cvs commit: src/sys/dev/netif/ndis if_ndis.c
Matthew Dillon
dillon at apollo.backplane.com
Thu Aug 11 12:06:34 PDT 2005
:On 11.08.2005, at 19:34, Matthew Dillon wrote:
:> From my read, nearly all the M_NOWAIT's here should be changed
:> to M_INTWAIT's. Basically any path which is not subject to
:> network load, which is all of the paths still using M_NOWAIT
:> in this case.
:
:What's preferable: gracefully accept low-memory situations, or block on
:these? I prefer the former.
For malloc to fail in a low-memory situation implies that malloc is
being called in a manner which scales to the load. i.e. that we have
to allow it to fail or the system would not be able to recover.
mallocs which do NOT scale to load, in particular any malloc related
to structures that already exist in the system, or during initialization,
or other things that do not scale to load, should be expected to succeed
and M_NOWAIT should not be used with them.
A very common place for bugs to be introduced is in error handling,
simply because error paths are very rarely exercised on a running system.
For this reason, trying to deal with low-memory situations gracefully
for allocations which are not significant contributors to the low-memory
situation or otherwise not significantly related to the load on the
system is a bad idea. Such allocations should always be required to
succeed.
I'll give you a couple of examples:
* Incoming packets. Clearly such allocations must be allowed to fail
(and they do).
* Dynamic filter rules. Clearly should be programmatically limited
and not depend on M_NOWAIT failing.
* Look-aside structures related to elements of the system that have
already been successfully allocated. For example, let's say we
have an I/O buffer and we need to tag it with a small allocated
structure. Such allocations should be required to succeed.
* Temporary structures, used during the course of a single procedure,
clearly must be required to succeed.
* Allocations with limited scope during initialization, such as the
ring buffers for a network driver, clearly must be required to succeed.
And so on and so forth.
-Matt
Matthew Dillon
<dillon at xxxxxxxxxxxxx>
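The following is an added userland model of the distinction Matt draws above; it is not DragonFly kernel code, not the if_ndis.c change under discussion, and not written by him. It assumes a stand-in allocator (kmalloc_sim) whose M_NOWAIT calls can be made to fail at a chosen point, so that the receive path's rarely-exercised error branch can be forced and its accounting checked, while the look-aside tag allocation uses the must-succeed flag and carries no error path at all. All names ending in _sim, and the frame bytes, are constructed for the example.

```c
/* Constructed userland model of M_NOWAIT versus M_INTWAIT allocation
 * policy. Not DragonFly kernel code; every *_sim name is an assumption
 * made for this example. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define M_NOWAIT   0x01  /* may return NULL under memory pressure */
#define M_INTWAIT  0x02  /* must succeed; the kernel would sleep instead */

/* Fault injection: the Nth M_NOWAIT allocation returns NULL (0 = off).
 * This is how the rarely-taken error path gets exercised at all. */
static unsigned fail_at_sim;
static unsigned nowait_calls_sim;

static void *kmalloc_sim(size_t size, int flags)
{
    if (flags & M_NOWAIT) {
        nowait_calls_sim++;
        if (fail_at_sim && nowait_calls_sim == fail_at_sim)
            return NULL;
    }
    /* M_INTWAIT callers never see NULL, so they need no error path. */
    void *p = malloc(size);
    if (p == NULL)
        abort();   /* host out of memory is not what this model covers */
    return p;
}

struct rx_stats { unsigned received, dropped; };

/* Load-scaling path: one allocation per incoming packet. It must cope
 * with failure by dropping the packet and accounting for the drop. */
static int rx_packet_sim(const uint8_t *frame, size_t len, struct rx_stats *st)
{
    uint8_t *copy = kmalloc_sim(len, M_NOWAIT);
    if (copy == NULL) {
        st->dropped++;
        return -1;
    }
    memcpy(copy, frame, len);
    st->received++;
    free(copy);   /* stands in for handing the mbuf up the stack */
    return 0;
}

struct iobuf_tag { uint32_t cookie; };
struct iobuf { size_t len; struct iobuf_tag *tag; };

/* Look-aside structure for an object that already exists: bounded by
 * the number of iobufs, not by network load, so it is allowed to wait. */
static void iobuf_tag_sim(struct iobuf *bp, uint32_t cookie)
{
    bp->tag = kmalloc_sim(sizeof *bp->tag, M_INTWAIT);
    bp->tag->cookie = cookie;   /* no NULL check: M_INTWAIT cannot fail */
}

/* Make each M_NOWAIT allocation in a burst of npackets fail in turn and
 * verify that every packet is either received or counted as dropped. */
static int rx_fault_sweep_sim(unsigned npackets, struct rx_stats *st)
{
    static const uint8_t frame[] = {   /* constructed Ethernet header */
        0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x08, 0x00 };
    memset(st, 0, sizeof *st);
    for (unsigned fail = 1; fail <= npackets; fail++) {
        nowait_calls_sim = 0;
        fail_at_sim = fail;
        for (unsigned i = 0; i < npackets; i++)
            rx_packet_sim(frame, sizeof frame, st);
    }
    fail_at_sim = 0;
    return st->received + st->dropped == npackets * npackets
        && st->dropped == npackets;   /* exactly one drop per sweep */
}

static int fault_sweep_ok_sim(void)
{
    struct rx_stats st;
    return rx_fault_sweep_sim(4, &st) && st.dropped == 4 && st.received == 12;
}

static int tag_ok_sim(void)
{
    struct iobuf b = { 64, NULL };
    iobuf_tag_sim(&b, 0xdeadbeef);
    int ok = b.tag != NULL && b.tag->cookie == 0xdeadbeef;
    free(b.tag);
    return ok;
}

int main(void)
{
    printf("rx fault sweep: %s\n", fault_sweep_ok_sim() ? "ok" : "FAIL");
    printf("iobuf tag:      %s\n", tag_ok_sim() ? "ok" : "FAIL");
    return 0;
}
```

The point of the sweep is that a NULL return from an M_NOWAIT allocation is a branch a live system almost never takes, so forcing it on purpose is the only way to find out whether the drop is counted and nothing leaks; the M_INTWAIT site, by contrast, has no branch to test, which is exactly why it should not be using M_NOWAIT.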