Commit graph

6779 commits

Author SHA1 Message Date
David van Moolenbroek
78ff1e69b6 libmagic: fail on all state transfer errors
Also do not report debugging information by default.

Change-Id: I5d80a3df3c3ecc16a577d88abe6e37a792add747
2015-09-17 17:14:03 +00:00
David van Moolenbroek
0d6c408f48 libblockdriver: suspend threads for live update
Same as for VFS.

Change-Id: I0f09d43f24c32361af5e5658923140c79244d3d1
2015-09-17 17:13:52 +00:00
David van Moolenbroek
728b0e5b34 VFS: suspend threads for live update
- do not allow live update for request and protocol free states if
  there are any worker threads that have pending or active work;
- destroy all worker threads before such live updates and recreate
  them afterwards, because transferring (the contents of) the
  thread stacks is not an option at this time;
- recreate worker threads in the new instance only if they were
  shut down before the state transfer, by letting RS provide the
  original preparation state as initialization information.

Change-Id: I846225f5b7281f19e69175485f2c88a4b4891dc2
2015-09-17 17:13:46 +00:00
David van Moolenbroek
129adfeb53 Annotations and tweaks for live update
This change is necessary for instrumentation-aided state transfer.

Change-Id: I24be938009f02e302a15083f9a7a11824975e42b
2015-09-17 17:13:38 +00:00
David van Moolenbroek
23369f9c9e DS: workaround for weak symbol issue
The bitcode file given to the instrumentation pass does not include
certain weak symbols, in particular regcomp and regfree, which are
required to be visible to the magic pass for state transfer to work
correctly.  This patch forces DS to make the calls using their actual
symbol names (with leading underscore), thus resolving the issue, but
this issue should really be solved in a cleaner and more generic way.

Change-Id: Iebee4341cc30ddabcf7593afb5c49d41c0839863
2015-09-17 17:13:28 +00:00
David van Moolenbroek
3a3478dcea magic pass: register additional compatible types
This patch is a first step towards working around the larger problem of
LLVM 3.x's use of bitcasting between structures and their elements to
deal with opaque types, replacing LLVM 2.x's actual unification.  The
patch allows the pass to register a larger number of compatible types,
in particular for structure pointers passed through function calls.
A skeleton is provided for dealing with structure elements as well, but
that part requires much more work.  It remains to be seen whether a
more structural approach to dealing with this problem may be warranted.

For now, this change is necessary to allow instrumented state transfer
of various "minix_timer" structures and pointers in PM and VFS.

Change-Id: Ib717d86ccfced53387e72a92750d22ae980c3466
2015-09-17 17:13:21 +00:00
David van Moolenbroek
ebef68bf4c libmagic: supply own ctype macros
Due to the current linker command line ordering, parts of lib(min)c
that are used exclusively by libmagic end up not being instrumented,
which then causes problems transferring pointers such as _ctype_tab_
and _tolower_tab_.  As a temporary workaround, we redefine the macros
that use those pointers.  A better long-term solution should
eventually render this patch obsolete.

Change-Id: Ice1d125ff6fb2f65ac6dcc6cf6eec7cd6176bee1
2015-09-17 17:13:13 +00:00
David van Moolenbroek
c8f6986185 libmagic: ignore kernel pointers on MINIX3
Change-Id: I8830cab3d6637bae6141dc2b0e209d319703787f
2015-09-17 17:13:03 +00:00
David van Moolenbroek
1aad172900 Make more services use stateful live update
Change-Id: If2e5b8e56fef633e471ec1cbb6e08ce3496ea755
2015-09-17 17:12:02 +00:00
David van Moolenbroek
a4220d7774 tests: extend multicomponent live update test
- test multicomponent live update with and without rs and/or vm;
- retry the update a few times if the failure code suggests it might
  be a transient failure.

Change-Id: I5fce256bb418be257353ed21428f672d851d974d
2015-09-17 14:11:48 +00:00
David van Moolenbroek
b6b6793d05 tests: improve testrelpol.sh robustness
- fix a TOCTOU bug;
- stop the script on permanent failure.

Change-Id: I570cce3427945ad34d283ded013219c93402ddf9
2015-09-17 14:11:09 +00:00
David van Moolenbroek
54434d4eff tests: remove VM exceptions from testrelpol.sh
Change-Id: Ied1db7e77d1849ecb5e92fe9694bb395983c6122
2015-09-17 14:10:53 +00:00
David van Moolenbroek
c0df94ec22 RS: remove support for unsafe updates
This feature should no longer be necessary.

Change-Id: I9bff628be020cf1741bffaeb3bb97e3660a54aea
2015-09-17 14:09:47 +00:00
David van Moolenbroek
4506a0eebf VM: allocate cache pages in mmap region
That way, these pages are transferred during live update, as they
should.  This resolves a mfs crash after a number of live updates.

Change-Id: Ia53bec2692b2114c29b96a453beb0f915f56453a
2015-09-17 14:09:06 +00:00
David van Moolenbroek
7f79fb8810 Improve asynsend support for process swapping
This resolves various system stalls while running testrelpol.

Change-Id: Ie70fc2dbcdb0a8c9e3800cc0df564be747e111ec
2015-09-17 14:08:30 +00:00
David van Moolenbroek
5105ab554b Ignore a new ARM driver entry for instrumentation
Change-Id: I710a7534d2ba41107641252b9f80f197d04ba107
2015-09-17 14:08:01 +00:00
David van Moolenbroek
c07c198b5f Disable malloc instrumentation for VM (#2)
When the malloc code is instrumented, the global _brksize variable
should not be transferred.  However, when the malloc code is not
instrumented, failing to transfer _brksize would reset the heap
upon state transfer.  In this patch, the magic pass stores the flag
indicating whether memory function instrumentation is disabled, in
the target process.  This allows libmagic to check this flag during
state transfer, to see whether it should transfer _brksize or not.

Change-Id: Ia004651e21e08b0ed3f5305865c53c6659e18f38
2015-09-17 14:07:31 +00:00
David van Moolenbroek
76b68f9f99 Disable malloc instrumentation for VM (#1)
This patch changes the VM makefile to specify that the magic pass is
to skip memory function instrumentation, and to transfer the data
variables of the malloc code (thus overriding the exception we made
for all other system services).  We add two magic pass flags to
achieve this.  Since the magic pass is a big bowl of spaghetti code,
ignoring whitespace changes while viewing this patch is recommended.

Change-Id: I5ab83b23d8437b37c44dea99537bc202469c9df6
2015-09-17 14:05:14 +00:00
David van Moolenbroek
b7725c8552 Fix mmap leak in malloc code upon state transfer
The NetBSD libc malloc implementation uses a memory-mapped area for
its page directory.  Since the process heap is reconstructed upon
state transfer for live update, this memory-mapped area must not be
transferred to the new process.  However, as the new instance of the
process being updated inherits all memory-mapped areas of the old
instance, it also automatically inherits the malloc implementation's
page directory.  Thus, we must explicitly free this area in order to
avoid a memory leak.

The magic pass already detects (de)allocation functions called from
within other (de)allocation functions, which is why the mmap(2) and
munmap(2) calls of the malloc code are not instrumented as it is.
This patch changes that particular case to allow a different hook
function to be called for such "nested" allocation calls, for a
particular set of nested calls.  In particular, the malloc(3) code's
mmap(2) and munmap(2) calls are replaced with magic_nested_mmap and
magic_nested_munmap calls, respectively.  The magic library then
tracks memory mapping allocations of the malloc code by providing an
implementation for these two wrappers, and frees the allocations upon
state transfer.

This approach was chosen over various alternatives:

- While it appears that nesting could be established by setting a
  flag while the malloc(3) wrapper is active, and testing the flag in
  the mmap(2)/munmap(2) wrappers, this approach would fail to detect
  memory-mapped allocations made from uninstrumented malloc(3) calls,
  and therefore not a viable option.
- It would be possible to obtain the value of the variables that
  store the information about the memory-mapped area in the malloc
  code.  However, this is rather difficult in practice due to the way
  the libc malloc implementation stores the size of the are, and it
  would make the solution more dependent on the specific libc malloc
  implementation.
- It would be possible to use the special "nested" instrumentation
  for allocations made from certain marked sections.  Since we mark
  the data section of the malloc code already, this would not be hard
  to do.  Switching to this alternative would change very little, and
  if for any reason this approach yields more advantages in the
  future, we can still choose to do so.

Change-Id: Id977405da86a72458dd10f18e076d8460fd2fb75
2015-09-17 14:04:43 +00:00
David van Moolenbroek
9b9bea921f Do not instrument malloc implementation variables
Since the heap is reconstructed upon state transfer, the old malloc
state is discarded.  In order to avoid state transfer errors, we can
and in fact must discard the internal state of the malloc
implementation.  This patch achieves this by using the sectionify
pass to mark the variables in the libminc malloc object as state that
must be skipped during state transfer.

Change-Id: Ie330f582c8bd45f37a878ea41fa0f9d4a18045e1
2015-09-17 14:03:47 +00:00
David van Moolenbroek
abf8a7e7b3 RS/VM: proper preparation for multi-VM live update
Due to changed VM internals, more elaborate preparation is required
before a live update with multiple components including VM can take
place.  This patch adds the essential preparation infrastructure to
VM and adapts RS to make use of it.  As a side effect, it is no
longer necessary to supply RS as the last component (if at all)
during the set-up of a multicomponent live update operation.

Change-Id: If069fd3f93f96f9d5433998e4615f861465ef448
2015-09-17 14:01:06 +00:00
David van Moolenbroek
5a4672e300 VM: undo actions after live-update rollback
During live update, the new instance of VM may make changes that,
after a rollback, have to be undone by the old instance of VM, in
particular because both instances share (read-write) all dynamically
allocated pages.

Change-Id: I2bcfa8e627ca6084b1991e0af7cccecc683894a2
2015-09-17 14:00:32 +00:00
David van Moolenbroek
40aba308a0 libmagic: free actual dsentry rather than a copy
This resolves an infinite loop during boot, in libblockdriver freeing
DMA memory at the end of a partition(3) call.

Change-Id: I0757aa48f769ea79eab7160f23ee4c97cf58e055
2015-09-17 14:00:07 +00:00
David van Moolenbroek
949a3e52e5 Break loose from llvm-apps entirely
Change-Id: I532f5f44c785c1a72407b504568d54fc6cbabf8f
2015-09-17 13:58:57 +00:00
David van Moolenbroek
0acd3f1ae0 Import magic library from llvm-apps
Change-Id: Icfbcfae6afc731a23e71448a7a5d0045b2c219e5
2015-09-17 13:58:32 +00:00
David van Moolenbroek
3e457fe321 Import magic pass from llvm-apps
Change-Id: I19535b913b50f2ff24aeb80ddefc92e305c31fe8
2015-09-17 13:57:53 +00:00
David van Moolenbroek
b5e2faaaaf Import sectionify pass from llvm-apps
Change-Id: I3e3ac102b4898ca22ed1d9c25ec309d77bbe32de
2015-09-17 13:57:29 +00:00
David van Moolenbroek
3956ee9eed LLVM passes: centralize Makefile structure
Make the passes we have so far, hello and WeakAliasModuleOverride,
use settings from a Makefile include file in the parent directory.
This change is in preparation of adding other passes.

Change-Id: Ib195ee7f5c7626f4975368b02c944382e87e3814
2015-09-17 13:56:41 +00:00
Erik van der Kouwe
63a89582ab x86_hdimage: increase image size for bitcode build
Make disk image size sufficient for LLVM bitcode build with symbols.

Edited by David van Moolenbroek to do this only when -b is given.

Change-Id: I3bde164756c477b4af5ed9435ca03da3b186cf7e
2015-09-17 13:55:38 +00:00
Lionel Sambuc
44bb91d464 BitCode: Fix Dynamic Binaries
Change-Id: I7f3b775426a0c79969c7efc7a9970683b9dd950c
2015-09-17 13:55:06 +00:00
Lionel Sambuc
3ceafe99fd Support BUILDVARS from cmd line in configure.llvm
Change-Id: I59527c60cb34c12fd2bed449b37bb812a83c4e42
2015-09-17 13:53:18 +00:00
Cristiano Giuffrida
035cdb2e79 llvm: Never rebuild gold in configure.llvm.
Change-Id: I7378ca38a5a9bf018823b6431d1a4ca8fbb10b58
2015-09-17 13:52:35 +00:00
Cristiano Giuffrida
c9590fa23a llvm: Fix OPTFLAGS.
Change-Id: Id35ac2821ad69825735c50a32bdd04d8453edb22
2015-09-17 13:52:24 +00:00
Lionel Sambuc
d8d3052dd0 QEMU default command lines updates
- Fix a bug in clientctl which tried to test for kvm. This simply
   remove this faulty test  as the kvm command has been deprecated by the
   QEMU project for a couple of years now.

 - Specify by default 256M of RAM as this is the minimal amount required
   for the whole-OS live update test to succeed.

 - Update the default command printed out at the end of the x86_hdimage
   script to be more generic, less focused on one use-case.

Change-Id: Ic555d50a3a1471f7d35cc7fd369f2292add6ac39
2015-09-17 13:51:14 +00:00
Cristiano Giuffrida
f8ddf7c81d releasetools: Fix CREATE_IMAGE_ONLY in x86 hdimage script.
Change-Id: Ie1c8dbedc16b8edac16f5b76b36df30b3a4eddb1
2015-09-17 13:51:02 +00:00
Cristiano Giuffrida
1e7bfb997f llvm: Build scripts improvements.
Change-Id: I278cdebccdba18be7e264bfd240ff02d4480b33c
2015-09-17 13:49:25 +00:00
Cristiano Giuffrida
04c5ac3eb5 llvm: Extend clientctl with many features.
Change-Id: I739eefa46458e956cb79c42a8cbf880428eec794
2015-09-17 13:49:03 +00:00
Cristiano Giuffrida
c3041d5c6d llvm: Fix module map generation.
Change-Id: If9c2bef4c0ef3d002ac65a2c66aabcf0cf99ff95
2015-09-17 13:48:40 +00:00
Cristiano Giuffrida
326b9df3db llvm: Improve error handling in configure.llvm.
Change-Id: I9aa8f8a07a512f642447c70dca2e85d40ebe2b2a
2015-09-17 13:48:18 +00:00
David van Moolenbroek
3779ed93c3 Kernel: IPC filter support for VM memory requests
The filtering also exposed the risk that a process be killed or
swapped while on the list of VM memory requests.  These cases are
now handled properly as well.

Change-Id: Ibd3897b34abdf33bce19d37b8e5f65fbd0fd9316
2015-09-17 13:46:23 +00:00
Lionel Sambuc
8b0f8559ee VM: set recovery policy to restart
- Update proc to select restart policy for VM
 - Update testrelpol to test the supported modes of recovery for VM
 - Small code cleanups in testrelpol as well.

Change-Id: I6958e100865c2429b9435f3f7cc7d018046378c3
2015-09-17 13:45:43 +00:00
David van Moolenbroek
95cb93971a VM: fix mmap region transfer range bug
A missing check to see whether the range being transferred is sane
(with a starting address lower than an ending address) caused extra
memory to be marked erroneously as copy-on-write for some processes,
ultimately resulting in pagefaults on the stack during live update
rollback.

Change-Id: I1516b509b485379606d8df05b8a0f514896a0f19
2015-09-17 13:44:55 +00:00
Dirk Vogt
a6db4d0a62 VM: live update - check for regions above stack
If the stack is not mapped at the VM_DATATOP (e.g. booted with
ac_layout = 1), there might be some more regions hiding above
the stack.  We also have to transfer those.

Change-Id: Idf3b94a36fcec8a10ace2f6dffe816faf0a88f60
2015-09-17 13:44:30 +00:00
Ben Gras
8f4f859b35 RS: synchronize priv from kernel after swap
. make sure the priv id etc is maintained so
	  future privctl talk about the right thing
	. solves broken IPC after update

Change-Id: I17ed0212c22d634e6db1e80f8dcb2fb8bffe82c6
2015-09-17 13:43:49 +00:00
David van Moolenbroek
2867e60add SEF: query VM about holes during state transfer
The 'memory' service has holes in its data section, which causes
problems during state transfer.  Since VM cannot handle page faults
during a multicomponent-with-VM live update, the state transfer must
ensure that no page faults occur during copying.  Therefore, we now
query VM about the regions to copy, thus skipping holes.  While the
solution is not ideal, it is sufficiently generic that it can be used
for the data section state transfer of all processes, and possibly
for state transfer of other regions in the future as well.

Change-Id: I2a71383a18643ebd36956c396fbd22c8fd137202
2015-09-17 13:43:06 +00:00
Ben Gras
683f1fcab3 vm: restartability improvements (#2)
also allocate vm pagetables dynamic-only.

further improves restart survivability.

Change-Id: Iac44845d9bd434408b23755274fa890a7b851373
2015-09-17 13:42:18 +00:00
Ben Gras
10e6ba68d2 vm: restartability improvements (#1)
Two bugs fixed wrt vm restartability.

	. make sure pagetable data is only allocated
	  using dynamic data instead of static spare pages
	  (bootstrap pages). They are needed for bootstrap
	  but now repeat some of the initialization so only
	  dynamic data remains. This solves the problem of
	  physical addresses changing (as static pages are
	  re-allocated for the new instance) after update.
	. pt_ptalloc has to be specified in bytes instead of
	  pde slot numbers. leaving pt_pt NULL causes mapping
	  transfers to fail because NULL happens to be mapped in
	  then and updates then happen there.
	. added some sanity checks against the above happening.

The new state is that VM can update many times, but the system
isn't fully reliable afterwards yet.

Change-Id: I7313602c740cdae8590589132291116ed921aed7
2015-09-17 13:41:26 +00:00
Ben Gras
8bab0dfa2a Kernel: delivermsg improvements
. make arch-independent, and local to proc.c, reduce code duplication
    . make vm_suspend public but unduplicated in proc.c
    . ask VM for handling once, 2nd time SIGSEGV process
    . remove debug printfs
    . test case for bogus sendrec() address argument

Change-Id: I3893758910c01de60b8fe3e50edd594296a0b73e
2015-09-17 13:41:09 +00:00
Cristiano Giuffrida
36f477c20e vm: Allow in-band metadata for cache blocks
Allow extra space for in-band metadata when allocating cache blocks.

Edited by David van Moolenbroek: since this effectively halves the
potential size of the typical file system cache, do this only when
compiling with instrumentation.

Change-Id: I0840af6420899ede2d5bb7539e79c0a456b5128d
2015-09-17 13:40:39 +00:00
Cristiano Giuffrida
75206e2f3e libmthread: Fix guard page mapping.
Edited by David van Moolenbroek to deallocate the guard page as well.
Note that while the new approach is better in theory (previously, the
hole could end up being filled by another allocated page), guard page
protection is now broken in practice, because VM does not support
setting specific page permissions (in this case, PROT_NONE).

Change-Id: I882624f5d152d3ebe82fca649cbad85aa4931780
2015-09-17 13:38:44 +00:00