genode/doc/release_notes-10-05.txt

1212 lines
56 KiB
Plaintext

===============================================
Release notes for the Genode OS Framework 10.05
===============================================
Genode Labs
With version 10.05, the Genode project aimed at creating the infrastructure
needed to accommodate usage scenarios of ever increasing complexity. We are
excited to have reached the milestone to run the first version the
fully-fledged Arora web browser as native Genode process. The other major leap
regarding Genode's infrastructure is a new configuration concept that lets us
realize usage scenarios that we have dreamed of for a long time.
With the new configuration concept, we are now able to leverage the full power
of Genode's hierarchical process structure. It enables us to implement
fine-grained access control to all services that our system is comprised of.
But the concept just as well offers extremely flexible ways of routing
client-session requests throughout the Genode process tree to a matching
server. We are looking forward to present several showcase scenarios of this
new tool soon.
The second major focus for the current release was adding support for audio
output. We created a modular audio-streaming solution consisting of device
drivers for popular sound cards, an audio-mixer component, and a client
application interface. The combination of these new components with
real-time priorities introduced with the previous release and Genode's new
configuration concept lays the foundation for high-quality audio processing
on Genode.
Apart from these major topics, the new version comes with numerous functional
improvements. For example, our ongoing efforts to tightly integrate the
paravirtualized OKLinux kernel with native Genode components have culminated
in the added support for the seamless integration of the X Window System with
Genode's nitpicker GUI.
To boost the productivity of the Genode developers, we have implemented
a new build system, which is compatible with the original one but operates
much faster, in particular when used on systems with multiple CPUs.
Enabling mandatory access control
#################################
Since drafting the Genode architecture, we envisioned a flexible way to
construct complex usage scenarios out of Genode's process nodes
used as generic building blocks. Thanks to the strictly hierarchic and,
at the same time, recursive structure of Genode, a parent has full control
over the way, its children interact with each other and with the parent.
The initial implementation provided three different examples of such
policies, core's policy regarding the init process, the static policy
of the init process, and a more dynamic policy of the interactive
launchpad application.
:Core's policy: assigns all resources not used by core itself to init.
Session requests coming from init could only refer to one of core's
locally implemented services. Because init is the only child of core,
there is no policy about the interaction between multiple children.
:Init's policy: is driven by a configuration file, which declares a number
of children, their respective memory quotas and file names. Each child is
able to announce services but each service can be announced only once. Any
attempt of a child to announce an already existing service is denied. Session
requests of all children are resolved in a uniform way. If the requested
session refers to a service provided by core, init delegates the session
request to its parent. These services are hard-coded to RAM, PD, RM, ROM,
CPU, IRQ, IO_MEM, IO_PORT, CAP, SIGNAL, and LOG. Otherwise, the session
request is delegated to one of the children. If the requested service is not
yet announced, the aspiring client is put to halt until the service becomes
available.
:Launchpad's policy: enriches init's policy by a small detail, but with
a great effect. Instead of using fixed set of service names to take the
decision about whether to forward a session request to the parent or to one
of the other children, it implements the following rule: If the requested
service was announced by a child of launchpad, the request is delegated to
the child. Otherwise, the request is delegated to the parent. This simple
modification allows children to override arbitrary services normally provided
by core. For example, the nitlog application implements core's LOG interface.
After started, all requests for a LOG session end up at nitlog instead of
core, and this way, LOG output could be easily routed to the screen rather
than to core's debug output. Another example is exercised by the tutorial of
Genode default demo scenario, which allows for starting a second instance of
the nitpicker GUI server within a windowed frame buffer, which, in turn,
relies on the first instance of nitpicker.
Those three policies served us well for the past three years. Core's policy
is simple and exactly what core needs for starting and accommodating the
init process. Launchpad's policy illustrates well the power of Genode's
recursive structure. But the limitations of init's policy have become
apparent with our more recent use cases. We observed the following limitations.
* The set of services provided by the parent is predefined and hard-coded
in the source code of init. Even though init's configuration concept allows
for running multiple nested init instances, the fixed set of parent services
severe limits the practical use of this feature. In fact, for some use
cases, we had to combine different init implementations to achieve our
goals.
* Within one instance of init, there is no way to restrict the access of one
child to services provided by another child or to core's services.
* Among children of one init instance, each service can be announced only
once, based on a first-come-first-serve policy. There is no restriction
about which child is permitted to announce which service. But there are
legitimate uses of having multiple implementations of one interface present.
For example, in the presence of more than one network cards, multiple network
drivers may need to announce a NIC service each.
Despite of these limitations, the init configuration has one strong point,
which is ease of use. Our challenge with designing a new configuration
concept was to overcome the mentioned limitations while preserving the
ease of use as far as possible.
Configuration
=============
At the parent-child interface, there are two operations that are subject to
policy decisions of the parent, the child announcing a service and the
child requesting a service. If a child announces a service, the parent is up
to decide if and how to make this service accessible to its other children.
When a child requests a service, the parent may deny the session request,
delegate the request to its own parent, implement the requested service
locally, or open a session at one of its other children. This decision may
depend on the requested service or session-construction arguments provided
by the child. Apart from assigning resources to children, the central
element of the policy implemented in the parent is a set of rules to
route session requests. Therefore, the new configuration concept is laid out
around processes and the routing of session requests. The concept is best
illustrated by an example (executable on Linux):
! <config>
! <parent-provides>
! <service name="CAP"/>
! <service name="LOG"/>
! </parent-provides>
! <start name="timer">
! <resource name="RAM" quantum="1M"/>
! <provides> <service name="Timer"/> </provides>
! <route>
! <service name="CAP"> <parent/> </service>
! </route>
! </start>
! <start name="test-timer">
! <resource name="RAM" quantum="1M"/>
! <route>
! <service name="Timer"> <child name="timer"/> </service>
! <service name="LOG"> <parent/> </service>
! </route>
! </start>
! </config>
First, there is the declaration of services provided by the parent of the
configured init instance. In this case, we declare that the parent provides a
CAP service and a LOG service. For each child to start, there is a '<start>'
node describing resource assignments, declaring services provided by the child
and holding a routing table for session requests originating from the child.
The first child is called "timer" and implements the "Timer" service. To
implement this service, the timer requires a CAP session. In the routing table,
we define that a CAP session request gets delegated to init's parent. The
second process called "test-timer" is a client of the timer service. In its
routing table, we see that requests for "Timer" sessions should be routed to
the "timer" child whereas requests for "LOG" sessions should be delegated to
init's parent. Per-child service routing rules provide a flexible way to
express arbitrary client-server relationships. For example, service requests
may be transparently mediated through special policy components acting upon
session-construction arguments. There might be multiple children implementing
the same service, each addressed by different routing tables. If there is no
valid route to a requested service, the service is denied. In the example
above, the routing tables act effectively as a whitelist of services the child
is allowed to use.
In practice, usage scenarios become more complex than the basic example,
increasing the size of routing tables. Furthermore, in many practical cases,
multiple children may use the same set of services, and require duplicated
routing tables within the configuration. In particular during development, the
elaborative specification of routing tables tend to become an inconvenience.
To alleviate this problem, there are two mechanisms, wildcards and a default
route. Instead of specifying a list of single service routes targeting the same
destination, the wildcard '<any-service>' becomes handy. For example, instead
of specifying
! <route>
! <service name="ROM"> <parent/> </service>
! <service name="RAM"> <parent/> </service>
! <service name="RM"> <parent/> </service>
! <service name="PD"> <parent/> </service>
! <service name="CPU"> <parent/> </service>
! </route>
the following shortcut can be used:
! <route>
! <any-service> <parent/> </any-service>
! </route>
The latter version is not as strict as the first one because it permits the
child to create sessions at the parent, which were not whitelisted in the
elaborative version. Therefore, the use of wildcards is discouraged for
configuring untrusted components. Wildcards and explicit routes may be combined
as illustrated by the following example:
! <route>
! <service name="LOG"> <child name="nitlog"/> </service>
! <any-service> <parent/> </any-service>
! </route>
The routing table is processed starting with the first entry. If the route
matches the service request, it is taken, otherwise the remaining
routing-table entries are visited. This way, the explicit service route of
"LOG" sessions to "nitlog" shadows the LOG service provided by the parent.
To emulate the traditional init policy, which allows a child to use services
provided by arbitrary other children, there is a further wildcard called
'<any-child>'. Using this wildcard, the traditional policy can be expressed
as follows:
! <route>
! <any-service> <parent/> </any-service>
! <any-service> <any-child/> </any-service>
! </route>
This rule would delegate all session requests referring to one of the parent's
services to the parent. If no parent service matches the session request, the
request is routed to any child providing the service. The rule can be further
reduced to:
! <route>
! <any-service> <parent/> <any-child/> </any-service>
! </route>
Potential ambiguities caused by multiple children providing the same service
are detected automatically. In this case, the ambiguity must be resolved using
an explicit route preceding the wildcards.
To reduce the need to specify the same routing table for many children
in one configuration, there is a '<default-route>' mechanism. The default
route is declared within the '<config>' node and used for each '<start>'
entry with no '<route>' node. In particular during development, the default
route becomes handy to keep the configuration tidy and neat.
We believe that with the combination of explicit routes and wildcards, we
have designed a solution that scales well from being convenient to use during
development towards being highly secure at deployment time. If only explicit
rules are present in the configuration, the permitted relationships between all
processes are explicitly defined and can be easily verified. Note however that
the degree those rules are enforced at the kernel-interface level depends on
the used base platform.
Advanced features
=================
In addition to the service routing facility described in the previous section,
the following features are worth noting:
Resource quota saturation
~~~~~~~~~~~~~~~~~~~~~~~~~
If a specified resource (i.e., RAM quota) exceeds the available resources.
The available resources are assigned completely to the child. This makes
it possible to assign all remaining resources to the last child by
simply specifying an overly large quantum.
Multiple instantiation of a single ELF binary
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Each '<start>' node requires a unique 'name' attribute. By default, the
value of this attribute is used as file name for obtaining the ELF
binary at the parent's ROM service. If multiple instances of the same
ELF binary are needed, the binary name can be explicitly specified
using a '<binary>' sub node of the '<start>' node:
! <binary name="filename"/>
This way, the unique child names can be chosen independently from the
binary file name.
Nested configuration
~~~~~~~~~~~~~~~~~~~~
Each '<start>' node can host a '<config>' sub node. The content of this sub
node is provided to the child when a ROM session for the file name "config" is
requested. Thereby, arbitrary configuration parameters can be passed to the
child. For example, the following configuration starts 'timer-test' within an
init instance within another init instance. To show the flexibility of init's
service routing facility, the "Timer" session of the second-level 'timer-test'
child is routed to the timer service started at the first-level init instance.
! <config>
! <parent-provides>
! <service name="CAP"/>
! <service name="LOG"/>
! <service name="ROM"/>
! <service name="RAM"/>
! <service name="CPU"/>
! <service name="RM"/>
! <service name="PD"/>
! </parent-provides>
! <start name="timer">
! <resource name="RAM" quantum="1M"/>
! <provides><service name="Timer"/></provides>
! <route>
! <service name="CAP"> <parent/> </service>
! </route>
! </start>
! <start name="init">
! <resource name="RAM" quantum="1M"/>
! <config>
! <parent-provides>
! <service name="Timer"/>
! <service name="LOG"/>
! </parent-provides>
! <start name="test-timer">
! <resource name="RAM" quantum="1M"/>
! <route>
! <service name="Timer"> <parent/> </service>
! <service name="LOG"> <parent/> </service>
! </route>
! </start>
! </config>
! <route>
! <service name="Timer"> <child name="timer"/> </service>
! <service name="LOG"> <parent/> </service>
! <service name="ROM"> <parent/> </service>
! <service name="RAM"> <parent/> </service>
! <service name="CAP"> <parent/> </service>
! <service name="CPU"> <parent/> </service>
! <service name="RM"> <parent/> </service>
! <service name="PD"> <parent/> </service>
! </route>
! </start>
! </config>
The services ROM, RAM, CPU, RM, and PD are required by the second-level
init instance to create the timer-test process.
As illustrated by this example, the use of the nested configuration feature
enables the construction of arbitrarily complex process trees via a single
configuration file.
Priority support
~~~~~~~~~~~~~~~~
The number of CPU priorities to be distinguished by init can be specified with
'prio_levels' attribute of the '<config>' node. The value must be a power of
two. By default, no priorities are used. To assign a priority to a child
process, a priority value can be specified as 'priority' attribute of the
corresponding '<start>' node. Valid priority values lie in the range of
-prio_levels + 1 (maximum priority degradation) to 0 (no priority degradation).
Using the new configuration concept
===================================
With the current release, the old configuration concept is still enabled by
default. With the upcoming release, we will change the default to the new
concept and declare the old concept as obsolete and to-be-removed. To enable
the new concept now, all you need to do is adding the following line to your
'<build-dir>/etc/specs.conf' file:
! SPECS += use_new_init
By adding this line, the build system will build the init variant at
'os/src/init/experimental' rather than the default variant at 'os/src/init'.
To get acquainted with the new configuration format, there are two example
configuration files located at 'os/src/init/experimental', which are both
ready-to-use with the Linux version of Genode. Both configurations produce the
same scenario but they differ in the way policy is expressed. The
'explicit_routing' example is an example for the elaborative specification
of all service routes. All service requests not explicitly specified
are denied. So this policy is a whitelist enforcing mandatory access
control on each session request. The example illustrates well that such a
elaborative specification is possible in an intuitive manner. However, it is
significantly more comprehensive than a traditional configuration file of
init. In cases where the elaborative specification of service routing is not
fundamentally important, in particular during development, the use of wildcards
can help to simplify the configuration. The 'wildcard' example demonstrates the
use of a default route for session-request resolution and wildcards. This
variant is less strict about which child uses which service. For development,
its simplicity is beneficial but for deployment, we recommend to remove
wildcards ('<default-route>', '<any-child>', and '<any-service>') altogether.
The absence of such wildcards is easy to check automatically to ensure that
service routes are explicitly whitelisted.
Base framework
##############
This section provides a description of a number of small changes of the base
framework. It is rather detailed to ease the migration of existing code to the
new Genode version.
New child management framework
==============================
To realize the new configuration concept of init, we completely reworked the
child-management classes in 'base/child.h', 'base/service.h', and
'init/child.h'. The 'Child' class used to implement the most basic policy that
applies to all children, which comprises the protocols for trading memory quota
and the handling of the child's environment sessions. It was meant to be
derived by more a specialized policy such as init's policy. Thereby, each
derived implementation of the 'Child' class used to tailor the policy to a
further degree. We identified two problems with this approach. First, the
policy resulting from tweaking one or more inherited policies became hard to
grasp because it was spread in multiple files. For example, launchpad's policy
is influenced by 'launchpad.h', 'init/child.h', and 'base/child.h'. Second, we
observed that the generic program logic for resource trading was closely
intermingled with policy-specific code. This way, modifying an inherited policy
resulted in duplicating program logic code of the inherited class.
With the new implementation, we completely separated the raw mechanisms
needed for running a child process from its policy. To illustrate the change,
lets look at the difference between the old and new 'Child' constructor:
The original version looked a follows:
! Child(const char *name,
! Dataspace_capability elf_ds,
! Ram_session_capability ram,
! Cpu_session_capability cpu,
! Cap_session *cap,
! char *args[])
The 'Child' class used to aggregate several pieces needed to run a child.
In particular, it contained a dedicated entry point and server-activation
thread to serve the parent interface for the child. The 'cap' argument
was merely required to construct the entry point. This design resulted
in a number of problems: The stack size of the server-activation thread
was fixed and could not be changed by an inherited class. Because the
entry point and server-activation thread were embedded in the child,
special accessor functions were needed to let the creator of a 'Child'
interact with them. For example, the start of the server activation
had to be triggered by a special 'finalize_construction' call. For using
the entry point for serving additional local services, the special accessor
function 'parent_entrypoint' was needed.
The new 'Child' constructor looks as follows:
! Child(Dataspace_capability elf_ds,
! Ram_session_capability ram,
! Cpu_session_capability cpu,
! Server_entrypoint *entrypoint,
! Child_policy *policy)
One prominent change is that the entry point is now supplied as an argument,
which in principle allows for sharing one entry point by multiple children and
local services, and enables the use of arbitrary stack sizes. The more
significant change is the new 'Child_policy' argument, supplied to the
new child. The 'Child_policy' interface consists of the following functions:
! const char *name() const;
The 'name' function returns the name of the child, which was previously be
directly supplied as argument to the 'Child' constructor.
! Service *resolve_session_request(const char *service_name,
! const char *args);
This function is central to routing service requests to service providers.
A 'Service' is either a locally implemented service, a service provided by the
parent, or a service provided by another child. If the service request is
denied altogether, the function returns 0. Thanks to the 'args' argument, the
resolution of the service requests can be made dependent on session-construction
arguments, for example a 'filename' argument supplied to a new 'ROM' session.
! void filter_session_args(const char *service,
! char *args, size_t args_len);
This function enables the transformation of session-construction arguments. Its
uses are manifold. For example, labeling each session by prefixing the 'label'
session argument with the child name informs the server about the identity of
the client (see 'Child_policy_enforce_labeling'). Another example is the
transformation applied to the CPU priority as introduced by the Genode version
10.02 (see 'Child_policy_handle_cpu_priorities').
! bool announce_service(const char *name,
! Root_capability root,
! Allocator *alloc)
This function takes note of new service announcements coming from the child.
An announcement can be denied by returning 0. Otherwise, the policy is free
to consider the new service for subsequent 'resolve_session_request' calls
coming from other children.
With this policy toolkit, it was not only possible to easily reconstruct the
original behaviour of 'Core_child', 'Init::Child', and 'Launchpad::Child', it
also enabled the new configuration concept and service routing described in
Section [Enabling mandatory access control]. The 'Child' class defined in
'base/child.h' is no longer meant as a base class for customized child policies
but it solely contains the program logic for managing open sessions and
performing resource trading.
Because 'base/child.h' is closely related to 'base/service.h', the classes
defined in the latter were also subject to a major overhaul. The new 'Service'
interface removed the need for differently typed service pools. Instead
there is now a single 'Service_registry'. Since the 'Service' class abstracts
from parent, local, or child servers, it obsoleted the 'Session_control'
interface.
Flexible page sizes
===================
Core's generic page-fault handling code has become able to handle any page size
supported by underlying platforms. On OKL4, L4ka::Pistachio, NOVA, and
L4/Fiasco, core uses flexpages as big as possible. The used subset of supported
page size can be tailored for each platform using a new helper function in the
platform-specific 'core/include/util.h'. The function 'constrain_map_size_log2'
takes a page size (log2) as argument and returns a nearest (lower or equal than
the argument) possible page size to be used for a mapping on this platform.
To further unify the code among different kernels, we made the generic code
agnostic about the mapping source. On some kernels (e.g., OKL4, Codezero), map
operations refer to a physical address as source. On other kernels (typically,
kernels that rely on a mapping database), a core-local virtual address is used
as mapping source. Now, we introduced the function 'map_src_addr', which takes
both a core-local and a physical address as argument and returns one of those,
depending on the kernel.
Miscellaneous changes
=====================
:Exception types:
* Structured exception types of 'Parent' interface
* Introduced 'Rom_connection_failed' exception to the 'Rom_connection'
interface. Often, 'Rom_connection' errors are caused by user errors, which
are hard to come by when the program aborts with a 'Parent::Service_denied'
exception. The new exception type make the problem cause easier to spot.
* Removed redundant 'Rom_file_missing' exception from the 'Rom_session'
interface. By definition, this exception cannot occur because a ROM session
for a non-existing file will throw a 'Parent::Service_denied' exception.
:Growing heap chunks:
The heap used to grow by chunks of 16 KB (on 32 bit) respectively 32 KB (on 64
bit) blocks for small allocations. Each block is backed by an independent
dataspace. On Linux, this is problematic because each dataspace is represented
as a distinct file attached to the local address space via 'mmap'. Because on
Linux, the maximum number of open file descriptors is limited to 1024, Genode
processes on Linux could not use more than 16/32 MB of small memory blocks.
This limitation became noticeable with Qt4 applications, which rely on a large
number of small allocations. To alleviate this problem, we changed the
allocation of heap chunks from a fixed block size to an exponentially growing
block size, capped at a maximum block size of 4/8 MB.
:String parsing functions:
We unified the various ascii-parsing functions such as 'ascii_to_ulong',
'ascii_to_long', 'ascii_to_size', 'ascii_to_double' defined in
'util/string.h' to be overloads of a single function template called
'ascii_to<T>':
! template <typename T>
! size_t ascii_to(const char *s, T *result,
! unsigned base = 0);
There are specializations for 'long', 'unsigned long', and 'double'. For
parsing size values suffixed with 'K', 'M', or 'G', there is a helper class
called 'Number_of_bytes' wrapping 'size_t'. When passing a pointer to such an
object as argument to 'ascii_to', the suffix-handling specialization is
selected.
The use of overloading makes it easier to use the parsing functionality from
function templates which can thereby stay type-independent. For example,
'Xml_node::value' already benefits from this unification. Please note that we
removed the string-length argument that was supported by some of the previous
parsing functions. All 'ascii_to' implementations do expect null-terminated
strings.
:Tokenizer:
The 'Token' class is used by the 'Arg_string' class and the XML parser, which
used to employ the same syntactic rules for identifiers. Because this is no
longer the case, we made those rules customizable by turning the 'Token' class
into a class template taking a scanner policy as argument. The scanner policy
consists of a boolean function 'identifier_char' for classifying a character as
part of an identifier.
:Synchronization:
* Removed a rare race condition in the generic 'Cancelable_lock'
implementation introduced by a compiler optimization. We discovered this
problem first while running multiple instances of OKLinux under heavy load.
* Corrected the handling of lock cancellations for locks that were doubly
locked by the same thread. The cancellation condition is detected by
verifying the current lock owner when being waked up. If the unblocking
was caused by a regular 'unlock' by the old lock owner, the unblocked
thread is the new lock owner. Otherwise, the blocking was canceled.
However, if a thread took a lock twice, it is the lock owner, regardless
of the cause of getting unblocked. So lock cancellations went undetected
in this special case. We solved this ambiguity by reseting the lock
ownership when the current lock owner tries to take the lock again.
:Startup code and C++ runtime:
In '_main', we make sure to initialize the exception handling prior processing
global constructors. This way, exceptions that occur while executing such
constructors can be handled. Because the exception-handling initialization
relies on 'malloc', which in turn relies on the heap, which in turn, depends on
'Genode::env()', global constructors must no longer be used in the base
framework. Otherwise, this change would result in cyclic dependencies. Hence,
we replaced the last few occurrences of global constructors with local static
constructors. For example, in 'base-okl4/src/base/console/okl4_console.cc', we
replaced:
! static Okl4_console okl4_console;
with
! static Okl4_console &okl4_console()
! {
! static Okl4_console static_okl4_console;
! return static_okl4_console;
! }
and replaced the use of the 'okl4_console' object by the respective call
of 'okl4_console()'.
Of course, global constructors outside the Genode base frameworks are fully
supported.
:Dedicated I/O-port thread in core:
To reduce the temporal inter-dependency of I/O port accesses from core's
services, we moved the I/O port service to a separate thread within core.
This way, I/O port operations are performed out of band with other core's
services. The immediate effect is an improved accuracy of the PIC timer
driver.
Operating-system services and libraries
#######################################
XML parser
==========
Since the initial Genode release, we employ a simple XML parser for runtime
configuration purposes. The parser comes in the form of the single header file
'os/include/util/xml_node.h'. We tied the feature set of the parser to the
simple structures that we use for the init process, supporting nested '<tags>'
and '</endtags>' as well as XML comments. This simple parser served as well
over the last two years. The new configuration concept introduced with the
current release, however, prompted us to reconsider its feature set. We noted
that although using the existing markup to express complex attributes and
relations is principally possible, the resulting configuration files tend to
become incomprehensible and hard to maintain. After exemplarily applying XML
attributes and empty-element tags to our show-case configurations, we observed
that those negative effects could be entirely mitigated. On the other hand,
extending the XML parser would imply an increase in code complexity, which we
generally want to avoid. Fortunately, with around 100 lines of code added for
the provisioning of XML attributes and empty-element tags, the effect on code
complexity turned out to be reasonably low so that we decided for the extension
of the XML parser. Because this extension would require an API change, we took
the chance of further streamlining the interface and implementation of the
XML parser. The changes are:
* The length-limited parsing of XML data is now fully implemented.
* The supported forms for tag names are no longer a subset of the XML
standard. Now, underline, colon, dot, and minus characters are supported.
* Optimized the search through an XML node for a specified node type by
omitting a call of '_num_sub_nodes'. This way, the XML node is walked only
once per call, not twice.
* The accessor functions for the content of an XML node ('content', 'read')
had been unified to the template function 'value', which allows for the
interpretation of all types supported by the 'ascii_to' overloads defined
in 'base/include/util/string.h'.
* Renamed function 'is_type' to 'has_type'
* Added support for empty-element tags of the form '<element/>
* Added support for XML attributes using the new 'Xml_node::Attribute'
class
* Renamed exception type 'Nonexistent_subnode' to 'Nonexistent_sub_node' to
foster consistence with the Genode coding style
Timed semaphore
===============
We added a semaphore variant supporting timeouts to the 'os' repository.
The new 'Timed_semaphore' extends the interface of the original semaphore
with a new 'down' function taking a timeout as argument. The implementation
relies on a jiffies thread that is started the first time a timeout is
used. The timeout granularity is set to 50 ms to accommodate our current
use cases (TCP timeouts and 'select' timeouts).
Added 'select' to C library
===========================
We enhanced our C library with a 'select' implementation that interplays
with the libc plugin concept. This way, a libc plugin such as the lwIP back
end can wake up blocking 'select' calls that include their respective file
descriptors. Furthermore, the new 'select' implementation includes support
for timeouts. The timeout handling is provided via a timed semaphore.
Further changes are the addition of 'lseek' and '_open' to the plugin
interface, and the a sanitized dummy for 'gai_strerror', which is required
for running Arora.
Device-class interfaces for NIC and Audio-out
=============================================
While looking into implementing further device class interfaces, we observed
recurring patterns in the use of Genode's packet stream API. Naturally, there
are four use cases that are related to packet streams.
# A client transmits packets
# A server receives packets
# A client receives packets
# A server transmits packets
For each of these cases, we have created utility classes to ease the
realization of packet-stream-based inter-component interfaces. We grouped the
first two cases (transmit channel - TX) and the latter two cases (receive
channel - RX). The corresponding utility classes reside in
'os/include/packet_stream_rx/' and 'os/include/packet_stream_tx/'.
Each of both directories contain the usual elements of an RPC interface, an
abstract interface shared between client and server (called 'packet_steam_rx.h'
or 'packet_stream_tx.h'), the client-side interface ('client.h') and the
server-side interface ('server.h').
By applying these new generalized utility classes to the existing 'Nic_session'
interface, we were able significantly reduce the code complexity of this
device-class interface and expect less code duplications when introducing
further device classes.
Note that the change of the 'Nic_session' interface implies a slight API
change. The former wrapper functions such as 'rx_packet_avail()' were removed
in favor for a generic accessor to the stream interface. So this code must be
changed to 'rx()->packet_avail()' and respectively for the other wrapper
functions.
Audio playback sessions
-----------------------
The audio-out interface extends Genode's device-class interfaces by a
facility for audio-stream playback. It is based on the packet-stream
framework and uses one TX stream per audio channel. Therefore, the
channel configuration is not limited by the interface and audio-out
servers are free to provide custom channel configurations to clients.
For example, standard stereo playback creates to sessions - one for
"left" and one for "right". More sophisticated applications may
request 5.1 surround sound with channels for front left/center/right
and rear left/right plus low-frequency effects (LFE).
The actual PCM stream data uses 32-bit floating point numbers. This
implementation fosters complex audio applications with multi-channel
mixers and effect chains on all platforms supported by Genode.
Servers
=======
Nitpicker
~~~~~~~~~
We implemented the per-client background handling. Each client is free
to select one of its views as background. If the user activates the client,
the background view gets displayed as desktop background. In the presence
of multiple window systems as nitpicker clients, each window system can
have its own fully operational desktop. Depending on the client the user
is currently interacting with, the corresponding desktop is displayed.
Audio-out mixer
~~~~~~~~~~~~~~~
Based on the new audio-out session interface, we implemented an audio
mixer, which currently supports up to 16 stereo inputs and uses one
stereo output. We also added a simple audio-test program that plays
configured raw stereo float-PCM streams. The configuration snippet
configures input to direct all 'Audio_out' sessions to the mixer
except for the mixer itself, which uses the audio driver as back end.
The complete example can be found in 'os/config/mixer':
! <config>
! ...
! </parent-provides>
! <default-route>
! <!-- all clients use the mixer for audio per default -->
! <service name="Audio_out"> <child name="mixer"/> </service>
! <any-service> <parent/> <any-child/> </any-service>
! </default-route>
! ...
! <start name="audio_out_drv">
! <resource name="RAM" quantum="8M"/>
! <provides> <service name="Audio_out"/> </provides>
! </start>
!
! <start name="mixer">
! <resource name="RAM" quantum="1M"/>
! <provides> <service name="Audio_out"/> </provides>
! <route>
! <!-- use the actual driver as mixer back end -->
! <service name="Audio_out"> <child name="audio_out_drv"/> </service>
! <any-service> <parent/> <any-child/> </any-service>
! </route>
! </start>
!
! <start name="test-audio_out">
! <resource name="RAM" quantum="12M"/>
! <config>
! <!-- a bunch of raw media files in 2-channel FLOAT -->
! <filename>silence.f32</filename>
! <filename>silence.f32</filename>
! </config>
! </start>
! </config>
The scenario includes the audio test with two configured PCM-stream
files.
Device drivers
##############
Audio out
=========
With the introduction of the audio-out session interface, we
implemented drivers for certain audio back ends. Currently, each of
them provides two channels - "front left" and "front right".
On Linux, the 'audio_out_drv' uses the ALSA libraries and opens the
ALSA device 'hw'. Therefore, it needs exclusive access to the sound
hardware and other media applications should be closed. For real
hardware support, we ported the following drivers in DDE Linux 2.6:
* Ensoniq ES1370 (ens1370.c)
* Intel earlier ICH and before (intel8x0.c)
* Intel HD Audio
If you use the Qemu emulator to run Genode, activate the sound
hardware with the '-soundhw all' command line switch. Please note that
the default sound back end may stutter on some systems. In this case,
you may try other back ends by configuring the 'QEMU_AUDIO_DRV'
environment variable (see 'qemu -audio-help' for more information).
The following worked best on our systems:
! QEMU_AUDIO_DRV=oss qemu -soundhw all -cdrom genode.iso
Timer
=====
We improved the accuracy of the Linux-specific and PIT-based timer
implementations. On Linux, the timer relies on absolute time provided by the
'gettimeofday' system call rather than accumulated sleep times. For the PIT
timer driver, we removed the caching of the current time and instead read the
PIT counter register directly as needed.
Input
=====
Added input driver for PL050 PS/2 mouse and keyboard as found on the
VersatilePB platform.
Protocol stacks and libraries
#############################
zlib and libpng
===============
Since the first Genode release, the 'demo' repository contains ports of
'zlib' and 'libpng' to enable the Scout tutorial browser to display PNG
images. These libraries were meant to be used with the 'mini_libc' that
is also part of the 'demo' repository. For other use cases than Scout,
this port is incomplete. To provide a fully-fledged zlib and libpng to
Qt4, we renamed the old library ports to 'libz_static' and 'libpng_static',
and added fresh ports of the current zlib-1.2.5 and libpng-1.4.1 to the
'libports' repository. In contrast to the old libraries, the new versions
are built as shared objects.
libSDL
======
We integrated Stefan Kalkowski's original port of libSDL-1.2.13 into the
libports repository. Currently, it comes with back ends for SDL video
using Genode's 'Framebuffer' interface and SDL events using Genode's 'Input'
interface.
Qt4
===
* Enabled support for handling JPEG, GIF, and PNG files. Qt4 does no
longer depends on the 'libz' and 'libpng' libraries of the 'demo'
depository. It uses shared libraries provided by the 'libports'
repository instead.
* Qt4 threads are now named as "Qt <noname>"
* Let Qt4 use the standard C++ library that comes with the GCC tool chain.
This change removed the need for custom 'new' and 'delete' operators.
* The timeout handling is now accomplished using the new 'select'
implementation of the C library.
* Added support for more mouse buttons than only the left one
* Avoid unsupported timezone conversions
* Some Qt4 applications use to rely on local pipes for internal thread
synchronization. Such pipes do not carry payload but are used only as
a mechanism to block and wake up threads. To support such applications,
we added a libc plugin with a simplified implementation of 'pipe()',
which is essentially a lock. The libc plugin is called 'qt_libc_pipe'
and comes as a shared library with the 'qt4' repository.
* Enabled networking support by reverting to the original event dispatcher
implementation using the new 'select()' and 'pipe()' functions of the
C library
* Added 'Thread_qt::stack_base()' function to return the stack base of a
thread as this function is required by Webkit's Javascript engine.
* We moved the Dejavu-Sans font to a library because we use to link this
TTF font as a static resource to various Qt4 applications. By placing
it into a library, we avoid duplicating the font file in the source
tree.
lwIP stack
==========
* The lwIP-specific timed semaphore implementation and the corresponding alarm
thread have been replaced by the new generic timed semaphore provided by
the 'os' repository.
* We improved the integration of lwIP with the C library. The 'libc_lwip'
plugin supports the new 'select' implementation. To improve the convenience
of configuring lwIP, we added two helper libraries 'libc_lwip_loopback' and
'libc_lwip_nic_dhcp'. If either of both libraries is linked against a
lwIP-using target, the IP stack gets configured to use a loopback device or
a NIC adaptor with a dynamically acquired IP address. This facilitates the
reuse of existing BSD-socket-based networking code on Genode without
modifications. For an example, please see 'libports/src/test/lwip/loopback'.
The 'http_srv' example is still using lwIP directly without relying on the
'libc_lwip' plugin.
X event tracker
===============
We refined our window event tracker used for the seamless integration of the
X Window System with the nitpicker GUI. (either on Linux using Xvfb, or with
OKLinux using our Genode-FB stub driver) We improved the accuracy of window
stack operations and reduced pixel artifacts regarding the mouse cursor. The
latter problem, however, is not yet completely solved. Unfortunately, the X
mouse cursor is not captured by the X damage extension used to track screen
updates. Therefore, we need to employ heuristics, which have still room for
improvement.
DDE Kit
=======
We added support for handling sub-page-size I/O memory regions. To hand out
different I/O resources that reside on the same page to different processes,
we changed the I/O memory allocator in core to use byte granularity.
A page is handed out if the requested sub range is still available.
Consequently, one and the same I/O memory page may be mapped to multiple
drivers, each meant to access a portion of the page. At the DDE Kit API
level, small I/O regions are handled completely transparent to the user
of the API.
GUI and sound for paravirtualized Linux
#######################################
With the current release, we brought forward the integration of OKLinux with
native Genode components. This integration is achieved by so-called stub
drivers --- Linux device drivers that use Genode's services instead of hardware
devices. Our original port of OKLinux to Genode came with stub drivers for
virtual timer, user input, and framebuffer devices using Genode's timer-session,
input-session, and framebuffer-session interfaces. We have now complemented
our stub driver with drivers for the seamless integration of the X Window System
with the nitpicker GUI and sound. The Genode stub drivers are unconditionally
compiled into the OKLinux kernel. There is no need to enable them in the Linux
kernel configuration.
GUI
===
The seamless integration of the X Window System running on OKLinux with the
natively running nitpicker GUI is achieved by an enhanced Linux framebuffer
device. The number of virtual framebuffer devices can be declared in the
Genode configuration of the OKLinux kernel as follows:
! <config>
! <screens>
! <framebuffer/>
! <nitpicker/>
! </screens>
! </config>
The order in the 'screens' section determine the order of visible devices in
Linux. A '<framebuffer/>' entry declares a regular 'fb' device corresponding
to the 'Framebuffer' session. A '<nitpicker/>' entry declares an enhanced 'fb'
device that supports the propagation with window-stacking events (via 'ioctl'),
which are needed for the seamless integration of the X Window System. The first
device is typically used as boot console. For this reason, it should be a
regular '<framebuffer/>'. To run the X Window System in seamless mode using the
configuration above, the X server must be configured to use the '/dev/fb1'
device and the X session must start the X event tracker application, which
feeds window-state transitions to the enhanced '/dev/fb1' device. The X event
tracker is a plain Linux program located at 'oklinux/src/app/xev_track'. Note
that this program must be build for a Linux host platformm using a separate
build directory. This build directory must use the 'base-host' repository and
extend the 'SPECS' variable with 'x11', 'xtest', and 'xdamage'.
[image red_green_screenshot]
The screenshot shows two Linux instances and the native launchpad application
seamlessly integrated into a single GUI. We slightly modified nitpicker to tint
each client using a different color when activating the X-Ray mode. Even though
multiple window systems are running in parallel, the tinting and nitpicker's
floating labels reveal the information about which part of the screen belongs
to which protection domain.
Applications
############
In the line of the 'libports' repository, we added a new 'ports' repository.
Whereas 'libports' is meant as a place for 3rd-party libraries, 'ports' is the
designated place for 3rd-party applications. The mechanism for downloading
and preparing upstream source-code distributions is exactly the same.
The first application is the Qt4-based Arora web browser.
Arora web browser
=================
Arora has its origin as an example application for Qt4. However, it emancipated
itself to be a separate project.
:[http://arora.googlecode.com]: Arora project website
Even though compared with other browsers, its popularity is relatively small
but for us, it is perfect to stretch the bounds of our Genode infrastructure.
The following screenshot shows Arora running as native Genode process.
[image arora_screenshot]
Porting Arora to Genode motivated many improvements of our C library, the Qt4
port, and the lwIP stack. In the current state, the application is fully
functional and can be used to browse complex websites. However, our port is
still a proof of concept and not fully stable. As one interesting detail, Arora
on Genode is directly linked against the lwIP stack, which obtains an IP
address via DHCP.
To download the Arora source code, issue 'make prepare' from the 'ports'
repository. For building the application, make sure to have also prepared the
'qt4' and 'libports' repositories and specified those repositories in
your '<build-dir>/etc/build.conf' file. From within your build directory, you
can then issue 'make app/arora'.
For a first test drive, we recommend to use the Linux version of Genode.
On Linux, we can use Genode's TUN/TAP device driver located at
'os/src/drivers/nic/linux'. This driver uses the 'tap0' device to send and
receive raw Ethernet packets. To create such a device, issue the following
command (use 'sudo'):
! tunctl -b -u <username>
This command should return the name of the TAP device. If no other
TAP devices were created prior executing 'tunctl', this should be 'tap0'.
You can activate the device via:
! ifconfig tap0 up
To associate 'tap0' with your Ethernet device connected to the internet,
you will further need a bridge device:
! brctl addbr br0
This command creates a new bridge device called br0. Let's now associate
the bridge with both, your 'eth0' device (connected to the internet) and
the 'tap0' device:
! brctl addif br0 eth0
! brctl addif br0 tap0
Now you can activate the bridge and try to obtain a fresh IP address.
! ifconfig br0 up
! dhclient br0
After following these steps, the 'os/src/drivers/nic/linux' driver should
be functional and you can use the following init configuration (using the
traditional version of init) for starting Arora on Linux:
! <config>
! <start>
! <filename>fb_sdl</filename>
! <ram_quota>2M</ram_quota>
! </start>
! <start>
! <filename>timer</filename>
! <ram_quota>0x20000</ram_quota>
! </start>
! <start>
! <filename>nitpicker</filename>
! <ram_quota>1M</ram_quota>
! </start>
! <start>
! <filename>nic_drv</filename>
! <ram_quota>1M</ram_quota>
! </start>
! <start>
! <filename>arora</filename>
! <ram_quota>2G</ram_quota>
! </start>
! </config>
Note that the default memory pool used by Genode on Linux might be too small
for running Arora. To increase the amount of usable memory, change the
'_some_mem' declaration in 'base-linux/src/core/platform.cc'.
Platform-specific changes
#########################
:Codezero:
* Adapted Genode to the development branch of Codezero version 0.3 and the
'gcc-4.4' tool chain
* Implemented the Genode lock using Codezero's kernel mutex as block/unblock
mechanism. This way, the lock supports the full semantics of the lock
API including lock cancellation. The design is the same as for the lock on
NOVA. There is one kernel mutex per thread, which is part of the thread
context. A tread can block itself by trying to acquire the mutex twice.
Another thread can then wake up the thread by releasing the mutex.
* Added a new mechanism for ROM modules via a separate ROM ELF image. The
new mechanism relies on the new 'gen_romfs' tool at 'base-codezero/tool'.
For changing the set of boot modules, core must no longer be modified
or recompiled.
* Implemented core's IRQ service for Codezero
:NOVA:
To use NOVA on recent hardware, which often lacks RS232 ports, a serial PCI
card can be used for debugging. Because such a card is not initialized by the
BIOS, we added proper serial initialization code to NOVA core console.
Build system
############
New two-stage build system
==========================
Since the thorough
[http://www.genode-labs.com/publications/scons-vs-make-2008.pdf - analysis of the Genode build system]
by Ludwig Hähne in 2008, we were planning to incorporate his findings into
Genode. In his study, he reimplemented Genode's make-based build system using
SCons and compared both implementations. For us, the two most interesting
conclusions were that recursive make is evil and that SCons scales worse than
make with regard to memory usage.
The statement about recursive make was not entirely new to us but because we
were not aware of a good alternative, our build system relies on this scheme
for handling inter-library dependencies. This becomes troublesome if enabling
parallel builds using '-j'. If two libraries A and B depend on the same
library C, both A and B can be build concurrently, and both will issue the
build process for library C. However, if one and the same library C is build
twice in parallel, race conditions happen. For this reason, we explicitly
disabled parallel execution of make rules using GNU make's '.NOTPARALLEL'
feature. But this severe limits the scalability of the build system.
But according to the findings of the study, 'SCons' seemed to be no viable
alternative for other reasons, most importantly its memory foot print when
dealing with large source trees. SCons uses to create a complete dependency
graph by reading all SConscript files of the source tree. For building the
complete tree, this is of course needed but most of the time, only little parts
of the tree are of interest. In contrast, the Genode build system processes
only those build-description files that are required for the current build,
resulting in a constant memory usage regardless of the size of the source tree.
Finally, the study evidenced that flat make outperformed both SCons and
recursive make in terms of performance, scalability regarding parallelism,
and memory footprint.
Consequently, we sticked with our make-based solution but were seeking for
a way to avoid recursive make. We have now realized a solution that replaces
our original single-pass recursive make by a two-stage approach.
At the first stage, a library-dependency graph is generated by using recursive
make with no parallelism. Starting from the set of targets specified at the
top-level make instance, all library-description files required by those
targets are traversed in a recursive manner. So libraries can depend on further
libraries. During this process, a dependency graph for the particular set of
targets is generated. It is represented as a makefile called
'<build-dir>/var/libdeps'.
The second stage is driven by the generated '<build-dir>/var/libdeps' file,
taking full advantage of parallelism. Because all inter-library dependencies
are now specified at one flat makefile, race conditions cannot occur and the
build performance effectively corresponds to a flat make. For building
each single leaf of the dependency graph (either a library or a target),
a sub make is used, which encapsulates the leaf-specific build environment
such as custom compiler flags or defines.
Following the lines of the original build system, both stages visit only
those build-description files that are required for the current set of
targets. If this set is large, the first stage causes a clearly visible delay
prior the actual build, which was formerly obscured in the call sequence of
recursive make instances. The work flow of developing interdependent components
such as an application, a protocol stack, and a device driver often comprehends
a build command that is repetitively used. For example,
! make drivers server app/stresstest
To avoid the costs for regenerating the same dependency graph again and again,
the first stage can be skipped by using:
! make again
This way, the current version of 'var/libdeps' is reused for the second
stage. In practice, this shortcut provides a welcome performance boost for such
work flows.
From the developer's point of view, the new build system is fully compatible
with the old one but faster. No build-description files need to be changed to
take advantage of it. We slightly changed the build output because the grouping
of build steps to targets is no longer useful when building in parallel. The
best way for directing the build system to work in parallel is specifying a
'-j' argument in your '<build-dir>/etc/build.conf' file, for example
! 'MAKE += -j 4'
Further improvements are a much faster clean rule, an improved handling of
defect or missing libraries, and the detection of ambiguous target names.
Improved interplay between shared objects and static libraries
==============================================================
We reworked the interplay between static libraries and shared objects to cover
cases where static libraries are linked against shared objects. Because this is
possible, all libraries are now compiled as position-independent code (using
the '-fPIC' compiler option) unless specified otherwise. This behaviour can be
disabled per library by adding 'CC_OPT_PIC =' to its library-description file.