- test multicomponent live update with and without rs and/or vm;
- retry the update a few times if the failure code suggests it might
be a transient failure.
When the malloc code is instrumented, the global _brksize variable
should not be transferred. However, when the malloc code is not
instrumented, failing to transfer _brksize would reset the heap
upon state transfer. In this patch, the magic pass stores the flag
indicating whether memory function instrumentation is disabled, in
the target process. This allows libmagic to check this flag during
state transfer, to see whether it should transfer _brksize or not.
This patch changes the VM makefile to specify that the magic pass is
to skip memory function instrumentation, and to transfer the data
variables of the malloc code (thus overriding the exception we made
for all other system services). We add two magic pass flags to
achieve this. Since the magic pass is a big bowl of spaghetti code,
ignoring whitespace changes while viewing this patch is recommended.
The NetBSD libc malloc implementation uses a memory-mapped area for
its page directory. Since the process heap is reconstructed upon
state transfer for live update, this memory-mapped area must not be
transferred to the new process. However, as the new instance of the
process being updated inherits all memory-mapped areas of the old
instance, it also automatically inherits the malloc implementation's
page directory. Thus, we must explicitly free this area in order to
avoid a memory leak.
The magic pass already detects (de)allocation functions called from
within other (de)allocation functions, which is why the mmap(2) and
munmap(2) calls of the malloc code are not instrumented as it is.
This patch changes that particular case to allow a different hook
function to be called for such "nested" allocation calls, for a
particular set of nested calls. In particular, the malloc(3) code's
mmap(2) and munmap(2) calls are replaced with magic_nested_mmap and
magic_nested_munmap calls, respectively. The magic library then
tracks memory mapping allocations of the malloc code by providing an
implementation for these two wrappers, and frees the allocations upon
state transfer.
This approach was chosen over various alternatives:
- While it appears that nesting could be established by setting a
flag while the malloc(3) wrapper is active, and testing the flag in
the mmap(2)/munmap(2) wrappers, this approach would fail to detect
memory-mapped allocations made from uninstrumented malloc(3) calls,
and therefore not a viable option.
- It would be possible to obtain the value of the variables that
store the information about the memory-mapped area in the malloc
code. However, this is rather difficult in practice due to the way
the libc malloc implementation stores the size of the are, and it
would make the solution more dependent on the specific libc malloc
implementation.
- It would be possible to use the special "nested" instrumentation
for allocations made from certain marked sections. Since we mark
the data section of the malloc code already, this would not be hard
to do. Switching to this alternative would change very little, and
if for any reason this approach yields more advantages in the
future, we can still choose to do so.
Since the heap is reconstructed upon state transfer, the old malloc
state is discarded. In order to avoid state transfer errors, we can
and in fact must discard the internal state of the malloc
implementation. This patch achieves this by using the sectionify
pass to mark the variables in the libminc malloc object as state that
must be skipped during state transfer.
RS/VM: proper preparation for multi-VM live update
Due to changed VM internals, more elaborate preparation is required
before a live update with multiple components including VM can take
place. This patch adds the essential preparation infrastructure to
VM and adapts RS to make use of it. As a side effect, it is no
longer necessary to supply RS as the last component (if at all)
during the set-up of a multicomponent live update operation.
During live update, the new instance of VM may make changes that,
after a rollback, have to be undone by the old instance of VM, in
particular because both instances share (read-write) all dynamically
allocated pages.
Make the passes we have so far, hello and WeakAliasModuleOverride,
use settings from a Makefile include file in the parent directory.
This change is in preparation of adding other passes.
Lionel Sambuc [Fri, 23 Jan 2015 17:30:39 +0000 (18:30 +0100)]
QEMU default command lines updates
- Fix a bug in clientctl which tried to test for kvm. This simply
remove this faulty test as the kvm command has been deprecated by the
QEMU project for a couple of years now.
- Specify by default 256M of RAM as this is the minimal amount required
for the whole-OS live update test to succeed.
- Update the default command printed out at the end of the x86_hdimage
script to be more generic, less focused on one use-case.
The filtering also exposed the risk that a process be killed or
swapped while on the list of VM memory requests. These cases are
now handled properly as well.
Lionel Sambuc [Mon, 26 Jan 2015 14:09:05 +0000 (15:09 +0100)]
VM: set recovery policy to restart
- Update proc to select restart policy for VM
- Update testrelpol to test the supported modes of recovery for VM
- Small code cleanups in testrelpol as well.
A missing check to see whether the range being transferred is sane
(with a starting address lower than an ending address) caused extra
memory to be marked erroneously as copy-on-write for some processes,
ultimately resulting in pagefaults on the stack during live update
rollback.
Dirk Vogt [Mon, 19 Jan 2015 14:20:30 +0000 (15:20 +0100)]
VM: live update - check for regions above stack
If the stack is not mapped at the VM_DATATOP (e.g. booted with
ac_layout = 1), there might be some more regions hiding above
the stack. We also have to transfer those.
The 'memory' service has holes in its data section, which causes
problems during state transfer. Since VM cannot handle page faults
during a multicomponent-with-VM live update, the state transfer must
ensure that no page faults occur during copying. Therefore, we now
query VM about the regions to copy, thus skipping holes. While the
solution is not ideal, it is sufficiently generic that it can be used
for the data section state transfer of all processes, and possibly
for state transfer of other regions in the future as well.
Ben Gras [Thu, 15 Jan 2015 15:47:46 +0000 (16:47 +0100)]
vm: restartability improvements (#1)
Two bugs fixed wrt vm restartability.
. make sure pagetable data is only allocated
using dynamic data instead of static spare pages
(bootstrap pages). They are needed for bootstrap
but now repeat some of the initialization so only
dynamic data remains. This solves the problem of
physical addresses changing (as static pages are
re-allocated for the new instance) after update.
. pt_ptalloc has to be specified in bytes instead of
pde slot numbers. leaving pt_pt NULL causes mapping
transfers to fail because NULL happens to be mapped in
then and updates then happen there.
. added some sanity checks against the above happening.
The new state is that VM can update many times, but the system
isn't fully reliable afterwards yet.
Ben Gras [Sun, 28 Jun 2015 22:07:29 +0000 (00:07 +0200)]
Kernel: delivermsg improvements
. make arch-independent, and local to proc.c, reduce code duplication
. make vm_suspend public but unduplicated in proc.c
. ask VM for handling once, 2nd time SIGSEGV process
. remove debug printfs
. test case for bogus sendrec() address argument
Allow extra space for in-band metadata when allocating cache blocks.
Edited by David van Moolenbroek: since this effectively halves the
potential size of the typical file system cache, do this only when
compiling with instrumentation.
Edited by David van Moolenbroek to deallocate the guard page as well.
Note that while the new approach is better in theory (previously, the
hole could end up being filled by another allocated page), guard page
protection is now broken in practice, because VM does not support
setting specific page permissions (in this case, PROT_NONE).
VM used to call sendrec to send a boot-time RS_INIT reply to RS, but
RS could run into a pagefault at the same time, thus spawning a
message to VM, resulting in a deadlock. We resolve this situation by
making VM acknowledge RS_INIT asynchronously at boot time, while
retaining the synchronous sendrec for subsequent RS_INIT responses.
The following services have been updated to support stateful restarts:
- Drivers: tty
- Filesystems: isofs, mfs, pfs, libvtreefs-based file servers
- System servers: tty, ds, pm, vfs, vm
Previously, RS would clean up dead services only when it is idle.
During shutdown, all services are marked with the 'exiting' flag,
and these flags lead RS to conclude it is not idle. Therefore, at
shutdown time, no services were cleaned up anymore, leading to
deadlock situations. For example, VFS could end up waiting for a
service that was already dead, or one driver could end up waiting
for an interrupt on a line shared with another dead driver.
While it may be possible to ignore RS_EXITING when checking idle
status, other flags may have the same ultimate effect. Therefore,
this patch skips the idle check altogether when in shutdown mode.
While in a multicomponent live update that includes RS, the new RS
instance may receive heartbeat replies which, after a rollback, the
old RS instance will then never see. As a result, the rolled-back
RS instance may end up killing well-behaving services.
Some select queries require a response from device drivers. If a
select call is nonblocking (with a zero timeout), the response to
the caller may have to be deferred until all involved drivers have
responded to the initial query. This is handled just fine.
However, if the select call has a timeout that is so short that it
triggers before all the involved drivers have responded, the
resulting alarm would be discarded, possibly resulting in the call
blocking forever. This fix changes the alarm handler such that if
the alarm triggers too early, the select call is further handled
as though it was nonblocking.
This fix resolves a test77 deadlock on really slow systems.
- ping(1) triggers warnings about unimplemented exceptions for select;
even if there could be a useful implementation (which is doubtful),
the warnings are not helping anyone right now;
- the clock_t data type has changed.
Fix /dev/tty-related issues in tmux(1) by hardcoding the PTY major
in VFS in addition to the TTY major. Even though this is exactly
what we did NOT want to have to do, the actual fix for this issue
is going to take a little longer.
The previous approach of storing pointers to messages structures for
thread-blocking sendrec operations relied on several assumptions,
which if violated could lead to odd cases of memory corruption.
With this patch, VFS resets pointers right after use, avoiding that
any dangling pointers are accidentally dereferenced later. This
approach was already used in some cases, but not all of them.
For dynamically linked executables, the interpreter is passed a
file descriptor of the binary being executed. To this end, VFS
opens the target executable, but opening the file fails if it is
not readable, even when it is executable. With this patch, when
opening the executable, it verifies the X bit rather than the R
bit on the file, thus allowing the execution of dynamically
linked binaries that are executable but not readable.
This patch changes the prefetch API so that file systems must now
provide a set of block numbers, rather than a set of buffers. The
result is a leaner and more well-defined API; linear computation of
the range of blocks to prefetch; duplicates no longer interfering
with the prefetch process; guaranteed inclusion of the block needed
next into the prefetch range; and, limits and policy decisions better
established by libminixfs now actually being moved into libminixfs.
libminixfs: better support for read errors and EOF
- The lmfs_get_block*(3) API calls may now return an error. The idea
is to encourage a next generation of file system services to do a
better job at dealing with block read errors than the MFS-derived
implementations do. These existing file systems have been changed
to panic immediately upon getting a block read error, in order to
let unchecked errors cause corruption. Note that libbdev already
retries failing I/O operations a few times first.
- The libminixfs block device I/O module (bio.c) now deals properly
with end-of-file conditions on block devices. Since a device or
partition size may not be a multiple of the root file system's block
size, support for partial block retrival has been added, with a new
internal lmfs_get_partial_block(3) call. A new test program,
test85, tests the new handling of EOF conditions when reading,
writing, and memory-mapping a block device.
This patch changes the libminixfs API and implementation such that the
library is at all times aware of how many total and used blocks there
are in the file system. This removes the last upcall of libminixfs
into file systems (fs_blockstats). In the process, make this part of
the libminixfs API a little prettier and more robust. Change file
systems accordingly. Since this change only adds to MFS being unable
to deal with zones and blocks having different sizes, fail to mount
such file systems immediately rather than triggering an assert later.
This removes an implicit requirement for the way the libminixfs API is
to be used, namely that a block is to be marked as dirty only once its
contents have been fully updated, within a single get_block/put_block
window. The requirement may not be appropriate for all file systems.