QNX/Neutrino IPC

Although message passing is the primary form of IPC in QNX/Neutrino, several other forms are available as well. Unless otherwise noted, those other forms of IPC are built over QNX message passing. The strategy is to create a simple, robust IPC service that can be tuned for performance through a simplified code path in the microkernel; more ``feature cluttered'' IPC services can then be implemented from these.

Benchmarks comparing higher-level IPC services (like pipes and FIFOs implemented over QNX messaging) with their monolithic kernel counterparts show comparable performance.

QNX/Neutrino offers at least the following forms of IPC:

Service:	Implemented in:
Message-passing	kernel
Signals	kernel
POSIX message queues	external process
Shared memory	kernel

These services can be selected by the designer on the basis of bandwidth requirements, the need for queuing, network transparency, etc. The tradeoff can be complex, but the flexibility is useful.

As part of the engineering effort that went into defining the Neutrino microkernel, the focus on message passing as the fundamental IPC primitive was deliberate. As a form of IPC, message passing (as implemented in MsgSendv(), MsgReceivev(), and MsgReplyv()), is synchronous and copies data. Let's explore these two attributes in more detail.

Synchronous message passing

A thread undergoing state changes in a typical send-receive-reply transaction. This inherent blocking synchronizes the execution of the sending thread, since the act of requesting that the data be sent also causes the sending thread to be blocked and the receiving thread to be scheduled for execution - this happens without requiring explicit work by the kernel to determine which thread to run next (as would be the case with most other forms of IPC). Execution and data move directly from one context to another.

Data queuing capabilities are omitted from these messaging primitives because queueing could be implemented when needed within the receiving thread. The sending thread is often prepared to wait for a response; queueing is unnecessary overhead and complexity (i.e. it slows down the non-queued case). As a result, the sending thread doesn't need to make a separate, explicit blocking call to wait for a response had some other IPC form been used.

While the send and receive operations are blocking and synchronous, MsgReplyv() (or MsgError()) doesn't block. Since the client thread is already blocked waiting for the reply, no additional synchronization is required, so a blocking MsgReplyv() isn't needed. This allows a server to reply to a client and continue processing while the kernel and/or networking code asynchronously passes the reply data to the sending thread and marks it ready for execution. As most servers will tend to do some processing to prepare to receive the next request (at which point they block again), this works out well.

MsgReplyv() vs MsgError()

MsgError() is supported in Neutrino 1.1

Message copying

The messaging primitives in QNX support multipart transfers, so that a message delivered from the address space of one thread to another needn't pre-exist in a single, contiguous buffer. Instead, both the sending and receiving threads can specify a vector table that indicates where the sending and receiving message fragments reside in memory. Note that the size of the various parts can be different for the sender and receiver.

Multipart transfers allow messages that have a header block separate from the data block to be sent without performance-consuming copying of the data to create a contiguous message. In addition, if the underlying data structure is a ring buffer, specifying a three-part message will allow a header and two disjoint ranges within the ring buffer to be sent as a single atomic message. A hardware equivalent of this concept would be that of a scatter/gather DMA facility.

When sent or received, these parts are treated as one contiguous sequence of bytes. This is ideal for scatter/gather buffers and caches.

The multipart transfers are also used extensively by filesystems. On a read, the data is copied directly from the filesystem cache into the application using a message with one part for the reply status and n parts for the data. Each part points into the cache and compensates for the fact that cache blocks aren't contiguous in memory with a read starting or ending within a block.

For example, with a cache block size of 512 bytes, a read of 1454 bytes can be satisfied with a 5-part message:

Scatter/gather of a read of 1454 bytes.

Because message data is explicitly copied between address spaces (rather than by doing page table manipulations), messages can be easily allocated on the stack instead of from a special pool of page-aligned memory for MMU ``page flipping.'' As a result, many of the library routines that implement the API between client and server processes can be trivially expressed, without elaborate IPC-specific memory allocation calls.

For example, the code used by a client thread to request that the filesystem manager execute lseek on its behalf is implemented as follows:

#include <unistd.h>
#include <errno.h>
#include <sys/iomsg.h>
 
 
off64_t _lseek(int fd, off64_t offset, int whence) {
    union {
        struct _io_lseek        s;
        struct _io_lseek_reply  r;
    }                         msg;
    iov_t                  iov[2];
 
    msg.s.type = _IO_LSEEK;
    msg.s.combine_len = _IO_NO_COMBINE;
    msg.s.offset = offset; 
    msg.s.whence = whence; 
    msg.s.zero = 0;
    SETIOV(iov + 0, &msg.s, sizeof msg.s);
    SETIOV(iov + 1, &msg.r, sizeof msg.r);
    if(MsgSendv(fd, iov + 0, 1, iov + 1, 1) == -1) {
        offset.lo = offset.hi = -1;
        return offset;
    }
    if(msg.r.status != EOK) {
        errno = msg.r.status;
        offset.lo = offset.hi = -1;
        return offset;             
    }
    return msg.r.offset;
}
 
off_t lseek(int fd, off_t offset, int whence) {
    off64_t             off;
 
    off.hi = (offset < 0) ? -1 : 0;
    off.lo = offset;
    off = _lseek(fd, off, whence);
    return off.lo;
}
 
off_t tell(int fd) {
    return lseek(fd, 0, SEEK_CUR);
}
 

This code essentially builds a message structure on the stack, populates it with various constants and passed parameters from the calling thread, and sends it to the filesystem manager associated with fd. The reply indicates the success or failure of the operation.

This implementation doesn't prevent the kernel from detecting large message transfers and choosing to implement ``page flipping'' for those cases. Since most messages passed are quite tiny, copying messages is often faster than manipulating MMU page tables. For bulk data transfer, shared memory between processes (with message-passing or the other synchronization primitives for notification) is also a viable option.

Channels and connections

Channels are required by the message kernel calls and are used by servers to MsgReceivev() messages on. Connections are created by client threads to ``connect'' to the channels made available by servers. Once connections are established, clients can MsgSendv() messages over them. If a number of threads in a process all attach to the same channel, then the one connection is shared between all the threads. Channels and connections are named within a process by a small integer identifier. Client connections map directly into file descriptors.

Architecturally, this is a key point. By having client connections map directly into FDs, we have eliminated yet another layer of translation. We don't need to "figure out" where to send a message based on the file descriptor (e.g. via a read(fd) call). Instead, we can simply send a message directly to the "file descriptor" (i.e. connection ID).

Function	Description
ChannelCreate()	Create a channel to receive messages on.
ChannelDestroy()	Destroy a channel.
ConnectAttach()	Create a connection to send messages on.
ConnectDetach()	Detach a connection.

Connections map elegantly into file descriptors (i.e. coid 2 == fd 2).

A process acting as a server would implement an event loop to receive and process messages as follows:

chid = ChannelCreate(flags);
SETIOV(&iov, &msg, sizeof(msg));
for(;;) {
    rcv_id = MsgReceivev( chid, &iov, parts, &info );
 
    switch( msg.type ) {
        /* Perform message processing here */
        }
 
    MsgReplyv( rcv_id, &iov, rparts );
    }

This loop allows the thread to receive messages from any thread that had a connection to the channel.

The channel has three queues associated with it:

• one queue for threads waiting for messages
• one queue for threads that have sent a message that hasn't yet been received
• one queue for threads that have sent a message that has been received, but not yet replied to.

While in any of these queues, the waiting thread is blocked (i.e. RECEIVE, SEND, or REPLY blocked).

Waiting threads are blocked while in a channel queue.

Pulses

Pulses are often used as a notification mechanism within interrupt handlers. They also allow servers to signal clients without blocking on them.

Pulses pack a small payload - 8 bits of code and 32 bits of data.

Priority inheritance

The QNX/Neutrino message-passing API

Robust implementations with Send/Receive/Reply

A significant problem with asynchronous systems is that event notification requires signal handlers to be run. Asynchronous IPC can make it difficult to thoroughly test the operation of the system and make sure that no matter when the signal handler runs, that processing will continue as intended. Applications often try to avoid this scenario by relying on a ``window'' explicitly opened and shut, during which signals will be tolerated.

With a synchronous, non-queued system architecture built around Send/Receive/Reply, robust application architectures can be very readily implemented and delivered.

Avoiding deadlock situations is another difficult problem when constructing applications from various combinations of queued IPC, shared memory, and miscellaneous synchronization primitives. For example, suppose thread A doesn't release mutex 1 until thread B releases mutex 2. Unfortunately, if thread B is in the state of not releasing mutex 2 until thread A releases mutex 1, a standoff results. Simulation tools are often invoked in order to ensure that deadlock won't occur as the system runs.

The Send/Receive/Reply IPC primitives allow the construction of deadlock-free systems with the observation of only a couple simple rules:

1. Never have two threads send to each other.
2. Always arrange your threads in a hierarchy, with sends going up the tree.

The first rule is an obvious avoidance of the standoff situation, but the second rule requires further explanation. The team of cooperating threads and processes is arranged as follows:

Threads should always send up to higher-level threads.

Here the threads at any given level in the hierarchy never send to each other, but send only upwards instead.

One example of this might be a client application that sends to a database server process, which in turn sends to a filesystem process. Since the sending threads block and wait for the target thread to reply, and since the target thread isn't send-blocked on the sending thread, deadlock cannot result.

But how does a higher-level thread notify a lower-level thread that it has the results of a previously requested operation? (Assume the lower-level thread didn't want to wait for the replied results when it last sent.)

QNX/Neutrino provides a very flexible architecture with the MsgDeliverEvent() kernel call to deliver non-blocking events. All of the common asynchronous services can be implemented with this. For example, the server-side of the select() call is an API that an application can use to allow a thread to wait for an I/O event to complete on a set of file descriptors. In addition to an asynchronous notification mechanism being needed as a ``back channel'' for notifications from higher-level threads to lower-level threads, we can also build a reliable notification system for timers, hardware interrupts, and other event sources around this.

A higher-level thread can "send" a pulse event in order to notify a lower-level thread.

A related issue is the problem of how a higher-level thread can request work of a lower-level thread without sending to it, risking deadlock. The lower-level thread is present only to serve as a ``worker thread'' for the higher-level thread, doing work on request. The lower-level thread would send in order to ``report for work,'' but the higher-level thread wouldn't reply then. It would defer the reply until the higher-level thread had work to be done, and it would reply (which is a non-blocking operation) with the data describing the work. In effect, the reply is being used to initiate work, not the send, which neatly side-steps rule #1.

Events

Neutrino also defines additional, QNX-specific notification techniques such as pulses. Implementing all of these event mechanisms could have consumed significant code space, so our implementation strategy was to build all of these notification methods over a single, rich, event subsystem.

A benefit of this approach is that capabilities exclusive to one notification technique can become available to others. For example, a Neutrino application can apply the same queueing services of POSIX realtime signals to UNIX signals. This can simplify the robust implementation of signal handlers within applications.

The events encountered by an executing thread can come from any of three sources:

• a MsgDeliverEvent() kernel call invoked by a thread
• an interrupt handler
• the expiry of a timer.

The event itself can be any of a number of different types: QNX pulses, interrupts, various forms of signals, and forced ``unblock'' events. ``Unblock'' is a means by which a thread can be released from a deliberately blocked state without any explicit event actually being delivered.

Given this multiplicity of event types, and applications needing the ability to request whichever asynchronous notification technique best suits their needs, it would be awkward to require that server processes (the higher-level threads from the previous section) carry code to support all these options.

Instead, the client thread can give a data structure, or ``cookie,'' to the server to hang on to until later. When the server needs to notify the client thread, it will invoke MsgDeliverEvent() and the microkernel will set the event type encoded within the cookie upon the client thread.

The client sends a sigevent to the server, who saves the event structure. When conditions are met, the server delivers the event via MsgDeliverEvent().

I/O notification

The select() call is implemented using I/O notification and allows a thread to block and wait for a mix of I/O events on multiple fd's while continuing to respond to other forms of IPC.

Here are the conditions upon which the requested event can be delivered:

• _NOTIFY_COND_OUTPUT - there's room in the output buffer for more data.
• _NOTIFY_COND_INPUT - resource-manager-defined amount of data is available to read.
• _NOTIFY_OUT_OF_BAND - resource-manager-defined ``out of band'' data is available.

Signals

Incidentally, the UNIX-style signals can select POSIX realtime signal queuing, should the application desire it. Neutrino also extends the signal-delivery mechanisms of POSIX by allowing signals to be targeted at specific threads, rather than simply at the process containing the threads. Since signals are an asynchronous event, they're also implemented with the event-delivery mechanisms within Neutrino.

Microkernel call	POSIX call	Description
SignalKill()	kill(), pthread_kill(), raise(), sigqueue()	Set a signal on a process group, process, or thread.
SignalReturn()	N/A	Return from a signal handler.
SignalAction()	sigaction()	Define action to take on receipt of a signal.
SignalProcmask()	sigprocmask()	Change signal blocked mask of a thread.
SignalSuspend()	sigsuspend(), pause()	Block until a signal invokes a signal handler.
SignalWaitinfo()	sigwaitinfo()	Wait for signal and return info on it.

The original POSIX specification defined signal operation on processes only. In a multi-threaded process, the following rules are followed:

• The signal actions are maintained at the process level. If a thread ignores or catches a signal, it affects all threads within the process.
• The signal mask is maintained at the thread level. If a thread blocks a signal, it affects only that thread.
• An un-ignored signal targeted at a thread will be delivered to that thread alone.
• An un-ignored signal targeted at a process is delivered to the first thread that doesn't have the signal blocked. If all threads have the signal blocked, the signal will be queued on the process until any thread ignores or unblocks the signal. If ignored, the signal on the process will be removed. If unblocked, the signal will be moved from the process to the thread that unblocked it.

When a signal is targeted at a process with a large number of threads, the thread table must be scanned, looking for a thread with the signal unblocked. Standard practice for most multi-threaded processes is to mask the signal in all threads but one, which is dedicated to handling them. To increase the efficiency of process-signal delivery, the kernel will cache the last thread that accepted a signal and will always attempt to deliver the signal to it first.

Signals delivered to a process are given to the first thread with an interest or queued on the process until a thread expresses an interest.

The POSIX standard includes the concept of queued realtime signals (first introduced in 1003.1b). QNX/Neutrino supports optional queuing of any signal, not just realtime signals. The queuing can be specified on a signal-by-signal basis within a process. Each signal can have an associated 8-bit code and a 32-bit value.

This is very similar to message pulses described earlier. The kernel takes advantage of this similarity and uses common code for managing both signals and pulses. The signal number is mapped to a pulse priority using _SIGMAX - signo. As a result, signals are delivered in priority order with lower signal numbers having higher priority. This conforms with the POSIX standard, which states that existing signals (which encompass the first 32) have priority over the new realtime signals.

Neutrino special signals

The 8 special signals cannot be ignored or caught. An attempt to call the signal() or sigaction() functions or the SignalAction() kernel call to change them will fail with an error of EINVAL.

In addition, these signals are always blocked and have signal queuing enabled. An attempt to unblock these signals via the sigprocmask() function or SignalProcmask() kernel call with be quietly ignored.

A regular signal can be programmed to this behavior using the following standard signal calls. The special signals save the programmer from writing this code and protect the signal from accidental changes to this behavior.

sigset_t *set;
struct sigaction action;
 
sigemptyset(&set);
sigaddset(&set, signo);
sigprocmask(SIG_BLOCK, &set, NULL);
 
action.sa_handler = SIG_DFL;
action.sa_flags = SA_SIGINFO;
sigaction(signo, &action, NULL);

This configuration makes these signals suitable for synchronous notification using the sigwaitinfo() function or SignalWaitinfo() kernel call. The following code will block until the 8th special signal is received:

sigset_t *set;
siginfo_t info;
 
sigemptyset(&set);
sigaddset(&set, SIGSPECIALMAX);
sigwaitinfo(&set, &info);
printf("Received signal %d with code %d and value %d\n",
            info.si_signo,
            info.si_code,
            info.si_value.sival_int);

Since the signals are always blocked, the program cannot be interrupted or killed if the special signal is delivered outside of the sigwaitinfo() function. Since signal queuing is always enabled, signals won't be lost - they'll be queued for the next sigwaitinfo() call.

These signals were designed to solve a common IPC requirement where a server wishes to notify a client that it has information available for the client. The server will use the MsgDeliverEvent() call to notify the client. There are two reasonable choices for the event within the notification: pulses or signals.

A pulse is the preferred method for a client that may also be a server to other clients. In this case, the client will have created a channel for receiving messages and can also receive the pulse.

This won't be true for most simple clients. In order to receive a pulse, a simple client would be forced to create a channel for this express purpose. A signal can be used in place of a pulse if the signal is configured to be synchronous (i.e. the signal is blocked) and queued - this is exactly how the special signals are configured. The client would replace the MsgReceivev() call used to wait for a pulse on a channel with a simple sigwaitinfo() call to wait for the signal.

This signal mechanism is used by Photon to wait for events and by the select() function to wait for I/O from multiple servers. Of the 8 special signals, the first two have been given special names for this use.

#define SIGSELECT	(SIGSPECIALMIN + 0)
#define SIGPHOTON	(SIGSPECIALMIN + 1)

Summary of signals

POSIX message queues

POSIX message queues are implemented in QNX/Neutrino via an optional resource manager (Mqueue). Unlike QNX/Neutrino's inherent message-passing primitives, the POSIX message queues reside outside the kernel. For information about resource managers, see Chapter 4 in this book.

Why use POSIX message queues?

There's a fundamental difference between QNX messages and POSIX message queues. QNX messages block - they copy their data directly between the address spaces of the processes sending the messages. POSIX messages queues, on the other hand, implement a store-and-forward design in which the sender need not block and may have many outstanding messages queued. POSIX message queues exist independently of the processes that use them. You would likely use message queues in a design where a number of named queues will be operated on by a variety of processes over time.

For raw performance, POSIX message queues will be slower than QNX native messages for transferring data. However, the flexibility of queues may make this small performance penalty worth the cost.

File-like interface

For strict POSIX conformance, you should create message queues that start with a single slash (/) and contain no other slashes. But note that QNX/Neutrino extends the POSIX standard by supporting pathnames that may contain multiple slashes. This allows, for example, a company to place all its message queues under its company name and distribute a product with increased confidence that a queue name will not conflict with that of another company.

In QNX/Neutrino, all message queues created will appear in the filename space under the directory /dev/mqueue.

mq_open() name:	Pathname of message queue:
/data	/dev/mqueue/data
/acme/data	/dev/mqueue/acme/data
/qnx/data	/dev/mqueue/qnx/data

You can display all message queues in the system using the ls command as follows:

ls -Rl /dev/mqueue

The size printed will be the number of messages waiting.

Message queue functions

Shared memory

To solve these problems, shared memory is often used in conjunction with one of the synchronization primitives to make updates atomic between processes. If the granularity of updates is small, then the synchronization primitives themselves will limit the inherently high bandwidth of using shared memory. Shared memory is therefore most efficient when used for updating large amounts of data as a block.

Both semaphores and mutexes are suitable synchronization primitives for use with shared memory. Semaphores were introduced with the POSIX realtime standard for interprocess synchronization. Mutexes were introduced with the POSIX threads standard for thread synchronization. Mutexes may also be used between threads in different processes. POSIX considers this an optional capability; Neutrino supports it. In general, mutexes are more efficient than semaphores.

Shared memory with message passing

• very high performance (shared memory)
• synchronization (message passing)
• network transparency (message passing).

Using message passing, a client sends a request to a server and blocks. The server receives the messages in priority order from clients, processes them, and replies when it can satisfy a request. At this point, the client is unblocked and continues. The very act of sending messages provides natural synchronization between the client and the server. Rather than copy all the data through the message pass, the message can contain a reference to a shared memory region, so the server could read or write the data directly. This is best explained with a simple example.

Let's assume a graphics server accepts draw image requests from clients and renders them into a frame buffer on a graphics card. Using message passing alone, the client would send a message containing the image data to the server. This would result in a copy of the image data from the client's address space to the server's address space. The server would then render the image and issue a short reply.

If the client didn't send the image data inline with the message, but instead sent a reference to a shared memory region that contained the image data, then the server could access the client's data directly.

Since the client is blocked on the server as a result of sending it a message, the server knows that the data in shared memory is stable and will not change until the server replies. This combination of message passing and shared memory achieves natural synchronization and very high performance.

This model of operation can also be reversed - the server can generate data and give it to a client. For example, suppose a client sends a message to a server that will read video data directly from a CD-ROM into a shared memory buffer provided by the client. The client will be blocked on the server while the shared memory is being changed. When the server replies and the client continues, the shared memory will be stable for the client to access. This type of design can be pipelined using more than one shared memory region.

Simple shared memory can't be used between processes on different computers connected via a network. Message passing, on the other hand, is network transparent. A server could use shared memory for local clients and full message passing of the data for remote clients. This allows you to provide a high-performance server that is also network transparent.

In practice, the message-passing primitives are more than fast enough for the majority of IPC needs. The added complexity of a combined approach need only be considered for special applications with very high bandwidth.

Creating a shared memory object

POSIX shared memory is implemented in QNX/Neutrino via the Process Manager (ProcNto). The above calls are implemented as messages to ProcNto. For information about the Process Manager, see Chapter 3 in this book.

The shm_open() function takes the same arguments as open() and returns a file descriptor to the object. As with a regular file, this function lets you create a new shared memory object or open an existing shared memory object.

When a new shared memory object is created, the size of the object is set to zero. To set the size, you use the ftruncate() function. Note that this is the very same function used to set the size of a file.

mmap()

The mmap() function is defined as follows:

void * mmap(void *where_i_want_it, size_t length, int memory_protections,
            int mapping_flags, int fd, off_t offset_within_shared_memory);

In simple terms this says: "Map in length bytes of shared memory at offset_within_shared_memory in the shared memory object associated with fd."

The mmap() function will try to place the memory at the address where_i_want_it in your address space. The memory will be given the protections specified by memory_protections and the mapping will be done according to the mapping_flags.

The three arguments fd, offset_within_shared_memory, and length define a portion of a particular shared object to be mapped in. It's common to map in an entire shared object, in which case the offset will be zero and the length will be the size of the shared object in bytes. On an Intel processor, the length will be a multiple of the page size, which is 4096 bytes.

How arguments to the mmap() function refer to the mapped region.

The return value of mmap() will be the address in your process's address space where the object was mapped. The argument where_i_want_it is used as a hint by the system to where you want the object placed. If possible, the object will be placed at the address requested. Most applications specify an address of zero, which gives the system free reign to place the object where it wishes.

The following protection types may be specified for memory_protections:

Manifest	Description
PROT_NONE	No access allowed
PROT_READ	Memory may be read
PROT_WRITE	Memory may be written
PROT_EXEC	Memory may be executed
PROT_NOCACHE	Memory should not be cached

The PROT_NOCACHE manifest should be used when a shared memory region is used to gain access to dual-ported memory that may be modified by hardware (e.g. a video frame buffer or a memory-mapped network or communications board). Without this manifest, the processor may return "stale" data from a previously cached read.

The mapping_flags determine how the memory is mapped and are broken down into two parts. The first part is a type and must be specified as one of the following:

Map type	Description
MAP_SHARED	The mapping is shared by the calling processes.
MAP_PRIVATE	The mapping is private to the calling process. It allocates system RAM and makes a copy of the object.
MAP_ANON	Similar to MAP_PRIVATE, but the fd parameter isn't used (should be set to NOFD), and the allocated memory is zero-filled.

The MAP_SHARED type is the one to use for setting up shared memory between processes. The other types have more specialized uses. For example, MAP_ANON can be used as the basis for a page-level memory allocator.

A number of flags may be ORed into the above type to further define the mapping. These are described in detail in the mmap() library reference. A few of the more interesting flags are:

Map type modifier	Description
MAP_FIXED	Map object to the address specified by where_i_want_it. If a shared memory region contains pointers within it, then you may need to force the region at the same address in all processes that map it. This can be avoided by using offsets within the region in place of direct pointers.
MAP_PHYS	This flag indicates that you wish to deal with physical memory. The fd parameter should be set to NOFD. When used with MAP_SHARED, the offset_within_shared_memory specifies the exact physical address to map (e.g. for video frame buffers). If used with MAP_ANON then physically contiguous memory is allocated (e.g. for a DMA buffer). MAP_NOX64K and MAP_BELOW16M are used to further define the MAP_ANON allocated memory and address limitations present in some forms of DMA.
MAP_NOX64K	Used with MAP_PHYS | MAP_ANON. The allocated memory area will not cross a 64K boundary. This is required for the old 16-bit PC DMA.
MAP_BELOW16M	Used with MAP_PHYS | MAP_ANON. The allocated memory area will reside in physical memory below 16M. This is necessary when using DMA with ISA bus devices.

Using the mapping flags described above, a process can easily share memory between processes:

/* Map in a shared memory region */
fd = shm_open("datapoints", O_RDWR);
addr = mmap(0, len, PROT_READ|PROT_WRITE, MAP_SHARED, fd, 0);

Or share memory with hardware such as video memory:

/* Map in VGA display memory */
addr = mmap(0, 65536, PROT_READ|PROT_WRITE, MAP_PHYS|MAP_SHARED, NOFD, 0xa0000);

Or allocate a DMA buffer for a bus-mastering PCI network card:

/* Allocate a physically contiguous buffer */
addr = mmap(0, 262144, PROT_READ|PROT_WRITE|PROT_NOCACHE, MAP_PHYS|MAP_ANON, NOFD, 0);

You can unmap all or part of a shared memory object from your address space using munmap(). This primitive isn't restricted to unmapping shared memory - it can be used to unmap any region of memory within your process. When used in conjunction with the MAP_ANON flag to mmap(), you can easily implement a private page-level allocator/deallocator.

You can change the protections on a mapped region of memory using mprotect(). Like munmap(), mprotect() isn't restricted to shared memory regions - it can change the protection on any region of memory within your process.

Clock and timer services

The ClockCycles() function is implemented upon a 64-bit, free-running, high-precision counter. On an Intel Pentium processor, this is implemented directly with the RDTSC instruction. For processors that don't support this opcode, an instruction fault is generated - the kernel catches and emulates this using the counter timer chip.

The ClockPeriod() function allows a thread to set the system timer to some multiple of nanoseconds; the OS kernel will do the best it can to satisfy the precision of the request with the hardware available to it. On a PC-architecture machine, the precision of this timer setting can be as fine as 838 nanoseconds.

The interval selected is always rounded down to an integral of the precision of the underlying hardware timer. Of course, setting it to an extremely low value can result in a significant portion of CPU performance being consumed servicing timer interrupts.

The ClockTick() call is provided as an entry point to be used by an external timer interrupt handler. If the system has custom timer hardware, a thread external to the kernel can use this call to explicitly indicate the advance of time to the kernel.

Microkernel call	POSIX call	Description
ClockTime()	clock_gettime(), clock_settime()	Get or set the time of day.
ClockAdjust()	N/A	Apply small time adjustments to synchronize clocks.
ClockCycles()	N/A	Read a 64-bit free-running high-precision counter.
ClockPeriod()	clock_getres()	Get or set the period of the clock.
ClockTick()	N/A	Simulate a clock interrupt from an external

Time correction

Timers

The POSIX timer model is quite rich, providing the ability to have the timer expire on:

• an absolute date
• a relative date (i.e. n nanoseconds from now)
• cyclical (i.e. every n nanoseconds).

The cyclical mode is very significant, because the most common use of timers tends to be as a periodic source of events to ``kick'' a thread into life to do some processing and go back to sleep until the next event. If the thread had to re-program the timer for every event, there would be the danger that time would slip unless the thread was programming an absolute date. Worse, if the thread doesn't get to run on the timer event because a higher-priority thread is running, the date next programmed into the timer could be one that has already elapsed!

The cyclical mode circumvents these problems by requiring that the thread set the timer once and then simply respond to the resulting periodic source of events.

Since timers are another source of events in QNX/Neutrino, they also make use of its event-delivery system. As a result, the application can request that any of the Neutrino-supported events be delivered to the application upon occurrence of a timeout.

An often-needed timeout service provided by Neutrino is the ability to specify the maximum time the application is prepared to wait for any given kernel call or request to complete. A problem with using generic OS timer services in a preemptive realtime OS is that in the interval between the specification of the timeout and the request for the service, a higher-priority process might have been scheduled to run and preempted long enough that the specified timeout will have expired before the service is even requested. The application will then end up requesting the service with an already lapsed timeout in effect (i.e. no timeout). This timing window can result in `` hung'' processes, inexplicable delays in data transmission protocols, and other problems.

alarm(...);
   :
   :    <-- Alarm fires here
   :
blocking_call();

Neutrino's solution is a form of timeout request atomic to the service request itself. One approach might have been to provide an optional timeout parameter on every available service request, but this would overly complicate service requests with a passed parameter that would often go unused.

Neutrino provides a TimerTimeout() kernel call that allows an application to specify a list of blocking states for which to start a specified timeout. Later, when the application makes a request of the kernel, the kernel will atomically enable the previously configured timeout if the application is about to block on one of the specified states.

Since Neutrino has a very small number of blocking states, this mechanism works very concisely. At the conclusion of either the service request or the timeout, the timer will be disabled and control will be given back to the application.

TimerTimeout(...);
   :
   :
   :
blocking_call();
   :    <-- Timer atomically armed within kernel

#include <stdio.h>
#include <sys/neutrino.h>
 
struct sigevent event;
volatile unsigned counter;
 
struct sigevent *handler( void *area ) {
    // Pulse every 100'th interrupt
    if ( ++counter == 100 ) {
        counter = 0;
        return( &event );
        }
    else
        return( NULL );
    }
 
void main() {
    int i;
 
    // Initialize event structure
    event.sigev_notify = SIGEV_INTR;
 
    // Attach ISR vector
    InterruptAttach( _NTO_INTR_FIRST, &handler, NULL, 0, 0 );
 
    for( i = 0; i < 10; ++i ) {
        // Wait for ISR to pulse
        InterruptWait( 0, NULL );
        printf( "100 events\n" );
        }
 
    // Disconnect the ISR handler
    InterruptDetach( _NTO_INTR_FIRST, &handler );
    exit( 0 );
    }