Make hiffy callable over the network

[mkeeter]

For too long, a network-attached Humility has only been able to run a subset of hiffy programs (ones that exclusively use the Send operations, using the udprpc hack). This PR adds a net feature to the hiffy task, restoring it to full usefulness when network-attached.

hiffy accepts three messages:

• Write program text
• Write data
• Kick (begin execution)

For simplicity, these messages only write to RAM. Even the HiffyKick message doesn't actually start execution itself; it just sets the HIFFY_KICK variable, which is checked the main loop. This mimics the behavior of the debugger.

Interestingly, we don't need any new infrastructure to read the results; we can use the existing RAM-reading infrastructure.

Unfortunately, Github is butchering the diff here. The existing code (look for kick, run program) is unchanged but for indentation, because we have two notifications (timer and net activity). If the new net notification fires, then we handle the packet in a new net::State object.

I'm opening this as a draft while I polish up the Humility side, but it's ready for review now.

[mkeeter]

Marking this a ready-for-review now that oxidecomputer/humility#616 is out

[lzrd]

I would fix the repeated literal constants.
It would be nice to see all of the loop timing and retry constants be together.

[lzrd]

Same literal constant repeated. Make it symbolic.

[mkeeter]

Can you suggest names for these constants? The first 10 is "number of iterations to run between updates to sleep_ms", the second 10 is "scale factor between updates"; neither of them have a good pithy name.

(This is also unchanged from the previous code, just indented)

[lzrd]

We're in an intentional insecure mode. But, do we at least get an integrity check on the network transport? There isn't one at this layer. This is debug/YOLO mode, but a light check to scope a data corruption error would be good.
Maybe just a comment on data integrity for now.

[mkeeter]

We use IPv6 UDP, which has a 16-bit checksum. This is true for all Hubris network activity, so calling out Hiffy as uniquely bad doesn't make sense to me.

[labbott]

It feels odd to potentially check the net task here and then also have to check the timer. It's probably fine and I think I'm having a strong reaction to this not being an idol server (hiffy probably pre-dates that?)

[mkeeter]

Can you say more about why it feels odd? We're waiting on the combined net + timer notification bits, so it seems reasonable to check which one(s) fired and proceed accordingly.

I did consider making this an Idol server, but decided against it:

• hiffy doesn't expose any public IPCs
• We'd end up doing the same notification checks in the impl NotificationHandler, with more indirection / overhead from the Idol runtime

[labbott]

I was initially concerned about TOCTOU with the net and timer aligning in weird ways but I don't think that's actually a concern on re-review

[labbott]

I don't think we're less unsound but do we need further discussion either her or in another comment about interactions between hiffy over probe and hiffy over the network? I can handwave about soundness okay from one external input source (probe) but two (net and probe) makes things more complicated. Is using both net hiffy and probe hiffy in the category of "don't do that"?

[mkeeter]

How about we bring in #2475 first, then I update this PR to use those new primitives (e.g. lifetime-bounded slices)?

[labbott]

yes I think that would make things easier to reason about

[mkeeter]

Done and rebased!