
establish the session).
This eliminates ambiguities and removes the need to convert exception
types along the path of the session creation.
Issue #2398
This patch adds sanity checks to the RPC entrypoint that detect attempts
to manage or dissolve the same RPC object twice. This is not always a
bug. I.e., if RPC objects are implemented in the modern way where the
object manages/dissolves itself. As the generic framework code (in
particular root/component.h) cannot rely on this pattern, it has to
call manage/dissolve for session objects anyway. For modern session
objects, this double attempt would result in a serious error (double
insertion into the object pool's AVL tree).
Issue #2398
This patch replaces the former use of size_t with the use of the
'Ram_quota' type to improve type safety (in particular to avoid
accidentally mixing up RAM quotas with cap quotas).
Issue #2398
The 'Ram_allocator' interface contains the subset of the RAM session
interface that is needed to satisfy the needs of the 'Heap' and
'Sliced_heap'. Its small size makes it ideal for intercepting memory
allocations as done by the new 'Constrained_ram_allocator' wrapper
class, which is meant to replace the existing 'base/allocator_guard.h'
and 'os/ram_session_guard.h'.
Issue #2398
This patch augments the existing session/session.h with useful types for
the session creation:
* The new 'Insufficient_ram_quota' and 'Insufficient_cap_quota'
exceptions are meant to supersede the old 'Quota_exceeded' exception
of the 'Parent' and 'Root' interfaces.
* The 'Session::Resources' struct subsumes the information about the
session quota provided by the client.
* The boolean 'Session::Diag' type will allow sessions to operate in a
diagnostic mode.
* The existing 'Session_label' is not also available under the alias
'Session::Label'.
* A few helper functions ease the extraction of typed session arguments
from the session-argument string.
Issue #2398
This patch upgrades the cap-space slab only if the kernel runs out of
entries, instead of consuming as much PD-session quota as possible.
Until now, the behavior worked well because the cap-space slab was the
only consumer of PD-session quota. However, once we start accounting all
PD session meta data - and eventually merging the PD and RAM services -
the aggressive scheme stands in the way.
Issue #2398
This accessor is useful to eagerly expand the slab with new slab blocks,
side stepping the slab's built-in policy for the allocation of new slab
blocks.
This is particularly important when using the slab for allocating the
cap space meta-data for the base-hw kernel. To guarantee that the slab
gets never exhausted in the kernel, it is expanded before entering the
kernel.
With the introduction of the 'Out_of_caps' exception type, the slab
needs to consider exceptions during the call of '_new_slab_block' by
reverting the 'nested' state.
The old download location is very shaky resp. currently unavailable and
also other projects (e.g., Gentoo and Linux From Scratch) use this
location. Note, the archive hash does _not_ change.
By building the posix library as shared object with an ABI, we
effectively decouple posix-using programs from the library
implementation (which happens to depend on several os-level APIs such as
the VFS).
This commit moves the headers residing in `repos/base/include/spec/*/drivers`
to `repos/base/include/drivers/defs` or repos/base/include/drivers/uart`
respectively. The first one contains definitions about board-specific MMIO
iand RAM addresses, or IRQ lines. While the latter contains device driver
code for UART devices. Those definitions are used by driver implementations
in `repos/base-hw`, `repos/os`, and `repos/dde-linux`, which now need to
include them more explicitely.
This work is a step in the direction of reducing 'SPEC' identifiers overall.
Ref #2403
causes the rem timer callback pending check to run more often (every 1 ms
instead 10 ms). This is essential to met the timeout requirements of the
audio backend, which must be checked&run every 5ms.
This patch adjusts the interactive scenarios of the gems repository to
use the depot. This has three immediate benefits. First, once the depot
is populated with binary archives, the start time of the scenarios
becomes very quick because most dependency checks and build steps are
side-stepped. Second, the run scripts become more versatile. In
particular, run scripts that were formerly supported on base-linux only
(nit_fader, decorator, menu_view) have become usable on all base
platforms that have a 'drivers_interactive' package defined. Finally,
the run scripts have become much shorter.
Issue #2339
In order to deliver base-hw as a binary archive, we need to install the
bootstap.o file to bin/. Since bin/ is a global name space shared by all
kernels, this patch renames the object file to bootstap-hw.o and thereby
clarifies the association of the file with base-hw.
This patch replaces the set-defaults command by a reset command, which
is needed to use the Lenovo x250 trackpoint. (original patch by
Christian Prochaska)
For asynchronously provided sessions, the parent has to maintain the
session state as long as the server hasn't explicitly responded to a
close request. For this reason, the lifetime of such session states is
bound to the server, not the client.
When the server responds to a close request, the session state gets
freed. The 'session_response' implementation does not immediately
destroy the session state but delegates the destruction to a client-side
callback, which thereby also notifies the client. However, the code did
not consider the case where the client has completely vanished at
session-response time. In this case, we need to drop the session state
immediately.
Fixes#2391
Originally, the spec files for less specific SPEC values were include
via the 'select_from_repositories' function. This implies that BASE_DIR
must always be present in the list of 'REPOSITORIES'. Otherwise the
spec files won't be found. By explicitly including sub specs from
'$(BASE_DIR)/mk', we lift this restriction.
This patch is required to build the OKL4 version of core from a source
archive. It avoids fetching source codes from BASE_DIR, and moves the
vpath wildcard for %.cc after all specific vpath definitins, in
particular those that are x86-specific. Without the latter change, core
would always end up using the generic version of 'platform_services.cc',
omitting the IO_PORT service from core.
The <build-dir>/bin/ directory used to contain symbolic links to the
unstripped build results. However, since the upcoming depot tool
extracts the content of binary archives from bin/, the resulting
archives would contain overly large unstripped binaries, which is
undesired. On the other hand, always stripping the build results is not
a good option either because we rely of symbol information during
debugging.
This patch changes the installation of build results such that a new
'debug/' directory is populated besides the existing 'bin/' directory.
The debug directory contains symbolic links to the unstripped build
results whereas the bin directory contains stripped binaries that are
palatable for packaging (depot tool) and for assembling boot images (run
tool).
By installing the core object to bin/, we follow the same convention as
for regular binaries. This, in turn, enables us to ship core in a
regular binary archive. The patch also adjusts the run tool to pick up
the core object from bin/ for the final linking stage.
When creating a source archive for the USB driver, both the contrib and
Genode-specific source codes are merged into a single directory
structure. In this case, the original way of determining the Linux
source code to scan for #include directives would apply the scanning to
Genode-specific source codes too. This patch tightens the search
criterion such that only Linux source codes are processed.
This macro is implicitly pulled in by libc-setjmp (via the libc's
cdefs.h). However, apparently not all sources include <setjmp.h>.
Unfortunately, for sources that do, this change produces a
double-definition warning. We should fix it by removing the dependency
from the libc's setjmp.
File_system servers shall deny clients not matching a defined policy.
Servers shall also apply session root offset policy followed by a client
offset.
Fix#2365
Init's service forwarding functionality did not take the service type
into account when forwarding a session request. If a server provides
multiple services, e.g. fb_sdl that provides both "Input" and
"Framebuffer", the type of the forwarded session request did not always
correspond to the actually requested type.
The size of the whole table and table entries were exchanged for PML4,
leading to out-of-bound accesses for addesses >= 2^39. Some constants
were lacking type suffixes causing integer overflows.
Added assertions to catch out-of-bound accesses early on.
Fixes#2210Fixes#2211
If we do the tics-to-us translation with one division and multiplication
over the whole argument, like before, we loose microseconds granularity
although the timer frequency allows for such granularity. Thus, we treat
the most significant half and the least significant half of the tics
value separate. Each half is shifted to the best bit position for the
translation, then translated, and then shifted back.
Ref #2347
The use of 'select_from_repositories' for locating the linker script for
dynamically-linked executables only works if 'BASE_DIR' appears in the
list of 'REPOSITORIES'. This is the case when using the build system in
the traditional way but it is not desired when building binary archives
of individual components.
This patch adjusts the run script in two ways:
It removes the reliance on init's formerly built-in resource-request
handling by increasing the RAM quota for the backdrop instances. Since
commit "init: explicit response to resource requests", init no longer
hands out slack memory automatically.
Second, it makes sure that the backdrop appears under the precise label
"backdrop" at nitpicker by facilitating init's label-rewriting feature.
Without explicitly setting the label to "backdrop", nitpicker observes
the label "backdrop -> backdrop" (the first part comes from init, the
second part comes from the nitpicker-session argument specified by
backdrop itself). However, the client is only considered as default
background if labeled as "backdrop" (see nitpicker's '_create_session')
implementation.
Issue #2352
The base class of Registered must provide a virtual destructor to enable
safe deletion with just a base class pointer. This requirement can be
lifted by using Registered_no_delete in places where the deletion
property is not needed.
Fixes#2331
Ldso now does not automatically execute static constructors of the
binary and shared libraries the binary depends on. If static
construction is required (e.g., if a shared library with constructor is
used or a compilation unit contains global statics) the component needs
to execute the constructors explicitly in Component::construct() via
Genode::Env::exec_static_constructors().
In the case of libc components this is done by the libc startup code
(i.e., the Component::construct() implementation in the libc).
The loading of shared objects at runtime is not affected by this change
and constructors of those objects are executed immediately.
Fixes#2332
With the current implementation resource requests are not automically
satisfied with slack quota by init. Therefore, this commit adapts RAM
quotas of autopilot scenarios to the actual demands.
An inline attribute mismatch in the gcc-4.9.2 source causes its
compilation to fail on modern gcc versions (verified with gcc 6.3.1,
but probably since gcc 5)
The patch is courtesy of the gcc-patches mailing list:
https://gcc.gnu.org/ml/gcc-patches/2015-08/msg00375.htmlFixes#2341
The test used to rely on init's formerly built-in policy of answering
resource requests with slack memory, if available. Since init no longer
responds to resource requests in an autonomous way, we use a dynamically
configured sub-init instance as runtime for the test. This instance, in
turn, is monitored and controlled such that resource requests are
result in quota upgrades. The monitoring component is implemented in
the same test-resource_request program as the test. Both roles are
distinguished by the "role" config attribute.
This is a follow-up to "init: explicit response to resource requests".
- use more upstream hm code
- add call to memory check as done in vbox4
- add in principle all vbox devices and drivers
- avoid null pointer during VM startup (patch reported to vbox-devel list)
- avoid endless loop in usb root hub
Issue #2338
This patch equips init with the ability to act as a server that forwards
session requests to its children. Session requests can be routed
depending of the requested service type and the session label
originating from init's parent.
The feature is configured by one or multiple <service> nodes hosted in
init's <config> node. The routing policy is selected by via the regular
server-side policy-selection mechanism, for example:
<config>
...
<service name="LOG">
<policy label="noux">
<child name="terminal_log" label="important"/>
</policy>
<default-policy> <child name="nitlog"/> </default-policy>
</service>
...
</config>
Each policy node must have a <child> sub node, which denotes name of the
server with the 'name' attribute. The optional 'label' attribute defines
the session label presented to the server, analogous to how the
rewriting of session labels works in session routes. If not specified,
the client-provided label is presented to the server as is.
Fixes#2247
This patch removes the formerly built-in policy of responding to
resource requests with handing out slack quota. Instead, resource
requests have to be answered by an update of the init configuration with
adjusted quota values.
Note that this patch may break run scripts that depend on init's
original policy. Those run scripts may be adjusted by increasing the
quota for the components that use to inflate their RAM usage during
runtime such that the specified quota suffices for the entire lifetime
of the component.
This patch destructs the environment sessions for the binary and the
dynamic linker along with the other environment sessions to avoid a
warning about reverting quota that occurs when attempting to close
these sessions too late.
This patch improves init's dynamic reconfigurability with respect to
adjustments of the RAM quota assigned to the children.
If the RAM quota is decreased, init withdraws as much quota from the
child's RAM session as possible. If the child's RAM session does not
have enough available quota, a resource-yield request is issued to
the child. Cooparative children may respond to such a request by
releasing memory.
If the RAM quota is increased, the child's RAM session is upgraded.
If the configuration exceeds init's available RAM, init re-attempts
the upgrade whenever new slack memory becomes available (e.g., by
disappearing other children).
Since init no longer provides public headers, we have to adjust the
existing users of this headers. The 'init/child_config.h' is used only
by GDB monitor. So the patch moves the header there as an interim fix.
The 'init/child_policy.h' is still used by a few components, so we have
to keep a trimmed-down version of it for now.
This patch enables init to apply changes of any server's <provides>
declarations in a differential way. Servers can in principle be extended
by new services without re-starting them. Of course, changes of the
<provides> declarations may affect clients or would-be clients as this
information is taken into account for the session routing.
This patch addresses the corner cases where an environment session
could not be routed, i.e., if an environment LOG log session is
routed to a non-existing child.
The optional 'version' attribute allows for the forced restart of a
child with an otherwise unmodified start node. The specified value is
also reflected in the state report.
This patch covers the resolution of the ROM route for child binaries
via the generic label-rewriting mechanics. Now, the <binary> node has
become merely sytactic sugar for a route like the following:
<start name="test"/>
<route>
<service name="ROM" unscoped_label="test">
<parent label="test-binary-name"/> </service>
...
</route>
...
</start>
A change of the binary name has an effect on the child's ROM route to
the binary and thereby implicitly triggers a child restart due to the
existing re-validation of the routing.
This patch extends the constructor of 'Local_connection' with an
optional 'label' argument, which was previously passed implicitly as
part of the 'args' argument. Keeping the label separate from 'args'
enables us to distinguish the client-specified label from a label that
resulted from a server-side label as it is used when rewriting a label
of an environment session (i.e., the binary name) in init's routing
policy. In principle, this patch eliminates the need for init's
explicite handling of the binary name via the '<binary>' node, or
at least allows us to simplity the binary-node handling.
With this check in place, one can safely construct an 'Xml_generator'
even if the report is disabled. This relieves the user of the reporter
from the need to distinguish enabled from disabled reports.
The initial ROMs (program and linker) are already attached to the region
map of a forked process and don't need to be obtained again from an
external ROM service when the 'Child' class asks for them. For the program
image, the local Noux ROM service already returned an invalid dataspace
capability, but not for the linker.
Instead of adding another 'magic' ROM name for the local ROM service,
this commit implements an 'empty' ROM service, which returns an
invalid dataspace for the initial ROMs.
Fixes#2272
The race may happen when element objects get destructed by another thread then
the thread handling the for_each loop. In this case it may happen that the
object is already destructed (left the ~Element destructor) but the thread
handling the loop touches the invalid memory afterwards (the Element lock).
detected during issue #2299Fixes#2320
Under certain timing conditions, the test would end up flushing the
input from the input filter in a nested way, which ultimately resulted
in lost input events of the outer nesting level. This patch eliminates
this corner case and thereby stabilizes the key-repeat test.
Transfer quota to the session local RAM session to react to the
Quota_exceeded exception properly.
The platform driver keeps a session local RAM session for each of its
clients that is used to allocate DMA memory. A client needs to transfer
some of its quota to the platform driver, which in return transfers this
quota to the session local RAM session. As it happens allocating memory
from a RAM session involves book keeping and in this case, where the
available quota in the session did not suffice and the request was only
a few KiB, the platform driver handled the exception wrongly and did not
transfer the quota.
This problem did not surface up to now because all drivers allocate DMA
memory in larger chunks and the book keeping overhead was of no
consequence as the initial quota transfer probably covered the overhead.
Fixes#2316.
Due to rounding in the timeout calculation it may happen that the timeout
stored in ms becomes 0, but actually some time (us or ns) are left to wait.
With threads on various priorities (vbox) this may end up in endless loops.
Fixes#2311
The file space demand for the object files when compiling core has grown.
Therefore, the ram_fs component runs out of memory and requests additional
memory from init. On OKL4, where the physical memory is limited by the
elfweaver bootstrap tool, there is no more slack memory after the donation
of 1G to noux.
* Increase test-thread count to trigger quota exceeding on all platforms
* Synchronize test-thread destruction, otherwise an half-destructed thread
object can lead to an error message of the thread to be destructed,
which causes a deadlock, when the destructed thread still holds the log lock
* Limit SMP settings for QEMU to x86 (Ref #2307)
The signal_1/2/3 objects (which are threads) are in destruction, but still
signals are send to them. When the signal arrive and the memory for the
signal_1/2/3 object is already invalid we operate on stale memory and all
the locking infrastructure of the Thread don't work anymore.
Be more robust, explicitly wait for the termination of the thread.
Issue #2284
Otherwise it may happend that the Guest tries to set the last stored
resolution from another run, which maybe is too large.
Up to now, everthing is fine, beside the fact that output changes are not
visible - which is odd and one things the VM came not up.
Issue #2306
that happened during early bootup.
The signal about input events may arrive before keyboard and mouse is set
(due wait_and_dispatch_one_signal called from a started pthread and ep still
not done with the initialisation)
Issue #2306
Previously we had configured the timer for the Panda ES with 700 MHz
CPU clock. But the Panda A6 that we use as reference now runs with
800 MHz.
Fixes#2308
Previously, on X86, the timer driver used the PIT with a maximum timeout
of 54 ms. Thus, the driver frequently interrupted the counters with
highest priority to update the timer. This is why we needed a higher
error tolerance as for ARM where the driver, once configured, can sleep
for the whole test timeout. Now, we use the kernel timer and the problem
seems to be exits no longer.
Ref #2304
Previously we pre-calculated the translation errors for the session
quota to make a discret check in the test. But since the order, in which
init childs get their CPU quota isn't always the same anymore (we should
have never made assumptions about that) the translation errors differ
from trial to trial. However, the errors are below 0.01% of the super
period. We now tolerate them in the run script.
Ref #2304
By separating the plain MMIO access implementation from the generic bit
and offset logic of registers, we can now use the latter also with other
types of register access like I2C. The register and MMIO front-ends have
not changed due to the separation.
Ref #2196
* Acknowledge receive of page-fault signal with ack_signal,
but restart thread execution separately
* use kill_signal_context when disolving a pager_object to prevent race
* Remove bureaucracy in form of Thread_event and Signal_ack_handler
* remove dead code in riscv, namely Thread_base definition
* translation_table_insertions function for ARM drops out,
which was overcautious
The MIN_PSK_LENGTH constant was not adjusted to accommodate for the
semcantic change when switching from using the raw char array to using
the Genode::String class. The Genode::String::length() method includes
the terminating NUL byte while strlen() does not.
Fixes#2296.
With the commit "init: session-label rewriting", the stack usage
increased due to the handling of session-label strings as local
variables. The stack overrun occurred in the vmm scenario on
base-hw.
There was a race when the component entrypoint wanted to do
'wait_and_dispatch_one_signal'. In this function it raises a flag for
the signal proxy thread to notice that the entrypoint also wants to
block for signals. When the flag is set and the signal proxy wakes up
with a new signal, it tried to cancel the blocking of the entrypoint.
However, if the entrypoint had not reached the signal blocking at this
point, the cancel blocking failed without a solution. Now, the new
Kernel::cancel_next_signal_blocking call solves the problem by storing a
request to cancel the next signal blocking of a thread immediately
without blocking itself.
Ref #2284
To select a different keyboard layout than the default 'en_us', override the
'language_chargen' function in your run script (after including
qt5_common.inc):
proc language_chargen { } { return "de" }
where "de" refers to the character map file
'repos/os/src/server/input_filter/de.chargen'
Issue #2264
This patch improves the accuracy of init's quota-saturation feature
(handing out all slack quota to a child by specifying an overly high RAM
quota for the child) and makes the RAM preserved by init configurable.
The preservation is specified as follows:
! <config>
! ...
! <resource name="RAM" preserve="1M"/>
! ...
! </config>
If not specified, init has a reasonable default of 160K (on 32 bit) and
320K (on 64 bit).
It seems that our buildbot has a problem with the TCL command 'string
cat'. In most cases it is not necessary anyway as we can use the ""
enclosure instead. It unfolds inline procedure calls and variables
automatically. We don't want to use "" only in cases where the literal
shall contain many " characters itself as it is the case for XML
configs. Then we use the 'append' command and a helper variable instead.
Ref #2193
It can happen that when Cpu_free_component is constructed the insertion
of the object through 'manage' succeeds for the EP put not for the pager
EP, which in turn raises an Out_of_meta_data exception. Because we are
within the constructor, the descstructor is not called, leading to a
dangling object pool entry for the EP.
issue #2289
This patch lets init apply configuration changes to a running scenario
in a differential way. Children are restarted if any of their session
routes change, new children can be added to a running scenario, or
children can deliberately be removed.
Furthermore, the new version of init is able to propagate configuration
changes (modifications of <config> nodes) to its children without
restarting them.
If 'close' does not call 'unlink' like 'shutdown', the Lxip_socket_dir
never gets destroyed and thus the socket server leaks resources like
RAM and ports.
Ref #2285
Our 'shutdown' implementation handles only the case that 'how' is 'RDWR'.
Thus, print an error and continue if a user calls it with another value.
Fixes#2285
If not dissolved in ~Entrypoint, the signal proxy is found within NOVA's
and FOC's object pool upon Rpc_entrypoint destruction. This leads to a
deadlock because the signal proxy is destructed before the RPC EP.
issue #2284
This patch ensures that the POLICY::release is called whenever the
session creation aborted with an exception. In the original version, an
exception like 'Quota_exceeded' caused a single-session root interface
to deny subsequent session requests.
If 'Libc::Kernel::resume:all()' is called from a non-main thread, send a
signal to unblock the main thread from 'wait_and_dispatch_one_signal()'.
Fixes#2283
Change metadata before submitting a packet. If the submitting thread is a
pthread, the metadata may be immediately change by the signal handler running
in the context of the entrypoint thread.
This patch enhances the 'Child' and 'Child_policy' with the ability to
separate the different steps of bootstrapping children. If the
'Child_policy::initiate_env_sessions()' returns false, the child's
environment sessions remain unrouted at construction time. This way,
child objects for many children can be initialized to a state that
allows the children to represent services for other children. Therefore,
session routing can be applied before any child executes.
At this stage, the environment RAM sessions of all children can be
created. Note that this step still has the limitation that RAM sessions
are generally expected to be provided by either the parent or a local
service.
Once all children are equipped with RAM, they can in principle receive
session-quota donations. Hence, all other environment sessions can now
be arbitrarily routed and initiated.
Once the environment of a child is complete, the child's process and
initial thread is created.
This patch improves the accounting for the backing store of
session-state meta data. Originally, the session state used to be
allocated by a child-local heap partition fed from the child's RAM
session. However, whereas this approach was somehow practical from a
runtime's (parent's) point of view, the child component could not count
on the quota in its own RAM session. I.e., if the Child::heap grew at
the parent side, the child's RAM session would magically diminish. This
caused two problems. First, it violates assumptions of components like
init that carefully manage their RAM resources (and giving most of them
away their children). Second, if a child transfers most of its RAM
session quota to another RAM session (like init does), the child's RAM
session may actually not allow the parent's heap to grow, which is a
very difficult error condition to deal with.
In the new version, there is no Child::heap anymore. Instead, session
states are allocated from the runtime's RAM session. In order to let
children pay for these costs, the parent withdraws the local session
costs from the session quota donated from the child when the child
initiates a new session. Hence, in principle, all components on the
route of the session request take a small bite from the session quota to
pay for their local book keeping
Consequently, the session quota that ends up at the server may become
depleted more or less, depending on the route. In the case where the
remaining quota is insufficient for the server, the server responds with
'QUOTA_EXCEEDED'. Since this behavior must generally be expected, this
patch equips the client-side 'Env::session' implementation with the
ability to re-issue session requests with successively growing quota
donations.
For several of core's services (ROM, IO_MEM, IRQ), the default session
quota has now increased by 2 KiB, which should suffice for session
requests to up to 3 hops as is the common case for most run scripts. For
longer routes, the retry mechanism as described above comes into effect.
For the time being, we give a warning whenever the server-side quota
check triggers the retry mechanism. The warning may eventually be
removed at a later stage.
This patch equips init with the ability to report its internal state in
the form of a "state" report. This feature can be enabled by placing a
'<report>' node in init's configuration.
The report node accepts the following arguments (with their default
values):
'delay_ms="100"': specifies the number of milliseconds to wait before
producing a new report. This way, many consecutive state changes -
like they occur during the startup - do not result in an overly
large number of reports but are merged into one final report.
'buffer="4K"': the maximum size of the report in bytes. The attribute
accepts the use of K/M/G as units.
'init_ram="no"': if enabled, the report will contain a '<ram>' node
with the memory stats of init.
'ids="no"': supplement the children in the report with unique IDs, which
may be used to infer the lifetime of children accross configuration
updates in the future;
'requested="no"': if enabled, the report will contain information about
all session requests initiated by the children.
'provided="no"': if enabled, the report will contain information about
all sessions provided by all servers.
'session_args="no"': level of detail of the session information
generated via 'requested' or 'provided'.
'child_ram="no"': if enabled, the report will contain a '<ram>' node
for each child based on the information obtained from the child's RAM
session.
Issue #2246
This method is a hook to enable a runtime to respond to state changes.
In particular, in init this hook is used to trigger the generation of a
new state report, if configured.
Furthermore, the patch introduces the 'generate_client_side_info' and
'generate_server_side_info' methods to the 'Session_state', which
generates an XML representation of the session states to appear in
reports produced by init.
Issue #2246
Normally, the platform driver helpers adapt the global run variables directly
via append. But the introduction of a more elegant run script style, that
incorporates dependent strings inline may be a good idea. Thus, we need the
backends of the helpers available as functions that return their string rather
than appending it.
The old interface still exists and uses the new interface as backend.
Ref #2193
The 'server_ip' and 'server_port' attributes for 'lxip/udp_client' and
'lwip/http_clnt' as well as the 'port' attribute for 'lxip/udp_echo' and
'lwip/http_srv_static' are not directly libc-related so they should not
live in the libc tag but in the config tag of the component.
Ref #2193