2 * systime -- routines to fiddle a UNIX clock.
4 * ATTENTION: Get approval from Dave Mills on all changes to this file!
10 #include "ntp_syslog.h"
11 #include "ntp_stdlib.h"
12 #include "ntp_random.h"
14 #include "timevalops.h"
15 #include "timespecops.h"
16 #include "ntp_calendar.h"
18 #ifdef HAVE_SYS_PARAM_H
19 # include <sys/param.h>
23 #endif /* HAVE_UTMP_H */
26 #endif /* HAVE_UTMPX_H */
29 #ifndef USE_COMPILETIME_PIVOT
30 # define USE_COMPILETIME_PIVOT 1
34 * These routines (get_systime, step_systime, adj_systime) implement an
35 * interface between the system independent NTP clock and the Unix
36 * system clock in various architectures and operating systems. Time is
37 * a precious quantity in these routines and every effort is made to
38 * minimize errors by unbiased rounding and amortizing adjustment
41 * In order to improve the apparent resolution, provide unbiased
42 * rounding and most importantly ensure that the readings cannot be
43 * predicted, the low-order unused portion of the time below the minimum
44 * time to read the clock is filled with an unbiased random fuzz.
46 * The sys_tick variable specifies the system clock tick interval in
47 * seconds, for stepping clocks, defined as those which return times
48 * less than MINSTEP greater than the previous reading. For systems that
49 * use a high-resolution counter such that each clock reading is always
50 * at least MINSTEP greater than the prior, sys_tick is the time to read
53 * The sys_fuzz variable measures the minimum time to read the system
54 * clock, regardless of its precision. When reading the system clock
55 * using get_systime() after sys_tick and sys_fuzz have been determined,
56 * ntpd ensures each unprocessed clock reading is no less than sys_fuzz
57 * later than the prior unprocessed reading, and then fuzzes the bits
58 * below sys_fuzz in the timestamp returned, ensuring each of its
59 * resulting readings is strictly later than the previous.
61 * When slewing the system clock using adj_systime() (with the kernel
62 * loop discipline unavailable or disabled), adjtime() offsets are
63 * quantized to sys_tick, if sys_tick is greater than sys_fuzz, which
64 * is to say if the OS presents a stepping clock. Otherwise, offsets
65 * are quantized to the microsecond resolution of adjtime()'s timeval
66 * input. The remaining correction sys_residual is carried into the
67 * next adjtime() and meanwhile is also factored into get_systime()
70 double sys_tick = 0; /* tick size or time to read (s) */
71 double sys_fuzz = 0; /* min. time to read the clock (s) */
72 long sys_fuzz_nsec = 0; /* min. time to read the clock (ns) */
73 double measured_tick; /* non-overridable sys_tick (s) */
74 double sys_residual = 0; /* adjustment residue (s) */
75 int trunc_os_clock; /* sys_tick > measured_tick */
76 time_stepped_callback step_callback;
79 /* perlinger@ntp.org: As 'get_sysime()' does it's own check for clock
80 * backstepping, this could probably become a local variable in
81 * 'get_systime()' and the cruft associated with communicating via a
82 * static value could be removed after the v4.2.8 release.
84 static int lamport_violated; /* clock was stepped back */
88 static int systime_init_done;
89 # define DONE_SYSTIME_INIT() systime_init_done = TRUE
91 # define DONE_SYSTIME_INIT() do {} while (FALSE)
94 #ifdef HAVE_SIGNALED_IO
99 CRITICAL_SECTION get_systime_cs;
109 INSIST(sys_fuzz >= 0);
110 INSIST(sys_fuzz <= 1.0);
111 sys_fuzz_nsec = (long)(sys_fuzz * 1e9 + 0.5);
118 INIT_GET_SYSTIME_CRITSEC();
119 INIT_WIN_PRECISE_TIME();
124 #ifndef SIM /* ntpsim.c has get_systime() and friends for sim */
128 struct timespec * tsp
134 #if defined(HAVE_CLOCK_GETTIME)
135 rc = clock_gettime(CLOCK_REALTIME, tsp);
136 #elif defined(HAVE_GETCLOCK)
137 rc = getclock(TIMEOFDAY, tsp);
141 rc = GETTIMEOFDAY(&tv, NULL);
142 tsp->tv_sec = tv.tv_sec;
143 tsp->tv_nsec = tv.tv_usec * 1000;
146 msyslog(LOG_ERR, "read system clock failed: %m (%d)",
151 if (trunc_os_clock) {
152 ticks = (long)((tsp->tv_nsec * 1e-9) / sys_tick);
153 tsp->tv_nsec = (long)(ticks * 1e9 * sys_tick);
159 * get_systime - return system time in NTP timestamp format.
163 l_fp *now /* system time */
166 static struct timespec ts_last; /* last sampled os time */
167 static struct timespec ts_prev; /* prior os time */
168 static l_fp lfp_prev; /* prior result */
169 static double dfuzz_prev; /* prior fuzz */
170 struct timespec ts; /* seconds and nanoseconds */
171 struct timespec ts_min; /* earliest permissible */
172 struct timespec ts_lam; /* lamport fictional increment */
173 struct timespec ts_prev_log; /* for msyslog only */
181 DEBUG_REQUIRE(systime_init_done);
182 ENTER_GET_SYSTIME_CRITSEC();
184 /* First check if here was a Lamport violation, that is, two
185 * successive calls to 'get_ostime()' resulted in negative
186 * time difference. Use a few milliseconds of permissible
187 * tolerance -- being too sharp can hurt here. (This is intented
188 * for the Win32 target, where the HPC interpolation might
189 * introduce small steps backward. It should not be an issue on
190 * systems where get_ostime() results in a true syscall.)
192 if (cmp_tspec(add_tspec_ns(ts, 50000000), ts_last) < 0)
193 lamport_violated = 1;
197 * After default_get_precision() has set a nonzero sys_fuzz,
198 * ensure every reading of the OS clock advances by at least
199 * sys_fuzz over the prior reading, thereby assuring each
200 * fuzzed result is strictly later than the prior. Limit the
201 * necessary fiction to 1 second.
203 if (!USING_SIGIO()) {
204 ts_min = add_tspec_ns(ts_prev, sys_fuzz_nsec);
205 if (cmp_tspec(ts, ts_min) < 0) {
206 ts_lam = sub_tspec(ts_min, ts);
207 if (ts_lam.tv_sec > 0 && !lamport_violated) {
209 "get_systime Lamport advance exceeds one second (%.9f)",
211 1e-9 * ts_lam.tv_nsec);
214 if (!lamport_violated)
217 ts_prev_log = ts_prev;
221 * Quiet "ts_prev_log.tv_sec may be used uninitialized"
222 * warning from x86 gcc 4.5.2.
227 /* convert from timespec to l_fp fixed-point */
228 result = tspec_stamp_to_lfp(ts);
233 dfuzz = ntp_random() * 2. / FRAC * sys_fuzz;
234 DTOLFP(dfuzz, &lfpfuzz);
235 L_ADD(&result, &lfpfuzz);
238 * Ensure result is strictly greater than prior result (ignoring
239 * sys_residual's effect for now) once sys_fuzz has been
242 if (!USING_SIGIO()) {
243 if (!L_ISZERO(&lfp_prev) && !lamport_violated) {
244 if (!L_ISGTU(&result, &lfp_prev) &&
246 msyslog(LOG_ERR, "ts_prev %s ts_min %s",
247 tspectoa(ts_prev_log),
249 msyslog(LOG_ERR, "ts %s", tspectoa(ts));
250 msyslog(LOG_ERR, "sys_fuzz %ld nsec, prior fuzz %.9f",
251 sys_fuzz_nsec, dfuzz_prev);
252 msyslog(LOG_ERR, "this fuzz %.9f",
255 L_SUB(&lfpdelta, &result);
256 LFPTOD(&lfpdelta, ddelta);
258 "prev get_systime 0x%x.%08x is %.9f later than 0x%x.%08x",
259 lfp_prev.l_ui, lfp_prev.l_uf,
260 ddelta, result.l_ui, result.l_uf);
265 if (lamport_violated)
266 lamport_violated = FALSE;
268 LEAVE_GET_SYSTIME_CRITSEC();
274 * adj_systime - adjust system time by the argument.
276 #if !defined SYS_WINNT
277 int /* 0 okay, 1 error */
279 double now /* adjustment (s) */
282 struct timeval adjtv; /* new adjustment */
283 struct timeval oadjtv; /* residual adjustment */
284 double quant; /* quantize to multiples of */
290 * The Windows port adj_systime() depends on being called each
291 * second even when there's no additional correction, to allow
292 * emulation of adjtime() behavior on top of an API that simply
293 * sets the current rate. This POSIX implementation needs to
294 * ignore invocations with zero correction, otherwise ongoing
295 * EVNT_NSET adjtime() can be aborted by a tiny adjtime()
296 * triggered by sys_residual.
302 * Most Unix adjtime() implementations adjust the system clock
303 * in microsecond quanta, but some adjust in 10-ms quanta. We
304 * carefully round the adjustment to the nearest quantum, then
305 * adjust in quanta and keep the residue for later.
307 dtemp = now + sys_residual;
312 adjtv.tv_sec = (long)dtemp;
313 dtemp -= adjtv.tv_sec;
314 if (sys_tick > sys_fuzz)
318 ticks = (long)(dtemp / quant + .5);
319 adjtv.tv_usec = (long)(ticks * quant * 1e6);
320 dtemp -= adjtv.tv_usec / 1e6;
321 sys_residual = dtemp;
324 * Convert to signed seconds and microseconds for the Unix
325 * adjtime() system call. Note we purposely lose the adjtime()
329 adjtv.tv_sec = -adjtv.tv_sec;
330 adjtv.tv_usec = -adjtv.tv_usec;
331 sys_residual = -sys_residual;
333 if (adjtv.tv_sec != 0 || adjtv.tv_usec != 0) {
334 if (adjtime(&adjtv, &oadjtv) < 0) {
335 msyslog(LOG_ERR, "adj_systime: %m");
345 * step_systime - step the system clock.
353 time_t pivot; /* for ntp era unfolding */
354 struct timeval timetv, tvlast, tvdiff;
355 struct timespec timets;
357 l_fp fp_ofs, fp_sys; /* offset and target system time in FP */
360 * Get pivot time for NTP era unfolding. Since we don't step
361 * very often, we can afford to do the whole calculation from
362 * scratch. And we're not in the time-critical path yet.
364 #if SIZEOF_TIME_T > 4
366 * This code makes sure the resulting time stamp for the new
367 * system time is in the 2^32 seconds starting at 1970-01-01,
371 #if USE_COMPILETIME_PIVOT
373 * Add the compile time minus 10 years to get a possible target
374 * area of (compile time - 10 years) to (compile time + 126
375 * years). This should be sufficient for a given binary of
378 if (ntpcal_get_build_date(&jd)) {
380 pivot += ntpcal_date_to_time(&jd);
383 "step-systime: assume 1970-01-01 as build date");
387 #endif /* USE_COMPILETIME_PIVOT */
390 /* This makes sure the resulting time stamp is on or after
391 * 1969-12-31/23:59:59 UTC and gives us additional two years,
392 * from the change of NTP era in 2036 to the UNIX rollover in
393 * 2038. (Minus one second, but that won't hurt.) We *really*
394 * need a longer 'time_t' after that! Or a different baseline,
395 * but that would cause other serious trouble, too.
400 /* get the complete jump distance as l_fp */
401 DTOLFP(sys_residual, &fp_sys);
402 DTOLFP(step, &fp_ofs);
403 L_ADD(&fp_ofs, &fp_sys);
405 /* ---> time-critical path starts ---> */
407 /* get the current time as l_fp (without fuzz) and as struct timeval */
409 fp_sys = tspec_stamp_to_lfp(timets);
410 tvlast.tv_sec = timets.tv_sec;
411 tvlast.tv_usec = (timets.tv_nsec + 500) / 1000;
413 /* get the target time as l_fp */
414 L_ADD(&fp_sys, &fp_ofs);
416 /* unfold the new system time */
417 timetv = lfp_stamp_to_tval(fp_sys, &pivot);
419 /* now set new system time */
420 if (ntp_set_tod(&timetv, NULL) != 0) {
421 msyslog(LOG_ERR, "step-systime: %m");
425 /* <--- time-critical path ended with 'ntp_set_tod()' <--- */
428 lamport_violated = (step < 0);
432 #ifdef NEED_HPUX_ADJTIME
434 * CHECKME: is this correct when called by ntpdate?????
440 * FreeBSD, for example, has:
442 * char ut_line[UT_LINESIZE];
443 * char ut_name[UT_NAMESIZE];
444 * char ut_host[UT_HOSTSIZE];
447 * and appends line="|", name="date", host="", time for the OLD
448 * and appends line="{", name="date", host="", time for the NEW
451 * Some OSes have utmp, some have utmpx.
455 * Write old and new time entries in utmp and wtmp if step
456 * adjustment is greater than one second.
458 * This might become even Uglier...
460 tvdiff = abs_tval(sub_tval(timetv, tvlast));
461 if (tvdiff.tv_sec > 0) {
479 # ifdef HAVE_PUTUTLINE
481 # define _PATH_UTMP UTMP_FILE
483 utmpname(_PATH_UTMP);
484 ut.ut_type = OLD_TIME;
485 strlcpy(ut.ut_line, OTIME_MSG, sizeof(ut.ut_line));
486 ut.ut_time = tvlast.tv_sec;
489 ut.ut_type = NEW_TIME;
490 strlcpy(ut.ut_line, NTIME_MSG, sizeof(ut.ut_line));
491 ut.ut_time = timetv.tv_sec;
495 # else /* not HAVE_PUTUTLINE */
496 # endif /* not HAVE_PUTUTLINE */
497 #endif /* UPDATE_UTMP */
502 # ifdef HAVE_PUTUTXLINE
503 utx.ut_type = OLD_TIME;
504 strlcpy(utx.ut_line, OTIME_MSG, sizeof(utx.ut_line));
508 utx.ut_type = NEW_TIME;
509 strlcpy(utx.ut_line, NTIME_MSG, sizeof(utx.ut_line));
514 # else /* not HAVE_PUTUTXLINE */
515 # endif /* not HAVE_PUTUTXLINE */
516 #endif /* UPDATE_UTMPX */
521 # ifdef HAVE_PUTUTLINE
523 # define _PATH_WTMP WTMP_FILE
525 utmpname(_PATH_WTMP);
526 ut.ut_type = OLD_TIME;
527 strlcpy(ut.ut_line, OTIME_MSG, sizeof(ut.ut_line));
528 ut.ut_time = tvlast.tv_sec;
531 ut.ut_type = NEW_TIME;
532 strlcpy(ut.ut_line, NTIME_MSG, sizeof(ut.ut_line));
533 ut.ut_time = timetv.tv_sec;
537 # else /* not HAVE_PUTUTLINE */
538 # endif /* not HAVE_PUTUTLINE */
539 #endif /* UPDATE_WTMP */
544 # ifdef HAVE_PUTUTXLINE
545 utx.ut_type = OLD_TIME;
547 strlcpy(utx.ut_line, OTIME_MSG, sizeof(utx.ut_line));
548 # ifdef HAVE_UPDWTMPX
549 updwtmpx(WTMPX_FILE, &utx);
550 # else /* not HAVE_UPDWTMPX */
551 # endif /* not HAVE_UPDWTMPX */
552 # else /* not HAVE_PUTUTXLINE */
553 # endif /* not HAVE_PUTUTXLINE */
554 # ifdef HAVE_PUTUTXLINE
555 utx.ut_type = NEW_TIME;
557 strlcpy(utx.ut_line, NTIME_MSG, sizeof(utx.ut_line));
558 # ifdef HAVE_UPDWTMPX
559 updwtmpx(WTMPX_FILE, &utx);
560 # else /* not HAVE_UPDWTMPX */
561 # endif /* not HAVE_UPDWTMPX */
562 # else /* not HAVE_PUTUTXLINE */
563 # endif /* not HAVE_PUTUTXLINE */
564 #endif /* UPDATE_WTMPX */