xref: /trueos/contrib/ntp/ntpd/ntp_loopfilter.c (revision 94d2b7f64912987093f1a98573737a32e4e5d8d1)
1 /*
2  * ntp_loopfilter.c - implements the NTP loop filter algorithm
3  *
4  * ATTENTION: Get approval from Dave Mills on all changes to this file!
5  *
6  */
7 #ifdef HAVE_CONFIG_H
8 # include <config.h>
9 #endif
10 
11 #include "ntpd.h"
12 #include "ntp_io.h"
13 #include "ntp_unixtime.h"
14 #include "ntp_stdlib.h"
15 
16 #include <stdio.h>
17 #include <ctype.h>
18 
19 #include <signal.h>
20 #include <setjmp.h>
21 
22 #if defined(VMS) && defined(VMS_LOCALUNIT)	/*wjm*/
23 #include "ntp_refclock.h"
24 #endif /* VMS */
25 
26 #ifdef KERNEL_PLL
27 #include "ntp_syscall.h"
28 #endif /* KERNEL_PLL */
29 
30 /*
31  * This is an implementation of the clock discipline algorithm described
32  * in UDel TR 97-4-3, as amended. It operates as an adaptive parameter,
33  * hybrid phase/frequency-lock loop. A number of sanity checks are
34  * included to protect against timewarps, timespikes and general mayhem.
35  * All units are in s and s/s, unless noted otherwise.
36  */
37 #define CLOCK_MAX	.128	/* default step threshold (s) */
38 #define CLOCK_MINSTEP	900.	/* default stepout threshold (s) */
39 #define CLOCK_PANIC	1000.	/* default panic threshold (s) */
40 #define	CLOCK_PHI	15e-6	/* max frequency error (s/s) */
41 #define CLOCK_PLL	16.	/* PLL loop gain (log2) */
42 #define CLOCK_AVG	8.	/* parameter averaging constant */
43 #define CLOCK_FLL	(NTP_MAXPOLL + CLOCK_AVG) /* FLL loop gain */
44 #define	CLOCK_ALLAN	1500.	/* compromise Allan intercept (s) */
45 #define CLOCK_DAY	86400.	/* one day in seconds (s) */
46 #define CLOCK_JUNE	(CLOCK_DAY * 30) /* June in seconds (s) */
47 #define CLOCK_LIMIT	30	/* poll-adjust threshold */
48 #define CLOCK_PGATE	4.	/* poll-adjust gate */
49 #define PPS_MAXAGE	120	/* kernel pps signal timeout (s) */
50 
51 /*
52  * Clock discipline state machine. This is used to control the
53  * synchronization behavior during initialization and following a
54  * timewarp.
55  *
56  *	State	< step		> step		Comments
57  *	====================================================
58  *	NSET	FREQ		step, FREQ	no ntp.drift
59  *
60  *	FSET	SYNC		step, SYNC	ntp.drift
61  *
62  *	FREQ	if (mu < 900)	if (mu < 900)	set freq
63  *		    ignore	    ignore
64  *		else		else
65  *		    freq, SYNC	    freq, step, SYNC
66  *
67  *	SYNC	SYNC		if (mu < 900)	adjust phase/freq
68  *				    ignore
69  *				else
70  *				    SPIK
71  *
72  *	SPIK	SYNC		step, SYNC	set phase
73  */
74 #define S_NSET	0		/* clock never set */
75 #define S_FSET	1		/* frequency set from the drift file */
76 #define S_SPIK	2		/* spike detected */
77 #define S_FREQ	3		/* frequency mode */
78 #define S_SYNC	4		/* clock synchronized */
79 
80 /*
81  * Kernel PLL/PPS state machine. This is used with the kernel PLL
82  * modifications described in the README.kernel file.
83  *
84  * If kernel support for the ntp_adjtime() system call is available, the
85  * ntp_control flag is set. The ntp_enable and kern_enable flags can be
86  * set at configuration time or run time using ntpdc. If ntp_enable is
87  * false, the discipline loop is unlocked and no corrections of any kind
88  * are made. If both ntp_control and kern_enable are set, the kernel
89  * support is used as described above; if false, the kernel is bypassed
90  * entirely and the daemon discipline used instead.
91  *
92  * There have been three versions of the kernel discipline code. The
93  * first (microkernel) now in Solaris discipilnes the microseconds. The
94  * second and third (nanokernel) disciplines the clock in nanoseconds.
95  * These versions are identifed if the symbol STA_PLL is present in the
96  * header file /usr/include/sys/timex.h. The third and current version
97  * includes TAI offset and is identified by the symbol NTP_API with
98  * value 4.
99  *
100  * Each update to a prefer peer sets pps_stratum if it survives the
101  * intersection algorithm and its time is within range. The PPS time
102  * discipline is enabled (STA_PPSTIME bit set in the status word) when
103  * pps_stratum is true and the PPS frequency discipline is enabled. If
104  * the PPS time discipline is enabled and the kernel reports a PPS
105  * signal is present, the pps_control variable is set to the current
106  * time. If the current time is later than pps_control by PPS_MAXAGE
107  * (120 s), this variable is set to zero.
108  *
109  * If an external clock is present, the clock driver sets STA_CLK in the
110  * status word. When the local clock driver sees this bit, it updates
111  * via this routine, which then calls ntp_adjtime() with the STA_PLL bit
112  * set to zero, in which case the system clock is not adjusted. This is
113  * also a signal for the external clock driver to discipline the system
114  * clock.
115  */
116 /*
117  * Program variables that can be tinkered.
118  */
119 double	clock_max = CLOCK_MAX;	/* step threshold (s) */
120 double	clock_minstep = CLOCK_MINSTEP; /* stepout threshold (s) */
121 double	clock_panic = CLOCK_PANIC; /* panic threshold (s) */
122 double	clock_phi = CLOCK_PHI;	/* dispersion rate (s/s) */
123 double	allan_xpt = CLOCK_ALLAN; /* Allan intercept (s) */
124 
125 /*
126  * Program variables
127  */
128 static double clock_offset;	/* offset (s) */
129 double	clock_jitter;		/* offset jitter (s) */
130 double	drift_comp;		/* frequency (s/s) */
131 double	clock_stability;	/* frequency stability (wander) (s/s) */
132 u_long	sys_clocktime;		/* last system clock update */
133 u_long	pps_control;		/* last pps update */
134 u_long	sys_tai;		/* UTC offset from TAI (s) */
135 static void rstclock P((int, u_long, double)); /* transition function */
136 
137 #ifdef KERNEL_PLL
138 struct timex ntv;		/* kernel API parameters */
139 int	pll_status;		/* status bits for kernel pll */
140 #endif /* KERNEL_PLL */
141 
142 /*
143  * Clock state machine control flags
144  */
145 int	ntp_enable;		/* clock discipline enabled */
146 int	pll_control;		/* kernel support available */
147 int	kern_enable;		/* kernel support enabled */
148 int	pps_enable;		/* kernel PPS discipline enabled */
149 int	ext_enable;		/* external clock enabled */
150 int	pps_stratum;		/* pps stratum */
151 int	allow_panic = FALSE;	/* allow panic correction */
152 int	mode_ntpdate = FALSE;	/* exit on first clock set */
153 
154 /*
155  * Clock state machine variables
156  */
157 int	state;			/* clock discipline state */
158 u_char	sys_poll = NTP_MINDPOLL; /* time constant/poll (log2 s) */
159 int	tc_counter;		/* jiggle counter */
160 double	last_offset;		/* last offset (s) */
161 
162 /*
163  * Huff-n'-puff filter variables
164  */
165 static double *sys_huffpuff;	/* huff-n'-puff filter */
166 static int sys_hufflen;		/* huff-n'-puff filter stages */
167 static int sys_huffptr;		/* huff-n'-puff filter pointer */
168 static double sys_mindly;	/* huff-n'-puff filter min delay */
169 
170 #if defined(KERNEL_PLL)
171 /* Emacs cc-mode goes nuts if we split the next line... */
172 #define MOD_BITS (MOD_OFFSET | MOD_MAXERROR | MOD_ESTERROR | \
173     MOD_STATUS | MOD_TIMECONST)
174 #ifdef SIGSYS
175 static void pll_trap P((int));	/* configuration trap */
176 static struct sigaction sigsys;	/* current sigaction status */
177 static struct sigaction newsigsys; /* new sigaction status */
178 static sigjmp_buf env;		/* environment var. for pll_trap() */
179 #endif /* SIGSYS */
180 #endif /* KERNEL_PLL */
181 
182 /*
183  * init_loopfilter - initialize loop filter data
184  */
185 void
init_loopfilter(void)186 init_loopfilter(void)
187 {
188 	/*
189 	 * Initialize state variables. Initially, we expect no drift
190 	 * file, so set the state to S_NSET. If a drift file is present,
191 	 * it will be detected later and the state set to S_FSET.
192 	 */
193 	rstclock(S_NSET, 0, 0);
194 	clock_jitter = LOGTOD(sys_precision);
195 }
196 
197 /*
198  * local_clock - the NTP logical clock loop filter.
199  *
200  * Return codes:
201  * -1	update ignored: exceeds panic threshold
202  * 0	update ignored: popcorn or exceeds step threshold
203  * 1	clock was slewed
204  * 2	clock was stepped
205  *
206  * LOCKCLOCK: The only thing this routine does is set the
207  * sys_rootdispersion variable equal to the peer dispersion.
208  */
209 int
local_clock(struct peer * peer,double fp_offset)210 local_clock(
211 	struct	peer *peer,	/* synch source peer structure */
212 	double	fp_offset	/* clock offset (s) */
213 	)
214 {
215 	int	rval;		/* return code */
216 	u_long	mu;		/* interval since last update (s) */
217 	double	flladj;		/* FLL frequency adjustment (ppm) */
218 	double	plladj;		/* PLL frequency adjustment (ppm) */
219 	double	clock_frequency; /* clock frequency adjustment (ppm) */
220 	double	dtemp, etemp;	/* double temps */
221 #ifdef OPENSSL
222 	u_int32 *tpt;
223 	int	i;
224 	u_int	len;
225 	long	togo;
226 #endif /* OPENSSL */
227 
228 	/*
229 	 * If the loop is opened or the NIST LOCKCLOCK is in use,
230 	 * monitor and record the offsets anyway in order to determine
231 	 * the open-loop response and then go home.
232 	 */
233 #ifdef DEBUG
234 	if (debug)
235 		printf(
236 		    "local_clock: assocID %d offset %.9f freq %.3f state %d\n",
237 		    peer->associd, fp_offset, drift_comp * 1e6, state);
238 #endif
239 #ifdef LOCKCLOCK
240 	return (0);
241 
242 #else /* LOCKCLOCK */
243 	if (!ntp_enable) {
244 		record_loop_stats(fp_offset, drift_comp, clock_jitter,
245 		    clock_stability, sys_poll);
246 		return (0);
247 	}
248 
249 	/*
250 	 * If the clock is way off, panic is declared. The clock_panic
251 	 * defaults to 1000 s; if set to zero, the panic will never
252 	 * occur. The allow_panic defaults to FALSE, so the first panic
253 	 * will exit. It can be set TRUE by a command line option, in
254 	 * which case the clock will be set anyway and time marches on.
255 	 * But, allow_panic will be set FALSE when the update is less
256 	 * than the step threshold; so, subsequent panics will exit.
257 	 */
258 	if (fabs(fp_offset) > clock_panic && clock_panic > 0 &&
259 	    !allow_panic) {
260 		msyslog(LOG_ERR,
261 		    "time correction of %.0f seconds exceeds sanity limit (%.0f); set clock manually to the correct UTC time.",
262 		    fp_offset, clock_panic);
263 		return (-1);
264 	}
265 
266 	/*
267 	 * If simulating ntpdate, set the clock directly, rather than
268 	 * using the discipline. The clock_max defines the step
269 	 * threshold, above which the clock will be stepped instead of
270 	 * slewed. The value defaults to 128 ms, but can be set to even
271 	 * unreasonable values. If set to zero, the clock will never be
272 	 * stepped. Note that a slew will persist beyond the life of
273 	 * this program.
274 	 *
275 	 * Note that if ntpdate is active, the terminal does not detach,
276 	 * so the termination comments print directly to the console.
277 	 */
278 	if (mode_ntpdate) {
279 		if (fabs(fp_offset) > clock_max && clock_max > 0) {
280 			step_systime(fp_offset);
281 			msyslog(LOG_NOTICE, "time reset %+.6f s",
282 	   		    fp_offset);
283 			printf("ntpd: time set %+.6fs\n", fp_offset);
284 		} else {
285 			adj_systime(fp_offset);
286 			msyslog(LOG_NOTICE, "time slew %+.6f s",
287 			    fp_offset);
288 			printf("ntpd: time slew %+.6fs\n", fp_offset);
289 		}
290 		record_loop_stats(fp_offset, drift_comp, clock_jitter,
291 		    clock_stability, sys_poll);
292 		exit (0);
293 	}
294 
295 	/*
296 	 * The huff-n'-puff filter finds the lowest delay in the recent
297 	 * interval. This is used to correct the offset by one-half the
298 	 * difference between the sample delay and minimum delay. This
299 	 * is most effective if the delays are highly assymetric and
300 	 * clockhopping is avoided and the clock frequency wander is
301 	 * relatively small.
302 	 *
303 	 * Note either there is no prefer peer or this update is from
304 	 * the prefer peer.
305 	 */
306 	if (sys_huffpuff != NULL && (sys_prefer == NULL || sys_prefer ==
307 	    peer)) {
308 		if (peer->delay < sys_huffpuff[sys_huffptr])
309 			sys_huffpuff[sys_huffptr] = peer->delay;
310 		if (peer->delay < sys_mindly)
311 			sys_mindly = peer->delay;
312 		if (fp_offset > 0)
313 			dtemp = -(peer->delay - sys_mindly) / 2;
314 		else
315 			dtemp = (peer->delay - sys_mindly) / 2;
316 		fp_offset += dtemp;
317 #ifdef DEBUG
318 		if (debug)
319 			printf(
320 		    "local_clock: size %d mindly %.6f huffpuff %.6f\n",
321 			    sys_hufflen, sys_mindly, dtemp);
322 #endif
323 	}
324 
325 	/*
326 	 * Clock state machine transition function. This is where the
327 	 * action is and defines how the system reacts to large phase
328 	 * and frequency errors. There are two main regimes: when the
329 	 * offset exceeds the step threshold and when it does not.
330 	 * However, if the step threshold is set to zero, a step will
331 	 * never occur. See the instruction manual for the details how
332 	 * these actions interact with the command line options.
333 	 *
334 	 * Note the system poll is set to minpoll only if the clock is
335 	 * stepped. Note also the kernel is disabled if step is
336 	 * disabled or greater than 0.5 s.
337 	 */
338 	clock_frequency = flladj = plladj = 0;
339 	mu = peer->epoch - sys_clocktime;
340 	if (clock_max == 0 || clock_max > 0.5)
341 		kern_enable = 0;
342 	rval = 1;
343 	if (fabs(fp_offset) > clock_max && clock_max > 0) {
344 		switch (state) {
345 
346 		/*
347 		 * In S_SYNC state we ignore the first outlyer amd
348 		 * switch to S_SPIK state.
349 		 */
350 		case S_SYNC:
351 			state = S_SPIK;
352 			return (0);
353 
354 		/*
355 		 * In S_FREQ state we ignore outlyers and inlyers. At
356 		 * the first outlyer after the stepout threshold,
357 		 * compute the apparent frequency correction and step
358 		 * the phase.
359 		 */
360 		case S_FREQ:
361 			if (mu < clock_minstep)
362 				return (0);
363 
364 			clock_frequency = (fp_offset - clock_offset) /
365 			    mu;
366 
367 			/* fall through to S_SPIK */
368 
369 		/*
370 		 * In S_SPIK state we ignore succeeding outlyers until
371 		 * either an inlyer is found or the stepout threshold is
372 		 * exceeded.
373 		 */
374 		case S_SPIK:
375 			if (mu < clock_minstep)
376 				return (0);
377 
378 			/* fall through to default */
379 
380 		/*
381 		 * We get here by default in S_NSET and S_FSET states
382 		 * and from above in S_FREQ or S_SPIK states.
383 		 *
384 		 * In S_NSET state an initial frequency correction is
385 		 * not available, usually because the frequency file has
386 		 * not yet been written. Since the time is outside the
387 		 * step threshold, the clock is stepped. The frequency
388 		 * will be set directly following the stepout interval.
389 		 *
390 		 * In S_FSET state the initial frequency has been set
391 		 * from the frequency file. Since the time is outside
392 		 * the step threshold, the clock is stepped immediately,
393 		 * rather than after the stepout interval. Guys get
394 		 * nervous if it takes 17 minutes to set the clock for
395 		 * the first time.
396 		 *
397 		 * In S_FREQ and S_SPIK states the stepout threshold has
398 		 * expired and the phase is still above the step
399 		 * threshold. Note that a single spike greater than the
400 		 * step threshold is always suppressed, even at the
401 		 * longer poll intervals.
402 		 */
403 		default:
404 			step_systime(fp_offset);
405 			msyslog(LOG_NOTICE, "time reset %+.6f s",
406 			    fp_offset);
407 			reinit_timer();
408 			tc_counter = 0;
409 			sys_poll = NTP_MINPOLL;
410 			sys_tai = 0;
411 			clock_jitter = LOGTOD(sys_precision);
412 			rval = 2;
413 			if (state == S_NSET) {
414 				rstclock(S_FREQ, peer->epoch, 0);
415 				return (rval);
416 			}
417 			break;
418 		}
419 		rstclock(S_SYNC, peer->epoch, 0);
420 	} else {
421 
422 		/*
423 		 * The offset is less than the step threshold. Calculate
424 		 * the jitter as the exponentially weighted offset
425 		 * differences.
426  	      	 */
427 		etemp = SQUARE(clock_jitter);
428 		dtemp = SQUARE(max(fabs(fp_offset - last_offset),
429 		    LOGTOD(sys_precision)));
430 		clock_jitter = SQRT(etemp + (dtemp - etemp) /
431 		    CLOCK_AVG);
432 		switch (state) {
433 
434 		/*
435 		 * In S_NSET state this is the first update received and
436 		 * the frequency has not been initialized. Adjust the
437 		 * phase, but do not adjust the frequency until after
438 		 * the stepout threshold.
439 		 */
440 		case S_NSET:
441 			rstclock(S_FREQ, peer->epoch, fp_offset);
442 			break;
443 
444 		/*
445 		 * In S_FSET state this is the first update received and
446 		 * the frequency has been initialized. Adjust the phase,
447 		 * but do not adjust the frequency until the next
448 		 * update.
449 		 */
450 		case S_FSET:
451 			rstclock(S_SYNC, peer->epoch, fp_offset);
452 			break;
453 
454 		/*
455 		 * In S_FREQ state ignore updates until the stepout
456 		 * threshold. After that, correct the phase and
457 		 * frequency and switch to S_SYNC state.
458 		 */
459 		case S_FREQ:
460 			if (mu < clock_minstep)
461 				return (0);
462 
463 			clock_frequency = (fp_offset - clock_offset) /
464 			    mu;
465 			rstclock(S_SYNC, peer->epoch, fp_offset);
466 			break;
467 
468 		/*
469 		 * We get here by default in S_SYNC and S_SPIK states.
470 		 * Here we compute the frequency update due to PLL and
471 		 * FLL contributions.
472 		 */
473 		default:
474 			allow_panic = FALSE;
475 
476 			/*
477 			 * The FLL and PLL frequency gain constants
478 			 * depend on the poll interval and Allan
479 			 * intercept. The PLL is always used, but
480 			 * becomes ineffective above the Allan
481 			 * intercept. The FLL is not used below one-half
482 			 * the Allan intercept. Above that the loop gain
483 			 * increases in steps to 1 / CLOCK_AVG.
484 			 */
485 			if (ULOGTOD(sys_poll) > allan_xpt / 2) {
486 				dtemp = CLOCK_FLL - sys_poll;
487 				flladj = (fp_offset - clock_offset) /
488 				    (max(mu, allan_xpt) * dtemp);
489 			}
490 
491 			/*
492 			 * For the PLL the integration interval
493 			 * (numerator) is the minimum of the update
494 			 * interval and poll interval. This allows
495 			 * oversampling, but not undersampling.
496 			 */
497 			etemp = min(mu, (u_long)ULOGTOD(sys_poll));
498 			dtemp = 4 * CLOCK_PLL * ULOGTOD(sys_poll);
499 			plladj = fp_offset * etemp / (dtemp * dtemp);
500 			rstclock(S_SYNC, peer->epoch, fp_offset);
501 			break;
502 		}
503 	}
504 
505 #ifdef OPENSSL
506 	/*
507 	 * Scan the loopsecond table to determine the TAI offset. If
508 	 * there is a scheduled leap in future, set the leap warning,
509 	 * but only if less than 30 days before the leap.
510 	 */
511 	tpt = (u_int32 *)tai_leap.ptr;
512 	len = ntohl(tai_leap.vallen) / sizeof(u_int32);
513 	if (tpt != NULL) {
514 		for (i = 0; i < len; i++) {
515 			togo = (long)ntohl(tpt[i]) -
516 			    (long)peer->rec.l_ui;
517 			if (togo > 0) {
518 				if (togo < CLOCK_JUNE)
519 					leap_next |= LEAP_ADDSECOND;
520 				break;
521 			}
522 		}
523 #if defined(STA_NANO) && NTP_API == 4
524 		if (pll_control && kern_enable && sys_tai == 0) {
525 			memset(&ntv, 0, sizeof(ntv));
526 			ntv.modes = MOD_TAI;
527 			ntv.constant = i + TAI_1972 - 1;
528 			ntp_adjtime(&ntv);
529 		}
530 #endif /* STA_NANO */
531 		sys_tai = i + TAI_1972 - 1;
532 	}
533 #endif /* OPENSSL */
534 #ifdef KERNEL_PLL
535 	/*
536 	 * This code segment works when clock adjustments are made using
537 	 * precision time kernel support and the ntp_adjtime() system
538 	 * call. This support is available in Solaris 2.6 and later,
539 	 * Digital Unix 4.0 and later, FreeBSD, Linux and specially
540 	 * modified kernels for HP-UX 9 and Ultrix 4. In the case of the
541 	 * DECstation 5000/240 and Alpha AXP, additional kernel
542 	 * modifications provide a true microsecond clock and nanosecond
543 	 * clock, respectively.
544 	 *
545 	 * Important note: The kernel discipline is used only if the
546 	 * step threshold is less than 0.5 s, as anything higher can
547 	 * lead to overflow problems. This might occur if some misguided
548 	 * lad set the step threshold to something ridiculous.
549 	 */
550 	if (pll_control && kern_enable) {
551 
552 		/*
553 		 * We initialize the structure for the ntp_adjtime()
554 		 * system call. We have to convert everything to
555 		 * microseconds or nanoseconds first. Do not update the
556 		 * system variables if the ext_enable flag is set. In
557 		 * this case, the external clock driver will update the
558 		 * variables, which will be read later by the local
559 		 * clock driver. Afterwards, remember the time and
560 		 * frequency offsets for jitter and stability values and
561 		 * to update the frequency file.
562 		 */
563 		memset(&ntv,  0, sizeof(ntv));
564 		if (ext_enable) {
565 			ntv.modes = MOD_STATUS;
566 		} else {
567 			struct tm *tm = NULL;
568 			time_t tstamp;
569 
570 #ifdef STA_NANO
571 			ntv.modes = MOD_BITS | MOD_NANO;
572 #else /* STA_NANO */
573 			ntv.modes = MOD_BITS;
574 #endif /* STA_NANO */
575 			if (clock_offset < 0)
576 				dtemp = -.5;
577 			else
578 				dtemp = .5;
579 #ifdef STA_NANO
580 			ntv.offset = (int32)(clock_offset * 1e9 +
581 			    dtemp);
582 			ntv.constant = sys_poll;
583 #else /* STA_NANO */
584 			ntv.offset = (int32)(clock_offset * 1e6 +
585 			    dtemp);
586 			ntv.constant = sys_poll - 4;
587 #endif /* STA_NANO */
588 
589 			/*
590 			 * The frequency is set directly only if
591 			 * clock_frequency is nonzero coming out of FREQ
592 			 * state.
593 			 */
594 			if (clock_frequency != 0) {
595 				ntv.modes |= MOD_FREQUENCY;
596 				ntv.freq = (int32)((clock_frequency +
597 				    drift_comp) * 65536e6);
598 			}
599 			ntv.esterror = (u_int32)(clock_jitter * 1e6);
600 			ntv.maxerror = (u_int32)((sys_rootdelay / 2 +
601 			    sys_rootdispersion) * 1e6);
602 			ntv.status = STA_PLL;
603 
604 			/*
605 			 * Set the leap bits in the status word, but
606 			 * only on the last day of June or December.
607 			 */
608 			tstamp = peer->rec.l_ui - JAN_1970;
609 			tm = gmtime(&tstamp);
610 			if (tm != NULL) {
611 				if ((tm->tm_mon + 1 == 6 &&
612 				    tm->tm_mday == 30) || (tm->tm_mon +
613 				    1 == 12 && tm->tm_mday == 31)) {
614 					if (leap_next & LEAP_ADDSECOND)
615 						ntv.status |= STA_INS;
616 					else if (leap_next &
617 					    LEAP_DELSECOND)
618 						ntv.status |= STA_DEL;
619 				}
620 			}
621 
622 			/*
623 			 * If the PPS signal is up and enabled, light
624 			 * the frequency bit. If the PPS driver is
625 			 * working, light the phase bit as well. If not,
626 			 * douse the lights, since somebody else may
627 			 * have left the switch on.
628 			 */
629 			if (pps_enable && pll_status & STA_PPSSIGNAL) {
630 				ntv.status |= STA_PPSFREQ;
631 				if (pps_stratum < STRATUM_UNSPEC)
632 					ntv.status |= STA_PPSTIME;
633 			} else {
634 				ntv.status &= ~(STA_PPSFREQ |
635 				    STA_PPSTIME);
636 			}
637 		}
638 
639 		/*
640 		 * Pass the stuff to the kernel. If it squeals, turn off
641 		 * the pig. In any case, fetch the kernel offset and
642 		 * frequency and pretend we did it here.
643 		 */
644 		if (ntp_adjtime(&ntv) == TIME_ERROR) {
645 			NLOG(NLOG_SYNCEVENT | NLOG_SYSEVENT)
646 			    msyslog(LOG_NOTICE,
647 			    "kernel time sync error %04x", ntv.status);
648 			ntv.status &= ~(STA_PPSFREQ | STA_PPSTIME);
649 		}
650 		pll_status = ntv.status;
651 #ifdef STA_NANO
652 		clock_offset = ntv.offset / 1e9;
653 #else /* STA_NANO */
654 		clock_offset = ntv.offset / 1e6;
655 #endif /* STA_NANO */
656 		clock_frequency = ntv.freq / 65536e6;
657 		flladj = plladj = 0;
658 
659 		/*
660 		 * If the kernel PPS is lit, monitor its performance.
661 		 */
662 		if (ntv.status & STA_PPSTIME) {
663 			pps_control = current_time;
664 #ifdef STA_NANO
665 			clock_jitter = ntv.jitter / 1e9;
666 #else /* STA_NANO */
667 			clock_jitter = ntv.jitter / 1e6;
668 #endif /* STA_NANO */
669 		}
670 	} else {
671 #endif /* KERNEL_PLL */
672 
673 		/*
674 		 * We get here if the kernel discipline is not enabled.
675 		 * Adjust the clock frequency as the sum of the directly
676 		 * computed frequency (if measured) and the PLL and FLL
677 		 * increments.
678 		 */
679 		clock_frequency = drift_comp + clock_frequency +
680 		    flladj + plladj;
681 #ifdef KERNEL_PLL
682 	}
683 #endif /* KERNEL_PLL */
684 
685 	/*
686 	 * Clamp the frequency within the tolerance range and calculate
687 	 * the frequency change since the last update.
688 	 */
689 	if (fabs(clock_frequency) > NTP_MAXFREQ)
690 		NLOG(NLOG_SYNCEVENT | NLOG_SYSEVENT)
691 		    msyslog(LOG_NOTICE,
692 		    "frequency error %.0f PPM exceeds tolerance %.0f PPM",
693 		    clock_frequency * 1e6, NTP_MAXFREQ * 1e6);
694 	dtemp = SQUARE(clock_frequency - drift_comp);
695 	if (clock_frequency > NTP_MAXFREQ)
696 		drift_comp = NTP_MAXFREQ;
697 	else if (clock_frequency < -NTP_MAXFREQ)
698 		drift_comp = -NTP_MAXFREQ;
699 	else
700 		drift_comp = clock_frequency;
701 
702 	/*
703 	 * Calculate the wander as the exponentially weighted frequency
704 	 * differences.
705 	 */
706 	etemp = SQUARE(clock_stability);
707 	clock_stability = SQRT(etemp + (dtemp - etemp) / CLOCK_AVG);
708 
709 	/*
710 	 * Here we adjust the poll interval by comparing the current
711 	 * offset with the clock jitter. If the offset is less than the
712 	 * clock jitter times a constant, then the averaging interval is
713 	 * increased, otherwise it is decreased. A bit of hysteresis
714 	 * helps calm the dance. Works best using burst mode.
715 	 */
716 	if (fabs(clock_offset) < CLOCK_PGATE * clock_jitter) {
717 		tc_counter += sys_poll;
718 		if (tc_counter > CLOCK_LIMIT) {
719 			tc_counter = CLOCK_LIMIT;
720 			if (sys_poll < peer->maxpoll) {
721 				tc_counter = 0;
722 				sys_poll++;
723 			}
724 		}
725 	} else {
726 		tc_counter -= sys_poll << 1;
727 		if (tc_counter < -CLOCK_LIMIT) {
728 			tc_counter = -CLOCK_LIMIT;
729 			if (sys_poll > peer->minpoll) {
730 				tc_counter = 0;
731 				sys_poll--;
732 			}
733 		}
734 	}
735 
736 	/*
737 	 * Yibbidy, yibbbidy, yibbidy; that'h all folks.
738 	 */
739 	record_loop_stats(clock_offset, drift_comp, clock_jitter,
740 	    clock_stability, sys_poll);
741 #ifdef DEBUG
742 	if (debug)
743 		printf(
744 		    "local_clock: mu %lu jitr %.6f freq %.3f stab %.6f poll %d count %d\n",
745 		    mu, clock_jitter, drift_comp * 1e6,
746 		    clock_stability * 1e6, sys_poll, tc_counter);
747 #endif /* DEBUG */
748 	return (rval);
749 #endif /* LOCKCLOCK */
750 }
751 
752 
753 /*
754  * adj_host_clock - Called once every second to update the local clock.
755  *
756  * LOCKCLOCK: The only thing this routine does is increment the
757  * sys_rootdispersion variable.
758  */
759 void
adj_host_clock(void)760 adj_host_clock(
761 	void
762 	)
763 {
764 	double	adjustment;
765 
766 	/*
767 	 * Update the dispersion since the last update. In contrast to
768 	 * NTPv3, NTPv4 does not declare unsynchronized after one day,
769 	 * since the dispersion check serves this function. Also,
770 	 * since the poll interval can exceed one day, the old test
771 	 * would be counterproductive. Note we do this even with
772 	 * external clocks, since the clock driver will recompute the
773 	 * maximum error and the local clock driver will pick it up and
774 	 * pass to the common refclock routines. Very elegant.
775 	 */
776 	sys_rootdispersion += clock_phi;
777 
778 #ifndef LOCKCLOCK
779 	/*
780 	 * If clock discipline is disabled or if the kernel is enabled,
781 	 * get out of Dodge quick.
782 	 */
783 	if (!ntp_enable || mode_ntpdate || (pll_control &&
784 	    kern_enable))
785 		return;
786 
787 	/*
788 	 * Declare PPS kernel unsync if the pps signal has not been
789 	 * heard for a few minutes.
790 	 */
791 	if (pps_control && current_time - pps_control > PPS_MAXAGE) {
792 		if (pps_control)
793 			NLOG(NLOG_SYNCEVENT | NLOG_SYSEVENT)
794 			    msyslog(LOG_NOTICE, "pps sync disabled");
795 		pps_control = 0;
796 	}
797 
798 	/*
799 	 * Implement the phase and frequency adjustments. The gain
800 	 * factor (denominator) is not allowed to increase beyond the
801 	 * Allan intercept. It doesn't make sense to average phase noise
802 	 * beyond this point and it helps to damp residual offset at the
803 	 * longer poll intervals.
804 	 */
805 	adjustment = clock_offset / (CLOCK_PLL * min(ULOGTOD(sys_poll),
806 	    allan_xpt));
807 	clock_offset -= adjustment;
808 	adj_systime(adjustment + drift_comp);
809 #endif /* LOCKCLOCK */
810 }
811 
812 
813 /*
814  * Clock state machine. Enter new state and set state variables. Note we
815  * use the time of the last clock filter sample, which may be earlier
816  * than the current time.
817  */
818 static void
rstclock(int trans,u_long update,double offset)819 rstclock(
820 	int	trans,		/* new state */
821 	u_long	update,		/* new update time */
822 	double	offset		/* new offset */
823 	)
824 {
825 #ifdef DEBUG
826 	if (debug)
827 		printf("local_clock: time %lu offset %.6f freq %.3f state %d\n",
828 		    update, offset, drift_comp * 1e6, trans);
829 #endif
830 	state = trans;
831 	sys_clocktime = update;
832 	last_offset = clock_offset = offset;
833 }
834 
835 
836 /*
837  * huff-n'-puff filter
838  */
839 void
huffpuff()840 huffpuff()
841 {
842 	int i;
843 
844 	if (sys_huffpuff == NULL)
845 		return;
846 
847 	sys_huffptr = (sys_huffptr + 1) % sys_hufflen;
848 	sys_huffpuff[sys_huffptr] = 1e9;
849 	sys_mindly = 1e9;
850 	for (i = 0; i < sys_hufflen; i++) {
851 		if (sys_huffpuff[i] < sys_mindly)
852 			sys_mindly = sys_huffpuff[i];
853 	}
854 }
855 
856 
857 /*
858  * loop_config - configure the loop filter
859  *
860  * LOCKCLOCK: The LOOP_DRIFTINIT and LOOP_DRIFTCOMP cases are no-ops.
861  */
862 void
loop_config(int item,double freq)863 loop_config(
864 	int item,
865 	double freq
866 	)
867 {
868 	int i;
869 
870 	switch (item) {
871 
872 	case LOOP_DRIFTINIT:
873 
874 #ifndef LOCKCLOCK
875 #ifdef KERNEL_PLL
876 		/*
877 		 * Assume the kernel supports the ntp_adjtime() syscall.
878 		 * If that syscall works, initialize the kernel time
879  		 * variables. Otherwise, continue leaving no harm
880 		 * behind. While at it, ask to set nanosecond mode. If
881 		 * the kernel agrees, rejoice; othewise, it does only
882 		 * microseconds.
883 		 */
884 		if (mode_ntpdate)
885 			break;
886 
887 		pll_control = 1;
888 		memset(&ntv, 0, sizeof(ntv));
889 #ifdef STA_NANO
890 		ntv.modes = MOD_BITS | MOD_NANO;
891 #else /* STA_NANO */
892 		ntv.modes = MOD_BITS;
893 #endif /* STA_NANO */
894 		ntv.maxerror = MAXDISPERSE;
895 		ntv.esterror = MAXDISPERSE;
896 		ntv.status = STA_UNSYNC;
897 #ifdef SIGSYS
898 		/*
899 		 * Use sigsetjmp() to save state and then call
900 		 * ntp_adjtime(); if it fails, then siglongjmp() is used
901 		 * to return control
902 		 */
903 		newsigsys.sa_handler = pll_trap;
904 		newsigsys.sa_flags = 0;
905 		if (sigaction(SIGSYS, &newsigsys, &sigsys)) {
906 			msyslog(LOG_ERR,
907 			    "sigaction() fails to save SIGSYS trap: %m");
908 			pll_control = 0;
909 		}
910 		if (sigsetjmp(env, 1) == 0)
911 			ntp_adjtime(&ntv);
912 		if ((sigaction(SIGSYS, &sigsys,
913 		    (struct sigaction *)NULL))) {
914 			msyslog(LOG_ERR,
915 			    "sigaction() fails to restore SIGSYS trap: %m");
916 			pll_control = 0;
917 		}
918 #else /* SIGSYS */
919 		ntp_adjtime(&ntv);
920 #endif /* SIGSYS */
921 
922 		/*
923 		 * Save the result status and light up an external clock
924 		 * if available.
925 		 */
926 		pll_status = ntv.status;
927 		if (pll_control) {
928 #ifdef STA_NANO
929 			if (pll_status & STA_CLK)
930 				ext_enable = 1;
931 #endif /* STA_NANO */
932 			NLOG(NLOG_SYNCEVENT | NLOG_SYSEVENT)
933 			    msyslog(LOG_INFO,
934 		  	    "kernel time sync status %04x",
935 			    pll_status);
936 		}
937 #endif /* KERNEL_PLL */
938 #endif /* LOCKCLOCK */
939 		break;
940 
941 	case LOOP_DRIFTCOMP:
942 
943 #ifndef LOCKCLOCK
944 		/*
945 		 * If the frequency value is reasonable, set the initial
946 		 * frequency to the given value and the state to S_FSET.
947 		 * Otherwise, the drift file may be missing or broken,
948 		 * so set the frequency to zero. This erases past
949 		 * history should somebody break something.
950 		 */
951 		if (freq <= NTP_MAXFREQ && freq >= -NTP_MAXFREQ) {
952 			drift_comp = freq;
953 			rstclock(S_FSET, 0, 0);
954 		} else {
955 			drift_comp = 0;
956 		}
957 
958 #ifdef KERNEL_PLL
959 		/*
960 		 * Sanity check. If the kernel is available, load the
961 		 * frequency and light up the loop. Make sure the offset
962 		 * is zero to cancel any previous nonsense. If you don't
963 		 * want this initialization, remove the ntp.drift file.
964 		 */
965 		if (pll_control && kern_enable) {
966 			memset((char *)&ntv, 0, sizeof(ntv));
967 			ntv.modes = MOD_OFFSET | MOD_FREQUENCY;
968 			ntv.freq = (int32)(drift_comp * 65536e6);
969 			ntp_adjtime(&ntv);
970 		}
971 #endif /* KERNEL_PLL */
972 #endif /* LOCKCLOCK */
973 		break;
974 
975 	case LOOP_KERN_CLEAR:
976 #ifndef LOCKCLOCK
977 #ifdef KERNEL_PLL
978 		/* Completely turn off the kernel time adjustments. */
979 		if (pll_control) {
980 			memset((char *)&ntv, 0, sizeof(ntv));
981 			ntv.modes = MOD_BITS | MOD_OFFSET | MOD_FREQUENCY;
982 			ntv.status = STA_UNSYNC;
983 			ntp_adjtime(&ntv);
984 			NLOG(NLOG_SYNCEVENT | NLOG_SYSEVENT)
985 			    msyslog(LOG_INFO,
986 		  	    "kernel time sync disabled %04x",
987 			    ntv.status);
988 		   }
989 #endif /* KERNEL_PLL */
990 #endif /* LOCKCLOCK */
991 		break;
992 
993 	/*
994 	 * Special tinker variables for Ulrich Windl. Very dangerous.
995 	 */
996 	case LOOP_MAX:			/* step threshold */
997 		clock_max = freq;
998 		break;
999 
1000 	case LOOP_PANIC:		/* panic threshold */
1001 		clock_panic = freq;
1002 		break;
1003 
1004 	case LOOP_PHI:			/* dispersion rate */
1005 		clock_phi = freq;
1006 		break;
1007 
1008 	case LOOP_MINSTEP:		/* watchdog bark */
1009 		clock_minstep = freq;
1010 		break;
1011 
1012 	case LOOP_ALLAN:		/* Allan intercept */
1013 		allan_xpt = freq;
1014 		break;
1015 
1016 	case LOOP_HUFFPUFF:		/* huff-n'-puff filter length */
1017 		if (freq < HUFFPUFF)
1018 			freq = HUFFPUFF;
1019 		sys_hufflen = (int)(freq / HUFFPUFF);
1020 		sys_huffpuff = (double *)emalloc(sizeof(double) *
1021 		    sys_hufflen);
1022 		for (i = 0; i < sys_hufflen; i++)
1023 			sys_huffpuff[i] = 1e9;
1024 		sys_mindly = 1e9;
1025 		break;
1026 
1027 	case LOOP_FREQ:			/* initial frequency */
1028 		drift_comp = freq / 1e6;
1029 		rstclock(S_FSET, 0, 0);
1030 		break;
1031 	}
1032 }
1033 
1034 
1035 #if defined(KERNEL_PLL) && defined(SIGSYS)
1036 /*
1037  * _trap - trap processor for undefined syscalls
1038  *
1039  * This nugget is called by the kernel when the SYS_ntp_adjtime()
1040  * syscall bombs because the silly thing has not been implemented in
1041  * the kernel. In this case the phase-lock loop is emulated by
1042  * the stock adjtime() syscall and a lot of indelicate abuse.
1043  */
1044 static RETSIGTYPE
pll_trap(int arg)1045 pll_trap(
1046 	int arg
1047 	)
1048 {
1049 	pll_control = 0;
1050 	siglongjmp(env, 1);
1051 }
1052 #endif /* KERNEL_PLL && SIGSYS */
1053