From: "Kevin D. Kissell" <kevink@mips.com>
To: "Ralf Baechle" <ralf@oss.sgi.com>
Cc: <linux-mips@oss.sgi.com>
Subject: Re: Sigcontext->sc_pc Passed to User
Date: Fri, 12 Jul 2002 13:49:15 +0200 [thread overview]
Message-ID: <008e01c2299a$3268da30$10eca8c0@grendel> (raw)
In-Reply-To: 20020712120024.A20727@dea.linux-mips.net
From: "Ralf Baechle" <ralf@oss.sgi.com>
> On Fri, Jul 12, 2002 at 10:00:27AM +0200, Kevin D. Kissell wrote:
>
> > The IRIX team made some stunningly bad design
> > decisions over the years, my favorite being "virtual
> > swap space" and its side effect of deliberately killing
> > system daemons at random under load. A signal scheme
> > such as we have now in MIPS/Linux, where a user program
> > *cannot* identify the instruction causing a signal if
> > that instruction was in the delay slot of a taken branch,
> > is broken from first principles.
>
> Certainly you're right when you say a signal handler show know which
> instruction was causing a fault. Ours is simply a too bad implementation
> of their interface ...
>
> IRIX virtual swap space is simply memory overcommit. Linux has that too
> and it's been subject to frequent religious discussions on Linux kernel.
> Non-overcommit means large amounts of memory are required when forking
> of a new process. The standard example is a fat bloated Mozilla forking
> for printing. Non-overcommit means you need those 50 or 100 megs of
> Mozilla process size once more and if not as physical memory then at
> least as swap space. Deciede yourself if you're paranoid and want that
> operation to only succeed if that much memory is actually available or
> if you take the risk of the fork & exec operation failing the other way.
Whenever it's been my design responsibility, I made forks fail if
there wasn't enough backing store to handle the process. Frankly,
there are limits to the degree to which an OS should compromise
its integrity for the sake of supporting badly concieved applications,
be they Mozilla or the SGI integrated CAD environment. But
even if you prefer to take the "speculative" or "optimistic" model
for handling the situation, what IRIX did was insane: When, after
having allowed too many unsupportable forks to succeed, they
detected deadlock in the swap system, they killed processes
*at random*. Including system daemons. At a *minimum*,
a system should only terminate processes belonging to the
user (and preferably the process group) who has been granted
speculative fork success. Anything else is a massive "breach of
contract" for a multiuser OS.
IMHO, if someone really wanted to fix this in the OS,
we'd get beyond the traditional Unix "fork" model.
And if someone really wanted to avoid the problem in Mozilla or
an IDE, one would have all subprograms launched by a tiny
"launcher", who would recieve instructions and data via some
form of IPC, fork itself, and exec as appropriate.
But this is getting a bit off the topic. Is anyone aware of any
IRIX applications ported to Linux that would break if we
corrected the signal payload semantics?
Kevin K.
WARNING: multiple messages have this Message-ID (diff)
From: "Kevin D. Kissell" <kevink@mips.com>
To: Ralf Baechle <ralf@oss.sgi.com>
Cc: linux-mips@oss.sgi.com
Subject: Re: Sigcontext->sc_pc Passed to User
Date: Fri, 12 Jul 2002 13:49:15 +0200 [thread overview]
Message-ID: <008e01c2299a$3268da30$10eca8c0@grendel> (raw)
Message-ID: <20020712114915.-OJqVfKN3zdpQtjdFvboteYlH7ZvJ5pg6XQ7CEEUsns@z> (raw)
In-Reply-To: 20020712120024.A20727@dea.linux-mips.net
From: "Ralf Baechle" <ralf@oss.sgi.com>
> On Fri, Jul 12, 2002 at 10:00:27AM +0200, Kevin D. Kissell wrote:
>
> > The IRIX team made some stunningly bad design
> > decisions over the years, my favorite being "virtual
> > swap space" and its side effect of deliberately killing
> > system daemons at random under load. A signal scheme
> > such as we have now in MIPS/Linux, where a user program
> > *cannot* identify the instruction causing a signal if
> > that instruction was in the delay slot of a taken branch,
> > is broken from first principles.
>
> Certainly you're right when you say a signal handler show know which
> instruction was causing a fault. Ours is simply a too bad implementation
> of their interface ...
>
> IRIX virtual swap space is simply memory overcommit. Linux has that too
> and it's been subject to frequent religious discussions on Linux kernel.
> Non-overcommit means large amounts of memory are required when forking
> of a new process. The standard example is a fat bloated Mozilla forking
> for printing. Non-overcommit means you need those 50 or 100 megs of
> Mozilla process size once more and if not as physical memory then at
> least as swap space. Deciede yourself if you're paranoid and want that
> operation to only succeed if that much memory is actually available or
> if you take the risk of the fork & exec operation failing the other way.
Whenever it's been my design responsibility, I made forks fail if
there wasn't enough backing store to handle the process. Frankly,
there are limits to the degree to which an OS should compromise
its integrity for the sake of supporting badly concieved applications,
be they Mozilla or the SGI integrated CAD environment. But
even if you prefer to take the "speculative" or "optimistic" model
for handling the situation, what IRIX did was insane: When, after
having allowed too many unsupportable forks to succeed, they
detected deadlock in the swap system, they killed processes
*at random*. Including system daemons. At a *minimum*,
a system should only terminate processes belonging to the
user (and preferably the process group) who has been granted
speculative fork success. Anything else is a massive "breach of
contract" for a multiuser OS.
IMHO, if someone really wanted to fix this in the OS,
we'd get beyond the traditional Unix "fork" model.
And if someone really wanted to avoid the problem in Mozilla or
an IDE, one would have all subprograms launched by a tiny
"launcher", who would recieve instructions and data via some
form of IPC, fork itself, and exec as appropriate.
But this is getting a bit off the topic. Is anyone aware of any
IRIX applications ported to Linux that would break if we
corrected the signal payload semantics?
Kevin K.
next prev parent reply other threads:[~2002-07-12 11:44 UTC|newest]
Thread overview: 18+ messages / expand[flat|nested] mbox.gz Atom feed top
2002-07-11 9:08 Sigcontext->sc_pc Passed to User Kevin D. Kissell
2002-07-11 9:08 ` Kevin D. Kissell
2002-07-11 13:17 ` Maciej W. Rozycki
2002-07-11 15:16 ` Kevin D. Kissell
2002-07-11 15:16 ` Kevin D. Kissell
2002-07-11 16:52 ` Maciej W. Rozycki
2002-07-12 1:40 ` Ralf Baechle
2002-07-12 8:00 ` Kevin D. Kissell
2002-07-12 8:00 ` Kevin D. Kissell
2002-07-12 10:00 ` Ralf Baechle
2002-07-12 11:49 ` Kevin D. Kissell [this message]
2002-07-12 11:49 ` Kevin D. Kissell
2002-07-12 15:29 ` Ralf Baechle
2002-07-12 13:01 ` Alan Cox
2002-07-12 13:01 ` Alan Cox
2002-07-12 14:23 ` Ralf Baechle
2002-07-12 15:36 ` Alan Cox
2002-07-12 15:36 ` Alan Cox
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='008e01c2299a$3268da30$10eca8c0@grendel' \
--to=kevink@mips.com \
--cc=linux-mips@oss.sgi.com \
--cc=ralf@oss.sgi.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox