l4-hurd

Re: Persistence


From: Emmanuel Colbus
Subject: Re: Persistence
Date: Mon, 31 Oct 2005 21:26:37 +0100 (CET)

Marcus Brinkmann wrote:

> Capabilities to resources outside of the persistent core (device
> drivers, external filesystems, network) have to be invalidated on
> recover.
> 
> This will make the applications that rely on them get a fault, which
> they can handle by reconnecting (and then verifying their consistency
> requirements!) or by terminating.
> 

Yes, this may work as soon as the application tries to perform an action 
on the given capability, but what if it was just waiting for data 
to be available? Will the system send such applications a fault at 
system restart? Then, in this case, how does the application know which 
capabilities have to be reconnected? (Is it possible for it to know 
which of its capabilities refer to something outside the persistent 
core?)

And what if the system crashes again, but has taken its last snapshot 
during application reconnection? (Well, such a reconnection may take a 
long time...) Will an application that is in its recovery fault handler 
receive the fault another time?

And what if one finds a way to deterministically crash the system, and starts
a task which will crash it just after a snapshot? Or, worse, after twenty 
days, just after a snapshot, and every time it receives the system recovery
fault, and every time the date is set over task start time + 20 days?

Thanks,
Emmanuel




