cvs commit: src/sys/dev/netif/ndis if_ndis.c

Matthew Dillon dillon at apollo.backplane.com
Thu Aug 11 12:06:34 PDT 2005


:On 11.08.2005, at 19:34, Matthew Dillon wrote:
:>     From my read, nearly all the M_NOWAIT's here should be changed
:>     to M_INTWAIT's.  Basically any path which is not subject to
:>     network load, which is all of the paths still using M_NOWAIT
:>     in this case.
:
:What's preferable: gracefully accept low-memory situations, or block on 
:these?  I prefer the former.

    For malloc to fail in a low-memory situation implies that malloc is
    being called in a manner which scales to the load.  i.e. that we have
    to allow it to fail or the system would not be able to recover.

    malloc's which do NOT scale to load, in particular any malloc related
    to structures that already exist in the system, or during initialization,
    or other things that do not scale to load, should be expected to succeed
    and M_NOWAIT should not be used with them.

    A very common place for bugs to be introduced is in error handling,
    simply because error paths are very rarely exercised on a running system.
    For this reason, trying to deal with low-memory situations gracefully
    for allocations which are not significant contributors to the low-memory
    situation or otherwise not significantly related to the load on the 
    system is a bad idea.  Such allocations should always be required to
    succeed.

    I'll give you a couple of examples:  

    * Incoming packets.  Clearly such allocations must be allowed to fail
      (and they do).

    * Dynamic filter rules.  Clearly should be programmatically limited
      and not depend on M_NOWAIT failing.

    * Look-aside structures related to elements of the system that have
      already been successfully allocated.  For example, let's say we
      have an I/O buffer and we need to tag it with a small allocated
      structure.  Such allocations should be required to succeed.

    * Temporary structures, used during the course of a single procedure,
      clearly must be required to succeed.

    * Allocations with limited scope during initialization, such as the
      ring buffers for a network driver, clearly must be required to succeed.

    And so on and so forth.

					-Matt
					Matthew Dillon 
					<dillon at xxxxxxxxxxxxx>
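The policy laid out in the mail (let load-scaling allocations fail, require bounded ones to succeed, and bound things like rule tables programmatically) can be exercised outside the kernel. The following is an added, user-space model written for this page; it is not code from the DragonFly tree, from if_ndis.c or from anyone in this thread. M_NOWAIT and M_INTWAIT are stood in for by two hypothetical wrappers, alloc_nowait() and alloc_mustsucceed(), over a constructed 4096-byte budget; the packet, rule-table and buffer-tag cases mirror the three kinds of allocation the mail names, and all sizes and limits are made up for the demonstration.

```c
#include <stdio.h>
#include <stdlib.h>

/* Constructed memory budget (bytes), small so the load-scaling path can be
 * driven into exhaustion deterministically. Not a real allocator. */
static size_t mem_budget = 4096;
static size_t mem_in_use = 0;

/* Model of M_NOWAIT: returns NULL when the budget is exhausted.
 * Appropriate only for allocations that scale with external load. */
static void *alloc_nowait(size_t n)
{
    if (mem_in_use + n > mem_budget)
        return NULL;
    mem_in_use += n;
    return calloc(1, n);
}

/* Model of an M_INTWAIT-style "must succeed" allocation (hypothetical name).
 * In the kernel the allocator waits for memory; in this user-space model a
 * failure is treated as a bug (abort) instead of being returned, so callers
 * carry no rarely-exercised error path. */
static void *alloc_mustsucceed(size_t n)
{
    void *p = alloc_nowait(n);
    if (p == NULL) {
        fprintf(stderr, "bounded allocation of %zu bytes failed: bug\n", n);
        abort();
    }
    return p;
}

static void free_mem(void *p, size_t n)
{
    free(p);
    mem_in_use -= n;
}

/* Case 1: incoming packets scale with load, so the allocation may fail and
 * the receive path handles NULL by dropping the packet. */
#define PKT_SIZE 512
#define MAX_BURST 64

struct rx_stats { unsigned accepted, dropped; };

static struct rx_stats receive_burst(unsigned npkts)
{
    struct rx_stats st = {0, 0};
    void *held[MAX_BURST];
    if (npkts > MAX_BURST)
        npkts = MAX_BURST;
    for (unsigned i = 0; i < npkts; i++) {
        void *pkt = alloc_nowait(PKT_SIZE);
        if (pkt == NULL) {
            st.dropped++;           /* graceful: drop under memory pressure */
            continue;
        }
        held[st.accepted++] = pkt;
    }
    for (unsigned i = 0; i < st.accepted; i++)
        free_mem(held[i], PKT_SIZE); /* packets processed and released */
    return st;
}

/* Case 2: dynamic filter rules are bounded by an explicit limit, so the
 * table, not the allocator, rejects the excess; the allocation never fails. */
#define MAX_RULES 8
struct rule { unsigned id; };
static struct rule *rules[MAX_RULES];
static unsigned nrules = 0;

static int add_rule(unsigned id)
{
    if (nrules >= MAX_RULES)
        return -1;   /* administrative limit reached; nothing was allocated */
    struct rule *r = alloc_mustsucceed(sizeof *r);
    r->id = id;
    rules[nrules++] = r;
    return 0;
}

/* Tries to add `want` rules; returns how many the limit admitted. */
static unsigned load_rules(unsigned want)
{
    unsigned added = 0;
    for (unsigned i = 0; i < want; i++)
        if (add_rule(1000 + i) == 0)
            added++;
    return added;
}

/* Case 3: a look-aside tag on an I/O buffer that already exists. The buffer
 * is the load-scaling object and may fail; the small tag must not. */
struct tag { unsigned owner; };
struct iobuf { void *data; size_t len; struct tag *tag; };

static unsigned tag_existing_buffer(unsigned owner)
{
    struct iobuf b = { alloc_nowait(1024), 1024, NULL };
    if (b.data == NULL)
        return 0;                              /* buffer itself may fail */
    b.tag = alloc_mustsucceed(sizeof *b.tag);  /* tag never fails */
    b.tag->owner = owner;
    unsigned got = b.tag->owner;
    free_mem(b.tag, sizeof *b.tag);
    free_mem(b.data, b.len);
    return got;
}
```

With the constructed budget, a burst of 16 packets yields 8 accepted and 8 dropped, the rule table stops at 8 entries before memory is ever the limiting factor, and the tag path has a single outcome. The point the model makes is the one in the mail: only receive_burst() carries a NULL check, and that path is hit on every overloaded burst, so it is tested in practice; the other two paths have no error branch to leave untested.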




