Commit Graph

71 Commits

Author SHA1 Message Date
Josef Söntgen c706b1c0a7 run: modularize run tool 2015-01-26 12:28:40 +01:00
Stefan Kalkowski 901bff813d imx31: remove platform completely (fix #1360) 2015-01-12 14:24:15 +01:00
Martin Stein 9a4a0448be hw vea9x4: remove trustzone support
When building Genode for VEA9X4 as micro-hypervisor protected by the ARM
TrustZone hardware we ran into limitations regarding our basic daily
testing routines. The most significant is that, when speaking about RAM
partitioning, the only available options are to configure the whole SRAM
to be secure and the whole DDR-RAM to be non-secure or vice versa. The
SRAM however provides only 32 MB which isn't enough for both a
representative non-secure guest OS or a secure Genode that is still
capable of passing our basic tests. This initiated our decision to
remove the VEA9X4 TrustZone-support.

Fixes #1351
2015-01-08 13:28:42 +01:00
Martin Stein be7d5b4827 hw: use context-area base that is ok for VEA9X4-TZ
On VEA9X4-TZ, the context-area overlaps with the virtual area of the
text, data and bss. However, we can't simply change the link address as
the core image (used physically respectively 1:1 mapped) needs to be in
this particular RAM-region as it is the only one that can be protected
against a VM. Thus I've moved the context area to a place where it
shouldn't disturb any HW-platform.

Fixes #1337
2015-01-07 10:41:22 +01:00
Martin Stein e63092f1dd hw & cortex_a9: fix scheduling-timer speed
The estimation of the input clock of the Cortex A9 Private Timer module
was pretty miserable at every Cortex A9 board.

Fixes #1341
2015-01-06 15:22:07 +01:00
Martin Stein ba321c20d1 hw vea9x4: let userland timer SP804 0/1 be secure
Declaring the SP804 0/1 module and its interrupt to be non-secure prevents the
secure Genode from receiving the interrupt and hence the timer driver in the
secure Genode doesn't work.

Fixes #1340
2015-01-06 15:16:02 +01:00
Martin Stein 659f6ff5c8 hw_vea9x4: quickfix for missing SMP awareness
This fix configures TTBRs and translation-table descriptors as if we would use
SMP although we don't to circumvent problems with UP-configurations.
This fix should be superseded later by full SMP support for the VEA9X4.

ref #1312
2014-12-19 13:58:49 +01:00
Martin Stein d31492040c hw: fix race on pager-object dissolve
The HW-kernel, in contrast to other kernels, provides a direct reference
to the pager object with the fault signal that is send to the pager
activation. When accessing this reference directly we may fall into the
time span where the root parent-entrypoint of the faulter has alredy
dissolved the pager object from the pager entrypoint, but not yet
silenced the according signal context.  To avoid this we issue an
additional 'lookup_and_lock' with the received pager object. This isn't
optimal as we don't need the potentially cost-intensive lookup but only the

Fixes #1311.
Fixes #1332.
2014-12-19 13:58:48 +01:00
Martin Stein d704563453 hw: helping on IPC
On base-hw, each thread owns exactly one scheduling context for its
whole lifetime. However, introducing helping on IPC, a thread might get
executed on scheduling contexts that it doesn't own. Figuratively
spoken, the IPC-helping relation spans trees between threads. These
trees are identical to those of the IPC relation between threads. The
root of such a tree is executed on all scheduling contexts in the tree.
All other threads in the tree are not executed on any scheduling context
as long as they remain in this position. Consequently, the ready-state
of all scheduling contexts in an IPC-helping tree always equals the
state of the root context.

fix #1102
2014-12-19 13:58:47 +01:00
Martin Stein 6370b6880a hw: rename Thread::State SCHEDULED in ACTIVE
As soon as helping is used, a thread may also be in a blocking state when its
scheduling context is ready. Hence, the state designation SCHEDULED for an active
thread would be pretty misleading.

ref #1102
2014-12-19 13:58:47 +01:00
Martin Stein 6f377ec4c5 hw: add FIFO variant with for_each() method
ref #1102
2014-12-19 13:58:47 +01:00
Martin Stein 9c027fd9bd hw: remove deprecated TLB declaration
fix #1320
2014-12-19 13:58:47 +01:00
Stefan Kalkowski 4d3fa001e0 hw: remove memory region duplicate (fix #1304)
On the Versatile Express Cortex A9x4 platform the first memory region
0x0 - 0x4000000 is a hardware remapped memory area, containing flash
and DDR RAM copies and thus should not be added in addition to all
DDR RAM regions and the SRAM region.
2014-11-28 12:02:40 +01:00
Martin Stein 8f9355b360 thread API & CPU session: accounting of CPU quota
In the init configuration one can configure the donation of CPU time via
'resource' tags that have the attribute 'name' set to "CPU" and the
attribute 'quantum' set to the percentage of CPU quota that init shall
donate. The pattern is the same as when donating RAM quota.

! <start name="test">
!   <resource name="CPU" quantum="75"/>
! </start>

This would cause init to try donating 75% of its CPU quota to the child
"test".  Init and core do not preserve CPU quota for their own
requirements by default as it is done with RAM quota.

The CPU quota that a process owns can be applied through the thread
constructor. The constructor has been enhanced by an argument that
indicates the percentage of the programs CPU quota that shall be granted
to the new thread. So 'Thread(33, "test")' would cause the backing CPU
session to try to grant 33% of the programs CPU quota to the thread
"test". By now, the CPU quota of a thread can't be altered after
construction. Constructing a thread with CPU quota 0 doesn't mean the
thread gets never scheduled but that the thread has no guaranty to receive
CPU time. Such threads have to live with excess CPU time.

Threads that already existed in the official repositories of Genode were
adapted in the way that they receive a quota of 0.

This commit also provides a run test 'cpu_quota' in base-hw (the only
kernel that applies the CPU-quota scheme currently). The test basically
runs three threads with different physical CPU quota. The threads simply
count for 30 seconds each and the test then checks wether the counter
values relate to the CPU-quota distribution.

fix #1275
2014-11-28 12:02:37 +01:00
Martin Stein 09e6c3457f hw_arndale: consider timer resets
On Arndale, the kernel timer resets to the initial value of the last
count-down and continues as soon as it reaches zero. We must check this
via the interrupt status when we read out the timer value and in case
return 0 instead of the real value.

fix #1299
2014-11-28 12:02:37 +01:00
Martin Stein b8ba3a7a22 hw: rename Kernel::Processor Kernel::Cpu
Kernel::Processor was a confusing remnant from the old scheme where we had a
Processor_driver (now Genode::Cpu) and a Processor (now Kernel::Cpu).
This commit also updates the in-code documentation and the variable and
function naming accordingly.

fix #1274
2014-11-28 12:02:35 +01:00
Martin Stein b3655902ed hw & arm_v7: provide run/hw_info
The run test 'hw_info' prints the content of the basic ARMv7 identification and
feature registers in a pretty readable format. It is a kernel-internal test
because many of these registers are restricted to privilege level 1 or higher.

fix #1278
2014-11-28 12:02:35 +01:00
Martin Stein 1b1fd1e1f9 hw: add and test totally sophisticated scheduler
The new scheduler serves the orthogonal requirements of both
high-throughput-oriented scheduling contexts (shortly called fill in the
scheduler) and low-latency-oriented scheduling contexts (shortly called
claim in the scheduler). Thus it knows two scheduling modes. Every claim
owns a CPU-time-quota expressed as percentage of a super period
(currently 1 second) and a priority that is absolute as long as the
claim has quota left for the current super period. At the end of a super
period the quota of all claims gets refreshed. During a super period,
the claim mode is dominant as long as any active claim has quota left.
Every time this isn't the case, the scheduler switches to scheduling of
fills. Fills are scheduled in a simple round robin with identical time
slices. Order and time-slices of the fill scheduling are not affected by
the super period. Now on thread creation, two arguments, priority and
quota are needed. If quota is 0, the new thread participates in CPU
scheduling with a fill only.  Otherwise he participates with both a
claim and a fill. This concept dovetails nicely with Genodes quota based
resource management as any process can grant subsets of its own
CPU-time and priorities to its child without knowing the global means of
CPU-time and priority.

The commit also adds a run script that enables an automated unit test of the
scheduler implementation.

fix #1225
2014-11-28 12:02:35 +01:00
Martin Stein a00eb9a66a hw: enhance and test double-list data-structure
To serve the needs of the coming CPU scheduler, the double list needs
additional methods such as 'to_tail' and 'insert_head'.

The commit also adds a run script that enables an automated unit test
of the list implementation.

ref #1225
2014-11-28 12:02:35 +01:00
Martin Stein 0ab5310b8a hw: enable kernel-internal tests via run tool
Kernel tests are done by replacing the implementation of an otherwise
empty function 'Kernel::test' that gets called once at the primary CPU
as soon as all kernel initialization is done. To achieve this, the test
binary that implements 'Kernel::test' must be linked against the core
lib and must then replace the core binary when composing the boot image.
The latter can be done conveniently in a run script by setting the new
argument 'core_type' of the function 'build_boot_image' to the falue
'test'. If no kernel test is needed the argument does not have to be
given - it is set to 'core' by default which results in a "normal"
Genode image.

ref #1225
2014-11-28 12:02:34 +01:00
Martin Stein b3bc9bd549 hw: idle execution context is no thread anymore
Previously, Idle_thread inherited from Thread which caused an extra
processor_pool.h and and also made class models for
processor and scheduling more complex. However, this inheritance makes
not much sense anyway as an idle context doesn't trigger most of the code
in Thread.

ref #1225
2014-11-28 12:02:34 +01:00
Martin Stein ec6c19a487 base: memory barriers in lock implementations
The memory barrier prevents the compiler from changing the program order
of memory accesses in such a way that accesses to the guarded resource
get outside the guarded stage. As cmpxchg() defines the start of the
guarded stage it also represents an effective memory barrier.

On x86, the architecture ensures to not reorder writes with older reads,
writes to memory with other writes (except in cases that are not
relevant for our locks), or read/write instructions with I/O
instructions, locked instructions, and serializing instructions.

However on ARM, the architectural memory model allows not only that
memory accesses take local effect in another order as their program
order but also that different observers (components that can access
memory like data-busses, TLBs and branch predictors) observe these
effects each in another order. Thus, a correct program order isn't
sufficient for a correct observation order. An additional architectural
preservation of the memory barrier is needed to achieve this.

Fixes #692
2014-11-28 12:02:34 +01:00
Stefan Kalkowski d452f37c25 hw: print page faults of core (fix #1286) 2014-11-28 12:00:44 +01:00
Martin Stein 635de1791f hw: fix panda instability on kernel exits
Invalidating all branch predictors before switching the PD
fixes instability problems on Panda and has not much effect
on the performance of other boards. However, we neither know why
this is a fix nor wether it fixes the real cause of the problem.

fix #1294
2014-11-20 16:39:16 +01:00
Stefan Kalkowski 0ffc89ee30 hw: clrex during context switch (Fixes #1196) 2014-11-20 16:39:16 +01:00
Martin Stein 8dad54c914 hw: fix scheduler timing on prio preemption
Previously, the timer was used to remember the state of the time slices.
This was sufficient before priorities entered the scene as a thread always
received a fresh time slice when he was scheduled away. However, with
priorities this isn't always the case. A thread can be preempted by another
thread due to a higher priority. In this case the low-priority thread must
remember how much time he has consumed from its current time slice because
the timer gets re-programmed. Otherwise, if we have high-priority threads
that block and unblock with high frequency, the head of the next lower
priority would start with a fresh time slice all the time and is never

fix #1287
2014-11-14 12:00:45 +01:00
Norman Feske 58a1e42201 hw/rpi: USB SOF interrupt filtering 2014-10-13 14:52:43 +02:00
Norman Feske d59d3c684f hw: don't preserve mmio of core devices
Fixes #1269
2014-10-13 14:51:55 +02:00
Stefan Kalkowski 3befb64afe hw: correctly flush cache on ARM (fix #1257)
* When flushing the data and unified cache on ARM, clean and invalidate
  instead of just cleaning the corresponding cache lines
* After zero-ing a freshly constructed dataspace in core, invalidate
  corresponding cache lines from the instruction cache
2014-10-10 13:02:30 +02:00
Stefan Kalkowski f0fae2a5f2 hw: set TTBR0 according to CPU facilities
Fixes #1195
2014-10-10 13:02:30 +02:00
Martin Stein 14e9a89cba hw: no superfluous ORing of zeros and clean up
fix #710
2014-08-15 10:19:49 +02:00
Martin Stein e7d57ded36 hw & trustzone: fix alignm. of VM exception-vector
After modifying mode transition for branch prediction tz_vmm wasn't
working anymore on hw_imx53_tz but the modifications had nothing to do
with the VM code. However, the amount of instructions in the MT before the
VM exception-vector changed. So I tried stuffing the last working version with
NOPs and found that tz_vmm worked for some NOP amounts and for others not.
Thus, I increased the alignment of the VM exception-vector from 16 bytes to 32
bytes, é voila, its working with any amount of NOPs as well as with branch
prediction commits.

ref #474
2014-08-15 10:19:49 +02:00
Martin Stein c03b277a34 hw & arm_v7: enable branch prediction
fix #474
2014-08-15 10:19:49 +02:00
Martin Stein 9da42dde2f hw & arm_v7: mode transition via transit ttbr0
Previously, we did the protection-domain switches without a transitional
translation table that contains only global mappings. This was fine as long
as the CPU did no speculative memory accesses. However, to enabling branch
prediction triggers such accesses. Thus, if we don't want to invalidate
predictors on every context switch, we need to switch more carefully.

ref #474
2014-08-15 10:19:48 +02:00
Martin Stein 03cd76821c hw & arm: exceptions to asserts in transl. table
ref #474
2014-08-15 10:19:48 +02:00
Martin Stein e686aee5f9 hw: provide 'bool aligned' function in util.h
ref #474
2014-08-15 10:19:48 +02:00
Martin Stein d48d0e7b43 hw: rename processor CPU
fix #1217
2014-08-15 10:19:48 +02:00
Martin Stein 1cba71208f hw: cpu_support to kernel/thread_base
ref #1217
2014-08-15 10:19:48 +02:00
Martin Stein a5cf09fa6e hw: re-organize file structure
fix #1197
2014-08-15 10:19:48 +02:00
Martin Stein 1bc8de83ff hw & arm_v6: fix bug in calculation of kernel SP
For ARMv6, this aspect wasn't updatet to the new kernel-stack
managment that came up with SMP support.

ref #1199
2014-07-24 10:18:08 +02:00
Christian Prochaska a46de84f89 Fix race condition in page fault notification
When a page fault cannot be resolved, the GDB monitor can get a hint about
which thread faulted by evaluating the thread state object returned by
'Cpu_session::state()'. Unfortunately, with the current implementation,
the signal which informs GDB monitor about the page fault is sent before
the thread state object of the faulted thread has been updated, so it
can happen that the faulted thread cannot be determined immediately
after receiving the signal.

With this commit, the thread state gets updated before the signal is sent.

At least on base-nova it can also happen that the thread state is not
accessible yet after receiving the page fault notification. For this
reason, GDB monitor needs to retry its query until the state is

Fixes #1206.
2014-07-24 10:18:07 +02:00
Martin Stein 6cb9559feb hw: core as library
The build config for core is now provided through libraries to enable
implicit config composition through specifiers and thereby avoid
consideration of inappropriate targets.

fix #1199
2014-07-24 10:18:06 +02:00
Martin Stein 5f145b74a5 hw_imx31: fix compilation error in timer.h
fix #1200
2014-07-24 10:18:06 +02:00
Stefan Kalkowski 609f7abb0a hw: map a dataspace in core according to its flags
Thereby removing obsolete quirk for uncached CPU state dataspace
in VM session.

Fixes #1198
2014-07-24 10:18:06 +02:00
Stefan Kalkowski 8f57ff1f27 hw: re-enable the L2 cache for i.MX53 (Ref #1194) 2014-07-09 16:26:06 +02:00
Stefan Kalkowski 1c11099f09 hw: clean cache lines of altered translation table
For Cortex A8, and ARM1176JZF clean cache lines of altered MMU translation

Fix #1194
2014-07-09 16:26:06 +02:00
Stefan Kalkowski 1c99ee951a hw: set pages shareable in SMP systems only
Fixes #1181
2014-07-09 16:26:05 +02:00
Martin Stein f3ae42275a hw: move global TLB flush to extra class
A subject that inherits from Processor_client not necessarily has the need for
doing a processor-global TLB flush (e.g. VMs). At the other hand the Thread
class (as representation of the only source of TLB flushes) is already one of
the largest classes in base-hw because it provides all the syscall backends
and should therefore not accumulate other aspects without a functional reason.
Hence, I decided to move the aspect of synchronizing a TLB flush over all
processors to a dedicated class named Processor_domain_update.
Additionally a singleton of Processor_domain_update_list is used to enable
each processor to see all update-domain requests that are currently pending.

fix #1174
2014-06-26 13:42:52 +02:00
Martin Stein 6e993d31d4 hw: for_each & safer type casts in Double_list
ref #1174
2014-06-26 12:09:40 +02:00
Martin Stein f0478ee214 hw: move double list to extra header
ref #1174
2014-06-26 12:09:26 +02:00