All of lore.kernel.org
 help / color / mirror / Atom feed
From: Ian Campbell <ian.campbell@citrix.com>
To: Ian Jackson <Ian.Jackson@eu.citrix.com>,
	George Dunlap <dunlapg@umich.edu>
Cc: Shriram Rajagopalan <rshriram@cs.ubc.ca>,
	Andrew Cooper <andrew.cooper3@citrix.com>,
	Yang Hongyang <yanghy@cn.fujitsu.com>,
	Martin Osterloh <osterlohm@ainfosec.com>,
	"xen-devel@lists.xen.org" <xen-devel@lists.xen.org>
Subject: Re: Current LibXL Status
Date: Thu, 18 Feb 2016 17:26:33 +0000	[thread overview]
Message-ID: <1455816393.6225.59.camel@citrix.com> (raw)
In-Reply-To: <22213.64828.978431.135803@mariner.uk.xensource.com>

On Thu, 2016-02-18 at 17:19 +0000, Ian Jackson wrote:
> George Dunlap writes ("Re: [Xen-devel] Current LibXL Status"):
> > So what was the conclusion here?  It looks like we've confirmed that
> > exit() is only called:
> > 
> > 1. In the case of a malloc() failure
> > 2. in libxl-save-helper (a separate process forked by the library)
> > 3. In libxl__event_disaster(), if no callback is provided
>   4. In other processes forked by the library
> 
> But, yes,l basically.
> 
> > Which just leaves #1 as something to be discussed?
> 
> Is this crashing on malloc failure a problem ?

It is for non-C language bindings which might be using garbage collection,
since they might be OOM from a malloc perspective but actually have loads
of spare memory waiting to be collected (which they might plausibly be
doing quite lazily).

I just reminded people of my proposal to provide a callback to allow the
app/bindings to run their gc here in my reply to George before I saw your
reply.

> From the point of view of libxl's innards, making malloc failures
> fatal means that nothing that allocates memory needs to care about
> malloc failures.  That massively reduces the number of error paths to
> be considered and eliminates an entire class of (largely theoretical)
> bugs.
> 
> And often there is no good recovery possible (and logging the error is
> hard too).
> 
> I'm not sure whether I'd want to change this policy even if someone
> wanted to commit to auditing libxl and submitting the necessary
> patches to cope with every malloc failure.  Having to cope with malloc
> failure would be a continual burden on every proposed change or new
> feature.

I agree that we don't want to change this policy, but I think an OOM hook
is sufficient to solve the actual problem.


> If in practice this is a problem it would probaby be better to run
> libxl in a process which can be restarted if it dies due to malloc
> failure.
> 
> Ian.

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
http://lists.xen.org/xen-devel

  reply	other threads:[~2016-02-18 17:26 UTC|newest]

Thread overview: 26+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2015-11-18 18:32 Current LibXL Status Martin Osterloh
2015-11-19  9:20 ` Ian Campbell
2015-11-19 10:23   ` George Dunlap
2015-11-19 10:55   ` Andrew Cooper
2015-11-19 11:23     ` Ian Campbell
2015-11-19 11:30       ` Processed: " xen
2015-11-19 11:33       ` Andrew Cooper
2015-11-19 11:48         ` Ian Campbell
2015-11-19 11:55           ` Ian Campbell
2015-11-19 12:16             ` Ian Campbell
2015-11-20  0:30               ` Yang Hongyang
2016-02-18 17:09               ` George Dunlap
2016-02-18 17:19                 ` Ian Jackson
2016-02-18 17:26                   ` Ian Campbell [this message]
2016-02-18 17:40                     ` George Dunlap
2016-02-18 17:24                 ` Ian Campbell
2016-02-18 18:30           ` Ian Jackson
2015-11-19 15:34       ` George Dunlap
2016-02-18 17:26       ` George Dunlap
2016-02-18 17:39         ` Ian Campbell
2016-02-18 17:47           ` George Dunlap
2016-02-18 17:50           ` Ian Campbell
2016-02-18 18:15     ` libxl and malloc failure (Re: Current LibXL Status) Ian Jackson
2016-02-19 10:52       ` Ian Campbell
2016-02-19 11:00         ` Processed: " xen
2016-02-22 16:48         ` Ian Jackson

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=1455816393.6225.59.camel@citrix.com \
    --to=ian.campbell@citrix.com \
    --cc=Ian.Jackson@eu.citrix.com \
    --cc=andrew.cooper3@citrix.com \
    --cc=dunlapg@umich.edu \
    --cc=osterlohm@ainfosec.com \
    --cc=rshriram@cs.ubc.ca \
    --cc=xen-devel@lists.xen.org \
    --cc=yanghy@cn.fujitsu.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.