- test multicomponent live update with and without rs and/or vm;
- retry the update a few times if the failure code suggests it might
be a transient failure.
Change-Id: I5fce256bb418be257353ed21428f672d851d974d
That way, these pages are transferred during live update, as they
should. This resolves a mfs crash after a number of live updates.
Change-Id: Ia53bec2692b2114c29b96a453beb0f915f56453a
When the malloc code is instrumented, the global _brksize variable
should not be transferred. However, when the malloc code is not
instrumented, failing to transfer _brksize would reset the heap
upon state transfer. In this patch, the magic pass stores the flag
indicating whether memory function instrumentation is disabled, in
the target process. This allows libmagic to check this flag during
state transfer, to see whether it should transfer _brksize or not.
Change-Id: Ia004651e21e08b0ed3f5305865c53c6659e18f38
This patch changes the VM makefile to specify that the magic pass is
to skip memory function instrumentation, and to transfer the data
variables of the malloc code (thus overriding the exception we made
for all other system services). We add two magic pass flags to
achieve this. Since the magic pass is a big bowl of spaghetti code,
ignoring whitespace changes while viewing this patch is recommended.
Change-Id: I5ab83b23d8437b37c44dea99537bc202469c9df6
The NetBSD libc malloc implementation uses a memory-mapped area for
its page directory. Since the process heap is reconstructed upon
state transfer for live update, this memory-mapped area must not be
transferred to the new process. However, as the new instance of the
process being updated inherits all memory-mapped areas of the old
instance, it also automatically inherits the malloc implementation's
page directory. Thus, we must explicitly free this area in order to
avoid a memory leak.
The magic pass already detects (de)allocation functions called from
within other (de)allocation functions, which is why the mmap(2) and
munmap(2) calls of the malloc code are not instrumented as it is.
This patch changes that particular case to allow a different hook
function to be called for such "nested" allocation calls, for a
particular set of nested calls. In particular, the malloc(3) code's
mmap(2) and munmap(2) calls are replaced with magic_nested_mmap and
magic_nested_munmap calls, respectively. The magic library then
tracks memory mapping allocations of the malloc code by providing an
implementation for these two wrappers, and frees the allocations upon
state transfer.
This approach was chosen over various alternatives:
- While it appears that nesting could be established by setting a
flag while the malloc(3) wrapper is active, and testing the flag in
the mmap(2)/munmap(2) wrappers, this approach would fail to detect
memory-mapped allocations made from uninstrumented malloc(3) calls,
and is therefore not a viable option.
- It would be possible to obtain the value of the variables that
store the information about the memory-mapped area in the malloc
code. However, this is rather difficult in practice due to the way
the libc malloc implementation stores the size of the area, and it
would make the solution more dependent on the specific libc malloc
implementation.
- It would be possible to use the special "nested" instrumentation
for allocations made from certain marked sections. Since we mark
the data section of the malloc code already, this would not be hard
to do. Switching to this alternative would change very little, and
if for any reason this approach yields more advantages in the
future, we can still choose to do so.
Change-Id: Id977405da86a72458dd10f18e076d8460fd2fb75
Since the heap is reconstructed upon state transfer, the old malloc
state is discarded. In order to avoid state transfer errors, we can
and in fact must discard the internal state of the malloc
implementation. This patch achieves this by using the sectionify
pass to mark the variables in the libminc malloc object as state that
must be skipped during state transfer.
Change-Id: Ie330f582c8bd45f37a878ea41fa0f9d4a18045e1
Due to changed VM internals, more elaborate preparation is required
before a live update with multiple components including VM can take
place. This patch adds the essential preparation infrastructure to
VM and adapts RS to make use of it. As a side effect, it is no
longer necessary to supply RS as the last component (if at all)
during the set-up of a multicomponent live update operation.
Change-Id: If069fd3f93f96f9d5433998e4615f861465ef448
During live update, the new instance of VM may make changes that,
after a rollback, have to be undone by the old instance of VM, in
particular because both instances share (read-write) all dynamically
allocated pages.
Change-Id: I2bcfa8e627ca6084b1991e0af7cccecc683894a2
This resolves an infinite loop during boot, in libblockdriver freeing
DMA memory at the end of a partition(3) call.
Change-Id: I0757aa48f769ea79eab7160f23ee4c97cf58e055
Make the passes we have so far, hello and WeakAliasModuleOverride,
use settings from a Makefile include file in the parent directory.
This change is in preparation of adding other passes.
Change-Id: Ib195ee7f5c7626f4975368b02c944382e87e3814
Make disk image size sufficient for LLVM bitcode build with symbols.
Edited by David van Moolenbroek to do this only when -b is given.
Change-Id: I3bde164756c477b4af5ed9435ca03da3b186cf7e
- Fix a bug in clientctl which tried to test for kvm. This simply
removes this faulty test, as the kvm command has been deprecated by the
QEMU project for a couple of years now.
- Specify by default 256M of RAM as this is the minimal amount required
for the whole-OS live update test to succeed.
- Update the default command printed out at the end of the x86_hdimage
script to be more generic, less focused on one use-case.
Change-Id: Ic555d50a3a1471f7d35cc7fd369f2292add6ac39
The filtering also exposed the risk that a process be killed or
swapped while on the list of VM memory requests. These cases are
now handled properly as well.
Change-Id: Ibd3897b34abdf33bce19d37b8e5f65fbd0fd9316
- Update proc to select restart policy for VM
- Update testrelpol to test the supported modes of recovery for VM
- Small code cleanups in testrelpol as well.
Change-Id: I6958e100865c2429b9435f3f7cc7d018046378c3
A missing check to see whether the range being transferred is sane
(with a starting address lower than an ending address) caused extra
memory to be marked erroneously as copy-on-write for some processes,
ultimately resulting in pagefaults on the stack during live update
rollback.
Change-Id: I1516b509b485379606d8df05b8a0f514896a0f19
If the stack is not mapped at the VM_DATATOP (e.g. booted with
ac_layout = 1), there might be some more regions hiding above
the stack. We also have to transfer those.
Change-Id: Idf3b94a36fcec8a10ace2f6dffe816faf0a88f60
. make sure the priv id etc is maintained so
future privctl talk about the right thing
. solves broken IPC after update
Change-Id: I17ed0212c22d634e6db1e80f8dcb2fb8bffe82c6
The 'memory' service has holes in its data section, which causes
problems during state transfer. Since VM cannot handle page faults
during a multicomponent-with-VM live update, the state transfer must
ensure that no page faults occur during copying. Therefore, we now
query VM about the regions to copy, thus skipping holes. While the
solution is not ideal, it is sufficiently generic that it can be used
for the data section state transfer of all processes, and possibly
for state transfer of other regions in the future as well.
Change-Id: I2a71383a18643ebd36956c396fbd22c8fd137202
Two bugs fixed wrt vm restartability.
. make sure pagetable data is only allocated
using dynamic data instead of static spare pages
(bootstrap pages). They are needed for bootstrap
but now repeat some of the initialization so only
dynamic data remains. This solves the problem of
physical addresses changing (as static pages are
re-allocated for the new instance) after update.
. pt_ptalloc has to be specified in bytes instead of
pde slot numbers. leaving pt_pt NULL causes mapping
transfers to fail because NULL happens to be mapped in
then and updates then happen there.
. added some sanity checks against the above happening.
The new state is that VM can update many times, but the system
isn't fully reliable afterwards yet.
Change-Id: I7313602c740cdae8590589132291116ed921aed7
. make arch-independent, and local to proc.c, reduce code duplication
. make vm_suspend public but unduplicated in proc.c
. ask VM for handling once, 2nd time SIGSEGV process
. remove debug printfs
. test case for bogus sendrec() address argument
Change-Id: I3893758910c01de60b8fe3e50edd594296a0b73e
Allow extra space for in-band metadata when allocating cache blocks.
Edited by David van Moolenbroek: since this effectively halves the
potential size of the typical file system cache, do this only when
compiling with instrumentation.
Change-Id: I0840af6420899ede2d5bb7539e79c0a456b5128d
Edited by David van Moolenbroek to deallocate the guard page as well.
Note that while the new approach is better in theory (previously, the
hole could end up being filled by another allocated page), guard page
protection is now broken in practice, because VM does not support
setting specific page permissions (in this case, PROT_NONE).
Change-Id: I882624f5d152d3ebe82fca649cbad85aa4931780
If arguments are provided, the services list to test is set from those,
instead of initializing it with every currently running service.
If such arguments are present, also skip LiveUpdate tests.
Change-Id: I14f874666a610072a5ff4a60516e59cf04dc9e31
VM used to call sendrec to send a boot-time RS_INIT reply to RS, but
RS could run into a pagefault at the same time, thus spawning a
message to VM, resulting in a deadlock. We resolve this situation by
making VM acknowledge RS_INIT asynchronously at boot time, while
retaining the synchronous sendrec for subsequent RS_INIT responses.
Change-Id: I3cb72d7f8d6b9bfdc59a85958ada739c37fa3bde